left4me/l4d2web/tests/test_overlays.py

import pytest
from l4d2web.app import create_app
from l4d2web.auth import hash_password
from l4d2web.db import init_db, session_scope
from l4d2web.models import Blueprint, BlueprintOverlay, Overlay, User
from l4d2web.services.security import validate_overlay_ref


@pytest.fixture
def admin_client(tmp_path, monkeypatch):
    db_url = f"sqlite:///{tmp_path/'admin_overlay.db'}"
    monkeypatch.setenv("DATABASE_URL", db_url)
    app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"})
    init_db()

    with session_scope() as session:
        admin = User(username="admin", password_digest=hash_password("secret"), admin=True)
        session.add(admin)
        session.flush()
        admin_id = admin.id

    client = app.test_client()
    with client.session_transaction() as sess:
        sess["user_id"] = admin_id
        sess["csrf_token"] = "test-token"
    return client


@pytest.fixture
def user_client_with_overlay(tmp_path, monkeypatch):
    db_url = f"sqlite:///{tmp_path/'user_overlay.db'}"
    monkeypatch.setenv("DATABASE_URL", db_url)
    app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"})
    init_db()

    with session_scope() as session:
        user = User(username="alice", password_digest=hash_password("secret"), admin=False)
        session.add(user)
        session.add(Overlay(name="standard", path="standard"))
        session.flush()
        user_id = user.id

    client = app.test_client()
    with client.session_transaction() as sess:
        sess["user_id"] = user_id
        sess["csrf_token"] = "test-token"
    return client


def test_user_can_view_overlay_catalog(user_client_with_overlay) -> None:
    response = user_client_with_overlay.get("/overlays")
    text = response.get_data(as_text=True)

    assert response.status_code == 200
    assert "standard" in text
    assert "Add overlay" not in text


def test_admin_can_view_overlay_edit_controls(admin_client) -> None:
    response = admin_client.get("/overlays")
    text = response.get_data(as_text=True)

    assert response.status_code == 200
    assert "Add overlay" in text
    assert 'action="/overlays"' in text


def test_admin_can_create_overlay(admin_client) -> None:
    response = admin_client.post(
        "/overlays",
        data={"name": "standard", "path": "standard"},
        headers={"X-CSRF-Token": "test-token"},
    )
    assert response.status_code == 302
    assert response.headers["Location"] == "/overlays"


def test_overlay_ref_must_be_relative(admin_client) -> None:
    response = admin_client.post(
        "/overlays",
        data={"name": "bad", "path": "/tmp/bad"},
        headers={"X-CSRF-Token": "test-token"},
    )
    assert response.status_code == 400


@pytest.mark.parametrize("overlay_ref", [" standard", "standard ", "a//b", "a/", "./a", "a/.", "."])
def test_overlay_ref_rejects_unsafe_components(overlay_ref: str) -> None:
    with pytest.raises(ValueError):
        validate_overlay_ref(overlay_ref)


def test_overlay_route_rejects_whitespace_padded_ref(admin_client) -> None:
    response = admin_client.post(
        "/overlays",
        data={"name": "bad", "path": " standard"},
        headers={"X-CSRF-Token": "test-token"},
    )
    assert response.status_code == 400


def test_non_admin_cannot_create_overlay(user_client_with_overlay) -> None:
    response = user_client_with_overlay.post(
        "/overlays",
        data={"name": "bad", "path": "bad"},
        headers={"X-CSRF-Token": "test-token"},
    )
    assert response.status_code == 403


def test_admin_can_update_and_delete_overlay(admin_client) -> None:
    create = admin_client.post(
        "/overlays",
        data={"name": "standard", "path": "standard"},
        headers={"X-CSRF-Token": "test-token"},
    )
    assert create.status_code == 302

    update = admin_client.post(
        "/overlays/1",
        data={"name": "edited", "path": "edited"},
        headers={"X-CSRF-Token": "test-token"},
    )
    assert update.status_code == 302

    delete = admin_client.post(
        "/overlays/1/delete",
        headers={"X-CSRF-Token": "test-token"},
    )
    assert delete.status_code == 302


def test_update_overlay_rejects_duplicate_name(admin_client) -> None:
    for name in ["standard", "competitive"]:
        response = admin_client.post(
            "/overlays",
            data={"name": name, "path": name},
            headers={"X-CSRF-Token": "test-token"},
        )
        assert response.status_code == 302

    response = admin_client.post(
        "/overlays/2",
        data={"name": "standard", "path": "competitive"},
        headers={"X-CSRF-Token": "test-token"},
    )

    assert response.status_code == 409


def test_delete_overlay_rejects_in_use_overlay(admin_client) -> None:
    create = admin_client.post(
        "/overlays",
        data={"name": "standard", "path": "standard"},
        headers={"X-CSRF-Token": "test-token"},
    )
    assert create.status_code == 302

    with session_scope() as session:
        user = session.query(User).filter_by(username="admin").one()
        blueprint = Blueprint(user_id=user.id, name="bp", arguments="[]", config="[]")
        session.add(blueprint)
        session.flush()
        session.add(BlueprintOverlay(blueprint_id=blueprint.id, overlay_id=1, position=0))

    response = admin_client.post(
        "/overlays/1/delete",
        headers={"X-CSRF-Token": "test-token"},
    )

    assert response.status_code == 409