13a2867ef6
End-to-end implementation per docs/sprint-2.5-plan.md. New requirement added by user mid-sprint: 4-role RBAC (Super Admin / Engineer / Owner / User) with dual-auth for Engineer flashing firmware, plus a "mini Arduino IDE" inside the Studio. Tests: pytest 231/231 green (129 Sprint 2 + 102 Sprint 2.5 new). RBAC core (arautopilot/core/): - rbac.py: 4 roles, 12 capabilities, immutable capability matrix, has() / capabilities_of() / require() / requires_dual_auth() helpers. Engineer flashing firmware needs SA approval; everything else is single-factor. - user.py: User model with PBKDF2-HMAC-SHA256 PIN hashing (200k iters, 16-byte salt, self-describing hash format for future migrations). 4-8 digit numeric PINs enforced. - user_store.py: JSON-backed user database. seed_demo_users() for first-run UX. - audit.py: append-only JSONL audit log. AuditEvent with timestamp, user_id, role, action, target, outcome, reason, secondary_user_id for dual-auth, optional extra payload. Crypto signing of lines deferred to Sprint 8. Studio GUI (arautopilot/studio/): - app.py: real entry point (replaces Sprint 0 stub). --seed-demo populates demo users without launching GUI; --data-dir overrides the ~/.ar-autopilot/studio/ default. - session.py: Session + SessionHolder. check() always audits the decision; verify_super_admin_pin() + log_dual_auth_grant() for dual-auth flows. - login_window.py: modal login dialog with user picker + PIN field. Audits login attempts (success and bad-PIN denials). - main_window.py: top-level window with sidebar (user + role + caps) and tab area (Overview, Flash Console, Project placeholder, Telemetry placeholder). - flash_console.py: the "mini Arduino IDE". Lists serial ports via pyserial; picks firmware variant (esp32-dev / esp32-debug); compiles via 'pio run'; flashes via 'pio run -t upload --upload-port <port>'; streams pio output to a dark-themed read-only console; supports cancel. For Engineer flashes, asks the Super Admin for their PIN inline before invoking pio. Records dual-auth grant + pio exit code in the audit log. Dependencies: - New [project.optional-dependencies] group 'studio': PySide6>=6.6, pyserial>=3.5, platformio>=6.1. Kept optional so the core can be installed in lean / CI environments. Tests (arautopilot/tests/): - test_rbac.py: 32 tests for capability matrix, dual-auth policy, no-privilege-escalation invariants, partial overlap between roles. - test_user.py: 11 tests for PIN hashing, verification, salting, serialisation, field validators. - test_audit.py: 9 tests for JSONL append, immutability, round-trip, corrupt-line detection, dual-auth event shape, blank-line tolerance. - test_user_store.py: 10 tests for CRUD, persistence, role filtering, demo seed idempotency. - test_session.py: 9 tests for capability checks + audit side effects, SA PIN verification, dual-auth recording, SessionHolder lifecycle. - test_studio_smoke.py: 5 headless tests verifying Studio modules import without a display server, --seed-demo works, helpers safe to call without hardware. NOT in Sprint 2.5 (intentional): - Crypto signing of audit log lines (hash-chain) -- Sprint 8 - HWID binding of the user store -- Sprint 8 - Project configurator + .appack compiler -- Sprint 4 - Flutter bridge display -- Sprint 4 - Telemetry dashboard tab -- Sprint 4 - Serial monitor as a separate tab -- future enhancement Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
104 lines
3.6 KiB
Python
104 lines
3.6 KiB
Python
"""Tests for ``arautopilot.core.user``."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import pytest
|
|
from pydantic import ValidationError
|
|
|
|
from arautopilot.core.rbac import Role
|
|
from arautopilot.core.user import User
|
|
|
|
|
|
def test_create_user_with_valid_pin() -> None:
|
|
u = User.create(display_name="Test Engineer", role=Role.ENGINEER, pin="1234")
|
|
assert u.display_name == "Test Engineer"
|
|
assert u.role is Role.ENGINEER
|
|
assert u.pin_hash.startswith("pbkdf2_sha256$")
|
|
assert u.active is True
|
|
assert u.last_login_at is None
|
|
|
|
|
|
def test_verify_correct_pin() -> None:
|
|
u = User.create(display_name="X", role=Role.USER, pin="9876")
|
|
assert u.verify_pin("9876") is True
|
|
|
|
|
|
def test_verify_incorrect_pin() -> None:
|
|
u = User.create(display_name="X", role=Role.USER, pin="9876")
|
|
assert u.verify_pin("0000") is False
|
|
assert u.verify_pin("987") is False # too short, treated as invalid
|
|
assert u.verify_pin("98765") is False
|
|
assert u.verify_pin("") is False
|
|
|
|
|
|
def test_pin_hash_is_different_each_time_for_same_pin() -> None:
|
|
"""Salting must make the hashes diverge even for identical PINs."""
|
|
a = User.create(display_name="A", role=Role.USER, pin="1234")
|
|
b = User.create(display_name="B", role=Role.USER, pin="1234")
|
|
assert a.pin_hash != b.pin_hash
|
|
# But both verify against the same PIN.
|
|
assert a.verify_pin("1234")
|
|
assert b.verify_pin("1234")
|
|
|
|
|
|
def test_set_pin_returns_new_instance_with_new_hash() -> None:
|
|
u = User.create(display_name="A", role=Role.USER, pin="1234")
|
|
old_hash = u.pin_hash
|
|
u2 = u.set_pin("5678")
|
|
assert u2.pin_hash != old_hash
|
|
assert u2.verify_pin("5678") is True
|
|
assert u2.verify_pin("1234") is False
|
|
|
|
|
|
def test_pin_must_be_numeric_4_to_8_digits() -> None:
|
|
with pytest.raises(ValueError):
|
|
User.create(display_name="A", role=Role.USER, pin="abc")
|
|
with pytest.raises(ValueError):
|
|
User.create(display_name="A", role=Role.USER, pin="12")
|
|
with pytest.raises(ValueError):
|
|
User.create(display_name="A", role=Role.USER, pin="123456789")
|
|
with pytest.raises(ValueError):
|
|
User.create(display_name="A", role=Role.USER, pin="12 34")
|
|
|
|
|
|
def test_pin_hash_field_validator_rejects_garbage() -> None:
|
|
with pytest.raises(ValidationError):
|
|
User(display_name="A", role=Role.USER, pin_hash="not-a-real-hash")
|
|
with pytest.raises(ValidationError):
|
|
# Right shape but wrong scheme.
|
|
User(display_name="A", role=Role.USER,
|
|
pin_hash="md5$1000$xxxxxxxxxx$yyyyyyyyyy")
|
|
|
|
|
|
def test_user_rejects_unknown_field() -> None:
|
|
# Direct construction with unknown field should fail (extra="forbid").
|
|
with pytest.raises(ValidationError):
|
|
User(display_name="A", role=Role.USER, pin_hash="pbkdf2_sha256$200000$xx$yy",
|
|
unknown="x") # type: ignore[call-arg]
|
|
|
|
|
|
def test_touch_login_advances_timestamp() -> None:
|
|
u = User.create(display_name="A", role=Role.USER, pin="1234")
|
|
assert u.last_login_at is None
|
|
u2 = u.touch_login()
|
|
assert u2.last_login_at is not None
|
|
assert u2.user_id == u.user_id
|
|
|
|
|
|
def test_vessel_scoped_user() -> None:
|
|
u = User.create(display_name="Captain", role=Role.OWNER, pin="4242",
|
|
vessel_id="abc123")
|
|
assert u.vessel_id == "abc123"
|
|
|
|
|
|
def test_serialisation_round_trip() -> None:
|
|
import json
|
|
u = User.create(display_name="Test", role=Role.ENGINEER, pin="2468")
|
|
data = u.model_dump(mode="json")
|
|
text = json.dumps(data)
|
|
rebuilt = User.model_validate(json.loads(text))
|
|
assert rebuilt.display_name == u.display_name
|
|
assert rebuilt.role == u.role
|
|
assert rebuilt.pin_hash == u.pin_hash
|
|
assert rebuilt.verify_pin("2468") is True
|