anti
d80e6aa6d1
Auth (V2.1.1/V3.1.2, V2.1.3, V3.1.1): - Pin JWT iss/aud/typ at mint and require+verify them at decode; revocation (jti denylist + tokens_valid_from) still enforced. - Change-password now requires min_length=12. - SSE auth moves off JWT-in-URL to a single-use 60s opaque ticket (POST /auth/sse-ticket); raw JWT in query no longer authenticates a stream. Removed dead fail-open get_stream_user helper. Egress (V5.1.1, V9.1.1/V14.1.3): - Webhook delivery + CRUD reject SSRF destinations (private/loopback/link-local/ metadata, IPv4-mapped, multi-A-record) via resolved-IP validation, pin to the vetted IP, and never auto-follow redirects. Opt-out via DECNET_WEBHOOK_ALLOW_PRIVATE. - UpdaterClient pins the worker leaf cert SHA-256 against the stored per-host fingerprint (fail closed on missing/mismatch); DECNET_VERIFY_HOSTNAME now defaults True. Hardening (V13.1.3, V4.1.4, V13.1.2): - Rate-limit change-password (5/min), enroll-bundle (10/min), webhook-create (20/min), host-delete (20/min) via the existing slowapi limiter. - Correct false 'global auth middleware' comment; document enroll-bundle proxy trust. Correctness (BUG-7..11): - BUG-7 unbound bus in finally; BUG-8 apply_ceiling clamps to min(base,ceiling); BUG-9 commit before emit; BUG-10 multi-actor rearm for sub-threshold identities; BUG-11 normalize naive timestamps to UTC. Already-closed (no change): V14.1.1, V2.1.2/V3.1.3, V5.1.2. Tests added for every fix; unanimous adversarial review.
156 lines
5.7 KiB
Python
156 lines
5.7 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""Bulk session revocation (WI3): password/role changes move tokens_valid_from
|
|
forward, killing every prior token for that user.
|
|
|
|
End-to-end revocation is proven with deterministically *aged* tokens (iat well
|
|
in the past) so the assertions don't race the floored-cutoff grey zone — a
|
|
token minted in the very same wall-clock second as the change intentionally
|
|
survives (see dependencies._resolve_token). The same-second re-login path is
|
|
covered separately.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import time
|
|
import uuid as _uuid
|
|
|
|
import jwt
|
|
import pytest
|
|
from sqlalchemy import select
|
|
|
|
from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
|
|
from decnet.web.auth import (
|
|
ALGORITHM,
|
|
JWT_AUDIENCE,
|
|
JWT_ISSUER,
|
|
JWT_TYPE,
|
|
SECRET_KEY,
|
|
get_password_hash,
|
|
)
|
|
from decnet.web.db.models import User
|
|
from decnet.web.dependencies import repo
|
|
|
|
PROTECTED = "/api/v1/attackers?limit=1"
|
|
|
|
|
|
async def _seed_user(username: str, password: str, role: str = "viewer") -> str:
|
|
async with repo.session_factory() as session:
|
|
existing = (await session.execute(
|
|
select(User).where(User.username == username)
|
|
)).scalar_one_or_none()
|
|
if existing:
|
|
return existing.uuid
|
|
u = str(_uuid.uuid4())
|
|
session.add(User(
|
|
uuid=u, username=username, password_hash=get_password_hash(password),
|
|
role=role, must_change_password=False,
|
|
))
|
|
await session.commit()
|
|
return u
|
|
|
|
|
|
def _auth(token: str) -> dict[str, str]:
|
|
return {"Authorization": f"Bearer {token}"}
|
|
|
|
|
|
def _uuid_of(token: str) -> str:
|
|
return jwt.decode(token, options={"verify_signature": False})["uuid"]
|
|
|
|
|
|
def _aged_token(uuid: str, *, seconds_old: int = 30) -> str:
|
|
"""A well-formed token issued ``seconds_old`` ago — older than any cutoff a
|
|
change sets to 'now', so it is deterministically revoked once bumped."""
|
|
now = int(time.time())
|
|
return jwt.encode(
|
|
{
|
|
"uuid": uuid,
|
|
"jti": f"aged-{uuid}",
|
|
"iat": now - seconds_old,
|
|
"exp": now + 3600,
|
|
# The verifier now pins issuer/audience/type (V2.1.1 / V3.1.2); a
|
|
# manually-encoded token must carry them or decode rejects it.
|
|
"iss": JWT_ISSUER,
|
|
"aud": JWT_AUDIENCE,
|
|
"typ": JWT_TYPE,
|
|
},
|
|
SECRET_KEY, algorithm=ALGORITHM,
|
|
)
|
|
|
|
|
|
async def _login(client, username: str, password: str) -> str:
|
|
r = await client.post(
|
|
"/api/v1/auth/login", json={"username": username, "password": password},
|
|
)
|
|
return r.json()["access_token"]
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_self_password_change_revokes_prior_tokens(client):
|
|
# Dedicated user — the admin fixture already bumped admin's cutoff. The aged
|
|
# token is the "old session"; a fresh login drives the change.
|
|
uuid = await _seed_user("selfchange-user", "selfchange-pass-1")
|
|
aged = _aged_token(uuid)
|
|
assert (await client.get(PROTECTED, headers=_auth(aged))).status_code == 200
|
|
current = await _login(client, "selfchange-user", "selfchange-pass-1")
|
|
r = await client.post(
|
|
"/api/v1/auth/change-password",
|
|
json={"old_password": "selfchange-pass-1", "new_password": "selfchange-pass-2"},
|
|
headers=_auth(current),
|
|
)
|
|
assert r.status_code == 200, r.text
|
|
# Every token issued before the change is dead.
|
|
assert (await client.get(PROTECTED, headers=_auth(aged))).status_code == 401
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_relogin_after_password_change_works_immediately(client, auth_token):
|
|
# Guards the same-second iat/cutoff race: a re-login right after the change
|
|
# must succeed (floored cutoff), not get caught by its own revocation.
|
|
await client.post(
|
|
"/api/v1/auth/change-password",
|
|
json={"old_password": DECNET_ADMIN_PASSWORD, "new_password": "fresh-pass-77"},
|
|
headers=_auth(auth_token),
|
|
)
|
|
fresh = await _login(client, DECNET_ADMIN_USER, "fresh-pass-77")
|
|
assert (await client.get(PROTECTED, headers=_auth(fresh))).status_code == 200
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_admin_password_reset_revokes_target_sessions(client, auth_token, viewer_token):
|
|
viewer_uuid = _uuid_of(viewer_token)
|
|
aged = _aged_token(viewer_uuid)
|
|
assert (await client.get(PROTECTED, headers=_auth(aged))).status_code == 200
|
|
r = await client.put(
|
|
f"/api/v1/config/users/{viewer_uuid}/reset-password",
|
|
json={"new_password": "reset-by-admin-1"},
|
|
headers=_auth(auth_token),
|
|
)
|
|
assert r.status_code == 200, r.text
|
|
assert (await client.get(PROTECTED, headers=_auth(aged))).status_code == 401
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_role_change_revokes_target_sessions(client, auth_token, viewer_token):
|
|
viewer_uuid = _uuid_of(viewer_token)
|
|
aged = _aged_token(viewer_uuid)
|
|
assert (await client.get(PROTECTED, headers=_auth(aged))).status_code == 200
|
|
r = await client.put(
|
|
f"/api/v1/config/users/{viewer_uuid}/role",
|
|
json={"role": "admin"},
|
|
headers=_auth(auth_token),
|
|
)
|
|
assert r.status_code == 200, r.text
|
|
assert (await client.get(PROTECTED, headers=_auth(aged))).status_code == 401
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_revocation_is_per_user(client, auth_token, viewer_token):
|
|
# Resetting the viewer must not revoke the admin's own (valid) token.
|
|
assert (await client.get(PROTECTED, headers=_auth(auth_token))).status_code == 200
|
|
viewer_uuid = _uuid_of(viewer_token)
|
|
await client.put(
|
|
f"/api/v1/config/users/{viewer_uuid}/reset-password",
|
|
json={"new_password": "reset-by-admin-2"},
|
|
headers=_auth(auth_token),
|
|
)
|
|
assert (await client.get(PROTECTED, headers=_auth(auth_token))).status_code == 200
|