Files
ss-tools/backend/tests/api/test_auth.py
busya f75c15dbc6 test: massive coverage expansion — 15 new test modules + assistant tool fixes + orthogonal testing
- 10 translate plugin test files (100% coverage on 12 modules)
- assistant/handler tools: 85+ tests covering dispatch, registry, resolvers, routes, llm_planner, 13 tool handlers
- clean release: artifact_catalog_loader, mappers, approval, publication tests
- API routes: translate_helpers, validation_service extensions, datasets to 100%
- notifications: providers/service tests
- services: profile_preference_service
- docs/orthogonal-test-report.md — full speckit.tests audit
- Fixes: 3 git_base async mock failures, 4 assistant handler permission-check patches
- .gitignore: coverage artifacts
2026-06-15 15:38:59 +03:00

256 lines
9.2 KiB
Python

# #region Test.Api.Auth [C:3] [TYPE Module] [SEMANTICS test,auth,api]
# @BRIEF Unit tests for auth API routes — login, logout, me, ADFS.
# @RELATION BINDS_TO -> [Api.Auth]
# @TEST_EDGE: invalid_credentials -> 401
# @TEST_EDGE: locked_account -> 429 (rate limited)
# @TEST_EDGE: missing_fields -> 422
# @TEST_EDGE: already_expired_token -> 200 (idempotent logout)
import os
# Set env BEFORE any source imports
os.environ.setdefault("DATABASE_URL", "sqlite:///:memory:")
os.environ.setdefault("AUTH_DATABASE_URL", "sqlite:///:memory:")
os.environ.setdefault("SECRET_KEY", "test-secret-key-for-tests")
import sys
from pathlib import Path
from unittest.mock import AsyncMock, MagicMock, patch
import pytest
from fastapi import FastAPI, HTTPException, status
from fastapi.testclient import TestClient
_src = str(Path(__file__).resolve().parent.parent.parent / "src")
if _src not in sys.path:
sys.path.insert(0, _src)
@pytest.fixture(autouse=True)
def _patch_rate_limiter():
"""Ensure rate limiter is safe."""
with patch("src.api.auth.rate_limiter") as mock_rl:
mock_rl.is_banned.return_value = False
mock_rl.record_attempt = MagicMock()
mock_rl.record_success = MagicMock()
yield
# ── Helper: build TestClient with auth dependencies overridden ──
def _make_client() -> TestClient:
"""Build a TestClient for the auth router with all dependencies overridden."""
from src.api.auth import router
from src.core.database import get_auth_db
from src.dependencies import get_current_user
from src.schemas.auth import User, RoleSchema
app = FastAPI()
app.include_router(router)
mock_db = MagicMock()
mock_user = User(
id="user-1",
username="testuser",
email="test@example.com",
auth_source="LOCAL",
created_at=__import__("datetime").datetime.now(),
roles=[RoleSchema(id="role-1", name="Admin", description="Admin role", permissions=[])],
)
app.dependency_overrides[get_auth_db] = lambda: mock_db
app.dependency_overrides[get_current_user] = lambda: mock_user
return TestClient(app)
# ── Tests ──
class TestLogin:
"""POST /api/auth/login"""
def test_login_success(self):
"""Happy path: valid credentials return 200 + Token."""
mock_user = MagicMock()
mock_user.username = "testuser"
mock_token = MagicMock()
mock_token.access_token = "abc.def.ghi"
mock_token.token_type = "bearer"
with patch("src.api.auth.AuthService") as MockAuth:
auth_instance = MockAuth.return_value
auth_instance.authenticate_user.return_value = mock_user
auth_instance.create_session.return_value = mock_token
client = _make_client()
resp = client.post("/api/auth/login", data={"username": "testuser", "password": "secret123"})
assert resp.status_code == 200
assert resp.json()["access_token"] == "abc.def.ghi"
assert resp.json()["token_type"] == "bearer"
def test_login_invalid_credentials(self):
"""Invalid credentials return 401."""
with patch("src.api.auth.AuthService") as MockAuth:
auth_instance = MockAuth.return_value
auth_instance.authenticate_user.return_value = None
client = _make_client()
resp = client.post("/api/auth/login", data={"username": "bad", "password": "wrong"})
assert resp.status_code == 401
assert "Incorrect username or password" in resp.text
def test_login_rate_limited(self):
"""Banned IP returns 429."""
with patch("src.api.auth.rate_limiter") as mock_rl:
mock_rl.is_banned.return_value = True
client = _make_client()
resp = client.post("/api/auth/login", data={"username": "test", "password": "test"})
assert resp.status_code == 429
assert "Too many login attempts" in resp.text
def test_login_missing_fields(self):
"""Missing form data returns 422."""
client = _make_client()
resp = client.post("/api/auth/login", data={})
assert resp.status_code == 422
class TestMe:
"""GET /api/auth/me"""
def test_me_authenticated(self):
"""Authenticated user returns profile."""
client = _make_client()
resp = client.get("/api/auth/me")
assert resp.status_code == 200
data = resp.json()
assert data["username"] == "testuser"
assert data["email"] == "test@example.com"
def test_me_unauthenticated(self):
"""Unauthenticated request returns 401."""
from src.core.database import get_auth_db
from src.dependencies import get_current_user
app = FastAPI()
from src.api.auth import router
app.include_router(router)
app.dependency_overrides[get_current_user] = lambda: (_ for _ in ()).throw(
HTTPException(status_code=401, detail="Not authenticated")
)
app.dependency_overrides[get_auth_db] = lambda: MagicMock()
client = TestClient(app)
resp = client.get("/api/auth/me")
assert resp.status_code == 401
class TestLogout:
"""POST /api/auth/logout"""
def test_logout_success(self):
"""Valid token blacklisted, returns 200."""
with patch("src.api.auth.blacklist_token") as mock_blacklist:
client = _make_client()
resp = client.post(
"/api/auth/logout",
headers={"Authorization": "Bearer some.jwt.token"},
)
assert resp.status_code == 200
assert resp.json()["message"] == "Successfully logged out"
mock_blacklist.assert_called_once()
def test_logout_no_token_header(self):
"""No Authorization header still succeeds (no token to blacklist)."""
with patch("src.api.auth.blacklist_token") as mock_blacklist:
client = _make_client()
resp = client.post("/api/auth/logout")
assert resp.status_code == 200
mock_blacklist.assert_not_called()
def test_logout_expired_token(self):
"""Expired token — still returns 200 (idempotent)."""
with patch("src.api.auth.blacklist_token") as mock_blacklist:
client = _make_client()
resp = client.post(
"/api/auth/logout",
headers={"Authorization": "Bearer expired.token.here"},
)
assert resp.status_code == 200
mock_blacklist.assert_called_once()
class TestLoginAdfs:
"""GET /api/auth/login/adfs"""
def test_adfs_not_configured(self):
"""ADFS not configured returns 503."""
with patch("src.api.auth.is_adfs_configured", return_value=False):
client = _make_client()
resp = client.get("/api/auth/login/adfs")
assert resp.status_code == 503
assert "ADFS is not configured" in resp.text
def test_adfs_redirect(self):
"""ADFS configured redirects to provider."""
mock_oauth = MagicMock()
mock_oauth.adfs.authorize_redirect = AsyncMock(return_value=None)
with patch("src.api.auth.is_adfs_configured", return_value=True), \
patch("src.api.auth.oauth", mock_oauth):
client = _make_client()
resp = client.get("/api/auth/login/adfs")
assert resp.status_code in (200, 307)
class TestCallbackAdfs:
"""GET /api/auth/callback/adfs"""
def test_callback_not_configured(self):
"""ADFS not configured returns 503."""
with patch("src.api.auth.is_adfs_configured", return_value=False):
client = _make_client()
resp = client.get("/api/auth/callback/adfs")
assert resp.status_code == 503
def test_callback_no_userinfo(self):
"""ADFS token without userinfo returns 400."""
mock_oauth = MagicMock()
mock_oauth.adfs.authorize_access_token = AsyncMock(return_value={})
with patch("src.api.auth.is_adfs_configured", return_value=True), \
patch("src.api.auth.oauth", mock_oauth):
client = _make_client()
resp = client.get("/api/auth/callback/adfs")
assert resp.status_code == 400
assert "Failed to retrieve user info" in resp.text
def test_callback_success(self):
"""ADFS callback provisions user and returns token."""
from types import SimpleNamespace
mock_token = SimpleNamespace(
access_token="adfs.token.xyz",
token_type="bearer",
)
mock_user_info = {"sub": "adfs-user", "email": "adfs@example.com"}
mock_oauth = MagicMock()
mock_oauth.adfs.authorize_access_token = AsyncMock(
return_value={"userinfo": mock_user_info}
)
with patch("src.api.auth.is_adfs_configured", return_value=True), \
patch("src.api.auth.oauth", mock_oauth), \
patch("src.api.auth.AuthService") as MockAuth:
auth_instance = MockAuth.return_value
auth_instance.provision_adfs_user.return_value = MagicMock()
auth_instance.create_session.return_value = mock_token
client = _make_client()
resp = client.get("/api/auth/callback/adfs")
assert resp.status_code == 200
assert resp.json()["access_token"] == "adfs.token.xyz"
# #endregion Test.Api.Auth