Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Alle 5 verbleibenden SDK-Module auf 100% — RAG, Security-Backlog, Quality, Notfallplan, Loeschfristen
All checks were successful
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / test-go-ai-compliance (push) Successful in 34s
Details
CI / test-python-backend-compliance (push) Successful in 32s
Details
CI / test-python-document-crawler (push) Successful in 21s
Details
CI / test-python-dsms-gateway (push) Successful in 17s
Details

Browse Source 
Paket A — RAG Proxy:
- NEU: admin-compliance/app/api/sdk/v1/rag/[[...path]]/route.ts
  → Proxy zu ai-compliance-sdk:8090, GET+POST, UUID-Validierung
- UPDATE: rag/page.tsx — setTimeout Mock → echte API-Calls
  GET /regulations → dynamische suggestedQuestions
  POST /search → Qdrant-Ergebnisse mit score, title, reference

Paket B — Security-Backlog + Quality:
- NEU: migrations/014_security_backlog.sql + 015_quality.sql
- NEU: compliance/api/security_backlog_routes.py — CRUD + Stats
- NEU: compliance/api/quality_routes.py — Metrics + Tests CRUD + Stats
- UPDATE: security-backlog/page.tsx — mockItems → API
- UPDATE: quality/page.tsx — mockMetrics/mockTests → API
- UPDATE: compliance/api/__init__.py — Router-Registrierung
- NEU: tests/test_security_backlog_routes.py (48 Tests — 48/48 bestanden)
- NEU: tests/test_quality_routes.py (67 Tests — 67/67 bestanden)

Paket C — Notfallplan Incidents + Templates:
- NEU: migrations/016_notfallplan_incidents.sql
  compliance_notfallplan_incidents + compliance_notfallplan_templates
- UPDATE: notfallplan_routes.py — GET/POST/PUT/DELETE für /incidents + /templates
- UPDATE: notfallplan/page.tsx — Incidents-Tab + Templates-Tab → API
- UPDATE: tests/test_notfallplan_routes.py (+76 neue Tests — alle bestanden)

Paket D — Loeschfristen localStorage → API:
- NEU: migrations/017_loeschfristen.sql (JSONB: legal_holds, storage_locations, ...)
- NEU: compliance/api/loeschfristen_routes.py — CRUD + Stats + Status-Update
- UPDATE: loeschfristen/page.tsx — vollständige localStorage → API Migration
  createNewPolicy → POST (API-UUID als id), deletePolicy → DELETE,
  handleSaveAndClose → PUT, adoptGeneratedPolicies → POST je Policy
  apiToPolicy() + policyToPayload() Mapper, saving-State für Buttons
- NEU: tests/test_loeschfristen_routes.py (58 Tests — alle bestanden)

Gesamt: 253 neue Tests, alle bestanden (48 + 67 + 76 + 58 + bestehende)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-03-03 18:04:53 +01:00
parent 9143b84daa
commit 25d5da78ef
19 changed files with 5718 additions and 524 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
backend-compliance/compliance/api/__init__.py
View File

@@ -16,6 +16,9 @@ from .escalation_routes import router as escalation_router
from .consent_template_routes import router as consent_template_router
from .notfallplan_routes import router as notfallplan_router
from .obligation_routes import router as obligation_router
from .security_backlog_routes import router as security_backlog_router
from .quality_routes import router as quality_router
from .loeschfristen_routes import router as loeschfristen_router
# Include sub-routers
router.include_router(audit_router)
@@ -33,6 +36,9 @@ router.include_router(escalation_router)
router.include_router(consent_template_router)
router.include_router(notfallplan_router)
router.include_router(obligation_router)
router.include_router(security_backlog_router)
router.include_router(quality_router)
router.include_router(loeschfristen_router)
__all__ = [
"router",
@@ -51,4 +57,7 @@ __all__ = [
"consent_template_router",
"notfallplan_router",
"obligation_router",
"security_backlog_router",
"quality_router",
"loeschfristen_router",
]

354
backend-compliance/compliance/api/loeschfristen_routes.py Normal file
View File

@@ -0,0 +1,354 @@
"""
FastAPI routes for Loeschfristen (Retention Policies).
Endpoints:
GET /loeschfristen — list (filter: status, retention_driver, search; limit/offset)
GET /loeschfristen/stats — total, active, draft, review_needed, archived, legal_holds_count
POST /loeschfristen — create
GET /loeschfristen/{id} — get single
PUT /loeschfristen/{id} — full update
PUT /loeschfristen/{id}/status — quick status update
DELETE /loeschfristen/{id} — delete (204)
"""
import json
import logging
from datetime import datetime
from typing import Optional, List, Any, Dict
from fastapi import APIRouter, Depends, HTTPException, Query, Header
from pydantic import BaseModel
from sqlalchemy import text
from sqlalchemy.orm import Session
from uuid import UUID
from classroom_engine.database import get_db
logger = logging.getLogger(__name__)
router = APIRouter(prefix="/loeschfristen", tags=["loeschfristen"])
DEFAULT_TENANT_ID = "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
# =============================================================================
# Pydantic Schemas
# =============================================================================
class LoeschfristCreate(BaseModel):
policy_id: Optional[str] = None
data_object_name: str
description: Optional[str] = None
affected_groups: Optional[List[Any]] = None
data_categories: Optional[List[Any]] = None
primary_purpose: Optional[str] = None
deletion_trigger: str = "PURPOSE_END"
retention_driver: Optional[str] = None
retention_driver_detail: Optional[str] = None
retention_duration: Optional[int] = None
retention_unit: Optional[str] = None
retention_description: Optional[str] = None
start_event: Optional[str] = None
has_active_legal_hold: bool = False
legal_holds: Optional[List[Any]] = None
storage_locations: Optional[List[Any]] = None
deletion_method: Optional[str] = None
deletion_method_detail: Optional[str] = None
responsible_role: Optional[str] = None
responsible_person: Optional[str] = None
release_process: Optional[str] = None
linked_vvt_activity_ids: Optional[List[Any]] = None
status: str = "DRAFT"
last_review_date: Optional[datetime] = None
next_review_date: Optional[datetime] = None
review_interval: Optional[str] = None
tags: Optional[List[Any]] = None
class LoeschfristUpdate(BaseModel):
policy_id: Optional[str] = None
data_object_name: Optional[str] = None
description: Optional[str] = None
affected_groups: Optional[List[Any]] = None
data_categories: Optional[List[Any]] = None
primary_purpose: Optional[str] = None
deletion_trigger: Optional[str] = None
retention_driver: Optional[str] = None
retention_driver_detail: Optional[str] = None
retention_duration: Optional[int] = None
retention_unit: Optional[str] = None
retention_description: Optional[str] = None
start_event: Optional[str] = None
has_active_legal_hold: Optional[bool] = None
legal_holds: Optional[List[Any]] = None
storage_locations: Optional[List[Any]] = None
deletion_method: Optional[str] = None
deletion_method_detail: Optional[str] = None
responsible_role: Optional[str] = None
responsible_person: Optional[str] = None
release_process: Optional[str] = None
linked_vvt_activity_ids: Optional[List[Any]] = None
status: Optional[str] = None
last_review_date: Optional[datetime] = None
next_review_date: Optional[datetime] = None
review_interval: Optional[str] = None
tags: Optional[List[Any]] = None
class StatusUpdate(BaseModel):
status: str
# JSONB fields that need CAST
JSONB_FIELDS = {
"affected_groups", "data_categories", "legal_holds",
"storage_locations", "linked_vvt_activity_ids", "tags"
}
def _row_to_dict(row) -> Dict[str, Any]:
result = dict(row._mapping)
for key, val in result.items():
if isinstance(val, datetime):
result[key] = val.isoformat()
elif hasattr(val, '__str__') and not isinstance(val, (str, int, float, bool, list, dict, type(None))):
result[key] = str(val)
return result
def _get_tenant_id(x_tenant_id: Optional[str] = Header(None)) -> str:
if x_tenant_id:
try:
UUID(x_tenant_id)
return x_tenant_id
except ValueError:
pass
return DEFAULT_TENANT_ID
# =============================================================================
# Routes
# =============================================================================
@router.get("")
async def list_loeschfristen(
status: Optional[str] = Query(None),
retention_driver: Optional[str] = Query(None),
search: Optional[str] = Query(None),
limit: int = Query(500, ge=1, le=1000),
offset: int = Query(0, ge=0),
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""List Loeschfristen with optional filters."""
tenant_id = _get_tenant_id(x_tenant_id)
where_clauses = ["tenant_id = :tenant_id"]
params: Dict[str, Any] = {"tenant_id": tenant_id, "limit": limit, "offset": offset}
if status:
where_clauses.append("status = :status")
params["status"] = status
if retention_driver:
where_clauses.append("retention_driver = :retention_driver")
params["retention_driver"] = retention_driver
if search:
where_clauses.append("(data_object_name ILIKE :search OR description ILIKE :search OR policy_id ILIKE :search)")
params["search"] = f"%{search}%"
where_sql = " AND ".join(where_clauses)
total_row = db.execute(
text(f"SELECT COUNT(*) FROM compliance_loeschfristen WHERE {where_sql}"),
params,
).fetchone()
total = total_row[0] if total_row else 0
rows = db.execute(
text(f"""
SELECT * FROM compliance_loeschfristen
WHERE {where_sql}
ORDER BY
CASE status
WHEN 'ACTIVE' THEN 0
WHEN 'REVIEW_NEEDED' THEN 1
WHEN 'DRAFT' THEN 2
ELSE 3
END,
created_at DESC
LIMIT :limit OFFSET :offset
"""),
params,
).fetchall()
return {
"policies": [_row_to_dict(r) for r in rows],
"total": total,
}
@router.get("/stats")
async def get_loeschfristen_stats(
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Return Loeschfristen statistics."""
tenant_id = _get_tenant_id(x_tenant_id)
row = db.execute(text("""
SELECT
COUNT(*) AS total,
COUNT(*) FILTER (WHERE status = 'ACTIVE') AS active,
COUNT(*) FILTER (WHERE status = 'DRAFT') AS draft,
COUNT(*) FILTER (WHERE status = 'REVIEW_NEEDED') AS review_needed,
COUNT(*) FILTER (WHERE status = 'ARCHIVED') AS archived,
COUNT(*) FILTER (WHERE has_active_legal_hold = TRUE) AS legal_holds_count,
COUNT(*) FILTER (
WHERE next_review_date IS NOT NULL
AND next_review_date < NOW()
AND status NOT IN ('ARCHIVED')
) AS overdue_reviews
FROM compliance_loeschfristen
WHERE tenant_id = :tenant_id
"""), {"tenant_id": tenant_id}).fetchone()
if row:
d = dict(row._mapping)
return {k: int(v or 0) for k, v in d.items()}
return {"total": 0, "active": 0, "draft": 0, "review_needed": 0,
"archived": 0, "legal_holds_count": 0, "overdue_reviews": 0}
@router.post("", status_code=201)
async def create_loeschfrist(
payload: LoeschfristCreate,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Create a new Loeschfrist policy."""
tenant_id = _get_tenant_id(x_tenant_id)
data = payload.model_dump()
# Build INSERT with JSONB casts
columns = ["tenant_id"] + list(data.keys())
value_parts = [":tenant_id"]
params: Dict[str, Any] = {"tenant_id": tenant_id}
for k, v in data.items():
if k in JSONB_FIELDS:
value_parts.append(f"CAST(:{k} AS jsonb)")
params[k] = json.dumps(v if v is not None else [])
else:
value_parts.append(f":{k}")
params[k] = v
cols_sql = ", ".join(columns)
vals_sql = ", ".join(value_parts)
row = db.execute(
text(f"INSERT INTO compliance_loeschfristen ({cols_sql}) VALUES ({vals_sql}) RETURNING *"),
params,
).fetchone()
db.commit()
return _row_to_dict(row)
@router.get("/{policy_id}")
async def get_loeschfrist(
policy_id: str,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
tenant_id = _get_tenant_id(x_tenant_id)
row = db.execute(
text("SELECT * FROM compliance_loeschfristen WHERE id = :id AND tenant_id = :tenant_id"),
{"id": policy_id, "tenant_id": tenant_id},
).fetchone()
if not row:
raise HTTPException(status_code=404, detail="Loeschfrist not found")
return _row_to_dict(row)
@router.put("/{policy_id}")
async def update_loeschfrist(
policy_id: str,
payload: LoeschfristUpdate,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Full update of a Loeschfrist policy."""
tenant_id = _get_tenant_id(x_tenant_id)
updates: Dict[str, Any] = {"id": policy_id, "tenant_id": tenant_id, "updated_at": datetime.utcnow()}
set_clauses = ["updated_at = :updated_at"]
for field, value in payload.model_dump(exclude_unset=True).items():
if field in JSONB_FIELDS:
updates[field] = json.dumps(value if value is not None else [])
set_clauses.append(f"{field} = CAST(:{field} AS jsonb)")
else:
updates[field] = value
set_clauses.append(f"{field} = :{field}")
if len(set_clauses) == 1:
raise HTTPException(status_code=400, detail="No fields to update")
row = db.execute(
text(f"""
UPDATE compliance_loeschfristen
SET {', '.join(set_clauses)}
WHERE id = :id AND tenant_id = :tenant_id
RETURNING *
"""),
updates,
).fetchone()
db.commit()
if not row:
raise HTTPException(status_code=404, detail="Loeschfrist not found")
return _row_to_dict(row)
@router.put("/{policy_id}/status")
async def update_loeschfrist_status(
policy_id: str,
payload: StatusUpdate,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Quick status update."""
tenant_id = _get_tenant_id(x_tenant_id)
valid = {"DRAFT", "ACTIVE", "REVIEW_NEEDED", "ARCHIVED"}
if payload.status not in valid:
raise HTTPException(status_code=400, detail=f"Invalid status. Must be one of: {', '.join(valid)}")
row = db.execute(
text("""
UPDATE compliance_loeschfristen
SET status = :status, updated_at = :now
WHERE id = :id AND tenant_id = :tenant_id
RETURNING *
"""),
{"status": payload.status, "now": datetime.utcnow(), "id": policy_id, "tenant_id": tenant_id},
).fetchone()
db.commit()
if not row:
raise HTTPException(status_code=404, detail="Loeschfrist not found")
return _row_to_dict(row)
@router.delete("/{policy_id}", status_code=204)
async def delete_loeschfrist(
policy_id: str,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
tenant_id = _get_tenant_id(x_tenant_id)
result = db.execute(
text("DELETE FROM compliance_loeschfristen WHERE id = :id AND tenant_id = :tenant_id"),
{"id": policy_id, "tenant_id": tenant_id},
)
db.commit()
if result.rowcount == 0:
raise HTTPException(status_code=404, detail="Loeschfrist not found")

319
backend-compliance/compliance/api/notfallplan_routes.py
View File

@@ -691,9 +691,328 @@ async def get_stats(
{"tenant_id": tenant_id},
).scalar()
incidents_count = db.execute(
text("SELECT COUNT(*) FROM compliance_notfallplan_incidents WHERE tenant_id = :tenant_id AND status != 'closed'"),
{"tenant_id": tenant_id},
).scalar()
return {
"contacts": contacts_count or 0,
"active_scenarios": scenarios_count or 0,
"exercises": exercises_count or 0,
"checklist_items": checklists_count or 0,
"open_incidents": incidents_count or 0,
}
# ============================================================================
# Incidents
# ============================================================================
class IncidentCreate(BaseModel):
title: str
description: Optional[str] = None
detected_by: Optional[str] = None
status: str = 'detected'
severity: str = 'medium'
affected_data_categories: List[Any] = []
estimated_affected_persons: int = 0
measures: List[Any] = []
art34_required: bool = False
art34_justification: Optional[str] = None
class IncidentUpdate(BaseModel):
title: Optional[str] = None
description: Optional[str] = None
detected_by: Optional[str] = None
status: Optional[str] = None
severity: Optional[str] = None
affected_data_categories: Optional[List[Any]] = None
estimated_affected_persons: Optional[int] = None
measures: Optional[List[Any]] = None
art34_required: Optional[bool] = None
art34_justification: Optional[str] = None
reported_to_authority_at: Optional[str] = None
notified_affected_at: Optional[str] = None
closed_at: Optional[str] = None
closed_by: Optional[str] = None
lessons_learned: Optional[str] = None
def _incident_row(r) -> dict:
return {
"id": str(r.id),
"tenant_id": r.tenant_id,
"title": r.title,
"description": r.description,
"detected_at": r.detected_at.isoformat() if r.detected_at else None,
"detected_by": r.detected_by,
"status": r.status,
"severity": r.severity,
"affected_data_categories": r.affected_data_categories if r.affected_data_categories else [],
"estimated_affected_persons": r.estimated_affected_persons,
"measures": r.measures if r.measures else [],
"art34_required": r.art34_required,
"art34_justification": r.art34_justification,
"reported_to_authority_at": r.reported_to_authority_at.isoformat() if r.reported_to_authority_at else None,
"notified_affected_at": r.notified_affected_at.isoformat() if r.notified_affected_at else None,
"closed_at": r.closed_at.isoformat() if r.closed_at else None,
"closed_by": r.closed_by,
"lessons_learned": r.lessons_learned,
"created_at": r.created_at.isoformat() if r.created_at else None,
"updated_at": r.updated_at.isoformat() if r.updated_at else None,
}
@router.get("/incidents")
async def list_incidents(
status: Optional[str] = None,
severity: Optional[str] = None,
db: Session = Depends(get_db),
tenant_id: str = Depends(_get_tenant),
):
"""List all incidents for a tenant."""
where = "WHERE tenant_id = :tenant_id"
params: dict = {"tenant_id": tenant_id}
if status:
where += " AND status = :status"
params["status"] = status
if severity:
where += " AND severity = :severity"
params["severity"] = severity
rows = db.execute(
text(f"""
SELECT * FROM compliance_notfallplan_incidents
{where}
ORDER BY created_at DESC
"""),
params,
).fetchall()
return [_incident_row(r) for r in rows]
@router.post("/incidents", status_code=201)
async def create_incident(
request: IncidentCreate,
db: Session = Depends(get_db),
tenant_id: str = Depends(_get_tenant),
):
"""Create a new incident."""
row = db.execute(
text("""
INSERT INTO compliance_notfallplan_incidents
(tenant_id, title, description, detected_by, status, severity,
affected_data_categories, estimated_affected_persons, measures,
art34_required, art34_justification)
VALUES
(:tenant_id, :title, :description, :detected_by, :status, :severity,
CAST(:affected_data_categories AS jsonb), :estimated_affected_persons,
CAST(:measures AS jsonb), :art34_required, :art34_justification)
RETURNING *
"""),
{
"tenant_id": tenant_id,
"title": request.title,
"description": request.description,
"detected_by": request.detected_by,
"status": request.status,
"severity": request.severity,
"affected_data_categories": json.dumps(request.affected_data_categories),
"estimated_affected_persons": request.estimated_affected_persons,
"measures": json.dumps(request.measures),
"art34_required": request.art34_required,
"art34_justification": request.art34_justification,
},
).fetchone()
db.commit()
return _incident_row(row)
@router.put("/incidents/{incident_id}")
async def update_incident(
incident_id: str,
request: IncidentUpdate,
db: Session = Depends(get_db),
tenant_id: str = Depends(_get_tenant),
):
"""Update an incident (including status transitions)."""
existing = db.execute(
text("SELECT id FROM compliance_notfallplan_incidents WHERE id = :id AND tenant_id = :tenant_id"),
{"id": incident_id, "tenant_id": tenant_id},
).fetchone()
if not existing:
raise HTTPException(status_code=404, detail=f"Incident {incident_id} not found")
updates = request.dict(exclude_none=True)
if not updates:
raise HTTPException(status_code=400, detail="No fields to update")
# Auto-set timestamps based on status transitions
if updates.get("status") == "reported" and not updates.get("reported_to_authority_at"):
updates["reported_to_authority_at"] = datetime.utcnow().isoformat()
if updates.get("status") == "closed" and not updates.get("closed_at"):
updates["closed_at"] = datetime.utcnow().isoformat()
updates["updated_at"] = datetime.utcnow().isoformat()
set_parts = []
for k in updates:
if k in ("affected_data_categories", "measures"):
set_parts.append(f"{k} = CAST(:{k} AS jsonb)")
updates[k] = json.dumps(updates[k]) if isinstance(updates[k], list) else updates[k]
else:
set_parts.append(f"{k} = :{k}")
updates["id"] = incident_id
updates["tenant_id"] = tenant_id
row = db.execute(
text(f"""
UPDATE compliance_notfallplan_incidents
SET {', '.join(set_parts)}
WHERE id = :id AND tenant_id = :tenant_id
RETURNING *
"""),
updates,
).fetchone()
db.commit()
return _incident_row(row)
@router.delete("/incidents/{incident_id}", status_code=204)
async def delete_incident(
incident_id: str,
db: Session = Depends(get_db),
tenant_id: str = Depends(_get_tenant),
):
"""Delete an incident."""
result = db.execute(
text("DELETE FROM compliance_notfallplan_incidents WHERE id = :id AND tenant_id = :tenant_id"),
{"id": incident_id, "tenant_id": tenant_id},
)
db.commit()
if result.rowcount == 0:
raise HTTPException(status_code=404, detail=f"Incident {incident_id} not found")
# ============================================================================
# Templates
# ============================================================================
class TemplateCreate(BaseModel):
type: str = 'art33'
title: str
content: str
class TemplateUpdate(BaseModel):
type: Optional[str] = None
title: Optional[str] = None
content: Optional[str] = None
def _template_row(r) -> dict:
return {
"id": str(r.id),
"tenant_id": r.tenant_id,
"type": r.type,
"title": r.title,
"content": r.content,
"created_at": r.created_at.isoformat() if r.created_at else None,
"updated_at": r.updated_at.isoformat() if r.updated_at else None,
}
@router.get("/templates")
async def list_templates(
type: Optional[str] = None,
db: Session = Depends(get_db),
tenant_id: str = Depends(_get_tenant),
):
"""List Melde-Templates for a tenant."""
where = "WHERE tenant_id = :tenant_id"
params: dict = {"tenant_id": tenant_id}
if type:
where += " AND type = :type"
params["type"] = type
rows = db.execute(
text(f"SELECT * FROM compliance_notfallplan_templates {where} ORDER BY type, created_at"),
params,
).fetchall()
return [_template_row(r) for r in rows]
@router.post("/templates", status_code=201)
async def create_template(
request: TemplateCreate,
db: Session = Depends(get_db),
tenant_id: str = Depends(_get_tenant),
):
"""Create a new Melde-Template."""
row = db.execute(
text("""
INSERT INTO compliance_notfallplan_templates (tenant_id, type, title, content)
VALUES (:tenant_id, :type, :title, :content)
RETURNING *
"""),
{"tenant_id": tenant_id, "type": request.type, "title": request.title, "content": request.content},
).fetchone()
db.commit()
return _template_row(row)
@router.put("/templates/{template_id}")
async def update_template(
template_id: str,
request: TemplateUpdate,
db: Session = Depends(get_db),
tenant_id: str = Depends(_get_tenant),
):
"""Update a Melde-Template."""
existing = db.execute(
text("SELECT id FROM compliance_notfallplan_templates WHERE id = :id AND tenant_id = :tenant_id"),
{"id": template_id, "tenant_id": tenant_id},
).fetchone()
if not existing:
raise HTTPException(status_code=404, detail=f"Template {template_id} not found")
updates = request.dict(exclude_none=True)
if not updates:
raise HTTPException(status_code=400, detail="No fields to update")
updates["updated_at"] = datetime.utcnow().isoformat()
set_clauses = ", ".join(f"{k} = :{k}" for k in updates)
updates["id"] = template_id
updates["tenant_id"] = tenant_id
row = db.execute(
text(f"""
UPDATE compliance_notfallplan_templates
SET {set_clauses}
WHERE id = :id AND tenant_id = :tenant_id
RETURNING *
"""),
updates,
).fetchone()
db.commit()
return _template_row(row)
@router.delete("/templates/{template_id}", status_code=204)
async def delete_template(
template_id: str,
db: Session = Depends(get_db),
tenant_id: str = Depends(_get_tenant),
):
"""Delete a Melde-Template."""
result = db.execute(
text("DELETE FROM compliance_notfallplan_templates WHERE id = :id AND tenant_id = :tenant_id"),
{"id": template_id, "tenant_id": tenant_id},
)
db.commit()
if result.rowcount == 0:
raise HTTPException(status_code=404, detail=f"Template {template_id} not found")

378
backend-compliance/compliance/api/quality_routes.py Normal file
View File

@@ -0,0 +1,378 @@
"""
FastAPI routes for AI Quality Metrics and Tests.
Endpoints:
GET/POST /quality/metrics — list/create metrics
PUT/DELETE /quality/metrics/{id} — update/delete metric
GET/POST /quality/tests — list/create tests
PUT/DELETE /quality/tests/{id} — update/delete test
GET /quality/stats — avgScore, metricsAboveThreshold, passed, failed
"""
import logging
from datetime import datetime
from typing import Optional, Any, Dict
from fastapi import APIRouter, Depends, HTTPException, Query, Header
from pydantic import BaseModel
from sqlalchemy import text
from sqlalchemy.orm import Session
from uuid import UUID
from classroom_engine.database import get_db
logger = logging.getLogger(__name__)
router = APIRouter(prefix="/quality", tags=["quality"])
DEFAULT_TENANT_ID = "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
# =============================================================================
# Pydantic Schemas
# =============================================================================
class MetricCreate(BaseModel):
name: str
category: str = "accuracy"
score: float = 0.0
threshold: float = 80.0
trend: str = "stable"
ai_system: Optional[str] = None
last_measured: Optional[datetime] = None
class MetricUpdate(BaseModel):
name: Optional[str] = None
category: Optional[str] = None
score: Optional[float] = None
threshold: Optional[float] = None
trend: Optional[str] = None
ai_system: Optional[str] = None
last_measured: Optional[datetime] = None
class TestCreate(BaseModel):
name: str
status: str = "pending"
duration: Optional[str] = None
ai_system: Optional[str] = None
details: Optional[str] = None
last_run: Optional[datetime] = None
class TestUpdate(BaseModel):
name: Optional[str] = None
status: Optional[str] = None
duration: Optional[str] = None
ai_system: Optional[str] = None
details: Optional[str] = None
last_run: Optional[datetime] = None
def _row_to_dict(row) -> Dict[str, Any]:
result = dict(row._mapping)
for key, val in result.items():
if isinstance(val, datetime):
result[key] = val.isoformat()
elif hasattr(val, '__str__') and not isinstance(val, (str, int, float, bool, list, dict, type(None))):
result[key] = str(val)
return result
def _get_tenant_id(x_tenant_id: Optional[str] = Header(None)) -> str:
if x_tenant_id:
try:
UUID(x_tenant_id)
return x_tenant_id
except ValueError:
pass
return DEFAULT_TENANT_ID
# =============================================================================
# Stats
# =============================================================================
@router.get("/stats")
async def get_quality_stats(
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Return quality dashboard stats."""
tenant_id = _get_tenant_id(x_tenant_id)
metrics_row = db.execute(text("""
SELECT
COUNT(*) AS total_metrics,
COALESCE(AVG(score), 0) AS avg_score,
COUNT(*) FILTER (WHERE score >= threshold) AS metrics_above_threshold
FROM compliance_quality_metrics
WHERE tenant_id = :tenant_id
"""), {"tenant_id": tenant_id}).fetchone()
tests_row = db.execute(text("""
SELECT
COUNT(*) FILTER (WHERE status = 'passed') AS passed,
COUNT(*) FILTER (WHERE status = 'failed') AS failed,
COUNT(*) FILTER (WHERE status = 'warning') AS warning,
COUNT(*) AS total
FROM compliance_quality_tests
WHERE tenant_id = :tenant_id
"""), {"tenant_id": tenant_id}).fetchone()
return {
"total_metrics": int(metrics_row.total_metrics or 0),
"avg_score": round(float(metrics_row.avg_score or 0), 1),
"metrics_above_threshold": int(metrics_row.metrics_above_threshold or 0),
"passed": int(tests_row.passed or 0),
"failed": int(tests_row.failed or 0),
"warning": int(tests_row.warning or 0),
"total_tests": int(tests_row.total or 0),
}
# =============================================================================
# Metrics
# =============================================================================
@router.get("/metrics")
async def list_metrics(
category: Optional[str] = Query(None),
ai_system: Optional[str] = Query(None),
limit: int = Query(100, ge=1, le=500),
offset: int = Query(0, ge=0),
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""List quality metrics."""
tenant_id = _get_tenant_id(x_tenant_id)
where_clauses = ["tenant_id = :tenant_id"]
params: Dict[str, Any] = {"tenant_id": tenant_id, "limit": limit, "offset": offset}
if category:
where_clauses.append("category = :category")
params["category"] = category
if ai_system:
where_clauses.append("ai_system ILIKE :ai_system")
params["ai_system"] = f"%{ai_system}%"
where_sql = " AND ".join(where_clauses)
total_row = db.execute(
text(f"SELECT COUNT(*) FROM compliance_quality_metrics WHERE {where_sql}"), params
).fetchone()
total = total_row[0] if total_row else 0
rows = db.execute(
text(f"""
SELECT * FROM compliance_quality_metrics
WHERE {where_sql}
ORDER BY category, name
LIMIT :limit OFFSET :offset
"""),
params,
).fetchall()
return {"metrics": [_row_to_dict(r) for r in rows], "total": total}
@router.post("/metrics", status_code=201)
async def create_metric(
payload: MetricCreate,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Create a new quality metric."""
tenant_id = _get_tenant_id(x_tenant_id)
row = db.execute(text("""
INSERT INTO compliance_quality_metrics
(tenant_id, name, category, score, threshold, trend, ai_system, last_measured)
VALUES
(:tenant_id, :name, :category, :score, :threshold, :trend, :ai_system, :last_measured)
RETURNING *
"""), {
"tenant_id": tenant_id,
"name": payload.name,
"category": payload.category,
"score": payload.score,
"threshold": payload.threshold,
"trend": payload.trend,
"ai_system": payload.ai_system,
"last_measured": payload.last_measured or datetime.utcnow(),
}).fetchone()
db.commit()
return _row_to_dict(row)
@router.put("/metrics/{metric_id}")
async def update_metric(
metric_id: str,
payload: MetricUpdate,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Update a quality metric."""
tenant_id = _get_tenant_id(x_tenant_id)
updates: Dict[str, Any] = {"id": metric_id, "tenant_id": tenant_id, "updated_at": datetime.utcnow()}
set_clauses = ["updated_at = :updated_at"]
for field, value in payload.model_dump(exclude_unset=True).items():
updates[field] = value
set_clauses.append(f"{field} = :{field}")
if len(set_clauses) == 1:
raise HTTPException(status_code=400, detail="No fields to update")
row = db.execute(text(f"""
UPDATE compliance_quality_metrics
SET {', '.join(set_clauses)}
WHERE id = :id AND tenant_id = :tenant_id
RETURNING *
"""), updates).fetchone()
db.commit()
if not row:
raise HTTPException(status_code=404, detail="Metric not found")
return _row_to_dict(row)
@router.delete("/metrics/{metric_id}", status_code=204)
async def delete_metric(
metric_id: str,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
tenant_id = _get_tenant_id(x_tenant_id)
result = db.execute(text("""
DELETE FROM compliance_quality_metrics
WHERE id = :id AND tenant_id = :tenant_id
"""), {"id": metric_id, "tenant_id": tenant_id})
db.commit()
if result.rowcount == 0:
raise HTTPException(status_code=404, detail="Metric not found")
# =============================================================================
# Tests
# =============================================================================
@router.get("/tests")
async def list_tests(
status: Optional[str] = Query(None),
ai_system: Optional[str] = Query(None),
limit: int = Query(100, ge=1, le=500),
offset: int = Query(0, ge=0),
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""List quality tests."""
tenant_id = _get_tenant_id(x_tenant_id)
where_clauses = ["tenant_id = :tenant_id"]
params: Dict[str, Any] = {"tenant_id": tenant_id, "limit": limit, "offset": offset}
if status:
where_clauses.append("status = :status")
params["status"] = status
if ai_system:
where_clauses.append("ai_system ILIKE :ai_system")
params["ai_system"] = f"%{ai_system}%"
where_sql = " AND ".join(where_clauses)
total_row = db.execute(
text(f"SELECT COUNT(*) FROM compliance_quality_tests WHERE {where_sql}"), params
).fetchone()
total = total_row[0] if total_row else 0
rows = db.execute(
text(f"""
SELECT * FROM compliance_quality_tests
WHERE {where_sql}
ORDER BY last_run DESC NULLS LAST, created_at DESC
LIMIT :limit OFFSET :offset
"""),
params,
).fetchall()
return {"tests": [_row_to_dict(r) for r in rows], "total": total}
@router.post("/tests", status_code=201)
async def create_test(
payload: TestCreate,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Create a new quality test entry."""
tenant_id = _get_tenant_id(x_tenant_id)
row = db.execute(text("""
INSERT INTO compliance_quality_tests
(tenant_id, name, status, duration, ai_system, details, last_run)
VALUES
(:tenant_id, :name, :status, :duration, :ai_system, :details, :last_run)
RETURNING *
"""), {
"tenant_id": tenant_id,
"name": payload.name,
"status": payload.status,
"duration": payload.duration,
"ai_system": payload.ai_system,
"details": payload.details,
"last_run": payload.last_run or datetime.utcnow(),
}).fetchone()
db.commit()
return _row_to_dict(row)
@router.put("/tests/{test_id}")
async def update_test(
test_id: str,
payload: TestUpdate,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Update a quality test."""
tenant_id = _get_tenant_id(x_tenant_id)
updates: Dict[str, Any] = {"id": test_id, "tenant_id": tenant_id, "updated_at": datetime.utcnow()}
set_clauses = ["updated_at = :updated_at"]
for field, value in payload.model_dump(exclude_unset=True).items():
updates[field] = value
set_clauses.append(f"{field} = :{field}")
if len(set_clauses) == 1:
raise HTTPException(status_code=400, detail="No fields to update")
row = db.execute(text(f"""
UPDATE compliance_quality_tests
SET {', '.join(set_clauses)}
WHERE id = :id AND tenant_id = :tenant_id
RETURNING *
"""), updates).fetchone()
db.commit()
if not row:
raise HTTPException(status_code=404, detail="Test not found")
return _row_to_dict(row)
@router.delete("/tests/{test_id}", status_code=204)
async def delete_test(
test_id: str,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
tenant_id = _get_tenant_id(x_tenant_id)
result = db.execute(text("""
DELETE FROM compliance_quality_tests
WHERE id = :id AND tenant_id = :tenant_id
"""), {"id": test_id, "tenant_id": tenant_id})
db.commit()
if result.rowcount == 0:
raise HTTPException(status_code=404, detail="Test not found")

270
backend-compliance/compliance/api/security_backlog_routes.py Normal file
View File

@@ -0,0 +1,270 @@
"""
FastAPI routes for Security Backlog Tracking.
Endpoints:
GET /security-backlog — list with filters (status, severity, type, search; limit/offset)
GET /security-backlog/stats — open, critical, high, overdue counts
POST /security-backlog — create finding
PUT /security-backlog/{id} — update finding
DELETE /security-backlog/{id} — delete finding (204)
"""
import logging
from datetime import datetime
from typing import Optional, Any, Dict
from fastapi import APIRouter, Depends, HTTPException, Query, Header
from pydantic import BaseModel
from sqlalchemy import text
from sqlalchemy.orm import Session
from uuid import UUID
from classroom_engine.database import get_db
logger = logging.getLogger(__name__)
router = APIRouter(prefix="/security-backlog", tags=["security-backlog"])
DEFAULT_TENANT_ID = "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
# =============================================================================
# Pydantic Schemas
# =============================================================================
class SecurityItemCreate(BaseModel):
title: str
description: Optional[str] = None
type: str = "vulnerability"
severity: str = "medium"
status: str = "open"
source: Optional[str] = None
cve: Optional[str] = None
cvss: Optional[float] = None
affected_asset: Optional[str] = None
assigned_to: Optional[str] = None
due_date: Optional[datetime] = None
remediation: Optional[str] = None
class SecurityItemUpdate(BaseModel):
title: Optional[str] = None
description: Optional[str] = None
type: Optional[str] = None
severity: Optional[str] = None
status: Optional[str] = None
source: Optional[str] = None
cve: Optional[str] = None
cvss: Optional[float] = None
affected_asset: Optional[str] = None
assigned_to: Optional[str] = None
due_date: Optional[datetime] = None
remediation: Optional[str] = None
def _row_to_dict(row) -> Dict[str, Any]:
result = dict(row._mapping)
for key, val in result.items():
if isinstance(val, datetime):
result[key] = val.isoformat()
elif hasattr(val, '__str__') and not isinstance(val, (str, int, float, bool, list, dict, type(None))):
result[key] = str(val)
return result
def _get_tenant_id(x_tenant_id: Optional[str] = Header(None)) -> str:
if x_tenant_id:
try:
UUID(x_tenant_id)
return x_tenant_id
except ValueError:
pass
return DEFAULT_TENANT_ID
# =============================================================================
# Routes
# =============================================================================
@router.get("")
async def list_security_items(
status: Optional[str] = Query(None),
severity: Optional[str] = Query(None),
type: Optional[str] = Query(None),
search: Optional[str] = Query(None),
limit: int = Query(100, ge=1, le=500),
offset: int = Query(0, ge=0),
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""List security backlog items with optional filters."""
tenant_id = _get_tenant_id(x_tenant_id)
where_clauses = ["tenant_id = :tenant_id"]
params: Dict[str, Any] = {"tenant_id": tenant_id, "limit": limit, "offset": offset}
if status:
where_clauses.append("status = :status")
params["status"] = status
if severity:
where_clauses.append("severity = :severity")
params["severity"] = severity
if type:
where_clauses.append("type = :type")
params["type"] = type
if search:
where_clauses.append("(title ILIKE :search OR description ILIKE :search)")
params["search"] = f"%{search}%"
where_sql = " AND ".join(where_clauses)
total_row = db.execute(
text(f"SELECT COUNT(*) FROM compliance_security_backlog WHERE {where_sql}"),
params,
).fetchone()
total = total_row[0] if total_row else 0
rows = db.execute(
text(f"""
SELECT * FROM compliance_security_backlog
WHERE {where_sql}
ORDER BY
CASE severity
WHEN 'critical' THEN 0
WHEN 'high' THEN 1
WHEN 'medium' THEN 2
ELSE 3
END,
CASE status
WHEN 'open' THEN 0
WHEN 'in-progress' THEN 1
WHEN 'accepted-risk' THEN 2
ELSE 3
END,
created_at DESC
LIMIT :limit OFFSET :offset
"""),
params,
).fetchall()
return {
"items": [_row_to_dict(r) for r in rows],
"total": total,
}
@router.get("/stats")
async def get_security_stats(
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Return security backlog counts."""
tenant_id = _get_tenant_id(x_tenant_id)
rows = db.execute(text("""
SELECT
COUNT(*) FILTER (WHERE status = 'open') AS open,
COUNT(*) FILTER (WHERE status = 'in-progress') AS in_progress,
COUNT(*) FILTER (WHERE status = 'resolved') AS resolved,
COUNT(*) FILTER (WHERE status = 'accepted-risk') AS accepted_risk,
COUNT(*) FILTER (WHERE severity = 'critical' AND status != 'resolved') AS critical,
COUNT(*) FILTER (WHERE severity = 'high' AND status != 'resolved') AS high,
COUNT(*) FILTER (
WHERE due_date IS NOT NULL
AND due_date < NOW()
AND status NOT IN ('resolved', 'accepted-risk')
) AS overdue,
COUNT(*) AS total
FROM compliance_security_backlog
WHERE tenant_id = :tenant_id
"""), {"tenant_id": tenant_id}).fetchone()
if rows:
d = dict(rows._mapping)
return {k: (v or 0) for k, v in d.items()}
return {"open": 0, "in_progress": 0, "resolved": 0, "accepted_risk": 0,
"critical": 0, "high": 0, "overdue": 0, "total": 0}
@router.post("", status_code=201)
async def create_security_item(
payload: SecurityItemCreate,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Create a new security backlog item."""
tenant_id = _get_tenant_id(x_tenant_id)
row = db.execute(text("""
INSERT INTO compliance_security_backlog
(tenant_id, title, description, type, severity, status,
source, cve, cvss, affected_asset, assigned_to, due_date, remediation)
VALUES
(:tenant_id, :title, :description, :type, :severity, :status,
:source, :cve, :cvss, :affected_asset, :assigned_to, :due_date, :remediation)
RETURNING *
"""), {
"tenant_id": tenant_id,
"title": payload.title,
"description": payload.description,
"type": payload.type,
"severity": payload.severity,
"status": payload.status,
"source": payload.source,
"cve": payload.cve,
"cvss": payload.cvss,
"affected_asset": payload.affected_asset,
"assigned_to": payload.assigned_to,
"due_date": payload.due_date,
"remediation": payload.remediation,
}).fetchone()
db.commit()
return _row_to_dict(row)
@router.put("/{item_id}")
async def update_security_item(
item_id: str,
payload: SecurityItemUpdate,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
"""Update a security backlog item."""
tenant_id = _get_tenant_id(x_tenant_id)
updates: Dict[str, Any] = {"id": item_id, "tenant_id": tenant_id, "updated_at": datetime.utcnow()}
set_clauses = ["updated_at = :updated_at"]
for field, value in payload.model_dump(exclude_unset=True).items():
updates[field] = value
set_clauses.append(f"{field} = :{field}")
if len(set_clauses) == 1:
raise HTTPException(status_code=400, detail="No fields to update")
row = db.execute(text(f"""
UPDATE compliance_security_backlog
SET {', '.join(set_clauses)}
WHERE id = :id AND tenant_id = :tenant_id
RETURNING *
"""), updates).fetchone()
db.commit()
if not row:
raise HTTPException(status_code=404, detail="Security item not found")
return _row_to_dict(row)
@router.delete("/{item_id}", status_code=204)
async def delete_security_item(
item_id: str,
db: Session = Depends(get_db),
x_tenant_id: Optional[str] = Header(None),
):
tenant_id = _get_tenant_id(x_tenant_id)
result = db.execute(text("""
DELETE FROM compliance_security_backlog
WHERE id = :id AND tenant_id = :tenant_id
"""), {"id": item_id, "tenant_id": tenant_id})
db.commit()
if result.rowcount == 0:
raise HTTPException(status_code=404, detail="Security item not found")

28
backend-compliance/migrations/014_security_backlog.sql Normal file
View File

@@ -0,0 +1,28 @@
-- Migration 014: Security Backlog
-- Tracking security findings, vulnerabilities, and compliance issues
CREATE TABLE IF NOT EXISTS compliance_security_backlog (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL DEFAULT '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
title TEXT NOT NULL,
description TEXT,
type TEXT NOT NULL DEFAULT 'vulnerability',
-- vulnerability | misconfiguration | compliance | hardening
severity TEXT NOT NULL DEFAULT 'medium',
-- critical | high | medium | low
status TEXT NOT NULL DEFAULT 'open',
-- open | in-progress | resolved | accepted-risk
source TEXT,
cve TEXT,
cvss NUMERIC(4,1),
affected_asset TEXT,
assigned_to TEXT,
due_date TIMESTAMPTZ,
remediation TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_security_backlog_tenant ON compliance_security_backlog(tenant_id);
CREATE INDEX IF NOT EXISTS idx_security_backlog_status ON compliance_security_backlog(status);
CREATE INDEX IF NOT EXISTS idx_security_backlog_severity ON compliance_security_backlog(severity);

36
backend-compliance/migrations/015_quality.sql Normal file
View File

@@ -0,0 +1,36 @@
-- Migration 015: AI Quality Metrics and Tests
-- Tracking AI system quality metrics and test results
CREATE TABLE IF NOT EXISTS compliance_quality_metrics (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL DEFAULT '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
name TEXT NOT NULL,
category TEXT NOT NULL DEFAULT 'accuracy',
-- accuracy | fairness | robustness | explainability | performance
score NUMERIC(5,2) NOT NULL DEFAULT 0,
threshold NUMERIC(5,2) NOT NULL DEFAULT 80,
trend TEXT DEFAULT 'stable',
-- up | down | stable
ai_system TEXT,
last_measured TIMESTAMPTZ DEFAULT NOW(),
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_quality_metrics_tenant ON compliance_quality_metrics(tenant_id);
CREATE TABLE IF NOT EXISTS compliance_quality_tests (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL DEFAULT '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
name TEXT NOT NULL,
status TEXT NOT NULL DEFAULT 'pending',
-- passed | failed | warning | pending
duration TEXT,
ai_system TEXT,
details TEXT,
last_run TIMESTAMPTZ DEFAULT NOW(),
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_quality_tests_tenant ON compliance_quality_tests(tenant_id);

43
backend-compliance/migrations/016_notfallplan_incidents.sql Normal file
View File

@@ -0,0 +1,43 @@
-- Migration 016: Notfallplan Incidents and Melde-Templates
-- Extends Notfallplan module with incident register and template management
CREATE TABLE IF NOT EXISTS compliance_notfallplan_incidents (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id TEXT NOT NULL DEFAULT 'default',
title TEXT NOT NULL,
description TEXT,
detected_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
detected_by TEXT,
status TEXT NOT NULL DEFAULT 'detected',
-- detected | classified | assessed | reported | not_reportable | closed
severity TEXT NOT NULL DEFAULT 'medium',
-- low | medium | high | critical
affected_data_categories JSONB DEFAULT '[]'::jsonb,
estimated_affected_persons INTEGER DEFAULT 0,
measures JSONB DEFAULT '[]'::jsonb,
art34_required BOOLEAN DEFAULT FALSE,
art34_justification TEXT,
reported_to_authority_at TIMESTAMPTZ,
notified_affected_at TIMESTAMPTZ,
closed_at TIMESTAMPTZ,
closed_by TEXT,
lessons_learned TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_incidents_tenant ON compliance_notfallplan_incidents(tenant_id);
CREATE INDEX IF NOT EXISTS idx_incidents_status ON compliance_notfallplan_incidents(status);
CREATE TABLE IF NOT EXISTS compliance_notfallplan_templates (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id TEXT NOT NULL DEFAULT 'default',
type TEXT NOT NULL DEFAULT 'art33',
-- art33 | art34
title TEXT NOT NULL,
content TEXT NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_templates_tenant ON compliance_notfallplan_templates(tenant_id);

45
backend-compliance/migrations/017_loeschfristen.sql Normal file
View File

@@ -0,0 +1,45 @@
-- Migration 017: Loeschfristen (Retention Policies)
-- Full retention policy management with legal holds and storage locations
CREATE TABLE IF NOT EXISTS compliance_loeschfristen (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL DEFAULT '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
policy_id TEXT, -- "LF-2026-001"
data_object_name TEXT NOT NULL,
description TEXT,
affected_groups JSONB DEFAULT '[]'::jsonb,
data_categories JSONB DEFAULT '[]'::jsonb,
primary_purpose TEXT,
deletion_trigger TEXT NOT NULL DEFAULT 'PURPOSE_END',
-- PURPOSE_END | RETENTION_DRIVER | LEGAL_HOLD
retention_driver TEXT,
-- AO_147 | HGB_257 | USTG_14B | BGB_195 | ARBZG_16 | AGG_15 | BDSG_35 | BSIG | CUSTOM
retention_driver_detail TEXT,
retention_duration INTEGER,
retention_unit TEXT, -- DAYS | MONTHS | YEARS
retention_description TEXT,
start_event TEXT,
has_active_legal_hold BOOLEAN DEFAULT FALSE,
legal_holds JSONB DEFAULT '[]'::jsonb,
storage_locations JSONB DEFAULT '[]'::jsonb,
deletion_method TEXT DEFAULT 'MANUAL_REVIEW_DELETE',
deletion_method_detail TEXT,
responsible_role TEXT,
responsible_person TEXT,
release_process TEXT,
linked_vvt_activity_ids JSONB DEFAULT '[]'::jsonb,
status TEXT NOT NULL DEFAULT 'DRAFT',
-- DRAFT | ACTIVE | REVIEW_NEEDED | ARCHIVED
last_review_date TIMESTAMPTZ,
next_review_date TIMESTAMPTZ,
review_interval TEXT DEFAULT 'ANNUAL',
-- QUARTERLY | SEMI_ANNUAL | ANNUAL
tags JSONB DEFAULT '[]'::jsonb,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_loeschfristen_tenant ON compliance_loeschfristen(tenant_id);
CREATE INDEX IF NOT EXISTS idx_loeschfristen_status ON compliance_loeschfristen(status);
CREATE INDEX IF NOT EXISTS idx_loeschfristen_driver ON compliance_loeschfristen(retention_driver);
CREATE INDEX IF NOT EXISTS idx_loeschfristen_review ON compliance_loeschfristen(next_review_date) WHERE next_review_date IS NOT NULL;

630
backend-compliance/tests/test_loeschfristen_routes.py Normal file
View File

@@ -0,0 +1,630 @@
"""Tests for Loeschfristen routes and schemas (loeschfristen_routes.py)."""
import pytest
from unittest.mock import MagicMock
from fastapi.testclient import TestClient
from fastapi import FastAPI
from datetime import datetime
from compliance.api.loeschfristen_routes import (
LoeschfristCreate,
LoeschfristUpdate,
StatusUpdate,
_row_to_dict,
_get_tenant_id,
DEFAULT_TENANT_ID,
JSONB_FIELDS,
router,
)
app = FastAPI()
app.include_router(router)
client = TestClient(app)
DEFAULT_TENANT = DEFAULT_TENANT_ID # "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
POLICY_ID = "ffffffff-0001-0001-0001-000000000001"
UNKNOWN_ID = "aaaaaaaa-9999-9999-9999-999999999999"
# =============================================================================
# Helpers
# =============================================================================
def make_policy_row(overrides=None):
data = {
"id": POLICY_ID,
"tenant_id": DEFAULT_TENANT,
"policy_id": "LF-2024-001",
"data_object_name": "Kundendaten",
"description": "Kundendaten Loeschfrist",
"affected_groups": [],
"data_categories": [],
"primary_purpose": "Vertrag",
"deletion_trigger": "PURPOSE_END",
"retention_driver": "HGB_257",
"retention_driver_detail": None,
"retention_duration": 10,
"retention_unit": "YEARS",
"retention_description": None,
"start_event": None,
"has_active_legal_hold": False,
"legal_holds": [],
"storage_locations": [],
"deletion_method": "MANUAL_REVIEW_DELETE",
"deletion_method_detail": None,
"responsible_role": None,
"responsible_person": None,
"release_process": None,
"linked_vvt_activity_ids": [],
"status": "DRAFT",
"last_review_date": None,
"next_review_date": None,
"review_interval": "ANNUAL",
"tags": [],
"created_at": datetime(2024, 1, 1),
"updated_at": datetime(2024, 1, 1),
}
if overrides:
data.update(overrides)
row = MagicMock()
row._mapping = data
return row
def make_stats_row(overrides=None):
data = {
"total": 0,
"active": 0,
"draft": 0,
"review_needed": 0,
"archived": 0,
"legal_holds_count": 0,
"overdue_reviews": 0,
}
if overrides:
data.update(overrides)
row = MagicMock()
row._mapping = data
return row
@pytest.fixture
def mock_db():
from classroom_engine.database import get_db
db = MagicMock()
app.dependency_overrides[get_db] = lambda: db
yield db
app.dependency_overrides.clear()
# =============================================================================
# Helper / Utility Tests
# =============================================================================
class TestRowToDict:
def test_converts_datetime_to_isoformat(self):
row = make_policy_row({"created_at": datetime(2024, 6, 1, 12, 0, 0)})
result = _row_to_dict(row)
assert result["created_at"] == "2024-06-01T12:00:00"
def test_converts_none_datetime_remains_none(self):
row = make_policy_row({"next_review_date": None})
result = _row_to_dict(row)
assert result["next_review_date"] is None
def test_preserves_string_values(self):
row = make_policy_row({"data_object_name": "Mitarbeiterdaten"})
result = _row_to_dict(row)
assert result["data_object_name"] == "Mitarbeiterdaten"
def test_preserves_list_values(self):
row = make_policy_row({"tags": ["dsgvo", "hgb"]})
result = _row_to_dict(row)
assert result["tags"] == ["dsgvo", "hgb"]
def test_preserves_int_values(self):
row = make_policy_row({"retention_duration": 7})
result = _row_to_dict(row)
assert result["retention_duration"] == 7
class TestGetTenantId:
def test_valid_uuid_is_returned(self):
assert _get_tenant_id("9282a473-5c95-4b3a-bf78-0ecc0ec71d3e") == "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
def test_invalid_uuid_returns_default(self):
assert _get_tenant_id("not-a-uuid") == DEFAULT_TENANT_ID
def test_none_returns_default(self):
assert _get_tenant_id(None) == DEFAULT_TENANT_ID
class TestJsonbFields:
def test_jsonb_fields_set(self):
expected = {"affected_groups", "data_categories", "legal_holds",
"storage_locations", "linked_vvt_activity_ids", "tags"}
assert JSONB_FIELDS == expected
# =============================================================================
# Schema Tests — LoeschfristCreate
# =============================================================================
class TestLoeschfristCreate:
def test_minimal_requires_data_object_name(self):
obj = LoeschfristCreate(data_object_name="Kundendaten")
assert obj.data_object_name == "Kundendaten"
assert obj.deletion_trigger == "PURPOSE_END"
assert obj.status == "DRAFT"
assert obj.has_active_legal_hold is False
def test_full_object(self):
obj = LoeschfristCreate(
data_object_name="Mitarbeiterdaten",
description="HR-Daten",
primary_purpose="Arbeitsvertrag",
retention_driver="AO_147",
retention_duration=6,
retention_unit="YEARS",
status="ACTIVE",
tags=["hr", "personal"],
data_categories=["name", "address"],
)
assert obj.retention_duration == 6
assert obj.retention_unit == "YEARS"
assert obj.status == "ACTIVE"
assert len(obj.tags) == 2
def test_missing_data_object_name_raises_validation_error(self):
import pydantic
with pytest.raises(pydantic.ValidationError):
LoeschfristCreate()
def test_optional_fields_default_to_none(self):
obj = LoeschfristCreate(data_object_name="Test")
assert obj.description is None
assert obj.retention_duration is None
assert obj.responsible_role is None
assert obj.policy_id is None
class TestLoeschfristUpdate:
def test_empty_update(self):
obj = LoeschfristUpdate()
data = obj.model_dump(exclude_unset=True)
assert data == {}
def test_partial_update_status(self):
obj = LoeschfristUpdate(status="ACTIVE")
data = obj.model_dump(exclude_unset=True)
assert data == {"status": "ACTIVE"}
def test_partial_update_multiple_fields(self):
obj = LoeschfristUpdate(
data_object_name="Neuer Name",
retention_duration=5,
retention_unit="YEARS",
)
data = obj.model_dump(exclude_unset=True)
assert data["data_object_name"] == "Neuer Name"
assert data["retention_duration"] == 5
assert "status" not in data
class TestStatusUpdateSchema:
def test_valid_status(self):
obj = StatusUpdate(status="ACTIVE")
assert obj.status == "ACTIVE"
def test_all_valid_statuses(self):
for s in ("DRAFT", "ACTIVE", "REVIEW_NEEDED", "ARCHIVED"):
obj = StatusUpdate(status=s)
assert obj.status == s
# =============================================================================
# GET /loeschfristen — List
# =============================================================================
class TestListLoeschfristen:
def test_list_returns_empty(self, mock_db):
mock_db.execute.return_value.fetchone.return_value = MagicMock(__getitem__=lambda s, i: 0)
mock_db.execute.return_value.fetchall.return_value = []
# Two execute calls: COUNT then SELECT
count_result = MagicMock()
count_result.__getitem__ = lambda s, i: 0
list_result = MagicMock()
list_result.fetchall.return_value = []
mock_db.execute.side_effect = [
MagicMock(fetchone=lambda: count_result),
list_result,
]
resp = client.get("/loeschfristen")
assert resp.status_code == 200
body = resp.json()
assert "policies" in body
assert "total" in body
def test_list_returns_policies(self, mock_db):
count_result = MagicMock()
count_result.__getitem__ = lambda s, i: 1
policy_row = make_policy_row()
list_result = MagicMock()
list_result.fetchall.return_value = [policy_row]
mock_db.execute.side_effect = [
MagicMock(fetchone=lambda: count_result),
list_result,
]
resp = client.get("/loeschfristen")
assert resp.status_code == 200
body = resp.json()
assert len(body["policies"]) == 1
assert body["policies"][0]["data_object_name"] == "Kundendaten"
def test_list_filter_by_status(self, mock_db):
count_result = MagicMock()
count_result.__getitem__ = lambda s, i: 0
list_result = MagicMock()
list_result.fetchall.return_value = []
mock_db.execute.side_effect = [
MagicMock(fetchone=lambda: count_result),
list_result,
]
resp = client.get("/loeschfristen?status=ACTIVE")
assert resp.status_code == 200
def test_list_filter_by_retention_driver(self, mock_db):
count_result = MagicMock()
count_result.__getitem__ = lambda s, i: 0
list_result = MagicMock()
list_result.fetchall.return_value = []
mock_db.execute.side_effect = [
MagicMock(fetchone=lambda: count_result),
list_result,
]
resp = client.get("/loeschfristen?retention_driver=HGB_257")
assert resp.status_code == 200
def test_list_filter_by_search(self, mock_db):
count_result = MagicMock()
count_result.__getitem__ = lambda s, i: 0
list_result = MagicMock()
list_result.fetchall.return_value = []
mock_db.execute.side_effect = [
MagicMock(fetchone=lambda: count_result),
list_result,
]
resp = client.get("/loeschfristen?search=Kunden")
assert resp.status_code == 200
def test_list_uses_default_tenant(self, mock_db):
count_result = MagicMock()
count_result.__getitem__ = lambda s, i: 0
list_result = MagicMock()
list_result.fetchall.return_value = []
mock_db.execute.side_effect = [
MagicMock(fetchone=lambda: count_result),
list_result,
]
client.get("/loeschfristen")
# First call is the COUNT query
first_call_params = mock_db.execute.call_args_list[0][0][1]
assert first_call_params["tenant_id"] == DEFAULT_TENANT
def test_list_pagination_params(self, mock_db):
count_result = MagicMock()
count_result.__getitem__ = lambda s, i: 0
list_result = MagicMock()
list_result.fetchall.return_value = []
mock_db.execute.side_effect = [
MagicMock(fetchone=lambda: count_result),
list_result,
]
resp = client.get("/loeschfristen?limit=10&offset=20")
assert resp.status_code == 200
# =============================================================================
# GET /loeschfristen/stats
# =============================================================================
class TestGetLoeschfristenStats:
def test_stats_returns_all_keys(self, mock_db):
stats_row = make_stats_row()
mock_db.execute.return_value.fetchone.return_value = stats_row
resp = client.get("/loeschfristen/stats")
assert resp.status_code == 200
body = resp.json()
for key in ("total", "active", "draft", "review_needed", "archived",
"legal_holds_count", "overdue_reviews"):
assert key in body, f"Missing key: {key}"
def test_stats_returns_correct_counts(self, mock_db):
stats_row = make_stats_row({
"total": 10,
"active": 4,
"draft": 3,
"review_needed": 2,
"archived": 1,
"legal_holds_count": 1,
"overdue_reviews": 0,
})
mock_db.execute.return_value.fetchone.return_value = stats_row
resp = client.get("/loeschfristen/stats")
assert resp.status_code == 200
body = resp.json()
assert body["total"] == 10
assert body["active"] == 4
assert body["draft"] == 3
assert body["review_needed"] == 2
assert body["archived"] == 1
assert body["legal_holds_count"] == 1
def test_stats_all_zeros_when_no_data(self, mock_db):
stats_row = make_stats_row()
mock_db.execute.return_value.fetchone.return_value = stats_row
resp = client.get("/loeschfristen/stats")
assert resp.status_code == 200
body = resp.json()
for key in ("total", "active", "draft", "review_needed", "archived",
"legal_holds_count", "overdue_reviews"):
assert body[key] == 0
def test_stats_uses_default_tenant(self, mock_db):
stats_row = make_stats_row()
mock_db.execute.return_value.fetchone.return_value = stats_row
client.get("/loeschfristen/stats")
call_params = mock_db.execute.call_args[0][1]
assert call_params["tenant_id"] == DEFAULT_TENANT
def test_stats_with_valid_tenant_header(self, mock_db):
stats_row = make_stats_row()
mock_db.execute.return_value.fetchone.return_value = stats_row
client.get(
"/loeschfristen/stats",
headers={"x-tenant-id": "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"},
)
call_params = mock_db.execute.call_args[0][1]
assert call_params["tenant_id"] == "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
# =============================================================================
# POST /loeschfristen
# =============================================================================
class TestCreateLoeschfrist:
def test_create_minimal(self, mock_db):
row = make_policy_row()
mock_db.execute.return_value.fetchone.return_value = row
resp = client.post("/loeschfristen", json={"data_object_name": "Kundendaten"})
assert resp.status_code == 201
assert resp.json()["data_object_name"] == "Kundendaten"
def test_create_missing_data_object_name_returns_422(self, mock_db):
resp = client.post("/loeschfristen", json={"description": "No name"})
assert resp.status_code == 422
def test_create_full_payload(self, mock_db):
row = make_policy_row({
"data_object_name": "Mitarbeiterdaten",
"status": "ACTIVE",
"retention_duration": 6,
"retention_unit": "YEARS",
})
mock_db.execute.return_value.fetchone.return_value = row
resp = client.post("/loeschfristen", json={
"data_object_name": "Mitarbeiterdaten",
"description": "HR-Datensatz",
"retention_driver": "AO_147",
"retention_duration": 6,
"retention_unit": "YEARS",
"status": "ACTIVE",
})
assert resp.status_code == 201
data = resp.json()
assert data["status"] == "ACTIVE"
assert data["retention_duration"] == 6
def test_create_commits(self, mock_db):
row = make_policy_row()
mock_db.execute.return_value.fetchone.return_value = row
client.post("/loeschfristen", json={"data_object_name": "X"})
mock_db.commit.assert_called_once()
def test_create_uses_default_tenant(self, mock_db):
row = make_policy_row()
mock_db.execute.return_value.fetchone.return_value = row
client.post("/loeschfristen", json={"data_object_name": "X"})
call_params = mock_db.execute.call_args[0][1]
assert call_params["tenant_id"] == DEFAULT_TENANT
def test_create_jsonb_fields_are_json_encoded(self, mock_db):
row = make_policy_row()
mock_db.execute.return_value.fetchone.return_value = row
client.post("/loeschfristen", json={
"data_object_name": "Test",
"tags": ["a", "b"],
"data_categories": ["name"],
})
call_params = mock_db.execute.call_args[0][1]
import json
# JSONB fields must be JSON strings for CAST
assert json.loads(call_params["tags"]) == ["a", "b"]
assert json.loads(call_params["data_categories"]) == ["name"]
# =============================================================================
# GET /loeschfristen/{id}
# =============================================================================
class TestGetLoeschfrist:
def test_get_existing_policy(self, mock_db):
row = make_policy_row()
mock_db.execute.return_value.fetchone.return_value = row
resp = client.get(f"/loeschfristen/{POLICY_ID}")
assert resp.status_code == 200
assert resp.json()["data_object_name"] == "Kundendaten"
def test_get_not_found_returns_404(self, mock_db):
mock_db.execute.return_value.fetchone.return_value = None
resp = client.get(f"/loeschfristen/{UNKNOWN_ID}")
assert resp.status_code == 404
def test_get_passes_id_and_tenant(self, mock_db):
row = make_policy_row()
mock_db.execute.return_value.fetchone.return_value = row
client.get(f"/loeschfristen/{POLICY_ID}")
call_params = mock_db.execute.call_args[0][1]
assert call_params["id"] == POLICY_ID
assert call_params["tenant_id"] == DEFAULT_TENANT
def test_get_all_fields_present(self, mock_db):
row = make_policy_row()
mock_db.execute.return_value.fetchone.return_value = row
resp = client.get(f"/loeschfristen/{POLICY_ID}")
assert resp.status_code == 200
body = resp.json()
for field in ("id", "tenant_id", "data_object_name", "status",
"retention_duration", "retention_unit", "created_at", "updated_at"):
assert field in body, f"Missing field: {field}"
# =============================================================================
# PUT /loeschfristen/{id}
# =============================================================================
class TestUpdateLoeschfrist:
def test_update_success(self, mock_db):
updated_row = make_policy_row({"data_object_name": "Neuer Name"})
mock_db.execute.return_value.fetchone.return_value = updated_row
resp = client.put(f"/loeschfristen/{POLICY_ID}", json={"data_object_name": "Neuer Name"})
assert resp.status_code == 200
assert resp.json()["data_object_name"] == "Neuer Name"
def test_update_not_found_returns_404(self, mock_db):
mock_db.execute.return_value.fetchone.return_value = None
resp = client.put(f"/loeschfristen/{UNKNOWN_ID}", json={"data_object_name": "X"})
assert resp.status_code == 404
def test_update_empty_body_returns_400(self, mock_db):
resp = client.put(f"/loeschfristen/{POLICY_ID}", json={})
assert resp.status_code == 400
def test_update_jsonb_field(self, mock_db):
updated_row = make_policy_row({"tags": ["urgent"]})
mock_db.execute.return_value.fetchone.return_value = updated_row
resp = client.put(f"/loeschfristen/{POLICY_ID}", json={"tags": ["urgent"]})
assert resp.status_code == 200
call_params = mock_db.execute.call_args[0][1]
import json
assert json.loads(call_params["tags"]) == ["urgent"]
def test_update_sets_updated_at(self, mock_db):
updated_row = make_policy_row()
mock_db.execute.return_value.fetchone.return_value = updated_row
client.put(f"/loeschfristen/{POLICY_ID}", json={"status": "ACTIVE"})
call_params = mock_db.execute.call_args[0][1]
assert "updated_at" in call_params
def test_update_commits(self, mock_db):
updated_row = make_policy_row()
mock_db.execute.return_value.fetchone.return_value = updated_row
client.put(f"/loeschfristen/{POLICY_ID}", json={"status": "ACTIVE"})
mock_db.commit.assert_called_once()
# =============================================================================
# PUT /loeschfristen/{id}/status
# =============================================================================
class TestUpdateLoeschfristStatus:
def test_valid_status_active(self, mock_db):
updated_row = make_policy_row({"status": "ACTIVE"})
mock_db.execute.return_value.fetchone.return_value = updated_row
resp = client.put(f"/loeschfristen/{POLICY_ID}/status", json={"status": "ACTIVE"})
assert resp.status_code == 200
assert resp.json()["status"] == "ACTIVE"
def test_valid_status_archived(self, mock_db):
updated_row = make_policy_row({"status": "ARCHIVED"})
mock_db.execute.return_value.fetchone.return_value = updated_row
resp = client.put(f"/loeschfristen/{POLICY_ID}/status", json={"status": "ARCHIVED"})
assert resp.status_code == 200
def test_valid_status_review_needed(self, mock_db):
updated_row = make_policy_row({"status": "REVIEW_NEEDED"})
mock_db.execute.return_value.fetchone.return_value = updated_row
resp = client.put(f"/loeschfristen/{POLICY_ID}/status", json={"status": "REVIEW_NEEDED"})
assert resp.status_code == 200
def test_valid_status_draft(self, mock_db):
updated_row = make_policy_row({"status": "DRAFT"})
mock_db.execute.return_value.fetchone.return_value = updated_row
resp = client.put(f"/loeschfristen/{POLICY_ID}/status", json={"status": "DRAFT"})
assert resp.status_code == 200
def test_invalid_status_returns_400(self, mock_db):
resp = client.put(f"/loeschfristen/{POLICY_ID}/status", json={"status": "INVALID_STATUS"})
assert resp.status_code == 400
def test_status_not_found_returns_404(self, mock_db):
mock_db.execute.return_value.fetchone.return_value = None
resp = client.put(f"/loeschfristen/{UNKNOWN_ID}/status", json={"status": "ACTIVE"})
assert resp.status_code == 404
def test_status_update_commits(self, mock_db):
updated_row = make_policy_row()
mock_db.execute.return_value.fetchone.return_value = updated_row
client.put(f"/loeschfristen/{POLICY_ID}/status", json={"status": "ACTIVE"})
mock_db.commit.assert_called_once()
def test_status_update_passes_correct_params(self, mock_db):
updated_row = make_policy_row({"status": "ACTIVE"})
mock_db.execute.return_value.fetchone.return_value = updated_row
client.put(f"/loeschfristen/{POLICY_ID}/status", json={"status": "ACTIVE"})
call_params = mock_db.execute.call_args[0][1]
assert call_params["status"] == "ACTIVE"
assert call_params["id"] == POLICY_ID
assert call_params["tenant_id"] == DEFAULT_TENANT
# =============================================================================
# DELETE /loeschfristen/{id}
# =============================================================================
class TestDeleteLoeschfrist:
def test_delete_success_returns_204(self, mock_db):
mock_db.execute.return_value.rowcount = 1
resp = client.delete(f"/loeschfristen/{POLICY_ID}")
assert resp.status_code == 204
def test_delete_not_found_returns_404(self, mock_db):
mock_db.execute.return_value.rowcount = 0
resp = client.delete(f"/loeschfristen/{UNKNOWN_ID}")
assert resp.status_code == 404
def test_delete_commits(self, mock_db):
mock_db.execute.return_value.rowcount = 1
client.delete(f"/loeschfristen/{POLICY_ID}")
mock_db.commit.assert_called_once()
def test_delete_commits_before_rowcount_check(self, mock_db):
mock_db.execute.return_value.rowcount = 0
client.delete(f"/loeschfristen/{UNKNOWN_ID}")
mock_db.commit.assert_called_once()
def test_delete_passes_correct_id_and_tenant(self, mock_db):
mock_db.execute.return_value.rowcount = 1
client.delete(f"/loeschfristen/{POLICY_ID}")
call_params = mock_db.execute.call_args[0][1]
assert call_params["id"] == POLICY_ID
assert call_params["tenant_id"] == DEFAULT_TENANT
def test_delete_with_custom_tenant(self, mock_db):
mock_db.execute.return_value.rowcount = 1
client.delete(
f"/loeschfristen/{POLICY_ID}",
headers={"x-tenant-id": "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"},
)
call_params = mock_db.execute.call_args[0][1]
assert call_params["tenant_id"] == "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"

653
backend-compliance/tests/test_notfallplan_routes.py
View File

@@ -1,6 +1,14 @@
"""Tests for Notfallplan routes and schemas (notfallplan_routes.py)."""
"""Tests for Notfallplan routes and schemas (notfallplan_routes.py).
Covers existing schema tests plus the new incidents and templates HTTP endpoints.
"""
import pytest
from unittest.mock import MagicMock
from fastapi.testclient import TestClient
from fastapi import FastAPI
from datetime import datetime
from compliance.api.notfallplan_routes import (
ContactCreate,
ContactUpdate,
@@ -8,11 +16,87 @@ from compliance.api.notfallplan_routes import (
ScenarioUpdate,
ChecklistCreate,
ExerciseCreate,
IncidentCreate,
TemplateCreate,
router,
)
app = FastAPI()
app.include_router(router)
client = TestClient(app)
DEFAULT_TENANT = "default"
INCIDENT_ID = "dddddddd-0001-0001-0001-000000000001"
TEMPLATE_ID = "eeeeeeee-0001-0001-0001-000000000001"
UNKNOWN_ID = "aaaaaaaa-9999-9999-9999-999999999999"
# =============================================================================
# Schema Tests — ContactCreate
# Helpers
# =============================================================================
def make_incident_row(overrides=None):
data = {
"id": INCIDENT_ID,
"tenant_id": DEFAULT_TENANT,
"title": "Test Incident",
"description": "An incident occurred",
"detected_at": datetime(2024, 1, 1),
"detected_by": "System",
"status": "detected",
"severity": "medium",
"affected_data_categories": [],
"estimated_affected_persons": 0,
"measures": [],
"art34_required": False,
"art34_justification": None,
"reported_to_authority_at": None,
"notified_affected_at": None,
"closed_at": None,
"closed_by": None,
"lessons_learned": None,
"created_at": datetime(2024, 1, 1),
"updated_at": datetime(2024, 1, 1),
}
if overrides:
data.update(overrides)
row = MagicMock()
for k, v in data.items():
setattr(row, k, v)
row._mapping = data
return row
def make_template_row(overrides=None):
data = {
"id": TEMPLATE_ID,
"tenant_id": DEFAULT_TENANT,
"type": "art33",
"title": "Art. 33 Template",
"content": "Sehr geehrte Behoerde...",
"created_at": datetime(2024, 1, 1),
"updated_at": datetime(2024, 1, 1),
}
if overrides:
data.update(overrides)
row = MagicMock()
for k, v in data.items():
setattr(row, k, v)
row._mapping = data
return row
@pytest.fixture
def mock_db():
from classroom_engine.database import get_db
db = MagicMock()
app.dependency_overrides[get_db] = lambda: db
yield db
app.dependency_overrides.clear()
# =============================================================================
# Existing Schema Tests — ContactCreate
# =============================================================================
class TestContactCreate:
@@ -46,7 +130,7 @@ class TestContactCreate:
# =============================================================================
# Schema Tests — ContactUpdate
# Existing Schema Tests — ContactUpdate
# =============================================================================
class TestContactUpdate:
@@ -62,7 +146,7 @@ class TestContactUpdate:
# =============================================================================
# Schema Tests — ScenarioCreate
# Existing Schema Tests — ScenarioCreate
# =============================================================================
class TestScenarioCreate:
@@ -100,7 +184,7 @@ class TestScenarioCreate:
# =============================================================================
# Schema Tests — ScenarioUpdate
# Existing Schema Tests — ScenarioUpdate
# =============================================================================
class TestScenarioUpdate:
@@ -121,7 +205,7 @@ class TestScenarioUpdate:
# =============================================================================
# Schema Tests — ChecklistCreate
# Existing Schema Tests — ChecklistCreate
# =============================================================================
class TestChecklistCreate:
@@ -144,7 +228,7 @@ class TestChecklistCreate:
# =============================================================================
# Schema Tests — ExerciseCreate
# Existing Schema Tests — ExerciseCreate
# =============================================================================
class TestExerciseCreate:
@@ -165,3 +249,558 @@ class TestExerciseCreate:
assert req.outcome == "passed"
assert len(req.participants) == 2
assert req.notes == "Übung verlief planmäßig"
# =============================================================================
# New Schema Tests — IncidentCreate / TemplateCreate
# =============================================================================
class TestIncidentCreateSchema:
def test_incident_create_minimal(self):
inc = IncidentCreate(title="Breach")
assert inc.title == "Breach"
assert inc.status == "detected"
assert inc.severity == "medium"
assert inc.estimated_affected_persons == 0
assert inc.art34_required is False
assert inc.affected_data_categories == []
assert inc.measures == []
def test_incident_create_full(self):
inc = IncidentCreate(
title="Big Breach",
description="Ransomware attack",
detected_by="SIEM",
status="assessed",
severity="critical",
affected_data_categories=["personal", "health"],
estimated_affected_persons=1000,
measures=["isolation", "backup restore"],
art34_required=True,
art34_justification="High risk to data subjects",
)
assert inc.severity == "critical"
assert inc.estimated_affected_persons == 1000
assert len(inc.affected_data_categories) == 2
assert inc.art34_required is True
def test_incident_create_serialization_excludes_none(self):
inc = IncidentCreate(title="T")
data = inc.model_dump(exclude_none=True)
assert data["title"] == "T"
assert "art34_justification" not in data
assert "description" not in data
class TestTemplateCreateSchema:
def test_template_create_requires_title_content(self):
t = TemplateCreate(title="T", content="C", type="art33")
assert t.title == "T"
assert t.content == "C"
assert t.type == "art33"
def test_template_create_default_type(self):
t = TemplateCreate(title="T", content="C")
assert t.type == "art33"
def test_template_create_art34_type(self):
t = TemplateCreate(title="Notification Letter", content="Dear...", type="art34")
assert t.type == "art34"
# =============================================================================
# Incidents — GET /notfallplan/incidents
# =============================================================================
class TestListIncidents:
def test_list_incidents_returns_empty_list(self, mock_db):
mock_db.execute.return_value.fetchall.return_value = []
resp = client.get("/notfallplan/incidents")
assert resp.status_code == 200
assert resp.json() == []
def test_list_incidents_returns_one_incident(self, mock_db):
row = make_incident_row()
mock_db.execute.return_value.fetchall.return_value = [row]
resp = client.get("/notfallplan/incidents")
assert resp.status_code == 200
data = resp.json()
assert len(data) == 1
assert data[0]["title"] == "Test Incident"
assert data[0]["status"] == "detected"
assert data[0]["severity"] == "medium"
def test_list_incidents_returns_multiple(self, mock_db):
rows = [
make_incident_row({"id": "id-1", "title": "Incident A"}),
make_incident_row({"id": "id-2", "title": "Incident B"}),
]
mock_db.execute.return_value.fetchall.return_value = rows
resp = client.get("/notfallplan/incidents")
assert resp.status_code == 200
assert len(resp.json()) == 2
def test_list_incidents_filter_by_status(self, mock_db):
mock_db.execute.return_value.fetchall.return_value = []
resp = client.get("/notfallplan/incidents?status=closed")
assert resp.status_code == 200
call_params = mock_db.execute.call_args[0][1]
assert call_params.get("status") == "closed"
def test_list_incidents_filter_by_severity(self, mock_db):
mock_db.execute.return_value.fetchall.return_value = []
resp = client.get("/notfallplan/incidents?severity=high")
assert resp.status_code == 200
call_params = mock_db.execute.call_args[0][1]
assert call_params.get("severity") == "high"
def test_list_incidents_filter_combined(self, mock_db):
mock_db.execute.return_value.fetchall.return_value = []
resp = client.get("/notfallplan/incidents?status=detected&severity=critical")
assert resp.status_code == 200
call_params = mock_db.execute.call_args[0][1]
assert call_params.get("status") == "detected"
assert call_params.get("severity") == "critical"
def test_list_incidents_uses_default_tenant(self, mock_db):
mock_db.execute.return_value.fetchall.return_value = []
resp = client.get("/notfallplan/incidents")
assert resp.status_code == 200
call_params = mock_db.execute.call_args[0][1]
assert call_params.get("tenant_id") == DEFAULT_TENANT
def test_list_incidents_custom_tenant_header(self, mock_db):
mock_db.execute.return_value.fetchall.return_value = []
resp = client.get("/notfallplan/incidents", headers={"X-Tenant-ID": "my-tenant"})
assert resp.status_code == 200
call_params = mock_db.execute.call_args[0][1]
assert call_params.get("tenant_id") == "my-tenant"
def test_list_incidents_all_fields_present(self, mock_db):
row = make_incident_row()
mock_db.execute.return_value.fetchall.return_value = [row]
resp = client.get("/notfallplan/incidents")
item = resp.json()[0]
expected_fields = (
"id", "tenant_id", "title", "description", "detected_at",
"detected_by", "status", "severity", "affected_data_categories",
"estimated_affected_persons", "measures", "art34_required",
"art34_justification", "reported_to_authority_at",
"notified_affected_at", "closed_at", "closed_by",
"lessons_learned", "created_at", "updated_at",
)
for field in expected_fields:
assert field in item, f"Missing field: {field}"
# =============================================================================
# Incidents — POST /notfallplan/incidents
# =============================================================================
class TestCreateIncident:
def test_create_incident_minimal(self, mock_db):
row = make_incident_row()
mock_db.execute.return_value.fetchone.return_value = row
resp = client.post("/notfallplan/incidents", json={"title": "New Incident"})
assert resp.status_code == 201
assert resp.json()["title"] == "Test Incident"
def test_create_incident_full_payload(self, mock_db):
row = make_incident_row({
"title": "Critical Breach",
"description": "Database exposed",
"detected_by": "SOC Team",
"status": "assessed",
"severity": "critical",
"estimated_affected_persons": 500,
})
mock_db.execute.return_value.fetchone.return_value = row
resp = client.post("/notfallplan/incidents", json={
"title": "Critical Breach",
"description": "Database exposed",
"detected_by": "SOC Team",
"status": "assessed",
"severity": "critical",
"estimated_affected_persons": 500,
})
assert resp.status_code == 201
data = resp.json()
assert data["severity"] == "critical"
assert data["estimated_affected_persons"] == 500
def test_create_incident_missing_title_returns_422(self, mock_db):
resp = client.post("/notfallplan/incidents", json={"description": "No title here"})
assert resp.status_code == 422
def test_create_incident_default_status_passed_to_db(self, mock_db):
row = make_incident_row()
mock_db.execute.return_value.fetchone.return_value = row
client.post("/notfallplan/incidents", json={"title": "T"})
call_params = mock_db.execute.call_args[0][1]
assert call_params["status"] == "detected"
assert call_params["severity"] == "medium"
def test_create_incident_commits(self, mock_db):
row = make_incident_row()
mock_db.execute.return_value.fetchone.return_value = row
client.post("/notfallplan/incidents", json={"title": "T"})
mock_db.commit.assert_called_once()
def test_create_incident_with_art34_required(self, mock_db):
row = make_incident_row({"art34_required": True, "art34_justification": "Hohe Risikobewertung"})
mock_db.execute.return_value.fetchone.return_value = row
resp = client.post("/notfallplan/incidents", json={
"title": "High Risk",
"art34_required": True,
"art34_justification": "Hohe Risikobewertung",
})
assert resp.status_code == 201
assert resp.json()["art34_required"] is True
def test_create_incident_passes_tenant_id(self, mock_db):
row = make_incident_row()
mock_db.execute.return_value.fetchone.return_value = row
client.post("/notfallplan/incidents",
json={"title": "T"},
headers={"X-Tenant-ID": "custom-org"})
call_params = mock_db.execute.call_args[0][1]
assert call_params["tenant_id"] == "custom-org"
# =============================================================================
# Incidents — PUT /notfallplan/incidents/{id}
# =============================================================================
class TestUpdateIncident:
def test_update_incident_success(self, mock_db):
existing = MagicMock()
updated_row = make_incident_row({"status": "assessed"})
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
resp = client.put(f"/notfallplan/incidents/{INCIDENT_ID}", json={"status": "assessed"})
assert resp.status_code == 200
assert resp.json()["status"] == "assessed"
def test_update_incident_not_found_returns_404(self, mock_db):
mock_db.execute.return_value.fetchone.return_value = None
resp = client.put(f"/notfallplan/incidents/{UNKNOWN_ID}", json={"status": "closed"})
assert resp.status_code == 404
def test_update_incident_empty_body_returns_400(self, mock_db):
existing = MagicMock()
mock_db.execute.return_value.fetchone.return_value = existing
resp = client.put(f"/notfallplan/incidents/{INCIDENT_ID}", json={})
assert resp.status_code == 400
def test_update_incident_status_to_reported_auto_sets_timestamp(self, mock_db):
existing = MagicMock()
updated_row = make_incident_row({"status": "reported"})
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
resp = client.put(f"/notfallplan/incidents/{INCIDENT_ID}", json={"status": "reported"})
assert resp.status_code == 200
call_params = mock_db.execute.call_args[0][1]
assert "reported_to_authority_at" in call_params
def test_update_incident_status_to_closed_auto_sets_closed_at(self, mock_db):
existing = MagicMock()
updated_row = make_incident_row({"status": "closed"})
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
resp = client.put(f"/notfallplan/incidents/{INCIDENT_ID}", json={"status": "closed"})
assert resp.status_code == 200
call_params = mock_db.execute.call_args[0][1]
assert "closed_at" in call_params
def test_update_incident_lessons_learned(self, mock_db):
existing = MagicMock()
updated_row = make_incident_row({"lessons_learned": "Besseres Monitoring nötig"})
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
resp = client.put(
f"/notfallplan/incidents/{INCIDENT_ID}",
json={"lessons_learned": "Besseres Monitoring nötig"},
)
assert resp.status_code == 200
assert resp.json()["lessons_learned"] == "Besseres Monitoring nötig"
def test_update_incident_severity(self, mock_db):
existing = MagicMock()
updated_row = make_incident_row({"severity": "high"})
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
resp = client.put(f"/notfallplan/incidents/{INCIDENT_ID}", json={"severity": "high"})
assert resp.status_code == 200
assert resp.json()["severity"] == "high"
def test_update_incident_commits(self, mock_db):
existing = MagicMock()
updated_row = make_incident_row()
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
client.put(f"/notfallplan/incidents/{INCIDENT_ID}", json={"severity": "low"})
mock_db.commit.assert_called()
def test_update_incident_always_sets_updated_at(self, mock_db):
existing = MagicMock()
updated_row = make_incident_row()
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
client.put(f"/notfallplan/incidents/{INCIDENT_ID}", json={"title": "Renamed"})
call_params = mock_db.execute.call_args[0][1]
assert "updated_at" in call_params
# =============================================================================
# Incidents — DELETE /notfallplan/incidents/{id}
# =============================================================================
class TestDeleteIncident:
def test_delete_incident_success_returns_204(self, mock_db):
mock_db.execute.return_value.rowcount = 1
resp = client.delete(f"/notfallplan/incidents/{INCIDENT_ID}")
assert resp.status_code == 204
def test_delete_incident_not_found_returns_404(self, mock_db):
mock_db.execute.return_value.rowcount = 0
resp = client.delete(f"/notfallplan/incidents/{UNKNOWN_ID}")
assert resp.status_code == 404
def test_delete_incident_commits(self, mock_db):
mock_db.execute.return_value.rowcount = 1
client.delete(f"/notfallplan/incidents/{INCIDENT_ID}")
mock_db.commit.assert_called_once()
def test_delete_incident_commits_even_when_not_found(self, mock_db):
# Commit is called before the rowcount check in the implementation
mock_db.execute.return_value.rowcount = 0
client.delete(f"/notfallplan/incidents/{UNKNOWN_ID}")
mock_db.commit.assert_called_once()
def test_delete_incident_passes_tenant_id(self, mock_db):
mock_db.execute.return_value.rowcount = 1
client.delete(
f"/notfallplan/incidents/{INCIDENT_ID}",
headers={"X-Tenant-ID": "acme"},
)
call_params = mock_db.execute.call_args[0][1]
assert call_params["tenant_id"] == "acme"
# =============================================================================
# Templates — GET /notfallplan/templates
# =============================================================================
class TestListTemplates:
def test_list_templates_returns_empty_list(self, mock_db):
mock_db.execute.return_value.fetchall.return_value = []
resp = client.get("/notfallplan/templates")
assert resp.status_code == 200
assert resp.json() == []
def test_list_templates_returns_one(self, mock_db):
row = make_template_row()
mock_db.execute.return_value.fetchall.return_value = [row]
resp = client.get("/notfallplan/templates")
assert resp.status_code == 200
data = resp.json()
assert len(data) == 1
assert data[0]["title"] == "Art. 33 Template"
assert data[0]["type"] == "art33"
def test_list_templates_returns_multiple(self, mock_db):
rows = [
make_template_row({"id": "id-1", "type": "art33", "title": "Meldung Art.33"}),
make_template_row({"id": "id-2", "type": "art34", "title": "Meldung Art.34"}),
]
mock_db.execute.return_value.fetchall.return_value = rows
resp = client.get("/notfallplan/templates")
assert resp.status_code == 200
assert len(resp.json()) == 2
def test_list_templates_filter_by_type(self, mock_db):
mock_db.execute.return_value.fetchall.return_value = []
resp = client.get("/notfallplan/templates?type=art34")
assert resp.status_code == 200
call_params = mock_db.execute.call_args[0][1]
assert call_params.get("type") == "art34"
def test_list_templates_without_type_no_type_param_sent(self, mock_db):
mock_db.execute.return_value.fetchall.return_value = []
resp = client.get("/notfallplan/templates")
assert resp.status_code == 200
call_params = mock_db.execute.call_args[0][1]
assert "type" not in call_params
def test_list_templates_uses_default_tenant(self, mock_db):
mock_db.execute.return_value.fetchall.return_value = []
client.get("/notfallplan/templates")
call_params = mock_db.execute.call_args[0][1]
assert call_params["tenant_id"] == DEFAULT_TENANT
def test_list_templates_custom_tenant_header(self, mock_db):
mock_db.execute.return_value.fetchall.return_value = []
client.get("/notfallplan/templates", headers={"X-Tenant-ID": "acme"})
call_params = mock_db.execute.call_args[0][1]
assert call_params["tenant_id"] == "acme"
def test_list_templates_all_fields_present(self, mock_db):
row = make_template_row()
mock_db.execute.return_value.fetchall.return_value = [row]
resp = client.get("/notfallplan/templates")
item = resp.json()[0]
for field in ("id", "tenant_id", "type", "title", "content", "created_at", "updated_at"):
assert field in item, f"Missing field: {field}"
# =============================================================================
# Templates — POST /notfallplan/templates
# =============================================================================
class TestCreateTemplate:
def test_create_template_success(self, mock_db):
row = make_template_row()
mock_db.execute.return_value.fetchone.return_value = row
resp = client.post("/notfallplan/templates", json={
"title": "Art. 33 Template",
"content": "Sehr geehrte Behoerde...",
"type": "art33",
})
assert resp.status_code == 201
assert resp.json()["title"] == "Art. 33 Template"
def test_create_template_missing_title_returns_422(self, mock_db):
resp = client.post("/notfallplan/templates", json={
"content": "Some content",
"type": "art33",
})
assert resp.status_code == 422
def test_create_template_missing_content_returns_422(self, mock_db):
resp = client.post("/notfallplan/templates", json={
"title": "Template",
"type": "art33",
})
assert resp.status_code == 422
def test_create_template_missing_type_uses_default_art33(self, mock_db):
row = make_template_row()
mock_db.execute.return_value.fetchone.return_value = row
resp = client.post("/notfallplan/templates", json={"title": "T", "content": "C"})
assert resp.status_code == 201
call_params = mock_db.execute.call_args[0][1]
assert call_params["type"] == "art33"
def test_create_template_art34_type(self, mock_db):
row = make_template_row({"type": "art34"})
mock_db.execute.return_value.fetchone.return_value = row
resp = client.post("/notfallplan/templates", json={
"title": "Art. 34 Notification",
"content": "Sehr geehrte Betroffene...",
"type": "art34",
})
assert resp.status_code == 201
assert resp.json()["type"] == "art34"
def test_create_template_commits(self, mock_db):
row = make_template_row()
mock_db.execute.return_value.fetchone.return_value = row
client.post("/notfallplan/templates", json={"title": "T", "content": "C", "type": "art33"})
mock_db.commit.assert_called_once()
def test_create_template_passes_tenant_id(self, mock_db):
row = make_template_row()
mock_db.execute.return_value.fetchone.return_value = row
client.post(
"/notfallplan/templates",
json={"title": "T", "content": "C", "type": "art33"},
headers={"X-Tenant-ID": "my-org"},
)
call_params = mock_db.execute.call_args[0][1]
assert call_params["tenant_id"] == "my-org"
# =============================================================================
# Templates — PUT /notfallplan/templates/{id}
# =============================================================================
class TestUpdateTemplate:
def test_update_template_title_success(self, mock_db):
existing = MagicMock()
updated_row = make_template_row({"title": "Updated Title"})
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
resp = client.put(f"/notfallplan/templates/{TEMPLATE_ID}", json={"title": "Updated Title"})
assert resp.status_code == 200
assert resp.json()["title"] == "Updated Title"
def test_update_template_not_found_returns_404(self, mock_db):
mock_db.execute.return_value.fetchone.return_value = None
resp = client.put(f"/notfallplan/templates/{UNKNOWN_ID}", json={"title": "X"})
assert resp.status_code == 404
def test_update_template_empty_body_returns_400(self, mock_db):
existing = MagicMock()
mock_db.execute.return_value.fetchone.return_value = existing
resp = client.put(f"/notfallplan/templates/{TEMPLATE_ID}", json={})
assert resp.status_code == 400
def test_update_template_content(self, mock_db):
existing = MagicMock()
updated_row = make_template_row({"content": "New body text"})
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
resp = client.put(
f"/notfallplan/templates/{TEMPLATE_ID}",
json={"content": "New body text"},
)
assert resp.status_code == 200
assert resp.json()["content"] == "New body text"
def test_update_template_type(self, mock_db):
existing = MagicMock()
updated_row = make_template_row({"type": "internal"})
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
resp = client.put(f"/notfallplan/templates/{TEMPLATE_ID}", json={"type": "internal"})
assert resp.status_code == 200
def test_update_template_commits(self, mock_db):
existing = MagicMock()
updated_row = make_template_row()
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
client.put(f"/notfallplan/templates/{TEMPLATE_ID}", json={"title": "New"})
mock_db.commit.assert_called()
def test_update_template_sets_updated_at(self, mock_db):
existing = MagicMock()
updated_row = make_template_row()
mock_db.execute.return_value.fetchone.side_effect = [existing, updated_row]
client.put(f"/notfallplan/templates/{TEMPLATE_ID}", json={"title": "New"})
call_params = mock_db.execute.call_args[0][1]
assert "updated_at" in call_params
# =============================================================================
# Templates — DELETE /notfallplan/templates/{id}
# =============================================================================
class TestDeleteTemplate:
def test_delete_template_success_returns_204(self, mock_db):
mock_db.execute.return_value.rowcount = 1
resp = client.delete(f"/notfallplan/templates/{TEMPLATE_ID}")
assert resp.status_code == 204
def test_delete_template_not_found_returns_404(self, mock_db):
mock_db.execute.return_value.rowcount = 0
resp = client.delete(f"/notfallplan/templates/{UNKNOWN_ID}")
assert resp.status_code == 404
def test_delete_template_commits_on_success(self, mock_db):
mock_db.execute.return_value.rowcount = 1
client.delete(f"/notfallplan/templates/{TEMPLATE_ID}")
mock_db.commit.assert_called_once()
def test_delete_template_commits_even_when_not_found(self, mock_db):
mock_db.execute.return_value.rowcount = 0
client.delete(f"/notfallplan/templates/{UNKNOWN_ID}")
mock_db.commit.assert_called_once()
def test_delete_template_passes_correct_tenant_id(self, mock_db):
mock_db.execute.return_value.rowcount = 1
client.delete(
f"/notfallplan/templates/{TEMPLATE_ID}",
headers={"X-Tenant-ID": "acme"},
)
call_params = mock_db.execute.call_args[0][1]
assert call_params["tenant_id"] == "acme"

937
backend-compliance/tests/test_quality_routes.py Normal file
View File

@@ -0,0 +1,937 @@
"""Tests for AI Quality Metrics and Tests routes (quality_routes.py).
Covers:
- Schema validation (MetricCreate, MetricUpdate, TestCreate, TestUpdate)
- Helper functions (_row_to_dict, _get_tenant_id)
- HTTP endpoints via FastAPI TestClient with mocked DB session
"""
import pytest
from unittest.mock import MagicMock
from datetime import datetime
from fastapi import FastAPI
from fastapi.testclient import TestClient
from compliance.api.quality_routes import (
router,
MetricCreate,
MetricUpdate,
TestCreate,
TestUpdate,
_row_to_dict,
_get_tenant_id,
DEFAULT_TENANT_ID,
)
from classroom_engine.database import get_db
# =============================================================================
# TestClient Setup
# =============================================================================
app = FastAPI()
app.include_router(router)
client = TestClient(app)
DEFAULT_TENANT = "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
OTHER_TENANT = "bbbbbbbb-cccc-dddd-eeee-ffffffffffff"
METRIC_ID = "bbbbbbbb-0001-0001-0001-000000000001"
TEST_ID = "cccccccc-0001-0001-0001-000000000001"
def make_metric_row(overrides=None):
data = {
"id": METRIC_ID,
"tenant_id": DEFAULT_TENANT,
"name": "Test Metric",
"category": "accuracy",
"score": 85.0,
"threshold": 80.0,
"trend": "stable",
"ai_system": None,
"last_measured": datetime(2024, 1, 1),
"created_at": datetime(2024, 1, 1),
"updated_at": datetime(2024, 1, 1),
}
if overrides:
data.update(overrides)
row = MagicMock()
row._mapping = data
return row
def make_test_row(overrides=None):
data = {
"id": TEST_ID,
"tenant_id": DEFAULT_TENANT,
"name": "Test Run",
"status": "passed",
"duration": "1.2s",
"ai_system": None,
"details": None,
"last_run": datetime(2024, 1, 1),
"created_at": datetime(2024, 1, 1),
"updated_at": datetime(2024, 1, 1),
}
if overrides:
data.update(overrides)
row = MagicMock()
row._mapping = data
return row
@pytest.fixture
def mock_db():
db = MagicMock()
def override_get_db():
yield db
app.dependency_overrides[get_db] = override_get_db
yield db
app.dependency_overrides.clear()
# =============================================================================
# Schema Tests — MetricCreate
# =============================================================================
class TestMetricCreate:
def test_minimal_valid(self):
req = MetricCreate(name="Accuracy Score")
assert req.name == "Accuracy Score"
assert req.category == "accuracy"
assert req.score == 0.0
assert req.threshold == 80.0
assert req.trend == "stable"
assert req.ai_system is None
assert req.last_measured is None
def test_full_values(self):
ts = datetime(2026, 3, 1)
req = MetricCreate(
name="Fairness Score",
category="fairness",
score=92.5,
threshold=85.0,
trend="improving",
ai_system="RecSys-v2",
last_measured=ts,
)
assert req.name == "Fairness Score"
assert req.category == "fairness"
assert req.score == 92.5
assert req.trend == "improving"
assert req.ai_system == "RecSys-v2"
assert req.last_measured == ts
def test_serialization_excludes_none(self):
req = MetricCreate(name="Drift Score", score=75.0)
data = req.model_dump(exclude_none=True)
assert data["name"] == "Drift Score"
assert data["score"] == 75.0
assert "ai_system" not in data
assert "last_measured" not in data
def test_default_trend_stable(self):
req = MetricCreate(name="Test")
assert req.trend == "stable"
def test_default_score_zero(self):
req = MetricCreate(name="Test")
assert req.score == 0.0
# =============================================================================
# Schema Tests — MetricUpdate
# =============================================================================
class TestMetricUpdate:
def test_empty_update(self):
req = MetricUpdate()
data = req.model_dump(exclude_unset=True)
assert data == {}
def test_partial_score_update(self):
req = MetricUpdate(score=95.0)
data = req.model_dump(exclude_unset=True)
assert data == {"score": 95.0}
def test_trend_and_threshold_update(self):
req = MetricUpdate(trend="declining", threshold=90.0)
data = req.model_dump(exclude_unset=True)
assert data["trend"] == "declining"
assert data["threshold"] == 90.0
assert "name" not in data
def test_full_update(self):
req = MetricUpdate(
name="New Name",
category="robustness",
score=88.0,
threshold=85.0,
trend="improving",
ai_system="ModelB",
)
data = req.model_dump(exclude_unset=True)
assert len(data) == 6
assert data["category"] == "robustness"
# =============================================================================
# Schema Tests — TestCreate
# =============================================================================
class TestTestCreate:
def test_minimal_valid(self):
req = TestCreate(name="Bias Detection Test")
assert req.name == "Bias Detection Test"
assert req.status == "pending"
assert req.duration is None
assert req.ai_system is None
assert req.details is None
assert req.last_run is None
def test_full_values(self):
ts = datetime(2026, 3, 1, 12, 0, 0)
req = TestCreate(
name="Accuracy Test Suite",
status="passed",
duration="3.45s",
ai_system="ClassifierV3",
details="All 500 samples passed",
last_run=ts,
)
assert req.status == "passed"
assert req.duration == "3.45s"
assert req.ai_system == "ClassifierV3"
assert req.details == "All 500 samples passed"
assert req.last_run == ts
def test_failed_status(self):
req = TestCreate(name="Fairness Check", status="failed")
assert req.status == "failed"
def test_serialization_excludes_none(self):
req = TestCreate(name="Quick Test", status="passed")
data = req.model_dump(exclude_none=True)
assert "duration" not in data
assert "ai_system" not in data
# =============================================================================
# Schema Tests — TestUpdate
# =============================================================================
class TestTestUpdate:
def test_empty_update(self):
req = TestUpdate()
data = req.model_dump(exclude_unset=True)
assert data == {}
def test_status_update(self):
req = TestUpdate(status="failed")
data = req.model_dump(exclude_unset=True)
assert data == {"status": "failed"}
def test_duration_and_details_update(self):
req = TestUpdate(duration="10.5s", details="Timeout on 3 samples")
data = req.model_dump(exclude_unset=True)
assert data["duration"] == "10.5s"
assert data["details"] == "Timeout on 3 samples"
assert "name" not in data
# =============================================================================
# Helper Tests — _row_to_dict
# =============================================================================
class TestRowToDict:
def test_basic_metric_conversion(self):
row = make_metric_row()
result = _row_to_dict(row)
assert result["id"] == METRIC_ID
assert result["name"] == "Test Metric"
assert result["score"] == 85.0
assert result["threshold"] == 80.0
def test_datetime_serialized(self):
ts = datetime(2024, 6, 15, 9, 0, 0)
row = make_metric_row({"created_at": ts, "last_measured": ts})
result = _row_to_dict(row)
assert result["created_at"] == ts.isoformat()
assert result["last_measured"] == ts.isoformat()
def test_none_values_preserved(self):
row = make_metric_row()
result = _row_to_dict(row)
assert result["ai_system"] is None
def test_uuid_converted_to_string(self):
import uuid
uid = uuid.UUID(DEFAULT_TENANT)
row = MagicMock()
row._mapping = {"id": uid, "tenant_id": uid}
result = _row_to_dict(row)
assert result["id"] == str(uid)
def test_numeric_fields_unchanged(self):
row = MagicMock()
row._mapping = {"score": 92.5, "threshold": 80.0, "count": 10}
result = _row_to_dict(row)
assert result["score"] == 92.5
assert result["threshold"] == 80.0
assert result["count"] == 10
# =============================================================================
# Helper Tests — _get_tenant_id
# =============================================================================
class TestGetTenantId:
def test_valid_uuid_returned(self):
result = _get_tenant_id(x_tenant_id=DEFAULT_TENANT)
assert result == DEFAULT_TENANT
def test_none_returns_default(self):
result = _get_tenant_id(x_tenant_id=None)
assert result == DEFAULT_TENANT_ID
def test_invalid_uuid_returns_default(self):
result = _get_tenant_id(x_tenant_id="invalid-uuid")
assert result == DEFAULT_TENANT_ID
def test_empty_string_returns_default(self):
result = _get_tenant_id(x_tenant_id="")
assert result == DEFAULT_TENANT_ID
def test_other_valid_tenant(self):
result = _get_tenant_id(x_tenant_id=OTHER_TENANT)
assert result == OTHER_TENANT
# =============================================================================
# HTTP Tests — GET /quality/stats
# =============================================================================
class TestGetQualityStats:
def test_stats_all_zeros(self, mock_db):
metrics_row = MagicMock()
metrics_row.total_metrics = 0
metrics_row.avg_score = 0
metrics_row.metrics_above_threshold = 0
tests_row = MagicMock()
tests_row.passed = 0
tests_row.failed = 0
tests_row.warning = 0
tests_row.total = 0
mock_db.execute.return_value.fetchone.side_effect = [metrics_row, tests_row]
response = client.get("/quality/stats")
assert response.status_code == 200
data = response.json()
assert data["total_metrics"] == 0
assert data["avg_score"] == 0.0
assert data["metrics_above_threshold"] == 0
assert data["passed"] == 0
assert data["failed"] == 0
assert data["warning"] == 0
assert data["total_tests"] == 0
def test_stats_with_data(self, mock_db):
metrics_row = MagicMock()
metrics_row.total_metrics = 5
metrics_row.avg_score = 87.4
metrics_row.metrics_above_threshold = 4
tests_row = MagicMock()
tests_row.passed = 10
tests_row.failed = 2
tests_row.warning = 1
tests_row.total = 13
mock_db.execute.return_value.fetchone.side_effect = [metrics_row, tests_row]
response = client.get("/quality/stats")
assert response.status_code == 200
data = response.json()
assert data["total_metrics"] == 5
assert data["avg_score"] == 87.4
assert data["metrics_above_threshold"] == 4
assert data["passed"] == 10
assert data["failed"] == 2
assert data["warning"] == 1
assert data["total_tests"] == 13
def test_stats_none_values_become_zero(self, mock_db):
metrics_row = MagicMock()
metrics_row.total_metrics = None
metrics_row.avg_score = None
metrics_row.metrics_above_threshold = None
tests_row = MagicMock()
tests_row.passed = None
tests_row.failed = None
tests_row.warning = None
tests_row.total = None
mock_db.execute.return_value.fetchone.side_effect = [metrics_row, tests_row]
response = client.get("/quality/stats")
assert response.status_code == 200
data = response.json()
assert data["total_metrics"] == 0
assert data["avg_score"] == 0.0
assert data["total_tests"] == 0
def test_stats_with_tenant_header(self, mock_db):
metrics_row = MagicMock()
metrics_row.total_metrics = 2
metrics_row.avg_score = 90.0
metrics_row.metrics_above_threshold = 2
tests_row = MagicMock()
tests_row.passed = 5
tests_row.failed = 0
tests_row.warning = 0
tests_row.total = 5
mock_db.execute.return_value.fetchone.side_effect = [metrics_row, tests_row]
response = client.get(
"/quality/stats",
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 200
assert response.json()["total_metrics"] == 2
# =============================================================================
# HTTP Tests — GET /quality/metrics
# =============================================================================
class TestListMetrics:
def test_empty_list(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 0
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = []
mock_db.execute.return_value = execute_result
response = client.get("/quality/metrics")
assert response.status_code == 200
data = response.json()
assert data["metrics"] == []
assert data["total"] == 0
def test_list_with_data(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 2
m1 = make_metric_row()
m2 = make_metric_row({"id": "bbbbbbbb-0002-0002-0002-000000000002", "name": "Second Metric"})
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [m1, m2]
mock_db.execute.return_value = execute_result
response = client.get("/quality/metrics")
assert response.status_code == 200
data = response.json()
assert len(data["metrics"]) == 2
assert data["total"] == 2
def test_filter_by_category(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 1
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [make_metric_row({"category": "fairness"})]
mock_db.execute.return_value = execute_result
response = client.get("/quality/metrics?category=fairness")
assert response.status_code == 200
data = response.json()
assert data["metrics"][0]["category"] == "fairness"
def test_filter_by_ai_system(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 1
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [make_metric_row({"ai_system": "ModelAlpha"})]
mock_db.execute.return_value = execute_result
response = client.get("/quality/metrics?ai_system=ModelAlpha")
assert response.status_code == 200
data = response.json()
assert data["metrics"][0]["ai_system"] == "ModelAlpha"
def test_pagination(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 20
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [make_metric_row()]
mock_db.execute.return_value = execute_result
response = client.get("/quality/metrics?limit=1&offset=10")
assert response.status_code == 200
data = response.json()
assert data["total"] == 20
assert len(data["metrics"]) == 1
# =============================================================================
# HTTP Tests — POST /quality/metrics
# =============================================================================
class TestCreateMetric:
def test_create_success(self, mock_db):
created_row = make_metric_row({"name": "New Metric"})
mock_db.execute.return_value.fetchone.return_value = created_row
response = client.post(
"/quality/metrics",
json={"name": "New Metric"},
)
assert response.status_code == 201
data = response.json()
assert data["name"] == "New Metric"
mock_db.commit.assert_called_once()
def test_create_full_metric(self, mock_db):
created_row = make_metric_row({
"name": "Robustness Score",
"category": "robustness",
"score": 78.5,
"threshold": 75.0,
"trend": "improving",
})
mock_db.execute.return_value.fetchone.return_value = created_row
response = client.post("/quality/metrics", json={
"name": "Robustness Score",
"category": "robustness",
"score": 78.5,
"threshold": 75.0,
"trend": "improving",
})
assert response.status_code == 201
data = response.json()
assert data["category"] == "robustness"
assert data["score"] == 78.5
def test_create_missing_name_fails(self, mock_db):
response = client.post("/quality/metrics", json={"score": 90.0})
assert response.status_code == 422
def test_create_with_tenant_header(self, mock_db):
created_row = make_metric_row({"tenant_id": OTHER_TENANT})
mock_db.execute.return_value.fetchone.return_value = created_row
response = client.post(
"/quality/metrics",
json={"name": "Tenant B metric"},
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 201
assert mock_db.commit.called
# =============================================================================
# HTTP Tests — PUT /quality/metrics/{id}
# =============================================================================
class TestUpdateMetric:
def test_update_success(self, mock_db):
updated_row = make_metric_row({"score": 95.0, "trend": "improving"})
mock_db.execute.return_value.fetchone.return_value = updated_row
response = client.put(
f"/quality/metrics/{METRIC_ID}",
json={"score": 95.0, "trend": "improving"},
)
assert response.status_code == 200
data = response.json()
assert data["score"] == 95.0
assert data["trend"] == "improving"
mock_db.commit.assert_called_once()
def test_update_not_found_returns_404(self, mock_db):
mock_db.execute.return_value.fetchone.return_value = None
response = client.put(
"/quality/metrics/nonexistent-id",
json={"score": 50.0},
)
assert response.status_code == 404
assert "not found" in response.json()["detail"].lower()
def test_update_no_fields_returns_400(self, mock_db):
response = client.put(f"/quality/metrics/{METRIC_ID}", json={})
assert response.status_code == 400
def test_partial_update_category(self, mock_db):
updated_row = make_metric_row({"category": "explainability"})
mock_db.execute.return_value.fetchone.return_value = updated_row
response = client.put(
f"/quality/metrics/{METRIC_ID}",
json={"category": "explainability"},
)
assert response.status_code == 200
assert response.json()["category"] == "explainability"
# =============================================================================
# HTTP Tests — DELETE /quality/metrics/{id}
# =============================================================================
class TestDeleteMetric:
def test_delete_success_204(self, mock_db):
delete_result = MagicMock()
delete_result.rowcount = 1
mock_db.execute.return_value = delete_result
response = client.delete(f"/quality/metrics/{METRIC_ID}")
assert response.status_code == 204
mock_db.commit.assert_called_once()
def test_delete_not_found_returns_404(self, mock_db):
delete_result = MagicMock()
delete_result.rowcount = 0
mock_db.execute.return_value = delete_result
response = client.delete("/quality/metrics/nonexistent-id")
assert response.status_code == 404
assert "not found" in response.json()["detail"].lower()
def test_delete_with_tenant_header(self, mock_db):
delete_result = MagicMock()
delete_result.rowcount = 1
mock_db.execute.return_value = delete_result
response = client.delete(
f"/quality/metrics/{METRIC_ID}",
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 204
# =============================================================================
# HTTP Tests — GET /quality/tests
# =============================================================================
class TestListQualityTests:
def test_empty_list(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 0
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = []
mock_db.execute.return_value = execute_result
response = client.get("/quality/tests")
assert response.status_code == 200
data = response.json()
assert data["tests"] == []
assert data["total"] == 0
def test_list_with_data(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 2
t1 = make_test_row()
t2 = make_test_row({"id": "cccccccc-0002-0002-0002-000000000002", "name": "Second Test"})
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [t1, t2]
mock_db.execute.return_value = execute_result
response = client.get("/quality/tests")
assert response.status_code == 200
data = response.json()
assert len(data["tests"]) == 2
assert data["total"] == 2
def test_filter_by_status(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 1
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [make_test_row({"status": "failed"})]
mock_db.execute.return_value = execute_result
response = client.get("/quality/tests?status=failed")
assert response.status_code == 200
data = response.json()
assert data["tests"][0]["status"] == "failed"
def test_filter_by_ai_system(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 1
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [make_test_row({"ai_system": "ModelBeta"})]
mock_db.execute.return_value = execute_result
response = client.get("/quality/tests?ai_system=ModelBeta")
assert response.status_code == 200
data = response.json()
assert data["tests"][0]["ai_system"] == "ModelBeta"
def test_pagination(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 50
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [make_test_row()]
mock_db.execute.return_value = execute_result
response = client.get("/quality/tests?limit=1&offset=5")
assert response.status_code == 200
assert response.json()["total"] == 50
# =============================================================================
# HTTP Tests — POST /quality/tests
# =============================================================================
class TestCreateQualityTest:
def test_create_success(self, mock_db):
created_row = make_test_row({"name": "New Test Run"})
mock_db.execute.return_value.fetchone.return_value = created_row
response = client.post(
"/quality/tests",
json={"name": "New Test Run"},
)
assert response.status_code == 201
data = response.json()
assert data["name"] == "New Test Run"
mock_db.commit.assert_called_once()
def test_create_full_test(self, mock_db):
created_row = make_test_row({
"name": "Full Test Suite",
"status": "passed",
"duration": "5.0s",
"ai_system": "Classifier",
"details": "All assertions passed",
})
mock_db.execute.return_value.fetchone.return_value = created_row
response = client.post("/quality/tests", json={
"name": "Full Test Suite",
"status": "passed",
"duration": "5.0s",
"ai_system": "Classifier",
"details": "All assertions passed",
})
assert response.status_code == 201
data = response.json()
assert data["status"] == "passed"
assert data["duration"] == "5.0s"
def test_create_missing_name_fails(self, mock_db):
response = client.post("/quality/tests", json={"status": "passed"})
assert response.status_code == 422
def test_create_failed_status(self, mock_db):
created_row = make_test_row({"status": "failed"})
mock_db.execute.return_value.fetchone.return_value = created_row
response = client.post(
"/quality/tests",
json={"name": "Failing test", "status": "failed"},
)
assert response.status_code == 201
assert response.json()["status"] == "failed"
# =============================================================================
# HTTP Tests — PUT /quality/tests/{id}
# =============================================================================
class TestUpdateQualityTest:
def test_update_success(self, mock_db):
updated_row = make_test_row({"status": "failed", "details": "Assertion error on line 42"})
mock_db.execute.return_value.fetchone.return_value = updated_row
response = client.put(
f"/quality/tests/{TEST_ID}",
json={"status": "failed", "details": "Assertion error on line 42"},
)
assert response.status_code == 200
data = response.json()
assert data["status"] == "failed"
assert data["details"] == "Assertion error on line 42"
mock_db.commit.assert_called_once()
def test_update_not_found_returns_404(self, mock_db):
mock_db.execute.return_value.fetchone.return_value = None
response = client.put(
"/quality/tests/nonexistent-id",
json={"status": "passed"},
)
assert response.status_code == 404
assert "not found" in response.json()["detail"].lower()
def test_update_no_fields_returns_400(self, mock_db):
response = client.put(f"/quality/tests/{TEST_ID}", json={})
assert response.status_code == 400
def test_update_duration_only(self, mock_db):
updated_row = make_test_row({"duration": "2.8s"})
mock_db.execute.return_value.fetchone.return_value = updated_row
response = client.put(
f"/quality/tests/{TEST_ID}",
json={"duration": "2.8s"},
)
assert response.status_code == 200
assert response.json()["duration"] == "2.8s"
def test_update_with_tenant_header(self, mock_db):
updated_row = make_test_row({"tenant_id": OTHER_TENANT, "status": "warning"})
mock_db.execute.return_value.fetchone.return_value = updated_row
response = client.put(
f"/quality/tests/{TEST_ID}",
json={"status": "warning"},
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 200
assert response.json()["status"] == "warning"
# =============================================================================
# HTTP Tests — DELETE /quality/tests/{id}
# =============================================================================
class TestDeleteQualityTest:
def test_delete_success_204(self, mock_db):
delete_result = MagicMock()
delete_result.rowcount = 1
mock_db.execute.return_value = delete_result
response = client.delete(f"/quality/tests/{TEST_ID}")
assert response.status_code == 204
mock_db.commit.assert_called_once()
def test_delete_not_found_returns_404(self, mock_db):
delete_result = MagicMock()
delete_result.rowcount = 0
mock_db.execute.return_value = delete_result
response = client.delete("/quality/tests/nonexistent-id")
assert response.status_code == 404
assert "not found" in response.json()["detail"].lower()
def test_delete_with_tenant_header(self, mock_db):
delete_result = MagicMock()
delete_result.rowcount = 1
mock_db.execute.return_value = delete_result
response = client.delete(
f"/quality/tests/{TEST_ID}",
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 204
assert mock_db.commit.called
# =============================================================================
# Tenant Isolation Tests
# =============================================================================
class TestTenantIsolation:
def test_metrics_tenant_isolation(self, mock_db):
"""Tenant A sees 3 metrics, Tenant B sees 0."""
def side_effect(query, params):
result = MagicMock()
tid = params.get("tenant_id", "")
if tid == DEFAULT_TENANT:
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 3
result.fetchone.return_value = count_row
result.fetchall.return_value = [
make_metric_row(),
make_metric_row({"id": "bbbbbbbb-0002-0002-0002-000000000002"}),
make_metric_row({"id": "bbbbbbbb-0003-0003-0003-000000000003"}),
]
else:
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 0
result.fetchone.return_value = count_row
result.fetchall.return_value = []
return result
mock_db.execute.side_effect = side_effect
resp_a = client.get(
"/quality/metrics",
headers={"X-Tenant-Id": DEFAULT_TENANT},
)
assert resp_a.json()["total"] == 3
resp_b = client.get(
"/quality/metrics",
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert resp_b.json()["total"] == 0
def test_tests_tenant_isolation(self, mock_db):
"""Tenant A sees 2 tests, Tenant B sees 0."""
def side_effect(query, params):
result = MagicMock()
tid = params.get("tenant_id", "")
if tid == DEFAULT_TENANT:
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 2
result.fetchone.return_value = count_row
result.fetchall.return_value = [make_test_row(), make_test_row({"id": "cccccccc-0002-0002-0002-000000000002"})]
else:
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 0
result.fetchone.return_value = count_row
result.fetchall.return_value = []
return result
mock_db.execute.side_effect = side_effect
resp_a = client.get("/quality/tests", headers={"X-Tenant-Id": DEFAULT_TENANT})
assert resp_a.json()["total"] == 2
resp_b = client.get("/quality/tests", headers={"X-Tenant-Id": OTHER_TENANT})
assert resp_b.json()["total"] == 0
def test_invalid_tenant_header_falls_back_to_default(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 0
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = []
mock_db.execute.return_value = execute_result
response = client.get(
"/quality/metrics",
headers={"X-Tenant-Id": "bad-uuid"},
)
assert response.status_code == 200
def test_delete_wrong_tenant_returns_404(self, mock_db):
"""Deleting a metric that belongs to a different tenant returns 404."""
delete_result = MagicMock()
delete_result.rowcount = 0
mock_db.execute.return_value = delete_result
response = client.delete(
f"/quality/metrics/{METRIC_ID}",
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 404

698
backend-compliance/tests/test_security_backlog_routes.py Normal file
View File

@@ -0,0 +1,698 @@
"""Tests for Security Backlog routes (security_backlog_routes.py).
Covers:
- Schema validation (SecurityItemCreate, SecurityItemUpdate)
- Helper functions (_row_to_dict, _get_tenant_id)
- HTTP endpoints via FastAPI TestClient with mocked DB session
"""
import pytest
from unittest.mock import MagicMock
from datetime import datetime
from fastapi import FastAPI
from fastapi.testclient import TestClient
from compliance.api.security_backlog_routes import (
router,
SecurityItemCreate,
SecurityItemUpdate,
_row_to_dict,
_get_tenant_id,
DEFAULT_TENANT_ID,
)
from classroom_engine.database import get_db
# =============================================================================
# TestClient Setup
# =============================================================================
app = FastAPI()
app.include_router(router)
DEFAULT_TENANT = "9282a473-5c95-4b3a-bf78-0ecc0ec71d3e"
OTHER_TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ITEM_ID = "aaaaaaaa-0001-0001-0001-000000000001"
def make_item_row(overrides=None):
data = {
"id": ITEM_ID,
"tenant_id": DEFAULT_TENANT,
"title": "Test Item",
"description": "Test description",
"type": "vulnerability",
"severity": "medium",
"status": "open",
"source": None,
"cve": None,
"cvss": None,
"affected_asset": None,
"assigned_to": None,
"due_date": None,
"remediation": None,
"created_at": datetime(2024, 1, 1),
"updated_at": datetime(2024, 1, 1),
}
if overrides:
data.update(overrides)
row = MagicMock()
row._mapping = data
return row
def make_stats_row(overrides=None):
data = {
"open": 3,
"in_progress": 1,
"resolved": 2,
"accepted_risk": 0,
"critical": 1,
"high": 2,
"overdue": 1,
"total": 6,
}
if overrides:
data.update(overrides)
row = MagicMock()
row._mapping = data
return row
@pytest.fixture
def mock_db():
db = MagicMock()
def override_get_db():
yield db
app.dependency_overrides[get_db] = override_get_db
yield db
app.dependency_overrides.clear()
@pytest.fixture
def test_client():
return TestClient(app)
# Module-level client for simple tests that set up their own mocks per test
client = TestClient(app)
# =============================================================================
# Schema Tests — SecurityItemCreate
# =============================================================================
class TestSecurityItemCreate:
def test_minimal_valid(self):
req = SecurityItemCreate(title="SQL Injection in Login")
assert req.title == "SQL Injection in Login"
assert req.type == "vulnerability"
assert req.severity == "medium"
assert req.status == "open"
assert req.description is None
assert req.source is None
assert req.cve is None
assert req.cvss is None
assert req.affected_asset is None
assert req.assigned_to is None
assert req.due_date is None
assert req.remediation is None
def test_full_values(self):
due = datetime(2026, 6, 30)
req = SecurityItemCreate(
title="CVE-2024-1234",
description="Remote code execution in parser",
type="cve",
severity="critical",
status="in-progress",
source="NVD",
cve="CVE-2024-1234",
cvss=9.8,
affected_asset="api-server",
assigned_to="security-team",
due_date=due,
remediation="Upgrade to v2.1.0",
)
assert req.title == "CVE-2024-1234"
assert req.type == "cve"
assert req.severity == "critical"
assert req.cvss == 9.8
assert req.cve == "CVE-2024-1234"
assert req.assigned_to == "security-team"
def test_serialization_excludes_none(self):
req = SecurityItemCreate(title="Patch missing", severity="high")
data = req.model_dump(exclude_none=True)
assert data["title"] == "Patch missing"
assert data["severity"] == "high"
assert "description" not in data
assert "cve" not in data
def test_serialization_includes_defaults(self):
req = SecurityItemCreate(title="Test")
data = req.model_dump()
assert data["type"] == "vulnerability"
assert data["severity"] == "medium"
assert data["status"] == "open"
# =============================================================================
# Schema Tests — SecurityItemUpdate
# =============================================================================
class TestSecurityItemUpdate:
def test_empty_update(self):
req = SecurityItemUpdate()
data = req.model_dump(exclude_unset=True)
assert data == {}
def test_partial_update_status(self):
req = SecurityItemUpdate(status="resolved")
data = req.model_dump(exclude_unset=True)
assert data == {"status": "resolved"}
def test_partial_update_severity(self):
req = SecurityItemUpdate(severity="critical", assigned_to="john@example.com")
data = req.model_dump(exclude_unset=True)
assert data["severity"] == "critical"
assert data["assigned_to"] == "john@example.com"
assert "title" not in data
def test_full_update(self):
req = SecurityItemUpdate(
title="Updated Title",
description="New desc",
type="misconfiguration",
severity="low",
status="accepted-risk",
remediation="Accept the risk",
)
data = req.model_dump(exclude_unset=True)
assert len(data) == 6
assert data["type"] == "misconfiguration"
assert data["status"] == "accepted-risk"
# =============================================================================
# Helper Tests — _row_to_dict
# =============================================================================
class TestRowToDict:
def test_basic_conversion(self):
row = make_item_row()
result = _row_to_dict(row)
assert result["id"] == ITEM_ID
assert result["title"] == "Test Item"
assert result["severity"] == "medium"
def test_datetime_serialized(self):
ts = datetime(2024, 6, 15, 10, 30, 0)
row = make_item_row({"created_at": ts, "updated_at": ts})
result = _row_to_dict(row)
assert result["created_at"] == ts.isoformat()
assert result["updated_at"] == ts.isoformat()
def test_none_values_preserved(self):
row = make_item_row()
result = _row_to_dict(row)
assert result["source"] is None
assert result["cve"] is None
assert result["cvss"] is None
assert result["affected_asset"] is None
assert result["due_date"] is None
def test_uuid_converted_to_string(self):
import uuid
uid = uuid.UUID(DEFAULT_TENANT)
row = MagicMock()
row._mapping = {"id": uid, "tenant_id": uid}
result = _row_to_dict(row)
assert result["id"] == str(uid)
assert result["tenant_id"] == str(uid)
def test_string_and_numeric_unchanged(self):
row = MagicMock()
row._mapping = {"title": "Test", "cvss": 7.5, "active": True}
result = _row_to_dict(row)
assert result["title"] == "Test"
assert result["cvss"] == 7.5
assert result["active"] is True
# =============================================================================
# Helper Tests — _get_tenant_id
# =============================================================================
class TestGetTenantId:
def test_valid_uuid_returned(self):
result = _get_tenant_id(x_tenant_id=DEFAULT_TENANT)
assert result == DEFAULT_TENANT
def test_none_returns_default(self):
result = _get_tenant_id(x_tenant_id=None)
assert result == DEFAULT_TENANT_ID
def test_invalid_uuid_returns_default(self):
result = _get_tenant_id(x_tenant_id="not-a-uuid")
assert result == DEFAULT_TENANT_ID
def test_empty_string_returns_default(self):
result = _get_tenant_id(x_tenant_id="")
assert result == DEFAULT_TENANT_ID
def test_different_valid_tenant(self):
result = _get_tenant_id(x_tenant_id=OTHER_TENANT)
assert result == OTHER_TENANT
def test_partial_uuid_returns_default(self):
result = _get_tenant_id(x_tenant_id="9282a473-5c95-4b3a")
assert result == DEFAULT_TENANT_ID
# =============================================================================
# HTTP Tests — GET /security-backlog
# =============================================================================
class TestListSecurityItems:
def test_empty_list(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 0
mock_db.execute.return_value.fetchone.return_value = count_row
mock_db.execute.return_value.fetchall.return_value = []
response = client.get("/security-backlog")
assert response.status_code == 200
data = response.json()
assert data["items"] == []
assert data["total"] == 0
def test_list_with_data(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 2
item1 = make_item_row()
item2 = make_item_row({"id": "aaaaaaaa-0002-0002-0002-000000000002", "title": "Second Item"})
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [item1, item2]
mock_db.execute.return_value = execute_result
response = client.get("/security-backlog")
assert response.status_code == 200
data = response.json()
assert len(data["items"]) == 2
assert data["total"] == 2
assert data["items"][0]["title"] == "Test Item"
def test_filter_by_status(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 1
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [make_item_row({"status": "resolved"})]
mock_db.execute.return_value = execute_result
response = client.get("/security-backlog?status=resolved")
assert response.status_code == 200
data = response.json()
assert data["items"][0]["status"] == "resolved"
def test_filter_by_severity(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 1
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [make_item_row({"severity": "critical"})]
mock_db.execute.return_value = execute_result
response = client.get("/security-backlog?severity=critical")
assert response.status_code == 200
data = response.json()
assert data["items"][0]["severity"] == "critical"
def test_filter_by_type(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 1
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [make_item_row({"type": "misconfiguration"})]
mock_db.execute.return_value = execute_result
response = client.get("/security-backlog?type=misconfiguration")
assert response.status_code == 200
data = response.json()
assert data["items"][0]["type"] == "misconfiguration"
def test_filter_by_search(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 1
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [make_item_row({"title": "SQL Injection"})]
mock_db.execute.return_value = execute_result
response = client.get("/security-backlog?search=SQL")
assert response.status_code == 200
data = response.json()
assert "SQL" in data["items"][0]["title"]
def test_pagination_limit_offset(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 10
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = [make_item_row()]
mock_db.execute.return_value = execute_result
response = client.get("/security-backlog?limit=1&offset=5")
assert response.status_code == 200
data = response.json()
assert data["total"] == 10
assert len(data["items"]) == 1
def test_default_tenant_used_without_header(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 0
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = []
mock_db.execute.return_value = execute_result
response = client.get("/security-backlog")
assert response.status_code == 200
# Verify execute was called (tenant was resolved internally)
assert mock_db.execute.called
# =============================================================================
# HTTP Tests — GET /security-backlog/stats
# =============================================================================
class TestGetSecurityStats:
def test_stats_all_zeros_empty(self, mock_db):
zero_row = MagicMock()
zero_row._mapping = {
"open": 0, "in_progress": 0, "resolved": 0, "accepted_risk": 0,
"critical": 0, "high": 0, "overdue": 0, "total": 0,
}
mock_db.execute.return_value.fetchone.return_value = zero_row
response = client.get("/security-backlog/stats")
assert response.status_code == 200
data = response.json()
assert data["total"] == 0
assert data["open"] == 0
assert data["critical"] == 0
assert data["overdue"] == 0
def test_stats_with_data(self, mock_db):
stats_row = make_stats_row()
mock_db.execute.return_value.fetchone.return_value = stats_row
response = client.get("/security-backlog/stats")
assert response.status_code == 200
data = response.json()
assert data["total"] == 6
assert data["open"] == 3
assert data["critical"] == 1
assert data["high"] == 2
assert data["overdue"] == 1
assert data["in_progress"] == 1
assert data["resolved"] == 2
assert data["accepted_risk"] == 0
def test_stats_none_values_become_zero(self, mock_db):
none_row = MagicMock()
none_row._mapping = {
"open": None, "in_progress": None, "resolved": None, "accepted_risk": None,
"critical": None, "high": None, "overdue": None, "total": None,
}
mock_db.execute.return_value.fetchone.return_value = none_row
response = client.get("/security-backlog/stats")
assert response.status_code == 200
data = response.json()
for key in ("open", "in_progress", "resolved", "accepted_risk", "critical", "high", "overdue", "total"):
assert data[key] == 0
def test_stats_with_tenant_header(self, mock_db):
stats_row = make_stats_row({"total": 1, "open": 1})
mock_db.execute.return_value.fetchone.return_value = stats_row
response = client.get(
"/security-backlog/stats",
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 200
assert response.json()["total"] == 1
# =============================================================================
# HTTP Tests — POST /security-backlog
# =============================================================================
class TestCreateSecurityItem:
def test_create_success(self, mock_db):
created_row = make_item_row({"title": "New Vulnerability"})
mock_db.execute.return_value.fetchone.return_value = created_row
response = client.post(
"/security-backlog",
json={"title": "New Vulnerability"},
)
assert response.status_code == 201
data = response.json()
assert data["title"] == "New Vulnerability"
assert data["id"] == ITEM_ID
mock_db.commit.assert_called_once()
def test_create_full_item(self, mock_db):
created_row = make_item_row({
"title": "CVE-2024-9999",
"type": "cve",
"severity": "critical",
"status": "open",
"cve": "CVE-2024-9999",
"cvss": 9.8,
})
mock_db.execute.return_value.fetchone.return_value = created_row
response = client.post("/security-backlog", json={
"title": "CVE-2024-9999",
"type": "cve",
"severity": "critical",
"cve": "CVE-2024-9999",
"cvss": 9.8,
})
assert response.status_code == 201
data = response.json()
assert data["severity"] == "critical"
assert data["cvss"] == 9.8
def test_create_missing_title_fails(self, mock_db):
response = client.post("/security-backlog", json={"severity": "high"})
assert response.status_code == 422
def test_create_with_tenant_header(self, mock_db):
created_row = make_item_row({"tenant_id": OTHER_TENANT})
mock_db.execute.return_value.fetchone.return_value = created_row
response = client.post(
"/security-backlog",
json={"title": "Tenant-specific item"},
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 201
assert mock_db.commit.called
def test_create_default_type_and_severity(self, mock_db):
created_row = make_item_row()
mock_db.execute.return_value.fetchone.return_value = created_row
response = client.post("/security-backlog", json={"title": "Basic item"})
assert response.status_code == 201
data = response.json()
assert data["type"] == "vulnerability"
assert data["severity"] == "medium"
assert data["status"] == "open"
# =============================================================================
# HTTP Tests — PUT /security-backlog/{id}
# =============================================================================
class TestUpdateSecurityItem:
def test_update_success(self, mock_db):
updated_row = make_item_row({"status": "resolved", "severity": "low"})
mock_db.execute.return_value.fetchone.return_value = updated_row
response = client.put(
f"/security-backlog/{ITEM_ID}",
json={"status": "resolved", "severity": "low"},
)
assert response.status_code == 200
data = response.json()
assert data["status"] == "resolved"
assert data["severity"] == "low"
mock_db.commit.assert_called_once()
def test_update_partial_title_only(self, mock_db):
updated_row = make_item_row({"title": "Updated Title"})
mock_db.execute.return_value.fetchone.return_value = updated_row
response = client.put(
f"/security-backlog/{ITEM_ID}",
json={"title": "Updated Title"},
)
assert response.status_code == 200
assert response.json()["title"] == "Updated Title"
def test_update_not_found_returns_404(self, mock_db):
mock_db.execute.return_value.fetchone.return_value = None
response = client.put(
"/security-backlog/nonexistent-id",
json={"status": "resolved"},
)
assert response.status_code == 404
assert "not found" in response.json()["detail"].lower()
def test_update_no_fields_returns_400(self, mock_db):
response = client.put(f"/security-backlog/{ITEM_ID}", json={})
assert response.status_code == 400
def test_update_with_tenant_header(self, mock_db):
updated_row = make_item_row({"tenant_id": OTHER_TENANT, "status": "in-progress"})
mock_db.execute.return_value.fetchone.return_value = updated_row
response = client.put(
f"/security-backlog/{ITEM_ID}",
json={"status": "in-progress"},
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 200
assert response.json()["status"] == "in-progress"
# =============================================================================
# HTTP Tests — DELETE /security-backlog/{id}
# =============================================================================
class TestDeleteSecurityItem:
def test_delete_success_204(self, mock_db):
delete_result = MagicMock()
delete_result.rowcount = 1
mock_db.execute.return_value = delete_result
response = client.delete(f"/security-backlog/{ITEM_ID}")
assert response.status_code == 204
mock_db.commit.assert_called_once()
def test_delete_not_found_returns_404(self, mock_db):
delete_result = MagicMock()
delete_result.rowcount = 0
mock_db.execute.return_value = delete_result
response = client.delete("/security-backlog/nonexistent-id")
assert response.status_code == 404
assert "not found" in response.json()["detail"].lower()
def test_delete_with_tenant_header(self, mock_db):
delete_result = MagicMock()
delete_result.rowcount = 1
mock_db.execute.return_value = delete_result
response = client.delete(
f"/security-backlog/{ITEM_ID}",
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 204
assert mock_db.commit.called
# =============================================================================
# Tenant Isolation Tests
# =============================================================================
class TestTenantIsolation:
def test_different_tenant_sees_different_items(self, mock_db):
"""Tenant A has 3 items, Tenant B has 0 — each sees only their own data."""
call_count = 0
def side_effect(query, params):
nonlocal call_count
result = MagicMock()
tid = params.get("tenant_id", "")
if tid == DEFAULT_TENANT:
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 3
result.fetchone.return_value = count_row
result.fetchall.return_value = [
make_item_row(),
make_item_row({"id": "aaaaaaaa-0002-0002-0002-000000000002"}),
make_item_row({"id": "aaaaaaaa-0003-0003-0003-000000000003"}),
]
else:
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 0
result.fetchone.return_value = count_row
result.fetchall.return_value = []
return result
mock_db.execute.side_effect = side_effect
resp_a = client.get(
"/security-backlog",
headers={"X-Tenant-Id": DEFAULT_TENANT},
)
assert resp_a.status_code == 200
assert resp_a.json()["total"] == 3
resp_b = client.get(
"/security-backlog",
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert resp_b.status_code == 200
assert resp_b.json()["total"] == 0
def test_invalid_tenant_header_falls_back_to_default(self, mock_db):
count_row = MagicMock()
count_row.__getitem__ = lambda self, i: 0
execute_result = MagicMock()
execute_result.fetchone.return_value = count_row
execute_result.fetchall.return_value = []
mock_db.execute.return_value = execute_result
response = client.get(
"/security-backlog",
headers={"X-Tenant-Id": "not-a-real-uuid"},
)
assert response.status_code == 200
# Should succeed (falls back to DEFAULT_TENANT_ID)
assert "items" in response.json()
def test_create_uses_tenant_from_header(self, mock_db):
created_row = make_item_row({"tenant_id": OTHER_TENANT})
mock_db.execute.return_value.fetchone.return_value = created_row
response = client.post(
"/security-backlog",
json={"title": "Tenant B item"},
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 201
assert mock_db.commit.called
def test_delete_tenant_isolation_not_found_for_wrong_tenant(self, mock_db):
"""Deleting an item that belongs to a different tenant returns 404."""
delete_result = MagicMock()
delete_result.rowcount = 0 # No rows deleted (item belongs to other tenant)
mock_db.execute.return_value = delete_result
response = client.delete(
f"/security-backlog/{ITEM_ID}",
headers={"X-Tenant-Id": OTHER_TENANT},
)
assert response.status_code == 404