backend/tests/integration/conftest.py

"""Integration-level fixtures: testcontainers Postgres + Flask app + db session.

NF-state: SQLite is reserved for pure-logic unit tests; anything touching
constraints, RBAC role grants, or audit-log SQL behavior must run on a real
Postgres via testcontainers (spec H38).
"""

from __future__ import annotations

from collections.abc import Iterator

import pytest

try:
    from testcontainers.postgres import PostgresContainer
except ImportError:  # pragma: no cover
    PostgresContainer = None  # type: ignore[assignment]


@pytest.fixture(scope="session")
def postgres_dsn() -> Iterator[str]:
    if PostgresContainer is None:
        pytest.skip("testcontainers not installed")
    with PostgresContainer("postgres:16-alpine") as pg:
        url = pg.get_connection_url().replace("postgresql+psycopg2", "postgresql+psycopg")
        yield url


@pytest.fixture
def app(postgres_dsn: str, monkeypatch: pytest.MonkeyPatch):
    monkeypatch.setenv("MIMIC_DATABASE_URL", postgres_dsn)
    monkeypatch.setenv("MIMIC_ENV", "testing")
    monkeypatch.setenv("MIMIC_SECRET_KEY", "test-not-real")

    from mimic.app import create_app  # noqa: PLC0415  (must follow env mutation)
    from mimic.extensions import db  # noqa: PLC0415

    application = create_app()
    with application.app_context():
        # TODO (N6 follow-up, sprint 1): run Alembic migrations instead of
        # db.create_all() so the integration tests exercise the real schema
        # including the audit_log role grants and the F11 seed.
        db.create_all()
        yield application
        db.session.remove()
        db.drop_all()


@pytest.fixture
def client(app):
    return app.test_client()
test(backend): add pytest baseline (B0.8) Unit (SQLite, pure logic): - test_templating.py: Jinja2 sandbox, regex_extract, strict-undefined, sandbox blocks attribute-access escape, output blob 10 MB cap. - test_password.py: bcrypt hash + verify, empty / malformed handling. - test_soc_token.py: 256-bit url-safe token + bcrypt verification. - test_rbac_matrix.py: F11 invariants (lead ⊇ operator, SOC restricted to detection + report-read, audit_read & ttp_promote lead-only). - test_connector_factory.py: register / build / double-register-rejected, TaskStatus terminal helper, Mythic mapping vs empty Home mapping. - test_audit_hash.py: SHA-256 chain helper is deterministic and reacts to prev_hash / metadata changes. Integration scaffold (testcontainers Postgres): - tests/integration/conftest.py spins up postgres:16-alpine, monkeypatches MIMIC_DATABASE_URL, creates a Flask app + db.create_all. - test_healthz.py: end-to-end smoke through the Flask test client. 38 unit tests pass; ruff clean. 2026-05-21 20:34:11 +02:00			`"""Integration-level fixtures: testcontainers Postgres + Flask app + db session.`

			`NF-state: SQLite is reserved for pure-logic unit tests; anything touching`
			`constraints, RBAC role grants, or audit-log SQL behavior must run on a real`
			`Postgres via testcontainers (spec H38).`
			`"""`

			`from __future__ import annotations`

			`from collections.abc import Iterator`

			`import pytest`

			`try:`
			`from testcontainers.postgres import PostgresContainer`
			`except ImportError: # pragma: no cover`
			`PostgresContainer = None # type: ignore[assignment]`


			`@pytest.fixture(scope="session")`
			`def postgres_dsn() -> Iterator[str]:`
			`if PostgresContainer is None:`
			`pytest.skip("testcontainers not installed")`
			`with PostgresContainer("postgres:16-alpine") as pg:`
chore(backend): mypy strict clean + ruff format pass Pre-merge sanity per devops checklist (ruff format --check, mypy --strict). Type fixes: - ORM models: `Mapped[dict]` → `Mapped[dict[str, Any]]` (audit, scenario, run, report, ttp, detection.artifact_files_json). Equivalent on Pydantic DTOs (TtpBase.params_schema_json, ScenarioStepBase.params_override_json). - Rename `TtpRead.current_version` → `TtpRead.version` to mirror the ORM column (which itself was renamed in D-009 cleanup). - Flask blueprints: add `-> ResponseReturnValue` to every view, plus typed UUID params on `_validate_step_consistency`. - `templating/filters.py`: rewrite the conditional re2 import so mypy can narrow the union (`ModuleType \| None`); the runtime branch on `_re2 is not None` removes the unused-ignore that was triggered by warn_unused_ignores. - `pyproject.toml`: add `flask_login.` and `pythonjsonlogger.` to the `[[tool.mypy.overrides]]` `ignore_missing_imports` list (both ship without typed marker). - Misc: drop stale `# type: ignore` comments (`app.py:36`, `rbac/decorators.py:35`) flagged by `warn_unused_ignores`. Keep `logging.JsonFormatter` ignore because the symbol exists at runtime but is not re-exported through the typed surface. Formatting: - `ruff format` applied (15 files normalized; line-length unchanged at 100). Verification on this commit: - `ruff check` → All checks passed. - `ruff format --check` → 68 files already formatted. - `mypy --strict src` → Success: no issues found in 54 source files. - `pytest tests/unit` → 49 passed. 2026-05-22 05:10:51 +02:00			`url = pg.get_connection_url().replace("postgresql+psycopg2", "postgresql+psycopg")`
test(backend): add pytest baseline (B0.8) Unit (SQLite, pure logic): - test_templating.py: Jinja2 sandbox, regex_extract, strict-undefined, sandbox blocks attribute-access escape, output blob 10 MB cap. - test_password.py: bcrypt hash + verify, empty / malformed handling. - test_soc_token.py: 256-bit url-safe token + bcrypt verification. - test_rbac_matrix.py: F11 invariants (lead ⊇ operator, SOC restricted to detection + report-read, audit_read & ttp_promote lead-only). - test_connector_factory.py: register / build / double-register-rejected, TaskStatus terminal helper, Mythic mapping vs empty Home mapping. - test_audit_hash.py: SHA-256 chain helper is deterministic and reacts to prev_hash / metadata changes. Integration scaffold (testcontainers Postgres): - tests/integration/conftest.py spins up postgres:16-alpine, monkeypatches MIMIC_DATABASE_URL, creates a Flask app + db.create_all. - test_healthz.py: end-to-end smoke through the Flask test client. 38 unit tests pass; ruff clean. 2026-05-21 20:34:11 +02:00			`yield url`


			`@pytest.fixture`
			`def app(postgres_dsn: str, monkeypatch: pytest.MonkeyPatch):`
			`monkeypatch.setenv("MIMIC_DATABASE_URL", postgres_dsn)`
			`monkeypatch.setenv("MIMIC_ENV", "testing")`
			`monkeypatch.setenv("MIMIC_SECRET_KEY", "test-not-real")`

			`from mimic.app import create_app # noqa: PLC0415 (must follow env mutation)`
			`from mimic.extensions import db # noqa: PLC0415`

			`application = create_app()`
			`with application.app_context():`
docs(backend): track sprint-0 follow-ups + flag integration migration gap - `tasks/todo.md`: B0.5 description updated (re2 hard dep, no fallback); add a "Backend follow-ups (sprint 1+)" section with M1-M7 + N1-N6 from the code-review verdict. - `CHANGELOG.md`: backend skeleton bullets refreshed (no re fallback, streaming blob store, audit + scope on CRUD, 56 unit tests); new "Code-review remediation" subsection lists B1 / MA1-MA6 / N4 / N6 / M8 with one-line rationale each. - `tests/integration/conftest.py`: leave `db.create_all()` in place but add an inline TODO (N6) pointing at the Alembic switchover that will exercise the F11 seed + audit-log role grants in CI. 2026-05-22 05:25:04 +02:00			`# TODO (N6 follow-up, sprint 1): run Alembic migrations instead of`
			`# db.create_all() so the integration tests exercise the real schema`
			`# including the audit_log role grants and the F11 seed.`
test(backend): add pytest baseline (B0.8) Unit (SQLite, pure logic): - test_templating.py: Jinja2 sandbox, regex_extract, strict-undefined, sandbox blocks attribute-access escape, output blob 10 MB cap. - test_password.py: bcrypt hash + verify, empty / malformed handling. - test_soc_token.py: 256-bit url-safe token + bcrypt verification. - test_rbac_matrix.py: F11 invariants (lead ⊇ operator, SOC restricted to detection + report-read, audit_read & ttp_promote lead-only). - test_connector_factory.py: register / build / double-register-rejected, TaskStatus terminal helper, Mythic mapping vs empty Home mapping. - test_audit_hash.py: SHA-256 chain helper is deterministic and reacts to prev_hash / metadata changes. Integration scaffold (testcontainers Postgres): - tests/integration/conftest.py spins up postgres:16-alpine, monkeypatches MIMIC_DATABASE_URL, creates a Flask app + db.create_all. - test_healthz.py: end-to-end smoke through the Flask test client. 38 unit tests pass; ruff clean. 2026-05-21 20:34:11 +02:00			`db.create_all()`
			`yield application`
			`db.session.remove()`
			`db.drop_all()`


			`@pytest.fixture`
			`def client(app):`
			`return app.test_client()`