import pytest

import json

from fastapi import FastAPI, APIRouter

from fastapi.testclient import TestClient

from unittest.mock import MagicMock

from openscada_lite.modules.security.model import SecurityModel

from openscada_lite.modules.security.service import SecurityService

from openscada_lite.modules.security.controller import SecurityController

@pytest.fixture

def app(tmp_path):

"""Create a FastAPI app with SecurityController mounted."""

# Create a FastAPI app

app = FastAPI()

# Create a temporary security configuration file

config_path = tmp_path / "security_config.json"

config_path.write_text(json.dumps({"users": [], "groups": []}))

# Initialize the SecurityModel

model = SecurityModel()

# Create an APIRouter

router = APIRouter()

# Initialize the SecurityController

socketio = MagicMock()

controller = SecurityController(model, socketio, "security", router)

# Create the SecurityService

event_bus = MagicMock()

service = SecurityService(event_bus, model, controller)

# Include the router in the FastAPI app

app.include_router(router)

# Return the FastAPI app, model, controller, and service for testing

return app, model, controller, service

@pytest.fixture

def client(app):

app, _, _, _ = app

return TestClient(app)

def test_full_config_roundtrip(client):

# Prepare full config JSON (simplified unified test setup)

config = {

"groups": [

{

"name": "test_group",

"permissions": [

"security_editor_access",

"command/sendcommandmsg",

"datapoint/rawtagupdatemsg",

],

}

],

"users": [

{

"allowed_apps": ["security_editor"],

"groups": ["test_group"],

"password_hash": "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918",

"username": "admin",

}

],

}

# Save config

resp = client.post("/security/config", json=config)

assert resp.status_code == 200

# Load config

resp = client.get("/security/config")

assert resp.status_code == 200

loaded = resp.json()

assert loaded == config

# Check structure

assert "users" in loaded and "groups" in loaded

assert loaded["users"][0]["username"] == "admin"

assert loaded["groups"][0]["name"] == "test_group"

assert "security_editor_access" in loaded["groups"][0]["permissions"]

def test_login_admin(client):

# Prepare config with admin user (password: 'admin')

config = {

"groups": [{"name": "test_group", "permissions": ["security_editor_access"]}],

"users": [

{

"allowed_apps": ["security_editor"],

"groups": ["test_group"],

"password_hash": "8c6976e5b5410415bde908bd4dee15dfb167" # NOSONAR

"a9c873fc4bb8a81f6f2ab448a918", # NOSONAR

"username": "admin",

}

],

}

client.post("/security/config", json=config)

# Try login with admin/admin

resp = client.post(

"/security/login",

json={

"username": "admin",

"password": "admin",

"app": "security_editor",

}, # NOSONAR

)

assert resp.status_code == 200

data = resp.json()

assert "jwt" in resp.cookies.keys()

assert data["user"] == "admin"

def test_invalid_login(client):

# Prepare config with admin user

config = {

"groups": [{"name": "test_group", "permissions": []}],

"users": [

{

"allowed_apps": ["security_editor"],

"groups": ["test_group"],

"password_hash": "8c6976e5b5410415bde908bd4dee15df" # NOSONAR

"b167a9c873fc4bb8a81f6f2ab448a918", # NOSONAR

"username": "admin",

}

],

}

client.post("/security/config", json=config)

# Wrong password

resp = client.post(

"/security/login",

json={

"username": "admin",

"password": "wrong",

"app": "security_editor",

}, # NOSONAR

)

assert resp.status_code == 401

# Unknown user

resp = client.post(

"/security/login",

json={

"username": "ghost",

"password": "admin",

"app": "security_editor",

}, # NOSONAR

)

assert resp.status_code == 401

def test_missing_fields(client):

# POST config missing users/groups

resp = client.post("/security/config", json={})

assert resp.status_code == 400 or resp.status_code == 422

def test_permissions_structure(client):

# Save config with multiple groups/permissions

config = {

"groups": [

{"name": "g1", "permissions": ["p1", "p2"]},

{"name": "g2", "permissions": ["p3"]},

],

"users": [

{

"username": "u1",

"groups": ["g1"],

"allowed_apps": [],

"password_hash": "", # NOSONAR

},

{

"username": "u2",

"groups": ["g2"],

"allowed_apps": [],

"password_hash": "", # NOSONAR

},

],

}

resp = client.post("/security/config", json=config)

assert resp.status_code == 200

resp = client.get("/security/config")

assert resp.status_code == 200

loaded = resp.json()

assert len(loaded["groups"]) == 2

assert len(loaded["users"]) == 2

assert loaded["groups"][0]["permissions"] == ["p1", "p2"]

assert loaded["groups"][1]["permissions"] == ["p3"]

def test_admin_permissions(client):

# Prepare config with admin user and specific permissions

config = {

"groups": [

{

"name": "test_group",

"permissions": [

"security_editor_access",

"command/sendcommandmsg",

"datapoint/rawtagupdatemsg",

],

}

],

"users": [

{

"allowed_apps": ["security_editor"],

"groups": ["test_group"],

"password_hash": "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918",

"username": "admin",

}

],

}

resp = client.post("/security/config", json=config)

assert resp.status_code == 200

# Test login

resp = client.post(

"/security/login",

json={

"username": "admin",

"password": "admin",

"app": "security_editor",

}, # NOSONAR

)

assert resp.status_code == 200

# Verify permissions in config

resp = client.get("/security/config")

assert resp.status_code == 200

loaded = resp.json()

perms = loaded["groups"][0]["permissions"]

assert "security_editor_access" in perms

assert "command/sendcommandmsg" in perms

assert "datapoint/rawtagupdatemsg" in perms