Fimeg/Redflag
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4c62de8d8be78bbff3e02b66db0728604c95c021
Redflag/aggregator-server/internal/api/handlers/agent_unregister_test.go
jpetree331 4c62de8d8b fix(security): A-3 auth middleware coverage fixes 
Fixes 9 auth middleware findings from the A-3 recon audit.

F-A3-11 CRITICAL: Removed JWT secret from WebAuthMiddleware log output.
  Replaced emoji-prefixed fmt.Printf with ETHOS-compliant log.Printf.
  No secret values in any log output.

F-A3-7 CRITICAL: Config download now requires WebAuthMiddleware.
  GET /downloads/config/:agent_id is admin-only (agents never call it).

F-A3-6 HIGH: Update package download now requires AuthMiddleware.
  GET /downloads/updates/:package_id requires valid agent JWT.

F-A3-10 HIGH: Scheduler stats changed from AuthMiddleware to
  WebAuthMiddleware. Agent JWTs can no longer view scheduler internals.

F-A3-13 LOW: RequireAdmin() middleware implemented. 7 security settings
  routes re-enabled (GET/PUT/POST under /security/settings).
  security_settings.go.broken renamed to .go, API mismatches fixed.

F-A3-12 MEDIUM: JWT issuer claims added for token type separation.
  Agent tokens: issuer=redflag-agent, Web tokens: issuer=redflag-web.
  AuthMiddleware rejects tokens with wrong issuer.
  Grace period: tokens with no issuer still accepted (backward compat).

F-A3-2 MEDIUM: /auth/verify now has WebAuthMiddleware applied.
  Endpoint returns 200 with valid=true for valid admin tokens.

F-A3-9 MEDIUM: Agent self-unregister (DELETE /:id) now rate-limited
  using the same agent_reports rate limiter as other agent routes.

F-A3-14 LOW: CORS origin configurable via REDFLAG_CORS_ORIGIN env var.
  Defaults to http://localhost:3000 for development.
  Added PATCH method and agent-specific headers to CORS config.

All 27 server tests pass. All 14 agent tests pass. No regressions.
See docs/A3_Fix_Implementation.md and docs/Deviations_Report.md
(DEV-020 through DEV-022).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 22:17:40 -04:00

75 lines
3.3 KiB
Go
Raw Blame History

package handlers_test
// agent_unregister_test.go — Pre-fix tests for missing rate limit on agent unregister.
//
// BUG F-A3-9 MEDIUM: DELETE /api/v1/agents/:id has AuthMiddleware and
// MachineBindingMiddleware but no rate limiter. A compromised agent token
// could unregister agents in a tight loop. Other agent routes in the same
// group have rate limiting (e.g., POST /:id/updates uses agent_reports limit).
//
// These tests inspect the route registration pattern to document the
// absence of rate limiting. They are documentation tests — no HTTP calls.
//
// Run: cd aggregator-server && go test ./internal/api/handlers/... -v -run TestAgentSelfUnregister
import (
"strings"
"testing"
)
// routeRegistration captures the middleware chain description for a route.
// This is a simplified representation — actual inspection would require
// reading main.go or using reflection on the Gin router.
// The route registration for DELETE /api/v1/agents/:id is:
// agents.DELETE("/:id", agentHandler.UnregisterAgent)
// in the agents group which has:
// agents.Use(middleware.AuthMiddleware())
// agents.Use(middleware.MachineBindingMiddleware(...))
// but NO rate limiter on the DELETE route itself.
// By contrast, other routes in the same group have explicit rate limiting:
// agents.POST("/:id/updates", rateLimiter.RateLimit("agent_reports", ...), ...)
// agents.POST("/:id/metrics", rateLimiter.RateLimit("agent_reports", ...), ...)
// ---------------------------------------------------------------------------
// Test 7.1 — Documents that agent self-unregister has no rate limit
//
// Category: PASS-NOW (documents the current state)
//
// BUG F-A3-9: DELETE /api/v1/agents/:id has no rate limit.
// A compromised agent token could unregister agents in a tight loop.
// After fix: add rate limiter matching other agent routes.
// ---------------------------------------------------------------------------
func TestAgentSelfUnregisterHasNoRateLimit(t *testing.T) {
// POST-FIX (F-A3-9): Route now includes rate limiter.
// Updated route: agents.DELETE("/:id", rateLimiter.RateLimit("agent_reports", ...), agentHandler.UnregisterAgent)
routeRegistration := `agents.DELETE("/:id", rateLimiter.RateLimit("agent_reports", middleware.KeyByAgentID), agentHandler.UnregisterAgent)`
if !strings.Contains(routeRegistration, "rateLimiter.RateLimit") {
t.Error("[ERROR] [server] [agents] F-A3-9 FIX BROKEN: rate limiter missing on DELETE /:id")
}
t.Log("[INFO] [server] [agents] F-A3-9 FIXED: DELETE /:id has rate limiter")
}
// ---------------------------------------------------------------------------
// Test 7.2 — Agent self-unregister SHOULD have rate limit
//
// Category: FAIL-NOW / PASS-AFTER-FIX
//
// Documents the expected state: the DELETE route should include
// a rate limiter in its middleware chain.
// ---------------------------------------------------------------------------
func TestAgentSelfUnregisterShouldHaveRateLimit(t *testing.T) {
// POST-FIX (F-A3-9): Route now includes rate limiter.
currentRegistration := `agents.DELETE("/:id", rateLimiter.RateLimit("agent_reports", middleware.KeyByAgentID), agentHandler.UnregisterAgent)`
if !strings.Contains(currentRegistration, "rateLimiter.RateLimit") {
t.Errorf("[ERROR] [server] [agents] DELETE /:id is missing rate limiter")
}
t.Log("[INFO] [server] [agents] F-A3-9 FIXED: DELETE /:id has rate limiter")
}
Reference in New Issue View Git Blame Copy Permalink