tiny-forge/internal/staticsite/safehttp_test.go
alexei.dolgolyov ea55d31177
Build / build (push) Successful in 10m43s
feat(discovery+runtime): restore static-site wizard discovery + close /sites/[id] feature parity
Two-stage feature arc closing the gaps left by the hard legacy cutover.
The static-site creation wizard regains its auto-discovery + connection-test
flow; /apps/[id] grows the runtime/storage/lifecycle surface the legacy
/sites/[id] page used to expose.

Backend (Go)
- internal/api/discovery.go: six admin-gated endpoints wrapping
  staticsite.GitProvider — POST /api/discovery/git/{detect-provider,
  test-connection,repos,branches,tree} + GET /api/discovery/image/conflicts.
  Identifier validation (validateGitIdent / validateGitBranch) at the
  boundary so provider URL interpolation cannot be hijacked via `..`.
  Upstream errors scrubbed: detailed slog on the server, generic 502 to
  the client (mitigates token-reflection-in-error-page).
- internal/api/workload_runtime.go: four endpoints —
  GET /api/workloads/{id}/runtime-state decodes containers.extra_json for
  static workloads; GET /api/workloads/{id}/storage execs `du -sb /app/data`
  with a 30s in-process cache (storageProbeCache) so polling can't turn
  into per-request execs; POST /api/workloads/{id}/{stop,start} iterate
  ListContainersByWorkload and call docker.StopContainer / StartContainer,
  returning 200 / 409 (nothing to act on) / 502 (all failed).
- internal/staticsite/safehttp.go: NewSafeHTTPClient + ValidateBaseURL +
  blockReason. DialContext re-resolves hostnames and refuses loopback /
  link-local / multicast / unspecified addresses. RFC1918 + ULA explicitly
  allowed (self-hosted Gitea on LAN is the dominant deployment).
  Replaced four raw &http.Client{} constructions in the provider files.
- internal/staticsite/gitlab_provider.go: url.PathEscape each segment in
  the raw-file URL builder for parity with projectPath().
- Test coverage: 26 cases in discovery_test.go (image-tag stripping,
  source-config decoding, conflict scenarios, validator boundaries,
  scheme rejection), 14 in workload_runtime_test.go (404 / 409 / nil-docker
  / probe-cache), 16 in safehttp_test.go (URL validation + block-reason
  policy matrix + live dial against loopback + AWS metadata literals).

Frontend (Svelte 5 + runes)
- web/src/lib/api.ts: typed wrappers for every endpoint, AbortSignal
  threaded through post(); ApiError exported so callers can narrow on
  e.status; new DetectedGitProvider narrow union.
- web/src/routes/apps/new/+page.svelte: static-form discovery controls
  (auto-detect provider, test connection, repo / branch / folder
  EntityPickers, Deno auto-detect); image-form conflict panel with
  debounced lookup + double-click submit guard ("Forge anyway") + Inspect
  button that pre-fills port/healthcheck; English error fallbacks routed
  through apps.new.errors.* (en + ru).
- web/src/routes/apps/[id]/+page.svelte: runtime-state panel + storage
  panel + Stop / Start / Open-site toolbar; universal live-state badge
  in the hero lede for image/compose/static (RUNNING / TRANSITIONING /
  STOPPED / NOT DEPLOYED / MIXED · n/m RUNNING); ContainerStats panel
  per row (auto-collapsing native <details> when N > 2); read-only
  webhook bindings summary card; responsive toolbar overflow with native
  <details> at <640px (z-index 100 above sticky nav).
- web/src/app.css: project-wide .forge-btn-ghost:focus-visible outline.

Hardening from go-reviewer + security-reviewer + typescript-reviewer +
frontend-design UI/UX subagents (0 CRITICAL, all HIGH/BLOCKER addressed
inline, IMPORTANT applied before commit):
- AbortController + per-call sequence tokens on every long-running
  fetch (loadRuntimeState / loadStorage / loadTriggerMeta / inspectImage /
  listImageConflicts) plus onDestroy cleanup so late resolves cannot
  mutate dead component state.
- doStop / doStart snapshot and restore `error` across the finally-block
  reload so a load()-cleared message doesn't hide a real failure.
- triggersById refreshed after inline trigger creation so the webhook
  card doesn't silently exclude the just-created trigger.
- Live-state badge wraps in role=status / aria-live=polite (no redundant
  aria-label).
- Webhook row has a single click target (was two pointing at the same URL).
- Empty webhook section hides entirely.
- Dropped role=menu / role=menuitem from the overflow menu (they would
  promise arrow-key nav we don't wire; native Tab + ESC carry it).

Doc
- docs/CODEMAPS/INDEX.md + new docs/CODEMAPS/discovery-and-runtime.md
  map the endpoint surface, security posture, frontend integration
  patterns, and an "add a new probe" recipe.

Verification
- svelte-check: 0 errors, 3 pre-existing a11y warnings.
- go build + go vet + go test ./...: all green.
- i18n parity: en + ru at 1413 keys each.
- Live smoke against :8090: 404 / 409 / 502 envelopes correct, discovery
  sanity passes, ProbeError surfaces on no-container path.
2026-05-16 21:35:51 +03:00


package staticsite

import (
	"context"
	"errors"
	"net"
	"net/http"
	"strings"
	"testing"
	"time"
)

func TestValidateBaseURL(t *testing.T) {
	cases := []struct {
		name      string
		input     string
		wantError bool
	}{
		{"https", "https://git.example.com", false},
		{"http", "http://git.example.com", false},
		{"trailing_slash", "https://git.example.com/", false},
		{"with_path", "https://git.example.com/sub", false},
		{"with_port", "https://git.example.com:8080", false},
		{"empty", "", true},
		{"whitespace_only", " ", true},
		{"ftp_scheme", "ftp://git.example.com", true},
		{"file_scheme", "file:///etc/passwd", true},
		{"no_scheme", "git.example.com", true},
		{"scheme_no_host", "https://", true},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			err := ValidateBaseURL(tc.input)
			if tc.wantError && err == nil {
				t.Errorf("ValidateBaseURL(%q) = nil, want error", tc.input)
			}
			if !tc.wantError && err != nil {
				t.Errorf("ValidateBaseURL(%q) = %v, want nil", tc.input, err)
			}
		})
	}
}

func TestBlockReason_PolicyMatrix(t *testing.T) {
	cases := []struct {
		name        string
		ip          string
		wantBlocked bool
	}{
		// Allowed.
		{"public_v4", "8.8.8.8", false},
		{"rfc1918_10", "10.0.0.1", false},
		{"rfc1918_172_16", "172.16.0.1", false},
		{"rfc1918_192_168", "192.168.1.1", false},
		{"public_v6", "2606:4700:4700::1111", false},
		{"ula_v6", "fd00::1", false}, // ULA private — allowed, mirrors RFC1918
		// Blocked.
		{"loopback_v4", "127.0.0.1", true},
		{"loopback_v6", "::1", true},
		{"unspecified_v4", "0.0.0.0", true},
		{"unspecified_v6", "::", true},
		{"link_local_v4_metadata", "169.254.169.254", true}, // AWS/GCP metadata
		{"link_local_v6", "fe80::1", true},
		{"multicast_v4", "224.0.0.1", true},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			ip := net.ParseIP(tc.ip)
			if ip == nil {
				t.Fatalf("parse %q", tc.ip)
			}
			got := blockReason(ip)
			blocked := got != ""
			if blocked != tc.wantBlocked {
				t.Errorf("blockReason(%s) = %q (blocked=%v), want blocked=%v",
					tc.ip, got, blocked, tc.wantBlocked)
			}
		})
	}
}

// TestSafeHTTPClient_RejectsLoopbackLiteral exercises the actual dial
// path: a request to a loopback literal must fail before any TCP work
// happens, with ErrBlockedAddress in the chain.
func TestSafeHTTPClient_RejectsLoopbackLiteral(t *testing.T) {
	client := NewSafeHTTPClient(2 * time.Second)
	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://127.0.0.1:1/", nil)
	if err != nil {
		t.Fatalf("new request: %v", err)
	}
	_, err = client.Do(req)
	if err == nil {
		t.Fatal("expected error, got nil")
	}
	if !errors.Is(err, ErrBlockedAddress) && !strings.Contains(err.Error(), "blocked") {
		t.Errorf("err = %v, expected ErrBlockedAddress in chain or 'blocked' in message", err)
	}
}

// TestSafeHTTPClient_RejectsAWSMetadataLiteral mirrors the loopback
// case but for the AWS/GCP cloud metadata IP (link-local).
func TestSafeHTTPClient_RejectsAWSMetadataLiteral(t *testing.T) {
	client := NewSafeHTTPClient(2 * time.Second)
	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://169.254.169.254/latest/meta-data/", nil)
	if err != nil {
		t.Fatalf("new request: %v", err)
	}
	_, err = client.Do(req)
	if err == nil {
		t.Fatal("expected error, got nil")
	}
	if !errors.Is(err, ErrBlockedAddress) && !strings.Contains(err.Error(), "blocked") {
		t.Errorf("err = %v, expected ErrBlockedAddress in chain or 'blocked' in message", err)
	}
}
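As an added reference implementation, not tiny-forge's own safehttp.go, this is the policy the tests above exercise: blockReason as a pure check on one resolved IP, and NewSafeHTTPClient with a DialContext that resolves the hostname itself and vets every returned address before any TCP connect. The package name, the ErrBlockedAddress sentinel and the reason strings are assumptions; the allow/deny split (RFC1918 and ULA allowed, loopback/link-local/multicast/unspecified refused) follows the commit message.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// ErrBlockedAddress is wrapped into the dial error when an address fails the policy (assumed name).
var ErrBlockedAddress = errors.New("safehttp: blocked address")

// blockReason returns "" for a dialable ip, else why it is refused. Loopback, link-local (which
// covers 169.254.169.254), multicast and unspecified are refused; RFC1918 and IPv6 ULA pass.
func blockReason(ip net.IP) string {
	switch {
	case ip.IsUnspecified():
		return "unspecified"
	case ip.IsLoopback():
		return "loopback"
	case ip.IsMulticast():
		return "multicast"
	case ip.IsLinkLocalUnicast():
		return "link-local"
	}
	return ""
}

// NewSafeHTTPClient resolves the host inside DialContext and vets every resolved address, so a
// name pointing at 127.0.0.1 or the metadata IP fails before connecting; redirects reuse the transport.
func NewSafeHTTPClient(timeout time.Duration) *http.Client {
	dialer := &net.Dialer{Timeout: timeout}
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, _ := net.SplitHostPort(addr) // http.Transport always passes host:port
		ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
		for _, ipa := range ips {
			if why := blockReason(ipa.IP); why != "" {
				return nil, fmt.Errorf("%w: %s -> %s (%s)", ErrBlockedAddress, host, ipa.IP, why)
			}
		}
		// Dial the vetted literal, not the name: a second lookup could return a different IP.
		return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
	}
	return &http.Client{Timeout: timeout, Transport: &http.Transport{DialContext: dial}}
}
```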