Source code for test.cata_log_hub.test_security

# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Cata-Log - the central hub for digital flyers
# Copyright (C) 2026 David Aderbauer & The Cata-Log Contributors
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

import pytest
from fastapi.exceptions import HTTPException
from fastapi.security import HTTPBasicCredentials
from httpx import Request, codes

from cata_log_hub import security


[docs] def test_verify_credentials__get__success(faker, fake_credentials): security.verify_credentials( request=Request( method="GET", url=faker.uri_path(), ), credentials=HTTPBasicCredentials( username=fake_credentials[0], password=fake_credentials[1] ), )
[docs] def test_verify_credentials__post__success(faker, fake_credentials): security.verify_credentials( request=Request( method="POST", url=faker.uri_path(), ), credentials=HTTPBasicCredentials( username=fake_credentials[0], password=fake_credentials[1] ), )
[docs] def test_verify_credentials__get__bad_auth(faker, fake_credentials): with pytest.raises( HTTPException, ) as exc_info: security.verify_credentials( request=Request( method="GET", url=faker.uri_path(), ), credentials=HTTPBasicCredentials( username=faker.user_name(), password=faker.password() ), ) assert exc_info.value.status_code == codes.UNAUTHORIZED assert exc_info.value.headers is not None assert "WWW-Authenticate" in exc_info.value.headers assert exc_info.value.headers["WWW-Authenticate"] == "Basic"
[docs] def test_verify_credentials__post__bad_auth(faker, fake_credentials): with pytest.raises(HTTPException) as exc_info: security.verify_credentials( request=Request( method="POST", url=faker.uri_path(), ), credentials=HTTPBasicCredentials( username=faker.user_name(), password=faker.password() ), ) assert exc_info.value.status_code == codes.UNAUTHORIZED assert exc_info.value.headers is not None assert "WWW-Authenticate" in exc_info.value.headers assert exc_info.value.headers["WWW-Authenticate"] == "Basic"
[docs] def test_verify_credentials__get__bad_auth__public_get( faker, fake_credentials, public_get ): security.verify_credentials( request=Request( method="GET", url=faker.uri_path(), ), credentials=HTTPBasicCredentials( username=faker.user_name(), password=faker.password() ), )
[docs] def test_verify_credentials__post__bad_auth__public_get( faker, fake_credentials, public_get ): with pytest.raises(HTTPException) as exc_info: security.verify_credentials( request=Request( method="POST", url=faker.uri_path(), ), credentials=HTTPBasicCredentials( username=faker.user_name(), password=faker.password() ), ) assert exc_info.value.status_code == codes.UNAUTHORIZED assert exc_info.value.headers is not None assert "WWW-Authenticate" in exc_info.value.headers assert exc_info.value.headers["WWW-Authenticate"] == "Basic"
[docs] def test_verify_credentials__get__noauth__public_get( faker, fake_credentials, public_get ): security.verify_credentials( request=Request( method="GET", url=faker.uri_path(), ), credentials=None, )
[docs] def test_verify_credentials__post__noauth__public_get( faker, fake_credentials, public_get ): with pytest.raises(HTTPException) as exc_info: security.verify_credentials( request=Request( method="POST", url=faker.uri_path(), ), credentials=None, ) assert exc_info.value.status_code == codes.UNAUTHORIZED assert exc_info.value.headers is not None assert "WWW-Authenticate" in exc_info.value.headers assert exc_info.value.headers["WWW-Authenticate"] == "Basic"
[docs] def test_verify_credentials__get__no_password(faker, fake_username): with pytest.raises(HTTPException) as exc_info: security.verify_credentials( request=Request( method="GET", url=faker.uri_path(), ), credentials=HTTPBasicCredentials(username=fake_username, password=""), ) assert exc_info.value.status_code == codes.UNAUTHORIZED assert exc_info.value.headers is not None assert "WWW-Authenticate" in exc_info.value.headers assert exc_info.value.headers["WWW-Authenticate"] == "Basic"
[docs] def test_verify_credentials__post__no_password(faker, fake_username): with pytest.raises(HTTPException) as exc_info: security.verify_credentials( request=Request( method="POST", url=faker.uri_path(), ), credentials=HTTPBasicCredentials(username=fake_username, password=""), ) assert exc_info.value.status_code == codes.UNAUTHORIZED assert exc_info.value.headers is not None assert "WWW-Authenticate" in exc_info.value.headers assert exc_info.value.headers["WWW-Authenticate"] == "Basic"
[docs] def test_verify_credentials__get__noauth__unprotected(faker, fake_credentials): url_path = faker.uri_path() security.UNPROTECTED_PATHS = (url_path, *security.UNPROTECTED_PATHS) security.verify_credentials( request=Request( method="GET", url=url_path, ), credentials=None, )
[docs] def test_verify_credentials__post__noauth__unprotected(faker, fake_credentials): url_path = faker.uri_path() security.UNPROTECTED_PATHS = (url_path, *security.UNPROTECTED_PATHS) security.verify_credentials( request=Request( method="POST", url=url_path, ), credentials=None, )
[docs] def test_verify_credentials__get__no_password__public_get( faker, fake_username, public_get ): security.verify_credentials( request=Request( method="GET", url=faker.uri_path(), ), credentials=HTTPBasicCredentials(username=fake_username, password=""), )
[docs] def test_verify_credentials__post__no_password__public_get( faker, fake_username, public_get ): with pytest.raises(HTTPException) as exc_info: security.verify_credentials( request=Request( method="POST", url=faker.uri_path(), ), credentials=HTTPBasicCredentials(username=fake_username, password=""), ) assert exc_info.value.status_code == codes.UNAUTHORIZED assert exc_info.value.headers is not None assert "WWW-Authenticate" in exc_info.value.headers assert exc_info.value.headers["WWW-Authenticate"] == "Basic"