File: test_webhooks.py

package info (click to toggle)
python-openai 1.99.9-1
links: PTS, VCS
area: main
in suites: forky, sid
size: 6,784 kB
sloc: python: 57,274; sh: 140; makefile: 7
file content (284 lines) | stat: -rw-r--r-- 15,389 bytes
# File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.

from __future__ import annotations

import os
from unittest import mock

import pytest

import openai
from openai._exceptions import InvalidWebhookSignatureError

base_url = os.environ.get("TEST_API_BASE_URL", "http://127.0.0.1:4010")

# Standardized test constants (matches TypeScript implementation)
TEST_SECRET = "whsec_RdvaYFYUXuIFuEbvZHwMfYFhUf7aMYjYcmM24+Aj40c="
TEST_PAYLOAD = '{"id": "evt_685c059ae3a481909bdc86819b066fb6", "object": "event", "created_at": 1750861210, "type": "response.completed", "data": {"id": "resp_123"}}'
TEST_TIMESTAMP = 1750861210  # Fixed timestamp that matches our test signature
TEST_WEBHOOK_ID = "wh_685c059ae39c8190af8c71ed1022a24d"
TEST_SIGNATURE = "v1,gUAg4R2hWouRZqRQG4uJypNS8YK885G838+EHb4nKBY="


def create_test_headers(
    timestamp: int | None = None, signature: str | None = None, webhook_id: str | None = None
) -> dict[str, str]:
    """Helper function to create test headers"""
    return {
        "webhook-signature": signature or TEST_SIGNATURE,
        "webhook-timestamp": str(timestamp or TEST_TIMESTAMP),
        "webhook-id": webhook_id or TEST_WEBHOOK_ID,
    }


class TestWebhooks:
    parametrize = pytest.mark.parametrize("client", [False, True], indirect=True, ids=["loose", "strict"])

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    def test_unwrap_with_secret(self, client: openai.OpenAI) -> None:
        headers = create_test_headers()
        unwrapped = client.webhooks.unwrap(TEST_PAYLOAD, headers, secret=TEST_SECRET)
        assert unwrapped.id == "evt_685c059ae3a481909bdc86819b066fb6"
        assert unwrapped.created_at == 1750861210

    @parametrize
    def test_unwrap_without_secret(self, client: openai.OpenAI) -> None:
        headers = create_test_headers()
        with pytest.raises(ValueError, match="The webhook secret must either be set"):
            client.webhooks.unwrap(TEST_PAYLOAD, headers)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    def test_verify_signature_valid(self, client: openai.OpenAI) -> None:
        headers = create_test_headers()
        # Should not raise - this is a truly valid signature for this timestamp
        client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @parametrize
    def test_verify_signature_invalid_secret_format(self, client: openai.OpenAI) -> None:
        headers = create_test_headers()
        with pytest.raises(ValueError, match="The webhook secret must either be set"):
            client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=None)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    def test_verify_signature_invalid(self, client: openai.OpenAI) -> None:
        headers = create_test_headers()
        with pytest.raises(InvalidWebhookSignatureError, match="The given webhook signature does not match"):
            client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret="invalid_secret")

    @parametrize
    def test_verify_signature_missing_webhook_signature_header(self, client: openai.OpenAI) -> None:
        headers = create_test_headers(signature=None)
        del headers["webhook-signature"]
        with pytest.raises(ValueError, match="Could not find webhook-signature header"):
            client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @parametrize
    def test_verify_signature_missing_webhook_timestamp_header(self, client: openai.OpenAI) -> None:
        headers = create_test_headers()
        del headers["webhook-timestamp"]
        with pytest.raises(ValueError, match="Could not find webhook-timestamp header"):
            client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @parametrize
    def test_verify_signature_missing_webhook_id_header(self, client: openai.OpenAI) -> None:
        headers = create_test_headers()
        del headers["webhook-id"]
        with pytest.raises(ValueError, match="Could not find webhook-id header"):
            client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    def test_verify_signature_payload_bytes(self, client: openai.OpenAI) -> None:
        headers = create_test_headers()
        client.webhooks.verify_signature(TEST_PAYLOAD.encode("utf-8"), headers, secret=TEST_SECRET)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    def test_unwrap_with_client_secret(self) -> None:
        test_client = openai.OpenAI(base_url=base_url, api_key="test-api-key", webhook_secret=TEST_SECRET)
        headers = create_test_headers()

        unwrapped = test_client.webhooks.unwrap(TEST_PAYLOAD, headers)
        assert unwrapped.id == "evt_685c059ae3a481909bdc86819b066fb6"
        assert unwrapped.created_at == 1750861210

    @parametrize
    def test_verify_signature_timestamp_too_old(self, client: openai.OpenAI) -> None:
        # Use a timestamp that's older than 5 minutes from our test timestamp
        old_timestamp = TEST_TIMESTAMP - 400  # 6 minutes 40 seconds ago
        headers = create_test_headers(timestamp=old_timestamp, signature="v1,dummy_signature")

        with pytest.raises(InvalidWebhookSignatureError, match="Webhook timestamp is too old"):
            client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    def test_verify_signature_timestamp_too_new(self, client: openai.OpenAI) -> None:
        # Use a timestamp that's in the future beyond tolerance from our test timestamp
        future_timestamp = TEST_TIMESTAMP + 400  # 6 minutes 40 seconds in the future
        headers = create_test_headers(timestamp=future_timestamp, signature="v1,dummy_signature")

        with pytest.raises(InvalidWebhookSignatureError, match="Webhook timestamp is too new"):
            client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    def test_verify_signature_custom_tolerance(self, client: openai.OpenAI) -> None:
        # Use a timestamp that's older than default tolerance but within custom tolerance
        old_timestamp = TEST_TIMESTAMP - 400  # 6 minutes 40 seconds ago from test timestamp
        headers = create_test_headers(timestamp=old_timestamp, signature="v1,dummy_signature")

        # Should fail with default tolerance
        with pytest.raises(InvalidWebhookSignatureError, match="Webhook timestamp is too old"):
            client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

        # Should also fail with custom tolerance of 10 minutes (signature won't match)
        with pytest.raises(InvalidWebhookSignatureError, match="The given webhook signature does not match"):
            client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET, tolerance=600)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    def test_verify_signature_recent_timestamp_succeeds(self, client: openai.OpenAI) -> None:
        # Use a recent timestamp with dummy signature
        headers = create_test_headers(signature="v1,dummy_signature")

        # Should fail on signature verification (not timestamp validation)
        with pytest.raises(InvalidWebhookSignatureError, match="The given webhook signature does not match"):
            client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    def test_verify_signature_multiple_signatures_one_valid(self, client: openai.OpenAI) -> None:
        # Test multiple signatures: one invalid, one valid
        multiple_signatures = f"v1,invalid_signature {TEST_SIGNATURE}"
        headers = create_test_headers(signature=multiple_signatures)

        # Should not raise when at least one signature is valid
        client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    def test_verify_signature_multiple_signatures_all_invalid(self, client: openai.OpenAI) -> None:
        # Test multiple invalid signatures
        multiple_invalid_signatures = "v1,invalid_signature1 v1,invalid_signature2"
        headers = create_test_headers(signature=multiple_invalid_signatures)

        with pytest.raises(InvalidWebhookSignatureError, match="The given webhook signature does not match"):
            client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)


class TestAsyncWebhooks:
    parametrize = pytest.mark.parametrize(
        "async_client", [False, True, {"http_client": "aiohttp"}], indirect=True, ids=["loose", "strict", "aiohttp"]
    )

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    async def test_unwrap_with_secret(self, async_client: openai.AsyncOpenAI) -> None:
        headers = create_test_headers()
        unwrapped = async_client.webhooks.unwrap(TEST_PAYLOAD, headers, secret=TEST_SECRET)
        assert unwrapped.id == "evt_685c059ae3a481909bdc86819b066fb6"
        assert unwrapped.created_at == 1750861210

    @parametrize
    async def test_unwrap_without_secret(self, async_client: openai.AsyncOpenAI) -> None:
        headers = create_test_headers()
        with pytest.raises(ValueError, match="The webhook secret must either be set"):
            async_client.webhooks.unwrap(TEST_PAYLOAD, headers)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    async def test_verify_signature_valid(self, async_client: openai.AsyncOpenAI) -> None:
        headers = create_test_headers()
        # Should not raise - this is a truly valid signature for this timestamp
        async_client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @parametrize
    async def test_verify_signature_invalid_secret_format(self, async_client: openai.AsyncOpenAI) -> None:
        headers = create_test_headers()
        with pytest.raises(ValueError, match="The webhook secret must either be set"):
            async_client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=None)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    async def test_verify_signature_invalid(self, async_client: openai.AsyncOpenAI) -> None:
        headers = create_test_headers()
        with pytest.raises(InvalidWebhookSignatureError, match="The given webhook signature does not match"):
            async_client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret="invalid_secret")

    @parametrize
    async def test_verify_signature_missing_webhook_signature_header(self, async_client: openai.AsyncOpenAI) -> None:
        headers = create_test_headers()
        del headers["webhook-signature"]
        with pytest.raises(ValueError, match="Could not find webhook-signature header"):
            async_client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @parametrize
    async def test_verify_signature_missing_webhook_timestamp_header(self, async_client: openai.AsyncOpenAI) -> None:
        headers = create_test_headers()
        del headers["webhook-timestamp"]
        with pytest.raises(ValueError, match="Could not find webhook-timestamp header"):
            async_client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @parametrize
    async def test_verify_signature_missing_webhook_id_header(self, async_client: openai.AsyncOpenAI) -> None:
        headers = create_test_headers()
        del headers["webhook-id"]
        with pytest.raises(ValueError, match="Could not find webhook-id header"):
            async_client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    async def test_verify_signature_payload_bytes(self, async_client: openai.AsyncOpenAI) -> None:
        headers = create_test_headers()
        async_client.webhooks.verify_signature(TEST_PAYLOAD.encode("utf-8"), headers, secret=TEST_SECRET)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    async def test_unwrap_with_client_secret(self) -> None:
        test_async_client = openai.AsyncOpenAI(base_url=base_url, api_key="test-api-key", webhook_secret=TEST_SECRET)
        headers = create_test_headers()

        unwrapped = test_async_client.webhooks.unwrap(TEST_PAYLOAD, headers)
        assert unwrapped.id == "evt_685c059ae3a481909bdc86819b066fb6"
        assert unwrapped.created_at == 1750861210

    @parametrize
    async def test_verify_signature_timestamp_too_old(self, async_client: openai.AsyncOpenAI) -> None:
        # Use a timestamp that's older than 5 minutes from our test timestamp
        old_timestamp = TEST_TIMESTAMP - 400  # 6 minutes 40 seconds ago
        headers = create_test_headers(timestamp=old_timestamp, signature="v1,dummy_signature")

        with pytest.raises(InvalidWebhookSignatureError, match="Webhook timestamp is too old"):
            async_client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    async def test_verify_signature_timestamp_too_new(self, async_client: openai.AsyncOpenAI) -> None:
        # Use a timestamp that's in the future beyond tolerance from our test timestamp
        future_timestamp = TEST_TIMESTAMP + 400  # 6 minutes 40 seconds in the future
        headers = create_test_headers(timestamp=future_timestamp, signature="v1,dummy_signature")

        with pytest.raises(InvalidWebhookSignatureError, match="Webhook timestamp is too new"):
            async_client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    async def test_verify_signature_multiple_signatures_one_valid(self, async_client: openai.AsyncOpenAI) -> None:
        # Test multiple signatures: one invalid, one valid
        multiple_signatures = f"v1,invalid_signature {TEST_SIGNATURE}"
        headers = create_test_headers(signature=multiple_signatures)

        # Should not raise when at least one signature is valid
        async_client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)

    @mock.patch("time.time", mock.MagicMock(return_value=TEST_TIMESTAMP))
    @parametrize
    async def test_verify_signature_multiple_signatures_all_invalid(self, async_client: openai.AsyncOpenAI) -> None:
        # Test multiple invalid signatures
        multiple_invalid_signatures = "v1,invalid_signature1 v1,invalid_signature2"
        headers = create_test_headers(signature=multiple_invalid_signatures)

        with pytest.raises(InvalidWebhookSignatureError, match="The given webhook signature does not match"):
            async_client.webhooks.verify_signature(TEST_PAYLOAD, headers, secret=TEST_SECRET)