MCP_CyberArk/tests/test_auth.py

"""
Tests for the API key middleware.
"""
from __future__ import annotations
from types import SimpleNamespace
import pytest
from fastapi import FastAPI
from fastapi.responses import JSONResponse
from fastapi.testclient import TestClient
import mcp_privileged.auth as auth_module
from mcp_privileged.auth import ApiKeyMiddleware
# Stand-in for the settings object of the auth module. It exposes only the
# `mcp_api_keys` attribute; the two values are test-only placeholder keys.
_FAKE_SETTINGS = SimpleNamespace(
    mcp_api_keys={
        "valid-key-1",
        "valid-key-2",
    },
)
def _make_app() -> FastAPI:
    """Build a minimal FastAPI app wrapped in ``ApiKeyMiddleware``.

    Two GET routes are registered, ``/mcp/test`` and ``/health``. The tests
    in this file expect the first to require an API key and the second to
    answer without one.
    """
    application = FastAPI()
    application.add_middleware(ApiKeyMiddleware)

    @application.get("/mcp/test")
    async def protected() -> JSONResponse:
        payload = {"ok": True}
        return JSONResponse(payload)

    @application.get("/health")
    async def health() -> JSONResponse:
        payload = {"status": "ok"}
        return JSONResponse(payload)

    return application
@pytest.fixture
def client(monkeypatch) -> TestClient:
    """Return a ``TestClient`` for the test app with the auth settings faked.

    ``auth_module.settings`` is replaced by ``_FAKE_SETTINGS`` for the
    duration of the test, so no real API keys are read from configuration.
    """
    # NOTE(review): this only takes effect if the middleware looks up
    # `settings` on the auth module at request time; confirm against auth.py.
    monkeypatch.setattr(auth_module, "settings", _FAKE_SETTINGS)
    app_under_test = _make_app()
    return TestClient(app_under_test, raise_server_exceptions=True)
def test_health_requires_no_auth(client: TestClient) -> None:
    """``/health`` answers 200 when the request carries no credentials."""
    status = client.get("/health").status_code
    assert status == 200
def test_missing_key_returns_401(client: TestClient) -> None:
    """A request to ``/mcp/test`` with no key header at all is rejected with 401."""
    status = client.get("/mcp/test").status_code
    assert status == 401
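def test_invalid_key_returns_401(client: TestClient) -> None:
    """A key outside the configured set is rejected with 401 on both header forms.

    The rejection is checked for ``X-API-Key`` and for
    ``Authorization: Bearer``, because this suite accepts valid keys through
    either header. A negative test on only one of them would let a regression
    that accepts arbitrary Bearer tokens pass unnoticed.
    """
    via_api_key = client.get("/mcp/test", headers={"X-API-Key": "wrong-key"})
    assert via_api_key.status_code == 401

    via_bearer = client.get(
        "/mcp/test", headers={"Authorization": "Bearer wrong-key"}
    )
    assert via_bearer.status_code == 401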
def test_valid_x_api_key_header(client: TestClient) -> None:
    """A configured key sent in the ``X-API-Key`` header is accepted."""
    key_headers = {"X-API-Key": "valid-key-1"}
    reply = client.get("/mcp/test", headers=key_headers)
    assert reply.status_code == 200
def test_valid_bearer_token(client: TestClient) -> None:
    """A configured key sent as ``Authorization: Bearer <key>`` is accepted."""
    auth_headers = {"Authorization": "Bearer valid-key-2"}
    reply = client.get("/mcp/test", headers=auth_headers)
    assert reply.status_code == 200
def test_bearer_case_insensitive(client: TestClient) -> None:
    """The ``Bearer`` scheme name is matched without regard to case.

    The request spells the scheme as lowercase ``bearer`` and must still be
    authenticated. Only the scheme is lower-cased here; the key value is
    sent exactly as configured.
    """
    auth_headers = {"Authorization": "bearer valid-key-1"}
    reply = client.get("/mcp/test", headers=auth_headers)
    assert reply.status_code == 200