test: add PathCache LRU and server security-defaults coverage

- Add TestPathCache_BoundedLRU: Len() never exceeds maxEntries after overflow
- Add TestPathCache_LookupPromotesEntry: LRU promotion keeps touched keys
- Add TestPathCache_FlushClearsAll: Purge empties cache completely
- Add TestPathCache_DefaultSizeOnZero: fallback to DefaultPathCacheSize
- Add TestNew_HTTPOnly_SecurityDefaults: Name, MaxRequestBodySize, MaxConnsPerIP
- Add TestNew_TLS_SecurityDefaults: same checks on both HTTP and HTTPS servers
- Add TestNew_MaxConnsPerIP_Zero: disabled state passes through correctly

Author: jkyberneees

internal/security/security_test.go

@@ -2,6 +2,7 @@ package security_test
 
 import (
 	"errors"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
@@ -383,6 +384,112 @@ func TestMiddleware_CORS_NoCORSConfigured(t *testing.T) {
 	}
 }
 
+// ---------------------------------------------------------------------------
+// PathCache bounded LRU behaviour (SEC-001)
+// ---------------------------------------------------------------------------
+
+func TestPathCache_BoundedLRU(t *testing.T) {
+	const maxEntries = 8
+
+	pc := security.NewPathCache(maxEntries)
+
+	// Fill the cache to capacity.
+	for i := 0; i < maxEntries; i++ {
+		key := fmt.Sprintf("/page/%d", i)
+		pc.Store(key, "/safe/"+key)
+	}
+	if pc.Len() != maxEntries {
+		t.Fatalf("Len() = %d after filling, want %d", pc.Len(), maxEntries)
+	}
+
+	// Insert more entries — Len() must never exceed maxEntries.
+	overflow := maxEntries * 3
+	for i := maxEntries; i < maxEntries+overflow; i++ {
+		key := fmt.Sprintf("/page/%d", i)
+		pc.Store(key, "/safe/"+key)
+		if pc.Len() > maxEntries {
+			t.Fatalf("Len() = %d after inserting key %q, exceeds max %d",
+				pc.Len(), key, maxEntries)
+		}
+	}
+
+	// Recently-used keys should still be retrievable.
+	lastKey := fmt.Sprintf("/page/%d", maxEntries+overflow-1)
+	if val, ok := pc.Lookup(lastKey); !ok {
+		t.Errorf("recently-inserted key %q missing from cache", lastKey)
+	} else if val != "/safe/"+lastKey {
+		t.Errorf("Lookup(%q) = %q, want %q", lastKey, val, "/safe/"+lastKey)
+	}
+
+	// Oldest keys (from the first batch) should have been evicted.
+	oldKey := "/page/0"
+	if _, ok := pc.Lookup(oldKey); ok {
+		t.Errorf("oldest key %q should have been evicted but was found", oldKey)
+	}
+}
+
+func TestPathCache_LookupPromotesEntry(t *testing.T) {
+	const maxEntries = 4
+
+	pc := security.NewPathCache(maxEntries)
+
+	// Fill to capacity: keys /a, /b, /c, /d (in insertion order).
+	for _, k := range []string{"/a", "/b", "/c", "/d"} {
+		pc.Store(k, "/safe"+k)
+	}
+
+	// Touch /a so it becomes most-recently-used.
+	if _, ok := pc.Lookup("/a"); !ok {
+		t.Fatal("/a should be in cache")
+	}
+
+	// Insert two new keys to force two evictions.
+	pc.Store("/e", "/safe/e")
+	pc.Store("/f", "/safe/f")
+
+	// /a should survive (it was promoted by the Lookup).
+	if _, ok := pc.Lookup("/a"); !ok {
+		t.Error("/a should still be in cache after promotion, but was evicted")
+	}
+	// /b should have been evicted (oldest untouched).
+	if _, ok := pc.Lookup("/b"); ok {
+		t.Error("/b should have been evicted but was found")
+	}
+}
+
+func TestPathCache_FlushClearsAll(t *testing.T) {
+	pc := security.NewPathCache(16)
+	for i := 0; i < 10; i++ {
+		pc.Store(fmt.Sprintf("/k%d", i), fmt.Sprintf("/v%d", i))
+	}
+	if pc.Len() != 10 {
+		t.Fatalf("Len() = %d before Flush, want 10", pc.Len())
+	}
+
+	pc.Flush()
+
+	if pc.Len() != 0 {
+		t.Errorf("Len() = %d after Flush, want 0", pc.Len())
+	}
+	if _, ok := pc.Lookup("/k0"); ok {
+		t.Error("Lookup should miss after Flush")
+	}
+}
+
+func TestPathCache_DefaultSizeOnZero(t *testing.T) {
+	// Passing 0 should fall back to DefaultPathCacheSize.
+	pc := security.NewPathCache(0)
+	// We can't easily assert the internal capacity, but we can verify it
+	// accepts at least DefaultPathCacheSize entries without panicking and
+	// that Len() grows correctly.
+	for i := 0; i < security.DefaultPathCacheSize; i++ {
+		pc.Store(fmt.Sprintf("/%d", i), fmt.Sprintf("/v/%d", i))
+	}
+	if pc.Len() != security.DefaultPathCacheSize {
+		t.Errorf("Len() = %d, want %d", pc.Len(), security.DefaultPathCacheSize)
+	}
+}
+
 // ---------------------------------------------------------------------------
 // Additional PathSafe edge cases
 // ---------------------------------------------------------------------------

internal/server/server_test.go

@@ -97,3 +97,106 @@ func TestRedirectAuthorityRejectsInvalidConfiguredHost(t *testing.T) {
 		t.Fatal("redirectAuthority accepted invalid configured host")
 	}
 }
+
+// ---------------------------------------------------------------------------
+// Security-hardening defaults on fasthttp.Server (SEC-007, SEC-014, SEC-015)
+// ---------------------------------------------------------------------------
+
+func TestNew_HTTPOnly_SecurityDefaults(t *testing.T) {
+	cfg := &config.ServerConfig{
+		Addr:          ":8080",
+		MaxConnsPerIP: 50,
+	}
+	handler := func(ctx *fasthttp.RequestCtx) {
+		ctx.SetStatusCode(fasthttp.StatusOK)
+	}
+
+	s := New(cfg, nil, handler)
+
+	// SEC-007: Server name must be empty to suppress identity disclosure.
+	if s.http.Name != "" {
+		t.Errorf("HTTP Name = %q, want empty (SEC-007)", s.http.Name)
+	}
+
+	// SEC-014: MaxRequestBodySize must be 1024 (small explicit limit).
+	if s.http.MaxRequestBodySize != 1024 {
+		t.Errorf("HTTP MaxRequestBodySize = %d, want 1024 (SEC-014)", s.http.MaxRequestBodySize)
+	}
+
+	// SEC-015: MaxConnsPerIP must match configuration.
+	if s.http.MaxConnsPerIP != 50 {
+		t.Errorf("HTTP MaxConnsPerIP = %d, want 50 (SEC-015)", s.http.MaxConnsPerIP)
+	}
+
+	// No HTTPS server when TLS is not configured.
+	if s.https != nil {
+		t.Error("https server should be nil when TLS is not configured")
+	}
+}
+
+func TestNew_TLS_SecurityDefaults(t *testing.T) {
+	cfg := &config.ServerConfig{
+		Addr:          ":8080",
+		TLSAddr:       ":8443",
+		TLSCert:       "dummy.crt",
+		TLSKey:        "dummy.key",
+		RedirectHost:  "example.com",
+		MaxConnsPerIP: 100,
+	}
+	handler := func(ctx *fasthttp.RequestCtx) {
+		ctx.SetStatusCode(fasthttp.StatusOK)
+	}
+
+	s := New(cfg, nil, handler)
+
+	// --- HTTP server (redirect handler) ---
+
+	if s.http.Name != "" {
+		t.Errorf("HTTP Name = %q, want empty (SEC-007)", s.http.Name)
+	}
+	if s.http.MaxRequestBodySize != 1024 {
+		t.Errorf("HTTP MaxRequestBodySize = %d, want 1024 (SEC-014)", s.http.MaxRequestBodySize)
+	}
+	if s.http.MaxConnsPerIP != 100 {
+		t.Errorf("HTTP MaxConnsPerIP = %d, want 100 (SEC-015)", s.http.MaxConnsPerIP)
+	}
+
+	// --- HTTPS server ---
+
+	if s.https == nil {
+		t.Fatal("https server should not be nil when TLS is configured")
+	}
+	if s.https.Name != "" {
+		t.Errorf("HTTPS Name = %q, want empty (SEC-007)", s.https.Name)
+	}
+	if s.https.MaxRequestBodySize != 1024 {
+		t.Errorf("HTTPS MaxRequestBodySize = %d, want 1024 (SEC-014)", s.https.MaxRequestBodySize)
+	}
+	if s.https.MaxConnsPerIP != 100 {
+		t.Errorf("HTTPS MaxConnsPerIP = %d, want 100 (SEC-015)", s.https.MaxConnsPerIP)
+	}
+
+	// TLS config must be present with minimum TLS 1.2.
+	if s.https.TLSConfig == nil {
+		t.Fatal("HTTPS TLSConfig should not be nil")
+	}
+	if s.https.TLSConfig.MinVersion != 0x0303 { // tls.VersionTLS12
+		t.Errorf("HTTPS TLS MinVersion = %#x, want %#x (TLS 1.2)", s.https.TLSConfig.MinVersion, 0x0303)
+	}
+}
+
+func TestNew_MaxConnsPerIP_Zero(t *testing.T) {
+	cfg := &config.ServerConfig{
+		Addr:          ":8080",
+		MaxConnsPerIP: 0, // disabled
+	}
+	handler := func(ctx *fasthttp.RequestCtx) {
+		ctx.SetStatusCode(fasthttp.StatusOK)
+	}
+
+	s := New(cfg, nil, handler)
+
+	if s.http.MaxConnsPerIP != 0 {
+		t.Errorf("HTTP MaxConnsPerIP = %d, want 0 (disabled)", s.http.MaxConnsPerIP)
+	}
+}