test(backend): add pytest baseline (B0.8)

Unit (SQLite, pure logic): - test_templating.py: Jinja2 sandbox, regex_extract, strict-undefined, sandbox blocks attribute-access escape, output blob 10 MB cap. - test_password.py: bcrypt hash + verify, empty / malformed handling. - test_soc_token.py: 256-bit url-safe token + bcrypt verification. - test_rbac_matrix.py: F11 invariants (lead ⊇ operator, SOC restricted to detection + report-read, audit_read & ttp_promote lead-only). - test_connector_factory.py: register / build / double-register-rejected, TaskStatus terminal helper, Mythic mapping vs empty Home mapping. - test_audit_hash.py: SHA-256 chain helper is deterministic and reacts to prev_hash / metadata changes. Integration scaffold (testcontainers Postgres): - tests/integration/conftest.py spins up postgres:16-alpine, monkeypatches MIMIC_DATABASE_URL, creates a Flask app + db.create_all. - test_healthz.py: end-to-end smoke through the Flask test client. 38 unit tests pass; ruff clean.
2026-05-21 20:34:11 +02:00
parent 9fa4d61304
commit 5d9415bb9f
12 changed files with 436 additions and 0 deletions
--- a/backend/tests/unit/test_audit_hash.py
+++ b/backend/tests/unit/test_audit_hash.py
@@ -0,0 +1,64 @@
+"""Audit log hash-chain helper tests (pure function, no DB)."""
+
+from __future__ import annotations
+
+from datetime import UTC, datetime
+from uuid import uuid4
+
+from mimic.audit.log import audit_hash
+
+
+def test_hash_changes_with_metadata() -> None:
+    ts = datetime(2026, 5, 21, 12, 0, tzinfo=UTC)
+    actor = uuid4()
+    base = {
+        "prev_hash": None,
+        "ts": ts,
+        "actor_id": actor,
+        "action": "ttp.create",
+        "resource_type": "ttp",
+        "resource_id": "t-1",
+        "metadata": {"name": "whoami"},
+    }
+    h1 = audit_hash(**base)
+    h2 = audit_hash(**{**base, "metadata": {"name": "whoami2"}})
+    assert h1 != h2
+    assert len(h1) == 64
+    assert all(c in "0123456789abcdef" for c in h1)
+
+
+def test_hash_changes_with_prev_hash() -> None:
+    ts = datetime(2026, 5, 21, 12, 0, tzinfo=UTC)
+    h_no_prev = audit_hash(
+        prev_hash=None,
+        ts=ts,
+        actor_id=None,
+        action="x",
+        resource_type="r",
+        resource_id="1",
+        metadata={},
+    )
+    h_with_prev = audit_hash(
+        prev_hash="abc",
+        ts=ts,
+        actor_id=None,
+        action="x",
+        resource_type="r",
+        resource_id="1",
+        metadata={},
+    )
+    assert h_no_prev != h_with_prev
+
+
+def test_hash_stable_for_same_input() -> None:
+    ts = datetime(2026, 5, 21, 12, 0, tzinfo=UTC)
+    base = {
+        "prev_hash": "aa",
+        "ts": ts,
+        "actor_id": None,
+        "action": "x",
+        "resource_type": "r",
+        "resource_id": "1",
+        "metadata": {"k": "v"},
+    }
+    assert audit_hash(**base) == audit_hash(**base)