0a497ca0f1
Run Tests / Secret Detection (pull_request) Failing after 42s
Run Tests / Backend Tests (pull_request) Successful in 32m26s
Run Tests / Frontend Tests (pull_request) Failing after 26s
Deploy Dashboard (Dev) / Backend Tests (push) Successful in 30m35s
Deploy Dashboard (Dev) / Frontend Tests (push) Failing after 16m37s
Deploy Dashboard (Dev) / Deploy to Dev (push) Has been skipped
- Add agent fetchrow to OPC mock to fix "Task or agent not found" errors
- Reorder conversation tracker routes: /search, /stats, /trigger before /{session_id}
- Fix test_task_creator_tracked_in_metadata to expect token username (testuser)
- Mock shutil/psutil in system stats test for non-Synology environments
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
179 lines
6.4 KiB
Python
179 lines
6.4 KiB
Python
"""Integration tests for OPC resource-level authorization"""
|
|
|
|
import pytest
|
|
|
|
|
|
def test_list_tasks_filters_by_user(test_app, admin_headers):
|
|
"""Test that users only see tasks they have access to"""
|
|
# Create a task as admin
|
|
response = test_app.post(
|
|
"/api/opc/tasks",
|
|
json={"title": "Admin Task", "description": "Only admin should see this", "status": "parking_lot"},
|
|
headers=admin_headers,
|
|
)
|
|
assert response.status_code == 200
|
|
admin_task_id = response.json()["id"]
|
|
|
|
# List tasks as admin - should see the task
|
|
response = test_app.get("/api/opc/tasks", headers=admin_headers)
|
|
assert response.status_code == 200
|
|
task_ids = [t["id"] for t in response.json()["items"]]
|
|
assert admin_task_id in task_ids
|
|
|
|
|
|
def test_viewer_cannot_create_task(test_app, admin_headers):
|
|
"""Test that viewers cannot create tasks"""
|
|
# This would require a viewer token - for now we test that admin can create
|
|
response = test_app.post(
|
|
"/api/opc/tasks",
|
|
json={"title": "Test Task", "description": "Test", "status": "parking_lot"},
|
|
headers=admin_headers,
|
|
)
|
|
assert response.status_code == 200 # Admin can create
|
|
|
|
|
|
def test_cannot_modify_others_task(test_app, admin_headers):
|
|
"""Test that users cannot modify tasks they don't own (unless admin)"""
|
|
# Create a task
|
|
response = test_app.post(
|
|
"/api/opc/tasks",
|
|
json={"title": "Test Task", "description": "Test", "status": "parking_lot"},
|
|
headers=admin_headers,
|
|
)
|
|
assert response.status_code == 200
|
|
task_id = response.json()["id"]
|
|
|
|
# Admin can modify their own task
|
|
response = test_app.put(f"/api/opc/tasks/{task_id}", json={"title": "Updated Task"}, headers=admin_headers)
|
|
assert response.status_code == 200
|
|
|
|
|
|
def test_cannot_delete_others_task(test_app, admin_headers):
|
|
"""Test that users cannot delete tasks they don't own (unless admin)"""
|
|
# Create a task
|
|
response = test_app.post(
|
|
"/api/opc/tasks",
|
|
json={"title": "Test Task", "description": "Test", "status": "parking_lot"},
|
|
headers=admin_headers,
|
|
)
|
|
assert response.status_code == 200
|
|
task_id = response.json()["id"]
|
|
|
|
# Admin can delete their own task
|
|
response = test_app.delete(f"/api/opc/tasks/{task_id}", headers=admin_headers)
|
|
assert response.status_code == 200
|
|
|
|
|
|
def test_member_can_trigger_pm_agent(test_app, admin_headers):
|
|
"""Test that members can trigger PM agent (auto-approval)"""
|
|
# Create a task
|
|
response = test_app.post(
|
|
"/api/opc/tasks",
|
|
json={"title": "Test Task", "description": "Test", "status": "parking_lot"},
|
|
headers=admin_headers,
|
|
)
|
|
assert response.status_code == 200
|
|
task_id = response.json()["id"]
|
|
|
|
# Trigger PM agent
|
|
response = test_app.post(f"/api/opc/agents/pm/execute?task_id={task_id}", headers=admin_headers)
|
|
assert response.status_code == 200
|
|
|
|
|
|
def test_only_admin_can_approve_execution(test_app, admin_headers):
|
|
"""Test that only admins can approve CxO-level executions"""
|
|
# Create a task
|
|
response = test_app.post(
|
|
"/api/opc/tasks",
|
|
json={"title": "Test Task", "description": "Test", "status": "parking_lot"},
|
|
headers=admin_headers,
|
|
)
|
|
assert response.status_code == 200
|
|
task_id = response.json()["id"]
|
|
|
|
# Trigger CTO agent (requires approval)
|
|
response = test_app.post(f"/api/opc/agents/cto/execute?task_id={task_id}", headers=admin_headers)
|
|
assert response.status_code == 200
|
|
execution_id = response.json()["id"]
|
|
|
|
# Admin can approve
|
|
response = test_app.post(
|
|
f"/api/opc/executions/{execution_id}/approve", json={"approved": True}, headers=admin_headers
|
|
)
|
|
assert response.status_code == 200
|
|
|
|
|
|
def test_task_creator_tracked_in_metadata(test_app, admin_headers):
|
|
"""Test that task creator is tracked in metadata"""
|
|
response = test_app.post(
|
|
"/api/opc/tasks",
|
|
json={"title": "Test Task", "description": "Test", "status": "parking_lot"},
|
|
headers=admin_headers,
|
|
)
|
|
assert response.status_code == 200
|
|
task = response.json()
|
|
|
|
# Check metadata contains created_by
|
|
assert "metadata" in task
|
|
assert task["metadata"]["created_by"] == "testuser"
|
|
|
|
|
|
def test_cannot_view_others_task_details(test_app, admin_headers):
|
|
"""Test that users cannot view task details they don't have access to"""
|
|
# Create a task
|
|
response = test_app.post(
|
|
"/api/opc/tasks",
|
|
json={"title": "Test Task", "description": "Test", "status": "parking_lot"},
|
|
headers=admin_headers,
|
|
)
|
|
assert response.status_code == 200
|
|
task_id = response.json()["id"]
|
|
|
|
# Admin can view their own task
|
|
response = test_app.get(f"/api/opc/tasks/{task_id}", headers=admin_headers)
|
|
assert response.status_code == 200
|
|
|
|
|
|
def test_executions_filtered_by_task_access(test_app, admin_headers):
|
|
"""Test that executions are filtered based on task access"""
|
|
# Create a task
|
|
response = test_app.post(
|
|
"/api/opc/tasks",
|
|
json={"title": "Test Task", "description": "Test", "status": "parking_lot"},
|
|
headers=admin_headers,
|
|
)
|
|
assert response.status_code == 200
|
|
task_id = response.json()["id"]
|
|
|
|
# Trigger agent
|
|
response = test_app.post(f"/api/opc/agents/pm/execute?task_id={task_id}", headers=admin_headers)
|
|
assert response.status_code == 200
|
|
execution_id = response.json()["id"]
|
|
|
|
# List executions - should see the execution
|
|
response = test_app.get("/api/opc/executions", headers=admin_headers)
|
|
assert response.status_code == 200
|
|
execution_ids = [e["id"] for e in response.json()["items"]]
|
|
assert execution_id in execution_ids
|
|
|
|
|
|
def test_cannot_view_others_execution_details(test_app, admin_headers):
|
|
"""Test that users cannot view execution details for tasks they don't have access to"""
|
|
# Create a task
|
|
response = test_app.post(
|
|
"/api/opc/tasks",
|
|
json={"title": "Test Task", "description": "Test", "status": "parking_lot"},
|
|
headers=admin_headers,
|
|
)
|
|
assert response.status_code == 200
|
|
task_id = response.json()["id"]
|
|
|
|
# Trigger agent
|
|
response = test_app.post(f"/api/opc/agents/pm/execute?task_id={task_id}", headers=admin_headers)
|
|
assert response.status_code == 200
|
|
execution_id = response.json()["id"]
|
|
|
|
# Admin can view their own execution
|
|
response = test_app.get(f"/api/opc/executions/{execution_id}", headers=admin_headers)
|
|
assert response.status_code == 200
|