roof
d5018c2b34
Sprint 1 — Security & correctness:
- Restore all 10 commented-out is_local_request() checks (vault, containers, images, volumes)
- Fix XFF spoofing: only trust the LAST X-Forwarded-For entry (Caddy's append), not all
- Require prefix length in wireguard.address (was accepting bare IPs like 10.0.0.1)
- Validate service_access list in add_peer (valid: calendar/files/mail/webdav)
- Fix dhcp/reservations POST/DELETE: unpack mac/ip/hostname from body (was passing dict as positional arg)
- Fix network/test POST: remove spurious data arg (test_connectivity takes no args)
- Fix remove_peer: clear iptables rules and regenerate DNS ACLs on deletion (was leaving stale rules)
- Fix CoreDNS reload: SIGHUP → SIGUSR1 (SIGHUP kills the process; SIGUSR1 triggers reload plugin)
- Remove local.{domain} block from Corefile template (local.zone doesn't exist, caused log spam)
- Fix routing_manager._remove_nat_rule: targeted -D instead of flushing entire POSTROUTING chain
Sprint 2 — State consistency:
- Atomic config writes in config_manager, ip_utils, firewall_manager, network_manager
(write to .tmp → fsync → os.replace, prevents truncated files on kill)
- backup_config: now also backs up Caddyfile, Corefile, .env, DNS zone files
- restore_config: restores all of the above so config stays consistent after restore
Sprint 3 — Dead code / documentation:
- Remove CellManager instantiation from app startup (was never called, double-instantiated all managers)
- Document routing_manager scope (targets host, not cell-wireguard; methods not called by any active route)
Sprint 4 — Test infrastructure:
- Add tests/conftest.py with shared tmp_dir, tmp_config_dir, tmp_data_dir, flask_client fixtures
- Add tests/test_config_validation.py: 400 paths for ip_range, port, wireguard.address validation
- Add tests/test_ip_utils_caddyfile.py: 14 tests for write_caddyfile (was completely untested)
- Expand test_app_misc.py: 7 new is_local_request tests covering XFF spoofing and cell-network IPs
- Add --cov-fail-under=70 to make test-coverage
- Add pre-commit hook that runs pytest before every commit
414 tests pass (was 372).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
46 lines
1.2 KiB
Python
46 lines
1.2 KiB
Python
"""
|
|
Shared pytest fixtures for the PIC test suite.
|
|
"""
|
|
import os
|
|
import sys
|
|
import json
|
|
import tempfile
|
|
import shutil
|
|
import pytest
|
|
|
|
# Ensure api/ is on the path for all tests
|
|
sys.path.insert(0, os.path.join(os.path.dirname(__file__), '..', 'api'))
|
|
|
|
|
|
@pytest.fixture
|
|
def tmp_dir():
|
|
"""Temporary directory that is cleaned up after each test."""
|
|
d = tempfile.mkdtemp()
|
|
yield d
|
|
shutil.rmtree(d, ignore_errors=True)
|
|
|
|
|
|
@pytest.fixture
|
|
def tmp_config_dir(tmp_dir):
|
|
"""Temporary config dir with the sub-directories expected by managers."""
|
|
for sub in ('api', 'caddy', 'dns', 'dhcp', 'ntp', 'wireguard'):
|
|
os.makedirs(os.path.join(tmp_dir, sub), exist_ok=True)
|
|
return tmp_dir
|
|
|
|
|
|
@pytest.fixture
|
|
def tmp_data_dir(tmp_dir):
|
|
"""Temporary data dir with the sub-directories expected by managers."""
|
|
for sub in ('dns', 'mail', 'calendar', 'files', 'wireguard'):
|
|
os.makedirs(os.path.join(tmp_dir, sub), exist_ok=True)
|
|
return tmp_dir
|
|
|
|
|
|
@pytest.fixture
|
|
def flask_client():
|
|
"""Flask test client with TESTING mode enabled."""
|
|
from app import app
|
|
app.config['TESTING'] = True
|
|
with app.test_client() as client:
|
|
yield client
|