136 lines
3.9 KiB
Python
136 lines
3.9 KiB
Python
from pathlib import Path
|
|
|
|
import pytest
|
|
from fastapi import Depends, Request
|
|
from fastapi.testclient import TestClient
|
|
|
|
from geniehive_control.auth import require_client_auth
|
|
from geniehive_control.keys import hash_api_key
|
|
from geniehive_control.main import create_app
|
|
|
|
|
|
def _write_config(tmp_path: Path, body: str) -> Path:
|
|
config_path = tmp_path / "control.yaml"
|
|
config_path.write_text(body)
|
|
return config_path
|
|
|
|
|
|
def test_static_client_key_auth_still_works(tmp_path: Path) -> None:
|
|
config_path = _write_config(
|
|
tmp_path,
|
|
f"""
|
|
auth:
|
|
client_api_keys:
|
|
- static-key
|
|
storage:
|
|
sqlite_path: "{tmp_path / 'geniehive.sqlite3'}"
|
|
""",
|
|
)
|
|
app = create_app(config_path)
|
|
client = TestClient(app)
|
|
|
|
assert client.get("/v1/models").status_code == 401
|
|
ok = client.get("/v1/models", headers={"X-Api-Key": "static-key"})
|
|
assert ok.status_code == 200
|
|
|
|
|
|
def test_empty_static_keys_still_allow_development_access(tmp_path: Path) -> None:
|
|
config_path = _write_config(
|
|
tmp_path,
|
|
f"""
|
|
storage:
|
|
sqlite_path: "{tmp_path / 'geniehive.sqlite3'}"
|
|
""",
|
|
)
|
|
app = create_app(config_path)
|
|
client = TestClient(app)
|
|
|
|
response = client.get("/v1/models")
|
|
assert response.status_code == 200
|
|
|
|
|
|
def test_named_client_key_auth_when_enabled(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
|
|
monkeypatch.setenv("GENIEHIVE_KEY_HASH_SECRET", "test-secret")
|
|
db_path = tmp_path / "geniehive.sqlite3"
|
|
config_path = _write_config(
|
|
tmp_path,
|
|
f"""
|
|
auth:
|
|
enable_named_client_keys: true
|
|
storage:
|
|
sqlite_path: "{db_path}"
|
|
""",
|
|
)
|
|
app = create_app(config_path)
|
|
raw_key = "gh_test_named"
|
|
app.state.registry.create_client_key(
|
|
key_id="ck_named",
|
|
key_hash=hash_api_key(raw_key, secret="test-secret"),
|
|
display_name="Named User",
|
|
principal_type="person",
|
|
principal_ref="named-user",
|
|
role="developer",
|
|
allowed_models=["archive_migrator"],
|
|
allowed_operations=["chat"],
|
|
)
|
|
|
|
@app.get("/_test/client-context")
|
|
async def client_context(request: Request, _=Depends(require_client_auth)) -> dict:
|
|
context = request.state.client_context
|
|
return {
|
|
"auth_kind": context.auth_kind,
|
|
"key_id": context.key_id,
|
|
"principal_ref": context.principal_ref,
|
|
"allowed_models": list(context.allowed_models),
|
|
"allowed_operations": list(context.allowed_operations),
|
|
}
|
|
|
|
client = TestClient(app)
|
|
|
|
missing = client.get("/_test/client-context")
|
|
assert missing.status_code == 401
|
|
|
|
bad = client.get("/_test/client-context", headers={"X-Api-Key": "wrong"})
|
|
assert bad.status_code == 401
|
|
|
|
ok = client.get("/_test/client-context", headers={"X-Api-Key": raw_key})
|
|
assert ok.status_code == 200
|
|
assert ok.json() == {
|
|
"auth_kind": "named",
|
|
"key_id": "ck_named",
|
|
"principal_ref": "named-user",
|
|
"allowed_models": ["archive_migrator"],
|
|
"allowed_operations": ["chat"],
|
|
}
|
|
touched = app.state.registry.get_client_key("ck_named")
|
|
assert touched is not None
|
|
assert touched["last_used_at"] is not None
|
|
|
|
|
|
def test_disabled_named_client_key_fails(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
|
|
monkeypatch.setenv("GENIEHIVE_KEY_HASH_SECRET", "test-secret")
|
|
db_path = tmp_path / "geniehive.sqlite3"
|
|
config_path = _write_config(
|
|
tmp_path,
|
|
f"""
|
|
auth:
|
|
enable_named_client_keys: true
|
|
storage:
|
|
sqlite_path: "{db_path}"
|
|
""",
|
|
)
|
|
app = create_app(config_path)
|
|
raw_key = "gh_test_disabled"
|
|
app.state.registry.create_client_key(
|
|
key_id="ck_disabled",
|
|
key_hash=hash_api_key(raw_key, secret="test-secret"),
|
|
display_name="Disabled User",
|
|
principal_type="person",
|
|
principal_ref="disabled-user",
|
|
enabled=False,
|
|
)
|
|
client = TestClient(app)
|
|
|
|
response = client.get("/v1/models", headers={"X-Api-Key": raw_key})
|
|
assert response.status_code == 401
|