"""Unit tests for application configuration and validation.""" import os import tempfile import pytest from pydantic import ValidationError from app.config import Settings # Module-level temp dir for tests that need real existing directories. _test_tmpdir = tempfile.mkdtemp() def _minimal_settings(**overrides: object) -> Settings: """Create a Settings with valid defaults for unit tests. Uses _test_tmpdir (module-level) for paths that require existing directories. """ defaults = { "database_path": os.path.join(_test_tmpdir, "test.db"), "fail2ban_socket": "/tmp/fake_fail2ban.sock", "fail2ban_config_dir": _test_tmpdir, "session_secret": "test-secret-key-do-not-use-in-production", } defaults.update(overrides) # type: ignore[arg-type] return Settings(**defaults) # type: ignore[arg-type] # --------------------------------------------------------------------------- # fail2ban_start_command validation tests # --------------------------------------------------------------------------- def test_fail2ban_start_command_validates_simple_command() -> None: """Simple fail2ban commands without special characters are accepted.""" settings = _minimal_settings(fail2ban_start_command="fail2ban-client start") assert settings.fail2ban_start_command == "fail2ban-client start" def test_fail2ban_start_command_validates_systemctl_command() -> None: """systemctl commands are accepted.""" settings = _minimal_settings(fail2ban_start_command="systemctl start fail2ban") assert settings.fail2ban_start_command == "systemctl start fail2ban" def test_fail2ban_start_command_accepts_quoted_paths() -> None: """Commands with quoted paths containing spaces are accepted.""" settings = _minimal_settings(fail2ban_start_command='"/opt/my tools/fail2ban-client" start') assert settings.fail2ban_start_command == '"/opt/my tools/fail2ban-client" start' def test_fail2ban_start_command_rejects_mismatched_quotes() -> None: """Commands with mismatched quotes raise ValidationError.""" with pytest.raises(ValidationError) as exc_info: _minimal_settings(fail2ban_start_command='"/opt/my tools/fail2ban-client start') error_msg = str(exc_info.value) assert "fail2ban_start_command" in error_msg assert "mismatched quotes" in error_msg or "No closing quotation" in error_msg def test_fail2ban_start_command_error_includes_problematic_value() -> None: """Validation errors include the problematic command value.""" problematic_command = '"/opt/broken start' with pytest.raises(ValidationError) as exc_info: _minimal_settings(fail2ban_start_command=problematic_command) error_msg = str(exc_info.value) assert problematic_command in error_msg def test_fail2ban_start_command_default_value_is_valid() -> None: """The default fail2ban_start_command value is valid and parseable.""" settings = _minimal_settings() assert settings.fail2ban_start_command == "fail2ban-client start" def test_fail2ban_start_command_single_quoted() -> None: """Commands with single quotes are accepted.""" settings = _minimal_settings(fail2ban_start_command="'/usr/bin/fail2ban-client' start") assert settings.fail2ban_start_command == "'/usr/bin/fail2ban-client' start" def test_fail2ban_start_command_multiple_arguments() -> None: """Commands with multiple arguments are accepted.""" settings = _minimal_settings(fail2ban_start_command="fail2ban-client -c /etc/fail2ban start") assert settings.fail2ban_start_command == "fail2ban-client -c /etc/fail2ban start" # --------------------------------------------------------------------------- # session_secret validation tests # --------------------------------------------------------------------------- def test_session_secret_enforces_minimum_length() -> None: """session_secret must be at least 32 characters.""" with pytest.raises(ValidationError) as exc_info: _minimal_settings(session_secret="short-secret") error_msg = str(exc_info.value) assert "session_secret" in error_msg assert "32" in error_msg or "at least" in error_msg def test_session_secret_accepts_32_characters() -> None: """session_secret with exactly 32 characters is accepted.""" secret_32 = "a" * 32 settings = _minimal_settings(session_secret=secret_32) assert settings.session_secret == secret_32 def test_session_secret_accepts_longer_than_32() -> None: """session_secret with more than 32 characters is accepted.""" secret_64 = "b" * 64 settings = _minimal_settings(session_secret=secret_64) assert settings.session_secret == secret_64 def test_session_secret_error_message_includes_guidance() -> None: """Validation error for short session_secret includes secret generation guidance.""" with pytest.raises(ValidationError) as exc_info: _minimal_settings(session_secret="too-short") error_msg = str(exc_info.value) assert "session_secret" in error_msg def test_session_secret_rejects_weak_secrets() -> None: """Common weak words in session_secret are rejected.""" with pytest.raises(ValidationError) as exc_info: _minimal_settings(session_secret="password1234567890123456789012345") error_msg = str(exc_info.value) assert "too weak" in error_msg or "weak" in error_msg # --------------------------------------------------------------------------- # database_path validation tests # --------------------------------------------------------------------------- def test_database_path_parent_must_exist() -> None: """database_path parent directory must exist.""" with pytest.raises(ValidationError) as exc_info: _minimal_settings(database_path="/nonexistent/parent/test.db") error_msg = str(exc_info.value) assert "parent directory does not exist" in error_msg def test_database_path_parent_must_be_writable() -> None: """database_path parent directory must be writable.""" with tempfile.TemporaryDirectory() as tmpdir: # Create a read-only directory readonly_dir = os.path.join(tmpdir, "readonly") os.makedirs(readonly_dir, exist_ok=True) os.chmod(readonly_dir, 0o555) try: with pytest.raises(ValidationError) as exc_info: _minimal_settings(database_path=os.path.join(readonly_dir, "test.db")) error_msg = str(exc_info.value) assert "not writable" in error_msg finally: os.chmod(readonly_dir, 0o755) def test_database_path_with_existing_writable_parent_is_accepted() -> None: """database_path with existing writable parent is accepted.""" with tempfile.TemporaryDirectory() as tmpdir: settings = _minimal_settings(database_path=os.path.join(tmpdir, "test.db")) assert settings.database_path == os.path.join(tmpdir, "test.db") # --------------------------------------------------------------------------- # fail2ban_socket validation tests # --------------------------------------------------------------------------- def test_fail2ban_socket_nonexistent_is_accepted() -> None: """fail2ban_socket path that doesn't exist yet is accepted (deferred creation).""" settings = _minimal_settings(fail2ban_socket="/nonexistent/socket.sock") assert settings.fail2ban_socket == "/nonexistent/socket.sock" def test_fail2ban_socket_existing_must_be_readable() -> None: """fail2ban_socket that exists must be readable.""" with tempfile.NamedTemporaryFile() as f: # Make it unreadable os.chmod(f.name, 0o000) try: with pytest.raises(ValidationError) as exc_info: _minimal_settings(fail2ban_socket=f.name) error_msg = str(exc_info.value) assert "not readable" in error_msg finally: os.chmod(f.name, 0o644) def test_fail2ban_socket_existing_readable_is_accepted() -> None: """fail2ban_socket that exists and is readable is accepted.""" with tempfile.NamedTemporaryFile() as f: settings = _minimal_settings(fail2ban_socket=f.name) assert settings.fail2ban_socket == f.name # --------------------------------------------------------------------------- # geoip_db_path validation tests # --------------------------------------------------------------------------- def test_geoip_db_path_none_is_accepted() -> None: """geoip_db_path set to None is accepted.""" settings = _minimal_settings(geoip_db_path=None) assert settings.geoip_db_path is None def test_geoip_db_path_nonexistent_is_rejected() -> None: """geoip_db_path that doesn't exist is rejected.""" with pytest.raises(ValidationError) as exc_info: _minimal_settings(geoip_db_path="/nonexistent/GeoLite2-Country.mmdb") error_msg = str(exc_info.value) assert "does not exist" in error_msg def test_geoip_db_path_existing_is_accepted() -> None: """geoip_db_path that exists is accepted.""" with tempfile.NamedTemporaryFile() as f: settings = _minimal_settings(geoip_db_path=f.name) assert settings.geoip_db_path == f.name # --------------------------------------------------------------------------- # fail2ban_config_dir validation tests # --------------------------------------------------------------------------- def test_fail2ban_config_dir_nonexistent_is_rejected() -> None: """fail2ban_config_dir that doesn't exist is rejected.""" with pytest.raises(ValidationError) as exc_info: _minimal_settings(fail2ban_config_dir="/nonexistent/fail2ban/config") error_msg = str(exc_info.value) assert "does not exist" in error_msg def test_fail2ban_config_dir_existing_is_accepted() -> None: """fail2ban_config_dir that exists is accepted.""" with tempfile.TemporaryDirectory() as tmpdir: settings = _minimal_settings(fail2ban_config_dir=tmpdir) assert settings.fail2ban_config_dir == tmpdir # --------------------------------------------------------------------------- # trusted_proxies configuration tests # --------------------------------------------------------------------------- def test_trusted_proxies_default_is_empty_list() -> None: """By default, trusted_proxies is an empty list (no trusted proxies).""" settings = _minimal_settings() assert settings.trusted_proxies == [] def test_trusted_proxies_accepts_single_ip() -> None: """Single IP address is accepted.""" settings = _minimal_settings(trusted_proxies="192.168.1.1") assert settings.trusted_proxies == ["192.168.1.1"] def test_trusted_proxies_accepts_single_cidr() -> None: """Single CIDR range is accepted.""" settings = _minimal_settings(trusted_proxies="10.0.0.0/8") assert settings.trusted_proxies == ["10.0.0.0/8"] def test_trusted_proxies_accepts_comma_separated_list() -> None: """Comma-separated list of IPs and CIDRs is accepted.""" settings = _minimal_settings(trusted_proxies="192.168.1.1,10.0.0.0/8,172.16.0.0/12") assert settings.trusted_proxies == ["192.168.1.1", "10.0.0.0/8", "172.16.0.0/12"] def test_trusted_proxies_accepts_list() -> None: """List of IPs and CIDRs is accepted.""" settings = _minimal_settings(trusted_proxies=["192.168.1.1", "10.0.0.0/8"]) assert settings.trusted_proxies == ["192.168.1.1", "10.0.0.0/8"] def test_trusted_proxies_strips_whitespace() -> None: """Whitespace around IPs is stripped.""" settings = _minimal_settings(trusted_proxies=" 192.168.1.1 , 10.0.0.0/8 ") assert settings.trusted_proxies == ["192.168.1.1", "10.0.0.0/8"] def test_trusted_proxies_rejects_invalid_ip() -> None: """Invalid IP address is rejected.""" with pytest.raises(ValidationError) as exc_info: _minimal_settings(trusted_proxies="not-an-ip") error_msg = str(exc_info.value) assert "trusted_proxies" in error_msg or "Invalid IP" in error_msg def test_trusted_proxies_rejects_invalid_cidr() -> None: """Invalid CIDR range is rejected.""" with pytest.raises(ValidationError) as exc_info: _minimal_settings(trusted_proxies="10.0.0.0/33") error_msg = str(exc_info.value) assert "trusted_proxies" in error_msg or "Invalid IP" in error_msg def test_trusted_proxies_rejects_one_invalid_in_list() -> None: """One invalid IP in a list causes entire list to be rejected.""" with pytest.raises(ValidationError) as exc_info: _minimal_settings(trusted_proxies="192.168.1.1,invalid-ip,10.0.0.0/8") error_msg = str(exc_info.value) assert "trusted_proxies" in error_msg or "Invalid IP" in error_msg def test_trusted_proxies_accepts_ipv6_address() -> None: """IPv6 address is accepted.""" settings = _minimal_settings(trusted_proxies="2001:db8::1") assert settings.trusted_proxies == ["2001:db8::1"] def test_trusted_proxies_accepts_ipv6_cidr() -> None: """IPv6 CIDR range is accepted.""" settings = _minimal_settings(trusted_proxies="2001:db8::/32") assert settings.trusted_proxies == ["2001:db8::/32"] def test_trusted_proxies_accepts_mixed_ipv4_and_ipv6() -> None: """Mixed IPv4 and IPv6 addresses and ranges are accepted.""" settings = _minimal_settings(trusted_proxies="192.168.1.0/24,2001:db8::/32,10.0.0.1") assert settings.trusted_proxies == ["192.168.1.0/24", "2001:db8::/32", "10.0.0.1"]