anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): close MEDIUM ASVS findings — JWT pinning, SSE tickets, SSRF, mTLS pin, rate limits + correctness bugs

Browse Source 
Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1):
- Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation
  (jti denylist + tokens_valid_from) still enforced.
- Change-password now requires min_length=12.
- SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket
  (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream.
  Removed dead fail-open get_stream_user helper.

Egress (V5.1.1, V9.1.1/V14.1.3):
- Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/
  metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the
  vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE.
- UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host
  fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now
  defaults True.

Hardening (V13.1.3, V4.1.4, V13.1.2):
- Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create
  (20/min), host-delete (20/min) via the existing slowapi limiter.
- Correct false 'global auth middleware' comment; document enroll-bundle proxy
  trust.

Correctness (BUG-7..11):
- BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling);
  BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities;
  BUG-11 normalize naive timestamps to UTC.

Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for
every fix; unanimous adversarial review.
This commit is contained in:
anti
2026-06-10 12:32:15 -04:00
parent 6a8af315fb
commit d80e6aa6d1
37 changed files with 1414 additions and 121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
tests/api/auth/test_bulk_revocation.py
View File

@@ -18,7 +18,14 @@ import pytest
from sqlalchemy import select
from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
from decnet.web.auth import ALGORITHM, SECRET_KEY, get_password_hash
from decnet.web.auth import (
ALGORITHM,
JWT_AUDIENCE,
JWT_ISSUER,
JWT_TYPE,
SECRET_KEY,
get_password_hash,
)
from decnet.web.db.models import User
from decnet.web.dependencies import repo
@@ -54,7 +61,17 @@ def _aged_token(uuid: str, *, seconds_old: int = 30) -> str:
change sets to 'now', so it is deterministically revoked once bumped."""
now = int(time.time())
return jwt.encode(
{"uuid": uuid, "jti": f"aged-{uuid}", "iat": now - seconds_old, "exp": now + 3600},
{
"uuid": uuid,
"jti": f"aged-{uuid}",
"iat": now - seconds_old,
"exp": now + 3600,
# The verifier now pins issuer/audience/type (V2.1.1 / V3.1.2); a
# manually-encoded token must carry them or decode rejects it.
"iss": JWT_ISSUER,
"aud": JWT_AUDIENCE,
"typ": JWT_TYPE,
},
SECRET_KEY, algorithm=ALGORITHM,
)

43
tests/api/auth/test_change_pass.py
View File

@@ -4,6 +4,7 @@ import pytest
from hypothesis import given, strategies as st, settings
import httpx
from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
from decnet.web.limiter import limiter as _limiter
from ..conftest import _FUZZ_SETTINGS
@pytest.mark.anyio
@@ -57,6 +58,46 @@ async def test_fuzz_change_password(client: httpx.AsyncClient, old_password: str
json=_payload,
headers={"Authorization": f"Bearer {_token}"}
)
assert _response.status_code in (200, 401, 422)
# 400: schema-guard middleware rejects bad length/shape (e.g. a
# new_password below the 12-char floor) before the handler runs.
assert _response.status_code in (200, 400, 401, 422)
except (UnicodeEncodeError, json.JSONDecodeError):
pass
# ─── Rate-limit enforcement ─────────────────────────────────────────────────
@pytest.mark.anyio
async def test_change_password_rate_limit_trips_after_5(client: httpx.AsyncClient) -> None:
"""5 change-password attempts from one IP → 6th returns 429."""
login_resp = await client.post(
"/api/v1/auth/login",
json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD},
)
token = login_resp.json()["access_token"]
for i in range(5):
r = await client.post(
"/api/v1/auth/change-password",
json={"old_password": f"wrong-{i}", "new_password": "does-not-matter-x!"},
headers={"Authorization": f"Bearer {token}"},
)
# 401 (bad old password) or 429 if the limiter fires — either is fine
assert r.status_code in (401, 429), f"attempt {i}: got {r.status_code}"
# The 6th attempt must trip the rate limiter (limit is 5/minute).
r = await client.post(
"/api/v1/auth/change-password",
json={"old_password": "still-wrong", "new_password": "does-not-matter-x!"},
headers={"Authorization": f"Bearer {token}"},
)
assert r.status_code == 429
@pytest.mark.anyio
async def test_change_password_route_has_rate_limit_decorator() -> None:
"""Contract test: change_password handler must be wrapped by slowapi."""
from decnet.web.router.auth import api_change_pass as _mod
assert getattr(_mod.change_password, "__wrapped__", None) is not None

111
tests/api/auth/test_sse_ticket.py Normal file
View File

@@ -0,0 +1,111 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
"""SSE stream tickets (V3.1.1) + change-password min-length (V2.1.3).
The ticket store is a security boundary: single-use, 60s, fail-closed. These
cover the mint→redeem happy path, single-use reuse rejection, expiry rejection,
the endpoint round-trip, and the V3.1.1 invariant that a raw JWT in the SSE
query string is no longer accepted.
"""
from __future__ import annotations
import httpx
import pytest
from fastapi import HTTPException
from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
from decnet.web.auth import create_access_token
from decnet.web import dependencies as deps
# ── ticket store unit tests ──────────────────────────────────────────────────
def test_mint_then_redeem_happy_path() -> None:
deps._reset_sse_tickets()
ticket = deps.mint_sse_ticket("user-1", "viewer")
identity = deps._redeem_sse_ticket(ticket)
assert identity == {"uuid": "user-1", "role": "viewer"}
def test_ticket_is_single_use() -> None:
deps._reset_sse_tickets()
ticket = deps.mint_sse_ticket("user-1", "admin")
deps._redeem_sse_ticket(ticket) # first redeem consumes it
with pytest.raises(HTTPException) as exc:
deps._redeem_sse_ticket(ticket)
assert exc.value.status_code == 401
def test_unknown_ticket_rejected() -> None:
deps._reset_sse_tickets()
with pytest.raises(HTTPException) as exc:
deps._redeem_sse_ticket("never-minted")
assert exc.value.status_code == 401
def test_expired_ticket_rejected() -> None:
deps._reset_sse_tickets()
# Mint, then jam the entry's expiry into the past so redeem fails closed.
ticket = deps.mint_sse_ticket("user-1", "viewer")
exp, identity = deps._sse_tickets[ticket]
deps._sse_tickets[ticket] = (exp - deps._SSE_TICKET_TTL - 1, identity)
with pytest.raises(HTTPException) as exc:
deps._redeem_sse_ticket(ticket)
assert exc.value.status_code == 401
# ── endpoint round-trip ──────────────────────────────────────────────────────
@pytest.mark.anyio
async def test_sse_ticket_endpoint_requires_auth(client: httpx.AsyncClient) -> None:
resp = await client.post("/api/v1/auth/sse-ticket")
assert resp.status_code == 401
@pytest.mark.anyio
async def test_sse_ticket_endpoint_mints_and_redeems(
client: httpx.AsyncClient, auth_token: str
) -> None:
deps._reset_sse_tickets()
resp = await client.post(
"/api/v1/auth/sse-ticket",
headers={"Authorization": f"Bearer {auth_token}"},
)
assert resp.status_code == 200, resp.text
body = resp.json()
assert body["expires_in"] == 60
ticket = body["ticket"]
assert ticket and "." not in ticket # opaque, not a JWT
# The minted ticket redeems to a bound identity exactly once.
identity = deps._redeem_sse_ticket(ticket)
assert "uuid" in identity and identity["role"] in ("admin", "viewer")
def test_raw_jwt_in_sse_query_rejected() -> None:
"""V3.1.1: a raw JWT is not a valid opaque ticket — _redeem_sse_ticket rejects
any token that wasn't minted by mint_sse_ticket (unknown key → 401)."""
deps._reset_sse_tickets()
token = create_access_token({"uuid": "leaked", "jti": "x"})
with pytest.raises(HTTPException) as exc:
deps._redeem_sse_ticket(token)
assert exc.value.status_code == 401
# ── V2.1.3 change-password min length ────────────────────────────────────────
@pytest.mark.anyio
async def test_change_password_below_min_length_rejected(
client: httpx.AsyncClient,
) -> None:
resp = await client.post("/api/v1/auth/login", json={
"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD,
})
token = resp.json()["access_token"]
# 11 chars — one below the 12-char floor. The request-validation layer
# rejects the bad length before any auth/logic runs; DECNET's schema-guard
# middleware surfaces length violations as 400 (not the raw 422).
r = await client.post(
"/api/v1/auth/change-password",
json={"old_password": DECNET_ADMIN_PASSWORD, "new_password": "short123456"},
headers={"Authorization": f"Bearer {token}"},
)
assert r.status_code in (400, 422), r.text

28
tests/api/swarm_mgmt/test_enroll_bundle.py
View File

@@ -379,3 +379,31 @@ async def test_host_row_persisted_after_enroll(client, auth_token):
assert row is not None
assert row["name"] == "eta"
assert row["status"] == "enrolled"
# ─── Rate-limit enforcement ─────────────────────────────────────────────────
@pytest.mark.anyio
async def test_enroll_bundle_rate_limit_trips_after_10(client, auth_token):
"""10 enroll-bundle POSTs from one IP → 11th returns 429.
Each request uses a unique agent name (otherwise the 2nd hits the 409
duplicate-name guard before the rate check fires). The limiter is
10/minute for this endpoint.
"""
for i in range(10):
r = await _post(client, auth_token, agent_name=f"rl-node-{i}")
# 201 (created) or 429 if limiter fires early — accept both.
assert r.status_code in (201, 429), f"attempt {i}: got {r.status_code}"
r = await _post(client, auth_token, agent_name="rl-node-overflow")
assert r.status_code == 429
@pytest.mark.anyio
async def test_enroll_bundle_route_has_rate_limit_decorator() -> None:
"""Contract test: create_enroll_bundle must be wrapped by slowapi."""
from decnet.web.router.swarm_mgmt import api_enroll_bundle as _mod
assert getattr(_mod.create_enroll_bundle, "__wrapped__", None) is not None

74
tests/api/webhooks/test_crud.py
View File

@@ -9,6 +9,80 @@ import pytest
PATH = "/api/v1/webhooks/"
@pytest.fixture(autouse=True)
def _public_dns(monkeypatch: pytest.MonkeyPatch):
"""Resolve hostnames to a public IP so the registration-time SSRF guard
passes for the functional CRUD cases without touching the network.
IP-literal URLs (e.g. the loopback-rejection test) don't hit DNS, so
this stub doesn't mask them.
"""
import socket
from decnet.webhook import ssrf
def fake_getaddrinfo(host, port, *a, **k):
return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("93.184.216.34", port))]
monkeypatch.setattr(ssrf.socket, "getaddrinfo", fake_getaddrinfo)
@pytest.mark.asyncio
async def test_create_rejects_loopback_url(
client: httpx.AsyncClient, auth_token: str
):
res = await client.post(
PATH,
json={
"name": "wh-ssrf",
"url": "http://127.0.0.1:8080/inbound",
"topic_patterns": ["system.>"],
},
headers={"Authorization": f"Bearer {auth_token}"},
)
assert res.status_code == 422, res.text
assert "forbidden" in res.text.lower()
@pytest.mark.asyncio
async def test_create_rejects_metadata_url(
client: httpx.AsyncClient, auth_token: str
):
res = await client.post(
PATH,
json={
"name": "wh-meta",
"url": "http://169.254.169.254/latest/meta-data/",
"topic_patterns": ["system.>"],
},
headers={"Authorization": f"Bearer {auth_token}"},
)
assert res.status_code == 422, res.text
@pytest.mark.asyncio
async def test_update_rejects_loopback_url(
client: httpx.AsyncClient, auth_token: str
):
create = await client.post(
PATH,
json={
"name": "wh-upd-ssrf",
"url": "https://good.example/x",
"topic_patterns": ["system.>"],
},
headers={"Authorization": f"Bearer {auth_token}"},
)
assert create.status_code == 201, create.text
uuid = create.json()["uuid"]
res = await client.patch(
f"{PATH}{uuid}",
json={"url": "http://10.0.0.1/x"},
headers={"Authorization": f"Bearer {auth_token}"},
)
assert res.status_code == 422, res.text
@pytest.mark.asyncio
async def test_create_requires_patterns(client: httpx.AsyncClient, auth_token: str):
res = await client.post(

59
tests/correlation/attribution/test_multi_actor_correlator.py
View File

@@ -223,3 +223,62 @@ async def test_independent_dedup_per_identity(
seen = {c["payload"]["identity_uuid"] for c in captured}
assert seen == {iuid_a, iuid_b}
await bus.close()
@pytest.mark.anyio
async def test_rearms_for_sub_threshold_identity_in_candidates(
monkeypatch: pytest.MonkeyPatch,
) -> None:
"""BUG-10 regression: seen_now.add() must run AFTER the threshold guard.
If an identity is returned by the repo with < MULTI_ACTOR_MIN_PRIMITIVES
(defensive path) it must NOT be added to seen_now. That means it stays
absent from seen_now → gets removed from last_fired on the stale-rearm
sweep → re-fires when primitives climb back above threshold.
Before fix: seen_now.add() ran before the continue, so the identity
was treated as present-and-seen even though it was below threshold,
and last_fired was never cleared → no rearm.
"""
bus = FakeBus()
await bus.connect()
captured: list[dict[str, Any]] = []
async def cap(_b, t, p, *, event_type=""):
captured.append({"topic": t, "payload": p})
monkeypatch.setattr(_aw, "publish_safely", cap)
iuid = "test-rearm-uuid"
class _StubRepo:
def __init__(self, entries: list[dict]) -> None:
self._entries = entries
async def list_multi_actor_identities(self) -> list[dict]:
return list(self._entries)
# First tick: identity fires with 2 primitives.
repo_above = _StubRepo([
{"identity_uuid": iuid, "primitives": ["prim.a", "prim.b"]},
])
last_fired: dict[str, Any] = {}
await _aw.tick_multi_actor(bus, repo_above, last_fired) # type: ignore[arg-type]
assert len(captured) == 1
assert iuid in last_fired
# Second tick: identity returned by repo but with only 1 primitive
# (sub-threshold defensive path). last_fired[iuid] must be cleared.
repo_below = _StubRepo([
{"identity_uuid": iuid, "primitives": ["prim.a"]},
])
await _aw.tick_multi_actor(bus, repo_below, last_fired) # type: ignore[arg-type]
assert iuid not in last_fired, (
"sub-threshold identity must be removed from last_fired so it re-arms"
)
# Third tick: identity climbs back above threshold — must re-fire.
await _aw.tick_multi_actor(bus, repo_above, last_fired) # type: ignore[arg-type]
assert len(captured) == 2, "identity must re-fire after rearm"
await bus.close()

66
tests/correlation/test_fingerprint_rotation.py
View File

@@ -235,3 +235,69 @@ def test_multiple_rotations_increment_counter(engine, now):
row = session.exec(select(AttackerFingerprintState)).one()
assert row.rotation_count == 2
assert row.last_hash == "h3"
def test_emit_after_commit_raising_publish_does_not_lose_row(engine, now) -> None:
"""BUG-9 regression: publish_fn is called AFTER session.commit().
A raising publish_fn must not roll back / lose the committed rotation
row. Before fix, publish was called before commit so a raise in
publish_fn left the session without a commit and the state row was lost.
"""
later = now + timedelta(hours=1)
call_order: list[str] = []
class _OrderRecorder:
def __call__(self, event_type: str, payload: dict) -> None:
call_order.append("emit")
raise RuntimeError("downstream unavailable")
publish = _OrderRecorder()
with Session(engine) as session:
# Patch session.commit to record ordering.
original_commit = session.commit
def _recording_commit() -> None:
call_order.append("commit")
original_commit()
session.commit = _recording_commit # type: ignore[method-assign]
_seed_attacker(session)
with Session(engine) as session:
original_commit2 = session.commit
def _recording_commit2() -> None:
call_order.append("commit")
original_commit2()
session.commit = _recording_commit2 # type: ignore[method-assign]
# first_sighting — no publish yet
record_fingerprint(
session,
attacker_ip="1.2.3.4", port=22, probe_type="hassh",
new_hash="h1", ts=now,
)
call_order.clear()
# rotation — publish_fn raises after commit
outcome = record_fingerprint(
session,
attacker_ip="1.2.3.4", port=22, probe_type="hassh",
new_hash="h2", ts=later,
publish_fn=publish,
)
assert outcome.kind == "rotated"
# commit must come before emit
assert call_order.index("commit") < call_order.index("emit")
# The rotation row must be persisted despite publish raising
with Session(engine) as session:
row = session.exec(select(AttackerFingerprintState)).one()
assert row.last_hash == "h2"
assert row.rotation_count == 1

40
tests/correlation/test_parser_double_wrap.py
View File

@@ -9,6 +9,8 @@ must agree with the collector's ``parse_rfc5424`` so that
"""
from __future__ import annotations
from datetime import timezone
from decnet.correlation.parser import parse_line
@@ -71,3 +73,41 @@ def test_outer_msgid_set_does_not_recurse() -> None:
assert e.event_type == "auth_attempt"
assert e.decky == "omega-decky"
assert e.service == "auth-helper"
# ---------------------------------------------------------------------------
# BUG-11 regression: naive datetime normalization
# ---------------------------------------------------------------------------
_NAIVE_TS_LINE = (
"<14>1 2026-05-02T06:22:48.089309 omega-decky smtp - disconnect "
"[relay@55555 src_ip=\"10.0.0.1\"]"
)
_AWARE_TS_LINE = (
"<14>1 2026-05-02T06:22:48.089309+00:00 omega-decky smtp - disconnect "
"[relay@55555 src_ip=\"10.0.0.2\"]"
)
def test_naive_timestamp_normalized_to_utc() -> None:
"""BUG-11 regression: a log line with a naïve ISO timestamp (no tz offset)
must parse to a tz-aware UTC datetime so it sorts alongside aware ones
without TypeError. Before fix, fromisoformat returned a naïve datetime
which crashed min/max/sort with aware datetimes downstream."""
e = parse_line(_NAIVE_TS_LINE)
assert e is not None
assert e.timestamp.tzinfo is not None
assert e.timestamp.tzinfo == timezone.utc
def test_naive_and_aware_timestamps_sortable_together() -> None:
"""A naïve-source entry and an aware-source entry must compare
without raising TypeError."""
naive_entry = parse_line(_NAIVE_TS_LINE)
aware_entry = parse_line(_AWARE_TS_LINE)
assert naive_entry is not None
assert aware_entry is not None
# min/max would raise TypeError pre-fix
earliest = min(naive_entry.timestamp, aware_entry.timestamp)
assert earliest is not None

23
tests/orchestrator/test_worker_integration.py
View File

@@ -276,6 +276,29 @@ async def test_one_tick_email_branch_records_orchestrator_email(
assert ev.payload["mail_decky_uuid"] == mail_decky.uuid
@pytest.mark.asyncio
async def test_smtp_probe_listener_get_bus_raises_no_unbound_error(
repo, monkeypatch,
) -> None:
"""BUG-7 regression: if get_bus() raises, the finally block must not
produce an UnboundLocalError on ``bus``; the function must return
cleanly (RuntimeError is logged+swallowed by the outer except handler)."""
import asyncio
from decnet.orchestrator import worker as _w
def bad_get_bus(**_kw):
raise RuntimeError("bus factory unavailable")
monkeypatch.setattr(_w, "get_bus", bad_get_bus)
shutdown = asyncio.Event()
shutdown.set()
# Before fix: UnboundLocalError escaped from finally because ``bus``
# was never assigned. After fix: completes without any exception.
await _w._run_smtp_probe_listener(repo, shutdown)
@pytest.mark.asyncio
async def test_tick_is_noop_when_no_running_deckies(repo, fake_bus, monkeypatch):
called = False

13
tests/ttp/test_rule_index.py
View File

@@ -345,9 +345,18 @@ def test_expired_state_treated_as_disabled_by_is_active() -> None:
def test_apply_ceiling_only_clamps_clipped() -> None:
from decnet.ttp.impl._state import apply_ceiling
# ceiling is ignored unless state is clipped
enabled = RuleState(state="enabled", confidence_max=0.5)
assert apply_ceiling(0.9, enabled) == 0.9 # ceiling ignored unless clipped
assert apply_ceiling(0.9, enabled) == 0.9
# clipped + base > ceiling → clamped to ceiling (not scaled)
clipped = RuleState(state="clipped", confidence_max=0.5)
assert apply_ceiling(0.9, clipped) == pytest.approx(0.45)
assert apply_ceiling(0.9, clipped) == pytest.approx(0.5)
# clipped + base <= ceiling → base passes through unchanged
clipped_below = RuleState(state="clipped", confidence_max=0.8)
assert apply_ceiling(0.6, clipped_below) == pytest.approx(0.6)
# clipped + no ceiling declared → base passes through
clipped_no_max = RuleState(state="clipped", confidence_max=None)
assert apply_ceiling(0.9, clipped_no_max) == 0.9

194
tests/updater/test_updater_client_pin.py Normal file
View File

@@ -0,0 +1,194 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
"""UpdaterClient SHA-256 leaf-cert pinning (master->worker updater channel).
The updater channel pip-installs code as root, so it pins the worker's
updater leaf cert against ``SwarmHost.updater_cert_fingerprint`` and fails
closed on mismatch OR a missing recorded fingerprint.
We don't need the real updater ASGI app: ``UpdaterClient.__aenter__`` runs
``_verify_pin`` which opens its own throwaway TLS connection to extract the
peer leaf cert before any RPC. A minimal threaded mTLS socket server that
simply completes the handshake is enough to exercise the pin.
"""
from __future__ import annotations
import pathlib
import socket
import ssl
import threading
import time
import pytest
from decnet.swarm import client as swarm_client
from decnet.swarm import pki
from decnet.swarm.updater_client import UpdaterClient
def _free_port() -> int:
s = socket.socket()
s.bind(("127.0.0.1", 0))
port = s.getsockname()[1]
s.close()
return port
class _MiniTLSServer:
"""Threaded mTLS server that accepts a connection, completes the
handshake (presenting the worker leaf cert), then closes."""
def __init__(self, worker_dir: pathlib.Path, port: int) -> None:
self._ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
self._ctx.load_cert_chain(
str(worker_dir / "worker.crt"), str(worker_dir / "worker.key")
)
self._ctx.load_verify_locations(cafile=str(worker_dir / "ca.crt"))
self._ctx.verify_mode = ssl.CERT_REQUIRED
self._sock = socket.socket()
self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self._sock.bind(("127.0.0.1", port))
self._sock.listen(8)
self._sock.settimeout(0.5)
self._stop = threading.Event()
self._thread = threading.Thread(target=self._serve, daemon=True)
def start(self) -> None:
self._thread.start()
def _serve(self) -> None:
while not self._stop.is_set():
try:
conn, _ = self._sock.accept()
except socket.timeout:
continue
except OSError:
break
try:
tls = self._ctx.wrap_socket(conn, server_side=True)
try:
tls.recv(64)
except OSError:
pass
tls.close()
except OSError:
try:
conn.close()
except OSError:
pass
def stop(self) -> None:
self._stop.set()
try:
self._sock.close()
except OSError:
pass
self._thread.join(timeout=5)
@pytest.fixture
def updater_env(tmp_path: pathlib.Path):
ca_dir = tmp_path / "ca"
pki.ensure_ca(ca_dir)
worker_dir = tmp_path / "updater"
pki.write_worker_bundle(
pki.issue_worker_cert(pki.load_ca(ca_dir), "updater-test", ["127.0.0.1"]),
worker_dir,
)
master_id = swarm_client.ensure_master_identity(ca_dir)
port = _free_port()
server = _MiniTLSServer(worker_dir, port)
server.start()
# Give the listener a moment.
time.sleep(0.1)
try:
yield worker_dir, port, master_id
finally:
server.stop()
@pytest.mark.asyncio
async def test_pin_accepts_matching_fingerprint(updater_env) -> None:
worker_dir, port, master_id = updater_env
expected = pki.fingerprint((worker_dir / "worker.crt").read_bytes())
host = {
"uuid": "h1",
"name": "updater-test",
"address": "127.0.0.1",
"updater_cert_fingerprint": expected,
}
async with UpdaterClient(
host=host, updater_port=port, identity=master_id
) as u:
# Entering the context already ran _verify_pin successfully.
assert u._expected_fingerprint == expected.lower()
@pytest.mark.asyncio
async def test_pin_rejects_mismatch(updater_env) -> None:
_worker_dir, port, master_id = updater_env
host = {
"uuid": "h1",
"name": "updater-test",
"address": "127.0.0.1",
"updater_cert_fingerprint": "0" * 64,
}
with pytest.raises(swarm_client.FingerprintMismatchError):
async with UpdaterClient(host=host, updater_port=port, identity=master_id):
pass
@pytest.mark.asyncio
async def test_pin_rejects_missing_fingerprint(updater_env) -> None:
"""Fail closed: a host with no recorded updater fingerprint is refused
(unlike AgentClient, the updater channel never falls through to CA-only)."""
_worker_dir, port, master_id = updater_env
host = {
"uuid": "h1",
"name": "updater-test",
"address": "127.0.0.1",
"updater_cert_fingerprint": None,
}
with pytest.raises(swarm_client.FingerprintMismatchError):
async with UpdaterClient(host=host, updater_port=port, identity=master_id):
pass
def test_verify_hostname_defaults_to_env_flag(monkeypatch) -> None:
"""The verify_hostname kwarg defaults to DECNET_VERIFY_HOSTNAME, which
now defaults to True (operators opt OUT explicitly)."""
import decnet.env as env
monkeypatch.setattr(env, "DECNET_VERIFY_HOSTNAME", True)
c_default = UpdaterClient(address="127.0.0.1", updater_port=9)
assert c_default._verify_hostname is True
monkeypatch.setattr(env, "DECNET_VERIFY_HOSTNAME", False)
c_off = UpdaterClient(address="127.0.0.1", updater_port=9)
assert c_off._verify_hostname is False
# Explicit kwarg overrides the env default.
c_explicit = UpdaterClient(
address="127.0.0.1", updater_port=9, verify_hostname=True
)
assert c_explicit._verify_hostname is True
@pytest.mark.asyncio
async def test_build_client_constructs_with_flag(updater_env) -> None:
"""_build_client must construct a client for both flag values without
error; check_hostname is wired from self._verify_hostname (verified via
the live handshake in the pin tests above, which use verify_hostname
from the env default)."""
import httpx
_worker_dir, port, master_id = updater_env
for flag in (True, False):
c = UpdaterClient(
address="127.0.0.1", updater_port=port, identity=master_id,
verify_hostname=flag,
)
built = c._build_client(httpx.Timeout(5.0))
assert isinstance(built, httpx.AsyncClient)
assert c._verify_hostname is flag
await built.aclose()

51
tests/web/test_web_api.py
View File

@@ -76,57 +76,6 @@ class TestGetCurrentUser:
await get_current_user(request)
# ── get_stream_user ───────────────────────────────────────────────────────────
class TestGetStreamUser:
@pytest.mark.asyncio
async def test_bearer_header(self):
from decnet.web.dependencies import get_stream_user
token = create_access_token({"uuid": "stream-uuid"})
request = MagicMock()
request.headers = {"Authorization": f"Bearer {token}"}
result = await get_stream_user(request, token=None)
assert result == "stream-uuid"
@pytest.mark.asyncio
async def test_query_param_fallback(self):
from decnet.web.dependencies import get_stream_user
token = create_access_token({"uuid": "query-uuid"})
request = MagicMock()
request.headers = {}
result = await get_stream_user(request, token=token)
assert result == "query-uuid"
@pytest.mark.asyncio
async def test_no_token_raises(self):
from fastapi import HTTPException
from decnet.web.dependencies import get_stream_user
request = MagicMock()
request.headers = {}
with pytest.raises(HTTPException) as exc_info:
await get_stream_user(request, token=None)
assert exc_info.value.status_code == 401
@pytest.mark.asyncio
async def test_invalid_token_raises(self):
from fastapi import HTTPException
from decnet.web.dependencies import get_stream_user
request = MagicMock()
request.headers = {}
with pytest.raises(HTTPException):
await get_stream_user(request, token="bad-token")
@pytest.mark.asyncio
async def test_missing_uuid_raises(self):
from fastapi import HTTPException
from decnet.web.dependencies import get_stream_user
token = create_access_token({"sub": "no-uuid"})
request = MagicMock()
request.headers = {"Authorization": f"Bearer {token}"}
with pytest.raises(HTTPException):
await get_stream_user(request, token=None)
# ── web/api.py lifespan ──────────────────────────────────────────────────────
class TestLifespan:

155
tests/webhook/test_client.py
View File

@@ -30,6 +30,23 @@ def _sub(url: str = "https://webhook.example/inbound", secret: str = "s" * 32) -
return {"uuid": "w1", "url": url, "secret": secret}
@pytest.fixture(autouse=True)
def _public_dns(monkeypatch: pytest.MonkeyPatch):
"""Resolve every hostname to a routable public IP so the SSRF guard
passes for the HMAC/retry behavioral tests without touching the network.
SSRF-specific tests below override this with their own resolution.
"""
import socket
from decnet.webhook import ssrf
def fake_getaddrinfo(host, port, *a, **k):
return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("93.184.216.34", port))]
monkeypatch.setattr(ssrf.socket, "getaddrinfo", fake_getaddrinfo)
def test_sign_matches_known_vector():
body = b'{"hello":"world"}'
secret = "0123456789abcdef"
@@ -144,3 +161,141 @@ async def test_deliver_receiver_can_verify_signature():
).hexdigest()
)
assert captured["sig"] == expected
# ----------------------------- SSRF egress guard ----------------------------
def _resolve_to(monkeypatch, ip: str) -> None:
import socket as _socket
from decnet.webhook import ssrf
def fake(host, port, *a, **k):
return [(_socket.AF_INET, _socket.SOCK_STREAM, 6, "", (ip, port))]
monkeypatch.setattr(ssrf.socket, "getaddrinfo", fake)
@pytest.mark.parametrize(
"url",
[
"https://127.0.0.1/inbound", # loopback literal
"https://169.254.169.254/latest/meta-data", # cloud metadata
"https://10.1.2.3/inbound", # RFC1918 literal
"https://192.168.1.5/x", # RFC1918 literal
"https://[::1]/x", # IPv6 loopback
],
)
@pytest.mark.asyncio
async def test_deliver_blocks_forbidden_ip_literal(url):
sent = {"n": 0}
async def handler(request: httpx.Request) -> httpx.Response:
sent["n"] += 1
return httpx.Response(200)
transport = httpx.MockTransport(handler)
async with httpx.AsyncClient(transport=transport) as client:
result = await deliver(_sub(url=url), _EVENT, retry_schedule=[], client=client)
assert result.ok is False
assert result.attempts == 0 # never left the guard
assert sent["n"] == 0 # transport never hit
@pytest.mark.asyncio
async def test_deliver_blocks_hostname_resolving_to_private(monkeypatch):
_resolve_to(monkeypatch, "10.0.0.7")
sent = {"n": 0}
async def handler(request: httpx.Request) -> httpx.Response:
sent["n"] += 1
return httpx.Response(200)
transport = httpx.MockTransport(handler)
async with httpx.AsyncClient(transport=transport) as client:
result = await deliver(
_sub(url="https://rebind.evil.example/x"), _EVENT,
retry_schedule=[], client=client,
)
assert result.ok is False
assert sent["n"] == 0
assert "forbidden" in (result.error or "").lower()
@pytest.mark.asyncio
async def test_deliver_blocks_non_http_scheme():
result = await deliver(
_sub(url="file:///etc/passwd"), _EVENT, retry_schedule=[],
)
assert result.ok is False
assert "scheme" in (result.error or "").lower()
@pytest.mark.asyncio
async def test_deliver_public_url_passes(monkeypatch):
_resolve_to(monkeypatch, "93.184.216.34")
async def handler(request: httpx.Request) -> httpx.Response:
return httpx.Response(200)
transport = httpx.MockTransport(handler)
async with httpx.AsyncClient(transport=transport) as client:
result = await deliver(
_sub(url="https://good.example/inbound"), _EVENT,
retry_schedule=[], client=client,
)
assert result.ok is True
@pytest.mark.asyncio
async def test_deliver_allow_private_escape_hatch(monkeypatch):
# Operator opt-in flips the guard off for internal targets.
import decnet.env as env
monkeypatch.setattr(env, "DECNET_WEBHOOK_ALLOW_PRIVATE", True)
async def handler(request: httpx.Request) -> httpx.Response:
return httpx.Response(200)
transport = httpx.MockTransport(handler)
async with httpx.AsyncClient(transport=transport) as client:
result = await deliver(
_sub(url="https://127.0.0.1/inbound"), _EVENT,
retry_schedule=[], client=client,
)
assert result.ok is True
@pytest.mark.asyncio
async def test_deliver_does_not_follow_redirect_to_internal(monkeypatch):
"""A 302 pointing at an IMDS address must never be followed.
deliver() sets follow_redirects=False on every send() call regardless of
the injected client's config, so the response is the raw 302 and the
internal IP is never contacted.
"""
requests_seen: list[str] = []
async def handler(request: httpx.Request) -> httpx.Response:
requests_seen.append(str(request.url))
# First request: public host returns a redirect to the cloud metadata IP.
return httpx.Response(
302,
headers={"Location": "http://169.254.169.254/latest/meta-data/"},
)
transport = httpx.MockTransport(handler)
# Deliberately build the client with follow_redirects=True to prove that
# deliver() overrides it at the send() level.
async with httpx.AsyncClient(
transport=transport, follow_redirects=True
) as client:
result = await deliver(_sub(), _EVENT, retry_schedule=[], client=client)
# Only the initial request to the public host should have been made.
assert len(requests_seen) == 1
assert "169.254.169.254" not in requests_seen[0]
# deliver() treats the 302 as a non-retryable non-2xx.
assert result.ok is False
assert result.status_code == 302

14
tests/webhook/test_worker.py
View File

@@ -19,6 +19,20 @@ from decnet.webhook.worker import (
)
@pytest.fixture(autouse=True)
def _public_dns(monkeypatch: pytest.MonkeyPatch):
"""Resolve the test webhook host to a public IP so the egress SSRF guard
passes for these integration tests without touching the network."""
import socket
from decnet.webhook import ssrf
def fake_getaddrinfo(host, port, *a, **k):
return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("93.184.216.34", port))]
monkeypatch.setattr(ssrf.socket, "getaddrinfo", fake_getaddrinfo)
def _sub(
uuid: str,
name: str,