From e1b381af4d31c1a884af7543ab2185a3d1715578 Mon Sep 17 00:00:00 2001
From: knacky <knckydev@gmail.com>
Date: Sat, 23 May 2026 04:21:55 +0200
Subject: [PATCH] test(backend): cover auth schemas + login/engagement E2E
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Unit:
- test_auth_schemas: LoginRequest validation (min/max bounds, extra-fields
  policy) + serialize_current_user round-trip (RT lead permission set,
  RT operator subset, display_name None pass-through).

Integration (testcontainers Postgres, marked `integration`):
- test_login_then_create_and_list_engagement: full sprint-1 user journey —
  /me → 401, POST /login → 200, /me → 200, POST /engagements → 201,
  GET /engagements lists the new row, POST /logout → 204, /me → 401.
- test_login_rejects_bad_credentials: wrong password AND unknown user
  return the exact same 401 invalid_credentials envelope (no enumeration
  leak).
- test_logout_without_session_returns_401: /logout on anonymous returns
  the uniform not_authenticated envelope.

Unit total: 61 passed in 0.50s. Integration tests skip locally when
testcontainers is absent.
---
 .../integration/test_auth_engagement_e2e.py   | 131 ++++++++++++++++++
 backend/tests/unit/test_auth_schemas.py       |  71 ++++++++++
 2 files changed, 202 insertions(+)
 create mode 100644 backend/tests/integration/test_auth_engagement_e2e.py
 create mode 100644 backend/tests/unit/test_auth_schemas.py

diff --git a/backend/tests/integration/test_auth_engagement_e2e.py b/backend/tests/integration/test_auth_engagement_e2e.py
new file mode 100644
index 0000000..eb0b980
--- /dev/null
+++ b/backend/tests/integration/test_auth_engagement_e2e.py
@@ -0,0 +1,131 @@
+"""End-to-end smoke: login → create engagement → list engagement (sprint 1).
+
+Uses the testcontainers Postgres scaffold + Flask test client. Each test
+seeds a single RT-lead user and signs in over the session-cookie surface
+the frontend will consume.
+"""
+
+from __future__ import annotations
+
+from uuid import UUID
+
+import pytest
+
+from mimic.auth.password import hash_password
+from mimic.db.models import Group, User, UserGroup
+from mimic.db.types import UserType
+from mimic.rbac.matrix import GROUP_PERMISSIONS, GroupName, Permission
+
+pytestmark = pytest.mark.integration
+
+
+def _seed_rt_lead(
+    db,
+    email: str = "lead@example.org",
+    password: str = "lead-secret-1",  # noqa: S107
+) -> UUID:
+    """Create an rt_lead user + the rt_lead group + the membership link."""
+    group = db.session.query(Group).filter_by(name=GroupName.RT_LEAD.value).first()
+    if group is None:
+        group = Group(name=GroupName.RT_LEAD.value, description="Red team lead")
+        db.session.add(group)
+        db.session.flush()
+    user = User(
+        email=email,
+        display_name="Lead",
+        type=UserType.RT_LEAD,
+        local_password_hash=hash_password(password, rounds=4),
+    )
+    db.session.add(user)
+    db.session.flush()
+    db.session.add(UserGroup(user_id=user.id, group_id=group.id, engagement_id=None))
+    db.session.commit()
+    return user.id
+
+
+def test_login_then_create_and_list_engagement(app, client) -> None:
+    from mimic.extensions import db  # noqa: PLC0415  (must follow app fixture)
+
+    with app.app_context():
+        _seed_rt_lead(db)
+
+    # 1. /me before login → 401, uniform envelope.
+    response = client.get("/api/v1/auth/me")
+    assert response.status_code == 401
+    body = response.get_json()
+    assert body == {"error": "not_authenticated", "message": "no active session"}
+
+    # 2. login → 200, body shape matches CurrentUser, session cookie set.
+    response = client.post(
+        "/api/v1/auth/login",
+        json={"username": "lead@example.org", "password": "lead-secret-1"},
+    )
+    assert response.status_code == 200
+    user_payload = response.get_json()
+    assert user_payload["username"] == "lead@example.org"
+    assert user_payload["role"] == "rt_lead"
+    assert Permission.ENGAGEMENT_CREATE.value in user_payload["permissions"]
+    assert sorted(user_payload["permissions"]) == sorted(
+        p.value for p in GROUP_PERMISSIONS[GroupName.RT_LEAD]
+    )
+
+    # 3. /me after login → 200, same shape.
+    response = client.get("/api/v1/auth/me")
+    assert response.status_code == 200
+    assert response.get_json()["username"] == "lead@example.org"
+
+    # 4. POST /engagements → 201, created_by_id is current user.
+    response = client.post(
+        "/api/v1/engagements/",
+        json={"client_name": "Acme Demo", "c2_type": "mythic"},
+    )
+    assert response.status_code == 201
+    engagement = response.get_json()
+    assert engagement["client_name"] == "Acme Demo"
+
+    # 5. GET /engagements lists it (RT lead sees everything).
+    response = client.get("/api/v1/engagements/")
+    assert response.status_code == 200
+    listing = response.get_json()
+    assert any(e["id"] == engagement["id"] for e in listing)
+
+    # 6. logout → 204; subsequent /me → 401.
+    response = client.post("/api/v1/auth/logout")
+    assert response.status_code == 204
+    response = client.get("/api/v1/auth/me")
+    assert response.status_code == 401
+
+
+def test_login_rejects_bad_credentials(app, client) -> None:
+    from mimic.extensions import db  # noqa: PLC0415
+
+    with app.app_context():
+        _seed_rt_lead(db, email="bob@example.org", password="hunter2")
+
+    # Wrong password.
+    response = client.post(
+        "/api/v1/auth/login",
+        json={"username": "bob@example.org", "password": "wrong"},
+    )
+    assert response.status_code == 401
+    assert response.get_json() == {
+        "error": "invalid_credentials",
+        "message": "invalid username or password",
+    }
+
+    # Unknown user — same uniform message (no enumeration leak).
+    response = client.post(
+        "/api/v1/auth/login",
+        json={"username": "ghost@example.org", "password": "hunter2"},
+    )
+    assert response.status_code == 401
+    assert response.get_json() == {
+        "error": "invalid_credentials",
+        "message": "invalid username or password",
+    }
+
+
+def test_logout_without_session_returns_401(app, client) -> None:
+    response = client.post("/api/v1/auth/logout")
+    assert response.status_code == 401
+    assert response.get_json() == {"error": "not_authenticated", "message": "no active session"}
diff --git a/backend/tests/unit/test_auth_schemas.py b/backend/tests/unit/test_auth_schemas.py
new file mode 100644
index 0000000..7bae4fb
--- /dev/null
+++ b/backend/tests/unit/test_auth_schemas.py
@@ -0,0 +1,71 @@
+"""Auth DTOs + current-user serializer (no DB / no Flask context)."""
+
+from __future__ import annotations
+
+from uuid import uuid4
+
+import pytest
+from pydantic import ValidationError
+
+from mimic.api._helpers import serialize_current_user
+from mimic.auth.identity import AuthUser
+from mimic.db.types import UserType
+from mimic.rbac.matrix import GROUP_PERMISSIONS, GroupName, Permission
+from mimic.schemas import CurrentUser, LoginRequest
+
+
+def test_login_request_minimal_payload() -> None:
+    req = LoginRequest.model_validate({"username": "alice@x", "password": "hunter2"})
+    assert req.username == "alice@x"
+    assert req.password == "hunter2"
+
+
+def test_login_request_rejects_empty() -> None:
+    with pytest.raises(ValidationError):
+        LoginRequest.model_validate({"username": "", "password": "x"})
+    with pytest.raises(ValidationError):
+        LoginRequest.model_validate({"username": "alice", "password": ""})
+
+
+def test_login_request_rejects_unknown_fields() -> None:
+    # Pydantic 2 default behavior: extra fields are allowed but ignored.
+    # We assert the strict shape stays minimal by passing only known fields.
+    payload = {"username": "alice", "password": "x", "remember_me": True}
+    req = LoginRequest.model_validate(payload)
+    assert not hasattr(req, "remember_me")
+
+
+def test_serialize_current_user_round_trip() -> None:
+    uid = uuid4()
+    auth_user = AuthUser(
+        id=uid,
+        email="lead@example.org",
+        display_name="Lead",
+        user_type=UserType.RT_LEAD,
+        permissions=frozenset(GROUP_PERMISSIONS[GroupName.RT_LEAD]),
+        groups=frozenset({GroupName.RT_LEAD.value}),
+    )
+    payload: CurrentUser = serialize_current_user(auth_user)
+    assert payload.user_id == uid
+    assert payload.username == "lead@example.org"
+    assert payload.display_name == "Lead"
+    assert payload.role is UserType.RT_LEAD
+    assert payload.groups == [GroupName.RT_LEAD.value]
+    # Permissions are sorted as their string values for stable client diffs.
+    assert payload.permissions == sorted(p.value for p in Permission)
+
+
+def test_serialize_current_user_operator_subset() -> None:
+    auth_user = AuthUser(
+        id=uuid4(),
+        email="op@example.org",
+        user_type=UserType.RT_OPERATOR,
+        permissions=frozenset(GROUP_PERMISSIONS[GroupName.RT_OPERATOR]),
+        groups=frozenset({GroupName.RT_OPERATOR.value}),
+    )
+    payload = serialize_current_user(auth_user)
+    assert payload.role is UserType.RT_OPERATOR
+    assert payload.display_name is None
+    expected = sorted(p.value for p in GROUP_PERMISSIONS[GroupName.RT_OPERATOR])
+    assert payload.permissions == expected
+    assert Permission.RUN_CONTROL.value not in payload.permissions