coming together

tests/test_admin_api.py

@@ -0,0 +1,101 @@
+import os
+import uuid
+
+import pytest
+from fastapi.testclient import TestClient
+
+os.environ.setdefault("SECRET_KEY", "x" * 32)
+os.environ.setdefault("DATABASE_URL", "sqlite:////tmp/delphi_test.sqlite")
+
+from app.main import app  # noqa: E402
+from app.auth.security import get_current_user, get_admin_user  # noqa: E402
+from tests.helpers import assert_http_error  # noqa: E402
+
+
+class _User:
+    def __init__(self, is_admin: bool):
+        self.id = 1 if is_admin else 2
+        self.username = "admin" if is_admin else "user"
+        self.is_admin = is_admin
+        self.is_active = True
+        self.first_name = "Test"
+        self.last_name = "User"
+
+
+@pytest.fixture()
+def client_admin():
+    app.dependency_overrides[get_current_user] = lambda: _User(True)
+    app.dependency_overrides[get_admin_user] = lambda: _User(True)
+    try:
+        yield TestClient(app)
+    finally:
+        app.dependency_overrides.pop(get_current_user, None)
+        app.dependency_overrides.pop(get_admin_user, None)
+
+
+@pytest.fixture()
+def client_user():
+    app.dependency_overrides[get_current_user] = lambda: _User(False)
+    try:
+        yield TestClient(app)
+    finally:
+        app.dependency_overrides.pop(get_current_user, None)
+
+
+def test_admin_only_access(client_user: TestClient):
+    # Drop auth to simulate unauthenticated
+    app.dependency_overrides.pop(get_current_user, None)
+    c = TestClient(app)
+    resp = c.get("/api/admin/health")
+    assert_http_error(resp, 403, "Not authenticated")
+
+    # Authenticated non-admin should get 403 from admin endpoints
+    app.dependency_overrides[get_current_user] = lambda: _User(False)
+    resp = c.get("/api/admin/users")
+    assert_http_error(resp, 403, "Not enough permissions")
+
+
+def test_lookup_crud_file_types_and_statuses_and_audit(client_admin: TestClient):
+    # List lookup tables
+    resp = client_admin.get("/api/admin/lookups/tables")
+    assert resp.status_code == 200
+    assert "tables" in resp.json()
+
+    # Create a system setting (as a simple admin CRUD target)
+    skey = f"test_setting_{uuid.uuid4().hex[:6]}"
+    resp = client_admin.post(
+        "/api/admin/settings",
+        json={
+            "setting_key": skey,
+            "setting_value": "on",
+            "description": "pytest",
+            "setting_type": "STRING",
+        },
+    )
+    assert resp.status_code == 200
+    assert resp.json()["setting"]["setting_key"] == skey
+
+    # Update the setting
+    resp = client_admin.put(
+        f"/api/admin/settings/{skey}",
+        json={"setting_value": "off", "description": "changed"},
+    )
+    assert resp.status_code == 200
+    assert resp.json()["setting"]["setting_value"] == "off"
+
+    # Read the setting
+    resp = client_admin.get(f"/api/admin/settings/{skey}")
+    assert resp.status_code == 200
+    assert resp.json()["setting_key"] == skey
+
+    # Delete the setting
+    resp = client_admin.delete(f"/api/admin/settings/{skey}")
+    assert resp.status_code == 200
+
+    # Verify audit logs endpoint is accessible and returns structure
+    resp = client_admin.get("/api/admin/audit/logs")
+    assert resp.status_code == 200
+    body = resp.json()
+    assert set(body.keys()) == {"total", "logs"}
+
+