test(missions): add table-driven unit tests for pure functions

AdeshDeshmukh · AdeshDeshmukh · commit 1f78b3d721de · 2026-06-13T22:23:07.000+05:30
diff --git a/pkg/api/handlers/missions/embedded_test.go b/pkg/api/handlers/missions/embedded_test.go
@@ -0,0 +1,38 @@
+package missions
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestEmbeddedHiddenMissionEntry_HiddenFiles(t *testing.T) {
+	tests := []struct {
+		name   string
+		entry  string
+		hidden bool
+	}{
+		{name: "dotfile", entry: ".hidden", hidden: true},
+		{name: "double dot", entry: "..something", hidden: true},
+		{name: "hidden dir entry", entry: ".config", hidden: true},
+		{name: "index json", entry: "index.json", hidden: true},
+		{name: "search state", entry: "search-state.json", hidden: true},
+		{name: "regular file", entry: "mission.yaml", hidden: false},
+		{name: "regular dir", entry: "fixes", hidden: false},
+		{name: "with extension", entry: "README.md", hidden: false},
+		{name: "empty string", entry: "", hidden: false},
+		{name: "index as suffix", entry: "not-index.json", hidden: false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := embeddedHiddenMissionEntry(tt.entry)
+			assert.Equal(t, tt.hidden, result)
+		})
+	}
+}
+
+func TestEmbeddedHiddenMissionEntry_Deterministic(t *testing.T) {
+	v1 := embeddedHiddenMissionEntry(".secret")
+	v2 := embeddedHiddenMissionEntry(".secret")
+	assert.Equal(t, v1, v2, "pure function must be deterministic")
+}
diff --git a/pkg/api/handlers/missions/helpers_test.go b/pkg/api/handlers/missions/helpers_test.go
@@ -0,0 +1,48 @@
+package missions
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsDemoMode(t *testing.T) {
+	app := fiber.New()
+	app.Get("/test-demo", func(c *fiber.Ctx) error {
+		if isDemoMode(c) {
+			return c.SendString("true")
+		}
+		return c.SendString("false")
+	})
+
+	tests := []struct {
+		name   string
+		header string
+		want   bool
+	}{
+		{name: "exact true", header: "true", want: true},
+		{name: "uppercase TRUE", header: "TRUE", want: false},
+		{name: "numeric 1", header: "1", want: false},
+		{name: "literal false", header: "false", want: false},
+		{name: "no header", header: "", want: false},
+		{name: "yes value", header: "yes", want: false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, "/test-demo", nil)
+			if tt.header != "" {
+				req.Header.Set("X-Demo-Mode", tt.header)
+			}
+			resp, err := app.Test(req, 5000)
+			require.NoError(t, err)
+			body, _ := io.ReadAll(resp.Body)
+			assert.Equal(t, fmt.Sprintf("%t", tt.want), string(body))
+		})
+	}
+}
diff --git a/pkg/api/handlers/missions/share_test.go b/pkg/api/handlers/missions/share_test.go
@@ -0,0 +1,160 @@
+package missions
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValidateSlackWebhookURL_Valid(t *testing.T) {
+	validURL := "https://hooks.slack.com/services/T00/B00/XXX"
+	err := validateSlackWebhookURL(validURL)
+	assert.NoError(t, err)
+}
+
+func TestValidateSlackWebhookURL_Invalid(t *testing.T) {
+	tests := []struct {
+		name string
+		url  string
+		msg  string
+	}{
+		{name: "http instead of https", url: "http://hooks.slack.com/services/T00/B00/XXX", msg: "must use https"},
+		{name: "javascript protocol", url: "javascript:alert(1)", msg: "must use https"},
+		{name: "file protocol", url: "file:///etc/passwd", msg: "must use https"},
+		{name: "SSRF internal IP", url: "https://192.168.1.1/services/T", msg: "host must be hooks.slack.com"},
+		{name: "SSRF localhost", url: "https://localhost/services/T", msg: "host must be hooks.slack.com"},
+		{name: "wrong domain", url: "https://evil.com/services/T00/B00/XXX", msg: "host must be hooks.slack.com"},
+		{name: "subdomain confusion", url: "https://hooks.slack.com.evil.com/services/T", msg: "host must be hooks.slack.com"},
+		{name: "empty string", url: "", msg: "webhook URL is required"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateSlackWebhookURL(tt.url)
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), tt.msg)
+		})
+	}
+}
+
+func TestResolveAllowedShareRepos(t *testing.T) {
+	const envVar = "KC_ALLOWED_SHARE_REPOS"
+
+	t.Run("env unset includes default repos", func(t *testing.T) {
+		t.Cleanup(func() {
+			os.Unsetenv(envVar)
+		})
+		os.Unsetenv(envVar)
+
+		repos := resolveAllowedShareRepos()
+		assert.NotEmpty(t, repos, "allowlist must not be empty")
+		assert.Contains(t, repos, "kubestellar/console-kb")
+	})
+
+	t.Run("env with additional repos", func(t *testing.T) {
+		t.Cleanup(func() {
+			os.Unsetenv(envVar)
+		})
+		os.Setenv(envVar, "org1/repo1,org2/repo2")
+
+		repos := resolveAllowedShareRepos()
+		assert.Len(t, repos, 3)
+		assert.Contains(t, repos, "org1/repo1")
+		assert.Contains(t, repos, "org2/repo2")
+	})
+
+	t.Run("env values are trimmed", func(t *testing.T) {
+		t.Cleanup(func() {
+			os.Unsetenv(envVar)
+		})
+		os.Setenv(envVar, " org1/repo1 , org2/repo2 ")
+
+		repos := resolveAllowedShareRepos()
+		assert.Len(t, repos, 3)
+		assert.Contains(t, repos, "org1/repo1")
+		assert.Contains(t, repos, "org2/repo2")
+	})
+
+	t.Run("env with empty entries are ignored", func(t *testing.T) {
+		t.Cleanup(func() {
+			os.Unsetenv(envVar)
+		})
+		os.Setenv(envVar, "org1/repo1,,org2/repo2")
+
+		repos := resolveAllowedShareRepos()
+		assert.Len(t, repos, 3)
+	})
+}
+
+func TestIsRepoAllowedForShareWithList(t *testing.T) {
+	allowlist := []string{"kubestellar/console-kb", "org1/repo1"}
+
+	t.Run("repo in list", func(t *testing.T) {
+		assert.True(t, isRepoAllowedForShareWithList("kubestellar/console-kb", allowlist))
+	})
+
+	t.Run("case insensitive match", func(t *testing.T) {
+		assert.True(t, isRepoAllowedForShareWithList("KubeStellar/Console-KB", allowlist))
+	})
+
+	t.Run("repo not in list", func(t *testing.T) {
+		assert.False(t, isRepoAllowedForShareWithList("evil/repo", allowlist))
+	})
+
+	t.Run("empty list", func(t *testing.T) {
+		assert.False(t, isRepoAllowedForShareWithList("kubestellar/console-kb", []string{}))
+	})
+
+	t.Run("nil list", func(t *testing.T) {
+		assert.False(t, isRepoAllowedForShareWithList("kubestellar/console-kb", nil))
+	})
+}
+
+func TestIsRepoAllowedForShare(t *testing.T) {
+	const envVar = "KC_ALLOWED_SHARE_REPOS"
+
+	t.Run("exact match", func(t *testing.T) {
+		t.Cleanup(func() {
+			os.Unsetenv(envVar)
+		})
+		os.Unsetenv(envVar)
+
+		assert.True(t, isRepoAllowedForShare("kubestellar/console-kb"))
+	})
+
+	t.Run("uppercase variant", func(t *testing.T) {
+		t.Cleanup(func() {
+			os.Unsetenv(envVar)
+		})
+		os.Unsetenv(envVar)
+
+		assert.True(t, isRepoAllowedForShare("KUBESTELLAR/CONSOLE-KB"))
+	})
+
+	t.Run("not in list", func(t *testing.T) {
+		t.Cleanup(func() {
+			os.Unsetenv(envVar)
+		})
+		os.Unsetenv(envVar)
+
+		assert.False(t, isRepoAllowedForShare("evil/repo"))
+	})
+
+	t.Run("empty string", func(t *testing.T) {
+		t.Cleanup(func() {
+			os.Unsetenv(envVar)
+		})
+		os.Unsetenv(envVar)
+
+		assert.False(t, isRepoAllowedForShare(""))
+	})
+
+	t.Run("path traversal attempt", func(t *testing.T) {
+		t.Cleanup(func() {
+			os.Unsetenv(envVar)
+		})
+		os.Unsetenv(envVar)
+
+		assert.False(t, isRepoAllowedForShare("layer5io/../admin/repo"))
+	})
+}
