v0.1.20 - Fixed auth white and black lists

2025-12-16 06:54:26 -04:00
parent a5880ebdf6
commit 281c686fde
20 changed files with 24447 additions and 7290 deletions
--- a/tests/white_black_list_test.sh
+++ b/tests/white_black_list_test.sh
@@ -1,19 +1,28 @@
 #!/bin/bash

 # white_black_list_test.sh - Whitelist/Blacklist Rules Test Suite
-# Tests the auth_rules table functionality for pubkey and MIME type filtering
+# Tests the auth_rules table functionality using Kind 23458 admin commands

 # Configuration
 SERVER_URL="http://localhost:9001"
 UPLOAD_ENDPOINT="${SERVER_URL}/upload"
-DB_PATH="db/ginxsom.db"
+ADMIN_API_ENDPOINT="${SERVER_URL}/api/admin"
+DB_PATH="db/52e366edfa4e9cc6a6d4653828e51ccf828a2f5a05227d7a768f33b5a198681a.db"
 TEST_DIR="tests/auth_test_tmp"
+TEST_KEYS_FILE=".test_keys"

 # Test results tracking
 TESTS_PASSED=0
 TESTS_FAILED=0
 TOTAL_TESTS=0

+# Load admin keys from .test_keys
+if [[ ! -f "$TEST_KEYS_FILE" ]]; then
+    echo "❌ $TEST_KEYS_FILE not found"
+    exit 1
+fi
+source "$TEST_KEYS_FILE"
+
 # Test keys for different scenarios - Using WSB's keys for TEST_USER1
 # Generated using: nak key public <privkey>
 TEST_USER1_PRIVKEY="22cc83aa57928a2800234c939240c9a6f0f44a33ea3838a860ed38930b195afd"
@@ -42,6 +51,37 @@ record_test_result() {
    fi
 }

+# Helper function to send admin command via Kind 23458
+send_admin_command() {
+    local command_json="$1"
+    
+    # Encrypt command with NIP-44
+    local encrypted_command=$(nak encrypt --sec "$ADMIN_PRIVKEY" -p "$SERVER_PUBKEY" "$command_json")
+    
+    if [[ -z "$encrypted_command" ]]; then
+        echo "❌ Failed to encrypt command"
+        return 1
+    fi
+    
+    # Create Kind 23458 event
+    local event=$(nak event -k 23458 \
+        -c "$encrypted_command" \
+        --tag p="$SERVER_PUBKEY" \
+        --sec "$ADMIN_PRIVKEY")
+    
+    if [[ -z "$event" ]]; then
+        echo "❌ Failed to create admin event"
+        return 1
+    fi
+    
+    # Send to admin API endpoint
+    local response=$(curl -s -X POST "$ADMIN_API_ENDPOINT" \
+        -H "Content-Type: application/json" \
+        -d "$event")
+    
+    echo "$response"
+}
+
 # Check prerequisites
 for cmd in nak curl jq sqlite3; do
    if ! command -v $cmd &> /dev/null; then
@@ -130,20 +170,24 @@ test_upload() {
 }

 # Clean up any existing rules from previous tests
-echo "Cleaning up existing auth rules..."
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules;" 2>/dev/null
+echo "Cleaning up existing auth rules via admin command..."
+CLEANUP_CMD='["sql_query", "DELETE FROM auth_rules"]'
+send_admin_command "$CLEANUP_CMD" > /dev/null 2>&1

 # Enable authentication rules
 echo "Enabling authentication rules..."
-sqlite3 "$DB_PATH" "UPDATE config SET value = 'true' WHERE key = 'auth_rules_enabled';"
+ENABLE_CMD='["config_update", {"auth_rules_enabled": "true"}]'
+send_admin_command "$ENABLE_CMD" > /dev/null 2>&1

 echo
 echo "=== SECTION 1: PUBKEY BLACKLIST TESTS ==="
 echo

-# Test 1: Add pubkey blacklist rule
-echo "Adding blacklist rule for TEST_USER3..."
-sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_blacklist', '$TEST_USER3_PUBKEY', 'upload', 10, 'Test blacklist');"
+# Test 1: Add pubkey blacklist rule via admin command
+echo "Adding blacklist rule for TEST_USER3 via admin API..."
+BLACKLIST_CMD='["blacklist", "pubkey", "'$TEST_USER3_PUBKEY'"]'
+BLACKLIST_RESPONSE=$(send_admin_command "$BLACKLIST_CMD")
+echo "Response: $BLACKLIST_RESPONSE" | jq -c '.' 2>/dev/null || echo "$BLACKLIST_RESPONSE"

 # Test 1a: Blacklisted user should be denied
 test_file1=$(create_test_file "blacklist_test1.txt" "Content from blacklisted user")
@@ -157,13 +201,16 @@ echo
 echo "=== SECTION 2: PUBKEY WHITELIST TESTS ==="
 echo

-# Clean rules
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"
+# Clean rules via admin command
+echo "Cleaning rules via admin API..."
+CLEANUP_CMD='["sql_query", "DELETE FROM auth_rules"]'
+send_admin_command "$CLEANUP_CMD" > /dev/null 2>&1

-# Test 2: Add pubkey whitelist rule
-echo "Adding whitelist rule for TEST_USER1..."
-sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_whitelist', '$TEST_USER1_PUBKEY', 'upload', 300, 'Test whitelist');"
+# Test 2: Add pubkey whitelist rule via admin command
+echo "Adding whitelist rule for TEST_USER1 via admin API..."
+WHITELIST_CMD='["whitelist", "pubkey", "'$TEST_USER1_PUBKEY'"]'
+WHITELIST_RESPONSE=$(send_admin_command "$WHITELIST_CMD")
+echo "Response: $WHITELIST_RESPONSE" | jq -c '.' 2>/dev/null || echo "$WHITELIST_RESPONSE"

 # Test 2a: Whitelisted user should succeed
 test_file3=$(create_test_file "whitelist_test1.txt" "Content from whitelisted user")
@@ -177,15 +224,17 @@ echo
 echo "=== SECTION 3: HASH BLACKLIST TESTS ==="
 echo

-# Clean rules
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
+# Clean rules via admin command
+CLEANUP_CMD='["sql_query", "DELETE FROM auth_rules"]'
+send_admin_command "$CLEANUP_CMD" > /dev/null 2>&1

-# Test 3: Create a file and blacklist its hash
+# Test 3: Create a file and blacklist its hash via admin command
 test_file5=$(create_test_file "hash_blacklist_test.txt" "This specific file is blacklisted")
 BLACKLISTED_HASH=$(sha256sum "$test_file5" | cut -d' ' -f1)

-echo "Adding hash blacklist rule for $BLACKLISTED_HASH..."
-sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('hash_blacklist', '$BLACKLISTED_HASH', 'upload', 100, 'Test hash blacklist');"
+echo "Adding hash blacklist rule for $BLACKLISTED_HASH via admin API..."
+HASH_BLACKLIST_CMD='["blacklist", "hash", "'$BLACKLISTED_HASH'"]'
+send_admin_command "$HASH_BLACKLIST_CMD" > /dev/null 2>&1

 # Test 3a: Blacklisted hash should be denied
 test_upload "Test 3a: Blacklisted Hash Upload" "$TEST_USER1_PRIVKEY" "$test_file5" "403"
@@ -198,13 +247,14 @@ echo
 echo "=== SECTION 4: MIME TYPE BLACKLIST TESTS ==="
 echo

-# Clean rules
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"
+# Clean rules via admin command
+CLEANUP_CMD='["sql_query", "DELETE FROM auth_rules"]'
+send_admin_command "$CLEANUP_CMD" > /dev/null 2>&1

-# Test 4: Blacklist executable MIME types
-echo "Adding MIME type blacklist rules..."
-sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('mime_blacklist', 'application/x-executable', 'upload', 200, 'Block executables');"
+# Test 4: Blacklist executable MIME types via admin command
+echo "Adding MIME type blacklist rules via admin API..."
+MIME_BLACKLIST_CMD='["blacklist", "mime", "application/x-executable"]'
+send_admin_command "$MIME_BLACKLIST_CMD" > /dev/null 2>&1

 # Note: This test would require the server to detect MIME types from file content
 # For now, we'll test with text/plain which should be allowed
@@ -215,14 +265,16 @@ echo
 echo "=== SECTION 5: MIME TYPE WHITELIST TESTS ==="
 echo

-# Clean rules
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"
+# Clean rules via admin command
+CLEANUP_CMD='["sql_query", "DELETE FROM auth_rules"]'
+send_admin_command "$CLEANUP_CMD" > /dev/null 2>&1

-# Test 5: Whitelist only image MIME types
-echo "Adding MIME type whitelist rules..."
-sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('mime_whitelist', 'image/jpeg', 'upload', 400, 'Allow JPEG');"
-sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('mime_whitelist', 'image/png', 'upload', 400, 'Allow PNG');"
+# Test 5: Whitelist only image MIME types via admin command
+echo "Adding MIME type whitelist rules via admin API..."
+MIME_WL1_CMD='["whitelist", "mime", "image/jpeg"]'
+MIME_WL2_CMD='["whitelist", "mime", "image/png"]'
+send_admin_command "$MIME_WL1_CMD" > /dev/null 2>&1
+send_admin_command "$MIME_WL2_CMD" > /dev/null 2>&1

 # Note: MIME type detection would need to be implemented in the server
 # For now, text/plain should be denied if whitelist exists
@@ -233,14 +285,16 @@ echo
 echo "=== SECTION 6: PRIORITY ORDERING TESTS ==="
 echo

-# Clean rules
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"
+# Clean rules via admin command
+CLEANUP_CMD='["sql_query", "DELETE FROM auth_rules"]'
+send_admin_command "$CLEANUP_CMD" > /dev/null 2>&1

 # Test 6: Blacklist should override whitelist (priority ordering)
-echo "Adding both blacklist (priority 10) and whitelist (priority 300) for same pubkey..."
-sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_blacklist', '$TEST_USER1_PUBKEY', 'upload', 10, 'Blacklist priority test');"
-sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_whitelist', '$TEST_USER1_PUBKEY', 'upload', 300, 'Whitelist priority test');"
+echo "Adding both blacklist and whitelist for same pubkey via admin API..."
+BL_CMD='["blacklist", "pubkey", "'$TEST_USER1_PUBKEY'"]'
+WL_CMD='["whitelist", "pubkey", "'$TEST_USER1_PUBKEY'"]'
+send_admin_command "$BL_CMD" > /dev/null 2>&1
+send_admin_command "$WL_CMD" > /dev/null 2>&1

 # Test 6a: Blacklist should win (lower priority number = higher priority)
 test_file9=$(create_test_file "priority_test.txt" "Testing priority ordering")
@@ -250,13 +304,14 @@ echo
 echo "=== SECTION 7: OPERATION-SPECIFIC RULES ==="
 echo

-# Clean rules
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"
+# Clean rules via admin command
+CLEANUP_CMD='["sql_query", "DELETE FROM auth_rules"]'
+send_admin_command "$CLEANUP_CMD" > /dev/null 2>&1

-# Test 7: Blacklist only for upload operation
-echo "Adding blacklist rule for upload operation only..."
-sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_blacklist', '$TEST_USER2_PUBKEY', 'upload', 10, 'Upload-only blacklist');"
+# Test 7: Blacklist for user via admin command
+echo "Adding blacklist rule for TEST_USER2 via admin API..."
+BL_USER2_CMD='["blacklist", "pubkey", "'$TEST_USER2_PUBKEY'"]'
+send_admin_command "$BL_USER2_CMD" > /dev/null 2>&1

 # Test 7a: Upload should be denied
 test_file10=$(create_test_file "operation_test.txt" "Testing operation-specific rules")
@@ -266,13 +321,14 @@ echo
 echo "=== SECTION 8: WILDCARD OPERATION TESTS ==="
 echo

-# Clean rules
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"
+# Clean rules via admin command
+CLEANUP_CMD='["sql_query", "DELETE FROM auth_rules"]'
+send_admin_command "$CLEANUP_CMD" > /dev/null 2>&1

-# Test 8: Blacklist for all operations using wildcard
-echo "Adding blacklist rule for all operations (*)..."
-sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description) VALUES ('pubkey_blacklist', '$TEST_USER3_PUBKEY', '*', 10, 'All operations blacklist');"
+# Test 8: Blacklist for user via admin command
+echo "Adding blacklist rule for TEST_USER3 via admin API..."
+BL_USER3_CMD='["blacklist", "pubkey", "'$TEST_USER3_PUBKEY'"]'
+send_admin_command "$BL_USER3_CMD" > /dev/null 2>&1

 # Test 8a: Upload should be denied
 test_file11=$(create_test_file "wildcard_test.txt" "Testing wildcard operation")
@@ -282,13 +338,13 @@ echo
 echo "=== SECTION 9: ENABLED/DISABLED RULES ==="
 echo

-# Clean rules
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules_cache;"
+# Clean rules via admin command
+CLEANUP_CMD='["sql_query", "DELETE FROM auth_rules"]'
+send_admin_command "$CLEANUP_CMD" > /dev/null 2>&1

 # Test 9: Disabled rule should not be enforced
-echo "Adding disabled blacklist rule..."
-sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, rule_target, operation, priority, enabled, description) VALUES ('pubkey_blacklist', '$TEST_USER1_PUBKEY', 'upload', 10, 0, 'Disabled blacklist');"
+echo "Adding disabled blacklist rule via SQL (admin API doesn't support active=0 on create)..."
+sqlite3 "$DB_PATH" "INSERT INTO auth_rules (rule_type, pattern_type, pattern_value, active) VALUES ('blacklist_pubkey', 'pubkey', '$TEST_USER1_PUBKEY', 0);"

 # Test 9a: Upload should succeed (rule is disabled)
 test_file12=$(create_test_file "disabled_rule_test.txt" "Testing disabled rule")
@@ -296,7 +352,7 @@ test_upload "Test 9a: Disabled Rule Not Enforced" "$TEST_USER1_PRIVKEY" "$test_f

 # Test 9b: Enable the rule
 echo "Enabling the blacklist rule..."
-sqlite3 "$DB_PATH" "UPDATE auth_rules SET enabled = 1 WHERE rule_target = '$TEST_USER1_PUBKEY';"
+sqlite3 "$DB_PATH" "UPDATE auth_rules SET active = 1 WHERE pattern_value = '$TEST_USER1_PUBKEY';"

 # Test 9c: Upload should now be denied
 test_file13=$(create_test_file "enabled_rule_test.txt" "Testing enabled rule")
@@ -307,9 +363,10 @@ echo
 echo "=== SECTION 11: CLEANUP AND RESET ==="
 echo

-# Clean up all test rules
-echo "Cleaning up test rules..."
-sqlite3 "$DB_PATH" "DELETE FROM auth_rules;"
+# Clean up all test rules via admin command
+echo "Cleaning up test rules via admin API..."
+CLEANUP_CMD='["sql_query", "DELETE FROM auth_rules"]'
+send_admin_command "$CLEANUP_CMD" > /dev/null 2>&1

 # Verify cleanup
 RULE_COUNT=$(sqlite3 "$DB_PATH" "SELECT COUNT(*) FROM auth_rules;" 2>/dev/null)