|
| 1 | +"""Tests for application settings guards.""" |
| 2 | + |
| 3 | +import os |
| 4 | +from unittest.mock import patch |
| 5 | + |
| 6 | +import pytest |
| 7 | +from pydantic import ValidationError |
| 8 | + |
| 9 | +from lightspeed_agent.config import Settings |
| 10 | + |
| 11 | + |
| 12 | +class TestSkipJwtProductionGuard: |
| 13 | + """Verify SKIP_JWT_VALIDATION cannot be enabled in Cloud Run.""" |
| 14 | + |
| 15 | + def _env_without_k_service(self) -> dict[str, str]: |
| 16 | + """Return a copy of os.environ without K_SERVICE.""" |
| 17 | + return {k: v for k, v in os.environ.items() if k != "K_SERVICE"} |
| 18 | + |
| 19 | + def test_skip_jwt_allowed_without_k_service(self): |
| 20 | + """SKIP_JWT_VALIDATION=true is fine when K_SERVICE is unset.""" |
| 21 | + with patch.dict(os.environ, self._env_without_k_service(), clear=True): |
| 22 | + settings = Settings(skip_jwt_validation=True) |
| 23 | + assert settings.skip_jwt_validation is True |
| 24 | + |
| 25 | + def test_skip_jwt_blocked_in_cloud_run(self): |
| 26 | + """SKIP_JWT_VALIDATION=true must fail when K_SERVICE is set.""" |
| 27 | + with patch.dict( |
| 28 | + os.environ, {"K_SERVICE": "lightspeed-agent"}, clear=False |
| 29 | + ): |
| 30 | + with pytest.raises( |
| 31 | + ValidationError, match="not allowed in Cloud Run" |
| 32 | + ): |
| 33 | + Settings(skip_jwt_validation=True) |
| 34 | + |
| 35 | + def test_no_skip_jwt_allowed_in_cloud_run(self): |
| 36 | + """SKIP_JWT_VALIDATION=false (default) is fine in Cloud Run.""" |
| 37 | + with patch.dict( |
| 38 | + os.environ, {"K_SERVICE": "lightspeed-agent"}, clear=False |
| 39 | + ): |
| 40 | + settings = Settings(skip_jwt_validation=False) |
| 41 | + assert settings.skip_jwt_validation is False |
| 42 | + |
| 43 | + def test_skip_jwt_defaults_to_false(self): |
| 44 | + """Default value of skip_jwt_validation is False.""" |
| 45 | + with patch.dict( |
| 46 | + os.environ, |
| 47 | + self._env_without_k_service() |
| 48 | + | {"SKIP_JWT_VALIDATION": "false"}, |
| 49 | + clear=True, |
| 50 | + ): |
| 51 | + settings = Settings(skip_jwt_validation=False) |
| 52 | + assert settings.skip_jwt_validation is False |
0 commit comments