backend/app/__init__.py

"""Flask application factory."""
from __future__ import annotations

import os
from pathlib import Path

from flask import Flask, jsonify, send_from_directory

from backend.app.api import auth_bp, c2_bp, engagements_bp, simulations_bp, templates_bp, users_bp
from backend.app.cli import register_cli
from backend.app.config import Config, TestConfig
from backend.app.errors import register_error_handlers
from backend.app.extensions import db, migrate


def create_app(config_object: object | None = None) -> Flask:
    """Application factory.

    `config_object` is an *instance* (not a class) of Config or a subclass.
    If None, picks TestConfig when MIMIC_TESTING=1, otherwise Config.
    """
    static_folder = str(Path(__file__).parent / "static")
    app = Flask(__name__, static_folder=static_folder, static_url_path="/static")

    if config_object is None:
        config_object = TestConfig() if os.environ.get("MIMIC_TESTING") == "1" else Config()
    app.config.from_object(config_object)

    db.init_app(app)
    migrations_dir = str(Path(__file__).parent.parent / "migrations")
    migrate.init_app(app, db, directory=migrations_dir)

    # Ensure models are imported so Alembic/metadata see them.
    from backend.app import models  # noqa: F401

    app.register_blueprint(auth_bp)
    app.register_blueprint(users_bp)
    app.register_blueprint(engagements_bp)
    app.register_blueprint(simulations_bp)
    app.register_blueprint(templates_bp)
    app.register_blueprint(c2_bp)

    from backend.app.services import mitre as mitre_svc
    mitre_svc.load_bundle()

    register_error_handlers(app)
    register_cli(app)

    static_root = Path(static_folder)

    @app.get("/api/health")
    def health():
        return {"status": "ok"}, 200

    # Serve the built frontend (Vite output copied into app/static at image build time).
    @app.get("/")
    def index():
        index_path = static_root / "index.html"
        if index_path.exists():
            return send_from_directory(static_folder, "index.html")
        return {"status": "ok", "message": "Mimic API running. Frontend not built."}, 200

    @app.get("/<path:path>")
    def spa_fallback(path: str):
        # Unknown /api/* paths must stay JSON 404 — never shadowed by index.html.
        if path.startswith("api/"):
            return jsonify({"error": "Not found"}), 404
        # Serve static assets if present; otherwise hand back index.html for client routing.
        candidate = static_root / path
        if candidate.is_file():
            return send_from_directory(static_folder, path)
        index_path = static_root / "index.html"
        if index_path.exists():
            return send_from_directory(static_folder, "index.html")
        return jsonify({"error": "Not found"}), 404

    return app
feat: sprint 1 — auth + CRUD engagements Ship the first feature end-to-end on the UI: users log in with JWT, admins manage user accounts, and any authenticated user (per RBAC) can create, list, view, edit, and delete engagements. Backend (Flask + SQLAlchemy + SQLite, 63 pytest) - User / Engagement models, Alembic 0001 initial schema - argon2 password hashing, JWT bearer (60-min TTL), @login_required and @role_required decorators - 13 API endpoints under /api/, including last-admin protection on DELETE/PATCH user and JSON 404 on unknown /api/ paths - `flask create-admin` CLI with duplicate / short-password handling Frontend (React + Vite + Tailwind + TanStack Query, 20 vitest) - Inter font bundled locally (no CDN), DESIGN.md tokens in Tailwind - LoginPage / EngagementsList / EngagementForm / EngagementDetail / UsersAdmin pages with role-aware UI - Layout, ProtectedRoute, StatusBadge, FormField, LoadingState, ErrorState, EmptyState, Toast + provider - Axios client: Bearer interceptor, 401 → purge + /login + "Session expirée" toast, 403 → "Accès refusé" toast (declarative <Navigate> for already-authed users, Fragment-keyed admin user rows) Deployment - Single multistage Dockerfile (node:20-alpine → python:3.12-slim) - docker/entrypoint.sh runs `flask db upgrade` before `flask run` - Makefile: build/start/stop/restart/update/logs/create-admin/ update-mitre/test-{backend,frontend,e2e}/clean - .env.example documenting MIMIC_JWT_SECRET / MIMIC_DB_PATH / MIMIC_PORT - SQLite at /data/mimic.sqlite on named volume mimic-data Acceptance suite (Playwright, 36 tests, all 27 ACs) - e2e/ scaffold with playwright.config + auth/api fixtures - One spec per user story (us1-bootstrap through us6-deployment) - Portable via MIMIC_CONTAINER_CMD / MIMIC_BASE_URL (docker or podman) Docs - README.md with quick-start and architecture overview - CHANGELOG.md updated with Sprint 1 deliverables - pyrightconfig.json so the Python LSP sees backend/.venv and resolves the `backend.app.*` absolute imports Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-26 09:37:53 +02:00			`"""Flask application factory."""`
			`from __future__ import annotations`

			`import os`
			`from pathlib import Path`

			`from flask import Flask, jsonify, send_from_directory`

feat(backend): c2 crypto + config CRUD + adapter scaffolding (sprint 8 M1) - Add Fernet crypto service (MIMIC_ENCRYPTION_KEY env, C2Disabled on absent key) - Add Alembic migration 0006: c2_config + c2_task tables with cascade FKs - Add C2Config and C2Task SQLAlchemy models - Add C2Adapter ABC with dataclasses (C2Health, C2Callback, C2TaskStatus, C2TaskPage) - Add FakeAdapter (deterministic in-memory, MIMIC_C2_ADAPTER=fake) - Add MythicAdapter scaffold: test_connection() live, M2+ raise NotImplementedError - Add decode_response_text() helper for base64/binary Mythic responses - Add GET/PUT/DELETE/POST-test /api/engagements/<id>/c2-config endpoints - RBAC: admin+redteam OK, SOC 403; 503 guard when encryption key absent - Token never returned in API responses; stored Fernet-encrypted only - 42 new tests (300 total, 258 baseline preserved green) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-10 19:20:52 +02:00			`from backend.app.api import auth_bp, c2_bp, engagements_bp, simulations_bp, templates_bp, users_bp`
feat: sprint 1 — auth + CRUD engagements Ship the first feature end-to-end on the UI: users log in with JWT, admins manage user accounts, and any authenticated user (per RBAC) can create, list, view, edit, and delete engagements. Backend (Flask + SQLAlchemy + SQLite, 63 pytest) - User / Engagement models, Alembic 0001 initial schema - argon2 password hashing, JWT bearer (60-min TTL), @login_required and @role_required decorators - 13 API endpoints under /api/, including last-admin protection on DELETE/PATCH user and JSON 404 on unknown /api/ paths - `flask create-admin` CLI with duplicate / short-password handling Frontend (React + Vite + Tailwind + TanStack Query, 20 vitest) - Inter font bundled locally (no CDN), DESIGN.md tokens in Tailwind - LoginPage / EngagementsList / EngagementForm / EngagementDetail / UsersAdmin pages with role-aware UI - Layout, ProtectedRoute, StatusBadge, FormField, LoadingState, ErrorState, EmptyState, Toast + provider - Axios client: Bearer interceptor, 401 → purge + /login + "Session expirée" toast, 403 → "Accès refusé" toast (declarative <Navigate> for already-authed users, Fragment-keyed admin user rows) Deployment - Single multistage Dockerfile (node:20-alpine → python:3.12-slim) - docker/entrypoint.sh runs `flask db upgrade` before `flask run` - Makefile: build/start/stop/restart/update/logs/create-admin/ update-mitre/test-{backend,frontend,e2e}/clean - .env.example documenting MIMIC_JWT_SECRET / MIMIC_DB_PATH / MIMIC_PORT - SQLite at /data/mimic.sqlite on named volume mimic-data Acceptance suite (Playwright, 36 tests, all 27 ACs) - e2e/ scaffold with playwright.config + auth/api fixtures - One spec per user story (us1-bootstrap through us6-deployment) - Portable via MIMIC_CONTAINER_CMD / MIMIC_BASE_URL (docker or podman) Docs - README.md with quick-start and architecture overview - CHANGELOG.md updated with Sprint 1 deliverables - pyrightconfig.json so the Python LSP sees backend/.venv and resolves the `backend.app.*` absolute imports Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-26 09:37:53 +02:00			`from backend.app.cli import register_cli`
			`from backend.app.config import Config, TestConfig`
			`from backend.app.errors import register_error_handlers`
			`from backend.app.extensions import db, migrate`


			`def create_app(config_object: object \| None = None) -> Flask:`
			`"""Application factory.`

			`config_object` is an instance (not a class) of Config or a subclass.
			`If None, picks TestConfig when MIMIC_TESTING=1, otherwise Config.`
			`"""`
			`static_folder = str(Path(__file__).parent / "static")`
			`app = Flask(__name__, static_folder=static_folder, static_url_path="/static")`

			`if config_object is None:`
			`config_object = TestConfig() if os.environ.get("MIMIC_TESTING") == "1" else Config()`
			`app.config.from_object(config_object)`

			`db.init_app(app)`
			`migrations_dir = str(Path(__file__).parent.parent / "migrations")`
			`migrate.init_app(app, db, directory=migrations_dir)`

			`# Ensure models are imported so Alembic/metadata see them.`
			`from backend.app import models # noqa: F401`

			`app.register_blueprint(auth_bp)`
			`app.register_blueprint(users_bp)`
			`app.register_blueprint(engagements_bp)`
feat(backend): sprint 2 — simulations + MITRE ATT&CK - Simulation model with full field set (redteam + SOC sides) and cascade delete - Alembic migration 0002 for simulations table - simulation_workflow service: PATCH RBAC field-level + auto-transition pending→in_progress + state machine - mitre service: STIX bundle loader (boot-safe) + ranked search (exact-id > prefix-id > name) - 7 new API endpoints: list/create/get/patch/delete simulations, transition, MITRE autocomplete - serialize_simulation added to serializers.py - Makefile update-mitre target with real curl + optional docker restart - Dockerfile updated to copy backend/data/ into image - MITRE enterprise-attack.json bundle committed (~45 MB) - 67 new tests (total 130 passing), ruff clean, mypy introduces no new errors Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-26 10:59:14 +02:00			`app.register_blueprint(simulations_bp)`
feat(backend): sprint 5 — SimulationTemplate CRUD + instantiation - SimulationTemplate model + migration 0005 (CREATE TABLE + name index) - 5 CRUD endpoints under /api/templates (admin\|redteam only, SOC 403) - POST /api/engagements/<eid>/simulations extended with optional template_id - serialize_template() reusing _enrich_techniques/_enrich_tactics helpers - IntegrityError → 409 for duplicate name on both POST and PATCH - 28 new tests (CRUD, RBAC, dedup, instantiation, migration round-trip) - 221 tests pass; ruff clean; mypy clean Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-28 06:25:19 +02:00			`app.register_blueprint(templates_bp)`
feat(backend): c2 crypto + config CRUD + adapter scaffolding (sprint 8 M1) - Add Fernet crypto service (MIMIC_ENCRYPTION_KEY env, C2Disabled on absent key) - Add Alembic migration 0006: c2_config + c2_task tables with cascade FKs - Add C2Config and C2Task SQLAlchemy models - Add C2Adapter ABC with dataclasses (C2Health, C2Callback, C2TaskStatus, C2TaskPage) - Add FakeAdapter (deterministic in-memory, MIMIC_C2_ADAPTER=fake) - Add MythicAdapter scaffold: test_connection() live, M2+ raise NotImplementedError - Add decode_response_text() helper for base64/binary Mythic responses - Add GET/PUT/DELETE/POST-test /api/engagements/<id>/c2-config endpoints - RBAC: admin+redteam OK, SOC 403; 503 guard when encryption key absent - Token never returned in API responses; stored Fernet-encrypted only - 42 new tests (300 total, 258 baseline preserved green) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-10 19:20:52 +02:00			`app.register_blueprint(c2_bp)`
feat(backend): sprint 2 — simulations + MITRE ATT&CK - Simulation model with full field set (redteam + SOC sides) and cascade delete - Alembic migration 0002 for simulations table - simulation_workflow service: PATCH RBAC field-level + auto-transition pending→in_progress + state machine - mitre service: STIX bundle loader (boot-safe) + ranked search (exact-id > prefix-id > name) - 7 new API endpoints: list/create/get/patch/delete simulations, transition, MITRE autocomplete - serialize_simulation added to serializers.py - Makefile update-mitre target with real curl + optional docker restart - Dockerfile updated to copy backend/data/ into image - MITRE enterprise-attack.json bundle committed (~45 MB) - 67 new tests (total 130 passing), ruff clean, mypy introduces no new errors Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-26 10:59:14 +02:00
			`from backend.app.services import mitre as mitre_svc`
			`mitre_svc.load_bundle()`
feat: sprint 1 — auth + CRUD engagements Ship the first feature end-to-end on the UI: users log in with JWT, admins manage user accounts, and any authenticated user (per RBAC) can create, list, view, edit, and delete engagements. Backend (Flask + SQLAlchemy + SQLite, 63 pytest) - User / Engagement models, Alembic 0001 initial schema - argon2 password hashing, JWT bearer (60-min TTL), @login_required and @role_required decorators - 13 API endpoints under /api/, including last-admin protection on DELETE/PATCH user and JSON 404 on unknown /api/ paths - `flask create-admin` CLI with duplicate / short-password handling Frontend (React + Vite + Tailwind + TanStack Query, 20 vitest) - Inter font bundled locally (no CDN), DESIGN.md tokens in Tailwind - LoginPage / EngagementsList / EngagementForm / EngagementDetail / UsersAdmin pages with role-aware UI - Layout, ProtectedRoute, StatusBadge, FormField, LoadingState, ErrorState, EmptyState, Toast + provider - Axios client: Bearer interceptor, 401 → purge + /login + "Session expirée" toast, 403 → "Accès refusé" toast (declarative <Navigate> for already-authed users, Fragment-keyed admin user rows) Deployment - Single multistage Dockerfile (node:20-alpine → python:3.12-slim) - docker/entrypoint.sh runs `flask db upgrade` before `flask run` - Makefile: build/start/stop/restart/update/logs/create-admin/ update-mitre/test-{backend,frontend,e2e}/clean - .env.example documenting MIMIC_JWT_SECRET / MIMIC_DB_PATH / MIMIC_PORT - SQLite at /data/mimic.sqlite on named volume mimic-data Acceptance suite (Playwright, 36 tests, all 27 ACs) - e2e/ scaffold with playwright.config + auth/api fixtures - One spec per user story (us1-bootstrap through us6-deployment) - Portable via MIMIC_CONTAINER_CMD / MIMIC_BASE_URL (docker or podman) Docs - README.md with quick-start and architecture overview - CHANGELOG.md updated with Sprint 1 deliverables - pyrightconfig.json so the Python LSP sees backend/.venv and resolves the `backend.app.*` absolute imports Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-26 09:37:53 +02:00
			`register_error_handlers(app)`
			`register_cli(app)`

			`static_root = Path(static_folder)`

			`@app.get("/api/health")`
			`def health():`
			`return {"status": "ok"}, 200`

			`# Serve the built frontend (Vite output copied into app/static at image build time).`
			`@app.get("/")`
			`def index():`
			`index_path = static_root / "index.html"`
			`if index_path.exists():`
			`return send_from_directory(static_folder, "index.html")`
			`return {"status": "ok", "message": "Mimic API running. Frontend not built."}, 200`

			`@app.get("/<path:path>")`
			`def spa_fallback(path: str):`
			`# Unknown /api/* paths must stay JSON 404 — never shadowed by index.html.`
			`if path.startswith("api/"):`
			`return jsonify({"error": "Not found"}), 404`
			`# Serve static assets if present; otherwise hand back index.html for client routing.`
			`candidate = static_root / path`
			`if candidate.is_file():`
			`return send_from_directory(static_folder, path)`
			`index_path = static_root / "index.html"`
			`if index_path.exists():`
			`return send_from_directory(static_folder, "index.html")`
			`return jsonify({"error": "Not found"}), 404`

			`return app`