test(mcp): TokenService unit tests with fake repo

This commit is contained in:
2026-05-08 08:04:54 +08:00
parent 7d9cd4bf6b
commit 8031579487
+341
View File
@@ -0,0 +1,341 @@
package mcp_test
import (
"context"
"errors"
"sync"
"testing"
"time"
"github.com/google/uuid"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/yan1h/agent-coding-workflow/internal/audit"
"github.com/yan1h/agent-coding-workflow/internal/infra/errs"
"github.com/yan1h/agent-coding-workflow/internal/mcp"
)
// ===== fake repo =====
type fakeRepo struct {
mu sync.Mutex
tokens map[uuid.UUID]*mcp.MCPToken
byHash map[string]uuid.UUID
}
func newFakeRepo() *fakeRepo {
return &fakeRepo{
tokens: map[uuid.UUID]*mcp.MCPToken{},
byHash: map[string]uuid.UUID{},
}
}
func (r *fakeRepo) Create(ctx context.Context, t *mcp.MCPToken) (*mcp.MCPToken, error) {
r.mu.Lock()
defer r.mu.Unlock()
c := *t
c.CreatedAt = time.Now()
r.tokens[c.ID] = &c
r.byHash[string(c.TokenHash)] = c.ID
return &c, nil
}
func (r *fakeRepo) GetByHash(ctx context.Context, h []byte) (*mcp.MCPToken, error) {
r.mu.Lock()
defer r.mu.Unlock()
id, ok := r.byHash[string(h)]
if !ok {
return nil, errs.New(errs.CodeMcpTokenInvalid, "not found")
}
c := *r.tokens[id]
return &c, nil
}
func (r *fakeRepo) GetByID(ctx context.Context, id uuid.UUID) (*mcp.MCPToken, error) {
r.mu.Lock()
defer r.mu.Unlock()
t, ok := r.tokens[id]
if !ok {
return nil, errs.New(errs.CodeMcpTokenNotFound, "not found")
}
c := *t
return &c, nil
}
func (r *fakeRepo) List(ctx context.Context, caller *uuid.UUID, activeOnly bool) ([]*mcp.MCPToken, error) {
r.mu.Lock()
defer r.mu.Unlock()
var out []*mcp.MCPToken
for _, t := range r.tokens {
if caller != nil && (t.UserID != *caller || t.Issuer != mcp.IssuerAdmin) {
continue
}
if activeOnly && !t.IsActive(time.Now()) {
continue
}
c := *t
out = append(out, &c)
}
return out, nil
}
func (r *fakeRepo) UpdateLastUsed(ctx context.Context, id uuid.UUID) error {
r.mu.Lock()
defer r.mu.Unlock()
if t, ok := r.tokens[id]; ok {
now := time.Now()
t.LastUsedAt = &now
}
return nil
}
func (r *fakeRepo) Revoke(ctx context.Context, id uuid.UUID) (uuid.UUID, error) {
r.mu.Lock()
defer r.mu.Unlock()
t, ok := r.tokens[id]
if !ok || t.RevokedAt != nil {
return uuid.Nil, errs.New(errs.CodeMcpTokenNotFound, "not found")
}
now := time.Now()
t.RevokedAt = &now
return id, nil
}
func (r *fakeRepo) RevokeBySession(ctx context.Context, sid uuid.UUID) ([]uuid.UUID, error) {
r.mu.Lock()
defer r.mu.Unlock()
var revoked []uuid.UUID
now := time.Now()
for _, t := range r.tokens {
if t.Issuer == mcp.IssuerSystem && t.ACPSessionID != nil && *t.ACPSessionID == sid && t.RevokedAt == nil {
t.RevokedAt = &now
revoked = append(revoked, t.ID)
}
}
return revoked, nil
}
func (r *fakeRepo) ReapStaleSystemTokens(ctx context.Context) ([]uuid.UUID, error) {
return nil, nil
}
func (r *fakeRepo) PurgeExpired(ctx context.Context, before time.Time) (int64, error) {
return 0, nil
}
func (r *fakeRepo) DeleteByID(ctx context.Context, id uuid.UUID) error {
r.mu.Lock()
defer r.mu.Unlock()
delete(r.tokens, id)
return nil
}
// ===== fake audit =====
type fakeAudit struct {
mu sync.Mutex
entries []audit.Entry
}
func (a *fakeAudit) Record(ctx context.Context, e audit.Entry) error {
a.mu.Lock()
defer a.mu.Unlock()
a.entries = append(a.entries, e)
return nil
}
func (a *fakeAudit) actions() []string {
a.mu.Lock()
defer a.mu.Unlock()
out := make([]string, 0, len(a.entries))
for _, e := range a.entries {
out = append(out, e.Action)
}
return out
}
// ===== tests =====
func TestIssueAdmin_HappyPath(t *testing.T) {
t.Parallel()
repo := newFakeRepo()
au := &fakeAudit{}
svc := mcp.NewTokenService(repo, au)
uid := uuid.New()
in := mcp.IssueAdminInput{
UserID: uid,
Name: "test",
Scope: mcp.Scope{Tools: []string{"list_issues"}},
ExpiresAt: time.Now().Add(time.Hour),
CreatedBy: uid,
}
res, err := svc.IssueAdmin(context.Background(), in)
require.NoError(t, err)
assert.NotEmpty(t, res.Plaintext)
assert.Equal(t, []string{"mcp.token.create"}, au.actions())
}
func TestIssueAdmin_NameRequired(t *testing.T) {
t.Parallel()
svc := mcp.NewTokenService(newFakeRepo(), &fakeAudit{})
_, err := svc.IssueAdmin(context.Background(), mcp.IssueAdminInput{
UserID: uuid.New(),
Name: "",
ExpiresAt: time.Now().Add(time.Hour),
CreatedBy: uuid.New(),
})
ae, ok := errs.As(err)
require.True(t, ok)
assert.Equal(t, errs.CodeMcpTokenNameRequired, ae.Code)
}
func TestIssueAdmin_ExpiresRequired(t *testing.T) {
t.Parallel()
svc := mcp.NewTokenService(newFakeRepo(), &fakeAudit{})
_, err := svc.IssueAdmin(context.Background(), mcp.IssueAdminInput{
UserID: uuid.New(),
Name: "x",
CreatedBy: uuid.New(),
})
ae, ok := errs.As(err)
require.True(t, ok)
assert.Equal(t, errs.CodeMcpTokenExpiresRequired, ae.Code)
}
func TestIssueSystemToken_Defaults(t *testing.T) {
t.Parallel()
repo := newFakeRepo()
au := &fakeAudit{}
svc := mcp.NewTokenService(repo, au)
uid := uuid.New()
sid := uuid.New()
pid := uuid.New()
res, err := svc.IssueSystemToken(context.Background(), mcp.IssueSystemTokenInput{
UserID: uid,
ACPSessionID: sid,
ProjectIDs: []uuid.UUID{pid},
})
require.NoError(t, err)
got, err := repo.GetByID(context.Background(), res.ID)
require.NoError(t, err)
assert.Equal(t, mcp.IssuerSystem, got.Issuer)
require.NotNil(t, got.ACPSessionID)
assert.Equal(t, sid, *got.ACPSessionID)
assert.NotNil(t, got.ExpiresAt)
assert.WithinDuration(t, time.Now().Add(24*time.Hour), *got.ExpiresAt, time.Minute)
// 默认工具白名单包含 PM 写入但不含 list_recent_messages
assert.Contains(t, got.Scope.Tools, "create_issue")
assert.NotContains(t, got.Scope.Tools, "list_recent_messages")
assert.Equal(t, []string{"mcp.token.create_system"}, au.actions())
}
func TestAuthenticate_HappyPath(t *testing.T) {
t.Parallel()
repo := newFakeRepo()
svc := mcp.NewTokenService(repo, &fakeAudit{})
res, err := svc.IssueAdmin(context.Background(), mcp.IssueAdminInput{
UserID: uuid.New(),
Name: "x",
ExpiresAt: time.Now().Add(time.Hour),
CreatedBy: uuid.New(),
})
require.NoError(t, err)
tok, err := svc.Authenticate(context.Background(), res.Plaintext)
require.NoError(t, err)
assert.Equal(t, res.ID, tok.ID)
}
func TestAuthenticate_Empty(t *testing.T) {
t.Parallel()
svc := mcp.NewTokenService(newFakeRepo(), &fakeAudit{})
_, err := svc.Authenticate(context.Background(), "")
ae, ok := errs.As(err)
require.True(t, ok)
assert.Equal(t, errs.CodeMcpTokenInvalid, ae.Code)
}
func TestAuthenticate_Revoked(t *testing.T) {
t.Parallel()
repo := newFakeRepo()
svc := mcp.NewTokenService(repo, &fakeAudit{})
res, _ := svc.IssueAdmin(context.Background(), mcp.IssueAdminInput{
UserID: uuid.New(),
Name: "x",
ExpiresAt: time.Now().Add(time.Hour),
CreatedBy: uuid.New(),
})
require.NoError(t, svc.Revoke(context.Background(), res.ID, uuid.New()))
_, err := svc.Authenticate(context.Background(), res.Plaintext)
ae, ok := errs.As(err)
require.True(t, ok)
assert.Equal(t, errs.CodeMcpTokenRevoked, ae.Code)
}
func TestAuthenticate_Expired(t *testing.T) {
t.Parallel()
repo := newFakeRepo()
svc := mcp.NewTokenService(repo, &fakeAudit{})
res, _ := svc.IssueAdmin(context.Background(), mcp.IssueAdminInput{
UserID: uuid.New(),
Name: "x",
ExpiresAt: time.Now().Add(time.Hour),
CreatedBy: uuid.New(),
})
// 直接改 fake repo 中 expires_at 为已过去
past := time.Now().Add(-time.Hour)
repo.tokens[res.ID].ExpiresAt = &past
_, err := svc.Authenticate(context.Background(), res.Plaintext)
ae, ok := errs.As(err)
require.True(t, ok)
assert.Equal(t, errs.CodeMcpTokenExpired, ae.Code)
}
func TestAuthenticate_TamperedToken(t *testing.T) {
t.Parallel()
svc := mcp.NewTokenService(newFakeRepo(), &fakeAudit{})
_, err := svc.Authenticate(context.Background(), "mcpt_tampered_value")
ae, ok := errs.As(err)
require.True(t, ok)
assert.Equal(t, errs.CodeMcpTokenInvalid, ae.Code)
}
func TestRevokeBySession_AuditPerToken(t *testing.T) {
t.Parallel()
repo := newFakeRepo()
au := &fakeAudit{}
svc := mcp.NewTokenService(repo, au)
uid := uuid.New()
sid := uuid.New()
pid := uuid.New()
for i := 0; i < 3; i++ {
_, err := svc.IssueSystemToken(context.Background(), mcp.IssueSystemTokenInput{
UserID: uid, ACPSessionID: sid, ProjectIDs: []uuid.UUID{pid},
})
require.NoError(t, err)
}
require.NoError(t, svc.RevokeBySession(context.Background(), sid))
// 3 个 system 创建 + 3 个 by_session 撤销 = 6 条 audit
actions := au.actions()
assert.Len(t, actions, 6)
createCnt, revokeCnt := 0, 0
for _, a := range actions {
switch a {
case "mcp.token.create_system":
createCnt++
case "mcp.token.revoke_by_session":
revokeCnt++
}
}
assert.Equal(t, 3, createCnt)
assert.Equal(t, 3, revokeCnt)
}
// 编译期保证:类型实现接口
var _ = errors.New