fix(backend): post-review fixes sprint 2

- test_simulations_patch: remove false dict return annotation on _patch helper - simulation_workflow: validate executed_at upfront before any setattr (prevents partial mutation on bad payload) - api/simulations: remove unreachable role check in update_simulation (all valid roles are admin/redteam/soc) - Dockerfile: remove redundant COPY backend/data/ (already covered by COPY backend/) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 11:21:32 +02:00
parent 765bb5a1a4
commit 83bf60fb30
4 changed files with 40 additions and 18 deletions
--- a/backend/tests/test_simulations_patch.py
+++ b/backend/tests/test_simulations_patch.py
@@ -26,11 +26,10 @@ def _make_sim(client: FlaskClient, token: str, eid: int) -> dict:
    return resp.get_json()


-def _patch(client: FlaskClient, token: str, sid: int, payload: dict) -> dict:
-    resp = client.patch(
+def _patch(client: FlaskClient, token: str, sid: int, payload: dict):
+    return client.patch(
        f"/api/simulations/{sid}", headers=_h(token), json=payload
    )
-    return resp


 # ---------------------------------------------------------------------------
@@ -232,7 +231,7 @@ def test_soc_can_patch_when_review_required(


 def test_soc_can_patch_when_done(
-    client: FlaskClient, redteam_token: str, soc_token: str, admin_token: str
+    client: FlaskClient, redteam_token: str, soc_token: str
 ) -> None:
    eng = _make_engagement(client, redteam_token)
    sim = _make_sim(client, redteam_token, eng["id"])
@@ -270,3 +269,27 @@ def test_soc_cannot_edit_redteam_fields(
 def test_patch_simulation_404(client: FlaskClient, redteam_token: str) -> None:
    resp = _patch(client, redteam_token, 9999, {"name": "x"})
    assert resp.status_code == 404
+
+
+def test_invalid_executed_at_does_not_mutate_other_fields(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    """invalid executed_at must return 400 without persisting other fields in the payload."""
+    eng = _make_engagement(client, redteam_token)
+    sim = _make_sim(client, redteam_token, eng["id"])
+    original_description = sim["description"]
+
+    resp = _patch(
+        client,
+        redteam_token,
+        sim["id"],
+        {"description": "should-not-stick", "executed_at": "not-a-date"},
+    )
+    assert resp.status_code == 400
+
+    get_resp = client.get(
+        f"/api/simulations/{sim['id']}",
+        headers={"Authorization": f"Bearer {redteam_token}"},
+    )
+    assert get_resp.status_code == 200
+    assert get_resp.get_json()["description"] == original_description