VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/zddc/internal/config/config_test.go
ZDDC ea385b5366 Initial commit 
ZDDC — Zero Day Document Control. A file-naming convention plus five
single-file HTML tools (archive, transmittal, classifier, mdedit,
landing) and an optional Go HTTP server (zddc-server) with ACL and a
virtual archive index. Self-contained, offline-capable, dependency-free.

See README.md for an overview, AGENTS.md and ARCHITECTURE.md for the
build/release/architecture detail, bootstrap/README.md for the
two-level deployment install pattern, and zddc/README.md for the
HTTP server.
2026-04-27 11:05:47 -05:00

229 lines
5.8 KiB
Go
Raw Blame History

package config
import (
"os"
"path/filepath"
"strings"
"testing"
)
func TestIsLoopbackAddr(t *testing.T) {
cases := []struct {
addr string
want bool
}{
{"127.0.0.1:8080", true},
{"localhost:8080", true},
{"[::1]:8080", true},
{"127.0.0.5:80", true}, // any 127/8 is loopback
{"0.0.0.0:8080", false},
{":8443", false}, // bare port = all interfaces
{"10.0.0.1:80", false},
{"example.com:443", false},
{"[2001:db8::1]:80", false},
{"", false},
{"not-an-addr", false}, // SplitHostPort fails
}
for _, tc := range cases {
t.Run(tc.addr, func(t *testing.T) {
if got := isLoopbackAddr(tc.addr); got != tc.want {
t.Errorf("isLoopbackAddr(%q) = %v, want %v", tc.addr, got, tc.want)
}
})
}
}
func TestLoad(t *testing.T) {
root := t.TempDir()
// Pre-set the env so each subtest can override what it needs.
type envSet map[string]string
clearAll := func() {
for _, k := range []string{"ZDDC_ROOT", "ZDDC_ADDR", "ZDDC_TLS_CERT", "ZDDC_TLS_KEY", "ZDDC_INSECURE_DIRECT", "ZDDC_LOG_LEVEL", "ZDDC_INDEX_PATH", "ZDDC_EMAIL_HEADER", "ZDDC_CORS_ORIGIN"} {
os.Unsetenv(k)
}
}
apply := func(env envSet) {
clearAll()
for k, v := range env {
os.Setenv(k, v)
}
}
cases := []struct {
name string
env envSet
wantErr bool
errContains string
check func(*testing.T, Config)
}{
{
name: "missing root",
env: envSet{},
// ZDDC_ROOT not set
wantErr: true,
errContains: "ZDDC_ROOT",
},
{
name: "root not a directory",
env: envSet{"ZDDC_ROOT": filepath.Join(root, "does-not-exist")},
wantErr: true,
errContains: "not accessible",
},
{
name: "defaults applied with TLS self-signed",
env: envSet{"ZDDC_ROOT": root},
check: func(t *testing.T, cfg Config) {
if cfg.Addr != ":8443" {
t.Errorf("Addr = %q, want :8443", cfg.Addr)
}
if cfg.TLSMode != "selfsigned" {
t.Errorf("TLSMode = %q, want selfsigned", cfg.TLSMode)
}
if cfg.IndexPath != ".archive" {
t.Errorf("IndexPath = %q, want .archive", cfg.IndexPath)
}
if cfg.EmailHeader != "X-Email" {
t.Errorf("EmailHeader = %q, want X-Email", cfg.EmailHeader)
}
if len(cfg.CORSOrigins) != 1 || cfg.CORSOrigins[0] != "https://zddc.varasys.io" {
t.Errorf("CORSOrigins = %v, want [https://zddc.varasys.io]", cfg.CORSOrigins)
}
},
},
{
name: "CORS single origin override",
env: envSet{
"ZDDC_ROOT": root,
"ZDDC_CORS_ORIGIN": "https://tools.acme.com",
},
check: func(t *testing.T, cfg Config) {
if len(cfg.CORSOrigins) != 1 || cfg.CORSOrigins[0] != "https://tools.acme.com" {
t.Errorf("CORSOrigins = %v, want [https://tools.acme.com]", cfg.CORSOrigins)
}
},
},
{
name: "CORS multi-origin allowlist",
env: envSet{
"ZDDC_ROOT": root,
"ZDDC_CORS_ORIGIN": "https://a.example, https://b.example ,https://c.example",
},
check: func(t *testing.T, cfg Config) {
want := []string{"https://a.example", "https://b.example", "https://c.example"}
if len(cfg.CORSOrigins) != len(want) {
t.Fatalf("CORSOrigins = %v, want %v", cfg.CORSOrigins, want)
}
for i, w := range want {
if cfg.CORSOrigins[i] != w {
t.Errorf("CORSOrigins[%d] = %q, want %q", i, cfg.CORSOrigins[i], w)
}
}
},
},
{
name: "CORS disabled with empty value",
env: envSet{
"ZDDC_ROOT": root,
"ZDDC_CORS_ORIGIN": "",
},
check: func(t *testing.T, cfg Config) {
if len(cfg.CORSOrigins) != 0 {
t.Errorf("CORSOrigins = %v, want empty (CORS disabled)", cfg.CORSOrigins)
}
},
},
{
name: "TLS provided requires both cert and key",
env: envSet{
"ZDDC_ROOT": root,
"ZDDC_TLS_CERT": "/some/cert.pem",
// missing key
},
wantErr: true,
errContains: "both be set or both be empty",
},
{
name: "plain HTTP on all interfaces without insecure flag is rejected",
env: envSet{
"ZDDC_ROOT": root,
"ZDDC_TLS_CERT": "none",
"ZDDC_ADDR": ":8080",
},
wantErr: true,
errContains: "ZDDC_INSECURE_DIRECT",
},
{
name: "plain HTTP on 0.0.0.0 without insecure flag is rejected",
env: envSet{
"ZDDC_ROOT": root,
"ZDDC_TLS_CERT": "none",
"ZDDC_ADDR": "0.0.0.0:8080",
},
wantErr: true,
errContains: "ZDDC_INSECURE_DIRECT",
},
{
name: "plain HTTP on loopback is allowed",
env: envSet{
"ZDDC_ROOT": root,
"ZDDC_TLS_CERT": "none",
"ZDDC_ADDR": "127.0.0.1:8080",
},
check: func(t *testing.T, cfg Config) {
if cfg.TLSMode != "none" {
t.Errorf("TLSMode = %q, want none", cfg.TLSMode)
}
},
},
{
name: "plain HTTP on non-loopback with explicit opt-in is allowed",
env: envSet{
"ZDDC_ROOT": root,
"ZDDC_TLS_CERT": "none",
"ZDDC_ADDR": ":8080",
"ZDDC_INSECURE_DIRECT": "1",
},
check: func(t *testing.T, cfg Config) {
if cfg.TLSMode != "none" {
t.Errorf("TLSMode = %q, want none", cfg.TLSMode)
}
},
},
{
name: "ZDDC_INSECURE_DIRECT set to non-1 is not opt-in",
env: envSet{
"ZDDC_ROOT": root,
"ZDDC_TLS_CERT": "none",
"ZDDC_ADDR": ":8080",
"ZDDC_INSECURE_DIRECT": "true", // must be exactly "1"
},
wantErr: true,
errContains: "ZDDC_INSECURE_DIRECT",
},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
apply(tc.env)
defer clearAll()
cfg, err := Load()
if tc.wantErr {
if err == nil {
t.Fatalf("Load() = nil error, want error containing %q", tc.errContains)
}
if tc.errContains != "" && !strings.Contains(err.Error(), tc.errContains) {
t.Errorf("Load() error = %v, want substring %q", err, tc.errContains)
}
return
}
if err != nil {
t.Fatalf("Load() unexpected error: %v", err)
}
if tc.check != nil {
tc.check(t, cfg)
}
})
}
}
Reference in a new issue View git blame Copy permalink