test(federation): M2 integration tests (FED-M2-09) #499

Merged
jason.woltje merged 2 commits from feat/federation-m2-integration into main 2026-04-22 05:08:25 +00:00
Owner

Summary

Integration tests for the Mosaic federation M2 milestone (FED-M2-09).

Closes #461

Tests covered

  • #1 — createGrant writes a pending row to DB; scope and status verified (FEDERATED_INTEGRATION=1)
  • #5 — clientKeyPem stored in DB is a sealed ciphertext, not a PEM (FEDERATED_INTEGRATION=1)
  • #7 — createGrant rejects scope with unknown resource type with FederationScopeError (FEDERATED_INTEGRATION=1)
  • #8 — listGrants returns accurate status for pending/revoked grants; peer list correct (FEDERATED_INTEGRATION=1)
  • #2 — EnrollmentService.redeem returns a valid PEM certificate via real Step-CA (STEP_CA_AVAILABLE=1)
  • #3 — Second EnrollmentService.redeem with the same token throws GoneException (STEP_CA_AVAILABLE=1)

Gate env vars

DB-only tests (#1, #5, #7, #8): FEDERATED_INTEGRATION=1

Step-CA tests (#2, #3) additional vars:

  • STEP_CA_AVAILABLE=1
  • STEP_CA_URL=https://localhost:9000
  • STEP_CA_PROVISIONER_KEY_JSON — from docker exec $(docker ps -qf name=step-ca) cat /home/step/secrets/mosaic-fed.json
  • STEP_CA_ROOT_CERT_PATH=/tmp/step-ca-root.crt — copy from docker cp $(docker ps -qf name=step-ca):/home/step/certs/root_ca.crt /tmp/step-ca-root.crt

How to run

Prerequisites: docker compose -f docker-compose.federated.yml --profile federated up -d

DB-only: FEDERATED_INTEGRATION=1 pnpm --filter @mosaicstack/gateway test src/__tests__/integration/federation-m2.integration.test.ts

Design notes

  • CaService is mocked via useValue in DB-only tests so Step-CA env vars are not required
  • Two separate describe blocks with different gate conditions
  • Each test creates isolated data with a unique RUN_ID UUID prefix
  • afterAll cleans up in FK-safe order: tokens -> grants -> peers -> users
  • Uses createDb/DbHandle from @mosaicstack/db (avoids direct drizzle-orm/postgres-js import)
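
An added example, not code from this PR or from the Mosaic repository, of the kind of at-rest check test #5 describes: the stored value must not expose a PEM, either directly or behind a plain base64 encoding, and must open to the original key only under the right secret. The `seal`/`unseal` pair here is a hypothetical AES-256-GCM stand-in keyed from a secret argument (the project's real scheme is not shown on this page); `exposesPem`, `isSealedAtRest` and the sample PEM are likewise constructed for illustration.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";

// Hypothetical stand-in for the project's seal(): AES-256-GCM under a key
// derived from a server secret (assumption; the real scheme is not on the page).
const keyFrom = (secret: string): Buffer =>
  Buffer.from(hkdfSync("sha256", secret, "", "example-seal", 32));

function seal(plain: string, secret: string): string {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", keyFrom(secret), iv);
  const body = Buffer.concat([c.update(plain, "utf8"), c.final()]);
  // Layout: 12-byte IV, 16-byte auth tag, ciphertext; base64 for a text column.
  return Buffer.concat([iv, c.getAuthTag(), body]).toString("base64");
}

function unseal(sealed: string, secret: string): string {
  const raw = Buffer.from(sealed, "base64");
  const d = createDecipheriv("aes-256-gcm", keyFrom(secret), raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8");
}

const PEM_MARKER = /-----BEGIN [A-Z0-9 ]+-----/;

// True if the stored value reveals a PEM as-is or after one base64 decode,
// so "encoded but not encrypted" is caught as well as plain text.
function exposesPem(stored: string): boolean {
  if (PEM_MARKER.test(stored)) return true;
  return PEM_MARKER.test(Buffer.from(stored, "base64").toString("latin1"));
}

// At-rest check: the column must not reveal the key and must decrypt
// (with tag verification) to the original PEM under the expected secret.
function isSealedAtRest(stored: string, originalPem: string, secret: string): boolean {
  if (exposesPem(stored)) return false;
  try {
    return unseal(stored, secret) === originalPem;
  } catch {
    return false; // wrong secret, truncated value, or tampered ciphertext
  }
}

// Constructed sample data: random bytes in a PEM wrapper, not a real key.
const SECRET = "constructed-test-secret";
const SAMPLE_PEM =
  "-----BEGIN PRIVATE KEY-----\n" + randomBytes(48).toString("base64") + "\n-----END PRIVATE KEY-----\n";
```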
jason.woltje added 1 commit 2026-04-22 04:56:28 +00:00
test(federation): M2 integration tests (grant CRUD, enrollment, replay, at-rest encryption)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
17f1423318
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jason.woltje added 1 commit 2026-04-22 05:07:49 +00:00
test(federation): fix BETTER_AUTH_SECRET requirement in M2 integration tests
Some checks failed
ci/woodpecker/pr/ci Pipeline failed
ci/woodpecker/push/ci Pipeline failed
08bea8fba0
Ensure BETTER_AUTH_SECRET is set before seal() is called in test #5, add
it to the DB-only run command in the header comment, and surface cleanup
errors to stderr instead of silently swallowing them.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jason.woltje merged commit 3eee176cc3 into main 2026-04-22 05:08:25 +00:00
Reference: mosaicstack/stack#499