70812955d1
Restores core.database/core.models/core.session_manager parent package attributes after session-owner test import stubs. Fixes one focused #2580 CI-baseline pollution bucket.
178 lines
7.2 KiB
Python
178 lines
7.2 KiB
Python
"""Tests for token-owner session attribution (effective_user + session routes).
|
|
|
|
Proves the two properties the review asked for:
|
|
- cookie/browser users are completely unchanged (no-op swap)
|
|
- a bearer token for owner A can never read/verify owner B's session, and a
|
|
bearer token with no owner does not escalate.
|
|
|
|
Follows the direct-helper + mocked-DB style of tests/test_null_owner_gates.py.
|
|
"""
|
|
|
|
import os
|
|
import sys
|
|
import importlib
|
|
from types import SimpleNamespace
|
|
from unittest.mock import MagicMock
|
|
|
|
import pytest
|
|
|
|
sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
|
|
|
|
# Stub heavy ORM modules so routes.session_routes can be imported under
|
|
# conftest's MagicMock sqlalchemy shim. Both the stubs and the cached route
|
|
# module — including the parent `routes` package attribute — are restored in the
|
|
# finally block to prevent poisoning later tests via `import routes.session_routes`.
|
|
_ABSENT = object()
|
|
|
|
|
|
def _save_module_and_parent_attr(dotted_name):
|
|
"""Capture a module's sys.modules entry *and* its parent-package attribute.
|
|
|
|
Importing ``routes.session_routes`` also sets ``session_routes`` on the
|
|
parent ``routes`` package object, and ``import routes.session_routes as X``
|
|
resolves ``X`` through that parent attribute — so restoring sys.modules
|
|
alone leaves the stale stub-bound module reachable. Returns a (module, attr)
|
|
pair to hand back to _restore_module_and_parent_attr.
|
|
"""
|
|
saved_module = sys.modules.get(dotted_name, _ABSENT)
|
|
pkg_name, _, attr = dotted_name.rpartition(".")
|
|
pkg = sys.modules.get(pkg_name)
|
|
saved_attr = getattr(pkg, attr, _ABSENT) if pkg is not None else _ABSENT
|
|
return saved_module, saved_attr
|
|
|
|
|
|
def _restore_module_and_parent_attr(dotted_name, saved_module, saved_attr):
|
|
"""Restore (or remove) both the sys.modules entry and the parent attribute.
|
|
|
|
Passing _ABSENT for both clears the cache, which is how we drop any stale
|
|
entry before the stubbed import.
|
|
"""
|
|
if saved_module is _ABSENT:
|
|
sys.modules.pop(dotted_name, None)
|
|
else:
|
|
sys.modules[dotted_name] = saved_module
|
|
pkg_name, _, attr = dotted_name.rpartition(".")
|
|
pkg = sys.modules.get(pkg_name)
|
|
if pkg is None:
|
|
return
|
|
if saved_attr is _ABSENT:
|
|
if hasattr(pkg, attr):
|
|
delattr(pkg, attr)
|
|
else:
|
|
setattr(pkg, attr, saved_attr)
|
|
|
|
|
|
def _set_module_and_parent_attr(dotted_name, module):
|
|
"""Install a module at both sys.modules *and* the parent-package attribute.
|
|
|
|
Setting only sys.modules[...] leaves the parent `core` package attribute
|
|
pointing at the previous (real) module, so a later import resolving through
|
|
the parent would bypass the stub — and, symmetrically, a stub left on the
|
|
parent attribute would poison later tests. Controlling both keeps the two
|
|
views consistent so the finally block can fully undo them.
|
|
"""
|
|
sys.modules[dotted_name] = module
|
|
pkg_name, _, attr = dotted_name.rpartition(".")
|
|
pkg = sys.modules.get(pkg_name)
|
|
if pkg is not None:
|
|
setattr(pkg, attr, module)
|
|
|
|
|
|
# Modules whose import-time effects leak through both sys.modules and the parent
|
|
# `core`/`routes` package attributes. core.database/core.models are stubbed so
|
|
# routes.session_routes imports under conftest's MagicMock sqlalchemy shim;
|
|
# core.session_manager and routes.session_routes are (re)imported fresh. Each is
|
|
# captured at both levels and restored in the finally block so this file cannot
|
|
# poison later tests via `import core.<...>` / `import routes.session_routes`.
|
|
_TEMP_STUBS = ("core.database", "core.models")
|
|
_MANAGED = _TEMP_STUBS + ("core.session_manager", "routes.session_routes")
|
|
_saved = {name: _save_module_and_parent_attr(name) for name in _MANAGED}
|
|
try:
|
|
for _name in _TEMP_STUBS:
|
|
_set_module_and_parent_attr(_name, MagicMock(name=_name))
|
|
# Clear sys.modules AND the parent package attribute for the modules we
|
|
# re-import so the stubbed import below yields fresh modules with no stale
|
|
# binding reachable behind them.
|
|
_restore_module_and_parent_attr("core.session_manager", _ABSENT, _ABSENT)
|
|
_restore_module_and_parent_attr("routes.session_routes", _ABSENT, _ABSENT)
|
|
importlib.import_module("core.session_manager")
|
|
import routes.session_routes as SR # noqa: E402
|
|
finally:
|
|
for _name, _save in _saved.items():
|
|
_restore_module_and_parent_attr(_name, *_save)
|
|
|
|
from fastapi import HTTPException # noqa: E402
|
|
from src.auth_helpers import effective_user # noqa: E402
|
|
|
|
|
|
def _req(**state):
|
|
return SimpleNamespace(state=SimpleNamespace(**state))
|
|
|
|
|
|
# --- effective_user: who a request is attributed to ------------------------
|
|
|
|
def test_cookie_user_is_unchanged():
|
|
# The whole point: browser/cookie callers behave exactly as before.
|
|
assert effective_user(_req(api_token=False, current_user="alice")) == "alice"
|
|
|
|
|
|
def test_bearer_token_attributes_to_its_owner():
|
|
# A paired phone runs as the "api" pseudo-user but must act as the token owner.
|
|
assert effective_user(_req(api_token=True, api_token_owner="alice", current_user="api")) == "alice"
|
|
|
|
|
|
def test_bearer_token_without_owner_does_not_escalate():
|
|
# No owner on the token -> falls back to current_user ("api"), never another user.
|
|
assert effective_user(_req(api_token=True, api_token_owner=None, current_user="api")) == "api"
|
|
|
|
|
|
# --- _verify_session_owner: bearer tokens cannot cross owners ---------------
|
|
|
|
def _session_local_returning(owner_value):
|
|
"""Mock SessionLocal whose query(...).filter(...).first() yields a row with
|
|
the given owner (or None for 'no such session')."""
|
|
db = MagicMock()
|
|
row = None if owner_value is _MISSING else SimpleNamespace(owner=owner_value)
|
|
db.query.return_value.filter.return_value.first.return_value = row
|
|
return MagicMock(return_value=db)
|
|
|
|
|
|
_MISSING = object()
|
|
|
|
|
|
def test_bearer_owner_A_cannot_verify_owner_B_session(monkeypatch):
|
|
monkeypatch.setattr(SR, "SessionLocal", _session_local_returning("bob"))
|
|
req = _req(api_token=True, api_token_owner="alice", current_user="api")
|
|
with pytest.raises(HTTPException) as exc:
|
|
SR._verify_session_owner(req, "sid-owned-by-bob")
|
|
assert exc.value.status_code == 404
|
|
|
|
|
|
def test_owner_can_verify_their_own_session(monkeypatch):
|
|
monkeypatch.setattr(SR, "SessionLocal", _session_local_returning("alice"))
|
|
req = _req(api_token=True, api_token_owner="alice", current_user="api")
|
|
# Should not raise.
|
|
SR._verify_session_owner(req, "sid-owned-by-alice")
|
|
|
|
|
|
def test_cookie_user_owns_their_session(monkeypatch):
|
|
# Cookie path unchanged: alice (cookie) verifies alice's session.
|
|
monkeypatch.setattr(SR, "SessionLocal", _session_local_returning("alice"))
|
|
req = _req(api_token=False, current_user="alice")
|
|
SR._verify_session_owner(req, "sid")
|
|
|
|
|
|
def test_missing_session_is_404(monkeypatch):
|
|
monkeypatch.setattr(SR, "SessionLocal", _session_local_returning(_MISSING))
|
|
req = _req(api_token=False, current_user="alice")
|
|
with pytest.raises(HTTPException) as exc:
|
|
SR._verify_session_owner(req, "nope")
|
|
assert exc.value.status_code == 404
|
|
|
|
|
|
def test_unauthenticated_caller_rejected(monkeypatch):
|
|
req = _req(api_token=False, current_user=None)
|
|
with pytest.raises(HTTPException) as exc:
|
|
SR._verify_session_owner(req, "sid")
|
|
assert exc.value.status_code == 403
|