akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

feat: add ManualDNSChallenge component and related hooks for manual DNS challenge management

Browse Source 
- Implemented `useManualChallenge`, `useChallengePoll`, and `useManualChallengeMutations` hooks for managing manual DNS challenges.
- Created tests for the `useManualChallenge` hooks to ensure correct fetching and mutation behavior.
- Added `ManualDNSChallenge` component for displaying challenge details and actions.
- Developed end-to-end tests for the Manual DNS Provider feature, covering provider selection, challenge UI, and accessibility compliance.
- Included error handling tests for verification failures and network errors.
This commit is contained in:
GitHub Actions
2026-01-12 04:01:40 +00:00
parent a199dfd079
commit d7939bed70
132 changed files with 8680 additions and 878 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
.github/agents/Managment.agent.md vendored
View File

@@ -72,22 +72,30 @@ You are "lazy" in the smartest way possible. You never do what a subordinate can
The task is not complete until ALL of the following pass with zero issues:
1. **Coverage Tests (MANDATORY - Verify Explicitly)**:
1. **Playwright E2E Tests (MANDATORY - Run First)**:
- **Run**: `npx playwright test --project=chromium` from project root
- **Why First**: If the app is broken at E2E level, unit tests may need updates. Catch integration issues early.
- **Scope**: Run tests relevant to modified features (e.g., `tests/manual-dns-provider.spec.ts`)
- **On Failure**: Trace root cause through frontend → backend flow before proceeding
- **Base URL**: Uses `PLAYWRIGHT_BASE_URL` or default from `playwright.config.js`
- All E2E tests must pass before proceeding to unit tests
2. **Coverage Tests (MANDATORY - Verify Explicitly)**:
- **Backend**: Ensure `Backend_Dev` ran VS Code task "Test: Backend with Coverage" or `scripts/go-test-coverage.sh`
- **Frontend**: Ensure `Frontend_Dev` ran VS Code task "Test: Frontend with Coverage" or `scripts/frontend-test-coverage.sh`
- **Why**: These are in manual stage of pre-commit for performance. Subagents MUST run them via VS Code tasks or scripts.
- Minimum coverage: 85% for both backend and frontend.
- All tests must pass with zero failures.
2. **Type Safety (Frontend)**:
3. **Type Safety (Frontend)**:
- Ensure `Frontend_Dev` ran VS Code task "Lint: TypeScript Check" or `npm run type-check`
- **Why**: This check is in manual stage of pre-commit for performance. Subagents MUST run it explicitly.
3. **Pre-commit Hooks**: Ensure `QA_Security` ran `pre-commit run --all-files` (fast hooks only; coverage was verified in step 1)
4. **Pre-commit Hooks**: Ensure `QA_Security` ran `pre-commit run --all-files` (fast hooks only; coverage was verified in step 2)
4. **Security Scans**: Ensure `QA_Security` ran CodeQL and Trivy with zero Critical or High severity issues
5. **Security Scans**: Ensure `QA_Security` ran CodeQL and Trivy with zero Critical or High severity issues
5. **Linting**: All language-specific linters must pass
6. **Linting**: All language-specific linters must pass
**Your Role**: You delegate implementation to subagents, but YOU are responsible for verifying they completed the Definition of Done. Do not accept "DONE" from a subagent until you have confirmed they ran coverage tests, type checks, and security scans explicitly.

21
.github/agents/Planning.agent.md vendored
View File

@@ -67,9 +67,12 @@ Your goal is to design the **User Experience** first, then engineer the **Backen
}
```
### 🕵️ Phase 1: QA & Security
### 🕵️ Phase 1: Playwright E2E Tests (Run First)
1. Build tests for coverage of perposed code additions and chages based on how the code SHOULD work
1. Run `npx playwright test --project=chromium` to verify app functions correctly
2. If tests fail, trace root cause through frontend → backend flow
3. Write/update Playwright tests for new features in `tests/*.spec.ts`
4. Build unit tests for coverage of proposed code additions and changes based on how the code SHOULD work
### 🏗️ Phase 2: Backend Implementation (Go)
@@ -89,15 +92,19 @@ Your goal is to design the **User Experience** first, then engineer the **Backen
### 🕵️ Phase 3: QA & Security
1. Edge Cases: {List specific scenarios to test}
2. **Coverage Tests (MANDATORY)**:
1. **Playwright E2E Tests (MANDATORY - Run First)**:
- Run `npx playwright test --project=chromium` from project root
- All E2E tests must pass BEFORE running unit tests
- If E2E fails, trace root cause and fix before proceeding
2. Edge Cases: {List specific scenarios to test}
3. **Coverage Tests (MANDATORY - After E2E passes)**:
- Backend: Run VS Code task "Test: Backend with Coverage" or execute `scripts/go-test-coverage.sh`
- Frontend: Run VS Code task "Test: Frontend with Coverage" or execute `scripts/frontend-test-coverage.sh`
- Minimum coverage: 85% for both backend and frontend
- **Critical**: These are in manual stage of pre-commit for performance. Agents MUST run them via VS Code tasks or scripts before marking tasks complete.
3. Security: Run CodeQL and Trivy scans. Triage and fix any new errors or warnings.
4. **Type Safety (Frontend)**: Run VS Code task "Lint: TypeScript Check" or execute `cd frontend && npm run type-check`
5. Linting: Run `pre-commit` hooks on all files and triage anything not auto-fixed.
4. Security: Run CodeQL and Trivy scans. Triage and fix any new errors or warnings.
5. **Type Safety (Frontend)**: Run VS Code task "Lint: TypeScript Check" or execute `cd frontend && npm run type-check`
6. Linting: Run `pre-commit` hooks on all files and triage anything not auto-fixed.
### 📚 Phase 4: Documentation

18
.github/agents/QA_Security.agent.md vendored
View File

@@ -70,13 +70,21 @@ When Trivy or CodeQLreports CVEs in container dependencies (especially Caddy tra
The task is not complete until ALL of the following pass with zero issues:
1. **Security Scans**:
1. **Playwright E2E Tests (MANDATORY - Run First)**:
- **Run**: `npx playwright test --project=chromium` from project root
- **Why First**: If the app is broken at E2E level, unit tests may need updates. Catch integration issues early.
- **Scope**: Run tests relevant to modified features (e.g., `tests/manual-dns-provider.spec.ts`)
- **On Failure**: Trace root cause through frontend → backend flow, report to Management or Dev subagent
- **Base URL**: Uses `PLAYWRIGHT_BASE_URL` or default `http://100.98.12.109:8080`
- All E2E tests must pass before proceeding
2. **Security Scans**:
- CodeQL: Run VS Code task "Security: CodeQL All (CI-Aligned)" or individual Go/JS tasks
- Trivy: Run VS Code task "Security: Trivy Scan"
- Go Vulnerabilities: Run VS Code task "Security: Go Vulnerability Check"
- Zero Critical/High issues allowed
2. **Coverage Tests (MANDATORY - Run Explicitly)**:
3. **Coverage Tests (MANDATORY - Run Explicitly)**:
- **MANDATORY**: Patch coverage must cover 100% of new/modified code. This prevents CodeCov Report failing CI.
- **Backend**: Run VS Code task "Test: Backend with Coverage" or execute `scripts/go-test-coverage.sh`
- **Frontend**: Run VS Code task "Test: Frontend with Coverage" or execute `scripts/frontend-test-coverage.sh`
@@ -84,14 +92,14 @@ The task is not complete until ALL of the following pass with zero issues:
- Minimum coverage: 85% for both backend and frontend.
- All tests must pass with zero failures.
3. **Type Safety (Frontend)**:
4. **Type Safety (Frontend)**:
- Run VS Code task "Lint: TypeScript Check" or execute `cd frontend && npm run type-check`
- **Why**: This check is in manual stage of pre-commit for performance. You MUST run it explicitly.
- Fix all type errors immediately.
4. **Pre-commit Hooks**: Run `pre-commit run --all-files` (this runs fast hooks only; coverage was verified in step 1)
5. **Pre-commit Hooks**: Run `pre-commit run --all-files` (this runs fast hooks only; coverage was verified in step 3)
5. **Linting (MANDATORY - Run All Explicitly)**:
6. **Linting (MANDATORY - Run All Explicitly)**:
- **Backend GolangCI-Lint**: Run VS Code task "Lint: GolangCI-Lint (Docker)" - This is the FULL linter suite including gocritic, bodyclose, etc.
- **Why**: "Lint: Go Vet" only runs `go vet`, NOT the full golangci-lint suite. CI runs golangci-lint, so you MUST run this task to match CI behavior.
- **Command**: `cd backend && docker run --rm -v $(pwd):/app:ro -w /app golangci/golangci-lint:latest golangci-lint run -v`

29
.github/instructions/copilot-instructions.md vendored
View File

@@ -114,7 +114,15 @@ Before proposing ANY code change or fix, you must build a mental map of the feat
Before marking an implementation task as complete, perform the following in order:
1. **Security Scans** (MANDATORY - Zero Tolerance):
1. **Playwright E2E Tests** (MANDATORY - Run First):
- **Run**: `npx playwright test --project=chromium` from project root
- **Why First**: If the app is broken at E2E level, unit tests may need updates. Catch integration issues early.
- **Scope**: Run tests relevant to modified features (e.g., `tests/manual-dns-provider.spec.ts`)
- **On Failure**: Trace root cause through frontend → backend flow before proceeding
- **Base URL**: Uses `PLAYWRIGHT_BASE_URL` or default from `playwright.config.js`
- All E2E tests must pass before proceeding to unit tests
2. **Security Scans** (MANDATORY - Zero Tolerance):
- **CodeQL Go Scan**: Run VS Code task "Security: CodeQL Go Scan (CI-Aligned)" OR `pre-commit run codeql-go-scan --all-files`
- Must use `security-and-quality` suite (CI-aligned)
- **Zero high/critical (error-level) findings allowed**
@@ -136,12 +144,12 @@ Before marking an implementation task as complete, perform the following in orde
- Database creation: `--threads=0 --overwrite`
- Analysis: `--sarif-add-baseline-file-info`
2. **Pre-Commit Triage**: Run `pre-commit run --all-files`.
3. **Pre-Commit Triage**: Run `pre-commit run --all-files`.
- If errors occur, **fix them immediately**.
- If logic errors occur, analyze and propose a fix.
- Do not output code that violates pre-commit standards.
3. **Staticcheck BLOCKING Validation**: Pre-commit hooks automatically run fast linters including staticcheck.
4. **Staticcheck BLOCKING Validation**: Pre-commit hooks automatically run fast linters including staticcheck.
- **CRITICAL:** Staticcheck errors are BLOCKING - you MUST fix them before commit succeeds.
- Manual verification: Run VS Code task "Lint: Staticcheck (Fast)" or `make lint-fast`
- To check only staticcheck: `make lint-staticcheck-only`
@@ -149,7 +157,7 @@ Before marking an implementation task as complete, perform the following in orde
- If pre-commit fails: Fix the reported issues, then retry commit
- **Do NOT** use `--no-verify` to bypass this check unless emergency hotfix
4. **Coverage Testing** (MANDATORY - Non-negotiable):
5. **Coverage Testing** (MANDATORY - Non-negotiable):
- **MANDATORY**: Patch coverage must cover 100% of modified lines (Codecov Patch view must be green). If patch coverage fails, add targeted tests for the missing patch line ranges.
- **Backend Changes**: Run the VS Code task "Test: Backend with Coverage" or execute `scripts/go-test-coverage.sh`.
- Minimum coverage: 85% (set via `CHARON_MIN_COVERAGE` or `CPM_MIN_COVERAGE`).
@@ -162,22 +170,21 @@ Before marking an implementation task as complete, perform the following in orde
- **Critical**: Coverage tests are NOT run by default pre-commit hooks (they are in manual stage for performance). You MUST run them explicitly via VS Code tasks or scripts before completing any task.
- **Why**: CI enforces coverage in GitHub Actions. Local verification prevents CI failures and maintains code quality.
4. **Type Safety** (Frontend only):
6. **Type Safety** (Frontend only):
- Run the VS Code task "Lint: TypeScript Check" or execute `cd frontend && npm run type-check`.
- Fix all type errors immediately. This is non-negotiable.
- This check is also in manual stage for performance but MUST be run before completion.
5. **Verify Build**: Ensure the backend compiles and the frontend builds without errors.
7. **Verify Build**: Ensure the backend compiles and the frontend builds without errors.
- Backend: `cd backend && go build ./...`
- Frontend: `cd frontend && npm run build`
6. **Fixed and New Code Testing**:
- Ensure all existing and new unit tests pass with zero failures using Playwright MCP.
- When fasilures and Errors are found, deep-dive into root causes. Using the correct `subAgent`, update the working plan, review the implementation, and fix the issues.
8. **Fixed and New Code Testing**:
- Ensure all existing and new unit tests pass with zero failures.
- When failures and errors are found, deep-dive into root causes. Using the correct `subAgent`, update the working plan, review the implementation, and fix the issues.
- No issue is out of scope for investigation and resolution. All issues must be addressed before task completion.
6. **Clean Up**: Ensure no debug print statements or commented-out blocks remain.
9. **Clean Up**: Ensure no debug print statements or commented-out blocks remain.
- Remove `console.log`, `fmt.Println`, and similar debugging statements.
- Delete commented-out code blocks.
- Remove unused imports.

10
.github/instructions/testing.instructions.md vendored
View File

@@ -4,6 +4,16 @@ description: 'Strict protocols for test execution, debugging, and coverage valid
---
# Testing Protocols
## 0. E2E Verification First (Playwright)
**MANDATORY**: Before running unit tests, verify the application functions correctly end-to-end.
* **Run Playwright E2E Tests**: Execute `npx playwright test --project=chromium` from the project root.
* **Why First**: If the application is broken at the E2E level, unit tests may need updates. Playwright catches integration issues early.
* **Base URL**: Tests use `PLAYWRIGHT_BASE_URL` env var or default from `playwright.config.js` (Tailscale IP: `http://100.98.12.109:8080`).
* **On Failure**: Analyze failures, trace root cause through frontend → backend flow, then fix before proceeding to unit tests.
* **Scope**: Run relevant test files for the feature being modified (e.g., `tests/manual-dns-provider.spec.ts`).
## 1. Execution Environment
* **No Truncation:** Never use pipe commands (e.g., `head`, `tail`) or flags that limit stdout/stderr. If a test hangs, it likely requires an interactive input or is caught in a loop; analyze the full output to identify the block.
* **Task-Based Execution:** Do not manually construct test strings. Use existing project tasks (e.g., `npm test`, `go test ./...`). If a specific sub-module requires frequent testing, generate a new task definition in the project's configuration file (e.g., `.vscode/tasks.json`) before proceeding.

7
.vscode/settings.json vendored
View File

@@ -10,5 +10,10 @@
},
"go.useLanguageServer": true,
"go.lintOnSave": "workspace",
"go.vetOnSave": "workspace"
"go.vetOnSave": "workspace",
"yaml.validate": false,
"yaml.schemaStore.enable": false,
"files.exclude": {},
"search.exclude": {},
"files.associations": {}
}

9
backend/.golangci-fast.yml
View File

@@ -24,11 +24,4 @@ linters-settings:
- (net/http.ResponseWriter).Write
issues:
exclude-rules:
# Exclude test files to match main config behavior
- path: _test\.go
linters:
- staticcheck
- errcheck
- govet
- ineffassign
exclude-generated-strict: true

25
backend/.golangci.yml
View File

@@ -1,5 +1,4 @@
version: "2"
# golangci-lint configuration
run:
timeout: 5m
tests: true
@@ -15,7 +14,7 @@ linters:
- unused
- errcheck
linters-config:
linters-settings:
gocritic:
enabled-tags:
- diagnostic
@@ -52,19 +51,17 @@ linters-config:
- os.WriteFile
- os.Remove
- (*gorm.io/gorm.DB).AutoMigrate
# Additional test cleanup functions
- (*database/sql.Rows).Close
- (gorm.io/gorm.Migrator).DropTable
- (*net/http.Response.Body).Close
- json.Unmarshal
- (*github.com/Wikid82/charon/backend/models.User).SetPassword
- (*github.com/Wikid82/charon/backend/internal/services.NotificationService).CreateProvider
- (*github.com/Wikid82/charon/backend/internal/services.ProxyHostService).Create
issues:
exclude-generated-strict: true
exclude-dirs-use-default: false
exclude:
# Exclude some linters from running on tests
- path: _test\.go
linters:
- errcheck
- gosec
- govet
- ineffassign
- staticcheck
exclude-rules:
# Exclude gosec file permission warnings - 0644/0755 are intentional for config/data dirs
- linters:
- gosec

6
backend/cmd/api/main_test.go
View File

@@ -41,7 +41,7 @@ func TestResetPasswordCommand_Succeeds(t *testing.T) {
t.Fatalf("seed user: %v", err)
}
cmd := exec.Command(os.Args[0], "-test.run=TestResetPasswordCommand_Succeeds")
cmd := exec.Command(os.Args[0], "-test.run=TestResetPasswordCommand_Succeeds") //nolint:gosec // G204: Test subprocess pattern using os.Args[0] is safe
cmd.Dir = tmp
cmd.Env = append(os.Environ(),
"CHARON_TEST_RUN_MAIN=1",
@@ -87,7 +87,7 @@ func TestMigrateCommand_Succeeds(t *testing.T) {
t.Fatal("SecurityConfig table should not exist yet")
}
cmd := exec.Command(os.Args[0], "-test.run=TestMigrateCommand_Succeeds")
cmd := exec.Command(os.Args[0], "-test.run=TestMigrateCommand_Succeeds") //nolint:gosec // G204: Test subprocess pattern using os.Args[0] is safe
cmd.Dir = tmp
cmd.Env = append(os.Environ(),
"CHARON_TEST_RUN_MAIN=1",
@@ -147,7 +147,7 @@ func TestStartupVerification_MissingTables(t *testing.T) {
// Close and reopen to simulate startup scenario
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
db, err = database.Connect(dbPath)
if err != nil {

21
backend/cmd/seed/main.go
View File

@@ -107,11 +107,12 @@ func main() {
for _, server := range remoteServers {
result := db.Where("host = ? AND port = ?", server.Host, server.Port).FirstOrCreate(&server)
if result.Error != nil {
switch {
case result.Error != nil:
logger.Log().WithField("server", server.Name).WithError(result.Error).Error("Failed to seed remote server")
} else if result.RowsAffected > 0 {
case result.RowsAffected > 0:
logger.Log().WithField("server", server.Name).Infof("✓ Created remote server: %s (%s:%d)", server.Name, server.Host, server.Port)
} else {
default:
logger.Log().WithField("server", server.Name).Info("Remote server already exists")
}
}
@@ -161,11 +162,12 @@ func main() {
for _, host := range proxyHosts {
result := db.Where("domain_names = ?", host.DomainNames).FirstOrCreate(&host)
if result.Error != nil {
switch {
case result.Error != nil:
logger.Log().WithField("host", util.SanitizeForLog(host.DomainNames)).WithError(result.Error).Error("Failed to seed proxy host")
} else if result.RowsAffected > 0 {
case result.RowsAffected > 0:
logger.Log().WithField("host", util.SanitizeForLog(host.DomainNames)).Infof("✓ Created proxy host: %s -> %s://%s:%d", host.DomainNames, host.ForwardScheme, host.ForwardHost, host.ForwardPort)
} else {
default:
logger.Log().WithField("host", util.SanitizeForLog(host.DomainNames)).Info("Proxy host already exists")
}
}
@@ -194,11 +196,12 @@ func main() {
for _, setting := range settings {
result := db.Where("key = ?", setting.Key).FirstOrCreate(&setting)
if result.Error != nil {
switch {
case result.Error != nil:
logger.Log().WithField("setting", setting.Key).WithError(result.Error).Error("Failed to seed setting")
} else if result.RowsAffected > 0 {
case result.RowsAffected > 0:
logger.Log().WithField("setting", setting.Key).Infof("✓ Created setting: %s = %s", setting.Key, setting.Value)
} else {
default:
logger.Log().WithField("setting", setting.Key).Info("Setting already exists")
}
}

112
backend/final_lint.txt Normal file
View File

@@ -0,0 +1,112 @@
internal/api/handlers/security_handler_audit_test.go:581:18: Error return value of `json.Unmarshal` is not checked (errcheck)
json.Unmarshal(w.Body.Bytes(), &resp)
^
internal/api/handlers/security_handler_coverage_test.go:525:16: Error return value of `json.Unmarshal` is not checked (errcheck)
json.Unmarshal(w.Body.Bytes(), &tokenResp)
^
internal/api/handlers/security_handler_coverage_test.go:589:16: Error return value of `json.Unmarshal` is not checked (errcheck)
json.Unmarshal(w.Body.Bytes(), &resp)
^
internal/caddy/config_test.go:1794:14: Error return value of `os.Unsetenv` is not checked (errcheck)
os.Unsetenv(v)
^
internal/config/config_test.go:74:11: Error return value of `os.Setenv` is not checked (errcheck)
os.Setenv("CPM_DB_PATH", filepath.Join(tempDir, "db", "test.db"))
^
internal/config/config_test.go:75:11: Error return value of `os.Setenv` is not checked (errcheck)
os.Setenv("CPM_IMPORT_DIR", filepath.Join(tempDir, "imports"))
^
internal/config/config_test.go:82:11: Error return value of `os.Setenv` is not checked (errcheck)
os.Setenv("CPM_CADDY_CONFIG_DIR", filepath.Join(tempDir, "caddy"))
^
internal/config/config_test.go:175:19: Error return value of `os.Unsetenv` is not checked (errcheck)
defer os.Unsetenv("CHARON_ACME_STAGING")
^
internal/config/config_test.go:196:19: Error return value of `os.Unsetenv` is not checked (errcheck)
defer os.Unsetenv("CHARON_DEBUG")
^
internal/services/dns_provider_service_test.go:1493:13: Error return value of `sqlDB.Close` is not checked (errcheck)
sqlDB.Close()
^
internal/services/dns_provider_service_test.go:1531:13: Error return value of `sqlDB.Close` is not checked (errcheck)
sqlDB.Close()
^
internal/services/dns_provider_service_test.go:1549:13: Error return value of `sqlDB.Close` is not checked (errcheck)
sqlDB.Close()
^
cmd/seed/seed_smoke_test.go:21:12: G301: Expect directory permissions to be 0750 or less (gosec)
if err := os.MkdirAll("data", 0o755); err != nil {
^
internal/api/handlers/manual_challenge_handler.go:649:15: G115: integer overflow conversion int -> uint (gosec)
return uint(v)
^
internal/api/handlers/manual_challenge_handler.go:651:15: G115: integer overflow conversion int64 -> uint (gosec)
return uint(v)
^
internal/api/handlers/security_handler_rules_decisions_test.go:162:92: G115: integer overflow conversion uint -> int (gosec)
req = httptest.NewRequest(http.MethodDelete, "/api/v1/security/rulesets/"+strconv.Itoa(int(rs.ID)), http.NoBody)
^
internal/caddy/config.go:463:16: G602: slice index out of range (gosec)
host := hosts[i]
^
internal/config/config.go:68:12: G301: Expect directory permissions to be 0750 or less (gosec)
if err := os.MkdirAll(filepath.Dir(cfg.DatabasePath), 0o755); err != nil {
^
internal/config/config.go:72:12: G301: Expect directory permissions to be 0750 or less (gosec)
if err := os.MkdirAll(cfg.CaddyConfigDir, 0o755); err != nil {
^
internal/config/config_test.go:67:12: G304: Potential file inclusion via variable (gosec)
f, err := os.Create(filePath)
^
internal/config/config_test.go:148:12: G304: Potential file inclusion via variable (gosec)
f, err := os.Create(blockingFile)
^
internal/crowdsec/hub_cache.go:82:12: G306: Expect WriteFile permissions to be 0600 or less (gosec)
if err := os.WriteFile(archivePath, archive, 0o640); err != nil {
^
internal/crowdsec/hub_cache.go:86:12: G306: Expect WriteFile permissions to be 0600 or less (gosec)
if err := os.WriteFile(previewPath, []byte(preview), 0o640); err != nil {
^
internal/crowdsec/hub_cache.go:105:12: G306: Expect WriteFile permissions to be 0600 or less (gosec)
if err := os.WriteFile(metaPath, raw, 0o640); err != nil {
^
internal/crowdsec/hub_cache.go:127:15: G304: Potential file inclusion via variable (gosec)
data, err := os.ReadFile(metaPath)
^
internal/crowdsec/hub_sync.go:1016:16: G110: Potential DoS vulnerability via decompression bomb (gosec)
if _, err := io.Copy(f, tr); err != nil {
^
internal/database/database_test.go:181:12: G302: Expect file permissions to be 0600 or less (gosec)
f, err := os.OpenFile(dbPath, os.O_RDWR, 0o644)
^
internal/database/errors_test.go:187:12: G302: Expect file permissions to be 0600 or less (gosec)
f, err := os.OpenFile(dbPath, os.O_RDWR, 0o644)
^
internal/services/backup_service.go:316:12: G305: File traversal when extracting zip/tar archive (gosec)
fpath := filepath.Join(dest, f.Name)
^
internal/services/backup_service.go:345:12: G110: Potential DoS vulnerability via decompression bomb (gosec)
_, err = io.Copy(outFile, rc)
^
internal/services/backup_service_test.go:469:6: G302: Expect file permissions to be 0600 or less (gosec)
_ = os.Chmod(service.BackupDir, 0o444)
^
internal/services/uptime_service_test.go:58:13: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
server := &http.Server{
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}),
}
internal/services/uptime_service_test.go:831:14: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
server := &http.Server{
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusNotFound)
}),
}
internal/util/crypto_test.go:63:2: G101: Potential hardcoded credentials (gosec)
secret := "a]3kL9#mP2$vN7@qR5*wX1&yT4^uI8%oE0!"
^
34 issues:
* errcheck: 12
* gosec: 22
exit status 1

31
backend/fix_all_errcheck.sh Executable file
View File

@@ -0,0 +1,31 @@
#!/bin/bash
# Fix all errcheck errors iteratively
for i in {1..10}; do
echo "=== Iteration $i ==="
# Run linter and extract just file:line for errcheck errors
errors=$(go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest run --config .golangci.yml ./... 2>&1 | grep "errcheck" | grep -oP '.*\.go:\d+' | sort -u)
if [ -z "$errors" ]; then
echo "NO MORE ERRCHECK ERRORS FOUND!"
break
fi
echo "Found $(echo "$errors" | wc -l) error locations"
# Fix each one
while IFS=: read -r file line; do
# Check what function is on that line
func=$(sed -n "${line}p" "$file" | grep -oP '(db\.AutoMigrate|json\.Unmarshal|os\.Setenv|os\.Unsetenv|sqlDB\.Close|w\.Write)')
if [ "$func" = "w.Write" ]; then
# w.Write returns 2 values
sed -i "${line}s/w\.Write/_, _ = w.Write/" "$file"
elif [ -n "$func" ]; then
sed -i "${line}s/${func}/_ = ${func}/" "$file"
fi
echo "Fixed $file:$line"
done <<< "$errors"
done

67
backend/fix_all_lint_errors.sh Executable file
View File

@@ -0,0 +1,67 @@
#!/bin/bash
# Fix ALL errcheck and typecheck errors iteratively until ZERO remain
MAX_ITER=20
for i in $(seq 1 $MAX_ITER); do
echo "=== ITERATION $i ==="
# Run full linter
go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest run --config .golangci.yml ./... 2>&1 > lint_iter_$i.txt
# Extract errcheck errors
errcheck_errors=$(grep "errcheck" lint_iter_$i.txt | grep -oP '.*\.go:\d+' | sort -u)
# Extract typecheck/defer errors
typecheck_errors=$(grep "typecheck.*unexpected = at end of statement\|expected '==', found '='" lint_iter_$i.txt | grep -oP '.*\.go:\d+' | head -1 | cut -d: -f1-2)
errcheck_count=$(echo "$errcheck_errors" | grep -v '^$' | wc -l)
typecheck_count=$(echo "$typecheck_errors" | grep -v '^$' | wc -l)
echo "Found $errcheck_count errcheck errors and $typecheck_count typecheck errors"
if [ "$errcheck_count" -eq 0 ] && [ "$typecheck_count" -eq 0 ]; then
echo "✅ ✅ ✅ NO MORE ERRORS! SUCCESS! ✅ ✅ ✅"
break
fi
# Fix errcheck errors
if [ "$errcheck_count" -gt 0 ]; then
while IFS=: read -r file line; do
[ -z "$file" ] && continue
func=$(sed -n "${line}p" "$file" | grep -oP '(db\.AutoMigrate|json\.Unmarshal|os\.Setenv|os\.Unsetenv|sqlDB\.Close|w\.Write)')
if [ "$func" = "w.Write" ]; then
sed -i "${line}s/w\.Write/_, _ = w.Write/" "$file"
echo "Fixed $file:$line (w.Write)"
elif [ -n "$func" ]; then
sed -i "${line}s/${func}/_ = ${func}/" "$file"
echo "Fixed $file:$line ($func)"
fi
done <<< "$errcheck_errors"
fi
# Fix typecheck/defer errors
if [ "$typecheck_count" -gt 0 ]; then
while IFS=: read -r file line; do
[ -z "$file" ] && continue
# Check if it's a defer with blank identifier
content=$(sed -n "${line}p" "$file")
if echo "$content" | grep -q "defer _ = os\.Unsetenv"; then
# Extract the argument
arg=$(echo "$content" | grep -oP 'os\.Unsetenv\([^)]+\)')
# Replace with proper defer wrapper
sed -i "${line}s|defer _ = ${arg}|defer func() { _ = ${arg} }()|" "$file"
echo "Fixed defer Unsetenv at $file:$line"
elif echo "$content" | grep -q "defer _ = os\.Setenv"; then
arg=$(echo "$content" | grep -oP 'os\.Setenv\([^)]+,[^)]+\)')
sed -i "${line}s|defer _ = ${arg}|defer func() { _ = ${arg} }()|" "$file"
echo "Fixed defer Setenv at $file:$line"
fi
done <<< "$typecheck_errors"
fi
done
if [ $i -eq $MAX_ITER ]; then
echo "❌ Reached maximum iterations!"
exit 1
fi

129
backend/full_lint_output.txt Normal file
View File

@@ -0,0 +1,129 @@
internal/api/handlers/notification_coverage_test.go:22:16: Error return value of `db.AutoMigrate` is not checked (errcheck)
db.AutoMigrate(&models.Notification{}, &models.NotificationProvider{}, &models.NotificationTemplate{})
^
internal/api/handlers/pr_coverage_test.go:404:16: Error return value of `db.AutoMigrate` is not checked (errcheck)
db.AutoMigrate(&models.SecurityAudit{}, &models.DNSProvider{})
^
internal/api/handlers/pr_coverage_test.go:438:16: Error return value of `db.AutoMigrate` is not checked (errcheck)
db.AutoMigrate(&models.SecurityAudit{}, &models.DNSProvider{})
^
internal/api/handlers/settings_handler_test.go:895:16: Error return value of `json.Unmarshal` is not checked (errcheck)
json.Unmarshal(w.Body.Bytes(), &resp)
^
internal/api/handlers/settings_handler_test.go:923:16: Error return value of `json.Unmarshal` is not checked (errcheck)
json.Unmarshal(w.Body.Bytes(), &resp)
^
internal/api/handlers/settings_handler_test.go:1081:16: Error return value of `json.Unmarshal` is not checked (errcheck)
json.Unmarshal(w.Body.Bytes(), &resp)
^
internal/caddy/manager_additional_test.go:1467:11: Error return value of `w.Write` is not checked (errcheck)
w.Write([]byte(`{"apps":{"http":{}}}`))
^
internal/caddy/manager_additional_test.go:1522:11: Error return value of `w.Write` is not checked (errcheck)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
^
internal/caddy/manager_test.go:133:11: Error return value of `w.Write` is not checked (errcheck)
w.Write([]byte(`{"apps": {"http": {}}}`))
^
internal/config/config_test.go:56:11: Error return value of `os.Setenv` is not checked (errcheck)
os.Setenv("CHARON_DB_PATH", charonDB)
^
internal/config/config_test.go:57:11: Error return value of `os.Setenv` is not checked (errcheck)
os.Setenv("CPM_DB_PATH", cpmDB)
^
internal/config/config_test.go:72:11: Error return value of `os.Setenv` is not checked (errcheck)
os.Setenv("CPM_CADDY_CONFIG_DIR", filePath)
^
internal/config/config_test.go:157:14: Error return value of `os.Unsetenv` is not checked (errcheck)
os.Unsetenv("CHARON_DB_PATH")
^
internal/config/config_test.go:158:14: Error return value of `os.Unsetenv` is not checked (errcheck)
os.Unsetenv("CHARON_CADDY_CONFIG_DIR")
^
internal/config/config_test.go:159:14: Error return value of `os.Unsetenv` is not checked (errcheck)
os.Unsetenv("CHARON_IMPORT_DIR")
^
internal/database/errors_test.go:230:13: Error return value of `sqlDB.Close` is not checked (errcheck)
sqlDB.Close()
^
internal/services/dns_provider_service_test.go:1446:13: Error return value of `sqlDB.Close` is not checked (errcheck)
sqlDB.Close()
^
internal/services/dns_provider_service_test.go:1466:13: Error return value of `sqlDB.Close` is not checked (errcheck)
sqlDB.Close()
^
cmd/seed/seed_smoke_test.go:21:12: G301: Expect directory permissions to be 0750 or less (gosec)
if err := os.MkdirAll("data", 0o755); err != nil {
^
internal/api/handlers/manual_challenge_handler.go:649:15: G115: integer overflow conversion int -> uint (gosec)
return uint(v)
^
internal/api/handlers/manual_challenge_handler.go:651:15: G115: integer overflow conversion int64 -> uint (gosec)
return uint(v)
^
internal/api/handlers/security_handler_rules_decisions_test.go:162:92: G115: integer overflow conversion uint -> int (gosec)
req = httptest.NewRequest(http.MethodDelete, "/api/v1/security/rulesets/"+strconv.Itoa(int(rs.ID)), http.NoBody)
^
internal/caddy/config.go:463:16: G602: slice index out of range (gosec)
host := hosts[i]
^
internal/config/config.go:68:12: G301: Expect directory permissions to be 0750 or less (gosec)
if err := os.MkdirAll(filepath.Dir(cfg.DatabasePath), 0o755); err != nil {
^
internal/config/config.go:72:12: G301: Expect directory permissions to be 0750 or less (gosec)
if err := os.MkdirAll(cfg.CaddyConfigDir, 0o755); err != nil {
^
internal/config/config_test.go:67:12: G304: Potential file inclusion via variable (gosec)
f, err := os.Create(filePath)
^
internal/config/config_test.go:148:12: G304: Potential file inclusion via variable (gosec)
f, err := os.Create(blockingFile)
^
internal/crowdsec/hub_cache.go:82:12: G306: Expect WriteFile permissions to be 0600 or less (gosec)
if err := os.WriteFile(archivePath, archive, 0o640); err != nil {
^
internal/crowdsec/hub_cache.go:86:12: G306: Expect WriteFile permissions to be 0600 or less (gosec)
if err := os.WriteFile(previewPath, []byte(preview), 0o640); err != nil {
^
internal/crowdsec/hub_cache.go:105:12: G306: Expect WriteFile permissions to be 0600 or less (gosec)
if err := os.WriteFile(metaPath, raw, 0o640); err != nil {
^
internal/crowdsec/hub_cache.go:127:15: G304: Potential file inclusion via variable (gosec)
data, err := os.ReadFile(metaPath)
^
internal/crowdsec/hub_sync.go:1016:16: G110: Potential DoS vulnerability via decompression bomb (gosec)
if _, err := io.Copy(f, tr); err != nil {
^
internal/database/database_test.go:181:12: G302: Expect file permissions to be 0600 or less (gosec)
f, err := os.OpenFile(dbPath, os.O_RDWR, 0o644)
^
internal/database/errors_test.go:187:12: G302: Expect file permissions to be 0600 or less (gosec)
f, err := os.OpenFile(dbPath, os.O_RDWR, 0o644)
^
internal/services/backup_service.go:316:12: G305: File traversal when extracting zip/tar archive (gosec)
fpath := filepath.Join(dest, f.Name)
^
internal/services/backup_service.go:345:12: G110: Potential DoS vulnerability via decompression bomb (gosec)
_, err = io.Copy(outFile, rc)
^
internal/services/backup_service_test.go:469:6: G302: Expect file permissions to be 0600 or less (gosec)
_ = os.Chmod(service.BackupDir, 0o444)
^
internal/services/uptime_service_test.go:58:13: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
server := &http.Server{
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}),
}
internal/services/uptime_service_test.go:831:14: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
server := &http.Server{
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusNotFound)
}),
}
internal/util/crypto_test.go:63:2: G101: Potential hardcoded credentials (gosec)
secret := "a]3kL9#mP2$vN7@qR5*wX1&yT4^uI8%oE0!"
^
40 issues:
* errcheck: 18
* gosec: 22

6
backend/internal/api/handlers/access_list_handler_coverage_test.go
View File

@@ -16,7 +16,7 @@ import (
func TestAccessListHandler_SetGeoIPService(t *testing.T) {
db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
db.AutoMigrate(&models.AccessList{})
_ = db.AutoMigrate(&models.AccessList{})
handler := NewAccessListHandler(db)
@@ -30,7 +30,7 @@ func TestAccessListHandler_SetGeoIPService(t *testing.T) {
func TestAccessListHandler_SetGeoIPService_Nil(t *testing.T) {
db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
db.AutoMigrate(&models.AccessList{})
_ = db.AutoMigrate(&models.AccessList{})
handler := NewAccessListHandler(db)
@@ -151,7 +151,7 @@ func TestAccessListHandler_Get_DBError(t *testing.T) {
func TestAccessListHandler_Delete_InternalError(t *testing.T) {
db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
// Migrate AccessList but not ProxyHost to cause internal error on delete
db.AutoMigrate(&models.AccessList{})
_ = db.AutoMigrate(&models.AccessList{})
gin.SetMode(gin.TestMode)
router := gin.New()

64
backend/internal/api/handlers/additional_coverage_test.go
View File

@@ -22,7 +22,7 @@ import (
func setupImportCoverageDB(t *testing.T) *gorm.DB {
t.Helper()
db := OpenTestDB(t)
db.AutoMigrate(&models.ImportSession{}, &models.ProxyHost{}, &models.Domain{})
_ = db.AutoMigrate(&models.ImportSession{}, &models.ProxyHost{}, &models.Domain{})
return db
}
@@ -90,7 +90,7 @@ func TestImportHandler_Commit_SessionNotFound(t *testing.T) {
func setupRemoteServerCoverageDB2(t *testing.T) *gorm.DB {
t.Helper()
db := OpenTestDB(t)
db.AutoMigrate(&models.RemoteServer{})
_ = db.AutoMigrate(&models.RemoteServer{})
return db
}
@@ -106,7 +106,7 @@ func TestRemoteServerHandler_TestConnection_Unreachable(t *testing.T) {
Host: "192.0.2.1", // TEST-NET - not routable
Port: 65535,
}
svc.Create(server)
_ = svc.Create(server)
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -124,7 +124,7 @@ func TestRemoteServerHandler_TestConnection_Unreachable(t *testing.T) {
func setupSecurityCoverageDB3(t *testing.T) *gorm.DB {
t.Helper()
db := OpenTestDB(t)
db.AutoMigrate(
_ = db.AutoMigrate(
&models.SecurityConfig{},
&models.SecurityDecision{},
&models.SecurityRuleSet{},
@@ -140,7 +140,7 @@ func TestSecurityHandler_GetConfig_InternalError(t *testing.T) {
h := NewSecurityHandler(config.SecurityConfig{}, db, nil)
// Drop table to cause internal error (not ErrSecurityConfigNotFound)
db.Migrator().DropTable(&models.SecurityConfig{})
_ = db.Migrator().DropTable(&models.SecurityConfig{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -183,7 +183,7 @@ func TestSecurityHandler_GenerateBreakGlass_Error(t *testing.T) {
h := NewSecurityHandler(config.SecurityConfig{}, db, nil)
// Drop the config table so generate fails
db.Migrator().DropTable(&models.SecurityConfig{})
_ = db.Migrator().DropTable(&models.SecurityConfig{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -202,7 +202,7 @@ func TestSecurityHandler_ListDecisions_Error(t *testing.T) {
h := NewSecurityHandler(config.SecurityConfig{}, db, nil)
// Drop decisions table
db.Migrator().DropTable(&models.SecurityDecision{})
_ = db.Migrator().DropTable(&models.SecurityDecision{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -221,7 +221,7 @@ func TestSecurityHandler_ListRuleSets_Error(t *testing.T) {
h := NewSecurityHandler(config.SecurityConfig{}, db, nil)
// Drop rulesets table
db.Migrator().DropTable(&models.SecurityRuleSet{})
_ = db.Migrator().DropTable(&models.SecurityRuleSet{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -240,7 +240,7 @@ func TestSecurityHandler_UpsertRuleSet_Error(t *testing.T) {
h := NewSecurityHandler(config.SecurityConfig{}, db, nil)
// Drop table to cause upsert to fail
db.Migrator().DropTable(&models.SecurityRuleSet{})
_ = db.Migrator().DropTable(&models.SecurityRuleSet{})
body, _ := json.Marshal(map[string]any{
"name": "test-ruleset",
@@ -265,7 +265,7 @@ func TestSecurityHandler_CreateDecision_LogError(t *testing.T) {
h := NewSecurityHandler(config.SecurityConfig{}, db, nil)
// Drop decisions table to cause log to fail
db.Migrator().DropTable(&models.SecurityDecision{})
_ = db.Migrator().DropTable(&models.SecurityDecision{})
body, _ := json.Marshal(map[string]any{
"ip": "192.168.1.1",
@@ -290,7 +290,7 @@ func TestSecurityHandler_DeleteRuleSet_Error(t *testing.T) {
h := NewSecurityHandler(config.SecurityConfig{}, db, nil)
// Drop table to cause delete to fail (not NotFound but table error)
db.Migrator().DropTable(&models.SecurityRuleSet{})
_ = db.Migrator().DropTable(&models.SecurityRuleSet{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -321,7 +321,7 @@ func TestCrowdsec_ImportConfig_EmptyUpload(t *testing.T) {
fw, _ := mw.CreateFormFile("file", "empty.tar.gz")
// Write nothing to make file empty
_ = fw
mw.Close()
_ = mw.Close()
w := httptest.NewRecorder()
req := httptest.NewRequest("POST", "/api/v1/admin/crowdsec/import", buf)
@@ -451,10 +451,10 @@ func setupLogsDownloadTest(t *testing.T) (h *LogsHandler, logsDir string) {
t.Helper()
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
logsDir = filepath.Join(dataDir, "logs")
os.MkdirAll(logsDir, 0o755)
_ = os.MkdirAll(logsDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
cfg := &config.Config{DatabasePath: dbPath}
@@ -499,7 +499,7 @@ func TestLogsHandler_Download_Success(t *testing.T) {
h, logsDir := setupLogsDownloadTest(t)
// Create a log file to download
os.WriteFile(filepath.Join(logsDir, "test.log"), []byte("log content"), 0o644)
_ = os.WriteFile(filepath.Join(logsDir, "test.log"), []byte("log content"), 0o644)
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -557,11 +557,11 @@ func TestBackupHandler_List_ServiceError(t *testing.T) {
// Create a temp dir with invalid permission for backup dir
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
// Create database file so config is valid
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{
DatabasePath: dbPath,
@@ -571,8 +571,8 @@ func TestBackupHandler_List_ServiceError(t *testing.T) {
h := NewBackupHandler(svc)
// Make backup dir a file to cause ReadDir error
os.RemoveAll(svc.BackupDir)
os.WriteFile(svc.BackupDir, []byte("not a dir"), 0o644)
_ = os.RemoveAll(svc.BackupDir)
_ = os.WriteFile(svc.BackupDir, []byte("not a dir"), 0o644)
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -589,10 +589,10 @@ func TestBackupHandler_Delete_PathTraversal(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{
DatabasePath: dbPath,
@@ -619,10 +619,10 @@ func TestBackupHandler_Delete_InternalError2(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{
DatabasePath: dbPath,
@@ -634,13 +634,13 @@ func TestBackupHandler_Delete_InternalError2(t *testing.T) {
// Create a backup
backupsDir := filepath.Join(dataDir, "backups")
os.MkdirAll(backupsDir, 0o755)
_ = os.MkdirAll(backupsDir, 0o755)
backupFile := filepath.Join(backupsDir, "test.zip")
os.WriteFile(backupFile, []byte("backup"), 0o644)
_ = os.WriteFile(backupFile, []byte("backup"), 0o644)
// Remove write permissions to cause delete error
os.Chmod(backupsDir, 0o555)
defer os.Chmod(backupsDir, 0o755)
_ = os.Chmod(backupsDir, 0o555)
defer func() { _ = os.Chmod(backupsDir, 0o755) }()
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -697,7 +697,7 @@ func TestRemoteServerHandler_TestConnectionCustom_Unreachable2(t *testing.T) {
func setupAuthCoverageDB(t *testing.T) *gorm.DB {
t.Helper()
db := OpenTestDB(t)
db.AutoMigrate(&models.User{}, &models.Setting{})
_ = db.AutoMigrate(&models.User{}, &models.Setting{})
return db
}
@@ -743,7 +743,7 @@ func TestBackupHandler_Create_Error(t *testing.T) {
// Use a path where database file doesn't exist
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
// Don't create the database file - this will cause CreateBackup to fail
dbPath := filepath.Join(dataDir, "charon.db")
@@ -772,7 +772,7 @@ func TestBackupHandler_Create_Error(t *testing.T) {
func setupSettingsCoverageDB(t *testing.T) *gorm.DB {
t.Helper()
db := OpenTestDB(t)
db.AutoMigrate(&models.Setting{})
_ = db.AutoMigrate(&models.Setting{})
return db
}
@@ -783,7 +783,7 @@ func TestSettingsHandler_GetSettings_Error(t *testing.T) {
h := NewSettingsHandler(db)
// Drop table to cause error
db.Migrator().DropTable(&models.Setting{})
_ = db.Migrator().DropTable(&models.Setting{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -825,7 +825,7 @@ func TestRemoteServerHandler_TestConnection_Reachable(t *testing.T) {
Host: "127.0.0.1",
Port: 22, // SSH port typically listening on localhost
}
svc.Create(server)
_ = svc.Create(server)
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)

6
backend/internal/api/handlers/audit_log_handler_test.go
View File

@@ -376,7 +376,7 @@ func TestAuditLogHandler_ServiceErrors(t *testing.T) {
// Close the database to trigger error
sqlDB, err := db.DB()
assert.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -621,14 +621,14 @@ func TestAuditLogHandler_Get_InternalError(t *testing.T) {
// Create a fresh DB and immediately close it to simulate internal error
db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
assert.NoError(t, err)
db.AutoMigrate(&models.SecurityAudit{})
_ = db.AutoMigrate(&models.SecurityAudit{})
securityService := services.NewSecurityService(db)
handler := NewAuditLogHandler(securityService)
// Close the DB to force internal error (not "not found")
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)

46
backend/internal/api/handlers/auth_handler_test.go
View File

@@ -23,7 +23,7 @@ func setupAuthHandler(t *testing.T) (*AuthHandler, *gorm.DB) {
dbName := "file:" + t.Name() + "?mode=memory&cache=shared"
db, err := gorm.Open(sqlite.Open(dbName), &gorm.Config{})
require.NoError(t, err)
db.AutoMigrate(&models.User{}, &models.Setting{})
_ = db.AutoMigrate(&models.User{}, &models.Setting{})
cfg := config.Config{JWTSecret: "test-secret"}
authService := services.NewAuthService(db, cfg)
@@ -40,7 +40,7 @@ func TestAuthHandler_Login(t *testing.T) {
Email: "test@example.com",
Name: "Test User",
}
user.SetPassword("password123")
_ = user.SetPassword("password123")
db.Create(user)
gin.SetMode(gin.TestMode)
@@ -64,8 +64,8 @@ func TestAuthHandler_Login(t *testing.T) {
func TestSetSecureCookie_HTTPS_Strict(t *testing.T) {
gin.SetMode(gin.TestMode)
os.Setenv("CHARON_ENV", "production")
defer os.Unsetenv("CHARON_ENV")
_ = os.Setenv("CHARON_ENV", "production")
defer func() { _ = os.Unsetenv("CHARON_ENV") }()
recorder := httptest.NewRecorder()
ctx, _ := gin.CreateTestContext(recorder)
req := httptest.NewRequest("POST", "https://example.com/login", http.NoBody)
@@ -218,7 +218,7 @@ func TestAuthHandler_Me(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, float64(user.ID), resp["user_id"])
assert.Equal(t, "admin", resp["role"])
assert.Equal(t, "Me User", resp["name"])
@@ -253,7 +253,7 @@ func TestAuthHandler_ChangePassword(t *testing.T) {
Email: "change@example.com",
Name: "Change User",
}
user.SetPassword("oldpassword")
_ = user.SetPassword("oldpassword")
db.Create(user)
gin.SetMode(gin.TestMode)
@@ -288,7 +288,7 @@ func TestAuthHandler_ChangePassword_WrongOld(t *testing.T) {
t.Parallel()
handler, db := setupAuthHandler(t)
user := &models.User{UUID: uuid.NewString(), Email: "wrong@example.com"}
user.SetPassword("correct")
_ = user.SetPassword("correct")
db.Create(user)
gin.SetMode(gin.TestMode)
@@ -344,7 +344,7 @@ func setupAuthHandlerWithDB(t *testing.T) (*AuthHandler, *gorm.DB) {
dbName := "file:" + t.Name() + "?mode=memory&cache=shared"
db, err := gorm.Open(sqlite.Open(dbName), &gorm.Config{})
require.NoError(t, err)
db.AutoMigrate(&models.User{}, &models.Setting{}, &models.ProxyHost{})
_ = db.AutoMigrate(&models.User{}, &models.Setting{}, &models.ProxyHost{})
cfg := config.Config{JWTSecret: "test-secret"}
authService := services.NewAuthService(db, cfg)
@@ -401,7 +401,7 @@ func TestAuthHandler_Verify_ValidToken(t *testing.T) {
Role: "user",
Enabled: true,
}
user.SetPassword("password123")
_ = user.SetPassword("password123")
db.Create(user)
// Generate token
@@ -432,7 +432,7 @@ func TestAuthHandler_Verify_BearerToken(t *testing.T) {
Role: "admin",
Enabled: true,
}
user.SetPassword("password123")
_ = user.SetPassword("password123")
db.Create(user)
token, _ := handler.authService.GenerateToken(user)
@@ -460,7 +460,7 @@ func TestAuthHandler_Verify_DisabledUser(t *testing.T) {
Name: "Disabled User",
Role: "user",
}
user.SetPassword("password123")
_ = user.SetPassword("password123")
db.Create(user)
// Explicitly disable after creation to bypass GORM's default:true behavior
db.Model(user).Update("enabled", false)
@@ -502,7 +502,7 @@ func TestAuthHandler_Verify_ForwardAuthDenied(t *testing.T) {
Enabled: true,
PermissionMode: models.PermissionModeDenyAll,
}
user.SetPassword("password123")
_ = user.SetPassword("password123")
db.Create(user)
token, _ := handler.authService.GenerateToken(user)
@@ -533,7 +533,7 @@ func TestAuthHandler_VerifyStatus_NotAuthenticated(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, false, resp["authenticated"])
}
@@ -551,7 +551,7 @@ func TestAuthHandler_VerifyStatus_InvalidToken(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, false, resp["authenticated"])
}
@@ -566,7 +566,7 @@ func TestAuthHandler_VerifyStatus_Authenticated(t *testing.T) {
Role: "user",
Enabled: true,
}
user.SetPassword("password123")
_ = user.SetPassword("password123")
db.Create(user)
token, _ := handler.authService.GenerateToken(user)
@@ -582,7 +582,7 @@ func TestAuthHandler_VerifyStatus_Authenticated(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, true, resp["authenticated"])
userObj := resp["user"].(map[string]any)
assert.Equal(t, "status@example.com", userObj["email"])
@@ -598,7 +598,7 @@ func TestAuthHandler_VerifyStatus_DisabledUser(t *testing.T) {
Name: "Disabled User 2",
Role: "user",
}
user.SetPassword("password123")
_ = user.SetPassword("password123")
db.Create(user)
// Explicitly disable after creation to bypass GORM's default:true behavior
db.Model(user).Update("enabled", false)
@@ -616,7 +616,7 @@ func TestAuthHandler_VerifyStatus_DisabledUser(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, false, resp["authenticated"])
}
@@ -668,7 +668,7 @@ func TestAuthHandler_GetAccessibleHosts_AllowAll(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
hosts := resp["hosts"].([]any)
assert.Len(t, hosts, 2)
}
@@ -705,7 +705,7 @@ func TestAuthHandler_GetAccessibleHosts_DenyAll(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
hosts := resp["hosts"].([]any)
assert.Len(t, hosts, 0)
}
@@ -745,7 +745,7 @@ func TestAuthHandler_GetAccessibleHosts_PermittedHosts(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
hosts := resp["hosts"].([]any)
assert.Len(t, hosts, 1)
}
@@ -834,7 +834,7 @@ func TestAuthHandler_CheckHostAccess_Allowed(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, true, resp["can_access"])
}
@@ -867,6 +867,6 @@ func TestAuthHandler_CheckHostAccess_Denied(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, false, resp["can_access"])
}

46
backend/internal/api/handlers/backup_handler_test.go
View File

@@ -69,7 +69,7 @@ func setupBackupTest(t *testing.T) (*gin.Engine, *services.BackupService, string
func TestBackupLifecycle(t *testing.T) {
router, _, tmpDir := setupBackupTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// 1. List backups (should be empty)
req := httptest.NewRequest(http.MethodGet, "/api/v1/backups", http.NoBody)
@@ -124,7 +124,7 @@ func TestBackupLifecycle(t *testing.T) {
router.ServeHTTP(resp, req)
require.Equal(t, http.StatusOK, resp.Code)
var list []any
json.Unmarshal(resp.Body.Bytes(), &list)
_ = json.Unmarshal(resp.Body.Bytes(), &list)
require.Empty(t, list)
// 8. Delete non-existent backup
@@ -148,18 +148,18 @@ func TestBackupLifecycle(t *testing.T) {
func TestBackupHandler_Errors(t *testing.T) {
router, svc, tmpDir := setupBackupTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// 1. List Error (remove backup dir to cause ReadDir error)
// Note: Service now handles missing dir gracefully by returning empty list
os.RemoveAll(svc.BackupDir)
_ = os.RemoveAll(svc.BackupDir)
req := httptest.NewRequest(http.MethodGet, "/api/v1/backups", http.NoBody)
resp := httptest.NewRecorder()
router.ServeHTTP(resp, req)
require.Equal(t, http.StatusOK, resp.Code)
var list []any
json.Unmarshal(resp.Body.Bytes(), &list)
_ = json.Unmarshal(resp.Body.Bytes(), &list)
require.Empty(t, list)
// 4. Delete Error (Not Found)
@@ -171,7 +171,7 @@ func TestBackupHandler_Errors(t *testing.T) {
func TestBackupHandler_List_Success(t *testing.T) {
router, _, tmpDir := setupBackupTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// Create a backup first
req := httptest.NewRequest(http.MethodPost, "/api/v1/backups", http.NoBody)
@@ -194,7 +194,7 @@ func TestBackupHandler_List_Success(t *testing.T) {
func TestBackupHandler_Create_Success(t *testing.T) {
router, _, tmpDir := setupBackupTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
req := httptest.NewRequest(http.MethodPost, "/api/v1/backups", http.NoBody)
resp := httptest.NewRecorder()
@@ -202,14 +202,14 @@ func TestBackupHandler_Create_Success(t *testing.T) {
require.Equal(t, http.StatusCreated, resp.Code)
var result map[string]string
json.Unmarshal(resp.Body.Bytes(), &result)
_ = json.Unmarshal(resp.Body.Bytes(), &result)
require.NotEmpty(t, result["filename"])
require.Contains(t, result["filename"], "backup_")
}
func TestBackupHandler_Download_Success(t *testing.T) {
router, _, tmpDir := setupBackupTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// Create backup
req := httptest.NewRequest(http.MethodPost, "/api/v1/backups", http.NoBody)
@@ -218,7 +218,7 @@ func TestBackupHandler_Download_Success(t *testing.T) {
require.Equal(t, http.StatusCreated, resp.Code)
var result map[string]string
json.Unmarshal(resp.Body.Bytes(), &result)
_ = json.Unmarshal(resp.Body.Bytes(), &result)
filename := result["filename"]
// Download it
@@ -231,7 +231,7 @@ func TestBackupHandler_Download_Success(t *testing.T) {
func TestBackupHandler_PathTraversal(t *testing.T) {
router, _, tmpDir := setupBackupTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// Try path traversal in Delete
req := httptest.NewRequest(http.MethodDelete, "/api/v1/backups/../../../etc/passwd", http.NoBody)
@@ -254,7 +254,7 @@ func TestBackupHandler_PathTraversal(t *testing.T) {
func TestBackupHandler_Download_InvalidPath(t *testing.T) {
router, _, tmpDir := setupBackupTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// Request with path traversal attempt
req := httptest.NewRequest(http.MethodGet, "/api/v1/backups/../invalid/download", http.NoBody)
@@ -266,11 +266,11 @@ func TestBackupHandler_Download_InvalidPath(t *testing.T) {
func TestBackupHandler_Create_ServiceError(t *testing.T) {
router, svc, tmpDir := setupBackupTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// Remove write permissions on backup dir to force create error
os.Chmod(svc.BackupDir, 0o444)
defer os.Chmod(svc.BackupDir, 0o755)
_ = os.Chmod(svc.BackupDir, 0o444)
defer func() { _ = os.Chmod(svc.BackupDir, 0o755) }()
req := httptest.NewRequest(http.MethodPost, "/api/v1/backups", http.NoBody)
resp := httptest.NewRecorder()
@@ -281,7 +281,7 @@ func TestBackupHandler_Create_ServiceError(t *testing.T) {
func TestBackupHandler_Delete_InternalError(t *testing.T) {
router, svc, tmpDir := setupBackupTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// Create a backup first
req := httptest.NewRequest(http.MethodPost, "/api/v1/backups", http.NoBody)
@@ -290,12 +290,12 @@ func TestBackupHandler_Delete_InternalError(t *testing.T) {
require.Equal(t, http.StatusCreated, resp.Code)
var result map[string]string
json.Unmarshal(resp.Body.Bytes(), &result)
_ = json.Unmarshal(resp.Body.Bytes(), &result)
filename := result["filename"]
// Make backup dir read-only to cause delete error (not NotExist)
os.Chmod(svc.BackupDir, 0o444)
defer os.Chmod(svc.BackupDir, 0o755)
_ = os.Chmod(svc.BackupDir, 0o444)
defer func() { _ = os.Chmod(svc.BackupDir, 0o755) }()
req = httptest.NewRequest(http.MethodDelete, "/api/v1/backups/"+filename, http.NoBody)
resp = httptest.NewRecorder()
@@ -306,7 +306,7 @@ func TestBackupHandler_Delete_InternalError(t *testing.T) {
func TestBackupHandler_Restore_InternalError(t *testing.T) {
router, svc, tmpDir := setupBackupTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// Create a backup first
req := httptest.NewRequest(http.MethodPost, "/api/v1/backups", http.NoBody)
@@ -315,12 +315,12 @@ func TestBackupHandler_Restore_InternalError(t *testing.T) {
require.Equal(t, http.StatusCreated, resp.Code)
var result map[string]string
json.Unmarshal(resp.Body.Bytes(), &result)
_ = json.Unmarshal(resp.Body.Bytes(), &result)
filename := result["filename"]
// Make data dir read-only to cause restore error
os.Chmod(svc.DataDir, 0o444)
defer os.Chmod(svc.DataDir, 0o755)
_ = os.Chmod(svc.DataDir, 0o444)
defer func() { _ = os.Chmod(svc.DataDir, 0o755) }()
req = httptest.NewRequest(http.MethodPost, "/api/v1/backups/"+filename+"/restore", http.NoBody)
resp = httptest.NewRecorder()

60
backend/internal/api/handlers/cerberus_logs_ws_test.go
View File

@@ -67,8 +67,8 @@ func TestCerberusLogsHandler_SuccessfulConnection(t *testing.T) {
// Connect WebSocket
conn, resp, err := websocket.DefaultDialer.Dial(wsURL, nil)
require.NoError(t, err)
defer resp.Body.Close()
defer conn.Close()
defer func() { _ = resp.Body.Close() }()
defer func() { _ = conn.Close() }()
assert.Equal(t, http.StatusSwitchingProtocols, resp.StatusCode)
}
@@ -83,7 +83,7 @@ func TestCerberusLogsHandler_ReceiveLogEntries(t *testing.T) {
// Create the log file
file, err := os.Create(logPath)
require.NoError(t, err)
defer file.Close()
defer func() { _ = file.Close() }()
watcher := services.NewLogWatcher(logPath)
err = watcher.Start(context.Background())
@@ -102,7 +102,7 @@ func TestCerberusLogsHandler_ReceiveLogEntries(t *testing.T) {
wsURL := "ws" + strings.TrimPrefix(server.URL, "http") + "/ws"
conn, _, err := websocket.DefaultDialer.Dial(wsURL, nil) //nolint:bodyclose // WebSocket Dial response body is consumed by the dial
require.NoError(t, err)
defer conn.Close()
defer func() { _ = conn.Close() }()
// Give the subscription time to register and watcher to seek to end
time.Sleep(300 * time.Millisecond)
@@ -124,10 +124,10 @@ func TestCerberusLogsHandler_ReceiveLogEntries(t *testing.T) {
require.NoError(t, err)
_, err = file.WriteString(string(logJSON) + "\n")
require.NoError(t, err)
file.Sync()
_ = file.Sync()
// Read the entry from WebSocket
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, msg, err := conn.ReadMessage()
require.NoError(t, err)
@@ -152,7 +152,7 @@ func TestCerberusLogsHandler_SourceFilter(t *testing.T) {
file, err := os.Create(logPath)
require.NoError(t, err)
defer file.Close()
defer func() { _ = file.Close() }()
watcher := services.NewLogWatcher(logPath)
err = watcher.Start(context.Background())
@@ -170,7 +170,7 @@ func TestCerberusLogsHandler_SourceFilter(t *testing.T) {
wsURL := "ws" + strings.TrimPrefix(server.URL, "http") + "/ws?source=waf"
conn, _, err := websocket.DefaultDialer.Dial(wsURL, nil) //nolint:bodyclose // WebSocket Dial response body is consumed by the dial
require.NoError(t, err)
defer conn.Close()
defer func() { _ = conn.Close() }()
time.Sleep(300 * time.Millisecond)
@@ -188,7 +188,7 @@ func TestCerberusLogsHandler_SourceFilter(t *testing.T) {
normalLog.Request.Host = "example.com"
normalJSON, _ := json.Marshal(normalLog)
file.WriteString(string(normalJSON) + "\n")
_, _ = file.WriteString(string(normalJSON) + "\n")
// Write a WAF blocked request (should pass filter)
wafLog := models.CaddyAccessLog{
@@ -205,11 +205,11 @@ func TestCerberusLogsHandler_SourceFilter(t *testing.T) {
wafLog.Request.Host = "example.com"
wafJSON, _ := json.Marshal(wafLog)
file.WriteString(string(wafJSON) + "\n")
file.Sync()
_, _ = file.WriteString(string(wafJSON) + "\n")
_ = file.Sync()
// Read from WebSocket - should only get WAF entry
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, msg, err := conn.ReadMessage()
require.NoError(t, err)
@@ -231,7 +231,7 @@ func TestCerberusLogsHandler_BlockedOnlyFilter(t *testing.T) {
file, err := os.Create(logPath)
require.NoError(t, err)
defer file.Close()
defer func() { _ = file.Close() }()
watcher := services.NewLogWatcher(logPath)
err = watcher.Start(context.Background())
@@ -249,7 +249,7 @@ func TestCerberusLogsHandler_BlockedOnlyFilter(t *testing.T) {
wsURL := "ws" + strings.TrimPrefix(server.URL, "http") + "/ws?blocked_only=true"
conn, _, err := websocket.DefaultDialer.Dial(wsURL, nil) //nolint:bodyclose // WebSocket Dial response body is consumed by the dial
require.NoError(t, err)
defer conn.Close()
defer func() { _ = conn.Close() }()
time.Sleep(300 * time.Millisecond)
@@ -267,7 +267,7 @@ func TestCerberusLogsHandler_BlockedOnlyFilter(t *testing.T) {
normalLog.Request.Host = "example.com"
normalJSON, _ := json.Marshal(normalLog)
file.WriteString(string(normalJSON) + "\n")
_, _ = file.WriteString(string(normalJSON) + "\n")
// Write a rate limited request (should pass filter)
blockedLog := models.CaddyAccessLog{
@@ -283,11 +283,11 @@ func TestCerberusLogsHandler_BlockedOnlyFilter(t *testing.T) {
blockedLog.Request.Host = "example.com"
blockedJSON, _ := json.Marshal(blockedLog)
file.WriteString(string(blockedJSON) + "\n")
file.Sync()
_, _ = file.WriteString(string(blockedJSON) + "\n")
_ = file.Sync()
// Read from WebSocket - should only get blocked entry
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, msg, err := conn.ReadMessage()
require.NoError(t, err)
@@ -308,7 +308,7 @@ func TestCerberusLogsHandler_IPFilter(t *testing.T) {
file, err := os.Create(logPath)
require.NoError(t, err)
defer file.Close()
defer func() { _ = file.Close() }()
watcher := services.NewLogWatcher(logPath)
err = watcher.Start(context.Background())
@@ -326,7 +326,7 @@ func TestCerberusLogsHandler_IPFilter(t *testing.T) {
wsURL := "ws" + strings.TrimPrefix(server.URL, "http") + "/ws?ip=192.168"
conn, _, err := websocket.DefaultDialer.Dial(wsURL, nil) //nolint:bodyclose // WebSocket Dial response body is consumed by the dial
require.NoError(t, err)
defer conn.Close()
defer func() { _ = conn.Close() }()
time.Sleep(300 * time.Millisecond)
@@ -344,7 +344,7 @@ func TestCerberusLogsHandler_IPFilter(t *testing.T) {
log1.Request.Host = "example.com"
json1, _ := json.Marshal(log1)
file.WriteString(string(json1) + "\n")
_, _ = file.WriteString(string(json1) + "\n")
// Write request from matching IP
log2 := models.CaddyAccessLog{
@@ -360,11 +360,11 @@ func TestCerberusLogsHandler_IPFilter(t *testing.T) {
log2.Request.Host = "example.com"
json2, _ := json.Marshal(log2)
file.WriteString(string(json2) + "\n")
file.Sync()
_, _ = file.WriteString(string(json2) + "\n")
_ = file.Sync()
// Read from WebSocket - should only get matching IP entry
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, msg, err := conn.ReadMessage()
require.NoError(t, err)
@@ -402,7 +402,7 @@ func TestCerberusLogsHandler_ClientDisconnect(t *testing.T) {
require.NoError(t, err)
// Close the connection
conn.Close()
_ = conn.Close()
// Give time for cleanup
time.Sleep(100 * time.Millisecond)
@@ -419,7 +419,7 @@ func TestCerberusLogsHandler_MultipleClients(t *testing.T) {
file, err := os.Create(logPath)
require.NoError(t, err)
defer file.Close()
defer func() { _ = file.Close() }()
watcher := services.NewLogWatcher(logPath)
err = watcher.Start(context.Background())
@@ -441,7 +441,7 @@ func TestCerberusLogsHandler_MultipleClients(t *testing.T) {
// Close all connections after test
for _, conn := range conns {
if conn != nil {
conn.Close()
_ = conn.Close()
}
}
}()
@@ -467,12 +467,12 @@ func TestCerberusLogsHandler_MultipleClients(t *testing.T) {
logEntry.Request.Host = "example.com"
logJSON, _ := json.Marshal(logEntry)
file.WriteString(string(logJSON) + "\n")
file.Sync()
_, _ = file.WriteString(string(logJSON) + "\n")
_ = file.Sync()
// All clients should receive the entry
for i, conn := range conns {
conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
_, msg, err := conn.ReadMessage()
require.NoError(t, err, "Client %d should receive message", i)

12
backend/internal/api/handlers/certificate_handler_coverage_test.go
View File

@@ -35,7 +35,7 @@ func TestCertificateHandler_List_DBError(t *testing.T) {
func TestCertificateHandler_Delete_InvalidID(t *testing.T) {
db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})
_ = db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})
gin.SetMode(gin.TestMode)
r := gin.New()
@@ -54,7 +54,7 @@ func TestCertificateHandler_Delete_InvalidID(t *testing.T) {
func TestCertificateHandler_Delete_NotFound(t *testing.T) {
// Use unique in-memory DB per test to avoid SQLite locking issues in parallel test runs
db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})
_ = db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})
gin.SetMode(gin.TestMode)
r := gin.New()
@@ -73,7 +73,7 @@ func TestCertificateHandler_Delete_NotFound(t *testing.T) {
func TestCertificateHandler_Delete_NoBackupService(t *testing.T) {
// Use unique in-memory DB per test to avoid SQLite locking issues in parallel test runs
db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})
_ = db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})
// Create certificate
cert := models.SSLCertificate{UUID: "test-cert-no-backup", Name: "no-backup-cert", Provider: "custom", Domains: "nobackup.example.com"}
@@ -111,7 +111,7 @@ func TestCertificateHandler_Delete_CheckUsageDBError(t *testing.T) {
// Use unique in-memory DB per test to avoid SQLite locking issues in parallel test runs
db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
// Only migrate SSLCertificate, not ProxyHost to cause error when checking usage
db.AutoMigrate(&models.SSLCertificate{})
_ = db.AutoMigrate(&models.SSLCertificate{})
// Create certificate
cert := models.SSLCertificate{UUID: "test-cert-db-err", Name: "db-error-cert", Provider: "custom", Domains: "dberr.example.com"}
@@ -134,7 +134,7 @@ func TestCertificateHandler_Delete_CheckUsageDBError(t *testing.T) {
func TestCertificateHandler_List_WithCertificates(t *testing.T) {
// Use unique in-memory DB per test to avoid SQLite locking issues in parallel test runs
db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})
_ = db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})
// Create certificates
db.Create(&models.SSLCertificate{UUID: "cert-1", Name: "Cert 1", Provider: "custom", Domains: "one.example.com"})
@@ -160,7 +160,7 @@ func TestCertificateHandler_Delete_ZeroID(t *testing.T) {
// Tests the ID=0 validation check (line 149-152 in certificate_handler.go)
// DELETE /api/certificates/0 should return 400 Bad Request
db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})
_ = db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{})
gin.SetMode(gin.TestMode)
r := gin.New()

10
backend/internal/api/handlers/certificate_handler_test.go
View File

@@ -421,10 +421,10 @@ func TestCertificateHandler_Upload_Success(t *testing.T) {
t.Fatalf("failed to generate cert: %v", err)
}
part, _ := writer.CreateFormFile("certificate_file", "cert.pem")
part.Write([]byte(certPEM))
_, _ = part.Write([]byte(certPEM))
part2, _ := writer.CreateFormFile("key_file", "key.pem")
part2.Write([]byte(keyPEM))
writer.Close()
_, _ = part2.Write([]byte(keyPEM))
_ = writer.Close()
req := httptest.NewRequest(http.MethodPost, "/api/certificates", &body)
req.Header.Set("Content-Type", writer.FormDataContentType())
@@ -459,9 +459,9 @@ func generateSelfSignedCertPEM() (certPEM, keyPEM string, err error) {
return "", "", err
}
certBuf := new(bytes.Buffer)
pem.Encode(certBuf, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
_ = pem.Encode(certBuf, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
keyBuf := new(bytes.Buffer)
pem.Encode(keyBuf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
_ = pem.Encode(keyBuf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
certPEM = certBuf.String()
keyPEM = keyBuf.String()
return certPEM, keyPEM, nil

7
backend/internal/api/handlers/coverage_helpers_test.go
View File

@@ -71,12 +71,13 @@ func Test_ttlRemainingSeconds(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := ttlRemainingSeconds(tt.now, tt.retrievedAt, tt.ttl)
if tt.wantNil {
switch {
case tt.wantNil:
assert.Nil(t, result)
} else if tt.wantZero {
case tt.wantZero:
require.NotNil(t, result)
assert.Equal(t, int64(0), *result)
} else if tt.wantPositive {
case tt.wantPositive:
require.NotNil(t, result)
assert.Greater(t, *result, int64(0))
}

6
backend/internal/api/handlers/credential_handler_test.go
View File

@@ -26,9 +26,9 @@ import (
func setupCredentialHandlerTest(t *testing.T) (*gin.Engine, *gorm.DB, *models.DNSProvider) {
// Set encryption key for test - must be done before any service initialization
os.Setenv("CHARON_ENCRYPTION_KEY", "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=")
_ = os.Setenv("CHARON_ENCRYPTION_KEY", "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=")
t.Cleanup(func() {
os.Unsetenv("CHARON_ENCRYPTION_KEY")
_ = os.Unsetenv("CHARON_ENCRYPTION_KEY")
})
gin.SetMode(gin.TestMode)
@@ -42,7 +42,7 @@ func setupCredentialHandlerTest(t *testing.T) (*gin.Engine, *gorm.DB, *models.DN
// Close database connection when test completes
t.Cleanup(func() {
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
})
err = db.AutoMigrate(

4
backend/internal/api/handlers/crowdsec_coverage_target_test.go
View File

@@ -196,8 +196,8 @@ func TestGetLAPIKeyLookup(t *testing.T) {
// TestGetLAPIKeyEmpty tests no env vars set
func TestGetLAPIKeyEmpty(t *testing.T) {
// Ensure no env vars are set
os.Unsetenv("CROWDSEC_API_KEY")
os.Unsetenv("CROWDSEC_BOUNCER_API_KEY")
_ = os.Unsetenv("CROWDSEC_API_KEY")
_ = os.Unsetenv("CROWDSEC_BOUNCER_API_KEY")
key := getLAPIKey()
require.Equal(t, "", key)

38
backend/internal/api/handlers/crowdsec_exec_test.go
View File

@@ -52,10 +52,10 @@ while true; do sleep 1; done
// Create mock /proc/{pid}/cmdline with "crowdsec" for the started process
procPidDir := filepath.Join(mockProc, strconv.Itoa(pid))
os.MkdirAll(procPidDir, 0o755)
_ = os.MkdirAll(procPidDir, 0o755)
// Use a cmdline that contains "crowdsec" to simulate a real CrowdSec process
mockCmdline := "/usr/bin/crowdsec\x00-c\x00/etc/crowdsec/config.yaml"
os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(mockCmdline), 0o644)
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(mockCmdline), 0o644)
// ensure pid file exists and content matches
pidB, err := os.ReadFile(e.pidFile(tmp))
@@ -108,7 +108,7 @@ func TestDefaultCrowdsecExecutor_Status_InvalidPid(t *testing.T) {
tmpDir := t.TempDir()
// Write invalid pid
os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("invalid"), 0o644)
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("invalid"), 0o644)
running, pid, err := exec.Status(context.Background(), tmpDir)
@@ -123,7 +123,7 @@ func TestDefaultCrowdsecExecutor_Status_NonExistentProcess(t *testing.T) {
// Write a pid that doesn't exist
// Use a very high PID that's unlikely to exist
os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("999999999"), 0o644)
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("999999999"), 0o644)
running, pid, err := exec.Status(context.Background(), tmpDir)
@@ -147,7 +147,7 @@ func TestDefaultCrowdsecExecutor_Stop_InvalidPid(t *testing.T) {
tmpDir := t.TempDir()
// Write invalid pid
os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("invalid"), 0o644)
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("invalid"), 0o644)
err := exec.Stop(context.Background(), tmpDir)
@@ -164,7 +164,7 @@ func TestDefaultCrowdsecExecutor_Stop_NonExistentProcess(t *testing.T) {
tmpDir := t.TempDir()
// Write a pid that doesn't exist
os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("999999999"), 0o644)
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("999999999"), 0o644)
err := exec.Stop(context.Background(), tmpDir)
@@ -212,11 +212,11 @@ func TestDefaultCrowdsecExecutor_isCrowdSecProcess_ValidProcess(t *testing.T) {
// Create a fake PID directory with crowdsec in cmdline
pid := 12345
procPidDir := filepath.Join(tmpDir, strconv.Itoa(pid))
os.MkdirAll(procPidDir, 0o755)
_ = os.MkdirAll(procPidDir, 0o755)
// Write cmdline with crowdsec (null-separated like real /proc)
cmdline := "/usr/bin/crowdsec\x00-c\x00/etc/crowdsec/config.yaml"
os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(cmdline), 0o644)
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(cmdline), 0o644)
assert.True(t, exec.isCrowdSecProcess(pid), "Should detect CrowdSec process")
}
@@ -231,11 +231,11 @@ func TestDefaultCrowdsecExecutor_isCrowdSecProcess_DifferentProcess(t *testing.T
// Create a fake PID directory with a different process (like dlv debugger)
pid := 12345
procPidDir := filepath.Join(tmpDir, strconv.Itoa(pid))
os.MkdirAll(procPidDir, 0o755)
_ = os.MkdirAll(procPidDir, 0o755)
// Write cmdline with dlv (the original bug case)
cmdline := "/usr/local/bin/dlv\x00--telemetry\x00--headless"
os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(cmdline), 0o644)
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(cmdline), 0o644)
assert.False(t, exec.isCrowdSecProcess(pid), "Should NOT detect dlv as CrowdSec")
}
@@ -261,10 +261,10 @@ func TestDefaultCrowdsecExecutor_isCrowdSecProcess_EmptyCmdline(t *testing.T) {
// Create a fake PID directory with empty cmdline
pid := 12345
procPidDir := filepath.Join(tmpDir, strconv.Itoa(pid))
os.MkdirAll(procPidDir, 0o755)
_ = os.MkdirAll(procPidDir, 0o755)
// Write empty cmdline
os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(""), 0o644)
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte(""), 0o644)
assert.False(t, exec.isCrowdSecProcess(pid), "Should return false for empty cmdline")
}
@@ -281,12 +281,12 @@ func TestDefaultCrowdsecExecutor_Status_PIDReuse_DifferentProcess(t *testing.T)
currentPID := os.Getpid()
// Write current PID to the crowdsec.pid file (simulating stale PID file)
os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte(strconv.Itoa(currentPID)), 0o644)
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte(strconv.Itoa(currentPID)), 0o644)
// Create mock /proc entry for current PID but with a non-crowdsec cmdline
procPidDir := filepath.Join(mockProc, strconv.Itoa(currentPID))
os.MkdirAll(procPidDir, 0o755)
os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte("/usr/local/bin/dlv\x00debug"), 0o644)
_ = os.MkdirAll(procPidDir, 0o755)
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte("/usr/local/bin/dlv\x00debug"), 0o644)
// Status should return NOT running because the PID is not CrowdSec
running, pid, err := exec.Status(context.Background(), tmpDir)
@@ -308,12 +308,12 @@ func TestDefaultCrowdsecExecutor_Status_PIDReuse_IsCrowdSec(t *testing.T) {
currentPID := os.Getpid()
// Write current PID to the crowdsec.pid file
os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte(strconv.Itoa(currentPID)), 0o644)
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte(strconv.Itoa(currentPID)), 0o644)
// Create mock /proc entry for current PID with crowdsec cmdline
procPidDir := filepath.Join(mockProc, strconv.Itoa(currentPID))
os.MkdirAll(procPidDir, 0o755)
os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte("/usr/bin/crowdsec\x00-c\x00config.yaml"), 0o644)
_ = os.MkdirAll(procPidDir, 0o755)
_ = os.WriteFile(filepath.Join(procPidDir, "cmdline"), []byte("/usr/bin/crowdsec\x00-c\x00config.yaml"), 0o644)
// Status should return running because it IS CrowdSec
running, pid, err := exec.Status(context.Background(), tmpDir)
@@ -329,7 +329,7 @@ func TestDefaultCrowdsecExecutor_Stop_SignalError(t *testing.T) {
// Write a pid for a process that exists but we can't signal (e.g., init process or other user's process)
// Use PID 1 which exists but typically can't be signaled by non-root
os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("1"), 0o644)
_ = os.WriteFile(filepath.Join(tmpDir, "crowdsec.pid"), []byte("1"), 0o644)
err := exec.Stop(context.Background(), tmpDir)

10
backend/internal/api/handlers/crowdsec_handler_comprehensive_test.go
View File

@@ -120,10 +120,10 @@ func TestIsConsoleEnrollmentEnabled(t *testing.T) {
envValue: "true",
want: true,
setupFunc: func() {
os.Setenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT", "true")
_ = os.Setenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT", "true")
},
cleanup: func() {
os.Unsetenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT")
_ = os.Unsetenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT")
},
},
{
@@ -131,10 +131,10 @@ func TestIsConsoleEnrollmentEnabled(t *testing.T) {
envValue: "false",
want: false,
setupFunc: func() {
os.Setenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT", "false")
_ = os.Setenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT", "false")
},
cleanup: func() {
os.Unsetenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT")
_ = os.Unsetenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT")
},
},
{
@@ -142,7 +142,7 @@ func TestIsConsoleEnrollmentEnabled(t *testing.T) {
envValue: "",
want: false,
setupFunc: func() {
os.Unsetenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT")
_ = os.Unsetenv("FEATURE_CROWDSEC_CONSOLE_ENROLLMENT")
},
cleanup: func() {},
},

10
backend/internal/api/handlers/crowdsec_handler_coverage_test.go
View File

@@ -218,7 +218,7 @@ func TestCrowdsec_ExportConfig_NotFound(t *testing.T) {
db := setupCrowdDB(t)
// Use a non-existent directory
nonExistentDir := "/tmp/crowdsec-nonexistent-dir-12345"
os.RemoveAll(nonExistentDir) // Make sure it doesn't exist
_ = os.RemoveAll(nonExistentDir) // Make sure it doesn't exist
h := NewCrowdsecHandler(db, &fakeExec{}, "/bin/false", nonExistentDir)
// remove any cache dir created during handler init so Export sees missing dir
@@ -254,7 +254,7 @@ func TestCrowdsec_ListFiles_EmptyDir(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
// Files may be nil or empty array when dir is empty
files := resp["files"]
if files != nil {
@@ -266,7 +266,7 @@ func TestCrowdsec_ListFiles_NonExistent(t *testing.T) {
gin.SetMode(gin.TestMode)
db := setupCrowdDB(t)
nonExistentDir := "/tmp/crowdsec-nonexistent-dir-67890"
os.RemoveAll(nonExistentDir)
_ = os.RemoveAll(nonExistentDir)
h := NewCrowdsecHandler(db, &fakeExec{}, "/bin/false", nonExistentDir)
@@ -280,7 +280,7 @@ func TestCrowdsec_ListFiles_NonExistent(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
// Should return empty array (nil) for non-existent dir
// The files key should exist
_, ok := resp["files"]
@@ -330,7 +330,7 @@ func TestCrowdsec_ReadFile_NestedPath(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, "nested content", resp["content"])
}

12
backend/internal/api/handlers/crowdsec_handler_test.go
View File

@@ -106,8 +106,8 @@ func TestImportConfig(t *testing.T) {
buf := &bytes.Buffer{}
mw := multipart.NewWriter(buf)
fw, _ := mw.CreateFormFile("file", "cfg.tar.gz")
fw.Write([]byte("dummy"))
mw.Close()
_, _ = fw.Write([]byte("dummy"))
_ = mw.Close()
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/import", buf)
@@ -143,8 +143,8 @@ func TestImportCreatesBackup(t *testing.T) {
buf := &bytes.Buffer{}
mw := multipart.NewWriter(buf)
fw, _ := mw.CreateFormFile("file", "cfg.tar.gz")
fw.Write([]byte("dummy2"))
mw.Close()
_, _ = fw.Write([]byte("dummy2"))
_ = mw.Close()
w := httptest.NewRecorder()
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crowdsec/import", buf)
@@ -158,7 +158,7 @@ func TestImportCreatesBackup(t *testing.T) {
found := false
entries, _ := os.ReadDir(filepath.Dir(tmpDir))
for _, e := range entries {
if e.IsDir() && filepath.HasPrefix(e.Name(), filepath.Base(tmpDir)+".backup.") {
if e.IsDir() && strings.HasPrefix(e.Name(), filepath.Base(tmpDir)+".backup.") {
found = true
break
}
@@ -1308,7 +1308,7 @@ func TestCrowdsecHandler_ExportConfig_DirNotFound(t *testing.T) {
db := setupCrowdDB(t)
// Use a non-existent directory
nonExistentDir := "/tmp/crowdsec-nonexistent-test-" + t.Name()
os.RemoveAll(nonExistentDir)
_ = os.RemoveAll(nonExistentDir)
h := NewCrowdsecHandler(db, &fakeExec{}, "/bin/false", nonExistentDir)
// Remove any cache dir created during handler init so Export sees missing dir

14
backend/internal/api/handlers/db_health_handler_test.go
View File

@@ -169,7 +169,7 @@ func TestNewDBHealthHandler(t *testing.T) {
// With backup service
tmpDir := t.TempDir()
dbPath := filepath.Join(tmpDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
backupSvc := services.NewBackupService(cfg)
@@ -196,7 +196,7 @@ func TestDBHealthHandler_Check_CorruptedDatabase(t *testing.T) {
// Close it
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
// Corrupt the database file
corruptDBFile(t, dbPath)
@@ -243,14 +243,14 @@ func TestDBHealthHandler_Check_BackupServiceError(t *testing.T) {
// Create backup service with unreadable directory
tmpDir := t.TempDir()
dbPath := filepath.Join(tmpDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
backupService := services.NewBackupService(cfg)
// Make backup directory unreadable to trigger error in GetLastBackupTime
os.Chmod(backupService.BackupDir, 0o000)
defer os.Chmod(backupService.BackupDir, 0o755) // Restore for cleanup
_ = os.Chmod(backupService.BackupDir, 0o000)
defer func() { _ = os.Chmod(backupService.BackupDir, 0o755) }() // Restore for cleanup
handler := NewDBHealthHandler(db, backupService)
@@ -284,7 +284,7 @@ func TestDBHealthHandler_Check_BackupTimeZero(t *testing.T) {
// Create backup service with empty backup directory (no backups yet)
tmpDir := t.TempDir()
dbPath := filepath.Join(tmpDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
backupService := services.NewBackupService(cfg)
@@ -314,7 +314,7 @@ func corruptDBFile(t *testing.T, dbPath string) {
t.Helper()
f, err := os.OpenFile(dbPath, os.O_RDWR, 0o644)
require.NoError(t, err)
defer f.Close()
defer func() { _ = f.Close() }()
// Get file size
stat, err := f.Stat()

62
backend/internal/api/handlers/encryption_handler_test.go
View File

@@ -23,7 +23,7 @@ func setupEncryptionTestDB(t *testing.T) *gorm.DB {
// Use a unique file-based database for each test to avoid sharing state
dbPath := fmt.Sprintf("/tmp/test_encryption_%d.db", time.Now().UnixNano())
t.Cleanup(func() {
os.Remove(dbPath)
_ = os.Remove(dbPath)
})
db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{
@@ -69,8 +69,8 @@ func TestEncryptionHandler_GetStatus(t *testing.T) {
// Generate test keys
currentKey, err := crypto.GenerateNewKey()
require.NoError(t, err)
os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
defer os.Unsetenv("CHARON_ENCRYPTION_KEY")
_ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY") }()
rotationService, err := crypto.NewRotationService(db)
require.NoError(t, err)
@@ -111,8 +111,8 @@ func TestEncryptionHandler_GetStatus(t *testing.T) {
t.Run("status shows next key when configured", func(t *testing.T) {
nextKey, err := crypto.GenerateNewKey()
require.NoError(t, err)
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
_ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT") }()
rotationService, err := crypto.NewRotationService(db)
require.NoError(t, err)
@@ -137,7 +137,7 @@ func TestEncryptionHandler_GetStatus(t *testing.T) {
// Close the database to trigger an error
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
rotationService, err := crypto.NewRotationService(db)
require.NoError(t, err)
@@ -163,11 +163,11 @@ func TestEncryptionHandler_Rotate(t *testing.T) {
nextKey, err := crypto.GenerateNewKey()
require.NoError(t, err)
os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
_ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
_ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
defer func() {
os.Unsetenv("CHARON_ENCRYPTION_KEY")
os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
_ = os.Unsetenv("CHARON_ENCRYPTION_KEY")
_ = os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
}()
// Create test providers
@@ -233,8 +233,8 @@ func TestEncryptionHandler_Rotate(t *testing.T) {
})
t.Run("rotation fails without next key", func(t *testing.T) {
os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
defer os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
_ = os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
defer func() { _ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey) }()
rotationService, err := crypto.NewRotationService(db)
require.NoError(t, err)
@@ -256,8 +256,8 @@ func TestEncryptionHandler_GetHistory(t *testing.T) {
currentKey, err := crypto.GenerateNewKey()
require.NoError(t, err)
os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
defer os.Unsetenv("CHARON_ENCRYPTION_KEY")
_ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY") }()
rotationService, err := crypto.NewRotationService(db)
require.NoError(t, err)
@@ -273,7 +273,7 @@ func TestEncryptionHandler_GetHistory(t *testing.T) {
EventCategory: "encryption",
Details: "{}",
}
securityService.LogAudit(audit)
_ = securityService.LogAudit(audit)
}
// Flush async audit logging
@@ -330,7 +330,7 @@ func TestEncryptionHandler_GetHistory(t *testing.T) {
t.Run("history error when service fails", func(t *testing.T) {
// Create a new DB that will be closed to trigger error
dbPath := fmt.Sprintf("/tmp/test_encryption_fail_%d.db", time.Now().UnixNano())
defer os.Remove(dbPath)
defer func() { _ = os.Remove(dbPath) }()
failDB, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{PrepareStmt: false})
require.NoError(t, err)
@@ -338,8 +338,8 @@ func TestEncryptionHandler_GetHistory(t *testing.T) {
currentKey, err := crypto.GenerateNewKey()
require.NoError(t, err)
os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
defer os.Unsetenv("CHARON_ENCRYPTION_KEY")
_ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY") }()
rotationService, err := crypto.NewRotationService(failDB)
require.NoError(t, err)
@@ -349,7 +349,7 @@ func TestEncryptionHandler_GetHistory(t *testing.T) {
// Close the database to trigger errors
sqlDB, err := failDB.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
handler := NewEncryptionHandler(rotationService, failSecurityService)
router := setupEncryptionTestRouter(handler, true)
@@ -370,8 +370,8 @@ func TestEncryptionHandler_Validate(t *testing.T) {
currentKey, err := crypto.GenerateNewKey()
require.NoError(t, err)
os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
defer os.Unsetenv("CHARON_ENCRYPTION_KEY")
_ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY") }()
rotationService, err := crypto.NewRotationService(db)
require.NoError(t, err)
@@ -418,8 +418,8 @@ func TestEncryptionHandler_Validate(t *testing.T) {
t.Run("validation fails with invalid key configuration", func(t *testing.T) {
// Unset the encryption key to trigger validation failure
os.Unsetenv("CHARON_ENCRYPTION_KEY")
defer os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
_ = os.Unsetenv("CHARON_ENCRYPTION_KEY")
defer func() { _ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey) }()
// Create rotation service with no key configured
rotationService, err := crypto.NewRotationService(db)
@@ -464,8 +464,8 @@ func TestEncryptionHandler_IntegrationFlow(t *testing.T) {
nextKey, err := crypto.GenerateNewKey()
require.NoError(t, err)
os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
defer os.Unsetenv("CHARON_ENCRYPTION_KEY")
_ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY") }()
// Create initial provider
currentService, err := crypto.NewEncryptionService(currentKey)
@@ -505,7 +505,7 @@ func TestEncryptionHandler_IntegrationFlow(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
// Step 3: Configure next key
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
_ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
// Reinitialize rotation service to pick up new key
@@ -643,8 +643,8 @@ func TestEncryptionHandler_RefreshKey_RotatesCredentials(t *testing.T) {
nextKey, err := crypto.GenerateNewKey()
require.NoError(t, err)
os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
_ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
_ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
defer func() {
os.Unsetenv("CHARON_ENCRYPTION_KEY")
os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
@@ -699,7 +699,7 @@ func TestEncryptionHandler_RefreshKey_FailsWithoutProvider(t *testing.T) {
// Set only current key, no next key
currentKey, err := crypto.GenerateNewKey()
require.NoError(t, err)
os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
_ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
defer os.Unsetenv("CHARON_ENCRYPTION_KEY")
rotationService, err := crypto.NewRotationService(db)
@@ -750,8 +750,8 @@ func TestEncryptionHandler_RefreshKey_InvalidOldKey(t *testing.T) {
require.NoError(t, db.Create(&provider).Error)
// Now set wrong key and try to rotate
os.Setenv("CHARON_ENCRYPTION_KEY", wrongKey)
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
_ = os.Setenv("CHARON_ENCRYPTION_KEY", wrongKey)
_ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
defer func() {
os.Unsetenv("CHARON_ENCRYPTION_KEY")
os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")

2
backend/internal/api/handlers/handlers_test.go
View File

@@ -22,7 +22,7 @@ func setupTestDB(t *testing.T) *gorm.DB {
db := handlers.OpenTestDB(t)
// Auto migrate all models that handlers depend on
db.AutoMigrate(
_ = db.AutoMigrate(
&models.ProxyHost{},
&models.Location{},
&models.RemoteServer{},

2
backend/internal/api/handlers/import_handler_sanitize_test.go
View File

@@ -23,7 +23,7 @@ func TestImportUploadSanitizesFilename(t *testing.T) {
db := OpenTestDB(t)
// Create a fake caddy executable to avoid dependency on system binary
fakeCaddy := filepath.Join(tmpDir, "caddy")
os.WriteFile(fakeCaddy, []byte("#!/bin/sh\nexit 0"), 0o755)
_ = os.WriteFile(fakeCaddy, []byte("#!/bin/sh\nexit 0"), 0o755)
svc := NewImportHandler(db, fakeCaddy, tmpDir, "")
router := gin.New()

46
backend/internal/api/handlers/import_handler_test.go
View File

@@ -26,7 +26,7 @@ func setupImportTestDB(t *testing.T) *gorm.DB {
if err != nil {
panic("failed to connect to test database")
}
db.AutoMigrate(&models.ImportSession{}, &models.ProxyHost{}, &models.Location{})
_ = db.AutoMigrate(&models.ImportSession{}, &models.ProxyHost{}, &models.Location{})
return db
}
@@ -52,7 +52,7 @@ func TestImportHandler_GetStatus(t *testing.T) {
// Case 2: No DB session but has mounted Caddyfile
tmpDir := t.TempDir()
mountPath := filepath.Join(tmpDir, "mounted.caddyfile")
os.WriteFile(mountPath, []byte("example.com"), 0o644)
_ = os.WriteFile(mountPath, []byte("example.com"), 0o644) //nolint:gosec // G306: test file
handler2 := handlers.NewImportHandler(db, "echo", "/tmp", mountPath)
router2 := gin.New()
@@ -115,7 +115,7 @@ func TestImportHandler_GetPreview(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var result map[string]any
json.Unmarshal(w.Body.Bytes(), &result)
_ = json.Unmarshal(w.Body.Bytes(), &result)
preview := result["preview"].(map[string]any)
hosts := preview["hosts"].([]any)
@@ -198,7 +198,7 @@ func TestImportHandler_Upload(t *testing.T) {
// Use fake caddy script
cwd, _ := os.Getwd()
fakeCaddy := filepath.Join(cwd, "testdata", "fake_caddy.sh")
os.Chmod(fakeCaddy, 0o755)
_ = os.Chmod(fakeCaddy, 0o755) //nolint:gosec // G302: test script needs exec permissions
tmpDir := t.TempDir()
handler := handlers.NewImportHandler(db, fakeCaddy, tmpDir, "")
@@ -231,7 +231,7 @@ func TestImportHandler_GetPreview_WithContent(t *testing.T) {
// Case: Active session with source file
content := "example.com {\n reverse_proxy localhost:8080\n}"
sourceFile := filepath.Join(tmpDir, "source.caddyfile")
err := os.WriteFile(sourceFile, []byte(content), 0o644)
err := os.WriteFile(sourceFile, []byte(content), 0o644) //nolint:gosec // G306: test file
assert.NoError(t, err)
// Case: Active session with source file
@@ -320,14 +320,14 @@ func TestCheckMountedImport(t *testing.T) {
// Use fake caddy script
cwd, _ := os.Getwd()
fakeCaddy := filepath.Join(cwd, "testdata", "fake_caddy.sh")
os.Chmod(fakeCaddy, 0o755)
_ = os.Chmod(fakeCaddy, 0o755) //nolint:gosec // G302: test script needs exec permissions
// Case 1: File does not exist
err := handlers.CheckMountedImport(db, mountPath, fakeCaddy, tmpDir)
assert.NoError(t, err)
// Case 2: File exists, not processed
err = os.WriteFile(mountPath, []byte("example.com"), 0o644)
err = os.WriteFile(mountPath, []byte("example.com"), 0o644) //nolint:gosec // G306: test file
assert.NoError(t, err)
err = handlers.CheckMountedImport(db, mountPath, fakeCaddy, tmpDir)
@@ -368,7 +368,7 @@ func TestImportHandler_Upload_Failure(t *testing.T) {
assert.Equal(t, http.StatusBadRequest, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
// The error message comes from Upload -> ImportFile -> "import failed: ..."
assert.Contains(t, resp["error"], "import failed")
}
@@ -431,10 +431,10 @@ func TestImportHandler_GetPreview_BackupContent(t *testing.T) {
// Create backup file
backupDir := filepath.Join(tmpDir, "backups")
os.MkdirAll(backupDir, 0o755)
_ = os.MkdirAll(backupDir, 0o755) //nolint:gosec // G301: test dir
content := "backup content"
backupFile := filepath.Join(backupDir, "source.caddyfile")
os.WriteFile(backupFile, []byte(content), 0o644)
_ = os.WriteFile(backupFile, []byte(content), 0o644) //nolint:gosec // G306: test file
// Case: Active session with missing source file but existing backup
session := models.ImportSession{
@@ -451,7 +451,7 @@ func TestImportHandler_GetPreview_BackupContent(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var result map[string]any
json.Unmarshal(w.Body.Bytes(), &result)
_ = json.Unmarshal(w.Body.Bytes(), &result)
assert.Equal(t, content, result["caddyfile_content"])
}
@@ -478,13 +478,13 @@ func TestImportHandler_GetPreview_TransientMount(t *testing.T) {
// Create a mounted Caddyfile
content := "example.com"
err := os.WriteFile(mountPath, []byte(content), 0o644)
err := os.WriteFile(mountPath, []byte(content), 0o644) //nolint:gosec // G306: test file
assert.NoError(t, err)
// Use fake caddy script
cwd, _ := os.Getwd()
fakeCaddy := filepath.Join(cwd, "testdata", "fake_caddy_hosts.sh")
os.Chmod(fakeCaddy, 0o755)
_ = os.Chmod(fakeCaddy, 0o755) //nolint:gosec // G302: test script needs exec permissions
handler := handlers.NewImportHandler(db, fakeCaddy, tmpDir, mountPath)
router := gin.New()
@@ -522,7 +522,7 @@ func TestImportHandler_Commit_TransientUpload(t *testing.T) {
// Use fake caddy script
cwd, _ := os.Getwd()
fakeCaddy := filepath.Join(cwd, "testdata", "fake_caddy_hosts.sh")
os.Chmod(fakeCaddy, 0o755)
_ = os.Chmod(fakeCaddy, 0o755) //nolint:gosec // G302: test script needs exec permissions
handler := handlers.NewImportHandler(db, fakeCaddy, tmpDir, "")
router := gin.New()
@@ -542,7 +542,7 @@ func TestImportHandler_Commit_TransientUpload(t *testing.T) {
// Extract session ID
var uploadResp map[string]any
json.Unmarshal(w.Body.Bytes(), &uploadResp)
_ = json.Unmarshal(w.Body.Bytes(), &uploadResp)
session := uploadResp["session"].(map[string]any)
sessionID := session["id"].(string)
@@ -580,13 +580,13 @@ func TestImportHandler_Commit_TransientMount(t *testing.T) {
mountPath := filepath.Join(tmpDir, "mounted.caddyfile")
// Create a mounted Caddyfile
err := os.WriteFile(mountPath, []byte("mounted.com"), 0o644)
err := os.WriteFile(mountPath, []byte("mounted.com"), 0o644) //nolint:gosec // G306: test file
assert.NoError(t, err)
// Use fake caddy script
cwd, _ := os.Getwd()
fakeCaddy := filepath.Join(cwd, "testdata", "fake_caddy_hosts.sh")
os.Chmod(fakeCaddy, 0o755)
_ = os.Chmod(fakeCaddy, 0o755) //nolint:gosec // G302: test script needs exec permissions
handler := handlers.NewImportHandler(db, fakeCaddy, tmpDir, mountPath)
router := gin.New()
@@ -627,7 +627,7 @@ func TestImportHandler_Cancel_TransientUpload(t *testing.T) {
// Use fake caddy script
cwd, _ := os.Getwd()
fakeCaddy := filepath.Join(cwd, "testdata", "fake_caddy_hosts.sh")
os.Chmod(fakeCaddy, 0o755)
_ = os.Chmod(fakeCaddy, 0o755) //nolint:gosec // G302: test script needs exec permissions
handler := handlers.NewImportHandler(db, fakeCaddy, tmpDir, "")
router := gin.New()
@@ -647,7 +647,7 @@ func TestImportHandler_Cancel_TransientUpload(t *testing.T) {
// Extract session ID and file path
var uploadResp map[string]any
json.Unmarshal(w.Body.Bytes(), &uploadResp)
_ = json.Unmarshal(w.Body.Bytes(), &uploadResp)
session := uploadResp["session"].(map[string]any)
sessionID := session["id"].(string)
sourceFile := session["source_file"].(string)
@@ -794,7 +794,7 @@ func TestImportHandler_UploadMulti(t *testing.T) {
// Use fake caddy script
cwd, _ := os.Getwd()
fakeCaddy := filepath.Join(cwd, "testdata", "fake_caddy_hosts.sh")
os.Chmod(fakeCaddy, 0o755)
_ = os.Chmod(fakeCaddy, 0o755) //nolint:gosec // G302: test script needs exec permissions
handler := handlers.NewImportHandler(db, fakeCaddy, tmpDir, "")
router := gin.New()
@@ -816,7 +816,7 @@ func TestImportHandler_UploadMulti(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.NotNil(t, resp["session"])
assert.NotNil(t, resp["preview"])
})
@@ -839,7 +839,7 @@ func TestImportHandler_UploadMulti(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
session := resp["session"].(map[string]any)
assert.Equal(t, "transient", session["state"])
})
@@ -893,7 +893,7 @@ func TestImportHandler_UploadMulti(t *testing.T) {
assert.Equal(t, http.StatusBadRequest, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Contains(t, resp["error"], "empty")
})
}

34
backend/internal/api/handlers/logs_handler_coverage_test.go
View File

@@ -21,17 +21,17 @@ func TestLogsHandler_Read_FilterBySearch(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
logsDir := filepath.Join(dataDir, "logs")
os.MkdirAll(logsDir, 0o755)
_ = os.MkdirAll(logsDir, 0o755)
// Write JSON log lines
content := `{"level":"info","ts":1600000000,"msg":"request handled","request":{"method":"GET","host":"example.com","uri":"/api/search","remote_ip":"1.2.3.4"},"status":200}
{"level":"error","ts":1600000060,"msg":"error occurred","request":{"method":"POST","host":"example.com","uri":"/api/submit","remote_ip":"5.6.7.8"},"status":500}
`
os.WriteFile(filepath.Join(logsDir, "access.log"), []byte(content), 0o644)
_ = os.WriteFile(filepath.Join(logsDir, "access.log"), []byte(content), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
svc := services.NewLogService(cfg)
@@ -54,16 +54,16 @@ func TestLogsHandler_Read_FilterByHost(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
logsDir := filepath.Join(dataDir, "logs")
os.MkdirAll(logsDir, 0o755)
_ = os.MkdirAll(logsDir, 0o755)
content := `{"level":"info","ts":1600000000,"msg":"request handled","request":{"method":"GET","host":"example.com","uri":"/","remote_ip":"1.2.3.4"},"status":200}
{"level":"info","ts":1600000001,"msg":"request handled","request":{"method":"GET","host":"other.com","uri":"/","remote_ip":"1.2.3.4"},"status":200}
`
os.WriteFile(filepath.Join(logsDir, "access.log"), []byte(content), 0o644)
_ = os.WriteFile(filepath.Join(logsDir, "access.log"), []byte(content), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
svc := services.NewLogService(cfg)
@@ -84,16 +84,16 @@ func TestLogsHandler_Read_FilterByLevel(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
logsDir := filepath.Join(dataDir, "logs")
os.MkdirAll(logsDir, 0o755)
_ = os.MkdirAll(logsDir, 0o755)
content := `{"level":"info","ts":1600000000,"msg":"info message"}
{"level":"error","ts":1600000001,"msg":"error message"}
`
os.WriteFile(filepath.Join(logsDir, "access.log"), []byte(content), 0o644)
_ = os.WriteFile(filepath.Join(logsDir, "access.log"), []byte(content), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
svc := services.NewLogService(cfg)
@@ -114,16 +114,16 @@ func TestLogsHandler_Read_FilterByStatus(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
logsDir := filepath.Join(dataDir, "logs")
os.MkdirAll(logsDir, 0o755)
_ = os.MkdirAll(logsDir, 0o755)
content := `{"level":"info","ts":1600000000,"msg":"200 OK","request":{"host":"example.com"},"status":200}
{"level":"error","ts":1600000001,"msg":"500 Error","request":{"host":"example.com"},"status":500}
`
os.WriteFile(filepath.Join(logsDir, "access.log"), []byte(content), 0o644)
_ = os.WriteFile(filepath.Join(logsDir, "access.log"), []byte(content), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
svc := services.NewLogService(cfg)
@@ -144,16 +144,16 @@ func TestLogsHandler_Read_SortAsc(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
logsDir := filepath.Join(dataDir, "logs")
os.MkdirAll(logsDir, 0o755)
_ = os.MkdirAll(logsDir, 0o755)
content := `{"level":"info","ts":1600000000,"msg":"first"}
{"level":"info","ts":1600000001,"msg":"second"}
`
os.WriteFile(filepath.Join(logsDir, "access.log"), []byte(content), 0o644)
_ = os.WriteFile(filepath.Join(logsDir, "access.log"), []byte(content), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
svc := services.NewLogService(cfg)
@@ -174,13 +174,13 @@ func TestLogsHandler_List_DirectoryIsFile(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
logsDir := filepath.Join(dataDir, "logs")
// Create logs dir as a file to cause error
os.WriteFile(logsDir, []byte("not a dir"), 0o644)
_ = os.WriteFile(logsDir, []byte("not a dir"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
svc := services.NewLogService(cfg)

12
backend/internal/api/handlers/logs_handler_test.go
View File

@@ -69,7 +69,7 @@ func setupLogsTest(t *testing.T) (*gin.Engine, *services.LogService, string) {
func TestLogsLifecycle(t *testing.T) {
router, _, tmpDir := setupLogsTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// 1. List logs
req := httptest.NewRequest(http.MethodGet, "/api/v1/logs", http.NoBody)
@@ -99,9 +99,9 @@ func TestLogsLifecycle(t *testing.T) {
require.Equal(t, http.StatusOK, resp.Code)
var content struct {
Filename string `json:"filename"`
Logs []any `json:"logs"`
Total int `json:"total"`
Filename string `json:"filename"`
Logs []any `json:"logs"`
Total int `json:"total"`
}
err = json.Unmarshal(resp.Body.Bytes(), &content)
require.NoError(t, err)
@@ -127,7 +127,7 @@ func TestLogsLifecycle(t *testing.T) {
require.Equal(t, http.StatusNotFound, resp.Code)
// 6. List logs error (delete directory)
os.RemoveAll(filepath.Join(tmpDir, "data", "logs"))
_ = os.RemoveAll(filepath.Join(tmpDir, "data", "logs"))
req = httptest.NewRequest(http.MethodGet, "/api/v1/logs", http.NoBody)
resp = httptest.NewRecorder()
router.ServeHTTP(resp, req)
@@ -141,7 +141,7 @@ func TestLogsLifecycle(t *testing.T) {
func TestLogsHandler_PathTraversal(t *testing.T) {
_, _, tmpDir := setupLogsTest(t)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// Manually invoke handler to bypass Gin router cleaning
w := httptest.NewRecorder()

657
backend/internal/api/handlers/manual_challenge_handler.go Normal file
View File

@@ -0,0 +1,657 @@
package handlers
import (
"context"
"errors"
"net/http"
"strconv"
"github.com/Wikid82/charon/backend/internal/models"
"github.com/Wikid82/charon/backend/internal/services"
"github.com/gin-gonic/gin"
)
// ManualChallengeServiceInterface defines the interface for manual challenge operations.
// This allows for easier testing by enabling mock implementations.
type ManualChallengeServiceInterface interface {
CreateChallenge(ctx context.Context, req services.CreateChallengeRequest) (*models.ManualChallenge, error)
GetChallengeForUser(ctx context.Context, challengeID string, userID uint) (*models.ManualChallenge, error)
ListChallengesForProvider(ctx context.Context, providerID, userID uint) ([]models.ManualChallenge, error)
VerifyChallenge(ctx context.Context, challengeID string, userID uint) (*services.VerifyResult, error)
PollChallengeStatus(ctx context.Context, challengeID string, userID uint) (*services.ChallengeStatusResponse, error)
DeleteChallenge(ctx context.Context, challengeID string, userID uint) error
}
// DNSProviderServiceInterface defines the subset of DNSProviderService needed by ManualChallengeHandler.
type DNSProviderServiceInterface interface {
Get(ctx context.Context, id uint) (*models.DNSProvider, error)
}
// ManualChallengeHandler handles manual DNS challenge API requests.
type ManualChallengeHandler struct {
challengeService ManualChallengeServiceInterface
providerService DNSProviderServiceInterface
}
// NewManualChallengeHandler creates a new manual challenge handler.
func NewManualChallengeHandler(challengeService ManualChallengeServiceInterface, providerService DNSProviderServiceInterface) *ManualChallengeHandler {
return &ManualChallengeHandler{
challengeService: challengeService,
providerService: providerService,
}
}
// ManualChallengeResponse represents the API response for a manual challenge.
type ManualChallengeResponse struct {
ID string `json:"id"`
ProviderID uint `json:"provider_id"`
FQDN string `json:"fqdn"`
Value string `json:"value"`
Status string `json:"status"`
DNSPropagated bool `json:"dns_propagated"`
CreatedAt string `json:"created_at"`
ExpiresAt string `json:"expires_at"`
LastCheckAt string `json:"last_check_at,omitempty"`
TimeRemainingSeconds int `json:"time_remaining_seconds"`
ErrorMessage string `json:"error_message,omitempty"`
}
// ErrorResponse represents an error response with a code.
type ErrorResponse struct {
Success bool `json:"success"`
Error struct {
Code string `json:"code"`
Message string `json:"message"`
Details map[string]interface{} `json:"details,omitempty"`
} `json:"error"`
}
// newErrorResponse creates a standardized error response.
func newErrorResponse(code, message string, details map[string]interface{}) ErrorResponse {
resp := ErrorResponse{Success: false}
resp.Error.Code = code
resp.Error.Message = message
resp.Error.Details = details
return resp
}
// GetChallenge handles GET /api/v1/dns-providers/:id/manual-challenge/:challengeId
// Returns the status and details of a manual DNS challenge.
func (h *ManualChallengeHandler) GetChallenge(c *gin.Context) {
providerID, err := strconv.ParseUint(c.Param("id"), 10, 32)
if err != nil {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_ID",
"Invalid provider ID",
nil,
))
return
}
challengeID := c.Param("challengeId")
if challengeID == "" {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_CHALLENGE_ID",
"Challenge ID is required",
nil,
))
return
}
// Get user ID from context (set by auth middleware)
userID := getUserIDFromContext(c)
// Verify provider exists and user has access
provider, err := h.providerService.Get(c.Request.Context(), uint(providerID))
if err != nil {
if errors.Is(err, services.ErrDNSProviderNotFound) {
c.JSON(http.StatusNotFound, newErrorResponse(
"PROVIDER_NOT_FOUND",
"DNS provider not found",
nil,
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to retrieve DNS provider",
nil,
))
return
}
// Verify provider is manual type
if provider.ProviderType != "manual" {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_TYPE",
"This endpoint is only available for manual DNS providers",
nil,
))
return
}
// Get challenge
challenge, err := h.challengeService.GetChallengeForUser(c.Request.Context(), challengeID, userID)
if err != nil {
if errors.Is(err, services.ErrChallengeNotFound) {
c.JSON(http.StatusNotFound, newErrorResponse(
"CHALLENGE_NOT_FOUND",
"Challenge not found",
map[string]interface{}{"challenge_id": challengeID},
))
return
}
if errors.Is(err, services.ErrUnauthorized) {
c.JSON(http.StatusForbidden, newErrorResponse(
"UNAUTHORIZED",
"You do not have access to this challenge",
nil,
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to retrieve challenge",
nil,
))
return
}
// Verify challenge belongs to the specified provider
if challenge.ProviderID != uint(providerID) {
c.JSON(http.StatusNotFound, newErrorResponse(
"CHALLENGE_NOT_FOUND",
"Challenge not found for this provider",
nil,
))
return
}
c.JSON(http.StatusOK, challengeToResponse(challenge))
}
// VerifyChallenge handles POST /api/v1/dns-providers/:id/manual-challenge/:challengeId/verify
// Triggers DNS verification for a challenge.
func (h *ManualChallengeHandler) VerifyChallenge(c *gin.Context) {
providerID, err := strconv.ParseUint(c.Param("id"), 10, 32)
if err != nil {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_ID",
"Invalid provider ID",
nil,
))
return
}
challengeID := c.Param("challengeId")
if challengeID == "" {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_CHALLENGE_ID",
"Challenge ID is required",
nil,
))
return
}
// Get user ID from context
userID := getUserIDFromContext(c)
// Verify provider exists and is manual type
provider, err := h.providerService.Get(c.Request.Context(), uint(providerID))
if err != nil {
if errors.Is(err, services.ErrDNSProviderNotFound) {
c.JSON(http.StatusNotFound, newErrorResponse(
"PROVIDER_NOT_FOUND",
"DNS provider not found",
nil,
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to retrieve DNS provider",
nil,
))
return
}
if provider.ProviderType != "manual" {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_TYPE",
"This endpoint is only available for manual DNS providers",
nil,
))
return
}
// Verify ownership before verification
challenge, err := h.challengeService.GetChallengeForUser(c.Request.Context(), challengeID, userID)
if err != nil {
if errors.Is(err, services.ErrChallengeNotFound) {
c.JSON(http.StatusNotFound, newErrorResponse(
"CHALLENGE_NOT_FOUND",
"Challenge not found",
map[string]interface{}{"challenge_id": challengeID},
))
return
}
if errors.Is(err, services.ErrUnauthorized) {
c.JSON(http.StatusForbidden, newErrorResponse(
"UNAUTHORIZED",
"You do not have access to this challenge",
nil,
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to retrieve challenge",
nil,
))
return
}
if challenge.ProviderID != uint(providerID) {
c.JSON(http.StatusNotFound, newErrorResponse(
"CHALLENGE_NOT_FOUND",
"Challenge not found for this provider",
nil,
))
return
}
// Perform verification
result, err := h.challengeService.VerifyChallenge(c.Request.Context(), challengeID, userID)
if err != nil {
if errors.Is(err, services.ErrChallengeExpired) {
c.JSON(http.StatusGone, newErrorResponse(
"CHALLENGE_EXPIRED",
"Challenge has expired",
map[string]interface{}{
"challenge_id": challengeID,
"expired_at": challenge.ExpiresAt.Format("2006-01-02T15:04:05Z"),
},
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to verify challenge",
nil,
))
return
}
c.JSON(http.StatusOK, result)
}
// PollChallenge handles GET /api/v1/dns-providers/:id/manual-challenge/:challengeId/poll
// Returns the current status for polling.
func (h *ManualChallengeHandler) PollChallenge(c *gin.Context) {
providerID, err := strconv.ParseUint(c.Param("id"), 10, 32)
if err != nil {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_ID",
"Invalid provider ID",
nil,
))
return
}
challengeID := c.Param("challengeId")
if challengeID == "" {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_CHALLENGE_ID",
"Challenge ID is required",
nil,
))
return
}
userID := getUserIDFromContext(c)
// Verify provider exists
provider, err := h.providerService.Get(c.Request.Context(), uint(providerID))
if err != nil {
if errors.Is(err, services.ErrDNSProviderNotFound) {
c.JSON(http.StatusNotFound, newErrorResponse(
"PROVIDER_NOT_FOUND",
"DNS provider not found",
nil,
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to retrieve DNS provider",
nil,
))
return
}
if provider.ProviderType != "manual" {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_TYPE",
"This endpoint is only available for manual DNS providers",
nil,
))
return
}
// Get challenge status
status, err := h.challengeService.PollChallengeStatus(c.Request.Context(), challengeID, userID)
if err != nil {
if errors.Is(err, services.ErrChallengeNotFound) {
c.JSON(http.StatusNotFound, newErrorResponse(
"CHALLENGE_NOT_FOUND",
"Challenge not found",
nil,
))
return
}
if errors.Is(err, services.ErrUnauthorized) {
c.JSON(http.StatusForbidden, newErrorResponse(
"UNAUTHORIZED",
"You do not have access to this challenge",
nil,
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to get challenge status",
nil,
))
return
}
c.JSON(http.StatusOK, status)
}
// ListChallenges handles GET /api/v1/dns-providers/:id/manual-challenges
// Returns all challenges for a provider.
func (h *ManualChallengeHandler) ListChallenges(c *gin.Context) {
providerID, err := strconv.ParseUint(c.Param("id"), 10, 32)
if err != nil {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_ID",
"Invalid provider ID",
nil,
))
return
}
userID := getUserIDFromContext(c)
// Verify provider exists and is manual type
provider, err := h.providerService.Get(c.Request.Context(), uint(providerID))
if err != nil {
if errors.Is(err, services.ErrDNSProviderNotFound) {
c.JSON(http.StatusNotFound, newErrorResponse(
"PROVIDER_NOT_FOUND",
"DNS provider not found",
nil,
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to retrieve DNS provider",
nil,
))
return
}
if provider.ProviderType != "manual" {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_TYPE",
"This endpoint is only available for manual DNS providers",
nil,
))
return
}
challenges, err := h.challengeService.ListChallengesForProvider(c.Request.Context(), uint(providerID), userID)
if err != nil {
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to list challenges",
nil,
))
return
}
responses := make([]ManualChallengeResponse, len(challenges))
for i, ch := range challenges {
responses[i] = *challengeToResponse(&ch)
}
c.JSON(http.StatusOK, gin.H{
"challenges": responses,
"total": len(responses),
})
}
// DeleteChallenge handles DELETE /api/v1/dns-providers/:id/manual-challenge/:challengeId
// Cancels/deletes a challenge.
func (h *ManualChallengeHandler) DeleteChallenge(c *gin.Context) {
providerID, err := strconv.ParseUint(c.Param("id"), 10, 32)
if err != nil {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_ID",
"Invalid provider ID",
nil,
))
return
}
challengeID := c.Param("challengeId")
if challengeID == "" {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_CHALLENGE_ID",
"Challenge ID is required",
nil,
))
return
}
userID := getUserIDFromContext(c)
// Verify provider exists
provider, err := h.providerService.Get(c.Request.Context(), uint(providerID))
if err != nil {
if errors.Is(err, services.ErrDNSProviderNotFound) {
c.JSON(http.StatusNotFound, newErrorResponse(
"PROVIDER_NOT_FOUND",
"DNS provider not found",
nil,
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to retrieve DNS provider",
nil,
))
return
}
if provider.ProviderType != "manual" {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_TYPE",
"This endpoint is only available for manual DNS providers",
nil,
))
return
}
err = h.challengeService.DeleteChallenge(c.Request.Context(), challengeID, userID)
if err != nil {
if errors.Is(err, services.ErrChallengeNotFound) {
c.JSON(http.StatusNotFound, newErrorResponse(
"CHALLENGE_NOT_FOUND",
"Challenge not found",
nil,
))
return
}
if errors.Is(err, services.ErrUnauthorized) {
c.JSON(http.StatusForbidden, newErrorResponse(
"UNAUTHORIZED",
"You do not have access to this challenge",
nil,
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to delete challenge",
nil,
))
return
}
c.JSON(http.StatusOK, gin.H{
"success": true,
"message": "Challenge deleted successfully",
})
}
// CreateChallengeRequest represents the request to create a manual challenge.
type CreateChallengeRequest struct {
FQDN string `json:"fqdn" binding:"required"`
Token string `json:"token"`
Value string `json:"value" binding:"required"`
}
// CreateChallenge handles POST /api/v1/dns-providers/:id/manual-challenges
// Creates a new manual DNS challenge.
func (h *ManualChallengeHandler) CreateChallenge(c *gin.Context) {
providerID, err := strconv.ParseUint(c.Param("id"), 10, 32)
if err != nil {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_ID",
"Invalid provider ID",
nil,
))
return
}
var req CreateChallengeRequest
if err := c.ShouldBindJSON(&req); err != nil {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_REQUEST",
err.Error(),
nil,
))
return
}
userID := getUserIDFromContext(c)
// Verify provider exists and is manual type
provider, err := h.providerService.Get(c.Request.Context(), uint(providerID))
if err != nil {
if errors.Is(err, services.ErrDNSProviderNotFound) {
c.JSON(http.StatusNotFound, newErrorResponse(
"PROVIDER_NOT_FOUND",
"DNS provider not found",
nil,
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to retrieve DNS provider",
nil,
))
return
}
if provider.ProviderType != "manual" {
c.JSON(http.StatusBadRequest, newErrorResponse(
"INVALID_PROVIDER_TYPE",
"This endpoint is only available for manual DNS providers",
nil,
))
return
}
challenge, err := h.challengeService.CreateChallenge(c.Request.Context(), services.CreateChallengeRequest{
ProviderID: uint(providerID),
UserID: userID,
FQDN: req.FQDN,
Token: req.Token,
Value: req.Value,
})
if err != nil {
if errors.Is(err, services.ErrChallengeInProgress) {
c.JSON(http.StatusConflict, newErrorResponse(
"CHALLENGE_IN_PROGRESS",
"Another challenge is already in progress for this domain",
map[string]interface{}{"fqdn": req.FQDN},
))
return
}
c.JSON(http.StatusInternalServerError, newErrorResponse(
"INTERNAL_ERROR",
"Failed to create challenge",
nil,
))
return
}
c.JSON(http.StatusCreated, challengeToResponse(challenge))
}
// RegisterRoutes registers all manual challenge routes.
func (h *ManualChallengeHandler) RegisterRoutes(rg *gin.RouterGroup) {
// Routes under /dns-providers/:id
rg.GET("/dns-providers/:id/manual-challenges", h.ListChallenges)
rg.POST("/dns-providers/:id/manual-challenges", h.CreateChallenge)
rg.GET("/dns-providers/:id/manual-challenge/:challengeId", h.GetChallenge)
rg.POST("/dns-providers/:id/manual-challenge/:challengeId/verify", h.VerifyChallenge)
rg.GET("/dns-providers/:id/manual-challenge/:challengeId/poll", h.PollChallenge)
rg.DELETE("/dns-providers/:id/manual-challenge/:challengeId", h.DeleteChallenge)
}
// Helper functions
func challengeToResponse(ch *models.ManualChallenge) *ManualChallengeResponse {
resp := &ManualChallengeResponse{
ID: ch.ID,
ProviderID: ch.ProviderID,
FQDN: ch.FQDN,
Value: ch.Value,
Status: string(ch.Status),
DNSPropagated: ch.DNSPropagated,
CreatedAt: ch.CreatedAt.Format("2006-01-02T15:04:05Z"),
ExpiresAt: ch.ExpiresAt.Format("2006-01-02T15:04:05Z"),
TimeRemainingSeconds: int(ch.TimeRemaining().Seconds()),
ErrorMessage: ch.ErrorMessage,
}
if ch.LastCheckAt != nil {
resp.LastCheckAt = ch.LastCheckAt.Format("2006-01-02T15:04:05Z")
}
return resp
}
// getUserIDFromContext extracts user ID from gin context.
func getUserIDFromContext(c *gin.Context) uint {
// Try to get user_id from context (set by auth middleware)
if userID, exists := c.Get("user_id"); exists {
switch v := userID.(type) {
case uint:
return v
case int:
return uint(v)
case int64:
return uint(v)
case uint64:
return uint(v)
}
}
return 0
}

561
backend/internal/api/handlers/manual_challenge_handler_test.go Normal file
View File

@@ -0,0 +1,561 @@
package handlers
import (
"bytes"
"context"
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/Wikid82/charon/backend/internal/models"
"github.com/Wikid82/charon/backend/internal/services"
"github.com/gin-gonic/gin"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"
)
// MockManualChallengeService mocks the ManualChallengeServiceInterface for testing.
type MockManualChallengeService struct {
mock.Mock
}
func (m *MockManualChallengeService) CreateChallenge(ctx context.Context, req services.CreateChallengeRequest) (*models.ManualChallenge, error) {
args := m.Called(ctx, req)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).(*models.ManualChallenge), args.Error(1)
}
func (m *MockManualChallengeService) GetChallengeForUser(ctx context.Context, challengeID string, userID uint) (*models.ManualChallenge, error) {
args := m.Called(ctx, challengeID, userID)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).(*models.ManualChallenge), args.Error(1)
}
func (m *MockManualChallengeService) ListChallengesForProvider(ctx context.Context, providerID, userID uint) ([]models.ManualChallenge, error) {
args := m.Called(ctx, providerID, userID)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).([]models.ManualChallenge), args.Error(1)
}
func (m *MockManualChallengeService) VerifyChallenge(ctx context.Context, challengeID string, userID uint) (*services.VerifyResult, error) {
args := m.Called(ctx, challengeID, userID)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).(*services.VerifyResult), args.Error(1)
}
func (m *MockManualChallengeService) PollChallengeStatus(ctx context.Context, challengeID string, userID uint) (*services.ChallengeStatusResponse, error) {
args := m.Called(ctx, challengeID, userID)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).(*services.ChallengeStatusResponse), args.Error(1)
}
func (m *MockManualChallengeService) DeleteChallenge(ctx context.Context, challengeID string, userID uint) error {
args := m.Called(ctx, challengeID, userID)
return args.Error(0)
}
// mockDNSProviderServiceForChallenge is a minimal mock for manual challenge tests.
type mockDNSProviderServiceForChallenge struct {
mock.Mock
}
func (m *mockDNSProviderServiceForChallenge) Get(ctx context.Context, id uint) (*models.DNSProvider, error) {
args := m.Called(ctx, id)
if args.Get(0) == nil {
return nil, args.Error(1)
}
return args.Get(0).(*models.DNSProvider), args.Error(1)
}
func setupChallengeTestRouter() *gin.Engine {
gin.SetMode(gin.TestMode)
return gin.New()
}
func setUserID(c *gin.Context, userID uint) {
c.Set("user_id", userID)
}
func TestNewManualChallengeHandler(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
require.NotNil(t, handler)
assert.Equal(t, mockService, handler.challengeService)
assert.Equal(t, mockProviderService, handler.providerService)
}
func TestManualChallengeHandler_GetChallenge(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
router.GET("/dns-providers/:id/manual-challenge/:challengeId", func(c *gin.Context) {
setUserID(c, 1)
handler.GetChallenge(c)
})
now := time.Now()
challenge := &models.ManualChallenge{
ID: "test-challenge-id",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Value: "txtvalue",
Status: models.ChallengeStatusPending,
CreatedAt: now,
ExpiresAt: now.Add(10 * time.Minute),
}
provider := &models.DNSProvider{
ID: 1,
ProviderType: "manual",
}
mockProviderService.On("Get", mock.Anything, uint(1)).Return(provider, nil)
mockService.On("GetChallengeForUser", mock.Anything, "test-challenge-id", uint(1)).Return(challenge, nil)
req, _ := http.NewRequest("GET", "/dns-providers/1/manual-challenge/test-challenge-id", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
var resp ManualChallengeResponse
err := json.Unmarshal(w.Body.Bytes(), &resp)
require.NoError(t, err)
assert.Equal(t, "test-challenge-id", resp.ID)
assert.Equal(t, uint(1), resp.ProviderID)
}
func TestManualChallengeHandler_GetChallenge_NotFound(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
router.GET("/dns-providers/:id/manual-challenge/:challengeId", func(c *gin.Context) {
setUserID(c, 1)
handler.GetChallenge(c)
})
provider := &models.DNSProvider{
ID: 1,
ProviderType: "manual",
}
mockProviderService.On("Get", mock.Anything, uint(1)).Return(provider, nil)
mockService.On("GetChallengeForUser", mock.Anything, "nonexistent", uint(1)).Return(nil, services.ErrChallengeNotFound)
req, _ := http.NewRequest("GET", "/dns-providers/1/manual-challenge/nonexistent", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusNotFound, w.Code)
}
func TestManualChallengeHandler_GetChallenge_InvalidProviderType(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
router.GET("/dns-providers/:id/manual-challenge/:challengeId", func(c *gin.Context) {
setUserID(c, 1)
handler.GetChallenge(c)
})
provider := &models.DNSProvider{
ID: 1,
ProviderType: "cloudflare", // Not manual
}
mockProviderService.On("Get", mock.Anything, uint(1)).Return(provider, nil)
req, _ := http.NewRequest("GET", "/dns-providers/1/manual-challenge/test", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusBadRequest, w.Code)
}
func TestManualChallengeHandler_CreateChallenge(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
router.POST("/dns-providers/:id/manual-challenges", func(c *gin.Context) {
setUserID(c, 1)
handler.CreateChallenge(c)
})
now := time.Now()
challenge := &models.ManualChallenge{
ID: "new-challenge-id",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Value: "txtvalue",
Status: models.ChallengeStatusPending,
CreatedAt: now,
ExpiresAt: now.Add(10 * time.Minute),
}
provider := &models.DNSProvider{
ID: 1,
ProviderType: "manual",
}
mockProviderService.On("Get", mock.Anything, uint(1)).Return(provider, nil)
mockService.On("CreateChallenge", mock.Anything, mock.AnythingOfType("services.CreateChallengeRequest")).Return(challenge, nil)
body := CreateChallengeRequest{
FQDN: "_acme-challenge.example.com",
Value: "txtvalue",
}
bodyBytes, _ := json.Marshal(body)
req, _ := http.NewRequest("POST", "/dns-providers/1/manual-challenges", bytes.NewReader(bodyBytes))
req.Header.Set("Content-Type", "application/json")
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusCreated, w.Code)
}
func TestManualChallengeHandler_CreateChallenge_InvalidRequest(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
router.POST("/dns-providers/:id/manual-challenges", func(c *gin.Context) {
setUserID(c, 1)
handler.CreateChallenge(c)
})
provider := &models.DNSProvider{
ID: 1,
ProviderType: "manual",
}
mockProviderService.On("Get", mock.Anything, uint(1)).Return(provider, nil)
// Missing required field
body := `{"fqdn": ""}`
req, _ := http.NewRequest("POST", "/dns-providers/1/manual-challenges", bytes.NewReader([]byte(body)))
req.Header.Set("Content-Type", "application/json")
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusBadRequest, w.Code)
}
func TestManualChallengeHandler_VerifyChallenge(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
router.POST("/dns-providers/:id/manual-challenge/:challengeId/verify", func(c *gin.Context) {
setUserID(c, 1)
handler.VerifyChallenge(c)
})
now := time.Now()
challenge := &models.ManualChallenge{
ID: "test-challenge",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Value: "txtvalue",
Status: models.ChallengeStatusPending,
CreatedAt: now,
ExpiresAt: now.Add(10 * time.Minute),
}
provider := &models.DNSProvider{
ID: 1,
ProviderType: "manual",
}
result := &services.VerifyResult{
Success: true,
DNSFound: true,
Message: "DNS TXT record verified successfully",
Status: "verified",
}
mockProviderService.On("Get", mock.Anything, uint(1)).Return(provider, nil)
mockService.On("GetChallengeForUser", mock.Anything, "test-challenge", uint(1)).Return(challenge, nil)
mockService.On("VerifyChallenge", mock.Anything, "test-challenge", uint(1)).Return(result, nil)
req, _ := http.NewRequest("POST", "/dns-providers/1/manual-challenge/test-challenge/verify", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
}
func TestManualChallengeHandler_PollChallenge(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
router.GET("/dns-providers/:id/manual-challenge/:challengeId/poll", func(c *gin.Context) {
setUserID(c, 1)
handler.PollChallenge(c)
})
provider := &models.DNSProvider{
ID: 1,
ProviderType: "manual",
}
now := time.Now()
status := &services.ChallengeStatusResponse{
ID: "test-challenge",
Status: "pending",
DNSPropagated: false,
TimeRemainingSeconds: 300,
LastCheckAt: &now,
}
mockProviderService.On("Get", mock.Anything, uint(1)).Return(provider, nil)
mockService.On("PollChallengeStatus", mock.Anything, "test-challenge", uint(1)).Return(status, nil)
req, _ := http.NewRequest("GET", "/dns-providers/1/manual-challenge/test-challenge/poll", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
}
func TestManualChallengeHandler_ListChallenges(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
router.GET("/dns-providers/:id/manual-challenges", func(c *gin.Context) {
setUserID(c, 1)
handler.ListChallenges(c)
})
provider := &models.DNSProvider{
ID: 1,
ProviderType: "manual",
}
now := time.Now()
challenges := []models.ManualChallenge{
{
ID: "challenge-1",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example1.com",
Value: "value1",
Status: models.ChallengeStatusPending,
CreatedAt: now,
ExpiresAt: now.Add(10 * time.Minute),
},
{
ID: "challenge-2",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example2.com",
Value: "value2",
Status: models.ChallengeStatusVerified,
CreatedAt: now,
ExpiresAt: now.Add(10 * time.Minute),
},
}
mockProviderService.On("Get", mock.Anything, uint(1)).Return(provider, nil)
mockService.On("ListChallengesForProvider", mock.Anything, uint(1), uint(1)).Return(challenges, nil)
req, _ := http.NewRequest("GET", "/dns-providers/1/manual-challenges", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]interface{}
err := json.Unmarshal(w.Body.Bytes(), &resp)
require.NoError(t, err)
assert.Equal(t, float64(2), resp["total"])
}
func TestManualChallengeHandler_DeleteChallenge(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
router.DELETE("/dns-providers/:id/manual-challenge/:challengeId", func(c *gin.Context) {
setUserID(c, 1)
handler.DeleteChallenge(c)
})
provider := &models.DNSProvider{
ID: 1,
ProviderType: "manual",
}
mockProviderService.On("Get", mock.Anything, uint(1)).Return(provider, nil)
mockService.On("DeleteChallenge", mock.Anything, "test-challenge", uint(1)).Return(nil)
req, _ := http.NewRequest("DELETE", "/dns-providers/1/manual-challenge/test-challenge", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
}
func TestManualChallengeHandler_InvalidProviderID(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
router.GET("/dns-providers/:id/manual-challenge/:challengeId", func(c *gin.Context) {
setUserID(c, 1)
handler.GetChallenge(c)
})
req, _ := http.NewRequest("GET", "/dns-providers/invalid/manual-challenge/test", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusBadRequest, w.Code)
}
func TestManualChallengeHandler_ProviderNotFound(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
router.GET("/dns-providers/:id/manual-challenge/:challengeId", func(c *gin.Context) {
setUserID(c, 1)
handler.GetChallenge(c)
})
mockProviderService.On("Get", mock.Anything, uint(999)).Return(nil, services.ErrDNSProviderNotFound)
req, _ := http.NewRequest("GET", "/dns-providers/999/manual-challenge/test", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusNotFound, w.Code)
}
func TestManualChallengeHandler_RegisterRoutes(t *testing.T) {
mockService := new(MockManualChallengeService)
mockProviderService := new(mockDNSProviderServiceForChallenge)
handler := NewManualChallengeHandler(mockService, mockProviderService)
router := setupChallengeTestRouter()
handler.RegisterRoutes(router.Group("/"))
// Verify routes are registered by checking that they respond (even with errors)
routes := router.Routes()
paths := make(map[string]bool)
for _, route := range routes {
paths[route.Path] = true
}
assert.True(t, paths["/dns-providers/:id/manual-challenges"])
assert.True(t, paths["/dns-providers/:id/manual-challenge/:challengeId"])
assert.True(t, paths["/dns-providers/:id/manual-challenge/:challengeId/verify"])
assert.True(t, paths["/dns-providers/:id/manual-challenge/:challengeId/poll"])
}
func TestGetUserIDFromContext(t *testing.T) {
tests := []struct {
name string
value interface{}
expected uint
}{
{"uint value", uint(42), 42},
{"int value", int(42), 42},
{"int64 value", int64(42), 42},
{"uint64 value", uint64(42), 42},
{"missing value", nil, 0},
{"invalid type", "42", 0},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
gin.SetMode(gin.TestMode)
c, _ := gin.CreateTestContext(httptest.NewRecorder())
if tt.value != nil {
c.Set("user_id", tt.value)
}
result := getUserIDFromContext(c)
assert.Equal(t, tt.expected, result)
})
}
}
func TestChallengeToResponse(t *testing.T) {
now := time.Now()
lastCheck := now.Add(-1 * time.Minute)
challenge := &models.ManualChallenge{
ID: "test-id",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Value: "txtvalue",
Status: models.ChallengeStatusPending,
DNSPropagated: false,
CreatedAt: now,
ExpiresAt: now.Add(10 * time.Minute),
LastCheckAt: &lastCheck,
ErrorMessage: "test error",
}
resp := challengeToResponse(challenge)
assert.Equal(t, "test-id", resp.ID)
assert.Equal(t, uint(1), resp.ProviderID)
assert.Equal(t, "_acme-challenge.example.com", resp.FQDN)
assert.Equal(t, "txtvalue", resp.Value)
assert.Equal(t, "pending", resp.Status)
assert.False(t, resp.DNSPropagated)
assert.NotEmpty(t, resp.CreatedAt)
assert.NotEmpty(t, resp.ExpiresAt)
assert.NotEmpty(t, resp.LastCheckAt)
assert.Equal(t, "test error", resp.ErrorMessage)
}
func TestNewErrorResponse(t *testing.T) {
details := map[string]interface{}{"key": "value"}
resp := newErrorResponse("TEST_CODE", "Test message", details)
assert.False(t, resp.Success)
assert.Equal(t, "TEST_CODE", resp.Error.Code)
assert.Equal(t, "Test message", resp.Error.Message)
assert.Equal(t, details, resp.Error.Details)
}

24
backend/internal/api/handlers/misc_coverage_test.go
View File

@@ -18,7 +18,7 @@ import (
func setupDomainCoverageDB(t *testing.T) *gorm.DB {
t.Helper()
db := OpenTestDB(t)
db.AutoMigrate(&models.Domain{})
_ = db.AutoMigrate(&models.Domain{})
return db
}
@@ -28,7 +28,7 @@ func TestDomainHandler_List_Error(t *testing.T) {
h := NewDomainHandler(db, nil)
// Drop table to cause error
db.Migrator().DropTable(&models.Domain{})
_ = db.Migrator().DropTable(&models.Domain{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -60,7 +60,7 @@ func TestDomainHandler_Create_DBError(t *testing.T) {
h := NewDomainHandler(db, nil)
// Drop table to cause error
db.Migrator().DropTable(&models.Domain{})
_ = db.Migrator().DropTable(&models.Domain{})
body, _ := json.Marshal(map[string]string{"name": "example.com"})
@@ -81,7 +81,7 @@ func TestDomainHandler_Delete_Error(t *testing.T) {
h := NewDomainHandler(db, nil)
// Drop table to cause error
db.Migrator().DropTable(&models.Domain{})
_ = db.Migrator().DropTable(&models.Domain{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -98,7 +98,7 @@ func TestDomainHandler_Delete_Error(t *testing.T) {
func setupRemoteServerCoverageDB(t *testing.T) *gorm.DB {
t.Helper()
db := OpenTestDB(t)
db.AutoMigrate(&models.RemoteServer{})
_ = db.AutoMigrate(&models.RemoteServer{})
return db
}
@@ -109,7 +109,7 @@ func TestRemoteServerHandler_List_Error(t *testing.T) {
h := NewRemoteServerHandler(svc, nil)
// Drop table to cause error
db.Migrator().DropTable(&models.RemoteServer{})
_ = db.Migrator().DropTable(&models.RemoteServer{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -162,7 +162,7 @@ func TestRemoteServerHandler_Update_InvalidJSON(t *testing.T) {
// Create a server first
server := &models.RemoteServer{Name: "Test", Host: "localhost", Port: 22}
svc.Create(server)
_ = svc.Create(server)
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -234,7 +234,7 @@ func TestRemoteServerHandler_TestConnectionCustom_Unreachable(t *testing.T) {
func setupUptimeCoverageDB(t *testing.T) *gorm.DB {
t.Helper()
db := OpenTestDB(t)
db.AutoMigrate(&models.UptimeMonitor{}, &models.UptimeHeartbeat{})
_ = db.AutoMigrate(&models.UptimeMonitor{}, &models.UptimeHeartbeat{})
return db
}
@@ -245,7 +245,7 @@ func TestUptimeHandler_List_Error(t *testing.T) {
h := NewUptimeHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.UptimeMonitor{})
_ = db.Migrator().DropTable(&models.UptimeMonitor{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -263,7 +263,7 @@ func TestUptimeHandler_GetHistory_Error(t *testing.T) {
h := NewUptimeHandler(svc)
// Drop history table
db.Migrator().DropTable(&models.UptimeHeartbeat{})
_ = db.Migrator().DropTable(&models.UptimeHeartbeat{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -299,7 +299,7 @@ func TestUptimeHandler_Sync_Error(t *testing.T) {
h := NewUptimeHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.UptimeMonitor{})
_ = db.Migrator().DropTable(&models.UptimeMonitor{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -317,7 +317,7 @@ func TestUptimeHandler_Delete_Error(t *testing.T) {
h := NewUptimeHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.UptimeMonitor{})
_ = db.Migrator().DropTable(&models.UptimeMonitor{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)

28
backend/internal/api/handlers/notification_coverage_test.go
View File

@@ -19,7 +19,7 @@ import (
func setupNotificationCoverageDB(t *testing.T) *gorm.DB {
t.Helper()
db := OpenTestDB(t)
db.AutoMigrate(&models.Notification{}, &models.NotificationProvider{}, &models.NotificationTemplate{})
_ = db.AutoMigrate(&models.Notification{}, &models.NotificationProvider{}, &models.NotificationTemplate{})
return db
}
@@ -32,7 +32,7 @@ func TestNotificationHandler_List_Error(t *testing.T) {
h := NewNotificationHandler(svc)
// Drop the table to cause error
db.Migrator().DropTable(&models.Notification{})
_ = db.Migrator().DropTable(&models.Notification{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -51,8 +51,8 @@ func TestNotificationHandler_List_UnreadOnly(t *testing.T) {
h := NewNotificationHandler(svc)
// Create some notifications
svc.Create(models.NotificationTypeInfo, "Test 1", "Message 1")
svc.Create(models.NotificationTypeInfo, "Test 2", "Message 2")
_, _ = svc.Create(models.NotificationTypeInfo, "Test 1", "Message 1")
_, _ = svc.Create(models.NotificationTypeInfo, "Test 2", "Message 2")
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -70,7 +70,7 @@ func TestNotificationHandler_MarkAsRead_Error(t *testing.T) {
h := NewNotificationHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.Notification{})
_ = db.Migrator().DropTable(&models.Notification{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -89,7 +89,7 @@ func TestNotificationHandler_MarkAllAsRead_Error(t *testing.T) {
h := NewNotificationHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.Notification{})
_ = db.Migrator().DropTable(&models.Notification{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -109,7 +109,7 @@ func TestNotificationProviderHandler_List_Error(t *testing.T) {
h := NewNotificationProviderHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.NotificationProvider{})
_ = db.Migrator().DropTable(&models.NotificationProvider{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -143,7 +143,7 @@ func TestNotificationProviderHandler_Create_DBError(t *testing.T) {
h := NewNotificationProviderHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.NotificationProvider{})
_ = db.Migrator().DropTable(&models.NotificationProvider{})
provider := models.NotificationProvider{
Name: "Test",
@@ -243,7 +243,7 @@ func TestNotificationProviderHandler_Update_DBError(t *testing.T) {
h := NewNotificationProviderHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.NotificationProvider{})
_ = db.Migrator().DropTable(&models.NotificationProvider{})
provider := models.NotificationProvider{
Name: "Test",
@@ -271,7 +271,7 @@ func TestNotificationProviderHandler_Delete_Error(t *testing.T) {
h := NewNotificationProviderHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.NotificationProvider{})
_ = db.Migrator().DropTable(&models.NotificationProvider{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -388,7 +388,7 @@ func TestNotificationTemplateHandler_List_Error(t *testing.T) {
h := NewNotificationTemplateHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.NotificationTemplate{})
_ = db.Migrator().DropTable(&models.NotificationTemplate{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -422,7 +422,7 @@ func TestNotificationTemplateHandler_Create_DBError(t *testing.T) {
h := NewNotificationTemplateHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.NotificationTemplate{})
_ = db.Migrator().DropTable(&models.NotificationTemplate{})
tmpl := models.NotificationTemplate{
Name: "Test",
@@ -464,7 +464,7 @@ func TestNotificationTemplateHandler_Update_DBError(t *testing.T) {
h := NewNotificationTemplateHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.NotificationTemplate{})
_ = db.Migrator().DropTable(&models.NotificationTemplate{})
tmpl := models.NotificationTemplate{
Name: "Test",
@@ -490,7 +490,7 @@ func TestNotificationTemplateHandler_Delete_Error(t *testing.T) {
h := NewNotificationTemplateHandler(svc)
// Drop table to cause error
db.Migrator().DropTable(&models.NotificationTemplate{})
_ = db.Migrator().DropTable(&models.NotificationTemplate{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)

6
backend/internal/api/handlers/notification_handler_test.go
View File

@@ -25,7 +25,7 @@ func setupNotificationTestDB() *gorm.DB {
if err != nil {
panic("failed to connect to test database")
}
db.AutoMigrate(&models.Notification{}, &models.NotificationProvider{})
_ = db.AutoMigrate(&models.Notification{}, &models.NotificationProvider{})
return db
}
@@ -124,7 +124,7 @@ func TestNotificationHandler_MarkAllAsRead_Error(t *testing.T) {
// Close DB to force error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
req, _ := http.NewRequest("POST", "/notifications/read-all", http.NoBody)
w := httptest.NewRecorder()
@@ -143,7 +143,7 @@ func TestNotificationHandler_DBError(t *testing.T) {
// Close DB to force error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
req, _ := http.NewRequest("POST", "/notifications/1/read", http.NoBody)
w := httptest.NewRecorder()

14
backend/internal/api/handlers/plugin_handler_test.go
View File

@@ -529,7 +529,7 @@ func TestPluginHandler_ListPlugins_ExternalLoadedPlugin(t *testing.T) {
Description: "External DNS provider",
},
}
dnsprovider.Global().Register(testProvider)
_ = dnsprovider.Global().Register(testProvider)
defer dnsprovider.Global().Unregister("external-type")
handler := NewPluginHandler(db, pluginLoader)
@@ -593,7 +593,7 @@ func TestPluginHandler_GetPlugin_WithProvider(t *testing.T) {
DocumentationURL: "https://example.com/docs",
},
}
dnsprovider.Global().Register(testProvider)
_ = dnsprovider.Global().Register(testProvider)
defer dnsprovider.Global().Unregister("provider-type")
handler := NewPluginHandler(db, pluginLoader)
@@ -882,7 +882,7 @@ func TestPluginHandler_EnablePlugin_DBUpdateError(t *testing.T) {
// Close the underlying connection to simulate DB error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
router := gin.New()
router.POST("/plugins/:id/enable", handler.EnablePlugin)
@@ -915,7 +915,7 @@ func TestPluginHandler_DisablePlugin_DBUpdateError(t *testing.T) {
// Close the underlying connection to simulate DB error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
router := gin.New()
router.POST("/plugins/:id/disable", handler.DisablePlugin)
@@ -948,7 +948,7 @@ func TestPluginHandler_GetPlugin_DBInternalError(t *testing.T) {
// Close the underlying connection to simulate DB error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
router := gin.New()
router.GET("/plugins/:id", handler.GetPlugin)
@@ -982,7 +982,7 @@ func TestPluginHandler_EnablePlugin_FirstDBLookupError(t *testing.T) {
// Close the underlying connection to simulate DB error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
router := gin.New()
router.POST("/plugins/:id/enable", handler.EnablePlugin)
@@ -1016,7 +1016,7 @@ func TestPluginHandler_DisablePlugin_FirstDBLookupError(t *testing.T) {
// Close the underlying connection to simulate DB error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
router := gin.New()
router.POST("/plugins/:id/disable", handler.DisablePlugin)

42
backend/internal/api/handlers/pr_coverage_test.go
View File

@@ -45,7 +45,7 @@ func TestPluginHandler_EnablePlugin_DatabaseUpdateError(t *testing.T) {
// Close DB to trigger error during update
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
router := gin.New()
router.POST("/plugins/:id/enable", handler.EnablePlugin)
@@ -77,7 +77,7 @@ func TestPluginHandler_DisablePlugin_DatabaseUpdateError(t *testing.T) {
// Close DB to trigger error during update
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
router := gin.New()
router.POST("/plugins/:id/disable", handler.DisablePlugin)
@@ -108,7 +108,7 @@ func TestPluginHandler_GetPlugin_DatabaseError(t *testing.T) {
// Close DB to trigger database error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
router := gin.New()
router.GET("/plugins/:id", handler.GetPlugin)
@@ -130,7 +130,7 @@ func TestPluginHandler_EnablePlugin_DatabaseFirstError(t *testing.T) {
// Close DB to trigger error when fetching plugin
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
router := gin.New()
router.POST("/plugins/:id/enable", handler.EnablePlugin)
@@ -152,7 +152,7 @@ func TestPluginHandler_DisablePlugin_DatabaseFirstError(t *testing.T) {
// Close DB to trigger error when fetching plugin
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
router := gin.New()
router.POST("/plugins/:id/disable", handler.DisablePlugin)
@@ -221,7 +221,7 @@ func TestEncryptionHandler_GetHistory_PaginationBoundary(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var response map[string]any
json.Unmarshal(w.Body.Bytes(), &response)
_ = json.Unmarshal(w.Body.Bytes(), &response)
// limit should not exceed 100
assert.LessOrEqual(t, response["limit"].(float64), float64(100))
}
@@ -330,7 +330,7 @@ func TestSettingsHandler_TestPublicURL_PrivateIPBlocked_Coverage(t *testing.T) {
// Should return 200 but with reachable=false due to SSRF protection
assert.Equal(t, http.StatusOK, w.Code)
var response map[string]any
json.Unmarshal(w.Body.Bytes(), &response)
_ = json.Unmarshal(w.Body.Bytes(), &response)
assert.False(t, response["reachable"].(bool))
}
@@ -358,7 +358,7 @@ func TestSettingsHandler_ValidatePublicURL_WithTrailingSlash(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var response map[string]any
json.Unmarshal(w.Body.Bytes(), &response)
_ = json.Unmarshal(w.Body.Bytes(), &response)
assert.True(t, response["valid"].(bool))
}
@@ -386,7 +386,7 @@ func TestSettingsHandler_ValidatePublicURL_MissingScheme(t *testing.T) {
assert.Equal(t, http.StatusBadRequest, w.Code)
var response map[string]any
json.Unmarshal(w.Body.Bytes(), &response)
_ = json.Unmarshal(w.Body.Bytes(), &response)
assert.False(t, response["valid"].(bool))
}
@@ -398,10 +398,10 @@ func TestAuditLogHandler_List_PaginationEdgeCases(t *testing.T) {
gin.SetMode(gin.TestMode)
dbPath := fmt.Sprintf("/tmp/test_audit_pagination_%d.db", time.Now().UnixNano())
t.Cleanup(func() { os.Remove(dbPath) })
t.Cleanup(func() { _ = os.Remove(dbPath) })
db, _ := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
db.AutoMigrate(&models.SecurityAudit{}, &models.DNSProvider{})
_ = db.AutoMigrate(&models.SecurityAudit{}, &models.DNSProvider{})
// Create test audits
for i := 0; i < 10; i++ {
@@ -432,10 +432,10 @@ func TestAuditLogHandler_List_CategoryFilter(t *testing.T) {
gin.SetMode(gin.TestMode)
dbPath := fmt.Sprintf("/tmp/test_audit_category_%d.db", time.Now().UnixNano())
t.Cleanup(func() { os.Remove(dbPath) })
t.Cleanup(func() { _ = os.Remove(dbPath) })
db, _ := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
db.AutoMigrate(&models.SecurityAudit{}, &models.DNSProvider{})
_ = db.AutoMigrate(&models.SecurityAudit{}, &models.DNSProvider{})
// Create test audits with different categories
db.Create(&models.SecurityAudit{
@@ -470,10 +470,10 @@ func TestAuditLogHandler_ListByProvider_DatabaseError(t *testing.T) {
gin.SetMode(gin.TestMode)
dbPath := fmt.Sprintf("/tmp/test_audit_db_error_%d.db", time.Now().UnixNano())
t.Cleanup(func() { os.Remove(dbPath) })
t.Cleanup(func() { _ = os.Remove(dbPath) })
db, _ := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
db.AutoMigrate(&models.SecurityAudit{}, &models.DNSProvider{})
_ = db.AutoMigrate(&models.SecurityAudit{}, &models.DNSProvider{})
secService := services.NewSecurityService(db)
defer secService.Close()
@@ -481,7 +481,7 @@ func TestAuditLogHandler_ListByProvider_DatabaseError(t *testing.T) {
// Close DB to trigger error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
router := gin.New()
router.GET("/audit/provider/:id", handler.ListByProvider)
@@ -497,10 +497,10 @@ func TestAuditLogHandler_ListByProvider_InvalidProviderID(t *testing.T) {
gin.SetMode(gin.TestMode)
dbPath := fmt.Sprintf("/tmp/test_audit_invalid_id_%d.db", time.Now().UnixNano())
t.Cleanup(func() { os.Remove(dbPath) })
t.Cleanup(func() { _ = os.Remove(dbPath) })
db, _ := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
db.AutoMigrate(&models.SecurityAudit{}, &models.DNSProvider{})
_ = db.AutoMigrate(&models.SecurityAudit{}, &models.DNSProvider{})
secService := services.NewSecurityService(db)
defer secService.Close()
@@ -586,7 +586,7 @@ func setupCredentialHandlerTestWithCtx(t *testing.T) (*gin.Engine, *gorm.DB, *mo
t.Cleanup(func() {
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
})
err = db.AutoMigrate(
@@ -684,7 +684,7 @@ func TestCredentialHandler_List_DatabaseClosed(t *testing.T) {
dbName := fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())
db, _ := gorm.Open(sqlite.Open(dbName), &gorm.Config{})
db.AutoMigrate(&models.DNSProvider{}, &models.DNSProviderCredential{})
_ = db.AutoMigrate(&models.DNSProvider{}, &models.DNSProviderCredential{})
testKey := "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY="
encryptor, _ := crypto.NewEncryptionService(testKey)
@@ -696,7 +696,7 @@ func TestCredentialHandler_List_DatabaseClosed(t *testing.T) {
// Close DB to trigger error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
req, _ := http.NewRequest("GET", "/api/v1/dns-providers/1/credentials", nil)
w := httptest.NewRecorder()

2
backend/internal/api/handlers/proxy_host_handler_test.go
View File

@@ -397,7 +397,7 @@ func TestProxyHostConnection(t *testing.T) {
// Start a local listener
l, err := net.Listen("tcp", "127.0.0.1:0")
require.NoError(t, err)
defer l.Close()
defer func() { _ = l.Close() }()
addr := l.Addr().(*net.TCPAddr)

2
backend/internal/api/handlers/remote_server_handler_test.go
View File

@@ -20,7 +20,7 @@ func setupRemoteServerTest_New(t *testing.T) (*gin.Engine, *handlers.RemoteServe
t.Helper()
db := setupTestDB(t)
// Ensure RemoteServer table exists
db.AutoMigrate(&models.RemoteServer{})
_ = db.AutoMigrate(&models.RemoteServer{})
ns := services.NewNotificationService(db)
handler := handlers.NewRemoteServerHandler(services.NewRemoteServerService(db), ns)

6
backend/internal/api/handlers/security_handler_audit_test.go
View File

@@ -177,7 +177,7 @@ func TestSecurityHandler_UpsertRuleSet_EmptyName(t *testing.T) {
assert.Equal(t, http.StatusBadRequest, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Contains(t, resp, "error")
}
@@ -517,7 +517,7 @@ func TestSecurityHandler_Enable_WithoutWhitelist(t *testing.T) {
assert.Equal(t, http.StatusBadRequest, w.Code)
var resp map[string]string
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Contains(t, resp["error"], "whitelist")
}
@@ -578,7 +578,7 @@ func TestSecurityHandler_GetStatus_CrowdSecModeValidation(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
// Invalid modes should be normalized to "disabled"
assert.Equal(t, "disabled", resp["crowdsec"]["mode"],

6
backend/internal/api/handlers/security_handler_coverage_test.go
View File

@@ -522,7 +522,7 @@ func TestSecurityHandler_Enable_WithValidBreakGlassToken(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var tokenResp map[string]string
json.Unmarshal(w.Body.Bytes(), &tokenResp)
_ = json.Unmarshal(w.Body.Bytes(), &tokenResp)
token := tokenResp["token"]
// Now try to enable with the token
@@ -586,7 +586,7 @@ func TestSecurityHandler_Disable_FromLocalhost(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.False(t, resp["enabled"].(bool))
}
@@ -612,7 +612,7 @@ func TestSecurityHandler_Disable_FromRemoteWithToken(t *testing.T) {
req, _ := http.NewRequest("POST", "/security/breakglass/generate", http.NoBody)
router.ServeHTTP(w, req)
var tokenResp map[string]string
json.Unmarshal(w.Body.Bytes(), &tokenResp)
_ = json.Unmarshal(w.Body.Bytes(), &tokenResp)
token := tokenResp["token"]
// Disable with token

10
backend/internal/api/handlers/security_handler_waf_test.go
View File

@@ -191,7 +191,7 @@ func TestSecurityHandler_AddWAFExclusion_ToExistingConfig(t *testing.T) {
router.ServeHTTP(w, req)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
exclusions := resp["exclusions"].([]any)
assert.Len(t, exclusions, 2)
}
@@ -360,7 +360,7 @@ func TestSecurityHandler_DeleteWAFExclusion_Success(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.True(t, resp["deleted"].(bool))
// Verify only one exclusion remains
@@ -368,7 +368,7 @@ func TestSecurityHandler_DeleteWAFExclusion_Success(t *testing.T) {
req, _ = http.NewRequest("GET", "/security/waf/exclusions", http.NoBody)
router.ServeHTTP(w, req)
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
exclusions := resp["exclusions"].([]any)
assert.Len(t, exclusions, 1)
first := exclusions[0].(map[string]any)
@@ -403,7 +403,7 @@ func TestSecurityHandler_DeleteWAFExclusion_WithTarget(t *testing.T) {
router.ServeHTTP(w, req)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
exclusions := resp["exclusions"].([]any)
assert.Len(t, exclusions, 1)
first := exclusions[0].(map[string]any)
@@ -514,7 +514,7 @@ func TestSecurityHandler_WAFExclusion_FullWorkflow(t *testing.T) {
router.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Len(t, resp["exclusions"].([]any), 0)
// Step 2: Add first exclusion (full rule removal)

26
backend/internal/api/handlers/settings_handler_test.go
View File

@@ -122,7 +122,7 @@ func setupSettingsTestDB(t *testing.T) *gorm.DB {
if err != nil {
panic("failed to connect to test database")
}
db.AutoMigrate(&models.Setting{})
_ = db.AutoMigrate(&models.Setting{})
return db
}
@@ -281,7 +281,7 @@ func setupSettingsHandlerWithMail(t *testing.T) (*handlers.SettingsHandler, *gor
if err != nil {
panic("failed to connect to test database")
}
db.AutoMigrate(&models.Setting{})
_ = db.AutoMigrate(&models.Setting{})
return handlers.NewSettingsHandler(db), db
}
@@ -307,7 +307,7 @@ func TestSettingsHandler_GetSMTPConfig(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, "smtp.example.com", resp["host"])
assert.Equal(t, float64(587), resp["port"])
assert.Equal(t, "********", resp["password"]) // Password should be masked
@@ -328,7 +328,7 @@ func TestSettingsHandler_GetSMTPConfig_Empty(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, false, resp["configured"])
}
@@ -496,7 +496,7 @@ func TestSettingsHandler_TestSMTPConfig_NotConfigured(t *testing.T) {
assert.Equal(t, http.StatusBadRequest, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, false, resp["success"])
}
@@ -589,7 +589,7 @@ func TestSettingsHandler_SendTestEmail_NotConfigured(t *testing.T) {
assert.Equal(t, http.StatusBadRequest, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, false, resp["success"])
}
@@ -687,7 +687,7 @@ func TestSettingsHandler_ValidatePublicURL_InvalidFormat(t *testing.T) {
assert.Equal(t, http.StatusBadRequest, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, false, resp["valid"])
})
}
@@ -726,7 +726,7 @@ func TestSettingsHandler_ValidatePublicURL_Success(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, true, resp["valid"])
assert.Equal(t, tc.expected, resp["normalized"])
})
@@ -811,7 +811,7 @@ func TestSettingsHandler_TestPublicURL_InvalidURL(t *testing.T) {
assert.Equal(t, http.StatusBadRequest, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
// BadRequest responses only have 'error' field, not 'reachable'
assert.Contains(t, resp["error"].(string), "parse")
}
@@ -850,7 +850,7 @@ func TestSettingsHandler_TestPublicURL_PrivateIPBlocked(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code) // Returns 200 but with reachable=false
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, false, resp["reachable"])
// Verify error message contains relevant security text
errorMsg := resp["error"].(string)
@@ -892,7 +892,7 @@ func TestSettingsHandler_TestPublicURL_Success(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
// The test verifies the handler works with a real public URL
assert.Equal(t, true, resp["reachable"], "example.com should be reachable")
@@ -920,7 +920,7 @@ func TestSettingsHandler_TestPublicURL_DNSFailure(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code) // Returns 200 but with reachable=false
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.Equal(t, false, resp["reachable"])
// DNS errors contain "dns" or "resolution" keywords (case-insensitive)
errorMsg := resp["error"].(string)
@@ -1078,7 +1078,7 @@ func TestSettingsHandler_TestPublicURL_EmbeddedCredentials(t *testing.T) {
assert.Equal(t, http.StatusOK, w.Code)
var resp map[string]any
json.Unmarshal(w.Body.Bytes(), &resp)
_ = json.Unmarshal(w.Body.Bytes(), &resp)
assert.False(t, resp["reachable"].(bool))
assert.Contains(t, resp["error"].(string), "credentials")
}

7
backend/internal/api/handlers/system_handler.go
View File

@@ -25,11 +25,12 @@ func (h *SystemHandler) GetMyIP(c *gin.Context) {
ip := getClientIP(c.Request)
source := "direct"
if c.GetHeader("X-Forwarded-For") != "" {
switch {
case c.GetHeader("X-Forwarded-For") != "":
source = "X-Forwarded-For"
} else if c.GetHeader("X-Real-IP") != "" {
case c.GetHeader("X-Real-IP") != "":
source = "X-Real-IP"
} else if c.GetHeader("CF-Connecting-IP") != "" {
case c.GetHeader("CF-Connecting-IP") != "":
source = "Cloudflare"
}

4
backend/internal/api/handlers/testdb_test.go
View File

@@ -37,7 +37,7 @@ func TestGetTemplateDB_HasTables(t *testing.T) {
var tables []string
rows, err := tmpl.Raw("SELECT name FROM sqlite_master WHERE type='table'").Rows()
require.NoError(t, err)
defer rows.Close()
defer func() { _ = rows.Close() }()
for rows.Next() {
var name string
@@ -95,7 +95,7 @@ func TestOpenTestDBWithMigrations(t *testing.T) {
var tables []string
rows, err := db.Raw("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'").Rows()
require.NoError(t, err)
defer rows.Close()
defer func() { _ = rows.Close() }()
for rows.Next() {
var name string

2
backend/internal/api/handlers/update_handler_test.go
View File

@@ -20,7 +20,7 @@ func TestUpdateHandler_Check(t *testing.T) {
return
}
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{"tag_name":"v1.0.0","html_url":"https://github.com/example/repo/releases/tag/v1.0.0"}`))
_, _ = w.Write([]byte(`{"tag_name":"v1.0.0","html_url":"https://github.com/example/repo/releases/tag/v1.0.0"}`))
}))
defer server.Close()

18
backend/internal/api/handlers/user_handler_coverage_test.go
View File

@@ -16,7 +16,7 @@ import (
func setupUserCoverageDB(t *testing.T) *gorm.DB {
t.Helper()
db := OpenTestDB(t)
db.AutoMigrate(&models.User{}, &models.Setting{})
_ = db.AutoMigrate(&models.User{}, &models.Setting{})
return db
}
@@ -26,7 +26,7 @@ func TestUserHandler_GetSetupStatus_Error(t *testing.T) {
h := NewUserHandler(db)
// Drop table to cause error
db.Migrator().DropTable(&models.User{})
_ = db.Migrator().DropTable(&models.User{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -43,7 +43,7 @@ func TestUserHandler_Setup_CheckStatusError(t *testing.T) {
h := NewUserHandler(db)
// Drop table to cause error
db.Migrator().DropTable(&models.User{})
_ = db.Migrator().DropTable(&models.User{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -61,7 +61,7 @@ func TestUserHandler_Setup_AlreadyCompleted(t *testing.T) {
// Create a user to mark setup as complete
user := &models.User{UUID: "uuid-a", Name: "Admin", Email: "admin@test.com", Role: "admin"}
user.SetPassword("password123")
_ = user.SetPassword("password123")
db.Create(user)
w := httptest.NewRecorder()
@@ -108,7 +108,7 @@ func TestUserHandler_RegenerateAPIKey_DBError(t *testing.T) {
h := NewUserHandler(db)
// Drop table to cause error
db.Migrator().DropTable(&models.User{})
_ = db.Migrator().DropTable(&models.User{})
w := httptest.NewRecorder()
c, _ := gin.CreateTestContext(w)
@@ -207,11 +207,11 @@ func TestUserHandler_UpdateProfile_EmailConflict(t *testing.T) {
// Create two users
user1 := &models.User{UUID: "uuid-1", Name: "User1", Email: "user1@test.com", Role: "admin", APIKey: "key1"}
user1.SetPassword("password123")
_ = user1.SetPassword("password123")
db.Create(user1)
user2 := &models.User{UUID: "uuid-2", Name: "User2", Email: "user2@test.com", Role: "admin", APIKey: "key2"}
user2.SetPassword("password123")
_ = user2.SetPassword("password123")
db.Create(user2)
// Try to change user2's email to user1's email
@@ -239,7 +239,7 @@ func TestUserHandler_UpdateProfile_EmailChangeNoPassword(t *testing.T) {
h := NewUserHandler(db)
user := &models.User{UUID: "uuid-u", Name: "User", Email: "user@test.com", Role: "admin"}
user.SetPassword("password123")
_ = user.SetPassword("password123")
db.Create(user)
// Try to change email without password
@@ -266,7 +266,7 @@ func TestUserHandler_UpdateProfile_WrongPassword(t *testing.T) {
h := NewUserHandler(db)
user := &models.User{UUID: "uuid-u", Name: "User", Email: "user@test.com", Role: "admin"}
user.SetPassword("password123")
_ = user.SetPassword("password123")
db.Create(user)
// Try to change email with wrong password

8
backend/internal/api/handlers/user_handler_test.go
View File

@@ -24,7 +24,7 @@ func setupUserHandler(t *testing.T) (*UserHandler, *gorm.DB) {
dbName := "file:" + t.Name() + "?mode=memory&cache=shared"
db, err := gorm.Open(sqlite.Open(dbName), &gorm.Config{})
require.NoError(t, err)
db.AutoMigrate(&models.User{}, &models.Setting{})
_ = db.AutoMigrate(&models.User{}, &models.Setting{})
return NewUserHandler(db), db
}
@@ -229,7 +229,7 @@ func TestUserHandler_Errors(t *testing.T) {
// Update on non-existent record usually returns nil error in GORM unless configured otherwise.
// However, let's see if we can force an error by closing DB? No, shared DB.
// We can drop the table?
db.Migrator().DropTable(&models.User{})
_ = db.Migrator().DropTable(&models.User{})
req, _ = http.NewRequest("POST", "/api-key-not-found", http.NoBody)
w = httptest.NewRecorder()
r.ServeHTTP(w, req)
@@ -247,7 +247,7 @@ func TestUserHandler_UpdateProfile(t *testing.T) {
Name: "Test User",
APIKey: uuid.NewString(),
}
user.SetPassword("password123")
_ = user.SetPassword("password123")
db.Create(user)
gin.SetMode(gin.TestMode)
@@ -396,7 +396,7 @@ func setupUserHandlerWithProxyHosts(t *testing.T) (*UserHandler, *gorm.DB) {
dbName := "file:" + t.Name() + "?mode=memory&cache=shared"
db, err := gorm.Open(sqlite.Open(dbName), &gorm.Config{})
require.NoError(t, err)
db.AutoMigrate(&models.User{}, &models.Setting{}, &models.ProxyHost{})
_ = db.AutoMigrate(&models.User{}, &models.Setting{}, &models.ProxyHost{})
return NewUserHandler(db), db
}

2
backend/internal/api/handlers/user_integration_test.go
View File

@@ -22,7 +22,7 @@ func TestUserLoginAfterEmailChange(t *testing.T) {
dbName := "file:" + t.Name() + "?mode=memory&cache=shared"
db, err := gorm.Open(sqlite.Open(dbName), &gorm.Config{})
require.NoError(t, err)
db.AutoMigrate(&models.User{}, &models.Setting{})
_ = db.AutoMigrate(&models.User{}, &models.Setting{})
// Setup Services and Handlers
cfg := config.Config{}

2
backend/internal/api/middleware/auth_test.go
View File

@@ -19,7 +19,7 @@ func setupAuthService(t *testing.T) *services.AuthService {
dbName := "file:" + t.Name() + "?mode=memory&cache=shared"
db, err := gorm.Open(sqlite.Open(dbName), &gorm.Config{})
require.NoError(t, err)
db.AutoMigrate(&models.User{})
_ = db.AutoMigrate(&models.User{})
cfg := config.Config{JWTSecret: "test-secret"}
return services.NewAuthService(db, cfg)
}

9
backend/internal/api/routes/routes.go
View File

@@ -24,6 +24,9 @@ import (
"github.com/Wikid82/charon/backend/internal/metrics"
"github.com/Wikid82/charon/backend/internal/models"
"github.com/Wikid82/charon/backend/internal/services"
// Import custom DNS providers to register them
_ "github.com/Wikid82/charon/backend/pkg/dnsprovider/custom"
)
// Register wires up API routes and performs automatic migrations.
@@ -69,6 +72,7 @@ func Register(router *gin.Engine, db *gorm.DB, cfg config.Config) error {
&models.DNSProvider{},
&models.DNSProviderCredential{}, // Multi-credential support (Phase 3)
&models.Plugin{}, // Phase 5: DNS provider plugins
&models.ManualChallenge{}, // Phase 1: Manual DNS challenges
); err != nil {
return fmt.Errorf("auto migrate: %w", err)
}
@@ -312,6 +316,11 @@ func Register(router *gin.Engine, db *gorm.DB, cfg config.Config) error {
adminPlugins.POST("/:id/enable", pluginHandler.EnablePlugin)
adminPlugins.POST("/:id/disable", pluginHandler.DisablePlugin)
adminPlugins.POST("/reload", pluginHandler.ReloadPlugins)
// Manual DNS Challenges (Phase 1) - For users without automated DNS API access
manualChallengeService := services.NewManualChallengeService(db)
manualChallengeHandler := handlers.NewManualChallengeHandler(manualChallengeService, dnsProviderService)
manualChallengeHandler.RegisterRoutes(protected)
}
} else {
logger.Log().Warn("CHARON_ENCRYPTION_KEY not set - DNS provider and plugin features will be unavailable")

2
backend/internal/api/routes/routes_import_test.go
View File

@@ -18,7 +18,7 @@ func setupTestImportDB(t *testing.T) *gorm.DB {
if err != nil {
t.Fatalf("failed to connect to test database: %v", err)
}
db.AutoMigrate(&models.ImportSession{}, &models.ProxyHost{})
_ = db.AutoMigrate(&models.ImportSession{}, &models.ProxyHost{})
return db
}

2
backend/internal/api/routes/routes_test.go
View File

@@ -86,7 +86,7 @@ func TestRegister_AutoMigrateFailure(t *testing.T) {
// Close underlying SQL connection to force migration failure
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
cfg := config.Config{
JWTSecret: "test-secret",

8
backend/internal/caddy/client_test.go
View File

@@ -41,7 +41,7 @@ func TestClient_Load_Success(t *testing.T) {
func TestClient_Load_Failure(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte(`{"error": "invalid config"}`))
_, _ = w.Write([]byte(`{"error": "invalid config"}`))
}))
defer server.Close()
@@ -68,7 +68,7 @@ func TestClient_GetConfig_Success(t *testing.T) {
require.Equal(t, "/config/", r.URL.Path)
require.Equal(t, http.MethodGet, r.Method)
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(testConfig)
_ = json.NewEncoder(w).Encode(testConfig)
}))
defer server.Close()
@@ -112,7 +112,7 @@ func TestClient_Ping_CreateRequestFailure(t *testing.T) {
func TestClient_GetConfig_Failure(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusInternalServerError)
w.Write([]byte("internal error"))
_, _ = w.Write([]byte("internal error"))
}))
defer server.Close()
@@ -125,7 +125,7 @@ func TestClient_GetConfig_Failure(t *testing.T) {
func TestClient_GetConfig_InvalidJSON(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
w.Write([]byte("invalid json"))
_, _ = w.Write([]byte("invalid json"))
}))
defer server.Close()

14
backend/internal/caddy/config.go
View File

@@ -1193,11 +1193,12 @@ func buildWAFHandler(host *models.ProxyHost, rulesets []models.SecurityRuleSet,
// Second pass: select by priority if not already selected
if selected == nil {
if hostRulesetMatch != nil {
switch {
case hostRulesetMatch != nil:
selected = hostRulesetMatch
} else if appMatch != nil {
case appMatch != nil:
selected = appMatch
} else if owaspFallback != nil {
case owaspFallback != nil:
selected = owaspFallback
}
}
@@ -1427,12 +1428,13 @@ func buildSecurityHeadersHandler(host *models.ProxyHost) (Handler, error) {
// Use profile if configured
var cfg *models.SecurityHeaderProfile
if host.SecurityHeaderProfile != nil {
switch {
case host.SecurityHeaderProfile != nil:
cfg = host.SecurityHeaderProfile
} else if !host.SecurityHeadersEnabled {
case !host.SecurityHeadersEnabled:
// No profile and headers disabled - skip
return nil, nil
} else {
default:
// Use default secure headers
cfg = getDefaultSecurityHeaderProfile()
}

10
backend/internal/caddy/config_extra_test.go
View File

@@ -277,22 +277,22 @@ func TestGenerateConfig_SecurityPipeline_OmitWhenDisabled(t *testing.T) {
func TestGetAccessLogPath(t *testing.T) {
// Save and restore env vars
origEnv := os.Getenv("CHARON_ENV")
defer os.Setenv("CHARON_ENV", origEnv)
defer func() { _ = os.Setenv("CHARON_ENV", origEnv) }()
t.Run("CrowdSecEnabled_UsesStandardPath", func(t *testing.T) {
os.Setenv("CHARON_ENV", "development")
_ = os.Setenv("CHARON_ENV", "development")
path := getAccessLogPath("/data/caddy/data", true)
require.Equal(t, "/var/log/caddy/access.log", path)
})
t.Run("Production_UsesStandardPath", func(t *testing.T) {
os.Setenv("CHARON_ENV", "production")
_ = os.Setenv("CHARON_ENV", "production")
path := getAccessLogPath("/data/caddy/data", false)
require.Equal(t, "/var/log/caddy/access.log", path)
})
t.Run("Development_UsesRelativePath", func(t *testing.T) {
os.Setenv("CHARON_ENV", "development")
_ = os.Setenv("CHARON_ENV", "development")
path := getAccessLogPath("/data/caddy/data", false)
// Only in development without CrowdSec should it use relative path
// Note: This test may fail if /.dockerenv exists (e.g., running in CI container)
@@ -307,7 +307,7 @@ func TestGetAccessLogPath(t *testing.T) {
})
t.Run("NoEnv_CrowdSecEnabled_UsesStandardPath", func(t *testing.T) {
os.Unsetenv("CHARON_ENV")
_ = os.Unsetenv("CHARON_ENV")
path := getAccessLogPath("/tmp/caddy-data", true)
require.Equal(t, "/var/log/caddy/access.log", path)
})

6
backend/internal/caddy/config_patch_coverage_test.go
View File

@@ -235,14 +235,14 @@ func TestGenerateConfig_HTTPChallenge_ExcludesIPDomains(t *testing.T) {
}
func TestGetCrowdSecAPIKey_EnvPriority(t *testing.T) {
os.Unsetenv("CROWDSEC_API_KEY")
os.Unsetenv("CROWDSEC_BOUNCER_API_KEY")
_ = os.Unsetenv("CROWDSEC_API_KEY")
_ = os.Unsetenv("CROWDSEC_BOUNCER_API_KEY")
t.Setenv("CROWDSEC_BOUNCER_API_KEY", "bouncer")
t.Setenv("CROWDSEC_API_KEY", "primary")
require.Equal(t, "primary", getCrowdSecAPIKey())
os.Unsetenv("CROWDSEC_API_KEY")
_ = os.Unsetenv("CROWDSEC_API_KEY")
require.Equal(t, "bouncer", getCrowdSecAPIKey())
}

2
backend/internal/caddy/config_security_headers_test.go
View File

@@ -214,7 +214,7 @@ func TestBuildCSPString(t *testing.T) {
assert.NoError(t, err)
// CSP order can vary, so check parts exist
if tt.expected != "" {
parts := []string{}
var parts []string
if tt.expected == "default-src 'self'" {
parts = []string{"default-src 'self'"}
} else {

24
backend/internal/caddy/config_test.go
View File

@@ -562,15 +562,15 @@ func TestGetAccessLogPath_DockerEnv(t *testing.T) {
// Save original env
originalEnv := os.Getenv("CHARON_ENV")
defer os.Setenv("CHARON_ENV", originalEnv)
defer func() { _ = os.Setenv("CHARON_ENV", originalEnv) }()
// Set CHARON_ENV=production
os.Setenv("CHARON_ENV", "production")
_ = os.Setenv("CHARON_ENV", "production")
path := getAccessLogPath("/tmp/caddy-data", false)
require.Equal(t, "/var/log/caddy/access.log", path)
// Unset CHARON_ENV - should use development path
os.Unsetenv("CHARON_ENV")
_ = os.Unsetenv("CHARON_ENV")
path = getAccessLogPath("/tmp/storage/caddy/data", false)
require.Contains(t, path, "logs/access.log")
require.Contains(t, path, "/tmp/storage/logs/access.log")
@@ -582,14 +582,14 @@ func TestGetAccessLogPath_Development(t *testing.T) {
originalEnv := os.Getenv("CHARON_ENV")
defer func() {
if originalEnv != "" {
os.Setenv("CHARON_ENV", originalEnv)
_ = os.Setenv("CHARON_ENV", originalEnv)
} else {
os.Unsetenv("CHARON_ENV")
_ = os.Unsetenv("CHARON_ENV")
}
}()
// Clear CHARON_ENV to simulate dev environment
os.Unsetenv("CHARON_ENV")
_ = os.Unsetenv("CHARON_ENV")
// Test with typical dev path
storageDir := "/home/user/charon/data/caddy/data"
@@ -839,14 +839,14 @@ func TestGenerateConfig_WithCrowdSecApp(t *testing.T) {
originalAPIKey := os.Getenv("CROWDSEC_API_KEY")
defer func() {
if originalAPIKey != "" {
os.Setenv("CROWDSEC_API_KEY", originalAPIKey)
_ = os.Setenv("CROWDSEC_API_KEY", originalAPIKey)
} else {
os.Unsetenv("CROWDSEC_API_KEY")
_ = os.Unsetenv("CROWDSEC_API_KEY")
}
}()
// Set test API key
os.Setenv("CROWDSEC_API_KEY", "test-api-key-12345")
_ = os.Setenv("CROWDSEC_API_KEY", "test-api-key-12345")
config, err := GenerateConfig(hosts, "/tmp/caddy-data", "admin@example.com", "", "", false, true, false, false, false, "", nil, nil, nil, secCfg, nil)
require.NoError(t, err)
@@ -1791,14 +1791,14 @@ func TestGetCrowdSecAPIKey(t *testing.T) {
envVars := []string{"CROWDSEC_API_KEY", "CROWDSEC_BOUNCER_API_KEY", "CERBERUS_SECURITY_CROWDSEC_API_KEY", "CHARON_SECURITY_CROWDSEC_API_KEY", "CPM_SECURITY_CROWDSEC_API_KEY"}
for _, v := range envVars {
origVars[v] = os.Getenv(v)
os.Unsetenv(v)
_ = os.Unsetenv(v)
}
defer func() {
for k, v := range origVars {
if v != "" {
os.Setenv(k, v)
} else {
os.Unsetenv(k)
_ = os.Unsetenv(k)
}
}
}()
@@ -1813,7 +1813,7 @@ func TestGetCrowdSecAPIKey(t *testing.T) {
require.Equal(t, "primary-key", result)
// Test fallback priority
os.Unsetenv("CROWDSEC_API_KEY")
_ = os.Unsetenv("CROWDSEC_API_KEY")
os.Setenv("CROWDSEC_BOUNCER_API_KEY", "bouncer-key")
result = getCrowdSecAPIKey()
require.Equal(t, "bouncer-key", result)

12
backend/internal/caddy/importer_extra_test.go
View File

@@ -135,7 +135,7 @@ func TestBackupCaddyfile_Success(t *testing.T) {
tmp := t.TempDir()
originalFile := filepath.Join(tmp, "Caddyfile")
data := []byte("original-data")
os.WriteFile(originalFile, data, 0o644)
_ = os.WriteFile(originalFile, data, 0o644)
backupDir := filepath.Join(tmp, "backup")
path, err := BackupCaddyfile(originalFile, backupDir)
require.NoError(t, err)
@@ -195,10 +195,10 @@ func TestImporter_ExtractHosts_DuplicateHost(t *testing.T) {
func TestBackupCaddyfile_WriteFailure(t *testing.T) {
tmp := t.TempDir()
originalFile := filepath.Join(tmp, "Caddyfile")
os.WriteFile(originalFile, []byte("original"), 0o644)
_ = os.WriteFile(originalFile, []byte("original"), 0o644)
// Create backup dir and make it readonly to prevent writing (best-effort)
backupDir := filepath.Join(tmp, "backup")
os.MkdirAll(backupDir, 0o555)
_ = os.MkdirAll(backupDir, 0o555)
_, err := BackupCaddyfile(originalFile, backupDir)
// Might error due to write permission; accept both success or failure depending on platform
if err != nil {
@@ -357,14 +357,14 @@ func TestImporter_ExtractHosts_ForceSplitFallback_PartsSscanfFail(t *testing.T)
func TestBackupCaddyfile_WriteErrorDeterministic(t *testing.T) {
tmp := t.TempDir()
originalFile := filepath.Join(tmp, "Caddyfile")
os.WriteFile(originalFile, []byte("original-data"), 0o644)
_ = os.WriteFile(originalFile, []byte("original-data"), 0o644)
backupDir := filepath.Join(tmp, "backup")
os.MkdirAll(backupDir, 0o755)
_ = os.MkdirAll(backupDir, 0o755)
// Determine backup path name the function will use
pid := fmt.Sprintf("%d", os.Getpid())
// Pre-create a directory at the exact backup path to ensure write fails with EISDIR
path := filepath.Join(backupDir, fmt.Sprintf("Caddyfile.%s.backup", pid))
os.Mkdir(path, 0o755)
_ = os.Mkdir(path, 0o755)
_, err := BackupCaddyfile(originalFile, backupDir)
require.Error(t, err)
}

86
backend/internal/caddy/manager_additional_test.go
View File

@@ -49,7 +49,7 @@ func TestManager_Rollback_UnmarshalError(t *testing.T) {
tmp := t.TempDir()
// Write a non-JSON file with .json extension
p := filepath.Join(tmp, "config-123.json")
os.WriteFile(p, []byte("not json"), 0o644)
_ = os.WriteFile(p, []byte("not json"), 0o644)
manager := NewManager(nil, nil, tmp, "", false, config.SecurityConfig{})
// Reader error should happen before client.Load
err := manager.rollback(context.Background())
@@ -61,7 +61,7 @@ func TestManager_Rollback_LoadSnapshotFail(t *testing.T) {
// Create a valid JSON file and set client to return error for /load
tmp := t.TempDir()
p := filepath.Join(tmp, "config-123.json")
os.WriteFile(p, []byte(`{"apps":{"http":{}}}`), 0o644)
_ = os.WriteFile(p, []byte(`{"apps":{"http":{}}}`), 0o644)
// Mock client that returns error on Load
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -84,7 +84,7 @@ func TestManager_SaveSnapshot_WriteError(t *testing.T) {
// Create a file at path to use as configDir, so writes fail
tmp := t.TempDir()
notDir := filepath.Join(tmp, "file-not-dir")
os.WriteFile(notDir, []byte("data"), 0o644)
_ = os.WriteFile(notDir, []byte("data"), 0o644)
manager := NewManager(nil, nil, notDir, "", false, config.SecurityConfig{})
_, err := manager.saveSnapshot(&Config{})
assert.Error(t, err)
@@ -94,10 +94,10 @@ func TestManager_SaveSnapshot_WriteError(t *testing.T) {
func TestBackupCaddyfile_MkdirAllFailure(t *testing.T) {
tmp := t.TempDir()
originalFile := filepath.Join(tmp, "Caddyfile")
os.WriteFile(originalFile, []byte("original"), 0o644)
_ = os.WriteFile(originalFile, []byte("original"), 0o644)
// Create a file where the backup dir should be to cause MkdirAll to fail
badDir := filepath.Join(tmp, "notadir")
os.WriteFile(badDir, []byte("data"), 0o644)
_ = os.WriteFile(badDir, []byte("data"), 0o644)
_, err := BackupCaddyfile(originalFile, badDir)
assert.Error(t, err)
@@ -123,7 +123,7 @@ func TestManager_ApplyConfig_WithSettings(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -178,9 +178,9 @@ func TestManager_RotateSnapshots_DeletesOld(t *testing.T) {
for i := 1; i <= 5; i++ {
name := fmt.Sprintf("config-%d.json", i)
p := filepath.Join(tmp, name)
os.WriteFile(p, []byte("{}"), 0o644)
_ = os.WriteFile(p, []byte("{}"), 0o644)
// tweak mod time
os.Chtimes(p, time.Now().Add(time.Duration(i)*time.Second), time.Now().Add(time.Duration(i)*time.Second))
_ = os.Chtimes(p, time.Now().Add(time.Duration(i)*time.Second), time.Now().Add(time.Duration(i)*time.Second))
}
manager := NewManager(nil, nil, tmp, "", false, config.SecurityConfig{})
@@ -208,7 +208,7 @@ func TestManager_ApplyConfig_RotateSnapshotsWarning(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -230,10 +230,10 @@ func TestManager_ApplyConfig_RotateSnapshotsWarning(t *testing.T) {
// Create snapshot files: make the oldest a non-empty directory to force delete error;
// generate 11 snapshots so rotateSnapshots(10) will attempt to delete 1
d1 := filepath.Join(tmp, "config-1.json")
os.MkdirAll(d1, 0o755)
os.WriteFile(filepath.Join(d1, "inner"), []byte("x"), 0o644) // non-empty
_ = os.MkdirAll(d1, 0o755)
_ = os.WriteFile(filepath.Join(d1, "inner"), []byte("x"), 0o644) // non-empty
for i := 2; i <= 11; i++ {
os.WriteFile(filepath.Join(tmp, fmt.Sprintf("config-%d.json", i)), []byte("{}"), 0o644)
_ = os.WriteFile(filepath.Join(tmp, fmt.Sprintf("config-%d.json", i)), []byte("{}"), 0o644)
}
// Set modification times to ensure config-1.json is oldest
for i := 1; i <= 11; i++ {
@@ -242,7 +242,7 @@ func TestManager_ApplyConfig_RotateSnapshotsWarning(t *testing.T) {
p = d1
}
tmo := time.Now().Add(time.Duration(-i) * time.Minute)
os.Chtimes(p, tmo, tmo)
_ = os.Chtimes(p, tmo, tmo)
}
client := NewClientWithExpectedPort(caddyServer.URL, expectedPortFromURL(t, caddyServer.URL))
@@ -263,7 +263,7 @@ func TestManager_ApplyConfig_LoadFailsAndRollbackFails(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -298,7 +298,7 @@ func TestManager_ApplyConfig_SaveSnapshotFails(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -318,7 +318,7 @@ func TestManager_ApplyConfig_SaveSnapshotFails(t *testing.T) {
// Create a file where configDir should be to cause saveSnapshot to fail
tmp := t.TempDir()
filePath := filepath.Join(tmp, "file-not-dir")
os.WriteFile(filePath, []byte("data"), 0o644)
_ = os.WriteFile(filePath, []byte("data"), 0o644)
client := newTestClient(t, caddyServer.URL)
manager := NewManager(client, db, filePath, "", false, config.SecurityConfig{})
@@ -343,7 +343,7 @@ func TestManager_ApplyConfig_LoadFailsThenRollbackSucceeds(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -387,8 +387,8 @@ func TestManager_RotateSnapshots_DeleteError(t *testing.T) {
// Create three files to remove one
for i := 1; i <= 3; i++ {
p := filepath.Join(tmp, fmt.Sprintf("config-%d.json", i))
os.WriteFile(p, []byte("{}"), 0o644)
os.Chtimes(p, time.Now().Add(time.Duration(i)*time.Second), time.Now().Add(time.Duration(i)*time.Second))
_ = os.WriteFile(p, []byte("{}"), 0o644)
_ = os.Chtimes(p, time.Now().Add(time.Duration(i)*time.Second), time.Now().Add(time.Duration(i)*time.Second))
}
manager := NewManager(nil, nil, tmp, "", false, config.SecurityConfig{})
@@ -496,7 +496,7 @@ func TestManager_ApplyConfig_ValidateFails(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -516,7 +516,7 @@ func TestManager_Rollback_ReadFileError(t *testing.T) {
manager := NewManager(nil, nil, tmp, "", false, config.SecurityConfig{})
// Create snapshot entries via write
p := filepath.Join(tmp, "config-123.json")
os.WriteFile(p, []byte(`{"apps":{"http":{}}}`), 0o644)
_ = os.WriteFile(p, []byte(`{"apps":{"http":{}}}`), 0o644)
// Stub readFileFunc to return error
origRead := readFileFunc
readFileFunc = func(p string) ([]byte, error) { return nil, fmt.Errorf("read error") }
@@ -544,7 +544,7 @@ func TestManager_ApplyConfig_RotateSnapshotsWarning_Stderr(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -587,7 +587,7 @@ func TestManager_ApplyConfig_PassesAdminWhitelistToGenerateConfig(t *testing.T)
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -638,7 +638,7 @@ func TestManager_ApplyConfig_PassesRuleSetsToGenerateConfig(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -691,7 +691,7 @@ func TestManager_ApplyConfig_IncludesWAFHandlerWithRuleset(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -787,7 +787,7 @@ func TestManager_ApplyConfig_RulesetWriteFileFailure(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -825,7 +825,7 @@ func TestManager_ApplyConfig_RulesetDirMkdirFailure(t *testing.T) {
tmp := t.TempDir()
// Create a file at tmp/coraza to cause MkdirAll on tmp/coraza/rulesets to fail
corazaFile := filepath.Join(tmp, "coraza")
os.WriteFile(corazaFile, []byte("not a dir"), 0o644)
_ = os.WriteFile(corazaFile, []byte("not a dir"), 0o644)
dsn := fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name()+"rulesets-mkdirfail")
db, err := gorm.Open(sqlite.Open(dsn), &gorm.Config{})
@@ -847,7 +847,7 @@ func TestManager_ApplyConfig_RulesetDirMkdirFailure(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -1041,7 +1041,7 @@ func TestManager_ApplyConfig_PrependsSecRuleEngineDirectives(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{"apps":{"http":{}}}`))
_, _ = w.Write([]byte(`{"apps":{"http":{}}}`))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -1100,7 +1100,7 @@ SecRule REQUEST_BODY "<script>" "id:12345,phase:2,deny,status:403,msg:'XSS block
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{"apps":{"http":{}}}`))
_, _ = w.Write([]byte(`{"apps":{"http":{}}}`))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -1151,7 +1151,7 @@ func TestManager_ApplyConfig_DebugMarshalFailure(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{"apps":{"http":{}}}`))
_, _ = w.Write([]byte(`{"apps":{"http":{}}}`))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -1197,7 +1197,7 @@ func TestManager_ApplyConfig_WAFModeMonitorUsesDetectionOnly(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{"apps":{"http":{}}}`))
_, _ = w.Write([]byte(`{"apps":{"http":{}}}`))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -1252,7 +1252,7 @@ func TestManager_ApplyConfig_PerRulesetModeOverride(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{"apps":{"http":{}}}`))
_, _ = w.Write([]byte(`{"apps":{"http":{}}}`))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -1298,13 +1298,13 @@ func TestManager_ApplyConfig_RulesetFileCleanup(t *testing.T) {
// Create a stale file in the coraza rulesets dir
corazaDir := filepath.Join(tmp, "coraza", "rulesets")
os.MkdirAll(corazaDir, 0o755)
_ = os.MkdirAll(corazaDir, 0o755)
staleFile := filepath.Join(corazaDir, "stale-ruleset.conf")
os.WriteFile(staleFile, []byte("old content"), 0o644)
_ = os.WriteFile(staleFile, []byte("old content"), 0o644)
// Create a subdirectory that should be skipped during cleanup (not deleted)
subDir := filepath.Join(corazaDir, "subdir")
os.MkdirAll(subDir, 0o755)
_ = os.MkdirAll(subDir, 0o755)
caddyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/load" && r.Method == http.MethodPost {
@@ -1313,7 +1313,7 @@ func TestManager_ApplyConfig_RulesetFileCleanup(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{"apps":{"http":{}}}`))
_, _ = w.Write([]byte(`{"apps":{"http":{}}}`))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -1367,7 +1367,7 @@ func TestManager_ApplyConfig_RulesetCleanupReadDirError(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{"apps":{"http":{}}}`))
_, _ = w.Write([]byte(`{"apps":{"http":{}}}`))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -1407,9 +1407,9 @@ func TestManager_ApplyConfig_RulesetCleanupRemoveError(t *testing.T) {
// Create stale file
corazaDir := filepath.Join(tmp, "coraza", "rulesets")
os.MkdirAll(corazaDir, 0o755)
_ = os.MkdirAll(corazaDir, 0o755)
staleFile := filepath.Join(corazaDir, "stale.conf")
os.WriteFile(staleFile, []byte("old"), 0o644)
_ = os.WriteFile(staleFile, []byte("old"), 0o644)
caddyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/load" && r.Method == http.MethodPost {
@@ -1418,7 +1418,7 @@ func TestManager_ApplyConfig_RulesetCleanupRemoveError(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{"apps":{"http":{}}}`))
_, _ = w.Write([]byte(`{"apps":{"http":{}}}`))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -1464,7 +1464,7 @@ func TestManager_ApplyConfig_WAFModeBlockExplicit(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{"apps":{"http":{}}}`))
_, _ = w.Write([]byte(`{"apps":{"http":{}}}`))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -1519,7 +1519,7 @@ func TestManager_ApplyConfig_RulesetNamePathTraversal(t *testing.T) {
}
if r.URL.Path == "/config/" && r.Method == http.MethodGet {
w.WriteHeader(http.StatusOK)
w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
_, _ = w.Write([]byte("{" + "\"apps\":{\"http\":{}}}"))
return
}
w.WriteHeader(http.StatusNotFound)

2
backend/internal/caddy/manager_helpers_test.go
View File

@@ -168,7 +168,7 @@ func TestGetCredentialForDomain_NoEncryptionKey(t *testing.T) {
origKeys := map[string]string{}
for _, key := range []string{"CHARON_ENCRYPTION_KEY", "ENCRYPTION_KEY", "CERBERUS_ENCRYPTION_KEY"} {
origKeys[key] = os.Getenv(key)
os.Unsetenv(key)
_ = os.Unsetenv(key)
}
defer func() {
for key, val := range origKeys {

5
backend/internal/caddy/manager_multicred_integration_test.go
View File

@@ -226,9 +226,10 @@ func TestApplyConfig_MultiCredential_ExactMatch(t *testing.T) {
var comPolicy, orgPolicy *AutomationPolicy
for _, policy := range policies {
if len(policy.Subjects) > 0 {
if policy.Subjects[0] == "*.example.com" {
switch policy.Subjects[0] {
case "*.example.com":
comPolicy = policy
} else if policy.Subjects[0] == "*.example.org" {
case "*.example.org":
orgPolicy = policy
}
}

10
backend/internal/caddy/manager_test.go
View File

@@ -130,7 +130,7 @@ func TestManager_GetCurrentConfig(t *testing.T) {
caddyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/config/" && r.Method == "GET" {
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{"apps": {"http": {}}}`))
_, _ = w.Write([]byte(`{"apps": {"http": {}}}`))
return
}
w.WriteHeader(http.StatusNotFound)
@@ -171,7 +171,7 @@ func TestManager_RotateSnapshots(t *testing.T) {
ts := time.Now().Add(-time.Duration(i+1) * time.Minute).Unix()
fname := fmt.Sprintf("config-%d.json", ts)
f, _ := os.Create(filepath.Join(tmpDir, fname))
f.Close()
_ = f.Close()
}
// Call ApplyConfig once
@@ -272,7 +272,7 @@ func TestManager_ApplyConfig_DBError(t *testing.T) {
// Close DB to force error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
err = manager.ApplyConfig(context.Background())
assert.Error(t, err)
@@ -289,7 +289,7 @@ func TestManager_ApplyConfig_ValidationError(t *testing.T) {
// Setup Manager with a file as configDir to force saveSnapshot error
tmpDir := t.TempDir()
configDir := filepath.Join(tmpDir, "config-file")
os.WriteFile(configDir, []byte("not a dir"), 0o644)
_ = os.WriteFile(configDir, []byte("not a dir"), 0o644)
client := NewClient("http://localhost")
manager := NewManager(client, db, configDir, "", false, config.SecurityConfig{})
@@ -325,7 +325,7 @@ func TestManager_Rollback_Failure(t *testing.T) {
manager := NewManager(client, db, tmpDir, "", false, config.SecurityConfig{})
// Create a dummy snapshot manually so rollback has something to try
os.WriteFile(filepath.Join(tmpDir, "config-123.json"), []byte("{}"), 0o644)
_ = os.WriteFile(filepath.Join(tmpDir, "config-123.json"), []byte("{}"), 0o644)
// Apply Config - will fail, try rollback, rollback will fail
err = manager.ApplyConfig(context.Background())

70
backend/internal/config/config_test.go
View File

@@ -12,14 +12,14 @@ import (
func TestLoad(t *testing.T) {
// Save original env vars
originalEnv := os.Getenv("CPM_ENV")
defer os.Setenv("CPM_ENV", originalEnv)
defer func() { _ = os.Setenv("CPM_ENV", originalEnv) }()
// Set test env vars
os.Setenv("CPM_ENV", "test")
_ = os.Setenv("CPM_ENV", "test")
tempDir := t.TempDir()
os.Setenv("CPM_DB_PATH", filepath.Join(tempDir, "test.db"))
os.Setenv("CPM_CADDY_CONFIG_DIR", filepath.Join(tempDir, "caddy"))
os.Setenv("CPM_IMPORT_DIR", filepath.Join(tempDir, "imports"))
_ = os.Setenv("CPM_DB_PATH", filepath.Join(tempDir, "test.db"))
_ = os.Setenv("CPM_CADDY_CONFIG_DIR", filepath.Join(tempDir, "caddy"))
_ = os.Setenv("CPM_IMPORT_DIR", filepath.Join(tempDir, "imports"))
cfg, err := Load()
require.NoError(t, err)
@@ -33,13 +33,13 @@ func TestLoad(t *testing.T) {
func TestLoad_Defaults(t *testing.T) {
// Clear env vars to test defaults
os.Unsetenv("CPM_ENV")
os.Unsetenv("CPM_HTTP_PORT")
_ = os.Unsetenv("CPM_ENV")
_ = os.Unsetenv("CPM_HTTP_PORT")
// We need to set paths to a temp dir to avoid creating real dirs in test
tempDir := t.TempDir()
os.Setenv("CPM_DB_PATH", filepath.Join(tempDir, "default.db"))
os.Setenv("CPM_CADDY_CONFIG_DIR", filepath.Join(tempDir, "caddy_default"))
os.Setenv("CPM_IMPORT_DIR", filepath.Join(tempDir, "imports_default"))
_ = os.Setenv("CPM_DB_PATH", filepath.Join(tempDir, "default.db"))
_ = os.Setenv("CPM_CADDY_CONFIG_DIR", filepath.Join(tempDir, "caddy_default"))
_ = os.Setenv("CPM_IMPORT_DIR", filepath.Join(tempDir, "imports_default"))
cfg, err := Load()
require.NoError(t, err)
@@ -53,8 +53,8 @@ func TestLoad_CharonPrefersOverCPM(t *testing.T) {
tempDir := t.TempDir()
charonDB := filepath.Join(tempDir, "charon.db")
cpmDB := filepath.Join(tempDir, "cpm.db")
os.Setenv("CHARON_DB_PATH", charonDB)
os.Setenv("CPM_DB_PATH", cpmDB)
_ = os.Setenv("CHARON_DB_PATH", charonDB)
_ = os.Setenv("CPM_DB_PATH", cpmDB)
cfg, err := Load()
require.NoError(t, err)
@@ -66,21 +66,21 @@ func TestLoad_Error(t *testing.T) {
filePath := filepath.Join(tempDir, "file")
f, err := os.Create(filePath)
require.NoError(t, err)
f.Close()
_ = f.Close()
// Case 1: CaddyConfigDir is a file
os.Setenv("CPM_CADDY_CONFIG_DIR", filePath)
_ = os.Setenv("CPM_CADDY_CONFIG_DIR", filePath)
// Set other paths to valid locations to isolate the error
os.Setenv("CPM_DB_PATH", filepath.Join(tempDir, "db", "test.db"))
os.Setenv("CPM_IMPORT_DIR", filepath.Join(tempDir, "imports"))
_ = os.Setenv("CPM_DB_PATH", filepath.Join(tempDir, "db", "test.db"))
_ = os.Setenv("CPM_IMPORT_DIR", filepath.Join(tempDir, "imports"))
_, err = Load()
assert.Error(t, err)
assert.Contains(t, err.Error(), "ensure caddy config directory")
// Case 2: ImportDir is a file
os.Setenv("CPM_CADDY_CONFIG_DIR", filepath.Join(tempDir, "caddy"))
os.Setenv("CPM_IMPORT_DIR", filePath)
_ = os.Setenv("CPM_CADDY_CONFIG_DIR", filepath.Join(tempDir, "caddy"))
_ = os.Setenv("CPM_IMPORT_DIR", filePath)
_, err = Load()
assert.Error(t, err)
@@ -93,32 +93,32 @@ func TestGetEnvAny(t *testing.T) {
assert.Equal(t, "fallback_value", result)
// Test with first key set
os.Setenv("TEST_KEY1", "value1")
defer os.Unsetenv("TEST_KEY1")
_ = os.Setenv("TEST_KEY1", "value1")
defer func() { _ = os.Unsetenv("TEST_KEY1") }()
result = getEnvAny("fallback", "TEST_KEY1", "TEST_KEY2")
assert.Equal(t, "value1", result)
// Test with second key set (first takes precedence)
os.Setenv("TEST_KEY2", "value2")
defer os.Unsetenv("TEST_KEY2")
_ = os.Setenv("TEST_KEY2", "value2")
defer func() { _ = os.Unsetenv("TEST_KEY2") }()
result = getEnvAny("fallback", "TEST_KEY1", "TEST_KEY2")
assert.Equal(t, "value1", result)
// Test with only second key set
os.Unsetenv("TEST_KEY1")
_ = os.Unsetenv("TEST_KEY1")
result = getEnvAny("fallback", "TEST_KEY1", "TEST_KEY2")
assert.Equal(t, "value2", result)
// Test with empty string value (should still be considered set)
os.Setenv("TEST_KEY3", "")
defer os.Unsetenv("TEST_KEY3")
_ = os.Setenv("TEST_KEY3", "")
defer func() { _ = os.Unsetenv("TEST_KEY3") }()
result = getEnvAny("fallback", "TEST_KEY3")
assert.Equal(t, "fallback", result) // Empty strings are treated as not set
}
func TestLoad_SecurityConfig(t *testing.T) {
tempDir := t.TempDir()
os.Setenv("CHARON_DB_PATH", filepath.Join(tempDir, "test.db"))
_ = os.Setenv("CHARON_DB_PATH", filepath.Join(tempDir, "test.db"))
os.Setenv("CHARON_CADDY_CONFIG_DIR", filepath.Join(tempDir, "caddy"))
os.Setenv("CHARON_IMPORT_DIR", filepath.Join(tempDir, "imports"))
@@ -127,9 +127,9 @@ func TestLoad_SecurityConfig(t *testing.T) {
os.Setenv("CERBERUS_SECURITY_WAF_MODE", "enabled")
os.Setenv("CERBERUS_SECURITY_CERBERUS_ENABLED", "true")
defer func() {
os.Unsetenv("CERBERUS_SECURITY_CROWDSEC_MODE")
os.Unsetenv("CERBERUS_SECURITY_WAF_MODE")
os.Unsetenv("CERBERUS_SECURITY_CERBERUS_ENABLED")
_ = os.Unsetenv("CERBERUS_SECURITY_CROWDSEC_MODE")
_ = os.Unsetenv("CERBERUS_SECURITY_WAF_MODE")
_ = os.Unsetenv("CERBERUS_SECURITY_CERBERUS_ENABLED")
}()
cfg, err := Load()
@@ -147,16 +147,16 @@ func TestLoad_DatabasePathError(t *testing.T) {
blockingFile := filepath.Join(tempDir, "blocking")
f, err := os.Create(blockingFile)
require.NoError(t, err)
f.Close()
_ = f.Close()
// Try to use a path that requires creating a dir inside the blocking file
os.Setenv("CHARON_DB_PATH", filepath.Join(blockingFile, "data", "test.db"))
os.Setenv("CHARON_CADDY_CONFIG_DIR", filepath.Join(tempDir, "caddy"))
os.Setenv("CHARON_IMPORT_DIR", filepath.Join(tempDir, "imports"))
defer func() {
os.Unsetenv("CHARON_DB_PATH")
os.Unsetenv("CHARON_CADDY_CONFIG_DIR")
os.Unsetenv("CHARON_IMPORT_DIR")
_ = os.Unsetenv("CHARON_DB_PATH")
_ = os.Unsetenv("CHARON_CADDY_CONFIG_DIR")
_ = os.Unsetenv("CHARON_IMPORT_DIR")
}()
_, err = Load()
@@ -172,7 +172,7 @@ func TestLoad_ACMEStaging(t *testing.T) {
// Test ACME staging enabled
os.Setenv("CHARON_ACME_STAGING", "true")
defer os.Unsetenv("CHARON_ACME_STAGING")
defer func() { _ = os.Unsetenv("CHARON_ACME_STAGING") }()
cfg, err := Load()
require.NoError(t, err)
@@ -193,7 +193,7 @@ func TestLoad_DebugMode(t *testing.T) {
// Test debug mode enabled
os.Setenv("CHARON_DEBUG", "true")
defer os.Unsetenv("CHARON_DEBUG")
defer func() { _ = os.Unsetenv("CHARON_DEBUG") }()
cfg, err := Load()
require.NoError(t, err)

2
backend/internal/crowdsec/device_busy_test.go
View File

@@ -30,7 +30,7 @@ func TestApplyWithOpenFileHandles(t *testing.T) {
// This would cause os.Rename to fail with "device or resource busy" on some systems
f, err := os.Open(cacheFile)
require.NoError(t, err)
defer f.Close()
defer func() { _ = f.Close() }()
// Create and cache a preset
archive := makeTarGz(t, map[string]string{"new/preset.yaml": "new: preset"})

4
backend/internal/crypto/encryption_test.go
View File

@@ -444,7 +444,9 @@ func TestDecrypt_AppendedData(t *testing.T) {
// Decode and append extra data
ciphertextBytes, _ := base64.StdEncoding.DecodeString(ciphertext)
appendedBytes := append(ciphertextBytes, []byte("extra garbage")...)
appendedBytes := make([]byte, len(ciphertextBytes)+len("extra garbage"))
copy(appendedBytes, ciphertextBytes)
copy(appendedBytes[len(ciphertextBytes):], "extra garbage")
appendedCiphertext := base64.StdEncoding.EncodeToString(appendedBytes)
// Attempt to decrypt with appended data

24
backend/internal/crypto/rotation_service_test.go
View File

@@ -37,8 +37,8 @@ func setupTestKeys(t *testing.T) (currentKey, nextKey, legacyKey string) {
legacyKey, err = GenerateNewKey()
require.NoError(t, err)
os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
t.Cleanup(func() { os.Unsetenv("CHARON_ENCRYPTION_KEY") })
_ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
t.Cleanup(func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY") })
return currentKey, nextKey, legacyKey
}
@@ -58,8 +58,8 @@ func TestNewRotationService(t *testing.T) {
t.Run("successful initialization with next key", func(t *testing.T) {
_, nextKey, _ := setupTestKeys(t)
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
_ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT") }()
rs, err := NewRotationService(db)
assert.NoError(t, err)
@@ -69,8 +69,8 @@ func TestNewRotationService(t *testing.T) {
t.Run("successful initialization with legacy keys", func(t *testing.T) {
_, _, legacyKey := setupTestKeys(t)
os.Setenv("CHARON_ENCRYPTION_KEY_V1", legacyKey)
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_V1")
_ = os.Setenv("CHARON_ENCRYPTION_KEY_V1", legacyKey)
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY_V1") }()
rs, err := NewRotationService(db)
assert.NoError(t, err)
@@ -80,8 +80,8 @@ func TestNewRotationService(t *testing.T) {
})
t.Run("fails without current key", func(t *testing.T) {
os.Unsetenv("CHARON_ENCRYPTION_KEY")
defer os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
_ = os.Unsetenv("CHARON_ENCRYPTION_KEY")
defer func() { _ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey) }()
rs, err := NewRotationService(db)
assert.Error(t, err)
@@ -90,8 +90,8 @@ func TestNewRotationService(t *testing.T) {
})
t.Run("handles invalid next key gracefully", func(t *testing.T) {
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", "invalid_base64")
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
_ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", "invalid_base64")
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT") }()
rs, err := NewRotationService(db)
assert.Error(t, err)
@@ -117,8 +117,8 @@ func TestEncryptWithCurrentKey(t *testing.T) {
t.Run("encrypts with next key when configured", func(t *testing.T) {
_, nextKey, _ := setupTestKeys(t)
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
_ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT") }()
rs, err := NewRotationService(db)
require.NoError(t, err)

6
backend/internal/database/database_test.go
View File

@@ -85,7 +85,7 @@ func TestConnect_IntegrityCheckCorrupted(t *testing.T) {
// Close the database
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
// Corrupt the database file by overwriting with invalid data
// We'll overwrite the middle of the file to corrupt it
@@ -151,7 +151,7 @@ func TestConnect_CorruptedDatabase_FullIntegrationScenario(t *testing.T) {
// Close database
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
// Corrupt the database
corruptDB(t, dbPath)
@@ -180,7 +180,7 @@ func corruptDB(t *testing.T, dbPath string) {
// Open and corrupt file
f, err := os.OpenFile(dbPath, os.O_RDWR, 0o644)
require.NoError(t, err)
defer f.Close()
defer func() { _ = f.Close() }()
// Get file size
stat, err := f.Stat()

6
backend/internal/database/errors_test.go
View File

@@ -181,7 +181,7 @@ func TestCheckIntegrity_ActualCorruption(t *testing.T) {
// Close connection
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
// Corrupt the database file
f, err := os.OpenFile(dbPath, os.O_RDWR, 0o644)
@@ -193,7 +193,7 @@ func TestCheckIntegrity_ActualCorruption(t *testing.T) {
_, err = f.WriteAt([]byte("CORRUPTED_DATA"), stat.Size()/2)
require.NoError(t, err)
}
f.Close()
_ = f.Close()
// Reconnect
db2, err := Connect(dbPath)
@@ -227,7 +227,7 @@ func TestCheckIntegrity_PRAGMAError(t *testing.T) {
// Close the underlying SQL connection
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
// Now CheckIntegrity should fail because connection is closed
ok, message := CheckIntegrity(db)

2
backend/internal/models/domain_test.go
View File

@@ -11,7 +11,7 @@ import (
func TestDomain_BeforeCreate(t *testing.T) {
db, err := gorm.Open(sqlite.Open("file::memory:?cache=shared"), &gorm.Config{})
assert.NoError(t, err)
db.AutoMigrate(&Domain{})
_ = db.AutoMigrate(&Domain{})
// Case 1: UUID is empty, should be generated
d1 := &Domain{Name: "example.com"}

96
backend/internal/models/manual_challenge.go Normal file
View File

@@ -0,0 +1,96 @@
// Package models defines the database schema and domain types.
package models
import (
"time"
)
// ChallengeStatus represents the state of a manual DNS challenge.
type ChallengeStatus string
const (
// ChallengeStatusCreated indicates the challenge has been created but not yet processed.
ChallengeStatusCreated ChallengeStatus = "created"
// ChallengeStatusPending indicates the challenge is waiting for DNS propagation.
ChallengeStatusPending ChallengeStatus = "pending"
// ChallengeStatusVerifying indicates DNS record was found, verification in progress.
ChallengeStatusVerifying ChallengeStatus = "verifying"
// ChallengeStatusVerified indicates the challenge was successfully verified.
ChallengeStatusVerified ChallengeStatus = "verified"
// ChallengeStatusExpired indicates the challenge timed out.
ChallengeStatusExpired ChallengeStatus = "expired"
// ChallengeStatusFailed indicates the challenge failed.
ChallengeStatusFailed ChallengeStatus = "failed"
)
// ManualChallenge represents a manual DNS challenge for ACME DNS-01 validation.
// Users manually create the required TXT record at their DNS provider.
type ManualChallenge struct {
// ID is the primary key (UUIDv4, cryptographically random).
ID string `json:"id" gorm:"primaryKey;size:36"`
// ProviderID is the foreign key to the DNS provider.
ProviderID uint `json:"provider_id" gorm:"index;not null"`
// UserID is the foreign key for ownership validation.
UserID uint `json:"user_id" gorm:"index;not null"`
// FQDN is the fully qualified domain name for the TXT record.
// Example: "_acme-challenge.example.com"
FQDN string `json:"fqdn" gorm:"index;not null;size:255"`
// Token is the ACME challenge token (for identification).
Token string `json:"token" gorm:"size:255"`
// Value is the TXT record value that must be created.
Value string `json:"value" gorm:"not null;size:255"`
// Status is the current state of the challenge.
Status ChallengeStatus `json:"status" gorm:"index;not null;size:20;default:'created'"`
// ErrorMessage stores any error message if the challenge failed.
ErrorMessage string `json:"error_message,omitempty" gorm:"type:text"`
// DNSPropagated indicates if the DNS record has been detected.
DNSPropagated bool `json:"dns_propagated" gorm:"default:false"`
// CreatedAt is when the challenge was created.
CreatedAt time.Time `json:"created_at"`
// ExpiresAt is when the challenge will expire.
ExpiresAt time.Time `json:"expires_at" gorm:"index"`
// LastCheckAt is when DNS was last checked for propagation.
LastCheckAt *time.Time `json:"last_check_at,omitempty"`
// VerifiedAt is when the challenge was successfully verified.
VerifiedAt *time.Time `json:"verified_at,omitempty"`
}
// TableName specifies the database table name.
func (ManualChallenge) TableName() string {
return "manual_challenges"
}
// IsTerminal returns true if the challenge is in a terminal state.
func (c *ManualChallenge) IsTerminal() bool {
return c.Status == ChallengeStatusVerified ||
c.Status == ChallengeStatusExpired ||
c.Status == ChallengeStatusFailed
}
// IsActive returns true if the challenge is in an active state.
func (c *ManualChallenge) IsActive() bool {
return c.Status == ChallengeStatusCreated ||
c.Status == ChallengeStatusPending ||
c.Status == ChallengeStatusVerifying
}
// TimeRemaining returns the duration until the challenge expires.
func (c *ManualChallenge) TimeRemaining() time.Duration {
remaining := time.Until(c.ExpiresAt)
if remaining < 0 {
return 0
}
return remaining
}

159
backend/internal/models/manual_challenge_test.go Normal file
View File

@@ -0,0 +1,159 @@
package models
import (
"testing"
"time"
"github.com/stretchr/testify/assert"
)
func TestChallengeStatus_Constants(t *testing.T) {
// Verify all expected status values exist
assert.Equal(t, ChallengeStatus("created"), ChallengeStatusCreated)
assert.Equal(t, ChallengeStatus("pending"), ChallengeStatusPending)
assert.Equal(t, ChallengeStatus("verifying"), ChallengeStatusVerifying)
assert.Equal(t, ChallengeStatus("verified"), ChallengeStatusVerified)
assert.Equal(t, ChallengeStatus("expired"), ChallengeStatusExpired)
assert.Equal(t, ChallengeStatus("failed"), ChallengeStatusFailed)
}
func TestManualChallenge_TableName(t *testing.T) {
challenge := ManualChallenge{}
assert.Equal(t, "manual_challenges", challenge.TableName())
}
func TestManualChallenge_IsTerminal(t *testing.T) {
tests := []struct {
name string
status ChallengeStatus
expected bool
}{
{"created is not terminal", ChallengeStatusCreated, false},
{"pending is not terminal", ChallengeStatusPending, false},
{"verifying is not terminal", ChallengeStatusVerifying, false},
{"verified is terminal", ChallengeStatusVerified, true},
{"expired is terminal", ChallengeStatusExpired, true},
{"failed is terminal", ChallengeStatusFailed, true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
challenge := &ManualChallenge{Status: tt.status}
assert.Equal(t, tt.expected, challenge.IsTerminal())
})
}
}
func TestManualChallenge_IsActive(t *testing.T) {
tests := []struct {
name string
status ChallengeStatus
expected bool
}{
{"created is active", ChallengeStatusCreated, true},
{"pending is active", ChallengeStatusPending, true},
{"verifying is active", ChallengeStatusVerifying, true},
{"verified is not active", ChallengeStatusVerified, false},
{"expired is not active", ChallengeStatusExpired, false},
{"failed is not active", ChallengeStatusFailed, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
challenge := &ManualChallenge{Status: tt.status}
assert.Equal(t, tt.expected, challenge.IsActive())
})
}
}
func TestManualChallenge_TimeRemaining(t *testing.T) {
tests := []struct {
name string
expiresAt time.Time
expectPositive bool
}{
{
name: "future expiration returns positive duration",
expiresAt: time.Now().Add(10 * time.Minute),
expectPositive: true,
},
{
name: "past expiration returns zero",
expiresAt: time.Now().Add(-5 * time.Minute),
expectPositive: false,
},
{
name: "just expired returns zero",
expiresAt: time.Now().Add(-1 * time.Second),
expectPositive: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
challenge := &ManualChallenge{ExpiresAt: tt.expiresAt}
remaining := challenge.TimeRemaining()
if tt.expectPositive {
assert.Greater(t, remaining, time.Duration(0))
} else {
assert.Equal(t, time.Duration(0), remaining)
}
})
}
}
func TestManualChallenge_StructFields(t *testing.T) {
now := time.Now()
lastCheck := now.Add(-1 * time.Minute)
verified := now.Add(-30 * time.Second)
challenge := &ManualChallenge{
ID: "test-uuid-123",
ProviderID: 1,
UserID: 2,
FQDN: "_acme-challenge.example.com",
Token: "token123",
Value: "txtvalue456",
Status: ChallengeStatusPending,
ErrorMessage: "",
DNSPropagated: false,
CreatedAt: now,
ExpiresAt: now.Add(10 * time.Minute),
LastCheckAt: &lastCheck,
VerifiedAt: &verified,
}
assert.Equal(t, "test-uuid-123", challenge.ID)
assert.Equal(t, uint(1), challenge.ProviderID)
assert.Equal(t, uint(2), challenge.UserID)
assert.Equal(t, "_acme-challenge.example.com", challenge.FQDN)
assert.Equal(t, "token123", challenge.Token)
assert.Equal(t, "txtvalue456", challenge.Value)
assert.Equal(t, ChallengeStatusPending, challenge.Status)
assert.Empty(t, challenge.ErrorMessage)
assert.False(t, challenge.DNSPropagated)
assert.Equal(t, now, challenge.CreatedAt)
assert.NotNil(t, challenge.LastCheckAt)
assert.NotNil(t, challenge.VerifiedAt)
}
func TestManualChallenge_NilOptionalFields(t *testing.T) {
challenge := &ManualChallenge{
ID: "test-uuid",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Value: "value",
Status: ChallengeStatusCreated,
CreatedAt: time.Now(),
ExpiresAt: time.Now().Add(10 * time.Minute),
LastCheckAt: nil,
VerifiedAt: nil,
}
assert.Nil(t, challenge.LastCheckAt)
assert.Nil(t, challenge.VerifiedAt)
assert.True(t, challenge.IsActive())
assert.False(t, challenge.IsTerminal())
}

4
backend/internal/models/notification_test.go
View File

@@ -11,7 +11,7 @@ import (
func TestNotification_BeforeCreate(t *testing.T) {
db, err := gorm.Open(sqlite.Open("file::memory:?cache=shared"), &gorm.Config{})
assert.NoError(t, err)
db.AutoMigrate(&Notification{})
_ = db.AutoMigrate(&Notification{})
// Case 1: ID is empty, should be generated
n1 := &Notification{Title: "Test", Message: "Test Message"}
@@ -30,7 +30,7 @@ func TestNotification_BeforeCreate(t *testing.T) {
func TestNotificationConfig_BeforeCreate(t *testing.T) {
db, err := gorm.Open(sqlite.Open("file::memory:?cache=shared"), &gorm.Config{})
assert.NoError(t, err)
db.AutoMigrate(&NotificationConfig{})
_ = db.AutoMigrate(&NotificationConfig{})
// Case 1: ID is empty, should be generated
nc1 := &NotificationConfig{Enabled: true, MinLogLevel: "error"}

21
backend/internal/network/internal_service_client_test.go
View File

@@ -87,7 +87,7 @@ func TestNewInternalServiceHTTPClient_RedirectsDisabled(t *testing.T) {
return
}
w.WriteHeader(http.StatusOK)
w.Write([]byte("redirected"))
_, _ = w.Write([]byte("redirected"))
}))
defer server.Close()
@@ -97,7 +97,7 @@ func TestNewInternalServiceHTTPClient_RedirectsDisabled(t *testing.T) {
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
// Should receive the redirect response, not follow it
if resp.StatusCode != http.StatusFound {
@@ -133,7 +133,7 @@ func TestNewInternalServiceHTTPClient_ActualRequest(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{"status":"ok"}`))
_, _ = w.Write([]byte(`{"status":"ok"}`))
}))
defer server.Close()
@@ -143,7 +143,7 @@ func TestNewInternalServiceHTTPClient_ActualRequest(t *testing.T) {
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
if resp.StatusCode != http.StatusOK {
t.Errorf("expected status 200, got %d", resp.StatusCode)
@@ -162,7 +162,10 @@ func TestNewInternalServiceHTTPClient_TimeoutEnforced(t *testing.T) {
// Use a very short timeout
client := NewInternalServiceHTTPClient(100 * time.Millisecond)
_, err := client.Get(server.URL)
resp, err := client.Get(server.URL)
if resp != nil {
_ = resp.Body.Close()
}
if err == nil {
t.Error("expected timeout error, got nil")
}
@@ -191,7 +194,7 @@ func TestNewInternalServiceHTTPClient_ProxyIgnored(t *testing.T) {
// Set up a server to verify no proxy is used
directServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
w.Write([]byte("direct"))
_, _ = w.Write([]byte("direct"))
}))
defer directServer.Close()
@@ -208,7 +211,7 @@ func TestNewInternalServiceHTTPClient_ProxyIgnored(t *testing.T) {
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
if resp.StatusCode != http.StatusOK {
t.Errorf("expected status 200, got %d", resp.StatusCode)
@@ -231,7 +234,7 @@ func TestNewInternalServiceHTTPClient_PostRequest(t *testing.T) {
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
if resp.StatusCode != http.StatusCreated {
t.Errorf("expected status 201, got %d", resp.StatusCode)
@@ -258,7 +261,7 @@ func BenchmarkNewInternalServiceHTTPClient_Request(b *testing.B) {
for i := 0; i < b.N; i++ {
resp, err := client.Get(server.URL)
if err == nil {
resp.Body.Close()
_ = resp.Body.Close()
}
}
}

26
backend/internal/network/safeclient_test.go
View File

@@ -111,7 +111,7 @@ func TestSafeDialer_BlocksPrivateIPs(t *testing.T) {
conn, err := dialer(ctx, "tcp", tt.address)
if tt.shouldBlock {
if err == nil {
conn.Close()
_ = conn.Close()
t.Errorf("expected connection to %s to be blocked", tt.address)
}
}
@@ -144,7 +144,7 @@ func TestSafeDialer_AllowsLocalhost(t *testing.T) {
t.Errorf("expected connection to localhost to be allowed when allowLocalhost=true, got error: %v", err)
return
}
conn.Close()
_ = conn.Close()
}
func TestSafeDialer_AllowedDomains(t *testing.T) {
@@ -204,7 +204,7 @@ func TestNewSafeHTTPClient_WithAllowLocalhost(t *testing.T) {
// Create a local test server
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
w.Write([]byte("OK"))
_, _ = w.Write([]byte("OK"))
}))
defer server.Close()
@@ -217,7 +217,7 @@ func TestNewSafeHTTPClient_WithAllowLocalhost(t *testing.T) {
if err != nil {
t.Fatalf("expected request to localhost to succeed with allowLocalhost, got: %v", err)
}
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
if resp.StatusCode != http.StatusOK {
t.Errorf("expected status 200, got %d", resp.StatusCode)
@@ -247,7 +247,7 @@ func TestNewSafeHTTPClient_BlocksSSRF(t *testing.T) {
t.Parallel()
resp, err := client.Get(url)
if err == nil {
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
t.Errorf("expected request to %s to be blocked", url)
}
})
@@ -278,7 +278,7 @@ func TestNewSafeHTTPClient_WithMaxRedirects(t *testing.T) {
resp, err := client.Get(server.URL)
if err == nil {
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
t.Error("expected redirect limit to be enforced")
}
}
@@ -494,7 +494,7 @@ func TestNewSafeHTTPClient_NoRedirectsByDefault(t *testing.T) {
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
// Should not follow redirect - should return 302
if resp.StatusCode != http.StatusFound {
@@ -661,7 +661,7 @@ func TestSafeDialer_AllIPsPrivate(t *testing.T) {
t.Parallel()
conn, err := dialer(ctx, "tcp", addr)
if err == nil {
conn.Close()
_ = conn.Close()
t.Errorf("expected connection to %s to be blocked (all IPs private)", addr)
}
})
@@ -694,7 +694,7 @@ func TestNewSafeHTTPClient_RedirectToPrivateIP(t *testing.T) {
// Make request - should fail when trying to follow redirect to private IP
resp, err := client.Get(server.URL)
if err == nil {
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
t.Error("expected error when redirect targets private IP")
}
}
@@ -761,7 +761,7 @@ func TestNewSafeHTTPClient_TooManyRedirects(t *testing.T) {
resp, err := client.Get(server.URL)
if resp != nil {
resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
}
if err == nil {
t.Error("expected error for too many redirects")
@@ -810,7 +810,7 @@ func TestNewSafeHTTPClient_MetadataEndpoint(t *testing.T) {
// AWS metadata endpoint
resp, err := client.Get("http://169.254.169.254/latest/meta-data/")
if resp != nil {
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
}
if err == nil {
t.Error("expected cloud metadata endpoint to be blocked")
@@ -886,7 +886,7 @@ func TestNewSafeHTTPClient_RedirectValidation(t *testing.T) {
return
}
w.WriteHeader(http.StatusOK)
w.Write([]byte("success"))
_, _ = w.Write([]byte("success"))
}))
defer server.Close()
@@ -900,7 +900,7 @@ func TestNewSafeHTTPClient_RedirectValidation(t *testing.T) {
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
defer func() { _ = resp.Body.Close() }()
if resp.StatusCode != http.StatusOK {
t.Errorf("expected status 200, got %d", resp.StatusCode)

10
backend/internal/security/url_validator_coverage_test.go
View File

@@ -9,10 +9,10 @@ import (
func TestInternalServiceHostAllowlist(t *testing.T) {
// Save original env var
originalEnv := os.Getenv(InternalServiceHostAllowlistEnvVar)
defer os.Setenv(InternalServiceHostAllowlistEnvVar, originalEnv)
defer func() { _ = os.Setenv(InternalServiceHostAllowlistEnvVar, originalEnv) }()
t.Run("DefaultLocalhostOnly", func(t *testing.T) {
os.Setenv(InternalServiceHostAllowlistEnvVar, "")
_ = os.Setenv(InternalServiceHostAllowlistEnvVar, "")
allowlist := InternalServiceHostAllowlist()
// Should contain localhost entries
@@ -30,7 +30,7 @@ func TestInternalServiceHostAllowlist(t *testing.T) {
})
t.Run("WithAdditionalHosts", func(t *testing.T) {
os.Setenv(InternalServiceHostAllowlistEnvVar, "crowdsec,caddy,traefik")
_ = os.Setenv(InternalServiceHostAllowlistEnvVar, "crowdsec,caddy,traefik")
allowlist := InternalServiceHostAllowlist()
// Should contain localhost + additional hosts
@@ -47,7 +47,7 @@ func TestInternalServiceHostAllowlist(t *testing.T) {
})
t.Run("WithEmptyAndWhitespaceEntries", func(t *testing.T) {
os.Setenv(InternalServiceHostAllowlistEnvVar, " , crowdsec , , caddy , ")
_ = os.Setenv(InternalServiceHostAllowlistEnvVar, " , crowdsec , , caddy , ")
allowlist := InternalServiceHostAllowlist()
// Should contain localhost + valid hosts (empty and whitespace ignored)
@@ -64,7 +64,7 @@ func TestInternalServiceHostAllowlist(t *testing.T) {
})
t.Run("WithInvalidEntries", func(t *testing.T) {
os.Setenv(InternalServiceHostAllowlistEnvVar, "crowdsec,http://invalid,user@host,/path")
_ = os.Setenv(InternalServiceHostAllowlistEnvVar, "crowdsec,http://invalid,user@host,/path")
allowlist := InternalServiceHostAllowlist()
// Should only have localhost + crowdsec (others rejected)

2
backend/internal/services/auth_service_test.go
View File

@@ -74,7 +74,7 @@ func TestAuthService_Login(t *testing.T) {
assert.True(t, user.LockedUntil.After(time.Now()))
// Try login with correct password while locked
token, err = service.Login("test@example.com", "password123")
_, err = service.Login("test@example.com", "password123")
assert.Error(t, err)
assert.Equal(t, "account locked", err.Error())
}

238
backend/internal/services/backup_service_test.go
View File

@@ -17,7 +17,7 @@ func TestBackupService_CreateAndList(t *testing.T) {
// Setup temp dirs
tmpDir, err := os.MkdirTemp("", "cpm-backup-service-test")
require.NoError(t, err)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
dataDir := filepath.Join(tmpDir, "data")
err = os.MkdirAll(dataDir, 0o755)
@@ -87,7 +87,7 @@ func TestBackupService_Restore_ZipSlip(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Create malicious zip
zipPath := filepath.Join(service.BackupDir, "malicious.zip")
@@ -99,8 +99,8 @@ func TestBackupService_Restore_ZipSlip(t *testing.T) {
require.NoError(t, err)
_, err = f.Write([]byte("evil"))
require.NoError(t, err)
w.Close()
zipFile.Close()
_ = w.Close()
_ = zipFile.Close()
// Attempt restore
err = service.RestoreBackup("malicious.zip")
@@ -114,7 +114,7 @@ func TestBackupService_PathTraversal(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Test GetBackupPath with traversal
// Should return error
@@ -133,11 +133,11 @@ func TestBackupService_RunScheduledBackup(t *testing.T) {
// Setup temp dirs
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
// Create dummy DB
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("dummy db"), 0o644)
_ = os.WriteFile(dbPath, []byte("dummy db"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
service := NewBackupService(cfg)
@@ -166,11 +166,11 @@ func TestBackupService_CreateBackup_Errors(t *testing.T) {
t.Run("cannot create backup directory", func(t *testing.T) {
tmpDir := t.TempDir()
dbPath := filepath.Join(tmpDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
// Create backup dir as a file to cause mkdir error
backupDir := filepath.Join(tmpDir, "backups")
os.WriteFile(backupDir, []byte("blocking"), 0o644)
_ = os.WriteFile(backupDir, []byte("blocking"), 0o644)
service := &BackupService{
DataDir: tmpDir,
@@ -189,7 +189,7 @@ func TestBackupService_RestoreBackup_Errors(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
err := service.RestoreBackup("nonexistent.zip")
assert.Error(t, err)
@@ -201,11 +201,11 @@ func TestBackupService_RestoreBackup_Errors(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Create invalid zip
badZip := filepath.Join(service.BackupDir, "bad.zip")
os.WriteFile(badZip, []byte("not a zip"), 0o644)
_ = os.WriteFile(badZip, []byte("not a zip"), 0o644)
err := service.RestoreBackup("bad.zip")
assert.Error(t, err)
@@ -217,7 +217,7 @@ func TestBackupService_ListBackups_EmptyDir(t *testing.T) {
service := &BackupService{
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
backups, err := service.ListBackups()
require.NoError(t, err)
@@ -242,7 +242,7 @@ func TestBackupService_CleanupOldBackups(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Create 10 backup files manually with different timestamps
for i := 0; i < 10; i++ {
@@ -250,10 +250,10 @@ func TestBackupService_CleanupOldBackups(t *testing.T) {
zipPath := filepath.Join(service.BackupDir, filename)
f, err := os.Create(zipPath)
require.NoError(t, err)
f.Close()
_ = f.Close()
// Set modification time to ensure proper ordering
modTime := time.Date(2025, 1, i+1, 10, 0, 0, 0, time.UTC)
os.Chtimes(zipPath, modTime, modTime)
_ = os.Chtimes(zipPath, modTime, modTime)
}
backups, err := service.ListBackups()
@@ -277,7 +277,7 @@ func TestBackupService_CleanupOldBackups(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Create 3 backup files
for i := 0; i < 3; i++ {
@@ -285,7 +285,7 @@ func TestBackupService_CleanupOldBackups(t *testing.T) {
zipPath := filepath.Join(service.BackupDir, filename)
f, err := os.Create(zipPath)
require.NoError(t, err)
f.Close()
_ = f.Close()
}
// Try to keep 7 - should delete nothing
@@ -304,7 +304,7 @@ func TestBackupService_CleanupOldBackups(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Create 5 backup files
for i := 0; i < 5; i++ {
@@ -312,9 +312,9 @@ func TestBackupService_CleanupOldBackups(t *testing.T) {
zipPath := filepath.Join(service.BackupDir, filename)
f, err := os.Create(zipPath)
require.NoError(t, err)
f.Close()
_ = f.Close()
modTime := time.Date(2025, 1, i+1, 10, 0, 0, 0, time.UTC)
os.Chtimes(zipPath, modTime, modTime)
_ = os.Chtimes(zipPath, modTime, modTime)
}
// Try to keep 0 - should keep at least 1
@@ -332,7 +332,7 @@ func TestBackupService_CleanupOldBackups(t *testing.T) {
service := &BackupService{
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
deleted, err := service.CleanupOldBackups(7)
require.NoError(t, err)
@@ -344,10 +344,10 @@ func TestBackupService_GetLastBackupTime(t *testing.T) {
t.Run("returns latest backup time", func(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("dummy db"), 0o644)
_ = os.WriteFile(dbPath, []byte("dummy db"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
service := NewBackupService(cfg)
@@ -368,7 +368,7 @@ func TestBackupService_GetLastBackupTime(t *testing.T) {
service := &BackupService{
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
lastBackup, err := service.GetLastBackupTime()
require.NoError(t, err)
@@ -385,14 +385,14 @@ func TestDefaultBackupRetention(t *testing.T) {
func TestNewBackupService_BackupDirCreationError(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
// Create a file where backup dir should be to cause mkdir error
backupDirPath := filepath.Join(dataDir, "backups")
os.WriteFile(backupDirPath, []byte("blocking"), 0o644)
_ = os.WriteFile(backupDirPath, []byte("blocking"), 0o644)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
// Should not panic even if backup dir creation fails (error is logged, not returned)
@@ -405,10 +405,10 @@ func TestNewBackupService_BackupDirCreationError(t *testing.T) {
func TestNewBackupService_CronScheduleError(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
// Service should initialize without panic even if cron has issues
@@ -422,7 +422,7 @@ func TestNewBackupService_CronScheduleError(t *testing.T) {
func TestRunScheduledBackup_CreateBackupFails(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
// Create a fake database path - don't create the actual file
dbPath := filepath.Join(dataDir, "charon.db")
@@ -452,10 +452,10 @@ func TestRunScheduledBackup_CreateBackupFails(t *testing.T) {
func TestRunScheduledBackup_CleanupFails(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
service := NewBackupService(cfg)
@@ -466,8 +466,8 @@ func TestRunScheduledBackup_CleanupFails(t *testing.T) {
require.NoError(t, err)
// Make backup directory read-only to cause cleanup to fail
os.Chmod(service.BackupDir, 0o444)
defer os.Chmod(service.BackupDir, 0o755) // Restore for cleanup
_ = os.Chmod(service.BackupDir, 0o444)
defer func() { _ = os.Chmod(service.BackupDir, 0o755) }() // Restore for cleanup
// Should not panic when cleanup fails
service.RunScheduledBackup()
@@ -485,7 +485,7 @@ func TestGetLastBackupTime_ListBackupsError(t *testing.T) {
}
// Create a file where directory should be
os.WriteFile(service.BackupDir, []byte("blocking"), 0o644)
_ = os.WriteFile(service.BackupDir, []byte("blocking"), 0o644)
lastBackup, err := service.GetLastBackupTime()
assert.Error(t, err)
@@ -497,10 +497,10 @@ func TestGetLastBackupTime_ListBackupsError(t *testing.T) {
func TestRunScheduledBackup_CleanupDeletesZero(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
service := NewBackupService(cfg)
@@ -521,7 +521,7 @@ func TestCleanupOldBackups_PartialFailure(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Create 5 backup files
for i := 0; i < 5; i++ {
@@ -529,13 +529,13 @@ func TestCleanupOldBackups_PartialFailure(t *testing.T) {
zipPath := filepath.Join(service.BackupDir, filename)
f, err := os.Create(zipPath)
require.NoError(t, err)
f.Close()
_ = f.Close()
modTime := time.Date(2025, 1, i+1, 10, 0, 0, 0, time.UTC)
os.Chtimes(zipPath, modTime, modTime)
_ = os.Chtimes(zipPath, modTime, modTime)
// Make files 0 and 1 read-only to cause deletion to fail
if i < 2 {
os.Chmod(zipPath, 0o444)
_ = os.Chmod(zipPath, 0o444)
}
}
@@ -550,10 +550,10 @@ func TestCleanupOldBackups_PartialFailure(t *testing.T) {
func TestCreateBackup_CaddyDirMissing(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("dummy db"), 0o644)
_ = os.WriteFile(dbPath, []byte("dummy db"), 0o644)
// Explicitly NOT creating caddy directory
cfg := &config.Config{DatabasePath: dbPath}
@@ -573,16 +573,16 @@ func TestCreateBackup_CaddyDirMissing(t *testing.T) {
func TestCreateBackup_CaddyDirUnreadable(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("dummy db"), 0o644)
_ = os.WriteFile(dbPath, []byte("dummy db"), 0o644)
// Create caddy dir with no read permissions
caddyDir := filepath.Join(dataDir, "caddy")
os.MkdirAll(caddyDir, 0o755)
os.Chmod(caddyDir, 0o000)
defer os.Chmod(caddyDir, 0o755) // Restore for cleanup
_ = os.MkdirAll(caddyDir, 0o755)
_ = os.Chmod(caddyDir, 0o000)
defer func() { _ = os.Chmod(caddyDir, 0o755) }() // Restore for cleanup
cfg := &config.Config{DatabasePath: dbPath}
service := NewBackupService(cfg)
@@ -601,10 +601,10 @@ func TestBackupService_addToZip_FileNotFound(t *testing.T) {
zipPath := filepath.Join(tmpDir, "test.zip")
zipFile, err := os.Create(zipPath)
require.NoError(t, err)
defer zipFile.Close()
defer func() { _ = zipFile.Close() }()
w := zip.NewWriter(zipFile)
defer w.Close()
defer func() { _ = w.Close() }()
service := &BackupService{}
@@ -623,10 +623,10 @@ func TestBackupService_addToZip_FileOpenError(t *testing.T) {
zipPath := filepath.Join(tmpDir, "test.zip")
zipFile, err := os.Create(zipPath)
require.NoError(t, err)
defer zipFile.Close()
defer func() { _ = zipFile.Close() }()
w := zip.NewWriter(zipFile)
defer w.Close()
defer func() { _ = w.Close() }()
// Create a directory (not a file) that cannot be opened as a file
srcPath := filepath.Join(tmpDir, "unreadable_dir")
@@ -637,7 +637,7 @@ func TestBackupService_addToZip_FileOpenError(t *testing.T) {
unreadablePath := filepath.Join(srcPath, "unreadable.txt")
err = os.WriteFile(unreadablePath, []byte("test"), 0o000)
require.NoError(t, err)
defer os.Chmod(unreadablePath, 0o644) // Restore for cleanup
defer func() { _ = os.Chmod(unreadablePath, 0o644) }() // Restore for cleanup
service := &BackupService{}
@@ -651,10 +651,10 @@ func TestBackupService_addToZip_FileOpenError(t *testing.T) {
func TestBackupService_Start(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
service := NewBackupService(cfg)
@@ -673,10 +673,10 @@ func TestBackupService_Start(t *testing.T) {
func TestRunScheduledBackup_CleanupSucceedsWithDeletions(t *testing.T) {
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("test"), 0o644)
_ = os.WriteFile(dbPath, []byte("test"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
service := NewBackupService(cfg)
@@ -688,9 +688,9 @@ func TestRunScheduledBackup_CleanupSucceedsWithDeletions(t *testing.T) {
zipPath := filepath.Join(service.BackupDir, filename)
f, err := os.Create(zipPath)
require.NoError(t, err)
f.Close()
_ = f.Close()
modTime := time.Date(2025, 1, i+1, 10, 0, 0, 0, time.UTC)
os.Chtimes(zipPath, modTime, modTime)
_ = os.Chtimes(zipPath, modTime, modTime)
}
// RunScheduledBackup creates a new backup and triggers cleanup
@@ -710,7 +710,7 @@ func TestCleanupOldBackups_ListBackupsError(t *testing.T) {
}
// Create a file where directory should be
os.WriteFile(service.BackupDir, []byte("blocking"), 0o644)
_ = os.WriteFile(service.BackupDir, []byte("blocking"), 0o644)
deleted, err := service.CleanupOldBackups(5)
assert.Error(t, err)
@@ -725,21 +725,21 @@ func TestListBackups_EntryInfoError(t *testing.T) {
service := &BackupService{
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Create a valid zip file
zipPath := filepath.Join(service.BackupDir, "backup_test.zip")
f, err := os.Create(zipPath)
require.NoError(t, err)
f.Close()
_ = f.Close()
// Create a non-zip file that should be ignored
txtPath := filepath.Join(service.BackupDir, "readme.txt")
os.WriteFile(txtPath, []byte("not a backup"), 0o644)
_ = os.WriteFile(txtPath, []byte("not a backup"), 0o644)
// Create a directory that should be ignored
dirPath := filepath.Join(service.BackupDir, "subdir.zip")
os.MkdirAll(dirPath, 0o755)
_ = os.MkdirAll(dirPath, 0o755)
backups, err := service.ListBackups()
require.NoError(t, err)
@@ -754,7 +754,7 @@ func TestRestoreBackup_PathTraversal_FirstCheck(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Test path traversal with filename containing path separator
err := service.RestoreBackup("../../../etc/passwd")
@@ -768,7 +768,7 @@ func TestRestoreBackup_PathTraversal_SecondCheck(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Test with a filename that passes the first check but could still
// be problematic (this tests the second prefix check)
@@ -783,7 +783,7 @@ func TestDeleteBackup_PathTraversal_SecondCheck(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Test first check - filename with path separator
err := service.DeleteBackup("sub/file.zip")
@@ -797,7 +797,7 @@ func TestGetBackupPath_PathTraversal_SecondCheck(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Test first check - filename with path separator
_, err := service.GetBackupPath("sub/file.zip")
@@ -811,8 +811,8 @@ func TestUnzip_DirectoryCreation(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
os.MkdirAll(service.DataDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.DataDir, 0o755)
// Create a zip with nested directory structure
zipPath := filepath.Join(service.BackupDir, "nested.zip")
@@ -828,8 +828,8 @@ func TestUnzip_DirectoryCreation(t *testing.T) {
require.NoError(t, err)
_, err = f.Write([]byte("nested content"))
require.NoError(t, err)
w.Close()
zipFile.Close()
_ = w.Close()
_ = zipFile.Close()
// Restore the backup
err = service.RestoreBackup("nested.zip")
@@ -852,8 +852,8 @@ func TestUnzip_OpenFileError(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
os.MkdirAll(service.DataDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.DataDir, 0o755)
// Create a valid zip
zipPath := filepath.Join(service.BackupDir, "test.zip")
@@ -865,12 +865,12 @@ func TestUnzip_OpenFileError(t *testing.T) {
require.NoError(t, err)
_, err = f.Write([]byte("test content"))
require.NoError(t, err)
w.Close()
zipFile.Close()
_ = w.Close()
_ = zipFile.Close()
// Make data dir read-only to cause OpenFile error
os.Chmod(service.DataDir, 0o444)
defer os.Chmod(service.DataDir, 0o755)
_ = os.Chmod(service.DataDir, 0o444)
defer func() { _ = os.Chmod(service.DataDir, 0o755) }()
err = service.RestoreBackup("test.zip")
assert.Error(t, err)
@@ -884,8 +884,8 @@ func TestUnzip_FileOpenInZipError(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
os.MkdirAll(service.DataDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.DataDir, 0o755)
// Create a valid zip with a file
zipPath := filepath.Join(service.BackupDir, "valid.zip")
@@ -897,8 +897,8 @@ func TestUnzip_FileOpenInZipError(t *testing.T) {
require.NoError(t, err)
_, err = f.Write([]byte("file content"))
require.NoError(t, err)
w.Close()
zipFile.Close()
_ = w.Close()
_ = zipFile.Close()
// Restore should work
err = service.RestoreBackup("valid.zip")
@@ -915,10 +915,10 @@ func TestAddDirToZip_WalkError(t *testing.T) {
zipPath := filepath.Join(tmpDir, "test.zip")
zipFile, err := os.Create(zipPath)
require.NoError(t, err)
defer zipFile.Close()
defer func() { _ = zipFile.Close() }()
w := zip.NewWriter(zipFile)
defer w.Close()
defer func() { _ = w.Close() }()
service := &BackupService{}
@@ -932,9 +932,9 @@ func TestAddDirToZip_SkipsDirectories(t *testing.T) {
// Create directory structure
srcDir := filepath.Join(tmpDir, "src")
os.MkdirAll(filepath.Join(srcDir, "subdir"), 0o755)
os.WriteFile(filepath.Join(srcDir, "file1.txt"), []byte("content1"), 0o644)
os.WriteFile(filepath.Join(srcDir, "subdir", "file2.txt"), []byte("content2"), 0o644)
_ = os.MkdirAll(filepath.Join(srcDir, "subdir"), 0o755)
_ = os.WriteFile(filepath.Join(srcDir, "file1.txt"), []byte("content1"), 0o644)
_ = os.WriteFile(filepath.Join(srcDir, "subdir", "file2.txt"), []byte("content2"), 0o644)
zipPath := filepath.Join(tmpDir, "test.zip")
zipFile, err := os.Create(zipPath)
@@ -946,13 +946,13 @@ func TestAddDirToZip_SkipsDirectories(t *testing.T) {
err = service.addDirToZip(w, srcDir, "backup")
require.NoError(t, err)
w.Close()
zipFile.Close()
_ = w.Close()
_ = zipFile.Close()
// Verify zip contains expected files
r, err := zip.OpenReader(zipPath)
require.NoError(t, err)
defer r.Close()
defer func() { _ = r.Close() }()
fileNames := make([]string, 0)
for _, f := range r.File {
@@ -996,8 +996,8 @@ func TestUnzip_CopyError(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
os.MkdirAll(service.DataDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.DataDir, 0o755)
// Create a valid zip
zipPath := filepath.Join(service.BackupDir, "test.zip")
@@ -1009,14 +1009,14 @@ func TestUnzip_CopyError(t *testing.T) {
require.NoError(t, err)
_, err = f.Write([]byte("test content"))
require.NoError(t, err)
w.Close()
zipFile.Close()
_ = w.Close()
_ = zipFile.Close()
// Create the subdir as read-only to cause copy error
subDir := filepath.Join(service.DataDir, "subdir")
os.MkdirAll(subDir, 0o755)
os.Chmod(subDir, 0o444)
defer os.Chmod(subDir, 0o755)
_ = os.MkdirAll(subDir, 0o755)
_ = os.Chmod(subDir, 0o444)
defer func() { _ = os.Chmod(subDir, 0o755) }()
// Restore should fail because we can't write to subdir
err = service.RestoreBackup("test.zip")
@@ -1028,10 +1028,10 @@ func TestCreateBackup_ZipWriterCloseError(t *testing.T) {
// by creating a valid backup and ensuring proper cleanup
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("test db content"), 0o644)
_ = os.WriteFile(dbPath, []byte("test db content"), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
service := NewBackupService(cfg)
@@ -1046,7 +1046,7 @@ func TestCreateBackup_ZipWriterCloseError(t *testing.T) {
backupPath := filepath.Join(service.BackupDir, filename)
r, err := zip.OpenReader(backupPath)
require.NoError(t, err)
defer r.Close()
defer func() { _ = r.Close() }()
// Verify it contains the database
var foundDB bool
@@ -1064,13 +1064,13 @@ func TestAddToZip_CreateError(t *testing.T) {
zipPath := filepath.Join(tmpDir, "test.zip")
zipFile, err := os.Create(zipPath)
require.NoError(t, err)
defer zipFile.Close()
defer func() { _ = zipFile.Close() }()
w := zip.NewWriter(zipFile)
// Create a source file
srcPath := filepath.Join(tmpDir, "source.txt")
os.WriteFile(srcPath, []byte("test content"), 0o644)
_ = os.WriteFile(srcPath, []byte("test content"), 0o644)
service := &BackupService{}
@@ -1079,11 +1079,11 @@ func TestAddToZip_CreateError(t *testing.T) {
require.NoError(t, err)
// Close the writer to finalize
w.Close()
_ = w.Close()
// Try to add to closed writer - this should fail
w2 := zip.NewWriter(zipFile)
err = service.addToZip(w2, srcPath, "dest2.txt")
_ = service.addToZip(w2, srcPath, "dest2.txt")
// This may or may not error depending on internal state
// The main point is we're testing the code path
}
@@ -1093,13 +1093,13 @@ func TestListBackups_IgnoresNonZipFiles(t *testing.T) {
service := &BackupService{
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Create various files
os.WriteFile(filepath.Join(service.BackupDir, "backup.zip"), []byte(""), 0o644)
os.WriteFile(filepath.Join(service.BackupDir, "backup.tar.gz"), []byte(""), 0o644)
os.WriteFile(filepath.Join(service.BackupDir, "readme.txt"), []byte(""), 0o644)
os.WriteFile(filepath.Join(service.BackupDir, ".hidden.zip"), []byte(""), 0o644)
_ = os.WriteFile(filepath.Join(service.BackupDir, "backup.zip"), []byte(""), 0o644)
_ = os.WriteFile(filepath.Join(service.BackupDir, "backup.tar.gz"), []byte(""), 0o644)
_ = os.WriteFile(filepath.Join(service.BackupDir, "readme.txt"), []byte(""), 0o644)
_ = os.WriteFile(filepath.Join(service.BackupDir, ".hidden.zip"), []byte(""), 0o644)
backups, err := service.ListBackups()
require.NoError(t, err)
@@ -1121,7 +1121,7 @@ func TestRestoreBackup_CreatesNestedDirectories(t *testing.T) {
DataDir: filepath.Join(tmpDir, "data"),
BackupDir: filepath.Join(tmpDir, "backups"),
}
os.MkdirAll(service.BackupDir, 0o755)
_ = os.MkdirAll(service.BackupDir, 0o755)
// Create a zip with deeply nested structure
zipPath := filepath.Join(service.BackupDir, "nested.zip")
@@ -1133,8 +1133,8 @@ func TestRestoreBackup_CreatesNestedDirectories(t *testing.T) {
require.NoError(t, err)
_, err = f.Write([]byte("deep content"))
require.NoError(t, err)
w.Close()
zipFile.Close()
_ = w.Close()
_ = zipFile.Close()
// DataDir doesn't exist yet
err = service.RestoreBackup("nested.zip")
@@ -1150,15 +1150,15 @@ func TestBackupService_FullCycle(t *testing.T) {
// Full integration test: create, list, restore, delete
tmpDir := t.TempDir()
dataDir := filepath.Join(tmpDir, "data")
os.MkdirAll(dataDir, 0o755)
_ = os.MkdirAll(dataDir, 0o755)
// Create database and caddy config
dbPath := filepath.Join(dataDir, "charon.db")
os.WriteFile(dbPath, []byte("original db"), 0o644)
_ = os.WriteFile(dbPath, []byte("original db"), 0o644)
caddyDir := filepath.Join(dataDir, "caddy")
os.MkdirAll(caddyDir, 0o755)
os.WriteFile(filepath.Join(caddyDir, "config.json"), []byte(`{"original": true}`), 0o644)
_ = os.MkdirAll(caddyDir, 0o755)
_ = os.WriteFile(filepath.Join(caddyDir, "config.json"), []byte(`{"original": true}`), 0o644)
cfg := &config.Config{DatabasePath: dbPath}
service := NewBackupService(cfg)
@@ -1169,8 +1169,8 @@ func TestBackupService_FullCycle(t *testing.T) {
require.NoError(t, err)
// Modify files
os.WriteFile(dbPath, []byte("modified db"), 0o644)
os.WriteFile(filepath.Join(caddyDir, "config.json"), []byte(`{"modified": true}`), 0o644)
_ = os.WriteFile(dbPath, []byte("modified db"), 0o644)
_ = os.WriteFile(filepath.Join(caddyDir, "config.json"), []byte(`{"modified": true}`), 0o644)
// Verify modification
content, _ := os.ReadFile(dbPath)

7
backend/internal/services/certificate_service.go
View File

@@ -156,12 +156,13 @@ func (s *CertificateService) SyncFromDisk() error {
isNewStaging := strings.Contains(provider, "staging")
shouldUpdateCert := false
if isExistingStaging && !isNewStaging {
switch {
case isExistingStaging && !isNewStaging:
// Upgrade from staging to production - always update
shouldUpdateCert = true
} else if !isExistingStaging && isNewStaging {
case !isExistingStaging && isNewStaging:
// Don't downgrade from production to staging - skip
} else if existing.Certificate != string(certData) {
case existing.Certificate != string(certData):
// Same type but different content - update
shouldUpdateCert = true
}

5
backend/internal/services/certificate_service_test.go
View File

@@ -86,7 +86,7 @@ func TestCertificateService_GetCertificateInfo(t *testing.T) {
if err != nil {
t.Fatalf("Failed to create temp dir: %v", err)
}
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
// Setup in-memory DB
dsn := fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name())
@@ -395,6 +395,7 @@ func TestCertificateService_ListCertificates_EdgeCases(t *testing.T) {
domain := "invalid.com"
certDir := filepath.Join(tmpDir, "certificates", "acme-v02.api.letsencrypt.org-directory", domain)
err = os.MkdirAll(certDir, 0o755)
require.NoError(t, err)
certPath := filepath.Join(certDir, domain+".crt")
err = os.WriteFile(certPath, []byte("invalid certificate content"), 0o644)
@@ -502,7 +503,7 @@ func TestCertificateService_DeleteCertificate_Errors(t *testing.T) {
// Manually remove the file (custom certs stored by numeric ID)
certPath := filepath.Join(tmpDir, "certificates", "custom", "cert.crt")
os.Remove(certPath)
_ = os.Remove(certPath)
// Delete should still work (DB cleanup)
err = cs.DeleteCertificate(cert.ID)

2
backend/internal/services/credential_service_test.go
View File

@@ -26,7 +26,7 @@ func setupCredentialTestDB(t *testing.T) (*gorm.DB, *crypto.EncryptionService) {
// Close database connection when test completes
t.Cleanup(func() {
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
})
err = db.AutoMigrate(

6
backend/internal/services/crowdsec_startup_test.go
View File

@@ -102,7 +102,7 @@ func setupCrowdsecTestFixtures(t *testing.T) (binPath, dataDir string, cleanup f
require.NoError(t, err)
cleanup = func() {
os.RemoveAll(tempDir)
_ = os.RemoveAll(tempDir)
}
return binPath, dataDir, cleanup
@@ -480,7 +480,7 @@ func TestReconcileCrowdSecOnStartup_DBError(t *testing.T) {
// Close DB to simulate DB error (this will cause queries to fail)
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
// Should handle DB errors gracefully (no panic)
ReconcileCrowdSecOnStartup(db, exec, binPath, dataDir)
@@ -501,7 +501,7 @@ func TestReconcileCrowdSecOnStartup_CreateConfigDBError(t *testing.T) {
// Close DB immediately to cause Create() to fail
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
// Should handle DB error during Create gracefully (no panic)
// This tests line 78-80: DB error after creating SecurityConfig

19
backend/internal/services/dns_detection_service_test.go
View File

@@ -76,9 +76,10 @@ func TestNewDNSDetectionService(t *testing.T) {
service := NewDNSDetectionService(db)
assert.NotNil(t, service)
// Verify it implements the interface
_, ok := service.(DNSDetectionService)
assert.True(t, ok)
// Verify it implements the interface by using it
// NewDNSDetectionService returns DNSDetectionService, so type is guaranteed
patterns := service.GetNameserverPatterns()
assert.NotNil(t, patterns)
}
func TestGetNameserverPatterns(t *testing.T) {
@@ -367,11 +368,9 @@ func TestDetectionResult_Validation(t *testing.T) {
t.Run("result with error", func(t *testing.T) {
result := &DetectionResult{
Domain: "invalid-domain.com",
Detected: false,
Nameservers: []string{},
Confidence: "none",
Error: "DNS lookup failed: no such host",
Detected: false,
Confidence: "none",
Error: "DNS lookup failed: no such host",
}
assert.False(t, result.Detected)
@@ -452,7 +451,7 @@ func TestConcurrentCacheAccess(t *testing.T) {
for i := 0; i < goroutines; i++ {
go func(id int) {
domain := strings.Replace("test-DOMAIN-ID.com", "ID", string(rune(id)), -1)
domain := strings.ReplaceAll("test-DOMAIN-ID.com", "ID", string(rune(id)))
result := &DetectionResult{
Domain: domain,
Detected: true,
@@ -483,7 +482,7 @@ func TestDatabaseError(t *testing.T) {
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
service := NewDNSDetectionService(db)

78
backend/internal/services/dns_provider_service_test.go
View File

@@ -17,6 +17,15 @@ import (
_ "github.com/Wikid82/charon/backend/pkg/dnsprovider/builtin" // Auto-register DNS providers
)
// testContextKey is a custom type for context keys to avoid staticcheck SA1029
type testContextKey string
const (
testUserIDKey testContextKey = "user_id"
testClientIPKey testContextKey = "client_ip"
testUserAgentKey testContextKey = "user_agent"
)
// setupTestDB creates an in-memory SQLite database for testing.
func setupDNSProviderTestDB(t *testing.T) (*gorm.DB, *crypto.EncryptionService) {
t.Helper()
@@ -60,28 +69,12 @@ func setupDNSProviderTestDB(t *testing.T) (*gorm.DB, *crypto.EncryptionService)
// Register cleanup
t.Cleanup(func() {
sqlDB.Close()
_ = sqlDB.Close()
})
return db, encryptor
}
// setupDNSServiceWithCleanup creates a DNS provider service and ensures cleanup
func setupDNSServiceWithCleanup(t *testing.T, db *gorm.DB, encryptor *crypto.EncryptionService) *dnsProviderService {
t.Helper()
svc := NewDNSProviderService(db, encryptor).(*dnsProviderService)
// Register cleanup to close the security service
t.Cleanup(func() {
if svc.securityService != nil {
svc.securityService.Close()
}
})
return svc
}
func TestDNSProviderService_Create(t *testing.T) {
db, encryptor := setupDNSProviderTestDB(t)
service := NewDNSProviderService(db, encryptor)
@@ -1410,7 +1403,7 @@ func TestDNSProviderService_List_DBError(t *testing.T) {
// Close the DB connection to trigger error
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
// List should fail
_, err = service.List(ctx)
@@ -1425,7 +1418,7 @@ func TestDNSProviderService_Get_DBError(t *testing.T) {
// Close the DB connection to trigger error
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
// Get should fail with a DB error (not ErrDNSProviderNotFound)
_, err = service.Get(ctx, 1)
@@ -1450,7 +1443,7 @@ func TestDNSProviderService_Create_DBErrorOnDefaultUnset(t *testing.T) {
// Now close the DB
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
// Trying to create another default should fail when trying to unset the existing default
_, err = workingService.Create(ctx, CreateDNSProviderRequest{
@@ -1470,7 +1463,7 @@ func TestDNSProviderService_Create_DBErrorOnCreate(t *testing.T) {
// Close the DB connection to trigger error
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
// Create should fail
_, err = service.Create(ctx, CreateDNSProviderRequest{
@@ -1497,7 +1490,7 @@ func TestDNSProviderService_Update_DBErrorOnSave(t *testing.T) {
// Close the DB connection to trigger error
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
// Update should fail
newName := "Updated"
@@ -1535,7 +1528,7 @@ func TestDNSProviderService_Update_DBErrorOnDefaultUnset(t *testing.T) {
// Close the DB connection to trigger error
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
// Update to make second provider default should fail
isDefault := true
@@ -1553,7 +1546,7 @@ func TestDNSProviderService_Delete_DBError(t *testing.T) {
// Close the DB connection to trigger error
sqlDB, err := db.DB()
require.NoError(t, err)
sqlDB.Close()
_ = sqlDB.Close()
// Delete should fail
err = service.Delete(ctx, 1)
@@ -1568,9 +1561,9 @@ func TestDNSProviderService_AuditLogging_Create(t *testing.T) {
require.NoError(t, err)
service := NewDNSProviderService(db, encryptor)
ctx := context.WithValue(context.Background(), "user_id", "test-user")
ctx = context.WithValue(ctx, "client_ip", "192.168.1.1")
ctx = context.WithValue(ctx, "user_agent", "TestAgent/1.0")
ctx := context.WithValue(context.Background(), testUserIDKey, "test-user")
ctx = context.WithValue(ctx, testClientIPKey, "192.168.1.1")
ctx = context.WithValue(ctx, testUserAgentKey, "TestAgent/1.0")
// Create a provider
req := CreateDNSProviderRequest{
@@ -1612,9 +1605,9 @@ func TestDNSProviderService_AuditLogging_Create(t *testing.T) {
func TestDNSProviderService_AuditLogging_Update(t *testing.T) {
db, encryptor := setupDNSProviderTestDB(t)
service := NewDNSProviderService(db, encryptor)
ctx := context.WithValue(context.Background(), "user_id", "test-user")
ctx = context.WithValue(ctx, "client_ip", "192.168.1.2")
ctx = context.WithValue(ctx, "user_agent", "TestAgent/1.0")
ctx := context.WithValue(context.Background(), testUserIDKey, "test-user")
ctx = context.WithValue(ctx, testClientIPKey, "192.168.1.2")
ctx = context.WithValue(ctx, testUserAgentKey, "TestAgent/1.0")
// Create a provider first
provider, err := service.Create(ctx, CreateDNSProviderRequest{
@@ -1666,11 +1659,20 @@ func TestDNSProviderService_AuditLogging_Update(t *testing.T) {
assert.Equal(t, "Updated Name", newValues["name"])
}
// Context key types for audit logging tests
type contextKey string
const (
contextKeyUserID contextKey = "user_id"
contextKeyClientIP contextKey = "client_ip"
contextKeyUserAgent contextKey = "user_agent"
)
func TestDNSProviderService_AuditLogging_Delete(t *testing.T) {
db, encryptor := setupDNSProviderTestDB(t)
service := NewDNSProviderService(db, encryptor)
ctx := context.WithValue(context.Background(), "user_id", "admin-user")
ctx = context.WithValue(ctx, "client_ip", "10.0.0.1")
ctx := context.WithValue(context.Background(), contextKeyUserID, "admin-user")
ctx = context.WithValue(ctx, contextKeyClientIP, "10.0.0.1")
// Create a provider first
provider, err := service.Create(ctx, CreateDNSProviderRequest{
@@ -1714,7 +1716,7 @@ func TestDNSProviderService_AuditLogging_Delete(t *testing.T) {
func TestDNSProviderService_AuditLogging_Test(t *testing.T) {
db, encryptor := setupDNSProviderTestDB(t)
service := NewDNSProviderService(db, encryptor)
ctx := context.WithValue(context.Background(), "user_id", "test-user")
ctx := context.WithValue(context.Background(), contextKeyUserID, "test-user")
// Create a provider
provider, err := service.Create(ctx, CreateDNSProviderRequest{
@@ -1749,7 +1751,7 @@ func TestDNSProviderService_AuditLogging_Test(t *testing.T) {
func TestDNSProviderService_AuditLogging_GetDecryptedCredentials(t *testing.T) {
db, encryptor := setupDNSProviderTestDB(t)
service := NewDNSProviderService(db, encryptor)
ctx := context.WithValue(context.Background(), "user_id", "admin")
ctx := context.WithValue(context.Background(), contextKeyUserID, "admin")
// Create a provider
provider, err := service.Create(ctx, CreateDNSProviderRequest{
@@ -1790,12 +1792,12 @@ func TestDNSProviderService_AuditLogging_GetDecryptedCredentials(t *testing.T) {
func TestDNSProviderService_AuditLogging_ContextHelpers(t *testing.T) {
// Test actor extraction
ctx := context.WithValue(context.Background(), "user_id", "user-123")
ctx := context.WithValue(context.Background(), contextKeyUserID, "user-123")
actor := getActorFromContext(ctx)
assert.Equal(t, "user-123", actor)
// Test with uint user ID
ctx = context.WithValue(context.Background(), "user_id", uint(456))
ctx = context.WithValue(context.Background(), contextKeyUserID, uint(456))
actor = getActorFromContext(ctx)
assert.Equal(t, "456", actor)
@@ -1805,12 +1807,12 @@ func TestDNSProviderService_AuditLogging_ContextHelpers(t *testing.T) {
assert.Equal(t, "system", actor)
// Test IP extraction
ctx = context.WithValue(context.Background(), "client_ip", "10.0.0.1")
ctx = context.WithValue(context.Background(), contextKeyClientIP, "10.0.0.1")
ip := getIPFromContext(ctx)
assert.Equal(t, "10.0.0.1", ip)
// Test User-Agent extraction
ctx = context.WithValue(context.Background(), "user_agent", "TestAgent/2.0")
ctx = context.WithValue(context.Background(), contextKeyUserAgent, "TestAgent/2.0")
ua := getUserAgentFromContext(ctx)
assert.Equal(t, "TestAgent/2.0", ua)
}

2
backend/internal/services/geoip_service_test.go
View File

@@ -136,7 +136,7 @@ func TestGeoIPService_Integration(t *testing.T) {
svc, err := NewGeoIPService(dbPath)
require.NoError(t, err)
defer svc.Close()
defer func() { _ = svc.Close() }()
t.Run("IsLoaded", func(t *testing.T) {
assert.True(t, svc.IsLoaded())

2
backend/internal/services/log_service_test.go
View File

@@ -15,7 +15,7 @@ import (
func TestLogService(t *testing.T) {
tmpDir, err := os.MkdirTemp("", "cpm-log-service-test")
require.NoError(t, err)
defer os.RemoveAll(tmpDir)
defer func() { _ = os.RemoveAll(tmpDir) }()
dataDir := filepath.Join(tmpDir, "data")
logsDir := filepath.Join(dataDir, "logs")

10
backend/internal/services/log_watcher_test.go
View File

@@ -323,7 +323,7 @@ func TestLogWatcherIntegration(t *testing.T) {
// Create the log file
file, err := os.Create(logPath)
require.NoError(t, err)
defer file.Close()
defer func() { _ = file.Close() }()
// Create and start watcher
watcher := NewLogWatcher(logPath)
@@ -355,7 +355,7 @@ func TestLogWatcherIntegration(t *testing.T) {
_, err = file.WriteString(string(logJSON) + "\n")
require.NoError(t, err)
file.Sync()
_ = file.Sync()
// Wait for the entry to be broadcast
select {
@@ -452,7 +452,7 @@ func TestLogWatcher_ReadLoop_EOFRetry(t *testing.T) {
// Create empty log file
file, err := os.Create(logPath)
require.NoError(t, err)
file.Close()
_ = file.Close()
watcher := NewLogWatcher(logPath)
err = watcher.Start(context.Background())
@@ -470,8 +470,8 @@ func TestLogWatcher_ReadLoop_EOFRetry(t *testing.T) {
logEntry := `{"level":"info","ts":1702406400.123,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.1.1","method":"GET","uri":"/test","host":"example.com","headers":{}},"status":200,"duration":0.001,"size":100}`
_, err = file.WriteString(logEntry + "\n")
require.NoError(t, err)
file.Sync()
file.Close()
_ = file.Sync()
_ = file.Close()
// Wait for watcher to read the new entry
select {

6
backend/internal/services/mail_service_test.go
View File

@@ -370,7 +370,7 @@ func BenchmarkMailService_IsConfigured(b *testing.B) {
db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{
Logger: logger.Default.LogMode(logger.Silent),
})
db.AutoMigrate(&models.Setting{})
_ = db.AutoMigrate(&models.Setting{})
svc := NewMailService(db)
config := &SMTPConfig{
@@ -378,7 +378,7 @@ func BenchmarkMailService_IsConfigured(b *testing.B) {
Port: 587,
FromAddress: "noreply@example.com",
}
svc.SaveSMTPConfig(config)
_ = svc.SaveSMTPConfig(config)
b.ResetTimer()
for i := 0; i < b.N; i++ {
@@ -436,7 +436,7 @@ func TestMailService_SendInvite_TokenFormat(t *testing.T) {
Port: 587,
FromAddress: "noreply@example.com",
}
svc.SaveSMTPConfig(config)
_ = svc.SaveSMTPConfig(config)
err := svc.SendInvite("test@example.com", "token123", "Charon", "https://charon.local/")
assert.Error(t, err)

450
backend/internal/services/manual_challenge_service.go Normal file
View File

@@ -0,0 +1,450 @@
package services
import (
"context"
"errors"
"fmt"
"net"
"strings"
"sync"
"time"
"github.com/Wikid82/charon/backend/internal/logger"
"github.com/Wikid82/charon/backend/internal/models"
"github.com/Wikid82/charon/backend/pkg/dnsprovider/custom"
"github.com/google/uuid"
"github.com/robfig/cron/v3"
"gorm.io/gorm"
"gorm.io/gorm/clause"
)
// Manual challenge error codes.
var (
ErrChallengeNotFound = errors.New("challenge not found")
ErrChallengeExpired = errors.New("challenge has expired")
ErrChallengeInProgress = errors.New("another challenge is in progress for this FQDN")
ErrUnauthorized = errors.New("unauthorized access to challenge")
ErrDNSNotPropagated = errors.New("DNS record not yet propagated")
)
// ManualChallengeService manages the lifecycle of manual DNS challenges.
type ManualChallengeService struct {
db *gorm.DB
cron *cron.Cron
// Mutex for concurrent verification attempts
verifyMu sync.Mutex
// DNS resolver for verification (can be overridden for testing)
resolver DNSResolver
}
// DNSResolver interface for DNS lookups (allows mocking in tests).
type DNSResolver interface {
LookupTXT(ctx context.Context, name string) ([]string, error)
}
// DefaultDNSResolver uses net.Resolver for DNS lookups.
type DefaultDNSResolver struct {
resolver *net.Resolver
}
// NewDefaultDNSResolver creates a DNS resolver that queries authoritative nameservers.
func NewDefaultDNSResolver() *DefaultDNSResolver {
return &DefaultDNSResolver{
resolver: &net.Resolver{
PreferGo: true,
Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
d := net.Dialer{
Timeout: 10 * time.Second,
}
return d.DialContext(ctx, network, address)
},
},
}
}
// LookupTXT performs a TXT record lookup.
func (r *DefaultDNSResolver) LookupTXT(ctx context.Context, name string) ([]string, error) {
return r.resolver.LookupTXT(ctx, name)
}
// NewManualChallengeService creates a new manual challenge service.
func NewManualChallengeService(db *gorm.DB) *ManualChallengeService {
s := &ManualChallengeService{
db: db,
cron: cron.New(),
resolver: NewDefaultDNSResolver(),
}
// Schedule cleanup job to run every hour
_, err := s.cron.AddFunc("0 * * * *", s.cleanupExpiredChallenges)
if err != nil {
logger.Log().WithError(err).Error("Failed to schedule manual challenge cleanup job")
}
return s
}
// Start starts the cron scheduler for cleanup jobs.
func (s *ManualChallengeService) Start() {
s.cron.Start()
logger.Log().Info("Manual challenge service cleanup scheduler started")
}
// Stop gracefully shuts down the cron scheduler.
func (s *ManualChallengeService) Stop() {
ctx := s.cron.Stop()
<-ctx.Done()
logger.Log().Info("Manual challenge service cleanup scheduler stopped")
}
// SetResolver allows setting a custom DNS resolver (for testing).
func (s *ManualChallengeService) SetResolver(resolver DNSResolver) {
s.resolver = resolver
}
// CreateChallengeRequest represents a request to create a manual challenge.
type CreateChallengeRequest struct {
ProviderID uint
UserID uint
FQDN string
Token string
Value string
}
// CreateChallenge creates a new manual DNS challenge.
// Implements database locking to prevent concurrent challenges for the same FQDN.
func (s *ManualChallengeService) CreateChallenge(ctx context.Context, req CreateChallengeRequest) (*models.ManualChallenge, error) {
// Generate cryptographically random challenge ID (UUIDv4)
challengeID := uuid.New().String()
// Get timeout from provider credentials (defaults to 10 minutes)
timeout := time.Duration(custom.DefaultTimeoutMinutes) * time.Minute
tx := s.db.WithContext(ctx).Begin()
defer func() {
if r := recover(); r != nil {
tx.Rollback()
}
}()
// Attempt to acquire lock on existing active challenges for this FQDN
var existing models.ManualChallenge
err := tx.Clauses(clause.Locking{Strength: "UPDATE", Options: "NOWAIT"}).
Where("fqdn = ? AND status IN ?", req.FQDN, []string{
string(models.ChallengeStatusCreated),
string(models.ChallengeStatusPending),
string(models.ChallengeStatusVerifying),
}).
First(&existing).Error
if err == nil {
// Active challenge exists
if existing.UserID == req.UserID {
// Same user - return existing challenge
tx.Rollback()
return &existing, nil
}
// Different user - reject
tx.Rollback()
return nil, ErrChallengeInProgress
}
if !errors.Is(err, gorm.ErrRecordNotFound) {
// Lock acquisition failed or other error
tx.Rollback()
return nil, fmt.Errorf("failed to check existing challenges: %w", err)
}
// No active challenge exists - create new one
now := time.Now()
challenge := &models.ManualChallenge{
ID: challengeID,
ProviderID: req.ProviderID,
UserID: req.UserID,
FQDN: req.FQDN,
Token: req.Token,
Value: req.Value,
Status: models.ChallengeStatusPending,
CreatedAt: now,
ExpiresAt: now.Add(timeout),
}
if err := tx.Create(challenge).Error; err != nil {
tx.Rollback()
return nil, fmt.Errorf("failed to create challenge: %w", err)
}
if err := tx.Commit().Error; err != nil {
return nil, fmt.Errorf("failed to commit transaction: %w", err)
}
logger.Log().WithField("challenge_id", challengeID).
WithField("fqdn", req.FQDN).
Info("Created manual DNS challenge")
return challenge, nil
}
// GetChallenge retrieves a challenge by ID.
func (s *ManualChallengeService) GetChallenge(ctx context.Context, challengeID string) (*models.ManualChallenge, error) {
var challenge models.ManualChallenge
if err := s.db.WithContext(ctx).Where("id = ?", challengeID).First(&challenge).Error; err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) {
return nil, ErrChallengeNotFound
}
return nil, fmt.Errorf("failed to get challenge: %w", err)
}
return &challenge, nil
}
// GetChallengeForUser retrieves a challenge and verifies ownership.
func (s *ManualChallengeService) GetChallengeForUser(ctx context.Context, challengeID string, userID uint) (*models.ManualChallenge, error) {
challenge, err := s.GetChallenge(ctx, challengeID)
if err != nil {
return nil, err
}
if challenge.UserID != userID {
logger.Log().Warn("Unauthorized challenge access attempt",
"challenge_id", challengeID,
"owner_id", challenge.UserID,
"requester_id", userID,
)
return nil, ErrUnauthorized
}
return challenge, nil
}
// ListChallengesForProvider lists all challenges for a specific provider.
func (s *ManualChallengeService) ListChallengesForProvider(ctx context.Context, providerID, userID uint) ([]models.ManualChallenge, error) {
var challenges []models.ManualChallenge
if err := s.db.WithContext(ctx).
Where("provider_id = ? AND user_id = ?", providerID, userID).
Order("created_at DESC").
Find(&challenges).Error; err != nil {
return nil, fmt.Errorf("failed to list challenges: %w", err)
}
return challenges, nil
}
// VerifyResult represents the result of a DNS verification attempt.
type VerifyResult struct {
Success bool `json:"success"`
DNSFound bool `json:"dns_found"`
Message string `json:"message,omitempty"`
Status string `json:"status"`
TimeRemaining int `json:"time_remaining_seconds,omitempty"`
}
// VerifyChallenge triggers DNS verification for a challenge.
func (s *ManualChallengeService) VerifyChallenge(ctx context.Context, challengeID string, userID uint) (*VerifyResult, error) {
// Use mutex to prevent concurrent verification of the same challenge
s.verifyMu.Lock()
defer s.verifyMu.Unlock()
challenge, err := s.GetChallengeForUser(ctx, challengeID, userID)
if err != nil {
return nil, err
}
// Check if challenge has expired
if time.Now().After(challenge.ExpiresAt) {
if challenge.Status != models.ChallengeStatusExpired {
s.updateChallengeStatus(ctx, challenge, models.ChallengeStatusExpired, "Challenge timed out")
}
return nil, ErrChallengeExpired
}
// Check if already in terminal state
if challenge.IsTerminal() {
return &VerifyResult{
Success: challenge.Status == models.ChallengeStatusVerified,
DNSFound: challenge.DNSPropagated,
Message: fmt.Sprintf("Challenge is in terminal state: %s", challenge.Status),
Status: string(challenge.Status),
}, nil
}
// Perform DNS lookup
now := time.Now()
challenge.LastCheckAt = &now
dnsFound := s.checkDNSPropagation(ctx, challenge.FQDN, challenge.Value)
challenge.DNSPropagated = dnsFound
if dnsFound {
// DNS record found - mark as verified
challenge.Status = models.ChallengeStatusVerified
challenge.VerifiedAt = &now
if err := s.db.WithContext(ctx).Save(challenge).Error; err != nil {
logger.Log().WithError(err).Error("Failed to update challenge status to verified")
}
logger.Log().WithField("challenge_id", challengeID).
WithField("fqdn", challenge.FQDN).
Info("Manual DNS challenge verified successfully")
return &VerifyResult{
Success: true,
DNSFound: true,
Message: "DNS TXT record verified successfully",
Status: string(models.ChallengeStatusVerified),
}, nil
}
// DNS record not found yet
challenge.Status = models.ChallengeStatusPending
if err := s.db.WithContext(ctx).Save(challenge).Error; err != nil {
logger.Log().WithError(err).Error("Failed to update challenge last check time")
}
return &VerifyResult{
Success: false,
DNSFound: false,
Message: "DNS TXT record not found. Please ensure the record is created and wait for propagation.",
Status: string(models.ChallengeStatusPending),
TimeRemaining: int(challenge.TimeRemaining().Seconds()),
}, nil
}
// PollChallengeStatus returns the current status of a challenge for polling.
func (s *ManualChallengeService) PollChallengeStatus(ctx context.Context, challengeID string, userID uint) (*ChallengeStatusResponse, error) {
challenge, err := s.GetChallengeForUser(ctx, challengeID, userID)
if err != nil {
return nil, err
}
// Check for expiration
if time.Now().After(challenge.ExpiresAt) && challenge.Status != models.ChallengeStatusExpired {
s.updateChallengeStatus(ctx, challenge, models.ChallengeStatusExpired, "Challenge timed out")
challenge.Status = models.ChallengeStatusExpired
}
return &ChallengeStatusResponse{
ID: challenge.ID,
Status: string(challenge.Status),
DNSPropagated: challenge.DNSPropagated,
TimeRemainingSeconds: int(challenge.TimeRemaining().Seconds()),
LastCheckAt: challenge.LastCheckAt,
}, nil
}
// ChallengeStatusResponse represents the response for challenge status polling.
type ChallengeStatusResponse struct {
ID string `json:"id"`
Status string `json:"status"`
DNSPropagated bool `json:"dns_propagated"`
TimeRemainingSeconds int `json:"time_remaining_seconds"`
LastCheckAt *time.Time `json:"last_check_at,omitempty"`
}
// DeleteChallenge deletes a challenge.
func (s *ManualChallengeService) DeleteChallenge(ctx context.Context, challengeID string, userID uint) error {
challenge, err := s.GetChallengeForUser(ctx, challengeID, userID)
if err != nil {
return err
}
if err := s.db.WithContext(ctx).Delete(challenge).Error; err != nil {
return fmt.Errorf("failed to delete challenge: %w", err)
}
logger.Log().WithField("challenge_id", challengeID).Info("Manual DNS challenge deleted")
return nil
}
// checkDNSPropagation queries DNS for the TXT record.
func (s *ManualChallengeService) checkDNSPropagation(ctx context.Context, fqdn, expectedValue string) bool {
// Create a context with timeout for DNS lookup
lookupCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
defer cancel()
records, err := s.resolver.LookupTXT(lookupCtx, fqdn)
if err != nil {
logger.Log().WithError(err).
WithField("fqdn", fqdn).
Debug("DNS TXT lookup failed")
return false
}
// Check if any of the TXT records match the expected value
for _, record := range records {
// TXT records may be split into multiple strings, join them
cleanRecord := strings.TrimSpace(record)
if cleanRecord == expectedValue {
return true
}
}
logger.Log().WithField("fqdn", fqdn).
WithField("found_records", len(records)).
Debug("DNS TXT record not found or value mismatch")
return false
}
// updateChallengeStatus updates the status of a challenge.
func (s *ManualChallengeService) updateChallengeStatus(ctx context.Context, challenge *models.ManualChallenge, status models.ChallengeStatus, message string) {
challenge.Status = status
challenge.ErrorMessage = message
if err := s.db.WithContext(ctx).Save(challenge).Error; err != nil {
logger.Log().WithError(err).
WithField("challenge_id", challenge.ID).
Error("Failed to update challenge status")
}
}
// cleanupExpiredChallenges marks pending challenges as expired and deletes old challenges.
func (s *ManualChallengeService) cleanupExpiredChallenges() {
// Mark challenges in pending state that have passed their expiration as expired
expiredCount := s.db.Model(&models.ManualChallenge{}).
Where("status IN ? AND expires_at < ?",
[]string{
string(models.ChallengeStatusCreated),
string(models.ChallengeStatusPending),
string(models.ChallengeStatusVerifying),
},
time.Now(),
).
Updates(map[string]interface{}{
"status": models.ChallengeStatusExpired,
"error_message": "Challenge timed out",
}).RowsAffected
if expiredCount > 0 {
logger.Log().WithField("count", expiredCount).Info("Marked expired manual challenges")
}
// Hard delete challenges older than 7 days
deleteCutoff := time.Now().Add(-7 * 24 * time.Hour)
deleteResult := s.db.Where("created_at < ?", deleteCutoff).Delete(&models.ManualChallenge{})
if deleteResult.Error != nil {
logger.Log().WithError(deleteResult.Error).Error("Failed to delete old manual challenges")
} else if deleteResult.RowsAffected > 0 {
logger.Log().WithField("count", deleteResult.RowsAffected).Info("Deleted old manual challenges")
}
}
// GetActiveChallengeForFQDN returns an active challenge for a given FQDN if one exists.
func (s *ManualChallengeService) GetActiveChallengeForFQDN(ctx context.Context, fqdn string, userID uint) (*models.ManualChallenge, error) {
var challenge models.ManualChallenge
err := s.db.WithContext(ctx).
Where("fqdn = ? AND user_id = ? AND status IN ?", fqdn, userID, []string{
string(models.ChallengeStatusCreated),
string(models.ChallengeStatusPending),
string(models.ChallengeStatusVerifying),
}).
First(&challenge).Error
if err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) {
return nil, nil
}
return nil, fmt.Errorf("failed to get active challenge: %w", err)
}
return &challenge, nil
}

672
backend/internal/services/manual_challenge_service_test.go Normal file
View File

@@ -0,0 +1,672 @@
package services
import (
"context"
"errors"
"testing"
"time"
"github.com/Wikid82/charon/backend/internal/models"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gorm.io/driver/sqlite"
"gorm.io/gorm"
)
// MockDNSResolver is a mock implementation of DNSResolver for testing.
type MockDNSResolver struct {
Records map[string][]string
LookupError error
}
func NewMockDNSResolver() *MockDNSResolver {
return &MockDNSResolver{
Records: make(map[string][]string),
}
}
func (m *MockDNSResolver) LookupTXT(ctx context.Context, name string) ([]string, error) {
if m.LookupError != nil {
return nil, m.LookupError
}
if records, ok := m.Records[name]; ok {
return records, nil
}
return nil, errors.New("no such host")
}
func (m *MockDNSResolver) SetRecords(fqdn string, values []string) {
m.Records[fqdn] = values
}
func setupManualChallengeTestDB(t *testing.T) *gorm.DB {
t.Helper()
db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
require.NoError(t, err)
err = db.AutoMigrate(&models.ManualChallenge{})
require.NoError(t, err)
return db
}
func TestNewManualChallengeService(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
require.NotNil(t, service)
assert.NotNil(t, service.db)
assert.NotNil(t, service.cron)
assert.NotNil(t, service.resolver)
}
func TestManualChallengeService_SetResolver(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
mockResolver := NewMockDNSResolver()
service.SetResolver(mockResolver)
assert.Equal(t, mockResolver, service.resolver)
}
func TestManualChallengeService_CreateChallenge(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
req := CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Token: "token123",
Value: "txtvalue456",
}
challenge, err := service.CreateChallenge(ctx, req)
require.NoError(t, err)
require.NotNil(t, challenge)
assert.NotEmpty(t, challenge.ID)
assert.Equal(t, uint(1), challenge.ProviderID)
assert.Equal(t, uint(1), challenge.UserID)
assert.Equal(t, "_acme-challenge.example.com", challenge.FQDN)
assert.Equal(t, "token123", challenge.Token)
assert.Equal(t, "txtvalue456", challenge.Value)
assert.Equal(t, models.ChallengeStatusPending, challenge.Status)
assert.False(t, challenge.DNSPropagated)
assert.True(t, challenge.ExpiresAt.After(time.Now()))
}
func TestManualChallengeService_CreateChallenge_SameUserReturnsExisting(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
req := CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Token: "token123",
Value: "txtvalue456",
}
// Create first challenge
challenge1, err := service.CreateChallenge(ctx, req)
require.NoError(t, err)
// Try to create another for same FQDN and user
challenge2, err := service.CreateChallenge(ctx, req)
require.NoError(t, err)
// Should return the same challenge
assert.Equal(t, challenge1.ID, challenge2.ID)
}
func TestManualChallengeService_GetChallenge(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
req := CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Token: "token123",
Value: "txtvalue456",
}
created, err := service.CreateChallenge(ctx, req)
require.NoError(t, err)
// Get the challenge
challenge, err := service.GetChallenge(ctx, created.ID)
require.NoError(t, err)
assert.Equal(t, created.ID, challenge.ID)
}
func TestManualChallengeService_GetChallenge_NotFound(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
_, err := service.GetChallenge(ctx, "nonexistent-id")
assert.ErrorIs(t, err, ErrChallengeNotFound)
}
func TestManualChallengeService_GetChallengeForUser(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
req := CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Token: "token123",
Value: "txtvalue456",
}
created, err := service.CreateChallenge(ctx, req)
require.NoError(t, err)
// Same user should be able to access
challenge, err := service.GetChallengeForUser(ctx, created.ID, 1)
require.NoError(t, err)
assert.Equal(t, created.ID, challenge.ID)
// Different user should get unauthorized error
_, err = service.GetChallengeForUser(ctx, created.ID, 2)
assert.ErrorIs(t, err, ErrUnauthorized)
}
func TestManualChallengeService_ListChallengesForProvider(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
// Create challenges for provider 1
for i := 0; i < 3; i++ {
_, err := service.CreateChallenge(ctx, CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge" + string(rune('a'+i)) + ".example.com",
Value: "value" + string(rune('a'+i)),
})
require.NoError(t, err)
}
// Create challenge for different provider
_, err := service.CreateChallenge(ctx, CreateChallengeRequest{
ProviderID: 2,
UserID: 1,
FQDN: "_acme-challenge.other.com",
Value: "other",
})
require.NoError(t, err)
// List challenges for provider 1
challenges, err := service.ListChallengesForProvider(ctx, 1, 1)
require.NoError(t, err)
assert.Len(t, challenges, 3)
// List challenges for provider 2
challenges, err = service.ListChallengesForProvider(ctx, 2, 1)
require.NoError(t, err)
assert.Len(t, challenges, 1)
}
func TestManualChallengeService_VerifyChallenge_DNSFound(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
mockResolver := NewMockDNSResolver()
service.SetResolver(mockResolver)
ctx := context.Background()
req := CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Token: "token123",
Value: "txtvalue456",
}
challenge, err := service.CreateChallenge(ctx, req)
require.NoError(t, err)
// Set up mock DNS to return the expected value
mockResolver.SetRecords("_acme-challenge.example.com", []string{"txtvalue456"})
// Verify the challenge
result, err := service.VerifyChallenge(ctx, challenge.ID, 1)
require.NoError(t, err)
assert.True(t, result.Success)
assert.True(t, result.DNSFound)
assert.Equal(t, "verified", result.Status)
}
func TestManualChallengeService_VerifyChallenge_DNSNotFound(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
mockResolver := NewMockDNSResolver()
service.SetResolver(mockResolver)
ctx := context.Background()
req := CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Token: "token123",
Value: "txtvalue456",
}
challenge, err := service.CreateChallenge(ctx, req)
require.NoError(t, err)
// DNS not set up - should not find record
result, err := service.VerifyChallenge(ctx, challenge.ID, 1)
require.NoError(t, err)
assert.False(t, result.Success)
assert.False(t, result.DNSFound)
assert.Equal(t, "pending", result.Status)
}
func TestManualChallengeService_VerifyChallenge_Expired(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
// Create an expired challenge directly
challenge := &models.ManualChallenge{
ID: "expired-challenge",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Value: "value",
Status: models.ChallengeStatusPending,
CreatedAt: time.Now().Add(-20 * time.Minute),
ExpiresAt: time.Now().Add(-10 * time.Minute), // Already expired
}
err := db.Create(challenge).Error
require.NoError(t, err)
// Verify should fail with expired error
_, err = service.VerifyChallenge(ctx, challenge.ID, 1)
assert.ErrorIs(t, err, ErrChallengeExpired)
}
func TestManualChallengeService_VerifyChallenge_AlreadyVerified(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
// Create a verified challenge directly
now := time.Now()
challenge := &models.ManualChallenge{
ID: "verified-challenge",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Value: "value",
Status: models.ChallengeStatusVerified,
DNSPropagated: true,
CreatedAt: now.Add(-5 * time.Minute),
ExpiresAt: now.Add(5 * time.Minute),
VerifiedAt: &now,
}
err := db.Create(challenge).Error
require.NoError(t, err)
// Verify should return success
result, err := service.VerifyChallenge(ctx, challenge.ID, 1)
require.NoError(t, err)
assert.True(t, result.Success)
assert.Equal(t, "verified", result.Status)
}
func TestManualChallengeService_PollChallengeStatus(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
req := CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Value: "txtvalue456",
}
challenge, err := service.CreateChallenge(ctx, req)
require.NoError(t, err)
status, err := service.PollChallengeStatus(ctx, challenge.ID, 1)
require.NoError(t, err)
assert.Equal(t, challenge.ID, status.ID)
assert.Equal(t, "pending", status.Status)
assert.False(t, status.DNSPropagated)
assert.Greater(t, status.TimeRemainingSeconds, 0)
}
func TestManualChallengeService_DeleteChallenge(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
req := CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Value: "txtvalue456",
}
challenge, err := service.CreateChallenge(ctx, req)
require.NoError(t, err)
// Delete the challenge
err = service.DeleteChallenge(ctx, challenge.ID, 1)
require.NoError(t, err)
// Should not be found anymore
_, err = service.GetChallenge(ctx, challenge.ID)
assert.ErrorIs(t, err, ErrChallengeNotFound)
}
func TestManualChallengeService_DeleteChallenge_Unauthorized(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
req := CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Value: "txtvalue456",
}
challenge, err := service.CreateChallenge(ctx, req)
require.NoError(t, err)
// Try to delete as different user
err = service.DeleteChallenge(ctx, challenge.ID, 2)
assert.ErrorIs(t, err, ErrUnauthorized)
}
func TestManualChallengeService_GetActiveChallengeForFQDN(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
fqdn := "_acme-challenge.example.com"
// No active challenge yet
challenge, err := service.GetActiveChallengeForFQDN(ctx, fqdn, 1)
require.NoError(t, err)
assert.Nil(t, challenge)
// Create a challenge
req := CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: fqdn,
Value: "txtvalue456",
}
created, err := service.CreateChallenge(ctx, req)
require.NoError(t, err)
// Now should find active challenge
challenge, err = service.GetActiveChallengeForFQDN(ctx, fqdn, 1)
require.NoError(t, err)
require.NotNil(t, challenge)
assert.Equal(t, created.ID, challenge.ID)
}
func TestManualChallengeService_checkDNSPropagation(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
mockResolver := NewMockDNSResolver()
service.SetResolver(mockResolver)
ctx := context.Background()
fqdn := "_acme-challenge.example.com"
expectedValue := "txtvalue456"
// No record - should return false
found := service.checkDNSPropagation(ctx, fqdn, expectedValue)
assert.False(t, found)
// Add wrong value - should return false
mockResolver.SetRecords(fqdn, []string{"wrongvalue"})
found = service.checkDNSPropagation(ctx, fqdn, expectedValue)
assert.False(t, found)
// Add correct value - should return true
mockResolver.SetRecords(fqdn, []string{expectedValue})
found = service.checkDNSPropagation(ctx, fqdn, expectedValue)
assert.True(t, found)
// Multiple records including correct value - should return true
mockResolver.SetRecords(fqdn, []string{"other", expectedValue, "another"})
found = service.checkDNSPropagation(ctx, fqdn, expectedValue)
assert.True(t, found)
}
func TestManualChallengeService_checkDNSPropagation_Error(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
mockResolver := NewMockDNSResolver()
mockResolver.LookupError = errors.New("DNS lookup failed")
service.SetResolver(mockResolver)
ctx := context.Background()
found := service.checkDNSPropagation(ctx, "_acme-challenge.example.com", "value")
assert.False(t, found)
}
func TestManualChallengeService_StartStop(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
// Start should not panic
service.Start()
// Stop should not panic
service.Stop()
}
func TestDefaultDNSResolver_LookupTXT(t *testing.T) {
resolver := NewDefaultDNSResolver()
require.NotNil(t, resolver)
require.NotNil(t, resolver.resolver)
// This test may fail depending on network, so we just verify the resolver is created correctly
ctx := context.Background()
// Try to lookup a known domain (may fail in CI due to network)
_, err := resolver.LookupTXT(ctx, "google.com")
// We don't assert on the result since it depends on network
_ = err
}
func TestChallengeStatusResponse_Fields(t *testing.T) {
now := time.Now()
resp := &ChallengeStatusResponse{
ID: "test-id",
Status: "pending",
DNSPropagated: false,
TimeRemainingSeconds: 300,
LastCheckAt: &now,
}
assert.Equal(t, "test-id", resp.ID)
assert.Equal(t, "pending", resp.Status)
assert.False(t, resp.DNSPropagated)
assert.Equal(t, 300, resp.TimeRemainingSeconds)
assert.NotNil(t, resp.LastCheckAt)
}
func TestVerifyResult_Fields(t *testing.T) {
result := &VerifyResult{
Success: true,
DNSFound: true,
Message: "DNS TXT record verified successfully",
Status: "verified",
TimeRemaining: 0,
}
assert.True(t, result.Success)
assert.True(t, result.DNSFound)
assert.Equal(t, "DNS TXT record verified successfully", result.Message)
assert.Equal(t, "verified", result.Status)
}
func TestCreateChallengeRequest_Fields(t *testing.T) {
req := CreateChallengeRequest{
ProviderID: 1,
UserID: 2,
FQDN: "_acme-challenge.example.com",
Token: "token",
Value: "value",
}
assert.Equal(t, uint(1), req.ProviderID)
assert.Equal(t, uint(2), req.UserID)
assert.Equal(t, "_acme-challenge.example.com", req.FQDN)
assert.Equal(t, "token", req.Token)
assert.Equal(t, "value", req.Value)
}
func TestManualChallengeService_CleanupExpiredChallenges(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
// Create challenges with different states and expiration times
now := time.Now()
// Create an expired pending challenge
expiredChallenge := &models.ManualChallenge{
ID: "expired-pending",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.expired.com",
Value: "value1",
Status: models.ChallengeStatusPending,
CreatedAt: now.Add(-20 * time.Minute),
ExpiresAt: now.Add(-10 * time.Minute),
}
require.NoError(t, db.Create(expiredChallenge).Error)
// Create an old challenge (should be deleted)
oldChallenge := &models.ManualChallenge{
ID: "old-challenge",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.old.com",
Value: "value2",
Status: models.ChallengeStatusVerified,
CreatedAt: now.Add(-8 * 24 * time.Hour), // 8 days old
ExpiresAt: now.Add(-8 * 24 * time.Hour),
}
require.NoError(t, db.Create(oldChallenge).Error)
// Create an active challenge (should not be affected)
activeChallenge := &models.ManualChallenge{
ID: "active-challenge",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.active.com",
Value: "value3",
Status: models.ChallengeStatusPending,
CreatedAt: now,
ExpiresAt: now.Add(10 * time.Minute),
}
require.NoError(t, db.Create(activeChallenge).Error)
// Run cleanup
service.cleanupExpiredChallenges()
// Verify expired challenge is marked as expired
var expiredResult models.ManualChallenge
db.Where("id = ?", "expired-pending").First(&expiredResult)
assert.Equal(t, models.ChallengeStatusExpired, expiredResult.Status)
// Verify old challenge is deleted
var oldCount int64
db.Model(&models.ManualChallenge{}).Where("id = ?", "old-challenge").Count(&oldCount)
assert.Equal(t, int64(0), oldCount)
// Verify active challenge is unchanged
var activeResult models.ManualChallenge
db.Where("id = ?", "active-challenge").First(&activeResult)
assert.Equal(t, models.ChallengeStatusPending, activeResult.Status)
}
func TestManualChallengeService_PollChallengeStatus_Expired(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
// Create an expired but not yet marked challenge
now := time.Now()
challenge := &models.ManualChallenge{
ID: "poll-expired",
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.expired.com",
Value: "value",
Status: models.ChallengeStatusPending,
CreatedAt: now.Add(-20 * time.Minute),
ExpiresAt: now.Add(-5 * time.Minute), // Already expired
}
require.NoError(t, db.Create(challenge).Error)
// Poll should mark it as expired
status, err := service.PollChallengeStatus(ctx, challenge.ID, 1)
require.NoError(t, err)
assert.Equal(t, "expired", status.Status)
}
func TestManualChallengeService_CreateChallenge_DifferentUser(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
// Create a challenge for user 1
_, err := service.CreateChallenge(ctx, CreateChallengeRequest{
ProviderID: 1,
UserID: 1,
FQDN: "_acme-challenge.example.com",
Value: "value1",
})
require.NoError(t, err)
// Try to create another for same FQDN but different user
_, err = service.CreateChallenge(ctx, CreateChallengeRequest{
ProviderID: 1,
UserID: 2,
FQDN: "_acme-challenge.example.com",
Value: "value2",
})
assert.ErrorIs(t, err, ErrChallengeInProgress)
}
func TestManualChallengeService_ListChallengesForProvider_Empty(t *testing.T) {
db := setupManualChallengeTestDB(t)
service := NewManualChallengeService(db)
ctx := context.Background()
challenges, err := service.ListChallengesForProvider(ctx, 999, 1)
require.NoError(t, err)
assert.Empty(t, challenges)
}

2
backend/internal/services/notification_service_json_test.go
View File

@@ -341,7 +341,7 @@ func TestSendExternal_UsesJSONForSupportedServices(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
called.Store(true)
var payload map[string]any
json.NewDecoder(r.Body).Decode(&payload)
_ = json.NewDecoder(r.Body).Decode(&payload)
assert.NotNil(t, payload["content"])
w.WriteHeader(http.StatusOK)
}))

52
backend/internal/services/notification_service_test.go
View File

@@ -25,7 +25,7 @@ import (
func setupNotificationTestDB(t *testing.T) *gorm.DB {
db, err := gorm.Open(sqlite.Open("file::memory:"), &gorm.Config{})
require.NoError(t, err)
db.AutoMigrate(&models.Notification{}, &models.NotificationProvider{})
_ = db.AutoMigrate(&models.Notification{}, &models.NotificationProvider{})
return db
}
@@ -44,8 +44,8 @@ func TestNotificationService_List(t *testing.T) {
db := setupNotificationTestDB(t)
svc := NewNotificationService(db)
svc.Create(models.NotificationTypeInfo, "N1", "M1")
svc.Create(models.NotificationTypeInfo, "N2", "M2")
_, _ = svc.Create(models.NotificationTypeInfo, "N1", "M1")
_, _ = svc.Create(models.NotificationTypeInfo, "N2", "M2")
list, err := svc.List(false)
require.NoError(t, err)
@@ -78,8 +78,8 @@ func TestNotificationService_MarkAllAsRead(t *testing.T) {
db := setupNotificationTestDB(t)
svc := NewNotificationService(db)
svc.Create(models.NotificationTypeInfo, "N1", "M1")
svc.Create(models.NotificationTypeInfo, "N2", "M2")
_, _ = svc.Create(models.NotificationTypeInfo, "N1", "M1")
_, _ = svc.Create(models.NotificationTypeInfo, "N2", "M2")
err := svc.MarkAllAsRead()
require.NoError(t, err)
@@ -131,7 +131,7 @@ func TestNotificationService_TestProvider_Webhook(t *testing.T) {
// Start a test server
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var body map[string]any
json.NewDecoder(r.Body).Decode(&body)
_ = json.NewDecoder(r.Body).Decode(&body)
// Minimal template uses lowercase keys: title, message
assert.Equal(t, "Test Notification", body["title"])
w.WriteHeader(http.StatusOK)
@@ -168,7 +168,7 @@ func TestNotificationService_SendExternal(t *testing.T) {
Enabled: true,
NotifyProxyHosts: true,
}
svc.CreateProvider(&provider)
_ = svc.CreateProvider(&provider)
svc.SendExternal(context.Background(), "proxy_host", "Title", "Message", nil)
@@ -188,7 +188,7 @@ func TestNotificationService_SendExternal_MinimalVsDetailedTemplates(t *testing.
rcvMinimal := make(chan map[string]any, 1)
tsMin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var body map[string]any
json.NewDecoder(r.Body).Decode(&body)
_ = json.NewDecoder(r.Body).Decode(&body)
rcvMinimal <- body
w.WriteHeader(http.StatusOK)
}))
@@ -202,7 +202,7 @@ func TestNotificationService_SendExternal_MinimalVsDetailedTemplates(t *testing.
NotifyUptime: true,
Template: "minimal",
}
svc.CreateProvider(&providerMin)
_ = svc.CreateProvider(&providerMin)
data := map[string]any{"Title": "Min Title", "Message": "Min Message", "Time": time.Now().Format(time.RFC3339), "EventType": "uptime"}
svc.SendExternal(context.Background(), "uptime", "Min Title", "Min Message", data)
@@ -223,7 +223,7 @@ func TestNotificationService_SendExternal_MinimalVsDetailedTemplates(t *testing.
rcvDetailed := make(chan map[string]any, 1)
tsDet := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var body map[string]any
json.NewDecoder(r.Body).Decode(&body)
_ = json.NewDecoder(r.Body).Decode(&body)
rcvDetailed <- body
w.WriteHeader(http.StatusOK)
}))
@@ -237,7 +237,7 @@ func TestNotificationService_SendExternal_MinimalVsDetailedTemplates(t *testing.
NotifyUptime: true,
Template: "detailed",
}
svc.CreateProvider(&providerDet)
_ = svc.CreateProvider(&providerDet)
dataDet := map[string]any{"Title": "Det Title", "Message": "Det Message", "Time": time.Now().Format(time.RFC3339), "EventType": "uptime", "HostName": "example-host", "HostIP": "1.2.3.4", "ServiceCount": 1, "Services": []map[string]any{{"Name": "svc1"}}}
svc.SendExternal(context.Background(), "uptime", "Det Title", "Det Message", dataDet)
@@ -276,7 +276,7 @@ func TestNotificationService_SendExternal_Filtered(t *testing.T) {
Enabled: true,
NotifyProxyHosts: false, // Disabled
}
svc.CreateProvider(&provider)
_ = svc.CreateProvider(&provider)
// Force update to false because GORM default tag might override zero value (false) on Create
db.Model(&provider).Update("notify_proxy_hosts", false)
@@ -301,7 +301,7 @@ func TestNotificationService_SendExternal_Shoutrrr(t *testing.T) {
Enabled: true,
NotifyProxyHosts: true,
}
svc.CreateProvider(&provider)
_ = svc.CreateProvider(&provider)
// This will log an error but should cover the code path
svc.SendExternal(context.Background(), "proxy_host", "Title", "Message", nil)
@@ -403,7 +403,7 @@ func TestNotificationService_SendCustomWebhook_Errors(t *testing.T) {
received := make(chan struct{})
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var body map[string]any
json.NewDecoder(r.Body).Decode(&body)
_ = json.NewDecoder(r.Body).Decode(&body)
if custom, ok := body["custom"]; ok {
receivedBody = custom.(string)
}
@@ -418,7 +418,7 @@ func TestNotificationService_SendCustomWebhook_Errors(t *testing.T) {
Config: `{"custom": "Test: {{.Title}}"}`,
}
data := map[string]any{"Title": "My Title", "Message": "Test Message"}
svc.sendJSONPayload(context.Background(), provider, data)
_ = svc.sendJSONPayload(context.Background(), provider, data)
select {
case <-received:
@@ -433,7 +433,7 @@ func TestNotificationService_SendCustomWebhook_Errors(t *testing.T) {
received := make(chan struct{})
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var body map[string]any
json.NewDecoder(r.Body).Decode(&body)
_ = json.NewDecoder(r.Body).Decode(&body)
if title, ok := body["title"]; ok {
receivedContent = title.(string)
}
@@ -448,7 +448,7 @@ func TestNotificationService_SendCustomWebhook_Errors(t *testing.T) {
// Config is empty, so default template is used: minimal
}
data := map[string]any{"Title": "Default Title", "Message": "Test Message"}
svc.sendJSONPayload(context.Background(), provider, data)
_ = svc.sendJSONPayload(context.Background(), provider, data)
select {
case <-received:
@@ -660,7 +660,7 @@ func TestNotificationService_SendExternal_EdgeCases(t *testing.T) {
URL: "http://example.com",
Enabled: false,
}
svc.CreateProvider(&provider)
_ = svc.CreateProvider(&provider)
// Should complete without error
svc.SendExternal(context.Background(), "proxy_host", "Title", "Message", nil)
@@ -720,7 +720,7 @@ func TestNotificationService_SendExternal_EdgeCases(t *testing.T) {
receivedCustom.Store("")
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var body map[string]any
json.NewDecoder(r.Body).Decode(&body)
_ = json.NewDecoder(r.Body).Decode(&body)
if custom, ok := body["custom"]; ok {
receivedCustom.Store(custom.(string))
}
@@ -736,7 +736,7 @@ func TestNotificationService_SendExternal_EdgeCases(t *testing.T) {
NotifyProxyHosts: true,
Config: `{"custom": "{{.CustomField}}"}`,
}
svc.CreateProvider(&provider)
_ = svc.CreateProvider(&provider)
customData := map[string]any{
"CustomField": "test-value",
@@ -1027,7 +1027,7 @@ func TestSendCustomWebhook_TemplateSelection(t *testing.T) {
var receivedBody map[string]any
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
body, _ := io.ReadAll(r.Body)
json.Unmarshal(body, &receivedBody)
_ = json.Unmarshal(body, &receivedBody)
w.WriteHeader(http.StatusOK)
}))
defer server.Close()
@@ -1071,7 +1071,7 @@ func TestSendCustomWebhook_EmptyCustomTemplateDefaultsToMinimal(t *testing.T) {
var receivedBody map[string]any
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
body, _ := io.ReadAll(r.Body)
json.Unmarshal(body, &receivedBody)
_ = json.Unmarshal(body, &receivedBody)
w.WriteHeader(http.StatusOK)
}))
defer server.Close()
@@ -1943,13 +1943,13 @@ func TestRenderTemplate_CustomTemplateWithWhitespace(t *testing.T) {
func TestListTemplates_DBError(t *testing.T) {
// Create a DB connection and close it to simulate error
db, _ := gorm.Open(sqlite.Open("file::memory:"), &gorm.Config{})
db.AutoMigrate(&models.NotificationTemplate{})
_ = db.AutoMigrate(&models.NotificationTemplate{})
svc := NewNotificationService(db)
// Close the underlying connection to force error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
_, err := svc.ListTemplates()
require.Error(t, err)
@@ -1958,13 +1958,13 @@ func TestListTemplates_DBError(t *testing.T) {
func TestSendExternal_DBFetchError(t *testing.T) {
// Create a DB connection and close it to simulate error
db, _ := gorm.Open(sqlite.Open("file::memory:"), &gorm.Config{})
db.AutoMigrate(&models.NotificationProvider{})
_ = db.AutoMigrate(&models.NotificationProvider{})
svc := NewNotificationService(db)
// Close the underlying connection to force error
sqlDB, _ := db.DB()
sqlDB.Close()
_ = sqlDB.Close()
// Should not panic, just log error and return
svc.SendExternal(context.Background(), "test", "Title", "Message", nil)

4
backend/internal/services/proxyhost_service_test.go
View File

@@ -121,7 +121,7 @@ func TestProxyHostService_CRUD(t *testing.T) {
ForwardHost: "127.0.0.1",
ForwardPort: 8080,
}
service.Create(host2)
_ = service.Create(host2)
host.DomainNames = "other.example.com" // Conflict with host2
err = service.Update(host)
@@ -161,7 +161,7 @@ func TestProxyHostService_TestConnection(t *testing.T) {
// Start a local listener
l, err := net.Listen("tcp", "127.0.0.1:0")
require.NoError(t, err)
defer l.Close()
defer func() { _ = l.Close() }()
addr := l.Addr().(*net.TCPAddr)
err = service.TestConnection(addr.IP.String(), addr.Port)

Some files were not shown because too many files have changed in this diff Show More