feat: sprint 1 — auth + CRUD engagements

Ship the first feature end-to-end on the UI: users log in with JWT, admins manage user accounts, and any authenticated user (per RBAC) can create, list, view, edit, and delete engagements. Backend (Flask + SQLAlchemy + SQLite, 63 pytest) - User / Engagement models, Alembic 0001 initial schema - argon2 password hashing, JWT bearer (60-min TTL), @login_required and @role_required decorators - 13 API endpoints under /api/*, including last-admin protection on DELETE/PATCH user and JSON 404 on unknown /api/* paths - `flask create-admin` CLI with duplicate / short-password handling Frontend (React + Vite + Tailwind + TanStack Query, 20 vitest) - Inter font bundled locally (no CDN), DESIGN.md tokens in Tailwind - LoginPage / EngagementsList / EngagementForm / EngagementDetail / UsersAdmin pages with role-aware UI - Layout, ProtectedRoute, StatusBadge, FormField, LoadingState, ErrorState, EmptyState, Toast + provider - Axios client: Bearer interceptor, 401 → purge + /login + "Session expirée" toast, 403 → "Accès refusé" toast (declarative <Navigate> for already-authed users, Fragment-keyed admin user rows) Deployment - Single multistage Dockerfile (node:20-alpine → python:3.12-slim) - docker/entrypoint.sh runs `flask db upgrade` before `flask run` - Makefile: build/start/stop/restart/update/logs/create-admin/ update-mitre/test-{backend,frontend,e2e}/clean - .env.example documenting MIMIC_JWT_SECRET / MIMIC_DB_PATH / MIMIC_PORT - SQLite at /data/mimic.sqlite on named volume mimic-data Acceptance suite (Playwright, 36 tests, all 27 ACs) - e2e/ scaffold with playwright.config + auth/api fixtures - One spec per user story (us1-bootstrap through us6-deployment) - Portable via MIMIC_CONTAINER_CMD / MIMIC_BASE_URL (docker or podman) Docs - README.md with quick-start and architecture overview - CHANGELOG.md updated with Sprint 1 deliverables - pyrightconfig.json so the Python LSP sees backend/.venv and resolves the `backend.app.*` absolute imports Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 09:37:53 +02:00
parent be266d4879
commit 5104f7c429
95 changed files with 13801 additions and 5 deletions
--- a/backend/tests/init.py
+++ b/backend/tests/init.py
--- a/backend/tests/conftest.py
+++ b/backend/tests/conftest.py
@@ -0,0 +1,92 @@
+"""Shared pytest fixtures."""
+from __future__ import annotations
+
+from collections.abc import Generator
+
+import pytest
+from flask import Flask
+from flask.testing import FlaskClient
+
+from backend.app import create_app
+from backend.app.auth import hash_password
+from backend.app.config import TestConfig
+from backend.app.extensions import db
+from backend.app.models import User, UserRole
+
+
+@pytest.fixture()
+def app() -> Generator[Flask, None, None]:
+    application = create_app(TestConfig())
+    with application.app_context():
+        db.create_all()
+        yield application
+        db.session.remove()
+        db.drop_all()
+
+
+@pytest.fixture()
+def client(app: Flask) -> FlaskClient:
+    return app.test_client()
+
+
+@pytest.fixture()
+def admin_user(app: Flask) -> User:
+    user = User(
+        username="admin1",
+        password_hash=hash_password("adminpass1"),
+        role=UserRole.ADMIN,
+    )
+    db.session.add(user)
+    db.session.commit()
+    return user
+
+
+@pytest.fixture()
+def redteam_user(app: Flask) -> User:
+    user = User(
+        username="redteam1",
+        password_hash=hash_password("redteampass1"),
+        role=UserRole.REDTEAM,
+    )
+    db.session.add(user)
+    db.session.commit()
+    return user
+
+
+@pytest.fixture()
+def soc_user(app: Flask) -> User:
+    user = User(
+        username="soc1",
+        password_hash=hash_password("socpass1"),
+        role=UserRole.SOC,
+    )
+    db.session.add(user)
+    db.session.commit()
+    return user
+
+
+def _login(client: FlaskClient, username: str, password: str) -> str:
+    resp = client.post(
+        "/api/auth/login", json={"username": username, "password": password}
+    )
+    assert resp.status_code == 200, resp.get_json()
+    return resp.get_json()["access_token"]
+
+
+@pytest.fixture()
+def admin_token(client: FlaskClient, admin_user: User) -> str:
+    return _login(client, "admin1", "adminpass1")
+
+
+@pytest.fixture()
+def redteam_token(client: FlaskClient, redteam_user: User) -> str:
+    return _login(client, "redteam1", "redteampass1")
+
+
+@pytest.fixture()
+def soc_token(client: FlaskClient, soc_user: User) -> str:
+    return _login(client, "soc1", "socpass1")
+
+
+def auth_headers(token: str) -> dict[str, str]:
+    return {"Authorization": f"Bearer {token}"}
--- a/backend/tests/test_app.py
+++ b/backend/tests/test_app.py
@@ -0,0 +1,41 @@
+"""App-level tests: SPA fallback, health, error shapes."""
+from __future__ import annotations
+
+from flask.testing import FlaskClient
+
+
+def test_health_endpoint(client: FlaskClient) -> None:
+    resp = client.get("/api/health")
+    assert resp.status_code == 200
+    assert resp.get_json() == {"status": "ok"}
+
+
+def test_unknown_api_path_returns_json_404(client: FlaskClient) -> None:
+    """SPA fallback must not shadow unknown /api/* routes with index.html."""
+    resp = client.get("/api/nonexistent")
+    assert resp.status_code == 404
+    assert resp.is_json, f"expected JSON, got Content-Type={resp.content_type}"
+    assert resp.get_json() == {"error": "Not found"}
+
+
+def test_unknown_nested_api_path_returns_json_404(client: FlaskClient) -> None:
+    resp = client.get("/api/foo/bar/baz")
+    assert resp.status_code == 404
+    assert resp.is_json
+    assert resp.get_json() == {"error": "Not found"}
+
+
+def test_wrong_method_on_api_returns_json(client: FlaskClient) -> None:
+    # PUT is not defined on /api/auth/login — should stay JSON, not HTML.
+    resp = client.put("/api/auth/login")
+    assert resp.status_code in (404, 405)
+    assert resp.is_json
+
+
+def test_index_without_built_frontend_returns_json(client: FlaskClient) -> None:
+    resp = client.get("/")
+    assert resp.status_code == 200
+    # Tests run with no built frontend → factory falls back to a JSON status payload.
+    assert resp.is_json
+    body = resp.get_json()
+    assert body["status"] == "ok"
--- a/backend/tests/test_auth.py
+++ b/backend/tests/test_auth.py
@@ -0,0 +1,93 @@
+"""Auth endpoint tests."""
+from __future__ import annotations
+
+from datetime import UTC, datetime, timedelta
+
+import jwt
+from flask import Flask
+from flask.testing import FlaskClient
+
+from backend.app.models import User
+
+
+def test_login_success(client: FlaskClient, admin_user: User) -> None:
+    resp = client.post(
+        "/api/auth/login", json={"username": "admin1", "password": "adminpass1"}
+    )
+    assert resp.status_code == 200
+    body = resp.get_json()
+    assert "access_token" in body and body["access_token"]
+    assert body["user"] == {"id": admin_user.id, "username": "admin1", "role": "admin"}
+
+
+def test_login_wrong_password(client: FlaskClient, admin_user: User) -> None:
+    resp = client.post(
+        "/api/auth/login", json={"username": "admin1", "password": "wrong"}
+    )
+    assert resp.status_code == 401
+    assert resp.get_json() == {"error": "Invalid credentials"}
+
+
+def test_login_unknown_user(client: FlaskClient) -> None:
+    resp = client.post(
+        "/api/auth/login", json={"username": "ghost", "password": "anything!!"}
+    )
+    assert resp.status_code == 401
+    # Generic message — must not leak whether username exists.
+    assert resp.get_json() == {"error": "Invalid credentials"}
+
+
+def test_login_missing_fields(client: FlaskClient) -> None:
+    resp = client.post("/api/auth/login", json={})
+    assert resp.status_code == 401
+
+
+def test_me_requires_token(client: FlaskClient) -> None:
+    resp = client.get("/api/auth/me")
+    assert resp.status_code == 401
+
+
+def test_me_returns_current_user(
+    client: FlaskClient, admin_user: User, admin_token: str
+) -> None:
+    resp = client.get("/api/auth/me", headers={"Authorization": f"Bearer {admin_token}"})
+    assert resp.status_code == 200
+    body = resp.get_json()
+    assert body["username"] == "admin1"
+    assert body["role"] == "admin"
+    assert "password_hash" not in body
+
+
+def test_me_with_invalid_token(client: FlaskClient) -> None:
+    resp = client.get("/api/auth/me", headers={"Authorization": "Bearer not.a.jwt"})
+    assert resp.status_code == 401
+
+
+def test_me_with_expired_token(
+    app: Flask, client: FlaskClient, admin_user: User
+) -> None:
+    now = datetime.now(UTC) - timedelta(minutes=120)
+    payload = {
+        "sub": str(admin_user.id),
+        "role": "admin",
+        "iat": int(now.timestamp()),
+        "exp": int((now + timedelta(minutes=1)).timestamp()),
+    }
+    token = jwt.encode(
+        payload, app.config["JWT_SECRET"], algorithm=app.config["JWT_ALGORITHM"]
+    )
+    resp = client.get("/api/auth/me", headers={"Authorization": f"Bearer {token}"})
+    assert resp.status_code == 401
+    assert resp.get_json() == {"error": "Token expired"}
+
+
+def test_logout_ok_with_token(client: FlaskClient, admin_token: str) -> None:
+    resp = client.post(
+        "/api/auth/logout", headers={"Authorization": f"Bearer {admin_token}"}
+    )
+    assert resp.status_code == 200
+
+
+def test_logout_without_token_is_401(client: FlaskClient) -> None:
+    resp = client.post("/api/auth/logout")
+    assert resp.status_code == 401
--- a/backend/tests/test_cli_create_admin.py
+++ b/backend/tests/test_cli_create_admin.py
@@ -0,0 +1,47 @@
+"""CLI tests for `flask create-admin`."""
+from __future__ import annotations
+
+from flask import Flask
+
+from backend.app.auth import hash_password
+from backend.app.extensions import db
+from backend.app.models import User, UserRole
+
+
+def test_create_admin_success(app: Flask) -> None:
+    runner = app.test_cli_runner()
+    result = runner.invoke(args=["create-admin", "alice", "p4ssw0rd"])
+    assert result.exit_code == 0, result.output
+    assert "created" in result.output.lower()
+    user = User.query.filter_by(username="alice").first()
+    assert user is not None
+    assert user.role == UserRole.ADMIN
+
+
+def test_create_admin_duplicate_username(app: Flask) -> None:
+    existing = User(
+        username="bob", password_hash=hash_password("originalpw"), role=UserRole.ADMIN
+    )
+    db.session.add(existing)
+    db.session.commit()
+
+    runner = app.test_cli_runner()
+    result = runner.invoke(args=["create-admin", "bob", "anotherpw1"])
+    assert result.exit_code != 0
+    assert "exists" in (result.output + (result.stderr_bytes.decode() if result.stderr_bytes else "")).lower()
+
+
+def test_create_admin_short_password(app: Flask) -> None:
+    runner = app.test_cli_runner()
+    result = runner.invoke(args=["create-admin", "charlie", "abc"])
+    assert result.exit_code != 0
+    combined = (result.output + (result.stderr_bytes.decode() if result.stderr_bytes else "")).lower()
+    assert "8 characters" in combined
+    assert User.query.filter_by(username="charlie").first() is None
+
+
+def test_create_admin_missing_args(app: Flask) -> None:
+    runner = app.test_cli_runner()
+    result = runner.invoke(args=["create-admin"])
+    # Click's UsageError exits with code 2
+    assert result.exit_code != 0
--- a/backend/tests/test_engagements.py
+++ b/backend/tests/test_engagements.py
@@ -0,0 +1,281 @@
+"""Engagement endpoint tests."""
+from __future__ import annotations
+
+from flask.testing import FlaskClient
+
+from backend.app.models import User
+from backend.tests.conftest import auth_headers as _h
+
+
+def _create(
+    client: FlaskClient, token: str, **overrides: object
+) -> dict[str, object]:
+    payload: dict[str, object] = {
+        "name": "Op Alpha",
+        "description": "first engagement",
+        "start_date": "2026-06-01",
+        "end_date": "2026-06-10",
+        "status": "planned",
+    }
+    payload.update(overrides)
+    resp = client.post("/api/engagements", headers=_h(token), json=payload)
+    assert resp.status_code == 201, resp.get_json()
+    return resp.get_json()
+
+
+def test_create_engagement_as_redteam(
+    client: FlaskClient, redteam_user: User, redteam_token: str
+) -> None:
+    body = _create(client, redteam_token)
+    assert body["name"] == "Op Alpha"
+    assert body["status"] == "planned"
+    assert body["created_by"] == {"id": redteam_user.id, "username": "redteam1"}
+
+
+def test_create_engagement_as_admin(
+    client: FlaskClient, admin_user: User, admin_token: str
+) -> None:
+    body = _create(client, admin_token, name="Op Admin")
+    assert body["created_by"]["username"] == "admin1"
+
+
+def test_create_engagement_soc_forbidden(
+    client: FlaskClient, soc_token: str
+) -> None:
+    resp = client.post(
+        "/api/engagements",
+        headers=_h(soc_token),
+        json={"name": "x", "start_date": "2026-06-01"},
+    )
+    assert resp.status_code == 403
+
+
+def test_create_engagement_unauth(client: FlaskClient) -> None:
+    resp = client.post(
+        "/api/engagements", json={"name": "x", "start_date": "2026-06-01"}
+    )
+    assert resp.status_code == 401
+
+
+def test_create_engagement_missing_name(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    resp = client.post(
+        "/api/engagements",
+        headers=_h(redteam_token),
+        json={"start_date": "2026-06-01"},
+    )
+    assert resp.status_code == 400
+
+
+def test_create_engagement_bad_date(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    resp = client.post(
+        "/api/engagements",
+        headers=_h(redteam_token),
+        json={"name": "bad", "start_date": "not-a-date"},
+    )
+    assert resp.status_code == 400
+
+
+def test_create_engagement_end_before_start(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    resp = client.post(
+        "/api/engagements",
+        headers=_h(redteam_token),
+        json={
+            "name": "bad",
+            "start_date": "2026-06-10",
+            "end_date": "2026-06-01",
+        },
+    )
+    assert resp.status_code == 400
+
+
+def test_create_engagement_bad_status(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    resp = client.post(
+        "/api/engagements",
+        headers=_h(redteam_token),
+        json={"name": "bad", "start_date": "2026-06-01", "status": "wat"},
+    )
+    assert resp.status_code == 400
+
+
+def test_create_engagement_default_status_planned(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    resp = client.post(
+        "/api/engagements",
+        headers=_h(redteam_token),
+        json={"name": "Op default", "start_date": "2026-06-01"},
+    )
+    assert resp.status_code == 201
+    assert resp.get_json()["status"] == "planned"
+
+
+def test_list_engagements_all_roles_can_read(
+    client: FlaskClient,
+    redteam_token: str,
+    soc_token: str,
+    admin_token: str,
+) -> None:
+    _create(client, redteam_token)
+    for token in (redteam_token, soc_token, admin_token):
+        resp = client.get("/api/engagements", headers=_h(token))
+        assert resp.status_code == 200
+        body = resp.get_json()
+        assert isinstance(body, list)
+        assert len(body) >= 1
+        assert body[0]["created_by"] == {
+            "id": body[0]["created_by"]["id"],
+            "username": body[0]["created_by"]["username"],
+        }
+
+
+def test_get_engagement_404(client: FlaskClient, redteam_token: str) -> None:
+    resp = client.get("/api/engagements/9999", headers=_h(redteam_token))
+    assert resp.status_code == 404
+
+
+def test_get_engagement_ok(client: FlaskClient, redteam_token: str) -> None:
+    created = _create(client, redteam_token)
+    resp = client.get(
+        f"/api/engagements/{created['id']}", headers=_h(redteam_token)
+    )
+    assert resp.status_code == 200
+    assert resp.get_json()["id"] == created["id"]
+
+
+def test_patch_engagement_redteam(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    created = _create(client, redteam_token)
+    resp = client.patch(
+        f"/api/engagements/{created['id']}",
+        headers=_h(redteam_token),
+        json={"status": "active", "description": "now in progress"},
+    )
+    assert resp.status_code == 200
+    body = resp.get_json()
+    assert body["status"] == "active"
+    assert body["description"] == "now in progress"
+
+
+def test_patch_engagement_admin(
+    client: FlaskClient, redteam_token: str, admin_token: str
+) -> None:
+    created = _create(client, redteam_token)
+    resp = client.patch(
+        f"/api/engagements/{created['id']}",
+        headers=_h(admin_token),
+        json={"name": "Op renamed"},
+    )
+    assert resp.status_code == 200
+    assert resp.get_json()["name"] == "Op renamed"
+
+
+def test_patch_engagement_bad_status(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    created = _create(client, redteam_token)
+    resp = client.patch(
+        f"/api/engagements/{created['id']}",
+        headers=_h(redteam_token),
+        json={"status": "wat"},
+    )
+    assert resp.status_code == 400
+
+
+def test_patch_engagement_soc_forbidden(
+    client: FlaskClient, redteam_token: str, soc_token: str
+) -> None:
+    created = _create(client, redteam_token)
+    resp = client.patch(
+        f"/api/engagements/{created['id']}",
+        headers=_h(soc_token),
+        json={"status": "closed"},
+    )
+    assert resp.status_code == 403
+
+
+def test_patch_engagement_end_before_start(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    created = _create(client, redteam_token, start_date="2026-06-01")
+    resp = client.patch(
+        f"/api/engagements/{created['id']}",
+        headers=_h(redteam_token),
+        json={"end_date": "2026-05-30"},
+    )
+    assert resp.status_code == 400
+
+
+def test_patch_engagement_clear_end_date(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    created = _create(client, redteam_token, end_date="2026-06-30")
+    resp = client.patch(
+        f"/api/engagements/{created['id']}",
+        headers=_h(redteam_token),
+        json={"end_date": None},
+    )
+    assert resp.status_code == 200
+    assert resp.get_json()["end_date"] is None
+
+
+def test_patch_engagement_empty_name_rejected(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    created = _create(client, redteam_token)
+    resp = client.patch(
+        f"/api/engagements/{created['id']}",
+        headers=_h(redteam_token),
+        json={"name": "   "},
+    )
+    assert resp.status_code == 400
+
+
+def test_patch_engagement_404(client: FlaskClient, redteam_token: str) -> None:
+    resp = client.patch(
+        "/api/engagements/9999", headers=_h(redteam_token), json={"name": "x"}
+    )
+    assert resp.status_code == 404
+
+
+def test_delete_engagement_redteam(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    created = _create(client, redteam_token)
+    resp = client.delete(
+        f"/api/engagements/{created['id']}", headers=_h(redteam_token)
+    )
+    assert resp.status_code == 204
+
+
+def test_delete_engagement_admin(
+    client: FlaskClient, redteam_token: str, admin_token: str
+) -> None:
+    created = _create(client, redteam_token)
+    resp = client.delete(
+        f"/api/engagements/{created['id']}", headers=_h(admin_token)
+    )
+    assert resp.status_code == 204
+
+
+def test_delete_engagement_soc_forbidden(
+    client: FlaskClient, redteam_token: str, soc_token: str
+) -> None:
+    created = _create(client, redteam_token)
+    resp = client.delete(
+        f"/api/engagements/{created['id']}", headers=_h(soc_token)
+    )
+    assert resp.status_code == 403
+
+
+def test_delete_engagement_404(client: FlaskClient, redteam_token: str) -> None:
+    resp = client.delete("/api/engagements/9999", headers=_h(redteam_token))
+    assert resp.status_code == 404
--- a/backend/tests/test_users.py
+++ b/backend/tests/test_users.py
@@ -0,0 +1,201 @@
+"""User management endpoint tests."""
+from __future__ import annotations
+
+from flask.testing import FlaskClient
+
+from backend.app.auth import hash_password
+from backend.app.extensions import db
+from backend.app.models import User, UserRole
+from backend.tests.conftest import auth_headers as _h
+
+
+def test_list_users_admin_only(
+    client: FlaskClient, admin_user: User, admin_token: str
+) -> None:
+    resp = client.get("/api/users", headers=_h(admin_token))
+    assert resp.status_code == 200
+    body = resp.get_json()
+    assert isinstance(body, list)
+    assert any(u["username"] == "admin1" for u in body)
+    assert all("password_hash" not in u for u in body)
+
+
+def test_list_users_forbidden_for_redteam(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    resp = client.get("/api/users", headers=_h(redteam_token))
+    assert resp.status_code == 403
+
+
+def test_list_users_forbidden_for_soc(client: FlaskClient, soc_token: str) -> None:
+    resp = client.get("/api/users", headers=_h(soc_token))
+    assert resp.status_code == 403
+
+
+def test_list_users_unauth(client: FlaskClient) -> None:
+    resp = client.get("/api/users")
+    assert resp.status_code == 401
+
+
+def test_create_user_success(client: FlaskClient, admin_token: str) -> None:
+    resp = client.post(
+        "/api/users",
+        headers=_h(admin_token),
+        json={"username": "newbie", "password": "longenough1", "role": "redteam"},
+    )
+    assert resp.status_code == 201
+    body = resp.get_json()
+    assert body["username"] == "newbie"
+    assert body["role"] == "redteam"
+    assert "password_hash" not in body
+
+
+def test_create_user_duplicate_username(
+    client: FlaskClient, admin_user: User, admin_token: str
+) -> None:
+    resp = client.post(
+        "/api/users",
+        headers=_h(admin_token),
+        json={"username": "admin1", "password": "longenough1", "role": "redteam"},
+    )
+    assert resp.status_code == 400
+    assert "exists" in resp.get_json()["error"]
+
+
+def test_create_user_short_password(client: FlaskClient, admin_token: str) -> None:
+    resp = client.post(
+        "/api/users",
+        headers=_h(admin_token),
+        json={"username": "short", "password": "abc", "role": "soc"},
+    )
+    assert resp.status_code == 400
+    assert "8 characters" in resp.get_json()["error"]
+
+
+def test_create_user_invalid_role(client: FlaskClient, admin_token: str) -> None:
+    resp = client.post(
+        "/api/users",
+        headers=_h(admin_token),
+        json={"username": "x", "password": "longenough1", "role": "godmode"},
+    )
+    assert resp.status_code == 400
+
+
+def test_create_user_forbidden_for_non_admin(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    resp = client.post(
+        "/api/users",
+        headers=_h(redteam_token),
+        json={"username": "x", "password": "longenough1", "role": "soc"},
+    )
+    assert resp.status_code == 403
+
+
+def test_patch_user_change_role(
+    client: FlaskClient, admin_token: str, soc_user: User
+) -> None:
+    resp = client.patch(
+        f"/api/users/{soc_user.id}",
+        headers=_h(admin_token),
+        json={"role": "redteam"},
+    )
+    assert resp.status_code == 200
+    assert resp.get_json()["role"] == "redteam"
+
+
+def test_patch_user_change_password(
+    client: FlaskClient, admin_token: str, soc_user: User
+) -> None:
+    resp = client.patch(
+        f"/api/users/{soc_user.id}",
+        headers=_h(admin_token),
+        json={"password": "anotherone1"},
+    )
+    assert resp.status_code == 200
+    # New password should now allow login.
+    login = client.post(
+        "/api/auth/login", json={"username": "soc1", "password": "anotherone1"}
+    )
+    assert login.status_code == 200
+
+
+def test_patch_user_short_password(
+    client: FlaskClient, admin_token: str, soc_user: User
+) -> None:
+    resp = client.patch(
+        f"/api/users/{soc_user.id}",
+        headers=_h(admin_token),
+        json={"password": "no"},
+    )
+    assert resp.status_code == 400
+
+
+def test_patch_user_404(client: FlaskClient, admin_token: str) -> None:
+    resp = client.patch(
+        "/api/users/9999", headers=_h(admin_token), json={"role": "soc"}
+    )
+    assert resp.status_code == 404
+
+
+def test_patch_user_forbidden_for_redteam(
+    client: FlaskClient, redteam_token: str, soc_user: User
+) -> None:
+    resp = client.patch(
+        f"/api/users/{soc_user.id}", headers=_h(redteam_token), json={"role": "admin"}
+    )
+    assert resp.status_code == 403
+
+
+def test_delete_user_success(
+    client: FlaskClient, admin_token: str, soc_user: User
+) -> None:
+    resp = client.delete(f"/api/users/{soc_user.id}", headers=_h(admin_token))
+    assert resp.status_code == 204
+
+
+def test_delete_last_admin_blocked(
+    client: FlaskClient, admin_user: User, admin_token: str
+) -> None:
+    resp = client.delete(f"/api/users/{admin_user.id}", headers=_h(admin_token))
+    assert resp.status_code == 409
+    assert "last admin" in resp.get_json()["error"]
+
+
+def test_delete_admin_when_other_admin_exists(
+    client: FlaskClient, admin_user: User, admin_token: str
+) -> None:
+    other = User(
+        username="admin2",
+        password_hash=hash_password("adminpass2"),
+        role=UserRole.ADMIN,
+    )
+    db.session.add(other)
+    db.session.commit()
+    other_id = other.id
+
+    resp = client.delete(f"/api/users/{other_id}", headers=_h(admin_token))
+    assert resp.status_code == 204
+
+
+def test_demote_last_admin_blocked(
+    client: FlaskClient, admin_user: User, admin_token: str
+) -> None:
+    resp = client.patch(
+        f"/api/users/{admin_user.id}",
+        headers=_h(admin_token),
+        json={"role": "redteam"},
+    )
+    assert resp.status_code == 409
+
+
+def test_delete_user_404(client: FlaskClient, admin_token: str) -> None:
+    resp = client.delete("/api/users/9999", headers=_h(admin_token))
+    assert resp.status_code == 404
+
+
+def test_delete_user_forbidden_for_soc(
+    client: FlaskClient, soc_token: str, redteam_user: User
+) -> None:
+    resp = client.delete(f"/api/users/{redteam_user.id}", headers=_h(soc_token))
+    assert resp.status_code == 403