"""Phase 2 — Priority 7: ISSUE-182 interim RBAC mitigation."""
import os
import sys
# Process environment for the backend under test. These are set at module
# level, before ``auth_service`` and ``main`` are imported below, so that the
# values are already in place at import time (presumably when those modules
# read them — confirm against the backend). Dev-mode auth is forced on
# unconditionally for this test process; the other two are defaults only and
# yield to values the caller's environment already provides.
os.environ.setdefault("CEPHEUS_CLOUD", "1")
os.environ["CEPHEUS_AUTH_DEV_MODE"] = "1"
os.environ.setdefault("CEPHEUS_API_KEY", "test-key")

# Make the backend root (the parent of this ``tests`` directory) importable,
# without adding a duplicate sys.path entry if the module is imported twice.
BACKEND_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), os.pardir))
if BACKEND_DIR not in sys.path:
    sys.path.insert(0, BACKEND_DIR)
import pytest
from fastapi.testclient import TestClient
import auth_service
import main
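# Operator-level credential used by the "API key caller" tests. The key is
# read back from the environment instead of being hard-coded: this module only
# ``setdefault``s CEPHEUS_API_KEY, so if the caller's environment already
# carries a different key the header would not match what the app was
# configured with, and the 403 assertions below could fail or pass for the
# wrong reason (a rejected credential rather than the RBAC denial under test).
API_HEADERS = {"X-API-Key": os.environ.get("CEPHEUS_API_KEY", "test-key")}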
def _staff_token(client):
    """Log in as the dev-mode ``staff`` user and return its bearer token.

    Fails the calling test outright if ``/auth/login`` does not answer 200,
    so a broken login is reported as such rather than as a spurious 403.
    """
    credentials = {"username": "staff", "password": "staff"}
    response = client.post("/auth/login", json=credentials)
    assert response.status_code == 200
    body = response.json()
    return body["access_token"]
def _admin_token(client):
    """Log in as the dev-mode ``admin`` user and return its bearer token.

    Fails the calling test outright if ``/auth/login`` does not answer 200,
    so a broken login is reported as such rather than as a spurious 403.
    """
    credentials = {"username": "admin", "password": "admin"}
    response = client.post("/auth/login", json=credentials)
    assert response.status_code == 200
    body = response.json()
    return body["access_token"]
@pytest.fixture(autouse=True)
def _enable_dev_auth(monkeypatch):
    """Force dev-mode auth with a fixed admin/staff user set for every test.

    Applied automatically so each test sees the same two accounts regardless
    of the surrounding environment; ``monkeypatch`` restores the variables
    afterwards. The user list is a JSON document and must stay valid JSON.
    """
    dev_users = (
        '[{"username":"admin","password":"admin","role":"admin"},'
        '{"username":"staff","password":"staff","role":"staff"}]'
    )
    monkeypatch.setenv("CEPHEUS_AUTH_DEV_MODE", "1")
    monkeypatch.setenv("CEPHEUS_DEV_AUTH_USERS", dev_users)
@pytest.fixture
def client():
    """Provide a synchronous test client bound to the backend's FastAPI app."""
    app = main.app
    return TestClient(app)
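def test_operator_api_key_cannot_delete_signage(client, monkeypatch):
    """An API-key (operator) caller must be denied signage deletion.

    A placement is seeded into ``main.signage_placements`` so the DELETE
    targets an existing entry. Besides the 403, the test checks that the
    entry is still present afterwards: a denial that had already performed
    the deletion would be a broken RBAC gate even though it returns 403.
    """
    placement_id = "s1"
    monkeypatch.setitem(main.signage_placements, placement_id, {"lat": 1, "lng": 2})
    response = client.delete(
        f"/site/signage-placements/{placement_id}", headers=API_HEADERS
    )
    assert response.status_code == 403
    # The refusal must be enforced before any state change.
    assert placement_id in main.signage_placements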
def test_admin_jwt_can_clear_gossip(client):
    """A caller holding an admin JWT is allowed to clear gossip (200).

    Positive control for the staff-denied case: proves the endpoint is
    reachable with the right role and that the 403 below is a role decision,
    not a broken route.
    """
    bearer = {"Authorization": f"Bearer {_admin_token(client)}"}
    response = client.post("/gossip/clear", headers=bearer)
    assert response.status_code == 200
def test_staff_jwt_cannot_clear_gossip(client):
    """A caller holding a staff JWT is refused on gossip clearing (403).

    The token is a valid, freshly issued credential, so the expected 403 is
    an authorization (role) decision rather than an authentication failure.
    """
    bearer = {"Authorization": f"Bearer {_staff_token(client)}"}
    response = client.post("/gossip/clear", headers=bearer)
    assert response.status_code == 403
def test_staff_jwt_cannot_register_face(client):
    """A caller holding a staff JWT is refused on face registration (403).

    The upload is a placeholder JPEG body; the request is expected to be
    rejected on role before the file content matters, so no real image is
    needed.
    """
    bearer = {"Authorization": f"Bearer {_staff_token(client)}"}
    form_fields = {"name": "Test"}
    upload = {"file": ("x.jpg", b"fake", "image/jpeg")}
    response = client.post(
        "/register_face", headers=bearer, data=form_fields, files=upload
    )
    assert response.status_code == 403