test: expand security regression coverage

2026-04-30 04:20:20 +00:00 · 2026-02-04 10:28:41 +00:00 · 2026-02-04 10:28:41 +00:00 · b9eee668e5
commit b9eee668e5
parent 4bebd2f576
16 changed files with 2644 additions and 0 deletions
--- a/internal/api/router_proxy_auth_security_test.go
+++ b/internal/api/router_proxy_auth_security_test.go
@ -0,0 +1,107 @@
+package api
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/rcourtman/pulse-go-rewrite/internal/config"
+)
+
+func TestProxyAuthNonAdminCannotResetLockout(t *testing.T) {
+	t.Setenv("PULSE_DATA_DIR", t.TempDir())
+
+	cfg := &config.Config{
+		ProxyAuthSecret:     "proxy-secret",
+		ProxyAuthUserHeader: "X-Proxy-User",
+		ProxyAuthRoleHeader: "X-Proxy-Roles",
+		ProxyAuthAdminRole:  "admin",
+	}
+
+	router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
+
+	body, err := json.Marshal(map[string]string{"identifier": "user1"})
+	if err != nil {
+		t.Fatalf("marshal body: %v", err)
+	}
+
+	req := httptest.NewRequest(http.MethodPost, "/api/security/reset-lockout", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("X-Proxy-Secret", "proxy-secret")
+	req.Header.Set("X-Proxy-User", "viewer")
+	req.Header.Set("X-Proxy-Roles", "viewer|user")
+	rec := httptest.NewRecorder()
+
+	router.Handler().ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusForbidden {
+		t.Fatalf("expected status %d, got %d (%s)", http.StatusForbidden, rec.Code, rec.Body.String())
+	}
+}
+
+func TestProxyAuthAdminCanResetLockoutWithSettingsScope(t *testing.T) {
+	t.Setenv("PULSE_DATA_DIR", t.TempDir())
+
+	rawToken := "proxy-admin-token-123.12345678"
+	record, err := config.NewAPITokenRecord(rawToken, "admin-token", []string{config.ScopeSettingsWrite})
+	if err != nil {
+		t.Fatalf("new token record: %v", err)
+	}
+
+	cfg := &config.Config{
+		ProxyAuthSecret:     "proxy-secret",
+		ProxyAuthUserHeader: "X-Proxy-User",
+		ProxyAuthRoleHeader: "X-Proxy-Roles",
+		ProxyAuthAdminRole:  "admin",
+		APITokens:           []config.APITokenRecord{*record},
+	}
+	cfg.SortAPITokens()
+
+	router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
+
+	body, err := json.Marshal(map[string]string{"identifier": "user1"})
+	if err != nil {
+		t.Fatalf("marshal body: %v", err)
+	}
+
+	req := httptest.NewRequest(http.MethodPost, "/api/security/reset-lockout", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("X-Proxy-Secret", "proxy-secret")
+	req.Header.Set("X-Proxy-User", "adminuser")
+	req.Header.Set("X-Proxy-Roles", "viewer|admin")
+	req.Header.Set("X-API-Token", rawToken)
+	rec := httptest.NewRecorder()
+
+	router.Handler().ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected status %d, got %d (%s)", http.StatusOK, rec.Code, rec.Body.String())
+	}
+}
+
+func TestSecurityStatusAccessibleWithProxyAuth(t *testing.T) {
+	t.Setenv("PULSE_DATA_DIR", t.TempDir())
+
+	cfg := &config.Config{
+		ProxyAuthSecret:     "proxy-secret",
+		ProxyAuthUserHeader: "X-Proxy-User",
+		ProxyAuthRoleHeader: "X-Proxy-Roles",
+		ProxyAuthAdminRole:  "admin",
+	}
+
+	router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
+
+	req := httptest.NewRequest(http.MethodGet, "/api/security/status", nil)
+	req.Header.Set("X-Proxy-Secret", "proxy-secret")
+	req.Header.Set("X-Proxy-User", "viewer")
+	req.Header.Set("X-Proxy-Roles", "viewer|user")
+	rec := httptest.NewRecorder()
+
+	router.Handler().ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected status %d, got %d (%s)", http.StatusOK, rec.Code, rec.Body.String())
+	}
+}