feat: Add validation and error handling for notification templates and uptime handlers

- Implement tests for invalid JSON input in notification template creation, update, and preview endpoints. - Enhance uptime handler tests to cover sync success and error scenarios for delete and list operations. - Update routes to include backup service in certificate handler initialization. - Introduce certificate usage check before deletion in the certificate service, preventing deletion of certificates in use. - Update certificate service tests to validate new behavior regarding certificate deletion. - Add new tests for security service to verify break glass token generation and validation. - Enhance frontend certificate list component to prevent deletion of certificates in use and ensure proper backup creation. - Create unit tests for the CertificateList component to validate deletion logic and error handling.
2025-12-03 04:55:29 +00:00
parent a2c0b8fcf5
commit 336000ca5b
11 changed files with 805 additions and 392 deletions
--- a/frontend/src/components/CertificateList.tsx
+++ b/frontend/src/components/CertificateList.tsx
@@ -3,6 +3,8 @@ import { useMutation, useQueryClient } from '@tanstack/react-query'
 import { Trash2, ChevronUp, ChevronDown } from 'lucide-react'
 import { useCertificates } from '../hooks/useCertificates'
 import { deleteCertificate } from '../api/certificates'
+import { useProxyHosts } from '../hooks/useProxyHosts'
+import { createBackup } from '../api/backups'
 import { LoadingSpinner } from './LoadingStates'
 import { toast } from '../utils/toast'

@@ -11,14 +13,20 @@ type SortDirection = 'asc' | 'desc'

 export default function CertificateList() {
  const { certificates, isLoading, error } = useCertificates()
+  const { hosts } = useProxyHosts()
  const queryClient = useQueryClient()
  const [sortColumn, setSortColumn] = useState<SortColumn>('name')
  const [sortDirection, setSortDirection] = useState<SortDirection>('asc')

  const deleteMutation = useMutation({
-    mutationFn: deleteCertificate,
+    // Perform backup before actual deletion
+    mutationFn: async (id: number) => {
+      await createBackup()
+      await deleteCertificate(id)
+    },
    onSuccess: () => {
      queryClient.invalidateQueries({ queryKey: ['certificates'] })
+      queryClient.invalidateQueries({ queryKey: ['proxyHosts'] })
      toast.success('Certificate deleted')
    },
    onError: (error: Error) => {
@@ -125,11 +133,29 @@ export default function CertificateList() {
                    <StatusBadge status={cert.status} />
                  </td>
                  <td className="px-6 py-4">
-                    {cert.id && (cert.provider === 'custom' || cert.issuer?.includes('staging')) && (
+                    {cert.id && (cert.provider === 'custom' || cert.issuer?.toLowerCase().includes('staging')) && (
                      <button
                        onClick={() => {
+                          // Determine if certificate is in use by any proxy host
+                          const inUse = hosts.some(h => {
+                            const cid = h.certificate_id ?? h.certificate?.id
+                            return cid === cert.id
+                          })
+
+                          if (inUse) {
+                            toast.error('Certificate cannot be deleted because it is in use by a proxy host')
+                            return
+                          }
+
+                          // Only allow deletion for non-active statuses
+                          const isDeletableStatus = cert.status !== 'valid' && cert.status !== 'expiring'
+                          if (!isDeletableStatus) {
+                            toast.error('Only expired or deactivated certificates can be deleted')
+                            return
+                          }
+
                          const message = cert.provider === 'custom'
-                            ? 'Are you sure you want to delete this certificate?'
+                            ? 'Are you sure you want to delete this certificate? This will create a backup before deleting.'
                            : 'Delete this staging certificate? It will be regenerated on next request.'
                          if (confirm(message)) {
                            deleteMutation.mutate(cert.id!)
--- a/frontend/src/components/tests/CertificateList.test.tsx
+++ b/frontend/src/components/tests/CertificateList.test.tsx
@@ -0,0 +1,107 @@
+import { describe, it, expect, vi } from 'vitest'
+import { render, screen, waitFor } from '@testing-library/react'
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query'
+import CertificateList from '../CertificateList'
+
+vi.mock('../../hooks/useCertificates', () => ({
+  useCertificates: vi.fn(() => ({
+    certificates: [
+      { id: 1, name: 'CustomCert', domain: 'example.com', issuer: 'Custom CA', expires_at: new Date().toISOString(), status: 'expired', provider: 'custom' },
+      { id: 2, name: 'LE Staging', domain: 'staging.example.com', issuer: "Let's Encrypt Staging", expires_at: new Date().toISOString(), status: 'untrusted', provider: 'letsencrypt-staging' },
+      { id: 3, name: 'ActiveCert', domain: 'active.example.com', issuer: 'Custom CA', expires_at: new Date().toISOString(), status: 'valid', provider: 'custom' },
+    ],
+    isLoading: false,
+    error: null,
+  }))
+}))
+
+vi.mock('../../api/certificates', () => ({
+  deleteCertificate: vi.fn(async () => undefined),
+}))
+
+vi.mock('../../api/backups', () => ({
+  createBackup: vi.fn(async () => ({ filename: 'backup-cert' })),
+}))
+
+vi.mock('../../hooks/useProxyHosts', () => ({
+  useProxyHosts: vi.fn(() => ({
+    hosts: [
+      { uuid: 'h1', name: 'Host1', certificate_id: 3 },
+    ],
+    loading: false,
+    isFetching: false,
+    error: null,
+    createHost: vi.fn(),
+    updateHost: vi.fn(),
+    deleteHost: vi.fn(),
+    bulkUpdateACL: vi.fn(),
+    isBulkUpdating: false,
+  })),
+}))
+
+vi.mock('../../utils/toast', () => ({
+  toast: { success: vi.fn(), error: vi.fn(), loading: vi.fn(), dismiss: vi.fn() },
+}))
+
+function renderWithClient(ui: React.ReactNode) {
+  const qc = new QueryClient({ defaultOptions: { queries: { retry: false, gcTime: 0 }, mutations: { retry: false } } })
+  return render(<QueryClientProvider client={qc}>{ui}</QueryClientProvider>)
+}
+
+describe('CertificateList', () => {
+  it('deletes custom certificate when confirmed', async () => {
+    const confirmSpy = vi.spyOn(window, 'confirm').mockImplementation(() => true)
+    const { deleteCertificate } = await import('../../api/certificates')
+    const { createBackup } = await import('../../api/backups')
+    const { toast } = await import('../../utils/toast')
+
+    renderWithClient(<CertificateList />)
+    const rows = await screen.findAllByRole('row')
+    const customRow = rows.find(r => r.querySelector('td')?.textContent?.includes('CustomCert')) as HTMLElement
+    expect(customRow).toBeTruthy()
+    const customBtn = customRow.querySelector('button[title="Delete Certificate"]') as HTMLButtonElement
+    expect(customBtn).toBeTruthy()
+    await customBtn.click()
+
+    await waitFor(() => expect(createBackup).toHaveBeenCalled())
+    await waitFor(() => expect(deleteCertificate).toHaveBeenCalledWith(1))
+    await waitFor(() => expect(toast.success).toHaveBeenCalledWith('Certificate deleted'))
+    confirmSpy.mockRestore()
+  })
+
+  it('deletes staging certificate when confirmed', async () => {
+    const confirmSpy = vi.spyOn(window, 'confirm').mockImplementation(() => true)
+    const { deleteCertificate } = await import('../../api/certificates')
+
+    renderWithClient(<CertificateList />)
+    const stagingButtons = await screen.findAllByTitle('Delete Staging Certificate')
+    expect(stagingButtons.length).toBeGreaterThan(0)
+    await stagingButtons[0].click()
+
+    await waitFor(() => expect(deleteCertificate).toHaveBeenCalledWith(2))
+    confirmSpy.mockRestore()
+  })
+
+  it('blocks deletion when certificate is in use by a proxy host', async () => {
+    const { toast } = await import('../../utils/toast')
+    renderWithClient(<CertificateList />)
+    const deleteButtons = await screen.findAllByTitle('Delete Certificate')
+    // Find button corresponding to ActiveCert (id 3)
+    const activeButton = deleteButtons.find(btn => btn.closest('tr')?.querySelector('td')?.textContent?.includes('ActiveCert'))
+    expect(activeButton).toBeTruthy()
+    if (activeButton) await activeButton.click()
+    await waitFor(() => expect(toast.error).toHaveBeenCalledWith(expect.stringContaining('in use')))
+  })
+
+  it('blocks deletion when certificate status is active (valid/expiring)', async () => {
+    const { toast } = await import('../../utils/toast')
+    renderWithClient(<CertificateList />)
+    const deleteButtons = await screen.findAllByTitle('Delete Certificate')
+    // ActiveCert (valid) should block even if not linked – ensure hosts mock links it so previous test covers linkage.
+    // Here, simulate clicking a valid cert button if present
+    const validButton = deleteButtons.find(btn => btn.closest('tr')?.querySelector('td')?.textContent?.includes('ActiveCert'))
+    expect(validButton).toBeTruthy()
+    if (validButton) await validButton.click()
+    await waitFor(() => expect(toast.error).toHaveBeenCalled())
+  })
+})