test: classifier branches, docker provider, pypi index serving, bearer/checkUpstream variants

This commit is contained in:
2026-07-03 13:48:27 +10:00
parent 053fbd70e2
commit 3e590bea2b
4 changed files with 167 additions and 0 deletions
+52
View File
@@ -0,0 +1,52 @@
package proxy
import (
"testing"
"git.unkin.net/unkin/artifactapi/internal/provider"
_ "git.unkin.net/unkin/artifactapi/internal/provider/generic"
"git.unkin.net/unkin/artifactapi/pkg/models"
)
func TestClassifierBranches(t *testing.T) {
gp, err := provider.Get(models.PackageGeneric)
if err != nil {
t.Fatal(err)
}
c := NewClassifier(gp)
if c.Classify(models.Remote{Blocklist: []string{`\.exe$`}}, "x.exe") != ClassDenied {
t.Error("blocklist match should be denied")
}
// Allowlist present but path doesn't match -> denied.
allow := models.Remote{Patterns: []string{`^allowed/`}}
if c.Classify(allow, "other/x") != ClassDenied {
t.Error("non-allowlisted path should be denied")
}
if c.Classify(allow, "allowed/x") != ClassImmutable {
t.Error("allowlisted generic path should be immutable")
}
if c.Classify(models.Remote{MutablePatterns: []string{`index$`}}, "a/index") != ClassMutable {
t.Error("mutable pattern override failed")
}
if c.Classify(models.Remote{ImmutablePatterns: []string{`\.bin$`}}, "a.bin") != ClassImmutable {
t.Error("immutable pattern failed")
}
// An invalid regex is skipped (not treated as a match) rather than denying.
if c.Classify(models.Remote{Blocklist: []string{`[invalid`}}, "anything") == ClassDenied {
t.Error("invalid blocklist regex should be skipped, not deny everything")
}
}
func TestClassificationString(t *testing.T) {
for c, want := range map[Classification]string{
ClassImmutable: "immutable",
ClassMutable: "mutable",
ClassDenied: "denied",
Classification(99): "unknown",
} {
if c.String() != want {
t.Errorf("Classification(%d).String() = %q, want %q", c, c.String(), want)
}
}
}
+33
View File
@@ -108,6 +108,10 @@ func mockUpstream(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("protected payload 2"))
case "/token":
w.Write([]byte(`{"token":"minted-token","expires_in":300}`))
case "/token-at":
w.Write([]byte(`{"access_token":"at-token"}`))
case "/token-500":
w.WriteHeader(http.StatusInternalServerError)
case "/err500":
w.WriteHeader(http.StatusInternalServerError)
case "/noauth": // 401 with an unusable challenge (no realm)
@@ -451,6 +455,35 @@ func TestHeadCachedIndex(t *testing.T) {
}
}
func TestFetchBearerTokenVariants(t *testing.T) {
requireStack(t)
ctx := context.Background()
// access_token field + service/scope params + basic auth on the token req.
tok, _, err := fetchBearerToken(ctx, `Bearer realm="`+upstream.URL+`/token-at",service="reg",scope="repo:pull"`, models.Remote{Username: "u", Password: "p"})
if err != nil || tok != "at-token" {
t.Errorf("access_token variant: tok=%q err=%v", tok, err)
}
// Token endpoint error status.
if _, _, err := fetchBearerToken(ctx, `Bearer realm="`+upstream.URL+`/token-500"`, models.Remote{}); err == nil {
t.Error("expected error for 500 token endpoint")
}
}
func TestCheckUpstreamChanged(t *testing.T) {
requireStack(t)
ctx := context.Background()
r := genericRemote("eng-check")
// A non-matching ETag yields a normal 200 (not 304): not modified is false.
notModified, err := testEngine.checkUpstream(ctx, r, "pkg", `"stale-etag"`, prov(t, models.PackageNPM))
if err != nil {
t.Fatalf("checkUpstream: %v", err)
}
if notModified {
t.Error("mismatched etag should report modified (notModified=false)")
}
}
func TestUpstreamErrorUnwrap(t *testing.T) {
base := context.DeadlineExceeded
ue := &UpstreamError{Err: base}