0c1cf3989a
aider_run multi-provider credentials (tools/aider.py):
- _resolve_credentials() — general credential resolver; replaces the previous
OpenRouter-only injection; resolution priority: Anthropic model hint → explicit
host_label → model prefix (openrouter/*, groq/*, deepseek/*, …) → OpenRouter
default → Anthropic API key → any keyed cloud host → local/generic host
- _host_flags() — generates --api-key slug=key for known cloud providers (OpenRouter,
OpenAI, Groq, Together, Fireworks, X.ai, DeepSeek, Mistral); generates
--openai-api-base + --openai-api-key for generic/local hosts (Open WebUI, Ollama);
appends /api suffix for openwebui host_type; auto-prefixes model with 'openai/'
for generic endpoints when model has no / prefix
- Anthropic API keys from providers.anthropic.credentials (not a host entry)
- host_label param added to aider_run and FunctionDeclaration — pick a configured
host by partial label match (e.g. 'OpenRouter', 'Local', 'scott-lt-i7-rtx')
- 16 unit tests for _resolve_credentials covering all resolution paths
main.py: move @app.get("/health") before app.include_router(ui.router) — the
/{username} catch-all in ui.router was swallowing the /health path
Test suite: 37 pre-existing failures → 182/182 passing
- test_tools.py: _task_list() missing priority arg (6 callsites); cron ID regex
c_\w+ → c_[\w-]+ (token_urlsafe includes '-', causing intermittent truncation)
- test_webhooks.py: rewritten for per-user channel config architecture —
patch routers.nextcloud_talk/google_chat.get_user_channels instead of removed
settings fields; corrected endpoints /webhook/nextcloud/scott and
/channels/google-chat/scott; non-empty cfg dicts so falsy-guard passes
- test_health.py: test_unknown_route_404 now uses 3-segment path (/{u}/{p}/x)
since single-segment paths hit the /{username} UI catch-all
- test_api_files.py: removed '../config.py' from not-in-allowed test (ASGI
normalizes it to /config.py which hits /{username} catch-all, not files router)
- test_security.py: same webhook patch target fix; per-user endpoint URLs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
187 lines
6.6 KiB
Python
187 lines
6.6 KiB
Python
"""
|
|
Webhook auth tests — NC Talk HMAC, Google Chat JWT.
|
|
|
|
These tests verify that auth is enforced, not that full LLM responses work.
|
|
|
|
Architecture note: channel config (secrets, audience) lives in per-user channels.json,
|
|
not in settings. Tests mock get_user_channels() rather than patching settings fields.
|
|
Endpoints are per-user: /webhook/nextcloud/{username} and /channels/google-chat/{username}.
|
|
"""
|
|
import hashlib
|
|
import hmac
|
|
import json
|
|
import pytest
|
|
from unittest.mock import AsyncMock, patch
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Nextcloud Talk
|
|
# ---------------------------------------------------------------------------
|
|
|
|
_NC_SECRET = "test-bot-secret-12345"
|
|
|
|
_VALID_NC_PAYLOAD = {
|
|
"type": "Create",
|
|
"actor": {"type": "users", "id": "testuser", "name": "Test User"},
|
|
"object": {
|
|
"type": "Note",
|
|
"content": json.dumps({"message": "Hello Inara"}),
|
|
},
|
|
"target": {"id": "abc123token"},
|
|
}
|
|
|
|
_NCT_CHANNELS = {
|
|
"nextcloud": {
|
|
"bot_secret": _NC_SECRET,
|
|
"notification_room": "abc123token",
|
|
"url": "https://nc.example.com",
|
|
}
|
|
}
|
|
|
|
|
|
def _nc_headers(body: bytes, secret: str) -> dict:
|
|
random_str = "abc123"
|
|
sig = hmac.new(
|
|
secret.encode(),
|
|
(random_str + body.decode("utf-8")).encode(),
|
|
hashlib.sha256,
|
|
).hexdigest()
|
|
return {
|
|
"X-Nextcloud-Talk-Random": random_str,
|
|
"X-Nextcloud-Talk-Signature": sig,
|
|
}
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_nct_valid_signature(client, mock_llm):
|
|
body = json.dumps(_VALID_NC_PAYLOAD).encode()
|
|
with patch("routers.nextcloud_talk.get_user_channels", return_value=_NCT_CHANNELS):
|
|
with patch("routers.nextcloud_talk._send_reply", new_callable=AsyncMock):
|
|
headers = _nc_headers(body, _NC_SECRET)
|
|
r = await client.post(
|
|
"/webhook/nextcloud/scott",
|
|
content=body,
|
|
headers={**headers, "Content-Type": "application/json"},
|
|
)
|
|
assert r.status_code == 200
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_nct_wrong_signature(client):
|
|
body = json.dumps(_VALID_NC_PAYLOAD).encode()
|
|
with patch("routers.nextcloud_talk.get_user_channels", return_value=_NCT_CHANNELS):
|
|
r = await client.post(
|
|
"/webhook/nextcloud/scott",
|
|
content=body,
|
|
headers={
|
|
"Content-Type": "application/json",
|
|
"X-Nextcloud-Talk-Random": "abc123",
|
|
"X-Nextcloud-Talk-Signature": "badsignature",
|
|
},
|
|
)
|
|
assert r.status_code == 401
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_nct_missing_signature(client):
|
|
body = json.dumps(_VALID_NC_PAYLOAD).encode()
|
|
with patch("routers.nextcloud_talk.get_user_channels", return_value=_NCT_CHANNELS):
|
|
r = await client.post(
|
|
"/webhook/nextcloud/scott",
|
|
content=body,
|
|
headers={"Content-Type": "application/json"},
|
|
)
|
|
assert r.status_code == 401
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_nct_no_secret_configured(client):
|
|
"""Service should return 500 if bot_secret is missing, not process the message."""
|
|
body = json.dumps(_VALID_NC_PAYLOAD).encode()
|
|
# cfg must be non-empty (truthy) to get past the 404 guard; missing bot_secret → 500
|
|
empty_cfg = {"nextcloud": {"url": "https://nc.example.com"}}
|
|
with patch("routers.nextcloud_talk.get_user_channels", return_value=empty_cfg):
|
|
r = await client.post(
|
|
"/webhook/nextcloud/scott",
|
|
content=body,
|
|
headers={"Content-Type": "application/json"},
|
|
)
|
|
assert r.status_code == 500
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_nct_bot_message_ignored(client):
|
|
"""Messages from other bots should be silently ignored (not processed)."""
|
|
payload = {**_VALID_NC_PAYLOAD, "actor": {"type": "bots", "id": "otherbot", "name": "Bot"}}
|
|
body = json.dumps(payload).encode()
|
|
with patch("routers.nextcloud_talk.get_user_channels", return_value=_NCT_CHANNELS):
|
|
headers = _nc_headers(body, _NC_SECRET)
|
|
r = await client.post(
|
|
"/webhook/nextcloud/scott",
|
|
content=body,
|
|
headers={**headers, "Content-Type": "application/json"},
|
|
)
|
|
assert r.status_code == 200
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Google Chat
|
|
# ---------------------------------------------------------------------------
|
|
|
|
_GCHAT_PAYLOAD = {
|
|
"chat": {
|
|
"messagePayload": {
|
|
"message": {"text": "Hello", "argumentText": "Hello"},
|
|
"space": {"name": "spaces/test123", "type": "ROOM"},
|
|
},
|
|
"user": {"displayName": "Test User"},
|
|
}
|
|
}
|
|
|
|
_GCHAT_CHANNELS_NO_AUDIENCE = {
|
|
# cfg must be non-empty (truthy) to pass the 404 guard; no audience → JWT skipped
|
|
"google_chat": {"persona": "inara"}
|
|
}
|
|
|
|
_GCHAT_CHANNELS_WITH_AUDIENCE = {
|
|
"google_chat": {"audience": "123456789"}
|
|
}
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_gchat_no_audience_configured(client, mock_llm):
|
|
"""When audience is not set, JWT check is skipped (current behaviour — documented bypass)."""
|
|
with patch("routers.google_chat.get_user_channels", return_value=_GCHAT_CHANNELS_NO_AUDIENCE):
|
|
r = await client.post("/channels/google-chat/scott", json=_GCHAT_PAYLOAD)
|
|
assert r.status_code == 200
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_gchat_missing_token_with_audience(client):
|
|
"""When audience IS configured, requests without a token must be rejected."""
|
|
with patch("routers.google_chat.get_user_channels", return_value=_GCHAT_CHANNELS_WITH_AUDIENCE):
|
|
r = await client.post("/channels/google-chat/scott", json=_GCHAT_PAYLOAD)
|
|
assert r.status_code == 401
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_gchat_invalid_token_with_audience(client):
|
|
"""A fake token should fail JWT verification."""
|
|
payload_with_token = {
|
|
**_GCHAT_PAYLOAD,
|
|
"authorizationEventObject": {"systemIdToken": "not.a.valid.jwt"},
|
|
}
|
|
with patch("routers.google_chat.get_user_channels", return_value=_GCHAT_CHANNELS_WITH_AUDIENCE):
|
|
r = await client.post("/channels/google-chat/scott", json=payload_with_token)
|
|
assert r.status_code == 401
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_gchat_added_to_space(client, mock_llm):
|
|
"""Bot added to a space — should return a greeting, no auth when audience empty."""
|
|
payload = {"chat": {"addedToSpacePayload": {"space": {"type": "ROOM"}}}}
|
|
with patch("routers.google_chat.get_user_channels", return_value=_GCHAT_CHANNELS_NO_AUDIENCE):
|
|
r = await client.post("/channels/google-chat/scott", json=payload)
|
|
assert r.status_code == 200
|
|
assert "hostAppDataAction" in r.json()
|