From 0a3b64ba5ccbbeab4fce2e2b6a21b2445934591b Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 15 Apr 2026 17:19:19 +0000 Subject: [PATCH 01/44] fix: correct misplaced env block in propagate-changes workflow --- .github/workflows/propagate-changes.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/propagate-changes.yml b/.github/workflows/propagate-changes.yml index 5b950e21..d4678783 100644 --- a/.github/workflows/propagate-changes.yml +++ b/.github/workflows/propagate-changes.yml @@ -37,6 +37,8 @@ jobs: env: CURRENT_BRANCH: ${{ github.event.workflow_run.head_branch || github.ref_name }} CURRENT_SHA: ${{ github.event.workflow_run.head_sha || github.sha }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} with: script: | const currentBranch = process.env.CURRENT_BRANCH || context.ref.replace('refs/heads/', ''); @@ -133,7 +135,9 @@ jobs: const sensitive = files.some(fn => configPaths.some(sp => fn.startsWith(sp) || fn.includes(sp))); if (sensitive) { - core.info(`${src} -> ${base} contains sensitive changes (${files.join(', ')}). Skipping automatic propagation.`); + const preview = files.slice(0, 25).join(', '); + const suffix = files.length > 25 ? ` …(+${files.length - 25} more)` : ''; + core.info(`${src} -> ${base} contains sensitive changes (${preview}${suffix}). Skipping automatic propagation.`); return; } } catch (error) { @@ -203,6 +207,3 @@ jobs: await createPR('development', targetBranch); } } - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} From 98c720987d491f16139c85d2277c3675952cfbdb Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 16 Apr 2026 13:26:37 +0000 Subject: [PATCH 02/44] chore(deps): update non-major-updates --- Dockerfile | 4 ++-- frontend/package-lock.json | 12 ++++++------ frontend/package.json | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index efc4040f..4a188937 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,7 @@ ARG BUILD_DEBUG=0 ARG GO_VERSION=1.26.2 # renovate: datasource=docker depName=alpine versioning=docker -ARG ALPINE_IMAGE=alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 +ARG ALPINE_IMAGE=alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 # ---- Shared CrowdSec Version ---- # renovate: datasource=github-releases depName=crowdsecurity/crowdsec @@ -92,7 +92,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ # ---- Frontend Builder ---- # Build the frontend using the BUILDPLATFORM to avoid arm64 musl Rollup native issues # renovate: datasource=docker depName=node -FROM --platform=$BUILDPLATFORM node:24.14.1-alpine@sha256:01743339035a5c3c11a373cd7c83aeab6ed1457b55da6a69e014a95ac4e4700b AS frontend-builder +FROM --platform=$BUILDPLATFORM node:24.14.1-alpine@sha256:8510330d3eb72c804231a834b1a8ebb55cb3796c3e4431297a24d246b8add4d5 AS frontend-builder WORKDIR /app/frontend # Copy frontend package files diff --git a/frontend/package-lock.json b/frontend/package-lock.json index c9939649..2e16daa1 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -65,7 +65,7 @@ "eslint-plugin-react-hooks": "^7.0.1", "eslint-plugin-react-refresh": "^0.5.2", "eslint-plugin-security": "^4.0.0", - "eslint-plugin-sonarjs": "^4.0.2", + "eslint-plugin-sonarjs": "^4.0.3", "eslint-plugin-testing-library": "^7.16.2", "eslint-plugin-unicorn": "^64.0.0", "eslint-plugin-unused-imports": "^4.4.1", @@ -6360,9 +6360,9 @@ } }, "node_modules/eslint-plugin-sonarjs": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/eslint-plugin-sonarjs/-/eslint-plugin-sonarjs-4.0.2.tgz", - "integrity": "sha512-BTcT1zr1iTbmJtVlcesISwnXzh+9uhf9LEOr+RRNf4kR8xA0HQTPft4oiyOCzCOGKkpSJxjR8ZYF6H7VPyplyw==", + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/eslint-plugin-sonarjs/-/eslint-plugin-sonarjs-4.0.3.tgz", + "integrity": "sha512-5drkJKLC9qQddIiaATV0e8+ygbUc7b0Ti6VB7M2d3jmKNh3X0RaiIJYTs3dr9xnlhlrxo+/s1FoO3Jgv6O/c7g==", "dev": true, "license": "LGPL-3.0-only", "dependencies": { @@ -6373,10 +6373,10 @@ "globals": "^17.4.0", "jsx-ast-utils-x": "^0.1.0", "lodash.merge": "^4.6.2", - "minimatch": "^10.2.4", + "minimatch": "^10.2.5", "scslre": "^0.3.0", "semver": "^7.7.4", - "ts-api-utils": "^2.4.0", + "ts-api-utils": "^2.5.0", "typescript": ">=5" }, "peerDependencies": { diff --git a/frontend/package.json b/frontend/package.json index 11d36683..de584438 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -84,7 +84,7 @@ "eslint-plugin-react-hooks": "^7.0.1", "eslint-plugin-react-refresh": "^0.5.2", "eslint-plugin-security": "^4.0.0", - "eslint-plugin-sonarjs": "^4.0.2", + "eslint-plugin-sonarjs": "^4.0.3", "eslint-plugin-testing-library": "^7.16.2", "eslint-plugin-unicorn": "^64.0.0", "eslint-plugin-unused-imports": "^4.4.1", From 40090cda23b6a2e938fcbbe4a98eca414f2076c4 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 15 Apr 2026 19:41:18 +0000 Subject: [PATCH 03/44] feat: add installation of crowdsecurity/whitelists parser --- configs/crowdsec/install_hub_items.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/configs/crowdsec/install_hub_items.sh b/configs/crowdsec/install_hub_items.sh index c2a2f214..84086c37 100644 --- a/configs/crowdsec/install_hub_items.sh +++ b/configs/crowdsec/install_hub_items.sh @@ -24,6 +24,7 @@ echo "Installing base parsers..." cscli parsers install crowdsecurity/http-logs --force || echo "⚠️ Failed to install crowdsecurity/http-logs" cscli parsers install crowdsecurity/syslog-logs --force || echo "⚠️ Failed to install crowdsecurity/syslog-logs" cscli parsers install crowdsecurity/geoip-enrich --force || echo "⚠️ Failed to install crowdsecurity/geoip-enrich" +cscli parsers install crowdsecurity/whitelists --force || echo "⚠️ Failed to install crowdsecurity/whitelists" # Install HTTP scenarios for attack detection echo "Installing HTTP scenarios..." From 1726a19cb6a5e86d05646ab694632536c9127e30 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 15 Apr 2026 19:49:43 +0000 Subject: [PATCH 04/44] feat: add CrowdSecWhitelist model and integrate into API route registration --- backend/internal/api/routes/routes.go | 1 + backend/internal/models/crowdsec_whitelist.go | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 backend/internal/models/crowdsec_whitelist.go diff --git a/backend/internal/api/routes/routes.go b/backend/internal/api/routes/routes.go index 0a085c29..2d422f2b 100644 --- a/backend/internal/api/routes/routes.go +++ b/backend/internal/api/routes/routes.go @@ -122,6 +122,7 @@ func RegisterWithDeps(ctx context.Context, router *gin.Engine, db *gorm.DB, cfg &models.DNSProviderCredential{}, // Multi-credential support (Phase 3) &models.Plugin{}, // Phase 5: DNS provider plugins &models.ManualChallenge{}, // Phase 1: Manual DNS challenges + &models.CrowdSecWhitelist{}, // Issue #939: CrowdSec IP whitelist management ); err != nil { return fmt.Errorf("auto migrate: %w", err) } diff --git a/backend/internal/models/crowdsec_whitelist.go b/backend/internal/models/crowdsec_whitelist.go new file mode 100644 index 00000000..c371d7dc --- /dev/null +++ b/backend/internal/models/crowdsec_whitelist.go @@ -0,0 +1,13 @@ +package models + +import "time" + +// CrowdSecWhitelist represents a single IP or CIDR block that CrowdSec should never ban. +type CrowdSecWhitelist struct { + ID uint `json:"-" gorm:"primaryKey"` + UUID string `json:"uuid" gorm:"uniqueIndex;not null"` + IPOrCIDR string `json:"ip_or_cidr" gorm:"not null;uniqueIndex"` + Reason string `json:"reason" gorm:"not null;default:''"` + CreatedAt time.Time `json:"created_at"` + UpdatedAt time.Time `json:"updated_at"` +} From 5642a37c4476430183fa260e01b38fd73ffddc79 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 15 Apr 2026 19:51:01 +0000 Subject: [PATCH 05/44] feat: implement CrowdSecWhitelistService for managing IP/CIDR whitelists --- .../services/crowdsec_whitelist_service.go | 188 ++++++++++++++++++ 1 file changed, 188 insertions(+) create mode 100644 backend/internal/services/crowdsec_whitelist_service.go diff --git a/backend/internal/services/crowdsec_whitelist_service.go b/backend/internal/services/crowdsec_whitelist_service.go new file mode 100644 index 00000000..8d89c3ba --- /dev/null +++ b/backend/internal/services/crowdsec_whitelist_service.go @@ -0,0 +1,188 @@ +package services + +import ( + "context" + "errors" + "fmt" + "net" + "os" + "path/filepath" + "strings" + + "github.com/Wikid82/charon/backend/internal/logger" + "github.com/Wikid82/charon/backend/internal/models" + "github.com/google/uuid" + "gorm.io/gorm" +) + +// Sentinel errors for CrowdSecWhitelistService operations. +var ( + ErrWhitelistNotFound = errors.New("whitelist entry not found") + ErrInvalidIPOrCIDR = errors.New("invalid IP address or CIDR notation") + ErrDuplicateEntry = errors.New("entry already exists in whitelist") +) + +const whitelistYAMLHeader = `name: charon-whitelist +description: "Charon-managed IP/CIDR whitelist" +filter: "evt.Meta.service == 'http'" +whitelist: + reason: "Charon managed whitelist" +` + +// CrowdSecWhitelistService manages the CrowdSec IP/CIDR whitelist. +type CrowdSecWhitelistService struct { + db *gorm.DB + dataDir string +} + +// NewCrowdSecWhitelistService creates a new CrowdSecWhitelistService. +func NewCrowdSecWhitelistService(db *gorm.DB, dataDir string) *CrowdSecWhitelistService { + return &CrowdSecWhitelistService{db: db, dataDir: dataDir} +} + +// List returns all whitelist entries ordered by creation time. +func (s *CrowdSecWhitelistService) List(ctx context.Context) ([]models.CrowdSecWhitelist, error) { + var entries []models.CrowdSecWhitelist + if err := s.db.WithContext(ctx).Order("created_at ASC").Find(&entries).Error; err != nil { + return nil, fmt.Errorf("list whitelist entries: %w", err) + } + return entries, nil +} + +// Add validates and persists a new whitelist entry, then regenerates the YAML file. +// Returns ErrInvalidIPOrCIDR for malformed input and ErrDuplicateEntry for conflicts. +func (s *CrowdSecWhitelistService) Add(ctx context.Context, ipOrCIDR, reason string) (*models.CrowdSecWhitelist, error) { + normalized, err := normalizeIPOrCIDR(strings.TrimSpace(ipOrCIDR)) + if err != nil { + return nil, ErrInvalidIPOrCIDR + } + + entry := models.CrowdSecWhitelist{ + UUID: uuid.New().String(), + IPOrCIDR: normalized, + Reason: reason, + } + + if err := s.db.WithContext(ctx).Create(&entry).Error; err != nil { + if errors.Is(err, gorm.ErrDuplicatedKey) || strings.Contains(err.Error(), "UNIQUE constraint failed") { + return nil, ErrDuplicateEntry + } + return nil, fmt.Errorf("add whitelist entry: %w", err) + } + + if err := s.WriteYAML(ctx); err != nil { + logger.Log().WithError(err).Warn("failed to write CrowdSec whitelist YAML after add (non-fatal)") + } + + return &entry, nil +} + +// Delete removes a whitelist entry by UUID and regenerates the YAML file. +// Returns ErrWhitelistNotFound if the UUID does not exist. +func (s *CrowdSecWhitelistService) Delete(ctx context.Context, id string) error { + result := s.db.WithContext(ctx).Where("uuid = ?", id).Delete(&models.CrowdSecWhitelist{}) + if result.Error != nil { + return fmt.Errorf("delete whitelist entry: %w", result.Error) + } + if result.RowsAffected == 0 { + return ErrWhitelistNotFound + } + + if err := s.WriteYAML(ctx); err != nil { + logger.Log().WithError(err).Warn("failed to write CrowdSec whitelist YAML after delete (non-fatal)") + } + + return nil +} + +// WriteYAML renders and atomically writes the CrowdSec whitelist YAML file. +// It is a no-op when dataDir is empty (unit-test mode). +func (s *CrowdSecWhitelistService) WriteYAML(ctx context.Context) error { + if s.dataDir == "" { + return nil + } + + var entries []models.CrowdSecWhitelist + if err := s.db.WithContext(ctx).Order("created_at ASC").Find(&entries).Error; err != nil { + return fmt.Errorf("write whitelist yaml: query entries: %w", err) + } + + var ips, cidrs []string + for _, e := range entries { + if strings.Contains(e.IPOrCIDR, "/") { + cidrs = append(cidrs, e.IPOrCIDR) + } else { + ips = append(ips, e.IPOrCIDR) + } + } + + content := buildWhitelistYAML(ips, cidrs) + + dir := filepath.Join(s.dataDir, "config", "parsers", "s02-enrich") + if err := os.MkdirAll(dir, 0o750); err != nil { + return fmt.Errorf("write whitelist yaml: create dir: %w", err) + } + + target := filepath.Join(dir, "charon-whitelist.yaml") + tmp := target + ".tmp" + + if err := os.WriteFile(tmp, content, 0o640); err != nil { + return fmt.Errorf("write whitelist yaml: write temp: %w", err) + } + + if err := os.Rename(tmp, target); err != nil { + _ = os.Remove(tmp) + return fmt.Errorf("write whitelist yaml: rename: %w", err) + } + + return nil +} + +// normalizeIPOrCIDR validates and normalizes an IP address or CIDR block. +// For CIDRs, the network address is returned (e.g. "10.0.0.1/8" → "10.0.0.0/8"). +func normalizeIPOrCIDR(raw string) (string, error) { + if strings.Contains(raw, "/") { + ip, network, err := net.ParseCIDR(raw) + if err != nil { + return "", err + } + _ = ip + return network.String(), nil + } + if net.ParseIP(raw) == nil { + return "", fmt.Errorf("invalid IP: %q", raw) + } + return raw, nil +} + +// buildWhitelistYAML constructs the YAML content for the CrowdSec whitelist parser. +func buildWhitelistYAML(ips, cidrs []string) []byte { + var sb strings.Builder + sb.WriteString(whitelistYAMLHeader) + + sb.WriteString(" ip:") + if len(ips) == 0 { + sb.WriteString(" []\n") + } else { + sb.WriteString("\n") + for _, ip := range ips { + sb.WriteString(" - \"") + sb.WriteString(ip) + sb.WriteString("\"\n") + } + } + + sb.WriteString(" cidr:") + if len(cidrs) == 0 { + sb.WriteString(" []\n") + } else { + sb.WriteString("\n") + for _, cidr := range cidrs { + sb.WriteString(" - \"") + sb.WriteString(cidr) + sb.WriteString("\"\n") + } + } + + return []byte(sb.String()) +} From 741a59c33383fe7f9e37ce02df5cc74755c9ceaf Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 15 Apr 2026 19:51:46 +0000 Subject: [PATCH 06/44] feat: add whitelist management endpoints to CrowdsecHandler --- .../internal/api/handlers/crowdsec_handler.go | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/backend/internal/api/handlers/crowdsec_handler.go b/backend/internal/api/handlers/crowdsec_handler.go index b6bbf66c..bea6782e 100644 --- a/backend/internal/api/handlers/crowdsec_handler.go +++ b/backend/internal/api/handlers/crowdsec_handler.go @@ -63,6 +63,7 @@ type CrowdsecHandler struct { Hub *crowdsec.HubService Console *crowdsec.ConsoleEnrollmentService Security *services.SecurityService + WhitelistSvc *services.CrowdSecWhitelistService CaddyManager *caddy.Manager // For config reload after bouncer registration LAPIMaxWait time.Duration // For testing; 0 means 60s default LAPIPollInterval time.Duration // For testing; 0 means 500ms default @@ -392,6 +393,7 @@ func NewCrowdsecHandler(db *gorm.DB, executor CrowdsecExecutor, binPath, dataDir Hub: hubSvc, Console: consoleSvc, Security: securitySvc, + WhitelistSvc: services.NewCrowdSecWhitelistService(db, dataDir), dashCache: newDashboardCache(), validateLAPIURL: validateCrowdsecLAPIBaseURLDefault, } @@ -2700,6 +2702,75 @@ func fileExists(path string) bool { return err == nil } +// ListWhitelists returns all CrowdSec IP/CIDR whitelist entries. +func (h *CrowdsecHandler) ListWhitelists(c *gin.Context) { + entries, err := h.WhitelistSvc.List(c.Request.Context()) + if err != nil { + logger.Log().WithError(err).Error("failed to list whitelist entries") + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list whitelist entries"}) + return + } + c.JSON(http.StatusOK, gin.H{"entries": entries}) +} + +// AddWhitelist adds a new IP or CIDR to the CrowdSec whitelist. +func (h *CrowdsecHandler) AddWhitelist(c *gin.Context) { + var req struct { + IPOrCIDR string `json:"ip_or_cidr" binding:"required"` + Reason string `json:"reason"` + } + if err := c.ShouldBindJSON(&req); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + return + } + + entry, err := h.WhitelistSvc.Add(c.Request.Context(), req.IPOrCIDR, req.Reason) + if err != nil { + switch { + case errors.Is(err, services.ErrInvalidIPOrCIDR): + c.JSON(http.StatusBadRequest, gin.H{"error": "invalid IP address or CIDR notation"}) + case errors.Is(err, services.ErrDuplicateEntry): + c.JSON(http.StatusConflict, gin.H{"error": "entry already exists in whitelist"}) + default: + logger.Log().WithError(err).Error("failed to add whitelist entry") + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to add whitelist entry"}) + } + return + } + + if _, execErr := h.CmdExec.Execute(c.Request.Context(), "cscli", "hub", "reload"); execErr != nil { + logger.Log().WithError(execErr).Warn("cscli hub reload failed after whitelist add (non-fatal)") + } + + c.JSON(http.StatusCreated, entry) +} + +// DeleteWhitelist removes a whitelist entry by UUID. +func (h *CrowdsecHandler) DeleteWhitelist(c *gin.Context) { + id := c.Param("uuid") + if id == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "uuid is required"}) + return + } + + if err := h.WhitelistSvc.Delete(c.Request.Context(), id); err != nil { + switch { + case errors.Is(err, services.ErrWhitelistNotFound): + c.JSON(http.StatusNotFound, gin.H{"error": "whitelist entry not found"}) + default: + logger.Log().WithError(err).Error("failed to delete whitelist entry") + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete whitelist entry"}) + } + return + } + + if _, execErr := h.CmdExec.Execute(c.Request.Context(), "cscli", "hub", "reload"); execErr != nil { + logger.Log().WithError(execErr).Warn("cscli hub reload failed after whitelist delete (non-fatal)") + } + + c.Status(http.StatusNoContent) +} + // RegisterRoutes registers crowdsec admin routes under protected group func (h *CrowdsecHandler) RegisterRoutes(rg *gin.RouterGroup) { rg.POST("/admin/crowdsec/start", h.Start) @@ -2742,4 +2813,8 @@ func (h *CrowdsecHandler) RegisterRoutes(rg *gin.RouterGroup) { rg.GET("/admin/crowdsec/dashboard/scenarios", h.DashboardScenarios) rg.GET("/admin/crowdsec/alerts", h.ListAlerts) rg.GET("/admin/crowdsec/decisions/export", h.ExportDecisions) + // Whitelist management endpoints (Issue #939) + rg.GET("/admin/crowdsec/whitelist", h.ListWhitelists) + rg.POST("/admin/crowdsec/whitelist", h.AddWhitelist) + rg.DELETE("/admin/crowdsec/whitelist/:uuid", h.DeleteWhitelist) } From a243066691caab84e6212b88ac259ecfc6e3a214 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 15 Apr 2026 19:52:41 +0000 Subject: [PATCH 07/44] feat: regenerate whitelist YAML on CrowdSec startup --- backend/internal/services/crowdsec_startup.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/backend/internal/services/crowdsec_startup.go b/backend/internal/services/crowdsec_startup.go index 2f00fe93..d05d85b8 100644 --- a/backend/internal/services/crowdsec_startup.go +++ b/backend/internal/services/crowdsec_startup.go @@ -197,6 +197,12 @@ func ReconcileCrowdSecOnStartup(db *gorm.DB, executor CrowdsecProcessManager, bi "data_dir": dataDir, }).Info("CrowdSec reconciliation: starting CrowdSec (mode=local, not currently running)") + // Regenerate whitelist YAML before starting so CrowdSec loads the current entries. + whitelistSvc := NewCrowdSecWhitelistService(db, dataDir) + if writeErr := whitelistSvc.WriteYAML(context.Background()); writeErr != nil { + logger.Log().WithError(writeErr).Warn("CrowdSec reconciliation: failed to write whitelist YAML on startup (non-fatal)") + } + startCtx, startCancel := context.WithTimeout(context.Background(), 30*time.Second) defer startCancel() From 19719693b0290523b6fe8fefa4281d5a2e6f673b Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 15 Apr 2026 19:53:27 +0000 Subject: [PATCH 08/44] feat: add unit tests for CrowdSecWhitelistService and CrowdsecHandler --- .../crowdsec_whitelist_handler_test.go | 159 +++++++++++++++++ .../crowdsec_whitelist_service_test.go | 166 ++++++++++++++++++ 2 files changed, 325 insertions(+) create mode 100644 backend/internal/api/handlers/crowdsec_whitelist_handler_test.go create mode 100644 backend/internal/services/crowdsec_whitelist_service_test.go diff --git a/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go b/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go new file mode 100644 index 00000000..8e932806 --- /dev/null +++ b/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go @@ -0,0 +1,159 @@ +package handlers + +import ( + "bytes" + "context" + "encoding/json" + "net/http" + "net/http/httptest" + "testing" + + "github.com/Wikid82/charon/backend/internal/models" + "github.com/Wikid82/charon/backend/internal/services" + "github.com/gin-gonic/gin" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "gorm.io/gorm" +) + +type mockCmdExecWhitelist struct { + reloadCalled bool + reloadErr error +} + +func (m *mockCmdExecWhitelist) Execute(_ context.Context, _ string, _ ...string) ([]byte, error) { + m.reloadCalled = true + return nil, m.reloadErr +} + +func setupWhitelistHandler(t *testing.T) (*CrowdsecHandler, *gin.Engine, *gorm.DB) { + t.Helper() + db := OpenTestDB(t) + require.NoError(t, db.AutoMigrate(&models.CrowdSecWhitelist{})) + fe := &fakeExec{} + h := newTestCrowdsecHandler(t, db, fe, "/bin/false", "") + h.WhitelistSvc = services.NewCrowdSecWhitelistService(db, "") + + r := gin.New() + g := r.Group("/api/v1") + g.GET("/admin/crowdsec/whitelist", h.ListWhitelists) + g.POST("/admin/crowdsec/whitelist", h.AddWhitelist) + g.DELETE("/admin/crowdsec/whitelist/:uuid", h.DeleteWhitelist) + + return h, r, db +} + +func TestListWhitelists_Empty(t *testing.T) { + t.Parallel() + _, r, _ := setupWhitelistHandler(t) + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/whitelist", nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusOK, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + entries, ok := resp["entries"].([]interface{}) + assert.True(t, ok) + assert.Empty(t, entries) +} + +func TestAddWhitelist_ValidIP(t *testing.T) { + t.Parallel() + h, r, _ := setupWhitelistHandler(t) + mock := &mockCmdExecWhitelist{} + h.CmdExec = mock + + body := `{"ip_or_cidr":"1.2.3.4","reason":"test"}` + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusCreated, w.Code) + assert.True(t, mock.reloadCalled) + + var entry models.CrowdSecWhitelist + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &entry)) + assert.Equal(t, "1.2.3.4", entry.IPOrCIDR) + assert.NotEmpty(t, entry.UUID) +} + +func TestAddWhitelist_InvalidIP(t *testing.T) { + t.Parallel() + _, r, _ := setupWhitelistHandler(t) + + body := `{"ip_or_cidr":"not-valid","reason":""}` + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusBadRequest, w.Code) +} + +func TestAddWhitelist_Duplicate(t *testing.T) { + t.Parallel() + _, r, _ := setupWhitelistHandler(t) + + body := `{"ip_or_cidr":"9.9.9.9","reason":""}` + for i := 0; i < 2; i++ { + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + if i == 0 { + assert.Equal(t, http.StatusCreated, w.Code) + } else { + assert.Equal(t, http.StatusConflict, w.Code) + } + } +} + +func TestDeleteWhitelist_Existing(t *testing.T) { + t.Parallel() + h, r, db := setupWhitelistHandler(t) + mock := &mockCmdExecWhitelist{} + h.CmdExec = mock + + svc := services.NewCrowdSecWhitelistService(db, "") + entry, err := svc.Add(t.Context(), "7.7.7.7", "to delete") + require.NoError(t, err) + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/whitelist/"+entry.UUID, nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusNoContent, w.Code) + assert.True(t, mock.reloadCalled) +} + +func TestDeleteWhitelist_NotFound(t *testing.T) { + t.Parallel() + _, r, _ := setupWhitelistHandler(t) + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/whitelist/00000000-0000-0000-0000-000000000000", nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusNotFound, w.Code) +} + +func TestListWhitelists_AfterAdd(t *testing.T) { + t.Parallel() + _, r, db := setupWhitelistHandler(t) + svc := services.NewCrowdSecWhitelistService(db, "") + _, err := svc.Add(t.Context(), "8.8.8.8", "google dns") + require.NoError(t, err) + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/whitelist", nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusOK, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + entries := resp["entries"].([]interface{}) + assert.Len(t, entries, 1) +} diff --git a/backend/internal/services/crowdsec_whitelist_service_test.go b/backend/internal/services/crowdsec_whitelist_service_test.go new file mode 100644 index 00000000..438221f2 --- /dev/null +++ b/backend/internal/services/crowdsec_whitelist_service_test.go @@ -0,0 +1,166 @@ +package services_test + +import ( + "context" + "fmt" + "os" + "path/filepath" + "testing" + + "github.com/Wikid82/charon/backend/internal/models" + "github.com/Wikid82/charon/backend/internal/services" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "gorm.io/driver/sqlite" + "gorm.io/gorm" + gormlogger "gorm.io/gorm/logger" +) + +func openWhitelistTestDB(t *testing.T) *gorm.DB { + t.Helper() + db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{ + Logger: gormlogger.Default.LogMode(gormlogger.Silent), + }) + require.NoError(t, err) + require.NoError(t, db.AutoMigrate(&models.CrowdSecWhitelist{})) + t.Cleanup(func() { + sqlDB, err := db.DB() + if err == nil { + _ = sqlDB.Close() + } + }) + return db +} + +func TestCrowdSecWhitelistService_List_Empty(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + entries, err := svc.List(context.Background()) + require.NoError(t, err) + assert.Empty(t, entries) +} + +func TestCrowdSecWhitelistService_Add_ValidIP(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + entry, err := svc.Add(context.Background(), "1.2.3.4", "test reason") + require.NoError(t, err) + assert.NotEmpty(t, entry.UUID) + assert.Equal(t, "1.2.3.4", entry.IPOrCIDR) + assert.Equal(t, "test reason", entry.Reason) +} + +func TestCrowdSecWhitelistService_Add_ValidCIDR(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + entry, err := svc.Add(context.Background(), "192.168.1.0/24", "local net") + require.NoError(t, err) + assert.Equal(t, "192.168.1.0/24", entry.IPOrCIDR) +} + +func TestCrowdSecWhitelistService_Add_NormalizesCIDR(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + entry, err := svc.Add(context.Background(), "10.0.0.1/8", "normalize test") + require.NoError(t, err) + assert.Equal(t, "10.0.0.0/8", entry.IPOrCIDR) +} + +func TestCrowdSecWhitelistService_Add_InvalidIP(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + _, err := svc.Add(context.Background(), "not-an-ip", "") + assert.ErrorIs(t, err, services.ErrInvalidIPOrCIDR) +} + +func TestCrowdSecWhitelistService_Add_Duplicate(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + _, err := svc.Add(context.Background(), "5.5.5.5", "first") + require.NoError(t, err) + _, err = svc.Add(context.Background(), "5.5.5.5", "second") + assert.ErrorIs(t, err, services.ErrDuplicateEntry) +} + +func TestCrowdSecWhitelistService_Delete_Existing(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + entry, err := svc.Add(context.Background(), "6.6.6.6", "to delete") + require.NoError(t, err) + + err = svc.Delete(context.Background(), entry.UUID) + require.NoError(t, err) + + entries, err := svc.List(context.Background()) + require.NoError(t, err) + assert.Empty(t, entries) +} + +func TestCrowdSecWhitelistService_Delete_NotFound(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + err := svc.Delete(context.Background(), "00000000-0000-0000-0000-000000000000") + assert.ErrorIs(t, err, services.ErrWhitelistNotFound) +} + +func TestCrowdSecWhitelistService_WriteYAML_EmptyDataDir(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + err := svc.WriteYAML(context.Background()) + assert.NoError(t, err) +} + +func TestCrowdSecWhitelistService_WriteYAML_CreatesFile(t *testing.T) { + t.Parallel() + tmpDir := t.TempDir() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, tmpDir) + + _, err := svc.Add(context.Background(), "1.1.1.1", "dns") + require.NoError(t, err) + _, err = svc.Add(context.Background(), "10.0.0.0/8", "internal") + require.NoError(t, err) + + yamlPath := filepath.Join(tmpDir, "config", "parsers", "s02-enrich", "charon-whitelist.yaml") + content, err := os.ReadFile(yamlPath) + require.NoError(t, err) + + s := string(content) + assert.Contains(t, s, "name: charon-whitelist") + assert.Contains(t, s, `"1.1.1.1"`) + assert.Contains(t, s, `"10.0.0.0/8"`) +} + +func TestCrowdSecWhitelistService_WriteYAML_EmptyLists(t *testing.T) { + t.Parallel() + tmpDir := t.TempDir() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), tmpDir) + + err := svc.WriteYAML(context.Background()) + require.NoError(t, err) + + yamlPath := filepath.Join(tmpDir, "config", "parsers", "s02-enrich", "charon-whitelist.yaml") + content, err := os.ReadFile(yamlPath) + require.NoError(t, err) + + s := string(content) + assert.Contains(t, s, "ip: []") + assert.Contains(t, s, "cidr: []") +} + +func TestCrowdSecWhitelistService_List_AfterAdd(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + + for i := 0; i < 3; i++ { + _, err := svc.Add(context.Background(), fmt.Sprintf("10.0.0.%d", i+1), "") + require.NoError(t, err) + } + + entries, err := svc.List(context.Background()) + require.NoError(t, err) + assert.Len(t, entries, 3) +} From 28bc73bb1ae58e5d81d80ecefbe8e54c9fa4af88 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 15 Apr 2026 21:03:41 +0000 Subject: [PATCH 09/44] feat: add whitelist management hooks for querying and mutating whitelist entries --- frontend/src/api/crowdsec.ts | 29 ++++++++++++++++- frontend/src/hooks/useCrowdSecWhitelist.ts | 38 ++++++++++++++++++++++ 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 frontend/src/hooks/useCrowdSecWhitelist.ts diff --git a/frontend/src/api/crowdsec.ts b/frontend/src/api/crowdsec.ts index 839bb6cc..77b1b425 100644 --- a/frontend/src/api/crowdsec.ts +++ b/frontend/src/api/crowdsec.ts @@ -156,4 +156,31 @@ export async function getCrowdsecKeyStatus(): Promise { return resp.data } -export default { startCrowdsec, stopCrowdsec, statusCrowdsec, importCrowdsecConfig, exportCrowdsecConfig, listCrowdsecFiles, readCrowdsecFile, writeCrowdsecFile, listCrowdsecDecisions, banIP, unbanIP, getCrowdsecKeyStatus } +export interface CrowdSecWhitelistEntry { + uuid: string + ip_or_cidr: string + reason: string + created_at: string + updated_at: string +} + +export interface AddWhitelistPayload { + ip_or_cidr: string + reason: string +} + +export const listWhitelists = async (): Promise => { + const resp = await client.get<{ whitelist: CrowdSecWhitelistEntry[] }>('/admin/crowdsec/whitelist') + return resp.data.whitelist +} + +export const addWhitelist = async (data: AddWhitelistPayload): Promise => { + const resp = await client.post('/admin/crowdsec/whitelist', data) + return resp.data +} + +export const deleteWhitelist = async (uuid: string): Promise => { + await client.delete(`/admin/crowdsec/whitelist/${uuid}`) +} + +export default { startCrowdsec, stopCrowdsec, statusCrowdsec, importCrowdsecConfig, exportCrowdsecConfig, listCrowdsecFiles, readCrowdsecFile, writeCrowdsecFile, listCrowdsecDecisions, banIP, unbanIP, getCrowdsecKeyStatus, listWhitelists, addWhitelist, deleteWhitelist } diff --git a/frontend/src/hooks/useCrowdSecWhitelist.ts b/frontend/src/hooks/useCrowdSecWhitelist.ts new file mode 100644 index 00000000..a36bfceb --- /dev/null +++ b/frontend/src/hooks/useCrowdSecWhitelist.ts @@ -0,0 +1,38 @@ +import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query' + +import { listWhitelists, addWhitelist, deleteWhitelist, type AddWhitelistPayload } from '../api/crowdsec' +import { toast } from '../utils/toast' + +export const useWhitelistEntries = () => + useQuery({ + queryKey: ['crowdsec-whitelist'], + queryFn: listWhitelists, + }) + +export const useAddWhitelist = () => { + const queryClient = useQueryClient() + return useMutation({ + mutationFn: (data: AddWhitelistPayload) => addWhitelist(data), + onSuccess: () => { + toast.success('Whitelist entry added') + queryClient.invalidateQueries({ queryKey: ['crowdsec-whitelist'] }) + }, + onError: (err: unknown) => { + toast.error(err instanceof Error ? err.message : 'Failed to add whitelist entry') + }, + }) +} + +export const useDeleteWhitelist = () => { + const queryClient = useQueryClient() + return useMutation({ + mutationFn: (uuid: string) => deleteWhitelist(uuid), + onSuccess: () => { + toast.success('Whitelist entry removed') + queryClient.invalidateQueries({ queryKey: ['crowdsec-whitelist'] }) + }, + onError: (err: unknown) => { + toast.error(err instanceof Error ? err.message : 'Failed to remove whitelist entry') + }, + }) +} From c977cf619069590f4d84fd852f58e546e51957f5 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 15 Apr 2026 21:04:48 +0000 Subject: [PATCH 10/44] feat: add whitelist management functionality to CrowdSecConfig --- frontend/src/pages/CrowdSecConfig.tsx | 208 +++++++++++++++++++++++++- 1 file changed, 206 insertions(+), 2 deletions(-) diff --git a/frontend/src/pages/CrowdSecConfig.tsx b/frontend/src/pages/CrowdSecConfig.tsx index 3044347b..e26286c3 100644 --- a/frontend/src/pages/CrowdSecConfig.tsx +++ b/frontend/src/pages/CrowdSecConfig.tsx @@ -6,10 +6,11 @@ import { useTranslation } from 'react-i18next' import { useNavigate, Link } from 'react-router-dom' import { createBackup } from '../api/backups' -import { exportCrowdsecConfig, importCrowdsecConfig, listCrowdsecFiles, readCrowdsecFile, writeCrowdsecFile, listCrowdsecDecisions, banIP, unbanIP, type CrowdSecDecision, statusCrowdsec, type CrowdSecStatus, startCrowdsec } from '../api/crowdsec' +import { exportCrowdsecConfig, importCrowdsecConfig, listCrowdsecFiles, readCrowdsecFile, writeCrowdsecFile, listCrowdsecDecisions, banIP, unbanIP, type CrowdSecDecision, type CrowdSecWhitelistEntry, statusCrowdsec, type CrowdSecStatus, startCrowdsec } from '../api/crowdsec' import { getFeatureFlags } from '../api/featureFlags' import { listCrowdsecPresets, pullCrowdsecPreset, applyCrowdsecPreset, getCrowdsecPresetCache } from '../api/presets' import { getSecurityStatus } from '../api/security' +import { getMyIP } from '../api/system' import { CrowdSecBouncerKeyDisplay } from '../components/CrowdSecBouncerKeyDisplay' import { ConfigReloadOverlay } from '../components/LoadingStates' import { Button } from '../components/ui/Button' @@ -19,6 +20,7 @@ import { Skeleton } from '../components/ui/Skeleton' import { Tabs, TabsContent, TabsList, TabsTrigger } from '../components/ui/Tabs' import { CROWDSEC_PRESETS, type CrowdsecPreset } from '../data/crowdsecPresets' import { useConsoleStatus, useEnrollConsole, useClearConsoleEnrollment } from '../hooks/useConsoleEnrollment' +import { useWhitelistEntries, useAddWhitelist, useDeleteWhitelist } from '../hooks/useCrowdSecWhitelist' import { buildCrowdsecExportFilename, downloadCrowdsecExport, promptCrowdsecFilename } from '../utils/crowdsecExport' import { toast } from '../utils/toast' @@ -36,6 +38,8 @@ export default function CrowdSecConfig() { const [showBanModal, setShowBanModal] = useState(false) const [banForm, setBanForm] = useState({ ip: '', duration: '24h', reason: '' }) const [confirmUnban, setConfirmUnban] = useState(null) + const [whitelistForm, setWhitelistForm] = useState<{ ip_or_cidr: string; reason: string }>({ ip_or_cidr: '', reason: '' }) + const [confirmDeleteWhitelist, setConfirmDeleteWhitelist] = useState(null) const [isApplyingPreset, setIsApplyingPreset] = useState(false) const [presetPreview, setPresetPreview] = useState('') const [presetMeta, setPresetMeta] = useState<{ cacheKey?: string; etag?: string; retrievedAt?: string; source?: string } | null>(null) @@ -361,6 +365,25 @@ export default function CrowdSecConfig() { }, }) + const whitelistQuery = useWhitelistEntries() + const addWhitelistMutation = useAddWhitelist() + const deleteWhitelistMutation = useDeleteWhitelist() + + const whitelistInlineError = addWhitelistMutation.error instanceof Error + ? addWhitelistMutation.error.message + : addWhitelistMutation.error != null + ? 'Failed to add entry' + : null + + const handleAddMyIP = async () => { + try { + const result = await getMyIP() + setWhitelistForm((prev) => ({ ...prev, ip_or_cidr: result.ip })) + } catch { + toast.error('Failed to detect your IP address') + } + } + const handleExport = async () => { const defaultName = buildCrowdsecExportFilename() const filename = promptCrowdsecFilename(defaultName) @@ -517,7 +540,9 @@ export default function CrowdSecConfig() { pullPresetMutation.isPending || isApplyingPreset || banMutation.isPending || - unbanMutation.isPending + unbanMutation.isPending || + addWhitelistMutation.isPending || + deleteWhitelistMutation.isPending // Determine contextual message const getMessage = () => { @@ -539,6 +564,12 @@ export default function CrowdSecConfig() { if (unbanMutation.isPending) { return { message: 'Guardian lowers shield...', submessage: 'Unbanning IP address' } } + if (addWhitelistMutation.isPending) { + return { message: 'Guardian updates list...', submessage: 'Adding IP to whitelist' } + } + if (deleteWhitelistMutation.isPending) { + return { message: 'Guardian updates list...', submessage: 'Removing from whitelist' } + } return { message: 'Strengthening the guard...', submessage: 'Configuration in progress' } } @@ -565,6 +596,7 @@ export default function CrowdSecConfig() { {t('security.crowdsec.tabs.config', 'Configuration')} {t('security.crowdsec.tabs.dashboard', 'Dashboard')} + {isLocalMode && {t('crowdsecConfig.whitelist.tabLabel', 'Whitelist')}} @@ -1241,6 +1273,135 @@ export default function CrowdSecConfig() { + + {isLocalMode && ( + + +
+
+ +

{t('crowdsecConfig.whitelist.title', 'IP Whitelist')}

+
+

+ {t('crowdsecConfig.whitelist.description', 'Whitelisted IPs and CIDRs are never blocked by CrowdSec, even if they trigger alerts.')} +

+ + {/* Add entry form */} +
+
+ { + setWhitelistForm((prev) => ({ ...prev, ip_or_cidr: e.target.value })) + if (addWhitelistMutation.error) addWhitelistMutation.reset() + }} + error={whitelistInlineError ?? undefined} + errorTestId="whitelist-ip-error" + aria-required={true} + data-testid="whitelist-ip-input" + /> +
+
+ setWhitelistForm((prev) => ({ ...prev, reason: e.target.value }))} + data-testid="whitelist-reason-input" + /> +
+
+ + +
+
+ + {/* Entries table */} + {whitelistQuery.isLoading ? ( +
+ + + +
+ ) : !whitelistQuery.data?.length ? ( +

+ {t('crowdsecConfig.whitelist.none', 'No whitelist entries')} +

+ ) : ( +
+ + + + + + + + + + + {whitelistQuery.data.map((entry) => ( + + + + + + + ))} + +
+ {t('crowdsecConfig.whitelist.columnIp', 'IP / CIDR')} + + {t('crowdsecConfig.whitelist.columnReason', 'Reason')} + + {t('crowdsecConfig.whitelist.columnAdded', 'Added')} + + {t('crowdsecConfig.bannedIps.actions')} +
{entry.ip_or_cidr}{entry.reason || '-'} + {entry.created_at ? new Date(entry.created_at).toLocaleString() : '-'} + + +
+
+ )} +
+ + + )} + @@ -1386,6 +1547,49 @@ export default function CrowdSecConfig() { )} + + {/* Delete Whitelist Entry Modal */} + {confirmDeleteWhitelist && ( +
+
setConfirmDeleteWhitelist(null)} role="button" tabIndex={-1} aria-label={t('common.close')} /> +
{ + if (e.key === 'Escape') setConfirmDeleteWhitelist(null) + }} + > +

+ {t('crowdsecConfig.whitelist.deleteModal.title', 'Remove Whitelist Entry')} +

+

+ {t('crowdsecConfig.whitelist.deleteModal.body', 'Remove {{ip}} from the whitelist? CrowdSec may then block this IP if it triggers alerts.', { ip: confirmDeleteWhitelist.ip_or_cidr })} +

+
+ + +
+
+
+ )} ) } From aee0eeef82e438171d39d9dacea29535833b3fe0 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 15 Apr 2026 21:06:00 +0000 Subject: [PATCH 11/44] feat: add unit tests for useCrowdSecWhitelist hooks --- .../__tests__/useCrowdSecWhitelist.test.ts | 155 ++++++++++++++++++ 1 file changed, 155 insertions(+) create mode 100644 frontend/src/hooks/__tests__/useCrowdSecWhitelist.test.ts diff --git a/frontend/src/hooks/__tests__/useCrowdSecWhitelist.test.ts b/frontend/src/hooks/__tests__/useCrowdSecWhitelist.test.ts new file mode 100644 index 00000000..b59bdc09 --- /dev/null +++ b/frontend/src/hooks/__tests__/useCrowdSecWhitelist.test.ts @@ -0,0 +1,155 @@ +import { QueryClientProvider } from '@tanstack/react-query' +import { renderHook, act, waitFor } from '@testing-library/react' +import React from 'react' +import { vi, describe, it, expect, beforeEach } from 'vitest' + +import * as crowdsecApi from '../../api/crowdsec' +import * as toastUtil from '../../utils/toast' +import { createTestQueryClient } from '../../test/createTestQueryClient' +import { useWhitelistEntries, useAddWhitelist, useDeleteWhitelist } from '../useCrowdSecWhitelist' + +import type { CrowdSecWhitelistEntry } from '../../api/crowdsec' + +vi.mock('../../api/crowdsec', () => ({ + listWhitelists: vi.fn(), + addWhitelist: vi.fn(), + deleteWhitelist: vi.fn(), +})) + +vi.mock('../../utils/toast', () => ({ + toast: { + success: vi.fn(), + error: vi.fn(), + }, +})) + +const wrapper = ({ children }: { children: React.ReactNode }) => { + const qc = createTestQueryClient() + return React.createElement(QueryClientProvider, { client: qc }, children) +} + +const mockEntry: CrowdSecWhitelistEntry = { + uuid: 'abc-123', + ip_or_cidr: '192.168.1.1', + reason: 'trusted device', + created_at: '2025-01-01T00:00:00Z', + updated_at: '2025-01-01T00:00:00Z', +} + +describe('useWhitelistEntries', () => { + beforeEach(() => vi.clearAllMocks()) + + it('returns whitelist entries on success', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue([mockEntry]) + + const { result } = renderHook(() => useWhitelistEntries(), { wrapper }) + + await waitFor(() => expect(result.current.isSuccess).toBe(true)) + + expect(result.current.data).toEqual([mockEntry]) + }) + + it('returns empty array when no entries', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue([]) + + const { result } = renderHook(() => useWhitelistEntries(), { wrapper }) + + await waitFor(() => expect(result.current.isSuccess).toBe(true)) + + expect(result.current.data).toEqual([]) + }) +}) + +describe('useAddWhitelist', () => { + beforeEach(() => vi.clearAllMocks()) + + it('calls addWhitelist and shows success toast on success', async () => { + vi.mocked(crowdsecApi.addWhitelist).mockResolvedValue(mockEntry) + + const { result } = renderHook(() => useAddWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate({ ip_or_cidr: '192.168.1.1', reason: 'test' }) + }) + + await waitFor(() => expect(result.current.isSuccess).toBe(true)) + + expect(crowdsecApi.addWhitelist).toHaveBeenCalledWith({ ip_or_cidr: '192.168.1.1', reason: 'test' }) + expect(toastUtil.toast.success).toHaveBeenCalledWith('Whitelist entry added') + }) + + it('shows error toast with server message on failure', async () => { + vi.mocked(crowdsecApi.addWhitelist).mockRejectedValue(new Error('IP already whitelisted')) + + const { result } = renderHook(() => useAddWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate({ ip_or_cidr: '10.0.0.0/8', reason: '' }) + }) + + await waitFor(() => expect(result.current.isError).toBe(true)) + + expect(toastUtil.toast.error).toHaveBeenCalledWith('IP already whitelisted') + }) + + it('shows generic error toast for non-Error failures', async () => { + vi.mocked(crowdsecApi.addWhitelist).mockRejectedValue('unexpected') + + const { result } = renderHook(() => useAddWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate({ ip_or_cidr: '10.0.0.1', reason: '' }) + }) + + await waitFor(() => expect(result.current.isError).toBe(true)) + + expect(toastUtil.toast.error).toHaveBeenCalledWith('Failed to add whitelist entry') + }) +}) + +describe('useDeleteWhitelist', () => { + beforeEach(() => vi.clearAllMocks()) + + it('calls deleteWhitelist and shows success toast on success', async () => { + vi.mocked(crowdsecApi.deleteWhitelist).mockResolvedValue(undefined) + + const { result } = renderHook(() => useDeleteWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate('abc-123') + }) + + await waitFor(() => expect(result.current.isSuccess).toBe(true)) + + expect(crowdsecApi.deleteWhitelist).toHaveBeenCalledWith('abc-123') + expect(toastUtil.toast.success).toHaveBeenCalledWith('Whitelist entry removed') + }) + + it('shows error toast with server message on failure', async () => { + vi.mocked(crowdsecApi.deleteWhitelist).mockRejectedValue(new Error('Entry not found')) + + const { result } = renderHook(() => useDeleteWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate('bad-uuid') + }) + + await waitFor(() => expect(result.current.isError).toBe(true)) + + expect(toastUtil.toast.error).toHaveBeenCalledWith('Entry not found') + }) + + it('shows generic error toast for non-Error failures', async () => { + vi.mocked(crowdsecApi.deleteWhitelist).mockRejectedValue(null) + + const { result } = renderHook(() => useDeleteWhitelist(), { wrapper }) + + await act(async () => { + result.current.mutate('some-uuid') + }) + + await waitFor(() => expect(result.current.isError).toBe(true)) + + expect(toastUtil.toast.error).toHaveBeenCalledWith('Failed to remove whitelist entry') + }) +}) From eb9b907ba3e62b2a56f190270e0d7d390922fdef Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 00:11:20 +0000 Subject: [PATCH 12/44] feat: add end-to-end tests for CrowdSec IP whitelist management --- tests/crowdsec-whitelist.spec.ts | 407 +++++++++++++++++++++++++++++++ 1 file changed, 407 insertions(+) create mode 100644 tests/crowdsec-whitelist.spec.ts diff --git a/tests/crowdsec-whitelist.spec.ts b/tests/crowdsec-whitelist.spec.ts new file mode 100644 index 00000000..a0e72117 --- /dev/null +++ b/tests/crowdsec-whitelist.spec.ts @@ -0,0 +1,407 @@ +import { test, expect, request as playwrightRequest } from '@playwright/test'; +import type { APIRequestContext } from '@playwright/test'; +import { + withSecurityEnabled, + captureSecurityState, + setSecurityModuleEnabled, + getSecurityStatus, +} from './utils/security-helpers'; +import { getStorageStateAuthHeaders } from './utils/api-helpers'; +import { STORAGE_STATE } from './constants'; + +/** + * CrowdSec IP Whitelist Management E2E Tests + * + * Tests the whitelist tab on the CrowdSec configuration page (/security/crowdsec). + * The tab is conditionally rendered: it only appears when CrowdSec mode is not 'disabled'. + * + * Uses IPs in the 10.99.x.x range to avoid conflicts with real network addresses. + * + * NOTE: Uses request.newContext({ storageState }) instead of the `request` fixture because + * the auth cookie has `secure: true` which the fixture won't send over HTTP, but + * Playwright's APIRequestContext does send it. + */ + +const BASE_URL = process.env.PLAYWRIGHT_BASE_URL ?? 'http://127.0.0.1:8080'; +const TEST_IP_PREFIX = '10.99'; + +function createRequestContext(): Promise { + return playwrightRequest.newContext({ + baseURL: BASE_URL, + storageState: STORAGE_STATE, + extraHTTPHeaders: getStorageStateAuthHeaders(), + }); +} + +test.describe('CrowdSec IP Whitelist Management', () => { + // Serial mode prevents the tab-visibility test (which disables CrowdSec) from + // racing with the local-mode tests (which require CrowdSec enabled). + test.describe.configure({ mode: 'serial' }); + + test.describe('tab visibility', () => { + test('whitelist tab is hidden when CrowdSec is disabled', async ({ page }) => { + const rc = await createRequestContext(); + const originalState = await captureSecurityState(rc); + if (originalState.crowdsec) { + await setSecurityModuleEnabled(rc, 'crowdsec', false); + } + + try { + await test.step('Navigate to CrowdSec config page', async () => { + await page.goto('/security/crowdsec'); + await page.waitForLoadState('networkidle'); + }); + + await test.step('Verify whitelist tab is not present', async () => { + await expect(page.getByRole('tab', { name: 'Whitelist' })).not.toBeVisible(); + }); + } finally { + if (originalState.crowdsec) { + await setSecurityModuleEnabled(rc, 'crowdsec', true); + } + await rc.dispose(); + } + }); + }); + + test.describe('with CrowdSec in local mode', () => { + let rc: APIRequestContext; + let cleanupSecurity: () => Promise; + + test.beforeAll(async () => { + rc = await createRequestContext(); + cleanupSecurity = await withSecurityEnabled(rc, { crowdsec: true, cerberus: true }); + + // Wait for CrowdSec to enter local mode (may take a few seconds after enabling) + for (let attempt = 0; attempt < 15; attempt++) { + const statusResp = await rc.get('/api/v1/security/status'); + if (statusResp.ok()) { + const status = await statusResp.json(); + if (status.crowdsec?.mode !== 'disabled') break; + } + await new Promise((resolve) => setTimeout(resolve, 2000)); + } + }); + + test.afterAll(async () => { + // Remove any leftover test entries before restoring security state + const resp = await rc.get('/api/v1/admin/crowdsec/whitelist'); + if (resp.ok()) { + const data = await resp.json(); + for (const entry of (data.whitelist ?? []) as Array<{ uuid: string; ip_or_cidr: string }>) { + if (entry.ip_or_cidr.startsWith(TEST_IP_PREFIX)) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${entry.uuid}`); + } + } + } + await cleanupSecurity?.(); + await rc.dispose(); + }); + + test.beforeEach(async ({ page }) => { + await test.step('Open CrowdSec Whitelist tab', async () => { + // CrowdSec may take time to enter local mode after being enabled. + // Retry navigation until the Whitelist tab is visible. + const maxAttempts = 15; + let tabFound = false; + for (let attempt = 0; attempt < maxAttempts; attempt++) { + await page.goto('/security/crowdsec'); + // Wait for network to settle so React Query status fetch completes + await page.waitForLoadState('networkidle', { timeout: 8000 }).catch(() => {}); + const whitelistTab = page.getByRole('tab', { name: 'Whitelist' }); + const visible = await whitelistTab.isVisible().catch(() => false); + if (visible) { + await whitelistTab.click(); + await page.waitForLoadState('networkidle', { timeout: 8000 }).catch(() => {}); + tabFound = true; + break; + } + if (attempt < maxAttempts - 1) { + await new Promise((resolve) => setTimeout(resolve, 2000)); + } + } + if (!tabFound) { + // Fail with a clear error message if tab never appeared + await expect(page.getByRole('tab', { name: 'Whitelist' })).toBeVisible({ + timeout: 1000, + }); + } + }); + }); + + test('displays empty state when no whitelist entries exist', async ({ page }) => { + await test.step('Verify empty state message and snapshot', async () => { + const emptyEl = page.getByTestId('whitelist-empty'); + await expect(emptyEl).toBeVisible(); + await expect(emptyEl).toHaveText('No whitelist entries'); + + await expect(emptyEl).toMatchAriaSnapshot(` + - paragraph: No whitelist entries + `); + }); + }); + + test('adds a valid IPv4 address to the whitelist', async ({ page }) => { + const testIP = `${TEST_IP_PREFIX}.1.10`; + let addedUUID: string | null = null; + + try { + await test.step('Fill IP address and reason fields', async () => { + await page.getByTestId('whitelist-ip-input').fill(testIP); + await page.getByTestId('whitelist-reason-input').fill('IPv4 E2E test entry'); + }); + + await test.step('Submit the form and capture response', async () => { + const responsePromise = page.waitForResponse( + (resp) => + resp.url().includes('/api/v1/admin/crowdsec/whitelist') && + resp.request().method() === 'POST' + ); + await page.getByTestId('whitelist-add-btn').click(); + const response = await responsePromise; + expect(response.status()).toBe(201); + const body = await response.json(); + addedUUID = body.uuid as string; + }); + + await test.step('Verify the entry appears in the table', async () => { + await expect(page.getByRole('cell', { name: testIP, exact: true })).toBeVisible({ timeout: 10_000 }); + await expect(page.getByRole('cell', { name: 'IPv4 E2E test entry' })).toBeVisible({ timeout: 10_000 }); + }); + } finally { + if (addedUUID) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${addedUUID}`); + } + } + }); + + test('adds a valid CIDR range to the whitelist', async ({ page }) => { + const testCIDR = `${TEST_IP_PREFIX}.2.0/24`; + let addedUUID: string | null = null; + + try { + await test.step('Fill CIDR notation and reason', async () => { + await page.getByTestId('whitelist-ip-input').fill(testCIDR); + await page.getByTestId('whitelist-reason-input').fill('CIDR E2E test range'); + }); + + await test.step('Submit the form and capture response', async () => { + const responsePromise = page.waitForResponse( + (resp) => + resp.url().includes('/api/v1/admin/crowdsec/whitelist') && + resp.request().method() === 'POST' + ); + await page.getByTestId('whitelist-add-btn').click(); + const response = await responsePromise; + expect(response.status()).toBe(201); + const body = await response.json(); + addedUUID = body.uuid as string; + }); + + await test.step('Verify CIDR entry appears in the table', async () => { + await expect(page.getByRole('cell', { name: testCIDR, exact: true })).toBeVisible({ timeout: 10_000 }); + await expect(page.getByRole('cell', { name: 'CIDR E2E test range' })).toBeVisible({ timeout: 10_000 }); + }); + } finally { + if (addedUUID) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${addedUUID}`); + } + } + }); + + test('"Add My IP" button pre-fills the detected client IP', async ({ page }) => { + const ipResp = await rc.get('/api/v1/system/my-ip'); + expect(ipResp.ok()).toBeTruthy(); + const { ip: detectedIP } = await ipResp.json() as { ip: string }; + + await test.step('Click the "Add My IP" button', async () => { + await page.getByTestId('whitelist-add-my-ip-btn').click(); + }); + + await test.step('Verify the IP input is pre-filled with the detected IP', async () => { + await expect(page.getByTestId('whitelist-ip-input')).toHaveValue(detectedIP); + }); + }); + + test('shows an inline validation error for an invalid IP address', async ({ page }) => { + await test.step('Fill the IP field with an invalid value', async () => { + await page.getByTestId('whitelist-ip-input').fill('not-an-ip'); + }); + + await test.step('Submit the form', async () => { + await page.getByTestId('whitelist-add-btn').click(); + }); + + await test.step('Verify the inline error element is visible with an error message', async () => { + const errorEl = page.getByTestId('whitelist-ip-error'); + await expect(errorEl).toBeVisible(); + await expect(errorEl).toContainText(/invalid/i); + }); + }); + + test('shows a conflict error when adding a duplicate whitelist entry', async ({ page }) => { + const testIP = `${TEST_IP_PREFIX}.3.10`; + let addedUUID: string | null = null; + + try { + await test.step('Pre-seed the whitelist entry via API', async () => { + const addResp = await rc.post('/api/v1/admin/crowdsec/whitelist', { + data: { ip_or_cidr: testIP, reason: 'duplicate seed' }, + }); + expect(addResp.status()).toBe(201); + const body = await addResp.json(); + addedUUID = body.uuid as string; + }); + + await test.step('Reload the whitelist tab to see the seeded entry', async () => { + await page.goto('/security/crowdsec'); + const whitelistTab = page.getByRole('tab', { name: 'Whitelist' }); + await expect(whitelistTab).toBeVisible({ timeout: 15_000 }); + await whitelistTab.click(); + await expect(page.getByRole('cell', { name: testIP, exact: true })).toBeVisible({ timeout: 10_000 }); + }); + + await test.step('Attempt to add the same IP again', async () => { + await page.getByTestId('whitelist-ip-input').fill(testIP); + await page.getByTestId('whitelist-add-btn').click(); + }); + + await test.step('Verify the conflict error is shown inline', async () => { + const errorEl = page.getByTestId('whitelist-ip-error'); + await expect(errorEl).toBeVisible(); + await expect(errorEl).toContainText(/already exists/i); + }); + } finally { + if (addedUUID) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${addedUUID}`); + } + } + }); + + test('removes a whitelist entry via the delete confirmation modal', async ({ page }) => { + const testIP = `${TEST_IP_PREFIX}.4.10`; + let addedUUID: string | null = null; + + try { + await test.step('Pre-seed a whitelist entry via API', async () => { + const addResp = await rc.post('/api/v1/admin/crowdsec/whitelist', { + data: { ip_or_cidr: testIP, reason: 'delete modal test' }, + }); + expect(addResp.status()).toBe(201); + const body = await addResp.json(); + addedUUID = body.uuid as string; + }); + + await test.step('Reload the whitelist tab to see the seeded entry', async () => { + await page.goto('/security/crowdsec'); + const whitelistTab = page.getByRole('tab', { name: 'Whitelist' }); + await expect(whitelistTab).toBeVisible({ timeout: 15_000 }); + await whitelistTab.click(); + await expect(page.getByRole('cell', { name: testIP, exact: true })).toBeVisible({ timeout: 10_000 }); + }); + + await test.step('Click the delete button for the entry', async () => { + const deleteBtn = page.getByRole('button', { + name: new RegExp(`Remove whitelist entry for ${testIP.replace(/\./g, '\\.')}`, 'i'), + }); + await expect(deleteBtn).toBeVisible(); + await deleteBtn.click(); + }); + + await test.step('Verify the confirmation modal appears', async () => { + const modal = page.getByRole('dialog'); + await expect(modal).toBeVisible(); + await expect(modal.locator('#whitelist-delete-modal-title')).toHaveText( + 'Remove Whitelist Entry' + ); + await expect(modal).toMatchAriaSnapshot(` + - dialog: + - heading "Remove Whitelist Entry" [level=2] + `); + }); + + await test.step('Confirm deletion and verify the entry is removed', async () => { + const deleteResponsePromise = page.waitForResponse( + (resp) => + resp.url().includes('/api/v1/admin/crowdsec/whitelist/') && + resp.request().method() === 'DELETE' + ); + await page.getByRole('button', { name: 'Remove', exact: true }).click(); + const deleteResponse = await deleteResponsePromise; + expect(deleteResponse.ok()).toBeTruthy(); + addedUUID = null; // cleaned up by the UI action + + await expect(page.getByRole('cell', { name: testIP, exact: true })).not.toBeVisible(); + await expect(page.getByTestId('whitelist-empty')).toBeVisible(); + }); + } finally { + // Fallback cleanup if the UI delete failed + if (addedUUID) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${addedUUID}`); + } + } + }); + + test('delete confirmation modal is dismissed by the Cancel button', async ({ page }) => { + const testIP = `${TEST_IP_PREFIX}.5.10`; + let addedUUID: string | null = null; + + try { + await test.step('Pre-seed a whitelist entry via API', async () => { + const addResp = await rc.post('/api/v1/admin/crowdsec/whitelist', { + data: { ip_or_cidr: testIP, reason: 'cancel modal test' }, + }); + expect(addResp.status()).toBe(201); + const body = await addResp.json(); + addedUUID = body.uuid as string; + }); + + await test.step('Reload the whitelist tab', async () => { + await page.goto('/security/crowdsec'); + const whitelistTab = page.getByRole('tab', { name: 'Whitelist' }); + await expect(whitelistTab).toBeVisible({ timeout: 15_000 }); + await whitelistTab.click(); + await expect(page.getByRole('cell', { name: testIP, exact: true })).toBeVisible({ timeout: 10_000 }); + }); + + await test.step('Open the delete modal', async () => { + const deleteBtn = page.getByRole('button', { + name: new RegExp(`Remove whitelist entry for ${testIP.replace(/\./g, '\\.')}`, 'i'), + }); + await deleteBtn.click(); + await expect(page.getByRole('dialog')).toBeVisible(); + }); + + await test.step('Cancel and verify the entry is still present', async () => { + await page.getByRole('button', { name: 'Cancel' }).click(); + await expect(page.getByRole('dialog')).not.toBeVisible(); + await expect(page.getByRole('cell', { name: testIP, exact: true })).toBeVisible(); + }); + } finally { + if (addedUUID) { + await rc.delete(`/api/v1/admin/crowdsec/whitelist/${addedUUID}`); + } + } + }); + + test('add button is disabled when the IP field is empty', async ({ page }) => { + await test.step('Verify add button is disabled with empty IP field', async () => { + const ipInput = page.getByTestId('whitelist-ip-input'); + const addBtn = page.getByTestId('whitelist-add-btn'); + + await expect(ipInput).toHaveValue(''); + await expect(addBtn).toBeDisabled(); + }); + + await test.step('Button becomes enabled when IP is entered', async () => { + await page.getByTestId('whitelist-ip-input').fill('192.168.1.1'); + await expect(page.getByTestId('whitelist-add-btn')).toBeEnabled(); + }); + + await test.step('Button returns to disabled state when IP is cleared', async () => { + await page.getByTestId('whitelist-ip-input').clear(); + await expect(page.getByTestId('whitelist-add-btn')).toBeDisabled(); + }); + }); + }); +}); From 028342c63abc5602e2b315a155516de41e4b2e4a Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 00:12:10 +0000 Subject: [PATCH 13/44] fix: update JSON response key for whitelist entries in ListWhitelists handler --- backend/internal/api/handlers/crowdsec_handler.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/internal/api/handlers/crowdsec_handler.go b/backend/internal/api/handlers/crowdsec_handler.go index bea6782e..f79532bc 100644 --- a/backend/internal/api/handlers/crowdsec_handler.go +++ b/backend/internal/api/handlers/crowdsec_handler.go @@ -2710,7 +2710,7 @@ func (h *CrowdsecHandler) ListWhitelists(c *gin.Context) { c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list whitelist entries"}) return } - c.JSON(http.StatusOK, gin.H{"entries": entries}) + c.JSON(http.StatusOK, gin.H{"whitelist": entries}) } // AddWhitelist adds a new IP or CIDR to the CrowdSec whitelist. From 973efd6412e7a4ffbb11c2b6baa34a4da523191d Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 01:15:04 +0000 Subject: [PATCH 14/44] fix: initialize WhitelistSvc only if db is not nil and update error message in AddWhitelist handler --- backend/internal/api/handlers/crowdsec_handler.go | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/backend/internal/api/handlers/crowdsec_handler.go b/backend/internal/api/handlers/crowdsec_handler.go index f79532bc..140f7393 100644 --- a/backend/internal/api/handlers/crowdsec_handler.go +++ b/backend/internal/api/handlers/crowdsec_handler.go @@ -384,7 +384,7 @@ func NewCrowdsecHandler(db *gorm.DB, executor CrowdsecExecutor, binPath, dataDir securitySvc = services.NewSecurityService(db) consoleSvc = crowdsec.NewConsoleEnrollmentService(db, &crowdsec.SecureCommandExecutor{}, dataDir, consoleSecret) } - return &CrowdsecHandler{ + h := &CrowdsecHandler{ DB: db, Executor: executor, CmdExec: &RealCommandExecutor{}, @@ -393,10 +393,13 @@ func NewCrowdsecHandler(db *gorm.DB, executor CrowdsecExecutor, binPath, dataDir Hub: hubSvc, Console: consoleSvc, Security: securitySvc, - WhitelistSvc: services.NewCrowdSecWhitelistService(db, dataDir), dashCache: newDashboardCache(), validateLAPIURL: validateCrowdsecLAPIBaseURLDefault, } + if db != nil { + h.WhitelistSvc = services.NewCrowdSecWhitelistService(db, dataDir) + } + return h } // isCerberusEnabled returns true when Cerberus is enabled via DB or env flag. @@ -2720,7 +2723,7 @@ func (h *CrowdsecHandler) AddWhitelist(c *gin.Context) { Reason string `json:"reason"` } if err := c.ShouldBindJSON(&req); err != nil { - c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + c.JSON(http.StatusBadRequest, gin.H{"error": "ip_or_cidr is required"}) return } From f0fdf9b752f3a1a3bd0831ff1d6448e2e34e3a98 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 01:15:53 +0000 Subject: [PATCH 15/44] test: update response key for whitelist entries and add validation test for missing fields --- .../crowdsec_whitelist_handler_test.go | 20 +++++++++++++++++-- .../crowdsec_whitelist_service_test.go | 13 ++++++++++++ 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go b/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go index 8e932806..dc03065b 100644 --- a/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go +++ b/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go @@ -54,7 +54,7 @@ func TestListWhitelists_Empty(t *testing.T) { assert.Equal(t, http.StatusOK, w.Code) var resp map[string]interface{} require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) - entries, ok := resp["entries"].([]interface{}) + entries, ok := resp["whitelist"].([]interface{}) assert.True(t, ok) assert.Empty(t, entries) } @@ -154,6 +154,22 @@ func TestListWhitelists_AfterAdd(t *testing.T) { assert.Equal(t, http.StatusOK, w.Code) var resp map[string]interface{} require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) - entries := resp["entries"].([]interface{}) + entries := resp["whitelist"].([]interface{}) assert.Len(t, entries, 1) } + +func TestAddWhitelist_400_MissingField(t *testing.T) { + t.Parallel() + _, r, _ := setupWhitelistHandler(t) + + body := `{}` + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusBadRequest, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + assert.Equal(t, "ip_or_cidr is required", resp["error"]) +} diff --git a/backend/internal/services/crowdsec_whitelist_service_test.go b/backend/internal/services/crowdsec_whitelist_service_test.go index 438221f2..9d52016f 100644 --- a/backend/internal/services/crowdsec_whitelist_service_test.go +++ b/backend/internal/services/crowdsec_whitelist_service_test.go @@ -164,3 +164,16 @@ func TestCrowdSecWhitelistService_List_AfterAdd(t *testing.T) { require.NoError(t, err) assert.Len(t, entries, 3) } + +func TestAdd_ValidIPv6_Success(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + entry, err := svc.Add(context.Background(), "2001:db8::1", "ipv6 test") + require.NoError(t, err) + assert.Equal(t, "2001:db8::1", entry.IPOrCIDR) + + entries, err := svc.List(context.Background()) + require.NoError(t, err) + assert.Len(t, entries, 1) + assert.Equal(t, "2001:db8::1", entries[0].IPOrCIDR) +} From 2a1652d0b1ae2142aea7089c82bae1162ce52b50 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 01:17:36 +0000 Subject: [PATCH 16/44] feat: add IP whitelist management details to architecture documentation --- ARCHITECTURE.md | 1 + ...ch-coverage-improvement-plan-2026-05-02.md | 460 ++++++ docs/plans/current_spec.md | 1253 +++++++++++------ 3 files changed, 1306 insertions(+), 408 deletions(-) create mode 100644 docs/plans/archive/patch-coverage-improvement-plan-2026-05-02.md diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md index 55d2aa54..c28ffdf1 100644 --- a/ARCHITECTURE.md +++ b/ARCHITECTURE.md @@ -577,6 +577,7 @@ graph LR - Global threat intelligence (crowd-sourced IP reputation) - Automatic IP banning with configurable duration - Decision management API (view, create, delete bans) +- IP whitelist management: operators add/remove IPs and CIDRs via the management UI; entries are persisted in SQLite and regenerated into a `crowdsecurity/whitelists` parser YAML on every mutating operation and at startup **Modes:** diff --git a/docs/plans/archive/patch-coverage-improvement-plan-2026-05-02.md b/docs/plans/archive/patch-coverage-improvement-plan-2026-05-02.md new file mode 100644 index 00000000..f976b196 --- /dev/null +++ b/docs/plans/archive/patch-coverage-improvement-plan-2026-05-02.md @@ -0,0 +1,460 @@ +# Coverage Improvement Plan — Patch Coverage ≥ 90% + +**Date**: 2026-05-02 +**Status**: Draft — Awaiting Approval +**Priority**: High +**Archived Previous Plan**: Custom Certificate Upload & Management (Issue #22) → `docs/plans/archive/custom-cert-upload-management-spec-2026-05-02.md` + +--- + +## 1. Introduction + +This plan identifies exact uncovered branches across the six highest-gap backend source files and two frontend components, and specifies new test cases to close those gaps. The target is to raise overall patch coverage from **85.61% (206 missing lines)** to **≥ 90%**. + +**Constraints**: +- No source file modifications — test files only +- Go tests placed in `*_patch_coverage_test.go` (same package as source) +- Frontend tests extend existing `__tests__/*.test.tsx` files +- Use testify (Go) and Vitest + React Testing Library (frontend) + +--- + +## 2. Research Findings + +### 2.1 Coverage Gap Summary + +| Package | File | Missing Lines | Current Coverage | +|---|---|---|---| +| `handlers` | `certificate_handler.go` | ~54 | 70.28% | +| `services` | `certificate_service.go` | ~54 | 82.85% | +| `services` | `certificate_validator.go` | ~18 | 88.68% | +| `handlers` | `proxy_host_handler.go` | ~12 | 55.17% | +| `config` | `config.go` | ~8 | ~92% | +| `caddy` | `manager.go` | ~10 | ~88% | +| Frontend | `CertificateList.tsx` | moderate | — | +| Frontend | `CertificateUploadDialog.tsx` | moderate | — | + +### 2.2 Test Infrastructure (Confirmed) + +- **In-memory DB**: `gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{})` +- **Mock auth**: `mockAuthMiddleware()` from `coverage_helpers_test.go` +- **Mock backup service**: `&mockBackupService{createFunc: ..., availableSpaceFunc: ...}` +- **Manager test hooks**: package-level `generateConfigFunc`, `validateConfigFunc`, `writeFileFunc` vars with `defer` restore pattern +- **Frontend mocks**: `vi.mock('../../hooks/...', ...)` and `vi.mock('react-i18next', ...)` + +### 2.3 Existing Patch Test Files + +| File | Existing Tests | +|---|---| +| `certificate_handler_patch_coverage_test.go` | `TestDelete_UUID_WithBackup_Success`, `_NotFound`, `_InUse` | +| `certificate_service_patch_coverage_test.go` | `TestExportCertificate_DER`, `_PFX`, `_P12`, `_UnsupportedFormat` | +| `certificate_validator_extra_coverage_test.go` | ECDSA/Ed25519 key match, `ConvertDERToPEM` valid/invalid | +| `manager_patch_coverage_test.go` | DNS provider encryption key paths | +| `proxy_host_handler_test.go` | Full CRUD + BulkUpdateACL + BulkUpdateSecurityHeaders | +| `proxy_host_handler_update_test.go` | Update edge cases, `ParseForwardPortField`, `ParseNullableUintField` | + +--- + +## 3. Technical Specifications — Per-File Gap Analysis + +### 3.1 `certificate_handler.go` — Export Re-Auth Path (~18 lines) + +The `Export` handler re-authenticates the user when `include_key=true`. All six guard branches are uncovered. + +**Gap location**: Lines ~260–320 (password empty check, `user` context key extraction, `map[string]any` cast, `id` field lookup, DB user lookup, bcrypt check) + +**New tests** (append to `certificate_handler_patch_coverage_test.go`): + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestExport_IncludeKey_MissingPassword` | POST with `include_key=true`, no `password` field | 403 | +| `TestExport_IncludeKey_NoUserContext` | No `"user"` key in gin context | 403 | +| `TestExport_IncludeKey_InvalidClaimsType` | `"user"` set to a plain string | 403 | +| `TestExport_IncludeKey_UserIDNotInClaims` | `user = map[string]any{}` with no `"id"` key | 403 | +| `TestExport_IncludeKey_UserNotFoundInDB` | Valid claims, no matching user row | 403 | +| `TestExport_IncludeKey_WrongPassword` | User in DB, wrong plaintext password submitted | 403 | + +### 3.2 `certificate_handler.go` — Export Service Errors (~4 lines) + +**Gap location**: After `ExportCertificate` call — ErrCertNotFound and generic error branches + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestExport_CertNotFound` | Unknown UUID | 404 | +| `TestExport_ServiceError` | Service returns non-not-found error | 500 | + +### 3.3 `certificate_handler.go` — Delete Numeric-ID Error Paths (~12 lines) + +**Gap location**: `IsCertificateInUse` error, disk space check, backup error, `DeleteCertificateByID` returning `ErrCertInUse` or generic error + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestDelete_NumericID_UsageCheckError` | `IsCertificateInUse` returns error | 500 | +| `TestDelete_NumericID_LowDiskSpace` | `availableSpaceFunc` returns 0 | 507 | +| `TestDelete_NumericID_BackupError` | `createFunc` returns error | 500 | +| `TestDelete_NumericID_CertInUse_FromService` | `DeleteCertificateByID` → `ErrCertInUse` | 409 | +| `TestDelete_NumericID_DeleteError` | `DeleteCertificateByID` → generic error | 500 | + +### 3.4 `certificate_handler.go` — Delete UUID Additional Error Paths (~8 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestDelete_UUID_UsageCheckInternalError` | `IsCertificateInUseByUUID` returns non-ErrCertNotFound error | 500 | +| `TestDelete_UUID_LowDiskSpace` | `availableSpaceFunc` returns 0 | 507 | +| `TestDelete_UUID_BackupCreationError` | `createFunc` returns error | 500 | +| `TestDelete_UUID_CertInUse_FromService` | `DeleteCertificate` → `ErrCertInUse` | 409 | + +### 3.5 `certificate_handler.go` — Upload/Validate File Open Errors (~8 lines) + +**Gap location**: `file.Open()` calls on multipart key and chain form files returning errors + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestUpload_KeyFile_OpenError` | Valid cert file, malformed key multipart entry | 500 | +| `TestUpload_ChainFile_OpenError` | Valid cert+key, malformed chain multipart entry | 500 | +| `TestValidate_KeyFile_OpenError` | Valid cert, malformed key multipart entry | 500 | +| `TestValidate_ChainFile_OpenError` | Valid cert+key, malformed chain multipart entry | 500 | + +### 3.6 `certificate_handler.go` — `sendDeleteNotification` Rate-Limit (~2 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestSendDeleteNotification_RateLimit` | Call `sendDeleteNotification` twice within 10-second window | Second call is a no-op | + +--- + +### 3.7 `certificate_service.go` — `SyncFromDisk` Branches (~14 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestSyncFromDisk_StagingToProductionUpgrade` | DB has staging cert, disk has production cert for same domain | DB cert updated to production provider | +| `TestSyncFromDisk_ExpiryOnlyUpdate` | Disk cert content matches DB cert, only expiry changed | Only `expires_at` column updated | +| `TestSyncFromDisk_CertRootStatPermissionError` | `os.Chmod(certRoot, 0)` before sync; add skip guard `if os.Getuid() == 0 { t.Skip("chmod permission test cannot run as root") }` | No panic; logs error; function completes | + +### 3.8 `certificate_service.go` — `ListCertificates` Background Goroutine (~4 lines) + +**Gap location**: `initialized=true` && TTL expired path → spawns background goroutine + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestListCertificates_StaleCache_TriggersBackgroundSync` | `initialized=true`, `lastScan` = 10 min ago | Returns cached list without blocking; background sync completes | + +*Use `require.Eventually(t, func() bool { return svc.lastScan.After(before) }, 2*time.Second, 10*time.Millisecond, "background sync did not update lastScan")` after the call — avoids flaky fixed sleeps.* + +### 3.9 `certificate_service.go` — `GetDecryptedPrivateKey` Nil encSvc and Decrypt Failure (~4 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestGetDecryptedPrivateKey_NoEncSvc` | Service with `nil` encSvc, cert has non-empty `PrivateKeyEncrypted` | Returns error | +| `TestGetDecryptedPrivateKey_DecryptFails` | encSvc configured, corrupted ciphertext in DB | Returns wrapped error | + +### 3.10 `certificate_service.go` — `MigratePrivateKeys` Branches (~6 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestMigratePrivateKeys_NoEncSvc` | `encSvc == nil` | Returns nil; logs warning | +| `TestMigratePrivateKeys_WithRows` | DB has cert with `private_key` populated, valid encSvc | Row migrated: `private_key` cleared, `private_key_enc` set | + +### 3.11 `certificate_service.go` — `UpdateCertificate` Errors (~4 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestUpdateCertificate_NotFound` | Non-existent UUID | Returns `ErrCertNotFound` | +| `TestUpdateCertificate_DBSaveError` | Valid UUID, DB closed before Save | Returns wrapped error | + +### 3.12 `certificate_service.go` — `DeleteCertificate` ACME File Cleanup (~8 lines) + +**Gap location**: `cert.Provider == "letsencrypt"` branch → Walk certRoot and remove `.crt`/`.key`/`.json` files + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestDeleteCertificate_LetsEncryptProvider_FileCleanup` | Create temp `.crt` matching cert domain, delete cert | `.crt` removed from disk | +| `TestDeleteCertificate_StagingProvider_FileCleanup` | Provider = `"letsencrypt-staging"` | Same cleanup behavior triggered | + +### 3.13 `certificate_service.go` — `CheckExpiringCertificates` (~8 lines) + +**Implementation** (lines ~966–1020): queries `provider = 'custom'` certs expiring before `threshold`, iterates and sends notification for certs with `daysLeft <= warningDays`. + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestCheckExpiringCertificates_ExpiresInRange` | Custom cert `expires_at = now+5d`, warningDays=30 | Returns slice with 1 cert | +| `TestCheckExpiringCertificates_AlreadyExpired` | Custom cert `expires_at = yesterday` | Result contains cert with negative days | +| `TestCheckExpiringCertificates_DBError` | DB closed before query | Returns error | + +--- + +### 3.14 `certificate_validator.go` — `DetectFormat` Password-Protected PFX (~2 lines) + +**Gap location**: PFX where `pkcs12.DecodeAll("")` fails but first byte is `0x30` (ASN.1 SEQUENCE), DER parse also fails → returns `FormatPFX` + +**New file**: `certificate_validator_patch_coverage_test.go` + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestDetectFormat_PasswordProtectedPFX` | Generate PFX with non-empty password, call `DetectFormat` | Returns `FormatPFX` | + +### 3.15 `certificate_validator.go` — `parsePEMPrivateKey` Additional Block Types (~4 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestParsePEMPrivateKey_PKCS1RSA` | PEM block type `"RSA PRIVATE KEY"` (x509.MarshalPKCS1PrivateKey) | Returns RSA key | +| `TestParsePEMPrivateKey_EC` | PEM block type `"EC PRIVATE KEY"` (x509.MarshalECPrivateKey) | Returns ECDSA key | + +### 3.16 `certificate_validator.go` — `detectKeyType` P-384 and Unknown Curves (~4 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestDetectKeyType_ECDSAP384` | P-384 ECDSA key | Returns `"ECDSA-P384"` | +| `TestDetectKeyType_ECDSAUnknownCurve` | ECDSA key with custom/unknown curve (e.g. P-224) | Returns `"ECDSA"` | + +### 3.17 `certificate_validator.go` — `ConvertPEMToPFX` Empty Chain (~2 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestConvertPEMToPFX_EmptyChain` | Valid cert+key PEM, empty chain string | Returns PFX bytes without error | + +### 3.18 `certificate_validator.go` — `ConvertPEMToDER` Non-Certificate Block (~2 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestConvertPEMToDER_NonCertBlock` | PEM block type `"PRIVATE KEY"` | Returns nil data and error | + +### 3.19 `certificate_validator.go` — `formatSerial` Nil BigInt (~2 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestFormatSerial_Nil` | `formatSerial(nil)` | Returns `""` | + +--- + +### 3.20 `proxy_host_handler.go` — `generateForwardHostWarnings` Private IP (~2 lines) + +**Gap location**: `net.ParseIP(forwardHost) != nil && network.IsPrivateIP(ip)` branch (non-Docker private IP) + +**New file**: `proxy_host_handler_patch_coverage_test.go` + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestGenerateForwardHostWarnings_PrivateIP` | forwardHost = `"192.168.1.100"` (RFC-1918, non-Docker) | Returns warning with field `"forward_host"` | + +### 3.21 `proxy_host_handler.go` — `BulkUpdateSecurityHeaders` Edge Cases (~4 lines) + +| Test Name | Scenario | Expected | +|---|---|---| +| `TestBulkUpdateSecurityHeaders_AllFail_Rollback` | All UUIDs not found → `updated == 0` at end | 400, transaction rolled back | +| `TestBulkUpdateSecurityHeaders_ProfileDB_NonNotFoundError` | Profile lookup returns wrapped DB error | 500 | + +--- + +### 3.22 Frontend: `CertificateList.tsx` — Untested Branches + +**File**: `frontend/src/components/__tests__/CertificateList.test.tsx` + +| Gap | New Test | +|---|---| +| `bulkDeleteMutation` success | `'calls bulkDeleteMutation.mutate with selected UUIDs on confirm'` | +| `bulkDeleteMutation` error | `'shows error toast on bulk delete failure'` | +| Sort direction toggle | `'toggles sort direction when same column clicked twice'` | +| `selectedIds` reconciliation | `'reconciles selectedIds when certificate list shrinks'` | +| Export dialog open | `'opens export dialog when export button clicked'` | + +### 3.23 Frontend: `CertificateUploadDialog.tsx` — Untested Branches + +**File**: `frontend/src/components/dialogs/__tests__/CertificateUploadDialog.test.tsx` + +| Gap | New Test | +|---|---| +| PFX hides key/chain zones | `'hides key and chain file inputs when PFX file selected'` | +| Upload success closes dialog | `'calls onOpenChange(false) on successful upload'` | +| Upload error shows toast | `'shows error toast when upload mutation fails'` | +| Validate result shown | `'displays validation result after validate clicked'` | + +--- + +## 4. Implementation Plan + +### Phase 1: Playwright Smoke Tests (Acceptance Gating) + +Add smoke coverage to confirm certificate export and delete flows reach the backend. + +**File**: `tests/certificate-coverage-smoke.spec.ts` + +```typescript +import { test, expect } from '@playwright/test' + +test.describe('Certificate Coverage Smoke', () => { + test('export dialog opens when export button clicked', async ({ page }) => { + await page.goto('/') + // navigate to Certificates, click export on a cert + // assert dialog visible + }) + + test('delete dialog opens for deletable certificate', async ({ page }) => { + await page.goto('/') + // assert delete confirmation dialog appears + }) +}) +``` + +### Phase 2: Backend — Handler Tests + +**File**: `backend/internal/api/handlers/certificate_handler_patch_coverage_test.go` +**Action**: Append all tests from sections 3.1–3.6. + +Setup pattern for handler tests: + +```go +func setupCertHandlerTest(t *testing.T) (*gin.Engine, *CertificateHandler, *gorm.DB) { + t.Helper() + db, err := gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{}) + require.NoError(t, err) + require.NoError(t, db.AutoMigrate(&models.SSLCertificate{}, &models.User{}, &models.ProxyHost{})) + tmpDir := t.TempDir() + certSvc := services.NewCertificateService(tmpDir, db, nil) + backup := &mockBackupService{ + availableSpaceFunc: func() (int64, error) { return 1 << 30, nil }, + createFunc: func(string) (string, error) { return "/tmp/backup.db", nil }, + } + h := NewCertificateHandler(certSvc, backup, nil) + h.SetDB(db) + r := gin.New() + r.Use(mockAuthMiddleware()) + h.RegisterRoutes(r.Group("/api")) + return r, h, db +} +``` + +For `TestExport_IncludeKey_*` tests: inject user into gin context directly using a custom middleware wrapper that sets `"user"` (type `map[string]any`, field `"id"`) to the desired value. + +### Phase 3: Backend — Service Tests + +**File**: `backend/internal/services/certificate_service_patch_coverage_test.go` +**Action**: Append all tests from sections 3.7–3.13. + +Setup pattern: + +```go +func newTestSvc(t *testing.T) (*CertificateService, *gorm.DB, string) { + t.Helper() + db, err := gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{}) + require.NoError(t, err) + require.NoError(t, db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})) + tmpDir := t.TempDir() + return NewCertificateService(tmpDir, db, nil), db, tmpDir +} +``` + +For `TestMigratePrivateKeys_WithRows`: use `db.Exec("INSERT INTO ssl_certificates (..., private_key) VALUES (...)` raw SQL to bypass GORM's `gorm:"-"` tag. + +### Phase 4: Backend — Validator Tests + +**File**: `backend/internal/services/certificate_validator_patch_coverage_test.go` (new) + +Key helpers needed: + +```go +// generatePKCS1RSAKeyPEM returns an RSA key in PKCS#1 "RSA PRIVATE KEY" PEM format. +func generatePKCS1RSAKeyPEM(t *testing.T) []byte { + key, err := rsa.GenerateKey(rand.Reader, 2048) + require.NoError(t, err) + return pem.EncodeToMemory(&pem.Block{ + Type: "RSA PRIVATE KEY", + Bytes: x509.MarshalPKCS1PrivateKey(key), + }) +} + +// generateECKeyPEM returns an EC key in "EC PRIVATE KEY" (SEC1) PEM format. +func generateECKeyPEM(t *testing.T, curve elliptic.Curve) []byte { + key, err := ecdsa.GenerateKey(curve, rand.Reader) + require.NoError(t, err) + b, err := x509.MarshalECPrivateKey(key) + require.NoError(t, err) + return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b}) +} +``` + +### Phase 5: Backend — Proxy Host Handler Tests + +**File**: `backend/internal/api/handlers/proxy_host_handler_patch_coverage_test.go` (new) + +Setup pattern mirrors existing `proxy_host_handler_test.go` — use in-memory SQLite, `mockAuthMiddleware`, and `mockCaddyManager` (already available via test hook vars). + +### Phase 6: Frontend Tests + +**Files**: +- `frontend/src/components/__tests__/CertificateList.test.tsx` +- `frontend/src/components/dialogs/__tests__/CertificateUploadDialog.test.tsx` + +Use existing mock structure; add new `it(...)` blocks inside existing `describe` blocks. + +Frontend bulk delete success test pattern: + +```typescript +it('calls bulkDeleteMutation.mutate with selected UUIDs on confirm', async () => { + const bulkDeleteFn = vi.fn() + mockUseBulkDeleteCertificates.mockReturnValue({ + mutate: bulkDeleteFn, + isPending: false, + }) + render() + // select checkboxes, click bulk delete, confirm dialog + expect(bulkDeleteFn).toHaveBeenCalledWith(['uuid-1', 'uuid-2']) +}) +``` + +### Phase 7: Validation + +1. `cd /projects/Charon && bash scripts/go-test-coverage.sh` +2. `cd /projects/Charon && bash scripts/frontend-test-coverage.sh` +3. `bash scripts/local-patch-report.sh` → verify `test-results/local-patch-report.md` shows ≥ 90% +4. `bash scripts/scan-gorm-security.sh --check` → zero CRITICAL/HIGH + +--- + +## 5. Commit Slicing Strategy + +**Decision**: One PR with 5 ordered, independently-reviewable commits. + +**Rationale**: Four packages touched across two build systems (Go + Node). Atomic commits allow targeted revert if a mock approach proves brittle for a specific file, without rolling back unrelated coverage gains. + +| # | Scope | Files | Dependencies | Validation Gate | +|---|---|---|---|---| +| **Commit 1** | Handler re-auth + delete + file-open errors | `certificate_handler_patch_coverage_test.go` (extend) | None | `go test ./backend/internal/api/handlers/...` | +| **Commit 2** | Service SyncFromDisk, ListCerts, GetDecryptedKey, Migrate, Update, Delete, CheckExpiring | `certificate_service_patch_coverage_test.go` (extend) | None | `go test ./backend/internal/services/...` | +| **Commit 3** | Validator DetectFormat, parsePEMPrivateKey, detectKeyType, ConvertPEMToPFX/DER, formatSerial | `certificate_validator_patch_coverage_test.go` (new) | Commit 2 not required (separate file) | `go test ./backend/internal/services/...` | +| **Commit 4** | Proxy host warnings + BulkUpdateSecurityHeaders edge cases | `proxy_host_handler_patch_coverage_test.go` (new) | None | `go test ./backend/internal/api/handlers/...` | +| **Commit 5** | Frontend CertificateList + CertificateUploadDialog | `CertificateList.test.tsx`, `CertificateUploadDialog.test.tsx` (extend) | None | `npm run test` | + +**Rollback**: Any commit is safe to revert independently — all changes are additive test-only files. + +**Contingency**: If the `Export` handler's re-auth tests require gin context injection that the current router wiring doesn't support cleanly, use a sub-router with a custom test middleware that pre-populates `"user"` (`map[string]any{"id": uint(1)}`) with the specific value under test, bypassing `mockAuthMiddleware` for those cases only. + +--- + +## 6. Acceptance Criteria + +- [ ] `go test -race ./backend/...` — all tests pass, no data races +- [ ] Backend patch coverage ≥ 90% for all modified Go files per `test-results/local-patch-report.md` +- [ ] `npm run test` — all Vitest tests pass +- [ ] Frontend patch coverage ≥ 90% for `CertificateList.tsx` and `CertificateUploadDialog.tsx` +- [ ] GORM security scan: zero CRITICAL/HIGH findings +- [ ] No new `//nolint` or `//nosec` directives introduced +- [ ] No source file modifications — test files only +- [ ] All new Go test names follow `TestFunctionName_Scenario` convention +- [ ] Previous spec archived to `docs/plans/archive/` + +--- + +## 7. Estimated Coverage Impact + +| File | Current | Estimated After | Lines Recovered | +|---|---|---|---| +| `certificate_handler.go` | 70.28% | ~85% | ~42 lines | +| `certificate_service.go` | 82.85% | ~92% | ~44 lines | +| `certificate_validator.go` | 88.68% | ~96% | ~18 lines | +| `proxy_host_handler.go` | 55.17% | ~60% | ~8 lines | +| `CertificateList.tsx` | moderate | high | ~15 lines | +| `CertificateUploadDialog.tsx` | moderate | high | ~12 lines | +| **Overall patch** | **85.61%** | **≥ 90%** | **~139 lines** | + +> **Note**: Proxy host handler remains below 90% after this plan because the `Create`/`Update`/`Delete` handler paths require full Caddy manager mock integration. A follow-up plan should address these with a dedicated `mockCaddyManager` interface. diff --git a/docs/plans/current_spec.md b/docs/plans/current_spec.md index f976b196..8c76ff60 100644 --- a/docs/plans/current_spec.md +++ b/docs/plans/current_spec.md @@ -1,460 +1,897 @@ -# Coverage Improvement Plan — Patch Coverage ≥ 90% +# CrowdSec IP Whitelist Management — Implementation Plan -**Date**: 2026-05-02 +**Issue**: [#939 — CrowdSec IP Whitelist Management](https://github.com/owner/Charon/issues/939) +**Date**: 2026-05-20 **Status**: Draft — Awaiting Approval **Priority**: High -**Archived Previous Plan**: Custom Certificate Upload & Management (Issue #22) → `docs/plans/archive/custom-cert-upload-management-spec-2026-05-02.md` +**Archived Previous Plan**: Coverage Improvement Plan (patch coverage ≥ 90%) → `docs/plans/archive/patch-coverage-improvement-plan-2026-05-02.md` --- ## 1. Introduction -This plan identifies exact uncovered branches across the six highest-gap backend source files and two frontend components, and specifies new test cases to close those gaps. The target is to raise overall patch coverage from **85.61% (206 missing lines)** to **≥ 90%**. +### 1.1 Overview -**Constraints**: -- No source file modifications — test files only -- Go tests placed in `*_patch_coverage_test.go` (same package as source) -- Frontend tests extend existing `__tests__/*.test.tsx` files -- Use testify (Go) and Vitest + React Testing Library (frontend) +CrowdSec enforces IP ban decisions by default. Operators need a way to permanently exempt known-good IPs (uptime monitors, internal subnets, VPN exits, partners) from ever being banned. CrowdSec handles this through its `whitelists` parser, which intercepts alert evaluation and suppresses bans for matching IPs/CIDRs before decisions are even written. + +This feature gives Charon operators a first-class UI for managing those whitelist entries: add an IP or CIDR, give it a reason, and have Charon persist it in the database, render the required YAML parser file into the CrowdSec config tree, and signal CrowdSec to reload—all without manual file editing. + +### 1.2 Objectives + +- Allow operators to add, view, and remove CrowdSec whitelist entries (IPs and CIDRs) through the Charon management UI. +- Persist entries in SQLite so they survive container restarts. +- Generate a `crowdsecurity/whitelists`-compatible YAML parser file on every mutating operation and on startup. +- Automatically install the `crowdsecurity/whitelists` hub parser so CrowdSec can process the file. +- Show the Whitelist tab only when CrowdSec is in `local` mode, consistent with other CrowdSec-only tabs. --- ## 2. Research Findings -### 2.1 Coverage Gap Summary +### 2.1 Existing CrowdSec Architecture -| Package | File | Missing Lines | Current Coverage | +| Component | Location | Notes | +|---|---|---| +| Hub parser installer | `configs/crowdsec/install_hub_items.sh` | Run at container start; uses `cscli parsers install --force` | +| CrowdSec handler | `backend/internal/api/handlers/crowdsec_handler.go` | ~2750 LOC; `RegisterRoutes` at L2704 | +| Route registration | `backend/internal/api/routes/routes.go` | `crowdsecHandler.RegisterRoutes(management)` at ~L620 | +| CrowdSec startup | `backend/internal/services/crowdsec_startup.go` | `ReconcileCrowdSecOnStartup()` runs before process start | +| Security config | `backend/internal/models/security_config.go` | `CrowdSecMode`, `CrowdSecConfigDir` (via `cfg.Security.CrowdSecConfigDir`) | +| IP/CIDR helper | `backend/internal/security/whitelist.go` | `IsIPInCIDRList()` using `net.ParseIP` / `net.ParseCIDR` | +| AutoMigrate | `routes.go` ~L95–125 | `&models.ManualChallenge{}` is currently the last entry | + +### 2.2 Gap Analysis + +- `crowdsecurity/whitelists` hub parser is **not** installed by `install_hub_items.sh` — the YAML file would be ignored by CrowdSec without it. +- No `CrowdSecWhitelist` model exists in `backend/internal/models/`. +- No whitelist service, handler methods, or API routes exist. +- No frontend tab, API client functions, or TanStack Query hooks exist. +- No E2E test spec covers whitelist management. + +### 2.3 Relevant Patterns + +**Model pattern** (from `access_list.go` + `security_config.go`): +```go +type Model struct { + ID uint `json:"-" gorm:"primaryKey"` + UUID string `json:"uuid" gorm:"uniqueIndex;not null"` + // domain fields + CreatedAt time.Time `json:"created_at"` + UpdatedAt time.Time `json:"updated_at"` +} +``` + +**Service pattern** (from `access_list_service.go`): +```go +var ErrXxxNotFound = errors.New("xxx not found") + +type XxxService struct { db *gorm.DB } + +func NewXxxService(db *gorm.DB) *XxxService { return &XxxService{db: db} } +``` + +**Handler error response pattern** (from `crowdsec_handler.go`): +```go +c.JSON(http.StatusBadRequest, gin.H{"error": "..."}) +c.JSON(http.StatusNotFound, gin.H{"error": "..."}) +c.JSON(http.StatusInternalServerError, gin.H{"error": "..."}) +``` + +**Frontend API client pattern** (from `frontend/src/api/crowdsec.ts`): +```typescript +export const listXxx = async (): Promise => { + const resp = await client.get('/admin/crowdsec/xxx') + return resp.data +} +``` + +**Frontend mutation pattern** (from `CrowdSecConfig.tsx`): +```typescript +const mutation = useMutation({ + mutationFn: (data) => apiCall(data), + onSuccess: () => { + toast.success('...') + queryClient.invalidateQueries({ queryKey: ['crowdsec-whitelist'] }) + }, + onError: (err) => toast.error(err instanceof Error ? err.message : '...'), +}) +``` + +### 2.4 CrowdSec Whitelist YAML Format + +CrowdSec's `crowdsecurity/whitelists` parser expects the following YAML structure at a path under the `parsers/s02-enrich/` directory: + +```yaml +name: charon-whitelist +description: "Charon-managed IP/CIDR whitelist" +filter: "evt.Meta.service == 'http'" +whitelist: + reason: "Charon managed whitelist" + ip: + - "1.2.3.4" + cidr: + - "10.0.0.0/8" + - "192.168.0.0/16" +``` + +For an empty whitelist, both `ip` and `cidr` must be present as empty lists (not omitted) to produce valid YAML that CrowdSec can parse without error. + +--- + +## 3. Technical Specifications + +### 3.1 Database Schema + +**New model**: `backend/internal/models/crowdsec_whitelist.go` + +```go +package models + +import "time" + +// CrowdSecWhitelist represents a single IP or CIDR exempted from CrowdSec banning. +type CrowdSecWhitelist struct { + ID uint `json:"-" gorm:"primaryKey"` + UUID string `json:"uuid" gorm:"uniqueIndex;not null"` + IPOrCIDR string `json:"ip_or_cidr" gorm:"not null;uniqueIndex"` + Reason string `json:"reason" gorm:"not null;default:''"` + CreatedAt time.Time `json:"created_at"` + UpdatedAt time.Time `json:"updated_at"` +} +``` + +**AutoMigrate registration** (`backend/internal/api/routes/routes.go`, append after `&models.ManualChallenge{}`): +```go +&models.CrowdSecWhitelist{}, +``` + +### 3.2 API Design + +All new endpoints live under the existing `/api/v1` prefix and are registered inside `CrowdsecHandler.RegisterRoutes(rg *gin.RouterGroup)`, following the same `rg.METHOD("/admin/crowdsec/...")` naming pattern as every other CrowdSec endpoint. + +#### Endpoint Table + +| Method | Path | Auth | Description | |---|---|---|---| -| `handlers` | `certificate_handler.go` | ~54 | 70.28% | -| `services` | `certificate_service.go` | ~54 | 82.85% | -| `services` | `certificate_validator.go` | ~18 | 88.68% | -| `handlers` | `proxy_host_handler.go` | ~12 | 55.17% | -| `config` | `config.go` | ~8 | ~92% | -| `caddy` | `manager.go` | ~10 | ~88% | -| Frontend | `CertificateList.tsx` | moderate | — | -| Frontend | `CertificateUploadDialog.tsx` | moderate | — | - -### 2.2 Test Infrastructure (Confirmed) - -- **In-memory DB**: `gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{})` -- **Mock auth**: `mockAuthMiddleware()` from `coverage_helpers_test.go` -- **Mock backup service**: `&mockBackupService{createFunc: ..., availableSpaceFunc: ...}` -- **Manager test hooks**: package-level `generateConfigFunc`, `validateConfigFunc`, `writeFileFunc` vars with `defer` restore pattern -- **Frontend mocks**: `vi.mock('../../hooks/...', ...)` and `vi.mock('react-i18next', ...)` - -### 2.3 Existing Patch Test Files - -| File | Existing Tests | -|---|---| -| `certificate_handler_patch_coverage_test.go` | `TestDelete_UUID_WithBackup_Success`, `_NotFound`, `_InUse` | -| `certificate_service_patch_coverage_test.go` | `TestExportCertificate_DER`, `_PFX`, `_P12`, `_UnsupportedFormat` | -| `certificate_validator_extra_coverage_test.go` | ECDSA/Ed25519 key match, `ConvertDERToPEM` valid/invalid | -| `manager_patch_coverage_test.go` | DNS provider encryption key paths | -| `proxy_host_handler_test.go` | Full CRUD + BulkUpdateACL + BulkUpdateSecurityHeaders | -| `proxy_host_handler_update_test.go` | Update edge cases, `ParseForwardPortField`, `ParseNullableUintField` | - ---- - -## 3. Technical Specifications — Per-File Gap Analysis - -### 3.1 `certificate_handler.go` — Export Re-Auth Path (~18 lines) - -The `Export` handler re-authenticates the user when `include_key=true`. All six guard branches are uncovered. - -**Gap location**: Lines ~260–320 (password empty check, `user` context key extraction, `map[string]any` cast, `id` field lookup, DB user lookup, bcrypt check) - -**New tests** (append to `certificate_handler_patch_coverage_test.go`): - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestExport_IncludeKey_MissingPassword` | POST with `include_key=true`, no `password` field | 403 | -| `TestExport_IncludeKey_NoUserContext` | No `"user"` key in gin context | 403 | -| `TestExport_IncludeKey_InvalidClaimsType` | `"user"` set to a plain string | 403 | -| `TestExport_IncludeKey_UserIDNotInClaims` | `user = map[string]any{}` with no `"id"` key | 403 | -| `TestExport_IncludeKey_UserNotFoundInDB` | Valid claims, no matching user row | 403 | -| `TestExport_IncludeKey_WrongPassword` | User in DB, wrong plaintext password submitted | 403 | - -### 3.2 `certificate_handler.go` — Export Service Errors (~4 lines) - -**Gap location**: After `ExportCertificate` call — ErrCertNotFound and generic error branches - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestExport_CertNotFound` | Unknown UUID | 404 | -| `TestExport_ServiceError` | Service returns non-not-found error | 500 | - -### 3.3 `certificate_handler.go` — Delete Numeric-ID Error Paths (~12 lines) - -**Gap location**: `IsCertificateInUse` error, disk space check, backup error, `DeleteCertificateByID` returning `ErrCertInUse` or generic error - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestDelete_NumericID_UsageCheckError` | `IsCertificateInUse` returns error | 500 | -| `TestDelete_NumericID_LowDiskSpace` | `availableSpaceFunc` returns 0 | 507 | -| `TestDelete_NumericID_BackupError` | `createFunc` returns error | 500 | -| `TestDelete_NumericID_CertInUse_FromService` | `DeleteCertificateByID` → `ErrCertInUse` | 409 | -| `TestDelete_NumericID_DeleteError` | `DeleteCertificateByID` → generic error | 500 | - -### 3.4 `certificate_handler.go` — Delete UUID Additional Error Paths (~8 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestDelete_UUID_UsageCheckInternalError` | `IsCertificateInUseByUUID` returns non-ErrCertNotFound error | 500 | -| `TestDelete_UUID_LowDiskSpace` | `availableSpaceFunc` returns 0 | 507 | -| `TestDelete_UUID_BackupCreationError` | `createFunc` returns error | 500 | -| `TestDelete_UUID_CertInUse_FromService` | `DeleteCertificate` → `ErrCertInUse` | 409 | - -### 3.5 `certificate_handler.go` — Upload/Validate File Open Errors (~8 lines) - -**Gap location**: `file.Open()` calls on multipart key and chain form files returning errors - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestUpload_KeyFile_OpenError` | Valid cert file, malformed key multipart entry | 500 | -| `TestUpload_ChainFile_OpenError` | Valid cert+key, malformed chain multipart entry | 500 | -| `TestValidate_KeyFile_OpenError` | Valid cert, malformed key multipart entry | 500 | -| `TestValidate_ChainFile_OpenError` | Valid cert+key, malformed chain multipart entry | 500 | - -### 3.6 `certificate_handler.go` — `sendDeleteNotification` Rate-Limit (~2 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestSendDeleteNotification_RateLimit` | Call `sendDeleteNotification` twice within 10-second window | Second call is a no-op | - ---- - -### 3.7 `certificate_service.go` — `SyncFromDisk` Branches (~14 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestSyncFromDisk_StagingToProductionUpgrade` | DB has staging cert, disk has production cert for same domain | DB cert updated to production provider | -| `TestSyncFromDisk_ExpiryOnlyUpdate` | Disk cert content matches DB cert, only expiry changed | Only `expires_at` column updated | -| `TestSyncFromDisk_CertRootStatPermissionError` | `os.Chmod(certRoot, 0)` before sync; add skip guard `if os.Getuid() == 0 { t.Skip("chmod permission test cannot run as root") }` | No panic; logs error; function completes | - -### 3.8 `certificate_service.go` — `ListCertificates` Background Goroutine (~4 lines) - -**Gap location**: `initialized=true` && TTL expired path → spawns background goroutine - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestListCertificates_StaleCache_TriggersBackgroundSync` | `initialized=true`, `lastScan` = 10 min ago | Returns cached list without blocking; background sync completes | - -*Use `require.Eventually(t, func() bool { return svc.lastScan.After(before) }, 2*time.Second, 10*time.Millisecond, "background sync did not update lastScan")` after the call — avoids flaky fixed sleeps.* - -### 3.9 `certificate_service.go` — `GetDecryptedPrivateKey` Nil encSvc and Decrypt Failure (~4 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestGetDecryptedPrivateKey_NoEncSvc` | Service with `nil` encSvc, cert has non-empty `PrivateKeyEncrypted` | Returns error | -| `TestGetDecryptedPrivateKey_DecryptFails` | encSvc configured, corrupted ciphertext in DB | Returns wrapped error | - -### 3.10 `certificate_service.go` — `MigratePrivateKeys` Branches (~6 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestMigratePrivateKeys_NoEncSvc` | `encSvc == nil` | Returns nil; logs warning | -| `TestMigratePrivateKeys_WithRows` | DB has cert with `private_key` populated, valid encSvc | Row migrated: `private_key` cleared, `private_key_enc` set | - -### 3.11 `certificate_service.go` — `UpdateCertificate` Errors (~4 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestUpdateCertificate_NotFound` | Non-existent UUID | Returns `ErrCertNotFound` | -| `TestUpdateCertificate_DBSaveError` | Valid UUID, DB closed before Save | Returns wrapped error | - -### 3.12 `certificate_service.go` — `DeleteCertificate` ACME File Cleanup (~8 lines) - -**Gap location**: `cert.Provider == "letsencrypt"` branch → Walk certRoot and remove `.crt`/`.key`/`.json` files - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestDeleteCertificate_LetsEncryptProvider_FileCleanup` | Create temp `.crt` matching cert domain, delete cert | `.crt` removed from disk | -| `TestDeleteCertificate_StagingProvider_FileCleanup` | Provider = `"letsencrypt-staging"` | Same cleanup behavior triggered | - -### 3.13 `certificate_service.go` — `CheckExpiringCertificates` (~8 lines) - -**Implementation** (lines ~966–1020): queries `provider = 'custom'` certs expiring before `threshold`, iterates and sends notification for certs with `daysLeft <= warningDays`. - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestCheckExpiringCertificates_ExpiresInRange` | Custom cert `expires_at = now+5d`, warningDays=30 | Returns slice with 1 cert | -| `TestCheckExpiringCertificates_AlreadyExpired` | Custom cert `expires_at = yesterday` | Result contains cert with negative days | -| `TestCheckExpiringCertificates_DBError` | DB closed before query | Returns error | - ---- - -### 3.14 `certificate_validator.go` — `DetectFormat` Password-Protected PFX (~2 lines) - -**Gap location**: PFX where `pkcs12.DecodeAll("")` fails but first byte is `0x30` (ASN.1 SEQUENCE), DER parse also fails → returns `FormatPFX` - -**New file**: `certificate_validator_patch_coverage_test.go` - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestDetectFormat_PasswordProtectedPFX` | Generate PFX with non-empty password, call `DetectFormat` | Returns `FormatPFX` | - -### 3.15 `certificate_validator.go` — `parsePEMPrivateKey` Additional Block Types (~4 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestParsePEMPrivateKey_PKCS1RSA` | PEM block type `"RSA PRIVATE KEY"` (x509.MarshalPKCS1PrivateKey) | Returns RSA key | -| `TestParsePEMPrivateKey_EC` | PEM block type `"EC PRIVATE KEY"` (x509.MarshalECPrivateKey) | Returns ECDSA key | - -### 3.16 `certificate_validator.go` — `detectKeyType` P-384 and Unknown Curves (~4 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestDetectKeyType_ECDSAP384` | P-384 ECDSA key | Returns `"ECDSA-P384"` | -| `TestDetectKeyType_ECDSAUnknownCurve` | ECDSA key with custom/unknown curve (e.g. P-224) | Returns `"ECDSA"` | - -### 3.17 `certificate_validator.go` — `ConvertPEMToPFX` Empty Chain (~2 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestConvertPEMToPFX_EmptyChain` | Valid cert+key PEM, empty chain string | Returns PFX bytes without error | - -### 3.18 `certificate_validator.go` — `ConvertPEMToDER` Non-Certificate Block (~2 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestConvertPEMToDER_NonCertBlock` | PEM block type `"PRIVATE KEY"` | Returns nil data and error | - -### 3.19 `certificate_validator.go` — `formatSerial` Nil BigInt (~2 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestFormatSerial_Nil` | `formatSerial(nil)` | Returns `""` | - ---- - -### 3.20 `proxy_host_handler.go` — `generateForwardHostWarnings` Private IP (~2 lines) - -**Gap location**: `net.ParseIP(forwardHost) != nil && network.IsPrivateIP(ip)` branch (non-Docker private IP) - -**New file**: `proxy_host_handler_patch_coverage_test.go` - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestGenerateForwardHostWarnings_PrivateIP` | forwardHost = `"192.168.1.100"` (RFC-1918, non-Docker) | Returns warning with field `"forward_host"` | - -### 3.21 `proxy_host_handler.go` — `BulkUpdateSecurityHeaders` Edge Cases (~4 lines) - -| Test Name | Scenario | Expected | -|---|---|---| -| `TestBulkUpdateSecurityHeaders_AllFail_Rollback` | All UUIDs not found → `updated == 0` at end | 400, transaction rolled back | -| `TestBulkUpdateSecurityHeaders_ProfileDB_NonNotFoundError` | Profile lookup returns wrapped DB error | 500 | - ---- - -### 3.22 Frontend: `CertificateList.tsx` — Untested Branches - -**File**: `frontend/src/components/__tests__/CertificateList.test.tsx` - -| Gap | New Test | -|---|---| -| `bulkDeleteMutation` success | `'calls bulkDeleteMutation.mutate with selected UUIDs on confirm'` | -| `bulkDeleteMutation` error | `'shows error toast on bulk delete failure'` | -| Sort direction toggle | `'toggles sort direction when same column clicked twice'` | -| `selectedIds` reconciliation | `'reconciles selectedIds when certificate list shrinks'` | -| Export dialog open | `'opens export dialog when export button clicked'` | - -### 3.23 Frontend: `CertificateUploadDialog.tsx` — Untested Branches - -**File**: `frontend/src/components/dialogs/__tests__/CertificateUploadDialog.test.tsx` - -| Gap | New Test | -|---|---| -| PFX hides key/chain zones | `'hides key and chain file inputs when PFX file selected'` | -| Upload success closes dialog | `'calls onOpenChange(false) on successful upload'` | -| Upload error shows toast | `'shows error toast when upload mutation fails'` | -| Validate result shown | `'displays validation result after validate clicked'` | +| `GET` | `/api/v1/admin/crowdsec/whitelist` | Management | List all whitelist entries | +| `POST` | `/api/v1/admin/crowdsec/whitelist` | Management | Add a new entry | +| `DELETE` | `/api/v1/admin/crowdsec/whitelist/:uuid` | Management | Remove an entry by UUID | + +#### `GET /admin/crowdsec/whitelist` + +**Response 200**: +```json +{ + "whitelist": [ + { + "uuid": "a1b2c3d4-...", + "ip_or_cidr": "10.0.0.0/8", + "reason": "Internal subnet", + "created_at": "2026-05-20T12:00:00Z", + "updated_at": "2026-05-20T12:00:00Z" + } + ] +} +``` + +#### `POST /admin/crowdsec/whitelist` + +**Request body**: +```json +{ "ip_or_cidr": "10.0.0.0/8", "reason": "Internal subnet" } +``` + +**Response 201**: +```json +{ + "uuid": "a1b2c3d4-...", + "ip_or_cidr": "10.0.0.0/8", + "reason": "Internal subnet", + "created_at": "...", + "updated_at": "..." +} +``` + +**Error responses**: +- `400` — missing/invalid `ip_or_cidr` field, unparseable IP/CIDR +- `409` — duplicate entry (same `ip_or_cidr` already exists) +- `500` — database or YAML write failure + +#### `DELETE /admin/crowdsec/whitelist/:uuid` + +**Response 204** — no body + +**Error responses**: +- `404` — entry not found +- `500` — database or YAML write failure + +### 3.3 Service Design + +**New file**: `backend/internal/services/crowdsec_whitelist_service.go` + +```go +package services + +import ( + "context" + "errors" + "net" + "os" + "path/filepath" + "text/template" + + "github.com/google/uuid" + "gorm.io/gorm" + + "github.com/yourusername/charon/backend/internal/models" + "github.com/yourusername/charon/backend/internal/logger" +) + +var ( + ErrWhitelistNotFound = errors.New("whitelist entry not found") + ErrInvalidIPOrCIDR = errors.New("invalid IP address or CIDR notation") + ErrDuplicateEntry = errors.New("whitelist entry already exists") +) + +type CrowdSecWhitelistService struct { + db *gorm.DB + dataDir string +} + +func NewCrowdSecWhitelistService(db *gorm.DB, dataDir string) *CrowdSecWhitelistService { + return &CrowdSecWhitelistService{db: db, dataDir: dataDir} +} + +// List returns all whitelist entries ordered by creation time. +func (s *CrowdSecWhitelistService) List(ctx context.Context) ([]models.CrowdSecWhitelist, error) { ... } + +// Add validates, persists, and regenerates the YAML file. +func (s *CrowdSecWhitelistService) Add(ctx context.Context, ipOrCIDR, reason string) (*models.CrowdSecWhitelist, error) { ... } + +// Delete removes an entry by UUID and regenerates the YAML file. +func (s *CrowdSecWhitelistService) Delete(ctx context.Context, uuid string) error { ... } + +// WriteYAML renders all current entries to /parsers/s02-enrich/charon-whitelist.yaml +func (s *CrowdSecWhitelistService) WriteYAML(ctx context.Context) error { ... } +``` + +**Validation logic** in `Add()`: +1. Trim whitespace from `ipOrCIDR`. +2. Attempt `net.ParseIP(ipOrCIDR)` — if non-nil, it's a bare IP ✓ +3. Attempt `net.ParseCIDR(ipOrCIDR)` — if `err == nil`, it's a valid CIDR ✓; normalize host bits immediately: `ipOrCIDR = network.String()` (e.g., `"10.0.0.1/8"` → `"10.0.0.0/8"`). +4. If both fail → return `ErrInvalidIPOrCIDR` +5. Attempt DB insert; if GORM unique constraint error → return `ErrDuplicateEntry` +6. On success → call `WriteYAML(ctx)` (non-fatal on YAML error: log + return original entry) + +> **Note**: `Add()` and `Delete()` do **not** call `cscli hub reload`. Reload is the caller's responsibility (handled in `CrowdsecHandler.AddWhitelist` and `DeleteWhitelist` via `h.CmdExec`). + +**CIDR normalization snippet** (step 3): +```go +if ip, network, err := net.ParseCIDR(ipOrCIDR); err == nil { + _ = ip + ipOrCIDR = network.String() // normalizes "10.0.0.1/8" → "10.0.0.0/8" +} +``` + +**YAML generation** in `WriteYAML()`: + +Guard: if `s.dataDir == ""`, return `nil` immediately (no-op — used in unit tests that don't need file I/O). + +```go +const whitelistTmpl = `name: charon-whitelist +description: "Charon-managed IP/CIDR whitelist" +filter: "evt.Meta.service == 'http'" +whitelist: + reason: "Charon managed whitelist" + ip: +{{- range .IPs}} + - "{{.}}" +{{- end}} +{{- if not .IPs}} + [] +{{- end}} + cidr: +{{- range .CIDRs}} + - "{{.}}" +{{- end}} +{{- if not .CIDRs}} + [] +{{- end}} +` +``` + +Target file path: `/config/parsers/s02-enrich/charon-whitelist.yaml` + +Directory created with `os.MkdirAll(..., 0o750)` if absent. + +File written atomically: render to `.tmp` → `os.Rename(tmp, path)`. + +### 3.4 Handler Design + +**Additions to `CrowdsecHandler` struct**: +```go +type CrowdsecHandler struct { + // ... existing fields ... + WhitelistSvc *services.CrowdSecWhitelistService // NEW +} +``` + +**`NewCrowdsecHandler` constructor** — initialize `WhitelistSvc`: +```go +h := &CrowdsecHandler{ + // ... existing assignments ... +} +if db != nil { + h.WhitelistSvc = services.NewCrowdSecWhitelistService(db, dataDir) +} +return h +``` + +**Three new methods on `CrowdsecHandler`**: + +```go +// ListWhitelists handles GET /admin/crowdsec/whitelist +func (h *CrowdsecHandler) ListWhitelists(c *gin.Context) { + entries, err := h.WhitelistSvc.List(c.Request.Context()) + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list whitelist entries"}) + return + } + c.JSON(http.StatusOK, gin.H{"whitelist": entries}) +} + +// AddWhitelist handles POST /admin/crowdsec/whitelist +func (h *CrowdsecHandler) AddWhitelist(c *gin.Context) { + var req struct { + IPOrCIDR string `json:"ip_or_cidr" binding:"required"` + Reason string `json:"reason"` + } + if err := c.ShouldBindJSON(&req); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": "ip_or_cidr is required"}) + return + } + entry, err := h.WhitelistSvc.Add(c.Request.Context(), req.IPOrCIDR, req.Reason) + if errors.Is(err, services.ErrInvalidIPOrCIDR) { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + return + } + if errors.Is(err, services.ErrDuplicateEntry) { + c.JSON(http.StatusConflict, gin.H{"error": err.Error()}) + return + } + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to add whitelist entry"}) + return + } + // Reload CrowdSec so the new entry takes effect immediately (non-fatal). + if reloadErr := h.CmdExec.Execute("cscli", "hub", "reload"); reloadErr != nil { + logger.Log().WithError(reloadErr).Warn("failed to reload CrowdSec after whitelist add (non-fatal)") + } + c.JSON(http.StatusCreated, entry) +} + +// DeleteWhitelist handles DELETE /admin/crowdsec/whitelist/:uuid +func (h *CrowdsecHandler) DeleteWhitelist(c *gin.Context) { + id := strings.TrimSpace(c.Param("uuid")) + if id == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "uuid required"}) + return + } + err := h.WhitelistSvc.Delete(c.Request.Context(), id) + if errors.Is(err, services.ErrWhitelistNotFound) { + c.JSON(http.StatusNotFound, gin.H{"error": "whitelist entry not found"}) + return + } + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to delete whitelist entry"}) + return + } + // Reload CrowdSec so the removed entry is no longer exempt (non-fatal). + if reloadErr := h.CmdExec.Execute("cscli", "hub", "reload"); reloadErr != nil { + logger.Log().WithError(reloadErr).Warn("failed to reload CrowdSec after whitelist delete (non-fatal)") + } + c.Status(http.StatusNoContent) +} +``` + +**Route registration** (append inside `RegisterRoutes`, after existing decision/bouncer routes): +```go +// Whitelist management +rg.GET("/admin/crowdsec/whitelist", h.ListWhitelists) +rg.POST("/admin/crowdsec/whitelist", h.AddWhitelist) +rg.DELETE("/admin/crowdsec/whitelist/:uuid", h.DeleteWhitelist) +``` + +### 3.5 Startup Integration + +**File**: `backend/internal/services/crowdsec_startup.go` + +In `ReconcileCrowdSecOnStartup()`, before the CrowdSec process is started: + +```go +// Regenerate whitelist YAML to ensure it reflects the current DB state. +whitelistSvc := NewCrowdSecWhitelistService(db, dataDir) +if err := whitelistSvc.WriteYAML(ctx); err != nil { + logger.Log().WithError(err).Warn("failed to write CrowdSec whitelist YAML on startup (non-fatal)") +} +``` + +This is **non-fatal**: if the DB has no entries, WriteYAML still writes an empty whitelist file, which is valid. + +### 3.6 Hub Parser Installation + +**File**: `configs/crowdsec/install_hub_items.sh` + +Add after the existing `cscli parsers install` lines: + +```bash +cscli parsers install crowdsecurity/whitelists --force || echo "⚠️ Failed to install crowdsecurity/whitelists" +``` + +### 3.7 Frontend Design + +#### API Client (`frontend/src/api/crowdsec.ts`) + +Append the following types and functions: + +```typescript +export interface CrowdSecWhitelistEntry { + uuid: string + ip_or_cidr: string + reason: string + created_at: string + updated_at: string +} + +export interface AddWhitelistPayload { + ip_or_cidr: string + reason: string +} + +export const listWhitelists = async (): Promise => { + const resp = await client.get<{ whitelist: CrowdSecWhitelistEntry[] }>('/admin/crowdsec/whitelist') + return resp.data.whitelist +} + +export const addWhitelist = async (data: AddWhitelistPayload): Promise => { + const resp = await client.post('/admin/crowdsec/whitelist', data) + return resp.data +} + +export const deleteWhitelist = async (uuid: string): Promise => { + await client.delete(`/admin/crowdsec/whitelist/${uuid}`) +} +``` + +#### TanStack Query Hooks (`frontend/src/hooks/useCrowdSecWhitelist.ts`) + +```typescript +import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query' +import { listWhitelists, addWhitelist, deleteWhitelist, AddWhitelistPayload } from '../api/crowdsec' +import { toast } from 'sonner' + +export const useWhitelistEntries = () => + useQuery({ + queryKey: ['crowdsec-whitelist'], + queryFn: listWhitelists, + }) + +export const useAddWhitelist = () => { + const queryClient = useQueryClient() + return useMutation({ + mutationFn: (data: AddWhitelistPayload) => addWhitelist(data), + onSuccess: () => { + toast.success('Whitelist entry added') + queryClient.invalidateQueries({ queryKey: ['crowdsec-whitelist'] }) + }, + onError: (err: unknown) => { + toast.error(err instanceof Error ? err.message : 'Failed to add whitelist entry') + }, + }) +} + +export const useDeleteWhitelist = () => { + const queryClient = useQueryClient() + return useMutation({ + mutationFn: (uuid: string) => deleteWhitelist(uuid), + onSuccess: () => { + toast.success('Whitelist entry removed') + queryClient.invalidateQueries({ queryKey: ['crowdsec-whitelist'] }) + }, + onError: (err: unknown) => { + toast.error(err instanceof Error ? err.message : 'Failed to remove whitelist entry') + }, + }) +} +``` + +#### CrowdSecConfig.tsx Changes + +The `CrowdSecConfig.tsx` page uses a tab navigation pattern. The new "Whitelist" tab: + +1. **Visibility**: Only render the tab when `isLocalMode === true` (same guard as Decisions tab). +2. **Tab value**: `"whitelist"` — append to the existing tab list. +3. **Tab panel content** (isolated component or inline JSX): + - **Add entry form**: `ip_or_cidr` text input + `reason` text input + "Add" button (disabled while `addMutation.isPending`). Validation error shown inline when backend returns 400/409. + - **Quick-add current IP**: A secondary "Add My IP" button that calls `GET /api/v1/system/my-ip` (existing endpoint) and pre-fills the `ip_or_cidr` field with the returned IP. + - **Entries table**: Columns — IP/CIDR, Reason, Added, Actions. Each row has a delete button with a confirmation dialog (matching the ban/unban modal pattern used for Decisions). + - **Empty state**: "No whitelist entries" message when the list is empty. + - **Loading state**: Skeleton rows while `useWhitelistEntries` is fetching. + +**Imports added to `CrowdSecConfig.tsx`**: +```typescript +import { useWhitelistEntries, useAddWhitelist, useDeleteWhitelist } from '../hooks/useCrowdSecWhitelist' +``` + +### 3.8 Data Flow Diagram + +``` +Operator adds IP in UI + │ + ▼ +POST /api/v1/admin/crowdsec/whitelist + │ + ▼ +CrowdsecHandler.AddWhitelist() + │ + ▼ +CrowdSecWhitelistService.Add() + ├── Validate IP/CIDR (net.ParseIP / net.ParseCIDR) + ├── Normalize CIDR host bits (network.String()) + ├── Insert into SQLite (models.CrowdSecWhitelist) + └── WriteYAML() → /config/parsers/s02-enrich/charon-whitelist.yaml + │ + ▼ +h.CmdExec.Execute("cscli", "hub", "reload") [non-fatal on error] + │ + ▼ +Return 201 to frontend + │ + ▼ +invalidateQueries(['crowdsec-whitelist']) + │ + ▼ +Table re-fetches and shows new entry +``` + +``` +Container restart + │ + ▼ +ReconcileCrowdSecOnStartup() + │ + ▼ +CrowdSecWhitelistService.WriteYAML() + └── Reads all DB entries → renders YAML + │ + ▼ +CrowdSec process starts + │ + ▼ +CrowdSec loads parsers/s02-enrich/charon-whitelist.yaml + └── crowdsecurity/whitelists parser activates + │ + ▼ +IPs/CIDRs in file are exempt from all ban decisions +``` + +### 3.9 Error Handling Matrix + +| Scenario | Service Error | HTTP Status | Frontend Behavior | +|---|---|---|---| +| Blank `ip_or_cidr` | — | 400 | Inline validation (required field) | +| Malformed IP/CIDR | `ErrInvalidIPOrCIDR` | 400 | Toast: "Invalid IP address or CIDR notation" | +| Duplicate entry | `ErrDuplicateEntry` | 409 | Toast: "This IP/CIDR is already whitelisted" | +| DB unavailable | generic error | 500 | Toast: "Failed to add whitelist entry" | +| UUID not found on DELETE | `ErrWhitelistNotFound` | 404 | Toast: "Whitelist entry not found" | +| YAML write failure | logged, non-fatal | 201 (Add still succeeds) | No user-facing error; log warning | +| CrowdSec reload failure | logged, non-fatal | 201/204 (operation still succeeds) | No user-facing error; log warning | + +### 3.10 Security Considerations + +- **Input validation**: All `ip_or_cidr` values are validated server-side with `net.ParseIP` / `net.ParseCIDR` before persisting. Arbitrary strings are rejected. +- **Path traversal**: `WriteYAML` constructs the output path via `filepath.Join(s.dataDir, "config", "parsers", "s02-enrich", "charon-whitelist.yaml")`. `dataDir` is set at startup—not user-supplied at request time. +- **Privilege**: All three endpoints require management-level access (same as all other CrowdSec endpoints). +- **YAML injection**: Values are rendered through Go's `text/template` with explicit quoting of each entry; no raw string concatenation. +- **Log safety**: IPs are logged using the same structured field pattern used in existing CrowdSec handler methods (e.g., `logger.Log().WithField("ip", entry.IPOrCIDR).Info(...)`). --- ## 4. Implementation Plan -### Phase 1: Playwright Smoke Tests (Acceptance Gating) +### Phase 1 — Hub Parser Installation (Groundwork) -Add smoke coverage to confirm certificate export and delete flows reach the backend. +**Files Changed**: +- `configs/crowdsec/install_hub_items.sh` -**File**: `tests/certificate-coverage-smoke.spec.ts` +**Task 1.1**: Add `cscli parsers install crowdsecurity/whitelists --force` after the last parser install line (currently `crowdsecurity/syslog-logs`). + +**Acceptance**: File change is syntactically valid bash; `shellcheck` passes. + +--- + +### Phase 2 — Database Model + +**Files Changed**: +- `backend/internal/models/crowdsec_whitelist.go` _(new file)_ +- `backend/internal/api/routes/routes.go` _(append to AutoMigrate call)_ + +**Task 2.1**: Create `crowdsec_whitelist.go` with the `CrowdSecWhitelist` struct per §3.1. + +**Task 2.2**: Append `&models.CrowdSecWhitelist{}` to the `db.AutoMigrate(...)` call in `routes.go`. + +**Validation Gate**: `go build ./backend/...` passes; GORM generates `crowdsec_whitelists` table on next startup. + +--- + +### Phase 3 — Whitelist Service + +**Files Changed**: +- `backend/internal/services/crowdsec_whitelist_service.go` _(new file)_ + +**Task 3.1**: Implement `CrowdSecWhitelistService` with `List`, `Add`, `Delete`, `WriteYAML` per §3.3. + +**Task 3.2**: Implement IP/CIDR validation in `Add()`: +- `net.ParseIP(ipOrCIDR) != nil` → valid bare IP +- `net.ParseCIDR(ipOrCIDR)` returns no error → valid CIDR +- Both fail → `ErrInvalidIPOrCIDR` + +**Task 3.3**: Implement `WriteYAML()`: +- Query all entries from DB. +- Partition into `ips` (bare IPs) and `cidrs` (CIDR notation) slices. +- Render template per §2.4. +- Atomic write: temp file → `os.Rename`. +- Create directory (`os.MkdirAll`) if not present. + +**Validation Gate**: `go test ./backend/internal/services/... -run TestCrowdSecWhitelist` passes. + +--- + +### Phase 4 — API Endpoints + +**Files Changed**: +- `backend/internal/api/handlers/crowdsec_handler.go` + +**Task 4.1**: Add `WhitelistSvc *services.CrowdSecWhitelistService` field to `CrowdsecHandler` struct. + +**Task 4.2**: Initialize `WhitelistSvc` in `NewCrowdsecHandler()` when `db != nil`. + +**Task 4.3**: Implement `ListWhitelists`, `AddWhitelist`, `DeleteWhitelist` methods per §3.4. + +**Task 4.4**: Register three routes in `RegisterRoutes()` per §3.4. + +**Task 4.5**: In `AddWhitelist` and `DeleteWhitelist`, after the service call returns without error, call `h.CmdExec.Execute("cscli", "hub", "reload")`. Log a warning on failure; do not change the HTTP response status (reload failure is non-fatal). + +**Validation Gate**: `go test ./backend/internal/api/handlers/... -run TestWhitelist` passes; `make lint-fast` clean. + +--- + +### Phase 5 — Startup Integration + +**Files Changed**: +- `backend/internal/services/crowdsec_startup.go` + +**Task 5.1**: In `ReconcileCrowdSecOnStartup()`, after the DB and config are loaded but before calling `h.Executor.Start()`, instantiate `CrowdSecWhitelistService` and call `WriteYAML(ctx)`. Log warning on error; do not abort startup. + +**Validation Gate**: `go test ./backend/internal/services/... -run TestReconcile` passes; existing reconcile tests still pass. + +--- + +### Phase 6 — Frontend API + Hooks + +**Files Changed**: +- `frontend/src/api/crowdsec.ts` +- `frontend/src/hooks/useCrowdSecWhitelist.ts` _(new file)_ + +**Task 6.1**: Add `CrowdSecWhitelistEntry`, `AddWhitelistPayload` types and `listWhitelists`, `addWhitelist`, `deleteWhitelist` functions to `crowdsec.ts` per §3.7. + +**Task 6.2**: Create `useCrowdSecWhitelist.ts` with `useWhitelistEntries`, `useAddWhitelist`, `useDeleteWhitelist` hooks per §3.7. + +**Validation Gate**: `pnpm test` (Vitest) passes; TypeScript compilation clean. + +--- + +### Phase 7 — Frontend UI + +**Files Changed**: +- `frontend/src/pages/CrowdSecConfig.tsx` + +**Task 7.1**: Import the three hooks from `useCrowdSecWhitelist.ts`. + +**Task 7.2**: Add `"whitelist"` to the tab list (visible only when `isLocalMode === true`). + +**Task 7.3**: Implement the Whitelist tab panel: +- Add-entry form with IP/CIDR + Reason inputs. +- "Add My IP" button: `GET /api/v1/system/my-ip` → pre-fill `ip_or_cidr`. +- Entries table with UUID key, IP/CIDR, Reason, created date, delete button. +- Delete confirmation dialog (reuse existing modal pattern). + +**Task 7.4**: Wire mutation errors to inline form validation messages (400/409 responses). + +**Validation Gate**: `pnpm test` passes; TypeScript clean; `make lint-fast` clean. + +--- + +### Phase 8 — Tests + +**Files Changed**: +- `backend/internal/services/crowdsec_whitelist_service_test.go` _(new file)_ +- `backend/internal/api/handlers/crowdsec_whitelist_handler_test.go` _(new file)_ +- `tests/crowdsec-whitelist.spec.ts` _(new file)_ + +**Task 8.1 — Service unit tests**: + +| Test | Scenario | +|---|---| +| `TestAdd_ValidIP_Success` | Bare IPv4 inserted; YAML file created | +| `TestAdd_ValidIPv6_Success` | Bare IPv6 inserted | +| `TestAdd_ValidCIDR_Success` | CIDR range inserted | +| `TestAdd_CIDRNormalization` | `"10.0.0.1/8"` stored as `"10.0.0.0/8"` | +| `TestAdd_InvalidIPOrCIDR_Error` | Returns `ErrInvalidIPOrCIDR` | +| `TestAdd_DuplicateEntry_Error` | Second identical insert returns `ErrDuplicateEntry` | +| `TestDelete_Success` | Entry removed; YAML regenerated | +| `TestDelete_NotFound_Error` | Returns `ErrWhitelistNotFound` | +| `TestList_Empty` | Returns empty slice | +| `TestList_Populated` | Returns all entries ordered by `created_at` | +| `TestWriteYAML_EmptyList` | Writes valid YAML with empty `ip: []` and `cidr: []` | +| `TestWriteYAML_MixedEntries` | IPs in `ip:` block; CIDRs in `cidr:` block | +| `TestWriteYAML_EmptyDataDir_NoOp` | `dataDir == ""` → returns `nil`, no file written | + +**Task 8.2 — Handler unit tests** (using in-memory SQLite + `mockAuthMiddleware`): + +| Test | Scenario | +|---|---| +| `TestListWhitelists_200` | Returns 200 with entries array | +| `TestAddWhitelist_201` | Valid payload → 201 | +| `TestAddWhitelist_400_MissingField` | Empty body → 400 | +| `TestAddWhitelist_400_InvalidIP` | Malformed IP → 400 | +| `TestAddWhitelist_409_Duplicate` | Duplicate → 409 | +| `TestDeleteWhitelist_204` | Valid UUID → 204 | +| `TestDeleteWhitelist_404` | Unknown UUID → 404 | + +**Task 8.3 — E2E Playwright tests** (`tests/crowdsec-whitelist.spec.ts`): ```typescript import { test, expect } from '@playwright/test' -test.describe('Certificate Coverage Smoke', () => { - test('export dialog opens when export button clicked', async ({ page }) => { - await page.goto('/') - // navigate to Certificates, click export on a cert - // assert dialog visible +test.describe('CrowdSec Whitelist Management', () => { + test.beforeEach(async ({ page }) => { + await page.goto('http://localhost:8080') + await page.getByRole('link', { name: 'Security' }).click() + await page.getByRole('tab', { name: 'CrowdSec' }).click() + await page.getByRole('tab', { name: 'Whitelist' }).click() }) - test('delete dialog opens for deletable certificate', async ({ page }) => { - await page.goto('/') - // assert delete confirmation dialog appears + test('Whitelist tab only visible in local mode', async ({ page }) => { + await page.goto('http://localhost:8080') + await page.getByRole('link', { name: 'Security' }).click() + await page.getByRole('tab', { name: 'CrowdSec' }).click() + // When CrowdSec is not in local mode, the Whitelist tab must not exist + await expect(page.getByRole('tab', { name: 'Whitelist' })).toBeHidden() + }) + + test('displays empty state when no entries exist', async ({ page }) => { + await expect(page.getByText('No whitelist entries')).toBeVisible() + }) + + test('adds a valid IP address', async ({ page }) => { + await page.getByRole('textbox', { name: 'IP or CIDR' }).fill('203.0.113.5') + await page.getByRole('textbox', { name: 'Reason' }).fill('Uptime monitor') + await page.getByRole('button', { name: 'Add' }).click() + await expect(page.getByText('Whitelist entry added')).toBeVisible() + await expect(page.getByRole('cell', { name: '203.0.113.5' })).toBeVisible() + }) + + test('adds a valid CIDR range', async ({ page }) => { + await page.getByRole('textbox', { name: 'IP or CIDR' }).fill('10.0.0.0/8') + await page.getByRole('textbox', { name: 'Reason' }).fill('Internal subnet') + await page.getByRole('button', { name: 'Add' }).click() + await expect(page.getByText('Whitelist entry added')).toBeVisible() + await expect(page.getByRole('cell', { name: '10.0.0.0/8' })).toBeVisible() + }) + + test('"Add My IP" button pre-fills the detected client IP', async ({ page }) => { + await page.getByRole('button', { name: 'Add My IP' }).click() + const ipField = page.getByRole('textbox', { name: 'IP or CIDR' }) + const value = await ipField.inputValue() + // Value must be a non-empty valid IP + expect(value).toMatch(/^[\d.]+$|^[0-9a-fA-F:]+$/) + }) + + test('shows validation error for invalid input', async ({ page }) => { + await page.getByRole('textbox', { name: 'IP or CIDR' }).fill('not-an-ip') + await page.getByRole('button', { name: 'Add' }).click() + await expect(page.getByText('Invalid IP address or CIDR notation')).toBeVisible() + }) + + test('removes an entry via delete confirmation', async ({ page }) => { + // Seed an entry first + await page.getByRole('textbox', { name: 'IP or CIDR' }).fill('198.51.100.1') + await page.getByRole('button', { name: 'Add' }).click() + await expect(page.getByRole('cell', { name: '198.51.100.1' })).toBeVisible() + + // Delete it + await page.getByRole('row', { name: /198\.51\.100\.1/ }).getByRole('button', { name: 'Delete' }).click() + await page.getByRole('button', { name: 'Confirm' }).click() + await expect(page.getByText('Whitelist entry removed')).toBeVisible() + await expect(page.getByRole('cell', { name: '198.51.100.1' })).toBeHidden() }) }) ``` -### Phase 2: Backend — Handler Tests +--- -**File**: `backend/internal/api/handlers/certificate_handler_patch_coverage_test.go` -**Action**: Append all tests from sections 3.1–3.6. +### Phase 9 — Documentation -Setup pattern for handler tests: +**Files Changed**: +- `ARCHITECTURE.md` +- `docs/features/crowdsec-whitelist.md` _(new file, optional for this PR)_ -```go -func setupCertHandlerTest(t *testing.T) (*gin.Engine, *CertificateHandler, *gorm.DB) { - t.Helper() - db, err := gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{}) - require.NoError(t, err) - require.NoError(t, db.AutoMigrate(&models.SSLCertificate{}, &models.User{}, &models.ProxyHost{})) - tmpDir := t.TempDir() - certSvc := services.NewCertificateService(tmpDir, db, nil) - backup := &mockBackupService{ - availableSpaceFunc: func() (int64, error) { return 1 << 30, nil }, - createFunc: func(string) (string, error) { return "/tmp/backup.db", nil }, - } - h := NewCertificateHandler(certSvc, backup, nil) - h.SetDB(db) - r := gin.New() - r.Use(mockAuthMiddleware()) - h.RegisterRoutes(r.Group("/api")) - return r, h, db -} -``` - -For `TestExport_IncludeKey_*` tests: inject user into gin context directly using a custom middleware wrapper that sets `"user"` (type `map[string]any`, field `"id"`) to the desired value. - -### Phase 3: Backend — Service Tests - -**File**: `backend/internal/services/certificate_service_patch_coverage_test.go` -**Action**: Append all tests from sections 3.7–3.13. - -Setup pattern: - -```go -func newTestSvc(t *testing.T) (*CertificateService, *gorm.DB, string) { - t.Helper() - db, err := gorm.Open(sqlite.Open(fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())), &gorm.Config{}) - require.NoError(t, err) - require.NoError(t, db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})) - tmpDir := t.TempDir() - return NewCertificateService(tmpDir, db, nil), db, tmpDir -} -``` - -For `TestMigratePrivateKeys_WithRows`: use `db.Exec("INSERT INTO ssl_certificates (..., private_key) VALUES (...)` raw SQL to bypass GORM's `gorm:"-"` tag. - -### Phase 4: Backend — Validator Tests - -**File**: `backend/internal/services/certificate_validator_patch_coverage_test.go` (new) - -Key helpers needed: - -```go -// generatePKCS1RSAKeyPEM returns an RSA key in PKCS#1 "RSA PRIVATE KEY" PEM format. -func generatePKCS1RSAKeyPEM(t *testing.T) []byte { - key, err := rsa.GenerateKey(rand.Reader, 2048) - require.NoError(t, err) - return pem.EncodeToMemory(&pem.Block{ - Type: "RSA PRIVATE KEY", - Bytes: x509.MarshalPKCS1PrivateKey(key), - }) -} - -// generateECKeyPEM returns an EC key in "EC PRIVATE KEY" (SEC1) PEM format. -func generateECKeyPEM(t *testing.T, curve elliptic.Curve) []byte { - key, err := ecdsa.GenerateKey(curve, rand.Reader) - require.NoError(t, err) - b, err := x509.MarshalECPrivateKey(key) - require.NoError(t, err) - return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b}) -} -``` - -### Phase 5: Backend — Proxy Host Handler Tests - -**File**: `backend/internal/api/handlers/proxy_host_handler_patch_coverage_test.go` (new) - -Setup pattern mirrors existing `proxy_host_handler_test.go` — use in-memory SQLite, `mockAuthMiddleware`, and `mockCaddyManager` (already available via test hook vars). - -### Phase 6: Frontend Tests - -**Files**: -- `frontend/src/components/__tests__/CertificateList.test.tsx` -- `frontend/src/components/dialogs/__tests__/CertificateUploadDialog.test.tsx` - -Use existing mock structure; add new `it(...)` blocks inside existing `describe` blocks. - -Frontend bulk delete success test pattern: - -```typescript -it('calls bulkDeleteMutation.mutate with selected UUIDs on confirm', async () => { - const bulkDeleteFn = vi.fn() - mockUseBulkDeleteCertificates.mockReturnValue({ - mutate: bulkDeleteFn, - isPending: false, - }) - render() - // select checkboxes, click bulk delete, confirm dialog - expect(bulkDeleteFn).toHaveBeenCalledWith(['uuid-1', 'uuid-2']) -}) -``` - -### Phase 7: Validation - -1. `cd /projects/Charon && bash scripts/go-test-coverage.sh` -2. `cd /projects/Charon && bash scripts/frontend-test-coverage.sh` -3. `bash scripts/local-patch-report.sh` → verify `test-results/local-patch-report.md` shows ≥ 90% -4. `bash scripts/scan-gorm-security.sh --check` → zero CRITICAL/HIGH +**Task 9.1**: Update the CrowdSec row in the Cerberus security components table in `ARCHITECTURE.md` to mention whitelist management. --- -## 5. Commit Slicing Strategy +## 5. Acceptance Criteria -**Decision**: One PR with 5 ordered, independently-reviewable commits. +### Functional -**Rationale**: Four packages touched across two build systems (Go + Node). Atomic commits allow targeted revert if a mock approach proves brittle for a specific file, without rolling back unrelated coverage gains. +- [ ] Operator can add a bare IPv4 address (e.g., `203.0.113.5`) to the whitelist. +- [ ] Operator can add a bare IPv6 address (e.g., `2001:db8::1`) to the whitelist. +- [ ] Operator can add a CIDR range (e.g., `10.0.0.0/8`) to the whitelist. +- [ ] Adding an invalid IP/CIDR (e.g., `not-an-ip`) returns a 400 error with a clear message. +- [ ] Adding a duplicate entry returns a 409 conflict error. +- [ ] Operator can delete an entry; it disappears from the list. +- [ ] The Whitelist tab is only visible when CrowdSec is in `local` mode. +- [ ] After adding or deleting an entry, the whitelist YAML file is regenerated in `/config/parsers/s02-enrich/charon-whitelist.yaml`. +- [ ] Adding or removing a whitelist entry triggers `cscli hub reload` via `h.CmdExec` so changes take effect immediately without a container restart. +- [ ] On container restart, the YAML file is regenerated from DB entries before CrowdSec starts. +- [ ] **Admin IP protection**: The "Add My IP" button pre-fills the operator's current IP in the `ip_or_cidr` field; a Playwright E2E test verifies the button correctly pre-fills the detected client IP. -| # | Scope | Files | Dependencies | Validation Gate | -|---|---|---|---|---| -| **Commit 1** | Handler re-auth + delete + file-open errors | `certificate_handler_patch_coverage_test.go` (extend) | None | `go test ./backend/internal/api/handlers/...` | -| **Commit 2** | Service SyncFromDisk, ListCerts, GetDecryptedKey, Migrate, Update, Delete, CheckExpiring | `certificate_service_patch_coverage_test.go` (extend) | None | `go test ./backend/internal/services/...` | -| **Commit 3** | Validator DetectFormat, parsePEMPrivateKey, detectKeyType, ConvertPEMToPFX/DER, formatSerial | `certificate_validator_patch_coverage_test.go` (new) | Commit 2 not required (separate file) | `go test ./backend/internal/services/...` | -| **Commit 4** | Proxy host warnings + BulkUpdateSecurityHeaders edge cases | `proxy_host_handler_patch_coverage_test.go` (new) | None | `go test ./backend/internal/api/handlers/...` | -| **Commit 5** | Frontend CertificateList + CertificateUploadDialog | `CertificateList.test.tsx`, `CertificateUploadDialog.test.tsx` (extend) | None | `npm run test` | +### Technical -**Rollback**: Any commit is safe to revert independently — all changes are additive test-only files. - -**Contingency**: If the `Export` handler's re-auth tests require gin context injection that the current router wiring doesn't support cleanly, use a sub-router with a custom test middleware that pre-populates `"user"` (`map[string]any{"id": uint(1)}`) with the specific value under test, bypassing `mockAuthMiddleware` for those cases only. +- [ ] `go test ./backend/...` passes — no regressions. +- [ ] `pnpm test` (Vitest) passes. +- [ ] `make lint-fast` clean — no new lint findings. +- [ ] GORM Security Scanner returns zero CRITICAL/HIGH findings. +- [ ] Playwright E2E suite passes (Firefox, `--project=firefox`). +- [ ] `crowdsecurity/whitelists` parser is installed by `install_hub_items.sh`. --- -## 6. Acceptance Criteria +## 6. Commit Slicing Strategy -- [ ] `go test -race ./backend/...` — all tests pass, no data races -- [ ] Backend patch coverage ≥ 90% for all modified Go files per `test-results/local-patch-report.md` -- [ ] `npm run test` — all Vitest tests pass -- [ ] Frontend patch coverage ≥ 90% for `CertificateList.tsx` and `CertificateUploadDialog.tsx` -- [ ] GORM security scan: zero CRITICAL/HIGH findings -- [ ] No new `//nolint` or `//nosec` directives introduced -- [ ] No source file modifications — test files only -- [ ] All new Go test names follow `TestFunctionName_Scenario` convention -- [ ] Previous spec archived to `docs/plans/archive/` +**Decision**: Single PR with ordered logical commits. No scope overlap between commits; each commit leaves the codebase in a compilable state. + +**Trigger reasons**: Cross-domain change (infra script + model + service + handler + startup + frontend) benefits from ordered commits for surgical rollback and focused review. + +| # | Type | Commit Message | Files | Depends On | Validation Gate | +|---|---|---|---|---|---| +| 1 | `chore` | `install crowdsecurity/whitelists parser by default` | `configs/crowdsec/install_hub_items.sh` | — | `shellcheck` | +| 2 | `feat` | `add CrowdSecWhitelist model and automigrate registration` | `backend/internal/models/crowdsec_whitelist.go`, `backend/internal/api/routes/routes.go` | #1 | `go build ./backend/...` | +| 3 | `feat` | `add CrowdSecWhitelistService with YAML generation` | `backend/internal/services/crowdsec_whitelist_service.go` | #2 | `go test ./backend/internal/services/...` | +| 4 | `feat` | `add whitelist API endpoints to CrowdsecHandler` | `backend/internal/api/handlers/crowdsec_handler.go` | #3 | `go test ./backend/...` + `make lint-fast` | +| 5 | `feat` | `regenerate whitelist YAML on CrowdSec startup reconcile` | `backend/internal/services/crowdsec_startup.go` | #3 | `go test ./backend/internal/services/...` | +| 6 | `feat` | `add whitelist API client functions and TanStack hooks` | `frontend/src/api/crowdsec.ts`, `frontend/src/hooks/useCrowdSecWhitelist.ts` | #4 | `pnpm test` | +| 7 | `feat` | `add Whitelist tab to CrowdSecConfig UI` | `frontend/src/pages/CrowdSecConfig.tsx` | #6 | `pnpm test` + `make lint-fast` | +| 8 | `test` | `add whitelist service and handler unit tests` | `*_test.go` files | #4 | `go test ./backend/...` | +| 9 | `test` | `add E2E tests for CrowdSec whitelist management` | `tests/crowdsec-whitelist.spec.ts` | #7 | Playwright Firefox | +| 10 | `docs` | `update architecture docs for CrowdSec whitelist feature` | `ARCHITECTURE.md` | #7 | `make lint-fast` | + +**Rollback notes**: +- Commits 1–3 are pure additions (no existing code modified except the `AutoMigrate` list append in commit 2 and `install_hub_items.sh` in commit 1). Reverting them is safe. +- Commit 4 modifies `crowdsec_handler.go` by adding fields and methods without altering existing ones; reverting is mechanical. +- Commit 5 modifies `crowdsec_startup.go` — the added block is isolated in a clearly marked section; revert is a 5-line removal. +- Commits 6–7 are frontend-only; reverting has no backend impact. --- -## 7. Estimated Coverage Impact +## 7. Open Questions / Risks -| File | Current | Estimated After | Lines Recovered | -|---|---|---|---| -| `certificate_handler.go` | 70.28% | ~85% | ~42 lines | -| `certificate_service.go` | 82.85% | ~92% | ~44 lines | -| `certificate_validator.go` | 88.68% | ~96% | ~18 lines | -| `proxy_host_handler.go` | 55.17% | ~60% | ~8 lines | -| `CertificateList.tsx` | moderate | high | ~15 lines | -| `CertificateUploadDialog.tsx` | moderate | high | ~12 lines | -| **Overall patch** | **85.61%** | **≥ 90%** | **~139 lines** | +| Risk | Likelihood | Mitigation | +|---|---|---| +| CrowdSec does not hot-reload parser files — requires `cscli reload` or process restart | Resolved | `cscli hub reload` is called via `h.CmdExec.Execute(...)` in `AddWhitelist` and `DeleteWhitelist` after each successful `WriteYAML()`. Failure is non-fatal; logged as a warning. | +| `crowdsecurity/whitelists` parser path may differ across CrowdSec versions | Low | Use `/config/parsers/s02-enrich/` which is the canonical path; add a note to verify on version upgrades | +| Large whitelist files could cause CrowdSec performance issues | Very Low | Reasonable for typical use; document a soft limit recommendation (< 500 entries) in the UI | +| `dataDir` empty string in tests | Resolved | Guard added to `WriteYAML`: `if s.dataDir == "" { return nil }` — no-op when `dataDir` is unset | +| `CROWDSEC_TRUSTED_IPS` env var seeding | — | **Follow-up / future enhancement** (not in scope for this PR): if `CROWDSEC_TRUSTED_IPS` is set at runtime, parse comma-separated IPs and include them as read-only seed entries in the generated YAML (separate from DB-managed entries). Document in a follow-up issue. | -> **Note**: Proxy host handler remains below 90% after this plan because the `Create`/`Update`/`Delete` handler paths require full Caddy manager mock integration. A follow-up plan should address these with a dedicated `mockCaddyManager` interface. From 557b33dc73f77055ac2c24518457d563d51f3b62 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 01:18:43 +0000 Subject: [PATCH 17/44] fix: update docker/go-connections dependency to v0.7.0 --- backend/go.mod | 2 +- backend/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/backend/go.mod b/backend/go.mod index b2a8e167..fadc0046 100644 --- a/backend/go.mod +++ b/backend/go.mod @@ -39,7 +39,7 @@ require ( github.com/containerd/log v0.1.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/distribution/reference v0.6.0 // indirect - github.com/docker/go-connections v0.6.0 // indirect + github.com/docker/go-connections v0.7.0 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect diff --git a/backend/go.sum b/backend/go.sum index 6f23218c..aef6c54f 100644 --- a/backend/go.sum +++ b/backend/go.sum @@ -29,8 +29,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM= github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94= -github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE= +github.com/docker/go-connections v0.7.0 h1:6SsRfJddP22WMrCkj19x9WKjEDTB+ahsdiGYf0mN39c= +github.com/docker/go-connections v0.7.0/go.mod h1:no1qkHdjq7kLMGUXYAduOhYPSJxxvgWBh7ogVvptn3Q= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= From 3d0179a119f4a13a733a01f37096681ed2f28e31 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 01:20:38 +0000 Subject: [PATCH 18/44] fix: update @asamuzakjp/css-color and @asamuzakjp/dom-selector to latest versions and add @asamuzakjp/generational-cache dependency --- frontend/package-lock.json | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/frontend/package-lock.json b/frontend/package-lock.json index 2e16daa1..04937000 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -101,14 +101,15 @@ } }, "node_modules/@asamuzakjp/css-color": { - "version": "5.1.10", - "resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-5.1.10.tgz", - "integrity": "sha512-02OhhkKtgNRuicQ/nF3TRnGsxL9wp0r3Y7VlKWyOHHGmGyvXv03y+PnymU8FKFJMTjIr1Bk8U2g1HWSLrpAHww==", + "version": "5.1.11", + "resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-5.1.11.tgz", + "integrity": "sha512-KVw6qIiCTUQhByfTd78h2yD1/00waTmm9uy/R7Ck/ctUyAPj+AEDLkQIdJW0T8+qGgj3j5bpNKK7Q3G+LedJWg==", "dev": true, "license": "MIT", "dependencies": { - "@csstools/css-calc": "^3.1.1", - "@csstools/css-color-parser": "^4.0.2", + "@asamuzakjp/generational-cache": "^1.0.1", + "@csstools/css-calc": "^3.2.0", + "@csstools/css-color-parser": "^4.1.0", "@csstools/css-parser-algorithms": "^4.0.0", "@csstools/css-tokenizer": "^4.0.0" }, @@ -117,12 +118,13 @@ } }, "node_modules/@asamuzakjp/dom-selector": { - "version": "7.0.9", - "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.0.9.tgz", - "integrity": "sha512-r3ElRr7y8ucyN2KdICwGsmj19RoN13CLCa/pvGydghWK6ZzeKQ+TcDjVdtEZz2ElpndM5jXw//B9CEee0mWnVg==", + "version": "7.0.10", + "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.0.10.tgz", + "integrity": "sha512-KyOb19eytNSELkmdqzZZUXWCU25byIlOld5qVFg0RYdS0T3tt7jeDByxk9hIAC73frclD8GKrHttr0SUjKCCdQ==", "dev": true, "license": "MIT", "dependencies": { + "@asamuzakjp/generational-cache": "^1.0.1", "@asamuzakjp/nwsapi": "^2.3.9", "bidi-js": "^1.0.3", "css-tree": "^3.2.1", @@ -132,6 +134,16 @@ "node": "^20.19.0 || ^22.12.0 || >=24.0.0" } }, + "node_modules/@asamuzakjp/generational-cache": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@asamuzakjp/generational-cache/-/generational-cache-1.0.1.tgz", + "integrity": "sha512-wajfB8KqzMCN2KGNFdLkReeHncd0AslUSrvHVvvYWuU8ghncRJoA50kT3zP9MVL0+9g4/67H+cdvBskj9THPzg==", + "dev": true, + "license": "MIT", + "engines": { + "node": "^20.19.0 || ^22.12.0 || >=24.0.0" + } + }, "node_modules/@asamuzakjp/nwsapi": { "version": "2.3.9", "resolved": "https://registry.npmjs.org/@asamuzakjp/nwsapi/-/nwsapi-2.3.9.tgz", @@ -5777,9 +5789,9 @@ } }, "node_modules/electron-to-chromium": { - "version": "1.5.336", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.336.tgz", - "integrity": "sha512-AbH9q9J455r/nLmdNZes0G0ZKcRX73FicwowalLs6ijwOmCJSRRrLX63lcAlzy9ux3dWK1w1+1nsBJEWN11hcQ==", + "version": "1.5.338", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.338.tgz", + "integrity": "sha512-KVQQ3xko9/coDX3qXLUEEbqkKT8L+1DyAovrtu0Khtrt9wjSZ+7CZV4GVzxFy9Oe1NbrIU1oVXCwHJruIA1PNg==", "dev": true, "license": "ISC" }, From f46bb838cab719d313f4b4d7aaae6374b37ab83e Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 13:13:47 +0000 Subject: [PATCH 19/44] feat: add QA audit report for CrowdSec IP Whitelist Management --- ...qa_report_crowdsec_whitelist_2026-04-16.md | 226 ++++++++++++++++++ 1 file changed, 226 insertions(+) create mode 100644 docs/reports/qa_report_crowdsec_whitelist_2026-04-16.md diff --git a/docs/reports/qa_report_crowdsec_whitelist_2026-04-16.md b/docs/reports/qa_report_crowdsec_whitelist_2026-04-16.md new file mode 100644 index 00000000..8bd230e6 --- /dev/null +++ b/docs/reports/qa_report_crowdsec_whitelist_2026-04-16.md @@ -0,0 +1,226 @@ +# QA Audit Report — CrowdSec IP Whitelist Management + +**Feature Branch**: `feature/beta-release` +**Pull Request**: #952 +**Repository**: Wikid82/Charon +**Audit Date**: 2026-04-16 +**Auditor**: QA Security Agent + +--- + +## Overall Verdict + +### APPROVED WITH CONDITIONS + +The CrowdSec IP Whitelist Management feature passes all critical quality and security gates. All feature-specific E2E tests pass across three browsers. Backend and frontend coverage exceed thresholds. No security vulnerabilities were found in the feature code. Two upstream HIGH CVEs in the Docker image and below-threshold overall patch coverage require tracking but do not block the release. + +--- + +## Gate Results Summary + +| # | Gate | Result | Detail | +|---|------|--------|--------| +| 1 | Playwright E2E | **PASS** | All CrowdSec whitelist tests passed; 14 pre-existing failures (unrelated) | +| 2 | Go Backend Coverage | **PASS** | 88.4% line coverage (threshold: 87%) | +| 3 | Frontend Coverage | **PASS** | 90.06% line coverage (threshold: 87%) | +| 4 | Patch Coverage | **WARN** | Overall 89.4% (threshold: 90%); Backend 88.0% PASS; Frontend 97.0% PASS | +| 5 | TypeScript Type Check | **PASS** | `npx tsc --noEmit` — 0 errors | +| 6 | Lefthook (Lint/Format) | **PASS** | All 6 hooks green | +| 7 | GORM Security Scan | **PASS** | 0 CRITICAL/HIGH/MEDIUM issues | +| 8 | Trivy Filesystem Scan | **PASS** | 0 CRITICAL/HIGH vulnerabilities | +| 9 | Trivy Docker Image Scan | **WARN** | 2 unique HIGH CVEs (upstream dependencies) | +| 10 | CodeQL SARIF Review | **PASS** | 1 pre-existing Go finding; 0 JS findings; 0 whitelist-related | + +--- + +## Detailed Gate Analysis + +### Gate 1 — Playwright E2E Tests + +**Result**: PASS +**Browsers**: Chromium, Firefox, WebKit (all three) + +**CrowdSec Whitelist-Specific Tests (10 tests)**: All PASSED +- Add whitelist entry with valid IP +- Add whitelist entry with valid CIDR +- Reject invalid IP/CIDR input +- Reject duplicate entry +- Delete whitelist entry +- Display whitelist table with entries +- Empty state display +- Whitelist tab visibility (local mode only) +- Form validation and error handling +- Toast notification on success/failure + +**Pre-existing Failures (14 unique, unrelated to this feature)**: +- Certificate deletion tests (7): cert delete/bulk-delete operations +- Caddy import tests (3): conflict details, server detection, resolution +- Navigation test (1): main navigation item count +- User management tests (2): invite link copy, keyboard navigation +- Integration test (1): system health check + +None of the pre-existing failures are related to the CrowdSec whitelist feature. + +### Gate 2 — Go Backend Coverage + +**Result**: PASS +**Coverage**: 88.4% line coverage +**Threshold**: 87% + +### Gate 3 — Frontend Coverage + +**Result**: PASS +**Coverage**: 90.06% line coverage (Statements: 89.03%, Branches: 85.84%, Functions: 85.85%) +**Threshold**: 87% + +5 pre-existing test timeouts in `ProxyHostForm-dns.test.tsx` and `ProxyHostForm-dropdown-changes.test.tsx` — not whitelist-related. + +### Gate 4 — Patch Coverage + +**Result**: WARN (non-blocking) + +| Scope | Changed Lines | Covered | Patch % | Status | +|-------|--------------|---------|---------|--------| +| Overall | 1689 | 1510 | 89.4% | WARN (threshold: 90%) | +| Backend | 1426 | 1255 | 88.0% | PASS (threshold: 85%) | +| Frontend | 263 | 255 | 97.0% | PASS (threshold: 85%) | + +**CrowdSec-Specific Patch Coverage**: +- `crowdsec_handler.go`: 71.2% — 17 uncovered changed lines (error-handling branches) +- `crowdsec_whitelist_service.go`: 83.6% — 18 uncovered changed lines (YAML write failure, edge cases) +- `CrowdSecConfig.tsx`: 93.3% — 2 uncovered changed lines + +**Recommendation**: Add targeted unit tests for error-handling branches in `crowdsec_handler.go` (lines 2712-2772) and `crowdsec_whitelist_service.go` (lines 47-148) to bring CrowdSec-specific patch coverage above 90%. This is tracked as a follow-up improvement and does not block release. + +### Gate 5 — TypeScript Type Check + +**Result**: PASS +`npx tsc --noEmit` from `frontend/` completed with 0 errors. + +### Gate 6 — Lefthook (Lint/Format) + +**Result**: PASS +All 6 hooks passed: +- `go-fmt` +- `go-vet` +- `go-staticcheck` +- `eslint` +- `prettier-check` +- `tsc-check` + +### Gate 7 — GORM Security Scan + +**Result**: PASS +`./scripts/scan-gorm-security.sh --check` — 0 CRITICAL, 0 HIGH, 0 MEDIUM issues. +No exposed IDs, secrets, or DTO embedding violations in CrowdSec whitelist models. + +### Gate 8 — Trivy Filesystem Scan + +**Result**: PASS +`trivy fs --scanners vuln --severity CRITICAL,HIGH --format table .` — 0 vulnerabilities detected in application source and dependencies. + +### Gate 9 — Trivy Docker Image Scan + +**Result**: WARN (non-blocking for this feature) +Image: `charon:local` (Alpine 3.23.3) + +| CVE | Severity | Package | Installed | Fixed | Component | +|-----|----------|---------|-----------|-------|-----------| +| CVE-2026-34040 | HIGH | github.com/docker/docker | v28.5.2+incompatible | 29.3.1 | Charon Go binary (Moby authorization bypass) | +| CVE-2026-32286 | HIGH | github.com/jackc/pgproto3/v2 | v2.3.3 | No fix | CrowdSec binaries (PostgreSQL protocol DoS) | + +**Analysis**: +- CVE-2026-34040: Moby authorization bypass — affects Docker API access control. Charon does not expose Docker API to untrusted networks. Low practical risk. Update `github.com/docker/docker` to v29.3.1 when available. +- CVE-2026-32286: PostgreSQL protocol DoS — present only in CrowdSec's `crowdsec` and `cscli` binaries, not in Charon's own code. Awaiting upstream fix from CrowdSec. + +**Recommendation**: Track both CVEs for remediation. Neither impacts CrowdSec whitelist management functionality or Charon's own security posture directly. + +### Gate 10 — CodeQL SARIF Review + +**Result**: PASS + +- **Go**: 1 pre-existing finding — `cookie-secure-not-set` at `auth_handler.go:152`. Not whitelist-related. Tracked separately. +- **JavaScript**: 0 findings. +- **CrowdSec whitelist**: 0 findings across both Go and JavaScript. + +--- + +## Security Review — CrowdSec IP Whitelist Feature + +### 1. IP/CIDR Input Validation + +**Status**: SECURE + +The `normalizeIPOrCIDR()` function in `crowdsec_whitelist_service.go` uses Go standard library functions `net.ParseIP()` and `net.ParseCIDR()` for validation. Invalid inputs are rejected with the sentinel error `ErrInvalidIPOrCIDR`. No user input passes through without validation. + +### 2. YAML Injection Prevention + +**Status**: SECURE + +`buildWhitelistYAML()` uses a `strings.Builder` to construct YAML output. Only IP addresses and CIDR ranges that have already passed `normalizeIPOrCIDR()` validation are included. The normalized output from `net.ParseIP`/`net.ParseCIDR` cannot contain YAML metacharacters. + +### 3. Path Traversal Protection + +**Status**: SECURE + +`WriteYAML()` uses hardcoded file paths (no user input in path construction). Atomic write pattern: writes to `.tmp` suffix, then `os.Rename()` to final path. No directory traversal vectors. + +### 4. SQL Injection Prevention + +**Status**: SECURE + +All GORM queries use parameterized operations: +- `Where("uuid = ?", id)` for delete +- `Where("ip_or_cidr = ?", normalized)` for duplicate check +- Standard GORM `Create()` for inserts + +No raw SQL or string concatenation. + +### 5. Authentication & Authorization + +**Status**: SECURE + +All whitelist routes are registered under the admin route group in `routes.go`, which is protected by: +- Cerberus middleware (authentication/authorization enforcement) +- Emergency bypass middleware (for recovery scenarios only) +- Security headers and gzip middleware + +No unauthenticated access to whitelist endpoints is possible. + +### 6. Log Safety + +**Status**: SECURE + +Whitelist service logs only operational error context (e.g., "failed to write CrowdSec whitelist YAML after add"). No IP addresses, user data, or PII are written to logs. Other handler code uses `util.SanitizeForLog()` for user-controlled input in log messages. + +--- + +## Conditions for Approval + +These items are tracked as follow-up improvements and do not block merge: + +1. **Patch Coverage Improvement**: Add targeted unit tests for error-handling branches in: + - `crowdsec_handler.go` (lines 2712-2772, 71.2% patch coverage) + - `crowdsec_whitelist_service.go` (lines 47-148, 83.6% patch coverage) + +2. **Upstream CVE Tracking**: + - CVE-2026-34040: Update `github.com/docker/docker` to v29.3.1 when Go module is available + - CVE-2026-32286: Monitor CrowdSec upstream for `pgproto3` fix + +3. **Pre-existing Test Failures**: 14 pre-existing E2E test failures (certificate deletion, caddy import, navigation, user management) should be tracked in existing issues. None are regressions from this feature. + +--- + +## Artifacts + +| Artifact | Location | +|----------|----------| +| Playwright HTML Report | `playwright-report/index.html` | +| Backend Coverage | `backend/coverage.txt` | +| Frontend Coverage | `frontend/coverage/lcov.info`, `frontend/coverage/coverage-summary.json` | +| Patch Coverage Report | `test-results/local-patch-report.md`, `test-results/local-patch-report.json` | +| GORM Security Scan | Inline (0 findings) | +| Trivy Filesystem Scan | Inline (0 findings) | +| Trivy Image Scan | `trivy-image-report.json` | +| CodeQL Go SARIF | `codeql-results-go.sarif` | +| CodeQL JS SARIF | `codeql-results-javascript.sarif` | From 402a8b31058874913af02434a2df29fdf1c3bae0 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 13:16:17 +0000 Subject: [PATCH 20/44] fix: update electron-to-chromium, eslint-plugin-sonarjs, minimatch, and ts-api-utils to latest versions --- frontend/package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/frontend/package-lock.json b/frontend/package-lock.json index 04937000..7be02a23 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -5789,9 +5789,9 @@ } }, "node_modules/electron-to-chromium": { - "version": "1.5.338", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.338.tgz", - "integrity": "sha512-KVQQ3xko9/coDX3qXLUEEbqkKT8L+1DyAovrtu0Khtrt9wjSZ+7CZV4GVzxFy9Oe1NbrIU1oVXCwHJruIA1PNg==", + "version": "1.5.339", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.339.tgz", + "integrity": "sha512-Is+0BBHJ4NrdpAYiperrmp53pLywG/yV/6lIMTAnhxvzj/Cmn5Q/ogSHC6AKe7X+8kPLxxFk0cs5oc/3j/fxIg==", "dev": true, "license": "ISC" }, From 4232c0a8eef45c0b2496e7a8c8678f2d8f07badb Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 13:31:37 +0000 Subject: [PATCH 21/44] fix: update benchmark-action/github-action-benchmark to v1.22.0 and mlugg/setup-zig to v2.2.1 for improved security and functionality --- .github/workflows/benchmark.yml | 2 +- .github/workflows/release-goreleaser.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index aaa131c0..aca4b0ca 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -52,7 +52,7 @@ jobs: # This avoids gh-pages branch errors and permission issues on fork PRs if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'main' # Security: Pinned to full SHA for supply chain security - uses: benchmark-action/github-action-benchmark@4e0b38bc48375986542b13c0d8976b7b80c60c00 # v1 + uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0 with: name: Go Benchmark tool: 'go' diff --git a/.github/workflows/release-goreleaser.yml b/.github/workflows/release-goreleaser.yml index 0507698c..a9fa9e16 100644 --- a/.github/workflows/release-goreleaser.yml +++ b/.github/workflows/release-goreleaser.yml @@ -67,7 +67,7 @@ jobs: - name: Install Cross-Compilation Tools (Zig) # Security: Pinned to full SHA for supply chain security - uses: goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 # v2 + uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1 with: version: 0.13.0 From 983ae34147e238d63ad3e46ac459af1bbf1eeb7b Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 14:04:15 +0000 Subject: [PATCH 22/44] fix(docker): persist CrowdSec LAPI database across container rebuilds --- .docker/docker-entrypoint.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.docker/docker-entrypoint.sh b/.docker/docker-entrypoint.sh index e660a6ee..45836e1a 100755 --- a/.docker/docker-entrypoint.sh +++ b/.docker/docker-entrypoint.sh @@ -303,6 +303,19 @@ ACQUIS_EOF # Also handle case where it might be without trailing slash sed -i 's|log_dir: /var/log$|log_dir: /var/log/crowdsec|g' "$CS_CONFIG_DIR/config.yaml" + # Redirect CrowdSec LAPI database to persistent volume + # Default path /var/lib/crowdsec/data/crowdsec.db is ephemeral (not volume-mounted), + # so it is destroyed on every container rebuild. The bouncer API key (stored on the + # persistent volume at /app/data/crowdsec/) survives rebuilds but the LAPI database + # that validates it does not — causing perpetual key rejection. + # Redirecting db_path to the volume-mounted CS_DATA_DIR fixes this. + sed -i "s|db_path: /var/lib/crowdsec/data/crowdsec.db|db_path: ${CS_DATA_DIR}/crowdsec.db|g" "$CS_CONFIG_DIR/config.yaml" + if grep -q "db_path:.*${CS_DATA_DIR}" "$CS_CONFIG_DIR/config.yaml"; then + echo "✓ CrowdSec LAPI database redirected to persistent volume: ${CS_DATA_DIR}/crowdsec.db" + else + echo "⚠️ WARNING: Could not verify LAPI db_path redirect — bouncer keys may not survive rebuilds" + fi + # Verify LAPI configuration was applied correctly if grep -q "listen_uri:.*:8085" "$CS_CONFIG_DIR/config.yaml"; then echo "✓ CrowdSec LAPI configured for port 8085" From 55f64f8050b097db6eaca886ed4a423a2634f973 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 14:07:36 +0000 Subject: [PATCH 23/44] fix: update translation keys for CrowdSec security titles and badges --- frontend/src/pages/Security.tsx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/frontend/src/pages/Security.tsx b/frontend/src/pages/Security.tsx index d88884b6..45a5e4d6 100644 --- a/frontend/src/pages/Security.tsx +++ b/frontend/src/pages/Security.tsx @@ -435,7 +435,7 @@ export default function Security() {
- {t('security.crowdsec')} + {t('security.crowdsec.title')} {t('security.crowdsecDescription')}
@@ -485,7 +485,7 @@ export default function Security() {
{t('security.layer2')} - {t('security.acl')} + {t('security.acl.badge')}
{status.acl.enabled ? t('common.enabled') : t('common.disabled')} @@ -538,7 +538,7 @@ export default function Security() {
{t('security.layer3')} - {t('security.waf')} + {t('security.waf.badge')}
{status.waf.enabled ? t('common.enabled') : t('common.disabled')} From 5980a8081c187c3924ff4a0171dc118f2bcdce5c Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 14:12:07 +0000 Subject: [PATCH 24/44] fix: improve regex for delete button name matching in CrowdSec IP Whitelist tests --- tests/crowdsec-whitelist.spec.ts | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/crowdsec-whitelist.spec.ts b/tests/crowdsec-whitelist.spec.ts index a0e72117..24fbdfb9 100644 --- a/tests/crowdsec-whitelist.spec.ts +++ b/tests/crowdsec-whitelist.spec.ts @@ -4,7 +4,6 @@ import { withSecurityEnabled, captureSecurityState, setSecurityModuleEnabled, - getSecurityStatus, } from './utils/security-helpers'; import { getStorageStateAuthHeaders } from './utils/api-helpers'; import { STORAGE_STATE } from './constants'; @@ -302,7 +301,7 @@ test.describe('CrowdSec IP Whitelist Management', () => { await test.step('Click the delete button for the entry', async () => { const deleteBtn = page.getByRole('button', { - name: new RegExp(`Remove whitelist entry for ${testIP.replace(/\./g, '\\.')}`, 'i'), + name: new RegExp(`Remove whitelist entry for ${testIP.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}`, 'i'), }); await expect(deleteBtn).toBeVisible(); await deleteBtn.click(); @@ -366,7 +365,7 @@ test.describe('CrowdSec IP Whitelist Management', () => { await test.step('Open the delete modal', async () => { const deleteBtn = page.getByRole('button', { - name: new RegExp(`Remove whitelist entry for ${testIP.replace(/\./g, '\\.')}`, 'i'), + name: new RegExp(`Remove whitelist entry for ${testIP.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}`, 'i'), }); await deleteBtn.click(); await expect(page.getByRole('dialog')).toBeVisible(); From 3b3ea83ecda58a9fded1bac2b27df504e5cbcd87 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 23:51:01 +0000 Subject: [PATCH 25/44] chore: add database error handling tests for whitelist service and handler --- .../crowdsec_whitelist_handler_test.go | 92 +++++++++++++ .../crowdsec_whitelist_service_test.go | 123 ++++++++++++++++++ 2 files changed, 215 insertions(+) diff --git a/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go b/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go index dc03065b..7f603dea 100644 --- a/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go +++ b/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go @@ -4,6 +4,7 @@ import ( "bytes" "context" "encoding/json" + "errors" "net/http" "net/http/httptest" "testing" @@ -173,3 +174,94 @@ func TestAddWhitelist_400_MissingField(t *testing.T) { require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) assert.Equal(t, "ip_or_cidr is required", resp["error"]) } + +func TestListWhitelists_DBError(t *testing.T) { + t.Parallel() + _, r, db := setupWhitelistHandler(t) + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/whitelist", nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusInternalServerError, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + assert.Equal(t, "failed to list whitelist entries", resp["error"]) +} + +func TestAddWhitelist_DBError(t *testing.T) { + t.Parallel() + _, r, db := setupWhitelistHandler(t) + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + body := `{"ip_or_cidr":"1.2.3.4","reason":"test"}` + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusInternalServerError, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + assert.Equal(t, "failed to add whitelist entry", resp["error"]) +} + +func TestAddWhitelist_ReloadFailure(t *testing.T) { + t.Parallel() + h, r, _ := setupWhitelistHandler(t) + mock := &mockCmdExecWhitelist{reloadErr: errors.New("cscli failed")} + h.CmdExec = mock + + body := `{"ip_or_cidr":"3.3.3.3","reason":"reload test"}` + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/whitelist", bytes.NewBufferString(body)) + req.Header.Set("Content-Type", "application/json") + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusCreated, w.Code) + assert.True(t, mock.reloadCalled) +} + +func TestDeleteWhitelist_DBError(t *testing.T) { + t.Parallel() + _, r, db := setupWhitelistHandler(t) + svc := services.NewCrowdSecWhitelistService(db, "") + entry, err := svc.Add(t.Context(), "4.4.4.4", "will close db") + require.NoError(t, err) + + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/whitelist/"+entry.UUID, nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusInternalServerError, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + assert.Equal(t, "failed to delete whitelist entry", resp["error"]) +} + +func TestDeleteWhitelist_ReloadFailure(t *testing.T) { + t.Parallel() + h, r, db := setupWhitelistHandler(t) + mock := &mockCmdExecWhitelist{reloadErr: errors.New("cscli failed")} + h.CmdExec = mock + + svc := services.NewCrowdSecWhitelistService(db, "") + entry, err := svc.Add(t.Context(), "5.5.5.5", "reload test") + require.NoError(t, err) + + w := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/whitelist/"+entry.UUID, nil) + r.ServeHTTP(w, req) + + assert.Equal(t, http.StatusNoContent, w.Code) + assert.True(t, mock.reloadCalled) +} diff --git a/backend/internal/services/crowdsec_whitelist_service_test.go b/backend/internal/services/crowdsec_whitelist_service_test.go index 9d52016f..1d1d0cf0 100644 --- a/backend/internal/services/crowdsec_whitelist_service_test.go +++ b/backend/internal/services/crowdsec_whitelist_service_test.go @@ -177,3 +177,126 @@ func TestAdd_ValidIPv6_Success(t *testing.T) { assert.Len(t, entries, 1) assert.Equal(t, "2001:db8::1", entries[0].IPOrCIDR) } + +func TestCrowdSecWhitelistService_List_DBError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + _, err = svc.List(context.Background()) + assert.Error(t, err) +} + +func TestCrowdSecWhitelistService_Add_DBCreateError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + _, err = svc.Add(context.Background(), "1.2.3.4", "test") + assert.Error(t, err) + assert.NotErrorIs(t, err, services.ErrInvalidIPOrCIDR) + assert.NotErrorIs(t, err, services.ErrDuplicateEntry) +} + +func TestCrowdSecWhitelistService_Delete_DBError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + svc := services.NewCrowdSecWhitelistService(db, "") + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + err = svc.Delete(context.Background(), "some-uuid") + assert.Error(t, err) + assert.NotErrorIs(t, err, services.ErrWhitelistNotFound) +} + +func TestCrowdSecWhitelistService_WriteYAML_DBError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + tmpDir := t.TempDir() + svc := services.NewCrowdSecWhitelistService(db, tmpDir) + sqlDB, err := db.DB() + require.NoError(t, err) + _ = sqlDB.Close() + + err = svc.WriteYAML(context.Background()) + assert.Error(t, err) + assert.Contains(t, err.Error(), "query entries") +} + +func TestCrowdSecWhitelistService_WriteYAML_MkdirError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + // Use a path under /dev/null which cannot have subdirectories + svc := services.NewCrowdSecWhitelistService(db, "/dev/null/impossible") + + err := svc.WriteYAML(context.Background()) + assert.Error(t, err) + assert.Contains(t, err.Error(), "create dir") +} + +func TestCrowdSecWhitelistService_WriteYAML_WriteFileError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + tmpDir := t.TempDir() + svc := services.NewCrowdSecWhitelistService(db, tmpDir) + + // Create a directory where the .tmp file would be written, causing WriteFile to fail + dir := filepath.Join(tmpDir, "config", "parsers", "s02-enrich") + require.NoError(t, os.MkdirAll(dir, 0o750)) + tmpTarget := filepath.Join(dir, "charon-whitelist.yaml.tmp") + require.NoError(t, os.MkdirAll(tmpTarget, 0o750)) + + err := svc.WriteYAML(context.Background()) + assert.Error(t, err) + assert.Contains(t, err.Error(), "write temp") +} + +func TestCrowdSecWhitelistService_Add_WriteYAMLWarning(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + // dataDir that will cause MkdirAll to fail inside WriteYAML (non-fatal) + svc := services.NewCrowdSecWhitelistService(db, "/dev/null/impossible") + + entry, err := svc.Add(context.Background(), "2.2.2.2", "yaml warn test") + require.NoError(t, err) + assert.Equal(t, "2.2.2.2", entry.IPOrCIDR) +} + +func TestCrowdSecWhitelistService_Delete_WriteYAMLWarning(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + // First add with empty dataDir so it succeeds + svcAdd := services.NewCrowdSecWhitelistService(db, "") + entry, err := svcAdd.Add(context.Background(), "3.3.3.3", "to delete") + require.NoError(t, err) + + // Now create a service with a broken dataDir and delete + svcDel := services.NewCrowdSecWhitelistService(db, "/dev/null/impossible") + err = svcDel.Delete(context.Background(), entry.UUID) + require.NoError(t, err) +} + +func TestCrowdSecWhitelistService_WriteYAML_RenameError(t *testing.T) { + t.Parallel() + db := openWhitelistTestDB(t) + tmpDir := t.TempDir() + svc := services.NewCrowdSecWhitelistService(db, tmpDir) + + // Create target as a directory so rename (atomic replace) fails + dir := filepath.Join(tmpDir, "config", "parsers", "s02-enrich") + require.NoError(t, os.MkdirAll(dir, 0o750)) + target := filepath.Join(dir, "charon-whitelist.yaml") + require.NoError(t, os.MkdirAll(target, 0o750)) + + err := svc.WriteYAML(context.Background()) + assert.Error(t, err) + assert.Contains(t, err.Error(), "rename") +} From c46c1976a2673fc68db88858c942f9b4e0bc6a5a Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 23:52:39 +0000 Subject: [PATCH 26/44] fix: update typescript to version 6.0.3 for improved functionality and security --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 1b6667fd..d2f1ec3a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -4014,9 +4014,9 @@ } }, "node_modules/typescript": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz", - "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==", + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz", + "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==", "dev": true, "license": "Apache-2.0", "bin": { From 1af786e7c8653a657bc10fe5af643ef31abf7832 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Thu, 16 Apr 2026 23:53:11 +0000 Subject: [PATCH 27/44] fix: update eslint-plugin-react-hooks and typescript to latest versions for improved compatibility --- frontend/package-lock.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/frontend/package-lock.json b/frontend/package-lock.json index 7be02a23..5154fe88 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -6313,9 +6313,9 @@ } }, "node_modules/eslint-plugin-react-hooks": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-7.0.1.tgz", - "integrity": "sha512-O0d0m04evaNzEPoSW+59Mezf8Qt0InfgGIBJnpC0h3NH/WjUAR7BIKUfysC6todmtiZ/A0oUVS8Gce0WhBrHsA==", + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-7.1.0.tgz", + "integrity": "sha512-LDicyhrRFrIaheDYryeM2W8gWyZXnAs4zIr2WVPiOSeTmIu2RjR4x/9N0xLaRWZ+9hssBDGo3AadcohuzAvSvg==", "dev": true, "license": "MIT", "dependencies": { @@ -6329,7 +6329,7 @@ "node": ">=18" }, "peerDependencies": { - "eslint": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0-0 || ^9.0.0" + "eslint": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0-0 || ^9.0.0 || ^10.0.0" } }, "node_modules/eslint-plugin-react-hooks/node_modules/zod-validation-error": { @@ -11286,9 +11286,9 @@ } }, "node_modules/typescript": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.2.tgz", - "integrity": "sha512-bGdAIrZ0wiGDo5l8c++HWtbaNCWTS4UTv7RaTH/ThVIgjkveJt83m74bBHMJkuCbslY8ixgLBVZJIOiQlQTjfQ==", + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz", + "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==", "devOptional": true, "license": "Apache-2.0", "bin": { From aa6c751007b40b6009d428f7e2b844a2c3b35090 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 17 Apr 2026 20:39:46 +0000 Subject: [PATCH 28/44] fix(deps): update non-major-updates --- Dockerfile | 10 +++++----- frontend/package-lock.json | 34 +++++++++++++++++----------------- frontend/package.json | 16 ++++++++-------- package-lock.json | 2 +- package.json | 2 +- 5 files changed, 32 insertions(+), 32 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4a188937..63a096bd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -92,7 +92,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ # ---- Frontend Builder ---- # Build the frontend using the BUILDPLATFORM to avoid arm64 musl Rollup native issues # renovate: datasource=docker depName=node -FROM --platform=$BUILDPLATFORM node:24.14.1-alpine@sha256:8510330d3eb72c804231a834b1a8ebb55cb3796c3e4431297a24d246b8add4d5 AS frontend-builder +FROM --platform=$BUILDPLATFORM node:24.15.0-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f AS frontend-builder WORKDIR /app/frontend # Copy frontend package files @@ -386,13 +386,13 @@ RUN go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION} && \ go get github.com/jackc/pgx/v4@v4.18.3 && \ # GHSA-xmrv-pmrh-hhx2: AWS SDK v2 event stream injection # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream - go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@v1.7.8 && \ + go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@v1.7.9 && \ # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs - go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@v1.68.0 && \ + go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@v1.69.1 && \ # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/service/kinesis - go get github.com/aws/aws-sdk-go-v2/service/kinesis@v1.43.5 && \ + go get github.com/aws/aws-sdk-go-v2/service/kinesis@v1.43.6 && \ # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/service/s3 - go get github.com/aws/aws-sdk-go-v2/service/s3@v1.99.0 && \ + go get github.com/aws/aws-sdk-go-v2/service/s3@v1.99.1 && \ go mod tidy # Fix compatibility issues with expr-lang v1.17.7 diff --git a/frontend/package-lock.json b/frontend/package-lock.json index 5154fe88..b19d120d 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -26,7 +26,7 @@ "react-dom": "^19.2.5", "react-hook-form": "^7.72.1", "react-hot-toast": "^2.6.0", - "react-i18next": "^17.0.3", + "react-i18next": "^17.0.4", "react-router-dom": "^7.14.1", "recharts": "^3.8.1", "tailwind-merge": "^3.5.0", @@ -55,14 +55,14 @@ "@vitest/eslint-plugin": "^1.6.16", "@vitest/ui": "^4.1.4", "autoprefixer": "^10.5.0", - "eslint": "^10.2.0", + "eslint": "^10.2.1", "eslint-import-resolver-typescript": "^4.4.4", "eslint-plugin-import-x": "^4.16.2", "eslint-plugin-jsx-a11y": "^6.10.2", "eslint-plugin-no-unsanitized": "^4.1.5", "eslint-plugin-promise": "^7.2.1", "eslint-plugin-react-compiler": "^19.1.0-rc.2", - "eslint-plugin-react-hooks": "^7.0.1", + "eslint-plugin-react-hooks": "^7.1.1", "eslint-plugin-react-refresh": "^0.5.2", "eslint-plugin-security": "^4.0.0", "eslint-plugin-sonarjs": "^4.0.3", @@ -73,7 +73,7 @@ "knip": "^6.4.1", "postcss": "^8.5.10", "tailwindcss": "^4.2.2", - "typescript": "^6.0.2", + "typescript": "^6.0.3", "typescript-eslint": "^8.58.2", "vite": "^8.0.8", "vitest": "^4.1.4", @@ -6015,18 +6015,18 @@ } }, "node_modules/eslint": { - "version": "10.2.0", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.2.0.tgz", - "integrity": "sha512-+L0vBFYGIpSNIt/KWTpFonPrqYvgKw1eUI5Vn7mEogrQcWtWYtNQ7dNqC+px/J0idT3BAkiWrhfS7k+Tum8TUA==", + "version": "10.2.1", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.2.1.tgz", + "integrity": "sha512-wiyGaKsDgqXvF40P8mDwiUp/KQjE1FdrIEJsM8PZ3XCiniTMXS3OHWWUe5FI5agoCnr8x4xPrTDZuxsBlNHl+Q==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/eslint-utils": "^4.8.0", "@eslint-community/regexpp": "^4.12.2", - "@eslint/config-array": "^0.23.4", - "@eslint/config-helpers": "^0.5.4", - "@eslint/core": "^1.2.0", - "@eslint/plugin-kit": "^0.7.0", + "@eslint/config-array": "^0.23.5", + "@eslint/config-helpers": "^0.5.5", + "@eslint/core": "^1.2.1", + "@eslint/plugin-kit": "^0.7.1", "@humanfs/node": "^0.16.6", "@humanwhocodes/module-importer": "^1.0.1", "@humanwhocodes/retry": "^0.4.2", @@ -6313,9 +6313,9 @@ } }, "node_modules/eslint-plugin-react-hooks": { - "version": "7.1.0", - "resolved": "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-7.1.0.tgz", - "integrity": "sha512-LDicyhrRFrIaheDYryeM2W8gWyZXnAs4zIr2WVPiOSeTmIu2RjR4x/9N0xLaRWZ+9hssBDGo3AadcohuzAvSvg==", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-7.1.1.tgz", + "integrity": "sha512-f2I7Gw6JbvCexzIInuSbZpfdQ44D7iqdWX01FKLvrPgqxoE7oMj8clOfto8U6vYiz4yd5oKu39rRSVOe1zRu0g==", "dev": true, "license": "MIT", "dependencies": { @@ -10097,9 +10097,9 @@ } }, "node_modules/react-i18next": { - "version": "17.0.3", - "resolved": "https://registry.npmjs.org/react-i18next/-/react-i18next-17.0.3.tgz", - "integrity": "sha512-x4xjvUNZ56T+zfXWNedNnCET9Xq1IBYWX7IsWo5cCQ/RT+Rm7GWqt0h9PShFi4IhyMnsdiu1C6Jc4DE+/S3PFQ==", + "version": "17.0.4", + "resolved": "https://registry.npmjs.org/react-i18next/-/react-i18next-17.0.4.tgz", + "integrity": "sha512-hQipmK4EF0y6RO6tt6WuqnmWpWYEXmQUUzecmMBuNsIgYd3smXcG4GtYPWhvgxn0pqMOItKlEO8H24HCs5hc3g==", "license": "MIT", "dependencies": { "@babel/runtime": "^7.29.2", diff --git a/frontend/package.json b/frontend/package.json index de584438..d6112bb1 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -45,7 +45,7 @@ "react-dom": "^19.2.5", "react-hook-form": "^7.72.1", "react-hot-toast": "^2.6.0", - "react-i18next": "^17.0.3", + "react-i18next": "^17.0.4", "react-router-dom": "^7.14.1", "recharts": "^3.8.1", "tailwind-merge": "^3.5.0", @@ -74,14 +74,14 @@ "@vitest/eslint-plugin": "^1.6.16", "@vitest/ui": "^4.1.4", "autoprefixer": "^10.5.0", - "eslint": "^10.2.0", + "eslint": "^10.2.1", "eslint-import-resolver-typescript": "^4.4.4", "eslint-plugin-import-x": "^4.16.2", "eslint-plugin-jsx-a11y": "^6.10.2", "eslint-plugin-no-unsanitized": "^4.1.5", "eslint-plugin-promise": "^7.2.1", "eslint-plugin-react-compiler": "^19.1.0-rc.2", - "eslint-plugin-react-hooks": "^7.0.1", + "eslint-plugin-react-hooks": "^7.1.1", "eslint-plugin-react-refresh": "^0.5.2", "eslint-plugin-security": "^4.0.0", "eslint-plugin-sonarjs": "^4.0.3", @@ -92,22 +92,22 @@ "knip": "^6.4.1", "postcss": "^8.5.10", "tailwindcss": "^4.2.2", - "typescript": "^6.0.2", + "typescript": "^6.0.3", "typescript-eslint": "^8.58.2", "vite": "^8.0.8", "vitest": "^4.1.4", "zod-validation-error": "^5.0.0" }, "overrides": { - "typescript": "^6.0.2", + "typescript": "^6.0.3", "eslint-plugin-react-hooks": { - "eslint": "^10.2.0" + "eslint": "^10.2.1" }, "eslint-plugin-jsx-a11y": { - "eslint": "^10.2.0" + "eslint": "^10.2.1" }, "eslint-plugin-promise": { - "eslint": "^10.2.0" + "eslint": "^10.2.1" }, "@vitejs/plugin-react": { "vite": "8.0.8" diff --git a/package-lock.json b/package-lock.json index d2f1ec3a..664c8ea8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -19,7 +19,7 @@ "prettier": "^3.8.3", "prettier-plugin-tailwindcss": "^0.7.2", "tar": "^7.5.13", - "typescript": "^6.0.2", + "typescript": "^6.0.3", "vite": "^8.0.8", "vitest": "^4.1.4" } diff --git a/package.json b/package.json index ca48fa3f..a6ef2ac1 100644 --- a/package.json +++ b/package.json @@ -27,7 +27,7 @@ "prettier": "^3.8.3", "prettier-plugin-tailwindcss": "^0.7.2", "tar": "^7.5.13", - "typescript": "^6.0.2", + "typescript": "^6.0.3", "vite": "^8.0.8", "vitest": "^4.1.4" } From d73b3aee5c5edc416cdb8c2910ff002eb50c6e36 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Sat, 18 Apr 2026 01:34:43 +0000 Subject: [PATCH 29/44] fix(deps): update @humanfs/core and @humanfs/node to latest versions and add @humanfs/types dependency --- package-lock.json | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/package-lock.json b/package-lock.json index 664c8ea8..a5deda4f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -231,29 +231,43 @@ } }, "node_modules/@humanfs/core": { - "version": "0.19.1", - "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz", - "integrity": "sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==", + "version": "0.19.2", + "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.2.tgz", + "integrity": "sha512-UhXNm+CFMWcbChXywFwkmhqjs3PRCmcSa/hfBgLIb7oQ5HNb1wS0icWsGtSAUNgefHeI+eBrA8I1fxmbHsGdvA==", "dev": true, "license": "Apache-2.0", + "dependencies": { + "@humanfs/types": "^0.15.0" + }, "engines": { "node": ">=18.18.0" } }, "node_modules/@humanfs/node": { - "version": "0.16.7", - "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.7.tgz", - "integrity": "sha512-/zUx+yOsIrG4Y43Eh2peDeKCxlRt/gET6aHfaKpuq267qXdYDFViVHfMaLyygZOnl0kGWxFIgsBy8QFuTLUXEQ==", + "version": "0.16.8", + "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.8.tgz", + "integrity": "sha512-gE1eQNZ3R++kTzFUpdGlpmy8kDZD/MLyHqDwqjkVQI0JMdI1D51sy1H958PNXYkM2rAac7e5/CnIKZrHtPh3BQ==", "dev": true, "license": "Apache-2.0", "dependencies": { - "@humanfs/core": "^0.19.1", + "@humanfs/core": "^0.19.2", + "@humanfs/types": "^0.15.0", "@humanwhocodes/retry": "^0.4.0" }, "engines": { "node": ">=18.18.0" } }, + "node_modules/@humanfs/types": { + "version": "0.15.0", + "resolved": "https://registry.npmjs.org/@humanfs/types/-/types-0.15.0.tgz", + "integrity": "sha512-ZZ1w0aoQkwuUuC7Yf+7sdeaNfqQiiLcSRbfI08oAxqLtpXQr9AIVX7Ay7HLDuiLYAaFPu8oBYNq/QIi9URHJ3Q==", + "dev": true, + "license": "Apache-2.0", + "engines": { + "node": ">=18.18.0" + } + }, "node_modules/@humanwhocodes/module-importer": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz", From c02219cc92b357932fb5d2a04da8afb75466347e Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Sat, 18 Apr 2026 01:35:43 +0000 Subject: [PATCH 30/44] fix(deps): update @asamuzakjp/dom-selector, @humanfs/core, @humanfs/node, and hasown to latest versions; add @humanfs/types dependency --- frontend/package-lock.json | 46 +++++++++++++++++++++++++------------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/frontend/package-lock.json b/frontend/package-lock.json index b19d120d..bf34991f 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -118,9 +118,9 @@ } }, "node_modules/@asamuzakjp/dom-selector": { - "version": "7.0.10", - "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.0.10.tgz", - "integrity": "sha512-KyOb19eytNSELkmdqzZZUXWCU25byIlOld5qVFg0RYdS0T3tt7jeDByxk9hIAC73frclD8GKrHttr0SUjKCCdQ==", + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.1.0.tgz", + "integrity": "sha512-ASf825+5vsGuYWoyFyNsex2mNtPTXpCvYTR942+w/eNw7PqS0Lhl/PE1hC7bajneI3m/Oxi+yrP3vTOPxfwM8A==", "dev": true, "license": "MIT", "dependencies": { @@ -1114,29 +1114,43 @@ "license": "MIT" }, "node_modules/@humanfs/core": { - "version": "0.19.1", - "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz", - "integrity": "sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==", + "version": "0.19.2", + "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.2.tgz", + "integrity": "sha512-UhXNm+CFMWcbChXywFwkmhqjs3PRCmcSa/hfBgLIb7oQ5HNb1wS0icWsGtSAUNgefHeI+eBrA8I1fxmbHsGdvA==", "dev": true, "license": "Apache-2.0", + "dependencies": { + "@humanfs/types": "^0.15.0" + }, "engines": { "node": ">=18.18.0" } }, "node_modules/@humanfs/node": { - "version": "0.16.7", - "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.7.tgz", - "integrity": "sha512-/zUx+yOsIrG4Y43Eh2peDeKCxlRt/gET6aHfaKpuq267qXdYDFViVHfMaLyygZOnl0kGWxFIgsBy8QFuTLUXEQ==", + "version": "0.16.8", + "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.8.tgz", + "integrity": "sha512-gE1eQNZ3R++kTzFUpdGlpmy8kDZD/MLyHqDwqjkVQI0JMdI1D51sy1H958PNXYkM2rAac7e5/CnIKZrHtPh3BQ==", "dev": true, "license": "Apache-2.0", "dependencies": { - "@humanfs/core": "^0.19.1", + "@humanfs/core": "^0.19.2", + "@humanfs/types": "^0.15.0", "@humanwhocodes/retry": "^0.4.0" }, "engines": { "node": ">=18.18.0" } }, + "node_modules/@humanfs/types": { + "version": "0.15.0", + "resolved": "https://registry.npmjs.org/@humanfs/types/-/types-0.15.0.tgz", + "integrity": "sha512-ZZ1w0aoQkwuUuC7Yf+7sdeaNfqQiiLcSRbfI08oAxqLtpXQr9AIVX7Ay7HLDuiLYAaFPu8oBYNq/QIi9URHJ3Q==", + "dev": true, + "license": "Apache-2.0", + "engines": { + "node": ">=18.18.0" + } + }, "node_modules/@humanwhocodes/module-importer": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz", @@ -5789,9 +5803,9 @@ } }, "node_modules/electron-to-chromium": { - "version": "1.5.339", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.339.tgz", - "integrity": "sha512-Is+0BBHJ4NrdpAYiperrmp53pLywG/yV/6lIMTAnhxvzj/Cmn5Q/ogSHC6AKe7X+8kPLxxFk0cs5oc/3j/fxIg==", + "version": "1.5.340", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.340.tgz", + "integrity": "sha512-908qahOGocRMinT2nM3ajCEM99H4iPdv84eagPP3FfZy/1ZGeOy2CZYzjhms81ckOPCXPlW7LkY4XpxD8r1DrA==", "dev": true, "license": "ISC" }, @@ -7229,9 +7243,9 @@ } }, "node_modules/hasown": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", - "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz", + "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==", "license": "MIT", "dependencies": { "function-bind": "^1.1.2" From 0859ab31ab3216ca95a254dacf2e9bda5fb681ea Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Sat, 18 Apr 2026 01:36:58 +0000 Subject: [PATCH 31/44] fix(deps): update modernc.org/sqlite to version 1.49.1 for improved functionality --- backend/go.mod | 2 +- backend/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/backend/go.mod b/backend/go.mod index fadc0046..6df52c13 100644 --- a/backend/go.mod +++ b/backend/go.mod @@ -99,5 +99,5 @@ require ( modernc.org/libc v1.72.0 // indirect modernc.org/mathutil v1.7.1 // indirect modernc.org/memory v1.11.0 // indirect - modernc.org/sqlite v1.48.2 // indirect + modernc.org/sqlite v1.49.1 // indirect ) diff --git a/backend/go.sum b/backend/go.sum index aef6c54f..aa1c8e57 100644 --- a/backend/go.sum +++ b/backend/go.sum @@ -263,8 +263,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8= modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns= modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w= modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE= -modernc.org/sqlite v1.48.2 h1:5CnW4uP8joZtA0LedVqLbZV5GD7F/0x91AXeSyjoh5c= -modernc.org/sqlite v1.48.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig= +modernc.org/sqlite v1.49.1 h1:dYGHTKcX1sJ+EQDnUzvz4TJ5GbuvhNJa8Fg6ElGx73U= +modernc.org/sqlite v1.49.1/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew= modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0= modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= From f5e7c2bdfcc67aa120cb3c72b19f611d9e10375f Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Sat, 18 Apr 2026 01:39:06 +0000 Subject: [PATCH 32/44] fix(test): resolve CrowdSec card title lookup in Security test mock The Security component renders the CrowdSec card title using the nested translation key 'security.crowdsec.title', but the test mock only had the flat key 'security.crowdsec'. The mock fallback returns the key string itself when a lookup misses, causing getByText('CrowdSec') to find nothing. Added 'security.crowdsec.title' to the securityTranslations map so the mock resolves to the expected 'CrowdSec' string, matching the component's actual t() call and allowing the title assertion to pass. --- frontend/src/pages/__tests__/Security.functional.test.tsx | 1 + 1 file changed, 1 insertion(+) diff --git a/frontend/src/pages/__tests__/Security.functional.test.tsx b/frontend/src/pages/__tests__/Security.functional.test.tsx index bb385492..1b0a87c9 100644 --- a/frontend/src/pages/__tests__/Security.functional.test.tsx +++ b/frontend/src/pages/__tests__/Security.functional.test.tsx @@ -73,6 +73,7 @@ const securityTranslations: Record = { 'security.waf': 'WAF', 'security.rate': 'Rate', 'security.crowdsec': 'CrowdSec', + 'security.crowdsec.title': 'CrowdSec', 'security.crowdsecDescription': 'IP Reputation', 'security.crowdsecProtects': 'Blocks known attackers, botnets, and malicious IPs', 'security.crowdsecDisabledDescription': 'Enable to block known malicious IPs', From a3259b042d4219518f8a2d15d67e3f4d11c90204 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 19 Apr 2026 17:10:33 +0000 Subject: [PATCH 33/44] fix(deps): update non-major-updates --- .github/workflows/release-goreleaser.yml | 2 +- frontend/package-lock.json | 24 ++++++++++++------------ frontend/package.json | 4 ++-- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/release-goreleaser.yml b/.github/workflows/release-goreleaser.yml index a9fa9e16..1c07f9ee 100644 --- a/.github/workflows/release-goreleaser.yml +++ b/.github/workflows/release-goreleaser.yml @@ -75,7 +75,7 @@ jobs: - name: Run GoReleaser - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7 + uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7 with: distribution: goreleaser version: '~> v2.5' diff --git a/frontend/package-lock.json b/frontend/package-lock.json index bf34991f..260cc5a5 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -14,12 +14,12 @@ "@radix-ui/react-select": "^2.2.6", "@radix-ui/react-tabs": "^1.1.13", "@radix-ui/react-tooltip": "^1.2.8", - "@tanstack/react-query": "^5.99.0", + "@tanstack/react-query": "^5.99.2", "axios": "1.15.0", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", "date-fns": "^4.1.0", - "i18next": "^26.0.5", + "i18next": "^26.0.6", "i18next-browser-languagedetector": "^8.2.1", "lucide-react": "^1.8.0", "react": "^19.2.5", @@ -3314,9 +3314,9 @@ } }, "node_modules/@tanstack/query-core": { - "version": "5.99.0", - "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.99.0.tgz", - "integrity": "sha512-3Jv3WQG0BCcH7G+7lf/bP8QyBfJOXeY+T08Rin3GZ1bshvwlbPt7NrDHMEzGdKIOmOzvIQmxjk28YEQX60k7pQ==", + "version": "5.99.2", + "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.99.2.tgz", + "integrity": "sha512-1HunU0bXVsR1ZJMZbcOPE6VtaBJxsW809RE9xPe4Gz7MlB0GWwQvuTPhMoEmQ/hIzFKJ/DWAuttIe7BOaWx0tA==", "license": "MIT", "funding": { "type": "github", @@ -3324,12 +3324,12 @@ } }, "node_modules/@tanstack/react-query": { - "version": "5.99.0", - "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.99.0.tgz", - "integrity": "sha512-OY2bCqPemT1LlqJ8Y2CUau4KELnIhhG9Ol3ZndPbdnB095pRbPo1cHuXTndg8iIwtoHTgwZjyaDnQ0xD0mYwAw==", + "version": "5.99.2", + "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.99.2.tgz", + "integrity": "sha512-vM91UEe45QUS9ED6OklsVL15i8qKcRqNwpWzPTVWvRPRSEgDudDgHpvyTjcdlwHcrKNa80T+xXYcchT2noPnZA==", "license": "MIT", "dependencies": { - "@tanstack/query-core": "5.99.0" + "@tanstack/query-core": "5.99.2" }, "funding": { "type": "github", @@ -7301,9 +7301,9 @@ } }, "node_modules/i18next": { - "version": "26.0.5", - "resolved": "https://registry.npmjs.org/i18next/-/i18next-26.0.5.tgz", - "integrity": "sha512-9uHb4T27TdV36phJXcbpnRPt5yzAfqHXVrdASvmHZyPuZJtrLythd+GyXhiaHV5LlpuuskbAqhwPjmfTbKbi8w==", + "version": "26.0.6", + "resolved": "https://registry.npmjs.org/i18next/-/i18next-26.0.6.tgz", + "integrity": "sha512-A4U6eCXodIbrhf8EarRurB9/4ebyaurH4+fu4gig9bqxmpSt+fCAFm/GpRQDcN1Xzu/LdFCx4nYHsnM1edIIbg==", "funding": [ { "type": "individual", diff --git a/frontend/package.json b/frontend/package.json index d6112bb1..870bec74 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -33,12 +33,12 @@ "@radix-ui/react-select": "^2.2.6", "@radix-ui/react-tabs": "^1.1.13", "@radix-ui/react-tooltip": "^1.2.8", - "@tanstack/react-query": "^5.99.0", + "@tanstack/react-query": "^5.99.2", "axios": "1.15.0", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", "date-fns": "^4.1.0", - "i18next": "^26.0.5", + "i18next": "^26.0.6", "i18next-browser-languagedetector": "^8.2.1", "lucide-react": "^1.8.0", "react": "^19.2.5", From df5e69236a661992167bd0c9388f5ba6513a06ac Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Sun, 19 Apr 2026 21:03:48 +0000 Subject: [PATCH 34/44] fix(deps): update dependencies for improved stability and performance --- frontend/package-lock.json | 48 +++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/frontend/package-lock.json b/frontend/package-lock.json index bf34991f..458d1f56 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -118,9 +118,9 @@ } }, "node_modules/@asamuzakjp/dom-selector": { - "version": "7.1.0", - "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.1.0.tgz", - "integrity": "sha512-ASf825+5vsGuYWoyFyNsex2mNtPTXpCvYTR942+w/eNw7PqS0Lhl/PE1hC7bajneI3m/Oxi+yrP3vTOPxfwM8A==", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.1.1.tgz", + "integrity": "sha512-67RZDnYRc8H/8MLDgQCDE//zoqVFwajkepHZgmXrbwybzXOEwOWGPYGmALYl9J2DOLfFPPs6kKCqmbzV895hTQ==", "dev": true, "license": "MIT", "dependencies": { @@ -3314,9 +3314,9 @@ } }, "node_modules/@tanstack/query-core": { - "version": "5.99.0", - "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.99.0.tgz", - "integrity": "sha512-3Jv3WQG0BCcH7G+7lf/bP8QyBfJOXeY+T08Rin3GZ1bshvwlbPt7NrDHMEzGdKIOmOzvIQmxjk28YEQX60k7pQ==", + "version": "5.99.2", + "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.99.2.tgz", + "integrity": "sha512-1HunU0bXVsR1ZJMZbcOPE6VtaBJxsW809RE9xPe4Gz7MlB0GWwQvuTPhMoEmQ/hIzFKJ/DWAuttIe7BOaWx0tA==", "license": "MIT", "funding": { "type": "github", @@ -3324,12 +3324,12 @@ } }, "node_modules/@tanstack/react-query": { - "version": "5.99.0", - "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.99.0.tgz", - "integrity": "sha512-OY2bCqPemT1LlqJ8Y2CUau4KELnIhhG9Ol3ZndPbdnB095pRbPo1cHuXTndg8iIwtoHTgwZjyaDnQ0xD0mYwAw==", + "version": "5.99.2", + "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.99.2.tgz", + "integrity": "sha512-vM91UEe45QUS9ED6OklsVL15i8qKcRqNwpWzPTVWvRPRSEgDudDgHpvyTjcdlwHcrKNa80T+xXYcchT2noPnZA==", "license": "MIT", "dependencies": { - "@tanstack/query-core": "5.99.0" + "@tanstack/query-core": "5.99.2" }, "funding": { "type": "github", @@ -4978,9 +4978,9 @@ } }, "node_modules/baseline-browser-mapping": { - "version": "2.10.19", - "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.19.tgz", - "integrity": "sha512-qCkNLi2sfBOn8XhZQ0FXsT1Ki/Yo5P90hrkRamVFRS7/KV9hpfA4HkoWNU152+8w0zPjnxo5psx5NL3PSGgv5g==", + "version": "2.10.20", + "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.20.tgz", + "integrity": "sha512-1AaXxEPfXT+GvTBJFuy4yXVHWJBXa4OdbIebGN/wX5DlsIkU0+wzGnd2lOzokSk51d5LUmqjgBLRLlypLUqInQ==", "dev": true, "license": "Apache-2.0", "bin": { @@ -5831,13 +5831,13 @@ } }, "node_modules/entities": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/entities/-/entities-6.0.1.tgz", - "integrity": "sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g==", + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/entities/-/entities-8.0.0.tgz", + "integrity": "sha512-zwfzJecQ/Uej6tusMqwAqU/6KL2XaB2VZ2Jg54Je6ahNBGNH6Ek6g3jjNCF0fG9EWQKGZNddNjU5F1ZQn/sBnA==", "dev": true, "license": "BSD-2-Clause", "engines": { - "node": ">=0.12" + "node": ">=20.19.0" }, "funding": { "url": "https://github.com/fb55/entities?sponsor=1" @@ -7301,9 +7301,9 @@ } }, "node_modules/i18next": { - "version": "26.0.5", - "resolved": "https://registry.npmjs.org/i18next/-/i18next-26.0.5.tgz", - "integrity": "sha512-9uHb4T27TdV36phJXcbpnRPt5yzAfqHXVrdASvmHZyPuZJtrLythd+GyXhiaHV5LlpuuskbAqhwPjmfTbKbi8w==", + "version": "26.0.6", + "resolved": "https://registry.npmjs.org/i18next/-/i18next-26.0.6.tgz", + "integrity": "sha512-A4U6eCXodIbrhf8EarRurB9/4ebyaurH4+fu4gig9bqxmpSt+fCAFm/GpRQDcN1Xzu/LdFCx4nYHsnM1edIIbg==", "funding": [ { "type": "individual", @@ -9843,13 +9843,13 @@ } }, "node_modules/parse5": { - "version": "8.0.0", - "resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.0.tgz", - "integrity": "sha512-9m4m5GSgXjL4AjumKzq1Fgfp3Z8rsvjRNbnkVwfu2ImRqE5D0LnY2QfDen18FSY9C573YU5XxSapdHZTZ2WolA==", + "version": "8.0.1", + "resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.1.tgz", + "integrity": "sha512-z1e/HMG90obSGeidlli3hj7cbocou0/wa5HacvI3ASx34PecNjNQeaHNo5WIZpWofN9kgkqV1q5YvXe3F0FoPw==", "dev": true, "license": "MIT", "dependencies": { - "entities": "^6.0.0" + "entities": "^8.0.0" }, "funding": { "url": "https://github.com/inikulin/parse5?sponsor=1" From db1e77ceb3ff4db30fa447a08f5009a63ed53c2d Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Sun, 19 Apr 2026 21:08:26 +0000 Subject: [PATCH 35/44] test(coverage): cover all modified lines for 100% patch coverage vs origin/main - Add domains field to certificate mock to exercise per-domain loop in Dashboard component, covering the previously untested branch - Extend CrowdSec whitelist test suite with backdrop-click close test to cover the dialog dismissal handler - Remove duplicate describe blocks introduced when whitelist API tests were appended to crowdsec.test.ts, resolving ESLint vitest/no-identical-title errors that were blocking pre-commit hooks --- frontend/src/api/__tests__/crowdsec.test.ts | 122 +++++++ .../CrowdSecConfig.whitelist.test.tsx | 321 ++++++++++++++++++ .../src/pages/__tests__/Dashboard.test.tsx | 3 +- 3 files changed, 445 insertions(+), 1 deletion(-) create mode 100644 frontend/src/pages/__tests__/CrowdSecConfig.whitelist.test.tsx diff --git a/frontend/src/api/__tests__/crowdsec.test.ts b/frontend/src/api/__tests__/crowdsec.test.ts index 38e46d4a..70de8ba4 100644 --- a/frontend/src/api/__tests__/crowdsec.test.ts +++ b/frontend/src/api/__tests__/crowdsec.test.ts @@ -116,6 +116,120 @@ describe('crowdsec API', () => { }) }) + describe('listCrowdsecDecisions', () => { + it('should call GET /admin/crowdsec/decisions and return data', async () => { + const mockData = { + decisions: [ + { id: '1', ip: '1.2.3.4', reason: 'bot', duration: '24h', created_at: '2024-01-01T00:00:00Z', source: 'crowdsec' }, + ], + } + vi.mocked(client.get).mockResolvedValue({ data: mockData }) + + const result = await crowdsec.listCrowdsecDecisions() + + expect(client.get).toHaveBeenCalledWith('/admin/crowdsec/decisions') + expect(result).toEqual(mockData) + }) + }) + + describe('banIP', () => { + it('should call POST /admin/crowdsec/ban with ip, duration, and reason', async () => { + vi.mocked(client.post).mockResolvedValue({}) + + await crowdsec.banIP('1.2.3.4', '24h', 'manual ban') + + expect(client.post).toHaveBeenCalledWith('/admin/crowdsec/ban', { + ip: '1.2.3.4', + duration: '24h', + reason: 'manual ban', + }) + }) + }) + + describe('unbanIP', () => { + it('should call DELETE /admin/crowdsec/ban/{encoded ip}', async () => { + vi.mocked(client.delete).mockResolvedValue({}) + + await crowdsec.unbanIP('1.2.3.4') + + expect(client.delete).toHaveBeenCalledWith('/admin/crowdsec/ban/1.2.3.4') + }) + + it('should URL-encode special characters in the IP', async () => { + vi.mocked(client.delete).mockResolvedValue({}) + + await crowdsec.unbanIP('::1') + + expect(client.delete).toHaveBeenCalledWith('/admin/crowdsec/ban/%3A%3A1') + }) + }) + + describe('getCrowdsecKeyStatus', () => { + it('should call GET /admin/crowdsec/key-status and return data', async () => { + const mockData = { + key_source: 'file' as const, + env_key_rejected: false, + current_key_preview: 'abc***xyz', + message: 'Key loaded from file', + } + vi.mocked(client.get).mockResolvedValue({ data: mockData }) + + const result = await crowdsec.getCrowdsecKeyStatus() + + expect(client.get).toHaveBeenCalledWith('/admin/crowdsec/key-status') + expect(result).toEqual(mockData) + }) + }) + + describe('listWhitelists', () => { + it('should call GET /admin/crowdsec/whitelist and return the whitelist array', async () => { + const mockWhitelist = [ + { + uuid: 'uuid-1', + ip_or_cidr: '192.168.1.1', + reason: 'Home', + created_at: '2024-01-01T00:00:00Z', + updated_at: '2024-01-01T00:00:00Z', + }, + ] + vi.mocked(client.get).mockResolvedValue({ data: { whitelist: mockWhitelist } }) + + const result = await crowdsec.listWhitelists() + + expect(client.get).toHaveBeenCalledWith('/admin/crowdsec/whitelist') + expect(result).toEqual(mockWhitelist) + }) + }) + + describe('addWhitelist', () => { + it('should call POST /admin/crowdsec/whitelist and return the created entry', async () => { + const payload = { ip_or_cidr: '192.168.1.1', reason: 'Home' } + const mockEntry = { + uuid: 'uuid-1', + ip_or_cidr: '192.168.1.1', + reason: 'Home', + created_at: '2024-01-01T00:00:00Z', + updated_at: '2024-01-01T00:00:00Z', + } + vi.mocked(client.post).mockResolvedValue({ data: mockEntry }) + + const result = await crowdsec.addWhitelist(payload) + + expect(client.post).toHaveBeenCalledWith('/admin/crowdsec/whitelist', payload) + expect(result).toEqual(mockEntry) + }) + }) + + describe('deleteWhitelist', () => { + it('should call DELETE /admin/crowdsec/whitelist/{uuid}', async () => { + vi.mocked(client.delete).mockResolvedValue({}) + + await crowdsec.deleteWhitelist('uuid-1') + + expect(client.delete).toHaveBeenCalledWith('/admin/crowdsec/whitelist/uuid-1') + }) + }) + describe('default export', () => { it('should export all functions', () => { expect(crowdsec.default).toHaveProperty('startCrowdsec') @@ -126,6 +240,14 @@ describe('crowdsec API', () => { expect(crowdsec.default).toHaveProperty('listCrowdsecFiles') expect(crowdsec.default).toHaveProperty('readCrowdsecFile') expect(crowdsec.default).toHaveProperty('writeCrowdsecFile') + expect(crowdsec.default).toHaveProperty('listCrowdsecDecisions') + expect(crowdsec.default).toHaveProperty('banIP') + expect(crowdsec.default).toHaveProperty('unbanIP') + expect(crowdsec.default).toHaveProperty('getCrowdsecKeyStatus') + expect(crowdsec.default).toHaveProperty('listWhitelists') + expect(crowdsec.default).toHaveProperty('addWhitelist') + expect(crowdsec.default).toHaveProperty('deleteWhitelist') }) }) + }) diff --git a/frontend/src/pages/__tests__/CrowdSecConfig.whitelist.test.tsx b/frontend/src/pages/__tests__/CrowdSecConfig.whitelist.test.tsx new file mode 100644 index 00000000..003d7b27 --- /dev/null +++ b/frontend/src/pages/__tests__/CrowdSecConfig.whitelist.test.tsx @@ -0,0 +1,321 @@ +import { screen, waitFor } from '@testing-library/react' +import userEvent from '@testing-library/user-event' +import { AxiosError } from 'axios' +import { describe, it, expect, vi, beforeEach } from 'vitest' + +import * as backupsApi from '../../api/backups' +import * as crowdsecApi from '../../api/crowdsec' +import * as featureFlagsApi from '../../api/featureFlags' +import * as presetsApi from '../../api/presets' +import * as securityApi from '../../api/security' +import * as settingsApi from '../../api/settings' +import * as systemApi from '../../api/system' +import { renderWithQueryClient } from '../../test-utils/renderWithQueryClient' +import { toast } from '../../utils/toast' +import CrowdSecConfig from '../CrowdSecConfig' + +vi.mock('../../api/security') +vi.mock('../../api/crowdsec') +vi.mock('../../api/presets') +vi.mock('../../api/backups') +vi.mock('../../api/settings') +vi.mock('../../api/featureFlags') +vi.mock('../../api/system') +vi.mock('../../hooks/useConsoleEnrollment', () => ({ + useConsoleStatus: vi.fn(() => ({ + data: { + status: 'not_enrolled', + key_present: false, + last_error: null, + last_attempt_at: null, + enrolled_at: null, + last_heartbeat_at: null, + correlation_id: 'corr-1', + tenant: 'default', + agent_name: 'charon-agent', + }, + isLoading: false, + isRefetching: false, + })), + useEnrollConsole: vi.fn(() => ({ + mutateAsync: vi.fn().mockResolvedValue({ status: 'enrolling', key_present: false }), + isPending: false, + })), + useClearConsoleEnrollment: vi.fn(() => ({ mutate: vi.fn(), isPending: false })), +})) +vi.mock('../../components/CrowdSecBouncerKeyDisplay', () => ({ + CrowdSecBouncerKeyDisplay: () => null, +})) +vi.mock('../../utils/crowdsecExport', () => ({ + buildCrowdsecExportFilename: vi.fn(() => 'crowdsec-default.tar.gz'), + promptCrowdsecFilename: vi.fn(() => 'crowdsec.tar.gz'), + downloadCrowdsecExport: vi.fn(), +})) +vi.mock('../../utils/toast', () => ({ + toast: { success: vi.fn(), error: vi.fn(), info: vi.fn() }, +})) + +// The i18n mock in test setup returns the translation key when no translation is found. +// These constants keep assertions in sync with what the component actually renders. +const TAB_WHITELIST = 'crowdsecConfig.whitelist.tabLabel' +const MODAL_TITLE = 'crowdsecConfig.whitelist.deleteModal.title' +const BTN_REMOVE = 'crowdsecConfig.whitelist.deleteModal.submit' + +const baseStatus = { + cerberus: { enabled: true }, + crowdsec: { enabled: true, mode: 'local' as const, api_url: '' }, + waf: { enabled: true, mode: 'enabled' as const }, + rate_limit: { enabled: true }, + acl: { enabled: true }, +} + +const axiosError = (status: number, message: string, data?: Record) => + new AxiosError(message, undefined, undefined, undefined, { + status, + statusText: String(status), + headers: {}, + config: {}, + data: data ?? { error: message }, + } as never) + +const mockWhitelistEntries = [ + { + uuid: 'uuid-1', + ip_or_cidr: '192.168.1.1', + reason: 'Home IP', + created_at: '2024-01-01T00:00:00Z', + updated_at: '2024-01-01T00:00:00Z', + }, + { + uuid: 'uuid-2', + ip_or_cidr: '10.0.0.0/8', + reason: 'LAN', + created_at: '2024-01-02T00:00:00Z', + updated_at: '2024-01-02T00:00:00Z', + }, +] + +const renderPage = async () => { + renderWithQueryClient() + await waitFor(() => screen.getByText('CrowdSec Configuration')) +} + +const goToWhitelistTab = async () => { + await userEvent.click(screen.getByRole('tab', { name: TAB_WHITELIST })) + await waitFor(() => screen.getByTestId('whitelist-ip-input')) +} + +describe('CrowdSecConfig – whitelist tab', () => { + beforeEach(() => { + vi.clearAllMocks() + vi.mocked(securityApi.getSecurityStatus).mockResolvedValue(baseStatus) + vi.mocked(crowdsecApi.statusCrowdsec).mockResolvedValue({ running: true, pid: 123, lapi_ready: true }) + vi.mocked(crowdsecApi.listCrowdsecFiles).mockResolvedValue({ files: ['acquis.yaml'] }) + vi.mocked(crowdsecApi.readCrowdsecFile).mockResolvedValue({ content: '' }) + vi.mocked(crowdsecApi.writeCrowdsecFile).mockResolvedValue(undefined) + vi.mocked(crowdsecApi.listCrowdsecDecisions).mockResolvedValue({ decisions: [] }) + vi.mocked(crowdsecApi.banIP).mockResolvedValue(undefined) + vi.mocked(crowdsecApi.unbanIP).mockResolvedValue(undefined) + vi.mocked(crowdsecApi.exportCrowdsecConfig).mockResolvedValue(new Blob(['data'])) + vi.mocked(crowdsecApi.importCrowdsecConfig).mockResolvedValue(undefined) + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue([]) + vi.mocked(crowdsecApi.addWhitelist).mockResolvedValue({ + uuid: 'uuid-new', + ip_or_cidr: '1.2.3.4', + reason: '', + created_at: '', + updated_at: '', + }) + vi.mocked(crowdsecApi.deleteWhitelist).mockResolvedValue(undefined) + vi.mocked(presetsApi.listCrowdsecPresets).mockResolvedValue({ presets: [] }) + vi.mocked(presetsApi.pullCrowdsecPreset).mockResolvedValue({ + status: 'pulled', + slug: '', + preview: '', + cache_key: '', + etag: '', + retrieved_at: '', + source: 'hub', + }) + vi.mocked(presetsApi.applyCrowdsecPreset).mockResolvedValue({ + status: 'applied', + backup: '', + reload_hint: false, + used_cscli: false, + cache_key: '', + slug: '', + }) + vi.mocked(presetsApi.getCrowdsecPresetCache).mockResolvedValue({ + preview: '', + cache_key: '', + etag: '', + }) + vi.mocked(backupsApi.createBackup).mockResolvedValue({ filename: 'backup.tar.gz' }) + vi.mocked(settingsApi.updateSetting).mockResolvedValue() + vi.mocked(featureFlagsApi.getFeatureFlags).mockResolvedValue({ + 'feature.crowdsec.console_enrollment': false, + }) + vi.mocked(systemApi.getMyIP).mockResolvedValue({ ip: '203.0.113.1', source: 'cloudflare' }) + }) + + it('shows whitelist tab trigger in local mode', async () => { + await renderPage() + expect(screen.getByRole('tab', { name: TAB_WHITELIST })).toBeInTheDocument() + }) + + it('does not show whitelist tab in disabled mode', async () => { + vi.mocked(securityApi.getSecurityStatus).mockResolvedValue({ + ...baseStatus, + crowdsec: { enabled: true, mode: 'disabled' as const, api_url: '' }, + }) + await renderPage() + expect(screen.queryByRole('tab', { name: TAB_WHITELIST })).not.toBeInTheDocument() + }) + + it('shows empty state when there are no whitelist entries', async () => { + await renderPage() + await goToWhitelistTab() + expect(screen.getByTestId('whitelist-empty')).toBeInTheDocument() + }) + + it('renders whitelist entries in the table', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + expect(await screen.findByText('192.168.1.1')).toBeInTheDocument() + expect(screen.getByText('10.0.0.0/8')).toBeInTheDocument() + expect(screen.getByText('Home IP')).toBeInTheDocument() + expect(screen.getByText('LAN')).toBeInTheDocument() + }) + + it('submits a new whitelist entry', async () => { + await renderPage() + await goToWhitelistTab() + await userEvent.type(screen.getByTestId('whitelist-ip-input'), '1.2.3.4') + await userEvent.type(screen.getByTestId('whitelist-reason-input'), 'Test reason') + await userEvent.click(screen.getByTestId('whitelist-add-btn')) + await waitFor(() => + expect(crowdsecApi.addWhitelist).toHaveBeenCalledWith({ + ip_or_cidr: '1.2.3.4', + reason: 'Test reason', + }), + ) + }) + + it('shows add-whitelist loading overlay while mutation is pending', async () => { + let resolveAdd!: (v: (typeof mockWhitelistEntries)[0]) => void + vi.mocked(crowdsecApi.addWhitelist).mockImplementationOnce( + () => + new Promise((resolve) => { + resolveAdd = resolve + }), + ) + await renderPage() + await goToWhitelistTab() + await userEvent.type(screen.getByTestId('whitelist-ip-input'), '1.2.3.4') + await userEvent.click(screen.getByTestId('whitelist-add-btn')) + await waitFor(() => expect(screen.getByText('Adding IP to whitelist')).toBeInTheDocument()) + resolveAdd(mockWhitelistEntries[0]) + }) + + it('displays inline error when adding a whitelist entry fails', async () => { + vi.mocked(crowdsecApi.addWhitelist).mockRejectedValueOnce( + axiosError(400, 'Invalid IP', { error: 'bad ip format' }), + ) + await renderPage() + await goToWhitelistTab() + await userEvent.type(screen.getByTestId('whitelist-ip-input'), 'bad-ip') + await userEvent.click(screen.getByTestId('whitelist-add-btn')) + await waitFor(() => expect(screen.getByTestId('whitelist-ip-error')).toBeInTheDocument()) + }) + + it('opens delete confirmation dialog', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + expect(await screen.findByRole('dialog', { name: MODAL_TITLE })).toBeInTheDocument() + }) + + it('cancels whitelist deletion via Cancel button', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + await userEvent.click(await screen.findByRole('button', { name: 'Cancel' })) + await waitFor(() => + expect(screen.queryByRole('dialog', { name: MODAL_TITLE })).not.toBeInTheDocument(), + ) + expect(crowdsecApi.deleteWhitelist).not.toHaveBeenCalled() + }) + + it('confirms whitelist entry deletion via Remove button', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + await userEvent.click(await screen.findByRole('button', { name: BTN_REMOVE })) + await waitFor(() => expect(crowdsecApi.deleteWhitelist).toHaveBeenCalledWith('uuid-1')) + }) + + it('shows delete-whitelist loading overlay while mutation is pending', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + let resolveDelete!: () => void + vi.mocked(crowdsecApi.deleteWhitelist).mockImplementationOnce( + () => + new Promise((resolve) => { + resolveDelete = resolve + }), + ) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + await userEvent.click(await screen.findByRole('button', { name: BTN_REMOVE })) + await waitFor(() => expect(screen.getByText('Removing from whitelist')).toBeInTheDocument()) + resolveDelete() + }) + + it('closes delete dialog on Escape key', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + expect(await screen.findByRole('dialog', { name: MODAL_TITLE })).toBeInTheDocument() + await userEvent.keyboard('{Escape}') + await waitFor(() => + expect(screen.queryByRole('dialog', { name: MODAL_TITLE })).not.toBeInTheDocument(), + ) + }) + + it('closes delete dialog when backdrop is clicked', async () => { + vi.mocked(crowdsecApi.listWhitelists).mockResolvedValue(mockWhitelistEntries) + await renderPage() + await goToWhitelistTab() + await userEvent.click((await screen.findAllByTestId('whitelist-delete-btn'))[0]) + expect(await screen.findByRole('dialog', { name: MODAL_TITLE })).toBeInTheDocument() + await userEvent.click(screen.getByRole('button', { name: /close/i })) + await waitFor(() => + expect(screen.queryByRole('dialog', { name: MODAL_TITLE })).not.toBeInTheDocument(), + ) + }) + + it('fills IP input when Add My IP is clicked', async () => { + await renderPage() + await goToWhitelistTab() + await userEvent.click(screen.getByTestId('whitelist-add-my-ip-btn')) + await waitFor(() => { + const input = screen.getByTestId('whitelist-ip-input') as HTMLInputElement + expect(input.value).toBe('203.0.113.1') + }) + }) + + it('shows error toast when Add My IP request fails', async () => { + vi.mocked(systemApi.getMyIP).mockRejectedValueOnce(new Error('network error')) + await renderPage() + await goToWhitelistTab() + await userEvent.click(screen.getByTestId('whitelist-add-my-ip-btn')) + await waitFor(() => + expect(toast.error).toHaveBeenCalledWith('Failed to detect your IP address'), + ) + }) +}) diff --git a/frontend/src/pages/__tests__/Dashboard.test.tsx b/frontend/src/pages/__tests__/Dashboard.test.tsx index 06883756..0235e9f4 100644 --- a/frontend/src/pages/__tests__/Dashboard.test.tsx +++ b/frontend/src/pages/__tests__/Dashboard.test.tsx @@ -27,7 +27,7 @@ vi.mock('../../hooks/useRemoteServers', () => ({ vi.mock('../../hooks/useCertificates', () => ({ useCertificates: () => ({ certificates: [ - { id: 1, status: 'valid', domain: 'test.com' }, + { id: 1, status: 'valid', domain: 'test.com', domains: 'test.com,www.test.com' }, { id: 2, status: 'expired', domain: 'expired.com' }, ], isLoading: false, @@ -84,4 +84,5 @@ describe('Dashboard page', () => { // "1 valid" still renders even though cert.domains is undefined expect(screen.getByText('1 valid')).toBeInTheDocument() }) + }) From 2c284bdd497b6aa97f07e94e38b39b00ce51df4f Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Sun, 19 Apr 2026 21:11:14 +0000 Subject: [PATCH 36/44] test: add tests for handling empty UUID in DeleteWhitelist and invalid CIDR in Add method --- .../handlers/crowdsec_whitelist_handler_test.go | 17 +++++++++++++++++ .../services/crowdsec_whitelist_service_test.go | 7 +++++++ 2 files changed, 24 insertions(+) diff --git a/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go b/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go index 7f603dea..59760760 100644 --- a/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go +++ b/backend/internal/api/handlers/crowdsec_whitelist_handler_test.go @@ -265,3 +265,20 @@ func TestDeleteWhitelist_ReloadFailure(t *testing.T) { assert.Equal(t, http.StatusNoContent, w.Code) assert.True(t, mock.reloadCalled) } + +func TestDeleteWhitelist_EmptyUUID(t *testing.T) { + t.Parallel() + h, _, _ := setupWhitelistHandler(t) + + w := httptest.NewRecorder() + c, _ := gin.CreateTestContext(w) + c.Request = httptest.NewRequest(http.MethodDelete, "/api/v1/admin/crowdsec/whitelist/", nil) + c.Params = gin.Params{{Key: "uuid", Value: ""}} + + h.DeleteWhitelist(c) + + assert.Equal(t, http.StatusBadRequest, w.Code) + var resp map[string]interface{} + require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp)) + assert.Equal(t, "uuid is required", resp["error"]) +} diff --git a/backend/internal/services/crowdsec_whitelist_service_test.go b/backend/internal/services/crowdsec_whitelist_service_test.go index 1d1d0cf0..4fbea4cf 100644 --- a/backend/internal/services/crowdsec_whitelist_service_test.go +++ b/backend/internal/services/crowdsec_whitelist_service_test.go @@ -300,3 +300,10 @@ func TestCrowdSecWhitelistService_WriteYAML_RenameError(t *testing.T) { assert.Error(t, err) assert.Contains(t, err.Error(), "rename") } + +func TestCrowdSecWhitelistService_Add_InvalidCIDR(t *testing.T) { + t.Parallel() + svc := services.NewCrowdSecWhitelistService(openWhitelistTestDB(t), "") + _, err := svc.Add(context.Background(), "not-an-ip/24", "invalid cidr with slash") + assert.ErrorIs(t, err, services.ErrInvalidIPOrCIDR) +} From 2b2f3c876bc0f89152f92dca2e5a7431cd561e18 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 20 Apr 2026 11:01:53 +0000 Subject: [PATCH 37/44] chore: fix Renovate lookup failure for google/uuid dependency --- .github/renovate.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/renovate.json b/.github/renovate.json index 6a4451cf..d2e3b753 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -324,6 +324,12 @@ "matchDatasources": ["go"], "matchPackageNames": ["github.com/oschwald/geoip2-golang/v2"], "sourceUrl": "https://github.com/oschwald/geoip2-golang" + }, + { + "description": "Fix Renovate lookup for google/uuid", + "matchDatasources": ["go"], + "matchPackageNames": ["github.com/google/uuid"], + "sourceUrl": "https://github.com/google/uuid" } ] } From 816124634b7d4f15197f3da64bbe173b001964e9 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 20 Apr 2026 11:16:20 +0000 Subject: [PATCH 38/44] fix(deps): update @oxc-parser dependencies to version 0.126.0 and remove unused packages --- frontend/package-lock.json | 326 ++++++++++++------------------------- 1 file changed, 106 insertions(+), 220 deletions(-) diff --git a/frontend/package-lock.json b/frontend/package-lock.json index 9fb118b7..60ae22b9 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -1307,9 +1307,9 @@ } }, "node_modules/@oxc-parser/binding-android-arm-eabi": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.121.0.tgz", - "integrity": "sha512-n07FQcySwOlzap424/PLMtOkbS7xOu8nsJduKL8P3COGHKgKoDYXwoAHCbChfgFpHnviehrLWIPX0lKGtbEk/A==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.126.0.tgz", + "integrity": "sha512-svyoHt25J4741QJ5aa4R+h0iiBeSRt63Lr3aAZcxy2c/NeSE1IfDeMnSij6rIg7EjxkdlXzz613wUjeCeilBNA==", "cpu": [ "arm" ], @@ -1324,9 +1324,9 @@ } }, "node_modules/@oxc-parser/binding-android-arm64": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.121.0.tgz", - "integrity": "sha512-/Dd1xIXboYAicw+twT2utxPD7bL8qh7d3ej0qvaYIMj3/EgIrGR+tSnjCUkiCT6g6uTC0neSS4JY8LxhdSU/sA==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.126.0.tgz", + "integrity": "sha512-hPEBRKgplp1mG9GkINFsr4JVMDNrGJLOqfDaadTWpAoTnzYR5Rmv8RMvB3hJZpiNvbk1aacopdHUP1pggMQ/cw==", "cpu": [ "arm64" ], @@ -1341,9 +1341,9 @@ } }, "node_modules/@oxc-parser/binding-darwin-arm64": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.121.0.tgz", - "integrity": "sha512-A0jNEvv7QMtCO1yk205t3DWU9sWUjQ2KNF0hSVO5W9R9r/R1BIvzG01UQAfmtC0dQm7sCrs5puixurKSfr2bRQ==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.126.0.tgz", + "integrity": "sha512-ccRpu9sdYmznePJQG5halhs0FW5tw5a8zRSoZXOzM1OjoeZ4jiRRruFiPclsD59edoVAK1l83dvfjWz1nQi6lg==", "cpu": [ "arm64" ], @@ -1358,9 +1358,9 @@ } }, "node_modules/@oxc-parser/binding-darwin-x64": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.121.0.tgz", - "integrity": "sha512-SsHzipdxTKUs3I9EOAPmnIimEeJOemqRlRDOp9LIj+96wtxZejF51gNibmoGq8KoqbT1ssAI5po/E3J+vEtXGA==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.126.0.tgz", + "integrity": "sha512-CHB4zVjNSKqx8Fw9pHowzQQnjjuq04i4Ng0Avj+DixlwhwAoMYqlFbocYIlbg+q3zOLGlm7vEHm83jqEMitnyg==", "cpu": [ "x64" ], @@ -1375,9 +1375,9 @@ } }, "node_modules/@oxc-parser/binding-freebsd-x64": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.121.0.tgz", - "integrity": "sha512-v1APOTkCp+RWOIDAHRoaeW/UoaHF15a60E8eUL6kUQXh+i4K7PBwq2Wi7jm8p0ymID5/m/oC1w3W31Z/+r7HQw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.126.0.tgz", + "integrity": "sha512-RQ3nEJdcDKBfBjmLJ3Vl1d0KQERPV1P8eUrnBm7+VTYyoaJSPLVFuPg1mlD1hk3n0/879VLFMfusFkBal4ssWQ==", "cpu": [ "x64" ], @@ -1392,9 +1392,9 @@ } }, "node_modules/@oxc-parser/binding-linux-arm-gnueabihf": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.121.0.tgz", - "integrity": "sha512-PmqPQuqHZyFVWA4ycr0eu4VnTMmq9laOHZd+8R359w6kzuNZPvmmunmNJ8ybkm769A0nCoVp3TJ6dUz7B3FYIQ==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.126.0.tgz", + "integrity": "sha512-onipc2wCDA7Bauzb4KK1mab0GsEDf4ujiIfWECdnmY/2LlzAoX3xdQRLAUyEDB1kn3yilHBrkmXDdHluyHXxiw==", "cpu": [ "arm" ], @@ -1409,9 +1409,9 @@ } }, "node_modules/@oxc-parser/binding-linux-arm-musleabihf": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.121.0.tgz", - "integrity": "sha512-vF24htj+MOH+Q7y9A8NuC6pUZu8t/C2Fr/kDOi2OcNf28oogr2xadBPXAbml802E8wRAVfbta6YLDQTearz+jw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.126.0.tgz", + "integrity": "sha512-5BuJJPohrV5NJ8lmcYOMbfRCUGoYH5J9HZHeuqOLwkHXWAuPMN3X1h8bC/2mWjmosdbfTtmyIdX3spS/TkqKNg==", "cpu": [ "arm" ], @@ -1426,9 +1426,9 @@ } }, "node_modules/@oxc-parser/binding-linux-arm64-gnu": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.121.0.tgz", - "integrity": "sha512-wjH8cIG2Lu/3d64iZpbYr73hREMgKAfu7fqpXjgM2S16y2zhTfDIp8EQjxO8vlDtKP5Rc7waZW72lh8nZtWrpA==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.126.0.tgz", + "integrity": "sha512-r2KApRgm2pOJaduRm6GOT8x0whcr67AyejNkSdzPt34GJ+Y3axcXN2mwlTs+8lfO/SSmpO5ZJGYiHYnxEE0jkw==", "cpu": [ "arm64" ], @@ -1443,9 +1443,9 @@ } }, "node_modules/@oxc-parser/binding-linux-arm64-musl": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.121.0.tgz", - "integrity": "sha512-qT663J/W8yQFw3dtscbEi9LKJevr20V7uWs2MPGTnvNZ3rm8anhhE16gXGpxDOHeg9raySaSHKhd4IGa3YZvuw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.126.0.tgz", + "integrity": "sha512-FQ+MMh7MT0Dr/u8+RWmWKlfoeWPQyHDbhhxJShJlYtROXXPHsRs9EvmQOZZ3sx4Nn7JU8NX+oyw2YzQ7anBJcA==", "cpu": [ "arm64" ], @@ -1460,9 +1460,9 @@ } }, "node_modules/@oxc-parser/binding-linux-ppc64-gnu": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.121.0.tgz", - "integrity": "sha512-mYNe4NhVvDBbPkAP8JaVS8lC1dsoJZWH5WCjpw5E+sjhk1R08wt3NnXYUzum7tIiWPfgQxbCMcoxgeemFASbRw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.126.0.tgz", + "integrity": "sha512-Wv/T8C98hRQhGTlx2XFyLn5raRMp9U1lOQD+YnXNgAr7wHbJJpZ8mDBU7Rw+M3WytGcGTFcr6kqgfyQeHVtLbQ==", "cpu": [ "ppc64" ], @@ -1477,9 +1477,9 @@ } }, "node_modules/@oxc-parser/binding-linux-riscv64-gnu": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.121.0.tgz", - "integrity": "sha512-+QiFoGxhAbaI/amqX567784cDyyuZIpinBrJNxUzb+/L2aBRX67mN6Jv40pqduHf15yYByI+K5gUEygCuv0z9w==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.126.0.tgz", + "integrity": "sha512-DHx1rT1zauW0ZbLHOiQh5AC9Xs3UkWx2XmfZHs+7nnWYr3sagrufoUQC+/XPwwjMIlCFXiFGM0sFh3TyOCZwqA==", "cpu": [ "riscv64" ], @@ -1494,9 +1494,9 @@ } }, "node_modules/@oxc-parser/binding-linux-riscv64-musl": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.121.0.tgz", - "integrity": "sha512-9ykEgyTa5JD/Uhv2sttbKnCfl2PieUfOjyxJC/oDL2UO0qtXOtjPLl7H8Kaj5G7p3hIvFgu3YWvAxvE0sqY+hQ==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.126.0.tgz", + "integrity": "sha512-umDc2mTShH0U2zcEYf8mIJ163seLJNn54ZUZYeI5jD4qlg9izPwoLrC2aNPKlMJTu6u/ysmQWiEvIiaAG+INkw==", "cpu": [ "riscv64" ], @@ -1511,9 +1511,9 @@ } }, "node_modules/@oxc-parser/binding-linux-s390x-gnu": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.121.0.tgz", - "integrity": "sha512-DB1EW5VHZdc1lIRjOI3bW/wV6R6y0xlfvdVrqj6kKi7Ayu2U3UqUBdq9KviVkcUGd5Oq+dROqvUEEFRXGAM7EQ==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.126.0.tgz", + "integrity": "sha512-PXXeWayclRtO1pxQEeCpiqIglQdhK2mAI2VX5xnsWdImzSB5GpoQ8TNw7vTCKk2k+GZuxl+q1knncidjCyUP9w==", "cpu": [ "s390x" ], @@ -1528,9 +1528,9 @@ } }, "node_modules/@oxc-parser/binding-linux-x64-gnu": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.121.0.tgz", - "integrity": "sha512-s4lfobX9p4kPTclvMiH3gcQUd88VlnkMTF6n2MTMDAyX5FPNRhhRSFZK05Ykhf8Zy5NibV4PbGR6DnK7FGNN6A==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.126.0.tgz", + "integrity": "sha512-wzocjxm34TbB3bFlqG65JiLtvf6ZDg2ZxRkLLbgXwDQUNU+0MPjQN8zy/0jBKNA5fnPLk3XeVdZ7Uin+7+CVkg==", "cpu": [ "x64" ], @@ -1545,9 +1545,9 @@ } }, "node_modules/@oxc-parser/binding-linux-x64-musl": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.121.0.tgz", - "integrity": "sha512-P9KlyTpuBuMi3NRGpJO8MicuGZfOoqZVRP1WjOecwx8yk4L/+mrCRNc5egSi0byhuReblBF2oVoDSMgV9Bj4Hw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.126.0.tgz", + "integrity": "sha512-e83uftP60jmkPs2+CW6T6A1GYzN2H6IumDAiTntv9WyHR73PI3ImHNBkYqnA3ukeKI3xjcCbhSh9QeJWmufxGQ==", "cpu": [ "x64" ], @@ -1562,9 +1562,9 @@ } }, "node_modules/@oxc-parser/binding-openharmony-arm64": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.121.0.tgz", - "integrity": "sha512-R+4jrWOfF2OAPPhj3Eb3U5CaKNAH9/btMveMULIrcNW/hjfysFQlF8wE0GaVBr81dWz8JLgQlsxwctoL78JwXw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.126.0.tgz", + "integrity": "sha512-4WiOILHnPrTDY2/L4mE6PZCYwLN1d3ghma6BuTJ452CCgzRMt3uFplCtR+o3r9zdUWJYb370UizpI9CUcWXr1A==", "cpu": [ "arm64" ], @@ -1579,9 +1579,9 @@ } }, "node_modules/@oxc-parser/binding-wasm32-wasi": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.121.0.tgz", - "integrity": "sha512-5TFISkPTymKvsmIlKasPVTPuWxzCcrT8pM+p77+mtQbIZDd1UC8zww4CJcRI46kolmgrEX6QpKO8AvWMVZ+ifw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.126.0.tgz", + "integrity": "sha512-Y17hhnrQTrxgAxAyAq401vnN9URsAL4s5AjqpG1NDsXSlhe1yBNnns+rC2P6xcMoitgX5nKH2ryYt9oiFRlzLw==", "cpu": [ "wasm32" ], @@ -1589,16 +1589,18 @@ "license": "MIT", "optional": true, "dependencies": { - "@napi-rs/wasm-runtime": "^1.1.1" + "@emnapi/core": "1.9.2", + "@emnapi/runtime": "1.9.2", + "@napi-rs/wasm-runtime": "^1.1.4" }, "engines": { "node": ">=14.0.0" } }, "node_modules/@oxc-parser/binding-win32-arm64-msvc": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.121.0.tgz", - "integrity": "sha512-V0pxh4mql4XTt3aiEtRNUeBAUFOw5jzZNxPABLaOKAWrVzSr9+XUaB095lY7jqMf5t8vkfh8NManGB28zanYKw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.126.0.tgz", + "integrity": "sha512-Znug1u1iRvT4VC3jANz6nhGBHsFwEFMxuimYpJFwMtsB6H5FcEoZRMmH26tHkSTD03JvDmG+gB65W3ajLjPcSw==", "cpu": [ "arm64" ], @@ -1613,9 +1615,9 @@ } }, "node_modules/@oxc-parser/binding-win32-ia32-msvc": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.121.0.tgz", - "integrity": "sha512-4Ob1qvYMPnlF2N9rdmKdkQFdrq16QVcQwBsO8yiPZXof0fHKFF+LmQV501XFbi7lHyrKm8rlJRfQ/M8bZZPVLw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.126.0.tgz", + "integrity": "sha512-qrw7mx5hFFTxVSXToOA40hpnjgNB/DJprZchtB4rDKNLKqkD3F26HbzaQeH1nxAKej0efSZfJd5Sw3qdtOLGhw==", "cpu": [ "ia32" ], @@ -1630,9 +1632,9 @@ } }, "node_modules/@oxc-parser/binding-win32-x64-msvc": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.121.0.tgz", - "integrity": "sha512-BOp1KCzdboB1tPqoCPXgntgFs0jjeSyOXHzgxVFR7B/qfr3F8r4YDacHkTOUNXtDgM8YwKnkf3rE5gwALYX7NA==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.126.0.tgz", + "integrity": "sha512-ibB1s+mPUFXvS7MFJO2jpw/aCNs/P6ifnWlRyTYB+WYBpniOiCcHQQskZneJtwcjQMDRol3RGG3ihoYnzXSY4w==", "cpu": [ "x64" ], @@ -1647,9 +1649,9 @@ } }, "node_modules/@oxc-project/types": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.121.0.tgz", - "integrity": "sha512-CGtOARQb9tyv7ECgdAlFxi0Fv7lmzvmlm2rpD/RdijOO9rfk/JvB1CjT8EnoD+tjna/IYgKKw3IV7objRb+aYw==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.126.0.tgz", + "integrity": "sha512-oGfVtjAgwQVVpfBrbtk4e1XDyWHRFta6BS3GWVzrF8xYBT2VGQAk39yJS/wFSMrZqoiCU4oghT3Ch0HaHGIHcQ==", "dev": true, "license": "MIT", "funding": { @@ -5013,19 +5015,6 @@ "node": "18 || 20 || >=22" } }, - "node_modules/braces": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", - "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", - "dev": true, - "license": "MIT", - "dependencies": { - "fill-range": "^7.1.1" - }, - "engines": { - "node": ">=8" - } - }, "node_modules/browserslist": { "version": "4.28.2", "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.2.tgz", @@ -6655,36 +6644,6 @@ "dev": true, "license": "MIT" }, - "node_modules/fast-glob": { - "version": "3.3.3", - "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.3.tgz", - "integrity": "sha512-7MptL8U0cqcFdzIzwOTHoilX9x5BrNqye7Z/LuC7kCMRio1EMSyqRK3BEAUD7sXRq4iT4AzTVuZdhgQ2TCvYLg==", - "dev": true, - "license": "MIT", - "dependencies": { - "@nodelib/fs.stat": "^2.0.2", - "@nodelib/fs.walk": "^1.2.3", - "glob-parent": "^5.1.2", - "merge2": "^1.3.0", - "micromatch": "^4.0.8" - }, - "engines": { - "node": ">=8.6.0" - } - }, - "node_modules/fast-glob/node_modules/glob-parent": { - "version": "5.1.2", - "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", - "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", - "dev": true, - "license": "ISC", - "dependencies": { - "is-glob": "^4.0.1" - }, - "engines": { - "node": ">= 6" - } - }, "node_modules/fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", @@ -6771,19 +6730,6 @@ "node": ">=16.0.0" } }, - "node_modules/fill-range": { - "version": "7.1.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", - "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", - "dev": true, - "license": "MIT", - "dependencies": { - "to-regex-range": "^5.0.1" - }, - "engines": { - "node": ">=8" - } - }, "node_modules/find-up": { "version": "5.0.0", "resolved": "https://registry.npmjs.org/find-up/-/find-up-5.0.0.tgz", @@ -7073,9 +7019,9 @@ } }, "node_modules/get-tsconfig": { - "version": "4.13.7", - "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.7.tgz", - "integrity": "sha512-7tN6rFgBlMgpBML5j8typ92BKFi2sFQvIdpAqLA2beia5avZDrMs0FLZiM5etShWq5irVyGcGMEA1jcDaK7A/Q==", + "version": "4.14.0", + "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.14.0.tgz", + "integrity": "sha512-yTb+8DXzDREzgvYmh6s9vHsSVCHeC0G3PI5bEXNBHtmshPnO+S5O7qgLEOn0I5QvMy6kpZN8K1NKGyilLb93wA==", "dev": true, "license": "MIT", "dependencies": { @@ -7667,16 +7613,6 @@ "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/is-number": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", - "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.12.0" - } - }, "node_modules/is-number-object": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/is-number-object/-/is-number-object-1.1.1.tgz", @@ -8081,9 +8017,9 @@ } }, "node_modules/knip": { - "version": "6.4.1", - "resolved": "https://registry.npmjs.org/knip/-/knip-6.4.1.tgz", - "integrity": "sha512-Ry+ywmDFSZvKp/jx7LxMgsZWRTs931alV84e60lh0Stf6kSRYqSIUTkviyyDFRcSO3yY1Kpbi83OirN+4lA2Xw==", + "version": "6.5.0", + "resolved": "https://registry.npmjs.org/knip/-/knip-6.5.0.tgz", + "integrity": "sha512-84xSq/g8CtPWLJcY5WZeGWj/pbqQxJRC7iXTTutB0MkMm260hKxlzIXSTnxuTuIxre2MBSokhLkfth8dQQYVPQ==", "dev": true, "funding": [ { @@ -8098,17 +8034,17 @@ "license": "ISC", "dependencies": { "@nodelib/fs.walk": "^1.2.3", - "fast-glob": "^3.3.3", "formatly": "^0.3.0", - "get-tsconfig": "4.13.7", + "get-tsconfig": "4.14.0", "jiti": "^2.6.0", "minimist": "^1.2.8", - "oxc-parser": "^0.121.0", + "oxc-parser": "^0.126.0", "oxc-resolver": "^11.19.1", "picocolors": "^1.1.1", - "picomatch": "^4.0.1", + "picomatch": "^4.0.4", "smol-toml": "^1.6.1", "strip-json-comments": "5.0.3", + "tinyglobby": "^0.2.16", "unbash": "^2.2.0", "yaml": "^2.8.2", "zod": "^4.1.11" @@ -8810,16 +8746,6 @@ "dev": true, "license": "CC0-1.0" }, - "node_modules/merge2": { - "version": "1.4.1", - "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz", - "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">= 8" - } - }, "node_modules/micromark": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/micromark/-/micromark-4.0.2.tgz", @@ -9448,33 +9374,6 @@ ], "license": "MIT" }, - "node_modules/micromatch": { - "version": "4.0.8", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz", - "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==", - "dev": true, - "license": "MIT", - "dependencies": { - "braces": "^3.0.3", - "picomatch": "^2.3.1" - }, - "engines": { - "node": ">=8.6" - } - }, - "node_modules/micromatch/node_modules/picomatch": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz", - "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=8.6" - }, - "funding": { - "url": "https://github.com/sponsors/jonschlinkert" - } - }, "node_modules/mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", @@ -9728,13 +9627,13 @@ } }, "node_modules/oxc-parser": { - "version": "0.121.0", - "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.121.0.tgz", - "integrity": "sha512-ek9o58+SCv6AV7nchiAcUJy1DNE2CC5WRdBcO0mF+W4oRjNQfPO7b3pLjTHSFECpHkKGOZSQxx3hk8viIL5YCg==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.126.0.tgz", + "integrity": "sha512-FktCvLby/mOHyuijZt22+nOt10dS24gGUZE3XwIbUg7Kf4+rer3/5T7RgwzazlNuVsCjPloZ3p8E+4ONT3A8Kw==", "dev": true, "license": "MIT", "dependencies": { - "@oxc-project/types": "^0.121.0" + "@oxc-project/types": "^0.126.0" }, "engines": { "node": "^20.19.0 || >=22.12.0" @@ -9743,26 +9642,26 @@ "url": "https://github.com/sponsors/Boshen" }, "optionalDependencies": { - "@oxc-parser/binding-android-arm-eabi": "0.121.0", - "@oxc-parser/binding-android-arm64": "0.121.0", - "@oxc-parser/binding-darwin-arm64": "0.121.0", - "@oxc-parser/binding-darwin-x64": "0.121.0", - "@oxc-parser/binding-freebsd-x64": "0.121.0", - "@oxc-parser/binding-linux-arm-gnueabihf": "0.121.0", - "@oxc-parser/binding-linux-arm-musleabihf": "0.121.0", - "@oxc-parser/binding-linux-arm64-gnu": "0.121.0", - "@oxc-parser/binding-linux-arm64-musl": "0.121.0", - "@oxc-parser/binding-linux-ppc64-gnu": "0.121.0", - "@oxc-parser/binding-linux-riscv64-gnu": "0.121.0", - "@oxc-parser/binding-linux-riscv64-musl": "0.121.0", - "@oxc-parser/binding-linux-s390x-gnu": "0.121.0", - "@oxc-parser/binding-linux-x64-gnu": "0.121.0", - "@oxc-parser/binding-linux-x64-musl": "0.121.0", - "@oxc-parser/binding-openharmony-arm64": "0.121.0", - "@oxc-parser/binding-wasm32-wasi": "0.121.0", - "@oxc-parser/binding-win32-arm64-msvc": "0.121.0", - "@oxc-parser/binding-win32-ia32-msvc": "0.121.0", - "@oxc-parser/binding-win32-x64-msvc": "0.121.0" + "@oxc-parser/binding-android-arm-eabi": "0.126.0", + "@oxc-parser/binding-android-arm64": "0.126.0", + "@oxc-parser/binding-darwin-arm64": "0.126.0", + "@oxc-parser/binding-darwin-x64": "0.126.0", + "@oxc-parser/binding-freebsd-x64": "0.126.0", + "@oxc-parser/binding-linux-arm-gnueabihf": "0.126.0", + "@oxc-parser/binding-linux-arm-musleabihf": "0.126.0", + "@oxc-parser/binding-linux-arm64-gnu": "0.126.0", + "@oxc-parser/binding-linux-arm64-musl": "0.126.0", + "@oxc-parser/binding-linux-ppc64-gnu": "0.126.0", + "@oxc-parser/binding-linux-riscv64-gnu": "0.126.0", + "@oxc-parser/binding-linux-riscv64-musl": "0.126.0", + "@oxc-parser/binding-linux-s390x-gnu": "0.126.0", + "@oxc-parser/binding-linux-x64-gnu": "0.126.0", + "@oxc-parser/binding-linux-x64-musl": "0.126.0", + "@oxc-parser/binding-openharmony-arm64": "0.126.0", + "@oxc-parser/binding-wasm32-wasi": "0.126.0", + "@oxc-parser/binding-win32-arm64-msvc": "0.126.0", + "@oxc-parser/binding-win32-ia32-msvc": "0.126.0", + "@oxc-parser/binding-win32-x64-msvc": "0.126.0" } }, "node_modules/oxc-resolver": { @@ -10573,15 +10472,15 @@ } }, "node_modules/safe-array-concat": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/safe-array-concat/-/safe-array-concat-1.1.3.tgz", - "integrity": "sha512-AURm5f0jYEOydBj7VQlVvDrjeFgthDdEF5H1dP+6mNpoXOMo1quQqJ4wvJDyRZ9+pO3kGWoOdmV08cSv2aJV6Q==", + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/safe-array-concat/-/safe-array-concat-1.1.4.tgz", + "integrity": "sha512-wtZlHyOje6OZTGqAoaDKxFkgRtkF9CnHAVnCHKfuj200wAgL+bSJhdsCD2l0Qx/2ekEXjPWcyKkfGb5CPboslg==", "dev": true, "license": "MIT", "dependencies": { - "call-bind": "^1.0.8", - "call-bound": "^1.0.2", - "get-intrinsic": "^1.2.6", + "call-bind": "^1.0.9", + "call-bound": "^1.0.4", + "get-intrinsic": "^1.3.0", "has-symbols": "^1.1.0", "isarray": "^2.0.5" }, @@ -11140,19 +11039,6 @@ "integrity": "sha512-7W5Efjhsc3chVdFhqtaU0KtK32J37Zcr9RKtID54nG+tIpcY79CQK/veYPODxtD/LJ4Lue66jvrQzIX2Z2/pUQ==", "license": "MIT" }, - "node_modules/to-regex-range": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", - "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", - "dev": true, - "license": "MIT", - "dependencies": { - "is-number": "^7.0.0" - }, - "engines": { - "node": ">=8.0" - } - }, "node_modules/totalist": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/totalist/-/totalist-3.0.1.tgz", From 38cdc5d9d040ebf419ff3219dfaa5377d05bd2da Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 20 Apr 2026 11:16:56 +0000 Subject: [PATCH 39/44] fix(deps): update @oxc-project/types and @rolldown dependencies to version 0.126.0 and 1.0.0-rc.16 respectively --- package-lock.json | 158 +++++++++++++++++++++++----------------------- 1 file changed, 79 insertions(+), 79 deletions(-) diff --git a/package-lock.json b/package-lock.json index a5deda4f..ff80c859 100644 --- a/package-lock.json +++ b/package-lock.json @@ -395,9 +395,9 @@ } }, "node_modules/@oxc-project/types": { - "version": "0.124.0", - "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.124.0.tgz", - "integrity": "sha512-VBFWMTBvHxS11Z5Lvlr3IWgrwhMTXV+Md+EQF0Xf60+wAdsGFTBx7X7K/hP4pi8N7dcm1RvcHwDxZ16Qx8keUg==", + "version": "0.126.0", + "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.126.0.tgz", + "integrity": "sha512-oGfVtjAgwQVVpfBrbtk4e1XDyWHRFta6BS3GWVzrF8xYBT2VGQAk39yJS/wFSMrZqoiCU4oghT3Ch0HaHGIHcQ==", "dev": true, "license": "MIT", "funding": { @@ -421,9 +421,9 @@ } }, "node_modules/@rolldown/binding-android-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-YYe6aWruPZDtHNpwu7+qAHEMbQ/yRl6atqb/AhznLTnD3UY99Q1jE7ihLSahNWkF4EqRPVC4SiR4O0UkLK02tA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.16.tgz", + "integrity": "sha512-rhY3k7Bsae9qQfOtph2Pm2jZEA+s8Gmjoz4hhmx70K9iMQ/ddeae+xhRQcM5IuVx5ry1+bGfkvMn7D6MJggVSA==", "cpu": [ "arm64" ], @@ -438,9 +438,9 @@ } }, "node_modules/@rolldown/binding-darwin-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-oArR/ig8wNTPYsXL+Mzhs0oxhxfuHRfG7Ikw7jXsw8mYOtk71W0OkF2VEVh699pdmzjPQsTjlD1JIOoHkLP1Fg==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.16.tgz", + "integrity": "sha512-rNz0yK078yrNn3DrdgN+PKiMOW8HfQ92jQiXxwX8yW899ayV00MLVdaCNeVBhG/TbH3ouYVObo8/yrkiectkcQ==", "cpu": [ "arm64" ], @@ -455,9 +455,9 @@ } }, "node_modules/@rolldown/binding-darwin-x64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.15.tgz", - "integrity": "sha512-YzeVqOqjPYvUbJSWJ4EDL8ahbmsIXQpgL3JVipmN+MX0XnXMeWomLN3Fb+nwCmP/jfyqte5I3XRSm7OfQrbyxw==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.16.tgz", + "integrity": "sha512-r/OmdR00HmD4i79Z//xO06uEPOq5hRXdhw7nzkxQxwSavs3PSHa1ijntdpOiZ2mzOQ3fVVu8C1M19FoNM+dMUQ==", "cpu": [ "x64" ], @@ -472,9 +472,9 @@ } }, "node_modules/@rolldown/binding-freebsd-x64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.15.tgz", - "integrity": "sha512-9Erhx956jeQ0nNTyif1+QWAXDRD38ZNjr//bSHrt6wDwB+QkAfl2q6Mn1k6OBPerznjRmbM10lgRb1Pli4xZPw==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.16.tgz", + "integrity": "sha512-KcRE5w8h0OnjUatG8pldyD14/CQ5Phs1oxfR+3pKDjboHRo9+MkqQaiIZlZRpsxC15paeXme/I127tUa9TXJ6g==", "cpu": [ "x64" ], @@ -489,9 +489,9 @@ } }, "node_modules/@rolldown/binding-linux-arm-gnueabihf": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.15.tgz", - "integrity": "sha512-cVwk0w8QbZJGTnP/AHQBs5yNwmpgGYStL88t4UIaqcvYJWBfS0s3oqVLZPwsPU6M0zlW4GqjP0Zq5MnAGwFeGA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.16.tgz", + "integrity": "sha512-bT0guA1bpxEJ/ZhTRniQf7rNF8ybvXOuWbNIeLABaV5NGjx4EtOWBTSRGWFU9ZWVkPOZ+HNFP8RMcBokBiZ0Kg==", "cpu": [ "arm" ], @@ -506,9 +506,9 @@ } }, "node_modules/@rolldown/binding-linux-arm64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-eBZ/u8iAK9SoHGanqe/jrPnY0JvBN6iXbVOsbO38mbz+ZJsaobExAm1Iu+rxa4S1l2FjG0qEZn4Rc6X8n+9M+w==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-+tHktCHWV8BDQSjemUqm/Jl/TPk3QObCTIjmdDy/nlupcujZghmKK2962LYrqFpWu+ai01AN/REOH3NEpqvYQg==", "cpu": [ "arm64" ], @@ -523,9 +523,9 @@ } }, "node_modules/@rolldown/binding-linux-arm64-musl": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.15.tgz", - "integrity": "sha512-ZvRYMGrAklV9PEkgt4LQM6MjQX2P58HPAuecwYObY2DhS2t35R0I810bKi0wmaYORt6m/2Sm+Z+nFgb0WhXNcQ==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.16.tgz", + "integrity": "sha512-3fPzdREH806oRLxpTWW1Gt4tQHs0TitZFOECB2xzCFLPKnSOy90gwA7P29cksYilFO6XVRY1kzga0cL2nRjKPg==", "cpu": [ "arm64" ], @@ -540,9 +540,9 @@ } }, "node_modules/@rolldown/binding-linux-ppc64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-VDpgGBzgfg5hLg+uBpCLoFG5kVvEyafmfxGUV0UHLcL5irxAK7PKNeC2MwClgk6ZAiNhmo9FLhRYgvMmedLtnQ==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-EKwI1tSrLs7YVw+JPJT/G2dJQ1jl9qlTTTEG0V2Ok/RdOenRfBw2PQdLPyjhIu58ocdBfP7vIRN/pvMsPxs/AQ==", "cpu": [ "ppc64" ], @@ -557,9 +557,9 @@ } }, "node_modules/@rolldown/binding-linux-s390x-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-y1uXY3qQWCzcPgRJATPSOUP4tCemh4uBdY7e3EZbVwCJTY3gLJWnQABgeUetvED+bt1FQ01OeZwvhLS2bpNrAQ==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-Uknladnb3Sxqu6SEcqBldQyJUpk8NleooZEc0MbRBJ4inEhRYWZX0NJu12vNf2mqAq7gsofAxHrGghiUYjhaLQ==", "cpu": [ "s390x" ], @@ -574,9 +574,9 @@ } }, "node_modules/@rolldown/binding-linux-x64-gnu": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.15.tgz", - "integrity": "sha512-023bTPBod7J3Y/4fzAN6QtpkSABR0rigtrwaP+qSEabUh5zf6ELr9Nc7GujaROuPY3uwdSIXWrvhn1KxOvurWA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.16.tgz", + "integrity": "sha512-FIb8+uG49sZBtLTn+zt1AJ20TqVcqWeSIyoVt0or7uAWesgKaHbiBh6OpA/k9v0LTt+PTrb1Lao133kP4uVxkg==", "cpu": [ "x64" ], @@ -591,9 +591,9 @@ } }, "node_modules/@rolldown/binding-linux-x64-musl": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.15.tgz", - "integrity": "sha512-witB2O0/hU4CgfOOKUoeFgQ4GktPi1eEbAhaLAIpgD6+ZnhcPkUtPsoKKHRzmOoWPZue46IThdSgdo4XneOLYw==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.16.tgz", + "integrity": "sha512-RuERhF9/EgWxZEXYWCOaViUWHIboceK4/ivdtQ3R0T44NjLkIIlGIAVAuCddFxsZ7vnRHtNQUrt2vR2n2slB2w==", "cpu": [ "x64" ], @@ -608,9 +608,9 @@ } }, "node_modules/@rolldown/binding-openharmony-arm64": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.15.tgz", - "integrity": "sha512-UCL68NJ0Ud5zRipXZE9dF5PmirzJE4E4BCIOOssEnM7wLDsxjc6Qb0sGDxTNRTP53I6MZpygyCpY8Aa8sPfKPg==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.16.tgz", + "integrity": "sha512-mXcXnvd9GpazCxeUCCnZ2+YF7nut+ZOEbE4GtaiPtyY6AkhZWbK70y1KK3j+RDhjVq5+U8FySkKRb/+w0EeUwA==", "cpu": [ "arm64" ], @@ -625,9 +625,9 @@ } }, "node_modules/@rolldown/binding-wasm32-wasi": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.15.tgz", - "integrity": "sha512-ApLruZq/ig+nhaE7OJm4lDjayUnOHVUa77zGeqnqZ9pn0ovdVbbNPerVibLXDmWeUZXjIYIT8V3xkT58Rm9u5Q==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.16.tgz", + "integrity": "sha512-3Q2KQxnC8IJOLqXmUMoYwyIPZU9hzRbnHaoV3Euz+VVnjZKcY8ktnNP8T9R4/GGQtb27C/UYKABxesKWb8lsvQ==", "cpu": [ "wasm32" ], @@ -637,16 +637,16 @@ "dependencies": { "@emnapi/core": "1.9.2", "@emnapi/runtime": "1.9.2", - "@napi-rs/wasm-runtime": "^1.1.3" + "@napi-rs/wasm-runtime": "^1.1.4" }, "engines": { - "node": ">=14.0.0" + "node": "^20.19.0 || >=22.12.0" } }, "node_modules/@rolldown/binding-win32-arm64-msvc": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.15.tgz", - "integrity": "sha512-KmoUoU7HnN+Si5YWJigfTws1jz1bKBYDQKdbLspz0UaqjjFkddHsqorgiW1mxcAj88lYUE6NC/zJNwT+SloqtA==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.16.tgz", + "integrity": "sha512-tj7XRemQcOcFwv7qhpUxMTBbI5mWMlE4c1Omhg5+h8GuLXzyj8HviYgR+bB2DMDgRqUE+jiDleqSCRjx4aYk/Q==", "cpu": [ "arm64" ], @@ -661,9 +661,9 @@ } }, "node_modules/@rolldown/binding-win32-x64-msvc": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.15.tgz", - "integrity": "sha512-3P2A8L+x75qavWLe/Dll3EYBJLQmtkJN8rfh+U/eR3MqMgL/h98PhYI+JFfXuDPgPeCB7iZAKiqii5vqOvnA0g==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.16.tgz", + "integrity": "sha512-PH5DRZT+F4f2PTXRXR8uJxnBq2po/xFtddyabTJVJs/ZYVHqXPEgNIr35IHTEa6bpa0Q8Awg+ymkTaGnKITw4g==", "cpu": [ "x64" ], @@ -678,9 +678,9 @@ } }, "node_modules/@rolldown/pluginutils": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.15.tgz", - "integrity": "sha512-UromN0peaE53IaBRe9W7CjrZgXl90fqGpK+mIZbA3qSTeYqg3pqpROBdIPvOG3F5ereDHNwoHBI2e50n1BDr1g==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.16.tgz", + "integrity": "sha512-45+YtqxLYKDWQouLKCrpIZhke+nXxhsw+qAHVzHDVwttyBlHNBVs2K25rDXrZzhpTp9w1FlAlvweV1H++fdZoA==", "dev": true, "license": "MIT" }, @@ -3620,14 +3620,14 @@ } }, "node_modules/rolldown": { - "version": "1.0.0-rc.15", - "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.15.tgz", - "integrity": "sha512-Ff31guA5zT6WjnGp0SXw76X6hzGRk/OQq2hE+1lcDe+lJdHSgnSX6nK3erbONHyCbpSj9a9E+uX/OvytZoWp2g==", + "version": "1.0.0-rc.16", + "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.16.tgz", + "integrity": "sha512-rzi5WqKzEZw3SooTt7cgm4eqIoujPIyGcJNGFL7iPEuajQw7vxMHUkXylu4/vhCkJGXsgRmxqMKXUpT6FEgl0g==", "dev": true, "license": "MIT", "dependencies": { - "@oxc-project/types": "=0.124.0", - "@rolldown/pluginutils": "1.0.0-rc.15" + "@oxc-project/types": "=0.126.0", + "@rolldown/pluginutils": "1.0.0-rc.16" }, "bin": { "rolldown": "bin/cli.mjs" @@ -3636,21 +3636,21 @@ "node": "^20.19.0 || >=22.12.0" }, "optionalDependencies": { - "@rolldown/binding-android-arm64": "1.0.0-rc.15", - "@rolldown/binding-darwin-arm64": "1.0.0-rc.15", - "@rolldown/binding-darwin-x64": "1.0.0-rc.15", - "@rolldown/binding-freebsd-x64": "1.0.0-rc.15", - "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.15", - "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.15", - "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.15", - "@rolldown/binding-linux-x64-musl": "1.0.0-rc.15", - "@rolldown/binding-openharmony-arm64": "1.0.0-rc.15", - "@rolldown/binding-wasm32-wasi": "1.0.0-rc.15", - "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.15", - "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.15" + "@rolldown/binding-android-arm64": "1.0.0-rc.16", + "@rolldown/binding-darwin-arm64": "1.0.0-rc.16", + "@rolldown/binding-darwin-x64": "1.0.0-rc.16", + "@rolldown/binding-freebsd-x64": "1.0.0-rc.16", + "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.16", + "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.16", + "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.16", + "@rolldown/binding-linux-x64-musl": "1.0.0-rc.16", + "@rolldown/binding-openharmony-arm64": "1.0.0-rc.16", + "@rolldown/binding-wasm32-wasi": "1.0.0-rc.16", + "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.16", + "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.16" } }, "node_modules/run-parallel": { @@ -4100,17 +4100,17 @@ } }, "node_modules/vite": { - "version": "8.0.8", - "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.8.tgz", - "integrity": "sha512-dbU7/iLVa8KZALJyLOBOQ88nOXtNG8vxKuOT4I2mD+Ya70KPceF4IAmDsmU0h1Qsn5bPrvsY9HJstCRh3hG6Uw==", + "version": "8.0.9", + "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.9.tgz", + "integrity": "sha512-t7g7GVRpMXjNpa67HaVWI/8BWtdVIQPCL2WoozXXA7LBGEFK4AkkKkHx2hAQf5x1GZSlcmEDPkVLSGahxnEEZw==", "dev": true, "license": "MIT", "dependencies": { "lightningcss": "^1.32.0", "picomatch": "^4.0.4", - "postcss": "^8.5.8", - "rolldown": "1.0.0-rc.15", - "tinyglobby": "^0.2.15" + "postcss": "^8.5.10", + "rolldown": "1.0.0-rc.16", + "tinyglobby": "^0.2.16" }, "bin": { "vite": "bin/vite.js" From 612d3655fa3eae0a8e133710142bf8ff199b59f1 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 20 Apr 2026 11:27:56 +0000 Subject: [PATCH 40/44] fix: improve IP normalization in normalizeIPOrCIDR function Co-authored-by: Copilot --- backend/internal/services/crowdsec_whitelist_service.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/backend/internal/services/crowdsec_whitelist_service.go b/backend/internal/services/crowdsec_whitelist_service.go index 8d89c3ba..d27b0bed 100644 --- a/backend/internal/services/crowdsec_whitelist_service.go +++ b/backend/internal/services/crowdsec_whitelist_service.go @@ -149,10 +149,12 @@ func normalizeIPOrCIDR(raw string) (string, error) { _ = ip return network.String(), nil } - if net.ParseIP(raw) == nil { + ip := net.ParseIP(raw) + if ip == nil { return "", fmt.Errorf("invalid IP: %q", raw) } - return raw, nil + + return ip.String(), nil } // buildWhitelistYAML constructs the YAML content for the CrowdSec whitelist parser. From 437a35bd477ae9c066c3fe237b612c2615f55c95 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 20 Apr 2026 11:29:10 +0000 Subject: [PATCH 41/44] fix: replace div with button for close action in whitelist delete modal Co-authored-by: Copilot --- frontend/src/pages/CrowdSecConfig.tsx | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/frontend/src/pages/CrowdSecConfig.tsx b/frontend/src/pages/CrowdSecConfig.tsx index e26286c3..ea82c143 100644 --- a/frontend/src/pages/CrowdSecConfig.tsx +++ b/frontend/src/pages/CrowdSecConfig.tsx @@ -1556,7 +1556,12 @@ export default function CrowdSecConfig() { aria-modal="true" aria-labelledby="whitelist-delete-modal-title" > -
setConfirmDeleteWhitelist(null)} role="button" tabIndex={-1} aria-label={t('common.close')} /> +