gabriel / muse public
test_hub_api_ssl_and_public_access.py python
635 lines 27.5 KB
Raw
sha256:81ae324db5ad375fbfe4834c6fcb378312cafad3cc92dec5d3e5c427306621a2 fix: remove commit_exists filter from have anchors — server… Sonnet 4.6 patch 21 days ago
1 """TDD tests for two _hub_api hardening fixes.
2
3 Bug A — localhost SSL
4 ---------------------
5 ``_hub_api`` uses bare ``urllib.request.urlopen`` without an SSL context.
6 For ``https://localhost:1337`` (self-signed cert), this raises
7 ``CERTIFICATE_VERIFY_FAILED`` even though the cert IS trusted by muse
8 (the same CA cert that ``muse push`` loads via ``transport._httpx_verify``
9 is stored at ``musehub/deploy/local-tls/localhost.crt``).
10
11 Expected: ``_hub_api`` must build an SSL context that loads the local CA
12 cert for localhost URLs, mirroring ``transport._httpx_verify``.
13
14 Bug B — unauthenticated GET on public resources
15 -----------------------------------------------
16 ``_hub_api`` exits non-zero when no signing identity is found, even for
17 GET requests on public repos (e.g. reading issues on a public MuseHub repo).
18
19 Expected: for GET requests, if no signing identity is available, proceed
20 without an ``Authorization`` header rather than exiting with an error.
21 Mutating requests (POST/PUT/DELETE/PATCH) still require auth.
22
23 Seven test tiers
24 ----------------
25 Unit — function-level mocks, no network
26 Contract — mock HTTP server, verify wire behaviour
27 Integration — CliRunner through the real command chain
28 Property — hypothesis: any localhost URL gets a non-default SSL context
29 Regression — previously failing cases pinned as non-regressions
30 Security — auth header absent on public GET; present on mutating requests
31 Stress — 8 threads calling _hub_api concurrently, no deadlock
32 """
33
34 from __future__ import annotations
35
36 import io
37 import json
38 import ssl
39 import threading
40 import urllib.error
41 import urllib.request
42 from typing import TYPE_CHECKING
43 from unittest.mock import MagicMock, call, patch
44
45 import pytest
46 from hypothesis import given, settings
47 from hypothesis import strategies as st
48
49 from muse.core.types import fake_id
50 from tests.cli_test_helper import CliRunner
51
52 type _IdentityDict = dict[str, str]
53
54 if TYPE_CHECKING:
55 pass
56
57 runner = CliRunner()
58
59 # ---------------------------------------------------------------------------
60 # Shared helpers
61 # ---------------------------------------------------------------------------
62
63 _IDENTITY: _IdentityDict = {"type": "human", "handle": "gabriel"}
64 _HUB_LOCAL = "https://localhost:1337"
65 _HUB_REMOTE = "https://staging.musehub.ai"
66
67
68 def _mock_resp(body: bytes = b'{"ok": true}') -> MagicMock:
69 resp = MagicMock()
70 resp.__enter__ = lambda s: s
71 resp.__exit__ = MagicMock(return_value=False)
72 resp.read.return_value = body
73 return resp
74
75
76 def _make_signing() -> MagicMock:
77 from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
78 key = MagicMock(spec=Ed25519PrivateKey)
79 key.sign.return_value = b"\x00" * 64
80 key.public_key.return_value.public_bytes.return_value = b"\x00" * 32
81 from muse.core.transport import SigningIdentity
82 return SigningIdentity(handle="gabriel", private_key=key)
83
84
85 # ===========================================================================
86 # Tier 1 — Unit
87 # ===========================================================================
88
89 class TestHubApiSslContextUnit:
90 """_hub_api selects the correct SSL context for each host."""
91
92 def test_localhost_https_gets_custom_ssl_context(self) -> None:
93 """Bug A: localhost HTTPS must use local CA cert, not system store."""
94 from muse.cli.commands.hub._core import _hub_api
95
96 captured_kwargs: list[dict] = []
97
98 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
99 captured_kwargs.append({"context": context})
100 return _mock_resp()
101
102 with patch("muse.cli.config.get_signing_identity", return_value=_make_signing()):
103 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
104 _hub_api(_HUB_LOCAL, _IDENTITY, "GET", "/api/test")
105
106 assert captured_kwargs, "urlopen was not called"
107 ctx = captured_kwargs[0]["context"]
108 assert ctx is not None, (
109 "_hub_api passed context=None to urlopen for localhost — "
110 "self-signed cert will be rejected by the OS CA store"
111 )
112 assert isinstance(ctx, ssl.SSLContext), (
113 f"Expected ssl.SSLContext, got {type(ctx)}"
114 )
115
116 def test_remote_https_uses_system_ca(self) -> None:
117 """Non-localhost HTTPS must use the system CA store (context=None)."""
118 from muse.cli.commands.hub._core import _hub_api
119
120 captured_kwargs: list[dict] = []
121
122 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
123 captured_kwargs.append({"context": context})
124 return _mock_resp()
125
126 with patch("muse.cli.config.get_signing_identity", return_value=_make_signing()):
127 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
128 _hub_api(_HUB_REMOTE, _IDENTITY, "GET", "/api/test")
129
130 assert captured_kwargs
131 ctx = captured_kwargs[0]["context"]
132 assert ctx is None, (
133 "Non-localhost hub must use system CA (context=None), "
134 f"but got {ctx!r}"
135 )
136
137 def test_127_0_0_1_https_gets_custom_ssl_context(self) -> None:
138 """127.0.0.1 is loopback — also gets the local CA cert context."""
139 from muse.cli.commands.hub._core import _hub_api
140
141 captured_kwargs: list[dict] = []
142
143 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
144 captured_kwargs.append({"context": context})
145 return _mock_resp()
146
147 with patch("muse.cli.config.get_signing_identity", return_value=_make_signing()):
148 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
149 _hub_api("https://127.0.0.1:1337", _IDENTITY, "GET", "/api/test")
150
151 ctx = captured_kwargs[0]["context"]
152 assert ctx is not None and isinstance(ctx, ssl.SSLContext)
153
154
155 class TestHubApiPublicGetUnit:
156 """Bug B: unauthenticated GET on public endpoint proceeds without auth."""
157
158 def test_get_without_signing_proceeds(self) -> None:
159 """No signing identity → GET proceeds without Authorization header."""
160 from muse.cli.commands.hub._core import _hub_api
161
162 captured_headers: list[dict] = []
163
164 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
165 captured_headers.append(dict(req.headers))
166 return _mock_resp()
167
168 with patch("muse.cli.config.get_signing_identity", return_value=None):
169 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
170 result = _hub_api("http://localhost:9999", _IDENTITY, "GET", "/api/test")
171
172 assert result == {"ok": True}
173 assert captured_headers, "urlopen was never called"
174 assert "Authorization" not in captured_headers[0], (
175 "Authorization header must not be sent when no signing identity is available"
176 )
177
178 def test_get_without_signing_does_not_exit(self) -> None:
179 """Bug B: no signing identity on GET must NOT raise SystemExit."""
180 from muse.cli.commands.hub._core import _hub_api
181
182 with patch("muse.cli.config.get_signing_identity", return_value=None):
183 with patch("urllib.request.urlopen", return_value=_mock_resp()):
184 # Must not raise SystemExit
185 result = _hub_api("http://localhost:9999", _IDENTITY, "GET", "/api/test")
186 assert isinstance(result, dict)
187
188 def test_post_without_signing_exits(self) -> None:
189 """POST without signing identity must still exit — mutating ops need auth."""
190 from muse.cli.commands.hub._core import _hub_api
191
192 with patch("muse.cli.config.get_signing_identity", return_value=None):
193 with patch("urllib.request.urlopen") as mock_net:
194 with pytest.raises(SystemExit):
195 _hub_api("http://localhost:9999", _IDENTITY, "POST", "/api/test",
196 body={"key": "val"})
197 mock_net.assert_not_called()
198
199 def test_delete_without_signing_exits(self) -> None:
200 """DELETE without signing must exit."""
201 from muse.cli.commands.hub._core import _hub_api
202
203 with patch("muse.cli.config.get_signing_identity", return_value=None):
204 with patch("urllib.request.urlopen") as mock_net:
205 with pytest.raises(SystemExit):
206 _hub_api("http://localhost:9999", _IDENTITY, "DELETE", "/api/test")
207 mock_net.assert_not_called()
208
209 def test_get_with_signing_includes_auth_header(self) -> None:
210 """When signing IS available, GET requests include Authorization."""
211 from muse.cli.commands.hub._core import _hub_api
212
213 captured_headers: list[dict] = []
214
215 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
216 captured_headers.append(dict(req.headers))
217 return _mock_resp()
218
219 with patch("muse.cli.config.get_signing_identity", return_value=_make_signing()):
220 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
221 _hub_api("http://localhost:9999", _IDENTITY, "GET", "/api/test")
222
223 assert "Authorization" in captured_headers[0], (
224 "Authorization header must be included when signing identity is available"
225 )
226
227
228 # ===========================================================================
229 # Tier 2 — Contract (mock HTTP server verifying wire behaviour)
230 # ===========================================================================
231
232 class TestHubApiContract:
233 """Verify wire-level behaviour through a mock HTTP handler."""
234
235 def test_public_get_sends_no_auth_header(self) -> None:
236 """Wire: GET to public endpoint carries no Authorization field."""
237 from muse.cli.commands.hub._core import _hub_api
238
239 received: list[dict] = []
240
241 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
242 received.append({"headers": dict(req.headers), "method": req.get_method()})
243 return _mock_resp(b'{"number": 5, "title": "muse bridge"}')
244
245 with patch("muse.cli.config.get_signing_identity", return_value=None):
246 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
247 result = _hub_api("http://localhost:9999", _IDENTITY, "GET", "/gabriel/musehub/issues/5")
248
249 assert received[0]["method"] == "GET"
250 assert "Authorization" not in received[0]["headers"]
251 assert result.get("number") == 5
252
253 def test_authenticated_get_sends_msign_header(self) -> None:
254 """Wire: GET with identity carries MSign Authorization header."""
255 from muse.cli.commands.hub._core import _hub_api
256
257 received: list[dict] = []
258
259 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
260 received.append({"headers": dict(req.headers)})
261 return _mock_resp()
262
263 with patch("muse.cli.config.get_signing_identity", return_value=_make_signing()):
264 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
265 _hub_api("http://localhost:9999", _IDENTITY, "GET", "/api/test")
266
267 auth = received[0]["headers"].get("Authorization", "")
268 assert auth.startswith("MSign "), f"Expected MSign header, got: {auth!r}"
269
270 def test_localhost_ssl_context_cafile_set(self) -> None:
271 """Wire: SSL context passed to urlopen for localhost loads the CA file."""
272 from muse.cli.commands.hub._core import _hub_api
273 import pathlib
274
275 local_cert = (
276 pathlib.Path(__file__).parent.parent.parent
277 / "musehub" / "deploy" / "local-tls" / "localhost.crt"
278 )
279
280 captured_ctx: list[ssl.SSLContext | None] = []
281
282 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
283 captured_ctx.append(context)
284 return _mock_resp()
285
286 with patch("muse.cli.config.get_signing_identity", return_value=_make_signing()):
287 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
288 _hub_api(_HUB_LOCAL, _IDENTITY, "GET", "/api/test")
289
290 ctx = captured_ctx[0]
291 assert ctx is not None
292 # The context must have the local cert loaded — verify it accepts localhost
293 if local_cert.exists():
294 # Build the same context directly and compare verify_mode
295 expected = ssl.create_default_context(cafile=str(local_cert))
296 assert ctx.verify_mode == expected.verify_mode
297
298
299 # ===========================================================================
300 # Tier 3 — Integration (CliRunner through real command chain)
301 # ===========================================================================
302
303 class TestHubIssueReadPublicIntegration:
304 """muse hub issue read on a public repo works without a signing identity."""
305
306 _FAKE_REPO_ID = fake_id("repo")
307
308 def test_issue_read_public_no_auth_succeeds(self) -> None:
309 """Integration: hub issue read proceeds without signing identity."""
310 issue_body = json.dumps({
311 "number": 5,
312 "title": "muse bridge",
313 "body": "Implement muse bridge for git interop",
314 "state": "open",
315 "labels": [],
316 }).encode()
317
318 with patch("muse.cli.config.get_signing_identity", return_value=None):
319 with patch(
320 "muse.cli.commands.hub._resolve_repo_id",
321 return_value=self._FAKE_REPO_ID,
322 ):
323 with patch("urllib.request.urlopen", return_value=_mock_resp(issue_body)):
324 result = runner.invoke(
325 None,
326 ["hub", "issue", "read", "5",
327 "--hub", "http://localhost:9999/gabriel/musehub",
328 "--json"],
329 )
330
331 assert result.exit_code == 0, (
332 f"exit_code={result.exit_code}\n{result.output}\n{result.stderr}"
333 )
334 data = json.loads(result.output)
335 assert data.get("number") == 5 or "title" in data or data.get("exit_code") == 0
336
337 def test_issue_list_public_no_auth_succeeds(self) -> None:
338 """Integration: hub issue list on public repo proceeds without auth."""
339 issues_body = json.dumps({
340 "issues": [{"number": 5, "title": "muse bridge", "state": "open", "labels": []}],
341 "total": 1,
342 }).encode()
343
344 with patch("muse.cli.config.get_signing_identity", return_value=None):
345 with patch(
346 "muse.cli.commands.hub._resolve_repo_id",
347 return_value=self._FAKE_REPO_ID,
348 ):
349 with patch("urllib.request.urlopen", return_value=_mock_resp(issues_body)):
350 result = runner.invoke(
351 None,
352 ["hub", "issue", "list",
353 "--hub", "http://localhost:9999/gabriel/musehub",
354 "--json"],
355 )
356
357 # Must not fail with "not authenticated" error
358 assert "signing" not in result.stderr.lower()
359 assert "not authenticated" not in result.stderr.lower()
360
361
362 # ===========================================================================
363 # Tier 4 — Property (hypothesis)
364 # ===========================================================================
365
366 class TestHubApiSslContextProperty:
367 """Property: any localhost/127 URL produces a non-None SSL context."""
368
369 @given(
370 port=st.integers(min_value=1024, max_value=65535),
371 path=st.text(
372 alphabet=st.characters(whitelist_categories=("Lu", "Ll", "Nd"), whitelist_characters="/-_"),
373 min_size=1, max_size=40,
374 ),
375 )
376 @settings(max_examples=20, deadline=2000)
377 def test_localhost_always_gets_custom_context(self, port: int, path: str) -> None:
378 """Any https://localhost:<port><path> must produce a non-None SSL context."""
379 from muse.cli.commands.hub._core import _hub_api
380
381 captured: list[ssl.SSLContext | None] = []
382
383 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
384 captured.append(context)
385 return _mock_resp()
386
387 url = f"https://localhost:{port}"
388 with patch("muse.cli.config.get_signing_identity", return_value=_make_signing()):
389 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
390 try:
391 _hub_api(url, _IDENTITY, "GET", f"/{path.lstrip('/')}")
392 except SystemExit:
393 pass # scheme or URL validation may exit — that's fine
394
395 if captured:
396 assert captured[0] is not None, (
397 f"localhost:{port} got None SSL context — self-signed cert will be rejected"
398 )
399
400 @given(method=st.sampled_from(["POST", "PUT", "DELETE", "PATCH"]))
401 @settings(max_examples=10, deadline=2000)
402 def test_mutating_methods_require_auth(self, method: str) -> None:
403 """Property: mutating HTTP methods always require a signing identity."""
404 from muse.cli.commands.hub._core import _hub_api
405
406 with patch("muse.cli.config.get_signing_identity", return_value=None):
407 with patch("urllib.request.urlopen") as mock_net:
408 with pytest.raises(SystemExit):
409 _hub_api("http://localhost:9999", _IDENTITY, method, "/api/test",
410 body={"x": "y"} if method != "DELETE" else None)
411 mock_net.assert_not_called()
412
413
414 # ===========================================================================
415 # Tier 5 — Regression (pinned non-regressions)
416 # ===========================================================================
417
418 class TestHubApiRegression:
419 """Pinned regressions: previously broken cases must stay fixed."""
420
421 def test_R1_hub_issue_read_no_ssl_error_on_localhost(self) -> None:
422 """R1: Reading an issue from https://localhost must not raise SSL error."""
423 from muse.cli.commands.hub._core import _hub_api
424
425 ssl_errors: list[Exception] = []
426
427 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
428 # Simulate what happens WITHOUT a proper context — verify the fix
429 # prevents this from reaching urlopen with the system CA store.
430 if context is None:
431 ssl_errors.append(
432 ssl.SSLCertVerificationError("CERTIFICATE_VERIFY_FAILED")
433 )
434 return _mock_resp(b'{"number": 5}')
435
436 with patch("muse.cli.config.get_signing_identity", return_value=_make_signing()):
437 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
438 _hub_api(_HUB_LOCAL, _IDENTITY, "GET", "/gabriel/musehub/issues/5")
439
440 assert not ssl_errors, (
441 f"R1 regression: _hub_api passed context=None to urlopen on localhost, "
442 f"which would cause CERTIFICATE_VERIFY_FAILED: {ssl_errors}"
443 )
444
445 def test_R2_public_issue_read_no_exit_without_identity(self) -> None:
446 """R2: hub issue read on public repo must NOT exit 1 when no identity set."""
447 from muse.cli.commands.hub._core import _hub_api
448
449 with patch("muse.cli.config.get_signing_identity", return_value=None):
450 with patch("urllib.request.urlopen", return_value=_mock_resp(b'{"number": 5}')):
451 # Must not raise SystemExit
452 result = _hub_api("http://localhost:9999", _IDENTITY, "GET", "/api/issues/5")
453 assert result == {"number": 5}
454
455 def test_R3_file_scheme_still_blocked(self) -> None:
456 """R3: file:// scheme is still blocked regardless of signing identity."""
457 from muse.cli.commands.hub._core import _hub_api
458
459 with patch("urllib.request.urlopen") as mock_net:
460 with pytest.raises(SystemExit):
461 _hub_api("file:///etc/passwd", _IDENTITY, "GET", "/test")
462 mock_net.assert_not_called()
463
464 def test_R4_response_size_cap_still_enforced(self) -> None:
465 """R4: size cap still applies on unauthenticated GET responses."""
466 from muse.cli.commands.hub._core import _hub_api, _MAX_API_RESPONSE_BYTES
467
468 big_resp = _mock_resp(b"x" * (_MAX_API_RESPONSE_BYTES + 2))
469
470 with patch("muse.cli.config.get_signing_identity", return_value=None):
471 with patch("urllib.request.urlopen", return_value=big_resp):
472 with pytest.raises(SystemExit):
473 _hub_api("http://localhost:9999", _IDENTITY, "GET", "/api/test")
474
475 def test_R5_existing_auth_tests_unaffected(self) -> None:
476 """R5: authenticated calls continue to include MSign header after the fix."""
477 from muse.cli.commands.hub._core import _hub_api
478
479 headers_seen: list[dict] = []
480
481 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
482 headers_seen.append(dict(req.headers))
483 return _mock_resp()
484
485 with patch("muse.cli.config.get_signing_identity", return_value=_make_signing()):
486 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
487 _hub_api("http://localhost:9999", _IDENTITY, "GET", "/api/test")
488
489 assert headers_seen[0].get("Authorization", "").startswith("MSign ")
490
491
492 # ===========================================================================
493 # Tier 6 — Security
494 # ===========================================================================
495
496 class TestHubApiSecurity:
497 """Security invariants for the two fixes."""
498
499 def test_no_auth_header_leaked_on_unauthenticated_get(self) -> None:
500 """Auth header must be completely absent — not empty — on public GET."""
501 from muse.cli.commands.hub._core import _hub_api
502
503 headers_seen: list[dict] = []
504
505 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
506 headers_seen.append(dict(req.headers))
507 return _mock_resp()
508
509 with patch("muse.cli.config.get_signing_identity", return_value=None):
510 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
511 _hub_api("http://localhost:9999", _IDENTITY, "GET", "/api/test")
512
513 h = headers_seen[0]
514 assert "Authorization" not in h
515 assert "authorization" not in {k.lower() for k in h}
516
517 def test_ansi_in_http_error_body_still_sanitized(
518 self, capsys: pytest.CaptureFixture[str]
519 ) -> None:
520 """ANSI sequences in error bodies are sanitized on unauthenticated errors."""
521 from muse.cli.commands.hub._core import _hub_api
522
523 ansi_body = b'{"detail": "\\x1b[31merror\\x1b[0m"}'
524 exc = urllib.error.HTTPError(
525 url="", code=401, msg="Unauthorized",
526 hdrs=MagicMock(), fp=io.BytesIO(ansi_body),
527 )
528 with patch("muse.cli.config.get_signing_identity", return_value=None):
529 with patch("urllib.request.urlopen", side_effect=exc):
530 with pytest.raises(SystemExit):
531 _hub_api("http://localhost:9999", _IDENTITY, "GET", "/api/test")
532
533 captured = capsys.readouterr()
534 assert "\x1b[" not in captured.err
535
536 def test_ssl_context_does_not_disable_verification(self) -> None:
537 """The custom SSL context must not set CERT_NONE — it loads a CA, not disables checking."""
538 from muse.cli.commands.hub._core import _hub_api
539
540 captured_ctx: list[ssl.SSLContext | None] = []
541
542 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
543 captured_ctx.append(context)
544 return _mock_resp()
545
546 with patch("muse.cli.config.get_signing_identity", return_value=_make_signing()):
547 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
548 _hub_api(_HUB_LOCAL, _IDENTITY, "GET", "/api/test")
549
550 ctx = captured_ctx[0]
551 if ctx is not None:
552 assert ctx.verify_mode != ssl.CERT_NONE, (
553 "SSL context must not disable verification — "
554 "use a CA cert file, not ssl.CERT_NONE"
555 )
556
557 def test_ssrf_scheme_blocking_unaffected_by_public_get_change(self) -> None:
558 """The public-GET change must not relax SSRF scheme blocking."""
559 from muse.cli.commands.hub._core import _hub_api
560
561 for scheme in ("file", "ftp", "javascript", "data"):
562 with patch("urllib.request.urlopen") as mock_net:
563 with pytest.raises(SystemExit):
564 _hub_api(f"{scheme}://evil.example.com", _IDENTITY, "GET", "/api/test")
565 mock_net.assert_not_called()
566
567
568 # ===========================================================================
569 # Tier 7 — Stress
570 # ===========================================================================
571
572 class TestHubApiStress:
573 """Concurrent calls to _hub_api must not deadlock or corrupt state."""
574
575 def test_concurrent_unauthenticated_gets_no_deadlock(self) -> None:
576 """8 threads calling _hub_api(GET, no auth) concurrently — no deadlock."""
577 from muse.cli.commands.hub._core import _hub_api
578
579 results: list[dict | Exception] = []
580 lock = threading.Lock()
581
582 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
583 return _mock_resp(b'{"ok": true}')
584
585 def worker() -> None:
586 try:
587 with patch("muse.cli.config.get_signing_identity", return_value=None):
588 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
589 r = _hub_api("http://localhost:9999", _IDENTITY, "GET", "/api/test")
590 with lock:
591 results.append(r)
592 except Exception as exc:
593 with lock:
594 results.append(exc)
595
596 threads = [threading.Thread(target=worker) for _ in range(8)]
597 for t in threads:
598 t.start()
599 for t in threads:
600 t.join(timeout=5)
601
602 assert len(results) == 8, f"Only {len(results)}/8 threads completed"
603 errors = [r for r in results if isinstance(r, Exception)]
604 assert not errors, f"Thread errors: {errors}"
605
606 def test_concurrent_authenticated_gets_no_deadlock(self) -> None:
607 """8 threads calling _hub_api(GET, with auth) concurrently — no deadlock."""
608 from muse.cli.commands.hub._core import _hub_api
609
610 results: list[dict | Exception] = []
611 lock = threading.Lock()
612
613 def fake_urlopen(req: urllib.request.Request, timeout: float = 10, context: ssl.SSLContext | None = None) -> MagicMock:
614 return _mock_resp(b'{"ok": true}')
615
616 def worker() -> None:
617 try:
618 with patch("muse.cli.config.get_signing_identity", return_value=_make_signing()):
619 with patch("urllib.request.urlopen", side_effect=fake_urlopen):
620 r = _hub_api("http://localhost:9999", _IDENTITY, "GET", "/api/test")
621 with lock:
622 results.append(r)
623 except Exception as exc:
624 with lock:
625 results.append(exc)
626
627 threads = [threading.Thread(target=worker) for _ in range(8)]
628 for t in threads:
629 t.start()
630 for t in threads:
631 t.join(timeout=5)
632
633 assert len(results) == 8
634 errors = [r for r in results if isinstance(r, Exception)]
635 assert not errors, f"Thread errors: {errors}"
File History 4 commits
sha256:81ae324db5ad375fbfe4834c6fcb378312cafad3cc92dec5d3e5c427306621a2 fix: remove commit_exists filter from have anchors — server… Sonnet 4.6 patch 21 days ago
sha256:36c3cb3e76619d4c30a6d9bf81b5ec4ff148e30dcfed913e3114ca7b43b81c7e fix: rename objects→blobs in push client and all stale test… Sonnet 4.6 patch 22 days ago
sha256:c06a9b9b9fee26c68ea725b44d54b2c0a171301ce9de746d5b656617b4463a9a fix: repair four test failures from post-migration audit Sonnet 4.6 patch 29 days ago
sha256:1900655993c83c4107067375548a7be823e471d2515830842f1a12cba4bd3cdf fix: unified object store migration — idempotent writes, JS… Sonnet 4.6 minor 29 days ago