quotation service fixed

2026-02-24 16:14:09 +01:00
parent 6444813f38
commit 2fe90347a8
76 changed files with 769 additions and 230 deletions
--- a/api/pkg/messaging/internal/natsb/broker_test.go
+++ b/api/pkg/messaging/internal/natsb/broker_test.go
@@ -5,14 +5,14 @@ import (
 	"testing"
 )

-func TestSanitizeNATSURL(t *testing.T) {
+func TestBuildSafePublishableNATSURL(t *testing.T) {
 	t.Parallel()

 	t.Run("redacts single URL credentials", func(t *testing.T) {
 		t.Parallel()

 		raw := "nats://alice:supersecret@localhost:4222"
-		sanitized := sanitizeNATSURL(raw)
+		sanitized := buildSafePublishableNATSURL(raw)

 		if strings.Contains(sanitized, "supersecret") {
 			t.Fatalf("expected password to be redacted, got %q", sanitized)
@@ -22,11 +22,25 @@ func TestSanitizeNATSURL(t *testing.T) {
 		}
 	})

+	t.Run("redacts credentials in gateway URL format", func(t *testing.T) {
+		t.Parallel()
+
+		raw := "nats://dev_nats:nats_password_123@dev-nats:4222"
+		sanitized := buildSafePublishableNATSURL(raw)
+
+		if strings.Contains(sanitized, "nats_password_123") {
+			t.Fatalf("expected password to be redacted, got %q", sanitized)
+		}
+		if !strings.Contains(sanitized, "dev_nats:xxxxx@dev-nats:4222") {
+			t.Fatalf("expected sanitized URL with redacted password, got %q", sanitized)
+		}
+	})
+
 	t.Run("keeps URL without credentials unchanged", func(t *testing.T) {
 		t.Parallel()

 		raw := "nats://localhost:4222"
-		sanitized := sanitizeNATSURL(raw)
+		sanitized := buildSafePublishableNATSURL(raw)
 		if sanitized != raw {
 			t.Fatalf("expected URL without credentials to remain unchanged, got %q", sanitized)
 		}
@@ -36,7 +50,7 @@ func TestSanitizeNATSURL(t *testing.T) {
 		t.Parallel()

 		raw := " nats://alice:one@localhost:4222, nats://bob:two@localhost:4223 "
-		sanitized := sanitizeNATSURL(raw)
+		sanitized := buildSafePublishableNATSURL(raw)

 		if strings.Contains(sanitized, "one") || strings.Contains(sanitized, "two") {
 			t.Fatalf("expected passwords to be redacted, got %q", sanitized)
@@ -50,9 +64,37 @@ func TestSanitizeNATSURL(t *testing.T) {
 		t.Parallel()

 		raw := "not a url"
-		sanitized := sanitizeNATSURL(raw)
+		sanitized := buildSafePublishableNATSURL(raw)
 		if sanitized != raw {
 			t.Fatalf("expected invalid URL to remain unchanged, got %q", sanitized)
 		}
 	})
+
+	t.Run("redacts malformed URL credentials via fallback", func(t *testing.T) {
+		t.Parallel()
+
+		raw := "nats://alice:pa%ss@localhost:4222"
+		sanitized := buildSafePublishableNATSURL(raw)
+
+		if strings.Contains(sanitized, "pa%ss") {
+			t.Fatalf("expected malformed password to be redacted, got %q", sanitized)
+		}
+		if !strings.Contains(sanitized, "alice:xxxxx@localhost:4222") {
+			t.Fatalf("expected fallback redaction to preserve host and username, got %q", sanitized)
+		}
+	})
+
+	t.Run("redacts URL without scheme when user info is present", func(t *testing.T) {
+		t.Parallel()
+
+		raw := "alice:topsecret@localhost:4222"
+		sanitized := buildSafePublishableNATSURL(raw)
+
+		if strings.Contains(sanitized, "topsecret") {
+			t.Fatalf("expected password to be redacted, got %q", sanitized)
+		}
+		if !strings.Contains(sanitized, "alice:xxxxx@localhost:4222") {
+			t.Fatalf("expected sanitized authority with redacted password, got %q", sanitized)
+		}
+	})
 }