anti
f2b3393669
Replaces LICENSE (GPLv3 -> AGPLv3) and prepends `SPDX-License-Identifier: AGPL-3.0-or-later` to every source file across decnet/, decnet_web/, tests/, scripts/, and tools/. Rationale: closes the GPLv3 ASP loophole so any party operating a modified DECNET as a network service must offer their modified source. Personal copyright (Samuel Paschuan) + inbound=outbound contributions make a future unilateral relicense infeasible. - LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt) - COPYRIGHT: project copyright notice - tools/add_spdx_headers.py: idempotent header injector (shebang- and PEP 263-aware) Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh). No behavior change; comments only.
96 lines
3.1 KiB
Python
96 lines
3.1 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""E.2.8 — GET endpoint shape + auth contract for /api/v1/ttp/*.
|
|
|
|
The TTP router landed at E.1.9 (contract phase) returning typed
|
|
empty values. Every documented GET endpoint is now exercised: 200
|
|
with a JWT, 401 without. Repo-backed data lands at E.3 implementation
|
|
phase; this suite stays green across that transition because the
|
|
shape contract is stable from E.1.9 forward.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
from typing import Any
|
|
|
|
import httpx
|
|
import pytest
|
|
|
|
from tests.api.ttp.conftest import (
|
|
BY_ATTACKER,
|
|
BY_CAMPAIGN,
|
|
BY_IDENTITY,
|
|
BY_SESSION,
|
|
NAVIGATOR,
|
|
NAVIGATOR_IDENTITY,
|
|
RULES,
|
|
TECHNIQUES,
|
|
hdr,
|
|
)
|
|
|
|
|
|
def _resolve(path: str) -> str:
|
|
"""Substitute synthetic UUIDs / IDs into path templates."""
|
|
return path.format(
|
|
identity_uuid="00000000-0000-5000-8000-000000000000",
|
|
attacker_uuid="00000000-0000-5000-8000-000000000001",
|
|
campaign_uuid="00000000-0000-5000-8000-000000000002",
|
|
session_id="sess-deadbeef",
|
|
uuid="00000000-0000-5000-8000-000000000000",
|
|
)
|
|
|
|
|
|
# Documented GET endpoints — each must respond 200 with a JWT and 401
|
|
# without. Today they 404 because the router doesn't exist; the
|
|
# strict-xfail trip-wire flips when E.3.8 ships.
|
|
_GET_ENDPOINTS: list[str] = [
|
|
TECHNIQUES,
|
|
BY_IDENTITY,
|
|
BY_ATTACKER,
|
|
BY_CAMPAIGN,
|
|
BY_SESSION,
|
|
RULES,
|
|
NAVIGATOR,
|
|
NAVIGATOR_IDENTITY,
|
|
]
|
|
|
|
|
|
@pytest.mark.parametrize("path", _GET_ENDPOINTS)
|
|
@pytest.mark.asyncio
|
|
async def test_get_returns_200_with_jwt(
|
|
client: httpx.AsyncClient, auth_token: str, path: str,
|
|
) -> None:
|
|
res = await client.get(_resolve(path), headers=hdr(auth_token))
|
|
assert res.status_code == 200, res.text
|
|
body: Any = res.json()
|
|
# Documented response shapes vary per endpoint; every one is
|
|
# at least a JSON object or list. The schema-stability fixtures
|
|
# under tests/api/ttp/schemas/ pin the per-endpoint shape once
|
|
# impl lands.
|
|
assert isinstance(body, (dict, list))
|
|
|
|
|
|
@pytest.mark.parametrize("path", _GET_ENDPOINTS)
|
|
@pytest.mark.asyncio
|
|
async def test_get_returns_401_without_jwt(
|
|
client: httpx.AsyncClient, path: str,
|
|
) -> None:
|
|
res = await client.get(_resolve(path))
|
|
# Per project rule: every API GET is auth-gated → 401 without a JWT
|
|
# (NOT 403, NOT 404). Pinned exactly so a future "let unauth read
|
|
# the rules catalogue" change is visible.
|
|
assert res.status_code == 401, (path, res.status_code, res.text)
|
|
|
|
|
|
# ─── Router-presence sanity ──────────────────────────────────────────────────
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_ttp_router_is_mounted(
|
|
client: httpx.AsyncClient, auth_token: str,
|
|
) -> None:
|
|
"""At least one documented TTP endpoint returns something other
|
|
than 404 — i.e. the router is mounted. The strict-xfail flips
|
|
the day E.3.8 wires the router, regardless of which endpoint
|
|
landed first."""
|
|
res = await client.get(TECHNIQUES, headers=hdr(auth_token))
|
|
assert res.status_code != 404, res.text
|