bdae5a9f6e
- Backend REST/gateway/track routes, analytics, Blockscout proxy paths. - Frontend wallet and liquidity surfaces; MetaMask token list alignment. - Deployment docs, verification scripts, address inventory updates. Check: go build ./... under backend/ (pass). Made-with: Cursor
89 lines
2.9 KiB
Go
89 lines
2.9 KiB
Go
package track4
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/json"
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"net/http"
|
|
"net/http/httptest"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
type stubRoleManager struct {
|
|
allowed bool
|
|
gotIP string
|
|
logs int
|
|
}
|
|
|
|
func (s *stubRoleManager) IsIPWhitelisted(_ context.Context, _ string, ipAddress string) (bool, error) {
|
|
s.gotIP = ipAddress
|
|
return s.allowed, nil
|
|
}
|
|
|
|
func (s *stubRoleManager) LogOperatorEvent(_ context.Context, _ string, _ *int, _ string, _ string, _ string, _ map[string]interface{}, _ string, _ string) error {
|
|
s.logs++
|
|
return nil
|
|
}
|
|
|
|
func TestHandleRunScriptUsesForwardedClientIPAndRunsAllowlistedScript(t *testing.T) {
|
|
root := t.TempDir()
|
|
scriptPath := filepath.Join(root, "echo.sh")
|
|
require.NoError(t, os.WriteFile(scriptPath, []byte("#!/usr/bin/env bash\necho hello \"$1\"\n"), 0o644))
|
|
|
|
t.Setenv("OPERATOR_SCRIPTS_ROOT", root)
|
|
t.Setenv("OPERATOR_SCRIPT_ALLOWLIST", "echo.sh")
|
|
t.Setenv("OPERATOR_SCRIPT_TIMEOUT_SEC", "30")
|
|
t.Setenv("TRUST_PROXY_CIDRS", "10.0.0.0/8")
|
|
|
|
roleMgr := &stubRoleManager{allowed: true}
|
|
s := &Server{roleMgr: roleMgr, chainID: 138}
|
|
|
|
reqBody := []byte(`{"script":"echo.sh","args":["world"]}`)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/track4/operator/run-script", bytes.NewReader(reqBody))
|
|
req = req.WithContext(context.WithValue(req.Context(), "user_address", "0x4A666F96fC8764181194447A7dFdb7d471b301C8"))
|
|
req.RemoteAddr = "10.0.0.10:8080"
|
|
req.Header.Set("X-Forwarded-For", "203.0.113.9, 10.0.0.10")
|
|
w := httptest.NewRecorder()
|
|
|
|
s.HandleRunScript(w, req)
|
|
|
|
require.Equal(t, http.StatusOK, w.Code)
|
|
require.Equal(t, "203.0.113.9", roleMgr.gotIP)
|
|
require.Equal(t, 2, roleMgr.logs)
|
|
|
|
var out struct {
|
|
Data map[string]any `json:"data"`
|
|
}
|
|
require.NoError(t, json.Unmarshal(w.Body.Bytes(), &out))
|
|
require.Equal(t, "echo.sh", out.Data["script"])
|
|
require.Equal(t, float64(0), out.Data["exit_code"])
|
|
require.Equal(t, "hello world", out.Data["stdout"])
|
|
require.Equal(t, false, out.Data["timed_out"])
|
|
}
|
|
|
|
func TestHandleRunScriptRejectsNonAllowlistedScript(t *testing.T) {
|
|
root := t.TempDir()
|
|
require.NoError(t, os.WriteFile(filepath.Join(root, "allowed.sh"), []byte("#!/usr/bin/env bash\necho ok\n"), 0o644))
|
|
require.NoError(t, os.WriteFile(filepath.Join(root, "blocked.sh"), []byte("#!/usr/bin/env bash\necho blocked\n"), 0o644))
|
|
|
|
t.Setenv("OPERATOR_SCRIPTS_ROOT", root)
|
|
t.Setenv("OPERATOR_SCRIPT_ALLOWLIST", "allowed.sh")
|
|
|
|
s := &Server{roleMgr: &stubRoleManager{allowed: true}, chainID: 138}
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/track4/operator/run-script", bytes.NewReader([]byte(`{"script":"blocked.sh"}`)))
|
|
req = req.WithContext(context.WithValue(req.Context(), "user_address", "0x4A666F96fC8764181194447A7dFdb7d471b301C8"))
|
|
req.RemoteAddr = "127.0.0.1:9999"
|
|
w := httptest.NewRecorder()
|
|
|
|
s.HandleRunScript(w, req)
|
|
|
|
require.Equal(t, http.StatusForbidden, w.Code)
|
|
require.Contains(t, w.Body.String(), "script not in OPERATOR_SCRIPT_ALLOWLIST")
|
|
}
|