SoulSync/tests/test_credentials_endpoints.py

"""Phase 1: service-credential-set admin endpoints (real app, real HTTP).

These import the actual web_server app and drive the endpoints through a Flask
test client — the only way to verify the @admin_only gating and the request
validation wrappers for real. Secrets must never come back in any response.

Heavy (imports web_server once), so isolated in its own module. The default
session is profile 1 (admin); a non-admin session is simulated to prove the
gate blocks writes.
"""

from __future__ import annotations

import os
import tempfile

import pytest

# Redirect the DB before importing web_server so it never touches a real library.
_TMP = tempfile.mkdtemp(prefix='soulsync-testdb-cred-')
os.environ['DATABASE_PATH'] = os.path.join(_TMP, 'creds_ep.db')
os.environ['SOULSYNC_TEST_DB_READY'] = '1'

web_server = pytest.importorskip('web_server')


@pytest.fixture
def client():
    return web_server.app.test_client()


@pytest.fixture
def nonadmin_profile():
    """Create a real non-admin profile and yield its id."""
    db = web_server.get_database()
    pid = db.create_profile(name=f'tester_{os.urandom(3).hex()}', avatar_color='#fff')
    yield pid


# ── admin happy paths ────────────────────────────────────────────────────────

def test_admin_create_list_update_delete_roundtrip(client):
    r = client.post('/api/credentials', json={
        'service': 'plex', 'label': 'Living Room',
        'payload': {'base_url': 'http://plex:32400', 'token': 'sekret'}})
    assert r.status_code == 200 and r.get_json()['success']
    cid = r.get_json()['id']

    # list shows it, and NEVER leaks the payload/secret
    body = client.get('/api/credentials').get_json()
    assert any(c['label'] == 'Living Room' for c in body['services']['plex'])
    assert 'sekret' not in str(body) and 'payload' not in str(body)

    # update label
    assert client.put(f'/api/credentials/{cid}', json={'label': 'Den'}).get_json()['success']
    body = client.get('/api/credentials').get_json()
    assert any(c['label'] == 'Den' for c in body['services']['plex'])

    # delete
    assert client.delete(f'/api/credentials/{cid}').get_json()['success']
    body = client.get('/api/credentials').get_json()
    assert not any(c['id'] == cid for c in body['services']['plex'])


# ── validation ───────────────────────────────────────────────────────────────

def test_create_rejects_missing_fields(client):
    r = client.post('/api/credentials', json={
        'service': 'plex', 'label': 'X', 'payload': {'base_url': 'http://p'}})
    assert r.status_code == 400 and 'token' in r.get_json()['error']


def test_create_rejects_unsupported_service(client):
    r = client.post('/api/credentials', json={'service': 'itunes', 'label': 'X', 'payload': {}})
    assert r.status_code == 400


def test_create_rejects_blank_label(client):
    r = client.post('/api/credentials', json={
        'service': 'deezer', 'label': '  ', 'payload': {'arl': 'x'}})
    assert r.status_code == 400


def test_duplicate_label_conflict(client):
    p = {'service': 'qobuz', 'label': 'Dup', 'payload': {'user_auth_token': 't'}}
    assert client.post('/api/credentials', json=p).status_code == 200
    assert client.post('/api/credentials', json=p).status_code == 409


def test_update_missing_set_404(client):
    assert client.put('/api/credentials/999999', json={'label': 'x'}).status_code == 404


def test_delete_missing_set_404(client):
    assert client.delete('/api/credentials/999999').status_code == 404


# ── the security gate: non-admin cannot manage credential sets ───────────────

def test_nonadmin_blocked_from_all_credential_writes(client, nonadmin_profile):
    with client.session_transaction() as sess:
        sess['profile_id'] = nonadmin_profile
    assert client.get('/api/credentials').status_code == 403
    assert client.post('/api/credentials', json={
        'service': 'plex', 'label': 'Sneaky',
        'payload': {'base_url': 'http://p', 'token': 't'}}).status_code == 403
    assert client.put('/api/credentials/1', json={'label': 'x'}).status_code == 403
    assert client.delete('/api/credentials/1').status_code == 403


# ── Phase 2: per-profile selection (any profile selects among existing sets) ──

def test_profile_selects_among_existing_sets(client, nonadmin_profile):
    # Admin creates two Spotify sets.
    a = client.post('/api/credentials', json={'service': 'spotify', 'label': 'Acct A',
                    'payload': {'client_id': 'a', 'client_secret': 's'}}).get_json()['id']
    b = client.post('/api/credentials', json={'service': 'spotify', 'label': 'Acct B',
                    'payload': {'client_id': 'b', 'client_secret': 's'}}).get_json()['id']

    # Switch to a non-admin session — it can still READ options + SELECT.
    with client.session_transaction() as sess:
        sess['profile_id'] = nonadmin_profile

    svc = client.get('/api/profiles/me/services').get_json()['services']['spotify']
    assert {o['id'] for o in svc['options']} == {a, b}
    assert svc['selected_id'] is None
    assert 'secret' not in str(svc) and 's' not in [o.get('client_secret') for o in svc['options'] if 'client_secret' in o]

    assert client.post('/api/profiles/me/services/select',
                       json={'service': 'spotify', 'credential_id': b}).get_json()['success']
    svc = client.get('/api/profiles/me/services').get_json()['services']['spotify']
    assert svc['selected_id'] == b

    # Clear → back to None
    assert client.post('/api/profiles/me/services/select',
                       json={'service': 'spotify', 'credential_id': None}).get_json()['success']
    assert client.get('/api/profiles/me/services').get_json()['services']['spotify']['selected_id'] is None


def test_select_rejects_wrong_service_or_missing_set(client):
    sp = client.post('/api/credentials', json={'service': 'spotify', 'label': 'X',
                     'payload': {'client_id': 'a', 'client_secret': 's'}}).get_json()['id']
    # Selecting a spotify set under 'tidal' must be rejected.
    assert client.post('/api/profiles/me/services/select',
                       json={'service': 'tidal', 'credential_id': sp}).status_code == 400
    # Nonexistent id rejected.
    assert client.post('/api/profiles/me/services/select',
                       json={'service': 'spotify', 'credential_id': 999999}).status_code == 400
    # Unsupported service rejected.
    assert client.post('/api/profiles/me/services/select',
                       json={'service': 'itunes', 'credential_id': None}).status_code == 400


# ── Quick-switch: active source/server/download (admin=global, non-admin read-only) ──

def test_active_sources_read_shape(client):
    a = client.get('/api/profiles/me/active-sources').get_json()
    assert a['success'] and a['editable'] is True   # default session = admin
    assert a['metadata']['active'] and len(a['metadata']['options']) == 6
    assert len(a['server']['options']) == 4
    assert 'mode' in a['download'] and isinstance(a['download']['hybrid_order'], list)


def test_admin_sets_global_active_sources(client):
    assert client.post('/api/profiles/active-sources', json={'metadata_source': 'itunes'}).get_json()['success']
    assert client.get('/api/profiles/me/active-sources').get_json()['metadata']['active'] == 'itunes'
    # hybrid + order round-trips
    client.post('/api/profiles/active-sources', json={'download_mode': 'hybrid', 'hybrid_order': ['hifi', 'soulseek']})
    dl = client.get('/api/profiles/me/active-sources').get_json()['download']
    assert dl['mode'] == 'hybrid' and dl['hybrid_order'] == ['hifi', 'soulseek']


def test_active_sources_rejects_bad_values(client):
    assert client.post('/api/profiles/active-sources', json={'metadata_source': 'nope'}).status_code == 400
    assert client.post('/api/profiles/active-sources', json={'media_server': 'nope'}).status_code == 400
    assert client.post('/api/profiles/active-sources', json={'download_mode': 'nope'}).status_code == 400


def test_active_sources_nonadmin_readonly_and_blocked(client, nonadmin_profile):
    with client.session_transaction() as sess:
        sess['profile_id'] = nonadmin_profile
    assert client.get('/api/profiles/me/active-sources').get_json()['editable'] is False
    assert client.post('/api/profiles/active-sources', json={'metadata_source': 'deezer'}).status_code == 403


def test_spotify_free_composite_roundtrips_like_settings(client):
    # "Spotify (no auth)" is stored as fallback_source=spotify + spotify_free=true
    # (the same composite the Settings page uses) — the modal must report it as
    # active='spotify_free', not raw 'spotify'.
    from config.settings import config_manager
    assert client.post('/api/profiles/active-sources', json={'metadata_source': 'spotify_free'}).get_json()['success']
    assert config_manager.get('metadata.fallback_source') == 'spotify'
    assert config_manager.get('metadata.spotify_free') is True
    assert client.get('/api/profiles/me/active-sources').get_json()['metadata']['active'] == 'spotify_free'
    # Switching to plain spotify clears the flag.
    client.post('/api/profiles/active-sources', json={'metadata_source': 'spotify'})
    assert config_manager.get('metadata.spotify_free') is False
    assert client.get('/api/profiles/me/active-sources').get_json()['metadata']['active'] == 'spotify'


# ── My Accounts: per-profile connection status (Spotify) ──────────────────────

def test_connections_status_unconnected(client, nonadmin_profile):
    with client.session_transaction() as sess:
        sess['profile_id'] = nonadmin_profile
    body = client.get('/api/profiles/me/connections').get_json()
    assert body['success'] and body['is_admin'] is False
    assert body['connections']['spotify']['connected'] is False


def test_admin_connections_marks_admin(client):
    body = client.get('/api/profiles/me/connections').get_json()
    assert body['is_admin'] is True


def test_disconnect_admin_spotify_rejected(client):
    # Admin's Spotify is the app account (Settings) — not disconnectable here.
    assert client.post('/api/profiles/me/connections/spotify/disconnect').status_code == 400


# ── Tidal: per-profile connect status + the token-save-redirect safety ────────

def test_tidal_connection_status_and_disconnect(client, nonadmin_profile):
    db = web_server.get_database()
    with client.session_transaction() as sess:
        sess['profile_id'] = nonadmin_profile
    # unconnected
    assert client.get('/api/profiles/me/connections').get_json()['connections']['tidal']['connected'] is False
    # seed tokens → connected
    db.set_profile_tidal_tokens(nonadmin_profile, 'acc-tok', 'ref-tok')
    assert client.get('/api/profiles/me/connections').get_json()['connections']['tidal']['connected'] is True
    # disconnect → cleared
    assert client.post('/api/profiles/me/connections/tidal/disconnect').get_json()['success']
    assert db.get_profile_tidal(nonadmin_profile) == {}
    assert client.get('/api/profiles/me/connections').get_json()['connections']['tidal']['connected'] is False


def test_disconnect_unsupported_service_400(client, nonadmin_profile):
    with client.session_transaction() as sess:
        sess['profile_id'] = nonadmin_profile
    assert client.post('/api/profiles/me/connections/deezer/disconnect').status_code == 400


def test_tidal_token_refresh_redirects_to_profile_not_global(client, nonadmin_profile):
    # THE safety guarantee: a per-profile Tidal client's token save must write to
    # the PROFILE, never the global tidal_tokens slot the app runs on.
    from config.settings import config_manager
    db = web_server.get_database()
    config_manager.set('tidal_tokens', {'access_token': 'ADMIN-ACC', 'refresh_token': 'ADMIN-REF'})
    db.set_profile_tidal_tokens(nonadmin_profile, 'p-acc', 'p-ref')
    web_server.clear_profile_tidal_client(nonadmin_profile)

    c = web_server.get_tidal_client_for_profile(nonadmin_profile)
    assert c is not web_server.tidal_client            # a dedicated per-profile client
    # simulate a refresh writing new tokens
    c.access_token = 'p-acc-NEW'
    c.refresh_token = 'p-ref-NEW'
    c._save_tokens()

    assert db.get_profile_tidal(nonadmin_profile) == {'access_token': 'p-acc-NEW', 'refresh_token': 'p-ref-NEW'}
    # global slot untouched
    assert config_manager.get('tidal_tokens') == {'access_token': 'ADMIN-ACC', 'refresh_token': 'ADMIN-REF'}


def test_tidal_admin_and_unconnected_use_global_client(client):
    assert web_server.get_tidal_client_for_profile(1) is web_server.tidal_client
    assert web_server.get_tidal_client_for_profile(None) is web_server.tidal_client
    assert web_server.get_tidal_client_for_profile(987654) is web_server.tidal_client


# ── ListenBrainz: per-profile connect status + disconnect (token-paste) ───────

def test_listenbrainz_connection_status_and_disconnect(client, nonadmin_profile):
    db = web_server.get_database()
    with client.session_transaction() as sess:
        sess['profile_id'] = nonadmin_profile
    # unconnected
    conns = client.get('/api/profiles/me/connections').get_json()['connections']
    assert 'listenbrainz' in conns and conns['listenbrainz']['connected'] is False
    # seed a token directly (POST validates against the live API; this tests the
    # status + disconnect wiring without a network call)
    db.set_profile_listenbrainz(nonadmin_profile, 'lb-token', '', 'lbuser')
    conns = client.get('/api/profiles/me/connections').get_json()['connections']
    assert conns['listenbrainz']['connected'] is True
    assert conns['listenbrainz']['account'] == 'lbuser'
    # disconnect via the generic endpoint
    assert client.post('/api/profiles/me/connections/listenbrainz/disconnect').get_json()['success']
    assert client.get('/api/profiles/me/connections').get_json()['connections']['listenbrainz']['connected'] is False


# ── Background profile context drives get_current_profile_id() (part 1) ────────

def test_background_profile_override_when_no_request():
    # Outside a web request, get_current_profile_id() honours the engine's
    # background override; admin (default) and cleared state stay profile 1.
    from core.profile_context import set_background_profile, reset_background_profile
    assert web_server.get_current_profile_id() == 1     # no override → admin
    tok = set_background_profile(7)
    try:
        assert web_server.get_current_profile_id() == 7  # acts as the owner
    finally:
        reset_background_profile(tok)
    assert web_server.get_current_profile_id() == 1     # reset → admin


def test_real_session_still_wins_over_background(client, nonadmin_profile):
    # A genuine request's session profile must override any background context.
    from core.profile_context import set_background_profile, reset_background_profile
    with client.session_transaction() as sess:
        sess['profile_id'] = nonadmin_profile
    tok = set_background_profile(999)  # a bogus background override
    try:
        # the request resolves to the SESSION profile, not the background one
        body = client.get('/api/profiles/me/connections').get_json()
        assert body['is_admin'] is False  # it's the non-admin session, not 999/admin
    finally:
        reset_background_profile(tok)


# ── Part 2: the playlist SOURCE adapters read per-profile (sync handlers) ──────
# bootstrap now passes get_*_client_for_profile as the source adapters'
# client_getter; these prove that composition resolves per the current profile
# context and stays on the global client for admin (the existing pipelines).

def test_spotify_source_adapter_resolves_per_profile(monkeypatch):
    from core.playlists.sources.spotify import SpotifyPlaylistSource
    from core.metadata import registry
    # The real global Spotify client isn't a stable singleton across the suite,
    # so pin it to a sentinel for an order-independent identity check.
    sentinel = object()
    monkeypatch.setattr(registry, 'get_spotify_client', lambda *a, **k: sentinel)
    registry.register_profile_spotify_credentials_provider(lambda pid: None)
    src = SpotifyPlaylistSource(web_server.get_spotify_client_for_profile)
    # admin / no override -> the global resolver (the sentinel)
    assert src._client() is sentinel
    # unconnected background owner override -> safe global fallback, re-resolved per call
    from core.profile_context import set_background_profile, reset_background_profile
    tok = set_background_profile(424242)
    try:
        assert src._client() is sentinel
    finally:
        reset_background_profile(tok)


def test_tidal_source_adapter_resolves_per_profile():
    from core.playlists.sources.tidal import TidalPlaylistSource
    src = TidalPlaylistSource(web_server.get_tidal_client_for_profile)
    assert src._client() is web_server.tidal_client   # admin -> global, unchanged


def test_real_app_not_in_reverse_proxy_mode_by_default():
    # Direct/LAN installs (no security.trust_reverse_proxy set) must not get
    # ProxyFix or a forced-Secure cookie — proves zero impact for normal users.
    from werkzeug.middleware.proxy_fix import ProxyFix
    assert not isinstance(web_server.app.wsgi_app, ProxyFix)
    assert web_server.app.config.get('SESSION_COOKIE_SECURE') in (None, False)
    assert web_server.app.config.get('SESSION_COOKIE_SAMESITE') is None


def test_verify_launch_pin_rate_limited_after_flood(client):
    # A flood of WRONG PINs from one IP gets 429; cleaned up so neither the lock
    # nor the temp PIN leaks to other tests (the limiter is a process singleton).
    from werkzeug.security import generate_password_hash
    db = web_server.get_database()
    with db._get_connection() as conn:   # admin needs a PIN so wrong ones actually fail
        conn.execute("UPDATE profiles SET pin_hash = ? WHERE id = 1",
                     (generate_password_hash('1234', method='pbkdf2:sha256'),))
        conn.commit()
    web_server._launch_pin_limiter.record_success('127.0.0.1')  # clean slate
    try:
        for _ in range(10):
            assert client.post('/api/profiles/verify-launch-pin',
                               json={'pin': 'definitely-wrong'}).status_code == 401
        r = client.post('/api/profiles/verify-launch-pin', json={'pin': 'definitely-wrong'})
        assert r.status_code == 429
        assert 'Retry-After' in r.headers
    finally:
        web_server._launch_pin_limiter.record_success('127.0.0.1')
        with db._get_connection() as conn:
            conn.execute("UPDATE profiles SET pin_hash = NULL WHERE id = 1")
            conn.commit()


def test_auth_proxy_header_satisfies_launch_lock(client, monkeypatch):
    # Lock on + Remote-User trusted → a request with the header passes the gate.
    real_get = web_server.config_manager.get
    def fake_get(key, default=None):
        if key == 'security.require_pin_on_launch':
            return True
        if key == 'security.auth_proxy_header':
            return 'Remote-User'
        return real_get(key, default)
    monkeypatch.setattr(web_server.config_manager, 'get', fake_get)

    assert client.get('/api/profiles/me/connections').status_code == 401            # no header → locked
    assert client.get('/api/profiles/me/connections',
                      headers={'Remote-User': 'alice'}).status_code == 200          # trusted → in


def test_spoofed_auth_proxy_header_ignored_when_feature_off(client, monkeypatch):
    # THE safety pin: feature OFF (default) → a client-sent Remote-User must NOT
    # bypass the lock. Only an operator who explicitly configured it gets the trust.
    real_get = web_server.config_manager.get
    def fake_get(key, default=None):
        if key == 'security.require_pin_on_launch':
            return True
        if key == 'security.auth_proxy_header':
            return ''   # OFF (default)
        return real_get(key, default)
    monkeypatch.setattr(web_server.config_manager, 'get', fake_get)

    assert client.get('/api/profiles/me/connections',
                      headers={'Remote-User': 'admin'}).status_code == 401          # spoof ignored → still locked