anti
1d3086a5c7
Surfaces the intrusion-set reverse index from the loaded ATT&CK
bundle: given a technique, returns the list of groups MITRE has
documented as using it. Read-only — explicitly NOT an attribution
claim about a DECNET attacker. The frontend pulls this lazily when
the operator expands a technique panel; payload-size cost on every
TTPTagDetailRow makes embedding wasteful for techniques with 50+
documented groups.
- decnet/web/router/ttp/api_get_groups_for_technique.py exposes
GET /api/v1/ttp/techniques/{technique_id}/groups, response_model
list[GroupRef]. Same JWT-viewer auth gating as the rest of the
TTP router. 404 when the technique_id doesn't resolve in the
bundle.
- Sub-techniques are queried directly (no auto-union with parent)
to match ATT&CK Navigator semantics; callers that want a broader
view query the parent themselves.
- tests/ttp/test_groups_for_technique.py covers happy path, 404,
sub-technique attribution independence, empty-list-on-zero-groups,
and that responses include mitre_url + aliases.
- tests/web/test_api_attackers.py: fix pre-existing fixture drift
introduced by a2a61b63 — three TestGetAttackerDetail cases were
missing AsyncMock for repo.latest_observation_per_primitive,
causing TypeError on await of MagicMock. The new groups endpoint
doesn't share code with attacker_detail; this is a drive-by fix
surfaced by the same suite run.
108 lines
3.6 KiB
Python
108 lines
3.6 KiB
Python
"""Router-level coverage for GET /api/v1/ttp/techniques/{tid}/groups.
|
|
|
|
Calls the handler directly (no TestClient) — the auth dependency is
|
|
satisfied by passing a fake user dict. The handler delegates almost
|
|
everything to ``attack_stix.groups_using_technique``, which has its
|
|
own coverage in ``test_attack_url.py``; the focus here is the 404
|
|
path and the empty-list-on-zero-groups behavior.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
from pathlib import Path
|
|
|
|
import pytest
|
|
from fastapi import HTTPException
|
|
|
|
from decnet.ttp import attack_stix
|
|
from decnet.web.router.ttp.api_get_groups_for_technique import (
|
|
api_groups_for_technique,
|
|
)
|
|
|
|
_REPO_BUNDLE = Path(__file__).resolve().parents[2] / "enterprise-attack-19.0.json"
|
|
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def _pin_bundle(monkeypatch: pytest.MonkeyPatch, tmp_path: Path) -> None:
|
|
license_path = tmp_path / "LICENSE.txt"
|
|
license_path.write_text("placeholder", encoding="utf-8")
|
|
monkeypatch.setenv("DECNET_ATTACK_BUNDLE", str(_REPO_BUNDLE))
|
|
monkeypatch.setenv("DECNET_ATTACK_LICENSE", str(license_path))
|
|
attack_stix._data = None
|
|
attack_stix._loaded_path = None
|
|
attack_stix._attack_pattern_by_id.cache_clear()
|
|
attack_stix._tactic_by_id.cache_clear()
|
|
attack_stix._tactic_by_short_name.cache_clear()
|
|
attack_stix.groups_using_technique.cache_clear()
|
|
|
|
|
|
_FAKE_USER: dict = {"uuid": "test-user", "role": "viewer"}
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_returns_grouprefs_for_known_technique() -> None:
|
|
result = await api_groups_for_technique(
|
|
technique_id="T1059", user=_FAKE_USER,
|
|
)
|
|
assert isinstance(result, list)
|
|
assert len(result) >= 5
|
|
assert all(isinstance(g, attack_stix.GroupRef) for g in result)
|
|
# Sorted ordering preserved.
|
|
ids = [g.group_id for g in result]
|
|
assert ids == sorted(ids)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_returns_404_for_unknown_technique() -> None:
|
|
with pytest.raises(HTTPException) as exc:
|
|
await api_groups_for_technique(
|
|
technique_id="T9999", user=_FAKE_USER,
|
|
)
|
|
assert exc.value.status_code == 404
|
|
assert "T9999" in str(exc.value.detail)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_subtechnique_returns_distinct_group_set() -> None:
|
|
parent = await api_groups_for_technique(
|
|
technique_id="T1059", user=_FAKE_USER,
|
|
)
|
|
sub = await api_groups_for_technique(
|
|
technique_id="T1059.004", user=_FAKE_USER,
|
|
)
|
|
assert len(sub) >= 1
|
|
# Sub-technique attribution is independent of parent (see
|
|
# ATT&CK Navigator semantics) — sub may have groups not in parent.
|
|
# Just assert both are populated.
|
|
assert len(parent) >= len(sub)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_empty_list_for_known_technique_with_no_documented_groups(
|
|
monkeypatch: pytest.MonkeyPatch,
|
|
) -> None:
|
|
"""A real-bundle technique with zero documented groups returns []."""
|
|
# Force the cache to return () for a real technique.
|
|
attack_stix.groups_using_technique.cache_clear()
|
|
monkeypatch.setattr(
|
|
attack_stix,
|
|
"groups_using_technique",
|
|
lambda tid: () if tid == "T1110" else attack_stix.groups_using_technique(tid),
|
|
)
|
|
result = await api_groups_for_technique(
|
|
technique_id="T1110", user=_FAKE_USER,
|
|
)
|
|
assert result == []
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_response_includes_mitre_url_and_aliases() -> None:
|
|
result = await api_groups_for_technique(
|
|
technique_id="T1059", user=_FAKE_USER,
|
|
)
|
|
assert all(
|
|
g.mitre_url and g.mitre_url.startswith("https://attack.mitre.org/groups/G")
|
|
for g in result
|
|
)
|
|
# At least one group has multiple aliases.
|
|
assert any(len(g.aliases) >= 2 for g in result)
|