fix: renforcer limites TLS, timeouts socket et validation config

Co-authored-by: aider (openrouter/openai/gpt-5.3-codex) <aider@aider.chat>
2026-02-28 20:01:39 +01:00
parent b15c20b4cc
commit c7e8fe874f
7 changed files with 618 additions and 64 deletions
--- a/internal/output/writers_test.go
+++ b/internal/output/writers_test.go
@ -4,9 +4,11 @@ import (
 	"bufio"
 	"bytes"
 	"encoding/json"
+	"errors"
 	"net"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@ -238,6 +240,112 @@ func TestUnixSocketWriter(t *testing.T) {
 	writer.Close()
 }

+func TestUnixSocketWriter_Write_NonexistentSocket_ReturnsQuickly(t *testing.T) {
+	socketPath := filepath.Join(t.TempDir(), "ja4sentinel_missing.sock")
+	writer, err := NewUnixSocketWriter(socketPath)
+	if err != nil {
+		t.Fatalf("NewUnixSocketWriter() error = %v", err)
+	}
+	defer writer.Close()
+
+	start := time.Now()
+	err = writer.Write(api.LogRecord{
+		SrcIP:   "192.168.1.10",
+		SrcPort: 44444,
+		DstIP:   "10.0.0.10",
+		DstPort: 443,
+	})
+	elapsed := time.Since(start)
+
+	if err == nil {
+		t.Fatal("Write() should fail for non-existent socket")
+	}
+	if elapsed >= 3*time.Second {
+		t.Fatalf("Write() took too long: %v (expected < 3s)", elapsed)
+	}
+}
+
+type timeoutError struct{}
+
+func (timeoutError) Error() string   { return "i/o timeout" }
+func (timeoutError) Timeout() bool   { return true }
+func (timeoutError) Temporary() bool { return true }
+
+type mockAddr string
+
+func (a mockAddr) Network() string { return "unix" }
+func (a mockAddr) String() string  { return string(a) }
+
+type mockConn struct {
+	writeCalls              int
+	closeCalled             bool
+	setWriteDeadlineCalled  bool
+	setReadDeadlineCalled   bool
+	setAnyDeadlineWasCalled bool
+}
+
+func (m *mockConn) Read(_ []byte) (int, error) { return 0, errors.New("not implemented") }
+
+func (m *mockConn) Write(_ []byte) (int, error) {
+	m.writeCalls++
+	return 0, timeoutError{}
+}
+
+func (m *mockConn) Close() error {
+	m.closeCalled = true
+	return nil
+}
+
+func (m *mockConn) LocalAddr() net.Addr  { return mockAddr("local") }
+func (m *mockConn) RemoteAddr() net.Addr { return mockAddr("remote") }
+
+func (m *mockConn) SetDeadline(_ time.Time) error {
+	m.setAnyDeadlineWasCalled = true
+	return nil
+}
+
+func (m *mockConn) SetReadDeadline(_ time.Time) error {
+	m.setReadDeadlineCalled = true
+	return nil
+}
+
+func (m *mockConn) SetWriteDeadline(_ time.Time) error {
+	m.setWriteDeadlineCalled = true
+	return nil
+}
+
+func TestUnixSocketWriter_Write_UsesWriteDeadline(t *testing.T) {
+	mc := &mockConn{}
+	writer := &UnixSocketWriter{
+		socketPath:   filepath.Join(t.TempDir(), "missing.sock"),
+		conn:         mc,
+		dialTimeout:  100 * time.Millisecond,
+		writeTimeout: 100 * time.Millisecond,
+	}
+
+	err := writer.Write(api.LogRecord{
+		SrcIP:   "192.168.1.20",
+		SrcPort: 55555,
+		DstIP:   "10.0.0.20",
+		DstPort: 443,
+	})
+	if err == nil {
+		t.Fatal("Write() should fail because reconnect target does not exist")
+	}
+	if !mc.setWriteDeadlineCalled {
+		t.Fatal("expected SetWriteDeadline to be called before write")
+	}
+	if !mc.closeCalled {
+		t.Fatal("expected connection to be closed after first write failure")
+	}
+	if mc.writeCalls != 1 {
+		t.Fatalf("expected exactly 1 write on initial conn, got %d", mc.writeCalls)
+	}
+	if !strings.Contains(err.Error(), "reconnect failed") {
+		t.Fatalf("expected reconnect failure error, got: %v", err)
+	}
+}
+
 type unixTestServer struct {
 	listener net.Listener
 	received chan string