"""End-to-end coverage of the hijack/recovery decision matrix. Two axes: - Hijack attempt: yes / no - Admin reset: yes / no The deliverable property (besides the four cell behaviours themselves) is **strict non-increase**: a closed-question score must never improve after any reset, regardless of who triggered the reset or why. That property is what makes false-hijack claims self-penalising and forecloses "ask for a reset to get a do-over" as an attack on the engagement portal. """ from __future__ import annotations from fastapi.testclient import TestClient from conftest import admin_login, join_student def _new_client(client: TestClient) -> TestClient: """Fresh cookie jar against the same app (= different browser).""" return client.__class__(client.app) # ============================================================ # Cell A — no hijack, no reset (baseline) # ============================================================ def test_cell_A_normal_flow_unaffected(client, sid): """Baseline: a single legitimate student plays through, no resets, cookie keeps working across reads.""" join_student(client, sid, "alice", "Alice") rooms = client.app.state.rooms client.portal.call(rooms.open_question, sid, 0, 5) ack = client.portal.call(rooms.submit_answer, sid, "alice", 0, "B") client.portal.call(rooms.close_question, sid) assert ack["score"] > 0 me = client.get(f"/api/session/{sid}/me").json() submissions = {s["question_idx"]: s for s in me["submissions"]} assert submissions[0]["status"] == "submitted" assert submissions[0]["score"] > 0 # ============================================================ # Cell B1 — no hijack, admin resets anyway (false-claim attempt) # ============================================================ def test_cell_B1_false_claim_loses_full_credit_on_closed_question(client, sid): """A student who got Q0 right (full credit) then claims hijack and asks for a reset: their Q0 score is forced to 0/missed. Strictly self-penalising — false claims cannot improve closed scores.""" join_student(client, sid, "alice", "Alice") rooms = client.app.state.rooms client.portal.call(rooms.open_question, sid, 0, 5) ack = client.portal.call(rooms.submit_answer, sid, "alice", 0, "B") pre_reset_score = ack["score"] assert pre_reset_score > 0 client.portal.call(rooms.close_question, sid) # "Hijack claim" → admin reset. admin_login(client) assert client.delete("/admin/api/students/alice").status_code == 200 legit = _new_client(client) response = legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Alice"}) assert response.status_code == 200 me = legit.get(f"/api/session/{sid}/me").json() submissions = {s["question_idx"]: s for s in me["submissions"]} assert submissions[0]["status"] == "missed" assert submissions[0]["score"] == 0 assert submissions[0]["score"] < pre_reset_score, "reset must not improve closed-Q score" def test_cell_B1_partial_credit_also_zeroed_after_reset(client, sid): """Same property at intermediate score: a partial credit becomes 0, not preserved at the partial level.""" join_student(client, sid, "alice", "Alice") rooms = client.app.state.rooms client.portal.call(rooms.open_question, sid, 0, 5) # Wait by manipulating the question event's opened_at could be flaky; # instead just verify the structural property: any reset → 0. client.portal.call(rooms.submit_answer, sid, "alice", 0, "B") client.portal.call(rooms.close_question, sid) admin_login(client) assert client.delete("/admin/api/students/alice").status_code == 200 legit = _new_client(client) legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Alice"}) me = legit.get(f"/api/session/{sid}/me").json() assert all(s["score"] == 0 for s in me["submissions"]), me["submissions"] # ============================================================ # Cell B2 — student cleared their own cookie (no hijack) # ============================================================ def test_cell_B2_self_cleared_cookie_must_reset(client, sid): """Student joins, then their own browser loses the cookie (cleared or moved devices). They cannot re-claim their id without admin intervention, AND when admin clears the slot, closed-Q points are zeroed exactly as in B1 — clearing your own cookie is not a free re-roll.""" join_student(client, sid, "alice", "Alice") rooms = client.app.state.rooms client.portal.call(rooms.open_question, sid, 0, 5) client.portal.call(rooms.submit_answer, sid, "alice", 0, "B") client.portal.call(rooms.close_question, sid) # "Cleared cookie" = a fresh browser asks for the same id. cleared = _new_client(client) response = cleared.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Alice"}) assert response.status_code == 409 # Recovery via admin. admin_login(client) assert client.delete("/admin/api/students/alice").status_code == 200 response = cleared.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Alice"}) assert response.status_code == 200 me = cleared.get(f"/api/session/{sid}/me").json() submissions = {s["question_idx"]: s for s in me["submissions"]} assert submissions[0]["status"] == "missed" assert submissions[0]["score"] == 0 # ============================================================ # Cell C — hijack, no reset (acknowledged social-mitigation cell) # ============================================================ def test_cell_C_hijacker_without_recovery_keeps_slot(client, sid): """Without admin recovery, the first claimer (potentially a hijacker) holds the slot for the duration of the lecture. The legit student cannot dislodge them via repeated /join. Defence is social (paper attendance, low grade weight, visible duplicate-join alert).""" hijacker = _new_client(client) response = hijacker.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Hijacker"}) assert response.status_code == 200 # Legit student tries from many fresh browsers — every attempt 409s # because the slot is held. for _ in range(5): legit = _new_client(client) response = legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Real Alice"}) assert response.status_code == 409 # Hijacker keeps working, /me succeeds with their cookie. assert hijacker.get(f"/api/session/{sid}/me").status_code == 200 # Audit log accumulated 5 duplicate_join events for the same id. admin_login(client) csv_text = client.get("/admin/api/csv").text alice_row = next(line for line in csv_text.splitlines() if ",alice," in line) assert alice_row.endswith(",0,0,5"), alice_row # ============================================================ # Cell D — hijack + recovery (canonical good case) # ============================================================ def test_cell_D_hijack_then_admin_recovery_locks_out_hijacker(client, sid): """Hijacker claims, hijacker submits a wrong answer to Q0, Q0 closes, admin clears the slot, legit student re-claims with a fresh cookie. Verify: - hijacker's wrong submission is wiped - legit student gets 0/missed for the closed Q (no improvement) - hijacker's old cookie is dead on every authed read - legit student is normal from the next Q on """ hijacker = _new_client(client) response = hijacker.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Hijacker"}) assert response.status_code == 200 rooms = client.app.state.rooms client.portal.call(rooms.open_question, sid, 0, 5) # Hijacker submits the wrong answer (correct is B, wrong is A). ack = client.portal.call(rooms.submit_answer, sid, "alice", 0, "A") assert ack["score"] == 0 client.portal.call(rooms.close_question, sid) # Admin recovery. admin_login(client) assert client.delete("/admin/api/students/alice").status_code == 200 legit = _new_client(client) response = legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Real Alice"}) assert response.status_code == 200 # Closed Q is zeroed for the re-claimed student (cannot reclaim # credit OR be improved post-hoc). me = legit.get(f"/api/session/{sid}/me").json() assert me["name"] == "Real Alice" submissions = {s["question_idx"]: s for s in me["submissions"]} assert submissions[0]["status"] == "missed" assert submissions[0]["score"] == 0 # Hijacker's cookie is now permanently dead. response = hijacker.get(f"/api/session/{sid}/me") assert response.status_code == 401 response = hijacker.post(f"/api/session/{sid}/event", json={"kind": "blur"}) assert response.status_code == 401 # Legit student is normal on Q1. client.portal.call(rooms.open_question, sid, 1, 5) ack = client.portal.call(rooms.submit_answer, sid, "alice", 1, "C") assert ack["type"] == "submit_ack" assert ack["score"] > 0 def test_cell_D_recovery_during_open_question_grants_remaining_time(client, sid): """If admin clears a hijacker mid-question (i.e. the question is still open), the legit re-joiner can submit the open question with the remaining time on the original opened_at clock — they don't get a private 60 s fresh window.""" hijacker = _new_client(client) hijacker.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Hijacker"}) rooms = client.app.state.rooms client.portal.call(rooms.open_question, sid, 0, 5) client.portal.call(rooms.submit_answer, sid, "alice", 0, "A") # hijacker wrong admin_login(client) assert client.delete("/admin/api/students/alice").status_code == 200 # Q0 is still open. Legit re-claims; the hijacker's wrong answer is # gone, and the legit student has time to submit because the Q # didn't close. This proves the hijacker's submission isn't "sticky" # via the PK — clear_student deletes it. legit = _new_client(client) legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Real Alice"}) ack = client.portal.call(rooms.submit_answer, sid, "alice", 0, "B") assert ack["type"] == "submit_ack" assert ack["answer"] == "B" assert ack["score"] > 0 # ============================================================ # Defensive structural checks # ============================================================ def test_admin_clear_student_requires_admin_cookie(client, sid): """The recovery hatch must be admin-only — otherwise a hijacker could DELETE the legit student's slot themselves.""" join_student(client, sid, "alice", "Alice") response = client.delete("/admin/api/students/alice") assert response.status_code == 401 def test_repeated_duplicate_join_attempts_each_audited(client, sid): """Every 409'd attempt to claim an existing id appends a row to student_events. The CSV count column reflects the running total.""" join_student(client, sid, "alice", "Alice") for _ in range(7): attacker = _new_client(client) attacker.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "X"}) admin_login(client) csv_text = client.get("/admin/api/csv").text alice_row = next(line for line in csv_text.splitlines() if ",alice," in line) assert alice_row.endswith(",0,0,7") def test_event_endpoint_with_stale_cookie_after_recovery_returns_401(client, sid): """After admin clears + legit re-claims, a now-dead cookie cannot pollute the audit log with blur events under the new owner's id.""" hijacker = _new_client(client) hijacker.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Hijacker"}) admin_login(client) client.delete("/admin/api/students/alice") legit = _new_client(client) legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Real Alice"}) response = hijacker.post(f"/api/session/{sid}/event", json={"kind": "blur"}) assert response.status_code == 401 csv_text = client.get("/admin/api/csv").text alice_row = next(line for line in csv_text.splitlines() if ",alice," in line) # Hijacker's blur attempt did not land in Alice's audit count. assert alice_row.endswith(",0,0,0"), alice_row def test_strict_non_increase_perfect_score_is_zeroed_on_reset(client, sid): """Edge case of the strict non-increase property: even a maximum score (instant-correct = 1.00) becomes 0 after reset.""" join_student(client, sid, "alice", "Alice") rooms = client.app.state.rooms client.portal.call(rooms.open_question, sid, 0, 5) ack = client.portal.call(rooms.submit_answer, sid, "alice", 0, "B") # linear_decay: instant-correct is exactly 1.00 (the spec lock). assert 0.95 <= ack["score"] <= 1.00 client.portal.call(rooms.close_question, sid) admin_login(client) client.delete("/admin/api/students/alice") legit = _new_client(client) legit.post(f"/api/session/{sid}/join", json={"student_id": "alice", "name": "Alice"}) me = legit.get(f"/api/session/{sid}/me").json() submissions = {s["question_idx"]: s for s in me["submissions"]} assert submissions[0]["score"] == 0