package service import ( "context" "testing" "github.com/google/uuid" "github.com/vasyakrg/dns-autoresolver/internal/crypto" "github.com/vasyakrg/dns-autoresolver/internal/diff" "github.com/vasyakrg/dns-autoresolver/internal/model" "github.com/vasyakrg/dns-autoresolver/internal/provider" "github.com/vasyakrg/dns-autoresolver/internal/provider/registry" "github.com/vasyakrg/dns-autoresolver/internal/store/dto" ) func testCipher(t *testing.T) *crypto.Cipher { t.Helper() key := make([]byte, 32) c, err := crypto.NewCipher(key) if err != nil { t.Fatal(err) } return c } // fakeProvider records applied changesets and returns canned zone records. type fakeProvider struct { actual []model.Record applied diff.Changeset } func (fakeProvider) Name() string { return "selectel" } func (fakeProvider) ListZones(context.Context, provider.Credentials) ([]provider.Zone, error) { return nil, nil } func (f *fakeProvider) GetRecords(context.Context, provider.Credentials, string) ([]model.Record, error) { return f.actual, nil } func (f *fakeProvider) ApplyChanges(_ context.Context, _ provider.Credentials, _ string, cs diff.Changeset) error { f.applied = cs return nil } func (fakeProvider) Validate(context.Context, provider.Credentials) error { return nil } type fakeLoader struct{ ref DomainRef } func (l fakeLoader) LoadDomain(context.Context, uuid.UUID, uuid.UUID) (DomainRef, error) { return l.ref, nil } // LoadZone mirrors LoadDomain's provider-access fields but — unlike // LoadDomain — never errors on a missing template, matching the real // store.LoadZone contract. func (l fakeLoader) LoadZone(context.Context, uuid.UUID, uuid.UUID) (ZoneRef, error) { return ZoneRef{ZoneID: l.ref.ZoneID, Provider: l.ref.Provider, SecretEnc: l.ref.SecretEnc}, nil } type nopRecorder struct{} func (nopRecorder) SaveCheckRun(context.Context, uuid.UUID, diff.Changeset) error { return nil } func setup(t *testing.T, actual []model.Record, tmpl dto.TemplateDoc) (*DomainService, *fakeProvider) { fp := &fakeProvider{actual: actual} reg := registry.New() reg.Register(fp) cipher := testCipher(t) enc, _ := cipher.Encrypt([]byte("secret")) loader := fakeLoader{ref: DomainRef{ZoneID: "z1", ZoneName: "example.com.", Provider: "selectel", SecretEnc: enc, Template: tmpl}} return New(loader, nopRecorder{}, reg, cipher), fp } func TestCheckProducesDiff(t *testing.T) { actual := []model.Record{{Type: model.A, Name: "a.example.com.", TTL: 300, Values: []string{"9.9.9.9"}}} tmpl := dto.TemplateDoc{Records: []dto.RecordDTO{ {Type: "A", Name: "a.example.com.", TTL: 300, Values: []string{"1.1.1.1"}}, // update }} svc, _ := setup(t, actual, tmpl) cs, err := svc.Check(context.Background(), uuid.New(), uuid.New()) if err != nil { t.Fatal(err) } if len(cs.Updates()) != 1 || cs.Updates()[0].Kind != diff.Update { t.Fatalf("expected 1 update, got %+v", cs.Updates()) } } // TestCheckMaterializesDomainNamePlaceholder covers the tmpl.Materialize // wiring in resolve: a template record using {{domain_name}} in its name and // values must be diffed against the zone using the actual zone name (without // trailing dot) substituted in, so a template reused across domains reports // in-sync rather than spurious add/delete pairs. func TestCheckMaterializesDomainNamePlaceholder(t *testing.T) { actual := []model.Record{ {Type: model.TXT, Name: "_dmarc.example.com.", TTL: 600, Values: []string{"v=DMARC1; p=quarantine"}}, } tmpl := dto.TemplateDoc{Records: []dto.RecordDTO{ {Type: "TXT", Name: "_dmarc.{{domain_name}}.", TTL: 600, Values: []string{"v=DMARC1; p=quarantine"}}, }} svc, _ := setup(t, actual, tmpl) cs, err := svc.Check(context.Background(), uuid.New(), uuid.New()) if err != nil { t.Fatal(err) } if len(cs.Updates()) != 0 || len(cs.Prunes()) != 0 { t.Fatalf("expected placeholder materialized against zone name to be in sync, got updates=%+v prunes=%+v", cs.Updates(), cs.Prunes()) } } // TestZoneRecordsReadsProviderDirectly covers the no-template zone-viewing // path: ZoneRecords must return the provider's live records with no diff // and no template involved (loader's Template field is left zero-valued). func TestZoneRecordsReadsProviderDirectly(t *testing.T) { actual := []model.Record{ {Type: model.A, Name: "a.example.com.", TTL: 300, Values: []string{"1.1.1.1"}}, {Type: model.NS, Name: "example.com.", TTL: 3600, Values: []string{"ns1.example.com."}}, } svc, _ := setup(t, actual, dto.TemplateDoc{}) recs, err := svc.ZoneRecords(context.Background(), uuid.New(), uuid.New()) if err != nil { t.Fatal(err) } if len(recs) != 2 { t.Fatalf("expected 2 records straight from the provider, got %+v", recs) } } // TestApplySelectsByKeyAndOrdersPrunesBeforeUpdates covers the two goals of // selective apply: (1) only diffs whose key is present in the request are // applied, and (2) when both an update and a prune are selected, the prune // (Delete) must land BEFORE the update in the applied Changeset — this is the // regression guard for the provider rejecting an Add/Update whose name still // conflicts with an existing record (e.g. a CNAME cannot be created while an // A on the same name still exists). func TestApplySelectsByKeyAndOrdersPrunesBeforeUpdates(t *testing.T) { // zone: a needs updating (9.9.9.9 -> 1.1.1.1), b is an extra record not in // the template (prune candidate). actual := []model.Record{ {Type: model.A, Name: "a.example.com.", TTL: 300, Values: []string{"9.9.9.9"}}, {Type: model.A, Name: "b.example.com.", TTL: 300, Values: []string{"2.2.2.2"}}, } tmpl := dto.TemplateDoc{Records: []dto.RecordDTO{ {Type: "A", Name: "a.example.com.", TTL: 300, Values: []string{"1.1.1.1"}}, // update }} const updKey = "A a.example.com." const pruneKey = "A b.example.com." // Only the prune selected -> only the delete is applied. svc, fp := setup(t, actual, tmpl) if _, err := svc.Apply(context.Background(), uuid.New(), uuid.New(), ApplyRequest{Prunes: []string{pruneKey}}); err != nil { t.Fatal(err) } if len(fp.applied.Diffs) != 1 || fp.applied.Diffs[0].Kind != diff.Delete { t.Fatalf("expected only the selected prune applied, got %+v", fp.applied.Diffs) } // Only the update selected -> only the update is applied. svc2, fp2 := setup(t, actual, tmpl) if _, err := svc2.Apply(context.Background(), uuid.New(), uuid.New(), ApplyRequest{Updates: []string{updKey}}); err != nil { t.Fatal(err) } if len(fp2.applied.Diffs) != 1 || fp2.applied.Diffs[0].Kind != diff.Update { t.Fatalf("expected only the selected update applied, got %+v", fp2.applied.Diffs) } // Nothing selected -> nothing applied. svc3, fp3 := setup(t, actual, tmpl) if _, err := svc3.Apply(context.Background(), uuid.New(), uuid.New(), ApplyRequest{}); err != nil { t.Fatal(err) } if len(fp3.applied.Diffs) != 0 { t.Fatalf("expected nothing applied when nothing is selected, got %+v", fp3.applied.Diffs) } // CRITICAL: both selected -> the prune (Delete) must be applied FIRST, // the update SECOND. Regressing this order reintroduces the // CNAME/A-conflict bug where the provider rejects the update because the // stale conflicting record hasn't been deleted yet. svc4, fp4 := setup(t, actual, tmpl) if _, err := svc4.Apply(context.Background(), uuid.New(), uuid.New(), ApplyRequest{Updates: []string{updKey}, Prunes: []string{pruneKey}}); err != nil { t.Fatal(err) } if len(fp4.applied.Diffs) != 2 { t.Fatalf("expected both selected diffs applied, got %+v", fp4.applied.Diffs) } if fp4.applied.Diffs[0].Kind != diff.Delete { t.Fatalf("expected prune (Delete) FIRST in applied order, got %+v", fp4.applied.Diffs) } if fp4.applied.Diffs[1].Kind != diff.Update { t.Fatalf("expected update SECOND in applied order, got %+v", fp4.applied.Diffs) } }