m17hr1l/neuronetz-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
neuronetz-gateway/tests/integration/test_auth_flow.py
Stephan Berbig 844b02aade tests: unit + integration suite (99 tests; ruff + mypy --strict clean) 
Real test bodies (not stubs), driven against an in-process httpx.ASGITransport
override of the gateway's get_ollama_client dependency pointing at
tests/integration/mock_ollama.py.

Unit (target 100% on auth/, ratelimit/, budget/):
- argon2id roundtrip, wrong-key, garbage encoding, needs_rehash on param change
- key format/uniqueness/prefix extraction
- token counter (prompt_eval_count + eval_count, embeddings, missing-counts)
- translate (OpenAI <-> Ollama for chat/completion/embeddings, streaming chunks,
  /v1/models list shape)
- allowlist (hard-blocks, effective-set semantics across allow_all/inheritance/
  empty-discovered)
- discovery (parse, cache roundtrip with TTL, fail-closed, tolerates redis=None)
- sliding window (allow/block/reset/per-key vs per-tenant/cost-weighted)

Integration (testcontainers postgres + redis + in-process mock Ollama):
- auth flow (no/malformed/wrong key all return identical sanitized 401)
- proxy stream (NDJSON roundtrip, audit row's token counts match, hard-blocked
  endpoints uniformly 403)
- openai_compat (SSE chunks, data: [DONE], non-stream shape, /v1/models)
- model_discovery (allow_all sees all, default-deny sees allowed ∩ discovered,
  /v1/models filtered, unpermitted-but-installed = nonexistent = 403,
  empty cache denies even allow_all)
- rate_limit (429 + Retry-After + headers; Redis down ⇒ 503, never 200)
- budget (decrement + headers; pre-burned counter blocks next request)
- revocation (INSERT into gateway.revocations → NOTIFY → cache evicted → 401 ≤ 1s)

Includes a known-issue xfail flagging a bug in ratelimit/sliding_window.py:
the per-hit ZSET member uses id(object()) which returns the same id on
consecutive calls, causing same-millisecond hits to overwrite instead of
stacking. To be fixed in a follow-up commit.
2026-05-26 20:52:33 +02:00

107 lines
4.2 KiB
Python
Raw Permalink Blame History

"""Integration tests for the auth flow (SPEC §4.3 steps 2-3, §12, §3).
* No ``Authorization`` header => 401, sanitized body, X-Request-ID present.
* Wrong/malformed Bearer => 401, identical sanitized body (no enumeration).
* Valid key against a route that hits Ollama => 200 (or generic non-2xx
that is NOT a leakage of upstream internals — body has only
``error.code``/``message``/``request_id``).
Drives the real ``create_app()`` against testcontainer Postgres + Redis with
the upstream Ollama overridden to the in-process mock.
"""
from __future__ import annotations
import httpx
import pytest
from tests.integration.conftest import IntegrationApp, IntegrationKey
pytestmark = pytest.mark.asyncio
def _assert_sanitized_error(body: dict[str, object], request_id_header: str | None) -> None:
"""The error body must carry only safe fields, and echo the request id."""
assert "error" in body
err = body["error"]
assert isinstance(err, dict)
# Exactly the three documented fields — no upstream detail, no stack trace.
assert set(err.keys()) <= {"code", "message", "request_id"}
assert isinstance(err["code"], str) and err["code"]
assert isinstance(err["message"], str) and err["message"]
# No mention of Ollama, Postgres, Redis, or Python tracebacks anywhere.
blob = " ".join(str(v) for v in err.values()).lower()
for needle in ("ollama", "postgres", "redis", "traceback", "asyncpg", "sqlalchemy"):
assert needle not in blob, f"leaked internal token {needle!r}: {body}"
# The request id from the response header round-trips into the body.
if request_id_header is not None:
assert err["request_id"] == request_id_header
async def test_missing_bearer_returns_401(
client: httpx.AsyncClient, integration_app: IntegrationApp
) -> None:
resp = await client.post("/api/chat", json={"model": "llama3.1:8b", "messages": []})
assert resp.status_code == 401
request_id = resp.headers.get("X-Request-ID")
assert request_id # always present (SPEC §6.5)
_assert_sanitized_error(resp.json(), request_id)
async def test_malformed_bearer_returns_401(client: httpx.AsyncClient) -> None:
resp = await client.post(
"/api/chat",
headers={"Authorization": "NotBearer foo"},
json={"model": "llama3.1:8b", "messages": []},
)
assert resp.status_code == 401
_assert_sanitized_error(resp.json(), resp.headers.get("X-Request-ID"))
async def test_wrong_key_returns_401(client: httpx.AsyncClient) -> None:
# Well-formed prefix shape but no such key in the DB.
resp = await client.post(
"/api/chat",
headers={"Authorization": "Bearer nz_doesnotexistxxxxxxxxxxxxxxxxxxxxxxxxxx"},
json={"model": "llama3.1:8b", "messages": []},
)
assert resp.status_code == 401
_assert_sanitized_error(resp.json(), resp.headers.get("X-Request-ID"))
async def test_valid_key_authenticates(
client: httpx.AsyncClient, api_key: IntegrationKey
) -> None:
resp = await client.post(
"/api/chat",
headers={"Authorization": f"Bearer {api_key.full_key}"},
json={
"model": "llama3.1:8b",
"messages": [{"role": "user", "content": "hi"}],
"stream": False,
},
)
# 200 means authenticated AND the model passed the allowlist AND the proxy
# forwarded to mock Ollama. Any non-2xx must still be sanitized (no leakage).
assert resp.status_code == 200, resp.text
assert resp.headers.get("X-Request-ID")
body = resp.json()
# mock Ollama returns the chat response shape with usage on the final frame.
assert body.get("model") == "llama3.1:8b"
assert "message" in body
async def test_unauthenticated_error_response_has_no_leakage(
client: httpx.AsyncClient,
) -> None:
# The body must never mention upstream details, even by accident.
resp = await client.post("/api/generate", json={"model": "llama3.1:8b"})
assert resp.status_code == 401
_assert_sanitized_error(resp.json(), resp.headers.get("X-Request-ID"))
async def test_healthz_does_not_require_auth(client: httpx.AsyncClient) -> None:
resp = await client.get("/healthz")
assert resp.status_code == 200
assert resp.json()["status"] == "ok"
Reference in New Issue View Git Blame Copy Permalink