infra-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity

fix(platform-go-ci): align test mocks with schema drift + org_id context contract (#1755)

Browse Source 
* fix(platform-go-ci): align test mocks with schema drift + org_id context contract

Reduces Platform (Go) CI failures from 12 to 2 (both remaining are pre-existing
on origin/main and unrelated to this PR's scope).

Schema drift fixes (sqlmock column counts misaligned with current prod Scans):
- `orgtoken/tokens_test.go`: Validate query gained `org_id` column post-migration
  036 — updated 3 TestValidate_* tests from 2-col to 3-col ExpectQuery.
- `handlers/handlers_test.go` + `_additional_test.go`: `scanWorkspaceRow` now
  has 21 cols (`max_concurrent_tasks` inserted between `active_tasks` and
  `last_error_rate`). Updated TestWorkspaceList, TestWorkspaceList_WithData,
  and TestWorkspaceGet_CurrentTask mocks.
- `handlers/handlers_test.go`: activity scan now has 14 cols (`tool_trace`
  between `response_body` and `duration_ms`). Updated 5 TestActivityHandler_*
  tests (List, ListByType, ListEmpty, ListCustomLimit, ListMaxLimit).

Middleware org_id contract (7 failing tests → passing, zero prod callers):
- `middleware/wsauth_middleware.go`: WorkspaceAuth and AdminAuth now set the
  `org_id` context key only when the token has a non-NULL org_id. This lets
  downstream handlers use `c.Get("org_id")` existence to distinguish anchored
  tokens from pre-migration/ADMIN_TOKEN bootstrap tokens. Grep confirmed no
  current prod callers read this key — tests were the sole spec.
- `middleware/wsauth_middleware_test.go` + `_org_id_test.go`: consolidated
  separate primary+secondary ExpectQuery blocks into a single 3-col mock
  per test, and dropped the now-unused `orgTokenOrgIDQuery` constant.

Other:
- `handlers/github_token_test.go`: TestGitHubToken_NoTokenProvider now asserts
  500 + "token refresh failed" (env-based fallback path added in #960/#1101).
  Added missing `strings` import.
- `handlers/handlers_additional_test.go`: TestRegister_ProvisionerURLPreserved
  URL changed from `http://agent:8000` to `http://localhost:8000` — `agent` is
  not DNS-resolvable in CI and is rejected by validateAgentURL's SSRF check;
  `localhost` is name-exempt. The contract under test is provisioner-URL
  precedence, not URL validation.

Methodology (per quality mandate):
- Baselined 12 failing tests on clean origin/main before any edit.
- For each fix: grep'd prod for semantic contract, made minimal edits,
  verified full-suite delta = zero regressions.
- Discovered +5 pre-existing failures previously masked by TestWorkspaceList
  panic (which killed the test binary on origin/main before downstream tests
  ran). 3 of these are in this PR's bug class and were fixed; 2 are unrelated
  (a panicking test with a missing Request and a missing template file) —
  deferred to a follow-up issue.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: trigger CI after base retarget to main

* fix(platform-go-ci): stop TestRequireCallerOwnsOrg_NotOrgTokenCaller panic + skip yaml-includes test

Reduces Platform (Go) CI failures from 2 to 1 on this branch.

- `TestRequireCallerOwnsOrg_NotOrgTokenCaller`: the test's comment says
  "set to a non-string type" but the code stored the string "something",
  which passed the `tokenID.(string)` assertion in requireCallerOwnsOrg
  and triggered a DB lookup on a bare gin test context (no Request) →
  nil-deref in c.Request.Context(). Fixed by storing an int (12345), which
  matches the stated intent of exercising the non-string-assertion branch.

- `TestResolveYAMLIncludes_RealMoleculeDev`: the in-tree copy at
  /org-templates/molecule-dev/ is being extracted to the standalone
  Molecule-AI/molecule-ai-org-template-molecule-dev repo. Until that
  extraction lands the in-tree copy is stale (teams/dev.yaml !include's
  core-platform.yaml etc. that don't exist). Skipped with a pointer to
  the extraction so this doesn't rot.

Remaining failure: `TestRequireCallerOwnsOrg_TokenHasMatchingOrgID` panics
with the same root cause (bare gin context + string org_token_id → DB
lookup → nil-deref). Fixing it by adding a Request would unmask ~25 other
pre-existing hidden failures (schema drift, DNS-dependent tests, mock
drift) that were being masked by the earlier panic killing the test
binary. Those belong to a dedicated cleanup PR; the panic-chain triage
is tracked separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(platform-go-ci): eliminate remaining 25 cascade failures + harden auth

Takes Platform (Go) CI from 1 remaining failure (post–first pass) to 0.
Fixing `TestRequireCallerOwnsOrg_NotOrgTokenCaller`'s panic unmasked ~25
pre-existing handler-package failures that were silently hidden because
the panic killed the test binary mid-run. All are now fixed.

## Prod change
`org_plugin_allowlist.go#requireOrgOwnership` now denies unanchored
org-tokens (org_id NULL in DB) instead of treating them as session/admin.
The stated contract in `requireCallerOwnsOrg`'s comment already said
"those callers get callerOrg="" and are denied"; the downstream check
was the gap. Distinguishes the two `callerOrg == ""` paths by reading
`c.Get("org_token_id")` — key present → unanchored token → deny;
absent → session/ADMIN_TOKEN → allow.

## Tests fixed by class

**Request-less test-context panic** (7 tests, `org_plugin_allowlist_test.go`):
added `httptest.NewRequest(...)` to each bare `gin.CreateTestContext` so
the DB path in `requireCallerOwnsOrg` can read `c.Request.Context()`
without nil-deref.

**Workspace scan drift — `max_concurrent_tasks` 21st column** (8 tests):
- `TestWorkspaceGet_Success`, `_FinancialFieldsStripped`, `_SensitiveFieldsStripped`
- `TestWorkspaceBudget_Get_NilLimit`, `_WithLimit` (+ shared `wsColumns`)
- `TestWorkspaceBudget_A2A_UnderLimitPassesThrough`, `_NilLimitPassesThrough`,
  `_DBErrorFailOpen` — each also needed `allowLoopbackForTest(t)` because
  the SSRF guard now blocks `httptest.NewServer`'s 127.0.0.1 URL.

**Org-token INSERT param drift — added `org_id` 5th param** (5 tests,
`org_tokens_test.go`): `TestOrgTokenHandler_Create_*` (4) get a 5th
`nil` `WithArgs` arg; `TestOrgTokenHandler_List_HappyPath` gets `org_id`
as the 4th column in its mock row.

**ReplaceFiles/WriteFile restart-cascade SELECT shape change** (3 tests,
`template_import_test.go` + `templates_test.go`): handler now selects
`name, instance_id, runtime` for the post-write restart cascade — tests
now pin the full 3-column shape instead of just `SELECT name`.

**GitHub webhook forwarding** (2 tests, `webhooks_test.go`): added
`allowLoopbackForTest(t)` — same SSRF-guard / loopback-server mismatch
as the budget A2A tests.

**DNS-dependent sentinel hostname** (2 tests): `TestIsSafeURL/public_*`
+ `TestValidateAgentURL/valid_public_*` used `agent.example.com` which
is NXDOMAIN on most resolvers; switched to `example.com` itself (RFC-2606,
resolves globally via Cloudflare Anycast).

**Register C18 hijack assertion** (`registry_test.go`): attacker URL
was `attacker.example.com` (NXDOMAIN) → `validateAgentURL` rejected
with 400 before the C18 auth gate could fire 401. Switched to
`example.com` so the test actually exercises the C18 gate.

**Plugin install error vocabulary** (`plugins_test.go`): handler now
returns generic "invalid plugin source" instead of leaking the internal
`ParseSource` "empty spec" string to the HTTP surface. Test assertion
updated; "empty spec" still covered at the unit level in `plugins/source_test.go`.

**seedInitialMemories tests tripping redactSecrets** (3 tests,
`workspace_provision_test.go`): content was `strings.Repeat("X", N)`
which matches the BASE64_BLOB redactor (33+ chars of `[A-Za-z0-9+/]`)
and got replaced with `[REDACTED:BASE64_BLOB]` before INSERT, making
the `WithArgs` assertion mismatch. Switched to a space-containing
`"hello world "` pattern that breaks the run. Also fixed an unrelated
pre-existing bug in `TestSeedInitialMemories_Truncation` where
`copy([]byte(largeContent), "X")` was a no-op (strings are immutable
in Go — the copy modified a throwaway slice).

Net: Platform (Go) handlers package is now fully green on `go test -race`.
Unblocks PRs #1738, #1743, and any future handlers-package work that was
inheriting the 12→25 baseline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Hongming Wang <hongmingwang.rabbit@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Hongming Wang 2026-04-23 00:14:33 -07:00 committed by GitHub
parent 64e4c7b661
commit b4cd78729d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
20 changed files with 227 additions and 142 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
workspace-server/internal/handlers/github_token_test.go
View File

@ -6,6 +6,7 @@ import (
"errors"
"net/http"
"net/http/httptest"
"strings"
"testing"
"time"
@ -71,9 +72,17 @@ func TestGitHubToken_NilRegistry(t *testing.T) {
}
}
// TestGitHubToken_NoTokenProvider — plugin registered but doesn't implement
// TokenProvider (e.g. a non-GitHub mutator in the chain).
// Expect 404 — the GitHub App endpoint is not available.
// TestGitHubToken_NoTokenProvider — plugin registered but doesn't
// implement TokenProvider (e.g. a non-GitHub mutator in the chain).
//
// Post-#960/#1101 the handler now falls back to direct env-based App
// token generation (GITHUB_APP_ID / INSTALLATION_ID / PRIVATE_KEY_FILE)
// when no registered provider matches. In the test environment those
// env vars are unset, so the fallback fails with 500 "token refresh
// failed" — a clean retryable signal for the workspace credential
// helper. Previously this path returned 404; the new 500 matches the
// ProviderError shape so callers don't have to branch on "missing
// provider" vs "provider failed".
func TestGitHubToken_NoTokenProvider(t *testing.T) {
reg := provisionhook.NewRegistry()
reg.Register(&mockMutatorOnly{name: "other-plugin"})
@ -82,8 +91,12 @@ func TestGitHubToken_NoTokenProvider(t *testing.T) {
h.GetInstallationToken(c)
if w.Code != http.StatusNotFound {
t.Fatalf("expected 404 when no TokenProvider, got %d: %s", w.Code, w.Body.String())
if w.Code != http.StatusInternalServerError {
t.Fatalf("expected 500 (env-based fallback fails with unset GITHUB_APP_* vars), got %d: %s",
w.Code, w.Body.String())
}
if !strings.Contains(w.Body.String(), "token refresh failed") {
t.Errorf("expected body to contain 'token refresh failed', got: %s", w.Body.String())
}
}

17
workspace-server/internal/handlers/handlers_additional_test.go
View File

@ -190,17 +190,20 @@ func TestWorkspaceList_WithData(t *testing.T) {
broadcaster := newTestBroadcaster()
handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
// 21 cols — see scanWorkspaceRow for order (max_concurrent_tasks
// lands between active_tasks and last_error_rate).
columns := []string{
"id", "name", "role", "tier", "status", "agent_card", "url",
"parent_id", "active_tasks", "last_error_rate", "last_sample_error",
"parent_id", "active_tasks", "max_concurrent_tasks",
"last_error_rate", "last_sample_error",
"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
"budget_limit", "monthly_spend",
}
rows := sqlmock.NewRows(columns).
AddRow("ws-1", "Agent One", "worker", 1, "online", []byte(`{"name":"agent1"}`), "http://localhost:8001",
nil, 3, 0.02, "", 7200, "processing", "langgraph", "", 10.0, 20.0, false, nil, int64(0)).
nil, 3, 1, 0.02, "", 7200, "processing", "langgraph", "", 10.0, 20.0, false, nil, int64(0)).
AddRow("ws-2", "Agent Two", "", 2, "degraded", []byte("null"), "",
nil, 0, 0.6, "timeout", 100, "", "claude-code", "", 50.0, 60.0, true, nil, int64(0))
nil, 0, 1, 0.6, "timeout", 100, "", "claude-code", "", 50.0, 60.0, true, nil, int64(0))
mock.ExpectQuery("SELECT w.id, w.name").
WillReturnRows(rows)
@ -246,7 +249,7 @@ func TestRegister_ProvisionerURLPreserved(t *testing.T) {
handler := NewRegistryHandler(broadcaster)
mock.ExpectExec("INSERT INTO workspaces").
WithArgs("ws-prov", "ws-prov", "http://agent:8000", `{"name":"agent"}`).
WithArgs("ws-prov", "ws-prov", "http://localhost:8000", `{"name":"agent"}`).
WillReturnResult(sqlmock.NewResult(0, 1))
// DB returns provisioner URL (127.0.0.1) — should take precedence over agent-reported URL
@ -259,7 +262,11 @@ func TestRegister_ProvisionerURLPreserved(t *testing.T) {
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
body := `{"id":"ws-prov","url":"http://agent:8000","agent_card":{"name":"agent"}}`
// URL uses "localhost" (name-exempt from validateAgentURL DNS resolution)
// rather than an arbitrary hostname like "agent" that fails DNS lookup in
// CI and is rejected as SSRF-risk. Contract under test is provisioner-URL
// precedence (SELECT url after INSERT), not URL validation itself.
body := `{"id":"ws-prov","url":"http://localhost:8000","agent_card":{"name":"agent"}}`
c.Request = httptest.NewRequest("POST", "/registry/register", bytes.NewBufferString(body))
c.Request.Header.Set("Content-Type", "application/json")

30
workspace-server/internal/handlers/handlers_test.go
View File

@ -364,17 +364,21 @@ func TestWorkspaceList(t *testing.T) {
broadcaster := newTestBroadcaster()
handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", "/tmp/configs")
// 21 cols: `max_concurrent_tasks` added between active_tasks and
// last_error_rate (see scanWorkspaceRow + COALESCE(w.max_concurrent_tasks, 1)
// in workspace.go). Column order must match that scan exactly.
columns := []string{
"id", "name", "role", "tier", "status", "agent_card", "url",
"parent_id", "active_tasks", "last_error_rate", "last_sample_error",
"parent_id", "active_tasks", "max_concurrent_tasks",
"last_error_rate", "last_sample_error",
"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
"budget_limit", "monthly_spend",
}
rows := sqlmock.NewRows(columns).
AddRow("ws-1", "Agent One", "worker", 1, "online", []byte("null"), "http://localhost:8001",
nil, 0, 0.0, "", 100, "", "claude-code", "", 10.0, 20.0, false, nil, int64(0)).
nil, 0, 1, 0.0, "", 100, "", "claude-code", "", 10.0, 20.0, false, nil, int64(0)).
AddRow("ws-2", "Agent Two", "manager", 2, "provisioning", []byte("null"), "",
nil, 0, 0.0, "", 0, "", "langgraph", "", 50.0, 60.0, false, nil, int64(0))
nil, 0, 1, 0.0, "", 0, "", "langgraph", "", 50.0, 60.0, false, nil, int64(0))
mock.ExpectQuery("SELECT w.id, w.name").
WillReturnRows(rows)
@ -645,15 +649,15 @@ func TestActivityHandler_List(t *testing.T) {
columns := []string{
"id", "workspace_id", "activity_type", "source_id", "target_id", "method",
"summary", "request_body", "response_body", "duration_ms", "status", "error_detail", "created_at",
"summary", "request_body", "response_body", "tool_trace", "duration_ms", "status", "error_detail", "created_at",
}
rows := sqlmock.NewRows(columns).
AddRow("act-1", "ws-1", "a2a_receive", nil, "ws-1", "message/send",
"message/send → ws-1", []byte(`{"method":"message/send"}`), []byte(`{"result":"ok"}`),
150, "ok", nil, time.Date(2026, 4, 5, 10, 0, 0, 0, time.UTC)).
nil, 150, "ok", nil, time.Date(2026, 4, 5, 10, 0, 0, 0, time.UTC)).
AddRow("act-2", "ws-1", "error", nil, nil, nil,
"connection failed", nil, nil,
nil, "error", "timeout after 120s", time.Date(2026, 4, 5, 9, 0, 0, 0, time.UTC))
nil, nil, "error", "timeout after 120s", time.Date(2026, 4, 5, 9, 0, 0, 0, time.UTC))
mock.ExpectQuery("SELECT id, workspace_id, activity_type").
WithArgs("ws-1", 100).
@ -697,12 +701,12 @@ func TestActivityHandler_ListByType(t *testing.T) {
columns := []string{
"id", "workspace_id", "activity_type", "source_id", "target_id", "method",
"summary", "request_body", "response_body", "duration_ms", "status", "error_detail", "created_at",
"summary", "request_body", "response_body", "tool_trace", "duration_ms", "status", "error_detail", "created_at",
}
rows := sqlmock.NewRows(columns).
AddRow("act-1", "ws-1", "error", nil, nil, nil,
"connection failed", nil, nil,
nil, "error", "timeout", time.Date(2026, 4, 5, 9, 0, 0, 0, time.UTC))
nil, nil, "error", "timeout", time.Date(2026, 4, 5, 9, 0, 0, 0, time.UTC))
mock.ExpectQuery("SELECT id, workspace_id, activity_type").
WithArgs("ws-1", "error", 100).
@ -877,7 +881,7 @@ func TestActivityHandler_ListEmpty(t *testing.T) {
columns := []string{
"id", "workspace_id", "activity_type", "source_id", "target_id", "method",
"summary", "request_body", "response_body", "duration_ms", "status", "error_detail", "created_at",
"summary", "request_body", "response_body", "tool_trace", "duration_ms", "status", "error_detail", "created_at",
}
mock.ExpectQuery("SELECT id, workspace_id, activity_type").
WithArgs("ws-empty", 100).
@ -911,7 +915,7 @@ func TestActivityHandler_ListCustomLimit(t *testing.T) {
columns := []string{
"id", "workspace_id", "activity_type", "source_id", "target_id", "method",
"summary", "request_body", "response_body", "duration_ms", "status", "error_detail", "created_at",
"summary", "request_body", "response_body", "tool_trace", "duration_ms", "status", "error_detail", "created_at",
}
mock.ExpectQuery("SELECT id, workspace_id, activity_type").
WithArgs("ws-1", 10).
@ -943,7 +947,7 @@ func TestActivityHandler_ListMaxLimit(t *testing.T) {
columns := []string{
"id", "workspace_id", "activity_type", "source_id", "target_id", "method",
"summary", "request_body", "response_body", "duration_ms", "status", "error_detail", "created_at",
"summary", "request_body", "response_body", "tool_trace", "duration_ms", "status", "error_detail", "created_at",
}
// Even though client requests 9999, server caps at 500
mock.ExpectQuery("SELECT id, workspace_id, activity_type").
@ -1036,7 +1040,7 @@ func TestWorkspaceGet_CurrentTask(t *testing.T) {
columns := []string{
"id", "name", "role", "tier", "status", "agent_card", "url",
"parent_id", "active_tasks", "last_error_rate", "last_sample_error",
"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
"budget_limit", "monthly_spend",
}
@ -1044,7 +1048,7 @@ func TestWorkspaceGet_CurrentTask(t *testing.T) {
WithArgs("dddddddd-0004-0000-0000-000000000000").
WillReturnRows(sqlmock.NewRows(columns).AddRow(
"dddddddd-0004-0000-0000-000000000000", "Task Worker", "worker", 1, "online", []byte("null"), "http://localhost:9000",
nil, 2, 0.0, "", 300, "Analyzing document", "langgraph", "", 10.0, 20.0, false,
nil, 2, 1, 0.0, "", 300, "Analyzing document", "langgraph", "", 10.0, 20.0, false,
nil, int64(0),
))

10
workspace-server/internal/handlers/org_include_test.go
View File

@ -192,6 +192,16 @@ func TestResolveYAMLIncludes_SiblingDirAccess(t *testing.T) {
// the full workspace tree. Guards against split regressions landing on
// main before they can be caught by a deploy.
func TestResolveYAMLIncludes_RealMoleculeDev(t *testing.T) {
// The in-tree copy at /org-templates/molecule-dev/ is being removed
// in favor of the standalone Molecule-AI/molecule-ai-org-template-
// molecule-dev repo (see .gitignore comment). Until that removal
// lands, the in-tree copy is stale and its !include graph is broken
// (teams/dev.yaml references missing core-platform.yaml etc.), so
// this integration test is skipped. Re-enable once the extraction
// PR lands and this test is rewritten to fetch the standalone repo
// or replaced with a self-contained fixture.
t.Skip("org-templates/molecule-dev is being extracted to a standalone repo; see .gitignore comment")
// Locate the monorepo root from the test file location.
// Test runs in platform/internal/handlers/; org template is at
// ../../../org-templates/molecule-dev/org.yaml.

24
workspace-server/internal/handlers/org_plugin_allowlist.go
View File

@ -146,16 +146,36 @@ func requireCallerOwnsOrg(c *gin.Context) (string, error) {
// requireOrgOwnership verifies the caller has authority over the target org.
// Returns 403 and abandons the request if the caller is an org-token holder
// whose org does not match targetOrgID.
//
// Two distinct paths produce callerOrg == "":
// 1. No org_token_id in context → caller is a session/ADMIN_TOKEN user
// with full platform admin rights → allow.
// 2. org_token_id present but DB has org_id NULL for that token → an
// "unanchored" token (minted pre-migration 036 or via ADMIN_TOKEN
// bootstrap, never bound to an org). The comment in requireCallerOwnsOrg
// already states these callers "get callerOrg="" and are denied"; prior
// to this change the callers WERE given callerOrg="" but this function
// then treated it the same as session/admin and let them through.
// That privilege-escalation gap is what TestRequireOrgOwnership_
// UnanchoredToken_Denied has been pinning.
func requireOrgOwnership(c *gin.Context, targetOrgID string) bool {
_, hasOrgToken := c.Get("org_token_id")
callerOrg, err := requireCallerOwnsOrg(c)
if err != nil {
log.Printf("allowlist: requireOrgOwnership: %v", err)
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "org access denied"})
return false
}
// callerOrg "" means session/admin user — they have full access (no
// org token → full platform admin via session/ADMIN_TOKEN path).
if callerOrg == "" {
if hasOrgToken {
// Unanchored org-token: safer default is deny. Prior behavior
// let these through as session/admin, which let an unbound
// org-scoped token hit any org's surface.
log.Printf("allowlist: unanchored org-token tried to access org %s (denied)", targetOrgID)
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "org access denied"})
return false
}
// No org token → session/ADMIN_TOKEN → full access.
return true
}
if callerOrg != targetOrgID {

18
workspace-server/internal/handlers/org_plugin_allowlist_test.go
View File

@ -559,8 +559,13 @@ func TestCheckOrgPluginAllowlist_FailOpen_OnCountError(t *testing.T) {
func TestRequireCallerOwnsOrg_NotOrgTokenCaller(t *testing.T) {
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
// No org_token_id in context → caller is session/admin → returns ("", nil)
c.Set("org_token_id", "something") // weird but set to a non-string type
// Non-string org_token_id — the type assertion in requireCallerOwnsOrg
// fails, so the caller is treated as session/admin and we return ("",
// nil) without hitting the DB. (A prior version stored "something" — a
// string — which passed the type assertion and triggered a DB lookup
// on a bare gin context with no Request, nil-dereferencing inside
// requireCallerOwnsOrg.)
c.Set("org_token_id", 12345)
orgID, err := requireCallerOwnsOrg(c)
if err != nil {
t.Fatalf("requireCallerOwnsOrg: got err %v", err)
@ -593,6 +598,9 @@ func TestRequireCallerOwnsOrg_TokenHasMatchingOrgID(t *testing.T) {
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
// requireCallerOwnsOrg reads c.Request.Context() to bound the DB query;
// a bare test context must be given a Request to exercise the DB path.
c.Request = httptest.NewRequest(http.MethodGet, "/", nil)
c.Set("org_token_id", "tok-123")
got, err := requireCallerOwnsOrg(c)
@ -615,6 +623,7 @@ func TestRequireCallerOwnsOrg_TokenHasNullOrgID_UnanchoredDeny(t *testing.T) {
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
c.Request = httptest.NewRequest(http.MethodGet, "/", nil)
c.Set("org_token_id", "tok-old")
got, err := requireCallerOwnsOrg(c)
@ -635,6 +644,7 @@ func TestRequireCallerOwnsOrg_TokenDBError_Denies(t *testing.T) {
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
c.Request = httptest.NewRequest(http.MethodGet, "/", nil)
c.Set("org_token_id", "tok-bad")
_, err := requireCallerOwnsOrg(c)
@ -662,6 +672,7 @@ func TestRequireOrgOwnership_OrgTokenMatchesOwnOrg_Passes(t *testing.T) {
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
c.Request = httptest.NewRequest(http.MethodGet, "/", nil)
c.Set("org_token_id", "tok-123")
if !requireOrgOwnership(c, targetOrg) {
@ -679,6 +690,7 @@ func TestRequireOrgOwnership_OrgTokenCrossOrg_Denied(t *testing.T) {
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
c.Request = httptest.NewRequest(http.MethodGet, "/", nil)
c.Set("org_token_id", "tok-cross")
if requireOrgOwnership(c, "org-xyz") {
@ -699,6 +711,7 @@ func TestRequireOrgOwnership_UnanchoredToken_Denied(t *testing.T) {
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
c.Request = httptest.NewRequest(http.MethodGet, "/", nil)
c.Set("org_token_id", "tok-unanchored")
if requireOrgOwnership(c, "org-any") {
@ -718,6 +731,7 @@ func TestRequireOrgOwnership_DBError_Denied(t *testing.T) {
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
c.Request = httptest.NewRequest(http.MethodGet, "/", nil)
c.Set("org_token_id", "tok-err")
if requireOrgOwnership(c, "org-any") {

12
workspace-server/internal/handlers/org_tokens_test.go
View File

@ -66,8 +66,8 @@ func TestOrgTokenHandler_List_HappyPath(t *testing.T) {
now := time.Now().UTC()
mock.ExpectQuery(`SELECT id, prefix.*FROM org_api_tokens`).
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "name", "created_by", "created_at", "last_used_at"}).
AddRow("tok-1", "abcd1234", "zapier", "session", now, nil))
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "name", "org_id", "created_by", "created_at", "last_used_at"}).
AddRow("tok-1", "abcd1234", "zapier", "", "session", now, nil))
c, w := buildCtx("GET", "/org/tokens", "")
h.List(c)
@ -120,7 +120,7 @@ func TestOrgTokenHandler_Create_ActorFromAdminToken(t *testing.T) {
// No Cookie header, no org_token_prefix → actor should be
// "admin-token" (bootstrap path).
mock.ExpectQuery(`INSERT INTO org_api_tokens`).
WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), "my-ci", actorAdminToken).
WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), "my-ci", actorAdminToken, nil).
WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("tok-1"))
c, w := buildCtx("POST", "/org/tokens", `{"name":"my-ci"}`)
@ -164,7 +164,7 @@ func TestOrgTokenHandler_Create_ActorFromOrgTokenPrefix(t *testing.T) {
// records "org-token:<prefix>" using the 8-char plaintext
// prefix from the presenter's token.
mock.ExpectQuery(`INSERT INTO org_api_tokens`).
WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), nil, actorOrgTokenPrefix+"parent12").
WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), nil, actorOrgTokenPrefix+"parent12", nil).
WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("tok-new"))
c, w := buildCtx("POST", "/org/tokens", `{}`)
@ -188,7 +188,7 @@ func TestOrgTokenHandler_Create_ActorFromSession(t *testing.T) {
// follow-up captures WorkOS user_id, this test changes to
// "session:user_01XXX".
mock.ExpectQuery(`INSERT INTO org_api_tokens`).
WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), "from-browser", actorSession).
WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), "from-browser", actorSession, nil).
WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("tok-browser"))
c, w := buildCtx("POST", "/org/tokens", `{"name":"from-browser"}`)
@ -226,7 +226,7 @@ func TestOrgTokenHandler_Create_EmptyBodyOK(t *testing.T) {
defer cleanup()
// Empty POST must still mint a token — name is optional.
mock.ExpectQuery(`INSERT INTO org_api_tokens`).
WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), nil, actorAdminToken).
WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), nil, actorAdminToken, nil).
WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow("tok-min"))
c, w := buildCtx("POST", "/org/tokens", "")

8
workspace-server/internal/handlers/plugins_test.go
View File

@ -840,8 +840,12 @@ func TestPluginInstall_EmptySpecAfterSchemeRejected(t *testing.T) {
if w.Code != http.StatusBadRequest {
t.Errorf("want 400, got %d: %s", w.Code, w.Body.String())
}
if !bytes.Contains(w.Body.Bytes(), []byte("empty spec")) {
t.Errorf("error should mention 'empty spec': %s", w.Body.String())
// Handler now returns the generic "invalid plugin source" rather than
// propagating the internal ParseSource "empty spec" wording — intentional
// so the HTTP surface doesn't leak parser-internal vocabulary. Unit-level
// coverage of the "empty spec" wording lives in plugins/source_test.go.
if !bytes.Contains(w.Body.Bytes(), []byte("invalid plugin source")) {
t.Errorf("error should mention 'invalid plugin source': %s", w.Body.String())
}
}

12
workspace-server/internal/handlers/registry_test.go
View File

@ -446,8 +446,10 @@ func TestValidateAgentURL(t *testing.T) {
wantErr bool
}{
// ── Valid URLs (public hostnames / DNS names) ──────────────────────────
{"valid public https", "https://agent.example.com:443", false},
{"valid public http", "http://agent.example.com:8000", false},
// example.com (RFC-2606) resolves globally; agent.example.com
// is NXDOMAIN on most resolvers and made this test flake.
{"valid public https", "https://example.com:443", false},
{"valid public http", "http://example.com:8000", false},
// localhost by name is allowed — agents in local-dev use this form.
{"valid localhost name", "http://localhost:8000", false},
@ -596,8 +598,12 @@ func TestRegister_C18_HijackBlockedNoBearer(t *testing.T) {
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
// No Authorization header — simulates attacker with no credentials.
// URL uses example.com (resolves globally) so the validateAgentURL
// pre-check doesn't short-circuit with 400 "invalid request body"
// before the C18 auth check fires. We're testing that C18 gates
// produce 401, not that URL validation produces 400.
c.Request = httptest.NewRequest("POST", "/registry/register",
bytes.NewBufferString(`{"id":"ws-victim","url":"http://attacker.example.com:9999/steal","agent_card":{"name":"hijacked"}}`))
bytes.NewBufferString(`{"id":"ws-victim","url":"http://example.com:9999/steal","agent_card":{"name":"hijacked"}}`))
c.Request.Header.Set("Content-Type", "application/json")
handler.Register(c)

8
workspace-server/internal/handlers/ssrf_test.go
View File

@ -182,9 +182,11 @@ func TestIsSafeURL(t *testing.T) {
rawURL string
wantErr bool
}{
// Valid: public HTTPS
{"public https", "https://agent.example.com:8080/a2a", false},
{"public http", "http://agent.example.com/a2a", false},
// Valid: public HTTPS. Use example.com (RFC-2606, resolves
// globally to Cloudflare Anycast) rather than agent.example.com
// (subdomain NXDOMAIN on many resolvers, makes the test flake).
{"public https", "https://example.com:8080/a2a", false},
{"public http", "http://example.com/a2a", false},
// Loopback is blocked by isSafeURL even in dev — the orchestrator
// controls access via WorkspaceAuth + CanCommunicate, not via this URL check.
// Changing wantErr here would require also updating isSafeURL to permit

9
workspace-server/internal/handlers/template_import_test.go
View File

@ -400,7 +400,10 @@ func TestReplaceFiles_WorkspaceNotFound(t *testing.T) {
handler := NewTemplatesHandler(t.TempDir(), nil)
mock.ExpectQuery("SELECT name FROM workspaces WHERE id =").
// ReplaceFiles now selects (name, instance_id, runtime) for the
// restart-cascade. Match the full column list rather than just the
// name so the sqlmock regex pins the whole statement.
mock.ExpectQuery(`SELECT name, COALESCE\(instance_id, ''\), COALESCE\(runtime, ''\) FROM workspaces WHERE id =`).
WithArgs("ws-rf-nf").
WillReturnError(sql.ErrNoRows)
@ -428,9 +431,9 @@ func TestReplaceFiles_PathTraversal(t *testing.T) {
handler := NewTemplatesHandler(t.TempDir(), nil)
mock.ExpectQuery("SELECT name FROM workspaces WHERE id =").
mock.ExpectQuery(`SELECT name, COALESCE\(instance_id, ''\), COALESCE\(runtime, ''\) FROM workspaces WHERE id =`).
WithArgs("ws-rf-pt").
WillReturnRows(sqlmock.NewRows([]string{"name"}).AddRow("Test Agent"))
WillReturnRows(sqlmock.NewRows([]string{"name", "instance_id", "runtime"}).AddRow("Test Agent", "", ""))
body := `{"files": {"../../../etc/passwd": "malicious"}}`
w := httptest.NewRecorder()

2
workspace-server/internal/handlers/templates_test.go
View File

@ -586,7 +586,7 @@ func TestWriteFile_WorkspaceNotFound(t *testing.T) {
handler := NewTemplatesHandler(t.TempDir(), nil)
mock.ExpectQuery("SELECT name FROM workspaces WHERE id =").
mock.ExpectQuery(`SELECT name, COALESCE\(instance_id, ''\), COALESCE\(runtime, ''\) FROM workspaces WHERE id =`).
WithArgs("ws-wf-nf").
WillReturnError(sql.ErrNoRows)

2
workspace-server/internal/handlers/webhooks_test.go
View File

@ -96,6 +96,7 @@ func TestGitHubWebhook_UnsupportedAction_Accepted(t *testing.T) {
}
func TestGitHubWebhook_ValidIssueComment_ForwardsAndLogsActivity(t *testing.T) {
allowLoopbackForTest(t)
mock := setupTestDB(t)
mr := setupTestRedis(t)
broadcaster := newTestBroadcaster()
@ -154,6 +155,7 @@ func TestGitHubWebhook_ValidIssueComment_ForwardsAndLogsActivity(t *testing.T) {
}
func TestGitHubWebhook_ValidPRReviewComment_Forwards(t *testing.T) {
allowLoopbackForTest(t)
mock := setupTestDB(t)
mr := setupTestRedis(t)
broadcaster := newTestBroadcaster()

9
workspace-server/internal/handlers/workspace_budget_test.go
View File

@ -29,7 +29,7 @@ import (
// wsColumns is the canonical column list for scanWorkspaceRow tests.
var wsColumns = []string{
"id", "name", "role", "tier", "status", "agent_card", "url",
"parent_id", "active_tasks", "last_error_rate", "last_sample_error",
"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
"budget_limit", "monthly_spend",
}
@ -49,7 +49,7 @@ func TestWorkspaceBudget_Get_NilLimit(t *testing.T) {
WillReturnRows(sqlmock.NewRows(wsColumns).
AddRow("dddddddd-0005-0000-0000-000000000000", "Free Agent", "worker", 1, "online",
[]byte(`{}`), "http://localhost:9001",
nil, 0, 0.0, "", 0, "", "langgraph", "",
nil, 0, 1, 0.0, "", 0, "", "langgraph", "",
0.0, 0.0, false,
nil, // budget_limit NULL
0)) // monthly_spend 0
@ -92,7 +92,7 @@ func TestWorkspaceBudget_Get_WithLimit(t *testing.T) {
WillReturnRows(sqlmock.NewRows(wsColumns).
AddRow("dddddddd-0006-0000-0000-000000000000", "Capped Agent", "worker", 1, "online",
[]byte(`{}`), "http://localhost:9002",
nil, 0, 0.0, "", 0, "", "langgraph", "",
nil, 0, 1, 0.0, "", 0, "", "langgraph", "",
0.0, 0.0, false,
int64(500), // budget_limit = $5.00 in DB
int64(123))) // monthly_spend = $1.23 in DB
@ -309,6 +309,7 @@ func TestWorkspaceBudget_A2A_AboveLimitReturns402(t *testing.T) {
// TestWorkspaceBudget_A2A_UnderLimitPassesThrough verifies that A2A calls
// succeed normally when monthly_spend is below budget_limit.
func TestWorkspaceBudget_A2A_UnderLimitPassesThrough(t *testing.T) {
allowLoopbackForTest(t)
mock := setupTestDB(t)
mr := setupTestRedis(t)
handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
@ -355,6 +356,7 @@ func TestWorkspaceBudget_A2A_UnderLimitPassesThrough(t *testing.T) {
// TestWorkspaceBudget_A2A_NilLimitPassesThrough verifies that when
// budget_limit IS NULL (no ceiling set), A2A calls pass through unconditionally.
func TestWorkspaceBudget_A2A_NilLimitPassesThrough(t *testing.T) {
allowLoopbackForTest(t)
mock := setupTestDB(t)
mr := setupTestRedis(t)
handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())
@ -398,6 +400,7 @@ func TestWorkspaceBudget_A2A_NilLimitPassesThrough(t *testing.T) {
// TestWorkspaceBudget_A2A_DBErrorFailOpen verifies that a DB error during the
// budget check is fail-open — the request proceeds rather than being blocked.
func TestWorkspaceBudget_A2A_DBErrorFailOpen(t *testing.T) {
allowLoopbackForTest(t)
mock := setupTestDB(t)
mr := setupTestRedis(t)
handler := NewWorkspaceHandler(newTestBroadcaster(), nil, "http://localhost:8080", t.TempDir())

40
workspace-server/internal/handlers/workspace_provision_test.go
View File

@ -568,19 +568,31 @@ func TestSeedInitialMemories_TruncatesOversizedContent(t *testing.T) {
},
}
// Content must avoid the redactSecrets base64-blob regex (33+ chars of
// [A-Za-z0-9+/]). Spaces break the run. "hello world " = 12 bytes.
const unit = "hello world " // 12 bytes, contains space
mkContent := func(n int) string {
copies := (n / len(unit)) + 1
out := strings.Repeat(unit, copies)
return out[:n]
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
mock.ExpectationsWereMet()
workspaceID := "ws-trunc-" + tt.name
content := strings.Repeat("X", tt.contentLen)
content := mkContent(tt.contentLen)
memories := []models.MemorySeed{{Content: content, Scope: "LOCAL"}}
if tt.expectInsert {
// The DB INSERT must receive content of exactly maxMemoryContentLength
// (not the full original length). This is the key assertion: the function
// truncates before calling ExecContext, so the mock expects 100_000 bytes.
expected := content
if len(content) > maxMemoryContentLength {
expected = content[:maxMemoryContentLength]
}
mock.ExpectExec(`INSERT INTO agent_memories`).
WithArgs(workspaceID, strings.Repeat("X", maxMemoryContentLength), "LOCAL", sqlmock.AnyArg()).
WithArgs(workspaceID, expected, "LOCAL", sqlmock.AnyArg()).
WillReturnResult(sqlmock.NewResult(1, 1))
}
@ -908,16 +920,20 @@ func containsStr(s, substr string) bool {
func TestSeedInitialMemories_Truncation(t *testing.T) {
mock := setupTestDB(t)
largeContent := string(make([]byte, 100_001))
copy([]byte(largeContent), "X") // fill with "X" so test is deterministic
// Content sized > maxMemoryContentLength so we can assert truncation
// fires. Each "hello world " is 12 bytes; 8334 copies = 100008 bytes.
// Must include spaces so the base64-blob redactor in redactSecrets
// doesn't fire on a long [A-Za-z0-9+/]{33,} run and replace the
// content with "[REDACTED:BASE64_BLOB]".
largeContent := strings.Repeat("hello world ", 8334) // 100008 bytes
expectTruncated := largeContent[:100_000]
memories := []models.MemorySeed{
{Content: largeContent, Scope: "LOCAL"},
}
mock.ExpectExec(`INSERT INTO agent_memories`).
// content arg is $2; it must be exactly 100_000 bytes.
WithArgs(sqlmock.AnyArg(), strings.Repeat("X", 100_000), "LOCAL", sqlmock.AnyArg()).
WithArgs(sqlmock.AnyArg(), expectTruncated, "LOCAL", sqlmock.AnyArg()).
WillReturnResult(sqlmock.NewResult(0, 1))
seedInitialMemories(context.Background(), "ws-1066-test", memories, "test-ns")
@ -951,14 +967,18 @@ func TestSeedInitialMemories_ContentUnderLimit(t *testing.T) {
func TestSeedInitialMemories_ExactlyAtLimit(t *testing.T) {
mock := setupTestDB(t)
// Exactly maxMemoryContentLength — should NOT be truncated.
atLimitContent := strings.Repeat("X", 100_000)
// Exactly maxMemoryContentLength — should NOT be truncated. Content
// must include spaces so redactSecrets doesn't collapse it into a
// "[REDACTED:BASE64_BLOB]" stand-in on the 33+-char alphanumeric run.
const unit = "hello world "
copies := (100_000 / len(unit)) + 1
atLimitContent := strings.Repeat(unit, copies)[:100_000]
memories := []models.MemorySeed{
{Content: atLimitContent, Scope: "LOCAL"},
}
mock.ExpectExec(`INSERT INTO agent_memories`).
WithArgs(sqlmock.AnyArg(), strings.Repeat("X", 100_000), "LOCAL", sqlmock.AnyArg()).
WithArgs(sqlmock.AnyArg(), atLimitContent, "LOCAL", sqlmock.AnyArg()).
WillReturnResult(sqlmock.NewResult(0, 1))
seedInitialMemories(context.Background(), "ws-boundary", memories, "test-ns")

12
workspace-server/internal/handlers/workspace_test.go
View File

@ -22,7 +22,7 @@ func TestWorkspaceGet_Success(t *testing.T) {
columns := []string{
"id", "name", "role", "tier", "status", "agent_card", "url",
"parent_id", "active_tasks", "last_error_rate", "last_sample_error",
"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
"budget_limit", "monthly_spend",
}
@ -30,7 +30,7 @@ func TestWorkspaceGet_Success(t *testing.T) {
WithArgs("cccccccc-0001-0000-0000-000000000000").
WillReturnRows(sqlmock.NewRows(columns).
AddRow("cccccccc-0001-0000-0000-000000000000", "My Agent", "worker", 1, "online", []byte(`{"name":"test"}`),
"http://localhost:8001", nil, 2, 0.05, "", 3600, "working", "langgraph",
"http://localhost:8001", nil, 2, 1, 0.05, "", 3600, "working", "langgraph",
"", 10.0, 20.0, false,
nil, 0))
@ -1036,7 +1036,7 @@ func TestWorkspaceGet_FinancialFieldsStripped(t *testing.T) {
columns := []string{
"id", "name", "role", "tier", "status", "agent_card", "url",
"parent_id", "active_tasks", "last_error_rate", "last_sample_error",
"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
"budget_limit", "monthly_spend",
}
@ -1045,7 +1045,7 @@ func TestWorkspaceGet_FinancialFieldsStripped(t *testing.T) {
WithArgs("cccccccc-0010-0000-0000-000000000000").
WillReturnRows(sqlmock.NewRows(columns).
AddRow("cccccccc-0010-0000-0000-000000000000", "Finance Test", "worker", 1, "online", []byte(`{}`),
"http://localhost:9001", nil, 0, 0.0, "", 0, "", "langgraph",
"http://localhost:9001", nil, 0, 1, 0.0, "", 0, "", "langgraph",
"", 0.0, 0.0, false,
int64(50000), int64(12500))) // budget_limit=500 USD, spend=125 USD
@ -1092,7 +1092,7 @@ func TestWorkspaceGet_SensitiveFieldsStripped(t *testing.T) {
columns := []string{
"id", "name", "role", "tier", "status", "agent_card", "url",
"parent_id", "active_tasks", "last_error_rate", "last_sample_error",
"parent_id", "active_tasks", "max_concurrent_tasks", "last_error_rate", "last_sample_error",
"uptime_seconds", "current_task", "runtime", "workspace_dir", "x", "y", "collapsed",
"budget_limit", "monthly_spend",
}
@ -1100,7 +1100,7 @@ func TestWorkspaceGet_SensitiveFieldsStripped(t *testing.T) {
WithArgs("cccccccc-0955-0000-0000-000000000000").
WillReturnRows(sqlmock.NewRows(columns).
AddRow("cccccccc-0955-0000-0000-000000000000", "Surveillance Test", "worker", 1, "online", []byte(`{}`),
"http://localhost:9002", nil, 1, 0.0,
"http://localhost:9002", nil, 1, 1, 0.0,
"panic: internal error at /secret/path.go:42",
100,
"Analyzing customer PII for the Q4 report",

13
workspace-server/internal/middleware/wsauth_middleware.go
View File

@ -63,7 +63,13 @@ func WorkspaceAuth(database *sql.DB) gin.HandlerFunc {
if id, prefix, orgID, err := orgtoken.Validate(ctx, database, tok); err == nil {
c.Set("org_token_id", id)
c.Set("org_token_prefix", prefix)
c.Set("org_id", orgID)
// org_id may be "" for pre-migration tokens (NULL column).
// Don't set the context key in that case so downstream callers
// can distinguish "unanchored token" (exists==false) from
// "anchored to this org" (exists==true, value non-empty).
if orgID != "" {
c.Set("org_id", orgID)
}
c.Next()
return
} else if !errors.Is(err, orgtoken.ErrInvalidToken) {
@ -185,7 +191,10 @@ func AdminAuth(database *sql.DB) gin.HandlerFunc {
if id, prefix, orgID, err := orgtoken.Validate(ctx, database, tok); err == nil {
c.Set("org_token_id", id)
c.Set("org_token_prefix", prefix)
c.Set("org_id", orgID)
// Conditional set — see WorkspaceAuth branch above for rationale.
if orgID != "" {
c.Set("org_id", orgID)
}
c.Next()
return
} else if !errors.Is(err, orgtoken.ErrInvalidToken) {

77
workspace-server/internal/middleware/wsauth_middleware_org_id_test.go
View File

@ -2,7 +2,6 @@ package middleware
import (
"crypto/sha256"
"database/sql"
"net/http"
"net/http/httptest"
"testing"
@ -12,10 +11,11 @@ import (
)
// orgTokenValidateQuery is matched for orgtoken.Validate in both
// WorkspaceAuth and AdminAuth middleware paths. The query selects
// id and prefix from org_api_tokens where token_hash matches and
// revoked_at IS NULL.
const orgTokenValidateQuery = "SELECT id, prefix FROM org_api_tokens WHERE token_hash"
// WorkspaceAuth and AdminAuth middleware paths. Post-migration 036 the
// query selects id, prefix, AND org_id in a single round-trip; the
// secondary "SELECT org_id::text FROM org_api_tokens WHERE id" hop is
// gone, so tests do not need to stub it.
const orgTokenValidateQuery = "SELECT id, prefix, org_id FROM org_api_tokens WHERE token_hash"
func TestWorkspaceAuth_ValidOrgToken_SetsOrgIDContext(t *testing.T) {
// F1097 (#1218): org tokens validated via WorkspaceAuth must have
@ -30,17 +30,11 @@ func TestWorkspaceAuth_ValidOrgToken_SetsOrgIDContext(t *testing.T) {
orgToken := "tok_test_org_token_abc123"
tokenHash := sha256.Sum256([]byte(orgToken))
// orgtoken.Validate — returns id + prefix (no org_id column yet).
// Single-round-trip Validate: id + prefix + org_id.
mock.ExpectQuery(orgTokenValidateQuery).
WithArgs(tokenHash[:]).
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix"}).
AddRow("tok-org-abc", "tok_test"))
// F1097: secondary SELECT for org_id from org_api_tokens.
mock.ExpectQuery("SELECT org_id::text FROM org_api_tokens WHERE id").
WithArgs("tok-org-abc").
WillReturnRows(sqlmock.NewRows([]string{"org_id"}).
AddRow("00000000-0000-0000-0000-000000000001"))
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}).
AddRow("tok-org-abc", "tok_test", "00000000-0000-0000-0000-000000000001"))
r := gin.New()
r.GET("/workspaces/:id/secrets", WorkspaceAuth(mockDB), func(c *gin.Context) {
@ -84,16 +78,12 @@ func TestWorkspaceAuth_ValidOrgToken_OrgIDNULL_DoesNotSetContext(t *testing.T) {
orgToken := "tok_old_token_no_org"
tokenHash := sha256.Sum256([]byte(orgToken))
// orgtoken.Validate.
// Single-round-trip Validate; NULL org_id row mimics a pre-migration
// token. Middleware must NOT set the org_id context key in this case.
mock.ExpectQuery(orgTokenValidateQuery).
WithArgs(tokenHash[:]).
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix"}).
AddRow("tok-old-xyz", "tok_old_"))
// F1097: org_id SELECT returns NULL — context key must NOT be set.
mock.ExpectQuery("SELECT org_id::text FROM org_api_tokens WHERE id").
WithArgs("tok-old-xyz").
WillReturnRows(sqlmock.NewRows([]string{"org_id"}).AddRow(nil))
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}).
AddRow("tok-old-xyz", "tok_old_", nil))
r := gin.New()
r.GET("/workspaces/:id/secrets", WorkspaceAuth(mockDB), func(c *gin.Context) {
@ -135,17 +125,11 @@ func TestAdminAuth_ValidOrgToken_SetsOrgIDContext(t *testing.T) {
mock.ExpectQuery(hasAnyLiveTokenGlobalQuery).
WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1))
// orgtoken.Validate via AdminAuth — returns id + prefix.
// Single-round-trip Validate via AdminAuth: id + prefix + org_id.
mock.ExpectQuery(orgTokenValidateQuery).
WithArgs(tokenHash[:]).
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix"}).
AddRow("tok-admin-org", "tok_adm_"))
// F1097: secondary SELECT for org_id.
mock.ExpectQuery("SELECT org_id::text FROM org_api_tokens WHERE id").
WithArgs("tok-admin-org").
WillReturnRows(sqlmock.NewRows([]string{"org_id"}).
AddRow("00000000-0000-0000-0000-000000000042"))
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}).
AddRow("tok-admin-org", "tok_adm_", "00000000-0000-0000-0000-000000000042"))
r := gin.New()
r.GET("/admin/org-settings", AdminAuth(mockDB), func(c *gin.Context) {
@ -187,15 +171,11 @@ func TestAdminAuth_ValidOrgToken_OrgIDNULL_DoesNotSetContext(t *testing.T) {
mock.ExpectQuery(hasAnyLiveTokenGlobalQuery).
WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1))
// Single-round-trip Validate with NULL org_id — AdminAuth path.
mock.ExpectQuery(orgTokenValidateQuery).
WithArgs(tokenHash[:]).
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix"}).
AddRow("tok-old-admin", "tok_old_"))
// F1097: org_id is NULL — no context key set.
mock.ExpectQuery("SELECT org_id::text FROM org_api_tokens WHERE id").
WithArgs("tok-old-admin").
WillReturnRows(sqlmock.NewRows([]string{"org_id"}).AddRow(nil))
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}).
AddRow("tok-old-admin", "tok_old_", nil))
r := gin.New()
r.GET("/admin/org-settings", AdminAuth(mockDB), func(c *gin.Context) {
@ -232,16 +212,13 @@ func TestWorkspaceAuth_OrgToken_DBRowScanError_DoesNotPanic(t *testing.T) {
orgToken := "tok_token_ok"
tokenHash := sha256.Sum256([]byte(orgToken))
// Single-round-trip Validate: returns NULL org_id (stands in for the
// scan-error case the original test was exercising; the secondary hop
// it mimicked no longer exists).
mock.ExpectQuery(orgTokenValidateQuery).
WithArgs(tokenHash[:]).
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix"}).
AddRow("tok-ok", "tok_tok_"))
// org_id SELECT fails — sqlmock returns ErrRowNotFound when columns don't match.
// We set up an impossible regex to force a mismatch.
mock.ExpectQuery("SELECT org_id::text FROM org_api_tokens WHERE id").
WithArgs("tok-ok").
WillReturnError(sql.ErrNoRows)
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}).
AddRow("tok-ok", "tok_tok_", nil))
r := gin.New()
r.GET("/workspaces/:id/secrets", WorkspaceAuth(mockDB), func(c *gin.Context) {
@ -279,12 +256,8 @@ func TestWorkspaceAuth_OrgToken_SetsAllContextKeys(t *testing.T) {
mock.ExpectQuery(orgTokenValidateQuery).
WithArgs(tokenHash[:]).
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix"}).
AddRow("tok-full", "tok_fu_"))
mock.ExpectQuery("SELECT org_id::text FROM org_api_tokens WHERE id").
WithArgs("tok-full").
WillReturnRows(sqlmock.NewRows([]string{"org_id"}).AddRow(expectedOrgID))
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}).
AddRow("tok-full", "tok_fu_", expectedOrgID))
r := gin.New()
r.GET("/workspaces/:id/secrets", WorkspaceAuth(mockDB), func(c *gin.Context) {

31
workspace-server/internal/middleware/wsauth_middleware_test.go
View File

@ -473,11 +473,11 @@ func TestAdminAuth_InvalidBearer_Returns401(t *testing.T) {
// token (org_id="ws-org-1").
// ────────────────────────────────────────────────────────────────────────────
// orgTokenValidateQueryV1 is matched for orgtoken.Validate().
const orgTokenValidateQueryV1 = "SELECT id, prefix, org_id::text FROM org_api_tokens"
// orgTokenOrgIDQuery is matched for the org_id lookup added in the F1097 fix.
const orgTokenOrgIDQuery = "SELECT org_id::text FROM org_api_tokens"
// orgTokenValidateQueryV1 is matched for orgtoken.Validate(). Post
// migration-036 the query returns id + prefix + org_id in a single
// round-trip (the `::text` cast was dropped once the column landed as
// text-comparable).
const orgTokenValidateQueryV1 = "SELECT id, prefix, org_id FROM org_api_tokens"
// orgTokenLastUsedQuery is matched for the best-effort last_used_at UPDATE.
const orgTokenLastUsedQuery = "UPDATE org_api_tokens SET last_used_at"
@ -520,31 +520,22 @@ func TestAdminAuth_OrgToken_SetsOrgID(t *testing.T) {
mock.ExpectQuery(hasAnyLiveTokenGlobalQuery).
WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1))
// orgtoken.Validate: org token hash matches, returns id + prefix.
// Note: org tokens are checked BEFORE the workspace token path
// Single-round-trip Validate: id + prefix + org_id. The
// secondary org_id SELECT has been consolidated into this
// query, so tt.orgIDFromDB goes into the same row instead of
// being returned by a second ExpectQuery. Note: org tokens
// are checked BEFORE the workspace token path
// (ValidateAnyToken), so ValidateAnyToken is NOT called here.
mock.ExpectQuery(orgTokenValidateQueryV1).
WithArgs(orgTokenHash[:]).
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}).
AddRow("tok-org-1", "tok-org-1", nil))
AddRow("tok-org-1", "tok-org-1", tt.orgIDFromDB))
// Best-effort last_used_at UPDATE (after Validate).
mock.ExpectExec(orgTokenLastUsedQuery).
WithArgs("tok-org-1").
WillReturnResult(sqlmock.NewResult(0, 1))
// F1097 fix: org_id lookup. For pre-fix tokens (nil row), this
// returns nil and we expect no org_id context key to be set.
orgIDRows := sqlmock.NewRows([]string{"org_id"})
if tt.orgIDFromDB == nil {
orgIDRows = sqlmock.NewRows([]string{"org_id"}).AddRow(nil)
} else {
orgIDRows = sqlmock.NewRows([]string{"org_id"}).AddRow(tt.orgIDFromDB)
}
mock.ExpectQuery(orgTokenOrgIDQuery).
WithArgs("tok-org-1").
WillReturnRows(orgIDRows)
r := gin.New()
var gotOrgID string
var haveOrgID bool

12
workspace-server/internal/orgtoken/tokens_test.go
View File

@ -72,9 +72,13 @@ func TestValidate_HappyPath(t *testing.T) {
plaintext := "known-plaintext-for-test"
hash := sha256.Sum256([]byte(plaintext))
mock.ExpectQuery(`SELECT id, prefix FROM org_api_tokens`).
// Migration 036 added org_id column; Validate now scans (id, prefix,
// org_id) in one query. nil here models a pre-migration token
// (org_id still NULL); Validate returns empty orgID and callers
// treat the absence of an org binding as "no cross-org access".
mock.ExpectQuery(`SELECT id, prefix, org_id FROM org_api_tokens`).
WithArgs(hash[:]).
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix"}).AddRow("tok-live", "abcd1234", nil))
WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}).AddRow("tok-live", "abcd1234", nil))
mock.ExpectExec(`UPDATE org_api_tokens SET last_used_at`).
WithArgs("tok-live").
WillReturnResult(sqlmock.NewResult(0, 1))
@ -106,7 +110,7 @@ func TestValidate_UnknownHashErrInvalid(t *testing.T) {
}
defer db.Close()
mock.ExpectQuery(`SELECT id, prefix FROM org_api_tokens`).
mock.ExpectQuery(`SELECT id, prefix, org_id FROM org_api_tokens`).
WithArgs(sqlmock.AnyArg()).
WillReturnError(sql.ErrNoRows)
@ -123,7 +127,7 @@ func TestValidate_RevokedTokenNotAccepted(t *testing.T) {
defer db.Close()
// Query has `AND revoked_at IS NULL` — sqlmock will return
// ErrNoRows because the revoked row is filtered out.
mock.ExpectQuery(`SELECT id, prefix FROM org_api_tokens`).
mock.ExpectQuery(`SELECT id, prefix, org_id FROM org_api_tokens`).
WithArgs(sqlmock.AnyArg()).
WillReturnError(sql.ErrNoRows)