AI-Cognitive-Leap/agnes-the-ai-analyst
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

test: RBAC marketplace render test + validation stub drift detectors

Browse source 
- test_render_marketplaces_filtered_by_rbac: seeds 2 marketplaces, 2 groups,
  grants, 2 users; asserts each user's rendered output references only their
  group's marketplace/plugins, not the other's (I-3).
- test_validation_stub_matches_build_context_shape in test_welcome_template_api.py:
  asserts _VALIDATION_STUB_CONTEXT top-level and nested keys (instance, server,
  user) match build_context() output so stub drift is caught in CI (I-4).
- test_validation_stub_matches_build_context_shape in test_setup_banner_api.py:
  same shape check against build_setup_banner_context() (I-4).
This commit is contained in:
ZdenekSrotyr 2026-05-02 20:58:13 +02:00
parent b3ffc98e9f
commit 5bfd8997ea
3 changed files with 156 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
tests/test_setup_banner_api.py
View file

@ -1,5 +1,10 @@
"""End-to-end tests for /api/admin/setup-banner endpoints."""
import duckdb
from src.db import _ensure_schema
from src.setup_banner import build_setup_banner_context
def _auth(token: str) -> dict[str, str]:
return {"Authorization": f"Bearer {token}"}
@ -102,3 +107,33 @@ def test_preview_rejects_invalid_template(seeded_app):
headers=admin,
)
assert r.status_code == 400
def test_validation_stub_matches_build_context_shape(seeded_app, tmp_path, monkeypatch):
"""If build_setup_banner_context grows new keys, _VALIDATION_STUB_CONTEXT
must too otherwise admins can save templates referencing keys the PUT
validator accepts but the live render rejects."""
from app.api.setup_banner import _VALIDATION_STUB_CONTEXT
monkeypatch.setenv("DATA_DIR", str(tmp_path))
db_path = tmp_path / "system.duckdb"
conn = duckdb.connect(str(db_path))
_ensure_schema(conn)
conn.close()
user = {"id": "u1", "email": "admin@test.com", "name": "Admin", "is_admin": True}
real_ctx = build_setup_banner_context(user=user, server_url="https://example.com")
# Top-level keys must match (stub has user=dict, real has user=dict when logged in)
assert set(_VALIDATION_STUB_CONTEXT.keys()) == set(real_ctx.keys()), (
f"_VALIDATION_STUB_CONTEXT top-level keys differ from build_setup_banner_context output. "
f"Stub has: {set(_VALIDATION_STUB_CONTEXT.keys())}, "
f"real has: {set(real_ctx.keys())}"
)
# One level deep for nested dicts
for key in ("instance", "server", "user"):
if isinstance(real_ctx.get(key), dict):
assert set(_VALIDATION_STUB_CONTEXT[key].keys()) == set(real_ctx[key].keys()), (
f"_VALIDATION_STUB_CONTEXT[{key!r}] drifted from build_setup_banner_context output"
)

35
tests/test_welcome_template_api.py
View file

@ -1,5 +1,10 @@
"""End-to-end tests for /api/welcome and /api/admin/welcome-template."""
import duckdb
from src.db import _ensure_schema
from src.welcome_template import build_context
def _auth(token: str) -> dict[str, str]:
return {"Authorization": f"Bearer {token}"}
@ -155,3 +160,33 @@ def test_preview_requires_admin(seeded_app):
headers=analyst,
)
assert r.status_code == 403
def test_validation_stub_matches_build_context_shape(seeded_app, tmp_path, monkeypatch):
"""If build_context grows new keys, _VALIDATION_STUB_CONTEXT must too —
otherwise admins can save templates referencing keys the PUT validator
accepts but the live render rejects."""
from app.api.welcome import _VALIDATION_STUB_CONTEXT
monkeypatch.setenv("DATA_DIR", str(tmp_path))
db_path = tmp_path / "system.duckdb"
conn = duckdb.connect(str(db_path))
_ensure_schema(conn)
user = {"id": "u1", "email": "admin@test.com", "name": "Admin", "is_admin": True, "groups": ["Admin"]}
real_ctx = build_context(conn, user=user, server_url="https://example.com")
conn.close()
# Top-level keys must match
assert set(_VALIDATION_STUB_CONTEXT.keys()) == set(real_ctx.keys()), (
f"_VALIDATION_STUB_CONTEXT top-level keys differ from build_context output. "
f"Stub has: {set(_VALIDATION_STUB_CONTEXT.keys())}, "
f"real has: {set(real_ctx.keys())}"
)
# One level deep for nested dicts
for key in ("instance", "server", "user"):
if isinstance(real_ctx.get(key), dict):
assert set(_VALIDATION_STUB_CONTEXT[key].keys()) == set(real_ctx[key].keys()), (
f"_VALIDATION_STUB_CONTEXT[{key!r}] drifted from build_context output"
)

86
tests/test_welcome_template_renderer.py
View file

@ -1,5 +1,6 @@
"""Unit tests for the welcome-prompt renderer."""
import uuid
from pathlib import Path
import duckdb
@ -56,6 +57,91 @@ def test_context_exposes_documented_keys(conn):
assert top in ctx, f"missing top-level key: {top}"
def test_render_marketplaces_filtered_by_rbac(conn, monkeypatch):
"""Two users with different group memberships render different marketplace lists."""
from app.resource_types import ResourceType
# ── Seed two marketplaces ────────────────────────────────────────────
conn.execute(
"""INSERT INTO marketplace_registry (id, name, url) VALUES
('mkt-a', 'Marketplace A', 'https://github.com/example/mkt-a'),
('mkt-b', 'Marketplace B', 'https://github.com/example/mkt-b')"""
)
# Two plugins per marketplace
for mkt, plugins in [("mkt-a", ["plugin-1", "plugin-2"]), ("mkt-b", ["plugin-3", "plugin-4"])]:
for p in plugins:
conn.execute(
"INSERT INTO marketplace_plugins (marketplace_id, name) VALUES (?, ?)",
[mkt, p],
)
# ── Seed two non-system groups ──────────────────────────────────────
gid_a = str(uuid.uuid4())
gid_b = str(uuid.uuid4())
conn.execute(
"INSERT INTO user_groups (id, name) VALUES (?, ?), (?, ?)",
[gid_a, "group-a", gid_b, "group-b"],
)
# ── Grant mkt-a/* to group-a and mkt-b/* to group-b ─────────────────
rtype = ResourceType.MARKETPLACE_PLUGIN.value
for mkt, gid, plugins in [
("mkt-a", gid_a, ["plugin-1", "plugin-2"]),
("mkt-b", gid_b, ["plugin-3", "plugin-4"]),
]:
for p in plugins:
conn.execute(
"INSERT INTO resource_grants (id, group_id, resource_type, resource_id) "
"VALUES (?, ?, ?, ?)",
[str(uuid.uuid4()), gid, rtype, f"{mkt}/{p}"],
)
# ── Seed two users, each in their own group + Everyone ───────────────
everyone_gid = conn.execute(
"SELECT id FROM user_groups WHERE name = 'Everyone'"
).fetchone()[0]
conn.execute(
"INSERT INTO users (id, email, name, active) VALUES "
"('user-a', 'user-a@example.com', 'User A', TRUE), "
"('user-b', 'user-b@example.com', 'User B', TRUE)"
)
for uid, gid in [("user-a", gid_a), ("user-b", gid_b)]:
conn.execute(
"INSERT INTO user_group_members (user_id, group_id, source) VALUES (?, ?, ?)",
[uid, gid, "admin"],
)
conn.execute(
"INSERT INTO user_group_members (user_id, group_id, source) VALUES (?, ?, ?)",
[uid, everyone_gid, "system_seed"],
)
# ── Render for each user ─────────────────────────────────────────────
WelcomeTemplateRepository(conn).set(
"{% for m in marketplaces %}{{ m.slug }}: "
"{% for p in m.plugins %}{{ p.name }} {% endfor %}{% endfor %}",
updated_by="admin@example.com",
)
user_a = {"id": "user-a", "email": "user-a@example.com", "name": "User A", "is_admin": False, "groups": ["group-a"]}
user_b = {"id": "user-b", "email": "user-b@example.com", "name": "User B", "is_admin": False, "groups": ["group-b"]}
out_a = render_welcome(conn, user=user_a, server_url="https://example.com")
out_b = render_welcome(conn, user=user_b, server_url="https://example.com")
# user-a sees mkt-a plugins only
assert "mkt-a" in out_a
assert "plugin-1" in out_a
assert "mkt-b" not in out_a
assert "plugin-3" not in out_a
# user-b sees mkt-b plugins only
assert "mkt-b" in out_b
assert "plugin-3" in out_b
assert "mkt-a" not in out_b
assert "plugin-1" not in out_b
def test_render_tolerates_missing_optional_tables(tmp_path, monkeypatch):
"""A bare DuckDB without table_registry / marketplace_registry must still render."""
monkeypatch.setenv("DATA_DIR", str(tmp_path))