b3dba57bc5
* docs: add tenant data isolation design spec Complete architecture plan for multi-tenant data isolation across all layers (PostgreSQL RLS, application-layer filtering, schema migration, testing strategy, and phased rollout checklist). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs: add background job isolation policy to tenant isolation spec Documents policy for all 5 existing background jobs: - Knowledge Flywheel and PSA Retry flagged for account_id threading - Chat Retention already follows correct pattern (model for others) - Maintenance Schedule Firing needs account_id in queries + Session creation - AI Conversation Expiry approved as cross-tenant with justification Adds approved cross-tenant query registry and Phase 2 checklist items. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs: add tenant isolation Phase 0 implementation plan 8 tasks covering: CRITICAL copilot hotfix, tenant_filter() helper, get_tenant_context dependency, analytics/category/AI session gap fixes, full UUID endpoint audit, TargetList dead code audit, teams orphan check, and CI grep check for missing tenant filters. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: add tenant_filter() helper and get_tenant_context dependency tenant_filter(model, account_id) is the canonical app-layer tenant scoping expression. Every query on a tenant table must use it. build_tree_access_filter and build_step_visibility_filter updated to call tenant_filter() internally for the account_id match. get_tenant_context is a FastAPI dependency that returns account_id or raises 403 if the user has no account — prevents raw access to current_user.account_id and centralises the null check. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: scope analytics/flows/{tree_id} to requesting account Any authenticated user could read flow analytics (session counts, completion rates, CSAT) for any tree UUID. Now returns 404 if the tree doesn't belong to the requesting account. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: scope category tree_count to requesting account tree_count on GET /categories/{id} was including trees from all accounts, leaking cross-tenant row counts. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: restrict AI session search to current user only Search endpoint used OR(user_id, account_id), exposing other users' problem_summary and problem_domain within the same account. Sessions are user-scoped only — cross-user access requires explicit escalation or sharing. List and search endpoints now behave consistently. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: add ownership check and 404 responses to ai-sessions endpoints Cross-tenant isolation audit found: - retry-psa-push had NO ownership check (CRITICAL) — any user could retry any session's PSA push - save_task_lane used db.get() without ownership filter, returned 403 revealing existence - get_session returned 403 instead of 404 for unauthorized access - stream_documentation returned 403 instead of 404 All now use query-level user_id filtering and return 404 to avoid revealing existence. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: return 404 instead of 403 for cross-tenant session access All session endpoints (get, update, complete, scratchpad, variables, export, ticket-link) now return 404 instead of 403 when a user tries to access another user's session. This prevents confirming existence of resources across tenant boundaries. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: return 404 instead of 403 for cross-tenant tree access get_tree and update_tree now return 404 when a user cannot access a tree (private tree from another account). Prevents confirming resource existence across tenant boundaries. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: return 404 instead of 403 for cross-tenant step access get_step_or_404 now returns 404 when can_view_step or can_edit_step fails, preventing confirmation of step existence across tenant boundaries. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: return 404 instead of 403 for cross-tenant upload access get_upload_url and delete_upload now return 404 when the upload belongs to a different account/user, preventing resource existence confirmation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: return 404 instead of 403 for cross-tenant share access revoke_share and create_share now return 404 when the caller is not the owner, preventing resource existence confirmation across users. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: return 404 instead of 403 for cross-team tree access in maintenance schedules _get_tree_or_403 now returns 404 when the user's team does not match, preventing confirmation of tree existence across teams. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: return 404 instead of 403 for cross-account tag access get_tag now returns 404 for account-specific tags that belong to another account, preventing resource existence confirmation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: return 404 instead of 403 for cross-account step category access get_step_category now returns 404 for account-specific categories that belong to another account, preventing resource existence confirmation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * test: add cross-tenant isolation tests for Task 6 UUID audit Tests cover: - Tree GET/PUT returns 404 for cross-account access - Session GET returns 404 for cross-user access - AI session GET returns 404 for cross-user access - AI session retry-psa-push requires ownership - Upload URL returns 404 for cross-account access - Share revoke returns 404 for cross-user access Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: return 404 (not 403) for get_documentation cross-user access; add missing Task 6 tests get_documentation was revealing session existence via 403. Added pre-check query filtering by session_id AND user_id before calling the engine. Also add cross-tenant isolation tests for steps, tags, step_categories, and maintenance_schedules endpoints fixed in Task 6 (TDD was skipped). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: address Task 6 quality review — rename helper, restore 403 for intra-account, add docs test - Rename _get_tree_or_403 → _get_tree_or_404 in maintenance_schedules.py (function now raises 404, old name was misleading) - Restore HTTP 403 for intra-account permission failures in update_tree: same-account users who can see a tree but can't edit it got 404 (wrong); only cross-account lookups should return 404 to avoid confirming existence - Apply same 403/404 distinction to update_tree_visibility - Add test: get_documentation must return 404 for cross-user session access - Add comment documenting owner-only design for documentation endpoints Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore: Task 7+8 — TargetList audit, CI tenant-filter grep check Task 7: TargetList dead code audit - Found active code references in 12+ files across backend and frontend (full CRUD API + frontend page + MaintenanceScheduleSection + BatchLaunchModal) - Decision: migrate to account_id in Phase 1 (cannot drop) - DB row count not available from code-server — must verify from VPS SSH before Phase 1 migration - Teams orphan check query documented; must run from VPS SSH before Phase 1 - Results documented in spec Section 9 Task 8: CI tenant-filter enforcement check (warn mode) - Create backend/scripts/check_tenant_filters.py Scans endpoint and service files for select() on tenant tables without tenant_filter/account_id/user_id in surrounding context. Currently reports 109 warnings (Phase 1 backlog). Exits 0 (warn mode). - Add Check tenant filter enforcement step to backend CI job Add --fail flag after Phase 1 backlog clears to make it blocking. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs: record Phase 0 audit results — 0 orphaned teams, 0 target_list rows Both checks confirmed 2026-04-09 from production DB. Phase 1 migration is safe to proceed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
579 lines
20 KiB
Python
579 lines
20 KiB
Python
"""Phase 0 tenant-isolation tests.
|
|
|
|
Verifies that endpoints respect account boundaries and don't leak data
|
|
across tenants. Each task group tests a specific endpoint fix.
|
|
"""
|
|
import uuid
|
|
import datetime as dt
|
|
import pytest
|
|
from httpx import AsyncClient
|
|
from sqlalchemy.ext.asyncio import AsyncSession
|
|
|
|
from app.models.account import Account
|
|
from app.models.user import User
|
|
from app.models.tree import Tree
|
|
from app.core.security import get_password_hash
|
|
|
|
|
|
# ── Helpers ──────────────────────────────────────────────────────────────────
|
|
|
|
async def _create_account_and_user(db: AsyncSession, prefix: str):
|
|
"""Create a fresh account + engineer user. Returns (account, user, plain_password)."""
|
|
password = "TestPass123!"
|
|
account = Account(
|
|
name=f"{prefix}-corp",
|
|
display_code=uuid.uuid4().hex[:8],
|
|
)
|
|
db.add(account)
|
|
await db.flush()
|
|
|
|
user = User(
|
|
email=f"{prefix}-{uuid.uuid4().hex[:6]}@example.com",
|
|
name=f"{prefix} user",
|
|
password_hash=get_password_hash(password),
|
|
is_active=True,
|
|
account_id=account.id,
|
|
account_role="engineer",
|
|
)
|
|
db.add(user)
|
|
await db.flush()
|
|
return account, user, password
|
|
|
|
|
|
async def _login(client: AsyncClient, email: str, password: str) -> dict:
|
|
"""Log in and return Authorization headers."""
|
|
resp = await client.post(
|
|
"/api/v1/auth/login",
|
|
json={"email": email, "password": password},
|
|
)
|
|
assert resp.status_code == 200, f"Login failed: {resp.text}"
|
|
token = resp.json()["access_token"]
|
|
return {"Authorization": f"Bearer {token}"}
|
|
|
|
|
|
async def _create_private_tree(db: AsyncSession, account: Account, user: User) -> Tree:
|
|
"""Create a private tree owned by the given account/user."""
|
|
tree = Tree(
|
|
name=f"Private Tree {uuid.uuid4().hex[:6]}",
|
|
account_id=account.id,
|
|
author_id=user.id,
|
|
visibility="private",
|
|
tree_type="troubleshooting",
|
|
tree_structure={"id": "root", "type": "start", "children": []},
|
|
is_active=True,
|
|
status="published",
|
|
)
|
|
db.add(tree)
|
|
await db.flush()
|
|
return tree
|
|
|
|
|
|
# ── Task 3: Analytics flow endpoint ──────────────────────────────────────────
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_analytics_flow_cannot_read_other_account_tree(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""Account A cannot read flow analytics for Account B's private tree."""
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "anl-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "anl-b")
|
|
tree_b = await _create_private_tree(test_db, acct_b, user_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
|
|
resp = await client.get(
|
|
f"/api/v1/analytics/flows/{tree_b.id}",
|
|
headers=headers_a,
|
|
)
|
|
assert resp.status_code == 404, f"Expected 404, got {resp.status_code}: {resp.text}"
|
|
|
|
|
|
# ── Task 4: Category tree count ───────────────────────────────────────────────
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_category_tree_count_scoped_to_account(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""tree_count on a category must not include trees from other accounts."""
|
|
from app.models.category import TreeCategory
|
|
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "cat-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "cat-b")
|
|
|
|
# Shared category (account_id=None means global)
|
|
category = TreeCategory(
|
|
name="Shared Category",
|
|
slug=f"shared-cat-{uuid.uuid4().hex[:6]}",
|
|
account_id=None,
|
|
is_active=True,
|
|
)
|
|
test_db.add(category)
|
|
await test_db.flush()
|
|
|
|
# 3 trees for account_b under this category
|
|
for i in range(3):
|
|
tree = Tree(
|
|
name=f"B Tree {i}",
|
|
account_id=acct_b.id,
|
|
author_id=user_b.id,
|
|
category_id=category.id,
|
|
visibility="team",
|
|
tree_type="troubleshooting",
|
|
tree_structure={"id": "root", "type": "start", "children": []},
|
|
is_active=True,
|
|
status="published",
|
|
)
|
|
test_db.add(tree)
|
|
|
|
# 1 tree for account_a under this category
|
|
tree_a = Tree(
|
|
name="A Tree",
|
|
account_id=acct_a.id,
|
|
author_id=user_a.id,
|
|
category_id=category.id,
|
|
visibility="team",
|
|
tree_type="troubleshooting",
|
|
tree_structure={"id": "root", "type": "start", "children": []},
|
|
is_active=True,
|
|
status="published",
|
|
)
|
|
test_db.add(tree_a)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
|
|
resp = await client.get(
|
|
f"/api/v1/categories/{category.id}",
|
|
headers=headers_a,
|
|
)
|
|
assert resp.status_code == 200, resp.text
|
|
# account_a should only see their 1 tree, not account_b's 3
|
|
assert resp.json()["tree_count"] == 1, (
|
|
f"Expected tree_count=1 (own trees only), got {resp.json()['tree_count']}"
|
|
)
|
|
|
|
|
|
# ── Task 5: AI session search scope ──────────────────────────────────────────
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_ai_session_search_cannot_see_other_users_sessions(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""User A cannot find User B's AI sessions via the search endpoint,
|
|
even when both users are in the same account."""
|
|
from app.models.ai_session import AISession
|
|
|
|
# Two users in the SAME account
|
|
account = Account(name="Shared Corp", display_code=uuid.uuid4().hex[:8])
|
|
test_db.add(account)
|
|
await test_db.flush()
|
|
|
|
password = "TestPass123!"
|
|
user_a = User(
|
|
email=f"user-a-{uuid.uuid4().hex[:6]}@shared.com",
|
|
name="User A",
|
|
password_hash=get_password_hash(password),
|
|
is_active=True,
|
|
account_id=account.id,
|
|
account_role="engineer",
|
|
)
|
|
user_b = User(
|
|
email=f"user-b-{uuid.uuid4().hex[:6]}@shared.com",
|
|
name="User B",
|
|
password_hash=get_password_hash(password),
|
|
is_active=True,
|
|
account_id=account.id,
|
|
account_role="engineer",
|
|
)
|
|
test_db.add_all([user_a, user_b])
|
|
await test_db.flush()
|
|
|
|
# Session belonging to user_b with distinctive problem_summary
|
|
session_b = AISession(
|
|
user_id=user_b.id,
|
|
account_id=account.id,
|
|
problem_summary="CONFIDENTIAL: user_b's session",
|
|
problem_domain="networking",
|
|
status="resolved",
|
|
)
|
|
test_db.add(session_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, password)
|
|
|
|
resp = await client.get(
|
|
"/api/v1/ai-sessions/search",
|
|
params={"q": "CONFIDENTIAL"},
|
|
headers=headers_a,
|
|
)
|
|
assert resp.status_code == 200, resp.text
|
|
results = resp.json()
|
|
ids = [r["id"] for r in results]
|
|
assert str(session_b.id) not in ids, (
|
|
"User A can see User B's session via search — cross-user leak within account"
|
|
)
|
|
|
|
|
|
# ── Task 6: Cross-tenant UUID audit ─────────────────────────────────────────
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_get_tree_returns_404_not_403_for_other_account(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""Account A gets 404 (not 403) when accessing Account B's private tree."""
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "t6-tree-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "t6-tree-b")
|
|
tree_b = await _create_private_tree(test_db, acct_b, user_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.get(f"/api/v1/trees/{tree_b.id}", headers=headers_a)
|
|
assert resp.status_code == 404, (
|
|
f"Expected 404 for cross-tenant tree access, got {resp.status_code}"
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_update_tree_returns_404_not_403_for_other_account(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""Account A gets 404 (not 403) when trying to update Account B's tree."""
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "t6-upd-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "t6-upd-b")
|
|
tree_b = await _create_private_tree(test_db, acct_b, user_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.put(
|
|
f"/api/v1/trees/{tree_b.id}",
|
|
json={"name": "Hacked"},
|
|
headers=headers_a,
|
|
)
|
|
assert resp.status_code == 404, (
|
|
f"Expected 404 for cross-tenant tree update, got {resp.status_code}"
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_get_session_returns_404_not_403_for_other_user(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""User A gets 404 (not 403) when accessing User B's session."""
|
|
from app.models.session import Session
|
|
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "t6-sess-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "t6-sess-b")
|
|
tree_b = await _create_private_tree(test_db, acct_b, user_b)
|
|
|
|
session_b = Session(
|
|
tree_id=tree_b.id,
|
|
user_id=user_b.id,
|
|
tree_snapshot={"id": "root", "type": "start", "children": []},
|
|
path_taken=[],
|
|
decisions=[],
|
|
)
|
|
test_db.add(session_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.get(f"/api/v1/sessions/{session_b.id}", headers=headers_a)
|
|
assert resp.status_code == 404, (
|
|
f"Expected 404 for cross-user session access, got {resp.status_code}"
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_ai_session_get_returns_404_not_403_for_other_user(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""User A gets 404 (not 403) when accessing User B's AI session."""
|
|
from app.models.ai_session import AISession
|
|
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "t6-ais-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "t6-ais-b")
|
|
|
|
ai_session_b = AISession(
|
|
user_id=user_b.id,
|
|
account_id=acct_b.id,
|
|
problem_summary="Test session",
|
|
problem_domain="networking",
|
|
status="active",
|
|
)
|
|
test_db.add(ai_session_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.get(f"/api/v1/ai-sessions/{ai_session_b.id}", headers=headers_a)
|
|
assert resp.status_code == 404, (
|
|
f"Expected 404 for cross-user AI session access, got {resp.status_code}"
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_ai_session_retry_psa_push_requires_ownership(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""User A cannot retry PSA push for User B's AI session."""
|
|
from app.models.ai_session import AISession
|
|
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "t6-psa-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "t6-psa-b")
|
|
|
|
ai_session_b = AISession(
|
|
user_id=user_b.id,
|
|
account_id=acct_b.id,
|
|
problem_summary="PSA test",
|
|
problem_domain="networking",
|
|
status="resolved",
|
|
)
|
|
test_db.add(ai_session_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.post(
|
|
f"/api/v1/ai-sessions/{ai_session_b.id}/retry-psa-push",
|
|
headers=headers_a,
|
|
)
|
|
assert resp.status_code == 404, (
|
|
f"Expected 404 for cross-user retry-psa-push, got {resp.status_code}"
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_upload_url_returns_404_not_403_for_other_account(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""User A gets 404 (not 403) when accessing User B's upload URL."""
|
|
from app.models.file_upload import FileUpload
|
|
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "t6-upl-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "t6-upl-b")
|
|
|
|
upload_b = FileUpload(
|
|
account_id=acct_b.id,
|
|
uploaded_by=user_b.id,
|
|
filename="secret.png",
|
|
content_type="image/png",
|
|
size_bytes=1024,
|
|
storage_key="test/secret.png",
|
|
)
|
|
test_db.add(upload_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.get(f"/api/v1/uploads/{upload_b.id}/url", headers=headers_a)
|
|
assert resp.status_code in (404, 503), (
|
|
f"Expected 404 (or 503 if storage not configured) for cross-account upload, got {resp.status_code}"
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_share_revoke_returns_404_not_403_for_other_user(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""User A gets 404 (not 403) when revoking User B's share."""
|
|
from app.models.session import Session
|
|
from app.models.session_share import SessionShare
|
|
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "t6-shr-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "t6-shr-b")
|
|
tree_b = await _create_private_tree(test_db, acct_b, user_b)
|
|
|
|
session_b = Session(
|
|
tree_id=tree_b.id,
|
|
user_id=user_b.id,
|
|
tree_snapshot={"id": "root", "type": "start", "children": []},
|
|
path_taken=[],
|
|
decisions=[],
|
|
)
|
|
test_db.add(session_b)
|
|
await test_db.flush()
|
|
|
|
share_b = SessionShare(
|
|
session_id=session_b.id,
|
|
account_id=acct_b.id,
|
|
share_token="test-token-unique-" + uuid.uuid4().hex[:8],
|
|
share_name="Test",
|
|
visibility="public",
|
|
created_by=user_b.id,
|
|
)
|
|
test_db.add(share_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.delete(f"/api/v1/shares/{share_b.id}", headers=headers_a)
|
|
assert resp.status_code == 404, (
|
|
f"Expected 404 for cross-user share revoke, got {resp.status_code}"
|
|
)
|
|
|
|
|
|
# ── Task 6 (continued): steps, tags, step_categories, maintenance_schedules ──
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_cannot_access_other_account_step(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""User A gets 404 when reading a team-visibility step owned by Account B."""
|
|
from app.models.step_library import StepLibrary
|
|
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "t6-step-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "t6-step-b")
|
|
|
|
# Create a team-visibility step owned by account B
|
|
step_b = StepLibrary(
|
|
title="Account B Confidential Step",
|
|
step_type="action",
|
|
content={"description": "secret step"},
|
|
created_by=user_b.id,
|
|
account_id=acct_b.id,
|
|
visibility="team",
|
|
is_active=True,
|
|
)
|
|
test_db.add(step_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.get(f"/api/v1/steps/{step_b.id}", headers=headers_a)
|
|
assert resp.status_code == 404, (
|
|
f"Expected 404 for cross-account step access, got {resp.status_code}: {resp.text}"
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_cannot_access_other_account_tag(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""User A gets 404 when reading a tag scoped to Account B."""
|
|
from app.models.tag import TreeTag
|
|
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "t6-tag-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "t6-tag-b")
|
|
|
|
# Create an account-scoped tag for account B
|
|
tag_b = TreeTag(
|
|
name=f"account-b-tag-{uuid.uuid4().hex[:6]}",
|
|
slug=f"account-b-tag-{uuid.uuid4().hex[:6]}",
|
|
account_id=acct_b.id,
|
|
)
|
|
test_db.add(tag_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.get(f"/api/v1/tags/{tag_b.id}", headers=headers_a)
|
|
assert resp.status_code == 404, (
|
|
f"Expected 404 for cross-account tag access, got {resp.status_code}: {resp.text}"
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_cannot_access_other_account_step_category(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""User A gets 404 when reading a step category scoped to Account B."""
|
|
from app.models.step_category import StepCategory
|
|
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "t6-scat-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "t6-scat-b")
|
|
|
|
# Create an account-scoped step category for account B
|
|
category_b = StepCategory(
|
|
name=f"Account B Category {uuid.uuid4().hex[:6]}",
|
|
slug=f"account-b-cat-{uuid.uuid4().hex[:6]}",
|
|
account_id=acct_b.id,
|
|
is_active=True,
|
|
)
|
|
test_db.add(category_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.get(f"/api/v1/step-categories/{category_b.id}", headers=headers_a)
|
|
assert resp.status_code == 404, (
|
|
f"Expected 404 for cross-account step category access, got {resp.status_code}: {resp.text}"
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_maintenance_schedule_returns_404_for_other_team(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""User A gets 404 when reading a maintenance schedule belonging to Team B's tree."""
|
|
from app.models.team import Team
|
|
from app.models.maintenance_schedule import MaintenanceSchedule
|
|
|
|
# Create two separate teams
|
|
team_a = Team(name="Team A Corp")
|
|
team_b = Team(name="Team B Corp")
|
|
test_db.add_all([team_a, team_b])
|
|
await test_db.flush()
|
|
|
|
# Create accounts and users, assign to respective teams
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "t6-ms-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "t6-ms-b")
|
|
user_a.team_id = team_a.id
|
|
user_b.team_id = team_b.id
|
|
await test_db.flush()
|
|
|
|
# Create a maintenance tree owned by team B
|
|
tree_b = Tree(
|
|
name="Team B Maintenance Flow",
|
|
account_id=acct_b.id,
|
|
author_id=user_b.id,
|
|
team_id=team_b.id,
|
|
visibility="team",
|
|
tree_type="maintenance",
|
|
tree_structure={"id": "root", "type": "start", "children": []},
|
|
is_active=True,
|
|
status="published",
|
|
)
|
|
test_db.add(tree_b)
|
|
await test_db.flush()
|
|
|
|
# Create a schedule for that tree
|
|
schedule_b = MaintenanceSchedule(
|
|
tree_id=tree_b.id,
|
|
created_by=user_b.id,
|
|
cron_expression="0 2 * * 0",
|
|
timezone="UTC",
|
|
is_active=True,
|
|
next_run_at=dt.datetime(2026, 12, 31, tzinfo=dt.timezone.utc),
|
|
)
|
|
test_db.add(schedule_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.get(f"/api/v1/maintenance-schedules/tree/{tree_b.id}", headers=headers_a)
|
|
assert resp.status_code == 404, (
|
|
f"Expected 404 for cross-team maintenance schedule access, got {resp.status_code}: {resp.text}"
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_get_documentation_returns_404_for_other_user_session(
|
|
client: AsyncClient, test_db: AsyncSession
|
|
):
|
|
"""GET /ai-sessions/{id}/documentation must return 404 (not 403) for cross-user access."""
|
|
from app.models.ai_session import AISession
|
|
|
|
acct_a, user_a, pass_a = await _create_account_and_user(test_db, "doc-a")
|
|
acct_b, user_b, pass_b = await _create_account_and_user(test_db, "doc-b")
|
|
|
|
session_b = AISession(
|
|
user_id=user_b.id,
|
|
account_id=acct_b.id,
|
|
problem_summary="B's confidential session",
|
|
problem_domain="networking",
|
|
status="resolved",
|
|
)
|
|
test_db.add(session_b)
|
|
await test_db.commit()
|
|
|
|
headers_a = await _login(client, user_a.email, pass_a)
|
|
resp = await client.get(
|
|
f"/api/v1/ai-sessions/{session_b.id}/documentation",
|
|
headers=headers_a,
|
|
)
|
|
assert resp.status_code == 404, f"Expected 404, got {resp.status_code}: {resp.text}"
|