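/**
 * End-to-end test for the db-backed OpsServer admin bootstrap flow.
 *
 * The tests share state and must run in file order:
 *   1. Start a throwaway DcRouterDb plus an OpsServer driven by a faked
 *      dcRouter. DCROUTER_ADMIN_PASSWORD supplies the *ephemeral* bootstrap
 *      admin; the fake IdP client always answers with a user whose email does
 *      NOT match the local admin (used by the idp.global mismatch case).
 *   2. With no persisted admin, bootstrap mode is reported and the ephemeral
 *      "admin" account can log in.
 *   3. The bootstrap identity explicitly creates the first persisted admin.
 *   4. Afterwards bootstrap mode is closed: the ephemeral password and the old
 *      bootstrap identity are rejected, the persisted admin logs in locally by
 *      normalized email, a mismatching idp.global login is rejected without
 *      provisioning an account, and listUsers leaks no password material.
 *   5. Cleanup restores the environment and removes the temp storage.
 *
 * NOTE(review): none of the TypedRequest calls pin a request/response type,
 * so field names such as `needsBootstrap` are not compile-checked. Adding the
 * matching interface generics from ts_interfaces would catch drift early.
 */
import { tap, expect } from '@git.zone/tstest/tapbundle';
import { TypedRequest } from '@api.global/typedrequest';
import { OpsServer } from '../ts/opsserver/index.js';
import { DcRouterDb } from '../ts/db/index.js';
import * as plugins from '../ts/plugins.js';
import * as interfaces from '../ts_interfaces/index.js';

const testPort = 3110;
const baseUrl = `http://localhost:${testPort}/typedrequest`;

// Test-only secrets; the first is injected via the environment, the second is
// what the persisted admin is created with.
const bootstrapPassword = 'temporary-bootstrap-password';
const persistedPassword = 'persisted-admin-password';

let previousAdminPassword: string | undefined;
let opsServer: OpsServer;
let testDb: DcRouterDb;
let storagePath: string;
let bootstrapIdentity: interfaces.data.IIdentity;
let persistedIdentity: interfaces.data.IIdentity;

/**
 * Status probe. It is fired without an identity, i.e. unauthenticated.
 * NOTE(review): that means anyone who can reach the port learns whether
 * bootstrap mode is still open (`ephemeralAdminAvailable`) — confirm this
 * disclosure is intended. The probe doubles as a liveness check below.
 */
const createStatusRequest = () =>
  new TypedRequest(baseUrl, 'getAdminBootstrapStatus');

/** Username/password login request; `authSource` selects local vs idp.global. */
const createLoginRequest = () =>
  new TypedRequest(baseUrl, 'adminLoginWithUsernameAndPassword');

/** Lists persisted users; requires an admin identity. */
const createListUsersRequest = () => new TypedRequest(baseUrl, 'listUsers');

tap.test('setup db-backed OpsServer admin bootstrap test', async () => {
  // Remember the caller's value so cleanup can restore it exactly
  // (including "unset").
  previousAdminPassword = process.env.DCROUTER_ADMIN_PASSWORD;
  process.env.DCROUTER_ADMIN_PASSWORD = bootstrapPassword;

  // One unique suffix for both the on-disk path and the db name so a
  // concurrent run cannot collide with this one.
  const runId = `${Date.now()}-${Math.random().toString(16).slice(2)}`;
  storagePath = plugins.path.join(
    plugins.os.tmpdir(),
    `dcrouter-admin-bootstrap-${runId}`,
  );

  DcRouterDb.resetInstance();
  testDb = DcRouterDb.getInstance({
    storagePath,
    dbName: `dcrouter-admin-bootstrap-${runId}`,
  });
  await testDb.start();
  // Touch the database so it exists before OpsServer inspects it.
  await testDb.getDb().mongoDb.createCollection('__test_init');

  // Minimal stand-in for the real dcRouter: only what OpsServer reads.
  // The fake IdP deliberately reports an email that is not the local admin's.
  const fakeDcRouter = {
    options: {
      opsServerPort: testPort,
      dbConfig: { enabled: true },
      adminAuth: {
        idpClient: {
          loginWithEmailAndPassword: async () => ({
            jwt: 'idp-jwt',
            refreshToken: 'idp-refresh-token',
            user: {
              id: 'idp-user-1',
              data: {
                name: 'Wrong IdP User',
                username: 'wrong@example.com',
                email: 'wrong@example.com',
                status: 'active',
                connectedOrgs: [],
              },
            },
          }),
          stop: async () => {},
        },
      },
    },
    typedrouter: new plugins.typedrequest.TypedRouter(),
    dcRouterDb: testDb,
  };

  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- partial fake, test only
  opsServer = new OpsServer(fakeDcRouter as any);
  await opsServer.start();
});

tap.test('reports bootstrap required without auto-persisting an admin', async () => {
  const status = await createStatusRequest().fire({});
  expect(status.dbEnabled).toEqual(true);
  expect(status.dbReady).toEqual(true);
  // Starting the server must not silently create a persisted admin.
  expect(status.hasPersistentAdmin).toEqual(false);
  expect(status.needsBootstrap).toEqual(true);
  expect(status.ephemeralAdminAvailable).toEqual(true);
});

tap.test('allows temporary bootstrap admin login before persisted admin exists', async () => {
  const response = await createLoginRequest().fire({
    username: 'admin',
    password: bootstrapPassword,
  });
  if (!response.identity) {
    throw new Error('Expected bootstrap login identity');
  }
  bootstrapIdentity = response.identity;
  expect(bootstrapIdentity.role).toEqual('admin');
});

tap.test('creates the initial persisted admin explicitly', async () => {
  const request = new TypedRequest(baseUrl, 'createInitialAdminUser');
  // Mixed-case email on purpose: a later test logs in with the lowercase
  // form and listUsers must still return the original spelling.
  const response = await request.fire({
    identity: bootstrapIdentity,
    email: 'Admin@Example.com',
    name: 'Persisted Admin',
    password: persistedPassword,
    enableIdpGlobalAuth: true,
  });
  expect(response.success).toEqual(true);
  expect(response.user?.role).toEqual('admin');
  expect(response.user?.authSources).toContain('local');
  expect(response.user?.authSources).toContain('idp.global');
  if (!response.identity) {
    throw new Error('Expected persisted admin identity');
  }
  persistedIdentity = response.identity;
  // TODO(review): add a negative case asserting that a second
  // createInitialAdminUser call is rejected once a persisted admin exists —
  // the takeover window this flow is meant to close is not asserted here.
});

tap.test('disables bootstrap mode after persisted admin exists', async () => {
  const status = await createStatusRequest().fire({});
  expect(status.hasPersistentAdmin).toEqual(true);
  expect(status.needsBootstrap).toEqual(false);
  expect(status.ephemeralAdminAvailable).toEqual(false);
});

tap.test('rejects the old temporary admin after persisted admin creation', async () => {
  // A connection failure would also throw below and let the negative
  // assertion pass vacuously, so first prove the server answers and that
  // bootstrap mode really is closed.
  const status = await createStatusRequest().fire({});
  expect(status.needsBootstrap).toEqual(false);
  expect(status.ephemeralAdminAvailable).toEqual(false);

  let rejected = false;
  try {
    await createLoginRequest().fire({
      username: 'admin',
      password: bootstrapPassword,
    });
  } catch {
    rejected = true;
  }
  expect(rejected).toEqual(true);
});

tap.test('rejects the old temporary admin identity after persisted admin creation', async () => {
  // Positive control: the persisted identity must verify, otherwise a
  // `valid: false` for the bootstrap identity proves nothing.
  const persistedCheck = await new TypedRequest(baseUrl, 'verifyIdentity').fire({
    identity: persistedIdentity,
  });
  expect(persistedCheck.valid).toEqual(true);

  const response = await new TypedRequest(baseUrl, 'verifyIdentity').fire({
    identity: bootstrapIdentity,
  });
  expect(response.valid).toEqual(false);
});

tap.test('authenticates the persisted admin locally by normalized email', async () => {
  const response = await createLoginRequest().fire({
    username: 'admin@example.com',
    password: persistedPassword,
    authSource: 'local',
  });
  if (!response.identity) {
    throw new Error('Expected persisted admin login identity');
  }
  expect(response.identity.userId).toEqual(persistedIdentity.userId);
});

tap.test('rejects idp.global login when IdP email does not match local account', async () => {
  // Liveness/precondition probe, same reasoning as the ephemeral-login test.
  const status = await createStatusRequest().fire({});
  expect(status.hasPersistentAdmin).toEqual(true);

  let rejected = false;
  try {
    await createLoginRequest().fire({
      username: 'admin@example.com',
      password: 'idp-password',
      authSource: 'idp.global',
    });
  } catch {
    rejected = true;
  }
  expect(rejected).toEqual(true);

  // The mismatching IdP user must not have been auto-provisioned either.
  const listed = await createListUsersRequest().fire({ identity: persistedIdentity });
  expect(listed.users.length).toEqual(1);
});

tap.test('lists persisted users without password material', async () => {
  const response = await createListUsersRequest().fire({ identity: persistedIdentity });
  expect(response.users.length).toEqual(1);
  const [user] = response.users;
  expect(user.email).toEqual('Admin@Example.com');

  // Inspect the JSON wire shape rather than the typed object: that is what a
  // client actually receives. Besides `password`, reject the usual names a
  // stored secret might travel under so a field rename cannot slip through.
  const wireShape: Record<string, unknown> = JSON.parse(JSON.stringify(user));
  for (const field of ['password', 'passwordHash', 'passwordSalt', 'hash', 'salt']) {
    expect(wireShape[field]).toBeUndefined();
  }
});

tap.test('cleanup db-backed OpsServer admin bootstrap test', async () => {
  await opsServer.stop();
  await testDb.stop();
  DcRouterDb.resetInstance();
  await plugins.fs.promises.rm(storagePath, { recursive: true, force: true });
  // Restore the environment exactly: unset if it was unset before.
  if (previousAdminPassword === undefined) {
    delete process.env.DCROUTER_ADMIN_PASSWORD;
  } else {
    process.env.DCROUTER_ADMIN_PASSWORD = previousAdminPassword;
  }
});

export default tap.start();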