Ensure mock server conforms to the documented API (#609)

* DEV-37524: Add mock Imperva API server for acceptance testing

This commit introduces a mock server that simulates the Imperva API,
enabling acceptance tests to run without requiring real API credentials.

Changes include:
- Mock server implementation (incapsula/mock_server.go) with in-memory
  storage for accounts, sites, and CSP domains
- Test helper functions for easy mock server setup in tests
- Standalone server CLI (cmd/mock-server/main.go) on port 19443
- GNUmakefile updates: 'make server' target and mock server check
  before running tests
- Fixed flaky BadConnection tests in client_*_test.go files
- Fixed broken HashiCorp logo in README

Usage:
  make server  # Start mock server in separate terminal
  make test    # Run tests (requires mock server)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Conforming API responses from mock server with the documentation

Updates to mock server to align with official Imperva API documentation:

- Add missing fields to Account responses (plan_id, user_name, logins,
  trial_end_date, inactivity_timeout)
- Update account configure endpoint to use param/value pattern
- Add support for additional account parameters (support_all_tls_versions,
  wildcard_san_for_new_sites, enable_http2_for_new_sites, etc.)
- Add missing fields to CSP AuthorizationStatus (note, author, reviewedAt,
  lastNoteAt, forceChange)
- Add applyToAllOnboardedPaths field to CSP PreApprovedDomain
- Fix data privacy endpoint to return 'region' instead of 'region_default'
- Update default values to match Terraform schema defaults
  (inactivity_timeout=15, wildcard_san_for_new_sites="Default")
- Add test helpers and parsing verification tests
- Document mock server endpoints in README with links to API documentation
- Add incapsula.test to gitignore

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Ed Sumerfield <esumerfield@stackct.com>
Co-authored-by: Claude <noreply@anthropic.com>

Author: 3 people

.gitignore

@@ -6,5 +6,8 @@ examples/*.tfstate*
 examples/ignore
 incapsula/c.out
 terraform-provider-incapsula
+mock-server
+incapsula.test
 .idea/
-.tmp/
+.tmp/
+.claude/

GNUmakefile

@@ -29,11 +29,37 @@ install: build
 	mkdir -p ~/.terraform.d/plugins/${HOSTNAME}/${NAMESPACE}/${PKG_NAME}/${VERSION}/${OS_ARCH}
 	mv ${BINARY} ~/.terraform.d/plugins/${HOSTNAME}/${NAMESPACE}/${PKG_NAME}/${VERSION}/${OS_ARCH}
 
-test: fmtcheck
+MOCK_SERVER_PORT?=19443
+MOCK_SERVER_URL=http://localhost:$(MOCK_SERVER_PORT)
+
+test: fmtcheck check-mock-server
 	go test -i $(TEST) || exit 1
 	echo $(TEST) | \
 		xargs -t -n4 go test $(TESTARGS) -timeout=30s -parallel=4
 
+check-mock-server:
+	@if ! curl -s -o /dev/null -w '' $(MOCK_SERVER_URL)/account 2>/dev/null; then \
+		echo ""; \
+		echo "ERROR: Mock Imperva API server is not running on $(MOCK_SERVER_URL)"; \
+		echo ""; \
+		echo "To start the mock server, run in a separate terminal:"; \
+		echo ""; \
+		echo "  make server"; \
+		echo ""; \
+		echo "Then set the following environment variables:"; \
+		echo ""; \
+		echo "  export INCAPSULA_API_ID=mock-api-id"; \
+		echo "  export INCAPSULA_API_KEY=mock-api-key"; \
+		echo "  export INCAPSULA_BASE_URL=$(MOCK_SERVER_URL)"; \
+		echo "  export INCAPSULA_BASE_URL_REV_2=$(MOCK_SERVER_URL)"; \
+		echo "  export INCAPSULA_BASE_URL_REV_3=$(MOCK_SERVER_URL)"; \
+		echo "  export INCAPSULA_BASE_URL_API=$(MOCK_SERVER_URL)"; \
+		echo "  export INCAPSULA_CUSTOM_TEST_DOMAIN=.mock.incaptest.com"; \
+		echo ""; \
+		exit 1; \
+	fi
+	@echo "Mock server is running on $(MOCK_SERVER_URL)"
+
 testacc: fmtcheck
 	TF_ACC=1 go test $(TEST) -v $(TESTARGS) -timeout 120m
 
@@ -58,6 +84,10 @@ errcheck:
 clean:
 	go clean -cache -modcache -i -r
 
+server:
+	@echo "Starting mock Imperva API server..."
+	go run ./cmd/mock-server
+
 test-compile:
 	@if [ "$(TEST)" = "./..." ]; then \
 		echo "ERROR: Set TEST to a specific package. For example,"; \
@@ -80,5 +110,5 @@ ifeq (,$(wildcard $(GOPATH)/src/$(WEBSITE_REPO)))
 endif
 	@$(MAKE) -C $(GOPATH)/src/$(WEBSITE_REPO) website-provider-test PROVIDER_PATH=$(shell pwd) PROVIDER_NAME=$(PKG_NAME)
 
-.PHONY: build test testacc vet fmt fmtcheck errcheck  test-compile website website-test
+.PHONY: build test testacc vet fmt fmtcheck errcheck test-compile website website-test server check-mock-server
 

README.md

@@ -5,7 +5,7 @@ Terraform `Incapsula` Provider
 - [![Gitter chat](https://badges.gitter.im/hashicorp-terraform/Lobby.png)](https://gitter.im/hashicorp-terraform/Lobby)
 - Mailing list: [Google Groups](http://groups.google.com/group/terraform-tool)
 
-<img src="https://cdn.rawgit.com/hashicorp/terraform-website/master/content/source/assets/images/logo-hashicorp.svg" width="600px">
+<img src="assets/HashiCorp_Logo.png" width="600px">
 
 Maintainers
 -----------
@@ -86,3 +86,95 @@ with installation command execution
 ./tf-provider-incap-orch.sh -i "youApiID" "youApiKey"
 ```
 
+Mock Server for Testing
+-----------------------
+
+A mock Imperva API server is provided for running tests without requiring real API credentials. This enables CI/CD pipelines and local development without access to a live Imperva environment.
+
+### Starting the Mock Server
+
+```sh
+make server
+```
+
+This starts the mock server on port 19443. The server outputs the required environment variables:
+
+```sh
+export INCAPSULA_API_ID=mock-api-id
+export INCAPSULA_API_KEY=mock-api-key
+export INCAPSULA_BASE_URL=http://localhost:19443
+export INCAPSULA_BASE_URL_REV_2=http://localhost:19443
+export INCAPSULA_BASE_URL_REV_3=http://localhost:19443
+export INCAPSULA_BASE_URL_API=http://localhost:19443
+export INCAPSULA_CUSTOM_TEST_DOMAIN=.mock.incaptest.com
+```
+
+### Running Tests with Mock Server
+
+```sh
+# Terminal 1: Start the mock server
+make server
+
+# Terminal 2: Run tests (requires mock server to be running)
+make test
+```
+
+### Implemented Endpoints
+
+The mock server implements the following Imperva API endpoints:
+
+#### Account Management ([Cloud v1 API Documentation](https://docs-cybersec-be.thalesgroup.com/api/bundle/api-docs/page/cloud-v1-api-definition.htm))
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/accounts/add` | POST | Create account |
+| `/account` | POST | Get account status |
+| `/accounts/configure` | POST | Update account |
+| `/accounts/delete` | POST | Delete account |
+| `/accounts/data-privacy/show` | POST | Get data privacy settings |
+| `/accounts/data-privacy/set-region-default` | POST | Set default data region |
+
+#### Site Management ([Cloud v1 API Documentation](https://docs-cybersec-be.thalesgroup.com/api/bundle/api-docs/page/cloud-v1-api-definition.htm))
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/sites/add` | POST | Create site |
+| `/sites/status` | POST | Get site status |
+| `/sites/configure` | POST | Update site |
+| `/sites/delete` | POST | Delete site |
+
+#### CSP Pre-Approved Domains ([CSP API Documentation](https://docs-cybersec-be.thalesgroup.com/api/bundle/api-docs/page/csp-api-definition.htm))
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/csp-api/v1/sites/{siteId}/preapprovedlist` | GET | List pre-approved domains |
+| `/csp-api/v1/sites/{siteId}/preapprovedlist` | POST | Add pre-approved domain |
+| `/csp-api/v1/sites/{siteId}/preapprovedlist/{domainRef}` | GET | Get specific domain |
+| `/csp-api/v1/sites/{siteId}/preapprovedlist/{domainRef}` | DELETE | Remove domain |
+| `/csp-api/v1/sites/{siteId}/domains/{domainRef}/status` | GET/PUT | Domain status |
+| `/csp-api/v1/sites/{siteId}/domains/{domainRef}/notes` | GET/POST/DELETE | Domain notes |
+
+### Response Format
+
+All API responses follow the standard Imperva format:
+
+```json
+{
+  "res": 0,
+  "res_message": "OK",
+  "debug_info": {...},
+  "account|site|data": {...}
+}
+```
+
+Error responses use non-zero `res` codes as documented in the [API documentation](https://docs-cybersec-be.thalesgroup.com/api/bundle/api-docs/page/cloud-v1-api-definition.htm).
+
+### Adding New Endpoints
+
+To add new endpoints to the mock server:
+
+1. Add the route in `mock_server.go` in the `router()` function
+2. Implement the handler function following existing patterns
+3. Add tests in `mock_server_test.go`
+4. Update this documentation
+

assets/HashiCorp_Logo.png

@@ -0,0 +1,64 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/terraform-providers/terraform-provider-incapsula/incapsula"
+)
+
+func main() {
+	port := flag.Int("port", 19443, "Port to listen on")
+	flag.Parse()
+
+	// Create the mock server
+	mock := incapsula.NewMockImpervaServer()
+
+	// Create a new server on the specified port instead of using the httptest server
+	mock.Server.Close() // Close the auto-started httptest server
+
+	addr := fmt.Sprintf(":%d", *port)
+	server := &http.Server{
+		Addr:    addr,
+		Handler: http.HandlerFunc(mock.ServeHTTP),
+	}
+
+	// Handle shutdown gracefully
+	done := make(chan bool)
+	quit := make(chan os.Signal, 1)
+	signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
+
+	go func() {
+		<-quit
+		log.Println("Shutting down mock server...")
+		done <- true
+	}()
+
+	log.Printf("Mock Imperva API server starting on http://localhost%s", addr)
+	log.Println("")
+	log.Println("Environment variables to use with Terraform:")
+	log.Println("")
+	fmt.Printf("export INCAPSULA_API_ID=mock-api-id\n")
+	fmt.Printf("export INCAPSULA_API_KEY=mock-api-key\n")
+	fmt.Printf("export INCAPSULA_BASE_URL=http://localhost%s\n", addr)
+	fmt.Printf("export INCAPSULA_BASE_URL_REV_2=http://localhost%s\n", addr)
+	fmt.Printf("export INCAPSULA_BASE_URL_REV_3=http://localhost%s\n", addr)
+	fmt.Printf("export INCAPSULA_BASE_URL_API=http://localhost%s\n", addr)
+	fmt.Printf("export INCAPSULA_CUSTOM_TEST_DOMAIN=.mock.incaptest.com\n")
+	log.Println("")
+	log.Println("Press Ctrl+C to stop the server")
+
+	go func() {
+		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			log.Fatalf("Failed to start server: %v", err)
+		}
+	}()
+
+	<-done
+	log.Println("Server stopped")
+}

cmd/mock-server/main.go

@@ -171,11 +171,11 @@ func TestClientGetAccountSSlSettingsBadConnection(t *testing.T) {
 }
 
 func TestClientDeleteAccountSSlSettingsBadConnection(t *testing.T) {
-	config := &Config{APIID: "foo", APIKey: "bar", BaseURLAPI: "http://badness.incapsula.com"}
+	config := &Config{APIID: "foo", APIKey: "bar", BaseURLAPI: "http://invalid.invalid"}
 	client := &Client{config: config, httpClient: &http.Client{Timeout: time.Millisecond * 1}}
 	diag := client.DeleteAccountSSLSettings("")
-	if diag == nil || !diag.HasError() || !strings.Contains(diag[0].Detail, "Timeout exceeded while awaiting") {
-		t.Errorf("Should have received an time out error")
+	if diag == nil || !diag.HasError() || !strings.Contains(diag[0].Detail, "error from Imperva service when deleting Account SSL certificate") {
+		t.Errorf("Should have received an error, got: %v", diag)
 	}
 }
 

incapsula/client_account_ssl_settings_test.go

@@ -158,23 +158,23 @@ func TestClientGetSiteCertificateRequestStatusError500(t *testing.T) {
 }
 
 func TestClientGetSiteCertificateRequestStatusBadConnection(t *testing.T) {
-	config := &Config{APIID: "foo", APIKey: "bar", BaseURLAPI: "http://badness.incapsula.com"}
+	config := &Config{APIID: "foo", APIKey: "bar", BaseURLAPI: "http://invalid.invalid"}
 	client := &Client{config: config, httpClient: &http.Client{Timeout: time.Millisecond * 1}}
 	updateAccountSSLSettingsResponse, diag := client.GetSiteCertificateRequestStatus(123, nil)
-	if diag == nil || !diag.HasError() || !strings.Contains(diag[0].Detail, "Timeout exceeded while awaiting") {
-		t.Errorf("Should have received an time out error")
+	if diag == nil || !diag.HasError() || !strings.Contains(diag[0].Detail, "Failed to get request site certificate") {
+		t.Errorf("Should have received an error, got: %v", diag)
 	}
 	if updateAccountSSLSettingsResponse != nil {
 		t.Errorf("Should have received a nil addAccountResponse instance")
 	}
 }
 
 func TestClientDeleteRequestSiteCertificateBadConnection(t *testing.T) {
-	config := &Config{APIID: "foo", APIKey: "bar", BaseURLAPI: "http://badness.incapsula.com"}
+	config := &Config{APIID: "foo", APIKey: "bar", BaseURLAPI: "http://invalid.invalid"}
 	client := &Client{config: config, httpClient: &http.Client{Timeout: time.Millisecond * 1}}
 	_, diag := client.DeleteRequestSiteCertificate(123, nil)
-	if diag == nil || !diag.HasError() || !strings.Contains(diag[0].Detail, "Timeout exceeded while awaiting") {
-		t.Errorf("Should have received an time out error")
+	if diag == nil || !diag.HasError() || !strings.Contains(diag[0].Detail, "Failed to delete request site certificate") {
+		t.Errorf("Should have received an error, got: %v", diag)
 	}
 }
 
@@ -217,11 +217,11 @@ func TestClientDeleteRequestSiteCertificateWithAccountId(t *testing.T) {
 }
 
 func TestClientValidateDomainBadConnection(t *testing.T) {
-	config := &Config{APIID: "foo", APIKey: "bar", BaseURLAPI: "http://badness.incapsula.com"}
+	config := &Config{APIID: "foo", APIKey: "bar", BaseURLAPI: "http://invalid.invalid"}
 	client := &Client{config: config, httpClient: &http.Client{Timeout: time.Millisecond * 1}}
 	diag := client.ValidateDomains(123, []int{222})
-	if diag == nil || !diag.HasError() || !strings.Contains(diag[0].Detail, "Timeout exceeded while awaiting") {
-		t.Errorf("Should have received an time out error")
+	if diag == nil || !diag.HasError() || !strings.Contains(diag[0].Detail, "Failed to request site SSL validation") {
+		t.Errorf("Should have received an error, got: %v", diag)
 	}
 }
 func TestClientValidateDomainError500(t *testing.T) {