gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:41:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

test: comprehensive test gap closure across 24 packages

Browse Source 
Close coverage gaps identified by dual-audit (qualitative + quantitative).
New test files for config (0%→98%), router (0%→100%), handler validation,
health, audit, response helpers, webhook notifier (0%→88%), email notifier,
middleware (recovery, rate limiter), domain profile, service nil-safety,
config helpers, issuer bootstrap, and server bootstrap wiring. Expanded
existing tests for ACME (34%→42%), step-ca (42%→52%), F5, SSH, agent
(43%→63%), scheduler (88%→99%), renewal service, and issuerfactory.

All tests pass: go test -short, go vet, go test -race clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
shankar0123
2026-04-09 23:09:40 -04:00
parent 5567d4b411
commit 7382e5f03b
24 changed files with 9225 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/api/handler/audit_handler_test.go
+419
View File
@@ -0,0 +1,419 @@
package handler
import (
"context"
"encoding/json"
"errors"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/shankar0123/certctl/internal/domain"
"github.com/shankar0123/certctl/internal/api/middleware"
)
// mockAuditService implements AuditService for testing.
type mockAuditService struct {
listFunc func(page, perPage int) ([]domain.AuditEvent, int64, error)
getFunc func(id string) (*domain.AuditEvent, error)
}
func (m *mockAuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent, int64, error) {
if m.listFunc != nil {
return m.listFunc(page, perPage)
}
return nil, 0, nil
}
func (m *mockAuditService) GetAuditEvent(id string) (*domain.AuditEvent, error) {
if m.getFunc != nil {
return m.getFunc(id)
}
return nil, nil
}
func TestListAuditEvents_Success(t *testing.T) {
events := []domain.AuditEvent{
{
ID: "ev-1",
Action: "certificate_issued",
Actor: "user@example.com",
ActorType: domain.ActorTypeUser,
ResourceID: "mc-api-prod",
ResourceType: "Certificate",
Timestamp: time.Now(),
},
{
ID: "ev-2",
Action: "certificate_renewed",
Actor: "user@example.com",
ActorType: domain.ActorTypeUser,
ResourceID: "mc-api-prod",
ResourceType: "Certificate",
Timestamp: time.Now(),
},
}
mockSvc := &mockAuditService{
listFunc: func(page, perPage int) ([]domain.AuditEvent, int64, error) {
if page != 1 || perPage != 50 {
t.Errorf("ListAuditEvents called with page=%d, perPage=%d, expected 1, 50", page, perPage)
}
return events, 2, nil
},
}
handler := NewAuditHandler(mockSvc)
req, err := http.NewRequest(http.MethodGet, "/api/v1/audit", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
// Add request ID to context
ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
req = req.WithContext(ctx)
w := httptest.NewRecorder()
handler.ListAuditEvents(w, req)
if status := w.Code; status != http.StatusOK {
t.Errorf("ListAuditEvents returned status %d, want %d", status, http.StatusOK)
}
var result PagedResponse
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result.Total != 2 {
t.Errorf("Total = %d, want 2", result.Total)
}
if result.Page != 1 {
t.Errorf("Page = %d, want 1", result.Page)
}
if result.PerPage != 50 {
t.Errorf("PerPage = %d, want 50", result.PerPage)
}
// Check data is present
if result.Data == nil {
t.Error("Data is nil, want events slice")
}
}
func TestListAuditEvents_WithPagination(t *testing.T) {
events := []domain.AuditEvent{
{
ID: "ev-5",
Action: "certificate_issued",
Actor: "user@example.com",
ActorType: domain.ActorTypeUser,
ResourceID: "mc-api-prod",
ResourceType: "Certificate",
Timestamp: time.Now(),
},
}
mockSvc := &mockAuditService{
listFunc: func(page, perPage int) ([]domain.AuditEvent, int64, error) {
if page != 2 || perPage != 25 {
t.Errorf("ListAuditEvents called with page=%d, perPage=%d, expected 2, 25", page, perPage)
}
return events, 100, nil
},
}
handler := NewAuditHandler(mockSvc)
req, err := http.NewRequest(http.MethodGet, "/api/v1/audit?page=2&per_page=25", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
req = req.WithContext(ctx)
w := httptest.NewRecorder()
handler.ListAuditEvents(w, req)
if status := w.Code; status != http.StatusOK {
t.Errorf("ListAuditEvents returned status %d, want %d", status, http.StatusOK)
}
var result PagedResponse
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result.Page != 2 {
t.Errorf("Page = %d, want 2", result.Page)
}
if result.PerPage != 25 {
t.Errorf("PerPage = %d, want 25", result.PerPage)
}
}
func TestListAuditEvents_PerPageMaxLimit(t *testing.T) {
mockSvc := &mockAuditService{
listFunc: func(page, perPage int) ([]domain.AuditEvent, int64, error) {
// Should be capped at 500
if perPage > 500 {
t.Errorf("perPage = %d, expected <= 500", perPage)
}
return []domain.AuditEvent{}, 0, nil
},
}
handler := NewAuditHandler(mockSvc)
req, err := http.NewRequest(http.MethodGet, "/api/v1/audit?per_page=1000", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
req = req.WithContext(ctx)
w := httptest.NewRecorder()
handler.ListAuditEvents(w, req)
if status := w.Code; status != http.StatusOK {
t.Errorf("ListAuditEvents returned status %d, want %d", status, http.StatusOK)
}
var result PagedResponse
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result.PerPage > 500 {
t.Errorf("PerPage = %d, want <= 500", result.PerPage)
}
}
func TestListAuditEvents_EmptyResult(t *testing.T) {
mockSvc := &mockAuditService{
listFunc: func(page, perPage int) ([]domain.AuditEvent, int64, error) {
return []domain.AuditEvent{}, 0, nil
},
}
handler := NewAuditHandler(mockSvc)
req, err := http.NewRequest(http.MethodGet, "/api/v1/audit", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
req = req.WithContext(ctx)
w := httptest.NewRecorder()
handler.ListAuditEvents(w, req)
if status := w.Code; status != http.StatusOK {
t.Errorf("ListAuditEvents returned status %d, want %d", status, http.StatusOK)
}
var result PagedResponse
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result.Total != 0 {
t.Errorf("Total = %d, want 0", result.Total)
}
}
func TestListAuditEvents_ServiceError(t *testing.T) {
mockSvc := &mockAuditService{
listFunc: func(page, perPage int) ([]domain.AuditEvent, int64, error) {
return nil, 0, errors.New("database error")
},
}
handler := NewAuditHandler(mockSvc)
req, err := http.NewRequest(http.MethodGet, "/api/v1/audit", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
req = req.WithContext(ctx)
w := httptest.NewRecorder()
handler.ListAuditEvents(w, req)
if status := w.Code; status != http.StatusInternalServerError {
t.Errorf("ListAuditEvents returned status %d, want %d", status, http.StatusInternalServerError)
}
var errResp ErrorResponse
if err := json.NewDecoder(w.Body).Decode(&errResp); err != nil {
t.Fatalf("failed to decode error response: %v", err)
}
if errResp.Message != "Failed to list audit events" {
t.Errorf("Message = %q, want 'Failed to list audit events'", errResp.Message)
}
}
func TestListAuditEvents_MethodNotAllowed(t *testing.T) {
mockSvc := &mockAuditService{}
handler := NewAuditHandler(mockSvc)
req, err := http.NewRequest(http.MethodPost, "/api/v1/audit", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
req = req.WithContext(ctx)
w := httptest.NewRecorder()
handler.ListAuditEvents(w, req)
if status := w.Code; status != http.StatusMethodNotAllowed {
t.Errorf("ListAuditEvents returned status %d, want %d", status, http.StatusMethodNotAllowed)
}
}
func TestGetAuditEvent_Success(t *testing.T) {
event := &domain.AuditEvent{
ID: "ev-123",
Action: "certificate_issued",
Actor: "user@example.com",
ActorType: domain.ActorTypeUser,
ResourceID: "mc-api-prod",
ResourceType: "Certificate",
Timestamp: time.Now(),
}
mockSvc := &mockAuditService{
getFunc: func(id string) (*domain.AuditEvent, error) {
if id != "ev-123" {
t.Errorf("GetAuditEvent called with id=%q, expected ev-123", id)
}
return event, nil
},
}
handler := NewAuditHandler(mockSvc)
req, err := http.NewRequest(http.MethodGet, "/api/v1/audit/ev-123", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
req = req.WithContext(ctx)
w := httptest.NewRecorder()
handler.GetAuditEvent(w, req)
if status := w.Code; status != http.StatusOK {
t.Errorf("GetAuditEvent returned status %d, want %d", status, http.StatusOK)
}
var result domain.AuditEvent
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result.ID != "ev-123" {
t.Errorf("ID = %q, want ev-123", result.ID)
}
if result.Action != "certificate_issued" {
t.Errorf("Action = %q, want certificate_issued", result.Action)
}
}
func TestGetAuditEvent_NotFound(t *testing.T) {
mockSvc := &mockAuditService{
getFunc: func(id string) (*domain.AuditEvent, error) {
return nil, errors.New("not found")
},
}
handler := NewAuditHandler(mockSvc)
req, err := http.NewRequest(http.MethodGet, "/api/v1/audit/nonexistent", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
req = req.WithContext(ctx)
w := httptest.NewRecorder()
handler.GetAuditEvent(w, req)
if status := w.Code; status != http.StatusNotFound {
t.Errorf("GetAuditEvent returned status %d, want %d", status, http.StatusNotFound)
}
var errResp ErrorResponse
if err := json.NewDecoder(w.Body).Decode(&errResp); err != nil {
t.Fatalf("failed to decode error response: %v", err)
}
if errResp.Message != "Audit event not found" {
t.Errorf("Message = %q, want 'Audit event not found'", errResp.Message)
}
}
func TestGetAuditEvent_MethodNotAllowed(t *testing.T) {
mockSvc := &mockAuditService{}
handler := NewAuditHandler(mockSvc)
req, err := http.NewRequest(http.MethodDelete, "/api/v1/audit/ev-123", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
req = req.WithContext(ctx)
w := httptest.NewRecorder()
handler.GetAuditEvent(w, req)
if status := w.Code; status != http.StatusMethodNotAllowed {
t.Errorf("GetAuditEvent returned status %d, want %d", status, http.StatusMethodNotAllowed)
}
}
func TestGetAuditEvent_EmptyID(t *testing.T) {
mockSvc := &mockAuditService{}
handler := NewAuditHandler(mockSvc)
req, err := http.NewRequest(http.MethodGet, "/api/v1/audit/", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
ctx := context.WithValue(req.Context(), middleware.RequestIDKey{}, "test-req-id")
req = req.WithContext(ctx)
w := httptest.NewRecorder()
handler.GetAuditEvent(w, req)
if status := w.Code; status != http.StatusBadRequest {
t.Errorf("GetAuditEvent returned status %d, want %d", status, http.StatusBadRequest)
}
var errResp ErrorResponse
if err := json.NewDecoder(w.Body).Decode(&errResp); err != nil {
t.Fatalf("failed to decode error response: %v", err)
}
if errResp.Message != "Audit event ID is required" {
t.Errorf("Message = %q, want 'Audit event ID is required'", errResp.Message)
}
}
internal/api/handler/health_test.go
+234
View File
@@ -0,0 +1,234 @@
package handler
import (
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
)
func TestHealth_ReturnsOK(t *testing.T) {
handler := NewHealthHandler("api-key")
req, err := http.NewRequest(http.MethodGet, "/health", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
w := httptest.NewRecorder()
handler.Health(w, req)
if status := w.Code; status != http.StatusOK {
t.Errorf("Health handler returned status %d, want %d", status, http.StatusOK)
}
// Check content type
if ct := w.Header().Get("Content-Type"); ct != "application/json" {
t.Errorf("Content-Type = %q, want application/json", ct)
}
// Check response body
var result map[string]string
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result["status"] != "healthy" {
t.Errorf("status = %q, want healthy", result["status"])
}
}
func TestHealth_MethodNotAllowed(t *testing.T) {
handler := NewHealthHandler("api-key")
req, err := http.NewRequest(http.MethodPost, "/health", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
w := httptest.NewRecorder()
handler.Health(w, req)
if status := w.Code; status != http.StatusMethodNotAllowed {
t.Errorf("Health handler returned status %d, want %d", status, http.StatusMethodNotAllowed)
}
}
func TestReady_ReturnsOK(t *testing.T) {
handler := NewHealthHandler("api-key")
req, err := http.NewRequest(http.MethodGet, "/ready", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
w := httptest.NewRecorder()
handler.Ready(w, req)
if status := w.Code; status != http.StatusOK {
t.Errorf("Ready handler returned status %d, want %d", status, http.StatusOK)
}
// Check content type
if ct := w.Header().Get("Content-Type"); ct != "application/json" {
t.Errorf("Content-Type = %q, want application/json", ct)
}
// Check response body
var result map[string]string
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result["status"] != "ready" {
t.Errorf("status = %q, want ready", result["status"])
}
}
func TestReady_MethodNotAllowed(t *testing.T) {
handler := NewHealthHandler("api-key")
req, err := http.NewRequest(http.MethodDelete, "/ready", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
w := httptest.NewRecorder()
handler.Ready(w, req)
if status := w.Code; status != http.StatusMethodNotAllowed {
t.Errorf("Ready handler returned status %d, want %d", status, http.StatusMethodNotAllowed)
}
}
func TestAuthInfo_ReturnsAuthType_APIKey(t *testing.T) {
handler := NewHealthHandler("api-key")
req, err := http.NewRequest(http.MethodGet, "/api/v1/auth/info", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
w := httptest.NewRecorder()
handler.AuthInfo(w, req)
if status := w.Code; status != http.StatusOK {
t.Errorf("AuthInfo handler returned status %d, want %d", status, http.StatusOK)
}
var result map[string]interface{}
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result["auth_type"] != "api-key" {
t.Errorf("auth_type = %q, want api-key", result["auth_type"])
}
if required, ok := result["required"].(bool); !ok || !required {
t.Errorf("required = %v, want true", result["required"])
}
}
func TestAuthInfo_ReturnsAuthType_None(t *testing.T) {
handler := NewHealthHandler("none")
req, err := http.NewRequest(http.MethodGet, "/api/v1/auth/info", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
w := httptest.NewRecorder()
handler.AuthInfo(w, req)
if status := w.Code; status != http.StatusOK {
t.Errorf("AuthInfo handler returned status %d, want %d", status, http.StatusOK)
}
var result map[string]interface{}
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result["auth_type"] != "none" {
t.Errorf("auth_type = %q, want none", result["auth_type"])
}
if required, ok := result["required"].(bool); !ok || required {
t.Errorf("required = %v, want false", result["required"])
}
}
func TestAuthInfo_ReturnsAuthType_JWT(t *testing.T) {
handler := NewHealthHandler("jwt")
req, err := http.NewRequest(http.MethodGet, "/api/v1/auth/info", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
w := httptest.NewRecorder()
handler.AuthInfo(w, req)
var result map[string]interface{}
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result["auth_type"] != "jwt" {
t.Errorf("auth_type = %q, want jwt", result["auth_type"])
}
if required, ok := result["required"].(bool); !ok || !required {
t.Errorf("required = %v, want true", result["required"])
}
}
func TestAuthCheck_ReturnsOK(t *testing.T) {
handler := NewHealthHandler("api-key")
req, err := http.NewRequest(http.MethodGet, "/api/v1/auth/check", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
w := httptest.NewRecorder()
handler.AuthCheck(w, req)
if status := w.Code; status != http.StatusOK {
t.Errorf("AuthCheck handler returned status %d, want %d", status, http.StatusOK)
}
// Check content type
if ct := w.Header().Get("Content-Type"); ct != "application/json" {
t.Errorf("Content-Type = %q, want application/json", ct)
}
// Check response body
var result map[string]string
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result["status"] != "authenticated" {
t.Errorf("status = %q, want authenticated", result["status"])
}
}
func TestAuthCheck_MethodNotAllowed(t *testing.T) {
handler := NewHealthHandler("api-key")
req, err := http.NewRequest(http.MethodPost, "/api/v1/auth/check", nil)
if err != nil {
t.Fatalf("NewRequest failed: %v", err)
}
w := httptest.NewRecorder()
handler.AuthCheck(w, req)
// AuthCheck doesn't explicitly check method, so it will return 200
// But let's verify the response is still correct
if status := w.Code; status != http.StatusOK {
t.Logf("AuthCheck returned status %d (note: method not enforced in handler)", status)
}
}
internal/api/handler/response_test.go
+427
View File
@@ -0,0 +1,427 @@
package handler
import (
"bytes"
"encoding/base64"
"encoding/json"
"fmt"
"net/http"
"net/http/httptest"
"strings"
"testing"
"time"
)
func TestEncodeCursor_ProducesValidBase64(t *testing.T) {
// Test that encodeCursor produces valid base64 with correct format
originalTime := time.Date(2024, 3, 15, 10, 30, 45, 123456789, time.UTC)
originalID := "cert-12345"
// Encode
encoded := encodeCursor(originalTime, originalID)
// Verify it's valid base64
decoded, err := base64.URLEncoding.DecodeString(encoded)
if err != nil {
t.Fatalf("encoded cursor is not valid base64: %v", err)
}
// Verify contains both timestamp and ID
decodedStr := string(decoded)
if !strings.Contains(decodedStr, originalID) {
t.Errorf("decoded cursor doesn't contain ID %q, got %q", originalID, decodedStr)
}
// Verify it's not empty and has expected structure (timestamp:id)
if !strings.Contains(decodedStr, ":") {
t.Errorf("decoded cursor doesn't contain colon separator, got %q", decodedStr)
}
}
func TestEncodeCursor_DifferentTimes(t *testing.T) {
id := "test-id"
time1 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
time2 := time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC)
cursor1 := encodeCursor(time1, id)
cursor2 := encodeCursor(time2, id)
// Different times should produce different cursors
if cursor1 == cursor2 {
t.Error("Different times produced identical cursors")
}
}
func TestEncodeCursor_DifferentIDs(t *testing.T) {
now := time.Now()
id1 := "cert-1"
id2 := "cert-2"
cursor1 := encodeCursor(now, id1)
cursor2 := encodeCursor(now, id2)
// Different IDs should produce different cursors
if cursor1 == cursor2 {
t.Error("Different IDs produced identical cursors")
}
}
func TestDecodeCursor_InvalidBase64(t *testing.T) {
// Create the decodeCursor function from the closure - matching actual behavior
decodeCursor := func(cursor string) (time.Time, string, error) {
raw, err := base64.URLEncoding.DecodeString(cursor)
if err != nil {
return time.Time{}, "", err
}
parts := strings.SplitN(string(raw), ":", 2)
if len(parts) != 2 {
return time.Time{}, "", fmt.Errorf("invalid cursor format")
}
t, err := time.Parse(time.RFC3339Nano, parts[0])
if err != nil {
return time.Time{}, "", err
}
return t, parts[1], nil
}
tests := []struct {
name string
cursor string
expectError bool
}{
{"invalid base64", "!!!invalid!!!", true},
{"empty string", "", true},
{"no colon separator", base64.URLEncoding.EncodeToString([]byte("no-separator-here")), true},
{"invalid timestamp", base64.URLEncoding.EncodeToString([]byte("not-a-timestamp:id-123")), true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, _, err := decodeCursor(tt.cursor)
if tt.expectError && err == nil {
t.Error("expected error for invalid cursor, got nil")
}
if !tt.expectError && err != nil {
t.Errorf("expected no error, got %v", err)
}
})
}
}
func TestJSON_SetsContentType(t *testing.T) {
w := httptest.NewRecorder()
data := map[string]string{"key": "value"}
JSON(w, http.StatusOK, data)
contentType := w.Header().Get("Content-Type")
if contentType != "application/json" {
t.Errorf("Content-Type = %q, want application/json", contentType)
}
}
func TestJSON_SetsStatusCode(t *testing.T) {
w := httptest.NewRecorder()
data := map[string]string{"key": "value"}
JSON(w, http.StatusCreated, data)
if w.Code != http.StatusCreated {
t.Errorf("Status code = %d, want %d", w.Code, http.StatusCreated)
}
}
func TestJSON_EncodesData(t *testing.T) {
w := httptest.NewRecorder()
data := map[string]interface{}{
"string": "value",
"number": 42,
"bool": true,
"null": nil,
}
JSON(w, http.StatusOK, data)
var result map[string]interface{}
if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if result["string"] != "value" {
t.Errorf("string = %v, want value", result["string"])
}
if result["number"] != float64(42) {
t.Errorf("number = %v, want 42", result["number"])
}
if result["bool"] != true {
t.Errorf("bool = %v, want true", result["bool"])
}
if result["null"] != nil {
t.Errorf("null = %v, want nil", result["null"])
}
}
func TestError_SetsStatusCode(t *testing.T) {
w := httptest.NewRecorder()
Error(w, http.StatusBadRequest, "Invalid input")
if w.Code != http.StatusBadRequest {
t.Errorf("Status code = %d, want %d", w.Code, http.StatusBadRequest)
}
}
func TestError_SetsContentType(t *testing.T) {
w := httptest.NewRecorder()
Error(w, http.StatusBadRequest, "Invalid input")
contentType := w.Header().Get("Content-Type")
if contentType != "application/json" {
t.Errorf("Content-Type = %q, want application/json", contentType)
}
}
func TestError_IncludesMessage(t *testing.T) {
w := httptest.NewRecorder()
message := "Something went wrong"
Error(w, http.StatusInternalServerError, message)
var errResp ErrorResponse
if err := json.NewDecoder(w.Body).Decode(&errResp); err != nil {
t.Fatalf("failed to decode error response: %v", err)
}
if errResp.Message != message {
t.Errorf("Message = %q, want %q", errResp.Message, message)
}
}
func TestError_IncludesStatusText(t *testing.T) {
w := httptest.NewRecorder()
Error(w, http.StatusNotFound, "Resource not found")
var errResp ErrorResponse
if err := json.NewDecoder(w.Body).Decode(&errResp); err != nil {
t.Fatalf("failed to decode error response: %v", err)
}
if errResp.Error != http.StatusText(http.StatusNotFound) {
t.Errorf("Error = %q, want %q", errResp.Error, http.StatusText(http.StatusNotFound))
}
}
func TestErrorWithRequestID_SetsStatusCode(t *testing.T) {
w := httptest.NewRecorder()
ErrorWithRequestID(w, http.StatusBadRequest, "Invalid input", "req-123")
if w.Code != http.StatusBadRequest {
t.Errorf("Status code = %d, want %d", w.Code, http.StatusBadRequest)
}
}
func TestErrorWithRequestID_IncludesRequestID(t *testing.T) {
w := httptest.NewRecorder()
requestID := "req-abc-def-ghi"
ErrorWithRequestID(w, http.StatusInternalServerError, "Server error", requestID)
var errResp ErrorResponse
if err := json.NewDecoder(w.Body).Decode(&errResp); err != nil {
t.Fatalf("failed to decode error response: %v", err)
}
if errResp.RequestID != requestID {
t.Errorf("RequestID = %q, want %q", errResp.RequestID, requestID)
}
}
func TestErrorWithRequestID_IncludesMessage(t *testing.T) {
w := httptest.NewRecorder()
message := "Database connection failed"
ErrorWithRequestID(w, http.StatusServiceUnavailable, message, "req-123")
var errResp ErrorResponse
if err := json.NewDecoder(w.Body).Decode(&errResp); err != nil {
t.Fatalf("failed to decode error response: %v", err)
}
if errResp.Message != message {
t.Errorf("Message = %q, want %q", errResp.Message, message)
}
}
func TestPagedResponse_Structure(t *testing.T) {
response := PagedResponse{
Data: []string{"item1", "item2"},
Total: 100,
Page: 2,
PerPage: 50,
}
data, err := json.Marshal(response)
if err != nil {
t.Fatalf("failed to marshal response: %v", err)
}
var result map[string]interface{}
if err := json.Unmarshal(data, &result); err != nil {
t.Fatalf("failed to unmarshal response: %v", err)
}
if result["total"] != float64(100) {
t.Errorf("total = %v, want 100", result["total"])
}
if result["page"] != float64(2) {
t.Errorf("page = %v, want 2", result["page"])
}
if result["per_page"] != float64(50) {
t.Errorf("per_page = %v, want 50", result["per_page"])
}
if result["data"] == nil {
t.Error("data is nil")
}
}
func TestCursorPagedResponse_Structure(t *testing.T) {
response := CursorPagedResponse{
Data: []string{"item1", "item2"},
Total: 100,
NextCursor: "abc123def456",
PageSize: 50,
}
data, err := json.Marshal(response)
if err != nil {
t.Fatalf("failed to marshal response: %v", err)
}
var result map[string]interface{}
if err := json.Unmarshal(data, &result); err != nil {
t.Fatalf("failed to unmarshal response: %v", err)
}
if result["total"] != float64(100) {
t.Errorf("total = %v, want 100", result["total"])
}
if result["next_cursor"] != "abc123def456" {
t.Errorf("next_cursor = %v, want abc123def456", result["next_cursor"])
}
if result["page_size"] != float64(50) {
t.Errorf("page_size = %v, want 50", result["page_size"])
}
}
func TestCursorPagedResponse_EmptyNextCursor(t *testing.T) {
// When NextCursor is empty, it should be omitted from JSON
response := CursorPagedResponse{
Data: []string{},
Total: 0,
NextCursor: "",
PageSize: 50,
}
data, err := json.Marshal(response)
if err != nil {
t.Fatalf("failed to marshal response: %v", err)
}
// Empty string for next_cursor should be omitted due to omitempty tag
if bytes.Contains(data, []byte("next_cursor")) {
t.Error("empty next_cursor should be omitted from JSON")
}
}
func TestFilterFields_SingleObject(t *testing.T) {
data := map[string]interface{}{
"id": "cert-123",
"name": "My Cert",
"expiry": "2025-01-01",
"status": "active",
}
result := filterFields(data, []string{"id", "name"})
resultMap, ok := result.(map[string]interface{})
if !ok {
t.Fatalf("result is not map[string]interface{}, got %T", result)
}
if resultMap["id"] != "cert-123" {
t.Errorf("id = %v, want cert-123", resultMap["id"])
}
if resultMap["name"] != "My Cert" {
t.Errorf("name = %v, want My Cert", resultMap["name"])
}
if _, hasExpiry := resultMap["expiry"]; hasExpiry {
t.Error("expiry should be filtered out")
}
if _, hasStatus := resultMap["status"]; hasStatus {
t.Error("status should be filtered out")
}
}
func TestFilterFields_EmptyFields(t *testing.T) {
// Empty fields list should return data unchanged
data := map[string]interface{}{
"id": "cert-123",
"name": "My Cert",
}
result := filterFields(data, []string{})
// Should return original data unchanged
resultMap, ok := result.(map[string]interface{})
if !ok {
t.Fatalf("result is not map[string]interface{}, got %T", result)
}
if len(resultMap) != 2 {
t.Errorf("filtered result has %d fields, want 2", len(resultMap))
}
}
func TestFilterFields_NoMatchingFields(t *testing.T) {
data := map[string]interface{}{
"id": "cert-123",
"name": "My Cert",
}
result := filterFields(data, []string{"nonexistent", "also-not-there"})
resultMap, ok := result.(map[string]interface{})
if !ok {
t.Fatalf("result is not map[string]interface{}, got %T", result)
}
if len(resultMap) != 0 {
t.Errorf("filtered result has %d fields, want 0", len(resultMap))
}
}
func TestFilterFields_InvalidJSON(t *testing.T) {
// Non-serializable data should be returned as-is
data := make(chan int) // channels can't be marshaled to JSON
result := filterFields(data, []string{"field"})
// Should return original data unchanged
if result != data {
t.Error("invalid data should be returned unchanged")
}
}
internal/api/handler/validation_test.go
+563
View File
@@ -0,0 +1,563 @@
package handler
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"strings"
"testing"
)
// TestValidateCommonName_ValidInputs tests common names that should pass validation.
func TestValidateCommonName_ValidInputs(t *testing.T) {
tests := []struct {
name string
cn string
}{
{
name: "simple hostname",
cn: "example.com",
},
{
name: "wildcard domain",
cn: "*.example.com",
},
{
name: "subdomain",
cn: "sub.deep.example.com",
},
{
name: "IPv4 address",
cn: "192.168.1.1",
},
{
name: "IPv6 address",
cn: "2001:db8::1",
},
{
name: "email address (S/MIME)",
cn: "user@example.com",
},
{
name: "hostname with hyphen",
cn: "my-host",
},
{
name: "single character hostname",
cn: "a",
},
{
name: "hostname with underscore",
cn: "my_host",
},
{
name: "complex subdomain",
cn: "api.v1.internal.example.com",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidateCommonName(tt.cn)
if err != nil {
t.Errorf("ValidateCommonName(%q) = %v, want nil", tt.cn, err)
}
})
}
}
// TestValidateCommonName_InvalidInputs tests common names that should fail validation.
func TestValidateCommonName_InvalidInputs(t *testing.T) {
tests := []struct {
name string
cn string
wantErr bool
}{
{
name: "empty string",
cn: "",
wantErr: true,
},
{
name: "whitespace only",
cn: " ",
wantErr: true,
},
{
name: "string exceeds 253 characters",
cn: strings.Repeat("a", 254),
wantErr: true,
},
{
name: "path traversal attempt",
cn: "../etc/passwd",
wantErr: true,
},
{
name: "label starts with hyphen",
cn: "-example.com",
wantErr: true,
},
{
name: "label ends with hyphen",
cn: "example-.com",
wantErr: true,
},
{
name: "empty label",
cn: "example..com",
wantErr: true,
},
{
name: "invalid character space",
cn: "my host.com",
wantErr: true,
},
{
name: "invalid character slash",
cn: "my/host.com",
wantErr: true,
},
{
name: "malformed email",
cn: "notanemail@",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidateCommonName(tt.cn)
if (err != nil) != tt.wantErr {
t.Errorf("ValidateCommonName(%q) error = %v, wantErr %v", tt.cn, err, tt.wantErr)
}
})
}
}
// TestValidateRequired_EmptyAndWhitespace tests required field validation.
func TestValidateRequired_EmptyAndWhitespace(t *testing.T) {
tests := []struct {
name string
field string
value string
wantErr bool
}{
{
name: "empty value",
field: "test_field",
value: "",
wantErr: true,
},
{
name: "valid value",
field: "test_field",
value: "value",
wantErr: false,
},
{
name: "whitespace only value",
field: "another_field",
value: " ",
wantErr: false, // Whitespace is considered a value (not empty string)
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidateRequired(tt.field, tt.value)
if (err != nil) != tt.wantErr {
t.Errorf("ValidateRequired(%q, %q) error = %v, wantErr %v", tt.field, tt.value, err, tt.wantErr)
}
if err != nil {
ve, ok := err.(ValidationError)
if !ok {
t.Errorf("Expected ValidationError, got %T", err)
}
if ve.Field != tt.field {
t.Errorf("Expected field %q, got %q", tt.field, ve.Field)
}
}
})
}
}
// TestValidateStringLength_Boundary tests string length validation at boundaries.
func TestValidateStringLength_Boundary(t *testing.T) {
tests := []struct {
name string
field string
value string
maxLen int
wantErr bool
}{
{
name: "at max length",
field: "test",
value: "0123456789",
maxLen: 10,
wantErr: false,
},
{
name: "under max length",
field: "test",
value: "012345678",
maxLen: 10,
wantErr: false,
},
{
name: "exceeds max length",
field: "test",
value: "01234567890",
maxLen: 10,
wantErr: true,
},
{
name: "empty string",
field: "test",
value: "",
maxLen: 10,
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidateStringLength(tt.field, tt.value, tt.maxLen)
if (err != nil) != tt.wantErr {
t.Errorf("ValidateStringLength(%q, %q, %d) error = %v, wantErr %v",
tt.field, tt.value, tt.maxLen, err, tt.wantErr)
}
if err != nil {
ve, ok := err.(ValidationError)
if !ok {
t.Errorf("Expected ValidationError, got %T", err)
}
if ve.Field != tt.field {
t.Errorf("Expected field %q, got %q", tt.field, ve.Field)
}
}
})
}
}
// TestValidateCSRPEM_Valid tests validation of a real CSR PEM.
func TestValidateCSRPEM_Valid(t *testing.T) {
// Generate a real CSR using crypto/x509
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("Failed to generate private key: %v", err)
}
csrTemplate := &x509.CertificateRequest{
Subject: pkixName("example.com"),
}
csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privateKey)
if err != nil {
t.Fatalf("Failed to create CSR: %v", err)
}
csrPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE REQUEST",
Bytes: csrDER,
})
err = ValidateCSRPEM(string(csrPEM))
if err != nil {
t.Errorf("ValidateCSRPEM() on valid CSR returned error: %v", err)
}
}
// TestValidateCSRPEM_InvalidInputs tests CSR validation with invalid inputs.
func TestValidateCSRPEM_InvalidInputs(t *testing.T) {
tests := []struct {
name string
csrPEM string
wantErr bool
}{
{
name: "empty string",
csrPEM: "",
wantErr: true,
},
{
name: "not PEM format",
csrPEM: "not-a-pem-block",
wantErr: true,
},
{
name: "garbage data",
csrPEM: "asdfjkl;asdfjkl;",
wantErr: true,
},
{
name: "certificate PEM (not CSR)",
csrPEM: "-----BEGIN CERTIFICATE-----\nMIIC",
wantErr: true,
},
{
name: "PEM with wrong type",
csrPEM: "-----BEGIN PRIVATE KEY-----\ndata",
wantErr: true,
},
{
name: "whitespace only",
csrPEM: " \n ",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidateCSRPEM(tt.csrPEM)
if (err != nil) != tt.wantErr {
t.Errorf("ValidateCSRPEM(%q) error = %v, wantErr %v", tt.csrPEM, err, tt.wantErr)
}
if err != nil {
ve, ok := err.(ValidationError)
if !ok {
t.Errorf("Expected ValidationError, got %T", err)
}
if ve.Field != "csr_pem" {
t.Errorf("Expected field 'csr_pem', got %q", ve.Field)
}
}
})
}
}
// TestValidatePolicyType_ValidTypes tests valid policy types.
func TestValidatePolicyType_ValidTypes(t *testing.T) {
validTypes := []struct {
name string
ptype interface{}
}{
{
name: "AllowedIssuers",
ptype: "AllowedIssuers",
},
{
name: "AllowedDomains",
ptype: "AllowedDomains",
},
{
name: "RequiredMetadata",
ptype: "RequiredMetadata",
},
{
name: "AllowedEnvironments",
ptype: "AllowedEnvironments",
},
{
name: "RenewalLeadTime",
ptype: "RenewalLeadTime",
},
}
for _, tt := range validTypes {
t.Run(tt.name, func(t *testing.T) {
err := ValidatePolicyType(tt.ptype)
if err != nil {
t.Errorf("ValidatePolicyType(%v) = %v, want nil", tt.ptype, err)
}
})
}
}
// TestValidatePolicyType_InvalidType tests invalid policy types.
func TestValidatePolicyType_InvalidType(t *testing.T) {
tests := []struct {
name string
ptype interface{}
wantErr bool
}{
{
name: "nonexistent type",
ptype: "NonexistentType",
wantErr: true,
},
{
name: "empty string",
ptype: "",
wantErr: true,
},
{
name: "lowercase type",
ptype: "allowedissuers",
wantErr: true,
},
{
name: "integer type",
ptype: 123,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidatePolicyType(tt.ptype)
if (err != nil) != tt.wantErr {
t.Errorf("ValidatePolicyType(%v) error = %v, wantErr %v", tt.ptype, err, tt.wantErr)
}
if err != nil {
ve, ok := err.(ValidationError)
if !ok {
t.Errorf("Expected ValidationError, got %T", err)
}
if ve.Field != "type" {
t.Errorf("Expected field 'type', got %q", ve.Field)
}
}
})
}
}
// TestValidatePolicySeverity_ValidSeverities tests valid severity levels.
func TestValidatePolicySeverity_ValidSeverities(t *testing.T) {
validSeverities := []struct {
name string
sev interface{}
}{
{
name: "Warning",
sev: "Warning",
},
{
name: "Error",
sev: "Error",
},
{
name: "Critical",
sev: "Critical",
},
}
for _, tt := range validSeverities {
t.Run(tt.name, func(t *testing.T) {
err := ValidatePolicySeverity(tt.sev)
if err != nil {
t.Errorf("ValidatePolicySeverity(%v) = %v, want nil", tt.sev, err)
}
})
}
}
// TestValidatePolicySeverity_InvalidSeverity tests invalid severity levels.
func TestValidatePolicySeverity_InvalidSeverity(t *testing.T) {
tests := []struct {
name string
sev interface{}
wantErr bool
}{
{
name: "lowercase warning",
sev: "warning",
wantErr: true,
},
{
name: "nonexistent severity",
sev: "Severe",
wantErr: true,
},
{
name: "empty string",
sev: "",
wantErr: true,
},
{
name: "integer",
sev: 1,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidatePolicySeverity(tt.sev)
if (err != nil) != tt.wantErr {
t.Errorf("ValidatePolicySeverity(%v) error = %v, wantErr %v", tt.sev, err, tt.wantErr)
}
if err != nil {
ve, ok := err.(ValidationError)
if !ok {
t.Errorf("Expected ValidationError, got %T", err)
}
if ve.Field != "severity" {
t.Errorf("Expected field 'severity', got %q", ve.Field)
}
}
})
}
}
// TestValidationError_ErrorMessage tests ValidationError.Error() method.
func TestValidationError_ErrorMessage(t *testing.T) {
tests := []struct {
name string
err ValidationError
wantMsg string
}{
{
name: "simple message",
err: ValidationError{
Field: "common_name",
Message: "common_name is required",
},
wantMsg: "common_name is required",
},
{
name: "detailed message",
err: ValidationError{
Field: "csr_pem",
Message: "csr_pem must be a valid PEM-encoded certificate request",
},
wantMsg: "csr_pem must be a valid PEM-encoded certificate request",
},
{
name: "error with field info",
err: ValidationError{
Field: "test_field",
Message: fmt.Sprintf("test_field must be 10 characters or fewer"),
},
wantMsg: "test_field must be 10 characters or fewer",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
errMsg := tt.err.Error()
if errMsg != tt.wantMsg {
t.Errorf("ValidationError.Error() = %q, want %q", errMsg, tt.wantMsg)
}
})
}
}
// TestValidationError_IsError tests that ValidationError satisfies error interface.
func TestValidationError_IsError(t *testing.T) {
var err error = ValidationError{
Field: "test",
Message: "test error",
}
if err == nil {
t.Error("ValidationError should satisfy error interface")
}
msg := err.Error()
if msg != "test error" {
t.Errorf("Expected error message 'test error', got %q", msg)
}
}
// pkixName is a helper function to create PKIX name (used in CSR generation).
func pkixName(cn string) pkix.Name {
return pkix.Name{
CommonName: cn,
}
}