""" Tests for ФАВТ Regulator Panel endpoints. Verifies access control, data format, and legal basis fields. """ import pytest from tests.conftest import * class TestRegulatorAccess: """Regulator endpoints require favt_inspector or admin role.""" def test_overview_requires_auth(self, client): resp = client.get("/api/v1/regulator/overview") assert resp.status_code in [401, 403] def test_overview_with_admin(self, client, auth_headers): resp = client.get("/api/v1/regulator/overview", headers=auth_headers) assert resp.status_code == 200 data = resp.json() assert "aircraft" in data assert "certification" in data assert "safety" in data assert "legal_basis" in data def test_overview_has_legal_basis(self, client, auth_headers): resp = client.get("/api/v1/regulator/overview", headers=auth_headers) data = resp.json() basis = data.get("legal_basis", []) assert any("ВК РФ" in b for b in basis) assert any("ICAO" in b for b in basis) def test_aircraft_register(self, client, auth_headers): resp = client.get("/api/v1/regulator/aircraft-register", headers=auth_headers) assert resp.status_code == 200 data = resp.json() assert "total" in data assert "items" in data assert "legal_basis" in data def test_aircraft_register_no_sensitive_data(self, client, auth_headers): """Verify no sensitive data (serial numbers, cost) is exposed.""" resp = client.get("/api/v1/regulator/aircraft-register", headers=auth_headers) data = resp.json() for item in data.get("items", []): assert "serial_number" not in item assert "cost" not in item assert "engine_serial" not in item def test_certifications(self, client, auth_headers): resp = client.get("/api/v1/regulator/certifications", headers=auth_headers) assert resp.status_code == 200 data = resp.json() assert "legal_basis" in data assert "ФАП-246" in data["legal_basis"] def test_certifications_no_personal_data(self, client, auth_headers): """Verify no personal data of applicants is exposed.""" resp = client.get("/api/v1/regulator/certifications", headers=auth_headers) data = resp.json() for item in data.get("items", []): assert "applicant_phone" not in item assert "applicant_email" not in item assert "passport" not in item def test_safety_indicators(self, client, auth_headers): resp = client.get("/api/v1/regulator/safety-indicators?days=90", headers=auth_headers) assert resp.status_code == 200 data = resp.json() assert "severity_distribution" in data assert "critical_unresolved" in data assert "ICAO Annex 19" in data.get("legal_basis", "") def test_audits(self, client, auth_headers): resp = client.get("/api/v1/regulator/audits?days=90", headers=auth_headers) assert resp.status_code == 200 data = resp.json() assert "total" in data assert "items" in data def test_audits_no_inspector_names(self, client, auth_headers): """Verify inspector names are not exposed.""" resp = client.get("/api/v1/regulator/audits", headers=auth_headers) data = resp.json() for item in data.get("items", []): assert "inspector_name" not in item assert "inspector_email" not in item def test_report_generation(self, client, auth_headers): resp = client.get("/api/v1/regulator/report", headers=auth_headers) assert resp.status_code == 200 data = resp.json() assert data["report_type"] == "ФАВТ oversight report" assert "overview" in data assert "safety" in data assert len(data.get("legal_basis", [])) >= 5 def test_report_has_all_legal_frameworks(self, client, auth_headers): """Report must cite all three legal frameworks: RF, ICAO, EASA.""" resp = client.get("/api/v1/regulator/report", headers=auth_headers) data = resp.json() basis = " ".join(data.get("legal_basis", [])) assert "ВК РФ" in basis, "Must cite Russian aviation code" assert "ICAO" in basis, "Must cite ICAO standards" assert "EASA" in basis, "Must cite EASA regulations" assert "ФАП" in basis, "Must cite Federal Aviation Rules"