import pytest from l4d2web.app import create_app from l4d2web.auth import hash_password from l4d2web.db import init_db, session_scope from l4d2web.models import Blueprint, BlueprintOverlay, Overlay, User from l4d2web.services.security import validate_overlay_ref @pytest.fixture def admin_client(tmp_path, monkeypatch): db_url = f"sqlite:///{tmp_path/'admin_overlay.db'}" monkeypatch.setenv("DATABASE_URL", db_url) app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"}) init_db() with session_scope() as session: admin = User(username="admin", password_digest=hash_password("secret"), admin=True) session.add(admin) session.flush() admin_id = admin.id client = app.test_client() with client.session_transaction() as sess: sess["user_id"] = admin_id sess["csrf_token"] = "test-token" return client @pytest.fixture def user_client_with_overlay(tmp_path, monkeypatch): db_url = f"sqlite:///{tmp_path/'user_overlay.db'}" monkeypatch.setenv("DATABASE_URL", db_url) app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"}) init_db() with session_scope() as session: user = User(username="alice", password_digest=hash_password("secret"), admin=False) session.add(user) session.add(Overlay(name="standard", path="standard")) session.flush() user_id = user.id client = app.test_client() with client.session_transaction() as sess: sess["user_id"] = user_id sess["csrf_token"] = "test-token" return client def test_user_can_view_overlay_catalog(user_client_with_overlay) -> None: response = user_client_with_overlay.get("/overlays") text = response.get_data(as_text=True) assert response.status_code == 200 assert "standard" in text assert "Add overlay" not in text def test_admin_can_view_overlay_edit_controls(admin_client) -> None: response = admin_client.get("/overlays") text = response.get_data(as_text=True) assert response.status_code == 200 assert "Add overlay" in text assert 'action="/overlays"' in text def test_admin_can_create_overlay(admin_client) -> None: response = admin_client.post( "/overlays", data={"name": "standard", "path": "standard"}, headers={"X-CSRF-Token": "test-token"}, ) assert response.status_code == 302 assert response.headers["Location"] == "/overlays" def test_overlay_ref_must_be_relative(admin_client) -> None: response = admin_client.post( "/overlays", data={"name": "bad", "path": "/tmp/bad"}, headers={"X-CSRF-Token": "test-token"}, ) assert response.status_code == 400 @pytest.mark.parametrize("overlay_ref", [" standard", "standard ", "a//b", "a/", "./a", "a/.", "."]) def test_overlay_ref_rejects_unsafe_components(overlay_ref: str) -> None: with pytest.raises(ValueError): validate_overlay_ref(overlay_ref) def test_overlay_route_rejects_whitespace_padded_ref(admin_client) -> None: response = admin_client.post( "/overlays", data={"name": "bad", "path": " standard"}, headers={"X-CSRF-Token": "test-token"}, ) assert response.status_code == 400 def test_non_admin_cannot_create_overlay(user_client_with_overlay) -> None: response = user_client_with_overlay.post( "/overlays", data={"name": "bad", "path": "bad"}, headers={"X-CSRF-Token": "test-token"}, ) assert response.status_code == 403 def test_admin_can_update_and_delete_overlay(admin_client) -> None: create = admin_client.post( "/overlays", data={"name": "standard", "path": "standard"}, headers={"X-CSRF-Token": "test-token"}, ) assert create.status_code == 302 update = admin_client.post( "/overlays/1", data={"name": "edited", "path": "edited"}, headers={"X-CSRF-Token": "test-token"}, ) assert update.status_code == 302 delete = admin_client.post( "/overlays/1/delete", headers={"X-CSRF-Token": "test-token"}, ) assert delete.status_code == 302 def test_update_overlay_rejects_duplicate_name(admin_client) -> None: for name in ["standard", "competitive"]: response = admin_client.post( "/overlays", data={"name": name, "path": name}, headers={"X-CSRF-Token": "test-token"}, ) assert response.status_code == 302 response = admin_client.post( "/overlays/2", data={"name": "standard", "path": "competitive"}, headers={"X-CSRF-Token": "test-token"}, ) assert response.status_code == 409 def test_overlay_detail_page_lists_using_blueprints(admin_client) -> None: create = admin_client.post( "/overlays", data={"name": "shared", "path": "shared"}, headers={"X-CSRF-Token": "test-token"}, ) assert create.status_code == 302 with session_scope() as session: admin = session.query(User).filter_by(username="admin").one() bp_one = Blueprint(user_id=admin.id, name="alpha-bp", arguments="[]", config="[]") bp_two = Blueprint(user_id=admin.id, name="beta-bp", arguments="[]", config="[]") session.add_all([bp_one, bp_two]) session.flush() session.add(BlueprintOverlay(blueprint_id=bp_one.id, overlay_id=1, position=0)) session.add(BlueprintOverlay(blueprint_id=bp_two.id, overlay_id=1, position=0)) response = admin_client.get("/overlays/1") text = response.get_data(as_text=True) assert response.status_code == 200 assert "alpha-bp" in text assert "beta-bp" in text assert "Used by" in text def test_overlay_detail_page_404_when_missing(admin_client) -> None: response = admin_client.get("/overlays/999") assert response.status_code == 404 def test_overlay_detail_hides_edit_for_non_admin(user_client_with_overlay) -> None: response = user_client_with_overlay.get("/overlays/1") text = response.get_data(as_text=True) assert response.status_code == 200 assert "standard" in text assert 'action="/overlays/1"' not in text assert "delete-overlay-modal" not in text def test_overlay_update_redirects_to_detail(admin_client) -> None: create = admin_client.post( "/overlays", data={"name": "standard", "path": "standard"}, headers={"X-CSRF-Token": "test-token"}, ) assert create.status_code == 302 response = admin_client.post( "/overlays/1", data={"name": "renamed", "path": "renamed"}, headers={"X-CSRF-Token": "test-token"}, ) assert response.status_code == 302 assert response.headers["Location"] == "/overlays/1" def test_delete_overlay_rejects_in_use_overlay(admin_client) -> None: create = admin_client.post( "/overlays", data={"name": "standard", "path": "standard"}, headers={"X-CSRF-Token": "test-token"}, ) assert create.status_code == 302 with session_scope() as session: user = session.query(User).filter_by(username="admin").one() blueprint = Blueprint(user_id=user.id, name="bp", arguments="[]", config="[]") session.add(blueprint) session.flush() session.add(BlueprintOverlay(blueprint_id=blueprint.id, overlay_id=1, position=0)) response = admin_client.post( "/overlays/1/delete", headers={"X-CSRF-Token": "test-token"}, ) assert response.status_code == 409