platform/tenant-registry
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fd5f8ae36f933127a39507cf519dfbccaddf7f7b
tenant-registry/internal/server/openapi_test.go
T
sharang fd5f8ae36f
ci / shared (pull_request) Successful in 7s
Details
ci / image (pull_request) Has been skipped
Details
ci / test (pull_request) Failing after 20s
Details
feat(keycloak): M4.3 — Admin API adapter + claim resolver 
internal/keycloak/ — Adapter interface with two implementations:
  HTTPAdapter  pgxpool-style real Admin API client with cached client-
               credentials token (auto-refresh, 401 retry).
  Mock         in-process map for unit tests + dev convenience when
               KEYCLOAK_ADMIN_URL is empty. Used by the eachStore harness.

Adapter contract (adapter.go):
  CreateOrgAndInvite(ctx, InviteInput) (*InviteResult, error)
    Creates a KC organization, an IT_ADMIN user, adds the user as a
    member, triggers VERIFY_EMAIL + UPDATE_PASSWORD execute-actions
    email. Atomic from the caller's PoV; partial failures surface as
    typed errors (ErrOrgConflict, ErrUserConflict, ErrUnauthorized,
    ErrUnavailable).
  SyncClaims(ctx, userID, Claims) error
    Pushes tenant_id / tenant_slug / org_roles / products / plan /
    tenant_status into the user's KC attributes — the same shape the
    realm's protocol mappers project into JWTs.
  Health(ctx) error
    Pings /admin/serverinfo; wired into readyz.

Wiring:
  POST /v1/tenants now accepts admin_email + admin_name. When set, the
  adapter creates the org and invites the user. Response wraps the
  tenant with the new TenantCreated{tenant, invite_url} shape so dev
  testers can use the action-token URL without waiting for the email.
  KC failures DO NOT roll the tenant back — they emit a
  keycloak.provision_failed audit event so the operator can resend.
  Successful invites emit keycloak.invite_sent.

  POST /v1/internal/keycloak/claims resolves a tenant's current claim
  bundle. Lookup chain: body.tenant_id → body.tenant_slug →
  body.user_attrs.tenant_id → body.user_attrs.tenant_slug. The realm's
  protocol mapper calls this at token issuance, or operators on demand.

Config: KEYCLOAK_ADMIN_URL / REALM / CLIENT_ID / CLIENT_SECRET; empty
URL falls back to Mock for dev.

OpenAPI: TenantCreated + Claims schemas added; /v1/internal/keycloak/claims
documented. Contract test extended to cover the new endpoint.

Tests:
  internal/keycloak/mock_test.go    Mock semantics: conflict surfacing,
                                    FailNext hook, SyncClaims persistence.
  internal/server/keycloak_test.go  KC provisioning end-to-end via
                                    eachStore: invite_url returned,
                                    mock records, invite_sent audit;
                                    failure path emits provision_failed
                                    but tenant still lands; claims
                                    endpoint resolves via tenant_id /
                                    tenant_slug / user_attrs / 404 / 400.

The real-KC integration test (against a testcontainers-spun KC 26)
lands in a follow-up — gating it behind KEYCLOAK_INTEGRATION=1 + a
slower nightly CI is cleaner than baking 30s+ of KC boot into every PR.

Refs: M4.3
2026-05-19 13:24:41 +02:00

61 lines
1.9 KiB
Go
Raw Blame History

package server_test
import (
"context"
"path/filepath"
"testing"
"github.com/getkin/kin-openapi/openapi3"
"github.com/getkin/kin-openapi/openapi3filter"
"github.com/getkin/kin-openapi/routers/gorillamux"
)
// TestOpenAPISpec_loads_and_validates is the contract gate: the committed
// openapi.yaml must parse, every $ref must resolve, and every documented
// operation must be reachable from the router. If a handler is missing
// from the spec or vice-versa, this fails.
func TestOpenAPISpec_loadsAndIsConsistent(t *testing.T) {
loader := &openapi3.Loader{Context: context.Background(), IsExternalRefsAllowed: false}
specPath, _ := filepath.Abs("../../openapi.yaml")
doc, err := loader.LoadFromFile(specPath)
if err != nil {
t.Fatalf("load spec: %v", err)
}
if err := doc.Validate(loader.Context); err != nil {
t.Fatalf("validate spec: %v", err)
}
// Replace the servers block so the validator matches any host.
doc.Servers = openapi3.Servers{{URL: "/"}}
router, err := gorillamux.NewRouter(doc)
if err != nil {
t.Fatalf("build router: %v", err)
}
// Run a few sample requests through the validator. Each one must be
// matched to an operation in the spec.
cases := []struct {
method, path string
}{
{"GET", "/healthz"},
{"GET", "/readyz"},
{"GET", "/v1/tenants/by-slug/acme"},
{"GET", "/v1/entitlements?tenant_id=00000000-0000-0000-0000-000000000001"},
{"GET", "/v1/api-keys?tenant_id=00000000-0000-0000-0000-000000000001"},
{"GET", "/v1/catalog"},
{"GET", "/v1/audit?limit=10"},
{"POST", "/v1/internal/keycloak/claims"},
}
for _, c := range cases {
req := newRequest(t, c.method, c.path)
_, _, err := router.FindRoute(req)
if err != nil {
t.Errorf("%s %s: not in spec — %v", c.method, c.path, err)
}
}
}
// Reference the openapi3filter package so its symbol survives if the
// per-request validation block grows back later.
var _ = openapi3filter.ValidateRequest
Reference in New Issue View Git Blame Copy Permalink