anti
f2b3393669
Replaces LICENSE (GPLv3 -> AGPLv3) and prepends `SPDX-License-Identifier: AGPL-3.0-or-later` to every source file across decnet/, decnet_web/, tests/, scripts/, and tools/. Rationale: closes the GPLv3 ASP loophole so any party operating a modified DECNET as a network service must offer their modified source. Personal copyright (Samuel Paschuan) + inbound=outbound contributions make a future unilateral relicense infeasible. - LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt) - COPYRIGHT: project copyright notice - tools/add_spdx_headers.py: idempotent header injector (shebang- and PEP 263-aware) Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh). No behavior change; comments only.
68 lines
2.6 KiB
Python
68 lines
2.6 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""
|
|
Tests for _ensure_admin_user env-drift self-healing.
|
|
|
|
Scenario: DECNET_ADMIN_PASSWORD changes between runs while the SQLite DB
|
|
persists on disk. Previously _ensure_admin_user was strictly insert-if-missing,
|
|
so the stale hash from the first seed locked out every subsequent login.
|
|
|
|
Contract: if the admin still has must_change_password=True (they never
|
|
finalized their own password), the stored hash re-syncs from the env.
|
|
Once the admin picks a real password, we never touch it.
|
|
"""
|
|
import pytest
|
|
|
|
from decnet.web.auth import verify_password
|
|
from decnet.web.db.sqlite.repository import SQLiteRepository
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_admin_seeded_on_empty_db(tmp_path, monkeypatch):
|
|
monkeypatch.setattr("decnet.web.db.sqlmodel_repo.DECNET_ADMIN_PASSWORD", "first")
|
|
repo = SQLiteRepository(db_path=str(tmp_path / "t.db"))
|
|
await repo.initialize()
|
|
user = await repo.get_user_by_username("admin")
|
|
assert user is not None
|
|
assert verify_password("first", user["password_hash"])
|
|
assert user["must_change_password"] is True or user["must_change_password"] == 1
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_admin_password_resyncs_when_not_finalized(tmp_path, monkeypatch):
|
|
db = str(tmp_path / "t.db")
|
|
|
|
monkeypatch.setattr("decnet.web.db.sqlmodel_repo.DECNET_ADMIN_PASSWORD", "first")
|
|
r1 = SQLiteRepository(db_path=db)
|
|
await r1.initialize()
|
|
|
|
monkeypatch.setattr("decnet.web.db.sqlmodel_repo.DECNET_ADMIN_PASSWORD", "second")
|
|
r2 = SQLiteRepository(db_path=db)
|
|
await r2.initialize()
|
|
|
|
user = await r2.get_user_by_username("admin")
|
|
assert verify_password("second", user["password_hash"])
|
|
assert not verify_password("first", user["password_hash"])
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_finalized_admin_password_is_preserved(tmp_path, monkeypatch):
|
|
db = str(tmp_path / "t.db")
|
|
|
|
monkeypatch.setattr("decnet.web.db.sqlmodel_repo.DECNET_ADMIN_PASSWORD", "seed")
|
|
r1 = SQLiteRepository(db_path=db)
|
|
await r1.initialize()
|
|
admin = await r1.get_user_by_username("admin")
|
|
# Simulate the admin finalising their password via the change-password flow.
|
|
from decnet.web.auth import get_password_hash
|
|
await r1.update_user_password(
|
|
admin["uuid"], get_password_hash("chosen"), must_change_password=False
|
|
)
|
|
|
|
monkeypatch.setattr("decnet.web.db.sqlmodel_repo.DECNET_ADMIN_PASSWORD", "different")
|
|
r2 = SQLiteRepository(db_path=db)
|
|
await r2.initialize()
|
|
|
|
user = await r2.get_user_by_username("admin")
|
|
assert verify_password("chosen", user["password_hash"])
|
|
assert not verify_password("different", user["password_hash"])
|