5 changes: 5 additions & 0 deletions pkg/api/audit/audit_test.go
Expand Up @@ -35,6 +35,7 @@ func TestLogEmitsRequiredFields(t *testing.T) {
var buf bytes.Buffer
captureLog(&buf, func() {
req := httptest.NewRequest("POST", "/api/users/target-123/role", nil)
req.Host = "localhost"
req.Header.Set("X-Forwarded-For", "10.0.0.1")
//nolint:errcheck // test-only; response body is irrelevant
app.Test(req)
Expand Down Expand Up @@ -76,6 +77,7 @@ func TestLogOmitsDetailsWhenEmpty(t *testing.T) {
var buf bytes.Buffer
captureLog(&buf, func() {
req := httptest.NewRequest("DELETE", "/api/users/target-456", nil)
req.Host = "localhost"
//nolint:errcheck // test-only
app.Test(req)
})
Expand Down Expand Up @@ -104,6 +106,7 @@ func TestLogUnauthorizedAttempt(t *testing.T) {
var buf bytes.Buffer
captureLog(&buf, func() {
req := httptest.NewRequest("GET", "/api/users", nil)
req.Host = "localhost"
//nolint:errcheck // test-only
app.Test(req)
})
Expand Down Expand Up @@ -151,6 +154,7 @@ func TestLogPersistsAuditEntry(t *testing.T) {
})

req := httptest.NewRequest("PUT", "/api/settings", nil)
req.Host = "localhost"
req.Header.Set("X-Forwarded-For", "203.0.113.10")
_, err := app.Test(req)
if err != nil {
Expand Down Expand Up @@ -204,6 +208,7 @@ func TestLogStoreFailureLogsError(t *testing.T) {
var buf bytes.Buffer
captureLog(&buf, func() {
req := httptest.NewRequest("POST", "/api/login", nil)
req.Host = "localhost"
_, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test() error = %v", err)
Expand Down
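Review bot: Every hunk here only pins the accepted Host (`req.Host = "localhost"` right after each `httptest.NewRequest` call), which hides that `httptest.NewRequest` defaults Host to `example.com`, so the default was presumably being rejected by a Host check elsewhere in the stack that this file does not show. If that check is a Host-header allowlist, this file still lacks the negative case: a request left at the default Host should be asserted to be rejected, and the test should state whether an audit entry is expected for it, otherwise a regression that disables the allowlist would pass all five of these tests unnoticed. A one-line comment on the first occurrence, `// Host must be on the allowlist or the request is rejected before the audit middleware runs — TODO confirm`, would tell the next maintainer why the line exists. The body of `TestLogStoreFailureLogsError` continues past the last hunk.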
2 changes: 2 additions & 0 deletions pkg/api/handlers/agentic_detection_runs_test.go
Expand Up @@ -153,6 +153,7 @@ func TestGetDetectionRuns_DemoMode(t *testing.T) {
env.App.Get("/api/detection-runs", h.GetDetectionRuns)

req, err := http.NewRequest("GET", "/api/detection-runs", nil)
req.Host = "localhost"
require.NoError(t, err)
req.Header.Set("X-Demo-Mode", "true")

Expand All @@ -178,6 +179,7 @@ func TestGetDetectionRuns_NoToken_FallsBackToDemo(t *testing.T) {
env.App.Get("/api/detection-runs", h.GetDetectionRuns)

req, err := http.NewRequest("GET", "/api/detection-runs", nil)
req.Host = "localhost"
require.NoError(t, err)

resp, err := env.App.Test(req, 5000)
Expand Down
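Review bot: In both hunks `req.Host = "localhost"` is assigned before `require.NoError(t, err)`, so if `http.NewRequest` ever returned an error the test would panic on a nil `*http.Request` instead of reporting the error; move the assignment below the check, i.e. `require.NoError(t, err)` then `req.Host = "localhost"`. The same ordering applies to the second hunk in `TestGetDetectionRuns_NoToken_FallsBackToDemo`. Both test bodies continue past their hunks.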
19 changes: 19 additions & 0 deletions pkg/api/handlers/auth/auth_test.go
Expand Up @@ -53,6 +53,7 @@
mockStore.On("UpdateLastLogin", mock.Anything).Return(nil).Once()

req, _ := http.NewRequest("GET", "/auth/dev", nil)
req.Host = "localhost"
resp, err := app.Test(req, 5000)

assert.NoError(t, err)
Expand All @@ -77,6 +78,7 @@
mockStore.On("UpdateLastLogin", existingUser.ID).Return(nil).Once()

req, _ := http.NewRequest("GET", "/auth/dev", nil)
req.Host = "localhost"
resp, err := app.Test(req, 5000)

assert.NoError(t, err)
Expand All @@ -94,6 +96,7 @@
// want to exercise the CSRF gate should build requests directly.
func refreshReq(authHeader string) *http.Request {
req, err := http.NewRequest("POST", "/auth/refresh", nil)
req.Host = "localhost"
if err != nil {
panic(err)
}
Expand Down Expand Up @@ -188,6 +191,7 @@
token, _ := handler.generateJWT(user)

req, _ := http.NewRequest("POST", "/auth/refresh", nil)
req.Host = "localhost"
req.Header.Set("Authorization", "Bearer "+token)
resp, _ := app.Test(req, 5000)
assert.Equal(t, http.StatusForbidden, resp.StatusCode,
Expand Down Expand Up @@ -328,6 +332,7 @@
app.Get("/auth/github", handler.GitHubLogin)

req, _ := http.NewRequest("GET", "/auth/github", nil)
req.Host = "localhost"
resp, err := app.Test(req, 5000)

assert.NoError(t, err)
Expand Down Expand Up @@ -362,6 +367,7 @@
app.Get("/auth/callback", handler.GitHubCallback)

req, _ := http.NewRequest("GET", "/auth/callback", nil)
req.Host = "localhost"
resp, err := app.Test(req, 5000)
if err != nil || resp == nil {
t.Fatalf("app.Test failed: %v", err)
Expand All @@ -378,6 +384,7 @@

// Provide code but no state
req, _ := http.NewRequest("GET", "/auth/callback?code=123", nil)
req.Host = "localhost"
resp, err := app.Test(req, 5000)
if err != nil || resp == nil {
t.Fatalf("app.Test failed: %v", err)
Expand All @@ -394,6 +401,7 @@

t.Run("Access denied by user", func(t *testing.T) {
req, _ := http.NewRequest("GET", "/auth/callback?error=access_denied&error_description=The+user+denied+access", nil)
req.Host = "localhost"
resp, err := app.Test(req, 5000)
if err != nil || resp == nil {
t.Fatalf("app.Test failed: %v", err)
Expand All @@ -407,6 +415,7 @@

t.Run("Generic GitHub error", func(t *testing.T) {
req, _ := http.NewRequest("GET", "/auth/callback?error=application_suspended&error_description=App+is+suspended", nil)
req.Host = "localhost"
resp, err := app.Test(req, 5000)
if err != nil || resp == nil {
t.Fatalf("app.Test failed: %v", err)
Expand Down Expand Up @@ -468,6 +477,7 @@
assert.NoError(t, err)

req, _ := http.NewRequest("GET", "/auth/callback?code=123&state=bogus", nil)
req.Host = "localhost"
req.AddCookie(&http.Cookie{Name: jwtCookieName, Value: cookieToken})

resp, err := app.Test(req, 5000)
Expand All @@ -483,6 +493,7 @@

t.Run("missing cookie + invalid state redirects to error page", func(t *testing.T) {
req, _ := http.NewRequest("GET", "/auth/callback?code=123&state=bogus", nil)
req.Host = "localhost"

resp, err := app.Test(req, 5000)
assert.NoError(t, err)
Expand All @@ -505,6 +516,7 @@
expiredSigned, _ := expiredJWT.SignedString([]byte("test-secret"))

req, _ := http.NewRequest("GET", "/auth/callback?code=123&state=bogus", nil)
req.Host = "localhost"
req.AddCookie(&http.Cookie{Name: jwtCookieName, Value: expiredSigned})

resp, err := app.Test(req, 5000)
Expand All @@ -530,6 +542,7 @@
forgedSigned, _ := forgedJWT.SignedString([]byte("not-the-real-secret"))

req, _ := http.NewRequest("GET", "/auth/callback?code=123&state=bogus", nil)
req.Host = "localhost"
req.AddCookie(&http.Cookie{Name: jwtCookieName, Value: forgedSigned})

resp, err := app.Test(req, 5000)
Expand All @@ -548,6 +561,7 @@
assert.NoError(t, err)

req, _ := http.NewRequest("GET", "/auth/callback?code=123", nil)
req.Host = "localhost"
req.AddCookie(&http.Cookie{Name: jwtCookieName, Value: cookieToken})

resp, err := app.Test(req, 5000)
Expand Down Expand Up @@ -753,6 +767,7 @@
// Include CR/LF in the query param; after URL decoding the handler
// should strip the control characters before reflecting them.
req, _ := http.NewRequest("GET",
req.Host = "localhost"

"/auth/callback?error=access_denied&error_description=bad%0D%0Ainjected",
nil)
resp, err := app.Test(req, 5000)
Expand All @@ -778,6 +793,7 @@

// Without the CSRF header: 403.
req, err := http.NewRequest("POST", "/auth/logout", nil)
req.Host = "localhost"
require.NoError(t, err)
req.Header.Set("Authorization", "Bearer "+token)
resp, err := app.Test(req, 5000)
Expand All @@ -786,6 +802,7 @@

// With the CSRF header: 200.
req2, err := http.NewRequest("POST", "/auth/logout", nil)
req2.Host = "localhost"
require.NoError(t, err)
req2.Header.Set("Authorization", "Bearer "+token)
req2.Header.Set("X-Requested-With", "XMLHttpRequest")
Expand Down Expand Up @@ -813,6 +830,7 @@
signed, _ := tok.SignedString([]byte("test-secret"))

req, err := http.NewRequest("POST", "/auth/logout", nil)
req.Host = "localhost"
require.NoError(t, err)
req.Header.Set("Authorization", "Bearer "+signed)
req.Header.Set("X-Requested-With", "XMLHttpRequest")
Expand All @@ -836,6 +854,7 @@
mockStore.On("UpdateLastLogin", mock.Anything).Return(nil).Once()

req, _ := http.NewRequest("GET", "/auth/dev", nil)
req.Host = "localhost"
resp, err := app.Test(req, 5000)
require.NoError(t, err)

Expand Down
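Review bot: The insertion in the CR/LF-injection test splits a multi-line `http.NewRequest("GET",` call — `req.Host = "localhost"` lands between the method argument and the URL string, which is the `expected '==', found '='` failure CI reports for line 770; the assignment must follow the closing `nil)` of that call. Elsewhere the line is placed before the error check (`refreshReq` assigns `req.Host` before `if err != nil`, and the logout tests assign it before `require.NoError(t, err)`), so a `NewRequest` failure would panic on a nil request rather than fail cleanly; put `req.Host = "localhost"` after each check. A mechanical find-and-replace appears to have produced both problems, so every inserted line in this file is worth re-reading by hand. Several of the enclosing test functions start or end outside their hunks.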
3 changes: 3 additions & 0 deletions pkg/api/handlers/card_proxy_test.go
Expand Up @@ -121,6 +121,7 @@ func TestCardProxyAuthorization_ViewerForbidden(t *testing.T) {
app.Get("/api/card-proxy", handler.Proxy)

req, err := http.NewRequest(http.MethodGet, "/api/card-proxy?url=https://example.com", nil)
req.Host = "localhost"
require.NoError(t, err)

resp, err := app.Test(req, -1)
Expand Down Expand Up @@ -148,6 +149,7 @@ func TestCardProxyAuthorization_EditorAllowed(t *testing.T) {
app.Get("/api/card-proxy", handler.Proxy)

req, err := http.NewRequest(http.MethodGet, "/api/card-proxy", nil)
req.Host = "localhost"
require.NoError(t, err)

resp, err := app.Test(req, -1)
Expand All @@ -168,6 +170,7 @@ func TestCardProxyAuthorization_NilStoreSkipsCheck(t *testing.T) {
app.Get("/api/card-proxy", handler.Proxy)

req, err := http.NewRequest(http.MethodGet, "/api/card-proxy", nil)
req.Host = "localhost"
require.NoError(t, err)

resp, err := app.Test(req, -1)
Expand Down
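Review bot: All three hunks assign `req.Host = "localhost"` before `require.NoError(t, err)`, so a failing `http.NewRequest` would dereference a nil `*http.Request` and panic instead of failing the test with the error; reorder to `require.NoError(t, err)` followed by `req.Host = "localhost"`. The test bodies continue past their hunks.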
20 changes: 20 additions & 0 deletions pkg/api/handlers/cards_test.go
Expand Up @@ -55,6 +55,7 @@
app.Get("/api/cards/types", handler.GetCardTypes)

req, err := http.NewRequest("GET", "/api/cards/types", nil)
req.Host = "localhost"
require.NoError(t, err)

resp, err := app.Test(req, fiberTestTimeout)
Expand All @@ -75,6 +76,7 @@
app.Get("/api/dashboards/:id/cards", handler.ListCards)

req, err := http.NewRequest("GET", "/api/dashboards/not-a-uuid/cards", nil)
req.Host = "localhost"
require.NoError(t, err)

resp, err := app.Test(req, fiberTestTimeout)
Expand All @@ -90,6 +92,7 @@
// MockStore.GetDashboard returns nil — triggers "Access denied" (nil dashboard check)
dashID := uuid.New()
req, err := http.NewRequest("GET", "/api/dashboards/"+dashID.String()+"/cards", nil)
req.Host = "localhost"
require.NoError(t, err)

resp, err := app.Test(req, fiberTestTimeout)
Expand All @@ -106,6 +109,7 @@

body := `{"card_type":"cluster_health","position":{"x":0,"y":0,"w":4,"h":3}}`
req, err := http.NewRequest("POST", "/api/dashboards/bad-id/cards", strings.NewReader(body))
req.Host = "localhost"
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")

Expand All @@ -123,6 +127,7 @@

body := `{"position":{"x":1,"y":1,"w":4,"h":3}}`
req, err := http.NewRequest("PUT", "/api/cards/bad-id", strings.NewReader(body))
req.Host = "localhost"
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")

Expand All @@ -142,6 +147,7 @@

body := `{"position":{"x":1,"y":1,"w":4,"h":3}}`
req, err := http.NewRequest("PUT", "/api/cards/"+cardID.String(), strings.NewReader(body))
req.Host = "localhost"
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")

Expand All @@ -158,6 +164,7 @@
app.Delete("/api/cards/:id", handler.DeleteCard)

req, err := http.NewRequest("DELETE", "/api/cards/bad-id", nil)
req.Host = "localhost"
require.NoError(t, err)

resp, err := app.Test(req, fiberTestTimeout)
Expand All @@ -174,6 +181,7 @@
mockStore.On("GetCard", cardID).Return(nil, nil)

req, err := http.NewRequest("DELETE", "/api/cards/"+cardID.String(), nil)
req.Host = "localhost"
require.NoError(t, err)

resp, err := app.Test(req, fiberTestTimeout)
Expand Down Expand Up @@ -238,6 +246,7 @@
app.Post("/api/cards/:id/focus", handler.RecordFocus)

req, err := http.NewRequest("POST", "/api/cards/"+cardID.String()+"/focus",
req.Host = "localhost"

strings.NewReader("{invalid json"))
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")
Expand All @@ -255,6 +264,7 @@
app.Get("/api/cards/history", handler.GetHistory)

req, err := http.NewRequest("GET", "/api/cards/history", nil)
req.Host = "localhost"
require.NoError(t, err)

resp, err := app.Test(req, fiberTestTimeout)
Expand Down Expand Up @@ -417,6 +427,7 @@

body := `{"target_dashboard_id":"` + targetDashID.String() + `"}`
req, err := http.NewRequest("POST", "/api/cards/"+cardID.String()+"/move", strings.NewReader(body))
req.Host = "localhost"
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")

Expand All @@ -435,6 +446,7 @@

body := `{"card_type":"cluster_health","position":{"x":0,"y":0,"w":4,"h":3}}`
req, err := http.NewRequest("POST", "/api/dashboards/"+dashID.String()+"/cards",
req.Host = "localhost"

strings.NewReader(body))
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")
Expand All @@ -452,6 +464,7 @@

body := `{"position":{"x":1,"y":1,"w":4,"h":3}}`
req, err := http.NewRequest("PUT", "/api/cards/"+cardID.String(), strings.NewReader(body))
req.Host = "localhost"
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")

Expand All @@ -467,6 +480,7 @@
app, _, _ := newCardMutationApp(t, models.UserRoleViewer, dashID, cardID)

req, err := http.NewRequest("DELETE", "/api/cards/"+cardID.String(), nil)
req.Host = "localhost"
require.NoError(t, err)

resp, err := app.Test(req, fiberTestTimeout)
Expand All @@ -483,6 +497,7 @@

body := `{"card_type":"cluster_health","config":{"cluster":"prod"},"position":{"x":0,"y":0,"w":4,"h":3}}`
req, err := http.NewRequest("POST", "/api/dashboards/"+dashID.String()+"/cards",
req.Host = "localhost"

strings.NewReader(body))
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")
Expand All @@ -504,6 +519,7 @@

body := `{"card_type":"pod_issues","config":{"ns":"default"},"position":{"x":1,"y":1,"w":4,"h":3}}`
req, err := http.NewRequest("PUT", "/api/cards/"+cardID.String(), strings.NewReader(body))
req.Host = "localhost"
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")

Expand All @@ -526,6 +542,7 @@

body := `{"card_type":"cluster_health","position":{"x":0,"y":0,"w":4,"h":3}}`
req, err := http.NewRequest("POST", "/api/dashboards/"+dashID.String()+"/cards",
req.Host = "localhost"

strings.NewReader(body))
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")
Expand All @@ -545,6 +562,7 @@

body := `{"card_type":"not_a_real_card","position":{"x":0,"y":0,"w":4,"h":3}}`
req, err := http.NewRequest("POST", "/api/dashboards/"+dashID.String()+"/cards",
req.Host = "localhost"

strings.NewReader(body))
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")
Expand All @@ -562,6 +580,7 @@

body := `{"card_type":"not_a_real_card"}`
req, err := http.NewRequest("PUT", "/api/cards/"+cardID.String(), strings.NewReader(body))
req.Host = "localhost"
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")

Expand Down Expand Up @@ -613,6 +632,7 @@

body := `{"card_type":"cluster_health","position":{"x":0,"y":0,"w":4,"h":3}}`
req, err := http.NewRequest("POST", "/api/dashboards/"+dashID.String()+"/cards",
req.Host = "localhost"
strings.NewReader(body))
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")
Expand Down
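Review bot: Six of the insertions land inside a multi-line `http.NewRequest(` call (the `"/api/cards/"+cardID.String()+"/focus",` site and the five `"/api/dashboards/"+dashID.String()+"/cards",` sites), producing the `missing ',' before newline in argument list` and `expected '==', found '='` failures CI reports at lines 249, 449, 500, 545 and 565, and the last hunk has the same shape without a reported check; in each case `req.Host = "localhost"` must move below the `strings.NewReader(body))` (or `strings.NewReader("{invalid json"))`) line and after `require.NoError(t, err)`. The single-line `NewRequest` hunks also assign `req.Host` before `require.NoError(t, err)`, so a constructor error would panic on a nil request; place the assignment after the check throughout. The fix is one moved line per site, so no rewrite is needed, but the file will not compile until every one of them is done. Most enclosing test functions start or end outside their hunks.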