admin/felhom-controller
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
13c6a0929ace8038c1cc68f9621640ef86ade768
felhom-controller/controller/internal/agentapi/client_test.go
T
admin 2a0d9a1b7a slice 8A (controller half): bootstrap.json ingestion + pinned agent local-API client (v0.35.0) 
internal/bootstrap: first-run bootstrap.json ingestion (decision (c)) — seed
controller.yaml + skip setup; idempotent + fail-safe. internal/agentapi:
minimal pinned local-API client (leaf-cert SHA-256 pin, fails closed). config
LocalAPIConfig; startup /storage connectivity probe.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 09:47:54 +02:00

102 lines
3.0 KiB
Go
Raw Blame History

package agentapi
import (
"context"
"crypto/sha256"
"encoding/hex"
"net/http"
"net/http/httptest"
"strings"
"testing"
)
// storageStub serves the agent's {ok,data} envelope for GET /storage, requiring the bearer.
func storageStub(token string) http.Handler {
mux := http.NewServeMux()
mux.HandleFunc("GET /storage", func(w http.ResponseWriter, r *http.Request) {
if r.Header.Get("Authorization") != "Bearer "+token {
w.WriteHeader(http.StatusUnauthorized)
_, _ = w.Write([]byte(`{"ok":false,"error":"unauthorized"}`))
return
}
w.Header().Set("Content-Type", "application/json")
_, _ = w.Write([]byte(`{"ok":true,"data":{"vmid":8200,"mounts":[{"key":"mp0","storage":"fast","mount_point":"/var/lib/docker","class":"fast","backup":true}]}}`))
})
return mux
}
func leafPin(t *testing.T, s *httptest.Server) string {
t.Helper()
der := s.Certificate().Raw
sum := sha256.Sum256(der)
return hex.EncodeToString(sum[:])
}
// The correct pin + token reaches /storage and decodes the mounts.
func TestClient_PinnedStorageOK(t *testing.T) {
s := httptest.NewTLSServer(storageStub("TOK"))
defer s.Close()
endpoint := strings.TrimPrefix(s.URL, "https://")
c, err := New(endpoint, "TOK", leafPin(t, s))
if err != nil {
t.Fatalf("new: %v", err)
}
resp, err := c.Storage(context.Background())
if err != nil {
t.Fatalf("storage: %v", err)
}
if resp.VMID != 8200 || len(resp.Mounts) != 1 || resp.Mounts[0].Class != "fast" {
t.Fatalf("unexpected storage response: %+v", resp)
}
}
// A WRONG pin fails closed — the TLS handshake is rejected before any data flows.
func TestClient_WrongPinFailsClosed(t *testing.T) {
s := httptest.NewTLSServer(storageStub("TOK"))
defer s.Close()
endpoint := strings.TrimPrefix(s.URL, "https://")
wrong := strings.Repeat("ab", 32) // 64 hex chars, valid format, wrong value
c, err := New(endpoint, "TOK", wrong)
if err != nil {
t.Fatalf("new: %v", err)
}
if _, err := c.Storage(context.Background()); err == nil {
t.Fatal("expected a TLS pin failure, got success")
}
}
// A bad fingerprint format is rejected at construction.
func TestClient_BadFingerprintRejected(t *testing.T) {
if _, err := New("host:8443", "TOK", "not-a-fingerprint"); err == nil {
t.Fatal("expected an error for a non-SHA256 fingerprint")
}
if _, err := New("host:8443", "", strings.Repeat("a", 64)); err == nil {
t.Fatal("expected an error for an empty token")
}
}
// Colon-separated fingerprints (the agent logs them with ':') are accepted.
func TestClient_AcceptsColonFingerprint(t *testing.T) {
s := httptest.NewTLSServer(storageStub("TOK"))
defer s.Close()
endpoint := strings.TrimPrefix(s.URL, "https://")
pin := leafPin(t, s)
var colon strings.Builder
for i := 0; i < len(pin); i += 2 {
if i > 0 {
colon.WriteByte(':')
}
colon.WriteString(pin[i : i+2])
}
c, err := New(endpoint, "TOK", colon.String())
if err != nil {
t.Fatalf("new with colon fp: %v", err)
}
if _, err := c.Storage(context.Background()); err != nil {
t.Fatalf("storage with colon fp: %v", err)
}
}
Reference in New Issue View Git Blame Copy Permalink