From b6b046c90b2cc353a6fba2222ad8fde9cddbce01 Mon Sep 17 00:00:00 2001 From: anti Date: Thu, 9 Apr 2026 12:13:22 -0400 Subject: [PATCH] =?UTF-8?q?fix:=20harden=20startup=20security=20=E2=80=94?= =?UTF-8?q?=20require=20strong=20secrets,=20restrict=20CORS?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - decnet/env.py: DECNET_JWT_SECRET and DECNET_ADMIN_PASSWORD are now required env vars; startup raises ValueError if unset or set to a known-bad default ("admin", "password", etc.) - decnet/env.py: add DECNET_CORS_ORIGINS (comma-separated, defaults to http://localhost:8080) replacing the previous allow_origins=["*"] - decnet/web/api.py: use DECNET_CORS_ORIGINS and tighten allow_methods and allow_headers to explicit lists - tests/conftest.py: set required env vars at module level so test collection works without real credentials - tests/test_web_api.py, test_web_api_fuzz.py: use DECNET_ADMIN_PASSWORD from env instead of hardcoded "admin" Closes DEBT-001, DEBT-002, DEBT-004 --- decnet/env.py | 27 +++++++++++++++++++++++++-- decnet/web/api.py | 8 ++++---- tests/conftest.py | 11 +++++++++++ tests/test_web_api.py | 15 ++++++++------- tests/test_web_api_fuzz.py | 5 +++-- 5 files changed, 51 insertions(+), 15 deletions(-) create mode 100644 tests/conftest.py diff --git a/decnet/env.py b/decnet/env.py index ee448b5..348dd98 100644 --- a/decnet/env.py +++ b/decnet/env.py @@ -9,15 +9,38 @@ _ROOT: Path = Path(__file__).parent.parent.absolute() load_dotenv(_ROOT / ".env.local") load_dotenv(_ROOT / ".env") + +def _require_env(name: str) -> str: + """Return the env var value or raise at startup if it is unset or a known-bad default.""" + _KNOWN_BAD = {"fallback-secret-key-change-me", "admin", "secret", "password", "changeme"} + value = os.environ.get(name) + if not value: + raise ValueError( + f"Required environment variable '{name}' is not set. " + f"Set it in .env.local or export it before starting DECNET." + ) + if value.lower() in _KNOWN_BAD: + raise ValueError( + f"Environment variable '{name}' is set to an insecure default ('{value}'). " + f"Choose a strong, unique value before starting DECNET." + ) + return value + + # API Options DECNET_API_HOST: str = os.environ.get("DECNET_API_HOST", "0.0.0.0") # nosec B104 DECNET_API_PORT: int = int(os.environ.get("DECNET_API_PORT", "8000")) -DECNET_JWT_SECRET: str = os.environ.get("DECNET_JWT_SECRET", "fallback-secret-key-change-me") +DECNET_JWT_SECRET: str = _require_env("DECNET_JWT_SECRET") DECNET_INGEST_LOG_FILE: str | None = os.environ.get("DECNET_INGEST_LOG_FILE", "/var/log/decnet/decnet.log") # Web Dashboard Options DECNET_WEB_HOST: str = os.environ.get("DECNET_WEB_HOST", "0.0.0.0") # nosec B104 DECNET_WEB_PORT: int = int(os.environ.get("DECNET_WEB_PORT", "8080")) DECNET_ADMIN_USER: str = os.environ.get("DECNET_ADMIN_USER", "admin") -DECNET_ADMIN_PASSWORD: str = os.environ.get("DECNET_ADMIN_PASSWORD", "admin") +DECNET_ADMIN_PASSWORD: str = _require_env("DECNET_ADMIN_PASSWORD") DECNET_DEVELOPER: bool = os.environ.get("DECNET_DEVELOPER", "False").lower() == "true" + +# CORS — comma-separated list of allowed origins for the web dashboard API. +# Example: DECNET_CORS_ORIGINS=http://localhost:8080,https://dashboard.example.com +_cors_raw: str = os.environ.get("DECNET_CORS_ORIGINS", "http://localhost:8080") +DECNET_CORS_ORIGINS: list[str] = [o.strip() for o in _cors_raw.split(",") if o.strip()] diff --git a/decnet/web/api.py b/decnet/web/api.py index 1285c3e..430c42f 100644 --- a/decnet/web/api.py +++ b/decnet/web/api.py @@ -5,7 +5,7 @@ from typing import Any, AsyncGenerator, Optional from fastapi import FastAPI from fastapi.middleware.cors import CORSMiddleware -from decnet.env import DECNET_DEVELOPER +from decnet.env import DECNET_CORS_ORIGINS, DECNET_DEVELOPER from decnet.web.dependencies import repo from decnet.web.ingester import log_ingestion_worker from decnet.web.router import api_router @@ -47,10 +47,10 @@ app: FastAPI = FastAPI( app.add_middleware( CORSMiddleware, - allow_origins=["*"], + allow_origins=DECNET_CORS_ORIGINS, allow_credentials=False, - allow_methods=["*"], - allow_headers=["*"], + allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"], + allow_headers=["Authorization", "Content-Type"], ) # Include the modular API router diff --git a/tests/conftest.py b/tests/conftest.py new file mode 100644 index 0000000..4f1bcb6 --- /dev/null +++ b/tests/conftest.py @@ -0,0 +1,11 @@ +""" +Shared pytest configuration. + +Env vars required by decnet.env must be set here, at module level, before +any test file imports decnet.* — pytest loads conftest.py first. +""" +import os + +os.environ.setdefault("DECNET_JWT_SECRET", "test-jwt-secret-not-for-production-use") +os.environ.setdefault("DECNET_ADMIN_PASSWORD", "test-admin-password-1234!") +os.environ.setdefault("DECNET_ADMIN_USER", "admin") diff --git a/tests/test_web_api.py b/tests/test_web_api.py index 5e22000..0e1651f 100644 --- a/tests/test_web_api.py +++ b/tests/test_web_api.py @@ -6,6 +6,7 @@ from fastapi.testclient import TestClient from decnet.web.api import app from decnet.web.dependencies import repo +from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD @pytest.fixture(autouse=True) @@ -29,7 +30,7 @@ def test_login_success() -> None: # The TestClient context manager triggers startup/shutdown events response = client.post( "/api/v1/auth/login", - json={"username": "admin", "password": "admin"} + json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD} ) assert response.status_code == 200 data = response.json() @@ -57,7 +58,7 @@ def test_login_failure() -> None: def test_change_password() -> None: with TestClient(app) as client: # First login to get token - login_resp = client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"}) + login_resp = client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD}) token = login_resp.json()["access_token"] # Try changing password with wrong old password @@ -71,17 +72,17 @@ def test_change_password() -> None: # Change password successfully resp2 = client.post( "/api/v1/auth/change-password", - json={"old_password": "admin", "new_password": "new_secure_password"}, + json={"old_password": DECNET_ADMIN_PASSWORD, "new_password": "new_secure_password"}, headers={"Authorization": f"Bearer {token}"} ) assert resp2.status_code == 200 # Verify old password no longer works - resp3 = client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"}) + resp3 = client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD}) assert resp3.status_code == 401 # Verify new password works and must_change_password is False - resp4 = client.post("/api/v1/auth/login", json={"username": "admin", "password": "new_secure_password"}) + resp4 = client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": "new_secure_password"}) assert resp4.status_code == 200 assert resp4.json()["must_change_password"] is False @@ -96,7 +97,7 @@ def test_get_logs_success() -> None: with TestClient(app) as client: login_response = client.post( "/api/v1/auth/login", - json={"username": "admin", "password": "admin"} + json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD} ) token = login_response.json()["access_token"] @@ -119,7 +120,7 @@ def test_get_stats_success() -> None: with TestClient(app) as client: login_response = client.post( "/api/v1/auth/login", - json={"username": "admin", "password": "admin"} + json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD} ) token = login_response.json()["access_token"] diff --git a/tests/test_web_api_fuzz.py b/tests/test_web_api_fuzz.py index 59c2a3b..f14caeb 100644 --- a/tests/test_web_api_fuzz.py +++ b/tests/test_web_api_fuzz.py @@ -8,6 +8,7 @@ import httpx from decnet.web.api import app from decnet.web.dependencies import repo +from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD # Re-use setup from test_web_api @pytest.fixture(scope="function", autouse=True) @@ -53,7 +54,7 @@ def test_fuzz_change_password(old_password: str, new_password: str) -> None: """Fuzz the change-password endpoint with random strings.""" with TestClient(app) as _client: # Get valid token first - _login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"}) + _login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD}) _token: str = _login_resp.json()["access_token"] _payload: dict[str, str] = {"old_password": old_password, "new_password": new_password} @@ -76,7 +77,7 @@ def test_fuzz_change_password(old_password: str, new_password: str) -> None: def test_fuzz_get_logs(limit: int, offset: int, search: Optional[str]) -> None: """Fuzz the logs pagination and search.""" with TestClient(app) as _client: - _login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"}) + _login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD}) _token: str = _login_resp.json()["access_token"] _params: dict[str, Any] = {"limit": limit, "offset": offset}