apcore-cli 0.7.0

Command-line interface for apcore modules
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178

// apcore-cli — Integration tests for AuthProvider.
// Protocol spec: SEC-02

use std::collections::HashMap;

use apcore_cli::config::ConfigResolver;
use apcore_cli::security::auth::{AuthProvider, AuthenticationError};

/// Serialize all tests that touch APCORE_AUTH_API_KEY to prevent data races
/// when tests run in parallel.
static ENV_LOCK: std::sync::Mutex<()> = std::sync::Mutex::new(());

fn make_empty_resolver() -> ConfigResolver {
    ConfigResolver::new(None, None)
}

#[test]
fn test_get_api_key_from_env_var() {
    // APCORE_AUTH_API_KEY must be returned when set.
    let _guard = ENV_LOCK.lock().unwrap();
    // SAFETY: test-only env manipulation, serialized via ENV_LOCK.
    unsafe { std::env::set_var("APCORE_AUTH_API_KEY", "env-key-abc") };
    let provider = AuthProvider::new(make_empty_resolver());
    let key = provider.get_api_key();
    // SAFETY: cleanup regardless of assertion outcome.
    unsafe { std::env::remove_var("APCORE_AUTH_API_KEY") };
    assert_eq!(key.unwrap(), Some("env-key-abc".to_string()));
}

#[test]
fn test_get_api_key_missing_returns_error() {
    // When no key is available, get_api_key() must return Ok(None).
    let _guard = ENV_LOCK.lock().unwrap();
    // SAFETY: test-only env manipulation, serialized via ENV_LOCK.
    unsafe { std::env::remove_var("APCORE_AUTH_API_KEY") };
    let provider = AuthProvider::new(make_empty_resolver());
    assert_eq!(provider.get_api_key().unwrap(), None);
}

#[test]
fn test_authenticate_request_adds_bearer_header() {
    // authenticate_request (HashMap-based) must insert Authorization when key is available.
    let _guard = ENV_LOCK.lock().unwrap();
    // SAFETY: test-only env manipulation, serialized via ENV_LOCK.
    unsafe { std::env::set_var("APCORE_AUTH_API_KEY", "bearer-test-key") };
    let provider = AuthProvider::new(make_empty_resolver());
    let result = provider.authenticate_request(HashMap::new());
    // SAFETY: cleanup.
    unsafe { std::env::remove_var("APCORE_AUTH_API_KEY") };
    let headers = result.expect("authenticate_request must succeed when key is set");
    assert_eq!(
        headers.get("Authorization").map(|s| s.as_str()),
        Some("Bearer bearer-test-key"),
        "Authorization header must be set"
    );
}

#[test]
fn test_apply_to_reqwest_injects_bearer_header() {
    // apply_to_reqwest must succeed when a key is available.
    let _guard = ENV_LOCK.lock().unwrap();
    unsafe { std::env::set_var("APCORE_AUTH_API_KEY", "reqwest-key") };
    let provider = AuthProvider::new(make_empty_resolver());
    let client = reqwest::Client::new();
    let builder = client.get("https://example.com");
    let result = provider.apply_to_reqwest(builder);
    unsafe { std::env::remove_var("APCORE_AUTH_API_KEY") };
    assert!(
        result.is_ok(),
        "apply_to_reqwest must succeed when key is set"
    );
}

#[test]
fn test_check_status_code_200_ok() {
    let _guard = ENV_LOCK.lock().unwrap();
    unsafe { std::env::remove_var("APCORE_AUTH_API_KEY") };
    let provider = AuthProvider::new(make_empty_resolver());
    assert!(provider.check_status_code(200).is_ok());
}

#[test]
fn test_check_status_code_401_returns_invalid_key() {
    let _guard = ENV_LOCK.lock().unwrap();
    unsafe { std::env::remove_var("APCORE_AUTH_API_KEY") };
    let provider = AuthProvider::new(make_empty_resolver());
    let err = provider.check_status_code(401).unwrap_err();
    assert!(matches!(err, AuthenticationError::InvalidApiKey));
}

#[test]
fn test_check_status_code_403_returns_invalid_key() {
    let _guard = ENV_LOCK.lock().unwrap();
    unsafe { std::env::remove_var("APCORE_AUTH_API_KEY") };
    let provider = AuthProvider::new(make_empty_resolver());
    let err = provider.check_status_code(403).unwrap_err();
    assert!(matches!(err, AuthenticationError::InvalidApiKey));
}

#[test]
fn test_check_status_code_500_passes_through() {
    let _guard = ENV_LOCK.lock().unwrap();
    unsafe { std::env::remove_var("APCORE_AUTH_API_KEY") };
    let provider = AuthProvider::new(make_empty_resolver());
    assert!(provider.check_status_code(500).is_ok());
}

#[test]
fn test_error_messages_match_spec() {
    let missing = AuthenticationError::MissingApiKey;
    assert!(
        missing.to_string().contains("APCORE_AUTH_API_KEY"),
        "MissingApiKey message must mention the env var"
    );
    let invalid = AuthenticationError::InvalidApiKey;
    assert!(
        invalid.to_string().contains("Authentication failed"),
        "InvalidApiKey message must say 'Authentication failed', got: {}",
        invalid
    );
}

// Regression test for D10-002: authenticate_request returns owned augmented map.
// Spec contract: "On success: dict — the input headers dict with Authorization added".
// The Rust signature must take HashMap<String, String> by value and return the
// augmented map, matching Python's mutate-and-return semantics.
#[test]
fn test_authenticate_request_returns_augmented_headers_map() {
    let _guard = ENV_LOCK.lock().unwrap();
    // SAFETY: test-only env manipulation, serialized via ENV_LOCK.
    unsafe { std::env::set_var("APCORE_AUTH_API_KEY", "owned-return-key") };
    let provider = AuthProvider::new(make_empty_resolver());
    let mut headers = HashMap::new();
    headers.insert("X-Trace-Id".to_string(), "abc-123".to_string());

    // Call must return the augmented map (not unit) and preserve pre-existing entries.
    let returned: HashMap<String, String> = provider
        .authenticate_request(headers)
        .expect("authenticate_request must succeed when key is set");

    // SAFETY: cleanup.
    unsafe { std::env::remove_var("APCORE_AUTH_API_KEY") };

    assert_eq!(
        returned.get("Authorization").map(String::as_str),
        Some("Bearer owned-return-key"),
        "returned map must contain Authorization header"
    );
    assert_eq!(
        returned.get("X-Trace-Id").map(String::as_str),
        Some("abc-123"),
        "returned map must preserve pre-existing entries (mutate-and-return semantics)"
    );
}

// Regression test for A-D-008: CLI flag must take precedence over env var.
#[test]
fn test_cli_flag_takes_precedence_over_env_var() {
    let _guard = ENV_LOCK.lock().unwrap();
    // Set env var to "env-key"
    unsafe { std::env::set_var("APCORE_AUTH_API_KEY", "env-key") };

    // Supply "cli-key" via the resolver's cli_flags map
    let mut flags = HashMap::new();
    flags.insert("--api-key".to_string(), Some("cli-key".to_string()));
    let resolver = ConfigResolver::new(Some(flags), None);
    let provider = AuthProvider::new(resolver);
    let result = provider.get_api_key();

    unsafe { std::env::remove_var("APCORE_AUTH_API_KEY") };

    // CLI flag must win — should be "cli-key", not "env-key"
    assert_eq!(
        result.unwrap(),
        Some("cli-key".to_string()),
        "CLI --api-key flag must take precedence over APCORE_AUTH_API_KEY env var"
    );
}