* fix(api): harden API surface before Swagger — 9 findings from issue #336 ADV-001: POST /api/sync/table-subscriptions now checks can_access() per table entry, matching the gate already on POST /api/sync/settings. ADV-002: GET /webhooks/jira/health gated behind require_admin; jira_domain removed from response to prevent anonymous info disclosure. ADV-003: GET /api/version no longer exposes commit_sha or schema_version. ADV-005: /docs, /redoc, /openapi.json now require a valid session via custom FastAPI routes (docs_url=None, redoc_url=None, openapi_url=None). ADV-006: /cli/ and /webhooks/ added to _API_PATH_PREFIXES so future auth-gated routes there return JSON 401 not an HTML redirect. ADV-007: GET /api/catalog/tables wired to CatalogTablesResponse model. ADV-008: TableSubscriptionUpdate.tables capped at max_length=500. ADV-009: GET /api/users and GET /auth/admin/tokens accept limit/offset (default 1000, max 10000); repositories updated accordingly. Tests: 11 new regression tests in TestApiHardening336; test_jira_webhooks fixture updated with seeded admin user; OpenAPI snapshot regenerated. * fix(test): update test_journey_jira health check to use admin auth after ADV-002 gate * fix(security): close /auth/bootstrap auth-bypass + BREAKING markers on ADV-002/003/005 Reviewer-flagged regression introduced by ADV-009's pagination on UserRepository.list_all(): the silent default LIMIT 1000 broke the bootstrap check at app/auth/router.py and the startup no-password warning at app/main.py — both call list_all() with no args and depend on exhaustive enumeration. On an instance with >1000 users where no password-holder lands in the email-sorted first page, [u for u in list_all() if u.get('password_hash')] becomes empty → bootstrap re-opens → an unauthenticated caller can claim admin via /auth/bootstrap. Real auth-bypass on a security-sensitive boot path. Fix: - src/repositories/users.py: list_all() restored to no-arg, returns EVERY row (no LIMIT). 
Comment explicitly warns against re-adding pagination here. API-surface pagination moved to a new list_paginated(limit, offset) method with its own docstring. - app/api/users.py: GET /api/users now calls list_paginated(). Existing query-param validation (limit <= 10000) preserved. Regression guards in tests/test_security.py::TestApiHardening336: - test_users_list_all_returns_every_row_no_silent_limit asserts list_all() takes no params other than self (via inspect.signature) so a future cleanup can't accidentally re-add limit/offset. - test_users_list_paginated_is_separate_method asserts the paginated variant is a distinct method, not an overload. CHANGELOG: added **BREAKING** markers per CLAUDE.md release discipline to three pre-existing ADV bullets that are observable breaking changes for external consumers: - ADV-002 (webhook health going from anonymous to admin-only) - ADV-003 (/api/version dropping commit_sha + schema_version) - ADV-005 (/docs, /redoc, /openapi.json going from anonymous to session-required) * release: 0.54.25 — API hardening before Swagger (ADV-001..009) + bootstrap-bypass regression fix --------- Co-authored-by: ZdenekSrotyr <zdenek.srotyr@keboola.com>
"""J5 — Jira webhook journey tests.

Tests the Jira webhook endpoint: valid HMAC signature accepted, invalid
signature rejected, missing signature handled, and basic health check.
"""
import hashlib
import hmac
import json
import pytest
from unittest.mock import patch, MagicMock
def _make_signature(payload: bytes, secret: str) -> str:
    """Return the ``sha256=<hexdigest>`` HMAC-SHA256 signature of *payload*.

    This is the value the tests below place in the ``X-Hub-Signature-256``
    request header, keyed with the same ``secret`` the endpoint is configured
    with.

    Args:
        payload: Raw request body exactly as it will be sent.
        secret: Shared webhook secret; encoded as UTF-8 before keying.

    Returns:
        The ``sha256=`` prefix followed by the lowercase hex digest.
    """
    mac = hmac.new(secret.encode("utf-8"), payload, hashlib.sha256)
    return "sha256=" + mac.hexdigest()
# Minimal Jira "issue updated" event body shared by the webhook tests below;
# only the fields the tests assert on (webhookEvent) or that a plausible event
# carries (issue key, summary, status) are included.
SAMPLE_JIRA_EVENT = {
    "webhookEvent": "jira:issue_updated",
    "issue": {
        "key": "PROJ-123",
        "fields": {"summary": "Test issue", "status": {"name": "In Progress"}},
    },
}
@pytest.mark.journey
class TestJiraWebhookJourney:
    """Journey tests for ``/webhooks/jira`` and its admin-only health route.

    Every test drives the HTTP client from the ``seeded_app`` fixture. The
    webhook secret is supplied by patching ``app.api.jira_webhooks.Config``,
    so the tests never depend on the real environment configuration.
    """

    _WEBHOOK_PATH = "/webhooks/jira"

    def _post_webhook(self, client, payload, signature=None):
        """POST *payload* to the webhook as JSON.

        The ``X-Hub-Signature-256`` header is only attached when *signature*
        is given, so the "no signature" shape of the request stays intact for
        the tests that rely on it.
        """
        headers = {"Content-Type": "application/json"}
        if signature is not None:
            headers["X-Hub-Signature-256"] = signature
        return client.post(self._WEBHOOK_PATH, content=payload, headers=headers)

    def test_webhook_health_check(self, seeded_app):
        """An admin bearer token can read the health route, which no longer leaks jira_domain."""
        client = seeded_app["client"]
        admin_headers = {"Authorization": f"Bearer {seeded_app['admin_token']}"}

        resp = client.get("/webhooks/jira/health", headers=admin_headers)

        assert resp.status_code == 200
        body = resp.json()
        assert body.get("status") == "ok"
        # ADV-002: the domain was removed from the response on purpose.
        assert "jira_domain" not in body

    def test_webhook_with_no_secret_configured_refused(self, seeded_app):
        """Issue #83: an unset JIRA_WEBHOOK_SECRET makes the endpoint fail closed.

        The endpoint answers 503 rather than accepting an unauthenticated event
        (the earlier fail-open behaviour). The test was renamed from
        ``_accepted`` to ``_refused`` to record that contract change.
        """
        client = seeded_app["client"]
        payload = json.dumps(SAMPLE_JIRA_EVENT).encode()

        with patch("app.api.jira_webhooks.Config") as mock_cfg:
            mock_cfg.JIRA_WEBHOOK_SECRET = ""
            mock_cfg.JIRA_DATA_DIR = MagicMock()
            resp = self._post_webhook(client, payload)

        assert resp.status_code == 503
        assert "secret" in resp.json()["detail"].lower()

    def test_webhook_with_valid_hmac_signature(self, seeded_app):
        """A correctly signed POST is accepted and the event name is echoed back."""
        client = seeded_app["client"]
        secret = "test-jira-secret-xyz"
        payload = json.dumps(SAMPLE_JIRA_EVENT).encode()
        signature = _make_signature(payload, secret)

        service = MagicMock()
        service.is_configured.return_value = True
        service.process_webhook_event.return_value = True

        with patch("app.api.jira_webhooks.Config") as mock_cfg:
            with patch("app.api.jira_webhooks.get_jira_service", return_value=service):
                with patch("app.api.jira_webhooks._log_webhook_event"):
                    mock_cfg.JIRA_WEBHOOK_SECRET = secret
                    mock_cfg.JIRA_DATA_DIR = MagicMock()
                    resp = self._post_webhook(client, payload, signature)

        assert resp.status_code == 200
        body = resp.json()
        assert body["status"] == "ok"
        assert body["event"] == "jira:issue_updated"

    def test_webhook_with_invalid_signature_rejected(self, seeded_app):
        """A POST whose signature does not match the configured secret gets 401."""
        client = seeded_app["client"]
        secret = "real-secret"
        payload = json.dumps(SAMPLE_JIRA_EVENT).encode()
        # Well-formed (sha256= + 64 hex chars) but wrong for this payload/secret.
        bad_signature = "sha256=0000000000000000000000000000000000000000000000000000000000000000"

        with patch("app.api.jira_webhooks.Config") as mock_cfg:
            mock_cfg.JIRA_WEBHOOK_SECRET = secret
            mock_cfg.JIRA_DATA_DIR = MagicMock()
            resp = self._post_webhook(client, payload, bad_signature)

        assert resp.status_code == 401
        assert "Invalid signature" in resp.json()["detail"]

    def test_webhook_empty_payload_rejected(self, seeded_app):
        """An empty body is a 400 once the signature check has passed.

        The no-secret path short-circuits to 503 before the body is read; that
        case is covered by test_webhook_with_no_secret_configured_refused.
        """
        client = seeded_app["client"]

        with patch("app.api.jira_webhooks.Config") as mock_cfg:
            with patch("app.api.jira_webhooks._verify_signature", return_value=True):
                mock_cfg.JIRA_WEBHOOK_SECRET = "test-secret-not-empty"
                resp = self._post_webhook(client, b"")

        assert resp.status_code == 400
|