CalejoControl/tests/integration/test_protocol_security.py

"""
Simplified integration tests for protocol security features.

Tests security integration across OPC UA, Modbus TCP, and REST API protocols
without actually starting the servers.
"""

import pytest
from unittest.mock import Mock, patch

from src.core.setpoint_manager import SetpointManager
from src.core.emergency_stop import EmergencyStopManager
from src.core.security import SecurityManager
from src.core.tls_manager import TLSManager
from src.core.compliance_audit import ComplianceAuditLogger
from src.protocols.opcua_server import OPCUAServer
from src.protocols.modbus_server import ModbusServer
from src.protocols.rest_api import RESTAPIServer


@pytest.fixture
def mock_db_client():
    """Create mock database client."""
    return Mock()


@pytest.fixture
def security_components(mock_db_client):
    """Create security components for testing."""
    security_manager = SecurityManager()
    tls_manager = TLSManager()
    audit_logger = ComplianceAuditLogger(db_client=mock_db_client)
    
    return security_manager, tls_manager, audit_logger


@pytest.fixture
def setpoint_manager(mock_db_client):
    """Create setpoint manager for testing."""
    # Create mock dependencies
    mock_discovery = Mock()
    mock_safety_enforcer = Mock()
    mock_emergency_stop_manager = Mock()
    mock_watchdog = Mock()
    
    # Configure mocks
    mock_safety_enforcer.enforce_limits = Mock(return_value=40.0)
    mock_emergency_stop_manager.is_emergency_stop_active = Mock(return_value=False)
    mock_watchdog.is_failsafe_active = Mock(return_value=False)
    
    manager = SetpointManager(
        discovery=mock_discovery,
        db_client=mock_db_client,
        safety_enforcer=mock_safety_enforcer,
        emergency_stop_manager=mock_emergency_stop_manager,
        watchdog=mock_watchdog
    )
    
    return manager


@pytest.fixture
def emergency_stop_manager(mock_db_client):
    """Create emergency stop manager for testing."""
    return EmergencyStopManager(db_client=mock_db_client)


class TestProtocolSecurityIntegration:
    """Integration tests for protocol security features."""
    
    def test_opcua_security_integration(
        self, 
        setpoint_manager, 
        security_components
    ):
        """Test OPC UA server security integration."""
        security_manager, tls_manager, audit_logger = security_components

        # Create OPC UA server with security enabled
        opcua_server = OPCUAServer(
            setpoint_manager=setpoint_manager,
            security_manager=security_manager,
            audit_logger=audit_logger,
            enable_security=True,
            endpoint="opc.tcp://127.0.0.1:4841"
        )

        # Verify security configuration
        security_status = opcua_server.get_security_status()
        assert security_status["security_enabled"] == True
        assert security_status["connected_clients"] == 0
        
        # Check that security manager is properly integrated
        assert opcua_server.security_manager == security_manager
        assert opcua_server.audit_logger == audit_logger
    
    def test_modbus_security_integration(
        self, 
        setpoint_manager, 
        security_components
    ):
        """Test Modbus TCP server security integration."""
        security_manager, tls_manager, audit_logger = security_components

        # Create Modbus server with security enabled
        modbus_server = ModbusServer(
            setpoint_manager=setpoint_manager,
            security_manager=security_manager,
            audit_logger=audit_logger,
            enable_security=True,
            allowed_ips=["127.0.0.1"],
            rate_limit_per_minute=100,
            host="127.0.0.1",
            port=5021
        )

        # Verify security configuration
        security_status = modbus_server.get_security_status()
        assert security_status["security_enabled"] == True
        assert security_status["connected_clients"] == 0
        assert security_status["allowed_ips"] == ["127.0.0.1"]
        assert security_status["rate_limit_per_minute"] == 100
        
        # Check that security manager is properly integrated
        assert modbus_server.security_manager == security_manager
        assert modbus_server.audit_logger == audit_logger
    
    def test_rest_api_security_integration(
        self, 
        setpoint_manager, 
        emergency_stop_manager,
        security_components
    ):
        """Test REST API security integration."""
        security_manager, tls_manager, audit_logger = security_components

        # Create REST API server
        rest_api = RESTAPIServer(
            setpoint_manager=setpoint_manager,
            emergency_stop_manager=emergency_stop_manager,
            host="127.0.0.1",
            port=8001
        )

        # Verify that security dependencies are properly configured
        assert rest_api.app is not None
        
        # Check that security endpoints are registered
        routes = [route.path for route in rest_api.app.routes]
        assert "/api/v1/auth/login" in routes
        assert "/api/v1/auth/me" in routes
        assert "/api/v1/security/status" in routes
    
    def test_protocol_security_audit_logging(
        self, 
        setpoint_manager, 
        security_components
    ):
        """Test that security events are properly logged across protocols."""
        security_manager, tls_manager, audit_logger = security_components

        # Create servers
        opcua_server = OPCUAServer(
            setpoint_manager=setpoint_manager,
            security_manager=security_manager,
            audit_logger=audit_logger,
            enable_security=True,
            endpoint="opc.tcp://127.0.0.1:4842"
        )

        modbus_server = ModbusServer(
            setpoint_manager=setpoint_manager,
            security_manager=security_manager,
            audit_logger=audit_logger,
            enable_security=True,
            host="127.0.0.1",
            port=5022
        )

        # Verify audit logger is shared between protocols
        assert opcua_server.audit_logger == audit_logger
        assert modbus_server.audit_logger == audit_logger
        
        # Verify security managers are shared
        assert opcua_server.security_manager == security_manager
        assert modbus_server.security_manager == security_manager
    
    def test_security_status_endpoints(
        self, 
        setpoint_manager, 
        security_components
    ):
        """Test that security status endpoints work correctly."""
        security_manager, tls_manager, audit_logger = security_components

        # Create servers
        opcua_server = OPCUAServer(
            setpoint_manager=setpoint_manager,
            security_manager=security_manager,
            audit_logger=audit_logger,
            enable_security=True,
            endpoint="opc.tcp://127.0.0.1:4843"
        )

        modbus_server = ModbusServer(
            setpoint_manager=setpoint_manager,
            security_manager=security_manager,
            audit_logger=audit_logger,
            enable_security=True,
            host="127.0.0.1",
            port=5023
        )

        # Test OPC UA security status
        opcua_status = opcua_server.get_security_status()
        assert isinstance(opcua_status, dict)
        assert 'security_enabled' in opcua_status
        assert 'connected_clients' in opcua_status
        assert 'certificate_configured' in opcua_status

        # Test Modbus security status
        modbus_status = modbus_server.get_security_status()
        assert isinstance(modbus_status, dict)
        assert 'security_enabled' in modbus_status
        assert 'connected_clients' in modbus_status
        assert 'allowed_ips' in modbus_status
        assert 'rate_limit_per_minute' in modbus_status


class TestProtocolSecurityConfiguration:
    """Tests for protocol security configuration options."""
    
    def test_opcua_security_disabled(self, setpoint_manager, security_components):
        """Test OPC UA server with security disabled."""
        security_manager, tls_manager, audit_logger = security_components

        opcua_server = OPCUAServer(
            setpoint_manager=setpoint_manager,
            security_manager=security_manager,
            audit_logger=audit_logger,
            enable_security=False,
            endpoint="opc.tcp://127.0.0.1:4844"
        )

        security_status = opcua_server.get_security_status()
        assert security_status["security_enabled"] == False
    
    def test_modbus_security_disabled(self, setpoint_manager, security_components):
        """Test Modbus server with security disabled."""
        security_manager, tls_manager, audit_logger = security_components

        modbus_server = ModbusServer(
            setpoint_manager=setpoint_manager,
            security_manager=security_manager,
            audit_logger=audit_logger,
            enable_security=False,
            host="127.0.0.1",
            port=5024
        )

        security_status = modbus_server.get_security_status()
        assert security_status["security_enabled"] == False
    
    def test_modbus_rate_limiting(self, setpoint_manager, security_components):
        """Test Modbus server rate limiting functionality."""
        security_manager, tls_manager, audit_logger = security_components

        modbus_server = ModbusServer(
            setpoint_manager=setpoint_manager,
            security_manager=security_manager,
            audit_logger=audit_logger,
            enable_security=True,
            rate_limit_per_minute=5,  # Very low limit for testing
            host="127.0.0.1",
            port=5025
        )

        # Test rate limiting configuration
        security_status = modbus_server.get_security_status()
        assert security_status["rate_limit_per_minute"] == 5
Phase 5: Complete Protocol Server Security Enhancement - Enhanced OPC UA Server with certificate-based authentication, RBAC, and security event logging - Enhanced Modbus TCP Server with IP-based access control, rate limiting, and security monitoring - Completed REST API security integration with setpoint write operations and security status endpoint - Created comprehensive protocol security integration tests (8/8 tests passing) - All 197 tests passing across the entire codebase Security Features Implemented: - OPC UA: Certificate authentication, client tracking, RBAC node access control - Modbus TCP: IP filtering, rate limiting, security monitoring, security registers - REST API: Setpoint write operations with authorization, security status endpoint - Cross-protocol: Shared security manager and audit logger integration 2025-10-27 20:59:19 +00:00			`"""`
			`Simplified integration tests for protocol security features.`

			`Tests security integration across OPC UA, Modbus TCP, and REST API protocols`
			`without actually starting the servers.`
			`"""`

			`import pytest`
			`from unittest.mock import Mock, patch`

			`from src.core.setpoint_manager import SetpointManager`
			`from src.core.emergency_stop import EmergencyStopManager`
			`from src.core.security import SecurityManager`
			`from src.core.tls_manager import TLSManager`
			`from src.core.compliance_audit import ComplianceAuditLogger`
			`from src.protocols.opcua_server import OPCUAServer`
			`from src.protocols.modbus_server import ModbusServer`
			`from src.protocols.rest_api import RESTAPIServer`


			`@pytest.fixture`
			`def mock_db_client():`
			`"""Create mock database client."""`
			`return Mock()`


			`@pytest.fixture`
			`def security_components(mock_db_client):`
			`"""Create security components for testing."""`
			`security_manager = SecurityManager()`
			`tls_manager = TLSManager()`
			`audit_logger = ComplianceAuditLogger(db_client=mock_db_client)`

			`return security_manager, tls_manager, audit_logger`


			`@pytest.fixture`
			`def setpoint_manager(mock_db_client):`
			`"""Create setpoint manager for testing."""`
			`# Create mock dependencies`
			`mock_discovery = Mock()`
			`mock_safety_enforcer = Mock()`
			`mock_emergency_stop_manager = Mock()`
			`mock_watchdog = Mock()`

			`# Configure mocks`
			`mock_safety_enforcer.enforce_limits = Mock(return_value=40.0)`
			`mock_emergency_stop_manager.is_emergency_stop_active = Mock(return_value=False)`
			`mock_watchdog.is_failsafe_active = Mock(return_value=False)`

			`manager = SetpointManager(`
			`discovery=mock_discovery,`
			`db_client=mock_db_client,`
			`safety_enforcer=mock_safety_enforcer,`
			`emergency_stop_manager=mock_emergency_stop_manager,`
			`watchdog=mock_watchdog`
			`)`

			`return manager`


			`@pytest.fixture`
			`def emergency_stop_manager(mock_db_client):`
			`"""Create emergency stop manager for testing."""`
			`return EmergencyStopManager(db_client=mock_db_client)`


			`class TestProtocolSecurityIntegration:`
			`"""Integration tests for protocol security features."""`

			`def test_opcua_security_integration(`
			`self,`
			`setpoint_manager,`
			`security_components`
			`):`
			`"""Test OPC UA server security integration."""`
			`security_manager, tls_manager, audit_logger = security_components`

			`# Create OPC UA server with security enabled`
			`opcua_server = OPCUAServer(`
			`setpoint_manager=setpoint_manager,`
			`security_manager=security_manager,`
			`audit_logger=audit_logger,`
			`enable_security=True,`
			`endpoint="opc.tcp://127.0.0.1:4841"`
			`)`

			`# Verify security configuration`
			`security_status = opcua_server.get_security_status()`
			`assert security_status["security_enabled"] == True`
			`assert security_status["connected_clients"] == 0`

			`# Check that security manager is properly integrated`
			`assert opcua_server.security_manager == security_manager`
			`assert opcua_server.audit_logger == audit_logger`

			`def test_modbus_security_integration(`
			`self,`
			`setpoint_manager,`
			`security_components`
			`):`
			`"""Test Modbus TCP server security integration."""`
			`security_manager, tls_manager, audit_logger = security_components`

			`# Create Modbus server with security enabled`
			`modbus_server = ModbusServer(`
			`setpoint_manager=setpoint_manager,`
			`security_manager=security_manager,`
			`audit_logger=audit_logger,`
			`enable_security=True,`
			`allowed_ips=["127.0.0.1"],`
			`rate_limit_per_minute=100,`
			`host="127.0.0.1",`
			`port=5021`
			`)`

			`# Verify security configuration`
			`security_status = modbus_server.get_security_status()`
			`assert security_status["security_enabled"] == True`
			`assert security_status["connected_clients"] == 0`
			`assert security_status["allowed_ips"] == ["127.0.0.1"]`
			`assert security_status["rate_limit_per_minute"] == 100`

			`# Check that security manager is properly integrated`
			`assert modbus_server.security_manager == security_manager`
			`assert modbus_server.audit_logger == audit_logger`

			`def test_rest_api_security_integration(`
			`self,`
			`setpoint_manager,`
			`emergency_stop_manager,`
			`security_components`
			`):`
			`"""Test REST API security integration."""`
			`security_manager, tls_manager, audit_logger = security_components`

			`# Create REST API server`
			`rest_api = RESTAPIServer(`
			`setpoint_manager=setpoint_manager,`
			`emergency_stop_manager=emergency_stop_manager,`
			`host="127.0.0.1",`
			`port=8001`
			`)`

			`# Verify that security dependencies are properly configured`
			`assert rest_api.app is not None`

			`# Check that security endpoints are registered`
			`routes = [route.path for route in rest_api.app.routes]`
			`assert "/api/v1/auth/login" in routes`
			`assert "/api/v1/auth/me" in routes`
			`assert "/api/v1/security/status" in routes`

			`def test_protocol_security_audit_logging(`
			`self,`
			`setpoint_manager,`
			`security_components`
			`):`
			`"""Test that security events are properly logged across protocols."""`
			`security_manager, tls_manager, audit_logger = security_components`

			`# Create servers`
			`opcua_server = OPCUAServer(`
			`setpoint_manager=setpoint_manager,`
			`security_manager=security_manager,`
			`audit_logger=audit_logger,`
			`enable_security=True,`
			`endpoint="opc.tcp://127.0.0.1:4842"`
			`)`

			`modbus_server = ModbusServer(`
			`setpoint_manager=setpoint_manager,`
			`security_manager=security_manager,`
			`audit_logger=audit_logger,`
			`enable_security=True,`
			`host="127.0.0.1",`
			`port=5022`
			`)`

			`# Verify audit logger is shared between protocols`
			`assert opcua_server.audit_logger == audit_logger`
			`assert modbus_server.audit_logger == audit_logger`

			`# Verify security managers are shared`
			`assert opcua_server.security_manager == security_manager`
			`assert modbus_server.security_manager == security_manager`

			`def test_security_status_endpoints(`
			`self,`
			`setpoint_manager,`
			`security_components`
			`):`
			`"""Test that security status endpoints work correctly."""`
			`security_manager, tls_manager, audit_logger = security_components`

			`# Create servers`
			`opcua_server = OPCUAServer(`
			`setpoint_manager=setpoint_manager,`
			`security_manager=security_manager,`
			`audit_logger=audit_logger,`
			`enable_security=True,`
			`endpoint="opc.tcp://127.0.0.1:4843"`
			`)`

			`modbus_server = ModbusServer(`
			`setpoint_manager=setpoint_manager,`
			`security_manager=security_manager,`
			`audit_logger=audit_logger,`
			`enable_security=True,`
			`host="127.0.0.1",`
			`port=5023`
			`)`

			`# Test OPC UA security status`
			`opcua_status = opcua_server.get_security_status()`
			`assert isinstance(opcua_status, dict)`
			`assert 'security_enabled' in opcua_status`
			`assert 'connected_clients' in opcua_status`
			`assert 'certificate_configured' in opcua_status`

			`# Test Modbus security status`
			`modbus_status = modbus_server.get_security_status()`
			`assert isinstance(modbus_status, dict)`
			`assert 'security_enabled' in modbus_status`
			`assert 'connected_clients' in modbus_status`
			`assert 'allowed_ips' in modbus_status`
			`assert 'rate_limit_per_minute' in modbus_status`


			`class TestProtocolSecurityConfiguration:`
			`"""Tests for protocol security configuration options."""`

			`def test_opcua_security_disabled(self, setpoint_manager, security_components):`
			`"""Test OPC UA server with security disabled."""`
			`security_manager, tls_manager, audit_logger = security_components`

			`opcua_server = OPCUAServer(`
			`setpoint_manager=setpoint_manager,`
			`security_manager=security_manager,`
			`audit_logger=audit_logger,`
			`enable_security=False,`
			`endpoint="opc.tcp://127.0.0.1:4844"`
			`)`

			`security_status = opcua_server.get_security_status()`
			`assert security_status["security_enabled"] == False`

			`def test_modbus_security_disabled(self, setpoint_manager, security_components):`
			`"""Test Modbus server with security disabled."""`
			`security_manager, tls_manager, audit_logger = security_components`

			`modbus_server = ModbusServer(`
			`setpoint_manager=setpoint_manager,`
			`security_manager=security_manager,`
			`audit_logger=audit_logger,`
			`enable_security=False,`
			`host="127.0.0.1",`
			`port=5024`
			`)`

			`security_status = modbus_server.get_security_status()`
			`assert security_status["security_enabled"] == False`

			`def test_modbus_rate_limiting(self, setpoint_manager, security_components):`
			`"""Test Modbus server rate limiting functionality."""`
			`security_manager, tls_manager, audit_logger = security_components`

			`modbus_server = ModbusServer(`
			`setpoint_manager=setpoint_manager,`
			`security_manager=security_manager,`
			`audit_logger=audit_logger,`
			`enable_security=True,`
			`rate_limit_per_minute=5, # Very low limit for testing`
			`host="127.0.0.1",`
			`port=5025`
			`)`

			`# Test rate limiting configuration`
			`security_status = modbus_server.get_security_status()`
			`assert security_status["rate_limit_per_minute"] == 5`