gitea-mirror/Pulse
1
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-02-18 00:17:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Inventory download route exposure

Browse Source
This commit is contained in:
rcourtman
2026-02-04 13:27:00 +00:00
parent 0d564bfd8f
commit 67e2dce78d
1 changed files with 86 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
internal/api/router_download_inventory_test.go Normal file
View File

@@ -0,0 +1,86 @@
package api
import (
"strings"
"testing"
)
func TestRouterDownloadInventory(t *testing.T) {
literalRoutes, _, _ := parseRouterRoutes(t)
var downloadRoutes []string
for _, route := range literalRoutes {
if strings.HasPrefix(route, "/download/") {
downloadRoutes = append(downloadRoutes, route)
}
}
expectedAll := sliceToSet(t, downloadRouteAllowlist, "download route allowlist")
expectedPublic := sliceToSet(t, publicDownloadAllowlist, "public download allowlist")
expectedProtected := sliceToSet(t, protectedDownloadAllowlist, "protected download allowlist")
actualAll := sliceToSet(t, downloadRoutes, "router download routes")
if missing := setDifference(actualAll, expectedAll); len(missing) > 0 {
t.Fatalf("download routes missing from allowlist: %s", strings.Join(sortedKeys(missing), ", "))
}
if stale := setDifference(expectedAll, actualAll); len(stale) > 0 {
t.Fatalf("download allowlist contains paths not in router.go: %s", strings.Join(sortedKeys(stale), ", "))
}
if missing := setDifference(expectedPublic, expectedAll); len(missing) > 0 {
t.Fatalf("public download allowlist contains unknown routes: %s", strings.Join(sortedKeys(missing), ", "))
}
if missing := setDifference(expectedProtected, expectedAll); len(missing) > 0 {
t.Fatalf("protected download allowlist contains unknown routes: %s", strings.Join(sortedKeys(missing), ", "))
}
union := mergeSets(expectedPublic, expectedProtected)
if missing := setDifference(expectedAll, union); len(missing) > 0 {
t.Fatalf("download allowlist missing classification: %s", strings.Join(sortedKeys(missing), ", "))
}
publicPaths := sliceToSet(t, publicPathsAllowlist, "public paths allowlist")
if missing := setDifference(expectedPublic, publicPaths); len(missing) > 0 {
t.Fatalf("public downloads missing from public paths allowlist: %s", strings.Join(sortedKeys(missing), ", "))
}
if overlap := setIntersection(expectedProtected, publicPaths); len(overlap) > 0 {
t.Fatalf("protected downloads should not be public: %s", strings.Join(sortedKeys(overlap), ", "))
}
}
func mergeSets(a, b map[string]struct{}) map[string]struct{} {
merged := make(map[string]struct{}, len(a)+len(b))
for key := range a {
merged[key] = struct{}{}
}
for key := range b {
merged[key] = struct{}{}
}
return merged
}
func setIntersection(a, b map[string]struct{}) map[string]struct{} {
intersection := make(map[string]struct{})
for key := range a {
if _, ok := b[key]; ok {
intersection[key] = struct{}{}
}
}
return intersection
}
var downloadRouteAllowlist = []string{
"/download/pulse-docker-agent",
"/download/pulse-host-agent",
"/download/pulse-host-agent.sha256",
"/download/pulse-agent",
}
var publicDownloadAllowlist = []string{
"/download/pulse-docker-agent",
"/download/pulse-host-agent",
"/download/pulse-agent",
}
var protectedDownloadAllowlist = []string{
"/download/pulse-host-agent.sha256",
}