test(05-06): promote 11 integration test stubs to real passing tests

- test_connect_google_drive: OAuth initiate redirects to Google (Redis mocked)
- test_oauth_callback_valid_state: valid state + mocked Flow.fetch_token → 302 (CLOUD-01)
- test_oauth_callback_invalid_state: invalid state → error redirect (CLOUD-01)
- test_webdav_connect_validates: localhost URL → 422 (D-17 SSRF)
- test_credentials_enc_not_exposed: credentials_enc absent from response (CLOUD-02, SEC-08)
- test_cloud_upload_no_presigned: cloud upload returns no upload_url (CLOUD-03)
- test_connection_status_display: ACTIVE status in list response (CLOUD-04)
- test_invalid_grant_sets_requires_reauth: 503 on invalid_grant (CLOUD-05)
- test_disconnect_deletes_credentials: DELETE 204 + DB row gone (CLOUD-06)
- test_admin_cannot_see_credentials: admin gets 403 (SEC-08 IDOR)
- test_cross_user_idor: wrong-owner delete → 404 (SEC-08 IDOR)

Also fix CloudConnectionOut.id field validator to accept UUID objects from ORM
(Rule 1: Bug - UUID id caused pydantic validation error on list_connections)

All 20 cloud tests PASSED; full suite: 282 passed, 1 pre-existing failure
curo1305
2026-05-29 07:51:02 +02:00
parent 096bb48116
commit d84e38acca
2 changed files with 22 additions and 10 deletions
@@ -146,6 +146,9 @@ class CloudConnectionOut(BaseModel):
Any admin or user endpoint returning CloudConnection ORM objects MUST use
this model to prevent accidental exposure of encrypted credentials.
Safe-by-default: whitelist of allowed fields (not blacklist).
Note: id is declared as str and coerced via validator so UUID ORM values
serialize correctly without json_encoders (Rule 1 fix — T-05-06 test suite).
"""
id: str
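Review bot: The docstring note added here justifies `id: str` only by pointing at "Rule 1 fix" and "T-05-06", labels that a reader of this schema cannot resolve from the code. State the reason directly, for example that the ORM returns `uuid.UUID` for `id` and the response contract is a string. Consider also whether declaring the field as `UUID` would avoid the validator: pydantic v2 accepts UUID objects for a `UUID` field and emits them as strings in JSON output, so the `str` annotation plus coercion may not be needed, and the stricter type would keep non-UUID values out of this whitelist model.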
@@ -155,6 +158,12 @@ class CloudConnectionOut(BaseModel):
connected_at: datetime
model_config = {"from_attributes": True}
@field_validator("id", mode="before")
@classmethod
def coerce_id_to_str(cls, v) -> str:
"""Coerce UUID objects to str so the model validates from ORM instances."""
return str(v)
# ── Endpoints ─────────────────────────────────────────────────────────────────
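Review bot: `coerce_id_to_str` runs in `mode="before"` and returns `str(v)` for every input, so a `None`, an integer or any other object is turned into a string and passes validation (a missing id becomes the literal "None") instead of raising. Restrict the coercion to the case the commit message describes, for example `if isinstance(v, UUID): return str(v)` followed by `return v`, so the `str` field still rejects anything else. The `v` parameter is also untyped; annotating it (such as `v: object`) and adding a test that a non-UUID, non-string id fails validation would keep this response model strict.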