fix mTLS cross-CA isolation bug, add instance-sync and mTLS tests
Extract pemToBase64Der and buildClientAuthentication from caddy.ts into a new caddy-mtls.ts module, adding groupMtlsDomainsByCaSet to group mTLS domains by their CA fingerprint before building TLS connection policies. Previously all mTLS domains sharing a cert type (auto-managed, imported, or managed) were grouped into a single policy, causing CA union: a client cert from CA_B could authenticate against a host that only trusted CA_A. The fix creates one policy per unique CA set, ensuring strict per-host CA isolation across all three TLS policy code paths.

Also adds:
- tests/unit/caddy-mtls.test.ts (26 tests) covering pemToBase64Der, buildClientAuthentication, groupMtlsDomainsByCaSet, and cross-CA isolation regression tests
- tests/unit/instance-sync-env.test.ts (33 tests) for the five pure env-reading functions in instance-sync.ts
- tests/integration/instance-sync.test.ts (16 tests) for buildSyncPayload and applySyncPayload using an in-memory SQLite db
- Fix tests/helpers/db.ts to use a relative import for db/schema so it works inside vi.mock factory dynamic imports

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
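The CA-union bug the commit message describes, as an added example that is not the project's caddy-mtls.ts: grouping mTLS hosts by cert type merges their trusted CA sets into one policy, while keying the grouping on the sorted CA fingerprint set keeps each host's trust anchors separate. The `MtlsDomain` and `ClientAuthPolicy` shapes, the function names and the fingerprint values are simplified assumptions.

```typescript
// Simplified stand-ins for the project's types (assumed, not the real ones).
type CertType = 'auto' | 'imported' | 'managed';
type MtlsDomain = { host: string; certType: CertType; caFingerprints: string[] };
type ClientAuthPolicy = { hosts: string[]; trustedCas: string[] };

// The pre-fix behaviour: one policy per cert type. Every host of that type
// ends up trusting the union of all CAs seen for that type.
function groupByCertType(domains: MtlsDomain[]): ClientAuthPolicy[] {
  const byType = new Map<CertType, ClientAuthPolicy>();
  for (const d of domains) {
    const policy = byType.get(d.certType) ?? { hosts: [], trustedCas: [] };
    policy.hosts.push(d.host);
    for (const ca of d.caFingerprints) {
      if (!policy.trustedCas.includes(ca)) policy.trustedCas.push(ca);
    }
    byType.set(d.certType, policy);
  }
  return [...byType.values()];
}

// The fixed behaviour: one policy per unique CA set. The map key is the
// de-duplicated, sorted fingerprint list, so hosts that trust exactly the
// same CAs share a policy and nothing else is merged.
function groupByCaSet(domains: MtlsDomain[]): ClientAuthPolicy[] {
  const bySet = new Map<string, ClientAuthPolicy>();
  for (const d of domains) {
    const cas = [...new Set(d.caFingerprints)].sort();
    const key = cas.join('|'); // fingerprints never contain '|'
    const policy = bySet.get(key) ?? { hosts: [], trustedCas: cas };
    policy.hosts.push(d.host);
    bySet.set(key, policy);
  }
  return [...bySet.values()];
}

// Which CAs a client certificate would be validated against for a host.
function trustedCasFor(policies: ClientAuthPolicy[], host: string): string[] {
  return policies.find((p) => p.hosts.includes(host))?.trustedCas ?? [];
}

// Constructed sample: two imported-cert hosts that trust different CAs.
const sampleDomains: MtlsDomain[] = [
  { host: 'a.example.test', certType: 'imported', caFingerprints: ['sha256:CA_A'] },
  { host: 'b.example.test', certType: 'imported', caFingerprints: ['sha256:CA_B'] },
];
```

With the sample input, `trustedCasFor(groupByCertType(sampleDomains), 'a.example.test')` lists CA_B, reproducing the bug, while `groupByCaSet` yields two policies and host A trusts CA_A only.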
@@ -2,7 +2,7 @@ import Database from 'better-sqlite3';
|
||||
import { drizzle } from 'drizzle-orm/better-sqlite3';
|
||||
import { migrate } from 'drizzle-orm/better-sqlite3/migrator';
|
||||
import { resolve } from 'node:path';
|
||||
import * as schema from '@/src/lib/db/schema';
|
||||
import * as schema from '../../src/lib/db/schema';
|
||||
|
||||
const migrationsFolder = resolve(process.cwd(), 'drizzle');
|
||||
|
||||
|
||||
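Review bot: the switch from the `@/src/lib/db/schema` alias to `../../src/lib/db/schema` in tests/helpers/db.ts is undocumented in the file itself, and the only record of why it is needed is the commit message (the helper is loaded through vi.mock factory dynamic imports, where the alias is not resolved). A later cleanup that normalises imports back to the alias would silently reintroduce the failure, so add a short comment above the import, e.g. `// relative import on purpose: the '@/' alias is not resolved when this helper is loaded from a vi.mock factory`. The relative path also pins the helper to its current directory depth under tests/helpers, which is worth stating in the same comment.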