test(federation): M2 E2E peer-add enrollment flow (FED-M2-10) #500

Merged
jason.woltje merged 3 commits from feat/federation-m2-e2e into main 2026-04-22 05:37:07 +00:00

Summary

  • Implements FED-M2-10: E2E HTTP test for the federation peer add enrollment flow
  • Covers MILESTONES.md acceptance criterion #6: peer add <url> on Server A yields an active peer record with a valid cert + key
  • Simulates two gateways against a single NestJS/Fastify app using Test.createTestingModule with FederationModule imported and AdminGuard overridden to allow all requests

What is tested

The test executes the full peer add enrollment flow in five steps:

  1. Server B setup — create a grant + enrollment token via GrantsService/EnrollmentService directly
  2. Server A keypair — POST /api/admin/federation/peers/keypair asserts 201 with peerId and csrPem
  3. Enrollment — POST /api/federation/enrollment/:token with CSR asserts 200 with certPem and certChainPem
  4. Store cert — PATCH /api/admin/federation/peers/:peerId/cert asserts 200
  5. DB assertion — verifies state='active', cert present, certSerial non-empty, clientKeyPem is sealed ciphertext, certNotAfter is in the future

Gate env vars

FEDERATED_INTEGRATION=1
STEP_CA_AVAILABLE=1
STEP_CA_URL=https://localhost:9000
STEP_CA_PROVISIONER_KEY_JSON=...
STEP_CA_ROOT_CERT_PATH=/tmp/step-ca-root.crt

How to run

docker compose -f docker-compose.federated.yml --profile federated up -d

FEDERATED_INTEGRATION=1 STEP_CA_AVAILABLE=1 \
STEP_CA_URL=https://localhost:9000 \
STEP_CA_PROVISIONER_KEY_JSON="$(docker exec $(docker ps -qf name=step-ca) cat /home/step/secrets/mosaic-fed.json)" \
STEP_CA_ROOT_CERT_PATH=/tmp/step-ca-root.crt \
pnpm --filter @mosaicstack/gateway test \
  src/__tests__/integration/federation-m2-e2e.integration.test.ts

Quality gates

All passed locally:

  • typecheck — clean (turbo cache miss, fresh execution for gateway)
  • lint — clean (turbo cache miss, fresh execution for gateway)
  • format:check — all files properly formatted (prettier)
  • Test skips correctly when env vars not set

Closes #461
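
The step 5 DB assertion from the description above, written as a reusable check (an added example, not code from this PR). The field names follow the PR text; the `PeerRecord` shape, the `checkEnrolledPeer` name and the PEM-armor heuristic for "sealed" are assumptions.

```typescript
// Added example. Field names follow the PR text; the record shape and the
// "sealed" heuristic are assumptions, not the project's schema.
interface PeerRecord {
  state: string;
  certPem: string | null;
  certSerial: string | null;
  clientKeyPem: string | null;
  certNotAfter: Date | null;
}

// PEM armor must never appear in a column that is supposed to hold ciphertext.
const PEM_ARMOR = /-----BEGIN [A-Z0-9 ]+-----/;

// Returns a list of problems; an empty list means the record passes step 5.
function checkEnrolledPeer(peer: PeerRecord, now: Date): string[] {
  const problems: string[] = [];
  if (peer.state !== 'active') problems.push(`state is '${peer.state}'`);
  if (!peer.certPem || !peer.certPem.includes('-----BEGIN CERTIFICATE-----')) {
    problems.push('certPem missing or not PEM');
  }
  if (!peer.certSerial || peer.certSerial.trim() === '') {
    problems.push('certSerial empty');
  }
  if (!peer.clientKeyPem) {
    problems.push('clientKeyPem missing');
  } else if (PEM_ARMOR.test(peer.clientKeyPem)) {
    problems.push('clientKeyPem is plaintext PEM, not sealed');
  }
  if (!peer.certNotAfter || peer.certNotAfter.getTime() <= now.getTime()) {
    problems.push('certNotAfter not in the future');
  }
  return problems;
}

// Constructed sample rows; the PEM bodies are placeholders, not real material.
const NOW = new Date('2026-04-22T00:00:00Z');
const goodPeer: PeerRecord = {
  state: 'active',
  certPem: '-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----',
  certSerial: '1a2b3c',
  clientKeyPem: 'sealed:Y29uc3RydWN0ZWQ=',
  certNotAfter: new Date('2026-04-23T00:00:00Z'),
};
const leakyPeer: PeerRecord = {
  ...goodPeer,
  clientKeyPem: '-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----',
  certNotAfter: new Date('2026-04-21T00:00:00Z'),
};
```

The armor check only proves the key column is not raw PEM; it does not prove the ciphertext was produced by the intended sealing key.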

jason.woltje added 2 commits 2026-04-22 05:29:42 +00:00
test(federation): M2 E2E peer-add enrollment flow test (FED-M2-10)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
04b62539c7
Tests MILESTONES.md acceptance criterion #6: peer add flow yields an
active peer record with a valid cert + key. Simulates two gateways
against a single NestJS app instance with FederationModule + overridden
AdminGuard. Steps: keypair → enrollment → cert storage → DB assertion.
Gated by FEDERATED_INTEGRATION=1 and STEP_CA_AVAILABLE=1.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
test(federation): require all Step-CA env vars for stepCaRun gate
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
5ea040af4c
Guard against partial env var sets where STEP_CA_AVAILABLE=1 is set
but provisioner key or root cert path are missing, which would cause
CaService constructor to throw during NestJS module instantiation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
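
One way to express the gate this commit message describes (an added example, not the PR's code). The `stepCaGate` function and `GateResult` type are hypothetical; the variable names come from the "Gate env vars" list, and treating `STEP_CA_URL` as required is an assumption based on "require all Step-CA env vars".

```typescript
// Added example: hypothetical gate helper, not the project's implementation.
// Step-CA variables that must all be non-empty before the suite may run.
const STEP_CA_REQUIRED = [
  'STEP_CA_URL',
  'STEP_CA_PROVISIONER_KEY_JSON',
  'STEP_CA_ROOT_CERT_PATH',
];

interface GateResult {
  run: boolean;
  reason: string;
}

// Decide from an env-like map whether the Step-CA-backed tests should run.
// A partial set yields run=false with the missing names, so the suite is
// skipped instead of failing while the test module is being constructed.
function stepCaGate(env: Record<string, string | undefined>): GateResult {
  if (env['FEDERATED_INTEGRATION'] !== '1' || env['STEP_CA_AVAILABLE'] !== '1') {
    return { run: false, reason: 'integration flags not set' };
  }
  // Empty or whitespace-only values count as missing.
  const missing = STEP_CA_REQUIRED.filter((name) => !(env[name] ?? '').trim());
  if (missing.length > 0) {
    return { run: false, reason: `missing: ${missing.join(', ')}` };
  }
  return { run: true, reason: 'all Step-CA variables present' };
}

// Constructed environments for illustration.
const partialEnv = {
  FEDERATED_INTEGRATION: '1',
  STEP_CA_AVAILABLE: '1',
  STEP_CA_URL: 'https://localhost:9000',
};
const fullEnv = {
  ...partialEnv,
  STEP_CA_PROVISIONER_KEY_JSON: '{"constructed":true}',
  STEP_CA_ROOT_CERT_PATH: '/tmp/step-ca-root.crt',
};
```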
jason.woltje added 1 commit 2026-04-22 05:36:45 +00:00
test(federation): fix DB provider injection in M2 E2E test module
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/push/ci Pipeline was successful
f84706e122
Move DB token from overrideProvider (which requires an existing binding)
to the providers array so Nest can resolve GrantsService dependencies
when FederationModule is tested without DatabaseModule.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jason.woltje merged commit 0ee5b14c68 into main 2026-04-22 05:37:07 +00:00

Reference: mosaicstack/stack#500