merge: testing → main (reconcile 2-week divergence)

tests/services/test_syslog_bridge_helpers.py

@@ -0,0 +1,184 @@
+"""Tests for shared emitter helpers in templates/syslog_bridge.py.
+
+The canonical file is what gets propagated into per-template build
+contexts via ``_sync_logging_helper``. This test file imports it
+directly (not a per-service synced copy) so a regression in the
+canonical surfaces immediately.
+"""
+from __future__ import annotations
+
+import base64
+import importlib.util
+from pathlib import Path
+
+import pytest
+
+
+def _load_canonical():
+    """Load the canonical templates/syslog_bridge.py as a module.
+
+    The file isn't a package member (it lives under templates/, not
+    decnet/), so we import via spec-from-path.
+    """
+    repo = Path(__file__).resolve().parents[2]
+    path = repo / "decnet" / "templates" / "syslog_bridge.py"
+    spec = importlib.util.spec_from_file_location("_canonical_syslog_bridge", path)
+    assert spec and spec.loader
+    mod = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(mod)
+    return mod
+
+
+@pytest.fixture(scope="module")
+def syslog_bridge():
+    return _load_canonical()
+
+
+def test_encode_secret_ascii_passthrough(syslog_bridge):
+    out = syslog_bridge.encode_secret("hunter2")
+    assert out["secret_printable"] == "hunter2"
+    assert base64.b64decode(out["secret_b64"]) == b"hunter2"
+
+
+def test_encode_secret_collapses_nonprintables(syslog_bridge):
+    """ANSI escape, NUL, 0xff bytes → '?' in printable form."""
+    secret = "\x1b[31mbad\x00\xff trail"
+    out = syslog_bridge.encode_secret(secret)
+    # Original utf-8 bytes survive losslessly in b64.
+    assert base64.b64decode(out["secret_b64"]) == secret.encode("utf-8", errors="replace")
+    # Printable form has no control / high bytes.
+    for ch in out["secret_printable"]:
+        assert 0x20 <= ord(ch) < 0x7f
+
+
+def test_encode_secret_empty(syslog_bridge):
+    out = syslog_bridge.encode_secret("")
+    assert out == {"secret_printable": "", "secret_b64": ""}
+
+
+def test_encode_secret_preserves_rfc5424_specials(syslog_bridge):
+    """Backslash / quote / bracket pass through to printable; sd_escape
+    upstream is responsible for the literal RFC 5424 escape on the wire."""
+    secret = 'a\\b"c]d'
+    out = syslog_bridge.encode_secret(secret)
+    assert out["secret_printable"] == 'a\\b"c]d'
+    assert base64.b64decode(out["secret_b64"]) == secret.encode("utf-8")
+
+
+def test_classify_authorization_basic(syslog_bridge):
+    """HTTP Basic — base64(user:pw) decodes to plaintext credential."""
+    cred = syslog_bridge.classify_authorization("Basic YWRtaW46aHVudGVyMg==")
+    assert cred is not None
+    assert cred["principal"] == "admin"
+    assert cred["secret_kind"] == "plaintext"
+    assert base64.b64decode(cred["secret_b64"]) == b"hunter2"
+    assert cred["secret_printable"] == "hunter2"
+
+
+def test_classify_authorization_bearer(syslog_bridge):
+    cred = syslog_bridge.classify_authorization("Bearer eyJhbGciOiJIUzI1NiJ9.foo.bar")
+    assert cred["principal"] is None
+    assert cred["secret_kind"] == "http_bearer"
+    assert base64.b64decode(cred["secret_b64"]) == b"eyJhbGciOiJIUzI1NiJ9.foo.bar"
+
+
+def test_classify_authorization_token_alias(syslog_bridge):
+    """`Token <opaque>` = same shape as Bearer (Kubernetes service accounts)."""
+    cred = syslog_bridge.classify_authorization("Token sa-jwt-token-abc")
+    assert cred["secret_kind"] == "http_bearer"
+
+
+def test_classify_authorization_digest(syslog_bridge):
+    """RFC 7616 Digest — extract username + response hash."""
+    header = ('Digest username="alice", realm="example.com", '
+              'nonce="abc123", uri="/", response="d41d8cd98f00b204e9800998ecf8427e"')
+    cred = syslog_bridge.classify_authorization(header)
+    assert cred["principal"] == "alice"
+    assert cred["secret_kind"] == "http_digest_md5"
+    assert cred["secret_printable"] == "d41d8cd98f00b204e9800998ecf8427e"
+
+
+def test_classify_authorization_unknown_scheme(syslog_bridge):
+    """NTLM, AWS4-HMAC-…, Negotiate — all return None for now."""
+    assert syslog_bridge.classify_authorization("NTLM TlRMTVNTUAA=") is None
+    assert syslog_bridge.classify_authorization("AWS4-HMAC-SHA256 Credential=…") is None
+
+
+def test_extract_form_credentials_wordpress(syslog_bridge):
+    """wp-login.php uses `log` for username and `pwd` for password."""
+    body = "log=admin&pwd=hunter2&wp-submit=Log+In"
+    cred = syslog_bridge.extract_form_credentials(
+        body, "application/x-www-form-urlencoded"
+    )
+    assert cred["principal"] == "admin"
+    assert cred["secret_kind"] == "plaintext"
+    assert cred["secret_printable"] == "hunter2"
+
+
+def test_extract_form_credentials_standard(syslog_bridge):
+    body = "username=admin&password=hunter2"
+    cred = syslog_bridge.extract_form_credentials(
+        body, "application/x-www-form-urlencoded"
+    )
+    assert cred["principal"] == "admin"
+    assert cred["secret_kind"] == "plaintext"
+    assert cred["secret_printable"] == "hunter2"
+
+
+def test_extract_form_credentials_secret_without_principal(syslog_bridge):
+    """Secret-only forms (rare but seen — password reset confirms,
+    auto-fill abuse) still capture as a credential. principal=None
+    means we couldn't pin down the user, but the secret hash is still
+    cross-correlatable for reuse analytics."""
+    body = "password=hunter2&csrf=abc"
+    cred = syslog_bridge.extract_form_credentials(
+        body, "application/x-www-form-urlencoded"
+    )
+    assert cred is not None
+    assert cred["principal"] is None
+    assert cred["secret_printable"] == "hunter2"
+
+
+def test_extract_form_credentials_alternate_keys(syslog_bridge):
+    cred = syslog_bridge.extract_form_credentials(
+        "user=alice&pwd=h%40ck", "application/x-www-form-urlencoded"
+    )
+    assert cred["principal"] == "alice"
+    assert cred["secret_printable"] == "h@ck"  # %40 decoded
+
+
+def test_extract_form_credentials_wrong_content_type(syslog_bridge):
+    """Don't try to parse JSON / multipart / etc bodies."""
+    assert syslog_bridge.extract_form_credentials(
+        "username=admin&password=x", "application/json"
+    ) is None
+    assert syslog_bridge.extract_form_credentials(
+        "username=admin&password=x", None
+    ) is None
+
+
+def test_extract_form_credentials_no_secret(syslog_bridge):
+    """Username only → no cred row (need both principal + secret)."""
+    cred = syslog_bridge.extract_form_credentials(
+        "username=admin&csrf_token=xyz", "application/x-www-form-urlencoded"
+    )
+    assert cred is None
+
+
+def test_classify_authorization_malformed(syslog_bridge):
+    assert syslog_bridge.classify_authorization(None) is None
+    assert syslog_bridge.classify_authorization("") is None
+    assert syslog_bridge.classify_authorization("Basic !!not-base64!!") is None
+    assert syslog_bridge.classify_authorization("Basic dXNlcg==") is None  # no colon
+    assert syslog_bridge.classify_authorization("Digest no-response-here") is None
+
+
+def test_encode_secret_unicode_replaced(syslog_bridge):
+    """Non-ASCII unicode encodes via utf-8, then printable strips the
+    multi-byte sequence to '?' chars (one per raw byte)."""
+    out = syslog_bridge.encode_secret("café")
+    raw = "café".encode("utf-8")  # b'caf\xc3\xa9' — 5 bytes
+    assert base64.b64decode(out["secret_b64"]) == raw
+    # printable: 'c', 'a', 'f', '?', '?' — the two trailing utf-8 bytes
+    # both fall outside [0x20, 0x7f).
+    assert out["secret_printable"] == "caf??"