feat(backend): wire created_by_id, audit log, F11 scope into CRUD (MA4/5/6)

Three follow-ups on the flat CRUD blueprints triggered by code-review + spec-analyst (MA4, MA5, MA6). **MA4 — `created_by_id`** — engagements, TTPs and scenarios now record the creator from `current_user.id` instead of leaving the FK NULL. The new `api._helpers.current_user_id()` exposes the UUID safely (returns None when the request is unauthenticated, e.g. during /healthz). **MA5 — Audit log integration** — `api._helpers.audit_write(...)` wraps the hash-chained `AuditWriter` and is called after every successful commit in the 4 blueprints (engagement / host / ttp / scenario incl. step), recording the actor, action, resource type/id, IP, user agent, and small metadata (field list, names, engagement scope). F13 "Toute mutation tracée" now holds end-to-end. **MA6 — RT operator scope on engagements** — F11 limits RT operators to "engagements assignés". The previous implementation let them list / read every engagement and every nested resource. Fix: `is_rt_lead()` short- circuits the check for RT leads; otherwise a membership probe against `engagement_member` runs on every list/read and on `_engagement_or_404` in `hosts.py` and `scenarios.py`. Listings now `JOIN engagement_member` and filter by `current_user.id`. `audit_write` casts `db.session` (a `scoped_session` proxy) to the unwrapped `sqlalchemy.orm.Session` that `AuditWriter` expects; the two are interchangeable at runtime. The promotion-perm check on TTPs no longer needs a lazy `flask_login` import since the decorator scope already brings `current_user` in.
2026-05-22 05:24:54 +02:00
parent 36c1ed5ffb
commit 3a3e3ff0ec
5 changed files with 237 additions and 23 deletions
--- a/backend/src/mimic/api/hosts.py
+++ b/backend/src/mimic/api/hosts.py
@@ -6,8 +6,15 @@ from flask import Blueprint, abort, jsonify
 from flask.typing import ResponseReturnValue
 from sqlalchemy import select

-from mimic.api._helpers import jsonify_model, parse_body, parse_uuid
-from mimic.db.models import Engagement, Host
+from mimic.api._helpers import (
+    audit_write,
+    current_user_id,
+    is_rt_lead,
+    jsonify_model,
+    parse_body,
+    parse_uuid,
+)
+from mimic.db.models import Engagement, EngagementMember, Host
 from mimic.db.types import HostStatus
 from mimic.extensions import db
 from mimic.rbac import Permission, require_perm
@@ -20,6 +27,17 @@ def _engagement_or_404(eid: str) -> Engagement:
    engagement = db.session.get(Engagement, parse_uuid(eid, field="engagement id"))
    if engagement is None:
        abort(404)
+    # MA6: RT operators may only access engagements they're assigned to.
+    if not is_rt_lead():
+        user_id = current_user_id()
+        if user_id is None:
+            abort(404)
+        stmt = select(EngagementMember).where(
+            EngagementMember.engagement_id == engagement.id,
+            EngagementMember.user_id == user_id,
+        )
+        if db.session.execute(stmt).scalar_one_or_none() is None:
+            abort(404)
    return engagement


@@ -48,6 +66,12 @@ def create_host(eid: str) -> ResponseReturnValue:
    )
    db.session.add(host)
    db.session.commit()
+    audit_write(
+        action="host.create",
+        resource_type="host",
+        resource_id=host.id,
+        metadata={"engagement_id": str(engagement.id), "hostname": host.hostname},
+    )
    return jsonify_model(HostRead.model_validate(host), status=201)


@@ -59,9 +83,16 @@ def update_host(eid: str, hid: str) -> ResponseReturnValue:
    if host is None or host.engagement_id != engagement.id:
        abort(404)
    payload = parse_body(HostUpdate)
-    for field, value in payload.model_dump(exclude_unset=True).items():
+    changes = payload.model_dump(exclude_unset=True)
+    for field, value in changes.items():
        setattr(host, field, value)
    db.session.commit()
+    audit_write(
+        action="host.update",
+        resource_type="host",
+        resource_id=host.id,
+        metadata={"engagement_id": str(engagement.id), "fields": sorted(changes.keys())},
+    )
    return jsonify_model(HostRead.model_validate(host))


@@ -72,6 +103,13 @@ def delete_host(eid: str, hid: str) -> ResponseReturnValue:
    host = db.session.get(Host, parse_uuid(hid, field="host id"))
    if host is None or host.engagement_id != engagement.id:
        abort(404)
+    host_id = host.id
    db.session.delete(host)
    db.session.commit()
+    audit_write(
+        action="host.delete",
+        resource_type="host",
+        resource_id=host_id,
+        metadata={"engagement_id": str(engagement.id)},
+    )
    return "", 204