f99010fae1
CI / lint (push) Failing after 1s
CI / frontend (push) Failing after 1s
CI / scripts (push) Failing after 1s
CI / Go Test (ubuntu-latest) (push) Failing after 0s
CI / frontend-node-25 (push) Failing after 1s
CI / docs (push) Failing after 0s
CI / coverage (push) Failing after 0s
CI / e2e (push) Failing after 0s
Docker / build-and-push (push) Failing after 1s
CI / integration (push) Failing after 4m43s
CI / Go Test (windows-latest) (push) Has been cancelled
CI / Desktop Unit Tests (Windows) (push) Has been cancelled
Desktop Artifacts / Desktop Build (Linux (arm64)) (push) Has been cancelled
Desktop Artifacts / Desktop Build (Linux) (push) Has been cancelled
Desktop Artifacts / Desktop Build (Windows) (push) Has been cancelled
Desktop Artifacts (macOS) / Desktop Build (macOS (aarch64)) (push) Has been cancelled
Desktop Artifacts (macOS) / Desktop Build (macOS (x86_64)) (push) Has been cancelled
69 lines
1.9 KiB
Go
69 lines
1.9 KiB
Go
package server
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"go.kenn.io/agentsview/internal/config"
|
|
)
|
|
|
|
func TestHumaScanSecretsReadOnly(t *testing.T) {
|
|
t.Parallel()
|
|
srv := &Server{cfg: config.Config{Host: "127.0.0.1"}} // nil engine
|
|
srv.mux = http.NewServeMux()
|
|
srv.routes()
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/secrets/scan", nil)
|
|
req.RemoteAddr = "127.0.0.1:1234"
|
|
w := httptest.NewRecorder()
|
|
srv.mux.ServeHTTP(w, req)
|
|
|
|
assert.Equal(t, http.StatusNotImplemented, w.Code, "body: %s", w.Body.String())
|
|
}
|
|
|
|
// TestHandleListSecretsRevealGate verifies the endpoint rejects reveal from a
|
|
// non-localhost or proxied request before consulting the backend (so a nil
|
|
// SessionService is fine), and validates numeric params.
|
|
func TestHandleListSecretsRevealGate(t *testing.T) {
|
|
t.Parallel()
|
|
cases := []struct {
|
|
name string
|
|
query string
|
|
remoteAddr string
|
|
xff string
|
|
wantStatus int
|
|
}{
|
|
{"reveal from remote", "reveal=true", "203.0.113.5:1234", "",
|
|
http.StatusForbidden},
|
|
// A reverse proxy reaches the loopback backend, so RemoteAddr is
|
|
// loopback; the forwarding header marks it proxied, so reveal must
|
|
// still be rejected.
|
|
{"reveal via proxied loopback", "reveal=true", "127.0.0.1:1234",
|
|
"203.0.113.5", http.StatusForbidden},
|
|
{"invalid limit", "limit=abc", "127.0.0.1:1234", "",
|
|
http.StatusBadRequest},
|
|
}
|
|
for _, tt := range cases {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
srv := &Server{
|
|
cfg: config.Config{Host: "127.0.0.1"},
|
|
mux: http.NewServeMux(),
|
|
}
|
|
srv.routes()
|
|
req := httptest.NewRequest(http.MethodGet,
|
|
"/api/v1/secrets?"+tt.query, nil)
|
|
req.RemoteAddr = tt.remoteAddr
|
|
if tt.xff != "" {
|
|
req.Header.Set("X-Forwarded-For", tt.xff)
|
|
}
|
|
w := httptest.NewRecorder()
|
|
srv.mux.ServeHTTP(w, req)
|
|
assert.Equal(t, tt.wantStatus, w.Code, "body: %s", w.Body.String())
|
|
})
|
|
}
|
|
}
|