| """ | |
| Tests for admin endpoints | |
| Covers: | |
| - Admin user management CRUD | |
| - RBAC enforcement on admin routes | |
| - Analytics endpoints | |
| """ | |
import uuid

import pytest
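class TestAdminUserManagement:
    """Admin user-management endpoints: listing and creating users.

    Every test hits ``/api/admin/users`` through the ``client`` fixture with
    either ``admin_auth_headers`` or ``test_user_auth_headers``; the fixtures
    are defined outside this file.
    """

    # Credential material the create endpoint hands back once (see
    # test_create_user_as_admin). It must never show up again in a listing.
    # NOTE(review): the stored password-hash field name is not visible from
    # this file; add it here once known.
    SENSITIVE_FIELDS = ("password", "totp_secret")

    def test_list_users_as_admin(self, client, admin_auth_headers):
        """Admin can list users, and the listing carries no credential fields."""
        response = client.get("/api/admin/users", headers=admin_auth_headers)
        assert response.status_code == 200
        users = response.json()
        assert isinstance(users, list)
        # At least the admin account making the request must be present.
        assert len(users) >= 1
        for user in users:
            assert isinstance(user, dict)
            for field in self.SENSITIVE_FIELDS:
                assert field not in user, f"user listing leaks {field!r}"

    def test_list_users_as_regular_user(self, client, test_user_auth_headers):
        """A non-admin caller is refused with 403."""
        response = client.get("/api/admin/users", headers=test_user_auth_headers)
        assert response.status_code == 403

    def test_list_users_unauthorized(self, client):
        """An anonymous request is refused with 401."""
        response = client.get("/api/admin/users")
        assert response.status_code == 401

    def test_list_users_with_invalid_token(self, client):
        """A forged or garbage token must be rejected, never treated as a user.

        The exact status is not the point (some stacks answer 401, others 403
        for a token that fails validation); what matters is that the request
        never reaches the handler.
        """
        # NOTE(review): assumes a bearer-token scheme. If the app uses a
        # different header, this request is simply anonymous and the
        # assertion still holds.
        response = client.get(
            "/api/admin/users",
            headers={"Authorization": "Bearer not-a-valid-token"},
        )
        assert response.status_code in (401, 403)

    def test_create_user_as_admin(self, client, admin_auth_headers):
        """Admin can create a user and receives the generated credentials."""
        unique_email = f"newuser_{uuid.uuid4().hex[:8]}@test.com"
        response = client.post(
            "/api/admin/users",
            headers=admin_auth_headers,
            json={"email": unique_email, "full_name": "New Created User"},
        )
        assert response.status_code == 200
        data = response.json()
        assert data["email"] == unique_email
        assert data["full_name"] == "New Created User"
        # The later TOTP tests address the user by this id.
        assert "id" in data
        # The API returns the initial password and the TOTP seed in the
        # response body. That is a one-time disclosure to the admin; make sure
        # nothing in the test run prints or persists this payload.
        assert "password" in data
        assert data["password"], "generated password must not be empty"
        assert "totp_secret" in data
        assert data["totp_secret"], "TOTP secret must not be empty"

    def test_create_user_as_regular_user(self, client, test_user_auth_headers):
        """A non-admin caller cannot create users."""
        # Unique address so that, should RBAC ever regress, the run does not
        # leave a fixed, well-known account behind.
        unique_email = f"denied_{uuid.uuid4().hex[:8]}@test.com"
        response = client.post(
            "/api/admin/users",
            headers=test_user_auth_headers,
            json={"email": unique_email, "full_name": "New User"},
        )
        assert response.status_code == 403

    def test_create_duplicate_user(self, client, admin_auth_headers):
        """Creating a user whose email already exists fails with 400.

        The test creates the colliding account itself rather than relying on
        a specific pre-existing address, so it is self-contained and keeps
        real mailbox addresses out of the suite.
        """
        unique_email = f"dup_{uuid.uuid4().hex[:8]}@test.com"
        payload = {"email": unique_email, "full_name": "Duplicate User"}
        first = client.post("/api/admin/users", headers=admin_auth_headers, json=payload)
        assert first.status_code == 200
        second = client.post("/api/admin/users", headers=admin_auth_headers, json=payload)
        assert second.status_code == 400
        assert "already registered" in second.json()["detail"].lower()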
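class TestAdminRBAC:
    """Role-based access control on the admin routes.

    The checks are negative: a caller who is not an admin must never receive
    a 2xx from an admin route. Where a route may legitimately be
    unimplemented, 404 is tolerated for that route only — accepting 404
    everywhere would let a missing auth check on an existing route pass.
    """

    def test_admin_panel_requires_admin_role(self, client, test_user_auth_headers):
        """Regular users are denied on every admin GET route."""
        # ``/users`` is known to exist (the management tests rely on it), so
        # anything other than 403 there is an RBAC bug. ``/analytics`` may
        # not be implemented yet (the analytics tests tolerate 404).
        expectations = {
            "/api/admin/users": {403},
            "/api/admin/analytics": {403, 404},
        }
        for endpoint, allowed in expectations.items():
            response = client.get(endpoint, headers=test_user_auth_headers)
            assert response.status_code in allowed, (
                f"Expected one of {sorted(allowed)} for {endpoint}, "
                f"got {response.status_code}"
            )

    def test_admin_panel_requires_authentication(self, client):
        """Anonymous requests are rejected on every admin GET route."""
        expectations = {
            "/api/admin/users": {401},
            "/api/admin/analytics": {401, 404},
        }
        for endpoint, allowed in expectations.items():
            response = client.get(endpoint)
            assert response.status_code in allowed, (
                f"Expected one of {sorted(allowed)} for {endpoint}, "
                f"got {response.status_code}"
            )

    def test_admin_can_access_all_endpoints(self, client, admin_auth_headers):
        """The positive case: an admin is admitted to the user listing.

        Only ``/users`` is asserted here; ``/analytics`` has its own tests
        because it may be absent.
        """
        response = client.get("/api/admin/users", headers=admin_auth_headers)
        assert response.status_code == 200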
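class TestAdminAnalytics:
    """Admin analytics endpoint.

    The route may not be implemented yet. A 404 is reported as a pytest
    *skip* instead of a silent pass, so the suite shows the gap and a later
    regression that makes the route vanish is not hidden behind green.
    """

    ENDPOINT = "/api/admin/analytics"

    def _fetch(self, client, headers):
        """GET the analytics route; skip the calling test if it is absent."""
        response = client.get(self.ENDPOINT, headers=headers)
        if response.status_code == 404:
            pytest.skip(f"{self.ENDPOINT} is not implemented")
        return response

    def test_get_analytics_as_admin(self, client, admin_auth_headers):
        """Admin receives 200 from analytics when the route exists."""
        response = self._fetch(client, admin_auth_headers)
        assert response.status_code == 200

    def test_analytics_contains_usage_data(self, client, admin_auth_headers):
        """Analytics payload is a JSON object (any non-2xx is now a failure)."""
        response = self._fetch(client, admin_auth_headers)
        assert response.status_code == 200
        data = response.json()
        # NOTE(review): the concrete metric keys are not known from this file;
        # tighten this assertion once the response schema is fixed.
        assert isinstance(data, dict)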
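class TestUserTOTPSetup:
    """Access control on the per-user TOTP setup page.

    ``GET /api/admin/users/{id}/totp-setup`` serves the enrolment page for a
    user's second factor. The create endpoint already returns
    ``totp_secret``, so this page is presumed to expose the same seed —
    anyone who can read it can mint valid codes for that user. It therefore
    has to be reachable by administrators only, and these tests pin that.
    """

    def _create_user(self, client, admin_auth_headers, prefix):
        """Create a throwaway user as admin and return its id."""
        email = f"{prefix}_{uuid.uuid4().hex[:8]}@test.com"
        response = client.post(
            "/api/admin/users",
            headers=admin_auth_headers,
            json={"email": email, "full_name": "TOTP Test User"},
        )
        # Fail loudly: guarding the rest of the test with
        # ``if status == 200`` would turn a broken create endpoint into a
        # silent pass.
        assert response.status_code == 200, (
            f"user creation failed with {response.status_code}"
        )
        return response.json()["id"]

    def test_get_user_totp_setup_as_admin(self, client, admin_auth_headers):
        """Admin can retrieve the TOTP setup page for any user."""
        user_id = self._create_user(client, admin_auth_headers, "totptest")
        response = client.get(
            f"/api/admin/users/{user_id}/totp-setup",
            headers=admin_auth_headers,
        )
        assert response.status_code == 200

    def test_get_user_totp_setup_as_regular_user(
        self, client, admin_auth_headers, test_user_auth_headers
    ):
        """A non-admin cannot read another user's TOTP setup page.

        The target is a freshly created account, so this holds even if the
        app lets users view their own enrolment page.
        """
        user_id = self._create_user(client, admin_auth_headers, "totpdeny")
        response = client.get(
            f"/api/admin/users/{user_id}/totp-setup",
            headers=test_user_auth_headers,
        )
        assert response.status_code == 403

    def test_get_user_totp_setup_unauthenticated(self, client, admin_auth_headers):
        """An anonymous request for a TOTP setup page is rejected with 401."""
        user_id = self._create_user(client, admin_auth_headers, "totpanon")
        response = client.get(f"/api/admin/users/{user_id}/totp-setup")
        assert response.status_code == 401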