backend-user-mgmt/backend/tests/unit/test_audit_hash.py

"""Audit log hash-chain helper tests (pure function, no DB)."""

from __future__ import annotations

from datetime import UTC, datetime
from uuid import uuid4

from mimic.audit.log import audit_hash


def test_hash_changes_with_metadata() -> None:
    ts = datetime(2026, 5, 21, 12, 0, tzinfo=UTC)
    actor = uuid4()
    base = {
        "prev_hash": None,
        "ts": ts,
        "actor_id": actor,
        "action": "ttp.create",
        "resource_type": "ttp",
        "resource_id": "t-1",
        "metadata": {"name": "whoami"},
    }
    h1 = audit_hash(**base)
    h2 = audit_hash(**{**base, "metadata": {"name": "whoami2"}})
    assert h1 != h2
    assert len(h1) == 64
    assert all(c in "0123456789abcdef" for c in h1)


def test_hash_changes_with_prev_hash() -> None:
    ts = datetime(2026, 5, 21, 12, 0, tzinfo=UTC)
    h_no_prev = audit_hash(
        prev_hash=None,
        ts=ts,
        actor_id=None,
        action="x",
        resource_type="r",
        resource_id="1",
        metadata={},
    )
    h_with_prev = audit_hash(
        prev_hash="abc",
        ts=ts,
        actor_id=None,
        action="x",
        resource_type="r",
        resource_id="1",
        metadata={},
    )
    assert h_no_prev != h_with_prev


def test_hash_stable_for_same_input() -> None:
    ts = datetime(2026, 5, 21, 12, 0, tzinfo=UTC)
    base = {
        "prev_hash": "aa",
        "ts": ts,
        "actor_id": None,
        "action": "x",
        "resource_type": "r",
        "resource_id": "1",
        "metadata": {"k": "v"},
    }
    assert audit_hash(**base) == audit_hash(**base)
test(backend): add pytest baseline (B0.8) Unit (SQLite, pure logic): - test_templating.py: Jinja2 sandbox, regex_extract, strict-undefined, sandbox blocks attribute-access escape, output blob 10 MB cap. - test_password.py: bcrypt hash + verify, empty / malformed handling. - test_soc_token.py: 256-bit url-safe token + bcrypt verification. - test_rbac_matrix.py: F11 invariants (lead ⊇ operator, SOC restricted to detection + report-read, audit_read & ttp_promote lead-only). - test_connector_factory.py: register / build / double-register-rejected, TaskStatus terminal helper, Mythic mapping vs empty Home mapping. - test_audit_hash.py: SHA-256 chain helper is deterministic and reacts to prev_hash / metadata changes. Integration scaffold (testcontainers Postgres): - tests/integration/conftest.py spins up postgres:16-alpine, monkeypatches MIMIC_DATABASE_URL, creates a Flask app + db.create_all. - test_healthz.py: end-to-end smoke through the Flask test client. 38 unit tests pass; ruff clean. 2026-05-21 20:34:11 +02:00			`"""Audit log hash-chain helper tests (pure function, no DB)."""`

			`from __future__ import annotations`

			`from datetime import UTC, datetime`
			`from uuid import uuid4`

			`from mimic.audit.log import audit_hash`


			`def test_hash_changes_with_metadata() -> None:`
			`ts = datetime(2026, 5, 21, 12, 0, tzinfo=UTC)`
			`actor = uuid4()`
			`base = {`
			`"prev_hash": None,`
			`"ts": ts,`
			`"actor_id": actor,`
			`"action": "ttp.create",`
			`"resource_type": "ttp",`
			`"resource_id": "t-1",`
			`"metadata": {"name": "whoami"},`
			`}`
			`h1 = audit_hash(**base)`
			`h2 = audit_hash({base, "metadata": {"name": "whoami2"}})`
			`assert h1 != h2`
			`assert len(h1) == 64`
			`assert all(c in "0123456789abcdef" for c in h1)`


			`def test_hash_changes_with_prev_hash() -> None:`
			`ts = datetime(2026, 5, 21, 12, 0, tzinfo=UTC)`
			`h_no_prev = audit_hash(`
			`prev_hash=None,`
			`ts=ts,`
			`actor_id=None,`
			`action="x",`
			`resource_type="r",`
			`resource_id="1",`
			`metadata={},`
			`)`
			`h_with_prev = audit_hash(`
			`prev_hash="abc",`
			`ts=ts,`
			`actor_id=None,`
			`action="x",`
			`resource_type="r",`
			`resource_id="1",`
			`metadata={},`
			`)`
			`assert h_no_prev != h_with_prev`


			`def test_hash_stable_for_same_input() -> None:`
			`ts = datetime(2026, 5, 21, 12, 0, tzinfo=UTC)`
			`base = {`
			`"prev_hash": "aa",`
			`"ts": ts,`
			`"actor_id": None,`
			`"action": "x",`
			`"resource_type": "r",`
			`"resource_id": "1",`
			`"metadata": {"k": "v"},`
			`}`
			`assert audit_hash(base) == audit_hash(base)`