feat(api): MediosController + SeccionesController + ExceptionFilter mappings — ADM-001 B6

- POST/GET/PUT + deactivate/reactivate endpoints for /api/v1/admin/medios - POST/GET/PUT + deactivate/reactivate endpoints for /api/v1/admin/secciones - ExceptionFilter: add Medio/Seccion 404+409 mappings after RolInUseException - Integration tests: 19 scenarios covering 401/403/201/404/409/idempotency/AuditEvent - All 166 Api.Tests + 458 Application.Tests passing
2026-04-16 19:16:33 -03:00
parent a6f4011806
commit 13480ad8c2
5 changed files with 1236 additions and 0 deletions
--- a/tests/SIGCM2.Api.Tests/Admin/SeccionesControllerTests.cs
+++ b/tests/SIGCM2.Api.Tests/Admin/SeccionesControllerTests.cs
@@ -0,0 +1,429 @@
+using System.Net;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using System.Text.Json;
+using Dapper;
+using Microsoft.Data.SqlClient;
+using SIGCM2.TestSupport;
+
+namespace SIGCM2.Api.Tests.Admin;
+
+/// <summary>
+/// ADM-001 B6 — Integration tests for /api/v1/admin/secciones.
+/// All endpoints require permission 'administracion:secciones:gestionar'.
+/// </summary>
+[Collection("ApiIntegration")]
+public sealed class SeccionesControllerTests : IAsyncLifetime
+{
+    private const string TestConnectionString =
+        "Server=TECNICA3;Database=SIGCM2_Test;User Id=desarrollo;Password=desarrollo2026;TrustServerCertificate=True;";
+
+    private const string Endpoint = "/api/v1/admin/secciones";
+    private const string MediosEndpoint = "/api/v1/admin/medios";
+    private const string AdminUsername = "admin";
+    private const string AdminPassword = "@Diego550@";
+
+    private readonly HttpClient _client;
+
+    public SeccionesControllerTests(TestWebAppFactory factory)
+    {
+        _client = factory.CreateClient();
+    }
+
+    public Task InitializeAsync() => Task.CompletedTask;
+    public Task DisposeAsync() => Task.CompletedTask;
+
+    // ── Helpers ──────────────────────────────────────────────────────────────
+
+    private async Task<string> GetAdminTokenAsync()
+    {
+        var response = await _client.PostAsJsonAsync("/api/v1/auth/login", new
+        {
+            username = AdminUsername,
+            password = AdminPassword
+        });
+        response.EnsureSuccessStatusCode();
+        var json = await response.Content.ReadFromJsonAsync<JsonElement>();
+        return json.GetProperty("accessToken").GetString()!;
+    }
+
+    private async Task<string> GetCajeroTokenAsync(string username)
+    {
+        var adminToken = await GetAdminTokenAsync();
+
+        using var mkUser = BuildRequest(HttpMethod.Post, "/api/v1/users", new
+        {
+            username,
+            password = "Secure1234!",
+            nombre = "Cajero",
+            apellido = "Test",
+            email = (string?)null,
+            rol = "cajero"
+        }, adminToken);
+        var mkResp = await _client.SendAsync(mkUser);
+        if (mkResp.StatusCode != HttpStatusCode.Created && mkResp.StatusCode != HttpStatusCode.Conflict)
+            Assert.Fail($"Seed cajero failed: {mkResp.StatusCode}");
+
+        var loginResp = await _client.PostAsJsonAsync("/api/v1/auth/login", new
+        {
+            username,
+            password = "Secure1234!"
+        });
+        loginResp.EnsureSuccessStatusCode();
+        var loginJson = await loginResp.Content.ReadFromJsonAsync<JsonElement>();
+        return loginJson.GetProperty("accessToken").GetString()!;
+    }
+
+    private HttpRequestMessage BuildRequest(HttpMethod method, string url, object? body = null, string? bearerToken = null)
+    {
+        var request = new HttpRequestMessage(method, url);
+        if (bearerToken is not null)
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);
+        if (body is not null)
+            request.Content = JsonContent.Create(body);
+        return request;
+    }
+
+    /// <summary>Creates a Medio via the API and returns its id.</summary>
+    private async Task<int> CreateMedioAsync(string codigo, string nombre, string token)
+    {
+        using var req = BuildRequest(HttpMethod.Post, MediosEndpoint, new
+        {
+            codigo,
+            nombre,
+            tipo = 1
+        }, token);
+        var resp = await _client.SendAsync(req);
+        resp.EnsureSuccessStatusCode();
+        var json = await resp.Content.ReadFromJsonAsync<JsonElement>();
+        return json.GetProperty("id").GetInt32();
+    }
+
+    private static async Task DeleteMedioIfExistsAsync(string codigo)
+    {
+        await using var conn = new SqlConnection(TestConnectionString);
+        await conn.OpenAsync();
+
+        var id = await conn.QuerySingleOrDefaultAsync<int?>(
+            "SELECT Id FROM dbo.Medio WHERE Codigo = @Codigo", new { Codigo = codigo });
+        if (id is null) return;
+
+        // Delete dependent secciones (disable versioning to clear history too)
+        await conn.ExecuteAsync("ALTER TABLE dbo.Seccion SET (SYSTEM_VERSIONING = OFF)");
+        await conn.ExecuteAsync("DELETE FROM dbo.Seccion_History WHERE MedioId = @id", new { id });
+        await conn.ExecuteAsync("DELETE FROM dbo.Seccion WHERE MedioId = @id", new { id });
+        await conn.ExecuteAsync(
+            "ALTER TABLE dbo.Seccion SET (SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.Seccion_History, HISTORY_RETENTION_PERIOD = 10 YEARS))");
+
+        // Delete the medio itself
+        await conn.ExecuteAsync("ALTER TABLE dbo.Medio SET (SYSTEM_VERSIONING = OFF)");
+        await conn.ExecuteAsync("DELETE FROM dbo.Medio_History WHERE Id = @id", new { id });
+        await conn.ExecuteAsync("DELETE FROM dbo.Medio WHERE Id = @id", new { id });
+        await conn.ExecuteAsync(
+            "ALTER TABLE dbo.Medio SET (SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.Medio_History, HISTORY_RETENTION_PERIOD = 10 YEARS))");
+    }
+
+    private static async Task DeleteUsuarioIfExistsAsync(string username)
+    {
+        await using var conn = new SqlConnection(TestConnectionString);
+        await conn.OpenAsync();
+        await conn.ExecuteAsync("""
+            DELETE rt FROM dbo.RefreshToken rt
+            INNER JOIN dbo.Usuario u ON u.Id = rt.UsuarioId
+            WHERE u.Username = @Username
+            """, new { Username = username });
+        await conn.ExecuteAsync("DELETE FROM dbo.Usuario WHERE Username = @Username", new { Username = username });
+    }
+
+    private static async Task<int> CountAuditEventsAsync(string action, string targetType, string targetId)
+    {
+        await using var conn = new SqlConnection(TestConnectionString);
+        await conn.OpenAsync();
+        return await conn.QuerySingleAsync<int>(
+            "SELECT COUNT(*) FROM dbo.AuditEvent WHERE Action = @Action AND TargetType = @TargetType AND TargetId = @TargetId",
+            new { Action = action, TargetType = targetType, TargetId = targetId });
+    }
+
+    // ── 401 / 403 guards ─────────────────────────────────────────────────────
+
+    [Fact]
+    public async Task CreateSeccion_WithoutAuth_Returns401()
+    {
+        using var req = BuildRequest(HttpMethod.Post, Endpoint, new
+        {
+            medioId = 1,
+            codigo = "SEC401",
+            nombre = "Seccion Test",
+            tipo = "clasificados"
+        });
+        var resp = await _client.SendAsync(req);
+        Assert.Equal(HttpStatusCode.Unauthorized, resp.StatusCode);
+    }
+
+    [Fact]
+    public async Task CreateSeccion_WithCajeroRole_Returns403()
+    {
+        const string username = "adm001_sec_cajero_403";
+        try
+        {
+            var token = await GetCajeroTokenAsync(username);
+            using var req = BuildRequest(HttpMethod.Post, Endpoint, new
+            {
+                medioId = 1,
+                codigo = "SEC403",
+                nombre = "Seccion Test",
+                tipo = "clasificados"
+            }, token);
+            var resp = await _client.SendAsync(req);
+            Assert.Equal(HttpStatusCode.Forbidden, resp.StatusCode);
+        }
+        finally
+        {
+            await DeleteUsuarioIfExistsAsync(username);
+        }
+    }
+
+    // ── CREATE ────────────────────────────────────────────────────────────────
+
+    [Fact]
+    public async Task CreateSeccion_WithAdmin_Returns201AndAuditEvent()
+    {
+        const string medioCodigo = "TESTSECMED201";
+        var token = await GetAdminTokenAsync();
+
+        try
+        {
+            var medioId = await CreateMedioAsync(medioCodigo, "Medio Para Seccion 201", token);
+
+            using var req = BuildRequest(HttpMethod.Post, Endpoint, new
+            {
+                medioId,
+                codigo = "SEC201",
+                nombre = "Seccion 201",
+                tipo = "clasificados"
+            }, token);
+            var resp = await _client.SendAsync(req);
+
+            Assert.Equal(HttpStatusCode.Created, resp.StatusCode);
+            Assert.NotNull(resp.Headers.Location);
+
+            var json = await resp.Content.ReadFromJsonAsync<JsonElement>();
+            Assert.True(json.TryGetProperty("id", out var idEl));
+            var secId = idEl.GetInt32();
+            Assert.True(secId > 0);
+            Assert.Equal(medioId, json.GetProperty("medioId").GetInt32());
+            Assert.Equal("SEC201", json.GetProperty("codigo").GetString());
+            Assert.Equal("clasificados", json.GetProperty("tipo").GetString());
+
+            // Verify AuditEvent
+            var auditCount = await CountAuditEventsAsync("seccion.create", "Seccion", secId.ToString());
+            Assert.Equal(1, auditCount);
+        }
+        finally
+        {
+            await DeleteMedioIfExistsAsync(medioCodigo);
+        }
+    }
+
+    [Fact]
+    public async Task CreateSeccion_WithNonExistentMedioId_Returns404()
+    {
+        var token = await GetAdminTokenAsync();
+
+        using var req = BuildRequest(HttpMethod.Post, Endpoint, new
+        {
+            medioId = 99999,
+            codigo = "SECNOTFOUND",
+            nombre = "Seccion Not Found",
+            tipo = "clasificados"
+        }, token);
+        var resp = await _client.SendAsync(req);
+
+        Assert.Equal(HttpStatusCode.NotFound, resp.StatusCode);
+        var json = await resp.Content.ReadFromJsonAsync<JsonElement>();
+        Assert.Equal("medio_not_found", json.GetProperty("error").GetString());
+    }
+
+    [Fact]
+    public async Task CreateSeccion_WithDuplicateCodigoInSameMedio_Returns409()
+    {
+        const string medioCodigo = "TESTSECDUP";
+        var token = await GetAdminTokenAsync();
+
+        try
+        {
+            var medioId = await CreateMedioAsync(medioCodigo, "Medio Dup Test", token);
+
+            // First seccion
+            using var first = BuildRequest(HttpMethod.Post, Endpoint, new
+            {
+                medioId,
+                codigo = "DUPCODE",
+                nombre = "Seccion Original",
+                tipo = "clasificados"
+            }, token);
+            var firstResp = await _client.SendAsync(first);
+            Assert.Equal(HttpStatusCode.Created, firstResp.StatusCode);
+
+            // Second with same medioId + codigo
+            using var second = BuildRequest(HttpMethod.Post, Endpoint, new
+            {
+                medioId,
+                codigo = "DUPCODE",
+                nombre = "Seccion Duplicada",
+                tipo = "notables"
+            }, token);
+            var secondResp = await _client.SendAsync(second);
+
+            Assert.Equal(HttpStatusCode.Conflict, secondResp.StatusCode);
+            var json = await secondResp.Content.ReadFromJsonAsync<JsonElement>();
+            Assert.Equal("seccion_codigo_duplicado_en_medio", json.GetProperty("error").GetString());
+        }
+        finally
+        {
+            await DeleteMedioIfExistsAsync(medioCodigo);
+        }
+    }
+
+    [Fact]
+    public async Task CreateSeccion_SameCodigoDifferentMedio_Returns201()
+    {
+        const string medio1Codigo = "TESTSECMULTI1";
+        const string medio2Codigo = "TESTSECMULTI2";
+        var token = await GetAdminTokenAsync();
+
+        try
+        {
+            var medioId1 = await CreateMedioAsync(medio1Codigo, "Medio Multi 1", token);
+            var medioId2 = await CreateMedioAsync(medio2Codigo, "Medio Multi 2", token);
+
+            using var req1 = BuildRequest(HttpMethod.Post, Endpoint, new
+            {
+                medioId = medioId1,
+                codigo = "SHAREDCODE",
+                nombre = "Seccion en Medio 1",
+                tipo = "clasificados"
+            }, token);
+            var resp1 = await _client.SendAsync(req1);
+            Assert.Equal(HttpStatusCode.Created, resp1.StatusCode);
+
+            // Same codigo but different medioId → should succeed (composite UQ)
+            using var req2 = BuildRequest(HttpMethod.Post, Endpoint, new
+            {
+                medioId = medioId2,
+                codigo = "SHAREDCODE",
+                nombre = "Seccion en Medio 2",
+                tipo = "notables"
+            }, token);
+            var resp2 = await _client.SendAsync(req2);
+            Assert.Equal(HttpStatusCode.Created, resp2.StatusCode);
+        }
+        finally
+        {
+            await DeleteMedioIfExistsAsync(medio1Codigo);
+            await DeleteMedioIfExistsAsync(medio2Codigo);
+        }
+    }
+
+    [Fact]
+    public async Task CreateSeccion_WithInactiveMedio_Returns404()
+    {
+        const string medioCodigo = "TESTSECDEACT";
+        var token = await GetAdminTokenAsync();
+
+        try
+        {
+            var medioId = await CreateMedioAsync(medioCodigo, "Medio Para Desactivar", token);
+
+            // Deactivate the medio
+            using var deactReq = BuildRequest(HttpMethod.Post, $"{MediosEndpoint}/{medioId}/deactivate", bearerToken: token);
+            var deactResp = await _client.SendAsync(deactReq);
+            Assert.Equal(HttpStatusCode.NoContent, deactResp.StatusCode);
+
+            // Try to create seccion in inactive medio
+            using var secReq = BuildRequest(HttpMethod.Post, Endpoint, new
+            {
+                medioId,
+                codigo = "SECINACTIVE",
+                nombre = "Seccion en Medio Inactivo",
+                tipo = "clasificados"
+            }, token);
+            var secResp = await _client.SendAsync(secReq);
+
+            Assert.Equal(HttpStatusCode.NotFound, secResp.StatusCode);
+            var json = await secResp.Content.ReadFromJsonAsync<JsonElement>();
+            Assert.Equal("medio_not_found", json.GetProperty("error").GetString());
+        }
+        finally
+        {
+            await DeleteMedioIfExistsAsync(medioCodigo);
+        }
+    }
+
+    // ── LIST ─────────────────────────────────────────────────────────────────
+
+    [Fact]
+    public async Task GetSecciones_WithAdmin_Returns200PagedResult()
+    {
+        var token = await GetAdminTokenAsync();
+        using var req = BuildRequest(HttpMethod.Get, Endpoint, bearerToken: token);
+        var resp = await _client.SendAsync(req);
+
+        Assert.Equal(HttpStatusCode.OK, resp.StatusCode);
+        var json = await resp.Content.ReadFromJsonAsync<JsonElement>();
+        Assert.True(json.TryGetProperty("items", out _), "Response must have 'items'");
+        Assert.True(json.TryGetProperty("total", out _), "Response must have 'total'");
+    }
+
+    // ── GET BY ID ────────────────────────────────────────────────────────────
+
+    [Fact]
+    public async Task GetSeccionById_NotFound_Returns404()
+    {
+        var token = await GetAdminTokenAsync();
+        using var req = BuildRequest(HttpMethod.Get, $"{Endpoint}/999999", bearerToken: token);
+        var resp = await _client.SendAsync(req);
+
+        Assert.Equal(HttpStatusCode.NotFound, resp.StatusCode);
+        var json = await resp.Content.ReadFromJsonAsync<JsonElement>();
+        Assert.Equal("seccion_not_found", json.GetProperty("error").GetString());
+    }
+
+    // ── DEACTIVATE ────────────────────────────────────────────────────────────
+
+    [Fact]
+    public async Task DeactivateSeccion_WithAdmin_Returns204AndAuditEvent()
+    {
+        const string medioCodigo = "TESTSECDEACT2";
+        var token = await GetAdminTokenAsync();
+
+        try
+        {
+            var medioId = await CreateMedioAsync(medioCodigo, "Medio Para Sec Deactivate", token);
+
+            using var createReq = BuildRequest(HttpMethod.Post, Endpoint, new
+            {
+                medioId,
+                codigo = "SECDEACT",
+                nombre = "Seccion Para Desactivar",
+                tipo = "clasificados"
+            }, token);
+            var createResp = await _client.SendAsync(createReq);
+            Assert.Equal(HttpStatusCode.Created, createResp.StatusCode);
+            var created = await createResp.Content.ReadFromJsonAsync<JsonElement>();
+            var secId = created.GetProperty("id").GetInt32();
+
+            using var deactReq = BuildRequest(HttpMethod.Post, $"{Endpoint}/{secId}/deactivate", bearerToken: token);
+            var deactResp = await _client.SendAsync(deactReq);
+
+            Assert.Equal(HttpStatusCode.NoContent, deactResp.StatusCode);
+
+            var auditCount = await CountAuditEventsAsync("seccion.deactivate", "Seccion", secId.ToString());
+            Assert.Equal(1, auditCount);
+        }
+        finally
+        {
+            await DeleteMedioIfExistsAsync(medioCodigo);
+        }
+    }
+}