anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b70845a85d50061f80a687520dbb80fd7d015a7a
DECNET/tests/api/webhooks/test_crud.py
anti b70845a85d feat(webhooks): subscription CRUD + HMAC-signed delivery client 
Introduces the webhook egress foundation — a new WebhookSubscription
table, admin-gated CRUD under /api/v1/webhooks, and the shared
delivery client that both the test-ping route and the upcoming worker
will use. No worker yet; this commit is API + model + client only.

Simple-mode enum (AttackerDetail / DeckyStatus / SystemStatus) expands
to bus-topic patterns at the router layer; storage is always the raw
pattern list. Advanced mode lets admins supply raw NATS-style patterns
directly. Filter-at-subscribe: the worker (next commit) will subscribe
to the union of patterns across enabled subscriptions.

Delivery client handles HMAC-SHA256 signing (X-DECNET-Signature),
retry on 429/5xx/network errors with jittered backoff, no-retry on
4xx. Secrets never leave the server on GET/LIST — only the create
response carries the secret for copy-out.

CRUD routes publish WEBHOOK_SUBSCRIPTIONS_CHANGED on the bus after
every mutation so the (future) worker can hot-reload.

Opens DEBT-037 for the deferred items (circuit breaker, dead-letter,
batch delivery, payload templates, secret-at-rest).
2026-04-24 15:30:05 -04:00

188 lines
5.2 KiB
Python
Raw Blame History

"""CRUD tests for /api/v1/webhooks — admin-gated subscription management."""
from __future__ import annotations
import httpx
import pytest
PATH = "/api/v1/webhooks/"
@pytest.mark.asyncio
async def test_create_requires_patterns(client: httpx.AsyncClient, auth_token: str):
res = await client.post(
PATH,
json={"name": "wh1", "url": "https://example.com/x"},
headers={"Authorization": f"Bearer {auth_token}"},
)
assert res.status_code == 400, res.text
@pytest.mark.asyncio
async def test_create_expands_simple_events(
client: httpx.AsyncClient, auth_token: str
):
res = await client.post(
PATH,
json={
"name": "wh-simple",
"url": "https://example.com/x",
"simple_events": ["AttackerDetail"],
},
headers={"Authorization": f"Bearer {auth_token}"},
)
assert res.status_code == 201, res.text
body = res.json()
assert body["topic_patterns"] == ["attacker.>"]
# Create-path carries the secret for copy-out.
assert body["secret"]
assert len(body["secret"]) >= 16
@pytest.mark.asyncio
async def test_list_strips_secret(client: httpx.AsyncClient, auth_token: str):
await client.post(
PATH,
json={
"name": "wh-list",
"url": "https://example.com/x",
"topic_patterns": ["system.>"],
},
headers={"Authorization": f"Bearer {auth_token}"},
)
res = await client.get(
PATH, headers={"Authorization": f"Bearer {auth_token}"}
)
assert res.status_code == 200
rows = res.json()
assert len(rows) >= 1
for r in rows:
assert "secret" not in r
@pytest.mark.asyncio
async def test_get_single_strips_secret(
client: httpx.AsyncClient, auth_token: str
):
create = await client.post(
PATH,
json={
"name": "wh-one",
"url": "https://example.com/x",
"topic_patterns": ["decky.*.state"],
},
headers={"Authorization": f"Bearer {auth_token}"},
)
uuid = create.json()["uuid"]
res = await client.get(
PATH + uuid, headers={"Authorization": f"Bearer {auth_token}"}
)
assert res.status_code == 200
assert "secret" not in res.json()
@pytest.mark.asyncio
async def test_duplicate_name_conflicts(
client: httpx.AsyncClient, auth_token: str
):
payload = {
"name": "wh-dup",
"url": "https://example.com/x",
"topic_patterns": ["system.>"],
}
first = await client.post(
PATH, json=payload, headers={"Authorization": f"Bearer {auth_token}"}
)
assert first.status_code == 201
second = await client.post(
PATH, json=payload, headers={"Authorization": f"Bearer {auth_token}"}
)
assert second.status_code == 409
@pytest.mark.asyncio
async def test_patch_merges_patterns(
client: httpx.AsyncClient, auth_token: str
):
create = await client.post(
PATH,
json={
"name": "wh-patch",
"url": "https://example.com/x",
"simple_events": ["AttackerDetail"],
},
headers={"Authorization": f"Bearer {auth_token}"},
)
uuid = create.json()["uuid"]
res = await client.patch(
PATH + uuid,
json={"topic_patterns": ["custom.>"]},
headers={"Authorization": f"Bearer {auth_token}"},
)
assert res.status_code == 200
# simple_events was NOT passed → it's None → only raw patterns survive.
assert res.json()["topic_patterns"] == ["custom.>"]
@pytest.mark.asyncio
async def test_patch_refuses_empty_patterns(
client: httpx.AsyncClient, auth_token: str
):
create = await client.post(
PATH,
json={
"name": "wh-empty",
"url": "https://example.com/x",
"simple_events": ["AttackerDetail"],
},
headers={"Authorization": f"Bearer {auth_token}"},
)
uuid = create.json()["uuid"]
res = await client.patch(
PATH + uuid,
json={"simple_events": [], "topic_patterns": []},
headers={"Authorization": f"Bearer {auth_token}"},
)
assert res.status_code == 400
@pytest.mark.asyncio
async def test_delete_returns_message(
client: httpx.AsyncClient, auth_token: str
):
create = await client.post(
PATH,
json={
"name": "wh-del",
"url": "https://example.com/x",
"topic_patterns": ["system.>"],
},
headers={"Authorization": f"Bearer {auth_token}"},
)
uuid = create.json()["uuid"]
res = await client.delete(
PATH + uuid, headers={"Authorization": f"Bearer {auth_token}"}
)
assert res.status_code == 200
assert res.json() == {"message": "Webhook deleted"}
# Second delete → 404.
res2 = await client.delete(
PATH + uuid, headers={"Authorization": f"Bearer {auth_token}"}
)
assert res2.status_code == 404
@pytest.mark.asyncio
async def test_viewer_forbidden(client: httpx.AsyncClient, viewer_token: str):
res = await client.get(
PATH, headers={"Authorization": f"Bearer {viewer_token}"}
)
assert res.status_code == 403
@pytest.mark.asyncio
async def test_unauthenticated_rejected(client: httpx.AsyncClient):
res = await client.get(PATH)
assert res.status_code == 401
Reference in New Issue View Git Blame Copy Permalink