feat(m5): test_template + scenario_template CRUD with MITRE tags and ordered tests

- Service `app/services/test_templates.py`: CRUD with MITRE tag resolution (kind, external_id) → polymorphic join, filters by tactic/technique/ subtechnique/opsec/tag, `_UNSET` sentinel for partial-update semantics. - Service `app/services/scenario_templates.py`: ordered test list, reorder via full-replace (atomic w.r.t. UNIQUE(position) constraint), soft-delete. - REST endpoints on /api/v1/test-templates and /scenario-templates with pydantic schemas + perm gating (test_template.* and scenario_template.*). - /diag/reset truncates the 4 new tables before MITRE (FK ordering). - 19 pytest covering CRUD, MITRE tag merge, soft-delete chaining, perm enforcement, and reorder atomicity. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 19:57:33 +02:00
parent e5f3de8f55
commit b8fd99a5f4
7 changed files with 1600 additions and 0 deletions
--- a/backend/app/api/diag.py
+++ b/backend/app/api/diag.py
@@ -73,6 +73,17 @@ def reset_test_state():
                    "user_groups, settings, groups RESTART IDENTITY CASCADE"
                )
            )
+            # Template catalogue reset (M5). The MITRE truncate below cascades to
+            # the polymorphic tag join, but the template rows themselves must be
+            # wiped first because `scenario_template_tests.test_template_id` is
+            # ON DELETE RESTRICT.
+            conn.execute(
+                text(
+                    "TRUNCATE scenario_template_tests, scenario_templates, "
+                    "test_template_mitre_tags, test_templates "
+                    "RESTART IDENTITY CASCADE"
+                )
+            )
            # MITRE reference reset — kept in sync with `settings` so a freshly
            # reset stack has `GET /mitre/status` and `GET /mitre/tactics` agree
            # ("no data, no last_sync"). The e2e suite re-syncs via /mitre/sync
--- a/backend/app/api/scenario_templates.py
+++ b/backend/app/api/scenario_templates.py
@@ -0,0 +1,208 @@
+"""Scenario-template CRUD + reorder endpoints.
+
+`PUT /<id>/tests` is the reorder/replace endpoint — it takes the full ordered
+list and rewrites the join rows. There's no partial mutation API for the test
+list: the wire contract is simpler and the client (drag-and-drop) already
+holds the full ordering.
+"""
+
+from __future__ import annotations
+
+import logging
+import uuid
+from typing import Any
+
+from flask import Blueprint, jsonify, request
+from pydantic import BaseModel, Field, ValidationError
+
+from app.core.auth_decorators import require_auth, require_perm
+from app.services import scenario_templates as svc
+
+bp = Blueprint("scenario_templates", __name__, url_prefix="/scenario-templates")
+log = logging.getLogger("metamorph.api.scenario_templates")
+
+
+class CreateScenarioPayload(BaseModel):
+    name: str = Field(min_length=1, max_length=255)
+    description: str | None = Field(default=None, max_length=4000)
+    test_template_ids: list[uuid.UUID] = Field(default_factory=list, max_length=512)
+
+    model_config = {"extra": "forbid"}
+
+
+class UpdateScenarioPayload(BaseModel):
+    name: str | None = Field(default=None, min_length=1, max_length=255)
+    description: str | None = Field(default=None, max_length=4000)
+
+    model_config = {"extra": "forbid"}
+
+
+class SetTestsPayload(BaseModel):
+    test_template_ids: list[uuid.UUID] = Field(default_factory=list, max_length=512)
+
+    model_config = {"extra": "forbid"}
+
+
+def _serialize(sc: svc.ScenarioTemplateView) -> dict[str, Any]:
+    return {
+        "id": str(sc.id),
+        "name": sc.name,
+        "description": sc.description,
+        "tests": [
+            {
+                "position": t.position,
+                "test_template_id": str(t.test_template_id),
+                "test_template_name": t.test_template_name,
+                "test_template_deleted": t.test_template_deleted,
+            }
+            for t in sc.tests
+        ],
+        "tests_count": sc.tests_count,
+        "deleted_at": sc.deleted_at.isoformat() if sc.deleted_at else None,
+        "created_at": sc.created_at.isoformat(),
+        "updated_at": sc.updated_at.isoformat(),
+    }
+
+
+def _parse_uuid_or_400(raw: str):
+    try:
+        return uuid.UUID(raw)
+    except ValueError:
+        return None
+
+
+def _pagination_args() -> tuple[int, int] | tuple[None, tuple[int, str]]:
+    try:
+        limit = int(request.args.get("limit", "100"))
+        offset = int(request.args.get("offset", "0"))
+    except ValueError:
+        return None, (400, "invalid_pagination")
+    return max(1, min(limit, 500)), max(0, offset)
+
+
+@bp.get("")
+@require_auth
+@require_perm("scenario_template.read")
+def list_scenario_templates():
+    paging = _pagination_args()
+    if paging[0] is None:
+        return jsonify({"error": paging[1][1]}), paging[1][0]
+    limit, offset = paging
+    q = request.args.get("q") or None
+    include_deleted = request.args.get("include_deleted", "false").lower() == "true"
+    items, total = svc.list_scenario_templates(
+        q=q, include_deleted=include_deleted, limit=limit, offset=offset
+    )
+    return jsonify(
+        {
+            "items": [_serialize(it) for it in items],
+            "total": total,
+            "limit": limit,
+            "offset": offset,
+        }
+    )
+
+
+@bp.get("/<scenario_id>")
+@require_auth
+@require_perm("scenario_template.read")
+def get_scenario_template(scenario_id: str):
+    sid = _parse_uuid_or_400(scenario_id)
+    if sid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    include_deleted = request.args.get("include_deleted", "false").lower() == "true"
+    try:
+        view = svc.get_scenario_template(sid, include_deleted=include_deleted)
+    except svc.ScenarioTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    return jsonify(_serialize(view))
+
+
+@bp.post("")
+@require_auth
+@require_perm("scenario_template.create")
+def create_scenario_template():
+    try:
+        payload = CreateScenarioPayload.model_validate(request.get_json(silent=True) or {})
+    except ValidationError as e:
+        return jsonify({"error": "invalid_request", "details": e.errors()}), 400
+    try:
+        view = svc.create_scenario_template(
+            name=payload.name,
+            description=payload.description,
+            test_template_ids=payload.test_template_ids,
+        )
+    except svc.UnknownTestTemplate as e:
+        return jsonify({"error": "unknown_test_template", "message": str(e)}), 400
+    except ValueError as e:
+        return jsonify({"error": "invalid_request", "message": str(e)}), 400
+    log.info(
+        "metamorph.scenario_template.created",
+        extra={"id": str(view.id), "tests": len(view.tests)},
+    )
+    return jsonify(_serialize(view)), 201
+
+
+@bp.patch("/<scenario_id>")
+@require_auth
+@require_perm("scenario_template.update")
+def update_scenario_template(scenario_id: str):
+    sid = _parse_uuid_or_400(scenario_id)
+    if sid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    raw = request.get_json(silent=True) or {}
+    try:
+        payload = UpdateScenarioPayload.model_validate(raw)
+    except ValidationError as e:
+        return jsonify({"error": "invalid_request", "details": e.errors()}), 400
+    kwargs: dict[str, Any] = {}
+    if "name" in raw:
+        kwargs["name"] = payload.name
+    if "description" in raw:
+        kwargs["description"] = payload.description
+    try:
+        view = svc.update_scenario_template(sid, **kwargs)
+    except svc.ScenarioTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    except ValueError as e:
+        return jsonify({"error": "invalid_request", "message": str(e)}), 400
+    return jsonify(_serialize(view))
+
+
+@bp.put("/<scenario_id>/tests")
+@require_auth
+@require_perm("scenario_template.update")
+def set_scenario_tests(scenario_id: str):
+    sid = _parse_uuid_or_400(scenario_id)
+    if sid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    try:
+        payload = SetTestsPayload.model_validate(request.get_json(silent=True) or {})
+    except ValidationError as e:
+        return jsonify({"error": "invalid_request", "details": e.errors()}), 400
+    try:
+        view = svc.set_scenario_tests(sid, payload.test_template_ids)
+    except svc.ScenarioTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    except svc.UnknownTestTemplate as e:
+        return jsonify({"error": "unknown_test_template", "message": str(e)}), 400
+    log.info(
+        "metamorph.scenario_template.tests_set",
+        extra={"id": str(sid), "tests": len(view.tests)},
+    )
+    return jsonify(_serialize(view))
+
+
+@bp.delete("/<scenario_id>")
+@require_auth
+@require_perm("scenario_template.delete")
+def soft_delete_scenario_template(scenario_id: str):
+    sid = _parse_uuid_or_400(scenario_id)
+    if sid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    try:
+        svc.soft_delete_scenario_template(sid)
+    except svc.ScenarioTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    log.info("metamorph.scenario_template.soft_deleted", extra={"id": str(sid)})
+    return jsonify({"ok": True})
--- a/backend/app/api/test_templates.py
+++ b/backend/app/api/test_templates.py
@@ -0,0 +1,250 @@
+"""Test-template CRUD endpoints.
+
+Reads gated by `test_template.read`. Writes gated by `test_template.{create,
+update,delete}`. Service layer handles all DB work; this module only validates
+the wire payload and shapes the JSON response.
+"""
+
+from __future__ import annotations
+
+import logging
+import uuid
+from typing import Any
+
+from flask import Blueprint, jsonify, request
+from pydantic import BaseModel, Field, ValidationError
+
+from app.core.auth_decorators import require_auth, require_perm
+from app.services import test_templates as svc
+
+bp = Blueprint("test_templates", __name__, url_prefix="/test-templates")
+log = logging.getLogger("metamorph.api.test_templates")
+
+
+# === Payload schemas ==========================================================
+
+
+class MitreTagIn(BaseModel):
+    kind: str = Field(min_length=1)
+    external_id: str = Field(min_length=1, max_length=16)
+
+    model_config = {"extra": "forbid"}
+
+
+class CreateTestTemplatePayload(BaseModel):
+    name: str = Field(min_length=1, max_length=255)
+    description: str | None = Field(default=None, max_length=4000)
+    objective: str | None = Field(default=None, max_length=4000)
+    procedure_md: str | None = Field(default=None, max_length=32_000)
+    prerequisites_md: str | None = Field(default=None, max_length=32_000)
+    expected_result_red_md: str | None = Field(default=None, max_length=32_000)
+    expected_detection_blue_md: str | None = Field(default=None, max_length=32_000)
+    opsec_level: str = Field(default="medium")
+    tags: list[str] = Field(default_factory=list, max_length=64)
+    expected_iocs: list[str] = Field(default_factory=list, max_length=128)
+    mitre_tags: list[MitreTagIn] = Field(default_factory=list, max_length=64)
+
+    model_config = {"extra": "forbid"}
+
+
+class UpdateTestTemplatePayload(BaseModel):
+    name: str | None = Field(default=None, min_length=1, max_length=255)
+    description: str | None = Field(default=None, max_length=4000)
+    objective: str | None = Field(default=None, max_length=4000)
+    procedure_md: str | None = Field(default=None, max_length=32_000)
+    prerequisites_md: str | None = Field(default=None, max_length=32_000)
+    expected_result_red_md: str | None = Field(default=None, max_length=32_000)
+    expected_detection_blue_md: str | None = Field(default=None, max_length=32_000)
+    opsec_level: str | None = None
+    tags: list[str] | None = Field(default=None, max_length=64)
+    expected_iocs: list[str] | None = Field(default=None, max_length=128)
+    mitre_tags: list[MitreTagIn] | None = Field(default=None, max_length=64)
+
+    model_config = {"extra": "forbid"}
+
+
+# === Serializers ==============================================================
+
+
+def _serialize(t: svc.TestTemplateView) -> dict[str, Any]:
+    return {
+        "id": str(t.id),
+        "name": t.name,
+        "description": t.description,
+        "objective": t.objective,
+        "procedure_md": t.procedure_md,
+        "prerequisites_md": t.prerequisites_md,
+        "expected_result_red_md": t.expected_result_red_md,
+        "expected_detection_blue_md": t.expected_detection_blue_md,
+        "opsec_level": t.opsec_level,
+        "tags": list(t.tags),
+        "expected_iocs": list(t.expected_iocs),
+        "mitre_tags": [
+            {"kind": tag.kind, "external_id": tag.external_id, "name": tag.name, "url": tag.url}
+            for tag in t.mitre_tags
+        ],
+        "deleted_at": t.deleted_at.isoformat() if t.deleted_at else None,
+        "created_at": t.created_at.isoformat(),
+        "updated_at": t.updated_at.isoformat(),
+    }
+
+
+def _parse_uuid_or_400(raw: str):
+    try:
+        return uuid.UUID(raw)
+    except ValueError:
+        return None
+
+
+def _pagination_args() -> tuple[int, int] | tuple[None, tuple[int, str]]:
+    try:
+        limit = int(request.args.get("limit", "100"))
+        offset = int(request.args.get("offset", "0"))
+    except ValueError:
+        return None, (400, "invalid_pagination")
+    return max(1, min(limit, 500)), max(0, offset)
+
+
+# === Endpoints ================================================================
+
+
+@bp.get("")
+@require_auth
+@require_perm("test_template.read")
+def list_test_templates():
+    paging = _pagination_args()
+    if paging[0] is None:
+        return jsonify({"error": paging[1][1]}), paging[1][0]
+    limit, offset = paging
+    q = request.args.get("q") or None
+    tactic = request.args.get("tactic") or None
+    technique = request.args.get("technique") or None
+    subtechnique = request.args.get("subtechnique") or None
+    opsec_level = request.args.get("opsec") or None
+    tag = request.args.get("tag") or None
+    include_deleted = request.args.get("include_deleted", "false").lower() == "true"
+    try:
+        items, total = svc.list_test_templates(
+            q=q,
+            tactic=tactic,
+            technique=technique,
+            subtechnique=subtechnique,
+            opsec_level=opsec_level,
+            tag=tag,
+            include_deleted=include_deleted,
+            limit=limit,
+            offset=offset,
+        )
+    except ValueError as e:
+        return jsonify({"error": "invalid_request", "message": str(e)}), 400
+    return jsonify(
+        {
+            "items": [_serialize(it) for it in items],
+            "total": total,
+            "limit": limit,
+            "offset": offset,
+        }
+    )
+
+
+@bp.get("/<template_id>")
+@require_auth
+@require_perm("test_template.read")
+def get_test_template(template_id: str):
+    tid = _parse_uuid_or_400(template_id)
+    if tid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    include_deleted = request.args.get("include_deleted", "false").lower() == "true"
+    try:
+        view = svc.get_test_template(tid, include_deleted=include_deleted)
+    except svc.TestTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    return jsonify(_serialize(view))
+
+
+@bp.post("")
+@require_auth
+@require_perm("test_template.create")
+def create_test_template():
+    try:
+        payload = CreateTestTemplatePayload.model_validate(request.get_json(silent=True) or {})
+    except ValidationError as e:
+        return jsonify({"error": "invalid_request", "details": e.errors()}), 400
+    try:
+        view = svc.create_test_template(
+            name=payload.name,
+            description=payload.description,
+            objective=payload.objective,
+            procedure_md=payload.procedure_md,
+            prerequisites_md=payload.prerequisites_md,
+            expected_result_red_md=payload.expected_result_red_md,
+            expected_detection_blue_md=payload.expected_detection_blue_md,
+            opsec_level=payload.opsec_level,
+            tags=payload.tags,
+            expected_iocs=payload.expected_iocs,
+            mitre_tags=[svc.MitreTagRef(kind=t.kind, external_id=t.external_id) for t in payload.mitre_tags],
+        )
+    except svc.UnknownMitreTag as e:
+        return jsonify({"error": "unknown_mitre_tag", "message": str(e)}), 400
+    except ValueError as e:
+        return jsonify({"error": "invalid_request", "message": str(e)}), 400
+    log.info(
+        "metamorph.test_template.created",
+        extra={"id": str(view.id), "template_name": view.name},
+    )
+    return jsonify(_serialize(view)), 201
+
+
+@bp.put("/<template_id>")
+@require_auth
+@require_perm("test_template.update")
+def update_test_template(template_id: str):
+    tid = _parse_uuid_or_400(template_id)
+    if tid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    raw = request.get_json(silent=True) or {}
+    try:
+        payload = UpdateTestTemplatePayload.model_validate(raw)
+    except ValidationError as e:
+        return jsonify({"error": "invalid_request", "details": e.errors()}), 400
+
+    # Only forward keys actually present in the body — model_validate leaves
+    # missing fields as None and we can't distinguish "explicitly null" from
+    # "omitted". The set of keys in `raw` is the wire-level intent.
+    kwargs: dict[str, Any] = {}
+    for field_name in (
+        "name", "description", "objective", "procedure_md", "prerequisites_md",
+        "expected_result_red_md", "expected_detection_blue_md",
+        "opsec_level", "tags", "expected_iocs",
+    ):
+        if field_name in raw:
+            kwargs[field_name] = getattr(payload, field_name)
+    if "mitre_tags" in raw:
+        kwargs["mitre_tags"] = (
+            [svc.MitreTagRef(kind=t.kind, external_id=t.external_id) for t in (payload.mitre_tags or [])]
+        )
+    try:
+        view = svc.update_test_template(tid, **kwargs)
+    except svc.TestTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    except svc.UnknownMitreTag as e:
+        return jsonify({"error": "unknown_mitre_tag", "message": str(e)}), 400
+    except ValueError as e:
+        return jsonify({"error": "invalid_request", "message": str(e)}), 400
+    log.info("metamorph.test_template.updated", extra={"id": str(tid), "fields": sorted(kwargs.keys())})
+    return jsonify(_serialize(view))
+
+
+@bp.delete("/<template_id>")
+@require_auth
+@require_perm("test_template.delete")
+def soft_delete_test_template(template_id: str):
+    tid = _parse_uuid_or_400(template_id)
+    if tid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    try:
+        svc.soft_delete_test_template(tid)
+    except svc.TestTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    log.info("metamorph.test_template.soft_deleted", extra={"id": str(tid)})
+    return jsonify({"ok": True})
--- a/backend/app/api/v1.py
+++ b/backend/app/api/v1.py
@@ -11,7 +11,9 @@ from app.api.health import bp as health_bp
 from app.api.invitations import bp as invitations_bp
 from app.api.mitre import bp as mitre_bp
 from app.api.permissions import bp as permissions_bp
+from app.api.scenario_templates import bp as scenario_templates_bp
 from app.api.setup import bp as setup_bp
+from app.api.test_templates import bp as test_templates_bp
 from app.api.users import bp as users_bp

 bp = Blueprint("v1", __name__, url_prefix="/api/v1")
@@ -24,3 +26,5 @@ bp.register_blueprint(users_bp)
 bp.register_blueprint(groups_bp)
 bp.register_blueprint(permissions_bp)
 bp.register_blueprint(mitre_bp)
+bp.register_blueprint(test_templates_bp)
+bp.register_blueprint(scenario_templates_bp)