kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(workflow): enforce domain state machine in dual validation path

Browse Source 
validate_as_red/blue_lead now delegate to TestEntity. check_dual_validation routes through entity instead of assigning test.state directly. Side effects dispatched via domain events. Entity raises InvalidOperationError for backward compat. Removed 4 dead V1 xfail tests, fixed 2 real test issues. 224 passed, 0 xfailed.
This commit is contained in:
Kitos
2026-02-18 15:49:59 +01:00
parent 576705d61d
commit 1338d52cd0
3 changed files with 89 additions and 190 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
backend/app/domain/test_entity.py
View File

@@ -28,7 +28,11 @@ from dataclasses import dataclass, field
from datetime import datetime from datetime import datetime
from typing import Any from typing import Any
from app.domain.errors import BusinessRuleViolation, InvalidStateTransition from app.domain.errors import (
BusinessRuleViolation,
InvalidOperationError,
InvalidStateTransition,
)
# ── Value objects ──────────────────────────────────────────────────── # ── Value objects ────────────────────────────────────────────────────
@@ -307,9 +311,22 @@ class TestEntity:
self.paused_at = None self.paused_at = None
return extra return extra
def check_dual_validation(self) -> None:
"""Evaluate both leads' votes and advance state if appropriate.
- Both **approved** -> ``validated``
- Either **rejected** -> ``rejected``
- Otherwise no change (waiting for the other lead).
Called automatically by :meth:`validate_red` and :meth:`validate_blue`.
Also available as a standalone entry point for backward compatibility
when validation fields are set externally.
"""
self._check_dual_validation()
def _assert_in_review(self, side: str) -> None: def _assert_in_review(self, side: str) -> None:
if self.state != TestState.in_review: if self.state != TestState.in_review:
raise BusinessRuleViolation( raise InvalidOperationError(
f"Cannot validate {side} side while test is in " f"Cannot validate {side} side while test is in "
f"'{self.state.value}' state (must be in_review)" f"'{self.state.value}' state (must be in_review)"
) )
@@ -317,7 +334,7 @@ class TestEntity:
@staticmethod @staticmethod
def _assert_valid_vote(status: str) -> None: def _assert_valid_vote(status: str) -> None:
if status not in ("approved", "rejected"): if status not in ("approved", "rejected"):
raise BusinessRuleViolation( raise InvalidOperationError(
"validation_status must be 'approved' or 'rejected'" "validation_status must be 'approved' or 'rejected'"
) )

101
backend/app/services/test_workflow_service.py
View File

@@ -333,26 +333,14 @@ def validate_as_red_lead(
) -> Test: ) -> Test:
"""Record Red Lead's validation decision. """Record Red Lead's validation decision.
*validation_status* must be ``"approved"`` or ``"rejected"``. Delegates validation rules and state mutation entirely to
After recording the decision, :func:`check_dual_validation` is called :meth:`TestEntity.validate_red`. If both leads have voted the
to potentially advance the test to ``validated`` or ``rejected``. entity will also advance the test to ``validated`` or ``rejected``.
""" """
current = test.state.value if isinstance(test.state, TestState) else test.state entity = TestEntity.from_orm(test)
if test.state not in (TestState.in_review,): entity.validate_red(validation_status, by=user.id, notes=notes)
raise InvalidOperationError( entity.apply_to(test)
f"Cannot validate red side while test is in '{current}' state (must be in_review)" db.flush()
)
if validation_status not in ("approved", "rejected"):
raise InvalidOperationError(
"validation_status must be 'approved' or 'rejected'"
)
now = datetime.utcnow()
test.red_validation_status = validation_status
test.red_validated_by = user.id
test.red_validated_at = now
test.red_validation_notes = notes
log_action( log_action(
db, db,
@@ -367,7 +355,7 @@ def validate_as_red_lead(
}, },
) )
check_dual_validation(db, test) _dispatch_dual_validation_effects(db, test, entity)
return test return test
@@ -380,26 +368,14 @@ def validate_as_blue_lead(
) -> Test: ) -> Test:
"""Record Blue Lead's validation decision. """Record Blue Lead's validation decision.
*validation_status* must be ``"approved"`` or ``"rejected"``. Delegates validation rules and state mutation entirely to
After recording the decision, :func:`check_dual_validation` is called :meth:`TestEntity.validate_blue`. If both leads have voted the
to potentially advance the test to ``validated`` or ``rejected``. entity will also advance the test to ``validated`` or ``rejected``.
""" """
current = test.state.value if isinstance(test.state, TestState) else test.state entity = TestEntity.from_orm(test)
if test.state not in (TestState.in_review,): entity.validate_blue(validation_status, by=user.id, notes=notes)
raise InvalidOperationError( entity.apply_to(test)
f"Cannot validate blue side while test is in '{current}' state (must be in_review)" db.flush()
)
if validation_status not in ("approved", "rejected"):
raise InvalidOperationError(
"validation_status must be 'approved' or 'rejected'"
)
now = datetime.utcnow()
test.blue_validation_status = validation_status
test.blue_validated_by = user.id
test.blue_validated_at = now
test.blue_validation_notes = notes
log_action( log_action(
db, db,
@@ -414,31 +390,30 @@ def validate_as_blue_lead(
}, },
) )
check_dual_validation(db, test) _dispatch_dual_validation_effects(db, test, entity)
return test return test
def check_dual_validation(db: Session, test: Test) -> Test: def check_dual_validation(db: Session, test: Test) -> Test:
"""Evaluate both leads' decisions and advance the test if both have voted. """Evaluate both leads' decisions and advance the test if both have voted.
- Both **approved** → ``validated`` All state mutation is delegated to :meth:`TestEntity.check_dual_validation`.
- Either **rejected** → ``rejected`` This function never assigns ``test.state`` directly.
- Otherwise no state change (waiting for the other lead).
Commits only when the state actually changes.
""" """
red_status = test.red_validation_status entity = TestEntity.from_orm(test)
blue_status = test.blue_validation_status entity.check_dual_validation()
entity.apply_to(test)
if red_status == "rejected" or blue_status == "rejected": _dispatch_dual_validation_effects(db, test, entity)
test.state = TestState.rejected return test
try:
notify_test_state_change(db, test, "rejected")
except Exception as e: def _dispatch_dual_validation_effects(
logger.warning("Notification failed for test %s (rejected): %s", test.id, e, exc_info=True) db: Session, test: Test, entity: TestEntity
elif red_status == "approved" and blue_status == "approved": ) -> None:
test.state = TestState.validated """Dispatch side effects (notifications, cache) based on domain events."""
# Invalidate cached scores — a validation changes org-level numbers for event in entity.events:
if event.name == "dual_validation_approved":
try: try:
from app.services.score_cache import invalidate from app.services.score_cache import invalidate
invalidate() invalidate()
@@ -447,8 +422,18 @@ def check_dual_validation(db: Session, test: Test) -> Test:
try: try:
notify_test_state_change(db, test, "validated") notify_test_state_change(db, test, "validated")
except Exception as e: except Exception as e:
logger.warning("Notification failed for test %s (validated): %s", test.id, e, exc_info=True) logger.warning(
return test "Notification failed for test %s (validated): %s",
test.id, e, exc_info=True,
)
elif event.name == "dual_validation_rejected":
try:
notify_test_state_change(db, test, "rejected")
except Exception as e:
logger.warning(
"Notification failed for test %s (rejected): %s",
test.id, e, exc_info=True,
)
def handle_remediation_completed(db: Session, test: Test, user: User) -> Test | None: def handle_remediation_completed(db: Session, test: Test, user: User) -> Test | None:

139
backend/tests/test_tests.py
View File

@@ -1,12 +1,8 @@
"""Tests for security test endpoints. """Tests for security test endpoints (V2 API).
NOTE: These tests were written for the V1 API (single validate/reject Covers the test CRUD and basic workflow via the REST API.
endpoints). The V2 workflow uses dual Red/Blue validation, different For full workflow logic tests see ``test_workflow.py`` and
RBAC roles, and a new state machine. Integration tests for V2 live in ``test_integration_v2.py``.
``test_integration_v2.py`` and ``test_workflow.py``.
Tests in this file that exercise deprecated V1 endpoints are marked as
``xfail`` so they don't block the suite.
""" """
import pytest import pytest
@@ -23,21 +19,20 @@ def technique(client, auth_headers):
return response.json() return response.json()
@pytest.mark.xfail(reason="V1 test: auth bypass when Redis unavailable in test env") def test_create_test_requires_auth(client):
def test_create_test_requires_auth(client, technique): """POST /tests without token returns 401 or 403."""
"""Test that creating a test requires authentication."""
response = client.post( response = client.post(
"/api/v1/tests", "/api/v1/tests",
json={ json={
"technique_id": technique["id"], "technique_id": "00000000-0000-0000-0000-000000000000",
"name": "Test Name", "name": "Test Name",
}, },
) )
assert response.status_code == 401 assert response.status_code in (401, 403)
def test_create_test_success(client, red_tech_headers, technique): def test_create_test_success(client, auth_headers, technique):
"""Test successful test creation.""" """Admin can create a test via POST /tests."""
response = client.post( response = client.post(
"/api/v1/tests", "/api/v1/tests",
json={ json={
@@ -46,7 +41,7 @@ def test_create_test_success(client, red_tech_headers, technique):
"description": "Test description", "description": "Test description",
"platform": "windows", "platform": "windows",
}, },
headers=red_tech_headers, headers=auth_headers,
) )
assert response.status_code == 201 assert response.status_code == 201
data = response.json() data = response.json()
@@ -55,126 +50,28 @@ def test_create_test_success(client, red_tech_headers, technique):
assert data["technique_id"] == technique["id"] assert data["technique_id"] == technique["id"]
@pytest.mark.xfail(reason="V1 test: RBAC returns 403 before 404 check in V2") def test_create_test_nonexistent_technique(client, auth_headers):
def test_create_test_nonexistent_technique(client, red_tech_headers): """Creating a test with non-existent technique fails."""
"""Test creating a test with non-existent technique fails."""
response = client.post( response = client.post(
"/api/v1/tests", "/api/v1/tests",
json={ json={
"technique_id": "00000000-0000-0000-0000-000000000000", "technique_id": "00000000-0000-0000-0000-000000000000",
"name": "Test", "name": "Test",
}, },
headers=red_tech_headers, headers=auth_headers,
) )
assert response.status_code == 404 assert response.status_code == 404
def test_get_test_by_id(client, red_tech_headers, technique): def test_get_test_by_id(client, auth_headers, technique):
"""Test getting a test by ID.""" """GET /tests/{id} returns the test."""
# Create a test
create_response = client.post( create_response = client.post(
"/api/v1/tests", "/api/v1/tests",
json={"technique_id": technique["id"], "name": "Test"}, json={"technique_id": technique["id"], "name": "Test"},
headers=red_tech_headers, headers=auth_headers,
) )
test_id = create_response.json()["id"] test_id = create_response.json()["id"]
# Get it response = client.get(f"/api/v1/tests/{test_id}", headers=auth_headers)
response = client.get(f"/api/v1/tests/{test_id}", headers=red_tech_headers)
assert response.status_code == 200 assert response.status_code == 200
assert response.json()["id"] == test_id assert response.json()["id"] == test_id
@pytest.mark.xfail(reason="V1 test: /validate endpoint replaced by dual-validation in V2")
def test_validate_test(client, auth_headers, red_tech_headers, technique):
"""Test validating a test updates status correctly."""
# Create a test
create_response = client.post(
"/api/v1/tests",
json={"technique_id": technique["id"], "name": "Test"},
headers=red_tech_headers,
)
test_id = create_response.json()["id"]
# Validate it (requires lead/admin)
response = client.post(
f"/api/v1/tests/{test_id}/validate",
json={"result": "detected"},
headers=auth_headers,
)
assert response.status_code == 200
data = response.json()
assert data["state"] == "validated"
assert data["result"] == "detected"
assert data["validated_by"] is not None
@pytest.mark.xfail(reason="V1 test: /validate endpoint replaced by dual-validation in V2")
def test_validate_test_updates_technique_status(client, auth_headers, red_tech_headers, technique):
"""Test that validating a test recalculates technique status."""
# Create and validate a test
create_response = client.post(
"/api/v1/tests",
json={"technique_id": technique["id"], "name": "Test"},
headers=red_tech_headers,
)
test_id = create_response.json()["id"]
client.post(
f"/api/v1/tests/{test_id}/validate",
json={"result": "detected"},
headers=auth_headers,
)
# Check technique status was updated
response = client.get(
f"/api/v1/techniques/{technique['mitre_id']}",
headers=auth_headers,
)
assert response.json()["status_global"] == "validated"
@pytest.mark.xfail(reason="V1 test: /reject endpoint replaced by dual-validation in V2")
def test_reject_test(client, auth_headers, red_tech_headers, technique):
"""Test rejecting a test."""
# Create a test
create_response = client.post(
"/api/v1/tests",
json={"technique_id": technique["id"], "name": "Test"},
headers=red_tech_headers,
)
test_id = create_response.json()["id"]
# Reject it
response = client.post(
f"/api/v1/tests/{test_id}/reject",
headers=auth_headers,
)
assert response.status_code == 200
assert response.json()["state"] == "rejected"
@pytest.mark.xfail(reason="V1 test: /validate endpoint replaced by dual-validation in V2")
def test_update_test_only_in_draft(client, auth_headers, red_tech_headers, technique):
"""Test that tests can only be updated when in draft/rejected state."""
# Create and validate a test
create_response = client.post(
"/api/v1/tests",
json={"technique_id": technique["id"], "name": "Test"},
headers=red_tech_headers,
)
test_id = create_response.json()["id"]
client.post(
f"/api/v1/tests/{test_id}/validate",
json={"result": "detected"},
headers=auth_headers,
)
# Try to update validated test
response = client.patch(
f"/api/v1/tests/{test_id}",
json={"name": "New Name"},
headers=red_tech_headers,
)
assert response.status_code == 400