trustgraph/tests/unit/test_gateway/test_capabilities.py

"""
Tests for gateway/capabilities.py — the capability + role + workspace
model that underpins all gateway authorisation.
"""

import pytest
from aiohttp import web

from trustgraph.gateway.capabilities import (
    PUBLIC, AUTHENTICATED,
    KNOWN_CAPABILITIES, ROLE_DEFINITIONS,
    check, enforce_workspace, access_denied, auth_failure,
)


# -- test fixtures ---------------------------------------------------------


class _Identity:
    """Minimal stand-in for auth.Identity — the capability module
    accesses ``.workspace`` and ``.roles``."""
    def __init__(self, workspace, roles):
        self.user_id = "user-1"
        self.workspace = workspace
        self.roles = list(roles)


def reader_in(ws):
    return _Identity(ws, ["reader"])


def writer_in(ws):
    return _Identity(ws, ["writer"])


def admin_in(ws):
    return _Identity(ws, ["admin"])


# -- role table sanity -----------------------------------------------------


class TestRoleTable:

    def test_oss_roles_present(self):
        assert set(ROLE_DEFINITIONS.keys()) == {"reader", "writer", "admin"}

    def test_admin_is_cross_workspace(self):
        assert ROLE_DEFINITIONS["admin"]["workspace_scope"] == "*"

    def test_reader_writer_are_assigned_scope(self):
        assert ROLE_DEFINITIONS["reader"]["workspace_scope"] == "assigned"
        assert ROLE_DEFINITIONS["writer"]["workspace_scope"] == "assigned"

    def test_admin_superset_of_writer(self):
        admin = ROLE_DEFINITIONS["admin"]["capabilities"]
        writer = ROLE_DEFINITIONS["writer"]["capabilities"]
        assert writer.issubset(admin)

    def test_writer_superset_of_reader(self):
        writer = ROLE_DEFINITIONS["writer"]["capabilities"]
        reader = ROLE_DEFINITIONS["reader"]["capabilities"]
        assert reader.issubset(writer)

    def test_admin_has_users_admin(self):
        assert "users:admin" in ROLE_DEFINITIONS["admin"]["capabilities"]

    def test_writer_does_not_have_users_admin(self):
        assert "users:admin" not in ROLE_DEFINITIONS["writer"]["capabilities"]

    def test_every_bundled_capability_is_known(self):
        for role in ROLE_DEFINITIONS.values():
            for cap in role["capabilities"]:
                assert cap in KNOWN_CAPABILITIES


# -- check() ---------------------------------------------------------------


class TestCheck:

    def test_reader_has_reader_cap_in_own_workspace(self):
        assert check(reader_in("default"), "graph:read", "default")

    def test_reader_does_not_have_writer_cap(self):
        assert not check(reader_in("default"), "graph:write", "default")

    def test_reader_cannot_act_in_other_workspace(self):
        assert not check(reader_in("default"), "graph:read", "acme")

    def test_writer_has_write_in_own_workspace(self):
        assert check(writer_in("default"), "graph:write", "default")

    def test_writer_cannot_act_in_other_workspace(self):
        assert not check(writer_in("default"), "graph:write", "acme")

    def test_admin_has_everything_everywhere(self):
        for cap in ("graph:read", "graph:write", "config:write",
                    "users:admin", "metrics:read"):
            assert check(admin_in("default"), cap, "acme"), (
                f"admin should have {cap} in acme"
            )

    def test_admin_has_caps_without_explicit_workspace(self):
        assert check(admin_in("default"), "users:admin")

    def test_default_target_is_identity_workspace(self):
        # Reader with no target workspace → should check against own
        assert check(reader_in("default"), "graph:read")

    def test_unknown_capability_returns_false(self):
        assert not check(admin_in("default"), "nonsense:cap", "default")

    def test_unknown_role_contributes_nothing(self):
        ident = _Identity("default", ["made-up-role"])
        assert not check(ident, "graph:read", "default")

    def test_multi_role_union(self):
        # If a user is both reader and admin, they inherit admin's
        # cross-workspace powers.
        ident = _Identity("default", ["reader", "admin"])
        assert check(ident, "users:admin", "acme")


# -- enforce_workspace() ---------------------------------------------------


class TestEnforceWorkspace:

    def test_reader_in_own_workspace_allowed(self):
        data = {"workspace": "default", "operation": "x"}
        enforce_workspace(data, reader_in("default"))
        assert data["workspace"] == "default"

    def test_reader_no_workspace_injects_assigned(self):
        data = {"operation": "x"}
        enforce_workspace(data, reader_in("default"))
        assert data["workspace"] == "default"

    def test_reader_mismatched_workspace_denied(self):
        data = {"workspace": "acme", "operation": "x"}
        with pytest.raises(web.HTTPForbidden):
            enforce_workspace(data, reader_in("default"))

    def test_admin_can_target_any_workspace(self):
        data = {"workspace": "acme", "operation": "x"}
        enforce_workspace(data, admin_in("default"))
        assert data["workspace"] == "acme"

    def test_admin_no_workspace_defaults_to_assigned(self):
        data = {"operation": "x"}
        enforce_workspace(data, admin_in("default"))
        assert data["workspace"] == "default"

    def test_writer_same_workspace_specified_allowed(self):
        data = {"workspace": "default"}
        enforce_workspace(data, writer_in("default"))
        assert data["workspace"] == "default"

    def test_non_dict_passthrough(self):
        # Non-dict bodies are returned unchanged (e.g. streaming).
        result = enforce_workspace("not-a-dict", reader_in("default"))
        assert result == "not-a-dict"

    def test_with_capability_tightens_check(self):
        # Reader lacks graph:write; workspace-only check would pass
        # (scope is fine), but combined check must reject.
        data = {"workspace": "default"}
        with pytest.raises(web.HTTPForbidden):
            enforce_workspace(
                data, reader_in("default"), capability="graph:write",
            )

    def test_with_capability_passes_when_granted(self):
        data = {"workspace": "default"}
        enforce_workspace(
            data, reader_in("default"), capability="graph:read",
        )
        assert data["workspace"] == "default"


# -- helpers ---------------------------------------------------------------


class TestResponseHelpers:

    def test_auth_failure_is_401(self):
        exc = auth_failure()
        assert exc.status == 401
        assert "auth failure" in exc.text

    def test_access_denied_is_403(self):
        exc = access_denied()
        assert exc.status == 403
        assert "access denied" in exc.text


class TestSentinels:

    def test_public_and_authenticated_are_distinct(self):
        assert PUBLIC != AUTHENTICATED
        assert PUBLIC not in KNOWN_CAPABILITIES
        assert AUTHENTICATED not in KNOWN_CAPABILITIES
feat: IAM service, gateway auth middleware, capability model, and CLIs (#849) Replaces the legacy GATEWAY_SECRET shared-token gate with an IAM-backed identity and authorisation model. The gateway no longer has an "allow-all" or "no auth" mode; every request is authenticated via the IAM service, authorised against a capability model that encodes both the operation and the workspace it targets, and rejected with a deliberately-uninformative 401 / 403 on any failure. IAM service (trustgraph-flow/trustgraph/iam, trustgraph-base/schema/iam) ----------------------------------------------------------------------- * New backend service (iam-svc) owning users, workspaces, API keys, passwords and JWT signing keys in Cassandra. Reached over the standard pub/sub request/response pattern; gateway is the only caller. * Operations: bootstrap, resolve-api-key, login, get-signing-key-public, rotate-signing-key, create/list/get/update/disable/delete/enable-user, change-password, reset-password, create/list/get/update/disable- workspace, create/list/revoke-api-key. * Ed25519 JWT signing (alg=EdDSA). Key rotation writes a new kid and retires the previous one; validation is grace-period friendly. * Passwords: PBKDF2-HMAC-SHA-256, 600k iterations, per-user salt. * API keys: 128-bit random, SHA-256 hashed. Plaintext returned once. * Bootstrap is explicit: --bootstrap-mode {token,bootstrap} is a required startup argument with no permissive default. Masked "auth failure" errors hide whether a refused bootstrap request was due to mode, state, or authorisation. Gateway authentication (trustgraph-flow/trustgraph/gateway/auth.py) ------------------------------------------------------------------- * IamAuth replaces the legacy Authenticator. Distinguishes JWTs (three-segment dotted) from API keys by shape; verifies JWTs locally using the cached IAM public key; resolves API keys via IAM with a short-TTL hash-keyed cache. Every failure path surfaces the same 401 body ("auth failure") so callers cannot enumerate credential state. * Public key is fetched at gateway startup with a bounded retry loop; traffic does not begin flowing until auth has started. Capability model (trustgraph-flow/trustgraph/gateway/capabilities.py) --------------------------------------------------------------------- * Roles have two dimensions: a capability set and a workspace scope. OSS ships reader / writer / admin; the first two are workspace- assigned, admin is cross-workspace (""). No "cross-workspace" pseudo-capability — workspace permission is a property of the role. check(identity, capability, target_workspace=None) is the single authorisation test: some role must grant the capability and be active in the target workspace. * enforce_workspace validates a request-body workspace against the caller's role scopes and injects the resolved value. Cross- workspace admin is permitted by role scope, not by a bypass. * Gateway endpoints declare a required capability explicitly — no permissive default. Construction fails fast if omitted. Enterprise editions can replace the role table without changing the wire protocol. WebSocket first-frame auth (dispatch/mux.py, endpoint/socket.py) ---------------------------------------------------------------- * /api/v1/socket handshake unconditionally accepts; authentication runs on the first WebSocket frame ({"type":"auth","token":"..."}) with {"type":"auth-ok","workspace":"..."} / {"type":"auth-failed"}. The socket stays open on failure so the client can re-authenticate — browsers treat a handshake-time 401 as terminal, breaking reconnection. * Mux.receive rejects every non-auth frame before auth succeeds, enforces the caller's workspace (envelope + inner payload) using the role-scope resolver, and supports mid-session re-auth. * Flow import/export streaming endpoints keep the legacy ?token= handshake (URL-scoped short-lived transfers; no re-auth need). Auth surface ------------ * POST /api/v1/auth/login — public, returns a JWT. * POST /api/v1/auth/bootstrap — public; forwards to IAM's bootstrap op which itself enforces mode + tables-empty. * POST /api/v1/auth/change-password — any authenticated user. * POST /api/v1/iam — admin-only generic forwarder for the rest of the IAM API (per-op REST endpoints to follow in a later change). Removed / breaking ------------------ * GATEWAY_SECRET / --api-token / default_api_token and the legacy Authenticator.permitted contract. The gateway cannot run without IAM. * ?token= on /api/v1/socket. * DispatcherManager and Mux both raise on auth=None — no silent downgrade path. CLI tools (trustgraph-cli) -------------------------- tg-bootstrap-iam, tg-login, tg-create-user, tg-list-users, tg-disable-user, tg-enable-user, tg-delete-user, tg-change-password, tg-reset-password, tg-create-api-key, tg-list-api-keys, tg-revoke-api-key, tg-create-workspace, tg-list-workspaces. Passwords read via getpass; tokens / one-time secrets written to stdout with operator context on stderr so shell composition works cleanly. AsyncSocketClient / SocketClient updated to the first-frame auth protocol. Specifications -------------- * docs/tech-specs/iam.md updated with the error policy, workspace resolver extension point, and OSS role-scope model. * docs/tech-specs/iam-protocol.md (new) — transport, dataclasses, operation table, error taxonomy, bootstrap modes. * docs/tech-specs/capabilities.md (new) — capability vocabulary, OSS role bundles, agent-as-composition note, enforcement-boundary policy, enterprise extensibility. Tests ----- * test_auth.py (rewritten) — IamAuth + JWT round-trip with real Ed25519 keypairs + API-key cache behaviour. * test_capabilities.py (new) — role table sanity, check across role x workspace combinations, enforce_workspace paths, unknown-cap / unknown-role fail-closed. * Every endpoint test construction now names its capability explicitly (no permissive defaults relied upon). New tests pin the fail-closed invariants: DispatcherManager / Mux refuse auth=None; i18n path-traversal defense is exercised. * test_socket_graceful_shutdown rewritten against IamAuth. 2026-04-24 17:29:10 +01:00			`"""`
			`Tests for gateway/capabilities.py — the capability + role + workspace`
			`model that underpins all gateway authorisation.`
			`"""`

			`import pytest`
			`from aiohttp import web`

			`from trustgraph.gateway.capabilities import (`
			`PUBLIC, AUTHENTICATED,`
			`KNOWN_CAPABILITIES, ROLE_DEFINITIONS,`
			`check, enforce_workspace, access_denied, auth_failure,`
			`)`


			`# -- test fixtures ---------------------------------------------------------`


			`class _Identity:`
			`"""Minimal stand-in for auth.Identity — the capability module`
			accesses ``.workspace`` and ``.roles``."""
			`def __init__(self, workspace, roles):`
			`self.user_id = "user-1"`
			`self.workspace = workspace`
			`self.roles = list(roles)`


			`def reader_in(ws):`
			`return _Identity(ws, ["reader"])`


			`def writer_in(ws):`
			`return _Identity(ws, ["writer"])`


			`def admin_in(ws):`
			`return _Identity(ws, ["admin"])`


			`# -- role table sanity -----------------------------------------------------`


			`class TestRoleTable:`

			`def test_oss_roles_present(self):`
			`assert set(ROLE_DEFINITIONS.keys()) == {"reader", "writer", "admin"}`

			`def test_admin_is_cross_workspace(self):`
			`assert ROLE_DEFINITIONS["admin"]["workspace_scope"] == "*"`

			`def test_reader_writer_are_assigned_scope(self):`
			`assert ROLE_DEFINITIONS["reader"]["workspace_scope"] == "assigned"`
			`assert ROLE_DEFINITIONS["writer"]["workspace_scope"] == "assigned"`

			`def test_admin_superset_of_writer(self):`
			`admin = ROLE_DEFINITIONS["admin"]["capabilities"]`
			`writer = ROLE_DEFINITIONS["writer"]["capabilities"]`
			`assert writer.issubset(admin)`

			`def test_writer_superset_of_reader(self):`
			`writer = ROLE_DEFINITIONS["writer"]["capabilities"]`
			`reader = ROLE_DEFINITIONS["reader"]["capabilities"]`
			`assert reader.issubset(writer)`

			`def test_admin_has_users_admin(self):`
			`assert "users:admin" in ROLE_DEFINITIONS["admin"]["capabilities"]`

			`def test_writer_does_not_have_users_admin(self):`
			`assert "users:admin" not in ROLE_DEFINITIONS["writer"]["capabilities"]`

			`def test_every_bundled_capability_is_known(self):`
			`for role in ROLE_DEFINITIONS.values():`
			`for cap in role["capabilities"]:`
			`assert cap in KNOWN_CAPABILITIES`


			`# -- check() ---------------------------------------------------------------`


			`class TestCheck:`

			`def test_reader_has_reader_cap_in_own_workspace(self):`
			`assert check(reader_in("default"), "graph:read", "default")`

			`def test_reader_does_not_have_writer_cap(self):`
			`assert not check(reader_in("default"), "graph:write", "default")`

			`def test_reader_cannot_act_in_other_workspace(self):`
			`assert not check(reader_in("default"), "graph:read", "acme")`

			`def test_writer_has_write_in_own_workspace(self):`
			`assert check(writer_in("default"), "graph:write", "default")`

			`def test_writer_cannot_act_in_other_workspace(self):`
			`assert not check(writer_in("default"), "graph:write", "acme")`

			`def test_admin_has_everything_everywhere(self):`
			`for cap in ("graph:read", "graph:write", "config:write",`
			`"users:admin", "metrics:read"):`
			`assert check(admin_in("default"), cap, "acme"), (`
			`f"admin should have {cap} in acme"`
			`)`

			`def test_admin_has_caps_without_explicit_workspace(self):`
			`assert check(admin_in("default"), "users:admin")`

			`def test_default_target_is_identity_workspace(self):`
			`# Reader with no target workspace → should check against own`
			`assert check(reader_in("default"), "graph:read")`

			`def test_unknown_capability_returns_false(self):`
			`assert not check(admin_in("default"), "nonsense:cap", "default")`

			`def test_unknown_role_contributes_nothing(self):`
			`ident = _Identity("default", ["made-up-role"])`
			`assert not check(ident, "graph:read", "default")`

			`def test_multi_role_union(self):`
			`# If a user is both reader and admin, they inherit admin's`
			`# cross-workspace powers.`
			`ident = _Identity("default", ["reader", "admin"])`
			`assert check(ident, "users:admin", "acme")`


			`# -- enforce_workspace() ---------------------------------------------------`


			`class TestEnforceWorkspace:`

			`def test_reader_in_own_workspace_allowed(self):`
			`data = {"workspace": "default", "operation": "x"}`
			`enforce_workspace(data, reader_in("default"))`
			`assert data["workspace"] == "default"`

			`def test_reader_no_workspace_injects_assigned(self):`
			`data = {"operation": "x"}`
			`enforce_workspace(data, reader_in("default"))`
			`assert data["workspace"] == "default"`

			`def test_reader_mismatched_workspace_denied(self):`
			`data = {"workspace": "acme", "operation": "x"}`
			`with pytest.raises(web.HTTPForbidden):`
			`enforce_workspace(data, reader_in("default"))`

			`def test_admin_can_target_any_workspace(self):`
			`data = {"workspace": "acme", "operation": "x"}`
			`enforce_workspace(data, admin_in("default"))`
			`assert data["workspace"] == "acme"`

			`def test_admin_no_workspace_defaults_to_assigned(self):`
			`data = {"operation": "x"}`
			`enforce_workspace(data, admin_in("default"))`
			`assert data["workspace"] == "default"`

			`def test_writer_same_workspace_specified_allowed(self):`
			`data = {"workspace": "default"}`
			`enforce_workspace(data, writer_in("default"))`
			`assert data["workspace"] == "default"`

			`def test_non_dict_passthrough(self):`
			`# Non-dict bodies are returned unchanged (e.g. streaming).`
			`result = enforce_workspace("not-a-dict", reader_in("default"))`
			`assert result == "not-a-dict"`

			`def test_with_capability_tightens_check(self):`
			`# Reader lacks graph:write; workspace-only check would pass`
			`# (scope is fine), but combined check must reject.`
			`data = {"workspace": "default"}`
			`with pytest.raises(web.HTTPForbidden):`
			`enforce_workspace(`
			`data, reader_in("default"), capability="graph:write",`
			`)`

			`def test_with_capability_passes_when_granted(self):`
			`data = {"workspace": "default"}`
			`enforce_workspace(`
			`data, reader_in("default"), capability="graph:read",`
			`)`
			`assert data["workspace"] == "default"`


			`# -- helpers ---------------------------------------------------------------`


			`class TestResponseHelpers:`

			`def test_auth_failure_is_401(self):`
			`exc = auth_failure()`
			`assert exc.status == 401`
			`assert "auth failure" in exc.text`

			`def test_access_denied_is_403(self):`
			`exc = access_denied()`
			`assert exc.status == 403`
			`assert "access denied" in exc.text`


			`class TestSentinels:`

			`def test_public_and_authenticated_are_distinct(self):`
			`assert PUBLIC != AUTHENTICATED`
			`assert PUBLIC not in KNOWN_CAPABILITIES`
			`assert AUTHENTICATED not in KNOWN_CAPABILITIES`