recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4eae6eb20867cfca55899ffedc1afa8b25ffae9b
cc-ci/tests/bluesky-pds/functional/test_session_auth.py
autonomic-bot 6115d2eccf feat(2): Q4.3 — bluesky-pds Phase-2 enrollment + 3 tests cold green 
- tests/bluesky-pds/recipe_meta.py: HEALTH_PATH=/xrpc/_health, 600s timeouts.
- tests/bluesky-pds/install_steps.sh: recipe needs pds_plc_rotation_key (32-byte secp256k1
  hex, marked generate=false). Hook generates via cc-ci-run python (secrets.token_bytes(32);
  random 32-byte value is almost-always a valid secp256k1 private key, ~2^-128 fail rate).
  Inserted via 'abra app secret insert' under TTY-wrap. Per-run class-B; destroyed at teardown.
- tests/bluesky-pds/PARITY.md: no health_check.py in the recipe-maintainer corpus -> Phase-2
  health_check aligned with parity convention. goat_account.py parity deferred (needs goat CLI
  in container; operational complexity).
- 3 functional tests:
  - test_health_check.py: GET /xrpc/_health -> 200, {version: ...}.
  - test_describe_server.py: GET /xrpc/com.atproto.server.describeServer -> 200, JSON with
    atproto config keys (availableUserDomains/inviteCodeRequired/links/did).
  - test_session_auth.py: GET /xrpc/com.atproto.server.getSession (no auth) -> 401 + JSON
    XRPC error envelope. (Replaced test_well_known_did — /.well-known/atproto-did isn't
    auto-published by the recipe.)

Cold-verifiable: ssh cc-ci 'RECIPE=bluesky-pds STAGES=install,custom cc-ci-run runner/run_recipe_ci.py'
  install + 3 custom tests all PASS, deploy-count=1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 16:05:51 +01:00

36 lines
1.5 KiB
Python
Raw Blame History

"""bluesky-pds — recipe-specific functional test (Phase 2 P3).
GETs the atproto session endpoint `/xrpc/com.atproto.server.getSession` WITHOUT an auth header.
Asserts the PDS responds with 401 Unauthorized — proves the auth subsystem is wired correctly:
- 200 = anonymous access leaked (would be a security bug).
- 401 = correctly enforced.
- 404 = route missing (PDS misconfigured).
- 5xx = backend broken.
Distinguishes "the atproto XRPC server is alive AND its auth contract is enforced" from generic
HTTP 200 health. Non-vacuous: each non-401 status indicates a different class of defect.
"""
from __future__ import annotations
import os
import sys
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
from harness import http as harness_http # noqa: E402
def test_get_session_requires_auth(live_app):
"""GET /xrpc/com.atproto.server.getSession (no token) → 401."""
url = f"https://{live_app}/xrpc/com.atproto.server.getSession"
status, body = harness_http.retry_http_get(url, expect_status=401, max_wait=60, interval=3)
assert status == 401, (
f"GET {url} returned {status}, expected 401 (auth required). "
f"200 = anonymous leak; 404 = route missing; 5xx = backend broken. "
f"body: {body!r}"
)
# The XRPC error envelope is JSON with an `error` field per the atproto spec.
assert isinstance(body, dict) and body.get("error"), (
f"expected XRPC JSON error envelope; got: {body!r}"
)
Reference in New Issue View Git Blame Copy Permalink