- Network-policy SPIRE plugin extension - Governance event notification with merkle anchoring - Shellstream specs for consent channels + HFL embedded ABI - All 17 audit findings from AUDIT.md remediated - SSH credential composer + substrate key manager updates - Test coverage for config + sshcert packages Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
package config
import (
"strings"
"testing"
)
// TestValidateRequiresTrustDomain checks that a zero-value PluginConfig is
// rejected by Validate and that the returned error names the missing
// trust_domain setting.
func TestValidateRequiresTrustDomain(t *testing.T) {
	cfg := new(PluginConfig)

	validationErr := cfg.Validate()
	switch {
	case validationErr == nil:
		// Fatal: there is no error value left to inspect.
		t.Fatal("expected error for empty trust domain")
	case !strings.Contains(validationErr.Error(), "trust_domain is required"):
		t.Errorf("expected trust_domain error, got: %v", validationErr)
	}
}
// TestValidateRequiresGovernanceAddr checks that a config carrying only a
// trust domain is rejected and that the error mentions governance_addr.
func TestValidateRequiresGovernanceAddr(t *testing.T) {
	cfg := new(PluginConfig)
	cfg.TrustDomain = "example.org"

	validationErr := cfg.Validate()
	switch {
	case validationErr == nil:
		// Fatal: there is no error value left to inspect.
		t.Fatal("expected error for empty governance_addr")
	case !strings.Contains(validationErr.Error(), "governance_addr is required"):
		t.Errorf("expected governance_addr error, got: %v", validationErr)
	}
}
// TestValidateRequiresClusterID checks that a config with a trust domain and
// governance address but no cluster ID is rejected, and that the error
// mentions cluster_id.
func TestValidateRequiresClusterID(t *testing.T) {
	cfg := new(PluginConfig)
	cfg.TrustDomain = "example.org"
	cfg.GovernanceAddr = "localhost:50051"

	validationErr := cfg.Validate()
	switch {
	case validationErr == nil:
		// Fatal: there is no error value left to inspect.
		t.Fatal("expected error for empty cluster_id")
	case !strings.Contains(validationErr.Error(), "cluster_id is required"):
		t.Errorf("expected cluster_id error, got: %v", validationErr)
	}
}
// TestValidateAcceptsMinimalConfig checks that the three required settings
// alone pass validation, and that Validate fills in the default governance
// epoch when none was given.
func TestValidateAcceptsMinimalConfig(t *testing.T) {
	cfg := new(PluginConfig)
	cfg.TrustDomain = "example.org"
	cfg.GovernanceAddr = "localhost:50051"
	cfg.ClusterID = "cluster-a"

	if validationErr := cfg.Validate(); validationErr != nil {
		t.Fatalf("unexpected error: %v", validationErr)
	}

	// The epoch was left at its zero value, so Validate is expected to have
	// written the default into the config.
	if got := cfg.GovernanceEpochSeconds; got != DefaultGovernanceEpochSeconds {
		t.Errorf("expected default epoch %d, got %d", DefaultGovernanceEpochSeconds, got)
	}
}
// TestValidateEpochDefault checks that an unset GovernanceEpochSeconds is
// replaced by DefaultGovernanceEpochSeconds during Validate.
//
// NOTE(review): this exercises the same input and the same post-condition as
// TestValidateAcceptsMinimalConfig; only the failure message differs.
func TestValidateEpochDefault(t *testing.T) {
	cfg := new(PluginConfig)
	cfg.TrustDomain = "example.org"
	cfg.GovernanceAddr = "localhost:50051"
	cfg.ClusterID = "cluster-a"

	validationErr := cfg.Validate()
	if validationErr != nil {
		t.Fatalf("unexpected error: %v", validationErr)
	}

	if got := cfg.GovernanceEpochSeconds; got != DefaultGovernanceEpochSeconds {
		t.Errorf("GovernanceEpochSeconds: got %d, want %d", got, DefaultGovernanceEpochSeconds)
	}
}
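// TestValidateEpochBelowMinimum checks that Validate rejects a governance
// epoch just under MinGovernanceEpochSeconds and reports it as below the
// minimum.
func TestValidateEpochBelowMinimum(t *testing.T) {
	cfg := &PluginConfig{
		TrustDomain:    "example.org",
		GovernanceAddr: "localhost:50051",
		ClusterID:      "cluster-a",
		// One below the lower bound, derived from the constant rather than a
		// literal: the test keeps tracking the bound if it changes, and an
		// off-by-one in the lower-bound comparison would let this value pass.
		// Assumes MinGovernanceEpochSeconds > 1, so this is not the zero
		// value that Validate replaces with the default.
		GovernanceEpochSeconds: MinGovernanceEpochSeconds - 1,
	}

	err := cfg.Validate()
	if err == nil {
		// Fatal: there is no error value left to inspect.
		t.Fatal("expected error for epoch below minimum")
	}
	if !strings.Contains(err.Error(), "below minimum") {
		t.Errorf("expected below-minimum error, got: %v", err)
	}
}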
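// TestValidateEpochAboveMaximum checks that Validate rejects a governance
// epoch just over MaxGovernanceEpochSeconds and reports it as exceeding the
// maximum.
func TestValidateEpochAboveMaximum(t *testing.T) {
	cfg := &PluginConfig{
		TrustDomain:    "example.org",
		GovernanceAddr: "localhost:50051",
		ClusterID:      "cluster-a",
		// One above the upper bound, derived from the constant rather than a
		// literal: the test keeps tracking the bound if it changes, and an
		// off-by-one in the upper-bound comparison would let this value pass.
		GovernanceEpochSeconds: MaxGovernanceEpochSeconds + 1,
	}

	err := cfg.Validate()
	if err == nil {
		// Fatal: there is no error value left to inspect.
		t.Fatal("expected error for epoch above maximum")
	}
	if !strings.Contains(err.Error(), "exceeds maximum") {
		t.Errorf("expected exceeds-maximum error, got: %v", err)
	}
}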
// TestValidateEpochAtBounds checks that both limits of the governance epoch
// range are themselves accepted: MinGovernanceEpochSeconds and
// MaxGovernanceEpochSeconds must each pass Validate.
func TestValidateEpochAtBounds(t *testing.T) {
	cfg := new(PluginConfig)
	cfg.TrustDomain = "example.org"
	cfg.GovernanceAddr = "localhost:50051"
	cfg.ClusterID = "cluster-a"

	// Lower limit.
	cfg.GovernanceEpochSeconds = MinGovernanceEpochSeconds
	lowErr := cfg.Validate()
	if lowErr != nil {
		t.Fatalf("unexpected error at min bound: %v", lowErr)
	}

	// Upper limit, on the same config value that has already been validated
	// once.
	cfg.GovernanceEpochSeconds = MaxGovernanceEpochSeconds
	highErr := cfg.Validate()
	if highErr != nil {
		t.Fatalf("unexpected error at max bound: %v", highErr)
	}
}
// TestValidateWhitespaceOnlyCeremonyAddr checks that a ceremony address made
// up only of a space is rejected rather than treated as a usable address, and
// that the error mentions ceremony_addr.
func TestValidateWhitespaceOnlyCeremonyAddr(t *testing.T) {
	cfg := new(PluginConfig)
	cfg.TrustDomain = "example.org"
	cfg.GovernanceAddr = "localhost:50051"
	cfg.ClusterID = "cluster-a"
	cfg.CeremonyAddr = " "

	validationErr := cfg.Validate()
	switch {
	case validationErr == nil:
		// Fatal: there is no error value left to inspect.
		t.Fatal("expected error for whitespace-only ceremony_addr")
	case !strings.Contains(validationErr.Error(), "ceremony_addr is set but empty"):
		t.Errorf("expected ceremony_addr error, got: %v", validationErr)
	}
}
// TestValidateWhitespaceOnlyNotaryAddr checks that a notary address made up
// only of a tab character is rejected rather than treated as a usable
// address, and that the error mentions notary_addr.
func TestValidateWhitespaceOnlyNotaryAddr(t *testing.T) {
	cfg := new(PluginConfig)
	cfg.TrustDomain = "example.org"
	cfg.GovernanceAddr = "localhost:50051"
	cfg.ClusterID = "cluster-a"
	cfg.NotaryAddr = "\t"

	validationErr := cfg.Validate()
	switch {
	case validationErr == nil:
		// Fatal: there is no error value left to inspect.
		t.Fatal("expected error for whitespace-only notary_addr")
	case !strings.Contains(validationErr.Error(), "notary_addr is set but empty"):
		t.Errorf("expected notary_addr error, got: %v", validationErr)
	}
}
// TestValidateAcceptsOptionalAddresses checks that a config with the
// required settings plus well-formed ceremony and notary addresses passes
// Validate.
//
// NOTE(review): the address tests in this file cover only empty,
// whitespace-only and well-formed host:port values. Whether Validate rejects
// a malformed address (no port, surrounding whitespace) or a whitespace-only
// required field cannot be told from here. Confirm against Validate and add
// cases if it is meant to.
func TestValidateAcceptsOptionalAddresses(t *testing.T) {
	cfg := new(PluginConfig)
	cfg.TrustDomain = "example.org"
	cfg.GovernanceAddr = "localhost:50051"
	cfg.ClusterID = "cluster-a"
	cfg.CeremonyAddr = "localhost:50052"
	cfg.NotaryAddr = "localhost:50053"

	validationErr := cfg.Validate()
	if validationErr != nil {
		t.Fatalf("unexpected error: %v", validationErr)
	}
}