Commit graph

292 commits

Author SHA1 Message Date
rcourtman
f0688db9af test: Add edge case for recovery token load read error
Tests the error logging path when os.ReadFile fails with an error
other than ErrNotExist. Uses a directory in place of the file.
2025-12-01 23:54:42 +00:00
rcourtman
347d6b1cbb test: Add edge case for writeErrorResponse encode failure
Tests the error logging path when json.Encode fails due to a
write error on the ResponseWriter.
2025-12-01 23:52:21 +00:00
rcourtman
90d81f2217 test: Add edge cases for markAutoRegistered empty inputs
Tests the early return paths when nodeType or nodeName are empty.
2025-12-01 23:50:10 +00:00
rcourtman
3280fad5ae test: Add edge case for clearBootstrapToken remove failure
Tests the warning log path when os.Remove fails with an error other
than ErrNotExist. Uses a directory with contents to trigger ENOTEMPTY.
2025-12-01 23:47:58 +00:00
rcourtman
678c5aac5f test: Add edge cases for initializeBootstrapToken
- Nil router and nil config handling (no panic)
- OIDC enabled clears bootstrap token
Coverage: 80% to 92%.
2025-12-01 23:40:22 +00:00
rcourtman
8c40c7faa3 test: Add panic recovery test for ErrorHandler
Tests that panics in handlers are recovered and return 500.
Coverage: 91.7% to 100%.
2025-12-01 23:37:50 +00:00
rcourtman
d0c2524353 test: Add edge case for handleValidateBootstrapToken invalid JSON
Tests invalid JSON body triggers json.Decode error and returns 400.
Coverage: 90.5% to 100%.
2025-12-01 23:35:40 +00:00
rcourtman
890178acb0 test: Add edge case for RequireScope empty scope
Empty scope should allow all requests through without checking token.
Coverage: 84.6% to 100%.
2025-12-01 23:33:11 +00:00
rcourtman
0fa717a78a test: Add edge case for normalizeNodeHost URL parse error
Control character (null byte) triggers url.Parse error, covering the
'invalid host format' error branch. Coverage: 96.3% to 100%.
2025-12-01 23:28:32 +00:00
rcourtman
08765c7b59 test: Add edge case for DemoModeMiddleware WebSocket POST upgrade
Tests WebSocket upgrade with POST method in demo mode, ensuring the
websocket check branch is exercised after the GET/HEAD/OPTIONS check.
Coverage: 90% to 100%.
2025-12-01 23:24:06 +00:00
rcourtman
a5369ba2cd test: Add test for ErrorHandler empty URL path normalization
Covers the fix for issue #334 where empty path is normalized to '/'.
Coverage: 87.5% to 91.7%.
2025-12-01 23:21:07 +00:00
rcourtman
1fdb15c779 test: Add edge case tests for auth helper functions
- respondMissingScope: nil writer handling (80% to 100%)
- attachAPITokenRecord: nil record handling (80% to 100%)
- getAPITokenRecordFromRequest: wrong type and missing value (87.5% to 100%)
2025-12-01 23:15:04 +00:00
rcourtman
c71fb694bb test: Add edge case test for addQueryParam URL parse error
Add test case for URL containing control character (null byte)
which triggers url.Parse error and returns path unchanged.

Coverage improved from 88.9% to 100%.
2025-12-01 23:08:36 +00:00
rcourtman
37cc97952f test: Add comprehensive test cases for isPrivateIP function
Expand test coverage from 5 cases to 26 cases:
- Public IPv4/IPv6 addresses
- All RFC1918 private ranges (10.x, 172.16-31.x, 192.168.x)
- Loopback addresses (127.x.x.x, ::1)
- Link-local addresses (169.254.x.x, fe80::)
- Link-local multicast (224.0.0.x, ff02::)
- Unique local IPv6 (fc00::/7, fd00::)
- Edge cases: empty string, invalid IP, invalid format
- Addresses with port numbers

Coverage unchanged at 93.8% (remaining 6.2% is defensive
error handling for hardcoded valid CIDRs).
2025-12-01 22:54:56 +00:00
rcourtman
ef380df362 test: Add edge case tests for normalizeNodeHost function
Add 6 new test cases covering previously untested branches:
- Empty host returns error
- Whitespace-only host returns error
- Unknown node type keeps host without port
- Docker node type keeps host without port
- IPv4 address gets default port
- IPv4 with custom port preserved

Coverage improved from 92.6% to 96.3%.
2025-12-01 22:49:29 +00:00
rcourtman
4019b3006b test: Add tests for instance lookup and setup token validation
- Add TestFindInstanceNameByHost (12 test cases):
  - PVE instance lookup by host
  - PBS instance lookup by host
  - Unknown node types return empty
  - Empty config handling

- Add TestValidateSetupToken (8 test cases):
  - Empty token returns false
  - Valid/expired/used setup codes
  - Valid/expired recent setup tokens
  - Non-existent token handling
  - Precedence of setup codes over recent tokens

Both functions now have 100% coverage of their logic paths.
2025-12-01 22:19:30 +00:00
rcourtman
67a351fbd9 test: Add tests for webhook template generation and bootstrap token functions
- Add comprehensive tests for generatePayloadFromTemplateWithService covering:
  - Valid JSON template rendering
  - Invalid template syntax error handling
  - Template execution errors
  - ntfy service (plain text, skips JSON validation)
  - Various services (discord, telegram, pagerduty) JSON validation
  - Template function usage (upper, title)
  - Numeric and boolean values in templates
  - Special characters and empty template edge cases

- Add tests for bootstrapTokenValid covering:
  - Nil router handling
  - Empty hash and empty token cases
  - Valid token validation
  - Invalid token rejection
  - Whitespace trimming

- Add tests for clearBootstrapToken covering:
  - Nil router safety
  - Token file deletion
  - Missing file handling
  - Empty path handling
2025-12-01 22:07:40 +00:00
rcourtman
3233c48986 test: Add tests for API helper functions
- isRecentlyAutoRegistered: expiry logic, cleanup behavior
- clearAutoRegistered: key deletion, empty input handling
- normalizeDockerAgentArch: all arch variants, case handling, trimming
2025-12-01 21:33:45 +00:00
rcourtman
4973eb4c8a test: Improve coverage for cluster config handler functions
- deriveSchemeAndPort: 87.5% → 100%
  - Empty/whitespace string handling
  - Invalid URL parsing fallback
  - Host without port
- ensureHostHasPort: 91.7% → 100%
  - Empty port returns host unchanged
  - Protocol-relative URL handling (//host)
2025-12-01 14:46:00 +00:00
rcourtman
c6030d1b13 test: Add tests for ResetRateLimitForIP function
- Test nil globalRateLimitConfig early return (no panic)
- Test actual rate limit reset clears IP from limiter
- Improves coverage from 80% to 100%
2025-12-01 14:38:26 +00:00
rcourtman
737c02983f test: Improve coverage for security utility functions
- Add fmt.Stringer test cases for isEmptyInterface (80% -> 100%)
- Expand isTrustedNetwork tests with edge cases (80% -> 100%)
  - Empty/invalid IP strings
  - Invalid CIDR handling
  - Whitespace trimming in CIDRs
  - Multiple network matching
2025-12-01 14:33:31 +00:00
rcourtman
b863b2473d test: Add tests for config handler utility functions
- TestSanitizeErrorMessage: All operation types and error hiding
- TestFindExistingGuestURL: Node matching and edge cases
- TestMatchInstanceNameByHost: Host normalization and matching
Coverage: api 27.7% → 28.0%
2025-12-01 14:09:35 +00:00
rcourtman
be5a6eb97e test: Add tests for OIDC handler utility functions
- sanitizeOIDCReturnTo: path validation, protocol-relative URL rejection
- addQueryParam: URL building, encoding, fragment preservation
- extractStringClaim: type handling (string, []string, []interface{})
- extractStringSliceClaim: slice extraction with comma/space splitting
- matchesValue: case-insensitive value matching
- matchesDomain: email domain validation with @ handling
- intersects: set intersection with case normalization
- buildRedirectURL: proxy header handling (X-Forwarded-Proto/Host)

Coverage: api 26.7% → 27.7%
2025-12-01 13:56:38 +00:00
rcourtman
c2de40d696 test: Add error path tests for loadOrCreateBootstrapToken
Cover all error branches in bootstrap token loading:
- Empty/whitespace dataPath validation
- os.MkdirAll failure (directory creation blocked by file)
- os.WriteFile failure (read-only directory)
- os.ReadFile failure (permission denied on existing file)
- Empty file contents after read
- Whitespace-only file contents

Also adds test for generateBootstrapToken helper function.
2025-12-01 13:00:27 +00:00
rcourtman
72420a616a ADA changes (auto-committed by cron safety check) 2025-12-01 11:20:57 +00:00
rcourtman
22b429a1c9 test: Add unit tests for validateIPAddress, validatePort, defaultPortForNodeType
Cover API validation functions that were previously untested:
- validateIPAddress: IPv4/IPv6 validation with edge cases
- validatePort: Port range validation (1-65535)
- defaultPortForNodeType: Proxmox node type to default port mapping
2025-12-01 11:06:50 +00:00
rcourtman
82c7925895 refactor: Remove dead HandleTestExistingNode function
This function was superseded by HandleTestNode which is wired to the
router at /api/config/nodes/{id}/test. The old function was not
registered in the router and served no purpose.

Removes 121 lines of unused code.
2025-12-01 10:21:50 +00:00
rcourtman
5fcd4e9cb9 Add unit tests for extractHostAndPort utility function
27 test cases covering URL/host:port parsing for node configuration:
- Scheme stripping (http://, https://)
- Path removal from URLs
- IPv4 addresses with and without ports
- IPv6 addresses (bracketed with port, unbracketed)
- Edge cases (empty string, localhost, port-only)
- Error cases (malformed brackets)

Documents current behavior: bracketed IPv6 without port returns error
(net.SplitHostPort limitation).
2025-12-01 01:19:10 +00:00
rcourtman
a21dd8c3d2 Add unit tests for system_settings.go map utility functions
52 test cases covering:
- firstValueForKeys: 18 cases for multi-key lookup with priority ordering
- hasAnyKey: 15 cases for key existence checking
- discoveryConfigMap: 19 cases for nested config extraction with camelCase/snake_case support

Tests verify edge cases including nil maps, empty key slices, type assertion failures,
and priority ordering for field name variants used in configuration parsing.
2025-12-01 01:05:07 +00:00
rcourtman
51671d2a56 Add unit tests for RecoveryTokenStore
20 test cases covering:
- Token generation (uniqueness, expiry durations, format)
- Token validation (valid, invalid, expired, used, empty store)
- Concurrent use protection (replay attack prevention)
- Cleanup routine (expired tokens, used tokens, stop signal)
- Persistence (save, load, filter expired on load)
- Edge cases (missing file, invalid JSON)
2025-12-01 00:06:32 +00:00
rcourtman
990a00c5be Add unit tests for normalizePVEUser and shouldSkipClusterAutoDetection 2025-11-30 23:53:41 +00:00
rcourtman
6ff3f57ac7 Add unit tests for security lockout and session management functions
Tests for internal/api/security.go:
- RecordFailedLogin: increments counts, triggers lockout at max attempts
- ClearFailedLogins: clears count and lockout state
- GetLockoutInfo: returns correct attempts/lockout status
- ResetLockout: admin lockout reset functionality
- TrackUserSession: user/session tracking
- GetSessionUsername: session lookup
- clearCSRFCookie: nil safety, cookie attributes
- issueNewCSRFCookie: nil safety, empty session handling
- FailedLogin/AuditEvent struct field validation

30 test cases covering lockout, session tracking, and CSRF functions.
2025-11-30 23:33:51 +00:00
rcourtman
314669d584 Add unit tests for SessionStore (internal/api)
Coverage for sessionHash, CreateSession, ValidateSession,
ValidateAndExtendSession, DeleteSession, persistence, and cleanup.
21 test cases covering session lifecycle, expiration handling,
and disk persistence. Coverage 25.0% → 25.3%.
2025-11-30 23:18:34 +00:00
rcourtman
554d44aba0 Add unit tests for auth helper functions (internal/api)
Tests for detectProxy, isConnectionSecure, getCookieSettings, and
generateSessionToken functions. Covers proxy detection for various
headers including X-Forwarded-For, CF-Ray, Forwarded (RFC 7239),
and secure connection detection via TLS and proxy headers.
2025-11-30 23:04:44 +00:00
rcourtman
3378814a05 Add unit tests for bootstrap token functions (internal/api)
20 test cases covering:
- generateBootstrapToken: uniqueness, format, hex encoding
- loadOrCreateBootstrapToken: new token creation, existing token loading,
  empty/whitespace paths, empty token files, directory creation, file permissions
- bootstrapTokenValid: nil router safety, empty hash/token handling
- clearBootstrapToken: nil safety, file deletion, state clearing

First test file for bootstrap_token.go security utilities.
2025-11-30 22:54:28 +00:00
rcourtman
f8c7a30d28 Fix cluster proxy token collision - store per-node control tokens
When multiple cluster nodes register sensor-proxy, each registration
was overwriting the previous node's control token on the shared
PVEInstance. This caused "Proxy token not recognized" errors on all
but the last-registered node.

Changes:
- Add TemperatureProxyControlToken field to ClusterEndpoint struct
- Store control tokens per-endpoint for cluster registrations
- Check both instance-level and endpoint-level tokens when validating

Related to #738
2025-11-30 20:37:58 +00:00
rcourtman
2620aa5db5 Add unit tests for security.go IP parsing utilities
- extractRemoteIP: 17 test cases for remote address parsing
  (IPv4/IPv6 with/without ports, bracketed notation, edge cases)
- firstValidForwardedIP: 21 test cases for X-Forwarded-For parsing
  (single/multiple IPs, invalid entries, IPv4/IPv6 mixed)
- isPrivateIPExtended: 33 test cases extending existing coverage
  (RFC 1918 boundaries, loopback range, IPv6 private/local, ports)

Total: 71 new test cases for IP address handling utilities.
2025-11-30 15:48:45 +00:00
rcourtman
2c26054d57 Add unit tests for router.go proxy header utility functions (api)
Add 77 test cases for 4 previously untested utility functions:
- firstForwardedValue: 14 cases for X-Forwarded-For header parsing
- sanitizeForwardedHost: 27 cases for host sanitization with scheme/port handling
- isLoopbackHost: 20 cases for loopback detection (localhost, 127.x, ::1)
- shouldAppendForwardedPort: 16 cases for port appending decisions

Key edge cases covered:
- IPv6 address bracket handling in sanitizeForwardedHost
- Case-insensitive localhost detection
- Full 127.0.0.0/8 loopback range validation
- strconv.Atoi accepts negative port strings (documented as current behavior)
2025-11-30 15:34:32 +00:00
rcourtman
930e003519 Add unit tests for normalizeUnifiedAgentArch and getClientIP (api)
Tests for unified_agent.go:
- normalizeUnifiedAgentArch: 51 test cases covering all supported
  architectures (linux/darwin/windows), case insensitivity,
  whitespace handling, and invalid inputs

Tests for updates.go:
- getClientIP: 18 test cases covering X-Forwarded-For priority,
  X-Real-IP fallback, RemoteAddr extraction, IPv4/IPv6 support,
  nil header safety, and case insensitivity
2025-11-30 15:05:37 +00:00
rcourtman
04d4b6606a Add unit tests for CSRF token store (api) 2025-11-30 14:55:47 +00:00
rcourtman
fe3f32ebcc Add unit tests for responseWriter middleware wrapper (api)
Tests for the responseWriter struct in middleware.go:
- APIError.Error() interface implementation (3 cases)
- WriteHeader once-only semantics (4 cases)
- Write with implicit WriteHeader (3 cases)
- StatusCode nil safety (4 cases)
- Hijack support detection (2 cases)
- Flush support detection (3 cases)
- Full flow integration and edge cases (4 cases)

First test file for middleware.go. 22 test cases total covering
HTTP response wrapper behavior used by ErrorHandler middleware.
2025-11-30 14:33:38 +00:00
rcourtman
39d02d62a3 Add unit tests for temperature proxy utility functions (api)
- extractHostPart: 22 test cases covering URL parsing, hostname extraction
- buildAuthorizedNodeList: 8 test cases for PVE instance node list building
- generateSecureToken: 5 test cases for cryptographic token generation
- proxySyncState: 6 test cases for sync status tracking and snapshots

First test file for temperature_proxy.go utility functions.
2025-11-30 14:07:04 +00:00
rcourtman
07587ec818 Add unit tests for GetRateLimiterForEndpoint (api)
37 test cases covering endpoint routing to rate limiters:
- Authentication endpoints (login, logout, change-password, auth/*)
- Recovery endpoints (security/recovery)
- Export/Import endpoints (config/export, config/import)
- Configuration write operations (POST/PUT/DELETE to config/*)
- Configuration read operations (GET to config/*, discover, security/status)
- Update endpoints (updates/*)
- WebSocket endpoints (/ws/*)
- Public endpoints (health, version, metrics, etc.)
- General API fallback
- Case insensitivity (uppercase paths)
- Lazy initialization when globalRateLimitConfig is nil
- Priority ordering tests for overlapping patterns
2025-11-30 13:48:23 +00:00
rcourtman
aee687bb03 Add unit tests for DemoModeMiddleware (api)
26 test cases covering:
- Demo mode disabled (all requests pass through)
- Demo mode enabled with read-only methods (GET/HEAD/OPTIONS allowed)
- WebSocket upgrade handling (case-insensitive)
- Auth endpoint allowlist (login, OIDC, logout)
- Modification request blocking (POST/PUT/DELETE/PATCH)
- Partial path match rejection (security)
- Response format verification (JSON error response)

First test file for demo_middleware.go. Tests verify correct header
setting (X-Demo-Mode) and error response structure.
2025-11-30 13:34:08 +00:00
rcourtman
702e56c97a Add unit tests for hasLegacyThresholds function (diagnostics)
Covers all legacy threshold field detection paths including
CPU, Memory, Disk, DiskRead, DiskWrite, NetworkIn, NetworkOut,
and mixed modern/legacy configurations.
2025-11-30 10:05:33 +00:00
rcourtman
722ea83b5d Add unit tests for RateLimiter (internal/api/ratelimit.go)
16 test cases covering:
- Basic rate limiting with Allow() (limit enforcement, different IPs)
- Sliding window behavior (time-based expiry, partial expiry)
- Edge cases (zero limit, large limit, empty IP)
- Cleanup routine (full cleanup, partial cleanup)
- Concurrent access (thread safety with 100 parallel attempts)
- Middleware integration (allowed/denied paths, X-Forwarded-For)

First test file for internal/api package.
2025-11-30 04:33:59 +00:00
rcourtman
b763ccc412 Add unit tests for HTTP metrics utility functions
83 test cases covering classifyStatus, isNumeric, looksLikeUUID,
normalizeSegment, and normalizeRoute functions used for Prometheus
metrics aggregation. Tests cover status code classification, numeric
string validation, UUID format detection, URL segment normalization,
and route path normalization with query param stripping.
2025-11-30 02:48:05 +00:00
rcourtman
04c12414d2 Add unit tests for diagnostics utility functions
Test coverage for 9 pure functions in internal/api/diagnostics.go:
- isFallbackMemorySource: 13 cases covering fallback and non-fallback sources
- copyStringSlice: 4 cases including nil handling and copy verification
- normalizeHostForComparison: 16 cases for URL normalization
- normalizeVersionLabel: 11 cases for version prefix handling
- contains: 8 cases for string slice membership
- containsFold: 11 cases for case-insensitive matching
- interfaceToStringSlice: 9 cases for type conversion
- preferredDockerHostName: 5 cases for name preference hierarchy
- formatTimeMaybe: 3 cases for time formatting
2025-11-30 00:18:41 +00:00
rcourtman
1b3effcb10 Fix redactSecretsFromURL matching params with prefixed names
The function was using substring matching for sensitive param names,
causing parameters like "extra_token" or "myapikey" to be incorrectly
redacted when they matched "token=" or "apikey=" as substrings.

Now checks for proper boundary characters (? or &) before matching,
so only actual parameter names are redacted.

Related to ADA knowledge entry: "Query param redaction uses substring matching"
2025-11-29 22:03:15 +00:00
rcourtman
46f90e1585 Show CPU core count on EnhancedCPUBar progress bar 2025-11-29 21:47:22 +00:00