Add initial work from Codex

2026-03-20 15:13:33 +01:00
parent 19771ddd37
commit adb5c1a439
48 changed files with 7054 additions and 16 deletions
--- a/backend/tests/test_security_tokens.py
+++ b/backend/tests/test_security_tokens.py
@@ -0,0 +1,65 @@
+from __future__ import annotations
+
+import pytest
+from fastapi import HTTPException
+
+from app.core.config import settings
+from app.core.security import InternalTokenManager, require_internal_principal
+
+
+def test_internal_token_round_trip(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(
+        settings,
+        "internal_service_shared_secret",
+        "unit-test-shared-secret-key-at-least-32b",
+    )
+    monkeypatch.setattr(settings, "internal_service_token_audience", "bi-internal-test")
+    monkeypatch.setattr(settings, "internal_service_allowed_issuers", "api-gateway")
+    monkeypatch.setattr(settings, "internal_token_clock_skew_seconds", 0)
+
+    manager = InternalTokenManager()
+    token = manager.mint(
+        subject="user-123",
+        scopes=["openid", "profile"],
+        source_service="api-gateway",
+    )
+
+    principal = manager.verify(token)
+    assert principal.subject == "user-123"
+    assert principal.claims["iss"] == "api-gateway"
+    assert principal.claims["typ"] == "internal-service"
+
+
+def test_internal_token_rejects_untrusted_issuer(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setattr(
+        settings,
+        "internal_service_shared_secret",
+        "unit-test-shared-secret-key-at-least-32b",
+    )
+    monkeypatch.setattr(settings, "internal_service_token_audience", "bi-internal-test")
+    monkeypatch.setattr(settings, "internal_service_allowed_issuers", "api-gateway")
+    monkeypatch.setattr(settings, "internal_token_clock_skew_seconds", 0)
+
+    manager = InternalTokenManager()
+    token = manager.mint(
+        subject="user-123",
+        scopes=["openid"],
+        source_service="analytics",
+    )
+
+    with pytest.raises(HTTPException) as exc:
+        manager.verify(token)
+    assert exc.value.status_code == 401
+    assert exc.value.detail == "Internal token issuer is not allowed."
+
+
+def test_require_internal_principal_rejects_missing_token(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setattr(settings, "internal_service_auth_enabled", True)
+    with pytest.raises(HTTPException) as exc:
+        require_internal_principal(None)
+    assert exc.value.status_code == 401
+    assert exc.value.detail == "Missing x-internal-service-token header."