7a0da7932b
Backwards Compatibility / Verify Encryption Constants (push) Waiting to run
Backwards Compatibility / PyPI Version Compatibility (push) Waiting to run
Backwards Compatibility / Database Migration Tests (push) Waiting to run
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
CodeQL Advanced / Analyze (python) (push) Waiting to run
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Blocked by required conditions
Docker Tests (Consolidated) / detect-changes (push) Waiting to run
Docker Tests (Consolidated) / Build Test Image (push) Waiting to run
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Blocked by required conditions
Docker Tests (Consolidated) / Accessibility Tests (push) Blocked by required conditions
Docker Tests (Consolidated) / LLM Unit Tests (push) Blocked by required conditions
Docker Tests (Consolidated) / LLM Example Tests (push) Blocked by required conditions
Docker Tests (Consolidated) / Production Image Smoke Test (push) Blocked by required conditions
Docker Tests (Consolidated) / Infrastructure Tests (push) Blocked by required conditions
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Waiting to run
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
329 lines
12 KiB
Python
329 lines
12 KiB
Python
"""
|
|
Authentication Security Tests
|
|
|
|
Tests that verify authentication mechanisms are secure, including
|
|
password storage, session management, and access control.
|
|
"""
|
|
|
|
import pytest
|
|
from tests.test_utils import add_src_to_path
|
|
|
|
add_src_to_path()
|
|
|
|
|
|
class TestPasswordSecurity:
|
|
"""Test password security and hashing."""
|
|
|
|
@pytest.mark.skip(reason="documentation/placeholder test - not implemented")
|
|
def test_password_hashing_uses_secure_algorithm(self):
|
|
"""
|
|
Test that passwords are hashed using a secure algorithm.
|
|
LDR uses SQLCipher encryption for user databases.
|
|
"""
|
|
# LDR uses SQLCipher with user password as encryption key
|
|
# This means the password is used to encrypt the database
|
|
# Not stored as a hash, but used for encryption
|
|
|
|
# Verify that password is not stored in plaintext
|
|
# Verify that database encryption key derivation is secure
|
|
assert True # Documentation test - SQLCipher handles this
|
|
|
|
@pytest.mark.skip(reason="documentation/placeholder test - not implemented")
|
|
def test_password_minimum_requirements(self):
|
|
"""Test that password requirements are enforced (if applicable)."""
|
|
# Password requirements to consider:
|
|
# - Minimum length (e.g., 8-12 characters)
|
|
# - Complexity (uppercase, lowercase, numbers, symbols)
|
|
# - No common passwords
|
|
# - No username in password
|
|
|
|
# For local self-hosted tool, strict requirements may be optional
|
|
# User is responsible for their own security
|
|
|
|
# This is a documentation test for password policy
|
|
pass
|
|
|
|
@pytest.mark.skip(reason="documentation/placeholder test - not implemented")
|
|
def test_password_not_logged(self):
|
|
"""Test that passwords are never logged or exposed in errors."""
|
|
# Passwords should never appear in:
|
|
# - Log files
|
|
# - Error messages
|
|
# - Debug output
|
|
# - Stack traces
|
|
|
|
# This is a security best practice
|
|
assert True # Documentation test
|
|
|
|
@pytest.mark.skip(reason="documentation/placeholder test - not implemented")
|
|
def test_timing_attack_resistance(self):
|
|
"""
|
|
Test that authentication timing is constant to prevent timing attacks.
|
|
|
|
Timing attacks:
|
|
- Attacker measures response time to guess valid usernames
|
|
- Fast response: "User doesn't exist"
|
|
- Slow response: "User exists, wrong password"
|
|
|
|
Protection:
|
|
- Constant-time password comparison
|
|
- Same processing time for valid/invalid users
|
|
"""
|
|
# Most password hashing libraries (bcrypt, argon2) are timing-safe
|
|
# SQLCipher should provide timing-safe comparison
|
|
|
|
assert True # Documentation test
|
|
|
|
|
|
class TestSessionSecurity:
|
|
"""Test session management security."""
|
|
|
|
@pytest.fixture
|
|
def client(self):
|
|
"""Create a test client."""
|
|
from local_deep_research.web.app import create_app
|
|
|
|
app, _ = create_app() # Unpack tuple (app, socket_service)
|
|
app.config["TESTING"] = True
|
|
app.config["SECRET_KEY"] = "test-secret-key"
|
|
app.config["WTF_CSRF_ENABLED"] = False
|
|
return app.test_client()
|
|
|
|
@pytest.mark.skip(reason="documentation/placeholder test - not implemented")
|
|
def test_session_expiration(self, client):
|
|
"""Test that sessions expire appropriately."""
|
|
# Sessions should:
|
|
# - Expire after inactivity timeout
|
|
# - Have absolute maximum lifetime
|
|
# - Be invalidated on logout
|
|
|
|
# This prevents:
|
|
# - Session hijacking
|
|
# - Unauthorized access from old sessions
|
|
# - Session fixation attacks
|
|
|
|
pass # Placeholder - implementation depends on session manager
|
|
|
|
@pytest.mark.skip(reason="documentation/placeholder test - not implemented")
|
|
def test_session_regeneration_on_login(self):
|
|
"""Test that session ID is regenerated after login."""
|
|
# Session fixation attack prevention:
|
|
# 1. Attacker sets victim's session ID
|
|
# 2. Victim logs in with that session ID
|
|
# 3. Attacker uses same session ID to access victim's account
|
|
|
|
# Protection: Regenerate session ID after authentication
|
|
# Flask does this automatically on session modification
|
|
|
|
assert True # Documentation test
|
|
|
|
def test_logout_invalidates_session(self, client):
|
|
"""Test that logout completely invalidates the session."""
|
|
# Logout should:
|
|
# 1. Clear session data
|
|
# 2. Invalidate session token
|
|
# 3. Clear session cookies
|
|
# 4. Redirect to login page
|
|
|
|
# Test logout endpoint
|
|
response = client.post("/auth/logout")
|
|
assert response.status_code == 302, response.status_code
|
|
|
|
# After logout, protected pages should require re-authentication
|
|
# This is tested in access control tests
|
|
|
|
@pytest.mark.skip(reason="documentation/placeholder test - not implemented")
|
|
def test_concurrent_session_handling(self):
|
|
"""Test handling of concurrent sessions."""
|
|
# Concurrent session scenarios:
|
|
# - User logs in from multiple devices
|
|
# - User logs in from multiple browsers
|
|
# - Old session while new session active
|
|
|
|
# Options:
|
|
# 1. Allow multiple sessions (lower security, better UX)
|
|
# 2. Invalidate old session on new login (higher security)
|
|
# 3. Limit number of concurrent sessions
|
|
|
|
# For local tool, multiple sessions may be acceptable
|
|
assert True # Documentation test
|
|
|
|
|
|
class TestAccessControl:
|
|
"""Test access control and authorization."""
|
|
|
|
@pytest.fixture
|
|
def client(self):
|
|
"""Create a test client."""
|
|
from local_deep_research.web.app import create_app
|
|
|
|
app, _ = create_app() # Unpack tuple (app, socket_service)
|
|
app.config["TESTING"] = True
|
|
return app.test_client()
|
|
|
|
def test_unauthenticated_access_blocked(self, client):
|
|
"""Test that protected resources require authentication."""
|
|
# Protected pages that should redirect to login:
|
|
# - Research pages
|
|
# - Settings pages
|
|
# - User data pages
|
|
|
|
# Public pages that don't require auth:
|
|
# - Login page
|
|
# - Registration page (if enabled)
|
|
# - Health check endpoint
|
|
|
|
# Test accessing protected resource without auth
|
|
protected_endpoints = [
|
|
"/research",
|
|
"/settings",
|
|
"/api/v1/research",
|
|
]
|
|
|
|
for endpoint in protected_endpoints:
|
|
response = client.get(endpoint)
|
|
# Should be one of the auth-block codes:
|
|
# 302 Redirect to login, 401 Unauthorized, 403 Forbidden,
|
|
# 404 Not Found (route hidden behind decorator).
|
|
# MUST NOT be 200 — that would mean the endpoint is reachable
|
|
# without authentication.
|
|
assert response.status_code in {302, 401, 403, 404}, (
|
|
f"{endpoint} returned {response.status_code} without auth"
|
|
)
|
|
|
|
@pytest.mark.skip(reason="documentation/placeholder test - not implemented")
|
|
def test_authentication_required_decorator(self):
|
|
"""Test that @login_required decorator is used on protected routes."""
|
|
# Flask routes should use authentication decorators:
|
|
# - @login_required for authenticated routes
|
|
# - Session validation on each request
|
|
|
|
# This is enforced through code review and testing
|
|
assert True # Documentation test
|
|
|
|
@pytest.mark.skip(reason="documentation/placeholder test - not implemented")
|
|
def test_authorization_vs_authentication(self):
|
|
"""
|
|
Clarify difference between authentication and authorization.
|
|
|
|
Authentication: Verifying user identity (who you are)
|
|
- Login with username/password
|
|
- Session token validation
|
|
- User exists and credentials correct
|
|
|
|
Authorization: Verifying user permissions (what you can do)
|
|
- Can this user access this resource?
|
|
- Does user have required role/permissions?
|
|
- Resource ownership validation
|
|
|
|
For single-user LDR instance, authorization is simpler
|
|
(authenticated user has full access to their own data)
|
|
|
|
For multi-user deployments, authorization becomes critical.
|
|
"""
|
|
assert True # Documentation test
|
|
|
|
@pytest.mark.skip(reason="documentation/placeholder test - not implemented")
|
|
def test_user_data_isolation(self):
|
|
"""Test that users can only access their own data."""
|
|
# In multi-user scenario:
|
|
# - User A should not access User B's research
|
|
# - Database queries should filter by user
|
|
# - User-specific encryption (SQLCipher per-user databases)
|
|
|
|
# LDR uses per-user encrypted databases
|
|
# This provides strong data isolation
|
|
|
|
assert True # Documentation test
|
|
|
|
|
|
class TestAuthenticationEdgeCases:
|
|
"""Test edge cases and attack scenarios."""
|
|
|
|
@pytest.fixture
|
|
def client(self):
|
|
"""Create a test client."""
|
|
from local_deep_research.web.app import create_app
|
|
|
|
app, _ = create_app() # Unpack tuple (app, socket_service)
|
|
app.config["TESTING"] = True
|
|
app.config["WTF_CSRF_ENABLED"] = False
|
|
return app.test_client()
|
|
|
|
def test_sql_injection_in_authentication(self, client):
|
|
"""Test that authentication is protected against SQL injection."""
|
|
# SQL injection in login form
|
|
sql_injection_usernames = [
|
|
"admin' OR '1'='1",
|
|
"admin'--",
|
|
"' OR '1'='1'--",
|
|
"admin' OR 1=1--",
|
|
]
|
|
|
|
for username in sql_injection_usernames:
|
|
response = client.post(
|
|
"/auth/login",
|
|
data={"username": username, "password": "anything"},
|
|
)
|
|
# Should not authenticate with SQL injection
|
|
assert response.status_code == 401, response.status_code
|
|
|
|
def test_empty_credentials_handling(self, client):
|
|
"""Test that empty username/password are rejected."""
|
|
# Empty username
|
|
response1 = client.post(
|
|
"/auth/login",
|
|
data={"username": "", "password": "password"},
|
|
)
|
|
assert response1.status_code in [400, 401]
|
|
|
|
# Empty password
|
|
response2 = client.post(
|
|
"/auth/login",
|
|
data={"username": "admin", "password": ""},
|
|
)
|
|
assert response2.status_code in [400, 401]
|
|
|
|
# Both empty
|
|
response3 = client.post(
|
|
"/auth/login",
|
|
data={"username": "", "password": ""},
|
|
)
|
|
assert response3.status_code in [400, 401]
|
|
|
|
|
|
@pytest.mark.skip(reason="documentation/placeholder test - not implemented")
|
|
def test_authentication_security_documentation():
|
|
"""
|
|
Documentation test for authentication security in LDR.
|
|
|
|
Authentication Architecture:
|
|
- SQLCipher encrypted per-user databases
|
|
- User password = database encryption key
|
|
- No centralized user authentication database
|
|
- Each user has their own encrypted database
|
|
|
|
Security Properties:
|
|
- Strong encryption (SQLCipher)
|
|
- Password not stored, used as encryption key
|
|
- Data at rest encryption
|
|
- User data isolation (separate databases)
|
|
|
|
Threat Model:
|
|
- Low risk for local single-user deployment
|
|
- Medium risk if deployed as multi-user service
|
|
- High risk if exposed to internet without additional protection
|
|
|
|
Additional Security Measures:
|
|
- HTTPS for production deployment
|
|
- Firewall/VPN for remote access
|
|
- Backup encryption
|
|
- Secure key derivation (SQLCipher built-in)
|
|
|
|
Not Applicable (due to architecture):
|
|
- Password hashing/salting (password IS the encryption key)
|
|
- Centralized user management
|
|
- OAuth/SSO integration
|
|
"""
|
|
assert True # Documentation test
|