molecule-ai/molecule-core
35
0
Fork 2
Code Issues 6 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
7db9fc7211
molecule-core/workspace/tests/test_transcript_auth.py
Molecule AI Core-DevOps 252f8d0c47
Some checks failed
sop-tier-check / tier-check (pull_request) Failing after 4s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
Details
tech-debt: rename molecule-monorepo-net -> molecule-core-net 
Renames Docker network across all code, configs, scripts, and docs.

Per issue #93: the network was named molecule-monorepo-net as a holdover
from when the repo was called molecule-monorepo. The canonical repo name is
now molecule-core, so the network should be molecule-core-net.

Files changed:
- docker-compose.yml, docker-compose.infra.yml: network definition
- infra/scripts/setup.sh: docker network create
- scripts/nuke-and-rebuild.sh: docker network rm
- workspace-server/internal/provisioner/provisioner.go: DefaultNetwork
- All comments/docs: updated wording

Acceptance: grep -rn 'molecule-monorepo-net' returns zero matches.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-09 20:51:48 +00:00

48 lines
1.7 KiB
Python
Raw Blame History

"""Tests for the #328 fix — /transcript endpoint must fail-CLOSED when
the workspace auth token is not yet on disk.
Prior behaviour (regressed in #287): `if expected:` skipped the auth
check when `get_token()` returned None, so any container on
`molecule-core-net` could read the full session log during the
bootstrap window. The fix lifts the guard into transcript_auth.py for
testability.
"""
from transcript_auth import transcript_authorized
def test_missing_token_fails_closed():
# #328 regression: None token MUST return False (was the fail-open bug).
assert transcript_authorized(None, "Bearer anything") is False
def test_empty_token_fails_closed():
# Empty string is as-bad-as None — also a fail-closed case.
assert transcript_authorized("", "Bearer anything") is False
def test_valid_bearer_passes():
assert transcript_authorized("tok-123", "Bearer tok-123") is True
def test_wrong_bearer_fails():
assert transcript_authorized("tok-123", "Bearer other-token") is False
def test_missing_header_fails_even_when_expected_is_set():
# Empty auth header (not sent at all) must fail — client forgot.
assert transcript_authorized("tok-123", "") is False
def test_case_sensitive_bearer_prefix():
# Strict equality matches platform wsauth.BearerTokenFromHeader
# which is also case-sensitive on the "Bearer " prefix. Documenting
# the behavior so a future refactor is a conscious choice.
assert transcript_authorized("tok-123", "bearer tok-123") is False
def test_extra_whitespace_in_header_fails():
# Strict equality — accidental double space between Bearer and token
# must fail so an adversary can't test fuzzed variations.
assert transcript_authorized("tok-123", "Bearer tok-123") is False
Reference in New Issue View Git Blame Copy Permalink