CalvinBackup/Shadowbroker
1
0
Fork 0
mirror of https://github.com/BigBodyCobain/Shadowbroker.git synced 2026-05-08 18:34:58 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
4ec1fce53d28ce347df29166329485048e0d751e
Shadowbroker/backend/tests/mesh/test_s8b_auth_policy_table.py
T
BigBodyCobain 28b3bd5ebf release: prepare v0.9.7
2026-05-01 22:56:50 -06:00

176 lines
6.1 KiB
Python
Raw Blame History

"""Auth policy table consolidation.
Tests:
- Representative route -> tier mappings stay honest
- Wormhole and mesh DM routes are private_control_only
- Wormhole gate compose/decrypt align with private_control_only
- No route appears in conflicting classifications
- Legacy _private_infonet_required_tier stays consistent with the table
"""
import auth
from auth import (
_PRIVATE_INFONET_ROUTES,
_ROUTE_TRANSPORT_PATTERNS,
_ROUTE_TRANSPORT_POLICY,
_minimum_transport_tier,
_private_infonet_required_tier,
)
def test_no_duplicate_route_keys_in_policy_table():
known_tiers = {"private_control_only", "private_transitional", "private_strong"}
for key, policy in _ROUTE_TRANSPORT_POLICY.items():
tier = policy.enforcement_tier
assert tier in known_tiers, f"{key} has unknown tier {tier!r}"
def test_no_route_classified_in_conflicting_tiers():
for (method, path), policy in _ROUTE_TRANSPORT_POLICY.items():
exact_tier = policy.enforcement_tier
resolved = _minimum_transport_tier(path, method)
assert resolved == exact_tier
def test_dm_compose_is_private_control_only():
assert _minimum_transport_tier("/api/wormhole/dm/compose", "POST") == "private_control_only"
def test_dm_decrypt_is_private_control_only():
assert _minimum_transport_tier("/api/wormhole/dm/decrypt", "POST") == "private_control_only"
def test_gate_message_compose_is_private_control_only():
assert _minimum_transport_tier("/api/wormhole/gate/message/compose", "POST") == "private_control_only"
def test_gate_message_decrypt_is_private_control_only():
assert _minimum_transport_tier("/api/wormhole/gate/message/decrypt", "POST") == "private_control_only"
def test_gate_messages_decrypt_is_private_control_only():
assert _minimum_transport_tier("/api/wormhole/gate/messages/decrypt", "POST") == "private_control_only"
def test_gate_enter_is_private_control_only():
assert _minimum_transport_tier("/api/wormhole/gate/enter", "POST") == "private_control_only"
def test_gate_persona_create_is_private_control_only():
assert _minimum_transport_tier("/api/wormhole/gate/persona/create", "POST") == "private_control_only"
def test_gate_key_rotate_is_private_control_only():
assert _minimum_transport_tier("/api/wormhole/gate/key/rotate", "POST") == "private_control_only"
def test_dm_support_routes_are_control_only():
for path in [
"/api/wormhole/dm/encrypt",
"/api/wormhole/dm/reset",
"/api/wormhole/dm/register-key",
"/api/wormhole/dm/prekey/register",
"/api/wormhole/dm/bootstrap-encrypt",
"/api/wormhole/dm/bootstrap-decrypt",
"/api/wormhole/dm/sender-token",
"/api/wormhole/dm/open-seal",
"/api/wormhole/dm/build-seal",
"/api/wormhole/dm/dead-drop-token",
"/api/wormhole/dm/pairwise-alias",
"/api/wormhole/dm/pairwise-alias/rotate",
"/api/wormhole/dm/dead-drop-tokens",
"/api/wormhole/dm/sas",
]:
assert _minimum_transport_tier(path, "POST") == "private_control_only"
def test_mesh_dm_send_post_is_strong():
assert _minimum_transport_tier("/api/mesh/dm/send", "POST") == "private_strong"
def test_mesh_identity_rotate_post_is_strong():
assert _minimum_transport_tier("/api/mesh/identity/rotate", "POST") == "private_strong"
def test_mesh_dm_poll_get_is_strong():
assert _minimum_transport_tier("/api/mesh/dm/poll", "GET") == "private_strong"
def test_mesh_dm_prekey_bundle_get_transitional():
assert _minimum_transport_tier("/api/mesh/dm/prekey-bundle", "GET") == "private_transitional"
def test_mesh_report_post_transitional():
assert _minimum_transport_tier("/api/mesh/report", "POST") == "private_transitional"
def test_mesh_vote_post_transitional():
assert _minimum_transport_tier("/api/mesh/vote", "POST") == "private_transitional"
def test_mesh_gate_create_post_transitional():
assert _minimum_transport_tier("/api/mesh/gate/create", "POST") == "private_transitional"
def test_mesh_gate_id_message_pattern_strong():
assert _minimum_transport_tier("/api/mesh/gate/infonet/message", "POST") == "private_strong"
assert _minimum_transport_tier("/api/mesh/gate/abc123/message", "POST") == "private_strong"
def test_unknown_route_returns_empty():
assert _minimum_transport_tier("/api/health", "GET") == ""
assert _minimum_transport_tier("/api/mesh/status", "GET") == ""
def test_private_infonet_dm_send_strong():
assert _private_infonet_required_tier("/api/mesh/dm/send", "POST") == "strong"
def test_private_infonet_identity_rotate_strong():
assert _private_infonet_required_tier("/api/mesh/identity/rotate", "POST") == "strong"
def test_private_infonet_dm_poll_get_strong():
assert _private_infonet_required_tier("/api/mesh/dm/poll", "GET") == "strong"
def test_private_infonet_vote_transitional():
assert _private_infonet_required_tier("/api/mesh/vote", "POST") == "transitional"
def test_private_infonet_gate_message_strong():
assert _private_infonet_required_tier("/api/mesh/gate/infonet/message", "POST") == "strong"
def test_private_infonet_unknown_route_empty():
assert _private_infonet_required_tier("/api/health", "GET") == ""
def test_private_infonet_routes_derived_from_policy_table():
for method, path in _PRIVATE_INFONET_ROUTES:
assert (method, path) in _ROUTE_TRANSPORT_POLICY
assert path.startswith("/api/mesh/")
def test_transport_patterns_still_reserved_for_gate_messages():
assert any(
method == "POST"
and prefix == "/api/mesh/gate/"
and suffix == "/message"
and policy.enforcement_tier == "private_strong"
for method, prefix, suffix, policy in _ROUTE_TRANSPORT_PATTERNS
)
def test_legacy_helper_is_derived_not_hand_curated():
for (method, path), policy in _ROUTE_TRANSPORT_POLICY.items():
if not path.startswith("/api/mesh/"):
continue
tier = policy.enforcement_tier
expected = {
"private_control_only": "control_only",
"private_transitional": "transitional",
"private_strong": "strong",
}.get(tier, "")
assert auth._private_infonet_required_tier(path, method) == expected
Reference in New Issue View Git Blame Copy Permalink