Add initial work from Codex

2026-03-20 15:13:33 +01:00
parent 19771ddd37
commit adb5c1a439
48 changed files with 7054 additions and 16 deletions
--- a/backend/tests/test_analytics_service.py
+++ b/backend/tests/test_analytics_service.py
@@ -0,0 +1,79 @@
+from __future__ import annotations
+
+from datetime import date, timedelta
+
+import pandas as pd
+
+from app.services.analytics_service import AnalyticsService
+
+
+class StubWarehouseClient:
+    def fetch_daily_sales(self) -> pd.DataFrame:
+        today = date.today()
+        rows = []
+        for i in range(120):
+            day = today - timedelta(days=120 - i)
+            rows.append(
+                {
+                    "sale_date": day.isoformat(),
+                    "revenue": 1000 + (i * 5),
+                    "cost": 500 + (i * 2),
+                    "quantity": 40 + i,
+                    "orders": 5 + (i % 4),
+                    "source": "stub",
+                }
+            )
+        return pd.DataFrame(rows)
+
+    def fetch_product_performance(self) -> pd.DataFrame:
+        return pd.DataFrame(
+            [
+                {
+                    "product_id": "A1",
+                    "product_name": "Alpha",
+                    "category_name": "CatA",
+                    "revenue": 12000,
+                    "cost": 6000,
+                    "quantity": 400,
+                    "orders": 150,
+                    "source": "stub",
+                },
+                {
+                    "product_id": "B1",
+                    "product_name": "Beta",
+                    "category_name": "CatB",
+                    "revenue": 9000,
+                    "cost": 8500,
+                    "quantity": 300,
+                    "orders": 110,
+                    "source": "stub",
+                },
+            ]
+        )
+
+    def fetch_customer_performance(self) -> pd.DataFrame:
+        return pd.DataFrame(
+            [
+                {
+                    "customer_id": "C1",
+                    "customer_name": "Contoso",
+                    "revenue": 15000,
+                    "orders": 80,
+                    "source": "stub",
+                }
+            ]
+        )
+
+
+def test_forecast_has_expected_horizon() -> None:
+    service = AnalyticsService(StubWarehouseClient())  # type: ignore[arg-type]
+    forecast = service.get_forecast(horizon_days=15)
+    assert len(forecast) == 15
+    assert "predicted_revenue" in forecast[0]
+
+
+def test_rankings_are_sorted() -> None:
+    service = AnalyticsService(StubWarehouseClient())  # type: ignore[arg-type]
+    rankings = service.get_rankings(top_n=2)
+    assert len(rankings) == 2
+    assert rankings[0]["score"] >= rankings[1]["score"]
--- a/backend/tests/test_security_tokens.py
+++ b/backend/tests/test_security_tokens.py
@@ -0,0 +1,65 @@
+from __future__ import annotations
+
+import pytest
+from fastapi import HTTPException
+
+from app.core.config import settings
+from app.core.security import InternalTokenManager, require_internal_principal
+
+
+def test_internal_token_round_trip(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(
+        settings,
+        "internal_service_shared_secret",
+        "unit-test-shared-secret-key-at-least-32b",
+    )
+    monkeypatch.setattr(settings, "internal_service_token_audience", "bi-internal-test")
+    monkeypatch.setattr(settings, "internal_service_allowed_issuers", "api-gateway")
+    monkeypatch.setattr(settings, "internal_token_clock_skew_seconds", 0)
+
+    manager = InternalTokenManager()
+    token = manager.mint(
+        subject="user-123",
+        scopes=["openid", "profile"],
+        source_service="api-gateway",
+    )
+
+    principal = manager.verify(token)
+    assert principal.subject == "user-123"
+    assert principal.claims["iss"] == "api-gateway"
+    assert principal.claims["typ"] == "internal-service"
+
+
+def test_internal_token_rejects_untrusted_issuer(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setattr(
+        settings,
+        "internal_service_shared_secret",
+        "unit-test-shared-secret-key-at-least-32b",
+    )
+    monkeypatch.setattr(settings, "internal_service_token_audience", "bi-internal-test")
+    monkeypatch.setattr(settings, "internal_service_allowed_issuers", "api-gateway")
+    monkeypatch.setattr(settings, "internal_token_clock_skew_seconds", 0)
+
+    manager = InternalTokenManager()
+    token = manager.mint(
+        subject="user-123",
+        scopes=["openid"],
+        source_service="analytics",
+    )
+
+    with pytest.raises(HTTPException) as exc:
+        manager.verify(token)
+    assert exc.value.status_code == 401
+    assert exc.value.detail == "Internal token issuer is not allowed."
+
+
+def test_require_internal_principal_rejects_missing_token(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setattr(settings, "internal_service_auth_enabled", True)
+    with pytest.raises(HTTPException) as exc:
+        require_internal_principal(None)
+    assert exc.value.status_code == 401
+    assert exc.value.detail == "Missing x-internal-service-token header."