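import unittest
from datetime import datetime, timedelta, timezone

from admin_app.core import AdminSecurityService, AdminSettings, AuthenticatedStaffPrincipal
from shared.contracts import StaffRole


class AdminSecurityServiceTests(unittest.TestCase):
    """Unit tests for AdminSecurityService.

    Covers password hashing/verification, the password-strength rule,
    access-token issue/decode round trip, refresh-token hashing and the
    refresh-token expiry. The service is built from AdminSettings with
    fixed test-only values so no real secret or pepper is needed here.
    """

    def setUp(self):
        # Constructed test values only; they stand in for the real token
        # secret and password pepper the service would otherwise be given.
        self.settings = AdminSettings(
            admin_auth_token_secret="test-secret",
            admin_auth_password_pepper="pepper",
        )
        self.security_service = AdminSecurityService(self.settings)

    def test_hash_password_and_verify_round_trip(self):
        """The original password verifies against its hash; a wrong one does not."""
        password_hash = self.security_service.hash_password("SenhaMuitoSegura!123")
        self.assertTrue(self.security_service.verify_password("SenhaMuitoSegura!123", password_hash))
        self.assertFalse(self.security_service.verify_password("senha-errada", password_hash))
        # NOTE(review): if hash_password is salted, two hashes of the same
        # password should differ; assert that once the scheme is confirmed.

    def test_validate_password_strength_rejects_weak_password(self):
        """A short, trivial password is rejected with ValueError."""
        with self.assertRaises(ValueError):
            self.security_service.validate_password_strength("fraca")

    def test_issue_and_decode_access_token_round_trip(self):
        """Claims decoded from an issued access token match the principal and session."""
        principal = AuthenticatedStaffPrincipal(
            id=7,
            email="admin@empresa.com",
            display_name="Admin",
            role=StaffRole.ADMIN,
            is_active=True,
        )
        token = self.security_service.issue_access_token(principal, session_id=99)
        claims = self.security_service.decode_access_token(token)
        # `sub` carries the principal id as a string; `sid` stays an int.
        self.assertEqual(claims.sub, "7")
        self.assertEqual(claims.sid, 99)
        self.assertEqual(claims.email, "admin@empresa.com")
        self.assertEqual(claims.role, StaffRole.ADMIN)
        self.assertEqual(claims.token_type, "access")
        # NOTE(review): nothing here checks that a tampered or expired token
        # is rejected by decode_access_token; add that once its failure mode
        # (exception type vs. None) is confirmed.

    def test_refresh_token_hash_is_stable_for_same_token(self):
        """Hashing one refresh token twice yields the same digest."""
        refresh_token = self.security_service.generate_refresh_token()
        self.assertEqual(
            self.security_service.hash_refresh_token(refresh_token),
            self.security_service.hash_refresh_token(refresh_token),
        )

    def test_refresh_token_hash_differs_for_distinct_tokens(self):
        """Two freshly generated refresh tokens differ, and so do their hashes."""
        first = self.security_service.generate_refresh_token()
        second = self.security_service.generate_refresh_token()
        self.assertNotEqual(first, second)
        self.assertNotEqual(
            self.security_service.hash_refresh_token(first),
            self.security_service.hash_refresh_token(second),
        )

    def test_build_refresh_token_expiry_uses_refresh_ttl(self):
        """The refresh expiry is timezone-aware and lies more than six days ahead."""
        expires_at = self.security_service.build_refresh_token_expiry()
        # Comparing a naive datetime with an aware one raises TypeError, so
        # the awareness requirement is made explicit rather than incidental.
        self.assertIsNotNone(expires_at.tzinfo)
        min_expected = datetime.now(timezone.utc) + timedelta(days=6)
        self.assertGreater(expires_at, min_expected)
        # NOTE(review): only a lower bound is checked; an over-long refresh
        # TTL would still pass. Add an upper bound once the settings field
        # holding the refresh TTL is known.


if __name__ == "__main__":
    unittest.main()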