kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(phase-39): role-based access control overhaul + forced password change
Some checks failed
Aegis CI / lint-and-test (push) Has been cancelled
Details

Browse Source 
- Add must_change_password field to User model with migration b023

- Add POST /auth/change-password endpoint with password policy validation

- Add require_password_changed dependency to block requests until password is changed

- Add ChangePasswordModal with live password policy checklist (forced on first login)

- Show password policy in CreateUserModal and EditUserModal

- Fix backend permissions: tests, campaigns, templates, reports, evidence, worklogs

- red_tech/blue_tech: execute only, cannot create tests/campaigns/templates

- red_lead/blue_lead: create/edit tests/campaigns/templates, generate reports, no system access

- viewer: read-only everywhere, can generate reports

- Fix frontend role checks across TestDetailPage, TestDetailHeader, TeamTabs, TestsPage, CampaignsPage, CampaignDetailPage, Sidebar
This commit is contained in:
Kitos
2026-02-18 10:37:02 +01:00
parent 8f764d8e39
commit a4a2adccee
24 changed files with 338 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
backend/alembic/versions/b023_add_must_change_password.py Normal file
View File

@@ -0,0 +1,30 @@
"""add_must_change_password
Revision ID: b023mustchgpwd
Revises: b022osintitems
Create Date: 2026-02-17 23:00:00.000000
Add must_change_password column to users table to force password
change on first login.
"""
from alembic import op
revision = "b023mustchgpwd"
down_revision = "b022osintitems"
branch_labels = None
depends_on = None
def upgrade() -> None:
op.execute("""
ALTER TABLE users
ADD COLUMN IF NOT EXISTS must_change_password BOOLEAN DEFAULT true;
""")
def downgrade() -> None:
op.execute("""
ALTER TABLE users
DROP COLUMN IF EXISTS must_change_password;
""")

16
backend/app/dependencies/auth.py
View File

@@ -91,6 +91,22 @@ async def get_current_user(
# ---------------------------------------------------------------------------
async def require_password_changed(
current_user: User = Depends(get_current_user),
) -> User:
"""Block all requests when the user still needs to change their password.
Only ``/auth/change-password`` and ``/auth/me`` are exempt — those
endpoints do **not** depend on this function.
"""
if getattr(current_user, "must_change_password", False):
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="PASSWORD_CHANGE_REQUIRED",
)
return current_user
def require_role(required_role: str):
"""Return a FastAPI dependency that enforces *required_role*.

1
backend/app/models/user.py
View File

@@ -27,5 +27,6 @@ class User(Base):
hashed_password = Column(String, nullable=False)
role = Column(String, nullable=False, default="viewer")
is_active = Column(Boolean, default=True)
must_change_password = Column(Boolean, default=True)
created_at = Column(DateTime, default=datetime.utcnow)
last_login = Column(DateTime, nullable=True)

33
backend/app/routers/auth.py
View File

@@ -17,12 +17,13 @@ from sqlalchemy.orm import Session
from jose import jwt, JWTError
from app.auth import verify_password, create_access_token, blacklist_token
from app.auth import verify_password, hash_password, create_access_token, blacklist_token
from app.config import settings
from app.database import get_db
from app.dependencies.auth import get_current_user
from app.models.user import User
from app.schemas.auth import TokenResponse, UserOut
from app.schemas.user import PasswordChange
# Rate limiter instance (shares backend state via app.state.limiter)
limiter = Limiter(key_func=get_remote_address)
@@ -137,3 +138,33 @@ def logout(
def read_current_user(current_user: User = Depends(get_current_user)):
"""Return the profile of the currently authenticated user."""
return current_user
# ---------------------------------------------------------------------------
# POST /auth/change-password
# ---------------------------------------------------------------------------
@router.post("/change-password")
def change_password(
body: PasswordChange,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
):
"""Change the current user's password.
Requires the current password for verification. On success the
``must_change_password`` flag is cleared so the user can proceed
normally.
"""
if not verify_password(body.current_password, current_user.hashed_password):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Current password is incorrect",
)
current_user.hashed_password = hash_password(body.new_password)
current_user.must_change_password = False
db.commit()
return {"detail": "Password changed successfully"}

14
backend/app/routers/campaigns.py
View File

@@ -198,7 +198,7 @@ def list_campaigns(
def create_campaign(
payload: CampaignCreate,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("red_tech", "admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Create a new campaign."""
campaign = Campaign(
@@ -254,7 +254,7 @@ def update_campaign(
campaign_id: str,
payload: CampaignUpdate,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("red_tech", "admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Update a campaign. Only allowed in draft or active state."""
campaign = db.query(Campaign).filter(Campaign.id == campaign_id).first()
@@ -299,7 +299,7 @@ def add_test_to_campaign(
campaign_id: str,
payload: AddTestPayload,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("red_tech", "admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Add a test to a campaign with optional ordering and dependency."""
campaign = db.query(Campaign).filter(Campaign.id == campaign_id).first()
@@ -370,7 +370,7 @@ def remove_test_from_campaign(
campaign_id: str,
campaign_test_id: str,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("red_tech", "admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Remove a test from a campaign."""
campaign = db.query(Campaign).filter(Campaign.id == campaign_id).first()
@@ -414,7 +414,7 @@ def remove_test_from_campaign(
def activate_campaign(
campaign_id: str,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("red_tech", "admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Activate a campaign, moving it from draft to active."""
campaign = db.query(Campaign).filter(Campaign.id == campaign_id).first()
@@ -524,7 +524,7 @@ def get_campaign_progress_endpoint(
def generate_campaign_from_actor(
actor_id: str,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("red_tech", "admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Auto-generate a campaign from a threat actor's uncovered techniques.
@@ -558,7 +558,7 @@ def schedule_campaign(
campaign_id: str,
payload: SchedulePayload,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Configure or update the recurrence schedule for a campaign.

14
backend/app/routers/evidence.py
View File

@@ -98,11 +98,10 @@ def _validate_upload_permission(
return
if team == TeamSide.red:
# Only red_tech can upload red evidence
if user.role != "red_tech":
if user.role not in ("red_tech", "red_lead"):
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Only red_tech or admin can upload red evidence",
detail="Only red_tech, red_lead or admin can upload red evidence",
)
if test.state not in _RED_EDITABLE_STATES:
raise HTTPException(
@@ -111,11 +110,10 @@ def _validate_upload_permission(
f"(allowed in: draft, red_executing)",
)
elif team == TeamSide.blue:
# Only blue_tech can upload blue evidence
if user.role != "blue_tech":
if user.role not in ("blue_tech", "blue_lead"):
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Only blue_tech or admin can upload blue evidence",
detail="Only blue_tech, blue_lead or admin can upload blue evidence",
)
if test.state not in _BLUE_EDITABLE_STATES:
raise HTTPException(
@@ -150,7 +148,7 @@ def _validate_delete_permission(
status_code=status.HTTP_403_FORBIDDEN,
detail="Cannot delete red evidence outside draft/red_executing",
)
if user.role != "red_tech" and evidence.uploaded_by != user.id:
if user.role not in ("red_tech", "red_lead") and evidence.uploaded_by != user.id:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Not enough permissions to delete this evidence",
@@ -161,7 +159,7 @@ def _validate_delete_permission(
status_code=status.HTTP_403_FORBIDDEN,
detail="Cannot delete blue evidence outside blue_evaluating",
)
if user.role != "blue_tech" and evidence.uploaded_by != user.id:
if user.role not in ("blue_tech", "blue_lead") and evidence.uploaded_by != user.id:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Not enough permissions to delete this evidence",

6
backend/app/routers/professional_reports.py
View File

@@ -25,7 +25,7 @@ def generate_purple_report(
campaign_id: UUID,
format: str = Query("pdf", pattern="^(pdf|docx|html)$"),
db: Session = Depends(get_db),
user: User = Depends(require_any_role("red_lead", "blue_lead")),
user: User = Depends(require_any_role("red_lead", "blue_lead", "viewer")),
):
"""Generate a Purple Team campaign assessment report."""
filepath = report_generation_service.generate_purple_campaign_report(
@@ -42,7 +42,7 @@ def generate_purple_report(
def generate_coverage_report(
format: str = Query("pdf", pattern="^(pdf|docx|html)$"),
db: Session = Depends(get_db),
user: User = Depends(get_current_user),
user: User = Depends(require_any_role("red_lead", "blue_lead", "viewer")),
):
"""Generate an organization-wide MITRE ATT&CK coverage report."""
filepath = report_generation_service.generate_coverage_report(
@@ -59,7 +59,7 @@ def generate_coverage_report(
def generate_executive_report(
format: str = Query("pdf", pattern="^(pdf|docx|html)$"),
db: Session = Depends(get_db),
user: User = Depends(require_any_role("red_lead", "blue_lead")),
user: User = Depends(require_any_role("red_lead", "blue_lead", "viewer")),
):
"""Generate an executive security summary report."""
filepath = report_generation_service.generate_executive_summary(

24
backend/app/routers/test_templates.py
View File

@@ -30,7 +30,7 @@ from sqlalchemy import func, or_
from sqlalchemy.orm import Session
from app.database import get_db
from app.dependencies.auth import get_current_user, require_role
from app.dependencies.auth import get_current_user, require_role, require_any_role
from app.models.test_template import TestTemplate
from app.models.user import User
from app.schemas.test_template import (
@@ -103,7 +103,7 @@ def list_templates(
@router.get("/stats")
def template_stats(
db: Session = Depends(get_db),
current_user: User = Depends(require_role("admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Return catalog statistics: totals by source, platform, active/inactive."""
@@ -151,9 +151,9 @@ def template_stats(
def bulk_activate_templates(
activate: bool = Query(True, description="True to activate all, False to deactivate all"),
db: Session = Depends(get_db),
current_user: User = Depends(require_role("admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Set all templates to active or inactive. Admin only."""
"""Set all templates to active or inactive."""
count = (
db.query(TestTemplate)
.filter(TestTemplate.is_active != activate)
@@ -235,9 +235,9 @@ def get_template(
def create_template(
payload: TestTemplateCreate,
db: Session = Depends(get_db),
current_user: User = Depends(require_role("admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Create a custom test template. Admin only."""
"""Create a custom test template."""
template = TestTemplate(**payload.model_dump())
db.add(template)
db.commit()
@@ -269,9 +269,9 @@ def update_template(
template_id: uuid.UUID,
payload: TestTemplateCreate,
db: Session = Depends(get_db),
current_user: User = Depends(require_role("admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Update fields of an existing test template. Admin only."""
"""Update fields of an existing test template."""
template = db.query(TestTemplate).filter(TestTemplate.id == template_id).first()
if template is None:
raise HTTPException(
@@ -307,9 +307,9 @@ def update_template(
def toggle_template_active(
template_id: uuid.UUID,
db: Session = Depends(get_db),
current_user: User = Depends(require_role("admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Toggle a template between active and inactive. Admin only."""
"""Toggle a template between active and inactive."""
template = db.query(TestTemplate).filter(TestTemplate.id == template_id).first()
if template is None:
raise HTTPException(
@@ -342,9 +342,9 @@ def toggle_template_active(
def delete_template(
template_id: uuid.UUID,
db: Session = Depends(get_db),
current_user: User = Depends(require_role("admin")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Soft-delete a test template by setting ``is_active=False``. Admin only."""
"""Soft-delete a test template by setting ``is_active=False``."""
template = db.query(TestTemplate).filter(TestTemplate.id == template_id).first()
if template is None:
raise HTTPException(

26
backend/app/routers/tests.py
View File

@@ -143,7 +143,7 @@ def list_tests(
def create_test(
payload: TestCreate,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("red_tech")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Create a new test linked to an existing technique.
@@ -190,7 +190,7 @@ def create_test(
def create_test_from_template(
payload: TestTemplateInstantiate,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("red_tech")),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Instantiate a real Test from an existing TestTemplate.
@@ -289,11 +289,11 @@ def update_test(
test_id: uuid.UUID,
payload: TestUpdate,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Update one or more fields of an existing test.
Only the original creator or an admin can update.
Only leads or admins can update general test fields.
The test must be in ``draft`` or ``rejected`` state.
"""
test = _get_test_or_404(db, test_id)
@@ -343,7 +343,7 @@ def update_test_red(
test_id: uuid.UUID,
payload: TestRedUpdate,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("red_tech")),
current_user: User = Depends(require_any_role("red_tech", "red_lead")),
):
"""Red Team updates their fields (allowed in ``draft`` and ``red_executing``)."""
test = _get_test_or_404(db, test_id)
@@ -387,7 +387,7 @@ def update_test_blue(
test_id: uuid.UUID,
payload: TestBlueUpdate,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("blue_tech")),
current_user: User = Depends(require_any_role("blue_tech", "blue_lead")),
):
"""Blue Team updates their fields (allowed only in ``blue_evaluating``)."""
test = _get_test_or_404(db, test_id)
@@ -430,7 +430,7 @@ def update_test_blue(
def start_execution(
test_id: uuid.UUID,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("red_tech")),
current_user: User = Depends(require_any_role("red_tech", "red_lead")),
):
"""Move a test from ``draft`` to ``red_executing``."""
test = _get_test_or_404(db, test_id)
@@ -448,7 +448,7 @@ def start_execution(
def submit_red(
test_id: uuid.UUID,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("red_tech")),
current_user: User = Depends(require_any_role("red_tech", "red_lead")),
):
"""Red Team finalises — move from ``red_executing`` to ``blue_evaluating``."""
test = _get_test_or_404(db, test_id)
@@ -466,7 +466,7 @@ def submit_red(
def submit_blue(
test_id: uuid.UUID,
db: Session = Depends(get_db),
current_user: User = Depends(require_any_role("blue_tech")),
current_user: User = Depends(require_any_role("blue_tech", "blue_lead")),
):
"""Blue Team finalises — move from ``blue_evaluating`` to ``in_review``."""
test = _get_test_or_404(db, test_id)
@@ -484,7 +484,7 @@ def submit_blue(
def pause_timer(
test_id: uuid.UUID,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
current_user: User = Depends(require_any_role("red_tech", "blue_tech", "red_lead", "blue_lead")),
):
"""Pause the running timer for the current phase (red_executing or blue_evaluating)."""
test = _get_test_or_404(db, test_id)
@@ -502,7 +502,7 @@ def pause_timer(
def resume_timer(
test_id: uuid.UUID,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
current_user: User = Depends(require_any_role("red_tech", "blue_tech", "red_lead", "blue_lead")),
):
"""Resume the paused timer for the current phase."""
test = _get_test_or_404(db, test_id)
@@ -595,9 +595,9 @@ def update_remediation(
test_id: uuid.UUID,
payload: TestRemediationUpdate,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
):
"""Update remediation fields on a test (any authenticated user).
"""Update remediation fields on a test.
When ``remediation_status`` transitions to ``'completed'``, an automatic
re-test is created (subject to ``MAX_RETEST_COUNT``).

4
backend/app/routers/worklogs.py
View File

@@ -9,7 +9,7 @@ from pydantic import BaseModel, Field
from sqlalchemy.orm import Session
from app.database import get_db
from app.dependencies.auth import get_current_user
from app.dependencies.auth import get_current_user, require_any_role
from app.domain.exceptions import EntityNotFoundError
from app.models.user import User
from app.models.worklog import Worklog
@@ -56,7 +56,7 @@ class WorklogOut(BaseModel):
def create(
body: WorklogCreate,
db: Session = Depends(get_db),
user: User = Depends(get_current_user),
user: User = Depends(require_any_role("red_tech", "blue_tech", "red_lead", "blue_lead")),
):
"""Create a manually-logged worklog entry."""
wl = worklog_service.create_worklog(

1
backend/app/schemas/auth.py
View File

@@ -28,6 +28,7 @@ class UserOut(BaseModel):
email: str | None = None
role: str
is_active: bool
must_change_password: bool = True
class Config:
from_attributes = True

13
backend/app/schemas/user.py
View File

@@ -83,6 +83,18 @@ class UserUpdate(BaseModel):
# ── Read (full) ─────────────────────────────────────────────────────
class PasswordChange(BaseModel):
"""Payload for changing the current user's password."""
current_password: str
new_password: str
@field_validator("new_password")
@classmethod
def new_password_strength(cls, v: str) -> str:
return _validate_password_strength(v)
class UserOut(BaseModel):
"""Complete representation returned by the API."""
@@ -91,6 +103,7 @@ class UserOut(BaseModel):
email: str | None = None
role: str
is_active: bool
must_change_password: bool = True
created_at: datetime | None = None
last_login: datetime | None = None

11
frontend/src/api/auth.ts
View File

@@ -34,3 +34,14 @@ export async function getMe(): Promise<User> {
const { data } = await client.get<User>("/auth/me");
return data;
}
/** Change the current user's password. */
export async function changePassword(
currentPassword: string,
newPassword: string,
): Promise<void> {
await client.post("/auth/change-password", {
current_password: currentPassword,
new_password: newPassword,
});
}

148
frontend/src/components/ChangePasswordModal.tsx Normal file
View File

@@ -0,0 +1,148 @@
import { useState, useMemo } from "react";
import { changePassword } from "../api/auth";
interface PasswordRule {
label: string;
test: (pw: string) => boolean;
}
const PASSWORD_RULES: PasswordRule[] = [
{ label: "At least 12 characters", test: (pw) => pw.length >= 12 },
{ label: "At least one uppercase letter", test: (pw) => /[A-Z]/.test(pw) },
{ label: "At least one lowercase letter", test: (pw) => /[a-z]/.test(pw) },
{ label: "At least one digit", test: (pw) => /[0-9]/.test(pw) },
{
label: "At least one special character (!@#$%^&*…)",
test: (pw) => /[!@#$%^&*()_+\-=[\]{};':"\\|,.<>/?`~]/.test(pw),
},
];
export function PasswordPolicyChecklist({ password }: { password: string }) {
return (
<ul className="mt-2 space-y-1 text-xs">
{PASSWORD_RULES.map((rule) => {
const ok = password.length > 0 && rule.test(password);
return (
<li key={rule.label} className="flex items-center gap-1.5">
<span className={ok ? "text-green-400" : "text-gray-500"}>
{ok ? "✓" : "○"}
</span>
<span className={ok ? "text-green-300" : "text-gray-400"}>
{rule.label}
</span>
</li>
);
})}
</ul>
);
}
interface Props {
onSuccess: () => void;
isForced?: boolean;
}
export default function ChangePasswordModal({ onSuccess, isForced }: Props) {
const [currentPw, setCurrentPw] = useState("");
const [newPw, setNewPw] = useState("");
const [confirmPw, setConfirmPw] = useState("");
const [error, setError] = useState<string | null>(null);
const [loading, setLoading] = useState(false);
const allRulesPass = useMemo(
() => PASSWORD_RULES.every((r) => r.test(newPw)),
[newPw],
);
const canSubmit =
currentPw.length > 0 &&
allRulesPass &&
newPw === confirmPw &&
!loading;
async function handleSubmit(e: React.FormEvent) {
e.preventDefault();
if (!canSubmit) return;
setLoading(true);
setError(null);
try {
await changePassword(currentPw, newPw);
onSuccess();
} catch (err: unknown) {
const msg =
(err as { response?: { data?: { detail?: string } } })?.response?.data
?.detail ?? "Failed to change password";
setError(msg);
} finally {
setLoading(false);
}
}
return (
<div className="fixed inset-0 z-[100] flex items-center justify-center bg-black/70 backdrop-blur-sm">
<form
onSubmit={handleSubmit}
className="w-full max-w-md rounded-xl border border-gray-700 bg-gray-900 p-6 shadow-2xl"
>
<h2 className="mb-1 text-lg font-semibold text-white">
Change Password
</h2>
{isForced && (
<p className="mb-4 text-sm text-amber-400">
You must change your password before continuing.
</p>
)}
{error && (
<div className="mb-3 rounded bg-red-900/50 px-3 py-2 text-sm text-red-300">
{error}
</div>
)}
<label className="mb-1 block text-sm text-gray-400">
Current password
</label>
<input
type="password"
className="mb-4 w-full rounded-lg border border-gray-700 bg-gray-800 px-3 py-2 text-sm text-white focus:border-cyan-500 focus:outline-none"
value={currentPw}
onChange={(e) => setCurrentPw(e.target.value)}
autoFocus
/>
<label className="mb-1 block text-sm text-gray-400">
New password
</label>
<input
type="password"
className="w-full rounded-lg border border-gray-700 bg-gray-800 px-3 py-2 text-sm text-white focus:border-cyan-500 focus:outline-none"
value={newPw}
onChange={(e) => setNewPw(e.target.value)}
/>
<PasswordPolicyChecklist password={newPw} />
<label className="mb-1 mt-4 block text-sm text-gray-400">
Confirm new password
</label>
<input
type="password"
className="w-full rounded-lg border border-gray-700 bg-gray-800 px-3 py-2 text-sm text-white focus:border-cyan-500 focus:outline-none"
value={confirmPw}
onChange={(e) => setConfirmPw(e.target.value)}
/>
{confirmPw.length > 0 && newPw !== confirmPw && (
<p className="mt-1 text-xs text-red-400">Passwords do not match</p>
)}
<button
type="submit"
disabled={!canSubmit}
className="mt-6 w-full rounded-lg bg-cyan-600 py-2.5 text-sm font-medium text-white transition-colors hover:bg-cyan-500 disabled:cursor-not-allowed disabled:opacity-50"
>
{loading ? "Changing…" : "Change Password"}
</button>
</form>
</div>
);
}

4
frontend/src/components/Sidebar.tsx
View File

@@ -33,7 +33,7 @@ interface NavItem {
const mainLinks: NavItem[] = [
{ to: "/dashboard", label: "Dashboard", icon: LayoutDashboard },
{ to: "/executive-dashboard", label: "Executive Dashboard", icon: Gauge, roles: ["admin", "red_lead", "blue_lead"] },
{ to: "/executive-dashboard", label: "Executive Dashboard", icon: Gauge, roles: ["admin", "red_lead", "blue_lead", "viewer"] },
{ to: "/matrix", label: "ATT&CK Matrix", icon: Grid3X3 },
{
to: "/tests",
@@ -48,7 +48,7 @@ const mainLinks: NavItem[] = [
{ to: "/campaigns", label: "Campaigns", icon: Zap },
{ to: "/threat-actors", label: "Threat Actors", icon: Crosshair },
{ to: "/compliance", label: "Compliance", icon: ShieldCheck },
{ to: "/comparison", label: "Comparison", icon: GitCompareArrows, roles: ["admin", "red_lead", "blue_lead"] },
{ to: "/comparison", label: "Comparison", icon: GitCompareArrows, roles: ["admin", "red_lead", "blue_lead", "viewer"] },
{ to: "/reports", label: "Reports", icon: BarChart3 },
];

4
frontend/src/components/test-detail/TeamTabs.tsx
View File

@@ -119,11 +119,11 @@ export default function TeamTabs({
const canEditRed =
RED_EDITABLE_STATES.includes(test.state) &&
(role === "red_tech" || role === "admin");
(role === "red_tech" || role === "red_lead" || role === "admin");
const canEditBlue =
BLUE_EDITABLE_STATES.includes(test.state) &&
(role === "blue_tech" || role === "admin");
(role === "blue_tech" || role === "blue_lead" || role === "admin");
// ── Red Team Tab ─────────────────────────────────────────────────

16
frontend/src/components/test-detail/TestDetailHeader.tsx
View File

@@ -91,10 +91,10 @@ export default function TestDetailHeader({
const renderActions = () => {
const buttons: React.ReactNode[] = [];
// Red Tech in draft -> Start Execution
// Red Team in draft -> Start Execution
if (
test.state === "draft" &&
(role === "red_tech" || role === "admin")
(role === "red_tech" || role === "red_lead" || role === "admin")
) {
buttons.push(
<button
@@ -109,10 +109,10 @@ export default function TestDetailHeader({
);
}
// Red Tech in red_executing -> Submit to Blue Team
// Red Team in red_executing -> Submit to Blue Team
if (
test.state === "red_executing" &&
(role === "red_tech" || role === "admin")
(role === "red_tech" || role === "red_lead" || role === "admin")
) {
buttons.push(
<button
@@ -127,10 +127,10 @@ export default function TestDetailHeader({
);
}
// Blue Tech in blue_evaluating -> Submit for Review
// Blue Team in blue_evaluating -> Submit for Review
if (
test.state === "blue_evaluating" &&
(role === "blue_tech" || role === "admin")
(role === "blue_tech" || role === "blue_lead" || role === "admin")
) {
buttons.push(
<button
@@ -245,8 +245,8 @@ export default function TestDetailHeader({
// ── Live timer ───────────────────────────────────────────────────
const canControlTimer =
(test.state === "red_executing" && (role === "red_tech" || role === "admin")) ||
(test.state === "blue_evaluating" && (role === "blue_tech" || role === "admin"));
(test.state === "red_executing" && (role === "red_tech" || role === "red_lead" || role === "admin")) ||
(test.state === "blue_evaluating" && (role === "blue_tech" || role === "blue_lead" || role === "admin"));
const renderLiveTimer = () => {
if (test.state === "red_executing" && test.red_started_at) {

26
frontend/src/context/AuthContext.tsx
View File

@@ -12,6 +12,7 @@ import {
getMe,
} from "../api/auth";
import type { User } from "../types/models";
import ChangePasswordModal from "../components/ChangePasswordModal";
/* ── Context shape ────────────────────────────────────────────────── */
@@ -31,18 +32,20 @@ export function AuthProvider({ children }: { children: ReactNode }) {
const [user, setUser] = useState<User | null>(null);
const [isLoading, setIsLoading] = useState(true);
// On mount — try to hydrate the user from the existing HttpOnly cookie.
// If no valid cookie exists the /auth/me call will 401 and we stay
// unauthenticated — no localStorage involved.
useEffect(() => {
getMe()
.then(setUser)
.catch(() => setUser(null))
.finally(() => setIsLoading(false));
const refreshUser = useCallback(async () => {
try {
const me = await getMe();
setUser(me);
} catch {
setUser(null);
}
}, []);
useEffect(() => {
refreshUser().finally(() => setIsLoading(false));
}, [refreshUser]);
const login = useCallback(async (username: string, password: string) => {
// The backend sets the HttpOnly cookie automatically
await apiLogin(username, password);
const me = await getMe();
setUser(me);
@@ -53,6 +56,8 @@ export function AuthProvider({ children }: { children: ReactNode }) {
setUser(null);
}, []);
const mustChangePassword = user?.must_change_password === true;
return (
<AuthContext.Provider
value={{
@@ -64,6 +69,9 @@ export function AuthProvider({ children }: { children: ReactNode }) {
}}
>
{children}
{mustChangePassword && (
<ChangePasswordModal isForced onSuccess={refreshUser} />
)}
</AuthContext.Provider>
);
}

2
frontend/src/pages/CampaignDetailPage.tsx
View File

@@ -70,7 +70,7 @@ export default function CampaignDetailPage() {
};
const role = user?.role ?? "";
const canManage = role === "admin" || role === "red_tech";
const canManage = role === "admin" || role === "red_lead" || role === "blue_lead";
const canComplete = role === "admin" || role === "red_lead";
const {

2
frontend/src/pages/CampaignsPage.tsx
View File

@@ -56,7 +56,7 @@ export default function CampaignsPage() {
target_platform: "",
});
const canCreate = user?.role === "admin" || user?.role === "red_tech";
const canCreate = user?.role === "admin" || user?.role === "red_lead" || user?.role === "blue_lead";
const { data, isLoading, error } = useQuery({
queryKey: ["campaigns", filters],

4
frontend/src/pages/TestDetailPage.tsx
View File

@@ -344,10 +344,10 @@ export default function TestDetailPage() {
const role = user?.role ?? "";
const canSaveRed =
(test.state === "draft" || test.state === "red_executing") &&
(role === "red_tech" || role === "admin");
(role === "red_tech" || role === "red_lead" || role === "admin");
const canSaveBlue =
test.state === "blue_evaluating" &&
(role === "blue_tech" || role === "admin");
(role === "blue_tech" || role === "blue_lead" || role === "admin");
// ── Render ─────────────────────────────────────────────────────

2
frontend/src/pages/TestsPage.tsx
View File

@@ -75,7 +75,7 @@ export default function TestsPage() {
const { user } = useAuth();
const canCreate =
user?.role === "admin" || user?.role === "red_tech";
user?.role === "admin" || user?.role === "red_lead" || user?.role === "blue_lead";
// ── Filter state ──────────────────────────────────────────────────
const [stateFilter, setStateFilter] = useState<TestState | "">("");

8
frontend/src/pages/UsersPage.tsx
View File

@@ -12,6 +12,7 @@ import {
Edit,
} from "lucide-react";
import { getUsers, createUser, updateUser, type UserOut, type UserCreatePayload } from "../api/users";
import { PasswordPolicyChecklist } from "../components/ChangePasswordModal";
const ROLES = [
{ value: "viewer", label: "Viewer" },
@@ -323,7 +324,11 @@ function CreateUserModal({ onClose, onSubmit, isSubmitting, error }: CreateUserM
errors.password ? "border-red-500" : "border-gray-700"
}`}
/>
<PasswordPolicyChecklist password={formData.password} />
{errors.password && <p className="mt-1 text-sm text-red-400">{errors.password}</p>}
<p className="mt-1 text-xs text-amber-400/70">
The user will be required to change this password on first login.
</p>
</div>
<div>
@@ -446,6 +451,9 @@ function EditUserModal({ user, onClose, onSubmit, isSubmitting, error }: EditUse
className="mt-1 w-full rounded-lg border border-gray-700 bg-gray-800 px-3 py-2 text-gray-200"
placeholder="••••••••"
/>
{formData.password.length > 0 && (
<PasswordPolicyChecklist password={formData.password} />
)}
</div>
<div className="flex justify-end gap-3 pt-4">

1
frontend/src/types/models.ts
View File

@@ -6,6 +6,7 @@ export interface User {
id: string;
username: string;
role: string;
must_change_password?: boolean;
}
// ── Techniques ─────────────────────────────────────────────────────