"""Tests for admin configure and registry API endpoints.""" import ipaddress import socket from unittest.mock import patch import pytest def _auth(token): return {"Authorization": f"Bearer {token}"} class TestAdminConfigure: def test_configure_local_source(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] resp = c.post( "/api/admin/configure", json={"data_source": "local"}, headers=_auth(token), ) assert resp.status_code == 200 data = resp.json() assert data["status"] == "ok" assert data["data_source"] == "local" def test_configure_invalid_source_type_returns_400(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] resp = c.post( "/api/admin/configure", json={"data_source": "invalid_source"}, headers=_auth(token), ) assert resp.status_code == 400 assert "data_source" in resp.json()["detail"].lower() or "must be" in resp.json()["detail"] def test_configure_requires_admin(self, seeded_app): c = seeded_app["client"] token = seeded_app["analyst_token"] resp = c.post( "/api/admin/configure", json={"data_source": "local"}, headers=_auth(token), ) assert resp.status_code == 403 def test_configure_requires_auth(self, seeded_app): c = seeded_app["client"] resp = c.post( "/api/admin/configure", json={"data_source": "local"}, ) assert resp.status_code == 401 def test_configure_bigquery_missing_project_returns_400(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] resp = c.post( "/api/admin/configure", json={"data_source": "bigquery"}, # missing bigquery_project headers=_auth(token), ) assert resp.status_code == 400 def test_configure_bigquery_with_project(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] resp = c.post( "/api/admin/configure", json={"data_source": "bigquery", "bigquery_project": "my-project"}, headers=_auth(token), ) assert resp.status_code == 200 data = resp.json() assert data["data_source"] == "bigquery" def test_configure_missing_data_source_returns_422(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] resp = c.post( "/api/admin/configure", json={}, # missing data_source entirely headers=_auth(token), ) assert resp.status_code == 422 class TestAdminConfigureSSRF: """SSRF protection: keboola_url must not point to private/reserved networks. Uses socket.getaddrinfo + ipaddress checks — tests mock DNS resolution so they work regardless of the test runner's network/IPv6 config. """ @staticmethod def _mock_getaddrinfo(host, port, **kwargs): """Predictable DNS resolution for tests — returns the IP literal as-is.""" try: ip = ipaddress.ip_address(host) family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET return [(family, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (str(ip), port))] except ValueError: # Not an IP literal — let real DNS resolve (for public URL test) return socket.getaddrinfo(host, port, **kwargs) def test_configure_rejects_localhost_url(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] resp = c.post( "/api/admin/configure", json={"data_source": "keboola", "keboola_token": "tok", "keboola_url": "http://localhost:8080"}, headers=_auth(token), ) assert resp.status_code == 400 assert "private" in resp.json()["detail"].lower() or "reserved" in resp.json()["detail"].lower() def test_configure_rejects_127_0_0_1_url(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] with patch("app.api.admin._socket.getaddrinfo", self._mock_getaddrinfo): resp = c.post( "/api/admin/configure", json={"data_source": "keboola", "keboola_token": "tok", "keboola_url": "https://127.0.0.1"}, headers=_auth(token), ) assert resp.status_code == 400 def test_configure_rejects_10_0_0_1_url(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] with patch("app.api.admin._socket.getaddrinfo", self._mock_getaddrinfo): resp = c.post( "/api/admin/configure", json={"data_source": "keboola", "keboola_token": "tok", "keboola_url": "https://10.0.0.1"}, headers=_auth(token), ) assert resp.status_code == 400 def test_configure_rejects_192_168_url(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] with patch("app.api.admin._socket.getaddrinfo", self._mock_getaddrinfo): resp = c.post( "/api/admin/configure", json={"data_source": "keboola", "keboola_token": "tok", "keboola_url": "https://192.168.1.1"}, headers=_auth(token), ) assert resp.status_code == 400 def test_configure_rejects_169_254_metadata_url(self, seeded_app): """169.254.x.x (link-local) must be rejected — cloud metadata endpoint.""" c = seeded_app["client"] token = seeded_app["admin_token"] with patch("app.api.admin._socket.getaddrinfo", self._mock_getaddrinfo): resp = c.post( "/api/admin/configure", json={"data_source": "keboola", "keboola_token": "tok", "keboola_url": "http://169.254.169.254"}, headers=_auth(token), ) assert resp.status_code == 400 def test_configure_rejects_ipv6_loopback(self, seeded_app): """IPv6 loopback ::1 must be rejected.""" c = seeded_app["client"] token = seeded_app["admin_token"] with patch("app.api.admin._socket.getaddrinfo", self._mock_getaddrinfo): resp = c.post( "/api/admin/configure", json={"data_source": "keboola", "keboola_token": "tok", "keboola_url": "http://[::1]:8080"}, headers=_auth(token), ) assert resp.status_code == 400 def test_configure_rejects_ipv6_link_local(self, seeded_app): """IPv6 link-local fe80::1 must be rejected.""" c = seeded_app["client"] token = seeded_app["admin_token"] with patch("app.api.admin._socket.getaddrinfo", self._mock_getaddrinfo): resp = c.post( "/api/admin/configure", json={"data_source": "keboola", "keboola_token": "tok", "keboola_url": "http://[fe80::1]:8080"}, headers=_auth(token), ) assert resp.status_code == 400 def test_configure_rejects_ipv6_unique_local(self, seeded_app): """IPv6 unique-local fc00::1 must be rejected.""" c = seeded_app["client"] token = seeded_app["admin_token"] with patch("app.api.admin._socket.getaddrinfo", self._mock_getaddrinfo): resp = c.post( "/api/admin/configure", json={"data_source": "keboola", "keboola_token": "tok", "keboola_url": "http://[fc00::1]:8080"}, headers=_auth(token), ) assert resp.status_code == 400 def test_configure_rejects_ipv6_multicast(self, seeded_app): """IPv6 multicast ff02::1 must be rejected.""" c = seeded_app["client"] token = seeded_app["admin_token"] with patch("app.api.admin._socket.getaddrinfo", self._mock_getaddrinfo): resp = c.post( "/api/admin/configure", json={"data_source": "keboola", "keboola_token": "tok", "keboola_url": "http://[ff02::1]:8080"}, headers=_auth(token), ) assert resp.status_code == 400 def test_configure_accepts_public_url(self, seeded_app): """A public URL should pass SSRF validation (connection test may still fail).""" c = seeded_app["client"] token = seeded_app["admin_token"] resp = c.post( "/api/admin/configure", json={"data_source": "keboola", "keboola_token": "tok", "keboola_url": "https://connection.keboola.com"}, headers=_auth(token), ) # Should NOT be 400 with SSRF message — may be 400 from failed connection test, or 200 if resp.status_code == 400: assert "private" not in resp.json()["detail"].lower() class TestAdminRegistry: def test_list_registry_empty(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] resp = c.get("/api/admin/registry", headers=_auth(token)) assert resp.status_code == 200 data = resp.json() assert "tables" in data assert "count" in data assert data["count"] == 0 def test_list_registry_requires_admin(self, seeded_app): c = seeded_app["client"] token = seeded_app["analyst_token"] resp = c.get("/api/admin/registry", headers=_auth(token)) assert resp.status_code == 403 def test_list_registry_requires_auth(self, seeded_app): c = seeded_app["client"] resp = c.get("/api/admin/registry") assert resp.status_code == 401 class TestRegisterTable: def test_register_table_success(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] resp = c.post( "/api/admin/register-table", json={"name": "orders", "source_type": "keboola", "bucket": "in.c-crm", "source_table": "orders", "query_mode": "local"}, headers=_auth(token), ) assert resp.status_code == 201 data = resp.json() assert data["id"] == "orders" assert data["name"] == "orders" assert data["status"] == "registered" def test_register_table_appears_in_registry(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] c.post( "/api/admin/register-table", json={"name": "customers", "source_type": "keboola"}, headers=_auth(token), ) resp = c.get("/api/admin/registry", headers=_auth(token)) assert resp.status_code == 200 names = [t["name"] for t in resp.json()["tables"]] assert "customers" in names def test_register_duplicate_returns_409(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] # Register once c.post( "/api/admin/register-table", json={"name": "dup_table"}, headers=_auth(token), ) # Register again resp = c.post( "/api/admin/register-table", json={"name": "dup_table"}, headers=_auth(token), ) assert resp.status_code == 409 def test_register_requires_admin(self, seeded_app): c = seeded_app["client"] token = seeded_app["analyst_token"] resp = c.post( "/api/admin/register-table", json={"name": "new_table"}, headers=_auth(token), ) assert resp.status_code == 403 def test_register_requires_auth(self, seeded_app): c = seeded_app["client"] resp = c.post( "/api/admin/register-table", json={"name": "new_table"}, ) assert resp.status_code == 401 def test_register_table_with_all_fields(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] resp = c.post( "/api/admin/register-table", json={ "name": "full_table", "source_type": "keboola", "bucket": "in.c-crm", "source_table": "full_table", "query_mode": "local", "sync_schedule": "0 6 * * *", "description": "Full configuration table", "profile_after_sync": True, }, headers=_auth(token), ) assert resp.status_code == 201 class TestDeleteRegistryTable: def test_delete_registered_table(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] # Register c.post( "/api/admin/register-table", json={"name": "to_delete"}, headers=_auth(token), ) # Delete resp = c.delete("/api/admin/registry/to_delete", headers=_auth(token)) assert resp.status_code == 204 # Verify gone from registry list_resp = c.get("/api/admin/registry", headers=_auth(token)) names = [t["name"] for t in list_resp.json()["tables"]] assert "to_delete" not in names def test_delete_nonexistent_table_returns_404(self, seeded_app): c = seeded_app["client"] token = seeded_app["admin_token"] resp = c.delete("/api/admin/registry/nonexistent_table", headers=_auth(token)) assert resp.status_code == 404 def test_delete_requires_admin(self, seeded_app): c = seeded_app["client"] token = seeded_app["analyst_token"] resp = c.delete("/api/admin/registry/some_table", headers=_auth(token)) assert resp.status_code == 403 def test_delete_requires_auth(self, seeded_app): c = seeded_app["client"] resp = c.delete("/api/admin/registry/some_table") assert resp.status_code == 401 class TestDiscoverAndRegister: def test_discover_and_register_requires_admin(self, seeded_app): c = seeded_app["client"] token = seeded_app["analyst_token"] resp = c.post("/api/admin/discover-and-register", headers=_auth(token)) assert resp.status_code == 403 def test_discover_and_register_requires_auth(self, seeded_app): c = seeded_app["client"] resp = c.post("/api/admin/discover-and-register") assert resp.status_code == 401 def test_discover_and_register_non_keboola_returns_zero(self, seeded_app): """With no keboola config, discover-and-register returns 0 registered tables.""" c = seeded_app["client"] token = seeded_app["admin_token"] # Configure as local (non-keboola) c.post( "/api/admin/configure", json={"data_source": "local"}, headers=_auth(token), ) resp = c.post("/api/admin/discover-and-register", headers=_auth(token)) assert resp.status_code == 200 data = resp.json() assert data["registered"] == 0 assert data["source"] != "keboola"