@oculum/scanner 1.0.14 → 1.0.15

package/src/__tests__/context-engine/route-discovery/python.test.ts

@@ -1,4 +1,51 @@
 import { extractPythonRoutes } from '../../../model/route-discovery/python'
+import { extractPythonBlock } from '../../../model/route-discovery/utils'
+import { resolveRouteAuth } from '../../../model/route-auth-resolver'
+import type { RouteMap, RouteDefinition, MountPoint } from '../../../model/route-discovery'
+import type { MiddlewareAuthConfig } from '../../../model/middleware-detector'
+import type { ScanFile } from '../../../shared/types'
+
+// ============================================================================
+// Helpers
+// ============================================================================
+
+function makeRoute(overrides: Partial<RouteDefinition>): RouteDefinition {
+  return {
+    filePath: 'app.py',
+    methods: ['GET'],
+    path: '/api/test',
+    handler: 'test_handler',
+    handlerLine: 5,
+    framework: 'flask',
+    authMiddleware: [],
+    rateLimiting: false,
+    isPublic: false,
+    inputs: [],
+    ...overrides,
+  }
+}
+
+function makeRouteMap(routes: RouteDefinition[]): RouteMap {
+  const fileToRoutes = new Map<string, RouteDefinition[]>()
+  for (const r of routes) {
+    const existing = fileToRoutes.get(r.filePath) || []
+    existing.push(r)
+    fileToRoutes.set(r.filePath, existing)
+  }
+  return { routes, fileToRoutes }
+}
+
+const emptyMiddlewareConfig: MiddlewareAuthConfig = {
+  hasAuthMiddleware: false,
+  protectedPaths: [],
+  publicPaths: [],
+  matchers: [],
+  context: { usesAuthProtect: false, usesGetToken: false, usesSession: false, hasPublicRoutes: false },
+}
+
+// ============================================================================
+// Flask Routes (existing + new auth tests)
+// ============================================================================
 
 describe('Python Route Extractor', () => {
   describe('Flask routes', () => {
@@ -67,8 +114,76 @@ def search():
       expect(sources).toContain('body')
       expect(sources).toContain('query')
     })
+
+    it('detects @fresh_jwt_required decorator', () => {
+      const content = `
+@app.route('/api/admin')
+@fresh_jwt_required()
+def admin_panel():
+    pass
+`
+      const routes = extractPythonRoutes(content, 'views.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware.some(d => /fresh_jwt_required/.test(d))).toBe(true)
+    })
+
+    it('detects @jwt_optional decorator', () => {
+      const content = `
+@app.route('/api/feed')
+@jwt_optional()
+def feed():
+    pass
+`
+      const routes = extractPythonRoutes(content, 'views.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware.some(d => /jwt_optional/.test(d))).toBe(true)
+    })
+
+    it('detects @fresh_login_required decorator', () => {
+      const content = `
+@fresh_login_required
+@app.route('/api/sensitive')
+def sensitive():
+    pass
+`
+      const routes = extractPythonRoutes(content, 'views.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware.some(d => /fresh_login_required/.test(d))).toBe(true)
+    })
+
+    it('detects multiple auth decorators on same route', () => {
+      const content = `
+@login_required
+@app.route('/api/admin', methods=['POST'])
+@permission_required('admin')
+def admin_action():
+    pass
+`
+      const routes = extractPythonRoutes(content, 'views.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware.length).toBeGreaterThanOrEqual(2)
+    })
+
+    it('detects blueprint route with auth decorator', () => {
+      const content = `
+from flask import Blueprint
+bp = Blueprint('api', __name__)
+
+@bp.route('/items')
+@token_required
+def list_items():
+    return jsonify([])
+`
+      const routes = extractPythonRoutes(content, 'views.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware.some(d => /token_required/.test(d))).toBe(true)
+    })
   })
 
+  // ============================================================================
+  // Django Routes (existing + enhancements)
+  // ============================================================================
+
   describe('Django routes', () => {
     it('extracts Django path() in urlpatterns', () => {
       const content = `
@@ -86,10 +201,621 @@ urlpatterns = [
       expect(routes[0].framework).toBe('django')
       expect(routes[1].path).toBe('/api/users/:pk/')
     })
+
+    it('extracts re_path() patterns', () => {
+      const content = `
+from django.urls import re_path
+from . import views
+
+urlpatterns = [
+    re_path(r'^api/v1/users/$', views.user_list, name='user-list'),
+]
+`
+      const routes = extractPythonRoutes(content, 'urls.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].path).toBe('/api/v1/users/')
+    })
+
+    it('strips regex anchors from re_path patterns', () => {
+      const content = `
+from django.urls import re_path
+
+urlpatterns = [
+    re_path(r'^api/$', views.api_root),
+]
+`
+      const routes = extractPythonRoutes(content, 'urls.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].path).toBe('/api/')
+      expect(routes[0].path).not.toContain('^')
+      expect(routes[0].path).not.toContain('$')
+    })
+
+    it('detects login_required auth wrapping', () => {
+      const content = `
+from django.urls import path
+from django.contrib.auth.decorators import login_required
+
+urlpatterns = [
+    path('profile/', login_required(views.profile_view), name='profile'),
+]
+`
+      const routes = extractPythonRoutes(content, 'urls.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware).toContain('login_required')
+      expect(routes[0].handler).toBe('views.profile_view')
+    })
+
+    it('detects permission_required auth wrapping', () => {
+      const content = `
+from django.urls import path
+from django.contrib.auth.decorators import permission_required
+
+urlpatterns = [
+    path('admin/', permission_required('is_admin')(views.admin_panel), name='admin'),
+]
+`
+      const routes = extractPythonRoutes(content, 'urls.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware.some(m => m.includes('permission_required'))).toBe(true)
+      expect(routes[0].handler).toBe('views.admin_panel')
+    })
+
+    it('cleans view reference after stripping auth wrapper', () => {
+      const content = `
+urlpatterns = [
+    path('dashboard/', login_required(views.DashboardView.as_view()), name='dashboard'),
+]
+`
+      const routes = extractPythonRoutes(content, 'urls.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].handler).toBe('views.DashboardView')
+    })
+
+    it('handles both path() and re_path() in same urlpatterns', () => {
+      const content = `
+from django.urls import path, re_path
+
+urlpatterns = [
+    path('api/users/', views.user_list),
+    re_path(r'^api/legacy/$', views.legacy_api),
+]
+`
+      const routes = extractPythonRoutes(content, 'urls.py')
+      expect(routes).toHaveLength(2)
+      expect(routes[0].path).toBe('/api/users/')
+      expect(routes[1].path).toBe('/api/legacy/')
+    })
+
+    it('as_view() stripping works with auth wrapping', () => {
+      const content = `
+urlpatterns = [
+    path('items/', login_required(views.ItemView.as_view()), name='items'),
+]
+`
+      const routes = extractPythonRoutes(content, 'urls.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].handler).toBe('views.ItemView')
+    })
+  })
+
+  // ============================================================================
+  // FastAPI Routes
+  // ============================================================================
+
+  describe('FastAPI routes', () => {
+    it('extracts @app.get route', () => {
+      const content = `
+from fastapi import FastAPI
+app = FastAPI()
+
+@app.get('/api/users')
+async def get_users():
+    return []
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].methods).toEqual(['GET'])
+      expect(routes[0].path).toBe('/api/users')
+      expect(routes[0].framework).toBe('fastapi')
+      expect(routes[0].handler).toBe('get_users')
+    })
+
+    it('extracts @app.post route', () => {
+      const content = `
+from fastapi import FastAPI
+app = FastAPI()
+
+@app.post('/api/items')
+async def create_item():
+    pass
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].methods).toEqual(['POST'])
+    })
+
+    it('extracts @router.put and @app.delete', () => {
+      const content = `
+from fastapi import APIRouter
+router = APIRouter()
+
+@router.put('/api/items/{item_id}')
+async def update_item(item_id: int):
+    pass
+
+@router.delete('/api/items/{item_id}')
+async def delete_item(item_id: int):
+    pass
+`
+      const routes = extractPythonRoutes(content, 'routes.py')
+      // No FastAPI() in content, but has `from fastapi` import
+      // Actually need from fastapi import
+      const content2 = `
+from fastapi import APIRouter
+router = APIRouter()
+
+@router.put('/api/items/{item_id}')
+async def update_item(item_id: int):
+    pass
+
+@router.delete('/api/items/{item_id}')
+async def delete_item(item_id: int):
+    pass
+`
+      const routes2 = extractPythonRoutes(content2, 'routes.py')
+      expect(routes2).toHaveLength(2)
+      expect(routes2[0].methods).toEqual(['PUT'])
+      expect(routes2[1].methods).toEqual(['DELETE'])
+    })
+
+    it('extracts @app.api_route with multiple methods', () => {
+      const content = `
+from fastapi import FastAPI
+app = FastAPI()
+
+@app.api_route('/api/data', methods=['GET', 'POST'])
+async def handle_data():
+    pass
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].methods).toEqual(['GET', 'POST'])
+    })
+
+    it('converts FastAPI path params {item_id} to :item_id', () => {
+      const content = `
+from fastapi import FastAPI
+app = FastAPI()
+
+@app.get('/api/users/{user_id}/posts/{post_id}')
+async def get_user_post(user_id: int, post_id: int):
+    pass
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].path).toBe('/api/users/:user_id/posts/:post_id')
+    })
+
+    it('detects Depends(get_current_user) in function params', () => {
+      const content = `
+from fastapi import FastAPI, Depends
+app = FastAPI()
+
+@app.get('/api/me')
+async def get_me(current_user = Depends(get_current_user)):
+    return current_user
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware.some(m => m.includes('Depends'))).toBe(true)
+    })
+
+    it('detects Depends auth in multi-line function signature', () => {
+      const content = `
+from fastapi import FastAPI, Depends
+app = FastAPI()
+
+@app.get('/api/profile')
+async def get_profile(
+    db: Session = Depends(get_db),
+    user = Depends(get_current_user)
+):
+    return user
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware.some(m => m.includes('get_current_user'))).toBe(true)
+    })
+
+    it('detects Security() in function params', () => {
+      const content = `
+from fastapi import FastAPI, Security
+from fastapi.security import HTTPBearer
+app = FastAPI()
+
+security = HTTPBearer()
+
+@app.get('/api/secure')
+async def secure_endpoint(credentials = Security(security)):
+    pass
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware).toContain('Security()')
+    })
+
+    it('detects dependencies=[Depends(verify_token)] in decorator', () => {
+      const content = `
+from fastapi import FastAPI, Depends
+app = FastAPI()
+
+@app.get('/api/data', dependencies=[Depends(verify_token)])
+async def get_data():
+    return {"data": []}
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].authMiddleware.some(m => m.includes('verify_token'))).toBe(true)
+    })
+
+    it('detects rate limiting decorator on FastAPI route', () => {
+      const content = `
+from fastapi import FastAPI
+from slowapi import limiter
+app = FastAPI()
+
+@limiter.limit("5/minute")
+@app.get('/api/search')
+async def search():
+    pass
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].rateLimiting).toBe(true)
+    })
+
+    it('detects input sources in FastAPI handler body', () => {
+      const content = `
+from fastapi import FastAPI, Request
+app = FastAPI()
+
+@app.post('/api/submit')
+async def submit(request: Request):
+    params = request.query_params
+    h = request.headers.get('x-token')
+    return {"ok": True}
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      const sources = routes[0].inputs.map(i => i.source)
+      expect(sources).toContain('query')
+      expect(sources).toContain('headers')
+    })
+
+    it('marks health endpoint as public', () => {
+      const content = `
+from fastapi import FastAPI
+app = FastAPI()
+
+@app.get('/health')
+async def health():
+    return {"status": "ok"}
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].isPublic).toBe(true)
+    })
+
+    it('handles async def handler', () => {
+      const content = `
+from fastapi import FastAPI
+app = FastAPI()
+
+@app.get('/api/async')
+async def async_handler():
+    return {"async": True}
+`
+      const routes = extractPythonRoutes(content, 'main.py')
+      expect(routes).toHaveLength(1)
+      expect(routes[0].handler).toBe('async_handler')
+    })
+
+    it('does not match Flask @app.route as FastAPI', () => {
+      const content = `
+from flask import Flask
+app = Flask(__name__)
+
+@app.route('/api/test')
+def test():
+    pass
+`
+      const routes = extractPythonRoutes(content, 'app.py')
+      // Should only have Flask route, not FastAPI
+      expect(routes).toHaveLength(1)
+      expect(routes[0].framework).toBe('flask')
+    })
   })
 
+  // ============================================================================
+  // General
+  // ============================================================================
+
   it('skips non-Python files', () => {
     const routes = extractPythonRoutes('app.get("/test", handler)', 'server.js')
     expect(routes).toHaveLength(0)
   })
 })
+
+// ============================================================================
+// Python Block Extraction
+// ============================================================================
+
+describe('extractPythonBlock', () => {
+  it('extracts simple function body', () => {
+    const lines = [
+      'def hello():',
+      '    print("hello")',
+      '    return True',
+      '',
+      'x = 1',
+    ]
+    const block = extractPythonBlock(lines, 0)
+    expect(block).toContain('def hello():')
+    expect(block).toContain('print("hello")')
+    expect(block).toContain('return True')
+    expect(block).not.toContain('x = 1')
+  })
+
+  it('preserves blank lines within body', () => {
+    const lines = [
+      'def func():',
+      '    a = 1',
+      '',
+      '    b = 2',
+      'other()',
+    ]
+    const block = extractPythonBlock(lines, 0)
+    expect(block).toContain('a = 1')
+    expect(block).toContain('b = 2')
+    expect(block).not.toContain('other()')
+  })
+
+  it('stops at de-dented line', () => {
+    const lines = [
+      '    def inner():',
+      '        x = 1',
+      '        y = 2',
+      '    z = 3',
+    ]
+    const block = extractPythonBlock(lines, 0)
+    expect(block).toContain('x = 1')
+    expect(block).toContain('y = 2')
+    expect(block).not.toContain('z = 3')
+  })
+
+  it('includes nested blocks', () => {
+    const lines = [
+      'def outer():',
+      '    if True:',
+      '        for i in range(10):',
+      '            print(i)',
+      '    return None',
+      'top_level()',
+    ]
+    const block = extractPythonBlock(lines, 0)
+    expect(block).toContain('if True:')
+    expect(block).toContain('print(i)')
+    expect(block).toContain('return None')
+    expect(block).not.toContain('top_level()')
+  })
+
+  it('handles multi-line function signature', () => {
+    const lines = [
+      'def func(',
+      '    arg1,',
+      '    arg2',
+      '):',
+      '    return arg1 + arg2',
+      'x = 1',
+    ]
+    // extractPythonBlock starts from def line, body starts after '):' line
+    const block = extractPythonBlock(lines, 0)
+    expect(block).toContain('def func(')
+    expect(block).toContain('return arg1 + arg2')
+  })
+})
+
+// ============================================================================
+// Auth Resolver — Python Patterns
+// ============================================================================
+
+describe('Route Auth Resolver — Python patterns', () => {
+  it('detects abort(401) as throwing auth', () => {
+    const route = makeRoute({
+      filePath: 'app.py',
+      framework: 'flask',
+      handlerLine: 3,
+    })
+    const files: ScanFile[] = [{
+      path: 'app.py',
+      content: `from flask import abort
+@app.route('/api/private')
+def private_view():
+    if not current_user:
+        abort(401)
+    return jsonify(data)
+`,
+      language: 'python',
+      size: 100,
+    }]
+    const result = resolveRouteAuth(
+      makeRouteMap([route]), [], files, emptyMiddlewareConfig
+    )
+    expect(result.routes[0].authMiddleware).toContain('throwing_auth_helper')
+  })
+
+  it('detects raise HTTPException(status_code=401)', () => {
+    const route = makeRoute({
+      filePath: 'main.py',
+      framework: 'fastapi',
+      handlerLine: 3,
+    })
+    const files: ScanFile[] = [{
+      path: 'main.py',
+      content: `from fastapi import HTTPException
+@app.get('/api/me')
+def get_me():
+    if not user:
+        raise HTTPException(status_code=401, detail="Not authenticated")
+    return user
+`,
+      language: 'python',
+      size: 100,
+    }]
+    const result = resolveRouteAuth(
+      makeRouteMap([route]), [], files, emptyMiddlewareConfig
+    )
+    expect(result.routes[0].authMiddleware).toContain('throwing_auth_helper')
+  })
+
+  it('detects raise PermissionDenied', () => {
+    const route = makeRoute({
+      filePath: 'views.py',
+      framework: 'django',
+      handlerLine: 2,
+    })
+    const files: ScanFile[] = [{
+      path: 'views.py',
+      content: `from django.core.exceptions import PermissionDenied
+def admin_view(request):
+    if not request.user.is_staff:
+        raise PermissionDenied
+    return render(request, 'admin.html')
+`,
+      language: 'python',
+      size: 100,
+    }]
+    const result = resolveRouteAuth(
+      makeRouteMap([route]), [], files, emptyMiddlewareConfig
+    )
+    expect(result.routes[0].authMiddleware).toContain('throwing_auth_helper')
+  })
+
+  it('detects request.user.is_authenticated', () => {
+    const route = makeRoute({
+      filePath: 'views.py',
+      framework: 'django',
+      handlerLine: 1,
+    })
+    const files: ScanFile[] = [{
+      path: 'views.py',
+      content: `def dashboard(request):
+    if not request.user.is_authenticated:
+        return redirect('/login')
+    return render(request, 'dashboard.html')
+`,
+      language: 'python',
+      size: 100,
+    }]
+    const result = resolveRouteAuth(
+      makeRouteMap([route]), [], files, emptyMiddlewareConfig
+    )
+    expect(result.routes[0].authMiddleware).toContain('throwing_auth_helper')
+  })
+
+  it('detects current_user.is_authenticated (Flask-Login)', () => {
+    const route = makeRoute({
+      filePath: 'app.py',
+      framework: 'flask',
+      handlerLine: 2,
+    })
+    const files: ScanFile[] = [{
+      path: 'app.py',
+      content: `@app.route('/profile')
+def profile():
+    if not current_user.is_authenticated:
+        abort(401)
+    return render_template('profile.html')
+`,
+      language: 'python',
+      size: 100,
+    }]
+    const result = resolveRouteAuth(
+      makeRouteMap([route]), [], files, emptyMiddlewareConfig
+    )
+    expect(result.routes[0].authMiddleware).toContain('throwing_auth_helper')
+  })
+
+  it('extracts Python handler body using indentation (not braces)', () => {
+    const route = makeRoute({
+      filePath: 'views.py',
+      framework: 'django',
+      handlerLine: 1,
+    })
+    const files: ScanFile[] = [{
+      path: 'views.py',
+      content: `def my_view(request):
+    user = getCurrentUserId()
+    return JsonResponse({'user': user})
+
+def other_view(request):
+    pass
+`,
+      language: 'python',
+      size: 100,
+    }]
+    const result = resolveRouteAuth(
+      makeRouteMap([route]), [], files, emptyMiddlewareConfig
+    )
+    expect(result.routes[0].authMiddleware).toContain('throwing_auth_helper')
+  })
+
+  it('no false positive on unrelated abort calls', () => {
+    const route = makeRoute({
+      filePath: 'app.py',
+      framework: 'flask',
+      handlerLine: 2,
+    })
+    const files: ScanFile[] = [{
+      path: 'app.py',
+      content: `@app.route('/api/data')
+def get_data():
+    data = fetch_data()
+    abort(500)
+    return jsonify(data)
+`,
+      language: 'python',
+      size: 100,
+    }]
+    const result = resolveRouteAuth(
+      makeRouteMap([route]), [], files, emptyMiddlewareConfig
+    )
+    // abort(500) is NOT an auth pattern — should not be marked
+    expect(result.routes[0].authMiddleware).not.toContain('throwing_auth_helper')
+  })
+
+  it('FastAPI Depends auth carried from route definition', () => {
+    // Route already has authMiddleware from FastAPI extraction, resolver should preserve it
+    const route = makeRoute({
+      filePath: 'main.py',
+      framework: 'fastapi',
+      handlerLine: 3,
+      authMiddleware: ['Depends(get_current_user)'],
+    })
+    const files: ScanFile[] = [{
+      path: 'main.py',
+      content: `from fastapi import FastAPI, Depends
+@app.get('/api/me')
+def get_me(user = Depends(get_current_user)):
+    return user
+`,
+      language: 'python',
+      size: 100,
+    }]
+    const result = resolveRouteAuth(
+      makeRouteMap([route]), [], files, emptyMiddlewareConfig
+    )
+    expect(result.routes[0].authMiddleware).toContain('Depends(get_current_user)')
+  })
+})