Updated unit tests for the recentchanges, rename secret and environment variable functions for clarity and consistency

Author: fox-techniques

janux_auth_gateway/__init__.py

@@ -16,4 +16,17 @@
 Author: FOX Techniques <[email protected]>
 """
 
+from .config import Config, _read_secret, _read_jwt_key, _get_env_variable
+
+# Only allow these functions to be imported within the package
+__module_exports__ = ["Config", "_read_secret", "_read_jwt_key", "_get_env_variable"]
+
+
+# Make sure internal functions can only be imported within package
+def __getattr__(name):
+    if name in __module_exports__:
+        return globals()[name]  # Allow internal access within the package
+    raise AttributeError(f"Module '{__name__}' has no attribute '{name}'")
+
+
 __version__ = "0.1.0"

janux_auth_gateway/config/__init__.py

@@ -13,6 +13,7 @@
 Author: FOX Techniques <[email protected]>
 """
 
-from .config import Config, get_env_variable
+from .config import Config, _read_secret, _read_jwt_key, _get_env_variable
 
-__all__ = ["Config", "get_env_variable"]
+# Expose the Config class for external use.
+__all__ = ["Config"]

janux_auth_gateway/config/config.py

@@ -16,7 +16,7 @@
 from typing import Optional, List
 
 
-def read_secret(secret_name):
+def _read_secret(secret_name):
     """
     Reads secrets from:
     1. `/run/secrets/` (Docker Secrets in Production)
@@ -36,11 +36,7 @@ def read_secret(secret_name):
     return os.getenv(secret_name)  # Fallback to environment variable
 
 
-import os
-import glob
-
-
-def read_jwt_key(key_type: str) -> str:
+def _read_jwt_key(key_type: str) -> str:
     """
     Reads a private or public key from Docker Secrets or local development folder.
 
@@ -77,7 +73,7 @@ def read_jwt_key(key_type: str) -> str:
     raise ValueError(f"No {key_type} key file found in {search_paths}")
 
 
-def get_env_variable(var_name: str, default: Optional[str] = None) -> str:
+def _get_env_variable(var_name: str, default: Optional[str] = None) -> str:
     """
     Retrieve non-sensitive environment variables with an optional default.
 
@@ -107,48 +103,48 @@ class Config:
     """
 
     # Application settings
-    ENVIRONMENT = get_env_variable("ENVIRONMENT", "local")
-    ALLOWED_ORIGINS: List[str] = get_env_variable("ALLOWED_ORIGINS", "*").split(",")
+    ENVIRONMENT = _get_env_variable("ENVIRONMENT", "local")
+    ALLOWED_ORIGINS: List[str] = _get_env_variable("ALLOWED_ORIGINS", "*").split(",")
 
     # 🔐 Encryption Key (AES)
-    JANUX_ENCRYPTION_KEY = read_secret("janux_encryption_key")
+    JANUX_ENCRYPTION_KEY = _read_secret("janux_encryption_key")
 
     # 🔑 JWT Authentication Keys
-    JWT_PRIVATE_KEY = read_jwt_key(key_type="private")
-    JWT_PUBLIC_KEY = read_jwt_key(key_type="public")
+    JWT_PRIVATE_KEY = _read_jwt_key(key_type="private")
+    JWT_PUBLIC_KEY = _read_jwt_key(key_type="public")
 
     JWT_ALGORITHM = "RS256"
 
     # 🔥 JWT Token Settings
     ACCESS_TOKEN_EXPIRE_MINUTES = int(
-        get_env_variable("ACCESS_TOKEN_EXPIRE_MINUTES", "20")
+        _get_env_variable("ACCESS_TOKEN_EXPIRE_MINUTES", "20")
     )
-    TOKEN_ISSUER = get_env_variable("TOKEN_ISSUER", "JANUX-server")
-    TOKEN_AUDIENCE = get_env_variable("TOKEN_AUDIENCE", "JANUX-application")
+    ISSUER = _get_env_variable("TOKEN_ISSUER", "JANUX-server")
+    AUDIENCE = _get_env_variable("TOKEN_AUDIENCE", "JANUX-application")
 
     # 🗝️ Token Endpoints
-    USER_TOKEN_URL = get_env_variable("USER_TOKEN_URL", "/auth/login")
-    ADMIN_TOKEN_URL = get_env_variable("ADMIN_TOKEN_URL", "/auth/login")
+    USER_TOKEN_URL = _get_env_variable("USER_TOKEN_URL", "/auth/login")
+    ADMIN_TOKEN_URL = _get_env_variable("ADMIN_TOKEN_URL", "/auth/login")
 
     # 🛢️ Database (MongoDB)
-    MONGO_URI = read_secret("mongo_uri")
-    MONGO_DATABASE_NAME = get_env_variable("MONGO_DATABASE_NAME", "users_db")
+    MONGO_URI = _read_secret("mongo_uri")
+    MONGO_DATABASE_NAME = _get_env_variable("MONGO_DATABASE_NAME", "users_db")
 
     # 👤 MongoDB Initial Admin Credentials
-    MONGO_ADMIN_EMAIL = read_secret("mongo_admin_email")
-    MONGO_ADMIN_PASSWORD = read_secret("mongo_admin_password")
-    MONGO_ADMIN_FULLNAME = read_secret("mongo_admin_fullname")
-    MONGO_ADMIN_ROLE = read_secret("mongo_admin_role")
+    MONGO_ADMIN_EMAIL = _read_secret("mongo_admin_email")
+    MONGO_ADMIN_PASSWORD = _read_secret("mongo_admin_password")
+    MONGO_ADMIN_FULLNAME = _read_secret("mongo_admin_fullname")
+    MONGO_ADMIN_ROLE = _read_secret("mongo_admin_role")
 
     # 👤 MongoDB Initial User Credentials
-    MONGO_USER_EMAIL = read_secret("mongo_user_email")
-    MONGO_USER_PASSWORD = read_secret("mongo_user_password")
-    MONGO_USER_FULLNAME = read_secret("mongo_user_fullname")
-    MONGO_USER_ROLE = read_secret("mongo_user_role")
+    MONGO_USER_EMAIL = _read_secret("mongo_user_email")
+    MONGO_USER_PASSWORD = _read_secret("mongo_user_password")
+    MONGO_USER_FULLNAME = _read_secret("mongo_user_fullname")
+    MONGO_USER_ROLE = _read_secret("mongo_user_role")
 
     # 🔄 Redis Configuration
-    REDIS_HOST = get_env_variable("REDIS_HOST", "localhost")
-    REDIS_PORT = int(get_env_variable("REDIS_PORT", "6379"))
+    REDIS_HOST = _get_env_variable("REDIS_HOST", "localhost")
+    REDIS_PORT = int(_get_env_variable("REDIS_PORT", "6379"))
 
     @staticmethod
     def validate():

janux_auth_gateway/database/mongoDB.py

@@ -20,7 +20,6 @@
 from janux_auth_gateway.auth.passwords import verify_password, hash_password
 from janux_auth_gateway.config import Config
 from janux_auth_gateway.debug.custom_logger import get_logger
-from janux_auth_gateway.utils.email_utils import mask_email
 from janux_auth_gateway.models.user_model import User
 from janux_auth_gateway.models.admin_model import Admin
 

tests/auth/test_jwt.py

@@ -57,8 +57,8 @@ def mock_keys(mocker):
     )
 
     # Mock Config values with valid RSA keys
-    mocker.patch.object(Config, "PRIVATE_KEY", private_pem)
-    mocker.patch.object(Config, "PUBLIC_KEY", public_pem)
+    mocker.patch.object(Config, "JWT_PRIVATE_KEY", private_pem)
+    mocker.patch.object(Config, "JWT_PUBLIC_KEY", public_pem)
 
 
 @pytest.fixture()
@@ -130,7 +130,7 @@ def test_verify_expired_jwt(mock_keys, fake_redis):
     """
     expired_token = jwt.encode(
         {"sub": "testuser", "exp": 0},
-        Config.PRIVATE_KEY,
+        Config.JWT_PRIVATE_KEY,
         algorithm="RS256",
     )
 

tests/config/test_config.py

@@ -6,20 +6,27 @@
 Tests:
 - Retrieval of environment variables with defaults.
 - Handling of missing required environment variables.
-- Config validation without exposing secret values.
+- Secure handling of secrets using file-based and environment-based approaches.
+- Validation of critical configuration settings.
+- Proper loading of JWT private and public keys.
+- Ensuring Redis and MongoDB configurations are correctly loaded.
 
 Features:
 - Uses `pytest-mock` to override environment variables.
-- Mocks private/public key file reads to avoid file system dependencies.
-- Ensures secure validation without printing sensitive information.
+- Mocks file reading operations to avoid filesystem dependencies.
+- Ensures security best practices for managing secrets and keys.
+- Validates behavior when secrets are missing or invalid.
 
 Author: FOX Techniques <[email protected]>
 """
 
 import pytest
 import os
 from unittest.mock import patch, mock_open
-from janux_auth_gateway.config import get_env_variable, Config
+from janux_auth_gateway.config import Config
+
+# In your test file
+from janux_auth_gateway.config import _read_secret, _read_jwt_key, _get_env_variable
 
 
 def test_get_env_variable_with_existing_value(mocker):
@@ -31,7 +38,7 @@ def test_get_env_variable_with_existing_value(mocker):
     """
     mocker.patch.dict(os.environ, {"TEST_ENV_VAR": "test_value"})
 
-    assert get_env_variable("TEST_ENV_VAR") == "test_value"
+    assert _get_env_variable("TEST_ENV_VAR") == "test_value"
 
 
 def test_get_env_variable_with_default_value():
@@ -41,7 +48,7 @@ def test_get_env_variable_with_default_value():
     Expected Outcome:
     - The function should return the default value if the variable is not set.
     """
-    assert get_env_variable("NON_EXISTENT_VAR", "default_value") == "default_value"
+    assert _get_env_variable("NON_EXISTENT_VAR", "default_value") == "default_value"
 
 
 def test_get_env_variable_missing_without_default():
@@ -52,10 +59,10 @@ def test_get_env_variable_missing_without_default():
     - The function should raise a ValueError if no default is provided.
     """
     with pytest.raises(ValueError, match="Missing environment variable: 'MISSING_VAR'"):
-        get_env_variable("MISSING_VAR")
+        _get_env_variable("MISSING_VAR")
 
 
-@pytest.fixture()
+@pytest.fixture
 def mock_config(mocker):
     """
     Mock the entire Config class properties without exposing secrets.
@@ -65,35 +72,34 @@ def mock_config(mocker):
         {
             "ENVIRONMENT": "test",
             "ALLOWED_ORIGINS": "http://localhost,http://127.0.0.1",
-            "CONTAINER": "False",
-            "AUTH_PRIVATE_KEY_PATH": "/fake/private.pem",
-            "AUTH_PUBLIC_KEY_PATH": "/fake/public.pem",
             "ACCESS_TOKEN_EXPIRE_MINUTES": "30",
-            "USER_TOKEN_URL": "http://localhost/token",
-            "ADMIN_TOKEN_URL": "http://localhost/admin-token",
-            "MONGO_URI": "mongodb://localhost:27017/test_db",
-            "MONGO_DATABASE_NAME": "test_db",
-            "ISSUER": "JANUX-server",
-            "AUDIENCE": "JANUX-application",
-            "MONGO_ADMIN_EMAIL": "[email protected]",
-            "MONGO_ADMIN_PASSWORD": "adminpassword",
-            "MONGO_ADMIN_FULLNAME": "Admin User",
-            "MONGO_ADMIN_ROLE": "super_admin",
-            "MONGO_USER_EMAIL": "[email protected]",
-            "MONGO_USER_PASSWORD": "userpassword",
-            "MONGO_USER_FULLNAME": "Test User",
-            "MONGO_USER_ROLE": "user",
+            "TOKEN_ISSUER": "JANUX-server",
+            "TOKEN_AUDIENCE": "JANUX-application",
+            "USER_TOKEN_URL": "/auth/login",
+            "ADMIN_TOKEN_URL": "/auth/login",
             "REDIS_HOST": "localhost",
             "REDIS_PORT": "6379",
         },
     )
 
+    # Mock secrets
+    mocker.patch(
+        "janux_auth_gateway.config._read_secret",
+        side_effect=lambda key: f"mocked_{key}",
+    )
+
+    # Mock JWT key reading
     fake_private_key = "-----BEGIN PRIVATE KEY-----\nFAKEKEY\n-----END PRIVATE KEY-----"
     fake_public_key = "-----BEGIN PUBLIC KEY-----\nFAKEKEY\n-----END PUBLIC KEY-----"
 
-    mocker.patch("builtins.open", mock_open(read_data=fake_private_key), create=True)
-    with patch("builtins.open", mock_open(read_data=fake_public_key)):
-        yield
+    mocker.patch(
+        "janux_auth_gateway.config._read_jwt_key",
+        side_effect=lambda key_type: (
+            fake_private_key if key_type == "private" else fake_public_key
+        ),
+    )
+
+    yield
 
 
 def test_config_validation_success(mock_config):
@@ -116,10 +122,12 @@ def test_config_validation_failure_invalid_keys(mocker):
     Expected Outcome:
     - Should raise a ValueError if private or public keys are invalid.
     """
-    mocker.patch.object(Config, "PRIVATE_KEY", "INVALID_KEY")
-    mocker.patch.object(Config, "PUBLIC_KEY", "INVALID_KEY")
+    mocker.patch.object(Config, "JWT_PRIVATE_KEY", "INVALID_KEY")
+    mocker.patch.object(Config, "JWT_PUBLIC_KEY", "INVALID_KEY")
 
-    with pytest.raises(ValueError, match="Invalid configuration for PRIVATE_KEY"):
+    with pytest.raises(
+        ValueError, match="Invalid or missing `jwt_private_key` for signing JWTs."
+    ):
         Config.validate()
 
 
@@ -128,56 +136,81 @@ def test_config_validation_failure_invalid_mongo_uri(mocker):
     Test that Config.validate() raises an error if MongoDB URI is invalid.
 
     Expected Outcome:
-    - Should raise a ValueError if the MongoDB URI does not start with the expected prefix.
+    - Should raise a ValueError if the MongoDB URI is missing.
     """
-    mocker.patch.object(Config, "MONGO_URI", "invalid_uri")
+    mocker.patch.object(Config, "MONGO_URI", "")
 
-    with pytest.raises(ValueError, match="Invalid configuration for MONGO_URI"):
+    with pytest.raises(
+        ValueError, match="Missing `mongo_uri` for database connection."
+    ):
         Config.validate()
 
 
-def test_config_missing_critical_vars(mocker):
+def test_config_missing_critical_secrets(mocker):
     """
-    Test that Config.validate() raises an error when a required variable is missing.
+    Test that Config.validate() raises an error when a required secret is missing.
 
     Expected Outcome:
-    - Should raise a ValueError when a critical variable like PRIVATE_KEY is missing.
+    - Should raise a ValueError when a critical secret is missing.
     """
-    mocker.patch.object(Config, "PRIVATE_KEY", "")
+    mocker.patch.object(Config, "JANUX_ENCRYPTION_KEY", "")
 
-    with pytest.raises(ValueError, match="Invalid configuration for PRIVATE_KEY"):
+    with pytest.raises(
+        ValueError, match="Missing `janux_encryption_key` for encryption."
+    ):
         Config.validate()
 
 
-def test_config_redis_connection(mocker):
+def test_read_secret_from_file(mocker):
     """
-    Test that Redis host and port are set correctly.
+    Test that secrets are correctly read from files.
 
     Expected Outcome:
-    - Config should properly set REDIS_HOST and REDIS_PORT.
+    - The function should return the secret value from a file.
     """
-    mocker.patch.object(Config, "REDIS_HOST", "fake_redis_host")
-    mocker.patch.object(Config, "REDIS_PORT", "6380")
+    secret_value = "mocked_secret_value"
+    mock_open_file = mock_open(read_data=secret_value)
 
-    assert Config.REDIS_HOST == "fake_redis_host"
-    assert Config.REDIS_PORT == "6380"
+    with patch("builtins.open", mock_open_file):
+        with patch("os.path.exists", return_value=True):
+            assert _read_secret("test_secret") == secret_value
 
 
-def test_config_secure_admin_defaults(mock_config):
+def test_read_secret_from_env(mocker):
     """
-    Test that the default admin role is set correctly.
+    Test that secrets are read from environment variables if files are unavailable.
 
     Expected Outcome:
-    - Default admin role should be 'super_admin'.
+    - The function should return the secret value from environment variables.
     """
-    assert Config.MONGO_ADMIN_ROLE == "super_admin"
+    mocker.patch.dict(os.environ, {"test_secret": "mocked_secret_from_env"})
+
+    with patch("os.path.exists", return_value=False):
+        assert _read_secret("test_secret") == "mocked_secret_from_env"
+
+
+def test_read_jwt_key_from_file(mocker):
+    """
+    Test that JWT keys are correctly read from files.
+
+    Expected Outcome:
+    - The function should return the key content from a file.
+    """
+    jwt_key_value = "mocked_jwt_key"
+    mock_open_file = mock_open(read_data=jwt_key_value)
+
+    with patch("builtins.open", mock_open_file):
+        with patch("os.path.exists", return_value=True):
+            assert _read_jwt_key("private") == jwt_key_value
 
 
-def test_config_secure_user_defaults(mock_config):
+def test_read_jwt_key_missing(mocker):
     """
-    Test that the default user role is set correctly.
+    Test that a ValueError is raised when no JWT key is found.
 
     Expected Outcome:
-    - Default user role should be 'user'.
+    - The function should raise a ValueError if no key file is found.
     """
-    assert Config.MONGO_USER_ROLE == "user"
+    with patch("os.path.exists", return_value=False):
+        with pytest.raises(ValueError, match="No private key file found"):
+            _read_jwt_key("private")