roof
d5018c2b34
Sprint 1 — Security & correctness:
- Restore all 10 commented-out is_local_request() checks (vault, containers, images, volumes)
- Fix XFF spoofing: only trust the LAST X-Forwarded-For entry (Caddy's append), not all
- Require prefix length in wireguard.address (was accepting bare IPs like 10.0.0.1)
- Validate service_access list in add_peer (valid: calendar/files/mail/webdav)
- Fix dhcp/reservations POST/DELETE: unpack mac/ip/hostname from body (was passing dict as positional arg)
- Fix network/test POST: remove spurious data arg (test_connectivity takes no args)
- Fix remove_peer: clear iptables rules and regenerate DNS ACLs on deletion (was leaving stale rules)
- Fix CoreDNS reload: SIGHUP → SIGUSR1 (SIGHUP kills the process; SIGUSR1 triggers reload plugin)
- Remove local.{domain} block from Corefile template (local.zone doesn't exist, caused log spam)
- Fix routing_manager._remove_nat_rule: targeted -D instead of flushing entire POSTROUTING chain
Sprint 2 — State consistency:
- Atomic config writes in config_manager, ip_utils, firewall_manager, network_manager
(write to .tmp → fsync → os.replace, prevents truncated files on kill)
- backup_config: now also backs up Caddyfile, Corefile, .env, DNS zone files
- restore_config: restores all of the above so config stays consistent after restore
Sprint 3 — Dead code / documentation:
- Remove CellManager instantiation from app startup (was never called, double-instantiated all managers)
- Document routing_manager scope (targets host, not cell-wireguard; methods not called by any active route)
Sprint 4 — Test infrastructure:
- Add tests/conftest.py with shared tmp_dir, tmp_config_dir, tmp_data_dir, flask_client fixtures
- Add tests/test_config_validation.py: 400 paths for ip_range, port, wireguard.address validation
- Add tests/test_ip_utils_caddyfile.py: 14 tests for write_caddyfile (was completely untested)
- Expand test_app_misc.py: 7 new is_local_request tests covering XFF spoofing and cell-network IPs
- Add --cov-fail-under=70 to make test-coverage
- Add pre-commit hook that runs pytest before every commit
414 tests pass (was 372).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
103 lines
3.5 KiB
Python
103 lines
3.5 KiB
Python
"""
|
|
Tests for ip_utils.write_caddyfile — this function is called on every
|
|
ip_range / domain / cell_name change and was previously untested.
|
|
"""
|
|
import os
|
|
import sys
|
|
import tempfile
|
|
import unittest
|
|
|
|
sys.path.insert(0, os.path.join(os.path.dirname(__file__), '..', 'api'))
|
|
|
|
from ip_utils import write_caddyfile, get_service_ips
|
|
|
|
|
|
class TestWriteCaddyfile(unittest.TestCase):
|
|
|
|
def setUp(self):
|
|
self.tmp = tempfile.mkdtemp()
|
|
self.path = os.path.join(self.tmp, 'caddy', 'Caddyfile')
|
|
|
|
def _write(self, ip_range='172.20.0.0/16', cell_name='mycell', domain='cell'):
|
|
ok = write_caddyfile(ip_range, cell_name, domain, self.path)
|
|
self.assertTrue(ok, "write_caddyfile returned False")
|
|
with open(self.path) as f:
|
|
return f.read()
|
|
|
|
def test_creates_file_in_subdirectory(self):
|
|
self._write()
|
|
self.assertTrue(os.path.isfile(self.path))
|
|
|
|
def test_cell_domain_vhost_present(self):
|
|
content = self._write(cell_name='mycell', domain='cell')
|
|
self.assertIn('http://mycell.cell', content)
|
|
|
|
def test_custom_domain_used(self):
|
|
content = self._write(cell_name='pic0', domain='dev')
|
|
self.assertIn('http://pic0.dev', content)
|
|
self.assertNotIn('mycell', content)
|
|
self.assertNotIn('.cell', content)
|
|
|
|
def test_service_subdomains_use_domain(self):
|
|
content = self._write(domain='mynet')
|
|
self.assertIn('http://calendar.mynet', content)
|
|
self.assertIn('http://files.mynet', content)
|
|
self.assertIn('http://mail.mynet', content)
|
|
self.assertIn('http://webdav.mynet', content)
|
|
|
|
def test_virtual_ips_match_ip_range(self):
|
|
ip_range = '10.0.0.0/16'
|
|
content = self._write(ip_range=ip_range)
|
|
ips = get_service_ips(ip_range)
|
|
self.assertIn(ips['vip_calendar'], content)
|
|
self.assertIn(ips['vip_files'], content)
|
|
self.assertIn(ips['vip_mail'], content)
|
|
self.assertIn(ips['vip_webdav'], content)
|
|
|
|
def test_reverse_proxy_targets_are_internal_ports(self):
|
|
content = self._write()
|
|
self.assertIn('reverse_proxy cell-radicale:5232', content)
|
|
self.assertIn('reverse_proxy cell-filegator:8080', content)
|
|
self.assertIn('reverse_proxy cell-rainloop:8888', content)
|
|
self.assertIn('reverse_proxy cell-webdav:80', content)
|
|
|
|
def test_api_proxy_present(self):
|
|
content = self._write()
|
|
self.assertIn('reverse_proxy cell-api:3000', content)
|
|
|
|
def test_overwrite_on_second_call(self):
|
|
self._write(cell_name='first', domain='cell')
|
|
content = self._write(cell_name='second', domain='cell')
|
|
self.assertIn('second.cell', content)
|
|
self.assertNotIn('first.cell', content)
|
|
|
|
def test_different_ip_ranges_produce_different_vips(self):
|
|
c1 = self._write(ip_range='10.0.0.0/16')
|
|
os.remove(self.path)
|
|
c2 = self._write(ip_range='192.168.1.0/24')
|
|
self.assertNotEqual(c1, c2)
|
|
|
|
def test_auto_https_off(self):
|
|
content = self._write()
|
|
self.assertIn('auto_https off', content)
|
|
|
|
def test_catchall_block_present(self):
|
|
content = self._write()
|
|
self.assertIn(':80 {', content)
|
|
|
|
def test_invalid_ip_range_returns_false(self):
|
|
result = write_caddyfile('not-a-cidr', 'cell', 'cell', self.path)
|
|
self.assertFalse(result)
|
|
|
|
def test_file_is_not_empty(self):
|
|
self._write()
|
|
self.assertGreater(os.path.getsize(self.path), 100)
|
|
|
|
def tearDown(self):
|
|
import shutil
|
|
shutil.rmtree(self.tmp, ignore_errors=True)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
unittest.main()
|