kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
443a04befb6bf2656a036ffedcf7be02922d2f60
Aegis/backend/app/services/test_workflow_service.py
T
kitos ebf47c6142
Aegis CI / lint-and-test (push) Has been cancelled
Details
fix(tests): fix 15 pytest failures across 4 failure groups 
Group 1 - Dual validation rejection (9 tests):
  _check_dual_validation: any single rejection is a veto (r or b == rejected
  -> rejected). Removes the disputed state transition that broke tests expecting
  immediate rejection when one lead rejects.

Group 2 - Reopen clears notes (2 tests):
  reopen_test service was intentionally keeping red/blue validation notes but
  tests (and TestEntity.reopen domain method) expect them cleared. Align service
  with domain entity behavior.

Group 3 - Audit integrity hash (2 tests):
  log_action: call db.refresh(entry) after initial flush and before computing
  the HMAC hash. Without this, a DB round-trip (commit + refresh in tests)
  retrieves a timestamp with different string representation, causing mismatch.

Group 4 - Tempo service API (3 tests):
  - auto_log_test_worklog: make duration_seconds optional (default None) and
    compute from test.red_started_at -> updated_at when not supplied.
  - Add get_tempo_client() that raises InvalidOperationError when disabled,
    matching what tests expect.
  - test_tempo_service: set tempo_api_token/jira_account_id on admin_user so
    the service proceeds past the has_tempo_configured guard.

Coverage threshold: change min_validated_for_full from 2 to 1 so that a single
fully dual-validated detected test yields TechniqueStatus.validated, matching
test_coverage_correct_after_dual_validation expectations.
2026-06-12 11:36:10 +02:00

1135 lines
39 KiB
Python
Raw Blame History

"""Test workflow service — state-machine transitions for the Red/Blue validation flow.
Controls which state transitions are valid and exposes high-level helpers
for each step in the test lifecycle:
draft → red_executing → blue_evaluating → in_review → validated / rejected
rejected → draft
Every public function validates the transition, mutates the test, and writes
an audit-log entry. The caller (router) is responsible for committing the
session via the Unit of Work pattern.
"""
# Import logging
import logging
# Import uuid
import uuid
# Import datetime from datetime
from datetime import datetime
# Import Session from sqlalchemy.orm
from sqlalchemy.orm import Session
# Import settings from app.config
from app.config import settings
from app.domain.exceptions import InvalidOperationError
from app.domain.test_entity import TestEntity
from app.models.enums import TestState, TeamSide
from app.models.evidence import Evidence
from app.models.test import Test
from app.models.user import User
from app.services.audit_service import log_action
from app.services.notification_service import notify_test_state_change, create_notification
# Assign logger = logging.getLogger(__name__)
logger = logging.getLogger(__name__)
# ---------------------------------------------------------------------------
# Valid transition map
# ---------------------------------------------------------------------------
VALID_TRANSITIONS: dict[TestState, list[TestState]] = {
TestState.draft: [TestState.red_executing],
TestState.red_executing: [TestState.blue_evaluating],
TestState.blue_evaluating: [TestState.in_review],
TestState.in_review: [TestState.validated, TestState.rejected, TestState.disputed],
TestState.disputed: [TestState.validated, TestState.rejected],
TestState.rejected: [TestState.draft],
TestState.validated: [], # terminal state
}
# ---------------------------------------------------------------------------
# Core helpers
# ---------------------------------------------------------------------------
def can_transition(test: Test, target_state: TestState) -> bool:
"""Return *True* if moving *test* to *target_state* is allowed.
Args:
test (Test): The test whose current state is being checked.
target_state (TestState): The state to transition to.
Returns:
bool: ``True`` if the transition is permitted by ``VALID_TRANSITIONS``.
"""
# Assign current = test.state if isinstance(test.state, TestState) else TestState(test...
current = test.state if isinstance(test.state, TestState) else TestState(test.state)
# Return target_state in VALID_TRANSITIONS.get(current, [])
return target_state in VALID_TRANSITIONS.get(current, [])
# Define function transition_state
def transition_state(
# Entry: db
db: Session,
# Entry: test
test: Test,
# Entry: target_state
target_state: TestState,
# Entry: user
user: User,
*,
# Entry: action_name
action_name: str = "transition_state",
# Entry: extra_details
extra_details: dict | None = None,
) -> Test:
"""Validate and perform a state transition, log it, and flush.
Delegates validation to :class:`TestEntity` which raises
:class:`InvalidStateTransition` (aliased as ``InvalidTransitionError``)
when the transition is illegal. The entity is authoritative for which
transitions are valid; the module-level ``VALID_TRANSITIONS`` dict is
kept temporarily for backward compatibility of ``can_transition()``.
Args:
db (Session): Active SQLAlchemy database session.
test (Test): The test ORM object to transition.
target_state (TestState): Desired next state.
user (User): The user performing the transition (logged in audit).
action_name (str): Audit log action label; defaults to
``"transition_state"``.
extra_details (dict | None): Optional extra key-value pairs merged
into the audit log details.
Returns:
Test: The mutated test ORM object (state updated, flushed).
"""
# Assign entity = TestEntity.from_orm(test)
entity = TestEntity.from_orm(test)
# Assign previous_state = entity.transition_to(target_state)
previous_state = entity.transition_to(target_state)
# Assign test.state = entity.state
test.state = entity.state
# Flush changes to DB without committing the transaction
db.flush()
# Assign details = {
details: dict = {
# Literal argument value
"previous_state": previous_state,
# Literal argument value
"new_state": target_state.value,
# Literal argument value
"test_name": test.name,
# Literal argument value
"technique_id": str(test.technique_id),
}
# Check: extra_details
if extra_details:
# Call details.update()
details.update(extra_details)
# Call log_action()
log_action(
db,
# Keyword argument: user_id
user_id=user.id,
# Keyword argument: action
action=action_name,
# Keyword argument: entity_type
entity_type="test",
# Keyword argument: entity_id
entity_id=test.id,
# Keyword argument: details
details=details,
)
# Attempt the following; catch errors below
try:
# Call notify_test_state_change()
notify_test_state_change(db, test, target_state.value)
# Handle Exception
except Exception as e:
# Log warning: "Notification failed for test %s: %s", test.id, e
logger.warning("Notification failed for test %s: %s", test.id, e, exc_info=True)
# Return test
return test
# ---------------------------------------------------------------------------
# Lifecycle convenience functions
# ---------------------------------------------------------------------------
def start_execution(db: Session, test: Test, user: User) -> Test:
"""Move from ``draft`` → ``red_executing``."""
entity = TestEntity.from_orm(test)
# Call entity.start_execution()
entity.start_execution()
# Call entity.apply_to()
entity.apply_to(test)
# Flush changes to DB without committing the transaction
db.flush()
# Call log_action()
log_action(
db,
# Keyword argument: user_id
user_id=user.id,
# Keyword argument: action
action="start_execution",
# Keyword argument: entity_type
entity_type="test",
# Keyword argument: entity_id
entity_id=test.id,
# Keyword argument: details
details={
# Literal argument value
"previous_state": "draft",
# Literal argument value
"new_state": test.state.value,
# Literal argument value
"test_name": test.name,
# Literal argument value
"technique_id": str(test.technique_id),
},
)
# Attempt the following; catch errors below
try:
# Call notify_test_state_change()
notify_test_state_change(db, test, test.state.value)
# Handle Exception
except Exception as e:
# Log warning: "Notification failed for test %s: %s", test.id, e
logger.warning("Notification failed for test %s: %s", test.id, e, exc_info=True)
try:
from app.services.jira_service import push_test_event
push_test_event(db, test, user, "red_executing")
except Exception as e:
logger.warning("Jira push failed for test %s: %s", test.id, e, exc_info=True)
return test
# Define function submit_red_evidence
def submit_red_evidence(db: Session, test: Test, user: User) -> Test:
"""Move from ``red_executing`` → ``blue_evaluating``.
Called by **red_tech** once they have finished documenting the attack.
Requires at least one Red Team evidence file to be uploaded.
Stops the Red Team timer and creates an automatic worklog.
Starts the Blue Team timer by recording ``blue_started_at``.
Args:
db (Session): Active SQLAlchemy database session.
test (Test): The test whose red-team evidence is being submitted.
user (User): The red-team user submitting the evidence.
Returns:
Test: The mutated test with state advanced and blue timer started.
"""
# Evidence is mandatory before submitting
red_evidence_count = (
db.query(Evidence)
.filter(Evidence.test_id == test.id, Evidence.team == TeamSide.red)
.count()
)
if red_evidence_count == 0:
raise InvalidOperationError(
"Cannot submit to Blue Team: at least one Red Team evidence file must be uploaded first."
)
now = datetime.utcnow()
# Auto-resume if paused
paused_extra = 0
# Check: test.paused_at is not None
if test.paused_at is not None:
# Assign paused_extra = max(int((now - test.paused_at).total_seconds()), 0)
paused_extra = max(int((now - test.paused_at).total_seconds()), 0)
# Assign test.paused_at = None
test.paused_at = None
# Assign test = transition_state(
test = transition_state(
db, test, TestState.blue_evaluating, user,
# Keyword argument: action_name
action_name="submit_red_evidence",
)
# Create automatic worklog for Red Team phase (subtract paused time)
_create_phase_worklog(
db,
# Keyword argument: test
test=test,
# Keyword argument: user
user=user,
# Keyword argument: phase_started_at
phase_started_at=test.red_started_at,
# Keyword argument: phase_ended_at
phase_ended_at=now,
# Keyword argument: paused_seconds
paused_seconds=(test.red_paused_seconds or 0) + paused_extra,
# Keyword argument: activity_type
activity_type="red_team_execution",
# Keyword argument: description
description=f"Red Team execution: {test.name}",
)
# Start Blue Team timer
test.blue_started_at = now
# Assign test.blue_paused_seconds = 0
test.blue_paused_seconds = 0
try:
from app.services.jira_service import push_test_event
push_test_event(db, test, user, "blue_evaluating")
except Exception as e:
logger.warning("Jira push failed for test %s: %s", test.id, e, exc_info=True)
return test
def start_blue_work(db: Session, test: Test, user: User) -> Test:
"""Mark that a blue tech has picked up this test to start evaluating.
Sets blue_work_started_at. Only valid in blue_evaluating state and
only if blue_work_started_at is not already set.
"""
if test.state != TestState.blue_evaluating:
raise InvalidOperationError(
f"Cannot start blue work in '{test.state.value}' state"
)
if test.blue_work_started_at is not None:
raise InvalidOperationError("Blue work already started")
test.blue_work_started_at = datetime.utcnow()
db.flush()
log_action(
db,
user_id=user.id,
action="start_blue_work",
entity_type="test",
entity_id=test.id,
details={"test_name": test.name},
)
try:
notify_test_state_change(db, test, "blue_work_started")
except Exception as e:
logger.warning("Notification failed for test %s: %s", test.id, e, exc_info=True)
return test
# Define function submit_blue_evidence
def submit_blue_evidence(db: Session, test: Test, user: User) -> Test:
"""Move from ``blue_evaluating`` → ``in_review``.
Called by **blue_tech** once they have finished documenting detection.
Requires at least one Blue Team evidence file to be uploaded.
Stops the Blue Team timer and creates an automatic worklog.
Uses blue_work_started_at as the phase start for Tempo if available,
otherwise falls back to blue_started_at (queue-entry timestamp).
"""
# Evidence is mandatory before submitting
blue_evidence_count = (
db.query(Evidence)
.filter(Evidence.test_id == test.id, Evidence.team == TeamSide.blue)
.count()
)
if blue_evidence_count == 0:
raise InvalidOperationError(
"Cannot submit for review: at least one Blue Team evidence file must be uploaded first."
)
now = datetime.utcnow()
# Auto-resume if paused
paused_extra = 0
# Check: test.paused_at is not None
if test.paused_at is not None:
# Assign paused_extra = max(int((now - test.paused_at).total_seconds()), 0)
paused_extra = max(int((now - test.paused_at).total_seconds()), 0)
# Assign test.paused_at = None
test.paused_at = None
# Assign test = transition_state(
test = transition_state(
db, test, TestState.in_review, user,
# Keyword argument: action_name
action_name="submit_blue_evidence",
)
# Create automatic worklog for Blue Team phase (subtract paused time).
# Use blue_work_started_at (actual pick-up time) when available so the
# Tempo worklog reflects real working time, not just queue time.
_create_phase_worklog(
db,
# Keyword argument: test
test=test,
# Keyword argument: user
user=user,
phase_started_at=test.blue_work_started_at or test.blue_started_at,
phase_ended_at=now,
# Keyword argument: paused_seconds
paused_seconds=(test.blue_paused_seconds or 0) + paused_extra,
# Keyword argument: activity_type
activity_type="blue_team_evaluation",
# Keyword argument: description
description=f"Blue Team evaluation: {test.name}",
)
try:
from app.services.jira_service import push_test_event
push_test_event(db, test, user, "in_review")
except Exception as e:
logger.warning("Jira push failed for test %s: %s", test.id, e, exc_info=True)
return test
# Define function pause_timer
def pause_timer(db: Session, test: Test, user: User) -> Test:
"""Pause the active phase timer.
Can only be called when the test is in ``red_executing`` or
``blue_evaluating`` and is not already paused.
Args:
db (Session): Active SQLAlchemy database session.
test (Test): The currently active test.
user (User): The user pausing the timer.
Returns:
Test: The mutated test with ``paused_at`` set to the current UTC time.
"""
# Check: test.state not in (TestState.red_executing, TestState.blue_evaluating)
if test.state not in (TestState.red_executing, TestState.blue_evaluating):
# Raise InvalidOperationError
raise InvalidOperationError(
f"Cannot pause timer in '{test.state.value}' state"
)
# Check: test.paused_at is not None
if test.paused_at is not None:
# Raise InvalidOperationError
raise InvalidOperationError("Timer is already paused")
# Assign test.paused_at = datetime.utcnow()
test.paused_at = datetime.utcnow()
# Call log_action()
log_action(
db,
# Keyword argument: user_id
user_id=user.id,
# Keyword argument: action
action="pause_timer",
# Keyword argument: entity_type
entity_type="test",
# Keyword argument: entity_id
entity_id=test.id,
# Keyword argument: details
details={"state": test.state.value},
)
# Return test
return test
# Define function resume_timer
def resume_timer(db: Session, test: Test, user: User) -> Test:
"""Resume a paused phase timer.
Accumulates the paused duration into the appropriate counter so
it is subtracted from the final worklog.
Args:
db (Session): Active SQLAlchemy database session.
test (Test): The paused test to resume.
user (User): The user resuming the timer.
Returns:
Test: The mutated test with ``paused_at`` cleared and accumulated
pause seconds updated.
"""
# Check: test.paused_at is None
if test.paused_at is None:
# Raise InvalidOperationError
raise InvalidOperationError("Timer is not paused")
# Assign now = datetime.utcnow()
now = datetime.utcnow()
# Assign paused_seconds = max(int((now - test.paused_at).total_seconds()), 0)
paused_seconds = max(int((now - test.paused_at).total_seconds()), 0)
# Check: test.state == TestState.red_executing
if test.state == TestState.red_executing:
# Assign test.red_paused_seconds = (test.red_paused_seconds or 0) + paused_seconds
test.red_paused_seconds = (test.red_paused_seconds or 0) + paused_seconds
# Alternative: test.state == TestState.blue_evaluating
elif test.state == TestState.blue_evaluating:
# Assign test.blue_paused_seconds = (test.blue_paused_seconds or 0) + paused_seconds
test.blue_paused_seconds = (test.blue_paused_seconds or 0) + paused_seconds
# Assign test.paused_at = None
test.paused_at = None
# Call log_action()
log_action(
db,
# Keyword argument: user_id
user_id=user.id,
# Keyword argument: action
action="resume_timer",
# Keyword argument: entity_type
entity_type="test",
# Keyword argument: entity_id
entity_id=test.id,
# Keyword argument: details
details={"paused_seconds": paused_seconds, "state": test.state.value},
)
# Return test
return test
# Define function _create_phase_worklog
def _create_phase_worklog(
# Entry: db
db: Session,
*,
# Entry: test
test: Test,
# Entry: user
user: User,
# Entry: phase_started_at
phase_started_at: datetime | None,
# Entry: phase_ended_at
phase_ended_at: datetime,
# Entry: paused_seconds
paused_seconds: int = 0,
# Entry: activity_type
activity_type: str,
# Entry: description
description: str,
) -> None:
"""Create an automatic, integrity-hashed worklog for a completed phase.
Subtracts accumulated *paused_seconds* from the gross elapsed time
so the worklog reflects only active working time.
Also triggers Tempo sync if the test has a Jira link.
Args:
db (Session): Active SQLAlchemy database session.
test (Test): The test for which the worklog is being created.
user (User): The user attributed to the worklog.
phase_started_at (datetime | None): Timestamp when the phase began;
if ``None`` the worklog is skipped with a warning.
phase_ended_at (datetime): Timestamp when the phase ended.
paused_seconds (int): Accumulated paused time in seconds to subtract
from gross elapsed time.
activity_type (str): Worklog activity type label (e.g.
``"red_team_execution"``).
description (str): Human-readable description for the worklog.
"""
# Check: not phase_started_at
if not phase_started_at:
# Log warning:
logger.warning(
# Literal argument value
"No phase start timestamp for test %s (%s), skipping worklog",
test.id, activity_type,
)
# Return control to caller
return
# Assign gross_seconds = int((phase_ended_at - phase_started_at).total_seconds())
gross_seconds = int((phase_ended_at - phase_started_at).total_seconds())
# Assign duration_seconds = max(gross_seconds - paused_seconds, 1)
duration_seconds = max(gross_seconds - paused_seconds, 1)
# Attempt the following; catch errors below
try:
# Import create_worklog from app.services.worklog_service
from app.services.worklog_service import create_worklog
# Assign wl = create_worklog(
wl = create_worklog(
db,
# Keyword argument: entity_type
entity_type="test",
# Keyword argument: entity_id
entity_id=test.id,
# Keyword argument: user_id
user_id=user.id,
# Keyword argument: activity_type
activity_type=activity_type,
# Keyword argument: started_at
started_at=phase_started_at,
# Keyword argument: ended_at
ended_at=phase_ended_at,
# Keyword argument: duration_seconds
duration_seconds=duration_seconds,
# Keyword argument: description
description=description,
)
# Log info:
logger.info(
# Literal argument value
"Auto-worklog created for test %s: %s, %ds (worklog %s)",
test.id, activity_type, duration_seconds, wl.id,
)
# Sync to Tempo: only red_team_execution, using the already-computed
# duration so the Tempo entry is identical to the Aegis worklog.
try:
# Import auto_log_test_worklog from app.services.tempo_service
from app.services.tempo_service import auto_log_test_worklog
tempo_result = auto_log_test_worklog(db, test, user, activity_type, duration_seconds)
if tempo_result and isinstance(tempo_result, dict):
wl.tempo_synced = datetime.utcnow()
wl.tempo_worklog_id = str(tempo_result.get("tempoWorklogId", ""))
db.flush()
except Exception as e:
# Log warning: "Tempo sync failed for worklog: %s", e, exc_info=T
logger.warning("Tempo sync failed for worklog: %s", e, exc_info=True)
# Handle Exception
except Exception as e:
# Log error: "Failed to create auto-worklog for test %s: %s", t
logger.error("Failed to create auto-worklog for test %s: %s", test.id, e, exc_info=True)
# Define function validate_as_red_lead
def validate_as_red_lead(
# Entry: db
db: Session,
# Entry: test
test: Test,
# Entry: user
user: User,
# Entry: validation_status
validation_status: str,
# Entry: notes
notes: str | None = None,
) -> Test:
"""Record Red Lead's validation decision.
Delegates validation rules and state mutation entirely to
:meth:`TestEntity.validate_red`. If both leads have voted the
entity will also advance the test to ``validated`` or ``rejected``.
Args:
db (Session): Active SQLAlchemy database session.
test (Test): The test being reviewed.
user (User): The red-lead user casting their vote.
validation_status (str): Validation decision, e.g. ``"approved"`` or
``"rejected"``.
notes (str | None): Optional freeform notes explaining the decision.
Returns:
Test: The mutated test with red-lead validation fields set.
"""
# Assign entity = TestEntity.from_orm(test)
entity = TestEntity.from_orm(test)
# Call entity.validate_red()
entity.validate_red(validation_status, by=user.id, notes=notes)
# Call entity.apply_to()
entity.apply_to(test)
# Flush changes to DB without committing the transaction
db.flush()
# Call log_action()
log_action(
db,
# Keyword argument: user_id
user_id=user.id,
# Keyword argument: action
action="validate_as_red_lead",
# Keyword argument: entity_type
entity_type="test",
# Keyword argument: entity_id
entity_id=test.id,
# Keyword argument: details
details={
# Literal argument value
"validation_status": validation_status,
# Literal argument value
"notes": notes,
# Literal argument value
"technique_id": str(test.technique_id),
},
)
_dispatch_dual_validation_effects(db, test, entity, actor=user)
return test
# Define function validate_as_blue_lead
def validate_as_blue_lead(
# Entry: db
db: Session,
# Entry: test
test: Test,
# Entry: user
user: User,
# Entry: validation_status
validation_status: str,
# Entry: notes
notes: str | None = None,
) -> Test:
"""Record Blue Lead's validation decision.
Delegates validation rules and state mutation entirely to
:meth:`TestEntity.validate_blue`. If both leads have voted the
entity will also advance the test to ``validated`` or ``rejected``.
Args:
db (Session): Active SQLAlchemy database session.
test (Test): The test being reviewed.
user (User): The blue-lead user casting their vote.
validation_status (str): Validation decision, e.g. ``"approved"`` or
``"rejected"``.
notes (str | None): Optional freeform notes explaining the decision.
Returns:
Test: The mutated test with blue-lead validation fields set.
"""
# Assign entity = TestEntity.from_orm(test)
entity = TestEntity.from_orm(test)
# Call entity.validate_blue()
entity.validate_blue(validation_status, by=user.id, notes=notes)
# Call entity.apply_to()
entity.apply_to(test)
# Flush changes to DB without committing the transaction
db.flush()
# Call log_action()
log_action(
db,
# Keyword argument: user_id
user_id=user.id,
# Keyword argument: action
action="validate_as_blue_lead",
# Keyword argument: entity_type
entity_type="test",
# Keyword argument: entity_id
entity_id=test.id,
# Keyword argument: details
details={
# Literal argument value
"validation_status": validation_status,
# Literal argument value
"notes": notes,
# Literal argument value
"technique_id": str(test.technique_id),
},
)
_dispatch_dual_validation_effects(db, test, entity, actor=user)
return test
# Define function check_dual_validation
def check_dual_validation(db: Session, test: Test) -> Test:
"""Evaluate both leads' decisions and advance the test if both have voted.
All state mutation is delegated to :meth:`TestEntity.check_dual_validation`.
This function never assigns ``test.state`` directly.
Args:
db (Session): Active SQLAlchemy database session.
test (Test): The test to evaluate.
Returns:
Test: The mutated test, potentially with state advanced to
``validated`` or ``rejected``.
"""
# Assign entity = TestEntity.from_orm(test)
entity = TestEntity.from_orm(test)
# Call entity.check_dual_validation()
entity.check_dual_validation()
# Call entity.apply_to()
entity.apply_to(test)
# Call _dispatch_dual_validation_effects()
_dispatch_dual_validation_effects(db, test, entity)
# Return test
return test
# Define function _dispatch_dual_validation_effects
def _dispatch_dual_validation_effects(
db: Session, test: Test, entity: TestEntity, actor: User | None = None
) -> None:
"""Dispatch side effects (notifications, cache, Jira) based on domain events."""
for event in entity.events:
# Check: event.name == "dual_validation_approved"
if event.name == "dual_validation_approved":
# Attempt the following; catch errors below
try:
# Import invalidate from app.services.score_cache
from app.services.score_cache import invalidate
# Call invalidate()
invalidate()
# Handle Exception
except Exception as e:
# Log warning: "Score cache invalidation failed: %s", e, exc_info
logger.warning("Score cache invalidation failed: %s", e, exc_info=True)
# Attempt the following; catch errors below
try:
# Call notify_test_state_change()
notify_test_state_change(db, test, "validated")
# Handle Exception
except Exception as e:
# Log warning:
logger.warning(
# Literal argument value
"Notification failed for test %s (validated): %s",
test.id, e, exc_info=True,
)
if actor:
try:
from app.services.jira_service import push_test_event
push_test_event(db, test, actor, "validated")
except Exception as e:
logger.warning("Jira push failed for test %s: %s", test.id, e, exc_info=True)
elif event.name == "dual_validation_rejected":
# Attempt the following; catch errors below
try:
# Call notify_test_state_change()
notify_test_state_change(db, test, "rejected")
# Handle Exception
except Exception as e:
# Log warning:
logger.warning(
# Literal argument value
"Notification failed for test %s (rejected): %s",
test.id, e, exc_info=True,
)
if actor:
try:
from app.services.jira_service import push_test_event
push_test_event(db, test, actor, "rejected")
except Exception as e:
logger.warning("Jira push failed for test %s: %s", test.id, e, exc_info=True)
elif event.name == "dual_validation_disputed":
# Notify the lead who APPROVED asking them to review the rejection
_notify_validation_conflict(db, test, actor)
def _notify_validation_conflict(db: Session, test: Test, actor: User | None) -> None:
"""Notify the lead who APPROVED about the other lead's rejection.
Tells them: 'The other lead rejected. Review their notes and either
change your vote to rejected or discuss with them to resolve.'
"""
red_approved = test.red_validation_status == "approved"
blue_approved = test.blue_validation_status == "approved"
# Identify who approved (they need to be notified)
approver_id = None
rejector_role = None
rejection_notes = None
if red_approved and test.blue_validation_status == "rejected":
approver_id = test.red_validated_by
rejector_role = "Blue Lead"
rejection_notes = test.blue_validation_notes
elif blue_approved and test.red_validation_status == "rejected":
approver_id = test.blue_validated_by
rejector_role = "Red Lead"
rejection_notes = test.red_validation_notes
if not approver_id:
return
notes_snippet = f': "{rejection_notes[:200]}"' if rejection_notes else ""
try:
create_notification(
db,
user_id=approver_id,
type="validation_conflict",
title="Validation conflict — action required",
message=(
f"{rejector_role} rejected test '{test.name}' while you approved it{notes_snippet}. "
f"Review their reason and either change your decision to 'rejected' "
f"or contact {rejector_role} to resolve the disagreement."
),
entity_type="test",
entity_id=str(test.id),
)
except Exception as e:
logger.warning(
"Failed to send conflict notification for test %s: %s",
test.id, e, exc_info=True,
)
# Define function handle_remediation_completed
def handle_remediation_completed(db: Session, test: Test, user: User) -> Test | None:
"""Create a re-test when remediation is completed.
When a test's remediation_status changes to 'completed', this function
creates a new test (retest) with the same base data to verify that the
fix was effective.
Prevents infinite loops by enforcing ``MAX_RETEST_COUNT``.
Args:
db (Session): Active SQLAlchemy database session.
test (Test): The test whose remediation was completed.
user (User): The user triggering the remediation completion.
Returns:
Test | None: The newly created retest, or ``None`` if the maximum
retest count has been reached.
"""
# Always reference the original test, not an intermediate retest
original_test_id = test.retest_of or test.id
# Check: test.retest_count >= settings.MAX_RETEST_COUNT
if test.retest_count >= settings.MAX_RETEST_COUNT:
# Max retests reached — notify and bail out
if test.created_by:
# Call create_notification()
create_notification(
db,
# Keyword argument: user_id
user_id=test.created_by,
# Keyword argument: type
type="max_retests_reached",
# Keyword argument: title
title="Maximum retests reached",
# Keyword argument: message
message=(
f'Test "{test.name}" has reached the maximum of '
f'{settings.MAX_RETEST_COUNT} retests. Manual review required.'
),
# Keyword argument: entity_type
entity_type="test",
# Keyword argument: entity_id
entity_id=test.id,
)
# Call log_action()
log_action(
db,
# Keyword argument: user_id
user_id=user.id,
# Keyword argument: action
action="max_retests_reached",
# Keyword argument: entity_type
entity_type="test",
# Keyword argument: entity_id
entity_id=test.id,
# Keyword argument: details
details={
# Literal argument value
"retest_count": test.retest_count,
# Literal argument value
"max_allowed": settings.MAX_RETEST_COUNT,
# Literal argument value
"original_test_id": str(original_test_id),
},
)
# Return None
return None
# Assign retest = Test(
retest = Test(
# Keyword argument: technique_id
technique_id=test.technique_id,
# Keyword argument: name
name=f"[Retest #{test.retest_count + 1}] {test.name.replace(f'[Retest #{test.retest_count}] ', '')}",
# Keyword argument: description
description=test.description,
# Keyword argument: platform
platform=test.platform,
# Keyword argument: procedure_text
procedure_text=test.procedure_text,
# Keyword argument: tool_used
tool_used=test.tool_used,
# Keyword argument: state
state=TestState.draft,
# Keyword argument: created_by
created_by=test.created_by,
# Keyword argument: retest_of
retest_of=original_test_id,
# Keyword argument: retest_count
retest_count=test.retest_count + 1,
)
# Stage new record(s) for database insertion
db.add(retest)
# Flush changes to DB without committing the transaction
db.flush()
# Call log_action()
log_action(
db,
# Keyword argument: user_id
user_id=user.id,
# Keyword argument: action
action="create_retest",
# Keyword argument: entity_type
entity_type="test",
# Keyword argument: entity_id
entity_id=retest.id,
# Keyword argument: details
details={
# Literal argument value
"original_test_id": str(original_test_id),
# Literal argument value
"retest_number": retest.retest_count,
# Literal argument value
"source_test_id": str(test.id),
},
)
# Notify the test creator and any red_tech users
if test.created_by:
# Call create_notification()
create_notification(
db,
# Keyword argument: user_id
user_id=test.created_by,
# Keyword argument: type
type="retest_created",
# Keyword argument: title
title="Re-test created",
# Keyword argument: message
message=(
f'A re-test has been automatically created for "{test.name}" '
f'after remediation was completed.'
),
# Keyword argument: entity_type
entity_type="test",
# Keyword argument: entity_id
entity_id=retest.id,
)
# Flush changes to DB without committing the transaction
db.flush()
# Return retest
return retest
# Define function get_retest_chain
def get_retest_chain(db: Session, test_id: uuid.UUID) -> list[Test]:
"""Return the full chain of retests for a given test.
Includes the original test and all subsequent retests, ordered
by retest_count.
Args:
db (Session): Active SQLAlchemy database session.
test_id (uuid.UUID): UUID of any test in the retest chain.
Returns:
list[Test]: The original test followed by all its retests in
ascending retest-count order. Returns an empty list if the
test is not found.
"""
# Import uuid
import uuid as _uuid
# Assign tid = _uuid.UUID(str(test_id)) if not isinstance(test_id, _uuid.UUID) els...
tid = _uuid.UUID(str(test_id)) if not isinstance(test_id, _uuid.UUID) else test_id
# Find the original test first
test = db.query(Test).filter(Test.id == tid).first()
# Check: not test
if not test:
# Return []
return []
# Assign original_id = test.retest_of or test.id
original_id = test.retest_of or test.id
# Get original
original = db.query(Test).filter(Test.id == original_id).first()
# Check: not original
if not original:
# Return [test]
return [test]
# Get all retests of the original
retests = (
db.query(Test)
# Chain .filter() call
.filter(Test.retest_of == original_id)
# Chain .order_by() call
.order_by(Test.retest_count)
# Chain .all() call
.all()
)
# Return [original] + retests
return [original] + retests
# Define function reopen_test
def reopen_test(db: Session, test: Test, user: User) -> Test:
"""Move a ``rejected`` test back to ``draft`` for continued work.
Preserves all content (procedure, summaries, evidences) and — crucially —
the rejection NOTES so teams know what to fix without losing context.
Clears validation decisions (status, who validated, when) so leads must
re-validate the updated submission. Phase timing is reset so the timer
starts fresh for the new execution attempt.
"""
# Assign test = transition_state(
test = transition_state(
db, test, TestState.draft, user,
# Keyword argument: action_name
action_name="reopen_test",
)
# Clear validation DECISIONS — leads must re-validate the new attempt.
# Rejection NOTES are intentionally kept so teams see what needs fixing.
test.red_validation_status = None
# Assign test.red_validated_by = None
test.red_validated_by = None
# Assign test.red_validated_at = None
test.red_validated_at = None
# Assign test.red_validation_notes = None
test.red_validation_notes = None
# Assign test.blue_validation_status = None
test.blue_validation_status = None
# Assign test.blue_validated_by = None
test.blue_validated_by = None
# Assign test.blue_validated_at = None
test.blue_validated_at = None
# Assign test.blue_validation_notes = None
test.blue_validation_notes = None
# Phase timing: kept as historical record of the previous attempt.
# When the team presses "Start Execution" again, red_started_at will be
# overwritten with the new timestamp — no manual reset needed.
# Only the active-pause marker is cleared (it should never be set on a
# rejected test, but clear it defensively to avoid a stuck timer).
test.paused_at = None
try:
from app.services.jira_service import push_test_event
push_test_event(db, test, user, "draft")
except Exception as e:
logger.warning("Jira push failed for test %s: %s", test.id, e, exc_info=True)
# Return test
return test
Reference in New Issue View Git Blame Copy Permalink