Commit Graph

8 Commits

Author SHA1 Message Date
DL6ER 20164bff26 tests: resolve iCloud Private Relay zones from local pdns
The API query-count assertions depend on resolving mask.icloud.com, whose
mask.icloud.com -> mask.apple-dns.net CNAME chain was recursed to the public
internet. dnsmasq fires extra DNSKEY validation queries depending on whether
Apple currently DNSSEC-signs icloud.com / apple-dns.net, and Apple toggles this
over time. The runtime DS-probing workaround in conftest.py could not reliably
model dnsmasq's behaviour (e.g. when Apple returns SERVFAIL on DS), so the suite
went flaky again.

Serve the icloud.com and apple-dns.net zones from the local authoritative
PowerDNS server instead, so the chain resolves hermetically and the query counts
are deterministic regardless of Apple's upstream DNSSEC posture. The DS-probing
fixture is dropped and the expected counters become fixed constants again.

Signed-off-by: DL6ER <dl6er@dl6er.de>
2026-06-24 06:25:39 +00:00
copilot-swe-agent[bot] 959a532d6b test: move DNSSEC probe to autouse session fixture with retry/backoff
Agent-Logs-Url: https://github.com/pi-hole/FTL/sessions/f711f6f8-1f54-48c8-9d99-661803762c38

Co-authored-by: DL6ER <16748619+DL6ER@users.noreply.github.com>
2026-04-12 08:01:21 +00:00
Dominik e198fc5587 test: auto-detect upstream DNSSEC state for query-count assertions
The pytest API tests assert exact query counts that depend on whether icloud.com and apple-dns.net are DNSSEC-signed.  When Apple removed DNSSEC from those zones (April 2026), dnsmasq stopped firing two DNSKEY validation queries during the mask.icloud.com CNAME chain walk, breaking 7 tests on every CI run - including re-runs of previously green commits.

Instead of hardcoding either set of numbers, detect the current DNSSEC state at test startup by querying the local pdns_recursor (port 5555, bypassing FTL to avoid counter pollution) for DS records on both domains.  Four module-level constants (TOTAL, FORWARDED, DNSKEY, TOP_DOMAIN) are set accordingly, and the 11 affected assertions now reference these constants.

The bats "Special domain: Record is returned when explicitly allowed" test is preserved unchanged - the hybrid detection makes it safe regardless of upstream DNSSEC posture.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-04-12 07:56:23 +02:00
Dominik 4b87386d13 fix: handle strdup NULL check for cJSON reference domains in list API
Add missing NULL check after strdup() when making a writable copy of
cJSON reference strings in api_list_write(). Without this, a failed
allocation under memory pressure would dereference NULL in the
lowercasing loop. Also fix minor docstring typo in punycode test.

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-04-09 21:38:44 +02:00
Dominik 9e81373ec4 fix: accept punycode domains that libidn2 rejects under IDNA2008
When adding or searching for exact domains, the API unconditionally
passes the input through idn2_to_ascii_lz() for IDN normalization.
This round-trips punycode domains: decode to Unicode, validate against
IDNA2008, re-encode to ASCII. Characters like emoji are disallowed by
IDNA2008 (RFC 5892), so valid punycode domains such as
xn--4ca0bs45142c.com (äöü😀.com) are rejected with "string contains
a disallowed character" even though they are perfectly valid DNS names.

Fix by checking whether the input is already pure ASCII before calling
idn2_to_ascii_lz(). If every byte is <= 0x7F, skip IDN conversion
entirely — the domain is already in a DNS-compatible form and only
needs lowercasing and valid_domain() validation. Non-ASCII input
(actual Unicode domains) still goes through the IDN conversion path.

Applied to both the list API (src/api/list.c) and the search API
(src/api/search.c).

Fixes: https://github.com/pi-hole/FTL/issues/2837

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-04-06 11:08:42 +02:00
Dominik cc33fbc545 test: add PUT/DELETE, batch delete, query filter, and auth tests
Add ~80 new pytest API integration tests covering previously untested
endpoints and HTTP methods:

- DELETE 204/404 for groups, domains, clients, lists, config array
  items, network devices, and info messages
- PUT create/replace round-trips for groups, domains, clients, lists
- PUT error cases (missing body, invalid domain type)
- Batch delete (POST :batchDelete) for groups, domains, clients, lists
- DNS blocking toggle (POST disable + re-enable)
- Auth session logout (DELETE /api/auth) and delete-by-ID
- GET endpoints: clients, config, network gateway/routes, info
  host/sensors/metrics, query filters (domain, client_ip, upstream,
  blocklist pseudo-upstream), query suggestions, query cursor
  pagination, stats database with time ranges, history database
  with time ranges
- Search with partial matching
- TOTP credential suggestion (GET /api/auth/totp)
- Config PATCH round-trip (bool and integer, change + verify + restore)
- NTP server protocol-level test (UDP NTPv4 request/response)
- Update test_final.bats known-warning patterns and config write counts

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-03-30 21:26:16 +02:00
Dominik bb89fbfe7b test: add comprehensive API endpoint tests, fix double-free in printFTLenv
Add pytest tests for all previously untested GET API endpoints:
dns/blocking, domains (all type/kind combinations and single lookup),
groups, stats/summary, stats/top_domains, stats/top_clients,
stats/upstreams, stats/query_types, stats/recent_blocked,
stats/database (error handling), dhcp/leases, endpoints, info/ftl,
info/login, info/version, info/messages, info/client, info/database,
info/system, network/devices, network/interfaces, logs (dnsmasq, ftl,
webserver), and padd.

All assertions use exact expected values derived from the deterministic
BATS DNS query seeding (137 total queries, 49 blocked, 47 forwarded,
41 cached, 11 active clients, 8 gravity domains).  On failure, the
full JSON response is dumped to /tmp/ftl_test_*.json for easy
inspection.

Fix double-free bug in printFTLenv() (src/config/env.c): when
printFTLenv() was called more than once (e.g. after config reload
triggered by the CLI password test), it would free item->error a
second time because neither the pointer nor the error_allocated flag
were reset after the first free.  This produced "Trying to free NULL
pointer in printFTLenv()" warnings.  Fix: set item->error = NULL and
item->error_allocated = false after freeing.

Files modified:
  src/config/env.c      — reset error/error_allocated after free
  test/api/test_api.py  — add 34 new endpoint tests (22 -> 56 total)

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-03-25 13:29:17 +01:00
Dominik e189c8e823 test: add pytest API test files and final BATS validation suite
Add the pytest test files and final BATS suite that were described
in the previous commit but not yet included.

New files:
  test/api/conftest.py     — shared fixtures (api_session, openapi, ftl)
  test/api/pytest.ini      — pytest configuration
  test/api/test_api.py     — HTTP errors, config validation, search,
                              history, lists, queries, Lua pages
  test/api/test_openapi.py — OpenAPI spec validation, teleporter
  test/api/test_z_auth.py  — auth workflow (app password, login,
                              rate limiting, password removal)
  test/test_final.bats     — log validation, config rotation counts,
                              FTL termination

Signed-off-by: Dominik <dl6er@dl6er.de>
2026-03-25 11:28:03 +01:00