content-addressed blob storage: blob_storage.py, memory, local, and S3 adapters

2026-05-07 03:51:25 +02:00
parent c2bc7071d7
commit ebace73761
22 changed files with 1489 additions and 47 deletions
--- a/tests/test_representation_content_service.py
+++ b/tests/test_representation_content_service.py
@@ -0,0 +1,216 @@
+from __future__ import annotations
+
+import pytest
+
+from kontextual_engine import (
+    Actor,
+    ActorType,
+    AssetRegistryService,
+    AuthorizationError,
+    Classification,
+    InMemoryAssetRegistryRepository,
+    InMemoryBlobStorage,
+    LocalBlobStorage,
+    OperationContext,
+    PolicyDecision,
+    RepresentationContentService,
+    RepresentationKind,
+    Sensitivity,
+    ValidationError,
+)
+
+
+def test_content_service_adds_representation_bytes_with_deduplicated_blob() -> None:
+    repo = InMemoryAssetRegistryRepository()
+    blobs = InMemoryBlobStorage()
+    context = operation_context()
+    AssetRegistryService(repo).create_asset(
+        "Content Asset",
+        Classification(asset_type="document", sensitivity=Sensitivity.INTERNAL),
+        context,
+        asset_id="asset-content",
+    )
+    service = RepresentationContentService(repo, blobs)
+
+    first = service.add_representation_from_bytes(
+        "asset-content",
+        RepresentationKind.SOURCE,
+        "text/plain",
+        b"same bytes",
+        context,
+    )
+    second = service.add_representation_from_bytes(
+        "asset-content",
+        RepresentationKind.DERIVED,
+        "text/plain",
+        b"same bytes",
+        context,
+    )
+
+    representations = repo.list_representations(asset_id="asset-content")
+    assert len(representations) == 2
+    assert representations[0].storage_ref == representations[1].storage_ref
+    assert first.version.sequence == 2
+    assert second.version.sequence == 3
+    assert len(blobs.iter_blobs()) == 1
+
+
+def test_content_service_reads_bytes_with_policy_and_audit() -> None:
+    repo = InMemoryAssetRegistryRepository()
+    blobs = InMemoryBlobStorage()
+    context = operation_context()
+    AssetRegistryService(repo).create_asset(
+        "Readable",
+        Classification(asset_type="document", sensitivity=Sensitivity.INTERNAL),
+        context,
+        asset_id="asset-readable",
+    )
+    service = RepresentationContentService(repo, blobs)
+    service.add_representation_from_bytes(
+        "asset-readable",
+        RepresentationKind.SOURCE,
+        "text/plain",
+        b"read me",
+        context,
+    )
+
+    content = service.get_content_stream("asset-readable", context)
+    streamed = service.stream_content("asset-readable", context, chunk_size=3)
+
+    assert content.content == b"read me"
+    assert b"".join(streamed.chunks) == b"read me"
+    assert content.representation.media_type == "text/plain"
+    assert content.blob.storage_ref == content.representation.storage_ref
+    assert content.audit_event.operation == "asset.content_stream.read"
+    assert repo.list_audit_events(target="asset:asset-readable")[-1].operation == "asset.content_stream.read"
+
+
+def test_content_service_reads_source_normalized_and_derived_by_kind() -> None:
+    repo = InMemoryAssetRegistryRepository()
+    blobs = InMemoryBlobStorage()
+    context = operation_context()
+    AssetRegistryService(repo).create_asset(
+        "Kinds",
+        Classification(asset_type="document", sensitivity=Sensitivity.INTERNAL),
+        context,
+        asset_id="asset-kinds",
+    )
+    service = RepresentationContentService(repo, blobs)
+    service.add_representation_from_bytes("asset-kinds", RepresentationKind.SOURCE, "text/plain", b"source", context)
+    service.add_representation_from_bytes(
+        "asset-kinds",
+        RepresentationKind.NORMALIZED,
+        "text/plain",
+        b"normalized",
+        context,
+    )
+    service.add_representation_from_bytes("asset-kinds", RepresentationKind.DERIVED, "text/plain", b"derived", context)
+
+    assert service.get_content_stream("asset-kinds", context, kind=RepresentationKind.SOURCE).content == b"source"
+    assert service.get_content_stream("asset-kinds", context, kind=RepresentationKind.NORMALIZED).content == b"normalized"
+    assert service.get_content_stream("asset-kinds", context, kind=RepresentationKind.DERIVED).content == b"derived"
+
+
+def test_content_service_denies_bytes_before_exposure() -> None:
+    repo = InMemoryAssetRegistryRepository()
+    blobs = InMemoryBlobStorage()
+    context = operation_context()
+    AssetRegistryService(repo).create_asset(
+        "Denied",
+        Classification(asset_type="document", sensitivity=Sensitivity.INTERNAL),
+        context,
+        asset_id="asset-denied-stream",
+    )
+    writer = RepresentationContentService(repo, blobs)
+    writer.add_representation_from_bytes(
+        "asset-denied-stream",
+        RepresentationKind.SOURCE,
+        "text/plain",
+        b"secret",
+        context,
+    )
+    reader = RepresentationContentService(repo, blobs, policy_gateway=DenyContentPolicy())
+
+    with pytest.raises(AuthorizationError):
+        reader.get_content_stream("asset-denied-stream", context)
+
+
+def test_content_service_cleanup_uses_repository_references() -> None:
+    repo = InMemoryAssetRegistryRepository()
+    blobs = InMemoryBlobStorage()
+    context = operation_context()
+    AssetRegistryService(repo).create_asset(
+        "Cleanup",
+        Classification(asset_type="document", sensitivity=Sensitivity.INTERNAL),
+        context,
+        asset_id="asset-cleanup",
+    )
+    service = RepresentationContentService(repo, blobs)
+    service.add_representation_from_bytes(
+        "asset-cleanup",
+        RepresentationKind.SOURCE,
+        "text/plain",
+        b"kept",
+        context,
+    )
+    orphan = blobs.put_bytes(b"orphan").blob
+
+    cleanup = service.cleanup_unreferenced_blobs(dry_run=True)
+
+    assert cleanup.deleted_count == 1
+    assert cleanup.deleted_storage_refs == (orphan.storage_ref,)
+    assert cleanup.reclaimable_bytes == len(b"orphan")
+
+
+def test_content_service_detects_corrupted_stored_content(tmp_path) -> None:
+    repo = InMemoryAssetRegistryRepository()
+    blobs = LocalBlobStorage(tmp_path / "blobs")
+    context = operation_context()
+    AssetRegistryService(repo).create_asset(
+        "Corrupt",
+        Classification(asset_type="document", sensitivity=Sensitivity.INTERNAL),
+        context,
+        asset_id="asset-corrupt",
+    )
+    service = RepresentationContentService(repo, blobs)
+    service.add_representation_from_bytes(
+        "asset-corrupt",
+        RepresentationKind.SOURCE,
+        "text/plain",
+        b"expected",
+        context,
+    )
+    representation = repo.list_representations(asset_id="asset-corrupt")[0]
+    path = blobs.root / representation.storage_ref.removeprefix("blob://local/")
+    path.write_bytes(b"corrupted")
+
+    with pytest.raises(ValidationError):
+        service.get_content_stream("asset-corrupt", context)
+    with pytest.raises(ValidationError):
+        b"".join(service.stream_content("asset-corrupt", context).chunks)
+
+
+def operation_context() -> OperationContext:
+    return OperationContext.create(
+        Actor.create(ActorType.HUMAN, actor_id="content-test"),
+        correlation_id="corr-content",
+    )
+
+
+class DenyContentPolicy:
+    def authorize(
+        self,
+        context: OperationContext,
+        action: str,
+        resource: str,
+        *,
+        resource_metadata: dict[str, str] | None = None,
+    ) -> PolicyDecision:
+        if action == "asset.content_stream.read":
+            return PolicyDecision.deny(
+                context.actor.id,
+                action,
+                resource,
+                reason="content reads disabled",
+            )
+        return PolicyDecision.allow(context.actor.id, action, resource)