installer: address PR26.4 auditor conditions A–E

itcmsgr · claude · itcmsgr · commit 84e9c281a355 · 2026-04-30T00:44:15.000+03:00
A. Explicit port-22 negative regression guard - TestRequiredPorts_ConfDDoesNotIncludeSSHPort22: dedicated test proving DirectAdmin RequiredPorts (TCP_IN + UDP_IN) does NOT include port 22. Independent of full-surface identity test so a future conf.d edit re-introducing 22 trips a clearly-named failure. Comment cites the four-truth rule (conf.d wins, SSH managed by /etc/nftban/ports.d/00-ssh.conf, shell-library port 22 inclusion is stale). B. Fail-closed branches — no fallback to [2222] under any error - assertNoControlPlaneFallback test helper added. - TestRequiredPorts_MissingConfD_FailsClosed: now also asserts returned tcp/udp slices are nil/empty (no [2222] fallback). - TestRequiredPorts_EmptyTCPIn_FailsClosed: same. - TestRequiredPorts_NilPanelConfig_FailsClosed: same. - TestRequiredPorts_RealLoader_MissingConfD_FailsClosed (was already present; the structural shape of fail-closed is now covered uniformly). C. Range-form (35000-35999) regression guard - TestRequiredPorts_RealLoader_RangeExpansion_LengthAndEndpoints: fixture conf.d with the canonical TCP_IN; asserts EXACT length 14 + 1000 = 1014, both endpoints (35000 and 35999) present, a mid-range port (35500) present, every discrete declared port present, and SSH 22 still excluded. Catches a future loader change that drops range expansion or shifts the boundary. D. Removed stale "PR26.4 follow-up" doc-comment from ValidateReachability — replaced with PR26.4-current text noting that RequiredPorts now loads the full conf.d surface but ValidateReachability still probes only the control plane. The ValidateReachability error message no longer says "validated in PR26.4"; new wording: "loaded from conf.d via RequiredPorts but not probed here". E. Renamed misleading test TestFrameworkIntegration_DA_Reason_DoesNotImplyFullPortSurvival → TestFrameworkIntegration_DA_ControlPlaneError_DoesNotClaimFullSurfaceReachability The semantic is unchanged (control-plane error must not claim full-surface probing), but the name now reflects post-PR26.4 reality where RequiredPorts does load the full surface declaratively. No production code paths changed beyond the doc-comment + error wording. All test additions/changes are test-file only. Lab4 proof (post A–E, base 5366caf): go vet ... clean go test -v panelfw/ports/validate 100 sub-tests PASS, 0 FAIL go test ./... 66 packages PASS, 0 FAIL Hard exclusions preserved: no cPanel/Plesk/other adapters; no shell decommission; no parser rewrite; no restore/firewall/authority changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/internal/installer/panelfw/adapters/directadmin/directadmin.go b/internal/installer/panelfw/adapters/directadmin/directadmin.go
@@ -224,17 +224,21 @@ func (a *adapter) RequiredPorts(ctx context.Context, exec executor.Executor) ([]
 // state. Returns nil on success; a structured error otherwise. Does
 // NOT mutate ports, services, or rules.
 //
-// Scope is the control plane (default 2222) only. The full DirectAdmin
-// service-port surface (mail/web/SSH/etc.) is NOT validated here —
-// see the file-level "PR26.4 follow-up" comment.
+// Scope is the control plane (default 2222 or per-`directadmin.conf`
+// override) only. RequiredPorts (PR26.4) loads the full DirectAdmin
+// service-port surface from the canonical conf.d via panel_loader, but
+// this method deliberately does NOT probe each conf.d-declared port —
+// full-surface reachability probing is intentionally out of scope here
+// and remains the broader rebuild/validate path's responsibility.
 func (a *adapter) ValidateReachability(ctx context.Context, exec executor.Executor) error {
 	port := readConfiguredPort(exec)
 	if portInListenState(exec, port) {
 		return nil
 	}
 	return fmt.Errorf(
 		"DirectAdmin control-plane port %d not in LISTEN state — control-plane unreachable "+
-			"(note: this assertion validates the control plane only; full DirectAdmin port surface validated in PR26.4)",
+			"(this assertion probes the control plane only; the full DirectAdmin port surface is loaded "+
+			"from conf.d via RequiredPorts but not probed here)",
 		port)
 }
 
diff --git a/internal/installer/panelfw/adapters/directadmin/directadmin_test.go b/internal/installer/panelfw/adapters/directadmin/directadmin_test.go
@@ -281,6 +281,8 @@ func TestRequiredPorts_ConfDLoaded_NotJust2222(t *testing.T) {
 }
 
 // PR26.4 R4: missing conf.d main.conf must fail closed.
+// Loader returns (nil, err) — adapter must propagate error AND must
+// NOT silently fall back to [2222].
 func TestRequiredPorts_MissingConfD_FailsClosed(t *testing.T) {
 	withStubLoader(t, func(configDir, panelName string) (*ports.PanelConfig, error) {
 		return nil, fmt.Errorf("panel config not found: %s/conf.d/panels/%s/main.conf",
@@ -294,9 +296,12 @@ func TestRequiredPorts_MissingConfD_FailsClosed(t *testing.T) {
 	if !strings.Contains(err.Error(), "DirectAdmin conf.d") {
 		t.Errorf("error must reference DirectAdmin conf.d; got %v", err)
 	}
+	assertNoControlPlaneFallback(t, tcp, udp)
 }
 
 // PR26.4 R5: malformed conf.d (loaded but empty TCP_IN) must fail closed.
+// Loader returns a PanelConfig with empty TCPIn — adapter must error
+// AND must NOT fall back to [2222].
 func TestRequiredPorts_EmptyTCPIn_FailsClosed(t *testing.T) {
 	withStubLoader(t, func(configDir, panelName string) (*ports.PanelConfig, error) {
 		return &ports.PanelConfig{
@@ -307,23 +312,139 @@ func TestRequiredPorts_EmptyTCPIn_FailsClosed(t *testing.T) {
 		}, nil
 	})
 
-	_, _, err := New().RequiredPorts(context.Background(), executor.NewMockExecutor())
+	tcp, udp, err := New().RequiredPorts(context.Background(), executor.NewMockExecutor())
 	if err == nil {
 		t.Fatalf("expected error on empty TCP_IN")
 	}
 	if !strings.Contains(err.Error(), "no TCP_IN") {
 		t.Errorf("error must explain malformed TCP_IN; got %v", err)
 	}
+	assertNoControlPlaneFallback(t, tcp, udp)
 }
 
-// Loader returning nil PanelConfig (defensive).
+// Loader returning nil PanelConfig (defensive). Loader returns
+// (nil, nil) — adapter must error AND must NOT fall back to [2222].
 func TestRequiredPorts_NilPanelConfig_FailsClosed(t *testing.T) {
 	withStubLoader(t, func(configDir, panelName string) (*ports.PanelConfig, error) {
 		return nil, nil
 	})
-	if _, _, err := New().RequiredPorts(context.Background(), executor.NewMockExecutor()); err == nil {
+	tcp, udp, err := New().RequiredPorts(context.Background(), executor.NewMockExecutor())
+	if err == nil {
 		t.Fatalf("expected error when loader returns nil cfg")
 	}
+	assertNoControlPlaneFallback(t, tcp, udp)
+}
+
+// PR26.4 condition A: explicit regression guard — port 22 (SSH) must
+// NOT appear in DirectAdmin RequiredPorts output. The canonical
+// conf.d intentionally excludes 22 (managed separately by
+// /etc/nftban/ports.d/00-ssh.conf); the legacy shell library
+// historically included 22 (four-truth drift). Conf.d wins.
+//
+// This test is independent of the full-surface identity test so a
+// future conf.d edit that re-introduces 22 trips a clearly-named
+// failure even if the surface-identity test has been amended.
+func TestRequiredPorts_ConfDDoesNotIncludeSSHPort22(t *testing.T) {
+	withStubLoader(t, func(configDir, panelName string) (*ports.PanelConfig, error) {
+		return &ports.PanelConfig{
+			Name:    "directadmin",
+			Enabled: true,
+			TCPIn:   canonicalDA.tcpIn,
+			UDPIn:   canonicalDA.udpIn,
+		}, nil
+	})
+	tcp, udp, err := New().RequiredPorts(context.Background(), executor.NewMockExecutor())
+	if err != nil {
+		t.Fatalf("unexpected error from canonical DA stub: %v", err)
+	}
+	if containsInt(tcp, 22) {
+		t.Errorf("DirectAdmin RequiredPorts TCP_IN must NOT include port 22 — "+
+			"SSH is managed by /etc/nftban/ports.d/00-ssh.conf, conf.d wins over shell library; got %v", tcp)
+	}
+	if containsInt(udp, 22) {
+		t.Errorf("DirectAdmin RequiredPorts UDP_IN must NOT include port 22; got %v", udp)
+	}
+}
+
+// PR26.4 condition C: range-form (35000-35999) regression guard.
+// internal/ports/panel_loader.parsePortList expands ranges into
+// individual ints (35000..35999 = 1000 values). Verify the loader
+// integration produces the expected expanded length and both endpoints
+// so a future loader change that drops range expansion or shifts the
+// boundary surfaces here.
+//
+// Canonical conf.d declares:
+//
+//	TCP_IN: 14 discrete + 35000-35999 range = 14 + 1000 = 1014 ports
+func TestRequiredPorts_RealLoader_RangeExpansion_LengthAndEndpoints(t *testing.T) {
+	if _, err := os.Stat("/bin/bash"); err != nil {
+		t.Skipf("/bin/bash unavailable on this host: %v", err)
+	}
+	const fixtureMain = `
+NFTBAN_DIRECTADMIN_PATH="/usr/local/directadmin"
+NFTBAN_DIRECTADMIN_PANEL_PORT="2222"
+NFTBAN_DIRECTADMIN_TCP_IN="20,21,25,53,853,80,110,143,443,465,587,993,995,2222,35000-35999"
+NFTBAN_DIRECTADMIN_UDP_IN="20,21,53,853,80,443"
+`
+	withFixtureConfD(t, fixtureMain)
+
+	tcp, udp, err := New().RequiredPorts(context.Background(), executor.NewMockExecutor())
+	if err != nil {
+		t.Fatalf("real-loader RequiredPorts: %v", err)
+	}
+
+	// Exact length: 14 discrete + 1000 expanded range = 1014.
+	const expectedTCP = 14 + 1000
+	if len(tcp) != expectedTCP {
+		t.Errorf("TCP_IN length = %d; want %d (14 discrete + 1000-port range expansion)",
+			len(tcp), expectedTCP)
+	}
+	// Both range endpoints must be present.
+	if !containsInt(tcp, 35000) {
+		t.Errorf("TCP_IN must include range start 35000; got %v ports total", len(tcp))
+	}
+	if !containsInt(tcp, 35999) {
+		t.Errorf("TCP_IN must include range end 35999; got %v ports total", len(tcp))
+	}
+	// Spot-check one mid-range port to confirm the loader didn't only
+	// keep endpoints.
+	if !containsInt(tcp, 35500) {
+		t.Errorf("TCP_IN must include mid-range port 35500 (loader range expansion broken?)")
+	}
+	// Every discrete declared port must be present.
+	for _, p := range []int{20, 21, 25, 53, 853, 80, 110, 143, 443, 465, 587, 993, 995, 2222} {
+		if !containsInt(tcp, p) {
+			t.Errorf("TCP_IN missing discrete declared port %d", p)
+		}
+	}
+	// SSH port 22 still excluded even with the real loader.
+	if containsInt(tcp, 22) {
+		t.Errorf("real loader produced TCP_IN containing port 22 — conf.d four-truth violation; got %v", tcp)
+	}
+	// UDP_IN exact length and contents.
+	wantUDP := []int{20, 21, 53, 853, 80, 443}
+	if len(udp) != len(wantUDP) {
+		t.Errorf("UDP_IN length = %d; want %d", len(udp), len(wantUDP))
+	}
+	for _, p := range wantUDP {
+		if !containsInt(udp, p) {
+			t.Errorf("UDP_IN missing %d", p)
+		}
+	}
+}
+
+// assertNoControlPlaneFallback is a fail-closed assertion helper: when
+// RequiredPorts errors, the returned slices must be nil/empty — never
+// the legacy [2222] fallback. This catches a regression where a future
+// edit re-introduces the pre-PR26.4 default-port behavior.
+func assertNoControlPlaneFallback(t *testing.T, tcp, udp []int) {
+	t.Helper()
+	if len(tcp) != 0 {
+		t.Errorf("fail-closed: tcp must be nil/empty on error — must NOT fall back to [2222]; got %v", tcp)
+	}
+	if len(udp) != 0 {
+		t.Errorf("fail-closed: udp must be nil/empty on error; got %v", udp)
+	}
 }
 
 // PR26.4 defensive: returned slices must not alias internal loader state.
@@ -500,10 +621,12 @@ func TestValidateReachability_NotListening_ErrorMentionsControlPlane(t *testing.
 		t.Errorf("error must explicitly say 'control-plane'; got %q", msg)
 	}
 	// Negative: the message must NOT make affirmative claims of full
-	// survival or full surface validation. We allow the explanatory
-	// negation form ("full DirectAdmin port surface validated in
-	// PR26.4") because it reads as scope clarification, not a claim
-	// the assertion has validated those ports.
+	// surface probing. The PR26.4-shape error mentions "full
+	// DirectAdmin port surface" as part of an explanatory negation
+	// ("loaded from conf.d via RequiredPorts but not probed here") —
+	// that's scope clarification, not a claim the method has probed
+	// those ports. The forbidden list below catches affirmative-claim
+	// verbs only.
 	for _, forbidden := range []string{
 		"full panel survival validated",
 		"full panel survived",
@@ -637,11 +760,16 @@ func TestFrameworkIntegration_DA_Detected_NotReachable_Blocks(t *testing.T) {
 	}
 }
 
-// PR26.3 Path A: the surfaced Reason on a failing DA host must NOT
-// claim that the full panel survival was checked — the assertion
-// covers only the control plane in PR26.3. Full port-surface
-// validation lands in PR26.4.
-func TestFrameworkIntegration_DA_Reason_DoesNotImplyFullPortSurvival(t *testing.T) {
+// PR26.4: the surfaced Reason on a control-plane-unreachable host
+// must NOT claim full-surface reachability has been probed. After
+// PR26.4, RequiredPorts loads the full DirectAdmin port surface from
+// conf.d (panel_loader), but ValidateReachability still probes the
+// control plane only — so the Reason on failure must read as a
+// control-plane miss, not as "all 1014 panel ports unreachable".
+//
+// Renamed from TestFrameworkIntegration_DA_Reason_DoesNotImplyFullPortSurvival
+// so the name matches the post-PR26.4 semantics.
+func TestFrameworkIntegration_DA_ControlPlaneError_DoesNotClaimFullSurfaceReachability(t *testing.T) {
 	stubCanonicalDA(t)
 
 	a := New()
@@ -657,10 +785,11 @@ func TestFrameworkIntegration_DA_Reason_DoesNotImplyFullPortSurvival(t *testing.
 	if !res.Fatal {
 		t.Fatalf("expected Fatal=true; got %#v", res)
 	}
-	// These phrases would imply the assertion validated more than the
-	// control plane. The error MAY mention "full ... port surface" in
-	// a NEGATION (e.g., "...full DirectAdmin port surface validated in
-	// PR26.4"), so we look for affirmative-claim verbs instead.
+	// Affirmative-claim phrases that would overstate the assertion's
+	// scope. The error MAY mention "full ... port surface" inside a
+	// negation (the PR26.4 wording: "loaded from conf.d via
+	// RequiredPorts but not probed here"); that is intentional scope
+	// clarification, not a claim the method has probed those ports.
 	for _, forbidden := range []string{
 		"full panel survival validated",
 		"full panel survived",
@@ -670,7 +799,7 @@ func TestFrameworkIntegration_DA_Reason_DoesNotImplyFullPortSurvival(t *testing.
 		"all panel ports validated",
 	} {
 		if strings.Contains(res.Reason, forbidden) {
-			t.Errorf("Reason must NOT claim %q (overstates PR26.3 scope); got %q", forbidden, res.Reason)
+			t.Errorf("Reason must NOT claim %q (control-plane probe only); got %q", forbidden, res.Reason)
 		}
 	}
 }
