fix test backend

Author: root

backend/domain/certs/hooks.go

@@ -155,16 +155,27 @@ func RegisterHooks(app *pocketbase.PocketBase) {
 }
 
 func validatePrivateKeySecretRef(app core.App, secretID, userID string) error {
+	return validatePrivateKeySecretRefWith(secretID, userID,
+		func(secretID, userID string) error {
+			return secrets.ValidateRef(app, secretID, userID)
+		},
+		func(secretID string) (*core.Record, error) {
+			return app.FindRecordById("secrets", secretID)
+		},
+	)
+}
+
+func validatePrivateKeySecretRefWith(secretID, userID string, validateRef func(string, string) error, findSecret func(string) (*core.Record, error)) error {
 	secretID = strings.TrimSpace(secretID)
 	if secretID == "" {
 		return nil
 	}
 
-	if err := secrets.ValidateRef(app, secretID, userID); err != nil {
+	if err := validateRef(secretID, userID); err != nil {
 		return fmt.Errorf("invalid private key secret")
 	}
 
-	rec, err := app.FindRecordById("secrets", secretID)
+	rec, err := findSecret(secretID)
 	if err != nil {
 		return fmt.Errorf("invalid private key secret")
 	}
@@ -201,21 +212,20 @@ func runExpirySweepLoop(app core.App, stop <-chan struct{}) {
 }
 
 func expireDueCertificates(app core.App) error {
-	now := time.Now().UTC().Format(time.RFC3339)
+	now := time.Now().UTC()
 	records, err := app.FindRecordsByFilter(
 		"certificates",
-		"status = 'active' && expires_at != '' && expires_at <= {:now}",
+		"status = 'active' && expires_at != ''",
 		"",
 		200,
 		0,
-		map[string]any{"now": now},
+		nil,
 	)
 	if err != nil {
 		return err
 	}
 
-	for _, record := range records {
-		record.Set("status", "expired")
+	for _, record := range markExpiredCertificates(records, now) {
 		if saveErr := app.Save(record); saveErr != nil {
 			log.Printf("[WARN] certs: failed to mark certificate %s expired: %v", record.Id, saveErr)
 		}
@@ -224,6 +234,33 @@ func expireDueCertificates(app core.App) error {
 	return nil
 }
 
+func markExpiredCertificates(records []*core.Record, now time.Time) []*core.Record {
+	expired := make([]*core.Record, 0, len(records))
+	for _, record := range records {
+		if !certificateShouldExpire(record, now) {
+			continue
+		}
+		record.Set("status", "expired")
+		expired = append(expired, record)
+	}
+	return expired
+}
+
+func certificateShouldExpire(record *core.Record, now time.Time) bool {
+	if record == nil || record.GetString("status") != "active" {
+		return false
+	}
+	expiresAt := strings.TrimSpace(record.GetString("expires_at"))
+	if expiresAt == "" {
+		return false
+	}
+	parsed, err := time.Parse(time.RFC3339, expiresAt)
+	if err != nil {
+		return false
+	}
+	return !parsed.After(now)
+}
+
 // checkAndExpire updates status to "expired" if expires_at is in the past
 // and status is still "active". The save is async to avoid blocking the response.
 func actorID(auth *core.Record) string {

backend/domain/certs/hooks_expiry_test.go

@@ -5,61 +5,42 @@ import (
 	"time"
 
 	"github.com/pocketbase/pocketbase/core"
-	"github.com/pocketbase/pocketbase/tests"
-
-	_ "github.com/websoft9/appos/backend/infra/migrations"
 )
 
 func TestExpireDueCertificates(t *testing.T) {
-	app, err := tests.NewTestApp()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer app.Cleanup()
-
-	col, err := app.FindCollectionByNameOrId("certificates")
-	if err != nil {
-		t.Fatal(err)
-	}
+	col := core.NewBaseCollection("certificates")
+	now := time.Now().UTC()
 
 	newCert := func(name, status string, expiresAt time.Time) *core.Record {
 		rec := core.NewRecord(col)
+		rec.Id = name
 		rec.Set("name", name)
 		rec.Set("domain", "test.example.com")
 		rec.Set("kind", "self_signed")
 		rec.Set("status", status)
 		if !expiresAt.IsZero() {
 			rec.Set("expires_at", expiresAt.UTC().Format(time.RFC3339))
 		}
-		if err := app.Save(rec); err != nil {
-			t.Fatalf("save certificate %s: %v", name, err)
-		}
 		return rec
 	}
 
-	expiredActive := newCert("expired-active", "active", time.Now().Add(-2*time.Hour))
-	futureActive := newCert("future-active", "active", time.Now().Add(48*time.Hour))
-	alreadyExpired := newCert("already-expired", "expired", time.Now().Add(-24*time.Hour))
+	expiredActive := newCert("expired-active", "active", now.Add(-2*time.Hour))
+	futureActive := newCert("future-active", "active", now.Add(48*time.Hour))
+	alreadyExpired := newCert("already-expired", "expired", now.Add(-24*time.Hour))
 	noExpires := newCert("no-expires", "active", time.Time{})
 
-	if err := expireDueCertificates(app); err != nil {
-		t.Fatalf("expireDueCertificates returned error: %v", err)
-	}
+	markExpiredCertificates([]*core.Record{expiredActive, futureActive, alreadyExpired, noExpires}, now)
 
-	assertStatus := func(id, want string) {
+	assertStatus := func(rec *core.Record, want string) {
 		t.Helper()
-		rec, findErr := app.FindRecordById("certificates", id)
-		if findErr != nil {
-			t.Fatalf("find certificate %s: %v", id, findErr)
-		}
 		got := rec.GetString("status")
 		if got != want {
-			t.Fatalf("status mismatch for %s: want %q, got %q", id, want, got)
+			t.Fatalf("status mismatch for %s: want %q, got %q", rec.Id, want, got)
 		}
 	}
 
-	assertStatus(expiredActive.Id, "expired")
-	assertStatus(futureActive.Id, "active")
-	assertStatus(alreadyExpired.Id, "expired")
-	assertStatus(noExpires.Id, "active")
+	assertStatus(expiredActive, "expired")
+	assertStatus(futureActive, "active")
+	assertStatus(alreadyExpired, "expired")
+	assertStatus(noExpires, "active")
 }

backend/domain/certs/hooks_test.go

@@ -1,56 +1,47 @@
 package certs
 
 import (
+	"errors"
 	"testing"
 
 	"github.com/pocketbase/pocketbase/core"
-	"github.com/pocketbase/pocketbase/tests"
-
-	_ "github.com/websoft9/appos/backend/infra/migrations"
 )
 
 func TestValidatePrivateKeySecretRef(t *testing.T) {
-	app, err := tests.NewTestApp()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer app.Cleanup()
+	secretCol := core.NewBaseCollection("secrets")
 
-	secretCol, err := app.FindCollectionByNameOrId("secrets")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	newSecret := func(name, templateID, scope, createdBy, status string) string {
+	newSecret := func(name, templateID, status string) *core.Record {
 		t.Helper()
 		rec := core.NewRecord(secretCol)
+		rec.Id = name
 		rec.Set("name", name)
 		rec.Set("template_id", templateID)
-		rec.Set("scope", scope)
-		rec.Set("created_by", createdBy)
 		rec.Set("status", status)
-		if err := app.Save(rec); err != nil {
-			t.Fatalf("save secret %s: %v", name, err)
-		}
-		return rec.Id
+		return rec
 	}
 
 	t.Run("allows empty relation", func(t *testing.T) {
-		if err := validatePrivateKeySecretRef(app, "", "user-1"); err != nil {
+		if err := validatePrivateKeySecretRefWith("", "user-1", func(string, string) error { return nil }, func(string) (*core.Record, error) {
+			return nil, nil
+		}); err != nil {
 			t.Fatalf("expected nil error, got %v", err)
 		}
 	})
 
 	t.Run("accepts accessible tls private key secret", func(t *testing.T) {
-		secretID := newSecret("tls-key", "tls_private_key", "global", "owner-1", "active")
-		if err := validatePrivateKeySecretRef(app, secretID, "user-1"); err != nil {
+		secret := newSecret("tls-key", "tls_private_key", "active")
+		if err := validatePrivateKeySecretRefWith(secret.Id, "user-1", func(string, string) error { return nil }, func(string) (*core.Record, error) {
+			return secret, nil
+		}); err != nil {
 			t.Fatalf("expected nil error, got %v", err)
 		}
 	})
 
 	t.Run("rejects non tls-private-key secret", func(t *testing.T) {
-		secretID := newSecret("token", "single_value", "global", "owner-1", "active")
-		err := validatePrivateKeySecretRef(app, secretID, "user-1")
+		secret := newSecret("token", "single_value", "active")
+		err := validatePrivateKeySecretRefWith(secret.Id, "user-1", func(string, string) error { return nil }, func(string) (*core.Record, error) {
+			return secret, nil
+		})
 		if err == nil {
 			t.Fatal("expected error for non-tls-private-key secret")
 		}
@@ -60,8 +51,12 @@ func TestValidatePrivateKeySecretRef(t *testing.T) {
 	})
 
 	t.Run("rejects inaccessible private secret", func(t *testing.T) {
-		secretID := newSecret("private-tls-key", "tls_private_key", "user_private", "owner-1", "active")
-		err := validatePrivateKeySecretRef(app, secretID, "other-user")
+		secret := newSecret("private-tls-key", "tls_private_key", "active")
+		err := validatePrivateKeySecretRefWith(secret.Id, "other-user", func(string, string) error {
+			return errors.New("denied")
+		}, func(string) (*core.Record, error) {
+			return secret, nil
+		})
 		if err == nil {
 			t.Fatal("expected error for inaccessible secret")
 		}

backend/domain/certs/resolve.go

@@ -28,11 +28,22 @@ var (
 //
 // callerID is used only for audit/logging; pass "" for system calls.
 func ResolveCertificate(app core.App, certID string, callerID string) (*CertMaterial, error) {
+	return resolveCertificateWith(certID, callerID,
+		func(certID string) (*core.Record, error) {
+			return app.FindRecordById("certificates", certID)
+		},
+		func(secretID, callerID string) (*secrets.ResolveResult, error) {
+			return secrets.Resolve(app, secretID, callerID)
+		},
+	)
+}
+
+func resolveCertificateWith(certID string, callerID string, findCertificate func(string) (*core.Record, error), resolveSecret func(string, string) (*secrets.ResolveResult, error)) (*CertMaterial, error) {
 	if strings.TrimSpace(callerID) == "" {
 		callerID = secrets.CreatedSourceSystem
 	}
 
-	record, err := app.FindRecordById("certificates", certID)
+	record, err := findCertificate(certID)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, ErrCertNotFound
@@ -52,7 +63,7 @@ func ResolveCertificate(app core.App, certID string, callerID string) (*CertMate
 	keyPEM := ""
 	secretID := getPrivateKeySecretID(record)
 	if secretID != "" {
-		result, err := secrets.Resolve(app, secretID, callerID)
+		result, err := resolveSecret(secretID, callerID)
 		if err != nil {
 			return nil, fmt.Errorf("resolving private key secret: %w", err)
 		}