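"""Unit tests for the internal service-to-service token helpers.

These pin the trust boundary of ``InternalTokenManager``: a token minted by an
allowed issuer round-trips through ``verify``, and one minted on behalf of a
service that is not in ``internal_service_allowed_issuers`` is refused with
HTTP 401.

NOTE(review): audience mismatch, expiry and tampered tokens are not covered
in this module.
"""

from __future__ import annotations

import pytest
from fastapi import HTTPException

from app.core.config import settings
from app.core.security import InternalTokenManager, require_internal_principal

# Throwaway values that only live in the monkeypatched ``settings`` for the
# duration of a single test.
# NOTE(review): the secret's name suggests the manager enforces a 32-byte
# minimum — confirm against InternalTokenManager before shortening it.
_SHARED_SECRET = "unit-test-shared-secret-key-at-least-32b"
_AUDIENCE = "bi-internal-test"
_ALLOWED_ISSUER = "api-gateway"


def _configure_internal_auth(monkeypatch: pytest.MonkeyPatch) -> None:
    """Point ``settings`` at a throwaway secret, audience and issuer allowlist.

    Clock skew is set to 0 so the assertions do not depend on a tolerance
    window.  ``monkeypatch`` restores every attribute at teardown.
    """
    monkeypatch.setattr(settings, "internal_service_shared_secret", _SHARED_SECRET)
    monkeypatch.setattr(settings, "internal_service_token_audience", _AUDIENCE)
    monkeypatch.setattr(settings, "internal_service_allowed_issuers", _ALLOWED_ISSUER)
    monkeypatch.setattr(settings, "internal_token_clock_skew_seconds", 0)


def test_internal_token_round_trip(monkeypatch: pytest.MonkeyPatch) -> None:
    """A token minted for the allowed issuer verifies and exposes its claims."""
    _configure_internal_auth(monkeypatch)
    manager = InternalTokenManager()

    token = manager.mint(
        subject="user-123",
        scopes=["openid", "profile"],
        source_service=_ALLOWED_ISSUER,
    )
    principal = manager.verify(token)

    assert principal.subject == "user-123"
    # ``source_service`` is expected to surface as the ``iss`` claim.
    assert principal.claims["iss"] == _ALLOWED_ISSUER
    assert principal.claims["typ"] == "internal-service"


def test_internal_token_rejects_untrusted_issuer(
    monkeypatch: pytest.MonkeyPatch,
) -> None:
    """A token from a service outside the issuer allowlist is refused with 401.

    The token is minted by the same manager with the same configured secret,
    so this exercises the issuer check specifically rather than signature or
    audience validation.
    """
    _configure_internal_auth(monkeypatch)
    manager = InternalTokenManager()

    token = manager.mint(
        subject="user-123",
        scopes=["openid"],
        source_service="analytics",
    )

    with pytest.raises(HTTPException) as exc:
        manager.verify(token)

    assert exc.value.status_code == 401
    assert exc.value.detail == "Internal token issuer is not allowed."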
def test_require_internal_principal_rejects_missing_token(
    monkeypatch: pytest.MonkeyPatch,
) -> None:
    """With internal auth enabled, a request carrying no token is refused with 401.

    Passing ``None`` stands in for an absent ``x-internal-service-token``
    header; the dependency must fail closed rather than return a principal.
    """
    monkeypatch.setattr(settings, "internal_service_auth_enabled", True)

    with pytest.raises(HTTPException) as excinfo:
        require_internal_principal(None)

    raised = excinfo.value
    assert raised.status_code == 401
    assert raised.detail == "Missing x-internal-service-token header."