caddy-opnsense-blocker/internal/web/handler_test.go

package web

import (
	"context"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"
	"time"

	"git.dern.ovh/infrastructure/caddy-opnsense-blocker/internal/model"
)

func TestHandlerServesOverviewAndManualActions(t *testing.T) {
	t.Parallel()

	app := &stubApp{}
	handler := NewHandler(app)

	recorder := httptest.NewRecorder()
	request := httptest.NewRequest(http.MethodGet, "/api/recent-ips?hours=24&limit=10", nil)
	handler.ServeHTTP(recorder, request)
	if recorder.Code != http.StatusOK {
		t.Fatalf("unexpected recent ip status: %d body=%s", recorder.Code, recorder.Body.String())
	}
	var recentIPs []model.RecentIPRow
	if err := json.Unmarshal(recorder.Body.Bytes(), &recentIPs); err != nil {
		t.Fatalf("decode recent ips payload: %v", err)
	}
	if len(recentIPs) != 1 || recentIPs[0].IP != "203.0.113.10" {
		t.Fatalf("unexpected recent ips payload: %+v", recentIPs)
	}

	recorder = httptest.NewRecorder()
	request = httptest.NewRequest(http.MethodGet, "/api/overview?hours=24&limit=10", nil)
	handler.ServeHTTP(recorder, request)
	if recorder.Code != http.StatusOK {
		t.Fatalf("unexpected overview status: %d", recorder.Code)
	}
	var overview model.Overview
	if err := json.Unmarshal(recorder.Body.Bytes(), &overview); err != nil {
		t.Fatalf("decode overview payload: %v", err)
	}
	if overview.TotalEvents != 1 || len(overview.RecentIPs) != 1 || len(overview.TopIPsByEvents) != 1 {
		t.Fatalf("unexpected overview payload: %+v", overview)
	}

	recorder = httptest.NewRecorder()
	request = httptest.NewRequest(http.MethodGet, "/api/overview?hours=24&limit=10&show_known_bots=false&show_allowed=false", nil)
	handler.ServeHTTP(recorder, request)
	if recorder.Code != http.StatusOK {
		t.Fatalf("unexpected filtered overview status: %d", recorder.Code)
	}
	if app.lastOverviewOptions.ShowKnownBots || app.lastOverviewOptions.ShowAllowed {
		t.Fatalf("overview filter options were not forwarded correctly: %+v", app.lastOverviewOptions)
	}

	recorder = httptest.NewRecorder()
	request = httptest.NewRequest(http.MethodPost, "/api/ips/203.0.113.10/block", strings.NewReader(`{"reason":"test reason","actor":"tester"}`))
	request.Header.Set("Content-Type", "application/json")
	handler.ServeHTTP(recorder, request)
	if recorder.Code != http.StatusOK {
		t.Fatalf("unexpected block status: %d body=%s", recorder.Code, recorder.Body.String())
	}
	if app.lastAction != "block:203.0.113.10:tester:test reason" {
		t.Fatalf("unexpected recorded action: %q", app.lastAction)
	}

	recorder = httptest.NewRecorder()
	request = httptest.NewRequest(http.MethodPost, "/api/ips/203.0.113.10/investigate", strings.NewReader(`{"actor":"tester"}`))
	request.Header.Set("Content-Type", "application/json")
	handler.ServeHTTP(recorder, request)
	if recorder.Code != http.StatusOK {
		t.Fatalf("unexpected investigate status: %d body=%s", recorder.Code, recorder.Body.String())
	}

	recorder = httptest.NewRecorder()
	request = httptest.NewRequest(http.MethodGet, "/", nil)
	handler.ServeHTTP(recorder, request)
	if recorder.Code != http.StatusOK {
		t.Fatalf("unexpected overview page status: %d", recorder.Code)
	}
	if !strings.Contains(recorder.Body.String(), "Local-only review and enforcement console") {
		t.Fatalf("overview page did not render expected content")
	}
	if strings.Contains(recorder.Body.String(), "Recent events") {
		t.Fatalf("overview page should no longer render recent events block")
	}
	if !strings.Contains(recorder.Body.String(), "Show known bots") {
		t.Fatalf("overview page should expose the known bots toggle")
	}
	if !strings.Contains(recorder.Body.String(), "Top IPs by events") {
		t.Fatalf("overview page should expose the top IPs by events block")
	}
	if !strings.Contains(recorder.Body.String(), "Top IPs by traffic") {
		t.Fatalf("overview page should expose the top IPs by traffic block")
	}
	if !strings.Contains(recorder.Body.String(), "Top sources by events") {
		t.Fatalf("overview page should expose the top sources block")
	}
	if !strings.Contains(recorder.Body.String(), "Top URLs by events") {
		t.Fatalf("overview page should expose the top URLs block")
	}
	if !strings.Contains(recorder.Body.String(), "These two filters affect both the leaderboards and the Recent IPs list") {
		t.Fatalf("overview page should explain the scope of the shared filters")
	}
	if !strings.Contains(recorder.Body.String(), "Show allowed") {
		t.Fatalf("overview page should expose the allowed toggle")
	}
	if !strings.Contains(recorder.Body.String(), "Review only") {
		t.Fatalf("overview page should expose the review-only toggle")
	}
	if !strings.Contains(recorder.Body.String(), "localStorage") {
		t.Fatalf("overview page should persist preferences in localStorage")
	}

	recorder = httptest.NewRecorder()
	request = httptest.NewRequest(http.MethodGet, "/ips/203.0.113.10", nil)
	handler.ServeHTTP(recorder, request)
	if recorder.Code != http.StatusOK {
		t.Fatalf("unexpected ip details page status: %d", recorder.Code)
	}
	body := recorder.Body.String()
	if !strings.Contains(body, `data-ip="203.0.113.10"`) {
		t.Fatalf("ip details page did not expose expected data-ip attribute: %s", body)
	}
	if strings.Contains(body, `const ip = "\"203.0.113.10\"";`) {
		t.Fatalf("ip details page still renders a doubly quoted IP")
	}
	if strings.Contains(body, `refresh().then(() => investigate());`) {
		t.Fatalf("ip details page should not auto-refresh investigation on load")
	}
	investigationIndex := strings.Index(body, "<h2>Investigation</h2>")
	decisionsIndex := strings.Index(body, "<h2>Decisions</h2>")
	requestsIndex := strings.Index(body, "<h2>Requests from this IP</h2>")
	if investigationIndex == -1 || decisionsIndex == -1 || requestsIndex == -1 {
		t.Fatalf("ip details page is missing expected sections")
	}
	if !(investigationIndex < decisionsIndex && decisionsIndex < requestsIndex) {
		t.Fatalf("expected Decisions block right after Investigation block")
	}
}

type stubApp struct {
	lastAction          string
	lastOverviewOptions model.OverviewOptions
}

func (s *stubApp) GetOverview(_ context.Context, _ time.Time, _ int, options model.OverviewOptions) (model.Overview, error) {
	s.lastOverviewOptions = options
	now := time.Now().UTC()
	return model.Overview{
		TotalEvents: 1,
		TotalIPs:    1,
		BlockedIPs:  1,
		TopIPsByEvents: []model.TopIPRow{{
			IP:           "203.0.113.10",
			Events:       3,
			TrafficBytes: 4096,
			LastSeenAt:   now,
		}},
		TopIPsByTraffic: []model.TopIPRow{{
			IP:           "203.0.113.10",
			Events:       3,
			TrafficBytes: 4096,
			LastSeenAt:   now,
		}},
		TopSources: []model.TopSourceRow{{
			SourceName:   "main",
			Events:       3,
			TrafficBytes: 4096,
			LastSeenAt:   now,
		}},
		TopURLs: []model.TopURLRow{{
			Host:         "example.test",
			URI:          "/wp-login.php",
			Events:       3,
			TrafficBytes: 4096,
			LastSeenAt:   now,
		}},
		RecentIPs: []model.IPState{{
			IP:             "203.0.113.10",
			State:          model.IPStateBlocked,
			ManualOverride: model.ManualOverrideNone,
			TotalEvents:    1,
			LastSeenAt:     now,
		}},
		RecentEvents: []model.Event{{
			ID:           1,
			SourceName:   "main",
			ClientIP:     "203.0.113.10",
			OccurredAt:   now,
			Decision:     model.DecisionActionBlock,
			CurrentState: model.IPStateBlocked,
		}},
	}, nil
}

func (s *stubApp) ListEvents(ctx context.Context, limit int) ([]model.Event, error) {
	overview, _ := s.GetOverview(ctx, time.Time{}, limit, model.OverviewOptions{ShowKnownBots: true, ShowAllowed: true})
	return overview.RecentEvents, nil
}

func (s *stubApp) ListIPs(ctx context.Context, limit int, state string) ([]model.IPState, error) {
	overview, _ := s.GetOverview(ctx, time.Time{}, limit, model.OverviewOptions{ShowKnownBots: true, ShowAllowed: true})
	return overview.RecentIPs, nil
}

func (s *stubApp) ListRecentIPs(ctx context.Context, since time.Time, limit int) ([]model.RecentIPRow, error) {
	_ = ctx
	_ = since
	_ = limit
	now := time.Now().UTC()
	return []model.RecentIPRow{{
		IP:         "203.0.113.10",
		SourceName: "main",
		State:      model.IPStateBlocked,
		Events:     3,
		LastSeenAt: now,
		Reason:     "php_path",
		Actions:    model.ActionAvailability{CanUnblock: true},
	}}, nil
}

func (s *stubApp) GetIPDetails(context.Context, string) (model.IPDetails, error) {
	now := time.Now().UTC()
	return model.IPDetails{
		State: model.IPState{
			IP:             "203.0.113.10",
			State:          model.IPStateBlocked,
			ManualOverride: model.ManualOverrideNone,
			TotalEvents:    1,
			LastSeenAt:     now,
		},
		RecentEvents:   []model.Event{{ID: 1, ClientIP: "203.0.113.10", OccurredAt: now, Decision: model.DecisionActionBlock}},
		Decisions:      []model.DecisionRecord{{ID: 1, IP: "203.0.113.10", Action: model.DecisionActionBlock, CreatedAt: now}},
		BackendActions: []model.OPNsenseAction{{ID: 1, IP: "203.0.113.10", Action: "block", Result: "added", CreatedAt: now}},
		OPNsense:       model.OPNsenseStatus{Configured: true, Present: true, CheckedAt: now},
		Actions:        model.ActionAvailability{CanUnblock: true},
		Investigation:  &model.IPInvestigation{IP: "203.0.113.10", UpdatedAt: now},
	}, nil
}

func (s *stubApp) InvestigateIP(context.Context, string) (model.IPDetails, error) {
	return s.GetIPDetails(context.Background(), "203.0.113.10")
}

func (s *stubApp) ForceBlock(_ context.Context, ip string, actor string, reason string) error {
	s.lastAction = "block:" + ip + ":" + actor + ":" + reason
	return nil
}

func (s *stubApp) ForceAllow(_ context.Context, ip string, actor string, reason string) error {
	s.lastAction = "allow:" + ip + ":" + actor + ":" + reason
	return nil
}

func (s *stubApp) ClearOverride(_ context.Context, ip string, actor string, reason string) error {
	s.lastAction = "reset:" + ip + ":" + actor + ":" + reason
	return nil
}