"""Tests for tamper-evident audit logging."""
import json
from pathlib import Path
import pytest
from aegis_gitea_mcp.audit import AuditLogger, validate_audit_log_integrity
def test_audit_log_integrity_valid(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
    """An untouched log written by AuditLogger must pass integrity validation.

    The environment variables are patched with throwaway values before the
    logger is constructed; the test relies only on their presence, not on
    their content.  NOTE(review): the 64-character MCP_API_KEYS value looks
    like a minimum-length requirement of the settings loader — confirm
    against aegis_gitea_mcp rather than assuming.
    """
    required_env = {
        "GITEA_URL": "https://gitea.example.com",
        "GITEA_TOKEN": "token-123",
        "MCP_API_KEYS": "a" * 64,
    }
    for name, value in required_env.items():
        monkeypatch.setenv(name, value)

    log_path = tmp_path / "audit.log"
    audit = AuditLogger(log_path=log_path)
    # Two entries, so there is (presumably) at least one chain link between
    # consecutive records for the validator to check.
    for status in ("pending", "success"):
        audit.log_tool_invocation("list_repositories", result_status=status)
    audit.close()

    is_valid, integrity_errors = validate_audit_log_integrity(log_path)
    assert is_valid
    assert integrity_errors == []
def test_audit_log_integrity_detects_tamper(
    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
) -> None:
    """Editing a field of an already-written entry must break validation.

    Only in-place modification of the first entry's payload is exercised.
    NOTE(review): a hash chain on its own does not prove that trailing
    entries were not truncated, nor that the whole file was not swapped for
    a different but internally consistent chain; whether
    validate_audit_log_integrity anchors the chain end is not visible from
    this test, so those cases deserve separate coverage.
    """
    for name, value in (
        ("GITEA_URL", "https://gitea.example.com"),
        ("GITEA_TOKEN", "token-123"),
        ("MCP_API_KEYS", "a" * 64),
    ):
        monkeypatch.setenv(name, value)

    log_path = tmp_path / "audit.log"
    audit = AuditLogger(log_path=log_path)
    for status in ("pending", "success"):
        audit.log_tool_invocation("list_repositories", result_status=status)
    audit.close()

    # Simulate an attacker rewriting the recorded tool name of the first
    # entry while leaving every other line untouched.  Note that json.dumps
    # re-serialises the whole line, so its formatting may also differ from
    # what the logger originally wrote, not just the edited field.
    entries = log_path.read_text(encoding="utf-8").splitlines()
    tampered = json.loads(entries[0])
    tampered["payload"]["tool_name"] = "tampered"
    entries[0] = json.dumps(tampered)
    log_path.write_text("\n".join(entries) + "\n", encoding="utf-8")

    is_valid, integrity_errors = validate_audit_log_integrity(log_path)
    assert not is_valid
    assert integrity_errors