Files
alembic/tests/test_credential_service.py
T
andrew e49d12a72b Add test suite (T1)
First automated coverage. 38 tests, run against the built image (which has the
app deps); tests/ and requirements-dev.txt are not baked into the runtime image.

- tests/test_dedup_gating.py: the safety-critical one. Drives dedup-library.sh's
  process_group with --apply + --only-paths and asserts ONLY the confirmed path
  is deleted and the higher-ranked FLAC is kept.
- tests/test_pipeline_runner.py: lock skip, use_lock=False bypass, lock release,
  success/failure/timeout recording.
- tests/test_db.py: schema version + idempotent migrations, FK-safe job-run
  pruning, stale-run reconciliation.
- tests/test_credential_service.py: conf-field substitution incl. newline-
  injection safety, secret/non-secret classification, cookie-expiry parsing.
- tests/test_playlist_service.py: cron round-trips, name validation, render.
- tests/test_diagnostics.py: /health + /setup checks.
- conftest.py points every path setting at throwaway temp dirs and a temp DB, so
  tests never touch a real library, /config, or the network. See tests/README.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-10 16:00:07 -06:00

60 lines
2.2 KiB
Python

import os
import stat
from app.services import credential_service as cs
from app.services import playlist_service as pl
def test_set_conf_field_replaces_existing():
text = "user = OLD\npass = OLD\n"
out = cs._set_conf_field(text, "user", "newuser")
assert "user = newuser" in out
assert "pass = OLD" in out # other lines untouched
def test_set_conf_field_appends_when_absent():
out = cs._set_conf_field("input = x\n", "user", "bob")
assert out.rstrip().endswith("user = bob")
def test_set_conf_field_strips_newlines():
# a newline in a value must not inject a second config line
out = cs._set_conf_field("user = x\n", "user", "bad\nname = injected")
assert "\nname = injected" not in out
assert "user = badname = injected" in out
def test_secret_keys_classification():
assert "password" in cs.SECRET_KEYS
assert "client_secret" in cs.SECRET_KEYS
# identifiers/urls/prefs are NOT secret (shown as text in the UI)
assert "username" not in cs.SECRET_KEYS
assert "base_url" not in cs.SECRET_KEYS
assert "region" not in cs.SECRET_KEYS
def test_render_playlist_confs_injects_creds_safely(db, config_dir):
cs.set_credentials(db, "spotify", {"client_id": "CID", "client_secret": "CSECRET"})
# a password containing shell metacharacters must land literally
cs.set_credentials(db, "soulseek", {"username": "seek", "password": "p'a$(id)ss"})
pl.create(db, name="rtest", spotify_url="https://open.spotify.com/playlist/Z")
conf = config_dir / "pipeline" / "rtest.conf"
text = conf.read_text()
assert "user = seek" in text
assert "pass = p'a$(id)ss" in text
assert "spotify-id = CID" in text
assert "spotify-secret = CSECRET" in text
# rendered config must be owner-only (holds the Soulseek password)
assert stat.S_IMODE(os.stat(conf).st_mode) == 0o600
def test_bandcamp_cookie_expiry_parsing():
jar = "\n".join([
"# Netscape HTTP Cookie File",
"\t".join([".bandcamp.com", "TRUE", "/", "TRUE", "1893456000", "identity", "abc"]),
])
exp = cs._bandcamp_cookie_expiry(jar)
assert exp == 1893456000.0
assert cs._bandcamp_cookie_expiry("no identity cookie here") is None