createToken(TokenKind::Service); // No local row exists yet; the first upsert mints it. $response = $this->request( 'POST', '/api/v1/auth/users/upsert-local', [ 'Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json', ], json_encode(['username' => 'admin']) ?: null ); self::assertSame(200, $response->getStatusCode()); $body = $this->decode($response); self::assertIsInt($body['user_id']); self::assertSame('admin', $body['role']); self::assertNull($body['email']); self::assertSame('admin', $body['display_name']); self::assertTrue($body['is_local']); self::assertSame( 1, (int) $this->db->fetchOne('SELECT COUNT(*) FROM users WHERE is_local = 1'), 'first call must create exactly one local row' ); } /** * SEC_REVIEW F3 regression. A service-token holder must not be able * to mint additional Admin user rows by rotating the `username` field * over `POST /api/v1/auth/users/upsert-local`. Before the fix every * fresh username produced a new is_local=1, role=admin row that the * caller could then impersonate via X-Acting-User-Id. */ public function testRotatingUsernamesNeverCreatesAdditionalLocalAdmins(): void { $token = $this->createToken(TokenKind::Service); $adminId = $this->createUser(Role::Admin, isLocal: true); $headers = [ 'Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json', ]; $userIds = []; foreach (['attacker-1', 'attacker-2', 'attacker-3'] as $name) { $body = $this->decode($this->request( 'POST', '/api/v1/auth/users/upsert-local', $headers, json_encode(['username' => $name]) ?: null )); $userIds[] = $body['user_id']; self::assertSame($adminId, $body['user_id']); self::assertSame('admin', $body['role']); self::assertSame($name, $body['display_name']); } // Same user_id returned every call. self::assertSame([$adminId, $adminId, $adminId], $userIds); // And only one is_local=1 row in the DB. self::assertSame( 1, (int) $this->db->fetchOne('SELECT COUNT(*) FROM users WHERE is_local = 1'), 'rotating usernames must not mint additional local-admin rows' ); } /** * SEC_REVIEW F5: account creation must be audited. The first * upsert-local emits a `user.created` row attributed to the * service-token call (kind=system, no acting user yet) so SOC * tooling can see when the local-admin row first comes into * existence. */ public function testFirstUpsertLocalEmitsUserCreatedAudit(): void { $token = $this->createToken(TokenKind::Service); $response = $this->request( 'POST', '/api/v1/auth/users/upsert-local', [ 'Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json', ], json_encode(['username' => 'admin']) ?: null ); self::assertSame(200, $response->getStatusCode()); $userId = $this->decode($response)['user_id']; $row = $this->db->fetchAssociative( "SELECT actor_kind, action, target_type, target_id, details_json FROM audit_log WHERE action = 'user.created' ORDER BY id DESC LIMIT 1" ); self::assertIsArray($row, 'user.created audit row must exist'); self::assertSame('system', $row['actor_kind']); self::assertSame('user', $row['target_type']); self::assertSame((string) $userId, $row['target_id']); $details = json_decode((string) $row['details_json'], true); self::assertIsArray($details); self::assertSame('local', $details['source']); self::assertSame('admin', $details['display_name']); self::assertSame('admin', $details['role']); } public function testRotatingUsernamesEmitsOnlyOneUserCreatedAudit(): void { // The first upsert mints the row + emits user.created. // Subsequent renames update display_name but must NOT emit // user.created again (no new account is created). $token = $this->createToken(TokenKind::Service); $headers = [ 'Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json', ]; foreach (['admin', 'renamed-1', 'renamed-2'] as $name) { $this->request('POST', '/api/v1/auth/users/upsert-local', $headers, json_encode(['username' => $name]) ?: null); } $count = (int) $this->db->fetchOne( "SELECT COUNT(*) FROM audit_log WHERE action = 'user.created'" ); self::assertSame(1, $count, 'only the bootstrap call should emit user.created'); } public function testNewOidcLoginEmitsUserCreatedAudit(): void { $token = $this->createToken(TokenKind::Service); $response = $this->request( 'POST', '/api/v1/auth/users/upsert-oidc', [ 'Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json', ], json_encode([ 'subject' => 'sub-new', 'email' => 'newcomer@example.com', 'display_name' => 'Newcomer', 'groups' => [], ]) ?: null ); self::assertSame(200, $response->getStatusCode()); $userId = $this->decode($response)['user_id']; $row = $this->db->fetchAssociative( "SELECT actor_kind, action, target_type, target_id, target_label, details_json FROM audit_log WHERE action = 'user.created' ORDER BY id DESC LIMIT 1" ); self::assertIsArray($row); self::assertSame('user', $row['target_type']); self::assertSame((string) $userId, $row['target_id']); self::assertSame('newcomer@example.com', $row['target_label']); $details = json_decode((string) $row['details_json'], true); self::assertIsArray($details); self::assertSame('oidc', $details['source']); self::assertSame('sub-new', $details['subject']); self::assertSame('viewer', $details['role']); } public function testOidcRoleDriftEmitsRoleChangedAudit(): void { $token = $this->createToken(TokenKind::Service); $headers = [ 'Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json', ]; $this->db->insert('oidc_role_mappings', [ 'group_id' => 'admin-grp', 'role' => Role::Admin->value, ]); // First login: admin role. $this->request('POST', '/api/v1/auth/users/upsert-oidc', $headers, json_encode([ 'subject' => 'drift-sub', 'email' => 'drift@example.com', 'display_name' => 'Drift', 'groups' => ['admin-grp'], ]) ?: null); // Second login: no admin group → role drops to default viewer. $this->request('POST', '/api/v1/auth/users/upsert-oidc', $headers, json_encode([ 'subject' => 'drift-sub', 'email' => 'drift@example.com', 'display_name' => 'Drift', 'groups' => [], ]) ?: null); $row = $this->db->fetchAssociative( "SELECT details_json FROM audit_log WHERE action = 'user.role_changed' ORDER BY id DESC LIMIT 1" ); self::assertIsArray($row, 'role drift must emit user.role_changed'); $details = json_decode((string) $row['details_json'], true); self::assertIsArray($details); self::assertSame('admin', $details['changes']['role']['from']); self::assertSame('viewer', $details['changes']['role']['to']); } /** * Defense-in-depth: even if application code regresses, the partial * unique index added in 20260504100000_add_unique_local_user_index * must reject a second is_local=1 insert. */ public function testDbLayerRejectsSecondLocalAdminInsert(): void { $this->createUser(Role::Admin, isLocal: true); $this->expectException(\Doctrine\DBAL\Exception\UniqueConstraintViolationException::class); $this->db->insert('users', [ 'subject' => null, 'email' => null, 'display_name' => 'second-local', 'role' => Role::Admin->value, 'is_local' => 1, ]); } public function testUpsertLocalIsIdempotent(): void { $token = $this->createToken(TokenKind::Service); $adminId = $this->createUser(Role::Admin, isLocal: true); $headers = [ 'Authorization' => 'Bearer ' . $token, 'X-Acting-User-Id' => (string) $adminId, 'Content-Type' => 'application/json', ]; $body = json_encode(['username' => 'idempotent']) ?: null; $first = $this->decode($this->request('POST', '/api/v1/auth/users/upsert-local', $headers, $body)); $second = $this->decode($this->request('POST', '/api/v1/auth/users/upsert-local', $headers, $body)); self::assertSame($first['user_id'], $second['user_id']); } public function testUpsertOidcResolvesRoleFromGroups(): void { $token = $this->createToken(TokenKind::Service); $adminId = $this->createUser(Role::Admin, isLocal: true); // Seed a role mapping: group "ops-group" → operator $this->db->insert('oidc_role_mappings', [ 'group_id' => 'ops-group', 'role' => Role::Operator->value, ]); $this->db->insert('oidc_role_mappings', [ 'group_id' => 'admin-group', 'role' => Role::Admin->value, ]); $response = $this->request( 'POST', '/api/v1/auth/users/upsert-oidc', [ 'Authorization' => 'Bearer ' . $token, 'X-Acting-User-Id' => (string) $adminId, 'Content-Type' => 'application/json', ], json_encode([ 'subject' => 'sub-1', 'email' => 'alice@example.com', 'display_name' => 'Alice', 'groups' => ['ops-group', 'admin-group'], ]) ?: null ); self::assertSame(200, $response->getStatusCode()); $body = $this->decode($response); self::assertSame('admin', $body['role'], 'highest matching role wins'); self::assertSame('alice@example.com', $body['email']); self::assertSame('Alice', $body['display_name']); self::assertFalse($body['is_local']); } public function testUpsertOidcFallsBackToDefaultRoleWithNoMatchingGroup(): void { $token = $this->createToken(TokenKind::Service); $adminId = $this->createUser(Role::Admin, isLocal: true); $response = $this->request( 'POST', '/api/v1/auth/users/upsert-oidc', [ 'Authorization' => 'Bearer ' . $token, 'X-Acting-User-Id' => (string) $adminId, 'Content-Type' => 'application/json', ], json_encode([ 'subject' => 'sub-default', 'email' => 'b@example.com', 'display_name' => 'B', 'groups' => ['unknown-group'], ]) ?: null ); self::assertSame(200, $response->getStatusCode()); // Default in tests is Role::Viewer. self::assertSame('viewer', $this->decode($response)['role']); } public function testUpsertOidcRecomputesRoleOnSubsequentLogins(): void { $token = $this->createToken(TokenKind::Service); $adminId = $this->createUser(Role::Admin, isLocal: true); $this->db->insert('oidc_role_mappings', [ 'group_id' => 'g1', 'role' => Role::Operator->value, ]); $headers = [ 'Authorization' => 'Bearer ' . $token, 'X-Acting-User-Id' => (string) $adminId, 'Content-Type' => 'application/json', ]; $first = $this->decode($this->request( 'POST', '/api/v1/auth/users/upsert-oidc', $headers, json_encode([ 'subject' => 'churn', 'email' => 'c@example.com', 'display_name' => 'C', 'groups' => ['g1'], ]) ?: null )); self::assertSame('operator', $first['role']); // Subsequent login with no matching group → role drops to default viewer. $second = $this->decode($this->request( 'POST', '/api/v1/auth/users/upsert-oidc', $headers, json_encode([ 'subject' => 'churn', 'email' => 'c@example.com', 'display_name' => 'C', 'groups' => [], ]) ?: null )); self::assertSame($first['user_id'], $second['user_id']); self::assertSame('viewer', $second['role']); } public function testUpsertOidcRejectsAdminToken(): void { // Even an admin token can't call /auth/* — those are service-only. $token = $this->createToken(TokenKind::Admin, role: Role::Admin); $response = $this->request( 'POST', '/api/v1/auth/users/upsert-local', [ 'Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json', ], json_encode(['username' => 'admin']) ?: null ); self::assertSame(403, $response->getStatusCode()); } }