"""Tests for security-critical config behavior."""
from __future__ import annotations
import os
import pytest
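def test_jwt_secret_autogenerated_in_dev(monkeypatch):
    """In non-production, an empty JWT_SECRET should auto-generate.

    The environment is set through pytest's ``monkeypatch`` fixture so every
    variable is restored when the test ends; the previous direct writes to
    ``os.environ`` leaked ``ENVIRONMENT``/``JWT_SECRET`` into every test that
    ran afterwards and made the outcome depend on test order.
    """
    monkeypatch.setenv("ENVIRONMENT", "development")
    monkeypatch.setenv("JWT_SECRET", "")
    # Pinned explicitly (not setdefault) so the result does not depend on
    # whatever DATABASE_URL the developer's shell or CI job happens to export.
    monkeypatch.setenv("DATABASE_URL", "sqlite:///:memory:")
    # Imported lazily so the environment above is in place before the
    # config module is loaded and Settings is instantiated.
    from app.core.config import Settings

    settings = Settings()
    assert settings.jwt_secret != ""
    assert len(settings.jwt_secret) == 64  # hex(32 bytes) = 64 chars
    # The 64 chars must actually be hex, i.e. 32 bytes of material; a
    # 64-char value that is not hex would indicate a different generator.
    assert len(bytes.fromhex(settings.jwt_secret)) == 32
    # NOTE(review): it would be worth also asserting that two instantiations
    # yield different secrets (unpredictability), but only if Settings does
    # not cache or persist the generated value -- confirm before adding.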
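def test_jwt_secret_fails_in_production_when_empty(monkeypatch):
    """In production, an empty JWT_SECRET must raise, not silently generate.

    Uses ``monkeypatch`` so the production environment does not leak into
    later tests, and a production-acceptable DATABASE_URL so the only
    validation that can fail here is the JWT_SECRET check.
    """
    monkeypatch.setenv("ENVIRONMENT", "production")
    monkeypatch.setenv("JWT_SECRET", "")
    # The sqlite in-memory URL used previously is itself rejected in
    # production by validate_database_url, so the test only passed because
    # the JWT check happened to run first. Pin a URL the production
    # validator accepts so the assertion below is unambiguously about
    # JWT_SECRET.
    monkeypatch.setenv(
        "DATABASE_URL", "postgresql://user:pass@db.example.com:5432/depscreen"
    )
    from app.core.config import Settings

    with pytest.raises(ValueError, match="JWT_SECRET must be explicitly set"):
        Settings()
    # NOTE(review): only the empty-string case is covered; the variable being
    # entirely unset (monkeypatch.delenv("JWT_SECRET", raising=False)) should
    # fail with the same message -- confirm Settings' default handles it.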
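def test_jwt_secret_fails_in_production_with_known_default(monkeypatch):
    """Known defaults like the old docker-compose fallback must also fail.

    A secret that shipped in a public compose file is as good as no secret:
    anyone can mint valid tokens with it, so production must refuse it
    exactly like an empty value.
    """
    monkeypatch.setenv("ENVIRONMENT", "production")
    monkeypatch.setenv("JWT_SECRET", "depscreen-docker-secret")
    # Production rejects sqlite/localhost database URLs, so use one the
    # database validator accepts; otherwise the raised error could be about
    # the database rather than the known-default secret.
    monkeypatch.setenv(
        "DATABASE_URL", "postgresql://user:pass@db.example.com:5432/depscreen"
    )
    from app.core.config import Settings

    with pytest.raises(ValueError, match="JWT_SECRET must be explicitly set"):
        Settings()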
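def test_jwt_secret_accepted_in_production_when_explicit(monkeypatch):
    """A real secret in production should be accepted as-is.

    Environment is set via ``monkeypatch`` so the production DATABASE_URL and
    secret written here are undone afterwards instead of leaking into tests
    that expect development defaults.
    """
    monkeypatch.setenv("ENVIRONMENT", "production")
    # NOTE(review): a single repeated character is accepted by the current
    # validator; if a minimum-entropy check is ever added this fixture value
    # will need to become a real random secret.
    monkeypatch.setenv("JWT_SECRET", "a" * 64)
    # Must supply a non-localhost/non-sqlite DATABASE_URL so the
    # validate_database_url validator doesn't block this test.
    monkeypatch.setenv(
        "DATABASE_URL", "postgresql://user:pass@db.example.com:5432/depscreen"
    )
    from app.core.config import Settings

    settings = Settings()
    # Accepted verbatim: no trimming, hashing or re-generation in production.
    assert settings.jwt_secret == "a" * 64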