feat: add integration tests for role management functionality

- Introduced a new integration test for verifying the granting and revoking of the `system:network_writer` role.
- Enhanced the ServerFixture to manage private keys for the manager and database owner.
- Updated utility functions to improve transaction handling and assertions.
- Refactored existing test code for better type safety and clarity.

Author: outerlook

tests/integration/role_management_test.go

@@ -0,0 +1,128 @@
+package integration
+
+import (
+	"context"
+	"testing"
+
+	"github.com/kwilteam/kwil-db/core/crypto"
+	"github.com/kwilteam/kwil-db/core/crypto/auth"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/trufnetwork/sdk-go/core/tnclient"
+	apitypes "github.com/trufnetwork/sdk-go/core/types"
+	"github.com/trufnetwork/sdk-go/core/util"
+)
+
+// TestRoleManagement verifies granting and revoking the `system:network_writer` role.
+func TestRoleManagement(t *testing.T) {
+	fixture := NewServerFixture(t)
+	err := fixture.Setup()
+	t.Cleanup(func() {
+		fixture.Teardown()
+	})
+	require.NoError(t, err, "Failed to setup server fixture")
+
+	ctx := context.Background()
+
+	// ---------------------------------------------------------------------
+	// Bootstrap: manager client (already member of system:network_writers_manager)
+	// ---------------------------------------------------------------------
+	managerClient, err := tnclient.NewClient(ctx, TestKwilProvider, tnclient.WithSigner(&auth.EthPersonalSigner{Key: *fixture.ManagerPrivateKey}))
+	require.NoError(t, err, "failed to create manager client")
+
+	managerAddr := managerClient.Address()
+
+	// ---------------------------------------------------------------------
+	// newWriter client – will be granted / revoked
+	// ---------------------------------------------------------------------
+	newWriterPk, err := crypto.Secp256k1PrivateKeyFromHex("2222222222222222222222222222222222222222222222222222222222222222")
+	require.NoError(t, err)
+	newWriterClient, err := tnclient.NewClient(ctx, TestKwilProvider, tnclient.WithSigner(&auth.EthPersonalSigner{Key: *newWriterPk}))
+	require.NoError(t, err)
+	newWriterAddr := newWriterClient.Address()
+
+	// randomUser client – never gets the role
+	randomPk, err := crypto.Secp256k1PrivateKeyFromHex("3333333333333333333333333333333333333333333333333333333333333333")
+	require.NoError(t, err)
+	randomClient, err := tnclient.NewClient(ctx, TestKwilProvider, tnclient.WithSigner(&auth.EthPersonalSigner{Key: *randomPk}))
+	require.NoError(t, err)
+	randomAddr := randomClient.Address()
+
+	// ---------------------------------------------------------------------
+	// Load Role Management API
+	// ---------------------------------------------------------------------
+	roleMgmt, err := managerClient.LoadRoleManagementActions()
+	require.NoError(t, err)
+
+	// Helper to check membership of a single wallet
+	isWriter := func(wallet util.EthereumAddress) bool {
+		res, err := roleMgmt.AreMembersOf(ctx, apitypes.AreMembersOfInput{
+			Owner:    "system",
+			RoleName: "network_writer",
+			Wallets:  []util.EthereumAddress{wallet},
+		})
+		require.NoError(t, err)
+		require.Len(t, res, 1)
+		return res[0].IsMember
+	}
+
+	// Initial assertions – none of the three wallets are writers.
+	assert.False(t, isWriter(managerAddr))
+	assert.False(t, isWriter(newWriterAddr))
+	assert.False(t, isWriter(randomAddr))
+
+	//---------------------------------------------------------------------
+	// Grant role to newWriter
+	//---------------------------------------------------------------------
+	grantTx, err := roleMgmt.GrantRole(ctx, apitypes.GrantRoleInput{
+		Owner:    "system",
+		RoleName: "network_writer",
+		Wallets:  []util.EthereumAddress{newWriterAddr},
+	})
+	require.NoError(t, err)
+	waitTxToBeMinedWithSuccess(t, ctx, managerClient, grantTx)
+
+	assert.True(t, isWriter(newWriterAddr))
+
+	//---------------------------------------------------------------------
+	// newWriter deploys a primitive stream – should succeed
+	//---------------------------------------------------------------------
+	streamID := util.GenerateStreamId("role-management-go-test")
+	txHash, err := newWriterClient.DeployStream(ctx, streamID, apitypes.StreamTypePrimitive)
+	require.NoError(t, err, "new writer failed to deploy primitive stream")
+	waitTxToBeMinedWithSuccess(t, ctx, newWriterClient, txHash)
+
+	// Clean up the stream after test
+	t.Cleanup(func() {
+		destroyHash, err := newWriterClient.DestroyStream(ctx, streamID)
+		if err == nil {
+			waitTxToBeMinedWithSuccess(t, ctx, newWriterClient, destroyHash)
+		}
+	})
+
+	//---------------------------------------------------------------------
+	// Revoke role from newWriter
+	//---------------------------------------------------------------------
+	revokeTx, err := roleMgmt.RevokeRole(ctx, apitypes.RevokeRoleInput{
+		Owner:    "system",
+		RoleName: "network_writer",
+		Wallets:  []util.EthereumAddress{newWriterAddr},
+	})
+	require.NoError(t, err)
+	waitTxToBeMinedWithSuccess(t, ctx, managerClient, revokeTx)
+
+	assert.False(t, isWriter(newWriterAddr))
+
+	// Deployment should now fail on-chain for newWriter (submission succeeds, tx fails)
+	streamIDRevoked := util.GenerateStreamId("role-management-go-test-revoked")
+	txRevoked, err := newWriterClient.DeployStream(ctx, streamIDRevoked, apitypes.StreamTypePrimitive)
+	// client-side submission should succeed; failure occurs on-chain
+	require.NoError(t, err, "tx submission should succeed even though on-chain will fail")
+	waitTxToBeMinedWithFailure(t, ctx, newWriterClient, txRevoked)
+
+	// randomUser should also fail on-chain
+	randStream := util.GenerateStreamId("role-management-go-test-random")
+	txRand, err := randomClient.DeployStream(ctx, randStream, apitypes.StreamTypePrimitive)
+	require.NoError(t, err, "tx submission should succeed for random user (failure is on-chain)")
+	waitTxToBeMinedWithFailure(t, ctx, randomClient, txRand)
+}

tests/integration/server_fixture.go

@@ -11,30 +11,29 @@ import (
 	"testing"
 	"time"
 
-	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/joho/godotenv"
 	kwilcrypto "github.com/kwilteam/kwil-db/core/crypto"
 	"github.com/kwilteam/kwil-db/core/crypto/auth"
-	"github.com/trufnetwork/sdk-go/core/tnclient"
-	"github.com/trufnetwork/sdk-go/core/util"
 )
 
 // Constants for the test setup
 const (
-	networkName      = "truf-test-network"
-	TestKwilProvider = "http://localhost:8484"
-	TestPrivateKey   = "1111111111111111111111111111111111111111111111111111111111111111" // Test private key
-	DB_PRIVATE_KEY   = "0000000000000000000000000000000000000000000000000000000000000001"
-	DB_PUBLIC_KEY    = "0x7E5F4552091A69125d5DfCb7b8C2659029395Bdf"
+	networkName       = "truf-test-network"
+	TestKwilProvider  = "http://localhost:8484"
+	managerPrivateKey = "1111111111111111111111111111111111111111111111111111111111111111" // manager wallet for system roles
+	DB_PRIVATE_KEY    = "0000000000000000000000000000000000000000000000000000000000000001" // database owner wallet
+	DB_PUBLIC_KEY     = "0x7E5F4552091A69125d5DfCb7b8C2659029395Bdf"
 )
 
 // ServerFixture is a fixture for setting up and tearing down a Trufnetwork server for testing
 type ServerFixture struct {
-	t          *testing.T
-	docker     *docker
-	client     *tnclient.Client
-	ctx        context.Context
-	containers struct {
+	t                 *testing.T
+	docker            *docker
+	ctx               context.Context
+	Endpoint          string
+	ManagerPrivateKey *kwilcrypto.Secp256k1PrivateKey
+	DBOwnerPrivateKey *kwilcrypto.Secp256k1PrivateKey
+	containers        struct {
 		postgres containerSpec
 		tndb     containerSpec
 	}
@@ -61,11 +60,22 @@ type docker struct {
 func NewServerFixture(t *testing.T) *ServerFixture {
 	ctx := context.Background()
 	d := newDocker(t)
+	managerPk, err := kwilcrypto.Secp256k1PrivateKeyFromHex(managerPrivateKey)
+	if err != nil {
+		t.Fatalf("failed to parse manager private key: %v", err)
+	}
+	dbOwnerPk, err := kwilcrypto.Secp256k1PrivateKeyFromHex(DB_PRIVATE_KEY)
+	if err != nil {
+		t.Fatalf("failed to parse db owner private key: %v", err)
+	}
 
 	return &ServerFixture{
-		t:      t,
-		docker: d,
-		ctx:    ctx,
+		t:                 t,
+		docker:            d,
+		ctx:               ctx,
+		Endpoint:          TestKwilProvider,
+		ManagerPrivateKey: managerPk,
+		DBOwnerPrivateKey: dbOwnerPk,
 		containers: struct {
 			postgres containerSpec
 			tndb     containerSpec
@@ -188,7 +198,12 @@ func (s *ServerFixture) Setup() error {
 	} else {
 		providerArg := fmt.Sprintf("PROVIDER=%s", TestKwilProvider)
 		privateKeyArg := fmt.Sprintf("PRIVATE_KEY=%s", DB_PRIVATE_KEY)
-		migrateCmd := exec.CommandContext(s.ctx, "task", "action:migrate", providerArg, privateKeyArg)
+		// derive 0x-address from manager private key
+		mgrPk, _ := kwilcrypto.Secp256k1PrivateKeyFromHex(managerPrivateKey)
+		mgrSigner := &auth.EthPersonalSigner{Key: *mgrPk}
+		mgrAddr, _ := auth.EthSecp256k1Authenticator{}.Identifier(mgrSigner.CompactID())
+		adminWalletArg := fmt.Sprintf("ADMIN_WALLET=%s", mgrAddr)
+		migrateCmd := exec.CommandContext(s.ctx, "task", "action:migrate", providerArg, privateKeyArg, adminWalletArg)
 		migrateCmd.Dir = nodeRepoDir
 
 		s.t.Logf("Executing command in %s: %s", migrateCmd.Dir, strings.Join(migrateCmd.Args, " "))
@@ -199,84 +214,6 @@ func (s *ServerFixture) Setup() error {
 		}
 		s.t.Logf("Migration task successful. Output: %s", string(migrateOut))
 	}
-
-	// Create client
-	s.t.Log("Creating private key...")
-	pk, err := kwilcrypto.Secp256k1PrivateKeyFromHex(TestPrivateKey)
-	if err != nil {
-		return fmt.Errorf("failed to parse private key: %w", err)
-	}
-	s.t.Log("Successfully created private key")
-
-	s.t.Log("Creating TN client...")
-	s.t.Logf("Using provider: %s", TestKwilProvider)
-
-	// Get the Ethereum address from the public key
-	pubKeyBytes := pk.Public().Bytes()
-	// Remove the first byte which is the compression flag
-	pubKeyBytes = pubKeyBytes[1:]
-	addr, err := util.NewEthereumAddressFromBytes(crypto.Keccak256(pubKeyBytes)[12:])
-	if err != nil {
-		return fmt.Errorf("failed to get address from public key: %w", err)
-	}
-	s.t.Logf("Using signer with address: %s", addr.Address())
-
-	s.t.Log("Attempting to create client...")
-	var lastErr error
-	for i := 0; i < 60; i++ { // 60 seconds max wait
-		s.t.Logf("Attempt %d/60: Creating client with provider URL %s", i+1, TestKwilProvider)
-
-		// First check if the server is accepting connections
-		cmd := exec.Command("curl", "-s", "-w", "\n%{http_code}", "http://localhost:8484/api/v1/health")
-		out, err := cmd.CombinedOutput()
-		if err != nil {
-			lastErr = fmt.Errorf("health check command failed: %w", err)
-			s.t.Logf("Health check command failed: %v", err)
-			time.Sleep(time.Second)
-			continue
-		}
-
-		// Split output into response body and status code
-		parts := strings.Split(string(out), "\n")
-		if len(parts) != 2 {
-			lastErr = fmt.Errorf("unexpected health check output format: %s", string(out))
-			s.t.Logf("Health check output format error: %s", string(out))
-			time.Sleep(time.Second)
-			continue
-		}
-
-		statusCode := strings.TrimSpace(parts[1])
-		s.t.Logf("Health check response - Status: %s", statusCode)
-		if statusCode != "200" {
-			lastErr = fmt.Errorf("health check returned non-200 status: %s", statusCode)
-			s.t.Logf("Health check failed with status %s", statusCode)
-			time.Sleep(time.Second)
-			continue
-		}
-
-		s.t.Log("Health check passed, attempting to create client...")
-		// Try to create the client now that we know the server is accepting connections
-		s.client, err = tnclient.NewClient(
-			s.ctx,
-			TestKwilProvider,
-			tnclient.WithSigner(&auth.EthPersonalSigner{Key: *pk}),
-		)
-		if err != nil {
-			lastErr = fmt.Errorf("failed to create TN client: %w", err)
-			s.t.Logf("Client creation failed: %v", err)
-			time.Sleep(time.Second)
-			continue
-		}
-
-		// Successfully created client
-		s.t.Log("Client created successfully")
-		break
-	}
-
-	if s.client == nil {
-		return fmt.Errorf("failed to create client after 60 attempts. Last error: %w", lastErr)
-	}
-
 	return nil
 }
 
@@ -293,11 +230,6 @@ func (s *ServerFixture) Teardown() {
 	s.docker.cleanup()
 }
 
-// Client returns the client for interacting with the server
-func (s *ServerFixture) Client() *tnclient.Client {
-	return s.client
-}
-
 // newDocker creates a new docker helper
 func newDocker(t *testing.T) *docker {
 	return &docker{t: t}