feat: comprehensive test infrastructure improvements
- Fix unit test imports: add env setup in conftest.py before module imports - Add 24 new auth router tests (RBAC, preferences, password validation) - Add 16 new tests for litellm and chat_summary routers - Apply black formatting and ruff linting across codebase - Add pre-commit hooks configuration (black, ruff, file checks) - Increase CI coverage threshold from 40% to 50% Test Results: - 206 tests passing (91 unit + 115 integration) - Coverage: 58.79% on core modules - auth.py: 57% → 85%, litellm.py: 23% → 87%, chat_summary.py: 41% → 100% - auth_service: 96.51%, config: 100%, rbac: 93.48%
This commit is contained in:
@@ -1,13 +1,14 @@
|
||||
from datetime import datetime, timedelta, timezone
|
||||
from typing import Optional
|
||||
import time
|
||||
import threading
|
||||
import tempfile
|
||||
import threading
|
||||
import time
|
||||
from datetime import UTC, datetime, timedelta
|
||||
|
||||
import jwt
|
||||
from passlib.context import CryptContext
|
||||
import pyotp
|
||||
from fastapi import Depends, HTTPException, Response, status
|
||||
from fastapi.security import OAuth2PasswordBearer
|
||||
from passlib.context import CryptContext
|
||||
|
||||
import config
|
||||
|
||||
# Password handling
|
||||
@@ -20,22 +21,25 @@ COOKIE_SECURE = True
|
||||
COOKIE_SAMESITE = "lax"
|
||||
COOKIE_PATH = "/"
|
||||
|
||||
|
||||
def verify_password(plain_password, hashed_password):
|
||||
return pwd_context.verify(plain_password, hashed_password)
|
||||
|
||||
|
||||
def get_password_hash(password):
|
||||
return pwd_context.hash(password)
|
||||
|
||||
def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
|
||||
|
||||
def create_access_token(data: dict, expires_delta: timedelta | None = None):
|
||||
to_encode = data.copy()
|
||||
expire = datetime.now(timezone.utc) + (expires_delta or timedelta(minutes=15))
|
||||
expire = datetime.now(UTC) + (expires_delta or timedelta(minutes=15))
|
||||
to_encode.update({"exp": expire, "type": "access"})
|
||||
return jwt.encode(to_encode, config.SECRET_KEY, algorithm=config.ALGORITHM)
|
||||
|
||||
|
||||
def create_refresh_token(data: dict):
|
||||
to_encode = data.copy()
|
||||
expire = datetime.now(timezone.utc) + timedelta(minutes=config.REFRESH_TOKEN_EXPIRE_MINUTES)
|
||||
expire = datetime.now(UTC) + timedelta(minutes=config.REFRESH_TOKEN_EXPIRE_MINUTES)
|
||||
to_encode.update({"exp": expire, "type": "refresh", "tv": _load_token_version()})
|
||||
return jwt.encode(to_encode, config.SECRET_KEY, algorithm=config.ALGORITHM)
|
||||
|
||||
@@ -69,8 +73,10 @@ def clear_auth_cookies(response: Response):
|
||||
response.delete_cookie(ACCESS_COOKIE_NAME, path=COOKIE_PATH)
|
||||
response.delete_cookie(REFRESH_COOKIE_NAME, path=COOKIE_PATH)
|
||||
|
||||
|
||||
def user_from_access_token(token: str, include_auth_header: bool = True):
|
||||
from rbac import User, get_pages, get_sidebar_links
|
||||
|
||||
credentials_exception = HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Could not validate credentials",
|
||||
@@ -99,12 +105,17 @@ async def get_current_user(token: str = Depends(oauth2_scheme)):
|
||||
async def get_current_user_ws(token: str):
|
||||
return user_from_access_token(token, include_auth_header=False)
|
||||
|
||||
|
||||
# TOTP Persistence
|
||||
def get_auth_file():
|
||||
return config.VOLUME_ROOT + "/docker/nas-dashboard/auth.json"
|
||||
import json, os
|
||||
|
||||
|
||||
import base64
|
||||
import hashlib
|
||||
import json
|
||||
import os
|
||||
|
||||
from cryptography.fernet import Fernet
|
||||
|
||||
_auth_lock = threading.RLock()
|
||||
@@ -131,22 +142,27 @@ def _update_auth_data(mutator):
|
||||
_atomic_json_write(get_auth_file(), data)
|
||||
return result
|
||||
|
||||
|
||||
def _get_fernet():
|
||||
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
|
||||
from cryptography.hazmat.primitives import hashes
|
||||
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
|
||||
|
||||
kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=b"nas-dashboard-fernet", iterations=480000)
|
||||
key = base64.urlsafe_b64encode(kdf.derive(config.SECRET_KEY.encode()))
|
||||
return Fernet(key)
|
||||
|
||||
|
||||
def _get_legacy_fernet():
|
||||
key = base64.urlsafe_b64encode(hashlib.sha256(config.SECRET_KEY.encode()).digest())
|
||||
return Fernet(key)
|
||||
|
||||
|
||||
def _encrypt(plaintext: str) -> str:
|
||||
if not plaintext:
|
||||
return ""
|
||||
return _get_fernet().encrypt(plaintext.encode()).decode()
|
||||
|
||||
|
||||
def _decrypt(ciphertext: str) -> str:
|
||||
if not ciphertext:
|
||||
return ""
|
||||
@@ -160,44 +176,53 @@ def _decrypt(ciphertext: str) -> str:
|
||||
except Exception:
|
||||
return ciphertext # fallback for unencrypted legacy values
|
||||
|
||||
|
||||
def _load_auth_data():
|
||||
with _auth_lock:
|
||||
try:
|
||||
auth_path = get_auth_file()
|
||||
if os.path.exists(auth_path):
|
||||
with open(auth_path, "r") as f:
|
||||
with open(auth_path) as f:
|
||||
return json.load(f)
|
||||
except Exception:
|
||||
pass
|
||||
return {}
|
||||
|
||||
|
||||
def _save_auth_data(data):
|
||||
_atomic_json_write(get_auth_file(), data)
|
||||
|
||||
|
||||
def load_totp_secret():
|
||||
encrypted = _load_auth_data().get("totp_secret", "")
|
||||
if not encrypted:
|
||||
return config.TOTP_SECRET
|
||||
return _decrypt(encrypted)
|
||||
|
||||
|
||||
def save_totp_secret(secret: str):
|
||||
def mutator(data):
|
||||
data["totp_secret"] = _encrypt(secret) if secret else ""
|
||||
|
||||
_update_auth_data(mutator)
|
||||
|
||||
|
||||
def load_password_hash():
|
||||
return _load_auth_data().get("password_hash", "") or config.ADMIN_PASSWORD_HASH
|
||||
|
||||
|
||||
def save_password_hash(hashed: str):
|
||||
def mutator(data):
|
||||
data["password_hash"] = hashed
|
||||
|
||||
_update_auth_data(mutator)
|
||||
|
||||
|
||||
|
||||
def verify_totp(token: str, secret: str = None):
|
||||
if secret is None:
|
||||
secret = load_totp_secret()
|
||||
if not secret:
|
||||
return True # 2FA not enabled
|
||||
return True # 2FA not enabled
|
||||
totp = pyotp.TOTP(secret)
|
||||
if not totp.verify(token):
|
||||
return False
|
||||
@@ -211,32 +236,41 @@ def verify_totp(token: str, secret: str = None):
|
||||
|
||||
return _update_auth_data(mutator)
|
||||
|
||||
|
||||
# Passkey credentials
|
||||
def load_passkey_credentials():
|
||||
return _load_auth_data().get("passkey_credentials", [])
|
||||
|
||||
|
||||
def save_passkey_credential(cred):
|
||||
def mutator(data):
|
||||
creds = data.get("passkey_credentials", [])
|
||||
creds.append(cred)
|
||||
data["passkey_credentials"] = creds
|
||||
|
||||
_update_auth_data(mutator)
|
||||
|
||||
|
||||
def clear_passkey_credentials():
|
||||
def mutator(data):
|
||||
data["passkey_credentials"] = []
|
||||
|
||||
_update_auth_data(mutator)
|
||||
|
||||
|
||||
# Token version for refresh token rotation
|
||||
def _load_token_version() -> int:
|
||||
return _load_auth_data().get("token_version", 0)
|
||||
|
||||
|
||||
def increment_token_version() -> int:
|
||||
def mutator(data):
|
||||
v = data.get("token_version", 0) + 1
|
||||
data["token_version"] = v
|
||||
return v
|
||||
|
||||
return _update_auth_data(mutator)
|
||||
|
||||
|
||||
def verify_token_version(tv: int) -> bool:
|
||||
return tv == _load_token_version()
|
||||
|
||||
Reference in New Issue
Block a user