|
| 1 | +"""v9.0: generated OpenAPI documents framework operational responses.""" |
| 2 | + |
| 3 | +import yaml |
| 4 | +from openapi_spec_validator import validate |
| 5 | +from starlette.testclient import TestClient |
| 6 | + |
| 7 | +import responder |
| 8 | +from responder.ext.ratelimit import RateLimiter, RedisBackend |
| 9 | + |
| 10 | + |
| 11 | +def _api(**kwargs): |
| 12 | + kwargs.setdefault("openapi", "3.1.0") |
| 13 | + kwargs.setdefault("secret_key", "x" * 32) |
| 14 | + kwargs.setdefault("allowed_hosts", [";"]) |
| 15 | + kwargs.setdefault("session_https_only", False) |
| 16 | + return responder.API(**kwargs) |
| 17 | + |
| 18 | + |
| 19 | +def _schema(api): |
| 20 | + response = TestClient(api, base_url="http://;").get("/schema.yml") |
| 21 | + assert response.status_code == 200 |
| 22 | + return yaml.safe_load(response.content) |
| 23 | + |
| 24 | + |
| 25 | +def test_openapi_documents_csrf_only_on_protected_unsafe_routes(): |
| 26 | + api = _api(csrf=True) |
| 27 | + |
| 28 | + @api.get("/form") |
| 29 | + def form(req, resp): |
| 30 | + resp.text = str(req.csrf_input) |
| 31 | + |
| 32 | + @api.post("/submit") |
| 33 | + def submit(req, resp): |
| 34 | + resp.media = {"ok": True} |
| 35 | + |
| 36 | + @api.post("/webhook", csrf=False) |
| 37 | + def webhook(req, resp): |
| 38 | + resp.media = {"ok": True} |
| 39 | + |
| 40 | + spec = _schema(api) |
| 41 | + |
| 42 | + form_responses = spec["paths"]["/form"]["get"]["responses"] |
| 43 | + submit_responses = spec["paths"]["/submit"]["post"]["responses"] |
| 44 | + webhook_responses = spec["paths"]["/webhook"]["post"]["responses"] |
| 45 | + |
| 46 | + assert "403" not in form_responses |
| 47 | + assert "403" in submit_responses |
| 48 | + assert "401" not in submit_responses |
| 49 | + assert "403" not in webhook_responses |
| 50 | + assert "application/problem+json" in submit_responses["403"]["content"] |
| 51 | + validate(spec) |
| 52 | + |
| 53 | + |
| 54 | +def test_openapi_documents_route_level_rate_limits(): |
| 55 | + api = _api() |
| 56 | + limiter = RateLimiter(requests=1, period=60) |
| 57 | + |
| 58 | + @api.get("/limited") |
| 59 | + @limiter.limit |
| 60 | + def limited(req, resp): |
| 61 | + resp.media = {"ok": True} |
| 62 | + |
| 63 | + @api.get("/open") |
| 64 | + def open_route(req, resp): |
| 65 | + resp.media = {"ok": True} |
| 66 | + |
| 67 | + spec = _schema(api) |
| 68 | + limited_responses = spec["paths"]["/limited"]["get"]["responses"] |
| 69 | + open_responses = spec["paths"]["/open"]["get"]["responses"] |
| 70 | + |
| 71 | + assert "429" in limited_responses |
| 72 | + assert "503" in limited_responses |
| 73 | + assert "application/problem+json" in limited_responses["429"]["content"] |
| 74 | + assert "429" not in open_responses |
| 75 | + assert "503" not in open_responses |
| 76 | + validate(spec) |
| 77 | + |
| 78 | + |
| 79 | +def test_openapi_documents_installed_rate_limiter_on_all_routes(): |
| 80 | + api = _api() |
| 81 | + RateLimiter(requests=1, period=60).install(api) |
| 82 | + |
| 83 | + @api.get("/one") |
| 84 | + def one(req, resp): |
| 85 | + resp.media = {"ok": True} |
| 86 | + |
| 87 | + @api.post("/two") |
| 88 | + def two(req, resp): |
| 89 | + resp.media = {"ok": True} |
| 90 | + |
| 91 | + spec = _schema(api) |
| 92 | + |
| 93 | + assert "429" in spec["paths"]["/one"]["get"]["responses"] |
| 94 | + assert "429" in spec["paths"]["/two"]["post"]["responses"] |
| 95 | + validate(spec) |
| 96 | + |
| 97 | + |
| 98 | +def test_openapi_omits_413_when_request_body_limit_disabled(): |
| 99 | + api = _api(max_request_size=None) |
| 100 | + |
| 101 | + @api.post("/items") |
| 102 | + def items(req, resp): |
| 103 | + resp.media = {"ok": True} |
| 104 | + |
| 105 | + spec = _schema(api) |
| 106 | + |
| 107 | + assert "413" not in spec["paths"]["/items"]["post"]["responses"] |
| 108 | + validate(spec) |
| 109 | + |
| 110 | + |
| 111 | +def test_rate_limiter_uses_problem_details_by_default(): |
| 112 | + api = _api() |
| 113 | + RateLimiter(requests=1, period=60).install(api) |
| 114 | + |
| 115 | + @api.get("/") |
| 116 | + def index(req, resp): |
| 117 | + resp.text = "ok" |
| 118 | + |
| 119 | + client = TestClient(api, base_url="http://;") |
| 120 | + assert client.get("/").status_code == 200 |
| 121 | + |
| 122 | + response = client.get("/") |
| 123 | + |
| 124 | + assert response.status_code == 429 |
| 125 | + assert response.headers["content-type"].startswith("application/problem+json") |
| 126 | + assert response.headers["Retry-After"] == "60" |
| 127 | + assert response.json()["title"] == "Too Many Requests" |
| 128 | + |
| 129 | + |
| 130 | +def test_rate_limiter_keeps_legacy_error_shape_when_problem_details_disabled(): |
| 131 | + api = _api(problem_details=False) |
| 132 | + RateLimiter(requests=1, period=60).install(api) |
| 133 | + |
| 134 | + @api.get("/") |
| 135 | + def index(req, resp): |
| 136 | + resp.text = "ok" |
| 137 | + |
| 138 | + client = TestClient(api, base_url="http://;") |
| 139 | + assert client.get("/").status_code == 200 |
| 140 | + |
| 141 | + response = client.get("/") |
| 142 | + |
| 143 | + assert response.status_code == 429 |
| 144 | + assert response.headers["content-type"].startswith("application/json") |
| 145 | + assert response.json() == {"error": "rate limit exceeded"} |
| 146 | + |
| 147 | + |
| 148 | +def test_rate_limiter_backend_failure_uses_problem_details(): |
| 149 | + class DownRedis: |
| 150 | + def eval(self, *args, **kwargs): |
| 151 | + raise RuntimeError("down") |
| 152 | + |
| 153 | + api = _api() |
| 154 | + RateLimiter( |
| 155 | + requests=1, period=60, backend=RedisBackend(client=DownRedis()) |
| 156 | + ).install(api) |
| 157 | + |
| 158 | + @api.get("/") |
| 159 | + def index(req, resp): |
| 160 | + resp.text = "never" |
| 161 | + |
| 162 | + response = TestClient(api, base_url="http://;").get("/") |
| 163 | + |
| 164 | + assert response.status_code == 503 |
| 165 | + assert response.headers["content-type"].startswith("application/problem+json") |
| 166 | + assert response.headers["Retry-After"] == "60" |
| 167 | + assert response.json()["title"] == "Service Unavailable" |
0 commit comments