yunoadmin
/
bambuddy
镜像自地址 https://github.com/maziggy/bambuddy


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207
							"""Unit tests for SpoolBuddy schema validation (security fixes H2, M2, M4).

Tests Pydantic model validation without requiring a running server or DB.
"""

import pytest
from pydantic import ValidationError

from backend.app.schemas.spoolbuddy import (
    DeviceRegisterRequest,
    HeartbeatRequest,
    ScaleReadingRequest,
    UpdateStatusRequest,
    WriteTagResultRequest,
)

# ---------------------------------------------------------------------------
# H2 — UpdateStatusRequest: only valid Literal values accepted
# ---------------------------------------------------------------------------


class TestUpdateStatusRequestValidation:
    def test_valid_status_updating(self):
        req = UpdateStatusRequest(status="updating")
        assert req.status == "updating"

    def test_valid_status_complete(self):
        req = UpdateStatusRequest(status="complete")
        assert req.status == "complete"

    def test_valid_status_error(self):
        req = UpdateStatusRequest(status="error")
        assert req.status == "error"

    def test_invalid_status_rejected(self):
        """Arbitrary status strings must be rejected (H2: prevents unbounded WS injection)."""
        with pytest.raises(ValidationError):
            UpdateStatusRequest(status="hacked")

    def test_empty_status_rejected(self):
        with pytest.raises(ValidationError):
            UpdateStatusRequest(status="")

    def test_message_max_length_enforced(self):
        """message field must not exceed 255 chars."""
        with pytest.raises(ValidationError):
            UpdateStatusRequest(status="updating", message="x" * 256)

    def test_message_at_max_length_accepted(self):
        req = UpdateStatusRequest(status="complete", message="x" * 255)
        assert len(req.message) == 255


# ---------------------------------------------------------------------------
# M2 — HeartbeatRequest: system_stats size limit (4096 bytes)
# ---------------------------------------------------------------------------


class TestHeartbeatSystemStatsValidation:
    def test_none_accepted(self):
        req = HeartbeatRequest(system_stats=None)
        assert req.system_stats is None

    def test_small_dict_accepted(self):
        req = HeartbeatRequest(system_stats={"cpu": 12.5, "mem": 60.0})
        assert req.system_stats["cpu"] == 12.5

    def test_oversized_dict_rejected(self):
        """system_stats exceeding 4096 bytes JSON-encoded must be rejected (M2)."""
        huge = {"data": "x" * 5000}
        with pytest.raises(ValidationError, match="4096"):
            HeartbeatRequest(system_stats=huge)

    def test_exactly_4096_bytes_accepted(self):
        """A dict whose JSON is exactly 4096 bytes must pass."""
        import json

        # Build a dict whose JSON is exactly 4096 bytes
        filler = "x" * (4096 - len('{"k": ""}'))
        d = {"k": filler}
        assert len(json.dumps(d)) == 4096
        req = HeartbeatRequest(system_stats=d)
        assert req.system_stats is not None

    def test_one_byte_over_limit_rejected(self):
        import json

        filler = "x" * (4097 - len('{"k": ""}'))
        d = {"k": filler}
        assert len(json.dumps(d)) == 4097
        with pytest.raises(ValidationError):
            HeartbeatRequest(system_stats=d)


# ---------------------------------------------------------------------------
# M4 — DeviceRegisterRequest: max_length on device-sourced string fields
# ---------------------------------------------------------------------------


class TestDeviceRegisterRequestValidation:
    VALID_BASE = {"device_id": "dev1", "hostname": "spoolbuddy.local", "ip_address": "192.168.1.50"}

    def test_valid_minimal_accepted(self):
        req = DeviceRegisterRequest(**self.VALID_BASE)
        assert req.device_id == "dev1"

    def test_firmware_version_too_long_rejected(self):
        with pytest.raises(ValidationError):
            DeviceRegisterRequest(**self.VALID_BASE, firmware_version="x" * 21)

    def test_firmware_version_at_max_accepted(self):
        req = DeviceRegisterRequest(**self.VALID_BASE, firmware_version="x" * 20)
        assert req.firmware_version == "x" * 20

    def test_nfc_reader_type_too_long_rejected(self):
        with pytest.raises(ValidationError):
            DeviceRegisterRequest(**self.VALID_BASE, nfc_reader_type="x" * 21)

    def test_nfc_connection_too_long_rejected(self):
        with pytest.raises(ValidationError):
            DeviceRegisterRequest(**self.VALID_BASE, nfc_connection="x" * 21)

    def test_backend_url_too_long_rejected(self):
        with pytest.raises(ValidationError):
            DeviceRegisterRequest(**self.VALID_BASE, backend_url="http://" + "x" * 249)

    def test_backend_url_at_max_accepted(self):
        url = "http://" + "x" * (255 - len("http://"))
        req = DeviceRegisterRequest(**self.VALID_BASE, backend_url=url)
        assert req.backend_url == url

    def test_device_id_too_long_rejected(self):
        with pytest.raises(ValidationError):
            DeviceRegisterRequest(device_id="x" * 51, hostname="h", ip_address="1.2.3.4")


# ---------------------------------------------------------------------------
# M4 — WriteTagResultRequest: device_id max_length
# ---------------------------------------------------------------------------


class TestWriteTagResultRequestValidation:
    def test_device_id_too_long_rejected(self):
        with pytest.raises(ValidationError):
            WriteTagResultRequest(device_id="x" * 51, spool_id=1, tag_uid="AABBCCDD", success=True)

    def test_device_id_at_max_accepted(self):
        req = WriteTagResultRequest(device_id="x" * 50, spool_id=1, tag_uid="AABBCCDD", success=True)
        assert len(req.device_id) == 50

    def test_tag_uid_hex_pattern_accepted(self):
        req = WriteTagResultRequest(device_id="dev1", spool_id=1, tag_uid="AABBCCDD", success=True)
        assert req.tag_uid == "AABBCCDD"

    def test_tag_uid_non_hex_rejected(self):
        """Non-hex characters in tag_uid must be rejected (prevents injection via NFC write-back)."""
        with pytest.raises(ValidationError):
            WriteTagResultRequest(device_id="dev1", spool_id=1, tag_uid="AABB; DROP", success=True)

    def test_tag_uid_too_short_rejected(self):
        with pytest.raises(ValidationError):
            WriteTagResultRequest(device_id="dev1", spool_id=1, tag_uid="AABB", success=True)

    def test_tag_uid_max_length_accepted(self):
        req = WriteTagResultRequest(device_id="dev1", spool_id=1, tag_uid="A" * 30, success=True)
        assert len(req.tag_uid) == 30

    def test_tag_uid_over_max_length_rejected(self):
        with pytest.raises(ValidationError):
            WriteTagResultRequest(device_id="dev1", spool_id=1, tag_uid="A" * 31, success=True)


# ---------------------------------------------------------------------------
# M4 — ScaleReadingRequest: weight_grams accepts any float (raw uncalibrated ADC)
# ---------------------------------------------------------------------------


class TestScaleReadingRequestValidation:
    def test_valid_weight_accepted(self):
        req = ScaleReadingRequest(device_id="sb1", weight_grams=250.0)
        assert req.weight_grams == 250.0

    def test_zero_weight_accepted(self):
        req = ScaleReadingRequest(device_id="sb1", weight_grams=0.0)
        assert req.weight_grams == 0.0

    def test_large_raw_adc_weight_accepted(self):
        # Uncalibrated scale with factor=1.0 produces raw ADC values in the millions
        req = ScaleReadingRequest(device_id="sb1", weight_grams=5_000_000.0)
        assert req.weight_grams == 5_000_000.0

    def test_negative_weight_accepted(self):
        # Scale can legitimately read negative values when tare is not calibrated
        req = ScaleReadingRequest(device_id="sb1", weight_grams=-50_000.0)
        assert req.weight_grams == -50_000.0

    def test_nan_weight_rejected(self):
        import math

        with pytest.raises(ValidationError):
            ScaleReadingRequest(device_id="sb1", weight_grams=math.nan)

    def test_inf_weight_rejected(self):
        import math

        with pytest.raises(ValidationError):
            ScaleReadingRequest(device_id="sb1", weight_grams=math.inf)