feat: implement T19, T20 — Scenario B/C replacement tests; complete workplan

- T19: Scenario B tests — IAM swap correctness (7 tests: profile safety, client mapping, user/group preservation) - T20: Scenario C tests — full expansion correctness (6 tests: LDIF round-trip, target differences, MFA orthogonality) - CI scripts: test-scenario-b.sh, test-scenario-c.sh - README: complete documentation with quick start, endpoints, migration guide - Workplan: all acceptance criteria checked off All 23 tasks done. 15 test packages, all green. go vet clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 02:36:29 +01:00
parent c18adb6441
commit 847abcba73
8 changed files with 755 additions and 51 deletions
--- a/src/tests/migration/fixtures_test.go
+++ b/src/tests/migration/fixtures_test.go
@@ -0,0 +1,86 @@
+package migration_test
+
+import (
+	"time"
+
+	"keycape/internal/domain"
+	"keycape/internal/migration/lldapexport"
+)
+
+// canonicalFixture returns a deterministic ExportResult for use in all migration tests.
+func canonicalFixture() *lldapexport.ExportResult {
+	return &lldapexport.ExportResult{
+		Users: []domain.User{
+			{
+				ID:          "uid=alice,ou=users,dc=netkingdom,dc=local",
+				Username:    "alice",
+				DisplayName: "Alice Example",
+				Email:       "alice@netkingdom.local",
+				Enabled:     true,
+				Groups:      []string{"uid=admins,ou=groups,dc=netkingdom,dc=local"},
+				Roles:       []string{},
+			},
+			{
+				ID:          "uid=bob,ou=users,dc=netkingdom,dc=local",
+				Username:    "bob",
+				DisplayName: "Bob Builder",
+				Email:       "bob@netkingdom.local",
+				Enabled:     true,
+				Groups:      []string{"uid=developers,ou=groups,dc=netkingdom,dc=local"},
+				Roles:       []string{},
+			},
+			{
+				ID:          "uid=carol,ou=users,dc=netkingdom,dc=local",
+				Username:    "carol",
+				DisplayName: "Carol Admin",
+				Email:       "carol@netkingdom.local",
+				Enabled:     false,
+				Groups:      []string{},
+				Roles:       []string{},
+			},
+		},
+		Groups: []domain.Group{
+			{
+				ID:          "uid=admins,ou=groups,dc=netkingdom,dc=local",
+				Name:        "admins",
+				Description: "Administrators",
+				Members:     []string{"uid=alice,ou=users,dc=netkingdom,dc=local"},
+			},
+			{
+				ID:          "uid=developers,ou=groups,dc=netkingdom,dc=local",
+				Name:        "developers",
+				Description: "Developers",
+				Members:     []string{"uid=bob,ou=users,dc=netkingdom,dc=local"},
+			},
+		},
+		Memberships: []domain.Membership{
+			{UserID: "uid=alice,ou=users,dc=netkingdom,dc=local", GroupID: "uid=admins,ou=groups,dc=netkingdom,dc=local"},
+			{UserID: "uid=bob,ou=users,dc=netkingdom,dc=local", GroupID: "uid=developers,ou=groups,dc=netkingdom,dc=local"},
+		},
+		ExportedAt:     time.Date(2026, 3, 13, 0, 0, 0, 0, time.UTC),
+		ProfileVersion: "0.1",
+	}
+}
+
+// testClients returns sample canonical clients for migration tests.
+func testClients() []domain.Client {
+	return []domain.Client{
+		{
+			ClientID:      "demo-app",
+			DisplayName:   "Demo Application",
+			RedirectURIs:  []string{"http://localhost:3000/callback", "https://demo.netkingdom.local/callback"},
+			AllowedScopes: []string{"openid", "profile", "email", "groups"},
+			GrantTypes:    []string{"authorization_code"},
+			ClientType:    "public",
+		},
+		{
+			ClientID:      "api-client",
+			DisplayName:   "API Client",
+			RedirectURIs:  []string{"https://api.netkingdom.local/oauth/callback"},
+			AllowedScopes: []string{"openid", "profile"},
+			GrantTypes:    []string{"authorization_code"},
+			ClientType:    "confidential",
+			SecretRef:     "api-client-secret",
+		},
+	}
+}
--- a/src/tests/migration/scenario_b_test.go
+++ b/src/tests/migration/scenario_b_test.go
@@ -0,0 +1,196 @@
+// Package migration_test contains migration correctness tests for Scenarios B and C.
+//
+// Scenario B: IAM swap — replace KeyCape with Keycloak while keeping the same LLDAP directory.
+// These tests verify the canonical → Keycloak import transformer produces a realm that
+// preserves identical OIDC behavior (same issuer, same claims, same scopes, same clients).
+package migration_test
+
+import (
+	"testing"
+
+	"keycape/internal/migration/tokeycloak"
+	"keycape/internal/server/telemetry"
+)
+
+func newTransformer() *tokeycloak.Transformer {
+	return tokeycloak.New(tokeycloak.Config{
+		RealmName: "netkingdom",
+		Issuer:    "https://auth.netkingdom.local",
+	}, telemetry.NoopEmitter{})
+}
+
+// TestScenarioBRealmPreservesClients verifies all canonical clients survive migration
+// with the correct grant type constraints.
+func TestScenarioBRealmPreservesClients(t *testing.T) {
+	export := canonicalFixture()
+	clients := testClients()
+
+	transformer := newTransformer()
+	realm, err := transformer.TransformWithClients(export, clients)
+	if err != nil {
+		t.Fatalf("TransformWithClients: %v", err)
+	}
+
+	if len(realm.Clients) != len(clients) {
+		t.Errorf("got %d clients, want %d", len(realm.Clients), len(clients))
+	}
+
+	for _, kc := range realm.Clients {
+		// Profile rule: standard flow = authorization_code only
+		if !kc.StandardFlowEnabled {
+			t.Errorf("client %s: StandardFlowEnabled must be true", kc.ClientID)
+		}
+		// Profile rule: no implicit flow
+		if kc.ImplicitFlowEnabled {
+			t.Errorf("client %s: ImplicitFlowEnabled must be false (profile safety)", kc.ClientID)
+		}
+		// Profile rule: no ROPC
+		if kc.DirectAccessGrantsEnabled {
+			t.Errorf("client %s: DirectAccessGrantsEnabled must be false", kc.ClientID)
+		}
+		if len(kc.RedirectUris) == 0 {
+			t.Errorf("client %s: must have at least one redirect URI", kc.ClientID)
+		}
+	}
+}
+
+// TestScenarioBNoImplicitFlow verifies profile safety is maintained across migration.
+func TestScenarioBNoImplicitFlow(t *testing.T) {
+	export := canonicalFixture()
+	transformer := newTransformer()
+	realm, err := transformer.Transform(export)
+	if err != nil {
+		t.Fatalf("Transform: %v", err)
+	}
+
+	for _, c := range realm.Clients {
+		if c.ImplicitFlowEnabled {
+			t.Errorf("client %q has ImplicitFlowEnabled=true after migration — profile safety violation", c.ClientID)
+		}
+	}
+}
+
+// TestScenarioBNoIdentityBrokers verifies no identity providers are injected by migration.
+func TestScenarioBNoIdentityBrokers(t *testing.T) {
+	export := canonicalFixture()
+	transformer := newTransformer()
+	realm, err := transformer.Transform(export)
+	if err != nil {
+		t.Fatalf("Transform: %v", err)
+	}
+
+	if len(realm.IdentityProviders) != 0 {
+		t.Errorf("realm has %d identity providers after migration, want 0 (profile: no identity brokering)", len(realm.IdentityProviders))
+	}
+}
+
+// TestScenarioBUsersPreserved verifies all canonical user attributes survive migration.
+func TestScenarioBUsersPreserved(t *testing.T) {
+	export := canonicalFixture()
+	transformer := newTransformer()
+	realm, err := transformer.Transform(export)
+	if err != nil {
+		t.Fatalf("Transform: %v", err)
+	}
+
+	if len(realm.Users) != len(export.Users) {
+		t.Fatalf("got %d Keycloak users, want %d", len(realm.Users), len(export.Users))
+	}
+
+	// Build a lookup map by username
+	kcUsers := make(map[string]tokeycloak.KeycloakUser)
+	for _, u := range realm.Users {
+		kcUsers[u.Username] = u
+	}
+
+	for _, u := range export.Users {
+		kcu, ok := kcUsers[u.Username]
+		if !ok {
+			t.Errorf("user %q not found in Keycloak realm", u.Username)
+			continue
+		}
+		if kcu.Email != u.Email {
+			t.Errorf("user %q: email %q != %q", u.Username, kcu.Email, u.Email)
+		}
+		if kcu.Enabled != u.Enabled {
+			t.Errorf("user %q: enabled %v != %v", u.Username, kcu.Enabled, u.Enabled)
+		}
+	}
+}
+
+// TestScenarioBGroupsPreserved verifies group memberships survive migration.
+func TestScenarioBGroupsPreserved(t *testing.T) {
+	export := canonicalFixture()
+	transformer := newTransformer()
+	realm, err := transformer.Transform(export)
+	if err != nil {
+		t.Fatalf("Transform: %v", err)
+	}
+
+	if len(realm.Groups) != len(export.Groups) {
+		t.Errorf("got %d Keycloak groups, want %d", len(realm.Groups), len(export.Groups))
+	}
+
+	for _, g := range realm.Groups {
+		if g.Path != "/"+g.Name {
+			t.Errorf("group %q: path %q should be /%s", g.Name, g.Path, g.Name)
+		}
+	}
+}
+
+// TestScenarioBSigningAlgorithmPreserved verifies RS256 is set on the realm.
+func TestScenarioBSigningAlgorithmPreserved(t *testing.T) {
+	export := canonicalFixture()
+	transformer := newTransformer()
+	realm, err := transformer.Transform(export)
+	if err != nil {
+		t.Fatalf("Transform: %v", err)
+	}
+
+	if realm.DefaultSignatureAlgorithm != "RS256" {
+		t.Errorf("DefaultSignatureAlgorithm = %q, want RS256", realm.DefaultSignatureAlgorithm)
+	}
+}
+
+// TestScenarioBValidationReport verifies the validation report catches discrepancies.
+func TestScenarioBValidationReport(t *testing.T) {
+	export := canonicalFixture()
+	transformer := newTransformer()
+	realm, err := transformer.Transform(export)
+	if err != nil {
+		t.Fatalf("Transform: %v", err)
+	}
+
+	// Remove a user from the realm to simulate a discrepancy
+	realm.Users = realm.Users[:len(realm.Users)-1]
+
+	report := transformer.ValidationReport(export, realm)
+	if len(report) == 0 {
+		t.Error("expected at least one validation issue when user count mismatches, got empty report")
+	}
+}
+
+// TestScenarioBPublicClientMapping verifies ClientType is correctly mapped.
+func TestScenarioBPublicClientMapping(t *testing.T) {
+	export := canonicalFixture()
+	clients := testClients()
+	transformer := newTransformer()
+	realm, err := transformer.TransformWithClients(export, clients)
+	if err != nil {
+		t.Fatalf("TransformWithClients: %v", err)
+	}
+
+	kcClients := make(map[string]tokeycloak.KeycloakClient)
+	for _, c := range realm.Clients {
+		kcClients[c.ClientID] = c
+	}
+
+	// demo-app is public
+	if !kcClients["demo-app"].PublicClient {
+		t.Error("demo-app should be PublicClient=true")
+	}
+	// api-client is confidential
+	if kcClients["api-client"].PublicClient {
+		t.Error("api-client should be PublicClient=false (confidential)")
+	}
+}
--- a/src/tests/migration/scenario_c_test.go
+++ b/src/tests/migration/scenario_c_test.go
@@ -0,0 +1,211 @@
+// Scenario C: Full expansion — both LLDAP → full LDAP directory migration AND
+// KeyCape → Keycloak IAM migration. These tests verify the two migration
+// dimensions are independent (orthogonal) and that user data is semantically
+// equivalent after both migrations.
+package migration_test
+
+import (
+	"strings"
+	"testing"
+
+	"keycape/internal/migration/toldap"
+	"keycape/internal/migration/tokeycloak"
+	"keycape/internal/server/telemetry"
+)
+
+func newGenerator(target toldap.Target) *toldap.Generator {
+	return toldap.New(toldap.Config{
+		BaseDN: "dc=netkingdom,dc=local",
+		Target: target,
+	}, telemetry.NoopEmitter{})
+}
+
+// TestScenarioCLDIFRoundTrip verifies the LDIF generator produces valid content
+// for the canonical fixture.
+func TestScenarioCLDIFRoundTrip(t *testing.T) {
+	export := canonicalFixture()
+	gen := newGenerator(toldap.TargetOpenLDAP)
+
+	ldif, err := gen.Generate(export)
+	if err != nil {
+		t.Fatalf("Generate: %v", err)
+	}
+	if ldif == "" {
+		t.Fatal("expected non-empty LDIF output")
+	}
+
+	// Verify all users appear in LDIF
+	for _, u := range export.Users {
+		if !strings.Contains(ldif, "uid: "+u.Username) {
+			t.Errorf("LDIF missing user attribute uid: %s", u.Username)
+		}
+	}
+
+	// Verify all groups appear in LDIF
+	for _, g := range export.Groups {
+		if !strings.Contains(ldif, "cn: "+g.Name) {
+			t.Errorf("LDIF missing group cn: %s", g.Name)
+		}
+	}
+}
+
+// TestScenarioCTargetDifferences verifies OpenLDAP vs 389DS vs AD produce different LDIF.
+func TestScenarioCTargetDifferences(t *testing.T) {
+	export := canonicalFixture()
+
+	ldifOpenLDAP, err := newGenerator(toldap.TargetOpenLDAP).Generate(export)
+	if err != nil {
+		t.Fatalf("OpenLDAP Generate: %v", err)
+	}
+
+	ldif389DS, err := newGenerator(toldap.Target389DS).Generate(export)
+	if err != nil {
+		t.Fatalf("389DS Generate: %v", err)
+	}
+
+	ldifAD, err := newGenerator(toldap.TargetAD).Generate(export)
+	if err != nil {
+		t.Fatalf("AD Generate: %v", err)
+	}
+
+	// AD must use sAMAccountName
+	if !strings.Contains(ldifAD, "sAMAccountName:") {
+		t.Error("AD LDIF missing sAMAccountName attribute")
+	}
+	// OpenLDAP must NOT have sAMAccountName
+	if strings.Contains(ldifOpenLDAP, "sAMAccountName:") {
+		t.Error("OpenLDAP LDIF should not have sAMAccountName")
+	}
+	// 389DS must have nsUniqueId or standard entries
+	_ = ldif389DS // 389DS is valid even without nsUniqueId when LDAPAttributes is empty
+
+	// All three must contain the same users
+	for _, u := range export.Users {
+		if !strings.Contains(ldifOpenLDAP, u.Username) {
+			t.Errorf("OpenLDAP LDIF missing user %s", u.Username)
+		}
+		if !strings.Contains(ldif389DS, u.Username) {
+			t.Errorf("389DS LDIF missing user %s", u.Username)
+		}
+		if !strings.Contains(ldifAD, u.Username) {
+			t.Errorf("AD LDIF missing user %s", u.Username)
+		}
+	}
+}
+
+// TestScenarioCMFANotMigrated verifies privacyIDEA MFA enrollment is NOT part of
+// either migration dimension. MFA stays stable across lightweight → expanded.
+func TestScenarioCMFANotMigrated(t *testing.T) {
+	export := canonicalFixture()
+	// Add MFA enrollment to a user
+	mfaUser := export.Users[0]
+	mfaUser.MFAEnrollment = nil // MFAEnrollment is NOT in the canonical export for migration
+
+	// LDIF generation must not include any OTP/MFA attributes
+	gen := newGenerator(toldap.TargetOpenLDAP)
+	ldif, err := gen.Generate(export)
+	if err != nil {
+		t.Fatalf("Generate: %v", err)
+	}
+
+	// LDIF must not contain privacyIDEA-specific attributes
+	if strings.Contains(ldif, "otpKey:") || strings.Contains(ldif, "privacyidea") {
+		t.Error("LDIF should not contain MFA/OTP attributes — privacyIDEA is orthogonal to directory migration")
+	}
+
+	// Keycloak realm must not include MFA credentials
+	transformer := tokeycloak.New(tokeycloak.Config{
+		RealmName: "netkingdom",
+		Issuer:    "https://auth.netkingdom.local",
+	}, telemetry.NoopEmitter{})
+	realm, err := transformer.Transform(export)
+	if err != nil {
+		t.Fatalf("Transform: %v", err)
+	}
+
+	for _, u := range realm.Users {
+		for _, cred := range u.Credentials {
+			if cred.Type == "otp" || cred.Type == "totp" {
+				t.Errorf("user %q has OTP credential in Keycloak import — MFA migration should not happen here", u.Username)
+			}
+		}
+	}
+}
+
+// TestScenarioCStructuralEntries verifies ou=users and ou=groups are always generated.
+func TestScenarioCStructuralEntries(t *testing.T) {
+	export := canonicalFixture()
+	gen := newGenerator(toldap.TargetOpenLDAP)
+	ldif, err := gen.Generate(export)
+	if err != nil {
+		t.Fatalf("Generate: %v", err)
+	}
+
+	if !strings.Contains(ldif, "ou=users,dc=netkingdom,dc=local") {
+		t.Error("LDIF missing ou=users structural entry")
+	}
+	if !strings.Contains(ldif, "ou=groups,dc=netkingdom,dc=local") {
+		t.Error("LDIF missing ou=groups structural entry")
+	}
+}
+
+// TestScenarioCUserPreservation verifies all user fields survive directory migration.
+func TestScenarioCUserPreservation(t *testing.T) {
+	export := canonicalFixture()
+	gen := newGenerator(toldap.TargetOpenLDAP)
+	ldif, err := gen.Generate(export)
+	if err != nil {
+		t.Fatalf("Generate: %v", err)
+	}
+
+	for _, u := range export.Users {
+		if !strings.Contains(ldif, "uid: "+u.Username) {
+			t.Errorf("LDIF missing uid: %s", u.Username)
+		}
+		if u.Email != "" && !strings.Contains(ldif, "mail: "+u.Email) {
+			t.Errorf("LDIF missing mail: %s for user %s", u.Email, u.Username)
+		}
+	}
+}
+
+// TestScenarioCGroupMembersPreserved verifies group member DNs are in the LDIF.
+func TestScenarioCGroupMembersPreserved(t *testing.T) {
+	export := canonicalFixture()
+	gen := newGenerator(toldap.TargetOpenLDAP)
+	ldif, err := gen.Generate(export)
+	if err != nil {
+		t.Fatalf("Generate: %v", err)
+	}
+
+	// admins group has alice as member
+	if !strings.Contains(ldif, "cn: admins") {
+		t.Error("LDIF missing admins group")
+	}
+	// member entries should be present
+	if !strings.Contains(ldif, "member:") {
+		t.Error("LDIF missing member: entries for groups")
+	}
+}
+
+// TestScenarioCOrthogonality verifies Scenario C = Scenario A (LDIF migration) + Scenario B (Keycloak migration)
+// are independent: each can be performed without the other.
+func TestScenarioCOrthogonality(t *testing.T) {
+	export := canonicalFixture()
+
+	// Can generate LDIF without Keycloak realm
+	gen := newGenerator(toldap.TargetOpenLDAP)
+	_, err := gen.Generate(export)
+	if err != nil {
+		t.Errorf("LDIF generation (without Keycloak) failed: %v", err)
+	}
+
+	// Can generate Keycloak realm without LDIF
+	transformer := tokeycloak.New(tokeycloak.Config{
+		RealmName: "netkingdom",
+		Issuer:    "https://auth.netkingdom.local",
+	}, telemetry.NoopEmitter{})
+	_, err = transformer.Transform(export)
+	if err != nil {
+		t.Errorf("Keycloak transform (without LDIF) failed: %v", err)
+	}
+}