portok 1.0.0

package/test/security.test.mjs

@@ -0,0 +1,256 @@
+/**
+ * Security Tests
+ * Tests token validation, IP allowlist, and rate limiting
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import { spawn } from 'node:child_process';
+import { createMockServer, getFreePort, waitFor } from './helpers/mock-server.mjs';
+
+describe('Security', () => {
+  let mockServer;
+  let proxyPort;
+  let daemonProcess;
+  const adminToken = 'secure-test-token-xyz';
+
+  before(async () => {
+    mockServer = await createMockServer({ port: 0 });
+    proxyPort = await getFreePort();
+
+    daemonProcess = spawn('node', ['portokd.mjs'], {
+      env: {
+        ...process.env,
+        LISTEN_PORT: String(proxyPort),
+        INITIAL_TARGET_PORT: String(mockServer.port),
+        ADMIN_TOKEN: adminToken,
+        STATE_FILE: `/tmp/portok-security-test-${Date.now()}.json`,
+        ADMIN_ALLOWLIST: '127.0.0.1,::1,::ffff:127.0.0.1',
+        DRAIN_MS: '1000',
+        ROLLBACK_WINDOW_MS: '60000',
+        ROLLBACK_CHECK_EVERY_MS: '5000',
+        ROLLBACK_FAIL_THRESHOLD: '3',
+        ADMIN_RATE_LIMIT: '1000',
+      },
+      stdio: 'pipe',
+    });
+
+    await waitFor(async () => {
+      try {
+        const res = await fetch(`http://127.0.0.1:${proxyPort}/__status`, {
+          headers: { 'x-admin-token': adminToken },
+        });
+        return res.ok;
+      } catch {
+        return false;
+      }
+    }, 5000);
+  });
+
+  after(async () => {
+    if (daemonProcess) {
+      daemonProcess.kill('SIGTERM');
+    }
+    if (mockServer) await mockServer.close();
+  });
+
+  describe('Token Validation', () => {
+    it('should reject request without token', async () => {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__status`);
+      assert.strictEqual(response.status, 401);
+
+      const data = await response.json();
+      assert.ok(data.error.includes('Unauthorized'));
+    });
+
+    it('should reject request with invalid token', async () => {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__status`, {
+        headers: { 'x-admin-token': 'wrong-token' },
+      });
+      assert.strictEqual(response.status, 401);
+    });
+
+    it('should accept request with correct token', async () => {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__status`, {
+        headers: { 'x-admin-token': adminToken },
+      });
+      assert.strictEqual(response.status, 200);
+    });
+
+    it('should use timing-safe comparison', async () => {
+      // Test various token lengths to ensure timing-safe comparison
+      const testTokens = [
+        '',
+        'a',
+        'short',
+        adminToken.substring(0, 5),
+        adminToken + 'extra',
+        adminToken,
+      ];
+
+      for (const token of testTokens) {
+        const response = await fetch(`http://127.0.0.1:${proxyPort}/__status`, {
+          headers: { 'x-admin-token': token },
+        });
+
+        if (token === adminToken) {
+          assert.strictEqual(response.status, 200);
+        } else {
+          assert.strictEqual(response.status, 401);
+        }
+      }
+    });
+
+    it('should require token for all admin endpoints', async () => {
+      const endpoints = [
+        { path: '/__status', method: 'GET' },
+        { path: '/__metrics', method: 'GET' },
+        { path: '/__health', method: 'GET' },
+        { path: `/__switch?port=${mockServer.port}`, method: 'POST' },
+      ];
+
+      for (const { path, method } of endpoints) {
+        const response = await fetch(`http://127.0.0.1:${proxyPort}${path}`, {
+          method,
+        });
+        assert.strictEqual(response.status, 401, `Expected 401 for ${method} ${path}`);
+      }
+    });
+  });
+
+  describe('Admin Endpoints vs Proxy', () => {
+    it('should not require token for proxied requests', async () => {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/`);
+      assert.strictEqual(response.status, 200);
+    });
+
+    it('should proxy /status (not admin endpoint)', async () => {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/status`);
+      // Should go to backend, not be treated as admin
+      assert.strictEqual(response.status, 200);
+    });
+
+    it('should only treat /__ prefix as admin', async () => {
+      // /_status should be proxied, not admin
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/_status`);
+      assert.strictEqual(response.status, 200);
+    });
+  });
+
+  describe('Rate Limiting', () => {
+    it('should not rate limit proxied requests', async () => {
+      // Make many proxied requests
+      const responses = [];
+      for (let i = 0; i < 20; i++) {
+        const response = await fetch(`http://127.0.0.1:${proxyPort}/`);
+        responses.push(response.status);
+      }
+
+      // All should succeed
+      const successCount = responses.filter(s => s === 200).length;
+      assert.strictEqual(successCount, 20);
+    });
+  });
+
+  describe('Target Host Security (SSRF Guard)', () => {
+    it('should only proxy to localhost', async () => {
+      // All requests should go to 127.0.0.1
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/echo`);
+      const data = await response.json();
+
+      // Verify the request reached our mock server on localhost
+      assert.ok(data.headers.host);
+    });
+
+    it('should not allow port override via headers', async () => {
+      // Try to trick proxy with Host header
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/echo`, {
+        headers: {
+          'Host': 'evil.com:9999',
+        },
+      });
+
+      // Should still reach our mock server
+      assert.strictEqual(response.status, 200);
+    });
+  });
+});
+
+describe('Security - Rate Limit Test', () => {
+  let mockServer;
+  let proxyPort;
+  let daemonProcess;
+  const adminToken = 'rate-limit-test-token';
+
+  before(async () => {
+    mockServer = await createMockServer({ port: 0 });
+    proxyPort = await getFreePort();
+
+    // Use rate limit of 15 - waitFor uses ~5 requests, then we make 15 more
+    daemonProcess = spawn('node', ['portokd.mjs'], {
+      env: {
+        ...process.env,
+        LISTEN_PORT: String(proxyPort),
+        INITIAL_TARGET_PORT: String(mockServer.port),
+        ADMIN_TOKEN: adminToken,
+        STATE_FILE: `/tmp/portok-ratelimit-test-${Date.now()}.json`,
+        DRAIN_MS: '1000',
+        ROLLBACK_WINDOW_MS: '60000',
+        ROLLBACK_CHECK_EVERY_MS: '5000',
+        ROLLBACK_FAIL_THRESHOLD: '3',
+        ADMIN_RATE_LIMIT: '15',
+      },
+      stdio: 'pipe',
+    });
+
+    await waitFor(async () => {
+      try {
+        const res = await fetch(`http://127.0.0.1:${proxyPort}/__status`, {
+          headers: { 'x-admin-token': adminToken },
+        });
+        return res.ok;
+      } catch {
+        return false;
+      }
+    }, 5000);
+  });
+
+  after(async () => {
+    if (daemonProcess) {
+      daemonProcess.kill('SIGTERM');
+    }
+    if (mockServer) await mockServer.close();
+  });
+
+  it('should rate limit admin endpoints', async () => {
+    // Make 20 requests rapidly - some should get rate limited
+    const responses = [];
+
+    for (let i = 0; i < 20; i++) {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__status`, {
+        headers: { 'x-admin-token': adminToken },
+      });
+      responses.push(response.status);
+    }
+
+    const successCount = responses.filter(s => s === 200).length;
+    const rateLimitedCount = responses.filter(s => s === 429).length;
+
+    // Some should succeed, some should be rate limited
+    assert.ok(successCount > 0, `Expected some successes, got ${successCount}`);
+    assert.ok(rateLimitedCount > 0, `Expected some rate limited responses, got ${rateLimitedCount}`);
+  });
+
+  it('should return 429 with proper error message', async () => {
+    // Should be rate limited from previous test
+    const response = await fetch(`http://127.0.0.1:${proxyPort}/__status`, {
+      headers: { 'x-admin-token': adminToken },
+    });
+
+    // Should be rate limited
+    assert.strictEqual(response.status, 429);
+    const data = await response.json();
+    assert.ok(data.error.includes('Rate limit'));
+  });
+});
+

package/test/switching.test.mjs

@@ -0,0 +1,261 @@
+/**
+ * Health-Gated Switching Tests
+ * Tests the /__switch endpoint with health checks
+ */
+
+import { describe, it, before, after, beforeEach } from 'node:test';
+import assert from 'node:assert';
+import { spawn } from 'node:child_process';
+import { createMockServer, getFreePort, waitFor, adminRequest } from './helpers/mock-server.mjs';
+
+describe('Health-Gated Switching', () => {
+  let mockServer1;
+  let mockServer2;
+  let proxyPort;
+  let daemonProcess;
+  const adminToken = 'test-token-switch';
+
+  before(async () => {
+    // Create two mock backend servers
+    mockServer1 = await createMockServer({ port: 0 });
+    mockServer2 = await createMockServer({ port: 0 });
+
+    // Get a free port for the proxy
+    proxyPort = await getFreePort();
+
+    // Start the daemon
+    daemonProcess = spawn('node', ['portokd.mjs'], {
+      env: {
+        ...process.env,
+        LISTEN_PORT: String(proxyPort),
+        INITIAL_TARGET_PORT: String(mockServer1.port),
+        ADMIN_TOKEN: adminToken,
+        STATE_FILE: `/tmp/portok-switch-test-${Date.now()}.json`,
+        DRAIN_MS: '500',
+        ROLLBACK_WINDOW_MS: '10000',
+        ROLLBACK_CHECK_EVERY_MS: '1000',
+        ROLLBACK_FAIL_THRESHOLD: '3',
+        ADMIN_RATE_LIMIT: '1000',
+      },
+      stdio: 'pipe',
+    });
+
+    // Wait for daemon to start
+    await waitFor(async () => {
+      try {
+        const res = await fetch(`http://127.0.0.1:${proxyPort}/__status`, {
+          headers: { 'x-admin-token': adminToken },
+        });
+        return res.ok;
+      } catch {
+        return false;
+      }
+    }, 5000);
+  });
+
+  after(async () => {
+    if (daemonProcess) {
+      daemonProcess.kill('SIGTERM');
+    }
+    if (mockServer1) await mockServer1.close();
+    if (mockServer2) await mockServer2.close();
+  });
+
+  beforeEach(() => {
+    mockServer1.setHealthy(true);
+    mockServer2.setHealthy(true);
+  });
+
+  describe('Successful Switch', () => {
+    it('should switch to healthy port', async () => {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__switch?port=${mockServer2.port}`, {
+        method: 'POST',
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      assert.strictEqual(response.status, 200);
+
+      const data = await response.json();
+      assert.strictEqual(data.success, true);
+      assert.strictEqual(data.switch.to, mockServer2.port);
+      assert.strictEqual(data.switch.from, mockServer1.port);
+      assert.strictEqual(data.switch.reason, 'manual');
+      assert.ok(data.switch.id);
+    });
+
+    it('should update status after switch', async () => {
+      // First switch to server2
+      await fetch(`http://127.0.0.1:${proxyPort}/__switch?port=${mockServer2.port}`, {
+        method: 'POST',
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      // Check status
+      const statusRes = await fetch(`http://127.0.0.1:${proxyPort}/__status`, {
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      const status = await statusRes.json();
+      assert.strictEqual(status.activePort, mockServer2.port);
+      assert.ok(status.drainUntil); // Drain should be active
+      assert.strictEqual(status.lastSwitch.to, mockServer2.port);
+    });
+
+    it('should route traffic to new port after switch', async () => {
+      // Switch to server2
+      await fetch(`http://127.0.0.1:${proxyPort}/__switch?port=${mockServer2.port}`, {
+        method: 'POST',
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      // Clear both servers' request logs
+      mockServer1.clearRequests();
+      mockServer2.clearRequests();
+
+      // Make a request - should go to server2 for new connections
+      // (Existing connections might still go to server1 during drain)
+      await new Promise(resolve => setTimeout(resolve, 100));
+
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/`);
+      assert.strictEqual(response.status, 200);
+    });
+  });
+
+  describe('Failed Switch - Unhealthy Port', () => {
+    it('should reject switch to unhealthy port with 409', async () => {
+      // Make server2 unhealthy
+      mockServer2.setHealthy(false);
+
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__switch?port=${mockServer2.port}`, {
+        method: 'POST',
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      assert.strictEqual(response.status, 409);
+
+      const data = await response.json();
+      assert.ok(data.error.includes('Health check failed'));
+    });
+
+    it('should not change active port when switch fails', async () => {
+      // Get current status
+      const statusBefore = await adminRequest(`http://127.0.0.1:${proxyPort}`, '/__status', { token: adminToken });
+      const portBefore = statusBefore.data.activePort;
+
+      // Make server2 unhealthy and try to switch
+      mockServer2.setHealthy(false);
+
+      await fetch(`http://127.0.0.1:${proxyPort}/__switch?port=${mockServer2.port}`, {
+        method: 'POST',
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      // Check status unchanged
+      const statusAfter = await adminRequest(`http://127.0.0.1:${proxyPort}`, '/__status', { token: adminToken });
+      assert.strictEqual(statusAfter.data.activePort, portBefore);
+    });
+  });
+
+  describe('Switch Validation', () => {
+    it('should reject invalid port (non-numeric)', async () => {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__switch?port=invalid`, {
+        method: 'POST',
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      assert.strictEqual(response.status, 400);
+
+      const data = await response.json();
+      assert.ok(data.error.includes('Invalid port'));
+    });
+
+    it('should reject port out of range', async () => {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__switch?port=99999`, {
+        method: 'POST',
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      assert.strictEqual(response.status, 400);
+    });
+
+    it('should reject port 0', async () => {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__switch?port=0`, {
+        method: 'POST',
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      assert.strictEqual(response.status, 400);
+    });
+
+    it('should reject missing port parameter', async () => {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__switch`, {
+        method: 'POST',
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      assert.strictEqual(response.status, 400);
+    });
+  });
+
+  describe('Health Endpoint', () => {
+    it('should report healthy when active port is healthy', async () => {
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__health`, {
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      assert.strictEqual(response.status, 200);
+
+      const data = await response.json();
+      assert.strictEqual(data.healthy, true);
+    });
+
+    it('should report unhealthy when active port is unhealthy', async () => {
+      // Get current active port from status
+      const statusRes = await fetch(`http://127.0.0.1:${proxyPort}/__status`, {
+        headers: { 'x-admin-token': adminToken },
+      });
+      const status = await statusRes.json();
+
+      // Make current active server unhealthy
+      if (status.activePort === mockServer1.port) {
+        mockServer1.setHealthy(false);
+      } else {
+        mockServer2.setHealthy(false);
+      }
+
+      const response = await fetch(`http://127.0.0.1:${proxyPort}/__health`, {
+        headers: { 'x-admin-token': adminToken },
+      });
+
+      assert.strictEqual(response.status, 503);
+
+      const data = await response.json();
+      assert.strictEqual(data.healthy, false);
+    });
+  });
+
+  describe('Switch ID', () => {
+    it('should generate unique switch IDs', async () => {
+      const ids = new Set();
+
+      for (let i = 0; i < 3; i++) {
+        const response = await fetch(`http://127.0.0.1:${proxyPort}/__switch?port=${mockServer1.port}`, {
+          method: 'POST',
+          headers: { 'x-admin-token': adminToken },
+        });
+
+        const data = await response.json();
+        ids.add(data.switch.id);
+
+        // Switch back
+        await fetch(`http://127.0.0.1:${proxyPort}/__switch?port=${mockServer2.port}`, {
+          method: 'POST',
+          headers: { 'x-admin-token': adminToken },
+        });
+      }
+
+      assert.strictEqual(ids.size, 3); // All IDs should be unique
+    });
+  });
+});
+