anti
337520c7ad
- V7.1.3: env known-insecure-default error no longer echoes the rejected secret value. - V9.1.4: syslog-over-TLS forwarder + listener pin minimum_version=TLSv1_2. - V12.1.2: updater tarball SHA-256 verification is now mandatory and fail-closed — /update and /update-self reject a missing digest (400), the executor rejects missing/mismatched digests before extract/apply. Every push path supplies it. - V13.1.4: reject a wildcard '*' in DECNET_CORS_ORIGINS at startup. - V13.1.5: enforce application/json on JSON write endpoints (415 otherwise), exempting multipart upload routes. - BUG-17: SSE error log records the user uuid, not the resume cursor. Also completes V2.1.7 consistently: the attacker-injectable PYTEST* env bypass is replaced with explicit DECNET_TESTING=1 in the three remaining sites (env.validate_public_binding, config logging, mysql url builder). Tests added for every fix; unanimous adversarial review (no update-outage risk — all push paths verified to send the digest).
79 lines
3.3 KiB
Python
79 lines
3.3 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""
|
|
Unit tests for decnet.web.db.mysql.database.build_mysql_url / resolve_url.
|
|
|
|
No MySQL server is required — these are pure URL-construction tests.
|
|
"""
|
|
import pytest
|
|
|
|
from decnet.web.db.mysql.database import build_mysql_url, resolve_url
|
|
|
|
|
|
def test_build_url_defaults(monkeypatch):
|
|
for v in ("DECNET_DB_HOST", "DECNET_DB_PORT", "DECNET_DB_NAME",
|
|
"DECNET_DB_USER", "DECNET_DB_PASSWORD", "DECNET_DB_URL"):
|
|
monkeypatch.delenv(v, raising=False)
|
|
# DECNET_TESTING=1 is set by conftest, so empty password is allowed here.
|
|
url = build_mysql_url()
|
|
assert url == "mysql+asyncmy://decnet:@localhost:3306/decnet"
|
|
|
|
|
|
def test_build_url_from_env(monkeypatch):
|
|
monkeypatch.setenv("DECNET_DB_HOST", "db.internal")
|
|
monkeypatch.setenv("DECNET_DB_PORT", "3307")
|
|
monkeypatch.setenv("DECNET_DB_NAME", "decnet_prod")
|
|
monkeypatch.setenv("DECNET_DB_USER", "svc_decnet")
|
|
monkeypatch.setenv("DECNET_DB_PASSWORD", "hunter2")
|
|
url = build_mysql_url()
|
|
assert url == "mysql+asyncmy://svc_decnet:hunter2@db.internal:3307/decnet_prod"
|
|
|
|
|
|
def test_build_url_percent_encodes_password(monkeypatch):
|
|
"""Passwords with @ : / # etc must not break URL parsing."""
|
|
monkeypatch.setenv("DECNET_DB_PASSWORD", "p@ss:word/!#")
|
|
url = build_mysql_url(user="u", host="h", port=3306, database="d")
|
|
# @ → %40, : → %3A, / → %2F, # → %23, ! → %21
|
|
assert "p%40ss%3Aword%2F%21%23" in url
|
|
assert url.startswith("mysql+asyncmy://u:")
|
|
assert url.endswith("@h:3306/d")
|
|
|
|
|
|
def test_build_url_component_args_override_env(monkeypatch):
|
|
monkeypatch.setenv("DECNET_DB_HOST", "ignored")
|
|
monkeypatch.setenv("DECNET_DB_PASSWORD", "env-pw")
|
|
url = build_mysql_url(host="arg.host", user="arg-user", password="arg-pw",
|
|
port=9999, database="arg-db")
|
|
assert url == "mysql+asyncmy://arg-user:arg-pw@arg.host:9999/arg-db"
|
|
|
|
|
|
def test_resolve_url_prefers_explicit_arg(monkeypatch):
|
|
monkeypatch.setenv("DECNET_DB_URL", "mysql+asyncmy://env-url/x")
|
|
assert resolve_url("mysql+asyncmy://explicit/y") == "mysql+asyncmy://explicit/y"
|
|
|
|
|
|
def test_resolve_url_uses_env_url_before_components(monkeypatch):
|
|
monkeypatch.setenv("DECNET_DB_URL", "mysql+asyncmy://env-user:env-pw@env-host/env-db")
|
|
monkeypatch.setenv("DECNET_DB_HOST", "ignored.host")
|
|
assert resolve_url() == "mysql+asyncmy://env-user:env-pw@env-host/env-db"
|
|
|
|
|
|
def test_resolve_url_falls_back_to_components(monkeypatch):
|
|
monkeypatch.delenv("DECNET_DB_URL", raising=False)
|
|
monkeypatch.setenv("DECNET_DB_HOST", "fallback.host")
|
|
monkeypatch.setenv("DECNET_DB_PASSWORD", "pw")
|
|
url = resolve_url()
|
|
assert "fallback.host" in url
|
|
assert url.startswith("mysql+asyncmy://")
|
|
|
|
|
|
def test_build_url_requires_password_outside_tests(monkeypatch):
|
|
"""Without a password and not under the test harness, construction must fail loudly."""
|
|
for v in ("DECNET_DB_URL", "DECNET_DB_PASSWORD"):
|
|
monkeypatch.delenv(v, raising=False)
|
|
# Clear the test-harness flag so the safety check trips. A leaked PYTEST_*
|
|
# var must NOT re-enable the bypass (V2.1.7).
|
|
monkeypatch.delenv("DECNET_TESTING", raising=False)
|
|
monkeypatch.setenv("PYTEST_CURRENT_TEST", "x")
|
|
with pytest.raises(ValueError, match="DECNET_DB_PASSWORD is not set"):
|
|
build_mysql_url()
|