"""Tests for checklist section 1.2 — Authorization guards. Covers the three guard helpers that enforce repo-level access control: _guard_visibility — 404 on missing repo; 401 on private + unauthenticated _guard_write_access — 403 when non-owner tries to write to a private repo _guard_repo_owner — 403 when non-owner attempts an owner-only action All tests are synchronous unit tests — no DB or HTTP fixtures needed. """ from __future__ import annotations import pytest from fastapi import HTTPException from unittest.mock import AsyncMock, MagicMock # --------------------------------------------------------------------------- # Helpers — build lightweight repo/claims stand-ins without importing ORM # --------------------------------------------------------------------------- def _repo(*, visibility: str = "public", owner: str = "alice") -> MagicMock: r = MagicMock() r.visibility = visibility r.owner = owner return r def _claims(*, handle: str = "alice") -> MagicMock: c = MagicMock() c.handle = handle return c def _db_no_collab() -> AsyncMock: """Async DB session stub that returns no collaborator row.""" result = MagicMock() result.scalar_one_or_none.return_value = None db = AsyncMock() db.execute = AsyncMock(return_value=result) return db # --------------------------------------------------------------------------- # _guard_visibility # --------------------------------------------------------------------------- class TestGuardVisibility: def setup_method(self) -> None: from musehub.api.routes.musehub.repos import _guard_visibility self.guard = _guard_visibility def test_none_repo_raises_404(self) -> None: with pytest.raises(HTTPException) as exc_info: self.guard(None, _claims()) assert exc_info.value.status_code == 404 def test_none_repo_none_claims_raises_404(self) -> None: """404 takes priority over 401 — missing repo is never exposed as 401.""" with pytest.raises(HTTPException) as exc_info: self.guard(None, None) assert exc_info.value.status_code == 404 def test_public_repo_no_claims_allowed(self) -> None: """Public repo with no auth must not raise.""" self.guard(_repo(visibility="public"), None) def test_public_repo_with_claims_allowed(self) -> None: self.guard(_repo(visibility="public"), _claims()) def test_private_repo_with_claims_allowed(self) -> None: """Authenticated user may access a private repo.""" self.guard(_repo(visibility="private"), _claims()) def test_private_repo_no_claims_raises_401(self) -> None: with pytest.raises(HTTPException) as exc_info: self.guard(_repo(visibility="private"), None) assert exc_info.value.status_code == 401 def test_private_repo_401_includes_www_authenticate(self) -> None: with pytest.raises(HTTPException) as exc_info: self.guard(_repo(visibility="private"), None) assert "WWW-Authenticate" in exc_info.value.headers assert "MSign" in exc_info.value.headers["WWW-Authenticate"] # --------------------------------------------------------------------------- # _guard_write_access # --------------------------------------------------------------------------- class TestGuardWriteAccess: def setup_method(self) -> None: from musehub.api.routes.musehub.issues import _guard_write_access self.guard = _guard_write_access def test_public_repo_any_user_may_write(self) -> None: """Any authenticated user can write to a public repo.""" self.guard(_repo(visibility="public", owner="alice"), "bob") def test_public_repo_owner_may_write(self) -> None: self.guard(_repo(visibility="public", owner="alice"), "alice") def test_private_repo_owner_may_write(self) -> None: self.guard(_repo(visibility="private", owner="alice"), "alice") def test_private_repo_non_owner_raises_403(self) -> None: with pytest.raises(HTTPException) as exc_info: self.guard(_repo(visibility="private", owner="alice"), "bob") assert exc_info.value.status_code == 403 def test_private_repo_403_detail_message(self) -> None: with pytest.raises(HTTPException) as exc_info: self.guard(_repo(visibility="private", owner="alice"), "bob") assert "private" in exc_info.value.detail.lower() # --------------------------------------------------------------------------- # _guard_repo_owner # --------------------------------------------------------------------------- class TestGuardRepoOwner: async def test_owner_allowed(self) -> None: from musehub.api.routes.musehub.issues import _guard_repo_owner # Owner check short-circuits before any DB call. await _guard_repo_owner(_repo(owner="alice"), "alice", _db_no_collab()) async def test_non_owner_raises_403(self) -> None: from musehub.api.routes.musehub.issues import _guard_repo_owner with pytest.raises(HTTPException) as exc_info: await _guard_repo_owner(_repo(owner="alice"), "bob", _db_no_collab()) assert exc_info.value.status_code == 403 async def test_non_owner_public_repo_still_raises_403(self) -> None: """Even public repos: only owner may perform owner-only actions.""" from musehub.api.routes.musehub.issues import _guard_repo_owner with pytest.raises(HTTPException) as exc_info: await _guard_repo_owner(_repo(visibility="public", owner="alice"), "bob", _db_no_collab()) assert exc_info.value.status_code == 403 async def test_403_detail_message(self) -> None: from musehub.api.routes.musehub.issues import _guard_repo_owner with pytest.raises(HTTPException) as exc_info: await _guard_repo_owner(_repo(owner="alice"), "bob", _db_no_collab()) assert "owner" in exc_info.value.detail.lower()