mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-18 18:32:28 +08:00
55a0f0e469
Three new test files: terminal-agent.test.ts (16 tests): pty-session-cookie mint/validate/ revoke, Set-Cookie shape (HttpOnly + SameSite=Strict + Path=/, NO Secure since 127.0.0.1 over HTTP), source-level guards that /pty-session and /terminal/* are NOT in TUNNEL_PATHS, /health does NOT surface ptyToken or gstack_pty, terminal-agent binds 127.0.0.1, /ws upgrade enforces chrome-extension:// Origin AND gstack_pty cookie, lazy-spawn invariant (spawnClaude is called from message handler, not upgrade), uncaughtException/ unhandledRejection handlers exist, SIGINT-then-SIGKILL cleanup. terminal-agent-integration.test.ts (7 tests): spawns the agent as a real subprocess in a tmp state dir. Verifies /internal/grant accepts/rejects the loopback token, /ws gates (no Origin → 403, bad Origin → 403, no cookie → 401), real WebSocket round-trip with /bin/bash via the BROWSE_TERMINAL_BINARY override (write 'echo hello-pty-world\n', read it back), and resize message acceptance. sidebar-tabs.test.ts (13 tests): structural regression suite locking the load-bearing invariants of the default-tab change — Terminal is .active, Chat is not, xterm assets are loaded, debug-close path no longer hardcodes tab-chat (uses activePrimaryPaneId), primary-tab click handler exists, chat surface is not accidentally deleted, terminal JS does NOT auto- reconnect on close, manifest declares ws:// + http:// localhost host permissions, no unsafe-eval. Plan called for Playwright + extension regression; the codebase doesn't ship Playwright extension launcher infra, so we follow the existing extension-test pattern (source-level structural assertions). Same load-bearing intent — locks the invariants before they regress.
173 lines
7.3 KiB
TypeScript
173 lines
7.3 KiB
TypeScript
/**
|
|
* Unit tests for the Terminal-tab PTY agent and its server-side glue.
|
|
*
|
|
* Coverage:
|
|
* - pty-session-cookie module: mint / validate / revoke / TTL pruning.
|
|
* - source-level guard: /pty-session and /terminal/* are NOT in TUNNEL_PATHS.
|
|
* - source-level guard: /health does not surface ptyToken.
|
|
* - source-level guard: terminal-agent binds 127.0.0.1 only.
|
|
* - source-level guard: terminal-agent enforces Origin AND cookie on /ws.
|
|
*
|
|
* These are read-only checks against source — they prevent silent surface
|
|
* widening during a routine refactor (matches the dual-listener.test.ts
|
|
* pattern). End-to-end behavior (real /bin/bash PTY round-trip,
|
|
* tunnel-surface 404 + denial-log) lives in
|
|
* `browse/test/terminal-agent-integration.test.ts`.
|
|
*/
|
|
|
|
import { describe, test, expect, beforeEach } from 'bun:test';
|
|
import * as fs from 'fs';
|
|
import * as path from 'path';
|
|
import {
|
|
mintPtySessionToken, validatePtySessionToken, revokePtySessionToken,
|
|
extractPtyCookie, buildPtySetCookie, buildPtyClearCookie,
|
|
PTY_COOKIE_NAME, __resetPtySessions,
|
|
} from '../src/pty-session-cookie';
|
|
|
|
const SERVER_SRC = fs.readFileSync(path.join(import.meta.dir, '../src/server.ts'), 'utf-8');
|
|
const AGENT_SRC = fs.readFileSync(path.join(import.meta.dir, '../src/terminal-agent.ts'), 'utf-8');
|
|
|
|
describe('pty-session-cookie: mint/validate/revoke', () => {
|
|
beforeEach(() => __resetPtySessions());
|
|
|
|
test('a freshly minted token validates', () => {
|
|
const { token } = mintPtySessionToken();
|
|
expect(validatePtySessionToken(token)).toBe(true);
|
|
});
|
|
|
|
test('null and unknown tokens fail validation', () => {
|
|
expect(validatePtySessionToken(null)).toBe(false);
|
|
expect(validatePtySessionToken(undefined)).toBe(false);
|
|
expect(validatePtySessionToken('')).toBe(false);
|
|
expect(validatePtySessionToken('not-a-real-token')).toBe(false);
|
|
});
|
|
|
|
test('revoke makes a token invalid', () => {
|
|
const { token } = mintPtySessionToken();
|
|
expect(validatePtySessionToken(token)).toBe(true);
|
|
revokePtySessionToken(token);
|
|
expect(validatePtySessionToken(token)).toBe(false);
|
|
});
|
|
|
|
test('Set-Cookie has HttpOnly + SameSite=Strict + Path=/ + Max-Age', () => {
|
|
const { token } = mintPtySessionToken();
|
|
const cookie = buildPtySetCookie(token);
|
|
expect(cookie).toContain(`${PTY_COOKIE_NAME}=${token}`);
|
|
expect(cookie).toContain('HttpOnly');
|
|
expect(cookie).toContain('SameSite=Strict');
|
|
expect(cookie).toContain('Path=/');
|
|
expect(cookie).toMatch(/Max-Age=\d+/);
|
|
// Secure is intentionally omitted — daemon binds 127.0.0.1 over HTTP.
|
|
expect(cookie).not.toContain('Secure');
|
|
});
|
|
|
|
test('clear-cookie has Max-Age=0', () => {
|
|
expect(buildPtyClearCookie()).toContain('Max-Age=0');
|
|
});
|
|
|
|
test('extractPtyCookie reads gstack_pty from a Cookie header', () => {
|
|
const { token } = mintPtySessionToken();
|
|
const req = new Request('http://127.0.0.1/ws', {
|
|
headers: { 'cookie': `othercookie=foo; gstack_pty=${token}; baz=qux` },
|
|
});
|
|
expect(extractPtyCookie(req)).toBe(token);
|
|
});
|
|
|
|
test('extractPtyCookie returns null when the cookie is missing', () => {
|
|
const req = new Request('http://127.0.0.1/ws', {
|
|
headers: { 'cookie': 'unrelated=value' },
|
|
});
|
|
expect(extractPtyCookie(req)).toBe(null);
|
|
});
|
|
});
|
|
|
|
describe('Source-level guard: /pty-session is not on the tunnel surface', () => {
|
|
test('TUNNEL_PATHS does not include /pty-session or /terminal/*', () => {
|
|
const start = SERVER_SRC.indexOf('const TUNNEL_PATHS = new Set<string>([');
|
|
expect(start).toBeGreaterThan(-1);
|
|
const end = SERVER_SRC.indexOf(']);', start);
|
|
const body = SERVER_SRC.slice(start, end);
|
|
expect(body).not.toContain('/pty-session');
|
|
expect(body).not.toContain('/terminal/');
|
|
expect(body).not.toContain('/terminal-');
|
|
});
|
|
});
|
|
|
|
describe('Source-level guard: /health does NOT surface ptyToken', () => {
|
|
test('/health response body does not include ptyToken', () => {
|
|
const healthIdx = SERVER_SRC.indexOf("url.pathname === '/health'");
|
|
expect(healthIdx).toBeGreaterThan(-1);
|
|
// Slice from /health through the response close-bracket.
|
|
const slice = SERVER_SRC.slice(healthIdx, healthIdx + 2000);
|
|
// The /health JSON.stringify body must not mention the cookie token.
|
|
// It's allowed to include `terminalPort` (a port number, not auth).
|
|
expect(slice).not.toContain('ptyToken');
|
|
expect(slice).not.toContain('gstack_pty');
|
|
expect(slice).toContain('terminalPort');
|
|
});
|
|
});
|
|
|
|
describe('Source-level guard: terminal-agent', () => {
|
|
test('binds 127.0.0.1 only, never 0.0.0.0', () => {
|
|
expect(AGENT_SRC).toContain("hostname: '127.0.0.1'");
|
|
expect(AGENT_SRC).not.toContain("hostname: '0.0.0.0'");
|
|
});
|
|
|
|
test('rejects /ws upgrades without chrome-extension:// Origin', () => {
|
|
// The Origin check must run BEFORE the cookie check — otherwise a
|
|
// missing-origin attempt would surface the 401 cookie message and
|
|
// signal to attackers that they need to forge a cookie.
|
|
const wsHandler = AGENT_SRC.slice(AGENT_SRC.indexOf("if (url.pathname === '/ws')"));
|
|
expect(wsHandler).toContain('chrome-extension://');
|
|
expect(wsHandler).toContain('forbidden origin');
|
|
});
|
|
|
|
test('validates gstack_pty cookie against an in-memory token set', () => {
|
|
const wsHandler = AGENT_SRC.slice(AGENT_SRC.indexOf("if (url.pathname === '/ws')"));
|
|
expect(wsHandler).toContain('gstack_pty');
|
|
expect(wsHandler).toContain('validTokens.has');
|
|
});
|
|
|
|
test('lazy spawn: claude PTY is spawned in message handler, not on upgrade', () => {
|
|
// The whole point of lazy-spawn (codex finding #8) is that the WS
|
|
// upgrade itself does NOT call spawnClaude. Spawn happens on first
|
|
// message frame.
|
|
const upgradeBlock = AGENT_SRC.slice(
|
|
AGENT_SRC.indexOf("if (url.pathname === '/ws')"),
|
|
AGENT_SRC.indexOf("websocket: {"),
|
|
);
|
|
expect(upgradeBlock).not.toContain('spawnClaude(');
|
|
// Spawn must be invoked from the message handler (lazy on first byte).
|
|
const messageHandler = AGENT_SRC.slice(AGENT_SRC.indexOf('message(ws, raw)'));
|
|
expect(messageHandler).toContain('spawnClaude(');
|
|
expect(messageHandler).toContain('!session.spawned');
|
|
});
|
|
|
|
test('process.on uncaughtException + unhandledRejection handlers exist', () => {
|
|
expect(AGENT_SRC).toContain("process.on('uncaughtException'");
|
|
expect(AGENT_SRC).toContain("process.on('unhandledRejection'");
|
|
});
|
|
|
|
test('cleanup escalates SIGINT to SIGKILL after 3s on close', () => {
|
|
// disposeSession must be idempotent and use a SIGINT-then-SIGKILL pattern.
|
|
const dispose = AGENT_SRC.slice(AGENT_SRC.indexOf('function disposeSession'));
|
|
expect(dispose).toContain("'SIGINT'");
|
|
expect(dispose).toContain("'SIGKILL'");
|
|
expect(dispose).toContain('3000');
|
|
});
|
|
});
|
|
|
|
describe('Source-level guard: server.ts /pty-session route', () => {
|
|
test('validates AUTH_TOKEN and uses cookie-based grant', () => {
|
|
const route = SERVER_SRC.slice(SERVER_SRC.indexOf("url.pathname === '/pty-session'"));
|
|
// Must check auth before minting.
|
|
const beforeMint = route.slice(0, route.indexOf('mintPtySessionToken'));
|
|
expect(beforeMint).toContain('validateAuth');
|
|
// Must call the loopback grant before responding.
|
|
expect(route).toContain('grantPtyToken');
|
|
// Must Set-Cookie with the minted token.
|
|
expect(route).toContain('Set-Cookie');
|
|
expect(route).toContain('buildPtySetCookie');
|
|
});
|
|
});
|