Feat/testing (#7)

* adding some tests and checks
* add pre-commit with ruff
* use PyCQA/bandit-action@v1 action
* run pytest with poetry
* improve badit warning


Signed-off-by: Luiz Oliveira <ziuloliveira@gmail.com>

Author: Ziul

.github/workflows/tests.yaml

@@ -7,11 +7,24 @@ jobs:
   security:
     name: security
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - uses: actions/checkout@v4
       - name: Secret Scanning
         uses: trufflesecurity/trufflehog@main
         with:
           base: ""
           head: ${{ github.ref_name }}
-          extra_args: --results=verified,unknown
+          extra_args: --results=verified,unknown
+      - uses: astral-sh/ruff-action@v3
+        name: Linting
+      - name: Bandit
+        uses: PyCQA/bandit-action@v1
+      - name: Pytest
+        run: |
+          pip install poetry
+          poetry install
+          export PYTHONPATH=$(pwd)
+          mkdir -p static/openapi
+          poetry run pytest

.pre-commit-config.yaml

@@ -0,0 +1,5 @@
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.4.4
+    hooks:
+      - id: ruff

README.md

@@ -4,7 +4,8 @@
 [![Latest Release](https://img.shields.io/github/v/release/Ziul/swagger-operator?label=release&color=blue)](https://github.com/Ziul/swagger-operator/releases)
 [![Docker Pulls](https://img.shields.io/docker/pulls/ziuloliveira/swagger-operator)](https://hub.docker.com/r/ziuloliveira/swagger-operator)
 [![License](https://img.shields.io/github/license/Ziul/swagger-operator)](https://github.com/Ziul/swagger-operator/blob/main/LICENSE)
-
+[![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
+[![security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)
 
 A Kubernetes operator that automatically discovers services annotated with OpenAPI/Swagger documentation and aggregates their documentation in a single UI.
 

poetry.lock

@@ -1,8 +1,8 @@
 [tool.poetry]
 name = "swagger-operator"
-version = "0.1.0"
+version = "0.2.0"
 description = ""
-authors = ["Luiz Oliveira"]
+authors = ["Luiz Oliveira", "Gustavo Coelho"]
 license = "MIT"
 readme = "README.md"
 
@@ -18,7 +18,18 @@ itsdangerous = "^2.2.0"
 
 [tool.poetry.group.dev.dependencies]
 ipdb = "^0.13.13"
+pytest = "^8.3.5"
+pytest-asyncio = "^0.26.0"
+pytest-cov = "^6.1.1"
+httpx = "^0.28.1"
+bandit = "^1.8.3"
+ruff = "^0.11.10"
+pre-commit = "^4.2.0"
 
 [build-system]
 requires = ["poetry-core"]
 build-backend = "poetry.core.masonry.api"
+
+[tool.bandit]
+exclude_dirs = ["tests", ".git", ".venv", ".github"]
+skips = ["B101", "B113"]

pyproject.toml

@@ -0,0 +1,4 @@
+[pytest]
+addopts = --cov=. --cov-report=term-missing -p no:warnings -q
+testpaths = tests
+norecursedirs = tests

pytest.ini

@@ -1,4 +1,4 @@
-from fastapi import FastAPI, Request, HTTPException, Depends
+from fastapi import FastAPI, Request, HTTPException, Depends, status
 from fastapi.responses import HTMLResponse, Response
 from fastapi.staticfiles import StaticFiles
 from fastapi.templating import Jinja2Templates
@@ -12,12 +12,12 @@
 from authlib.integrations.starlette_client import OAuth
 from starlette.config import Config
 from starlette.middleware.sessions import SessionMiddleware
-from fastapi import HTTPException, status
+import secrets
 
 logger = logging.getLogger("uvicorn.error")
 
 app = FastAPI()
-app.add_middleware(SessionMiddleware, secret_key="some-random-string", max_age=None)
+app.add_middleware(SessionMiddleware, secret_key=secrets.token_urlsafe(32), max_age=None)
 
 
 # static files
@@ -27,11 +27,11 @@
 
 ENABLE_OIDC = os.environ.get("ENABLE_OIDC", "false").lower() == "true"
 AUTH_CALLBACK = os.environ.get("AUTH_CALLBACK", None)
+config = Config()  # ou use variáveis de ambiente diretamente
+oauth = OAuth(config)
 
 
 if ENABLE_OIDC:
-    config = Config()  # ou use variáveis de ambiente diretamente
-    oauth = OAuth(config)
     oauth.register(
         name='oidc',
         client_id=os.environ.get("OIDC_CLIENT_ID"),
@@ -134,6 +134,7 @@ async def docs(request: Request, template:str=None, user=Depends(require_login))
             logger.info(f"Loaded {len(swaggers)} URLs.")
     except FileNotFoundError:
         logger.error("File not found: static/openapi/urls.json")
+        request.session['error'] = "File not found: static/openapi/urls.json"
         swaggers = [
             {
                 "url": "/openapi.json",
@@ -143,6 +144,7 @@ async def docs(request: Request, template:str=None, user=Depends(require_login))
         ]
     except json.JSONDecodeError:
         logger.error("Error decoding JSON from static/openapi/urls.json")
+        request.session['error'] = "Error decoding JSON from static/openapi/urls.json"
         swaggers = [
             {
                 "url": "/openapi.json",
@@ -183,14 +185,10 @@ async def config(request: Request):
     try:
         with open('static/openapi/urls.json') as f:
             swaggers = json.load(f)
-    except:
-        swaggers = [
-            {
-                "url": "/openapi.json",
-                "name": "Swagger Aggregator",
-                "header": "",
-            }
-        ]
+    except Exception as e:
+        logger.error(f"Error loading configuration file: {e}")
+        swaggers = []
+        request.session['error'] = "Error loading configuration file."
 
     return templates.TemplateResponse(
         "config.html",

server.py

@@ -0,0 +1,134 @@
+import json
+from unittest.mock import patch, mock_open, MagicMock
+from fastapi.testclient import TestClient
+from server import app, apply_proxy_to_openapi
+from urllib.parse import unquote
+
+client = TestClient(app)
+
+def test_proxy_invalid_url():
+    # Tests error when passing an invalid URL
+    response = client.get("/proxy", params={"url": "http://invalid-url"})
+    assert response.status_code == 500
+    assert "Failed to fetch OpenAPI document" in response.text
+
+def test_docs_returns_html():
+    # Tests if the main route returns HTML
+    response = client.get("/")
+    assert response.status_code == 200
+    assert "text/html" in response.headers["content-type"]
+
+def test_proxy_with_headers():
+    url = "http://example.com/openapi.json"
+    headers_dict = {"Authorization": "Bearer token123"}
+    headers_encoded = json.dumps(headers_dict)  # The endpoint expects headers already in JSON
+
+    mock_response = MagicMock()
+    mock_response.content = b'{"openapi": "3.0.0"}'
+    mock_response.text = '{"openapi": "3.0.0"}'
+    mock_response.headers = {"content-type": "application/json"}
+
+    with patch("server.requests.get", return_value=mock_response) as mock_get:
+        response = client.get("/proxy", params={"url": url, "headers": headers_encoded})
+        assert response.status_code == 200
+        assert response.json() == {"openapi": "3.0.0"}
+        mock_get.assert_called_once()
+        # Checks if the headers were passed correctly
+        called_headers = mock_get.call_args[1]["headers"]
+        assert called_headers == headers_dict
+
+def test_proxy_yaml_response():
+    url = "http://example.com/openapi.yaml"
+    headers_dict = {"Authorization": "Bearer token123"}
+    headers_json = json.dumps(headers_dict)
+
+    yaml_content = """
+openapi: 3.0.0
+info:
+  title: API Teste
+  version: "1.0"
+paths: {}
+"""
+    mock_response = MagicMock()
+    mock_response.content = yaml_content.encode("utf-8")
+    mock_response.text = yaml_content
+    mock_response.headers = {"content-type": "application/yaml"}
+
+    with patch("server.requests.get", return_value=mock_response) as mock_get:
+        response = client.get("/proxy", params={"url": url, "headers": headers_json})
+        assert response.status_code == 200
+        assert response.headers["content-type"].startswith("text/yaml")
+        assert "openapi: 3.0.0" in response.text
+        mock_get.assert_called_once()
+        called_headers = mock_get.call_args[1]["headers"]
+        assert called_headers == headers_dict
+
+def test_docs_file_not_found(monkeypatch):
+    # Simulates FileNotFoundError when opening the file
+    with patch("builtins.open", side_effect=FileNotFoundError):
+        response = client.get("/")
+        assert response.status_code == 200
+        # Should contain the default aggregator name
+        assert "Swagger Aggregator" in response.text
+
+def test_docs_json_decode_error(monkeypatch):
+    # Simulates invalid JSON error when opening the file
+    m = mock_open(read_data="not a json")
+    with patch("builtins.open", m):
+        with patch("json.load", side_effect=json.JSONDecodeError("msg", "doc", 0)):
+            response = client.get("/")
+            assert response.status_code == 200
+            assert "Swagger Aggregator" in response.text
+
+def test_config_json_decode_error():
+    # Simulates invalid JSON error when opening the file
+    m = mock_open(read_data="not a json")
+    with patch("builtins.open", m):
+        with patch("json.load", side_effect=Exception("invalid json")):
+            response = client.get("/config")
+            assert response.status_code == 200
+
+def test_apply_proxy_to_openapi_with_http():
+    url = "http://example.com/openapi.json"
+    header = {"Authorization": "Bearer token"}
+    result = apply_proxy_to_openapi(url, header)
+    assert result.startswith("/proxy?url=http://example.com/openapi.json")
+    assert "headers=" in result
+    headers_param = result.split("headers=")[1]
+    decoded = json.loads(unquote(headers_param))  # Fixed here!
+    assert decoded == header
+
+def test_apply_proxy_to_openapi_with_http_and_headers():
+    url = "http://example.com/openapi.json"
+    header = {"Authorization": "Bearer token"}
+    result = apply_proxy_to_openapi(url, header)
+    assert result.startswith("/proxy?url=http://example.com/openapi.json")
+    assert "headers=" in result
+    # Decodes and checks the header
+    headers_param = result.split("headers=")[1]
+    decoded = json.loads(unquote(headers_param))
+    assert decoded == header
+
+def test_apply_proxy_to_openapi_with_http_no_headers():
+    url = "http://example.com/openapi.json"
+    result = apply_proxy_to_openapi(url)
+    assert result == f"/proxy?url={url}"
+
+def test_apply_proxy_to_openapi_with_non_http_url():
+    url = "/local/openapi.json"
+    result = apply_proxy_to_openapi(url)
+    assert result == url
+
+def test_apply_proxy_to_openapi_with_empty_header():
+    url = "http://example.com/openapi.json"
+    result = apply_proxy_to_openapi(url, {})
+    # Should not add headers if the dict is empty
+    assert result == f"/proxy?url={url}"
+
+def test_apply_proxy_to_openapi_with_special_characters_in_header():
+    url = "http://example.com/openapi.json"
+    header = {"X-Test": "çãõ@#%&"}
+    result = apply_proxy_to_openapi(url, header)
+    headers_param = result.split("headers=")[1]
+    decoded = json.loads(unquote(headers_param))
+    assert decoded == header