Files
wehub-resource-sync f99010fae1
CI / lint (push) Failing after 1s
CI / frontend (push) Failing after 1s
CI / scripts (push) Failing after 1s
CI / Go Test (ubuntu-latest) (push) Failing after 0s
CI / frontend-node-25 (push) Failing after 1s
CI / docs (push) Failing after 0s
CI / coverage (push) Failing after 0s
CI / e2e (push) Failing after 0s
Docker / build-and-push (push) Failing after 1s
CI / integration (push) Failing after 4m43s
CI / Go Test (windows-latest) (push) Has been cancelled
CI / Desktop Unit Tests (Windows) (push) Has been cancelled
Desktop Artifacts / Desktop Build (Linux (arm64)) (push) Has been cancelled
Desktop Artifacts / Desktop Build (Linux) (push) Has been cancelled
Desktop Artifacts / Desktop Build (Windows) (push) Has been cancelled
Desktop Artifacts (macOS) / Desktop Build (macOS (aarch64)) (push) Has been cancelled
Desktop Artifacts (macOS) / Desktop Build (macOS (x86_64)) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:30:36 +08:00

69 lines
1.9 KiB
Go

package server
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/stretchr/testify/assert"
"go.kenn.io/agentsview/internal/config"
)
func TestHumaScanSecretsReadOnly(t *testing.T) {
t.Parallel()
srv := &Server{cfg: config.Config{Host: "127.0.0.1"}} // nil engine
srv.mux = http.NewServeMux()
srv.routes()
req := httptest.NewRequest(http.MethodPost, "/api/v1/secrets/scan", nil)
req.RemoteAddr = "127.0.0.1:1234"
w := httptest.NewRecorder()
srv.mux.ServeHTTP(w, req)
assert.Equal(t, http.StatusNotImplemented, w.Code, "body: %s", w.Body.String())
}
// TestHandleListSecretsRevealGate verifies the endpoint rejects reveal from a
// non-localhost or proxied request before consulting the backend (so a nil
// SessionService is fine), and validates numeric params.
func TestHandleListSecretsRevealGate(t *testing.T) {
t.Parallel()
cases := []struct {
name string
query string
remoteAddr string
xff string
wantStatus int
}{
{"reveal from remote", "reveal=true", "203.0.113.5:1234", "",
http.StatusForbidden},
// A reverse proxy reaches the loopback backend, so RemoteAddr is
// loopback; the forwarding header marks it proxied, so reveal must
// still be rejected.
{"reveal via proxied loopback", "reveal=true", "127.0.0.1:1234",
"203.0.113.5", http.StatusForbidden},
{"invalid limit", "limit=abc", "127.0.0.1:1234", "",
http.StatusBadRequest},
}
for _, tt := range cases {
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
srv := &Server{
cfg: config.Config{Host: "127.0.0.1"},
mux: http.NewServeMux(),
}
srv.routes()
req := httptest.NewRequest(http.MethodGet,
"/api/v1/secrets?"+tt.query, nil)
req.RemoteAddr = tt.remoteAddr
if tt.xff != "" {
req.Header.Set("X-Forwarded-For", tt.xff)
}
w := httptest.NewRecorder()
srv.mux.ServeHTTP(w, req)
assert.Equal(t, tt.wantStatus, w.Code, "body: %s", w.Body.String())
})
}
}