7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
300 lines
10 KiB
Python
300 lines
10 KiB
Python
"""
|
|
HTTP behavioral tests for encrypted DB password check at research start.
|
|
|
|
Verifies that /api/start_research returns 401 when the encrypted DB
|
|
password is unavailable, and that the check happens BEFORE creating
|
|
database records (no orphaned IN_PROGRESS rows).
|
|
"""
|
|
|
|
from contextlib import contextmanager
|
|
from unittest.mock import Mock, patch
|
|
|
|
from flask import Flask, jsonify
|
|
|
|
from local_deep_research.followup_research.routes import followup_bp
|
|
from local_deep_research.web.auth.routes import auth_bp
|
|
from local_deep_research.web.routes.research_routes import research_bp
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Test Infrastructure
|
|
# ---------------------------------------------------------------------------
|
|
|
|
_ROUTES_MOD = "local_deep_research.web.routes.research_routes"
|
|
|
|
|
|
def _create_test_app():
|
|
"""Create Flask app with auth + research blueprints."""
|
|
app = Flask(__name__)
|
|
app.config["SECRET_KEY"] = "test-secret"
|
|
app.config["WTF_CSRF_ENABLED"] = False
|
|
app.register_blueprint(auth_bp)
|
|
app.register_blueprint(research_bp)
|
|
|
|
@app.errorhandler(500)
|
|
def _handle_500(error):
|
|
return jsonify({"error": "Internal server error"}), 500
|
|
|
|
return app
|
|
|
|
|
|
@contextmanager
|
|
def _authenticated_client(app, has_encryption=False, password_available=True):
|
|
"""Provide test client with mocked auth, DB session, and settings."""
|
|
mock_db = Mock()
|
|
mock_db.connections = {"testuser": True}
|
|
mock_db.has_encryption = has_encryption
|
|
|
|
# Chainable mock query
|
|
_mock_query = Mock()
|
|
_mock_query.all.return_value = []
|
|
_mock_query.first.return_value = None
|
|
_mock_query.count.return_value = 0
|
|
_mock_query.scalar.return_value = 0
|
|
_mock_query.filter_by.return_value = _mock_query
|
|
_mock_query.filter.return_value = _mock_query
|
|
_mock_query.order_by.return_value = _mock_query
|
|
_mock_query.limit.return_value = _mock_query
|
|
|
|
_mock_db_session = Mock()
|
|
_mock_db_session.query.return_value = _mock_query
|
|
|
|
@contextmanager
|
|
def _fake_session(*args, **kwargs):
|
|
yield _mock_db_session
|
|
|
|
# Mock session password store
|
|
mock_password_store = Mock()
|
|
if password_available:
|
|
mock_password_store.get_session_password.return_value = "test-password"
|
|
else:
|
|
mock_password_store.get_session_password.return_value = None
|
|
|
|
# Mock SettingsManager
|
|
mock_settings_manager = Mock()
|
|
mock_settings_manager.get_setting.side_effect = lambda key, default=None: {
|
|
"llm.provider": "OLLAMA",
|
|
"llm.model": "test-model",
|
|
"search.tool": "searxng",
|
|
"search.iterations": 5,
|
|
"search.questions_per_iteration": 5,
|
|
"search.search_strategy": "source-based",
|
|
"app.max_concurrent_researches": 3,
|
|
}.get(key, default)
|
|
mock_settings_manager.get_all_settings.return_value = {}
|
|
|
|
# Mock start_research_process to avoid actually starting threads
|
|
mock_start = Mock()
|
|
mock_start.return_value = Mock() # mock thread
|
|
|
|
# Mock SettingsManager constructor to return our mock
|
|
mock_settings_cls = Mock(return_value=mock_settings_manager)
|
|
|
|
patches = [
|
|
patch("local_deep_research.web.auth.decorators.db_manager", mock_db),
|
|
# The guard reads has_encryption via the shared resolve_user_password
|
|
# helper, which imports db_manager from encrypted_db (not the route
|
|
# module). Patch it at the source so the real get_user_password chain
|
|
# (session_password_store, patched below) still drives the result.
|
|
patch("local_deep_research.database.encrypted_db.db_manager", mock_db),
|
|
patch(
|
|
f"{_ROUTES_MOD}.get_user_db_session",
|
|
side_effect=_fake_session,
|
|
),
|
|
patch(
|
|
f"{_ROUTES_MOD}.start_research_process",
|
|
mock_start,
|
|
),
|
|
patch(
|
|
"local_deep_research.database.session_passwords.session_password_store",
|
|
mock_password_store,
|
|
),
|
|
patch(
|
|
"local_deep_research.settings.manager.SettingsManager",
|
|
mock_settings_cls,
|
|
),
|
|
patch(
|
|
"local_deep_research.settings.SettingsManager",
|
|
mock_settings_cls,
|
|
),
|
|
]
|
|
|
|
try:
|
|
for p in patches:
|
|
p.start()
|
|
with app.test_client() as client:
|
|
with client.session_transaction() as sess:
|
|
sess["username"] = "testuser"
|
|
sess["session_id"] = "test-session-id"
|
|
yield client, mock_start, _mock_db_session
|
|
finally:
|
|
for p in reversed(patches):
|
|
p.stop()
|
|
|
|
|
|
def _post_start_research(client):
|
|
"""POST a minimal research request."""
|
|
return client.post(
|
|
"/api/start_research",
|
|
json={
|
|
"query": "test query",
|
|
"mode": "quick",
|
|
"model_provider": "OLLAMA",
|
|
"model": "test-model",
|
|
},
|
|
content_type="application/json",
|
|
)
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Tests
|
|
# ---------------------------------------------------------------------------
|
|
|
|
|
|
class TestEncryptedDbPasswordCheck:
|
|
"""Verify encrypted DB password check at /api/start_research."""
|
|
|
|
def test_encrypted_db_no_password_returns_401(self):
|
|
"""Encrypted DB + no password → 401 with session expired message."""
|
|
app = _create_test_app()
|
|
with _authenticated_client(
|
|
app, has_encryption=True, password_available=False
|
|
) as (client, mock_start, mock_db_session):
|
|
resp = _post_start_research(client)
|
|
assert resp.status_code == 401
|
|
data = resp.get_json()
|
|
assert "session has expired" in data["message"].lower()
|
|
# Research should NOT have been started
|
|
mock_start.assert_not_called()
|
|
# No DB record should have been created (core guarantee)
|
|
mock_db_session.add.assert_not_called()
|
|
|
|
def test_encrypted_db_with_password_does_not_return_401(self):
|
|
"""Encrypted DB + password available → should NOT return 401."""
|
|
app = _create_test_app()
|
|
with _authenticated_client(
|
|
app, has_encryption=True, password_available=True
|
|
) as (client, _mock_start, _mock_db_session):
|
|
resp = _post_start_research(client)
|
|
# 500 is expected from incomplete mocking (settings snapshot);
|
|
# the key assertion is that the password check passed (not 401).
|
|
assert resp.status_code in (200, 500)
|
|
|
|
def test_unencrypted_db_no_password_does_not_return_401(
|
|
self,
|
|
): # DevSkim: ignore DS101155 - testing DB encryption flag, not TLS certificates
|
|
"""Unencrypted DB + no password → should NOT return 401 (warning only)."""
|
|
app = _create_test_app()
|
|
with _authenticated_client(
|
|
app, has_encryption=False, password_available=False
|
|
) as (client, _mock_start, _mock_db_session):
|
|
resp = _post_start_research(client)
|
|
assert resp.status_code in (200, 500)
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Follow-up route tests
|
|
# ---------------------------------------------------------------------------
|
|
|
|
_FOLLOWUP_MOD = "local_deep_research.followup_research.routes"
|
|
|
|
|
|
def _create_followup_test_app():
|
|
"""Create Flask app with auth + followup blueprints."""
|
|
app = Flask(__name__)
|
|
app.config["SECRET_KEY"] = "test-secret"
|
|
app.config["WTF_CSRF_ENABLED"] = False
|
|
app.register_blueprint(auth_bp)
|
|
app.register_blueprint(followup_bp)
|
|
|
|
@app.errorhandler(500)
|
|
def _handle_500(error):
|
|
return jsonify({"error": "Internal server error"}), 500
|
|
|
|
return app
|
|
|
|
|
|
@contextmanager
|
|
def _authenticated_followup_client(
|
|
app, has_encryption=False, password_available=True
|
|
):
|
|
"""Provide test client with mocked auth and followup dependencies."""
|
|
mock_db = Mock()
|
|
mock_db.connections = {"testuser": True}
|
|
mock_db.has_encryption = has_encryption
|
|
|
|
_mock_db_session = Mock()
|
|
|
|
@contextmanager
|
|
def _fake_session(*args, **kwargs):
|
|
yield _mock_db_session
|
|
|
|
mock_password_store = Mock()
|
|
if password_available:
|
|
mock_password_store.get_session_password.return_value = "test-password"
|
|
else:
|
|
mock_password_store.get_session_password.return_value = None
|
|
|
|
mock_settings_manager = Mock()
|
|
mock_settings_manager.get_all_settings.return_value = {}
|
|
mock_settings_cls = Mock(return_value=mock_settings_manager)
|
|
|
|
patches = [
|
|
patch("local_deep_research.web.auth.decorators.db_manager", mock_db),
|
|
patch("local_deep_research.database.encrypted_db.db_manager", mock_db),
|
|
patch(
|
|
"local_deep_research.database.session_passwords.session_password_store",
|
|
mock_password_store,
|
|
),
|
|
patch(
|
|
"local_deep_research.database.session_context.get_user_db_session",
|
|
side_effect=_fake_session,
|
|
),
|
|
patch(
|
|
"local_deep_research.settings.manager.SettingsManager",
|
|
mock_settings_cls,
|
|
),
|
|
]
|
|
|
|
try:
|
|
for p in patches:
|
|
p.start()
|
|
with app.test_client() as client:
|
|
with client.session_transaction() as sess:
|
|
sess["username"] = "testuser"
|
|
sess["session_id"] = "test-session-id"
|
|
yield client, _mock_db_session
|
|
finally:
|
|
for p in reversed(patches):
|
|
p.stop()
|
|
|
|
|
|
def _post_followup_start(client):
|
|
"""POST a minimal followup start request."""
|
|
return client.post(
|
|
"/api/followup/start",
|
|
json={
|
|
"parent_research_id": "fake-parent-id",
|
|
"question": "follow-up question",
|
|
},
|
|
content_type="application/json",
|
|
)
|
|
|
|
|
|
class TestFollowupEncryptedDbPasswordCheck:
|
|
"""Verify encrypted DB password check at /api/followup/start."""
|
|
|
|
def test_encrypted_db_no_password_returns_401(self):
|
|
"""Encrypted DB + no password → 401 on followup start."""
|
|
app = _create_followup_test_app()
|
|
with _authenticated_followup_client(
|
|
app, has_encryption=True, password_available=False
|
|
) as (client, mock_db_session):
|
|
resp = _post_followup_start(client)
|
|
assert resp.status_code == 401
|
|
data = resp.get_json()
|
|
assert data["success"] is False
|
|
assert "session has expired" in data["error"].lower()
|
|
# No DB record should have been created
|
|
mock_db_session.add.assert_not_called()
|