ca02340a4c
Replace the confused Profile abstraction with a dedicated Secret resource
following Kubernetes conventions. Servers now have env entries with inline
values or secretRef references. Env vars are resolved and passed to
containers at startup (fixes existing gap).
- Add Secret CRUD (model, repo, service, routes, CLI commands)
- Server env: {name, value} or {name, valueFrom: {secretRef: {name, key}}}
- Add env-resolver utility shared by instance startup and config generation
- Remove all profile-related code (models, services, routes, CLI, tests)
- Update backup/restore for secrets instead of profiles
- describe secret masks values by default, --show-values to reveal
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
335 lines
13 KiB
TypeScript
335 lines
13 KiB
TypeScript
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
|
import Fastify from 'fastify';
|
|
import { BackupService } from '../src/services/backup/backup-service.js';
|
|
import { RestoreService } from '../src/services/backup/restore-service.js';
|
|
import { encrypt, decrypt, isSensitiveKey } from '../src/services/backup/crypto.js';
|
|
import { registerBackupRoutes } from '../src/routes/backup.js';
|
|
import type { IMcpServerRepository, ISecretRepository } from '../src/repositories/interfaces.js';
|
|
import type { IProjectRepository } from '../src/repositories/project.repository.js';
|
|
|
|
// Mock data
|
|
const mockServers = [
|
|
{
|
|
id: 's1', name: 'github', description: 'GitHub MCP', packageName: '@mcp/github',
|
|
dockerImage: null, transport: 'STDIO' as const, repositoryUrl: null,
|
|
env: [], version: 1, createdAt: new Date(), updatedAt: new Date(),
|
|
},
|
|
{
|
|
id: 's2', name: 'slack', description: 'Slack MCP', packageName: null,
|
|
dockerImage: 'mcp/slack:latest', transport: 'SSE' as const, repositoryUrl: null,
|
|
env: [], version: 1, createdAt: new Date(), updatedAt: new Date(),
|
|
},
|
|
];
|
|
|
|
const mockSecrets = [
|
|
{
|
|
id: 'sec1', name: 'github-secrets',
|
|
data: { GITHUB_TOKEN: 'ghp_secret123' },
|
|
version: 1, createdAt: new Date(), updatedAt: new Date(),
|
|
},
|
|
];
|
|
|
|
const mockProjects = [
|
|
{
|
|
id: 'proj1', name: 'my-project', description: 'Test project',
|
|
ownerId: 'user1', version: 1, createdAt: new Date(), updatedAt: new Date(),
|
|
},
|
|
];
|
|
|
|
function mockServerRepo(): IMcpServerRepository {
|
|
return {
|
|
findAll: vi.fn(async () => [...mockServers]),
|
|
findById: vi.fn(async (id: string) => mockServers.find((s) => s.id === id) ?? null),
|
|
findByName: vi.fn(async (name: string) => mockServers.find((s) => s.name === name) ?? null),
|
|
create: vi.fn(async (data) => ({ id: 'new-s', ...data, env: [], version: 1, createdAt: new Date(), updatedAt: new Date() } as typeof mockServers[0])),
|
|
update: vi.fn(async (id, data) => ({ ...mockServers.find((s) => s.id === id)!, ...data })),
|
|
delete: vi.fn(async () => {}),
|
|
};
|
|
}
|
|
|
|
function mockSecretRepo(): ISecretRepository {
|
|
return {
|
|
findAll: vi.fn(async () => [...mockSecrets]),
|
|
findById: vi.fn(async (id: string) => mockSecrets.find((s) => s.id === id) ?? null),
|
|
findByName: vi.fn(async (name: string) => mockSecrets.find((s) => s.name === name) ?? null),
|
|
create: vi.fn(async (data) => ({ id: 'new-sec', ...data, version: 1, createdAt: new Date(), updatedAt: new Date() } as typeof mockSecrets[0])),
|
|
update: vi.fn(async (id, data) => ({ ...mockSecrets.find((s) => s.id === id)!, ...data })),
|
|
delete: vi.fn(async () => {}),
|
|
};
|
|
}
|
|
|
|
function mockProjectRepo(): IProjectRepository {
|
|
return {
|
|
findAll: vi.fn(async () => [...mockProjects]),
|
|
findById: vi.fn(async (id: string) => mockProjects.find((p) => p.id === id) ?? null),
|
|
findByName: vi.fn(async () => null),
|
|
create: vi.fn(async (data) => ({ id: 'new-proj', ...data, version: 1, createdAt: new Date(), updatedAt: new Date() } as typeof mockProjects[0])),
|
|
update: vi.fn(async (id, data) => ({ ...mockProjects.find((p) => p.id === id)!, ...data })),
|
|
delete: vi.fn(async () => {}),
|
|
};
|
|
}
|
|
|
|
describe('Crypto', () => {
|
|
it('encrypts and decrypts successfully', () => {
|
|
const data = 'hello secret world';
|
|
const password = 'my-password-123';
|
|
const encrypted = encrypt(data, password);
|
|
|
|
expect(encrypted.algorithm).toBe('aes-256-gcm');
|
|
expect(encrypted.ciphertext).not.toBe(data);
|
|
|
|
const decrypted = decrypt(encrypted, password);
|
|
expect(decrypted).toBe(data);
|
|
});
|
|
|
|
it('fails with wrong password', () => {
|
|
const encrypted = encrypt('secret', 'correct-password');
|
|
expect(() => decrypt(encrypted, 'wrong-password')).toThrow();
|
|
});
|
|
|
|
it('handles large data', () => {
|
|
const data = 'x'.repeat(10000);
|
|
const encrypted = encrypt(data, 'pass');
|
|
expect(decrypt(encrypted, 'pass')).toBe(data);
|
|
});
|
|
|
|
it('detects sensitive keys', () => {
|
|
expect(isSensitiveKey('GITHUB_TOKEN')).toBe(true);
|
|
expect(isSensitiveKey('API_KEY')).toBe(true);
|
|
expect(isSensitiveKey('DATABASE_PASSWORD')).toBe(true);
|
|
expect(isSensitiveKey('AWS_SECRET')).toBe(true);
|
|
expect(isSensitiveKey('MY_SECRET_KEY')).toBe(true);
|
|
expect(isSensitiveKey('CREDENTIALS')).toBe(true);
|
|
expect(isSensitiveKey('PORT')).toBe(false);
|
|
expect(isSensitiveKey('DATABASE_URL')).toBe(false);
|
|
expect(isSensitiveKey('NODE_ENV')).toBe(false);
|
|
});
|
|
});
|
|
|
|
describe('BackupService', () => {
|
|
let backupService: BackupService;
|
|
|
|
beforeEach(() => {
|
|
backupService = new BackupService(mockServerRepo(), mockProjectRepo(), mockSecretRepo());
|
|
});
|
|
|
|
it('creates backup with all resources', async () => {
|
|
const bundle = await backupService.createBackup();
|
|
|
|
expect(bundle.version).toBe('1');
|
|
expect(bundle.encrypted).toBe(false);
|
|
expect(bundle.servers).toHaveLength(2);
|
|
expect(bundle.secrets).toHaveLength(1);
|
|
expect(bundle.projects).toHaveLength(1);
|
|
expect(bundle.servers[0]!.name).toBe('github');
|
|
expect(bundle.secrets[0]!.name).toBe('github-secrets');
|
|
expect(bundle.projects[0]!.name).toBe('my-project');
|
|
});
|
|
|
|
it('filters resources', async () => {
|
|
const bundle = await backupService.createBackup({ resources: ['servers'] });
|
|
expect(bundle.servers).toHaveLength(2);
|
|
expect(bundle.secrets).toHaveLength(0);
|
|
expect(bundle.projects).toHaveLength(0);
|
|
});
|
|
|
|
it('encrypts sensitive secret values when password provided', async () => {
|
|
const bundle = await backupService.createBackup({ password: 'test-pass' });
|
|
|
|
expect(bundle.encrypted).toBe(true);
|
|
expect(bundle.encryptedSecrets).toBeDefined();
|
|
// The GITHUB_TOKEN should be replaced with placeholder
|
|
const data = bundle.secrets[0]!.data;
|
|
expect(data['GITHUB_TOKEN']).toContain('__ENCRYPTED:');
|
|
});
|
|
|
|
it('handles empty repositories', async () => {
|
|
const emptyServerRepo = mockServerRepo();
|
|
(emptyServerRepo.findAll as ReturnType<typeof vi.fn>).mockResolvedValue([]);
|
|
const emptySecretRepo = mockSecretRepo();
|
|
(emptySecretRepo.findAll as ReturnType<typeof vi.fn>).mockResolvedValue([]);
|
|
const emptyProjectRepo = mockProjectRepo();
|
|
(emptyProjectRepo.findAll as ReturnType<typeof vi.fn>).mockResolvedValue([]);
|
|
|
|
const service = new BackupService(emptyServerRepo, emptyProjectRepo, emptySecretRepo);
|
|
const bundle = await service.createBackup();
|
|
|
|
expect(bundle.servers).toHaveLength(0);
|
|
expect(bundle.secrets).toHaveLength(0);
|
|
expect(bundle.projects).toHaveLength(0);
|
|
});
|
|
});
|
|
|
|
describe('RestoreService', () => {
|
|
let restoreService: RestoreService;
|
|
let serverRepo: IMcpServerRepository;
|
|
let secretRepo: ISecretRepository;
|
|
let projectRepo: IProjectRepository;
|
|
|
|
beforeEach(() => {
|
|
serverRepo = mockServerRepo();
|
|
secretRepo = mockSecretRepo();
|
|
projectRepo = mockProjectRepo();
|
|
// Default: nothing exists yet
|
|
(serverRepo.findByName as ReturnType<typeof vi.fn>).mockResolvedValue(null);
|
|
(secretRepo.findByName as ReturnType<typeof vi.fn>).mockResolvedValue(null);
|
|
(projectRepo.findByName as ReturnType<typeof vi.fn>).mockResolvedValue(null);
|
|
restoreService = new RestoreService(serverRepo, projectRepo, secretRepo);
|
|
});
|
|
|
|
const validBundle = {
|
|
version: '1',
|
|
mcpctlVersion: '0.1.0',
|
|
createdAt: new Date().toISOString(),
|
|
encrypted: false,
|
|
servers: [{ name: 'github', description: 'GitHub', packageName: null, dockerImage: null, transport: 'STDIO', repositoryUrl: null, env: [] }],
|
|
secrets: [{ name: 'github-secrets', data: { GITHUB_TOKEN: 'ghp_123' } }],
|
|
projects: [{ name: 'test-proj', description: 'Test' }],
|
|
};
|
|
|
|
it('validates valid bundle', () => {
|
|
expect(restoreService.validateBundle(validBundle)).toBe(true);
|
|
});
|
|
|
|
it('rejects invalid bundle', () => {
|
|
expect(restoreService.validateBundle(null)).toBe(false);
|
|
expect(restoreService.validateBundle({})).toBe(false);
|
|
expect(restoreService.validateBundle({ version: '1' })).toBe(false);
|
|
});
|
|
|
|
it('restores all resources', async () => {
|
|
const result = await restoreService.restore(validBundle);
|
|
|
|
expect(result.serversCreated).toBe(1);
|
|
expect(result.secretsCreated).toBe(1);
|
|
expect(result.projectsCreated).toBe(1);
|
|
expect(result.errors).toHaveLength(0);
|
|
expect(serverRepo.create).toHaveBeenCalled();
|
|
expect(secretRepo.create).toHaveBeenCalled();
|
|
expect(projectRepo.create).toHaveBeenCalled();
|
|
});
|
|
|
|
it('skips existing resources with skip strategy', async () => {
|
|
(serverRepo.findByName as ReturnType<typeof vi.fn>).mockResolvedValue(mockServers[0]);
|
|
const result = await restoreService.restore(validBundle, { conflictStrategy: 'skip' });
|
|
|
|
expect(result.serversSkipped).toBe(1);
|
|
expect(result.serversCreated).toBe(0);
|
|
expect(serverRepo.create).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it('aborts on conflict with fail strategy', async () => {
|
|
(serverRepo.findByName as ReturnType<typeof vi.fn>).mockResolvedValue(mockServers[0]);
|
|
const result = await restoreService.restore(validBundle, { conflictStrategy: 'fail' });
|
|
|
|
expect(result.errors).toContain('Server "github" already exists');
|
|
});
|
|
|
|
it('overwrites existing with overwrite strategy', async () => {
|
|
(serverRepo.findByName as ReturnType<typeof vi.fn>).mockResolvedValue(mockServers[0]);
|
|
const result = await restoreService.restore(validBundle, { conflictStrategy: 'overwrite' });
|
|
|
|
expect(result.serversCreated).toBe(1);
|
|
expect(serverRepo.update).toHaveBeenCalled();
|
|
});
|
|
|
|
it('fails restore with encrypted bundle and no password', async () => {
|
|
const encBundle = { ...validBundle, encrypted: true, encryptedSecrets: encrypt('{}', 'pw') };
|
|
const result = await restoreService.restore(encBundle);
|
|
expect(result.errors).toContain('Backup is encrypted but no password provided');
|
|
});
|
|
|
|
it('restores encrypted bundle with correct password', async () => {
|
|
const encryptedData = { 'secret:github-secrets:GITHUB_TOKEN': 'ghp_decrypted' };
|
|
const encBundle = {
|
|
...validBundle,
|
|
encrypted: true,
|
|
encryptedSecrets: encrypt(JSON.stringify(encryptedData), 'test-pw'),
|
|
secrets: [{ name: 'github-secrets', data: { GITHUB_TOKEN: '__ENCRYPTED:secret:github-secrets:GITHUB_TOKEN__' } }],
|
|
};
|
|
|
|
const result = await restoreService.restore(encBundle, { password: 'test-pw' });
|
|
expect(result.errors).toHaveLength(0);
|
|
expect(result.secretsCreated).toBe(1);
|
|
});
|
|
|
|
it('fails with wrong decryption password', async () => {
|
|
const encBundle = {
|
|
...validBundle,
|
|
encrypted: true,
|
|
encryptedSecrets: encrypt('{"key":"val"}', 'correct'),
|
|
};
|
|
const result = await restoreService.restore(encBundle, { password: 'wrong' });
|
|
expect(result.errors[0]).toContain('Failed to decrypt');
|
|
});
|
|
});
|
|
|
|
describe('Backup Routes', () => {
|
|
let backupService: BackupService;
|
|
let restoreService: RestoreService;
|
|
|
|
beforeEach(() => {
|
|
const sRepo = mockServerRepo();
|
|
const secRepo = mockSecretRepo();
|
|
const prRepo = mockProjectRepo();
|
|
backupService = new BackupService(sRepo, prRepo, secRepo);
|
|
|
|
const rSRepo = mockServerRepo();
|
|
(rSRepo.findByName as ReturnType<typeof vi.fn>).mockResolvedValue(null);
|
|
const rSecRepo = mockSecretRepo();
|
|
(rSecRepo.findByName as ReturnType<typeof vi.fn>).mockResolvedValue(null);
|
|
const rPrRepo = mockProjectRepo();
|
|
(rPrRepo.findByName as ReturnType<typeof vi.fn>).mockResolvedValue(null);
|
|
restoreService = new RestoreService(rSRepo, rPrRepo, rSecRepo);
|
|
});
|
|
|
|
async function buildApp() {
|
|
const app = Fastify();
|
|
registerBackupRoutes(app, { backupService, restoreService });
|
|
return app;
|
|
}
|
|
|
|
it('POST /api/v1/backup returns bundle', async () => {
|
|
const app = await buildApp();
|
|
const res = await app.inject({
|
|
method: 'POST',
|
|
url: '/api/v1/backup',
|
|
payload: {},
|
|
});
|
|
|
|
expect(res.statusCode).toBe(200);
|
|
const body = res.json();
|
|
expect(body.version).toBe('1');
|
|
expect(body.servers).toBeDefined();
|
|
expect(body.secrets).toBeDefined();
|
|
expect(body.projects).toBeDefined();
|
|
});
|
|
|
|
it('POST /api/v1/restore imports bundle', async () => {
|
|
const app = await buildApp();
|
|
const bundle = await backupService.createBackup();
|
|
|
|
const res = await app.inject({
|
|
method: 'POST',
|
|
url: '/api/v1/restore',
|
|
payload: { bundle, conflictStrategy: 'skip' },
|
|
});
|
|
|
|
expect(res.statusCode).toBe(200);
|
|
const body = res.json();
|
|
expect(body.serversCreated).toBeDefined();
|
|
});
|
|
|
|
it('POST /api/v1/restore rejects invalid bundle', async () => {
|
|
const app = await buildApp();
|
|
const res = await app.inject({
|
|
method: 'POST',
|
|
url: '/api/v1/restore',
|
|
payload: { bundle: { invalid: true } },
|
|
});
|
|
|
|
expect(res.statusCode).toBe(400);
|
|
expect(res.json().error).toContain('Invalid');
|
|
});
|
|
});
|