  1. package service
import (
	"fmt"
	"path/filepath"
	"strings"
	"testing"

	"github.com/xlzd/gotp"

	"github.com/mhsanaei/3x-ui/v3/internal/database"
	"github.com/mhsanaei/3x-ui/v3/internal/database/model"
)
// setupSettingTestDB points the package-level database at a fresh "x-ui.db"
// file under t.TempDir() and registers a cleanup that closes it, so every test
// in this file starts from an empty settings store and leaves nothing behind.
func setupSettingTestDB(t *testing.T) {
	t.Helper()

	dbPath := filepath.Join(t.TempDir(), "x-ui.db")
	err := database.InitDB(dbPath)
	if err != nil {
		t.Fatal(err)
	}

	t.Cleanup(func() {
		if closeErr := database.CloseDB(); closeErr != nil {
			t.Fatal(closeErr)
		}
	})
}
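// TestGetAllSettingViewRedactsSecrets stores a value for every secret-bearing
// setting, then checks that GetAllSettingView returns none of those values
// while still reporting, through its Has* flags, that each secret is set.
//
// Beyond the four named fields, the whole view is rendered with %+v and
// searched for every stored secret, so a secret that surfaces through some
// other field of the view (or of the embedded AllSetting) fails the test too.
func TestGetAllSettingViewRedactsSecrets(t *testing.T) {
	setupSettingTestDB(t)
	s := &SettingService{}

	// Setting key -> secret value, stored through the normal settings path.
	secrets := []struct{ key, value string }{
		{"tgBotToken", "telegram-secret"},
		{"twoFactorToken", "totp-secret"},
		{"ldapPassword", "ldap-secret"},
		{"smtpPassword", "smtp-secret"},
	}
	for _, kv := range secrets {
		if err := s.saveSetting(kv.key, kv.value); err != nil {
			t.Fatalf("saveSetting(%q): %v", kv.key, err)
		}
	}
	// API tokens live in their own table, not in the settings table.
	// NOTE(review): only the HasApiToken flag is asserted below; whether the
	// token value itself must be absent from the view is not established by
	// this file — confirm and extend the dump check if it should be.
	if err := database.GetDB().Create(&model.ApiToken{Name: "test", Token: "api-secret", Enabled: true}).Error; err != nil {
		t.Fatal(err)
	}

	view, err := s.GetAllSettingView()
	if err != nil {
		t.Fatal(err)
	}

	if view.TgBotToken != "" || view.TwoFactorToken != "" || view.LdapPassword != "" || view.SmtpPassword != "" {
		t.Fatalf("settings view leaked secrets: %#v", view)
	}
	// Catch leaks through any other field: no stored secret value may appear
	// anywhere in the rendered view.
	dump := fmt.Sprintf("%+v", view)
	for _, kv := range secrets {
		if strings.Contains(dump, kv.value) {
			t.Fatalf("settings view leaked %s value: %s", kv.key, dump)
		}
	}

	if !view.HasTgBotToken || !view.HasTwoFactorToken || !view.HasLdapPassword || !view.HasApiToken || !view.HasSmtpPassword {
		t.Fatalf("settings view did not report configured secret flags: %#v", view)
	}
}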
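// TestUpdateAllSettingPreservesRedactedSecrets checks the round trip a
// settings form would perform: the redacted view (secret fields blank) is
// written back through UpdateAllSetting with no SecretClears set, and every
// stored secret must survive untouched — a blank secret field on submit means
// "unchanged", not "erase". twoFactorEnable is switched on so the 2FA secret
// is exercised in its active state. After the round trip the view must still
// flag each secret as configured.
func TestUpdateAllSettingPreservesRedactedSecrets(t *testing.T) {
	setupSettingTestDB(t)
	s := &SettingService{}

	seed := []struct{ key, value string }{
		{"tgBotToken", "telegram-secret"},
		{"ldapPassword", "ldap-secret"},
		{"twoFactorEnable", "true"},
		{"twoFactorToken", "totp-secret"},
		{"smtpPassword", "smtp-secret"},
	}
	for _, kv := range seed {
		if err := s.saveSetting(kv.key, kv.value); err != nil {
			t.Fatalf("saveSetting(%q): %v", kv.key, err)
		}
	}

	view, err := s.GetAllSettingView()
	if err != nil {
		t.Fatal(err)
	}
	// Write the redacted view back exactly as a client would.
	if err := s.UpdateAllSetting(&view.AllSetting, SecretClears{}); err != nil {
		t.Fatal(err)
	}

	// The getters' second return value is ignored, as elsewhere in this file.
	checks := []struct {
		name string
		get  func() string
		want string
	}{
		{"tg token", func() string { v, _ := s.GetTgBotToken(); return v }, "telegram-secret"},
		{"ldap password", func() string { v, _ := s.GetLdapPassword(); return v }, "ldap-secret"},
		{"2fa token", func() string { v, _ := s.GetTwoFactorToken(); return v }, "totp-secret"},
		{"smtp password", func() string { v, _ := s.GetSmtpPassword(); return v }, "smtp-secret"},
	}
	for _, c := range checks {
		if got := c.get(); got != c.want {
			t.Fatalf("%s = %q, want preserved secret", c.name, got)
		}
	}

	// A view fetched after the round trip must still report every secret as set.
	after, err := s.GetAllSettingView()
	if err != nil {
		t.Fatal(err)
	}
	if !after.HasTgBotToken || !after.HasLdapPassword || !after.HasTwoFactorToken || !after.HasSmtpPassword {
		t.Fatalf("secret flags lost after redacted round trip: %#v", after)
	}
}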
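// TestUpdateAllSettingClearsFlaggedSecrets checks that SecretClears is the only
// way a redacted round trip removes a stored secret: a flagged secret is
// erased, unflagged ones survive, and the view's Has* flags track the result.
// Clearing is done in two rounds so a later update is also shown not to
// resurrect a secret cleared earlier.
func TestUpdateAllSettingClearsFlaggedSecrets(t *testing.T) {
	setupSettingTestDB(t)
	s := &SettingService{}

	seed := []struct{ key, value string }{
		{"tgBotToken", "telegram-secret"},
		{"ldapPassword", "ldap-secret"},
		{"smtpPassword", "smtp-secret"},
	}
	for _, kv := range seed {
		if err := s.saveSetting(kv.key, kv.value); err != nil {
			t.Fatalf("saveSetting(%q): %v", kv.key, err)
		}
	}

	// The getters' second return value is ignored, as elsewhere in this file.
	tg := func() string { v, _ := s.GetTgBotToken(); return v }
	ldap := func() string { v, _ := s.GetLdapPassword(); return v }
	smtp := func() string { v, _ := s.GetSmtpPassword(); return v }

	view, err := s.GetAllSettingView()
	if err != nil {
		t.Fatal(err)
	}

	// Round 1: clear only the SMTP password.
	if err := s.UpdateAllSetting(&view.AllSetting, SecretClears{SmtpPassword: true}); err != nil {
		t.Fatal(err)
	}
	if got := smtp(); got != "" {
		t.Fatalf("smtp password = %q, want cleared", got)
	}
	if got := tg(); got != "telegram-secret" {
		t.Fatalf("tg token = %q, unflagged secret must stay preserved", got)
	}
	if got := ldap(); got != "ldap-secret" {
		t.Fatalf("ldap password = %q, unflagged secret must stay preserved", got)
	}

	view, err = s.GetAllSettingView()
	if err != nil {
		t.Fatal(err)
	}
	if view.HasSmtpPassword {
		t.Fatal("hasSmtpPassword must report false after clearing")
	}
	if !view.HasTgBotToken || !view.HasLdapPassword {
		t.Fatalf("unflagged secrets must still be reported as set: %#v", view)
	}

	// Round 2: clear the remaining two from the already-redacted view.
	if err := s.UpdateAllSetting(&view.AllSetting, SecretClears{TgBotToken: true, LdapPassword: true}); err != nil {
		t.Fatal(err)
	}
	if got := tg(); got != "" {
		t.Fatalf("tg token = %q, want cleared", got)
	}
	if got := ldap(); got != "" {
		t.Fatalf("ldap password = %q, want cleared", got)
	}
	// A secret cleared in an earlier round must not come back when a later
	// round trip leaves it blank and unflagged.
	if got := smtp(); got != "" {
		t.Fatalf("smtp password = %q, must stay cleared after a later update", got)
	}

	view, err = s.GetAllSettingView()
	if err != nil {
		t.Fatal(err)
	}
	if view.HasTgBotToken || view.HasLdapPassword || view.HasSmtpPassword {
		t.Fatalf("all secret flags must report false after clearing: %#v", view)
	}
}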
// TestSanitizePublicHTTPURLBlocksPrivateAddressUnlessAllowed covers the
// allowPrivate switch of SanitizePublicHTTPURL with a loopback literal:
// rejected by default, returned unchanged when private targets are allowed.
//
// NOTE(review): only 127.0.0.1 is exercised. Other non-public targets an
// SSRF guard is usually expected to refuse (RFC 1918 ranges, [::1],
// link-local such as 169.254.169.254, the "localhost" name, non-http schemes)
// are not covered here; confirm how SanitizePublicHTTPURL classifies them
// before extending this test.
func TestSanitizePublicHTTPURLBlocksPrivateAddressUnlessAllowed(t *testing.T) {
	const loopback = "http://127.0.0.1:8080/hook"

	if _, err := SanitizePublicHTTPURL(loopback, false); err == nil {
		t.Fatal("expected localhost URL to be blocked")
	}

	got, err := SanitizePublicHTTPURL(loopback, true)
	if err != nil || got != loopback {
		t.Fatalf("allowPrivate result = %q, %v", got, err)
	}
}
// TestVerifyTwoFactorCode enables 2FA with a fixed base32 seed and checks that
// the code gotp derives for the current time step is accepted while a constant
// wrong code is rejected.
//
// NOTE(review): the accepted code is computed a moment before
// VerifyTwoFactorCode runs; if verification tolerates no neighbouring time
// step, a run that straddles a step boundary would fail spuriously — confirm
// the tolerance the service applies. Replay of an already-used code within
// its step is not tested here.
func TestVerifyTwoFactorCode(t *testing.T) {
	setupSettingTestDB(t)
	s := &SettingService{}

	const seed = "JBSWY3DPEHPK3PXP"
	for _, kv := range []struct{ key, value string }{
		{"twoFactorEnable", "true"},
		{"twoFactorToken", seed},
	} {
		if err := s.saveSetting(kv.key, kv.value); err != nil {
			t.Fatal(err)
		}
	}

	current := gotp.NewDefaultTOTP(seed).Now()
	if err := s.VerifyTwoFactorCode(current); err != nil {
		t.Fatalf("valid code rejected: %v", err)
	}

	const wrong = "000000"
	if err := s.VerifyTwoFactorCode(wrong); err == nil {
		t.Fatal("invalid code accepted")
	}
}