steve
44feb708bc
The smoke runbook caught a real bug: ConsumeEnrollmentToken was
inserting into host_credentials (FK -> hosts) inside the same tx as
the token burn, but the host row didn't exist yet — CreateHost
runs in the *next* statement. The agent saw a generic 401 with no
clue why.
Fix: drop the host_credentials insert from ConsumeEnrollmentToken;
the HTTP handler now does Consume -> CreateHost ->
SetHostCredentials. SetHostCredentials failure is logged loudly
but doesn't fail the enrol — operator recovers via PUT
/api/hosts/{id}/repo-credentials.
Adds slog.Warn lines on both 401 paths in handleAgentEnroll so the
underlying cause is visible in server logs (the wire response stays
generic to avoid leaking which step failed).
Test: TestEnrollmentTransfersRepoCreds rewritten to mirror the new
order (consume -> create host -> SetHostCredentials).
Runbook (docs/e2e-smoke.md): rest-server moved off 8000 (commonly
in use); URLs use trailing slash on the rest path; clarified that
secrets_key is minted on first agent start, not at enrol time.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
107 lines
3.3 KiB
Go
107 lines
3.3 KiB
Go
package http
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"testing"
|
|
)
|
|
|
|
// TestEnrollmentTransfersRepoCreds verifies the round-trip:
|
|
// - operator mints a token with repo_url/username/password
|
|
// - encrypted blob lands on the token row, bound to token_hash
|
|
// - on consume, the blob is re-encrypted bound to host_id and
|
|
// written to host_credentials in the same tx.
|
|
func TestEnrollmentTransfersRepoCreds(t *testing.T) {
|
|
t.Parallel()
|
|
srv, _, st := newTestServerWithHub(t)
|
|
|
|
ctx := context.Background()
|
|
want := repoCredsBlob{
|
|
RepoURL: "rest:https://repo.example/host42",
|
|
RepoUsername: "host42",
|
|
RepoPassword: "hunter2",
|
|
}
|
|
|
|
// Encrypt + create token like the operator endpoint would.
|
|
const tokHash = "tok-hash-fixture"
|
|
enc, err := srv.encryptRepoCreds(want, []byte("token:"+tokHash))
|
|
if err != nil {
|
|
t.Fatalf("encrypt: %v", err)
|
|
}
|
|
if err := st.CreateEnrollmentToken(ctx, tokHash, 1<<20, enc); err != nil {
|
|
t.Fatalf("create token: %v", err)
|
|
}
|
|
|
|
// Rebind under host_id, then consume (this is what the agent
|
|
// enroll handler does inline).
|
|
const hostID = "h-fixture"
|
|
encForHost, err := srv.rebindTokenCreds(ctx, tokHash, hostID)
|
|
if err != nil {
|
|
t.Fatalf("rebind: %v", err)
|
|
}
|
|
if encForHost == "" {
|
|
t.Fatal("rebind returned empty blob; expected re-encrypted ciphertext")
|
|
}
|
|
if encForHost == enc {
|
|
t.Errorf("rebind should change ciphertext (additional-data differs); got identical")
|
|
}
|
|
|
|
// Burn the token, then create the host row, then promote — same
|
|
// order the HTTP handler runs.
|
|
if err := st.ConsumeEnrollmentToken(ctx, tokHash, hostID); err != nil {
|
|
t.Fatalf("consume: %v", err)
|
|
}
|
|
if _, err := st.DB().Exec(
|
|
`INSERT INTO hosts (id, name, os, arch, enrolled_at) VALUES (?,?,?,?,?)`,
|
|
hostID, "host42", "linux", "amd64", "2026-01-01T00:00:00Z"); err != nil {
|
|
t.Fatalf("insert host: %v", err)
|
|
}
|
|
if err := st.SetHostCredentials(ctx, hostID, encForHost); err != nil {
|
|
t.Fatalf("set host credentials: %v", err)
|
|
}
|
|
|
|
// host_credentials row should now hold the host-bound ciphertext.
|
|
got, err := st.GetHostCredentials(ctx, hostID)
|
|
if err != nil {
|
|
t.Fatalf("get host creds: %v", err)
|
|
}
|
|
plain, err := srv.deps.AEAD.Decrypt(got, []byte("host:"+hostID))
|
|
if err != nil {
|
|
t.Fatalf("decrypt: %v", err)
|
|
}
|
|
var blob repoCredsBlob
|
|
if err := json.Unmarshal(plain, &blob); err != nil {
|
|
t.Fatalf("unmarshal: %v", err)
|
|
}
|
|
if blob != want {
|
|
t.Errorf("blob mismatch:\n got %+v\nwant %+v", blob, want)
|
|
}
|
|
|
|
// Cross-check: decrypting with a wrong AD must fail (swap
|
|
// detection — proves the AAD binding is doing real work).
|
|
if _, err := srv.deps.AEAD.Decrypt(got, []byte("host:other-host")); err == nil {
|
|
t.Error("decrypt with wrong AD must fail; AAD binding is broken")
|
|
}
|
|
}
|
|
|
|
// TestEnrollmentTokenWithoutCreds is the regression that ensures the
|
|
// existing ttl/single-use semantics still work when no creds are
|
|
// attached (used by the enrollment_test.go fixture path).
|
|
func TestEnrollmentTokenWithoutCreds(t *testing.T) {
|
|
t.Parallel()
|
|
_, _, st := newTestServerWithHub(t)
|
|
ctx := context.Background()
|
|
|
|
const tokHash = "no-creds-token"
|
|
if err := st.CreateEnrollmentToken(ctx, tokHash, 1<<20, ""); err != nil {
|
|
t.Fatalf("create: %v", err)
|
|
}
|
|
enc, err := st.GetEnrollmentTokenCreds(ctx, tokHash)
|
|
if err != nil {
|
|
t.Fatalf("get token creds: %v", err)
|
|
}
|
|
if enc != "" {
|
|
t.Errorf("token without creds should return empty blob; got %q", enc)
|
|
}
|
|
}
|