Fix nested dependency depth tracking in PyPI cache worker

When the cache worker downloaded a package through the proxy, dependencies were always queued with depth=0 instead of depth+1. This meant depth limits weren't properly enforced for nested dependencies. Changes: - Add cache-depth query parameter to pypi_download_file endpoint - Worker now passes its current depth when fetching packages - Dependencies are queued at cache_depth+1 instead of hardcoded 0 - Add tests for depth tracking behavior
2026-02-02 13:47:22 -06:00
parent c7eca269f4
commit 5517048f05
3 changed files with 120 additions and 4 deletions
--- a/backend/tests/test_pypi_cache_worker.py
+++ b/backend/tests/test_pypi_cache_worker.py
@@ -261,3 +261,104 @@ class TestWorkerPoolLifecycle:
        # We just verify the functions are callable
        assert callable(init_cache_worker_pool)
        assert callable(shutdown_cache_worker_pool)
+
+
+class TestNestedDependencyDepthTracking:
+    """Tests for nested dependency depth tracking.
+
+    When the cache worker downloads a package, its dependencies should be
+    queued with depth = current_task_depth + 1, not depth = 0.
+    """
+
+    def test_enqueue_with_depth_increments_for_nested_deps(self):
+        """Test that enqueue_cache_task properly tracks depth for nested dependencies.
+
+        When a task at depth=2 discovers a new dependency, that dependency
+        should be queued at depth=3.
+        """
+        from unittest.mock import MagicMock, patch
+        from app.pypi_cache_worker import enqueue_cache_task
+
+        mock_db = MagicMock()
+
+        # No existing task for this package
+        mock_db.query.return_value.filter.return_value.first.return_value = None
+
+        # Mock _find_cached_package to return None (not cached)
+        with patch('app.pypi_cache_worker._find_cached_package', return_value=None):
+            task = enqueue_cache_task(
+                mock_db,
+                package_name="nested-dep",
+                version_constraint=">=1.0",
+                parent_task_id=None,
+                depth=3,  # Parent task was at depth 2, so this dep is at depth 3
+                triggered_by_artifact="abc123",
+            )
+
+        # Verify db.add was called
+        mock_db.add.assert_called_once()
+
+        # Get the task that was added
+        added_task = mock_db.add.call_args[0][0]
+
+        # The task should have the correct depth
+        assert added_task.depth == 3, f"Expected depth=3, got depth={added_task.depth}"
+        assert added_task.package_name == "nested-dep"
+
+    def test_proxy_download_accepts_cache_depth_param(self):
+        """Test that proxy download endpoint accepts cache-depth query parameter.
+
+        The cache worker should pass its current depth via query param so the proxy
+        can queue dependencies at the correct depth.
+        """
+        # Verify that pypi_download_file has a cache_depth parameter
+        import inspect
+        from app.pypi_proxy import pypi_download_file
+
+        sig = inspect.signature(pypi_download_file)
+        params = list(sig.parameters.keys())
+
+        # The endpoint should accept a cache_depth parameter
+        assert 'cache_depth' in params, \
+            f"pypi_download_file should accept cache_depth parameter. Got params: {params}"
+
+    def test_worker_sends_depth_in_url_when_fetching(self):
+        """Test that _fetch_and_cache_package includes depth in download URL.
+
+        When the worker fetches a package, it should include its current depth
+        in the URL query params so nested dependencies get queued at depth+1.
+        """
+        from unittest.mock import patch, MagicMock
+        import httpx
+
+        # We need to verify that the httpx.Client.get call includes the depth in URL
+        with patch('app.pypi_cache_worker.httpx.Client') as mock_client_class:
+            mock_client = MagicMock()
+            mock_client_class.return_value.__enter__ = MagicMock(return_value=mock_client)
+            mock_client_class.return_value.__exit__ = MagicMock(return_value=False)
+
+            # Mock successful responses
+            mock_response_index = MagicMock()
+            mock_response_index.status_code = 200
+            mock_response_index.text = '''
+            <html><body>
+            <a href="/pypi/simple/test-pkg/test_pkg-1.0.0-py3-none-any.whl?upstream=http%3A%2F%2Fexample.com">test_pkg-1.0.0-py3-none-any.whl</a>
+            </body></html>
+            '''
+
+            mock_response_download = MagicMock()
+            mock_response_download.status_code = 200
+            mock_response_download.headers = {"X-Checksum-SHA256": "abc123"}
+
+            mock_client.get.side_effect = [mock_response_index, mock_response_download]
+
+            from app.pypi_cache_worker import _fetch_and_cache_package_with_depth
+
+            # This function should exist and accept depth parameter
+            result = _fetch_and_cache_package_with_depth("test-pkg", None, depth=2)
+
+            # Verify the download request included the cache-depth query param
+            download_call = mock_client.get.call_args_list[1]
+            download_url = download_call[0][0]  # First positional arg is URL
+            assert "cache-depth=2" in download_url, \
+                f"Expected cache-depth=2 in URL, got: {download_url}"