adc007b7b0
- kei-router — keyword-dispatch meta-tool (CfC ML fallback removed) - kei-sage — Obsidian-style knowledge graph, FTS5 + BFS + PageRank - kei-task — task DAG with deps, milestones, dependency-chain queries - kei-chat-store — Claude conversation session persistence + FTS search - kei-crossdomain — typed-edge store + BFS cross-domain glue - kei-search-core — 3-wave deep research with microcent budget cap - kei-content-store — asset + prompt + campaign registry - kei-social-store — people + interactions CRM (lite) - kei-curator — edge-decay graph hygiene utility - kei-auth — multi-tenant session tokens (replaces single-bearer) Genesis-scan pre-import pass: skipped pkg/mxl1/*, pkg/inference/*, pkg/trainer/*, pkg/nc01/*, internal/ml/* (all Genesis/CfC adjacent, sensitive IP). Security: skipped tools_threat/radio/protocol/med/mlreg (offensive/banned). Domain verticals skipped: hr/legal/infra/ops/api/osint/edu/geo/hw/finance. New 'mcp' profile in MANIFEST.toml bundles all 10 for MCP server deployment. Workspace now 24 crates, cargo check --workspace clean, 94 workspace tests pass.
52 lines
1.7 KiB
Rust
52 lines
1.7 KiB
Rust
use kei_auth::schema::open_memory;
|
|
use kei_auth::scopes::Scope;
|
|
use kei_auth::tokens::{issue, revoke, verify};
|
|
|
|
const KEY: &[u8] = b"test-key-must-not-be-used-in-production";
|
|
|
|
#[test]
|
|
fn issue_and_verify() {
|
|
let conn = open_memory().unwrap();
|
|
let tok = issue(&conn, "alice", "kgl", Scope::Write, 3600, KEY).unwrap();
|
|
let out = verify(&conn, &tok, KEY).unwrap();
|
|
assert_eq!(out.user_id, "alice");
|
|
assert_eq!(out.project, "kgl");
|
|
assert_eq!(out.scope, Scope::Write);
|
|
}
|
|
|
|
#[test]
|
|
fn revoke_blocks_verify() {
|
|
let conn = open_memory().unwrap();
|
|
let tok = issue(&conn, "bob", "x", Scope::Read, 3600, KEY).unwrap();
|
|
assert_eq!(revoke(&conn, &tok).unwrap(), 1);
|
|
assert!(verify(&conn, &tok, KEY).is_err());
|
|
}
|
|
|
|
#[test]
|
|
fn expired_token_rejected() {
|
|
let conn = open_memory().unwrap();
|
|
let tok = issue(&conn, "carol", "x", Scope::Read, -10, KEY).unwrap();
|
|
let err = verify(&conn, &tok, KEY);
|
|
assert!(err.is_err(), "expired must fail");
|
|
}
|
|
|
|
#[test]
|
|
fn scope_check_admin_implies_write() {
|
|
assert!(Scope::Admin.allows(Scope::Write));
|
|
assert!(Scope::Admin.allows(Scope::Read));
|
|
assert!(Scope::Write.allows(Scope::Read));
|
|
assert!(!Scope::Read.allows(Scope::Write));
|
|
assert!(!Scope::Write.allows(Scope::Admin));
|
|
}
|
|
|
|
#[test]
|
|
fn tampered_token_rejected() {
|
|
let conn = open_memory().unwrap();
|
|
let tok = issue(&conn, "dave", "x", Scope::Read, 3600, KEY).unwrap();
|
|
let mut chars: Vec<char> = tok.chars().collect();
|
|
// flip one char in the signature
|
|
let last = chars.len() - 1;
|
|
chars[last] = if chars[last] == 'A' { 'B' } else { 'A' };
|
|
let tampered: String = chars.into_iter().collect();
|
|
assert!(verify(&conn, &tampered, KEY).is_err());
|
|
}
|