|
| 1 | +"""API-key scope enforcement across the v2 API (issue #717 / P0.6). |
| 2 | +
|
| 3 | +Before this, every v2 router mounted a blanket ``require_auth`` that proved |
| 4 | +*authentication* only — a read-scoped key could POST/PUT/DELETE and even store |
| 5 | +credentials or merge PRs. Now: |
| 6 | +
|
| 7 | +- safe methods (GET) need ``read`` |
| 8 | +- mutating methods (POST/PUT/PATCH/DELETE) need ``write`` |
| 9 | +- credential storage/deletion and PR-merge need ``admin`` |
| 10 | +
|
| 11 | +JWT principals and the auth-disabled synthetic principal carry all scopes, so |
| 12 | +this only constrains scoped API keys. |
| 13 | +""" |
| 14 | + |
| 15 | +import importlib |
| 16 | + |
| 17 | +import pytest |
| 18 | +from fastapi.testclient import TestClient |
| 19 | + |
| 20 | +from codeframe.auth.api_keys import SCOPE_READ, SCOPE_WRITE, SCOPE_ADMIN |
| 21 | +from codeframe.auth.manager import reset_auth_engine |
| 22 | +from codeframe.core.api_key_service import ApiKeyService |
| 23 | +from codeframe.platform_store.database import Database |
| 24 | + |
| 25 | +pytestmark = pytest.mark.v2 |
| 26 | + |
| 27 | + |
| 28 | +@pytest.fixture |
| 29 | +def scoped_app(tmp_path, monkeypatch): |
| 30 | + """Real server app with auth ON and three API keys (read/write/admin).""" |
| 31 | + db_path = tmp_path / "state.db" |
| 32 | + monkeypatch.setenv("DATABASE_PATH", str(db_path)) |
| 33 | + monkeypatch.setenv("CODEFRAME_AUTH_REQUIRED", "true") |
| 34 | + reset_auth_engine() |
| 35 | + |
| 36 | + db = Database(db_path) |
| 37 | + db.initialize() |
| 38 | + db.conn.execute( |
| 39 | + """ |
| 40 | + INSERT OR REPLACE INTO users ( |
| 41 | + id, email, name, hashed_password, |
| 42 | + is_active, is_superuser, is_verified, email_verified |
| 43 | + ) VALUES (1, 'test@example.com', 'Test', '!DISABLED!', 1, 0, 1, 1) |
| 44 | + """ |
| 45 | + ) |
| 46 | + db.conn.commit() |
| 47 | + |
| 48 | + svc = ApiKeyService(db) |
| 49 | + keys = { |
| 50 | + "read": svc.create_api_key(user_id=1, name="r", scopes=[SCOPE_READ]).key, |
| 51 | + "write": svc.create_api_key(user_id=1, name="w", scopes=[SCOPE_READ, SCOPE_WRITE]).key, |
| 52 | + "admin": svc.create_api_key(user_id=1, name="a", scopes=[SCOPE_ADMIN]).key, |
| 53 | + } |
| 54 | + db.close() |
| 55 | + |
| 56 | + from codeframe.ui import server |
| 57 | + |
| 58 | + importlib.reload(server) |
| 59 | + yield server.app, keys |
| 60 | + reset_auth_engine() |
| 61 | + |
| 62 | + |
| 63 | +def _hdr(key: str) -> dict: |
| 64 | + return {"X-API-Key": key} |
| 65 | + |
| 66 | + |
| 67 | +class TestMethodScope: |
| 68 | + def test_read_key_allowed_on_get(self, scoped_app): |
| 69 | + app, keys = scoped_app |
| 70 | + r = TestClient(app).get("/api/v2/settings", headers=_hdr(keys["read"])) |
| 71 | + assert r.status_code != 403 # read scope satisfies a GET |
| 72 | + assert r.status_code != 401 |
| 73 | + |
| 74 | + def test_read_key_forbidden_on_write(self, scoped_app): |
| 75 | + app, keys = scoped_app |
| 76 | + # PUT /api/v2/settings mutates → needs write; read key must 403 before |
| 77 | + # any body validation (router-level dependency fires first). |
| 78 | + r = TestClient(app).put("/api/v2/settings", headers=_hdr(keys["read"]), json={}) |
| 79 | + assert r.status_code == 403 |
| 80 | + |
| 81 | + def test_write_key_allowed_on_write(self, scoped_app): |
| 82 | + app, keys = scoped_app |
| 83 | + r = TestClient(app).put("/api/v2/settings", headers=_hdr(keys["write"]), json={}) |
| 84 | + assert r.status_code != 403 # write scope passes the method guard |
| 85 | + assert r.status_code != 401 |
| 86 | + |
| 87 | + |
| 88 | +class TestAdminScope: |
| 89 | + def test_read_key_forbidden_on_credential_storage(self, scoped_app): |
| 90 | + app, keys = scoped_app |
| 91 | + r = TestClient(app).put( |
| 92 | + "/api/v2/settings/keys/openai", headers=_hdr(keys["read"]), json={"value": "sk-x"} |
| 93 | + ) |
| 94 | + assert r.status_code == 403 |
| 95 | + |
| 96 | + def test_write_key_forbidden_on_credential_storage(self, scoped_app): |
| 97 | + app, keys = scoped_app |
| 98 | + # write is not enough — credential storage is admin-only. |
| 99 | + r = TestClient(app).put( |
| 100 | + "/api/v2/settings/keys/openai", headers=_hdr(keys["write"]), json={"value": "sk-x"} |
| 101 | + ) |
| 102 | + assert r.status_code == 403 |
| 103 | + |
| 104 | + def test_admin_key_allowed_on_credential_storage(self, scoped_app): |
| 105 | + app, keys = scoped_app |
| 106 | + r = TestClient(app).put( |
| 107 | + "/api/v2/settings/keys/openai", headers=_hdr(keys["admin"]), json={"value": "sk-x"} |
| 108 | + ) |
| 109 | + # admin passes the scope gate; may 400 on value format, but never 403. |
| 110 | + assert r.status_code != 403 |
| 111 | + assert r.status_code != 401 |
| 112 | + |
| 113 | + def test_write_key_forbidden_on_pr_merge(self, scoped_app): |
| 114 | + app, keys = scoped_app |
| 115 | + r = TestClient(app).post( |
| 116 | + "/api/v2/pr/1/merge", headers=_hdr(keys["write"]), json={} |
| 117 | + ) |
| 118 | + assert r.status_code == 403 |
| 119 | + |
| 120 | + def test_admin_key_allowed_on_pr_merge(self, scoped_app): |
| 121 | + app, keys = scoped_app |
| 122 | + r = TestClient(app).post( |
| 123 | + "/api/v2/pr/1/merge", headers=_hdr(keys["admin"]), json={} |
| 124 | + ) |
| 125 | + # admin passes the scope gate; may 400/404/422 on body/logic, never 403. |
| 126 | + assert r.status_code != 403 |
| 127 | + assert r.status_code != 401 |
| 128 | + |
| 129 | + |
| 130 | +class TestPatchIsMutating: |
| 131 | + def test_read_key_forbidden_on_patch(self, scoped_app): |
| 132 | + app, keys = scoped_app |
| 133 | + # PATCH is not a safe method → needs write; a read key must 403. |
| 134 | + r = TestClient(app).patch( |
| 135 | + "/api/v2/tasks/abc", headers=_hdr(keys["read"]), json={} |
| 136 | + ) |
| 137 | + assert r.status_code == 403 |
0 commit comments