gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-09 06:48:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9201efddde2d4a3a792786ef8ec8b4f3abe9f2b5
certctl/web/src/pages/ObservabilityPage.test.tsx
T
Shankar 668a7bad11 Bundle H follow-up #2: end-to-end fix for Pass 3 CI multi-match failures 
Second CI run surfaced 8 real failures across 7 detail/list pages and 1

mock-shape error. Root causes:

  1. Multi-match disambiguation. screen.getByText(...) matched both the

     PageHeader <h2> AND duplicated text in InfoRow / detail-row spans

     within the same page (e.g., issuer name appears as page title AND

     in the Issuer Details panel; cert.common_name appears as page title

     AND in the Common Name InfoRow). The regex variants (getByText(/X/i))

     were even worse — matched any element containing the substring.

  2. NetworkScanPage mock-shape. xssScanTarget.ports was '443,8443'

     (string), but NetworkScanPage.tsx:180 calls t.ports?.join() which

     requires a number[] per src/api/types.ts:506. Page errored before

     rendering the DataTable, so the XSS test's body.textContent

     assertion saw an empty string.

Fixes:

  - Every page-title assertion in the 14 Pass 3 test files now uses

    screen.getByRole('heading', { level: 2, name: ... }), which matches

    ONLY the PageHeader <h2> (PageHeader.tsx:11 renders an actual <h2>).

    Detail-row spans / InfoRow text / column-header text in lower-level

    headings (h3) is excluded by the level filter.

  - NetworkScanPage xssScanTarget.ports changed from '443,8443' (string)

    to [443, 8443] (number[]) per the NetworkScanTarget TS type.

Pages with assertion fixes (8 tests across 7 files):

  - AgentFleetPage         /Agent/i        -> 'Agent Fleet Overview' (h2)

  - AuditPage              /Audit/         -> 'Audit Trail' (h2)

  - CertificateDetailPage  'plain.example.com' (text)  -> heading h2

  - HealthMonitorPage      /Health/i       -> 'Health Monitor' (h2)

  - IssuerDetailPage       'Plain Name' (text)         -> heading h2

  - JobDetailPage          /j-xss-001/ (text)          -> heading h2

  - JobsPage               /Jobs/i         -> 'Jobs' (h2)

  - ProfilesPage           /Profile/i      -> 'Certificate Profiles' (h2)

  - TargetDetailPage       'Plain Name' (text)         -> heading h2

Plus 4 already-correct pages updated for consistency:

  - DigestPage             text 'Certificate Digest'   -> heading h2

  - ObservabilityPage      text 'Observability'        -> heading h2

  - NetworkScanPage        /Network/i      -> 'Network Scanning' (h2)

  - ShortLivedPage         text 'Short-Lived...'       -> heading h2

Mock-shape fix:

  - NetworkScanPage.test.tsx  ports: '443,8443' -> [443, 8443]

End-to-end audit:

  Every Pass 3 test now anchors on the unambiguous PageHeader <h2>;

  no remaining getByText() with regex or substring that could spuriously

  multi-match. Mock data shapes verified against src/api/types.ts

  interfaces (NetworkScanTarget, MetricsResponse, ManagedCertificate).
2026-04-27 03:24:31 +00:00

132 lines
5.1 KiB
TypeScript
Raw Blame History

import { describe, it, expect, vi, beforeEach } from 'vitest';
import { render, screen, waitFor, cleanup } from '@testing-library/react';
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
import { MemoryRouter } from 'react-router-dom';
import type { ReactNode } from 'react';
// -----------------------------------------------------------------------------
// M-029 Pass 3 (Audit M-026): ObservabilityPage XSS-hardening + render coverage.
//
// ObservabilityPage renders server health + metrics. The Prometheus text
// payload (getPrometheusMetrics) is operator-facing free-form text; the
// existing implementation renders it inside a controlled <pre>{text}</pre>
// surface, which React's text-interpolation escapes automatically. This test
// pins that contract so a future refactor that switched to
// dangerouslySetInnerHTML for "rich" rendering wouldn't slip past CI.
//
// Pins:
// 1. Page renders.
// 2. health.status / metrics fields containing literal <script> payloads
// do NOT execute.
// 3. The literal payload text appears as escaped content.
// -----------------------------------------------------------------------------
vi.mock('../api/client', () => ({
getMetrics: vi.fn(),
getPrometheusMetrics: vi.fn(),
getHealth: vi.fn(),
}));
import ObservabilityPage from './ObservabilityPage';
import * as client from '../api/client';
function renderWithQuery(ui: ReactNode) {
const qc = new QueryClient({
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
});
return render(
<QueryClientProvider client={qc}>
<MemoryRouter>{ui}</MemoryRouter>
</QueryClientProvider>,
);
}
const xssPayload = '<script data-xss="observability">window.__xss_pwned__=1;</script>';
describe('ObservabilityPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
beforeEach(() => {
vi.clearAllMocks();
cleanup();
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
});
it('renders the page header when metrics + health resolve', async () => {
vi.mocked(client.getMetrics).mockResolvedValue({
gauge: {
certificate_total: 0,
certificate_active: 0,
certificate_expiring_soon: 0,
certificate_expired: 0,
certificate_revoked: 0,
agent_total: 0,
agent_online: 0,
job_pending: 0,
},
counter: { job_completed_total: 0, job_failed_total: 0 },
uptime: { uptime_seconds: 3600, server_started: new Date().toISOString(), measured_at: new Date().toISOString() },
} as never);
vi.mocked(client.getHealth).mockResolvedValue({ status: 'ok' } as never);
vi.mocked(client.getPrometheusMetrics).mockResolvedValue('# HELP up The current up state\nup 1\n' as never);
renderWithQuery(<ObservabilityPage />);
await waitFor(() => {
expect(screen.getByRole('heading', { level: 2, name: 'Observability' })).toBeInTheDocument();
});
});
it('does NOT execute <script> payloads in health.status / Prometheus text', async () => {
vi.mocked(client.getMetrics).mockResolvedValue({
gauge: {
certificate_total: 0,
certificate_active: 0,
certificate_expiring_soon: 0,
certificate_expired: 0,
certificate_revoked: 0,
agent_total: 0,
agent_online: 0,
job_pending: 0,
},
counter: { job_completed_total: 0, job_failed_total: 0 },
uptime: { uptime_seconds: 3600, server_started: new Date().toISOString(), measured_at: new Date().toISOString() },
} as never);
vi.mocked(client.getHealth).mockResolvedValue({ status: xssPayload } as never);
vi.mocked(client.getPrometheusMetrics).mockResolvedValue(xssPayload as never);
renderWithQuery(<ObservabilityPage />);
await waitFor(() => {
expect(screen.getByRole('heading', { level: 2, name: 'Observability' })).toBeInTheDocument();
});
const liveScripts = document.querySelectorAll('script[data-xss="observability"]');
expect(liveScripts.length, 'observability data must not inject a live <script>').toBe(0);
expect(
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
'observability <script> body must not have executed',
).toBeUndefined();
});
it('renders the literal Prometheus payload as escaped text', async () => {
vi.mocked(client.getMetrics).mockResolvedValue({
gauge: {
certificate_total: 0,
certificate_active: 0,
certificate_expiring_soon: 0,
certificate_expired: 0,
certificate_revoked: 0,
agent_total: 0,
agent_online: 0,
job_pending: 0,
},
counter: { job_completed_total: 0, job_failed_total: 0 },
uptime: { uptime_seconds: 3600, server_started: new Date().toISOString(), measured_at: new Date().toISOString() },
} as never);
vi.mocked(client.getHealth).mockResolvedValue({ status: 'ok' } as never);
vi.mocked(client.getPrometheusMetrics).mockResolvedValue(xssPayload as never);
renderWithQuery(<ObservabilityPage />);
await waitFor(() => {
expect(document.body.textContent ?? '').toContain('<script data-xss="observability">');
});
});
});
Reference in New Issue View Git Blame Copy Permalink