//! Test harness for in-process integration tests. pub mod client; pub mod db; pub mod email; pub mod storage; pub mod stripe; /// Compute SHA-256 hash of a SyncKit API key (mirrors server's hash_api_key). pub fn hash_api_key(api_key: &str) -> String { use sha2::Digest; hex::encode(sha2::Sha256::digest(api_key.as_bytes())) } use makenotwork::config::{Config, ScanConfig, StripeConfig}; use docengine::DocLoader; use makenotwork::email::{EmailClient, EmailConfig}; use makenotwork::payments::{PaymentProvider, StripeClient}; use makenotwork::scanning::ScanPipeline; use makenotwork::{build_app, AppState}; use sqlx::PgPool; use std::sync::Arc; use std::time::Instant; use tower_sessions::cookie::time::Duration as CookieDuration; use tower_sessions::cookie::SameSite; use tower_sessions::{Expiry, SessionManagerLayer}; use tower_sessions_sqlx_store::PostgresStore; use makenotwork::db::UserId; use self::client::TestClient; use self::db::TestDb; use self::storage::InMemoryStorage; /// Record a test's wall-clock duration to a shared timing file. /// Call at the end of a test with the test name and start instant. /// Results are appended to `/tmp/mnw-test-timing.csv` for analysis. #[allow(dead_code)] pub fn record_test_timing(name: &str, start: std::time::Instant) { let elapsed_ms = start.elapsed().as_millis(); let line = format!("{},{}\n", name, elapsed_ms); use std::io::Write; if let Ok(mut f) = std::fs::OpenOptions::new() .create(true) .append(true) .open("/tmp/mnw-test-timing.csv") { let _ = f.write_all(line.as_bytes()); } } /// Result of setting up a test creator with project and item. #[allow(dead_code)] pub struct CreatorSetup { pub user_id: UserId, pub project_id: String, pub item_id: String, pub slug: String, } /// Options for customizing a test harness build. #[derive(Default)] pub struct BuildOptions { pub storage: Option>, pub synckit_storage: Option>, pub stripe_client: Option>, pub scanner: Option>, pub admin_user_id: Option, pub existing_db: Option, pub postmark_webhook_token: Option, pub postmark_broadcast_webhook_token: Option, pub git_repos_path: Option, pub build_trigger_token: Option, pub postmark_inbound_webhook_token: Option, pub mt_base_url: Option, pub internal_shared_secret: Option, pub cli_service_token: Option, pub mock_email: Option>, pub cdn_base_url: Option, /// Site access gate. Defaults to `Open`; set to `FanPlusOrCreator` to test /// the testnot-style gate. pub access_gate: makenotwork::config::AccessGate, /// Delegated-login (SSO) provider config. `None` = local password form. pub sso: Option, } /// Full test harness: isolated database, in-process app, cookie-aware client. #[allow(dead_code)] pub struct TestHarness { pub client: TestClient, pub db: PgPool, pub storage: Option>, /// Mock email transport, if configured. Use `.sent()` to inspect sent emails. pub mock_email: Option>, /// Mock payment provider, if configured. Use `.checkouts()` to inspect created sessions. pub mock_stripe: Option>, /// Pieces needed to drain the scan worker synchronously from tests /// (`drain_scan_jobs`). `None` when the harness wasn't built with a scanner. scan_deps: Option, _test_db: TestDb, } struct ScanDeps { s3: Arc, pipeline: Arc, semaphore: Arc, } impl TestHarness { /// Spin up a fresh database, build the app, and return a ready-to-use harness. pub async fn new() -> Self { Self::build(BuildOptions::default()).await } /// Harness with in-memory storage backend. #[allow(dead_code)] pub async fn with_storage() -> Self { let mem = Arc::new(InMemoryStorage::new()); Self::build(BuildOptions { storage: Some(mem), ..Default::default() }).await } /// Harness with SyncKit in-memory storage backend (for OTA tests). #[allow(dead_code)] pub async fn with_synckit_storage() -> Self { let mem = Arc::new(InMemoryStorage::new()); Self::build(BuildOptions { synckit_storage: Some(mem), ..Default::default() }).await } /// Harness with in-memory storage + file scanning pipeline. #[allow(dead_code)] pub async fn with_storage_and_scanner() -> Self { let mem = Arc::new(InMemoryStorage::new()); let scanner = Self::no_op_scanner(); Self::build(BuildOptions { storage: Some(mem), scanner: Some(Arc::new(scanner)), ..Default::default() }).await } /// Harness with admin user + in-memory storage + file scanning pipeline. /// Returns (harness, admin_user_id). #[allow(dead_code)] pub async fn with_admin_storage_and_scanner() -> (Self, UserId) { let test_db = TestDb::new().await; let pool = test_db.pool.clone(); let admin_id = Self::insert_admin_user(&pool).await; let mem = Arc::new(InMemoryStorage::new()); let scanner = Self::no_op_scanner(); let harness = Self::build(BuildOptions { storage: Some(mem), scanner: Some(Arc::new(scanner)), admin_user_id: Some(admin_id), existing_db: Some(test_db), ..Default::default() }).await; (harness, admin_id) } /// Harness with Stripe client configured (fake key, known webhook secrets). #[allow(dead_code)] pub async fn with_stripe() -> Self { let stripe_config = StripeConfig { secret_key: "sk_test_fake_key_for_testing".to_string(), webhook_secret: vec![stripe::TEST_WEBHOOK_SECRET.to_string()], webhook_secret_v2: Some(stripe::TEST_WEBHOOK_SECRET_V2.to_string()), }; let stripe_client: Arc = Arc::new(StripeClient::new(&stripe_config)); Self::build(BuildOptions { stripe_client: Some(stripe_client), ..Default::default() }).await } /// Harness with mock Stripe + mock email for full payment flow testing. /// Access mocks via `harness.mock_stripe` and `harness.mock_email`. #[allow(dead_code)] pub async fn with_mocks() -> Self { let mock_stripe = Arc::new(stripe::MockPaymentProvider::new()); let mock_email = Arc::new(email::MockEmailTransport::new()); let mem = Arc::new(InMemoryStorage::new()); let mut harness = Self::build(BuildOptions { storage: Some(mem), stripe_client: Some(mock_stripe.clone() as Arc), mock_email: Some(mock_email), ..Default::default() }).await; harness.mock_stripe = Some(mock_stripe); harness } /// Harness with admin user configured. Returns (harness, admin_user_id). #[allow(dead_code)] pub async fn with_admin() -> (Self, UserId) { let test_db = TestDb::new().await; let pool = test_db.pool.clone(); let admin_id = Self::insert_admin_user(&pool).await; let harness = Self::build(BuildOptions { admin_user_id: Some(admin_id), existing_db: Some(test_db), ..Default::default() }).await; (harness, admin_id) } /// Harness with Postmark webhook token configured. #[allow(dead_code)] pub async fn with_postmark() -> Self { Self::build(BuildOptions { postmark_webhook_token: Some("test-postmark-token".to_string()), postmark_broadcast_webhook_token: Some("test-broadcast-token".to_string()), ..Default::default() }).await } /// Harness with git repos path configured. #[allow(dead_code)] pub async fn with_git_repos(path: String) -> Self { Self::build(BuildOptions { git_repos_path: Some(path), ..Default::default() }).await } /// Insert an admin user and return the ID. async fn insert_admin_user(pool: &PgPool) -> UserId { let password_hash = makenotwork::auth::hash_password("password123") .expect("hash_password for admin"); sqlx::query_scalar( "INSERT INTO users (username, email, password_hash, email_verified) VALUES ('admin', 'admin@test.com', $1, true) RETURNING id", ) .bind(&password_hash) .fetch_one(pool) .await .expect("Failed to insert admin user") } /// Create a no-op scan pipeline for tests. fn no_op_scanner() -> ScanPipeline { let scan_config = ScanConfig { clamav_socket: None, yara_rules_dir: "/nonexistent".to_string(), malwarebazaar_enabled: false, urlhaus_enabled: false, abuse_ch_auth_key: None, metadefender_api_key: None, yara_min_rule_files: 0, }; ScanPipeline::new(&scan_config).expect("ScanPipeline::new with no-op config") } /// Builder shared by all constructors. Public so workflow tests can use custom `BuildOptions`. pub async fn build(opts: BuildOptions) -> Self { let t0 = std::time::Instant::now(); let test_db = match opts.existing_db { Some(db) => db, None => TestDb::new().await, }; let pool = test_db.pool.clone(); // Create session store (migration already applied in template DB) let session_store = PostgresStore::new(pool.clone()); if !test_db.session_migrated { session_store .migrate() .await .expect("Failed to migrate session store"); } let session_layer = SessionManagerLayer::new(session_store) .with_secure(false) .with_same_site(SameSite::Lax) .with_expiry(Expiry::OnInactivity(CookieDuration::days(1))); // Minimal config — no S3, no Stripe (those come from opts) let config = Config { host: "127.0.0.1".parse().unwrap(), port: 0, database_url: String::new(), host_url: std::sync::Arc::from("http://localhost:3000"), signing_secret: "test-signing-secret-for-integration-tests".to_string(), storage: None, synckit_storage: None, stripe: None, admin_user_id: opts.admin_user_id, synckit_jwt_secret: Some("test-synckit-jwt-secret".to_string()), scan: None, git_repos_path: opts.git_repos_path, postmark_webhook_token: opts.postmark_webhook_token, postmark_broadcast_webhook_token: opts.postmark_broadcast_webhook_token, git_ssh_host: None, mt_base_url: None, fan_plus_price_id: None, creator_tier_prices: std::collections::HashMap::new(), creator_tier_annual_prices: std::collections::HashMap::new(), creator_tier_founder_prices: std::collections::HashMap::new(), creator_tier_founder_annual_prices: std::collections::HashMap::new(), creator_founder_window_open: false, build_trigger_token: opts.build_trigger_token, build_host_linux: None, build_host_darwin: None, cdn_base_url: opts.cdn_base_url.clone(), postmark_inbound_webhook_token: opts.postmark_inbound_webhook_token, internal_shared_secret: opts.internal_shared_secret.clone(), cli_service_token: opts.cli_service_token.clone(), wam_url: None, access_gate: opts.access_gate, sso: opts.sso.clone(), }; let mock_email_ref = opts.mock_email.clone(); let email = if let Some(ref mock) = opts.mock_email { EmailClient::with_transport(mock.clone() as Arc) } else { EmailClient::new(EmailConfig { postmark_token: None, from_address: "test@makenot.work".to_string(), from_name: "Test".to_string(), }, Some(pool.clone())) }; let rp_origin = url::Url::parse(&config.host_url).expect("test HOST_URL"); let rp_id = rp_origin.host_str().expect("test HOST_URL host").to_string(); let webauthn = Arc::new( webauthn_rs::WebauthnBuilder::new(&rp_id, &rp_origin) .expect("WebauthnBuilder") .rp_name("Test") .build() .expect("Webauthn"), ); // Convert InMemoryStorage to trait object let storage = opts.storage; let s3 = storage.clone().map(|s| s as Arc); let synckit_s3 = opts.synckit_storage.map(|s| s as Arc); let state = AppState { db: pool.clone(), config, tier_prices: makenotwork::tier_prices::TierPrices::default(), cost_allocation: makenotwork::tier_prices::CostAllocation::default(), runway_config: makenotwork::tier_prices::RunwayConfig::default(), s3, synckit_s3, stripe: opts.stripe_client, email, docs: Arc::new(DocLoader::load(std::path::Path::new("."), &docengine::DocLoaderConfig { sections: vec![], link_prefix: "/docs".to_string(), unpublished_pattern: None, examples_path: None, pre_process: None, })), scanner: opts.scanner, webauthn, syntax: None, started_at: chrono::Utc::now(), start_instant: Instant::now(), session_cache: Arc::new(dashmap::DashMap::new()), mt_client: opts.mt_base_url.zip(opts.internal_shared_secret).map( |(url, secret)| makenotwork::mt_client::MtClient::new(url, secret), ), wam: None, domain_cache: Arc::new(dashmap::DashMap::new()), restart_at: Arc::new(std::sync::atomic::AtomicI64::new(0)), sync_notify: Arc::new(dashmap::DashMap::new()), sse_connections: Arc::new(dashmap::DashMap::new()), metrics_handle: None, scan_semaphore: Arc::new(tokio::sync::Semaphore::new(4)), caddy_ask_semaphore: Arc::new(tokio::sync::Semaphore::new(8)), page_view_tx: makenotwork::db::page_views::spawn_batcher(pool.clone()), bg: makenotwork::background::spawn_pool(), }; // Capture scan deps before `build_app` consumes `state`. let scan_deps = match (state.scanner.clone(), state.s3.clone()) { (Some(pipeline), Some(s3)) => Some(ScanDeps { s3, pipeline, semaphore: state.scan_semaphore.clone(), }), _ => None, }; let app = build_app(state, session_layer); let client = TestClient::new(app); // Extract mock_stripe: if the stripe_client is a MockPaymentProvider, // we stored the Arc in BuildOptions.stripe_client. We can't downcast the // trait object, so with_mocks() stores the mock ref separately. For the // general build path, mock_stripe is None. let mock_stripe = None; // Set by with_mocks() post-build via direct field access let build_ms = t0.elapsed().as_millis(); if build_ms > 1000 { eprintln!("[test-harness] SLOW harness build: {}ms", build_ms); } TestHarness { client, db: pool, storage, mock_email: mock_email_ref, mock_stripe, scan_deps, _test_db: test_db, } } /// Sign up a new user via POST /join. Returns the user's ID. pub async fn signup(&mut self, username: &str, email: &str, password: &str) -> UserId { // Fetch a page first to establish session + CSRF self.client.fetch_csrf_token().await; let body = format!( "username={}&email={}&password={}", urlencoding::encode(username), urlencoding::encode(email), urlencoding::encode(password), ); let resp = self.client.post_form("/join/step/account", &body).await; assert!( resp.status.is_success() || resp.status.is_redirection(), "Signup failed with status {}: {}", resp.status, resp.text ); // Login rotates the CSRF token — fetch the new one self.client.fetch_csrf_token().await; // Look up the user in the database sqlx::query_scalar::<_, UserId>("SELECT id FROM users WHERE username = $1") .bind(username) .fetch_one(&self.db) .await .expect("User not found after signup") } /// Grant creator permissions to a user via direct SQL. pub async fn grant_creator(&self, user_id: UserId) { sqlx::query("UPDATE users SET can_create_projects = true WHERE id = $1") .bind(user_id) .execute(&self.db) .await .expect("Failed to grant creator"); } /// Trust a user for uploads via direct SQL. pub async fn trust_user(&self, user_id: UserId) { sqlx::query("UPDATE users SET upload_trusted = true WHERE id = $1") .bind(user_id) .execute(&self.db) .await .expect("Failed to trust user"); } /// Give a user an active creator tier subscription via direct SQL. /// Also syncs the denormalized `creator_tier` column on the users table. pub async fn grant_tier(&self, user_id: UserId, tier: &str) { sqlx::query( r#"INSERT INTO creator_subscriptions (user_id, stripe_subscription_id, stripe_customer_id, tier, status) VALUES ($1, 'sub_test_' || $1::text, 'cus_test_' || $1::text, $2, 'active') ON CONFLICT (user_id) DO UPDATE SET tier = $2, status = 'active'"#, ) .bind(user_id) .bind(tier) .execute(&self.db) .await .expect("Failed to grant tier"); sqlx::query("UPDATE users SET creator_tier = $2 WHERE id = $1") .bind(user_id) .bind(tier) .execute(&self.db) .await .expect("Failed to sync creator_tier"); } /// Suspend a user via direct SQL. #[allow(dead_code)] pub async fn suspend_user(&self, user_id: UserId) { sqlx::query("UPDATE users SET suspended_at = NOW(), suspension_reason = 'test suspension' WHERE id = $1") .bind(user_id) .execute(&self.db) .await .expect("Failed to suspend user"); } /// POST a single login attempt and return the response. Refreshes the /// CSRF token first so the new Manual-posture `/login` (Phase 2) accepts /// the form even when a previous `/logout` invalidated the cached token. /// Use this for negative-path login tests (lockout, suspended, wrong /// password) that need to inspect the response rather than asserting /// success like `login()` does. pub async fn failed_login_attempt(&mut self, login: &str, password: &str) -> client::TestResponse { self.client.fetch_csrf_token().await; let body = format!( "login={}&password={}", urlencoding::encode(login), urlencoding::encode(password), ); self.client.post_form("/login", &body).await } /// Synchronously drain queued scan jobs by running the worker loop in- /// process until the queue is empty. Mirrors the production worker pool /// without spawning a background task — integration tests call this /// between upload-confirm and any assertion on `scan_status`. pub async fn drain_scan_jobs(&self) { let Some(deps) = &self.scan_deps else { return }; let ctx = makenotwork::scanning::worker::WorkerContext { db: self.db.clone(), s3: deps.s3.clone(), pipeline: deps.pipeline.clone(), scan_semaphore: deps.semaphore.clone(), wam: None, }; // Hard cap to avoid an infinite loop if a job re-enqueues itself. for _ in 0..256 { match makenotwork::scanning::worker::process_next_for_test(&ctx).await { Ok(true) => continue, Ok(false) => return, Err(e) => panic!("scan worker drain failed: {e}"), } } panic!("drain_scan_jobs did not terminate within 256 iterations"); } /// Log in as an existing user via POST /login. The client's session /// cookies are updated automatically. pub async fn login(&mut self, login: &str, password: &str) { // Fetch CSRF token first self.client.fetch_csrf_token().await; let body = format!( "login={}&password={}", urlencoding::encode(login), urlencoding::encode(password), ); let resp = self.client.post_form("/login", &body).await; assert!( resp.status.is_success() || resp.status.is_redirection(), "Login failed with status {}: {}", resp.status, resp.text ); // Login rotates the CSRF token — fetch the new one self.client.fetch_csrf_token().await; } /// Create a test creator: signup, grant creator access, re-login. /// Uses password "password123" and email "{username}@test.com". pub async fn create_creator(&mut self, username: &str) -> UserId { let user_id = self.signup(username, &format!("{}@test.com", username), "password123").await; self.grant_creator(user_id).await; self.client.post_form("/logout", "").await; self.login(username, "password123").await; user_id } /// Create a test creator with a project and one item. Creator is logged in afterward. /// Project slug: "{username}-proj". Returns all created IDs. pub async fn create_creator_with_item( &mut self, username: &str, item_type: &str, price_cents: i64, ) -> CreatorSetup { let user_id = self.create_creator(username).await; let slug = format!("{}-proj", username); let resp = self .client .post_form("/api/projects", &format!("slug={}&title=Test+Project", slug)) .await; assert!(resp.status.is_success(), "Create project failed: {}", resp.text); let project: serde_json::Value = resp.json(); let project_id = project["id"].as_str().unwrap().to_string(); let resp = self .client .post_form( &format!("/api/projects/{}/items", project_id), &format!("title=Test+Item&item_type={}&price_cents={}", item_type, price_cents), ) .await; assert!(resp.status.is_success(), "Create item failed: {}", resp.text); let item: serde_json::Value = resp.json(); let item_id = item["id"].as_str().unwrap().to_string(); CreatorSetup { user_id, project_id, item_id, slug } } /// Connect a user's Stripe account via direct SQL. /// Sets stripe_account_id, stripe_charges_enabled, and stripe_onboarding_complete. /// Use after `create_creator()` for tests that need a Stripe-connected seller. pub async fn connect_stripe(&self, user_id: UserId, account_id: &str) { sqlx::query( "UPDATE users SET stripe_account_id = $2, stripe_charges_enabled = true, \ stripe_onboarding_complete = true, stripe_payouts_enabled = true WHERE id = $1", ) .bind(user_id) .bind(account_id) .execute(&self.db) .await .expect("Failed to connect Stripe"); } /// Publish both a project and an item. pub async fn publish_project_and_item(&mut self, project_id: &str, item_id: &str) { self.client .put_json( &format!("/api/projects/{}", project_id), r#"{"is_public": true}"#, ) .await; self.client .put_form(&format!("/api/items/{}", item_id), "is_public=true") .await; } }