youngkingdom/dify
1
0
Fork 0
mirror of https://github.com/langgenius/dify.git synced 2026-05-27 04:16:16 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
14d4f6f2d41a2d63f66e92fa0c7738ffa7986ece
dify/api/tests/unit_tests/controllers/openapi/conftest.py
GareArc 9b25980b09 feat(openapi): redesign auth pipeline — one pipeline per token type with PipelineRouter 
Replace the single mutable-context Pipeline with a two-phase, condition-driven
system dispatched by token type.

New architecture:
- TokenType(StrEnum) replaces source: str on AuthContext / TokenKind
- AuthPipeline: pure prepare→auth step runner; no guard()
- PipelineRoute: binds AuthPipeline to an optional required_edition gate
- PipelineRouter: single guard() entry point; runs edition/license/token-type
  pre-gates then dispatches to the registered pipeline for the token type
- Cond / When: composable predicates for conditional step dispatch
- AuthData: frozen Pydantic model produced by the prepare phase; carries
  token_id so endpoints don't need to call get_auth_ctx() for identity fields
- Edition enum + current_edition(): CE / EE / SAAS discriminator

Two pipelines in composition.py:
- account_pipeline  — OAUTH_ACCOUNT tokens
- external_sso_pipeline — OAUTH_EXTERNAL_SSO tokens (EE enforced at route level)

All /openapi/v1 endpoints migrated to auth_router.guard().
Old context.py, steps.py, strategies.py, surface_gate.py deleted.
WORKSPACE_READ scope added; cached_verdicts renamed to membership_cache.
2026-05-26 03:16:28 -07:00

49 lines
1.4 KiB
Python
Raw Blame History

import uuid
import pytest
from flask import Flask
from controllers.openapi import bp as openapi_bp
from controllers.openapi.auth.data import AuthData
from controllers.openapi.auth.pipeline import PipelineRouter
from libs.oauth_bearer import Scope, TokenType
def _stub_execute(self, args, kwargs, view, *, scope=None, allowed_token_types=None, edition=None):
"""Bypass all auth logic; inject minimal AuthData and call the view directly."""
kwargs["auth_data"] = AuthData(
token_type=TokenType.OAUTH_ACCOUNT,
account_id=uuid.uuid4(),
token_hash="test",
token_id=uuid.uuid4(),
scopes=frozenset({Scope.FULL}),
required_scope=scope,
)
return view(*args, **kwargs)
@pytest.fixture
def bypass_pipeline(monkeypatch):
"""Stub PipelineRouter._execute so endpoints skip real auth at request time.
Module-level @auth_router.guard(...) captures the real router at import
time — patching guard itself does nothing. Patching _execute on the class
is the seam that fires at request time.
"""
monkeypatch.setattr(PipelineRouter, "_execute", _stub_execute)
@pytest.fixture
def openapi_app():
app = Flask(__name__)
app.config["TESTING"] = True
app.register_blueprint(openapi_bp)
return app
@pytest.fixture
def app():
a = Flask(__name__)
a.config["TESTING"] = True
return a
Reference in New Issue View Git Blame Copy Permalink