| 158 | |
| 159 | |
| 160 | class ConfigServiceSecurityTests(SettingsOverrideMixin, unittest.TestCase): |
| 161 | def test_admin_password_update_rotates_jwt_secret(self): |
| 162 | old_secret = "j" * 48 |
| 163 | settings.user_config = { |
| 164 | **copy.deepcopy(DEFAULT_CONFIG), |
| 165 | "admin_token": hash_password("old-admin-password"), |
| 166 | "jwt_secret": old_secret, |
| 167 | } |
| 168 | original_key_value = admin_services.KeyValue |
| 169 | original_refresh_settings = admin_services.refresh_settings |
| 170 | admin_services.KeyValue = FakeKeyValue |
| 171 | admin_services.refresh_settings = fake_refresh_settings |
| 172 | FakeKeyValue.saved_value = None |
| 173 | try: |
| 174 | asyncio.run(ConfigService().update_config({"admin_token": "new-admin-password"})) |
| 175 | finally: |
| 176 | admin_services.KeyValue = original_key_value |
| 177 | admin_services.refresh_settings = original_refresh_settings |
| 178 | |
| 179 | self.assertIsNotNone(FakeKeyValue.saved_value) |
| 180 | self.assertTrue(verify_password("new-admin-password", FakeKeyValue.saved_value["admin_token"])) |
| 181 | self.assertNotEqual(FakeKeyValue.saved_value["jwt_secret"], old_secret) |
| 182 | self.assertGreaterEqual(len(FakeKeyValue.saved_value["jwt_secret"]), 32) |
| 183 | |
| 184 | def test_initialize_system_sets_admin_password_and_jwt_secret(self): |
| 185 | original_key_value = core_config.KeyValue |
| 186 | original_refresh_settings = core_config.refresh_settings |
| 187 | FakeConfigKeyValue.record = FakeConfigRecord( |
| 188 | { |
| 189 | **copy.deepcopy(DEFAULT_CONFIG), |
| 190 | "admin_token": "", |
| 191 | "jwt_secret": "", |
| 192 | } |
| 193 | ) |
| 194 | FakeConfigKeyValue.saved_value = None |
| 195 | core_config.KeyValue = FakeConfigKeyValue |
| 196 | core_config.refresh_settings = fake_refresh_settings |
| 197 | try: |
| 198 | asyncio.run( |
| 199 | core_config.initialize_system( |
| 200 | admin_password="new-admin-password", |
| 201 | site_name="我的文件快递柜", |
| 202 | setup_options={ |
| 203 | "uploadSize": 50 * 1024 * 1024, |
| 204 | "errorCount": 6, |
| 205 | "expireStyle": ["day", "count"], |
| 206 | }, |
| 207 | ) |
| 208 | ) |
| 209 | finally: |
| 210 | core_config.KeyValue = original_key_value |
| 211 | core_config.refresh_settings = original_refresh_settings |
| 212 | |
| 213 | self.assertIsNotNone(FakeConfigKeyValue.saved_value) |
| 214 | self.assertTrue( |
| 215 | verify_password("new-admin-password", FakeConfigKeyValue.saved_value["admin_token"]) |
| 216 | ) |
| 217 | self.assertGreaterEqual(len(FakeConfigKeyValue.saved_value["jwt_secret"]), 32) |
nothing calls this directly
no outgoing calls
no test coverage detected