| 1 | """ |
| 2 | test_operator_auth_unit |
| 3 | ======================= |
| 4 | Regression test for the registry operator-auth fail-closed boot gate. |
| 5 | |
| 6 | The registry must refuse to start when OVERSIGHT_OPERATOR_TOKEN is empty |
| 7 | unless OVERSIGHT_AUTH_DISABLED=1 is set explicitly. Without this gate, the |
| 8 | public write endpoints (/register, /attribute) let anyone self-sign manifests |
| 9 | into the append-only transparency log. |
| 10 | """ |
| 11 | |
| 12 | from __future__ import annotations |
| 13 | |
| 14 | import sys |
| 15 | from pathlib import Path |
| 16 | |
| 17 | import pytest |
| 18 | |
| 19 | ROOT = Path(__file__).resolve().parent.parent |
| 20 | sys.path.insert(0, str(ROOT)) |
| 21 | |
| 22 | import registry.server as server |
| 23 | |
| 24 | |
| 25 | def _set(token: str, disabled: bool): |
| 26 | server.OPERATOR_TOKEN = token |
| 27 | server.AUTH_DISABLED = disabled |
| 28 | |
| 29 | |
| 30 | def test_no_token_not_disabled_refuses_to_boot(): |
| 31 | _set("", False) |
| 32 | with pytest.raises(RuntimeError, match="OVERSIGHT_OPERATOR_TOKEN is required"): |
| 33 | server._enforce_auth_config() |
| 34 | |
| 35 | |
| 36 | def test_no_token_but_disabled_boots_with_warning(recwarn): |
| 37 | _set("", True) |
| 38 | server._enforce_auth_config() |
| 39 | assert any( |
| 40 | "OVERSIGHT_AUTH_DISABLED" in str(w.message) for w in recwarn.list |
| 41 | ), "expected a loud warning when auth is explicitly disabled" |
| 42 | |
| 43 | |
| 44 | def test_token_set_boots_cleanly(): |
| 45 | _set("a-real-operator-token-value", False) |
| 46 | server._enforce_auth_config() |
| 47 | |
| 48 | |
| 49 | def test_token_set_boots_cleanly_even_if_disabled(): |
| 50 | _set("a-real-operator-token-value", True) |
| 51 | server._enforce_auth_config() |