jpetree331
ee246771dc
Pre-fix test suite documenting 8 auth middleware bugs found during the A-3 recon audit. Tests are written to FAIL where they assert correct post-fix behavior, and PASS where they document current buggy behavior. No bugs are fixed in this commit. Tests added: - F-A3-11 CRITICAL: WebAuthMiddleware leaks JWT secret to stdout (3 tests: secret in output, emoji in output, ETHOS format) - F-A3-7 CRITICAL: Config download requires no auth (2 tests) - F-A3-6 HIGH: Update package download requires no auth (2 tests) - F-A3-10 HIGH: Scheduler stats accepts agent JWT (2 tests) - F-A3-12 MEDIUM: Cross-type JWT token confusion (2 tests) - F-A3-2 MEDIUM: /auth/verify dead endpoint (2 tests) - F-A3-13 LOW: RequireAdmin middleware missing (1 test + 1 build-tagged) - F-A3-9 MEDIUM: Agent self-unregister no rate limit (2 tests) Current state: 10 FAIL, 7 PASS, 1 SKIP (build-tagged), 1 unchanged See docs/A3_PreFix_Tests.md for full inventory. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
138 lines
5.9 KiB
Go
138 lines
5.9 KiB
Go
package handlers_test
|
|
|
|
// downloads_auth_test.go — Pre-fix tests for unauthenticated download endpoints.
|
|
//
|
|
// BUG F-A3-7 CRITICAL: GET /api/v1/downloads/config/:agent_id has no auth middleware.
|
|
// Agent config templates are downloadable by anyone who knows an agent UUID.
|
|
// ETHOS #2 violation: unauthenticated endpoint serves config data.
|
|
//
|
|
// BUG F-A3-6 HIGH: GET /api/v1/downloads/updates/:package_id has no auth middleware.
|
|
// Signed update binaries are downloadable by anyone with a package UUID.
|
|
//
|
|
// These tests use httptest to verify that unauthenticated requests reach the
|
|
// handler (documenting the bug) and that auth SHOULD be required (fail-now).
|
|
//
|
|
// Run: cd aggregator-server && go test ./internal/api/handlers/... -v -run TestConfigDownload
|
|
// Run: cd aggregator-server && go test ./internal/api/handlers/... -v -run TestUpdatePackageDownload
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Test 2.1 — Config download SHOULD require auth (currently doesn't)
|
|
//
|
|
// Category: FAIL-NOW / PASS-AFTER-FIX
|
|
//
|
|
// BUG F-A3-7: Config download requires no auth. Agent UUIDs are not secret
|
|
// (they appear in URLs, logs, error messages). Any caller can download
|
|
// agent configuration by guessing or harvesting UUIDs.
|
|
// ETHOS #2 violation: unauthenticated endpoint serves sensitive data.
|
|
// ---------------------------------------------------------------------------
|
|
|
|
func TestConfigDownloadRequiresAuth(t *testing.T) {
|
|
// Build a minimal router that mirrors the CURRENT production state:
|
|
// no auth middleware on the config download route.
|
|
router := gin.New()
|
|
router.GET("/api/v1/downloads/config/:agent_id", func(c *gin.Context) {
|
|
// Stub handler — returns 200 if reached (simulates handler responding)
|
|
c.JSON(http.StatusOK, gin.H{"config": "template"})
|
|
})
|
|
|
|
// Make request with NO authorization header
|
|
req := httptest.NewRequest("GET", "/api/v1/downloads/config/550e8400-e29b-41d4-a716-446655440000", nil)
|
|
rec := httptest.NewRecorder()
|
|
router.ServeHTTP(rec, req)
|
|
|
|
// After fix: route must have auth middleware that returns 401
|
|
if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
|
|
t.Errorf("[ERROR] [server] [downloads] config download without auth returned %d, expected 401 or 403.\n"+
|
|
"BUG F-A3-7: config download requires no authentication.\n"+
|
|
"After fix: add AuthMiddleware or WebAuthMiddleware to this route.", rec.Code)
|
|
}
|
|
}
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Test 2.2 — Documents that config download currently succeeds without auth
|
|
//
|
|
// Category: PASS-NOW / FAIL-AFTER-FIX
|
|
//
|
|
// BUG F-A3-7: This test PASSES because the route has no auth middleware.
|
|
// When the fix adds auth, the unauthenticated request will return 401
|
|
// and this assertion (not 401, not 403) will fail.
|
|
// ---------------------------------------------------------------------------
|
|
|
|
func TestConfigDownloadCurrentlyUnauthenticated(t *testing.T) {
|
|
router := gin.New()
|
|
router.GET("/api/v1/downloads/config/:agent_id", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"config": "template"})
|
|
})
|
|
|
|
req := httptest.NewRequest("GET", "/api/v1/downloads/config/550e8400-e29b-41d4-a716-446655440000", nil)
|
|
rec := httptest.NewRecorder()
|
|
router.ServeHTTP(rec, req)
|
|
|
|
// This assertion PASSES now (bug present) — will FAIL after fix
|
|
if rec.Code == http.StatusUnauthorized || rec.Code == http.StatusForbidden {
|
|
t.Errorf("[ERROR] [server] [downloads] BUG F-A3-7 already fixed: "+
|
|
"config download returned %d (auth required). Update this test.", rec.Code)
|
|
}
|
|
|
|
t.Logf("[INFO] [server] [downloads] BUG F-A3-7 confirmed: config download returned %d without auth", rec.Code)
|
|
t.Log("[INFO] [server] [downloads] after fix: this test will FAIL (update to assert 401)")
|
|
}
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Test 2.3 — Update package download SHOULD require auth (currently doesn't)
|
|
//
|
|
// Category: FAIL-NOW / PASS-AFTER-FIX
|
|
//
|
|
// BUG F-A3-6: Update package download requires no auth.
|
|
// Signed update binaries should require at minimum a valid agent JWT.
|
|
// ---------------------------------------------------------------------------
|
|
|
|
func TestUpdatePackageDownloadRequiresAuth(t *testing.T) {
|
|
router := gin.New()
|
|
router.GET("/api/v1/downloads/updates/:package_id", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"package": "data"})
|
|
})
|
|
|
|
req := httptest.NewRequest("GET", "/api/v1/downloads/updates/550e8400-e29b-41d4-a716-446655440000", nil)
|
|
rec := httptest.NewRecorder()
|
|
router.ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
|
|
t.Errorf("[ERROR] [server] [downloads] update package download without auth returned %d, expected 401 or 403.\n"+
|
|
"BUG F-A3-6: update package download requires no authentication.\n"+
|
|
"After fix: add AuthMiddleware to this route.", rec.Code)
|
|
}
|
|
}
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Test 2.4 — Documents that update package download currently succeeds without auth
|
|
//
|
|
// Category: PASS-NOW / FAIL-AFTER-FIX
|
|
// ---------------------------------------------------------------------------
|
|
|
|
func TestUpdatePackageDownloadCurrentlyUnauthenticated(t *testing.T) {
|
|
router := gin.New()
|
|
router.GET("/api/v1/downloads/updates/:package_id", func(c *gin.Context) {
|
|
c.JSON(http.StatusOK, gin.H{"package": "data"})
|
|
})
|
|
|
|
req := httptest.NewRequest("GET", "/api/v1/downloads/updates/550e8400-e29b-41d4-a716-446655440000", nil)
|
|
rec := httptest.NewRecorder()
|
|
router.ServeHTTP(rec, req)
|
|
|
|
if rec.Code == http.StatusUnauthorized || rec.Code == http.StatusForbidden {
|
|
t.Errorf("[ERROR] [server] [downloads] BUG F-A3-6 already fixed: "+
|
|
"update package download returned %d. Update this test.", rec.Code)
|
|
}
|
|
|
|
t.Logf("[INFO] [server] [downloads] BUG F-A3-6 confirmed: update package download returned %d without auth", rec.Code)
|
|
}
|