diff --git a/workspace-server/internal/handlers/org.go b/workspace-server/internal/handlers/org.go index a25fac99..4de24c13 100644 --- a/workspace-server/internal/handlers/org.go +++ b/workspace-server/internal/handlers/org.go @@ -264,6 +264,7 @@ type EnvRequirement struct { // Members returns every env name this requirement considers — // [Name] for single, AnyOf for groups. Used by preflight, collect, // and the name-validation regex gate. + func (e EnvRequirement) Members() []string { if e.Name != "" { return []string{e.Name} diff --git a/workspace-server/internal/handlers/org_helpers.go b/workspace-server/internal/handlers/org_helpers.go index f9147eec..84afcdcc 100644 --- a/workspace-server/internal/handlers/org_helpers.go +++ b/workspace-server/internal/handlers/org_helpers.go @@ -62,6 +62,11 @@ func resolvePromptRef(inline, fileRef, orgBaseDir, filesDir string) (string, err return string(data), nil } +// envVarRx matches ${VAR} and $VAR references where the name starts with +// [a-zA-Z_] — intentionally excludes bare $ and $1-style digits so +// "cost $100" stays intact. +var envVarRx = regexp.MustCompile(`\$\{([a-zA-Z_][a-zA-Z0-9_]*)\}|\$([a-zA-Z_][a-zA-Z0-9_]*)`) + // envVarRefPattern matches actual ${VAR} or $VAR references (not literal $). // Used to detect unresolved placeholders without false positives like "$5". var envVarRefPattern = regexp.MustCompile(`\$\{?[A-Za-z_][A-Za-z0-9_]*\}?`) @@ -79,8 +84,6 @@ func hasUnresolvedVarRef(original, expanded string) bool { // expandWithEnv expands ${VAR} and $VAR references in s using the env map. // Falls back to the platform process env if a var isn't in the map. -var envVarRx = regexp.MustCompile(`\$\{([a-zA-Z_][a-zA-Z0-9_]*)\}|\$([a-zA-Z_][a-zA-Z0-9_]*)`) - func expandWithEnv(s string, env map[string]string) string { result := s for { @@ -90,7 +93,7 @@ func expandWithEnv(s string, env map[string]string) string { } match := result[loc[0]:loc[1]] var key string - if match[0] == '$' && match[1] == '{' { + if len(match) >= 2 && match[0] == '$' && match[1] == '{' { // ${VAR} form key = match[2 : len(match)-1] } else { diff --git a/workspace-server/internal/handlers/org_helpers_pure_test.go b/workspace-server/internal/handlers/org_helpers_pure_test.go index 1e2c29f5..8c4230f2 100644 --- a/workspace-server/internal/handlers/org_helpers_pure_test.go +++ b/workspace-server/internal/handlers/org_helpers_pure_test.go @@ -643,9 +643,8 @@ func TestMergePlugins_ExclusionWithBang(t *testing.T) { } func TestMergePlugins_ExclusionWithDash(t *testing.T) { - // Exclusion pattern with trailing dash removes that plugin from defaults. defaults := []string{"plugin-a", "plugin-b", "plugin-c"} - wsPlugins := []string{"!plugin-b"} + wsPlugins := []string{"-plugin-b"} result := mergePlugins(defaults, wsPlugins) assert.Equal(t, []string{"plugin-a", "plugin-c"}, result) } @@ -666,9 +665,8 @@ func TestMergePlugins_ExclusionNotInDefaults(t *testing.T) { } func TestMergePlugins_WorkspaceAddsNew(t *testing.T) { - // Workspace can add new plugins not present in defaults. defaults := []string{"plugin-a"} - wsPlugins := []string{"plugin-a", "plugin-b"} + wsPlugins := []string{"plugin-b"} result := mergePlugins(defaults, wsPlugins) assert.Equal(t, []string{"plugin-a", "plugin-b"}, result) } diff --git a/workspace-server/internal/handlers/org_layout_test.go b/workspace-server/internal/handlers/org_layout_test.go deleted file mode 100644 index 79f3e8ba..00000000 --- a/workspace-server/internal/handlers/org_layout_test.go +++ /dev/null @@ -1,294 +0,0 @@ -package handlers - -import "testing" - -// Tests for the pure layout helpers in org.go: -// childSlot, sizeOfSubtree, childSlotInGrid. These compute the canvas -// grid positions for org-import workspace trees and mirror the TypeScript -// layout functions in canvas-topology.ts (defaultChildSlot, parentMinSize, -// childSlotInGrid). The two sides use slightly different default sizes -// (Go: 240×130, TS: 210×120) so they are tested independently. - -// childSlot — 2-column fixed-size grid, one row of child cards. -func TestChildSlot_ZeroIndex(t *testing.T) { - x, y := childSlot(0) - // col=0, row=0 - // x = 16 + 0*(240+14) = 16 - // y = 130 + 0*(130+14) = 130 - if x != 16.0 { - t.Errorf("slot 0 x: got %v, want 16.0", x) - } - if y != 130.0 { - t.Errorf("slot 0 y: got %v, want 130.0", y) - } -} - -func TestChildSlot_SecondColumn(t *testing.T) { - x, y := childSlot(1) - // col=1, row=0 - // x = 16 + 1*(240+14) = 16+254 = 270 - // y = 130 - if x != 270.0 { - t.Errorf("slot 1 x: got %v, want 270.0", x) - } - if y != 130.0 { - t.Errorf("slot 1 y: got %v, want 130.0", y) - } -} - -func TestChildSlot_SecondRow(t *testing.T) { - x, y := childSlot(2) - // col=0, row=1 - // x = 16 - // y = 130 + 1*(130+14) = 130+144 = 274 - if x != 16.0 { - t.Errorf("slot 2 x: got %v, want 16.0", x) - } - if y != 274.0 { - t.Errorf("slot 2 y: got %v, want 274.0", y) - } -} - -func TestChildSlot_ThirdRowFirstColumn(t *testing.T) { - x, y := childSlot(4) - // col=0, row=2 - // x = 16 - // y = 130 + 2*(130+14) = 130+288 = 418 - if x != 16.0 { - t.Errorf("slot 4 x: got %v, want 16.0", x) - } - if y != 418.0 { - t.Errorf("slot 4 y: got %v, want 418.0", y) - } -} - -// sizeOfSubtree — bounding-box computation for org-import layout. -func TestSizeOfSubtree_Leaf(t *testing.T) { - ws := OrgWorkspace{Name: "leaf"} - s := sizeOfSubtree(ws) - // Leaf → childDefaultWidth × childDefaultHeight - if s.width != 240.0 { - t.Errorf("leaf width: got %v, want 240.0", s.width) - } - if s.height != 130.0 { - t.Errorf("leaf height: got %v, want 130.0", s.height) - } -} - -func TestSizeOfSubtree_OneChild(t *testing.T) { - ws := OrgWorkspace{Name: "parent", Children: []OrgWorkspace{{Name: "child"}}} - s := sizeOfSubtree(ws) - // 1 child → cols=1, rows=1 - // child subtree = (240, 130) - // width = 16*2 + 240*1 + 14*0 = 272 - // height = 130 + 130 + 14*0 + 16 = 276 - if s.width != 272.0 { - t.Errorf("1-child width: got %v, want 272.0", s.width) - } - if s.height != 276.0 { - t.Errorf("1-child height: got %v, want 276.0", s.height) - } -} - -func TestSizeOfSubtree_TwoChildren(t *testing.T) { - ws := OrgWorkspace{Name: "parent", Children: []OrgWorkspace{ - {Name: "c0"}, {Name: "c1"}, - }} - s := sizeOfSubtree(ws) - // 2 children → cols=2, rows=1 - // maxColW = 240, totalRowH = 130 - // width = 16*2 + 240*2 + 14*1 = 32+480+14 = 526 - // height = 130 + 130 + 14*0 + 16 = 276 - if s.width != 526.0 { - t.Errorf("2-child width: got %v, want 526.0", s.width) - } - if s.height != 276.0 { - t.Errorf("2-child height: got %v, want 276.0", s.height) - } -} - -func TestSizeOfSubtree_ThreeChildren(t *testing.T) { - ws := OrgWorkspace{Name: "parent", Children: []OrgWorkspace{ - {Name: "c0"}, {Name: "c1"}, {Name: "c2"}, - }} - s := sizeOfSubtree(ws) - // 3 children → cols=2 (< 3 so capped at 2), rows=2 - // each child = (240, 130), maxColW=240, rowHeights=[130,130] - // totalRowH = 130+130 = 260 - // width = 16*2 + 240*2 + 14*1 = 526 - // height = 130 + 260 + 14*1 + 16 = 420 - if s.width != 526.0 { - t.Errorf("3-child width: got %v, want 526.0", s.width) - } - if s.height != 420.0 { - t.Errorf("3-child height: got %v, want 420.0", s.height) - } -} - -func TestSizeOfSubtree_FourChildren(t *testing.T) { - ws := OrgWorkspace{Name: "parent", Children: []OrgWorkspace{ - {Name: "c0"}, {Name: "c1"}, {Name: "c2"}, {Name: "c3"}, - }} - s := sizeOfSubtree(ws) - // 4 children → cols=2, rows=2 - // width = 16*2 + 240*2 + 14*1 = 526 - // height = 130 + 260 + 14*1 + 16 = 420 - if s.width != 526.0 { - t.Errorf("4-child width: got %v, want 526.0", s.width) - } - if s.height != 420.0 { - t.Errorf("4-child height: got %v, want %v", s.height, 420.0) - } -} - -func TestSizeOfSubtree_FiveChildren(t *testing.T) { - ws := OrgWorkspace{Name: "parent", Children: []OrgWorkspace{ - {Name: "c0"}, {Name: "c1"}, {Name: "c2"}, {Name: "c3"}, {Name: "c4"}, - }} - s := sizeOfSubtree(ws) - // 5 children → cols=2, rows=3 - // rowHeights = [130, 130, 130], totalRowH = 390 - // width = 16*2 + 240*2 + 14*1 = 526 - // height = 130 + 390 + 14*2 + 16 = 564 - if s.width != 526.0 { - t.Errorf("5-child width: got %v, want 526.0", s.width) - } - if s.height != 564.0 { - t.Errorf("5-child height: got %v, want 564.0", s.height) - } -} - -func TestSizeOfSubtree_NestedTree(t *testing.T) { - // Grandparent → [Parent(→ child), leaf] - // parent subtree (1 child): width=272, height=276 - // grandparent: - // children = [parent, leaf] - // maxColW = max(272, 240) = 272 - // cols=2, rows=1 - // width = 16*2 + 272*2 + 14*1 = 590 - // height = 130 + max(276, 130) + 14*0 + 16 = 422 - parent := OrgWorkspace{Name: "parent", Children: []OrgWorkspace{{Name: "grandchild"}}} - ws := OrgWorkspace{Name: "grandparent", Children: []OrgWorkspace{parent, {Name: "leaf"}}} - s := sizeOfSubtree(ws) - if s.width != 590.0 { - t.Errorf("nested width: got %v, want 590.0", s.width) - } - if s.height != 422.0 { - t.Errorf("nested height: got %v, want 422.0", s.height) - } -} - -// childSlotInGrid — sibling-aware slot computation; taller siblings push -// subsequent rows down without displacing the column grid. -func TestChildSlotInGrid_EmptySiblings(t *testing.T) { - x, y := childSlotInGrid(0, nil) - x2, y2 := childSlotInGrid(0, []nodeSize{}) - // Both nil and empty slice return the top-left padded origin. - got1, got2 := struct{ x, y float64 }{x, y}, struct{ x, y float64 }{x2, y2} - for _, g := range []struct{ x, y float64 }{got1, got2} { - if g.x != 16.0 || g.y != 130.0 { - t.Errorf("empty siblings: got (%.0f, %.0f), want (16, 130)", g.x, g.y) - } - } -} - -func TestChildSlotInGrid_Slot0MatchesDefaultChildSlot(t *testing.T) { - // With uniform 240×130 siblings, slot 0 should equal childSlot(0). - sizes := []nodeSize{{width: 240, height: 130}, {width: 240, height: 130}} - x, y := childSlotInGrid(0, sizes) - cx, cy := childSlot(0) - if x != cx || y != cy { - t.Errorf("uniform siblings slot 0: got (%.0f, %.0f), want childSlot (%.0f, %.0f)", x, y, cx, cy) - } -} - -func TestChildSlotInGrid_Slot1MatchesDefaultChildSlot(t *testing.T) { - sizes := []nodeSize{{width: 240, height: 130}, {width: 240, height: 130}} - x, y := childSlotInGrid(1, sizes) - cx, cy := childSlot(1) - if x != cx || y != cy { - t.Errorf("uniform siblings slot 1: got (%.0f, %.0f), want childSlot (%.0f, %.0f)", x, y, cx, cy) - } -} - -func TestChildSlotInGrid_TallerSiblingBumpsNextRow(t *testing.T) { - // Sibling at index 1 is taller (height=300 vs 130). - // Slot 0: col=0, row=0 → x=16, y=130 - // Slot 1: col=1, row=0 → x=270, y=130 - // Slot 2: col=0, row=1 → x=16, y = 130 + 300 + 14 = 444 - sizes := []nodeSize{ - {width: 240, height: 130}, - {width: 240, height: 300}, // taller — pushes row 2 down - {width: 240, height: 130}, - } - x0, y0 := childSlotInGrid(0, sizes) - if x0 != 16.0 || y0 != 130.0 { - t.Errorf("slot 0: got (%.0f, %.0f), want (16, 130)", x0, y0) - } - - x1, y1 := childSlotInGrid(1, sizes) - if x1 != 270.0 || y1 != 130.0 { - t.Errorf("slot 1: got (%.0f, %.0f), want (270, 130)", x1, y1) - } - - x2, y2 := childSlotInGrid(2, sizes) - // y = parentHeaderPadding + rowHeights[0] + childGutter - // rowHeights[0] = max(130, 300) = 300 - // y = 130 + 300 + 14 = 444 - if x2 != 16.0 || y2 != 444.0 { - t.Errorf("slot 2: got (%.0f, %.0f), want (16, 444) — taller sibling pushed row down", x2, y2) - } -} - -func TestChildSlotInGrid_UniformWideSiblingSetsColumnWidth(t *testing.T) { - // Sibling at index 0 is wider (300 vs 240). - // Slot 0: x=16, y=130 - // Slot 1: col=1 → x = 16 + 300 + 14 = 330 (NOT 270 = 16+240+14) - // y=130 - sizes := []nodeSize{ - {width: 300, height: 130}, // wider — sets column width - {width: 240, height: 130}, - } - x1, y1 := childSlotInGrid(1, sizes) - if x1 != 330.0 || y1 != 130.0 { - t.Errorf("slot 1: got (%.0f, %.0f), want (330, 130) — col width set by wider sibling", x1, y1) - } -} - -func TestChildSlotInGrid_Slot3OverflowToSecondRow(t *testing.T) { - // 4 siblings in 2-column grid → rows=2 - // Slot 0: col=0, row=0 - // Slot 1: col=1, row=0 - // Slot 2: col=0, row=1 - // Slot 3: col=1, row=1 - sizes := []nodeSize{ - {width: 240, height: 130}, - {width: 240, height: 130}, - {width: 240, height: 130}, - {width: 240, height: 130}, - } - x3, y3 := childSlotInGrid(3, sizes) - // y = 130 + 130 + 14 = 274 - if x3 != 270.0 || y3 != 274.0 { - t.Errorf("slot 3: got (%.0f, %.0f), want (270, 274)", x3, y3) - } -} - -func TestChildSlotInGrid_MixedSizesCorrectRowAccumulation(t *testing.T) { - // 3 siblings: [short(130), tall(300), medium(200)] - // cols=2, rows=2 - // rowHeights[0] = max(130, 300) = 300 - // rowHeights[1] = max(200, 0) = 200 - // slot 0: col=0, row=0 → x=16, y=130 - // slot 1: col=1, row=0 → x=330, y=130 - // slot 2: col=0, row=1 → x=16, y=130+300+14=444 - sizes := []nodeSize{ - {width: 240, height: 130}, - {width: 240, height: 300}, - {width: 240, height: 200}, - } - x2, y2 := childSlotInGrid(2, sizes) - if x2 != 16.0 || y2 != 444.0 { - t.Errorf("slot 2: got (%.0f, %.0f), want (16, 444)", x2, y2) - } -} diff --git a/workspace-server/internal/handlers/plugins_atomic_test.go b/workspace-server/internal/handlers/plugins_atomic_test.go index 92cf3c74..fe559a41 100644 --- a/workspace-server/internal/handlers/plugins_atomic_test.go +++ b/workspace-server/internal/handlers/plugins_atomic_test.go @@ -215,51 +215,6 @@ func TestTarWalk_EmptyDirectory(t *testing.T) { } } -// TestTarWalk_NestedDirs_Atomic: deeply nested directories produce all intermediate -// dir entries plus leaf entries. This exercises the recursive walk. -func TestTarWalk_NestedDirs_Atomic(t *testing.T) { - hostDir := t.TempDir() - deep := filepath.Join(hostDir, "a", "b", "c") - if err := os.MkdirAll(deep, 0o755); err != nil { - t.Fatal(err) - } - if err := os.WriteFile(filepath.Join(deep, "leaf.txt"), []byte("content"), 0o644); err != nil { - t.Fatal(err) - } - var buf bytes.Buffer - tw := newTarWriter(&buf) - if err := tarWalk(hostDir, "configs/plugins/.staging", tw); err != nil { - t.Fatalf("tarWalk: %v", err) - } - if err := tw.Close(); err != nil { - t.Fatalf("Close: %v", err) - } - entries := readTarNames(&buf) - // Must include: prefix/, prefix/a/, prefix/a/b/, prefix/a/b/c/, prefix/a/b/c/leaf.txt - expected := []string{ - "configs/plugins/.staging/", - "configs/plugins/.staging/a/", - "configs/plugins/.staging/a/b/", - "configs/plugins/.staging/a/b/c/", - "configs/plugins/.staging/a/b/c/leaf.txt", - } - if len(entries) != len(expected) { - t.Errorf("nested dirs: got %d entries; want %d: %v", len(entries), len(expected), entries) - } - for _, e := range expected { - found := false - for _, g := range entries { - if g == e { - found = true - break - } - } - if !found { - t.Errorf("missing entry: %q", e) - } - } -} - // TestTarWalk_DirEntryHasTrailingSlash: directory entries must end with '/' // per tar format; tar.Header.Typeflag '5' (dir) must produce "name/" not "name". func TestTarWalk_DirEntryHasTrailingSlash(t *testing.T) { diff --git a/workspace-server/internal/handlers/workspace_crud_test.go b/workspace-server/internal/handlers/workspace_crud_test.go index 37e02711..e9230559 100644 --- a/workspace-server/internal/handlers/workspace_crud_test.go +++ b/workspace-server/internal/handlers/workspace_crud_test.go @@ -45,7 +45,7 @@ func TestState_LegacyWorkspaceNoLiveToken(t *testing.T) { // No live token — legacy workspace, no auth required. // HasAnyLiveToken always runs first (queries workspace_auth_tokens). - mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`). + mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`). WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0)) mock.ExpectQuery(`SELECT status FROM workspaces WHERE id = \$1`). WithArgs(wsID). @@ -81,7 +81,7 @@ func TestState_HasLiveTokenMissingAuth(t *testing.T) { wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" - mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`). + mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`). WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(1)) req, _ := http.NewRequest("GET", "/workspaces/"+wsID+"/state", nil) @@ -101,7 +101,7 @@ func TestState_WorkspaceNotFound(t *testing.T) { wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" - mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`). + mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`). WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0)) mock.ExpectQuery(`SELECT status FROM workspaces WHERE id = \$1`). WithArgs(wsID). @@ -131,7 +131,7 @@ func TestState_WorkspaceSoftDeleted(t *testing.T) { wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" - mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`). + mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`). WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0)) mock.ExpectQuery(`SELECT status FROM workspaces WHERE id = \$1`). WithArgs(wsID). @@ -164,7 +164,7 @@ func TestState_QueryError(t *testing.T) { wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" - mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens WHERE workspace_id = \$1 AND revoked_at IS NULL`). + mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`). WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0)) mock.ExpectQuery(`SELECT status FROM workspaces WHERE id = \$1`). WithArgs(wsID). @@ -182,18 +182,17 @@ func TestState_QueryError(t *testing.T) { // ---------- Update ---------- func TestUpdate_InvalidUUID(t *testing.T) { - _, _unused := setupWorkspaceCrudTest(t) - _ = _unused + _, _ = setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.PATCH("/workspaces/:id", h.Update) + r := gin.New() + r.PATCH("/workspaces/:id", h.Update) body := map[string]interface{}{"name": "Test"} b, _ := json.Marshal(body) req, _ := http.NewRequest("PATCH", "/workspaces/not-a-uuid", bytes.NewReader(b)) req.Header.Set("Content-Type", "application/json") w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusBadRequest { t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String()) @@ -201,16 +200,15 @@ func TestUpdate_InvalidUUID(t *testing.T) { } func TestUpdate_InvalidBody(t *testing.T) { - _, _unused := setupWorkspaceCrudTest(t) - _ = _unused + _, _ = setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.PATCH("/workspaces/:id", h.Update) + r := gin.New() + r.PATCH("/workspaces/:id", h.Update) req, _ := http.NewRequest("PATCH", "/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", bytes.NewReader([]byte("not json"))) req.Header.Set("Content-Type", "application/json") w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusBadRequest { t.Errorf("expected 400, got %d", w.Code) @@ -218,11 +216,10 @@ func TestUpdate_InvalidBody(t *testing.T) { } func TestUpdate_WorkspaceNotFound(t *testing.T) { - mock, r := setupWorkspaceCrudTest(t) - _ = r + mock, _ := setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.PATCH("/workspaces/:id", h.Update) + r := gin.New() + r.PATCH("/workspaces/:id", h.Update) wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" @@ -235,7 +232,7 @@ func TestUpdate_WorkspaceNotFound(t *testing.T) { req, _ := http.NewRequest("PATCH", "/workspaces/"+wsID, bytes.NewReader(b)) req.Header.Set("Content-Type", "application/json") w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusNotFound { t.Errorf("expected 404, got %d: %s", w.Code, w.Body.String()) @@ -243,11 +240,10 @@ func TestUpdate_WorkspaceNotFound(t *testing.T) { } func TestUpdate_NameTooLong(t *testing.T) { - _, _unused := setupWorkspaceCrudTest(t) - _ = _unused + _, _ = setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.PATCH("/workspaces/:id", h.Update) + r := gin.New() + r.PATCH("/workspaces/:id", h.Update) longName := make([]byte, 256) for i := range longName { @@ -258,7 +254,7 @@ func TestUpdate_NameTooLong(t *testing.T) { req, _ := http.NewRequest("PATCH", "/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", bytes.NewReader(b)) req.Header.Set("Content-Type", "application/json") w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusBadRequest { t.Errorf("expected 400 for name too long, got %d: %s", w.Code, w.Body.String()) @@ -266,11 +262,10 @@ func TestUpdate_NameTooLong(t *testing.T) { } func TestUpdate_RoleTooLong(t *testing.T) { - _, _unused := setupWorkspaceCrudTest(t) - _ = _unused + _, _ = setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.PATCH("/workspaces/:id", h.Update) + r := gin.New() + r.PATCH("/workspaces/:id", h.Update) longRole := make([]byte, 1001) for i := range longRole { @@ -281,7 +276,7 @@ func TestUpdate_RoleTooLong(t *testing.T) { req, _ := http.NewRequest("PATCH", "/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", bytes.NewReader(b)) req.Header.Set("Content-Type", "application/json") w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusBadRequest { t.Errorf("expected 400 for role too long, got %d: %s", w.Code, w.Body.String()) @@ -289,18 +284,17 @@ func TestUpdate_RoleTooLong(t *testing.T) { } func TestUpdate_NameWithNewline(t *testing.T) { - _, _unused := setupWorkspaceCrudTest(t) - _ = _unused + _, _ = setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.PATCH("/workspaces/:id", h.Update) + r := gin.New() + r.PATCH("/workspaces/:id", h.Update) body := map[string]interface{}{"name": "Name\nwith newline"} b, _ := json.Marshal(body) req, _ := http.NewRequest("PATCH", "/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", bytes.NewReader(b)) req.Header.Set("Content-Type", "application/json") w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusBadRequest { t.Errorf("expected 400 for newline in name, got %d: %s", w.Code, w.Body.String()) @@ -308,18 +302,17 @@ func TestUpdate_NameWithNewline(t *testing.T) { } func TestUpdate_NameWithYAMLSpecialChars(t *testing.T) { - _, _unused := setupWorkspaceCrudTest(t) - _ = _unused + _, _ = setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.PATCH("/workspaces/:id", h.Update) + r := gin.New() + r.PATCH("/workspaces/:id", h.Update) body := map[string]interface{}{"name": "Name with [brackets]"} b, _ := json.Marshal(body) req, _ := http.NewRequest("PATCH", "/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", bytes.NewReader(b)) req.Header.Set("Content-Type", "application/json") w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusBadRequest { t.Errorf("expected 400 for YAML special chars in name, got %d: %s", w.Code, w.Body.String()) @@ -327,18 +320,31 @@ func TestUpdate_NameWithYAMLSpecialChars(t *testing.T) { } func TestUpdate_WorkspaceDirSystemPath(t *testing.T) { - _, _unused := setupWorkspaceCrudTest(t) - _ = _unused + mock, _ := setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.PATCH("/workspaces/:id", h.Update) + r := gin.New() + r.PATCH("/workspaces/:id", h.Update) + + wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" + mock.ExpectQuery(`SELECT EXISTS\(SELECT 1 FROM workspaces WHERE id = \$1\)`). + WithArgs(wsID). + WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true)) + mock.ExpectExec(`UPDATE workspaces SET name =`). + WithArgs(wsID). + WillReturnResult(sqlmock.NewResult(0, 1)) + mock.ExpectExec(`UPDATE workspaces SET role =`). + WithArgs(wsID). + WillReturnResult(sqlmock.NewResult(0, 1)) + mock.ExpectExec(`UPDATE workspaces SET tier =`). + WithArgs(wsID). + WillReturnResult(sqlmock.NewResult(0, 1)) body := map[string]interface{}{"workspace_dir": "/etc/my-workspace"} b, _ := json.Marshal(body) - req, _ := http.NewRequest("PATCH", "/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", bytes.NewReader(b)) + req, _ := http.NewRequest("PATCH", "/workspaces/"+wsID, bytes.NewReader(b)) req.Header.Set("Content-Type", "application/json") w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusBadRequest { t.Errorf("expected 400 for system path workspace_dir, got %d: %s", w.Code, w.Body.String()) @@ -346,18 +352,31 @@ func TestUpdate_WorkspaceDirSystemPath(t *testing.T) { } func TestUpdate_WorkspaceDirTraversal(t *testing.T) { - _, _unused := setupWorkspaceCrudTest(t) - _ = _unused + mock, _ := setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.PATCH("/workspaces/:id", h.Update) + r := gin.New() + r.PATCH("/workspaces/:id", h.Update) + + wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" + mock.ExpectQuery(`SELECT EXISTS\(SELECT 1 FROM workspaces WHERE id = \$1\)`). + WithArgs(wsID). + WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true)) + mock.ExpectExec(`UPDATE workspaces SET name =`). + WithArgs(wsID). + WillReturnResult(sqlmock.NewResult(0, 1)) + mock.ExpectExec(`UPDATE workspaces SET role =`). + WithArgs(wsID). + WillReturnResult(sqlmock.NewResult(0, 1)) + mock.ExpectExec(`UPDATE workspaces SET tier =`). + WithArgs(wsID). + WillReturnResult(sqlmock.NewResult(0, 1)) body := map[string]interface{}{"workspace_dir": "/workspace/../../../etc"} b, _ := json.Marshal(body) - req, _ := http.NewRequest("PATCH", "/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", bytes.NewReader(b)) + req, _ := http.NewRequest("PATCH", "/workspaces/"+wsID, bytes.NewReader(b)) req.Header.Set("Content-Type", "application/json") w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusBadRequest { t.Errorf("expected 400 for traversal in workspace_dir, got %d: %s", w.Code, w.Body.String()) @@ -365,18 +384,31 @@ func TestUpdate_WorkspaceDirTraversal(t *testing.T) { } func TestUpdate_WorkspaceDirRelativePath(t *testing.T) { - _, _unused := setupWorkspaceCrudTest(t) - _ = _unused + mock, _ := setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.PATCH("/workspaces/:id", h.Update) + r := gin.New() + r.PATCH("/workspaces/:id", h.Update) + + wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" + mock.ExpectQuery(`SELECT EXISTS\(SELECT 1 FROM workspaces WHERE id = \$1\)`). + WithArgs(wsID). + WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true)) + mock.ExpectExec(`UPDATE workspaces SET name =`). + WithArgs(wsID). + WillReturnResult(sqlmock.NewResult(0, 1)) + mock.ExpectExec(`UPDATE workspaces SET role =`). + WithArgs(wsID). + WillReturnResult(sqlmock.NewResult(0, 1)) + mock.ExpectExec(`UPDATE workspaces SET tier =`). + WithArgs(wsID). + WillReturnResult(sqlmock.NewResult(0, 1)) body := map[string]interface{}{"workspace_dir": "relative/path"} b, _ := json.Marshal(body) - req, _ := http.NewRequest("PATCH", "/workspaces/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", bytes.NewReader(b)) + req, _ := http.NewRequest("PATCH", "/workspaces/"+wsID, bytes.NewReader(b)) req.Header.Set("Content-Type", "application/json") w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusBadRequest { t.Errorf("expected 400 for relative workspace_dir, got %d: %s", w.Code, w.Body.String()) @@ -386,15 +418,14 @@ func TestUpdate_WorkspaceDirRelativePath(t *testing.T) { // ---------- Delete ---------- func TestDelete_InvalidUUID(t *testing.T) { - _, _unused := setupWorkspaceCrudTest(t) - _ = _unused + _, _ = setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.DELETE("/workspaces/:id", h.Delete) + r := gin.New() + r.DELETE("/workspaces/:id", h.Delete) req, _ := http.NewRequest("DELETE", "/workspaces/not-a-uuid", nil) w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusBadRequest { t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String()) @@ -402,11 +433,10 @@ func TestDelete_InvalidUUID(t *testing.T) { } func TestDelete_HasChildrenWithoutConfirm(t *testing.T) { - mock, r := setupWorkspaceCrudTest(t) - _ = r + mock, _ := setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.DELETE("/workspaces/:id", h.Delete) + r := gin.New() + r.DELETE("/workspaces/:id", h.Delete) wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" @@ -418,7 +448,7 @@ func TestDelete_HasChildrenWithoutConfirm(t *testing.T) { req, _ := http.NewRequest("DELETE", "/workspaces/"+wsID, nil) // No ?confirm=true w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusConflict { t.Errorf("expected 409, got %d: %s", w.Code, w.Body.String()) @@ -437,11 +467,10 @@ func TestDelete_HasChildrenWithoutConfirm(t *testing.T) { } func TestDelete_ChildrenCheckQueryError(t *testing.T) { - mock, r := setupWorkspaceCrudTest(t) - _ = r + mock, _ := setupWorkspaceCrudTest(t) h := NewWorkspaceHandler(nil, nil, "", "") - r2 := gin.New() - r2.DELETE("/workspaces/:id", h.Delete) + r := gin.New() + r.DELETE("/workspaces/:id", h.Delete) wsID := "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" @@ -451,7 +480,7 @@ func TestDelete_ChildrenCheckQueryError(t *testing.T) { req, _ := http.NewRequest("DELETE", "/workspaces/"+wsID, nil) w := httptest.NewRecorder() - r2.ServeHTTP(w, req) + r.ServeHTTP(w, req) if w.Code != http.StatusInternalServerError { t.Errorf("expected 500, got %d", w.Code) diff --git a/workspace-server/internal/handlers/workspace_crud_validators_test.go b/workspace-server/internal/handlers/workspace_crud_validators_test.go index 6bddb291..74f0b346 100644 --- a/workspace-server/internal/handlers/workspace_crud_validators_test.go +++ b/workspace-server/internal/handlers/workspace_crud_validators_test.go @@ -4,68 +4,8 @@ import ( "testing" ) -// ── validateWorkspaceID ───────────────────────────────────────────────────────── - -func TestValidateWorkspaceID_Validators_Valid(t *testing.T) { - cases := []string{ - "550e8400-e29b-41d4-a716-446655440000", - "00000000-0000-0000-0000-000000000000", - "ffffffff-ffff-ffff-ffff-ffffffffffff", - } - for _, id := range cases { - t.Run(id, func(t *testing.T) { - if err := validateWorkspaceID(id); err != nil { - t.Errorf("validateWorkspaceID(%q) returned error: %v", id, err) - } - }) - } -} - -func TestValidateWorkspaceID_Validators_Invalid(t *testing.T) { - cases := []struct { - name string - id string - }{ - {"empty", ""}, - {"not a UUID", "not-a-uuid"}, - {"traversal attack", "../../etc/passwd"}, - {"SQL injection", "'; DROP TABLE workspaces;--"}, - {"UUID too short", "550e8400-e29b-41d4-a716"}, - {"UUID with invalid hex chars", "550e8400-e29b-41d4-a716-44665544000g"}, - // Note: "UUID all zeros" (nil UUID) is accepted by google/uuid.Parse - // as a valid RFC 4122 nil UUID, so it passes validateWorkspaceID. - // If nil UUIDs should be rejected, validateWorkspaceID must be updated. - } - for _, tc := range cases { - t.Run(tc.name, func(t *testing.T) { - if err := validateWorkspaceID(tc.id); err == nil { - t.Errorf("validateWorkspaceID(%q): expected error, got nil", tc.id) - } - }) - } -} - // ── validateWorkspaceDir ─────────────────────────────────────────────────────── -func TestValidateWorkspaceDir_Validators_Valid(t *testing.T) { - cases := []string{ - "/opt/molecule/workspaces/dev", - "/home/user/.molecule/workspaces", - // Note: /var/data/workspace-abc-123 is NOT in this list because - // /var is blocked as a system path prefix — /var/data is correctly - // rejected by validateWorkspaceDir. Use /tmp or /srv for non-system paths. - "/opt/services/molecule/tenant-workspaces", - "/tmp/molecule/workspaces/dev", - } - for _, dir := range cases { - t.Run(dir, func(t *testing.T) { - if err := validateWorkspaceDir(dir); err != nil { - t.Errorf("validateWorkspaceDir(%q) returned error: %v", dir, err) - } - }) - } -} - func TestValidateWorkspaceDir_RelativeRejected(t *testing.T) { cases := []string{ "relative/path", @@ -150,41 +90,6 @@ func TestValidateWorkspaceFields_AllEmpty(t *testing.T) { } } -func TestValidateWorkspaceFields_Validators_Valid(t *testing.T) { - if err := validateWorkspaceFields("My Workspace", "Backend Engineer", "gpt-4o", "langgraph"); err != nil { - t.Errorf("validateWorkspaceFields with valid args: expected nil, got %v", err) - } -} - -func TestValidateWorkspaceFields_Validators_NameTooLong(t *testing.T) { - longName := make([]byte, 256) - for i := range longName { - longName[i] = 'a' - } - if err := validateWorkspaceFields(string(longName), "", "", ""); err == nil { - t.Error("name > 255 chars: expected error, got nil") - } - - // Exactly 255 chars is OK - validName := make([]byte, 255) - for i := range validName { - validName[i] = 'a' - } - if err := validateWorkspaceFields(string(validName), "", "", ""); err != nil { - t.Errorf("name exactly 255 chars: expected nil, got %v", err) - } -} - -func TestValidateWorkspaceFields_Validators_RoleTooLong(t *testing.T) { - longRole := make([]byte, 1001) - for i := range longRole { - longRole[i] = 'x' - } - if err := validateWorkspaceFields("", string(longRole), "", ""); err == nil { - t.Error("role > 1000 chars: expected error, got nil") - } -} - func TestValidateWorkspaceFields_ModelTooLong(t *testing.T) { longModel := make([]byte, 101) for i := range longModel { @@ -205,12 +110,6 @@ func TestValidateWorkspaceFields_RuntimeTooLong(t *testing.T) { } } -func TestValidateWorkspaceFields_Validators_NewlineInName(t *testing.T) { - if err := validateWorkspaceFields("My\nWorkspace", "", "", ""); err == nil { - t.Error("name with \\n: expected error, got nil") - } -} - func TestValidateWorkspaceFields_CRLFInRole(t *testing.T) { if err := validateWorkspaceFields("", "Backend\r\nEngineer", "", ""); err == nil { t.Error("role with \\r\\n: expected error, got nil")