d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
159 lines
5.2 KiB
TypeScript
159 lines
5.2 KiB
TypeScript
/**
|
|
* @vitest-environment node
|
|
*/
|
|
import { beforeEach, describe, expect, it, vi } from 'vitest'
|
|
|
|
const { mockValidateUrlWithDNS, mockSecureFetch } = vi.hoisted(() => ({
|
|
mockValidateUrlWithDNS: vi.fn(),
|
|
mockSecureFetch: vi.fn(),
|
|
}))
|
|
|
|
vi.mock('@/lib/core/security/input-validation.server', () => ({
|
|
validateUrlWithDNS: mockValidateUrlWithDNS,
|
|
secureFetchWithPinnedIP: mockSecureFetch,
|
|
}))
|
|
|
|
import { executeAgiloftRequest } from '@/tools/agiloft/utils.server'
|
|
|
|
const baseParams = {
|
|
instanceUrl: 'https://example.agiloft.com',
|
|
knowledgeBase: 'demo',
|
|
login: 'admin',
|
|
password: 'secret',
|
|
table: 'contracts',
|
|
}
|
|
|
|
function mockResponse(body: { ok?: boolean; status?: number; json?: unknown; text?: string }) {
|
|
return {
|
|
ok: body.ok ?? true,
|
|
status: body.status ?? 200,
|
|
statusText: '',
|
|
headers: { get: () => null, getSetCookie: () => [], toRecord: () => ({}) },
|
|
body: null,
|
|
text: async () => body.text ?? '',
|
|
json: async () => body.json ?? {},
|
|
arrayBuffer: async () => new ArrayBuffer(0),
|
|
}
|
|
}
|
|
|
|
beforeEach(() => {
|
|
mockValidateUrlWithDNS.mockReset()
|
|
mockSecureFetch.mockReset()
|
|
mockValidateUrlWithDNS.mockResolvedValue({ isValid: true, resolvedIP: '203.0.113.10' })
|
|
})
|
|
|
|
describe('executeAgiloftRequest', () => {
|
|
it('resolves DNS once, logs in, runs the operation with the bearer token, then logs out — all pinned', async () => {
|
|
mockSecureFetch
|
|
.mockResolvedValueOnce(mockResponse({ json: { access_token: 'tok-1' } }))
|
|
.mockResolvedValueOnce(mockResponse({ json: { id: 42, fields: { name: 'foo' } } }))
|
|
.mockResolvedValueOnce(mockResponse({}))
|
|
|
|
const result = await executeAgiloftRequest(
|
|
baseParams,
|
|
(base) => ({
|
|
url: `${base}/ewws/REST/demo/contracts/42`,
|
|
method: 'GET',
|
|
headers: { Accept: 'application/json' },
|
|
}),
|
|
async (response) => {
|
|
const data = (await response.json()) as { id: number; fields: Record<string, unknown> }
|
|
return {
|
|
success: response.ok,
|
|
output: { id: String(data.id), fields: data.fields },
|
|
}
|
|
}
|
|
)
|
|
|
|
expect(result).toEqual({ success: true, output: { id: '42', fields: { name: 'foo' } } })
|
|
|
|
expect(mockValidateUrlWithDNS).toHaveBeenCalledWith(
|
|
'https://example.agiloft.com',
|
|
'instanceUrl'
|
|
)
|
|
|
|
const calls = mockSecureFetch.mock.calls
|
|
expect(calls).toHaveLength(3)
|
|
expect(calls[0][0]).toBe(
|
|
'https://example.agiloft.com/ewws/EWLogin?$KB=demo&$login=admin&$password=secret'
|
|
)
|
|
expect(calls[1][0]).toBe('https://example.agiloft.com/ewws/REST/demo/contracts/42')
|
|
expect(calls[2][0]).toBe('https://example.agiloft.com/ewws/EWLogout?$KB=demo')
|
|
|
|
for (const call of calls) {
|
|
expect(call[1]).toBe('203.0.113.10')
|
|
}
|
|
expect(calls[1][2]).toMatchObject({
|
|
method: 'GET',
|
|
headers: { Accept: 'application/json', Authorization: 'Bearer tok-1' },
|
|
})
|
|
})
|
|
|
|
it('still logs out when the operation throws', async () => {
|
|
mockSecureFetch
|
|
.mockResolvedValueOnce(mockResponse({ json: { access_token: 'tok-2' } }))
|
|
.mockResolvedValueOnce(mockResponse({ ok: false, status: 500 }))
|
|
.mockResolvedValueOnce(mockResponse({}))
|
|
|
|
await expect(
|
|
executeAgiloftRequest(
|
|
baseParams,
|
|
(base) => ({ url: `${base}/ewws/REST/demo/contracts/42`, method: 'GET' }),
|
|
async (response) => {
|
|
if (!response.ok) throw new Error('operation failed')
|
|
return { success: true, output: {} }
|
|
}
|
|
)
|
|
).rejects.toThrow('operation failed')
|
|
|
|
expect(mockSecureFetch).toHaveBeenCalledTimes(3)
|
|
expect(mockSecureFetch.mock.calls[2][0]).toContain('/ewws/EWLogout')
|
|
})
|
|
|
|
it('swallows logout failures (best-effort)', async () => {
|
|
mockSecureFetch
|
|
.mockResolvedValueOnce(mockResponse({ json: { access_token: 'tok-3' } }))
|
|
.mockResolvedValueOnce(mockResponse({ json: { ok: true } }))
|
|
.mockRejectedValueOnce(new Error('logout network error'))
|
|
|
|
const result = await executeAgiloftRequest(
|
|
baseParams,
|
|
(base) => ({ url: `${base}/ewws/REST/demo/contracts/42`, method: 'GET' }),
|
|
async () => ({ success: true, output: {} })
|
|
)
|
|
|
|
expect(result.success).toBe(true)
|
|
})
|
|
|
|
it('throws when login does not return an access token', async () => {
|
|
mockSecureFetch.mockResolvedValueOnce(mockResponse({ json: {} }))
|
|
|
|
await expect(
|
|
executeAgiloftRequest(
|
|
baseParams,
|
|
(base) => ({ url: `${base}/ewws/REST/demo/contracts/42`, method: 'GET' }),
|
|
async () => ({ success: true, output: {} })
|
|
)
|
|
).rejects.toThrow('Agiloft login did not return an access token')
|
|
|
|
expect(mockSecureFetch).toHaveBeenCalledTimes(1)
|
|
})
|
|
|
|
it('rejects an instance URL that resolves to a blocked IP without issuing any request', async () => {
|
|
mockValidateUrlWithDNS.mockResolvedValue({
|
|
isValid: false,
|
|
error: 'instanceUrl resolves to a blocked IP address',
|
|
})
|
|
|
|
await expect(
|
|
executeAgiloftRequest(
|
|
{ ...baseParams, instanceUrl: 'https://internal.attacker.com' },
|
|
(base) => ({ url: `${base}/ewws/REST/demo/contracts/42`, method: 'GET' }),
|
|
async () => ({ success: true, output: {} })
|
|
)
|
|
).rejects.toThrow(/blocked IP address/)
|
|
|
|
expect(mockSecureFetch).not.toHaveBeenCalled()
|
|
})
|
|
})
|