planar 0.10.0__py3-none-any.whl → 0.11.0__py3-none-any.whl

planar/security/tests/test_auth_middleware.py

@@ -1,162 +0,0 @@
-from unittest.mock import Mock, patch
-
-import pytest
-from fastapi import FastAPI, HTTPException
-from fastapi.responses import JSONResponse
-
-from planar.security.auth_middleware import AuthMiddleware
-
-
-@pytest.fixture
-def app():
-    return FastAPI()
-
-
-@pytest.fixture
-def auth_middleware(app):
-    return AuthMiddleware(
-        app=app,
-        client_id="test-client-id",
-        org_id="test-org-id",
-        additional_exclusion_paths=["/test/exclude"],
-        service_token="plt_test-service-token",
-    )
-
-
-class TestAuthMiddleware:
-    def test_org_id_validation_none(self, auth_middleware):
-        """Test that org_id validation fails when token has None org_id"""
-        with (
-            patch.object(auth_middleware, "get_signing_key_from_jwt"),
-            patch("jwt.decode") as mock_decode,
-        ):
-            mock_decode.return_value = {"org_id": None}
-
-            with pytest.raises(HTTPException) as exc_info:
-                auth_middleware.validate_jwt_token("fake-token")
-
-            assert exc_info.value.status_code == 401
-            assert exc_info.value.detail == "Invalid organization"
-
-    def test_org_id_validation_empty_string(self, auth_middleware):
-        """Test that org_id validation fails when token has empty string org_id"""
-        with (
-            patch.object(auth_middleware, "get_signing_key_from_jwt"),
-            patch("jwt.decode") as mock_decode,
-        ):
-            mock_decode.return_value = {"org_id": ""}
-
-            with pytest.raises(HTTPException) as exc_info:
-                auth_middleware.validate_jwt_token("fake-token")
-
-            assert exc_info.value.status_code == 401
-            assert exc_info.value.detail == "Invalid organization"
-
-    def test_org_id_validation_mismatch(self, auth_middleware):
-        """Test that org_id validation fails when token org_id doesn't match"""
-        with (
-            patch.object(auth_middleware, "get_signing_key_from_jwt"),
-            patch("jwt.decode") as mock_decode,
-        ):
-            mock_decode.return_value = {"org_id": "different-org-id"}
-
-            with pytest.raises(HTTPException) as exc_info:
-                auth_middleware.validate_jwt_token("fake-token")
-
-            assert exc_info.value.status_code == 401
-            assert exc_info.value.detail == "Invalid organization"
-
-    def test_org_id_validation_success(self, auth_middleware):
-        """Test that org_id validation succeeds when token org_id matches"""
-        with (
-            patch.object(auth_middleware, "get_signing_key_from_jwt"),
-            patch("jwt.decode") as mock_decode,
-        ):
-            expected_payload = {"org_id": "test-org-id", "user_id": "test-user"}
-            mock_decode.return_value = expected_payload
-
-            result = auth_middleware.validate_jwt_token("fake-token")
-
-            assert result == expected_payload
-
-    @pytest.mark.asyncio
-    async def test_service_token_validation_success(self, auth_middleware):
-        """Test that service token validation succeeds when token matches"""
-        mock_request = Mock()
-        mock_request.url.path = "/planar/v1/something"
-        mock_request.headers = {"Authorization": "Bearer plt_test-service-token"}
-        mock_call_next = Mock()
-        mock_call_next.return_value = JSONResponse(
-            status_code=200, content={"message": "success"}
-        )
-
-        async def mock_call_next_func(request):
-            return mock_call_next(request)
-
-        result = await auth_middleware.dispatch(mock_request, mock_call_next_func)
-        mock_call_next.assert_called_once_with(mock_request)
-        assert result is not None
-        assert result.status_code == 200
-
-    @pytest.mark.asyncio
-    async def test_service_token_validation_failure(self, auth_middleware):
-        """Test that service token validation succeeds when token matches"""
-        mock_request = Mock()
-        mock_request.url.path = "/planar/v1/something"
-        mock_request.headers = {"Authorization": "Bearer plt_wrong-token"}
-        mock_call_next = Mock()
-        mock_call_next.return_value = JSONResponse(
-            status_code=200, content={"message": "success"}
-        )
-
-        async def mock_call_next_func(request):
-            return mock_call_next(request)
-
-        result = await auth_middleware.dispatch(mock_request, mock_call_next_func)
-        mock_call_next.assert_not_called()
-        assert result is not None
-        assert result.status_code == 401
-
-    @pytest.mark.asyncio
-    async def test_exclusion_paths_includes_health_and_additional(self, app):
-        """Test that exclusion paths include health endpoint and additional paths"""
-        middleware = AuthMiddleware(
-            app=app,
-            client_id="test-client-id",
-            org_id="test-org-id",
-            additional_exclusion_paths=["/custom/path", "/another/path"],
-        )
-
-        mock_request = Mock()
-        mock_call_next = Mock()
-
-        async def mock_call_next_func(request):
-            return mock_call_next(request)
-
-        expected_paths = ["/planar/v1/health", "/custom/path", "/another/path"]
-        for path in expected_paths:
-            mock_request.url.path = path
-            mock_call_next.reset_mock()
-
-            await middleware.dispatch(mock_request, mock_call_next_func)  # type: ignore
-
-            mock_call_next.assert_called_once_with(mock_request)
-
-        # Test that non-excluded paths are not excluded
-        mock_request.url.path = "/not-excluded"
-        mock_call_next.reset_mock()
-        result = await middleware.dispatch(mock_request, mock_call_next_func)
-        assert result is not None
-        assert result.status_code == 401
-        mock_call_next.assert_not_called()
-
-    def test_required_org_id_parameter(self, app):
-        """Test that org_id parameter is required (not optional)"""
-        # This test ensures org_id cannot be None based on type hints
-        # The actual enforcement is at the type level, so we just verify
-        # the constructor works with a valid org_id
-        middleware = AuthMiddleware(
-            app=app, client_id="test-client-id", org_id="required-org-id"
-        )
-
-        assert middleware.org_id == "required-org-id"

planar/security/tests/test_authorization_context.py

@@ -1,78 +0,0 @@
-from planar.security.auth_context import Principal
-from planar.security.authorization import (
-    CedarEntity,
-    PolicyService,
-    ResourceType,
-    WorkflowAction,
-    get_policy_service,
-    policy_service_context,
-    set_policy_service,
-)
-
-
-def test_policy_service_context_variable():
-    """Test that the authorization service context variable works correctly."""
-    # Initially, no authz service should be set
-    assert get_policy_service() is None
-
-    # Create a mock policy service
-    policy_service = PolicyService()
-
-    # Set the policy service in context
-    set_policy_service(policy_service)
-    assert get_policy_service() is policy_service
-
-    # Reset the context
-    set_policy_service(None)
-    assert get_policy_service() is None
-
-    # Test the context manager
-    async def test_context_manager():
-        async with policy_service_context(policy_service):
-            assert get_policy_service() is policy_service
-        # After exiting the context, it should be None again
-        assert get_policy_service() is None
-
-    # Run the async test
-    import asyncio
-
-    asyncio.run(test_context_manager())
-
-
-def test_policy_service_with_principal():
-    """Test that the policy service works with principal resources."""
-    policy_service = PolicyService()
-
-    # Create a mock principal with only required fields
-    principal = Principal(sub="test-user")  # type: ignore
-
-    # Create resources
-    principal_resource = CedarEntity.from_principal(principal)
-    workflow_resource = CedarEntity.from_workflow("test_workflow")
-
-    # Test that the service can be used
-    assert principal_resource.resource_type == ResourceType.PRINCIPAL
-    assert workflow_resource.resource_type == ResourceType.WORKFLOW
-    assert principal_resource.resource_attributes["sub"] == "test-user"
-    assert workflow_resource.resource_attributes["function_name"] == "test_workflow"
-
-    assert (
-        policy_service.is_allowed(
-            principal_resource, WorkflowAction.WORKFLOW_RUN, workflow_resource
-        )
-        is True
-    )
-
-    assert (
-        policy_service.is_allowed(
-            principal_resource, WorkflowAction.WORKFLOW_RUN, workflow_resource
-        )
-        is True
-    )
-
-    assert (
-        policy_service.is_allowed(
-            principal_resource, "Workflow::Fail", workflow_resource
-        )
-        is False
-    )

planar/security/tests/test_cedar_basics.py

@@ -1,41 +0,0 @@
-from cedarpy import Decision, format_policies, is_authorized
-
-
-def test_cedar_permissions():
-    # Define entities
-    entities = [
-        {
-            "uid": {"__entity": {"type": "Principal", "id": "alice"}},
-            "attrs": {},
-            "parents": [],
-        },
-        {
-            "uid": {"__entity": {"type": "Document", "id": "doc1"}},
-            "attrs": {},
-            "parents": [],
-        },
-    ]
-
-    # Initialize the Cedar policy service
-    policy = """
-    permit (
-        principal,
-        action == Action::"Run",
-        resource
-    );
-    """
-    formatted_policy = format_policies(policy)
-    print(formatted_policy)
-
-    # Create a simple request
-    request = {
-        "principal": 'Principal::"alice"',
-        "action": 'Action::"Run"',
-        "resource": 'Document::"doc1"',
-    }
-
-    # Test the authorization
-    result = is_authorized(request, policy, entities)
-    assert result.decision == Decision.Allow, (
-        "Cedar works and basic permission should be allowed"
-    )

planar/security/tests/test_cedar_policies.py

@@ -1,158 +0,0 @@
-import pytest
-
-from planar.security.auth_context import Principal
-from planar.security.authorization import (
-    AgentAction,
-    CedarEntity,
-    PolicyService,
-    RuleAction,
-    WorkflowAction,
-)
-
-
-@pytest.fixture
-def policy_service():
-    return PolicyService()
-
-
-def test_workflow_permissions(policy_service: PolicyService):
-    # Create a test principal (user)
-    user_principal = Principal(
-        sub="user123"  # type: ignore
-    )
-
-    # Create test resources
-    workflow_resource = CedarEntity.from_workflow("com.example.workflow.ProcessData")
-
-    # Test Workflow Actions
-    assert policy_service.is_allowed(
-        CedarEntity.from_principal(user_principal),
-        WorkflowAction.WORKFLOW_LIST,
-        workflow_resource,
-    ), "User should be able to list workflows"
-
-    assert policy_service.is_allowed(
-        CedarEntity.from_principal(user_principal),
-        WorkflowAction.WORKFLOW_VIEW_DETAILS,
-        workflow_resource,
-    ), "User should be able to view workflow details"
-
-    assert policy_service.is_allowed(
-        CedarEntity.from_principal(user_principal),
-        WorkflowAction.WORKFLOW_RUN,
-        workflow_resource,
-    ), "User should be able to run workflow"
-
-    assert policy_service.is_allowed(
-        CedarEntity.from_principal(user_principal),
-        WorkflowAction.WORKFLOW_CANCEL,
-        workflow_resource,
-    ), "User should be able to cancel workflow"
-
-
-def test_agent_permissions(policy_service: PolicyService):
-    user_principal = Principal(
-        sub="user123"  # type: ignore
-    )
-
-    agent_resource = CedarEntity.from_agent("OcrAgent")
-
-    # Test Agent Actions
-    assert policy_service.is_allowed(
-        CedarEntity.from_principal(user_principal),
-        AgentAction.AGENT_LIST,
-        agent_resource,
-    ), "User should be able to list agents"
-
-    assert policy_service.is_allowed(
-        CedarEntity.from_principal(user_principal),
-        AgentAction.AGENT_VIEW_DETAILS,
-        agent_resource,
-    ), "User should be able to view agent details"
-
-    assert policy_service.is_allowed(
-        CedarEntity.from_principal(user_principal),
-        AgentAction.AGENT_RUN,
-        agent_resource,
-    ), "User should be able to run agent"
-
-    assert policy_service.is_allowed(
-        CedarEntity.from_principal(user_principal),
-        AgentAction.AGENT_UPDATE,
-        agent_resource,
-    ), "User should be able to configure agent"
-
-
-def test_denied_permission(policy_service: PolicyService):
-    # Create a test principal (user)
-    user_principal = Principal(
-        sub="user123"  # type: ignore
-    )
-
-    # Create test resource
-    workflow_resource = CedarEntity.from_workflow("com.example.workflow.ProcessData")
-
-    # Test that a non-existent action is denied
-    assert not policy_service.is_allowed(
-        CedarEntity.from_principal(user_principal),
-        "Workflow::Delete",  # This action is not defined in our policies
-        workflow_resource,
-    ), "User should not be able to delete workflows"
-
-
-def test_deny_edits_to_rules_for_member_role(policy_service: PolicyService):
-    member_jwt_data = {
-        "org_name": "CoPlane",
-        "user_first_name": "Donald",
-        "user_last_name": "Knuth",
-        "user_email": "don@coplane.com",
-        "iss": "https://auth-api.coplane.com",
-        "sub": "user_02JYMGMYETXMAVB0GKT868T8V7",
-        "sid": "session_01JZ6NJVC1MSR86VZNR54BF9D4",
-        "jti": "01JZ8EHD793F6RTY8FC4A3H4E9",
-        "org_id": "org_01JY4QP57Y7H4EQ7HT3BGN7TNK",
-        "role": "member",
-        "permissions": [],
-        "feature_flags": [],
-        "exp": 1751556901,
-        "iat": 1751556601,
-    }
-
-    user_principal = Principal.from_jwt_payload(member_jwt_data)
-
-    rule_resource = CedarEntity.from_rule("complex_business_rule")
-
-    assert not policy_service.is_allowed(
-        CedarEntity.from_principal(user_principal),
-        RuleAction.RULE_UPDATE,
-        rule_resource,
-    )
-
-
-def test_allow_edits_to_rules_for_admin_role(policy_service: PolicyService):
-    member_jwt_data = {
-        "org_name": "CoPlane",
-        "user_first_name": "Donald",
-        "user_last_name": "Knuth",
-        "user_email": "don@coplane.com",
-        "iss": "https://auth-api.coplane.com",
-        "sub": "user_02JYMGMYETXMAVB0GKT868T8V7",
-        "sid": "session_01JZ6NJVC1MSR86VZNR54BF9D4",
-        "jti": "01JZ8EHD793F6RTY8FC4A3H4E9",
-        "org_id": "org_01JY4QP57Y7H4EQ7HT3BGN7TNK",
-        "role": "admin",
-        "permissions": [],
-        "feature_flags": [],
-        "exp": 1751556901,
-        "iat": 1751556601,
-    }
-
-    user_principal = Principal.from_jwt_payload(member_jwt_data)
-
-    rule_resource = CedarEntity.from_rule("complex_business_rule")
-
-    assert policy_service.is_allowed(
-        CedarEntity.from_principal(user_principal),
-        RuleAction.RULE_UPDATE,
-        rule_resource,
-    )

planar/security/tests/test_jwt_principal_context.py

@@ -1,179 +0,0 @@
-import pytest
-
-from planar.security.auth_context import (
-    Principal,
-    clear_principal,
-    get_current_principal,
-    has_role,
-    require_principal,
-    set_principal,
-)
-
-
-def test_principal_from_jwt_payload():
-    # Test with minimal required fields
-    payload = {"sub": "user123"}
-    principal = Principal.from_jwt_payload(payload)
-    assert principal.sub == "user123"
-    assert principal.extra_claims == {}
-
-    # Test with all standard fields
-    payload = {
-        "sub": "user123",
-        "iss": "https://auth-api.coplane.com",
-        "exp": 1234567890,
-        "iat": 1234567890,
-        "sid": "session123",
-        "jti": "jwt123",
-        "org_id": "org123",
-        "org_name": "Test Org",
-        "user_first_name": "John",
-        "user_last_name": "Doe",
-        "user_email": "john@example.com",
-        "role": "admin",
-        "permissions": ["read", "write"],
-    }
-    principal = Principal.from_jwt_payload(payload)
-    assert principal.sub == "user123"
-    assert principal.iss == "https://auth-api.coplane.com"
-    assert principal.exp == 1234567890
-    assert principal.iat == 1234567890
-    assert principal.sid == "session123"
-    assert principal.jti == "jwt123"
-    assert principal.org_id == "org123"
-    assert principal.org_name == "Test Org"
-    assert principal.user_first_name == "John"
-    assert principal.user_last_name == "Doe"
-    assert principal.user_email == "john@example.com"
-    assert principal.role == "admin"
-    assert principal.permissions == ["read", "write"]
-    assert principal.extra_claims == {}
-
-    # Test with extra claims
-    payload = {
-        "sub": "user123",
-        "custom_field": "custom_value",
-        "another_field": 123,
-    }
-    principal = Principal.from_jwt_payload(payload)
-    assert principal.sub == "user123"
-    assert principal.extra_claims == {
-        "custom_field": "custom_value",
-        "another_field": 123,
-    }
-
-    # Test with missing required field
-    with pytest.raises(ValueError, match="JWT payload must contain 'sub' field"):
-        Principal.from_jwt_payload({})
-
-
-def test_get_current_principal():
-    # Test when no principal is set
-    assert get_current_principal() is None
-
-    # Test when principal is set
-    principal = Principal(
-        sub="user123",
-        iss=None,
-        exp=None,
-        iat=None,
-        sid=None,
-        jti=None,
-        org_id=None,
-        org_name=None,
-        user_first_name=None,
-        user_last_name=None,
-        user_email=None,
-        role=None,
-        permissions=None,
-    )
-    token = set_principal(principal)
-    try:
-        assert get_current_principal() == principal
-    finally:
-        clear_principal(token)
-
-    # Verify principal is cleared
-    assert get_current_principal() is None
-
-
-def test_has_role():
-    # Test when no principal is set
-    assert not has_role("admin")
-
-    # Test when principal has matching role
-    principal = Principal(
-        sub="user123",
-        role="admin",
-        iss=None,
-        exp=None,
-        iat=None,
-        sid=None,
-        jti=None,
-        org_id=None,
-        org_name=None,
-        user_first_name=None,
-        user_last_name=None,
-        user_email=None,
-        permissions=None,
-    )
-    token = set_principal(principal)
-    try:
-        assert has_role("admin")
-        assert not has_role("user")
-    finally:
-        clear_principal(token)
-
-    # Test when principal has no role
-    principal = Principal(
-        sub="user123",
-        iss=None,
-        exp=None,
-        iat=None,
-        sid=None,
-        jti=None,
-        org_id=None,
-        org_name=None,
-        user_first_name=None,
-        user_last_name=None,
-        user_email=None,
-        role=None,
-        permissions=None,
-    )
-    token = set_principal(principal)
-    try:
-        assert not has_role("admin")
-    finally:
-        clear_principal(token)
-
-
-def test_require_principal():
-    # Test when no principal is set
-    with pytest.raises(RuntimeError, match="No authenticated principal in context"):
-        require_principal()
-
-    # Test when principal is set
-    principal = Principal(
-        sub="user123",
-        iss=None,
-        exp=None,
-        iat=None,
-        sid=None,
-        jti=None,
-        org_id=None,
-        org_name=None,
-        user_first_name=None,
-        user_last_name=None,
-        user_email=None,
-        role=None,
-        permissions=None,
-    )
-    token = set_principal(principal)
-    try:
-        assert require_principal() == principal
-    finally:
-        clear_principal(token)
-
-    # Verify principal is cleared
-    with pytest.raises(RuntimeError, match="No authenticated principal in context"):
-        require_principal()