Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-17 02:05:22 -04:00
Code Issues Packages Projects Releases Wiki Activity

Validate internal tool owner attribution

Browse Source
This commit is contained in:
pewdiepie-archdaemon
2026-06-01 15:24:52 +09:00
parent 14e8cffa41
commit 8f93d44917
2 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/test_security_regressions.py
+20
View File
@@ -305,6 +305,26 @@ def test_require_admin_allows_when_auth_explicitly_disabled(monkeypatch):
assert require_admin(_Req()) is None
def test_internal_tool_owner_header_logic_requires_known_user():
"""Pin the owner-attribution branch used by app.AuthMiddleware without
booting the full FastAPI app."""
users = {
"alice": {"is_admin": False},
"AdminUser": {"is_admin": True},
}
def resolve_owner(header_value):
impersonate = (header_value or "").strip()
if impersonate and impersonate in users:
return impersonate
return "internal-tool"
assert resolve_owner("alice") == "alice"
assert resolve_owner("AdminUser") == "AdminUser"
assert resolve_owner("doesnotexist") == "internal-tool"
assert resolve_owner("") == "internal-tool"
def test_auth_manager_migrates_legacy_admin_role(tmp_path):
"""Old setup.py wrote role='admin'; startup must turn that into is_admin."""
sys.modules.pop("core.auth", None)