backend/src/mimic/api/engagements.py

"""Engagement CRUD endpoints (flat, sprint 0)."""

from __future__ import annotations

from flask import Blueprint, abort, jsonify
from sqlalchemy import select

from mimic.api._helpers import jsonify_model, parse_body, parse_uuid
from mimic.db.models import Engagement
from mimic.db.types import EngagementStatus
from mimic.extensions import db
from mimic.rbac import Permission, require_perm
from mimic.schemas import EngagementCreate, EngagementRead, EngagementUpdate

bp = Blueprint("engagements", __name__)


@bp.get("")
@require_perm(Permission.ENGAGEMENT_READ)
def list_engagements():
    stmt = select(Engagement).order_by(Engagement.created_at.desc())
    rows = db.session.execute(stmt).scalars().all()
    return jsonify([EngagementRead.model_validate(row).model_dump(mode="json") for row in rows])


@bp.post("")
@require_perm(Permission.ENGAGEMENT_CREATE)
def create_engagement():
    payload = parse_body(EngagementCreate)
    engagement = Engagement(
        client_name=payload.client_name,
        description=payload.description,
        c2_type=payload.c2_type,
        start_date=payload.start_date,
        end_date=payload.end_date,
        status=EngagementStatus.DRAFT,
    )
    db.session.add(engagement)
    db.session.commit()
    return jsonify_model(EngagementRead.model_validate(engagement), status=201)


@bp.get("/<eid>")
@require_perm(Permission.ENGAGEMENT_READ)
def get_engagement(eid: str):
    engagement = db.session.get(Engagement, parse_uuid(eid))
    if engagement is None:
        abort(404)
    return jsonify_model(EngagementRead.model_validate(engagement))


@bp.put("/<eid>")
@require_perm(Permission.ENGAGEMENT_UPDATE)
def update_engagement(eid: str):
    engagement = db.session.get(Engagement, parse_uuid(eid))
    if engagement is None:
        abort(404)
    payload = parse_body(EngagementUpdate)
    for field, value in payload.model_dump(exclude_unset=True).items():
        setattr(engagement, field, value)
    db.session.commit()
    return jsonify_model(EngagementRead.model_validate(engagement))


@bp.delete("/<eid>")
@require_perm(Permission.ENGAGEMENT_DELETE)
def delete_engagement(eid: str):
    engagement = db.session.get(Engagement, parse_uuid(eid))
    if engagement is None:
        abort(404)
    engagement.status = EngagementStatus.ARCHIVED
    db.session.commit()
    return "", 204
feat(backend): add Flask app factory, audit writer, flat CRUD + CLI (B0.7) - Flask app factory wires SQLAlchemy / Migrate / Login / SocketIO and registers every blueprint. /healthz smoke endpoint included. - Pydantic 2 DTOs (request/response) for engagement / host / TTP / scenario aggregates with from_attributes=True conversion. - Flat CRUD blueprints under /api/v1/: * engagements (list / create / get / put / delete-as-archive) * hosts (engagement-scoped CRUD) * library/ttps (CRUD; promote requires the lead-only TTP_PROMOTE) * scenarios + steps (F3 invariant enforced: host.c2_type must match scenario.c2_type at compose time, 400 otherwise). - @require_perm guards every endpoint per the F11 matrix. - audit/ writer is hash-chained from v1 (SHA-256 of canonical record plus previous hash). The SQL-level write-only role enforcement ships in the deploy playbook (idempotent grants run at migration time). - mimic-cli (click): user create (seeds RT operator/lead with group membership), db dump / db restore (manual pg_dump/pg_restore, R-O1). No orchestrator, no WebSocket, no report generation — those land after PR1/PR2/PR3. 2026-05-21 20:33:45 +02:00			`"""Engagement CRUD endpoints (flat, sprint 0)."""`

			`from __future__ import annotations`

			`from flask import Blueprint, abort, jsonify`
			`from sqlalchemy import select`

			`from mimic.api._helpers import jsonify_model, parse_body, parse_uuid`
			`from mimic.db.models import Engagement`
			`from mimic.db.types import EngagementStatus`
			`from mimic.extensions import db`
			`from mimic.rbac import Permission, require_perm`
			`from mimic.schemas import EngagementCreate, EngagementRead, EngagementUpdate`

			`bp = Blueprint("engagements", __name__)`


			`@bp.get("")`
			`@require_perm(Permission.ENGAGEMENT_READ)`
			`def list_engagements():`
			`stmt = select(Engagement).order_by(Engagement.created_at.desc())`
			`rows = db.session.execute(stmt).scalars().all()`
			`return jsonify([EngagementRead.model_validate(row).model_dump(mode="json") for row in rows])`


			`@bp.post("")`
			`@require_perm(Permission.ENGAGEMENT_CREATE)`
			`def create_engagement():`
			`payload = parse_body(EngagementCreate)`
			`engagement = Engagement(`
			`client_name=payload.client_name,`
			`description=payload.description,`
			`c2_type=payload.c2_type,`
			`start_date=payload.start_date,`
			`end_date=payload.end_date,`
			`status=EngagementStatus.DRAFT,`
			`)`
			`db.session.add(engagement)`
			`db.session.commit()`
			`return jsonify_model(EngagementRead.model_validate(engagement), status=201)`


			`@bp.get("/<eid>")`
			`@require_perm(Permission.ENGAGEMENT_READ)`
			`def get_engagement(eid: str):`
			`engagement = db.session.get(Engagement, parse_uuid(eid))`
			`if engagement is None:`
			`abort(404)`
			`return jsonify_model(EngagementRead.model_validate(engagement))`


			`@bp.put("/<eid>")`
			`@require_perm(Permission.ENGAGEMENT_UPDATE)`
			`def update_engagement(eid: str):`
			`engagement = db.session.get(Engagement, parse_uuid(eid))`
			`if engagement is None:`
			`abort(404)`
			`payload = parse_body(EngagementUpdate)`
			`for field, value in payload.model_dump(exclude_unset=True).items():`
			`setattr(engagement, field, value)`
			`db.session.commit()`
			`return jsonify_model(EngagementRead.model_validate(engagement))`


			`@bp.delete("/<eid>")`
			`@require_perm(Permission.ENGAGEMENT_DELETE)`
			`def delete_engagement(eid: str):`
			`engagement = db.session.get(Engagement, parse_uuid(eid))`
			`if engagement is None:`
			`abort(404)`
			`engagement.status = EngagementStatus.ARCHIVED`
			`db.session.commit()`
			`return "", 204`