anti
ea95a009df
Groups every flat test_*.py under the module it exercises, matching the
existing tests/{profiler,sniffer,prober,collector,correlation,cli,web,
topology,swarm,bus,updater,api,docker,geoip,...} layout. New folders:
services/, fleet/, config/, logging/, db/ (+ db/mysql/), telemetry/,
mutator/, core/.
Path-dependent __file__ references bumped an extra .parent in three
files that moved one level deeper:
- tests/sniffer/test_sniffer_ja3.py (template path)
- tests/services/test_ssh_capture_emit.py (template path)
- tests/cli/test_mode_gating.py (REPO root)
- tests/web/test_env_lazy_jwt.py (repo var)
Also drops two SQLite runtime artifacts (test_decnet.db-{shm,wal}) that
were leaking into the repo from a previous test run.
Fixes two test_service_isolation cases that patched asyncio.sleep (no
longer on the profiler main-loop hot path — same pre-existing bug I
fixed earlier in test_attacker_worker.py) by patching asyncio.wait_for
and passing interval=0.
67 lines
2.6 KiB
Python
67 lines
2.6 KiB
Python
"""
|
|
Tests for _ensure_admin_user env-drift self-healing.
|
|
|
|
Scenario: DECNET_ADMIN_PASSWORD changes between runs while the SQLite DB
|
|
persists on disk. Previously _ensure_admin_user was strictly insert-if-missing,
|
|
so the stale hash from the first seed locked out every subsequent login.
|
|
|
|
Contract: if the admin still has must_change_password=True (they never
|
|
finalized their own password), the stored hash re-syncs from the env.
|
|
Once the admin picks a real password, we never touch it.
|
|
"""
|
|
import pytest
|
|
|
|
from decnet.web.auth import verify_password
|
|
from decnet.web.db.sqlite.repository import SQLiteRepository
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_admin_seeded_on_empty_db(tmp_path, monkeypatch):
|
|
monkeypatch.setattr("decnet.web.db.sqlmodel_repo.DECNET_ADMIN_PASSWORD", "first")
|
|
repo = SQLiteRepository(db_path=str(tmp_path / "t.db"))
|
|
await repo.initialize()
|
|
user = await repo.get_user_by_username("admin")
|
|
assert user is not None
|
|
assert verify_password("first", user["password_hash"])
|
|
assert user["must_change_password"] is True or user["must_change_password"] == 1
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_admin_password_resyncs_when_not_finalized(tmp_path, monkeypatch):
|
|
db = str(tmp_path / "t.db")
|
|
|
|
monkeypatch.setattr("decnet.web.db.sqlmodel_repo.DECNET_ADMIN_PASSWORD", "first")
|
|
r1 = SQLiteRepository(db_path=db)
|
|
await r1.initialize()
|
|
|
|
monkeypatch.setattr("decnet.web.db.sqlmodel_repo.DECNET_ADMIN_PASSWORD", "second")
|
|
r2 = SQLiteRepository(db_path=db)
|
|
await r2.initialize()
|
|
|
|
user = await r2.get_user_by_username("admin")
|
|
assert verify_password("second", user["password_hash"])
|
|
assert not verify_password("first", user["password_hash"])
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_finalized_admin_password_is_preserved(tmp_path, monkeypatch):
|
|
db = str(tmp_path / "t.db")
|
|
|
|
monkeypatch.setattr("decnet.web.db.sqlmodel_repo.DECNET_ADMIN_PASSWORD", "seed")
|
|
r1 = SQLiteRepository(db_path=db)
|
|
await r1.initialize()
|
|
admin = await r1.get_user_by_username("admin")
|
|
# Simulate the admin finalising their password via the change-password flow.
|
|
from decnet.web.auth import get_password_hash
|
|
await r1.update_user_password(
|
|
admin["uuid"], get_password_hash("chosen"), must_change_password=False
|
|
)
|
|
|
|
monkeypatch.setattr("decnet.web.db.sqlmodel_repo.DECNET_ADMIN_PASSWORD", "different")
|
|
r2 = SQLiteRepository(db_path=db)
|
|
await r2.initialize()
|
|
|
|
user = await r2.get_user_by_username("admin")
|
|
assert verify_password("chosen", user["password_hash"])
|
|
assert not verify_password("different", user["password_hash"])
|