sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f804ff8442e42388b2514e93533959cab3afcb2f
orion/app/modules/loyalty/tests/unit/test_config.py
Samir Boulahtit 4b56eb7ab1
Some checks failed
CI / ruff (push) Successful in 18s
Details
CI / pytest (push) Failing after 2h37m39s
Details
CI / validate (push) Successful in 30s
Details
CI / dependency-scanning (push) Successful in 32s
Details
CI / docs (push) Has been skipped
Details
CI / deploy (push) Has been skipped
Details
feat(loyalty): Phase 1 production launch hardening 
Phase 1 of the loyalty production launch plan: config & security
hardening, dropped-data fix, DB integrity guards, rate limiting, and
constant-time auth compare. 362 tests pass.

- 1.4 Persist customer birth_date (new column + migration). Enrollment
  form was collecting it but the value was silently dropped because
  create_customer_for_enrollment never received it. Backfills existing
  customers without overwriting.
- 1.1 LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON validated at startup (file
  must exist and be readable; ~ expanded). Adds is_google_wallet_enabled
  and is_apple_wallet_enabled derived flags. Prod path documented as
  ~/apps/orion/google-wallet-sa.json.
- 1.5 CHECK constraints on loyalty_cards (points_balance, stamp_count
  non-negative) and loyalty_programs (min_purchase, points_per_euro,
  welcome_bonus non-negative; stamps_target >= 1). Mirrored as
  CheckConstraint in models. Pre-flight scan showed zero violations.
- 1.3 @rate_limit on store mutating endpoints: stamp 60/min,
  redeem/points-earn 30-60/min, void/adjust 20/min, pin unlock 10/min.
- 1.2 Constant-time hmac.compare_digest for Apple Wallet auth token
  (pulled forward from Phase 9 — code is safe whenever Apple ships).

See app/modules/loyalty/docs/production-launch-plan.md for the full
launch plan and remaining phases.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-09 23:36:34 +02:00

100 lines
4.0 KiB
Python
Raw Blame History

"""Tests for loyalty module configuration validators."""
import os
import pytest
from app.modules.loyalty.config import ModuleConfig
@pytest.mark.unit
@pytest.mark.loyalty
class TestGoogleWalletConfigValidator:
"""Validator must fail fast when the SA path is set but unreachable."""
def test_unset_path_is_allowed(self, monkeypatch):
"""Google Wallet config is optional — None passes."""
monkeypatch.delenv("LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON", raising=False)
monkeypatch.delenv("LOYALTY_GOOGLE_ISSUER_ID", raising=False)
cfg = ModuleConfig(_env_file=None)
assert cfg.google_service_account_json is None
assert cfg.is_google_wallet_enabled is False
def test_existing_file_passes(self, tmp_path, monkeypatch):
"""A real file path passes and is returned expanded."""
sa_file = tmp_path / "fake-sa.json"
sa_file.write_text("{}")
monkeypatch.setenv("LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON", str(sa_file))
monkeypatch.setenv("LOYALTY_GOOGLE_ISSUER_ID", "1234567890")
cfg = ModuleConfig(_env_file=None)
assert cfg.google_service_account_json == str(sa_file)
assert cfg.is_google_wallet_enabled is True
def test_missing_file_raises(self, tmp_path, monkeypatch):
"""A path that does not exist raises a clear error at import time."""
bogus = tmp_path / "does-not-exist.json"
monkeypatch.setenv("LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON", str(bogus))
with pytest.raises(ValueError, match="no file exists"):
ModuleConfig(_env_file=None)
def test_unreadable_file_raises(self, tmp_path, monkeypatch):
"""A path that exists but is not readable raises a clear error."""
sa_file = tmp_path / "no-read.json"
sa_file.write_text("{}")
os.chmod(sa_file, 0o000)
try:
monkeypatch.setenv(
"LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON", str(sa_file)
)
# Skip if running as root (root bypasses unix file perms)
if os.geteuid() == 0:
pytest.skip("Cannot test unreadable file as root")
with pytest.raises(ValueError, match="not readable"):
ModuleConfig(_env_file=None)
finally:
os.chmod(sa_file, 0o600)
def test_tilde_path_is_expanded(self, tmp_path, monkeypatch):
"""Leading ~ is expanded so deployments can use ~/apps/orion/..."""
# Plant the file at $HOME/.../fake-sa.json then reference via ~
home = tmp_path / "home"
home.mkdir()
sa_dir = home / "apps" / "orion"
sa_dir.mkdir(parents=True)
sa_file = sa_dir / "fake-sa.json"
sa_file.write_text("{}")
monkeypatch.setenv("HOME", str(home))
monkeypatch.setenv(
"LOYALTY_GOOGLE_SERVICE_ACCOUNT_JSON",
"~/apps/orion/fake-sa.json",
)
cfg = ModuleConfig(_env_file=None)
assert cfg.google_service_account_json == str(sa_file)
@pytest.mark.unit
@pytest.mark.loyalty
class TestAppleWalletEnabledFlag:
"""is_apple_wallet_enabled is a derived flag for the storefront UI."""
def test_disabled_when_unset(self, monkeypatch):
for var in (
"LOYALTY_APPLE_PASS_TYPE_ID",
"LOYALTY_APPLE_TEAM_ID",
"LOYALTY_APPLE_WWDR_CERT_PATH",
"LOYALTY_APPLE_SIGNER_CERT_PATH",
"LOYALTY_APPLE_SIGNER_KEY_PATH",
):
monkeypatch.delenv(var, raising=False)
cfg = ModuleConfig(_env_file=None)
assert cfg.is_apple_wallet_enabled is False
def test_enabled_when_all_set(self, monkeypatch):
monkeypatch.setenv("LOYALTY_APPLE_PASS_TYPE_ID", "pass.com.x.y")
monkeypatch.setenv("LOYALTY_APPLE_TEAM_ID", "ABCD1234")
monkeypatch.setenv("LOYALTY_APPLE_WWDR_CERT_PATH", "/tmp/wwdr.pem")
monkeypatch.setenv("LOYALTY_APPLE_SIGNER_CERT_PATH", "/tmp/signer.pem")
monkeypatch.setenv("LOYALTY_APPLE_SIGNER_KEY_PATH", "/tmp/signer.key")
cfg = ModuleConfig(_env_file=None)
assert cfg.is_apple_wallet_enabled is True
Reference in New Issue View Git Blame Copy Permalink