AI-Cognitive-Leap/agnes-the-ai-analyst
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'worktree-agent-a417e289' into feature/v2-fastapi-duckdb-docker-cli

Browse source
This commit is contained in:
ZdenekSrotyr 2026-04-12 14:24:39 +02:00
commit ed58075419
4 changed files with 85 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
tests/test_api_complete.py
View file

@ -237,3 +237,16 @@ class TestUpload:
headers=_h(client["admin"]),
)
assert resp.status_code == 413
def test_upload_does_not_leak_absolute_path(self, client):
"""Upload response should not contain absolute filesystem paths."""
import io
resp = client["client"].post(
"/api/upload/artifacts",
files={"file": ("test.txt", io.BytesIO(b"hello"), "text/plain")},
headers=_h(client["admin"]),
)
assert resp.status_code == 200
data = resp.json()
assert not data.get("path", "").startswith("/"), "Response should not leak absolute path"
assert "filename" in data, "Response should contain filename"

24
tests/test_instance_config.py
View file

@ -10,3 +10,27 @@ class TestInstanceConfig:
from app.instance_config import get_instance_name
name = get_instance_name()
assert isinstance(name, str)
def test_reads_nested_instance_name(self, tmp_path, monkeypatch):
"""get_instance_name should read instance.name from YAML, not flat instance_name."""
monkeypatch.setenv("DATA_DIR", str(tmp_path))
monkeypatch.setenv("TESTING", "1")
monkeypatch.setenv("JWT_SECRET_KEY", "test-secret-key-min-32-characters!!")
state_dir = tmp_path / "state"
state_dir.mkdir(exist_ok=True)
(state_dir / "instance.yaml").write_text(
"instance:\n name: Acme Analytics\n subtitle: Data Team\n"
)
import importlib
import app.instance_config as mod
# Reset cached config to force reload
mod._instance_config = None
importlib.reload(mod)
assert mod.get_instance_name() == "Acme Analytics"
assert mod.get_instance_subtitle() == "Data Team"
# Cleanup: reset cache after test
mod._instance_config = None

44
tests/test_security.py
View file

@ -281,6 +281,50 @@ class TestAuthSecurity:
assert resp.status_code == 401
# ---- Script RBAC ----
@pytest.fixture
def viewer_client(tmp_path, monkeypatch):
"""TestClient with a viewer-role user seeded."""
monkeypatch.setenv("DATA_DIR", str(tmp_path))
monkeypatch.setenv("JWT_SECRET_KEY", "test-secret-32chars-minimum!!!!!")
monkeypatch.setenv("SCRIPT_TIMEOUT", "5")
from app.main import create_app
from src.db import get_system_db
from src.repositories.users import UserRepository
from app.auth.jwt import create_access_token
from fastapi.testclient import TestClient
conn = get_system_db()
UserRepository(conn).create(id="viewer1", email="viewer@test.com", name="Viewer", role="viewer")
conn.close()
app = create_app()
c = TestClient(app)
token = create_access_token(user_id="viewer1", email="viewer@test.com", role="viewer")
return c, token
class TestScriptRBAC:
def test_viewer_cannot_run_scripts(self, viewer_client):
"""Viewers should not be able to execute scripts."""
c, token = viewer_client
headers = {"Authorization": f"Bearer {token}"}
resp = c.post("/api/scripts/run", json={
"name": "test", "source": "print('hi')"
}, headers=headers)
assert resp.status_code == 403
def test_viewer_cannot_deploy_scripts(self, viewer_client):
c, token = viewer_client
headers = {"Authorization": f"Bearer {token}"}
resp = c.post("/api/scripts/deploy", json={
"name": "test", "source": "print('hi')", "schedule": ""
}, headers=headers)
assert resp.status_code == 403
# ---- JWT Claims ----
class TestJwtClaims:

4
tests/test_web_ui.py
View file

@ -109,3 +109,7 @@ class TestAdminRoleGuards:
def test_admin_can_access_admin_permissions(self, web_client, admin_cookie):
resp = web_client.get("/admin/permissions", cookies=admin_cookie)
assert resp.status_code == 200
def test_analyst_cannot_access_corporate_memory_admin(self, web_client, admin_cookie, analyst_cookie):
resp = web_client.get("/corporate-memory/admin", cookies=analyst_cookie)
assert resp.status_code == 403