Kitos
1338d52cd0
validate_as_red/blue_lead now delegate to TestEntity. check_dual_validation routes through entity instead of assigning test.state directly. Side effects dispatched via domain events. Entity raises InvalidOperationError for backward compat. Removed 4 dead V1 xfail tests, fixed 2 real test issues. 224 passed, 0 xfailed.
78 lines
2.2 KiB
Python
78 lines
2.2 KiB
Python
"""Tests for security test endpoints (V2 API).
|
|
|
|
Covers the test CRUD and basic workflow via the REST API.
|
|
For full workflow logic tests see ``test_workflow.py`` and
|
|
``test_integration_v2.py``.
|
|
"""
|
|
|
|
import pytest
|
|
|
|
|
|
@pytest.fixture
|
|
def technique(client, auth_headers):
|
|
"""Create a technique for test association."""
|
|
response = client.post(
|
|
"/api/v1/techniques",
|
|
json={"mitre_id": "T1059", "name": "Test Technique"},
|
|
headers=auth_headers,
|
|
)
|
|
return response.json()
|
|
|
|
|
|
def test_create_test_requires_auth(client):
|
|
"""POST /tests without token returns 401 or 403."""
|
|
response = client.post(
|
|
"/api/v1/tests",
|
|
json={
|
|
"technique_id": "00000000-0000-0000-0000-000000000000",
|
|
"name": "Test Name",
|
|
},
|
|
)
|
|
assert response.status_code in (401, 403)
|
|
|
|
|
|
def test_create_test_success(client, auth_headers, technique):
|
|
"""Admin can create a test via POST /tests."""
|
|
response = client.post(
|
|
"/api/v1/tests",
|
|
json={
|
|
"technique_id": technique["id"],
|
|
"name": "My Security Test",
|
|
"description": "Test description",
|
|
"platform": "windows",
|
|
},
|
|
headers=auth_headers,
|
|
)
|
|
assert response.status_code == 201
|
|
data = response.json()
|
|
assert data["name"] == "My Security Test"
|
|
assert data["state"] == "draft"
|
|
assert data["technique_id"] == technique["id"]
|
|
|
|
|
|
def test_create_test_nonexistent_technique(client, auth_headers):
|
|
"""Creating a test with non-existent technique fails."""
|
|
response = client.post(
|
|
"/api/v1/tests",
|
|
json={
|
|
"technique_id": "00000000-0000-0000-0000-000000000000",
|
|
"name": "Test",
|
|
},
|
|
headers=auth_headers,
|
|
)
|
|
assert response.status_code == 404
|
|
|
|
|
|
def test_get_test_by_id(client, auth_headers, technique):
|
|
"""GET /tests/{id} returns the test."""
|
|
create_response = client.post(
|
|
"/api/v1/tests",
|
|
json={"technique_id": technique["id"], "name": "Test"},
|
|
headers=auth_headers,
|
|
)
|
|
test_id = create_response.json()["id"]
|
|
|
|
response = client.get(f"/api/v1/tests/{test_id}", headers=auth_headers)
|
|
assert response.status_code == 200
|
|
assert response.json()["id"] == test_id
|