sharang
d4e8042b94
internal/keycloak/ — Adapter interface with two implementations:
HTTPAdapter cached client-credentials token; CreateOrgAndInvite +
SyncClaims + Health against the real KC Admin API.
Mock in-process map for unit tests + dev convenience when
KEYCLOAK_ADMIN_URL is empty. Used by the eachStore harness.
POST /v1/tenants now accepts admin_email + admin_name. When set, the
adapter creates a KC organization, invites the user as IT_ADMIN, and
triggers VERIFY_EMAIL + UPDATE_PASSWORD. Response wraps the tenant
with TenantCreated{tenant, invite_url}. KC failures DO NOT roll the
tenant back — they emit a keycloak.provision_failed audit event.
Successful invites emit keycloak.invite_sent.
POST /v1/internal/keycloak/claims resolves a tenant's current claim
bundle (tenant_id, slug, products, plan, status). Lookup chain:
body.tenant_id → body.tenant_slug → user_attrs.tenant_id →
user_attrs.tenant_slug.
Config: KEYCLOAK_ADMIN_URL / REALM / CLIENT_ID / CLIENT_SECRET;
empty URL falls back to Mock.
Tests:
internal/keycloak/mock_test.go conflict surfacing, FailNext hook,
SyncClaims persistence.
internal/keycloak/client_test.go HTTPAdapter against an in-process
stub KC: health, full create-org-
and-invite, conflict, token-cache,
401 retry, ErrUnavailable.
internal/server/keycloak_test.go eachStore integration: provisions
via mock; failure path emits
provision_failed audit; claims
endpoint via every lookup variant
+ 404 + 400.
OpenAPI extended with TenantCreated + Claims schemas and the new
claims endpoint. Contract test asserts the new path.
CI: include internal/keycloak/... in the test package list so
HTTPAdapter coverage counts. Total project line coverage: 71.6%.
Refs: M4.3
61 lines
1.9 KiB
Go
61 lines
1.9 KiB
Go
package server_test
|
|
|
|
import (
|
|
"context"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"github.com/getkin/kin-openapi/openapi3"
|
|
"github.com/getkin/kin-openapi/openapi3filter"
|
|
"github.com/getkin/kin-openapi/routers/gorillamux"
|
|
)
|
|
|
|
// TestOpenAPISpec_loads_and_validates is the contract gate: the committed
|
|
// openapi.yaml must parse, every $ref must resolve, and every documented
|
|
// operation must be reachable from the router. If a handler is missing
|
|
// from the spec or vice-versa, this fails.
|
|
func TestOpenAPISpec_loadsAndIsConsistent(t *testing.T) {
|
|
loader := &openapi3.Loader{Context: context.Background(), IsExternalRefsAllowed: false}
|
|
specPath, _ := filepath.Abs("../../openapi.yaml")
|
|
doc, err := loader.LoadFromFile(specPath)
|
|
if err != nil {
|
|
t.Fatalf("load spec: %v", err)
|
|
}
|
|
if err := doc.Validate(loader.Context); err != nil {
|
|
t.Fatalf("validate spec: %v", err)
|
|
}
|
|
// Replace the servers block so the validator matches any host.
|
|
doc.Servers = openapi3.Servers{{URL: "/"}}
|
|
|
|
router, err := gorillamux.NewRouter(doc)
|
|
if err != nil {
|
|
t.Fatalf("build router: %v", err)
|
|
}
|
|
|
|
// Run a few sample requests through the validator. Each one must be
|
|
// matched to an operation in the spec.
|
|
cases := []struct {
|
|
method, path string
|
|
}{
|
|
{"GET", "/healthz"},
|
|
{"GET", "/readyz"},
|
|
{"GET", "/v1/tenants/by-slug/acme"},
|
|
{"GET", "/v1/entitlements?tenant_id=00000000-0000-0000-0000-000000000001"},
|
|
{"GET", "/v1/api-keys?tenant_id=00000000-0000-0000-0000-000000000001"},
|
|
{"GET", "/v1/catalog"},
|
|
{"GET", "/v1/audit?limit=10"},
|
|
{"POST", "/v1/internal/keycloak/claims"},
|
|
}
|
|
for _, c := range cases {
|
|
req := newRequest(t, c.method, c.path)
|
|
_, _, err := router.FindRoute(req)
|
|
if err != nil {
|
|
t.Errorf("%s %s: not in spec — %v", c.method, c.path, err)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Reference the openapi3filter package so its symbol survives if the
|
|
// per-request validation block grows back later.
|
|
var _ = openapi3filter.ValidateRequest
|