Hartmut
bfdf0a82da
Tests, CSP nonce middleware, SSRF guard, perf-route hardening, Docker env isolation, migration runbook, RBAC E2E coverage. Tickets resolved: - #19: MfaSetup.test.ts — static source tests confirming local QR rendering - #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix - #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed - #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests); layout.tsx async + nonce prop; CSP removed from next.config.ts - #23: Active-session registry enforcement verified (already in codebase) - #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution) - #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created - #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures) Quality gates: tsc clean, api 1447/1447, web 189/189 passing. Turbo concurrency capped at 2 (package.json) to prevent OOM under parallel test runs. Co-Authored-By: claude-flow <ruv@ruv.net>
213 lines
5.9 KiB
TypeScript
213 lines
5.9 KiB
TypeScript
import { beforeEach, describe, expect, it, vi } from "vitest";
|
|
import { createAuditEntry } from "../lib/audit.js";
|
|
import {
|
|
createWebhook,
|
|
deleteWebhook,
|
|
getWebhookById,
|
|
listWebhooks,
|
|
testWebhook,
|
|
updateWebhook,
|
|
} from "../router/webhook-procedure-support.js";
|
|
import * as webhookSupport from "../router/webhook-support.js";
|
|
|
|
vi.mock("../lib/audit.js", () => ({
|
|
createAuditEntry: vi.fn(),
|
|
}));
|
|
|
|
// Mock the SSRF guard so tests do not perform real DNS lookups.
|
|
// The guard's security behaviour is covered separately in ssrf-guard.test.ts.
|
|
vi.mock("../lib/ssrf-guard.js", () => ({
|
|
assertWebhookUrlAllowed: vi.fn().mockResolvedValue(undefined),
|
|
}));
|
|
|
|
function createContext(db: Record<string, unknown>) {
|
|
return {
|
|
db: db as never,
|
|
dbUser: { id: "user_admin" },
|
|
};
|
|
}
|
|
|
|
describe("webhook-procedure-support", () => {
|
|
beforeEach(() => {
|
|
vi.clearAllMocks();
|
|
});
|
|
|
|
it("lists webhooks ordered by creation date descending", async () => {
|
|
const findMany = vi.fn().mockResolvedValue([{ id: "wh_1" }]);
|
|
const ctx = createContext({
|
|
webhook: { findMany },
|
|
});
|
|
|
|
const result = await listWebhooks(ctx);
|
|
|
|
expect(result).toEqual([{ id: "wh_1" }]);
|
|
expect(findMany).toHaveBeenCalledWith({
|
|
orderBy: { createdAt: "desc" },
|
|
});
|
|
});
|
|
|
|
it("loads a webhook by id", async () => {
|
|
const findUnique = vi.fn().mockResolvedValue({ id: "wh_1", name: "Primary" });
|
|
const ctx = createContext({
|
|
webhook: { findUnique },
|
|
});
|
|
|
|
const result = await getWebhookById(ctx, { id: "wh_1" });
|
|
|
|
expect(result).toEqual({ id: "wh_1", name: "Primary" });
|
|
expect(findUnique).toHaveBeenCalledWith({ where: { id: "wh_1" } });
|
|
});
|
|
|
|
it("creates a webhook and records an audit entry", async () => {
|
|
const created = {
|
|
id: "wh_2",
|
|
name: "Primary",
|
|
url: "https://example.com/webhook",
|
|
events: ["project.created"],
|
|
isActive: true,
|
|
};
|
|
const create = vi.fn().mockResolvedValue(created);
|
|
const ctx = createContext({
|
|
webhook: { create },
|
|
});
|
|
|
|
const result = await createWebhook(ctx, {
|
|
name: "Primary",
|
|
url: "https://example.com/webhook",
|
|
events: ["project.created"],
|
|
isActive: true,
|
|
});
|
|
|
|
expect(result).toBe(created);
|
|
expect(create).toHaveBeenCalledWith({
|
|
data: {
|
|
name: "Primary",
|
|
url: "https://example.com/webhook",
|
|
events: ["project.created"],
|
|
isActive: true,
|
|
},
|
|
});
|
|
expect(createAuditEntry).toHaveBeenCalledWith(expect.objectContaining({
|
|
db: ctx.db,
|
|
entityType: "Webhook",
|
|
entityId: "wh_2",
|
|
entityName: "Primary",
|
|
action: "CREATE",
|
|
userId: "user_admin",
|
|
after: created,
|
|
source: "ui",
|
|
}));
|
|
});
|
|
|
|
it("updates a webhook and records before/after audit snapshots", async () => {
|
|
const before = {
|
|
id: "wh_3",
|
|
name: "Primary",
|
|
url: "https://old.example.com/webhook",
|
|
};
|
|
const after = {
|
|
id: "wh_3",
|
|
name: "Primary",
|
|
url: "https://new.example.com/webhook",
|
|
};
|
|
const findUnique = vi.fn().mockResolvedValue(before);
|
|
const update = vi.fn().mockResolvedValue(after);
|
|
const ctx = createContext({
|
|
webhook: { findUnique, update },
|
|
});
|
|
|
|
const result = await updateWebhook(ctx, {
|
|
id: "wh_3",
|
|
data: { url: "https://new.example.com/webhook" },
|
|
});
|
|
|
|
expect(result).toBe(after);
|
|
expect(findUnique).toHaveBeenCalledWith({ where: { id: "wh_3" } });
|
|
expect(update).toHaveBeenCalledWith({
|
|
where: { id: "wh_3" },
|
|
data: {
|
|
url: "https://new.example.com/webhook",
|
|
},
|
|
});
|
|
expect(createAuditEntry).toHaveBeenCalledWith(expect.objectContaining({
|
|
db: ctx.db,
|
|
entityType: "Webhook",
|
|
entityId: "wh_3",
|
|
entityName: "Primary",
|
|
action: "UPDATE",
|
|
userId: "user_admin",
|
|
before,
|
|
after,
|
|
source: "ui",
|
|
}));
|
|
});
|
|
|
|
it("deletes a webhook and records a delete audit entry", async () => {
|
|
const existing = { id: "wh_4", name: "Legacy Webhook" };
|
|
const findUnique = vi.fn().mockResolvedValue(existing);
|
|
const deleteFn = vi.fn().mockResolvedValue(existing);
|
|
const ctx = createContext({
|
|
webhook: { findUnique, delete: deleteFn },
|
|
});
|
|
|
|
await expect(deleteWebhook(ctx, { id: "wh_4" })).resolves.toBeUndefined();
|
|
|
|
expect(findUnique).toHaveBeenCalledWith({ where: { id: "wh_4" } });
|
|
expect(deleteFn).toHaveBeenCalledWith({ where: { id: "wh_4" } });
|
|
expect(createAuditEntry).toHaveBeenCalledWith(expect.objectContaining({
|
|
db: ctx.db,
|
|
entityType: "Webhook",
|
|
entityId: "wh_4",
|
|
entityName: "Legacy Webhook",
|
|
action: "DELETE",
|
|
userId: "user_admin",
|
|
before: existing,
|
|
source: "ui",
|
|
}));
|
|
});
|
|
|
|
it("tests a webhook delivery and records the result", async () => {
|
|
const existing = {
|
|
id: "wh_5",
|
|
name: "Primary",
|
|
url: "https://example.com/webhook",
|
|
secret: null,
|
|
};
|
|
const findUnique = vi.fn().mockResolvedValue(existing);
|
|
const sendWebhookTestRequestSpy = vi
|
|
.spyOn(webhookSupport, "sendWebhookTestRequest")
|
|
.mockResolvedValue({
|
|
success: true,
|
|
statusCode: 202,
|
|
statusText: "Accepted",
|
|
});
|
|
const ctx = createContext({
|
|
webhook: { findUnique },
|
|
});
|
|
|
|
const result = await testWebhook(ctx, { id: "wh_5" });
|
|
|
|
expect(result).toEqual({
|
|
success: true,
|
|
statusCode: 202,
|
|
statusText: "Accepted",
|
|
});
|
|
expect(sendWebhookTestRequestSpy).toHaveBeenCalledWith(existing);
|
|
expect(createAuditEntry).toHaveBeenCalledWith(expect.objectContaining({
|
|
db: ctx.db,
|
|
entityType: "Webhook",
|
|
entityId: "wh_5",
|
|
entityName: "Primary",
|
|
action: "UPDATE",
|
|
userId: "user_admin",
|
|
summary: "Tested webhook (result: success)",
|
|
metadata: {
|
|
success: true,
|
|
statusCode: 202,
|
|
statusText: "Accepted",
|
|
},
|
|
source: "ui",
|
|
}));
|
|
});
|
|
});
|