gendesign/backend/tests
Light1YT 3651c85f9b feat(rbac): enforce role-based access via X-Authenticated-User middleware
Backend-side enforcement поверх Caddy basic_auth — defense-in-depth для
12-юзеров на gendsgn.ru (admin + kopylov + 10 пилотных слотов).

- `auth/roles.yaml` — single source of truth: 2 роли (admin, pilot)
  + 12 user→role mappings. Bind-mounted в обоих backend контейнерах.
- `app/core/auth.py` (main + tradein-mvp mirror) — YAML loader через
  `pyyaml`, `get_role`/`get_user_scope`/`is_path_allowed` с fnmatch globs.
  Custom `_glob_to_regex` чтобы `/**` ≠ `/*` (matches multi-segment paths).
- `GET /api/v1/me` (main + tradein) — фронт читает scope при login,
  фильтрует nav по `allowed_paths`/`deny_paths`.
- `rbac_guard` middleware (main + tradein):
  * любой non-public path требует `X-Authenticated-User` → иначе 401
  * юзер должен быть в roles.yaml → иначе 403 («человек без ролей
    вообще ничего не видит» — decided 2026-05-25)
  * /api/v1/admin/* — только role=admin, иначе 403
- `Caddyfile` — `header_up X-Authenticated-User {http.auth.user.id}` в
  6 reverse_proxy блоках (gendsgn.ru main + trade-in + git.gendsgn.ru).
- Tests: 20 unit + integration в обоих стэках. Покрытие:
  no-header / unknown user / pilot / admin × admin-path / non-admin path.
  `_build_test_app()` копирует middleware inline, чтобы обойти heavy
  imports (weasyprint dlopen падает на macOS dev).

Public paths (/health, /docs, /redoc, /openapi.json) пропускаются —
X-Authenticated-User там просто не приходит из Caddy.

Frontend nav-filter + 403 fullscreen — отдельный PR B.
2026-05-26 11:14:47 +05:00
..
api feat(sf-b1): GET /parcels/by-bbox — map entry endpoint + parcel_user_status table (#336) 2026-05-17 21:25:48 +00:00
integration test(infra): integration phantom column gate (#197) (#216) 2026-05-16 13:07:13 +00:00
scrapers fix(#231): repair test_rate_limit_semaphore regression + docstring sync 2026-05-17 10:22:16 +03:00
services feat(22d): domrf_catalog_object scraper — fill ~25 NULL kn_objects cols from SSR __NEXT_DATA__ (#335) 2026-05-17 21:26:22 +00:00
smoke fix(parcels): _parse_floors handle int (post-migration #169) (#176) 2026-05-15 15:08:16 +03:00
workers feat(22d): catalog scraper — skip-today filter + force flag (#348) 2026-05-17 23:15:22 +00:00
__init__.py init 2026-04-25 13:45:19 +03:00
test_admin_weight_profiles.py feat(#114): seed 3 default weight presets + include_system API param 2026-05-16 22:49:56 +03:00
test_concepts_stub.py init 2026-04-25 13:45:19 +03:00
test_gate_verdict.py feat(#29,#232): wire cad_parcels.permitted_use in analyze + cad_zouit fallback (G2+G3) 2026-05-17 08:17:22 +03:00
test_health.py init 2026-04-25 13:45:19 +03:00
test_layout_signature.py feat(parcels): layout signature schemas + extractor (#113 PR A) (#193) 2026-05-16 07:52:34 +00:00
test_layout_tz_pdf.py feat(layouts): PDF ТЗ endpoint + BestLayoutsBlock UI (#113 PR D) (#199) 2026-05-16 09:53:05 +00:00
test_nspd_client.py fix(#231): address re-review blockers — per-instance semaphore + time_limit + test mocks 2026-05-17 10:13:34 +03:00
test_nspd_sync.py fix(#244): harvest_quarter — CAST CASE WHEN params (psycopg3 AmbiguousParameter) (#246) 2026-05-17 05:53:08 +00:00
test_poi_score.py feat(sf-b6): GET /parcels/{cad}/poi-score — weighted top-7 (#333) 2026-05-17 21:11:25 +00:00
test_quarter_dump_lookup.py feat(site-finder): integrate nspd_quarter_dumps cache в analyze_parcel (#94 Sprint 1.1 FINAL) (#116) 2026-05-13 09:14:19 +03:00
test_rbac.py feat(rbac): enforce role-based access via X-Authenticated-User middleware 2026-05-26 11:14:47 +05:00
test_sentry_init.py feat(backend): sentry-sdk init для FastAPI + Celery (#204 backend) (#207) 2026-05-16 15:09:16 +00:00
test_velocity.py feat(obj-3): SF backend migrate to objective_lots ground truth (price 0.3% -> 81%) (#324) 2026-05-17 20:08:17 +00:00
test_weight_profiles.py feat(site-finder): weight profiles service — Pydantic + CRUD (#114 sub-PR 2/4) (#137) 2026-05-15 00:29:37 +03:00