f99010fae1
Desktop Artifacts / Desktop Build (Linux) (push) Waiting to run
Desktop Artifacts / Desktop Build (Windows) (push) Waiting to run
Desktop Artifacts / Desktop Build (Linux (arm64)) (push) Waiting to run
Desktop Artifacts (macOS) / Desktop Build (macOS (aarch64)) (push) Waiting to run
Desktop Artifacts (macOS) / Desktop Build (macOS (x86_64)) (push) Waiting to run
CI / lint (push) Failing after 1s
CI / frontend (push) Failing after 1s
CI / scripts (push) Failing after 1s
CI / Go Test (ubuntu-latest) (push) Failing after 0s
CI / frontend-node-25 (push) Failing after 1s
CI / docs (push) Failing after 0s
CI / coverage (push) Failing after 0s
CI / e2e (push) Failing after 0s
Docker / build-and-push (push) Failing after 1s
CI / integration (push) Failing after 4m43s
CI / Go Test (windows-latest) (push) Has been cancelled
CI / Desktop Unit Tests (Windows) (push) Has been cancelled
93 lines
2.5 KiB
Go
93 lines
2.5 KiB
Go
package server_test
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"go.kenn.io/agentsview/internal/config"
|
|
"go.kenn.io/agentsview/internal/server"
|
|
)
|
|
|
|
func TestPprofDisabledByDefault(t *testing.T) {
|
|
te := setup(t)
|
|
|
|
w := te.get(t, "/debug/pprof/cmdline")
|
|
|
|
// Without the option the path falls through to the SPA
|
|
// handler, which never serves the pprof text/plain payload.
|
|
assert.NotEqual(t, "text/plain; charset=utf-8",
|
|
w.Header().Get("Content-Type"),
|
|
"pprof must not be reachable unless enabled")
|
|
}
|
|
|
|
func TestPprofEnabledServesProfiles(t *testing.T) {
|
|
te := setupWithServerOpts(
|
|
t, []server.Option{server.WithPprof(true)},
|
|
)
|
|
|
|
w := te.get(t, "/debug/pprof/cmdline")
|
|
require.Equal(t, http.StatusOK, w.Code)
|
|
assert.Equal(t, "text/plain; charset=utf-8",
|
|
w.Header().Get("Content-Type"))
|
|
|
|
w = te.get(t, "/debug/pprof/heap?debug=1")
|
|
require.Equal(t, http.StatusOK, w.Code)
|
|
assert.Contains(t, w.Body.String(), "heap profile:",
|
|
"named profiles should be served via the pprof index")
|
|
}
|
|
|
|
func TestPprofRequiresBearerAuthWhenAuthEnabled(t *testing.T) {
|
|
te := setupWithServerOpts(t,
|
|
[]server.Option{server.WithPprof(true)},
|
|
func(cfg *config.Config) {
|
|
cfg.RequireAuth = true
|
|
cfg.AuthToken = "pprof-secret"
|
|
},
|
|
)
|
|
|
|
w := te.get(t, "/debug/pprof/cmdline")
|
|
assert.Equal(t, http.StatusUnauthorized, w.Code,
|
|
"pprof must be gated like /api/ when require_auth is on")
|
|
|
|
req := httptest.NewRequest(
|
|
http.MethodGet, "/debug/pprof/cmdline", nil,
|
|
)
|
|
req.Header.Set("Authorization", "Bearer pprof-secret")
|
|
rec := httptest.NewRecorder()
|
|
te.handler.ServeHTTP(rec, req)
|
|
require.Equal(t, http.StatusOK, rec.Code)
|
|
assert.Equal(t, "text/plain; charset=utf-8",
|
|
rec.Header().Get("Content-Type"),
|
|
"a valid bearer token must reach the pprof handler")
|
|
}
|
|
|
|
func TestPprofRejectsUnexpectedHost(t *testing.T) {
|
|
te := setupWithServerOpts(
|
|
t, []server.Option{server.WithPprof(true)},
|
|
)
|
|
|
|
req := httptest.NewRequest(
|
|
http.MethodGet, "/debug/pprof/cmdline", nil,
|
|
)
|
|
req.Host = "attacker.example.net"
|
|
rec := httptest.NewRecorder()
|
|
te.handler.ServeHTTP(rec, req)
|
|
assert.Equal(t, http.StatusForbidden, rec.Code,
|
|
"pprof must enforce the same Host allowlist as API routes")
|
|
}
|
|
|
|
func TestPprofPathStaysUngatedWhenDisabled(t *testing.T) {
|
|
te := setup(t, func(cfg *config.Config) {
|
|
cfg.RequireAuth = true
|
|
cfg.AuthToken = "pprof-secret"
|
|
})
|
|
|
|
w := te.get(t, "/debug/pprof/cmdline")
|
|
assert.Equal(t, http.StatusOK, w.Code,
|
|
"with pprof disabled the path is SPA fallback and must not be auth-gated")
|
|
}
|