knacky/mimic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
mimic/e2e/fixtures/api.ts

172 lines
5.4 KiB
TypeScript
Raw Permalink Normal View History

feat: sprint 1 — auth + CRUD engagements Ship the first feature end-to-end on the UI: users log in with JWT, admins manage user accounts, and any authenticated user (per RBAC) can create, list, view, edit, and delete engagements. Backend (Flask + SQLAlchemy + SQLite, 63 pytest) - User / Engagement models, Alembic 0001 initial schema - argon2 password hashing, JWT bearer (60-min TTL), @login_required and @role_required decorators - 13 API endpoints under /api/*, including last-admin protection on DELETE/PATCH user and JSON 404 on unknown /api/* paths - `flask create-admin` CLI with duplicate / short-password handling Frontend (React + Vite + Tailwind + TanStack Query, 20 vitest) - Inter font bundled locally (no CDN), DESIGN.md tokens in Tailwind - LoginPage / EngagementsList / EngagementForm / EngagementDetail / UsersAdmin pages with role-aware UI - Layout, ProtectedRoute, StatusBadge, FormField, LoadingState, ErrorState, EmptyState, Toast + provider - Axios client: Bearer interceptor, 401 → purge + /login + "Session expirée" toast, 403 → "Accès refusé" toast (declarative <Navigate> for already-authed users, Fragment-keyed admin user rows) Deployment - Single multistage Dockerfile (node:20-alpine → python:3.12-slim) - docker/entrypoint.sh runs `flask db upgrade` before `flask run` - Makefile: build/start/stop/restart/update/logs/create-admin/ update-mitre/test-{backend,frontend,e2e}/clean - .env.example documenting MIMIC_JWT_SECRET / MIMIC_DB_PATH / MIMIC_PORT - SQLite at /data/mimic.sqlite on named volume mimic-data Acceptance suite (Playwright, 36 tests, all 27 ACs) - e2e/ scaffold with playwright.config + auth/api fixtures - One spec per user story (us1-bootstrap through us6-deployment) - Portable via MIMIC_CONTAINER_CMD / MIMIC_BASE_URL (docker or podman) Docs - README.md with quick-start and architecture overview - CHANGELOG.md updated with Sprint 1 deliverables - pyrightconfig.json so the Python LSP sees backend/.venv and resolves the `backend.app.*` absolute imports Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 09:37:53 +02:00
/**
* Thin axios client used by tests to seed/teardown users and engagements
* without going through the UI. The bootstrap admin is created out-of-band
* (via `make create-admin`) and logs in once to provision per-suite users.
*/
import axios, { AxiosInstance, isAxiosError } from 'axios';
export interface User {
id: number;
username: string;
role: 'admin' | 'redteam' | 'soc';
created_at: string | null;
}
export interface Engagement {
id: number;
name: string;
description: string | null;
start_date: string;
end_date: string | null;
status: 'planned' | 'active' | 'closed';
created_at: string | null;
created_by: { id: number; username: string } | null;
}
export type Role = User['role'];
const BASE_URL = process.env.MIMIC_BASE_URL ?? 'http://localhost:5000';
const BOOTSTRAP_ADMIN_USER = process.env.MIMIC_BOOTSTRAP_USER ?? 'root';
const BOOTSTRAP_ADMIN_PASS = process.env.MIMIC_BOOTSTRAP_PASS ?? 'rootpass8';
export function makeClient(token?: string): AxiosInstance {
return axios.create({
baseURL: `${BASE_URL}/api`,
headers: token ? { Authorization: `Bearer ${token}` } : undefined,
validateStatus: () => true, // tests assert on status themselves
});
}
export async function login(
username: string,
password: string,
): Promise<{ token: string; user: User }> {
const client = makeClient();
const r = await client.post('/auth/login', { username, password });
if (r.status !== 200) {
throw new Error(`login(${username}) failed: ${r.status} ${JSON.stringify(r.data)}`);
}
return { token: r.data.access_token as string, user: r.data.user as User };
}
export async function adminToken(): Promise<string> {
const { token } = await login(BOOTSTRAP_ADMIN_USER, BOOTSTRAP_ADMIN_PASS);
return token;
}
/**
* Idempotent helper: ensures a user with the given username/role exists and
* has the requested password. Returns the user record.
*
* Strategy:
* - try login: if it succeeds, we're done.
* - else: as admin, list users; if username found, PATCH password+role; else POST.
*/
export async function ensureUser(
username: string,
password: string,
role: Role,
): Promise<User> {
try {
const { user } = await login(username, password);
if (user.role !== role) {
const admin = await adminToken();
const client = makeClient(admin);
const r = await client.patch(`/users/${user.id}`, { role });
if (r.status !== 200) throw new Error(`patch role: ${r.status}`);
return r.data as User;
}
return user;
} catch {
// fall through to admin path
}
const admin = await adminToken();
const client = makeClient(admin);
const list = await client.get('/users');
if (list.status !== 200) {
throw new Error(`list users failed: ${list.status} ${JSON.stringify(list.data)}`);
}
const existing = (list.data as User[]).find((u) => u.username === username);
if (existing) {
const r = await client.patch(`/users/${existing.id}`, { password, role });
if (r.status !== 200) {
throw new Error(`patch user failed: ${r.status} ${JSON.stringify(r.data)}`);
}
return r.data as User;
}
const r = await client.post('/users', { username, password, role });
if (r.status !== 201) {
throw new Error(`create user failed: ${r.status} ${JSON.stringify(r.data)}`);
}
return r.data as User;
}
export async function deleteUserByUsername(token: string, username: string): Promise<void> {
const client = makeClient(token);
const list = await client.get('/users');
if (list.status !== 200) return;
const u = (list.data as User[]).find((x) => x.username === username);
if (!u) return;
await client.delete(`/users/${u.id}`);
}
export async function createEngagement(
token: string,
payload: Partial<Pick<Engagement, 'name' | 'description' | 'start_date' | 'end_date' | 'status'>>,
): Promise<Engagement> {
const client = makeClient(token);
const body = {
name: payload.name ?? 'Test Engagement',
description: payload.description,
start_date: payload.start_date ?? '2026-01-01',
end_date: payload.end_date,
status: payload.status ?? 'planned',
};
const r = await client.post('/engagements', body);
if (r.status !== 201) {
throw new Error(`create engagement failed: ${r.status} ${JSON.stringify(r.data)}`);
}
return r.data as Engagement;
}
export async function deleteEngagement(token: string, id: number): Promise<void> {
const client = makeClient(token);
await client.delete(`/engagements/${id}`);
}
export async function listEngagements(token: string): Promise<Engagement[]> {
const client = makeClient(token);
const r = await client.get('/engagements');
if (r.status !== 200) {
throw new Error(`list engagements failed: ${r.status}`);
}
return r.data as Engagement[];
}
export async function deleteAllEngagements(token: string): Promise<void> {
const items = await listEngagements(token);
await Promise.all(items.map((e) => deleteEngagement(token, e.id)));
}
export async function waitForHealth(timeoutMs = 30_000): Promise<void> {
const deadline = Date.now() + timeoutMs;
const client = makeClient();
let lastErr: unknown = null;
while (Date.now() < deadline) {
try {
const r = await client.get('/health');
if (r.status === 200) return;
} catch (e) {
lastErr = e;
}
await new Promise((r) => setTimeout(r, 500));
}
throw new Error(
`backend not healthy after ${timeoutMs}ms: ${
isAxiosError(lastErr) ? lastErr.message : String(lastErr)
}`,
);
}
export const BASE = BASE_URL;
Reference in New Issue Copy Permalink