package config_test import ( "bytes" "crypto/aes" "crypto/cipher" "crypto/rand" "crypto/sha256" "encoding/base64" "encoding/json" "fmt" "io" "os" "path/filepath" "reflect" "testing" "time" "github.com/rcourtman/pulse-go-rewrite/internal/alerts" "github.com/rcourtman/pulse-go-rewrite/internal/config" "github.com/rcourtman/pulse-go-rewrite/internal/notifications" "github.com/stretchr/testify/require" "golang.org/x/crypto/pbkdf2" ) func TestSaveAlertConfig_PreservesStorageOverrideHysteresis(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } cfg := alerts.AlertConfig{ Enabled: true, StorageDefault: alerts.HysteresisThreshold{Trigger: 85, Clear: 80}, HysteresisMargin: 5.0, Overrides: map[string]alerts.ThresholdConfig{ "storage-123": { Usage: &alerts.HysteresisThreshold{Trigger: 90, Clear: 0}, }, }, } if err := cp.SaveAlertConfig(cfg); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } loaded, err := cp.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } override, ok := loaded.Overrides["storage-123"] if !ok { t.Fatalf("storage override missing after load: %+v", loaded.Overrides) } if override.Usage == nil { t.Fatalf("usage threshold nil after load") } if got, want := override.Usage.Trigger, 90.0; got != want { t.Fatalf("trigger mismatch: got %v want %v", got, want) } if got, want := override.Usage.Clear, 85.0; got != want { t.Fatalf("clear threshold mismatch: got %v want %v", got, want) } } func TestSaveAlertConfig_DoesNotOverwriteExistingClear(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } cfg := alerts.AlertConfig{ Enabled: true, HysteresisMargin: 5.0, StorageDefault: alerts.HysteresisThreshold{Trigger: 85, Clear: 80}, Overrides: map[string]alerts.ThresholdConfig{ "storage-456": { Usage: &alerts.HysteresisThreshold{Trigger: 92, Clear: 88}, }, }, } if err := cp.SaveAlertConfig(cfg); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } loaded, err := cp.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } override := loaded.Overrides["storage-456"] if override.Usage == nil { t.Fatalf("usage threshold nil") } if got, want := override.Usage.Clear, 88.0; got != want { t.Fatalf("clear threshold changed unexpectedly: got %v want %v", got, want) } } func TestSaveAlertConfig_NormalizesHostDefaults(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Config with nil/zero HostDefaults - should get defaults cfg := alerts.AlertConfig{ Enabled: true, StorageDefault: alerts.HysteresisThreshold{Trigger: 85, Clear: 80}, HostDefaults: alerts.ThresholdConfig{}, // Empty - needs defaults } if err := cp.SaveAlertConfig(cfg); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } loaded, err := cp.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } // Verify host defaults were applied if loaded.HostDefaults.CPU == nil { t.Fatal("CPU defaults should be set") } if loaded.HostDefaults.CPU.Trigger != 80 { t.Errorf("CPU trigger = %v, want 80", loaded.HostDefaults.CPU.Trigger) } if loaded.HostDefaults.Memory == nil { t.Fatal("Memory defaults should be set") } if loaded.HostDefaults.Memory.Trigger != 85 { t.Errorf("Memory trigger = %v, want 85", loaded.HostDefaults.Memory.Trigger) } if loaded.HostDefaults.Disk == nil { t.Fatal("Disk defaults should be set") } if loaded.HostDefaults.Disk.Trigger != 90 { t.Errorf("Disk trigger = %v, want 90", loaded.HostDefaults.Disk.Trigger) } } func TestSaveAlertConfig_NormalizesHostDefaultsClear(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Config with trigger set but clear=0 - should compute clear cfg := alerts.AlertConfig{ Enabled: true, StorageDefault: alerts.HysteresisThreshold{Trigger: 85, Clear: 80}, HostDefaults: alerts.ThresholdConfig{ CPU: &alerts.HysteresisThreshold{Trigger: 90, Clear: 0}, Memory: &alerts.HysteresisThreshold{Trigger: 95, Clear: 0}, Disk: &alerts.HysteresisThreshold{Trigger: 92, Clear: 0}, }, } if err := cp.SaveAlertConfig(cfg); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } loaded, err := cp.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } // Clear should be trigger - 5 if loaded.HostDefaults.CPU.Clear != 85 { t.Errorf("CPU clear = %v, want 85", loaded.HostDefaults.CPU.Clear) } if loaded.HostDefaults.Memory.Clear != 90 { t.Errorf("Memory clear = %v, want 90", loaded.HostDefaults.Memory.Clear) } if loaded.HostDefaults.Disk.Clear != 87 { t.Errorf("Disk clear = %v, want 87", loaded.HostDefaults.Disk.Clear) } } // TestSaveAlertConfig_HostDefaultsZeroDisablesAlerting verifies that setting // Host Agent thresholds to 0 is preserved (fixes GitHub issue #864). // Setting a threshold to 0 should disable alerting for that metric. func TestSaveAlertConfig_HostDefaultsZeroDisablesAlerting(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Config with Memory=0 to disable memory alerting for host agents cfg := alerts.AlertConfig{ Enabled: true, StorageDefault: alerts.HysteresisThreshold{Trigger: 85, Clear: 80}, HostDefaults: alerts.ThresholdConfig{ CPU: &alerts.HysteresisThreshold{Trigger: 80, Clear: 75}, Memory: &alerts.HysteresisThreshold{Trigger: 0, Clear: 0}, // Disabled Disk: &alerts.HysteresisThreshold{Trigger: 90, Clear: 85}, }, } if err := cp.SaveAlertConfig(cfg); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } loaded, err := cp.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } // Memory threshold should remain at 0 (disabled), not reset to default if loaded.HostDefaults.Memory == nil { t.Fatal("Memory defaults should be preserved (not nil)") } if loaded.HostDefaults.Memory.Trigger != 0 { t.Errorf("Memory trigger = %v, want 0 (disabled)", loaded.HostDefaults.Memory.Trigger) } if loaded.HostDefaults.Memory.Clear != 0 { t.Errorf("Memory clear = %v, want 0 (disabled)", loaded.HostDefaults.Memory.Clear) } // CPU and Disk should still have their values if loaded.HostDefaults.CPU.Trigger != 80 { t.Errorf("CPU trigger = %v, want 80", loaded.HostDefaults.CPU.Trigger) } if loaded.HostDefaults.Disk.Trigger != 90 { t.Errorf("Disk trigger = %v, want 90", loaded.HostDefaults.Disk.Trigger) } } // TestSaveAlertConfig_StorageDefaultZeroDisablesAlerting verifies that setting // StorageDefault threshold to 0 is preserved to disable storage alerting. func TestSaveAlertConfig_StorageDefaultZeroDisablesAlerting(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Config with StorageDefault.Trigger=0 to disable storage alerting cfg := alerts.AlertConfig{ Enabled: true, StorageDefault: alerts.HysteresisThreshold{Trigger: 0, Clear: 0}, } if err := cp.SaveAlertConfig(cfg); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } loaded, err := cp.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } // Storage threshold should remain at 0 (disabled), not reset to default if loaded.StorageDefault.Trigger != 0 { t.Errorf("StorageDefault trigger = %v, want 0 (disabled)", loaded.StorageDefault.Trigger) } if loaded.StorageDefault.Clear != 0 { t.Errorf("StorageDefault clear = %v, want 0 (disabled)", loaded.StorageDefault.Clear) } } // TestSaveAlertConfig_NodeTemperatureZeroDisablesAlerting verifies that setting // NodeDefaults.Temperature threshold to 0 is preserved to disable temperature alerting. func TestSaveAlertConfig_NodeTemperatureZeroDisablesAlerting(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Config with Temperature=0 to disable temperature alerting cfg := alerts.AlertConfig{ Enabled: true, StorageDefault: alerts.HysteresisThreshold{Trigger: 85, Clear: 80}, NodeDefaults: alerts.ThresholdConfig{ Temperature: &alerts.HysteresisThreshold{Trigger: 0, Clear: 0}, }, } if err := cp.SaveAlertConfig(cfg); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } loaded, err := cp.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } // Temperature threshold should remain at 0 (disabled), not reset to default if loaded.NodeDefaults.Temperature == nil { t.Fatal("Temperature should be preserved (not nil)") } if loaded.NodeDefaults.Temperature.Trigger != 0 { t.Errorf("Temperature trigger = %v, want 0 (disabled)", loaded.NodeDefaults.Temperature.Trigger) } if loaded.NodeDefaults.Temperature.Clear != 0 { t.Errorf("Temperature clear = %v, want 0 (disabled)", loaded.NodeDefaults.Temperature.Clear) } } // TestSaveAlertConfig_AllThresholdsZeroDisablesAlerting is a comprehensive test // verifying that all threshold types can be set to 0 to disable alerting. func TestSaveAlertConfig_AllThresholdsZeroDisablesAlerting(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Config with all thresholds set to 0 to disable all alerting cfg := alerts.AlertConfig{ Enabled: true, StorageDefault: alerts.HysteresisThreshold{Trigger: 0, Clear: 0}, NodeDefaults: alerts.ThresholdConfig{ Temperature: &alerts.HysteresisThreshold{Trigger: 0, Clear: 0}, }, HostDefaults: alerts.ThresholdConfig{ CPU: &alerts.HysteresisThreshold{Trigger: 0, Clear: 0}, Memory: &alerts.HysteresisThreshold{Trigger: 0, Clear: 0}, Disk: &alerts.HysteresisThreshold{Trigger: 0, Clear: 0}, }, } if err := cp.SaveAlertConfig(cfg); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } loaded, err := cp.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } // All thresholds should remain at 0 if loaded.StorageDefault.Trigger != 0 { t.Errorf("StorageDefault trigger = %v, want 0", loaded.StorageDefault.Trigger) } if loaded.NodeDefaults.Temperature == nil || loaded.NodeDefaults.Temperature.Trigger != 0 { t.Errorf("Temperature trigger = %v, want 0", loaded.NodeDefaults.Temperature) } if loaded.HostDefaults.CPU == nil || loaded.HostDefaults.CPU.Trigger != 0 { t.Errorf("HostDefaults.CPU trigger = %v, want 0", loaded.HostDefaults.CPU) } if loaded.HostDefaults.Memory == nil || loaded.HostDefaults.Memory.Trigger != 0 { t.Errorf("HostDefaults.Memory trigger = %v, want 0", loaded.HostDefaults.Memory) } if loaded.HostDefaults.Disk == nil || loaded.HostDefaults.Disk.Trigger != 0 { t.Errorf("HostDefaults.Disk trigger = %v, want 0", loaded.HostDefaults.Disk) } } func TestAlertConfigPersistenceNormalizesDockerIgnoredPrefixes(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } cfg := alerts.AlertConfig{ Enabled: true, StorageDefault: alerts.HysteresisThreshold{Trigger: 85, Clear: 80}, DockerIgnoredContainerPrefixes: []string{ " Foo ", "foo", "Bar", " bar ", }, } if err := cp.SaveAlertConfig(cfg); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } loaded, err := cp.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } expected := []string{"Foo", "Bar"} if !reflect.DeepEqual(loaded.DockerIgnoredContainerPrefixes, expected) { t.Fatalf("unexpected prefixes: got %v want %v", loaded.DockerIgnoredContainerPrefixes, expected) } } func TestLoadAlertConfigAppliesDefaults(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } raw := alerts.AlertConfig{ Enabled: false, TimeThreshold: 0, TimeThresholds: map[string]int{"guest": 0, "node": 0}, DockerIgnoredContainerPrefixes: []string{" Runner "}, SnapshotDefaults: alerts.SnapshotAlertConfig{ Enabled: true, WarningDays: 20, CriticalDays: 10, WarningSizeGiB: 15, CriticalSizeGiB: 8, }, BackupDefaults: alerts.BackupAlertConfig{ Enabled: true, WarningDays: 12, CriticalDays: 8, }, NodeDefaults: alerts.ThresholdConfig{ // Use negative value to test "unset" case (negative means unset, 0 means disabled) Temperature: &alerts.HysteresisThreshold{Trigger: -1, Clear: 0}, }, } data, err := json.Marshal(raw) if err != nil { t.Fatalf("Marshal: %v", err) } if err := os.WriteFile(filepath.Join(tempDir, "alerts.json"), data, 0600); err != nil { t.Fatalf("WriteFile: %v", err) } loaded, err := cp.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } if loaded.TimeThreshold != 5 { t.Fatalf("expected time threshold default 5, got %d", loaded.TimeThreshold) } if got := loaded.TimeThresholds["guest"]; got != 5 { t.Fatalf("expected guest threshold default 5, got %d", got) } if got := loaded.TimeThresholds["node"]; got != 5 { t.Fatalf("expected node threshold default 5, got %d", got) } if loaded.NodeDefaults.Temperature == nil { t.Fatalf("expected node temperature defaults to be set") } // Negative trigger should be replaced with defaults (80/75) if loaded.NodeDefaults.Temperature.Trigger != 80 || loaded.NodeDefaults.Temperature.Clear != 75 { t.Fatalf("expected temperature defaults 80/75, got %+v", loaded.NodeDefaults.Temperature) } if !loaded.BackupDefaults.Enabled { t.Fatalf("expected backup defaults to remain enabled") } if loaded.BackupDefaults.WarningDays != 8 { t.Fatalf("expected backup warning normalized to 8, got %d", loaded.BackupDefaults.WarningDays) } if loaded.BackupDefaults.CriticalDays != 8 { t.Fatalf("expected backup critical normalized to 8, got %d", loaded.BackupDefaults.CriticalDays) } expectedPrefixes := []string{"Runner"} if !reflect.DeepEqual(loaded.DockerIgnoredContainerPrefixes, expectedPrefixes) { t.Fatalf("expected normalized prefixes %v, got %v", expectedPrefixes, loaded.DockerIgnoredContainerPrefixes) } if loaded.SnapshotDefaults.Enabled != true { t.Fatalf("expected snapshot defaults to preserve enabled state") } if loaded.SnapshotDefaults.WarningDays != 10 { t.Fatalf("expected snapshot warning days normalized to critical, got %d", loaded.SnapshotDefaults.WarningDays) } if loaded.SnapshotDefaults.CriticalDays != 10 { t.Fatalf("expected snapshot critical days preserved at 10, got %d", loaded.SnapshotDefaults.CriticalDays) } if loaded.SnapshotDefaults.WarningSizeGiB != 8 { t.Fatalf("expected snapshot warning size normalized to 8, got %.1f", loaded.SnapshotDefaults.WarningSizeGiB) } if loaded.SnapshotDefaults.CriticalSizeGiB != 8 { t.Fatalf("expected snapshot critical size preserved at 8, got %.1f", loaded.SnapshotDefaults.CriticalSizeGiB) } } func TestAppriseConfigPersistence(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } cfg := notifications.AppriseConfig{ Enabled: true, Targets: []string{" discord://token ", "", "mailto://alerts@example.com"}, CLIPath: " /usr/local/bin/apprise ", TimeoutSeconds: 3, } if err := cp.SaveAppriseConfig(cfg); err != nil { t.Fatalf("SaveAppriseConfig: %v", err) } loaded, err := cp.LoadAppriseConfig() if err != nil { t.Fatalf("LoadAppriseConfig: %v", err) } if !loaded.Enabled { t.Fatalf("expected config to remain enabled") } expectedTargets := []string{"discord://token", "mailto://alerts@example.com"} if !reflect.DeepEqual(loaded.Targets, expectedTargets) { t.Fatalf("unexpected targets: got %v want %v", loaded.Targets, expectedTargets) } if loaded.CLIPath != "apprise" { t.Fatalf("expected CLI path to be hardcoded to 'apprise' (security fix), got %q", loaded.CLIPath) } if loaded.TimeoutSeconds != 5 { t.Fatalf("expected timeout normalized to minimum 5 seconds, got %d", loaded.TimeoutSeconds) } // Clearing targets should disable the config on next load if err := cp.SaveAppriseConfig(notifications.AppriseConfig{Enabled: true}); err != nil { t.Fatalf("SaveAppriseConfig empty: %v", err) } empty, err := cp.LoadAppriseConfig() if err != nil { t.Fatalf("LoadAppriseConfig empty: %v", err) } if empty.Enabled { t.Fatalf("expected disabled configuration when no targets stored") } } func TestExportConfigIncludesAPITokens(t *testing.T) { t.Setenv("PULSE_DATA_DIR", t.TempDir()) tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } createdAt := time.Date(2023, 10, 1, 12, 0, 0, 0, time.UTC) tokens := []config.APITokenRecord{ { ID: "token-1", Name: "automation", Hash: "hash-1", Prefix: "hash-1", Suffix: "-0001", CreatedAt: createdAt, Scopes: []string{config.ScopeWildcard}, }, { ID: "token-2", Name: "metrics", Hash: "hash-2", Prefix: "hash-2", Suffix: "-0002", CreatedAt: createdAt.Add(time.Hour), Scopes: []string{config.ScopeMonitoringRead}, }, } if err := cp.SaveAPITokens(tokens); err != nil { t.Fatalf("SaveAPITokens: %v", err) } passphrase := "strong-passphrase" exported, err := cp.ExportConfig(passphrase) if err != nil { t.Fatalf("ExportConfig: %v", err) } decoded := mustDecodeExport(t, exported, passphrase) if decoded.Version != "4.1" { t.Fatalf("expected export version 4.1, got %q", decoded.Version) } assertJSONEqual(t, decoded.APITokens, tokens, "api tokens") } func TestImportConfigTransactionalSuccess(t *testing.T) { const passphrase = "import-success" sourceDataDir := t.TempDir() t.Setenv("PULSE_DATA_DIR", sourceDataDir) sourceConfigDir := t.TempDir() source := config.NewConfigPersistence(sourceConfigDir) if err := source.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } newNodes := []config.PVEInstance{ { Name: "pve-new", Host: "https://pve-new.example:8006", User: "root@pam", MonitorVMs: true, MonitorStorage: true, }, } newPBS := []config.PBSInstance{ { Name: "pbs-new", Host: "https://pbs-new.example:8007", User: "pbs@pam", MonitorBackups: true, }, } if err := source.SaveNodesConfig(newNodes, newPBS, nil); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } newAlerts := alerts.AlertConfig{ Enabled: true, HysteresisMargin: 3.5, StorageDefault: alerts.HysteresisThreshold{ Trigger: 70, Clear: 65, }, TimeThreshold: 10, TimeThresholds: map[string]int{ "guest": 10, "node": 10, "storage": 10, "pbs": 10, }, Overrides: map[string]alerts.ThresholdConfig{ "node/pve-new": { CPU: &alerts.HysteresisThreshold{Trigger: 80, Clear: 72}, }, }, } if err := source.SaveAlertConfig(newAlerts); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } newSystem := config.SystemSettings{ PBSPollingInterval: 45, PMGPollingInterval: 50, AutoUpdateEnabled: true, DiscoveryEnabled: false, DiscoverySubnet: "192.168.10.0/24", DiscoveryConfig: config.DefaultDiscoveryConfig(), Theme: "dark", AllowEmbedding: true, } if err := source.SaveSystemSettings(newSystem); err != nil { t.Fatalf("SaveSystemSettings: %v", err) } newTokens := []config.APITokenRecord{ { ID: "token-new-1", Name: "automation", Hash: "hash-new-1", Prefix: "hashn1", Suffix: "n1", CreatedAt: time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC), Scopes: []string{config.ScopeMonitoringRead, config.ScopeMonitoringWrite}, }, } if err := source.SaveAPITokens(newTokens); err != nil { t.Fatalf("SaveAPITokens: %v", err) } exported, err := source.ExportConfig(passphrase) if err != nil { t.Fatalf("ExportConfig: %v", err) } exportedData := mustDecodeExport(t, exported, passphrase) targetDataDir := t.TempDir() t.Setenv("PULSE_DATA_DIR", targetDataDir) targetConfigDir := t.TempDir() target := config.NewConfigPersistence(targetConfigDir) if err := target.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } oldNodes := []config.PVEInstance{ { Name: "pve-old", Host: "https://pve-old.example:8006", User: "root@pam", }, } if err := target.SaveNodesConfig(oldNodes, nil, nil); err != nil { t.Fatalf("SaveNodesConfig baseline: %v", err) } oldAlerts := alerts.AlertConfig{ Enabled: true, HysteresisMargin: 5, StorageDefault: alerts.HysteresisThreshold{ Trigger: 85, Clear: 80, }, Overrides: map[string]alerts.ThresholdConfig{}, } if err := target.SaveAlertConfig(oldAlerts); err != nil { t.Fatalf("SaveAlertConfig baseline: %v", err) } oldSystem := config.SystemSettings{ PBSPollingInterval: 120, PMGPollingInterval: 120, AutoUpdateEnabled: false, DiscoveryEnabled: true, DiscoverySubnet: "auto", DiscoveryConfig: config.DefaultDiscoveryConfig(), Theme: "light", } if err := target.SaveSystemSettings(oldSystem); err != nil { t.Fatalf("SaveSystemSettings baseline: %v", err) } oldTokens := []config.APITokenRecord{ { ID: "token-old-1", Name: "legacy", Hash: "hash-old-1", Prefix: "hasho1", Suffix: "o1", CreatedAt: time.Date(2023, 1, 1, 12, 0, 0, 0, time.UTC), Scopes: []string{config.ScopeWildcard}, }, } if err := target.SaveAPITokens(oldTokens); err != nil { t.Fatalf("SaveAPITokens baseline: %v", err) } if err := target.ImportConfig(exported, passphrase); err != nil { t.Fatalf("ImportConfig: %v", err) } nodesAfter, err := target.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig: %v", err) } assertJSONEqual(t, nodesAfter, exportedData.Nodes, "nodes") alertsAfter, err := target.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } assertJSONEqual(t, alertsAfter, exportedData.Alerts, "alerts") systemAfter, err := target.LoadSystemSettings() if err != nil { t.Fatalf("LoadSystemSettings: %v", err) } if systemAfter == nil { t.Fatal("expected system settings after import") } assertJSONEqual(t, systemAfter, exportedData.System, "system settings") tokensAfter, err := target.LoadAPITokens() if err != nil { t.Fatalf("LoadAPITokens: %v", err) } assertJSONEqual(t, tokensAfter, exportedData.APITokens, "api tokens") tmpFiles, err := filepath.Glob(filepath.Join(targetConfigDir, "*.tmp")) if err != nil { t.Fatalf("Glob tmp files: %v", err) } if len(tmpFiles) != 0 { t.Fatalf("expected no tmp files after import, found %v", tmpFiles) } } func TestImportConfigRollbackOnFailure(t *testing.T) { const passphrase = "import-rollback" sourceDataDir := t.TempDir() t.Setenv("PULSE_DATA_DIR", sourceDataDir) sourceConfigDir := t.TempDir() source := config.NewConfigPersistence(sourceConfigDir) if err := source.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } newNodes := []config.PVEInstance{ { Name: "pve-new", Host: "https://pve-new.example:8006", User: "root@pam", }, } if err := source.SaveNodesConfig(newNodes, nil, nil); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } newAlerts := alerts.AlertConfig{ Enabled: true, HysteresisMargin: 4, StorageDefault: alerts.HysteresisThreshold{ Trigger: 65, Clear: 60, }, Overrides: map[string]alerts.ThresholdConfig{}, } if err := source.SaveAlertConfig(newAlerts); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } newSystem := config.SystemSettings{ PBSPollingInterval: 30, PMGPollingInterval: 30, AutoUpdateEnabled: true, DiscoveryEnabled: false, DiscoverySubnet: "10.20.0.0/24", DiscoveryConfig: config.DefaultDiscoveryConfig(), } if err := source.SaveSystemSettings(newSystem); err != nil { t.Fatalf("SaveSystemSettings: %v", err) } newTokens := []config.APITokenRecord{ { ID: "token-new", Name: "new", Hash: "hash-new", Prefix: "hashn", Suffix: "-n", CreatedAt: time.Date(2024, 2, 2, 12, 0, 0, 0, time.UTC), Scopes: []string{config.ScopeDockerReport}, }, } if err := source.SaveAPITokens(newTokens); err != nil { t.Fatalf("SaveAPITokens: %v", err) } exported, err := source.ExportConfig(passphrase) if err != nil { t.Fatalf("ExportConfig: %v", err) } targetDataDir := t.TempDir() t.Setenv("PULSE_DATA_DIR", targetDataDir) targetConfigDir := t.TempDir() target := config.NewConfigPersistence(targetConfigDir) if err := target.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } baselineNodes := []config.PVEInstance{ { Name: "pve-original", Host: "https://pve-original.example:8006", User: "root@pam", }, } if err := target.SaveNodesConfig(baselineNodes, nil, nil); err != nil { t.Fatalf("SaveNodesConfig baseline: %v", err) } baselineAlerts := alerts.AlertConfig{ Enabled: true, HysteresisMargin: 5, StorageDefault: alerts.HysteresisThreshold{ Trigger: 90, Clear: 85, }, Overrides: map[string]alerts.ThresholdConfig{}, } if err := target.SaveAlertConfig(baselineAlerts); err != nil { t.Fatalf("SaveAlertConfig baseline: %v", err) } baselineTokens := []config.APITokenRecord{ { ID: "token-original", Name: "original", Hash: "hash-original", Prefix: "hasho", Suffix: "-o", CreatedAt: time.Date(2023, 3, 3, 12, 0, 0, 0, time.UTC), Scopes: []string{config.ScopeWildcard}, }, } if err := target.SaveAPITokens(baselineTokens); err != nil { t.Fatalf("SaveAPITokens baseline: %v", err) } originalNodes, err := target.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig: %v", err) } originalNodesJSON := mustMarshalJSON(t, originalNodes) originalAlerts, err := target.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } originalAlertsJSON := mustMarshalJSON(t, originalAlerts) originalTokens, err := target.LoadAPITokens() if err != nil { t.Fatalf("LoadAPITokens: %v", err) } originalTokensJSON := mustMarshalJSON(t, originalTokens) if err := os.Mkdir(filepath.Join(targetConfigDir, "system.json"), 0o700); err != nil { t.Fatalf("creating obstacle directory: %v", err) } if err := target.ImportConfig(exported, passphrase); err == nil { t.Fatal("expected import to fail, but it succeeded") } nodesAfter, err := target.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig after failure: %v", err) } if !bytes.Equal(mustMarshalJSON(t, nodesAfter), originalNodesJSON) { t.Fatalf("nodes changed despite rollback:\noriginal: %s\ncurrent: %s", originalNodesJSON, mustMarshalJSON(t, nodesAfter)) } alertsAfter, err := target.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig after failure: %v", err) } if !bytes.Equal(mustMarshalJSON(t, alertsAfter), originalAlertsJSON) { t.Fatalf("alerts changed despite rollback:\noriginal: %s\ncurrent: %s", originalAlertsJSON, mustMarshalJSON(t, alertsAfter)) } tokensAfter, err := target.LoadAPITokens() if err != nil { t.Fatalf("LoadAPITokens after failure: %v", err) } if !bytes.Equal(mustMarshalJSON(t, tokensAfter), originalTokensJSON) { t.Fatalf("api tokens changed despite rollback:\noriginal: %s\ncurrent: %s", originalTokensJSON, mustMarshalJSON(t, tokensAfter)) } tmpFiles, err := filepath.Glob(filepath.Join(targetConfigDir, "*.tmp")) if err != nil { t.Fatalf("Glob tmp files: %v", err) } if len(tmpFiles) != 0 { t.Fatalf("expected tmp files cleaned up after rollback, found %v", tmpFiles) } } func TestImportAcceptsVersion40Bundle(t *testing.T) { const passphrase = "import-legacy" sourceDataDir := t.TempDir() t.Setenv("PULSE_DATA_DIR", sourceDataDir) sourceConfigDir := t.TempDir() source := config.NewConfigPersistence(sourceConfigDir) if err := source.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } newNodes := []config.PVEInstance{ { Name: "pve-legacy", Host: "https://pve-legacy.example:8006", User: "root@pam", }, } if err := source.SaveNodesConfig(newNodes, nil, nil); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } newAlerts := alerts.AlertConfig{ Enabled: true, HysteresisMargin: 4, StorageDefault: alerts.HysteresisThreshold{ Trigger: 75, Clear: 70, }, Overrides: map[string]alerts.ThresholdConfig{}, } if err := source.SaveAlertConfig(newAlerts); err != nil { t.Fatalf("SaveAlertConfig: %v", err) } newSystem := config.SystemSettings{ PBSPollingInterval: 80, PMGPollingInterval: 90, AutoUpdateEnabled: true, DiscoveryEnabled: true, DiscoverySubnet: "172.16.0.0/24", DiscoveryConfig: config.DefaultDiscoveryConfig(), } if err := source.SaveSystemSettings(newSystem); err != nil { t.Fatalf("SaveSystemSettings: %v", err) } exported, err := source.ExportConfig(passphrase) if err != nil { t.Fatalf("ExportConfig: %v", err) } exportData := mustDecodeExport(t, exported, passphrase) exportData.Version = "4.0" exportData.APITokens = nil legacyPayload := mustEncodeExport(t, exportData, passphrase) targetDataDir := t.TempDir() t.Setenv("PULSE_DATA_DIR", targetDataDir) targetConfigDir := t.TempDir() target := config.NewConfigPersistence(targetConfigDir) if err := target.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } baselineTokens := []config.APITokenRecord{ { ID: "token-legacy", Name: "keep-me", Hash: "hash-keep", Prefix: "hashk", Suffix: "-k", CreatedAt: time.Date(2022, 4, 4, 12, 0, 0, 0, time.UTC), Scopes: []string{config.ScopeWildcard}, }, } if err := target.SaveAPITokens(baselineTokens); err != nil { t.Fatalf("SaveAPITokens baseline: %v", err) } if err := target.ImportConfig(legacyPayload, passphrase); err != nil { t.Fatalf("ImportConfig (legacy 4.0): %v", err) } nodesAfter, err := target.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig: %v", err) } assertJSONEqual(t, nodesAfter, exportData.Nodes, "nodes (4.0 import)") alertsAfter, err := target.LoadAlertConfig() if err != nil { t.Fatalf("LoadAlertConfig: %v", err) } assertJSONEqual(t, alertsAfter, exportData.Alerts, "alerts (4.0 import)") systemAfter, err := target.LoadSystemSettings() if err != nil { t.Fatalf("LoadSystemSettings: %v", err) } if systemAfter == nil { t.Fatal("expected system settings after legacy import") } assertJSONEqual(t, systemAfter, exportData.System, "system settings (4.0 import)") tokensAfter, err := target.LoadAPITokens() if err != nil { t.Fatalf("LoadAPITokens: %v", err) } assertJSONEqual(t, tokensAfter, baselineTokens, "api tokens unchanged for 4.0 import") } func TestLoadNodesConfigNormalizesPVEHostsAndClusterEndpoints(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } pveNodes := []config.PVEInstance{ { Name: "pve-cluster", Host: "https://pve.local", ClusterEndpoints: []config.ClusterEndpoint{ {NodeName: "pve1", Host: "https://pve1.local"}, {NodeName: "pve2", Host: "pve2.local"}, }, }, } if err := cp.SaveNodesConfig(pveNodes, nil, nil); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } loaded, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig: %v", err) } if len(loaded.PVEInstances) != 1 { t.Fatalf("expected 1 PVE instance, got %d", len(loaded.PVEInstances)) } pve := loaded.PVEInstances[0] if pve.Host != "https://pve.local:8006" { t.Fatalf("expected primary host normalized with default port, got %q", pve.Host) } if len(pve.ClusterEndpoints) != 2 { t.Fatalf("expected 2 cluster endpoints, got %d", len(pve.ClusterEndpoints)) } if pve.ClusterEndpoints[0].Host != "https://pve1.local:8006" { t.Fatalf("expected endpoint host normalized, got %q", pve.ClusterEndpoints[0].Host) } if pve.ClusterEndpoints[1].Host != "https://pve2.local:8006" { t.Fatalf("expected endpoint host normalized, got %q", pve.ClusterEndpoints[1].Host) } // Second load should keep normalized values and not panic on migration. loadedAgain, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig second read: %v", err) } if loadedAgain.PVEInstances[0].Host != "https://pve.local:8006" { t.Fatalf("expected normalized host persisted, got %q", loadedAgain.PVEInstances[0].Host) } } func mustDecodeExport(t *testing.T, payload, passphrase string) config.ExportData { t.Helper() raw, err := base64.StdEncoding.DecodeString(payload) if err != nil { t.Fatalf("base64 decode: %v", err) } plaintext, err := decryptExportPayload(raw, passphrase) if err != nil { t.Fatalf("decrypt export: %v", err) } var data config.ExportData if err := json.Unmarshal(plaintext, &data); err != nil { t.Fatalf("unmarshal export data: %v", err) } return data } func mustEncodeExport(t *testing.T, data config.ExportData, passphrase string) string { t.Helper() plaintext, err := json.Marshal(data) if err != nil { t.Fatalf("marshal export data: %v", err) } ciphertext, err := encryptExportPayload(plaintext, passphrase) if err != nil { t.Fatalf("encrypt export data: %v", err) } return base64.StdEncoding.EncodeToString(ciphertext) } func encryptExportPayload(plaintext []byte, passphrase string) ([]byte, error) { salt := make([]byte, 32) if _, err := io.ReadFull(rand.Reader, salt); err != nil { return nil, err } key := pbkdf2.Key([]byte(passphrase), salt, 100000, 32, sha256.New) block, err := aes.NewCipher(key) if err != nil { return nil, err } gcm, err := cipher.NewGCM(block) if err != nil { return nil, err } nonce := make([]byte, gcm.NonceSize()) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err } ciphertext := gcm.Seal(nonce, nonce, plaintext, nil) result := append(salt, ciphertext...) return result, nil } func decryptExportPayload(ciphertext []byte, passphrase string) ([]byte, error) { if len(ciphertext) < 32 { return nil, io.ErrUnexpectedEOF } salt := ciphertext[:32] cipherbody := ciphertext[32:] key := pbkdf2.Key([]byte(passphrase), salt, 100000, 32, sha256.New) block, err := aes.NewCipher(key) if err != nil { return nil, err } gcm, err := cipher.NewGCM(block) if err != nil { return nil, err } if len(cipherbody) < gcm.NonceSize() { return nil, io.ErrUnexpectedEOF } nonce := cipherbody[:gcm.NonceSize()] payload := cipherbody[gcm.NonceSize():] return gcm.Open(nil, nonce, payload, nil) } func mustMarshalJSON(t *testing.T, v interface{}) []byte { t.Helper() data, err := json.Marshal(v) if err != nil { t.Fatalf("marshal json: %v", err) } return data } func assertJSONEqual(t *testing.T, got interface{}, want interface{}, context string) { t.Helper() gotJSON := mustMarshalJSON(t, got) wantJSON := mustMarshalJSON(t, want) if !bytes.Equal(gotJSON, wantJSON) { t.Fatalf("%s mismatch:\n got: %s\nwant: %s", context, gotJSON, wantJSON) } } // ============================================================================ // Error path and edge case tests for persistence functions // ============================================================================ func TestLoadAPITokensErrorInvalidJSON(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Write invalid JSON to the api_tokens.json file tokensFile := filepath.Join(tempDir, "api_tokens.json") if err := os.WriteFile(tokensFile, []byte(`{invalid json content`), 0600); err != nil { t.Fatalf("WriteFile: %v", err) } _, err := cp.LoadAPITokens() if err == nil { t.Fatal("expected error for invalid JSON, got nil") } } func TestLoadAPITokensEmptyFile(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Write empty file tokensFile := filepath.Join(tempDir, "api_tokens.json") if err := os.WriteFile(tokensFile, []byte{}, 0600); err != nil { t.Fatalf("WriteFile: %v", err) } tokens, err := cp.LoadAPITokens() if err != nil { t.Fatalf("LoadAPITokens returned error for empty file: %v", err) } if len(tokens) != 0 { t.Fatalf("expected empty slice for empty file, got %d tokens", len(tokens)) } } func TestLoadAPITokensFileNotExist(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Don't create the file - test that non-existent file returns empty slice tokens, err := cp.LoadAPITokens() if err != nil { t.Fatalf("LoadAPITokens returned error for non-existent file: %v", err) } if len(tokens) != 0 { t.Fatalf("expected empty slice for non-existent file, got %d tokens", len(tokens)) } } func TestLoadEmailConfigErrorInvalidJSON(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Write invalid JSON to the email.enc file (unencrypted for test without crypto) emailFile := filepath.Join(tempDir, "email.enc") if err := os.WriteFile(emailFile, []byte(`not valid json {{{{`), 0600); err != nil { t.Fatalf("WriteFile: %v", err) } _, err := cp.LoadEmailConfig() if err == nil { t.Fatal("expected error for invalid JSON/decryption failure, got nil") } } func TestLoadEmailConfigFileNotExist(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Don't create the file - test default config is returned cfg, err := cp.LoadEmailConfig() if err != nil { t.Fatalf("LoadEmailConfig returned error for non-existent file: %v", err) } if cfg == nil { t.Fatal("expected default config, got nil") } if cfg.Enabled { t.Fatal("expected Enabled=false for default config") } if cfg.SMTPPort != 587 { t.Fatalf("expected default SMTPPort=587, got %d", cfg.SMTPPort) } } func TestLoadEmailConfig_EncryptedRoundTrip(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Create a config with all fields populated original := notifications.EmailConfig{ Enabled: true, Provider: "smtp", SMTPHost: "mail.example.com", SMTPPort: 465, Username: "user@example.com", Password: "secret-password", From: "alerts@example.com", To: []string{"admin@example.com", "ops@example.com"}, TLS: true, StartTLS: false, } // Save (encrypts) then Load (decrypts) if err := cp.SaveEmailConfig(original); err != nil { t.Fatalf("SaveEmailConfig: %v", err) } loaded, err := cp.LoadEmailConfig() if err != nil { t.Fatalf("LoadEmailConfig: %v", err) } // Verify round-trip preserved all fields if loaded.Enabled != original.Enabled { t.Errorf("Enabled mismatch: got %v, want %v", loaded.Enabled, original.Enabled) } if loaded.Provider != original.Provider { t.Errorf("Provider mismatch: got %v, want %v", loaded.Provider, original.Provider) } if loaded.SMTPHost != original.SMTPHost { t.Errorf("SMTPHost mismatch: got %v, want %v", loaded.SMTPHost, original.SMTPHost) } if loaded.SMTPPort != original.SMTPPort { t.Errorf("SMTPPort mismatch: got %v, want %v", loaded.SMTPPort, original.SMTPPort) } if loaded.Username != original.Username { t.Errorf("Username mismatch: got %v, want %v", loaded.Username, original.Username) } if loaded.Password != original.Password { t.Errorf("Password mismatch: got %v, want %v", loaded.Password, original.Password) } if loaded.From != original.From { t.Errorf("From mismatch: got %v, want %v", loaded.From, original.From) } if len(loaded.To) != len(original.To) { t.Errorf("To length mismatch: got %d, want %d", len(loaded.To), len(original.To)) } if loaded.TLS != original.TLS { t.Errorf("TLS mismatch: got %v, want %v", loaded.TLS, original.TLS) } if loaded.StartTLS != original.StartTLS { t.Errorf("StartTLS mismatch: got %v, want %v", loaded.StartTLS, original.StartTLS) } } func TestLoadWebhooksErrorInvalidJSON(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Write invalid JSON to the webhooks.enc file webhooksFile := filepath.Join(tempDir, "webhooks.enc") if err := os.WriteFile(webhooksFile, []byte(`[{"broken`), 0600); err != nil { t.Fatalf("WriteFile: %v", err) } _, err := cp.LoadWebhooks() if err == nil { t.Fatal("expected error for invalid JSON/decryption failure, got nil") } } func TestLoadWebhooksFileNotExist(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Don't create the file - test empty slice is returned webhooks, err := cp.LoadWebhooks() if err != nil { t.Fatalf("LoadWebhooks returned error for non-existent file: %v", err) } if len(webhooks) != 0 { t.Fatalf("expected empty slice for non-existent file, got %d webhooks", len(webhooks)) } } func TestLoadWebhooksMigrationFromLegacyFile(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Create legacy webhooks.json file (unencrypted) legacyWebhooks := []notifications.WebhookConfig{ { ID: "webhook-1", Name: "test-webhook", URL: "https://example.com/hook", Method: "POST", Enabled: true, }, } legacyData, err := json.Marshal(legacyWebhooks) if err != nil { t.Fatalf("Marshal: %v", err) } legacyFile := filepath.Join(tempDir, "webhooks.json") if err := os.WriteFile(legacyFile, legacyData, 0600); err != nil { t.Fatalf("WriteFile: %v", err) } // LoadWebhooks should find and parse the legacy file webhooks, err := cp.LoadWebhooks() if err != nil { t.Fatalf("LoadWebhooks returned error: %v", err) } if len(webhooks) != 1 { t.Fatalf("expected 1 webhook from legacy file, got %d", len(webhooks)) } if webhooks[0].ID != "webhook-1" { t.Fatalf("expected webhook ID 'webhook-1', got %q", webhooks[0].ID) } } func TestLoadWebhooksMigrationFromUnencryptedEncFile(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Write plain JSON to webhooks.enc (migration scenario where file // was written before encryption was enabled) plainWebhooks := []notifications.WebhookConfig{ { ID: "unencrypted-webhook", Name: "plain-webhook", URL: "https://example.com/plain", Method: "POST", Enabled: true, }, } plainData, err := json.Marshal(plainWebhooks) if err != nil { t.Fatalf("Marshal: %v", err) } encFile := filepath.Join(tempDir, "webhooks.enc") if err := os.WriteFile(encFile, plainData, 0600); err != nil { t.Fatalf("WriteFile: %v", err) } // LoadWebhooks should fall back to parsing as plain JSON when decryption fails webhooks, err := cp.LoadWebhooks() if err != nil { t.Fatalf("LoadWebhooks returned error: %v", err) } if len(webhooks) != 1 { t.Fatalf("expected 1 webhook, got %d", len(webhooks)) } if webhooks[0].ID != "unencrypted-webhook" { t.Fatalf("expected ID 'unencrypted-webhook', got %q", webhooks[0].ID) } } func TestLoadWebhooksLegacyFileInvalidJSON(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Create legacy file with invalid JSON - should be ignored, return empty legacyFile := filepath.Join(tempDir, "webhooks.json") if err := os.WriteFile(legacyFile, []byte(`{invalid json`), 0600); err != nil { t.Fatalf("WriteFile: %v", err) } // Should return empty slice since legacy file is invalid webhooks, err := cp.LoadWebhooks() if err != nil { t.Fatalf("LoadWebhooks returned error: %v", err) } if len(webhooks) != 0 { t.Fatalf("expected empty slice for invalid legacy file, got %d webhooks", len(webhooks)) } } func TestLoadNodesConfigEmptyArrays(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Use SaveNodesConfigAllowEmpty with empty slices to properly encrypt the data if err := cp.SaveNodesConfigAllowEmpty([]config.PVEInstance{}, []config.PBSInstance{}, []config.PMGInstance{}); err != nil { t.Fatalf("SaveNodesConfigAllowEmpty: %v", err) } cfg, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig returned error: %v", err) } if cfg == nil { t.Fatal("expected config, got nil") } if len(cfg.PVEInstances) != 0 { t.Fatalf("expected empty PVEInstances, got %d", len(cfg.PVEInstances)) } if len(cfg.PBSInstances) != 0 { t.Fatalf("expected empty PBSInstances, got %d", len(cfg.PBSInstances)) } if len(cfg.PMGInstances) != 0 { t.Fatalf("expected empty PMGInstances, got %d", len(cfg.PMGInstances)) } } func TestLoadNodesConfigMissingFields(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Save config with only PVE, no PBS and PMG // When we load it back, PBS and PMG should be initialized to empty slices pveInstances := []config.PVEInstance{ { Name: "pve-test", Host: "https://pve.local:8006", User: "root@pam", }, } // Save only PVE, pass nil for PBS and PMG if err := cp.SaveNodesConfig(pveInstances, nil, nil); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } cfg, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig returned error: %v", err) } if cfg == nil { t.Fatal("expected config, got nil") } if len(cfg.PVEInstances) != 1 { t.Fatalf("expected 1 PVE instance, got %d", len(cfg.PVEInstances)) } // PBS and PMG should be initialized to empty slices if cfg.PBSInstances == nil { t.Fatal("expected PBSInstances to be initialized (not nil)") } if cfg.PMGInstances == nil { t.Fatal("expected PMGInstances to be initialized (not nil)") } } func TestLoadNodesConfigCorruptedRecoversWithEmptyConfig(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Write corrupted data (invalid encrypted content) // This tests the recovery behavior: when nodes.enc is corrupted and no backup exists, // LoadNodesConfig returns an empty config instead of an error to allow system startup nodesFile := filepath.Join(tempDir, "nodes.enc") if err := os.WriteFile(nodesFile, []byte(`{broken json`), 0600); err != nil { t.Fatalf("WriteFile: %v", err) } cfg, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig should recover gracefully from corruption, got error: %v", err) } // Verify we got an empty config (recovery behavior) if cfg == nil { t.Fatal("expected empty config on recovery, got nil") } if len(cfg.PVEInstances) != 0 { t.Fatalf("expected empty PVEInstances on recovery, got %d", len(cfg.PVEInstances)) } } func TestLoadNodesConfigFileNotExist(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Don't create the file - test that empty config is returned cfg, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig returned error for non-existent file: %v", err) } if cfg == nil { t.Fatal("expected empty config, got nil") } if len(cfg.PVEInstances) != 0 { t.Fatalf("expected empty PVEInstances, got %d", len(cfg.PVEInstances)) } } func TestLoadNodesConfig_PBSTokenClearing(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Save PBS instance with both Password and TokenName (buggy config) pbsInstances := []config.PBSInstance{ { Name: "pbs-buggy", Host: "https://pbs.local:8007", User: "root@pam", Password: "secret-password", TokenName: "should-be-cleared", TokenValue: "also-cleared", MonitorBackups: true, // Already set so no migration needed for this }, } if err := cp.SaveNodesConfig(nil, pbsInstances, nil); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } loaded, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig: %v", err) } if len(loaded.PBSInstances) != 1 { t.Fatalf("expected 1 PBS instance, got %d", len(loaded.PBSInstances)) } pbs := loaded.PBSInstances[0] // TokenName/TokenValue should be cleared since Password is set if pbs.TokenName != "" { t.Errorf("expected TokenName cleared, got %q", pbs.TokenName) } if pbs.TokenValue != "" { t.Errorf("expected TokenValue cleared, got %q", pbs.TokenValue) } // Password should remain if pbs.Password != "secret-password" { t.Errorf("expected Password preserved, got %q", pbs.Password) } } func TestLoadNodesConfig_PBSHostNormalization(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Save PBS instance without port (should be normalized to :8007) pbsInstances := []config.PBSInstance{ { Name: "pbs-noport", Host: "https://pbs.local", User: "root@pam", Password: "pass", MonitorBackups: true, }, } if err := cp.SaveNodesConfig(nil, pbsInstances, nil); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } loaded, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig: %v", err) } if len(loaded.PBSInstances) != 1 { t.Fatalf("expected 1 PBS instance, got %d", len(loaded.PBSInstances)) } pbs := loaded.PBSInstances[0] if pbs.Host != "https://pbs.local:8007" { t.Errorf("expected PBS host normalized with port, got %q", pbs.Host) } } func TestLoadNodesConfig_PMGTokenClearing(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Save PMG instance with both Password and TokenName (buggy config) pmgInstances := []config.PMGInstance{ { Name: "pmg-buggy", Host: "https://pmg.local:8006", User: "root@pam", Password: "secret-password", TokenName: "should-be-cleared", TokenValue: "also-cleared", }, } if err := cp.SaveNodesConfig(nil, nil, pmgInstances); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } loaded, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig: %v", err) } if len(loaded.PMGInstances) != 1 { t.Fatalf("expected 1 PMG instance, got %d", len(loaded.PMGInstances)) } pmg := loaded.PMGInstances[0] // TokenName/TokenValue should be cleared since Password is set if pmg.TokenName != "" { t.Errorf("expected TokenName cleared, got %q", pmg.TokenName) } if pmg.TokenValue != "" { t.Errorf("expected TokenValue cleared, got %q", pmg.TokenValue) } // Password should remain if pmg.Password != "secret-password" { t.Errorf("expected Password preserved, got %q", pmg.Password) } } func TestLoadNodesConfig_PMGHostNormalization(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Save PMG instance without port (should be normalized to :8006) pmgInstances := []config.PMGInstance{ { Name: "pmg-noport", Host: "https://pmg.local", User: "root@pam", Password: "pass", }, } if err := cp.SaveNodesConfig(nil, nil, pmgInstances); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } loaded, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig: %v", err) } if len(loaded.PMGInstances) != 1 { t.Fatalf("expected 1 PMG instance, got %d", len(loaded.PMGInstances)) } pmg := loaded.PMGInstances[0] if pmg.Host != "https://pmg.local:8006" { t.Errorf("expected PMG host normalized with port, got %q", pmg.Host) } } // NOTE: TestSaveNodesConfig_BlocksEmptyWhenNodesExist is not included because // the saveNodesConfig function has a deadlock bug - it holds c.mu.Lock() while // calling LoadNodesConfig() which tries to acquire c.mu.RLock(). This makes // the empty config protection path untestable without first fixing the bug. func TestSaveNodesConfigAllowEmpty_PermitsEmptyConfig(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // First save a valid config with nodes pveInstances := []config.PVEInstance{ { Name: "pve-test", Host: "https://pve.local:8006", User: "root@pam", }, } if err := cp.SaveNodesConfig(pveInstances, nil, nil); err != nil { t.Fatalf("SaveNodesConfig initial: %v", err) } // SaveNodesConfigAllowEmpty should permit deleting all nodes err := cp.SaveNodesConfigAllowEmpty(nil, nil, nil) if err != nil { t.Fatalf("SaveNodesConfigAllowEmpty should permit empty config, got: %v", err) } // Verify nodes are now empty loaded, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig: %v", err) } if len(loaded.PVEInstances) != 0 { t.Errorf("expected 0 PVE instances after AllowEmpty save, got %d", len(loaded.PVEInstances)) } } func TestCleanupOldBackupsNonExistentDirectory(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Save a valid config so we can trigger cleanup pveInstances := []config.PVEInstance{ { Name: "pve-test", Host: "https://pve.local:8006", User: "root@pam", }, } // First save to create the file if err := cp.SaveNodesConfig(pveInstances, nil, nil); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } // Cleanup with non-existent pattern should not error // The pattern won't match anything, but it shouldn't panic or error // This is implicitly tested by the SaveNodesConfig which calls cleanupOldBackups // We just verify no panic occurred and the config was saved cfg, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig: %v", err) } if len(cfg.PVEInstances) != 1 { t.Fatalf("expected 1 PVE instance, got %d", len(cfg.PVEInstances)) } } func TestCleanupOldBackupsMultipleFiles(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } nodesFile := filepath.Join(tempDir, "nodes.enc") // Create initial file initialData := []byte(`{"pveInstances":[],"pbsInstances":[],"pmgInstances":[]}`) if err := os.WriteFile(nodesFile, initialData, 0600); err != nil { t.Fatalf("WriteFile: %v", err) } // Create 15 timestamped backup files (more than the 10 limit) baseTime := time.Now() for i := 0; i < 15; i++ { backupTime := baseTime.Add(time.Duration(-i) * time.Hour) backupFile := fmt.Sprintf("%s.backup-%s", nodesFile, backupTime.Format("20060102-150405")) content := fmt.Sprintf(`{"backup": %d}`, i) if err := os.WriteFile(backupFile, []byte(content), 0600); err != nil { t.Fatalf("WriteFile backup %d: %v", i, err) } // Set modification time to simulate different ages if err := os.Chtimes(backupFile, backupTime, backupTime); err != nil { t.Fatalf("Chtimes: %v", err) } } // Verify 15 backups exist matches, err := filepath.Glob(nodesFile + ".backup-*") if err != nil { t.Fatalf("Glob: %v", err) } if len(matches) != 15 { t.Fatalf("expected 15 backup files, got %d", len(matches)) } // Now save a new config, which should trigger cleanup pveInstances := []config.PVEInstance{ { Name: "pve-test", Host: "https://pve.local:8006", User: "root@pam", }, } if err := cp.SaveNodesConfig(pveInstances, nil, nil); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } // Verify that old backups were cleaned up (should have at most 10 + 1 new = 11) // Actually the cleanup runs before the new backup is created, so we should have 10 old + 1 new = 11 matches, err = filepath.Glob(nodesFile + ".backup-*") if err != nil { t.Fatalf("Glob after cleanup: %v", err) } // After cleanup, we should have max 10 old backups + 1 new backup = 11 if len(matches) > 11 { t.Fatalf("expected at most 11 backup files after cleanup, got %d", len(matches)) } } func TestLoadAppriseConfigErrorInvalidJSON(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Write invalid JSON to the apprise.enc file appriseFile := filepath.Join(tempDir, "apprise.enc") if err := os.WriteFile(appriseFile, []byte(`{not valid}`), 0600); err != nil { t.Fatalf("WriteFile: %v", err) } _, err := cp.LoadAppriseConfig() if err == nil { t.Fatal("expected error for invalid JSON/decryption failure, got nil") } } func TestLoadAppriseConfigFileNotExist(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Don't create the file - test default config is returned cfg, err := cp.LoadAppriseConfig() if err != nil { t.Fatalf("LoadAppriseConfig returned error for non-existent file: %v", err) } if cfg == nil { t.Fatal("expected default config, got nil") } if cfg.Enabled { t.Fatal("expected Enabled=false for default config") } if cfg.TimeoutSeconds != 15 { t.Fatalf("expected default TimeoutSeconds=15, got %d", cfg.TimeoutSeconds) } } func TestLoadAlertConfigErrorInvalidJSON(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Write invalid JSON to the alerts.json file alertsFile := filepath.Join(tempDir, "alerts.json") if err := os.WriteFile(alertsFile, []byte(`{"broken": `), 0600); err != nil { t.Fatalf("WriteFile: %v", err) } _, err := cp.LoadAlertConfig() if err == nil { t.Fatal("expected error for invalid JSON, got nil") } } func TestLoadSystemSettingsErrorInvalidJSON(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Write invalid JSON to the system.json file systemFile := filepath.Join(tempDir, "system.json") if err := os.WriteFile(systemFile, []byte(`not json at all`), 0600); err != nil { t.Fatalf("WriteFile: %v", err) } _, err := cp.LoadSystemSettings() if err == nil { t.Fatal("expected error for invalid JSON, got nil") } } func TestLoadSystemSettingsFileNotExist(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Don't create the file - test nil is returned (env vars take precedence) settings, err := cp.LoadSystemSettings() if err != nil { t.Fatalf("LoadSystemSettings returned error for non-existent file: %v", err) } if settings != nil { t.Fatal("expected nil for non-existent system settings file") } } // ============================================================================ // LoadOIDCConfig error paths and success cases // ============================================================================ func TestLoadOIDCConfigFileNotExist(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Don't create the file - test that nil, nil is returned cfg, err := cp.LoadOIDCConfig() if err != nil { t.Fatalf("LoadOIDCConfig returned error for non-existent file: %v", err) } if cfg != nil { t.Fatal("expected nil config for non-existent file, got non-nil") } } func TestLoadOIDCConfigFileReadError(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Create oidc.enc as a directory to trigger a read error (not IsNotExist) oidcFile := filepath.Join(tempDir, "oidc.enc") if err := os.Mkdir(oidcFile, 0700); err != nil { t.Fatalf("Mkdir: %v", err) } _, err := cp.LoadOIDCConfig() if err == nil { t.Fatal("expected error when reading directory as file, got nil") } } func TestLoadOIDCConfigValidJSONWithoutEncryption(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Use SaveOIDCConfig to properly save (and encrypt) the config, // then LoadOIDCConfig should be able to load it back expected := config.OIDCConfig{ Enabled: true, IssuerURL: "https://auth.example.com", ClientID: "test-client-id", ClientSecret: "test-client-secret", RedirectURL: "https://app.example.com/callback", Scopes: []string{"openid", "email", "profile"}, UsernameClaim: "preferred_username", } if err := cp.SaveOIDCConfig(expected); err != nil { t.Fatalf("SaveOIDCConfig: %v", err) } loaded, err := cp.LoadOIDCConfig() if err != nil { t.Fatalf("LoadOIDCConfig: %v", err) } if loaded == nil { t.Fatal("expected non-nil config, got nil") } if loaded.Enabled != expected.Enabled { t.Fatalf("Enabled mismatch: got %v want %v", loaded.Enabled, expected.Enabled) } if loaded.IssuerURL != expected.IssuerURL { t.Fatalf("IssuerURL mismatch: got %q want %q", loaded.IssuerURL, expected.IssuerURL) } if loaded.ClientID != expected.ClientID { t.Fatalf("ClientID mismatch: got %q want %q", loaded.ClientID, expected.ClientID) } if loaded.ClientSecret != expected.ClientSecret { t.Fatalf("ClientSecret mismatch: got %q want %q", loaded.ClientSecret, expected.ClientSecret) } if loaded.RedirectURL != expected.RedirectURL { t.Fatalf("RedirectURL mismatch: got %q want %q", loaded.RedirectURL, expected.RedirectURL) } if loaded.UsernameClaim != expected.UsernameClaim { t.Fatalf("UsernameClaim mismatch: got %q want %q", loaded.UsernameClaim, expected.UsernameClaim) } if !reflect.DeepEqual(loaded.Scopes, expected.Scopes) { t.Fatalf("Scopes mismatch: got %v want %v", loaded.Scopes, expected.Scopes) } } func TestLoadOIDCConfigInvalidJSON(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Write invalid data to oidc.enc file // Since crypto is enabled, writing raw JSON will cause a decryption error first // To test JSON unmarshal error, we need to bypass encryption or test the path // where crypto is nil. Writing garbage data will trigger decrypt error which // covers the decrypt error path. oidcFile := filepath.Join(tempDir, "oidc.enc") if err := os.WriteFile(oidcFile, []byte(`{invalid json content`), 0600); err != nil { t.Fatalf("WriteFile: %v", err) } _, err := cp.LoadOIDCConfig() if err == nil { t.Fatal("expected error for invalid data, got nil") } } func TestLoadOIDCConfigDecryptionError(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Write data that will fail decryption (not valid encrypted format) oidcFile := filepath.Join(tempDir, "oidc.enc") if err := os.WriteFile(oidcFile, []byte(`corrupted encrypted data`), 0600); err != nil { t.Fatalf("WriteFile: %v", err) } _, err := cp.LoadOIDCConfig() if err == nil { t.Fatal("expected decryption error, got nil") } } func TestLoadOIDCConfigRoundTrip(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Test full round-trip with encryption original := config.OIDCConfig{ Enabled: true, IssuerURL: "https://idp.example.org/realms/myrealm", ClientID: "my-app", ClientSecret: "super-secret-value", RedirectURL: "https://myapp.example.org/auth/callback", LogoutURL: "https://idp.example.org/realms/myrealm/protocol/openid-connect/logout", Scopes: []string{"openid", "email", "profile", "groups"}, UsernameClaim: "preferred_username", EmailClaim: "email", GroupsClaim: "groups", AllowedGroups: []string{"admin", "users"}, AllowedDomains: []string{"example.org"}, AllowedEmails: []string{"admin@example.org"}, CABundle: "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----", } if err := cp.SaveOIDCConfig(original); err != nil { t.Fatalf("SaveOIDCConfig: %v", err) } loaded, err := cp.LoadOIDCConfig() if err != nil { t.Fatalf("LoadOIDCConfig: %v", err) } if loaded == nil { t.Fatal("expected config, got nil") } // Verify all fields are preserved through the round-trip if loaded.Enabled != original.Enabled { t.Errorf("Enabled: got %v want %v", loaded.Enabled, original.Enabled) } if loaded.IssuerURL != original.IssuerURL { t.Errorf("IssuerURL: got %q want %q", loaded.IssuerURL, original.IssuerURL) } if loaded.ClientID != original.ClientID { t.Errorf("ClientID: got %q want %q", loaded.ClientID, original.ClientID) } if loaded.ClientSecret != original.ClientSecret { t.Errorf("ClientSecret: got %q want %q", loaded.ClientSecret, original.ClientSecret) } if loaded.RedirectURL != original.RedirectURL { t.Errorf("RedirectURL: got %q want %q", loaded.RedirectURL, original.RedirectURL) } if loaded.LogoutURL != original.LogoutURL { t.Errorf("LogoutURL: got %q want %q", loaded.LogoutURL, original.LogoutURL) } if !reflect.DeepEqual(loaded.Scopes, original.Scopes) { t.Errorf("Scopes: got %v want %v", loaded.Scopes, original.Scopes) } if loaded.UsernameClaim != original.UsernameClaim { t.Errorf("UsernameClaim: got %q want %q", loaded.UsernameClaim, original.UsernameClaim) } if loaded.EmailClaim != original.EmailClaim { t.Errorf("EmailClaim: got %q want %q", loaded.EmailClaim, original.EmailClaim) } if loaded.GroupsClaim != original.GroupsClaim { t.Errorf("GroupsClaim: got %q want %q", loaded.GroupsClaim, original.GroupsClaim) } if !reflect.DeepEqual(loaded.AllowedGroups, original.AllowedGroups) { t.Errorf("AllowedGroups: got %v want %v", loaded.AllowedGroups, original.AllowedGroups) } if !reflect.DeepEqual(loaded.AllowedDomains, original.AllowedDomains) { t.Errorf("AllowedDomains: got %v want %v", loaded.AllowedDomains, original.AllowedDomains) } if !reflect.DeepEqual(loaded.AllowedEmails, original.AllowedEmails) { t.Errorf("AllowedEmails: got %v want %v", loaded.AllowedEmails, original.AllowedEmails) } if loaded.CABundle != original.CABundle { t.Errorf("CABundle: got %q want %q", loaded.CABundle, original.CABundle) } } func TestPersistence_EnvConfigSuppressions(t *testing.T) { tempDir := t.TempDir() p := config.NewConfigPersistence(tempDir) if err := p.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Should start empty hashes, err := p.LoadEnvTokenSuppressions() if err != nil { t.Fatalf("LoadEnvTokenSuppressions: %v", err) } if len(hashes) != 0 { t.Errorf("Expected empty hashes, got %v", hashes) } // Save some hashes expected := []string{"hash1", "hash2"} if err := p.SaveEnvTokenSuppressions(expected); err != nil { t.Fatalf("SaveEnvTokenSuppressions: %v", err) } // Load back loaded, err := p.LoadEnvTokenSuppressions() if err != nil { t.Fatalf("LoadEnvTokenSuppressions: %v", err) } if !reflect.DeepEqual(loaded, expected) { t.Errorf("Expected %v, got %v", expected, loaded) } // Save empty if err := p.SaveEnvTokenSuppressions([]string{}); err != nil { t.Fatalf("SaveEnvTokenSuppressions empty: %v", err) } loaded, err = p.LoadEnvTokenSuppressions() if err != nil { t.Fatalf("LoadEnvTokenSuppressions: %v", err) } if len(loaded) != 0 { t.Errorf("Expected empty hashes after clearing, got %v", loaded) } // Test invalid JSON invalidFile := filepath.Join(tempDir, "env_token_suppressions.json") require.NoError(t, os.WriteFile(invalidFile, []byte("{xxx"), 0644)) _, err = p.LoadEnvTokenSuppressions() if err == nil { t.Fatal("Expected error on invalid JSON") } } func TestLoadNodesConfig_PVEMonitorBackupsMigration(t *testing.T) { tempDir := t.TempDir() cp := config.NewConfigPersistence(tempDir) if err := cp.EnsureConfigDir(); err != nil { t.Fatalf("EnsureConfigDir: %v", err) } // Save PVE instance with MonitorBackups=false (simulating old config or missing field) pveInstances := []config.PVEInstance{ { Name: "pve-no-backups", Host: "https://pve.local:8006", User: "root@pam", Password: "secret", MonitorBackups: false, // This should be migrated to true }, } if err := cp.SaveNodesConfig(pveInstances, nil, nil); err != nil { t.Fatalf("SaveNodesConfig: %v", err) } loaded, err := cp.LoadNodesConfig() if err != nil { t.Fatalf("LoadNodesConfig: %v", err) } if len(loaded.PVEInstances) != 1 { t.Fatalf("expected 1 PVE instance, got %d", len(loaded.PVEInstances)) } pve := loaded.PVEInstances[0] // MonitorBackups should be migrated to true if !pve.MonitorBackups { t.Errorf("expected MonitorBackups to be migrated to true, got false") } }