// Package tests contains integration tests for the API.
package tests

import (
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"

	"github.com/gin-gonic/gin"
	"gorm.io/driver/sqlite"
	"gorm.io/gorm"

	"github.com/Wikid82/charon/backend/internal/api/routes"
	"github.com/Wikid82/charon/backend/internal/config"
)

// TestIntegration_WAF_BlockAndMonitor exercises middleware behavior and metrics exposure.
// Note: Actual WAF blocking is handled by Coraza at the Caddy layer, not by the API middleware.
// The cerberus middleware only tracks metrics and handles ACL enforcement.
//
// Because of that split, a pass here only shows how the API layer behaves for a
// given WAF mode. It is not evidence that a malicious request would be rejected
// in a deployment; that has to be covered by a test that goes through Caddy/Coraza.
func TestIntegration_WAF_BlockAndMonitor(t *testing.T) {
	// Run gin in test mode for the duration of the test.
	gin.SetMode(gin.TestMode)

	// Helper to spin server with given WAF mode.
	// It opens an in-memory SQLite database, loads the configuration, overrides
	// cfg.Security.WAFMode with mode, and registers the API routes on a new
	// gin engine. Any setup error aborts the test via t.Fatalf.
	newServer := func(mode string) (*gin.Engine, *gorm.DB) {
		// NOTE(review): "cache=shared" makes every connection opened with this DSN
		// in the same process attach to the same in-memory database while one of
		// them stays open. State persisted by one newServer call (for example
		// security settings) may therefore be visible to the next; confirm the
		// test does not rely on a clean database per WAF mode.
		db, err := gorm.Open(sqlite.Open("file::memory:?cache=shared"), &gorm.Config{})
		if err != nil {
			t.Fatalf("db open: %v", err)
		}
		// NOTE(review): only WAFMode is pinned below; every other security setting
		// is whatever config.Load returns. Presumably that depends on defaults or
		// the process environment; verify the result cannot differ between CI and
		// local runs.
		cfg, err := config.Load()
		if err != nil {
			t.Fatalf("load cfg: %v", err)
		}
		cfg.Security.WAFMode = mode
		// gin.New (not gin.Default) is used, so the only middleware on the engine
		// is whatever routes.Register installs.
		r := gin.New()
		if err := routes.Register(r, db, cfg); err != nil {
			t.Fatalf("register: %v", err)
		}
		return r, db
	}

	// Block mode: cerberus middleware doesn't block requests - that's Coraza's job at the Caddy layer
	// The API middleware only tracks metrics when WAF is enabled
	// The database handle returned by newServer is not needed for this case and is discarded.
	rBlock, _ := newServer("block")
	req := httptest.NewRequest(http.MethodGet, "/api/v1/remote-servers?test=