"""Phase 2 — Priority 7: ISSUE-182 interim RBAC mitigation.""" import os import sys os.environ.setdefault("CEPHEUS_CLOUD", "1") os.environ["CEPHEUS_AUTH_DEV_MODE"] = "1" os.environ.setdefault("CEPHEUS_API_KEY", "test-key") BACKEND_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) if BACKEND_DIR not in sys.path: sys.path.insert(0, BACKEND_DIR) import pytest from fastapi.testclient import TestClient import auth_service import main API_HEADERS = {"X-API-Key": "test-key"} def _staff_token(client): r = client.post("/auth/login", json={"username": "staff", "password": "staff"}) assert r.status_code == 200 return r.json()["access_token"] def _admin_token(client): r = client.post("/auth/login", json={"username": "admin", "password": "admin"}) assert r.status_code == 200 return r.json()["access_token"] @pytest.fixture(autouse=True) def _enable_dev_auth(monkeypatch): monkeypatch.setenv("CEPHEUS_AUTH_DEV_MODE", "1") monkeypatch.setenv( "CEPHEUS_DEV_AUTH_USERS", '[{"username":"admin","password":"admin","role":"admin"},' '{"username":"staff","password":"staff","role":"staff"}]', ) @pytest.fixture def client(): return TestClient(main.app) def test_operator_api_key_cannot_delete_signage(client, monkeypatch): monkeypatch.setitem(main.signage_placements, "s1", {"lat": 1, "lng": 2}) r = client.delete("/site/signage-placements/s1", headers=API_HEADERS) assert r.status_code == 403 def test_admin_jwt_can_clear_gossip(client): token = _admin_token(client) r = client.post("/gossip/clear", headers={"Authorization": f"Bearer {token}"}) assert r.status_code == 200 def test_staff_jwt_cannot_clear_gossip(client): token = _staff_token(client) r = client.post("/gossip/clear", headers={"Authorization": f"Bearer {token}"}) assert r.status_code == 403 def test_staff_jwt_cannot_register_face(client): token = _staff_token(client) r = client.post( "/register_face", headers={"Authorization": f"Bearer {token}"}, data={"name": "Test"}, files={"file": ("x.jpg", b"fake", "image/jpeg")}, ) assert r.status_code == 403