221 lines
9.5 KiB
Python
221 lines
9.5 KiB
Python
from __future__ import annotations
|
|
|
|
from pathlib import Path
|
|
|
|
from fastapi.testclient import TestClient
|
|
|
|
from beaver.interfaces.web.app import create_app
|
|
from beaver.services.agent_service import AgentService
|
|
from beaver.services.user_file_resolver import UserFileStorageResolver
|
|
from beaver.services.user_files import LocalUserFileStorage, UserFileService
|
|
|
|
|
|
def _auth_headers(app, username: str = "alice") -> dict[str, str]:
|
|
token = f"test-token-{username}"
|
|
app.state.auth_tokens[token] = username
|
|
return {"Authorization": f"Bearer {token}"}
|
|
|
|
|
|
def test_workspace_browser_api_manages_workspace_files(tmp_path: Path) -> None:
|
|
service = AgentService(workspace=tmp_path)
|
|
app = create_app(service=service, manage_service_lifecycle=False)
|
|
|
|
with TestClient(app) as client:
|
|
root = client.get("/api/workspace/browse")
|
|
mkdir = client.post("/api/workspace/mkdir", params={"path": "docs"})
|
|
upload = client.post(
|
|
"/api/workspace/upload",
|
|
data={"path": "docs"},
|
|
files={"file": ("hello.txt", b"hello workspace", "text/plain")},
|
|
)
|
|
docs = client.get("/api/workspace/browse", params={"path": "docs"})
|
|
download = client.get("/api/workspace/download", params={"path": "docs/hello.txt"})
|
|
deleted = client.delete("/api/workspace/delete", params={"path": "docs/hello.txt"})
|
|
after_delete = client.get("/api/workspace/browse", params={"path": "docs"})
|
|
|
|
assert root.status_code == 200
|
|
assert root.json()["path"] == ""
|
|
assert all(item["name"] != "docs" for item in root.json()["items"])
|
|
assert mkdir.status_code == 200
|
|
assert mkdir.json()["path"] == "docs"
|
|
assert upload.status_code == 200
|
|
assert upload.json()["path"] == "docs/hello.txt"
|
|
assert docs.status_code == 200
|
|
assert [item["name"] for item in docs.json()["items"]] == ["hello.txt"]
|
|
assert download.status_code == 200
|
|
assert download.content == b"hello workspace"
|
|
assert deleted.status_code == 200
|
|
assert deleted.json() == {"ok": True}
|
|
assert after_delete.status_code == 200
|
|
assert after_delete.json()["items"] == []
|
|
|
|
|
|
def test_attachment_file_api_round_trips_uploaded_file(tmp_path: Path) -> None:
|
|
service = AgentService(workspace=tmp_path)
|
|
app = create_app(service=service, manage_service_lifecycle=False)
|
|
|
|
with TestClient(app) as client:
|
|
upload = client.post(
|
|
"/api/files/upload",
|
|
data={"session_id": "web:test"},
|
|
files={"file": ("note.txt", b"hello attachment", "text/plain")},
|
|
)
|
|
file_id = upload.json()["file_id"]
|
|
listed = client.get("/api/files", params={"session_id": "web:test"})
|
|
download = client.get(f"/api/files/{file_id}")
|
|
deleted = client.delete(f"/api/files/{file_id}")
|
|
missing = client.get(f"/api/files/{file_id}")
|
|
|
|
assert upload.status_code == 200
|
|
assert upload.json()["name"] == "note.txt"
|
|
assert upload.json()["url"] == f"/api/files/{file_id}"
|
|
assert listed.status_code == 200
|
|
assert [item["file_id"] for item in listed.json()] == [file_id]
|
|
assert download.status_code == 200
|
|
assert download.content == b"hello attachment"
|
|
assert deleted.status_code == 200
|
|
assert deleted.json() == {"ok": True}
|
|
assert missing.status_code == 404
|
|
|
|
|
|
def test_user_files_api_uses_virtual_roots_and_hides_workspace(tmp_path: Path) -> None:
|
|
service = AgentService(workspace=tmp_path)
|
|
app = create_app(service=service, manage_service_lifecycle=False)
|
|
|
|
with TestClient(app) as client:
|
|
headers = _auth_headers(app)
|
|
root = client.get("/api/user-files/browse", headers=headers)
|
|
status = client.get("/api/user-files/status", headers=headers)
|
|
upload = client.post(
|
|
"/api/user-files/upload",
|
|
data={"path": "uploads"},
|
|
files={"file": ("hello.txt", b"hello user files", "text/plain")},
|
|
headers=headers,
|
|
)
|
|
uploads = client.get("/api/user-files/browse", params={"path": "uploads"}, headers=headers)
|
|
preview = client.get("/api/user-files/preview", params={"path": "uploads/hello.txt"}, headers=headers)
|
|
download = client.get("/api/user-files/download", params={"path": "uploads/hello.txt"}, headers=headers)
|
|
|
|
assert root.status_code == 200
|
|
assert [item["name"] for item in root.json()["items"]] == ["uploads", "outputs", "shared", "tasks"]
|
|
assert all("bucket" not in item for item in root.json()["items"])
|
|
assert status.status_code == 200
|
|
assert status.json()["workspace_visible"] is False
|
|
assert "base_path" not in status.json()
|
|
assert upload.status_code == 200
|
|
assert upload.json()["path"] == "uploads/hello.txt"
|
|
assert uploads.status_code == 200
|
|
assert [item["name"] for item in uploads.json()["items"]] == ["hello.txt"]
|
|
assert preview.status_code == 200
|
|
assert preview.json()["content"] == "hello user files"
|
|
assert download.status_code == 200
|
|
assert download.content == b"hello user files"
|
|
|
|
|
|
def test_user_files_api_rejects_invalid_paths_and_root_delete(tmp_path: Path) -> None:
|
|
service = AgentService(workspace=tmp_path)
|
|
app = create_app(service=service, manage_service_lifecycle=False)
|
|
|
|
with TestClient(app) as client:
|
|
headers = _auth_headers(app)
|
|
traversal = client.get("/api/user-files/browse", params={"path": "uploads/../state"}, headers=headers)
|
|
unknown_root = client.get("/api/user-files/browse", params={"path": "memory/private.txt"}, headers=headers)
|
|
absolute_browse = client.get("/api/user-files/browse", params={"path": "/uploads/input.txt"}, headers=headers)
|
|
absolute_download = client.get("/api/user-files/download", params={"path": "/outputs/result.txt"}, headers=headers)
|
|
absolute_preview = client.get("/api/user-files/preview", params={"path": "/shared/profile.json"}, headers=headers)
|
|
absolute_mkdir = client.post("/api/user-files/mkdir", params={"path": "/tasks/task-123/draft.md"}, headers=headers)
|
|
absolute_upload = client.post(
|
|
"/api/user-files/upload",
|
|
data={"path": "/uploads"},
|
|
files={"file": ("input.txt", b"x", "text/plain")},
|
|
headers=headers,
|
|
)
|
|
delete_root = client.delete("/api/user-files/delete", params={"path": "uploads"}, headers=headers)
|
|
|
|
assert traversal.status_code == 400
|
|
assert unknown_root.status_code == 400
|
|
assert absolute_browse.status_code == 400
|
|
assert absolute_download.status_code == 400
|
|
assert absolute_preview.status_code == 400
|
|
assert absolute_mkdir.status_code == 400
|
|
assert absolute_upload.status_code == 400
|
|
assert delete_root.status_code == 400
|
|
|
|
|
|
def test_user_files_api_rejects_anonymous_access_before_storage(tmp_path: Path) -> None:
|
|
service = AgentService(workspace=tmp_path)
|
|
app = create_app(service=service, manage_service_lifecycle=False)
|
|
|
|
with TestClient(app) as client:
|
|
browse = client.get("/api/user-files/browse")
|
|
status = client.get("/api/user-files/status")
|
|
upload = client.post(
|
|
"/api/user-files/upload",
|
|
data={"path": "uploads"},
|
|
files={"file": ("hello.txt", b"hello user files", "text/plain")},
|
|
)
|
|
delete = client.delete("/api/user-files/delete", params={"path": "uploads/hello.txt"})
|
|
mkdir = client.post("/api/user-files/mkdir", params={"path": "uploads/new"})
|
|
|
|
assert browse.status_code == 401
|
|
assert status.status_code == 401
|
|
assert upload.status_code == 401
|
|
assert delete.status_code == 401
|
|
assert mkdir.status_code == 401
|
|
|
|
|
|
def test_user_files_api_authenticated_request_resolves_identity(tmp_path: Path, monkeypatch) -> None:
|
|
service = AgentService(workspace=tmp_path)
|
|
app = create_app(service=service, manage_service_lifecycle=False)
|
|
seen = []
|
|
|
|
async def fake_service(self):
|
|
seen.append(self.auth_context)
|
|
return UserFileService(LocalUserFileStorage(tmp_path / "user-files"))
|
|
|
|
monkeypatch.setattr(UserFileStorageResolver, "service", fake_service)
|
|
|
|
with TestClient(app) as client:
|
|
alice_headers = _auth_headers(app, "alice")
|
|
upload = client.post(
|
|
"/api/user-files/upload",
|
|
data={"path": "uploads"},
|
|
files={"file": ("alice.txt", b"alice", "text/plain")},
|
|
headers=alice_headers,
|
|
)
|
|
|
|
assert upload.status_code == 200
|
|
assert seen
|
|
assert seen[0].username == "alice"
|
|
assert seen[0].backend_id == "alice"
|
|
assert seen[0].storage_namespace == "users/alice"
|
|
|
|
|
|
def test_user_files_api_streams_upload_and_enforces_configured_limit(tmp_path: Path, monkeypatch) -> None:
|
|
monkeypatch.setenv("BEAVER_USER_FILES_MAX_UPLOAD_BYTES", "5")
|
|
service = AgentService(workspace=tmp_path)
|
|
app = create_app(service=service, manage_service_lifecycle=False)
|
|
|
|
with TestClient(app) as client:
|
|
headers = _auth_headers(app)
|
|
ok_upload = client.post(
|
|
"/api/user-files/upload",
|
|
data={"path": "uploads"},
|
|
files={"file": ("small.txt", b"abcde", "text/plain")},
|
|
headers=headers,
|
|
)
|
|
too_large = client.post(
|
|
"/api/user-files/upload",
|
|
data={"path": "uploads"},
|
|
files={"file": ("large.txt", b"abcdef", "text/plain")},
|
|
headers=headers,
|
|
)
|
|
preview = client.get("/api/user-files/preview", params={"path": "uploads/small.txt"}, headers=headers)
|
|
|
|
assert ok_upload.status_code == 200
|
|
assert ok_upload.json()["path"] == "uploads/small.txt"
|
|
assert too_large.status_code == 413
|
|
assert "File too large" in too_large.json()["detail"]
|
|
assert preview.status_code == 200
|
|
assert preview.json()["content"] == "abcde"
|