aminghadersohi commented on code in PR #41497: URL: https://github.com/apache/superset/pull/41497#discussion_r3524914612
########## tests/unit_tests/mcp_service/theme/tool/test_create_theme.py: ########## @@ -0,0 +1,171 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +"""Unit tests for the create_theme MCP tool.""" + +import importlib +from unittest.mock import MagicMock, Mock, patch + +import pytest +from fastmcp import Client +from marshmallow import ValidationError + +from superset.mcp_service.app import mcp +from superset.utils import json + +# Resolve the module object directly so patch.object targets the module, not +# the function re-exported through __init__.py. +create_theme_module = importlib.import_module( + "superset.mcp_service.theme.tool.create_theme" +) + + +def _make_mock_theme( + theme_id: int = 7, + theme_name: str = "Corporate Blue", + uuid: str = "22222222-2222-2222-2222-222222222222", +) -> MagicMock: + theme = MagicMock() + theme.id = theme_id + theme.theme_name = theme_name + theme.uuid = uuid + return theme + + [email protected] +def mcp_server(): + return mcp + + [email protected](autouse=True) +def mock_auth(): + with patch("superset.mcp_service.auth.get_user_from_request") as mock_get_user: + mock_user = Mock() + mock_user.id = 1 + mock_user.username = "admin" + mock_get_user.return_value = mock_user + yield mock_get_user + + [email protected](create_theme_module.db.session, "commit") +@patch("superset.daos.theme.ThemeDAO.create") [email protected](create_theme_module, "_sanitize_and_validate_theme_config") [email protected] +async def test_create_theme_success_with_dict( + mock_sanitize, mock_create, mock_commit, mcp_server +): + """Happy path: dict json_data is sanitized, persisted, and id/uuid returned.""" + config = {"token": {"colorPrimary": "#1d4ed8"}} + mock_sanitize.return_value = config + mock_create.return_value = _make_mock_theme() + + async with Client(mcp_server) as client: + result = await client.call_tool( + "create_theme", + { + "request": { + "theme_name": "Corporate Blue", + "json_data": config, + } + }, + ) + data = json.loads(result.content[0].text) + + assert data["success"] is True + assert data["id"] == 7 + assert data["uuid"] == "22222222-2222-2222-2222-222222222222" + assert data["theme_name"] == "Corporate Blue" + mock_sanitize.assert_called_once_with(config) + # json_data persisted as a serialized string + create_kwargs = mock_create.call_args.kwargs["attributes"] + assert isinstance(create_kwargs["json_data"], str) + assert json.loads(create_kwargs["json_data"]) == config + mock_commit.assert_called_once() + + [email protected](create_theme_module.db.session, "commit") +@patch("superset.daos.theme.ThemeDAO.create") [email protected](create_theme_module, "_sanitize_and_validate_theme_config") [email protected] +async def test_create_theme_success_with_json_string( + mock_sanitize, mock_create, mock_commit, mcp_server +): + """json_data supplied as a JSON string is parsed and accepted.""" + config = {"token": {"colorPrimary": "#abcdef"}} + mock_sanitize.return_value = config + mock_create.return_value = _make_mock_theme(theme_id=9) + + async with Client(mcp_server) as client: + result = await client.call_tool( + "create_theme", + { + "request": { + "theme_name": "From String", + "json_data": json.dumps(config), + } + }, + ) + data = json.loads(result.content[0].text) + + assert data["success"] is True + assert data["id"] == 9 + mock_sanitize.assert_called_once_with(config) + + +@patch("superset.daos.theme.ThemeDAO.create") [email protected](create_theme_module, "_sanitize_and_validate_theme_config") [email protected] +async def test_create_theme_invalid_config(mock_sanitize, mock_create, mcp_server): + """Sanitizer ValidationError yields a ValidationError response, no DAO call.""" + mock_sanitize.side_effect = ValidationError("Invalid theme configuration structure") + + async with Client(mcp_server) as client: + result = await client.call_tool( + "create_theme", + { + "request": { + "theme_name": "Bad", + "json_data": {"not": "a theme"}, + } + }, + ) + data = json.loads(result.content[0].text) + + assert data["success"] is False + assert data["error_type"] == "ValidationError" + mock_create.assert_not_called() + + +@patch("superset.daos.theme.ThemeDAO.create") [email protected] +async def test_create_theme_invalid_json_string(mock_create, mcp_server): + """A malformed JSON string is rejected before sanitization.""" + async with Client(mcp_server) as client: + result = await client.call_tool( + "create_theme", + { + "request": { + "theme_name": "Broken", + "json_data": "{not valid json", + } + }, + ) + data = json.loads(result.content[0].text) + + assert data["success"] is False + assert data["error_type"] == "ValidationError" + mock_create.assert_not_called() Review Comment: MEDIUM: No test exercises the RBAC-denied path for `create_theme` (a caller lacking `can_write` on `Theme`). The sibling `create_dataset` tool established the convention of a per-tool denied-path test for new mutate tools (`test_create_dataset_access_denied` in tests/unit_tests/mcp_service/dataset/tool/test_create_dataset.py:345). `test_auth_rbac.py` only exercises the RBAC mechanism against synthetic stand-in functions, not `create_theme`'s actual decorator wiring — so a copy-paste error in `class_permission_name`/`method_permission_name` on this tool specifically wouldn't be caught by any existing test. Worth adding a test with a non-privileged user (or RBAC enabled + `can_access` mocked to False) asserting the call is denied. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
