@etcsec-com/etc-collector 1.4.0

package/tests/unit/api/middlewares/authenticate.test.ts

@@ -0,0 +1,446 @@
+import { Response, NextFunction } from 'express';
+import { authenticate, AuthenticatedRequest } from '../../../../src/api/middlewares/authenticate';
+import { TokenService } from '../../../../src/services/auth/token.service';
+import {
+  TokenExpiredError,
+  TokenRevokedError,
+  UsageLimitExceededError,
+  TokenNotFoundError,
+  InvalidSignatureError,
+  InvalidTokenError,
+} from '../../../../src/services/auth/errors';
+
+/**
+ * Unit Tests for Authentication Middleware
+ * Task 10: Write Unit Tests for Authentication Middleware (Story 1.4)
+ */
+
+// Mock logger
+jest.mock('../../../../src/utils/logger', () => ({
+  logger: {
+    info: jest.fn(),
+    warn: jest.fn(),
+    error: jest.fn(),
+    debug: jest.fn(),
+  },
+}));
+
+describe('authenticate middleware', () => {
+  let mockTokenService: jest.Mocked<TokenService>;
+  let middleware: ReturnType<typeof authenticate>;
+  let mockReq: Partial<AuthenticatedRequest>;
+  let mockRes: Partial<Response>;
+  let mockNext: jest.Mock;
+  let mockJson: jest.Mock;
+  let mockStatus: jest.Mock;
+
+  const VALID_TOKEN = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.mock.signature';
+  const VALID_PAYLOAD = {
+    jti: 'test-jti-123',
+    iss: 'etc-collector',
+    sub: 'system',
+    iat: Math.floor(Date.now() / 1000),
+    exp: Math.floor(Date.now() / 1000) + 3600,
+    service: 'etc-collector',
+    maxUses: 10,
+  };
+
+  beforeEach(() => {
+    // Create mock TokenService
+    mockTokenService = {
+      validate: jest.fn(),
+      incrementUsage: jest.fn(),
+    } as any;
+
+    // Create middleware with mock service
+    middleware = authenticate(mockTokenService);
+
+    // Setup mock Express objects
+    mockJson = jest.fn();
+    mockStatus = jest.fn(() => ({ json: mockJson }));
+
+    mockReq = {
+      headers: {},
+      path: '/api/v1/test',
+      method: 'GET',
+    };
+
+    mockRes = {
+      status: mockStatus as any,
+      json: mockJson,
+    };
+
+    mockNext = jest.fn();
+  });
+
+  describe('Successful Authentication', () => {
+    it('should authenticate valid token and call next()', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: `Bearer ${VALID_TOKEN}`,
+      };
+
+      mockTokenService.validate.mockResolvedValue(VALID_PAYLOAD);
+      mockTokenService.incrementUsage.mockResolvedValue(undefined);
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockTokenService.validate).toHaveBeenCalledWith(VALID_TOKEN);
+      expect(mockTokenService.incrementUsage).toHaveBeenCalledWith(VALID_PAYLOAD.jti);
+      expect(mockReq.token).toEqual({
+        jti: VALID_PAYLOAD.jti,
+        iat: VALID_PAYLOAD.iat,
+        exp: VALID_PAYLOAD.exp,
+        maxUses: VALID_PAYLOAD.maxUses,
+      });
+      expect(mockNext).toHaveBeenCalled();
+      expect(mockStatus).not.toHaveBeenCalled();
+    });
+
+    it('should attach token info to request object', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: `Bearer ${VALID_TOKEN}`,
+      };
+
+      mockTokenService.validate.mockResolvedValue(VALID_PAYLOAD);
+      mockTokenService.incrementUsage.mockResolvedValue(undefined);
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockReq.token).toBeDefined();
+      expect(mockReq.token!.jti).toBe(VALID_PAYLOAD.jti);
+      expect(mockReq.token!.iat).toBe(VALID_PAYLOAD.iat);
+      expect(mockReq.token!.exp).toBe(VALID_PAYLOAD.exp);
+      expect(mockReq.token!.maxUses).toBe(VALID_PAYLOAD.maxUses);
+    });
+
+    it('should increment token usage on successful authentication', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: `Bearer ${VALID_TOKEN}`,
+      };
+
+      mockTokenService.validate.mockResolvedValue(VALID_PAYLOAD);
+      mockTokenService.incrementUsage.mockResolvedValue(undefined);
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockTokenService.incrementUsage).toHaveBeenCalledWith(VALID_PAYLOAD.jti);
+    });
+  });
+
+  describe('Missing or Invalid Authorization Header', () => {
+    it('should reject missing Authorization header with 401', async () => {
+      // Arrange
+      mockReq.headers = {};
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockStatus).toHaveBeenCalledWith(401);
+      expect(mockJson).toHaveBeenCalledWith({
+        success: false,
+        error: {
+          code: 'AUTHENTICATION_FAILED',
+          message: 'Missing or invalid Authorization header',
+        },
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+      expect(mockTokenService.validate).not.toHaveBeenCalled();
+    });
+
+    it('should reject Authorization header without Bearer prefix', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: VALID_TOKEN, // Missing 'Bearer ' prefix
+      };
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockStatus).toHaveBeenCalledWith(401);
+      expect(mockJson).toHaveBeenCalledWith({
+        success: false,
+        error: {
+          code: 'AUTHENTICATION_FAILED',
+          message: 'Missing or invalid Authorization header',
+        },
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+    });
+
+    it('should reject Authorization header with wrong scheme', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: `Basic ${VALID_TOKEN}`, // Wrong scheme
+      };
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockStatus).toHaveBeenCalledWith(401);
+      expect(mockNext).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Expired Token', () => {
+    it('should reject expired token with 401 TOKEN_EXPIRED', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: `Bearer ${VALID_TOKEN}`,
+      };
+
+      mockTokenService.validate.mockRejectedValue(new TokenExpiredError());
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockStatus).toHaveBeenCalledWith(401);
+      expect(mockJson).toHaveBeenCalledWith({
+        success: false,
+        error: {
+          code: 'TOKEN_EXPIRED',
+          message: 'Token has expired',
+        },
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+      expect(mockTokenService.incrementUsage).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Revoked Token', () => {
+    it('should reject revoked token with 401 TOKEN_REVOKED', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: `Bearer ${VALID_TOKEN}`,
+      };
+
+      mockTokenService.validate.mockRejectedValue(new TokenRevokedError());
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockStatus).toHaveBeenCalledWith(401);
+      expect(mockJson).toHaveBeenCalledWith({
+        success: false,
+        error: {
+          code: 'TOKEN_REVOKED',
+          message: 'Token has been revoked',
+        },
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+      expect(mockTokenService.incrementUsage).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Usage Limit Exceeded', () => {
+    it('should reject token with quota exceeded with 403 USAGE_LIMIT_EXCEEDED', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: `Bearer ${VALID_TOKEN}`,
+      };
+
+      mockTokenService.validate.mockRejectedValue(new UsageLimitExceededError());
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockStatus).toHaveBeenCalledWith(403);
+      expect(mockJson).toHaveBeenCalledWith({
+        success: false,
+        error: {
+          code: 'USAGE_LIMIT_EXCEEDED',
+          message: 'Token usage limit exceeded',
+        },
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+      expect(mockTokenService.incrementUsage).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Token Not Found', () => {
+    it('should reject token not in database with 401 AUTHENTICATION_FAILED', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: `Bearer ${VALID_TOKEN}`,
+      };
+
+      mockTokenService.validate.mockRejectedValue(new TokenNotFoundError());
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockStatus).toHaveBeenCalledWith(401);
+      expect(mockJson).toHaveBeenCalledWith({
+        success: false,
+        error: {
+          code: 'AUTHENTICATION_FAILED',
+          message: 'Invalid token',
+        },
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Invalid Signature', () => {
+    it('should reject token with invalid signature with 401', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: `Bearer ${VALID_TOKEN}`,
+      };
+
+      mockTokenService.validate.mockRejectedValue(new InvalidSignatureError());
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockStatus).toHaveBeenCalledWith(401);
+      expect(mockJson).toHaveBeenCalledWith({
+        success: false,
+        error: {
+          code: 'AUTHENTICATION_FAILED',
+          message: 'Invalid token signature',
+        },
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Invalid Token', () => {
+    it('should reject malformed token with 401', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: `Bearer ${VALID_TOKEN}`,
+      };
+
+      mockTokenService.validate.mockRejectedValue(new InvalidTokenError());
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockStatus).toHaveBeenCalledWith(401);
+      expect(mockJson).toHaveBeenCalledWith({
+        success: false,
+        error: {
+          code: 'AUTHENTICATION_FAILED',
+          message: 'Invalid token',
+        },
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Unexpected Errors', () => {
+    it('should handle unexpected error with generic 401', async () => {
+      // Arrange
+      mockReq.headers = {
+        authorization: `Bearer ${VALID_TOKEN}`,
+      };
+
+      mockTokenService.validate.mockRejectedValue(new Error('Unexpected error'));
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      expect(mockStatus).toHaveBeenCalledWith(401);
+      expect(mockJson).toHaveBeenCalledWith({
+        success: false,
+        error: {
+          code: 'AUTHENTICATION_FAILED',
+          message: 'Authentication failed',
+        },
+      });
+      expect(mockNext).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Error Response Format', () => {
+    it('should always return consistent error format', async () => {
+      // Arrange
+      mockReq.headers = {};
+
+      // Act
+      await middleware(
+        mockReq as AuthenticatedRequest,
+        mockRes as Response,
+        mockNext as NextFunction
+      );
+
+      // Assert
+      const errorResponse = mockJson.mock.calls[0][0];
+      expect(errorResponse).toHaveProperty('success', false);
+      expect(errorResponse).toHaveProperty('error');
+      expect(errorResponse.error).toHaveProperty('code');
+      expect(errorResponse.error).toHaveProperty('message');
+    });
+  });
+});

package/tests/unit/providers/azure/azure-errors.test.ts

@@ -0,0 +1,193 @@
+/**
+ * Azure Error Types Unit Tests
+ *
+ * Tests for Azure-specific error classes and error handling utilities.
+ */
+
+import {
+  AzureError,
+  AzureAuthenticationError,
+  AzureAPIError,
+  AzureRateLimitError,
+  AzureTimeoutError,
+  AzurePermissionError,
+  AzureConfigurationError,
+  AzureTokenExpiredError,
+  isRetryableError,
+} from '../../../../src/providers/azure/azure-errors';
+
+describe('Azure Error Types', () => {
+  describe('AzureError', () => {
+    it('should create base Azure error', () => {
+      const error = new AzureError('Test error');
+
+      expect(error).toBeInstanceOf(Error);
+      expect(error).toBeInstanceOf(AzureError);
+      expect(error.name).toBe('AzureError');
+      expect(error.message).toBe('Test error');
+    });
+  });
+
+  describe('AzureAuthenticationError', () => {
+    it('should create authentication error with context', () => {
+      const error = new AzureAuthenticationError(
+        'Auth failed',
+        'tenant-123',
+        'client-456'
+      );
+
+      expect(error).toBeInstanceOf(AzureError);
+      expect(error.name).toBe('AzureAuthenticationError');
+      expect(error.message).toBe('Auth failed');
+      expect(error.tenantId).toBe('tenant-123');
+      expect(error.clientId).toBe('client-456');
+    });
+
+    it('should store cause error', () => {
+      const cause = new Error('Invalid credentials');
+      const error = new AzureAuthenticationError(
+        'Auth failed',
+        'tenant-123',
+        'client-456',
+        cause
+      );
+
+      expect(error.cause).toBe(cause);
+    });
+  });
+
+  describe('AzureAPIError', () => {
+    it('should create API error with status code', () => {
+      const error = new AzureAPIError('API failed', '/users', 500);
+
+      expect(error).toBeInstanceOf(AzureError);
+      expect(error.name).toBe('AzureAPIError');
+      expect(error.endpoint).toBe('/users');
+      expect(error.statusCode).toBe(500);
+    });
+
+    it('should create API error without status code', () => {
+      const error = new AzureAPIError('API failed', '/groups');
+
+      expect(error.endpoint).toBe('/groups');
+      expect(error.statusCode).toBeUndefined();
+    });
+  });
+
+  describe('AzureRateLimitError', () => {
+    it('should create rate limit error with retry-after', () => {
+      const error = new AzureRateLimitError('Rate limited', '/users', 60);
+
+      expect(error).toBeInstanceOf(AzureError);
+      expect(error.name).toBe('AzureRateLimitError');
+      expect(error.endpoint).toBe('/users');
+      expect(error.retryAfter).toBe(60);
+    });
+  });
+
+  describe('AzureTimeoutError', () => {
+    it('should create timeout error', () => {
+      const error = new AzureTimeoutError('Timeout', 'GET /users', 30000);
+
+      expect(error).toBeInstanceOf(AzureError);
+      expect(error.name).toBe('AzureTimeoutError');
+      expect(error.operation).toBe('GET /users');
+      expect(error.timeoutMs).toBe(30000);
+    });
+  });
+
+  describe('AzurePermissionError', () => {
+    it('should create permission error with required permissions', () => {
+      const error = new AzurePermissionError(
+        'Insufficient permissions',
+        '/users',
+        ['User.Read.All', 'Directory.Read.All']
+      );
+
+      expect(error).toBeInstanceOf(AzureError);
+      expect(error.name).toBe('AzurePermissionError');
+      expect(error.endpoint).toBe('/users');
+      expect(error.requiredPermissions).toEqual(['User.Read.All', 'Directory.Read.All']);
+    });
+  });
+
+  describe('AzureConfigurationError', () => {
+    it('should create configuration error', () => {
+      const error = new AzureConfigurationError('Missing tenant ID', 'tenantId');
+
+      expect(error).toBeInstanceOf(AzureError);
+      expect(error.name).toBe('AzureConfigurationError');
+      expect(error.configKey).toBe('tenantId');
+    });
+  });
+
+  describe('AzureTokenExpiredError', () => {
+    it('should create token expired error', () => {
+      const expiresAt = new Date('2026-01-13T00:00:00Z');
+      const error = new AzureTokenExpiredError('Token expired', expiresAt);
+
+      expect(error).toBeInstanceOf(AzureError);
+      expect(error.name).toBe('AzureTokenExpiredError');
+      expect(error.expiresAt).toEqual(expiresAt);
+    });
+  });
+
+  describe('isRetryableError', () => {
+    it('should identify rate limit errors as retryable', () => {
+      const error = new AzureRateLimitError('Rate limited', '/users', 60);
+      expect(isRetryableError(error)).toBe(true);
+    });
+
+    it('should identify timeout errors as retryable', () => {
+      const error = new AzureTimeoutError('Timeout', 'GET /users', 30000);
+      expect(isRetryableError(error)).toBe(true);
+    });
+
+    it('should identify 429 API errors as retryable', () => {
+      const error = new AzureAPIError('Too many requests', '/users', 429);
+      expect(isRetryableError(error)).toBe(true);
+    });
+
+    it('should identify 500 API errors as retryable', () => {
+      const error = new AzureAPIError('Server error', '/users', 500);
+      expect(isRetryableError(error)).toBe(true);
+    });
+
+    it('should identify 503 API errors as retryable', () => {
+      const error = new AzureAPIError('Service unavailable', '/users', 503);
+      expect(isRetryableError(error)).toBe(true);
+    });
+
+    it('should NOT identify 404 API errors as retryable', () => {
+      const error = new AzureAPIError('Not found', '/users', 404);
+      expect(isRetryableError(error)).toBe(false);
+    });
+
+    it('should NOT identify authentication errors as retryable', () => {
+      const error = new AzureAuthenticationError('Auth failed', 'tenant', 'client');
+      expect(isRetryableError(error)).toBe(false);
+    });
+
+    it('should NOT identify permission errors as retryable', () => {
+      const error = new AzurePermissionError('No access', '/users', ['User.Read.All']);
+      expect(isRetryableError(error)).toBe(false);
+    });
+
+    it('should identify network errors as retryable', () => {
+      const error = new Error('Network error') as Error & { code: string };
+      error.code = 'ECONNREFUSED';
+      expect(isRetryableError(error)).toBe(true);
+    });
+
+    it('should identify ETIMEDOUT errors as retryable', () => {
+      const error = new Error('Connection timed out') as Error & { code: string };
+      error.code = 'ETIMEDOUT';
+      expect(isRetryableError(error)).toBe(true);
+    });
+
+    it('should NOT identify unknown errors as retryable', () => {
+      const error = new Error('Unknown error');
+      expect(isRetryableError(error)).toBe(false);
+    });
+  });
+});