3x-ui/internal/sub/mutation_audit_test.go

package sub

import (
	"encoding/base64"
	"encoding/json"
	"path/filepath"
	"strings"
	"testing"

	"github.com/mhsanaei/3x-ui/v3/internal/database"
	"github.com/mhsanaei/3x-ui/v3/internal/database/model"
	"github.com/mhsanaei/3x-ui/v3/internal/xray"
)

// initMutDB spins up a real temp SQLite DB for tests that exercise DB-backed
// query helpers, mirroring the house pattern in service_sharelink/dedup tests.
func initMutDB(t *testing.T) {
	t.Helper()
	dbDir := t.TempDir()
	t.Setenv("XUI_DB_FOLDER", dbDir)
	if err := database.InitDB(filepath.Join(dbDir, "x-ui.db")); err != nil {
		t.Fatalf("InitDB: %v", err)
	}
	t.Cleanup(func() { _ = database.CloseDB() })
}

// --- json_service.go:40 — rules are merged into routing only when non-empty ---

func TestSubJsonService_CustomRulesPrepended(t *testing.T) {
	rules := `[{"type":"field","domain":["geosite:ads"],"outboundTag":"block"}]`
	svc := NewSubJsonService("", rules, "", nil)

	routing, ok := svc.configJson["routing"].(map[string]any)
	if !ok {
		t.Fatalf("routing missing: %#v", svc.configJson["routing"])
	}
	got, _ := routing["rules"].([]any)
	// default.json ships exactly 1 rule; the custom rule must be prepended.
	if len(got) != 2 {
		t.Fatalf("rules len = %d, want 2 (custom prepended to default)", len(got))
	}
	first, _ := got[0].(map[string]any)
	if domains, _ := first["domain"].([]any); len(domains) != 1 || domains[0] != "geosite:ads" {
		t.Fatalf("custom rule must come first, got %#v", got[0])
	}
}

func TestSubJsonService_EmptyRulesLeavesDefault(t *testing.T) {
	svc := NewSubJsonService("", "", "", nil)
	routing, _ := svc.configJson["routing"].(map[string]any)
	got, _ := routing["rules"].([]any)
	if len(got) != 1 {
		t.Fatalf("rules len = %d, want 1 (no custom rules → default untouched)", len(got))
	}
}

// --- json_service.go:331,356,408 — mux is attached only when configured ---

func TestSubJsonService_MuxAttachedWhenConfigured(t *testing.T) {
	const mux = `{"enabled":true,"concurrency":8}`
	client := model.Client{ID: "uuid-1", Password: "p4ss"}

	cases := []struct {
		name     string
		raw      []byte
		wantMux  bool
		protocol model.Protocol
	}{
		{"vmess mux", NewSubJsonService(mux, "", "", nil).genVnext(&model.Inbound{Protocol: model.VMESS, Settings: `{}`}, nil, client), true, model.VMESS},
		{"vless mux", NewSubJsonService(mux, "", "", nil).genVless(&model.Inbound{Protocol: model.VLESS, Settings: `{}`}, nil, client), true, model.VLESS},
		{"server mux", NewSubJsonService(mux, "", "", nil).genServer(&model.Inbound{Protocol: model.Trojan, Settings: `{}`}, nil, client), true, model.Trojan},
		{"vmess no mux", NewSubJsonService("", "", "", nil).genVnext(&model.Inbound{Protocol: model.VMESS, Settings: `{}`}, nil, client), false, model.VMESS},
		{"vless no mux", NewSubJsonService("", "", "", nil).genVless(&model.Inbound{Protocol: model.VLESS, Settings: `{}`}, nil, client), false, model.VLESS},
		{"server no mux", NewSubJsonService("", "", "", nil).genServer(&model.Inbound{Protocol: model.Trojan, Settings: `{}`}, nil, client), false, model.Trojan},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var ob map[string]any
			if err := json.Unmarshal(tc.raw, &ob); err != nil {
				t.Fatalf("unmarshal outbound: %v", err)
			}
			m, has := ob["mux"]
			if tc.wantMux {
				if !has {
					t.Fatalf("mux must be set when configured, outbound = %#v", ob)
				}
				mm, _ := m.(map[string]any)
				if mm["enabled"] != true || mm["concurrency"] != float64(8) {
					t.Fatalf("mux payload wrong: %#v", m)
				}
			} else if has {
				t.Fatalf("mux must be omitted when empty, outbound = %#v", ob)
			}
		})
	}
}

// --- json_service.go:268 — a non-empty finalMask that merges to nothing must
// not add the finalmask key (the `len(merged) > 0` guard). ---

func TestSubJsonService_FinalMaskMergingToEmptyNotAdded(t *testing.T) {
	// finalMask is non-empty (passes the len(fm)==0 early return) but its only
	// key is an empty tcp slice, which mergeFinalMask drops → merged is empty,
	// so applyGlobalFinalMask (json_service.go:268) must NOT set finalmask.
	svc := NewSubJsonService("", "", `{"tcp":[]}`, nil)
	stream := svc.streamData(`{"network":"tcp","security":"none","tcpSettings":{"header":{"type":"none"}}}`)
	if _, ok := stream["finalmask"]; ok {
		t.Fatalf("finalMask merging to empty must not add a finalmask key: %#v", stream["finalmask"])
	}

	// Sanity: a finalMask that DOES merge to something still gets set, so the
	// guard is the only distinguishing factor.
	svc2 := NewSubJsonService("", "", `{"tcp":[{"type":"fragment"}]}`, nil)
	stream2 := svc2.streamData(`{"network":"tcp","security":"none","tcpSettings":{"header":{"type":"none"}}}`)
	if _, ok := stream2["finalmask"]; !ok {
		t.Fatal("non-empty finalMask must be set")
	}
}

// --- json_service.go:494 — an empty extra tcp slice must not clobber the base ---

func TestMergeFinalMask_EmptyExtraTcpKeepsBase(t *testing.T) {
	base := map[string]any{"tcp": []any{map[string]any{"type": "keep"}}}
	extra := map[string]any{"tcp": []any{}} // empty → must be ignored
	merged := mergeFinalMask(base, extra)
	tcp, _ := merged["tcp"].([]any)
	if len(tcp) != 1 {
		t.Fatalf("tcp len = %d, want 1 (empty extra must not drop or append)", len(tcp))
	}
	if first, _ := tcp[0].(map[string]any); first["type"] != "keep" {
		t.Fatalf("base tcp mask lost: %#v", tcp)
	}
	// Sanity: a non-empty extra DOES append, so the guard is the only thing
	// distinguishing the two paths.
	extra2 := map[string]any{"tcp": []any{map[string]any{"type": "add"}}}
	merged2 := mergeFinalMask(base, extra2)
	if tcp2, _ := merged2["tcp"].([]any); len(tcp2) != 2 {
		t.Fatalf("non-empty extra must append: len = %d, want 2", len(tcp2))
	}
}

// --- service.go:69-77 — configuredPublicHost priority: subDomain > webDomain > "" ---

func TestConfiguredPublicHost_Priority(t *testing.T) {
	initMutDB(t)
	db := database.GetDB()
	set := func(key, val string) {
		if err := db.Save(&model.Setting{Key: key, Value: val}).Error; err != nil {
			t.Fatalf("save %s: %v", key, err)
		}
	}

	s := &SubService{}

	// Both empty → "".
	if got := s.configuredPublicHost(); got != "" {
		t.Fatalf("no domains configured: got %q, want empty", got)
	}

	// Only webDomain → webDomain wins (exercises the second branch, service.go:73).
	set("webDomain", "web.example.com")
	if got := s.configuredPublicHost(); got != "web.example.com" {
		t.Fatalf("webDomain fallback: got %q, want web.example.com", got)
	}

	// subDomain set → subDomain takes precedence over webDomain (service.go:70).
	set("subDomain", "sub.example.com")
	if got := s.configuredPublicHost(); got != "sub.example.com" {
		t.Fatalf("subDomain priority: got %q, want sub.example.com", got)
	}
}

// --- service.go:248 — AggregateTrafficByEmails tracks the MAX LastOnline ---

func TestAggregateTrafficByEmails_LastOnlineIsMax(t *testing.T) {
	initMutDB(t)
	db := database.GetDB()

	rows := []xray.ClientTraffic{
		{Email: "a@x", Up: 10, Down: 20, LastOnline: 100},
		{Email: "b@x", Up: 1, Down: 2, LastOnline: 500}, // the max
		{Email: "c@x", Up: 3, Down: 4, LastOnline: 300},
	}
	for i := range rows {
		if err := db.Create(&rows[i]).Error; err != nil {
			t.Fatalf("seed traffic: %v", err)
		}
	}

	s := &SubService{}
	agg, lastOnline := s.AggregateTrafficByEmails([]string{"a@x", "b@x", "c@x"})
	if lastOnline != 500 {
		t.Fatalf("lastOnline = %d, want 500 (max across rows)", lastOnline)
	}
	// Up/Down must still sum so a mutant can't pass by zeroing everything.
	if agg.Up != 14 || agg.Down != 26 {
		t.Fatalf("agg up/down = %d/%d, want 14/26", agg.Up, agg.Down)
	}
}

// --- service.go:329 — projectThroughFallbackMaster returns false for nil ---

func TestProjectThroughFallbackMaster_Nil(t *testing.T) {
	s := &SubService{}
	if s.projectThroughFallbackMaster(nil) {
		t.Fatal("nil inbound must yield false (no projection, no DB hit)")
	}
}

// --- service.go:555 — empty client flow must not emit a flow param even when allowed ---

func TestGenVlessLink_NoFlowWhenClientFlowEmpty(t *testing.T) {
	// tcp+reality is a flow-allowed combo; with an empty client flow the
	// len(...)>0 guard (service.go:555) must keep `flow` out of the link.
	stream := `{
		"network":"tcp","security":"reality",
		"tcpSettings":{"header":{"type":"none"}},
		"realitySettings":{"serverNames":["r.example.com"],"shortIds":["ab"],"settings":{"publicKey":"PBK","fingerprint":"chrome"}}
	}`
	inbound := &model.Inbound{
		Listen:         "203.0.113.1",
		Port:           443,
		Protocol:       model.VLESS,
		Remark:         "noflow",
		Settings:       `{"clients":[{"id":"11111111-2222-4333-8444-555555555555","email":"user"}],"encryption":"none"}`,
		StreamSettings: stream,
	}
	s := &SubService{remarkModel: "-ieo"}
	if link := s.genVlessLink(inbound, "user"); strings.Contains(link, "flow=") {
		t.Fatalf("empty client flow must not produce a flow param, got %q", link)
	}
}

// --- service.go:906-913 — applyPathAndHostParams host source ---

func TestApplyPathAndHostParams(t *testing.T) {
	// Direct host wins (service.go:908 true branch).
	params := map[string]string{}
	applyPathAndHostParams(map[string]any{"path": "/p", "host": "direct.example.com"}, params)
	if params["path"] != "/p" {
		t.Fatalf("path = %q, want /p", params["path"])
	}
	if params["host"] != "direct.example.com" {
		t.Fatalf("direct host = %q, want direct.example.com", params["host"])
	}

	// No direct host → fall back to headers.Host (service.go:908 false branch).
	params = map[string]string{}
	applyPathAndHostParams(map[string]any{
		"path":    "/p",
		"headers": map[string]any{"Host": "via-header.example.com"},
	}, params)
	if params["host"] != "via-header.example.com" {
		t.Fatalf("header host fallback = %q, want via-header.example.com", params["host"])
	}

	// Empty-string host must NOT shadow the header fallback (len(host) > 0 guard).
	params = map[string]string{}
	applyPathAndHostParams(map[string]any{
		"path":    "/p",
		"host":    "",
		"headers": map[string]any{"Host": "via-header.example.com"},
	}, params)
	if params["host"] != "via-header.example.com" {
		t.Fatalf("empty host must defer to headers, got %q", params["host"])
	}
}

// --- external_config.go:39,42,55,58 — getClientExternalLinksBySubId ---

func TestGetClientExternalLinksBySubId(t *testing.T) {
	initMutDB(t)
	db := database.GetDB()
	s := &SubService{}

	// No client rows for the subId → nil, no error (service.go path :42).
	out, err := s.getClientExternalLinksBySubId("missing")
	if err != nil {
		t.Fatalf("missing subId err = %v, want nil", err)
	}
	if out != nil {
		t.Fatalf("missing subId = %#v, want nil", out)
	}

	// A client with NO external-link rows → nil (the rows-empty guard :58).
	bare := &model.ClientRecord{Email: "bare@x", SubID: "sub-bare", UUID: "u", Enable: true}
	if err := db.Create(bare).Error; err != nil {
		t.Fatalf("seed bare client: %v", err)
	}
	out, err = s.getClientExternalLinksBySubId("sub-bare")
	if err != nil {
		t.Fatalf("bare subId err = %v", err)
	}
	if out != nil {
		t.Fatalf("client with no links = %#v, want nil", out)
	}

	// A client with two link rows: ordering by sort_index and email/enable
	// attribution from the owning client (the loop copies rec.Email/rec.Enable).
	rec := &model.ClientRecord{Email: "owner@x", SubID: "sub-ok", UUID: "u2", Enable: true}
	if err := db.Create(rec).Error; err != nil {
		t.Fatalf("seed client: %v", err)
	}
	if err := db.Create(&model.ClientExternalLink{ClientId: rec.Id, Kind: model.ExternalLinkKindLink, Value: "trojan://b", Remark: "second", SortIndex: 5}).Error; err != nil {
		t.Fatalf("seed link b: %v", err)
	}
	if err := db.Create(&model.ClientExternalLink{ClientId: rec.Id, Kind: model.ExternalLinkKindLink, Value: "trojan://a", Remark: "first", SortIndex: 1}).Error; err != nil {
		t.Fatalf("seed link a: %v", err)
	}

	out, err = s.getClientExternalLinksBySubId("sub-ok")
	if err != nil {
		t.Fatalf("ok subId err = %v", err)
	}
	if len(out) != 2 {
		t.Fatalf("entries = %d, want 2", len(out))
	}
	// sort_index ASC: the SortIndex=1 row comes first.
	if out[0].Value != "trojan://a" || out[1].Value != "trojan://b" {
		t.Fatalf("ordering wrong: %#v", out)
	}
	// Email + Enable must be copied from the owning client, not the link row
	// (which carries neither field). The enabled owner → Enable true.
	if out[0].Email != "owner@x" || out[0].Enable != true {
		t.Fatalf("attribution wrong: email=%q enable=%v", out[0].Email, out[0].Enable)
	}

	// A DISABLED client must produce entries with Enable=false, proving the
	// value is read from the client row (Enable has a gorm default:true, so
	// flip it with a raw UPDATE that bypasses the default).
	dis := &model.ClientRecord{Email: "off@x", SubID: "sub-off", UUID: "u3", Enable: true}
	if err := db.Create(dis).Error; err != nil {
		t.Fatalf("seed disabled client: %v", err)
	}
	if err := db.Model(&model.ClientRecord{}).Where("id = ?", dis.Id).Update("enable", false).Error; err != nil {
		t.Fatalf("disable client: %v", err)
	}
	if err := db.Create(&model.ClientExternalLink{ClientId: dis.Id, Kind: model.ExternalLinkKindLink, Value: "trojan://c", SortIndex: 1}).Error; err != nil {
		t.Fatalf("seed link c: %v", err)
	}
	offOut, err := s.getClientExternalLinksBySubId("sub-off")
	if err != nil {
		t.Fatalf("off subId err = %v", err)
	}
	if len(offOut) != 1 {
		t.Fatalf("disabled client entries = %d, want 1", len(offOut))
	}
	if offOut[0].Email != "off@x" || offOut[0].Enable != false {
		t.Fatalf("disabled attribution wrong: email=%q enable=%v", offOut[0].Email, offOut[0].Enable)
	}
}

// --- external_config.go:102 — applyRemarkToLink appends a fragment when none exists ---

func TestApplyRemarkToLink_NoFragmentAppends(t *testing.T) {
	link := "trojan://[email protected]:8443?security=tls"
	out := applyRemarkToLink(link, "DE-Node")
	if out != link+"#DE-Node" {
		t.Fatalf("no-fragment link must get the remark appended, got %q", out)
	}
}

// --- external_config.go:111 — applyVmessRemark falls back to RawURLEncoding ---

func TestApplyVmessRemark_RawURLEncodingFallback(t *testing.T) {
	// The "aa?" ps forces a URL-safe char (_) in the RawURL encoding, so
	// base64.StdEncoding.DecodeString fails and the RawURLEncoding fallback
	// path (external_config.go:111) must take over. (ps is overwritten below,
	// so its value is irrelevant to the assertions.)
	payload := map[string]any{"v": "2", "ps": "aa?", "add": "1.2.3.4", "port": "443", "id": "uuid"}
	b, _ := json.Marshal(payload)
	link := "vmess://" + base64.RawURLEncoding.EncodeToString(b)
	// Guard the premise: this link must NOT be std-decodable, else the fallback
	// branch is never reached and the test is meaningless.
	if _, err := base64.StdEncoding.DecodeString(padBase64Sub(strings.TrimPrefix(link, "vmess://"))); err == nil {
		t.Fatal("test premise broken: link is std-base64 decodable, fallback not exercised")
	}

	out := applyRemarkToLink(link, "NL-Node")
	if out == link {
		t.Fatalf("raw-url-encoded vmess remark was not applied (fallback decode broken): %q", out)
	}
	// The result re-encodes with StdEncoding; decode and verify ps + credentials.
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(out, "vmess://"))
	if err != nil {
		t.Fatalf("decode out: %v", err)
	}
	var got map[string]any
	if err := json.Unmarshal(raw, &got); err != nil {
		t.Fatalf("unmarshal: %v", err)
	}
	if got["ps"] != "NL-Node" {
		t.Fatalf("ps = %v, want NL-Node", got["ps"])
	}
	if got["id"] != "uuid" {
		t.Fatalf("credentials lost via fallback path: %#v", got)
	}
}

// --- external_config.go:130 — padBase64Sub pads to a multiple of 4 ---

func TestPadBase64Sub(t *testing.T) {
	cases := map[string]string{
		"":     "",
		"a":    "a===",
		"ab":   "ab==",
		"abc":  "abc=",
		"abcd": "abcd",
	}
	for in, want := range cases {
		if got := padBase64Sub(in); got != want {
			t.Fatalf("padBase64Sub(%q) = %q, want %q", in, got, want)
		}
		if len(padBase64Sub(in))%4 != 0 {
			t.Fatalf("padBase64Sub(%q) length not a multiple of 4", in)
		}
	}
}

// --- external_subscription.go:122 — base64 body decode strips embedded whitespace ---

func TestDecodeSubscriptionBody_StripsWhitespaceInBase64(t *testing.T) {
	plain := "vless://[email protected]:443#one\ntrojan://[email protected]:8443#two\n"
	encoded := base64.StdEncoding.EncodeToString([]byte(plain))
	// Inject whitespace into the base64 token; tryDecodeBase64Body must strip it
	// (external_subscription.go:122) so decoding still succeeds.
	half := len(encoded) / 2
	dirty := encoded[:half] + "\n \t" + encoded[half:]

	links := decodeSubscriptionBody([]byte(dirty))
	if len(links) != 2 || links[0] != "vless://[email protected]:443#one" || links[1] != "trojan://[email protected]:8443#two" {
		t.Fatalf("whitespace-laden base64 body decoded wrong: %#v", links)
	}
}

// --- clash_service.go:123 — duplicate proxy names disambiguate as base-N ---

func TestEnsureUniqueProxyNames_SuffixSequence(t *testing.T) {
	proxies := []map[string]any{
		{"name": "node"},
		{"name": "node"},
		{"name": "node"},
	}
	ensureUniqueProxyNames(proxies)
	if proxies[0]["name"] != "node" {
		t.Fatalf("first occurrence must keep base name, got %v", proxies[0]["name"])
	}
	if proxies[1]["name"] != "node-2" {
		t.Fatalf("second duplicate = %v, want node-2", proxies[1]["name"])
	}
	if proxies[2]["name"] != "node-3" {
		t.Fatalf("third duplicate = %v, want node-3", proxies[2]["name"])
	}
}

// --- clash_service.go:422,447 — empty transport opts must NOT add the *-opts key ---

func TestApplyTransport_EmptyOptsOmitted(t *testing.T) {
	svc := &SubClashService{}

	// httpupgrade with no path/host → opts empty → no http-upgrade-opts key (clash:422).
	huProxy := map[string]any{}
	if !svc.applyTransport(huProxy, "httpupgrade", map[string]any{"httpupgradeSettings": map[string]any{}}) {
		t.Fatal("httpupgrade must still be buildable")
	}
	if huProxy["network"] != "httpupgrade" {
		t.Fatalf("network = %v, want httpupgrade", huProxy["network"])
	}
	if _, ok := huProxy["http-upgrade-opts"]; ok {
		t.Fatalf("empty opts must not set http-upgrade-opts: %#v", huProxy["http-upgrade-opts"])
	}

	// xhttp with no path/host/mode → opts empty → no xhttp-opts key (clash:447).
	xhProxy := map[string]any{}
	if !svc.applyTransport(xhProxy, "xhttp", map[string]any{"xhttpSettings": map[string]any{}}) {
		t.Fatal("xhttp must still be buildable")
	}
	if xhProxy["network"] != "xhttp" {
		t.Fatalf("network = %v, want xhttp", xhProxy["network"])
	}
	if _, ok := xhProxy["xhttp-opts"]; ok {
		t.Fatalf("empty opts must not set xhttp-opts: %#v", xhProxy["xhttp-opts"])
	}
}