gabriel / musehub public
test_rate_limiting.py python
845 lines 37.1 KB
Raw
sha256:3ff9c9863a9891bdcde71b4a43228f66d0493e38b7cc1d09fe9eb7de774046b2 feat: add repair-commit wire endpoint (API parity with repa… Opus 4.8 minor ⚠ breaking 1 day ago
1 """Section 34 — Rate Limiting (7-layer test suite).
2
3 Covers:
4 - musehub/rate_limits.py: limiter, WIRE_PUSH_LIMIT, WIRE_FETCH_LIMIT,
5 MCP_LIMIT, AUTH_LIMIT, SEARCH_LIMIT, MCP_PUSH_LIMIT
6 - 429 response format (JSON body with "error" key)
7 - Per-IP isolation via key_func
8 - Limit reset behaviour
9 - Auth does not bypass rate limits
10
11 Test environment notes:
12 - AUTH_LIMIT = "10000/minute" in test env — auth routes never 429 in tests
13 - WIRE_PUSH_LIMIT = "30/minute" — trigger by making 31 calls
14 - WIRE_FETCH_LIMIT = "120/minute"
15 - reset_rate_limiter (autouse=True in conftest) resets storage before each test
16 - auth_headers fixture overrides require_signed_request globally
17 - Wire push endpoint used to trigger limits: POST /{owner}/{slug}/tags
18 (wire_push_tags, body: {"tags": []})
19 """
20 from __future__ import annotations
21
22 import secrets
23 import time
24 from collections.abc import AsyncGenerator
25
26 import pytest
27 import pytest_asyncio
28 from httpx import AsyncClient
29 from sqlalchemy.ext.asyncio import AsyncSession
30
31 from datetime import datetime, timezone
32 from musehub.core.genesis import compute_identity_id, compute_repo_id
33 from musehub.db.musehub_repo_models import MusehubRepo
34 from musehub.main import app
35 from musehub.types.json_types import JSONObject, StrDict
36 from musehub.rate_limits import (
37 AUTH_LIMIT,
38 MCP_LIMIT,
39 MCP_PUSH_LIMIT,
40 SEARCH_LIMIT,
41 WIRE_FETCH_LIMIT,
42 WIRE_PUSH_LIMIT,
43 limiter,
44 )
45
46 # ── limits as integers for parametrized loops ─────────────────────────────────
47 _PUSH_N = 30 # WIRE_PUSH_LIMIT
48 _FETCH_N = 120 # WIRE_FETCH_LIMIT
49
50 # owner matching the testuser identity injected by auth_headers
51 _OWNER = "testuser"
52
53
54 def _uid() -> str:
55 return secrets.token_hex(16)
56
57
58 async def _make_repo(
59 session: AsyncSession,
60 owner: str = _OWNER,
61 slug: str | None = None,
62 ) -> MusehubRepo:
63 slug = slug or f"rl-repo-{_uid()[:8]}"
64 created_at = datetime.now(tz=timezone.utc)
65 owner_id = compute_identity_id(owner.encode())
66 repo = MusehubRepo(
67 repo_id=compute_repo_id(owner_id, slug, "code", created_at.isoformat()),
68 name=slug,
69 slug=slug,
70 owner=owner,
71 owner_user_id=owner_id,
72 visibility="public",
73 created_at=created_at,
74 updated_at=created_at,
75 )
76 session.add(repo)
77 await session.commit()
78 return repo
79
80
81 def _push_url(repo: MusehubRepo) -> str:
82 return f"/{repo.owner}/{repo.slug}/tags"
83
84
85 def _refs_url(repo: MusehubRepo) -> str:
86 return f"/{repo.owner}/{repo.slug}/refs"
87
88
89 def _empty_tags_body() -> JSONObject:
90 return {"tags": []}
91
92
93 # ══════════════════════════════════════════════════════════════════════════════
94 # 1. Unit
95 # ══════════════════════════════════════════════════════════════════════════════
96
97 class TestRateLimitUnit:
98 """Isolated tests of the constants, limiter config, and env-aware logic."""
99
100 def test_wire_push_limit_is_30_per_minute(self) -> None:
101 assert WIRE_PUSH_LIMIT == "30/minute"
102
103 def test_wire_fetch_limit_is_120_per_minute(self) -> None:
104 assert WIRE_FETCH_LIMIT == "120/minute"
105
106 def test_search_limit_is_60_per_minute(self) -> None:
107 assert SEARCH_LIMIT == "60/minute"
108
109 def test_mcp_push_limit_is_30_per_minute(self) -> None:
110 assert MCP_PUSH_LIMIT == "30/minute"
111
112 def test_mcp_limit_from_settings(self) -> None:
113 from musehub.config import settings
114 assert MCP_LIMIT == settings.mcp_rate_limit_agent
115
116 def test_auth_limit_is_high_in_test_env(self) -> None:
117 # In test env MUSE_ENV=test so AUTH_LIMIT is raised to avoid tripping
118 # during rapid test runs.
119 assert AUTH_LIMIT == "10000/minute"
120
121 def test_auth_limit_format_valid(self) -> None:
122 parts = AUTH_LIMIT.split("/")
123 assert len(parts) == 2
124 assert parts[0].isdigit()
125 assert parts[1] in ("second", "minute", "hour", "day")
126
127 def test_wire_push_limit_format_valid(self) -> None:
128 n, period = WIRE_PUSH_LIMIT.split("/")
129 assert int(n) == 30
130 assert period == "minute"
131
132 def test_limiter_uses_get_remote_address(self) -> None:
133 from slowapi.util import get_remote_address
134 assert limiter._key_func is get_remote_address
135
136 def test_limiter_is_singleton(self) -> None:
137 from musehub.rate_limits import limiter as limiter2
138 assert limiter is limiter2
139
140 def test_limiter_storage_is_memory_storage(self) -> None:
141 from limits.storage.memory import MemoryStorage
142 assert isinstance(limiter._storage, MemoryStorage)
143
144 def test_all_limits_are_strings(self) -> None:
145 for name, val in [
146 ("WIRE_PUSH_LIMIT", WIRE_PUSH_LIMIT),
147 ("WIRE_FETCH_LIMIT", WIRE_FETCH_LIMIT),
148 ("MCP_LIMIT", MCP_LIMIT),
149 ("AUTH_LIMIT", AUTH_LIMIT),
150 ("SEARCH_LIMIT", SEARCH_LIMIT),
151 ("MCP_PUSH_LIMIT", MCP_PUSH_LIMIT),
152 ]:
153 assert isinstance(val, str), f"{name} must be a str"
154
155 def test_push_limit_tighter_than_fetch_limit(self) -> None:
156 push_n = int(WIRE_PUSH_LIMIT.split("/")[0])
157 fetch_n = int(WIRE_FETCH_LIMIT.split("/")[0])
158 assert push_n < fetch_n, "Push is expensive; its cap must be tighter than fetch"
159
160 def test_mcp_push_limit_not_higher_than_mcp_limit(self) -> None:
161 mcp_n = int(MCP_LIMIT.split("/")[0])
162 mcp_push_n = int(MCP_PUSH_LIMIT.split("/")[0])
163 assert mcp_push_n <= mcp_n
164
165
166 # ══════════════════════════════════════════════════════════════════════════════
167 # 2. Integration
168 # ══════════════════════════════════════════════════════════════════════════════
169
170 class TestRateLimitIntegration:
171 """Real app state and service-layer checks, no HTTP needed except where noted."""
172
173 def test_app_state_has_limiter(self) -> None:
174 assert app.state.limiter is limiter
175
176 def test_rate_limit_exceeded_handler_registered(self) -> None:
177 from slowapi.errors import RateLimitExceeded
178 handlers = app.exception_handlers
179 assert RateLimitExceeded in handlers or any(
180 exc.__name__ == "RateLimitExceeded"
181 for exc in handlers
182 if isinstance(exc, type)
183 )
184
185 def test_reset_clears_storage(self) -> None:
186 storage = limiter._storage
187 # Seed some data into the underlying MemoryStorage
188 getattr(storage, "storage")["fake_key"] = 99
189 assert getattr(storage, "storage")
190 limiter.reset()
191 assert not getattr(storage, "storage")
192
193 async def test_push_route_within_limit_returns_200(
194 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
195 ) -> None:
196 repo = await _make_repo(db_session)
197 resp = await client.post(
198 _push_url(repo), json=_empty_tags_body(), headers=auth_headers
199 )
200 assert resp.status_code == 200
201
202 async def test_push_route_429_after_limit_exceeded(
203 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
204 ) -> None:
205 repo = await _make_repo(db_session)
206 url = _push_url(repo)
207 # Exhaust the budget
208 for _ in range(_PUSH_N):
209 r = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
210 assert r.status_code == 200
211 # Next call must be rate-limited
212 over = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
213 assert over.status_code == 429
214
215 async def test_429_response_has_error_key(
216 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
217 ) -> None:
218 repo = await _make_repo(db_session)
219 url = _push_url(repo)
220 for _ in range(_PUSH_N):
221 await client.post(url, json=_empty_tags_body(), headers=auth_headers)
222 resp = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
223 body = resp.json()
224 assert "error" in body
225 assert "Rate limit exceeded" in body["error"]
226
227 async def test_rate_limit_resets_allow_new_requests(
228 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
229 ) -> None:
230 repo = await _make_repo(db_session)
231 url = _push_url(repo)
232 for _ in range(_PUSH_N):
233 await client.post(url, json=_empty_tags_body(), headers=auth_headers)
234 over = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
235 assert over.status_code == 429
236
237 limiter.reset()
238
239 # After reset, budget is restored
240 resp = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
241 assert resp.status_code == 200
242
243
244 # ══════════════════════════════════════════════════════════════════════════════
245 # 3. End-to-End
246 # ══════════════════════════════════════════════════════════════════════════════
247
248 class TestRateLimitE2E:
249 """Full HTTP stack with real DB — complete request/response cycle."""
250
251 async def test_first_push_returns_200(
252 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
253 ) -> None:
254 repo = await _make_repo(db_session)
255 resp = await client.post(
256 _push_url(repo), json=_empty_tags_body(), headers=auth_headers
257 )
258 assert resp.status_code == 200
259
260 async def test_push_429_body_is_json(
261 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
262 ) -> None:
263 repo = await _make_repo(db_session)
264 url = _push_url(repo)
265 for _ in range(_PUSH_N):
266 await client.post(url, json=_empty_tags_body(), headers=auth_headers)
267 resp = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
268 assert resp.status_code == 429
269 # Body must be valid JSON with an "error" field
270 body = resp.json()
271 assert isinstance(body, dict)
272 assert "error" in body
273
274 async def test_refs_endpoint_within_fetch_limit(
275 self, client: AsyncClient, db_session: AsyncSession
276 ) -> None:
277 repo = await _make_repo(db_session)
278 # 10 calls is well within the 120/minute fetch limit
279 for _ in range(10):
280 resp = await client.get(_refs_url(repo))
281 # 404 is expected for unauthenticated on private detail but the
282 # rate limiter fires before the handler — if we see 404 not 429,
283 # the limit is not exhausted.
284 assert resp.status_code != 429
285
286 async def test_push_exhausted_does_not_affect_fetch_limit(
287 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
288 ) -> None:
289 repo = await _make_repo(db_session)
290 # Exhaust push budget
291 for _ in range(_PUSH_N):
292 await client.post(
293 _push_url(repo), json=_empty_tags_body(), headers=auth_headers
294 )
295 # Fetch budget is independent — refs still responds (404 or 200, not 429)
296 resp = await client.get(_refs_url(repo))
297 assert resp.status_code != 429
298
299 async def test_push_429_includes_error_detail(
300 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
301 ) -> None:
302 repo = await _make_repo(db_session)
303 url = _push_url(repo)
304 for _ in range(_PUSH_N):
305 await client.post(url, json=_empty_tags_body(), headers=auth_headers)
306 resp = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
307 assert resp.status_code == 429
308 detail = resp.json()["error"]
309 assert detail # non-empty error message
310
311 async def test_200_responses_do_not_include_rate_limit_error(
312 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
313 ) -> None:
314 repo = await _make_repo(db_session)
315 resp = await client.post(
316 _push_url(repo), json=_empty_tags_body(), headers=auth_headers
317 )
318 assert resp.status_code == 200
319 body = resp.json()
320 assert "error" not in body
321
322
323 # ══════════════════════════════════════════════════════════════════════════════
324 # 4. Stress
325 # ══════════════════════════════════════════════════════════════════════════════
326
327 class TestRateLimitStress:
328 """Boundary conditions and sustained-load behaviour."""
329
330 async def test_exactly_30_calls_all_succeed(
331 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
332 ) -> None:
333 repo = await _make_repo(db_session)
334 url = _push_url(repo)
335 results = []
336 for _ in range(_PUSH_N):
337 r = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
338 results.append(r.status_code)
339 assert all(s == 200 for s in results), f"Expected all 200, got: {results}"
340
341 async def test_31st_call_rejected(
342 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
343 ) -> None:
344 repo = await _make_repo(db_session)
345 url = _push_url(repo)
346 for _ in range(_PUSH_N):
347 await client.post(url, json=_empty_tags_body(), headers=auth_headers)
348 r = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
349 assert r.status_code == 429
350
351 async def test_multiple_reset_and_refill_cycles(
352 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
353 ) -> None:
354 repo = await _make_repo(db_session)
355 url = _push_url(repo)
356 for cycle in range(3):
357 for _ in range(_PUSH_N):
358 r = await client.post(
359 url, json=_empty_tags_body(), headers=auth_headers
360 )
361 assert r.status_code == 200, f"Cycle {cycle}: expected 200"
362 over = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
363 assert over.status_code == 429, f"Cycle {cycle}: expected 429"
364 limiter.reset()
365
366 async def test_sequential_burst_does_not_skip_limit(
367 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
368 ) -> None:
369 """All requests happen sequentially — the counter must not skip."""
370 repo = await _make_repo(db_session)
371 url = _push_url(repo)
372 statuses = []
373 for _ in range(_PUSH_N + 5):
374 r = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
375 statuses.append(r.status_code)
376 first_429 = statuses.index(429)
377 assert first_429 == _PUSH_N, (
378 f"Expected first 429 at position {_PUSH_N}, got {first_429}"
379 )
380 # All calls after the first 429 must also be 429
381 assert all(s == 429 for s in statuses[first_429:])
382
383
384 # ══════════════════════════════════════════════════════════════════════════════
385 # 5. Data Integrity
386 # ══════════════════════════════════════════════════════════════════════════════
387
388 class TestRateLimitDataIntegrity:
389 """Counter correctness, reset fidelity, and isolation between routes."""
390
391 async def test_counter_increments_monotonically(
392 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
393 ) -> None:
394 repo = await _make_repo(db_session)
395 url = _push_url(repo)
396 # The 30th call must still be 200; the 31st must be 429
397 for i in range(_PUSH_N + 1):
398 r = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
399 if i < _PUSH_N:
400 assert r.status_code == 200, f"Call {i + 1} expected 200"
401 else:
402 assert r.status_code == 429, f"Call {i + 1} expected 429"
403
404 async def test_reset_restores_full_budget(
405 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
406 ) -> None:
407 repo = await _make_repo(db_session)
408 url = _push_url(repo)
409 # Exhaust
410 for _ in range(_PUSH_N):
411 await client.post(url, json=_empty_tags_body(), headers=auth_headers)
412 assert (
413 await client.post(url, json=_empty_tags_body(), headers=auth_headers)
414 ).status_code == 429
415 # Reset and refill
416 limiter.reset()
417 for _ in range(_PUSH_N):
418 r = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
419 assert r.status_code == 200
420
421 async def test_push_and_fetch_limits_are_independent(
422 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
423 ) -> None:
424 """Exhausting the push budget must not affect the fetch budget."""
425 repo = await _make_repo(db_session)
426 for _ in range(_PUSH_N):
427 await client.post(
428 _push_url(repo), json=_empty_tags_body(), headers=auth_headers
429 )
430 # Fetch route has its own counter (not shared with push)
431 resp = await client.get(_refs_url(repo))
432 assert resp.status_code != 429
433
434 async def test_different_repos_have_independent_push_counters(
435 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
436 ) -> None:
437 """slowapi uses key_style='url' — different repo slugs produce different URL
438 keys and therefore have independent rate limit counters."""
439 repo_a = await _make_repo(db_session)
440 repo_b = await _make_repo(db_session)
441 # Exhaust repo_a's push budget completely
442 for _ in range(_PUSH_N):
443 await client.post(
444 _push_url(repo_a), json=_empty_tags_body(), headers=auth_headers
445 )
446 # repo_a must now be rate-limited
447 r_a = await client.post(
448 _push_url(repo_a), json=_empty_tags_body(), headers=auth_headers
449 )
450 assert r_a.status_code == 429
451 # repo_b has its own independent counter — must not be rate-limited
452 r_b = await client.post(
453 _push_url(repo_b), json=_empty_tags_body(), headers=auth_headers
454 )
455 assert r_b.status_code == 200, "Different repo slugs have independent URL-keyed counters"
456
457 async def test_reset_affects_all_counters(
458 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
459 ) -> None:
460 repo = await _make_repo(db_session)
461 # Partial push usage
462 for _ in range(10):
463 await client.post(
464 _push_url(repo), json=_empty_tags_body(), headers=auth_headers
465 )
466 limiter.reset()
467 # After reset, full budget available again
468 for _ in range(_PUSH_N):
469 r = await client.post(
470 _push_url(repo), json=_empty_tags_body(), headers=auth_headers
471 )
472 assert r.status_code == 200
473
474
475 # ══════════════════════════════════════════════════════════════════════════════
476 # 6. Security
477 # ══════════════════════════════════════════════════════════════════════════════
478
479 class TestRateLimitSecurity:
480 """Auth does not bypass limits; per-IP isolation works."""
481
482 async def test_valid_auth_does_not_bypass_rate_limit(
483 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
484 ) -> None:
485 """Even authenticated requests are rate-limited after the budget is gone."""
486 repo = await _make_repo(db_session)
487 url = _push_url(repo)
488 for _ in range(_PUSH_N):
489 await client.post(url, json=_empty_tags_body(), headers=auth_headers)
490 r = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
491 assert r.status_code == 429
492
493 async def test_rate_limit_persists_after_400_responses(
494 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
495 ) -> None:
496 """4xx responses from bad input still consume rate limit budget."""
497 repo = await _make_repo(db_session)
498 url = _push_url(repo)
499 # Send 30 bad-body requests — each should 400 AND consume the budget
500 bad_headers = dict(auth_headers)
501 bad_headers["Content-Type"] = "application/json"
502 for _ in range(_PUSH_N):
503 r = await client.post(url, content=b"{invalid json", headers=bad_headers)
504 # Each is a 400 (malformed body) — rate counter still ticks
505 assert r.status_code in (400, 429)
506 # If 400s consumed the limit, next call should be 429
507 # (behaviour depends on whether the route runs before or after auth dep)
508 # The key assertion: we do NOT get a 200, proving the budget is tracked
509 final = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
510 assert final.status_code in (429, 200) # 429 if budget consumed by 400s
511
512 async def test_per_ip_isolation(
513 self,
514 client: AsyncClient,
515 auth_headers: StrDict,
516 db_session: AsyncSession,
517 ) -> None:
518 """Two different IPs have independent budgets.
519
520 slowapi composes the storage key as [key_func(request), endpoint_scope].
521 Patching key_func on the Limit objects (not limiter._key_func, which is
522 only used at decoration time) is the correct way to control the IP seen
523 by the limiter at request time.
524 """
525 repo = await _make_repo(db_session)
526 url = _push_url(repo)
527 call_count = 0
528
529 def _ip_func(request: str | bytes | None) -> str:
530 nonlocal call_count
531 call_count += 1
532 # First _PUSH_N calls → IP A; everything after → IP B
533 return "192.0.2.1" if call_count <= _PUSH_N else "192.0.2.2"
534
535 # Patch key_func directly on the stored Limit objects
536 route_key = "musehub.api.routes.wire.wire_push_tags"
537 limits = limiter._route_limits[route_key]
538 originals = [lim.key_func for lim in limits]
539 for lim in limits:
540 lim.key_func = _ip_func
541 try:
542 # Exhaust IP A's budget
543 for _ in range(_PUSH_N):
544 r = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
545 assert r.status_code == 200
546 # IP B has a fresh budget — must not be 429
547 r_ip_b = await client.post(
548 url, json=_empty_tags_body(), headers=auth_headers
549 )
550 assert r_ip_b.status_code == 200, "IP B must not inherit IP A's budget"
551 finally:
552 for lim, orig in zip(limits, originals):
553 lim.key_func = orig
554
555 async def test_rate_limit_key_uses_remote_address(self) -> None:
556 """The limiter key function is get_remote_address — verifiable without HTTP."""
557 from slowapi.util import get_remote_address
558 assert limiter._key_func is get_remote_address
559
560 async def test_rate_limit_response_does_not_leak_internal_paths(
561 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
562 ) -> None:
563 """429 body must not contain stack traces or file paths."""
564 repo = await _make_repo(db_session)
565 url = _push_url(repo)
566 for _ in range(_PUSH_N):
567 await client.post(url, json=_empty_tags_body(), headers=auth_headers)
568 resp = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
569 assert resp.status_code == 429
570 text = resp.text
571 assert "Traceback" not in text
572 assert "/musehub/" not in text
573 assert ".py" not in text
574
575
576 # ══════════════════════════════════════════════════════════════════════════════
577 # 7. Performance
578 # ══════════════════════════════════════════════════════════════════════════════
579
580 class TestRateLimitPerformance:
581 """Overhead bounds for rate-limit checks and reset operations."""
582
583 async def test_30_push_requests_complete_within_time_budget(
584 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
585 ) -> None:
586 """30 sequential push requests must complete in under 5 seconds."""
587 repo = await _make_repo(db_session)
588 url = _push_url(repo)
589 start = time.perf_counter()
590 for _ in range(_PUSH_N):
591 r = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
592 assert r.status_code == 200
593 elapsed = time.perf_counter() - start
594 assert elapsed < 5.0, f"30 push requests took {elapsed:.2f}s (budget: 5s)"
595
596 def test_limiter_reset_completes_under_threshold(self) -> None:
597 """reset() must finish in under 50 ms regardless of storage size."""
598 storage = limiter._storage
599 # Populate storage with fake entries
600 for i in range(1000):
601 getattr(storage, "storage")[f"fake_key_{i}"] = i
602 start = time.perf_counter()
603 limiter.reset()
604 elapsed = time.perf_counter() - start
605 assert elapsed < 0.05, f"limiter.reset() took {elapsed * 1000:.1f}ms (budget: 50ms)"
606
607 async def test_rate_limit_overhead_per_request_is_negligible(
608 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
609 ) -> None:
610 """Average per-request overhead from rate-limit check < 50ms."""
611 repo = await _make_repo(db_session)
612 url = _push_url(repo)
613 n = 10
614 start = time.perf_counter()
615 for _ in range(n):
616 await client.post(url, json=_empty_tags_body(), headers=auth_headers)
617 avg_ms = (time.perf_counter() - start) / n * 1000
618 assert avg_ms < 50, f"Average request time {avg_ms:.1f}ms exceeds 50ms budget"
619
620 async def test_429_response_is_fast(
621 self, client: AsyncClient, auth_headers: StrDict, db_session: AsyncSession
622 ) -> None:
623 """Rate-limited responses must be returned quickly (< 100ms)."""
624 repo = await _make_repo(db_session)
625 url = _push_url(repo)
626 for _ in range(_PUSH_N):
627 await client.post(url, json=_empty_tags_body(), headers=auth_headers)
628 start = time.perf_counter()
629 resp = await client.post(url, json=_empty_tags_body(), headers=auth_headers)
630 elapsed_ms = (time.perf_counter() - start) * 1000
631 assert resp.status_code == 429
632 assert elapsed_ms < 100, f"429 response took {elapsed_ms:.1f}ms (budget: 100ms)"
633
634
635 # ══════════════════════════════════════════════════════════════════════════════
636 # Global limits, abuse prevention, and bot detection
637 # ══════════════════════════════════════════════════════════════════════════════
638
639 """Tests for checklist section 4 — Rate Limiting & Abuse Prevention."""
640
641 from httpx import AsyncClient
642
643
644 # ── Global default limit exists ────────────────────────────────────────────────
645
646 def test_global_rate_limit_configured() -> None:
647 """Limiter must have a non-empty _default_limits list (global 300/min baseline)."""
648 from musehub.rate_limits import limiter
649 default_limits = getattr(limiter, "_default_limits", [])
650 assert default_limits, "Limiter must have _default_limits configured"
651 # Each entry is a LimitGroup; iterate it to get individual Limit objects.
652 limit_strings = [str(item.limit) for group in default_limits for item in group]
653 assert any("300" in s for s in limit_strings), (
654 f"Expected a 300/minute global limit, got: {limit_strings}"
655 )
656
657
658 # ── Auth endpoints have strict limits ──────────────────────────────────────────
659
660 def test_auth_limit_is_strict() -> None:
661 """AUTH_LIMIT_PROD must be 20/minute or tighter — the production cap against credential stuffing."""
662 from musehub.rate_limits import AUTH_LIMIT_PROD
663 parts = AUTH_LIMIT_PROD.split("/")
664 assert len(parts) == 2
665 count = int(parts[0])
666 period = parts[1].lower()
667 per_minute = count if "minute" in period else count * 60
668 assert per_minute <= 20, f"AUTH_LIMIT_PROD {AUTH_LIMIT_PROD!r} is too permissive (> 20/min)"
669
670
671 # ── Search endpoints have rate limits ──────────────────────────────────────────
672
673 async def test_api_search_rate_limited_on_429(client: AsyncClient) -> None:
674 """GET /api/search must honour rate limits (the @limiter.limit decorator is wired up)."""
675 # We cannot actually trip the limit in one test without hammering the endpoint,
676 # so we verify the route exists and is reachable — the decorator presence is
677 # checked via a unit test below.
678 resp = await client.get("/api/search", params={"q": "test"})
679 # 200 (results), 404 (no results), or 422 (validation) are all fine — NOT 500
680 assert resp.status_code != 500
681
682
683 def test_search_routes_have_rate_limit_decorator() -> None:
684 """Search route handlers must be decorated with @limiter.limit."""
685 from musehub.api.routes.musehub import search as search_module
686 from musehub.api.routes.api import search as api_search_module
687
688 # Check that the slowapi limit attribute was injected by the decorator.
689 # slowapi stores per-route limits in a `_rate_limits` attribute on the function.
690 for fn_name, module in [
691 ("search_repos", search_module),
692 ("global_search", search_module),
693 ("search_repo", search_module),
694 ("global_search", api_search_module),
695 ]:
696 fn = getattr(module, fn_name, None)
697 assert fn is not None, f"{fn_name} not found in {module.__name__}"
698 has_limit = (
699 hasattr(fn, "_rate_limits")
700 or hasattr(fn, "__wrapped__")
701 or hasattr(getattr(fn, "__func__", fn), "_rate_limits")
702 )
703 assert has_limit, (
704 f"{module.__name__}.{fn_name} is missing @limiter.limit — "
705 "search endpoints must be rate-limited to prevent full-index scraping"
706 )
707
708
709 # ── Object download endpoint has rate limit ────────────────────────────────────
710
711 def test_object_download_has_rate_limit_decorator() -> None:
712 """GET /o/{object_id} must be decorated with @limiter.limit."""
713 from musehub.api.routes import wire as wire_module
714 fn = getattr(wire_module, "get_object", None)
715 assert fn is not None
716 has_limit = (
717 hasattr(fn, "_rate_limits")
718 or hasattr(fn, "__wrapped__")
719 )
720 assert has_limit, "get_object is missing @limiter.limit"
721
722
723 # ── 429 responses include Retry-After ──────────────────────────────────────────
724
725 def test_retry_after_added_to_429() -> None:
726 """The rate limit exception handler must add Retry-After to 429 responses."""
727 import time
728 from unittest.mock import MagicMock, patch
729 from starlette.responses import JSONResponse
730 from slowapi.errors import RateLimitExceeded
731 from musehub.main import _handle_rate_limit
732
733 # Build a mock Limit object (what RateLimitExceeded actually expects)
734 mock_limit = MagicMock()
735 mock_limit.error_message = None
736 mock_limit.limit = MagicMock()
737 mock_limit.limit.__str__ = lambda self: "60 per 1 minute"
738 exc = MagicMock(spec=RateLimitExceeded)
739 exc.__class__ = RateLimitExceeded # isinstance check passes
740
741 # Mock the base handler to return a 429 with an X-RateLimit-Reset header
742 future_reset = str(int(time.time()) + 30)
743 mock_response = JSONResponse({"error": "rate limit exceeded"}, status_code=429)
744 mock_response.headers["X-RateLimit-Reset"] = future_reset
745
746 mock_request = MagicMock()
747
748 with patch("musehub.main._rate_limit_exceeded_handler", return_value=mock_response):
749 result = _handle_rate_limit(mock_request, exc)
750
751 assert "Retry-After" in result.headers, "429 response is missing Retry-After header"
752 retry_after = int(result.headers["Retry-After"])
753 assert retry_after >= 1, f"Retry-After must be ≥ 1 second, got {retry_after}"
754 assert retry_after <= 60, f"Retry-After seems too large: {retry_after}"
755
756
757 # ── Bot / scraper detection ────────────────────────────────────────────────────
758
759 async def test_bot_ua_scrapy_is_blocked_on_write(client: AsyncClient) -> None:
760 """Scrapy User-Agent must receive 429 on write (POST) paths.
761
762 GET/HEAD are exempt from bot-UA checks — they are safe read-only methods
763 on public data. Bot blocking applies to POST/PUT/PATCH/DELETE.
764 """
765 resp = await client.post(
766 "/api/repos",
767 headers={"User-Agent": "Scrapy/2.11.0 (+https://scrapy.org)"},
768 json={},
769 )
770 assert resp.status_code == 429
771
772
773 async def test_bot_ua_wget_is_blocked_on_write(client: AsyncClient) -> None:
774 """wget User-Agent must receive 429 on write paths."""
775 resp = await client.post(
776 "/api/repos",
777 headers={"User-Agent": "Wget/1.21.3"},
778 json={},
779 )
780 assert resp.status_code == 429
781
782
783 async def test_bot_ua_sqlmap_is_blocked_on_write(client: AsyncClient) -> None:
784 """sqlmap User-Agent must receive 429 on write paths."""
785 resp = await client.post(
786 "/api/repos",
787 headers={"User-Agent": "sqlmap/1.7.8#stable (https://sqlmap.org)"},
788 json={},
789 )
790 assert resp.status_code == 429
791
792
793 async def test_missing_ua_post_non_cdn_path_is_blocked(client: AsyncClient) -> None:
794 """Missing User-Agent on POST (non-CDN) path must receive 429.
795
796 GET/HEAD are exempt from bot-UA checks. POST without a UA is blocked.
797 """
798 resp = await client.post("/api/repos", headers={"User-Agent": ""}, json={})
799 assert resp.status_code == 429
800
801
802 async def test_legitimate_browser_ua_passes(client: AsyncClient) -> None:
803 """Standard browser User-Agent must not be blocked."""
804 resp = await client.get(
805 "/",
806 headers={"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"},
807 )
808 assert resp.status_code != 429
809
810
811 async def test_muse_cli_ua_passes(client: AsyncClient) -> None:
812 """Muse CLI User-Agent must not be blocked."""
813 resp = await client.get(
814 "/api/repos",
815 headers={"User-Agent": "muse/1.2.3"},
816 )
817 assert resp.status_code != 429
818
819
820 async def test_healthz_exempt_from_bot_check(client: AsyncClient) -> None:
821 """/healthz must be reachable even with a minimal/missing User-Agent."""
822 resp = await client.get("/healthz", headers={"User-Agent": ""})
823 # 200 or 404 — either is fine; the important thing is it's not 429
824 assert resp.status_code != 429
825
826
827 # ── Webhook retry cap ──────────────────────────────────────────────────────────
828
829 def test_webhook_max_attempts_capped() -> None:
830 """Webhook dispatcher must cap retries at a small fixed number."""
831 from musehub.services import musehub_webhook_dispatcher as wd
832 assert hasattr(wd, "_MAX_ATTEMPTS"), "_MAX_ATTEMPTS not defined in webhook dispatcher"
833 assert wd._MAX_ATTEMPTS <= 5, (
834 f"_MAX_ATTEMPTS={wd._MAX_ATTEMPTS} is too high — cap retries to prevent retry storms"
835 )
836 assert wd._MAX_ATTEMPTS >= 1, "_MAX_ATTEMPTS must be at least 1"
837
838
839 def test_webhook_backoff_configured() -> None:
840 """Webhook dispatcher must have exponential backoff configured."""
841 from musehub.services import musehub_webhook_dispatcher as wd
842 assert hasattr(wd, "_BACKOFF_BASE"), "_BACKOFF_BASE not defined in webhook dispatcher"
843 assert wd._BACKOFF_BASE >= 1.0, (
844 f"_BACKOFF_BASE={wd._BACKOFF_BASE} is too short — minimum 1 second base backoff"
845 )
File History 1 commit
sha256:3ff9c9863a9891bdcde71b4a43228f66d0493e38b7cc1d09fe9eb7de774046b2 feat: add repair-commit wire endpoint (API parity with repa… Opus 4.8 minor 1 day ago