odysseus/tests/test_session_owner_attribution.py

"""Tests for token-owner session attribution (effective_user + session routes).

Proves the two properties the review asked for:
  - cookie/browser users are completely unchanged (no-op swap)
  - a bearer token for owner A can never read/verify owner B's session, and a
    bearer token with no owner does not escalate.

Follows the direct-helper + mocked-DB style of tests/test_null_owner_gates.py.
"""

import os
import sys
import types
from types import SimpleNamespace
from unittest.mock import MagicMock

import pytest

sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))

# routes.session_routes imports several heavy modules at import time that blow up
# under conftest's sqlalchemy/* MagicMock stubs (declarative classes). Stub them
# so we can import the module and exercise _verify_session_owner with a mock DB.
_STUBS = {
    "core.database": {"Session": MagicMock(), "SessionLocal": MagicMock(),
                      "Document": MagicMock(), "GalleryImage": MagicMock()},
    "core.session_manager": {"SessionManager": MagicMock()},
    "core.models": {"ChatMessage": MagicMock()},
    "src.request_models": {"SessionResponse": MagicMock()},
}
for _name, _attrs in _STUBS.items():
    if _name not in sys.modules:
        _m = types.ModuleType(_name)
        for _k, _v in _attrs.items():
            setattr(_m, _k, _v)
        sys.modules[_name] = _m

from fastapi import HTTPException  # noqa: E402

from src.auth_helpers import effective_user  # noqa: E402
import routes.session_routes as SR  # noqa: E402


def _req(**state):
    return SimpleNamespace(state=SimpleNamespace(**state))


# --- effective_user: who a request is attributed to ------------------------

def test_cookie_user_is_unchanged():
    # The whole point: browser/cookie callers behave exactly as before.
    assert effective_user(_req(api_token=False, current_user="alice")) == "alice"


def test_bearer_token_attributes_to_its_owner():
    # A paired phone runs as the "api" pseudo-user but must act as the token owner.
    assert effective_user(_req(api_token=True, api_token_owner="alice", current_user="api")) == "alice"


def test_bearer_token_without_owner_does_not_escalate():
    # No owner on the token -> falls back to current_user ("api"), never another user.
    assert effective_user(_req(api_token=True, api_token_owner=None, current_user="api")) == "api"


# --- _verify_session_owner: bearer tokens cannot cross owners ---------------

def _session_local_returning(owner_value):
    """Mock SessionLocal whose query(...).filter(...).first() yields a row with
    the given owner (or None for 'no such session')."""
    db = MagicMock()
    row = None if owner_value is _MISSING else SimpleNamespace(owner=owner_value)
    db.query.return_value.filter.return_value.first.return_value = row
    return MagicMock(return_value=db)


_MISSING = object()


def test_bearer_owner_A_cannot_verify_owner_B_session(monkeypatch):
    monkeypatch.setattr(SR, "SessionLocal", _session_local_returning("bob"))
    req = _req(api_token=True, api_token_owner="alice", current_user="api")
    with pytest.raises(HTTPException) as exc:
        SR._verify_session_owner(req, "sid-owned-by-bob")
    assert exc.value.status_code == 404


def test_owner_can_verify_their_own_session(monkeypatch):
    monkeypatch.setattr(SR, "SessionLocal", _session_local_returning("alice"))
    req = _req(api_token=True, api_token_owner="alice", current_user="api")
    # Should not raise.
    SR._verify_session_owner(req, "sid-owned-by-alice")


def test_cookie_user_owns_their_session(monkeypatch):
    # Cookie path unchanged: alice (cookie) verifies alice's session.
    monkeypatch.setattr(SR, "SessionLocal", _session_local_returning("alice"))
    req = _req(api_token=False, current_user="alice")
    SR._verify_session_owner(req, "sid")


def test_missing_session_is_404(monkeypatch):
    monkeypatch.setattr(SR, "SessionLocal", _session_local_returning(_MISSING))
    req = _req(api_token=False, current_user="alice")
    with pytest.raises(HTTPException) as exc:
        SR._verify_session_owner(req, "nope")
    assert exc.value.status_code == 404


def test_unauthenticated_caller_rejected(monkeypatch):
    req = _req(api_token=False, current_user=None)
    with pytest.raises(HTTPException) as exc:
        SR._verify_session_owner(req, "sid")
    assert exc.value.status_code == 403