From 77aa3c3d6ff0ee0fc6b48ec4c40029f9bc454077 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 14 Apr 2026 18:21:46 +0200
Subject: [PATCH] test: add SensitiveKeysAdminController integration tests
Co-Authored-By: Claude Opus 4.6 (1M context)
---
.../SensitiveKeysAdminControllerIT.java | 120 ++++++++++++++++++
1 file changed, 120 insertions(+)
create mode 100644 cameleer3-server-app/src/test/java/com/cameleer3/server/app/controller/SensitiveKeysAdminControllerIT.java
diff --git a/cameleer3-server-app/src/test/java/com/cameleer3/server/app/controller/SensitiveKeysAdminControllerIT.java b/cameleer3-server-app/src/test/java/com/cameleer3/server/app/controller/SensitiveKeysAdminControllerIT.java
new file mode 100644
index 00000000..884297a5
--- /dev/null
+++ b/cameleer3-server-app/src/test/java/com/cameleer3/server/app/controller/SensitiveKeysAdminControllerIT.java
@@ -0,0 +1,120 @@
+package com.cameleer3.server.app.controller;
+
+import com.cameleer3.server.app.AbstractPostgresIT;
+import com.cameleer3.server.app.TestSecurityHelper;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class SensitiveKeysAdminControllerIT extends AbstractPostgresIT {
+
+ @Autowired
+ private TestRestTemplate restTemplate;
+
+ @Autowired
+ private ObjectMapper objectMapper;
+
+ @Autowired
+ private TestSecurityHelper securityHelper;
+
+ private String adminJwt;
+ private String viewerJwt;
+
+ @BeforeEach
+ void setUp() {
+ adminJwt = securityHelper.adminToken();
+ viewerJwt = securityHelper.viewerToken();
+ jdbcTemplate.update("DELETE FROM server_config WHERE config_key = 'sensitive_keys'");
+ }
+
+ @Test
+ void get_notConfigured_returns204() {
+ ResponseEntity response = restTemplate.exchange(
+ "/api/v1/admin/sensitive-keys", HttpMethod.GET,
+ new HttpEntity<>(securityHelper.authHeadersNoBody(adminJwt)),
+ String.class);
+ assertThat(response.getStatusCode()).isEqualTo(HttpStatus.NO_CONTENT);
+ }
+
+ @Test
+ void get_asViewer_returns403() {
+ ResponseEntity response = restTemplate.exchange(
+ "/api/v1/admin/sensitive-keys", HttpMethod.GET,
+ new HttpEntity<>(securityHelper.authHeadersNoBody(viewerJwt)),
+ String.class);
+ assertThat(response.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
+ }
+
+ @Test
+ void put_savesAndReturnsKeys() throws Exception {
+ String json = """
+ { "keys": ["Authorization", "Cookie", "*password*"] }
+ """;
+ ResponseEntity response = restTemplate.exchange(
+ "/api/v1/admin/sensitive-keys", HttpMethod.PUT,
+ new HttpEntity<>(json, securityHelper.authHeaders(adminJwt)),
+ String.class);
+
+ assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
+ JsonNode body = objectMapper.readTree(response.getBody());
+ assertThat(body.path("keys").size()).isEqualTo(3);
+ assertThat(body.path("keys").get(0).asText()).isEqualTo("Authorization");
+ assertThat(body.path("pushResult").isNull()).isTrue();
+ }
+
+ @Test
+ void put_thenGet_returnsStoredKeys() throws Exception {
+ String json = """
+ { "keys": ["Authorization", "*secret*"] }
+ """;
+ restTemplate.exchange(
+ "/api/v1/admin/sensitive-keys", HttpMethod.PUT,
+ new HttpEntity<>(json, securityHelper.authHeaders(adminJwt)),
+ String.class);
+
+ ResponseEntity getResponse = restTemplate.exchange(
+ "/api/v1/admin/sensitive-keys", HttpMethod.GET,
+ new HttpEntity<>(securityHelper.authHeadersNoBody(adminJwt)),
+ String.class);
+
+ assertThat(getResponse.getStatusCode()).isEqualTo(HttpStatus.OK);
+ JsonNode body = objectMapper.readTree(getResponse.getBody());
+ assertThat(body.path("keys").size()).isEqualTo(2);
+ }
+
+ @Test
+ void put_withPushToAgents_returnsEmptyPushResult() throws Exception {
+ String json = """
+ { "keys": ["Authorization"] }
+ """;
+ ResponseEntity response = restTemplate.exchange(
+ "/api/v1/admin/sensitive-keys?pushToAgents=true", HttpMethod.PUT,
+ new HttpEntity<>(json, securityHelper.authHeaders(adminJwt)),
+ String.class);
+
+ assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
+ JsonNode body = objectMapper.readTree(response.getBody());
+ assertThat(body.path("pushResult").path("total").asInt()).isEqualTo(0);
+ }
+
+ @Test
+ void put_asViewer_returns403() {
+ String json = """
+ { "keys": ["Authorization"] }
+ """;
+ ResponseEntity response = restTemplate.exchange(
+ "/api/v1/admin/sensitive-keys", HttpMethod.PUT,
+ new HttpEntity<>(json, securityHelper.authHeaders(viewerJwt)),
+ String.class);
+ assertThat(response.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
+ }
+}
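Review bot: `put_asViewer_returns403` asserts only the status code, so a handler that persisted the keys before the role check rejected the request would still pass. Since `setUp` already clears the row, add `assertThat(jdbcTemplate.queryForObject("SELECT count(*) FROM server_config WHERE config_key = 'sensitive_keys'", Integer.class)).isZero();` after the 403 assertion to pin that a forbidden write leaves no state behind. The access-control cases also stop at the viewer role: neither GET nor PUT on `/api/v1/admin/sensitive-keys` is exercised without a token, so an accidentally permitted anonymous route would go unnoticed. A pair of tests sending no Authorization header, expecting whatever rejection status the security configuration defines (presumably 401), would close that gap. `put_withPushToAgents_returnsEmptyPushResult` expects `total` to be 0, which appears to rely on no agents being registered in the test context; a one-line comment such as `// no agents are registered in this context, so the push reaches none` would make that assumption explicit.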