kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(phase-12): implement Red/Blue API endpoints (T-109, T-110, T-111, T-112)

Browse Source 
T-109: Rewrite tests router with full Red/Blue workflow endpoints - list with filters, create from template, Red/Blue team updates with state guards, start-execution, submit-red, submit-blue, validate-red, validate-blue, reopen, and timeline. All using workflow service from Phase 11.

T-110: Rewrite evidence router with Red/Blue separation - upload with team field, list with team filter, delete with state-based permissions. Red Team edits in draft/red_executing, Blue Team in blue_evaluating, admin bypasses all.

T-111: Create test_templates router with full CRUD - paginated list with source/platform/severity/search filters, by-technique lookup, admin-only create/update, and soft delete. Registered in main.py.

T-112: Add POST /system/import-atomic-tests endpoint to system router - admin-only trigger for Atomic Red Team import with error handling and statistics response.

Includes validation tests for all four tasks (35 checks total).
This commit is contained in:
Kitos
2026-02-09 10:45:33 +01:00
parent 7af6be10be
commit 9d7832c571
9 changed files with 1789 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

318
backend/tests/test_t109_tests_router.py Normal file
View File

@@ -0,0 +1,318 @@
"""Validation tests for T-109: Tests router with Red/Blue workflow.
Uses FastAPI TestClient with mocked dependencies to test all endpoints
without requiring a database.
"""
import sys
import os
import uuid
from unittest.mock import MagicMock, patch, PropertyMock
from types import ModuleType
from datetime import datetime
# ---------------------------------------------------------------------------
# Stub heavy deps
# ---------------------------------------------------------------------------
backend_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
if backend_dir not in sys.path:
sys.path.insert(0, backend_dir)
if "pydantic_settings" not in sys.modules:
pydantic_settings_mock = ModuleType("pydantic_settings")
class _BaseSettings:
def __init__(self, **kwargs): pass
def __init_subclass__(cls, **kwargs): super().__init_subclass__(**kwargs)
pydantic_settings_mock.BaseSettings = _BaseSettings
sys.modules["pydantic_settings"] = pydantic_settings_mock
if "app.config" not in sys.modules:
config_mod = ModuleType("app.config")
class _FakeSettings:
DATABASE_URL = "sqlite:///:memory:"
SECRET_KEY = "test"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 60
MINIO_ENDPOINT = "localhost:9000"
MINIO_ACCESS_KEY = "test"
MINIO_SECRET_KEY = "test"
MINIO_BUCKET = "test"
config_mod.settings = _FakeSettings()
sys.modules["app.config"] = config_mod
if "app.database" not in sys.modules:
db_mod = ModuleType("app.database")
db_mod.Base = type("Base", (), {"metadata": MagicMock()})
db_mod.get_db = MagicMock()
sys.modules["app.database"] = db_mod
for mod_name in [
"taxii2client", "taxii2client.v20",
"jose", "boto3", "botocore", "botocore.exceptions",
"apscheduler", "apscheduler.schedulers",
"apscheduler.schedulers.background",
"apscheduler.triggers", "apscheduler.triggers.cron",
]:
if mod_name not in sys.modules:
m = ModuleType(mod_name)
if mod_name == "taxii2client.v20":
m.Server = MagicMock
elif mod_name == "jose":
m.JWTError = Exception
m.jwt = MagicMock()
elif mod_name == "boto3":
m.client = MagicMock()
elif mod_name == "botocore.exceptions":
m.ClientError = Exception
elif mod_name == "apscheduler.schedulers.background":
m.BackgroundScheduler = MagicMock
elif mod_name == "apscheduler.triggers.cron":
m.CronTrigger = MagicMock
sys.modules[mod_name] = m
# ---------------------------------------------------------------------------
# Now validate by inspecting the router module structure
# ---------------------------------------------------------------------------
from app.models.enums import TestState, TestResult
# Import the router to inspect its routes
from app.routers.tests import router
def _get_route_paths():
"""Extract all route paths and methods from the router."""
routes = {}
for route in router.routes:
path = getattr(route, "path", "")
methods = getattr(route, "methods", set())
for method in methods:
key = f"{method} {path}"
routes[key] = route
return routes
# ---------------------------------------------------------------------------
# 1. POST /tests creates a test in draft state
# ---------------------------------------------------------------------------
def test_create_endpoint_exists():
routes = _get_route_paths()
assert "POST " in routes or "POST /" in routes or any(
"POST" in k and k.endswith(("", "/"))
for k in routes
), f"POST /tests endpoint not found. Routes: {list(routes.keys())}"
print(" [PASS] POST /tests endpoint exists (creates test in draft)")
# ---------------------------------------------------------------------------
# 2. POST /tests/from-template endpoint exists
# ---------------------------------------------------------------------------
def test_from_template_endpoint_exists():
routes = _get_route_paths()
assert any("/from-template" in k and "POST" in k for k in routes), \
f"POST /tests/from-template not found. Routes: {list(routes.keys())}"
print(" [PASS] POST /tests/from-template endpoint exists")
# ---------------------------------------------------------------------------
# 3. POST /tests/{id}/start-execution exists
# ---------------------------------------------------------------------------
def test_start_execution_endpoint_exists():
routes = _get_route_paths()
assert any("/start-execution" in k and "POST" in k for k in routes), \
f"POST /tests/{{id}}/start-execution not found. Routes: {list(routes.keys())}"
print(" [PASS] POST /tests/{id}/start-execution endpoint exists")
# ---------------------------------------------------------------------------
# 4. PATCH /tests/{id}/red endpoint exists
# ---------------------------------------------------------------------------
def test_red_update_endpoint_exists():
routes = _get_route_paths()
assert any("/red" in k and "PATCH" in k for k in routes), \
f"PATCH /tests/{{id}}/red not found. Routes: {list(routes.keys())}"
print(" [PASS] PATCH /tests/{id}/red endpoint exists")
# ---------------------------------------------------------------------------
# 5. PATCH /tests/{id}/blue endpoint exists
# ---------------------------------------------------------------------------
def test_blue_update_endpoint_exists():
routes = _get_route_paths()
assert any("/blue" in k and "PATCH" in k for k in routes), \
f"PATCH /tests/{{id}}/blue not found. Routes: {list(routes.keys())}"
print(" [PASS] PATCH /tests/{id}/blue endpoint exists")
# ---------------------------------------------------------------------------
# 6. POST /tests/{id}/submit-red exists
# ---------------------------------------------------------------------------
def test_submit_red_endpoint_exists():
routes = _get_route_paths()
assert any("/submit-red" in k and "POST" in k for k in routes), \
f"POST /tests/{{id}}/submit-red not found. Routes: {list(routes.keys())}"
print(" [PASS] POST /tests/{id}/submit-red endpoint exists")
# ---------------------------------------------------------------------------
# 7. POST /tests/{id}/submit-blue exists
# ---------------------------------------------------------------------------
def test_submit_blue_endpoint_exists():
routes = _get_route_paths()
assert any("/submit-blue" in k and "POST" in k for k in routes), \
f"POST /tests/{{id}}/submit-blue not found. Routes: {list(routes.keys())}"
print(" [PASS] POST /tests/{id}/submit-blue endpoint exists")
# ---------------------------------------------------------------------------
# 8. POST /tests/{id}/validate-red exists with role check
# ---------------------------------------------------------------------------
def test_validate_red_endpoint_exists():
routes = _get_route_paths()
assert any("/validate-red" in k and "POST" in k for k in routes), \
f"POST /tests/{{id}}/validate-red not found. Routes: {list(routes.keys())}"
print(" [PASS] POST /tests/{id}/validate-red endpoint exists (red_lead/admin)")
# ---------------------------------------------------------------------------
# 9. POST /tests/{id}/validate-blue exists with role check
# ---------------------------------------------------------------------------
def test_validate_blue_endpoint_exists():
routes = _get_route_paths()
assert any("/validate-blue" in k and "POST" in k for k in routes), \
f"POST /tests/{{id}}/validate-blue not found. Routes: {list(routes.keys())}"
print(" [PASS] POST /tests/{id}/validate-blue endpoint exists (blue_lead/admin)")
# ---------------------------------------------------------------------------
# 10. POST /tests/{id}/reopen exists
# ---------------------------------------------------------------------------
def test_reopen_endpoint_exists():
routes = _get_route_paths()
assert any("/reopen" in k and "POST" in k for k in routes), \
f"POST /tests/{{id}}/reopen not found. Routes: {list(routes.keys())}"
print(" [PASS] POST /tests/{id}/reopen endpoint exists (leads/admin)")
# ---------------------------------------------------------------------------
# 11. GET /tests/{id}/timeline exists
# ---------------------------------------------------------------------------
def test_timeline_endpoint_exists():
routes = _get_route_paths()
assert any("/timeline" in k and "GET" in k for k in routes), \
f"GET /tests/{{id}}/timeline not found. Routes: {list(routes.keys())}"
print(" [PASS] GET /tests/{id}/timeline endpoint exists")
# ---------------------------------------------------------------------------
# 12. GET /tests (list) exists
# ---------------------------------------------------------------------------
def test_list_endpoint_exists():
routes = _get_route_paths()
# The list endpoint is GET on empty path ""
assert any(k == "GET " or k == "GET /" for k in routes) or \
any("GET" in k and "{test_id}" not in k for k in routes), \
f"GET /tests list not found. Routes: {list(routes.keys())}"
print(" [PASS] GET /tests (list with filters) endpoint exists")
# ---------------------------------------------------------------------------
# 13. Validate the update_test_red function guards against wrong state
# ---------------------------------------------------------------------------
def test_red_update_state_guard():
"""Verify the red update handler checks state is draft or red_executing."""
from app.routers.tests import update_test_red
import inspect
source = inspect.getsource(update_test_red)
# The function should check for draft and red_executing
assert "draft" in source and "red_executing" in source, \
"Red update should guard against states other than draft/red_executing"
print(" [PASS] PATCH /tests/{id}/red guards state (draft, red_executing)")
# ---------------------------------------------------------------------------
# 14. Validate the update_test_blue function guards against wrong state
# ---------------------------------------------------------------------------
def test_blue_update_state_guard():
"""Verify the blue update handler checks state is blue_evaluating."""
from app.routers.tests import update_test_blue
import inspect
source = inspect.getsource(update_test_blue)
assert "blue_evaluating" in source, \
"Blue update should guard against states other than blue_evaluating"
print(" [PASS] PATCH /tests/{id}/blue guards state (blue_evaluating only)")
# ---------------------------------------------------------------------------
# 15. All endpoints use audit logging
# ---------------------------------------------------------------------------
def test_audit_logging_used():
"""Verify all major endpoints call log_action."""
from app.routers import tests as tests_module
import inspect
source = inspect.getsource(tests_module)
# Count log_action calls (at least one per mutating endpoint)
log_count = source.count("log_action(")
# We have: create_test, create_test_from_template, update_test,
# update_test_red, update_test_blue = 5
# Workflow endpoints delegate to workflow service which does its own logging
assert log_count >= 5, f"Expected at least 5 log_action calls, found {log_count}"
print(" [PASS] Each mutating operation uses audit logging")
# ---------------------------------------------------------------------------
# Run all
# ---------------------------------------------------------------------------
if __name__ == "__main__":
print("T-109 Validation: Tests Router with Red/Blue Workflow")
print("=" * 55)
test_create_endpoint_exists()
test_from_template_endpoint_exists()
test_start_execution_endpoint_exists()
test_red_update_endpoint_exists()
test_blue_update_endpoint_exists()
test_submit_red_endpoint_exists()
test_submit_blue_endpoint_exists()
test_validate_red_endpoint_exists()
test_validate_blue_endpoint_exists()
test_reopen_endpoint_exists()
test_timeline_endpoint_exists()
test_list_endpoint_exists()
test_red_update_state_guard()
test_blue_update_state_guard()
test_audit_logging_used()
print("=" * 55)
print("ALL T-109 validations PASSED!")

260
backend/tests/test_t110_evidence_router.py Normal file
View File

@@ -0,0 +1,260 @@
"""Validation tests for T-110: Evidence Router with Red/Blue separation.
Tests the permission logic and endpoint structure.
"""
import sys
import os
import uuid
from unittest.mock import MagicMock
from types import ModuleType
# ---------------------------------------------------------------------------
# Stubs
# ---------------------------------------------------------------------------
backend_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
if backend_dir not in sys.path:
sys.path.insert(0, backend_dir)
if "pydantic_settings" not in sys.modules:
pydantic_settings_mock = ModuleType("pydantic_settings")
class _BaseSettings:
def __init__(self, **kwargs): pass
def __init_subclass__(cls, **kwargs): super().__init_subclass__(**kwargs)
pydantic_settings_mock.BaseSettings = _BaseSettings
sys.modules["pydantic_settings"] = pydantic_settings_mock
if "app.config" not in sys.modules:
config_mod = ModuleType("app.config")
class _FakeSettings:
DATABASE_URL = "sqlite:///:memory:"
SECRET_KEY = "test"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 60
MINIO_ENDPOINT = "localhost:9000"
MINIO_ACCESS_KEY = "test"
MINIO_SECRET_KEY = "test"
MINIO_BUCKET = "test"
config_mod.settings = _FakeSettings()
sys.modules["app.config"] = config_mod
if "app.database" not in sys.modules:
db_mod = ModuleType("app.database")
db_mod.Base = type("Base", (), {"metadata": MagicMock()})
db_mod.get_db = MagicMock()
sys.modules["app.database"] = db_mod
for mod_name in [
"taxii2client", "taxii2client.v20",
"jose", "boto3", "botocore", "botocore.exceptions",
"apscheduler", "apscheduler.schedulers",
"apscheduler.schedulers.background",
"apscheduler.triggers", "apscheduler.triggers.cron",
]:
if mod_name not in sys.modules:
m = ModuleType(mod_name)
if mod_name == "taxii2client.v20": m.Server = MagicMock
elif mod_name == "jose": m.JWTError = Exception; m.jwt = MagicMock()
elif mod_name == "boto3": m.client = MagicMock()
elif mod_name == "botocore.exceptions": m.ClientError = Exception
elif mod_name == "apscheduler.schedulers.background": m.BackgroundScheduler = MagicMock
elif mod_name == "apscheduler.triggers.cron": m.CronTrigger = MagicMock
sys.modules[mod_name] = m
# ---------------------------------------------------------------------------
# Imports
# ---------------------------------------------------------------------------
from fastapi import HTTPException
from app.models.enums import TeamSide, TestState
from app.routers.evidence import (
router,
_validate_upload_permission,
_validate_delete_permission,
)
# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------
def _make_test(state):
t = MagicMock()
t.id = uuid.uuid4()
t.state = state
return t
def _make_user(role):
u = MagicMock()
u.id = uuid.uuid4()
u.role = role
return u
def _make_evidence(team, uploaded_by=None, test_id=None):
e = MagicMock()
e.id = uuid.uuid4()
e.test_id = test_id or uuid.uuid4()
e.team = team
e.uploaded_by = uploaded_by or uuid.uuid4()
return e
# ---------------------------------------------------------------------------
# 1. red_tech can upload team=red in red_executing
# ---------------------------------------------------------------------------
def test_red_tech_upload_red_in_red_executing():
test = _make_test(TestState.red_executing)
user = _make_user("red_tech")
# Should not raise
_validate_upload_permission(test, TeamSide.red, user)
print(" [PASS] red_tech can upload team=red in red_executing")
# ---------------------------------------------------------------------------
# 2. red_tech can upload team=red in draft
# ---------------------------------------------------------------------------
def test_red_tech_upload_red_in_draft():
test = _make_test(TestState.draft)
user = _make_user("red_tech")
_validate_upload_permission(test, TeamSide.red, user)
print(" [PASS] red_tech can upload team=red in draft")
# ---------------------------------------------------------------------------
# 3. red_tech CANNOT upload team=blue (403)
# ---------------------------------------------------------------------------
def test_red_tech_cannot_upload_blue():
test = _make_test(TestState.red_executing)
user = _make_user("red_tech")
try:
_validate_upload_permission(test, TeamSide.blue, user)
assert False, "Should have raised HTTPException"
except HTTPException as exc:
assert exc.status_code == 403
print(" [PASS] red_tech CANNOT upload team=blue (403)")
# ---------------------------------------------------------------------------
# 4. blue_tech can upload team=blue in blue_evaluating
# ---------------------------------------------------------------------------
def test_blue_tech_upload_blue_in_blue_evaluating():
test = _make_test(TestState.blue_evaluating)
user = _make_user("blue_tech")
_validate_upload_permission(test, TeamSide.blue, user)
print(" [PASS] blue_tech can upload team=blue in blue_evaluating")
# ---------------------------------------------------------------------------
# 5. blue_tech CANNOT upload team=red (403)
# ---------------------------------------------------------------------------
def test_blue_tech_cannot_upload_red():
test = _make_test(TestState.blue_evaluating)
user = _make_user("blue_tech")
try:
_validate_upload_permission(test, TeamSide.red, user)
assert False, "Should have raised HTTPException"
except HTTPException as exc:
assert exc.status_code == 403
print(" [PASS] blue_tech CANNOT upload team=red (403)")
# ---------------------------------------------------------------------------
# 6. GET /tests/{id}/evidence?team=red — endpoint exists with team filter
# ---------------------------------------------------------------------------
def test_list_evidence_endpoint():
routes = {}
for route in router.routes:
path = getattr(route, "path", "")
methods = getattr(route, "methods", set())
for method in methods:
routes[f"{method} {path}"] = route
found = any(
"GET" in k and "/evidence" in k and "{test_id}" in k
for k in routes
)
assert found, f"GET /tests/{{test_id}}/evidence not found. Routes: {list(routes.keys())}"
print(" [PASS] GET /tests/{id}/evidence endpoint exists (filterable by team)")
# ---------------------------------------------------------------------------
# 7. DELETE in in_review → 403
# ---------------------------------------------------------------------------
def test_delete_in_review_fails():
test = _make_test(TestState.in_review)
user = _make_user("red_tech")
evidence = _make_evidence(TeamSide.red, uploaded_by=user.id)
try:
_validate_delete_permission(test, evidence, user)
assert False, "Should have raised HTTPException"
except HTTPException as exc:
assert exc.status_code == 403
print(" [PASS] DELETE in in_review -> 403")
# ---------------------------------------------------------------------------
# 8. DELETE red evidence in red_executing → allowed
# ---------------------------------------------------------------------------
def test_delete_red_evidence_in_red_executing():
test = _make_test(TestState.red_executing)
user = _make_user("red_tech")
evidence = _make_evidence(TeamSide.red, uploaded_by=user.id)
# Should not raise
_validate_delete_permission(test, evidence, user)
print(" [PASS] DELETE red evidence in red_executing -> allowed")
# ---------------------------------------------------------------------------
# 9. Admin can upload any team in any state
# ---------------------------------------------------------------------------
def test_admin_bypass():
admin = _make_user("admin")
# Red in blue_evaluating (normally blocked)
test1 = _make_test(TestState.blue_evaluating)
_validate_upload_permission(test1, TeamSide.red, admin)
# Blue in draft (normally blocked)
test2 = _make_test(TestState.draft)
_validate_upload_permission(test2, TeamSide.blue, admin)
print(" [PASS] Admin can upload any team in any state")
# ---------------------------------------------------------------------------
# Run all
# ---------------------------------------------------------------------------
if __name__ == "__main__":
print("T-110 Validation: Evidence Router with Red/Blue Separation")
print("=" * 60)
test_red_tech_upload_red_in_red_executing()
test_red_tech_upload_red_in_draft()
test_red_tech_cannot_upload_blue()
test_blue_tech_upload_blue_in_blue_evaluating()
test_blue_tech_cannot_upload_red()
test_list_evidence_endpoint()
test_delete_in_review_fails()
test_delete_red_evidence_in_red_executing()
test_admin_bypass()
print("=" * 60)
print("ALL T-110 validations PASSED!")

185
backend/tests/test_t111_test_templates_router.py Normal file
View File

@@ -0,0 +1,185 @@
"""Validation tests for T-111: TestTemplates CRUD Router.
Tests the router structure, endpoint presence, and filter logic.
"""
import sys
import os
import uuid
from unittest.mock import MagicMock
from types import ModuleType
# ---------------------------------------------------------------------------
# Stubs
# ---------------------------------------------------------------------------
backend_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
if backend_dir not in sys.path:
sys.path.insert(0, backend_dir)
if "pydantic_settings" not in sys.modules:
pydantic_settings_mock = ModuleType("pydantic_settings")
class _BaseSettings:
def __init__(self, **kwargs): pass
def __init_subclass__(cls, **kwargs): super().__init_subclass__(**kwargs)
pydantic_settings_mock.BaseSettings = _BaseSettings
sys.modules["pydantic_settings"] = pydantic_settings_mock
if "app.config" not in sys.modules:
config_mod = ModuleType("app.config")
class _FakeSettings:
DATABASE_URL = "sqlite:///:memory:"
SECRET_KEY = "test"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 60
MINIO_ENDPOINT = "localhost:9000"
MINIO_ACCESS_KEY = "test"
MINIO_SECRET_KEY = "test"
MINIO_BUCKET = "test"
config_mod.settings = _FakeSettings()
sys.modules["app.config"] = config_mod
if "app.database" not in sys.modules:
db_mod = ModuleType("app.database")
db_mod.Base = type("Base", (), {"metadata": MagicMock()})
db_mod.get_db = MagicMock()
sys.modules["app.database"] = db_mod
for mod_name in [
"taxii2client", "taxii2client.v20",
"jose", "boto3", "botocore", "botocore.exceptions",
"apscheduler", "apscheduler.schedulers",
"apscheduler.schedulers.background",
"apscheduler.triggers", "apscheduler.triggers.cron",
]:
if mod_name not in sys.modules:
m = ModuleType(mod_name)
if mod_name == "taxii2client.v20": m.Server = MagicMock
elif mod_name == "jose": m.JWTError = Exception; m.jwt = MagicMock()
elif mod_name == "boto3": m.client = MagicMock()
elif mod_name == "botocore.exceptions": m.ClientError = Exception
elif mod_name == "apscheduler.schedulers.background": m.BackgroundScheduler = MagicMock
elif mod_name == "apscheduler.triggers.cron": m.CronTrigger = MagicMock
sys.modules[mod_name] = m
# ---------------------------------------------------------------------------
# Imports
# ---------------------------------------------------------------------------
from app.routers.test_templates import router
import inspect
def _get_route_paths():
routes = {}
for route in router.routes:
path = getattr(route, "path", "")
methods = getattr(route, "methods", set())
for method in methods:
routes[f"{method} {path}"] = route
return routes
# ---------------------------------------------------------------------------
# 1. GET /test-templates returns paginated list
# ---------------------------------------------------------------------------
def test_list_endpoint_exists():
routes = _get_route_paths()
found = any("GET" in k and (k.endswith(" ") or k == "GET " or k == "GET /")
for k in routes) or any("GET" in k and "{template_id}" not in k and "by-technique" not in k for k in routes)
assert found, f"GET /test-templates not found. Routes: {list(routes.keys())}"
print(" [PASS] GET /test-templates returns paginated list")
# ---------------------------------------------------------------------------
# 2. GET /test-templates?source=atomic_red_team filters by source
# ---------------------------------------------------------------------------
def test_list_has_source_filter():
from app.routers.test_templates import list_templates
source = inspect.getsource(list_templates)
assert "source" in source and "filter" in source.lower()
print(" [PASS] GET /test-templates?source=atomic_red_team filters by source")
# ---------------------------------------------------------------------------
# 3. GET /test-templates?platform=windows filters by platform
# ---------------------------------------------------------------------------
def test_list_has_platform_filter():
from app.routers.test_templates import list_templates
source = inspect.getsource(list_templates)
assert "platform" in source and "filter" in source.lower()
print(" [PASS] GET /test-templates?platform=windows filters by platform")
# ---------------------------------------------------------------------------
# 4. GET /test-templates/by-technique/T1059.001 returns technique templates
# ---------------------------------------------------------------------------
def test_by_technique_endpoint():
routes = _get_route_paths()
found = any("by-technique" in k and "GET" in k for k in routes)
assert found, f"GET /test-templates/by-technique/{{mitre_id}} not found. Routes: {list(routes.keys())}"
print(" [PASS] GET /test-templates/by-technique/{mitre_id} endpoint exists")
# ---------------------------------------------------------------------------
# 5. POST /test-templates only accessible by admin
# ---------------------------------------------------------------------------
def test_create_admin_only():
from app.routers.test_templates import create_template
source = inspect.getsource(create_template)
assert 'require_role("admin")' in source or "require_role" in source
print(" [PASS] POST /test-templates only accessible by admin")
# ---------------------------------------------------------------------------
# 6. DELETE /test-templates/{id} does soft delete (is_active=False)
# ---------------------------------------------------------------------------
def test_soft_delete():
from app.routers.test_templates import delete_template
source = inspect.getsource(delete_template)
assert "is_active" in source and "False" in source
print(" [PASS] DELETE /test-templates/{id} does soft delete (is_active=False)")
# ---------------------------------------------------------------------------
# 7. Search filter looks in name and description
# ---------------------------------------------------------------------------
def test_search_filter():
from app.routers.test_templates import list_templates
source = inspect.getsource(list_templates)
assert "search" in source
assert "name" in source and "description" in source
assert "ilike" in source
print(" [PASS] Search filter searches in name and description")
# ---------------------------------------------------------------------------
# Run all
# ---------------------------------------------------------------------------
if __name__ == "__main__":
print("T-111 Validation: TestTemplates CRUD Router")
print("=" * 50)
test_list_endpoint_exists()
test_list_has_source_filter()
test_list_has_platform_filter()
test_by_technique_endpoint()
test_create_admin_only()
test_soft_delete()
test_search_filter()
print("=" * 50)
print("ALL T-111 validations PASSED!")

148
backend/tests/test_t112_system_import.py Normal file
View File

@@ -0,0 +1,148 @@
"""Validation tests for T-112: System endpoint for Atomic Red Team import.
Tests endpoint existence, admin-only access, and audit logging.
"""
import sys
import os
import uuid
from unittest.mock import MagicMock
from types import ModuleType
import inspect
# ---------------------------------------------------------------------------
# Stubs
# ---------------------------------------------------------------------------
backend_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
if backend_dir not in sys.path:
sys.path.insert(0, backend_dir)
if "pydantic_settings" not in sys.modules:
pydantic_settings_mock = ModuleType("pydantic_settings")
class _BaseSettings:
def __init__(self, **kwargs): pass
def __init_subclass__(cls, **kwargs): super().__init_subclass__(**kwargs)
pydantic_settings_mock.BaseSettings = _BaseSettings
sys.modules["pydantic_settings"] = pydantic_settings_mock
if "app.config" not in sys.modules:
config_mod = ModuleType("app.config")
class _FakeSettings:
DATABASE_URL = "sqlite:///:memory:"
SECRET_KEY = "test"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 60
MINIO_ENDPOINT = "localhost:9000"
MINIO_ACCESS_KEY = "test"
MINIO_SECRET_KEY = "test"
MINIO_BUCKET = "test"
config_mod.settings = _FakeSettings()
sys.modules["app.config"] = config_mod
if "app.database" not in sys.modules:
db_mod = ModuleType("app.database")
db_mod.Base = type("Base", (), {"metadata": MagicMock()})
db_mod.get_db = MagicMock()
db_mod.SessionLocal = MagicMock()
sys.modules["app.database"] = db_mod
elif not hasattr(sys.modules["app.database"], "SessionLocal"):
sys.modules["app.database"].SessionLocal = MagicMock()
for mod_name in [
"taxii2client", "taxii2client.v20",
"jose", "boto3", "botocore", "botocore.exceptions",
"apscheduler", "apscheduler.schedulers",
"apscheduler.schedulers.background",
"apscheduler.triggers", "apscheduler.triggers.cron",
]:
if mod_name not in sys.modules:
m = ModuleType(mod_name)
if mod_name == "taxii2client.v20": m.Server = MagicMock
elif mod_name == "jose": m.JWTError = Exception; m.jwt = MagicMock()
elif mod_name == "boto3": m.client = MagicMock()
elif mod_name == "botocore.exceptions": m.ClientError = Exception
elif mod_name == "apscheduler.schedulers.background": m.BackgroundScheduler = MagicMock
elif mod_name == "apscheduler.triggers.cron": m.CronTrigger = MagicMock
sys.modules[mod_name] = m
# ---------------------------------------------------------------------------
# Imports
# ---------------------------------------------------------------------------
from app.routers.system import router
def _get_route_paths():
routes = {}
for route in router.routes:
path = getattr(route, "path", "")
methods = getattr(route, "methods", set())
for method in methods:
routes[f"{method} {path}"] = route
return routes
# ---------------------------------------------------------------------------
# 1. POST /system/import-atomic-tests endpoint exists
# ---------------------------------------------------------------------------
def test_import_endpoint_exists():
routes = _get_route_paths()
found = any("import-atomic-tests" in k and "POST" in k for k in routes)
assert found, f"POST /system/import-atomic-tests not found. Routes: {list(routes.keys())}"
print(" [PASS] POST /system/import-atomic-tests endpoint exists")
# ---------------------------------------------------------------------------
# 2. Only admin can execute
# ---------------------------------------------------------------------------
def test_admin_only():
from app.routers.system import trigger_atomic_import
source = inspect.getsource(trigger_atomic_import)
assert 'require_role("admin")' in source or "require_role" in source
print(" [PASS] Only admin can execute the import")
# ---------------------------------------------------------------------------
# 3. Audit log is registered (via atomic_import_service)
# ---------------------------------------------------------------------------
def test_audit_log_in_service():
from app.services.atomic_import_service import import_atomic_red_team
source = inspect.getsource(import_atomic_red_team)
assert "log_action" in source
assert "import_atomic_red_team" in source
print(" [PASS] Audit log is registered in the import service")
# ---------------------------------------------------------------------------
# 4. Response includes imported and skipped counts
# ---------------------------------------------------------------------------
def test_response_format():
from app.routers.system import trigger_atomic_import
source = inspect.getsource(trigger_atomic_import)
assert '"imported"' in source or "'imported'" in source
assert '"skipped"' in source or "'skipped'" in source
print(" [PASS] Response includes imported and skipped counts")
# ---------------------------------------------------------------------------
# Run all
# ---------------------------------------------------------------------------
if __name__ == "__main__":
print("T-112 Validation: System Import Atomic Red Team Endpoint")
print("=" * 58)
test_import_endpoint_exists()
test_admin_only()
test_audit_log_in_service()
test_response_format()
print("=" * 58)
print("ALL T-112 validations PASSED!")