jac-scale 0.1.1__py3-none-any.whl → 0.1.4__py3-none-any.whl

jac_scale/tests/test_serve.py

@@ -3,6 +3,9 @@
 import contextlib
 import gc
 import glob
+import hashlib
+import hmac
+import json
 import socket
 import subprocess
 import time
@@ -260,7 +263,7 @@ class TestJacScaleServe:
     def _create_expired_token(self, username: str, days_ago: int = 1) -> str:
         """Create an expired JWT token for testing."""
         # Use the same secret as the server (default)
-        secret = "supersecretkey"
+        secret = "supersecretkey_for_testing_only!"
         algorithm = "HS256"
 
         past_time = datetime.now(UTC) - timedelta(days=days_ago)
@@ -273,7 +276,7 @@ class TestJacScaleServe:
 
     def _create_very_old_token(self, username: str, days_ago: int = 15) -> str:
         """Create a token that's too old to refresh."""
-        secret = "supersecretkey"
+        secret = "supersecretkey_for_testing_only!"
         algorithm = "HS256"
 
         past_time = datetime.now(UTC) - timedelta(days=days_ago)
@@ -505,7 +508,7 @@ class TestJacScaleServe:
         new_token = refresh_result["token"]
 
         # Decode both tokens and verify username is preserved
-        secret = "supersecretkey"
+        secret = "supersecretkey_for_testing_only!"
         algorithm = "HS256"
 
         original_payload = pyjwt.decode(original_token, secret, algorithms=[algorithm])
@@ -535,7 +538,7 @@ class TestJacScaleServe:
         new_token = refresh_result["token"]
 
         # Decode tokens and compare expiration times
-        secret = "supersecretkey"
+        secret = "supersecretkey_for_testing_only!"
         algorithm = "HS256"
 
         original_payload = pyjwt.decode(original_token, secret, algorithms=[algorithm])
@@ -1561,6 +1564,356 @@ class TestJacScaleServe:
         )
         assert old_password_response.status_code == 401
 
+    # ========================================================================
+    # Webhook Walker Tests
+    # ========================================================================
+
+    def _generate_webhook_signature(self, payload: bytes, secret: str) -> str:
+        """Generate HMAC-SHA256 signature for webhook payload."""
+        return hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).hexdigest()
+
+    def test_webhook_endpoint_exists_for_webhook_walkers(self) -> None:
+        """Test 1: Verify webhook endpoints are registered for walkers with @restspec(webhook=True)."""
+        response = requests.get(f"{self.base_url}/openapi.json", timeout=5)
+        assert response.status_code == 200
+        schema = response.json()
+        paths = schema.get("paths", {})
+
+        # PaymentReceived has @restspec(webhook=True) -> should have /webhook/ endpoint
+        assert "/webhook/PaymentReceived" in paths, (
+            f"Expected /webhook/PaymentReceived in paths: {list(paths.keys())}"
+        )
+        # MinimalWebhook has @restspec(webhook=True) -> should have /webhook/ endpoint
+        assert "/webhook/MinimalWebhook" in paths, (
+            f"Expected /webhook/MinimalWebhook in paths: {list(paths.keys())}"
+        )
+
+    def test_normal_walker_not_in_webhook_endpoint(self) -> None:
+        """Test 2: Verify normal walkers (without @restspec(webhook=True)) are NOT in /webhook/."""
+        response = requests.get(f"{self.base_url}/openapi.json", timeout=5)
+        assert response.status_code == 200
+        schema = response.json()
+        paths = schema.get("paths", {})
+
+        # NormalPayment does NOT have @restspec(webhook=True) -> should NOT have /webhook/ endpoint
+        assert "/webhook/NormalPayment" not in paths, (
+            "NormalPayment should NOT have webhook endpoint but found in paths"
+        )
+        # NormalPayment should be accessible via /walker/ endpoint
+        assert "/walker/NormalPayment" in paths or "/walker/{walker_name}" in paths, (
+            "NormalPayment should be accessible via /walker/ endpoint"
+        )
+
+    def test_normal_walker_accessible_via_walker_endpoint(self) -> None:
+        """Test 2b: Verify NormalPayment (no webhook restspec) works via /walker/ endpoint."""
+        # Create user and get token
+        username = f"normal_walker_user_{uuid.uuid4().hex[:8]}"
+        register_response = requests.post(
+            f"{self.base_url}/user/register",
+            json={"username": username, "password": "password123"},
+            timeout=10,
+        )
+        assert register_response.status_code == 201
+        register_data = cast(
+            dict[str, Any],
+            self._extract_transport_response_data(register_response.json()),
+        )
+        token = register_data["token"]
+
+        # Call NormalPayment via /walker/ endpoint
+        response = requests.post(
+            f"{self.base_url}/walker/NormalPayment",
+            json={
+                "payment_id": "PAY-NORMAL-001",
+                "order_id": "ORD-NORMAL-001",
+                "amount": 50.00,
+                "currency": "EUR",
+            },
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=10,
+        )
+
+        assert response.status_code == 200, (
+            f"Expected 200, got {response.status_code}: {response.text}"
+        )
+        data = cast(
+            dict[str, Any], self._extract_transport_response_data(response.json())
+        )
+        assert "reports" in data
+        report = data["reports"][0]
+        assert report["status"] == "success"
+        assert report["payment_id"] == "PAY-NORMAL-001"
+        assert report["transport"] == "http"
+
+    def test_webhook_requires_api_key(self) -> None:
+        """Test that webhook endpoints require API key authentication."""
+        payload = json.dumps({})
+
+        # Try to call MinimalWebhook without API key
+        response = requests.post(
+            f"{self.base_url}/webhook/MinimalWebhook",
+            data=payload,
+            headers={"Content-Type": "application/json"},
+            timeout=5,
+        )
+
+        # Should fail - 401 (our custom error) or 422 (FastAPI validation for missing header)
+        assert response.status_code in (401, 422), (
+            f"Expected 401 or 422, got {response.status_code}: {response.text}"
+        )
+
+    def test_webhook_invalid_api_key(self) -> None:
+        """Test that webhook endpoints reject invalid API keys."""
+        payload = json.dumps({})
+
+        # Try with invalid API key
+        response = requests.post(
+            f"{self.base_url}/webhook/MinimalWebhook",
+            data=payload,
+            headers={
+                "Content-Type": "application/json",
+                "X-API-Key": "invalid_key_12345",
+            },
+            timeout=5,
+        )
+
+        # Should fail with 401 Unauthorized
+        assert response.status_code == 401, (
+            f"Expected 401, got {response.status_code}: {response.text}"
+        )
+
+    def test_minimal_webhook_with_valid_api_key(self) -> None:
+        """Test 3: MinimalWebhook (with @restspec(webhook=True)) works with valid API key."""
+        # Create user and get auth token
+        username = f"minimal_webhook_user_{uuid.uuid4().hex[:8]}"
+        register_response = requests.post(
+            f"{self.base_url}/user/register",
+            json={"username": username, "password": "password123"},
+            timeout=10,
+        )
+        assert register_response.status_code == 201
+        register_data = cast(
+            dict[str, Any],
+            self._extract_transport_response_data(register_response.json()),
+        )
+        token = register_data["token"]
+
+        # Create API key
+        api_key_response = requests.post(
+            f"{self.base_url}/api-key/create",
+            json={"name": "minimal_webhook_key", "expiry_days": 30},
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=10,
+        )
+        assert api_key_response.status_code == 201, (
+            f"Failed to create API key: {api_key_response.text}"
+        )
+        api_key_data = cast(
+            dict[str, Any],
+            self._extract_transport_response_data(api_key_response.json()),
+        )
+        api_key = api_key_data["api_key"]
+
+        # Call MinimalWebhook with valid API key (empty payload - no fields required)
+        payload = json.dumps({})
+        payload_bytes = payload.encode("utf-8")
+        signature = self._generate_webhook_signature(payload_bytes, api_key)
+        response = requests.post(
+            f"{self.base_url}/webhook/MinimalWebhook",
+            data=payload,
+            headers={
+                "Content-Type": "application/json",
+                "X-API-Key": api_key,
+                "X-Webhook-Signature": signature,
+            },
+            timeout=10,
+        )
+
+        assert response.status_code == 200, (
+            f"Expected 200, got {response.status_code}: {response.text}"
+        )
+        data = cast(
+            dict[str, Any], self._extract_transport_response_data(response.json())
+        )
+        assert "reports" in data
+        assert data["reports"][0]["status"] == "received"
+        assert data["reports"][0]["transport"] == "webhook"
+
+    def test_webhook_payment_received_with_fields(self) -> None:
+        """Test 1: PaymentReceived webhook walker with multiple fields + @restspec(webhook=True)."""
+        # Create user and get API key
+        username = f"payment_user_{uuid.uuid4().hex[:8]}"
+        register_response = requests.post(
+            f"{self.base_url}/user/register",
+            json={"username": username, "password": "password123"},
+            timeout=10,
+        )
+        assert register_response.status_code == 201
+        register_data = cast(
+            dict[str, Any],
+            self._extract_transport_response_data(register_response.json()),
+        )
+        token = register_data["token"]
+
+        api_key_response = requests.post(
+            f"{self.base_url}/api-key/create",
+            json={"name": "payment_webhook_key", "expiry_days": 30},
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=10,
+        )
+        assert api_key_response.status_code == 201
+        api_key_data = cast(
+            dict[str, Any],
+            self._extract_transport_response_data(api_key_response.json()),
+        )
+        api_key = api_key_data["api_key"]
+
+        # Send payment webhook
+        payload = json.dumps(
+            {
+                "payment_id": "PAY-12345",
+                "order_id": "ORD-67890",
+                "amount": 99.99,
+                "currency": "USD",
+            }
+        )
+        payload_bytes = payload.encode("utf-8")
+        signature = self._generate_webhook_signature(payload_bytes, api_key)
+
+        response = requests.post(
+            f"{self.base_url}/webhook/PaymentReceived",
+            data=payload,
+            headers={
+                "Content-Type": "application/json",
+                "X-API-Key": api_key,
+                "X-Webhook-Signature": signature,
+            },
+            timeout=10,
+        )
+
+        assert response.status_code == 200, (
+            f"Expected 200, got {response.status_code}: {response.text}"
+        )
+        data = cast(
+            dict[str, Any], self._extract_transport_response_data(response.json())
+        )
+        assert "reports" in data
+        report = data["reports"][0]
+        assert report["status"] == "success"
+        assert report["payment_id"] == "PAY-12345"
+        assert report["order_id"] == "ORD-67890"
+        assert report["amount"] == 99.99
+        assert report["currency"] == "USD"
+
+    def test_webhook_not_accessible_via_regular_walker_endpoint(self) -> None:
+        """Test that webhook walkers (with @restspec(webhook=True)) are NOT accessible via /walker/."""
+        # Create user and get token
+        username = f"webhook_path_user_{uuid.uuid4().hex[:8]}"
+        register_response = requests.post(
+            f"{self.base_url}/user/register",
+            json={"username": username, "password": "password123"},
+            timeout=10,
+        )
+        assert register_response.status_code == 201
+        register_data = cast(
+            dict[str, Any],
+            self._extract_transport_response_data(register_response.json()),
+        )
+        token = register_data["token"]
+
+        # Try to access PaymentReceived (webhook walker) via /walker/ endpoint
+        response = requests.post(
+            f"{self.base_url}/walker/PaymentReceived",
+            json={
+                "payment_id": "PAY-TEST",
+                "order_id": "ORD-TEST",
+                "amount": 10.00,
+            },
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=10,
+        )
+
+        # Webhook walkers should not be accessible via /walker/ endpoint
+        # In static mode: 404 (Not Found) or 405 (Method Not Allowed - no POST registered)
+        # In dynamic mode: 400 (Bad Request - explicitly rejected)
+        assert response.status_code in (400, 404, 405), (
+            f"Expected 400/404/405, got {response.status_code}: {response.text}"
+        )
+
+    def test_webhook_revoked_api_key(self) -> None:
+        """Test that revoked API keys are rejected."""
+        # Create user and get auth token
+        username = f"webhook_revoke_user_{uuid.uuid4().hex[:8]}"
+        register_response = requests.post(
+            f"{self.base_url}/user/register",
+            json={"username": username, "password": "password123"},
+            timeout=10,
+        )
+        assert register_response.status_code == 201
+        register_data = cast(
+            dict[str, Any],
+            self._extract_transport_response_data(register_response.json()),
+        )
+        token = register_data["token"]
+
+        # Create API key
+        api_key_response = requests.post(
+            f"{self.base_url}/api-key/create",
+            json={"name": "key_to_revoke", "expiry_days": 30},
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=10,
+        )
+        assert api_key_response.status_code == 201
+        api_key_data = cast(
+            dict[str, Any],
+            self._extract_transport_response_data(api_key_response.json()),
+        )
+        api_key = api_key_data["api_key"]
+        api_key_id = api_key_data["api_key_id"]
+
+        # Verify API key works with MinimalWebhook
+        payload = json.dumps({})
+        payload_bytes = payload.encode("utf-8")
+        signature = self._generate_webhook_signature(payload_bytes, api_key)
+        response = requests.post(
+            f"{self.base_url}/webhook/MinimalWebhook",
+            data=payload,
+            headers={
+                "Content-Type": "application/json",
+                "X-API-Key": api_key,
+                "X-Webhook-Signature": signature,
+            },
+            timeout=10,
+        )
+        assert response.status_code == 200
+
+        # Revoke the API key
+        revoke_response = requests.delete(
+            f"{self.base_url}/api-key/{api_key_id}",
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=10,
+        )
+        assert revoke_response.status_code == 200, (
+            f"Failed to revoke key: {revoke_response.text}"
+        )
+
+        # Try to use revoked key (same payload and signature)
+        response = requests.post(
+            f"{self.base_url}/webhook/MinimalWebhook",
+            data=payload,
+            headers={
+                "Content-Type": "application/json",
+                "X-API-Key": api_key,
+                "X-Webhook-Signature": signature,
+            },
+            timeout=10,
+        )
+
+        # Should fail with 401
+        assert response.status_code == 401, (
+            f"Expected 401 for revoked key, got {response.status_code}: {response.text}"
+        )
+
 
 class TestJacScaleServeDevMode:
     """Test jac-scale serve with --dev mode (dynamic routing).
@@ -1833,3 +2186,57 @@ class TestJacScaleServeDevMode:
         assert reports[1]["status"] == "after_async_wait"
         assert reports[2]["status"] == "completed"
         assert "task" in reports[2]
+
+    def test_walker_stream_response(self) -> None:
+        """Test that walker streaming responses work correctly."""
+        response = requests.post(
+            f"{self.base_url}/walker/WalkerStream",
+            json={"count": 3},
+            timeout=30,
+            stream=True,
+        )
+
+        assert response.status_code == 200, (
+            f"Failed with status {response.status_code}: {response.text}"
+        )
+        assert response.headers["content-type"] == "text/event-stream; charset=utf-8"
+        assert response.headers.get("cache-control") == "no-cache"
+        assert response.headers.get("connection") == "close"
+
+        # Collect streaming content
+        content = ""
+        for chunk in response.iter_content(chunk_size=1024, decode_unicode=True):
+            if chunk:
+                content += chunk
+
+        # The generator yields "Report 0", "Report 1", "Report 2" without delimiters
+        # They get concatenated together in the stream
+        expected = "Report 0Report 1Report 2"
+        assert content == expected, f"Expected '{expected}', got '{content}'"
+
+    def test_function_stream_response(self) -> None:
+        """Test that function streaming responses work correctly."""
+        response = requests.post(
+            f"{self.base_url}/function/FunctionStream",
+            json={"count": 2},
+            timeout=30,
+            stream=True,
+        )
+
+        assert response.status_code == 200, (
+            f"Failed with status {response.status_code}: {response.text}"
+        )
+        assert response.headers["content-type"] == "text/event-stream; charset=utf-8"
+        assert response.headers.get("cache-control") == "no-cache"
+        assert response.headers.get("connection") == "close"
+
+        # Collect streaming content
+        content = ""
+        for chunk in response.iter_content(chunk_size=1024, decode_unicode=True):
+            if chunk:
+                content += chunk
+
+        # The generator yields "Func 0", "Func 1" without delimiters
+        # They get concatenated together in the stream
+        expected = "Func 0Func 1"
+        assert content == expected, f"Expected '{expected}', got '{content}'"