b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
159 lines
5.0 KiB
Python
159 lines
5.0 KiB
Python
"""Regression tests for multiplex profile-aware own-policy authorization."""
|
|
|
|
from types import SimpleNamespace
|
|
from unittest.mock import AsyncMock, MagicMock
|
|
|
|
import pytest
|
|
|
|
from gateway.config import GatewayConfig, Platform, PlatformConfig
|
|
from gateway.session import SessionSource
|
|
|
|
|
|
def _clear_auth_env(monkeypatch) -> None:
|
|
for key in (
|
|
"WECOM_ALLOWED_USERS",
|
|
"GATEWAY_ALLOWED_USERS",
|
|
"GATEWAY_ALLOW_ALL_USERS",
|
|
"WECOM_ALLOW_ALL_USERS",
|
|
):
|
|
monkeypatch.delenv(key, raising=False)
|
|
|
|
|
|
def _make_multiplex_runner(monkeypatch):
|
|
"""Runner with default allowlist WeCom and secondary open-policy WeCom."""
|
|
from gateway.run import GatewayRunner
|
|
|
|
_clear_auth_env(monkeypatch)
|
|
|
|
runner = object.__new__(GatewayRunner)
|
|
runner.config = GatewayConfig(multiplex_profiles=True)
|
|
|
|
default_adapter = SimpleNamespace(
|
|
send=AsyncMock(),
|
|
enforces_own_access_policy=True,
|
|
_dm_policy="allowlist",
|
|
_group_policy="pairing",
|
|
)
|
|
secondary_adapter = SimpleNamespace(
|
|
send=AsyncMock(),
|
|
enforces_own_access_policy=True,
|
|
_dm_policy="open",
|
|
_group_policy="open",
|
|
)
|
|
|
|
runner.adapters = {Platform.WECOM: default_adapter}
|
|
runner._profile_adapters = {
|
|
"coder": {Platform.WECOM: secondary_adapter},
|
|
}
|
|
runner.pairing_store = MagicMock()
|
|
runner.pairing_store.is_approved.return_value = False
|
|
return runner, default_adapter, secondary_adapter
|
|
|
|
|
|
def test_secondary_open_policy_not_authorized_by_default_allowlist(monkeypatch):
|
|
"""Secondary-profile open intake must not inherit default allowlist trust."""
|
|
runner, _default_adapter, _secondary_adapter = _make_multiplex_runner(monkeypatch)
|
|
|
|
source = SessionSource(
|
|
platform=Platform.WECOM,
|
|
user_id="attacker",
|
|
chat_id="dm-chat",
|
|
user_name="attacker",
|
|
chat_type="dm",
|
|
profile="coder",
|
|
)
|
|
|
|
assert runner._adapter_dm_policy(Platform.WECOM, profile="coder") == "open"
|
|
assert runner._adapter_dm_policy(Platform.WECOM) == "allowlist"
|
|
assert runner._is_user_authorized(source) is False
|
|
|
|
|
|
def test_default_profile_still_trusts_own_allowlist(monkeypatch):
|
|
"""Default-profile allowlist trust is unchanged when profile is unstamped."""
|
|
runner, _default_adapter, _secondary_adapter = _make_multiplex_runner(monkeypatch)
|
|
|
|
source = SessionSource(
|
|
platform=Platform.WECOM,
|
|
user_id="allowed-user",
|
|
chat_id="dm-chat",
|
|
user_name="allowed-user",
|
|
chat_type="dm",
|
|
profile=None,
|
|
)
|
|
|
|
assert runner._is_user_authorized(source) is True
|
|
|
|
|
|
def test_secondary_allowlist_still_authorized(monkeypatch):
|
|
"""Secondary profile with allowlist policy is trusted on its own adapter."""
|
|
runner, _default_adapter, secondary_adapter = _make_multiplex_runner(monkeypatch)
|
|
secondary_adapter._dm_policy = "allowlist"
|
|
|
|
source = SessionSource(
|
|
platform=Platform.WECOM,
|
|
user_id="allowed-user",
|
|
chat_id="dm-chat",
|
|
user_name="allowed-user",
|
|
chat_type="dm",
|
|
profile="coder",
|
|
)
|
|
|
|
assert runner._is_user_authorized(source) is True
|
|
|
|
|
|
def test_adapter_for_source_resolves_secondary_profile_adapter(monkeypatch):
|
|
"""Ingress adapter lookup must use the stamped profile's adapter map."""
|
|
runner, default_adapter, secondary_adapter = _make_multiplex_runner(monkeypatch)
|
|
|
|
source = SessionSource(
|
|
platform=Platform.WECOM,
|
|
user_id="attacker",
|
|
chat_id="dm-chat",
|
|
user_name="attacker",
|
|
chat_type="dm",
|
|
profile="coder",
|
|
)
|
|
|
|
assert runner._adapter_for_source(source) is secondary_adapter
|
|
assert runner._adapter_for_source(
|
|
SessionSource(
|
|
platform=Platform.WECOM,
|
|
user_id="allowed-user",
|
|
chat_id="dm-chat",
|
|
user_name="allowed-user",
|
|
chat_type="dm",
|
|
profile=None,
|
|
)
|
|
) is default_adapter
|
|
|
|
|
|
def test_secondary_allowlist_dm_behavior_ignores_unauthorized(monkeypatch):
|
|
"""Unauthorized-DM behavior must read the secondary adapter's dm_policy."""
|
|
runner, _default_adapter, secondary_adapter = _make_multiplex_runner(monkeypatch)
|
|
secondary_adapter._dm_policy = "allowlist"
|
|
|
|
assert runner._get_unauthorized_dm_behavior(
|
|
Platform.WECOM,
|
|
profile="coder",
|
|
) == "ignore"
|
|
assert runner._get_unauthorized_dm_behavior(Platform.WECOM) == "ignore"
|
|
|
|
|
|
def test_secondary_open_policy_fails_startup_guard(monkeypatch):
|
|
"""Secondary profiles must pass the same open-policy startup guard."""
|
|
from gateway.run import _own_policy_open_startup_violation
|
|
|
|
_clear_auth_env(monkeypatch)
|
|
|
|
secondary_cfg = GatewayConfig(multiplex_profiles=True)
|
|
secondary_cfg.platforms = {
|
|
Platform.WECOM: PlatformConfig(
|
|
enabled=True,
|
|
extra={"dm_policy": "open"},
|
|
),
|
|
}
|
|
|
|
violation = _own_policy_open_startup_violation(secondary_cfg)
|
|
assert violation is not None
|
|
assert "wecom" in violation
|
|
assert "open policy" in violation |