steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity
Files
229f89fee2e6616dfbeedc4f7c6336546a3dde8f
restic-manager/internal/server/http/host_credentials_test.go
T
steve 2418e585db
CI / Test (linux/amd64) (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details
CI / Build (windows/amd64) (push) Has been cancelled
Details
CI / Build (linux/amd64) (push) Has been cancelled
Details
CI / Build (linux/arm64) (push) Has been cancelled
Details
fix: enrollment FK race + log-when-rejected; runbook fixes from dry-run 
The smoke runbook caught a real bug: ConsumeEnrollmentToken was
inserting into host_credentials (FK -> hosts) inside the same tx as
the token burn, but the host row didn't exist yet — CreateHost
runs in the *next* statement. The agent saw a generic 401 with no
clue why.

Fix: drop the host_credentials insert from ConsumeEnrollmentToken;
the HTTP handler now does Consume -> CreateHost ->
SetHostCredentials. SetHostCredentials failure is logged loudly
but doesn't fail the enrol — operator recovers via PUT
/api/hosts/{id}/repo-credentials.

Adds slog.Warn lines on both 401 paths in handleAgentEnroll so the
underlying cause is visible in server logs (the wire response stays
generic to avoid leaking which step failed).

Test: TestEnrollmentTransfersRepoCreds rewritten to mirror the new
order (consume -> create host -> SetHostCredentials).

Runbook (docs/e2e-smoke.md): rest-server moved off 8000 (commonly
in use); URLs use trailing slash on the rest path; clarified that
secrets_key is minted on first agent start, not at enrol time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 14:01:59 +01:00

107 lines
3.3 KiB
Go
Raw Blame History

package http
import (
"context"
"encoding/json"
"testing"
)
// TestEnrollmentTransfersRepoCreds verifies the round-trip:
// - operator mints a token with repo_url/username/password
// - encrypted blob lands on the token row, bound to token_hash
// - on consume, the blob is re-encrypted bound to host_id and
// written to host_credentials in the same tx.
func TestEnrollmentTransfersRepoCreds(t *testing.T) {
t.Parallel()
srv, _, st := newTestServerWithHub(t)
ctx := context.Background()
want := repoCredsBlob{
RepoURL: "rest:https://repo.example/host42",
RepoUsername: "host42",
RepoPassword: "hunter2",
}
// Encrypt + create token like the operator endpoint would.
const tokHash = "tok-hash-fixture"
enc, err := srv.encryptRepoCreds(want, []byte("token:"+tokHash))
if err != nil {
t.Fatalf("encrypt: %v", err)
}
if err := st.CreateEnrollmentToken(ctx, tokHash, 1<<20, enc); err != nil {
t.Fatalf("create token: %v", err)
}
// Rebind under host_id, then consume (this is what the agent
// enroll handler does inline).
const hostID = "h-fixture"
encForHost, err := srv.rebindTokenCreds(ctx, tokHash, hostID)
if err != nil {
t.Fatalf("rebind: %v", err)
}
if encForHost == "" {
t.Fatal("rebind returned empty blob; expected re-encrypted ciphertext")
}
if encForHost == enc {
t.Errorf("rebind should change ciphertext (additional-data differs); got identical")
}
// Burn the token, then create the host row, then promote — same
// order the HTTP handler runs.
if err := st.ConsumeEnrollmentToken(ctx, tokHash, hostID); err != nil {
t.Fatalf("consume: %v", err)
}
if _, err := st.DB().Exec(
`INSERT INTO hosts (id, name, os, arch, enrolled_at) VALUES (?,?,?,?,?)`,
hostID, "host42", "linux", "amd64", "2026-01-01T00:00:00Z"); err != nil {
t.Fatalf("insert host: %v", err)
}
if err := st.SetHostCredentials(ctx, hostID, encForHost); err != nil {
t.Fatalf("set host credentials: %v", err)
}
// host_credentials row should now hold the host-bound ciphertext.
got, err := st.GetHostCredentials(ctx, hostID)
if err != nil {
t.Fatalf("get host creds: %v", err)
}
plain, err := srv.deps.AEAD.Decrypt(got, []byte("host:"+hostID))
if err != nil {
t.Fatalf("decrypt: %v", err)
}
var blob repoCredsBlob
if err := json.Unmarshal(plain, &blob); err != nil {
t.Fatalf("unmarshal: %v", err)
}
if blob != want {
t.Errorf("blob mismatch:\n got %+v\nwant %+v", blob, want)
}
// Cross-check: decrypting with a wrong AD must fail (swap
// detection — proves the AAD binding is doing real work).
if _, err := srv.deps.AEAD.Decrypt(got, []byte("host:other-host")); err == nil {
t.Error("decrypt with wrong AD must fail; AAD binding is broken")
}
}
// TestEnrollmentTokenWithoutCreds is the regression that ensures the
// existing ttl/single-use semantics still work when no creds are
// attached (used by the enrollment_test.go fixture path).
func TestEnrollmentTokenWithoutCreds(t *testing.T) {
t.Parallel()
_, _, st := newTestServerWithHub(t)
ctx := context.Background()
const tokHash = "no-creds-token"
if err := st.CreateEnrollmentToken(ctx, tokHash, 1<<20, ""); err != nil {
t.Fatalf("create: %v", err)
}
enc, err := st.GetEnrollmentTokenCreds(ctx, tokHash)
if err != nil {
t.Fatalf("get token creds: %v", err)
}
if enc != "" {
t.Errorf("token without creds should return empty blob; got %q", enc)
}
}
Reference in New Issue View Git Blame Copy Permalink