package main
import (
"io"
"os"
"path/filepath"
"strings"
"testing"
"github.com/pinchtab/pinchtab/internal/config"
)
// TestHandleSecurityCommandDefaultConfigSkipsEmptySections runs the security
// command against the fixture from testRuntimeConfig and checks the report it
// prints to stdout: the "Security" heading and the all-defaults-active line
// must appear, and the posture/warning/recommendation sections and the
// restore prompt must not.
//
// The negative list matters as much as the positive one: a report that prints
// warnings or offers a restore for a configuration with every guard in place
// trains operators to ignore the output.
func TestHandleSecurityCommandDefaultConfigSkipsEmptySections(t *testing.T) {
	cfg := testRuntimeConfig()
	output := captureStdout(t, func() { handleSecurityCommand(cfg) })

	// Checked in order: first everything that must be present, then
	// everything that must be absent.
	checks := []struct {
		text    string
		present bool
	}{
		{"Security", true},
		{"All recommended security defaults are active.", true},
		{"Security posture", false},
		{"Warnings", false},
		{"Recommended security defaults", false},
		{"Recommended defaults", false},
		{"Restore recommended security defaults in config?", false},
		{"Interactive restore skipped because stdin/stdout is not a terminal.", false},
	}

	for _, c := range checks {
		found := strings.Contains(output, c.text)
		switch {
		case c.present && !found:
			t.Fatalf("expected output to contain %q\n%s", c.text, output)
		case !c.present && found:
			t.Fatalf("expected output to skip %q\n%s", c.text, output)
		}
	}
}
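// captureStdout runs fn with os.Stdout redirected into a pipe and returns
// everything fn wrote to it.
//
// The pipe is drained by a goroutine while fn runs. Reading only after fn
// returns would block fn forever as soon as its output exceeds the kernel
// pipe buffer, which turns a verbose report into a hung test instead of a
// failure.
//
// os.Stdout is process-global, so this helper must not be used from tests
// that run in parallel with other stdout writers. Any setup or teardown error
// fails the test through t.Fatalf.
func captureStdout(t *testing.T, fn func()) string {
	t.Helper()

	r, w, err := os.Pipe()
	if err != nil {
		t.Fatalf("os.Pipe() error = %v", err)
	}

	type drained struct {
		data []byte
		err  error
	}
	// Buffered so the reader goroutine can always finish, even if this
	// function exits early through t.Fatalf.
	done := make(chan drained, 1)
	go func() {
		data, err := io.ReadAll(r)
		done <- drained{data: data, err: err}
	}()

	orig := os.Stdout
	os.Stdout = w
	func() {
		// Restore stdout even when fn panics or ends the test early.
		defer func() { os.Stdout = orig }()
		fn()
	}()

	// Closing the write end is what lets ReadAll see EOF.
	if err := w.Close(); err != nil {
		t.Fatalf("close writer error = %v", err)
	}
	res := <-done
	if res.err != nil {
		t.Fatalf("ReadAll() error = %v", res.err)
	}
	if err := r.Close(); err != nil {
		t.Fatalf("close reader error = %v", err)
	}
	return string(res.data)
}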
// TestApplyGuardsDownPreset saves a default file config carrying a known
// token into a temporary directory, points PINCHTAB_CONFIG at it, applies the
// guards-down preset and checks the configuration that comes back.
//
// The assertions pin two things. The preset turns the sensitive endpoints
// (evaluate, macro, screencast, download, upload, attach) on and the IDPI
// protections off. It does so without widening exposure: Bind stays on
// 127.0.0.1, the existing token is kept, and the attach allow-lists stay
// limited to loopback hosts and the ws/wss schemes.
//
// NOTE(review): only the returned config is inspected; the file written at
// configPath is not re-read here, so what the preset persists is not covered
// by this test.
func TestApplyGuardsDownPreset(t *testing.T) {
	// The config directory is created under t.TempDir(), so it never touches
	// a real user configuration.
	configDir := filepath.Join(t.TempDir(), "pinchtab")
	configPath := filepath.Join(configDir, "config.json")
	t.Setenv("PINCHTAB_CONFIG", configPath)

	fc := config.DefaultFileConfig()
	// Fixture value; asserted below to survive the preset unchanged.
	fc.Server.Token = "guarded-token"

	if err := os.MkdirAll(filepath.Dir(configPath), 0o755); err != nil {
		t.Fatalf("MkdirAll() error = %v", err)
	}
	if err := config.SaveFileConfig(&fc, configPath); err != nil {
		t.Fatalf("SaveFileConfig() error = %v", err)
	}

	cfg, gotPath, changed, err := applyGuardsDownPreset()
	switch {
	case err != nil:
		t.Fatalf("applyGuardsDownPreset() error = %v", err)
	case !changed:
		t.Fatal("expected guards down preset to change config")
	case gotPath != configPath:
		t.Fatalf("config path = %q, want %q", gotPath, configPath)
	}

	// Exposure must not widen: still loopback-only and still token-protected.
	if cfg.Bind != "127.0.0.1" {
		t.Fatalf("Bind = %q, want 127.0.0.1", cfg.Bind)
	}
	if cfg.Token != "guarded-token" {
		t.Fatalf("Token = %q, want existing token to remain", cfg.Token)
	}

	// Every sensitive endpoint is expected to be switched on by the preset.
	sensitiveOn := cfg.AllowEvaluate &&
		cfg.AllowMacro &&
		cfg.AllowScreencast &&
		cfg.AllowDownload &&
		cfg.AllowUpload
	if !sensitiveOn {
		// %+v prints the whole config, Token included; acceptable here only
		// because the token is the fixture value set above.
		t.Fatalf("expected sensitive endpoints enabled, got %+v", cfg)
	}
	if !cfg.AttachEnabled {
		t.Fatal("expected attach endpoint enabled")
	}

	// Attach is enabled, but only for loopback hosts over ws/wss.
	hosts := strings.Join(cfg.AttachAllowHosts, ",")
	if hosts != "127.0.0.1,localhost,::1" {
		t.Fatalf("AttachAllowHosts = %q", hosts)
	}
	schemes := strings.Join(cfg.AttachAllowSchemes, ",")
	if schemes != "ws,wss" {
		t.Fatalf("AttachAllowSchemes = %q", schemes)
	}

	idpiActive := cfg.IDPI.Enabled ||
		cfg.IDPI.StrictMode ||
		cfg.IDPI.ScanContent ||
		cfg.IDPI.WrapContent
	if idpiActive {
		t.Fatalf("expected IDPI protections disabled, got %+v", cfg.IDPI)
	}
}
// testRuntimeConfig returns a fresh runtime configuration fixture with every
// guard in place: bound to 127.0.0.1, a token set, all sensitive endpoints
// and attach switched off, attach allow-lists limited to loopback hosts and
// ws/wss, and all IDPI protections enabled.
//
// The token is a constructed test value, not a real credential.
func testRuntimeConfig() *config.RuntimeConfig {
	// A new slice per call, so the two allow-lists never share backing
	// storage and a test mutating one cannot affect the other.
	loopback := func() []string {
		return []string{"127.0.0.1", "localhost", "::1"}
	}

	cfg := new(config.RuntimeConfig)
	cfg.Bind = "127.0.0.1"
	cfg.Token = "abcd1234efgh5678"

	// Spelled out although false is the zero value: the fixture documents
	// which switches are deliberately off.
	cfg.AllowEvaluate = false
	cfg.AllowMacro = false
	cfg.AllowScreencast = false
	cfg.AllowDownload = false
	cfg.AllowUpload = false
	cfg.AttachEnabled = false

	cfg.AttachAllowHosts = loopback()
	cfg.AttachAllowSchemes = []string{"ws", "wss"}

	cfg.IDPI = config.IDPIConfig{
		Enabled:        true,
		AllowedDomains: loopback(),
		StrictMode:     true,
		ScanContent:    true,
		WrapContent:    true,
	}
	return cfg
}