iflow-mcp_democratize-technology-chronos-mcp 2.0.0__py3-none-any.whl

tests/unit/test_config.py

@@ -0,0 +1,111 @@
+"""
+Unit tests for configuration management
+"""
+
+import pytest
+
+from chronos_mcp.config import ChronosConfig, ConfigManager
+from chronos_mcp.models import Account
+
+
+class TestConfigManager:
+    def test_config_init(self, mock_config_manager):
+        """Test ConfigManager initialization"""
+        # The config_dir is set but not necessarily created until save
+        assert mock_config_manager.config_dir.name == ".chronos"
+        assert mock_config_manager.config_file.name == "accounts.json"
+        assert isinstance(mock_config_manager.config, ChronosConfig)
+
+    def test_add_account(self, mock_config_manager, sample_account):
+        """Test adding an account"""
+        mock_config_manager.add_account(sample_account)
+        assert "test_account" in mock_config_manager.config.accounts
+        assert (
+            mock_config_manager.config.accounts["test_account"].username == "testuser"
+        )
+        # Should be set as default if it's the first account
+        assert mock_config_manager.config.default_account == "test_account"
+
+    def test_remove_account(self, mock_config_manager, sample_account):
+        """Test removing an account"""
+        mock_config_manager.add_account(sample_account)
+        mock_config_manager.remove_account("test_account")
+        assert "test_account" not in mock_config_manager.config.accounts
+        assert mock_config_manager.config.default_account is None
+
+    def test_get_account(self, mock_config_manager, sample_account):
+        """Test getting an account"""
+        mock_config_manager.add_account(sample_account)
+        account = mock_config_manager.get_account("test_account")
+        assert account.username == "testuser"
+
+    def test_get_default_account(self, mock_config_manager, sample_account):
+        """Test getting default account when no alias specified"""
+        mock_config_manager.add_account(sample_account)
+        account = mock_config_manager.get_account()  # No alias
+        assert account.username == "testuser"
+
+    def test_save_and_load_config(self, tmp_path, sample_account):
+        """Test saving and loading configuration"""
+        # Create a config manager with a real temp directory
+        config_dir = tmp_path / ".chronos"
+        config_dir.mkdir(exist_ok=True)
+
+        # Override the config_dir for this test
+        mgr = ConfigManager()
+        mgr.config_dir = config_dir
+        mgr.config_file = config_dir / "accounts.json"
+
+        # Add account and save
+        mgr.add_account(sample_account)
+        mgr.save_config()  # Changed from _save_config to save_config
+
+        # Verify file was created
+        assert mgr.config_file.exists()
+
+        # Create new manager instance to test loading
+        new_mgr = ConfigManager()
+        new_mgr.config_dir = config_dir
+        new_mgr.config_file = config_dir / "accounts.json"
+        new_mgr._load_config()
+
+        assert "test_account" in new_mgr.config.accounts
+        assert new_mgr.config.accounts["test_account"].username == "testuser"
+
+    def test_list_accounts(self, mock_config_manager, sample_account):
+        """Test listing all accounts"""
+        mock_config_manager.add_account(sample_account)
+        accounts = mock_config_manager.list_accounts()
+        assert len(accounts) == 1
+        assert "test_account" in accounts
+
+    def test_add_duplicate_account_raises_error(
+        self, mock_config_manager, sample_account
+    ):
+        """Test that adding an account with duplicate alias raises AccountAlreadyExistsError"""
+        from chronos_mcp.exceptions import AccountAlreadyExistsError
+
+        # Add the first account
+        mock_config_manager.add_account(sample_account)
+
+        # Create a second account with the same alias but different URL
+        duplicate_account = Account(
+            alias="test_account",  # Same alias
+            url="https://different.caldav.com",  # Different URL
+            username="different_user",
+            password="different_pass",
+        )
+
+        # Attempt to add duplicate should raise error
+        with pytest.raises(AccountAlreadyExistsError) as exc_info:
+            mock_config_manager.add_account(duplicate_account)
+
+        # Verify error details
+        assert "test_account" in str(exc_info.value)
+        assert exc_info.value.error_code == "ACCOUNT_EXISTS"
+
+        # Verify original account was not modified
+        accounts = mock_config_manager.list_accounts()
+        assert len(accounts) == 1
+        assert str(accounts["test_account"].url) == "https://caldav.example.com/"
+        assert accounts["test_account"].username == "testuser"

tests/unit/test_config_validation.py

@@ -0,0 +1,128 @@
+"""
+Tests for configuration validation
+"""
+
+import os
+from unittest.mock import patch, Mock
+import pytest
+
+from chronos_mcp.config import ConfigManager
+from chronos_mcp.exceptions import ValidationError
+
+
+class TestConfigValidation:
+    """Test configuration input validation"""
+
+    @patch('os.getenv')
+    @patch('chronos_mcp.config.get_credential_manager')
+    def test_environment_password_validation(self, mock_cred_manager, mock_getenv):
+        """Test that environment variable passwords are validated"""
+        # Mock environment variables with control character in password
+        def getenv_side_effect(key, default=None):
+            env_vars = {
+                'CALDAV_BASE_URL': 'https://example.com',
+                'CALDAV_USERNAME': 'valid_user',
+                'CALDAV_PASSWORD': 'a' * 11000  # Exceeds max length
+            }
+            return env_vars.get(key, default)
+
+        mock_getenv.side_effect = getenv_side_effect
+        mock_cred_manager.return_value.keyring_available = False
+
+        # Should skip environment account due to validation failure
+        config_mgr = ConfigManager()
+
+        # Default account should not be created due to validation failure
+        assert "default" not in config_mgr.config.accounts
+
+    @patch('os.getenv')
+    @patch('chronos_mcp.config.get_credential_manager')
+    def test_environment_username_validation(self, mock_cred_manager, mock_getenv):
+        """Test that environment variable usernames are validated"""
+        # Mock environment variables with XSS in username
+        def getenv_side_effect(key, default=None):
+            env_vars = {
+                'CALDAV_BASE_URL': 'https://example.com',
+                'CALDAV_USERNAME': '<script>alert("xss")</script>',  # XSS - should be rejected
+                'CALDAV_PASSWORD': 'ValidPassword123'
+            }
+            return env_vars.get(key, default)
+
+        mock_getenv.side_effect = getenv_side_effect
+        mock_cred_manager.return_value.keyring_available = False
+
+        # Should skip environment account due to validation failure
+        config_mgr = ConfigManager()
+
+        # Default account should not be created
+        assert "default" not in config_mgr.config.accounts
+
+    @patch.dict(os.environ, {
+        'CALDAV_BASE_URL': 'https://example.com',
+        'CALDAV_USERNAME': 'valid_user',
+        'CALDAV_PASSWORD': 'ValidP@ssw0rd!'
+    })
+    @patch('chronos_mcp.config.get_credential_manager')
+    def test_environment_valid_credentials(self, mock_cred_manager):
+        """Test that valid environment credentials are accepted"""
+        mock_cred_mgr = Mock()
+        mock_cred_mgr.keyring_available = False
+        mock_cred_manager.return_value = mock_cred_mgr
+
+        config_mgr = ConfigManager()
+
+        # Default account should be created with valid inputs
+        assert "default" in config_mgr.config.accounts
+        assert config_mgr.config.accounts["default"].username == "valid_user"
+        assert config_mgr.config.accounts["default"].password == "ValidP@ssw0rd!"
+
+
+class TestModelValidation:
+    """Test Pydantic model-level validation (defense-in-depth)"""
+
+    def test_account_model_password_validation(self):
+        """Test that Account model validates password field"""
+        from chronos_mcp.models import Account
+        from pydantic import ValidationError
+
+        # Test with oversized password - should be rejected by validator
+        with pytest.raises(ValidationError) as exc_info:
+            Account(
+                alias="test",
+                url="https://example.com",
+                username="user",
+                password="a" * 11000,  # Exceeds validation limit
+                display_name="Test Account"
+            )
+
+        assert "CALDAV_PASSWORD" in str(exc_info.value) or "password" in str(exc_info.value).lower()
+
+    def test_account_model_valid_password(self):
+        """Test that Account model accepts valid passwords"""
+        from chronos_mcp.models import Account
+
+        # Valid password should pass
+        account = Account(
+            alias="test",
+            url="https://example.com",
+            username="user",
+            password="ValidP@ssw0rd!123",
+            display_name="Test Account"
+        )
+
+        assert account.password == "ValidP@ssw0rd!123"
+
+    def test_account_model_none_password(self):
+        """Test that Account model accepts None password (keyring scenario)"""
+        from chronos_mcp.models import Account
+
+        # None password should pass (for keyring usage)
+        account = Account(
+            alias="test",
+            url="https://example.com",
+            username="user",
+            password=None,
+            display_name="Test Account"
+        )
+
+        assert account.password is None

tests/unit/test_credentials_security.py

@@ -0,0 +1,189 @@
+"""
+Security-focused tests for credential management
+"""
+
+import io
+import logging
+import sys
+from unittest.mock import MagicMock, Mock, patch
+
+import pytest
+
+from chronos_mcp.credentials import CredentialManager, get_credential_manager
+
+
+class TestCredentialSecurity:
+    """Test security aspects of credential management"""
+
+    def test_no_password_info_in_debug_logs(self, caplog):
+        """Test that password information is redacted in debug logs"""
+        # Test with keyring available
+        with patch("chronos_mcp.credentials.keyring") as mock_keyring:
+            mock_keyring.get_password.return_value = "test_password"
+
+            manager = CredentialManager()
+            manager.keyring_available = True
+
+            with caplog.at_level(logging.DEBUG):
+                password = manager.get_password("test_alias")
+
+            # Check that debug log doesn't contain actual alias
+            debug_logs = [
+                record.message
+                for record in caplog.records
+                if record.levelname == "DEBUG"
+            ]
+            assert any("[REDACTED]" in log for log in debug_logs)
+            assert not any("test_alias" in log for log in debug_logs)
+            assert password == "test_password"
+
+    def test_no_password_info_in_fallback_logs(self, caplog):
+        """Test that fallback password logs are redacted"""
+        manager = CredentialManager()
+        manager.keyring_available = False
+
+        with caplog.at_level(logging.DEBUG):
+            password = manager.get_password(
+                "test_alias", fallback_password="fallback_pass"
+            )
+
+        # Check that debug log doesn't contain actual alias
+        debug_logs = [
+            record.message for record in caplog.records if record.levelname == "DEBUG"
+        ]
+        assert any("[REDACTED]" in log for log in debug_logs)
+        assert not any("test_alias" in log for log in debug_logs)
+        assert password == "fallback_pass"
+
+    def test_no_password_info_in_store_logs(self, caplog):
+        """Test that password storage logs are redacted"""
+        with patch("chronos_mcp.credentials.keyring") as mock_keyring:
+            mock_keyring.set_password.return_value = None
+
+            manager = CredentialManager()
+            manager.keyring_available = True
+
+            with caplog.at_level(logging.INFO):
+                result = manager.set_password("test_alias", "secret_password")
+
+            # Check that info log doesn't contain actual alias
+            info_logs = [
+                record.message
+                for record in caplog.records
+                if record.levelname == "INFO"
+            ]
+            assert any("[REDACTED]" in log for log in info_logs)
+            assert not any("test_alias" in log for log in info_logs)
+            assert result is True
+
+    def test_no_password_info_in_delete_logs(self, caplog):
+        """Test that password deletion logs are redacted"""
+        with patch("chronos_mcp.credentials.keyring") as mock_keyring:
+            mock_keyring.delete_password.return_value = None
+
+            manager = CredentialManager()
+            manager.keyring_available = True
+
+            with caplog.at_level(logging.INFO):
+                result = manager.delete_password("test_alias")
+
+            # Check logs don't contain actual alias
+            info_logs = [
+                record.message
+                for record in caplog.records
+                if record.levelname == "INFO"
+            ]
+            assert any("[REDACTED]" in log for log in info_logs)
+            assert not any("test_alias" in log for log in info_logs)
+            assert result is True
+
+    def test_no_password_info_in_debug_delete_logs(self, caplog):
+        """Test that debug deletion logs are redacted"""
+        with (
+            patch("chronos_mcp.credentials.keyring") as mock_keyring,
+            patch("chronos_mcp.credentials.keyring.errors") as mock_errors,
+        ):
+
+            # Create a proper PasswordDeleteError exception
+            class MockPasswordDeleteError(Exception):
+                pass
+
+            mock_errors.PasswordDeleteError = MockPasswordDeleteError
+
+            # Make delete_password raise the exception
+            mock_keyring.delete_password.side_effect = MockPasswordDeleteError()
+
+            manager = CredentialManager()
+            manager.keyring_available = True
+
+            with caplog.at_level(logging.DEBUG):
+                result = manager.delete_password("test_alias")
+
+            # Check that debug log doesn't contain actual alias
+            debug_logs = [
+                record.message
+                for record in caplog.records
+                if record.levelname == "DEBUG"
+            ]
+            assert any("[REDACTED]" in log for log in debug_logs)
+            assert not any("test_alias" in log for log in debug_logs)
+            assert result is False
+
+    def test_no_password_info_when_keyring_unavailable(self, caplog):
+        """Test redacted logs when keyring is unavailable"""
+        manager = CredentialManager()
+        manager.keyring_available = False
+
+        with caplog.at_level(logging.DEBUG):
+            result = manager.set_password("test_alias", "secret_password")
+
+        # Check that debug log doesn't contain actual alias
+        debug_logs = [
+            record.message for record in caplog.records if record.levelname == "DEBUG"
+        ]
+        assert any("[REDACTED]" in log for log in debug_logs)
+        assert not any("test_alias" in log for log in debug_logs)
+        assert result is False
+
+    def test_password_never_logged_directly(self, caplog):
+        """Test that actual passwords are never logged anywhere"""
+        with patch("chronos_mcp.credentials.keyring") as mock_keyring:
+            mock_keyring.get_password.return_value = "supersecret123"
+            mock_keyring.set_password.return_value = None
+            mock_keyring.delete_password.return_value = None
+
+            manager = CredentialManager()
+            manager.keyring_available = True
+
+            # Capture all log levels
+            with caplog.at_level(logging.DEBUG):
+                manager.get_password("test_alias")
+                manager.set_password("test_alias", "supersecret123")
+                manager.delete_password("test_alias")
+
+            # Check that password never appears in any log
+            all_logs = [record.message for record in caplog.records]
+            assert not any("supersecret123" in log for log in all_logs)
+            assert not any(
+                "secret" in log.lower()
+                for log in all_logs
+                if "supersecret123" not in log
+            )
+
+    def test_alias_never_logged_in_password_context(self, caplog):
+        """Test that aliases never appear in password-related logs"""
+        sensitive_alias = "production_admin_account"
+
+        with patch("chronos_mcp.credentials.keyring") as mock_keyring:
+            mock_keyring.get_password.return_value = "password123"
+
+            manager = CredentialManager()
+            manager.keyring_available = True
+
+            with caplog.at_level(logging.DEBUG):
+                manager.get_password(sensitive_alias)
+
+            # Check that sensitive alias never appears in logs
+            all_logs = [record.message for record in caplog.records]
+            assert not any(sensitive_alias in log for log in all_logs)
+            assert any("[REDACTED]" in log for log in all_logs)

tests/unit/test_cryptography_security.py

@@ -0,0 +1,178 @@
+"""
+Test suite for cryptography security and version compatibility.
+
+This test verifies that the cryptography library functions correctly for
+our use case and helps detect any security vulnerabilities or compatibility
+issues when updating to newer versions.
+"""
+
+import pytest
+import sys
+from unittest.mock import patch, MagicMock
+
+
+# Test version information
+def test_cryptography_version_check():
+    """Test that cryptography version is appropriate for security requirements."""
+    try:
+        import cryptography
+        from packaging import version
+
+        current_version = version.parse(cryptography.__version__)
+
+        # Version 45.0.5 is our current version
+        # We should verify it's at least this version to ensure known vulnerabilities are patched
+        min_version = version.parse("42.0.4")  # Known vulnerable versions are < 42.0.4
+
+        assert (
+            current_version >= min_version
+        ), f"Cryptography version {current_version} is below minimum secure version {min_version}"
+
+        print(f"Current cryptography version: {current_version}")
+
+    except ImportError:
+        pytest.fail("Cryptography library not available")
+
+
+def test_keyring_cryptography_integration():
+    """Test that keyring works with current cryptography version."""
+    try:
+        import keyring
+        from chronos_mcp.credentials import CredentialManager
+
+        # Test that credential manager can be instantiated
+        credential_manager = CredentialManager()
+
+        # Test basic functionality - this should not fail with cryptography issues
+        status = credential_manager.get_status()
+        assert isinstance(status, dict)
+        assert "keyring_available" in status
+
+        # If keyring is available, test basic operations
+        if status["keyring_available"]:
+            # Test storing and retrieving a test credential
+            test_alias = "test_crypto_security"
+            test_password = "test_password_123"
+
+            try:
+                # Store password
+                result = credential_manager.set_password(test_alias, test_password)
+
+                if result:  # Only test retrieval if storage succeeded
+                    # Retrieve password
+                    retrieved = credential_manager.get_password(test_alias)
+                    assert retrieved == test_password
+
+                    # Clean up
+                    credential_manager.delete_password(test_alias)
+
+            except Exception as e:
+                # Log the error but don't fail the test if it's a platform-specific keyring issue
+                print(f"Keyring operation failed (may be platform-specific): {e}")
+
+    except ImportError as e:
+        pytest.skip(f"Keyring not available: {e}")
+
+
+def test_cryptography_vulnerable_version_detection():
+    """Test that we can detect if we're running a vulnerable cryptography version."""
+    try:
+        import cryptography
+        from packaging import version
+
+        current_version = version.parse(cryptography.__version__)
+
+        # Known vulnerable versions
+        vulnerable_versions = [
+            "38.0.0",
+            "38.0.1",
+            "38.0.2",
+            "38.0.3",
+            "38.0.4",
+            "39.0.0",
+            "40.0.0",
+            "40.0.1",
+            "40.0.2",
+            "41.0.0",
+            "41.0.1",
+            "41.0.2",
+            "41.0.3",
+            "41.0.4",
+            "41.0.5",
+            "41.0.6",
+            "41.0.7",
+            "42.0.0",
+            "42.0.1",
+            "42.0.2",
+            "42.0.3",  # CVE-2023-23931, CVE-2023-0286
+        ]
+
+        # This test should PASS with our current version (45.0.5)
+        # but would FAIL if we were running a vulnerable version
+        for vuln_version in vulnerable_versions:
+            assert current_version > version.parse(vuln_version), (
+                f"Current version {current_version} is vulnerable! "
+                f"Known vulnerable version: {vuln_version}"
+            )
+
+    except ImportError:
+        pytest.fail("Cryptography library not available")
+
+
+def test_future_cryptography_version_compatibility():
+    """Test that updating to newer cryptography versions doesn't break our usage."""
+    try:
+        import cryptography
+        from packaging import version
+
+        current_version = version.parse(cryptography.__version__)
+
+        # Test that we're not on a version that's too old
+        # Version 46.0.1 is the latest as of this test
+        recommended_min = version.parse("45.0.0")
+
+        assert (
+            current_version >= recommended_min
+        ), f"Cryptography version {current_version} is older than recommended minimum {recommended_min}"
+
+        # This test will help us detect if a future update breaks compatibility
+        # by testing basic cryptographic operations that keyring might use
+        from cryptography.fernet import Fernet
+        from cryptography.hazmat.primitives import hashes
+        from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+        import os
+        import base64
+
+        # Test basic encryption/decryption (similar to what keyring backends might do)
+        password = b"test_password"
+        salt = os.urandom(16)
+
+        kdf = PBKDF2HMAC(
+            algorithm=hashes.SHA256(),
+            length=32,
+            salt=salt,
+            iterations=100000,
+        )
+        key = base64.urlsafe_b64encode(kdf.derive(password))
+        f = Fernet(key)
+
+        # Test encryption/decryption
+        test_data = b"sensitive credential data"
+        encrypted = f.encrypt(test_data)
+        decrypted = f.decrypt(encrypted)
+
+        assert decrypted == test_data, "Basic cryptography operations failed"
+
+    except ImportError:
+        pytest.fail("Cryptography library not available")
+    except Exception as e:
+        pytest.fail(f"Cryptography compatibility test failed: {e}")
+
+
+if __name__ == "__main__":
+    # Run tests directly for debugging
+    test_cryptography_version_check()
+    test_keyring_cryptography_integration()
+    test_cryptography_vulnerable_version_detection()
+    test_future_cryptography_version_compatibility()
+    print("All cryptography security tests passed!")