Add LAN-only status UI for caddy-autogen

Apps/caddy-autogen/tests/integration_tests.py

@@ -1,5 +1,7 @@
 #!/usr/bin/env python3
 import importlib.util
+import json
+import tempfile
 from pathlib import Path
 
 
@@ -93,8 +95,13 @@ def test_optin_route_selection(module):
         allow_internal_tls_fallback=False,
         wildcard_domain="home.example.test",
         cert_email="",
+        status_ui_port=31820,
+        status_upstream="discovery-agent:8089",
     )
 
+    assert_true(":31820" in caddyfile, "expected status UI server block")
+    assert_true("remote_ip private_ranges" in caddyfile, "expected LAN-only restriction")
+    assert_true("reverse_proxy discovery-agent:8089" in caddyfile, "expected status upstream")
     assert_true("frigate.home.example.test" in caddyfile, "expected frigate host in caddyfile")
     assert_true("reverse_proxy http://host.docker.internal:5000" in caddyfile, "expected web port route")
     assert_true("8554" not in caddyfile and "8555" not in caddyfile, "media ports must not be routed")
@@ -122,6 +129,8 @@ def test_fail_closed_and_internal_fallback(module):
             allow_internal_tls_fallback=False,
             wildcard_domain="",
             cert_email="",
+            status_ui_port=31820,
+            status_upstream="discovery-agent:8089",
         )
     except RuntimeError as exc:
         failed = True
@@ -135,15 +144,60 @@ def test_fail_closed_and_internal_fallback(module):
         allow_internal_tls_fallback=True,
         wildcard_domain="",
         cert_email="",
+        status_ui_port=31820,
+        status_upstream="discovery-agent:8089",
     )
     assert_true("local_certs" in fallback_caddyfile, "expected local_certs in fallback mode")
     assert_true("tls internal" in fallback_caddyfile, "expected internal tls in fallback mode")
 
 
+def test_cloudflare_verify_and_cert_discovery(module):
+    class FakeResponse:
+        def __init__(self, payload):
+            self._payload = payload
+
+        def read(self):
+            return json.dumps(self._payload).encode("utf-8")
+
+        def __enter__(self):
+            return self
+
+        def __exit__(self, exc_type, exc, tb):
+            return False
+
+    def fake_urlopen(req, timeout=0):
+        _ = req
+        _ = timeout
+        return FakeResponse({"success": True})
+
+    original_urlopen = module.urllib.request.urlopen
+    module.urllib.request.urlopen = fake_urlopen
+    try:
+        status = module._verify_cloudflare_token("https://api.cloudflare.com/client/v4/user/tokens/verify", "token")
+    finally:
+        module.urllib.request.urlopen = original_urlopen
+
+    assert_true(status["reachable"] is True, "cloudflare should be reachable in mocked success")
+    assert_true(status["token_valid"] is True, "token should be valid in mocked success")
+
+    with tempfile.TemporaryDirectory() as td:
+        cert_dir = Path(td) / "caddy" / "certificates" / "acme-v02.api.letsencrypt.org-directory" / "example.com"
+        cert_dir.mkdir(parents=True, exist_ok=True)
+        (cert_dir / "demo.home.example.test.crt").write_text("fake", encoding="utf-8")
+        (cert_dir / "_.home.example.test.crt").write_text("fake", encoding="utf-8")
+
+        hosts = module._collect_letsencrypt_hosts(td)
+        assert_true("demo.home.example.test" in hosts, "expected concrete cert host")
+        assert_true("*.home.example.test" in hosts, "expected wildcard cert host conversion")
+        assert_true(module._has_matching_le_cert("api.home.example.test", hosts), "wildcard should match")
+        assert_true(module._has_matching_le_cert("demo.home.example.test", hosts), "exact cert should match")
+
+
 def main():
     module = load_agent_module()
     test_optin_route_selection(module)
     test_fail_closed_and_internal_fallback(module)
+    test_cloudflare_verify_and_cert_discovery(module)
     print("Integration tests passed")