highperfocused/multica
1
0
Fork 0
mirror of https://github.com/multica-ai/multica.git synced 2026-06-17 11:48:42 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
ui/comment-trigger-chips-polish
multica/server/internal/cloudruntime/client_test.go
LinYushen c968c13c87 feat(auth): support mcn_ Cloud Node PATs verified via Fleet (#3349) 
* feat(auth): support mcn_ Cloud Node PATs verified via Fleet

Adds a new token kind, mcn_ (multica cloud node), recognized in both
the regular Auth and DaemonAuth middlewares. mcn_ tokens are minted
and owned by Multica Cloud (not the local personal_access_tokens
table); the server validates them by POSTing to the Fleet's
/api/v1/pat/verify endpoint and uses the returned owner_id as
X-User-ID for downstream handlers.

Cloud is the authoritative owner of token status, so this is a
verifier-only path with no DB fallback:

  * Fleet says valid:false -> 401 (token genuinely bad)
  * Fleet unreachable / 5xx -> 503 (transient, retry)
  * No MULTICA_CLOUD_FLEET_URL configured -> 401 (fail closed)

Verification results are cached in Redis for 60s under
mul:auth:mcn:<sha256> to bound the per-request load on Fleet without
extending the revocation window beyond what the Cloud doc allows.
Negative results are NOT cached, so a freshly minted token doesn't
get locked out by a stale 'token_not_found'.

Reuses MULTICA_CLOUD_FLEET_URL (the same env the cloud-runtime proxy
already uses) so deployments don't need a second config knob.

Tests cover the happy path, every documented invalid reason, 4xx/5xx
mapping, network error, decode error, ctx cancellation, the
fail-closed valid:true-without-owner_id case, trailing-slash URL
normalization, and the Redis cache short-circuit + negative
no-cache contract. Middleware tests pin the four 401/503/200 outcomes
in both Auth and DaemonAuth.

* auth(mcn): require owner_id to map to a real local user; drop X-User-PAT plumbing

Two related changes:

1. Cloud-verified owner_id is now checked against our local users table.
   The Cloud owner_id and our users.id share the same UUID space by
   contract; a missing local user means either the row was deleted
   under an active node or something is forging owner_ids — either
   way, fail closed.

   CloudPATVerifier.Verify takes a new OwnerLookupFunc:
     - returns (true, nil)   -> success, cache + return
     - returns (false, nil)  -> ErrCloudPATInvalid (reason='owner_unknown'),
                                NOT cached (so a freshly-created user
                                doesn't get locked out for a TTL window)
     - returns (_, error)    -> ErrCloudPATUnavailable (transient,
                                middleware emits 503)

   Both Auth and DaemonAuth wire ownerLookupFor(queries), a new shared
   helper that wraps queries.GetUser, mapping pgx.ErrNoRows / unparseable
   UUIDs to (false, nil) and other errors to a real Go error.

2. Removed all X-User-PAT plumbing. Cloud now mints node-scoped mcn_
   PATs itself during /api/v1/nodes (see multica-cloud
   docs/api/node-pat.md) and ships them into the EC2 instance via SSM,
   so multica-api no longer needs to forward the caller's mul_ PAT.
   Propagating a long-lived user PAT into a remote machine widened
   the blast radius of any node compromise; that's gone now.

   Removed:
     - cloud_runtime.go: withUserPAT option, cloudRuntimeUserPAT,
       generateCloudRuntimePAT, revokeGeneratedPAT
     - cloudruntime/Request.UserPAT field + X-User-PAT header
     - X-User-PAT from CORS allowed headers
     - obsolete handler tests:
         TestCreateCloudRuntimeNodeForwardsValidatedPAT
         TestCreateCloudRuntimeNodeRejectsUnownedPAT
         TestCreateCloudRuntimeNodeRejectsExpiredPAT
         TestCreateCloudRuntimeNodeAutoGeneratesPAT
       replaced with TestCreateCloudRuntimeNodeForwardsBody
     - X-User-PAT references in packages/core/api/client.test.ts

Tests:
  * 3 new verifier-level tests (owner_unknown not cached, lookup error
    -> Unavailable, success path is cached for both fleet AND lookup)
  * 5 new owner_lookup_test.go tests (nil queries, existing user,
    missing user, malformed UUID, DB error)
  * 1 new end-to-end DaemonAuth test (cloud says valid, no local user
    -> 401)
  * Existing X-User-PAT TS assertions removed; full vitest run passes.
  * go test ./... and go vet ./... clean on the server module.
2026-05-27 14:52:03 +08:00

87 lines
2.6 KiB
Go
Raw Permalink Blame History

package cloudruntime
import (
"context"
"errors"
"io"
"net/http"
"net/http/httptest"
"net/url"
"testing"
)
func TestClientDoForwardsFleetRequest(t *testing.T) {
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
t.Fatalf("method = %s, want POST", r.Method)
}
if r.URL.Path != "/base/api/v1/nodes" {
t.Fatalf("path = %s, want /base/api/v1/nodes", r.URL.Path)
}
if r.URL.RawQuery != "limit=20&offset=0" {
t.Fatalf("query = %s, want limit=20&offset=0", r.URL.RawQuery)
}
if got := r.Header.Get("Accept"); got != "application/json" {
t.Fatalf("Accept = %q", got)
}
if got := r.Header.Get("Content-Type"); got != "application/json" {
t.Fatalf("Content-Type = %q", got)
}
if got := r.Header.Get("X-User-ID"); got != "01972f7e-7e8d-77ef-a13d-1b0ce3e9c001" {
t.Fatalf("X-User-ID = %q", got)
}
if got := r.Header.Get("X-Request-ID"); got != "request-123" {
t.Fatalf("X-Request-ID = %q", got)
}
body, err := io.ReadAll(r.Body)
if err != nil {
t.Fatalf("read body: %v", err)
}
if got := string(body); got != `{"instance_type":"g5.xlarge"}` {
t.Fatalf("body = %s", got)
}
w.Header().Set("X-Request-ID", "fleet-request-456")
w.WriteHeader(http.StatusCreated)
w.Write([]byte(`{"status":"launching"}`))
}))
defer srv.Close()
client := NewClient(Config{BaseURL: srv.URL + "/base/"})
resp, err := client.Do(context.Background(), Request{
Method: http.MethodPost,
Path: "/api/v1/nodes",
Query: url.Values{"limit": []string{"20"}, "offset": []string{"0"}},
Body: []byte(`{"instance_type":"g5.xlarge"}`),
UserID: "01972f7e-7e8d-77ef-a13d-1b0ce3e9c001",
RequestID: "request-123",
})
if err != nil {
t.Fatalf("Do: %v", err)
}
if resp.StatusCode != http.StatusCreated {
t.Fatalf("status = %d", resp.StatusCode)
}
if got := resp.Header.Get("X-Request-ID"); got != "fleet-request-456" {
t.Fatalf("response X-Request-ID = %q", got)
}
if got := string(resp.Body); got != `{"status":"launching"}` {
t.Fatalf("response body = %s", got)
}
}
func TestClientDoDisabled(t *testing.T) {
client := NewClient(Config{})
_, err := client.Do(context.Background(), Request{Method: http.MethodGet, Path: "/healthz"})
if !errors.Is(err, ErrDisabled) {
t.Fatalf("err = %v, want ErrDisabled", err)
}
}
func TestClientDoInvalidBaseURL(t *testing.T) {
client := NewClient(Config{BaseURL: "http://%"})
_, err := client.Do(context.Background(), Request{Method: http.MethodGet, Path: "/healthz"})
if !errors.Is(err, ErrInvalidBaseURL) {
t.Fatalf("err = %v, want ErrInvalidBaseURL", err)
}
}
Reference in New Issue View Git Blame Copy Permalink