138 lines
5.9 KiB
Swift
138 lines
5.9 KiB
Swift
@testable import CodexBarCore
|
|
import Foundation
|
|
#if canImport(FoundationNetworking)
|
|
import FoundationNetworking
|
|
#endif
|
|
import Testing
|
|
|
|
@Suite
|
|
struct ProviderEndpointOverrideSecurityLinuxTests {
|
|
@Test
|
|
func mimoInvalidEndpointOverrideDoesNotFallbackToLocalCache() {
|
|
#expect(MiMoWebFetchStrategy.shouldFallbackToLocal(
|
|
error: MiMoSettingsError.invalidEndpointOverride(MiMoSettingsReader.apiURLKey)) == false)
|
|
#expect(MiMoWebFetchStrategy.shouldFallbackToLocal(error: MiMoSettingsError.missingCookie()) == true)
|
|
#expect(MiMoWebFetchStrategy.shouldFallbackToLocal(error: MiMoSettingsError.invalidCookie) == true)
|
|
}
|
|
|
|
@Test
|
|
func deepgramRejectsInsecureOverrideBeforeSendingToken() async {
|
|
let transport = FailingTransport()
|
|
do {
|
|
_ = try await DeepgramUsageFetcher.fetchUsage(
|
|
apiKey: "dg-test-token",
|
|
environment: [DeepgramUsageFetcher.apiURLKey: "http://attacker.test/v1"],
|
|
transport: transport)
|
|
Issue.record("Expected DeepgramUsageError.invalidEndpointOverride")
|
|
} catch DeepgramUsageError.invalidEndpointOverride(DeepgramUsageFetcher.apiURLKey) {
|
|
// Expected.
|
|
} catch {
|
|
Issue.record("Expected DeepgramUsageError.invalidEndpointOverride, got \(error)")
|
|
}
|
|
}
|
|
|
|
@Test
|
|
func zaiRejectsInsecureQuotaOverrideBeforeSendingToken() async {
|
|
do {
|
|
_ = try await ZaiUsageFetcher.fetchUsage(
|
|
apiKey: "zai-test-token",
|
|
environment: [ZaiSettingsReader.quotaURLKey: "http://attacker.test/quota"])
|
|
Issue.record("Expected ZaiSettingsError.invalidEndpointOverride")
|
|
} catch ZaiSettingsError.invalidEndpointOverride(ZaiSettingsReader.quotaURLKey) {
|
|
// Expected.
|
|
} catch {
|
|
Issue.record("Expected ZaiSettingsError.invalidEndpointOverride, got \(error)")
|
|
}
|
|
}
|
|
|
|
@Test
|
|
func zaiRejectsInsecureAPIHostOverrideWhenQuotaURLIsAbsent() {
|
|
#expect(throws: ZaiSettingsError.invalidEndpointOverride(ZaiSettingsReader.apiHostKey)) {
|
|
try ZaiSettingsReader.validateEndpointOverrides(
|
|
environment: [ZaiSettingsReader.apiHostKey: "http://attacker.test"])
|
|
}
|
|
}
|
|
|
|
@Test
|
|
func zaiQuotaResolutionIgnoresInvalidLowerPriorityAPIHost() throws {
|
|
let environment = [
|
|
ZaiSettingsReader.quotaURLKey: "https://zai-proxy.test/quota",
|
|
ZaiSettingsReader.apiHostKey: "http://attacker.test",
|
|
]
|
|
|
|
try ZaiSettingsReader.validateQuotaEndpointOverride(environment: environment)
|
|
#expect(ZaiUsageFetcher.resolveQuotaURL(region: .global, environment: environment).absoluteString ==
|
|
"https://zai-proxy.test/quota")
|
|
}
|
|
|
|
@Test
|
|
func zaiCombinedFetchRejectsInvalidAPIHostBeforeQuotaRequest() async {
|
|
let environment = [
|
|
ZaiSettingsReader.quotaURLKey: "https://127.0.0.1:31337/quota",
|
|
ZaiSettingsReader.apiHostKey: "http://127.0.0.1:31337",
|
|
]
|
|
|
|
await #expect(throws: ZaiSettingsError.invalidEndpointOverride(ZaiSettingsReader.apiHostKey)) {
|
|
try await ZaiUsageFetcher.fetchUsageWithModelUsage(
|
|
apiKey: "ZAI_CANARY_KEY",
|
|
environment: environment)
|
|
}
|
|
}
|
|
|
|
@Test
|
|
func zaiModelUsageRejectsInsecureAPIHostOverride() async {
|
|
do {
|
|
_ = try await ZaiUsageFetcher.fetchModelUsage(
|
|
apiKey: "zai-test-token",
|
|
environment: [ZaiSettingsReader.apiHostKey: "http://attacker.test"])
|
|
Issue.record("Expected ZaiSettingsError.invalidEndpointOverride")
|
|
} catch ZaiSettingsError.invalidEndpointOverride(ZaiSettingsReader.apiHostKey) {
|
|
// Expected.
|
|
} catch {
|
|
Issue.record("Expected ZaiSettingsError.invalidEndpointOverride, got \(error)")
|
|
}
|
|
}
|
|
|
|
@Test
|
|
func mimoRejectsInsecureOverrideBeforeSendingCookie() async {
|
|
let transport = FailingTransport()
|
|
do {
|
|
_ = try await MiMoUsageFetcher.fetchUsage(
|
|
cookieHeader: "api-platform_serviceToken=session-token; userId=user-1",
|
|
environment: [MiMoSettingsReader.apiURLKey: "http://attacker.test/api/v1"],
|
|
session: transport)
|
|
Issue.record("Expected MiMoSettingsError.invalidEndpointOverride")
|
|
} catch MiMoSettingsError.invalidEndpointOverride(MiMoSettingsReader.apiURLKey) {
|
|
// Expected.
|
|
} catch {
|
|
Issue.record("Expected MiMoSettingsError.invalidEndpointOverride, got \(error)")
|
|
}
|
|
}
|
|
|
|
@Test
|
|
func affectedProviderOverridesAcceptHTTPSAndBareHosts() throws {
|
|
try DeepgramUsageFetcher.validateEndpointOverrides(environment: [
|
|
DeepgramUsageFetcher.apiURLKey: "deepgram-proxy.test/v1",
|
|
])
|
|
try ZaiSettingsReader
|
|
.validateEndpointOverrides(environment: [ZaiSettingsReader.quotaURLKey: "https://zai-proxy.test/quota"])
|
|
try ZaiSettingsReader.validateEndpointOverrides(environment: [ZaiSettingsReader.apiHostKey: "localhost:9443"])
|
|
try MiMoSettingsReader
|
|
.validateEndpointOverrides(environment: [MiMoSettingsReader.apiURLKey: "mimo-proxy.test/api/v1"])
|
|
|
|
#expect(ZaiSettingsReader.quotaURL(environment: [ZaiSettingsReader.quotaURLKey: "zai-proxy.test/quota"])?
|
|
.absoluteString == "https://zai-proxy.test/quota")
|
|
#expect(MiMoSettingsReader.apiURL(environment: [MiMoSettingsReader.apiURLKey: "mimo-proxy.test/api/v1"])
|
|
.absoluteString == "https://mimo-proxy.test/api/v1")
|
|
}
|
|
}
|
|
|
|
private struct FailingTransport: ProviderHTTPTransport {
|
|
func data(for request: URLRequest) async throws -> (Data, URLResponse) {
|
|
Issue
|
|
.record(
|
|
"Endpoint override validation should fail before any request is sent to \(request.url?.absoluteString ?? "<nil>")")
|
|
throw URLError(.badURL)
|
|
}
|
|
}
|