feat(backend): c2 crypto + config CRUD + adapter scaffolding (sprint 8 M1)

- Add Fernet crypto service (MIMIC_ENCRYPTION_KEY env, C2Disabled on absent key) - Add Alembic migration 0006: c2_config + c2_task tables with cascade FKs - Add C2Config and C2Task SQLAlchemy models - Add C2Adapter ABC with dataclasses (C2Health, C2Callback, C2TaskStatus, C2TaskPage) - Add FakeAdapter (deterministic in-memory, MIMIC_C2_ADAPTER=fake) - Add MythicAdapter scaffold: test_connection() live, M2+ raise NotImplementedError - Add decode_response_text() helper for base64/binary Mythic responses - Add GET/PUT/DELETE/POST-test /api/engagements/<id>/c2-config endpoints - RBAC: admin+redteam OK, SOC 403; 503 guard when encryption key absent - Token never returned in API responses; stored Fernet-encrypted only - 42 new tests (300 total, 258 baseline preserved green) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-10 19:20:52 +02:00
parent 813e69ee01
commit 9a9c98beab
18 changed files with 1300 additions and 2 deletions
--- a/backend/tests/test_migration_0006_c2.py
+++ b/backend/tests/test_migration_0006_c2.py
@@ -0,0 +1,204 @@
+"""Migration round-trip test for 0006_c2_layer.
+
+Verifies that upgrade() creates c2_config and c2_task with the expected schema,
+and that downgrade() removes both tables cleanly.
+
+Uses the resolved-path pattern (derives path from __file__) to avoid the
+hardcoded-path regression documented in lessons.md Sprint 4.
+"""
+from __future__ import annotations
+
+import importlib.util
+from pathlib import Path
+
+from alembic.operations import Operations
+from alembic.runtime.migration import MigrationContext
+from sqlalchemy import create_engine, inspect, text
+
+
+def _load_migration():
+    versions_dir = Path(__file__).resolve().parent.parent / "migrations" / "versions"
+    path = versions_dir / "0006_c2_layer.py"
+    spec = importlib.util.spec_from_file_location("migration_0006", path)
+    assert spec and spec.loader
+    mod = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(mod)  # type: ignore[union-attr]
+    return mod
+
+
+def _fresh_engine():
+    """In-memory SQLite with the tables that 0006 depends on already present."""
+    engine = create_engine("sqlite:///:memory:")
+    with engine.begin() as conn:
+        conn.execute(
+            text(
+                """
+                CREATE TABLE users (
+                    id INTEGER PRIMARY KEY,
+                    username TEXT NOT NULL UNIQUE,
+                    password_hash TEXT NOT NULL,
+                    role TEXT NOT NULL,
+                    created_at DATETIME NOT NULL
+                )
+                """
+            )
+        )
+        conn.execute(
+            text(
+                """
+                CREATE TABLE engagements (
+                    id INTEGER PRIMARY KEY,
+                    name TEXT NOT NULL,
+                    description TEXT,
+                    start_date DATE NOT NULL,
+                    end_date DATE,
+                    status TEXT NOT NULL DEFAULT 'planned',
+                    created_at DATETIME NOT NULL,
+                    created_by_id INTEGER NOT NULL REFERENCES users(id)
+                )
+                """
+            )
+        )
+        conn.execute(
+            text(
+                """
+                CREATE TABLE simulations (
+                    id INTEGER PRIMARY KEY,
+                    engagement_id INTEGER NOT NULL REFERENCES engagements(id),
+                    name TEXT NOT NULL,
+                    techniques JSON NOT NULL DEFAULT '[]',
+                    tactic_ids JSON NOT NULL DEFAULT '[]',
+                    description TEXT,
+                    commands TEXT,
+                    prerequisites TEXT,
+                    executed_at DATETIME,
+                    execution_result TEXT,
+                    log_source TEXT,
+                    logs TEXT,
+                    soc_comment TEXT,
+                    incident_number TEXT,
+                    status TEXT NOT NULL DEFAULT 'pending',
+                    created_at DATETIME NOT NULL,
+                    updated_at DATETIME,
+                    created_by_id INTEGER NOT NULL REFERENCES users(id)
+                )
+                """
+            )
+        )
+    return engine
+
+
+def _run_upgrade(engine, migration_mod):
+    with engine.begin() as conn:
+        ctx = MigrationContext.configure(conn)
+        ops = Operations(ctx)
+        # Patch op module for the migration
+        import alembic.op as alembic_op
+        original_proxy = alembic_op._proxy  # type: ignore[attr-defined]
+        alembic_op._proxy = ops  # type: ignore[attr-defined]
+        try:
+            migration_mod.upgrade()
+        finally:
+            alembic_op._proxy = original_proxy  # type: ignore[attr-defined]
+
+
+def _run_downgrade(engine, migration_mod):
+    with engine.begin() as conn:
+        ctx = MigrationContext.configure(conn)
+        ops = Operations(ctx)
+        import alembic.op as alembic_op
+        original_proxy = alembic_op._proxy  # type: ignore[attr-defined]
+        alembic_op._proxy = ops  # type: ignore[attr-defined]
+        try:
+            migration_mod.downgrade()
+        finally:
+            alembic_op._proxy = original_proxy  # type: ignore[attr-defined]
+
+
+class TestMigration0006Upgrade:
+    def test_c2_config_table_created(self):
+        engine = _fresh_engine()
+        mod = _load_migration()
+        _run_upgrade(engine, mod)
+
+        insp = inspect(engine)
+        assert "c2_config" in insp.get_table_names()
+
+    def test_c2_task_table_created(self):
+        engine = _fresh_engine()
+        mod = _load_migration()
+        _run_upgrade(engine, mod)
+
+        insp = inspect(engine)
+        assert "c2_task" in insp.get_table_names()
+
+    def test_c2_config_columns(self):
+        engine = _fresh_engine()
+        mod = _load_migration()
+        _run_upgrade(engine, mod)
+
+        insp = inspect(engine)
+        cols = {c["name"] for c in insp.get_columns("c2_config")}
+        assert {"id", "engagement_id", "url", "api_token_encrypted",
+                "verify_tls", "created_at", "updated_at"} <= cols
+
+    def test_c2_config_unique_constraint_on_engagement_id(self):
+        engine = _fresh_engine()
+        mod = _load_migration()
+        _run_upgrade(engine, mod)
+
+        # Insert a user and engagement first.
+        with engine.begin() as conn:
+            conn.execute(text(
+                "INSERT INTO users (id, username, password_hash, role, created_at) "
+                "VALUES (1, 'u', 'h', 'admin', '2026-01-01')"
+            ))
+            conn.execute(text(
+                "INSERT INTO engagements (id, name, start_date, status, created_at, created_by_id) "
+                "VALUES (1, 'Op', '2026-01-01', 'planned', '2026-01-01', 1)"
+            ))
+            conn.execute(text(
+                "INSERT INTO c2_config (engagement_id, url, api_token_encrypted, verify_tls, created_at) "
+                "VALUES (1, 'https://c2', 'tok', 1, '2026-01-01')"
+            ))
+            # Second insert on same engagement_id must fail.
+            try:
+                conn.execute(text(
+                    "INSERT INTO c2_config (engagement_id, url, api_token_encrypted, verify_tls, created_at) "
+                    "VALUES (1, 'https://c2b', 'tok2', 1, '2026-01-01')"
+                ))
+                raised = False
+            except Exception:
+                raised = True
+        assert raised, "UNIQUE constraint on c2_config.engagement_id must be enforced"
+
+    def test_c2_task_columns(self):
+        engine = _fresh_engine()
+        mod = _load_migration()
+        _run_upgrade(engine, mod)
+
+        insp = inspect(engine)
+        cols = {c["name"] for c in insp.get_columns("c2_task")}
+        assert {"id", "simulation_id", "mythic_task_display_id", "callback_display_id",
+                "command", "params", "status", "completed", "output", "source",
+                "created_at", "completed_at"} <= cols
+
+
+class TestMigration0006Downgrade:
+    def test_downgrade_removes_c2_config(self):
+        engine = _fresh_engine()
+        mod = _load_migration()
+        _run_upgrade(engine, mod)
+        _run_downgrade(engine, mod)
+
+        insp = inspect(engine)
+        assert "c2_config" not in insp.get_table_names()
+
+    def test_downgrade_removes_c2_task(self):
+        engine = _fresh_engine()
+        mod = _load_migration()
+        _run_upgrade(engine, mod)
+        _run_downgrade(engine, mod)
+
+        insp = inspect(engine)
+        assert "c2_task" not in insp.get_table_names()