diff --git a/.docker/docker-entrypoint.sh b/.docker/docker-entrypoint.sh index e660a6ee..45836e1a 100755 --- a/.docker/docker-entrypoint.sh +++ b/.docker/docker-entrypoint.sh @@ -303,6 +303,19 @@ ACQUIS_EOF # Also handle case where it might be without trailing slash sed -i 's|log_dir: /var/log$|log_dir: /var/log/crowdsec|g' "$CS_CONFIG_DIR/config.yaml" + # Redirect CrowdSec LAPI database to persistent volume + # Default path /var/lib/crowdsec/data/crowdsec.db is ephemeral (not volume-mounted), + # so it is destroyed on every container rebuild. The bouncer API key (stored on the + # persistent volume at /app/data/crowdsec/) survives rebuilds but the LAPI database + # that validates it does not — causing perpetual key rejection. + # Redirecting db_path to the volume-mounted CS_DATA_DIR fixes this. + sed -i "s|db_path: /var/lib/crowdsec/data/crowdsec.db|db_path: ${CS_DATA_DIR}/crowdsec.db|g" "$CS_CONFIG_DIR/config.yaml" + if grep -q "db_path:.*${CS_DATA_DIR}" "$CS_CONFIG_DIR/config.yaml"; then + echo "✓ CrowdSec LAPI database redirected to persistent volume: ${CS_DATA_DIR}/crowdsec.db" + else + echo "⚠️ WARNING: Could not verify LAPI db_path redirect — bouncer keys may not survive rebuilds" + fi + # Verify LAPI configuration was applied correctly if grep -q "listen_uri:.*:8085" "$CS_CONFIG_DIR/config.yaml"; then echo "✓ CrowdSec LAPI configured for port 8085" diff --git a/.github/renovate.json b/.github/renovate.json index 6a4451cf..d2e3b753 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -324,6 +324,12 @@ "matchDatasources": ["go"], "matchPackageNames": ["github.com/oschwald/geoip2-golang/v2"], "sourceUrl": "https://github.com/oschwald/geoip2-golang" + }, + { + "description": "Fix Renovate lookup for google/uuid", + "matchDatasources": ["go"], + "matchPackageNames": ["github.com/google/uuid"], + "sourceUrl": "https://github.com/google/uuid" } ] } diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index aaa131c0..aca4b0ca 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -52,7 +52,7 @@ jobs: # This avoids gh-pages branch errors and permission issues on fork PRs if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'main' # Security: Pinned to full SHA for supply chain security - uses: benchmark-action/github-action-benchmark@4e0b38bc48375986542b13c0d8976b7b80c60c00 # v1 + uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0 with: name: Go Benchmark tool: 'go' diff --git a/.github/workflows/codecov-upload.yml b/.github/workflows/codecov-upload.yml index b7153222..1f3034e0 100644 --- a/.github/workflows/codecov-upload.yml +++ b/.github/workflows/codecov-upload.yml @@ -166,7 +166,7 @@ jobs: ref: ${{ github.sha }} - name: Set up Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' diff --git a/.github/workflows/docs-to-issues.yml b/.github/workflows/docs-to-issues.yml index 04d63683..7eabf41b 100644 --- a/.github/workflows/docs-to-issues.yml +++ b/.github/workflows/docs-to-issues.yml @@ -44,7 +44,7 @@ jobs: ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 15a35f24..93bae635 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -38,7 +38,7 @@ jobs: # Step 2: Set up Node.js (for building any JS-based doc tools) - name: 🔧 Set up Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} diff --git a/.github/workflows/e2e-tests-split.yml b/.github/workflows/e2e-tests-split.yml index ed81d8c6..2330cba1 100644 --- a/.github/workflows/e2e-tests-split.yml +++ b/.github/workflows/e2e-tests-split.yml @@ -151,7 +151,7 @@ jobs: - name: Set up Node.js if: steps.resolve-image.outputs.image_source == 'build' - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' @@ -225,7 +225,7 @@ jobs: ref: ${{ github.sha }} - name: Set up Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' @@ -427,7 +427,7 @@ jobs: ref: ${{ github.sha }} - name: Set up Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' @@ -637,7 +637,7 @@ jobs: ref: ${{ github.sha }} - name: Set up Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' @@ -859,7 +859,7 @@ jobs: ref: ${{ github.sha }} - name: Set up Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' @@ -1096,7 +1096,7 @@ jobs: ref: ${{ github.sha }} - name: Set up Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' @@ -1341,7 +1341,7 @@ jobs: ref: ${{ github.sha }} - name: Set up Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' diff --git a/.github/workflows/propagate-changes.yml b/.github/workflows/propagate-changes.yml index 5b950e21..0986616e 100644 --- a/.github/workflows/propagate-changes.yml +++ b/.github/workflows/propagate-changes.yml @@ -28,7 +28,7 @@ jobs: (github.event.workflow_run.head_branch == 'main' || github.event.workflow_run.head_branch == 'development') steps: - name: Set up Node (for github-script) - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} @@ -37,6 +37,8 @@ jobs: env: CURRENT_BRANCH: ${{ github.event.workflow_run.head_branch || github.ref_name }} CURRENT_SHA: ${{ github.event.workflow_run.head_sha || github.sha }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} with: script: | const currentBranch = process.env.CURRENT_BRANCH || context.ref.replace('refs/heads/', ''); @@ -133,7 +135,9 @@ jobs: const sensitive = files.some(fn => configPaths.some(sp => fn.startsWith(sp) || fn.includes(sp))); if (sensitive) { - core.info(`${src} -> ${base} contains sensitive changes (${files.join(', ')}). Skipping automatic propagation.`); + const preview = files.slice(0, 25).join(', '); + const suffix = files.length > 25 ? ` …(+${files.length - 25} more)` : ''; + core.info(`${src} -> ${base} contains sensitive changes (${preview}${suffix}). Skipping automatic propagation.`); return; } } catch (error) { @@ -203,6 +207,3 @@ jobs: await createPR('development', targetBranch); } } - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 8033435f..a7b255d7 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -262,7 +262,7 @@ jobs: bash "scripts/repo_health_check.sh" - name: Set up Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' diff --git a/.github/workflows/release-goreleaser.yml b/.github/workflows/release-goreleaser.yml index 0507698c..62475112 100644 --- a/.github/workflows/release-goreleaser.yml +++ b/.github/workflows/release-goreleaser.yml @@ -52,7 +52,7 @@ jobs: cache-dependency-path: backend/go.sum - name: Set up Node.js - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: ${{ env.NODE_VERSION }} @@ -67,7 +67,7 @@ jobs: - name: Install Cross-Compilation Tools (Zig) # Security: Pinned to full SHA for supply chain security - uses: goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 # v2 + uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1 with: version: 0.13.0 @@ -75,7 +75,7 @@ jobs: - name: Run GoReleaser - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7 + uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7 with: distribution: goreleaser version: '~> v2.5' diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index e8b2e9d2..f91adf86 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -33,7 +33,7 @@ jobs: go-version: ${{ env.GO_VERSION }} - name: Run Renovate - uses: renovatebot/github-action@eb932558ad942cccfd8211cf535f17ff183a9f74 # v46.1.9 + uses: renovatebot/github-action@83ec54fee49ab67d9cd201084c1ff325b4b462e4 # v46.1.10 with: configurationFile: .github/renovate.json token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore index fadfc82a..a59cb9ac 100644 --- a/.gitignore +++ b/.gitignore @@ -316,6 +316,5 @@ docs/reports/codecove_patch_report.md vuln-results.json test_output.txt coverage_results.txt -new-results.json -.gitignore final-results.json +new-results.json diff --git a/.grype.yaml b/.grype.yaml index 042c1a79..8be966c9 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -203,45 +203,47 @@ ignore: # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS) # Severity: HIGH (CVSS 7.5) # Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli) - # Status: NO upstream fix available — OSV marks "Last affected: v1.1.1" with no Fixed event + # Status: UPSTREAM FIX EXISTS (v1.1.2 released 2026-03-20) — awaiting CrowdSec to update dependency + # NOTE: As of 2026-04-20, grype v0.111.0 with fresh DB no longer flags this finding in the image. + # This suppression is retained as a safety net in case future DB updates re-surface it. # # Vulnerability Details: # - The Delete function fails to validate offsets on malformed JSON input, producing a # negative slice index and a runtime panic — denial of service (CWE-125). # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H # - # Root Cause (Third-Party Binary + No Upstream Fix): + # Root Cause (Third-Party Binary — Fix Exists Upstream, Not Yet in CrowdSec): # - Charon does not use buger/jsonparser directly. It is compiled into CrowdSec binaries. - # - The buger/jsonparser repository has no released fix as of 2026-03-19 (GitHub issue #275 - # and golang/vulndb #4514 are both open). - # - Fix path: once buger/jsonparser releases a patched version and CrowdSec updates their - # dependency, rebuild the Docker image and remove this suppression. + # - buger/jsonparser released v1.1.2 on 2026-03-20 fixing issue #275. + # - CrowdSec has not yet released a version built with buger/jsonparser v1.1.2. + # - Fix path: once CrowdSec updates their dependency and rebuilds, rebuild the Docker image + # and remove this suppression. # - # Risk Assessment: ACCEPTED (Limited exploitability + no upstream fix) + # Risk Assessment: ACCEPTED (Limited exploitability; fix exists upstream but not yet in CrowdSec) # - The DoS vector requires passing malformed JSON to the vulnerable Delete function within # CrowdSec's internal processing pipeline; this is not a direct attack surface in Charon. # - CrowdSec's exposed surface is its HTTP API (not raw JSON stream parsing via this path). # # Mitigation (active while suppression is in effect): - # - Monitor buger/jsonparser: https://github.com/buger/jsonparser/issues/275 - # - Monitor CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases + # - Monitor CrowdSec releases for a build using buger/jsonparser >= v1.1.2. + # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases # - Weekly CI security rebuild flags the moment a fixed image ships. # # Review: - # - Reviewed 2026-03-19 (initial suppression): no upstream fix exists. Set 30-day review. - # - Extended 2026-04-04: no upstream fix available. buger/jsonparser issue #275 still open. - # - Next review: 2026-05-19. Remove suppression once buger/jsonparser ships a fix and - # CrowdSec updates their dependency. + # - Reviewed 2026-03-19 (initial suppression): no upstream fix. Set 30-day review. + # - Extended 2026-04-04: no upstream fix. buger/jsonparser issue #275 still open. + # - Updated 2026-04-20: buger/jsonparser v1.1.2 released 2026-03-20. CrowdSec not yet updated. + # Grype v0.111.0 with fresh DB (2026-04-20) no longer flags this finding. Suppression retained + # as a safety net. Next review: 2026-05-19 — remove if CrowdSec ships with v1.1.2+. # # Removal Criteria: - # - buger/jsonparser releases a patched version (v1.1.2 or higher) - # - CrowdSec releases a version built with the patched jsonparser + # - CrowdSec releases a version built with buger/jsonparser >= v1.1.2 # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved # - Remove this entry and the corresponding .trivyignore entry simultaneously # # References: # - GHSA-6g7g-w4f8-9c9x: https://github.com/advisories/GHSA-6g7g-w4f8-9c9x - # - Upstream issue: https://github.com/buger/jsonparser/issues/275 + # - Upstream fix: https://github.com/buger/jsonparser/releases/tag/v1.1.2 # - golang/vulndb: https://github.com/golang/vulndb/issues/4514 # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases - vulnerability: GHSA-6g7g-w4f8-9c9x @@ -251,21 +253,20 @@ ignore: type: go-module reason: | HIGH — DoS panic via malformed JSON in buger/jsonparser v1.1.1 embedded in CrowdSec binaries. - No upstream fix: buger/jsonparser has no released patch as of 2026-03-19 (issue #275 open). - Charon does not use this package directly; the vector requires reaching CrowdSec's internal - JSON processing pipeline. Risk accepted; no remediation path until upstream ships a fix. - Reviewed 2026-03-19: no patched release available. - expiry: "2026-05-19" # Extended 2026-04-04: no upstream fix. Next review 2026-05-19. + Upstream fix: buger/jsonparser v1.1.2 released 2026-03-20; CrowdSec has not yet updated their + dependency. Grype no longer flags this as of 2026-04-20 (fresh DB). Suppression retained as + safety net pending CrowdSec update. Charon does not use this package directly. + Updated 2026-04-20: fix v1.1.2 exists upstream; awaiting CrowdSec dependency update. + expiry: "2026-05-19" # Review 2026-05-19: remove if CrowdSec ships with buger/jsonparser >= v1.1.2. # Action items when this suppression expires: - # 1. Check buger/jsonparser releases: https://github.com/buger/jsonparser/releases - # and issue #275: https://github.com/buger/jsonparser/issues/275 - # 2. If a fix has shipped AND CrowdSec has updated their dependency: - # a. Rebuild Docker image and run local security-scan-docker-image - # b. Remove this suppression entry and the corresponding .trivyignore entry - # 3. If no fix yet: Extend expiry by 30 days and update the review comment above - # 4. If extended 3+ times with no progress: Consider opening an issue upstream or - # evaluating whether CrowdSec can replace buger/jsonparser with a safe alternative + # 1. Check if CrowdSec has released a version with buger/jsonparser >= v1.1.2: + # https://github.com/crowdsecurity/crowdsec/releases + # 2. If CrowdSec has updated: rebuild Docker image, run security-scan-docker-image, + # and remove this suppression entry and the corresponding .trivyignore entry + # 3. If grype still does not flag it with fresh DB: consider removing the suppression as + # it may no longer be necessary + # 4. If no CrowdSec update yet: Extend expiry by 30 days # GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS) # Severity: HIGH (CVSS 7.5) diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md index 55d2aa54..c28ffdf1 100644 --- a/ARCHITECTURE.md +++ b/ARCHITECTURE.md @@ -577,6 +577,7 @@ graph LR - Global threat intelligence (crowd-sourced IP reputation) - Automatic IP banning with configurable duration - Decision management API (view, create, delete bans) +- IP whitelist management: operators add/remove IPs and CIDRs via the management UI; entries are persisted in SQLite and regenerated into a `crowdsecurity/whitelists` parser YAML on every mutating operation and at startup **Modes:** diff --git a/Dockerfile b/Dockerfile index b63876fd..280aeb6a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,7 @@ ARG BUILD_DEBUG=0 ARG GO_VERSION=1.26.2 # renovate: datasource=docker depName=alpine versioning=docker -ARG ALPINE_IMAGE=alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 +ARG ALPINE_IMAGE=alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 # ---- Shared CrowdSec Version ---- # renovate: datasource=github-releases depName=crowdsecurity/crowdsec @@ -92,7 +92,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ # ---- Frontend Builder ---- # Build the frontend using the BUILDPLATFORM to avoid arm64 musl Rollup native issues # renovate: datasource=docker depName=node -FROM --platform=$BUILDPLATFORM node:24.14.1-alpine@sha256:8510330d3eb72c804231a834b1a8ebb55cb3796c3e4431297a24d246b8add4d5 AS frontend-builder +FROM --platform=$BUILDPLATFORM node:24.15.0-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f AS frontend-builder WORKDIR /app/frontend # Copy frontend package files @@ -386,13 +386,13 @@ RUN go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION} && \ go get github.com/jackc/pgx/v4@v4.18.3 && \ # GHSA-xmrv-pmrh-hhx2: AWS SDK v2 event stream injection # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream - go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@v1.7.8 && \ + go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@v1.7.9 && \ # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs - go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@v1.68.0 && \ + go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@v1.69.1 && \ # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/service/kinesis - go get github.com/aws/aws-sdk-go-v2/service/kinesis@v1.43.5 && \ + go get github.com/aws/aws-sdk-go-v2/service/kinesis@v1.43.6 && \ # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/service/s3 - go get github.com/aws/aws-sdk-go-v2/service/s3@v1.99.0 && \ + go get github.com/aws/aws-sdk-go-v2/service/s3@v1.99.1 && \ go mod tidy # Fix compatibility issues with expr-lang v1.17.7 diff --git a/backend/go.mod b/backend/go.mod index b2a8e167..6df52c13 100644 --- a/backend/go.mod +++ b/backend/go.mod @@ -39,7 +39,7 @@ require ( github.com/containerd/log v0.1.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/go-connections v0.6.0 // indirect + github.com/docker/go-connections v0.7.0 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect @@ -99,5 +99,5 @@ require ( modernc.org/libc v1.72.0 // indirect modernc.org/mathutil v1.7.1 // indirect modernc.org/memory v1.11.0 // indirect - modernc.org/sqlite v1.48.2 // indirect + modernc.org/sqlite v1.49.1 // indirect ) diff --git a/backend/go.sum b/backend/go.sum index 6f23218c..aa1c8e57 100644 --- a/backend/go.sum +++ b/backend/go.sum @@ -29,8 +29,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM= github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94= -github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE= +github.com/docker/go-connections v0.7.0 h1:6SsRfJddP22WMrCkj19x9WKjEDTB+ahsdiGYf0mN39c= +github.com/docker/go-connections v0.7.0/go.mod h1:no1qkHdjq7kLMGUXYAduOhYPSJxxvgWBh7ogVvptn3Q= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= @@ -263,8 +263,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8= modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns= modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w= modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE= -modernc.org/sqlite v1.48.2 h1:5CnW4uP8joZtA0LedVqLbZV5GD7F/0x91AXeSyjoh5c= -modernc.org/sqlite v1.48.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig= +modernc.org/sqlite v1.49.1 h1:dYGHTKcX1sJ+EQDnUzvz4TJ5GbuvhNJa8Fg6ElGx73U= +modernc.org/sqlite v1.49.1/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew= modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0= modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= diff --git a/backend/internal/api/handlers/crowdsec_handler.go b/backend/internal/api/handlers/crowdsec_handler.go index b6bbf66c..140f7393 100644 --- a/backend/internal/api/handlers/crowdsec_handler.go +++ b/backend/internal/api/handlers/crowdsec_handler.go @@ -63,6 +63,7 @@ type CrowdsecHandler struct { Hub *crowdsec.HubService Console *crowdsec.ConsoleEnrollmentService Security *services.SecurityService + WhitelistSvc *services.CrowdSecWhitelistService CaddyManager *caddy.Manager // For config reload after bouncer registration LAPIMaxWait time.Duration // For testing; 0 means 60s default LAPIPollInterval time.Duration // For testing; 0 means 500ms default @@ -383,7 +384,7 @@ func NewCrowdsecHandler(db *gorm.DB, executor CrowdsecExecutor, binPath, dataDir securitySvc = services.NewSecurityService(db) consoleSvc = crowdsec.NewConsoleEnrollmentService(db, &crowdsec.SecureCommandExecutor{}, dataDir, consoleSecret) } - return &CrowdsecHandler{ + h := &CrowdsecHandler{ DB: db, Executor: executor, CmdExec: &RealCommandExecutor{}, @@ -395,6 +396,10 @@ func NewCrowdsecHandler(db *gorm.DB, executor CrowdsecExecutor, binPath, dataDir dashCache: newDashboardCache(), validateLAPIURL: validateCrowdsecLAPIBaseURLDefault, } + if db != nil { + h.WhitelistSvc = services.NewCrowdSecWhitelistService(db, dataDir) + } + return h } // isCerberusEnabled returns true when Cerberus is enabled via DB or env flag. @@ -2700,6 +2705,75 @@ func fileExists(path string) bool { return err == nil } +// ListWhitelists returns all CrowdSec IP/CIDR whitelist entries. +func (h *CrowdsecHandler) ListWhitelists(c *gin.Context) { + entries, err := h.WhitelistSvc.List(c.Request.Context()) + if err != nil { + logger.Log().WithError(err).Error("failed to list whitelist entries") + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list whitelist entries"}) + return + } + c.JSON(http.StatusOK, gin.H{"whitelist": entries}) +} + +// AddWhitelist adds a new IP or CIDR to the CrowdSec whitelist. +func (h *CrowdsecHandler) AddWhitelist(c *gin.Context) { + var req struct { + IPOrCIDR string `json:"ip_or_cidr" binding:"required"` + Reason string `json:"reason"` + } + if err := c.ShouldBindJSON(&req); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": "ip_or_cidr is required"}) + return + } + + entry, err := h.WhitelistSvc.Add(c.Request.Context(), req.IPOrCIDR, req.Reason) + if err != nil { + switch { + case errors.Is(err, services.ErrInvalidIPOrCIDR): + c.JSON(http.StatusBadRequest, gin.H{"error": "invalid IP address or CIDR notation"}) + case errors.Is(err, services.ErrDuplicateEntry): + c.JSON(http.StatusConflict, gin.H{"error": "entry already exists in whitelist"}) + default: + logger.Log().WithError(err).Error("failed to add whitelist entry") + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to add whitelist entry"}) + } + return + } + + if _, execErr := h.CmdExec.Execute(c.Request.Context(), "cscli", "hub", "reload"); execErr != nil { + logger.Log().WithError(execErr).Warn("cscli hub reload failed after whitelist add (non-fatal)") + } + + c.JSON(http.StatusCreated, entry) +} + +// DeleteWhitelist removes a whitelist entry by UUID. +func (h *CrowdsecHandler) DeleteWhitelist(c *gin.Context) { + id := c.Param("uuid") + if id == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "uuid is required"}) + return + } + + if err := h.WhitelistSvc.Delete(c.Request.Context(), id); err != nil { + switch { + case errors.Is(err, services.ErrWhitelistNotFound): + c.JSON(http.StatusNotFound, gin.H{"error": "whitelist entry not found"}) + default: + logger.Log().WithError(err).Error("failed to delete whitelist entry") + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete whitelist entry"}) + } + return + } + + if _, execErr := h.CmdExec.Execute(c.Request.Context(), "cscli", "hub", "reload"); execErr != nil { + logger.Log().WithError(execErr).Warn("cscli hub reload failed after whitelist delete (non-fatal)") + } + + c.Status(http.StatusNoContent) +} + // RegisterRoutes registers crowdsec admin routes under protected group func (h *CrowdsecHandler) RegisterRoutes(rg *gin.RouterGroup) { rg.POST("/admin/crowdsec/start", h.Start) @@ -2742,4 +2816,8 @@ func (h *CrowdsecHandler) RegisterRoutes(rg *gin.RouterGroup) { rg.GET("/admin/crowdsec/dashboard/scenarios", h.DashboardScenarios) rg.GET("/admin/crowdsec/alerts", h.ListAlerts) rg.GET("/admin/crowdsec/decisions/export", h.ExportDecisions) + // Whitelist management endpoints (Issue #939) + rg.GET("/admin/crowdsec/whitelist", h.ListWhitelists) + rg.POST("/admin/crowdsec/whitelist", h.AddWhitelist) + rg.DELETE("/admin/crowdsec/whitelist/:uuid", h.DeleteWhitelist) } diff --git a/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go b/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go new file mode 100644 index 00000000..59760760 --- /dev/null +++ b/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go @@ -0,0 +1,284 @@ +package handlers + +import ( + "bytes" + "context" + "encoding/json" + "errors" + "net/http" + "net/http/httptest" + "testing" + + "github.com/Wikid82/charon/backend/internal/models" + "github.com/Wikid82/charon/backend/internal/services" + "github.com/gin-gonic/gin" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "gorm.io/gorm" +) + +type mockCmdExecWhitelist struct { + reloadCalled bool + reloadErr error +} + +func (m *mockCmdExecWhitelist) Execute(_ context.Context, _ string, _ ...string) ([]byte, error) { + m.reloadCalled = true + return nil, m.reloadErr +} + +func setupWhitelistHandler(t *testing.T) (*CrowdsecHandler, *gin.Engine, *gorm.DB) { + t.Helper() + db := OpenTestDB(t) + require.NoError(t, db.AutoMigrate(&models.CrowdSecWhitelist{})) + fe := &fakeExec{} + h := newTestCrowdsecHandler(t, db, fe, "/bin/false", "") + h.WhitelistSvc = services.NewCrowdSecWhitelistService(db, "") + + r := gin.New() + g := r.Group("/api/v1") + g.GET("/admin/crowdsec/whitelist", h.ListWhitelists) + g.POST("/admin/crowdsec/whitelist", h.AddWhitelist) + g.DELETE("/admin/crowdsec/whitelist/:uuid", h.DeleteWhitelist) + + return h, r, db +} + +func TestListWhitelists_Empty(t *testing.T) { + t.Parallel() + _, r, _ := setupWhitelistHandler(t) + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/whitelist", nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusOK, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + entries, ok := resp["whitelist"].([]interface{}) + assert.True(t, ok) + assert.Empty(t, entries) +} + +func TestAddWhitelist_ValidIP(t *testing.T) { + t.Parallel() + h, r, _ := setupWhitelistHandler(t) + mock := &mockCmdExecWhitelist{} + h.CmdExec = mock + + body := `{"ip_or_cidr":"1.2.3.4","reason":"test"}` + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusCreated, w.Code) + assert.True(t, mock.reloadCalled) + + var entry models.CrowdSecWhitelist + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &entry)) + assert.Equal(t, "1.2.3.4", entry.IPOrCIDR) + assert.NotEmpty(t, entry.UUID) +} + +func TestAddWhitelist_InvalidIP(t *testing.T) { + t.Parallel() + _, r, _ := setupWhitelistHandler(t) + + body := `{"ip_or_cidr":"not-valid","reason":""}` + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusBadRequest, w.Code) +} + +func TestAddWhitelist_Duplicate(t *testing.T) { + t.Parallel() + _, r, _ := setupWhitelistHandler(t) + + body := `{"ip_or_cidr":"9.9.9.9","reason":""}` + for i := 0; i < 2; i++ { + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + if i == 0 { + assert.Equal(t, http.StatusCreated, w.Code) + } else { + assert.Equal(t, http.StatusConflict, w.Code) + } + } +} + +func TestDeleteWhitelist_Existing(t *testing.T) { + t.Parallel() + h, r, db := setupWhitelistHandler(t) + mock := &mockCmdExecWhitelist{} + h.CmdExec = mock + + svc := services.NewCrowdSecWhitelistService(db, "") + entry, err := svc.Add(t.Context(), "7.7.7.7", "to delete") + require.NoError(t, err) + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/whitelist/"+entry.UUID, nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusNoContent, w.Code) + assert.True(t, mock.reloadCalled) +} + +func TestDeleteWhitelist_NotFound(t *testing.T) { + t.Parallel() + _, r, _ := setupWhitelistHandler(t) + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/whitelist/00000000-0000-0000-0000-000000000000", nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusNotFound, w.Code) +} + +func TestListWhitelists_AfterAdd(t *testing.T) { + t.Parallel() + _, r, db := setupWhitelistHandler(t) + svc := services.NewCrowdSecWhitelistService(db, "") + _, err := svc.Add(t.Context(), "8.8.8.8", "google dns") + require.NoError(t, err) + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/whitelist", nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusOK, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + entries := resp["whitelist"].([]interface{}) + assert.Len(t, entries, 1) +} + +func TestAddWhitelist_400_MissingField(t *testing.T) { + t.Parallel() + _, r, _ := setupWhitelistHandler(t) + + body := `{}` + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusBadRequest, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + assert.Equal(t, "ip_or_cidr is required", resp["error"]) +} + +func TestListWhitelists_DBError(t *testing.T) { + t.Parallel() + _, r, db := setupWhitelistHandler(t) + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/whitelist", nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusInternalServerError, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + assert.Equal(t, "failed to list whitelist entries", resp["error"]) +} + +func TestAddWhitelist_DBError(t *testing.T) { + t.Parallel() + _, r, db := setupWhitelistHandler(t) + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + body := `{"ip_or_cidr":"1.2.3.4","reason":"test"}` + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusInternalServerError, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + assert.Equal(t, "failed to add whitelist entry", resp["error"]) +} + +func TestAddWhitelist_ReloadFailure(t *testing.T) { + t.Parallel() + h, r, _ := setupWhitelistHandler(t) + mock := &mockCmdExecWhitelist{reloadErr: errors.New("cscli failed")} + h.CmdExec = mock + + body := `{"ip_or_cidr":"3.3.3.3","reason":"reload test"}` + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusCreated, w.Code) + assert.True(t, mock.reloadCalled) +} + +func TestDeleteWhitelist_DBError(t *testing.T) { + t.Parallel() + _, r, db := setupWhitelistHandler(t) + svc := services.NewCrowdSecWhitelistService(db, "") + entry, err := svc.Add(t.Context(), "4.4.4.4", "will close db") + require.NoError(t, err) + + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/whitelist/"+entry.UUID, nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusInternalServerError, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + assert.Equal(t, "failed to delete whitelist entry", resp["error"]) +} + +func TestDeleteWhitelist_ReloadFailure(t *testing.T) { + t.Parallel() + h, r, db := setupWhitelistHandler(t) + mock := &mockCmdExecWhitelist{reloadErr: errors.New("cscli failed")} + h.CmdExec = mock + + svc := services.NewCrowdSecWhitelistService(db, "") + entry, err := svc.Add(t.Context(), "5.5.5.5", "reload test") + require.NoError(t, err) + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/whitelist/"+entry.UUID, nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusNoContent, w.Code) + assert.True(t, mock.reloadCalled) +} + +func TestDeleteWhitelist_EmptyUUID(t *testing.T) { + t.Parallel() + h, _, _ := setupWhitelistHandler(t) + + w := httptest.NewRecorder() + c, _ := gin.CreateTestContext(w) + c.Request = httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/whitelist/", nil) + c.Params = gin.Params{{Key: "uuid", Value: ""}} + + h.DeleteWhitelist(c) + + assert.Equal(t, http.StatusBadRequest, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + assert.Equal(t, "uuid is required", resp["error"]) +} diff --git a/backend/internal/api/routes/routes.go b/backend/internal/api/routes/routes.go index 0a085c29..2d422f2b 100644 --- a/backend/internal/api/routes/routes.go +++ b/backend/internal/api/routes/routes.go @@ -122,6 +122,7 @@ func RegisterWithDeps(ctx context.Context, router *gin.Engine, db *gorm.DB, cfg &models.DNSProviderCredential{}, // Multi-credential support (Phase 3) &models.Plugin{}, // Phase 5: DNS provider plugins &models.ManualChallenge{}, // Phase 1: Manual DNS challenges + &models.CrowdSecWhitelist{}, // Issue #939: CrowdSec IP whitelist management ); err != nil { return fmt.Errorf("auto migrate: %w", err) } diff --git a/backend/internal/models/crowdsec_whitelist.go b/backend/internal/models/crowdsec_whitelist.go new file mode 100644 index 00000000..c371d7dc --- /dev/null +++ b/backend/internal/models/crowdsec_whitelist.go @@ -0,0 +1,13 @@ +package models + +import "time" + +// CrowdSecWhitelist represents a single IP or CIDR block that CrowdSec should never ban. +type CrowdSecWhitelist struct { + ID uint `json:"-" gorm:"primaryKey"` + UUID string `json:"uuid" gorm:"uniqueIndex;not null"` + IPOrCIDR string `json:"ip_or_cidr" gorm:"not null;uniqueIndex"` + Reason string `json:"reason" gorm:"not null;default:''"` + CreatedAt time.Time `json:"created_at"` + UpdatedAt time.Time `json:"updated_at"` +} diff --git a/backend/internal/services/crowdsec_startup.go b/backend/internal/services/crowdsec_startup.go index 2f00fe93..d05d85b8 100644 --- a/backend/internal/services/crowdsec_startup.go +++ b/backend/internal/services/crowdsec_startup.go @@ -197,6 +197,12 @@ func ReconcileCrowdSecOnStartup(db *gorm.DB, executor CrowdsecProcessManager, bi "data_dir": dataDir, }).Info("CrowdSec reconciliation: starting CrowdSec (mode=local, not currently running)") + // Regenerate whitelist YAML before starting so CrowdSec loads the current entries. + whitelistSvc := NewCrowdSecWhitelistService(db, dataDir) + if writeErr := whitelistSvc.WriteYAML(context.Background()); writeErr != nil { + logger.Log().WithError(writeErr).Warn("CrowdSec reconciliation: failed to write whitelist YAML on startup (non-fatal)") + } + startCtx, startCancel := context.WithTimeout(context.Background(), 30*time.Second) defer startCancel() diff --git a/backend/internal/services/crowdsec_whitelist_service.go b/backend/internal/services/crowdsec_whitelist_service.go new file mode 100644 index 00000000..d27b0bed --- /dev/null +++ b/backend/internal/services/crowdsec_whitelist_service.go @@ -0,0 +1,190 @@ +package services + +import ( + "context" + "errors" + "fmt" + "net" + "os" + "path/filepath" + "strings" + + "github.com/Wikid82/charon/backend/internal/logger" + "github.com/Wikid82/charon/backend/internal/models" + "github.com/google/uuid" + "gorm.io/gorm" +) + +// Sentinel errors for CrowdSecWhitelistService operations. +var ( + ErrWhitelistNotFound = errors.New("whitelist entry not found") + ErrInvalidIPOrCIDR = errors.New("invalid IP address or CIDR notation") + ErrDuplicateEntry = errors.New("entry already exists in whitelist") +) + +const whitelistYAMLHeader = `name: charon-whitelist +description: "Charon-managed IP/CIDR whitelist" +filter: "evt.Meta.service == 'http'" +whitelist: + reason: "Charon managed whitelist" +` + +// CrowdSecWhitelistService manages the CrowdSec IP/CIDR whitelist. +type CrowdSecWhitelistService struct { + db *gorm.DB + dataDir string +} + +// NewCrowdSecWhitelistService creates a new CrowdSecWhitelistService. +func NewCrowdSecWhitelistService(db *gorm.DB, dataDir string) *CrowdSecWhitelistService { + return &CrowdSecWhitelistService{db: db, dataDir: dataDir} +} + +// List returns all whitelist entries ordered by creation time. +func (s *CrowdSecWhitelistService) List(ctx context.Context) ([]models.CrowdSecWhitelist, error) { + var entries []models.CrowdSecWhitelist + if err := s.db.WithContext(ctx).Order("created_at ASC").Find(&entries).Error; err != nil { + return nil, fmt.Errorf("list whitelist entries: %w", err) + } + return entries, nil +} + +// Add validates and persists a new whitelist entry, then regenerates the YAML file. +// Returns ErrInvalidIPOrCIDR for malformed input and ErrDuplicateEntry for conflicts. +func (s *CrowdSecWhitelistService) Add(ctx context.Context, ipOrCIDR, reason string) (*models.CrowdSecWhitelist, error) { + normalized, err := normalizeIPOrCIDR(strings.TrimSpace(ipOrCIDR)) + if err != nil { + return nil, ErrInvalidIPOrCIDR + } + + entry := models.CrowdSecWhitelist{ + UUID: uuid.New().String(), + IPOrCIDR: normalized, + Reason: reason, + } + + if err := s.db.WithContext(ctx).Create(&entry).Error; err != nil { + if errors.Is(err, gorm.ErrDuplicatedKey) || strings.Contains(err.Error(), "UNIQUE constraint failed") { + return nil, ErrDuplicateEntry + } + return nil, fmt.Errorf("add whitelist entry: %w", err) + } + + if err := s.WriteYAML(ctx); err != nil { + logger.Log().WithError(err).Warn("failed to write CrowdSec whitelist YAML after add (non-fatal)") + } + + return &entry, nil +} + +// Delete removes a whitelist entry by UUID and regenerates the YAML file. +// Returns ErrWhitelistNotFound if the UUID does not exist. +func (s *CrowdSecWhitelistService) Delete(ctx context.Context, id string) error { + result := s.db.WithContext(ctx).Where("uuid = ?", id).Delete(&models.CrowdSecWhitelist{}) + if result.Error != nil { + return fmt.Errorf("delete whitelist entry: %w", result.Error) + } + if result.RowsAffected == 0 { + return ErrWhitelistNotFound + } + + if err := s.WriteYAML(ctx); err != nil { + logger.Log().WithError(err).Warn("failed to write CrowdSec whitelist YAML after delete (non-fatal)") + } + + return nil +} + +// WriteYAML renders and atomically writes the CrowdSec whitelist YAML file. +// It is a no-op when dataDir is empty (unit-test mode). +func (s *CrowdSecWhitelistService) WriteYAML(ctx context.Context) error { + if s.dataDir == "" { + return nil + } + + var entries []models.CrowdSecWhitelist + if err := s.db.WithContext(ctx).Order("created_at ASC").Find(&entries).Error; err != nil { + return fmt.Errorf("write whitelist yaml: query entries: %w", err) + } + + var ips, cidrs []string + for _, e := range entries { + if strings.Contains(e.IPOrCIDR, "/") { + cidrs = append(cidrs, e.IPOrCIDR) + } else { + ips = append(ips, e.IPOrCIDR) + } + } + + content := buildWhitelistYAML(ips, cidrs) + + dir := filepath.Join(s.dataDir, "config", "parsers", "s02-enrich") + if err := os.MkdirAll(dir, 0o750); err != nil { + return fmt.Errorf("write whitelist yaml: create dir: %w", err) + } + + target := filepath.Join(dir, "charon-whitelist.yaml") + tmp := target + ".tmp" + + if err := os.WriteFile(tmp, content, 0o640); err != nil { + return fmt.Errorf("write whitelist yaml: write temp: %w", err) + } + + if err := os.Rename(tmp, target); err != nil { + _ = os.Remove(tmp) + return fmt.Errorf("write whitelist yaml: rename: %w", err) + } + + return nil +} + +// normalizeIPOrCIDR validates and normalizes an IP address or CIDR block. +// For CIDRs, the network address is returned (e.g. "10.0.0.1/8" → "10.0.0.0/8"). +func normalizeIPOrCIDR(raw string) (string, error) { + if strings.Contains(raw, "/") { + ip, network, err := net.ParseCIDR(raw) + if err != nil { + return "", err + } + _ = ip + return network.String(), nil + } + ip := net.ParseIP(raw) + if ip == nil { + return "", fmt.Errorf("invalid IP: %q", raw) + } + + return ip.String(), nil +} + +// buildWhitelistYAML constructs the YAML content for the CrowdSec whitelist parser. +func buildWhitelistYAML(ips, cidrs []string) []byte { + var sb strings.Builder + sb.WriteString(whitelistYAMLHeader) + + sb.WriteString(" ip:") + if len(ips) == 0 { + sb.WriteString(" []\n") + } else { + sb.WriteString("\n") + for _, ip := range ips { + sb.WriteString(" - \"") + sb.WriteString(ip) + sb.WriteString("\"\n") + } + } + + sb.WriteString(" cidr:") + if len(cidrs) == 0 { + sb.WriteString(" []\n") + } else { + sb.WriteString("\n") + for _, cidr := range cidrs { + sb.WriteString(" - \"") + sb.WriteString(cidr) + sb.WriteString("\"\n") + } + } + + return []byte(sb.String()) +} diff --git a/backend/internal/services/crowdsec_whitelist_service_test.go b/backend/internal/services/crowdsec_whitelist_service_test.go new file mode 100644 index 00000000..4fbea4cf --- /dev/null +++ b/backend/internal/services/crowdsec_whitelist_service_test.go @@ -0,0 +1,309 @@ +package services_test + +import ( + "context" + "fmt" + "os" + "path/filepath" + "testing" + + "github.com/Wikid82/charon/backend/internal/models" + "github.com/Wikid82/charon/backend/internal/services" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "gorm.io/driver/sqlite" + "gorm.io/gorm" + gormlogger "gorm.io/gorm/logger" +) + +func openWhitelistTestDB(t *testing.T) *gorm.DB { + t.Helper() + db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{ + Logger: gormlogger.Default.LogMode(gormlogger.Silent), + }) + require.NoError(t, err) + require.NoError(t, db.AutoMigrate(&models.CrowdSecWhitelist{})) + t.Cleanup(func() { + sqlDB, err := db.DB() + if err == nil { + _ = sqlDB.Close() + } + }) + return db +} + +func TestCrowdSecWhitelistService_List_Empty(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + entries, err := svc.List(context.Background()) + require.NoError(t, err) + assert.Empty(t, entries) +} + +func TestCrowdSecWhitelistService_Add_ValidIP(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + entry, err := svc.Add(context.Background(), "1.2.3.4", "test reason") + require.NoError(t, err) + assert.NotEmpty(t, entry.UUID) + assert.Equal(t, "1.2.3.4", entry.IPOrCIDR) + assert.Equal(t, "test reason", entry.Reason) +} + +func TestCrowdSecWhitelistService_Add_ValidCIDR(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + entry, err := svc.Add(context.Background(), "192.168.1.0/24", "local net") + require.NoError(t, err) + assert.Equal(t, "192.168.1.0/24", entry.IPOrCIDR) +} + +func TestCrowdSecWhitelistService_Add_NormalizesCIDR(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + entry, err := svc.Add(context.Background(), "10.0.0.1/8", "normalize test") + require.NoError(t, err) + assert.Equal(t, "10.0.0.0/8", entry.IPOrCIDR) +} + +func TestCrowdSecWhitelistService_Add_InvalidIP(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + _, err := svc.Add(context.Background(), "not-an-ip", "") + assert.ErrorIs(t, err, services.ErrInvalidIPOrCIDR) +} + +func TestCrowdSecWhitelistService_Add_Duplicate(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + _, err := svc.Add(context.Background(), "5.5.5.5", "first") + require.NoError(t, err) + _, err = svc.Add(context.Background(), "5.5.5.5", "second") + assert.ErrorIs(t, err, services.ErrDuplicateEntry) +} + +func TestCrowdSecWhitelistService_Delete_Existing(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + entry, err := svc.Add(context.Background(), "6.6.6.6", "to delete") + require.NoError(t, err) + + err = svc.Delete(context.Background(), entry.UUID) + require.NoError(t, err) + + entries, err := svc.List(context.Background()) + require.NoError(t, err) + assert.Empty(t, entries) +} + +func TestCrowdSecWhitelistService_Delete_NotFound(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + err := svc.Delete(context.Background(), "00000000-0000-0000-0000-000000000000") + assert.ErrorIs(t, err, services.ErrWhitelistNotFound) +} + +func TestCrowdSecWhitelistService_WriteYAML_EmptyDataDir(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + err := svc.WriteYAML(context.Background()) + assert.NoError(t, err) +} + +func TestCrowdSecWhitelistService_WriteYAML_CreatesFile(t *testing.T) { + t.Parallel() + tmpDir := t.TempDir() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, tmpDir) + + _, err := svc.Add(context.Background(), "1.1.1.1", "dns") + require.NoError(t, err) + _, err = svc.Add(context.Background(), "10.0.0.0/8", "internal") + require.NoError(t, err) + + yamlPath := filepath.Join(tmpDir, "config", "parsers", "s02-enrich", "charon-whitelist.yaml") + content, err := os.ReadFile(yamlPath) + require.NoError(t, err) + + s := string(content) + assert.Contains(t, s, "name: charon-whitelist") + assert.Contains(t, s, `"1.1.1.1"`) + assert.Contains(t, s, `"10.0.0.0/8"`) +} + +func TestCrowdSecWhitelistService_WriteYAML_EmptyLists(t *testing.T) { + t.Parallel() + tmpDir := t.TempDir() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), tmpDir) + + err := svc.WriteYAML(context.Background()) + require.NoError(t, err) + + yamlPath := filepath.Join(tmpDir, "config", "parsers", "s02-enrich", "charon-whitelist.yaml") + content, err := os.ReadFile(yamlPath) + require.NoError(t, err) + + s := string(content) + assert.Contains(t, s, "ip: []") + assert.Contains(t, s, "cidr: []") +} + +func TestCrowdSecWhitelistService_List_AfterAdd(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + + for i := 0; i < 3; i++ { + _, err := svc.Add(context.Background(), fmt.Sprintf("10.0.0.%d", i+1), "") + require.NoError(t, err) + } + + entries, err := svc.List(context.Background()) + require.NoError(t, err) + assert.Len(t, entries, 3) +} + +func TestAdd_ValidIPv6_Success(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + entry, err := svc.Add(context.Background(), "2001:db8::1", "ipv6 test") + require.NoError(t, err) + assert.Equal(t, "2001:db8::1", entry.IPOrCIDR) + + entries, err := svc.List(context.Background()) + require.NoError(t, err) + assert.Len(t, entries, 1) + assert.Equal(t, "2001:db8::1", entries[0].IPOrCIDR) +} + +func TestCrowdSecWhitelistService_List_DBError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + _, err = svc.List(context.Background()) + assert.Error(t, err) +} + +func TestCrowdSecWhitelistService_Add_DBCreateError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + _, err = svc.Add(context.Background(), "1.2.3.4", "test") + assert.Error(t, err) + assert.NotErrorIs(t, err, services.ErrInvalidIPOrCIDR) + assert.NotErrorIs(t, err, services.ErrDuplicateEntry) +} + +func TestCrowdSecWhitelistService_Delete_DBError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + err = svc.Delete(context.Background(), "some-uuid") + assert.Error(t, err) + assert.NotErrorIs(t, err, services.ErrWhitelistNotFound) +} + +func TestCrowdSecWhitelistService_WriteYAML_DBError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + tmpDir := t.TempDir() + svc := services.NewCrowdSecWhitelistService(db, tmpDir) + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + err = svc.WriteYAML(context.Background()) + assert.Error(t, err) + assert.Contains(t, err.Error(), "query entries") +} + +func TestCrowdSecWhitelistService_WriteYAML_MkdirError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + // Use a path under /dev/null which cannot have subdirectories + svc := services.NewCrowdSecWhitelistService(db, "/dev/null/impossible") + + err := svc.WriteYAML(context.Background()) + assert.Error(t, err) + assert.Contains(t, err.Error(), "create dir") +} + +func TestCrowdSecWhitelistService_WriteYAML_WriteFileError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + tmpDir := t.TempDir() + svc := services.NewCrowdSecWhitelistService(db, tmpDir) + + // Create a directory where the .tmp file would be written, causing WriteFile to fail + dir := filepath.Join(tmpDir, "config", "parsers", "s02-enrich") + require.NoError(t, os.MkdirAll(dir, 0o750)) + tmpTarget := filepath.Join(dir, "charon-whitelist.yaml.tmp") + require.NoError(t, os.MkdirAll(tmpTarget, 0o750)) + + err := svc.WriteYAML(context.Background()) + assert.Error(t, err) + assert.Contains(t, err.Error(), "write temp") +} + +func TestCrowdSecWhitelistService_Add_WriteYAMLWarning(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + // dataDir that will cause MkdirAll to fail inside WriteYAML (non-fatal) + svc := services.NewCrowdSecWhitelistService(db, "/dev/null/impossible") + + entry, err := svc.Add(context.Background(), "2.2.2.2", "yaml warn test") + require.NoError(t, err) + assert.Equal(t, "2.2.2.2", entry.IPOrCIDR) +} + +func TestCrowdSecWhitelistService_Delete_WriteYAMLWarning(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + // First add with empty dataDir so it succeeds + svcAdd := services.NewCrowdSecWhitelistService(db, "") + entry, err := svcAdd.Add(context.Background(), "3.3.3.3", "to delete") + require.NoError(t, err) + + // Now create a service with a broken dataDir and delete + svcDel := services.NewCrowdSecWhitelistService(db, "/dev/null/impossible") + err = svcDel.Delete(context.Background(), entry.UUID) + require.NoError(t, err) +} + +func TestCrowdSecWhitelistService_WriteYAML_RenameError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + tmpDir := t.TempDir() + svc := services.NewCrowdSecWhitelistService(db, tmpDir) + + // Create target as a directory so rename (atomic replace) fails + dir := filepath.Join(tmpDir, "config", "parsers", "s02-enrich") + require.NoError(t, os.MkdirAll(dir, 0o750)) + target := filepath.Join(dir, "charon-whitelist.yaml") + require.NoError(t, os.MkdirAll(target, 0o750)) + + err := svc.WriteYAML(context.Background()) + assert.Error(t, err) + assert.Contains(t, err.Error(), "rename") +} + +func TestCrowdSecWhitelistService_Add_InvalidCIDR(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + _, err := svc.Add(context.Background(), "not-an-ip/24", "invalid cidr with slash") + assert.ErrorIs(t, err, services.ErrInvalidIPOrCIDR) +} diff --git a/configs/crowdsec/install_hub_items.sh b/configs/crowdsec/install_hub_items.sh index c2a2f214..84086c37 100644 --- a/configs/crowdsec/install_hub_items.sh +++ b/configs/crowdsec/install_hub_items.sh @@ -24,6 +24,7 @@ echo "Installing base parsers..." cscli parsers install crowdsecurity/http-logs --force || echo "⚠️ Failed to install crowdsecurity/http-logs" cscli parsers install crowdsecurity/syslog-logs --force || echo "⚠️ Failed to install crowdsecurity/syslog-logs" cscli parsers install crowdsecurity/geoip-enrich --force || echo "⚠️ Failed to install crowdsecurity/geoip-enrich" +cscli parsers install crowdsecurity/whitelists --force || echo "⚠️ Failed to install crowdsecurity/whitelists" # Install HTTP scenarios for attack detection echo "Installing HTTP scenarios..." diff --git a/docs/plans/archive/patch-coverage-improvement-plan-2026-05-02.md b/docs/plans/archive/patch-coverage-improvement-plan-2026-05-02.md new file mode 100644 index 00000000..f976b196 --- /dev/null +++ b/docs/plans/archive/patch-coverage-improvement-plan-2026-05-02.md @@ -0,0 +1,460 @@ +# Coverage Improvement Plan — Patch Coverage ≥ 90% + +**Date**: 2026-05-02 +**Status**: Draft — Awaiting Approval +**Priority**: High +**Archived Previous Plan**: Custom Certificate Upload & Management (Issue #22) → `docs/plans/archive/custom-cert-upload-management-spec-2026-05-02.md` + +--- + +## 1. Introduction + +This plan identifies exact uncovered branches across the six highest-gap backend source files and two frontend components, and specifies new test cases to close those gaps. The target is to raise overall patch coverage from **85.61% (206 missing lines)** to **≥ 90%**. + +**Constraints**: +- No source file modifications — test files only +- Go tests placed in `*_patch_coverage_test.go` (same package as source) +- Frontend tests extend existing `__tests__/*.test.tsx` files +- Use testify (Go) and Vitest + React Testing Library (frontend) + +--- + +## 2. Research Findings + +### 2.1 Coverage Gap Summary + +| Package | File | Missing Lines | Current Coverage | +|---|---|---|---| +| `handlers` | `certificate_handler.go` | ~54 | 70.28% | +| `services` | `certificate_service.go` | ~54 | 82.85% | +| `services` | `certificate_validator.go` | ~18 | 88.68% | +| `handlers` | `proxy_host_handler.go` | ~12 | 55.17% | +| `config` | `config.go` | ~8 | ~92% | +| `caddy` | `manager.go` | ~10 | ~88% | +| Frontend | `CertificateList.tsx` | moderate | — | +| Frontend | `CertificateUploadDialog.tsx` | moderate | — | + +### 2.2 Test Infrastructure (Confirmed) + +- **In-memory DB**: `gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{})` +- **Mock auth**: `mockAuthMiddleware()` from `coverage_helpers_test.go` +- **Mock backup service**: `&mockBackupService{createFunc: ..., availableSpaceFunc: ...}` +- **Manager test hooks**: package-level `generateConfigFunc`, `validateConfigFunc`, `writeFileFunc` vars with `defer` restore pattern +- **Frontend mocks**: `vi.mock('../../hooks/...', ...)` and `vi.mock('react-i18next', ...)` + +### 2.3 Existing Patch Test Files + +| File | Existing Tests | +|---|---| +| `certificate_handler_patch_coverage_test.go` | `TestDelete_UUID_WithBackup_Success`, `_NotFound`, `_InUse` | +| `certificate_service_patch_coverage_test.go` | `TestExportCertificate_DER`, `_PFX`, `_P12`, `_UnsupportedFormat` | +| `certificate_validator_extra_coverage_test.go` | ECDSA/Ed25519 key match, `ConvertDERToPEM` valid/invalid | +| `manager_patch_coverage_test.go` | DNS provider encryption key paths | +| `proxy_host_handler_test.go` | Full CRUD + BulkUpdateACL + BulkUpdateSecurityHeaders | +| `proxy_host_handler_update_test.go` | Update edge cases, `ParseForwardPortField`, `ParseNullableUintField` | + +--- + +## 3. Technical Specifications — Per-File Gap Analysis + +### 3.1 `certificate_handler.go` — Export Re-Auth Path (~18 lines) + +The `Export` handler re-authenticates the user when `include_key=true`. All six guard branches are uncovered. + +**Gap location**: Lines ~260–320 (password empty check, `user` context key extraction, `map[string]any` cast, `id` field lookup, DB user lookup, bcrypt check) + +**New tests** (append to `certificate_handler_patch_coverage_test.go`): + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestExport_IncludeKey_MissingPassword` | POST with `include_key=true`, no `password` field | 403 | +| `TestExport_IncludeKey_NoUserContext` | No `"user"` key in gin context | 403 | +| `TestExport_IncludeKey_InvalidClaimsType` | `"user"` set to a plain string | 403 | +| `TestExport_IncludeKey_UserIDNotInClaims` | `user = map[string]any{}` with no `"id"` key | 403 | +| `TestExport_IncludeKey_UserNotFoundInDB` | Valid claims, no matching user row | 403 | +| `TestExport_IncludeKey_WrongPassword` | User in DB, wrong plaintext password submitted | 403 | + +### 3.2 `certificate_handler.go` — Export Service Errors (~4 lines) + +**Gap location**: After `ExportCertificate` call — ErrCertNotFound and generic error branches + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestExport_CertNotFound` | Unknown UUID | 404 | +| `TestExport_ServiceError` | Service returns non-not-found error | 500 | + +### 3.3 `certificate_handler.go` — Delete Numeric-ID Error Paths (~12 lines) + +**Gap location**: `IsCertificateInUse` error, disk space check, backup error, `DeleteCertificateByID` returning `ErrCertInUse` or generic error + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestDelete_NumericID_UsageCheckError` | `IsCertificateInUse` returns error | 500 | +| `TestDelete_NumericID_LowDiskSpace` | `availableSpaceFunc` returns 0 | 507 | +| `TestDelete_NumericID_BackupError` | `createFunc` returns error | 500 | +| `TestDelete_NumericID_CertInUse_FromService` | `DeleteCertificateByID` → `ErrCertInUse` | 409 | +| `TestDelete_NumericID_DeleteError` | `DeleteCertificateByID` → generic error | 500 | + +### 3.4 `certificate_handler.go` — Delete UUID Additional Error Paths (~8 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestDelete_UUID_UsageCheckInternalError` | `IsCertificateInUseByUUID` returns non-ErrCertNotFound error | 500 | +| `TestDelete_UUID_LowDiskSpace` | `availableSpaceFunc` returns 0 | 507 | +| `TestDelete_UUID_BackupCreationError` | `createFunc` returns error | 500 | +| `TestDelete_UUID_CertInUse_FromService` | `DeleteCertificate` → `ErrCertInUse` | 409 | + +### 3.5 `certificate_handler.go` — Upload/Validate File Open Errors (~8 lines) + +**Gap location**: `file.Open()` calls on multipart key and chain form files returning errors + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestUpload_KeyFile_OpenError` | Valid cert file, malformed key multipart entry | 500 | +| `TestUpload_ChainFile_OpenError` | Valid cert+key, malformed chain multipart entry | 500 | +| `TestValidate_KeyFile_OpenError` | Valid cert, malformed key multipart entry | 500 | +| `TestValidate_ChainFile_OpenError` | Valid cert+key, malformed chain multipart entry | 500 | + +### 3.6 `certificate_handler.go` — `sendDeleteNotification` Rate-Limit (~2 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestSendDeleteNotification_RateLimit` | Call `sendDeleteNotification` twice within 10-second window | Second call is a no-op | + +--- + +### 3.7 `certificate_service.go` — `SyncFromDisk` Branches (~14 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestSyncFromDisk_StagingToProductionUpgrade` | DB has staging cert, disk has production cert for same domain | DB cert updated to production provider | +| `TestSyncFromDisk_ExpiryOnlyUpdate` | Disk cert content matches DB cert, only expiry changed | Only `expires_at` column updated | +| `TestSyncFromDisk_CertRootStatPermissionError` | `os.Chmod(certRoot, 0)` before sync; add skip guard `if os.Getuid() == 0 { t.Skip("chmod permission test cannot run as root") }` | No panic; logs error; function completes | + +### 3.8 `certificate_service.go` — `ListCertificates` Background Goroutine (~4 lines) + +**Gap location**: `initialized=true` && TTL expired path → spawns background goroutine + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestListCertificates_StaleCache_TriggersBackgroundSync` | `initialized=true`, `lastScan` = 10 min ago | Returns cached list without blocking; background sync completes | + +*Use `require.Eventually(t, func() bool { return svc.lastScan.After(before) }, 2*time.Second, 10*time.Millisecond, "background sync did not update lastScan")` after the call — avoids flaky fixed sleeps.* + +### 3.9 `certificate_service.go` — `GetDecryptedPrivateKey` Nil encSvc and Decrypt Failure (~4 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestGetDecryptedPrivateKey_NoEncSvc` | Service with `nil` encSvc, cert has non-empty `PrivateKeyEncrypted` | Returns error | +| `TestGetDecryptedPrivateKey_DecryptFails` | encSvc configured, corrupted ciphertext in DB | Returns wrapped error | + +### 3.10 `certificate_service.go` — `MigratePrivateKeys` Branches (~6 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestMigratePrivateKeys_NoEncSvc` | `encSvc == nil` | Returns nil; logs warning | +| `TestMigratePrivateKeys_WithRows` | DB has cert with `private_key` populated, valid encSvc | Row migrated: `private_key` cleared, `private_key_enc` set | + +### 3.11 `certificate_service.go` — `UpdateCertificate` Errors (~4 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestUpdateCertificate_NotFound` | Non-existent UUID | Returns `ErrCertNotFound` | +| `TestUpdateCertificate_DBSaveError` | Valid UUID, DB closed before Save | Returns wrapped error | + +### 3.12 `certificate_service.go` — `DeleteCertificate` ACME File Cleanup (~8 lines) + +**Gap location**: `cert.Provider == "letsencrypt"` branch → Walk certRoot and remove `.crt`/`.key`/`.json` files + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestDeleteCertificate_LetsEncryptProvider_FileCleanup` | Create temp `.crt` matching cert domain, delete cert | `.crt` removed from disk | +| `TestDeleteCertificate_StagingProvider_FileCleanup` | Provider = `"letsencrypt-staging"` | Same cleanup behavior triggered | + +### 3.13 `certificate_service.go` — `CheckExpiringCertificates` (~8 lines) + +**Implementation** (lines ~966–1020): queries `provider = 'custom'` certs expiring before `threshold`, iterates and sends notification for certs with `daysLeft <= warningDays`. + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestCheckExpiringCertificates_ExpiresInRange` | Custom cert `expires_at = now+5d`, warningDays=30 | Returns slice with 1 cert | +| `TestCheckExpiringCertificates_AlreadyExpired` | Custom cert `expires_at = yesterday` | Result contains cert with negative days | +| `TestCheckExpiringCertificates_DBError` | DB closed before query | Returns error | + +--- + +### 3.14 `certificate_validator.go` — `DetectFormat` Password-Protected PFX (~2 lines) + +**Gap location**: PFX where `pkcs12.DecodeAll("")` fails but first byte is `0x30` (ASN.1 SEQUENCE), DER parse also fails → returns `FormatPFX` + +**New file**: `certificate_validator_patch_coverage_test.go` + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestDetectFormat_PasswordProtectedPFX` | Generate PFX with non-empty password, call `DetectFormat` | Returns `FormatPFX` | + +### 3.15 `certificate_validator.go` — `parsePEMPrivateKey` Additional Block Types (~4 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestParsePEMPrivateKey_PKCS1RSA` | PEM block type `"RSA PRIVATE KEY"` (x509.MarshalPKCS1PrivateKey) | Returns RSA key | +| `TestParsePEMPrivateKey_EC` | PEM block type `"EC PRIVATE KEY"` (x509.MarshalECPrivateKey) | Returns ECDSA key | + +### 3.16 `certificate_validator.go` — `detectKeyType` P-384 and Unknown Curves (~4 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestDetectKeyType_ECDSAP384` | P-384 ECDSA key | Returns `"ECDSA-P384"` | +| `TestDetectKeyType_ECDSAUnknownCurve` | ECDSA key with custom/unknown curve (e.g. P-224) | Returns `"ECDSA"` | + +### 3.17 `certificate_validator.go` — `ConvertPEMToPFX` Empty Chain (~2 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestConvertPEMToPFX_EmptyChain` | Valid cert+key PEM, empty chain string | Returns PFX bytes without error | + +### 3.18 `certificate_validator.go` — `ConvertPEMToDER` Non-Certificate Block (~2 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestConvertPEMToDER_NonCertBlock` | PEM block type `"PRIVATE KEY"` | Returns nil data and error | + +### 3.19 `certificate_validator.go` — `formatSerial` Nil BigInt (~2 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestFormatSerial_Nil` | `formatSerial(nil)` | Returns `""` | + +--- + +### 3.20 `proxy_host_handler.go` — `generateForwardHostWarnings` Private IP (~2 lines) + +**Gap location**: `net.ParseIP(forwardHost) != nil && network.IsPrivateIP(ip)` branch (non-Docker private IP) + +**New file**: `proxy_host_handler_patch_coverage_test.go` + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestGenerateForwardHostWarnings_PrivateIP` | forwardHost = `"192.168.1.100"` (RFC-1918, non-Docker) | Returns warning with field `"forward_host"` | + +### 3.21 `proxy_host_handler.go` — `BulkUpdateSecurityHeaders` Edge Cases (~4 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestBulkUpdateSecurityHeaders_AllFail_Rollback` | All UUIDs not found → `updated == 0` at end | 400, transaction rolled back | +| `TestBulkUpdateSecurityHeaders_ProfileDB_NonNotFoundError` | Profile lookup returns wrapped DB error | 500 | + +--- + +### 3.22 Frontend: `CertificateList.tsx` — Untested Branches + +**File**: `frontend/src/components/__tests__/CertificateList.test.tsx` + +| Gap | New Test | +|---|---| +| `bulkDeleteMutation` success | `'calls bulkDeleteMutation.mutate with selected UUIDs on confirm'` | +| `bulkDeleteMutation` error | `'shows error toast on bulk delete failure'` | +| Sort direction toggle | `'toggles sort direction when same column clicked twice'` | +| `selectedIds` reconciliation | `'reconciles selectedIds when certificate list shrinks'` | +| Export dialog open | `'opens export dialog when export button clicked'` | + +### 3.23 Frontend: `CertificateUploadDialog.tsx` — Untested Branches + +**File**: `frontend/src/components/dialogs/__tests__/CertificateUploadDialog.test.tsx` + +| Gap | New Test | +|---|---| +| PFX hides key/chain zones | `'hides key and chain file inputs when PFX file selected'` | +| Upload success closes dialog | `'calls onOpenChange(false) on successful upload'` | +| Upload error shows toast | `'shows error toast when upload mutation fails'` | +| Validate result shown | `'displays validation result after validate clicked'` | + +--- + +## 4. Implementation Plan + +### Phase 1: Playwright Smoke Tests (Acceptance Gating) + +Add smoke coverage to confirm certificate export and delete flows reach the backend. + +**File**: `tests/certificate-coverage-smoke.spec.ts` + +```typescript +import { test, expect } from '@playwright/test' + +test.describe('Certificate Coverage Smoke', () => { + test('export dialog opens when export button clicked', async ({ page }) => { + await page.goto('/') + // navigate to Certificates, click export on a cert + // assert dialog visible + }) + + test('delete dialog opens for deletable certificate', async ({ page }) => { + await page.goto('/') + // assert delete confirmation dialog appears + }) +}) +``` + +### Phase 2: Backend — Handler Tests + +**File**: `backend/internal/api/handlers/certificate_handler_patch_coverage_test.go` +**Action**: Append all tests from sections 3.1–3.6. + +Setup pattern for handler tests: + +```go +func setupCertHandlerTest(t *testing.T) (*gin.Engine, *CertificateHandler, *gorm.DB) { + t.Helper() + db, err := gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{}) + require.NoError(t, err) + require.NoError(t, db.AutoMigrate(&models.SSLCertificate{}, &models.User{}, &models.ProxyHost{})) + tmpDir := t.TempDir() + certSvc := services.NewCertificateService(tmpDir, db, nil) + backup := &mockBackupService{ + availableSpaceFunc: func() (int64, error) { return 1 << 30, nil }, + createFunc: func(string) (string, error) { return "/tmp/backup.db", nil }, + } + h := NewCertificateHandler(certSvc, backup, nil) + h.SetDB(db) + r := gin.New() + r.Use(mockAuthMiddleware()) + h.RegisterRoutes(r.Group("/api")) + return r, h, db +} +``` + +For `TestExport_IncludeKey_*` tests: inject user into gin context directly using a custom middleware wrapper that sets `"user"` (type `map[string]any`, field `"id"`) to the desired value. + +### Phase 3: Backend — Service Tests + +**File**: `backend/internal/services/certificate_service_patch_coverage_test.go` +**Action**: Append all tests from sections 3.7–3.13. + +Setup pattern: + +```go +func newTestSvc(t *testing.T) (*CertificateService, *gorm.DB, string) { + t.Helper() + db, err := gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{}) + require.NoError(t, err) + require.NoError(t, db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})) + tmpDir := t.TempDir() + return NewCertificateService(tmpDir, db, nil), db, tmpDir +} +``` + +For `TestMigratePrivateKeys_WithRows`: use `db.Exec("INSERT INTO ssl_certificates (..., private_key) VALUES (...)` raw SQL to bypass GORM's `gorm:"-"` tag. + +### Phase 4: Backend — Validator Tests + +**File**: `backend/internal/services/certificate_validator_patch_coverage_test.go` (new) + +Key helpers needed: + +```go +// generatePKCS1RSAKeyPEM returns an RSA key in PKCS#1 "RSA PRIVATE KEY" PEM format. +func generatePKCS1RSAKeyPEM(t *testing.T) []byte { + key, err := rsa.GenerateKey(rand.Reader, 2048) + require.NoError(t, err) + return pem.EncodeToMemory(&pem.Block{ + Type: "RSA PRIVATE KEY", + Bytes: x509.MarshalPKCS1PrivateKey(key), + }) +} + +// generateECKeyPEM returns an EC key in "EC PRIVATE KEY" (SEC1) PEM format. +func generateECKeyPEM(t *testing.T, curve elliptic.Curve) []byte { + key, err := ecdsa.GenerateKey(curve, rand.Reader) + require.NoError(t, err) + b, err := x509.MarshalECPrivateKey(key) + require.NoError(t, err) + return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b}) +} +``` + +### Phase 5: Backend — Proxy Host Handler Tests + +**File**: `backend/internal/api/handlers/proxy_host_handler_patch_coverage_test.go` (new) + +Setup pattern mirrors existing `proxy_host_handler_test.go` — use in-memory SQLite, `mockAuthMiddleware`, and `mockCaddyManager` (already available via test hook vars). + +### Phase 6: Frontend Tests + +**Files**: +- `frontend/src/components/__tests__/CertificateList.test.tsx` +- `frontend/src/components/dialogs/__tests__/CertificateUploadDialog.test.tsx` + +Use existing mock structure; add new `it(...)` blocks inside existing `describe` blocks. + +Frontend bulk delete success test pattern: + +```typescript +it('calls bulkDeleteMutation.mutate with selected UUIDs on confirm', async () => { + const bulkDeleteFn = vi.fn() + mockUseBulkDeleteCertificates.mockReturnValue({ + mutate: bulkDeleteFn, + isPending: false, + }) + render() + // select checkboxes, click bulk delete, confirm dialog + expect(bulkDeleteFn).toHaveBeenCalledWith(['uuid-1', 'uuid-2']) +}) +``` + +### Phase 7: Validation + +1. `cd /projects/Charon && bash scripts/go-test-coverage.sh` +2. `cd /projects/Charon && bash scripts/frontend-test-coverage.sh` +3. `bash scripts/local-patch-report.sh` → verify `test-results/local-patch-report.md` shows ≥ 90% +4. `bash scripts/scan-gorm-security.sh --check` → zero CRITICAL/HIGH + +--- + +## 5. Commit Slicing Strategy + +**Decision**: One PR with 5 ordered, independently-reviewable commits. + +**Rationale**: Four packages touched across two build systems (Go + Node). Atomic commits allow targeted revert if a mock approach proves brittle for a specific file, without rolling back unrelated coverage gains. + +| # | Scope | Files | Dependencies | Validation Gate | +|---|---|---|---|---| +| **Commit 1** | Handler re-auth + delete + file-open errors | `certificate_handler_patch_coverage_test.go` (extend) | None | `go test ./backend/internal/api/handlers/...` | +| **Commit 2** | Service SyncFromDisk, ListCerts, GetDecryptedKey, Migrate, Update, Delete, CheckExpiring | `certificate_service_patch_coverage_test.go` (extend) | None | `go test ./backend/internal/services/...` | +| **Commit 3** | Validator DetectFormat, parsePEMPrivateKey, detectKeyType, ConvertPEMToPFX/DER, formatSerial | `certificate_validator_patch_coverage_test.go` (new) | Commit 2 not required (separate file) | `go test ./backend/internal/services/...` | +| **Commit 4** | Proxy host warnings + BulkUpdateSecurityHeaders edge cases | `proxy_host_handler_patch_coverage_test.go` (new) | None | `go test ./backend/internal/api/handlers/...` | +| **Commit 5** | Frontend CertificateList + CertificateUploadDialog | `CertificateList.test.tsx`, `CertificateUploadDialog.test.tsx` (extend) | None | `npm run test` | + +**Rollback**: Any commit is safe to revert independently — all changes are additive test-only files. + +**Contingency**: If the `Export` handler's re-auth tests require gin context injection that the current router wiring doesn't support cleanly, use a sub-router with a custom test middleware that pre-populates `"user"` (`map[string]any{"id": uint(1)}`) with the specific value under test, bypassing `mockAuthMiddleware` for those cases only. + +--- + +## 6. Acceptance Criteria + +- [ ] `go test -race ./backend/...` — all tests pass, no data races +- [ ] Backend patch coverage ≥ 90% for all modified Go files per `test-results/local-patch-report.md` +- [ ] `npm run test` — all Vitest tests pass +- [ ] Frontend patch coverage ≥ 90% for `CertificateList.tsx` and `CertificateUploadDialog.tsx` +- [ ] GORM security scan: zero CRITICAL/HIGH findings +- [ ] No new `//nolint` or `//nosec` directives introduced +- [ ] No source file modifications — test files only +- [ ] All new Go test names follow `TestFunctionName_Scenario` convention +- [ ] Previous spec archived to `docs/plans/archive/` + +--- + +## 7. Estimated Coverage Impact + +| File | Current | Estimated After | Lines Recovered | +|---|---|---|---| +| `certificate_handler.go` | 70.28% | ~85% | ~42 lines | +| `certificate_service.go` | 82.85% | ~92% | ~44 lines | +| `certificate_validator.go` | 88.68% | ~96% | ~18 lines | +| `proxy_host_handler.go` | 55.17% | ~60% | ~8 lines | +| `CertificateList.tsx` | moderate | high | ~15 lines | +| `CertificateUploadDialog.tsx` | moderate | high | ~12 lines | +| **Overall patch** | **85.61%** | **≥ 90%** | **~139 lines** | + +> **Note**: Proxy host handler remains below 90% after this plan because the `Create`/`Update`/`Delete` handler paths require full Caddy manager mock integration. A follow-up plan should address these with a dedicated `mockCaddyManager` interface. diff --git a/docs/plans/current_spec.md b/docs/plans/current_spec.md index f976b196..8c76ff60 100644 --- a/docs/plans/current_spec.md +++ b/docs/plans/current_spec.md @@ -1,460 +1,897 @@ -# Coverage Improvement Plan — Patch Coverage ≥ 90% +# CrowdSec IP Whitelist Management — Implementation Plan -**Date**: 2026-05-02 +**Issue**: [#939 — CrowdSec IP Whitelist Management](https://github.com/owner/Charon/issues/939) +**Date**: 2026-05-20 **Status**: Draft — Awaiting Approval **Priority**: High -**Archived Previous Plan**: Custom Certificate Upload & Management (Issue #22) → `docs/plans/archive/custom-cert-upload-management-spec-2026-05-02.md` +**Archived Previous Plan**: Coverage Improvement Plan (patch coverage ≥ 90%) → `docs/plans/archive/patch-coverage-improvement-plan-2026-05-02.md` --- ## 1. Introduction -This plan identifies exact uncovered branches across the six highest-gap backend source files and two frontend components, and specifies new test cases to close those gaps. The target is to raise overall patch coverage from **85.61% (206 missing lines)** to **≥ 90%**. +### 1.1 Overview -**Constraints**: -- No source file modifications — test files only -- Go tests placed in `*_patch_coverage_test.go` (same package as source) -- Frontend tests extend existing `__tests__/*.test.tsx` files -- Use testify (Go) and Vitest + React Testing Library (frontend) +CrowdSec enforces IP ban decisions by default. Operators need a way to permanently exempt known-good IPs (uptime monitors, internal subnets, VPN exits, partners) from ever being banned. CrowdSec handles this through its `whitelists` parser, which intercepts alert evaluation and suppresses bans for matching IPs/CIDRs before decisions are even written. + +This feature gives Charon operators a first-class UI for managing those whitelist entries: add an IP or CIDR, give it a reason, and have Charon persist it in the database, render the required YAML parser file into the CrowdSec config tree, and signal CrowdSec to reload—all without manual file editing. + +### 1.2 Objectives + +- Allow operators to add, view, and remove CrowdSec whitelist entries (IPs and CIDRs) through the Charon management UI. +- Persist entries in SQLite so they survive container restarts. +- Generate a `crowdsecurity/whitelists`-compatible YAML parser file on every mutating operation and on startup. +- Automatically install the `crowdsecurity/whitelists` hub parser so CrowdSec can process the file. +- Show the Whitelist tab only when CrowdSec is in `local` mode, consistent with other CrowdSec-only tabs. --- ## 2. Research Findings -### 2.1 Coverage Gap Summary +### 2.1 Existing CrowdSec Architecture -| Package | File | Missing Lines | Current Coverage | +| Component | Location | Notes | +|---|---|---| +| Hub parser installer | `configs/crowdsec/install_hub_items.sh` | Run at container start; uses `cscli parsers install --force` | +| CrowdSec handler | `backend/internal/api/handlers/crowdsec_handler.go` | ~2750 LOC; `RegisterRoutes` at L2704 | +| Route registration | `backend/internal/api/routes/routes.go` | `crowdsecHandler.RegisterRoutes(management)` at ~L620 | +| CrowdSec startup | `backend/internal/services/crowdsec_startup.go` | `ReconcileCrowdSecOnStartup()` runs before process start | +| Security config | `backend/internal/models/security_config.go` | `CrowdSecMode`, `CrowdSecConfigDir` (via `cfg.Security.CrowdSecConfigDir`) | +| IP/CIDR helper | `backend/internal/security/whitelist.go` | `IsIPInCIDRList()` using `net.ParseIP` / `net.ParseCIDR` | +| AutoMigrate | `routes.go` ~L95–125 | `&models.ManualChallenge{}` is currently the last entry | + +### 2.2 Gap Analysis + +- `crowdsecurity/whitelists` hub parser is **not** installed by `install_hub_items.sh` — the YAML file would be ignored by CrowdSec without it. +- No `CrowdSecWhitelist` model exists in `backend/internal/models/`. +- No whitelist service, handler methods, or API routes exist. +- No frontend tab, API client functions, or TanStack Query hooks exist. +- No E2E test spec covers whitelist management. + +### 2.3 Relevant Patterns + +**Model pattern** (from `access_list.go` + `security_config.go`): +```go +type Model struct { + ID uint `json:"-" gorm:"primaryKey"` + UUID string `json:"uuid" gorm:"uniqueIndex;not null"` + // domain fields + CreatedAt time.Time `json:"created_at"` + UpdatedAt time.Time `json:"updated_at"` +} +``` + +**Service pattern** (from `access_list_service.go`): +```go +var ErrXxxNotFound = errors.New("xxx not found") + +type XxxService struct { db *gorm.DB } + +func NewXxxService(db *gorm.DB) *XxxService { return &XxxService{db: db} } +``` + +**Handler error response pattern** (from `crowdsec_handler.go`): +```go +c.JSON(http.StatusBadRequest, gin.H{"error": "..."}) +c.JSON(http.StatusNotFound, gin.H{"error": "..."}) +c.JSON(http.StatusInternalServerError, gin.H{"error": "..."}) +``` + +**Frontend API client pattern** (from `frontend/src/api/crowdsec.ts`): +```typescript +export const listXxx = async (): Promise => { + const resp = await client.get('/admin/crowdsec/xxx') + return resp.data +} +``` + +**Frontend mutation pattern** (from `CrowdSecConfig.tsx`): +```typescript +const mutation = useMutation({ + mutationFn: (data) => apiCall(data), + onSuccess: () => { + toast.success('...') + queryClient.invalidateQueries({ queryKey: ['crowdsec-whitelist'] }) + }, + onError: (err) => toast.error(err instanceof Error ? err.message : '...'), +}) +``` + +### 2.4 CrowdSec Whitelist YAML Format + +CrowdSec's `crowdsecurity/whitelists` parser expects the following YAML structure at a path under the `parsers/s02-enrich/` directory: + +```yaml +name: charon-whitelist +description: "Charon-managed IP/CIDR whitelist" +filter: "evt.Meta.service == 'http'" +whitelist: + reason: "Charon managed whitelist" + ip: + - "1.2.3.4" + cidr: + - "10.0.0.0/8" + - "192.168.0.0/16" +``` + +For an empty whitelist, both `ip` and `cidr` must be present as empty lists (not omitted) to produce valid YAML that CrowdSec can parse without error. + +--- + +## 3. Technical Specifications + +### 3.1 Database Schema + +**New model**: `backend/internal/models/crowdsec_whitelist.go` + +```go +package models + +import "time" + +// CrowdSecWhitelist represents a single IP or CIDR exempted from CrowdSec banning. +type CrowdSecWhitelist struct { + ID uint `json:"-" gorm:"primaryKey"` + UUID string `json:"uuid" gorm:"uniqueIndex;not null"` + IPOrCIDR string `json:"ip_or_cidr" gorm:"not null;uniqueIndex"` + Reason string `json:"reason" gorm:"not null;default:''"` + CreatedAt time.Time `json:"created_at"` + UpdatedAt time.Time `json:"updated_at"` +} +``` + +**AutoMigrate registration** (`backend/internal/api/routes/routes.go`, append after `&models.ManualChallenge{}`): +```go +&models.CrowdSecWhitelist{}, +``` + +### 3.2 API Design + +All new endpoints live under the existing `/api/v1` prefix and are registered inside `CrowdsecHandler.RegisterRoutes(rg *gin.RouterGroup)`, following the same `rg.METHOD("/admin/crowdsec/...")` naming pattern as every other CrowdSec endpoint. + +#### Endpoint Table + +| Method | Path | Auth | Description | |---|---|---|---| -| `handlers` | `certificate_handler.go` | ~54 | 70.28% | -| `services` | `certificate_service.go` | ~54 | 82.85% | -| `services` | `certificate_validator.go` | ~18 | 88.68% | -| `handlers` | `proxy_host_handler.go` | ~12 | 55.17% | -| `config` | `config.go` | ~8 | ~92% | -| `caddy` | `manager.go` | ~10 | ~88% | -| Frontend | `CertificateList.tsx` | moderate | — | -| Frontend | `CertificateUploadDialog.tsx` | moderate | — | - -### 2.2 Test Infrastructure (Confirmed) - -- **In-memory DB**: `gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{})` -- **Mock auth**: `mockAuthMiddleware()` from `coverage_helpers_test.go` -- **Mock backup service**: `&mockBackupService{createFunc: ..., availableSpaceFunc: ...}` -- **Manager test hooks**: package-level `generateConfigFunc`, `validateConfigFunc`, `writeFileFunc` vars with `defer` restore pattern -- **Frontend mocks**: `vi.mock('../../hooks/...', ...)` and `vi.mock('react-i18next', ...)` - -### 2.3 Existing Patch Test Files - -| File | Existing Tests | -|---|---| -| `certificate_handler_patch_coverage_test.go` | `TestDelete_UUID_WithBackup_Success`, `_NotFound`, `_InUse` | -| `certificate_service_patch_coverage_test.go` | `TestExportCertificate_DER`, `_PFX`, `_P12`, `_UnsupportedFormat` | -| `certificate_validator_extra_coverage_test.go` | ECDSA/Ed25519 key match, `ConvertDERToPEM` valid/invalid | -| `manager_patch_coverage_test.go` | DNS provider encryption key paths | -| `proxy_host_handler_test.go` | Full CRUD + BulkUpdateACL + BulkUpdateSecurityHeaders | -| `proxy_host_handler_update_test.go` | Update edge cases, `ParseForwardPortField`, `ParseNullableUintField` | - ---- - -## 3. Technical Specifications — Per-File Gap Analysis - -### 3.1 `certificate_handler.go` — Export Re-Auth Path (~18 lines) - -The `Export` handler re-authenticates the user when `include_key=true`. All six guard branches are uncovered. - -**Gap location**: Lines ~260–320 (password empty check, `user` context key extraction, `map[string]any` cast, `id` field lookup, DB user lookup, bcrypt check) - -**New tests** (append to `certificate_handler_patch_coverage_test.go`): - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestExport_IncludeKey_MissingPassword` | POST with `include_key=true`, no `password` field | 403 | -| `TestExport_IncludeKey_NoUserContext` | No `"user"` key in gin context | 403 | -| `TestExport_IncludeKey_InvalidClaimsType` | `"user"` set to a plain string | 403 | -| `TestExport_IncludeKey_UserIDNotInClaims` | `user = map[string]any{}` with no `"id"` key | 403 | -| `TestExport_IncludeKey_UserNotFoundInDB` | Valid claims, no matching user row | 403 | -| `TestExport_IncludeKey_WrongPassword` | User in DB, wrong plaintext password submitted | 403 | - -### 3.2 `certificate_handler.go` — Export Service Errors (~4 lines) - -**Gap location**: After `ExportCertificate` call — ErrCertNotFound and generic error branches - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestExport_CertNotFound` | Unknown UUID | 404 | -| `TestExport_ServiceError` | Service returns non-not-found error | 500 | - -### 3.3 `certificate_handler.go` — Delete Numeric-ID Error Paths (~12 lines) - -**Gap location**: `IsCertificateInUse` error, disk space check, backup error, `DeleteCertificateByID` returning `ErrCertInUse` or generic error - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestDelete_NumericID_UsageCheckError` | `IsCertificateInUse` returns error | 500 | -| `TestDelete_NumericID_LowDiskSpace` | `availableSpaceFunc` returns 0 | 507 | -| `TestDelete_NumericID_BackupError` | `createFunc` returns error | 500 | -| `TestDelete_NumericID_CertInUse_FromService` | `DeleteCertificateByID` → `ErrCertInUse` | 409 | -| `TestDelete_NumericID_DeleteError` | `DeleteCertificateByID` → generic error | 500 | - -### 3.4 `certificate_handler.go` — Delete UUID Additional Error Paths (~8 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestDelete_UUID_UsageCheckInternalError` | `IsCertificateInUseByUUID` returns non-ErrCertNotFound error | 500 | -| `TestDelete_UUID_LowDiskSpace` | `availableSpaceFunc` returns 0 | 507 | -| `TestDelete_UUID_BackupCreationError` | `createFunc` returns error | 500 | -| `TestDelete_UUID_CertInUse_FromService` | `DeleteCertificate` → `ErrCertInUse` | 409 | - -### 3.5 `certificate_handler.go` — Upload/Validate File Open Errors (~8 lines) - -**Gap location**: `file.Open()` calls on multipart key and chain form files returning errors - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestUpload_KeyFile_OpenError` | Valid cert file, malformed key multipart entry | 500 | -| `TestUpload_ChainFile_OpenError` | Valid cert+key, malformed chain multipart entry | 500 | -| `TestValidate_KeyFile_OpenError` | Valid cert, malformed key multipart entry | 500 | -| `TestValidate_ChainFile_OpenError` | Valid cert+key, malformed chain multipart entry | 500 | - -### 3.6 `certificate_handler.go` — `sendDeleteNotification` Rate-Limit (~2 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestSendDeleteNotification_RateLimit` | Call `sendDeleteNotification` twice within 10-second window | Second call is a no-op | - ---- - -### 3.7 `certificate_service.go` — `SyncFromDisk` Branches (~14 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestSyncFromDisk_StagingToProductionUpgrade` | DB has staging cert, disk has production cert for same domain | DB cert updated to production provider | -| `TestSyncFromDisk_ExpiryOnlyUpdate` | Disk cert content matches DB cert, only expiry changed | Only `expires_at` column updated | -| `TestSyncFromDisk_CertRootStatPermissionError` | `os.Chmod(certRoot, 0)` before sync; add skip guard `if os.Getuid() == 0 { t.Skip("chmod permission test cannot run as root") }` | No panic; logs error; function completes | - -### 3.8 `certificate_service.go` — `ListCertificates` Background Goroutine (~4 lines) - -**Gap location**: `initialized=true` && TTL expired path → spawns background goroutine - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestListCertificates_StaleCache_TriggersBackgroundSync` | `initialized=true`, `lastScan` = 10 min ago | Returns cached list without blocking; background sync completes | - -*Use `require.Eventually(t, func() bool { return svc.lastScan.After(before) }, 2*time.Second, 10*time.Millisecond, "background sync did not update lastScan")` after the call — avoids flaky fixed sleeps.* - -### 3.9 `certificate_service.go` — `GetDecryptedPrivateKey` Nil encSvc and Decrypt Failure (~4 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestGetDecryptedPrivateKey_NoEncSvc` | Service with `nil` encSvc, cert has non-empty `PrivateKeyEncrypted` | Returns error | -| `TestGetDecryptedPrivateKey_DecryptFails` | encSvc configured, corrupted ciphertext in DB | Returns wrapped error | - -### 3.10 `certificate_service.go` — `MigratePrivateKeys` Branches (~6 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestMigratePrivateKeys_NoEncSvc` | `encSvc == nil` | Returns nil; logs warning | -| `TestMigratePrivateKeys_WithRows` | DB has cert with `private_key` populated, valid encSvc | Row migrated: `private_key` cleared, `private_key_enc` set | - -### 3.11 `certificate_service.go` — `UpdateCertificate` Errors (~4 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestUpdateCertificate_NotFound` | Non-existent UUID | Returns `ErrCertNotFound` | -| `TestUpdateCertificate_DBSaveError` | Valid UUID, DB closed before Save | Returns wrapped error | - -### 3.12 `certificate_service.go` — `DeleteCertificate` ACME File Cleanup (~8 lines) - -**Gap location**: `cert.Provider == "letsencrypt"` branch → Walk certRoot and remove `.crt`/`.key`/`.json` files - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestDeleteCertificate_LetsEncryptProvider_FileCleanup` | Create temp `.crt` matching cert domain, delete cert | `.crt` removed from disk | -| `TestDeleteCertificate_StagingProvider_FileCleanup` | Provider = `"letsencrypt-staging"` | Same cleanup behavior triggered | - -### 3.13 `certificate_service.go` — `CheckExpiringCertificates` (~8 lines) - -**Implementation** (lines ~966–1020): queries `provider = 'custom'` certs expiring before `threshold`, iterates and sends notification for certs with `daysLeft <= warningDays`. - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestCheckExpiringCertificates_ExpiresInRange` | Custom cert `expires_at = now+5d`, warningDays=30 | Returns slice with 1 cert | -| `TestCheckExpiringCertificates_AlreadyExpired` | Custom cert `expires_at = yesterday` | Result contains cert with negative days | -| `TestCheckExpiringCertificates_DBError` | DB closed before query | Returns error | - ---- - -### 3.14 `certificate_validator.go` — `DetectFormat` Password-Protected PFX (~2 lines) - -**Gap location**: PFX where `pkcs12.DecodeAll("")` fails but first byte is `0x30` (ASN.1 SEQUENCE), DER parse also fails → returns `FormatPFX` - -**New file**: `certificate_validator_patch_coverage_test.go` - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestDetectFormat_PasswordProtectedPFX` | Generate PFX with non-empty password, call `DetectFormat` | Returns `FormatPFX` | - -### 3.15 `certificate_validator.go` — `parsePEMPrivateKey` Additional Block Types (~4 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestParsePEMPrivateKey_PKCS1RSA` | PEM block type `"RSA PRIVATE KEY"` (x509.MarshalPKCS1PrivateKey) | Returns RSA key | -| `TestParsePEMPrivateKey_EC` | PEM block type `"EC PRIVATE KEY"` (x509.MarshalECPrivateKey) | Returns ECDSA key | - -### 3.16 `certificate_validator.go` — `detectKeyType` P-384 and Unknown Curves (~4 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestDetectKeyType_ECDSAP384` | P-384 ECDSA key | Returns `"ECDSA-P384"` | -| `TestDetectKeyType_ECDSAUnknownCurve` | ECDSA key with custom/unknown curve (e.g. P-224) | Returns `"ECDSA"` | - -### 3.17 `certificate_validator.go` — `ConvertPEMToPFX` Empty Chain (~2 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestConvertPEMToPFX_EmptyChain` | Valid cert+key PEM, empty chain string | Returns PFX bytes without error | - -### 3.18 `certificate_validator.go` — `ConvertPEMToDER` Non-Certificate Block (~2 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestConvertPEMToDER_NonCertBlock` | PEM block type `"PRIVATE KEY"` | Returns nil data and error | - -### 3.19 `certificate_validator.go` — `formatSerial` Nil BigInt (~2 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestFormatSerial_Nil` | `formatSerial(nil)` | Returns `""` | - ---- - -### 3.20 `proxy_host_handler.go` — `generateForwardHostWarnings` Private IP (~2 lines) - -**Gap location**: `net.ParseIP(forwardHost) != nil && network.IsPrivateIP(ip)` branch (non-Docker private IP) - -**New file**: `proxy_host_handler_patch_coverage_test.go` - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestGenerateForwardHostWarnings_PrivateIP` | forwardHost = `"192.168.1.100"` (RFC-1918, non-Docker) | Returns warning with field `"forward_host"` | - -### 3.21 `proxy_host_handler.go` — `BulkUpdateSecurityHeaders` Edge Cases (~4 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestBulkUpdateSecurityHeaders_AllFail_Rollback` | All UUIDs not found → `updated == 0` at end | 400, transaction rolled back | -| `TestBulkUpdateSecurityHeaders_ProfileDB_NonNotFoundError` | Profile lookup returns wrapped DB error | 500 | - ---- - -### 3.22 Frontend: `CertificateList.tsx` — Untested Branches - -**File**: `frontend/src/components/__tests__/CertificateList.test.tsx` - -| Gap | New Test | -|---|---| -| `bulkDeleteMutation` success | `'calls bulkDeleteMutation.mutate with selected UUIDs on confirm'` | -| `bulkDeleteMutation` error | `'shows error toast on bulk delete failure'` | -| Sort direction toggle | `'toggles sort direction when same column clicked twice'` | -| `selectedIds` reconciliation | `'reconciles selectedIds when certificate list shrinks'` | -| Export dialog open | `'opens export dialog when export button clicked'` | - -### 3.23 Frontend: `CertificateUploadDialog.tsx` — Untested Branches - -**File**: `frontend/src/components/dialogs/__tests__/CertificateUploadDialog.test.tsx` - -| Gap | New Test | -|---|---| -| PFX hides key/chain zones | `'hides key and chain file inputs when PFX file selected'` | -| Upload success closes dialog | `'calls onOpenChange(false) on successful upload'` | -| Upload error shows toast | `'shows error toast when upload mutation fails'` | -| Validate result shown | `'displays validation result after validate clicked'` | +| `GET` | `/api/v1/admin/crowdsec/whitelist` | Management | List all whitelist entries | +| `POST` | `/api/v1/admin/crowdsec/whitelist` | Management | Add a new entry | +| `DELETE` | `/api/v1/admin/crowdsec/whitelist/:uuid` | Management | Remove an entry by UUID | + +#### `GET /admin/crowdsec/whitelist` + +**Response 200**: +```json +{ + "whitelist": [ + { + "uuid": "a1b2c3d4-...", + "ip_or_cidr": "10.0.0.0/8", + "reason": "Internal subnet", + "created_at": "2026-05-20T12:00:00Z", + "updated_at": "2026-05-20T12:00:00Z" + } + ] +} +``` + +#### `POST /admin/crowdsec/whitelist` + +**Request body**: +```json +{ "ip_or_cidr": "10.0.0.0/8", "reason": "Internal subnet" } +``` + +**Response 201**: +```json +{ + "uuid": "a1b2c3d4-...", + "ip_or_cidr": "10.0.0.0/8", + "reason": "Internal subnet", + "created_at": "...", + "updated_at": "..." +} +``` + +**Error responses**: +- `400` — missing/invalid `ip_or_cidr` field, unparseable IP/CIDR +- `409` — duplicate entry (same `ip_or_cidr` already exists) +- `500` — database or YAML write failure + +#### `DELETE /admin/crowdsec/whitelist/:uuid` + +**Response 204** — no body + +**Error responses**: +- `404` — entry not found +- `500` — database or YAML write failure + +### 3.3 Service Design + +**New file**: `backend/internal/services/crowdsec_whitelist_service.go` + +```go +package services + +import ( + "context" + "errors" + "net" + "os" + "path/filepath" + "text/template" + + "github.com/google/uuid" + "gorm.io/gorm" + + "github.com/yourusername/charon/backend/internal/models" + "github.com/yourusername/charon/backend/internal/logger" +) + +var ( + ErrWhitelistNotFound = errors.New("whitelist entry not found") + ErrInvalidIPOrCIDR = errors.New("invalid IP address or CIDR notation") + ErrDuplicateEntry = errors.New("whitelist entry already exists") +) + +type CrowdSecWhitelistService struct { + db *gorm.DB + dataDir string +} + +func NewCrowdSecWhitelistService(db *gorm.DB, dataDir string) *CrowdSecWhitelistService { + return &CrowdSecWhitelistService{db: db, dataDir: dataDir} +} + +// List returns all whitelist entries ordered by creation time. +func (s *CrowdSecWhitelistService) List(ctx context.Context) ([]models.CrowdSecWhitelist, error) { ... } + +// Add validates, persists, and regenerates the YAML file. +func (s *CrowdSecWhitelistService) Add(ctx context.Context, ipOrCIDR, reason string) (*models.CrowdSecWhitelist, error) { ... } + +// Delete removes an entry by UUID and regenerates the YAML file. +func (s *CrowdSecWhitelistService) Delete(ctx context.Context, uuid string) error { ... } + +// WriteYAML renders all current entries to /parsers/s02-enrich/charon-whitelist.yaml +func (s *CrowdSecWhitelistService) WriteYAML(ctx context.Context) error { ... } +``` + +**Validation logic** in `Add()`: +1. Trim whitespace from `ipOrCIDR`. +2. Attempt `net.ParseIP(ipOrCIDR)` — if non-nil, it's a bare IP ✓ +3. Attempt `net.ParseCIDR(ipOrCIDR)` — if `err == nil`, it's a valid CIDR ✓; normalize host bits immediately: `ipOrCIDR = network.String()` (e.g., `"10.0.0.1/8"` → `"10.0.0.0/8"`). +4. If both fail → return `ErrInvalidIPOrCIDR` +5. Attempt DB insert; if GORM unique constraint error → return `ErrDuplicateEntry` +6. On success → call `WriteYAML(ctx)` (non-fatal on YAML error: log + return original entry) + +> **Note**: `Add()` and `Delete()` do **not** call `cscli hub reload`. Reload is the caller's responsibility (handled in `CrowdsecHandler.AddWhitelist` and `DeleteWhitelist` via `h.CmdExec`). + +**CIDR normalization snippet** (step 3): +```go +if ip, network, err := net.ParseCIDR(ipOrCIDR); err == nil { + _ = ip + ipOrCIDR = network.String() // normalizes "10.0.0.1/8" → "10.0.0.0/8" +} +``` + +**YAML generation** in `WriteYAML()`: + +Guard: if `s.dataDir == ""`, return `nil` immediately (no-op — used in unit tests that don't need file I/O). + +```go +const whitelistTmpl = `name: charon-whitelist +description: "Charon-managed IP/CIDR whitelist" +filter: "evt.Meta.service == 'http'" +whitelist: + reason: "Charon managed whitelist" + ip: +{{- range .IPs}} + - "{{.}}" +{{- end}} +{{- if not .IPs}} + [] +{{- end}} + cidr: +{{- range .CIDRs}} + - "{{.}}" +{{- end}} +{{- if not .CIDRs}} + [] +{{- end}} +` +``` + +Target file path: `/config/parsers/s02-enrich/charon-whitelist.yaml` + +Directory created with `os.MkdirAll(..., 0o750)` if absent. + +File written atomically: render to `.tmp` → `os.Rename(tmp, path)`. + +### 3.4 Handler Design + +**Additions to `CrowdsecHandler` struct**: +```go +type CrowdsecHandler struct { + // ... existing fields ... + WhitelistSvc *services.CrowdSecWhitelistService // NEW +} +``` + +**`NewCrowdsecHandler` constructor** — initialize `WhitelistSvc`: +```go +h := &CrowdsecHandler{ + // ... existing assignments ... +} +if db != nil { + h.WhitelistSvc = services.NewCrowdSecWhitelistService(db, dataDir) +} +return h +``` + +**Three new methods on `CrowdsecHandler`**: + +```go +// ListWhitelists handles GET /admin/crowdsec/whitelist +func (h *CrowdsecHandler) ListWhitelists(c *gin.Context) { + entries, err := h.WhitelistSvc.List(c.Request.Context()) + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list whitelist entries"}) + return + } + c.JSON(http.StatusOK, gin.H{"whitelist": entries}) +} + +// AddWhitelist handles POST /admin/crowdsec/whitelist +func (h *CrowdsecHandler) AddWhitelist(c *gin.Context) { + var req struct { + IPOrCIDR string `json:"ip_or_cidr" binding:"required"` + Reason string `json:"reason"` + } + if err := c.ShouldBindJSON(&req); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": "ip_or_cidr is required"}) + return + } + entry, err := h.WhitelistSvc.Add(c.Request.Context(), req.IPOrCIDR, req.Reason) + if errors.Is(err, services.ErrInvalidIPOrCIDR) { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + return + } + if errors.Is(err, services.ErrDuplicateEntry) { + c.JSON(http.StatusConflict, gin.H{"error": err.Error()}) + return + } + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to add whitelist entry"}) + return + } + // Reload CrowdSec so the new entry takes effect immediately (non-fatal). + if reloadErr := h.CmdExec.Execute("cscli", "hub", "reload"); reloadErr != nil { + logger.Log().WithError(reloadErr).Warn("failed to reload CrowdSec after whitelist add (non-fatal)") + } + c.JSON(http.StatusCreated, entry) +} + +// DeleteWhitelist handles DELETE /admin/crowdsec/whitelist/:uuid +func (h *CrowdsecHandler) DeleteWhitelist(c *gin.Context) { + id := strings.TrimSpace(c.Param("uuid")) + if id == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "uuid required"}) + return + } + err := h.WhitelistSvc.Delete(c.Request.Context(), id) + if errors.Is(err, services.ErrWhitelistNotFound) { + c.JSON(http.StatusNotFound, gin.H{"error": "whitelist entry not found"}) + return + } + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete whitelist entry"}) + return + } + // Reload CrowdSec so the removed entry is no longer exempt (non-fatal). + if reloadErr := h.CmdExec.Execute("cscli", "hub", "reload"); reloadErr != nil { + logger.Log().WithError(reloadErr).Warn("failed to reload CrowdSec after whitelist delete (non-fatal)") + } + c.Status(http.StatusNoContent) +} +``` + +**Route registration** (append inside `RegisterRoutes`, after existing decision/bouncer routes): +```go +// Whitelist management +rg.GET("/admin/crowdsec/whitelist", h.ListWhitelists) +rg.POST("/admin/crowdsec/whitelist", h.AddWhitelist) +rg.DELETE("/admin/crowdsec/whitelist/:uuid", h.DeleteWhitelist) +``` + +### 3.5 Startup Integration + +**File**: `backend/internal/services/crowdsec_startup.go` + +In `ReconcileCrowdSecOnStartup()`, before the CrowdSec process is started: + +```go +// Regenerate whitelist YAML to ensure it reflects the current DB state. +whitelistSvc := NewCrowdSecWhitelistService(db, dataDir) +if err := whitelistSvc.WriteYAML(ctx); err != nil { + logger.Log().WithError(err).Warn("failed to write CrowdSec whitelist YAML on startup (non-fatal)") +} +``` + +This is **non-fatal**: if the DB has no entries, WriteYAML still writes an empty whitelist file, which is valid. + +### 3.6 Hub Parser Installation + +**File**: `configs/crowdsec/install_hub_items.sh` + +Add after the existing `cscli parsers install` lines: + +```bash +cscli parsers install crowdsecurity/whitelists --force || echo "⚠️ Failed to install crowdsecurity/whitelists" +``` + +### 3.7 Frontend Design + +#### API Client (`frontend/src/api/crowdsec.ts`) + +Append the following types and functions: + +```typescript +export interface CrowdSecWhitelistEntry { + uuid: string + ip_or_cidr: string + reason: string + created_at: string + updated_at: string +} + +export interface AddWhitelistPayload { + ip_or_cidr: string + reason: string +} + +export const listWhitelists = async (): Promise => { + const resp = await client.get<{ whitelist: CrowdSecWhitelistEntry[] }>('/admin/crowdsec/whitelist') + return resp.data.whitelist +} + +export const addWhitelist = async (data: AddWhitelistPayload): Promise => { + const resp = await client.post('/admin/crowdsec/whitelist', data) + return resp.data +} + +export const deleteWhitelist = async (uuid: string): Promise => { + await client.delete(`/admin/crowdsec/whitelist/${uuid}`) +} +``` + +#### TanStack Query Hooks (`frontend/src/hooks/useCrowdSecWhitelist.ts`) + +```typescript +import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query' +import { listWhitelists, addWhitelist, deleteWhitelist, AddWhitelistPayload } from '../api/crowdsec' +import { toast } from 'sonner' + +export const useWhitelistEntries = () => + useQuery({ + queryKey: ['crowdsec-whitelist'], + queryFn: listWhitelists, + }) + +export const useAddWhitelist = () => { + const queryClient = useQueryClient() + return useMutation({ + mutationFn: (data: AddWhitelistPayload) => addWhitelist(data), + onSuccess: () => { + toast.success('Whitelist entry added') + queryClient.invalidateQueries({ queryKey: ['crowdsec-whitelist'] }) + }, + onError: (err: unknown) => { + toast.error(err instanceof Error ? err.message : 'Failed to add whitelist entry') + }, + }) +} + +export const useDeleteWhitelist = () => { + const queryClient = useQueryClient() + return useMutation({ + mutationFn: (uuid: string) => deleteWhitelist(uuid), + onSuccess: () => { + toast.success('Whitelist entry removed') + queryClient.invalidateQueries({ queryKey: ['crowdsec-whitelist'] }) + }, + onError: (err: unknown) => { + toast.error(err instanceof Error ? err.message : 'Failed to remove whitelist entry') + }, + }) +} +``` + +#### CrowdSecConfig.tsx Changes + +The `CrowdSecConfig.tsx` page uses a tab navigation pattern. The new "Whitelist" tab: + +1. **Visibility**: Only render the tab when `isLocalMode === true` (same guard as Decisions tab). +2. **Tab value**: `"whitelist"` — append to the existing tab list. +3. **Tab panel content** (isolated component or inline JSX): + - **Add entry form**: `ip_or_cidr` text input + `reason` text input + "Add" button (disabled while `addMutation.isPending`). Validation error shown inline when backend returns 400/409. + - **Quick-add current IP**: A secondary "Add My IP" button that calls `GET /api/v1/system/my-ip` (existing endpoint) and pre-fills the `ip_or_cidr` field with the returned IP. + - **Entries table**: Columns — IP/CIDR, Reason, Added, Actions. Each row has a delete button with a confirmation dialog (matching the ban/unban modal pattern used for Decisions). + - **Empty state**: "No whitelist entries" message when the list is empty. + - **Loading state**: Skeleton rows while `useWhitelistEntries` is fetching. + +**Imports added to `CrowdSecConfig.tsx`**: +```typescript +import { useWhitelistEntries, useAddWhitelist, useDeleteWhitelist } from '../hooks/useCrowdSecWhitelist' +``` + +### 3.8 Data Flow Diagram + +``` +Operator adds IP in UI + │ + ▼ +POST /api/v1/admin/crowdsec/whitelist + │ + ▼ +CrowdsecHandler.AddWhitelist() + │ + ▼ +CrowdSecWhitelistService.Add() + ├── Validate IP/CIDR (net.ParseIP / net.ParseCIDR) + ├── Normalize CIDR host bits (network.String()) + ├── Insert into SQLite (models.CrowdSecWhitelist) + └── WriteYAML() → /config/parsers/s02-enrich/charon-whitelist.yaml + │ + ▼ +h.CmdExec.Execute("cscli", "hub", "reload") [non-fatal on error] + │ + ▼ +Return 201 to frontend + │ + ▼ +invalidateQueries(['crowdsec-whitelist']) + │ + ▼ +Table re-fetches and shows new entry +``` + +``` +Container restart + │ + ▼ +ReconcileCrowdSecOnStartup() + │ + ▼ +CrowdSecWhitelistService.WriteYAML() + └── Reads all DB entries → renders YAML + │ + ▼ +CrowdSec process starts + │ + ▼ +CrowdSec loads parsers/s02-enrich/charon-whitelist.yaml + └── crowdsecurity/whitelists parser activates + │ + ▼ +IPs/CIDRs in file are exempt from all ban decisions +``` + +### 3.9 Error Handling Matrix + +| Scenario | Service Error | HTTP Status | Frontend Behavior | +|---|---|---|---| +| Blank `ip_or_cidr` | — | 400 | Inline validation (required field) | +| Malformed IP/CIDR | `ErrInvalidIPOrCIDR` | 400 | Toast: "Invalid IP address or CIDR notation" | +| Duplicate entry | `ErrDuplicateEntry` | 409 | Toast: "This IP/CIDR is already whitelisted" | +| DB unavailable | generic error | 500 | Toast: "Failed to add whitelist entry" | +| UUID not found on DELETE | `ErrWhitelistNotFound` | 404 | Toast: "Whitelist entry not found" | +| YAML write failure | logged, non-fatal | 201 (Add still succeeds) | No user-facing error; log warning | +| CrowdSec reload failure | logged, non-fatal | 201/204 (operation still succeeds) | No user-facing error; log warning | + +### 3.10 Security Considerations + +- **Input validation**: All `ip_or_cidr` values are validated server-side with `net.ParseIP` / `net.ParseCIDR` before persisting. Arbitrary strings are rejected. +- **Path traversal**: `WriteYAML` constructs the output path via `filepath.Join(s.dataDir, "config", "parsers", "s02-enrich", "charon-whitelist.yaml")`. `dataDir` is set at startup—not user-supplied at request time. +- **Privilege**: All three endpoints require management-level access (same as all other CrowdSec endpoints). +- **YAML injection**: Values are rendered through Go's `text/template` with explicit quoting of each entry; no raw string concatenation. +- **Log safety**: IPs are logged using the same structured field pattern used in existing CrowdSec handler methods (e.g., `logger.Log().WithField("ip", entry.IPOrCIDR).Info(...)`). --- ## 4. Implementation Plan -### Phase 1: Playwright Smoke Tests (Acceptance Gating) +### Phase 1 — Hub Parser Installation (Groundwork) -Add smoke coverage to confirm certificate export and delete flows reach the backend. +**Files Changed**: +- `configs/crowdsec/install_hub_items.sh` -**File**: `tests/certificate-coverage-smoke.spec.ts` +**Task 1.1**: Add `cscli parsers install crowdsecurity/whitelists --force` after the last parser install line (currently `crowdsecurity/syslog-logs`). + +**Acceptance**: File change is syntactically valid bash; `shellcheck` passes. + +--- + +### Phase 2 — Database Model + +**Files Changed**: +- `backend/internal/models/crowdsec_whitelist.go` _(new file)_ +- `backend/internal/api/routes/routes.go` _(append to AutoMigrate call)_ + +**Task 2.1**: Create `crowdsec_whitelist.go` with the `CrowdSecWhitelist` struct per §3.1. + +**Task 2.2**: Append `&models.CrowdSecWhitelist{}` to the `db.AutoMigrate(...)` call in `routes.go`. + +**Validation Gate**: `go build ./backend/...` passes; GORM generates `crowdsec_whitelists` table on next startup. + +--- + +### Phase 3 — Whitelist Service + +**Files Changed**: +- `backend/internal/services/crowdsec_whitelist_service.go` _(new file)_ + +**Task 3.1**: Implement `CrowdSecWhitelistService` with `List`, `Add`, `Delete`, `WriteYAML` per §3.3. + +**Task 3.2**: Implement IP/CIDR validation in `Add()`: +- `net.ParseIP(ipOrCIDR) != nil` → valid bare IP +- `net.ParseCIDR(ipOrCIDR)` returns no error → valid CIDR +- Both fail → `ErrInvalidIPOrCIDR` + +**Task 3.3**: Implement `WriteYAML()`: +- Query all entries from DB. +- Partition into `ips` (bare IPs) and `cidrs` (CIDR notation) slices. +- Render template per §2.4. +- Atomic write: temp file → `os.Rename`. +- Create directory (`os.MkdirAll`) if not present. + +**Validation Gate**: `go test ./backend/internal/services/... -run TestCrowdSecWhitelist` passes. + +--- + +### Phase 4 — API Endpoints + +**Files Changed**: +- `backend/internal/api/handlers/crowdsec_handler.go` + +**Task 4.1**: Add `WhitelistSvc *services.CrowdSecWhitelistService` field to `CrowdsecHandler` struct. + +**Task 4.2**: Initialize `WhitelistSvc` in `NewCrowdsecHandler()` when `db != nil`. + +**Task 4.3**: Implement `ListWhitelists`, `AddWhitelist`, `DeleteWhitelist` methods per §3.4. + +**Task 4.4**: Register three routes in `RegisterRoutes()` per §3.4. + +**Task 4.5**: In `AddWhitelist` and `DeleteWhitelist`, after the service call returns without error, call `h.CmdExec.Execute("cscli", "hub", "reload")`. Log a warning on failure; do not change the HTTP response status (reload failure is non-fatal). + +**Validation Gate**: `go test ./backend/internal/api/handlers/... -run TestWhitelist` passes; `make lint-fast` clean. + +--- + +### Phase 5 — Startup Integration + +**Files Changed**: +- `backend/internal/services/crowdsec_startup.go` + +**Task 5.1**: In `ReconcileCrowdSecOnStartup()`, after the DB and config are loaded but before calling `h.Executor.Start()`, instantiate `CrowdSecWhitelistService` and call `WriteYAML(ctx)`. Log warning on error; do not abort startup. + +**Validation Gate**: `go test ./backend/internal/services/... -run TestReconcile` passes; existing reconcile tests still pass. + +--- + +### Phase 6 — Frontend API + Hooks + +**Files Changed**: +- `frontend/src/api/crowdsec.ts` +- `frontend/src/hooks/useCrowdSecWhitelist.ts` _(new file)_ + +**Task 6.1**: Add `CrowdSecWhitelistEntry`, `AddWhitelistPayload` types and `listWhitelists`, `addWhitelist`, `deleteWhitelist` functions to `crowdsec.ts` per §3.7. + +**Task 6.2**: Create `useCrowdSecWhitelist.ts` with `useWhitelistEntries`, `useAddWhitelist`, `useDeleteWhitelist` hooks per §3.7. + +**Validation Gate**: `pnpm test` (Vitest) passes; TypeScript compilation clean. + +--- + +### Phase 7 — Frontend UI + +**Files Changed**: +- `frontend/src/pages/CrowdSecConfig.tsx` + +**Task 7.1**: Import the three hooks from `useCrowdSecWhitelist.ts`. + +**Task 7.2**: Add `"whitelist"` to the tab list (visible only when `isLocalMode === true`). + +**Task 7.3**: Implement the Whitelist tab panel: +- Add-entry form with IP/CIDR + Reason inputs. +- "Add My IP" button: `GET /api/v1/system/my-ip` → pre-fill `ip_or_cidr`. +- Entries table with UUID key, IP/CIDR, Reason, created date, delete button. +- Delete confirmation dialog (reuse existing modal pattern). + +**Task 7.4**: Wire mutation errors to inline form validation messages (400/409 responses). + +**Validation Gate**: `pnpm test` passes; TypeScript clean; `make lint-fast` clean. + +--- + +### Phase 8 — Tests + +**Files Changed**: +- `backend/internal/services/crowdsec_whitelist_service_test.go` _(new file)_ +- `backend/internal/api/handlers/crowdsec_whitelist_handler_test.go` _(new file)_ +- `tests/crowdsec-whitelist.spec.ts` _(new file)_ + +**Task 8.1 — Service unit tests**: + +| Test | Scenario | +|---|---| +| `TestAdd_ValidIP_Success` | Bare IPv4 inserted; YAML file created | +| `TestAdd_ValidIPv6_Success` | Bare IPv6 inserted | +| `TestAdd_ValidCIDR_Success` | CIDR range inserted | +| `TestAdd_CIDRNormalization` | `"10.0.0.1/8"` stored as `"10.0.0.0/8"` | +| `TestAdd_InvalidIPOrCIDR_Error` | Returns `ErrInvalidIPOrCIDR` | +| `TestAdd_DuplicateEntry_Error` | Second identical insert returns `ErrDuplicateEntry` | +| `TestDelete_Success` | Entry removed; YAML regenerated | +| `TestDelete_NotFound_Error` | Returns `ErrWhitelistNotFound` | +| `TestList_Empty` | Returns empty slice | +| `TestList_Populated` | Returns all entries ordered by `created_at` | +| `TestWriteYAML_EmptyList` | Writes valid YAML with empty `ip: []` and `cidr: []` | +| `TestWriteYAML_MixedEntries` | IPs in `ip:` block; CIDRs in `cidr:` block | +| `TestWriteYAML_EmptyDataDir_NoOp` | `dataDir == ""` → returns `nil`, no file written | + +**Task 8.2 — Handler unit tests** (using in-memory SQLite + `mockAuthMiddleware`): + +| Test | Scenario | +|---|---| +| `TestListWhitelists_200` | Returns 200 with entries array | +| `TestAddWhitelist_201` | Valid payload → 201 | +| `TestAddWhitelist_400_MissingField` | Empty body → 400 | +| `TestAddWhitelist_400_InvalidIP` | Malformed IP → 400 | +| `TestAddWhitelist_409_Duplicate` | Duplicate → 409 | +| `TestDeleteWhitelist_204` | Valid UUID → 204 | +| `TestDeleteWhitelist_404` | Unknown UUID → 404 | + +**Task 8.3 — E2E Playwright tests** (`tests/crowdsec-whitelist.spec.ts`): ```typescript import { test, expect } from '@playwright/test' -test.describe('Certificate Coverage Smoke', () => { - test('export dialog opens when export button clicked', async ({ page }) => { - await page.goto('/') - // navigate to Certificates, click export on a cert - // assert dialog visible +test.describe('CrowdSec Whitelist Management', () => { + test.beforeEach(async ({ page }) => { + await page.goto('http://localhost:8080') + await page.getByRole('link', { name: 'Security' }).click() + await page.getByRole('tab', { name: 'CrowdSec' }).click() + await page.getByRole('tab', { name: 'Whitelist' }).click() }) - test('delete dialog opens for deletable certificate', async ({ page }) => { - await page.goto('/') - // assert delete confirmation dialog appears + test('Whitelist tab only visible in local mode', async ({ page }) => { + await page.goto('http://localhost:8080') + await page.getByRole('link', { name: 'Security' }).click() + await page.getByRole('tab', { name: 'CrowdSec' }).click() + // When CrowdSec is not in local mode, the Whitelist tab must not exist + await expect(page.getByRole('tab', { name: 'Whitelist' })).toBeHidden() + }) + + test('displays empty state when no entries exist', async ({ page }) => { + await expect(page.getByText('No whitelist entries')).toBeVisible() + }) + + test('adds a valid IP address', async ({ page }) => { + await page.getByRole('textbox', { name: 'IP or CIDR' }).fill('203.0.113.5') + await page.getByRole('textbox', { name: 'Reason' }).fill('Uptime monitor') + await page.getByRole('button', { name: 'Add' }).click() + await expect(page.getByText('Whitelist entry added')).toBeVisible() + await expect(page.getByRole('cell', { name: '203.0.113.5' })).toBeVisible() + }) + + test('adds a valid CIDR range', async ({ page }) => { + await page.getByRole('textbox', { name: 'IP or CIDR' }).fill('10.0.0.0/8') + await page.getByRole('textbox', { name: 'Reason' }).fill('Internal subnet') + await page.getByRole('button', { name: 'Add' }).click() + await expect(page.getByText('Whitelist entry added')).toBeVisible() + await expect(page.getByRole('cell', { name: '10.0.0.0/8' })).toBeVisible() + }) + + test('"Add My IP" button pre-fills the detected client IP', async ({ page }) => { + await page.getByRole('button', { name: 'Add My IP' }).click() + const ipField = page.getByRole('textbox', { name: 'IP or CIDR' }) + const value = await ipField.inputValue() + // Value must be a non-empty valid IP + expect(value).toMatch(/^[\d.]+$|^[0-9a-fA-F:]+$/) + }) + + test('shows validation error for invalid input', async ({ page }) => { + await page.getByRole('textbox', { name: 'IP or CIDR' }).fill('not-an-ip') + await page.getByRole('button', { name: 'Add' }).click() + await expect(page.getByText('Invalid IP address or CIDR notation')).toBeVisible() + }) + + test('removes an entry via delete confirmation', async ({ page }) => { + // Seed an entry first + await page.getByRole('textbox', { name: 'IP or CIDR' }).fill('198.51.100.1') + await page.getByRole('button', { name: 'Add' }).click() + await expect(page.getByRole('cell', { name: '198.51.100.1' })).toBeVisible() + + // Delete it + await page.getByRole('row', { name: /198\.51\.100\.1/ }).getByRole('button', { name: 'Delete' }).click() + await page.getByRole('button', { name: 'Confirm' }).click() + await expect(page.getByText('Whitelist entry removed')).toBeVisible() + await expect(page.getByRole('cell', { name: '198.51.100.1' })).toBeHidden() }) }) ``` -### Phase 2: Backend — Handler Tests +--- -**File**: `backend/internal/api/handlers/certificate_handler_patch_coverage_test.go` -**Action**: Append all tests from sections 3.1–3.6. +### Phase 9 — Documentation -Setup pattern for handler tests: +**Files Changed**: +- `ARCHITECTURE.md` +- `docs/features/crowdsec-whitelist.md` _(new file, optional for this PR)_ -```go -func setupCertHandlerTest(t *testing.T) (*gin.Engine, *CertificateHandler, *gorm.DB) { - t.Helper() - db, err := gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{}) - require.NoError(t, err) - require.NoError(t, db.AutoMigrate(&models.SSLCertificate{}, &models.User{}, &models.ProxyHost{})) - tmpDir := t.TempDir() - certSvc := services.NewCertificateService(tmpDir, db, nil) - backup := &mockBackupService{ - availableSpaceFunc: func() (int64, error) { return 1 << 30, nil }, - createFunc: func(string) (string, error) { return "/tmp/backup.db", nil }, - } - h := NewCertificateHandler(certSvc, backup, nil) - h.SetDB(db) - r := gin.New() - r.Use(mockAuthMiddleware()) - h.RegisterRoutes(r.Group("/api")) - return r, h, db -} -``` - -For `TestExport_IncludeKey_*` tests: inject user into gin context directly using a custom middleware wrapper that sets `"user"` (type `map[string]any`, field `"id"`) to the desired value. - -### Phase 3: Backend — Service Tests - -**File**: `backend/internal/services/certificate_service_patch_coverage_test.go` -**Action**: Append all tests from sections 3.7–3.13. - -Setup pattern: - -```go -func newTestSvc(t *testing.T) (*CertificateService, *gorm.DB, string) { - t.Helper() - db, err := gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{}) - require.NoError(t, err) - require.NoError(t, db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})) - tmpDir := t.TempDir() - return NewCertificateService(tmpDir, db, nil), db, tmpDir -} -``` - -For `TestMigratePrivateKeys_WithRows`: use `db.Exec("INSERT INTO ssl_certificates (..., private_key) VALUES (...)` raw SQL to bypass GORM's `gorm:"-"` tag. - -### Phase 4: Backend — Validator Tests - -**File**: `backend/internal/services/certificate_validator_patch_coverage_test.go` (new) - -Key helpers needed: - -```go -// generatePKCS1RSAKeyPEM returns an RSA key in PKCS#1 "RSA PRIVATE KEY" PEM format. -func generatePKCS1RSAKeyPEM(t *testing.T) []byte { - key, err := rsa.GenerateKey(rand.Reader, 2048) - require.NoError(t, err) - return pem.EncodeToMemory(&pem.Block{ - Type: "RSA PRIVATE KEY", - Bytes: x509.MarshalPKCS1PrivateKey(key), - }) -} - -// generateECKeyPEM returns an EC key in "EC PRIVATE KEY" (SEC1) PEM format. -func generateECKeyPEM(t *testing.T, curve elliptic.Curve) []byte { - key, err := ecdsa.GenerateKey(curve, rand.Reader) - require.NoError(t, err) - b, err := x509.MarshalECPrivateKey(key) - require.NoError(t, err) - return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b}) -} -``` - -### Phase 5: Backend — Proxy Host Handler Tests - -**File**: `backend/internal/api/handlers/proxy_host_handler_patch_coverage_test.go` (new) - -Setup pattern mirrors existing `proxy_host_handler_test.go` — use in-memory SQLite, `mockAuthMiddleware`, and `mockCaddyManager` (already available via test hook vars). - -### Phase 6: Frontend Tests - -**Files**: -- `frontend/src/components/__tests__/CertificateList.test.tsx` -- `frontend/src/components/dialogs/__tests__/CertificateUploadDialog.test.tsx` - -Use existing mock structure; add new `it(...)` blocks inside existing `describe` blocks. - -Frontend bulk delete success test pattern: - -```typescript -it('calls bulkDeleteMutation.mutate with selected UUIDs on confirm', async () => { - const bulkDeleteFn = vi.fn() - mockUseBulkDeleteCertificates.mockReturnValue({ - mutate: bulkDeleteFn, - isPending: false, - }) - render() - // select checkboxes, click bulk delete, confirm dialog - expect(bulkDeleteFn).toHaveBeenCalledWith(['uuid-1', 'uuid-2']) -}) -``` - -### Phase 7: Validation - -1. `cd /projects/Charon && bash scripts/go-test-coverage.sh` -2. `cd /projects/Charon && bash scripts/frontend-test-coverage.sh` -3. `bash scripts/local-patch-report.sh` → verify `test-results/local-patch-report.md` shows ≥ 90% -4. `bash scripts/scan-gorm-security.sh --check` → zero CRITICAL/HIGH +**Task 9.1**: Update the CrowdSec row in the Cerberus security components table in `ARCHITECTURE.md` to mention whitelist management. --- -## 5. Commit Slicing Strategy +## 5. Acceptance Criteria -**Decision**: One PR with 5 ordered, independently-reviewable commits. +### Functional -**Rationale**: Four packages touched across two build systems (Go + Node). Atomic commits allow targeted revert if a mock approach proves brittle for a specific file, without rolling back unrelated coverage gains. +- [ ] Operator can add a bare IPv4 address (e.g., `203.0.113.5`) to the whitelist. +- [ ] Operator can add a bare IPv6 address (e.g., `2001:db8::1`) to the whitelist. +- [ ] Operator can add a CIDR range (e.g., `10.0.0.0/8`) to the whitelist. +- [ ] Adding an invalid IP/CIDR (e.g., `not-an-ip`) returns a 400 error with a clear message. +- [ ] Adding a duplicate entry returns a 409 conflict error. +- [ ] Operator can delete an entry; it disappears from the list. +- [ ] The Whitelist tab is only visible when CrowdSec is in `local` mode. +- [ ] After adding or deleting an entry, the whitelist YAML file is regenerated in `/config/parsers/s02-enrich/charon-whitelist.yaml`. +- [ ] Adding or removing a whitelist entry triggers `cscli hub reload` via `h.CmdExec` so changes take effect immediately without a container restart. +- [ ] On container restart, the YAML file is regenerated from DB entries before CrowdSec starts. +- [ ] **Admin IP protection**: The "Add My IP" button pre-fills the operator's current IP in the `ip_or_cidr` field; a Playwright E2E test verifies the button correctly pre-fills the detected client IP. -| # | Scope | Files | Dependencies | Validation Gate | -|---|---|---|---|---| -| **Commit 1** | Handler re-auth + delete + file-open errors | `certificate_handler_patch_coverage_test.go` (extend) | None | `go test ./backend/internal/api/handlers/...` | -| **Commit 2** | Service SyncFromDisk, ListCerts, GetDecryptedKey, Migrate, Update, Delete, CheckExpiring | `certificate_service_patch_coverage_test.go` (extend) | None | `go test ./backend/internal/services/...` | -| **Commit 3** | Validator DetectFormat, parsePEMPrivateKey, detectKeyType, ConvertPEMToPFX/DER, formatSerial | `certificate_validator_patch_coverage_test.go` (new) | Commit 2 not required (separate file) | `go test ./backend/internal/services/...` | -| **Commit 4** | Proxy host warnings + BulkUpdateSecurityHeaders edge cases | `proxy_host_handler_patch_coverage_test.go` (new) | None | `go test ./backend/internal/api/handlers/...` | -| **Commit 5** | Frontend CertificateList + CertificateUploadDialog | `CertificateList.test.tsx`, `CertificateUploadDialog.test.tsx` (extend) | None | `npm run test` | +### Technical -**Rollback**: Any commit is safe to revert independently — all changes are additive test-only files. - -**Contingency**: If the `Export` handler's re-auth tests require gin context injection that the current router wiring doesn't support cleanly, use a sub-router with a custom test middleware that pre-populates `"user"` (`map[string]any{"id": uint(1)}`) with the specific value under test, bypassing `mockAuthMiddleware` for those cases only. +- [ ] `go test ./backend/...` passes — no regressions. +- [ ] `pnpm test` (Vitest) passes. +- [ ] `make lint-fast` clean — no new lint findings. +- [ ] GORM Security Scanner returns zero CRITICAL/HIGH findings. +- [ ] Playwright E2E suite passes (Firefox, `--project=firefox`). +- [ ] `crowdsecurity/whitelists` parser is installed by `install_hub_items.sh`. --- -## 6. Acceptance Criteria +## 6. Commit Slicing Strategy -- [ ] `go test -race ./backend/...` — all tests pass, no data races -- [ ] Backend patch coverage ≥ 90% for all modified Go files per `test-results/local-patch-report.md` -- [ ] `npm run test` — all Vitest tests pass -- [ ] Frontend patch coverage ≥ 90% for `CertificateList.tsx` and `CertificateUploadDialog.tsx` -- [ ] GORM security scan: zero CRITICAL/HIGH findings -- [ ] No new `//nolint` or `//nosec` directives introduced -- [ ] No source file modifications — test files only -- [ ] All new Go test names follow `TestFunctionName_Scenario` convention -- [ ] Previous spec archived to `docs/plans/archive/` +**Decision**: Single PR with ordered logical commits. No scope overlap between commits; each commit leaves the codebase in a compilable state. + +**Trigger reasons**: Cross-domain change (infra script + model + service + handler + startup + frontend) benefits from ordered commits for surgical rollback and focused review. + +| # | Type | Commit Message | Files | Depends On | Validation Gate | +|---|---|---|---|---|---| +| 1 | `chore` | `install crowdsecurity/whitelists parser by default` | `configs/crowdsec/install_hub_items.sh` | — | `shellcheck` | +| 2 | `feat` | `add CrowdSecWhitelist model and automigrate registration` | `backend/internal/models/crowdsec_whitelist.go`, `backend/internal/api/routes/routes.go` | #1 | `go build ./backend/...` | +| 3 | `feat` | `add CrowdSecWhitelistService with YAML generation` | `backend/internal/services/crowdsec_whitelist_service.go` | #2 | `go test ./backend/internal/services/...` | +| 4 | `feat` | `add whitelist API endpoints to CrowdsecHandler` | `backend/internal/api/handlers/crowdsec_handler.go` | #3 | `go test ./backend/...` + `make lint-fast` | +| 5 | `feat` | `regenerate whitelist YAML on CrowdSec startup reconcile` | `backend/internal/services/crowdsec_startup.go` | #3 | `go test ./backend/internal/services/...` | +| 6 | `feat` | `add whitelist API client functions and TanStack hooks` | `frontend/src/api/crowdsec.ts`, `frontend/src/hooks/useCrowdSecWhitelist.ts` | #4 | `pnpm test` | +| 7 | `feat` | `add Whitelist tab to CrowdSecConfig UI` | `frontend/src/pages/CrowdSecConfig.tsx` | #6 | `pnpm test` + `make lint-fast` | +| 8 | `test` | `add whitelist service and handler unit tests` | `*_test.go` files | #4 | `go test ./backend/...` | +| 9 | `test` | `add E2E tests for CrowdSec whitelist management` | `tests/crowdsec-whitelist.spec.ts` | #7 | Playwright Firefox | +| 10 | `docs` | `update architecture docs for CrowdSec whitelist feature` | `ARCHITECTURE.md` | #7 | `make lint-fast` | + +**Rollback notes**: +- Commits 1–3 are pure additions (no existing code modified except the `AutoMigrate` list append in commit 2 and `install_hub_items.sh` in commit 1). Reverting them is safe. +- Commit 4 modifies `crowdsec_handler.go` by adding fields and methods without altering existing ones; reverting is mechanical. +- Commit 5 modifies `crowdsec_startup.go` — the added block is isolated in a clearly marked section; revert is a 5-line removal. +- Commits 6–7 are frontend-only; reverting has no backend impact. --- -## 7. Estimated Coverage Impact +## 7. Open Questions / Risks -| File | Current | Estimated After | Lines Recovered | -|---|---|---|---| -| `certificate_handler.go` | 70.28% | ~85% | ~42 lines | -| `certificate_service.go` | 82.85% | ~92% | ~44 lines | -| `certificate_validator.go` | 88.68% | ~96% | ~18 lines | -| `proxy_host_handler.go` | 55.17% | ~60% | ~8 lines | -| `CertificateList.tsx` | moderate | high | ~15 lines | -| `CertificateUploadDialog.tsx` | moderate | high | ~12 lines | -| **Overall patch** | **85.61%** | **≥ 90%** | **~139 lines** | +| Risk | Likelihood | Mitigation | +|---|---|---| +| CrowdSec does not hot-reload parser files — requires `cscli reload` or process restart | Resolved | `cscli hub reload` is called via `h.CmdExec.Execute(...)` in `AddWhitelist` and `DeleteWhitelist` after each successful `WriteYAML()`. Failure is non-fatal; logged as a warning. | +| `crowdsecurity/whitelists` parser path may differ across CrowdSec versions | Low | Use `/config/parsers/s02-enrich/` which is the canonical path; add a note to verify on version upgrades | +| Large whitelist files could cause CrowdSec performance issues | Very Low | Reasonable for typical use; document a soft limit recommendation (< 500 entries) in the UI | +| `dataDir` empty string in tests | Resolved | Guard added to `WriteYAML`: `if s.dataDir == "" { return nil }` — no-op when `dataDir` is unset | +| `CROWDSEC_TRUSTED_IPS` env var seeding | — | **Follow-up / future enhancement** (not in scope for this PR): if `CROWDSEC_TRUSTED_IPS` is set at runtime, parse comma-separated IPs and include them as read-only seed entries in the generated YAML (separate from DB-managed entries). Document in a follow-up issue. | -> **Note**: Proxy host handler remains below 90% after this plan because the `Create`/`Update`/`Delete` handler paths require full Caddy manager mock integration. A follow-up plan should address these with a dedicated `mockCaddyManager` interface. diff --git a/docs/reports/qa_report_crowdsec_whitelist_2026-04-16.md b/docs/reports/qa_report_crowdsec_whitelist_2026-04-16.md new file mode 100644 index 00000000..8bd230e6 --- /dev/null +++ b/docs/reports/qa_report_crowdsec_whitelist_2026-04-16.md @@ -0,0 +1,226 @@ +# QA Audit Report — CrowdSec IP Whitelist Management + +**Feature Branch**: `feature/beta-release` +**Pull Request**: #952 +**Repository**: Wikid82/Charon +**Audit Date**: 2026-04-16 +**Auditor**: QA Security Agent + +--- + +## Overall Verdict + +### APPROVED WITH CONDITIONS + +The CrowdSec IP Whitelist Management feature passes all critical quality and security gates. All feature-specific E2E tests pass across three browsers. Backend and frontend coverage exceed thresholds. No security vulnerabilities were found in the feature code. Two upstream HIGH CVEs in the Docker image and below-threshold overall patch coverage require tracking but do not block the release. + +--- + +## Gate Results Summary + +| # | Gate | Result | Detail | +|---|------|--------|--------| +| 1 | Playwright E2E | **PASS** | All CrowdSec whitelist tests passed; 14 pre-existing failures (unrelated) | +| 2 | Go Backend Coverage | **PASS** | 88.4% line coverage (threshold: 87%) | +| 3 | Frontend Coverage | **PASS** | 90.06% line coverage (threshold: 87%) | +| 4 | Patch Coverage | **WARN** | Overall 89.4% (threshold: 90%); Backend 88.0% PASS; Frontend 97.0% PASS | +| 5 | TypeScript Type Check | **PASS** | `npx tsc --noEmit` — 0 errors | +| 6 | Lefthook (Lint/Format) | **PASS** | All 6 hooks green | +| 7 | GORM Security Scan | **PASS** | 0 CRITICAL/HIGH/MEDIUM issues | +| 8 | Trivy Filesystem Scan | **PASS** | 0 CRITICAL/HIGH vulnerabilities | +| 9 | Trivy Docker Image Scan | **WARN** | 2 unique HIGH CVEs (upstream dependencies) | +| 10 | CodeQL SARIF Review | **PASS** | 1 pre-existing Go finding; 0 JS findings; 0 whitelist-related | + +--- + +## Detailed Gate Analysis + +### Gate 1 — Playwright E2E Tests + +**Result**: PASS +**Browsers**: Chromium, Firefox, WebKit (all three) + +**CrowdSec Whitelist-Specific Tests (10 tests)**: All PASSED +- Add whitelist entry with valid IP +- Add whitelist entry with valid CIDR +- Reject invalid IP/CIDR input +- Reject duplicate entry +- Delete whitelist entry +- Display whitelist table with entries +- Empty state display +- Whitelist tab visibility (local mode only) +- Form validation and error handling +- Toast notification on success/failure + +**Pre-existing Failures (14 unique, unrelated to this feature)**: +- Certificate deletion tests (7): cert delete/bulk-delete operations +- Caddy import tests (3): conflict details, server detection, resolution +- Navigation test (1): main navigation item count +- User management tests (2): invite link copy, keyboard navigation +- Integration test (1): system health check + +None of the pre-existing failures are related to the CrowdSec whitelist feature. + +### Gate 2 — Go Backend Coverage + +**Result**: PASS +**Coverage**: 88.4% line coverage +**Threshold**: 87% + +### Gate 3 — Frontend Coverage + +**Result**: PASS +**Coverage**: 90.06% line coverage (Statements: 89.03%, Branches: 85.84%, Functions: 85.85%) +**Threshold**: 87% + +5 pre-existing test timeouts in `ProxyHostForm-dns.test.tsx` and `ProxyHostForm-dropdown-changes.test.tsx` — not whitelist-related. + +### Gate 4 — Patch Coverage + +**Result**: WARN (non-blocking) + +| Scope | Changed Lines | Covered | Patch % | Status | +|-------|--------------|---------|---------|--------| +| Overall | 1689 | 1510 | 89.4% | WARN (threshold: 90%) | +| Backend | 1426 | 1255 | 88.0% | PASS (threshold: 85%) | +| Frontend | 263 | 255 | 97.0% | PASS (threshold: 85%) | + +**CrowdSec-Specific Patch Coverage**: +- `crowdsec_handler.go`: 71.2% — 17 uncovered changed lines (error-handling branches) +- `crowdsec_whitelist_service.go`: 83.6% — 18 uncovered changed lines (YAML write failure, edge cases) +- `CrowdSecConfig.tsx`: 93.3% — 2 uncovered changed lines + +**Recommendation**: Add targeted unit tests for error-handling branches in `crowdsec_handler.go` (lines 2712-2772) and `crowdsec_whitelist_service.go` (lines 47-148) to bring CrowdSec-specific patch coverage above 90%. This is tracked as a follow-up improvement and does not block release. + +### Gate 5 — TypeScript Type Check + +**Result**: PASS +`npx tsc --noEmit` from `frontend/` completed with 0 errors. + +### Gate 6 — Lefthook (Lint/Format) + +**Result**: PASS +All 6 hooks passed: +- `go-fmt` +- `go-vet` +- `go-staticcheck` +- `eslint` +- `prettier-check` +- `tsc-check` + +### Gate 7 — GORM Security Scan + +**Result**: PASS +`./scripts/scan-gorm-security.sh --check` — 0 CRITICAL, 0 HIGH, 0 MEDIUM issues. +No exposed IDs, secrets, or DTO embedding violations in CrowdSec whitelist models. + +### Gate 8 — Trivy Filesystem Scan + +**Result**: PASS +`trivy fs --scanners vuln --severity CRITICAL,HIGH --format table .` — 0 vulnerabilities detected in application source and dependencies. + +### Gate 9 — Trivy Docker Image Scan + +**Result**: WARN (non-blocking for this feature) +Image: `charon:local` (Alpine 3.23.3) + +| CVE | Severity | Package | Installed | Fixed | Component | +|-----|----------|---------|-----------|-------|-----------| +| CVE-2026-34040 | HIGH | github.com/docker/docker | v28.5.2+incompatible | 29.3.1 | Charon Go binary (Moby authorization bypass) | +| CVE-2026-32286 | HIGH | github.com/jackc/pgproto3/v2 | v2.3.3 | No fix | CrowdSec binaries (PostgreSQL protocol DoS) | + +**Analysis**: +- CVE-2026-34040: Moby authorization bypass — affects Docker API access control. Charon does not expose Docker API to untrusted networks. Low practical risk. Update `github.com/docker/docker` to v29.3.1 when available. +- CVE-2026-32286: PostgreSQL protocol DoS — present only in CrowdSec's `crowdsec` and `cscli` binaries, not in Charon's own code. Awaiting upstream fix from CrowdSec. + +**Recommendation**: Track both CVEs for remediation. Neither impacts CrowdSec whitelist management functionality or Charon's own security posture directly. + +### Gate 10 — CodeQL SARIF Review + +**Result**: PASS + +- **Go**: 1 pre-existing finding — `cookie-secure-not-set` at `auth_handler.go:152`. Not whitelist-related. Tracked separately. +- **JavaScript**: 0 findings. +- **CrowdSec whitelist**: 0 findings across both Go and JavaScript. + +--- + +## Security Review — CrowdSec IP Whitelist Feature + +### 1. IP/CIDR Input Validation + +**Status**: SECURE + +The `normalizeIPOrCIDR()` function in `crowdsec_whitelist_service.go` uses Go standard library functions `net.ParseIP()` and `net.ParseCIDR()` for validation. Invalid inputs are rejected with the sentinel error `ErrInvalidIPOrCIDR`. No user input passes through without validation. + +### 2. YAML Injection Prevention + +**Status**: SECURE + +`buildWhitelistYAML()` uses a `strings.Builder` to construct YAML output. Only IP addresses and CIDR ranges that have already passed `normalizeIPOrCIDR()` validation are included. The normalized output from `net.ParseIP`/`net.ParseCIDR` cannot contain YAML metacharacters. + +### 3. Path Traversal Protection + +**Status**: SECURE + +`WriteYAML()` uses hardcoded file paths (no user input in path construction). Atomic write pattern: writes to `.tmp` suffix, then `os.Rename()` to final path. No directory traversal vectors. + +### 4. SQL Injection Prevention + +**Status**: SECURE + +All GORM queries use parameterized operations: +- `Where("uuid = ?", id)` for delete +- `Where("ip_or_cidr = ?", normalized)` for duplicate check +- Standard GORM `Create()` for inserts + +No raw SQL or string concatenation. + +### 5. Authentication & Authorization + +**Status**: SECURE + +All whitelist routes are registered under the admin route group in `routes.go`, which is protected by: +- Cerberus middleware (authentication/authorization enforcement) +- Emergency bypass middleware (for recovery scenarios only) +- Security headers and gzip middleware + +No unauthenticated access to whitelist endpoints is possible. + +### 6. Log Safety + +**Status**: SECURE + +Whitelist service logs only operational error context (e.g., "failed to write CrowdSec whitelist YAML after add"). No IP addresses, user data, or PII are written to logs. Other handler code uses `util.SanitizeForLog()` for user-controlled input in log messages. + +--- + +## Conditions for Approval + +These items are tracked as follow-up improvements and do not block merge: + +1. **Patch Coverage Improvement**: Add targeted unit tests for error-handling branches in: + - `crowdsec_handler.go` (lines 2712-2772, 71.2% patch coverage) + - `crowdsec_whitelist_service.go` (lines 47-148, 83.6% patch coverage) + +2. **Upstream CVE Tracking**: + - CVE-2026-34040: Update `github.com/docker/docker` to v29.3.1 when Go module is available + - CVE-2026-32286: Monitor CrowdSec upstream for `pgproto3` fix + +3. **Pre-existing Test Failures**: 14 pre-existing E2E test failures (certificate deletion, caddy import, navigation, user management) should be tracked in existing issues. None are regressions from this feature. + +--- + +## Artifacts + +| Artifact | Location | +|----------|----------| +| Playwright HTML Report | `playwright-report/index.html` | +| Backend Coverage | `backend/coverage.txt` | +| Frontend Coverage | `frontend/coverage/lcov.info`, `frontend/coverage/coverage-summary.json` | +| Patch Coverage Report | `test-results/local-patch-report.md`, `test-results/local-patch-report.json` | +| GORM Security Scan | Inline (0 findings) | +| Trivy Filesystem Scan | Inline (0 findings) | +| Trivy Image Scan | `trivy-image-report.json` | +| CodeQL Go SARIF | `codeql-results-go.sarif` | +| CodeQL JS SARIF | `codeql-results-javascript.sarif` | diff --git a/frontend/package-lock.json b/frontend/package-lock.json index c9939649..fd26856f 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -14,19 +14,19 @@ "@radix-ui/react-select": "^2.2.6", "@radix-ui/react-tabs": "^1.1.13", "@radix-ui/react-tooltip": "^1.2.8", - "@tanstack/react-query": "^5.99.0", - "axios": "1.15.0", + "@tanstack/react-query": "^5.99.2", + "axios": "1.15.1", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", "date-fns": "^4.1.0", - "i18next": "^26.0.5", + "i18next": "^26.0.6", "i18next-browser-languagedetector": "^8.2.1", "lucide-react": "^1.8.0", "react": "^19.2.5", "react-dom": "^19.2.5", "react-hook-form": "^7.72.1", "react-hot-toast": "^2.6.0", - "react-i18next": "^17.0.3", + "react-i18next": "^17.0.4", "react-router-dom": "^7.14.1", "recharts": "^3.8.1", "tailwind-merge": "^3.5.0", @@ -55,27 +55,27 @@ "@vitest/eslint-plugin": "^1.6.16", "@vitest/ui": "^4.1.4", "autoprefixer": "^10.5.0", - "eslint": "^10.2.0", + "eslint": "^10.2.1", "eslint-import-resolver-typescript": "^4.4.4", "eslint-plugin-import-x": "^4.16.2", "eslint-plugin-jsx-a11y": "^6.10.2", "eslint-plugin-no-unsanitized": "^4.1.5", "eslint-plugin-promise": "^7.2.1", "eslint-plugin-react-compiler": "^19.1.0-rc.2", - "eslint-plugin-react-hooks": "^7.0.1", + "eslint-plugin-react-hooks": "^7.1.1", "eslint-plugin-react-refresh": "^0.5.2", "eslint-plugin-security": "^4.0.0", - "eslint-plugin-sonarjs": "^4.0.2", + "eslint-plugin-sonarjs": "^4.0.3", "eslint-plugin-testing-library": "^7.16.2", "eslint-plugin-unicorn": "^64.0.0", "eslint-plugin-unused-imports": "^4.4.1", "jsdom": "29.0.2", - "knip": "^6.4.1", + "knip": "^6.5.0", "postcss": "^8.5.10", "tailwindcss": "^4.2.2", - "typescript": "^6.0.2", + "typescript": "^6.0.3", "typescript-eslint": "^8.58.2", - "vite": "^8.0.8", + "vite": "^8.0.9", "vitest": "^4.1.4", "zod-validation-error": "^5.0.0" } @@ -101,14 +101,15 @@ } }, "node_modules/@asamuzakjp/css-color": { - "version": "5.1.10", - "resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-5.1.10.tgz", - "integrity": "sha512-02OhhkKtgNRuicQ/nF3TRnGsxL9wp0r3Y7VlKWyOHHGmGyvXv03y+PnymU8FKFJMTjIr1Bk8U2g1HWSLrpAHww==", + "version": "5.1.11", + "resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-5.1.11.tgz", + "integrity": "sha512-KVw6qIiCTUQhByfTd78h2yD1/00waTmm9uy/R7Ck/ctUyAPj+AEDLkQIdJW0T8+qGgj3j5bpNKK7Q3G+LedJWg==", "dev": true, "license": "MIT", "dependencies": { - "@csstools/css-calc": "^3.1.1", - "@csstools/css-color-parser": "^4.0.2", + "@asamuzakjp/generational-cache": "^1.0.1", + "@csstools/css-calc": "^3.2.0", + "@csstools/css-color-parser": "^4.1.0", "@csstools/css-parser-algorithms": "^4.0.0", "@csstools/css-tokenizer": "^4.0.0" }, @@ -117,12 +118,13 @@ } }, "node_modules/@asamuzakjp/dom-selector": { - "version": "7.0.9", - "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.0.9.tgz", - "integrity": "sha512-r3ElRr7y8ucyN2KdICwGsmj19RoN13CLCa/pvGydghWK6ZzeKQ+TcDjVdtEZz2ElpndM5jXw//B9CEee0mWnVg==", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.1.1.tgz", + "integrity": "sha512-67RZDnYRc8H/8MLDgQCDE//zoqVFwajkepHZgmXrbwybzXOEwOWGPYGmALYl9J2DOLfFPPs6kKCqmbzV895hTQ==", "dev": true, "license": "MIT", "dependencies": { + "@asamuzakjp/generational-cache": "^1.0.1", "@asamuzakjp/nwsapi": "^2.3.9", "bidi-js": "^1.0.3", "css-tree": "^3.2.1", @@ -132,6 +134,16 @@ "node": "^20.19.0 || ^22.12.0 || >=24.0.0" } }, + "node_modules/@asamuzakjp/generational-cache": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@asamuzakjp/generational-cache/-/generational-cache-1.0.1.tgz", + "integrity": "sha512-wajfB8KqzMCN2KGNFdLkReeHncd0AslUSrvHVvvYWuU8ghncRJoA50kT3zP9MVL0+9g4/67H+cdvBskj9THPzg==", + "dev": true, + "license": "MIT", + "engines": { + "node": "^20.19.0 || ^22.12.0 || >=24.0.0" + } + }, "node_modules/@asamuzakjp/nwsapi": { "version": "2.3.9", "resolved": "https://registry.npmjs.org/@asamuzakjp/nwsapi/-/nwsapi-2.3.9.tgz", @@ -1102,29 +1114,43 @@ "license": "MIT" }, "node_modules/@humanfs/core": { - "version": "0.19.1", - "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz", - "integrity": "sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==", + "version": "0.19.2", + "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.2.tgz", + "integrity": "sha512-UhXNm+CFMWcbChXywFwkmhqjs3PRCmcSa/hfBgLIb7oQ5HNb1wS0icWsGtSAUNgefHeI+eBrA8I1fxmbHsGdvA==", "dev": true, "license": "Apache-2.0", + "dependencies": { + "@humanfs/types": "^0.15.0" + }, "engines": { "node": ">=18.18.0" } }, "node_modules/@humanfs/node": { - "version": "0.16.7", - "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.7.tgz", - "integrity": "sha512-/zUx+yOsIrG4Y43Eh2peDeKCxlRt/gET6aHfaKpuq267qXdYDFViVHfMaLyygZOnl0kGWxFIgsBy8QFuTLUXEQ==", + "version": "0.16.8", + "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.8.tgz", + "integrity": "sha512-gE1eQNZ3R++kTzFUpdGlpmy8kDZD/MLyHqDwqjkVQI0JMdI1D51sy1H958PNXYkM2rAac7e5/CnIKZrHtPh3BQ==", "dev": true, "license": "Apache-2.0", "dependencies": { - "@humanfs/core": "^0.19.1", + "@humanfs/core": "^0.19.2", + "@humanfs/types": "^0.15.0", "@humanwhocodes/retry": "^0.4.0" }, "engines": { "node": ">=18.18.0" } }, + "node_modules/@humanfs/types": { + "version": "0.15.0", + "resolved": "https://registry.npmjs.org/@humanfs/types/-/types-0.15.0.tgz", + "integrity": "sha512-ZZ1w0aoQkwuUuC7Yf+7sdeaNfqQiiLcSRbfI08oAxqLtpXQr9AIVX7Ay7HLDuiLYAaFPu8oBYNq/QIi9URHJ3Q==", + "dev": true, + "license": "Apache-2.0", + "engines": { + "node": ">=18.18.0" + } + }, "node_modules/@humanwhocodes/module-importer": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz", @@ -1281,9 +1307,9 @@ } }, "node_modules/@oxc-parser/binding-android-arm-eabi": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.121.0.tgz", - "integrity": "sha512-n07FQcySwOlzap424/PLMtOkbS7xOu8nsJduKL8P3COGHKgKoDYXwoAHCbChfgFpHnviehrLWIPX0lKGtbEk/A==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.126.0.tgz", + "integrity": "sha512-svyoHt25J4741QJ5aa4R+h0iiBeSRt63Lr3aAZcxy2c/NeSE1IfDeMnSij6rIg7EjxkdlXzz613wUjeCeilBNA==", "cpu": [ "arm" ], @@ -1298,9 +1324,9 @@ } }, "node_modules/@oxc-parser/binding-android-arm64": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.121.0.tgz", - "integrity": "sha512-/Dd1xIXboYAicw+twT2utxPD7bL8qh7d3ej0qvaYIMj3/EgIrGR+tSnjCUkiCT6g6uTC0neSS4JY8LxhdSU/sA==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.126.0.tgz", + "integrity": "sha512-hPEBRKgplp1mG9GkINFsr4JVMDNrGJLOqfDaadTWpAoTnzYR5Rmv8RMvB3hJZpiNvbk1aacopdHUP1pggMQ/cw==", "cpu": [ "arm64" ], @@ -1315,9 +1341,9 @@ } }, "node_modules/@oxc-parser/binding-darwin-arm64": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.121.0.tgz", - "integrity": "sha512-A0jNEvv7QMtCO1yk205t3DWU9sWUjQ2KNF0hSVO5W9R9r/R1BIvzG01UQAfmtC0dQm7sCrs5puixurKSfr2bRQ==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.126.0.tgz", + "integrity": "sha512-ccRpu9sdYmznePJQG5halhs0FW5tw5a8zRSoZXOzM1OjoeZ4jiRRruFiPclsD59edoVAK1l83dvfjWz1nQi6lg==", "cpu": [ "arm64" ], @@ -1332,9 +1358,9 @@ } }, "node_modules/@oxc-parser/binding-darwin-x64": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.121.0.tgz", - "integrity": "sha512-SsHzipdxTKUs3I9EOAPmnIimEeJOemqRlRDOp9LIj+96wtxZejF51gNibmoGq8KoqbT1ssAI5po/E3J+vEtXGA==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.126.0.tgz", + "integrity": "sha512-CHB4zVjNSKqx8Fw9pHowzQQnjjuq04i4Ng0Avj+DixlwhwAoMYqlFbocYIlbg+q3zOLGlm7vEHm83jqEMitnyg==", "cpu": [ "x64" ], @@ -1349,9 +1375,9 @@ } }, "node_modules/@oxc-parser/binding-freebsd-x64": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.121.0.tgz", - "integrity": "sha512-v1APOTkCp+RWOIDAHRoaeW/UoaHF15a60E8eUL6kUQXh+i4K7PBwq2Wi7jm8p0ymID5/m/oC1w3W31Z/+r7HQw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.126.0.tgz", + "integrity": "sha512-RQ3nEJdcDKBfBjmLJ3Vl1d0KQERPV1P8eUrnBm7+VTYyoaJSPLVFuPg1mlD1hk3n0/879VLFMfusFkBal4ssWQ==", "cpu": [ "x64" ], @@ -1366,9 +1392,9 @@ } }, "node_modules/@oxc-parser/binding-linux-arm-gnueabihf": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.121.0.tgz", - "integrity": "sha512-PmqPQuqHZyFVWA4ycr0eu4VnTMmq9laOHZd+8R359w6kzuNZPvmmunmNJ8ybkm769A0nCoVp3TJ6dUz7B3FYIQ==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.126.0.tgz", + "integrity": "sha512-onipc2wCDA7Bauzb4KK1mab0GsEDf4ujiIfWECdnmY/2LlzAoX3xdQRLAUyEDB1kn3yilHBrkmXDdHluyHXxiw==", "cpu": [ "arm" ], @@ -1383,9 +1409,9 @@ } }, "node_modules/@oxc-parser/binding-linux-arm-musleabihf": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.121.0.tgz", - "integrity": "sha512-vF24htj+MOH+Q7y9A8NuC6pUZu8t/C2Fr/kDOi2OcNf28oogr2xadBPXAbml802E8wRAVfbta6YLDQTearz+jw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.126.0.tgz", + "integrity": "sha512-5BuJJPohrV5NJ8lmcYOMbfRCUGoYH5J9HZHeuqOLwkHXWAuPMN3X1h8bC/2mWjmosdbfTtmyIdX3spS/TkqKNg==", "cpu": [ "arm" ], @@ -1400,9 +1426,9 @@ } }, "node_modules/@oxc-parser/binding-linux-arm64-gnu": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.121.0.tgz", - "integrity": "sha512-wjH8cIG2Lu/3d64iZpbYr73hREMgKAfu7fqpXjgM2S16y2zhTfDIp8EQjxO8vlDtKP5Rc7waZW72lh8nZtWrpA==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.126.0.tgz", + "integrity": "sha512-r2KApRgm2pOJaduRm6GOT8x0whcr67AyejNkSdzPt34GJ+Y3axcXN2mwlTs+8lfO/SSmpO5ZJGYiHYnxEE0jkw==", "cpu": [ "arm64" ], @@ -1417,9 +1443,9 @@ } }, "node_modules/@oxc-parser/binding-linux-arm64-musl": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.121.0.tgz", - "integrity": "sha512-qT663J/W8yQFw3dtscbEi9LKJevr20V7uWs2MPGTnvNZ3rm8anhhE16gXGpxDOHeg9raySaSHKhd4IGa3YZvuw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.126.0.tgz", + "integrity": "sha512-FQ+MMh7MT0Dr/u8+RWmWKlfoeWPQyHDbhhxJShJlYtROXXPHsRs9EvmQOZZ3sx4Nn7JU8NX+oyw2YzQ7anBJcA==", "cpu": [ "arm64" ], @@ -1434,9 +1460,9 @@ } }, "node_modules/@oxc-parser/binding-linux-ppc64-gnu": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.121.0.tgz", - "integrity": "sha512-mYNe4NhVvDBbPkAP8JaVS8lC1dsoJZWH5WCjpw5E+sjhk1R08wt3NnXYUzum7tIiWPfgQxbCMcoxgeemFASbRw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.126.0.tgz", + "integrity": "sha512-Wv/T8C98hRQhGTlx2XFyLn5raRMp9U1lOQD+YnXNgAr7wHbJJpZ8mDBU7Rw+M3WytGcGTFcr6kqgfyQeHVtLbQ==", "cpu": [ "ppc64" ], @@ -1451,9 +1477,9 @@ } }, "node_modules/@oxc-parser/binding-linux-riscv64-gnu": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.121.0.tgz", - "integrity": "sha512-+QiFoGxhAbaI/amqX567784cDyyuZIpinBrJNxUzb+/L2aBRX67mN6Jv40pqduHf15yYByI+K5gUEygCuv0z9w==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.126.0.tgz", + "integrity": "sha512-DHx1rT1zauW0ZbLHOiQh5AC9Xs3UkWx2XmfZHs+7nnWYr3sagrufoUQC+/XPwwjMIlCFXiFGM0sFh3TyOCZwqA==", "cpu": [ "riscv64" ], @@ -1468,9 +1494,9 @@ } }, "node_modules/@oxc-parser/binding-linux-riscv64-musl": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.121.0.tgz", - "integrity": "sha512-9ykEgyTa5JD/Uhv2sttbKnCfl2PieUfOjyxJC/oDL2UO0qtXOtjPLl7H8Kaj5G7p3hIvFgu3YWvAxvE0sqY+hQ==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.126.0.tgz", + "integrity": "sha512-umDc2mTShH0U2zcEYf8mIJ163seLJNn54ZUZYeI5jD4qlg9izPwoLrC2aNPKlMJTu6u/ysmQWiEvIiaAG+INkw==", "cpu": [ "riscv64" ], @@ -1485,9 +1511,9 @@ } }, "node_modules/@oxc-parser/binding-linux-s390x-gnu": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.121.0.tgz", - "integrity": "sha512-DB1EW5VHZdc1lIRjOI3bW/wV6R6y0xlfvdVrqj6kKi7Ayu2U3UqUBdq9KviVkcUGd5Oq+dROqvUEEFRXGAM7EQ==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.126.0.tgz", + "integrity": "sha512-PXXeWayclRtO1pxQEeCpiqIglQdhK2mAI2VX5xnsWdImzSB5GpoQ8TNw7vTCKk2k+GZuxl+q1knncidjCyUP9w==", "cpu": [ "s390x" ], @@ -1502,9 +1528,9 @@ } }, "node_modules/@oxc-parser/binding-linux-x64-gnu": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.121.0.tgz", - "integrity": "sha512-s4lfobX9p4kPTclvMiH3gcQUd88VlnkMTF6n2MTMDAyX5FPNRhhRSFZK05Ykhf8Zy5NibV4PbGR6DnK7FGNN6A==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.126.0.tgz", + "integrity": "sha512-wzocjxm34TbB3bFlqG65JiLtvf6ZDg2ZxRkLLbgXwDQUNU+0MPjQN8zy/0jBKNA5fnPLk3XeVdZ7Uin+7+CVkg==", "cpu": [ "x64" ], @@ -1519,9 +1545,9 @@ } }, "node_modules/@oxc-parser/binding-linux-x64-musl": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.121.0.tgz", - "integrity": "sha512-P9KlyTpuBuMi3NRGpJO8MicuGZfOoqZVRP1WjOecwx8yk4L/+mrCRNc5egSi0byhuReblBF2oVoDSMgV9Bj4Hw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.126.0.tgz", + "integrity": "sha512-e83uftP60jmkPs2+CW6T6A1GYzN2H6IumDAiTntv9WyHR73PI3ImHNBkYqnA3ukeKI3xjcCbhSh9QeJWmufxGQ==", "cpu": [ "x64" ], @@ -1536,9 +1562,9 @@ } }, "node_modules/@oxc-parser/binding-openharmony-arm64": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.121.0.tgz", - "integrity": "sha512-R+4jrWOfF2OAPPhj3Eb3U5CaKNAH9/btMveMULIrcNW/hjfysFQlF8wE0GaVBr81dWz8JLgQlsxwctoL78JwXw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.126.0.tgz", + "integrity": "sha512-4WiOILHnPrTDY2/L4mE6PZCYwLN1d3ghma6BuTJ452CCgzRMt3uFplCtR+o3r9zdUWJYb370UizpI9CUcWXr1A==", "cpu": [ "arm64" ], @@ -1553,9 +1579,9 @@ } }, "node_modules/@oxc-parser/binding-wasm32-wasi": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.121.0.tgz", - "integrity": "sha512-5TFISkPTymKvsmIlKasPVTPuWxzCcrT8pM+p77+mtQbIZDd1UC8zww4CJcRI46kolmgrEX6QpKO8AvWMVZ+ifw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.126.0.tgz", + "integrity": "sha512-Y17hhnrQTrxgAxAyAq401vnN9URsAL4s5AjqpG1NDsXSlhe1yBNnns+rC2P6xcMoitgX5nKH2ryYt9oiFRlzLw==", "cpu": [ "wasm32" ], @@ -1563,16 +1589,18 @@ "license": "MIT", "optional": true, "dependencies": { - "@napi-rs/wasm-runtime": "^1.1.1" + "@emnapi/core": "1.9.2", + "@emnapi/runtime": "1.9.2", + "@napi-rs/wasm-runtime": "^1.1.4" }, "engines": { "node": ">=14.0.0" } }, "node_modules/@oxc-parser/binding-win32-arm64-msvc": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.121.0.tgz", - "integrity": "sha512-V0pxh4mql4XTt3aiEtRNUeBAUFOw5jzZNxPABLaOKAWrVzSr9+XUaB095lY7jqMf5t8vkfh8NManGB28zanYKw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.126.0.tgz", + "integrity": "sha512-Znug1u1iRvT4VC3jANz6nhGBHsFwEFMxuimYpJFwMtsB6H5FcEoZRMmH26tHkSTD03JvDmG+gB65W3ajLjPcSw==", "cpu": [ "arm64" ], @@ -1587,9 +1615,9 @@ } }, "node_modules/@oxc-parser/binding-win32-ia32-msvc": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.121.0.tgz", - "integrity": "sha512-4Ob1qvYMPnlF2N9rdmKdkQFdrq16QVcQwBsO8yiPZXof0fHKFF+LmQV501XFbi7lHyrKm8rlJRfQ/M8bZZPVLw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.126.0.tgz", + "integrity": "sha512-qrw7mx5hFFTxVSXToOA40hpnjgNB/DJprZchtB4rDKNLKqkD3F26HbzaQeH1nxAKej0efSZfJd5Sw3qdtOLGhw==", "cpu": [ "ia32" ], @@ -1604,9 +1632,9 @@ } }, "node_modules/@oxc-parser/binding-win32-x64-msvc": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.121.0.tgz", - "integrity": "sha512-BOp1KCzdboB1tPqoCPXgntgFs0jjeSyOXHzgxVFR7B/qfr3F8r4YDacHkTOUNXtDgM8YwKnkf3rE5gwALYX7NA==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.126.0.tgz", + "integrity": "sha512-ibB1s+mPUFXvS7MFJO2jpw/aCNs/P6ifnWlRyTYB+WYBpniOiCcHQQskZneJtwcjQMDRol3RGG3ihoYnzXSY4w==", "cpu": [ "x64" ], @@ -1621,9 +1649,9 @@ } }, "node_modules/@oxc-project/types": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.121.0.tgz", - "integrity": "sha512-CGtOARQb9tyv7ECgdAlFxi0Fv7lmzvmlm2rpD/RdijOO9rfk/JvB1CjT8EnoD+tjna/IYgKKw3IV7objRb+aYw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.126.0.tgz", + "integrity": "sha512-oGfVtjAgwQVVpfBrbtk4e1XDyWHRFta6BS3GWVzrF8xYBT2VGQAk39yJS/wFSMrZqoiCU4oghT3Ch0HaHGIHcQ==", "dev": true, "license": "MIT", "funding": { @@ -2741,9 +2769,9 @@ } }, "node_modules/@rolldown/binding-android-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-YYe6aWruPZDtHNpwu7+qAHEMbQ/yRl6atqb/AhznLTnD3UY99Q1jE7ihLSahNWkF4EqRPVC4SiR4O0UkLK02tA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.16.tgz", + "integrity": "sha512-rhY3k7Bsae9qQfOtph2Pm2jZEA+s8Gmjoz4hhmx70K9iMQ/ddeae+xhRQcM5IuVx5ry1+bGfkvMn7D6MJggVSA==", "cpu": [ "arm64" ], @@ -2758,9 +2786,9 @@ } }, "node_modules/@rolldown/binding-darwin-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-oArR/ig8wNTPYsXL+Mzhs0oxhxfuHRfG7Ikw7jXsw8mYOtk71W0OkF2VEVh699pdmzjPQsTjlD1JIOoHkLP1Fg==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.16.tgz", + "integrity": "sha512-rNz0yK078yrNn3DrdgN+PKiMOW8HfQ92jQiXxwX8yW899ayV00MLVdaCNeVBhG/TbH3ouYVObo8/yrkiectkcQ==", "cpu": [ "arm64" ], @@ -2775,9 +2803,9 @@ } }, "node_modules/@rolldown/binding-darwin-x64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.15.tgz", - "integrity": "sha512-YzeVqOqjPYvUbJSWJ4EDL8ahbmsIXQpgL3JVipmN+MX0XnXMeWomLN3Fb+nwCmP/jfyqte5I3XRSm7OfQrbyxw==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.16.tgz", + "integrity": "sha512-r/OmdR00HmD4i79Z//xO06uEPOq5hRXdhw7nzkxQxwSavs3PSHa1ijntdpOiZ2mzOQ3fVVu8C1M19FoNM+dMUQ==", "cpu": [ "x64" ], @@ -2792,9 +2820,9 @@ } }, "node_modules/@rolldown/binding-freebsd-x64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.15.tgz", - "integrity": "sha512-9Erhx956jeQ0nNTyif1+QWAXDRD38ZNjr//bSHrt6wDwB+QkAfl2q6Mn1k6OBPerznjRmbM10lgRb1Pli4xZPw==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.16.tgz", + "integrity": "sha512-KcRE5w8h0OnjUatG8pldyD14/CQ5Phs1oxfR+3pKDjboHRo9+MkqQaiIZlZRpsxC15paeXme/I127tUa9TXJ6g==", "cpu": [ "x64" ], @@ -2809,9 +2837,9 @@ } }, "node_modules/@rolldown/binding-linux-arm-gnueabihf": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.15.tgz", - "integrity": "sha512-cVwk0w8QbZJGTnP/AHQBs5yNwmpgGYStL88t4UIaqcvYJWBfS0s3oqVLZPwsPU6M0zlW4GqjP0Zq5MnAGwFeGA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.16.tgz", + "integrity": "sha512-bT0guA1bpxEJ/ZhTRniQf7rNF8ybvXOuWbNIeLABaV5NGjx4EtOWBTSRGWFU9ZWVkPOZ+HNFP8RMcBokBiZ0Kg==", "cpu": [ "arm" ], @@ -2826,13 +2854,16 @@ } }, "node_modules/@rolldown/binding-linux-arm64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-eBZ/u8iAK9SoHGanqe/jrPnY0JvBN6iXbVOsbO38mbz+ZJsaobExAm1Iu+rxa4S1l2FjG0qEZn4Rc6X8n+9M+w==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-+tHktCHWV8BDQSjemUqm/Jl/TPk3QObCTIjmdDy/nlupcujZghmKK2962LYrqFpWu+ai01AN/REOH3NEpqvYQg==", "cpu": [ "arm64" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -2843,13 +2874,16 @@ } }, "node_modules/@rolldown/binding-linux-arm64-musl": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.15.tgz", - "integrity": "sha512-ZvRYMGrAklV9PEkgt4LQM6MjQX2P58HPAuecwYObY2DhS2t35R0I810bKi0wmaYORt6m/2Sm+Z+nFgb0WhXNcQ==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.16.tgz", + "integrity": "sha512-3fPzdREH806oRLxpTWW1Gt4tQHs0TitZFOECB2xzCFLPKnSOy90gwA7P29cksYilFO6XVRY1kzga0cL2nRjKPg==", "cpu": [ "arm64" ], "dev": true, + "libc": [ + "musl" + ], "license": "MIT", "optional": true, "os": [ @@ -2860,13 +2894,16 @@ } }, "node_modules/@rolldown/binding-linux-ppc64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-VDpgGBzgfg5hLg+uBpCLoFG5kVvEyafmfxGUV0UHLcL5irxAK7PKNeC2MwClgk6ZAiNhmo9FLhRYgvMmedLtnQ==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-EKwI1tSrLs7YVw+JPJT/G2dJQ1jl9qlTTTEG0V2Ok/RdOenRfBw2PQdLPyjhIu58ocdBfP7vIRN/pvMsPxs/AQ==", "cpu": [ "ppc64" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -2877,13 +2914,16 @@ } }, "node_modules/@rolldown/binding-linux-s390x-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-y1uXY3qQWCzcPgRJATPSOUP4tCemh4uBdY7e3EZbVwCJTY3gLJWnQABgeUetvED+bt1FQ01OeZwvhLS2bpNrAQ==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-Uknladnb3Sxqu6SEcqBldQyJUpk8NleooZEc0MbRBJ4inEhRYWZX0NJu12vNf2mqAq7gsofAxHrGghiUYjhaLQ==", "cpu": [ "s390x" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -2894,13 +2934,16 @@ } }, "node_modules/@rolldown/binding-linux-x64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-023bTPBod7J3Y/4fzAN6QtpkSABR0rigtrwaP+qSEabUh5zf6ELr9Nc7GujaROuPY3uwdSIXWrvhn1KxOvurWA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-FIb8+uG49sZBtLTn+zt1AJ20TqVcqWeSIyoVt0or7uAWesgKaHbiBh6OpA/k9v0LTt+PTrb1Lao133kP4uVxkg==", "cpu": [ "x64" ], "dev": true, + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -2911,13 +2954,16 @@ } }, "node_modules/@rolldown/binding-linux-x64-musl": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.15.tgz", - "integrity": "sha512-witB2O0/hU4CgfOOKUoeFgQ4GktPi1eEbAhaLAIpgD6+ZnhcPkUtPsoKKHRzmOoWPZue46IThdSgdo4XneOLYw==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.16.tgz", + "integrity": "sha512-RuERhF9/EgWxZEXYWCOaViUWHIboceK4/ivdtQ3R0T44NjLkIIlGIAVAuCddFxsZ7vnRHtNQUrt2vR2n2slB2w==", "cpu": [ "x64" ], "dev": true, + "libc": [ + "musl" + ], "license": "MIT", "optional": true, "os": [ @@ -2928,9 +2974,9 @@ } }, "node_modules/@rolldown/binding-openharmony-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-UCL68NJ0Ud5zRipXZE9dF5PmirzJE4E4BCIOOssEnM7wLDsxjc6Qb0sGDxTNRTP53I6MZpygyCpY8Aa8sPfKPg==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.16.tgz", + "integrity": "sha512-mXcXnvd9GpazCxeUCCnZ2+YF7nut+ZOEbE4GtaiPtyY6AkhZWbK70y1KK3j+RDhjVq5+U8FySkKRb/+w0EeUwA==", "cpu": [ "arm64" ], @@ -2945,9 +2991,9 @@ } }, "node_modules/@rolldown/binding-wasm32-wasi": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.15.tgz", - "integrity": "sha512-ApLruZq/ig+nhaE7OJm4lDjayUnOHVUa77zGeqnqZ9pn0ovdVbbNPerVibLXDmWeUZXjIYIT8V3xkT58Rm9u5Q==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.16.tgz", + "integrity": "sha512-3Q2KQxnC8IJOLqXmUMoYwyIPZU9hzRbnHaoV3Euz+VVnjZKcY8ktnNP8T9R4/GGQtb27C/UYKABxesKWb8lsvQ==", "cpu": [ "wasm32" ], @@ -2957,16 +3003,16 @@ "dependencies": { "@emnapi/core": "1.9.2", "@emnapi/runtime": "1.9.2", - "@napi-rs/wasm-runtime": "^1.1.3" + "@napi-rs/wasm-runtime": "^1.1.4" }, "engines": { - "node": ">=14.0.0" + "node": "^20.19.0 || >=22.12.0" } }, "node_modules/@rolldown/binding-win32-arm64-msvc": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.15.tgz", - "integrity": "sha512-KmoUoU7HnN+Si5YWJigfTws1jz1bKBYDQKdbLspz0UaqjjFkddHsqorgiW1mxcAj88lYUE6NC/zJNwT+SloqtA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.16.tgz", + "integrity": "sha512-tj7XRemQcOcFwv7qhpUxMTBbI5mWMlE4c1Omhg5+h8GuLXzyj8HviYgR+bB2DMDgRqUE+jiDleqSCRjx4aYk/Q==", "cpu": [ "arm64" ], @@ -2981,9 +3027,9 @@ } }, "node_modules/@rolldown/binding-win32-x64-msvc": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.15.tgz", - "integrity": "sha512-3P2A8L+x75qavWLe/Dll3EYBJLQmtkJN8rfh+U/eR3MqMgL/h98PhYI+JFfXuDPgPeCB7iZAKiqii5vqOvnA0g==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.16.tgz", + "integrity": "sha512-PH5DRZT+F4f2PTXRXR8uJxnBq2po/xFtddyabTJVJs/ZYVHqXPEgNIr35IHTEa6bpa0Q8Awg+ymkTaGnKITw4g==", "cpu": [ "x64" ], @@ -3288,9 +3334,9 @@ } }, "node_modules/@tanstack/query-core": { - "version": "5.99.0", - "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.99.0.tgz", - "integrity": "sha512-3Jv3WQG0BCcH7G+7lf/bP8QyBfJOXeY+T08Rin3GZ1bshvwlbPt7NrDHMEzGdKIOmOzvIQmxjk28YEQX60k7pQ==", + "version": "5.99.2", + "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.99.2.tgz", + "integrity": "sha512-1HunU0bXVsR1ZJMZbcOPE6VtaBJxsW809RE9xPe4Gz7MlB0GWwQvuTPhMoEmQ/hIzFKJ/DWAuttIe7BOaWx0tA==", "license": "MIT", "funding": { "type": "github", @@ -3298,12 +3344,12 @@ } }, "node_modules/@tanstack/react-query": { - "version": "5.99.0", - "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.99.0.tgz", - "integrity": "sha512-OY2bCqPemT1LlqJ8Y2CUau4KELnIhhG9Ol3ZndPbdnB095pRbPo1cHuXTndg8iIwtoHTgwZjyaDnQ0xD0mYwAw==", + "version": "5.99.2", + "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.99.2.tgz", + "integrity": "sha512-vM91UEe45QUS9ED6OklsVL15i8qKcRqNwpWzPTVWvRPRSEgDudDgHpvyTjcdlwHcrKNa80T+xXYcchT2noPnZA==", "license": "MIT", "dependencies": { - "@tanstack/query-core": "5.99.0" + "@tanstack/query-core": "5.99.2" }, "funding": { "type": "github", @@ -4921,9 +4967,9 @@ } }, "node_modules/axios": { - "version": "1.15.0", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.0.tgz", - "integrity": "sha512-wWyJDlAatxk30ZJer+GeCWS209sA42X+N5jU2jy6oHTp7ufw8uzUTVFBX9+wTfAlhiJXGS0Bq7X6efruWjuK9Q==", + "version": "1.15.1", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.1.tgz", + "integrity": "sha512-WOG+Jj8ZOvR0a3rAn+Tuf1UQJRxw5venr6DgdbJzngJE3qG7X0kL83CZGpdHMxEm+ZK3seAbvFsw4FfOfP9vxg==", "license": "MIT", "dependencies": { "follow-redirects": "^1.15.11", @@ -4952,9 +4998,9 @@ } }, "node_modules/baseline-browser-mapping": { - "version": "2.10.19", - "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.19.tgz", - "integrity": "sha512-qCkNLi2sfBOn8XhZQ0FXsT1Ki/Yo5P90hrkRamVFRS7/KV9hpfA4HkoWNU152+8w0zPjnxo5psx5NL3PSGgv5g==", + "version": "2.10.20", + "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.20.tgz", + "integrity": "sha512-1AaXxEPfXT+GvTBJFuy4yXVHWJBXa4OdbIebGN/wX5DlsIkU0+wzGnd2lOzokSk51d5LUmqjgBLRLlypLUqInQ==", "dev": true, "license": "Apache-2.0", "bin": { @@ -4987,19 +5033,6 @@ "node": "18 || 20 || >=22" } }, - "node_modules/braces": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", - "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", - "dev": true, - "license": "MIT", - "dependencies": { - "fill-range": "^7.1.1" - }, - "engines": { - "node": ">=8" - } - }, "node_modules/browserslist": { "version": "4.28.2", "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.2.tgz", @@ -5777,9 +5810,9 @@ } }, "node_modules/electron-to-chromium": { - "version": "1.5.336", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.336.tgz", - "integrity": "sha512-AbH9q9J455r/nLmdNZes0G0ZKcRX73FicwowalLs6ijwOmCJSRRrLX63lcAlzy9ux3dWK1w1+1nsBJEWN11hcQ==", + "version": "1.5.340", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.340.tgz", + "integrity": "sha512-908qahOGocRMinT2nM3ajCEM99H4iPdv84eagPP3FfZy/1ZGeOy2CZYzjhms81ckOPCXPlW7LkY4XpxD8r1DrA==", "dev": true, "license": "ISC" }, @@ -5805,13 +5838,13 @@ } }, "node_modules/entities": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/entities/-/entities-6.0.1.tgz", - "integrity": "sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g==", + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/entities/-/entities-8.0.0.tgz", + "integrity": "sha512-zwfzJecQ/Uej6tusMqwAqU/6KL2XaB2VZ2Jg54Je6ahNBGNH6Ek6g3jjNCF0fG9EWQKGZNddNjU5F1ZQn/sBnA==", "dev": true, "license": "BSD-2-Clause", "engines": { - "node": ">=0.12" + "node": ">=20.19.0" }, "funding": { "url": "https://github.com/fb55/entities?sponsor=1" @@ -6003,18 +6036,18 @@ } }, "node_modules/eslint": { - "version": "10.2.0", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.2.0.tgz", - "integrity": "sha512-+L0vBFYGIpSNIt/KWTpFonPrqYvgKw1eUI5Vn7mEogrQcWtWYtNQ7dNqC+px/J0idT3BAkiWrhfS7k+Tum8TUA==", + "version": "10.2.1", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.2.1.tgz", + "integrity": "sha512-wiyGaKsDgqXvF40P8mDwiUp/KQjE1FdrIEJsM8PZ3XCiniTMXS3OHWWUe5FI5agoCnr8x4xPrTDZuxsBlNHl+Q==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/eslint-utils": "^4.8.0", "@eslint-community/regexpp": "^4.12.2", - "@eslint/config-array": "^0.23.4", - "@eslint/config-helpers": "^0.5.4", - "@eslint/core": "^1.2.0", - "@eslint/plugin-kit": "^0.7.0", + "@eslint/config-array": "^0.23.5", + "@eslint/config-helpers": "^0.5.5", + "@eslint/core": "^1.2.1", + "@eslint/plugin-kit": "^0.7.1", "@humanfs/node": "^0.16.6", "@humanwhocodes/module-importer": "^1.0.1", "@humanwhocodes/retry": "^0.4.2", @@ -6301,9 +6334,9 @@ } }, "node_modules/eslint-plugin-react-hooks": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-7.0.1.tgz", - "integrity": "sha512-O0d0m04evaNzEPoSW+59Mezf8Qt0InfgGIBJnpC0h3NH/WjUAR7BIKUfysC6todmtiZ/A0oUVS8Gce0WhBrHsA==", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-7.1.1.tgz", + "integrity": "sha512-f2I7Gw6JbvCexzIInuSbZpfdQ44D7iqdWX01FKLvrPgqxoE7oMj8clOfto8U6vYiz4yd5oKu39rRSVOe1zRu0g==", "dev": true, "license": "MIT", "dependencies": { @@ -6317,7 +6350,7 @@ "node": ">=18" }, "peerDependencies": { - "eslint": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0-0 || ^9.0.0" + "eslint": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0-0 || ^9.0.0 || ^10.0.0" } }, "node_modules/eslint-plugin-react-hooks/node_modules/zod-validation-error": { @@ -6360,9 +6393,9 @@ } }, "node_modules/eslint-plugin-sonarjs": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/eslint-plugin-sonarjs/-/eslint-plugin-sonarjs-4.0.2.tgz", - "integrity": "sha512-BTcT1zr1iTbmJtVlcesISwnXzh+9uhf9LEOr+RRNf4kR8xA0HQTPft4oiyOCzCOGKkpSJxjR8ZYF6H7VPyplyw==", + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/eslint-plugin-sonarjs/-/eslint-plugin-sonarjs-4.0.3.tgz", + "integrity": "sha512-5drkJKLC9qQddIiaATV0e8+ygbUc7b0Ti6VB7M2d3jmKNh3X0RaiIJYTs3dr9xnlhlrxo+/s1FoO3Jgv6O/c7g==", "dev": true, "license": "LGPL-3.0-only", "dependencies": { @@ -6373,10 +6406,10 @@ "globals": "^17.4.0", "jsx-ast-utils-x": "^0.1.0", "lodash.merge": "^4.6.2", - "minimatch": "^10.2.4", + "minimatch": "^10.2.5", "scslre": "^0.3.0", "semver": "^7.7.4", - "ts-api-utils": "^2.4.0", + "ts-api-utils": "^2.5.0", "typescript": ">=5" }, "peerDependencies": { @@ -6629,36 +6662,6 @@ "dev": true, "license": "MIT" }, - "node_modules/fast-glob": { - "version": "3.3.3", - "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.3.tgz", - "integrity": "sha512-7MptL8U0cqcFdzIzwOTHoilX9x5BrNqye7Z/LuC7kCMRio1EMSyqRK3BEAUD7sXRq4iT4AzTVuZdhgQ2TCvYLg==", - "dev": true, - "license": "MIT", - "dependencies": { - "@nodelib/fs.stat": "^2.0.2", - "@nodelib/fs.walk": "^1.2.3", - "glob-parent": "^5.1.2", - "merge2": "^1.3.0", - "micromatch": "^4.0.8" - }, - "engines": { - "node": ">=8.6.0" - } - }, - "node_modules/fast-glob/node_modules/glob-parent": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", - "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", - "dev": true, - "license": "ISC", - "dependencies": { - "is-glob": "^4.0.1" - }, - "engines": { - "node": ">= 6" - } - }, "node_modules/fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", @@ -6745,19 +6748,6 @@ "node": ">=16.0.0" } }, - "node_modules/fill-range": { - "version": "7.1.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", - "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", - "dev": true, - "license": "MIT", - "dependencies": { - "to-regex-range": "^5.0.1" - }, - "engines": { - "node": ">=8" - } - }, "node_modules/find-up": { "version": "5.0.0", "resolved": "https://registry.npmjs.org/find-up/-/find-up-5.0.0.tgz", @@ -7047,9 +7037,9 @@ } }, "node_modules/get-tsconfig": { - "version": "4.13.7", - "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.7.tgz", - "integrity": "sha512-7tN6rFgBlMgpBML5j8typ92BKFi2sFQvIdpAqLA2beia5avZDrMs0FLZiM5etShWq5irVyGcGMEA1jcDaK7A/Q==", + "version": "4.14.0", + "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.14.0.tgz", + "integrity": "sha512-yTb+8DXzDREzgvYmh6s9vHsSVCHeC0G3PI5bEXNBHtmshPnO+S5O7qgLEOn0I5QvMy6kpZN8K1NKGyilLb93wA==", "dev": true, "license": "MIT", "dependencies": { @@ -7217,9 +7207,9 @@ } }, "node_modules/hasown": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", - "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz", + "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==", "license": "MIT", "dependencies": { "function-bind": "^1.1.2" @@ -7275,9 +7265,9 @@ } }, "node_modules/i18next": { - "version": "26.0.5", - "resolved": "https://registry.npmjs.org/i18next/-/i18next-26.0.5.tgz", - "integrity": "sha512-9uHb4T27TdV36phJXcbpnRPt5yzAfqHXVrdASvmHZyPuZJtrLythd+GyXhiaHV5LlpuuskbAqhwPjmfTbKbi8w==", + "version": "26.0.6", + "resolved": "https://registry.npmjs.org/i18next/-/i18next-26.0.6.tgz", + "integrity": "sha512-A4U6eCXodIbrhf8EarRurB9/4ebyaurH4+fu4gig9bqxmpSt+fCAFm/GpRQDcN1Xzu/LdFCx4nYHsnM1edIIbg==", "funding": [ { "type": "individual", @@ -7641,16 +7631,6 @@ "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/is-number": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", - "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.12.0" - } - }, "node_modules/is-number-object": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/is-number-object/-/is-number-object-1.1.1.tgz", @@ -8055,9 +8035,9 @@ } }, "node_modules/knip": { - "version": "6.4.1", - "resolved": "https://registry.npmjs.org/knip/-/knip-6.4.1.tgz", - "integrity": "sha512-Ry+ywmDFSZvKp/jx7LxMgsZWRTs931alV84e60lh0Stf6kSRYqSIUTkviyyDFRcSO3yY1Kpbi83OirN+4lA2Xw==", + "version": "6.5.0", + "resolved": "https://registry.npmjs.org/knip/-/knip-6.5.0.tgz", + "integrity": "sha512-84xSq/g8CtPWLJcY5WZeGWj/pbqQxJRC7iXTTutB0MkMm260hKxlzIXSTnxuTuIxre2MBSokhLkfth8dQQYVPQ==", "dev": true, "funding": [ { @@ -8072,17 +8052,17 @@ "license": "ISC", "dependencies": { "@nodelib/fs.walk": "^1.2.3", - "fast-glob": "^3.3.3", "formatly": "^0.3.0", - "get-tsconfig": "4.13.7", + "get-tsconfig": "4.14.0", "jiti": "^2.6.0", "minimist": "^1.2.8", - "oxc-parser": "^0.121.0", + "oxc-parser": "^0.126.0", "oxc-resolver": "^11.19.1", "picocolors": "^1.1.1", - "picomatch": "^4.0.1", + "picomatch": "^4.0.4", "smol-toml": "^1.6.1", "strip-json-comments": "5.0.3", + "tinyglobby": "^0.2.16", "unbash": "^2.2.0", "yaml": "^2.8.2", "zod": "^4.1.11" @@ -8784,16 +8764,6 @@ "dev": true, "license": "CC0-1.0" }, - "node_modules/merge2": { - "version": "1.4.1", - "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz", - "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">= 8" - } - }, "node_modules/micromark": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/micromark/-/micromark-4.0.2.tgz", @@ -9422,33 +9392,6 @@ ], "license": "MIT" }, - "node_modules/micromatch": { - "version": "4.0.8", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz", - "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==", - "dev": true, - "license": "MIT", - "dependencies": { - "braces": "^3.0.3", - "picomatch": "^2.3.1" - }, - "engines": { - "node": ">=8.6" - } - }, - "node_modules/micromatch/node_modules/picomatch": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz", - "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=8.6" - }, - "funding": { - "url": "https://github.com/sponsors/jonschlinkert" - } - }, "node_modules/mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", @@ -9702,13 +9645,13 @@ } }, "node_modules/oxc-parser": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.121.0.tgz", - "integrity": "sha512-ek9o58+SCv6AV7nchiAcUJy1DNE2CC5WRdBcO0mF+W4oRjNQfPO7b3pLjTHSFECpHkKGOZSQxx3hk8viIL5YCg==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.126.0.tgz", + "integrity": "sha512-FktCvLby/mOHyuijZt22+nOt10dS24gGUZE3XwIbUg7Kf4+rer3/5T7RgwzazlNuVsCjPloZ3p8E+4ONT3A8Kw==", "dev": true, "license": "MIT", "dependencies": { - "@oxc-project/types": "^0.121.0" + "@oxc-project/types": "^0.126.0" }, "engines": { "node": "^20.19.0 || >=22.12.0" @@ -9717,26 +9660,26 @@ "url": "https://github.com/sponsors/Boshen" }, "optionalDependencies": { - "@oxc-parser/binding-android-arm-eabi": "0.121.0", - "@oxc-parser/binding-android-arm64": "0.121.0", - "@oxc-parser/binding-darwin-arm64": "0.121.0", - "@oxc-parser/binding-darwin-x64": "0.121.0", - "@oxc-parser/binding-freebsd-x64": "0.121.0", - "@oxc-parser/binding-linux-arm-gnueabihf": "0.121.0", - "@oxc-parser/binding-linux-arm-musleabihf": "0.121.0", - "@oxc-parser/binding-linux-arm64-gnu": "0.121.0", - "@oxc-parser/binding-linux-arm64-musl": "0.121.0", - "@oxc-parser/binding-linux-ppc64-gnu": "0.121.0", - "@oxc-parser/binding-linux-riscv64-gnu": "0.121.0", - "@oxc-parser/binding-linux-riscv64-musl": "0.121.0", - "@oxc-parser/binding-linux-s390x-gnu": "0.121.0", - "@oxc-parser/binding-linux-x64-gnu": "0.121.0", - "@oxc-parser/binding-linux-x64-musl": "0.121.0", - "@oxc-parser/binding-openharmony-arm64": "0.121.0", - "@oxc-parser/binding-wasm32-wasi": "0.121.0", - "@oxc-parser/binding-win32-arm64-msvc": "0.121.0", - "@oxc-parser/binding-win32-ia32-msvc": "0.121.0", - "@oxc-parser/binding-win32-x64-msvc": "0.121.0" + "@oxc-parser/binding-android-arm-eabi": "0.126.0", + "@oxc-parser/binding-android-arm64": "0.126.0", + "@oxc-parser/binding-darwin-arm64": "0.126.0", + "@oxc-parser/binding-darwin-x64": "0.126.0", + "@oxc-parser/binding-freebsd-x64": "0.126.0", + "@oxc-parser/binding-linux-arm-gnueabihf": "0.126.0", + "@oxc-parser/binding-linux-arm-musleabihf": "0.126.0", + "@oxc-parser/binding-linux-arm64-gnu": "0.126.0", + "@oxc-parser/binding-linux-arm64-musl": "0.126.0", + "@oxc-parser/binding-linux-ppc64-gnu": "0.126.0", + "@oxc-parser/binding-linux-riscv64-gnu": "0.126.0", + "@oxc-parser/binding-linux-riscv64-musl": "0.126.0", + "@oxc-parser/binding-linux-s390x-gnu": "0.126.0", + "@oxc-parser/binding-linux-x64-gnu": "0.126.0", + "@oxc-parser/binding-linux-x64-musl": "0.126.0", + "@oxc-parser/binding-openharmony-arm64": "0.126.0", + "@oxc-parser/binding-wasm32-wasi": "0.126.0", + "@oxc-parser/binding-win32-arm64-msvc": "0.126.0", + "@oxc-parser/binding-win32-ia32-msvc": "0.126.0", + "@oxc-parser/binding-win32-x64-msvc": "0.126.0" } }, "node_modules/oxc-resolver": { @@ -9817,13 +9760,13 @@ } }, "node_modules/parse5": { - "version": "8.0.0", - "resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.0.tgz", - "integrity": "sha512-9m4m5GSgXjL4AjumKzq1Fgfp3Z8rsvjRNbnkVwfu2ImRqE5D0LnY2QfDen18FSY9C573YU5XxSapdHZTZ2WolA==", + "version": "8.0.1", + "resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.1.tgz", + "integrity": "sha512-z1e/HMG90obSGeidlli3hj7cbocou0/wa5HacvI3ASx34PecNjNQeaHNo5WIZpWofN9kgkqV1q5YvXe3F0FoPw==", "dev": true, "license": "MIT", "dependencies": { - "entities": "^6.0.0" + "entities": "^8.0.0" }, "funding": { "url": "https://github.com/inikulin/parse5?sponsor=1" @@ -10085,9 +10028,9 @@ } }, "node_modules/react-i18next": { - "version": "17.0.3", - "resolved": "https://registry.npmjs.org/react-i18next/-/react-i18next-17.0.3.tgz", - "integrity": "sha512-x4xjvUNZ56T+zfXWNedNnCET9Xq1IBYWX7IsWo5cCQ/RT+Rm7GWqt0h9PShFi4IhyMnsdiu1C6Jc4DE+/S3PFQ==", + "version": "17.0.4", + "resolved": "https://registry.npmjs.org/react-i18next/-/react-i18next-17.0.4.tgz", + "integrity": "sha512-hQipmK4EF0y6RO6tt6WuqnmWpWYEXmQUUzecmMBuNsIgYd3smXcG4GtYPWhvgxn0pqMOItKlEO8H24HCs5hc3g==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.29.2", @@ -10472,14 +10415,14 @@ } }, "node_modules/rolldown": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.15.tgz", - "integrity": "sha512-Ff31guA5zT6WjnGp0SXw76X6hzGRk/OQq2hE+1lcDe+lJdHSgnSX6nK3erbONHyCbpSj9a9E+uX/OvytZoWp2g==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.16.tgz", + "integrity": "sha512-rzi5WqKzEZw3SooTt7cgm4eqIoujPIyGcJNGFL7iPEuajQw7vxMHUkXylu4/vhCkJGXsgRmxqMKXUpT6FEgl0g==", "dev": true, "license": "MIT", "dependencies": { - "@oxc-project/types": "=0.124.0", - "@rolldown/pluginutils": "1.0.0-rc.15" + "@oxc-project/types": "=0.126.0", + "@rolldown/pluginutils": "1.0.0-rc.16" }, "bin": { "rolldown": "bin/cli.mjs" @@ -10488,37 +10431,27 @@ "node": "^20.19.0 || >=22.12.0" }, "optionalDependencies": { - "@rolldown/binding-android-arm64": "1.0.0-rc.15", - "@rolldown/binding-darwin-arm64": "1.0.0-rc.15", - "@rolldown/binding-darwin-x64": "1.0.0-rc.15", - "@rolldown/binding-freebsd-x64": "1.0.0-rc.15", - "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.15", - "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.15", - "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-x64-musl": "1.0.0-rc.15", - "@rolldown/binding-openharmony-arm64": "1.0.0-rc.15", - "@rolldown/binding-wasm32-wasi": "1.0.0-rc.15", - "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.15", - "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.15" - } - }, - "node_modules/rolldown/node_modules/@oxc-project/types": { - "version": "0.124.0", - "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.124.0.tgz", - "integrity": "sha512-VBFWMTBvHxS11Z5Lvlr3IWgrwhMTXV+Md+EQF0Xf60+wAdsGFTBx7X7K/hP4pi8N7dcm1RvcHwDxZ16Qx8keUg==", - "dev": true, - "license": "MIT", - "funding": { - "url": "https://github.com/sponsors/Boshen" + "@rolldown/binding-android-arm64": "1.0.0-rc.16", + "@rolldown/binding-darwin-arm64": "1.0.0-rc.16", + "@rolldown/binding-darwin-x64": "1.0.0-rc.16", + "@rolldown/binding-freebsd-x64": "1.0.0-rc.16", + "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.16", + "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.16", + "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-x64-musl": "1.0.0-rc.16", + "@rolldown/binding-openharmony-arm64": "1.0.0-rc.16", + "@rolldown/binding-wasm32-wasi": "1.0.0-rc.16", + "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.16", + "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.16" } }, "node_modules/rolldown/node_modules/@rolldown/pluginutils": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.15.tgz", - "integrity": "sha512-UromN0peaE53IaBRe9W7CjrZgXl90fqGpK+mIZbA3qSTeYqg3pqpROBdIPvOG3F5ereDHNwoHBI2e50n1BDr1g==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.16.tgz", + "integrity": "sha512-45+YtqxLYKDWQouLKCrpIZhke+nXxhsw+qAHVzHDVwttyBlHNBVs2K25rDXrZzhpTp9w1FlAlvweV1H++fdZoA==", "dev": true, "license": "MIT" }, @@ -10547,15 +10480,15 @@ } }, "node_modules/safe-array-concat": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/safe-array-concat/-/safe-array-concat-1.1.3.tgz", - "integrity": "sha512-AURm5f0jYEOydBj7VQlVvDrjeFgthDdEF5H1dP+6mNpoXOMo1quQqJ4wvJDyRZ9+pO3kGWoOdmV08cSv2aJV6Q==", + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/safe-array-concat/-/safe-array-concat-1.1.4.tgz", + "integrity": "sha512-wtZlHyOje6OZTGqAoaDKxFkgRtkF9CnHAVnCHKfuj200wAgL+bSJhdsCD2l0Qx/2ekEXjPWcyKkfGb5CPboslg==", "dev": true, "license": "MIT", "dependencies": { - "call-bind": "^1.0.8", - "call-bound": "^1.0.2", - "get-intrinsic": "^1.2.6", + "call-bind": "^1.0.9", + "call-bound": "^1.0.4", + "get-intrinsic": "^1.3.0", "has-symbols": "^1.1.0", "isarray": "^2.0.5" }, @@ -11114,19 +11047,6 @@ "integrity": "sha512-7W5Efjhsc3chVdFhqtaU0KtK32J37Zcr9RKtID54nG+tIpcY79CQK/veYPODxtD/LJ4Lue66jvrQzIX2Z2/pUQ==", "license": "MIT" }, - "node_modules/to-regex-range": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", - "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", - "dev": true, - "license": "MIT", - "dependencies": { - "is-number": "^7.0.0" - }, - "engines": { - "node": ">=8.0" - } - }, "node_modules/totalist": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/totalist/-/totalist-3.0.1.tgz", @@ -11274,9 +11194,9 @@ } }, "node_modules/typescript": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz", - "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==", + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz", + "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==", "devOptional": true, "license": "Apache-2.0", "bin": { @@ -11582,17 +11502,17 @@ } }, "node_modules/vite": { - "version": "8.0.8", - "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.8.tgz", - "integrity": "sha512-dbU7/iLVa8KZALJyLOBOQ88nOXtNG8vxKuOT4I2mD+Ya70KPceF4IAmDsmU0h1Qsn5bPrvsY9HJstCRh3hG6Uw==", + "version": "8.0.9", + "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.9.tgz", + "integrity": "sha512-t7g7GVRpMXjNpa67HaVWI/8BWtdVIQPCL2WoozXXA7LBGEFK4AkkKkHx2hAQf5x1GZSlcmEDPkVLSGahxnEEZw==", "dev": true, "license": "MIT", "dependencies": { "lightningcss": "^1.32.0", "picomatch": "^4.0.4", - "postcss": "^8.5.8", - "rolldown": "1.0.0-rc.15", - "tinyglobby": "^0.2.15" + "postcss": "^8.5.10", + "rolldown": "1.0.0-rc.16", + "tinyglobby": "^0.2.16" }, "bin": { "vite": "bin/vite.js" diff --git a/frontend/package.json b/frontend/package.json index 11d36683..690fb863 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -33,19 +33,19 @@ "@radix-ui/react-select": "^2.2.6", "@radix-ui/react-tabs": "^1.1.13", "@radix-ui/react-tooltip": "^1.2.8", - "@tanstack/react-query": "^5.99.0", - "axios": "1.15.0", + "@tanstack/react-query": "^5.99.2", + "axios": "1.15.1", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", "date-fns": "^4.1.0", - "i18next": "^26.0.5", + "i18next": "^26.0.6", "i18next-browser-languagedetector": "^8.2.1", "lucide-react": "^1.8.0", "react": "^19.2.5", "react-dom": "^19.2.5", "react-hook-form": "^7.72.1", "react-hot-toast": "^2.6.0", - "react-i18next": "^17.0.3", + "react-i18next": "^17.0.4", "react-router-dom": "^7.14.1", "recharts": "^3.8.1", "tailwind-merge": "^3.5.0", @@ -74,43 +74,43 @@ "@vitest/eslint-plugin": "^1.6.16", "@vitest/ui": "^4.1.4", "autoprefixer": "^10.5.0", - "eslint": "^10.2.0", + "eslint": "^10.2.1", "eslint-import-resolver-typescript": "^4.4.4", "eslint-plugin-import-x": "^4.16.2", "eslint-plugin-jsx-a11y": "^6.10.2", "eslint-plugin-no-unsanitized": "^4.1.5", "eslint-plugin-promise": "^7.2.1", "eslint-plugin-react-compiler": "^19.1.0-rc.2", - "eslint-plugin-react-hooks": "^7.0.1", + "eslint-plugin-react-hooks": "^7.1.1", "eslint-plugin-react-refresh": "^0.5.2", "eslint-plugin-security": "^4.0.0", - "eslint-plugin-sonarjs": "^4.0.2", + "eslint-plugin-sonarjs": "^4.0.3", "eslint-plugin-testing-library": "^7.16.2", "eslint-plugin-unicorn": "^64.0.0", "eslint-plugin-unused-imports": "^4.4.1", "jsdom": "29.0.2", - "knip": "^6.4.1", + "knip": "^6.5.0", "postcss": "^8.5.10", "tailwindcss": "^4.2.2", - "typescript": "^6.0.2", + "typescript": "^6.0.3", "typescript-eslint": "^8.58.2", - "vite": "^8.0.8", + "vite": "^8.0.9", "vitest": "^4.1.4", "zod-validation-error": "^5.0.0" }, "overrides": { - "typescript": "^6.0.2", + "typescript": "^6.0.3", "eslint-plugin-react-hooks": { - "eslint": "^10.2.0" + "eslint": "^10.2.1" }, "eslint-plugin-jsx-a11y": { - "eslint": "^10.2.0" + "eslint": "^10.2.1" }, "eslint-plugin-promise": { - "eslint": "^10.2.0" + "eslint": "^10.2.1" }, "@vitejs/plugin-react": { - "vite": "8.0.8" + "vite": "8.0.9" } } } diff --git a/frontend/src/api/__tests__/crowdsec.test.ts b/frontend/src/api/__tests__/crowdsec.test.ts index 38e46d4a..70de8ba4 100644 --- a/frontend/src/api/__tests__/crowdsec.test.ts +++ b/frontend/src/api/__tests__/crowdsec.test.ts @@ -116,6 +116,120 @@ describe('crowdsec API', () => { }) }) + describe('listCrowdsecDecisions', () => { + it('should call GET /admin/crowdsec/decisions and return data', async () => { + const mockData = { + decisions: [ + { id: '1', ip: '1.2.3.4', reason: 'bot', duration: '24h', created_at: '2024-01-01T00:00:00Z', source: 'crowdsec' }, + ], + } + vi.mocked(client.get).mockResolvedValue({ data: mockData }) + + const result = await crowdsec.listCrowdsecDecisions() + + expect(client.get).toHaveBeenCalledWith('/admin/crowdsec/decisions') + expect(result).toEqual(mockData) + }) + }) + + describe('banIP', () => { + it('should call POST /admin/crowdsec/ban with ip, duration, and reason', async () => { + vi.mocked(client.post).mockResolvedValue({}) + + await crowdsec.banIP('1.2.3.4', '24h', 'manual ban') + + expect(client.post).toHaveBeenCalledWith('/admin/crowdsec/ban', { + ip: '1.2.3.4', + duration: '24h', + reason: 'manual ban', + }) + }) + }) + + describe('unbanIP', () => { + it('should call DELETE /admin/crowdsec/ban/{encoded ip}', async () => { + vi.mocked(client.delete).mockResolvedValue({}) + + await crowdsec.unbanIP('1.2.3.4') + + expect(client.delete).toHaveBeenCalledWith('/admin/crowdsec/ban/1.2.3.4') + }) + + it('should URL-encode special characters in the IP', async () => { + vi.mocked(client.delete).mockResolvedValue({}) + + await crowdsec.unbanIP('::1') + + expect(client.delete).toHaveBeenCalledWith('/admin/crowdsec/ban/%3A%3A1') + }) + }) + + describe('getCrowdsecKeyStatus', () => { + it('should call GET /admin/crowdsec/key-status and return data', async () => { + const mockData = { + key_source: 'file' as const, + env_key_rejected: false, + current_key_preview: 'abc***xyz', + message: 'Key loaded from file', + } + vi.mocked(client.get).mockResolvedValue({ data: mockData }) + + const result = await crowdsec.getCrowdsecKeyStatus() + + expect(client.get).toHaveBeenCalledWith('/admin/crowdsec/key-status') + expect(result).toEqual(mockData) + }) + }) + + describe('listWhitelists', () => { + it('should call GET /admin/crowdsec/whitelist and return the whitelist array', async () => { + const mockWhitelist = [ + { + uuid: 'uuid-1', + ip_or_cidr: '192.168.1.1', + reason: 'Home', + created_at: '2024-01-01T00:00:00Z', + updated_at: '2024-01-01T00:00:00Z', + }, + ] + vi.mocked(client.get).mockResolvedValue({ data: { whitelist: mockWhitelist } }) + + const result = await crowdsec.listWhitelists() + + expect(client.get).toHaveBeenCalledWith('/admin/crowdsec/whitelist') + expect(result).toEqual(mockWhitelist) + }) + }) + + describe('addWhitelist', () => { + it('should call POST /admin/crowdsec/whitelist and return the created entry', async () => { + const payload = { ip_or_cidr: '192.168.1.1', reason: 'Home' } + const mockEntry = { + uuid: 'uuid-1', + ip_or_cidr: '192.168.1.1', + reason: 'Home', + created_at: '2024-01-01T00:00:00Z', + updated_at: '2024-01-01T00:00:00Z', + } + vi.mocked(client.post).mockResolvedValue({ data: mockEntry }) + + const result = await crowdsec.addWhitelist(payload) + + expect(client.post).toHaveBeenCalledWith('/admin/crowdsec/whitelist', payload) + expect(result).toEqual(mockEntry) + }) + }) + + describe('deleteWhitelist', () => { + it('should call DELETE /admin/crowdsec/whitelist/{uuid}', async () => { + vi.mocked(client.delete).mockResolvedValue({}) + + await crowdsec.deleteWhitelist('uuid-1') + + expect(client.delete).toHaveBeenCalledWith('/admin/crowdsec/whitelist/uuid-1') + }) + }) + describe('default export', () => { it('should export all functions', () => { expect(crowdsec.default).toHaveProperty('startCrowdsec') @@ -126,6 +240,14 @@ describe('crowdsec API', () => { expect(crowdsec.default).toHaveProperty('listCrowdsecFiles') expect(crowdsec.default).toHaveProperty('readCrowdsecFile') expect(crowdsec.default).toHaveProperty('writeCrowdsecFile') + expect(crowdsec.default).toHaveProperty('listCrowdsecDecisions') + expect(crowdsec.default).toHaveProperty('banIP') + expect(crowdsec.default).toHaveProperty('unbanIP') + expect(crowdsec.default).toHaveProperty('getCrowdsecKeyStatus') + expect(crowdsec.default).toHaveProperty('listWhitelists') + expect(crowdsec.default).toHaveProperty('addWhitelist') + expect(crowdsec.default).toHaveProperty('deleteWhitelist') }) }) + }) diff --git a/frontend/src/api/crowdsec.ts b/frontend/src/api/crowdsec.ts index 839bb6cc..77b1b425 100644 --- a/frontend/src/api/crowdsec.ts +++ b/frontend/src/api/crowdsec.ts @@ -156,4 +156,31 @@ export async function getCrowdsecKeyStatus(): Promise { return resp.data } -export default { startCrowdsec, stopCrowdsec, statusCrowdsec, importCrowdsecConfig, exportCrowdsecConfig, listCrowdsecFiles, readCrowdsecFile, writeCrowdsecFile, listCrowdsecDecisions, banIP, unbanIP, getCrowdsecKeyStatus } +export interface CrowdSecWhitelistEntry { + uuid: string + ip_or_cidr: string + reason: string + created_at: string + updated_at: string +} + +export interface AddWhitelistPayload { + ip_or_cidr: string + reason: string +} + +export const listWhitelists = async (): Promise => { + const resp = await client.get<{ whitelist: CrowdSecWhitelistEntry[] }>('/admin/crowdsec/whitelist') + return resp.data.whitelist +} + +export const addWhitelist = async (data: AddWhitelistPayload): Promise => { + const resp = await client.post('/admin/crowdsec/whitelist', data) + return resp.data +} + +export const deleteWhitelist = async (uuid: string): Promise => { + await client.delete(`/admin/crowdsec/whitelist/${uuid}`) +} + +export default { startCrowdsec, stopCrowdsec, statusCrowdsec, importCrowdsecConfig, exportCrowdsecConfig, listCrowdsecFiles, readCrowdsecFile, writeCrowdsecFile, listCrowdsecDecisions, banIP, unbanIP, getCrowdsecKeyStatus, listWhitelists, addWhitelist, deleteWhitelist } diff --git a/frontend/src/hooks/__tests__/useCrowdSecWhitelist.test.ts b/frontend/src/hooks/__tests__/useCrowdSecWhitelist.test.ts new file mode 100644 index 00000000..b59bdc09 --- /dev/null +++ b/frontend/src/hooks/__tests__/useCrowdSecWhitelist.test.ts @@ -0,0 +1,155 @@ +import { QueryClientProvider } from '@tanstack/react-query' +import { renderHook, act, waitFor } from '@testing-library/react' +import React from 'react' +import { vi, describe, it, expect, beforeEach } from 'vitest' + +import * as crowdsecApi from '../../api/crowdsec' +import * as toastUtil from '../../utils/toast' +import { createTestQueryClient } from '../../test/createTestQueryClient' +import { useWhitelistEntries, useAddWhitelist, useDeleteWhitelist } from '../useCrowdSecWhitelist' + +import type { CrowdSecWhitelistEntry } from '../../api/crowdsec' + +vi.mock('../../api/crowdsec', () => ({ + listWhitelists: vi.fn(), + addWhitelist: vi.fn(), + deleteWhitelist: vi.fn(), +})) + +vi.mock('../../utils/toast', () => ({ + toast: { + success: vi.fn(), + error: vi.fn(), + }, +})) + +const wrapper = ({ children }: { children: React.ReactNode }) => { + const qc = createTestQueryClient() + return React.createElement(QueryClientProvider, { client: qc }, children) +} + +const mockEntry: CrowdSecWhitelistEntry = { + uuid: 'abc-123', + ip_or_cidr: '192.168.1.1', + reason: 'trusted device', + created_at: '2025-01-01T00:00:00Z', + updated_at: '2025-01-01T00:00:00Z', +} + +describe('useWhitelistEntries', () => { + beforeEach(() => vi.clearAllMocks()) + + it('returns whitelist entries on success', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue([mockEntry]) + + const { result } = renderHook(() => useWhitelistEntries(), { wrapper }) + + await waitFor(() => expect(result.current.isSuccess).toBe(true)) + + expect(result.current.data).toEqual([mockEntry]) + }) + + it('returns empty array when no entries', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue([]) + + const { result } = renderHook(() => useWhitelistEntries(), { wrapper }) + + await waitFor(() => expect(result.current.isSuccess).toBe(true)) + + expect(result.current.data).toEqual([]) + }) +}) + +describe('useAddWhitelist', () => { + beforeEach(() => vi.clearAllMocks()) + + it('calls addWhitelist and shows success toast on success', async () => { + vi.mocked(crowdsecApi.addWhitelist).mockResolvedValue(mockEntry) + + const { result } = renderHook(() => useAddWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate({ ip_or_cidr: '192.168.1.1', reason: 'test' }) + }) + + await waitFor(() => expect(result.current.isSuccess).toBe(true)) + + expect(crowdsecApi.addWhitelist).toHaveBeenCalledWith({ ip_or_cidr: '192.168.1.1', reason: 'test' }) + expect(toastUtil.toast.success).toHaveBeenCalledWith('Whitelist entry added') + }) + + it('shows error toast with server message on failure', async () => { + vi.mocked(crowdsecApi.addWhitelist).mockRejectedValue(new Error('IP already whitelisted')) + + const { result } = renderHook(() => useAddWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate({ ip_or_cidr: '10.0.0.0/8', reason: '' }) + }) + + await waitFor(() => expect(result.current.isError).toBe(true)) + + expect(toastUtil.toast.error).toHaveBeenCalledWith('IP already whitelisted') + }) + + it('shows generic error toast for non-Error failures', async () => { + vi.mocked(crowdsecApi.addWhitelist).mockRejectedValue('unexpected') + + const { result } = renderHook(() => useAddWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate({ ip_or_cidr: '10.0.0.1', reason: '' }) + }) + + await waitFor(() => expect(result.current.isError).toBe(true)) + + expect(toastUtil.toast.error).toHaveBeenCalledWith('Failed to add whitelist entry') + }) +}) + +describe('useDeleteWhitelist', () => { + beforeEach(() => vi.clearAllMocks()) + + it('calls deleteWhitelist and shows success toast on success', async () => { + vi.mocked(crowdsecApi.deleteWhitelist).mockResolvedValue(undefined) + + const { result } = renderHook(() => useDeleteWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate('abc-123') + }) + + await waitFor(() => expect(result.current.isSuccess).toBe(true)) + + expect(crowdsecApi.deleteWhitelist).toHaveBeenCalledWith('abc-123') + expect(toastUtil.toast.success).toHaveBeenCalledWith('Whitelist entry removed') + }) + + it('shows error toast with server message on failure', async () => { + vi.mocked(crowdsecApi.deleteWhitelist).mockRejectedValue(new Error('Entry not found')) + + const { result } = renderHook(() => useDeleteWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate('bad-uuid') + }) + + await waitFor(() => expect(result.current.isError).toBe(true)) + + expect(toastUtil.toast.error).toHaveBeenCalledWith('Entry not found') + }) + + it('shows generic error toast for non-Error failures', async () => { + vi.mocked(crowdsecApi.deleteWhitelist).mockRejectedValue(null) + + const { result } = renderHook(() => useDeleteWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate('some-uuid') + }) + + await waitFor(() => expect(result.current.isError).toBe(true)) + + expect(toastUtil.toast.error).toHaveBeenCalledWith('Failed to remove whitelist entry') + }) +}) diff --git a/frontend/src/hooks/useCrowdSecWhitelist.ts b/frontend/src/hooks/useCrowdSecWhitelist.ts new file mode 100644 index 00000000..a36bfceb --- /dev/null +++ b/frontend/src/hooks/useCrowdSecWhitelist.ts @@ -0,0 +1,38 @@ +import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query' + +import { listWhitelists, addWhitelist, deleteWhitelist, type AddWhitelistPayload } from '../api/crowdsec' +import { toast } from '../utils/toast' + +export const useWhitelistEntries = () => + useQuery({ + queryKey: ['crowdsec-whitelist'], + queryFn: listWhitelists, + }) + +export const useAddWhitelist = () => { + const queryClient = useQueryClient() + return useMutation({ + mutationFn: (data: AddWhitelistPayload) => addWhitelist(data), + onSuccess: () => { + toast.success('Whitelist entry added') + queryClient.invalidateQueries({ queryKey: ['crowdsec-whitelist'] }) + }, + onError: (err: unknown) => { + toast.error(err instanceof Error ? err.message : 'Failed to add whitelist entry') + }, + }) +} + +export const useDeleteWhitelist = () => { + const queryClient = useQueryClient() + return useMutation({ + mutationFn: (uuid: string) => deleteWhitelist(uuid), + onSuccess: () => { + toast.success('Whitelist entry removed') + queryClient.invalidateQueries({ queryKey: ['crowdsec-whitelist'] }) + }, + onError: (err: unknown) => { + toast.error(err instanceof Error ? err.message : 'Failed to remove whitelist entry') + }, + }) +} diff --git a/frontend/src/pages/CrowdSecConfig.tsx b/frontend/src/pages/CrowdSecConfig.tsx index 3044347b..ea82c143 100644 --- a/frontend/src/pages/CrowdSecConfig.tsx +++ b/frontend/src/pages/CrowdSecConfig.tsx @@ -6,10 +6,11 @@ import { useTranslation } from 'react-i18next' import { useNavigate, Link } from 'react-router-dom' import { createBackup } from '../api/backups' -import { exportCrowdsecConfig, importCrowdsecConfig, listCrowdsecFiles, readCrowdsecFile, writeCrowdsecFile, listCrowdsecDecisions, banIP, unbanIP, type CrowdSecDecision, statusCrowdsec, type CrowdSecStatus, startCrowdsec } from '../api/crowdsec' +import { exportCrowdsecConfig, importCrowdsecConfig, listCrowdsecFiles, readCrowdsecFile, writeCrowdsecFile, listCrowdsecDecisions, banIP, unbanIP, type CrowdSecDecision, type CrowdSecWhitelistEntry, statusCrowdsec, type CrowdSecStatus, startCrowdsec } from '../api/crowdsec' import { getFeatureFlags } from '../api/featureFlags' import { listCrowdsecPresets, pullCrowdsecPreset, applyCrowdsecPreset, getCrowdsecPresetCache } from '../api/presets' import { getSecurityStatus } from '../api/security' +import { getMyIP } from '../api/system' import { CrowdSecBouncerKeyDisplay } from '../components/CrowdSecBouncerKeyDisplay' import { ConfigReloadOverlay } from '../components/LoadingStates' import { Button } from '../components/ui/Button' @@ -19,6 +20,7 @@ import { Skeleton } from '../components/ui/Skeleton' import { Tabs, TabsContent, TabsList, TabsTrigger } from '../components/ui/Tabs' import { CROWDSEC_PRESETS, type CrowdsecPreset } from '../data/crowdsecPresets' import { useConsoleStatus, useEnrollConsole, useClearConsoleEnrollment } from '../hooks/useConsoleEnrollment' +import { useWhitelistEntries, useAddWhitelist, useDeleteWhitelist } from '../hooks/useCrowdSecWhitelist' import { buildCrowdsecExportFilename, downloadCrowdsecExport, promptCrowdsecFilename } from '../utils/crowdsecExport' import { toast } from '../utils/toast' @@ -36,6 +38,8 @@ export default function CrowdSecConfig() { const [showBanModal, setShowBanModal] = useState(false) const [banForm, setBanForm] = useState({ ip: '', duration: '24h', reason: '' }) const [confirmUnban, setConfirmUnban] = useState(null) + const [whitelistForm, setWhitelistForm] = useState<{ ip_or_cidr: string; reason: string }>({ ip_or_cidr: '', reason: '' }) + const [confirmDeleteWhitelist, setConfirmDeleteWhitelist] = useState(null) const [isApplyingPreset, setIsApplyingPreset] = useState(false) const [presetPreview, setPresetPreview] = useState('') const [presetMeta, setPresetMeta] = useState<{ cacheKey?: string; etag?: string; retrievedAt?: string; source?: string } | null>(null) @@ -361,6 +365,25 @@ export default function CrowdSecConfig() { }, }) + const whitelistQuery = useWhitelistEntries() + const addWhitelistMutation = useAddWhitelist() + const deleteWhitelistMutation = useDeleteWhitelist() + + const whitelistInlineError = addWhitelistMutation.error instanceof Error + ? addWhitelistMutation.error.message + : addWhitelistMutation.error != null + ? 'Failed to add entry' + : null + + const handleAddMyIP = async () => { + try { + const result = await getMyIP() + setWhitelistForm((prev) => ({ ...prev, ip_or_cidr: result.ip })) + } catch { + toast.error('Failed to detect your IP address') + } + } + const handleExport = async () => { const defaultName = buildCrowdsecExportFilename() const filename = promptCrowdsecFilename(defaultName) @@ -517,7 +540,9 @@ export default function CrowdSecConfig() { pullPresetMutation.isPending || isApplyingPreset || banMutation.isPending || - unbanMutation.isPending + unbanMutation.isPending || + addWhitelistMutation.isPending || + deleteWhitelistMutation.isPending // Determine contextual message const getMessage = () => { @@ -539,6 +564,12 @@ export default function CrowdSecConfig() { if (unbanMutation.isPending) { return { message: 'Guardian lowers shield...', submessage: 'Unbanning IP address' } } + if (addWhitelistMutation.isPending) { + return { message: 'Guardian updates list...', submessage: 'Adding IP to whitelist' } + } + if (deleteWhitelistMutation.isPending) { + return { message: 'Guardian updates list...', submessage: 'Removing from whitelist' } + } return { message: 'Strengthening the guard...', submessage: 'Configuration in progress' } } @@ -565,6 +596,7 @@ export default function CrowdSecConfig() { {t('security.crowdsec.tabs.config', 'Configuration')} {t('security.crowdsec.tabs.dashboard', 'Dashboard')} + {isLocalMode && {t('crowdsecConfig.whitelist.tabLabel', 'Whitelist')}} @@ -1241,6 +1273,135 @@ export default function CrowdSecConfig() { + + {isLocalMode && ( + + +
+
+ +

{t('crowdsecConfig.whitelist.title', 'IP Whitelist')}

+
+

+ {t('crowdsecConfig.whitelist.description', 'Whitelisted IPs and CIDRs are never blocked by CrowdSec, even if they trigger alerts.')} +

+ + {/* Add entry form */} +
+
+ { + setWhitelistForm((prev) => ({ ...prev, ip_or_cidr: e.target.value })) + if (addWhitelistMutation.error) addWhitelistMutation.reset() + }} + error={whitelistInlineError ?? undefined} + errorTestId="whitelist-ip-error" + aria-required={true} + data-testid="whitelist-ip-input" + /> +
+
+ setWhitelistForm((prev) => ({ ...prev, reason: e.target.value }))} + data-testid="whitelist-reason-input" + /> +
+
+ + +
+
+ + {/* Entries table */} + {whitelistQuery.isLoading ? ( +
+ + + +
+ ) : !whitelistQuery.data?.length ? ( +

+ {t('crowdsecConfig.whitelist.none', 'No whitelist entries')} +

+ ) : ( +
+ + + + + + + + + + + {whitelistQuery.data.map((entry) => ( + + + + + + + ))} + +
+ {t('crowdsecConfig.whitelist.columnIp', 'IP / CIDR')} + + {t('crowdsecConfig.whitelist.columnReason', 'Reason')} + + {t('crowdsecConfig.whitelist.columnAdded', 'Added')} + + {t('crowdsecConfig.bannedIps.actions')} +
{entry.ip_or_cidr}{entry.reason || '-'} + {entry.created_at ? new Date(entry.created_at).toLocaleString() : '-'} + + +
+
+ )} +
+ + + )} + @@ -1386,6 +1547,54 @@ export default function CrowdSecConfig() { )} + + {/* Delete Whitelist Entry Modal */} + {confirmDeleteWhitelist && ( +
+ + +
+ + + )} ) } diff --git a/frontend/src/pages/Security.tsx b/frontend/src/pages/Security.tsx index d88884b6..45a5e4d6 100644 --- a/frontend/src/pages/Security.tsx +++ b/frontend/src/pages/Security.tsx @@ -435,7 +435,7 @@ export default function Security() {
- {t('security.crowdsec')} + {t('security.crowdsec.title')} {t('security.crowdsecDescription')}
@@ -485,7 +485,7 @@ export default function Security() {
{t('security.layer2')} - {t('security.acl')} + {t('security.acl.badge')}
{status.acl.enabled ? t('common.enabled') : t('common.disabled')} @@ -538,7 +538,7 @@ export default function Security() {
{t('security.layer3')} - {t('security.waf')} + {t('security.waf.badge')}
{status.waf.enabled ? t('common.enabled') : t('common.disabled')} diff --git a/frontend/src/pages/__tests__/CrowdSecConfig.whitelist.test.tsx b/frontend/src/pages/__tests__/CrowdSecConfig.whitelist.test.tsx new file mode 100644 index 00000000..003d7b27 --- /dev/null +++ b/frontend/src/pages/__tests__/CrowdSecConfig.whitelist.test.tsx @@ -0,0 +1,321 @@ +import { screen, waitFor } from '@testing-library/react' +import userEvent from '@testing-library/user-event' +import { AxiosError } from 'axios' +import { describe, it, expect, vi, beforeEach } from 'vitest' + +import * as backupsApi from '../../api/backups' +import * as crowdsecApi from '../../api/crowdsec' +import * as featureFlagsApi from '../../api/featureFlags' +import * as presetsApi from '../../api/presets' +import * as securityApi from '../../api/security' +import * as settingsApi from '../../api/settings' +import * as systemApi from '../../api/system' +import { renderWithQueryClient } from '../../test-utils/renderWithQueryClient' +import { toast } from '../../utils/toast' +import CrowdSecConfig from '../CrowdSecConfig' + +vi.mock('../../api/security') +vi.mock('../../api/crowdsec') +vi.mock('../../api/presets') +vi.mock('../../api/backups') +vi.mock('../../api/settings') +vi.mock('../../api/featureFlags') +vi.mock('../../api/system') +vi.mock('../../hooks/useConsoleEnrollment', () => ({ + useConsoleStatus: vi.fn(() => ({ + data: { + status: 'not_enrolled', + key_present: false, + last_error: null, + last_attempt_at: null, + enrolled_at: null, + last_heartbeat_at: null, + correlation_id: 'corr-1', + tenant: 'default', + agent_name: 'charon-agent', + }, + isLoading: false, + isRefetching: false, + })), + useEnrollConsole: vi.fn(() => ({ + mutateAsync: vi.fn().mockResolvedValue({ status: 'enrolling', key_present: false }), + isPending: false, + })), + useClearConsoleEnrollment: vi.fn(() => ({ mutate: vi.fn(), isPending: false })), +})) +vi.mock('../../components/CrowdSecBouncerKeyDisplay', () => ({ + CrowdSecBouncerKeyDisplay: () => null, +})) +vi.mock('../../utils/crowdsecExport', () => ({ + buildCrowdsecExportFilename: vi.fn(() => 'crowdsec-default.tar.gz'), + promptCrowdsecFilename: vi.fn(() => 'crowdsec.tar.gz'), + downloadCrowdsecExport: vi.fn(), +})) +vi.mock('../../utils/toast', () => ({ + toast: { success: vi.fn(), error: vi.fn(), info: vi.fn() }, +})) + +// The i18n mock in test setup returns the translation key when no translation is found. +// These constants keep assertions in sync with what the component actually renders. +const TAB_WHITELIST = 'crowdsecConfig.whitelist.tabLabel' +const MODAL_TITLE = 'crowdsecConfig.whitelist.deleteModal.title' +const BTN_REMOVE = 'crowdsecConfig.whitelist.deleteModal.submit' + +const baseStatus = { + cerberus: { enabled: true }, + crowdsec: { enabled: true, mode: 'local' as const, api_url: '' }, + waf: { enabled: true, mode: 'enabled' as const }, + rate_limit: { enabled: true }, + acl: { enabled: true }, +} + +const axiosError = (status: number, message: string, data?: Record) => + new AxiosError(message, undefined, undefined, undefined, { + status, + statusText: String(status), + headers: {}, + config: {}, + data: data ?? { error: message }, + } as never) + +const mockWhitelistEntries = [ + { + uuid: 'uuid-1', + ip_or_cidr: '192.168.1.1', + reason: 'Home IP', + created_at: '2024-01-01T00:00:00Z', + updated_at: '2024-01-01T00:00:00Z', + }, + { + uuid: 'uuid-2', + ip_or_cidr: '10.0.0.0/8', + reason: 'LAN', + created_at: '2024-01-02T00:00:00Z', + updated_at: '2024-01-02T00:00:00Z', + }, +] + +const renderPage = async () => { + renderWithQueryClient() + await waitFor(() => screen.getByText('CrowdSec Configuration')) +} + +const goToWhitelistTab = async () => { + await userEvent.click(screen.getByRole('tab', { name: TAB_WHITELIST })) + await waitFor(() => screen.getByTestId('whitelist-ip-input')) +} + +describe('CrowdSecConfig – whitelist tab', () => { + beforeEach(() => { + vi.clearAllMocks() + vi.mocked(securityApi.getSecurityStatus).mockResolvedValue(baseStatus) + vi.mocked(crowdsecApi.statusCrowdsec).mockResolvedValue({ running: true, pid: 123, lapi_ready: true }) + vi.mocked(crowdsecApi.listCrowdsecFiles).mockResolvedValue({ files: ['acquis.yaml'] }) + vi.mocked(crowdsecApi.readCrowdsecFile).mockResolvedValue({ content: '' }) + vi.mocked(crowdsecApi.writeCrowdsecFile).mockResolvedValue(undefined) + vi.mocked(crowdsecApi.listCrowdsecDecisions).mockResolvedValue({ decisions: [] }) + vi.mocked(crowdsecApi.banIP).mockResolvedValue(undefined) + vi.mocked(crowdsecApi.unbanIP).mockResolvedValue(undefined) + vi.mocked(crowdsecApi.exportCrowdsecConfig).mockResolvedValue(new Blob(['data'])) + vi.mocked(crowdsecApi.importCrowdsecConfig).mockResolvedValue(undefined) + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue([]) + vi.mocked(crowdsecApi.addWhitelist).mockResolvedValue({ + uuid: 'uuid-new', + ip_or_cidr: '1.2.3.4', + reason: '', + created_at: '', + updated_at: '', + }) + vi.mocked(crowdsecApi.deleteWhitelist).mockResolvedValue(undefined) + vi.mocked(presetsApi.listCrowdsecPresets).mockResolvedValue({ presets: [] }) + vi.mocked(presetsApi.pullCrowdsecPreset).mockResolvedValue({ + status: 'pulled', + slug: '', + preview: '', + cache_key: '', + etag: '', + retrieved_at: '', + source: 'hub', + }) + vi.mocked(presetsApi.applyCrowdsecPreset).mockResolvedValue({ + status: 'applied', + backup: '', + reload_hint: false, + used_cscli: false, + cache_key: '', + slug: '', + }) + vi.mocked(presetsApi.getCrowdsecPresetCache).mockResolvedValue({ + preview: '', + cache_key: '', + etag: '', + }) + vi.mocked(backupsApi.createBackup).mockResolvedValue({ filename: 'backup.tar.gz' }) + vi.mocked(settingsApi.updateSetting).mockResolvedValue() + vi.mocked(featureFlagsApi.getFeatureFlags).mockResolvedValue({ + 'feature.crowdsec.console_enrollment': false, + }) + vi.mocked(systemApi.getMyIP).mockResolvedValue({ ip: '203.0.113.1', source: 'cloudflare' }) + }) + + it('shows whitelist tab trigger in local mode', async () => { + await renderPage() + expect(screen.getByRole('tab', { name: TAB_WHITELIST })).toBeInTheDocument() + }) + + it('does not show whitelist tab in disabled mode', async () => { + vi.mocked(securityApi.getSecurityStatus).mockResolvedValue({ + ...baseStatus, + crowdsec: { enabled: true, mode: 'disabled' as const, api_url: '' }, + }) + await renderPage() + expect(screen.queryByRole('tab', { name: TAB_WHITELIST })).not.toBeInTheDocument() + }) + + it('shows empty state when there are no whitelist entries', async () => { + await renderPage() + await goToWhitelistTab() + expect(screen.getByTestId('whitelist-empty')).toBeInTheDocument() + }) + + it('renders whitelist entries in the table', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + expect(await screen.findByText('192.168.1.1')).toBeInTheDocument() + expect(screen.getByText('10.0.0.0/8')).toBeInTheDocument() + expect(screen.getByText('Home IP')).toBeInTheDocument() + expect(screen.getByText('LAN')).toBeInTheDocument() + }) + + it('submits a new whitelist entry', async () => { + await renderPage() + await goToWhitelistTab() + await userEvent.type(screen.getByTestId('whitelist-ip-input'), '1.2.3.4') + await userEvent.type(screen.getByTestId('whitelist-reason-input'), 'Test reason') + await userEvent.click(screen.getByTestId('whitelist-add-btn')) + await waitFor(() => + expect(crowdsecApi.addWhitelist).toHaveBeenCalledWith({ + ip_or_cidr: '1.2.3.4', + reason: 'Test reason', + }), + ) + }) + + it('shows add-whitelist loading overlay while mutation is pending', async () => { + let resolveAdd!: (v: (typeof mockWhitelistEntries)[0]) => void + vi.mocked(crowdsecApi.addWhitelist).mockImplementationOnce( + () => + new Promise((resolve) => { + resolveAdd = resolve + }), + ) + await renderPage() + await goToWhitelistTab() + await userEvent.type(screen.getByTestId('whitelist-ip-input'), '1.2.3.4') + await userEvent.click(screen.getByTestId('whitelist-add-btn')) + await waitFor(() => expect(screen.getByText('Adding IP to whitelist')).toBeInTheDocument()) + resolveAdd(mockWhitelistEntries[0]) + }) + + it('displays inline error when adding a whitelist entry fails', async () => { + vi.mocked(crowdsecApi.addWhitelist).mockRejectedValueOnce( + axiosError(400, 'Invalid IP', { error: 'bad ip format' }), + ) + await renderPage() + await goToWhitelistTab() + await userEvent.type(screen.getByTestId('whitelist-ip-input'), 'bad-ip') + await userEvent.click(screen.getByTestId('whitelist-add-btn')) + await waitFor(() => expect(screen.getByTestId('whitelist-ip-error')).toBeInTheDocument()) + }) + + it('opens delete confirmation dialog', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + expect(await screen.findByRole('dialog', { name: MODAL_TITLE })).toBeInTheDocument() + }) + + it('cancels whitelist deletion via Cancel button', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + await userEvent.click(await screen.findByRole('button', { name: 'Cancel' })) + await waitFor(() => + expect(screen.queryByRole('dialog', { name: MODAL_TITLE })).not.toBeInTheDocument(), + ) + expect(crowdsecApi.deleteWhitelist).not.toHaveBeenCalled() + }) + + it('confirms whitelist entry deletion via Remove button', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + await userEvent.click(await screen.findByRole('button', { name: BTN_REMOVE })) + await waitFor(() => expect(crowdsecApi.deleteWhitelist).toHaveBeenCalledWith('uuid-1')) + }) + + it('shows delete-whitelist loading overlay while mutation is pending', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + let resolveDelete!: () => void + vi.mocked(crowdsecApi.deleteWhitelist).mockImplementationOnce( + () => + new Promise((resolve) => { + resolveDelete = resolve + }), + ) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + await userEvent.click(await screen.findByRole('button', { name: BTN_REMOVE })) + await waitFor(() => expect(screen.getByText('Removing from whitelist')).toBeInTheDocument()) + resolveDelete() + }) + + it('closes delete dialog on Escape key', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + expect(await screen.findByRole('dialog', { name: MODAL_TITLE })).toBeInTheDocument() + await userEvent.keyboard('{Escape}') + await waitFor(() => + expect(screen.queryByRole('dialog', { name: MODAL_TITLE })).not.toBeInTheDocument(), + ) + }) + + it('closes delete dialog when backdrop is clicked', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + expect(await screen.findByRole('dialog', { name: MODAL_TITLE })).toBeInTheDocument() + await userEvent.click(screen.getByRole('button', { name: /close/i })) + await waitFor(() => + expect(screen.queryByRole('dialog', { name: MODAL_TITLE })).not.toBeInTheDocument(), + ) + }) + + it('fills IP input when Add My IP is clicked', async () => { + await renderPage() + await goToWhitelistTab() + await userEvent.click(screen.getByTestId('whitelist-add-my-ip-btn')) + await waitFor(() => { + const input = screen.getByTestId('whitelist-ip-input') as HTMLInputElement + expect(input.value).toBe('203.0.113.1') + }) + }) + + it('shows error toast when Add My IP request fails', async () => { + vi.mocked(systemApi.getMyIP).mockRejectedValueOnce(new Error('network error')) + await renderPage() + await goToWhitelistTab() + await userEvent.click(screen.getByTestId('whitelist-add-my-ip-btn')) + await waitFor(() => + expect(toast.error).toHaveBeenCalledWith('Failed to detect your IP address'), + ) + }) +}) diff --git a/frontend/src/pages/__tests__/Dashboard.test.tsx b/frontend/src/pages/__tests__/Dashboard.test.tsx index 06883756..0235e9f4 100644 --- a/frontend/src/pages/__tests__/Dashboard.test.tsx +++ b/frontend/src/pages/__tests__/Dashboard.test.tsx @@ -27,7 +27,7 @@ vi.mock('../../hooks/useRemoteServers', () => ({ vi.mock('../../hooks/useCertificates', () => ({ useCertificates: () => ({ certificates: [ - { id: 1, status: 'valid', domain: 'test.com' }, + { id: 1, status: 'valid', domain: 'test.com', domains: 'test.com,www.test.com' }, { id: 2, status: 'expired', domain: 'expired.com' }, ], isLoading: false, @@ -84,4 +84,5 @@ describe('Dashboard page', () => { // "1 valid" still renders even though cert.domains is undefined expect(screen.getByText('1 valid')).toBeInTheDocument() }) + }) diff --git a/frontend/src/pages/__tests__/Security.functional.test.tsx b/frontend/src/pages/__tests__/Security.functional.test.tsx index bb385492..1b0a87c9 100644 --- a/frontend/src/pages/__tests__/Security.functional.test.tsx +++ b/frontend/src/pages/__tests__/Security.functional.test.tsx @@ -73,6 +73,7 @@ const securityTranslations: Record = { 'security.waf': 'WAF', 'security.rate': 'Rate', 'security.crowdsec': 'CrowdSec', + 'security.crowdsec.title': 'CrowdSec', 'security.crowdsecDescription': 'IP Reputation', 'security.crowdsecProtects': 'Blocks known attackers, botnets, and malicious IPs', 'security.crowdsecDisabledDescription': 'Enable to block known malicious IPs', diff --git a/frontend/src/pages/__tests__/UsersPage.test.tsx b/frontend/src/pages/__tests__/UsersPage.test.tsx index 5fa138c2..dfc77960 100644 --- a/frontend/src/pages/__tests__/UsersPage.test.tsx +++ b/frontend/src/pages/__tests__/UsersPage.test.tsx @@ -447,18 +447,23 @@ describe('UsersPage', () => { const user = userEvent.setup() expect(await screen.findByText('Invite User')).toBeInTheDocument() await user.click(screen.getByRole('button', { name: /Invite User/i })) + expect(await screen.findByPlaceholderText('user@example.com')).toBeInTheDocument() - const emailInput = screen.getByPlaceholderText('user@example.com') - await user.type(emailInput, 'test@example.com') + vi.useFakeTimers() + + try { + const emailInput = screen.getByPlaceholderText('user@example.com') + fireEvent.change(emailInput, { target: { value: 'test@example.com' } }) + + await act(async () => { + await vi.advanceTimersByTimeAsync(550) + }) - await waitFor(() => { expect(client.post).toHaveBeenCalledWith('/users/preview-invite-url', { email: 'test@example.com' }) - }, { timeout: 2000 }) - - // Look for the preview URL content with ellipsis replacing the token - await waitFor(() => { expect(screen.getByText('https://charon.example.com/accept-invite?token=...')).toBeInTheDocument() - }, { timeout: 2000 }) + } finally { + vi.useRealTimers() + } }) it('debounces URL preview for 500ms', async () => { diff --git a/package-lock.json b/package-lock.json index 1b6667fd..5d7740c1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -19,8 +19,8 @@ "prettier": "^3.8.3", "prettier-plugin-tailwindcss": "^0.7.2", "tar": "^7.5.13", - "typescript": "^6.0.2", - "vite": "^8.0.8", + "typescript": "^6.0.3", + "vite": "^8.0.9", "vitest": "^4.1.4" } }, @@ -231,29 +231,43 @@ } }, "node_modules/@humanfs/core": { - "version": "0.19.1", - "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz", - "integrity": "sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==", + "version": "0.19.2", + "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.2.tgz", + "integrity": "sha512-UhXNm+CFMWcbChXywFwkmhqjs3PRCmcSa/hfBgLIb7oQ5HNb1wS0icWsGtSAUNgefHeI+eBrA8I1fxmbHsGdvA==", "dev": true, "license": "Apache-2.0", + "dependencies": { + "@humanfs/types": "^0.15.0" + }, "engines": { "node": ">=18.18.0" } }, "node_modules/@humanfs/node": { - "version": "0.16.7", - "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.7.tgz", - "integrity": "sha512-/zUx+yOsIrG4Y43Eh2peDeKCxlRt/gET6aHfaKpuq267qXdYDFViVHfMaLyygZOnl0kGWxFIgsBy8QFuTLUXEQ==", + "version": "0.16.8", + "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.8.tgz", + "integrity": "sha512-gE1eQNZ3R++kTzFUpdGlpmy8kDZD/MLyHqDwqjkVQI0JMdI1D51sy1H958PNXYkM2rAac7e5/CnIKZrHtPh3BQ==", "dev": true, "license": "Apache-2.0", "dependencies": { - "@humanfs/core": "^0.19.1", + "@humanfs/core": "^0.19.2", + "@humanfs/types": "^0.15.0", "@humanwhocodes/retry": "^0.4.0" }, "engines": { "node": ">=18.18.0" } }, + "node_modules/@humanfs/types": { + "version": "0.15.0", + "resolved": "https://registry.npmjs.org/@humanfs/types/-/types-0.15.0.tgz", + "integrity": "sha512-ZZ1w0aoQkwuUuC7Yf+7sdeaNfqQiiLcSRbfI08oAxqLtpXQr9AIVX7Ay7HLDuiLYAaFPu8oBYNq/QIi9URHJ3Q==", + "dev": true, + "license": "Apache-2.0", + "engines": { + "node": ">=18.18.0" + } + }, "node_modules/@humanwhocodes/module-importer": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz", @@ -381,9 +395,9 @@ } }, "node_modules/@oxc-project/types": { - "version": "0.124.0", - "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.124.0.tgz", - "integrity": "sha512-VBFWMTBvHxS11Z5Lvlr3IWgrwhMTXV+Md+EQF0Xf60+wAdsGFTBx7X7K/hP4pi8N7dcm1RvcHwDxZ16Qx8keUg==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.126.0.tgz", + "integrity": "sha512-oGfVtjAgwQVVpfBrbtk4e1XDyWHRFta6BS3GWVzrF8xYBT2VGQAk39yJS/wFSMrZqoiCU4oghT3Ch0HaHGIHcQ==", "dev": true, "license": "MIT", "funding": { @@ -407,9 +421,9 @@ } }, "node_modules/@rolldown/binding-android-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-YYe6aWruPZDtHNpwu7+qAHEMbQ/yRl6atqb/AhznLTnD3UY99Q1jE7ihLSahNWkF4EqRPVC4SiR4O0UkLK02tA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.16.tgz", + "integrity": "sha512-rhY3k7Bsae9qQfOtph2Pm2jZEA+s8Gmjoz4hhmx70K9iMQ/ddeae+xhRQcM5IuVx5ry1+bGfkvMn7D6MJggVSA==", "cpu": [ "arm64" ], @@ -424,9 +438,9 @@ } }, "node_modules/@rolldown/binding-darwin-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-oArR/ig8wNTPYsXL+Mzhs0oxhxfuHRfG7Ikw7jXsw8mYOtk71W0OkF2VEVh699pdmzjPQsTjlD1JIOoHkLP1Fg==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.16.tgz", + "integrity": "sha512-rNz0yK078yrNn3DrdgN+PKiMOW8HfQ92jQiXxwX8yW899ayV00MLVdaCNeVBhG/TbH3ouYVObo8/yrkiectkcQ==", "cpu": [ "arm64" ], @@ -441,9 +455,9 @@ } }, "node_modules/@rolldown/binding-darwin-x64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.15.tgz", - "integrity": "sha512-YzeVqOqjPYvUbJSWJ4EDL8ahbmsIXQpgL3JVipmN+MX0XnXMeWomLN3Fb+nwCmP/jfyqte5I3XRSm7OfQrbyxw==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.16.tgz", + "integrity": "sha512-r/OmdR00HmD4i79Z//xO06uEPOq5hRXdhw7nzkxQxwSavs3PSHa1ijntdpOiZ2mzOQ3fVVu8C1M19FoNM+dMUQ==", "cpu": [ "x64" ], @@ -458,9 +472,9 @@ } }, "node_modules/@rolldown/binding-freebsd-x64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.15.tgz", - "integrity": "sha512-9Erhx956jeQ0nNTyif1+QWAXDRD38ZNjr//bSHrt6wDwB+QkAfl2q6Mn1k6OBPerznjRmbM10lgRb1Pli4xZPw==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.16.tgz", + "integrity": "sha512-KcRE5w8h0OnjUatG8pldyD14/CQ5Phs1oxfR+3pKDjboHRo9+MkqQaiIZlZRpsxC15paeXme/I127tUa9TXJ6g==", "cpu": [ "x64" ], @@ -475,9 +489,9 @@ } }, "node_modules/@rolldown/binding-linux-arm-gnueabihf": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.15.tgz", - "integrity": "sha512-cVwk0w8QbZJGTnP/AHQBs5yNwmpgGYStL88t4UIaqcvYJWBfS0s3oqVLZPwsPU6M0zlW4GqjP0Zq5MnAGwFeGA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.16.tgz", + "integrity": "sha512-bT0guA1bpxEJ/ZhTRniQf7rNF8ybvXOuWbNIeLABaV5NGjx4EtOWBTSRGWFU9ZWVkPOZ+HNFP8RMcBokBiZ0Kg==", "cpu": [ "arm" ], @@ -492,9 +506,9 @@ } }, "node_modules/@rolldown/binding-linux-arm64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-eBZ/u8iAK9SoHGanqe/jrPnY0JvBN6iXbVOsbO38mbz+ZJsaobExAm1Iu+rxa4S1l2FjG0qEZn4Rc6X8n+9M+w==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-+tHktCHWV8BDQSjemUqm/Jl/TPk3QObCTIjmdDy/nlupcujZghmKK2962LYrqFpWu+ai01AN/REOH3NEpqvYQg==", "cpu": [ "arm64" ], @@ -509,9 +523,9 @@ } }, "node_modules/@rolldown/binding-linux-arm64-musl": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.15.tgz", - "integrity": "sha512-ZvRYMGrAklV9PEkgt4LQM6MjQX2P58HPAuecwYObY2DhS2t35R0I810bKi0wmaYORt6m/2Sm+Z+nFgb0WhXNcQ==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.16.tgz", + "integrity": "sha512-3fPzdREH806oRLxpTWW1Gt4tQHs0TitZFOECB2xzCFLPKnSOy90gwA7P29cksYilFO6XVRY1kzga0cL2nRjKPg==", "cpu": [ "arm64" ], @@ -526,9 +540,9 @@ } }, "node_modules/@rolldown/binding-linux-ppc64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-VDpgGBzgfg5hLg+uBpCLoFG5kVvEyafmfxGUV0UHLcL5irxAK7PKNeC2MwClgk6ZAiNhmo9FLhRYgvMmedLtnQ==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-EKwI1tSrLs7YVw+JPJT/G2dJQ1jl9qlTTTEG0V2Ok/RdOenRfBw2PQdLPyjhIu58ocdBfP7vIRN/pvMsPxs/AQ==", "cpu": [ "ppc64" ], @@ -543,9 +557,9 @@ } }, "node_modules/@rolldown/binding-linux-s390x-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-y1uXY3qQWCzcPgRJATPSOUP4tCemh4uBdY7e3EZbVwCJTY3gLJWnQABgeUetvED+bt1FQ01OeZwvhLS2bpNrAQ==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-Uknladnb3Sxqu6SEcqBldQyJUpk8NleooZEc0MbRBJ4inEhRYWZX0NJu12vNf2mqAq7gsofAxHrGghiUYjhaLQ==", "cpu": [ "s390x" ], @@ -560,9 +574,9 @@ } }, "node_modules/@rolldown/binding-linux-x64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-023bTPBod7J3Y/4fzAN6QtpkSABR0rigtrwaP+qSEabUh5zf6ELr9Nc7GujaROuPY3uwdSIXWrvhn1KxOvurWA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-FIb8+uG49sZBtLTn+zt1AJ20TqVcqWeSIyoVt0or7uAWesgKaHbiBh6OpA/k9v0LTt+PTrb1Lao133kP4uVxkg==", "cpu": [ "x64" ], @@ -577,9 +591,9 @@ } }, "node_modules/@rolldown/binding-linux-x64-musl": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.15.tgz", - "integrity": "sha512-witB2O0/hU4CgfOOKUoeFgQ4GktPi1eEbAhaLAIpgD6+ZnhcPkUtPsoKKHRzmOoWPZue46IThdSgdo4XneOLYw==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.16.tgz", + "integrity": "sha512-RuERhF9/EgWxZEXYWCOaViUWHIboceK4/ivdtQ3R0T44NjLkIIlGIAVAuCddFxsZ7vnRHtNQUrt2vR2n2slB2w==", "cpu": [ "x64" ], @@ -594,9 +608,9 @@ } }, "node_modules/@rolldown/binding-openharmony-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-UCL68NJ0Ud5zRipXZE9dF5PmirzJE4E4BCIOOssEnM7wLDsxjc6Qb0sGDxTNRTP53I6MZpygyCpY8Aa8sPfKPg==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.16.tgz", + "integrity": "sha512-mXcXnvd9GpazCxeUCCnZ2+YF7nut+ZOEbE4GtaiPtyY6AkhZWbK70y1KK3j+RDhjVq5+U8FySkKRb/+w0EeUwA==", "cpu": [ "arm64" ], @@ -611,9 +625,9 @@ } }, "node_modules/@rolldown/binding-wasm32-wasi": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.15.tgz", - "integrity": "sha512-ApLruZq/ig+nhaE7OJm4lDjayUnOHVUa77zGeqnqZ9pn0ovdVbbNPerVibLXDmWeUZXjIYIT8V3xkT58Rm9u5Q==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.16.tgz", + "integrity": "sha512-3Q2KQxnC8IJOLqXmUMoYwyIPZU9hzRbnHaoV3Euz+VVnjZKcY8ktnNP8T9R4/GGQtb27C/UYKABxesKWb8lsvQ==", "cpu": [ "wasm32" ], @@ -623,16 +637,16 @@ "dependencies": { "@emnapi/core": "1.9.2", "@emnapi/runtime": "1.9.2", - "@napi-rs/wasm-runtime": "^1.1.3" + "@napi-rs/wasm-runtime": "^1.1.4" }, "engines": { - "node": ">=14.0.0" + "node": "^20.19.0 || >=22.12.0" } }, "node_modules/@rolldown/binding-win32-arm64-msvc": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.15.tgz", - "integrity": "sha512-KmoUoU7HnN+Si5YWJigfTws1jz1bKBYDQKdbLspz0UaqjjFkddHsqorgiW1mxcAj88lYUE6NC/zJNwT+SloqtA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.16.tgz", + "integrity": "sha512-tj7XRemQcOcFwv7qhpUxMTBbI5mWMlE4c1Omhg5+h8GuLXzyj8HviYgR+bB2DMDgRqUE+jiDleqSCRjx4aYk/Q==", "cpu": [ "arm64" ], @@ -647,9 +661,9 @@ } }, "node_modules/@rolldown/binding-win32-x64-msvc": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.15.tgz", - "integrity": "sha512-3P2A8L+x75qavWLe/Dll3EYBJLQmtkJN8rfh+U/eR3MqMgL/h98PhYI+JFfXuDPgPeCB7iZAKiqii5vqOvnA0g==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.16.tgz", + "integrity": "sha512-PH5DRZT+F4f2PTXRXR8uJxnBq2po/xFtddyabTJVJs/ZYVHqXPEgNIr35IHTEa6bpa0Q8Awg+ymkTaGnKITw4g==", "cpu": [ "x64" ], @@ -664,9 +678,9 @@ } }, "node_modules/@rolldown/pluginutils": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.15.tgz", - "integrity": "sha512-UromN0peaE53IaBRe9W7CjrZgXl90fqGpK+mIZbA3qSTeYqg3pqpROBdIPvOG3F5ereDHNwoHBI2e50n1BDr1g==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.16.tgz", + "integrity": "sha512-45+YtqxLYKDWQouLKCrpIZhke+nXxhsw+qAHVzHDVwttyBlHNBVs2K25rDXrZzhpTp9w1FlAlvweV1H++fdZoA==", "dev": true, "license": "MIT" }, @@ -3606,14 +3620,14 @@ } }, "node_modules/rolldown": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.15.tgz", - "integrity": "sha512-Ff31guA5zT6WjnGp0SXw76X6hzGRk/OQq2hE+1lcDe+lJdHSgnSX6nK3erbONHyCbpSj9a9E+uX/OvytZoWp2g==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.16.tgz", + "integrity": "sha512-rzi5WqKzEZw3SooTt7cgm4eqIoujPIyGcJNGFL7iPEuajQw7vxMHUkXylu4/vhCkJGXsgRmxqMKXUpT6FEgl0g==", "dev": true, "license": "MIT", "dependencies": { - "@oxc-project/types": "=0.124.0", - "@rolldown/pluginutils": "1.0.0-rc.15" + "@oxc-project/types": "=0.126.0", + "@rolldown/pluginutils": "1.0.0-rc.16" }, "bin": { "rolldown": "bin/cli.mjs" @@ -3622,21 +3636,21 @@ "node": "^20.19.0 || >=22.12.0" }, "optionalDependencies": { - "@rolldown/binding-android-arm64": "1.0.0-rc.15", - "@rolldown/binding-darwin-arm64": "1.0.0-rc.15", - "@rolldown/binding-darwin-x64": "1.0.0-rc.15", - "@rolldown/binding-freebsd-x64": "1.0.0-rc.15", - "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.15", - "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.15", - "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-x64-musl": "1.0.0-rc.15", - "@rolldown/binding-openharmony-arm64": "1.0.0-rc.15", - "@rolldown/binding-wasm32-wasi": "1.0.0-rc.15", - "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.15", - "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.15" + "@rolldown/binding-android-arm64": "1.0.0-rc.16", + "@rolldown/binding-darwin-arm64": "1.0.0-rc.16", + "@rolldown/binding-darwin-x64": "1.0.0-rc.16", + "@rolldown/binding-freebsd-x64": "1.0.0-rc.16", + "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.16", + "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.16", + "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-x64-musl": "1.0.0-rc.16", + "@rolldown/binding-openharmony-arm64": "1.0.0-rc.16", + "@rolldown/binding-wasm32-wasi": "1.0.0-rc.16", + "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.16", + "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.16" } }, "node_modules/run-parallel": { @@ -4014,9 +4028,9 @@ } }, "node_modules/typescript": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz", - "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==", + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz", + "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==", "dev": true, "license": "Apache-2.0", "bin": { @@ -4086,17 +4100,17 @@ } }, "node_modules/vite": { - "version": "8.0.8", - "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.8.tgz", - "integrity": "sha512-dbU7/iLVa8KZALJyLOBOQ88nOXtNG8vxKuOT4I2mD+Ya70KPceF4IAmDsmU0h1Qsn5bPrvsY9HJstCRh3hG6Uw==", + "version": "8.0.9", + "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.9.tgz", + "integrity": "sha512-t7g7GVRpMXjNpa67HaVWI/8BWtdVIQPCL2WoozXXA7LBGEFK4AkkKkHx2hAQf5x1GZSlcmEDPkVLSGahxnEEZw==", "dev": true, "license": "MIT", "dependencies": { "lightningcss": "^1.32.0", "picomatch": "^4.0.4", - "postcss": "^8.5.8", - "rolldown": "1.0.0-rc.15", - "tinyglobby": "^0.2.15" + "postcss": "^8.5.10", + "rolldown": "1.0.0-rc.16", + "tinyglobby": "^0.2.16" }, "bin": { "vite": "bin/vite.js" diff --git a/package.json b/package.json index ca48fa3f..d65a4b8f 100644 --- a/package.json +++ b/package.json @@ -27,8 +27,8 @@ "prettier": "^3.8.3", "prettier-plugin-tailwindcss": "^0.7.2", "tar": "^7.5.13", - "typescript": "^6.0.2", - "vite": "^8.0.8", + "typescript": "^6.0.3", + "vite": "^8.0.9", "vitest": "^4.1.4" } } diff --git a/tests/crowdsec-whitelist.spec.ts b/tests/crowdsec-whitelist.spec.ts new file mode 100644 index 00000000..24fbdfb9 --- /dev/null +++ b/tests/crowdsec-whitelist.spec.ts @@ -0,0 +1,406 @@ +import { test, expect, request as playwrightRequest } from '@playwright/test'; +import type { APIRequestContext } from '@playwright/test'; +import { + withSecurityEnabled, + captureSecurityState, + setSecurityModuleEnabled, +} from './utils/security-helpers'; +import { getStorageStateAuthHeaders } from './utils/api-helpers'; +import { STORAGE_STATE } from './constants'; + +/** + * CrowdSec IP Whitelist Management E2E Tests + * + * Tests the whitelist tab on the CrowdSec configuration page (/security/crowdsec). + * The tab is conditionally rendered: it only appears when CrowdSec mode is not 'disabled'. + * + * Uses IPs in the 10.99.x.x range to avoid conflicts with real network addresses. + * + * NOTE: Uses request.newContext({ storageState }) instead of the `request` fixture because + * the auth cookie has `secure: true` which the fixture won't send over HTTP, but + * Playwright's APIRequestContext does send it. + */ + +const BASE_URL = process.env.PLAYWRIGHT_BASE_URL ?? 'http://127.0.0.1:8080'; +const TEST_IP_PREFIX = '10.99'; + +function createRequestContext(): Promise { + return playwrightRequest.newContext({ + baseURL: BASE_URL, + storageState: STORAGE_STATE, + extraHTTPHeaders: getStorageStateAuthHeaders(), + }); +} + +test.describe('CrowdSec IP Whitelist Management', () => { + // Serial mode prevents the tab-visibility test (which disables CrowdSec) from + // racing with the local-mode tests (which require CrowdSec enabled). + test.describe.configure({ mode: 'serial' }); + + test.describe('tab visibility', () => { + test('whitelist tab is hidden when CrowdSec is disabled', async ({ page }) => { + const rc = await createRequestContext(); + const originalState = await captureSecurityState(rc); + if (originalState.crowdsec) { + await setSecurityModuleEnabled(rc, 'crowdsec', false); + } + + try { + await test.step('Navigate to CrowdSec config page', async () => { + await page.goto('/security/crowdsec'); + await page.waitForLoadState('networkidle'); + }); + + await test.step('Verify whitelist tab is not present', async () => { + await expect(page.getByRole('tab', { name: 'Whitelist' })).not.toBeVisible(); + }); + } finally { + if (originalState.crowdsec) { + await setSecurityModuleEnabled(rc, 'crowdsec', true); + } + await rc.dispose(); + } + }); + }); + + test.describe('with CrowdSec in local mode', () => { + let rc: APIRequestContext; + let cleanupSecurity: () => Promise; + + test.beforeAll(async () => { + rc = await createRequestContext(); + cleanupSecurity = await withSecurityEnabled(rc, { crowdsec: true, cerberus: true }); + + // Wait for CrowdSec to enter local mode (may take a few seconds after enabling) + for (let attempt = 0; attempt < 15; attempt++) { + const statusResp = await rc.get('/api/v1/security/status'); + if (statusResp.ok()) { + const status = await statusResp.json(); + if (status.crowdsec?.mode !== 'disabled') break; + } + await new Promise((resolve) => setTimeout(resolve, 2000)); + } + }); + + test.afterAll(async () => { + // Remove any leftover test entries before restoring security state + const resp = await rc.get('/api/v1/admin/crowdsec/whitelist'); + if (resp.ok()) { + const data = await resp.json(); + for (const entry of (data.whitelist ?? []) as Array<{ uuid: string; ip_or_cidr: string }>) { + if (entry.ip_or_cidr.startsWith(TEST_IP_PREFIX)) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${entry.uuid}`); + } + } + } + await cleanupSecurity?.(); + await rc.dispose(); + }); + + test.beforeEach(async ({ page }) => { + await test.step('Open CrowdSec Whitelist tab', async () => { + // CrowdSec may take time to enter local mode after being enabled. + // Retry navigation until the Whitelist tab is visible. + const maxAttempts = 15; + let tabFound = false; + for (let attempt = 0; attempt < maxAttempts; attempt++) { + await page.goto('/security/crowdsec'); + // Wait for network to settle so React Query status fetch completes + await page.waitForLoadState('networkidle', { timeout: 8000 }).catch(() => {}); + const whitelistTab = page.getByRole('tab', { name: 'Whitelist' }); + const visible = await whitelistTab.isVisible().catch(() => false); + if (visible) { + await whitelistTab.click(); + await page.waitForLoadState('networkidle', { timeout: 8000 }).catch(() => {}); + tabFound = true; + break; + } + if (attempt < maxAttempts - 1) { + await new Promise((resolve) => setTimeout(resolve, 2000)); + } + } + if (!tabFound) { + // Fail with a clear error message if tab never appeared + await expect(page.getByRole('tab', { name: 'Whitelist' })).toBeVisible({ + timeout: 1000, + }); + } + }); + }); + + test('displays empty state when no whitelist entries exist', async ({ page }) => { + await test.step('Verify empty state message and snapshot', async () => { + const emptyEl = page.getByTestId('whitelist-empty'); + await expect(emptyEl).toBeVisible(); + await expect(emptyEl).toHaveText('No whitelist entries'); + + await expect(emptyEl).toMatchAriaSnapshot(` + - paragraph: No whitelist entries + `); + }); + }); + + test('adds a valid IPv4 address to the whitelist', async ({ page }) => { + const testIP = `${TEST_IP_PREFIX}.1.10`; + let addedUUID: string | null = null; + + try { + await test.step('Fill IP address and reason fields', async () => { + await page.getByTestId('whitelist-ip-input').fill(testIP); + await page.getByTestId('whitelist-reason-input').fill('IPv4 E2E test entry'); + }); + + await test.step('Submit the form and capture response', async () => { + const responsePromise = page.waitForResponse( + (resp) => + resp.url().includes('/api/v1/admin/crowdsec/whitelist') && + resp.request().method() === 'POST' + ); + await page.getByTestId('whitelist-add-btn').click(); + const response = await responsePromise; + expect(response.status()).toBe(201); + const body = await response.json(); + addedUUID = body.uuid as string; + }); + + await test.step('Verify the entry appears in the table', async () => { + await expect(page.getByRole('cell', { name: testIP, exact: true })).toBeVisible({ timeout: 10_000 }); + await expect(page.getByRole('cell', { name: 'IPv4 E2E test entry' })).toBeVisible({ timeout: 10_000 }); + }); + } finally { + if (addedUUID) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${addedUUID}`); + } + } + }); + + test('adds a valid CIDR range to the whitelist', async ({ page }) => { + const testCIDR = `${TEST_IP_PREFIX}.2.0/24`; + let addedUUID: string | null = null; + + try { + await test.step('Fill CIDR notation and reason', async () => { + await page.getByTestId('whitelist-ip-input').fill(testCIDR); + await page.getByTestId('whitelist-reason-input').fill('CIDR E2E test range'); + }); + + await test.step('Submit the form and capture response', async () => { + const responsePromise = page.waitForResponse( + (resp) => + resp.url().includes('/api/v1/admin/crowdsec/whitelist') && + resp.request().method() === 'POST' + ); + await page.getByTestId('whitelist-add-btn').click(); + const response = await responsePromise; + expect(response.status()).toBe(201); + const body = await response.json(); + addedUUID = body.uuid as string; + }); + + await test.step('Verify CIDR entry appears in the table', async () => { + await expect(page.getByRole('cell', { name: testCIDR, exact: true })).toBeVisible({ timeout: 10_000 }); + await expect(page.getByRole('cell', { name: 'CIDR E2E test range' })).toBeVisible({ timeout: 10_000 }); + }); + } finally { + if (addedUUID) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${addedUUID}`); + } + } + }); + + test('"Add My IP" button pre-fills the detected client IP', async ({ page }) => { + const ipResp = await rc.get('/api/v1/system/my-ip'); + expect(ipResp.ok()).toBeTruthy(); + const { ip: detectedIP } = await ipResp.json() as { ip: string }; + + await test.step('Click the "Add My IP" button', async () => { + await page.getByTestId('whitelist-add-my-ip-btn').click(); + }); + + await test.step('Verify the IP input is pre-filled with the detected IP', async () => { + await expect(page.getByTestId('whitelist-ip-input')).toHaveValue(detectedIP); + }); + }); + + test('shows an inline validation error for an invalid IP address', async ({ page }) => { + await test.step('Fill the IP field with an invalid value', async () => { + await page.getByTestId('whitelist-ip-input').fill('not-an-ip'); + }); + + await test.step('Submit the form', async () => { + await page.getByTestId('whitelist-add-btn').click(); + }); + + await test.step('Verify the inline error element is visible with an error message', async () => { + const errorEl = page.getByTestId('whitelist-ip-error'); + await expect(errorEl).toBeVisible(); + await expect(errorEl).toContainText(/invalid/i); + }); + }); + + test('shows a conflict error when adding a duplicate whitelist entry', async ({ page }) => { + const testIP = `${TEST_IP_PREFIX}.3.10`; + let addedUUID: string | null = null; + + try { + await test.step('Pre-seed the whitelist entry via API', async () => { + const addResp = await rc.post('/api/v1/admin/crowdsec/whitelist', { + data: { ip_or_cidr: testIP, reason: 'duplicate seed' }, + }); + expect(addResp.status()).toBe(201); + const body = await addResp.json(); + addedUUID = body.uuid as string; + }); + + await test.step('Reload the whitelist tab to see the seeded entry', async () => { + await page.goto('/security/crowdsec'); + const whitelistTab = page.getByRole('tab', { name: 'Whitelist' }); + await expect(whitelistTab).toBeVisible({ timeout: 15_000 }); + await whitelistTab.click(); + await expect(page.getByRole('cell', { name: testIP, exact: true })).toBeVisible({ timeout: 10_000 }); + }); + + await test.step('Attempt to add the same IP again', async () => { + await page.getByTestId('whitelist-ip-input').fill(testIP); + await page.getByTestId('whitelist-add-btn').click(); + }); + + await test.step('Verify the conflict error is shown inline', async () => { + const errorEl = page.getByTestId('whitelist-ip-error'); + await expect(errorEl).toBeVisible(); + await expect(errorEl).toContainText(/already exists/i); + }); + } finally { + if (addedUUID) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${addedUUID}`); + } + } + }); + + test('removes a whitelist entry via the delete confirmation modal', async ({ page }) => { + const testIP = `${TEST_IP_PREFIX}.4.10`; + let addedUUID: string | null = null; + + try { + await test.step('Pre-seed a whitelist entry via API', async () => { + const addResp = await rc.post('/api/v1/admin/crowdsec/whitelist', { + data: { ip_or_cidr: testIP, reason: 'delete modal test' }, + }); + expect(addResp.status()).toBe(201); + const body = await addResp.json(); + addedUUID = body.uuid as string; + }); + + await test.step('Reload the whitelist tab to see the seeded entry', async () => { + await page.goto('/security/crowdsec'); + const whitelistTab = page.getByRole('tab', { name: 'Whitelist' }); + await expect(whitelistTab).toBeVisible({ timeout: 15_000 }); + await whitelistTab.click(); + await expect(page.getByRole('cell', { name: testIP, exact: true })).toBeVisible({ timeout: 10_000 }); + }); + + await test.step('Click the delete button for the entry', async () => { + const deleteBtn = page.getByRole('button', { + name: new RegExp(`Remove whitelist entry for ${testIP.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}`, 'i'), + }); + await expect(deleteBtn).toBeVisible(); + await deleteBtn.click(); + }); + + await test.step('Verify the confirmation modal appears', async () => { + const modal = page.getByRole('dialog'); + await expect(modal).toBeVisible(); + await expect(modal.locator('#whitelist-delete-modal-title')).toHaveText( + 'Remove Whitelist Entry' + ); + await expect(modal).toMatchAriaSnapshot(` + - dialog: + - heading "Remove Whitelist Entry" [level=2] + `); + }); + + await test.step('Confirm deletion and verify the entry is removed', async () => { + const deleteResponsePromise = page.waitForResponse( + (resp) => + resp.url().includes('/api/v1/admin/crowdsec/whitelist/') && + resp.request().method() === 'DELETE' + ); + await page.getByRole('button', { name: 'Remove', exact: true }).click(); + const deleteResponse = await deleteResponsePromise; + expect(deleteResponse.ok()).toBeTruthy(); + addedUUID = null; // cleaned up by the UI action + + await expect(page.getByRole('cell', { name: testIP, exact: true })).not.toBeVisible(); + await expect(page.getByTestId('whitelist-empty')).toBeVisible(); + }); + } finally { + // Fallback cleanup if the UI delete failed + if (addedUUID) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${addedUUID}`); + } + } + }); + + test('delete confirmation modal is dismissed by the Cancel button', async ({ page }) => { + const testIP = `${TEST_IP_PREFIX}.5.10`; + let addedUUID: string | null = null; + + try { + await test.step('Pre-seed a whitelist entry via API', async () => { + const addResp = await rc.post('/api/v1/admin/crowdsec/whitelist', { + data: { ip_or_cidr: testIP, reason: 'cancel modal test' }, + }); + expect(addResp.status()).toBe(201); + const body = await addResp.json(); + addedUUID = body.uuid as string; + }); + + await test.step('Reload the whitelist tab', async () => { + await page.goto('/security/crowdsec'); + const whitelistTab = page.getByRole('tab', { name: 'Whitelist' }); + await expect(whitelistTab).toBeVisible({ timeout: 15_000 }); + await whitelistTab.click(); + await expect(page.getByRole('cell', { name: testIP, exact: true })).toBeVisible({ timeout: 10_000 }); + }); + + await test.step('Open the delete modal', async () => { + const deleteBtn = page.getByRole('button', { + name: new RegExp(`Remove whitelist entry for ${testIP.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}`, 'i'), + }); + await deleteBtn.click(); + await expect(page.getByRole('dialog')).toBeVisible(); + }); + + await test.step('Cancel and verify the entry is still present', async () => { + await page.getByRole('button', { name: 'Cancel' }).click(); + await expect(page.getByRole('dialog')).not.toBeVisible(); + await expect(page.getByRole('cell', { name: testIP, exact: true })).toBeVisible(); + }); + } finally { + if (addedUUID) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${addedUUID}`); + } + } + }); + + test('add button is disabled when the IP field is empty', async ({ page }) => { + await test.step('Verify add button is disabled with empty IP field', async () => { + const ipInput = page.getByTestId('whitelist-ip-input'); + const addBtn = page.getByTestId('whitelist-add-btn'); + + await expect(ipInput).toHaveValue(''); + await expect(addBtn).toBeDisabled(); + }); + + await test.step('Button becomes enabled when IP is entered', async () => { + await page.getByTestId('whitelist-ip-input').fill('192.168.1.1'); + await expect(page.getByTestId('whitelist-add-btn')).toBeEnabled(); + }); + + await test.step('Button returns to disabled state when IP is cleared', async () => { + await page.getByTestId('whitelist-ip-input').clear(); + await expect(page.getByTestId('whitelist-add-btn')).toBeDisabled(); + }); + }); + }); +});