import { describe, it, expect, vi, beforeEach } from 'vitest'; import Fastify from 'fastify'; import { BackupService } from '../src/services/backup/backup-service.js'; import { RestoreService } from '../src/services/backup/restore-service.js'; import { encrypt, decrypt, isSensitiveKey } from '../src/services/backup/crypto.js'; import { registerBackupRoutes } from '../src/routes/backup.js'; import type { IMcpServerRepository, IMcpProfileRepository } from '../src/repositories/interfaces.js'; import type { IProjectRepository } from '../src/repositories/project.repository.js'; // Mock data const mockServers = [ { id: 's1', name: 'github', description: 'GitHub MCP', packageName: '@mcp/github', dockerImage: null, transport: 'STDIO' as const, repositoryUrl: null, envTemplate: [], version: 1, createdAt: new Date(), updatedAt: new Date(), }, { id: 's2', name: 'slack', description: 'Slack MCP', packageName: null, dockerImage: 'mcp/slack:latest', transport: 'SSE' as const, repositoryUrl: null, envTemplate: [], version: 1, createdAt: new Date(), updatedAt: new Date(), }, ]; const mockProfiles = [ { id: 'p1', name: 'default', serverId: 's1', permissions: ['read'], envOverrides: { GITHUB_TOKEN: 'ghp_secret123' }, version: 1, createdAt: new Date(), updatedAt: new Date(), }, ]; const mockProjects = [ { id: 'proj1', name: 'my-project', description: 'Test project', ownerId: 'user1', version: 1, createdAt: new Date(), updatedAt: new Date(), }, ]; function mockServerRepo(): IMcpServerRepository { return { findAll: vi.fn(async () => [...mockServers]), findById: vi.fn(async (id: string) => mockServers.find((s) => s.id === id) ?? null), findByName: vi.fn(async (name: string) => mockServers.find((s) => s.name === name) ?? null), create: vi.fn(async (data) => ({ id: 'new-s', ...data, envTemplate: [], version: 1, createdAt: new Date(), updatedAt: new Date() } as typeof mockServers[0])), update: vi.fn(async (id, data) => ({ ...mockServers.find((s) => s.id === id)!, ...data })), delete: vi.fn(async () => {}), }; } function mockProfileRepo(): IMcpProfileRepository { return { findAll: vi.fn(async () => [...mockProfiles]), findById: vi.fn(async (id: string) => mockProfiles.find((p) => p.id === id) ?? null), findByServerAndName: vi.fn(async () => null), create: vi.fn(async (data) => ({ id: 'new-p', ...data, version: 1, createdAt: new Date(), updatedAt: new Date() } as typeof mockProfiles[0])), update: vi.fn(async (id, data) => ({ ...mockProfiles.find((p) => p.id === id)!, ...data })), delete: vi.fn(async () => {}), }; } function mockProjectRepo(): IProjectRepository { return { findAll: vi.fn(async () => [...mockProjects]), findById: vi.fn(async (id: string) => mockProjects.find((p) => p.id === id) ?? null), findByName: vi.fn(async () => null), create: vi.fn(async (data) => ({ id: 'new-proj', ...data, version: 1, createdAt: new Date(), updatedAt: new Date() } as typeof mockProjects[0])), update: vi.fn(async (id, data) => ({ ...mockProjects.find((p) => p.id === id)!, ...data })), delete: vi.fn(async () => {}), setProfiles: vi.fn(async () => {}), getProfileIds: vi.fn(async () => ['p1']), }; } describe('Crypto', () => { it('encrypts and decrypts successfully', () => { const data = 'hello secret world'; const password = 'my-password-123'; const encrypted = encrypt(data, password); expect(encrypted.algorithm).toBe('aes-256-gcm'); expect(encrypted.ciphertext).not.toBe(data); const decrypted = decrypt(encrypted, password); expect(decrypted).toBe(data); }); it('fails with wrong password', () => { const encrypted = encrypt('secret', 'correct-password'); expect(() => decrypt(encrypted, 'wrong-password')).toThrow(); }); it('handles large data', () => { const data = 'x'.repeat(10000); const encrypted = encrypt(data, 'pass'); expect(decrypt(encrypted, 'pass')).toBe(data); }); it('detects sensitive keys', () => { expect(isSensitiveKey('GITHUB_TOKEN')).toBe(true); expect(isSensitiveKey('API_KEY')).toBe(true); expect(isSensitiveKey('DATABASE_PASSWORD')).toBe(true); expect(isSensitiveKey('AWS_SECRET')).toBe(true); expect(isSensitiveKey('MY_SECRET_KEY')).toBe(true); expect(isSensitiveKey('CREDENTIALS')).toBe(true); expect(isSensitiveKey('PORT')).toBe(false); expect(isSensitiveKey('DATABASE_URL')).toBe(false); expect(isSensitiveKey('NODE_ENV')).toBe(false); }); }); describe('BackupService', () => { let backupService: BackupService; beforeEach(() => { backupService = new BackupService(mockServerRepo(), mockProfileRepo(), mockProjectRepo()); }); it('creates backup with all resources', async () => { const bundle = await backupService.createBackup(); expect(bundle.version).toBe('1'); expect(bundle.encrypted).toBe(false); expect(bundle.servers).toHaveLength(2); expect(bundle.profiles).toHaveLength(1); expect(bundle.projects).toHaveLength(1); expect(bundle.servers[0]!.name).toBe('github'); expect(bundle.profiles[0]!.serverName).toBe('github'); expect(bundle.projects[0]!.name).toBe('my-project'); }); it('filters resources', async () => { const bundle = await backupService.createBackup({ resources: ['servers'] }); expect(bundle.servers).toHaveLength(2); expect(bundle.profiles).toHaveLength(0); expect(bundle.projects).toHaveLength(0); }); it('encrypts sensitive env values when password provided', async () => { const bundle = await backupService.createBackup({ password: 'test-pass' }); expect(bundle.encrypted).toBe(true); expect(bundle.encryptedSecrets).toBeDefined(); // The GITHUB_TOKEN should be replaced with placeholder const overrides = bundle.profiles[0]!.envOverrides as Record; expect(overrides['GITHUB_TOKEN']).toContain('__ENCRYPTED:'); }); it('handles empty repositories', async () => { const emptyServerRepo = mockServerRepo(); (emptyServerRepo.findAll as ReturnType).mockResolvedValue([]); const emptyProfileRepo = mockProfileRepo(); (emptyProfileRepo.findAll as ReturnType).mockResolvedValue([]); const emptyProjectRepo = mockProjectRepo(); (emptyProjectRepo.findAll as ReturnType).mockResolvedValue([]); const service = new BackupService(emptyServerRepo, emptyProfileRepo, emptyProjectRepo); const bundle = await service.createBackup(); expect(bundle.servers).toHaveLength(0); expect(bundle.profiles).toHaveLength(0); expect(bundle.projects).toHaveLength(0); }); }); describe('RestoreService', () => { let restoreService: RestoreService; let serverRepo: IMcpServerRepository; let profileRepo: IMcpProfileRepository; let projectRepo: IProjectRepository; beforeEach(() => { serverRepo = mockServerRepo(); profileRepo = mockProfileRepo(); projectRepo = mockProjectRepo(); // Default: nothing exists yet (serverRepo.findByName as ReturnType).mockResolvedValue(null); (profileRepo.findByServerAndName as ReturnType).mockResolvedValue(null); (projectRepo.findByName as ReturnType).mockResolvedValue(null); restoreService = new RestoreService(serverRepo, profileRepo, projectRepo); }); const validBundle = { version: '1', mcpctlVersion: '0.1.0', createdAt: new Date().toISOString(), encrypted: false, servers: [{ name: 'github', description: 'GitHub', packageName: null, dockerImage: null, transport: 'STDIO', repositoryUrl: null, envTemplate: [] }], profiles: [{ name: 'default', serverName: 'github', permissions: ['read'], envOverrides: {} }], projects: [{ name: 'test-proj', description: 'Test', profileNames: ['default'] }], }; it('validates valid bundle', () => { expect(restoreService.validateBundle(validBundle)).toBe(true); }); it('rejects invalid bundle', () => { expect(restoreService.validateBundle(null)).toBe(false); expect(restoreService.validateBundle({})).toBe(false); expect(restoreService.validateBundle({ version: '1' })).toBe(false); }); it('restores all resources', async () => { const result = await restoreService.restore(validBundle); expect(result.serversCreated).toBe(1); expect(result.profilesCreated).toBe(1); expect(result.projectsCreated).toBe(1); expect(result.errors).toHaveLength(0); expect(serverRepo.create).toHaveBeenCalled(); expect(profileRepo.create).toHaveBeenCalled(); expect(projectRepo.create).toHaveBeenCalled(); }); it('skips existing resources with skip strategy', async () => { (serverRepo.findByName as ReturnType).mockResolvedValue(mockServers[0]); const result = await restoreService.restore(validBundle, { conflictStrategy: 'skip' }); expect(result.serversSkipped).toBe(1); expect(result.serversCreated).toBe(0); expect(serverRepo.create).not.toHaveBeenCalled(); }); it('aborts on conflict with fail strategy', async () => { (serverRepo.findByName as ReturnType).mockResolvedValue(mockServers[0]); const result = await restoreService.restore(validBundle, { conflictStrategy: 'fail' }); expect(result.errors).toContain('Server "github" already exists'); }); it('overwrites existing with overwrite strategy', async () => { (serverRepo.findByName as ReturnType).mockResolvedValue(mockServers[0]); const result = await restoreService.restore(validBundle, { conflictStrategy: 'overwrite' }); expect(result.serversCreated).toBe(1); expect(serverRepo.update).toHaveBeenCalled(); }); it('fails restore with encrypted bundle and no password', async () => { const encBundle = { ...validBundle, encrypted: true, encryptedSecrets: encrypt('{}', 'pw') }; const result = await restoreService.restore(encBundle); expect(result.errors).toContain('Backup is encrypted but no password provided'); }); it('restores encrypted bundle with correct password', async () => { const secrets = { 'profile:default:API_KEY': 'secret-val' }; const encBundle = { ...validBundle, encrypted: true, encryptedSecrets: encrypt(JSON.stringify(secrets), 'test-pw'), profiles: [{ ...validBundle.profiles[0]!, envOverrides: { API_KEY: '__ENCRYPTED:profile:default:API_KEY__' } }], }; const result = await restoreService.restore(encBundle, { password: 'test-pw' }); expect(result.errors).toHaveLength(0); expect(result.profilesCreated).toBe(1); }); it('fails with wrong decryption password', async () => { const encBundle = { ...validBundle, encrypted: true, encryptedSecrets: encrypt('{"key":"val"}', 'correct'), }; const result = await restoreService.restore(encBundle, { password: 'wrong' }); expect(result.errors[0]).toContain('Failed to decrypt'); }); }); describe('Backup Routes', () => { let backupService: BackupService; let restoreService: RestoreService; beforeEach(() => { const sRepo = mockServerRepo(); const pRepo = mockProfileRepo(); const prRepo = mockProjectRepo(); backupService = new BackupService(sRepo, pRepo, prRepo); const rSRepo = mockServerRepo(); (rSRepo.findByName as ReturnType).mockResolvedValue(null); const rPRepo = mockProfileRepo(); (rPRepo.findByServerAndName as ReturnType).mockResolvedValue(null); const rPrRepo = mockProjectRepo(); (rPrRepo.findByName as ReturnType).mockResolvedValue(null); restoreService = new RestoreService(rSRepo, rPRepo, rPrRepo); }); async function buildApp() { const app = Fastify(); registerBackupRoutes(app, { backupService, restoreService }); return app; } it('POST /api/v1/backup returns bundle', async () => { const app = await buildApp(); const res = await app.inject({ method: 'POST', url: '/api/v1/backup', payload: {}, }); expect(res.statusCode).toBe(200); const body = res.json(); expect(body.version).toBe('1'); expect(body.servers).toBeDefined(); expect(body.profiles).toBeDefined(); expect(body.projects).toBeDefined(); }); it('POST /api/v1/restore imports bundle', async () => { const app = await buildApp(); const bundle = await backupService.createBackup(); const res = await app.inject({ method: 'POST', url: '/api/v1/restore', payload: { bundle, conflictStrategy: 'skip' }, }); expect(res.statusCode).toBe(200); const body = res.json(); expect(body.serversCreated).toBeDefined(); }); it('POST /api/v1/restore rejects invalid bundle', async () => { const app = await buildApp(); const res = await app.inject({ method: 'POST', url: '/api/v1/restore', payload: { bundle: { invalid: true } }, }); expect(res.statusCode).toBe(400); expect(res.json().error).toContain('Invalid'); }); });