Refactor config loading and add status code docs

- Move config loading to dedicated ConfigLoader class with validation - Add DATABASE_MIGRATIONS.md content to TROUBLESHOOTING.md - Add API_STATUS_CODES.md documenting all API response codes - Update runner.csx to use new config structure - Add check_responses.py validation script - Update config tests for new structure Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-03 11:52:01 +02:00
parent 8f26776bb3
commit 7b93499551
9 changed files with 1249 additions and 415 deletions
--- a/backend/tests/test_config.py
+++ b/backend/tests/test_config.py
@@ -1,57 +1,59 @@
 """Unit tests for application configuration and validation."""

+import os
+import tempfile
+
 import pytest
 from pydantic import ValidationError

 from app.config import Settings

+# Module-level temp dir for tests that need real existing directories.
+_test_tmpdir = tempfile.mkdtemp()
+
+
+def _minimal_settings(**overrides: object) -> Settings:
+    """Create a Settings with valid defaults for unit tests.
+
+    Uses _test_tmpdir (module-level) for paths that require existing directories.
+    """
+    defaults = {
+        "database_path": os.path.join(_test_tmpdir, "test.db"),
+        "fail2ban_socket": "/tmp/fake_fail2ban.sock",
+        "fail2ban_config_dir": _test_tmpdir,
+        "session_secret": "test-secret-key-do-not-use-in-production",
+    }
+    defaults.update(overrides)  # type: ignore[arg-type]
+    return Settings(**defaults)  # type: ignore[arg-type]
+
+
+# ---------------------------------------------------------------------------
+# fail2ban_start_command validation tests
+# ---------------------------------------------------------------------------
+

 def test_fail2ban_start_command_validates_simple_command() -> None:
    """Simple fail2ban commands without special characters are accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="test-secret-key-do-not-use-in-production",
-        fail2ban_start_command="fail2ban-client start",
-    )
+    settings = _minimal_settings(fail2ban_start_command="fail2ban-client start")
    assert settings.fail2ban_start_command == "fail2ban-client start"


 def test_fail2ban_start_command_validates_systemctl_command() -> None:
    """systemctl commands are accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="test-secret-key-do-not-use-in-production",
-        fail2ban_start_command="systemctl start fail2ban",
-    )
+    settings = _minimal_settings(fail2ban_start_command="systemctl start fail2ban")
    assert settings.fail2ban_start_command == "systemctl start fail2ban"


 def test_fail2ban_start_command_accepts_quoted_paths() -> None:
    """Commands with quoted paths containing spaces are accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="test-secret-key-do-not-use-in-production",
-        fail2ban_start_command='"/opt/my tools/fail2ban-client" start',
-    )
+    settings = _minimal_settings(fail2ban_start_command='"/opt/my tools/fail2ban-client" start')
    assert settings.fail2ban_start_command == '"/opt/my tools/fail2ban-client" start'


 def test_fail2ban_start_command_rejects_mismatched_quotes() -> None:
    """Commands with mismatched quotes raise ValidationError."""
    with pytest.raises(ValidationError) as exc_info:
-        Settings(
-            database_path="/tmp/test.db",
-            fail2ban_socket="/tmp/fake_fail2ban.sock",
-            fail2ban_config_dir="/tmp/fail2ban",
-            session_secret="test-secret-key-do-not-use-in-production",
-            fail2ban_start_command='"/opt/my tools/fail2ban-client start',
-        )
+        _minimal_settings(fail2ban_start_command='"/opt/my tools/fail2ban-client start')
    error_msg = str(exc_info.value)
    assert "fail2ban_start_command" in error_msg
    assert "mismatched quotes" in error_msg or "No closing quotation" in error_msg
@@ -61,62 +63,38 @@ def test_fail2ban_start_command_error_includes_problematic_value() -> None:
    """Validation errors include the problematic command value."""
    problematic_command = '"/opt/broken start'
    with pytest.raises(ValidationError) as exc_info:
-        Settings(
-            database_path="/tmp/test.db",
-            fail2ban_socket="/tmp/fake_fail2ban.sock",
-            fail2ban_config_dir="/tmp/fail2ban",
-            session_secret="test-secret-key-do-not-use-in-production",
-            fail2ban_start_command=problematic_command,
-        )
+        _minimal_settings(fail2ban_start_command=problematic_command)
    error_msg = str(exc_info.value)
    assert problematic_command in error_msg


 def test_fail2ban_start_command_default_value_is_valid() -> None:
    """The default fail2ban_start_command value is valid and parseable."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="test-secret-key-do-not-use-in-production",
-    )
+    settings = _minimal_settings()
    assert settings.fail2ban_start_command == "fail2ban-client start"


 def test_fail2ban_start_command_single_quoted() -> None:
    """Commands with single quotes are accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="test-secret-key-do-not-use-in-production",
-        fail2ban_start_command="'/usr/bin/fail2ban-client' start",
-    )
+    settings = _minimal_settings(fail2ban_start_command="'/usr/bin/fail2ban-client' start")
    assert settings.fail2ban_start_command == "'/usr/bin/fail2ban-client' start"


 def test_fail2ban_start_command_multiple_arguments() -> None:
    """Commands with multiple arguments are accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="test-secret-key-do-not-use-in-production",
-        fail2ban_start_command="fail2ban-client -c /etc/fail2ban start",
-    )
+    settings = _minimal_settings(fail2ban_start_command="fail2ban-client -c /etc/fail2ban start")
    assert settings.fail2ban_start_command == "fail2ban-client -c /etc/fail2ban start"


+# ---------------------------------------------------------------------------
+# session_secret validation tests
+# ---------------------------------------------------------------------------
+
+
 def test_session_secret_enforces_minimum_length() -> None:
    """session_secret must be at least 32 characters."""
-    # Test with a secret shorter than 32 characters
    with pytest.raises(ValidationError) as exc_info:
-        Settings(
-            database_path="/tmp/test.db",
-            fail2ban_socket="/tmp/fake_fail2ban.sock",
-            fail2ban_config_dir="/tmp/fail2ban",
-            session_secret="short-secret",
-        )
+        _minimal_settings(session_secret="short-secret")
    error_msg = str(exc_info.value)
    assert "session_secret" in error_msg
    assert "32" in error_msg or "at least" in error_msg
@@ -124,42 +102,149 @@ def test_session_secret_enforces_minimum_length() -> None:

 def test_session_secret_accepts_32_characters() -> None:
    """session_secret with exactly 32 characters is accepted."""
-    secret_32 = "a" * 32  # Exactly 32 characters
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret=secret_32,
-    )
+    secret_32 = "a" * 32
+    settings = _minimal_settings(session_secret=secret_32)
    assert settings.session_secret == secret_32


 def test_session_secret_accepts_longer_than_32() -> None:
    """session_secret with more than 32 characters is accepted."""
-    secret_64 = "b" * 64  # 64 characters
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret=secret_64,
-    )
+    secret_64 = "b" * 64
+    settings = _minimal_settings(session_secret=secret_64)
    assert settings.session_secret == secret_64


 def test_session_secret_error_message_includes_guidance() -> None:
    """Validation error for short session_secret includes secret generation guidance."""
    with pytest.raises(ValidationError) as exc_info:
-        Settings(
-            database_path="/tmp/test.db",
-            fail2ban_socket="/tmp/fake_fail2ban.sock",
-            fail2ban_config_dir="/tmp/fail2ban",
-            session_secret="too-short",
-        )
+        _minimal_settings(session_secret="too-short")
    error_msg = str(exc_info.value)
-    # Verify the error mentions the constraint
    assert "session_secret" in error_msg


+def test_session_secret_rejects_weak_secrets() -> None:
+    """Common weak words in session_secret are rejected."""
+    with pytest.raises(ValidationError) as exc_info:
+        _minimal_settings(session_secret="password1234567890123456789012345")
+    error_msg = str(exc_info.value)
+    assert "too weak" in error_msg or "weak" in error_msg
+
+
+# ---------------------------------------------------------------------------
+# database_path validation tests
+# ---------------------------------------------------------------------------
+
+
+def test_database_path_parent_must_exist() -> None:
+    """database_path parent directory must exist."""
+    with pytest.raises(ValidationError) as exc_info:
+        _minimal_settings(database_path="/nonexistent/parent/test.db")
+    error_msg = str(exc_info.value)
+    assert "parent directory does not exist" in error_msg
+
+
+def test_database_path_parent_must_be_writable() -> None:
+    """database_path parent directory must be writable."""
+    with tempfile.TemporaryDirectory() as tmpdir:
+        # Create a read-only directory
+        readonly_dir = os.path.join(tmpdir, "readonly")
+        os.makedirs(readonly_dir, exist_ok=True)
+        os.chmod(readonly_dir, 0o555)
+
+        try:
+            with pytest.raises(ValidationError) as exc_info:
+                _minimal_settings(database_path=os.path.join(readonly_dir, "test.db"))
+            error_msg = str(exc_info.value)
+            assert "not writable" in error_msg
+        finally:
+            os.chmod(readonly_dir, 0o755)
+
+
+def test_database_path_with_existing_writable_parent_is_accepted() -> None:
+    """database_path with existing writable parent is accepted."""
+    with tempfile.TemporaryDirectory() as tmpdir:
+        settings = _minimal_settings(database_path=os.path.join(tmpdir, "test.db"))
+        assert settings.database_path == os.path.join(tmpdir, "test.db")
+
+
+# ---------------------------------------------------------------------------
+# fail2ban_socket validation tests
+# ---------------------------------------------------------------------------
+
+
+def test_fail2ban_socket_nonexistent_is_accepted() -> None:
+    """fail2ban_socket path that doesn't exist yet is accepted (deferred creation)."""
+    settings = _minimal_settings(fail2ban_socket="/nonexistent/socket.sock")
+    assert settings.fail2ban_socket == "/nonexistent/socket.sock"
+
+
+def test_fail2ban_socket_existing_must_be_readable() -> None:
+    """fail2ban_socket that exists must be readable."""
+    with tempfile.NamedTemporaryFile() as f:
+        # Make it unreadable
+        os.chmod(f.name, 0o000)
+        try:
+            with pytest.raises(ValidationError) as exc_info:
+                _minimal_settings(fail2ban_socket=f.name)
+            error_msg = str(exc_info.value)
+            assert "not readable" in error_msg
+        finally:
+            os.chmod(f.name, 0o644)
+
+
+def test_fail2ban_socket_existing_readable_is_accepted() -> None:
+    """fail2ban_socket that exists and is readable is accepted."""
+    with tempfile.NamedTemporaryFile() as f:
+        settings = _minimal_settings(fail2ban_socket=f.name)
+        assert settings.fail2ban_socket == f.name
+
+
+# ---------------------------------------------------------------------------
+# geoip_db_path validation tests
+# ---------------------------------------------------------------------------
+
+
+def test_geoip_db_path_none_is_accepted() -> None:
+    """geoip_db_path set to None is accepted."""
+    settings = _minimal_settings(geoip_db_path=None)
+    assert settings.geoip_db_path is None
+
+
+def test_geoip_db_path_nonexistent_is_rejected() -> None:
+    """geoip_db_path that doesn't exist is rejected."""
+    with pytest.raises(ValidationError) as exc_info:
+        _minimal_settings(geoip_db_path="/nonexistent/GeoLite2-Country.mmdb")
+    error_msg = str(exc_info.value)
+    assert "does not exist" in error_msg
+
+
+def test_geoip_db_path_existing_is_accepted() -> None:
+    """geoip_db_path that exists is accepted."""
+    with tempfile.NamedTemporaryFile() as f:
+        settings = _minimal_settings(geoip_db_path=f.name)
+        assert settings.geoip_db_path == f.name
+
+
+# ---------------------------------------------------------------------------
+# fail2ban_config_dir validation tests
+# ---------------------------------------------------------------------------
+
+
+def test_fail2ban_config_dir_nonexistent_is_rejected() -> None:
+    """fail2ban_config_dir that doesn't exist is rejected."""
+    with pytest.raises(ValidationError) as exc_info:
+        _minimal_settings(fail2ban_config_dir="/nonexistent/fail2ban/config")
+    error_msg = str(exc_info.value)
+    assert "does not exist" in error_msg
+
+
+def test_fail2ban_config_dir_existing_is_accepted() -> None:
+    """fail2ban_config_dir that exists is accepted."""
+    with tempfile.TemporaryDirectory() as tmpdir:
+        settings = _minimal_settings(fail2ban_config_dir=tmpdir)
+        assert settings.fail2ban_config_dir == tmpdir
+
+
 # ---------------------------------------------------------------------------
 # trusted_proxies configuration tests
 # ---------------------------------------------------------------------------
@@ -167,85 +252,44 @@ def test_session_secret_error_message_includes_guidance() -> None:

 def test_trusted_proxies_default_is_empty_list() -> None:
    """By default, trusted_proxies is an empty list (no trusted proxies)."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="a" * 32,
-    )
+    settings = _minimal_settings()
    assert settings.trusted_proxies == []


 def test_trusted_proxies_accepts_single_ip() -> None:
    """Single IP address is accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="a" * 32,
-        trusted_proxies="192.168.1.1",
-    )
+    settings = _minimal_settings(trusted_proxies="192.168.1.1")
    assert settings.trusted_proxies == ["192.168.1.1"]


 def test_trusted_proxies_accepts_single_cidr() -> None:
    """Single CIDR range is accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="a" * 32,
-        trusted_proxies="10.0.0.0/8",
-    )
+    settings = _minimal_settings(trusted_proxies="10.0.0.0/8")
    assert settings.trusted_proxies == ["10.0.0.0/8"]


 def test_trusted_proxies_accepts_comma_separated_list() -> None:
    """Comma-separated list of IPs and CIDRs is accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="a" * 32,
-        trusted_proxies="192.168.1.1,10.0.0.0/8,172.16.0.0/12",
-    )
+    settings = _minimal_settings(trusted_proxies="192.168.1.1,10.0.0.0/8,172.16.0.0/12")
    assert settings.trusted_proxies == ["192.168.1.1", "10.0.0.0/8", "172.16.0.0/12"]


 def test_trusted_proxies_accepts_list() -> None:
    """List of IPs and CIDRs is accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="a" * 32,
-        trusted_proxies=["192.168.1.1", "10.0.0.0/8"],
-    )
+    settings = _minimal_settings(trusted_proxies=["192.168.1.1", "10.0.0.0/8"])
    assert settings.trusted_proxies == ["192.168.1.1", "10.0.0.0/8"]


 def test_trusted_proxies_strips_whitespace() -> None:
    """Whitespace around IPs is stripped."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="a" * 32,
-        trusted_proxies="  192.168.1.1  ,  10.0.0.0/8  ",
-    )
+    settings = _minimal_settings(trusted_proxies="  192.168.1.1  ,  10.0.0.0/8  ")
    assert settings.trusted_proxies == ["192.168.1.1", "10.0.0.0/8"]


 def test_trusted_proxies_rejects_invalid_ip() -> None:
    """Invalid IP address is rejected."""
    with pytest.raises(ValidationError) as exc_info:
-        Settings(
-            database_path="/tmp/test.db",
-            fail2ban_socket="/tmp/fake_fail2ban.sock",
-            fail2ban_config_dir="/tmp/fail2ban",
-            session_secret="a" * 32,
-            trusted_proxies="not-an-ip",
-        )
+        _minimal_settings(trusted_proxies="not-an-ip")
    error_msg = str(exc_info.value)
    assert "trusted_proxies" in error_msg or "Invalid IP" in error_msg

@@ -253,13 +297,7 @@ def test_trusted_proxies_rejects_invalid_ip() -> None:
 def test_trusted_proxies_rejects_invalid_cidr() -> None:
    """Invalid CIDR range is rejected."""
    with pytest.raises(ValidationError) as exc_info:
-        Settings(
-            database_path="/tmp/test.db",
-            fail2ban_socket="/tmp/fake_fail2ban.sock",
-            fail2ban_config_dir="/tmp/fail2ban",
-            session_secret="a" * 32,
-            trusted_proxies="10.0.0.0/33",  # Invalid - /33 is out of range for IPv4
-        )
+        _minimal_settings(trusted_proxies="10.0.0.0/33")
    error_msg = str(exc_info.value)
    assert "trusted_proxies" in error_msg or "Invalid IP" in error_msg

@@ -267,48 +305,24 @@ def test_trusted_proxies_rejects_invalid_cidr() -> None:
 def test_trusted_proxies_rejects_one_invalid_in_list() -> None:
    """One invalid IP in a list causes entire list to be rejected."""
    with pytest.raises(ValidationError) as exc_info:
-        Settings(
-            database_path="/tmp/test.db",
-            fail2ban_socket="/tmp/fake_fail2ban.sock",
-            fail2ban_config_dir="/tmp/fail2ban",
-            session_secret="a" * 32,
-            trusted_proxies="192.168.1.1,invalid-ip,10.0.0.0/8",
-        )
+        _minimal_settings(trusted_proxies="192.168.1.1,invalid-ip,10.0.0.0/8")
    error_msg = str(exc_info.value)
    assert "trusted_proxies" in error_msg or "Invalid IP" in error_msg


 def test_trusted_proxies_accepts_ipv6_address() -> None:
    """IPv6 address is accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="a" * 32,
-        trusted_proxies="2001:db8::1",
-    )
+    settings = _minimal_settings(trusted_proxies="2001:db8::1")
    assert settings.trusted_proxies == ["2001:db8::1"]


 def test_trusted_proxies_accepts_ipv6_cidr() -> None:
    """IPv6 CIDR range is accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="a" * 32,
-        trusted_proxies="2001:db8::/32",
-    )
+    settings = _minimal_settings(trusted_proxies="2001:db8::/32")
    assert settings.trusted_proxies == ["2001:db8::/32"]


 def test_trusted_proxies_accepts_mixed_ipv4_and_ipv6() -> None:
    """Mixed IPv4 and IPv6 addresses and ranges are accepted."""
-    settings = Settings(
-        database_path="/tmp/test.db",
-        fail2ban_socket="/tmp/fake_fail2ban.sock",
-        fail2ban_config_dir="/tmp/fail2ban",
-        session_secret="a" * 32,
-        trusted_proxies="192.168.1.0/24,2001:db8::/32,10.0.0.1",
-    )
+    settings = _minimal_settings(trusted_proxies="192.168.1.0/24,2001:db8::/32,10.0.0.1")
    assert settings.trusted_proxies == ["192.168.1.0/24", "2001:db8::/32", "10.0.0.1"]