Add example environment configuration and Docker Compose setup
CI / Go Tests (push) Failing after 9s
CI / Build (push) Successful in 9s
Format / gofmt (push) Successful in 7s
Release Artifacts / Validate release tag (push) Successful in 1s
Release Artifacts / Build and release executables (push) Failing after 8s
Release Artifacts / Build and release Docker image (push) Has been skipped

- Introduced a new `.env.example` file to provide a template for environment variables used by the Scratchbox server.
- Added a `docker-compose.example.yml` file to facilitate easy deployment of the Scratchbox service with Docker.
- Updated `docker-entrypoint.sh` to enforce environment variable settings for server configuration.
- Removed the generation of a config key file from the workflow, simplifying the configuration process.
- Adjusted the README.md to reflect changes in configuration management and usage instructions.
This commit is contained in:
2026-06-01 04:36:53 -05:00
parent f74e028227
commit bc9077660b
10 changed files with 672 additions and 112 deletions
+208 -32
View File
@@ -5,6 +5,7 @@ import (
"encoding/base64"
"errors"
"fmt"
"io/fs"
"net/netip"
"os"
"path/filepath"
@@ -31,8 +32,7 @@ const (
defaultRawCacheMaxEntries = 32
defaultDataDir = "./data"
defaultCleanupInterval = "1m"
defaultStorageEncryptionKey = "vVPlqMfKa8OtD3x0RKp4rVCJ4QoScf5mWdgfg4f+5GU="
defaultEncryptionKeyFile = "config.key"
dataDirEncryptionKeyFilename = "metadata.key"
defaultUIRateLimitEnabled = false
defaultAPIReadRateLimitEnabled = false
defaultAPIWriteRateLimitEnabled = true
@@ -44,6 +44,7 @@ const (
defaultAPIWriteRateLimitBurst = 10
maxDefaultTTLLimit = 24 * time.Hour
minCleanupInterval = 10 * time.Second
envPrefix = "SCRATCHBOX_"
)
type Config struct {
@@ -88,7 +89,6 @@ type LimitsConfig struct {
type StorageConfig struct {
DataDir string `yaml:"data_dir" comment:"Directory where scratch files and metadata are stored."`
CleanupInterval string `yaml:"cleanup_interval" comment:"How often expired scratches are deleted (minimum 10s)."`
EncryptionKeyFile string `yaml:"encryption_key_file" comment:"Path to a file containing a base64-encoded 32-byte AES key for at-rest encryption. Relative paths are resolved from the config file directory."`
CleanupIntervalParsed time.Duration `yaml:"-"`
EncryptionKeyBytes []byte `yaml:"-"`
}
@@ -121,10 +121,17 @@ func Load(path string) (Config, error) {
return Config{}, fmt.Errorf("parse config yaml: %w", err)
}
}
if err := cfg.loadEncryptionKey(path); err != nil {
if err := cfg.Validate(); err != nil {
return Config{}, err
}
return cfg, nil
}
func LoadFromEnv() (Config, error) {
cfg := defaults()
if err := cfg.applyEnvOverrides(envPrefix); err != nil {
return Config{}, err
}
if err := cfg.Validate(); err != nil {
return Config{}, err
}
@@ -157,10 +164,8 @@ func defaults() Config {
RawCacheMaxEntries: defaultRawCacheMaxEntries,
},
Storage: StorageConfig{
DataDir: defaultDataDir,
CleanupInterval: defaultCleanupInterval,
EncryptionKeyFile: defaultEncryptionKeyFile,
EncryptionKeyBytes: mustDecodeDefaultEncryptionKey(),
DataDir: defaultDataDir,
CleanupInterval: defaultCleanupInterval,
},
Security: SecurityConfig{
AllowedIPs: []string{
@@ -276,12 +281,14 @@ func (c *Config) Validate() error {
if err := ensureWritableDir(c.Storage.DataDir); err != nil {
return fmt.Errorf("storage.data_dir not writable: %w", err)
}
if strings.TrimSpace(c.Storage.EncryptionKeyFile) == "" {
return errors.New("storage.encryption_key_file is required")
encKey, err := ensureEncryptionKeyInDataDir(c.Storage.DataDir)
if err != nil {
return fmt.Errorf("storage encryption key setup failed: %w", err)
}
if len(c.Storage.EncryptionKeyBytes) != 32 {
return fmt.Errorf("storage.encryption_key_file must decode to 32 bytes, got %d", len(c.Storage.EncryptionKeyBytes))
if len(encKey) != 32 {
return fmt.Errorf("storage encryption key must decode to 32 bytes, got %d", len(encKey))
}
c.Storage.EncryptionKeyBytes = encKey
prefixes, err := parseAllowedPrefixes(c.Security.AllowedIPs)
if err != nil {
@@ -419,27 +426,56 @@ func GenerateEncryptionKey() (string, error) {
return base64.StdEncoding.EncodeToString(raw), nil
}
func (c *Config) loadEncryptionKey(configPath string) error {
if configPath == "" {
return nil
}
keyPath := strings.TrimSpace(c.Storage.EncryptionKeyFile)
if keyPath == "" {
return errors.New("storage.encryption_key_file is required")
}
if !filepath.IsAbs(keyPath) {
keyPath = filepath.Join(filepath.Dir(configPath), keyPath)
}
func ensureEncryptionKeyInDataDir(dataDir string) ([]byte, error) {
keyPath := filepath.Join(dataDir, dataDirEncryptionKeyFilename)
keyRaw, err := os.ReadFile(keyPath)
if err != nil {
return fmt.Errorf("read storage.encryption_key_file %q: %w", keyPath, err)
if !errors.Is(err, os.ErrNotExist) {
return nil, fmt.Errorf("read %q: %w", keyPath, err)
}
hasFiles, checkErr := dataDirContainsFiles(dataDir, keyPath)
if checkErr != nil {
return nil, fmt.Errorf("scan %q for existing files: %w", dataDir, checkErr)
}
if hasFiles {
return nil, fmt.Errorf("refusing to generate missing %q because %q contains files; restore the original key file to avoid data corruption", dataDirEncryptionKeyFilename, dataDir)
}
generated, genErr := GenerateEncryptionKey()
if genErr != nil {
return nil, fmt.Errorf("generate key: %w", genErr)
}
if writeErr := os.WriteFile(keyPath, []byte(generated+"\n"), 0o600); writeErr != nil {
return nil, fmt.Errorf("write %q: %w", keyPath, writeErr)
}
return decodeEncryptionKey(generated)
}
encKey, err := decodeEncryptionKey(strings.TrimSpace(string(keyRaw)))
if err != nil {
return fmt.Errorf("storage.encryption_key_file invalid: %w", err)
return nil, fmt.Errorf("%q invalid: %w", keyPath, err)
}
c.Storage.EncryptionKeyBytes = encKey
return nil
return encKey, nil
}
func dataDirContainsFiles(dataDir string, keyPath string) (bool, error) {
keyPath = filepath.Clean(keyPath)
foundFile := false
err := filepath.WalkDir(dataDir, func(path string, d fs.DirEntry, walkErr error) error {
if walkErr != nil {
return walkErr
}
if d.IsDir() {
return nil
}
if filepath.Clean(path) == keyPath {
return nil
}
foundFile = true
return fs.SkipAll
})
if err != nil && !errors.Is(err, fs.SkipAll) {
return false, err
}
return foundFile, nil
}
func decodeEncryptionKey(raw string) ([]byte, error) {
@@ -456,10 +492,150 @@ func decodeEncryptionKey(raw string) ([]byte, error) {
return encKey, nil
}
func mustDecodeDefaultEncryptionKey() []byte {
encKey, err := decodeEncryptionKey(defaultStorageEncryptionKey)
if err != nil {
panic(fmt.Sprintf("invalid built-in encryption key: %v", err))
func (c *Config) applyEnvOverrides(prefix string) error {
if err := applyStringEnv(prefix+"SERVER_LISTEN_ADDR", &c.Server.ListenAddr); err != nil {
return err
}
return encKey
if err := applyStringEnv(prefix+"SERVER_READ_HEADER_TIMEOUT", &c.Server.ReadHeaderTimeout); err != nil {
return err
}
if err := applyStringEnv(prefix+"SERVER_READ_TIMEOUT", &c.Server.ReadTimeout); err != nil {
return err
}
if err := applyStringEnv(prefix+"SERVER_WRITE_TIMEOUT", &c.Server.WriteTimeout); err != nil {
return err
}
if err := applyStringEnv(prefix+"SERVER_IDLE_TIMEOUT", &c.Server.IdleTimeout); err != nil {
return err
}
if err := applyIntEnv(prefix+"SERVER_MAX_HEADER_BYTES", &c.Server.MaxHeaderBytes); err != nil {
return err
}
if err := applyBoolEnv(prefix+"SERVER_ACCESS_LOG_ENABLED", &c.Server.AccessLog.Enabled); err != nil {
return err
}
if err := applyStringEnv(prefix+"SERVER_ACCESS_LOG_FILE_PATH", &c.Server.AccessLog.FilePath); err != nil {
return err
}
if err := applyStringEnv(prefix+"SERVER_ACCESS_LOG_MAX_SIZE", &c.Server.AccessLog.MaxSize); err != nil {
return err
}
if err := applyIntEnv(prefix+"SERVER_ACCESS_LOG_MAX_BACKUPS", &c.Server.AccessLog.MaxBackups); err != nil {
return err
}
if err := applyStringEnv(prefix+"LIMITS_MAX_UPLOAD_SIZE", &c.Limits.MaxUploadSize); err != nil {
return err
}
if err := applyStringEnv(prefix+"LIMITS_DEFAULT_TTL", &c.Limits.DefaultTTL); err != nil {
return err
}
if err := applyStringEnv(prefix+"LIMITS_RAW_CACHE_MAX_SIZE", &c.Limits.RawCacheMaxSize); err != nil {
return err
}
if err := applyIntEnv(prefix+"LIMITS_RAW_CACHE_MAX_ENTRIES", &c.Limits.RawCacheMaxEntries); err != nil {
return err
}
if err := applyStringEnv(prefix+"STORAGE_DATA_DIR", &c.Storage.DataDir); err != nil {
return err
}
if err := applyStringEnv(prefix+"STORAGE_CLEANUP_INTERVAL", &c.Storage.CleanupInterval); err != nil {
return err
}
applyListEnv(prefix+"SECURITY_ALLOWED_IPS", &c.Security.AllowedIPs)
if err := applyBoolEnv(prefix+"SECURITY_TRUST_PROXY_HEADERS", &c.Security.TrustProxyHeaders); err != nil {
return err
}
applyListEnv(prefix+"SECURITY_TRUSTED_PROXY_IPS", &c.Security.TrustedProxyIPs)
if err := applyBoolEnv(prefix+"SECURITY_RATE_LIMIT_UI_ENABLED", &c.Security.RateLimitUI.Enabled); err != nil {
return err
}
if err := applyIntEnv(prefix+"SECURITY_RATE_LIMIT_UI_REQUESTS_PER_MINUTE", &c.Security.RateLimitUI.RequestsPerMinute); err != nil {
return err
}
if err := applyIntEnv(prefix+"SECURITY_RATE_LIMIT_UI_BURST", &c.Security.RateLimitUI.Burst); err != nil {
return err
}
if err := applyBoolEnv(prefix+"SECURITY_RATE_LIMIT_API_READ_ENABLED", &c.Security.RateLimitAPIRead.Enabled); err != nil {
return err
}
if err := applyIntEnv(prefix+"SECURITY_RATE_LIMIT_API_READ_REQUESTS_PER_MINUTE", &c.Security.RateLimitAPIRead.RequestsPerMinute); err != nil {
return err
}
if err := applyIntEnv(prefix+"SECURITY_RATE_LIMIT_API_READ_BURST", &c.Security.RateLimitAPIRead.Burst); err != nil {
return err
}
if err := applyBoolEnv(prefix+"SECURITY_RATE_LIMIT_API_WRITE_ENABLED", &c.Security.RateLimitAPIWrite.Enabled); err != nil {
return err
}
if err := applyIntEnv(prefix+"SECURITY_RATE_LIMIT_API_WRITE_REQUESTS_PER_MINUTE", &c.Security.RateLimitAPIWrite.RequestsPerMinute); err != nil {
return err
}
if err := applyIntEnv(prefix+"SECURITY_RATE_LIMIT_API_WRITE_BURST", &c.Security.RateLimitAPIWrite.Burst); err != nil {
return err
}
return nil
}
func applyStringEnv(name string, target *string) error {
value, ok := os.LookupEnv(name)
if !ok {
return nil
}
*target = strings.TrimSpace(value)
return nil
}
func applyBoolEnv(name string, target *bool) error {
value, ok := os.LookupEnv(name)
if !ok {
return nil
}
parsed, err := strconv.ParseBool(strings.TrimSpace(value))
if err != nil {
return fmt.Errorf("%s invalid bool: %w", name, err)
}
*target = parsed
return nil
}
func applyIntEnv(name string, target *int) error {
value, ok := os.LookupEnv(name)
if !ok {
return nil
}
parsed, err := strconv.Atoi(strings.TrimSpace(value))
if err != nil {
return fmt.Errorf("%s invalid int: %w", name, err)
}
*target = parsed
return nil
}
func applyListEnv(name string, target *[]string) {
value, ok := os.LookupEnv(name)
if !ok {
return
}
if strings.TrimSpace(value) == "" {
*target = nil
return
}
parts := strings.Split(value, ",")
out := make([]string, 0, len(parts))
for _, part := range parts {
item := strings.TrimSpace(part)
if item == "" {
continue
}
out = append(out, item)
}
*target = out
}
+147 -25
View File
@@ -76,7 +76,6 @@ func TestLoadParsesConfiguredFields(t *testing.T) {
tmp := t.TempDir()
dataDir := filepath.Join(tmp, "store")
configPath := filepath.Join(tmp, "config.yaml")
keyPath := filepath.Join(tmp, "scratchbox.key")
content := `
server:
listen_addr: "127.0.0.1:9090"
@@ -98,7 +97,6 @@ limits:
storage:
data_dir: "` + dataDir + `"
cleanup_interval: "45s"
encryption_key_file: "` + filepath.Base(keyPath) + `"
security:
allowed_ips:
- "127.0.0.1"
@@ -122,9 +120,6 @@ security:
if err := os.WriteFile(configPath, []byte(content), 0o644); err != nil {
t.Fatalf("WriteFile() error = %v", err)
}
if err := os.WriteFile(keyPath, []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"), 0o600); err != nil {
t.Fatalf("WriteFile(key) error = %v", err)
}
cfg, err := Load(configPath)
if err != nil {
@@ -176,8 +171,8 @@ security:
if len(cfg.Storage.EncryptionKeyBytes) != 32 {
t.Fatalf("EncryptionKeyBytes length = %d, want 32", len(cfg.Storage.EncryptionKeyBytes))
}
if cfg.Storage.EncryptionKeyBytes[0] != 0 {
t.Fatalf("EncryptionKeyBytes[0] = %d, want 0", cfg.Storage.EncryptionKeyBytes[0])
if _, err := os.Stat(filepath.Join(dataDir, dataDirEncryptionKeyFilename)); err != nil {
t.Fatalf("expected data-dir key file to exist: %v", err)
}
if !cfg.Security.TrustProxyHeaders {
t.Fatalf("TrustProxyHeaders = false, want true")
@@ -362,20 +357,6 @@ func TestValidateRejectsInvalidValues(t *testing.T) {
},
wantErr: "storage.cleanup_interval",
},
{
name: "encryption key file required",
mutate: func(cfg *Config) {
cfg.Storage.EncryptionKeyFile = " "
},
wantErr: "storage.encryption_key_file is required",
},
{
name: "encryption key bytes invalid length",
mutate: func(cfg *Config) {
cfg.Storage.EncryptionKeyBytes = []byte("short")
},
wantErr: "storage.encryption_key_file must decode to 32 bytes",
},
{
name: "invalid ui rate limit rpm",
mutate: func(cfg *Config) {
@@ -447,20 +428,161 @@ storage:
t.Fatalf("WriteFile(valid config) error = %v", err)
}
_, err = Load(validConfigPath)
if err == nil || !strings.Contains(err.Error(), "read storage.encryption_key_file") {
t.Fatalf("Load() error = %v, want missing key file error", err)
if err != nil {
t.Fatalf("Load() error = %v, want nil", err)
}
keyPath := filepath.Join(tmp, "config.key")
keyPath := filepath.Join(tmp, "store", dataDirEncryptionKeyFilename)
if err := os.WriteFile(keyPath, []byte("not-base64"), 0o600); err != nil {
t.Fatalf("WriteFile(invalid key) error = %v", err)
}
_, err = Load(validConfigPath)
if err == nil || !strings.Contains(err.Error(), "storage.encryption_key_file invalid: invalid base64") {
if err == nil || !strings.Contains(err.Error(), "storage encryption key setup failed") {
t.Fatalf("Load() error = %v, want invalid key base64 error", err)
}
}
func TestLoadFailsWhenKeyMissingAndDataFilesExist(t *testing.T) {
t.Parallel()
tmp := t.TempDir()
dataDir := filepath.Join(tmp, "store")
scratchesDir := filepath.Join(dataDir, "scratches")
if err := os.MkdirAll(scratchesDir, 0o755); err != nil {
t.Fatalf("MkdirAll() error = %v", err)
}
if err := os.WriteFile(filepath.Join(scratchesDir, "existing-scratch"), []byte("payload"), 0o600); err != nil {
t.Fatalf("WriteFile() error = %v", err)
}
configPath := filepath.Join(tmp, "config.yaml")
configRaw := `
storage:
data_dir: "` + dataDir + `"
cleanup_interval: "10s"
`
if err := os.WriteFile(configPath, []byte(configRaw), 0o644); err != nil {
t.Fatalf("WriteFile(config) error = %v", err)
}
_, err := Load(configPath)
if err == nil || !strings.Contains(err.Error(), "refusing to generate missing") {
t.Fatalf("Load() error = %v, want missing-key safety error", err)
}
}
func TestLoadFromEnvParsesConfiguredFields(t *testing.T) {
dataDir := filepath.Join(t.TempDir(), "store")
t.Setenv("SCRATCHBOX_SERVER_LISTEN_ADDR", "127.0.0.1:19090")
t.Setenv("SCRATCHBOX_SERVER_READ_HEADER_TIMEOUT", "6s")
t.Setenv("SCRATCHBOX_SERVER_READ_TIMEOUT", "20s")
t.Setenv("SCRATCHBOX_SERVER_WRITE_TIMEOUT", "40s")
t.Setenv("SCRATCHBOX_SERVER_IDLE_TIMEOUT", "80s")
t.Setenv("SCRATCHBOX_SERVER_MAX_HEADER_BYTES", "2097152")
t.Setenv("SCRATCHBOX_SERVER_ACCESS_LOG_ENABLED", "false")
t.Setenv("SCRATCHBOX_SERVER_ACCESS_LOG_FILE_PATH", "/tmp/access.log")
t.Setenv("SCRATCHBOX_SERVER_ACCESS_LOG_MAX_SIZE", "4MiB")
t.Setenv("SCRATCHBOX_SERVER_ACCESS_LOG_MAX_BACKUPS", "8")
t.Setenv("SCRATCHBOX_LIMITS_MAX_UPLOAD_SIZE", "8MiB")
t.Setenv("SCRATCHBOX_LIMITS_DEFAULT_TTL", "30m")
t.Setenv("SCRATCHBOX_LIMITS_RAW_CACHE_MAX_SIZE", "64MiB")
t.Setenv("SCRATCHBOX_LIMITS_RAW_CACHE_MAX_ENTRIES", "16")
t.Setenv("SCRATCHBOX_STORAGE_DATA_DIR", dataDir)
t.Setenv("SCRATCHBOX_STORAGE_CLEANUP_INTERVAL", "15s")
t.Setenv("SCRATCHBOX_SECURITY_ALLOWED_IPS", "127.0.0.1,10.0.0.0/8")
t.Setenv("SCRATCHBOX_SECURITY_TRUST_PROXY_HEADERS", "true")
t.Setenv("SCRATCHBOX_SECURITY_TRUSTED_PROXY_IPS", "10.0.0.0/8")
t.Setenv("SCRATCHBOX_SECURITY_RATE_LIMIT_UI_ENABLED", "true")
t.Setenv("SCRATCHBOX_SECURITY_RATE_LIMIT_UI_REQUESTS_PER_MINUTE", "50")
t.Setenv("SCRATCHBOX_SECURITY_RATE_LIMIT_UI_BURST", "20")
t.Setenv("SCRATCHBOX_SECURITY_RATE_LIMIT_API_READ_ENABLED", "true")
t.Setenv("SCRATCHBOX_SECURITY_RATE_LIMIT_API_READ_REQUESTS_PER_MINUTE", "60")
t.Setenv("SCRATCHBOX_SECURITY_RATE_LIMIT_API_READ_BURST", "30")
t.Setenv("SCRATCHBOX_SECURITY_RATE_LIMIT_API_WRITE_ENABLED", "true")
t.Setenv("SCRATCHBOX_SECURITY_RATE_LIMIT_API_WRITE_REQUESTS_PER_MINUTE", "40")
t.Setenv("SCRATCHBOX_SECURITY_RATE_LIMIT_API_WRITE_BURST", "12")
cfg, err := LoadFromEnv()
if err != nil {
t.Fatalf("LoadFromEnv() error = %v", err)
}
if cfg.Server.ListenAddr != "127.0.0.1:19090" {
t.Fatalf("ListenAddr = %q, want %q", cfg.Server.ListenAddr, "127.0.0.1:19090")
}
if cfg.Server.ReadHeaderTimeoutDur != 6*time.Second {
t.Fatalf("ReadHeaderTimeoutDur = %s, want 6s", cfg.Server.ReadHeaderTimeoutDur)
}
if cfg.Server.ReadTimeoutDur != 20*time.Second {
t.Fatalf("ReadTimeoutDur = %s, want 20s", cfg.Server.ReadTimeoutDur)
}
if cfg.Server.WriteTimeoutDur != 40*time.Second {
t.Fatalf("WriteTimeoutDur = %s, want 40s", cfg.Server.WriteTimeoutDur)
}
if cfg.Server.IdleTimeoutDur != 80*time.Second {
t.Fatalf("IdleTimeoutDur = %s, want 80s", cfg.Server.IdleTimeoutDur)
}
if cfg.Server.MaxHeaderBytes != 2*1024*1024 {
t.Fatalf("MaxHeaderBytes = %d, want %d", cfg.Server.MaxHeaderBytes, 2*1024*1024)
}
if cfg.Server.AccessLog.Enabled {
t.Fatalf("AccessLog.Enabled = %v, want false", cfg.Server.AccessLog.Enabled)
}
if cfg.Limits.MaxUploadSizeBytes != 8*1024*1024 {
t.Fatalf("MaxUploadSizeBytes = %d, want %d", cfg.Limits.MaxUploadSizeBytes, int64(8*1024*1024))
}
if cfg.Limits.DefaultTTLDuration != 30*time.Minute {
t.Fatalf("DefaultTTLDuration = %s, want 30m", cfg.Limits.DefaultTTLDuration)
}
if cfg.Limits.RawCacheMaxBytes != 64*1024*1024 {
t.Fatalf("RawCacheMaxBytes = %d, want %d", cfg.Limits.RawCacheMaxBytes, int64(64*1024*1024))
}
if cfg.Limits.RawCacheMaxEntries != 16 {
t.Fatalf("RawCacheMaxEntries = %d, want 16", cfg.Limits.RawCacheMaxEntries)
}
if cfg.Storage.DataDir != dataDir {
t.Fatalf("DataDir = %q, want %q", cfg.Storage.DataDir, dataDir)
}
if cfg.Storage.CleanupIntervalParsed != 15*time.Second {
t.Fatalf("CleanupIntervalParsed = %s, want 15s", cfg.Storage.CleanupIntervalParsed)
}
if len(cfg.Storage.EncryptionKeyBytes) != 32 {
t.Fatalf("EncryptionKeyBytes length = %d, want 32", len(cfg.Storage.EncryptionKeyBytes))
}
if len(cfg.Security.AllowedPrefixes) != 2 {
t.Fatalf("AllowedPrefixes len = %d, want 2", len(cfg.Security.AllowedPrefixes))
}
if len(cfg.Security.TrustedProxyPrefixes) != 1 {
t.Fatalf("TrustedProxyPrefixes len = %d, want 1", len(cfg.Security.TrustedProxyPrefixes))
}
if !cfg.Security.TrustProxyHeaders {
t.Fatalf("TrustProxyHeaders = false, want true")
}
if cfg.Security.RateLimitUI.RequestsPerMinute != 50 || cfg.Security.RateLimitUI.Burst != 20 {
t.Fatalf("unexpected rate_limit_ui values: %+v", cfg.Security.RateLimitUI)
}
if cfg.Security.RateLimitAPIRead.RequestsPerMinute != 60 || cfg.Security.RateLimitAPIRead.Burst != 30 {
t.Fatalf("unexpected rate_limit_api_read values: %+v", cfg.Security.RateLimitAPIRead)
}
if cfg.Security.RateLimitAPIWrite.RequestsPerMinute != 40 || cfg.Security.RateLimitAPIWrite.Burst != 12 {
t.Fatalf("unexpected rate_limit_api_write values: %+v", cfg.Security.RateLimitAPIWrite)
}
}
func TestLoadFromEnvRejectsInvalidBool(t *testing.T) {
t.Setenv("SCRATCHBOX_STORAGE_DATA_DIR", filepath.Join(t.TempDir(), "store"))
t.Setenv("SCRATCHBOX_SERVER_ACCESS_LOG_ENABLED", "not-bool")
_, err := LoadFromEnv()
if err == nil || !strings.Contains(err.Error(), "SCRATCHBOX_SERVER_ACCESS_LOG_ENABLED invalid bool") {
t.Fatalf("LoadFromEnv() error = %v, want invalid bool env error", err)
}
}
func TestParseAllowedPrefixesTrimsAndParses(t *testing.T) {
t.Parallel()