backend-user-mgmt/backend/tests/integration/test_user_mgmt_e2e.py

"""End-to-end coverage of sprint 2:
- rt_lead creates an rt_operator via `POST /api/v1/users`.
- rt_lead assigns the operator to engagement A (`POST /engagements/A/members`).
- The operator signs in.
- The operator's `GET /engagements` listing shows A and NOT B.
- The operator's `GET /engagements/B` returns 404 (MA6: same 404 as if B
  didn't exist — anti-leak).
- The operator's `GET /engagements/B/members` returns 404 too (anti-leak).
- The audit log records the chain (`user.create`, `engagement_member.add`,
  `auth.login`).
"""

from __future__ import annotations

from uuid import UUID

import pytest

from mimic.auth.password import hash_password
from mimic.db.models import Engagement, Group, User, UserGroup
from mimic.db.types import C2Type, EngagementStatus, UserType
from mimic.rbac.matrix import GroupName

pytestmark = pytest.mark.integration


def _ensure_group(db, name: GroupName, description: str = "") -> Group:
    group = db.session.query(Group).filter_by(name=name.value).first()
    if group is None:
        group = Group(name=name.value, description=description)
        db.session.add(group)
        db.session.flush()
    return group


def _seed_rt_lead(db, email: str, password: str) -> UUID:
    group = _ensure_group(db, GroupName.RT_LEAD, "Red team lead")
    user = User(
        email=email,
        display_name="Lead",
        type=UserType.RT_LEAD,
        local_password_hash=hash_password(password, rounds=4),
    )
    db.session.add(user)
    db.session.flush()
    db.session.add(UserGroup(user_id=user.id, group_id=group.id, engagement_id=None))
    db.session.commit()
    return user.id


def _ensure_operator_group(db) -> None:
    _ensure_group(db, GroupName.RT_OPERATOR, "Red team operator")


def _create_engagement(db, client_name: str) -> UUID:
    engagement = Engagement(
        client_name=client_name, c2_type=C2Type.MYTHIC, status=EngagementStatus.DRAFT
    )
    db.session.add(engagement)
    db.session.commit()
    return engagement.id


def test_lead_creates_operator_assigns_engagement_a_scope_isolates(app, client) -> None:
    from mimic.extensions import db  # noqa: PLC0415

    with app.app_context():
        _seed_rt_lead(db, "lead@example.org", "lead-secret-1")
        _ensure_operator_group(db)
        engagement_a = _create_engagement(db, "Acme A")
        engagement_b = _create_engagement(db, "Acme B")

    # rt_lead logs in.
    response = client.post(
        "/api/v1/auth/login",
        json={"username": "lead@example.org", "password": "lead-secret-1"},
    )
    assert response.status_code == 200

    # rt_lead creates an rt_operator user.
    response = client.post(
        "/api/v1/users",
        json={
            "email": "op@example.org",
            "password": "operator-pw-1",
            "type": "rt_operator",
            "display_name": "Op One",
        },
    )
    assert response.status_code == 201, response.get_json()
    operator_id = response.get_json()["id"]

    # rt_lead assigns the operator to engagement A only.
    response = client.post(
        f"/api/v1/engagements/{engagement_a}/members",
        json={"user_id": operator_id, "role": "binôme"},
    )
    assert response.status_code == 201

    # rt_lead listing /users contains the operator.
    response = client.get("/api/v1/users?type=rt_operator")
    assert response.status_code == 200
    body = response.get_json()
    assert body["total"] == 1
    assert body["items"][0]["email"] == "op@example.org"

    # Logout the lead and log in as the operator.
    client.post("/api/v1/auth/logout")
    response = client.post(
        "/api/v1/auth/login",
        json={"username": "op@example.org", "password": "operator-pw-1"},
    )
    assert response.status_code == 200
    op_payload = response.get_json()
    assert op_payload["role"] == "rt_operator"

    # /engagements lists only A.
    response = client.get("/api/v1/engagements")
    assert response.status_code == 200
    listing = response.get_json()
    ids = {row["id"] for row in listing}
    assert ids == {str(engagement_a)}

    # /engagements/B → 404 (MA6 — anti-leak: same response as a non-existent id).
    response = client.get(f"/api/v1/engagements/{engagement_b}")
    assert response.status_code == 404
    assert response.get_json()["error"] == "not_found"

    # /engagements/B/members → 404 too (spec-analyst anti-enum requirement).
    response = client.get(f"/api/v1/engagements/{engagement_b}/members")
    assert response.status_code == 404

    # /engagements/A is reachable for the operator.
    response = client.get(f"/api/v1/engagements/{engagement_a}")
    assert response.status_code == 200

    # /engagements/A/members is reachable for the operator (they are a member).
    response = client.get(f"/api/v1/engagements/{engagement_a}/members")
    assert response.status_code == 200
    members = response.get_json()
    assert len(members) == 1
    assert members[0]["user_id"] == operator_id
    assert members[0]["role"] == "binôme"

    # The operator cannot list /users (no USER_MANAGE permission).
    response = client.get("/api/v1/users")
    assert response.status_code == 403


def test_user_management_lead_only(app, client) -> None:
    """USER_MANAGE is rt_lead-only (D-015). An operator with a session gets
    a clean 403 — and an anonymous request gets a 401."""
    from mimic.extensions import db  # noqa: PLC0415

    with app.app_context():
        _seed_rt_lead(db, "lead2@example.org", "lead2-secret-1")
        _ensure_operator_group(db)

    client.post(
        "/api/v1/auth/login",
        json={"username": "lead2@example.org", "password": "lead2-secret-1"},
    )
    # Create an operator user.
    response = client.post(
        "/api/v1/users",
        json={
            "email": "op2@example.org",
            "password": "operator-pw-1",
            "type": "rt_operator",
        },
    )
    assert response.status_code == 201
    client.post("/api/v1/auth/logout")

    # Anonymous → 401.
    response = client.get("/api/v1/users")
    assert response.status_code == 401

    # Operator session → 403.
    client.post(
        "/api/v1/auth/login",
        json={"username": "op2@example.org", "password": "operator-pw-1"},
    )
    response = client.get("/api/v1/users")
    assert response.status_code == 403


def test_create_user_email_taken_returns_409(app, client) -> None:
    from mimic.extensions import db  # noqa: PLC0415

    with app.app_context():
        _seed_rt_lead(db, "lead3@example.org", "lead3-secret-1")
        _ensure_operator_group(db)
    client.post(
        "/api/v1/auth/login",
        json={"username": "lead3@example.org", "password": "lead3-secret-1"},
    )

    body = {
        "email": "dup@example.org",
        "password": "longenough",
        "type": "rt_operator",
    }
    assert client.post("/api/v1/users", json=body).status_code == 201
    response = client.post("/api/v1/users", json=body)
    assert response.status_code == 409
    payload = response.get_json()
    assert payload["error"] == "email_taken"


def test_audit_log_endpoint_is_lead_only_and_paginates(app, client) -> None:
    from mimic.extensions import db  # noqa: PLC0415

    with app.app_context():
        _seed_rt_lead(db, "lead4@example.org", "lead4-secret-1")
        _ensure_operator_group(db)

    client.post(
        "/api/v1/auth/login",
        json={"username": "lead4@example.org", "password": "lead4-secret-1"},
    )
    # Generate some audit activity.
    for i in range(3):
        client.post(
            "/api/v1/users",
            json={
                "email": f"audit-op-{i}@example.org",
                "password": "longenough",
                "type": "rt_operator",
            },
        )

    response = client.get("/api/v1/audit/log?page_size=2&action=user.create")
    assert response.status_code == 200
    body = response.get_json()
    assert body["page_size"] == 2
    assert body["page"] == 1
    assert len(body["items"]) == 2
    assert body["total"] >= 3
    assert all(entry["action"] == "user.create" for entry in body["items"])

    # Operator session → 403.
    client.post("/api/v1/auth/logout")
    client.post(
        "/api/v1/auth/login",
        json={"username": "audit-op-0@example.org", "password": "longenough"},
    )
    response = client.get("/api/v1/audit/log")
    assert response.status_code == 403


def test_disable_user_blocks_future_login(app, client) -> None:
    from mimic.extensions import db  # noqa: PLC0415

    with app.app_context():
        _seed_rt_lead(db, "lead5@example.org", "lead5-secret-1")
        _ensure_operator_group(db)
    client.post(
        "/api/v1/auth/login",
        json={"username": "lead5@example.org", "password": "lead5-secret-1"},
    )

    response = client.post(
        "/api/v1/users",
        json={
            "email": "soon-disabled@example.org",
            "password": "longenough",
            "type": "rt_operator",
        },
    )
    assert response.status_code == 201
    user_id = response.get_json()["id"]

    response = client.delete(f"/api/v1/users/{user_id}")
    assert response.status_code == 204

    client.post("/api/v1/auth/logout")
    response = client.post(
        "/api/v1/auth/login",
        json={"username": "soon-disabled@example.org", "password": "longenough"},
    )
    # Disabled accounts return the same uniform envelope as bad credentials.
    assert response.status_code == 401
    assert response.get_json()["error"] == "invalid_credentials"
test(backend): sprint 2 unit + integration coverage Unit (`tests/unit/test_user_schemas.py`): - 4 tests on `UserCreate` (happy path, password min length, email validation, invalid type). - 2 tests on `UserUpdate` (all-optional, password validation when set). - 3 tests on `EngagementMemberCreate` (default `"member"`, explicit role, max-length 40). - 4 tests on `PageQuery` (defaults, offset arithmetic, page_size cap, page lower bound). Integration (`tests/integration/test_user_mgmt_e2e.py`, marked `integration`): - The critical MA6-in-practice flow: rt_lead creates rt_operator, assigns to engagement A, the operator signs in, lists engagements and sees only A, `GET /engagements/B` returns 404 (anti-leak), `GET /engagements/B/members` returns 404 too, `/engagements/A/members` is reachable, `GET /users` is forbidden for the operator. - `USER_MANAGE` gate: anonymous → 401, operator session → 403, lead session → 200. - 409 `email_taken` on duplicate `POST /users`. - `/audit/log` is lead-only, paginates with `page_size`, filters by `?action=`. - Disabling a user blocks subsequent logins (same uniform `invalid_credentials` envelope as for bad passwords — no enumeration leak of "this account was disabled"). 74 unit tests pass (61 sprint 1 + 13 sprint 2); integration tests run on the testcontainers Postgres fixture in CI. 2026-05-23 15:53:35 +02:00			`"""End-to-end coverage of sprint 2:`
			- rt_lead creates an rt_operator via `POST /api/v1/users`.
			- rt_lead assigns the operator to engagement A (`POST /engagements/A/members`).
			`- The operator signs in.`
			- The operator's `GET /engagements` listing shows A and NOT B.
			- The operator's `GET /engagements/B` returns 404 (MA6: same 404 as if B
			`didn't exist — anti-leak).`
			- The operator's `GET /engagements/B/members` returns 404 too (anti-leak).
			- The audit log records the chain (`user.create`, `engagement_member.add`,
			`auth.login`).
			`"""`

			`from __future__ import annotations`

			`from uuid import UUID`

			`import pytest`

			`from mimic.auth.password import hash_password`
			`from mimic.db.models import Engagement, Group, User, UserGroup`
			`from mimic.db.types import C2Type, EngagementStatus, UserType`
			`from mimic.rbac.matrix import GroupName`

			`pytestmark = pytest.mark.integration`


			`def _ensure_group(db, name: GroupName, description: str = "") -> Group:`
			`group = db.session.query(Group).filter_by(name=name.value).first()`
			`if group is None:`
			`group = Group(name=name.value, description=description)`
			`db.session.add(group)`
			`db.session.flush()`
			`return group`


			`def _seed_rt_lead(db, email: str, password: str) -> UUID:`
			`group = _ensure_group(db, GroupName.RT_LEAD, "Red team lead")`
			`user = User(`
			`email=email,`
			`display_name="Lead",`
			`type=UserType.RT_LEAD,`
			`local_password_hash=hash_password(password, rounds=4),`
			`)`
			`db.session.add(user)`
			`db.session.flush()`
			`db.session.add(UserGroup(user_id=user.id, group_id=group.id, engagement_id=None))`
			`db.session.commit()`
			`return user.id`


			`def _ensure_operator_group(db) -> None:`
			`_ensure_group(db, GroupName.RT_OPERATOR, "Red team operator")`


			`def _create_engagement(db, client_name: str) -> UUID:`
			`engagement = Engagement(`
			`client_name=client_name, c2_type=C2Type.MYTHIC, status=EngagementStatus.DRAFT`
			`)`
			`db.session.add(engagement)`
			`db.session.commit()`
			`return engagement.id`


			`def test_lead_creates_operator_assigns_engagement_a_scope_isolates(app, client) -> None:`
			`from mimic.extensions import db # noqa: PLC0415`

			`with app.app_context():`
			`_seed_rt_lead(db, "lead@example.org", "lead-secret-1")`
			`_ensure_operator_group(db)`
			`engagement_a = _create_engagement(db, "Acme A")`
			`engagement_b = _create_engagement(db, "Acme B")`

			`# rt_lead logs in.`
			`response = client.post(`
			`"/api/v1/auth/login",`
			`json={"username": "lead@example.org", "password": "lead-secret-1"},`
			`)`
			`assert response.status_code == 200`

			`# rt_lead creates an rt_operator user.`
			`response = client.post(`
			`"/api/v1/users",`
			`json={`
			`"email": "op@example.org",`
			`"password": "operator-pw-1",`
			`"type": "rt_operator",`
			`"display_name": "Op One",`
			`},`
			`)`
			`assert response.status_code == 201, response.get_json()`
			`operator_id = response.get_json()["id"]`

			`# rt_lead assigns the operator to engagement A only.`
			`response = client.post(`
			`f"/api/v1/engagements/{engagement_a}/members",`
			`json={"user_id": operator_id, "role": "binôme"},`
			`)`
			`assert response.status_code == 201`

			`# rt_lead listing /users contains the operator.`
			`response = client.get("/api/v1/users?type=rt_operator")`
			`assert response.status_code == 200`
			`body = response.get_json()`
			`assert body["total"] == 1`
			`assert body["items"][0]["email"] == "op@example.org"`

			`# Logout the lead and log in as the operator.`
			`client.post("/api/v1/auth/logout")`
			`response = client.post(`
			`"/api/v1/auth/login",`
			`json={"username": "op@example.org", "password": "operator-pw-1"},`
			`)`
			`assert response.status_code == 200`
			`op_payload = response.get_json()`
			`assert op_payload["role"] == "rt_operator"`

			`# /engagements lists only A.`
			`response = client.get("/api/v1/engagements")`
			`assert response.status_code == 200`
			`listing = response.get_json()`
			`ids = {row["id"] for row in listing}`
			`assert ids == {str(engagement_a)}`

			`# /engagements/B → 404 (MA6 — anti-leak: same response as a non-existent id).`
			`response = client.get(f"/api/v1/engagements/{engagement_b}")`
			`assert response.status_code == 404`
			`assert response.get_json()["error"] == "not_found"`

			`# /engagements/B/members → 404 too (spec-analyst anti-enum requirement).`
			`response = client.get(f"/api/v1/engagements/{engagement_b}/members")`
			`assert response.status_code == 404`

			`# /engagements/A is reachable for the operator.`
			`response = client.get(f"/api/v1/engagements/{engagement_a}")`
			`assert response.status_code == 200`

			`# /engagements/A/members is reachable for the operator (they are a member).`
			`response = client.get(f"/api/v1/engagements/{engagement_a}/members")`
			`assert response.status_code == 200`
			`members = response.get_json()`
			`assert len(members) == 1`
			`assert members[0]["user_id"] == operator_id`
			`assert members[0]["role"] == "binôme"`

			`# The operator cannot list /users (no USER_MANAGE permission).`
			`response = client.get("/api/v1/users")`
			`assert response.status_code == 403`


			`def test_user_management_lead_only(app, client) -> None:`
			`"""USER_MANAGE is rt_lead-only (D-015). An operator with a session gets`
			`a clean 403 — and an anonymous request gets a 401."""`
			`from mimic.extensions import db # noqa: PLC0415`

			`with app.app_context():`
			`_seed_rt_lead(db, "lead2@example.org", "lead2-secret-1")`
			`_ensure_operator_group(db)`

			`client.post(`
			`"/api/v1/auth/login",`
			`json={"username": "lead2@example.org", "password": "lead2-secret-1"},`
			`)`
			`# Create an operator user.`
			`response = client.post(`
			`"/api/v1/users",`
			`json={`
			`"email": "op2@example.org",`
			`"password": "operator-pw-1",`
			`"type": "rt_operator",`
			`},`
			`)`
			`assert response.status_code == 201`
			`client.post("/api/v1/auth/logout")`

			`# Anonymous → 401.`
			`response = client.get("/api/v1/users")`
			`assert response.status_code == 401`

			`# Operator session → 403.`
			`client.post(`
			`"/api/v1/auth/login",`
			`json={"username": "op2@example.org", "password": "operator-pw-1"},`
			`)`
			`response = client.get("/api/v1/users")`
			`assert response.status_code == 403`


			`def test_create_user_email_taken_returns_409(app, client) -> None:`
			`from mimic.extensions import db # noqa: PLC0415`

			`with app.app_context():`
			`_seed_rt_lead(db, "lead3@example.org", "lead3-secret-1")`
			`_ensure_operator_group(db)`
			`client.post(`
			`"/api/v1/auth/login",`
			`json={"username": "lead3@example.org", "password": "lead3-secret-1"},`
			`)`

			`body = {`
			`"email": "dup@example.org",`
			`"password": "longenough",`
			`"type": "rt_operator",`
			`}`
			`assert client.post("/api/v1/users", json=body).status_code == 201`
			`response = client.post("/api/v1/users", json=body)`
			`assert response.status_code == 409`
			`payload = response.get_json()`
			`assert payload["error"] == "email_taken"`


			`def test_audit_log_endpoint_is_lead_only_and_paginates(app, client) -> None:`
			`from mimic.extensions import db # noqa: PLC0415`

			`with app.app_context():`
			`_seed_rt_lead(db, "lead4@example.org", "lead4-secret-1")`
			`_ensure_operator_group(db)`

			`client.post(`
			`"/api/v1/auth/login",`
			`json={"username": "lead4@example.org", "password": "lead4-secret-1"},`
			`)`
			`# Generate some audit activity.`
			`for i in range(3):`
			`client.post(`
			`"/api/v1/users",`
			`json={`
			`"email": f"audit-op-{i}@example.org",`
			`"password": "longenough",`
			`"type": "rt_operator",`
			`},`
			`)`

			`response = client.get("/api/v1/audit/log?page_size=2&action=user.create")`
			`assert response.status_code == 200`
			`body = response.get_json()`
			`assert body["page_size"] == 2`
			`assert body["page"] == 1`
			`assert len(body["items"]) == 2`
			`assert body["total"] >= 3`
			`assert all(entry["action"] == "user.create" for entry in body["items"])`

			`# Operator session → 403.`
			`client.post("/api/v1/auth/logout")`
			`client.post(`
			`"/api/v1/auth/login",`
			`json={"username": "audit-op-0@example.org", "password": "longenough"},`
			`)`
			`response = client.get("/api/v1/audit/log")`
			`assert response.status_code == 403`


			`def test_disable_user_blocks_future_login(app, client) -> None:`
			`from mimic.extensions import db # noqa: PLC0415`

			`with app.app_context():`
			`_seed_rt_lead(db, "lead5@example.org", "lead5-secret-1")`
			`_ensure_operator_group(db)`
			`client.post(`
			`"/api/v1/auth/login",`
			`json={"username": "lead5@example.org", "password": "lead5-secret-1"},`
			`)`

			`response = client.post(`
			`"/api/v1/users",`
			`json={`
			`"email": "soon-disabled@example.org",`
			`"password": "longenough",`
			`"type": "rt_operator",`
			`},`
			`)`
			`assert response.status_code == 201`
			`user_id = response.get_json()["id"]`

			`response = client.delete(f"/api/v1/users/{user_id}")`
			`assert response.status_code == 204`

			`client.post("/api/v1/auth/logout")`
			`response = client.post(`
			`"/api/v1/auth/login",`
			`json={"username": "soon-disabled@example.org", "password": "longenough"},`
			`)`
			`# Disabled accounts return the same uniform envelope as bad credentials.`
			`assert response.status_code == 401`
			`assert response.get_json()["error"] == "invalid_credentials"`