azaion/detections
1
0
Fork 0
mirror of https://github.com/azaion/detections.git synced 2026-04-22 11:26:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-178] Fix Critical/High security findings: auth, CVEs, non-root containers, per-job SSE

Browse Source 
- Pin all deps; h11==0.16.0 (CVE-2025-43859), python-multipart>=1.3.1 (CVE-2026-28356), PyJWT==2.12.1
- Add HMAC JWT verification (require_auth FastAPI dependency, JWT_SECRET-gated)
- Fix TokenManager._refresh() to use ADMIN_API_URL instead of ANNOTATIONS_URL
- Rename POST /detect → POST /detect/image (image-only, rejects video files)
- Replace global SSE stream with per-job SSE: GET /detect/{media_id} with event replay buffer
- Apply require_auth to all 4 protected endpoints
- Fix on_annotation/on_status closure to use mutable current_id for correct post-upload event routing
- Add non-root appuser to Dockerfile and Dockerfile.gpu
- Add JWT_SECRET to e2e/docker-compose.test.yml and run-tests.sh
- Update all e2e tests and unit tests for new endpoints and HMAC token signing
- 64/64 tests pass

Made-with: Cursor
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-04-02 06:32:12 +03:00
parent dac350cbc5
commit 097811a67b
25 changed files with 369 additions and 429 deletions
Download Patch File Download Diff File Expand all files Collapse all files
e2e/tests/test_async_sse.py
+1 -1
View File
@@ -41,7 +41,7 @@ def test_ft_p09_sse_event_delivery(
def _listen():
try:
with sse_client_factory() as sse:
with sse_client_factory(media_id) as sse:
time.sleep(0.3)
for event in sse.events():
if not event.data or not str(event.data).strip():
e2e/tests/test_health_engine.py
+4 -4
View File
@@ -33,14 +33,14 @@ class TestHealthEngineStep01PreInit:
@pytest.mark.cpu
@pytest.mark.slow
class TestHealthEngineStep02LazyInit:
def test_ft_p_14_lazy_initialization(self, http_client, image_small):
def test_ft_p_14_lazy_initialization(self, http_client, image_small, auth_headers):
before = _get_health(http_client)
assert before["aiAvailability"] == "None", (
f"engine already initialized (aiAvailability={before['aiAvailability']}); "
"lazy-init test must run before any test that triggers warm_engine"
)
files = {"file": ("lazy.jpg", image_small, "image/jpeg")}
r = http_client.post("/detect", files=files, timeout=_DETECT_TIMEOUT)
r = http_client.post("/detect/image", files=files, headers=auth_headers, timeout=_DETECT_TIMEOUT)
r.raise_for_status()
body = r.json()
assert isinstance(body, list)
@@ -60,9 +60,9 @@ class TestHealthEngineStep03Warmed:
_assert_active_ai(data)
assert data.get("errorMessage") is None
def test_ft_p_15_onnx_cpu_detect(self, http_client, image_small):
def test_ft_p_15_onnx_cpu_detect(self, http_client, image_small, auth_headers):
files = {"file": ("onnx.jpg", image_small, "image/jpeg")}
r = http_client.post("/detect", files=files, timeout=_DETECT_TIMEOUT)
r = http_client.post("/detect/image", files=files, headers=auth_headers, timeout=_DETECT_TIMEOUT)
r.raise_for_status()
body = r.json()
assert isinstance(body, list)
e2e/tests/test_negative.py
+6 -8
View File
@@ -13,9 +13,9 @@ def _assert_health_200(http_client):
@pytest.mark.cpu
def test_ft_n_01_empty_image_returns_400(http_client, empty_image):
def test_ft_n_01_empty_image_returns_400(http_client, empty_image, auth_headers):
files = {"file": ("empty.jpg", empty_image, "image/jpeg")}
r = http_client.post("/detect", files=files, timeout=30)
r = http_client.post("/detect/image", files=files, headers=auth_headers, timeout=30)
assert r.status_code == 400
body = r.json()
assert "detail" in body
@@ -24,9 +24,9 @@ def test_ft_n_01_empty_image_returns_400(http_client, empty_image):
@pytest.mark.cpu
def test_ft_n_02_corrupt_image_returns_400_or_422(http_client, corrupt_image):
def test_ft_n_02_corrupt_image_returns_400_or_422(http_client, corrupt_image, auth_headers):
files = {"file": ("corrupt.jpg", corrupt_image, "image/jpeg")}
r = http_client.post("/detect", files=files, timeout=30)
r = http_client.post("/detect/image", files=files, headers=auth_headers, timeout=30)
assert r.status_code in (400, 422)
body = r.json()
assert "detail" in body
@@ -35,14 +35,12 @@ def test_ft_n_02_corrupt_image_returns_400_or_422(http_client, corrupt_image):
@pytest.mark.cpu
def test_ft_n_03_loader_error_mode_detect_does_not_500(
http_client, mock_loader_url, image_small
http_client, mock_loader_url, image_small, auth_headers
):
cfg = requests.post(
f"{mock_loader_url}/mock/config", json={"mode": "error"}, timeout=10
)
cfg.raise_for_status()
files = {"file": ("small.jpg", image_small, "image/jpeg")}
r = http_client.post("/detect", files=files, timeout=_DETECT_TIMEOUT)
r = http_client.post("/detect/image", files=files, headers=auth_headers, timeout=_DETECT_TIMEOUT)
assert r.status_code != 500
e2e/tests/test_performance.py
+8 -5
View File
@@ -19,14 +19,15 @@ def _percentile_ms(sorted_ms, p):
@pytest.mark.timeout(60)
def test_nft_perf_01_single_image_latency_p95(
warm_engine, http_client, image_small
warm_engine, http_client, image_small, auth_headers
):
times_ms = []
for _ in range(10):
t0 = time.perf_counter()
r = http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_small, "image/jpeg")},
headers=auth_headers,
timeout=8,
)
elapsed_ms = (time.perf_counter() - t0) * 1000.0
@@ -46,12 +47,13 @@ def test_nft_perf_01_single_image_latency_p95(
@pytest.mark.timeout(60)
def test_nft_perf_03_tiling_overhead_large_image(
warm_engine, http_client, image_small, image_large
warm_engine, http_client, image_small, image_large, auth_headers
):
t_small = time.perf_counter()
r_small = http_client.post(
"/detect",
"/detect/image",
files={"file": ("small.jpg", image_small, "image/jpeg")},
headers=auth_headers,
timeout=8,
)
small_ms = (time.perf_counter() - t_small) * 1000.0
@@ -61,9 +63,10 @@ def test_nft_perf_03_tiling_overhead_large_image(
)
t_large = time.perf_counter()
r_large = http_client.post(
"/detect",
"/detect/image",
files={"file": ("large.jpg", image_large, "image/jpeg")},
data={"config": config},
headers=auth_headers,
timeout=20,
)
large_ms = (time.perf_counter() - t_large) * 1000.0
e2e/tests/test_resilience.py
+5 -7
View File
@@ -5,13 +5,13 @@ _DETECT_TIMEOUT = 60
def test_nft_res_01_loader_outage_after_init(
warm_engine, http_client, mock_loader_url, image_small
warm_engine, http_client, mock_loader_url, image_small, auth_headers
):
requests.post(
f"{mock_loader_url}/mock/config", json={"mode": "error"}, timeout=10
).raise_for_status()
files = {"file": ("r1.jpg", image_small, "image/jpeg")}
r = http_client.post("/detect", files=files, timeout=_DETECT_TIMEOUT)
r = http_client.post("/detect/image", files=files, headers=auth_headers, timeout=_DETECT_TIMEOUT)
assert r.status_code == 200
assert isinstance(r.json(), list)
h = http_client.get("/health")
@@ -22,17 +22,15 @@ def test_nft_res_01_loader_outage_after_init(
def test_nft_res_03_transient_loader_first_fail(
mock_loader_url, http_client, image_small
mock_loader_url, http_client, image_small, auth_headers
):
requests.post(
f"{mock_loader_url}/mock/config", json={"mode": "first_fail"}, timeout=10
).raise_for_status()
files = {"file": ("r3a.jpg", image_small, "image/jpeg")}
r1 = http_client.post("/detect", files=files, timeout=_DETECT_TIMEOUT)
r1 = http_client.post("/detect/image", files=files, headers=auth_headers, timeout=_DETECT_TIMEOUT)
files2 = {"file": ("r3b.jpg", image_small, "image/jpeg")}
r2 = http_client.post("/detect", files=files2, timeout=_DETECT_TIMEOUT)
r2 = http_client.post("/detect/image", files=files2, headers=auth_headers, timeout=_DETECT_TIMEOUT)
assert r2.status_code == 200
if r1.status_code != 200:
assert r1.status_code != 500
e2e/tests/test_resource_limits.py
+6 -4
View File
@@ -8,11 +8,12 @@ import pytest
@pytest.mark.slow
@pytest.mark.timeout(120)
def test_nft_res_lim_03_max_detections_per_frame(
warm_engine, http_client, image_dense
warm_engine, http_client, image_dense, auth_headers
):
r = http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_dense, "image/jpeg")},
headers=auth_headers,
timeout=120,
)
assert r.status_code == 200
@@ -22,10 +23,11 @@ def test_nft_res_lim_03_max_detections_per_frame(
@pytest.mark.slow
def test_nft_res_lim_04_log_file_rotation(warm_engine, http_client, image_small):
def test_nft_res_lim_04_log_file_rotation(warm_engine, http_client, image_small, auth_headers):
http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_small, "image/jpeg")},
headers=auth_headers,
timeout=60,
)
candidates = [
e2e/tests/test_security.py
+6 -7
View File
@@ -5,7 +5,7 @@ import requests
def test_nft_sec_01_malformed_multipart(base_url, http_client):
url = f"{base_url.rstrip('/')}/detect"
url = f"{base_url.rstrip('/')}/detect/image"
r1 = requests.post(
url,
data=b"not-multipart-body",
@@ -25,18 +25,19 @@ def test_nft_sec_01_malformed_multipart(base_url, http_client):
files={"file": ("", b"", "")},
timeout=30,
)
assert r3.status_code in (400, 422)
assert r3.status_code in (400, 401, 422)
assert http_client.get("/health").status_code == 200
@pytest.mark.timeout(30)
def test_nft_sec_02_oversized_request(http_client):
def test_nft_sec_02_oversized_request(http_client, auth_headers):
large = os.urandom(50 * 1024 * 1024)
try:
r = http_client.post(
"/detect",
"/detect/image",
files={"file": ("large.jpg", large, "image/jpeg")},
timeout=15,
headers=auth_headers,
timeout=15,
)
except requests.RequestException:
pass
@@ -44,5 +45,3 @@ def test_nft_sec_02_oversized_request(http_client):
assert r.status_code != 500
assert r.status_code in (413, 400, 422)
assert http_client.get("/health").status_code == 200
e2e/tests/test_single_image.py
+19 -12
View File
@@ -81,10 +81,11 @@ def _weather_label_ok(label, base_names):
@pytest.mark.slow
def test_ft_p_03_detection_response_structure_ac1(http_client, image_small, warm_engine):
def test_ft_p_03_detection_response_structure_ac1(http_client, image_small, warm_engine, auth_headers):
r = http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_small, "image/jpeg")},
headers=auth_headers,
)
assert r.status_code == 200
body = r.json()
@@ -105,12 +106,13 @@ def test_ft_p_03_detection_response_structure_ac1(http_client, image_small, warm
@pytest.mark.slow
def test_ft_p_05_confidence_filtering_ac2(http_client, image_small, warm_engine):
def test_ft_p_05_confidence_filtering_ac2(http_client, image_small, warm_engine, auth_headers):
cfg_hi = json.dumps({"probability_threshold": 0.8})
r_hi = http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_small, "image/jpeg")},
data={"config": cfg_hi},
headers=auth_headers,
)
assert r_hi.status_code == 200
hi = r_hi.json()
@@ -119,9 +121,10 @@ def test_ft_p_05_confidence_filtering_ac2(http_client, image_small, warm_engine)
assert float(d["confidence"]) + _EPS >= 0.8
cfg_lo = json.dumps({"probability_threshold": 0.1})
r_lo = http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_small, "image/jpeg")},
data={"config": cfg_lo},
headers=auth_headers,
)
assert r_lo.status_code == 200
lo = r_lo.json()
@@ -130,12 +133,13 @@ def test_ft_p_05_confidence_filtering_ac2(http_client, image_small, warm_engine)
@pytest.mark.slow
def test_ft_p_06_overlap_deduplication_ac3(http_client, image_dense, warm_engine):
def test_ft_p_06_overlap_deduplication_ac3(http_client, image_dense, warm_engine, auth_headers):
cfg_loose = json.dumps({"tracking_intersection_threshold": 0.6})
r1 = http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_dense, "image/jpeg")},
data={"config": cfg_loose},
headers=auth_headers,
timeout=_DETECT_SLOW_TIMEOUT,
)
assert r1.status_code == 200
@@ -151,9 +155,10 @@ def test_ft_p_06_overlap_deduplication_ac3(http_client, image_dense, warm_engine
assert ratio <= 0.6 + _EPS, (label, ratio)
cfg_strict = json.dumps({"tracking_intersection_threshold": 0.01})
r2 = http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_dense, "image/jpeg")},
data={"config": cfg_strict},
headers=auth_headers,
timeout=_DETECT_SLOW_TIMEOUT,
)
assert r2.status_code == 200
@@ -163,7 +168,7 @@ def test_ft_p_06_overlap_deduplication_ac3(http_client, image_dense, warm_engine
@pytest.mark.slow
def test_ft_p_07_physical_size_filtering_ac4(http_client, image_small, warm_engine):
def test_ft_p_07_physical_size_filtering_ac4(http_client, image_small, warm_engine, auth_headers):
by_id, _ = _load_classes_media()
wh = _image_width_height(image_small)
assert wh is not None
@@ -180,9 +185,10 @@ def test_ft_p_07_physical_size_filtering_ac4(http_client, image_small, warm_engi
}
)
r = http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_small, "image/jpeg")},
data={"config": cfg},
headers=auth_headers,
timeout=_DETECT_SLOW_TIMEOUT,
)
assert r.status_code == 200
@@ -197,12 +203,13 @@ def test_ft_p_07_physical_size_filtering_ac4(http_client, image_small, warm_engi
@pytest.mark.slow
def test_ft_p_13_weather_mode_class_variants_ac5(
http_client, image_different_types, warm_engine
http_client, image_different_types, warm_engine, auth_headers
):
_, base_names = _load_classes_media()
r = http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_different_types, "image/jpeg")},
headers=auth_headers,
timeout=_DETECT_SLOW_TIMEOUT,
)
assert r.status_code == 200
e2e/tests/test_streaming_video_upload.py
+29 -12
View File
@@ -36,14 +36,21 @@ def _chunked_reader(path: str, chunk_size: int = 64 * 1024):
yield chunk
def _start_sse_listener(http_client) -> tuple[list[dict], list[BaseException], threading.Event]:
def _start_sse_listener(
http_client, media_id: str, auth_headers: dict
) -> tuple[list[dict], list[BaseException], threading.Event]:
events: list[dict] = []
errors: list[BaseException] = []
first_event = threading.Event()
def _listen():
try:
with http_client.get("/detect/stream", stream=True, timeout=_TIMEOUT + 2) as resp:
with http_client.get(
f"/detect/{media_id}",
stream=True,
timeout=_TIMEOUT + 2,
headers=auth_headers,
) as resp:
resp.raise_for_status()
for event in sseclient.SSEClient(resp).events():
if not event.data or not str(event.data).strip():
@@ -62,24 +69,30 @@ def _start_sse_listener(http_client) -> tuple[list[dict], list[BaseException], t
@pytest.mark.timeout(10)
def test_streaming_video_detections_appear_during_upload(warm_engine, http_client):
def test_streaming_video_detections_appear_during_upload(
warm_engine, http_client, auth_headers
):
# Arrange
video_path = _fixture_path("video_test01.mp4")
events, errors, first_event = _start_sse_listener(http_client)
time.sleep(0.3)
# Act
r = http_client.post(
"/detect/video",
data=_chunked_reader(video_path),
headers={"X-Filename": "video_test01.mp4", "Content-Type": "application/octet-stream"},
headers={
**auth_headers,
"X-Filename": "video_test01.mp4",
"Content-Type": "application/octet-stream",
},
timeout=8,
)
assert r.status_code == 200
media_id = r.json()["mediaId"]
events, errors, first_event = _start_sse_listener(http_client, media_id, auth_headers)
first_event.wait(timeout=_TIMEOUT)
# Assert
assert not errors, f"SSE thread error: {errors}"
assert r.status_code == 200
assert len(events) >= 1, "Expected at least one SSE event within 5s"
print(f"\n First {len(events)} SSE events:")
for e in events:
@@ -87,24 +100,28 @@ def test_streaming_video_detections_appear_during_upload(warm_engine, http_clien
@pytest.mark.timeout(10)
def test_non_faststart_video_still_works(warm_engine, http_client):
def test_non_faststart_video_still_works(warm_engine, http_client, auth_headers):
# Arrange
video_path = _fixture_path("video_test01.mp4")
events, errors, first_event = _start_sse_listener(http_client)
time.sleep(0.3)
# Act
r = http_client.post(
"/detect/video",
data=_chunked_reader(video_path),
headers={"X-Filename": "video_test01_plain.mp4", "Content-Type": "application/octet-stream"},
headers={
**auth_headers,
"X-Filename": "video_test01_plain.mp4",
"Content-Type": "application/octet-stream",
},
timeout=8,
)
assert r.status_code == 200
media_id = r.json()["mediaId"]
events, errors, first_event = _start_sse_listener(http_client, media_id, auth_headers)
first_event.wait(timeout=_TIMEOUT)
# Assert
assert not errors, f"SSE thread error: {errors}"
assert r.status_code == 200
assert len(events) >= 1, "Expected at least one SSE event within 5s"
print(f"\n First {len(events)} SSE events:")
for e in events:
e2e/tests/test_tiling.py
+6 -4
View File
@@ -28,12 +28,13 @@ def _assert_no_same_label_near_duplicate_centers(detections):
@pytest.mark.slow
def test_ft_p_04_gsd_based_tiling_ac1(http_client, image_large, warm_engine):
def test_ft_p_04_gsd_based_tiling_ac1(http_client, image_large, warm_engine, auth_headers):
config = json.dumps(_GSD)
r = http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_large, "image/jpeg")},
data={"config": config},
headers=auth_headers,
timeout=_TILING_TIMEOUT,
)
assert r.status_code == 200
@@ -43,12 +44,13 @@ def test_ft_p_04_gsd_based_tiling_ac1(http_client, image_large, warm_engine):
@pytest.mark.slow
def test_ft_p_16_tile_boundary_deduplication_ac2(http_client, image_large, warm_engine):
def test_ft_p_16_tile_boundary_deduplication_ac2(http_client, image_large, warm_engine, auth_headers):
config = json.dumps({**_GSD, "big_image_tile_overlap_percent": 20})
r = http_client.post(
"/detect",
"/detect/image",
files={"file": ("img.jpg", image_large, "image/jpeg")},
data={"config": config},
headers=auth_headers,
timeout=_TILING_TIMEOUT,
)
assert r.status_code == 200
e2e/tests/test_video.py
+17 -12
View File
@@ -20,17 +20,32 @@ def _chunked_reader(path: str, chunk_size: int = 64 * 1024):
@pytest.fixture(scope="module")
def video_events(warm_engine, http_client):
def video_events(warm_engine, http_client, auth_headers):
if not Path(_VIDEO).is_file():
pytest.skip(f"missing fixture {_VIDEO}")
r = http_client.post(
"/detect/video",
data=_chunked_reader(_VIDEO),
headers={
**auth_headers,
"X-Filename": "video_test01.mp4",
"Content-Type": "application/octet-stream",
},
timeout=15,
)
assert r.status_code == 200
media_id = r.json()["mediaId"]
collected: list[tuple[float, dict]] = []
thread_exc: list[BaseException] = []
done = threading.Event()
def _listen():
try:
with http_client.get("/detect/stream", stream=True, timeout=35) as resp:
with http_client.get(
f"/detect/{media_id}", stream=True, timeout=35, headers=auth_headers
) as resp:
resp.raise_for_status()
sse = sseclient.SSEClient(resp)
for event in sse.events():
@@ -50,16 +65,6 @@ def video_events(warm_engine, http_client):
th = threading.Thread(target=_listen, daemon=True)
th.start()
time.sleep(0.3)
r = http_client.post(
"/detect/video",
data=_chunked_reader(_VIDEO),
headers={"X-Filename": "video_test01.mp4", "Content-Type": "application/octet-stream"},
timeout=15,
)
assert r.status_code == 200
assert done.wait(timeout=30)
th.join(timeout=5)
assert not thread_exc, thread_exc