# retoor import json from tests.conftest import run_async from devplacepy.services.devii.actions.catalog import PLATFORM_CATALOG from devplacepy.services.devii.actions.dispatcher import Dispatcher class _Recorder: def __init__(self): self.calls = [] def record_system(self, event_key, **kwargs): self.calls.append((event_key, kwargs)) return "rec" class _FakeClient: def __init__(self, authenticated=True): self.authenticated = authenticated self.username = "voidwalker" def _bare_dispatcher(owner_kind, owner_id, *, is_admin=False, is_primary_admin=False): dispatcher = Dispatcher.__new__(Dispatcher) dispatcher._actions = PLATFORM_CATALOG.by_name() dispatcher._virtual_tools = None dispatcher._client = _FakeClient(authenticated=True) dispatcher._is_admin = is_admin dispatcher._is_primary_admin = is_primary_admin dispatcher._owner_kind = owner_kind dispatcher._owner_id = owner_id return dispatcher def _patch_recorder(monkeypatch): from devplacepy.services.audit import record as audit_record recorder = _Recorder() monkeypatch.setattr(audit_record, "record_system", recorder.record_system) return recorder def test_admin_tool_denied_for_member_is_audited(monkeypatch): recorder = _patch_recorder(monkeypatch) dispatcher = _bare_dispatcher("user", "member-uid-123", is_admin=False) result = run_async( dispatcher.dispatch( "admin_set_user_role", {"username": "voidwalker", "role": "Admin"} ) ) assert json.loads(result)["error"] == "auth_required" assert len(recorder.calls) == 1 event_key, kwargs = recorder.calls[0] assert event_key == "security.authz.denied" assert kwargs["origin"] == "devii" assert kwargs["via_agent"] == 1 assert kwargs["result"] == "denied" assert kwargs["actor_kind"] == "user" assert kwargs["actor_uid"] == "member-uid-123" assert kwargs["actor_role"] == "member" assert kwargs["metadata"]["tool"] == "admin_set_user_role" def test_admin_tool_denied_for_guest_actor_shape(monkeypatch): recorder = _patch_recorder(monkeypatch) dispatcher = _bare_dispatcher("guest", "cookie-abc", is_admin=False) run_async(dispatcher.dispatch("admin_list_users", {})) assert len(recorder.calls) == 1 _, kwargs = recorder.calls[0] assert kwargs["actor_kind"] == "guest" assert kwargs["actor_uid"] is None assert kwargs["actor_role"] == "guest" def test_admin_tool_allowed_for_admin_is_not_denial_audited(monkeypatch): recorder = _patch_recorder(monkeypatch) dispatcher = _bare_dispatcher("user", "admin-uid-9", is_admin=True) run_async(dispatcher.dispatch("admin_list_users", {})) assert all(call[0] != "security.authz.denied" for call in recorder.calls) def test_primary_admin_tool_denied_for_regular_admin_is_audited(monkeypatch): recorder = _patch_recorder(monkeypatch) dispatcher = _bare_dispatcher( "user", "admin-uid-9", is_admin=True, is_primary_admin=False ) result = run_async(dispatcher.dispatch("db_list_tables", {})) assert json.loads(result)["error"] == "auth_required" assert len(recorder.calls) == 1 event_key, kwargs = recorder.calls[0] assert event_key == "security.authz.denied" assert kwargs["metadata"]["tool"] == "db_list_tables" assert kwargs["actor_role"] == "admin"