anti
245975a6dd
Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5): - env secret validation no longer bypassed by attacker-injectable PYTEST* env; gated on explicit DECNET_TESTING=1 (set only in conftest). - must_change_password now enforced on the SSE header-JWT path, not just ticket mint. - GET /system/deployment-mode requires viewer auth (was leaking role + topology size). - CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected explicitly instead of bcrypt silently truncating. Swarm ingestion (V9.1.3, BUG-16): - Log listener hard-rejects peers with unparseable/empty cert CN (fail closed, ingests nothing) instead of tagging 'unknown'. - Shutdown handlers no longer swallow real errors (narrowed to CancelledError). Info leakage (V7.1.2, V14.1.2): - Exception text sanitized on swarm-update, health, tarpit, realism, file-drop, blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged server-side, generic detail returned). pyproject license corrected to AGPL-3.0. Correctness (BUG-12..16): - BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry, consistent principal_key canonicalization). - BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop). - BUG-14 worker wake cleared before wait (no lost wake during tick). - BUG-15 intel gather tolerates an unexpected provider raise. - BUG-16 see above. Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk + documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix; unanimous adversarial review after two refute-fix rounds.
241 lines
7.8 KiB
Python
241 lines
7.8 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""POST /api/v1/swarm-updates/push — happy paths, rollback, validation."""
|
|
from __future__ import annotations
|
|
|
|
import re
|
|
|
|
import pytest
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Helpers
|
|
# ---------------------------------------------------------------------------
|
|
|
|
_INTERNAL_LEAK_RE = re.compile(
|
|
r"Errno|ConnectionRefused|TimeoutError|OSError|RuntimeError|Exception|"
|
|
r"Traceback|\w+Error:\s|\w+Exception:\s|File \"|line \d+",
|
|
re.IGNORECASE,
|
|
)
|
|
|
|
def _assert_no_internal_detail(detail: str | None) -> None:
|
|
"""Assert the detail string does not contain any internal exception noise."""
|
|
if detail is None:
|
|
return
|
|
assert not _INTERNAL_LEAK_RE.search(detail), (
|
|
f"V7.1.2: internal exception detail leaked to client: {detail!r}"
|
|
)
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_push_to_single_host_success(client, auth_token, add_host, fake_updater):
|
|
h = await add_host("alpha")
|
|
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {auth_token}"},
|
|
json={"host_uuids": [h["uuid"]]},
|
|
)
|
|
assert resp.status_code == 200
|
|
body = resp.json()
|
|
assert body["sha"] == "deadbeef"
|
|
assert body["tarball_bytes"] == len(b"tarball-bytes")
|
|
assert body["results"][0]["status"] == "updated"
|
|
assert body["results"][0]["host_name"] == "alpha"
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_push_reports_rollback_on_409(client, auth_token, add_host, fake_updater):
|
|
h = await add_host("alpha")
|
|
Resp = fake_updater["Response"]
|
|
fake_updater["client"].update_responses = {
|
|
"alpha": Resp(409, {"error": "probe timed out", "stderr": "boom", "rolled_back": True}),
|
|
}
|
|
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {auth_token}"},
|
|
json={"host_uuids": [h["uuid"]]},
|
|
)
|
|
assert resp.status_code == 200
|
|
result = resp.json()["results"][0]
|
|
assert result["status"] == "rolled-back"
|
|
assert result["http_status"] == 409
|
|
assert result["stderr"] == "boom"
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_push_all_aggregates_mixed_results(client, auth_token, add_host, fake_updater):
|
|
await add_host("alpha", "10.0.0.1")
|
|
await add_host("beta", "10.0.0.2")
|
|
Resp = fake_updater["Response"]
|
|
fake_updater["client"].update_responses = {
|
|
"alpha": Resp(200, {"probe": "ok"}),
|
|
"beta": RuntimeError("connect timeout"),
|
|
}
|
|
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {auth_token}"},
|
|
json={"all": True},
|
|
)
|
|
assert resp.status_code == 200
|
|
statuses = {r["host_name"]: r["status"] for r in resp.json()["results"]}
|
|
assert statuses == {"alpha": "updated", "beta": "failed"}
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_transport_exception_detail_does_not_leak_internals(
|
|
client, auth_token, add_host, fake_updater,
|
|
):
|
|
"""V7.1.2: a raw transport exception must never appear in the response body."""
|
|
await add_host("alpha", "10.0.0.1")
|
|
fake_updater["client"].update_responses = {
|
|
"alpha": OSError("[Errno 111] Connection refused"),
|
|
}
|
|
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {auth_token}"},
|
|
json={"all": True},
|
|
)
|
|
assert resp.status_code == 200
|
|
result = resp.json()["results"][0]
|
|
assert result["status"] == "failed"
|
|
_assert_no_internal_detail(result.get("detail"))
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_include_self_failure_detail_does_not_leak_internals(
|
|
client, auth_token, add_host, fake_updater,
|
|
):
|
|
"""V7.1.2: include_self transport failure must not expose exception class/msg."""
|
|
await add_host("alpha", "10.0.0.1")
|
|
fake_updater["client"].update_self_responses = {
|
|
"alpha": OSError("[Errno 104] Connection reset by peer"),
|
|
}
|
|
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {auth_token}"},
|
|
json={"all": True, "include_self": True},
|
|
)
|
|
assert resp.status_code == 200
|
|
result = resp.json()["results"][0]
|
|
# status is self-failed (non-expected drop)
|
|
assert result["status"] == "self-failed"
|
|
_assert_no_internal_detail(result.get("detail"))
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_tarball_built_once_across_multi_host_push(
|
|
client, auth_token, add_host, fake_updater, monkeypatch,
|
|
):
|
|
await add_host("alpha", "10.0.0.1")
|
|
await add_host("beta", "10.0.0.2")
|
|
calls = {"count": 0}
|
|
|
|
def counted(root, extra_excludes=None):
|
|
calls["count"] += 1
|
|
return b"tarball-bytes"
|
|
|
|
monkeypatch.setattr(
|
|
"decnet.web.router.swarm_updates.api_push_update.tar_working_tree", counted,
|
|
)
|
|
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {auth_token}"},
|
|
json={"all": True},
|
|
)
|
|
assert resp.status_code == 200
|
|
assert calls["count"] == 1
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_include_self_only_runs_update_self_on_success(
|
|
client, auth_token, add_host, fake_updater,
|
|
):
|
|
await add_host("alpha", "10.0.0.1")
|
|
await add_host("beta", "10.0.0.2")
|
|
Resp = fake_updater["Response"]
|
|
fake_updater["client"].update_responses = {
|
|
"alpha": Resp(200, {"probe": "ok"}),
|
|
"beta": Resp(409, {"error": "bad", "rolled_back": True}),
|
|
}
|
|
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {auth_token}"},
|
|
json={"all": True, "include_self": True},
|
|
)
|
|
assert resp.status_code == 200
|
|
results = {r["host_name"]: r for r in resp.json()["results"]}
|
|
assert results["alpha"]["status"] == "self-updated"
|
|
assert results["beta"]["status"] == "rolled-back"
|
|
# update_self must NOT have been called on beta (rolled-back agent).
|
|
methods_called = [(name, m) for name, m, _ in fake_updater["client"].calls]
|
|
assert ("beta", "update_self") not in methods_called
|
|
assert ("alpha", "update_self") in methods_called
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_include_self_tolerates_expected_connection_drop(
|
|
client, auth_token, add_host, fake_updater, connection_drop_exc,
|
|
):
|
|
await add_host("alpha", "10.0.0.1")
|
|
fake_updater["client"].update_self_responses = {
|
|
"alpha": connection_drop_exc,
|
|
}
|
|
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {auth_token}"},
|
|
json={"all": True, "include_self": True},
|
|
)
|
|
assert resp.status_code == 200
|
|
assert resp.json()["results"][0]["status"] == "self-updated"
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_host_and_all_are_mutually_exclusive(
|
|
client, auth_token, add_host, fake_updater,
|
|
):
|
|
h = await add_host("alpha")
|
|
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {auth_token}"},
|
|
json={"host_uuids": [h["uuid"]], "all": True},
|
|
)
|
|
assert resp.status_code == 400
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_neither_host_nor_all_rejected(client, auth_token, fake_updater):
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {auth_token}"},
|
|
json={},
|
|
)
|
|
assert resp.status_code == 400
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_unknown_host_uuid_returns_404(client, auth_token, fake_updater):
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {auth_token}"},
|
|
json={"host_uuids": ["nonexistent"]},
|
|
)
|
|
assert resp.status_code == 404
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_viewer_is_forbidden(client, viewer_token, add_host, fake_updater):
|
|
h = await add_host("alpha")
|
|
resp = await client.post(
|
|
"/api/v1/swarm-updates/push",
|
|
headers={"Authorization": f"Bearer {viewer_token}"},
|
|
json={"host_uuids": [h["uuid"]]},
|
|
)
|
|
assert resp.status_code == 403
|