Home Explore Help
Sign In
yunoadmin
/
bambuddy
mirror of https://github.com/maziggy/bambuddy
1
0
Fork 0
Files Issues 0 Wiki
Tree: 1e734fb7c6
Branches Tags
bambuddy
/
backend
/
tests
/
unit
/
test_oidc_icon_validation.py

test_oidc_icon_validation.py 4.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114 
  1. """Unit tests for the icon_url Pydantic validator (#1333).
    2. 

  2. 

  3. Mirrors the issuer_url validator pattern: HTTPS-only + private/loopback/
    4. 

  4. link-local IP literals rejected. Hostname-based URLs are accepted without
    5. 

  5. DNS resolution (deliberate, see _validate_issuer_url).
    6. 

  6. """
    7. 

  7. 

  8. import pytest
    9. 

  9. 

  10. from backend.app.schemas.auth import OIDCProviderCreate
    11. 

  11. 

  12. 

  13. def _make_payload(icon_url: str | None) -> dict:
    14. 

  14.     """Minimal valid OIDCProviderCreate payload with the given icon_url."""
    15. 

  15.     return {
    16. 

  16.         "name": "Test",
    17. 

  17.         "issuer_url": "https://idp.example.com",
    18. 

  18.         "client_id": "client",
    19. 

  19.         "client_secret": "secret",
    20. 

  20.         "icon_url": icon_url,
    21. 

  21.     }
    22. 

  22. 

  23. 

  24. def test_icon_url_none_accepted():
    25. 

  25.     OIDCProviderCreate(**_make_payload(None))
    26. 

  26. 

  27. 

  28. def test_icon_url_valid_https_accepted():
    29. 

  29.     OIDCProviderCreate(**_make_payload("https://example.com/icon.png"))
    30. 

  30. 

  31. 

  32. def test_icon_url_http_rejected():
    33. 

  33.     with pytest.raises(ValueError, match="icon_url must start with https"):
    34. 

  34.         OIDCProviderCreate(**_make_payload("http://example.com/icon.png"))
    35. 

  35. 

  36. 

  37. def test_icon_url_empty_string_rejected():
    38. 

  38.     # Pydantic doesn't coerce "" to None — the validator runs on the raw value.
    39. 

  39.     with pytest.raises(ValueError, match="icon_url must start with https"):
    40. 

  40.         OIDCProviderCreate(**_make_payload(""))
    41. 

  41. 

  42. 

  43. @pytest.mark.parametrize(
    44. 

  44.     "url",
    45. 

  45.     [
    46. 

  46.         "https://192.168.1.1/icon.png",
    47. 

  47.         "https://10.0.0.5/icon.png",
    48. 

  48.         "https://172.16.0.1/icon.png",
    49. 

  49.     ],
    50. 

  50. )
    51. 

  51. def test_icon_url_private_ip_rejected(url):
    52. 

  52.     with pytest.raises(ValueError, match="private"):
    53. 

  53.         OIDCProviderCreate(**_make_payload(url))
    54. 

  54. 

  55. 

  56. def test_icon_url_loopback_ip_rejected():
    57. 

  57.     with pytest.raises(ValueError, match="loopback"):
    58. 

  58.         OIDCProviderCreate(**_make_payload("https://127.0.0.1/icon.png"))
    59. 

  59. 

  60. 

  61. def test_icon_url_link_local_or_cloud_metadata_rejected():
    62. 

  62.     # 169.254.169.254 is BOTH link-local AND a cloud-metadata IP — the guard
    63. 

  63.     # checks cloud-metadata first (per intentional ordering), so either
    64. 

  64.     # rejection message is correct. Mirrors the same pattern in
    65. 

  65.     # test_oidc_icon_helpers.test_rejects_link_local.
    66. 

  66.     with pytest.raises(ValueError, match="cloud metadata|link-local"):
    67. 

  67.         OIDCProviderCreate(**_make_payload("https://169.254.169.254/icon.png"))
    68. 

  68. 

  69. 

  70. def test_icon_url_hostname_accepted_no_dns():
    71. 

  71.     # "localhost" is a hostname, not a bare IP — DNS resolution is deliberately
    72. 

  72.     # not performed here (matches _validate_issuer_url policy). The runtime
    73. 

  73.     # SSRF guard (assert_safe_public_https_url) handles the bare-IP cases
    74. 

  74.     # again; hostnames are caught only by the IDP-itself-misconfigured path.
    75. 

  75.     OIDCProviderCreate(**_make_payload("https://idp.internal.corp/icon.png"))
    76. 

  76. 

  77. 

  78. # ─── I1: schema now delegates to runtime SSRF guard ──────────────────────
    79. 

  79. # Verifies that the wider allowlist (numeric IPs, cloud-meta, multicast,
    80. 

  80. # IPv4-mapped IPv6) is enforced at Pydantic-parse-time too, not just at
    81. 

  81. # fetch time.
    82. 

  82. 

  83. 

  84. @pytest.mark.parametrize(
    85. 

  85.     "url",
    86. 

  86.     [
    87. 

  87.         "https://2130706433/icon.png",  # decimal-encoded 127.0.0.1
    88. 

  88.         "https://0x7f000001/icon.png",  # hex-encoded 127.0.0.1
    89. 

  89.     ],
    90. 

  90. )
    91. 

  91. def test_icon_url_numeric_encoded_ip_rejected(url):
    92. 

  92.     with pytest.raises(ValueError, match="numeric-encoded"):
    93. 

  93.         OIDCProviderCreate(**_make_payload(url))
    94. 

  94. 

  95. 

  96. def test_icon_url_cloud_metadata_alibaba_rejected():
    97. 

  97.     with pytest.raises(ValueError, match="cloud metadata"):
    98. 

  98.         OIDCProviderCreate(**_make_payload("https://100.100.100.200/icon.png"))
    99. 

  99. 

  100. 

  101. def test_icon_url_unspecified_rejected():
    102. 

  102.     with pytest.raises(ValueError, match="unspecified"):
    103. 

  103.         OIDCProviderCreate(**_make_payload("https://0.0.0.0/icon.png"))
    104. 

  104. 

  105. 

  106. def test_icon_url_multicast_rejected():
    107. 

  107.     with pytest.raises(ValueError, match="multicast"):
    108. 

  108.         OIDCProviderCreate(**_make_payload("https://224.0.0.1/icon.png"))
    109. 

  109. 

  110. 

  111. def test_icon_url_ipv4_mapped_ipv6_private_rejected():
    112. 

  112.     # ::ffff:192.168.1.1 unwraps to 192.168.1.1 → private
    113. 

  113.     with pytest.raises(ValueError, match="private"):
    114. 

  114.         OIDCProviderCreate(**_make_payload("https://[::ffff:192.168.1.1]/icon.png"))
    115.