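--- a/src/tests/backend/auth/test_auth_utils.py
+++ b/src/tests/backend/auth/test_auth_utils.py
@@ -0,0 +1,68 @@
+# src/tests/backend/auth/test_auth_utils.py
+
+import sys
+import os
+import types
+import base64
+import json
+import pytest
+
+# --- Stub out backend.auth.sample_user.sample_user for dev mode ---
+sample_pkg = types.ModuleType("backend.auth.sample_user")
+sample_pkg.sample_user = {
+ "x-ms-client-principal-id": "dev-id",
+ "x-ms-client-principal-name": "dev-name",
+ "x-ms-client-principal-idp": "dev-idp",
+ "x-ms-token-aad-id-token": "dev-token",
+ "x-ms-client-principal": base64.b64encode(
+ json.dumps({"tid": "tenant123"}).encode("utf-8")
+ ).decode("utf-8"),
+}
+sys.modules["backend.auth.sample_user"] = sample_pkg
+
+# --- Ensure src is on PYTHONPATH ---
+ROOT = os.path.abspath(os.path.join(os.path.dirname(__file__), "..", ".."))
+SRC = os.path.join(ROOT, "src")
+if SRC not in sys.path:
+ sys.path.insert(0, SRC)
+
+from backend.auth.auth_utils import get_authenticated_user_details, get_tenantid
+
+def test_get_authenticated_user_details_dev_mode():
+ # No EasyAuth headers => uses sample_user stub
+ headers = {}
+ user = get_authenticated_user_details(headers)
+ assert user["user_principal_id"] == "dev-id"
+ assert user["user_name"] == "dev-name"
+ assert user["auth_provider"] == "dev-idp"
+ assert user["auth_token"] == "dev-token"
+ assert user["client_principal_b64"] == sample_pkg.sample_user["x-ms-client-principal"]
+ assert user["aad_id_token"] == "dev-token"
+
+def test_get_authenticated_user_details_prod_mode():
+ # Lowercase header names to trigger the prod branch
+ headers = {
+ "x-ms-client-principal-id": "real-id",
+ "x-ms-client-principal-name": "real-name",
+ "x-ms-client-principal-idp": "real-idp",
+ "x-ms-token-aad-id-token": "real-token",
+ "x-ms-client-principal": "b64payload",
+ }
+ user = get_authenticated_user_details(headers)
+ assert user["user_principal_id"] == "real-id"
+ assert user["user_name"] == "real-name"
+ assert user["auth_provider"] == "real-idp"
+ assert user["auth_token"] == "real-token"
+ assert user["client_principal_b64"] == "b64payload"
+ assert user["aad_id_token"] == "real-token"
+
+def test_get_tenantid_with_valid_b64():
+ payload = {"tid": "tenantXYZ", "foo": "bar"}
+ b64 = base64.b64encode(json.dumps(payload).encode("utf-8")).decode("utf-8")
+ assert get_tenantid(b64) == "tenantXYZ"
+
+def test_get_tenantid_with_invalid_b64(caplog):
+ caplog.set_level("ERROR")
+ # Malformed base64 should be caught and return empty string
+ assert get_tenantid("not-a-valid-b64") == ""
+ assert "Exception" in caplog.text or caplog.text # ensure we logged something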
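Review bot: `test_get_authenticated_user_details_dev_mode` pins a fail-open path as expected behaviour: a request carrying no EasyAuth headers comes back as the fully populated `dev-id` identity, and no test here checks that this fallback is confined to a development environment. The `auth_utils` implementation is not part of this commit, so whether such a gate exists cannot be told from here; if it does, add a case asserting that empty headers are rejected when the gate is off, and either way a comment such as `# dev-only fallback: must never be reachable in a deployed environment` on that test would record the intent. In `test_get_tenantid_with_invalid_b64`, `assert "Exception" in caplog.text or caplog.text` reduces to `assert caplog.text`, so any log output satisfies it; `assert any(r.levelname == "ERROR" for r in caplog.records)` checks what the comment claims. The module-level `sys.modules["backend.auth.sample_user"] = sample_pkg` assignment also stays in place for the rest of the pytest session, which can hide the real module from other test files.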