fix: architecture audit — security, atomicity, broken endpoints, test coverage

Sprint 1 — Security & correctness: - Restore all 10 commented-out is_local_request() checks (vault, containers, images, volumes) - Fix XFF spoofing: only trust the LAST X-Forwarded-For entry (Caddy's append), not all - Require prefix length in wireguard.address (was accepting bare IPs like 10.0.0.1) - Validate service_access list in add_peer (valid: calendar/files/mail/webdav) - Fix dhcp/reservations POST/DELETE: unpack mac/ip/hostname from body (was passing dict as positional arg) - Fix network/test POST: remove spurious data arg (test_connectivity takes no args) - Fix remove_peer: clear iptables rules and regenerate DNS ACLs on deletion (was leaving stale rules) - Fix CoreDNS reload: SIGHUP → SIGUSR1 (SIGHUP kills the process; SIGUSR1 triggers reload plugin) - Remove local.{domain} block from Corefile template (local.zone doesn't exist, caused log spam) - Fix routing_manager._remove_nat_rule: targeted -D instead of flushing entire POSTROUTING chain Sprint 2 — State consistency: - Atomic config writes in config_manager, ip_utils, firewall_manager, network_manager (write to .tmp → fsync → os.replace, prevents truncated files on kill) - backup_config: now also backs up Caddyfile, Corefile, .env, DNS zone files - restore_config: restores all of the above so config stays consistent after restore Sprint 3 — Dead code / documentation: - Remove CellManager instantiation from app startup (was never called, double-instantiated all managers) - Document routing_manager scope (targets host, not cell-wireguard; methods not called by any active route) Sprint 4 — Test infrastructure: - Add tests/conftest.py with shared tmp_dir, tmp_config_dir, tmp_data_dir, flask_client fixtures - Add tests/test_config_validation.py: 400 paths for ip_range, port, wireguard.address validation - Add tests/test_ip_utils_caddyfile.py: 14 tests for write_caddyfile (was completely untested) - Expand test_app_misc.py: 7 new is_local_request tests covering XFF spoofing and cell-network IPs - Add --cov-fail-under=70 to make test-coverage - Add pre-commit hook that runs pytest before every commit 414 tests pass (was 372). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-24 03:27:52 -04:00
parent 55bec04603
commit d5018c2b34
13 changed files with 801 additions and 633 deletions
@@ -45,7 +45,6 @@ class TestAppMisc(unittest.TestCase):
            patch.object(app_module, 'calendar_manager', MagicMock()),
            patch.object(app_module, 'file_manager', MagicMock()),
            patch.object(app_module, 'routing_manager', MagicMock()),
-            patch.object(app_module, 'cell_manager', MagicMock()),
            patch.object(app_module, 'container_manager', MagicMock()),
        ]
        for p in self.patches:
@@ -97,18 +96,46 @@ class TestAppMisc(unittest.TestCase):
            self.assertEqual(ctx['path'], '/test')
            self.assertEqual(ctx['user'], 'user1')

-    def test_is_local_request(self):
-        class DummyRequest:
-            remote_addr = '127.0.0.1'
-            headers = {}
-        with patch('app.request', new=DummyRequest()):
+    def _req(self, remote_addr, xff=''):
+        class R:
+            pass
+        r = R()
+        r.remote_addr = remote_addr
+        r.headers = {'X-Forwarded-For': xff} if xff else {}
+        return r
+
+    def test_is_local_request_loopback(self):
+        with patch('app.request', new=self._req('127.0.0.1')):
            self.assertTrue(app_module.is_local_request())
-        class DummyRequest2:
-            remote_addr = '8.8.8.8'
-            headers = {}
-        with patch('app.request', new=DummyRequest2()):
+
+    def test_is_local_request_public_ip(self):
+        with patch('app.request', new=self._req('8.8.8.8')):
            self.assertFalse(app_module.is_local_request())

+    def test_is_local_request_private_ip(self):
+        with patch('app.request', new=self._req('192.168.1.5')):
+            self.assertTrue(app_module.is_local_request())
+
+    def test_is_local_request_xff_spoof_rejected(self):
+        # Client sends X-Forwarded-For: 127.0.0.1 but actual IP is public
+        # Old code would trust the first XFF entry — fixed to trust only last
+        with patch('app.request', new=self._req('8.8.8.8', xff='127.0.0.1, 8.8.8.8')):
+            self.assertFalse(app_module.is_local_request())
+
+    def test_is_local_request_xff_last_entry_local(self):
+        # Caddy appends the real client IP; last entry is local → allow
+        with patch('app.request', new=self._req('8.8.8.8', xff='8.8.8.8, 192.168.1.10')):
+            self.assertTrue(app_module.is_local_request())
+
+    def test_is_local_request_xff_single_public_rejected(self):
+        with patch('app.request', new=self._req('8.8.8.8', xff='1.2.3.4')):
+            self.assertFalse(app_module.is_local_request())
+
+    def test_is_local_request_cell_network_ip(self):
+        # 172.20.0.10 is the API container's IP — should be allowed
+        with patch('app.request', new=self._req('172.20.0.10')):
+            self.assertTrue(app_module.is_local_request())
+
    def test_health_check_exception(self):
        # Patch datetime to raise exception
        with patch('app.datetime') as mock_dt, app_module.app.app_context():