Files
wehub-resource-sync 7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:08:55 +08:00

253 lines
9.6 KiB
Python

"""Tests for get_user_password fallback chain in password_utils."""
from unittest.mock import MagicMock, patch
import flask
from local_deep_research.web.auth.password_utils import (
get_user_password,
resolve_user_password,
)
MODULE = "local_deep_research.web.auth.password_utils"
DB_MANAGER = "local_deep_research.database.encrypted_db.db_manager"
class TestGetUserPassword:
"""Tests for the 3-source fallback chain in get_user_password."""
def test_returns_password_from_session_store(self):
"""Path 1: session_password_store has a password for the user."""
app = flask.Flask(__name__)
with app.test_request_context():
mock_store = MagicMock()
mock_store.get_session_password.return_value = "stored_pass"
with (
patch(f"{MODULE}.session", {"session_id": "sid123"}),
patch(
f"{MODULE}.session_password_store",
mock_store,
create=True,
),
patch(
"local_deep_research.database.session_passwords.session_password_store",
mock_store,
),
):
result = get_user_password("alice")
assert result == "stored_pass"
mock_store.get_session_password.assert_called_once_with(
"alice", "sid123"
)
def test_returns_password_from_flask_g(self):
"""Path 2: no session password, but g.user_password is set."""
app = flask.Flask(__name__)
with app.test_request_context():
mock_store = MagicMock()
mock_store.get_session_password.return_value = None
with (
patch(f"{MODULE}.session", {"session_id": "sid1"}),
patch(
f"{MODULE}.session_password_store",
mock_store,
create=True,
),
patch(
"local_deep_research.database.session_passwords.session_password_store",
mock_store,
),
patch(f"{MODULE}.g") as mock_g,
):
mock_g.user_password = "g_password"
# Make getattr work on the mock
type(mock_g).user_password = "g_password"
result = get_user_password("bob")
assert result == "g_password"
def test_returns_password_from_temp_auth_token(self):
"""Path 3: temp_auth_token matches username in temp_auth_store."""
app = flask.Flask(__name__)
with app.test_request_context():
mock_session_store = MagicMock()
mock_session_store.get_session_password.return_value = None
mock_temp_store = MagicMock()
mock_temp_store.peek_auth.return_value = ("carol", "temp_pass")
mock_session = MagicMock()
mock_session.get.side_effect = lambda k, *a: {
"session_id": "sid2",
"temp_auth_token": "tok42",
}.get(k, *a)
with (
patch(f"{MODULE}.session", mock_session),
patch(
f"{MODULE}.session_password_store",
mock_session_store,
create=True,
),
patch(
"local_deep_research.database.session_passwords.session_password_store",
mock_session_store,
),
patch(f"{MODULE}.g") as mock_g,
patch(
"local_deep_research.database.temp_auth.temp_auth_store",
mock_temp_store,
),
):
mock_g.user_password = None
type(mock_g).user_password = None
result = get_user_password("carol")
assert result == "temp_pass"
mock_temp_store.peek_auth.assert_called_once_with("tok42")
def test_returns_none_when_nothing_found(self):
"""Path 4: none of the sources have a password."""
app = flask.Flask(__name__)
with app.test_request_context():
mock_session_store = MagicMock()
mock_session_store.get_session_password.return_value = None
mock_temp_store = MagicMock()
mock_temp_store.peek_auth.return_value = None
mock_session = MagicMock()
mock_session.get.side_effect = lambda k, *a: {
"session_id": "sid3",
"temp_auth_token": "tok99",
}.get(k, *a)
with (
patch(f"{MODULE}.session", mock_session),
patch(
f"{MODULE}.session_password_store",
mock_session_store,
create=True,
),
patch(
"local_deep_research.database.session_passwords.session_password_store",
mock_session_store,
),
patch(f"{MODULE}.g") as mock_g,
patch(
"local_deep_research.database.temp_auth.temp_auth_store",
mock_temp_store,
),
):
mock_g.user_password = None
type(mock_g).user_password = None
result = get_user_password("dave")
assert result is None
def test_returns_none_when_temp_auth_username_mismatch(self):
"""Path 5: temp_auth_token exists but username doesn't match."""
app = flask.Flask(__name__)
with app.test_request_context():
mock_session_store = MagicMock()
mock_session_store.get_session_password.return_value = None
mock_temp_store = MagicMock()
# Token belongs to "other_user", not "eve"
mock_temp_store.peek_auth.return_value = (
"other_user",
"some_pass",
)
mock_session = MagicMock()
mock_session.get.side_effect = lambda k, *a: {
"session_id": "sid4",
"temp_auth_token": "tok77",
}.get(k, *a)
with (
patch(f"{MODULE}.session", mock_session),
patch(
f"{MODULE}.session_password_store",
mock_session_store,
create=True,
),
patch(
"local_deep_research.database.session_passwords.session_password_store",
mock_session_store,
),
patch(f"{MODULE}.g") as mock_g,
patch(
"local_deep_research.database.temp_auth.temp_auth_store",
mock_temp_store,
),
):
mock_g.user_password = None
type(mock_g).user_password = None
result = get_user_password("eve")
assert result is None
def test_no_session_id_skips_session_store(self):
"""Path 6: no session_id so session password store is skipped."""
app = flask.Flask(__name__)
with app.test_request_context():
mock_session_store = MagicMock()
# Should never be called
mock_session_store.get_session_password.return_value = (
"SHOULD_NOT_USE"
)
with (
patch(f"{MODULE}.session", {"session_id": None}),
patch(
f"{MODULE}.session_password_store",
mock_session_store,
create=True,
),
patch(
"local_deep_research.database.session_passwords.session_password_store",
mock_session_store,
),
patch(f"{MODULE}.g") as mock_g,
):
mock_g.user_password = "from_g"
type(mock_g).user_password = "from_g"
result = get_user_password("frank")
assert result == "from_g"
mock_session_store.get_session_password.assert_not_called()
class TestResolveUserPassword:
"""Tests for resolve_user_password, the shared research-entry guard.
Returns (password, session_expired); session_expired is True only when
the DB is encrypted AND no password is available (#4457).
"""
def test_password_present_is_not_expired(self):
"""A real password -> (password, False), regardless of encryption."""
with (
patch(f"{MODULE}.get_user_password", return_value="pw"),
patch(DB_MANAGER) as mock_db,
):
mock_db.has_encryption = True
password, session_expired = resolve_user_password("alice")
assert password == "pw"
assert session_expired is False
def test_no_password_encrypted_is_expired(self):
"""Encrypted DB + no password -> (None, True): caller must reject."""
with (
patch(f"{MODULE}.get_user_password", return_value=None),
patch(DB_MANAGER) as mock_db,
):
mock_db.has_encryption = True
password, session_expired = resolve_user_password("alice")
assert password is None
assert session_expired is True
def test_no_password_unencrypted_is_not_expired(self):
"""Unencrypted DB + no password -> (None, False): caller proceeds."""
with (
patch(f"{MODULE}.get_user_password", return_value=None),
patch(DB_MANAGER) as mock_db,
):
mock_db.has_encryption = False
password, session_expired = resolve_user_password("alice")
assert password is None
assert session_expired is False