Tests restructuring

tests/integration/security/__init__.py

@@ -0,0 +1,3 @@
+# tests/integration/security/__init__.py
+"""Security integration tests."""
+

tests/integration/security/test_authentication.py

@@ -0,0 +1,75 @@
+# tests/integration/security/test_authentication.py
+import pytest
+
+
+@pytest.mark.integration
+@pytest.mark.security
+@pytest.mark.auth
+class TestAuthentication:
+    def test_protected_endpoint_without_auth(self, client):
+        """Test that protected endpoints reject unauthenticated requests"""
+        protected_endpoints = [
+            "/api/v1/admin/users",
+            "/api/v1/admin/shops",
+            "/api/v1/marketplace/import-jobs",
+            "/api/v1/product",
+            "/api/v1/shop",
+            "/api/v1/stats",
+            "/api/v1/stock",
+        ]
+
+        for endpoint in protected_endpoints:
+            response = client.get(endpoint)
+            assert response.status_code == 401  # Authentication missing
+
+    def test_protected_endpoint_with_invalid_token(self, client):
+        """Test protected endpoints with invalid token"""
+        headers = {"Authorization": "Bearer invalid_token_here"}
+
+        response = client.get("/api/v1/product", headers=headers)
+        assert response.status_code == 401  # Token is not valid
+
+    def test_debug_direct_bearer(self, client):
+        """Test HTTPBearer directly"""
+        response = client.get("/api/v1/debug-bearer")
+        print(f"Direct Bearer - Status: {response.status_code}")
+        print(
+            f"Direct Bearer - Response: {response.json() if response.content else 'No content'}"
+        )
+
+    def test_debug_dependencies(self, client):
+        """Debug the dependency chain step by step"""
+        # Test 1: Direct endpoint with no auth
+        response = client.get("/api/v1/admin/users")
+        print(f"Admin endpoint - Status: {response.status_code}")
+        try:
+            print(f"Admin endpoint - Response: {response.json()}")
+        except:
+            print(f"Admin endpoint - Raw: {response.content}")
+
+        # Test 2: Try a regular endpoint that uses get_current_user
+        response2 = client.get("/api/v1/product")  # or any endpoint with get_current_user
+        print(f"Regular endpoint - Status: {response2.status_code}")
+        try:
+            print(f"Regular endpoint - Response: {response2.json()}")
+        except:
+            print(f"Regular endpoint - Raw: {response2.content}")
+
+    def test_debug_available_routes(self, client):
+        """Debug test to see all available routes"""
+        print("\n=== All Available Routes ===")
+        for route in client.app.routes:
+            if hasattr(route, "path") and hasattr(route, "methods"):
+                print(f"{list(route.methods)} {route.path}")
+
+        print("\n=== Testing Product Endpoint Variations ===")
+        variations = [
+            "/api/v1/product",  # Your current attempt
+            "/api/v1/product/",  # With trailing slash
+            "/api/v1/product/list",  # With list endpoint
+            "/api/v1/product/all",  # With all endpoint
+        ]
+
+        for path in variations:
+            response = client.get(path)
+            print(f"{path}: Status {response.status_code}")

tests/integration/security/test_authorization.py

@@ -0,0 +1,46 @@
+# tests/integration/security/test_authorization.py
+import pytest
+
+
+@pytest.mark.integration
+@pytest.mark.security
+@pytest.mark.auth
+class TestAuthorization:
+    def test_admin_endpoint_requires_admin_role(self, client, auth_headers):
+        """Test that admin endpoints require admin role"""
+        response = client.get("/api/v1/admin/users", headers=auth_headers)
+        assert response.status_code == 403
+        # Regular user should be denied access
+
+    def test_admin_endpoints_with_admin_access(self, client, admin_headers):
+        """Test that admin users can access admin endpoints"""
+        admin_endpoints = [
+            "/api/v1/admin/users",
+            "/api/v1/admin/shops",
+            "/api/v1/admin/marketplace-import-jobs",
+        ]
+
+        for endpoint in admin_endpoints:
+            response = client.get(endpoint, headers=admin_headers)
+            assert response.status_code == 200  # Admin should have access
+
+    def test_regular_endpoints_with_user_access(self, client, auth_headers):
+        """Test that regular users can access non-admin endpoints"""
+        user_endpoints = [
+            "/api/v1/product",
+            "/api/v1/stats",
+            "/api/v1/stock",
+        ]
+
+        for endpoint in user_endpoints:
+            response = client.get(endpoint, headers=auth_headers)
+            assert response.status_code == 200  # Regular user should have access
+
+    def test_shop_owner_access_control(self, client, auth_headers, test_shop, other_user):
+        """Test that users can only access their own shops"""
+        # Test accessing own shop (should work)
+        response = client.get(f"/api/v1/shop/{test_shop.shop_code}", headers=auth_headers)
+        # Response depends on your implementation - could be 200 or 404 if shop doesn't belong to user
+        
+        # The exact assertion depends on your shop access control implementation
+        assert response.status_code in [200, 403, 404]

tests/integration/security/test_input_validation.py

@@ -0,0 +1,65 @@
+# tests/integration/security/test_input_validation.py
+import pytest
+
+
+@pytest.mark.integration
+@pytest.mark.security
+class TestInputValidation:
+    def test_sql_injection_prevention(self, client, auth_headers):
+        """Test SQL injection prevention in search parameters"""
+        # Try SQL injection in search parameter
+        malicious_search = "'; DROP TABLE products; --"
+
+        response = client.get(
+            f"/api/v1/product?search={malicious_search}", headers=auth_headers
+        )
+
+        # Should not crash and should return normal response
+        assert response.status_code == 200
+        # Database should still be intact (no products dropped)
+
+    # def test_input_validation(self, client, auth_headers):
+    #     # TODO: implement sanitization
+    #     """Test input validation and sanitization"""
+    #     # Test XSS attempt in product creation
+    #     xss_payload = "<script>alert('xss')</script>"
+    #
+    #     product_data = {
+    #         "product_id": "XSS_TEST",
+    #         "title": xss_payload,
+    #         "description": xss_payload,
+    #     }
+    #
+    #     response = client.post("/api/v1/product", headers=auth_headers, json=product_data)
+    #
+    #     assert response.status_code == 200
+    #     data = response.json()
+    #     assert "<script>" not in data["title"]
+    #     assert "&lt;script&gt;" in data["title"]
+
+    def test_parameter_validation(self, client, auth_headers):
+        """Test parameter validation for API endpoints"""
+        # Test invalid pagination parameters
+        response = client.get("/api/v1/product?limit=-1", headers=auth_headers)
+        assert response.status_code == 422  # Validation error
+
+        response = client.get("/api/v1/product?skip=-1", headers=auth_headers)
+        assert response.status_code == 422  # Validation error
+
+    def test_json_validation(self, client, auth_headers):
+        """Test JSON validation for POST requests"""
+        # Test invalid JSON structure
+        response = client.post(
+            "/api/v1/product", 
+            headers=auth_headers, 
+            content="invalid json content"
+        )
+        assert response.status_code == 422  # JSON decode error
+
+        # Test missing required fields
+        response = client.post(
+            "/api/v1/product",
+            headers=auth_headers,
+            json={"title": "Test Product"}  # Missing required product_id
+        )
+        assert response.status_code == 422  # Validation error