smartproxy/test/test.certificate-provisioning.ts

import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
import { expect, tap } from '@git.zone/tstest/tapbundle';

const testProxy = new SmartProxy({
  routes: [{
    name: 'test-route',
    match: { ports: 443, domains: 'test.example.com' },
    action: {
      type: 'forward',
      target: { host: 'localhost', port: 8080 },
      tls: {
        mode: 'terminate',
        certificate: 'auto',
        acme: {
          email: 'test@example.com',
          useProduction: false
        }
      }
    }
  }]
});

tap.test('should provision certificate automatically', async () => {
  await testProxy.start();
  
  // Wait for certificate provisioning
  await new Promise(resolve => setTimeout(resolve, 5000));
  
  const status = testProxy.getCertificateStatus('test-route');
  expect(status).toBeDefined();
  expect(status.status).toEqual('valid');
  expect(status.source).toEqual('acme');
  
  await testProxy.stop();
});

tap.test('should handle static certificates', async () => {
  const proxy = new SmartProxy({
    routes: [{
      name: 'static-route',
      match: { ports: 443, domains: 'static.example.com' },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8080 },
        tls: {
          mode: 'terminate',
          certificate: {
            cert: '-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----',
            key: '-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----'
          }
        }
      }
    }]
  });
  
  await proxy.start();
  
  const status = proxy.getCertificateStatus('static-route');
  expect(status).toBeDefined();
  expect(status.status).toEqual('valid');
  expect(status.source).toEqual('static');
  
  await proxy.stop();
});

tap.test('should handle ACME challenge routes', async () => {
  const proxy = new SmartProxy({
    routes: [{
      name: 'auto-cert-route',
      match: { ports: 443, domains: 'acme.example.com' },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8080 },
        tls: {
          mode: 'terminate',
          certificate: 'auto',
          acme: {
            email: 'acme@example.com',
            useProduction: false,
            challengePort: 80
          }
        }
      }
    }, {
      name: 'port-80-route',
      match: { ports: 80, domains: 'acme.example.com' },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8080 }
      }
    }]
  });
  
  await proxy.start();
  
  // The SmartCertManager should automatically add challenge routes
  // Let's verify the route manager sees them
  const routes = proxy.routeManager.getAllRoutes();
  const challengeRoute = routes.find(r => r.name === 'acme-challenge');
  
  expect(challengeRoute).toBeDefined();
  expect(challengeRoute?.match.path).toEqual('/.well-known/acme-challenge/*');
  expect(challengeRoute?.priority).toEqual(1000);
  
  await proxy.stop();
});

tap.test('should renew certificates', async () => {
  const proxy = new SmartProxy({
    routes: [{
      name: 'renew-route',
      match: { ports: 443, domains: 'renew.example.com' },
      action: {
        type: 'forward',
        target: { host: 'localhost', port: 8080 },
        tls: {
          mode: 'terminate',
          certificate: 'auto',
          acme: {
            email: 'renew@example.com',
            useProduction: false,
            renewBeforeDays: 30
          }
        }
      }
    }]
  });
  
  await proxy.start();
  
  // Force renewal
  await proxy.renewCertificate('renew-route');
  
  const status = proxy.getCertificateStatus('renew-route');
  expect(status).toBeDefined();
  expect(status.status).toEqual('valid');
  
  await proxy.stop();
});

tap.start();