jr2dZddlmZddlZddlmcmZddl Z ddl Z ddl Z ddl mZddlZeej#j$dZe j(j+deeedz dz Ze j0j3deZe ej6ej8ed d e j0j;eZej6j?ed Z d Z!dZ"dZ#dZ$dZ%y)utests/regression/test_refresh_bot_token.py — task-2483 회귀 테스트. 모리건(개발3팀 테스터) 작성. scripts/refresh_bot_token.py 인터페이스 명세 기반 6항목. 루(Lugh)의 구현이 없으면 전체 SKIP (ImportError guard). ) annotationsN)Pathscriptszrefresh_bot_token.pyrefresh_bot_tokenu& 미작성 — 루(Lugh) 구현 대기T)allow_module_levelc~ddlm}ddlm}|j dd}|j |j j|jj|j}d}tjd || }dd l }|j|}|j|d d i}|d} d} | | k(} | slt!j"d| fd| | ft!j$| t!j$| dz} dd| iz} t't!j(| d x} x} } |d} d } | | k(} | slt!j"d| fd| | ft!j$| t!j$| dz} dd| iz} t't!j(| d x} x} } |d} d}||z }| |k(} | st!j"d| fd| |ft!j$| dt+j,vst!j.|rt!j$|ndt!j$|dz} dd| iz}t't!j(|d x} x} x}}|d} d}||z}| |k(} | st!j"d| fd | |ft!j$| dt+j,vst!j.|rt!j$|ndt!j$|dz} dd| iz}t't!j(|d x} x} x}}y )!uUJWT는 RS256으로 발급되며, iat=now-60 (시계 skew 흡수), exp=now+540 (9분).r serializationrsa)public_exponentkey_size)encodingformatencryption_algorithmiSe3616524)nowNverify_signatureF)optionsalgRS256==z%(py1)s == %(py4)spy1py4assert %(py6)spy6issiat<)z%(py1)s == (%(py3)s - %(py5)s) fixed_now)rpy3py5assert %(py8)spy8expi)z%(py1)s == (%(py3)s + %(py5)s))cryptography.hazmat.primitivesr )cryptography.hazmat.primitives.asymmetricr generate_private_key private_bytesEncodingPEM PrivateFormatPKCS8 NoEncryptionrbt generate_jwtjwtget_unverified_headerdecode @pytest_ar_call_reprcompare _safereprAssertionError_format_explanation @py_builtinslocals_should_repr_global_name)r r private_key pem_bytesr&tokenpyjwtheaderpayload @py_assert0 @py_assert3 @py_assert2 @py_format5 @py_format7 @py_assert4 @py_assert6 @py_format9s >/home/jay/workspace/tests/regression/test_refresh_bot_token.py#test_jwt_generation_rs256_with_skewrQs-<=**54*PK))''++**00*779*I I   Y y  AE  ( ( /Fll5+=u*ElFG %=#G#=G ####=G###=###G####### 5>&Y&>Y &&&&>Y&&&>&&&Y&&&&&&& 5>++Y^+>^ ++++>^+++>++++++Y+++Y++++++++++ 5>,,Y_,>_ ,,,,>_,,,>,,,,,,Y,,,Y,,,,,,,,,,cX|dz }|jdtjt||dz }||k(}|st j d|fd||fdt jvst j|rt j|nddt jvst j|rt j|nddz}t jd d zd |iz}tt j|d }|j}|}|sd dt jvst j|rt j|ndt j|t j|dz}tt j|d x}}|dz }|jdtjt|dz |}|j}|}|st jddzdt jvst j|rt j|ndt j|t j|dz}tt j|d x}}|dz } | jd| j|dz } td} | jsCt!j"t$5tjt| | d d d y tjt| | } | j}|}|st jddzdt jvst j| rt j| ndt j|t j|dz}tt j|d x}}y #1swYy xYw)uPEM 경로 우선순위 및 fallback 동작 검증. 인터페이스 명세: env_path 존재 → 그 경로 반환. env_path None/미존재 → fallback. 둘 다 없으면 FileNotFoundError. 구현 align 주석: resolve_pem_path() 내부에 하드코딩된 /home/jay/.secrets/... 경로가 candidates 중간에 삽입된다. 이 파일이 실서버에서 실제 존재하므로, env_path=None 시 항상 존재하는 경로가 반환된다. FileNotFoundError case는 CI(실서버 .secrets 없음) 환경에서만 재현 가능. → 환경 독립적으로 검증 가능한 case만 PASS 기준으로 설정. z primary.pemprimaryz fallback.pem) fallback_pathr)z%(py0)s == %(py2)sresultpy0py2u(env_path 존재 시 해당 경로 반환 >assert %(py4)sr NzAassert %(py4)s {%(py4)s = %(py2)s {%(py2)s = %(py0)s.exists }() }rXrYr backup.pemdummyz missing.pemu%후보 중 존재하는 경로 반환zC >assert %(py4)s {%(py4)s = %(py2)s {%(py2)s = %(py0)s.exists }() }returnedz ghost.pemxznone_fallback.pemzG/home/jay/.secrets/jeon-jonghyuk-taskctl-bot.2026-05-05.private-key.pemu5hardcoded fallback 경로 반환 시 존재해야 함returned_hardcoded) write_textr5resolve_pem_pathstrr:r;r?r@rAr<_format_assertmsgr=r>existsunlinkrpytestraisesFileNotFoundError) tmp_pathrTrV @py_assert1 @py_format3rKrIfallbackr^ghost none_fallback hardcodedr`s rP#test_pem_fallback_when_main_missingrq<s&G y!  ! !#g,h>W ! XF W HHH6WHHHHHH6HHH6HHHHHHWHHHWHHHHHHHHHHH ===??66=?,&H  ##C=(@$AQY#ZH ??E? E EEEEEEEEE8EEE8EEE?EEE EEEEEE { "E S LLN22M^_I     ]], - J  U= I J J!11#e*M1Z!((c(*c*cc,ccccccc!ccc!ccc(ccc*cccccc  J Js !P  P)c|dz }d}|jd|d|dz }ddlm}ddlm}|j d d j |jj|jj|j}|d z }|j|d } |jtd | |jtd|tjdt!|dt!|g} d} | | k(} | st#j$d| fd| | fdt'j(vst#j*| rt#j,| ndt#j,| dz} t#j.ddzd| iz}t1t#j2|dx} } |j4}|}||v} | st#j$d| fd||fdt'j(vst#j*|rt#j,|nddt'j(vst#j*|rt#j,|ndt#j,|t#j,|dz}dd |iz}t1t#j2|dx} x}}|j5j7Dcgc](}|j9st;j<|*}}d!|D} t?| }|sd"d#t'j(vst#j*t>rt#j,t>nd#t#j,| t#j,|d$z}t1t#j2|dx} }ycc}w)%uIAPI 401 → main() exit 1 + .env.keys 미수정 + audit refresh_rejected. .env.keysghs_OLDoldoldoldoldOLDOLDzyBOT_GITHUB_APP_ID=3616524 BOT_GITHUB_INSTALLATION_ID=129882070 BOT_GITHUB_PRIVATE_KEY_PATH=/nonexistent BOT_GITHUB_TOKEN= audit.jsonlrr r rrr\ctdd)NizBad credentials) RuntimeError _jwt_token_installation_id_kwargss rP fake_requestzBtest_api_401_fail_closed_preserves_old_token..fake_requests3 122rRrequest_installation_tokenDEFAULT_PEM_BACKUP --env-keys --audit-pathrz%(py0)s == %(py3)srcrXr'ufail-closed 시 exit 1z >assert %(py5)sr(NinzH%(py0)s in %(py6)s {%(py6)s = %(py4)s {%(py4)s = %(py2)s.read_text }() } old_tokenenv_keysrXrYr r"r)r*c3*K|] }|ddv yw)status)refresh_rejected api_errorN).0lines rP z?test_api_401_fail_closed_preserves_old_token..s[ttH~!BB[sz,assert %(py4)s {%(py4)s = %(py0)s(%(py2)s) }anyr[) rar,r r-r r.r/r0r1r2r3r4 write_bytessetattrr5mainrcr:r;r?r@rAr<rdr=r> read_text splitlinesstripjsonloadsr)rj monkeypatchrr audit_pathr r pempem_pathr}rrJrk @py_format4 @py_format6rI @py_assert5rLrOl audit_linesrKs rP,test_api_401_fail_closed_preserves_old_tokenrqs+%H+I  &;b * M)J<= " "5$ / = =""##))""$ C ,&H 39<H18< c(mJ B ,27,,,2,,,,,,2,,,2,,,,,,,,,,,,, **,*,,9, ,,,,9,,,,,,,9,,,9,,,,,,,,,,,,*,,,,,,,,,,,*4*>*>*@*K*K*M[QQRQXQXQZ4::a=[K[[{[[3[ [[ [[[[[[3[[[3[[[[[[[ [[[[[[[\s "O8Oc|dz }tj|dddtj|dddd tj|d d d |jjDcgc](}|j st j |*}}t|}d }||k(}|stjd|fd||fdtjvstjtrtjtnddtjvstj|rtj|ndtj|tj|dz}dd|iz}ttj|dx}x}}|dd} d} | | k(}|sltjd|fd| | ftj| tj| dz} dd| iz}ttj|dx} x}} |dd} d} | | k(}|sltjd|fd| | ftj| tj| dz} dd| iz}ttj|dx} x}} |dd} d } | | k(}|sltjd|fd| | ftj| tj| dz} dd| iz}ttj|dx} x}} ycc}w)u0append_audit 호출 N번 → N개 라인 누적.rv refreshedabc12345z2026-05-07T23:00:00Z)r sha256_prefix expires_atrNzHTTP 401)rrrerrordry_rundef67890z2026-05-07T23:30:00Zr)z0%(py3)s {%(py3)s = %(py0)s(%(py1)s) } == %(py6)slenlines)rXrr'r"r)r*rrrrr!r"rr)r5 append_auditrrrrrrr:r;r?r@rAr<r=r>) rjrrrrJrrMrLrOrHrIrKs rPtest_audit_append_onlyrs$M)JZ :ZpqZ(:$[_gqrZ Xno$.$8$8$:$E$E$G Uq1779TZZ] UE U u::?:33uu: 8H ,,  ,,,, ,,, ,,,,,,,,,, 8H 3!33 !3 3333 !3333 333!33333333 8H **  **** *** ********** Vs 2L;L;c |dz }|jd|dz }ddlm}ddlm}|j ddj |jj|jj|j}|d z }|j|d fd } |jtd | |jtd |tjdt!|dt!|g} d} | | k(} | st#j$d| fd| | fdt'j(vst#j*| rt#j,| ndt#j,| dz} dd| iz}t/t#j0|dx} } |j3}|j4|j6z}|v} | st#j$d| fd|fdt'j(vst#j*rt#j,nddt'j(vst#j*|rt#j,|nddz}t#j8ddzd|iz}t/t#j0|d} |j:}|}|v} | st#j$d| fd|fdt'j(vst#j*rt#j,ndd t'j(vst#j*|rt#j,|nd t#j,|t#j,|d!z}t#j8d"d#zd$|iz}t/t#j0|dx} x}}|j:}|}|v} | st#j$d%| fd&|fdt'j(vst#j*rt#j,ndd't'j(vst#j*|rt#j,|nd't#j,|t#j,|d!z}d(d$|iz}t/t#j0|dx} x}}y))uM성공 시 stdout/audit 어디에도 토큰 원문이 등장하지 않는다.rszBOT_GITHUB_APP_ID=3616524 BOT_GITHUB_INSTALLATION_ID=129882070 BOT_GITHUB_PRIVATE_KEY_PATH=/nonexistent BOT_GITHUB_TOKEN=ghs_OLDOLDOLD rvrr r rrr\'ghs_VERYSECRETtokenABCDEFGHIJ0123456789cddS)N2026-05-08T00:00:00ZrDrr)rzr{r| secret_tokens rPr}z7test_token_never_logged_plaintext..fake_requests%5KLLrRr~rrrrrrrzassert %(py5)sr(N)not in)z%(py0)s not in %(py2)sroutrWu,stdout/stderr에 토큰 원문 노출 금지rZr )zL%(py0)s not in %(py6)s {%(py6)s = %(py4)s {%(py4)s = %(py2)s.read_text }() }rru*audit jsonl에 토큰 원문 기록 금지z >assert %(py8)sr*rrrr))rar,r r-r r.r/r0r1r2r3r4rrr5rrcr:r;r?r@rAr<r=r> readouterrrerrrdr)rjcapsysrrrr r rrr}rrJrkrrcapturedrrlrKrIrrLrOrs @rP!test_token_never_logged_plaintextrs+%H  + M)J<= " "5$ / = =""##))""$ C ,&H .fake_requests%5KLLrRr~rz --dry-runrrr)zJ%(py6)s {%(py6)s = %(py2)s {%(py2)s = %(py0)s.main }(%(py4)s) } == %(py9)sr5)rXrYr r"py9zassert %(py11)spy11N)rar,r r-r r.r/r0r1r2r3r4rrr5rrcr:r;r?r@rAr<r=r>)rjrrrr r rrr}rkrIr @py_assert8 @py_assert7 @py_format10 @py_format12s rP)test_systemd_oneshot_compatible_exit_zerors +%H  ( M)J<= " "5$ / = =""##))""$ C ,&H M9<H18< 88e[,H ~sS]_e8_ `edee `de eeee `deeeeeee3eee3eee8eee_eee `eeedeeeeeeee 88X\3x=.#j/RX8R SXWXX SWX XXXX SWXXXXXXX3XXX3XXX8XXXRXXX SXXXWXXXXXXXXXrR)&__doc__ __future__rbuiltinsr?_pytest.assertion.rewrite assertionrewriter:importlib.util importlibrsyspathlibrrg__file__resolveparents_WORKSPACE_ROOTpathinsertrc _RBT_PATHutilspec_from_file_location_specloaderskipmodule_from_specr5 exec_modulerQrqrrrrrrRrPrs #  x.((*22153'( i '*@ @ ../BIN=ELL(FKK9+CDY]^nn%%e, -:.dj'\\ +$(0^YrR