՞i4dZddlmZddlZddlmcmZddl Z ddl Z ddl Z ddl m Z mZddlZdZGddZGdd ZGd d ZGd d ZGddZGddZGddZy)ua tests/infra/test_secrets.py Test suite for core/secrets — GenesisSecrets client + migrate_secrets helpers. Coverage breakdown: BB1 get_secret returns env var value (3 tests) BB2 get_secret returns default when key missing (2 tests) BB3 get_secret raises KeyError when no default + missing (2 tests) BB4 parse_env_file parses KEY=VALUE, quotes, comments (4 tests) WB1 Infisical client skipped when token/project absent (2 tests) WB2 Cache prevents repeated Infisical / env lookups (2 tests) WB3 clear_cache resets cache (1 test) All Infisical SDK calls are mocked — no real network traffic. # VERIFICATION_STAMP # Story: M1.04 — tests/infra/test_secrets.py # Verified By: parallel-builder # Verified At: 2026-02-25 # Tests: 16/16 # Coverage: 100% ) annotationsN) MagicMockpatchcttjjD]}d|vstj|=t j dS)zFReturn a freshly imported core.secrets.client with no singleton state.z core.secretszcore.secrets.client)listsysmoduleskeys importlib import_module)mod_names 1/mnt/e/genesis-system/tests/infra/test_secrets.py_fresh_client_moduler%sM))+,& X % H%&  " "#8 99c"eZdZdZdZdZdZy)TestBB1EnvVarResolutionz?get_secret reads from os.environ when Infisical is unavailable.c|jdd|jdd|jddt}|j}d}||}d}||k(}|st j d|fd||fd t jvst j|rt j|nd t j|t j|t j|t j|d z}d d |iz} tt j| d x}x}x}x}}y )z0Single well-known env var is returned unchanged. MY_TEST_KEY hello_worldINFISICAL_TOKENFraisingINFISICAL_PROJECT_ID==zP%(py6)s {%(py6)s = %(py2)s {%(py2)s = %(py0)s.get_secret }(%(py4)s) } == %(py9)smodpy0py2py4py6py9assert %(py11)spy11N setenvdelenvr get_secret @pytest_ar_call_reprcompare @py_builtinslocals_should_repr_global_name _safereprAssertionError_format_explanation self monkeypatchr @py_assert1 @py_assert3 @py_assert5 @py_assert8 @py_assert7 @py_format10 @py_format12s rtest_bb1_simple_env_varz/TestBB1EnvVarResolution.test_bb1_simple_env_var5s=-8,e<15A"$~~=m=~m,= =, ====, ======s===s===~===m===,=== ========rc|jdd|jdd|jddt}|j}d}||}d}||k(}|st j d|fd||fd t jvst j|rt j|nd t j|t j|t j|t j|d z}d d |iz} tt j| d x}x}x}x}}y )z>Env vars containing special characters survive the round-trip. SPECIAL_KEYzp@ssw0rd!#$%^&*rFrrrrrrr$r%Nr&r2s r(test_bb1_env_var_with_special_charactersz@TestBB1EnvVarResolution.test_bb1_env_var_with_special_characters?s=*;<,e<15A"$~~AmA~m,A0AA,0AAAAA,0AAAAAAAsAAAsAAA~AAAmAAA,AAA0AAAAAAAAArc|jdd|jdd|jddt}|j}|j}d}||}d}||k(}|st j d|fd||fd tjvst j|rt j|nd t j|t j|t j|t j|d z} d d | iz} tt j| d x}x}x}x}}y )z9'>9999'>999999v999v999z999,999'999>99999999rN)__name__ __module__ __qualname____doc__r<r?rHrrrr2sI>B:rrceZdZdZdZdZy)TestBB2DefaultFallbackz>When a key is absent, the caller-supplied default is returned.c|jdd|jdd|jddt}|jdd}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|d z}d d |iz}ttj|dx}}y)NMISSING_KEY_XYZFrrrfallback_valuedefaultrz%(py0)s == %(py3)sresultrpy3assert %(py5)spy5 r(rr)r*r+r,r-r.r/r0r1r3r4rrV @py_assert2r5 @py_format4 @py_format6s r)test_bb2_default_returned_for_missing_keyz@TestBB2DefaultFallback.test_bb2_default_returned_for_missing_keyZs,e<,e<15A"$ 1;KL))v)))))v)))))))v)))v)))))))))))rc|jdd|jdd|jddt}|jdd}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|d z}d d |iz}ttj|dx}}y)zCEmpty string default is a valid explicit default (not falsy guard). ABSENT_KEYFrrrrSrrUrVrWrYrZNr[r\s r test_bb2_default_is_empty_stringz7TestBB2DefaultFallback.test_bb2_default_is_empty_stringcs<7,e<15A"$ b9v|vvvrN)rIrJrKrLr`rdrMrrrOrOWsH*rrOceZdZdZdZdZy)TestBB3KeyErrorOnMissingzCKeyError is raised when a key is absent and no default is provided.c |jdd|jdd|jddt}tjtd5|j ddddy#1swYyxYw)NTOTALLY_ABSENTFrrr)match)r(rpytestraisesKeyErrorr))r3r4rs r#test_bb3_keyerror_raised_no_defaultz._writes&:%A LL7L 3q6Mr)rrqreturnrqrM)r3rrs ` rtmp_envzTestBB4ParseEnvFile.tmp_envs  rcr|d}tjjddddl}|jj dd}|jj |}|jj||j|}ddi}||k(}|stjd |fd ||fd tjvstj|rtj|nd tj|d z} d d| iz} t!tj"| dx}}y)z'Unquoted KEY=VALUE is parsed correctly.zMY_KEY=my_value rz/mnt/e/genesis-system/scriptsNmigrate_secrets0/mnt/e/genesis-system/scripts/migrate_secrets.pyMY_KEYmy_valuerrUrVrWrYrZ)rpathinsertimportlib.utilutilspec_from_file_locationmodule_from_specloader exec_moduleparse_env_filer*r+r,r-r.r/r0r1) r3rrr specrrVr]r5r^r_s rtest_bb4_bare_key_valuez+TestBB4ParseEnvFile.test_bb4_bare_key_values*+ :;~~55  > nn--d3 $##D)"J//v/////v///////v///v///////////rc:|d}tjjdd}tjj|}|jj ||j |}ddi}||k(}|stjd|fd||fdtjvstj|rtj|ndtj|d z}d d |iz} ttj| d x}}y ) z*Double-quoted values have quotes stripped.zQUOTED_KEY="some value" migrate_secrets2r QUOTED_KEYz some valuerrUrVrWrYrZNr rrrrrrr*r+r,r-r.r/r0r1 r3rrrrrVr]r5r^r_s rtest_bb4_double_quoted_valuez0TestBB4ParseEnvFile.test_bb4_double_quoted_values23~~55  > nn--d3 $##D)& 55v55555v5555555v555v55555555555rc0|d}tjjdd}tjj|}|jj ||j |}d}||v}|stjd|fd||ftj|dtjvstj|rtj|nddz}d d |iz} ttj| d x}}|j} d } | | } d } | | k(}|stjd|fd| | fdtjvstj|rtj|ndtj| tj| tj| tj| dz}dd|iz}ttj|d x} x} x} x}} y )z:Lines starting with # are treated as comments and skipped.z(# this is a comment REAL_KEY=real_value migrate_secrets3rz# this is a comment)not in)z%(py1)s not in %(py3)srV)rsrXrYrZNREAL_KEY real_valuerrCrr$r%)r rrrrrrr*r+r/r,r-r.r0r1rG)r3rrrrrVrwr]r^r_r5r6r7r8r9r:r;s rtest_bb4_comment_lines_skippedz2TestBB4ParseEnvFile.test_bb4_comment_lines_skippedsSCD~~55  > nn--d3 $##D)$2$F2222$F222$222222F222F2222222zz5*5z*%55%5555%555555v555v555z555*555%55555555555rc<|d}tjjdd}tjj|}|jj ||j |}ddd}||k(}|stjd|fd||fd tjvstj|rtj|nd tj|d z}d d |iz} ttj| d x}}y )z6Blank lines are ignored and do not produce empty keys.z KEY_A=val_a KEY_B=val_b migrate_secrets4rval_aval_b)KEY_AKEY_BrrUrVrWrYrZNrrs rtest_bb4_blank_lines_skippedz0TestBB4ParseEnvFile.test_bb4_blank_lines_skippeds;<~~55  > nn--d3 $##D)#*W==v=====v=======v===v===========rN) rIrJrKrLrjfixturerrrrrrMrrr|r|s4AV^^ 0 6 6 >rr|ceZdZdZdZdZy)TestWB1InfisicalSkippedz_infisical_client remains None when INFISICAL_TOKEN is absent.rFrrNisz9%(py2)s {%(py2)s = %(py0)s._infisical_client } is %(py5)srDrr rZassert %(py7)spy7) r(rrF_infisical_clientr*r+r,r-r.r/r0r1) r3r4rrDr5 @py_assert4r6r_ @py_format8s r#test_wb1_no_token_no_infisical_initz;TestWB1InfisicalSkipped.test_wb1_no_token_no_infisical_inits,e<15A"$##%''/4/'4////'4//////v///v///'///4///////rc |jdd|jddt}ttdrtjnt fd}t d|5|j dd }d d d j}d }||u}|stjd |fd ||fd tjvstj|rtj|nd tj|tj|dz}dd|iz} ttj| d x}x}}y #1swYxYw)z._mock_imports,&!"CDD"49$9&9 9rzbuiltins.__import__) side_effect)infisical_token project_idNrrrDrrr)r'rhasattr __builtins__rrrFrr*r+r,r-r.r/r0r1) r3r4rrrDr5rr6r_rrs @r-test_wb1_sdk_import_error_falls_back_silentlyzETestWB1InfisicalSkipped.test_wb1_sdk_import_error_falls_back_silentlys,l;13DE"$6=\<5X,11^h : (l C '' ,,(F  ''/4/'4////'4//////v///v///'///4///////   s (E  EN)rIrJrKrLrrrMrrrrsF00rrceZdZdZdZdZy)TestWB2CacheBehaviourz:Once a secret is resolved, subsequent calls use the cache.c|jdd|jdd|jddt}|j}|j d}d}||k(}|st j d|fd||fd tjvst j|rt j|nd t j|d z}d d |iz}tt j|d x}}|jd|j d} d}| |k(}|st j d|fd| |fdtjvst j| rt j| ndt j|d z}d d |iz}tt j|d x}}y )u After the first get() call, removing the env var has no effect — the value is already in the cache. CACHED_KEYoriginal_valuerFrrrrUfirstrWrYrZNsecondrE) r3r4rrDrr]r5r^r_rs r&test_wb2_env_var_read_once_then_cachedzrsr,# * :::J6888>>>>J 0 0N%3%3X77r