gooneyryan/hermes-agent
0
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-21 03:39:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bb/gui
hermes-agent/tests/gateway/test_telegram_callback_auth_fail_closed.py
T
liuhao1024 89d32052ed fix(telegram): fail-closed auth fallback when TELEGRAM_ALLOWED_USERS is empty 
The _is_callback_user_authorized fallback returned True when
TELEGRAM_ALLOWED_USERS was not set, allowing any Telegram user
to interact with the bot. Change to fail-closed: deny by default
unless GATEWAY_ALLOW_ALL_USERS=true is explicitly set.

Fixes #24457
2026-05-18 22:08:08 -07:00

109 lines
4.2 KiB
Python
Raw Permalink Blame History

"""Tests for Telegram adapter fail-closed auth fallback (#24457).
The _is_callback_user_authorized fallback must deny users by default
when TELEGRAM_ALLOWED_USERS is empty, instead of allowing everyone.
"""
import sys
import types
from types import SimpleNamespace
import pytest
from gateway.config import PlatformConfig, Platform
# -- Fake telegram modules (minimal stubs) --------------------------------
_fake_telegram_error = types.ModuleType("telegram.error")
class _TelegramError(Exception):
pass
_fake_telegram_error.TelegramError = _TelegramError
_fake_telegram_error.BadRequest = type("BadRequest", (_TelegramError,), {})
_fake_telegram_error.NetworkError = type("NetworkError", (_TelegramError,), {})
_fake_telegram_constants = types.ModuleType("telegram.constants")
_fake_telegram_constants.ParseMode = SimpleNamespace(HTML="HTML")
_fake_telegram_request = types.ModuleType("telegram.request")
_fake_telegram_request.HTTPXRequest = type("HTTPXRequest", (), {"__init__": lambda *a, **kw: None})
_fake_telegram_ext = types.ModuleType("telegram.ext")
_fake_telegram_ext.ApplicationBuilder = type("ApplicationBuilder", (), {
"token": lambda self, *a: self,
"build": lambda self: None,
})
_fake_telegram = types.ModuleType("telegram")
_fake_telegram.error = _fake_telegram_error
_fake_telegram.constants = _fake_telegram_constants
_fake_telegram.ext = _fake_telegram_ext
_fake_telegram.request = _fake_telegram_request
@pytest.fixture(autouse=True)
def _inject_fake_telegram(monkeypatch):
monkeypatch.setitem(sys.modules, "telegram", _fake_telegram)
monkeypatch.setitem(sys.modules, "telegram.error", _fake_telegram_error)
monkeypatch.setitem(sys.modules, "telegram.constants", _fake_telegram_constants)
monkeypatch.setitem(sys.modules, "telegram.ext", _fake_telegram_ext)
monkeypatch.setitem(sys.modules, "telegram.request", _fake_telegram_request)
def _make_adapter():
from gateway.platforms.telegram import TelegramAdapter
config = PlatformConfig(enabled=True, token="fake-token")
adapter = object.__new__(TelegramAdapter)
adapter.config = config
adapter._config = config
adapter._platform = Platform.TELEGRAM
adapter._connected = True
return adapter
class TestCallbackAuthFailClosed:
"""_is_callback_user_authorized fallback must be fail-closed."""
def test_no_allowlist_no_allow_all_denies(self, monkeypatch):
"""No TELEGRAM_ALLOWED_USERS and no GATEWAY_ALLOW_ALL_USERS → deny."""
monkeypatch.delenv("TELEGRAM_ALLOWED_USERS", raising=False)
monkeypatch.delenv("GATEWAY_ALLOW_ALL_USERS", raising=False)
adapter = _make_adapter()
# Force the fallback path (no runner auth)
adapter._message_handler = None
assert adapter._is_callback_user_authorized("12345") is False
def test_no_allowlist_with_global_allow_all_permits(self, monkeypatch):
"""No TELEGRAM_ALLOWED_USERS but GATEWAY_ALLOW_ALL_USERS=true → allow."""
monkeypatch.delenv("TELEGRAM_ALLOWED_USERS", raising=False)
monkeypatch.setenv("GATEWAY_ALLOW_ALL_USERS", "true")
adapter = _make_adapter()
adapter._message_handler = None
assert adapter._is_callback_user_authorized("12345") is True
def test_allowlist_with_matching_user_permits(self, monkeypatch):
"""TELEGRAM_ALLOWED_USERS contains the user → allow."""
monkeypatch.setenv("TELEGRAM_ALLOWED_USERS", "12345,67890")
adapter = _make_adapter()
adapter._message_handler = None
assert adapter._is_callback_user_authorized("12345") is True
def test_allowlist_without_matching_user_denies(self, monkeypatch):
"""TELEGRAM_ALLOWED_USERS does not contain the user → deny."""
monkeypatch.setenv("TELEGRAM_ALLOWED_USERS", "67890")
adapter = _make_adapter()
adapter._message_handler = None
assert adapter._is_callback_user_authorized("12345") is False
def test_allowlist_wildcard_permits(self, monkeypatch):
"""TELEGRAM_ALLOWED_USERS=* → allow everyone."""
monkeypatch.setenv("TELEGRAM_ALLOWED_USERS", "*")
adapter = _make_adapter()
adapter._message_handler = None
assert adapter._is_callback_user_authorized("12345") is True
Reference in New Issue View Git Blame Copy Permalink