Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add opt-in write access for all token-visible repos

Browse Source
This commit is contained in:
Latte
2026-02-14 16:35:03 +01:00
parent e22a8d37e4
commit 8504a95a11
10 changed files with 74 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
tests/test_config.py
View File

@@ -78,3 +78,31 @@ def test_settings_singleton(mock_env: None) -> None:
settings2 = get_settings()
assert settings1 is settings2
def test_write_mode_requires_whitelist_or_allow_all(monkeypatch: pytest.MonkeyPatch) -> None:
"""Write mode without whitelist must be rejected unless allow-all is enabled."""
monkeypatch.setenv("GITEA_URL", "https://gitea.example.com")
monkeypatch.setenv("GITEA_TOKEN", "test-token")
monkeypatch.setenv("MCP_API_KEYS", "a" * 64)
monkeypatch.setenv("WRITE_MODE", "true")
monkeypatch.delenv("WRITE_REPOSITORY_WHITELIST", raising=False)
monkeypatch.setenv("WRITE_ALLOW_ALL_TOKEN_REPOS", "false")
reset_settings()
with pytest.raises(ValidationError):
get_settings()
def test_write_mode_allows_all_token_repos(monkeypatch: pytest.MonkeyPatch) -> None:
"""Allow-all mode should pass validation without explicit repository whitelist."""
monkeypatch.setenv("GITEA_URL", "https://gitea.example.com")
monkeypatch.setenv("GITEA_TOKEN", "test-token")
monkeypatch.setenv("MCP_API_KEYS", "a" * 64)
monkeypatch.setenv("WRITE_MODE", "true")
monkeypatch.delenv("WRITE_REPOSITORY_WHITELIST", raising=False)
monkeypatch.setenv("WRITE_ALLOW_ALL_TOKEN_REPOS", "true")
reset_settings()
settings = get_settings()
assert settings.write_allow_all_token_repos is True

17
tests/test_policy.py
View File

@@ -125,3 +125,20 @@ def test_write_mode_repository_whitelist(monkeypatch: pytest.MonkeyPatch, tmp_pa
assert allowed.allowed
assert denied.allowed is False
def test_write_mode_allow_all_token_repos(monkeypatch: pytest.MonkeyPatch, tmp_path: Path) -> None:
"""Write mode can be configured to allow all repos accessible to token."""
_set_base_env(monkeypatch)
monkeypatch.setenv("WRITE_MODE", "true")
monkeypatch.setenv("WRITE_ALLOW_ALL_TOKEN_REPOS", "true")
policy_path = tmp_path / "policy.yaml"
policy_path.write_text("defaults:\n write: allow\n", encoding="utf-8")
reset_settings()
_ = get_settings()
engine = PolicyEngine.from_yaml_file(policy_path)
decision = engine.authorize("create_issue", is_write=True, repository="acme/any-repo")
assert decision.allowed