sarin/e2e/tls_test.go

package e2e

import (
	"crypto/tls"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"testing"
)

func TestHTTPSWithInsecureFlag(t *testing.T) {
	t.Parallel()

	// Create a TLS server with a self-signed cert
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	// Without --insecure, it should fail (cert not trusted)
	// With --insecure, it should succeed
	res := run("-U", srv.URL, "-r", "1", "-q", "-o", "json", "-I")
	assertExitCode(t, res, 0)

	out := res.jsonOutput(t)
	assertHasResponseKey(t, out, "200")
}

func TestHTTPSWithoutInsecureFails(t *testing.T) {
	t.Parallel()

	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	// Without --insecure, should get a TLS error (not a clean 200)
	res := run("-U", srv.URL, "-r", "1", "-q", "-o", "json")
	assertExitCode(t, res, 0) // Process still exits 0, but response key is an error

	out := res.jsonOutput(t)
	// Should NOT have a "200" key — should have a TLS error
	if _, ok := out.Responses["200"]; ok {
		t.Error("expected TLS error without --insecure, but got 200")
	}
}

func TestHTTPSInsecureViaCLILongFlag(t *testing.T) {
	t.Parallel()

	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	// Use the long form flag
	res := run("-U", srv.URL, "-r", "1", "-q", "-o", "json", "-insecure")
	assertExitCode(t, res, 0)

	out := res.jsonOutput(t)
	assertHasResponseKey(t, out, "200")
}

func TestHTTPSInsecureViaConfigFile(t *testing.T) {
	t.Parallel()

	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	config := `
url: "` + srv.URL + `"
requests: 1
insecure: true
quiet: true
output: json
`
	configPath := writeTemp(t, "tls_config.yaml", config)

	res := run("-f", configPath)
	assertExitCode(t, res, 0)

	out := res.jsonOutput(t)
	assertHasResponseKey(t, out, "200")
}

func TestHTTPSInsecureViaEnv(t *testing.T) {
	t.Parallel()

	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	res := runWithEnv(map[string]string{
		"SARIN_URL":      srv.URL,
		"SARIN_REQUESTS": "1",
		"SARIN_INSECURE": "true",
		"SARIN_QUIET":    "true",
		"SARIN_OUTPUT":   "json",
	})
	assertExitCode(t, res, 0)

	out := res.jsonOutput(t)
	assertHasResponseKey(t, out, "200")
}

func TestHTTPSEchoServer(t *testing.T) {
	t.Parallel()

	// TLS echo server that returns request details
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		resp := map[string]any{
			"method": r.Method,
			"path":   r.URL.Path,
			"tls":    r.TLS != nil,
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(resp)
	}))
	defer srv.Close()

	// Verify request was received over TLS
	res := run("-U", srv.URL+"/secure-path", "-r", "1", "-q", "-o", "json", "-I")
	assertExitCode(t, res, 0)

	out := res.jsonOutput(t)
	assertHasResponseKey(t, out, "200")
}

// tlsCaptureServer is like captureServer but with TLS
func tlsCaptureServer() *captureServer {
	cs := &captureServer{}
	cs.Server = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cs.mu.Lock()
		cs.requests = append(cs.requests, echoResponse{
			Method: r.Method,
			Path:   r.URL.Path,
		})
		cs.mu.Unlock()
		w.WriteHeader(http.StatusOK)
	}))
	cs.TLS = &tls.Config{}
	cs.StartTLS()
	return cs
}

func TestHTTPSHeadersSentCorrectly(t *testing.T) {
	t.Parallel()
	cs := tlsCaptureServer()
	defer cs.Close()

	res := run("-U", cs.URL+"/api/test", "-r", "1", "-M", "POST", "-q", "-o", "json", "-I")
	assertExitCode(t, res, 0)

	req := cs.lastRequest()
	if req.Method != http.MethodPost {
		t.Errorf("expected POST over HTTPS, got %s", req.Method)
	}
	if req.Path != "/api/test" {
		t.Errorf("expected path /api/test over HTTPS, got %s", req.Path)
	}
}