feat: add no-auth IAM regime as a drop-in replacement for iam-svc (#933)

Adds `no-auth-svc`, a lightweight IAM service that permits all access unconditionally — no database, no bootstrap, no signing keys. Deploy it in place of `iam-svc` for development, demos, and single-user setups where authentication overhead is unwanted. The gateway no longer hard-codes a 401 on missing credentials. Instead it asks the IAM regime via a new `authenticate-anonymous` operation whether token-free access is allowed. This keeps the gateway regime-agnostic: `iam-svc` rejects anonymous auth (preserving existing security), while `no-auth-svc` grants it with a configurable default user and workspace. Includes a tech spec (docs/tech-specs/no-auth-regime.md) and tests that pin the safety boundary — malformed tokens never fall through to the anonymous path, and a contract test ensures the full iam-svc always rejects `authenticate-anonymous`.
2026-05-20 04:45:12 +02:00 · 2026-05-18 14:10:05 +01:00 · 2026-05-18 14:10:05 +01:00 · da7d10e995
commit da7d10e995
parent ab83c81d8a
16 changed files with 876 additions and 32 deletions
--- a/tests/unit/test_iam/test_noauth_handler.py
+++ b/tests/unit/test_iam/test_noauth_handler.py
@ -0,0 +1,138 @@
+"""
+Tests for the no-auth IAM handler.
+
+Verifies that NoAuthHandler returns the expected permissive responses
+and that the always-allow authorise path returns the correct shape.
+"""
+
+import json
+from unittest.mock import Mock
+
+import pytest
+
+from trustgraph.iam.noauth.handler import NoAuthHandler
+
+
+def _make_request(**kwargs):
+    req = Mock()
+    for k, v in kwargs.items():
+        setattr(req, k, v)
+    return req
+
+
+class TestAuthenticateAnonymous:
+
+    @pytest.mark.asyncio
+    async def test_returns_default_identity(self):
+        h = NoAuthHandler(
+            default_user_id="anon", default_workspace="ws",
+        )
+        resp = await h.handle(
+            _make_request(operation="authenticate-anonymous")
+        )
+        assert resp.error is None
+        assert resp.resolved_user_id == "anon"
+        assert resp.resolved_workspace == "ws"
+        assert "admin" in list(resp.resolved_roles)
+
+    @pytest.mark.asyncio
+    async def test_custom_defaults_propagate(self):
+        h = NoAuthHandler(
+            default_user_id="dev-user", default_workspace="dev-ws",
+        )
+        resp = await h.handle(
+            _make_request(operation="authenticate-anonymous")
+        )
+        assert resp.resolved_user_id == "dev-user"
+        assert resp.resolved_workspace == "dev-ws"
+
+
+class TestResolveApiKey:
+
+    @pytest.mark.asyncio
+    async def test_any_key_resolves_to_default_identity(self):
+        h = NoAuthHandler()
+        resp = await h.handle(
+            _make_request(operation="resolve-api-key", api_key="tg_bogus")
+        )
+        assert resp.error is None
+        assert resp.resolved_user_id == "anonymous"
+        assert resp.resolved_workspace == "default"
+
+
+class TestAuthorise:
+
+    @pytest.mark.asyncio
+    async def test_always_allows(self):
+        h = NoAuthHandler()
+        resp = await h.handle(
+            _make_request(
+                operation="authorise",
+                user_id="anyone",
+                capability="anything",
+                resource_json="{}",
+                parameters_json="{}",
+            )
+        )
+        assert resp.error is None
+        assert resp.decision_allow is True
+        assert resp.decision_ttl_seconds > 0
+
+    @pytest.mark.asyncio
+    async def test_authorise_many_returns_matching_count(self):
+        h = NoAuthHandler()
+        checks = [
+            {"capability": "a", "resource": {}, "parameters": {}},
+            {"capability": "b", "resource": {}, "parameters": {}},
+            {"capability": "c", "resource": {}, "parameters": {}},
+        ]
+        resp = await h.handle(
+            _make_request(
+                operation="authorise-many",
+                user_id="u",
+                authorise_checks=json.dumps(checks),
+            )
+        )
+        assert resp.error is None
+        decisions = json.loads(resp.decisions_json)
+        assert len(decisions) == 3
+        assert all(d["allow"] is True for d in decisions)
+
+
+class TestCreateWorkspaceCallback:
+
+    @pytest.mark.asyncio
+    async def test_create_workspace_calls_callback(self):
+        called_with = []
+
+        async def on_created(ws_id):
+            called_with.append(ws_id)
+
+        h = NoAuthHandler(on_workspace_created=on_created)
+        req = _make_request(operation="create-workspace")
+        req.workspace_record = Mock()
+        req.workspace_record.id = "test-ws"
+        resp = await h.handle(req)
+        assert resp.error is None
+        assert called_with == ["test-ws"]
+
+    @pytest.mark.asyncio
+    async def test_create_workspace_without_callback_still_succeeds(self):
+        h = NoAuthHandler()
+        req = _make_request(operation="create-workspace")
+        req.workspace_record = Mock()
+        req.workspace_record.id = "test-ws"
+        resp = await h.handle(req)
+        assert resp.error is None
+
+
+class TestUnknownOperation:
+
+    @pytest.mark.asyncio
+    async def test_unknown_op_returns_error(self):
+        h = NoAuthHandler()
+        resp = await h.handle(
+            _make_request(operation="not-a-real-op")
+        )
+        assert resp.error is not None
+        assert resp.error.type == "invalid-argument"