Update tests

Author: ahmedxgouda

backend/.env.example

@@ -4,7 +4,7 @@ DJANGO_ALGOLIA_WRITE_API_KEY=None
 DJANGO_ALLOWED_HOSTS=*
 DJANGO_AWS_ACCESS_KEY_ID=None
 DJANGO_AWS_KMS_KEY_ID=None
-DJANGO_AWS_REGION=None
+DJANGO_AWS_REGION=your-aws-region
 DJANGO_AWS_SECRET_ACCESS_KEY=None
 DJANGO_CONFIGURATION=Test
 DJANGO_DB_HOST=None

backend/apps/common/clients.py

@@ -29,8 +29,6 @@ def __init__(self):
         self.client = boto3.client(
             "kms",
             region_name=settings.AWS_REGION,
-            aws_access_key_id=settings.AWS_ACCESS_KEY_ID,
-            aws_secret_access_key=settings.AWS_SECRET_ACCESS_KEY,
         )
 
     def decrypt(self, text: bytes) -> str:

backend/settings/base.py

@@ -15,10 +15,10 @@ class Base(Configuration):
 
     ALLOWED_HOSTS = values.ListValue()
     AUTH_USER_MODEL = "nest.User"
-    AWS_ACCESS_KEY_ID = None
-    AWS_KMS_KEY_ID = None
-    AWS_REGION = None
-    AWS_SECRET_ACCESS_KEY = None
+    AWS_KMS_KEY_ID = values.Value(environ_name="AWS_KMS_KEY_ID", default=None)
+    AWS_ACCESS_KEY_ID = values.SecretValue(environ_name="AWS_ACCESS_KEY_ID", default=None)
+    AWS_SECRET_ACCESS_KEY = values.SecretValue(environ_name="AWS_SECRET_ACCESS_KEY", default=None)
+    AWS_REGION = values.Value(environ_name="AWS_REGION", default=None)
     CORS_ALLOW_CREDENTIALS = True
     DEBUG = False
     GITHUB_APP_ID = None
@@ -29,12 +29,6 @@ class Base(Configuration):
 
     IS_AWS_KMS_ENABLED = values.BooleanValue(environ_name="IS_AWS_KMS_ENABLED", default=False)
 
-    if IS_AWS_KMS_ENABLED:
-        AWS_KMS_KEY_ID = values.Value(environ_name="AWS_KMS_KEY_ID")
-        AWS_ACCESS_KEY_ID = values.SecretValue(environ_name="AWS_ACCESS_KEY_ID")
-        AWS_SECRET_ACCESS_KEY = values.SecretValue(environ_name="AWS_SECRET_ACCESS_KEY")
-        AWS_REGION = values.Value(environ_name="AWS_REGION")
-
     IS_GOOGLE_AUTH_ENABLED = all(
         value not in (None, "None", "")
         for value in (GOOGLE_AUTH_CLIENT_ID, GOOGLE_AUTH_CLIENT_SECRET, GOOGLE_AUTH_REDIRECT_URI)

backend/tests/apps/common/clients_test.py

@@ -0,0 +1,42 @@
+"""Test cases for API clients."""
+
+from unittest.mock import Mock, patch
+
+import pytest
+from django.test.utils import override_settings
+
+from apps.common.clients import KmsClient
+
+
+class TestKmsClient:
+    """Test cases for KMS client."""
+
+    @pytest.fixture(autouse=True)
+    def setup(self):
+        """Set up mock KMS client."""
+        with patch("boto3.client") as mock_boto3_client:
+            self.mock_boto3_client = mock_boto3_client
+            self.mock_kms_client = Mock()
+            self.mock_boto3_client.return_value = self.mock_kms_client
+            self.kms_client = KmsClient()
+
+    @override_settings(AWS_REGION="us-west-2", AWS_KMS_KEY_ID="test_key_id")
+    def test_encrypt(self):
+        """Test encryption."""
+        plaintext = "test"
+        self.mock_kms_client.encrypt.return_value = {"CiphertextBlob": b"encrypted"}
+        ciphertext = self.kms_client.encrypt(plaintext)
+        assert ciphertext != plaintext
+        self.mock_kms_client.encrypt.assert_called_once_with(
+            Plaintext=plaintext.encode("utf-8"), KeyId="test_key_id"
+        )
+
+    @override_settings(AWS_REGION="us-west-2", AWS_KMS_KEY_ID="test_key_id")
+    def test_decrypt(self):
+        """Test decryption."""
+        self.mock_kms_client.decrypt.return_value = {"Plaintext": b"test"}
+        decrypted = self.kms_client.decrypt(b"encrypted")
+        assert decrypted == "test"
+        self.mock_kms_client.decrypt.assert_called_once_with(
+            CiphertextBlob=b"encrypted", KeyId="test_key_id"
+        )

backend/tests/apps/slack/models/google_auth_test.py

@@ -24,6 +24,10 @@ def setUp(self):
         self.valid_refresh_token = b"valid_refresh_token"
         self.expired_time = timezone.now() - timedelta(hours=1)
         self.future_time = timezone.now() + timedelta(hours=1)
+        with patch("boto3.client") as mock_boto3_client:
+            self.mock_boto3_client = mock_boto3_client
+            self.mock_kms_client = Mock()
+            self.mock_boto3_client.return_value = self.mock_kms_client
 
     def test_google_auth_creation(self):
         """Test GoogleAuth model creation."""
@@ -261,8 +265,15 @@ def test_authenticate_callback_google_auth_disabled(self):
         with pytest.raises(ValueError, match="Google OAuth client ID"):
             GoogleAuth.authenticate_callback(auth_response={}, member_id=4)
 
+    @override_settings(IS_AWS_KMS_ENABLED=False, IS_GOOGLE_AUTH_ENABLED=True)
+    def test_authenticate_callback_kms_disabled(self):
+        """Test authenticate_callback raises error when AWS KMS is disabled."""
+        with pytest.raises(ValueError, match="AWS KMS is not enabled"):
+            GoogleAuth.authenticate_callback(auth_response={}, member_id=4)
+
     @override_settings(
         IS_GOOGLE_AUTH_ENABLED=True,
+        IS_AWS_KMS_ENABLED=True,
         GOOGLE_AUTH_CLIENT_ID="test_client_id",
         GOOGLE_AUTH_CLIENT_SECRET="test_client_secret",  # noqa: S106
         GOOGLE_AUTH_REDIRECT_URI="http://localhost:8000/callback",
@@ -271,8 +282,9 @@ def test_authenticate_callback_google_auth_disabled(self):
     @patch("apps.slack.models.google_auth.GoogleAuth.objects.get_or_create")
     @patch("apps.slack.models.google_auth.GoogleAuth.save")
     @patch("apps.slack.models.google_auth.Member.objects.get")
+    @patch("apps.slack.models.google_auth.GoogleAuth.get_kms_client")
     def test_authenticate_callback_success(
-        self, mock_member_get, mock_save, mock_get_or_create, mock_get_flow
+        self, mock_get_kms_client, mock_member_get, mock_save, mock_get_or_create, mock_get_flow
     ):
         """Test successful authenticate_callback."""
         mock_credentials = Mock()
@@ -285,17 +297,22 @@ def test_authenticate_callback_success(
         mock_member_get.return_value = self.member
         mock_get_flow.return_value = mock_flow_instance
         mock_get_or_create.return_value = (GoogleAuth(member=self.member), False)
+
+        mock_get_kms_client.return_value.encrypt.return_value = b"encrypted_token"
         result = GoogleAuth.authenticate_callback({}, member_id=self.member.slack_user_id)
 
-        assert result.access_token == b"token"
-        assert result.refresh_token == b"refresh_token"
+        assert result.access_token == b"encrypted_token"
+        assert result.refresh_token == b"encrypted_token"
         assert result.expires_at == self.future_time
         mock_get_or_create.assert_called_once_with(member=self.member)
         mock_save.assert_called_once()
         mock_flow_instance.fetch_token.assert_called_once_with(authorization_response={})
+        mock_get_kms_client.return_value.encrypt.assert_any_call(b"token")
+        mock_get_kms_client.return_value.encrypt.assert_any_call(b"refresh_token")
 
     @override_settings(
         IS_GOOGLE_AUTH_ENABLED=True,
+        IS_AWS_KMS_ENABLED=True,
         GOOGLE_AUTH_CLIENT_ID="test_client_id",
         GOOGLE_AUTH_CLIENT_SECRET="test_client_secret",  # noqa: S106
         GOOGLE_AUTH_REDIRECT_URI="http://localhost:8000/callback",
@@ -306,3 +323,49 @@ def test_authenticate_callback_member_not_found(self, mock_member_get):
         mock_member_get.side_effect = Member.DoesNotExist
         with pytest.raises(ValidationError, match="Member with Slack ID 4 does not exist."):
             GoogleAuth.authenticate_callback(auth_response={}, member_id=4)
+
+    @override_settings(
+        IS_GOOGLE_AUTH_ENABLED=True,
+        IS_AWS_KMS_ENABLED=True,
+        GOOGLE_AUTH_CLIENT_ID="test_client_id",
+        GOOGLE_AUTH_CLIENT_SECRET="test_client_secret",  # noqa: S106
+        GOOGLE_AUTH_REDIRECT_URI="http://localhost:8000/callback",
+    )
+    @patch("apps.slack.models.google_auth.GoogleAuth.get_kms_client")
+    def test_return_decrypted_access_token(self, mock_get_kms_client):
+        """Test return_decrypted_access_token returns decrypted token."""
+        auth = GoogleAuth(
+            member=self.member,
+            access_token=b"encrypted_token",
+            refresh_token=b"encrypted_token",
+            expires_at=self.future_time,
+        )
+        mock_get_kms_client.return_value.decrypt.return_value = "decrypted_token"
+        result = auth.access_token_str
+        assert result == "decrypted_token"
+
+    @override_settings(
+        IS_GOOGLE_AUTH_ENABLED=True,
+        IS_AWS_KMS_ENABLED=True,
+        GOOGLE_AUTH_CLIENT_ID="test_client_id",
+        GOOGLE_AUTH_CLIENT_SECRET="test_client_secret",  # noqa: S106
+        GOOGLE_AUTH_REDIRECT_URI="http://localhost:8000/callback",
+    )
+    @patch("apps.slack.models.google_auth.GoogleAuth.get_kms_client")
+    def test_return_decrypted_refresh_token(self, mock_get_kms_client):
+        """Test return_decrypted_refresh_token returns decrypted token."""
+        auth = GoogleAuth(
+            member=self.member,
+            access_token=b"encrypted_token",
+            refresh_token=b"encrypted_token",
+            expires_at=self.future_time,
+        )
+        mock_get_kms_client.return_value.decrypt.return_value = "decrypted_token"
+        result = auth.refresh_token_str
+        assert result == "decrypted_token"
+
+    @override_settings(IS_AWS_KMS_ENABLED=False)
+    def test_get_kms_client_error(self):
+        """Test get_kms_client raises error when KMS is disabled."""
+        with pytest.raises(ValueError, match="AWS KMS is not enabled."):
+            GoogleAuth.get_kms_client()