tag/v13.29.0/test/test.admin-bootstrap.node.ts

import { tap, expect } from '@git.zone/tstest/tapbundle';
import { TypedRequest } from '@api.global/typedrequest';
import { OpsServer } from '../ts/opsserver/index.js';
import { DcRouterDb } from '../ts/db/index.js';
import * as plugins from '../ts/plugins.js';
import * as interfaces from '../ts_interfaces/index.js';

const testPort = 3110;
const baseUrl = `http://localhost:${testPort}/typedrequest`;
const bootstrapPassword = 'temporary-bootstrap-password';
const persistedPassword = 'persisted-admin-password';

let previousAdminPassword: string | undefined;
let opsServer: OpsServer;
let testDb: DcRouterDb;
let storagePath: string;
let bootstrapIdentity: interfaces.data.IIdentity;
let persistedIdentity: interfaces.data.IIdentity;

const createStatusRequest = () => new TypedRequest<interfaces.requests.IReq_GetAdminBootstrapStatus>(
  baseUrl,
  'getAdminBootstrapStatus',
);

const createLoginRequest = () => new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(
  baseUrl,
  'adminLoginWithUsernameAndPassword',
);

tap.test('setup db-backed OpsServer admin bootstrap test', async () => {
  previousAdminPassword = process.env.DCROUTER_ADMIN_PASSWORD;
  process.env.DCROUTER_ADMIN_PASSWORD = bootstrapPassword;

  storagePath = plugins.path.join(
    plugins.os.tmpdir(),
    `dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`,
  );

  DcRouterDb.resetInstance();
  testDb = DcRouterDb.getInstance({
    storagePath,
    dbName: `dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`,
  });
  await testDb.start();
  await testDb.getDb().mongoDb.createCollection('__test_init');

  const fakeDcRouter = {
    options: {
      opsServerPort: testPort,
      dbConfig: { enabled: true },
      adminAuth: {
        idpClient: {
          loginWithEmailAndPassword: async () => ({
            jwt: 'idp-jwt',
            refreshToken: 'idp-refresh-token',
            user: {
              id: 'idp-user-1',
              data: {
                name: 'Wrong IdP User',
                username: 'wrong@example.com',
                email: 'wrong@example.com',
                status: 'active',
                connectedOrgs: [],
              },
            },
          }),
          stop: async () => {},
        },
      },
    },
    typedrouter: new plugins.typedrequest.TypedRouter(),
    dcRouterDb: testDb,
  };

  opsServer = new OpsServer(fakeDcRouter as any);
  await opsServer.start();
});

tap.test('reports bootstrap required without auto-persisting an admin', async () => {
  const status = await createStatusRequest().fire({});

  expect(status.dbEnabled).toEqual(true);
  expect(status.dbReady).toEqual(true);
  expect(status.hasPersistentAdmin).toEqual(false);
  expect(status.needsBootstrap).toEqual(true);
  expect(status.ephemeralAdminAvailable).toEqual(true);
});

tap.test('allows temporary bootstrap admin login before persisted admin exists', async () => {
  const response = await createLoginRequest().fire({
    username: 'admin',
    password: bootstrapPassword,
  });

  if (!response.identity) {
    throw new Error('Expected bootstrap login identity');
  }
  bootstrapIdentity = response.identity;
  expect(bootstrapIdentity.role).toEqual('admin');
});

tap.test('creates the initial persisted admin explicitly', async () => {
  const request = new TypedRequest<interfaces.requests.IReq_CreateInitialAdminUser>(
    baseUrl,
    'createInitialAdminUser',
  );

  const response = await request.fire({
    identity: bootstrapIdentity,
    email: 'Admin@Example.com',
    name: 'Persisted Admin',
    password: persistedPassword,
    enableIdpGlobalAuth: true,
  });

  expect(response.success).toEqual(true);
  expect(response.user?.role).toEqual('admin');
  expect(response.user?.authSources).toContain('local');
  expect(response.user?.authSources).toContain('idp.global');
  if (!response.identity) {
    throw new Error('Expected persisted admin identity');
  }
  persistedIdentity = response.identity;
});

tap.test('disables bootstrap mode after persisted admin exists', async () => {
  const status = await createStatusRequest().fire({});

  expect(status.hasPersistentAdmin).toEqual(true);
  expect(status.needsBootstrap).toEqual(false);
  expect(status.ephemeralAdminAvailable).toEqual(false);
});

tap.test('rejects the old temporary admin after persisted admin creation', async () => {
  let rejected = false;
  try {
    await createLoginRequest().fire({
      username: 'admin',
      password: bootstrapPassword,
    });
  } catch {
    rejected = true;
  }

  expect(rejected).toEqual(true);
});

tap.test('rejects the old temporary admin identity after persisted admin creation', async () => {
  const request = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(
    baseUrl,
    'verifyIdentity',
  );
  const response = await request.fire({ identity: bootstrapIdentity });

  expect(response.valid).toEqual(false);
});

tap.test('authenticates the persisted admin locally by normalized email', async () => {
  const response = await createLoginRequest().fire({
    username: 'admin@example.com',
    password: persistedPassword,
    authSource: 'local',
  });

  if (!response.identity) {
    throw new Error('Expected persisted admin login identity');
  }
  expect(response.identity.userId).toEqual(persistedIdentity.userId);
});

tap.test('rejects idp.global login when IdP email does not match local account', async () => {
  let rejected = false;
  try {
    await createLoginRequest().fire({
      username: 'admin@example.com',
      password: 'idp-password',
      authSource: 'idp.global',
    });
  } catch {
    rejected = true;
  }

  expect(rejected).toEqual(true);
});

tap.test('lists persisted users without password material', async () => {
  const request = new TypedRequest<interfaces.requests.IReq_ListUsers>(baseUrl, 'listUsers');
  const response = await request.fire({ identity: persistedIdentity });

  expect(response.users.length).toEqual(1);
  expect(response.users[0].email).toEqual('Admin@Example.com');
  expect((response.users[0] as any).password).toBeUndefined();
});

tap.test('cleanup db-backed OpsServer admin bootstrap test', async () => {
  await opsServer.stop();
  await testDb.stop();
  DcRouterDb.resetInstance();
  await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });

  if (previousAdminPassword === undefined) {
    delete process.env.DCROUTER_ADMIN_PASSWORD;
  } else {
    process.env.DCROUTER_ADMIN_PASSWORD = previousAdminPassword;
  }
});

export default tap.start();
feat(opsserver-admin): add persisted admin bootstrap flow with optional idp.global authentication 2026-05-14 00:30:09 +00:00			`import { tap, expect } from '@git.zone/tstest/tapbundle';`
			`import { TypedRequest } from '@api.global/typedrequest';`
			`import { OpsServer } from '../ts/opsserver/index.js';`
			`import { DcRouterDb } from '../ts/db/index.js';`
			`import * as plugins from '../ts/plugins.js';`
			`import * as interfaces from '../ts_interfaces/index.js';`

			`const testPort = 3110;`
			const baseUrl = `http://localhost:${testPort}/typedrequest`;
			`const bootstrapPassword = 'temporary-bootstrap-password';`
			`const persistedPassword = 'persisted-admin-password';`

			`let previousAdminPassword: string \| undefined;`
			`let opsServer: OpsServer;`
			`let testDb: DcRouterDb;`
			`let storagePath: string;`
			`let bootstrapIdentity: interfaces.data.IIdentity;`
			`let persistedIdentity: interfaces.data.IIdentity;`

			`const createStatusRequest = () => new TypedRequest<interfaces.requests.IReq_GetAdminBootstrapStatus>(`
			`baseUrl,`
			`'getAdminBootstrapStatus',`
			`);`

			`const createLoginRequest = () => new TypedRequest<interfaces.requests.IReq_AdminLoginWithUsernameAndPassword>(`
			`baseUrl,`
			`'adminLoginWithUsernameAndPassword',`
			`);`

			`tap.test('setup db-backed OpsServer admin bootstrap test', async () => {`
			`previousAdminPassword = process.env.DCROUTER_ADMIN_PASSWORD;`
			`process.env.DCROUTER_ADMIN_PASSWORD = bootstrapPassword;`

			`storagePath = plugins.path.join(`
			`plugins.os.tmpdir(),`
			`dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`,
			`);`

			`DcRouterDb.resetInstance();`
			`testDb = DcRouterDb.getInstance({`
			`storagePath,`
			dbName: `dcrouter-admin-bootstrap-${Date.now()}-${Math.random().toString(16).slice(2)}`,
			`});`
			`await testDb.start();`
			`await testDb.getDb().mongoDb.createCollection('__test_init');`

			`const fakeDcRouter = {`
			`options: {`
			`opsServerPort: testPort,`
			`dbConfig: { enabled: true },`
			`adminAuth: {`
			`idpClient: {`
			`loginWithEmailAndPassword: async () => ({`
			`jwt: 'idp-jwt',`
			`refreshToken: 'idp-refresh-token',`
			`user: {`
			`id: 'idp-user-1',`
			`data: {`
			`name: 'Wrong IdP User',`
			`username: 'wrong@example.com',`
			`email: 'wrong@example.com',`
			`status: 'active',`
			`connectedOrgs: [],`
			`},`
			`},`
			`}),`
			`stop: async () => {},`
			`},`
			`},`
			`},`
			`typedrouter: new plugins.typedrequest.TypedRouter(),`
			`dcRouterDb: testDb,`
			`};`

			`opsServer = new OpsServer(fakeDcRouter as any);`
			`await opsServer.start();`
			`});`

			`tap.test('reports bootstrap required without auto-persisting an admin', async () => {`
			`const status = await createStatusRequest().fire({});`

			`expect(status.dbEnabled).toEqual(true);`
			`expect(status.dbReady).toEqual(true);`
			`expect(status.hasPersistentAdmin).toEqual(false);`
			`expect(status.needsBootstrap).toEqual(true);`
			`expect(status.ephemeralAdminAvailable).toEqual(true);`
			`});`

			`tap.test('allows temporary bootstrap admin login before persisted admin exists', async () => {`
			`const response = await createLoginRequest().fire({`
			`username: 'admin',`
			`password: bootstrapPassword,`
			`});`

			`if (!response.identity) {`
			`throw new Error('Expected bootstrap login identity');`
			`}`
			`bootstrapIdentity = response.identity;`
			`expect(bootstrapIdentity.role).toEqual('admin');`
			`});`

			`tap.test('creates the initial persisted admin explicitly', async () => {`
			`const request = new TypedRequest<interfaces.requests.IReq_CreateInitialAdminUser>(`
			`baseUrl,`
			`'createInitialAdminUser',`
			`);`

			`const response = await request.fire({`
			`identity: bootstrapIdentity,`
			`email: 'Admin@Example.com',`
			`name: 'Persisted Admin',`
			`password: persistedPassword,`
			`enableIdpGlobalAuth: true,`
			`});`

			`expect(response.success).toEqual(true);`
			`expect(response.user?.role).toEqual('admin');`
			`expect(response.user?.authSources).toContain('local');`
			`expect(response.user?.authSources).toContain('idp.global');`
			`if (!response.identity) {`
			`throw new Error('Expected persisted admin identity');`
			`}`
			`persistedIdentity = response.identity;`
			`});`

			`tap.test('disables bootstrap mode after persisted admin exists', async () => {`
			`const status = await createStatusRequest().fire({});`

			`expect(status.hasPersistentAdmin).toEqual(true);`
			`expect(status.needsBootstrap).toEqual(false);`
			`expect(status.ephemeralAdminAvailable).toEqual(false);`
			`});`

			`tap.test('rejects the old temporary admin after persisted admin creation', async () => {`
			`let rejected = false;`
			`try {`
			`await createLoginRequest().fire({`
			`username: 'admin',`
			`password: bootstrapPassword,`
			`});`
			`} catch {`
			`rejected = true;`
			`}`

			`expect(rejected).toEqual(true);`
			`});`

			`tap.test('rejects the old temporary admin identity after persisted admin creation', async () => {`
			`const request = new TypedRequest<interfaces.requests.IReq_VerifyIdentity>(`
			`baseUrl,`
			`'verifyIdentity',`
			`);`
			`const response = await request.fire({ identity: bootstrapIdentity });`

			`expect(response.valid).toEqual(false);`
			`});`

			`tap.test('authenticates the persisted admin locally by normalized email', async () => {`
			`const response = await createLoginRequest().fire({`
			`username: 'admin@example.com',`
			`password: persistedPassword,`
			`authSource: 'local',`
			`});`

			`if (!response.identity) {`
			`throw new Error('Expected persisted admin login identity');`
			`}`
			`expect(response.identity.userId).toEqual(persistedIdentity.userId);`
			`});`

			`tap.test('rejects idp.global login when IdP email does not match local account', async () => {`
			`let rejected = false;`
			`try {`
			`await createLoginRequest().fire({`
			`username: 'admin@example.com',`
			`password: 'idp-password',`
			`authSource: 'idp.global',`
			`});`
			`} catch {`
			`rejected = true;`
			`}`

			`expect(rejected).toEqual(true);`
			`});`

			`tap.test('lists persisted users without password material', async () => {`
			`const request = new TypedRequest<interfaces.requests.IReq_ListUsers>(baseUrl, 'listUsers');`
			`const response = await request.fire({ identity: persistedIdentity });`

			`expect(response.users.length).toEqual(1);`
			`expect(response.users[0].email).toEqual('Admin@Example.com');`
			`expect((response.users[0] as any).password).toBeUndefined();`
			`});`

			`tap.test('cleanup db-backed OpsServer admin bootstrap test', async () => {`
			`await opsServer.stop();`
			`await testDb.stop();`
			`DcRouterDb.resetInstance();`
			`await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });`

			`if (previousAdminPassword === undefined) {`
			`delete process.env.DCROUTER_ADMIN_PASSWORD;`
			`} else {`
			`process.env.DCROUTER_ADMIN_PASSWORD = previousAdminPassword;`
			`}`
			`});`

			`export default tap.start();`