@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.0

package/src/services/__tests__/access-control.integration.test.ts

@@ -0,0 +1,443 @@
+/**
+ * Integration Tests for AccessControlApiService and ProofVerifier
+ *
+ * End-to-end integration tests covering:
+ * - Delegation verification flow with AccessControlApiService
+ * - Proof submission flow with AccessControlApiService
+ * - Proof verification with ProofVerifier
+ * - Runtime integration with service injection
+ */
+
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { AccessControlApiService } from "../access-control.service.js";
+import { ProofVerifier } from "../proof-verifier.js";
+import { MCPIRuntimeBase } from "../../runtime/base.js";
+import {
+  createMockProviders,
+  MockFetchProvider,
+} from "../../__tests__/utils/mock-providers.js";
+import type { ProviderRuntimeConfig } from "../../config.js";
+import type { DetachedProof } from "@kya-os/contracts/proof";
+import type {
+  VerifyDelegationRequest,
+  ProofSubmissionRequest,
+  ProofSubmissionResponse,
+} from "@kya-os/contracts/agentshield-api";
+import { AgentShieldAPIError } from "@kya-os/contracts/agentshield-api";
+
+describe("AccessControlApiService Integration", () => {
+  let accessControlService: AccessControlApiService;
+  let proofVerifier: ProofVerifier;
+  let runtime: MCPIRuntimeBase;
+  let mockFetchProvider: MockFetchProvider;
+  let mockProviders: ReturnType<typeof createMockProviders>;
+
+  beforeEach(() => {
+    mockProviders = createMockProviders();
+    mockFetchProvider = mockProviders.fetchProvider as MockFetchProvider;
+
+    // Reset fetch mock before each test
+    vi.clearAllMocks();
+    mockFetchProvider.fetch.mockClear();
+
+    accessControlService = new AccessControlApiService({
+      baseUrl: "https://api.example.com",
+      apiKey: "test-api-key",
+      fetchProvider: mockFetchProvider,
+      logger: vi.fn(),
+    });
+
+    proofVerifier = new ProofVerifier({
+      cryptoProvider: mockProviders.cryptoProvider,
+      clockProvider: mockProviders.clockProvider,
+      nonceCacheProvider: mockProviders.nonceCacheProvider,
+      fetchProvider: mockFetchProvider,
+      timestampSkewSeconds: 120,
+    });
+
+    const config: ProviderRuntimeConfig = {
+      ...mockProviders,
+      environment: "development",
+      session: {
+        timestampSkewSeconds: 120,
+        ttlMinutes: 30,
+      },
+    };
+
+    runtime = new MCPIRuntimeBase(config);
+    (runtime as any).proofVerifier = proofVerifier;
+    (runtime as any).accessControlService = accessControlService;
+  });
+
+  describe("Delegation Verification Flow", () => {
+    it("should verify delegation end-to-end", async () => {
+      const request: VerifyDelegationRequest = {
+        agent_did: "did:key:z123",
+        scopes: ["scope1", "scope2"],
+      };
+
+      const mockResponse = {
+        success: true,
+        data: {
+          valid: true,
+          delegation_id: "123e4567-e89b-12d3-a456-426614174000", // Valid UUID format
+          credential: {
+            agent_did: "did:key:z123",
+            scopes: ["scope1", "scope2"],
+            issued_at: Math.floor(Date.now() / 1000), // Unix timestamp (positive integer)
+            created_at: Math.floor(Date.now() / 1000), // Unix timestamp (positive integer)
+          },
+        },
+        metadata: {
+          requestId: "test-request-id",
+          timestamp: new Date().toISOString(),
+        },
+      };
+
+      mockFetchProvider.fetch.mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        })
+      );
+
+      const result = await accessControlService.verifyDelegation(request);
+
+      expect(result.data.valid).toBe(true);
+      expect(result.data.delegation_id).toBe(
+        "123e4567-e89b-12d3-a456-426614174000"
+      );
+      expect(result.data.credential?.scopes).toEqual(["scope1", "scope2"]);
+    });
+
+    it("should handle delegation verification failure", async () => {
+      const request: VerifyDelegationRequest = {
+        agent_did: "did:key:z123",
+        scopes: ["scope1"],
+      };
+
+      const mockResponse = {
+        success: true,
+        data: {
+          valid: false,
+          reason: "No delegation found for agent",
+        },
+        metadata: {
+          requestId: "test-request-id",
+          timestamp: new Date().toISOString(),
+        },
+      };
+
+      mockFetchProvider.fetch.mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        })
+      );
+
+      const result = await accessControlService.verifyDelegation(request);
+
+      expect(result.data.valid).toBe(false);
+      expect(result.data.reason).toBe("No delegation found for agent");
+    });
+  });
+
+  describe("Proof Submission Flow", () => {
+    it("should submit proof end-to-end", async () => {
+      const proof: DetachedProof = {
+        jws: "header.payload.signature",
+        meta: {
+          did: "did:key:z123",
+          kid: "did:key:z123#key-1",
+          ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
+          nonce: "nonce-123",
+          audience: "mcp-client",
+          sessionId: "session-123",
+          requestHash: "sha256:" + "a".repeat(64),
+          responseHash: "sha256:" + "b".repeat(64),
+        },
+      };
+
+      const request = {
+        session_id: "550e8400-e29b-41d4-a716-446655440000", // Valid UUID
+        delegation_id: "123e4567-e89b-12d3-a456-426614174000", // Valid UUID format
+        proofs: [proof],
+        context: {
+          toolCalls: [
+            {
+              tool: "testTool",
+              args: { param: "value" },
+              scopeId: "testTool:execute",
+            },
+          ],
+        },
+      } as ProofSubmissionRequest;
+
+      const mockResponse = {
+        success: true,
+        accepted: 1,
+        rejected: 0,
+        outcomes: {
+          success: 1,
+          failed: 0,
+          blocked: 0,
+          error: 0,
+        },
+      };
+
+      mockFetchProvider.fetch.mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        })
+      );
+
+      const result = await accessControlService.submitProofs(request);
+
+      // Type assertion needed due to TypeScript type resolution issues with outdated node_modules types
+      // The actual runtime type has accepted/rejected/outcomes, but node_modules has old types
+      const typedResult = result as unknown as {
+        success: boolean;
+        accepted: number;
+        rejected: number;
+        outcomes: Record<string, number>;
+        errors?: Array<{
+          proof_index: number;
+          error: { code: string; message: string };
+        }>;
+      };
+      expect(typedResult.accepted).toBe(1);
+      expect(typedResult.rejected).toBe(0);
+      expect(typedResult.outcomes.success).toBe(1);
+    });
+
+    it("should handle proof submission with errors", async () => {
+      const proof: DetachedProof = {
+        jws: "invalid.jws.signature",
+        meta: {
+          did: "did:key:z123",
+          kid: "did:key:z123#key-1",
+          ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
+          nonce: "nonce-123",
+          audience: "mcp-client",
+          sessionId: "session-123",
+          requestHash: "sha256:" + "a".repeat(64),
+          responseHash: "sha256:" + "b".repeat(64),
+        },
+      };
+
+      const request: ProofSubmissionRequest = {
+        session_id: "550e8400-e29b-41d4-a716-446655440000", // Valid UUID
+        delegation_id: null, // Explicitly set to null for optional field
+        proofs: [proof],
+      };
+
+      const mockResponse = {
+        success: true,
+        accepted: 0,
+        rejected: 1,
+        outcomes: {
+          success: 0,
+          failed: 1,
+          blocked: 0,
+          error: 0,
+        },
+        errors: [
+          {
+            proof_index: 0,
+            error: {
+              code: "invalid_signature",
+              message: "Invalid JWS signature",
+            },
+          },
+        ],
+      };
+
+      mockFetchProvider.fetch.mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        })
+      );
+
+      const result = await accessControlService.submitProofs(request);
+
+      // Type assertion needed due to TypeScript type resolution issues with outdated node_modules types
+      // The actual runtime type has accepted/rejected/outcomes, but node_modules has old types
+      const typedResult = result as unknown as {
+        success: boolean;
+        accepted: number;
+        rejected: number;
+        outcomes: Record<string, number>;
+        errors?: Array<{
+          proof_index: number;
+          error: { code: string; message: string };
+        }>;
+      };
+      expect(typedResult.accepted).toBe(0);
+      expect(typedResult.rejected).toBe(1);
+      expect(typedResult.errors).toBeDefined();
+      expect(typedResult.errors?.length).toBe(1);
+    });
+  });
+
+  describe("Proof Verification Flow", () => {
+    it("should verify proof using ProofVerifier", async () => {
+      // Set up DID document for resolution
+      const didDoc = {
+        id: "did:key:z123",
+        verificationMethod: [
+          {
+            id: "did:key:z123#key-1",
+            type: "JsonWebKey2020",
+            publicKeyJwk: {
+              kty: "OKP",
+              crv: "Ed25519",
+              x: "VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ",
+            },
+          },
+        ],
+      };
+
+      mockFetchProvider.setDIDDocument("did:key:z123", didDoc);
+
+      const proof: DetachedProof = {
+        jws: "header.payload.signature",
+        meta: {
+          did: "did:key:z123",
+          kid: "did:key:z123#key-1",
+          ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
+          nonce: "nonce-123",
+          audience: "mcp-client",
+          sessionId: "session-123",
+          requestHash: "sha256:" + "a".repeat(64),
+          responseHash: "sha256:" + "b".repeat(64),
+        },
+      };
+
+      // Note: This test would require actual cryptographic verification
+      // For now, we test the flow structure
+      const publicKeyJwk = didDoc.verificationMethod[0].publicKeyJwk as {
+        kty: "OKP";
+        crv: "Ed25519";
+        x: string;
+      };
+
+      // Mock nonce cache to return false (nonce not seen)
+      vi.spyOn(mockProviders.nonceCacheProvider, "has").mockResolvedValue(
+        false
+      );
+
+      const result = await proofVerifier.verifyProof(proof, publicKeyJwk);
+
+      // Result will depend on actual signature verification
+      expect(result).toBeDefined();
+      expect("valid" in result).toBe(true);
+    });
+  });
+
+  describe("Runtime Integration", () => {
+    it("should use AccessControlApiService from runtime", async () => {
+      const request: VerifyDelegationRequest = {
+        agent_did: "did:key:z123",
+        scopes: ["scope1"],
+      };
+
+      const mockResponse = {
+        success: true,
+        data: { valid: true },
+        metadata: {
+          requestId: "test-request-id",
+          timestamp: new Date().toISOString(),
+        },
+      };
+
+      mockFetchProvider.fetch.mockResolvedValue(
+        new Response(JSON.stringify(mockResponse), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        })
+      );
+
+      const runtimeService = (runtime as any)
+        .accessControlService as AccessControlApiService;
+
+      expect(runtimeService).toBeDefined();
+      const result = await runtimeService.verifyDelegation(request);
+      expect(result.data.valid).toBe(true);
+    });
+
+    it("should use ProofVerifier from runtime", async () => {
+      const runtimeVerifier = (runtime as any).proofVerifier as ProofVerifier;
+      expect(runtimeVerifier).toBeDefined();
+
+      // Verify it's the same instance
+      expect(runtimeVerifier).toBe(proofVerifier);
+    });
+  });
+
+  describe("Error Handling and Retry", () => {
+    it("should retry on transient errors", async () => {
+      const request: VerifyDelegationRequest = {
+        agent_did: "did:key:z123",
+        scopes: ["scope1"],
+      };
+
+      const mockResponse = {
+        success: true,
+        data: { valid: true },
+        metadata: {
+          requestId: "test-request-id",
+          timestamp: new Date().toISOString(),
+        },
+      };
+
+      // First call fails with 500, second succeeds
+      mockFetchProvider.fetch
+        .mockResolvedValueOnce(
+          new Response("Internal Server Error", { status: 500 })
+        )
+        .mockResolvedValueOnce(
+          new Response(JSON.stringify(mockResponse), {
+            status: 200,
+            headers: { "Content-Type": "application/json" },
+          })
+        );
+
+      const result = await accessControlService.verifyDelegation(request);
+
+      expect(result.data.valid).toBe(true);
+      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(2);
+    });
+
+    it("should not retry on client errors", async () => {
+      const request: VerifyDelegationRequest = {
+        agent_did: "did:key:z123",
+        scopes: ["scope1"],
+      };
+
+      mockFetchProvider.fetch.mockResolvedValue(
+        new Response(
+          JSON.stringify({
+            success: false,
+            error: {
+              code: "validation_error",
+              message: "Invalid request",
+            },
+          }),
+          {
+            status: 400,
+            headers: { "Content-Type": "application/json" },
+          }
+        )
+      );
+
+      await expect(
+        accessControlService.verifyDelegation(request)
+      ).rejects.toThrow(AgentShieldAPIError);
+
+      // Should not retry
+      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(1);
+    });
+  });
+});