Loom / tools /sim_authtoken.py
deploy-space action
deploy 6158a00 (c)
b972454
Raw
History Blame Contribute Delete
5.18 kB
from __future__ import annotations
import json
import os
import threading
import time
import urllib.error
import urllib.request
from pathlib import Path
# Quota-free test of auto-rotating bearer tokens: window math + grace, tamper rejection,
# end-to-end auth with a derived token, and static back-compat. MOCK_MODE=1 python tools/sim_authtoken.py
os.environ.setdefault("MOCK_MODE", "1")
os.environ.setdefault("LOOM_LOG", "0")
os.environ.pop("METRICS_HF_REPO", None)
os.environ.pop("JOBS_HF_REPO", None)
for key in ("NVIDIA_API_KEY", "CF_API_TOKEN", "CF_ACCOUNT_ID", "OPENROUTER_API_KEY", "GITHUB_TOKEN"):
os.environ[key] = "mock"
import sys # noqa: E402
sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
import authtoken # noqa: E402
FAILS: list[str] = []
def check(name, cond, detail=""):
print(f" [{'PASS' if cond else 'FAIL'}] {name}" + (f" ({detail})" if detail else ""))
if not cond: FAILS.append(name)
SECRET = "root-secret-never-travels"
W = 3600
def main() -> int:
print("scenario: window math + grace + tamper")
t0 = 1_000_000_000.0 # arbitrary fixed clock
cur = authtoken.make_token(SECRET, now=t0, window_s=W)
prev = authtoken.make_token(SECRET, now=t0 - W, window_s=W)
two_ago = authtoken.make_token(SECRET, now=t0 - 2 * W, window_s=W)
check("token stable within a window",
cur == authtoken.make_token(SECRET, now=t0 + 5, window_s=W))
check("token changes across windows", cur != prev != two_ago and cur != two_ago)
check("current window accepted", authtoken.token_matches(cur, SECRET, now=t0, window_s=W, grace=1))
check("previous window accepted (grace)", authtoken.token_matches(prev, SECRET, now=t0, window_s=W, grace=1))
check("two-windows-ago REJECTED (expired)",
not authtoken.token_matches(two_ago, SECRET, now=t0, window_s=W, grace=1))
check("tampered token rejected", not authtoken.token_matches(cur[:-2] + "xy", SECRET, now=t0, window_s=W))
check("wrong secret rejected", not authtoken.token_matches(cur, "other-secret", now=t0, window_s=W))
check("a leaked token self-expires after window+grace",
not authtoken.token_matches(cur, SECRET, now=t0 + 2 * W + 1, window_s=W, grace=1))
print("scenario: end-to-end auth with a derived token (no static token set)")
os.environ.pop("CRITIQUE_TOKEN", None)
os.environ["CRITIQUE_ROTATION_SECRET"] = SECRET
os.environ["TOKEN_WINDOW_S"] = str(W)
import importlib
importlib.reload(authtoken)
import critique_service as cs
importlib.reload(cs)
PORT = 7975
panel = cs.Panel()
srv = cs.BoundedThreadingHTTPServer(("127.0.0.1", PORT), cs.Handler, max_workers=8)
srv.panel = panel
from jobs import JobRunner
srv.jobs = JobRunner(panel, judge_timeout_s=30)
threading.Thread(target=srv.serve_forever, daemon=True).start()
time.sleep(1.0)
def call(token):
req = urllib.request.Request(f"http://127.0.0.1:{PORT}/api/stats",
headers={"Authorization": f"Bearer {token}"})
try:
return urllib.request.urlopen(req, timeout=10).status
except urllib.error.HTTPError as e:
return e.code
good = authtoken.make_token(SECRET) # current real-clock token
check("derived current token authenticates (200)", call(good) == 200, f"code={call(good)}")
check("garbage token rejected (401)", call("not-a-real-token") == 401)
check("a stale window token rejected (401)",
call(authtoken.make_token(SECRET, now=time.time() - 5 * W)) == 401)
h = json.load(urllib.request.urlopen(f"http://127.0.0.1:{PORT}/health", timeout=10))
check("/health reports rotation enabled", (h.get("token_rotation") or {}).get("enabled") is True,
str(h.get("token_rotation")))
check("/health never exposes the secret or a token",
SECRET not in json.dumps(h) and good not in json.dumps(h))
srv.shutdown()
print("scenario: static token still works (back-compat)")
os.environ.pop("CRITIQUE_ROTATION_SECRET", None)
os.environ["CRITIQUE_TOKEN"] = "static-classic"
importlib.reload(authtoken); importlib.reload(cs)
PORT2 = 7976
panel2 = cs.Panel()
srv2 = cs.BoundedThreadingHTTPServer(("127.0.0.1", PORT2), cs.Handler, max_workers=8)
srv2.panel = panel2
srv2.jobs = JobRunner(panel2, judge_timeout_s=30)
threading.Thread(target=srv2.serve_forever, daemon=True).start()
time.sleep(1.0)
def call2(token):
req = urllib.request.Request(f"http://127.0.0.1:{PORT2}/api/stats",
headers={"Authorization": f"Bearer {token}"})
try:
return urllib.request.urlopen(req, timeout=10).status
except urllib.error.HTTPError as e:
return e.code
check("static token authenticates", call2("static-classic") == 200)
check("wrong static token rejected", call2("nope") == 401)
srv2.shutdown()
print()
if FAILS:
print(f"FAILED ({len(FAILS)}): {FAILS}"); return 1
print("ALL AUTH-TOKEN SCENARIOS PASSED (zero real API calls)"); return 0
if __name__ == "__main__":
raise SystemExit(main())