lib/server/admin_security_test.go

package server

import (
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
	"testing"

	"github.com/gin-gonic/gin"

	"warpbox/lib/activity"
	"warpbox/lib/alerts"
	"warpbox/lib/config"
	"warpbox/lib/security"
)

func TestAdminSecurityActionsWriteAuditTrail(t *testing.T) {
	app, router := setupAdminSecurityTest(t)

	for _, body := range []string{
		`{"action":"ban","ip":"203.0.113.7"}`,
		`{"action":"unban","ip":"203.0.113.7"}`,
	} {
		request := httptest.NewRequest(http.MethodPost, "/admin/security/actions", strings.NewReader(body))
		request.Header.Set("Content-Type", "application/json")
		request.AddCookie(authCookie(app))
		response := httptest.NewRecorder()
		router.ServeHTTP(response, request)
		if response.Code != http.StatusOK {
			t.Fatalf("expected 200, got %d body=%s", response.Code, response.Body.String())
		}
	}

	events, err := app.activityStore.List(100, app.config.ActivityRetentionSeconds)
	if err != nil {
		t.Fatalf("activity list error: %v", err)
	}
	if len(events) < 2 {
		t.Fatalf("expected activity events, got %d", len(events))
	}
	alertsList, err := app.alertStore.List(100)
	if err != nil {
		t.Fatalf("alerts list error: %v", err)
	}
	if len(alertsList) < 2 {
		t.Fatalf("expected alerts for manual actions, got %d", len(alertsList))
	}
}

func TestAdminSecurityBulkUnbanAndUnbanAll(t *testing.T) {
	app, router := setupAdminSecurityTest(t)
	app.securityGuard.Ban("203.0.113.8", 300)
	app.securityGuard.Ban("203.0.113.9", 300)

	request := httptest.NewRequest(http.MethodPost, "/admin/security/actions", strings.NewReader(`{"action":"bulk_unban","ips":["203.0.113.8"]}`))
	request.Header.Set("Content-Type", "application/json")
	request.AddCookie(authCookie(app))
	response := httptest.NewRecorder()
	router.ServeHTTP(response, request)
	if response.Code != http.StatusOK {
		t.Fatalf("bulk_unban expected 200, got %d", response.Code)
	}
	if app.securityGuard.IsBanned("203.0.113.8") {
		t.Fatal("expected selected IP to be unbanned")
	}
	if !app.securityGuard.IsBanned("203.0.113.9") {
		t.Fatal("expected non-selected IP to remain banned")
	}

	requestAll := httptest.NewRequest(http.MethodPost, "/admin/security/actions", strings.NewReader(`{"action":"unban_all"}`))
	requestAll.Header.Set("Content-Type", "application/json")
	requestAll.AddCookie(authCookie(app))
	responseAll := httptest.NewRecorder()
	router.ServeHTTP(responseAll, requestAll)
	if responseAll.Code != http.StatusOK {
		t.Fatalf("unban_all expected 200, got %d", responseAll.Code)
	}
	if len(app.securityGuard.BanList()) != 0 {
		t.Fatal("expected all bans to be removed")
	}
}

func setupAdminSecurityTest(t *testing.T) (*App, *gin.Engine) {
	t.Helper()
	gin.SetMode(gin.TestMode)
	cwd, _ := os.Getwd()
	root := filepath.Clean(filepath.Join(cwd, "..", ".."))
	if err := os.Chdir(root); err != nil {
		t.Fatalf("chdir: %v", err)
	}
	t.Cleanup(func() { _ = os.Chdir(cwd) })

	clearAdminSettingsEnv(t)
	t.Setenv("WARPBOX_DATA_DIR", t.TempDir())
	t.Setenv("WARPBOX_ADMIN_PASSWORD", "secret")
	t.Setenv("WARPBOX_ADMIN_ENABLED", "true")

	cfg, err := config.Load()
	if err != nil {
		t.Fatalf("config load: %v", err)
	}
	if err := cfg.EnsureDirectories(); err != nil {
		t.Fatalf("ensure dirs: %v", err)
	}

	app := &App{
		config:        cfg,
		activityStore: activity.NewStore(filepath.Join(cfg.DBDir, "activity.json")),
		alertStore:    alerts.NewStore(filepath.Join(cfg.DBDir, "alerts.json")),
		securityGuard: security.NewGuard(),
	}
	app.reloadSecurityConfig()
	t.Cleanup(func() { _ = app.securityGuard.Close() })

	router := gin.New()
	admin := router.Group("/admin")
	admin.GET("/login", app.handleAdminLogin)
	protected := router.Group("/admin", app.adminAuthMiddleware)
	protected.POST("/security/actions", app.handleAdminSecurityAction)
	return app, router
}
feat(security): Implemented more security information 2026-05-03 22:46:54 +03:00			`package server`

			`import (`
			`"net/http"`
			`"net/http/httptest"`
			`"os"`
			`"path/filepath"`
			`"strings"`
			`"testing"`

			`"github.com/gin-gonic/gin"`

			`"warpbox/lib/activity"`
			`"warpbox/lib/alerts"`
			`"warpbox/lib/config"`
			`"warpbox/lib/security"`
			`)`

			`func TestAdminSecurityActionsWriteAuditTrail(t *testing.T) {`
			`app, router := setupAdminSecurityTest(t)`

			`for _, body := range []string{`
			`{"action":"ban","ip":"203.0.113.7"}`,
			`{"action":"unban","ip":"203.0.113.7"}`,
			`} {`
			`request := httptest.NewRequest(http.MethodPost, "/admin/security/actions", strings.NewReader(body))`
			`request.Header.Set("Content-Type", "application/json")`
			`request.AddCookie(authCookie(app))`
			`response := httptest.NewRecorder()`
			`router.ServeHTTP(response, request)`
			`if response.Code != http.StatusOK {`
			`t.Fatalf("expected 200, got %d body=%s", response.Code, response.Body.String())`
			`}`
			`}`

			`events, err := app.activityStore.List(100, app.config.ActivityRetentionSeconds)`
			`if err != nil {`
			`t.Fatalf("activity list error: %v", err)`
			`}`
			`if len(events) < 2 {`
			`t.Fatalf("expected activity events, got %d", len(events))`
			`}`
			`alertsList, err := app.alertStore.List(100)`
			`if err != nil {`
			`t.Fatalf("alerts list error: %v", err)`
			`}`
			`if len(alertsList) < 2 {`
			`t.Fatalf("expected alerts for manual actions, got %d", len(alertsList))`
			`}`
			`}`

			`func TestAdminSecurityBulkUnbanAndUnbanAll(t *testing.T) {`
			`app, router := setupAdminSecurityTest(t)`
			`app.securityGuard.Ban("203.0.113.8", 300)`
			`app.securityGuard.Ban("203.0.113.9", 300)`

			request := httptest.NewRequest(http.MethodPost, "/admin/security/actions", strings.NewReader(`{"action":"bulk_unban","ips":["203.0.113.8"]}`))
			`request.Header.Set("Content-Type", "application/json")`
			`request.AddCookie(authCookie(app))`
			`response := httptest.NewRecorder()`
			`router.ServeHTTP(response, request)`
			`if response.Code != http.StatusOK {`
			`t.Fatalf("bulk_unban expected 200, got %d", response.Code)`
			`}`
			`if app.securityGuard.IsBanned("203.0.113.8") {`
			`t.Fatal("expected selected IP to be unbanned")`
			`}`
			`if !app.securityGuard.IsBanned("203.0.113.9") {`
			`t.Fatal("expected non-selected IP to remain banned")`
			`}`

			requestAll := httptest.NewRequest(http.MethodPost, "/admin/security/actions", strings.NewReader(`{"action":"unban_all"}`))
			`requestAll.Header.Set("Content-Type", "application/json")`
			`requestAll.AddCookie(authCookie(app))`
			`responseAll := httptest.NewRecorder()`
			`router.ServeHTTP(responseAll, requestAll)`
			`if responseAll.Code != http.StatusOK {`
			`t.Fatalf("unban_all expected 200, got %d", responseAll.Code)`
			`}`
			`if len(app.securityGuard.BanList()) != 0 {`
			`t.Fatal("expected all bans to be removed")`
			`}`
			`}`

			`func setupAdminSecurityTest(t testing.T) (App, *gin.Engine) {`
			`t.Helper()`
			`gin.SetMode(gin.TestMode)`
			`cwd, _ := os.Getwd()`
			`root := filepath.Clean(filepath.Join(cwd, "..", ".."))`
			`if err := os.Chdir(root); err != nil {`
			`t.Fatalf("chdir: %v", err)`
			`}`
			`t.Cleanup(func() { _ = os.Chdir(cwd) })`

			`clearAdminSettingsEnv(t)`
			`t.Setenv("WARPBOX_DATA_DIR", t.TempDir())`
			`t.Setenv("WARPBOX_ADMIN_PASSWORD", "secret")`
			`t.Setenv("WARPBOX_ADMIN_ENABLED", "true")`

			`cfg, err := config.Load()`
			`if err != nil {`
			`t.Fatalf("config load: %v", err)`
			`}`
			`if err := cfg.EnsureDirectories(); err != nil {`
			`t.Fatalf("ensure dirs: %v", err)`
			`}`

			`app := &App{`
			`config: cfg,`
			`activityStore: activity.NewStore(filepath.Join(cfg.DBDir, "activity.json")),`
			`alertStore: alerts.NewStore(filepath.Join(cfg.DBDir, "alerts.json")),`
			`securityGuard: security.NewGuard(),`
			`}`
			`app.reloadSecurityConfig()`
			`t.Cleanup(func() { _ = app.securityGuard.Close() })`

			`router := gin.New()`
			`admin := router.Group("/admin")`
			`admin.GET("/login", app.handleAdminLogin)`
			`protected := router.Group("/admin", app.adminAuthMiddleware)`
			`protected.POST("/security/actions", app.handleAdminSecurityAction)`
			`return app, router`
			`}`