test: add chown traversal and writeConfigs OpenSSL guard tests

Copilot · web-flow · commit 0939154edd57 · 2026-05-13T02:16:38.000Z
- ssl-bump-chown.test.ts: new file with jest.mock('fs') to verify
  chownRecursive (called by initSslDb) walks subdirectories and chowns
  every entry when chownSync succeeds — addresses the regression gap
  noted in the PR review
- config-writer.test.ts: new file testing the isOpenSslAvailable guard
  in writeConfigs; verifies the SSL Bump initialization failed message
  and that generateSessionCa is not called when OpenSSL is absent
diff --git a/src/config-writer.test.ts b/src/config-writer.test.ts
@@ -0,0 +1,117 @@
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+
+// jest.mock() calls are hoisted before imports — keep them at the top.
+
+// fs.chownSync is non-configurable and cannot be overridden with jest.spyOn.
+// Use a module-level mock that replaces only chownSync, keeping all other
+// fs functions real so directory/file creation in writeConfigs works normally.
+jest.mock('fs', () => {
+  const actual = jest.requireActual<typeof import('fs')>('fs');
+  return { ...actual, chownSync: jest.fn() };
+});
+
+jest.mock('./ssl-bump', () => ({
+  isOpenSslAvailable: jest.fn(),
+  generateSessionCa: jest.fn(),
+  initSslDb: jest.fn(),
+  parseUrlPatterns: jest.fn().mockReturnValue([]),
+}));
+
+jest.mock('./host-env', () => ({
+  SQUID_PORT: 3128,
+  getSafeHostUid: jest.fn().mockReturnValue('1000'),
+  getSafeHostGid: jest.fn().mockReturnValue('1000'),
+  getRealUserHome: jest.fn(),
+}));
+
+jest.mock('./squid-config', () => ({
+  generateSquidConfig: jest.fn().mockReturnValue('# mock squid config'),
+  generatePolicyManifest: jest.fn().mockReturnValue({}),
+}));
+
+jest.mock('./compose-generator', () => ({
+  generateDockerCompose: jest.fn().mockReturnValue({ services: {}, version: '3' }),
+  redactDockerComposeSecrets: jest.fn().mockReturnValue({ services: {}, version: '3' }),
+}));
+
+import { writeConfigs } from './config-writer';
+import { isOpenSslAvailable } from './ssl-bump';
+import { getRealUserHome } from './host-env';
+
+describe('writeConfigs', () => {
+  let tempDir: string;
+
+  beforeEach(() => {
+    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'config-writer-test-'));
+    jest.clearAllMocks();
+    // getRealUserHome is used to locate host home subdirectories; point it at
+    // tempDir so mkdirSync calls stay within the temp tree.
+    (getRealUserHome as jest.Mock).mockReturnValue(tempDir);
+  });
+
+  afterEach(() => {
+    // Clean up tempDir and the chroot-home sibling directory that writeConfigs creates.
+    fs.rmSync(tempDir, { recursive: true, force: true });
+    fs.rmSync(`${tempDir}-chroot-home`, { recursive: true, force: true });
+  });
+
+  describe('SSL Bump preflight guard', () => {
+    it('should throw when sslBump is enabled and OpenSSL is unavailable', async () => {
+      (isOpenSslAvailable as jest.Mock).mockResolvedValue(false);
+
+      await expect(
+        writeConfigs({
+          workDir: tempDir,
+          sslBump: true,
+          allowedDomains: [],
+          agentCommand: 'echo test',
+          logLevel: 'info',
+          keepContainers: false,
+          buildLocal: false,
+          imageRegistry: 'ghcr.io/github/gh-aw-firewall',
+          imageTag: 'latest',
+        })
+      ).rejects.toThrow('SSL Bump initialization failed: openssl is not available on this system');
+    });
+
+    it('should check OpenSSL availability before calling generateSessionCa', async () => {
+      (isOpenSslAvailable as jest.Mock).mockResolvedValue(false);
+      const { generateSessionCa } = jest.requireMock('./ssl-bump');
+
+      await expect(
+        writeConfigs({
+          workDir: tempDir,
+          sslBump: true,
+          allowedDomains: [],
+          agentCommand: 'echo test',
+          logLevel: 'info',
+          keepContainers: false,
+          buildLocal: false,
+          imageRegistry: 'ghcr.io/github/gh-aw-firewall',
+          imageTag: 'latest',
+        })
+      ).rejects.toThrow();
+
+      expect(isOpenSslAvailable).toHaveBeenCalledTimes(1);
+      expect(generateSessionCa).not.toHaveBeenCalled();
+    });
+
+    it('should not check OpenSSL availability when sslBump is not enabled', async () => {
+      await writeConfigs({
+        workDir: tempDir,
+        sslBump: false,
+        allowedDomains: [],
+        agentCommand: 'echo test',
+        logLevel: 'info',
+        keepContainers: false,
+        buildLocal: false,
+        imageRegistry: 'ghcr.io/github/gh-aw-firewall',
+        imageTag: 'latest',
+      });
+
+      expect(isOpenSslAvailable).not.toHaveBeenCalled();
+    });
+  });
+});
diff --git a/src/ssl-bump-chown.test.ts b/src/ssl-bump-chown.test.ts
@@ -0,0 +1,103 @@
+/**
+ * Tests for the chown traversal inside initSslDb.
+ *
+ * fs.chownSync is a non-configurable property and cannot be replaced with
+ * jest.spyOn. This file uses a module-level jest.mock('fs', ...) to intercept
+ * chownSync calls so the successful (non-EPERM) recursion path can be verified.
+ * It is separate from ssl-bump.test.ts which relies on real fs operations.
+ */
+
+import * as path from 'path';
+import * as os from 'os';
+
+// Mock chownSync and conditionally intercept readdirSync (withFileTypes calls only).
+const mockChownSync = jest.fn();
+const mockReaddirSync = jest.fn();
+
+jest.mock('fs', () => {
+  const actual = jest.requireActual<typeof import('fs')>('fs');
+  return {
+    ...actual,
+    chownSync: (...args: unknown[]) => mockChownSync(...args),
+    readdirSync: (...args: unknown[]) => {
+      // Only intercept calls that pass { withFileTypes: true } — those come from
+      // chownRecursive. All other readdirSync calls (e.g. from mkdirSync internals)
+      // use the real implementation.
+      if (args[1] && typeof args[1] === 'object' && 'withFileTypes' in (args[1] as object)) {
+        return mockReaddirSync(...args);
+      }
+      return actual.readdirSync(...args as Parameters<typeof actual.readdirSync>);
+    },
+  };
+});
+
+// Mock execa (imported transitively by ssl-bump.ts).
+jest.mock('execa');
+
+import * as fs from 'fs';
+import { initSslDb } from './ssl-bump';
+
+describe('initSslDb chown traversal', () => {
+  let tempDir: string;
+
+  beforeEach(() => {
+    mockChownSync.mockReset();
+    mockReaddirSync.mockReset();
+    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'ssl-db-chown-test-'));
+  });
+
+  afterEach(() => {
+    fs.rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  it('should chown ssl_db root, certs subdir, and all created files', async () => {
+    // Let chownSync succeed (no EPERM).
+    mockChownSync.mockImplementation(() => {});
+
+    // Return the real ssl_db structure that initSslDb creates:
+    // first readdirSync call is on ssl_db root → index.txt, size, certs (dir)
+    // second readdirSync call is on certs → empty
+    mockReaddirSync
+      .mockReturnValueOnce([
+        { name: 'index.txt', isDirectory: () => false },
+        { name: 'size', isDirectory: () => false },
+        { name: 'certs', isDirectory: () => true },
+      ])
+      .mockReturnValueOnce([]);
+
+    const sslDbPath = await initSslDb(tempDir);
+
+    // Root ssl_db directory
+    expect(mockChownSync).toHaveBeenCalledWith(sslDbPath, 13, 13);
+    // Files in ssl_db root
+    expect(mockChownSync).toHaveBeenCalledWith(path.join(sslDbPath, 'index.txt'), 13, 13);
+    expect(mockChownSync).toHaveBeenCalledWith(path.join(sslDbPath, 'size'), 13, 13);
+    // Subdirectory (recursed into)
+    expect(mockChownSync).toHaveBeenCalledWith(path.join(sslDbPath, 'certs'), 13, 13);
+    expect(mockChownSync).toHaveBeenCalledTimes(4);
+  });
+
+  it('should recurse into nested subdirectories', async () => {
+    mockChownSync.mockImplementation(() => {});
+
+    // ssl_db root contains one subdirectory with a file inside it.
+    mockReaddirSync
+      .mockReturnValueOnce([
+        { name: 'certs', isDirectory: () => true },
+      ])
+      .mockReturnValueOnce([
+        { name: '1234ABCD.pem', isDirectory: () => false },
+      ]);
+
+    const sslDbPath = await initSslDb(tempDir);
+
+    expect(mockChownSync).toHaveBeenCalledWith(sslDbPath, 13, 13);
+    expect(mockChownSync).toHaveBeenCalledWith(path.join(sslDbPath, 'certs'), 13, 13);
+    expect(mockChownSync).toHaveBeenCalledWith(
+      path.join(sslDbPath, 'certs', '1234ABCD.pem'),
+      13,
+      13
+    );
+    expect(mockChownSync).toHaveBeenCalledTimes(3);
+  });
+});
