orquestrador/tests/test_admin_system_configuration_web.py

import unittest

from fastapi.testclient import TestClient

from admin_app.app_factory import create_app
from admin_app.core import AdminSettings, AuthenticatedStaffPrincipal
from admin_app.api.dependencies import get_current_staff_principal
from shared.contracts import StaffRole


class AdminSystemConfigurationWebTests(unittest.TestCase):
    def _build_client_with_role(
        self,
        role: StaffRole,
        settings: AdminSettings | None = None,
    ) -> tuple[TestClient, object]:
        app = create_app(
            settings
            or AdminSettings(
                admin_auth_token_secret="test-secret",
                admin_api_prefix="/admin",
                admin_environment="development",
                admin_debug=True,
            )
        )
        app.dependency_overrides[get_current_staff_principal] = lambda: AuthenticatedStaffPrincipal(
            id=10,
            email="staff@empresa.com",
            display_name="Equipe Interna",
            role=role,
            is_active=True,
        )
        return TestClient(app), app

    def test_configuration_routes_require_manage_settings_permission(self):
        client, app = self._build_client_with_role(StaffRole.COLABORADOR)
        try:
            response = client.get("/admin/system/configuration", headers={"Authorization": "Bearer token"})
        finally:
            app.dependency_overrides.clear()

        self.assertEqual(response.status_code, 403)
        self.assertEqual(
            response.json()["detail"],
            "Permissao administrativa insuficiente: 'manage_settings'.",
        )

    def test_configuration_overview_returns_runtime_security_and_sources(self):
        settings = AdminSettings(
            admin_auth_token_secret="test-secret",
            admin_app_name="Admin Interno",
            admin_environment="development",
            admin_version="0.9.0",
            admin_api_prefix="/admin",
            admin_debug=True,
            admin_db_host="db.internal",
            admin_db_port=3307,
            admin_db_name="orquestrador_admin_dev",
            admin_db_cloud_sql_connection_name="project:region:instance",
            admin_auth_password_pepper="pepper",
            admin_auth_access_token_ttl_minutes=45,
            admin_auth_refresh_token_ttl_days=10,
            admin_bootstrap_enabled=True,
            admin_bootstrap_email="bootstrap@empresa.com",
            admin_bootstrap_display_name="Bootstrap Admin",
            admin_bootstrap_password="SenhaMuitoSegura!123",
            admin_bootstrap_role="diretor",
        )
        client, app = self._build_client_with_role(StaffRole.DIRETOR, settings)
        try:
            response = client.get("/admin/system/configuration", headers={"Authorization": "Bearer token"})
        finally:
            app.dependency_overrides.clear()

        self.assertEqual(response.status_code, 200)
        payload = response.json()
        self.assertEqual(payload["service"], "orquestrador-admin")
        self.assertEqual(payload["runtime"]["application"]["app_name"], "Admin Interno")
        self.assertEqual(payload["runtime"]["database"]["host"], "db.internal")
        self.assertTrue(payload["runtime"]["database"]["cloud_sql_configured"])
        self.assertEqual(payload["runtime"]["panel_session"]["cookie_path"], "/admin")
        self.assertFalse(payload["runtime"]["panel_session"]["secure_cookies"])
        self.assertEqual(payload["security"]["tokens"]["access_token_ttl_minutes"], 45)
        self.assertTrue(payload["security"]["password"]["pepper_configured"])
        self.assertTrue(payload["security"]["bootstrap"]["enabled"])
        self.assertTrue(payload["security"]["bootstrap"]["password_configured"])
        self.assertEqual(payload["write_governance"]["mode"], "admin_internal_tables_only")
        self.assertIn("staff_accounts", payload["write_governance"]["allowed_direct_write_tables"])
        self.assertIn("orders", payload["write_governance"]["blocked_product_source_tables"])
        self.assertIn("panel_session", [item["key"] for item in payload["sources"]])
        self.assertIn("admin_write_governance", [item["key"] for item in payload["sources"]])

    def test_runtime_configuration_route_exposes_panel_cookie_metadata(self):
        settings = AdminSettings(
            admin_auth_token_secret="test-secret",
            admin_api_prefix="/admin",
            admin_environment="production",
            admin_debug=False,
        )
        client, app = self._build_client_with_role(StaffRole.DIRETOR, settings)
        try:
            response = client.get("/admin/system/configuration/runtime", headers={"Authorization": "Bearer token"})
        finally:
            app.dependency_overrides.clear()

        self.assertEqual(response.status_code, 200)
        runtime = response.json()["runtime"]
        self.assertEqual(runtime["panel_session"]["access_cookie_name"], "orquestrador_admin_panel_access")
        self.assertEqual(runtime["panel_session"]["refresh_cookie_name"], "orquestrador_admin_panel_refresh")
        self.assertEqual(runtime["panel_session"]["same_site"], "lax")
        self.assertTrue(runtime["panel_session"]["secure_cookies"])

    def test_security_configuration_route_returns_credential_strategy_snapshot(self):
        settings = AdminSettings(
            admin_auth_token_secret="test-secret",
            admin_api_prefix="/admin",
            admin_auth_password_min_length=14,
            admin_auth_token_issuer="admin-runtime",
            admin_auth_refresh_token_bytes=48,
            admin_bootstrap_enabled=True,
            admin_bootstrap_role="diretor",
        )
        client, app = self._build_client_with_role(StaffRole.DIRETOR, settings)
        try:
            response = client.get("/admin/system/configuration/security", headers={"Authorization": "Bearer token"})
        finally:
            app.dependency_overrides.clear()

        self.assertEqual(response.status_code, 200)
        security = response.json()["security"]
        self.assertEqual(security["password"]["min_length"], 14)
        self.assertEqual(security["tokens"]["issuer"], "admin-runtime")
        self.assertEqual(security["tokens"]["refresh_token_bytes"], 48)
        self.assertEqual(security["bootstrap"]["role"], "diretor")


    def test_write_governance_route_exposes_internal_allowlist_and_product_blocks(self):
        settings = AdminSettings(
            admin_auth_token_secret="test-secret",
            admin_api_prefix="/admin",
        )
        client, app = self._build_client_with_role(StaffRole.DIRETOR, settings)
        try:
            response = client.get("/admin/system/configuration/write-governance", headers={"Authorization": "Bearer token"})
        finally:
            app.dependency_overrides.clear()

        self.assertEqual(response.status_code, 200)
        payload = response.json()["write_governance"]
        self.assertEqual(payload["mode"], "admin_internal_tables_only")
        self.assertIn("staff_sessions", payload["allowed_direct_write_tables"])
        self.assertIn("conversation_turns", payload["blocked_product_source_tables"])
        self.assertIn("channel_operation_policy", payload["governed_configuration_keys"])


if __name__ == "__main__":
    unittest.main()