use serde::Deserialize;
#[expect(clippy::struct_excessive_bools, reason = "security override flags")]
#[derive(Debug, Clone, Default, Deserialize, serde::Serialize)]
#[serde(default, deny_unknown_fields)]
pub struct InsecureOptions {
pub allow_open_security_filters: bool,
pub allow_private_endpoints: bool,
pub allow_private_health_checks: bool,
pub allow_public_admin: bool,
pub allow_root: bool,
pub allow_tls_without_sni: bool,
pub allow_unbounded_body: bool,
pub csrf_log_only: bool,
pub skip_pipeline_validation: bool,
}
#[cfg(test)]
#[expect(clippy::allow_attributes, reason = "blanket test suppressions")]
#[allow(
clippy::unwrap_used,
clippy::expect_used,
clippy::indexing_slicing,
clippy::needless_raw_strings,
clippy::needless_raw_string_hashes,
reason = "tests use unwrap/expect/indexing/raw strings for brevity"
)]
mod tests {
use super::*;
#[test]
fn all_flags_default_to_false() {
let opts = InsecureOptions::default();
assert!(
!opts.allow_open_security_filters,
"allow_open_security_filters should default to false"
);
assert!(
!opts.allow_private_endpoints,
"allow_private_endpoints should default to false"
);
assert!(
!opts.allow_private_health_checks,
"allow_private_health_checks should default to false"
);
assert!(!opts.allow_public_admin, "allow_public_admin should default to false");
assert!(!opts.allow_root, "allow_root should default to false");
assert!(
!opts.allow_tls_without_sni,
"allow_tls_without_sni should default to false"
);
assert!(
!opts.allow_unbounded_body,
"allow_unbounded_body should default to false"
);
assert!(!opts.csrf_log_only, "csrf_log_only should default to false");
assert!(
!opts.skip_pipeline_validation,
"skip_pipeline_validation should default to false"
);
}
#[test]
fn deserializes_partial_overrides() {
let yaml = "allow_root: true\nskip_pipeline_validation: true\n";
let opts: InsecureOptions = serde_yaml::from_str(yaml).unwrap();
assert!(opts.allow_root, "allow_root should be true");
assert!(opts.skip_pipeline_validation, "skip_pipeline_validation should be true");
assert!(!opts.allow_public_admin, "allow_public_admin should still be false");
}
#[test]
fn deserializes_empty_to_defaults() {
let opts: InsecureOptions = serde_yaml::from_str("{}").unwrap();
assert!(!opts.allow_root, "empty YAML should produce defaults");
}
}