gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-11 05:48:53 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fe0912c68335065de4ec1801bef6cb29de44d32e
certctl/web/src/pages/CertificateDetailPage.test.tsx
T
Shankar fe0912c683 Bundle H follow-up: fix Pass 3 test mock shape mismatches caught by CI 
CI surfaced two real failures in the Pass 3 tests:

1. ObservabilityPage.test.tsx — tests 2 + 3 mocked getMetrics with only

   the uptime field, but ObservabilityPage.tsx:85 reads metrics.gauge

   .certificate_total. Test 2 silently 'passed' because the page error

   bailed out before any rendering took place — its assertions (no live

   <script>, __xss_pwned__ undefined) became vacuous; test 3 surfaced

   the actual TypeError. Fix: every getMetrics mock now returns the full

   MetricsResponse shape (gauge / counter / uptime) per src/api/types.ts

   :517 — sanity-checked against the actual TS interface.

2. CertificateDetailPage.test.tsx — the xssCert mock was missing

   updated_at, which CertificateDetailPage.tsx:605 reads through

   formatDateTime. formatDateTime tolerates undefined per utils.ts:6,

   so the page didn't throw, but the cert mock should mirror the real

   ManagedCertificate shape — added updated_at.

Both fixes are mock-shape corrections; no production code changes.
2026-04-27 03:18:51 +00:00

117 lines
4.6 KiB
TypeScript
Raw Blame History

import { describe, it, expect, vi, beforeEach } from 'vitest';
import { render, screen, waitFor, cleanup } from '@testing-library/react';
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
import { MemoryRouter, Route, Routes } from 'react-router-dom';
import type { ReactNode } from 'react';
// -----------------------------------------------------------------------------
// M-029 Pass 3 (Audit M-026): CertificateDetailPage XSS-hardening + render
// coverage.
//
// CertificateDetailPage surfaces cert subject DN, SANs, issuer DN, version
// history, deployment job error messages — every one of these is either
// CSR-controlled (subject / SANs) or upstream-CA / target-side error text.
// The M-004 MCP fence handles inside-LLM safety; this test pins GUI XSS
// safety on the same data.
// -----------------------------------------------------------------------------
vi.mock('../api/client', () => ({
getCertificate: vi.fn(),
getCertificateVersions: vi.fn(),
getTargets: vi.fn(),
getProfile: vi.fn(),
getProfiles: vi.fn(),
getJobs: vi.fn(),
getRenewalPolicies: vi.fn(),
triggerRenewal: vi.fn(),
triggerDeployment: vi.fn(),
archiveCertificate: vi.fn(),
revokeCertificate: vi.fn(),
updateCertificate: vi.fn(),
downloadCertificatePEM: vi.fn(),
exportCertificatePKCS12: vi.fn(),
}));
import CertificateDetailPage from './CertificateDetailPage';
import * as client from '../api/client';
function renderRoute(ui: ReactNode, path = '/certificates/mc-xss-001') {
const qc = new QueryClient({
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
});
return render(
<QueryClientProvider client={qc}>
<MemoryRouter initialEntries={[path]}>
<Routes>
<Route path="/certificates/:id" element={ui} />
</Routes>
</MemoryRouter>
</QueryClientProvider>,
);
}
const xssPayload = '<script data-xss="cert-detail">window.__xss_pwned__=1;</script>';
const xssCert = {
id: 'mc-xss-001',
name: xssPayload,
common_name: xssPayload,
sans: [xssPayload, 'plain.example.com'],
status: 'Active',
environment: xssPayload,
issuer_id: 'iss-xss',
certificate_profile_id: 'cp-xss',
owner_id: 'o-xss',
team_id: 't-xss',
renewal_policy_id: 'rp-xss',
expires_at: new Date(Date.now() + 30 * 86400000).toISOString(),
created_at: new Date().toISOString(),
updated_at: new Date().toISOString(),
not_before: new Date(Date.now() - 86400000).toISOString(),
not_after: new Date(Date.now() + 30 * 86400000).toISOString(),
serial_number: xssPayload,
fingerprint_sha256: xssPayload,
pem_encoded: xssPayload,
};
describe('CertificateDetailPage — render + XSS hardening (M-026 / M-029 Pass 3)', () => {
beforeEach(() => {
vi.clearAllMocks();
cleanup();
delete (window as unknown as { __xss_pwned__?: number }).__xss_pwned__;
// Wire defaults for the sidecar queries — every page render fans out
// 7+ queries and any unmocked call will reject and surface an error
// boundary instead of the page body.
vi.mocked(client.getCertificate).mockResolvedValue(xssCert as never);
vi.mocked(client.getCertificateVersions).mockResolvedValue([] as never);
vi.mocked(client.getTargets).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
vi.mocked(client.getProfile).mockResolvedValue({ id: 'cp-xss', name: 'Profile' } as never);
vi.mocked(client.getProfiles).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
vi.mocked(client.getRenewalPolicies).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 500 } as never);
vi.mocked(client.getJobs).mockResolvedValue({ data: [], total: 0, page: 1, per_page: 50 } as never);
});
it('renders the page when getCertificate resolves', async () => {
vi.mocked(client.getCertificate).mockResolvedValue({ ...xssCert, common_name: 'plain.example.com' } as never);
renderRoute(<CertificateDetailPage />);
await waitFor(() => {
expect(screen.getByText('plain.example.com')).toBeInTheDocument();
});
});
it('does NOT execute <script> payloads in cert subject / SANs / serial / pem', async () => {
renderRoute(<CertificateDetailPage />);
await waitFor(() => {
expect(document.body.textContent ?? '').toContain('<script data-xss="cert-detail">');
});
const liveScripts = document.querySelectorAll('script[data-xss="cert-detail"]');
expect(liveScripts.length, 'cert fields must not inject a live <script>').toBe(0);
expect(
(window as unknown as { __xss_pwned__?: number }).__xss_pwned__,
'cert <script> body must not have executed',
).toBeUndefined();
});
});
Reference in New Issue View Git Blame Copy Permalink