6245 lines
294 KiB
Python
6245 lines
294 KiB
Python
from __future__ import annotations
|
|
|
|
import io
|
|
import json
|
|
import os
|
|
import shutil
|
|
import tempfile
|
|
import time
|
|
import unittest
|
|
import zipfile
|
|
from datetime import datetime, timezone
|
|
from email import policy
|
|
from email.parser import BytesParser
|
|
from pathlib import Path
|
|
from unittest.mock import patch
|
|
|
|
import pyzipper
|
|
|
|
# Settings are instantiated while importing the application. Configure an
|
|
# isolated test database and local storage before importing app modules.
|
|
_TEST_ROOT = Path(tempfile.mkdtemp(prefix="multi-seal-mail-tests-"))
|
|
os.environ["APP_ENV"] = "test"
|
|
os.environ["DATABASE_URL"] = f"sqlite:///{_TEST_ROOT / 'test.db'}"
|
|
os.environ["FILE_STORAGE_BACKEND"] = "local"
|
|
os.environ["FILE_STORAGE_LOCAL_ROOT"] = str(_TEST_ROOT / "files")
|
|
os.environ["MOCK_MAILBOX_DIR"] = str(_TEST_ROOT / "mock-mailbox")
|
|
os.environ["DEV_BOOTSTRAP_ENABLED"] = "false"
|
|
|
|
from fastapi.testclient import TestClient
|
|
|
|
from govoplan_core.db.base import Base
|
|
from govoplan_core.db.bootstrap import bootstrap_dev_data
|
|
from govoplan_core.db.session import configure_database, set_database
|
|
from govoplan_core.core.change_sequence import decode_sequence_watermark, prune_sequence_entries
|
|
from govoplan_core.core.pagination import encode_keyset_cursor, keyset_query_fingerprint
|
|
|
|
_database = configure_database(os.environ["DATABASE_URL"])
|
|
engine = _database.engine
|
|
SessionLocal = _database.SessionLocal
|
|
|
|
from govoplan_core.server.app import app
|
|
from govoplan_core.security.permissions import SYSTEM_SCOPES
|
|
|
|
|
|
class ApiSmokeTests(unittest.TestCase):
|
|
@classmethod
|
|
def setUpClass(cls) -> None:
|
|
cls.client = TestClient(app)
|
|
|
|
@classmethod
|
|
def tearDownClass(cls) -> None:
|
|
cls.client.close()
|
|
engine.dispose()
|
|
shutil.rmtree(_TEST_ROOT, ignore_errors=True)
|
|
|
|
def setUp(self) -> None:
|
|
set_database(_database)
|
|
self.client.cookies.clear()
|
|
Base.metadata.drop_all(bind=engine)
|
|
Base.metadata.create_all(bind=engine)
|
|
shutil.rmtree(_TEST_ROOT / "files", ignore_errors=True)
|
|
shutil.rmtree(_TEST_ROOT / "mock-mailbox", ignore_errors=True)
|
|
with SessionLocal() as session:
|
|
bootstrap_dev_data(
|
|
session,
|
|
api_key_secret="test-api-key",
|
|
user_password="test-admin",
|
|
)
|
|
|
|
def _login(self) -> tuple[dict[str, str], dict[str, object]]:
|
|
response = self.client.post(
|
|
"/api/v1/auth/login",
|
|
json={"email": "admin@example.local", "password": "test-admin"},
|
|
)
|
|
self.assertEqual(response.status_code, 200, response.text)
|
|
payload = response.json()
|
|
return {"Authorization": f"Bearer {payload['access_token']}"}, payload
|
|
|
|
def test_recipient_import_mapping_profiles_are_db_backed(self) -> None:
|
|
headers, _ = self._login()
|
|
payload = {
|
|
"name": "ERP export",
|
|
"columnCount": 3,
|
|
"headers": ["email", "name", "field.customer_id"],
|
|
"normalizedHeaders": ["email", "name", "field_customer_id"],
|
|
"orderedHeaderFingerprint": "ordered-123",
|
|
"unorderedHeaderFingerprint": "unordered-123",
|
|
"delimiter": ";",
|
|
"headerRows": 1,
|
|
"quoted": True,
|
|
"valueSeparators": ",;|",
|
|
"mappings": [
|
|
{"columnIndex": 0, "kind": "to"},
|
|
{"columnIndex": 1, "kind": "name"},
|
|
{"columnIndex": 2, "kind": "new_field", "newFieldName": "customer_id"},
|
|
],
|
|
}
|
|
|
|
created = self.client.post("/api/v1/campaigns/recipient-import/mapping-profiles", headers=headers, json=payload)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
created_body = created.json()
|
|
self.assertEqual(created_body["name"], "ERP export")
|
|
self.assertEqual(created_body["columnCount"], 3)
|
|
self.assertEqual(created_body["mappings"][2]["newFieldName"], "customer_id")
|
|
profile_id = created_body["id"]
|
|
|
|
listed = self.client.get("/api/v1/campaigns/recipient-import/mapping-profiles", headers=headers)
|
|
self.assertEqual(listed.status_code, 200, listed.text)
|
|
self.assertEqual([profile["id"] for profile in listed.json()["profiles"]], [profile_id])
|
|
|
|
updated_payload = {**payload, "name": "ERP export updated", "valueSeparators": "|"}
|
|
updated = self.client.put(
|
|
f"/api/v1/campaigns/recipient-import/mapping-profiles/{profile_id}",
|
|
headers=headers,
|
|
json=updated_payload,
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
self.assertEqual(updated.json()["name"], "ERP export updated")
|
|
self.assertEqual(updated.json()["valueSeparators"], "|")
|
|
|
|
deleted = self.client.delete(f"/api/v1/campaigns/recipient-import/mapping-profiles/{profile_id}", headers=headers)
|
|
self.assertEqual(deleted.status_code, 204, deleted.text)
|
|
|
|
listed_after_delete = self.client.get("/api/v1/campaigns/recipient-import/mapping-profiles", headers=headers)
|
|
self.assertEqual(listed_after_delete.status_code, 200, listed_after_delete.text)
|
|
self.assertEqual(listed_after_delete.json()["profiles"], [])
|
|
|
|
def test_campaign_entries_store_recipient_import_provenance(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "import-provenance", "name": "Import provenance", "mode": "test"},
|
|
"fields": [{"name": "department", "type": "string", "required": False}],
|
|
"global_values": {},
|
|
"server": {},
|
|
"recipients": {
|
|
"from": {"email": "sender@example.org", "name": "Sender", "type": "to"},
|
|
"allow_individual_to": True,
|
|
},
|
|
"template": {"subject": "Hello", "text": "Hello"},
|
|
"attachments": {"base_path": ".", "global": [], "allow_individual": False},
|
|
"entries": {
|
|
"inline": [
|
|
{
|
|
"id": "recipient-1",
|
|
"to": [{"email": "recipient@example.org", "type": "to"}],
|
|
"fields": {"department": "Finance"},
|
|
}
|
|
],
|
|
"imports": [
|
|
{
|
|
"id": "recipient-import-test",
|
|
"imported_at": "2026-06-26T12:00:00Z",
|
|
"mode": "replace",
|
|
"source_type": "xlsx",
|
|
"filename": "recipients.xlsx",
|
|
"sheet_name": "Recipients",
|
|
"encoding": None,
|
|
"delimiter": None,
|
|
"header_rows": 1,
|
|
"quoted": None,
|
|
"value_separators": ",;|",
|
|
"rows_total": 1,
|
|
"valid_rows": 1,
|
|
"invalid_rows": 0,
|
|
"imported_rows": 1,
|
|
"field_names_created": [],
|
|
"attachment_patterns": 0,
|
|
"mapping": [
|
|
{"column_index": 0, "header": "email", "kind": "to"},
|
|
{"column_index": 1, "header": "field.department", "kind": "field", "field_name": "department"},
|
|
],
|
|
}
|
|
],
|
|
},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block"},
|
|
"delivery": {"rate_limit": {"messages_per_minute": 60}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
created = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
|
|
detail = self.client.get(f"/api/v1/campaigns/{campaign_id}/versions/{version_id}", headers=headers)
|
|
self.assertEqual(detail.status_code, 200, detail.text)
|
|
stored_import = detail.json()["raw_json"]["entries"]["imports"][0]
|
|
self.assertEqual(stored_import["source_type"], "xlsx")
|
|
self.assertEqual(stored_import["sheet_name"], "Recipients")
|
|
self.assertEqual(stored_import["mapping"][1]["field_name"], "department")
|
|
|
|
validated = self.client.post(f"/api/v1/campaigns/versions/{version_id}/validate", headers=headers, json={"check_files": False})
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertTrue(validated.json()["ok"], validated.text)
|
|
|
|
def _create_built_delivery_campaign(
|
|
self,
|
|
headers: dict[str, str],
|
|
*,
|
|
external_id: str,
|
|
recipient_count: int = 1,
|
|
) -> tuple[str, str]:
|
|
entries = [
|
|
{
|
|
"id": f"recipient-{index + 1}",
|
|
"to": [{"email": f"recipient-{index + 1}@example.org", "type": "to"}],
|
|
"fields": {"first_name": f"Recipient {index + 1}"},
|
|
}
|
|
for index in range(recipient_count)
|
|
]
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": external_id, "name": external_id, "mode": "test"},
|
|
"fields": [{"name": "first_name", "type": "string", "required": True}],
|
|
"global_values": {},
|
|
"server": {
|
|
"smtp": {
|
|
"host": "mock.smtp",
|
|
"port": 2525,
|
|
"username": "sender@example.org",
|
|
"password": "test-secret",
|
|
"security": "starttls",
|
|
}
|
|
},
|
|
"recipients": {
|
|
"from": {"email": "sender@example.org", "name": "Sender", "type": "to"},
|
|
"allow_individual_to": True,
|
|
},
|
|
"template": {
|
|
"subject": "Hello ${local::first_name}",
|
|
"text": "Hello ${local::first_name}.",
|
|
},
|
|
"attachments": {"base_path": ".", "global": [], "allow_individual": False},
|
|
"entries": {"inline": entries},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block"},
|
|
"delivery": {
|
|
"rate_limit": {"messages_per_minute": 60},
|
|
"retry": {"max_attempts": 3, "backoff_seconds": [1, 5, 30]},
|
|
"imap_append_sent": {"enabled": False},
|
|
},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
created = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
validated = self.client.post(
|
|
f"/api/v1/campaigns/versions/{version_id}/validate",
|
|
headers=headers,
|
|
json={"check_files": False},
|
|
)
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertTrue(validated.json()["ok"], validated.text)
|
|
built = self.client.post(
|
|
f"/api/v1/campaigns/versions/{version_id}/build",
|
|
headers=headers,
|
|
json={"write_eml": True},
|
|
)
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
self.assertEqual(built.json()["built_count"], recipient_count, built.text)
|
|
return campaign_id, version_id
|
|
|
|
def _create_role(self, headers: dict[str, str], *, slug: str, permissions: list[str]) -> dict[str, object]:
|
|
response = self.client.post(
|
|
"/api/v1/admin/roles",
|
|
headers=headers,
|
|
json={"slug": slug, "name": slug.replace("-", " ").title(), "description": "Test role", "permissions": permissions},
|
|
)
|
|
self.assertEqual(response.status_code, 201, response.text)
|
|
return response.json()
|
|
|
|
def _create_user(
|
|
self,
|
|
headers: dict[str, str],
|
|
*,
|
|
email: str,
|
|
password: str,
|
|
role_ids: list[str],
|
|
group_ids: list[str] | None = None,
|
|
) -> dict[str, object]:
|
|
response = self.client.post(
|
|
"/api/v1/admin/users",
|
|
headers=headers,
|
|
json={
|
|
"email": email,
|
|
"display_name": email.split("@", 1)[0].replace("-", " ").title(),
|
|
"password": password,
|
|
"password_reset_required": False,
|
|
"is_active": True,
|
|
"group_ids": group_ids or [],
|
|
"role_ids": role_ids,
|
|
},
|
|
)
|
|
self.assertEqual(response.status_code, 201, response.text)
|
|
return response.json()["user"]
|
|
|
|
def _login_as(self, *, email: str, password: str, tenant_slug: str = "default") -> tuple[dict[str, str], dict[str, object]]:
|
|
response = self.client.post(
|
|
"/api/v1/auth/login",
|
|
json={"email": email, "password": password, "tenant_slug": tenant_slug},
|
|
)
|
|
self.assertEqual(response.status_code, 200, response.text)
|
|
payload = response.json()
|
|
return {"Authorization": f"Bearer {payload['access_token']}"}, payload
|
|
|
|
def _create_system_approver(self, headers: dict[str, str], *, tenant_id: str, email: str = "approver@example.local") -> dict[str, str]:
|
|
roles = self.client.get("/api/v1/admin/system/roles", headers=headers)
|
|
self.assertEqual(roles.status_code, 200, roles.text)
|
|
system_admin = next(item for item in roles.json()["roles"] if item["slug"] == "system_admin")
|
|
created = self.client.post(
|
|
"/api/v1/admin/system/accounts",
|
|
headers=headers,
|
|
json={
|
|
"email": email,
|
|
"display_name": "Configuration Approver",
|
|
"password": "approver-password",
|
|
"password_reset_required": False,
|
|
"is_active": True,
|
|
"role_ids": [system_admin["id"]],
|
|
"memberships": [{
|
|
"tenant_id": tenant_id,
|
|
"is_active": True,
|
|
"role_ids": [],
|
|
"group_ids": [],
|
|
}],
|
|
},
|
|
)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
approver_headers, _ = self._login_as(email=email, password="approver-password")
|
|
return approver_headers
|
|
|
|
def _approved_configuration_change(
|
|
self,
|
|
headers: dict[str, str],
|
|
approver_headers: dict[str, str],
|
|
*,
|
|
key: str,
|
|
value: object,
|
|
target: dict[str, object] | None = None,
|
|
) -> str:
|
|
created = self.client.post(
|
|
"/api/v1/admin/configuration-change-requests",
|
|
headers=headers,
|
|
json={"key": key, "value": value, "dry_run": True, "target": target or {}, "reason": "test approval"},
|
|
)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
request_id = created.json()["request"]["id"]
|
|
approved = self.client.post(
|
|
f"/api/v1/admin/configuration-change-requests/{request_id}/approve",
|
|
headers=approver_headers,
|
|
json={"reason": "approved by second system administrator"},
|
|
)
|
|
self.assertEqual(approved.status_code, 200, approved.text)
|
|
self.assertEqual(approved.json()["request"]["status"], "approved")
|
|
return request_id
|
|
|
|
|
|
def test_cookie_session_requires_csrf_for_mutations(self) -> None:
|
|
response = self.client.post(
|
|
"/api/v1/auth/login",
|
|
json={"email": "admin@example.local", "password": "test-admin"},
|
|
)
|
|
self.assertEqual(response.status_code, 200, response.text)
|
|
csrf = response.cookies.get("msm_csrf")
|
|
self.assertTrue(csrf)
|
|
|
|
me = self.client.get("/api/v1/auth/me")
|
|
self.assertEqual(me.status_code, 200, me.text)
|
|
me_payload = me.json()
|
|
self.assertEqual(me_payload["principal"]["account_id"], me_payload["user"]["account_id"])
|
|
self.assertEqual(me_payload["principal"]["membership_id"], me_payload["user"]["id"])
|
|
self.assertEqual(me_payload["principal"]["tenant_id"], me_payload["tenant"]["id"])
|
|
self.assertEqual(me_payload["principal"]["auth_method"], "session")
|
|
self.assertTrue(set(me_payload["principal"]["scopes"]).issuperset(set(me_payload["scopes"])))
|
|
|
|
blocked = self.client.patch("/api/v1/auth/profile", json={"display_name": "Blocked"})
|
|
self.assertEqual(blocked.status_code, 403, blocked.text)
|
|
|
|
allowed = self.client.patch(
|
|
"/api/v1/auth/profile",
|
|
headers={"X-CSRF-Token": csrf or ""},
|
|
json={"display_name": "Cookie Admin"},
|
|
)
|
|
self.assertEqual(allowed.status_code, 200, allowed.text)
|
|
self.assertEqual(allowed.json()["user"]["display_name"], "Cookie Admin")
|
|
|
|
def test_mailbox_message_listing_reports_total_count(self) -> None:
|
|
headers, login = self._login()
|
|
created_profile = self.client.post(
|
|
"/api/v1/mail/profiles",
|
|
headers=headers,
|
|
json={
|
|
"name": "Readable mailbox",
|
|
"smtp": {
|
|
"host": "mock.smtp",
|
|
"port": 2525,
|
|
"security": "starttls",
|
|
},
|
|
"imap": {
|
|
"host": "mock.imap",
|
|
"port": 993,
|
|
"security": "tls",
|
|
"sent_folder": "Sent",
|
|
},
|
|
"credentials": {
|
|
"smtp": {"username": "sender@example.org", "password": "smtp-secret"},
|
|
"imap": {"username": "sender@example.org", "password": "imap-secret"},
|
|
},
|
|
},
|
|
)
|
|
self.assertEqual(created_profile.status_code, 201, created_profile.text)
|
|
profile_id = created_profile.json()["id"]
|
|
|
|
from govoplan_mail.backend.dev.mock_mailbox import record_imap_append
|
|
|
|
for index in range(3):
|
|
record_imap_append(
|
|
f"Subject: Mock message {index + 1}\nFrom: sender@example.org\nTo: recipient@example.org\n\nBody {index + 1}".encode("utf-8"),
|
|
folder="INBOX",
|
|
imap_host="mock.imap",
|
|
)
|
|
|
|
listed = self.client.get(
|
|
f"/api/v1/mail/profiles/{profile_id}/mailbox/messages",
|
|
headers=headers,
|
|
params={"folder": "INBOX", "limit": 2},
|
|
)
|
|
self.assertEqual(listed.status_code, 200, listed.text)
|
|
payload = listed.json()
|
|
self.assertEqual(payload["folder"], "INBOX")
|
|
self.assertEqual(payload["total_count"], 3)
|
|
self.assertEqual(len(payload["messages"]), 2)
|
|
self.assertTrue(all(message["folder"] == "INBOX" for message in payload["messages"]))
|
|
self.assertTrue(payload["cursor_stable"])
|
|
self.assertFalse(payload["full"])
|
|
self.assertTrue(payload["next_cursor"])
|
|
|
|
next_page = self.client.get(
|
|
f"/api/v1/mail/profiles/{profile_id}/mailbox/messages",
|
|
headers=headers,
|
|
params={"folder": "INBOX", "cursor": payload["next_cursor"]},
|
|
)
|
|
self.assertEqual(next_page.status_code, 200, next_page.text)
|
|
next_payload = next_page.json()
|
|
self.assertEqual(next_payload["offset"], 2)
|
|
self.assertEqual(len(next_payload["messages"]), 1)
|
|
self.assertFalse(next_payload["next_cursor"])
|
|
|
|
stale_cursor = encode_keyset_cursor(
|
|
"mail.mailbox.messages.v1",
|
|
fingerprint=keyset_query_fingerprint(
|
|
"mail.mailbox.messages.v1",
|
|
{
|
|
"tenant_id": login["tenant"]["id"],
|
|
"profile_id": profile_id,
|
|
"folder": "INBOX",
|
|
"limit": 2,
|
|
"sort": "imap.uid.desc",
|
|
},
|
|
),
|
|
values={
|
|
"offset": 2,
|
|
"limit": 2,
|
|
"uidvalidity": "stale-mock-uidvalidity",
|
|
"after_uid": payload["messages"][-1]["uid"],
|
|
},
|
|
)
|
|
stale_page = self.client.get(
|
|
f"/api/v1/mail/profiles/{profile_id}/mailbox/messages",
|
|
headers=headers,
|
|
params={"folder": "INBOX", "cursor": stale_cursor},
|
|
)
|
|
self.assertEqual(stale_page.status_code, 200, stale_page.text)
|
|
stale_payload = stale_page.json()
|
|
self.assertTrue(stale_payload["full"])
|
|
self.assertEqual(stale_payload["offset"], 0)
|
|
self.assertEqual(len(stale_payload["messages"]), 2)
|
|
self.assertTrue(stale_payload["next_cursor"])
|
|
|
|
mismatched_cursor = self.client.get(
|
|
f"/api/v1/mail/profiles/{profile_id}/mailbox/messages",
|
|
headers=headers,
|
|
params={"folder": "Sent", "cursor": payload["next_cursor"]},
|
|
)
|
|
self.assertEqual(mismatched_cursor.status_code, 400, mismatched_cursor.text)
|
|
|
|
def test_mail_settings_delta_tracks_profiles_and_policy(self) -> None:
|
|
headers, _ = self._login()
|
|
full = self.client.get(
|
|
"/api/v1/mail/settings/delta",
|
|
headers=headers,
|
|
params={"scope_type": "tenant", "include_inactive": "true"},
|
|
)
|
|
self.assertEqual(full.status_code, 200, full.text)
|
|
full_payload = full.json()
|
|
self.assertTrue(full_payload["full"])
|
|
|
|
created_profile = self.client.post(
|
|
"/api/v1/mail/profiles",
|
|
headers=headers,
|
|
json={
|
|
"name": "Delta mail settings",
|
|
"smtp": {
|
|
"host": "mock.smtp",
|
|
"port": 2525,
|
|
"security": "starttls",
|
|
},
|
|
},
|
|
)
|
|
self.assertEqual(created_profile.status_code, 201, created_profile.text)
|
|
profile_id = created_profile.json()["id"]
|
|
|
|
profile_delta = self.client.get(
|
|
"/api/v1/mail/settings/delta",
|
|
headers=headers,
|
|
params={"scope_type": "tenant", "include_inactive": "true", "since": full_payload["watermark"]},
|
|
)
|
|
self.assertEqual(profile_delta.status_code, 200, profile_delta.text)
|
|
profile_delta_payload = profile_delta.json()
|
|
self.assertFalse(profile_delta_payload["full"])
|
|
self.assertIn("profiles", profile_delta_payload["changed_sections"])
|
|
self.assertEqual({profile["id"] for profile in profile_delta_payload["profiles"]}, {profile_id})
|
|
|
|
updated_policy = self.client.put(
|
|
"/api/v1/mail/policies/tenant",
|
|
headers=headers,
|
|
json={"policy": {"allow_user_profiles": False}},
|
|
)
|
|
self.assertEqual(updated_policy.status_code, 200, updated_policy.text)
|
|
|
|
policy_delta = self.client.get(
|
|
"/api/v1/mail/settings/delta",
|
|
headers=headers,
|
|
params={"scope_type": "tenant", "include_inactive": "true", "since": profile_delta_payload["watermark"]},
|
|
)
|
|
self.assertEqual(policy_delta.status_code, 200, policy_delta.text)
|
|
policy_delta_payload = policy_delta.json()
|
|
self.assertFalse(policy_delta_payload["full"])
|
|
self.assertIn("policy", policy_delta_payload["changed_sections"])
|
|
self.assertEqual(policy_delta_payload["policy"]["effective_policy"]["allow_user_profiles"], False)
|
|
|
|
def test_encrypted_mail_profile_can_back_campaign_without_exposing_secrets(self) -> None:
|
|
headers, _ = self._login()
|
|
created_profile = self.client.post(
|
|
"/api/v1/mail/profiles",
|
|
headers=headers,
|
|
json={
|
|
"name": "Primary sender",
|
|
"smtp": {
|
|
"host": "mock.smtp",
|
|
"port": 2525,
|
|
"security": "starttls",
|
|
},
|
|
"imap": {
|
|
"host": "mock.imap",
|
|
"port": 993,
|
|
"security": "tls",
|
|
"sent_folder": "Sent",
|
|
},
|
|
"credentials": {
|
|
"smtp": {"username": "sender@example.org", "password": "smtp-secret"},
|
|
"imap": {"username": "sender@example.org", "password": "imap-secret"},
|
|
},
|
|
},
|
|
)
|
|
self.assertEqual(created_profile.status_code, 201, created_profile.text)
|
|
profile_payload = created_profile.json()
|
|
self.assertNotIn("password", profile_payload["smtp"])
|
|
self.assertNotIn("username", profile_payload["smtp"])
|
|
self.assertNotIn("password", profile_payload["imap"])
|
|
self.assertNotIn("username", profile_payload["imap"])
|
|
self.assertEqual(profile_payload["credentials"]["smtp"]["username"], "sender@example.org")
|
|
self.assertEqual(profile_payload["credentials"]["imap"]["username"], "sender@example.org")
|
|
profile_id = profile_payload["id"]
|
|
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "profile-backed", "name": "Profile backed", "mode": "test"},
|
|
"fields": [{"name": "first_name", "type": "string", "required": True}],
|
|
"global_values": {},
|
|
"server": {"mail_profile_id": profile_id},
|
|
"recipients": {
|
|
"from": {"email": "sender@example.org", "name": "Sender", "type": "to"},
|
|
"to": [{"email": "recipient@example.org", "type": "to"}],
|
|
},
|
|
"template": {"subject": "Hello ${local::first_name}", "text": "Hello ${local::first_name}."},
|
|
"attachments": {"base_path": ".", "global": [], "allow_individual": False},
|
|
"entries": {"inline": [{"id": "recipient-1", "fields": {"first_name": "Recipient"}}]},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block"},
|
|
"delivery": {
|
|
"rate_limit": {"messages_per_minute": 60},
|
|
"retry": {"max_attempts": 3, "backoff_seconds": [1, 5, 30]},
|
|
"imap_append_sent": {"enabled": False},
|
|
},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
created_campaign = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created_campaign.status_code, 200, created_campaign.text)
|
|
version_id = created_campaign.json()["version"]["id"]
|
|
|
|
validated = self.client.post(f"/api/v1/campaigns/versions/{version_id}/validate", headers=headers, json={"check_files": False})
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertTrue(validated.json()["ok"], validated.text)
|
|
built = self.client.post(f"/api/v1/campaigns/versions/{version_id}/build", headers=headers, json={"write_eml": False})
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
|
|
from govoplan_campaign.backend.db.models import CampaignVersion
|
|
from govoplan_mail.backend.db.models import MailServerProfile
|
|
|
|
with SessionLocal() as session:
|
|
profile = session.get(MailServerProfile, profile_id)
|
|
self.assertIsNotNone(profile)
|
|
assert profile is not None
|
|
self.assertNotEqual(profile.smtp_password_encrypted, "smtp-secret")
|
|
self.assertNotEqual(profile.imap_password_encrypted, "imap-secret")
|
|
self.assertEqual(profile.smtp_username, "sender@example.org")
|
|
self.assertEqual(profile.imap_username, "sender@example.org")
|
|
self.assertNotIn("password", profile.smtp_config)
|
|
self.assertNotIn("username", profile.smtp_config)
|
|
self.assertNotIn("password", profile.imap_config or {})
|
|
self.assertNotIn("username", profile.imap_config or {})
|
|
|
|
version = session.get(CampaignVersion, version_id)
|
|
self.assertIsNotNone(version)
|
|
assert version is not None
|
|
self.assertEqual(version.raw_json["server"], {"mail_profile_id": profile_id})
|
|
snapshot = version.execution_snapshot or {}
|
|
self.assertIsNone(snapshot.get("smtp", {}).get("password"))
|
|
self.assertEqual(snapshot.get("smtp", {}).get("host"), "mock.smtp")
|
|
|
|
def test_mail_profile_can_inherit_server_without_credentials(self) -> None:
|
|
headers, _ = self._login()
|
|
created_profile = self.client.post(
|
|
"/api/v1/mail/profiles",
|
|
headers=headers,
|
|
json={
|
|
"name": "Shared host local credentials",
|
|
"smtp": {
|
|
"host": "mock.smtp",
|
|
"port": 2525,
|
|
"security": "starttls",
|
|
},
|
|
"imap": {
|
|
"host": "mock.imap",
|
|
"port": 993,
|
|
"security": "tls",
|
|
"sent_folder": "Sent",
|
|
},
|
|
"credentials": {
|
|
"smtp": {"username": "profile-smtp@example.org", "password": "profile-smtp-secret"},
|
|
"imap": {"username": "profile-imap@example.org", "password": "profile-imap-secret"},
|
|
},
|
|
},
|
|
)
|
|
self.assertEqual(created_profile.status_code, 201, created_profile.text)
|
|
profile_id = created_profile.json()["id"]
|
|
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "profile-local-creds", "name": "Profile local creds", "mode": "test"},
|
|
"fields": [{"name": "first_name", "type": "string", "required": True}],
|
|
"global_values": {},
|
|
"server": {
|
|
"mail_profile_id": profile_id,
|
|
"inherit_smtp_credentials": False,
|
|
"inherit_imap_credentials": False,
|
|
"credentials": {
|
|
"smtp": {"username": "campaign-smtp@example.org", "password": "campaign-smtp-secret"},
|
|
"imap": {"username": "campaign-imap@example.org", "password": "campaign-imap-secret"},
|
|
},
|
|
},
|
|
"recipients": {
|
|
"from": {"email": "sender@example.org", "name": "Sender", "type": "to"},
|
|
"to": [{"email": "recipient@example.org", "type": "to"}],
|
|
},
|
|
"template": {"subject": "Hello ${local::first_name}", "text": "Hello ${local::first_name}."},
|
|
"attachments": {"base_path": ".", "global": [], "allow_individual": False},
|
|
"entries": {"inline": [{"id": "recipient-1", "fields": {"first_name": "Recipient"}}]},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block"},
|
|
"delivery": {
|
|
"rate_limit": {"messages_per_minute": 60},
|
|
"retry": {"max_attempts": 3, "backoff_seconds": [1, 5, 30]},
|
|
"imap_append_sent": {"enabled": False},
|
|
},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
created_campaign = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created_campaign.status_code, 200, created_campaign.text)
|
|
version_id = created_campaign.json()["version"]["id"]
|
|
|
|
validated = self.client.post(f"/api/v1/campaigns/versions/{version_id}/validate", headers=headers, json={"check_files": False})
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertTrue(validated.json()["ok"], validated.text)
|
|
built = self.client.post(f"/api/v1/campaigns/versions/{version_id}/build", headers=headers, json={"write_eml": False})
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
|
|
from govoplan_campaign.backend.db.models import CampaignVersion
|
|
from govoplan_campaign.backend.sending.execution import ExecutionSnapshot, runtime_imap_config, runtime_smtp_config
|
|
|
|
with SessionLocal() as session:
|
|
version = session.get(CampaignVersion, version_id)
|
|
self.assertIsNotNone(version)
|
|
assert version is not None
|
|
snapshot_payload = version.execution_snapshot or {}
|
|
self.assertEqual(snapshot_payload.get("smtp", {}).get("host"), "mock.smtp")
|
|
self.assertEqual(snapshot_payload.get("smtp", {}).get("username"), "campaign-smtp@example.org")
|
|
self.assertIsNone(snapshot_payload.get("smtp", {}).get("password"))
|
|
self.assertEqual(snapshot_payload.get("imap", {}).get("host"), "mock.imap")
|
|
self.assertEqual(snapshot_payload.get("imap", {}).get("username"), "campaign-imap@example.org")
|
|
self.assertIsNone(snapshot_payload.get("imap", {}).get("password"))
|
|
|
|
snapshot = ExecutionSnapshot.model_validate(snapshot_payload)
|
|
smtp_runtime = runtime_smtp_config(session, version, snapshot)
|
|
imap_runtime = runtime_imap_config(session, version, snapshot)
|
|
self.assertEqual(smtp_runtime.host, "mock.smtp")
|
|
self.assertEqual(smtp_runtime.username, "campaign-smtp@example.org")
|
|
self.assertEqual(smtp_runtime.password, "campaign-smtp-secret")
|
|
self.assertIsNotNone(imap_runtime)
|
|
assert imap_runtime is not None
|
|
self.assertEqual(imap_runtime.host, "mock.imap")
|
|
self.assertEqual(imap_runtime.username, "campaign-imap@example.org")
|
|
self.assertEqual(imap_runtime.password, "campaign-imap-secret")
|
|
|
|
def test_health_schema_and_dev_mailbox_gates(self) -> None:
|
|
public_health = self.client.get("/health")
|
|
self.assertEqual(public_health.status_code, 200, public_health.text)
|
|
self.assertEqual(public_health.json(), {"status": "ok"})
|
|
|
|
unauthenticated_details = self.client.get("/health/details")
|
|
self.assertEqual(unauthenticated_details.status_code, 401, unauthenticated_details.text)
|
|
|
|
headers, _ = self._login()
|
|
details = self.client.get("/health/details", headers=headers)
|
|
self.assertEqual(details.status_code, 200, details.text)
|
|
self.assertIn("storage", details.json())
|
|
|
|
schema = self.client.get("/api/v1/schemas/campaign", headers=headers)
|
|
self.assertEqual(schema.status_code, 200, schema.text)
|
|
self.assertEqual(schema.json()["title"], "MultiMailer Campaign")
|
|
|
|
dev_mailbox = self.client.get("/api/v1/dev/mailbox/messages", headers=headers)
|
|
self.assertEqual(dev_mailbox.status_code, 404, dev_mailbox.text)
|
|
|
|
def test_docs_context_and_ops_status_are_available(self) -> None:
|
|
headers, _ = self._login()
|
|
|
|
docs = self.client.get("/api/v1/docs/context", headers=headers)
|
|
self.assertEqual(docs.status_code, 200, docs.text)
|
|
docs_payload = docs.json()
|
|
module_ids = {item["id"] for item in docs_payload["layers"]["configured"]["modules"]}
|
|
self.assertIn("docs", module_ids)
|
|
self.assertIn("ops", module_ids)
|
|
self.assertGreaterEqual(docs_payload["summary"]["visible_route_count"], 1)
|
|
self.assertGreaterEqual(docs_payload["summary"]["documentation_topic_count"], 1)
|
|
documentation_topic_ids = {item["id"] for item in docs_payload["layers"]["always"]["documentation"]}
|
|
self.assertIn("docs.configured-system-documentation", documentation_topic_ids)
|
|
workflow_topic_ids = {item["id"] for item in docs_payload["topic_groups"]["workflow"]}
|
|
reference_topic_ids = {item["id"] for item in docs_payload["topic_groups"]["reference"]}
|
|
pattern_topic_ids = {item["id"] for item in docs_payload["topic_groups"]["pattern"]}
|
|
self.assertIn("access.workflow.grant-user-access", workflow_topic_ids)
|
|
self.assertIn("access.reference.admin-access-fields", reference_topic_ids)
|
|
self.assertIn("docs.pattern.field-help", pattern_topic_ids)
|
|
workflow_topic = next(item for item in docs_payload["topic_groups"]["workflow"] if item["id"] == "access.workflow.grant-user-access")
|
|
self.assertEqual(workflow_topic["anchor_id"], "docs-topic-access-access-workflow-grant-user-access")
|
|
|
|
user_docs = self.client.get("/api/v1/docs/context?type=user&locale=de", headers=headers)
|
|
self.assertEqual(user_docs.status_code, 200, user_docs.text)
|
|
user_docs_payload = user_docs.json()
|
|
self.assertEqual(user_docs_payload["actor"]["documentation_type"], "user")
|
|
self.assertEqual(user_docs_payload["actor"]["locale"], "de")
|
|
user_always = {item["id"]: item for item in user_docs_payload["layers"]["always"]["documentation"]}
|
|
self.assertEqual(user_always["docs.configured-system-documentation"]["translation_locale"], "de")
|
|
|
|
platform_status = self.client.get("/api/v1/platform/status", headers=headers)
|
|
self.assertEqual(platform_status.status_code, 200, platform_status.text)
|
|
i18n_status = platform_status.json()["i18n"]
|
|
self.assertIn("en", i18n_status["enabled_languages"])
|
|
self.assertIn("de", {item["code"] for item in i18n_status["available_languages"]})
|
|
|
|
ops = self.client.get("/api/v1/ops/status", headers=headers)
|
|
self.assertEqual(ops.status_code, 200, ops.text)
|
|
ops_payload = ops.json()
|
|
self.assertIn(ops_payload["summary"]["active_profile"], {"local-dev", "production-like-dev", "single-process", "split-worker"})
|
|
self.assertEqual(ops_payload["summary"]["app_env"], "test")
|
|
self.assertIn("redis_url", ops_payload["summary"])
|
|
self.assertIn("celery_queues", ops_payload["summary"])
|
|
self.assertIn("readiness", ops_payload)
|
|
self.assertIn("module_registry", {item["id"] for item in ops_payload["checks"]})
|
|
self.assertIn("redis_broker", {item["id"] for item in ops_payload["checks"]})
|
|
self.assertIn("worker_split", {item["id"] for item in ops_payload["checks"]})
|
|
self.assertIn("deployment_security", {item["id"] for item in ops_payload["checks"]})
|
|
self.assertGreaterEqual(len(ops_payload["sizing"]), 1)
|
|
|
|
readiness = self.client.get("/api/v1/ops/readiness", headers=headers)
|
|
self.assertEqual(readiness.status_code, 200, readiness.text)
|
|
self.assertTrue(readiness.json()["ready"])
|
|
|
|
def test_language_packages_tenant_enablement_and_user_preference(self) -> None:
|
|
headers, _ = self._login()
|
|
|
|
settings_response = self.client.get("/api/v1/admin/system/settings", headers=headers)
|
|
self.assertEqual(settings_response.status_code, 200, settings_response.text)
|
|
settings_payload = settings_response.json()
|
|
installed_languages = settings_payload["available_languages"]
|
|
if "fr" not in {item["code"] for item in installed_languages}:
|
|
installed_languages = [
|
|
*installed_languages,
|
|
{"code": "fr", "label": "French", "native_label": "Francais"},
|
|
]
|
|
enabled_codes = list(dict.fromkeys([*settings_payload["enabled_language_codes"], "fr"]))
|
|
system_update = self.client.patch(
|
|
"/api/v1/admin/system/settings",
|
|
headers=headers,
|
|
json={
|
|
"default_locale": settings_payload["default_locale"],
|
|
"allow_tenant_custom_groups": settings_payload["allow_tenant_custom_groups"],
|
|
"allow_tenant_custom_roles": settings_payload["allow_tenant_custom_roles"],
|
|
"allow_tenant_api_keys": settings_payload["allow_tenant_api_keys"],
|
|
"available_languages": installed_languages,
|
|
"enabled_language_codes": enabled_codes,
|
|
},
|
|
)
|
|
self.assertEqual(system_update.status_code, 200, system_update.text)
|
|
self.assertIn("fr", {item["code"] for item in system_update.json()["available_languages"]})
|
|
self.assertIn("fr", system_update.json()["enabled_language_codes"])
|
|
|
|
platform_status = self.client.get("/api/v1/platform/status", headers=headers)
|
|
self.assertEqual(platform_status.status_code, 200, platform_status.text)
|
|
self.assertIn("fr", platform_status.json()["i18n"]["enabled_languages"])
|
|
|
|
tenant_update = self.client.patch(
|
|
"/api/v1/admin/tenant/settings",
|
|
headers=headers,
|
|
json={"default_locale": "fr", "enabled_language_codes": ["en", "fr"]},
|
|
)
|
|
self.assertEqual(tenant_update.status_code, 200, tenant_update.text)
|
|
self.assertEqual(tenant_update.json()["default_locale"], "fr")
|
|
self.assertEqual(tenant_update.json()["enabled_language_codes"], ["en", "fr"])
|
|
|
|
profile_update = self.client.patch(
|
|
"/api/v1/auth/profile",
|
|
headers=headers,
|
|
json={"preferred_language": "fr"},
|
|
)
|
|
self.assertEqual(profile_update.status_code, 200, profile_update.text)
|
|
profile_payload = profile_update.json()
|
|
self.assertEqual(profile_payload["user"]["preferred_language"], "fr")
|
|
self.assertEqual(profile_payload["default_language"], "fr")
|
|
self.assertEqual(profile_payload["enabled_language_codes"], ["en", "fr"])
|
|
|
|
refreshed_profile = self.client.get("/api/v1/auth/me", headers=headers)
|
|
self.assertEqual(refreshed_profile.status_code, 200, refreshed_profile.text)
|
|
self.assertEqual(refreshed_profile.json()["user"]["preferred_language"], "fr")
|
|
|
|
def test_managed_file_runtime_flow(self) -> None:
|
|
headers, login = self._login()
|
|
user_id = login["user"]["id"]
|
|
tenant_id = login["tenant"]["id"]
|
|
|
|
spaces = self.client.get("/api/v1/files/spaces", headers=headers)
|
|
self.assertEqual(spaces.status_code, 200, spaces.text)
|
|
self.assertEqual(spaces.json()["spaces"][0]["owner_id"], user_id)
|
|
|
|
folder = self.client.post(
|
|
"/api/v1/files/folders",
|
|
headers=headers,
|
|
json={"owner_type": "user", "owner_id": user_id, "path": "inbox"},
|
|
)
|
|
self.assertEqual(folder.status_code, 200, folder.text)
|
|
|
|
first = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={"owner_type": "user", "owner_id": user_id, "path": "inbox"},
|
|
files=[("files", ("report.txt", b"first report", ""))],
|
|
)
|
|
self.assertEqual(first.status_code, 200, first.text)
|
|
first_file = first.json()["files"][0]
|
|
self.assertEqual(first_file["display_path"], "inbox/report.txt")
|
|
self.assertEqual(first_file["content_type"], "text/plain")
|
|
self.assertIsNone(first_file["source_provenance"])
|
|
self.assertIsNone(first_file["source_revision"])
|
|
|
|
connector_policy_sources = [
|
|
{
|
|
"scope_type": "system",
|
|
"label": "System",
|
|
"policy": {"allow": {"providers": ["seafile"]}},
|
|
},
|
|
{
|
|
"scope_type": "tenant",
|
|
"scope_id": tenant_id,
|
|
"label": "Tenant",
|
|
"policy": {"deny": {"external_paths": ["/reports/private/*"]}},
|
|
},
|
|
]
|
|
connector_policy_json = json.dumps({"sources": connector_policy_sources})
|
|
allowed_source = {
|
|
"source_type": "connector",
|
|
"connector_id": "seafile-main",
|
|
"provider": "seafile",
|
|
"external_id": "repo-1:file-1",
|
|
"external_path": "/reports/imported.txt",
|
|
"metadata": {"library": "Reports"},
|
|
}
|
|
denied_policy = self.client.post(
|
|
"/api/v1/files/connector-policy/evaluate",
|
|
headers=headers,
|
|
json={
|
|
"operation": "import",
|
|
"source_provenance": {**allowed_source, "external_path": "/reports/private/secrets.txt"},
|
|
"policy_sources": connector_policy_sources,
|
|
},
|
|
)
|
|
self.assertEqual(denied_policy.status_code, 200, denied_policy.text)
|
|
denied_decision = denied_policy.json()["decision"]
|
|
self.assertFalse(denied_decision["allowed"])
|
|
self.assertIn("connector_policy_denylist", denied_decision["requirements"])
|
|
self.assertEqual(denied_decision["details"]["deny_matches"][0]["scope"]["path"], f"tenant:{tenant_id}")
|
|
|
|
blocked_upload = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"path": "inbox/blocked",
|
|
"source_revision": "nextcloud-rev-1",
|
|
"source_provenance_json": json.dumps({**allowed_source, "connector_id": "nextcloud-main", "provider": "nextcloud"}),
|
|
"connector_policy_json": connector_policy_json,
|
|
},
|
|
files=[("files", ("blocked.txt", b"blocked", "text/plain"))],
|
|
)
|
|
self.assertEqual(blocked_upload.status_code, 403, blocked_upload.text)
|
|
self.assertFalse(blocked_upload.json()["detail"]["allowed"])
|
|
self.assertIn("connector_policy_allowlist", blocked_upload.json()["detail"]["requirements"])
|
|
|
|
imported = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"path": "inbox/imported",
|
|
"source_revision": "seafile-rev-1",
|
|
"source_provenance_json": json.dumps(allowed_source),
|
|
"connector_policy_json": connector_policy_json,
|
|
},
|
|
files=[("files", ("imported.txt", b"imported report", "text/plain"))],
|
|
)
|
|
self.assertEqual(imported.status_code, 200, imported.text)
|
|
imported_file = imported.json()["files"][0]
|
|
self.assertEqual(imported_file["source_revision"], "seafile-rev-1")
|
|
self.assertEqual(imported_file["source_provenance"]["connector_id"], "seafile-main")
|
|
self.assertEqual(imported_file["source_provenance"]["revision"], "seafile-rev-1")
|
|
self.assertEqual(imported_file["source_provenance"]["metadata"]["library"], "Reports")
|
|
|
|
# Exercises request-model conversion to FileConflictResolution and the
|
|
# explicit rename path rather than silently overwriting an asset.
|
|
second = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"path": "inbox",
|
|
"conflict_resolutions_json": json.dumps(
|
|
[
|
|
{
|
|
"target_path": "inbox/report.txt",
|
|
"action": "rename",
|
|
"new_path": "inbox/report-copy.txt",
|
|
}
|
|
]
|
|
),
|
|
},
|
|
files=[("files", ("report.txt", b"second report", "text/plain"))],
|
|
)
|
|
self.assertEqual(second.status_code, 200, second.text)
|
|
second_file = second.json()["files"][0]
|
|
self.assertEqual(second_file["display_path"], "inbox/report-copy.txt")
|
|
|
|
listing = self.client.get(
|
|
"/api/v1/files",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id, "path_prefix": "inbox"},
|
|
)
|
|
self.assertEqual(listing.status_code, 200, listing.text)
|
|
self.assertEqual(len(listing.json()["files"]), 3)
|
|
listed_import = next(item for item in listing.json()["files"] if item["id"] == imported_file["id"])
|
|
self.assertEqual(listed_import["source_revision"], "seafile-rev-1")
|
|
|
|
downloaded_import = self.client.get(f"/api/v1/files/{imported_file['id']}/download", headers=headers)
|
|
self.assertEqual(downloaded_import.status_code, 200, downloaded_import.text)
|
|
self.assertEqual(downloaded_import.content, b"imported report")
|
|
|
|
connector_audit = self.client.get(
|
|
"/api/v1/admin/audit",
|
|
headers=headers,
|
|
params={"limit": 500, "filter_action": "files.connector"},
|
|
)
|
|
self.assertEqual(connector_audit.status_code, 200, connector_audit.text)
|
|
connector_events = {item["action"]: item for item in connector_audit.json()["items"]}
|
|
imported_event = connector_events["files.connector.imported"]
|
|
accessed_event = connector_events["files.connector.accessed"]
|
|
self.assertEqual(imported_event["object_id"], imported_file["id"])
|
|
self.assertEqual(imported_event["details"]["source_revision"], "seafile-rev-1")
|
|
self.assertEqual(imported_event["details"]["source_provenance"]["connector_id"], "seafile-main")
|
|
self.assertEqual(accessed_event["object_id"], imported_file["id"])
|
|
self.assertEqual(accessed_event["details"]["operation"], "download")
|
|
self.assertEqual(accessed_event["details"]["source_revision"], "seafile-rev-1")
|
|
|
|
resolved = self.client.post(
|
|
"/api/v1/files/resolve-patterns",
|
|
headers=headers,
|
|
json={
|
|
"patterns": ["**/*.txt"],
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"include_unmatched": True,
|
|
},
|
|
)
|
|
self.assertEqual(resolved.status_code, 200, resolved.text)
|
|
self.assertEqual(len(resolved.json()["patterns"][0]["matches"]), 3)
|
|
self.assertEqual(resolved.json()["unmatched"], [])
|
|
|
|
# Exercises RenamePlanItem construction without mutating persisted paths.
|
|
rename_preview = self.client.post(
|
|
"/api/v1/files/bulk-rename",
|
|
headers=headers,
|
|
json={
|
|
"file_ids": [first_file["id"]],
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"mode": "prefix",
|
|
"prefix": "archived-",
|
|
"dry_run": True,
|
|
},
|
|
)
|
|
self.assertEqual(rename_preview.status_code, 200, rename_preview.text)
|
|
self.assertEqual(rename_preview.json()["items"][0]["new_path"], "inbox/archived-report.txt")
|
|
|
|
ownerless_rename = self.client.post(
|
|
"/api/v1/files/bulk-rename",
|
|
headers=headers,
|
|
json={"file_ids": [first_file["id"]], "mode": "prefix", "prefix": "archived-", "dry_run": True},
|
|
)
|
|
self.assertEqual(ownerless_rename.status_code, 422, ownerless_rename.text)
|
|
|
|
legacy_role = self._create_role(headers, slug="legacy-file-organizer", permissions=["files:organize"])
|
|
legacy_user = self._create_user(
|
|
headers,
|
|
email="legacy-file-organizer@example.local",
|
|
password="legacy-file-organizer-password",
|
|
role_ids=[str(legacy_role["id"])],
|
|
)
|
|
legacy_read_share = self.client.post(
|
|
f"/api/v1/files/{first_file['id']}/shares",
|
|
headers=headers,
|
|
json={"target_type": "user", "target_id": legacy_user["id"], "permission": "read"},
|
|
)
|
|
self.assertEqual(legacy_read_share.status_code, 200, legacy_read_share.text)
|
|
|
|
from govoplan_files.backend.db.models import FileShare
|
|
from govoplan_files.backend.storage.common import FileStorageError
|
|
from govoplan_files.backend.storage.transfers import legacy_rename_selection_without_owner_context
|
|
|
|
with SessionLocal() as session:
|
|
with self.assertRaises(FileStorageError):
|
|
legacy_rename_selection_without_owner_context(
|
|
session,
|
|
tenant_id=str(login["tenant"]["id"]),
|
|
user_id=str(legacy_user["id"]),
|
|
file_ids=[first_file["id"]],
|
|
mode="prefix",
|
|
prefix="blocked-",
|
|
dry_run=True,
|
|
)
|
|
share = session.query(FileShare).filter(FileShare.id == legacy_read_share.json()["id"]).one()
|
|
share.permission = "write"
|
|
session.add(share)
|
|
session.commit()
|
|
|
|
with SessionLocal() as session:
|
|
legacy_plan = legacy_rename_selection_without_owner_context(
|
|
session,
|
|
tenant_id=str(login["tenant"]["id"]),
|
|
user_id=str(legacy_user["id"]),
|
|
file_ids=[first_file["id"]],
|
|
mode="prefix",
|
|
prefix="shared-",
|
|
dry_run=True,
|
|
)
|
|
self.assertEqual(legacy_plan[0].new_path, "inbox/shared-report.txt")
|
|
|
|
invalid_share = self.client.post(
|
|
f"/api/v1/files/{first_file['id']}/shares",
|
|
headers=headers,
|
|
json={"target_type": "user", "target_id": "missing-user", "permission": "read"},
|
|
)
|
|
self.assertEqual(invalid_share.status_code, 400, invalid_share.text)
|
|
|
|
campaign = self.client.post(
|
|
"/api/v1/campaigns/new",
|
|
headers=headers,
|
|
json={"external_id": "bulk-file-share", "name": "Bulk file share"},
|
|
)
|
|
self.assertEqual(campaign.status_code, 200, campaign.text)
|
|
campaign_id = campaign.json()["campaign"]["id"]
|
|
|
|
bulk_share = self.client.post(
|
|
"/api/v1/files/bulk-shares",
|
|
headers=headers,
|
|
json={
|
|
"file_ids": [first_file["id"], second_file["id"], first_file["id"]],
|
|
"target_type": "campaign",
|
|
"target_id": campaign_id,
|
|
"permission": "read",
|
|
},
|
|
)
|
|
self.assertEqual(bulk_share.status_code, 200, bulk_share.text)
|
|
self.assertEqual(bulk_share.json()["shared_count"], 2)
|
|
self.assertEqual(len(bulk_share.json()["shares"]), 2)
|
|
|
|
repeated_bulk_share = self.client.post(
|
|
"/api/v1/files/bulk-shares",
|
|
headers=headers,
|
|
json={
|
|
"file_ids": [first_file["id"], second_file["id"]],
|
|
"target_type": "campaign",
|
|
"target_id": campaign_id,
|
|
"permission": "read",
|
|
},
|
|
)
|
|
self.assertEqual(repeated_bulk_share.status_code, 200, repeated_bulk_share.text)
|
|
self.assertEqual(repeated_bulk_share.json()["shared_count"], 2)
|
|
|
|
campaign_files = self.client.get("/api/v1/files", headers=headers, params={"campaign_id": campaign_id})
|
|
self.assertEqual(campaign_files.status_code, 200, campaign_files.text)
|
|
self.assertEqual({item["id"] for item in campaign_files.json()["files"]}, {first_file["id"], second_file["id"]})
|
|
self.assertTrue(all(item["shares"] for item in campaign_files.json()["files"]))
|
|
|
|
|
|
download = self.client.get(f"/api/v1/files/{first_file['id']}/download", headers=headers)
|
|
self.assertEqual(download.status_code, 200, download.text)
|
|
self.assertIn("filename*=UTF-8''report.txt", download.headers.get("content-disposition", ""))
|
|
self.assertEqual(download.content, b"first report")
|
|
|
|
archive = self.client.post(
|
|
"/api/v1/files/archive.zip",
|
|
headers=headers,
|
|
json={"file_ids": [first_file["id"], second_file["id"]], "filename": "reports.zip"},
|
|
)
|
|
self.assertEqual(archive.status_code, 200, archive.text)
|
|
with zipfile.ZipFile(io.BytesIO(archive.content)) as bundle:
|
|
self.assertEqual(sorted(bundle.namelist()), ["inbox/report-copy.txt", "inbox/report.txt"])
|
|
self.assertEqual(bundle.read("inbox/report.txt"), b"first report")
|
|
|
|
# A historical soft-deleted folder row can coexist with the active row.
|
|
# Moving/copying through that hierarchy must choose the active row rather
|
|
# than raising MultipleResultsFound.
|
|
target_folder = self.client.post(
|
|
"/api/v1/files/folders",
|
|
headers=headers,
|
|
json={"owner_type": "user", "owner_id": user_id, "path": "archive"},
|
|
)
|
|
self.assertEqual(target_folder.status_code, 200, target_folder.text)
|
|
from govoplan_files.backend.db.models import FileFolder
|
|
from govoplan_files.backend.storage.common import utcnow
|
|
with SessionLocal() as session:
|
|
session.add(FileFolder(
|
|
tenant_id=next(iter({folder.tenant_id for folder in session.query(FileFolder).filter(FileFolder.owner_user_id == user_id).all()})),
|
|
owner_type="user",
|
|
owner_user_id=user_id,
|
|
path="archive",
|
|
created_by_user_id=user_id,
|
|
deleted_at=utcnow(),
|
|
metadata_={},
|
|
))
|
|
session.commit()
|
|
transferred = self.client.post(
|
|
"/api/v1/files/transfer",
|
|
headers=headers,
|
|
json={
|
|
"operation": "copy",
|
|
"file_ids": [first_file["id"]],
|
|
"folder_paths": [],
|
|
"source_owner_type": "user",
|
|
"source_owner_id": user_id,
|
|
"target_owner_type": "user",
|
|
"target_owner_id": user_id,
|
|
"target_folder": "archive/2026",
|
|
"conflict_strategy": "reject",
|
|
},
|
|
)
|
|
self.assertEqual(transferred.status_code, 200, transferred.text)
|
|
self.assertEqual(transferred.json()["files"], 1)
|
|
|
|
def test_files_delta_tracks_uploads_folders_and_delete_tombstones(self) -> None:
|
|
headers, login = self._login()
|
|
user_id = login["user"]["id"]
|
|
|
|
full = self.client.get(
|
|
"/api/v1/files/delta",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id},
|
|
)
|
|
self.assertEqual(full.status_code, 200, full.text)
|
|
self.assertTrue(full.json()["full"])
|
|
watermark = full.json()["watermark"]
|
|
|
|
folder = self.client.post(
|
|
"/api/v1/files/folders",
|
|
headers=headers,
|
|
json={"owner_type": "user", "owner_id": user_id, "path": "delta"},
|
|
)
|
|
self.assertEqual(folder.status_code, 200, folder.text)
|
|
uploaded = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={"owner_type": "user", "owner_id": user_id, "path": "delta"},
|
|
files=[("files", ("delta.txt", b"delta payload", "text/plain"))],
|
|
)
|
|
self.assertEqual(uploaded.status_code, 200, uploaded.text)
|
|
file_id = uploaded.json()["files"][0]["id"]
|
|
|
|
delta = self.client.get(
|
|
"/api/v1/files/delta",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id, "since": watermark},
|
|
)
|
|
self.assertEqual(delta.status_code, 200, delta.text)
|
|
delta_payload = delta.json()
|
|
self.assertFalse(delta_payload["full"])
|
|
self.assertEqual({item["id"] for item in delta_payload["files"]}, {file_id})
|
|
self.assertEqual({item["path"] for item in delta_payload["folders"]}, {"delta"})
|
|
self.assertEqual(delta_payload["deleted"], [])
|
|
|
|
deleted = self.client.delete(f"/api/v1/files/{file_id}", headers=headers)
|
|
self.assertEqual(deleted.status_code, 200, deleted.text)
|
|
after_delete = self.client.get(
|
|
"/api/v1/files/delta",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id, "since": delta_payload["watermark"]},
|
|
)
|
|
self.assertEqual(after_delete.status_code, 200, after_delete.text)
|
|
deleted_items = after_delete.json()["deleted"]
|
|
self.assertEqual(len(deleted_items), 1)
|
|
self.assertEqual(deleted_items[0]["id"], file_id)
|
|
self.assertEqual(deleted_items[0]["resource_type"], "file")
|
|
self.assertTrue(str(deleted_items[0]["revision"]).startswith("seq:"))
|
|
|
|
def test_files_and_folders_support_cursor_windows(self) -> None:
|
|
headers, login = self._login()
|
|
user_id = login["user"]["id"]
|
|
|
|
for folder_path in ("cursor-a", "cursor-b", "cursor-c"):
|
|
folder = self.client.post(
|
|
"/api/v1/files/folders",
|
|
headers=headers,
|
|
json={"owner_type": "user", "owner_id": user_id, "path": folder_path},
|
|
)
|
|
self.assertEqual(folder.status_code, 200, folder.text)
|
|
|
|
uploaded = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={"owner_type": "user", "owner_id": user_id, "path": "cursor-a"},
|
|
files=[
|
|
("files", ("a.txt", b"a", "text/plain")),
|
|
("files", ("b.txt", b"b", "text/plain")),
|
|
("files", ("c.txt", b"c", "text/plain")),
|
|
],
|
|
)
|
|
self.assertEqual(uploaded.status_code, 200, uploaded.text)
|
|
|
|
first_files = self.client.get(
|
|
"/api/v1/files",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id, "page_size": 2},
|
|
)
|
|
self.assertEqual(first_files.status_code, 200, first_files.text)
|
|
first_files_payload = first_files.json()
|
|
self.assertEqual(len(first_files_payload["files"]), 2)
|
|
self.assertTrue(first_files_payload["next_cursor"])
|
|
|
|
second_files = self.client.get(
|
|
"/api/v1/files",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id, "cursor": first_files_payload["next_cursor"]},
|
|
)
|
|
self.assertEqual(second_files.status_code, 200, second_files.text)
|
|
self.assertEqual(len(second_files.json()["files"]), 1)
|
|
|
|
mismatched_files = self.client.get(
|
|
"/api/v1/files",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id, "path_prefix": "cursor-b", "cursor": first_files_payload["next_cursor"]},
|
|
)
|
|
self.assertEqual(mismatched_files.status_code, 400, mismatched_files.text)
|
|
|
|
first_folders = self.client.get(
|
|
"/api/v1/files/folders",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id, "page_size": 2},
|
|
)
|
|
self.assertEqual(first_folders.status_code, 200, first_folders.text)
|
|
first_folders_payload = first_folders.json()
|
|
self.assertEqual(len(first_folders_payload["folders"]), 2)
|
|
self.assertTrue(first_folders_payload["next_cursor"])
|
|
|
|
second_folders = self.client.get(
|
|
"/api/v1/files/folders",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id, "cursor": first_folders_payload["next_cursor"]},
|
|
)
|
|
self.assertEqual(second_folders.status_code, 200, second_folders.text)
|
|
self.assertEqual(len(second_folders.json()["folders"]), 1)
|
|
|
|
mismatched_folders = self.client.get(
|
|
"/api/v1/files/folders",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id, "page_size": 3, "cursor": first_folders_payload["next_cursor"]},
|
|
)
|
|
self.assertEqual(mismatched_folders.status_code, 400, mismatched_folders.text)
|
|
|
|
def test_files_delta_reports_active_window_tombstones_for_moves_and_folder_deletes(self) -> None:
|
|
headers, login = self._login()
|
|
user_id = login["user"]["id"]
|
|
|
|
source_folder = self.client.post(
|
|
"/api/v1/files/folders",
|
|
headers=headers,
|
|
json={"owner_type": "user", "owner_id": user_id, "path": "window-source"},
|
|
)
|
|
self.assertEqual(source_folder.status_code, 200, source_folder.text)
|
|
uploaded = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={"owner_type": "user", "owner_id": user_id, "path": "window-source"},
|
|
files=[("files", ("moving.txt", b"moving", "text/plain"))],
|
|
)
|
|
self.assertEqual(uploaded.status_code, 200, uploaded.text)
|
|
moving_file_id = uploaded.json()["files"][0]["id"]
|
|
|
|
source_window = self.client.get(
|
|
"/api/v1/files/delta",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id, "path_prefix": "window-source"},
|
|
)
|
|
self.assertEqual(source_window.status_code, 200, source_window.text)
|
|
moved = self.client.post(
|
|
"/api/v1/files/transfer",
|
|
headers=headers,
|
|
json={
|
|
"operation": "move",
|
|
"file_ids": [moving_file_id],
|
|
"folder_paths": [],
|
|
"source_owner_type": "user",
|
|
"source_owner_id": user_id,
|
|
"target_owner_type": "user",
|
|
"target_owner_id": user_id,
|
|
"target_folder": "window-target",
|
|
"conflict_strategy": "reject",
|
|
},
|
|
)
|
|
self.assertEqual(moved.status_code, 200, moved.text)
|
|
|
|
after_move = self.client.get(
|
|
"/api/v1/files/delta",
|
|
headers=headers,
|
|
params={
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"path_prefix": "window-source",
|
|
"since": source_window.json()["watermark"],
|
|
},
|
|
)
|
|
self.assertEqual(after_move.status_code, 200, after_move.text)
|
|
move_deleted = after_move.json()["deleted"]
|
|
self.assertIn(moving_file_id, {item["id"] for item in move_deleted if item["resource_type"] == "file"})
|
|
self.assertEqual(after_move.json()["files"], [])
|
|
|
|
delete_root = self.client.post(
|
|
"/api/v1/files/folders",
|
|
headers=headers,
|
|
json={"owner_type": "user", "owner_id": user_id, "path": "window-delete"},
|
|
)
|
|
self.assertEqual(delete_root.status_code, 200, delete_root.text)
|
|
nested = self.client.post(
|
|
"/api/v1/files/folders",
|
|
headers=headers,
|
|
json={"owner_type": "user", "owner_id": user_id, "path": "window-delete/nested"},
|
|
)
|
|
self.assertEqual(nested.status_code, 200, nested.text)
|
|
uploaded_nested = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={"owner_type": "user", "owner_id": user_id, "path": "window-delete/nested"},
|
|
files=[("files", ("deleted.txt", b"deleted", "text/plain"))],
|
|
)
|
|
self.assertEqual(uploaded_nested.status_code, 200, uploaded_nested.text)
|
|
nested_file_id = uploaded_nested.json()["files"][0]["id"]
|
|
delete_window = self.client.get(
|
|
"/api/v1/files/delta",
|
|
headers=headers,
|
|
params={"owner_type": "user", "owner_id": user_id, "path_prefix": "window-delete"},
|
|
)
|
|
self.assertEqual(delete_window.status_code, 200, delete_window.text)
|
|
|
|
deleted_folder = self.client.post(
|
|
"/api/v1/files/folders/delete",
|
|
headers=headers,
|
|
json={"owner_type": "user", "owner_id": user_id, "path": "window-delete", "recursive": True},
|
|
)
|
|
self.assertEqual(deleted_folder.status_code, 200, deleted_folder.text)
|
|
after_folder_delete = self.client.get(
|
|
"/api/v1/files/delta",
|
|
headers=headers,
|
|
params={
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"path_prefix": "window-delete",
|
|
"since": delete_window.json()["watermark"],
|
|
},
|
|
)
|
|
self.assertEqual(after_folder_delete.status_code, 200, after_folder_delete.text)
|
|
folder_delete_items = after_folder_delete.json()["deleted"]
|
|
self.assertIn(delete_root.json()["id"], {item["id"] for item in folder_delete_items if item["resource_type"] == "folder"})
|
|
self.assertIn(nested_file_id, {item["id"] for item in folder_delete_items if item["resource_type"] == "file"})
|
|
|
|
def test_files_delta_omits_private_tombstones_from_broad_reader_feed(self) -> None:
|
|
owner_headers, owner_login = self._login()
|
|
owner_id = owner_login["user"]["id"]
|
|
|
|
uploaded = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=owner_headers,
|
|
data={"owner_type": "user", "owner_id": owner_id, "path": "private"},
|
|
files=[("files", ("private-delta.txt", b"private delta", "text/plain"))],
|
|
)
|
|
self.assertEqual(uploaded.status_code, 200, uploaded.text)
|
|
file_id = uploaded.json()["files"][0]["id"]
|
|
|
|
reader_role = self._create_role(
|
|
owner_headers,
|
|
slug="delta-broad-reader",
|
|
permissions=["files:read"],
|
|
)
|
|
self._create_user(
|
|
owner_headers,
|
|
email="delta-broad-reader@example.local",
|
|
password="delta-broad-reader-password",
|
|
role_ids=[str(reader_role["id"])],
|
|
)
|
|
reader_headers, _ = self._login_as(
|
|
email="delta-broad-reader@example.local",
|
|
password="delta-broad-reader-password",
|
|
)
|
|
|
|
full = self.client.get("/api/v1/files/delta", headers=reader_headers)
|
|
self.assertEqual(full.status_code, 200, full.text)
|
|
full_payload = full.json()
|
|
self.assertTrue(full_payload["full"])
|
|
self.assertNotIn(file_id, {item["id"] for item in full_payload["files"]})
|
|
|
|
deleted = self.client.delete(f"/api/v1/files/{file_id}", headers=owner_headers)
|
|
self.assertEqual(deleted.status_code, 200, deleted.text)
|
|
|
|
incremental = self.client.get(
|
|
"/api/v1/files/delta",
|
|
headers=reader_headers,
|
|
params={"since": full_payload["watermark"]},
|
|
)
|
|
self.assertEqual(incremental.status_code, 200, incremental.text)
|
|
incremental_payload = incremental.json()
|
|
self.assertFalse(incremental_payload["full"])
|
|
self.assertNotIn(file_id, {item["id"] for item in incremental_payload["files"]})
|
|
self.assertNotIn(file_id, {item["id"] for item in incremental_payload["deleted"]})
|
|
|
|
def test_calendar_event_window_delta_tracks_moves_deletes_and_stale_watermarks(self) -> None:
|
|
headers, _ = self._login()
|
|
calendars = self.client.get("/api/v1/calendar/calendars", headers=headers)
|
|
self.assertEqual(calendars.status_code, 200, calendars.text)
|
|
if calendars.json()["calendars"]:
|
|
calendar_id = calendars.json()["calendars"][0]["id"]
|
|
else:
|
|
created_calendar = self.client.post(
|
|
"/api/v1/calendar/calendars",
|
|
headers=headers,
|
|
json={"name": "Delta calendar", "slug": "delta-calendar", "is_default": True},
|
|
)
|
|
self.assertEqual(created_calendar.status_code, 201, created_calendar.text)
|
|
calendar_id = created_calendar.json()["id"]
|
|
|
|
window_start = "2030-01-01T00:00:00+00:00"
|
|
window_end = "2030-01-31T23:59:59+00:00"
|
|
initial = self.client.get(
|
|
"/api/v1/calendar/events/delta",
|
|
headers=headers,
|
|
params={"calendar_id": calendar_id, "start_at": window_start, "end_at": window_end},
|
|
)
|
|
self.assertEqual(initial.status_code, 200, initial.text)
|
|
initial_payload = initial.json()
|
|
self.assertTrue(initial_payload["full"])
|
|
|
|
created = self.client.post(
|
|
"/api/v1/calendar/events",
|
|
headers=headers,
|
|
json={
|
|
"calendar_id": calendar_id,
|
|
"summary": "Window delta",
|
|
"start_at": "2030-01-10T10:00:00+00:00",
|
|
"end_at": "2030-01-10T11:00:00+00:00",
|
|
},
|
|
)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
event_id = created.json()["id"]
|
|
|
|
created_delta = self.client.get(
|
|
"/api/v1/calendar/events/delta",
|
|
headers=headers,
|
|
params={"calendar_id": calendar_id, "start_at": window_start, "end_at": window_end, "since": initial_payload["watermark"]},
|
|
)
|
|
self.assertEqual(created_delta.status_code, 200, created_delta.text)
|
|
created_delta_payload = created_delta.json()
|
|
self.assertFalse(created_delta_payload["full"])
|
|
self.assertIn(event_id, {item["id"] for item in created_delta_payload["events"]})
|
|
|
|
moved = self.client.patch(
|
|
f"/api/v1/calendar/events/{event_id}",
|
|
headers=headers,
|
|
json={"start_at": "2030-03-01T10:00:00+00:00", "end_at": "2030-03-01T11:00:00+00:00"},
|
|
)
|
|
self.assertEqual(moved.status_code, 200, moved.text)
|
|
moved_delta = self.client.get(
|
|
"/api/v1/calendar/events/delta",
|
|
headers=headers,
|
|
params={"calendar_id": calendar_id, "start_at": window_start, "end_at": window_end, "since": created_delta_payload["watermark"]},
|
|
)
|
|
self.assertEqual(moved_delta.status_code, 200, moved_delta.text)
|
|
moved_delta_payload = moved_delta.json()
|
|
self.assertFalse(moved_delta_payload["full"])
|
|
self.assertTrue(any(item["id"] == event_id and item["resource_type"] == "calendar_event" for item in moved_delta_payload["deleted"]))
|
|
self.assertNotIn(event_id, {item["id"] for item in moved_delta_payload["events"]})
|
|
|
|
visible = self.client.post(
|
|
"/api/v1/calendar/events",
|
|
headers=headers,
|
|
json={
|
|
"calendar_id": calendar_id,
|
|
"summary": "Delete delta",
|
|
"start_at": "2030-01-12T10:00:00+00:00",
|
|
"end_at": "2030-01-12T11:00:00+00:00",
|
|
},
|
|
)
|
|
self.assertEqual(visible.status_code, 201, visible.text)
|
|
visible_id = visible.json()["id"]
|
|
visible_delta = self.client.get(
|
|
"/api/v1/calendar/events/delta",
|
|
headers=headers,
|
|
params={"calendar_id": calendar_id, "start_at": window_start, "end_at": window_end, "since": moved_delta_payload["watermark"]},
|
|
)
|
|
self.assertEqual(visible_delta.status_code, 200, visible_delta.text)
|
|
self.assertIn(visible_id, {item["id"] for item in visible_delta.json()["events"]})
|
|
|
|
deleted = self.client.delete(f"/api/v1/calendar/events/{visible_id}", headers=headers)
|
|
self.assertEqual(deleted.status_code, 204, deleted.text)
|
|
deleted_delta = self.client.get(
|
|
"/api/v1/calendar/events/delta",
|
|
headers=headers,
|
|
params={"calendar_id": calendar_id, "start_at": window_start, "end_at": window_end, "since": visible_delta.json()["watermark"]},
|
|
)
|
|
self.assertEqual(deleted_delta.status_code, 200, deleted_delta.text)
|
|
deleted_delta_payload = deleted_delta.json()
|
|
self.assertTrue(any(item["id"] == visible_id and item["resource_type"] == "calendar_event" for item in deleted_delta_payload["deleted"]))
|
|
|
|
with SessionLocal() as session:
|
|
prune_sequence_entries(
|
|
session,
|
|
before_or_equal_id=decode_sequence_watermark(deleted_delta_payload["watermark"]),
|
|
tenant_id=created.json()["tenant_id"],
|
|
module_id="calendar",
|
|
collections=("calendar.events",),
|
|
)
|
|
session.commit()
|
|
|
|
stale = self.client.get(
|
|
"/api/v1/calendar/events/delta",
|
|
headers=headers,
|
|
params={"calendar_id": calendar_id, "start_at": window_start, "end_at": window_end, "since": initial_payload["watermark"]},
|
|
)
|
|
self.assertEqual(stale.status_code, 200, stale.text)
|
|
self.assertTrue(stale.json()["full"])
|
|
|
|
def test_file_connector_settings_delta_tracks_credentials_profiles_and_policy(self) -> None:
|
|
headers, _login = self._login()
|
|
full = self.client.get(
|
|
"/api/v1/files/connectors/settings/delta",
|
|
headers=headers,
|
|
params={"scope_type": "tenant", "include_disabled": "true"},
|
|
)
|
|
self.assertEqual(full.status_code, 200, full.text)
|
|
full_payload = full.json()
|
|
self.assertTrue(full_payload["full"])
|
|
|
|
credential = self.client.post(
|
|
"/api/v1/files/connectors/credentials",
|
|
headers=headers,
|
|
json={
|
|
"id": "delta-webdav-credentials",
|
|
"label": "Delta WebDAV Credentials",
|
|
"provider": "webdav",
|
|
"scope_type": "tenant",
|
|
"credential_mode": "basic",
|
|
"credentials": {"username": "govoplan", "password": "delta-secret"},
|
|
},
|
|
)
|
|
self.assertEqual(credential.status_code, 201, credential.text)
|
|
|
|
credential_delta = self.client.get(
|
|
"/api/v1/files/connectors/settings/delta",
|
|
headers=headers,
|
|
params={"scope_type": "tenant", "include_disabled": "true", "since": full_payload["watermark"]},
|
|
)
|
|
self.assertEqual(credential_delta.status_code, 200, credential_delta.text)
|
|
credential_delta_payload = credential_delta.json()
|
|
self.assertFalse(credential_delta_payload["full"])
|
|
self.assertIn("credentials", credential_delta_payload["changed_sections"])
|
|
self.assertEqual({item["id"] for item in credential_delta_payload["credentials"]}, {"delta-webdav-credentials"})
|
|
|
|
profile = self.client.post(
|
|
"/api/v1/files/connectors/profiles",
|
|
headers=headers,
|
|
json={
|
|
"id": "delta-webdav",
|
|
"label": "Delta WebDAV",
|
|
"provider": "webdav",
|
|
"endpoint_url": "http://127.0.0.1:9083",
|
|
"scope_type": "tenant",
|
|
"credential_profile_id": "delta-webdav-credentials",
|
|
"capabilities": ["browse"],
|
|
},
|
|
)
|
|
self.assertEqual(profile.status_code, 201, profile.text)
|
|
|
|
profile_delta = self.client.get(
|
|
"/api/v1/files/connectors/settings/delta",
|
|
headers=headers,
|
|
params={"scope_type": "tenant", "include_disabled": "true", "since": credential_delta_payload["watermark"]},
|
|
)
|
|
self.assertEqual(profile_delta.status_code, 200, profile_delta.text)
|
|
profile_delta_payload = profile_delta.json()
|
|
self.assertFalse(profile_delta_payload["full"])
|
|
self.assertIn("profiles", profile_delta_payload["changed_sections"])
|
|
self.assertEqual({item["id"] for item in profile_delta_payload["profiles"]}, {"delta-webdav"})
|
|
|
|
updated_credential = self.client.patch(
|
|
"/api/v1/files/connectors/credentials/delta-webdav-credentials",
|
|
headers=headers,
|
|
json={"label": "Updated Delta WebDAV Credentials"},
|
|
)
|
|
self.assertEqual(updated_credential.status_code, 200, updated_credential.text)
|
|
|
|
dependency_delta = self.client.get(
|
|
"/api/v1/files/connectors/settings/delta",
|
|
headers=headers,
|
|
params={"scope_type": "tenant", "include_disabled": "true", "since": profile_delta_payload["watermark"]},
|
|
)
|
|
self.assertEqual(dependency_delta.status_code, 200, dependency_delta.text)
|
|
dependency_delta_payload = dependency_delta.json()
|
|
self.assertIn("credentials", dependency_delta_payload["changed_sections"])
|
|
self.assertIn("profiles", dependency_delta_payload["changed_sections"])
|
|
self.assertEqual(dependency_delta_payload["profiles"][0]["credential_profile_label"], "Updated Delta WebDAV Credentials")
|
|
|
|
policy = self.client.put(
|
|
"/api/v1/files/connectors/policies/tenant",
|
|
headers=headers,
|
|
json={"policy": {"deny": {"providers": ["nfs"]}}},
|
|
)
|
|
self.assertEqual(policy.status_code, 200, policy.text)
|
|
policy_delta = self.client.get(
|
|
"/api/v1/files/connectors/settings/delta",
|
|
headers=headers,
|
|
params={"scope_type": "tenant", "include_disabled": "true", "since": dependency_delta_payload["watermark"]},
|
|
)
|
|
self.assertEqual(policy_delta.status_code, 200, policy_delta.text)
|
|
policy_delta_payload = policy_delta.json()
|
|
self.assertFalse(policy_delta_payload["full"])
|
|
self.assertIn("policy", policy_delta_payload["changed_sections"])
|
|
self.assertEqual(policy_delta_payload["policy"]["effective_policy"]["deny"]["providers"], ["nfs"])
|
|
|
|
def test_file_connector_profiles_are_governed_and_redacted(self) -> None:
|
|
headers, login = self._login()
|
|
user_id = str(login["user"]["id"])
|
|
tenant_id = str(login["tenant"]["id"])
|
|
env_keys = [
|
|
"GOVOPLAN_FILES_CONNECTOR_PROFILES_JSON",
|
|
"GOVOPLAN_TEST_SEAFILE_PASSWORD",
|
|
"GOVOPLAN_TEST_NEXTCLOUD_TOKEN",
|
|
"GOVOPLAN_TEST_SMB_PASSWORD",
|
|
]
|
|
previous_env = {key: os.environ.get(key) for key in env_keys}
|
|
try:
|
|
os.environ["GOVOPLAN_TEST_SEAFILE_PASSWORD"] = "super-secret-seafile"
|
|
os.environ["GOVOPLAN_TEST_NEXTCLOUD_TOKEN"] = "super-secret-nextcloud"
|
|
os.environ["GOVOPLAN_TEST_SMB_PASSWORD"] = "super-secret-smb"
|
|
os.environ["GOVOPLAN_FILES_CONNECTOR_PROFILES_JSON"] = json.dumps(
|
|
{
|
|
"profiles": [
|
|
{
|
|
"id": "seafile-dev",
|
|
"label": "Seafile Dev",
|
|
"provider": "seafile",
|
|
"endpoint_url": "http://127.0.0.1:9082",
|
|
"scope_type": "system",
|
|
"credential_mode": "basic",
|
|
"username": "admin@example.local",
|
|
"password_env": "GOVOPLAN_TEST_SEAFILE_PASSWORD",
|
|
"capabilities": ["browse", "import"],
|
|
"metadata": {
|
|
"static_listing": {
|
|
"": [
|
|
{"kind": "library", "name": "Reports", "path": "reports", "external_id": "lib-reports"},
|
|
{"kind": "folder", "name": "Inbox", "path": "inbox"},
|
|
{"kind": "file", "name": "readme.txt", "path": "readme.txt", "size_bytes": 12, "content_type": "text/plain"},
|
|
],
|
|
"inbox": [
|
|
{"kind": "file", "name": "imported.txt", "path": "inbox/imported.txt", "size_bytes": 15, "etag": "etag-1"}
|
|
],
|
|
}
|
|
},
|
|
"policy": {"allow": {"providers": ["seafile"]}, "deny": {"external_paths": ["blocked"]}},
|
|
},
|
|
{
|
|
"id": "tenant-webdav",
|
|
"provider": "webdav",
|
|
"base_url": "http://127.0.0.1:9083",
|
|
"scope_type": "tenant",
|
|
"scope_id": tenant_id,
|
|
"credentials": {
|
|
"type": "basic",
|
|
"username": "govoplan",
|
|
"password_env": "GOVOPLAN_TEST_WEBDAV_PASSWORD",
|
|
},
|
|
},
|
|
{
|
|
"id": "user-nextcloud",
|
|
"provider": "nextcloud",
|
|
"url": "http://127.0.0.1:9081",
|
|
"scope_type": "user",
|
|
"scope_id": user_id,
|
|
"credential_mode": "token",
|
|
"token_env": "GOVOPLAN_TEST_NEXTCLOUD_TOKEN",
|
|
},
|
|
{
|
|
"id": "tenant-smb",
|
|
"provider": "smb",
|
|
"endpoint_url": "smb://127.0.0.1:1445/files/root",
|
|
"scope_type": "tenant",
|
|
"scope_id": tenant_id,
|
|
"credential_mode": "basic",
|
|
"username": "govoplan",
|
|
"password_env": "GOVOPLAN_TEST_SMB_PASSWORD",
|
|
"capabilities": ["browse", "import"],
|
|
"policy": {"allow": {"providers": ["smb"]}},
|
|
},
|
|
{
|
|
"id": "other-tenant-smb",
|
|
"provider": "smb",
|
|
"endpoint_url": "smb://127.0.0.1:1445/files",
|
|
"scope_type": "tenant",
|
|
"scope_id": "other-tenant",
|
|
"credential_mode": "secret_ref",
|
|
"secret_ref": "vault://govoplan/files/smb",
|
|
},
|
|
{
|
|
"id": "disabled-seafile",
|
|
"provider": "seafile",
|
|
"endpoint_url": "http://127.0.0.1:9082",
|
|
"enabled": False,
|
|
},
|
|
]
|
|
}
|
|
)
|
|
|
|
provider_response = self.client.get("/api/v1/files/connectors/providers", headers=headers)
|
|
self.assertEqual(provider_response.status_code, 200, provider_response.text)
|
|
providers = {item["provider"]: item for item in provider_response.json()["providers"]}
|
|
self.assertTrue({"seafile", "nextcloud", "webdav", "smb", "nfs", "local"}.issubset(providers))
|
|
self.assertTrue(providers["seafile"]["implemented"])
|
|
self.assertTrue(providers["seafile"]["browse_supported"])
|
|
self.assertTrue(providers["seafile"]["import_supported"])
|
|
self.assertEqual(providers["smb"]["optional_dependency"], "smbprotocol")
|
|
self.assertTrue(providers["smb"]["implemented"])
|
|
self.assertTrue(providers["smb"]["browse_supported"])
|
|
self.assertTrue(providers["smb"]["import_supported"])
|
|
self.assertIn("files.connector.imported", providers["nextcloud"]["audit_events"])
|
|
self.assertIn("files.connector.synced", providers["nextcloud"]["audit_events"])
|
|
|
|
response = self.client.get("/api/v1/files/connectors/profiles", headers=headers)
|
|
self.assertEqual(response.status_code, 200, response.text)
|
|
profiles = {item["id"]: item for item in response.json()["profiles"]}
|
|
self.assertEqual(set(profiles), {"seafile-dev", "tenant-webdav", "user-nextcloud", "tenant-smb"})
|
|
self.assertTrue(profiles["seafile-dev"]["credentials_configured"])
|
|
self.assertEqual(profiles["seafile-dev"]["credential_source"], "password_env")
|
|
self.assertEqual(profiles["seafile-dev"]["source_path"], "system")
|
|
self.assertEqual(profiles["seafile-dev"]["source_kind"], "settings")
|
|
self.assertEqual(profiles["tenant-webdav"]["source_path"], f"tenant:{tenant_id}")
|
|
self.assertFalse(profiles["tenant-webdav"]["credentials_configured"])
|
|
self.assertEqual(profiles["user-nextcloud"]["source_path"], f"user:{user_id}")
|
|
self.assertEqual(profiles["seafile-dev"]["policy_sources"][0]["policy"]["allow"]["providers"], ["seafile"])
|
|
redacted_payload = json.dumps(response.json()).lower()
|
|
self.assertNotIn("super-secret", redacted_payload)
|
|
self.assertNotIn("govoplan_test_", redacted_payload)
|
|
self.assertNotIn("secret_ref", redacted_payload)
|
|
|
|
system_policy = self.client.get("/api/v1/files/connectors/policies/system", headers=headers)
|
|
self.assertEqual(system_policy.status_code, 200, system_policy.text)
|
|
self.assertEqual(system_policy.json()["scope_type"], "system")
|
|
self.assertEqual(system_policy.json()["scope_id"], None)
|
|
self.assertEqual(system_policy.json()["effective_policy_sources"], [])
|
|
|
|
tenant_policy = self.client.get("/api/v1/files/connectors/policies/tenant", headers=headers)
|
|
self.assertEqual(tenant_policy.status_code, 200, tenant_policy.text)
|
|
self.assertEqual(tenant_policy.json()["scope_type"], "tenant")
|
|
self.assertEqual(tenant_policy.json()["scope_id"], tenant_id)
|
|
self.assertEqual(tenant_policy.json()["parent_policy_sources"], [])
|
|
|
|
locked_system_policy = self.client.put(
|
|
"/api/v1/files/connectors/policies/system",
|
|
headers=headers,
|
|
json={"policy": {"allow_lower_level_limits": {"deny.credentials": False}}},
|
|
)
|
|
self.assertEqual(locked_system_policy.status_code, 200, locked_system_policy.text)
|
|
locked_tenant_policy = self.client.put(
|
|
"/api/v1/files/connectors/policies/tenant",
|
|
headers=headers,
|
|
json={"policy": {"deny": {"credentials": ["forbidden-by-parent"]}}},
|
|
)
|
|
self.assertEqual(locked_tenant_policy.status_code, 400, locked_tenant_policy.text)
|
|
reset_system_policy = self.client.put("/api/v1/files/connectors/policies/system", headers=headers, json={"policy": {}})
|
|
self.assertEqual(reset_system_policy.status_code, 200, reset_system_policy.text)
|
|
|
|
tenant_config_policy = self.client.put(
|
|
"/api/v1/files/connectors/policies/tenant",
|
|
headers=headers,
|
|
json={"policy": {"deny": {"providers": ["nfs"]}}},
|
|
)
|
|
self.assertEqual(tenant_config_policy.status_code, 200, tenant_config_policy.text)
|
|
self.assertEqual(tenant_config_policy.json()["policy"]["deny"]["providers"], ["nfs"])
|
|
denied_profile_create = self.client.post(
|
|
"/api/v1/files/connectors/profiles",
|
|
headers=headers,
|
|
json={
|
|
"id": "denied-nfs",
|
|
"label": "Denied NFS",
|
|
"provider": "nfs",
|
|
"endpoint_url": "nfs://127.0.0.1/export",
|
|
"scope_type": "tenant",
|
|
},
|
|
)
|
|
self.assertEqual(denied_profile_create.status_code, 403, denied_profile_create.text)
|
|
self.assertIn("connector_policy_denylist", denied_profile_create.json()["detail"]["requirements"])
|
|
|
|
central_blocked_credential = self.client.post(
|
|
"/api/v1/files/connectors/credentials",
|
|
headers=headers,
|
|
json={
|
|
"id": "central-blocked-webdav-credentials",
|
|
"label": "Central Blocked WebDAV Credentials",
|
|
"provider": "webdav",
|
|
"scope_type": "tenant",
|
|
"credential_mode": "basic",
|
|
"credentials": {"username": "govoplan", "password": "central-secret-webdav"},
|
|
},
|
|
)
|
|
self.assertEqual(central_blocked_credential.status_code, 201, central_blocked_credential.text)
|
|
central_blocked_profile = self.client.post(
|
|
"/api/v1/files/connectors/profiles",
|
|
headers=headers,
|
|
json={
|
|
"id": "central-blocked-webdav",
|
|
"label": "Central Blocked WebDAV",
|
|
"provider": "webdav",
|
|
"endpoint_url": "http://127.0.0.1:9083",
|
|
"scope_type": "tenant",
|
|
"credential_profile_id": "central-blocked-webdav-credentials",
|
|
"capabilities": ["browse"],
|
|
"metadata": {"static_listing": {"": [{"kind": "file", "name": "central-blocked.txt", "path": "central-blocked.txt"}]}},
|
|
},
|
|
)
|
|
self.assertEqual(central_blocked_profile.status_code, 201, central_blocked_profile.text)
|
|
central_runtime_policy = self.client.put(
|
|
"/api/v1/files/connectors/policies/tenant",
|
|
headers=headers,
|
|
json={"policy": {"deny": {"credentials": ["central-blocked-webdav-credentials"]}}},
|
|
)
|
|
self.assertEqual(central_runtime_policy.status_code, 200, central_runtime_policy.text)
|
|
self.assertEqual(central_runtime_policy.json()["effective_policy"]["deny"]["credentials"], ["central-blocked-webdav-credentials"])
|
|
self.assertEqual(central_runtime_policy.json()["effective_policy_sources"][0]["label"], "Tenant connector policy")
|
|
central_blocked_browse = self.client.get("/api/v1/files/connectors/profiles/central-blocked-webdav/browse", headers=headers)
|
|
self.assertEqual(central_blocked_browse.status_code, 403, central_blocked_browse.text)
|
|
self.assertIn("connector_policy_denylist", central_blocked_browse.json()["detail"]["requirements"])
|
|
self.assertEqual(central_blocked_browse.json()["detail"]["source_path"][0]["label"], "Tenant connector policy")
|
|
|
|
stored_credential = self.client.post(
|
|
"/api/v1/files/connectors/credentials",
|
|
headers=headers,
|
|
json={
|
|
"id": "stored-webdav-credentials",
|
|
"label": "Stored WebDAV Credentials",
|
|
"provider": "webdav",
|
|
"scope_type": "tenant",
|
|
"credential_mode": "basic",
|
|
"credentials": {"username": "govoplan", "password": "stored-secret-webdav"},
|
|
"policy": {"allow": {"credentials": ["stored-webdav-credentials"], "providers": ["webdav"]}},
|
|
},
|
|
)
|
|
self.assertEqual(stored_credential.status_code, 201, stored_credential.text)
|
|
stored_credential_payload = stored_credential.json()
|
|
self.assertEqual(stored_credential_payload["credential_secret_source"], "stored")
|
|
self.assertTrue(stored_credential_payload["credentials_configured"])
|
|
self.assertNotIn("stored-secret-webdav", json.dumps(stored_credential_payload))
|
|
|
|
stored_profile = self.client.post(
|
|
"/api/v1/files/connectors/profiles",
|
|
headers=headers,
|
|
json={
|
|
"id": "stored-webdav",
|
|
"label": "Stored WebDAV",
|
|
"provider": "webdav",
|
|
"endpoint_url": "http://127.0.0.1:9083",
|
|
"scope_type": "tenant",
|
|
"credential_profile_id": "stored-webdav-credentials",
|
|
"credential_mode": "basic",
|
|
"capabilities": ["browse", "import", "sync"],
|
|
"policy": {"allow": {"providers": ["webdav"]}},
|
|
"metadata": {
|
|
"static_listing": {
|
|
"": [
|
|
{"kind": "folder", "name": "GovOPlaN", "path": "GovOPlaN"},
|
|
{"kind": "file", "name": "notice.txt", "path": "notice.txt"},
|
|
]
|
|
}
|
|
},
|
|
},
|
|
)
|
|
self.assertEqual(stored_profile.status_code, 201, stored_profile.text)
|
|
stored_payload = stored_profile.json()
|
|
self.assertEqual(stored_payload["source_kind"], "database")
|
|
self.assertEqual(stored_payload["credential_source"], "credential_profile")
|
|
self.assertEqual(stored_payload["credential_profile_id"], "stored-webdav-credentials")
|
|
self.assertEqual(stored_payload["credential_profile_label"], "Stored WebDAV Credentials")
|
|
self.assertTrue(stored_payload["credentials_configured"])
|
|
self.assertNotIn("stored-secret-webdav", json.dumps(stored_payload))
|
|
|
|
stored_browse = self.client.get("/api/v1/files/connectors/profiles/stored-webdav/browse", headers=headers)
|
|
self.assertEqual(stored_browse.status_code, 200, stored_browse.text)
|
|
self.assertEqual([item["path"] for item in stored_browse.json()["items"]], ["GovOPlaN", "notice.txt"])
|
|
|
|
stored_list = self.client.get("/api/v1/files/connectors/profiles?include_disabled=true", headers=headers)
|
|
self.assertEqual(stored_list.status_code, 200, stored_list.text)
|
|
self.assertIn("stored-webdav", {item["id"] for item in stored_list.json()["profiles"]})
|
|
|
|
disabled_stored = self.client.delete("/api/v1/files/connectors/profiles/stored-webdav", headers=headers)
|
|
self.assertEqual(disabled_stored.status_code, 200, disabled_stored.text)
|
|
self.assertFalse(disabled_stored.json()["enabled"])
|
|
|
|
blocked_credential = self.client.post(
|
|
"/api/v1/files/connectors/credentials",
|
|
headers=headers,
|
|
json={
|
|
"id": "blocked-webdav-credentials",
|
|
"label": "Blocked WebDAV Credentials",
|
|
"provider": "webdav",
|
|
"scope_type": "tenant",
|
|
"credential_mode": "basic",
|
|
"credentials": {"username": "govoplan", "password": "blocked-secret-webdav"},
|
|
"policy": {"deny": {"credentials": ["blocked-webdav-credentials"]}},
|
|
},
|
|
)
|
|
self.assertEqual(blocked_credential.status_code, 201, blocked_credential.text)
|
|
blocked_credential_profile = self.client.post(
|
|
"/api/v1/files/connectors/profiles",
|
|
headers=headers,
|
|
json={
|
|
"id": "blocked-credential-webdav",
|
|
"label": "Blocked Credential WebDAV",
|
|
"provider": "webdav",
|
|
"endpoint_url": "http://127.0.0.1:9083",
|
|
"scope_type": "tenant",
|
|
"credential_profile_id": "blocked-webdav-credentials",
|
|
"capabilities": ["browse"],
|
|
"metadata": {"static_listing": {"": [{"kind": "file", "name": "blocked.txt", "path": "blocked.txt"}]}},
|
|
},
|
|
)
|
|
self.assertEqual(blocked_credential_profile.status_code, 201, blocked_credential_profile.text)
|
|
blocked_credential_browse = self.client.get("/api/v1/files/connectors/profiles/blocked-credential-webdav/browse", headers=headers)
|
|
self.assertEqual(blocked_credential_browse.status_code, 403, blocked_credential_browse.text)
|
|
self.assertIn("connector_policy_denylist", blocked_credential_browse.json()["detail"]["requirements"])
|
|
|
|
browse_root = self.client.get("/api/v1/files/connectors/profiles/seafile-dev/browse", headers=headers)
|
|
self.assertEqual(browse_root.status_code, 200, browse_root.text)
|
|
self.assertTrue(browse_root.json()["read_only"])
|
|
self.assertTrue(browse_root.json()["decision"]["allowed"])
|
|
self.assertEqual([item["kind"] for item in browse_root.json()["items"]], ["library", "folder", "file"])
|
|
self.assertEqual([item["name"] for item in browse_root.json()["items"]], ["Reports", "Inbox", "readme.txt"])
|
|
|
|
browse_folder = self.client.get("/api/v1/files/connectors/profiles/seafile-dev/browse?path=inbox", headers=headers)
|
|
self.assertEqual(browse_folder.status_code, 200, browse_folder.text)
|
|
self.assertEqual(browse_folder.json()["path"], "inbox")
|
|
self.assertEqual(browse_folder.json()["items"][0]["path"], "inbox/imported.txt")
|
|
|
|
browse_denied = self.client.get("/api/v1/files/connectors/profiles/seafile-dev/browse?path=blocked", headers=headers)
|
|
self.assertEqual(browse_denied.status_code, 403, browse_denied.text)
|
|
self.assertIn("connector_policy_denylist", browse_denied.json()["detail"]["requirements"])
|
|
|
|
linked_space = self.client.post(
|
|
"/api/v1/files/connector-spaces",
|
|
headers=headers,
|
|
json={
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"label": "Reports connector",
|
|
"connector_profile_id": "seafile-dev",
|
|
"library_id": "lib-reports",
|
|
"remote_path": "inbox",
|
|
},
|
|
)
|
|
self.assertEqual(linked_space.status_code, 201, linked_space.text)
|
|
linked_space_payload = linked_space.json()
|
|
self.assertEqual(linked_space_payload["label"], "Reports connector")
|
|
self.assertEqual(linked_space_payload["owner_type"], "user")
|
|
self.assertEqual(linked_space_payload["owner_id"], user_id)
|
|
self.assertEqual(linked_space_payload["connector_profile_id"], "seafile-dev")
|
|
self.assertEqual(linked_space_payload["provider"], "seafile")
|
|
self.assertEqual(linked_space_payload["library_id"], "lib-reports")
|
|
self.assertEqual(linked_space_payload["remote_path"], "inbox")
|
|
self.assertEqual(linked_space_payload["sync_mode"], "manual")
|
|
self.assertTrue(linked_space_payload["read_only"])
|
|
|
|
linked_space_list = self.client.get("/api/v1/files/connector-spaces", headers=headers)
|
|
self.assertEqual(linked_space_list.status_code, 200, linked_space_list.text)
|
|
self.assertEqual([item["id"] for item in linked_space_list.json()["spaces"]], [linked_space_payload["id"]])
|
|
|
|
all_spaces = self.client.get("/api/v1/files/spaces", headers=headers)
|
|
self.assertEqual(all_spaces.status_code, 200, all_spaces.text)
|
|
connector_space_entry = next(item for item in all_spaces.json()["spaces"] if item.get("connector_space_id") == linked_space_payload["id"])
|
|
self.assertEqual(connector_space_entry["id"], f"connector:{linked_space_payload['id']}")
|
|
self.assertEqual(connector_space_entry["space_type"], "connector")
|
|
self.assertEqual(connector_space_entry["connector_profile_id"], "seafile-dev")
|
|
self.assertEqual(connector_space_entry["remote_path"], "inbox")
|
|
|
|
blocked_space = self.client.post(
|
|
"/api/v1/files/connector-spaces",
|
|
headers=headers,
|
|
json={
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"label": "Blocked connector",
|
|
"connector_profile_id": "seafile-dev",
|
|
"library_id": "lib-reports",
|
|
"remote_path": "blocked",
|
|
},
|
|
)
|
|
self.assertEqual(blocked_space.status_code, 403, blocked_space.text)
|
|
self.assertIn("connector_policy_denylist", blocked_space.json()["detail"]["requirements"])
|
|
|
|
updated_space = self.client.patch(
|
|
f"/api/v1/files/connector-spaces/{linked_space_payload['id']}",
|
|
headers=headers,
|
|
json={"label": "Reports inbox"},
|
|
)
|
|
self.assertEqual(updated_space.status_code, 200, updated_space.text)
|
|
self.assertEqual(updated_space.json()["label"], "Reports inbox")
|
|
|
|
blocked_update = self.client.patch(
|
|
f"/api/v1/files/connector-spaces/{linked_space_payload['id']}",
|
|
headers=headers,
|
|
json={"remote_path": "blocked"},
|
|
)
|
|
self.assertEqual(blocked_update.status_code, 403, blocked_update.text)
|
|
self.assertIn("connector_policy_denylist", blocked_update.json()["detail"]["requirements"])
|
|
|
|
deleted_space = self.client.delete(f"/api/v1/files/connector-spaces/{linked_space_payload['id']}", headers=headers)
|
|
self.assertEqual(deleted_space.status_code, 200, deleted_space.text)
|
|
self.assertFalse(deleted_space.json()["is_active"])
|
|
self.assertIsNotNone(deleted_space.json()["deleted_at"])
|
|
|
|
import httpx
|
|
|
|
def seafile_request(method: str, url: str, **kwargs):
|
|
request = httpx.Request(method, url)
|
|
params = kwargs.get("params") or {}
|
|
if url == "http://127.0.0.1:9082/api2/auth-token/":
|
|
return httpx.Response(200, json={"token": "token-1"}, request=request)
|
|
if url == "http://127.0.0.1:9082/api2/repos/repo-1/file/detail/":
|
|
self.assertEqual(params.get("p"), "/reports/summary.txt")
|
|
self.assertEqual(kwargs.get("headers", {}).get("Authorization"), "Token token-1")
|
|
return httpx.Response(
|
|
200,
|
|
json={
|
|
"id": "file-1",
|
|
"name": "summary.txt",
|
|
"size": 14,
|
|
"type": "file",
|
|
"mtime": 1783425600,
|
|
"permission": "r",
|
|
},
|
|
request=request,
|
|
)
|
|
if url == "http://127.0.0.1:9082/api2/repos/repo-1/file/":
|
|
self.assertEqual(params, {"p": "/reports/summary.txt", "reuse": "1"})
|
|
return httpx.Response(200, json="https://download.example.invalid/summary.txt", request=request)
|
|
if url == "https://download.example.invalid/summary.txt":
|
|
return httpx.Response(200, content=b"summary report", headers={"content-type": "text/plain"}, request=request)
|
|
return httpx.Response(404, request=request)
|
|
|
|
with patch("govoplan_files.backend.storage.connector_browse.httpx.request", side_effect=seafile_request), patch("govoplan_files.backend.storage.connector_imports.httpx.request", side_effect=seafile_request):
|
|
imported = self.client.post(
|
|
"/api/v1/files/connectors/profiles/seafile-dev/import",
|
|
headers=headers,
|
|
json={
|
|
"library_id": "repo-1",
|
|
"path": "reports/summary.txt",
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"target_folder": "imports",
|
|
"metadata": {"case_type": "application"},
|
|
},
|
|
)
|
|
self.assertEqual(imported.status_code, 200, imported.text)
|
|
imported_file = imported.json()["files"][0]
|
|
self.assertEqual(imported_file["display_path"], "imports/summary.txt")
|
|
self.assertEqual(imported_file["source_revision"], "file-1")
|
|
self.assertEqual(imported_file["source_provenance"]["connector_id"], "seafile-dev")
|
|
self.assertEqual(imported_file["source_provenance"]["provider"], "seafile")
|
|
self.assertEqual(imported_file["source_provenance"]["external_id"], "repo-1:reports/summary.txt")
|
|
self.assertEqual(imported_file["source_provenance"]["external_path"], "reports/summary.txt")
|
|
self.assertEqual(imported_file["source_provenance"]["metadata"]["library_id"], "repo-1")
|
|
self.assertEqual(imported_file["source_provenance"]["metadata"]["case_type"], "application")
|
|
|
|
webdav_payload = {"content": b"nextcloud notice", "etag": "\"nextcloud-etag-2\""}
|
|
|
|
def webdav_request(method: str, url: str, **kwargs):
|
|
request = httpx.Request(method, url)
|
|
self.assertEqual(method, "GET")
|
|
self.assertEqual(url, "http://127.0.0.1:9081/Shared/notice.txt")
|
|
self.assertEqual(kwargs.get("headers", {}).get("Authorization"), "Bearer super-secret-nextcloud")
|
|
return httpx.Response(
|
|
200,
|
|
content=webdav_payload["content"],
|
|
headers={"content-type": "text/plain", "etag": webdav_payload["etag"], "content-length": str(len(webdav_payload["content"]))},
|
|
request=request,
|
|
)
|
|
|
|
with patch("govoplan_files.backend.storage.connector_imports.httpx.request", side_effect=webdav_request):
|
|
nextcloud_import = self.client.post(
|
|
"/api/v1/files/connectors/profiles/user-nextcloud/import",
|
|
headers=headers,
|
|
json={
|
|
"library_id": "",
|
|
"path": "Shared/notice.txt",
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"target_folder": "imports",
|
|
},
|
|
)
|
|
self.assertEqual(nextcloud_import.status_code, 200, nextcloud_import.text)
|
|
nextcloud_file = nextcloud_import.json()["files"][0]
|
|
self.assertEqual(nextcloud_file["display_path"], "imports/notice.txt")
|
|
self.assertEqual(nextcloud_file["source_revision"], "\"nextcloud-etag-2\"")
|
|
self.assertEqual(nextcloud_file["source_provenance"]["provider"], "nextcloud")
|
|
self.assertEqual(nextcloud_file["source_provenance"]["external_path"], "Shared/notice.txt")
|
|
self.assertEqual(nextcloud_file["source_provenance"]["external_id"], "Shared/notice.txt")
|
|
|
|
webdav_payload["content"] = b"nextcloud notice updated"
|
|
webdav_payload["etag"] = "\"nextcloud-etag-3\""
|
|
with patch("govoplan_files.backend.storage.connector_imports.httpx.request", side_effect=webdav_request):
|
|
nextcloud_sync = self.client.post(
|
|
"/api/v1/files/connectors/profiles/user-nextcloud/sync",
|
|
headers=headers,
|
|
json={
|
|
"library_id": "",
|
|
"path": "Shared/notice.txt",
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"target_folder": "imports",
|
|
"conflict_strategy": "rename",
|
|
},
|
|
)
|
|
self.assertEqual(nextcloud_sync.status_code, 200, nextcloud_sync.text)
|
|
synced = nextcloud_sync.json()
|
|
self.assertEqual(synced["action"], "updated")
|
|
self.assertEqual(synced["file"]["id"], nextcloud_file["id"])
|
|
self.assertEqual(synced["previous_version_id"], nextcloud_file["version_id"])
|
|
self.assertNotEqual(synced["current_version_id"], nextcloud_file["version_id"])
|
|
self.assertEqual(synced["file"]["source_revision"], "\"nextcloud-etag-3\"")
|
|
self.assertEqual(synced["file"]["size_bytes"], len(webdav_payload["content"]))
|
|
|
|
with patch("govoplan_files.backend.storage.connector_imports.httpx.request", side_effect=webdav_request):
|
|
nextcloud_sync_unchanged = self.client.post(
|
|
"/api/v1/files/connectors/profiles/user-nextcloud/sync",
|
|
headers=headers,
|
|
json={
|
|
"library_id": "",
|
|
"path": "Shared/notice.txt",
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"target_folder": "imports",
|
|
"conflict_strategy": "rename",
|
|
},
|
|
)
|
|
self.assertEqual(nextcloud_sync_unchanged.status_code, 200, nextcloud_sync_unchanged.text)
|
|
unchanged = nextcloud_sync_unchanged.json()
|
|
self.assertEqual(unchanged["action"], "unchanged")
|
|
self.assertEqual(unchanged["file"]["id"], nextcloud_file["id"])
|
|
self.assertEqual(unchanged["current_version_id"], synced["current_version_id"])
|
|
|
|
case = self
|
|
|
|
class _FakeSmbStat:
|
|
st_size = 18
|
|
st_mtime = 1783425600
|
|
st_mtime_ns = 1783425600000000000
|
|
|
|
class _FakeSmbEntry:
|
|
def __init__(self, name: str, is_dir: bool, size: int = 18) -> None:
|
|
self.name = name
|
|
self._is_dir = is_dir
|
|
self._stat = _FakeSmbStat()
|
|
self._stat.st_size = size
|
|
|
|
def is_dir(self) -> bool:
|
|
return self._is_dir
|
|
|
|
def stat(self):
|
|
return self._stat
|
|
|
|
class _FakeSmbScandir:
|
|
def __enter__(self):
|
|
return iter([
|
|
_FakeSmbEntry("Archive", True, 0),
|
|
_FakeSmbEntry("smb-notice.txt", False, 18),
|
|
])
|
|
|
|
def __exit__(self, exc_type, exc, traceback):
|
|
return False
|
|
|
|
class _FakeSmbFile:
|
|
def __enter__(self):
|
|
return self
|
|
|
|
def __exit__(self, exc_type, exc, traceback):
|
|
return False
|
|
|
|
def read(self, size: int) -> bytes:
|
|
case.assertGreater(size, 18)
|
|
return b"smb connector data"
|
|
|
|
class _FakeSmbClient:
|
|
def scandir(self, path: str, **kwargs):
|
|
case.assertEqual(path, r"\\127.0.0.1\files\root\shared")
|
|
case.assertEqual(kwargs["port"], 1445)
|
|
case.assertEqual(kwargs["username"], "govoplan")
|
|
case.assertEqual(kwargs["password"], "super-secret-smb")
|
|
case.assertTrue(kwargs["require_signing"])
|
|
return _FakeSmbScandir()
|
|
|
|
def stat(self, path: str, **kwargs):
|
|
case.assertEqual(path, r"\\127.0.0.1\files\root\shared\smb-notice.txt")
|
|
case.assertEqual(kwargs["port"], 1445)
|
|
return _FakeSmbStat()
|
|
|
|
def open_file(self, path: str, mode: str, **kwargs):
|
|
case.assertEqual(path, r"\\127.0.0.1\files\root\shared\smb-notice.txt")
|
|
case.assertEqual(mode, "rb")
|
|
case.assertEqual(kwargs["password"], "super-secret-smb")
|
|
return _FakeSmbFile()
|
|
|
|
fake_smb = _FakeSmbClient()
|
|
with patch("govoplan_files.backend.storage.connector_browse._smbclient_module", return_value=fake_smb):
|
|
smb_browse = self.client.get("/api/v1/files/connectors/profiles/tenant-smb/browse?path=shared", headers=headers)
|
|
self.assertEqual(smb_browse.status_code, 200, smb_browse.text)
|
|
self.assertEqual([(item["kind"], item["path"]) for item in smb_browse.json()["items"]], [("folder", "shared/Archive"), ("file", "shared/smb-notice.txt")])
|
|
|
|
with patch("govoplan_files.backend.storage.connector_imports._smbclient_module", return_value=fake_smb):
|
|
smb_import = self.client.post(
|
|
"/api/v1/files/connectors/profiles/tenant-smb/import",
|
|
headers=headers,
|
|
json={
|
|
"library_id": "",
|
|
"path": "shared/smb-notice.txt",
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"target_folder": "imports",
|
|
},
|
|
)
|
|
self.assertEqual(smb_import.status_code, 200, smb_import.text)
|
|
smb_file = smb_import.json()["files"][0]
|
|
self.assertEqual(smb_file["display_path"], "imports/smb-notice.txt")
|
|
self.assertEqual(smb_file["source_provenance"]["provider"], "smb")
|
|
self.assertEqual(smb_file["source_provenance"]["external_id"], "files:shared/smb-notice.txt")
|
|
self.assertEqual(smb_file["source_provenance"]["metadata"]["share"], "files")
|
|
|
|
filtered = self.client.get("/api/v1/files/connectors/profiles?provider=smb", headers=headers)
|
|
self.assertEqual(filtered.status_code, 200, filtered.text)
|
|
self.assertEqual([item["id"] for item in filtered.json()["profiles"]], ["tenant-smb"])
|
|
|
|
hidden = self.client.get("/api/v1/files/connectors/profiles/other-tenant-smb", headers=headers)
|
|
self.assertEqual(hidden.status_code, 404, hidden.text)
|
|
hidden_browse = self.client.get("/api/v1/files/connectors/profiles/other-tenant-smb/browse", headers=headers)
|
|
self.assertEqual(hidden_browse.status_code, 404, hidden_browse.text)
|
|
|
|
disabled = self.client.get("/api/v1/files/connectors/profiles?include_disabled=true", headers=headers)
|
|
self.assertEqual(disabled.status_code, 200, disabled.text)
|
|
self.assertIn("disabled-seafile", {item["id"] for item in disabled.json()["profiles"]})
|
|
|
|
from govoplan_files.backend.storage.connector_browse import (
|
|
parse_webdav_multistatus,
|
|
seafile_directory_items_from_payload,
|
|
seafile_libraries_from_payload,
|
|
)
|
|
|
|
webdav_items = parse_webdav_multistatus(
|
|
root_url="http://example.test/remote.php/dav/files/admin/",
|
|
current_path="reports",
|
|
payload="""<?xml version="1.0"?>
|
|
<d:multistatus xmlns:d="DAV:">
|
|
<d:response>
|
|
<d:href>/remote.php/dav/files/admin/reports/</d:href>
|
|
<d:propstat><d:prop><d:displayname>reports</d:displayname><d:resourcetype><d:collection /></d:resourcetype></d:prop></d:propstat>
|
|
</d:response>
|
|
<d:response>
|
|
<d:href>/remote.php/dav/files/admin/reports/summary.pdf</d:href>
|
|
<d:propstat><d:prop><d:displayname>summary.pdf</d:displayname><d:getcontentlength>42</d:getcontentlength><d:getcontenttype>application/pdf</d:getcontenttype><d:getetag>"abc"</d:getetag></d:prop></d:propstat>
|
|
</d:response>
|
|
</d:multistatus>""",
|
|
)
|
|
self.assertEqual([(item.kind, item.path, item.size_bytes) for item in webdav_items], [("file", "reports/summary.pdf", 42)])
|
|
seafile_libraries = seafile_libraries_from_payload([
|
|
{
|
|
"id": "repo-1",
|
|
"name": "Reports",
|
|
"size": 1024,
|
|
"mtime": 1783425600,
|
|
"permission": "r",
|
|
"encrypted": False,
|
|
"type": "repo",
|
|
}
|
|
])
|
|
self.assertEqual(seafile_libraries[0].to_response()["kind"], "library")
|
|
self.assertEqual(seafile_libraries[0].to_response()["path"], "repo-1")
|
|
self.assertEqual(seafile_libraries[0].to_response()["metadata"]["permission"], "r")
|
|
seafile_entries = seafile_directory_items_from_payload(
|
|
[
|
|
{"type": "dir", "name": "Inbox", "id": "dir-1", "mtime": 1783425600},
|
|
{"type": "file", "name": "summary.pdf", "id": "file-1", "size": 42, "mtime": 1783425601},
|
|
],
|
|
path="reports",
|
|
)
|
|
self.assertEqual([(item.kind, item.path, item.size_bytes) for item in seafile_entries], [("folder", "reports/Inbox", None), ("file", "reports/summary.pdf", 42)])
|
|
finally:
|
|
for key, value in previous_env.items():
|
|
if value is None:
|
|
os.environ.pop(key, None)
|
|
else:
|
|
os.environ[key] = value
|
|
|
|
def test_access_configuration_provider_round_trips_roles_groups_and_assignments(self) -> None:
|
|
headers, login = self._login()
|
|
tenant_id = str(login["tenant"]["id"])
|
|
|
|
from govoplan_access.backend.configuration_provider import SqlAccessConfigurationProvider
|
|
from govoplan_access.backend.db.models import Group, GroupRoleAssignment, Role
|
|
from govoplan_core.core.configuration_packages import (
|
|
CONFIGURATION_PROVIDER_CAPABILITY,
|
|
ConfigurationExportSelection,
|
|
ConfigurationPreflightContext,
|
|
apply_configuration_package,
|
|
dry_run_configuration_package,
|
|
export_configuration_package,
|
|
)
|
|
|
|
provider = SqlAccessConfigurationProvider()
|
|
package = {
|
|
"package_id": "govoplan.access.test",
|
|
"name": "Access test package",
|
|
"version": "1.0.0",
|
|
"required_modules": [{"module_id": "access"}],
|
|
"required_capabilities": [CONFIGURATION_PROVIDER_CAPABILITY, "access.configuration"],
|
|
"fragments": [
|
|
{
|
|
"module_id": "access",
|
|
"fragment_type": "roles",
|
|
"payload": {
|
|
"items": [
|
|
{
|
|
"slug": "application-clerk",
|
|
"name": "Application clerk",
|
|
"description": "Handles applications.",
|
|
"permissions": ["admin:users:read"],
|
|
}
|
|
]
|
|
},
|
|
},
|
|
{
|
|
"module_id": "access",
|
|
"fragment_type": "groups",
|
|
"payload": {"items": [{"slug": "front-office", "name": "Front office"}]},
|
|
},
|
|
{
|
|
"module_id": "access",
|
|
"fragment_type": "group_role_assignments",
|
|
"payload": {"items": [{"group": "front-office", "role": "application-clerk"}]},
|
|
},
|
|
],
|
|
}
|
|
context = ConfigurationPreflightContext(
|
|
tenant_id=tenant_id,
|
|
installed_modules={"access": "0.1.6"},
|
|
capabilities=frozenset({CONFIGURATION_PROVIDER_CAPABILITY, "access.configuration"}),
|
|
)
|
|
|
|
dry_run = dry_run_configuration_package(package, [provider], context)
|
|
self.assertFalse([item for item in dry_run.diagnostics if item.severity == "blocker"], [item.to_dict() for item in dry_run.diagnostics])
|
|
self.assertEqual([item.action for item in dry_run.plan], ["create", "create", "bind"])
|
|
|
|
applied = apply_configuration_package(package, [provider], context)
|
|
self.assertFalse([item for item in applied.diagnostics if item.severity == "blocker"], [item.to_dict() for item in applied.diagnostics])
|
|
self.assertIn("application-clerk", applied.created_refs)
|
|
self.assertIn("front-office", applied.created_refs)
|
|
self.assertIn("front-office:application-clerk", applied.created_refs)
|
|
|
|
with SessionLocal() as session:
|
|
role = session.query(Role).filter(Role.tenant_id == tenant_id, Role.slug == "application-clerk").one()
|
|
group = session.query(Group).filter(Group.tenant_id == tenant_id, Group.slug == "front-office").one()
|
|
assignment = session.query(GroupRoleAssignment).filter(GroupRoleAssignment.tenant_id == tenant_id, GroupRoleAssignment.group_id == group.id, GroupRoleAssignment.role_id == role.id).one_or_none()
|
|
self.assertIsNotNone(assignment)
|
|
self.assertEqual(role.permissions, ["admin:users:read"])
|
|
|
|
repeat = apply_configuration_package(package, [provider], context)
|
|
self.assertIn("application-clerk", repeat.updated_refs)
|
|
self.assertNotIn("front-office:application-clerk", repeat.created_refs)
|
|
|
|
exported = export_configuration_package([provider], ConfigurationExportSelection(tenant_id=tenant_id, module_ids=("access",)), context)
|
|
fragments = {fragment.fragment_type: fragment for fragment in exported.fragments}
|
|
self.assertIn("application-clerk", {item["slug"] for item in fragments["roles"].payload["items"]})
|
|
self.assertIn("front-office", {item["slug"] for item in fragments["groups"].payload["items"]})
|
|
self.assertIn({"group": "front-office", "role": "application-clerk"}, fragments["group_role_assignments"].payload["items"])
|
|
|
|
endpoint_package = {
|
|
**package,
|
|
"package_id": "govoplan.access.endpoint-test",
|
|
"fragments": [
|
|
{
|
|
"module_id": "access",
|
|
"fragment_type": "roles",
|
|
"payload": {"items": [{"slug": "application-reviewer", "name": "Application reviewer", "permissions": ["admin:users:read"]}]},
|
|
},
|
|
{
|
|
"module_id": "access",
|
|
"fragment_type": "groups",
|
|
"payload": {"items": [{"slug": "review-board", "name": "Review board"}]},
|
|
},
|
|
{
|
|
"module_id": "access",
|
|
"fragment_type": "group_role_assignments",
|
|
"payload": {"items": [{"group": "review-board", "role": "application-reviewer"}]},
|
|
},
|
|
],
|
|
}
|
|
catalog = self.client.get("/api/v1/admin/configuration-packages/catalog", headers=headers)
|
|
self.assertEqual(catalog.status_code, 200, catalog.text)
|
|
self.assertIn("valid", catalog.json()["validation"])
|
|
|
|
endpoint_dry_run = self.client.post(
|
|
"/api/v1/admin/configuration-packages/dry-run",
|
|
headers=headers,
|
|
json={"tenant_id": tenant_id, "package": endpoint_package},
|
|
)
|
|
self.assertEqual(endpoint_dry_run.status_code, 200, endpoint_dry_run.text)
|
|
self.assertEqual([item["action"] for item in endpoint_dry_run.json()["plan"]], ["create", "create", "bind"])
|
|
|
|
settings_response = self.client.get("/api/v1/admin/system/settings", headers=headers)
|
|
self.assertEqual(settings_response.status_code, 200, settings_response.text)
|
|
maintenance_enabled = self.client.patch(
|
|
"/api/v1/admin/system/settings",
|
|
headers=headers,
|
|
json={
|
|
"default_locale": settings_response.json()["default_locale"],
|
|
"allow_tenant_custom_groups": settings_response.json()["allow_tenant_custom_groups"],
|
|
"allow_tenant_custom_roles": settings_response.json()["allow_tenant_custom_roles"],
|
|
"allow_tenant_api_keys": settings_response.json()["allow_tenant_api_keys"],
|
|
"maintenance_mode": {"enabled": True, "message": "Configuration package apply test"},
|
|
},
|
|
)
|
|
self.assertEqual(maintenance_enabled.status_code, 200, maintenance_enabled.text)
|
|
approver_headers = self._create_system_approver(headers, tenant_id=tenant_id)
|
|
change_request_id = self._approved_configuration_change(
|
|
headers,
|
|
approver_headers,
|
|
key="configuration_packages.apply",
|
|
value=endpoint_package,
|
|
target={"tenant_id": tenant_id},
|
|
)
|
|
endpoint_apply = self.client.post(
|
|
"/api/v1/admin/configuration-packages/apply",
|
|
headers=headers,
|
|
json={"tenant_id": tenant_id, "package": endpoint_package, "change_request_id": change_request_id},
|
|
)
|
|
self.assertEqual(endpoint_apply.status_code, 200, endpoint_apply.text)
|
|
self.assertIn("application-reviewer", endpoint_apply.json()["created_refs"])
|
|
changes = self.client.get("/api/v1/admin/configuration-changes", headers=headers)
|
|
self.assertEqual(changes.status_code, 200, changes.text)
|
|
self.assertIn("configuration_packages.apply", {item["key"] for item in changes.json()["history"]})
|
|
applied_request = next(item for item in changes.json()["requests"] if item["id"] == change_request_id)
|
|
self.assertEqual(applied_request["status"], "applied")
|
|
|
|
endpoint_export = self.client.post(
|
|
"/api/v1/admin/configuration-packages/export",
|
|
headers=headers,
|
|
json={"tenant_id": tenant_id, "module_ids": ["access"]},
|
|
)
|
|
self.assertEqual(endpoint_export.status_code, 200, endpoint_export.text)
|
|
exported_roles = next(fragment for fragment in endpoint_export.json()["fragments"] if fragment["fragment_type"] == "roles")
|
|
self.assertIn("application-reviewer", {item["slug"] for item in exported_roles["payload"]["items"]})
|
|
|
|
def test_configuration_safety_admin_endpoints_explain_guardrails(self) -> None:
|
|
headers, _login = self._login()
|
|
catalog = self.client.get("/api/v1/admin/configuration-safety", headers=headers)
|
|
self.assertEqual(catalog.status_code, 200, catalog.text)
|
|
field_keys = {item["key"] for item in catalog.json()["fields"]}
|
|
self.assertIn("files.connector_profiles", field_keys)
|
|
self.assertNotIn("DATABASE_URL", field_keys)
|
|
|
|
blocked = self.client.post(
|
|
"/api/v1/admin/configuration-safety/plan",
|
|
headers=headers,
|
|
json={
|
|
"key": "files.connector_profiles",
|
|
"value": {"password": "plain-secret"},
|
|
"dry_run": False,
|
|
"approval_count": 1,
|
|
},
|
|
)
|
|
self.assertEqual(blocked.status_code, 200, blocked.text)
|
|
plan = blocked.json()["plan"]
|
|
self.assertFalse(plan["allowed"])
|
|
self.assertIn("dry_run_required", plan["blockers"])
|
|
self.assertIn("secret_reference_required", plan["blockers"])
|
|
self.assertEqual(plan["audit_event"], "files.connector_profile.updated")
|
|
|
|
def test_module_state_update_uses_change_request_and_maintenance_mode(self) -> None:
|
|
headers, _login = self._login()
|
|
catalog = self.client.get("/api/v1/admin/system/modules", headers=headers)
|
|
self.assertEqual(catalog.status_code, 200, catalog.text)
|
|
enabled_modules = catalog.json()["desired_enabled"]
|
|
|
|
blocked = self.client.put(
|
|
"/api/v1/admin/system/modules",
|
|
headers=headers,
|
|
json={"enabled_modules": enabled_modules},
|
|
)
|
|
self.assertEqual(blocked.status_code, 409, blocked.text)
|
|
blocked_detail = blocked.json()["detail"]
|
|
self.assertEqual(blocked_detail["code"], "configuration_request_required")
|
|
self.assertIn("dry_run_required", blocked_detail["plan"]["blockers"])
|
|
self.assertIn("maintenance_mode_required", blocked_detail["plan"]["blockers"])
|
|
|
|
created = self.client.post(
|
|
"/api/v1/admin/configuration-change-requests",
|
|
headers=headers,
|
|
json={
|
|
"key": "module_management.desired_enabled",
|
|
"value": {"enabled_modules": enabled_modules},
|
|
"dry_run": True,
|
|
"target": {"scope": "system"},
|
|
"reason": "module-state smoke test",
|
|
},
|
|
)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
request = created.json()["request"]
|
|
self.assertEqual(request["status"], "approved")
|
|
self.assertTrue(request["plan"]["dry_run_satisfied"])
|
|
|
|
settings_response = self.client.get("/api/v1/admin/system/settings", headers=headers)
|
|
self.assertEqual(settings_response.status_code, 200, settings_response.text)
|
|
settings_payload = settings_response.json()
|
|
maintenance_enabled = self.client.patch(
|
|
"/api/v1/admin/system/settings",
|
|
headers=headers,
|
|
json={
|
|
"default_locale": settings_payload["default_locale"],
|
|
"allow_tenant_custom_groups": settings_payload["allow_tenant_custom_groups"],
|
|
"allow_tenant_custom_roles": settings_payload["allow_tenant_custom_roles"],
|
|
"allow_tenant_api_keys": settings_payload["allow_tenant_api_keys"],
|
|
"maintenance_mode": {"enabled": True, "message": "Module state update test"},
|
|
},
|
|
)
|
|
self.assertEqual(maintenance_enabled.status_code, 200, maintenance_enabled.text)
|
|
|
|
applied = self.client.put(
|
|
"/api/v1/admin/system/modules",
|
|
headers=headers,
|
|
json={"enabled_modules": enabled_modules, "change_request_id": request["id"]},
|
|
)
|
|
self.assertEqual(applied.status_code, 200, applied.text)
|
|
self.assertEqual(set(applied.json()["desired_enabled"]), set(enabled_modules))
|
|
|
|
changes = self.client.get("/api/v1/admin/configuration-changes", headers=headers)
|
|
self.assertEqual(changes.status_code, 200, changes.text)
|
|
applied_request = next(item for item in changes.json()["requests"] if item["id"] == request["id"])
|
|
self.assertEqual(applied_request["status"], "applied")
|
|
self.assertIn("module_management.desired_enabled", {item["key"] for item in changes.json()["history"]})
|
|
|
|
def test_zip_upload_spools_archive_instead_of_full_buffering(self) -> None:
|
|
headers, login = self._login()
|
|
user_id = str(login["user"]["id"])
|
|
payload = io.BytesIO()
|
|
with zipfile.ZipFile(payload, mode="w", compression=zipfile.ZIP_DEFLATED) as archive:
|
|
archive.writestr("reports/january.txt", "January report")
|
|
archive.writestr("reports/february.txt", "February report")
|
|
payload.seek(0)
|
|
|
|
with patch("govoplan_files.backend.router._read_limited_upload", side_effect=AssertionError("ZIP upload should not be fully buffered")):
|
|
response = self.client.post(
|
|
"/api/v1/files/upload-zip",
|
|
headers=headers,
|
|
data={"owner_type": "user", "owner_id": user_id, "path": "imports"},
|
|
files={"file": ("reports.zip", payload.getvalue(), "application/zip")},
|
|
)
|
|
|
|
self.assertEqual(response.status_code, 200, response.text)
|
|
paths = sorted(item["display_path"] for item in response.json()["files"])
|
|
self.assertEqual(paths, ["imports/reports/february.txt", "imports/reports/january.txt"])
|
|
|
|
def test_group_read_admin_does_not_grant_file_space_admin(self) -> None:
|
|
owner_headers, _ = self._login()
|
|
group = self.client.post(
|
|
"/api/v1/admin/groups",
|
|
headers=owner_headers,
|
|
json={
|
|
"slug": "private-files",
|
|
"name": "Private files",
|
|
"description": "Contains files that are not shared with group readers.",
|
|
"member_ids": [],
|
|
"role_ids": [],
|
|
},
|
|
)
|
|
self.assertEqual(group.status_code, 201, group.text)
|
|
group_id = group.json()["id"]
|
|
|
|
uploaded = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=owner_headers,
|
|
data={"owner_type": "group", "owner_id": group_id, "path": ""},
|
|
files=[("files", ("private.txt", b"private", "text/plain"))],
|
|
)
|
|
self.assertEqual(uploaded.status_code, 200, uploaded.text)
|
|
file_id = uploaded.json()["files"][0]["id"]
|
|
|
|
role = self._create_role(
|
|
owner_headers,
|
|
slug="group-directory-reader",
|
|
permissions=["files:read", "admin:groups:read"],
|
|
)
|
|
self._create_user(
|
|
owner_headers,
|
|
email="group-reader@example.local",
|
|
password="group-reader-password",
|
|
role_ids=[str(role["id"])],
|
|
)
|
|
reader_headers, _ = self._login_as(email="group-reader@example.local", password="group-reader-password")
|
|
|
|
groups = self.client.get("/api/v1/admin/groups", headers=reader_headers)
|
|
self.assertEqual(groups.status_code, 200, groups.text)
|
|
|
|
spaces = self.client.get("/api/v1/files/spaces", headers=reader_headers)
|
|
self.assertEqual(spaces.status_code, 200, spaces.text)
|
|
self.assertNotIn(group_id, [space["owner_id"] for space in spaces.json()["spaces"]])
|
|
|
|
group_listing = self.client.get(
|
|
"/api/v1/files",
|
|
headers=reader_headers,
|
|
params={"owner_type": "group", "owner_id": group_id},
|
|
)
|
|
self.assertEqual(group_listing.status_code, 403, group_listing.text)
|
|
self.assertEqual(self.client.get(f"/api/v1/files/{file_id}", headers=reader_headers).status_code, 404)
|
|
|
|
def test_campaign_delta_tracks_create_update_and_delete_tombstone(self) -> None:
|
|
headers, _ = self._login()
|
|
|
|
full = self.client.get("/api/v1/campaigns/delta", headers=headers)
|
|
self.assertEqual(full.status_code, 200, full.text)
|
|
self.assertTrue(full.json()["full"])
|
|
watermark = full.json()["watermark"]
|
|
|
|
created = self.client.post(
|
|
"/api/v1/campaigns/new",
|
|
headers=headers,
|
|
json={"external_id": "delta-campaign", "name": "Delta campaign"},
|
|
)
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
|
|
after_create = self.client.get(
|
|
"/api/v1/campaigns/delta",
|
|
headers=headers,
|
|
params={"since": watermark},
|
|
)
|
|
self.assertEqual(after_create.status_code, 200, after_create.text)
|
|
create_payload = after_create.json()
|
|
self.assertFalse(create_payload["full"])
|
|
self.assertIn(campaign_id, {item["id"] for item in create_payload["campaigns"]})
|
|
|
|
updated = self.client.put(
|
|
f"/api/v1/campaigns/{campaign_id}",
|
|
headers=headers,
|
|
json={"name": "Delta campaign updated"},
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
|
|
after_update = self.client.get(
|
|
"/api/v1/campaigns/delta",
|
|
headers=headers,
|
|
params={"since": create_payload["watermark"]},
|
|
)
|
|
self.assertEqual(after_update.status_code, 200, after_update.text)
|
|
updated_campaigns = {item["id"]: item for item in after_update.json()["campaigns"]}
|
|
self.assertEqual(updated_campaigns[campaign_id]["name"], "Delta campaign updated")
|
|
|
|
deleted = self.client.delete(f"/api/v1/campaigns/{campaign_id}", headers=headers)
|
|
self.assertEqual(deleted.status_code, 204, deleted.text)
|
|
|
|
after_delete = self.client.get(
|
|
"/api/v1/campaigns/delta",
|
|
headers=headers,
|
|
params={"since": after_update.json()["watermark"]},
|
|
)
|
|
self.assertEqual(after_delete.status_code, 200, after_delete.text)
|
|
deleted_items = after_delete.json()["deleted"]
|
|
self.assertEqual(len(deleted_items), 1)
|
|
self.assertEqual(deleted_items[0]["id"], campaign_id)
|
|
self.assertEqual(deleted_items[0]["resource_type"], "campaign")
|
|
self.assertTrue(str(deleted_items[0]["revision"]).startswith("seq:"))
|
|
|
|
def test_campaign_workspace_delta_tracks_version_autosave(self) -> None:
|
|
headers, _ = self._login()
|
|
created = self.client.post(
|
|
"/api/v1/campaigns/new",
|
|
headers=headers,
|
|
json={"external_id": "workspace-delta", "name": "Workspace delta"},
|
|
)
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
|
|
full = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/workspace/delta",
|
|
headers=headers,
|
|
params={"include_summary": False},
|
|
)
|
|
self.assertEqual(full.status_code, 200, full.text)
|
|
full_payload = full.json()
|
|
self.assertTrue(full_payload["full"])
|
|
self.assertEqual(full_payload["current_version"]["id"], version_id)
|
|
|
|
autosaved = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/autosave",
|
|
headers=headers,
|
|
json={"current_step": "fields"},
|
|
)
|
|
self.assertEqual(autosaved.status_code, 200, autosaved.text)
|
|
self.assertEqual(autosaved.json()["current_step"], "fields")
|
|
|
|
delta = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/workspace/delta",
|
|
headers=headers,
|
|
params={"since": full_payload["watermark"], "include_summary": False},
|
|
)
|
|
self.assertEqual(delta.status_code, 200, delta.text)
|
|
delta_payload = delta.json()
|
|
self.assertFalse(delta_payload["full"])
|
|
self.assertEqual(delta_payload["current_version"]["id"], version_id)
|
|
self.assertEqual(delta_payload["current_version"]["current_step"], "fields")
|
|
self.assertIn(version_id, {item["id"] for item in delta_payload["versions"]})
|
|
|
|
def test_campaign_jobs_delta_tracks_single_job_update(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_id, version_id = self._create_built_delivery_campaign(
|
|
headers,
|
|
external_id="jobs-delta",
|
|
recipient_count=2,
|
|
)
|
|
|
|
full = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/delta",
|
|
headers=headers,
|
|
params={"version_id": version_id, "page_size": 50},
|
|
)
|
|
self.assertEqual(full.status_code, 200, full.text)
|
|
full_payload = full.json()
|
|
self.assertTrue(full_payload["full"])
|
|
self.assertEqual(len(full_payload["jobs"]), 2)
|
|
job_id = full_payload["jobs"][0]["id"]
|
|
|
|
from govoplan_campaign.backend.db.models import CampaignJob
|
|
|
|
with SessionLocal() as session:
|
|
job = session.get(CampaignJob, job_id)
|
|
self.assertIsNotNone(job)
|
|
job.send_status = "outcome_unknown"
|
|
job.last_error = "SMTP outcome needs reconciliation"
|
|
session.add(job)
|
|
session.commit()
|
|
|
|
delta = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/delta",
|
|
headers=headers,
|
|
params={"version_id": version_id, "since": full_payload["watermark"], "page_size": 50},
|
|
)
|
|
self.assertEqual(delta.status_code, 200, delta.text)
|
|
delta_payload = delta.json()
|
|
self.assertFalse(delta_payload["full"])
|
|
self.assertEqual([item["id"] for item in delta_payload["jobs"]], [job_id])
|
|
self.assertEqual(delta_payload["jobs"][0]["send_status"], "outcome_unknown")
|
|
self.assertEqual(delta_payload["jobs"][0]["last_error"], "SMTP outcome needs reconciliation")
|
|
self.assertEqual(delta_payload["counts"]["send"]["outcome_unknown"], 1)
|
|
self.assertTrue(str(delta_payload["watermark"]).startswith("seq:"))
|
|
|
|
def test_campaign_jobs_cursor_pagination_anchors_delta_pages(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_id, version_id = self._create_built_delivery_campaign(
|
|
headers,
|
|
external_id="jobs-cursor-delta",
|
|
recipient_count=5,
|
|
)
|
|
|
|
first_page = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/delta",
|
|
headers=headers,
|
|
params={"version_id": version_id, "page": 1, "page_size": 2},
|
|
)
|
|
self.assertEqual(first_page.status_code, 200, first_page.text)
|
|
first_payload = first_page.json()
|
|
self.assertTrue(first_payload["full"])
|
|
self.assertTrue(first_payload["next_cursor"])
|
|
|
|
second_page = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/delta",
|
|
headers=headers,
|
|
params={"version_id": version_id, "page": 2, "page_size": 2, "cursor": first_payload["next_cursor"]},
|
|
)
|
|
self.assertEqual(second_page.status_code, 200, second_page.text)
|
|
second_payload = second_page.json()
|
|
self.assertEqual(second_payload["cursor"], first_payload["next_cursor"])
|
|
second_page_ids = [item["id"] for item in second_payload["jobs"]]
|
|
self.assertEqual(len(second_page_ids), 2)
|
|
|
|
mismatched_cursor = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs",
|
|
headers=headers,
|
|
params={"version_id": version_id, "page": 2, "page_size": 3, "cursor": first_payload["next_cursor"]},
|
|
)
|
|
self.assertEqual(mismatched_cursor.status_code, 400, mismatched_cursor.text)
|
|
|
|
from govoplan_campaign.backend.db.models import CampaignJob
|
|
|
|
first_page_job_id = first_payload["jobs"][0]["id"]
|
|
with SessionLocal() as session:
|
|
job = session.get(CampaignJob, first_page_job_id)
|
|
self.assertIsNotNone(job)
|
|
job.send_status = "outcome_unknown"
|
|
job.last_error = "Cursor page delta should stay on page one"
|
|
session.add(job)
|
|
session.commit()
|
|
|
|
cursor_delta = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/delta",
|
|
headers=headers,
|
|
params={
|
|
"version_id": version_id,
|
|
"page": 2,
|
|
"page_size": 2,
|
|
"cursor": first_payload["next_cursor"],
|
|
"since": second_payload["watermark"],
|
|
},
|
|
)
|
|
self.assertEqual(cursor_delta.status_code, 200, cursor_delta.text)
|
|
cursor_delta_payload = cursor_delta.json()
|
|
self.assertFalse(cursor_delta_payload["full"])
|
|
self.assertEqual(cursor_delta_payload["jobs"], [])
|
|
|
|
def test_temporary_and_permanent_user_lock_lifecycle(self) -> None:
|
|
headers, _ = self._login()
|
|
created = self.client.post(
|
|
"/api/v1/campaigns/new",
|
|
headers=headers,
|
|
json={"external_id": "lock-lifecycle", "name": "Lock lifecycle"},
|
|
)
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
|
|
temporary = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/lock-temporarily",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(temporary.status_code, 200, temporary.text)
|
|
self.assertEqual(temporary.json()["user_lock_state"], "temporary")
|
|
self.assertTrue(temporary.json()["user_locked_at"])
|
|
|
|
blocked_update = self.client.put(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}",
|
|
headers=headers,
|
|
json={"current_step": "fields"},
|
|
)
|
|
self.assertEqual(blocked_update.status_code, 409, blocked_update.text)
|
|
|
|
unlocked = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/unlock-user-lock",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(unlocked.status_code, 200, unlocked.text)
|
|
self.assertIsNone(unlocked.json()["user_lock_state"])
|
|
|
|
updated = self.client.put(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}",
|
|
headers=headers,
|
|
json={"current_step": "fields"},
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
self.assertEqual(updated.json()["current_step"], "fields")
|
|
|
|
relocked = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/lock-temporarily",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(relocked.status_code, 200, relocked.text)
|
|
|
|
permanent = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/lock-permanently",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(permanent.status_code, 200, permanent.text)
|
|
self.assertEqual(permanent.json()["user_lock_state"], "permanent")
|
|
self.assertTrue(permanent.json()["published_at"])
|
|
|
|
refused_unlock = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/unlock-user-lock",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(refused_unlock.status_code, 409, refused_unlock.text)
|
|
|
|
|
|
def test_only_one_campaign_version_is_writable(self) -> None:
|
|
headers, _ = self._login()
|
|
created = self.client.post(
|
|
"/api/v1/campaigns/new",
|
|
headers=headers,
|
|
json={"external_id": "single-working-version", "name": "Single working version"},
|
|
)
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
first_version_id = created.json()["version"]["id"]
|
|
|
|
parallel = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{first_version_id}/fork",
|
|
headers=headers,
|
|
json={},
|
|
)
|
|
self.assertEqual(parallel.status_code, 409, parallel.text)
|
|
self.assertIn("active working version", parallel.text)
|
|
|
|
permanent = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{first_version_id}/lock-permanently",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(permanent.status_code, 200, permanent.text)
|
|
|
|
copied = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{first_version_id}/fork",
|
|
headers=headers,
|
|
json={},
|
|
)
|
|
self.assertEqual(copied.status_code, 200, copied.text)
|
|
second_version_id = copied.json()["version"]["id"]
|
|
self.assertNotEqual(second_version_id, first_version_id)
|
|
self.assertEqual(copied.json()["campaign"]["current_version_id"], second_version_id)
|
|
|
|
historical_update = self.client.put(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{first_version_id}",
|
|
headers=headers,
|
|
json={"current_step": "fields"},
|
|
)
|
|
self.assertEqual(historical_update.status_code, 409, historical_update.text)
|
|
self.assertIn("Historical campaign versions are read-only", historical_update.text)
|
|
|
|
second_update = self.client.put(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{second_version_id}",
|
|
headers=headers,
|
|
json={"current_step": "fields"},
|
|
)
|
|
self.assertEqual(second_update.status_code, 200, second_update.text)
|
|
|
|
second_parallel = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{first_version_id}/fork",
|
|
headers=headers,
|
|
json={},
|
|
)
|
|
self.assertEqual(second_parallel.status_code, 409, second_parallel.text)
|
|
|
|
second_permanent = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{second_version_id}/lock-permanently",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(second_permanent.status_code, 200, second_permanent.text)
|
|
|
|
historical_branch = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{first_version_id}/fork",
|
|
headers=headers,
|
|
json={},
|
|
)
|
|
self.assertEqual(historical_branch.status_code, 409, historical_branch.text)
|
|
self.assertIn("cannot become a new branch", historical_branch.text)
|
|
|
|
third = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{second_version_id}/fork",
|
|
headers=headers,
|
|
json={},
|
|
)
|
|
self.assertEqual(third.status_code, 200, third.text)
|
|
self.assertEqual(third.json()["version"]["version_number"], 3)
|
|
|
|
def test_campaign_create_validate_build_and_mock_send(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "api-smoke", "name": "API smoke campaign", "mode": "test"},
|
|
"fields": [{"name": "first_name", "type": "string", "required": True}],
|
|
"global_values": {},
|
|
"server": {
|
|
"smtp": {
|
|
"host": "smtp.example.invalid",
|
|
"port": 587,
|
|
"username": "sender@example.org",
|
|
"password": "test-secret",
|
|
"security": "starttls",
|
|
},
|
|
"imap": {
|
|
"enabled": True,
|
|
"host": "imap.example.invalid",
|
|
"port": 993,
|
|
"username": "sender@example.org",
|
|
"password": "test-secret",
|
|
"security": "tls",
|
|
},
|
|
},
|
|
"recipients": {
|
|
"from": {"email": "sender@example.org", "name": "Sender", "type": "to"},
|
|
"allow_individual_to": True,
|
|
},
|
|
"template": {
|
|
"subject": "Hello ${local::first_name}",
|
|
"text": "Hello ${local::first_name}, this is a smoke test.",
|
|
},
|
|
"attachments": {"base_path": ".", "global": [], "allow_individual": False},
|
|
"entries": {
|
|
"inline": [
|
|
{
|
|
"id": "recipient-1",
|
|
"to": [{"email": "recipient@example.org", "name": "Recipient", "type": "to"}],
|
|
"fields": {"first_name": "Ada"},
|
|
}
|
|
]
|
|
},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block"},
|
|
"delivery": {"imap_append_sent": {"enabled": True, "folder": "Sent"}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
|
|
created = self.client.post(
|
|
"/api/v1/campaigns",
|
|
headers=headers,
|
|
json={"config": campaign_json},
|
|
)
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
created_payload = created.json()
|
|
campaign_id = created_payload["campaign"]["id"]
|
|
version_id = created_payload["version"]["id"]
|
|
|
|
validated = self.client.post(
|
|
f"/api/v1/campaigns/versions/{version_id}/validate",
|
|
headers=headers,
|
|
json={"check_files": False},
|
|
)
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertTrue(validated.json()["ok"])
|
|
|
|
built = self.client.post(
|
|
f"/api/v1/campaigns/versions/{version_id}/build",
|
|
headers=headers,
|
|
json={"write_eml": False},
|
|
)
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
self.assertEqual(built.json()["built_count"], 1)
|
|
|
|
mocked = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/mock-send",
|
|
headers=headers,
|
|
json={
|
|
"version_id": version_id,
|
|
"send": True,
|
|
"append_sent": True,
|
|
"clear_mailbox": True,
|
|
"check_files": False,
|
|
},
|
|
)
|
|
self.assertEqual(mocked.status_code, 200, mocked.text)
|
|
result = mocked.json()["result"]
|
|
self.assertTrue(result["validation"]["ok"])
|
|
self.assertEqual(result["build"]["built_count"], 1)
|
|
self.assertEqual(result["send"]["sent_count"], 1)
|
|
self.assertEqual(result["send"]["imap_appended_count"], 1)
|
|
self.assertEqual(result["send"]["imap_failed_count"], 0)
|
|
|
|
def test_managed_attachment_patterns_preview_build_and_mock_send(self) -> None:
|
|
headers, login = self._login()
|
|
user_id = login["user"]["id"]
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "managed-attachments", "name": "Managed attachments", "mode": "test"},
|
|
"fields": [{"name": "invoice_number", "type": "string", "required": True}],
|
|
"global_values": {},
|
|
"server": {
|
|
"smtp": {
|
|
"host": "smtp.example.invalid",
|
|
"port": 587,
|
|
"username": "sender@example.org",
|
|
"password": "test-secret",
|
|
"security": "starttls",
|
|
}
|
|
},
|
|
"recipients": {
|
|
"from": {"email": "sender@example.org", "name": "Sender", "type": "to"},
|
|
"allow_individual_to": True,
|
|
},
|
|
"template": {"subject": "Invoice", "text": "Please see the attached files."},
|
|
"attachments": {
|
|
"base_path": "invoices",
|
|
"base_paths": [
|
|
{
|
|
"id": "personal-invoices",
|
|
"name": "My invoices",
|
|
"source": f"managed:user:{user_id}",
|
|
"path": "invoices",
|
|
"allow_individual": True,
|
|
}
|
|
],
|
|
"global": [],
|
|
"allow_individual": True,
|
|
},
|
|
"entries": {
|
|
"inline": [
|
|
{
|
|
"id": "recipient-1",
|
|
"to": [{"email": "recipient@example.org", "name": "Recipient", "type": "to"}],
|
|
"fields": {"invoice_number": "202605-010001"},
|
|
"attachments": [
|
|
{
|
|
"id": "nested-pattern",
|
|
"label": "Nested workbook",
|
|
"base_path_id": "personal-invoices",
|
|
"base_dir": "invoices",
|
|
"file_filter": "**/{{local:invoice_number}}-report.XLSX",
|
|
"required": True,
|
|
},
|
|
{
|
|
"id": "exact-pattern",
|
|
"label": "Exact workbook",
|
|
"base_path_id": "personal-invoices",
|
|
"base_dir": "invoices",
|
|
"file_filter": "{{local:invoice_number}}-90100010-9601741.XLSX",
|
|
"required": True,
|
|
},
|
|
],
|
|
}
|
|
]
|
|
},
|
|
"validation_policy": {
|
|
"missing_email": "block",
|
|
"template_error": "block",
|
|
"missing_required_attachment": "block",
|
|
},
|
|
"delivery": {"imap_append_sent": {"enabled": False}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
|
|
created = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
|
|
for path, filename, content in [
|
|
("invoices/archive", "202605-010001-report.XLSX", b"nested workbook"),
|
|
("invoices", "202605-010001-90100010-9601741.XLSX", b"exact workbook"),
|
|
]:
|
|
uploaded = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"path": path,
|
|
"campaign_id": campaign_id,
|
|
},
|
|
files=[("files", (filename, content, "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"))],
|
|
)
|
|
self.assertEqual(uploaded.status_code, 200, uploaded.text)
|
|
|
|
preview = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/attachments/preview",
|
|
headers=headers,
|
|
json={"include_unmatched": True},
|
|
)
|
|
self.assertEqual(preview.status_code, 200, preview.text)
|
|
preview_payload = preview.json()
|
|
self.assertEqual(len(preview_payload["rules"]), 2)
|
|
self.assertEqual([rule["match_count"] for rule in preview_payload["rules"]], [1, 1])
|
|
self.assertEqual(
|
|
{rule["matches"][0]["filename"] for rule in preview_payload["rules"]},
|
|
{"202605-010001-report.XLSX", "202605-010001-90100010-9601741.XLSX"},
|
|
)
|
|
self.assertEqual(preview_payload["unused_shared_files"], [])
|
|
|
|
validated = self.client.post(
|
|
f"/api/v1/campaigns/versions/{version_id}/validate",
|
|
headers=headers,
|
|
json={"check_files": True},
|
|
)
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertTrue(validated.json()["ok"], validated.text)
|
|
|
|
built = self.client.post(
|
|
f"/api/v1/campaigns/versions/{version_id}/build",
|
|
headers=headers,
|
|
json={"write_eml": False},
|
|
)
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
self.assertEqual(built.json()["built_count"], 1)
|
|
self.assertEqual(built.json()["messages"][0]["attachment_count"], 2)
|
|
self.assertTrue(built.json().get("built_at"))
|
|
self.assertTrue(built.json().get("build_token"))
|
|
self.assertEqual(
|
|
sum(len(item["managed_matches"]) for item in built.json()["messages"][0]["attachments"]),
|
|
2,
|
|
)
|
|
resolved_paths = {
|
|
match
|
|
for attachment in built.json()["messages"][0]["attachments"]
|
|
for match in attachment["matches"]
|
|
}
|
|
self.assertEqual(resolved_paths, {
|
|
"invoices/archive/202605-010001-report.XLSX",
|
|
"invoices/202605-010001-90100010-9601741.XLSX",
|
|
})
|
|
self.assertFalse(any("multimailer-managed-build" in value for value in resolved_paths))
|
|
|
|
jobs = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs",
|
|
headers=headers,
|
|
params={"version_id": version_id},
|
|
)
|
|
self.assertEqual(jobs.status_code, 200, jobs.text)
|
|
self.assertEqual(len(jobs.json()["jobs"]), 1)
|
|
job_summary = jobs.json()["jobs"][0]
|
|
self.assertEqual(job_summary["campaign_version_id"], version_id)
|
|
self.assertNotIn("resolved_recipients", job_summary)
|
|
detail = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/{job_summary['id']}",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(detail.status_code, 200, detail.text)
|
|
job = detail.json()["job"]
|
|
self.assertEqual(job["resolved_recipients"]["to"][0]["email"], "recipient@example.org")
|
|
self.assertEqual(
|
|
{
|
|
match
|
|
for attachment in job["attachments"]
|
|
for match in attachment["matches"]
|
|
},
|
|
resolved_paths,
|
|
)
|
|
|
|
review_state = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/review-state",
|
|
headers=headers,
|
|
json={"inspection_complete": True, "reviewed_message_keys": ["recipient-1"]},
|
|
)
|
|
self.assertEqual(review_state.status_code, 200, review_state.text)
|
|
stored_review = review_state.json()["editor_state"]["review_send"]
|
|
self.assertTrue(stored_review["inspection_complete"])
|
|
self.assertEqual(stored_review["reviewed_message_keys"], ["recipient-1"])
|
|
self.assertEqual(stored_review["build_token"], built.json()["build_token"])
|
|
|
|
reloaded_version = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(reloaded_version.status_code, 200, reloaded_version.text)
|
|
self.assertTrue(reloaded_version.json()["editor_state"]["review_send"]["inspection_complete"])
|
|
|
|
mocked = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/mock-send",
|
|
headers=headers,
|
|
json={
|
|
"version_id": version_id,
|
|
"send": True,
|
|
"append_sent": False,
|
|
"clear_mailbox": True,
|
|
"check_files": False,
|
|
},
|
|
)
|
|
self.assertEqual(mocked.status_code, 200, mocked.text)
|
|
result = mocked.json()["result"]
|
|
self.assertTrue(result["validation"]["ok"], mocked.text)
|
|
self.assertEqual(result["send"]["sent_count"], 1)
|
|
self.assertEqual(result["send"]["results"][0]["attachments"][0]["status"], "ok")
|
|
|
|
from govoplan_files.backend.db.models import CampaignAttachmentUse
|
|
|
|
with SessionLocal() as session:
|
|
uses = session.query(CampaignAttachmentUse).filter(CampaignAttachmentUse.campaign_id == campaign_id).all()
|
|
self.assertEqual(len(uses), 2)
|
|
self.assertEqual({use.filename_used for use in uses}, {
|
|
"202605-010001-report.XLSX",
|
|
"202605-010001-90100010-9601741.XLSX",
|
|
})
|
|
|
|
def test_managed_attachment_send_uses_frozen_build_artifact_after_file_changes(self) -> None:
|
|
headers, login = self._login()
|
|
user_id = login["user"]["id"]
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "managed-send-freeze", "name": "Managed send freeze", "mode": "test"},
|
|
"fields": [],
|
|
"global_values": {},
|
|
"server": {
|
|
"smtp": {
|
|
"host": "mock.smtp",
|
|
"port": 2525,
|
|
"username": "sender@example.org",
|
|
"password": "test-secret",
|
|
"security": "starttls",
|
|
}
|
|
},
|
|
"recipients": {
|
|
"from": {"email": "sender@example.org", "name": "Sender", "type": "to"},
|
|
"allow_individual_to": True,
|
|
},
|
|
"template": {"subject": "Frozen evidence", "text": "Please see the evidence."},
|
|
"attachments": {
|
|
"base_path": "evidence",
|
|
"base_paths": [
|
|
{
|
|
"id": "managed-evidence",
|
|
"name": "Managed evidence",
|
|
"source": f"managed:user:{user_id}",
|
|
"path": "evidence",
|
|
}
|
|
],
|
|
"global": [
|
|
{
|
|
"id": "proof",
|
|
"label": "Proof",
|
|
"base_path_id": "managed-evidence",
|
|
"base_dir": "evidence",
|
|
"file_filter": "proof.txt",
|
|
"required": True,
|
|
}
|
|
],
|
|
"allow_individual": False,
|
|
},
|
|
"entries": {
|
|
"inline": [
|
|
{
|
|
"id": "recipient-1",
|
|
"to": [{"email": "recipient@example.org", "type": "to"}],
|
|
"fields": {},
|
|
}
|
|
]
|
|
},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block", "missing_required_attachment": "block"},
|
|
"delivery": {"rate_limit": {"messages_per_minute": 60}, "imap_append_sent": {"enabled": False}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
created = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
|
|
uploaded = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"path": "evidence",
|
|
"campaign_id": campaign_id,
|
|
"source_revision": "nextcloud-etag-1",
|
|
"source_provenance_json": json.dumps(
|
|
{
|
|
"source_type": "connector",
|
|
"connector_id": "nextcloud-main",
|
|
"provider": "nextcloud",
|
|
"external_id": "file-123",
|
|
"external_path": "/Shared/proof.txt",
|
|
}
|
|
),
|
|
},
|
|
files=[("files", ("proof.txt", b"original evidence", "text/plain"))],
|
|
)
|
|
self.assertEqual(uploaded.status_code, 200, uploaded.text)
|
|
|
|
validated = self.client.post(f"/api/v1/campaigns/versions/{version_id}/validate", headers=headers, json={"check_files": True})
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertTrue(validated.json()["ok"], validated.text)
|
|
|
|
built = self.client.post(f"/api/v1/campaigns/versions/{version_id}/build", headers=headers, json={"write_eml": True})
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
self.assertEqual(built.json()["built_count"], 1)
|
|
managed_match = built.json()["messages"][0]["attachments"][0]["managed_matches"][0]
|
|
self.assertEqual(managed_match["source_revision"], "nextcloud-etag-1")
|
|
self.assertEqual(managed_match["source_provenance"]["connector_id"], "nextcloud-main")
|
|
self.assertEqual(managed_match["source_provenance"]["revision"], "nextcloud-etag-1")
|
|
|
|
from govoplan_campaign.backend.db.models import CampaignJob
|
|
from govoplan_files.backend.db.models import CampaignAttachmentUse, FileBlob
|
|
from govoplan_files.backend.storage.backends import get_storage_backend
|
|
from govoplan_mail.backend.dev.mock_mailbox import list_records
|
|
|
|
with SessionLocal() as session:
|
|
job = session.query(CampaignJob).filter(CampaignJob.campaign_version_id == version_id).one()
|
|
self.assertTrue(job.eml_local_path)
|
|
built_use = (
|
|
session.query(CampaignAttachmentUse)
|
|
.filter(
|
|
CampaignAttachmentUse.campaign_job_id == job.id,
|
|
CampaignAttachmentUse.use_stage == "built",
|
|
)
|
|
.one()
|
|
)
|
|
original_version_id = built_use.file_version_id
|
|
original_blob_id = built_use.file_blob_id
|
|
original_storage_key = session.get(FileBlob, original_blob_id).storage_key
|
|
|
|
get_storage_backend().delete(original_storage_key)
|
|
changed = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={
|
|
"owner_type": "user",
|
|
"owner_id": user_id,
|
|
"path": "evidence",
|
|
"campaign_id": campaign_id,
|
|
"conflict_strategy": "overwrite",
|
|
},
|
|
files=[("files", ("proof.txt", b"changed live content", "text/plain"))],
|
|
)
|
|
self.assertEqual(changed.status_code, 200, changed.text)
|
|
|
|
sent = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/send-now",
|
|
headers=headers,
|
|
json={
|
|
"version_id": version_id,
|
|
"validate_before_send": False,
|
|
"build_before_send": False,
|
|
"use_rate_limit": False,
|
|
"enqueue_imap_task": False,
|
|
},
|
|
)
|
|
self.assertEqual(sent.status_code, 200, sent.text)
|
|
self.assertEqual(sent.json()["result"]["sent_count"], 1, sent.text)
|
|
|
|
records = list_records(kind="smtp")
|
|
self.assertEqual(len(records), 1)
|
|
raw_filename = records[0].get("raw_filename")
|
|
self.assertTrue(raw_filename)
|
|
captured = BytesParser(policy=policy.default).parsebytes((_TEST_ROOT / "mock-mailbox" / "messages" / str(raw_filename)).read_bytes())
|
|
attachments = {part.get_filename(): part.get_payload(decode=True) for part in captured.iter_attachments()}
|
|
self.assertEqual(attachments["proof.txt"], b"original evidence")
|
|
|
|
with SessionLocal() as session:
|
|
sent_use = (
|
|
session.query(CampaignAttachmentUse)
|
|
.filter(
|
|
CampaignAttachmentUse.campaign_id == campaign_id,
|
|
CampaignAttachmentUse.use_stage == "sent",
|
|
)
|
|
.one()
|
|
)
|
|
self.assertEqual(sent_use.file_version_id, original_version_id)
|
|
self.assertEqual(sent_use.file_blob_id, original_blob_id)
|
|
|
|
|
|
def test_non_blocking_review_conditions_can_be_accepted_in_bulk(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "bulk-review", "name": "Bulk review", "mode": "test"},
|
|
"fields": [], "global_values": {},
|
|
"server": {"smtp": {"host": "smtp.example.invalid", "port": 587, "security": "starttls"}},
|
|
"recipients": {"from": {"email": "sender@example.org", "type": "to"}, "allow_individual_to": True},
|
|
"template": {"subject": "Warning test", "text": "Body"},
|
|
"attachments": {"base_path": ".", "base_paths": [], "global": [{
|
|
"id": "optional-missing", "base_dir": ".", "file_filter": "not-there.pdf",
|
|
"required": False, "missing_behavior": "warn", "zip": {"archive_id": "exclude"}
|
|
}], "zip": {"enabled": False, "archives": []}},
|
|
"entries": {"inline": [{"id": "warning-entry", "to": [{"email": "recipient@example.org", "type": "to"}]}]},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block", "missing_optional_attachment": "warn"},
|
|
"delivery": {"imap_append_sent": {"enabled": False}}, "status_tracking": {"enabled": True},
|
|
}
|
|
created = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
validated = self.client.post(f"/api/v1/campaigns/versions/{version_id}/validate", headers=headers, json={"check_files": True})
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
built = self.client.post(f"/api/v1/campaigns/versions/{version_id}/build", headers=headers, json={"write_eml": True})
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
self.assertEqual(built.json()["warning_count"], 1)
|
|
reviewed = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/review-state",
|
|
headers=headers,
|
|
json={"inspection_complete": True, "reviewed_message_keys": []},
|
|
)
|
|
self.assertEqual(reviewed.status_code, 200, reviewed.text)
|
|
review_state = reviewed.json()["editor_state"]["review_send"]
|
|
self.assertTrue(review_state["inspection_complete"])
|
|
self.assertEqual(review_state["reviewed_message_keys"], ["warning-entry"])
|
|
|
|
def test_inactive_recipients_are_aggregated_but_not_built_or_reviewed(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "inactive-recipients", "name": "Inactive recipients", "mode": "test"},
|
|
"fields": [],
|
|
"global_values": {},
|
|
"server": {"smtp": {"host": "smtp.example.invalid", "port": 587, "security": "starttls"}},
|
|
"recipients": {"from": {"email": "sender@example.org", "name": "Sender", "type": "to"}, "allow_individual_to": True},
|
|
"template": {"subject": "Hello", "text": "Active recipient only"},
|
|
"attachments": {"base_path": ".", "base_paths": [], "global": [], "zip": {"enabled": False, "archives": []}},
|
|
"entries": {"inline": [
|
|
{"id": "active", "active": True, "to": [{"email": "active@example.org", "type": "to"}]},
|
|
{"id": "inactive", "active": False, "to": [], "attachments": [{"base_dir": "missing", "file_filter": "missing.pdf", "required": True}]},
|
|
]},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block", "missing_required_attachment": "block"},
|
|
"delivery": {"imap_append_sent": {"enabled": False}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
created = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
validated = self.client.post(f"/api/v1/campaigns/versions/{version_id}/validate", headers=headers, json={"check_files": True})
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertTrue(validated.json()["ok"], validated.text)
|
|
built = self.client.post(f"/api/v1/campaigns/versions/{version_id}/build", headers=headers, json={"write_eml": True})
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
self.assertEqual(built.json()["inactive_count"], 1)
|
|
self.assertEqual(len(built.json()["messages"]), 1)
|
|
self.assertEqual(built.json()["messages"][0]["entry_id"], "active")
|
|
jobs = self.client.get(f"/api/v1/campaigns/{campaign_id}/jobs", headers=headers)
|
|
self.assertEqual(jobs.status_code, 200, jobs.text)
|
|
self.assertEqual(len(jobs.json()["jobs"]), 1)
|
|
report = self.client.get(f"/api/v1/campaigns/{campaign_id}/report", headers=headers)
|
|
self.assertEqual(report.status_code, 200, report.text)
|
|
self.assertEqual(report.json()["cards"]["inactive"], 1)
|
|
self.assertEqual(report.json()["status_counts"]["validation"]["inactive"], 1)
|
|
|
|
|
|
def test_recipient_address_fields_and_merge_modes(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "recipient-address-fields", "name": "Recipient address fields", "mode": "test"},
|
|
"fields": [],
|
|
"global_values": {},
|
|
"server": {"smtp": {"host": "smtp.example.invalid", "port": 587, "security": "starttls"}},
|
|
"recipients": {
|
|
"from": [{"email": "global-from@example.org", "type": "to"}],
|
|
"allow_individual_from": True,
|
|
"to": [{"email": "global-to@example.org", "type": "to"}],
|
|
"allow_individual_to": True,
|
|
"cc": [{"email": "global-cc@example.org", "type": "cc"}],
|
|
"allow_individual_cc": True,
|
|
"bcc": [{"email": "global-bcc@example.org", "type": "bcc"}],
|
|
"allow_individual_bcc": True,
|
|
"reply_to": [{"email": "global-reply@example.org", "type": "reply_to"}],
|
|
"allow_individual_reply_to": True,
|
|
},
|
|
"template": {
|
|
"subject": "{{local:from.email}} | {{local:all_to.email}} | {{local:to[2].email}} | {{local:all_cc.email}}",
|
|
"text": "{{local:all_from}} / {{local:all_reply_to.email}}",
|
|
},
|
|
"attachments": {"base_path": ".", "base_paths": [], "global": [], "zip": {"enabled": False, "archives": []}},
|
|
"entries": {"inline": [{
|
|
"id": "merged-entry",
|
|
"from": [{"email": "local-from@example.org", "type": "to"}],
|
|
"merge_from": True,
|
|
"to": [{"email": "local-to@example.org", "type": "to"}],
|
|
"merge_to": True,
|
|
"cc": [{"email": "local-cc@example.org", "type": "cc"}],
|
|
"merge_cc": True,
|
|
"bcc": [{"email": "local-bcc@example.org", "type": "bcc"}],
|
|
"merge_bcc": True,
|
|
"reply_to": [{"email": "local-reply@example.org", "type": "reply_to"}],
|
|
"merge_reply_to": True,
|
|
}]},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block"},
|
|
"delivery": {"imap_append_sent": {"enabled": False}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
created = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
validated = self.client.post(f"/api/v1/campaigns/versions/{version_id}/validate", headers=headers, json={"check_files": False})
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertTrue(validated.json()["ok"], validated.text)
|
|
built = self.client.post(f"/api/v1/campaigns/versions/{version_id}/build", headers=headers, json={"write_eml": True})
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
self.assertEqual(built.json()["messages"][0]["subject"], "local-from@example.org | global-to@example.org, local-to@example.org | local-to@example.org | global-cc@example.org, local-cc@example.org")
|
|
|
|
from govoplan_campaign.backend.db.models import CampaignJob
|
|
with SessionLocal() as session:
|
|
job = session.query(CampaignJob).filter(CampaignJob.campaign_id == campaign_id).one()
|
|
self.assertEqual([item["email"] for item in job.resolved_recipients["from_all"]], ["local-from@example.org"])
|
|
self.assertEqual([item["email"] for item in job.resolved_recipients["to"]], ["global-to@example.org", "local-to@example.org"])
|
|
message = BytesParser(policy=policy.default).parsebytes(Path(job.eml_local_path).read_bytes())
|
|
self.assertIsNone(message["Sender"])
|
|
self.assertEqual([address.addr_spec for address in message["From"].addresses], ["local-from@example.org"])
|
|
self.assertEqual([address.addr_spec for address in message["To"].addresses], ["global-to@example.org", "local-to@example.org"])
|
|
self.assertEqual([address.addr_spec for address in message["Cc"].addresses], ["global-cc@example.org", "local-cc@example.org"])
|
|
self.assertEqual([address.addr_spec for address in message["Reply-To"].addresses], ["global-reply@example.org", "local-reply@example.org"])
|
|
self.assertIn("local-from@example.org / global-reply@example.org, local-reply@example.org", message.get_body(preferencelist=("plain",)).get_content())
|
|
|
|
def test_multiple_from_addresses_are_rejected(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "multiple-from", "name": "Multiple From", "mode": "test"},
|
|
"fields": [],
|
|
"global_values": {},
|
|
"server": {"smtp": {"host": "smtp.example.invalid", "port": 587, "security": "starttls"}},
|
|
"recipients": {
|
|
"from": [
|
|
{"email": "first@example.org", "type": "to"},
|
|
{"email": "second@example.org", "type": "to"},
|
|
],
|
|
"to": [{"email": "recipient@example.org", "type": "to"}],
|
|
},
|
|
"template": {"subject": "Subject", "text": "Body"},
|
|
"attachments": {"base_path": ".", "base_paths": [], "global": [], "zip": {"enabled": False, "archives": []}},
|
|
"entries": {"inline": [{"id": "recipient-1"}]},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block"},
|
|
"delivery": {"imap_append_sent": {"enabled": False}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
created = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created.status_code, 422, created.text)
|
|
|
|
def test_duplicate_zip_archive_filenames_block_validation(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "duplicate-zip-names", "name": "Duplicate ZIP names", "mode": "test"},
|
|
"fields": [],
|
|
"global_values": {},
|
|
"server": {"smtp": {"host": "smtp.example.invalid", "port": 587, "security": "starttls"}},
|
|
"recipients": {"from": {"email": "sender@example.org", "type": "to"}, "allow_individual_to": True},
|
|
"template": {"subject": "ZIP validation", "text": "Body"},
|
|
"attachments": {
|
|
"base_path": ".",
|
|
"base_paths": [],
|
|
"global": [],
|
|
"zip": {
|
|
"enabled": True,
|
|
"archives": [
|
|
{"id": "first", "name": "Recipient-Bundle", "standard": True},
|
|
{"id": "second", "name": "recipient-bundle.zip", "standard": False},
|
|
],
|
|
},
|
|
},
|
|
"entries": {"inline": [{"id": "recipient", "to": [{"email": "recipient@example.org", "type": "to"}]}]},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block"},
|
|
"delivery": {"imap_append_sent": {"enabled": False}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
created = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
version_id = created.json()["version"]["id"]
|
|
validated = self.client.post(
|
|
f"/api/v1/campaigns/versions/{version_id}/validate",
|
|
headers=headers,
|
|
json={"check_files": False},
|
|
)
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertFalse(validated.json()["ok"], validated.text)
|
|
duplicate_issues = [
|
|
issue for issue in validated.json()["issues"]
|
|
if issue["code"] == "zip_archive_name_duplicate"
|
|
]
|
|
self.assertEqual(len(duplicate_issues), 1, validated.text)
|
|
self.assertEqual(duplicate_issues[0]["severity"], "error")
|
|
|
|
def test_recipient_zip_archive_with_field_password_and_rule_exclusions(self) -> None:
|
|
headers, login = self._login()
|
|
user_id = login["user"]["id"]
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "zip-attachments", "name": "ZIP attachments", "mode": "test"},
|
|
"fields": [
|
|
{"name": "invoice_number", "type": "string", "required": True},
|
|
{"name": "zip_password", "type": "password", "required": True},
|
|
{"name": "global_zip_password", "type": "password", "required": True},
|
|
],
|
|
"global_values": {"global_zip_password": "campaign-secret"},
|
|
"server": {"smtp": {"host": "smtp.example.invalid", "port": 587, "security": "starttls"}},
|
|
"recipients": {
|
|
"from": {"email": "sender@example.org", "name": "Sender", "type": "to"},
|
|
"allow_individual_to": True,
|
|
},
|
|
"template": {"subject": "Protected files", "text": "Please see the attached files."},
|
|
"attachments": {
|
|
"base_path": "documents",
|
|
"base_paths": [{
|
|
"id": "personal-documents",
|
|
"name": "My documents",
|
|
"source": f"managed:user:{user_id}",
|
|
"path": "documents",
|
|
"allow_individual": True,
|
|
}],
|
|
"zip": {
|
|
"enabled": True,
|
|
"archives": [
|
|
{
|
|
"id": "recipient-bundle",
|
|
"name": "bundle-{{local:invoice_number}}.zip",
|
|
"standard": True,
|
|
"password_enabled": True,
|
|
"password_field": "zip_password",
|
|
"password_scope": "local",
|
|
"method": "aes"
|
|
},
|
|
{
|
|
"id": "shared-bundle",
|
|
"name": "shared-files.zip",
|
|
"standard": False,
|
|
"password_enabled": True,
|
|
"password_field": "global_zip_password",
|
|
"password_scope": "global",
|
|
"method": "aes"
|
|
}
|
|
]
|
|
},
|
|
"global": [{
|
|
"id": "guide",
|
|
"label": "Guide outside ZIP",
|
|
"base_path_id": "personal-documents",
|
|
"base_dir": "documents",
|
|
"file_filter": "guide.pdf",
|
|
"required": True,
|
|
"zip": {"mode": "exclude"},
|
|
}],
|
|
"allow_individual": True,
|
|
},
|
|
"entries": {"inline": [{
|
|
"id": "recipient-zip",
|
|
"to": [{"email": "recipient@example.org", "name": "Recipient", "type": "to"}],
|
|
"fields": {"invoice_number": "2026-001", "zip_password": "recipient-secret"},
|
|
"attachments": [
|
|
{
|
|
"id": "invoice",
|
|
"label": "Invoice in ZIP",
|
|
"base_path_id": "personal-documents",
|
|
"base_dir": "documents",
|
|
"file_filter": "invoice.pdf",
|
|
"required": True,
|
|
"zip": {"mode": "inherit"},
|
|
},
|
|
{
|
|
"id": "invoice-outside",
|
|
"label": "Invoice outside ZIP as well",
|
|
"base_path_id": "personal-documents",
|
|
"base_dir": "documents",
|
|
"file_filter": "invoice.pdf",
|
|
"required": True,
|
|
"zip": {"archive_id": "exclude"},
|
|
},
|
|
{
|
|
"id": "cover",
|
|
"label": "Cover in shared ZIP",
|
|
"base_path_id": "personal-documents",
|
|
"base_dir": "documents",
|
|
"file_filter": "cover.txt",
|
|
"required": True,
|
|
"zip": {"archive_id": "shared-bundle"},
|
|
},
|
|
{
|
|
"id": "receipt",
|
|
"label": "Receipt outside ZIP",
|
|
"base_path_id": "personal-documents",
|
|
"base_dir": "documents",
|
|
"file_filter": "receipt.txt",
|
|
"required": True,
|
|
"zip": {"archive_id": "exclude"}
|
|
},
|
|
],
|
|
}]},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block", "missing_required_attachment": "block"},
|
|
"delivery": {"imap_append_sent": {"enabled": False}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
|
|
created = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
|
|
for filename, content, content_type in [
|
|
("guide.pdf", b"global guide", "application/pdf"),
|
|
("invoice.pdf", b"secret invoice", "application/pdf"),
|
|
("cover.txt", b"shared cover", "text/plain"),
|
|
("receipt.txt", b"outside receipt", "text/plain"),
|
|
]:
|
|
uploaded = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={"owner_type": "user", "owner_id": user_id, "path": "documents", "campaign_id": campaign_id},
|
|
files=[("files", (filename, content, content_type))],
|
|
)
|
|
self.assertEqual(uploaded.status_code, 200, uploaded.text)
|
|
|
|
preview = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/attachments/preview",
|
|
headers=headers,
|
|
json={"include_unmatched": True},
|
|
)
|
|
self.assertEqual(preview.status_code, 200, preview.text)
|
|
by_id = {rule["attachment_id"]: rule for rule in preview.json()["rules"]}
|
|
self.assertFalse(by_id["guide"]["zip_included"])
|
|
self.assertTrue(by_id["invoice"]["zip_included"])
|
|
self.assertFalse(by_id["invoice-outside"]["zip_included"])
|
|
self.assertTrue(by_id["cover"]["zip_included"])
|
|
self.assertEqual(by_id["cover"]["zip_archive_id"], "shared-bundle")
|
|
self.assertFalse(by_id["receipt"]["zip_included"])
|
|
|
|
validated = self.client.post(
|
|
f"/api/v1/campaigns/versions/{version_id}/validate",
|
|
headers=headers,
|
|
json={"check_files": True},
|
|
)
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertTrue(validated.json()["ok"], validated.text)
|
|
|
|
built = self.client.post(
|
|
f"/api/v1/campaigns/versions/{version_id}/build",
|
|
headers=headers,
|
|
json={"write_eml": True},
|
|
)
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
message_summary = built.json()["messages"][0]
|
|
self.assertEqual(message_summary["attachment_count"], 5)
|
|
summaries = {item["attachment_id"]: item for item in message_summary["attachments"]}
|
|
self.assertEqual(summaries["invoice"]["zip_filename"], "bundle-2026-001.zip")
|
|
self.assertIsNone(summaries["guide"]["zip_filename"])
|
|
self.assertIsNone(summaries["invoice-outside"]["zip_filename"])
|
|
self.assertEqual(summaries["cover"]["zip_filename"], "shared-files.zip")
|
|
self.assertIsNone(summaries["receipt"]["zip_filename"])
|
|
|
|
from govoplan_files.backend.db.models import CampaignAttachmentUse
|
|
from govoplan_campaign.backend.db.models import CampaignJob
|
|
|
|
with SessionLocal() as session:
|
|
job = session.query(CampaignJob).filter(CampaignJob.campaign_id == campaign_id).one()
|
|
eml_path = Path(job.eml_local_path)
|
|
message = BytesParser(policy=policy.default).parsebytes(eml_path.read_bytes())
|
|
uses = (
|
|
session.query(CampaignAttachmentUse)
|
|
.filter(
|
|
CampaignAttachmentUse.campaign_job_id == job.id,
|
|
CampaignAttachmentUse.use_stage == "built",
|
|
)
|
|
.all()
|
|
)
|
|
self.assertEqual(len(uses), 4)
|
|
self.assertEqual(sum(use.filename_used == "invoice.pdf" for use in uses), 1)
|
|
|
|
attachments = {part.get_filename(): part.get_payload(decode=True) for part in message.iter_attachments()}
|
|
self.assertEqual(set(attachments), {"guide.pdf", "invoice.pdf", "receipt.txt", "bundle-2026-001.zip", "shared-files.zip"})
|
|
self.assertEqual(attachments["guide.pdf"], b"global guide")
|
|
self.assertEqual(attachments["invoice.pdf"], b"secret invoice")
|
|
self.assertEqual(attachments["receipt.txt"], b"outside receipt")
|
|
with pyzipper.AESZipFile(io.BytesIO(attachments["bundle-2026-001.zip"])) as archive:
|
|
archive.setpassword(b"recipient-secret")
|
|
self.assertEqual(archive.namelist(), ["invoice.pdf"])
|
|
self.assertEqual(archive.read("invoice.pdf"), b"secret invoice")
|
|
with pyzipper.AESZipFile(io.BytesIO(attachments["shared-files.zip"])) as archive:
|
|
archive.setpassword(b"campaign-secret")
|
|
self.assertEqual(archive.namelist(), ["cover.txt"])
|
|
self.assertEqual(archive.read("cover.txt"), b"shared cover")
|
|
|
|
|
|
|
|
def test_execution_snapshot_freezes_delivery_configuration_and_job_manifest(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_id, version_id = self._create_built_delivery_campaign(
|
|
headers,
|
|
external_id="snapshot-freeze",
|
|
)
|
|
|
|
from govoplan_campaign.backend.db.models import CampaignJob, CampaignVersion
|
|
|
|
with SessionLocal() as session:
|
|
version = session.get(CampaignVersion, version_id)
|
|
self.assertIsNotNone(version)
|
|
assert version is not None
|
|
snapshot = version.execution_snapshot
|
|
self.assertIsInstance(snapshot, dict)
|
|
self.assertEqual(snapshot["snapshot_version"], "3")
|
|
self.assertEqual(snapshot["job_count"], 1)
|
|
self.assertEqual(snapshot["queueable_job_count"], 1)
|
|
self.assertTrue(snapshot["job_manifest_sha256"])
|
|
self.assertTrue(snapshot["smtp_config_fingerprint"])
|
|
self.assertIsNone(snapshot["smtp"].get("password"))
|
|
self.assertTrue(version.execution_snapshot_hash)
|
|
job = session.query(CampaignJob).filter(CampaignJob.campaign_version_id == version_id).one()
|
|
self.assertTrue(job.eml_sha256)
|
|
self.assertTrue(job.message_id_header)
|
|
|
|
# Simulate accidental/config-drift mutation after the build. Sending
|
|
# must still use the immutable mock SMTP snapshot, not raw_json.
|
|
mutated = json.loads(json.dumps(version.raw_json))
|
|
mutated["server"]["smtp"]["host"] = "smtp.example.invalid"
|
|
version.raw_json = mutated
|
|
session.add(version)
|
|
session.commit()
|
|
|
|
sent = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/send-now",
|
|
headers=headers,
|
|
json={
|
|
"version_id": version_id,
|
|
"validate_before_send": False,
|
|
"build_before_send": False,
|
|
"use_rate_limit": False,
|
|
"enqueue_imap_task": False,
|
|
},
|
|
)
|
|
self.assertEqual(sent.status_code, 200, sent.text)
|
|
self.assertEqual(sent.json()["result"]["sent_count"], 1, sent.text)
|
|
self.assertEqual(sent.json()["result"]["outcome_unknown_count"], 0, sent.text)
|
|
|
|
with SessionLocal() as session:
|
|
job = session.query(CampaignJob).filter(CampaignJob.campaign_version_id == version_id).one()
|
|
self.assertEqual(job.send_status, "smtp_accepted")
|
|
|
|
def test_send_now_sends_exact_generated_eml_bytes(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_id, version_id = self._create_built_delivery_campaign(
|
|
headers,
|
|
external_id="exact-eml-parity",
|
|
)
|
|
|
|
from govoplan_campaign.backend.db.models import CampaignJob
|
|
from govoplan_mail.backend.dev.mock_mailbox import list_records
|
|
|
|
with SessionLocal() as session:
|
|
job = session.query(CampaignJob).filter(CampaignJob.campaign_version_id == version_id).one()
|
|
self.assertIsNotNone(job.eml_local_path)
|
|
generated_eml = Path(job.eml_local_path).read_bytes()
|
|
|
|
sent = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/send-now",
|
|
headers=headers,
|
|
json={
|
|
"version_id": version_id,
|
|
"validate_before_send": False,
|
|
"build_before_send": False,
|
|
"use_rate_limit": False,
|
|
"enqueue_imap_task": False,
|
|
},
|
|
)
|
|
self.assertEqual(sent.status_code, 200, sent.text)
|
|
|
|
records = list_records(kind="smtp")
|
|
self.assertEqual(len(records), 1)
|
|
raw_filename = records[0].get("raw_filename")
|
|
self.assertTrue(raw_filename)
|
|
captured_eml = (_TEST_ROOT / "mock-mailbox" / "messages" / str(raw_filename)).read_bytes()
|
|
self.assertEqual(captured_eml, generated_eml)
|
|
|
|
def test_send_now_rejects_modified_generated_eml_before_delivery(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_id, version_id = self._create_built_delivery_campaign(
|
|
headers,
|
|
external_id="tampered-eml",
|
|
)
|
|
|
|
from govoplan_campaign.backend.db.models import CampaignJob
|
|
from govoplan_mail.backend.dev.mock_mailbox import list_records
|
|
|
|
with SessionLocal() as session:
|
|
job = session.query(CampaignJob).filter(CampaignJob.campaign_version_id == version_id).one()
|
|
self.assertIsNotNone(job.eml_local_path)
|
|
eml_path = Path(job.eml_local_path)
|
|
eml_path.write_bytes(eml_path.read_bytes() + b"\r\nX-Tampered: true\r\n")
|
|
|
|
sent = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/send-now",
|
|
headers=headers,
|
|
json={
|
|
"version_id": version_id,
|
|
"validate_before_send": False,
|
|
"build_before_send": False,
|
|
"use_rate_limit": False,
|
|
"enqueue_imap_task": False,
|
|
},
|
|
)
|
|
self.assertEqual(sent.status_code, 200, sent.text)
|
|
self.assertEqual(sent.json()["result"]["failed_count"], 1)
|
|
self.assertIn("Generated EML", sent.json()["result"]["results"][0]["message"])
|
|
self.assertEqual(list_records(kind="smtp"), [])
|
|
|
|
def test_partial_smtp_recipient_refusal_is_recorded_without_retrying_accepted_delivery(self) -> None:
|
|
headers, _ = self._login()
|
|
from govoplan_mail.backend.dev.mock_mailbox import set_failures
|
|
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "partial-refusal", "name": "Partial refusal", "mode": "test"},
|
|
"fields": [],
|
|
"global_values": {},
|
|
"server": {
|
|
"smtp": {
|
|
"host": "mock.smtp",
|
|
"port": 2525,
|
|
"username": "sender@example.org",
|
|
"password": "test-secret",
|
|
"security": "starttls",
|
|
}
|
|
},
|
|
"recipients": {
|
|
"from": {"email": "sender@example.org", "name": "Sender", "type": "to"},
|
|
"allow_individual_to": True,
|
|
},
|
|
"template": {"subject": "Partial", "text": "Partial"},
|
|
"attachments": {"base_path": ".", "global": [], "allow_individual": False},
|
|
"entries": {
|
|
"inline": [
|
|
{
|
|
"id": "one",
|
|
"to": [
|
|
{"email": "accepted@example.org", "type": "to"},
|
|
{"email": "reject-me@example.org", "type": "to"},
|
|
],
|
|
"fields": {},
|
|
}
|
|
]
|
|
},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block"},
|
|
"delivery": {"rate_limit": {"messages_per_minute": 60}, "imap_append_sent": {"enabled": False}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
created = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
validated = self.client.post(f"/api/v1/campaigns/versions/{version_id}/validate", headers=headers, json={"check_files": False})
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
built = self.client.post(f"/api/v1/campaigns/versions/{version_id}/build", headers=headers, json={"write_eml": True})
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
|
|
try:
|
|
set_failures(smtp_reject_recipients_containing="reject-me")
|
|
sent = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/send-now",
|
|
headers=headers,
|
|
json={
|
|
"version_id": version_id,
|
|
"validate_before_send": False,
|
|
"build_before_send": False,
|
|
"use_rate_limit": False,
|
|
"enqueue_imap_task": False,
|
|
},
|
|
)
|
|
self.assertEqual(sent.status_code, 200, sent.text)
|
|
result = sent.json()["result"]
|
|
self.assertEqual(result["sent_count"], 1, sent.text)
|
|
self.assertIn("refused recipients", result["results"][0]["message"])
|
|
finally:
|
|
set_failures(smtp_reject_recipients_containing=None)
|
|
|
|
from govoplan_campaign.backend.db.models import CampaignJob, SendAttempt
|
|
from govoplan_campaign.backend.sending.jobs import send_campaign_job
|
|
with SessionLocal() as session:
|
|
job = session.query(CampaignJob).filter(CampaignJob.campaign_version_id == version_id).one()
|
|
self.assertEqual(job.send_status, "smtp_accepted")
|
|
self.assertIn("reject-me@example.org", job.last_error or "")
|
|
job_id = job.id
|
|
attempt_count = job.attempt_count
|
|
attempt = session.query(SendAttempt).filter(SendAttempt.job_id == job.id).one()
|
|
self.assertEqual(attempt.status, "smtp_accepted_with_refusals")
|
|
self.assertIn("reject-me@example.org", attempt.smtp_response or "")
|
|
|
|
retry_accepted = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/retry",
|
|
headers=headers,
|
|
json={"version_id": version_id, "job_ids": [job_id], "include_permanent": True, "enqueue_celery": False},
|
|
)
|
|
self.assertEqual(retry_accepted.status_code, 200, retry_accepted.text)
|
|
self.assertEqual(retry_accepted.json()["result"]["selected_count"], 0)
|
|
self.assertIn("not an explicit retry candidate", retry_accepted.json()["result"]["skipped"][0]["reason"])
|
|
|
|
unattempted_accepted = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/send-unattempted",
|
|
headers=headers,
|
|
json={"version_id": version_id, "job_ids": [job_id], "enqueue_celery": False},
|
|
)
|
|
self.assertEqual(unattempted_accepted.status_code, 200, unattempted_accepted.text)
|
|
self.assertEqual(unattempted_accepted.json()["result"]["selected_count"], 0)
|
|
|
|
with SessionLocal() as session:
|
|
direct_result = send_campaign_job(session, job_id=job_id, use_rate_limit=False)
|
|
self.assertEqual(direct_result.status, "already_accepted")
|
|
job = session.get(CampaignJob, job_id)
|
|
self.assertEqual(job.attempt_count, attempt_count)
|
|
|
|
def test_worker_loss_becomes_unknown_and_requires_reconciliation_before_retry(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_id, version_id = self._create_built_delivery_campaign(
|
|
headers,
|
|
external_id="worker-loss",
|
|
recipient_count=2,
|
|
)
|
|
queued = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/queue",
|
|
headers=headers,
|
|
json={"version_id": version_id, "enqueue_celery": False},
|
|
)
|
|
self.assertEqual(queued.status_code, 200, queued.text)
|
|
self.assertEqual(queued.json()["queued_count"], 2)
|
|
|
|
queued_summary = self.client.get(f"/api/v1/campaigns/{campaign_id}/summary", headers=headers, params={"version_id": version_id})
|
|
self.assertEqual(queued_summary.status_code, 200, queued_summary.text)
|
|
self.assertEqual(queued_summary.json()["cards"]["queued_or_active"], 2)
|
|
self.assertEqual(queued_summary.json()["status_counts"]["send"]["queued"], 2)
|
|
|
|
from govoplan_campaign.backend.db.models import Campaign, CampaignJob, CampaignVersion, SendAttempt
|
|
from govoplan_campaign.backend.sending.jobs import send_campaign_job
|
|
|
|
with SessionLocal() as session:
|
|
jobs = (
|
|
session.query(CampaignJob)
|
|
.filter(CampaignJob.campaign_version_id == version_id)
|
|
.order_by(CampaignJob.entry_index.asc())
|
|
.all()
|
|
)
|
|
uncertain_job = jobs[0]
|
|
now = datetime.now(timezone.utc)
|
|
uncertain_job.queue_status = "sending"
|
|
uncertain_job.send_status = "sending"
|
|
uncertain_job.claimed_at = now
|
|
uncertain_job.smtp_started_at = now
|
|
uncertain_job.claim_token = "worker-loss-claim"
|
|
uncertain_job.attempt_count = 1
|
|
session.add(
|
|
SendAttempt(
|
|
job_id=uncertain_job.id,
|
|
attempt_number=1,
|
|
status="smtp_in_progress",
|
|
claim_token=uncertain_job.claim_token,
|
|
started_at=now,
|
|
)
|
|
)
|
|
session.add(uncertain_job)
|
|
session.commit()
|
|
uncertain_job_id = uncertain_job.id
|
|
|
|
with SessionLocal() as session:
|
|
result = send_campaign_job(session, job_id=uncertain_job_id, use_rate_limit=False)
|
|
self.assertEqual(result.status, "outcome_unknown")
|
|
|
|
retry_unknown = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/retry",
|
|
headers=headers,
|
|
json={"version_id": version_id, "job_ids": [uncertain_job_id], "enqueue_celery": False},
|
|
)
|
|
self.assertEqual(retry_unknown.status_code, 200, retry_unknown.text)
|
|
self.assertEqual(retry_unknown.json()["result"]["selected_count"], 0)
|
|
|
|
cancelled = self.client.post(f"/api/v1/campaigns/{campaign_id}/cancel", headers=headers)
|
|
self.assertEqual(cancelled.status_code, 200, cancelled.text)
|
|
with SessionLocal() as session:
|
|
campaign = session.get(Campaign, campaign_id)
|
|
version = session.get(CampaignVersion, version_id)
|
|
self.assertEqual(campaign.status, "outcome_unknown")
|
|
self.assertEqual(version.workflow_state, "outcome_unknown")
|
|
|
|
page = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs",
|
|
headers=headers,
|
|
params={"version_id": version_id, "page": 1, "page_size": 1},
|
|
)
|
|
self.assertEqual(page.status_code, 200, page.text)
|
|
self.assertEqual(page.json()["total"], 2)
|
|
self.assertEqual(page.json()["pages"], 2)
|
|
self.assertEqual(page.json()["counts"]["send"]["outcome_unknown"], 1)
|
|
self.assertNotIn("resolved_recipients", page.json()["jobs"][0])
|
|
|
|
filtered_page = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs",
|
|
headers=headers,
|
|
params={"version_id": version_id, "send_status": "outcome_unknown"},
|
|
)
|
|
self.assertEqual(filtered_page.status_code, 200, filtered_page.text)
|
|
self.assertEqual(filtered_page.json()["total"], 1)
|
|
self.assertEqual(filtered_page.json()["total_unfiltered"], 2)
|
|
self.assertEqual(filtered_page.json()["filtered_counts"]["send"]["outcome_unknown"], 1)
|
|
|
|
summary = self.client.get(f"/api/v1/campaigns/{campaign_id}/summary", headers=headers, params={"version_id": version_id})
|
|
self.assertEqual(summary.status_code, 200, summary.text)
|
|
self.assertEqual(summary.json()["cards"]["outcome_unknown"], 1)
|
|
self.assertEqual(summary.json()["status_counts"]["send"]["outcome_unknown"], 1)
|
|
|
|
detail = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/{uncertain_job_id}",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(detail.status_code, 200, detail.text)
|
|
self.assertIn("resolved_recipients", detail.json()["job"])
|
|
self.assertEqual(detail.json()["attempts"]["smtp"][0]["status"], "outcome_unknown")
|
|
|
|
resolved = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/{uncertain_job_id}/resolve-outcome",
|
|
headers=headers,
|
|
json={"decision": "not_sent", "note": "Verified against the SMTP logs."},
|
|
)
|
|
self.assertEqual(resolved.status_code, 200, resolved.text)
|
|
self.assertEqual(resolved.json()["result"]["send_status"], "failed_temporary")
|
|
|
|
reconciled_report = self.client.get(f"/api/v1/campaigns/{campaign_id}/report", headers=headers, params={"version_id": version_id})
|
|
self.assertEqual(reconciled_report.status_code, 200, reconciled_report.text)
|
|
self.assertEqual(reconciled_report.json()["cards"]["outcome_unknown"], 0)
|
|
self.assertEqual(reconciled_report.json()["cards"]["failed"], 1)
|
|
self.assertEqual(reconciled_report.json()["status_counts"]["send"]["failed_temporary"], 1)
|
|
|
|
retry = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs/retry",
|
|
headers=headers,
|
|
json={"version_id": version_id, "job_ids": [uncertain_job_id], "enqueue_celery": False},
|
|
)
|
|
self.assertEqual(retry.status_code, 200, retry.text)
|
|
self.assertEqual(retry.json()["result"]["selected_count"], 1)
|
|
with SessionLocal() as session:
|
|
job = session.get(CampaignJob, uncertain_job_id)
|
|
self.assertEqual(job.send_status, "queued")
|
|
|
|
def test_mixed_delivery_results_are_explicitly_partially_completed(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_id, version_id = self._create_built_delivery_campaign(
|
|
headers,
|
|
external_id="partial-result",
|
|
recipient_count=2,
|
|
)
|
|
|
|
from govoplan_campaign.backend.db.models import Campaign, CampaignJob, CampaignVersion
|
|
from govoplan_campaign.backend.sending.jobs import _update_campaign_after_job
|
|
|
|
with SessionLocal() as session:
|
|
jobs = (
|
|
session.query(CampaignJob)
|
|
.filter(CampaignJob.campaign_version_id == version_id)
|
|
.order_by(CampaignJob.entry_index.asc())
|
|
.all()
|
|
)
|
|
jobs[0].send_status = "smtp_accepted"
|
|
jobs[0].sent_at = datetime.now(timezone.utc)
|
|
jobs[1].send_status = "failed_permanent"
|
|
jobs[1].last_error = "Explicit SMTP rejection"
|
|
for job in jobs:
|
|
job.queue_status = "draft"
|
|
session.add(job)
|
|
_update_campaign_after_job(session, campaign_id, version_id)
|
|
session.commit()
|
|
|
|
campaign = session.get(Campaign, campaign_id)
|
|
version = session.get(CampaignVersion, version_id)
|
|
self.assertEqual(campaign.status, "partially_completed")
|
|
self.assertEqual(version.workflow_state, "partially_completed")
|
|
|
|
report = self.client.get(f"/api/v1/campaigns/{campaign_id}/report", headers=headers)
|
|
self.assertEqual(report.status_code, 200, report.text)
|
|
cards = report.json()["cards"]
|
|
self.assertEqual(cards["smtp_accepted"], 1)
|
|
self.assertEqual(cards["failed"], 1)
|
|
self.assertTrue(cards["partially_completed"])
|
|
|
|
|
|
def test_reports_and_job_review_are_scoped_to_the_selected_version(self) -> None:
|
|
headers, _ = self._login()
|
|
campaign_id, first_version_id = self._create_built_delivery_campaign(
|
|
headers,
|
|
external_id="version-scoped-report",
|
|
recipient_count=1,
|
|
)
|
|
|
|
locked = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{first_version_id}/lock-permanently",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(locked.status_code, 200, locked.text)
|
|
copied = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{first_version_id}/fork",
|
|
headers=headers,
|
|
json={},
|
|
)
|
|
self.assertEqual(copied.status_code, 200, copied.text)
|
|
second_version_id = copied.json()["version"]["id"]
|
|
|
|
version_response = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{second_version_id}",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(version_response.status_code, 200, version_response.text)
|
|
campaign_json = version_response.json()["raw_json"]
|
|
campaign_json["entries"]["inline"].append(
|
|
{
|
|
"id": "recipient-2",
|
|
"to": [{"email": "recipient-2@example.org", "type": "to"}],
|
|
"fields": {"first_name": "Recipient 2"},
|
|
}
|
|
)
|
|
updated = self.client.put(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{second_version_id}",
|
|
headers=headers,
|
|
json={"campaign_json": campaign_json},
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
validated = self.client.post(
|
|
f"/api/v1/campaigns/versions/{second_version_id}/validate",
|
|
headers=headers,
|
|
json={"check_files": False},
|
|
)
|
|
self.assertEqual(validated.status_code, 200, validated.text)
|
|
self.assertTrue(validated.json()["ok"], validated.text)
|
|
built = self.client.post(
|
|
f"/api/v1/campaigns/versions/{second_version_id}/build",
|
|
headers=headers,
|
|
json={"write_eml": True},
|
|
)
|
|
self.assertEqual(built.status_code, 200, built.text)
|
|
self.assertEqual(built.json()["built_count"], 2, built.text)
|
|
|
|
first_report = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/report",
|
|
headers=headers,
|
|
params={"version_id": first_version_id},
|
|
)
|
|
second_report = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/report",
|
|
headers=headers,
|
|
params={"version_id": second_version_id},
|
|
)
|
|
self.assertEqual(first_report.status_code, 200, first_report.text)
|
|
self.assertEqual(second_report.status_code, 200, second_report.text)
|
|
self.assertEqual(first_report.json()["selected_version_id"], first_version_id)
|
|
self.assertEqual(first_report.json()["cards"]["jobs_total"], 1)
|
|
self.assertEqual(second_report.json()["selected_version_id"], second_version_id)
|
|
self.assertEqual(second_report.json()["cards"]["jobs_total"], 2)
|
|
|
|
first_jobs = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/jobs",
|
|
headers=headers,
|
|
params={"version_id": first_version_id, "page_size": 1},
|
|
)
|
|
self.assertEqual(first_jobs.status_code, 200, first_jobs.text)
|
|
self.assertEqual(first_jobs.json()["total"], 1)
|
|
self.assertEqual(first_jobs.json()["total_unfiltered"], 1)
|
|
self.assertEqual(first_jobs.json()["review"]["required_count"], 0)
|
|
self.assertIn("reviewed", first_jobs.json()["jobs"][0])
|
|
self.assertNotIn("resolved_recipients", first_jobs.json()["jobs"][0])
|
|
|
|
first_csv = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/report/jobs.csv",
|
|
headers=headers,
|
|
params={"version_id": first_version_id},
|
|
)
|
|
second_csv = self.client.get(
|
|
f"/api/v1/campaigns/{campaign_id}/report/jobs.csv",
|
|
headers=headers,
|
|
params={"version_id": second_version_id},
|
|
)
|
|
self.assertEqual(first_csv.status_code, 200, first_csv.text)
|
|
self.assertEqual(second_csv.status_code, 200, second_csv.text)
|
|
self.assertEqual(len(first_csv.text.strip().splitlines()), 2)
|
|
self.assertEqual(len(second_csv.text.strip().splitlines()), 3)
|
|
|
|
emailed = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/report/email",
|
|
headers=headers,
|
|
json={
|
|
"version_id": first_version_id,
|
|
"to": ["auditor@example.org"],
|
|
"attach_jobs_csv": True,
|
|
"dry_run": True,
|
|
},
|
|
)
|
|
self.assertEqual(emailed.status_code, 200, emailed.text)
|
|
self.assertEqual(emailed.json()["result"]["version_id"], first_version_id)
|
|
self.assertTrue(emailed.json()["result"]["attached_jobs_csv"])
|
|
self.assertFalse(emailed.json()["result"]["sent"])
|
|
|
|
|
|
def test_tenant_user_group_role_and_api_key_administration(self) -> None:
|
|
headers, login = self._login()
|
|
system_headers, _ = self._login()
|
|
|
|
overview = self.client.get("/api/v1/admin/overview", headers=headers)
|
|
self.assertEqual(overview.status_code, 200, overview.text)
|
|
self.assertEqual(overview.json()["tenant_count"], 1)
|
|
|
|
created_tenant = self.client.post(
|
|
"/api/v1/admin/tenants",
|
|
headers=headers,
|
|
json={
|
|
"slug": "operations",
|
|
"name": "Operations",
|
|
"description": "Operational tenant",
|
|
"default_locale": "de",
|
|
"settings": {},
|
|
},
|
|
)
|
|
self.assertEqual(created_tenant.status_code, 201, created_tenant.text)
|
|
tenant_id = created_tenant.json()["id"]
|
|
|
|
# Suspending the tenant that backs the current session is rejected to
|
|
# prevent an administrator from invalidating the only context through
|
|
# which they can repair the instance. Switch first, then suspend.
|
|
reject_active_tenant_suspend = self.client.patch(
|
|
f"/api/v1/admin/tenants/{login['tenant']['id']}",
|
|
headers=system_headers,
|
|
json={"is_active": False},
|
|
)
|
|
self.assertEqual(reject_active_tenant_suspend.status_code, 409, reject_active_tenant_suspend.text)
|
|
|
|
# System roles do not bypass tenant context. Tenant administration must
|
|
# use a membership-backed active tenant selected on the session.
|
|
cross_tenant_users = self.client.get(
|
|
"/api/v1/admin/users",
|
|
headers=system_headers,
|
|
params={"tenant_id": tenant_id},
|
|
)
|
|
self.assertEqual(cross_tenant_users.status_code, 409, cross_tenant_users.text)
|
|
|
|
switched = self.client.post(
|
|
"/api/v1/auth/switch-tenant",
|
|
headers=headers,
|
|
json={"tenant_id": tenant_id},
|
|
)
|
|
self.assertEqual(switched.status_code, 200, switched.text)
|
|
self.assertEqual(switched.json()["active_tenant"]["id"], tenant_id)
|
|
switched_scopes = switched.json()["scopes"]
|
|
self.assertIn("tenant:*", switched_scopes)
|
|
self.assertIn("system:*", switched_scopes)
|
|
|
|
roles = self.client.get("/api/v1/admin/roles", headers=headers)
|
|
self.assertEqual(roles.status_code, 200, roles.text)
|
|
owner_role = next(role for role in roles.json()["roles"] if role["slug"] == "owner")
|
|
|
|
custom_role = self.client.post(
|
|
"/api/v1/admin/roles",
|
|
headers=headers,
|
|
json={
|
|
"slug": "file-reader",
|
|
"name": "File reader",
|
|
"description": "Read managed files only",
|
|
"permissions": ["files:read"],
|
|
},
|
|
)
|
|
self.assertEqual(custom_role.status_code, 201, custom_role.text)
|
|
custom_role_id = custom_role.json()["id"]
|
|
|
|
group = self.client.post(
|
|
"/api/v1/admin/groups",
|
|
headers=headers,
|
|
json={
|
|
"slug": "file-reviewers",
|
|
"name": "File reviewers",
|
|
"description": "Read-only file access",
|
|
"member_ids": [],
|
|
"role_ids": [custom_role_id],
|
|
},
|
|
)
|
|
self.assertEqual(group.status_code, 201, group.text)
|
|
group_id = group.json()["id"]
|
|
|
|
created_user = self.client.post(
|
|
"/api/v1/admin/users",
|
|
headers=headers,
|
|
json={
|
|
"email": "reader@example.local",
|
|
"display_name": "Reader",
|
|
"password": "reader-password-123",
|
|
"password_reset_required": False,
|
|
"is_active": True,
|
|
"group_ids": [group_id],
|
|
"role_ids": [],
|
|
},
|
|
)
|
|
self.assertEqual(created_user.status_code, 201, created_user.text)
|
|
reader_id = created_user.json()["user"]["id"]
|
|
self.assertEqual(created_user.json()["temporary_password"], "reader-password-123")
|
|
self.assertEqual(created_user.json()["user"]["roles"], [])
|
|
self.assertIn("files:read", created_user.json()["user"]["effective_scopes"])
|
|
|
|
reader_login = self.client.post(
|
|
"/api/v1/auth/login",
|
|
json={
|
|
"email": "reader@example.local",
|
|
"password": "reader-password-123",
|
|
"tenant_slug": "operations",
|
|
},
|
|
)
|
|
self.assertEqual(reader_login.status_code, 200, reader_login.text)
|
|
reader_headers = {"Authorization": f"Bearer {reader_login.json()['access_token']}"}
|
|
|
|
file_spaces = self.client.get("/api/v1/files/spaces", headers=reader_headers)
|
|
self.assertEqual(file_spaces.status_code, 200, file_spaces.text)
|
|
denied_admin = self.client.get("/api/v1/admin/users", headers=reader_headers)
|
|
self.assertEqual(denied_admin.status_code, 403, denied_admin.text)
|
|
|
|
excessive_key = self.client.post(
|
|
"/api/v1/admin/api-keys",
|
|
headers=headers,
|
|
json={
|
|
"name": "Too broad",
|
|
"user_id": reader_id,
|
|
"scopes": ["campaign:send"],
|
|
},
|
|
)
|
|
self.assertEqual(excessive_key.status_code, 422, excessive_key.text)
|
|
|
|
reader_key = self.client.post(
|
|
"/api/v1/admin/api-keys",
|
|
headers=headers,
|
|
json={
|
|
"name": "Reader key",
|
|
"user_id": reader_id,
|
|
"scopes": ["files:read"],
|
|
},
|
|
)
|
|
self.assertEqual(reader_key.status_code, 201, reader_key.text)
|
|
api_headers = {"X-API-Key": reader_key.json()["secret"]}
|
|
self.assertEqual(self.client.get("/api/v1/files/spaces", headers=api_headers).status_code, 200)
|
|
self.assertEqual(self.client.get("/api/v1/campaigns", headers=api_headers).status_code, 403)
|
|
|
|
# API keys are bounded by the owning membership's live permissions.
|
|
# Removing the group's role must immediately narrow the existing key.
|
|
narrowed_group = self.client.patch(
|
|
f"/api/v1/admin/groups/{group_id}",
|
|
headers=headers,
|
|
json={"role_ids": []},
|
|
)
|
|
self.assertEqual(narrowed_group.status_code, 200, narrowed_group.text)
|
|
self.assertEqual(self.client.get("/api/v1/files/spaces", headers=api_headers).status_code, 403)
|
|
|
|
# The active tenant must retain an operational owner. The only owner is
|
|
# the system administrator's automatically created membership.
|
|
remove_last_owner = self.client.patch(
|
|
f"/api/v1/admin/users/{login['user']['id']}",
|
|
headers=headers,
|
|
json={"group_ids": [], "role_ids": []},
|
|
)
|
|
# The original login user id belongs to the default tenant, so the
|
|
# operations tenant correctly hides it rather than crossing tenant scope.
|
|
self.assertEqual(remove_last_owner.status_code, 404, remove_last_owner.text)
|
|
|
|
operations_users = self.client.get("/api/v1/admin/users", headers=headers)
|
|
self.assertEqual(operations_users.status_code, 200, operations_users.text)
|
|
operation_admin = next(user for user in operations_users.json()["users"] if user["email"] == "admin@example.local")
|
|
self.assertTrue(any(role["id"] == owner_role["id"] for role in operation_admin["roles"]))
|
|
remove_last_owner = self.client.patch(
|
|
f"/api/v1/admin/users/{operation_admin['id']}",
|
|
headers=headers,
|
|
json={"group_ids": [], "role_ids": []},
|
|
)
|
|
self.assertEqual(remove_last_owner.status_code, 409, remove_last_owner.text)
|
|
|
|
tenant_owner = self.client.post(
|
|
"/api/v1/admin/users",
|
|
headers=headers,
|
|
json={
|
|
"email": "tenant-owner@example.local",
|
|
"display_name": "Tenant Owner",
|
|
"password": "tenant-owner-password",
|
|
"password_reset_required": False,
|
|
"is_active": True,
|
|
"group_ids": [],
|
|
"role_ids": [owner_role["id"]],
|
|
},
|
|
)
|
|
self.assertEqual(tenant_owner.status_code, 201, tenant_owner.text)
|
|
tenant_owner_account_id = tenant_owner.json()["user"]["account_id"]
|
|
tenant_owner_login = self.client.post(
|
|
"/api/v1/auth/login",
|
|
json={
|
|
"email": "tenant-owner@example.local",
|
|
"password": "tenant-owner-password",
|
|
"tenant_slug": "operations",
|
|
},
|
|
)
|
|
self.assertEqual(tenant_owner_login.status_code, 200, tenant_owner_login.text)
|
|
tenant_owner_scopes = tenant_owner_login.json()["scopes"]
|
|
self.assertIn("tenant:*", tenant_owner_scopes)
|
|
self.assertNotIn("system:*", tenant_owner_scopes)
|
|
tenant_owner_headers = {"Authorization": f"Bearer {tenant_owner_login.json()['access_token']}"}
|
|
self.assertEqual(self.client.get("/api/v1/admin/users", headers=tenant_owner_headers).status_code, 200)
|
|
self.assertEqual(self.client.get("/api/v1/admin/tenants", headers=tenant_owner_headers).status_code, 403)
|
|
tenant_settings = self.client.get("/api/v1/admin/tenant/settings", headers=tenant_owner_headers)
|
|
self.assertEqual(tenant_settings.status_code, 200, tenant_settings.text)
|
|
self.assertEqual(tenant_settings.json()["default_locale"], "de")
|
|
updated_tenant_settings = self.client.patch(
|
|
"/api/v1/admin/tenant/settings",
|
|
headers=tenant_owner_headers,
|
|
json={"default_locale": "de-AT"},
|
|
)
|
|
self.assertEqual(updated_tenant_settings.status_code, 200, updated_tenant_settings.text)
|
|
self.assertEqual(updated_tenant_settings.json()["default_locale"], "de-AT")
|
|
refreshed_tenant_owner = self.client.get("/api/v1/auth/me", headers=tenant_owner_headers)
|
|
self.assertEqual(refreshed_tenant_owner.status_code, 200, refreshed_tenant_owner.text)
|
|
self.assertEqual(refreshed_tenant_owner.json()["active_tenant"]["default_locale"], "de-AT")
|
|
|
|
# Global account suspension immediately invalidates all of its tenant
|
|
# sessions. Reactivation restores access without changing memberships.
|
|
disabled_tenant_owner = self.client.patch(
|
|
f"/api/v1/admin/system/accounts/{tenant_owner_account_id}",
|
|
headers=system_headers,
|
|
json={"is_active": False},
|
|
)
|
|
self.assertEqual(disabled_tenant_owner.status_code, 200, disabled_tenant_owner.text)
|
|
self.assertEqual(self.client.get("/api/v1/auth/me", headers=tenant_owner_headers).status_code, 401)
|
|
reenabled_tenant_owner = self.client.patch(
|
|
f"/api/v1/admin/system/accounts/{tenant_owner_account_id}",
|
|
headers=system_headers,
|
|
json={"is_active": True},
|
|
)
|
|
self.assertEqual(reenabled_tenant_owner.status_code, 200, reenabled_tenant_owner.text)
|
|
self.assertEqual(self.client.get("/api/v1/auth/me", headers=tenant_owner_headers).status_code, 200)
|
|
|
|
system_accounts = self.client.get("/api/v1/admin/system/accounts", headers=system_headers)
|
|
self.assertEqual(system_accounts.status_code, 200, system_accounts.text)
|
|
admin_account = next(account for account in system_accounts.json()["accounts"] if account["email"] == "admin@example.local")
|
|
remove_last_system_owner = self.client.put(
|
|
f"/api/v1/admin/system/accounts/{admin_account['account_id']}/roles",
|
|
headers=system_headers,
|
|
json={"role_ids": []},
|
|
)
|
|
self.assertEqual(remove_last_system_owner.status_code, 409, remove_last_system_owner.text)
|
|
deactivate_last_system_owner = self.client.patch(
|
|
f"/api/v1/admin/system/accounts/{admin_account['account_id']}",
|
|
headers=system_headers,
|
|
json={"is_active": False},
|
|
)
|
|
self.assertEqual(deactivate_last_system_owner.status_code, 409, deactivate_last_system_owner.text)
|
|
|
|
suspended = self.client.patch(
|
|
f"/api/v1/admin/tenants/{tenant_id}",
|
|
headers=system_headers,
|
|
json={"is_active": False},
|
|
)
|
|
self.assertEqual(suspended.status_code, 200, suspended.text)
|
|
self.assertEqual(self.client.get("/api/v1/auth/me", headers=headers).status_code, 401)
|
|
reactivated = self.client.patch(
|
|
f"/api/v1/admin/tenants/{tenant_id}",
|
|
headers=system_headers,
|
|
json={"is_active": True},
|
|
)
|
|
self.assertEqual(reactivated.status_code, 200, reactivated.text)
|
|
self.assertEqual(self.client.get("/api/v1/auth/me", headers=headers).status_code, 200)
|
|
|
|
audit = self.client.get("/api/v1/admin/audit", headers=headers)
|
|
self.assertEqual(audit.status_code, 200, audit.text)
|
|
actions = {item["action"] for item in audit.json()["items"]}
|
|
self.assertIn("user.created", actions)
|
|
self.assertIn("group.created", actions)
|
|
self.assertIn("role.created", actions)
|
|
self.assertIn("tenant.settings.updated", actions)
|
|
|
|
|
|
|
|
def test_access_admin_users_delta_tracks_create_and_update(self) -> None:
|
|
headers, _ = self._login()
|
|
|
|
initial = self.client.get("/api/v1/admin/users/delta", headers=headers)
|
|
self.assertEqual(initial.status_code, 200, initial.text)
|
|
initial_payload = initial.json()
|
|
self.assertTrue(initial_payload["full"])
|
|
self.assertTrue(initial_payload["watermark"])
|
|
|
|
created = self.client.post(
|
|
"/api/v1/admin/users",
|
|
headers=headers,
|
|
json={
|
|
"email": "delta-user@example.local",
|
|
"display_name": "Delta User",
|
|
"password": "delta-user-password",
|
|
"password_reset_required": False,
|
|
"is_active": True,
|
|
"group_ids": [],
|
|
"role_ids": [],
|
|
},
|
|
)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
user_id = created.json()["user"]["id"]
|
|
|
|
created_delta = self.client.get(
|
|
"/api/v1/admin/users/delta",
|
|
headers=headers,
|
|
params={"since": initial_payload["watermark"]},
|
|
)
|
|
self.assertEqual(created_delta.status_code, 200, created_delta.text)
|
|
created_payload = created_delta.json()
|
|
self.assertFalse(created_payload["full"])
|
|
self.assertEqual(created_payload["deleted"], [])
|
|
self.assertIn("delta-user@example.local", {user["email"] for user in created_payload["users"]})
|
|
|
|
updated = self.client.patch(
|
|
f"/api/v1/admin/users/{user_id}",
|
|
headers=headers,
|
|
json={"display_name": "Delta User Updated", "group_ids": [], "role_ids": []},
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
|
|
updated_delta = self.client.get(
|
|
"/api/v1/admin/users/delta",
|
|
headers=headers,
|
|
params={"since": created_payload["watermark"]},
|
|
)
|
|
self.assertEqual(updated_delta.status_code, 200, updated_delta.text)
|
|
updated_payload = updated_delta.json()
|
|
self.assertFalse(updated_payload["full"])
|
|
changed_user = next(user for user in updated_payload["users"] if user["id"] == user_id)
|
|
self.assertEqual(changed_user["display_name"], "Delta User Updated")
|
|
|
|
def test_access_admin_api_key_delta_returns_tombstone_when_revoked_hidden(self) -> None:
|
|
headers, login = self._login()
|
|
|
|
initial = self.client.get("/api/v1/admin/api-keys/delta", headers=headers)
|
|
self.assertEqual(initial.status_code, 200, initial.text)
|
|
initial_payload = initial.json()
|
|
self.assertTrue(initial_payload["full"])
|
|
self.assertTrue(initial_payload["watermark"])
|
|
|
|
created = self.client.post(
|
|
"/api/v1/admin/api-keys",
|
|
headers=headers,
|
|
json={
|
|
"name": "Delta API key",
|
|
"user_id": login["user"]["id"],
|
|
"scopes": ["files:read"],
|
|
},
|
|
)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
key_id = created.json()["id"]
|
|
|
|
created_delta = self.client.get(
|
|
"/api/v1/admin/api-keys/delta",
|
|
headers=headers,
|
|
params={"since": initial_payload["watermark"]},
|
|
)
|
|
self.assertEqual(created_delta.status_code, 200, created_delta.text)
|
|
created_payload = created_delta.json()
|
|
self.assertFalse(created_payload["full"])
|
|
self.assertIn(key_id, {item["id"] for item in created_payload["api_keys"]})
|
|
|
|
revoked = self.client.post(f"/api/v1/admin/api-keys/{key_id}/revoke", headers=headers)
|
|
self.assertEqual(revoked.status_code, 200, revoked.text)
|
|
|
|
hidden_revoked_delta = self.client.get(
|
|
"/api/v1/admin/api-keys/delta",
|
|
headers=headers,
|
|
params={"since": created_payload["watermark"]},
|
|
)
|
|
self.assertEqual(hidden_revoked_delta.status_code, 200, hidden_revoked_delta.text)
|
|
hidden_payload = hidden_revoked_delta.json()
|
|
self.assertFalse(hidden_payload["full"])
|
|
self.assertTrue(
|
|
any(item["id"] == key_id and item["resource_type"] == "access_api_key" for item in hidden_payload["deleted"]),
|
|
hidden_payload["deleted"],
|
|
)
|
|
|
|
visible_revoked_delta = self.client.get(
|
|
"/api/v1/admin/api-keys/delta",
|
|
headers=headers,
|
|
params={"since": created_payload["watermark"], "include_revoked": "true"},
|
|
)
|
|
self.assertEqual(visible_revoked_delta.status_code, 200, visible_revoked_delta.text)
|
|
visible_key = next(item for item in visible_revoked_delta.json()["api_keys"] if item["id"] == key_id)
|
|
self.assertIsNotNone(visible_key["revoked_at"])
|
|
|
|
def test_settings_deltas_track_sections_and_system_language_dependency(self) -> None:
|
|
headers, _ = self._login()
|
|
|
|
system_initial = self.client.get("/api/v1/admin/system/settings/delta", headers=headers)
|
|
self.assertEqual(system_initial.status_code, 200, system_initial.text)
|
|
system_initial_payload = system_initial.json()
|
|
self.assertTrue(system_initial_payload["full"])
|
|
self.assertTrue(system_initial_payload["watermark"])
|
|
|
|
tenant_initial = self.client.get("/api/v1/admin/tenant/settings/delta", headers=headers)
|
|
self.assertEqual(tenant_initial.status_code, 200, tenant_initial.text)
|
|
tenant_initial_payload = tenant_initial.json()
|
|
self.assertTrue(tenant_initial_payload["full"])
|
|
self.assertTrue(tenant_initial_payload["watermark"])
|
|
|
|
system_item = system_initial_payload["item"]
|
|
available_languages = list(system_item["available_languages"])
|
|
if "fr" not in {item["code"] for item in available_languages}:
|
|
available_languages.append({"code": "fr", "label": "French", "native_label": "Francais"})
|
|
enabled_codes = list(dict.fromkeys([*system_item["enabled_language_codes"], "fr"]))
|
|
updated_system = self.client.patch(
|
|
"/api/v1/admin/system/settings",
|
|
headers=headers,
|
|
json={
|
|
"default_locale": system_item["default_locale"],
|
|
"allow_tenant_custom_groups": system_item["allow_tenant_custom_groups"],
|
|
"allow_tenant_custom_roles": system_item["allow_tenant_custom_roles"],
|
|
"allow_tenant_api_keys": system_item["allow_tenant_api_keys"],
|
|
"available_languages": available_languages,
|
|
"enabled_language_codes": enabled_codes,
|
|
},
|
|
)
|
|
self.assertEqual(updated_system.status_code, 200, updated_system.text)
|
|
|
|
system_delta = self.client.get(
|
|
"/api/v1/admin/system/settings/delta",
|
|
headers=headers,
|
|
params={"since": system_initial_payload["watermark"]},
|
|
)
|
|
self.assertEqual(system_delta.status_code, 200, system_delta.text)
|
|
system_delta_payload = system_delta.json()
|
|
self.assertFalse(system_delta_payload["full"])
|
|
self.assertIn("languages", system_delta_payload["changed_sections"])
|
|
self.assertIn("fr", system_delta_payload["sections"]["languages"]["enabled_language_codes"])
|
|
|
|
tenant_delta = self.client.get(
|
|
"/api/v1/admin/tenant/settings/delta",
|
|
headers=headers,
|
|
params={"since": tenant_initial_payload["watermark"]},
|
|
)
|
|
self.assertEqual(tenant_delta.status_code, 200, tenant_delta.text)
|
|
tenant_delta_payload = tenant_delta.json()
|
|
self.assertFalse(tenant_delta_payload["full"])
|
|
self.assertIn("languages", tenant_delta_payload["changed_sections"])
|
|
self.assertIn("fr", tenant_delta_payload["sections"]["languages"]["system_enabled_language_codes"])
|
|
|
|
def test_tenant_admin_delta_tracks_create_and_update(self) -> None:
|
|
headers, _ = self._login()
|
|
|
|
initial = self.client.get("/api/v1/admin/tenants/delta", headers=headers)
|
|
self.assertEqual(initial.status_code, 200, initial.text)
|
|
initial_payload = initial.json()
|
|
self.assertTrue(initial_payload["full"])
|
|
self.assertTrue(initial_payload["watermark"])
|
|
|
|
created = self.client.post(
|
|
"/api/v1/admin/tenants",
|
|
headers=headers,
|
|
json={"slug": "tenant-delta", "name": "Tenant Delta", "settings": {}},
|
|
)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
tenant_id = created.json()["id"]
|
|
|
|
created_delta = self.client.get(
|
|
"/api/v1/admin/tenants/delta",
|
|
headers=headers,
|
|
params={"since": initial_payload["watermark"]},
|
|
)
|
|
self.assertEqual(created_delta.status_code, 200, created_delta.text)
|
|
created_payload = created_delta.json()
|
|
self.assertFalse(created_payload["full"])
|
|
self.assertIn("Tenant Delta", {tenant["name"] for tenant in created_payload["tenants"]})
|
|
self.assertFalse(created_payload["deleted"])
|
|
|
|
updated = self.client.patch(
|
|
f"/api/v1/admin/tenants/{tenant_id}",
|
|
headers=headers,
|
|
json={"name": "Tenant Delta Updated", "is_active": False},
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
|
|
updated_delta = self.client.get(
|
|
"/api/v1/admin/tenants/delta",
|
|
headers=headers,
|
|
params={"since": created_payload["watermark"]},
|
|
)
|
|
self.assertEqual(updated_delta.status_code, 200, updated_delta.text)
|
|
updated_payload = updated_delta.json()
|
|
self.assertFalse(updated_payload["full"])
|
|
updated_item = next(tenant for tenant in updated_payload["tenants"] if tenant["id"] == tenant_id)
|
|
self.assertEqual(updated_item["name"], "Tenant Delta Updated")
|
|
self.assertFalse(updated_item["is_active"])
|
|
|
|
def test_governance_template_delta_tracks_create_update_and_delete(self) -> None:
|
|
headers, login = self._login()
|
|
tenant_id = login["tenant"]["id"]
|
|
approver_headers = self._create_system_approver(headers, tenant_id=tenant_id, email="governance-delta-approver@example.local")
|
|
|
|
initial = self.client.get("/api/v1/admin/system/governance-templates/delta", headers=headers)
|
|
self.assertEqual(initial.status_code, 200, initial.text)
|
|
initial_payload = initial.json()
|
|
self.assertTrue(initial_payload["full"])
|
|
self.assertTrue(initial_payload["watermark"])
|
|
|
|
create_payload = {
|
|
"kind": "group",
|
|
"slug": "governance-delta",
|
|
"name": "Governance Delta",
|
|
"description": "Delta tracked system group",
|
|
"permissions": [],
|
|
"is_active": True,
|
|
"assignments": [{"tenant_id": tenant_id, "mode": "available"}],
|
|
}
|
|
create_change_request_id = self._approved_configuration_change(
|
|
headers,
|
|
approver_headers,
|
|
key="governance_templates",
|
|
value=create_payload,
|
|
target={"kind": "group", "slug": "governance-delta"},
|
|
)
|
|
created = self.client.post(
|
|
"/api/v1/admin/system/governance-templates",
|
|
headers=headers,
|
|
json={**create_payload, "change_request_id": create_change_request_id},
|
|
)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
template_id = created.json()["id"]
|
|
|
|
created_delta = self.client.get(
|
|
"/api/v1/admin/system/governance-templates/delta",
|
|
headers=headers,
|
|
params={"since": initial_payload["watermark"]},
|
|
)
|
|
self.assertEqual(created_delta.status_code, 200, created_delta.text)
|
|
created_payload = created_delta.json()
|
|
self.assertFalse(created_payload["full"])
|
|
self.assertIn(template_id, {item["id"] for item in created_payload["templates"]})
|
|
|
|
update_payload = {
|
|
"name": "Governance Delta Updated",
|
|
"description": "Delta tracked system group updated",
|
|
"permissions": [],
|
|
"is_active": False,
|
|
"assignments": [{"tenant_id": tenant_id, "mode": "available"}],
|
|
}
|
|
update_change_request_id = self._approved_configuration_change(
|
|
headers,
|
|
approver_headers,
|
|
key="governance_templates",
|
|
value=update_payload,
|
|
target={"kind": "group", "id": template_id},
|
|
)
|
|
updated = self.client.patch(
|
|
f"/api/v1/admin/system/governance-templates/{template_id}",
|
|
headers=headers,
|
|
json={**update_payload, "change_request_id": update_change_request_id},
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
|
|
updated_delta = self.client.get(
|
|
"/api/v1/admin/system/governance-templates/delta",
|
|
headers=headers,
|
|
params={"since": created_payload["watermark"]},
|
|
)
|
|
self.assertEqual(updated_delta.status_code, 200, updated_delta.text)
|
|
updated_item = next(item for item in updated_delta.json()["templates"] if item["id"] == template_id)
|
|
self.assertEqual(updated_item["name"], "Governance Delta Updated")
|
|
self.assertFalse(updated_item["is_active"])
|
|
|
|
delete_value = {"id": template_id, "kind": "group", "delete": True}
|
|
delete_change_request_id = self._approved_configuration_change(
|
|
headers,
|
|
approver_headers,
|
|
key="governance_templates",
|
|
value=delete_value,
|
|
target={"kind": "group", "id": template_id},
|
|
)
|
|
deleted = self.client.delete(
|
|
f"/api/v1/admin/system/governance-templates/{template_id}",
|
|
headers=headers,
|
|
params={"change_request_id": delete_change_request_id},
|
|
)
|
|
self.assertEqual(deleted.status_code, 204, deleted.text)
|
|
|
|
deleted_delta = self.client.get(
|
|
"/api/v1/admin/system/governance-templates/delta",
|
|
headers=headers,
|
|
params={"since": updated_delta.json()["watermark"]},
|
|
)
|
|
self.assertEqual(deleted_delta.status_code, 200, deleted_delta.text)
|
|
self.assertTrue(any(item["id"] == template_id and item["resource_type"] == "governance_template" for item in deleted_delta.json()["deleted"]))
|
|
|
|
def test_module_installer_history_supports_cursor_windows(self) -> None:
|
|
from govoplan_core.core.module_installer import default_installer_runtime_dir
|
|
|
|
headers, _ = self._login()
|
|
runtime_dir = default_installer_runtime_dir(os.environ["DATABASE_URL"])
|
|
shutil.rmtree(runtime_dir, ignore_errors=True)
|
|
for run_id in ("run-001", "run-002", "run-003"):
|
|
run_dir = runtime_dir / "runs" / run_id
|
|
run_dir.mkdir(parents=True, exist_ok=True)
|
|
(run_dir / "record.json").write_text(
|
|
json.dumps({"run_id": run_id, "status": "applied", "started_at": f"2030-01-0{run_id[-1]}T00:00:00+00:00", "commands": [], "plan": []}),
|
|
encoding="utf-8",
|
|
)
|
|
requests_dir = runtime_dir / "requests"
|
|
requests_dir.mkdir(parents=True, exist_ok=True)
|
|
for request_id in ("request-001", "request-002", "request-003"):
|
|
(requests_dir / f"{request_id}.json").write_text(
|
|
json.dumps({"request_id": request_id, "status": "queued", "created_at": f"2030-01-0{request_id[-1]}T00:00:00+00:00", "options": {}}),
|
|
encoding="utf-8",
|
|
)
|
|
|
|
first_runs = self.client.get(
|
|
"/api/v1/admin/system/modules/install-runs",
|
|
headers=headers,
|
|
params={"page_size": 2},
|
|
)
|
|
self.assertEqual(first_runs.status_code, 200, first_runs.text)
|
|
first_runs_payload = first_runs.json()
|
|
self.assertEqual([item["run_id"] for item in first_runs_payload["runs"]], ["run-003", "run-002"])
|
|
self.assertTrue(first_runs_payload["next_cursor"])
|
|
|
|
next_runs = self.client.get(
|
|
"/api/v1/admin/system/modules/install-runs",
|
|
headers=headers,
|
|
params={"page_size": 2, "cursor": first_runs_payload["next_cursor"]},
|
|
)
|
|
self.assertEqual(next_runs.status_code, 200, next_runs.text)
|
|
self.assertEqual([item["run_id"] for item in next_runs.json()["runs"]], ["run-001"])
|
|
|
|
shutil.rmtree(runtime_dir / "runs" / "run-002", ignore_errors=True)
|
|
stale_runs = self.client.get(
|
|
"/api/v1/admin/system/modules/install-runs",
|
|
headers=headers,
|
|
params={"page_size": 2, "cursor": first_runs_payload["next_cursor"]},
|
|
)
|
|
self.assertEqual(stale_runs.status_code, 200, stale_runs.text)
|
|
self.assertTrue(stale_runs.json()["full"])
|
|
self.assertEqual([item["run_id"] for item in stale_runs.json()["runs"]], ["run-003", "run-001"])
|
|
|
|
first_requests = self.client.get(
|
|
"/api/v1/admin/system/modules/install-requests",
|
|
headers=headers,
|
|
params={"page_size": 2},
|
|
)
|
|
self.assertEqual(first_requests.status_code, 200, first_requests.text)
|
|
first_requests_payload = first_requests.json()
|
|
self.assertEqual([item["request_id"] for item in first_requests_payload["requests"]], ["request-003", "request-002"])
|
|
self.assertTrue(first_requests_payload["next_cursor"])
|
|
|
|
next_requests = self.client.get(
|
|
"/api/v1/admin/system/modules/install-requests",
|
|
headers=headers,
|
|
params={"page_size": 2, "cursor": first_requests_payload["next_cursor"]},
|
|
)
|
|
self.assertEqual(next_requests.status_code, 200, next_requests.text)
|
|
self.assertEqual([item["request_id"] for item in next_requests.json()["requests"]], ["request-001"])
|
|
|
|
def test_system_accounts_delta_tolerates_repeated_no_change_reload(self) -> None:
|
|
headers, _ = self._login()
|
|
initial = self.client.get("/api/v1/admin/system/accounts/delta", headers=headers)
|
|
self.assertEqual(initial.status_code, 200, initial.text)
|
|
initial_payload = initial.json()
|
|
self.assertTrue(initial_payload["full"])
|
|
self.assertTrue(initial_payload["watermark"])
|
|
|
|
first_reload = self.client.get(
|
|
"/api/v1/admin/system/accounts/delta",
|
|
headers=headers,
|
|
params={"since": initial_payload["watermark"]},
|
|
)
|
|
self.assertEqual(first_reload.status_code, 200, first_reload.text)
|
|
first_payload = first_reload.json()
|
|
self.assertFalse(first_payload["full"])
|
|
|
|
second_reload = self.client.get(
|
|
"/api/v1/admin/system/accounts/delta",
|
|
headers=headers,
|
|
params={"since": first_payload["watermark"]},
|
|
)
|
|
self.assertEqual(second_reload.status_code, 200, second_reload.text)
|
|
second_payload = second_reload.json()
|
|
self.assertFalse(second_payload["full"])
|
|
|
|
def test_configuration_changes_delta_tracks_requests(self) -> None:
|
|
headers, _ = self._login()
|
|
|
|
initial = self.client.get("/api/v1/admin/configuration-changes/delta", headers=headers)
|
|
self.assertEqual(initial.status_code, 200, initial.text)
|
|
initial_payload = initial.json()
|
|
self.assertTrue(initial_payload["full"])
|
|
self.assertTrue(initial_payload["watermark"])
|
|
|
|
created = self.client.post(
|
|
"/api/v1/admin/configuration-change-requests",
|
|
headers=headers,
|
|
json={
|
|
"key": "maintenance_mode",
|
|
"value": {"enabled": False, "message": "delta request"},
|
|
"dry_run": True,
|
|
"target": {"scope": "system"},
|
|
"reason": "delta smoke test",
|
|
},
|
|
)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
request_id = created.json()["request"]["id"]
|
|
|
|
delta = self.client.get(
|
|
"/api/v1/admin/configuration-changes/delta",
|
|
headers=headers,
|
|
params={"since": initial_payload["watermark"]},
|
|
)
|
|
self.assertEqual(delta.status_code, 200, delta.text)
|
|
delta_payload = delta.json()
|
|
self.assertFalse(delta_payload["full"])
|
|
self.assertIn(request_id, {item["id"] for item in delta_payload["requests"]})
|
|
|
|
def test_admin_audit_delta_tracks_new_events(self) -> None:
|
|
headers, _ = self._login()
|
|
|
|
initial = self.client.get("/api/v1/admin/audit/delta", headers=headers, params={"scope": "tenant", "page_size": 25})
|
|
self.assertEqual(initial.status_code, 200, initial.text)
|
|
initial_payload = initial.json()
|
|
self.assertTrue(initial_payload["full"])
|
|
self.assertTrue(initial_payload["watermark"])
|
|
|
|
created = self.client.post(
|
|
"/api/v1/admin/users",
|
|
headers=headers,
|
|
json={
|
|
"email": "audit-delta-user@example.local",
|
|
"display_name": "Audit Delta User",
|
|
"password": "audit-delta-password",
|
|
"password_reset_required": False,
|
|
"is_active": True,
|
|
"group_ids": [],
|
|
"role_ids": [],
|
|
},
|
|
)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
|
|
delta = self.client.get(
|
|
"/api/v1/admin/audit/delta",
|
|
headers=headers,
|
|
params={"scope": "tenant", "page_size": 25, "since": initial_payload["watermark"]},
|
|
)
|
|
self.assertEqual(delta.status_code, 200, delta.text)
|
|
delta_payload = delta.json()
|
|
self.assertFalse(delta_payload["full"])
|
|
self.assertIn("user.created", {item["action"] for item in delta_payload["items"]})
|
|
|
|
def test_access_admin_users_delta_paginates_enforces_permissions_and_tenant_scope(self) -> None:
|
|
headers, _ = self._login()
|
|
|
|
initial = self.client.get("/api/v1/admin/users/delta", headers=headers)
|
|
self.assertEqual(initial.status_code, 200, initial.text)
|
|
initial_watermark = initial.json()["watermark"]
|
|
|
|
for index in range(2):
|
|
created = self.client.post(
|
|
"/api/v1/admin/users",
|
|
headers=headers,
|
|
json={
|
|
"email": f"delta-page-{index}@example.local",
|
|
"display_name": f"Delta Page {index}",
|
|
"password": "delta-page-password",
|
|
"password_reset_required": False,
|
|
"is_active": True,
|
|
"group_ids": [],
|
|
"role_ids": [],
|
|
},
|
|
)
|
|
self.assertEqual(created.status_code, 201, created.text)
|
|
|
|
page_one = self.client.get(
|
|
"/api/v1/admin/users/delta",
|
|
headers=headers,
|
|
params={"since": initial_watermark, "limit": 1},
|
|
)
|
|
self.assertEqual(page_one.status_code, 200, page_one.text)
|
|
page_one_payload = page_one.json()
|
|
self.assertFalse(page_one_payload["full"])
|
|
self.assertTrue(page_one_payload["has_more"])
|
|
self.assertEqual(len(page_one_payload["users"]), 1)
|
|
|
|
page_two = self.client.get(
|
|
"/api/v1/admin/users/delta",
|
|
headers=headers,
|
|
params={"since": page_one_payload["watermark"], "limit": 1},
|
|
)
|
|
self.assertEqual(page_two.status_code, 200, page_two.text)
|
|
self.assertFalse(page_two.json()["full"])
|
|
self.assertEqual(len(page_two.json()["users"]), 1)
|
|
|
|
reader_role = self._create_role(headers, slug="delta-file-reader", permissions=["files:read"])
|
|
self._create_user(
|
|
headers,
|
|
email="delta-reader@example.local",
|
|
password="delta-reader-password",
|
|
role_ids=[str(reader_role["id"])],
|
|
)
|
|
reader_headers, _ = self._login_as(email="delta-reader@example.local", password="delta-reader-password")
|
|
denied = self.client.get("/api/v1/admin/users/delta", headers=reader_headers)
|
|
self.assertEqual(denied.status_code, 403, denied.text)
|
|
|
|
scoped_initial = self.client.get("/api/v1/admin/users/delta", headers=headers)
|
|
self.assertEqual(scoped_initial.status_code, 200, scoped_initial.text)
|
|
created_tenant = self.client.post(
|
|
"/api/v1/admin/tenants",
|
|
headers=headers,
|
|
json={"slug": "delta-scope", "name": "Delta scope", "settings": {}},
|
|
)
|
|
self.assertEqual(created_tenant.status_code, 201, created_tenant.text)
|
|
switched = self.client.post(
|
|
"/api/v1/auth/switch-tenant",
|
|
headers=headers,
|
|
json={"tenant_id": created_tenant.json()["id"]},
|
|
)
|
|
self.assertEqual(switched.status_code, 200, switched.text)
|
|
cross_tenant_user = self.client.post(
|
|
"/api/v1/admin/users",
|
|
headers=headers,
|
|
json={
|
|
"email": "other-tenant-delta@example.local",
|
|
"display_name": "Other Tenant Delta",
|
|
"password": "other-tenant-delta-password",
|
|
"password_reset_required": False,
|
|
"is_active": True,
|
|
"group_ids": [],
|
|
"role_ids": [],
|
|
},
|
|
)
|
|
self.assertEqual(cross_tenant_user.status_code, 201, cross_tenant_user.text)
|
|
|
|
default_headers, _ = self._login()
|
|
scoped_delta = self.client.get(
|
|
"/api/v1/admin/users/delta",
|
|
headers=default_headers,
|
|
params={"since": scoped_initial.json()["watermark"]},
|
|
)
|
|
self.assertEqual(scoped_delta.status_code, 200, scoped_delta.text)
|
|
self.assertNotIn("other-tenant-delta@example.local", {user["email"] for user in scoped_delta.json()["users"]})
|
|
|
|
def test_admin_audit_delta_supports_filtered_sorted_first_page(self) -> None:
|
|
headers, _ = self._login()
|
|
|
|
initial = self.client.get(
|
|
"/api/v1/admin/audit/delta",
|
|
headers=headers,
|
|
params={
|
|
"scope": "system",
|
|
"page_size": 25,
|
|
"sort_by": "action",
|
|
"sort_direction": "asc",
|
|
"filter_action": "system_settings",
|
|
},
|
|
)
|
|
self.assertEqual(initial.status_code, 200, initial.text)
|
|
initial_payload = initial.json()
|
|
self.assertTrue(initial_payload["full"])
|
|
|
|
settings_response = self.client.get("/api/v1/admin/system/settings", headers=headers)
|
|
self.assertEqual(settings_response.status_code, 200, settings_response.text)
|
|
settings_payload = settings_response.json()
|
|
updated = self.client.patch(
|
|
"/api/v1/admin/system/settings",
|
|
headers=headers,
|
|
json={
|
|
"default_locale": settings_payload["default_locale"],
|
|
"allow_tenant_custom_groups": settings_payload["allow_tenant_custom_groups"],
|
|
"allow_tenant_custom_roles": settings_payload["allow_tenant_custom_roles"],
|
|
"allow_tenant_api_keys": settings_payload["allow_tenant_api_keys"],
|
|
"available_languages": settings_payload["available_languages"],
|
|
"enabled_language_codes": settings_payload["enabled_language_codes"],
|
|
},
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
|
|
delta = self.client.get(
|
|
"/api/v1/admin/audit/delta",
|
|
headers=headers,
|
|
params={
|
|
"scope": "system",
|
|
"page_size": 25,
|
|
"sort_by": "action",
|
|
"sort_direction": "asc",
|
|
"filter_action": "system_settings",
|
|
"since": initial_payload["watermark"],
|
|
},
|
|
)
|
|
self.assertEqual(delta.status_code, 200, delta.text)
|
|
delta_payload = delta.json()
|
|
self.assertFalse(delta_payload["full"])
|
|
self.assertTrue(all("system_settings" in item["action"] for item in delta_payload["items"]))
|
|
self.assertIn("system_settings.updated", {item["action"] for item in delta_payload["items"]})
|
|
|
|
def test_system_governance_defaults_templates_and_central_accounts(self) -> None:
|
|
headers, login = self._login()
|
|
tenant_id = login["tenant"]["id"]
|
|
|
|
settings_response = self.client.get("/api/v1/admin/system/settings", headers=headers)
|
|
self.assertEqual(settings_response.status_code, 200, settings_response.text)
|
|
self.assertTrue(settings_response.json()["allow_tenant_custom_groups"])
|
|
self.assertEqual(settings_response.json()["privacy_retention_policy"]["audit_detail_level"], "full")
|
|
approver_headers = self._create_system_approver(headers, tenant_id=tenant_id)
|
|
|
|
privacy_update = {
|
|
**settings_response.json()["privacy_retention_policy"],
|
|
"audit_detail_level": "redacted",
|
|
"mock_mailbox_retention_days": 0,
|
|
}
|
|
settings_change_request_id = self._approved_configuration_change(
|
|
headers,
|
|
approver_headers,
|
|
key="privacy_retention_policy",
|
|
value=privacy_update,
|
|
target={"scope": "system"},
|
|
)
|
|
|
|
deny_local_groups = self.client.patch(
|
|
"/api/v1/admin/system/settings",
|
|
headers=headers,
|
|
json={
|
|
"default_locale": "en",
|
|
"allow_tenant_custom_groups": False,
|
|
"allow_tenant_custom_roles": True,
|
|
"allow_tenant_api_keys": True,
|
|
"privacy_retention_policy": privacy_update,
|
|
"change_request_id": settings_change_request_id,
|
|
},
|
|
)
|
|
self.assertEqual(deny_local_groups.status_code, 200, deny_local_groups.text)
|
|
self.assertEqual(deny_local_groups.json()["privacy_retention_policy"]["audit_detail_level"], "redacted")
|
|
self.assertEqual(deny_local_groups.json()["privacy_retention_policy"]["mock_mailbox_retention_days"], 0)
|
|
|
|
widened_tenant = self.client.patch(
|
|
f"/api/v1/admin/tenants/{tenant_id}",
|
|
headers=headers,
|
|
json={"allow_custom_groups": True},
|
|
)
|
|
self.assertEqual(widened_tenant.status_code, 422, widened_tenant.text)
|
|
|
|
retention_patch = {"allow_lower_level_limits": {"raw_campaign_json_retention_days": False}}
|
|
retention_change_request_id = self._approved_configuration_change(
|
|
headers,
|
|
approver_headers,
|
|
key="privacy_retention_policy",
|
|
value=retention_patch,
|
|
target={"scope_type": "system", "scope_id": None},
|
|
)
|
|
locked_retention = self.client.put(
|
|
"/api/v1/admin/privacy-retention/policies/system",
|
|
headers=headers,
|
|
json={"policy": retention_patch, "change_request_id": retention_change_request_id},
|
|
)
|
|
self.assertEqual(locked_retention.status_code, 200, locked_retention.text)
|
|
self.assertFalse(locked_retention.json()["effective_policy"]["allow_lower_level_limits"]["raw_campaign_json_retention_days"])
|
|
retention_explain = self.client.get(
|
|
"/api/v1/admin/privacy-retention/policies/tenant/explain",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(retention_explain.status_code, 200, retention_explain.text)
|
|
retention_explain_payload = retention_explain.json()
|
|
self.assertFalse(retention_explain_payload["decision"]["allowed"])
|
|
self.assertIn("raw_campaign_json_retention_days", retention_explain_payload["blocked_fields"])
|
|
self.assertEqual(retention_explain_payload["parent_policy_sources"][0]["path"], "system")
|
|
self.assertEqual(retention_explain_payload["decision"]["source_path"][0]["path"], "system")
|
|
tenant_retention_widen = self.client.put(
|
|
"/api/v1/admin/privacy-retention/policies/tenant",
|
|
headers=headers,
|
|
json={"policy": {"raw_campaign_json_retention_days": 1}},
|
|
)
|
|
self.assertEqual(tenant_retention_widen.status_code, 422, tenant_retention_widen.text)
|
|
tenant_retention_unlock = self.client.put(
|
|
"/api/v1/admin/privacy-retention/policies/tenant",
|
|
headers=headers,
|
|
json={"policy": {"allow_lower_level_limits": {"raw_campaign_json_retention_days": True}}},
|
|
)
|
|
self.assertEqual(tenant_retention_unlock.status_code, 422, tenant_retention_unlock.text)
|
|
|
|
retention_dry_run = self.client.post(
|
|
"/api/v1/admin/system/retention/run",
|
|
headers=headers,
|
|
json={"dry_run": True},
|
|
)
|
|
self.assertEqual(retention_dry_run.status_code, 200, retention_dry_run.text)
|
|
self.assertTrue(retention_dry_run.json()["result"]["dry_run"])
|
|
self.assertIn("raw_campaign_json", retention_dry_run.json()["result"]["counts"])
|
|
|
|
blocked_group = self.client.post(
|
|
"/api/v1/admin/groups",
|
|
headers=headers,
|
|
json={"slug": "blocked-local", "name": "Blocked local group", "member_ids": [], "role_ids": []},
|
|
)
|
|
self.assertEqual(blocked_group.status_code, 409, blocked_group.text)
|
|
|
|
central_group_payload = {
|
|
"kind": "group",
|
|
"slug": "case-workers",
|
|
"name": "Case workers",
|
|
"description": "System-controlled group identity",
|
|
"permissions": [],
|
|
"is_active": True,
|
|
"assignments": [{"tenant_id": tenant_id, "mode": "required"}],
|
|
}
|
|
governance_change_request_id = self._approved_configuration_change(
|
|
headers,
|
|
approver_headers,
|
|
key="governance_templates",
|
|
value=central_group_payload,
|
|
target={"kind": "group", "slug": "case-workers"},
|
|
)
|
|
central_group = self.client.post(
|
|
"/api/v1/admin/system/governance-templates",
|
|
headers=headers,
|
|
json={**central_group_payload, "change_request_id": governance_change_request_id},
|
|
)
|
|
self.assertEqual(central_group.status_code, 201, central_group.text)
|
|
template_id = central_group.json()["id"]
|
|
|
|
tenant_groups = self.client.get("/api/v1/admin/groups", headers=headers)
|
|
self.assertEqual(tenant_groups.status_code, 200, tenant_groups.text)
|
|
materialized = next(group for group in tenant_groups.json()["groups"] if group["system_template_id"] == template_id)
|
|
self.assertTrue(materialized["system_required"])
|
|
self.assertTrue(materialized["is_active"])
|
|
|
|
reject_required_deactivation = self.client.patch(
|
|
f"/api/v1/admin/groups/{materialized['id']}",
|
|
headers=headers,
|
|
json={"is_active": False},
|
|
)
|
|
self.assertEqual(reject_required_deactivation.status_code, 409, reject_required_deactivation.text)
|
|
|
|
created_tenant = self.client.post(
|
|
"/api/v1/admin/tenants",
|
|
headers=headers,
|
|
json={"slug": "governed", "name": "Governed", "settings": {}},
|
|
)
|
|
self.assertEqual(created_tenant.status_code, 201, created_tenant.text)
|
|
governed_tenant_id = created_tenant.json()["id"]
|
|
|
|
central_account = self.client.post(
|
|
"/api/v1/admin/system/accounts",
|
|
headers=headers,
|
|
json={
|
|
"email": "central-user@example.local",
|
|
"display_name": "Central User",
|
|
"password": "central-user-password",
|
|
"password_reset_required": False,
|
|
"is_active": True,
|
|
"role_ids": [],
|
|
"memberships": [{
|
|
"tenant_id": governed_tenant_id,
|
|
"is_active": True,
|
|
"role_ids": [],
|
|
"group_ids": [],
|
|
}],
|
|
},
|
|
)
|
|
self.assertEqual(central_account.status_code, 201, central_account.text)
|
|
memberships = central_account.json()["account"]["memberships"]
|
|
self.assertEqual([item["tenant_id"] for item in memberships], [governed_tenant_id])
|
|
|
|
audit = self.client.get(
|
|
"/api/v1/admin/audit",
|
|
headers=headers,
|
|
params={"all_tenants": True, "limit": 500},
|
|
)
|
|
self.assertEqual(audit.status_code, 200, audit.text)
|
|
actions = {item["action"] for item in audit.json()["items"]}
|
|
self.assertIn("system_settings.updated", actions)
|
|
self.assertIn("governance_template.created", actions)
|
|
self.assertIn("system_account.created", actions)
|
|
changes = self.client.get("/api/v1/admin/configuration-changes", headers=headers)
|
|
self.assertEqual(changes.status_code, 200, changes.text)
|
|
history_keys = {item["key"] for item in changes.json()["history"]}
|
|
self.assertIn("privacy_retention_policy", history_keys)
|
|
self.assertIn("governance_templates", history_keys)
|
|
|
|
|
|
def test_refined_permissions_are_narrow_and_enforce_delegation_ceiling(self) -> None:
|
|
owner_headers, _ = self._login()
|
|
designer_role = self._create_role(
|
|
owner_headers,
|
|
slug="role-designer",
|
|
permissions=["admin:users:read", "admin:roles:read", "admin:roles:write", "campaign:queue"],
|
|
)
|
|
designer = self._create_user(
|
|
owner_headers,
|
|
email="designer@example.local",
|
|
password="designer-password",
|
|
role_ids=[str(designer_role["id"])],
|
|
)
|
|
designer_headers, designer_login = self._login_as(email="designer@example.local", password="designer-password")
|
|
|
|
self.assertIn("campaign:queue", designer_login["scopes"])
|
|
self.assertNotIn("campaign:retry", designer_login["scopes"])
|
|
self.assertNotIn("campaign:send", designer_login["scopes"])
|
|
|
|
excessive_role = self.client.post(
|
|
"/api/v1/admin/roles",
|
|
headers=designer_headers,
|
|
json={
|
|
"slug": "sender-escalation",
|
|
"name": "Sender escalation",
|
|
"description": "Must be rejected",
|
|
"permissions": ["campaign:send"],
|
|
},
|
|
)
|
|
self.assertEqual(excessive_role.status_code, 422, excessive_role.text)
|
|
|
|
assign_without_assignment_permission = self.client.patch(
|
|
f"/api/v1/admin/users/{designer['id']}",
|
|
headers=designer_headers,
|
|
json={"role_ids": []},
|
|
)
|
|
self.assertEqual(assign_without_assignment_permission.status_code, 403, assign_without_assignment_permission.text)
|
|
|
|
def test_campaign_acl_separates_capability_from_object_access(self) -> None:
|
|
owner_headers, _ = self._login()
|
|
access_role = self._create_role(
|
|
owner_headers,
|
|
slug="campaign-collaborator",
|
|
permissions=["campaign:read", "campaign:update", "recipients:read"],
|
|
)
|
|
reader = self._create_user(
|
|
owner_headers,
|
|
email="campaign-reader@example.local",
|
|
password="reader-password",
|
|
role_ids=[str(access_role["id"])],
|
|
)
|
|
other = self._create_user(
|
|
owner_headers,
|
|
email="campaign-other@example.local",
|
|
password="other-password",
|
|
role_ids=[str(access_role["id"])],
|
|
)
|
|
reader_headers, _ = self._login_as(email="campaign-reader@example.local", password="reader-password")
|
|
other_headers, _ = self._login_as(email="campaign-other@example.local", password="other-password")
|
|
|
|
config = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "acl-campaign", "name": "ACL campaign", "mode": "test"},
|
|
"fields": [],
|
|
"global_values": {},
|
|
"server": {"smtp": {"host": "mock.smtp", "port": 2525, "security": "starttls"}},
|
|
"recipients": {"from": {"email": "sender@example.org", "type": "to"}},
|
|
"template": {"subject": "ACL", "text": "ACL"},
|
|
"attachments": {"base_path": ".", "global": [], "allow_individual": False},
|
|
"entries": {"inline": [{"id": "one", "to": [{"email": "one@example.org", "type": "to"}], "fields": {}}]},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block"},
|
|
"delivery": {"rate_limit": {"messages_per_minute": 60}, "imap_append_sent": {"enabled": False}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
created = self.client.post("/api/v1/campaigns", headers=owner_headers, json={"config": config})
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
|
|
self.assertEqual(self.client.get(f"/api/v1/campaigns/{campaign_id}", headers=reader_headers).status_code, 403)
|
|
self.assertEqual(self.client.get(f"/api/v1/campaigns/{campaign_id}", headers=other_headers).status_code, 403)
|
|
|
|
read_share = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/shares",
|
|
headers=owner_headers,
|
|
json={"target_type": "user", "target_id": reader["id"], "permission": "read"},
|
|
)
|
|
self.assertEqual(read_share.status_code, 201, read_share.text)
|
|
self.assertEqual(self.client.get(f"/api/v1/campaigns/{campaign_id}", headers=reader_headers).status_code, 200)
|
|
version_detail = self.client.get(f"/api/v1/campaigns/{campaign_id}/versions/{version_id}", headers=reader_headers)
|
|
self.assertEqual(version_detail.status_code, 200, version_detail.text)
|
|
denied_write = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/set-step",
|
|
headers=reader_headers,
|
|
json={"current_step": "template"},
|
|
)
|
|
self.assertEqual(denied_write.status_code, 403, denied_write.text)
|
|
|
|
write_share = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/shares",
|
|
headers=owner_headers,
|
|
json={"target_type": "user", "target_id": reader["id"], "permission": "write"},
|
|
)
|
|
self.assertEqual(write_share.status_code, 201, write_share.text)
|
|
allowed_write = self.client.post(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}/set-step",
|
|
headers=reader_headers,
|
|
json={"current_step": "template"},
|
|
)
|
|
self.assertEqual(allowed_write.status_code, 200, allowed_write.text)
|
|
changed_config = version_detail.json()["raw_json"]
|
|
changed_config["entries"]["inline"][0]["to"][0]["email"] = "changed@example.org"
|
|
denied_recipient_edit = self.client.put(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}",
|
|
headers=reader_headers,
|
|
json={"campaign_json": changed_config},
|
|
)
|
|
self.assertEqual(denied_recipient_edit.status_code, 403, denied_recipient_edit.text)
|
|
self.assertEqual(self.client.get(f"/api/v1/campaigns/{campaign_id}", headers=other_headers).status_code, 403)
|
|
|
|
def test_policy_responses_include_source_provenance(self) -> None:
|
|
headers, login = self._login()
|
|
tenant_id = login["tenant"]["id"]
|
|
|
|
retention = self.client.get("/api/v1/admin/privacy-retention/policies/tenant", headers=headers)
|
|
self.assertEqual(retention.status_code, 200, retention.text)
|
|
retention_payload = retention.json()
|
|
self.assertEqual([item["label"] for item in retention_payload["effective_policy_sources"]], ["System", "Tenant"])
|
|
self.assertEqual([item["path"] for item in retention_payload["effective_policy_sources"]], ["system", f"tenant:{tenant_id}"])
|
|
self.assertEqual([item["label"] for item in retention_payload["parent_policy_sources"]], ["System"])
|
|
self.assertIn("defaults", retention_payload["effective_policy_sources"][0]["applied_fields"])
|
|
|
|
created = self.client.post(
|
|
"/api/v1/campaigns/new",
|
|
headers=headers,
|
|
json={"external_id": "policy-source-campaign", "name": "Policy source campaign"},
|
|
)
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
|
|
updated = self.client.put(
|
|
f"/api/v1/mail/policies/campaign?scope_id={campaign_id}",
|
|
headers=headers,
|
|
json={"policy": {"allow_campaign_profiles": False}},
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
payload = updated.json()
|
|
self.assertEqual([item["label"] for item in payload["effective_policy_sources"]], ["System", "Tenant", "Owner user", "Campaign"])
|
|
campaign_source = payload["effective_policy_sources"][-1]
|
|
self.assertEqual(campaign_source["scope_type"], "campaign")
|
|
self.assertEqual(campaign_source["scope_id"], campaign_id)
|
|
self.assertEqual(campaign_source["path"], f"campaign:{campaign_id}")
|
|
self.assertIn("allow_campaign_profiles", campaign_source["applied_fields"])
|
|
|
|
def test_campaign_scoped_mail_profile_policy_is_enforced(self) -> None:
|
|
headers, _ = self._login()
|
|
created = self.client.post(
|
|
"/api/v1/campaigns/new",
|
|
headers=headers,
|
|
json={"external_id": "profile-policy-campaign", "name": "Profile policy campaign"},
|
|
)
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
|
|
profile = self.client.post(
|
|
"/api/v1/mail/profiles",
|
|
headers=headers,
|
|
json={
|
|
"name": "Campaign SMTP",
|
|
"scope_type": "campaign",
|
|
"scope_id": campaign_id,
|
|
"smtp": {"host": "allowed.smtp.local", "port": 2525, "username": "sender@example.org", "password": "secret", "security": "starttls"},
|
|
},
|
|
)
|
|
self.assertEqual(profile.status_code, 201, profile.text)
|
|
profile_id = profile.json()["id"]
|
|
self.assertEqual(profile.json()["scope_type"], "campaign")
|
|
|
|
effective = self.client.get(f"/api/v1/mail/profiles?campaign_id={campaign_id}", headers=headers)
|
|
self.assertEqual(effective.status_code, 200, effective.text)
|
|
self.assertIn(profile_id, {item["id"] for item in effective.json()["profiles"]})
|
|
|
|
policy = self.client.put(
|
|
f"/api/v1/mail/policies/campaign?scope_id={campaign_id}",
|
|
headers=headers,
|
|
json={"policy": {"blacklist": {"smtp_hosts": ["blocked.smtp.local"]}}},
|
|
)
|
|
self.assertEqual(policy.status_code, 200, policy.text)
|
|
|
|
blocked = self.client.post(
|
|
"/api/v1/mail/profiles",
|
|
headers=headers,
|
|
json={
|
|
"name": "Blocked SMTP",
|
|
"scope_type": "campaign",
|
|
"scope_id": campaign_id,
|
|
"smtp": {"host": "blocked.smtp.local", "port": 2525, "username": "sender@example.org", "password": "secret", "security": "starttls"},
|
|
},
|
|
)
|
|
self.assertEqual(blocked.status_code, 422, blocked.text)
|
|
self.assertIn("blacklist", blocked.json()["detail"])
|
|
|
|
def test_campaign_local_mail_policy_blocks_inline_but_allows_reusable_profiles(self) -> None:
|
|
headers, _ = self._login()
|
|
created = self.client.post(
|
|
"/api/v1/campaigns/new",
|
|
headers=headers,
|
|
json={"external_id": "campaign-local-mail-policy", "name": "Campaign local mail policy"},
|
|
)
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
|
|
tenant_profile = self.client.post(
|
|
"/api/v1/mail/profiles",
|
|
headers=headers,
|
|
json={
|
|
"name": "Tenant reusable SMTP",
|
|
"smtp": {"host": "tenant.smtp.local", "port": 2525, "username": "sender@example.org", "password": "secret", "security": "starttls"},
|
|
},
|
|
)
|
|
self.assertEqual(tenant_profile.status_code, 201, tenant_profile.text)
|
|
tenant_profile_id = tenant_profile.json()["id"]
|
|
|
|
policy = self.client.put(
|
|
f"/api/v1/mail/policies/campaign?scope_id={campaign_id}",
|
|
headers=headers,
|
|
json={"policy": {"allow_campaign_profiles": False}},
|
|
)
|
|
self.assertEqual(policy.status_code, 200, policy.text)
|
|
self.assertFalse(policy.json()["effective_policy"]["allow_campaign_profiles"])
|
|
|
|
blocked_profile = self.client.post(
|
|
"/api/v1/mail/profiles",
|
|
headers=headers,
|
|
json={
|
|
"name": "Blocked campaign SMTP",
|
|
"scope_type": "campaign",
|
|
"scope_id": campaign_id,
|
|
"smtp": {"host": "campaign.smtp.local", "port": 2525, "username": "sender@example.org", "password": "secret", "security": "starttls"},
|
|
},
|
|
)
|
|
self.assertEqual(blocked_profile.status_code, 422, blocked_profile.text)
|
|
self.assertIn("disabled by policy", blocked_profile.json()["detail"])
|
|
|
|
detail = self.client.get(f"/api/v1/campaigns/{campaign_id}/versions/{version_id}", headers=headers)
|
|
self.assertEqual(detail.status_code, 200, detail.text)
|
|
inline_json = detail.json()["raw_json"]
|
|
inline_json["server"] = {
|
|
"smtp": {
|
|
"host": "campaign.smtp.local",
|
|
"port": 2525,
|
|
"username": "sender@example.org",
|
|
"password": "secret",
|
|
"security": "starttls",
|
|
}
|
|
}
|
|
blocked_inline = self.client.put(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}",
|
|
headers=headers,
|
|
json={"campaign_json": inline_json},
|
|
)
|
|
self.assertEqual(blocked_inline.status_code, 422, blocked_inline.text)
|
|
self.assertIn("Campaign-local inline mail settings", blocked_inline.json()["detail"])
|
|
|
|
reusable_json = detail.json()["raw_json"]
|
|
reusable_json["server"] = {"mail_profile_id": tenant_profile_id}
|
|
allowed_reusable = self.client.put(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}",
|
|
headers=headers,
|
|
json={"campaign_json": reusable_json},
|
|
)
|
|
self.assertEqual(allowed_reusable.status_code, 200, allowed_reusable.text)
|
|
|
|
def test_allowed_mail_profile_ids_gate_campaign_selection(self) -> None:
|
|
headers, _ = self._login()
|
|
created = self.client.post(
|
|
"/api/v1/campaigns/new",
|
|
headers=headers,
|
|
json={"external_id": "profile-selection-policy", "name": "Profile selection policy"},
|
|
)
|
|
self.assertEqual(created.status_code, 200, created.text)
|
|
campaign_id = created.json()["campaign"]["id"]
|
|
version_id = created.json()["version"]["id"]
|
|
|
|
profile = self.client.post(
|
|
"/api/v1/mail/profiles",
|
|
headers=headers,
|
|
json={
|
|
"name": "Tenant SMTP",
|
|
"smtp": {"host": "allowed.smtp.local", "port": 2525, "username": "sender@example.org", "password": "secret", "security": "starttls"},
|
|
},
|
|
)
|
|
self.assertEqual(profile.status_code, 201, profile.text)
|
|
profile_id = profile.json()["id"]
|
|
|
|
denied_policy = self.client.put(
|
|
f"/api/v1/mail/policies/campaign?scope_id={campaign_id}",
|
|
headers=headers,
|
|
json={"policy": {"allowed_profile_ids": ["not-the-profile"]}},
|
|
)
|
|
self.assertEqual(denied_policy.status_code, 200, denied_policy.text)
|
|
|
|
detail = self.client.get(f"/api/v1/campaigns/{campaign_id}/versions/{version_id}", headers=headers)
|
|
self.assertEqual(detail.status_code, 200, detail.text)
|
|
raw_json = detail.json()["raw_json"]
|
|
raw_json["server"] = {"mail_profile_id": profile_id}
|
|
denied_update = self.client.put(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}",
|
|
headers=headers,
|
|
json={"campaign_json": raw_json},
|
|
)
|
|
self.assertEqual(denied_update.status_code, 422, denied_update.text)
|
|
|
|
allowed_policy = self.client.put(
|
|
f"/api/v1/mail/policies/campaign?scope_id={campaign_id}",
|
|
headers=headers,
|
|
json={"policy": {"allowed_profile_ids": [profile_id]}},
|
|
)
|
|
self.assertEqual(allowed_policy.status_code, 200, allowed_policy.text)
|
|
allowed_update = self.client.put(
|
|
f"/api/v1/campaigns/{campaign_id}/versions/{version_id}",
|
|
headers=headers,
|
|
json={"campaign_json": raw_json},
|
|
)
|
|
self.assertEqual(allowed_update.status_code, 200, allowed_update.text)
|
|
|
|
def test_locked_mail_profile_credential_policy_blocks_campaign_override(self) -> None:
|
|
headers, _ = self._login()
|
|
profile = self.client.post(
|
|
"/api/v1/mail/profiles",
|
|
headers=headers,
|
|
json={
|
|
"name": "Locked credential SMTP",
|
|
"smtp": {
|
|
"host": "mock.smtp",
|
|
"port": 2525,
|
|
"security": "starttls",
|
|
},
|
|
"credentials": {
|
|
"smtp": {"username": "profile-smtp@example.org", "password": "profile-smtp-secret"},
|
|
},
|
|
},
|
|
)
|
|
self.assertEqual(profile.status_code, 201, profile.text)
|
|
profile_id = profile.json()["id"]
|
|
|
|
policy = self.client.put(
|
|
"/api/v1/mail/policies/tenant",
|
|
headers=headers,
|
|
json={"policy": {
|
|
"smtp_credentials": {"inherit": True},
|
|
"allow_lower_level_limits": {"smtp_credentials.inherit": False},
|
|
}},
|
|
)
|
|
self.assertEqual(policy.status_code, 200, policy.text)
|
|
self.assertEqual(policy.json()["effective_policy"]["smtp_credentials"]["inherit"], True)
|
|
self.assertEqual(policy.json()["effective_policy"]["allow_lower_level_limits"]["smtp_credentials.inherit"], False)
|
|
|
|
campaign_json = {
|
|
"version": "1.0",
|
|
"campaign": {"id": "locked-profile-creds", "name": "Locked profile creds", "mode": "test"},
|
|
"fields": [{"name": "first_name", "type": "string", "required": True}],
|
|
"global_values": {},
|
|
"server": {
|
|
"mail_profile_id": profile_id,
|
|
"inherit_smtp_credentials": False,
|
|
"credentials": {
|
|
"smtp": {"username": "campaign-smtp@example.org", "password": "campaign-smtp-secret"},
|
|
},
|
|
},
|
|
"recipients": {
|
|
"from": {"email": "sender@example.org", "name": "Sender", "type": "to"},
|
|
"to": [{"email": "recipient@example.org", "type": "to"}],
|
|
},
|
|
"template": {"subject": "Hello ${local::first_name}", "text": "Hello ${local::first_name}."},
|
|
"attachments": {"base_path": ".", "global": [], "allow_individual": False},
|
|
"entries": {"inline": [{"id": "recipient-1", "fields": {"first_name": "Recipient"}}]},
|
|
"validation_policy": {"missing_email": "block", "template_error": "block"},
|
|
"delivery": {"rate_limit": {"messages_per_minute": 60}, "retry": {"max_attempts": 3, "backoff_seconds": [1]}, "imap_append_sent": {"enabled": False}},
|
|
"status_tracking": {"enabled": True},
|
|
}
|
|
blocked = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(blocked.status_code, 422, blocked.text)
|
|
self.assertIn("locked", blocked.json()["detail"])
|
|
|
|
campaign_json["server"] = {"mail_profile_id": profile_id}
|
|
allowed = self.client.post("/api/v1/campaigns", headers=headers, json={"config": campaign_json})
|
|
self.assertEqual(allowed.status_code, 200, allowed.text)
|
|
|
|
def test_file_and_raw_mail_permissions_are_independently_enforced(self) -> None:
|
|
owner_headers, _ = self._login()
|
|
role = self._create_role(
|
|
owner_headers,
|
|
slug="uploader-and-mail-tester",
|
|
permissions=["files:read", "files:upload", "mail_servers:test"],
|
|
)
|
|
self._create_user(
|
|
owner_headers,
|
|
email="uploader@example.local",
|
|
password="uploader-password",
|
|
role_ids=[str(role["id"])],
|
|
)
|
|
headers, login = self._login_as(email="uploader@example.local", password="uploader-password")
|
|
user_id = login["user"]["id"]
|
|
uploaded = self.client.post(
|
|
"/api/v1/files/upload",
|
|
headers=headers,
|
|
data={"owner_type": "user", "owner_id": user_id, "path": ""},
|
|
files=[("files", ("allowed.txt", b"allowed", "text/plain"))],
|
|
)
|
|
self.assertEqual(uploaded.status_code, 200, uploaded.text)
|
|
file_id = uploaded.json()["files"][0]["id"]
|
|
self.assertEqual(self.client.get(f"/api/v1/files/{file_id}/download", headers=headers).status_code, 403)
|
|
self.assertEqual(self.client.delete(f"/api/v1/files/{file_id}", headers=headers).status_code, 403)
|
|
|
|
raw_test = self.client.post(
|
|
"/api/v1/mail/test-smtp",
|
|
headers=headers,
|
|
json={"host": "mock.smtp", "port": 2525, "username": "u", "password": "p", "security": "starttls"},
|
|
)
|
|
self.assertEqual(raw_test.status_code, 403, raw_test.text)
|
|
self.assertIn("manage_credentials", raw_test.json()["detail"])
|
|
|
|
def test_profile_refresh_and_system_role_protection_model(self) -> None:
|
|
headers, _ = self._login()
|
|
profile = self.client.patch(
|
|
"/api/v1/auth/profile",
|
|
headers=headers,
|
|
json={
|
|
"display_name": "Global Account Name",
|
|
"tenant_display_name": "Tenant Alias",
|
|
"ui_preferences": {
|
|
"compact_tables": True,
|
|
"show_inline_help_hints": False,
|
|
"reduce_motion": True,
|
|
"sticky_section_sidebars": False,
|
|
"theme": "dark",
|
|
},
|
|
},
|
|
)
|
|
self.assertEqual(profile.status_code, 200, profile.text)
|
|
self.assertEqual(profile.json()["user"]["display_name"], "Global Account Name")
|
|
self.assertEqual(profile.json()["user"]["tenant_display_name"], "Tenant Alias")
|
|
self.assertEqual(
|
|
profile.json()["user"]["ui_preferences"],
|
|
{
|
|
"compact_tables": True,
|
|
"show_inline_help_hints": False,
|
|
"reduce_motion": True,
|
|
"sticky_section_sidebars": False,
|
|
"theme": "dark",
|
|
},
|
|
)
|
|
refreshed = self.client.get("/api/v1/auth/me", headers=headers)
|
|
self.assertEqual(refreshed.status_code, 200, refreshed.text)
|
|
self.assertEqual(refreshed.json()["user"]["display_name"], "Global Account Name")
|
|
self.assertEqual(refreshed.json()["user"]["tenant_display_name"], "Tenant Alias")
|
|
self.assertEqual(refreshed.json()["user"]["ui_preferences"]["theme"], "dark")
|
|
self.assertFalse(refreshed.json()["user"]["ui_preferences"]["show_inline_help_hints"])
|
|
|
|
roles = self.client.get("/api/v1/admin/system/roles", headers=headers)
|
|
self.assertEqual(roles.status_code, 200, roles.text)
|
|
owner = next(item for item in roles.json()["roles"] if item["slug"] == "system_owner")
|
|
administrator = next(item for item in roles.json()["roles"] if item["slug"] == "system_admin")
|
|
auditor = next(item for item in roles.json()["roles"] if item["slug"] == "system_auditor")
|
|
self.assertTrue(owner["is_builtin"])
|
|
self.assertEqual(owner["user_assignments"], 1)
|
|
self.assertEqual(owner["effective_permission_count"], len(SYSTEM_SCOPES))
|
|
self.assertEqual(owner["permissions"], ["system:*"])
|
|
self.assertFalse(administrator["is_builtin"])
|
|
self.assertFalse(auditor["is_builtin"])
|
|
|
|
blocked_owner_edit = self.client.patch(
|
|
f"/api/v1/admin/system/roles/{owner['id']}",
|
|
headers=headers,
|
|
json={"name": "Changed owner"},
|
|
)
|
|
self.assertEqual(blocked_owner_edit.status_code, 409, blocked_owner_edit.text)
|
|
edited_admin = self.client.patch(
|
|
f"/api/v1/admin/system/roles/{administrator['id']}",
|
|
headers=headers,
|
|
json={"name": "Platform administrator"},
|
|
)
|
|
self.assertEqual(edited_admin.status_code, 200, edited_admin.text)
|
|
self.assertEqual(edited_admin.json()["name"], "Platform administrator")
|
|
|
|
|
|
|
|
def test_admin_audit_supports_lazy_pagination_sorting_and_filters(self) -> None:
|
|
headers, _ = self._login()
|
|
for index in range(5):
|
|
updated = self.client.patch(
|
|
"/api/v1/admin/system/settings",
|
|
headers=headers,
|
|
json={
|
|
"default_locale": f"en-{index}",
|
|
"allow_tenant_custom_groups": True,
|
|
"allow_tenant_custom_roles": True,
|
|
"allow_tenant_api_keys": True,
|
|
},
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
|
|
first_page = self.client.get(
|
|
"/api/v1/admin/audit",
|
|
headers=headers,
|
|
params={
|
|
"scope": "system",
|
|
"page": 1,
|
|
"page_size": 2,
|
|
"sort_by": "action",
|
|
"sort_direction": "asc",
|
|
"filter_action": "system_settings",
|
|
},
|
|
)
|
|
self.assertEqual(first_page.status_code, 200, first_page.text)
|
|
payload = first_page.json()
|
|
self.assertEqual(payload["page"], 1)
|
|
self.assertEqual(payload["page_size"], 2)
|
|
self.assertGreaterEqual(payload["total"], 5)
|
|
self.assertEqual(len(payload["items"]), 2)
|
|
self.assertTrue(all("system_settings" in item["action"] for item in payload["items"]))
|
|
|
|
second_page = self.client.get(
|
|
"/api/v1/admin/audit",
|
|
headers=headers,
|
|
params={
|
|
"scope": "system",
|
|
"page": 2,
|
|
"page_size": 2,
|
|
"filter_actor": "admin@example.local",
|
|
},
|
|
)
|
|
self.assertEqual(second_page.status_code, 200, second_page.text)
|
|
self.assertEqual(second_page.json()["page"], 2)
|
|
self.assertEqual(len(second_page.json()["items"]), 2)
|
|
|
|
|
|
def test_admin_audit_cursor_pagination_is_stable_after_newer_insert(self) -> None:
|
|
headers, _ = self._login()
|
|
for index in range(6):
|
|
updated = self.client.patch(
|
|
"/api/v1/admin/system/settings",
|
|
headers=headers,
|
|
json={
|
|
"default_locale": f"en-{index}",
|
|
"allow_tenant_custom_groups": True,
|
|
"allow_tenant_custom_roles": True,
|
|
"allow_tenant_api_keys": True,
|
|
},
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
|
|
first_page = self.client.get(
|
|
"/api/v1/admin/audit",
|
|
headers=headers,
|
|
params={
|
|
"scope": "system",
|
|
"page": 1,
|
|
"page_size": 2,
|
|
"sort_by": "time",
|
|
"sort_direction": "desc",
|
|
"filter_action": "system_settings",
|
|
},
|
|
)
|
|
self.assertEqual(first_page.status_code, 200, first_page.text)
|
|
first_payload = first_page.json()
|
|
self.assertTrue(first_payload["next_cursor"])
|
|
|
|
second_page = self.client.get(
|
|
"/api/v1/admin/audit",
|
|
headers=headers,
|
|
params={
|
|
"scope": "system",
|
|
"page": 2,
|
|
"page_size": 2,
|
|
"cursor": first_payload["next_cursor"],
|
|
"sort_by": "time",
|
|
"sort_direction": "desc",
|
|
"filter_action": "system_settings",
|
|
},
|
|
)
|
|
self.assertEqual(second_page.status_code, 200, second_page.text)
|
|
second_payload = second_page.json()
|
|
second_page_ids = [item["id"] for item in second_payload["items"]]
|
|
self.assertEqual(second_payload["cursor"], first_payload["next_cursor"])
|
|
self.assertEqual(len(second_page_ids), 2)
|
|
|
|
second_page_full_delta = self.client.get(
|
|
"/api/v1/admin/audit/delta",
|
|
headers=headers,
|
|
params={
|
|
"scope": "system",
|
|
"page_size": 2,
|
|
"cursor": first_payload["next_cursor"],
|
|
"sort_by": "time",
|
|
"sort_direction": "desc",
|
|
"filter_action": "system_settings",
|
|
},
|
|
)
|
|
self.assertEqual(second_page_full_delta.status_code, 200, second_page_full_delta.text)
|
|
full_delta_payload = second_page_full_delta.json()
|
|
self.assertTrue(full_delta_payload["full"])
|
|
self.assertEqual([item["id"] for item in full_delta_payload["items"]], second_page_ids)
|
|
|
|
time.sleep(0.01)
|
|
updated = self.client.patch(
|
|
"/api/v1/admin/system/settings",
|
|
headers=headers,
|
|
json={
|
|
"default_locale": "en-cursor",
|
|
"allow_tenant_custom_groups": True,
|
|
"allow_tenant_custom_roles": True,
|
|
"allow_tenant_api_keys": True,
|
|
},
|
|
)
|
|
self.assertEqual(updated.status_code, 200, updated.text)
|
|
|
|
second_page_after_insert = self.client.get(
|
|
"/api/v1/admin/audit",
|
|
headers=headers,
|
|
params={
|
|
"scope": "system",
|
|
"page": 2,
|
|
"page_size": 2,
|
|
"cursor": first_payload["next_cursor"],
|
|
"sort_by": "time",
|
|
"sort_direction": "desc",
|
|
"filter_action": "system_settings",
|
|
},
|
|
)
|
|
self.assertEqual(second_page_after_insert.status_code, 200, second_page_after_insert.text)
|
|
self.assertEqual([item["id"] for item in second_page_after_insert.json()["items"]], second_page_ids)
|
|
|
|
cursor_delta = self.client.get(
|
|
"/api/v1/admin/audit/delta",
|
|
headers=headers,
|
|
params={
|
|
"scope": "system",
|
|
"page_size": 2,
|
|
"cursor": first_payload["next_cursor"],
|
|
"sort_by": "time",
|
|
"sort_direction": "desc",
|
|
"filter_action": "system_settings",
|
|
"since": full_delta_payload["watermark"],
|
|
},
|
|
)
|
|
self.assertEqual(cursor_delta.status_code, 200, cursor_delta.text)
|
|
cursor_delta_payload = cursor_delta.json()
|
|
self.assertFalse(cursor_delta_payload["full"])
|
|
self.assertEqual(cursor_delta_payload["items"], [])
|
|
|
|
|
|
def test_tenant_owner_selection_audit_scope_and_last_owner_protection(self) -> None:
|
|
headers, _ = self._login()
|
|
created_account = self.client.post(
|
|
"/api/v1/admin/system/accounts",
|
|
headers=headers,
|
|
json={
|
|
"email": "selected-owner@example.local",
|
|
"display_name": "Selected Owner",
|
|
"password": "selected-owner-password",
|
|
"password_reset_required": False,
|
|
"is_active": True,
|
|
"role_ids": [],
|
|
"memberships": [],
|
|
},
|
|
)
|
|
self.assertEqual(created_account.status_code, 201, created_account.text)
|
|
account_id = created_account.json()["account"]["account_id"]
|
|
|
|
candidates = self.client.get("/api/v1/admin/tenants/owner-candidates", headers=headers)
|
|
self.assertEqual(candidates.status_code, 200, candidates.text)
|
|
self.assertIn(account_id, {item["account_id"] for item in candidates.json()["accounts"]})
|
|
|
|
created_tenant = self.client.post(
|
|
"/api/v1/admin/tenants",
|
|
headers=headers,
|
|
json={
|
|
"slug": "selected-owner",
|
|
"name": "Selected owner tenant",
|
|
"owner_account_id": account_id,
|
|
"settings": {},
|
|
},
|
|
)
|
|
self.assertEqual(created_tenant.status_code, 201, created_tenant.text)
|
|
tenant_id = created_tenant.json()["id"]
|
|
|
|
system_audit = self.client.get(
|
|
"/api/v1/admin/audit?scope=system&limit=500",
|
|
headers=headers,
|
|
)
|
|
self.assertEqual(system_audit.status_code, 200, system_audit.text)
|
|
tenant_created_rows = [
|
|
item for item in system_audit.json()["items"]
|
|
if item["action"] == "tenant.created" and item["object_id"] == tenant_id
|
|
]
|
|
self.assertEqual(len(tenant_created_rows), 1)
|
|
self.assertEqual(tenant_created_rows[0]["scope"], "system")
|
|
|
|
owner_headers, _ = self._login_as(
|
|
email="selected-owner@example.local",
|
|
password="selected-owner-password",
|
|
tenant_slug="selected-owner",
|
|
)
|
|
users = self.client.get("/api/v1/admin/users", headers=owner_headers)
|
|
self.assertEqual(users.status_code, 200, users.text)
|
|
owner = next(item for item in users.json()["users"] if item["account_id"] == account_id)
|
|
self.assertTrue(owner["is_owner"])
|
|
self.assertTrue(owner["is_last_active_owner"])
|
|
|
|
tenant_audit = self.client.get(
|
|
"/api/v1/admin/audit?scope=tenant&limit=500",
|
|
headers=owner_headers,
|
|
)
|
|
self.assertEqual(tenant_audit.status_code, 200, tenant_audit.text)
|
|
self.assertFalse(any(item["action"] == "tenant.created" for item in tenant_audit.json()["items"]))
|
|
self.assertTrue(all(item["scope"] == "tenant" for item in tenant_audit.json()["items"]))
|
|
|
|
blocked = self.client.patch(
|
|
f"/api/v1/admin/users/{owner['id']}",
|
|
headers=owner_headers,
|
|
json={"is_active": False},
|
|
)
|
|
self.assertEqual(blocked.status_code, 409, blocked.text)
|
|
|
|
accounts = self.client.get("/api/v1/admin/system/accounts", headers=headers)
|
|
self.assertEqual(accounts.status_code, 200, accounts.text)
|
|
selected = next(item for item in accounts.json()["accounts"] if item["account_id"] == account_id)
|
|
selected_membership = next(item for item in selected["memberships"] if item["tenant_id"] == tenant_id)
|
|
self.assertTrue(selected_membership["is_owner"])
|
|
self.assertTrue(selected_membership["is_last_active_owner"])
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main()
|