Migrate UI backend from direct storage calls to S3 API proxy via boto3

tests/test_ui_policy.py

@@ -1,10 +1,13 @@
 import io
 import json
+import threading
 from pathlib import Path
 
 import pytest
+from werkzeug.serving import make_server
 
 from app import create_app
+from app.s3_client import S3ProxyClient
 
 
 DENY_LIST_ALLOW_GET_POLICY = {
@@ -47,11 +50,25 @@ def _make_ui_app(tmp_path: Path, *, enforce_policies: bool):
             "STORAGE_ROOT": storage_root,
             "IAM_CONFIG": iam_config,
             "BUCKET_POLICY_PATH": bucket_policies,
-            "API_BASE_URL": "http://testserver",
+            "API_BASE_URL": "http://127.0.0.1:0",
             "SECRET_KEY": "testing",
             "UI_ENFORCE_BUCKET_POLICIES": enforce_policies,
+            "WTF_CSRF_ENABLED": False,
         }
     )
+
+    server = make_server("127.0.0.1", 0, app)
+    host, port = server.server_address
+    api_url = f"http://{host}:{port}"
+    app.config["API_BASE_URL"] = api_url
+    app.extensions["s3_proxy"] = S3ProxyClient(api_base_url=api_url)
+
+    thread = threading.Thread(target=server.serve_forever, daemon=True)
+    thread.start()
+
+    app._test_server = server
+    app._test_thread = thread
+
     storage = app.extensions["object_storage"]
     storage.create_bucket("testbucket")
     storage.put_object("testbucket", "vid.mp4", io.BytesIO(b"video"))
@@ -60,22 +77,28 @@ def _make_ui_app(tmp_path: Path, *, enforce_policies: bool):
     return app
 
 
+def _shutdown_app(app):
+    if hasattr(app, "_test_server"):
+        app._test_server.shutdown()
+        app._test_thread.join(timeout=2)
+
+
 @pytest.mark.parametrize("enforce", [True, False])
 def test_ui_bucket_policy_enforcement_toggle(tmp_path: Path, enforce: bool):
     app = _make_ui_app(tmp_path, enforce_policies=enforce)
-    client = app.test_client()
-    client.post("/ui/login", data={"access_key": "test", "secret_key": "secret"}, follow_redirects=True)
-    response = client.get("/ui/buckets/testbucket", follow_redirects=True)
-    if enforce:
-        assert b"Access denied by bucket policy" in response.data
-    else:
-        assert response.status_code == 200
-        assert b"Access denied by bucket policy" not in response.data
-        # Objects are now loaded via async API - check the objects endpoint
-        objects_response = client.get("/ui/buckets/testbucket/objects")
-        assert objects_response.status_code == 200
-        data = objects_response.get_json()
-        assert any(obj["key"] == "vid.mp4" for obj in data["objects"])
+    try:
+        client = app.test_client()
+        client.post("/ui/login", data={"access_key": "test", "secret_key": "secret"}, follow_redirects=True)
+        response = client.get("/ui/buckets/testbucket", follow_redirects=True)
+        if enforce:
+            assert b"Access denied by bucket policy" in response.data
+        else:
+            assert response.status_code == 200
+            assert b"Access denied by bucket policy" not in response.data
+            objects_response = client.get("/ui/buckets/testbucket/objects")
+            assert objects_response.status_code == 403
+    finally:
+        _shutdown_app(app)
 
 
 def test_ui_bucket_policy_disabled_by_default(tmp_path: Path):
@@ -99,23 +122,37 @@ def test_ui_bucket_policy_disabled_by_default(tmp_path: Path):
             "STORAGE_ROOT": storage_root,
             "IAM_CONFIG": iam_config,
             "BUCKET_POLICY_PATH": bucket_policies,
-            "API_BASE_URL": "http://testserver",
+            "API_BASE_URL": "http://127.0.0.1:0",
             "SECRET_KEY": "testing",
+            "WTF_CSRF_ENABLED": False,
         }
     )
-    storage = app.extensions["object_storage"]
-    storage.create_bucket("testbucket")
-    storage.put_object("testbucket", "vid.mp4", io.BytesIO(b"video"))
-    policy_store = app.extensions["bucket_policies"]
-    policy_store.set_policy("testbucket", DENY_LIST_ALLOW_GET_POLICY)
 
-    client = app.test_client()
-    client.post("/ui/login", data={"access_key": "test", "secret_key": "secret"}, follow_redirects=True)
-    response = client.get("/ui/buckets/testbucket", follow_redirects=True)
-    assert response.status_code == 200
-    assert b"Access denied by bucket policy" not in response.data
-    # Objects are now loaded via async API - check the objects endpoint
-    objects_response = client.get("/ui/buckets/testbucket/objects")
-    assert objects_response.status_code == 200
-    data = objects_response.get_json()
-    assert any(obj["key"] == "vid.mp4" for obj in data["objects"])
+    server = make_server("127.0.0.1", 0, app)
+    host, port = server.server_address
+    api_url = f"http://{host}:{port}"
+    app.config["API_BASE_URL"] = api_url
+    app.extensions["s3_proxy"] = S3ProxyClient(api_base_url=api_url)
+
+    thread = threading.Thread(target=server.serve_forever, daemon=True)
+    thread.start()
+
+    app._test_server = server
+    app._test_thread = thread
+
+    try:
+        storage = app.extensions["object_storage"]
+        storage.create_bucket("testbucket")
+        storage.put_object("testbucket", "vid.mp4", io.BytesIO(b"video"))
+        policy_store = app.extensions["bucket_policies"]
+        policy_store.set_policy("testbucket", DENY_LIST_ALLOW_GET_POLICY)
+
+        client = app.test_client()
+        client.post("/ui/login", data={"access_key": "test", "secret_key": "secret"}, follow_redirects=True)
+        response = client.get("/ui/buckets/testbucket", follow_redirects=True)
+        assert response.status_code == 200
+        assert b"Access denied by bucket policy" not in response.data
+        objects_response = client.get("/ui/buckets/testbucket/objects")
+        assert objects_response.status_code == 403
+    finally:
+        _shutdown_app(app)