57 lines
1.7 KiB
Python
57 lines
1.7 KiB
Python
# ruff: noqa: INP001
|
|
"""Regression test sketch for agent-token lookup complexity.
|
|
|
|
Context:
|
|
- Current implementation performs PBKDF2 verification in a loop over *all* agents
|
|
that have a token hash (`agent_auth._find_agent_for_token`).
|
|
- This is O(N_agents) *and* each verify is expensive (PBKDF2 200k iterations).
|
|
|
|
This test is marked xfail to document the desired behavior after a hardening
|
|
refactor: O(1) lookup + single hash verify.
|
|
|
|
Once token lookup is refactored, flip this to a normal passing test.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from types import SimpleNamespace
|
|
|
|
import pytest
|
|
|
|
from app.core import agent_auth
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
@pytest.mark.xfail(
|
|
reason="Known DoS risk: agent token verification is currently O(N_agents)."
|
|
" Refactor token scheme/lookup to O(1) and make this pass.",
|
|
strict=False,
|
|
)
|
|
async def test_agent_token_lookup_should_not_verify_more_than_once(
|
|
monkeypatch: pytest.MonkeyPatch,
|
|
) -> None:
|
|
# Fake a session that returns many agents with token hashes.
|
|
class _FakeSession:
|
|
async def exec(self, _stmt: object) -> list[object]:
|
|
agents = []
|
|
for i in range(50):
|
|
agents.append(
|
|
SimpleNamespace(agent_token_hash=f"pbkdf2_sha256$1$salt{i}$digest{i}")
|
|
)
|
|
return agents
|
|
|
|
calls = {"n": 0}
|
|
|
|
def _fake_verify(_token: str, _stored_hash: str) -> bool:
|
|
calls["n"] += 1
|
|
# Always invalid
|
|
return False
|
|
|
|
monkeypatch.setattr(agent_auth, "verify_agent_token", _fake_verify)
|
|
|
|
out = await agent_auth._find_agent_for_token(_FakeSession(), "invalid") # type: ignore[arg-type]
|
|
assert out is None
|
|
|
|
# Desired behavior after refactor: avoid linear scan.
|
|
assert calls["n"] <= 1
|