mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 20:51:30 +00:00
shankar0123
68f6fd474b
Closes #7. The issuer create/update handlers swallowed all service errors as generic 500s. Now differentiates: 409 for UNIQUE constraint violations, 400 for unsupported issuer type, 404 for not-found on update, 500 for unknown errors. Adds structured error logging via slog. OnboardingWizard now pre-populates config field defaults when a type is selected (matching IssuersPage behavior), preventing empty required fields from causing silent failures. install-agent.sh hardened for curl|bash usage: --agent-id flag, =value syntax, /dev/tty stdin reopening, proper stderr routing in download_binary, non-interactive install examples in help text, and updated wizard commands. Adds adversarial security tests for EST, path traversal, and query injection handlers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
546 lines
14 KiB
Go
546 lines
14 KiB
Go
package handler
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/shankar0123/certctl/internal/domain"
|
|
)
|
|
|
|
// MockIssuerService is a mock implementation of IssuerService interface.
|
|
type MockIssuerService struct {
|
|
ListIssuersFn func(page, perPage int) ([]domain.Issuer, int64, error)
|
|
GetIssuerFn func(id string) (*domain.Issuer, error)
|
|
CreateIssuerFn func(issuer domain.Issuer) (*domain.Issuer, error)
|
|
UpdateIssuerFn func(id string, issuer domain.Issuer) (*domain.Issuer, error)
|
|
DeleteIssuerFn func(id string) error
|
|
TestConnectionFn func(id string) error
|
|
}
|
|
|
|
func (m *MockIssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64, error) {
|
|
if m.ListIssuersFn != nil {
|
|
return m.ListIssuersFn(page, perPage)
|
|
}
|
|
return nil, 0, nil
|
|
}
|
|
|
|
func (m *MockIssuerService) GetIssuer(id string) (*domain.Issuer, error) {
|
|
if m.GetIssuerFn != nil {
|
|
return m.GetIssuerFn(id)
|
|
}
|
|
return nil, nil
|
|
}
|
|
|
|
func (m *MockIssuerService) CreateIssuer(issuer domain.Issuer) (*domain.Issuer, error) {
|
|
if m.CreateIssuerFn != nil {
|
|
return m.CreateIssuerFn(issuer)
|
|
}
|
|
return nil, nil
|
|
}
|
|
|
|
func (m *MockIssuerService) UpdateIssuer(id string, issuer domain.Issuer) (*domain.Issuer, error) {
|
|
if m.UpdateIssuerFn != nil {
|
|
return m.UpdateIssuerFn(id, issuer)
|
|
}
|
|
return nil, nil
|
|
}
|
|
|
|
func (m *MockIssuerService) DeleteIssuer(id string) error {
|
|
if m.DeleteIssuerFn != nil {
|
|
return m.DeleteIssuerFn(id)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (m *MockIssuerService) TestConnection(id string) error {
|
|
if m.TestConnectionFn != nil {
|
|
return m.TestConnectionFn(id)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func TestListIssuers_Success(t *testing.T) {
|
|
now := time.Now()
|
|
iss1 := domain.Issuer{
|
|
ID: "iss-local",
|
|
Name: "Local CA",
|
|
Type: "LocalCA",
|
|
Enabled: true,
|
|
CreatedAt: now,
|
|
UpdatedAt: now,
|
|
}
|
|
iss2 := domain.Issuer{
|
|
ID: "iss-acme",
|
|
Name: "ACME Staging",
|
|
Type: "ACME",
|
|
Enabled: true,
|
|
CreatedAt: now,
|
|
UpdatedAt: now,
|
|
}
|
|
|
|
mock := &MockIssuerService{
|
|
ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
|
|
return []domain.Issuer{iss1, iss2}, 2, nil
|
|
},
|
|
}
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers", nil)
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.ListIssuers(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected status 200, got %d", w.Code)
|
|
}
|
|
|
|
var resp PagedResponse
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("failed to decode response: %v", err)
|
|
}
|
|
if resp.Total != 2 {
|
|
t.Errorf("expected total 2, got %d", resp.Total)
|
|
}
|
|
}
|
|
|
|
func TestListIssuers_Pagination(t *testing.T) {
|
|
var capturedPage, capturedPerPage int
|
|
mock := &MockIssuerService{
|
|
ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
|
|
capturedPage = page
|
|
capturedPerPage = perPage
|
|
return []domain.Issuer{}, 0, nil
|
|
},
|
|
}
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers?page=2&per_page=10", nil)
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.ListIssuers(w, req)
|
|
|
|
if capturedPage != 2 {
|
|
t.Errorf("expected page 2, got %d", capturedPage)
|
|
}
|
|
if capturedPerPage != 10 {
|
|
t.Errorf("expected per_page 10, got %d", capturedPerPage)
|
|
}
|
|
}
|
|
|
|
func TestListIssuers_ServiceError(t *testing.T) {
|
|
mock := &MockIssuerService{
|
|
ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
|
|
return nil, 0, ErrMockServiceFailed
|
|
},
|
|
}
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers", nil)
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.ListIssuers(w, req)
|
|
|
|
if w.Code != http.StatusInternalServerError {
|
|
t.Fatalf("expected status 500, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestListIssuers_MethodNotAllowed(t *testing.T) {
|
|
handler := NewIssuerHandler(&MockIssuerService{})
|
|
req := httptest.NewRequest(http.MethodDelete, "/api/v1/issuers", nil)
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.ListIssuers(w, req)
|
|
|
|
if w.Code != http.StatusMethodNotAllowed {
|
|
t.Fatalf("expected status 405, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestGetIssuer_Success(t *testing.T) {
|
|
now := time.Now()
|
|
mock := &MockIssuerService{
|
|
GetIssuerFn: func(id string) (*domain.Issuer, error) {
|
|
return &domain.Issuer{
|
|
ID: id,
|
|
Name: "Local CA",
|
|
Type: "LocalCA",
|
|
Enabled: true,
|
|
CreatedAt: now,
|
|
UpdatedAt: now,
|
|
}, nil
|
|
},
|
|
}
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers/iss-local", nil)
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.GetIssuer(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected status 200, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestGetIssuer_NotFound(t *testing.T) {
|
|
mock := &MockIssuerService{
|
|
GetIssuerFn: func(id string) (*domain.Issuer, error) {
|
|
return nil, ErrMockNotFound
|
|
},
|
|
}
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers/nonexistent", nil)
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.GetIssuer(w, req)
|
|
|
|
if w.Code != http.StatusNotFound {
|
|
t.Fatalf("expected status 404, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestGetIssuer_EmptyID(t *testing.T) {
|
|
handler := NewIssuerHandler(&MockIssuerService{})
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/issuers/", nil)
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.GetIssuer(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected status 400, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestCreateIssuer_Success(t *testing.T) {
|
|
now := time.Now()
|
|
mock := &MockIssuerService{
|
|
CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
|
|
issuer.ID = "iss-new"
|
|
issuer.CreatedAt = now
|
|
issuer.UpdatedAt = now
|
|
return &issuer, nil
|
|
},
|
|
}
|
|
|
|
body := map[string]interface{}{
|
|
"name": "New Issuer",
|
|
"type": "LocalCA",
|
|
}
|
|
bodyBytes, _ := json.Marshal(body)
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers", bytes.NewReader(bodyBytes))
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.CreateIssuer(w, req)
|
|
|
|
if w.Code != http.StatusCreated {
|
|
t.Fatalf("expected status 201, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestCreateIssuer_MissingName(t *testing.T) {
|
|
body := map[string]interface{}{
|
|
"type": "LocalCA",
|
|
}
|
|
bodyBytes, _ := json.Marshal(body)
|
|
|
|
handler := NewIssuerHandler(&MockIssuerService{})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers", bytes.NewReader(bodyBytes))
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.CreateIssuer(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected status 400, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestCreateIssuer_MissingType(t *testing.T) {
|
|
body := map[string]interface{}{
|
|
"name": "New Issuer",
|
|
}
|
|
bodyBytes, _ := json.Marshal(body)
|
|
|
|
handler := NewIssuerHandler(&MockIssuerService{})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers", bytes.NewReader(bodyBytes))
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.CreateIssuer(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected status 400, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestCreateIssuer_InvalidJSON(t *testing.T) {
|
|
handler := NewIssuerHandler(&MockIssuerService{})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers", bytes.NewReader([]byte("{invalid")))
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.CreateIssuer(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected status 400, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestCreateIssuer_NameTooLong(t *testing.T) {
|
|
longName := ""
|
|
for i := 0; i < 256; i++ {
|
|
longName += "x"
|
|
}
|
|
body := map[string]interface{}{
|
|
"name": longName,
|
|
"type": "LocalCA",
|
|
}
|
|
bodyBytes, _ := json.Marshal(body)
|
|
|
|
handler := NewIssuerHandler(&MockIssuerService{})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers", bytes.NewReader(bodyBytes))
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.CreateIssuer(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected status 400, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestCreateIssuer_DuplicateName(t *testing.T) {
|
|
mock := &MockIssuerService{
|
|
CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
|
|
return nil, fmt.Errorf("failed to create issuer: duplicate key value violates unique constraint \"issuers_name_key\"")
|
|
},
|
|
}
|
|
|
|
body := map[string]interface{}{
|
|
"name": "ACME Issuer",
|
|
"type": "ACME",
|
|
}
|
|
bodyBytes, _ := json.Marshal(body)
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers", bytes.NewReader(bodyBytes))
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.CreateIssuer(w, req)
|
|
|
|
if w.Code != http.StatusConflict {
|
|
t.Fatalf("expected status 409, got %d", w.Code)
|
|
}
|
|
|
|
var resp ErrorResponse
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("failed to decode response: %v", err)
|
|
}
|
|
if !strings.Contains(resp.Message, "already exists") {
|
|
t.Errorf("expected message to contain 'already exists', got %q", resp.Message)
|
|
}
|
|
}
|
|
|
|
func TestCreateIssuer_UnsupportedType(t *testing.T) {
|
|
mock := &MockIssuerService{
|
|
CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
|
|
return nil, fmt.Errorf("unsupported issuer type: FakeCA")
|
|
},
|
|
}
|
|
|
|
body := map[string]interface{}{
|
|
"name": "Fake Issuer",
|
|
"type": "FakeCA",
|
|
}
|
|
bodyBytes, _ := json.Marshal(body)
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers", bytes.NewReader(bodyBytes))
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.CreateIssuer(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected status 400, got %d", w.Code)
|
|
}
|
|
|
|
var resp ErrorResponse
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("failed to decode response: %v", err)
|
|
}
|
|
if !strings.Contains(resp.Message, "unsupported issuer type") {
|
|
t.Errorf("expected message to contain 'unsupported issuer type', got %q", resp.Message)
|
|
}
|
|
}
|
|
|
|
func TestCreateIssuer_GenericServiceError(t *testing.T) {
|
|
mock := &MockIssuerService{
|
|
CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
|
|
return nil, fmt.Errorf("failed to encrypt config: cipher error")
|
|
},
|
|
}
|
|
|
|
body := map[string]interface{}{
|
|
"name": "Some Issuer",
|
|
"type": "ACME",
|
|
}
|
|
bodyBytes, _ := json.Marshal(body)
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers", bytes.NewReader(bodyBytes))
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.CreateIssuer(w, req)
|
|
|
|
if w.Code != http.StatusInternalServerError {
|
|
t.Fatalf("expected status 500, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestUpdateIssuer_DuplicateName(t *testing.T) {
|
|
mock := &MockIssuerService{
|
|
UpdateIssuerFn: func(id string, issuer domain.Issuer) (*domain.Issuer, error) {
|
|
return nil, fmt.Errorf("failed to update issuer: duplicate key value violates unique constraint")
|
|
},
|
|
}
|
|
|
|
body := map[string]interface{}{
|
|
"name": "Existing Name",
|
|
"type": "ACME",
|
|
}
|
|
bodyBytes, _ := json.Marshal(body)
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodPut, "/api/v1/issuers/iss-test", bytes.NewReader(bodyBytes))
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.UpdateIssuer(w, req)
|
|
|
|
if w.Code != http.StatusConflict {
|
|
t.Fatalf("expected status 409, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestDeleteIssuer_Success(t *testing.T) {
|
|
var deletedID string
|
|
mock := &MockIssuerService{
|
|
DeleteIssuerFn: func(id string) error {
|
|
deletedID = id
|
|
return nil
|
|
},
|
|
}
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodDelete, "/api/v1/issuers/iss-local", nil)
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.DeleteIssuer(w, req)
|
|
|
|
if w.Code != http.StatusNoContent {
|
|
t.Fatalf("expected status 204, got %d", w.Code)
|
|
}
|
|
if deletedID != "iss-local" {
|
|
t.Errorf("expected deleted ID 'iss-local', got '%s'", deletedID)
|
|
}
|
|
}
|
|
|
|
func TestDeleteIssuer_ServiceError(t *testing.T) {
|
|
mock := &MockIssuerService{
|
|
DeleteIssuerFn: func(id string) error {
|
|
return ErrMockServiceFailed
|
|
},
|
|
}
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodDelete, "/api/v1/issuers/iss-local", nil)
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.DeleteIssuer(w, req)
|
|
|
|
if w.Code != http.StatusInternalServerError {
|
|
t.Fatalf("expected status 500, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestTestConnection_Success(t *testing.T) {
|
|
mock := &MockIssuerService{
|
|
TestConnectionFn: func(id string) error {
|
|
return nil
|
|
},
|
|
}
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers/iss-local/test", nil)
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.TestConnection(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected status 200, got %d", w.Code)
|
|
}
|
|
|
|
var resp map[string]string
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("failed to decode response: %v", err)
|
|
}
|
|
if resp["status"] != "connection_successful" {
|
|
t.Errorf("expected status 'connection_successful', got '%s'", resp["status"])
|
|
}
|
|
}
|
|
|
|
func TestTestConnection_Failure(t *testing.T) {
|
|
mock := &MockIssuerService{
|
|
TestConnectionFn: func(id string) error {
|
|
return ErrMockServiceFailed
|
|
},
|
|
}
|
|
|
|
handler := NewIssuerHandler(mock)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers/iss-local/test", nil)
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.TestConnection(w, req)
|
|
|
|
if w.Code != http.StatusInternalServerError {
|
|
t.Fatalf("expected status 500, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestTestConnection_EmptyID(t *testing.T) {
|
|
handler := NewIssuerHandler(&MockIssuerService{})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers//test", nil)
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
handler.TestConnection(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected status 400, got %d", w.Code)
|
|
}
|
|
}
|