platform/tenant-registry
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fd5f8ae36f933127a39507cf519dfbccaddf7f7b
tenant-registry/internal/server/keycloak_test.go
T
sharang fd5f8ae36f
ci / shared (pull_request) Successful in 7s
Details
ci / image (pull_request) Has been skipped
Details
ci / test (pull_request) Failing after 20s
Details
feat(keycloak): M4.3 — Admin API adapter + claim resolver 
internal/keycloak/ — Adapter interface with two implementations:
  HTTPAdapter  pgxpool-style real Admin API client with cached client-
               credentials token (auto-refresh, 401 retry).
  Mock         in-process map for unit tests + dev convenience when
               KEYCLOAK_ADMIN_URL is empty. Used by the eachStore harness.

Adapter contract (adapter.go):
  CreateOrgAndInvite(ctx, InviteInput) (*InviteResult, error)
    Creates a KC organization, an IT_ADMIN user, adds the user as a
    member, triggers VERIFY_EMAIL + UPDATE_PASSWORD execute-actions
    email. Atomic from the caller's PoV; partial failures surface as
    typed errors (ErrOrgConflict, ErrUserConflict, ErrUnauthorized,
    ErrUnavailable).
  SyncClaims(ctx, userID, Claims) error
    Pushes tenant_id / tenant_slug / org_roles / products / plan /
    tenant_status into the user's KC attributes — the same shape the
    realm's protocol mappers project into JWTs.
  Health(ctx) error
    Pings /admin/serverinfo; wired into readyz.

Wiring:
  POST /v1/tenants now accepts admin_email + admin_name. When set, the
  adapter creates the org and invites the user. Response wraps the
  tenant with the new TenantCreated{tenant, invite_url} shape so dev
  testers can use the action-token URL without waiting for the email.
  KC failures DO NOT roll the tenant back — they emit a
  keycloak.provision_failed audit event so the operator can resend.
  Successful invites emit keycloak.invite_sent.

  POST /v1/internal/keycloak/claims resolves a tenant's current claim
  bundle. Lookup chain: body.tenant_id → body.tenant_slug →
  body.user_attrs.tenant_id → body.user_attrs.tenant_slug. The realm's
  protocol mapper calls this at token issuance, or operators on demand.

Config: KEYCLOAK_ADMIN_URL / REALM / CLIENT_ID / CLIENT_SECRET; empty
URL falls back to Mock for dev.

OpenAPI: TenantCreated + Claims schemas added; /v1/internal/keycloak/claims
documented. Contract test extended to cover the new endpoint.

Tests:
  internal/keycloak/mock_test.go    Mock semantics: conflict surfacing,
                                    FailNext hook, SyncClaims persistence.
  internal/server/keycloak_test.go  KC provisioning end-to-end via
                                    eachStore: invite_url returned,
                                    mock records, invite_sent audit;
                                    failure path emits provision_failed
                                    but tenant still lands; claims
                                    endpoint resolves via tenant_id /
                                    tenant_slug / user_attrs / 404 / 400.

The real-KC integration test (against a testcontainers-spun KC 26)
lands in a follow-up — gating it behind KEYCLOAK_INTEGRATION=1 + a
slower nightly CI is cleaner than baking 30s+ of KC boot into every PR.

Refs: M4.3
2026-05-19 13:24:41 +02:00

148 lines
4.6 KiB
Go
Raw Blame History

package server_test
import (
"net/http"
"testing"
"gitea.meghsakha.com/platform/tenant-registry/internal/keycloak"
"gitea.meghsakha.com/platform/tenant-registry/internal/store"
)
func TestCreateTenant_provisionsKeycloak(t *testing.T) {
eachStore(t, func(t *testing.T, h *testHarness) {
resp, body := h.do("POST", "/v1/tenants", map[string]any{
"slug": "kc-co",
"name": "KC Co.",
"admin_email": "owner@kc-co.test",
"admin_name": "Pat Owner",
})
if resp.StatusCode != http.StatusCreated {
t.Fatalf("status = %d, body=%s", resp.StatusCode, body)
}
out := decode[struct {
Tenant *store.Tenant `json:"tenant"`
InviteURL string `json:"invite_url"`
}](t, body)
if out.Tenant.Slug != "kc-co" {
t.Errorf("slug = %q", out.Tenant.Slug)
}
if out.InviteURL == "" {
t.Error("invite_url missing in response")
}
// The mock recorded the call.
if _, ok := h.kcMock.Orgs[out.Tenant.ID]; !ok {
t.Errorf("kc mock did not record org for tenant %s", out.Tenant.ID)
}
if _, ok := h.kcMock.Users["owner@kc-co.test"]; !ok {
t.Error("kc mock did not record user for owner@kc-co.test")
}
// And we emitted a keycloak.invite_sent audit event.
resp, body = h.do("GET",
"/v1/audit?action=keycloak.invite_sent&tenant_id="+out.Tenant.ID, nil)
if resp.StatusCode != 200 {
t.Fatalf("audit list status = %d", resp.StatusCode)
}
listed := decode[struct {
Items []store.AuditEvent `json:"items"`
}](t, body)
if len(listed.Items) != 1 {
t.Errorf("expected 1 invite_sent event, got %d", len(listed.Items))
}
})
}
func TestCreateTenant_kcFailure_doesNotRollback(t *testing.T) {
eachStore(t, func(t *testing.T, h *testHarness) {
// Force the mock to fail the next call.
h.kcMock.FailNext = keycloak.ErrUnavailable
resp, body := h.do("POST", "/v1/tenants", map[string]any{
"slug": "kc-fail", "name": "KC Fail", "admin_email": "x@y.test",
})
if resp.StatusCode != http.StatusCreated {
t.Fatalf("expected tenant still created despite kc fail; status=%d body=%s",
resp.StatusCode, body)
}
out := decode[struct {
Tenant *store.Tenant `json:"tenant"`
}](t, body)
// Tenant landed in the DB.
if out.Tenant.ID == "" {
t.Error("tenant id missing")
}
// And there's a provision_failed audit event for it.
resp, body = h.do("GET",
"/v1/audit?action=keycloak.provision_failed&tenant_id="+out.Tenant.ID, nil)
listed := decode[struct {
Items []store.AuditEvent `json:"items"`
}](t, body)
if len(listed.Items) != 1 {
t.Errorf("expected 1 provision_failed event, got %d", len(listed.Items))
}
})
}
func TestKcClaims_returnsCurrentEntitlements(t *testing.T) {
eachStore(t, func(t *testing.T, h *testHarness) {
resp, body := h.do("POST", "/v1/internal/keycloak/claims", map[string]any{
"tenant_slug": h.tenant.Slug,
})
if resp.StatusCode != http.StatusOK {
t.Fatalf("status = %d, body=%s", resp.StatusCode, body)
}
got := decode[keycloak.Claims](t, body)
if got.TenantID != h.tenant.ID || got.TenantSlug != h.tenant.Slug {
t.Errorf("tenant fields off: %+v", got)
}
if got.Plan != h.tenant.Plan {
t.Errorf("plan = %q, want %q", got.Plan, h.tenant.Plan)
}
if got.TenantStatus != h.tenant.Status {
t.Errorf("status = %q, want %q", got.TenantStatus, h.tenant.Status)
}
// acme is seeded with certifai + compliance entitlements (memory)
// or one or zero (postgres, depending on prior subtest ordering).
// At minimum the field is present.
if got.Products == nil {
t.Error("products is nil; should be at least empty slice")
}
})
}
func TestKcClaims_lookupByUserAttrs(t *testing.T) {
eachStore(t, func(t *testing.T, h *testHarness) {
resp, body := h.do("POST", "/v1/internal/keycloak/claims", map[string]any{
"user_attrs": map[string]string{"tenant_slug": h.tenant.Slug},
})
if resp.StatusCode != http.StatusOK {
t.Fatalf("status = %d, body=%s", resp.StatusCode, body)
}
got := decode[keycloak.Claims](t, body)
if got.TenantID != h.tenant.ID {
t.Errorf("did not resolve via user_attrs; got %+v", got)
}
})
}
func TestKcClaims_missingTenant404(t *testing.T) {
eachStore(t, func(t *testing.T, h *testHarness) {
resp, _ := h.do("POST", "/v1/internal/keycloak/claims", map[string]any{
"tenant_slug": "nope-nope",
})
if resp.StatusCode != http.StatusNotFound {
t.Errorf("status = %d, want 404", resp.StatusCode)
}
})
}
func TestKcClaims_requiresInput(t *testing.T) {
eachStore(t, func(t *testing.T, h *testHarness) {
resp, _ := h.do("POST", "/v1/internal/keycloak/claims", map[string]any{})
if resp.StatusCode != http.StatusBadRequest {
t.Errorf("status = %d, want 400", resp.StatusCode)
}
})
}
Reference in New Issue View Git Blame Copy Permalink