| """Phase 2 — Priority 7: ISSUE-182 interim RBAC mitigation.""" |
| import os |
| import sys |
|
|
# Process-level test environment. These are written before `main` is imported
# further down, so whatever the app reads from the environment at import time
# already sees them. CEPHEUS_AUTH_DEV_MODE is forced on (not defaulted): it is
# what lets the throwaway dev users in the fixtures below log in, and this
# module must never be imported by non-test code for that reason. The cloud
# flag and API key are only defaulted so an explicitly exported value wins.
os.environ.setdefault("CEPHEUS_CLOUD", "1")
os.environ["CEPHEUS_AUTH_DEV_MODE"] = "1"
os.environ.setdefault("CEPHEUS_API_KEY", "test-key")

# BACKEND_DIR is the parent of this file's directory; put it first on sys.path
# so `import main` / `import auth_service` resolve when pytest is launched from
# another working directory.
BACKEND_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), os.pardir))
if BACKEND_DIR not in sys.path:
    sys.path.insert(0, BACKEND_DIR)
|
|
| import pytest |
| from fastapi.testclient import TestClient |
|
|
| import auth_service |
| import main |
|
|
# Operator API-key header used by the 403 tests; the value is the same
# throwaway key that CEPHEUS_API_KEY is defaulted to at module import.
API_HEADERS: dict[str, str] = {"X-API-Key": "test-key"}
|
|
|
|
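def _staff_token(client):
    """Log in as the dev-mode ``staff`` user and return its bearer token.

    The credentials are the throwaway ones injected by the autouse
    ``_enable_dev_auth`` fixture and only work while CEPHEUS_AUTH_DEV_MODE is on.

    Args:
        client: TestClient bound to ``main.app``.

    Returns:
        The ``access_token`` string from the login response.

    Raises:
        AssertionError: if login does not return 200 or the body has no token;
            the response text is attached so a misconfigured dev-user list is
            visible in the failure instead of a bare status code.
    """
    r = client.post("/auth/login", json={"username": "staff", "password": "staff"})
    assert r.status_code == 200, r.text
    body = r.json()
    assert "access_token" in body, body
    return body["access_token"]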
|
|
|
|
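def _admin_token(client):
    """Log in as the dev-mode ``admin`` user and return its bearer token.

    The credentials are the throwaway ones injected by the autouse
    ``_enable_dev_auth`` fixture and only work while CEPHEUS_AUTH_DEV_MODE is on.

    Args:
        client: TestClient bound to ``main.app``.

    Returns:
        The ``access_token`` string from the login response.

    Raises:
        AssertionError: if login does not return 200 or the body has no token;
            the response text is attached so a misconfigured dev-user list is
            visible in the failure instead of a bare status code.
    """
    r = client.post("/auth/login", json={"username": "admin", "password": "admin"})
    assert r.status_code == 200, r.text
    body = r.json()
    assert "access_token" in body, body
    return body["access_token"]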
|
|
|
|
@pytest.fixture(autouse=True)
def _enable_dev_auth(monkeypatch):
    """Point every test at the dev-mode authenticator with two known users.

    ``admin``/``admin`` (role admin) and ``staff``/``staff`` (role staff) are
    throwaway credentials that exist only for the duration of a test;
    monkeypatch restores the environment afterwards. Whether ``auth_service``
    re-reads these variables per request or only once at import is not visible
    from this file — if a login unexpectedly fails, check that first.
    """
    dev_users = (
        '[{"username":"admin","password":"admin","role":"admin"},'
        '{"username":"staff","password":"staff","role":"staff"}]'
    )
    for name, value in (
        ("CEPHEUS_AUTH_DEV_MODE", "1"),
        ("CEPHEUS_DEV_AUTH_USERS", dev_users),
    ):
        monkeypatch.setenv(name, value)
|
|
|
|
@pytest.fixture
def client():
    """Fresh TestClient over the real FastAPI app (``main.app``) for each test."""
    app_client = TestClient(main.app)
    return app_client
|
|
|
|
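def test_operator_api_key_cannot_delete_signage(client, monkeypatch):
    """An operator API key must not be able to delete a signage placement.

    Seeds one placement directly into ``main.signage_placements`` (monkeypatch
    removes it afterwards), attempts the delete with only the operator key, and
    checks both the 403 and that the placement is still present. Asserting on the
    status alone would let a handler that mutates state before authorising pass.
    """
    monkeypatch.setitem(main.signage_placements, "s1", {"lat": 1, "lng": 2})
    r = client.delete("/site/signage-placements/s1", headers=API_HEADERS)
    assert r.status_code == 403, r.text
    # A denied request must leave the store untouched.
    assert "s1" in main.signage_placements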
|
|
|
|
def test_admin_jwt_can_clear_gossip(client):
    """An admin bearer token is accepted (200) by the gossip clear endpoint."""
    auth = {"Authorization": f"Bearer {_admin_token(client)}"}
    r = client.post("/gossip/clear", headers=auth)
    assert r.status_code == 200
|
|
|
|
def test_staff_jwt_cannot_clear_gossip(client):
    """A staff bearer token is refused (403) by the gossip clear endpoint.

    Paired with ``test_admin_jwt_can_clear_gossip``: the same request with an
    admin token succeeds, so the 403 is attributable to the role, not the route.
    """
    auth = {"Authorization": f"Bearer {_staff_token(client)}"}
    r = client.post("/gossip/clear", headers=auth)
    assert r.status_code == 403
|
|
|
|
def test_staff_jwt_cannot_register_face(client):
    """Face registration is refused (403) for a staff bearer token.

    The upload is deliberately junk bytes: the request is expected to be
    rejected on authorisation before the file is looked at. If the endpoint
    validated the image first, a different 4xx would surface here instead.
    """
    auth = {"Authorization": f"Bearer {_staff_token(client)}"}
    form = {"name": "Test"}
    upload = {"file": ("x.jpg", b"fake", "image/jpeg")}
    r = client.post("/register_face", headers=auth, data=form, files=upload)
    assert r.status_code == 403
|
|