roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

Browse Source 
P0 — Broken functionality:
- Fix 12+ endpoints with wrong manager method signatures (email/calendar/file/routing)
- Fix email_manager.delete_email_user() missing domain arg
- Fix cell-link DNS forwarding wiped on every peer change (generate_corefile now
  accepts cell_links param; add/remove_cell_dns_forward no longer clobber the file)
- Fix Flask SECRET_KEY regenerating on every restart (persisted to DATA_DIR)
- Fix _next_peer_ip exhaustion returning 500 instead of 409
- Fix ConfigManager Caddyfile path (/app/config-caddy/)
- Fix UI double-add and wrong-key peer bugs in Peers.jsx / WireGuard.jsx
- Remove hardcoded credentials from Dashboard.jsx

P1 — Security:
- CSRF token validation on all POST/PUT/DELETE/PATCH to /api/* (double-submit pattern)
- enforce_auth: 503 only when users file readable but empty; never bypass on IOError
- WireGuard add_cell_peer: validate pubkey, name, endpoint against strict regexes
- DNS add_cell_dns_forward: validate IP and domain; reject injection chars
- DNS zone write: realpath containment + record content validation
- iptables comment /32 suffix prevents substring match deleting wrong peer rules
- is_local_request() trusts only loopback + 172.16.0.0/12 (Docker bridge)
- POST /api/containers: volume allow-list prevents arbitrary host mounts
- file_manager: bcrypt ($2b→$2y) for WebDAV; realpath containment in delete_user
- email/calendar: stop persisting plaintext passwords in user records
- routing_manager: validate IPs, networks, and interface names
- peer_registry: write peers.json at mode 0o600
- vault_manager: Fernet key file at mode 0o600
- CORS: lock down to explicit origin list
- domain/cell_name validation: reject newline, brace, semicolon injection chars

P2 — Architecture:
- Peer add: rollback registry entry if firewall rules fail post-add
- restart_service(): base class now calls _restart_container(); email and calendar
  managers call cell-mail / cell-radicale respectively
- email/calendar managers sync user list (no passwords) to cell_config.json
- Pending-restart flag cleared only after helper subprocess exits with code 0
- docker-compose.yml: add config-caddy volume to API container

P3 — Tests (854 → 1020):
- Fill test_email_endpoints.py, test_calendar_endpoints.py,
  test_network_endpoints.py, test_routing_endpoints.py
- New: test_peer_management_update.py, test_peer_management_edge_cases.py,
  test_input_validation.py, test_enforce_auth_configured.py,
  test_cell_link_dns.py, test_logs_endpoints.py, test_cells_endpoints.py,
  test_is_local_request_per_endpoint.py, test_caddy_routing.py
- E2E conftest: skip WireGuard suite when wg-quick absent
- Update existing tests to match fixed signatures and comment formats

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-04-27 11:30:21 -04:00
parent 0c12e3fc97
commit a43f9fbf0d
47 changed files with 4578 additions and 579 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/test_cell_link_dns.py
+240
View File
@@ -0,0 +1,240 @@
#!/usr/bin/env python3
"""
Tests for cell-to-cell DNS forwarding integration.
Covers:
- generate_corefile() with cell_links entries
- apply_all_dns_rules() passing cell_links through to generate_corefile()
- Correct domain/dns_ip values in the emitted forwarding stanza
- Validation: invalid characters in domain are rejected by add_cell_dns_forward()
"""
import sys
import os
import tempfile
import shutil
import unittest
from unittest.mock import patch, MagicMock, call
from pathlib import Path
api_dir = Path(__file__).parent.parent / 'api'
sys.path.insert(0, str(api_dir))
import firewall_manager
# ---------------------------------------------------------------------------
# generate_corefile() with cell_links
# ---------------------------------------------------------------------------
class TestGenerateCorefileOneLink(unittest.TestCase):
"""generate_corefile() with a single cell link produces the right stanza."""
def setUp(self):
self.tmp = tempfile.mkdtemp()
self.path = os.path.join(self.tmp, 'Corefile')
def tearDown(self):
shutil.rmtree(self.tmp)
def _read(self):
return open(self.path).read()
def test_forwarding_block_present(self):
cell_links = [{'domain': 'remote.cell', 'dns_ip': '10.5.0.1'}]
firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
content = self._read()
self.assertIn('remote.cell {', content)
def test_correct_dns_ip_in_forward_directive(self):
cell_links = [{'domain': 'remote.cell', 'dns_ip': '10.5.0.1'}]
firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
content = self._read()
self.assertIn('forward . 10.5.0.1', content)
def test_cache_directive_present_in_forwarding_block(self):
cell_links = [{'domain': 'remote.cell', 'dns_ip': '10.5.0.1'}]
firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
content = self._read()
# 'cache' must appear in the forwarding block (after the primary zone block)
idx_primary = content.index('remote.cell {')
self.assertIn('cache', content[idx_primary:])
def test_log_directive_present_in_forwarding_block(self):
cell_links = [{'domain': 'remote.cell', 'dns_ip': '10.5.0.1'}]
firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
content = self._read()
idx_primary = content.index('remote.cell {')
self.assertIn('log', content[idx_primary:])
def test_forwarding_block_appears_after_primary_zone(self):
"""The cell link stanza must appear after the primary zone block, not inside it."""
cell_links = [{'domain': 'remote.cell', 'dns_ip': '10.5.0.1'}]
firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
content = self._read()
# Primary zone ends with its closing brace; remote.cell block follows
idx_primary_zone = content.index('cell {')
idx_forward_block = content.index('remote.cell {')
self.assertGreater(idx_forward_block, idx_primary_zone)
class TestGenerateCorefileMultipleLinks(unittest.TestCase):
"""generate_corefile() with multiple cell links produces one stanza each."""
def setUp(self):
self.tmp = tempfile.mkdtemp()
self.path = os.path.join(self.tmp, 'Corefile')
def tearDown(self):
shutil.rmtree(self.tmp)
def _read(self):
return open(self.path).read()
def test_all_domains_present(self):
cell_links = [
{'domain': 'alpha.cell', 'dns_ip': '10.1.0.1'},
{'domain': 'beta.cell', 'dns_ip': '10.2.0.1'},
{'domain': 'gamma.cell', 'dns_ip': '10.3.0.1'},
]
firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
content = self._read()
self.assertIn('alpha.cell {', content)
self.assertIn('beta.cell {', content)
self.assertIn('gamma.cell {', content)
def test_all_dns_ips_present(self):
cell_links = [
{'domain': 'alpha.cell', 'dns_ip': '10.1.0.1'},
{'domain': 'beta.cell', 'dns_ip': '10.2.0.1'},
]
firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
content = self._read()
self.assertIn('forward . 10.1.0.1', content)
self.assertIn('forward . 10.2.0.1', content)
def test_stanza_count_matches_link_count(self):
"""Each valid link contributes exactly one forwarding stanza."""
cell_links = [
{'domain': 'a.cell', 'dns_ip': '10.1.0.1'},
{'domain': 'b.cell', 'dns_ip': '10.2.0.1'},
]
firewall_manager.generate_corefile([], self.path, cell_links=cell_links)
content = self._read()
# Count occurrences of 'forward .' — one for default, one per cell link
count = content.count('forward .')
self.assertEqual(count, 3) # 1 default + 2 cell links
# ---------------------------------------------------------------------------
# apply_all_dns_rules() passes cell_links through to generate_corefile()
# ---------------------------------------------------------------------------
class TestApplyAllDnsRulesPassesCellLinks(unittest.TestCase):
"""apply_all_dns_rules() must forward the cell_links argument to generate_corefile()."""
def test_cell_links_forwarded(self):
cell_links = [{'domain': 'x.cell', 'dns_ip': '10.9.0.1'}]
with patch.object(firewall_manager, 'generate_corefile', return_value=True) as mock_gen, \
patch.object(firewall_manager, 'reload_coredns', return_value=True):
firewall_manager.apply_all_dns_rules(
peers=[],
corefile_path='/tmp/fake_Corefile',
domain='cell',
cell_links=cell_links,
)
mock_gen.assert_called_once_with(
[], '/tmp/fake_Corefile', 'cell', cell_links
)
def test_cell_links_none_forwarded_as_none(self):
with patch.object(firewall_manager, 'generate_corefile', return_value=True) as mock_gen, \
patch.object(firewall_manager, 'reload_coredns', return_value=True):
firewall_manager.apply_all_dns_rules(
peers=[],
corefile_path='/tmp/fake_Corefile',
domain='cell',
cell_links=None,
)
mock_gen.assert_called_once_with([], '/tmp/fake_Corefile', 'cell', None)
def test_reload_called_on_success(self):
with patch.object(firewall_manager, 'generate_corefile', return_value=True), \
patch.object(firewall_manager, 'reload_coredns', return_value=True) as mock_reload:
firewall_manager.apply_all_dns_rules([], '/tmp/f', cell_links=None)
mock_reload.assert_called_once()
def test_reload_not_called_on_failure(self):
with patch.object(firewall_manager, 'generate_corefile', return_value=False), \
patch.object(firewall_manager, 'reload_coredns') as mock_reload:
firewall_manager.apply_all_dns_rules([], '/tmp/f', cell_links=None)
mock_reload.assert_not_called()
# ---------------------------------------------------------------------------
# Domain validation in add_cell_dns_forward() (via network_manager)
# ---------------------------------------------------------------------------
class TestAddCellDnsForwardValidation(unittest.TestCase):
"""
add_cell_dns_forward() must reject malformed domains/IPs without writing
the Corefile or calling apply_all_dns_rules().
"""
def _get_network_manager(self, tmp_dir):
"""Construct a minimal NetworkManager with test directories."""
# We import here so the test file doesn't hard-fail if network_manager
# has an import-time dependency that's unavailable in CI.
try:
from network_manager import NetworkManager
except ImportError as e:
self.skipTest(f'NetworkManager import failed: {e}')
os.makedirs(os.path.join(tmp_dir, 'dns'), exist_ok=True)
return NetworkManager(data_dir=tmp_dir, config_dir=tmp_dir)
def setUp(self):
self.tmp = tempfile.mkdtemp()
def tearDown(self):
shutil.rmtree(self.tmp)
def test_invalid_dns_ip_returns_warning(self):
nm = self._get_network_manager(self.tmp)
result = nm.add_cell_dns_forward('valid.cell', 'not-an-ip')
self.assertTrue(result['warnings'])
self.assertFalse(result['restarted'])
def test_domain_with_newline_returns_warning(self):
nm = self._get_network_manager(self.tmp)
result = nm.add_cell_dns_forward('evil\ndomain', '10.1.0.1')
self.assertTrue(result['warnings'])
self.assertFalse(result['restarted'])
def test_domain_with_braces_returns_warning(self):
nm = self._get_network_manager(self.tmp)
result = nm.add_cell_dns_forward('evil{domain}', '10.1.0.1')
self.assertTrue(result['warnings'])
self.assertFalse(result['restarted'])
def test_domain_with_space_returns_warning(self):
nm = self._get_network_manager(self.tmp)
result = nm.add_cell_dns_forward('evil domain', '10.1.0.1')
self.assertTrue(result['warnings'])
self.assertFalse(result['restarted'])
def test_valid_domain_and_ip_calls_apply_all_dns_rules(self):
"""Valid inputs must call firewall_manager.apply_all_dns_rules()."""
nm = self._get_network_manager(self.tmp)
with patch.object(firewall_manager, 'apply_all_dns_rules', return_value=True) as mock_apply, \
patch.object(firewall_manager, 'reload_coredns', return_value=True):
result = nm.add_cell_dns_forward('valid.cell', '10.1.0.1')
mock_apply.assert_called_once()
call_kwargs = mock_apply.call_args
# cell_links kwarg must include the new entry
cell_links_arg = call_kwargs[1].get('cell_links') or call_kwargs[0][3]
domains = [l['domain'] for l in cell_links_arg]
self.assertIn('valid.cell', domains)
if __name__ == '__main__':
unittest.main()