orion/tests/test_security.py

# tests/test_security.py
import pytest
from fastapi import HTTPException
from unittest.mock import patch


class TestSecurity:
    def test_protected_endpoint_without_auth(self, client):
        """Test that protected endpoints reject unauthenticated requests"""
        protected_endpoints = [
            "/api/v1/products",
            "/api/v1/stock",
            "/api/v1/shops",
            "/api/v1/stats",
            "/api/v1/admin/users"
        ]

        for endpoint in protected_endpoints:
            response = client.get(endpoint)
            assert response.status_code == 403

    def test_protected_endpoint_with_invalid_token(self, client):
        """Test protected endpoints with invalid token"""
        headers = {"Authorization": "Bearer invalid_token_here"}

        response = client.get("/api/v1/products", headers=headers)
        assert response.status_code == 403

    def test_admin_endpoint_requires_admin_role(self, client, auth_headers):
        """Test that admin endpoints require admin role"""
        response = client.get("/api/v1/admin/users", headers=auth_headers)
        assert response.status_code == 403  # Regular user should be denied

    def test_sql_injection_prevention(self, client, auth_headers):
        """Test SQL injection prevention in search parameters"""
        # Try SQL injection in search parameter
        malicious_search = "'; DROP TABLE products; --"

        response = client.get(f"/api/v1/products?search={malicious_search}", headers=auth_headers)

        # Should not crash and should return normal response
        assert response.status_code == 200
        # Database should still be intact (no products dropped)

    def test_input_validation(self, client, auth_headers):
        """Test input validation and sanitization"""
        # Test XSS attempt in product creation
        xss_payload = "<script>alert('xss')</script>"

        product_data = {
            "product_id": "XSS_TEST",
            "title": xss_payload,
            "description": xss_payload
        }

        response = client.post("/api/v1/products", headers=auth_headers, json=product_data)

        if response.status_code == 200:
            # If creation succeeds, content should be escaped/sanitized
            data = response.json()
            assert "<script>" not in data["title"]