forked from HomeLab/unraid-mcp
2b777be927
Security: - Remove /mnt/ from _ALLOWED_LOG_PREFIXES to prevent Unraid share exposure - Add early .. detection for disk/logs and live/log_tail path validation - Add /boot/ prefix restriction for flash_backup source_path - Use hmac.compare_digest for timing-safe API key verification in server.py - Gate include_traceback on DEBUG log level (no tracebacks in production) Correctness: - Re-raise CredentialsNotConfiguredError in health check instead of swallowing - Fix ups_device query (remove non-existent nominalPower/currentPower fields) Best practices (BP-01, BP-05, BP-06): - Add # noqa: ASYNC109 to timeout params in _handle_live and unraid() - Fix start_array* → start_array in docstring (not in ARRAY_DESTRUCTIVE) - Remove from __future__ import annotations from snapshot.py - Replace import-time UNRAID_API_KEY/URL bindings with _settings.ATTR pattern in manager.py, snapshot.py, utils.py, diagnostics.py — fixes stale binding after apply_runtime_config() post-elicitation (BP-05) CI/CD: - Add .github/workflows/ci.yml (5-job pipeline: lint, typecheck, test, version-sync, audit) - Add fail_under = 80 to [tool.coverage.report] - Add version sync check to scripts/validate-marketplace.sh Documentation: - Sync plugin.json version 1.1.1 → 1.1.2 with pyproject.toml - Update CLAUDE.md: 3 tools, system domain count 18, scripts comment fix - Update README.md: 3 tools, security notes - Update docs/AUTHENTICATION.md: H1 title fix - Add UNRAID_CREDENTIALS_DIR to .env.example Bump: 1.1.1 → 1.1.2 Co-Authored-By: Claude <noreply@anthropic.com>
156 lines
5.4 KiB
Python
156 lines
5.4 KiB
Python
"""Tests for ApiKeyVerifier and _build_auth() in server.py."""
|
|
|
|
import importlib
|
|
from unittest.mock import MagicMock, patch
|
|
|
|
import pytest
|
|
|
|
import unraid_mcp.server as srv
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# ApiKeyVerifier unit tests
|
|
# ---------------------------------------------------------------------------
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_api_key_verifier_accepts_correct_key():
|
|
"""Returns AccessToken when the presented token matches the configured key."""
|
|
verifier = srv.ApiKeyVerifier("secret-key-abc123")
|
|
result = await verifier.verify_token("secret-key-abc123")
|
|
|
|
assert result is not None
|
|
assert result.client_id == "api-key-client"
|
|
assert result.token == "secret-key-abc123"
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_api_key_verifier_rejects_wrong_key():
|
|
"""Returns None when the token does not match."""
|
|
verifier = srv.ApiKeyVerifier("secret-key-abc123")
|
|
result = await verifier.verify_token("wrong-key")
|
|
|
|
assert result is None
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_api_key_verifier_rejects_empty_token():
|
|
"""Returns None for an empty string token."""
|
|
verifier = srv.ApiKeyVerifier("secret-key-abc123")
|
|
result = await verifier.verify_token("")
|
|
|
|
assert result is None
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_api_key_verifier_empty_key_rejects_empty_token():
|
|
"""When initialised with empty key, even an empty token is rejected.
|
|
|
|
An empty UNRAID_MCP_API_KEY means auth is disabled — ApiKeyVerifier
|
|
should not be instantiated in that case. But if it is, it must not
|
|
grant access via an empty bearer token.
|
|
"""
|
|
verifier = srv.ApiKeyVerifier("")
|
|
result = await verifier.verify_token("")
|
|
|
|
assert result is None
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# _build_auth() integration tests
|
|
# ---------------------------------------------------------------------------
|
|
|
|
|
|
def test_build_auth_returns_none_when_nothing_configured(monkeypatch):
|
|
"""Returns None when neither Google OAuth nor API key is set."""
|
|
monkeypatch.setenv("GOOGLE_CLIENT_ID", "")
|
|
monkeypatch.setenv("GOOGLE_CLIENT_SECRET", "")
|
|
monkeypatch.setenv("UNRAID_MCP_BASE_URL", "")
|
|
monkeypatch.setenv("UNRAID_MCP_API_KEY", "")
|
|
|
|
import unraid_mcp.config.settings as s
|
|
|
|
importlib.reload(s)
|
|
|
|
result = srv._build_auth()
|
|
assert result is None
|
|
|
|
|
|
def test_build_auth_returns_api_key_verifier_when_only_api_key_set(monkeypatch):
|
|
"""Returns ApiKeyVerifier when UNRAID_MCP_API_KEY is set but Google OAuth is not."""
|
|
monkeypatch.setenv("GOOGLE_CLIENT_ID", "")
|
|
monkeypatch.setenv("GOOGLE_CLIENT_SECRET", "")
|
|
monkeypatch.setenv("UNRAID_MCP_BASE_URL", "")
|
|
monkeypatch.setenv("UNRAID_MCP_API_KEY", "my-secret-api-key")
|
|
|
|
import unraid_mcp.config.settings as s
|
|
|
|
importlib.reload(s)
|
|
|
|
result = srv._build_auth()
|
|
assert isinstance(result, srv.ApiKeyVerifier)
|
|
|
|
|
|
def test_build_auth_returns_google_provider_when_only_oauth_set(monkeypatch):
|
|
"""Returns GoogleProvider when Google OAuth vars are set but no API key."""
|
|
monkeypatch.setenv("GOOGLE_CLIENT_ID", "test-id.apps.googleusercontent.com")
|
|
monkeypatch.setenv("GOOGLE_CLIENT_SECRET", "GOCSPX-test-secret")
|
|
monkeypatch.setenv("UNRAID_MCP_BASE_URL", "http://10.1.0.2:6970")
|
|
monkeypatch.setenv("UNRAID_MCP_API_KEY", "")
|
|
monkeypatch.setenv("UNRAID_MCP_JWT_SIGNING_KEY", "x" * 32)
|
|
|
|
import unraid_mcp.config.settings as s
|
|
|
|
importlib.reload(s)
|
|
|
|
mock_provider = MagicMock()
|
|
with patch("unraid_mcp.server.GoogleProvider", return_value=mock_provider):
|
|
result = srv._build_auth()
|
|
|
|
assert result is mock_provider
|
|
|
|
|
|
def test_build_auth_returns_multi_auth_when_both_configured(monkeypatch):
|
|
"""Returns MultiAuth when both Google OAuth and UNRAID_MCP_API_KEY are set."""
|
|
from fastmcp.server.auth import MultiAuth
|
|
|
|
monkeypatch.setenv("GOOGLE_CLIENT_ID", "test-id.apps.googleusercontent.com")
|
|
monkeypatch.setenv("GOOGLE_CLIENT_SECRET", "GOCSPX-test-secret")
|
|
monkeypatch.setenv("UNRAID_MCP_BASE_URL", "http://10.1.0.2:6970")
|
|
monkeypatch.setenv("UNRAID_MCP_API_KEY", "my-secret-api-key")
|
|
monkeypatch.setenv("UNRAID_MCP_JWT_SIGNING_KEY", "x" * 32)
|
|
|
|
import unraid_mcp.config.settings as s
|
|
|
|
importlib.reload(s)
|
|
|
|
mock_provider = MagicMock()
|
|
with patch("unraid_mcp.server.GoogleProvider", return_value=mock_provider):
|
|
result = srv._build_auth()
|
|
|
|
assert isinstance(result, MultiAuth)
|
|
# Server is the Google provider
|
|
assert result.server is mock_provider
|
|
# One additional verifier — the ApiKeyVerifier
|
|
assert len(result.verifiers) == 1
|
|
assert isinstance(result.verifiers[0], srv.ApiKeyVerifier)
|
|
|
|
|
|
def test_build_auth_multi_auth_api_key_verifier_uses_correct_key(monkeypatch):
|
|
"""The ApiKeyVerifier inside MultiAuth is seeded with the configured key."""
|
|
monkeypatch.setenv("GOOGLE_CLIENT_ID", "test-id.apps.googleusercontent.com")
|
|
monkeypatch.setenv("GOOGLE_CLIENT_SECRET", "GOCSPX-test-secret")
|
|
monkeypatch.setenv("UNRAID_MCP_BASE_URL", "http://10.1.0.2:6970")
|
|
monkeypatch.setenv("UNRAID_MCP_API_KEY", "super-secret-token")
|
|
monkeypatch.setenv("UNRAID_MCP_JWT_SIGNING_KEY", "x" * 32)
|
|
|
|
import unraid_mcp.config.settings as s
|
|
|
|
importlib.reload(s)
|
|
|
|
with patch("unraid_mcp.server.GoogleProvider", return_value=MagicMock()):
|
|
result = srv._build_auth()
|
|
|
|
verifier = result.verifiers[0]
|
|
assert verifier._api_key == "super-secret-token"
|