@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.0-canary.clientinfo.20251126003544

package/src/services/__tests__/proof-verifier.test.ts

@@ -0,0 +1,489 @@
+/**
+ * Tests for ProofVerifier
+ *
+ * Comprehensive security test coverage for proof verification service.
+ * Tests nonce replay protection, timestamp skew validation, canonical payload reconstruction,
+ * and various security attack scenarios.
+ *
+ * Test Coverage Requirements: 100% - All security-critical code paths
+ */
+
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { ProofVerifier } from '../proof-verifier.js';
+import { CryptoService, type Ed25519JWK } from '../crypto.service.js';
+import type {
+  CryptoProvider,
+  ClockProvider,
+  NonceCacheProvider,
+  FetchProvider,
+} from '../../providers/base.js';
+import type { DetachedProof } from '@kya-os/contracts/proof';
+import {
+  ProofVerificationError,
+  PROOF_VERIFICATION_ERROR_CODES,
+} from '../errors.js';
+
+describe('ProofVerifier Security', () => {
+  let proofVerifier: ProofVerifier;
+  let mockCryptoProvider: CryptoProvider;
+  let mockClockProvider: ClockProvider;
+  let mockNonceCache: NonceCacheProvider;
+  let mockFetchProvider: FetchProvider;
+  let cryptoService: CryptoService;
+
+  const validJwk: Ed25519JWK = {
+    kty: 'OKP',
+    crv: 'Ed25519',
+    x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ',
+    kid: 'did:key:z123#key-1',
+  };
+
+  const createValidProof = (): DetachedProof => {
+    const header = { alg: 'EdDSA', typ: 'JWT' };
+    // Create a proper JSON payload that matches the meta structure
+    const payload = {
+      aud: 'test-audience',
+      sub: 'did:key:z123',
+      iss: 'did:key:z123',
+      nonce: 'nonce123',
+      ts: Math.floor(Date.now() / 1000),
+      sessionId: 'session123',
+      requestHash: 'sha256:' + 'a'.repeat(64),
+      responseHash: 'sha256:' + 'b'.repeat(64),
+    };
+    // Use btoa for base64 encoding (available in test environment via polyfill)
+    const headerB64 = btoa(JSON.stringify(header))
+      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+    const payloadB64 = btoa(JSON.stringify(payload))
+      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+    const signatureB64 = btoa('signature')
+      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+    const jws = `${headerB64}.${payloadB64}.${signatureB64}`;
+
+    return {
+      jws,
+      meta: {
+        did: 'did:key:z123',
+        kid: 'did:key:z123#key-1',
+        ts: Math.floor(Date.now() / 1000),
+        nonce: 'nonce123',
+        audience: 'test-audience',
+        sessionId: 'session123',
+        requestHash: 'sha256:' + 'a'.repeat(64),
+        responseHash: 'sha256:' + 'b'.repeat(64),
+      },
+    };
+  };
+
+  beforeEach(() => {
+    mockCryptoProvider = {
+      sign: vi.fn(),
+      verify: vi.fn().mockResolvedValue(true),
+      generateKeyPair: vi.fn(),
+      hash: vi.fn(),
+      randomBytes: vi.fn(),
+    };
+
+    cryptoService = new CryptoService(mockCryptoProvider);
+
+    mockClockProvider = {
+      now: vi.fn().mockReturnValue(Date.now()), // Return milliseconds
+      isWithinSkew: vi.fn().mockReturnValue(true),
+      hasExpired: vi.fn(),
+      calculateExpiry: vi.fn((ttlSeconds: number) => Date.now() + (ttlSeconds * 1000)), // Return milliseconds
+      format: vi.fn(),
+    };
+
+    mockNonceCache = {
+      has: vi.fn().mockResolvedValue(false),
+      add: vi.fn().mockResolvedValue(undefined),
+      cleanup: vi.fn().mockResolvedValue(undefined),
+      destroy: vi.fn().mockResolvedValue(undefined),
+    };
+
+    mockFetchProvider = {
+      resolveDID: vi.fn().mockResolvedValue({
+        verificationMethod: [{
+          id: 'did:key:z123#key-1',
+          publicKeyJwk: validJwk,
+        }],
+      }),
+      fetchStatusList: vi.fn(),
+      fetchDelegationChain: vi.fn(),
+      fetch: vi.fn(),
+    };
+
+    proofVerifier = new ProofVerifier({
+      cryptoProvider: mockCryptoProvider,
+      clockProvider: mockClockProvider,
+      nonceCacheProvider: mockNonceCache,
+      fetchProvider: mockFetchProvider,
+      timestampSkewSeconds: 120,
+      nonceTtlSeconds: 300,
+    });
+  });
+
+  describe('Nonce Replay Protection', () => {
+    it('should prevent nonce replay attacks', async () => {
+      const proof = createValidProof();
+
+      // First verification should succeed
+      const result1 = await proofVerifier.verifyProof(proof, validJwk);
+      expect(result1.valid).toBe(true);
+      expect(mockNonceCache.has).toHaveBeenCalledWith('nonce123', 'did:key:z123');
+      expect(mockNonceCache.add).toHaveBeenCalled();
+
+      // Reset mock to simulate second attempt
+      mockNonceCache.has = vi.fn().mockResolvedValue(true);
+
+      // Second verification with same nonce should fail
+      const result2 = await proofVerifier.verifyProof(proof, validJwk);
+      expect(result2.valid).toBe(false);
+      expect(result2.reason).toContain('replay');
+    });
+
+    it('should add nonce to cache after successful verification', async () => {
+      const proof = createValidProof();
+
+      await proofVerifier.verifyProof(proof, validJwk);
+
+      expect(mockNonceCache.add).toHaveBeenCalledWith(
+        'nonce123',
+        expect.any(Number),
+        'did:key:z123'
+      );
+    });
+  });
+
+  describe('Timestamp Skew Validation', () => {
+    it('should enforce timestamp skew limits', async () => {
+      const proof = createValidProof();
+      const currentTime = Date.now(); // milliseconds
+
+      // Set clock to 5 minutes in the future
+      mockClockProvider.now = vi.fn().mockReturnValue(currentTime);
+      mockClockProvider.isWithinSkew = vi.fn().mockReturnValue(false);
+
+      const result = await proofVerifier.verifyProof(proof, validJwk);
+
+      expect(result.valid).toBe(false);
+      expect(result.reason).toContain('skew');
+      // isWithinSkew is called with timestamp in milliseconds (converted from seconds)
+      expect(mockClockProvider.isWithinSkew).toHaveBeenCalledWith(
+        proof.meta.ts * 1000, // Convert seconds to milliseconds
+        120
+      );
+    });
+
+    it('should accept timestamps within skew window', async () => {
+      const proof = createValidProof();
+      mockClockProvider.isWithinSkew = vi.fn().mockReturnValue(true);
+
+      const result = await proofVerifier.verifyProof(proof, validJwk);
+
+      expect(result.valid).toBe(true);
+    });
+
+    it('should use custom timestamp skew seconds', async () => {
+      const customProofVerifier = new ProofVerifier({
+        cryptoProvider: mockCryptoProvider,
+        clockProvider: mockClockProvider,
+        nonceCacheProvider: mockNonceCache,
+        fetchProvider: mockFetchProvider,
+        timestampSkewSeconds: 300, // 5 minutes
+        nonceTtlSeconds: 300,
+      });
+
+      const proof = createValidProof();
+      mockClockProvider.isWithinSkew = vi.fn().mockReturnValue(false);
+
+      await customProofVerifier.verifyProof(proof, validJwk);
+
+      // isWithinSkew is called with timestamp in milliseconds (converted from seconds)
+      expect(mockClockProvider.isWithinSkew).toHaveBeenCalledWith(
+        proof.meta.ts * 1000, // Convert seconds to milliseconds
+        300
+      );
+    });
+  });
+
+  describe('Canonical Payload Reconstruction', () => {
+    it('should reconstruct canonical payload from meta', async () => {
+      const proof = createValidProof();
+
+      await proofVerifier.verifyProof(proof, validJwk);
+
+      // Verify that verifyJWS was called with detached payload
+      expect(mockCryptoProvider.verify).toHaveBeenCalled();
+    });
+
+    it('should validate canonical payload ordering determinism', () => {
+      const meta1 = {
+        z: 1,
+        a: 2,
+        m: 3,
+        did: 'did:test',
+        kid: 'kid',
+        ts: 123,
+        nonce: 'nonce',
+        audience: 'aud',
+        sessionId: 'session',
+        requestHash: 'sha256:' + 'a'.repeat(64),
+        responseHash: 'sha256:' + 'b'.repeat(64),
+      };
+      const meta2 = {
+        a: 2,
+        m: 3,
+        z: 1,
+        did: 'did:test',
+        kid: 'kid',
+        ts: 123,
+        nonce: 'nonce',
+        audience: 'aud',
+        sessionId: 'session',
+        requestHash: 'sha256:' + 'a'.repeat(64),
+        responseHash: 'sha256:' + 'b'.repeat(64),
+      };
+
+      const canonical1 = proofVerifier.buildCanonicalPayload(meta1);
+      const canonical2 = proofVerifier.buildCanonicalPayload(meta2);
+
+      // Should be identical despite different key order
+      expect(canonical1).toBe(canonical2);
+    });
+
+    it('should handle detached JWS reconstruction', async () => {
+      const header = { alg: 'EdDSA' };
+      const headerB64 = btoa(JSON.stringify(header))
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = btoa('signature')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const detachedJws = `${headerB64}..${signatureB64}`;
+
+      const proof: DetachedProof = {
+        jws: detachedJws,
+        meta: createValidProof().meta,
+      };
+
+      const result = await proofVerifier.verifyProof(proof, validJwk);
+
+      // Should call verifyJWS with detached payload
+      expect(mockCryptoProvider.verify).toHaveBeenCalled();
+      expect(result.valid).toBe(true);
+    });
+  });
+
+  describe('Proof Structure Validation', () => {
+    it('should reject invalid proof structure', async () => {
+      const invalidProof = {
+        jws: 'invalid',
+        meta: {
+          // Missing required fields
+          did: 'did:test',
+        },
+      } as any;
+
+      const result = await proofVerifier.verifyProof(invalidProof, validJwk);
+
+      expect(result.valid).toBe(false);
+      expect(result.reason).toContain('Invalid proof structure');
+    });
+
+    it('should reject proof with missing required meta fields', async () => {
+      const invalidProof: DetachedProof = {
+        jws: 'header.payload.signature',
+        meta: {
+          did: 'did:test',
+          kid: 'kid',
+          ts: 123,
+          nonce: 'nonce',
+          audience: 'aud',
+          sessionId: 'session',
+          // Missing requestHash and responseHash
+          requestHash: '' as any,
+          responseHash: '' as any,
+        },
+      };
+
+      const result = await proofVerifier.verifyProof(invalidProof, validJwk);
+
+      expect(result.valid).toBe(false);
+    });
+  });
+
+  describe('Signature Verification', () => {
+    it('should reject proof with invalid signature', async () => {
+      const proof = createValidProof();
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(false);
+
+      const result = await proofVerifier.verifyProof(proof, validJwk);
+
+      expect(result.valid).toBe(false);
+      expect(result.reason).toContain('Invalid JWS signature');
+    });
+
+    it('should handle signature verification errors gracefully', async () => {
+      const proof = createValidProof();
+      mockCryptoProvider.verify = vi.fn().mockRejectedValue(
+        new Error('Crypto error')
+      );
+
+      const result = await proofVerifier.verifyProof(proof, validJwk);
+
+      expect(result.valid).toBe(false);
+      expect(result.reason).toBeDefined();
+      // Should not throw, should return error result
+    });
+  });
+
+  describe('verifyProofDetached', () => {
+    it('should verify proof with string canonical payload', async () => {
+      const proof = createValidProof();
+      const canonicalPayload = proofVerifier.buildCanonicalPayload(proof.meta);
+
+      const result = await proofVerifier.verifyProofDetached(
+        proof,
+        canonicalPayload,
+        validJwk
+      );
+
+      expect(result.valid).toBe(true);
+    });
+
+    it('should verify proof with Uint8Array canonical payload', async () => {
+      const proof = createValidProof();
+      const canonicalPayload = proofVerifier.buildCanonicalPayload(proof.meta);
+      const canonicalPayloadBytes = new TextEncoder().encode(canonicalPayload);
+
+      const result = await proofVerifier.verifyProofDetached(
+        proof,
+        canonicalPayloadBytes,
+        validJwk
+      );
+
+      expect(result.valid).toBe(true);
+    });
+
+    it('should prevent nonce replay in verifyProofDetached', async () => {
+      const proof = createValidProof();
+      const canonicalPayload = proofVerifier.buildCanonicalPayload(proof.meta);
+
+      // First verification
+      const result1 = await proofVerifier.verifyProofDetached(
+        proof,
+        canonicalPayload,
+        validJwk
+      );
+      expect(result1.valid).toBe(true);
+
+      // Second verification should fail
+      mockNonceCache.has = vi.fn().mockResolvedValue(true);
+      const result2 = await proofVerifier.verifyProofDetached(
+        proof,
+        canonicalPayload,
+        validJwk
+      );
+      expect(result2.valid).toBe(false);
+      expect(result2.reason).toContain('replay');
+    });
+  });
+
+  describe('Error Handling', () => {
+    it('should never throw on verification errors', async () => {
+      const proof = createValidProof();
+      
+      // Simulate various error conditions
+      mockNonceCache.has = vi.fn().mockRejectedValue(new Error('Cache error'));
+      
+      const result = await proofVerifier.verifyProof(proof, validJwk);
+
+      // Should return error result, not throw
+      expect(result.valid).toBe(false);
+      expect(result.reason).toBeDefined();
+    });
+
+    it('should handle clock provider errors gracefully', async () => {
+      const proof = createValidProof();
+      mockClockProvider.isWithinSkew = vi.fn().mockImplementation(() => {
+        throw new Error('Clock error');
+      });
+
+      const result = await proofVerifier.verifyProof(proof, validJwk);
+
+      expect(result.valid).toBe(false);
+      expect(result.reason).toBeDefined();
+    });
+  });
+
+  describe('fetchPublicKeyFromDID', () => {
+    it('should fetch public key from DID document', async () => {
+      const jwk = await proofVerifier.fetchPublicKeyFromDID('did:key:z123', 'key-1');
+
+      expect(jwk).toEqual(validJwk);
+      expect(mockFetchProvider.resolveDID).toHaveBeenCalledWith('did:key:z123');
+    });
+
+    it('should throw ProofVerificationError if DID document not found', async () => {
+      mockFetchProvider.resolveDID = vi.fn().mockResolvedValue(null);
+
+      await expect(
+        proofVerifier.fetchPublicKeyFromDID('did:key:z123')
+      ).rejects.toThrow(ProofVerificationError);
+
+      try {
+        await proofVerifier.fetchPublicKeyFromDID('did:key:z123');
+      } catch (error) {
+        expect(error).toBeInstanceOf(ProofVerificationError);
+        expect((error as ProofVerificationError).code).toBe(
+          PROOF_VERIFICATION_ERROR_CODES.DID_DOCUMENT_NOT_FOUND
+        );
+      }
+    });
+
+    it('should throw ProofVerificationError if verification method not found', async () => {
+      mockFetchProvider.resolveDID = vi.fn().mockResolvedValue({
+        verificationMethod: [],
+      });
+
+      await expect(
+        proofVerifier.fetchPublicKeyFromDID('did:key:z123', 'key-1')
+      ).rejects.toThrow(ProofVerificationError);
+
+      try {
+        await proofVerifier.fetchPublicKeyFromDID('did:key:z123', 'key-1');
+      } catch (error) {
+        expect(error).toBeInstanceOf(ProofVerificationError);
+        expect((error as ProofVerificationError).code).toBe(
+          PROOF_VERIFICATION_ERROR_CODES.VERIFICATION_METHOD_NOT_FOUND
+        );
+      }
+    });
+
+    it('should throw ProofVerificationError if JWK is not Ed25519', async () => {
+      mockFetchProvider.resolveDID = vi.fn().mockResolvedValue({
+        verificationMethod: [{
+          id: 'did:key:z123#key-1',
+          publicKeyJwk: {
+            kty: 'RSA',
+            crv: 'RS256',
+            n: 'invalid',
+          },
+        }],
+      });
+
+      await expect(
+        proofVerifier.fetchPublicKeyFromDID('did:key:z123')
+      ).rejects.toThrow(ProofVerificationError);
+
+      try {
+        await proofVerifier.fetchPublicKeyFromDID('did:key:z123');
+      } catch (error) {
+        expect(error).toBeInstanceOf(ProofVerificationError);
+        expect((error as ProofVerificationError).code).toBe(
+          PROOF_VERIFICATION_ERROR_CODES.INVALID_JWK_FORMAT
+        );
+      }
+    });
+  });
+});
+

package/src/services/__tests__/provider-resolution.integration.test.ts

@@ -0,0 +1,198 @@
+/**
+ * Provider Resolution Integration Tests
+ *
+ * Tests end-to-end provider resolution flow and backward compatibility.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { OAuthProviderRegistry } from "../oauth-provider-registry.js";
+import { ProviderResolver } from "../provider-resolver.js";
+import { OAuthConfigService } from "../oauth-config.service.js";
+import { ToolProtectionService } from "../tool-protection.service.js";
+import type { ToolProtection } from "@kya-os/contracts/tool-protection";
+import type { OAuthConfig } from "@kya-os/contracts/config";
+
+describe("Provider Resolution Integration", () => {
+  let mockConfigService: OAuthConfigService;
+  let mockToolProtectionService: ToolProtectionService;
+  let providerRegistry: OAuthProviderRegistry;
+  let providerResolver: ProviderResolver;
+
+  const mockOAuthConfig: OAuthConfig = {
+    providers: {
+      github: {
+        clientId: "github_client_id",
+        authorizationUrl: "https://github.com/login/oauth/authorize",
+        tokenUrl: "https://github.com/login/oauth/access_token",
+        supportsPKCE: true,
+        requiresClientSecret: false,
+      },
+      google: {
+        clientId: "google_client_id",
+        authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+        tokenUrl: "https://oauth2.googleapis.com/token",
+        supportsPKCE: true,
+        requiresClientSecret: false,
+      },
+    },
+  };
+
+  beforeEach(() => {
+    mockConfigService = {
+      getOAuthConfig: vi.fn().mockResolvedValue(mockOAuthConfig),
+    } as any;
+
+    mockToolProtectionService = {
+      checkToolProtection: vi.fn(),
+      getProjectId: vi.fn().mockReturnValue("test-project"),
+    } as any;
+
+    providerRegistry = new OAuthProviderRegistry(mockConfigService);
+    providerResolver = new ProviderResolver(providerRegistry, mockConfigService);
+  });
+
+  describe("End-to-end provider resolution", () => {
+    it("should resolve provider for tool with oauthProvider field", async () => {
+      await providerRegistry.loadFromAgentShield("test-project");
+
+      const toolProtection: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: ["repo:read"],
+        oauthProvider: "github",
+      };
+
+      const provider = await providerResolver.resolveProvider(
+        toolProtection,
+        "test-project"
+      );
+
+      expect(provider).toBe("github");
+    });
+
+    it("should resolve provider via scope inference when oauthProvider not specified", async () => {
+      await providerRegistry.loadFromAgentShield("test-project");
+
+      const toolProtection: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: ["github:repo:read"],
+        // No oauthProvider field (Phase 1 compatibility)
+      };
+
+      const consoleSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+
+      const provider = await providerResolver.resolveProvider(
+        toolProtection,
+        "test-project"
+      );
+
+      expect(provider).toBe("github");
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining("Inferred provider")
+      );
+
+      consoleSpy.mockRestore();
+    });
+
+    it("should fall back to first configured provider for Phase 1 compatibility", async () => {
+      await providerRegistry.loadFromAgentShield("test-project");
+
+      const toolProtection: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: ["custom:scope"], // No recognizable prefix
+        // No oauthProvider field
+      };
+
+      const consoleSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+      const provider = await providerResolver.resolveProvider(
+        toolProtection,
+        "test-project"
+      );
+
+      // Should use first configured provider (github)
+      expect(provider).toBe("github");
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining("deprecated")
+      );
+
+      consoleSpy.mockRestore();
+    });
+  });
+
+  describe("Backward compatibility", () => {
+    it("should work with Phase 1 tools (no oauthProvider field)", async () => {
+      await providerRegistry.loadFromAgentShield("test-project");
+
+      const toolProtection: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: ["repo:read"],
+        // No oauthProvider - Phase 1 style
+      };
+
+      // Should not throw - uses fallback resolution
+      const provider = await providerResolver.resolveProvider(
+        toolProtection,
+        "test-project"
+      );
+
+      expect(provider).toBeDefined();
+      expect(typeof provider).toBe("string");
+    });
+
+    it("should handle tools with empty requiredScopes", async () => {
+      await providerRegistry.loadFromAgentShield("test-project");
+
+      const toolProtection: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: [],
+        // No oauthProvider
+      };
+
+      const consoleSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+      const provider = await providerResolver.resolveProvider(
+        toolProtection,
+        "test-project"
+      );
+
+      // Should fall back to first provider
+      expect(provider).toBe("github");
+      expect(consoleSpy).toHaveBeenCalled();
+
+      consoleSpy.mockRestore();
+    });
+  });
+
+  describe("Multi-provider scenarios", () => {
+    it("should resolve different providers for different tools", async () => {
+      await providerRegistry.loadFromAgentShield("test-project");
+
+      const githubTool: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: ["repo:read"],
+        oauthProvider: "github",
+      };
+
+      const googleTool: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: ["calendar:read"],
+        oauthProvider: "google",
+      };
+
+      const githubProvider = await providerResolver.resolveProvider(
+        githubTool,
+        "test-project"
+      );
+      const googleProvider = await providerResolver.resolveProvider(
+        googleTool,
+        "test-project"
+      );
+
+      expect(githubProvider).toBe("github");
+      expect(googleProvider).toBe("google");
+    });
+  });
+});
+