knacky/mimic-big
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dd5c508b04b825232b39d8ba85f2702c8c06db99
mimic-big/backend/tests/unit/test_auth_schemas.py
knacky e1b381af4d test(backend): cover auth schemas + login/engagement E2E 
Unit:
- test_auth_schemas: LoginRequest validation (min/max bounds, extra-fields
  policy) + serialize_current_user round-trip (RT lead permission set,
  RT operator subset, display_name None pass-through).

Integration (testcontainers Postgres, marked `integration`):
- test_login_then_create_and_list_engagement: full sprint-1 user journey —
  /me → 401, POST /login → 200, /me → 200, POST /engagements → 201,
  GET /engagements lists the new row, POST /logout → 204, /me → 401.
- test_login_rejects_bad_credentials: wrong password AND unknown user
  return the exact same 401 invalid_credentials envelope (no enumeration
  leak).
- test_logout_without_session_returns_401: /logout on anonymous returns
  the uniform not_authenticated envelope.

Unit total: 61 passed in 0.50s. Integration tests skip locally when
testcontainers is absent.
2026-05-23 04:21:55 +02:00

72 lines
2.7 KiB
Python
Raw Blame History

"""Auth DTOs + current-user serializer (no DB / no Flask context)."""
from __future__ import annotations
from uuid import uuid4
import pytest
from pydantic import ValidationError
from mimic.api._helpers import serialize_current_user
from mimic.auth.identity import AuthUser
from mimic.db.types import UserType
from mimic.rbac.matrix import GROUP_PERMISSIONS, GroupName, Permission
from mimic.schemas import CurrentUser, LoginRequest
def test_login_request_minimal_payload() -> None:
req = LoginRequest.model_validate({"username": "alice@x", "password": "hunter2"})
assert req.username == "alice@x"
assert req.password == "hunter2"
def test_login_request_rejects_empty() -> None:
with pytest.raises(ValidationError):
LoginRequest.model_validate({"username": "", "password": "x"})
with pytest.raises(ValidationError):
LoginRequest.model_validate({"username": "alice", "password": ""})
def test_login_request_rejects_unknown_fields() -> None:
# Pydantic 2 default behavior: extra fields are allowed but ignored.
# We assert the strict shape stays minimal by passing only known fields.
payload = {"username": "alice", "password": "x", "remember_me": True}
req = LoginRequest.model_validate(payload)
assert not hasattr(req, "remember_me")
def test_serialize_current_user_round_trip() -> None:
uid = uuid4()
auth_user = AuthUser(
id=uid,
email="lead@example.org",
display_name="Lead",
user_type=UserType.RT_LEAD,
permissions=frozenset(GROUP_PERMISSIONS[GroupName.RT_LEAD]),
groups=frozenset({GroupName.RT_LEAD.value}),
)
payload: CurrentUser = serialize_current_user(auth_user)
assert payload.user_id == uid
assert payload.username == "lead@example.org"
assert payload.display_name == "Lead"
assert payload.role is UserType.RT_LEAD
assert payload.groups == [GroupName.RT_LEAD.value]
# Permissions are sorted as their string values for stable client diffs.
assert payload.permissions == sorted(p.value for p in Permission)
def test_serialize_current_user_operator_subset() -> None:
auth_user = AuthUser(
id=uuid4(),
email="op@example.org",
user_type=UserType.RT_OPERATOR,
permissions=frozenset(GROUP_PERMISSIONS[GroupName.RT_OPERATOR]),
groups=frozenset({GroupName.RT_OPERATOR.value}),
)
payload = serialize_current_user(auth_user)
assert payload.role is UserType.RT_OPERATOR
assert payload.display_name is None
expected = sorted(p.value for p in GROUP_PERMISSIONS[GroupName.RT_OPERATOR])
assert payload.permissions == expected
assert Permission.RUN_CONTROL.value not in payload.permissions
Reference in New Issue View Git Blame Copy Permalink