Gateway 使用一次性接入码创建 Exchange,将 Exchange Token、机器凭据与 Session Key 仅写入 SecretStore,并持久化脱敏配对进度。\n\n资源就绪后先保存凭据和 Manifest,再自动准备 SSF,最后确认远端 Exchange;SecretStore 失败时保持 ready,重试会触发新 Secret 轮换,不回放旧值。\n\n验证:go test ./...;go vet ./...
88 lines
3.0 KiB
Go
88 lines
3.0 KiB
Go
package main
|
|
|
|
import (
|
|
"os"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func TestSecurityEventIdempotencyRepairMigrationExists(t *testing.T) {
|
|
payload, err := os.ReadFile("../../migrations/0064_security_event_connection_idempotency_repair.sql")
|
|
if err != nil {
|
|
t.Fatalf("read repair migration: %v", err)
|
|
}
|
|
sql := string(payload)
|
|
for _, statement := range []string{
|
|
"CREATE TABLE IF NOT EXISTS gateway_security_event_connection_idempotency",
|
|
"CREATE INDEX IF NOT EXISTS idx_gateway_security_event_connection_idempotency_created",
|
|
} {
|
|
if !strings.Contains(sql, statement) {
|
|
t.Fatalf("repair migration is missing %q", statement)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestSecurityEventVerificationStateRepairMigrationExists(t *testing.T) {
|
|
payload, err := os.ReadFile("../../migrations/0065_security_event_verification_state_repair.sql")
|
|
if err != nil {
|
|
t.Fatalf("read verification state repair migration: %v", err)
|
|
}
|
|
sql := string(payload)
|
|
for _, statement := range []string{
|
|
"ADD COLUMN IF NOT EXISTS stream_status",
|
|
"ADD COLUMN IF NOT EXISTS created_at",
|
|
"CREATE TABLE IF NOT EXISTS gateway_security_event_verification_challenges",
|
|
"CREATE INDEX IF NOT EXISTS idx_gateway_security_event_challenges_expiry",
|
|
} {
|
|
if !strings.Contains(sql, statement) {
|
|
t.Fatalf("verification state repair migration is missing %q", statement)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestIdentityConfigurationRevisionMigrationDefinesSecretReferencesAndSingleActiveRevision(t *testing.T) {
|
|
payload, err := os.ReadFile("../../migrations/0067_identity_configuration_revisions.sql")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
content := string(payload)
|
|
for _, required := range []string{
|
|
"CREATE TABLE IF NOT EXISTS gateway_identity_configuration_revisions",
|
|
"machine_credential_ref text",
|
|
"session_encryption_key_ref text",
|
|
"WHERE state = 'active'",
|
|
"CHECK (state IN ('draft','validated','active','superseded','failed'))",
|
|
} {
|
|
if !strings.Contains(content, required) {
|
|
t.Fatalf("identity configuration migration is missing %q", required)
|
|
}
|
|
}
|
|
for _, forbidden := range []string{"machine_secret", "client_secret", "exchange_token text", "onboarding_code text"} {
|
|
if strings.Contains(strings.ToLower(content), forbidden) {
|
|
t.Fatalf("identity configuration migration stores forbidden secret field %q", forbidden)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestIdentityOnboardingExchangeMigrationStoresOnlySecretReferences(t *testing.T) {
|
|
payload, err := os.ReadFile("../../migrations/0068_identity_onboarding_exchanges.sql")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
content := strings.ToLower(string(payload))
|
|
for _, required := range []string{
|
|
"create table if not exists gateway_identity_onboarding_exchanges",
|
|
"exchange_token_ref text not null",
|
|
"security_event_configuration_url text",
|
|
} {
|
|
if !strings.Contains(content, required) {
|
|
t.Fatalf("identity onboarding migration is missing %q", required)
|
|
}
|
|
}
|
|
for _, forbidden := range []string{"exchange_token text", "onboarding_code", "client_secret", "machine_secret"} {
|
|
if strings.Contains(content, forbidden) {
|
|
t.Fatalf("identity onboarding migration stores forbidden secret field %q", forbidden)
|
|
}
|
|
}
|
|
}
|