phil/Gondulf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(phase-4a): complete Phase 3 implementation and gap analysis

Browse Source 
Merges Phase 4a work including:

Implementation:
- Metadata discovery endpoint (/api/.well-known/oauth-authorization-server)
- h-app microformat parser service
- Enhanced authorization endpoint with client info display
- Configuration management system
- Dependency injection framework

Documentation:
- Comprehensive gap analysis for v1.0.0 compliance
- Phase 4a clarifications on development approach
- Phase 4-5 critical components breakdown

Testing:
- Unit tests for h-app parser (308 lines, comprehensive coverage)
- Unit tests for metadata endpoint (134 lines)
- Unit tests for configuration system (18 lines)
- Integration test updates

All tests passing with high coverage. Ready for Phase 4b security hardening.
This commit is contained in:
Phil Skentelbery
2025-11-20 17:16:11 -07:00
parent 5888e45b8c
commit 115e733604
18 changed files with 5815 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
tests/integration/test_health.py
View File

@@ -23,6 +23,7 @@ class TestHealthEndpoint:
# Set required environment variables
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.setenv("GONDULF_DATABASE_URL", f"sqlite:///{db_path}")
monkeypatch.setenv("GONDULF_DEBUG", "true")
@@ -79,6 +80,7 @@ class TestHealthCheckUnhealthy:
"""Test health check returns 503 when database inaccessible."""
# Set up with non-existent database path
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.setenv(
"GONDULF_DATABASE_URL", "sqlite:////nonexistent/path/db.db"
)

18
tests/unit/test_config.py
View File

@@ -16,6 +16,7 @@ class TestConfigLoad:
def test_load_with_valid_secret_key(self, monkeypatch):
"""Test configuration loads successfully with valid SECRET_KEY."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
Config.load()
assert Config.SECRET_KEY == "a" * 32
@@ -28,12 +29,14 @@ class TestConfigLoad:
def test_load_short_secret_key_raises_error(self, monkeypatch):
"""Test that SECRET_KEY shorter than 32 chars raises error."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "short")
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
with pytest.raises(ConfigurationError, match="at least 32 characters"):
Config.load()
def test_load_database_url_default(self, monkeypatch):
"""Test DATABASE_URL defaults to sqlite:///./data/gondulf.db."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.delenv("GONDULF_DATABASE_URL", raising=False)
Config.load()
assert Config.DATABASE_URL == "sqlite:///./data/gondulf.db"
@@ -41,6 +44,7 @@ class TestConfigLoad:
def test_load_database_url_custom(self, monkeypatch):
"""Test DATABASE_URL can be customized."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.setenv("GONDULF_DATABASE_URL", "sqlite:////tmp/test.db")
Config.load()
assert Config.DATABASE_URL == "sqlite:////tmp/test.db"
@@ -48,6 +52,7 @@ class TestConfigLoad:
def test_load_smtp_configuration_defaults(self, monkeypatch):
"""Test SMTP configuration uses sensible defaults."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
for key in [
"GONDULF_SMTP_HOST",
"GONDULF_SMTP_PORT",
@@ -70,6 +75,7 @@ class TestConfigLoad:
def test_load_smtp_configuration_custom(self, monkeypatch):
"""Test SMTP configuration can be customized."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.setenv("GONDULF_SMTP_HOST", "smtp.gmail.com")
monkeypatch.setenv("GONDULF_SMTP_PORT", "465")
monkeypatch.setenv("GONDULF_SMTP_USERNAME", "user@gmail.com")
@@ -89,6 +95,7 @@ class TestConfigLoad:
def test_load_token_expiry_default(self, monkeypatch):
"""Test TOKEN_EXPIRY defaults to 3600 seconds."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.delenv("GONDULF_TOKEN_EXPIRY", raising=False)
Config.load()
assert Config.TOKEN_EXPIRY == 3600
@@ -96,6 +103,7 @@ class TestConfigLoad:
def test_load_code_expiry_default(self, monkeypatch):
"""Test CODE_EXPIRY defaults to 600 seconds."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.delenv("GONDULF_CODE_EXPIRY", raising=False)
Config.load()
assert Config.CODE_EXPIRY == 600
@@ -103,6 +111,7 @@ class TestConfigLoad:
def test_load_token_expiry_custom(self, monkeypatch):
"""Test TOKEN_EXPIRY can be customized."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.setenv("GONDULF_TOKEN_EXPIRY", "7200")
Config.load()
assert Config.TOKEN_EXPIRY == 7200
@@ -110,6 +119,7 @@ class TestConfigLoad:
def test_load_log_level_default_production(self, monkeypatch):
"""Test LOG_LEVEL defaults to INFO in production mode."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.delenv("GONDULF_LOG_LEVEL", raising=False)
monkeypatch.delenv("GONDULF_DEBUG", raising=False)
Config.load()
@@ -119,6 +129,7 @@ class TestConfigLoad:
def test_load_log_level_default_debug(self, monkeypatch):
"""Test LOG_LEVEL defaults to DEBUG when DEBUG=true."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.delenv("GONDULF_LOG_LEVEL", raising=False)
monkeypatch.setenv("GONDULF_DEBUG", "true")
Config.load()
@@ -128,6 +139,7 @@ class TestConfigLoad:
def test_load_log_level_custom(self, monkeypatch):
"""Test LOG_LEVEL can be customized."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.setenv("GONDULF_LOG_LEVEL", "WARNING")
Config.load()
assert Config.LOG_LEVEL == "WARNING"
@@ -135,6 +147,7 @@ class TestConfigLoad:
def test_load_invalid_log_level_raises_error(self, monkeypatch):
"""Test invalid LOG_LEVEL raises ConfigurationError."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.setenv("GONDULF_LOG_LEVEL", "INVALID")
with pytest.raises(ConfigurationError, match="must be one of"):
Config.load()
@@ -146,12 +159,14 @@ class TestConfigValidate:
def test_validate_valid_configuration(self, monkeypatch):
"""Test validation passes with valid configuration."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
Config.load()
Config.validate() # Should not raise
def test_validate_smtp_port_too_low(self, monkeypatch):
"""Test validation fails when SMTP_PORT < 1."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
Config.load()
Config.SMTP_PORT = 0
with pytest.raises(ConfigurationError, match="must be between 1 and 65535"):
@@ -160,6 +175,7 @@ class TestConfigValidate:
def test_validate_smtp_port_too_high(self, monkeypatch):
"""Test validation fails when SMTP_PORT > 65535."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
Config.load()
Config.SMTP_PORT = 70000
with pytest.raises(ConfigurationError, match="must be between 1 and 65535"):
@@ -168,6 +184,7 @@ class TestConfigValidate:
def test_validate_token_expiry_negative(self, monkeypatch):
"""Test validation fails when TOKEN_EXPIRY < 300."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
Config.load()
Config.TOKEN_EXPIRY = -1
with pytest.raises(ConfigurationError, match="must be at least 300 seconds"):
@@ -176,6 +193,7 @@ class TestConfigValidate:
def test_validate_code_expiry_zero(self, monkeypatch):
"""Test validation fails when CODE_EXPIRY <= 0."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
Config.load()
Config.CODE_EXPIRY = 0
with pytest.raises(ConfigurationError, match="must be positive"):

308
tests/unit/test_happ_parser.py Normal file
View File

@@ -0,0 +1,308 @@
"""Tests for h-app microformat parser service."""
import pytest
from datetime import datetime, timedelta
from unittest.mock import Mock, AsyncMock
from gondulf.services.happ_parser import HAppParser, ClientMetadata
from gondulf.services.html_fetcher import HTMLFetcherService
class TestClientMetadata:
"""Tests for ClientMetadata dataclass."""
def test_client_metadata_creation(self):
"""Test creating ClientMetadata with all fields."""
metadata = ClientMetadata(
name="Example App",
logo="https://example.com/logo.png",
url="https://example.com"
)
assert metadata.name == "Example App"
assert metadata.logo == "https://example.com/logo.png"
assert metadata.url == "https://example.com"
def test_client_metadata_optional_fields(self):
"""Test ClientMetadata with optional fields as None."""
metadata = ClientMetadata(name="Example App")
assert metadata.name == "Example App"
assert metadata.logo is None
assert metadata.url is None
class TestHAppParser:
"""Tests for HAppParser service."""
@pytest.fixture
def mock_html_fetcher(self):
"""Create mock HTML fetcher."""
return Mock(spec=HTMLFetcherService)
@pytest.fixture
def parser(self, mock_html_fetcher):
"""Create HAppParser instance with mock fetcher."""
return HAppParser(html_fetcher=mock_html_fetcher)
@pytest.mark.asyncio
async def test_parse_extracts_app_name(self, parser, mock_html_fetcher):
"""Test parsing extracts application name from h-app."""
html = """
<html>
<body>
<div class="h-app">
<a href="/" class="u-url p-name">My IndieAuth Client</a>
</div>
</body>
</html>
"""
mock_html_fetcher.fetch.return_value = html
metadata = await parser.fetch_and_parse("https://example.com")
assert metadata.name == "My IndieAuth Client"
@pytest.mark.asyncio
async def test_parse_extracts_logo_url(self, parser, mock_html_fetcher):
"""Test parsing extracts logo URL from h-app."""
html = """
<html>
<body>
<div class="h-app">
<img src="/icon.png" class="u-logo" alt="App Icon">
<a href="/" class="u-url p-name">My App</a>
</div>
</body>
</html>
"""
mock_html_fetcher.fetch.return_value = html
metadata = await parser.fetch_and_parse("https://example.com")
# mf2py resolves relative URLs to absolute URLs
assert metadata.logo == "https://example.com/icon.png"
@pytest.mark.asyncio
async def test_parse_extracts_app_url(self, parser, mock_html_fetcher):
"""Test parsing extracts application URL from h-app."""
html = """
<html>
<body>
<div class="h-app">
<a href="https://example.com/app" class="u-url p-name">My App</a>
</div>
</body>
</html>
"""
mock_html_fetcher.fetch.return_value = html
metadata = await parser.fetch_and_parse("https://example.com")
assert metadata.url == "https://example.com/app"
@pytest.mark.asyncio
async def test_parse_handles_missing_happ(self, parser, mock_html_fetcher):
"""Test parsing falls back to domain name when no h-app found."""
html = """
<html>
<body>
<h1>My Website</h1>
<p>No microformat data here</p>
</body>
</html>
"""
mock_html_fetcher.fetch.return_value = html
metadata = await parser.fetch_and_parse("https://example.com")
assert metadata.name == "example.com"
assert metadata.logo is None
assert metadata.url is None
@pytest.mark.asyncio
async def test_parse_handles_partial_metadata(self, parser, mock_html_fetcher):
"""Test parsing handles h-app with only some properties."""
html = """
<html>
<body>
<div class="h-app">
<span class="p-name">My App</span>
</div>
</body>
</html>
"""
mock_html_fetcher.fetch.return_value = html
metadata = await parser.fetch_and_parse("https://example.com")
assert metadata.name == "My App"
assert metadata.logo is None
# Should default to client_id
assert metadata.url == "https://example.com"
@pytest.mark.asyncio
async def test_parse_handles_malformed_html(self, parser, mock_html_fetcher):
"""Test parsing handles malformed HTML gracefully."""
html = """
<html>
<body>
<div class="h-app">
<span class="p-name">Incomplete
"""
mock_html_fetcher.fetch.return_value = html
metadata = await parser.fetch_and_parse("https://example.com")
# Should still extract something or fall back to domain
assert metadata.name is not None
@pytest.mark.asyncio
async def test_fetch_failure_returns_domain_fallback(self, parser, mock_html_fetcher):
"""Test that fetch failure returns domain name fallback."""
mock_html_fetcher.fetch.side_effect = Exception("Network error")
metadata = await parser.fetch_and_parse("https://example.com")
assert metadata.name == "example.com"
assert metadata.logo is None
assert metadata.url is None
@pytest.mark.asyncio
async def test_fetch_none_returns_domain_fallback(self, parser, mock_html_fetcher):
"""Test that fetch returning None uses domain fallback."""
mock_html_fetcher.fetch.return_value = None
metadata = await parser.fetch_and_parse("https://example.com")
assert metadata.name == "example.com"
@pytest.mark.asyncio
async def test_caching_reduces_fetches(self, parser, mock_html_fetcher):
"""Test that caching reduces number of HTTP fetches."""
html = """
<html>
<body>
<div class="h-app">
<span class="p-name">Cached App</span>
</div>
</body>
</html>
"""
mock_html_fetcher.fetch.return_value = html
# First fetch
metadata1 = await parser.fetch_and_parse("https://example.com")
# Second fetch (should use cache)
metadata2 = await parser.fetch_and_parse("https://example.com")
assert metadata1.name == "Cached App"
assert metadata2.name == "Cached App"
# HTML fetcher should only be called once
assert mock_html_fetcher.fetch.call_count == 1
@pytest.mark.asyncio
async def test_cache_expiry_triggers_refetch(self, parser, mock_html_fetcher, monkeypatch):
"""Test that cache expiry triggers a new fetch."""
html = """
<html>
<body>
<div class="h-app">
<span class="p-name">App Name</span>
</div>
</body>
</html>
"""
mock_html_fetcher.fetch.return_value = html
# First fetch
await parser.fetch_and_parse("https://example.com")
# Manually expire the cache by setting TTL to 0
parser.cache_ttl = timedelta(seconds=0)
# Second fetch (cache should be expired)
await parser.fetch_and_parse("https://example.com")
# Should have fetched twice due to cache expiry
assert mock_html_fetcher.fetch.call_count == 2
@pytest.mark.asyncio
async def test_extract_domain_name_basic(self, parser, mock_html_fetcher):
"""Test domain name extraction from basic URL."""
mock_html_fetcher.fetch.return_value = None
metadata = await parser.fetch_and_parse("https://example.com/path")
assert metadata.name == "example.com"
@pytest.mark.asyncio
async def test_extract_domain_name_with_port(self, parser, mock_html_fetcher):
"""Test domain name extraction from URL with port."""
mock_html_fetcher.fetch.return_value = None
metadata = await parser.fetch_and_parse("https://example.com:8080/path")
assert metadata.name == "example.com:8080"
@pytest.mark.asyncio
async def test_extract_domain_name_subdomain(self, parser, mock_html_fetcher):
"""Test domain name extraction from URL with subdomain."""
mock_html_fetcher.fetch.return_value = None
metadata = await parser.fetch_and_parse("https://auth.example.com")
assert metadata.name == "auth.example.com"
@pytest.mark.asyncio
async def test_multiple_happ_uses_first(self, parser, mock_html_fetcher):
"""Test that multiple h-app elements uses the first one."""
html = """
<html>
<body>
<div class="h-app">
<span class="p-name">First App</span>
</div>
<div class="h-app">
<span class="p-name">Second App</span>
</div>
</body>
</html>
"""
mock_html_fetcher.fetch.return_value = html
metadata = await parser.fetch_and_parse("https://example.com")
assert metadata.name == "First App"
@pytest.mark.asyncio
async def test_parse_error_returns_domain_fallback(self, parser, mock_html_fetcher, monkeypatch):
"""Test that parse errors fall back to domain name."""
html = "<html><body>Valid HTML</body></html>"
mock_html_fetcher.fetch.return_value = html
# Mock mf2py.parse to raise exception
def mock_parse_error(*args, **kwargs):
raise Exception("Parse error")
import gondulf.services.happ_parser as happ_module
monkeypatch.setattr(happ_module, "mf2py", Mock(parse=mock_parse_error))
metadata = await parser.fetch_and_parse("https://example.com")
# Should fall back to domain name
assert metadata.name == "example.com"
@pytest.mark.asyncio
async def test_cache_different_clients_separately(self, parser, mock_html_fetcher):
"""Test that different client_ids are cached separately."""
html1 = '<div class="h-app"><span class="p-name">App 1</span></div>'
html2 = '<div class="h-app"><span class="p-name">App 2</span></div>'
mock_html_fetcher.fetch.side_effect = [html1, html2]
metadata1 = await parser.fetch_and_parse("https://example1.com")
metadata2 = await parser.fetch_and_parse("https://example2.com")
assert metadata1.name == "App 1"
assert metadata2.name == "App 2"
assert mock_html_fetcher.fetch.call_count == 2

134
tests/unit/test_metadata.py Normal file
View File

@@ -0,0 +1,134 @@
"""Tests for metadata endpoint."""
import json
import pytest
from fastapi.testclient import TestClient
class TestMetadataEndpoint:
"""Tests for OAuth 2.0 Authorization Server Metadata endpoint."""
@pytest.fixture
def client(self, monkeypatch):
"""Create test client with valid configuration."""
monkeypatch.setenv("GONDULF_SECRET_KEY", "test-secret-key-must-be-at-least-32-chars-long")
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
# Import app AFTER setting env vars
from gondulf.main import app
return TestClient(app)
def test_metadata_endpoint_returns_200(self, client):
"""Test metadata endpoint returns 200 OK."""
response = client.get("/.well-known/oauth-authorization-server")
assert response.status_code == 200
def test_metadata_content_type_json(self, client):
"""Test metadata endpoint returns JSON content type."""
response = client.get("/.well-known/oauth-authorization-server")
assert response.headers["content-type"] == "application/json"
def test_metadata_cache_control_header(self, client):
"""Test metadata endpoint sets Cache-Control header."""
response = client.get("/.well-known/oauth-authorization-server")
assert "cache-control" in response.headers
assert "public" in response.headers["cache-control"]
assert "max-age=86400" in response.headers["cache-control"]
def test_metadata_all_required_fields_present(self, client):
"""Test metadata response contains all required fields."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
required_fields = [
"issuer",
"authorization_endpoint",
"token_endpoint",
"response_types_supported",
"grant_types_supported",
"code_challenge_methods_supported",
"token_endpoint_auth_methods_supported",
"revocation_endpoint_auth_methods_supported",
"scopes_supported"
]
for field in required_fields:
assert field in data, f"Missing required field: {field}"
def test_metadata_issuer_matches_base_url(self, client):
"""Test issuer field matches BASE_URL configuration."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["issuer"] == "https://auth.example.com"
def test_metadata_authorization_endpoint_correct(self, client):
"""Test authorization_endpoint field is correct."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["authorization_endpoint"] == "https://auth.example.com/authorize"
def test_metadata_token_endpoint_correct(self, client):
"""Test token_endpoint field is correct."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["token_endpoint"] == "https://auth.example.com/token"
def test_metadata_response_types_supported(self, client):
"""Test response_types_supported contains only 'code'."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["response_types_supported"] == ["code"]
def test_metadata_grant_types_supported(self, client):
"""Test grant_types_supported contains only 'authorization_code'."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["grant_types_supported"] == ["authorization_code"]
def test_metadata_code_challenge_methods_empty(self, client):
"""Test code_challenge_methods_supported is empty array."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["code_challenge_methods_supported"] == []
def test_metadata_token_endpoint_auth_methods(self, client):
"""Test token_endpoint_auth_methods_supported contains 'none'."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["token_endpoint_auth_methods_supported"] == ["none"]
def test_metadata_revocation_endpoint_auth_methods(self, client):
"""Test revocation_endpoint_auth_methods_supported contains 'none'."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["revocation_endpoint_auth_methods_supported"] == ["none"]
def test_metadata_scopes_supported_empty(self, client):
"""Test scopes_supported is empty array."""
response = client.get("/.well-known/oauth-authorization-server")
data = response.json()
assert data["scopes_supported"] == []
def test_metadata_response_valid_json(self, client):
"""Test metadata response can be parsed as valid JSON."""
response = client.get("/.well-known/oauth-authorization-server")
# Should not raise exception
data = json.loads(response.content)
assert isinstance(data, dict)
def test_metadata_endpoint_no_authentication_required(self, client):
"""Test metadata endpoint is accessible without authentication."""
# No authentication headers
response = client.get("/.well-known/oauth-authorization-server")
assert response.status_code == 200

1
tests/unit/test_token_endpoint.py
View File

@@ -17,6 +17,7 @@ def test_config(monkeypatch):
"""Configure test environment."""
# Set required environment variables
monkeypatch.setenv("GONDULF_SECRET_KEY", "test_secret_key_" + "x" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.setenv("GONDULF_DATABASE_URL", "sqlite:///:memory:")
# Import after environment is set