sprint-2.5: RBAC 4 roles + Studio bootable + Flash Console
End-to-end implementation per docs/sprint-2.5-plan.md. New requirement added by user mid-sprint: 4-role RBAC (Super Admin / Engineer / Owner / User) with dual-auth for Engineer flashing firmware, plus a "mini Arduino IDE" inside the Studio. Tests: pytest 231/231 green (129 Sprint 2 + 102 Sprint 2.5 new). RBAC core (arautopilot/core/): - rbac.py: 4 roles, 12 capabilities, immutable capability matrix, has() / capabilities_of() / require() / requires_dual_auth() helpers. Engineer flashing firmware needs SA approval; everything else is single-factor. - user.py: User model with PBKDF2-HMAC-SHA256 PIN hashing (200k iters, 16-byte salt, self-describing hash format for future migrations). 4-8 digit numeric PINs enforced. - user_store.py: JSON-backed user database. seed_demo_users() for first-run UX. - audit.py: append-only JSONL audit log. AuditEvent with timestamp, user_id, role, action, target, outcome, reason, secondary_user_id for dual-auth, optional extra payload. Crypto signing of lines deferred to Sprint 8. Studio GUI (arautopilot/studio/): - app.py: real entry point (replaces Sprint 0 stub). --seed-demo populates demo users without launching GUI; --data-dir overrides the ~/.ar-autopilot/studio/ default. - session.py: Session + SessionHolder. check() always audits the decision; verify_super_admin_pin() + log_dual_auth_grant() for dual-auth flows. - login_window.py: modal login dialog with user picker + PIN field. Audits login attempts (success and bad-PIN denials). - main_window.py: top-level window with sidebar (user + role + caps) and tab area (Overview, Flash Console, Project placeholder, Telemetry placeholder). - flash_console.py: the "mini Arduino IDE". Lists serial ports via pyserial; picks firmware variant (esp32-dev / esp32-debug); compiles via 'pio run'; flashes via 'pio run -t upload --upload-port <port>'; streams pio output to a dark-themed read-only console; supports cancel. For Engineer flashes, asks the Super Admin for their PIN inline before invoking pio. Records dual-auth grant + pio exit code in the audit log. Dependencies: - New [project.optional-dependencies] group 'studio': PySide6>=6.6, pyserial>=3.5, platformio>=6.1. Kept optional so the core can be installed in lean / CI environments. Tests (arautopilot/tests/): - test_rbac.py: 32 tests for capability matrix, dual-auth policy, no-privilege-escalation invariants, partial overlap between roles. - test_user.py: 11 tests for PIN hashing, verification, salting, serialisation, field validators. - test_audit.py: 9 tests for JSONL append, immutability, round-trip, corrupt-line detection, dual-auth event shape, blank-line tolerance. - test_user_store.py: 10 tests for CRUD, persistence, role filtering, demo seed idempotency. - test_session.py: 9 tests for capability checks + audit side effects, SA PIN verification, dual-auth recording, SessionHolder lifecycle. - test_studio_smoke.py: 5 headless tests verifying Studio modules import without a display server, --seed-demo works, helpers safe to call without hardware. NOT in Sprint 2.5 (intentional): - Crypto signing of audit log lines (hash-chain) -- Sprint 8 - HWID binding of the user store -- Sprint 8 - Project configurator + .appack compiler -- Sprint 4 - Flutter bridge display -- Sprint 4 - Telemetry dashboard tab -- Sprint 4 - Serial monitor as a separate tab -- future enhancement Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,146 @@
|
||||
"""Tests for ``arautopilot.studio.session.Session``."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from pathlib import Path
|
||||
|
||||
import pytest
|
||||
|
||||
from arautopilot.core.audit import AuditLog, AuditOutcome
|
||||
from arautopilot.core.rbac import Capability, Role
|
||||
from arautopilot.core.user import User
|
||||
from arautopilot.core.user_store import UserStore
|
||||
from arautopilot.studio.session import Session, SessionHolder
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def store_and_audit(tmp_path: Path) -> tuple[UserStore, AuditLog]:
|
||||
store = UserStore(tmp_path / "users.json")
|
||||
audit = AuditLog(tmp_path / "audit.jsonl")
|
||||
return store, audit
|
||||
|
||||
|
||||
def _sa_session(store: UserStore, audit: AuditLog) -> Session:
|
||||
u = User.create(display_name="SA", role=Role.SUPER_ADMIN, pin="0001")
|
||||
store.add(u)
|
||||
return Session(user=u, store=store, audit=audit)
|
||||
|
||||
|
||||
def _eng_session(store: UserStore, audit: AuditLog) -> Session:
|
||||
u = User.create(display_name="Eng", role=Role.ENGINEER, pin="0002")
|
||||
store.add(u)
|
||||
return Session(user=u, store=store, audit=audit)
|
||||
|
||||
|
||||
def test_session_can_for_super_admin(store_and_audit: tuple[UserStore, AuditLog]) -> None:
|
||||
store, audit = store_and_audit
|
||||
s = _sa_session(store, audit)
|
||||
assert s.can(Capability.FLASH_FIRMWARE)
|
||||
assert s.can(Capability.EDIT_BASE_GAINS)
|
||||
assert s.can(Capability.MANAGE_USERS)
|
||||
|
||||
|
||||
def test_session_check_records_audit_on_grant(
|
||||
store_and_audit: tuple[UserStore, AuditLog]
|
||||
) -> None:
|
||||
store, audit = store_and_audit
|
||||
s = _sa_session(store, audit)
|
||||
assert s.check(Capability.FLASH_FIRMWARE, target="COM7") is True
|
||||
events = audit.read_all()
|
||||
assert len(events) == 1
|
||||
assert events[0].outcome is AuditOutcome.SUCCESS
|
||||
assert events[0].action == "check:flash_firmware"
|
||||
assert events[0].target == "COM7"
|
||||
|
||||
|
||||
def test_session_check_records_audit_on_denial(
|
||||
store_and_audit: tuple[UserStore, AuditLog]
|
||||
) -> None:
|
||||
store, audit = store_and_audit
|
||||
u = User.create(display_name="Crew", role=Role.USER, pin="4444")
|
||||
store.add(u)
|
||||
s = Session(user=u, store=store, audit=audit)
|
||||
assert s.check(Capability.FLASH_FIRMWARE) is False
|
||||
events = audit.read_all()
|
||||
assert len(events) == 1
|
||||
assert events[0].outcome is AuditOutcome.DENIED
|
||||
assert "lacks" in events[0].reason
|
||||
|
||||
|
||||
def test_engineer_needs_dual_auth_for_flash(
|
||||
store_and_audit: tuple[UserStore, AuditLog]
|
||||
) -> None:
|
||||
store, audit = store_and_audit
|
||||
s = _eng_session(store, audit)
|
||||
assert s.needs_dual_auth(Capability.FLASH_FIRMWARE)
|
||||
assert not s.needs_dual_auth(Capability.BUILD_FIRMWARE)
|
||||
|
||||
|
||||
def test_verify_super_admin_pin_succeeds_with_right_pin(
|
||||
store_and_audit: tuple[UserStore, AuditLog]
|
||||
) -> None:
|
||||
store, audit = store_and_audit
|
||||
sa = User.create(display_name="SA", role=Role.SUPER_ADMIN, pin="0001")
|
||||
store.add(sa)
|
||||
eng = User.create(display_name="Eng", role=Role.ENGINEER, pin="0002")
|
||||
store.add(eng)
|
||||
s = Session(user=eng, store=store, audit=audit)
|
||||
matched = s.verify_super_admin_pin("0001")
|
||||
assert matched is not None
|
||||
assert matched.user_id == sa.user_id
|
||||
|
||||
|
||||
def test_verify_super_admin_pin_fails_with_wrong_pin(
|
||||
store_and_audit: tuple[UserStore, AuditLog]
|
||||
) -> None:
|
||||
store, audit = store_and_audit
|
||||
store.add(User.create(display_name="SA", role=Role.SUPER_ADMIN, pin="0001"))
|
||||
eng = User.create(display_name="Eng", role=Role.ENGINEER, pin="0002")
|
||||
store.add(eng)
|
||||
s = Session(user=eng, store=store, audit=audit)
|
||||
assert s.verify_super_admin_pin("9999") is None
|
||||
|
||||
|
||||
def test_dual_auth_grant_records_secondary_user(
|
||||
store_and_audit: tuple[UserStore, AuditLog]
|
||||
) -> None:
|
||||
store, audit = store_and_audit
|
||||
sa = User.create(display_name="SA", role=Role.SUPER_ADMIN, pin="0001")
|
||||
store.add(sa)
|
||||
eng = User.create(display_name="Eng", role=Role.ENGINEER, pin="0002")
|
||||
store.add(eng)
|
||||
s = Session(user=eng, store=store, audit=audit)
|
||||
s.log_dual_auth_grant(Capability.FLASH_FIRMWARE, sa,
|
||||
target="COM7:esp32-dev",
|
||||
extra={"variant": "esp32-dev"})
|
||||
events = audit.read_all()
|
||||
assert events[0].secondary_user_id == sa.user_id
|
||||
assert events[0].outcome is AuditOutcome.SUCCESS
|
||||
assert events[0].target == "COM7:esp32-dev"
|
||||
assert events[0].extra == {"variant": "esp32-dev"}
|
||||
|
||||
|
||||
def test_session_holder_set_and_require(
|
||||
store_and_audit: tuple[UserStore, AuditLog]
|
||||
) -> None:
|
||||
store, audit = store_and_audit
|
||||
s = _sa_session(store, audit)
|
||||
SessionHolder.set(s)
|
||||
assert SessionHolder.current() is s
|
||||
assert SessionHolder.require() is s
|
||||
SessionHolder.set(None)
|
||||
assert SessionHolder.current() is None
|
||||
with pytest.raises(RuntimeError):
|
||||
SessionHolder.require()
|
||||
|
||||
|
||||
def test_log_action_helper(
|
||||
store_and_audit: tuple[UserStore, AuditLog]
|
||||
) -> None:
|
||||
store, audit = store_and_audit
|
||||
s = _sa_session(store, audit)
|
||||
s.log_action("mode_change", outcome=AuditOutcome.SUCCESS,
|
||||
extra={"from": "STANDBY", "to": "HEADING_HOLD"})
|
||||
events = audit.read_all()
|
||||
assert events[0].action == "mode_change"
|
||||
assert events[0].extra["to"] == "HEADING_HOLD"
|
||||
Reference in New Issue
Block a user