heartbeat/tests/test_oauth.py

import time as time_mod

import pytest

from hbd.server import oauth


CFG_OFF = {}
CFG_ON = {
    "oauth": {
        "gitea": {
            "url": "https://git.example.com",
            "client_id": "cid",
            "client_secret": "csec",
        }
    }
}
CFG_PARTIAL = {"oauth": {"gitea": {"url": "https://git.example.com"}}}


@pytest.fixture(autouse=True)
def clear_oauth_states():
    oauth._states.clear()
    yield
    oauth._states.clear()


def test_is_enabled_when_all_keys_present():
    assert oauth.is_enabled(CFG_ON) is True


def test_is_enabled_false_when_no_oauth_key():
    assert oauth.is_enabled(CFG_OFF) is False


def test_is_enabled_false_when_partial_config():
    assert oauth.is_enabled(CFG_PARTIAL) is False


def test_make_state_returns_unique_tokens():
    s1 = oauth.make_state()
    s2 = oauth.make_state()
    assert s1 != s2
    assert len(s1) == 64  # 32 bytes hex


def test_validate_state_valid():
    state = oauth.make_state()
    assert oauth.validate_state(state) is True


def test_validate_state_consumed_on_use():
    state = oauth.make_state()
    oauth.validate_state(state)
    assert oauth.validate_state(state) is False  # replay rejected


def test_validate_state_unknown():
    assert oauth.validate_state("notastate") is False


def test_validate_state_expired(monkeypatch):
    state = oauth.make_state()
    # Wind expiry into the past
    monkeypatch.setitem(oauth._states, state, time_mod.time() - 1000)
    assert oauth.validate_state(state) is False