Separate HMAC key from read token

2026-02-11 15:17:46 +01:00 · 2026-02-11 15:17:46 +01:00 · 6e3242bbd8
commit 6e3242bbd8
parent aa3e8cddf9
6 changed files with 91 additions and 41 deletions
--- a/internal/integration/integration_test.go
+++ b/internal/integration/integration_test.go
@ -18,7 +18,10 @@ import (
 	"edp.buildth.ing/DevFW-CICD/forgejo-runner-resource-collector/internal/summary"
 )

-const testReadToken = "integration-test-token"
+const (
+	testReadToken = "integration-test-token"
+	testHMACKey   = "integration-hmac-key"
+)

 // setupTestReceiver creates a test receiver with SQLite storage, auth, and HTTP server
 func setupTestReceiver(t *testing.T) (*receiver.Store, *httptest.Server, func()) {
@ -29,7 +32,7 @@ func setupTestReceiver(t *testing.T) (*receiver.Store, *httptest.Server, func())
 		t.Fatalf("NewStore() error = %v", err)
 	}

-	handler := receiver.NewHandler(store, slog.New(slog.NewTextHandler(io.Discard, nil)), testReadToken)
+	handler := receiver.NewHandler(store, slog.New(slog.NewTextHandler(io.Discard, nil)), testReadToken, testHMACKey)
 	mux := http.NewServeMux()
 	handler.RegisterRoutes(mux)

@ -45,7 +48,7 @@ func setupTestReceiver(t *testing.T) (*receiver.Store, *httptest.Server, func())

 // generatePushToken generates a scoped push token for an execution context
 func generatePushToken(exec summary.ExecutionContext) string {
-	return receiver.GenerateScopedToken(testReadToken, exec.Organization, exec.Repository, exec.Workflow, exec.Job)
+	return receiver.GenerateScopedToken(testHMACKey, exec.Organization, exec.Repository, exec.Workflow, exec.Job)
 }

 func TestPushClientToReceiver(t *testing.T) {
@ -164,7 +167,7 @@ func TestPushClientIntegration(t *testing.T) {
 	t.Setenv("GITHUB_RUN_ID", "push-run-456")

 	// Generate scoped push token
-	pushToken := receiver.GenerateScopedToken(testReadToken, "push-client-org", "push-client-repo", "push-test.yml", "push-job")
+	pushToken := receiver.GenerateScopedToken(testHMACKey, "push-client-org", "push-client-repo", "push-test.yml", "push-job")

 	// Create push client with token - it reads execution context from env vars
 	pushClient := summary.NewPushClient(server.URL+"/api/v1/metrics", pushToken)
@ -274,8 +277,9 @@ func TestMultiplePushes(t *testing.T) {
 }

 func TestPushClientWithTokenIntegration(t *testing.T) {
-	readToken := "integration-secret"
-	store, server, cleanup := setupTestReceiverWithToken(t, readToken)
+	readToken := "integration-read-secret"
+	hmacKey := "integration-hmac-secret"
+	store, server, cleanup := setupTestReceiverWithToken(t, readToken, hmacKey)
 	defer cleanup()

 	// Generate a scoped token via the API
@ -340,8 +344,9 @@ func TestPushClientWithTokenIntegration(t *testing.T) {
 }

 func TestPushClientWithWrongTokenIntegration(t *testing.T) {
-	readToken := "integration-secret"
-	_, server, cleanup := setupTestReceiverWithToken(t, readToken)
+	readToken := "integration-read-secret"
+	hmacKey := "integration-hmac-secret"
+	_, server, cleanup := setupTestReceiverWithToken(t, readToken, hmacKey)
 	defer cleanup()

 	t.Setenv("GITHUB_REPOSITORY_OWNER", "token-org")
@ -358,7 +363,7 @@ func TestPushClientWithWrongTokenIntegration(t *testing.T) {
 	}
 }

-func setupTestReceiverWithToken(t *testing.T, token string) (*receiver.Store, *httptest.Server, func()) {
+func setupTestReceiverWithToken(t *testing.T, readToken, hmacKey string) (*receiver.Store, *httptest.Server, func()) {
 	t.Helper()
 	dbPath := filepath.Join(t.TempDir(), "test.db")
 	store, err := receiver.NewStore(dbPath)
@ -366,7 +371,7 @@ func setupTestReceiverWithToken(t *testing.T, token string) (*receiver.Store, *h
 		t.Fatalf("NewStore() error = %v", err)
 	}

-	handler := receiver.NewHandler(store, slog.New(slog.NewTextHandler(io.Discard, nil)), token)
+	handler := receiver.NewHandler(store, slog.New(slog.NewTextHandler(io.Discard, nil)), readToken, hmacKey)
 	mux := http.NewServeMux()
 	handler.RegisterRoutes(mux)