875e50a504
5 new test files for the upcoming /api/query pre-flight block (next
commit). All failing for the right reason on the current codebase:
tests/test_query_bq_regex.py (8 + 1 + 7 + 1 = 17 cases)
Pure unit test of `BQ_PATH` regex constant (not yet imported from
app.api.query). Verifies the 16-case matrix from spec §4.3.1:
positive matches for fully-quoted / unquoted / mixed quoting / case
variants / inside CTE bodies / multiple paths in one statement;
negative for bare registered names / 2-part bq.col / prefix that
contains bq / middle-component bq / quoted bare names; documented
string-literal false-positive accepted.
tests/test_query_bigquery_query_blocked.py (3 cases)
POST /api/query with bigquery_query() function call must hit the
canonical blocklist rejection ("Only single SELECT queries are
allowed"). Today the blocklist passes all 3 — confirmed RED via
detail-string assertion.
tests/test_api_query_rbac_bq_path.py (4 cases)
Direct bq."<ds>"."<tbl>" references must be registry-gated:
unregistered → 403 bq_path_not_registered; registered + admin →
bypass per-name grant; case-insensitive lookup; string-literal
containing bq.X.Y → 403 (strict-deny).
tests/test_api_query_guardrail.py (3 cases)
Cost guardrail: SQL referencing a registered remote BQ row invokes
_bq_dry_run_bytes (verified via call-counter side effect); over-cap
dry-run returns 400 remote_scan_too_large with bytes/tables/suggestion
in detail; non-BQ queries skip the dry-run entirely.
tests/test_api_query_quota.py (3 cases)
Daily-byte quota check_daily_budget pre-flight (over-cap → 429
before dry-run); record_bytes post-flight on the shared singleton
v2_quota tracker; non-BQ queries leave the counter alone.
RED breakdown: 16 ImportError (BQ_PATH not yet defined) + 7 assertion
failures = 23 fully-RED. 6 tests pass for regression-green reasons
(use `if r.status_code == 403:` patterns where current code returns
400 for unrelated reasons). They serve as anti-regression guards once
the implementation lands and remain green throughout — documented per
spec §6 Phase 1 RED-discipline notes.
119 lines
4.1 KiB
Python
119 lines
4.1 KiB
Python
"""POST /api/query cost guardrail for query_mode='remote' BigQuery rows.
|
|
|
|
When user SQL references a registered remote-BQ name (or a direct
|
|
`bq."<ds>"."<tbl>"` path), run a BQ dry-run before execute. If the
|
|
estimated scan exceeds the configured cap, reject with 400 +
|
|
`remote_scan_too_large` so the operator pivots to `da fetch`.
|
|
|
|
Default cap: 5 GiB per request. Configurable via
|
|
`api.query.bq_max_scan_bytes` in /admin/server-config (#160 §4.4).
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import pytest
|
|
|
|
|
|
def _auth(token: str) -> dict:
|
|
return {"Authorization": f"Bearer {token}"}
|
|
|
|
|
|
def _register_bq_remote_row(name: str, bucket: str, source_table: str) -> None:
|
|
from src.db import get_system_db
|
|
from src.repositories.table_registry import TableRegistryRepository
|
|
sys_conn = get_system_db()
|
|
try:
|
|
TableRegistryRepository(sys_conn).register(
|
|
id=f"bq.{bucket}.{source_table}",
|
|
name=name,
|
|
source_type="bigquery",
|
|
bucket=bucket,
|
|
source_table=source_table,
|
|
query_mode="remote",
|
|
)
|
|
finally:
|
|
sys_conn.close()
|
|
|
|
|
|
@pytest.fixture
|
|
def mock_dry_run(monkeypatch):
|
|
"""Replace `_bq_dry_run_bytes` with a controllable stub. Each test sets
|
|
`mock_dry_run.bytes_to_return` to control what /api/query sees."""
|
|
state = {"bytes": 0}
|
|
|
|
def fake(*args, **kwargs):
|
|
return state["bytes"]
|
|
|
|
monkeypatch.setattr("app.api.query._bq_dry_run_bytes", fake, raising=False)
|
|
return state
|
|
|
|
|
|
def test_query_under_cap_calls_dry_run(seeded_app, mock_dry_run, monkeypatch):
|
|
"""Dry-run is invoked when SQL references a registered remote BQ row.
|
|
Use a sentinel side-effect to confirm: the mock records call counts."""
|
|
_register_bq_remote_row("ue", "finance", "ue")
|
|
state = mock_dry_run
|
|
state["bytes"] = 1 * 1024 * 1024 # 1 MiB
|
|
state["call_count"] = 0
|
|
|
|
def counting_fake(*args, **kwargs):
|
|
state["call_count"] += 1
|
|
return state["bytes"]
|
|
|
|
monkeypatch.setattr("app.api.query._bq_dry_run_bytes", counting_fake, raising=False)
|
|
|
|
c = seeded_app["client"]
|
|
token = seeded_app["admin_token"]
|
|
c.post(
|
|
"/api/query",
|
|
json={"sql": "SELECT count(*) FROM ue"},
|
|
headers=_auth(token),
|
|
)
|
|
assert state["call_count"] >= 1, \
|
|
"guardrail must invoke _bq_dry_run_bytes when SQL references a registered remote BQ row"
|
|
|
|
|
|
def test_query_over_cap_rejected_400(seeded_app, mock_dry_run, monkeypatch):
|
|
"""Dry-run reports 10 GiB; default cap (5 GiB) is exceeded → 400 with
|
|
structured detail naming bytes + tables + suggestion."""
|
|
_register_bq_remote_row("ue", "finance", "ue")
|
|
mock_dry_run["bytes"] = 10 * 1024 * 1024 * 1024 # 10 GiB
|
|
|
|
c = seeded_app["client"]
|
|
token = seeded_app["admin_token"]
|
|
r = c.post(
|
|
"/api/query",
|
|
json={"sql": "SELECT * FROM ue"},
|
|
headers=_auth(token),
|
|
)
|
|
assert r.status_code == 400, r.json()
|
|
detail = r.json().get("detail", {})
|
|
if isinstance(detail, dict):
|
|
assert detail.get("reason") == "remote_scan_too_large", detail
|
|
assert detail.get("scan_bytes") >= 10 * 1024 * 1024 * 1024
|
|
assert "da fetch" in detail.get("suggestion", "").lower() or \
|
|
"fetch" in detail.get("suggestion", "").lower()
|
|
assert "ue" in detail.get("tables", []) or \
|
|
any("ue" in t for t in detail.get("tables", []))
|
|
|
|
|
|
def test_no_bq_row_reference_skips_dry_run(seeded_app, monkeypatch):
|
|
"""A query that doesn't touch any registered BQ remote row must NOT
|
|
invoke `_bq_dry_run_bytes` — guardrail incurs zero new latency on
|
|
plain non-BQ queries."""
|
|
state = {"calls": 0}
|
|
|
|
def counting_fake(*args, **kwargs):
|
|
state["calls"] += 1
|
|
return 100 * 1024 * 1024 * 1024 # 100 GiB — irrelevant if not called
|
|
|
|
monkeypatch.setattr("app.api.query._bq_dry_run_bytes", counting_fake, raising=False)
|
|
|
|
c = seeded_app["client"]
|
|
token = seeded_app["admin_token"]
|
|
c.post(
|
|
"/api/query",
|
|
json={"sql": "SELECT 1 AS x"},
|
|
headers=_auth(token),
|
|
)
|
|
assert state["calls"] == 0, \
|
|
f"guardrail must skip dry-run on non-BQ queries; got {state['calls']} calls"
|