anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ab1151ee7fb5952f6912e34375f4f27f2d82ed7b
DECNET/tests/api/auth/test_sse_ticket.py
anti 245975a6dd fix(security): close LOW ASVS findings — env bypass, SSE/deployment authz, CN fail-close, password byte-limit, exception leaks, BUG-12..16 
Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5):
- env secret validation no longer bypassed by attacker-injectable PYTEST* env;
  gated on explicit DECNET_TESTING=1 (set only in conftest).
- must_change_password now enforced on the SSE header-JWT path, not just ticket mint.
- GET /system/deployment-mode requires viewer auth (was leaking role + topology size).
- CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected
  explicitly instead of bcrypt silently truncating.

Swarm ingestion (V9.1.3, BUG-16):
- Log listener hard-rejects peers with unparseable/empty cert CN (fail closed,
  ingests nothing) instead of tagging 'unknown'.
- Shutdown handlers no longer swallow real errors (narrowed to CancelledError).

Info leakage (V7.1.2, V14.1.2):
- Exception text sanitized on swarm-update, health, tarpit, realism, file-drop,
  blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged
  server-side, generic detail returned). pyproject license corrected to AGPL-3.0.

Correctness (BUG-12..16):
- BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry,
  consistent principal_key canonicalization).
- BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop).
- BUG-14 worker wake cleared before wait (no lost wake during tick).
- BUG-15 intel gather tolerates an unexpected provider raise.
- BUG-16 see above.

Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk +
documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix;
unanimous adversarial review after two refute-fix rounds.
2026-06-10 13:27:14 -04:00

149 lines
5.9 KiB
Python
Raw Blame History

# SPDX-License-Identifier: AGPL-3.0-or-later
"""SSE stream tickets (V3.1.1) + change-password min-length (V2.1.3).
The ticket store is a security boundary: single-use, 60s, fail-closed. These
cover the mint→redeem happy path, single-use reuse rejection, expiry rejection,
the endpoint round-trip, and the V3.1.1 invariant that a raw JWT in the SSE
query string is no longer accepted.
"""
from __future__ import annotations
import httpx
import pytest
from fastapi import HTTPException
from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
from decnet.web.auth import create_access_token
from decnet.web import dependencies as deps
# ── ticket store unit tests ──────────────────────────────────────────────────
def test_mint_then_redeem_happy_path() -> None:
deps._reset_sse_tickets()
ticket = deps.mint_sse_ticket("user-1", "viewer")
identity = deps._redeem_sse_ticket(ticket)
assert identity == {"uuid": "user-1", "role": "viewer"}
def test_ticket_is_single_use() -> None:
deps._reset_sse_tickets()
ticket = deps.mint_sse_ticket("user-1", "admin")
deps._redeem_sse_ticket(ticket) # first redeem consumes it
with pytest.raises(HTTPException) as exc:
deps._redeem_sse_ticket(ticket)
assert exc.value.status_code == 401
def test_unknown_ticket_rejected() -> None:
deps._reset_sse_tickets()
with pytest.raises(HTTPException) as exc:
deps._redeem_sse_ticket("never-minted")
assert exc.value.status_code == 401
def test_expired_ticket_rejected() -> None:
deps._reset_sse_tickets()
# Mint, then jam the entry's expiry into the past so redeem fails closed.
ticket = deps.mint_sse_ticket("user-1", "viewer")
exp, identity = deps._sse_tickets[ticket]
deps._sse_tickets[ticket] = (exp - deps._SSE_TICKET_TTL - 1, identity)
with pytest.raises(HTTPException) as exc:
deps._redeem_sse_ticket(ticket)
assert exc.value.status_code == 401
# ── endpoint round-trip ──────────────────────────────────────────────────────
@pytest.mark.anyio
async def test_sse_ticket_endpoint_requires_auth(client: httpx.AsyncClient) -> None:
resp = await client.post("/api/v1/auth/sse-ticket")
assert resp.status_code == 401
@pytest.mark.anyio
async def test_sse_ticket_endpoint_mints_and_redeems(
client: httpx.AsyncClient, auth_token: str
) -> None:
deps._reset_sse_tickets()
resp = await client.post(
"/api/v1/auth/sse-ticket",
headers={"Authorization": f"Bearer {auth_token}"},
)
assert resp.status_code == 200, resp.text
body = resp.json()
assert body["expires_in"] == 60
ticket = body["ticket"]
assert ticket and "." not in ticket # opaque, not a JWT
# The minted ticket redeems to a bound identity exactly once.
identity = deps._redeem_sse_ticket(ticket)
assert "uuid" in identity and identity["role"] in ("admin", "viewer")
@pytest.mark.anyio
async def test_sse_header_jwt_rejects_must_change_password(monkeypatch) -> None:
"""V4.1.5: the header-JWT SSE branch must enforce must_change_password the
same way require_role does. A user blocked from every REST endpoint must not
be able to subscribe to live SSE streams with their existing token."""
async def _fake_resolve(token: str):
return "user-1", {"uuid": "user-1", "role": "viewer", "must_change_password": True}
monkeypatch.setattr(deps, "_resolve_token", _fake_resolve)
class _Req:
headers = {"Authorization": "Bearer some.jwt.token"}
gate = deps.require_stream_role("viewer", "admin")
with pytest.raises(HTTPException) as exc:
await gate(_Req(), ticket=None) # type: ignore[arg-type]
assert exc.value.status_code == 403
assert "Password change required" in exc.value.detail
@pytest.mark.anyio
async def test_sse_header_jwt_allows_cleared_user(monkeypatch) -> None:
"""Control: a user who has cleared must_change_password passes the header-JWT
SSE gate (proves the new guard didn't break the happy path)."""
async def _fake_resolve(token: str):
return "user-1", {"uuid": "user-1", "role": "viewer", "must_change_password": False}
monkeypatch.setattr(deps, "_resolve_token", _fake_resolve)
class _Req:
headers = {"Authorization": "Bearer some.jwt.token"}
gate = deps.require_stream_role("viewer", "admin")
user = await gate(_Req(), ticket=None) # type: ignore[arg-type]
assert user["uuid"] == "user-1"
def test_raw_jwt_in_sse_query_rejected() -> None:
"""V3.1.1: a raw JWT is not a valid opaque ticket — _redeem_sse_ticket rejects
any token that wasn't minted by mint_sse_ticket (unknown key → 401)."""
deps._reset_sse_tickets()
token = create_access_token({"uuid": "leaked", "jti": "x"})
with pytest.raises(HTTPException) as exc:
deps._redeem_sse_ticket(token)
assert exc.value.status_code == 401
# ── V2.1.3 change-password min length ────────────────────────────────────────
@pytest.mark.anyio
async def test_change_password_below_min_length_rejected(
client: httpx.AsyncClient,
) -> None:
resp = await client.post("/api/v1/auth/login", json={
"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD,
})
token = resp.json()["access_token"]
# 11 chars — one below the 12-char floor. The request-validation layer
# rejects the bad length before any auth/logic runs; DECNET's schema-guard
# middleware surfaces length violations as 400 (not the raw 422).
r = await client.post(
"/api/v1/auth/change-password",
json={"old_password": DECNET_ADMIN_PASSWORD, "new_password": "short123456"},
headers={"Authorization": f"Bearer {token}"},
)
assert r.status_code in (400, 422), r.text
Reference in New Issue View Git Blame Copy Permalink