anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
698ecaa322be98b9dde536844edf89162a42d32f
DECNET/tests/web/test_web_api.py
anti 698ecaa322 feat(auth): jti claim and token-revocation store 
Stateless JWTs had no revocation path: a stolen token stayed valid for
its full 24h even after the victim changed their password, and there was
no logout. This lays the foundation for revoking them.

- User.tokens_valid_from: per-user bulk-revocation cutoff (compared against
  the token's iat). RevokedToken(jti PK, exp): single-token denylist, pruned
  opportunistically on insert so it never outgrows live-but-revoked tokens.
- login() now mints a jti; create_access_token already stamps iat/exp.
- repo.revoke_token / is_token_revoked / set_tokens_valid_from (abstract +
  shared sqlmodel impl + DummyRepo coverage stubs).
- Centralized validate path in dependencies.py: every auth dependency now
  resolves the user and fails closed on (1) missing jti (legacy/pre-deploy
  token -> one forced re-login), (2) iat before the cutoff, (3) a denylisted
  jti. Denylist lookups ride a 10s membership cache mirroring the user cache.
- Contract/fuzz harness seeds its fixed-uuid principal under
  DECNET_CONTRACT_TEST so its minted token resolves to a live admin user.
2026-05-30 18:18:41 -04:00

174 lines
7.5 KiB
Python
Raw Blame History

# SPDX-License-Identifier: AGPL-3.0-or-later
"""
Tests for decnet/web/api.py lifespan and decnet/web/dependencies.py auth helpers.
"""
import asyncio
from unittest.mock import AsyncMock, MagicMock, patch
import pytest
from decnet.web.auth import create_access_token
# ── get_current_user ──────────────────────────────────────────────────────────
class TestGetCurrentUser:
@pytest.mark.asyncio
async def test_valid_token(self):
# Post token-revocation, get_current_user resolves the user and checks
# the denylist, so a valid token must carry a jti, name a live user, and
# not be revoked.
from decnet.web import dependencies as deps
from decnet.web.dependencies import get_current_user
deps._reset_user_cache()
token = create_access_token({"uuid": "test-uuid-123", "jti": "jti-1"})
request = MagicMock()
request.headers = {"Authorization": f"Bearer {token}"}
user = {
"uuid": "test-uuid-123", "role": "viewer",
"must_change_password": False, "tokens_valid_from": None,
}
with patch.object(deps.repo, "get_user_by_uuid", AsyncMock(return_value=user)), \
patch.object(deps.repo, "is_token_revoked", AsyncMock(return_value=False)):
result = await get_current_user(request)
assert result == "test-uuid-123"
@pytest.mark.asyncio
async def test_no_auth_header(self):
from fastapi import HTTPException
from decnet.web.dependencies import get_current_user
request = MagicMock()
request.headers = {}
with pytest.raises(HTTPException) as exc_info:
await get_current_user(request)
assert exc_info.value.status_code == 401
@pytest.mark.asyncio
async def test_invalid_jwt(self):
from fastapi import HTTPException
from decnet.web.dependencies import get_current_user
request = MagicMock()
request.headers = {"Authorization": "Bearer invalid-token"}
with pytest.raises(HTTPException) as exc_info:
await get_current_user(request)
assert exc_info.value.status_code == 401
@pytest.mark.asyncio
async def test_missing_uuid_in_payload(self):
from fastapi import HTTPException
from decnet.web.dependencies import get_current_user
token = create_access_token({"sub": "no-uuid-field"})
request = MagicMock()
request.headers = {"Authorization": f"Bearer {token}"}
with pytest.raises(HTTPException) as exc_info:
await get_current_user(request)
assert exc_info.value.status_code == 401
@pytest.mark.asyncio
async def test_bearer_prefix_required(self):
from fastapi import HTTPException
from decnet.web.dependencies import get_current_user
token = create_access_token({"uuid": "test-uuid"})
request = MagicMock()
request.headers = {"Authorization": f"Token {token}"}
with pytest.raises(HTTPException):
await get_current_user(request)
# ── get_stream_user ───────────────────────────────────────────────────────────
class TestGetStreamUser:
@pytest.mark.asyncio
async def test_bearer_header(self):
from decnet.web.dependencies import get_stream_user
token = create_access_token({"uuid": "stream-uuid"})
request = MagicMock()
request.headers = {"Authorization": f"Bearer {token}"}
result = await get_stream_user(request, token=None)
assert result == "stream-uuid"
@pytest.mark.asyncio
async def test_query_param_fallback(self):
from decnet.web.dependencies import get_stream_user
token = create_access_token({"uuid": "query-uuid"})
request = MagicMock()
request.headers = {}
result = await get_stream_user(request, token=token)
assert result == "query-uuid"
@pytest.mark.asyncio
async def test_no_token_raises(self):
from fastapi import HTTPException
from decnet.web.dependencies import get_stream_user
request = MagicMock()
request.headers = {}
with pytest.raises(HTTPException) as exc_info:
await get_stream_user(request, token=None)
assert exc_info.value.status_code == 401
@pytest.mark.asyncio
async def test_invalid_token_raises(self):
from fastapi import HTTPException
from decnet.web.dependencies import get_stream_user
request = MagicMock()
request.headers = {}
with pytest.raises(HTTPException):
await get_stream_user(request, token="bad-token")
@pytest.mark.asyncio
async def test_missing_uuid_raises(self):
from fastapi import HTTPException
from decnet.web.dependencies import get_stream_user
token = create_access_token({"sub": "no-uuid"})
request = MagicMock()
request.headers = {"Authorization": f"Bearer {token}"}
with pytest.raises(HTTPException):
await get_stream_user(request, token=None)
# ── web/api.py lifespan ──────────────────────────────────────────────────────
class TestLifespan:
@pytest.mark.asyncio
async def test_lifespan_startup_and_shutdown(self):
from decnet.web.api import lifespan
mock_app = MagicMock()
mock_repo = MagicMock()
mock_repo.initialize = AsyncMock()
with patch("decnet.web.api.repo", mock_repo):
with patch("decnet.web.api.log_ingestion_worker", return_value=asyncio.sleep(0)):
with patch("decnet.web.api.log_collector_worker", return_value=asyncio.sleep(0)):
with patch("decnet.web.api.attacker_profile_worker", return_value=asyncio.sleep(0)):
with patch("decnet.web.api.tarpit_watcher_worker", return_value=asyncio.sleep(0)):
async with lifespan(mock_app):
mock_repo.initialize.assert_awaited_once()
@pytest.mark.asyncio
async def test_lifespan_db_retry(self):
from decnet.web.api import lifespan
mock_app = MagicMock()
mock_repo = MagicMock()
_call_count: int = 0
async def _failing_init():
nonlocal _call_count
_call_count += 1
if _call_count < 3:
raise Exception("DB locked")
mock_repo.initialize = _failing_init
with patch("decnet.web.api.repo", mock_repo):
# Patch only the local _retry_sleep binding — patching
# `asyncio.sleep` globally would starve the heartbeat loop's
# own sleep and leak the task past the test's lifetime.
with patch("decnet.web.api._retry_sleep", new_callable=AsyncMock):
with patch("decnet.web.api.log_ingestion_worker", return_value=asyncio.sleep(0)):
with patch("decnet.web.api.log_collector_worker", return_value=asyncio.sleep(0)):
with patch("decnet.web.api.attacker_profile_worker", return_value=asyncio.sleep(0)):
with patch("decnet.web.api.tarpit_watcher_worker", return_value=asyncio.sleep(0)):
async with lifespan(mock_app):
assert _call_count == 3
Reference in New Issue View Git Blame Copy Permalink