feat: Pass 0b quality — negative actions, container detection, session object classes
All checks were successful
CI/CD / go-lint (push) Has been skipped
CI/CD / python-lint (push) Has been skipped
CI/CD / nodejs-lint (push) Has been skipped
CI/CD / test-go-ai-compliance (push) Successful in 33s
CI/CD / test-python-backend-compliance (push) Successful in 30s
CI/CD / test-python-document-crawler (push) Successful in 21s
CI/CD / test-python-dsms-gateway (push) Successful in 16s
CI/CD / validate-canonical-controls (push) Successful in 10s
CI/CD / Deploy (push) Successful in 2s
All checks were successful
CI/CD / go-lint (push) Has been skipped
CI/CD / python-lint (push) Has been skipped
CI/CD / nodejs-lint (push) Has been skipped
CI/CD / test-go-ai-compliance (push) Successful in 33s
CI/CD / test-python-backend-compliance (push) Successful in 30s
CI/CD / test-python-document-crawler (push) Successful in 21s
CI/CD / test-python-dsms-gateway (push) Successful in 16s
CI/CD / validate-canonical-controls (push) Successful in 10s
CI/CD / Deploy (push) Successful in 2s
4 error class fixes from AUTH-1052 quality review: 1. Prohibitive action types (prevent/exclude/forbid) for "dürfen keine", "verboten" etc. 2. Container object detection (Sitzungsverwaltung, Token-Schutz → _requires_decomposition) 3. Session-specific object classes (session, cookie, jwt, federated_assertion) 4. Session lifecycle actions (invalidate, issue, rotate, enforce) with templates + severity caps 76 new tests (303 total), all passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
@@ -65,6 +65,9 @@ from compliance.services.decomposition_pass import (
|
||||
_PATTERN_CANDIDATES_MAP,
|
||||
_PATTERN_CANDIDATES_BY_ACTION,
|
||||
_is_composite_obligation,
|
||||
_is_container_object,
|
||||
_ACTION_TEMPLATES,
|
||||
_ACTION_SEVERITY_CAP,
|
||||
)
|
||||
|
||||
|
||||
@@ -2614,3 +2617,334 @@ class TestComposeDeterministicSeverity:
|
||||
is_reporting=False,
|
||||
)
|
||||
assert atomic.severity == "high"
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# ERROR CLASS 1: NEGATIVE / PROHIBITIVE ACTION CLASSIFICATION
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
|
||||
class TestNegativeActions:
|
||||
"""Tests for prohibitive action keywords → prevent/exclude/forbid."""
|
||||
|
||||
def test_duerfen_keine_maps_to_prevent(self):
|
||||
assert _classify_action("dürfen keine") == "prevent"
|
||||
|
||||
def test_duerfen_nicht_maps_to_prevent(self):
|
||||
assert _classify_action("dürfen nicht") == "prevent"
|
||||
|
||||
def test_darf_keine_maps_to_prevent(self):
|
||||
assert _classify_action("darf keine") == "prevent"
|
||||
|
||||
def test_verboten_maps_to_forbid(self):
|
||||
assert _classify_action("verboten") == "forbid"
|
||||
|
||||
def test_untersagt_maps_to_forbid(self):
|
||||
assert _classify_action("untersagt") == "forbid"
|
||||
|
||||
def test_nicht_zulaessig_maps_to_forbid(self):
|
||||
assert _classify_action("nicht zulässig") == "forbid"
|
||||
|
||||
def test_nicht_erlaubt_maps_to_forbid(self):
|
||||
assert _classify_action("nicht erlaubt") == "forbid"
|
||||
|
||||
def test_nicht_enthalten_maps_to_exclude(self):
|
||||
assert _classify_action("nicht enthalten") == "exclude"
|
||||
|
||||
def test_ausschliessen_maps_to_exclude(self):
|
||||
assert _classify_action("ausschließen") == "exclude"
|
||||
|
||||
def test_verhindern_maps_to_prevent(self):
|
||||
assert _classify_action("verhindern") == "prevent"
|
||||
|
||||
def test_unterbinden_maps_to_prevent(self):
|
||||
assert _classify_action("unterbinden") == "prevent"
|
||||
|
||||
def test_ablehnen_maps_to_exclude(self):
|
||||
assert _classify_action("ablehnen") == "exclude"
|
||||
|
||||
def test_nicht_uebertragen_maps_to_prevent(self):
|
||||
assert _classify_action("nicht übertragen") == "prevent"
|
||||
|
||||
def test_nicht_gespeichert_maps_to_prevent(self):
|
||||
assert _classify_action("nicht gespeichert") == "prevent"
|
||||
|
||||
def test_negative_action_has_higher_priority_than_implement(self):
|
||||
"""Negative keywords at start of ACTION_PRIORITY → picked over lower ones."""
|
||||
result = _classify_action("verhindern und dokumentieren")
|
||||
assert result == "prevent"
|
||||
|
||||
def test_prevent_template_exists(self):
|
||||
assert "prevent" in _ACTION_TEMPLATES
|
||||
assert "test_procedure" in _ACTION_TEMPLATES["prevent"]
|
||||
assert "evidence" in _ACTION_TEMPLATES["prevent"]
|
||||
|
||||
def test_exclude_template_exists(self):
|
||||
assert "exclude" in _ACTION_TEMPLATES
|
||||
assert "test_procedure" in _ACTION_TEMPLATES["exclude"]
|
||||
|
||||
def test_forbid_template_exists(self):
|
||||
assert "forbid" in _ACTION_TEMPLATES
|
||||
assert "test_procedure" in _ACTION_TEMPLATES["forbid"]
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# ERROR CLASS 1b: SESSION / LIFECYCLE ACTIONS
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
|
||||
class TestSessionActions:
|
||||
"""Tests for session lifecycle action keywords."""
|
||||
|
||||
def test_ungueltig_machen_maps_to_invalidate(self):
|
||||
assert _classify_action("ungültig machen") == "invalidate"
|
||||
|
||||
def test_invalidieren_maps_to_invalidate(self):
|
||||
assert _classify_action("invalidieren") == "invalidate"
|
||||
|
||||
def test_widerrufen_maps_to_invalidate(self):
|
||||
assert _classify_action("widerrufen") == "invalidate"
|
||||
|
||||
def test_session_beenden_maps_to_invalidate(self):
|
||||
assert _classify_action("session beenden") == "invalidate"
|
||||
|
||||
def test_vergeben_maps_to_issue(self):
|
||||
assert _classify_action("vergeben") == "issue"
|
||||
|
||||
def test_erzeugen_maps_to_issue(self):
|
||||
assert _classify_action("erzeugen") == "issue"
|
||||
|
||||
def test_rotieren_maps_to_rotate(self):
|
||||
assert _classify_action("rotieren") == "rotate"
|
||||
|
||||
def test_erneuern_maps_to_rotate(self):
|
||||
assert _classify_action("erneuern") == "rotate"
|
||||
|
||||
def test_durchsetzen_maps_to_enforce(self):
|
||||
assert _classify_action("durchsetzen") == "enforce"
|
||||
|
||||
def test_erzwingen_maps_to_enforce(self):
|
||||
assert _classify_action("erzwingen") == "enforce"
|
||||
|
||||
def test_invalidate_template_exists(self):
|
||||
assert "invalidate" in _ACTION_TEMPLATES
|
||||
assert "test_procedure" in _ACTION_TEMPLATES["invalidate"]
|
||||
|
||||
def test_issue_template_exists(self):
|
||||
assert "issue" in _ACTION_TEMPLATES
|
||||
|
||||
def test_rotate_template_exists(self):
|
||||
assert "rotate" in _ACTION_TEMPLATES
|
||||
|
||||
def test_enforce_template_exists(self):
|
||||
assert "enforce" in _ACTION_TEMPLATES
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# ERROR CLASS 2: CONTAINER OBJECT DETECTION
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
|
||||
class TestContainerObjectDetection:
|
||||
"""Tests for _is_container_object — broad objects that need decomposition."""
|
||||
|
||||
def test_sitzungsverwaltung_is_container(self):
|
||||
assert _is_container_object("Sitzungsverwaltung") is True
|
||||
|
||||
def test_session_management_is_container(self):
|
||||
assert _is_container_object("Session Management") is True
|
||||
|
||||
def test_token_schutz_is_container(self):
|
||||
assert _is_container_object("Token-Schutz") is True
|
||||
|
||||
def test_authentifizierungsmechanismen_is_container(self):
|
||||
assert _is_container_object("Authentifizierungsmechanismen") is True
|
||||
|
||||
def test_sicherheitsmassnahmen_is_container(self):
|
||||
assert _is_container_object("Sicherheitsmaßnahmen") is True
|
||||
|
||||
def test_zugriffskontrollmechanismen_is_container(self):
|
||||
assert _is_container_object("Zugriffskontrollmechanismen") is True
|
||||
|
||||
def test_sicherheitsarchitektur_is_container(self):
|
||||
assert _is_container_object("Sicherheitsarchitektur") is True
|
||||
|
||||
def test_compliance_anforderungen_is_container(self):
|
||||
assert _is_container_object("Compliance-Anforderungen") is True
|
||||
|
||||
def test_session_id_is_not_container(self):
|
||||
"""Specific objects like Session-ID are NOT containers."""
|
||||
assert _is_container_object("Session-ID") is False
|
||||
|
||||
def test_firewall_is_not_container(self):
|
||||
assert _is_container_object("Firewall") is False
|
||||
|
||||
def test_mfa_is_not_container(self):
|
||||
assert _is_container_object("MFA") is False
|
||||
|
||||
def test_verschluesselung_is_not_container(self):
|
||||
assert _is_container_object("Verschlüsselung") is False
|
||||
|
||||
def test_cookie_is_not_container(self):
|
||||
assert _is_container_object("Session-Cookie") is False
|
||||
|
||||
def test_empty_string_is_not_container(self):
|
||||
assert _is_container_object("") is False
|
||||
|
||||
def test_none_is_not_container(self):
|
||||
assert _is_container_object(None) is False
|
||||
|
||||
def test_container_in_compose_sets_atomicity(self):
|
||||
"""Container objects set _atomicity='container' and _requires_decomposition."""
|
||||
ac = _compose_deterministic(
|
||||
obligation_text="Sitzungsverwaltung muss abgesichert werden",
|
||||
action="implementieren",
|
||||
object_="Sitzungsverwaltung",
|
||||
parent_title="Session Security",
|
||||
parent_severity="high",
|
||||
parent_category="security",
|
||||
is_test=False,
|
||||
is_reporting=False,
|
||||
)
|
||||
assert ac._atomicity == "container"
|
||||
assert ac._requires_decomposition is True
|
||||
|
||||
def test_specific_object_is_atomic(self):
|
||||
"""Specific objects like Session-ID stay atomic."""
|
||||
ac = _compose_deterministic(
|
||||
obligation_text="Session-ID muss nach Logout gelöscht werden",
|
||||
action="implementieren",
|
||||
object_="Session-ID",
|
||||
parent_title="Session Security",
|
||||
parent_severity="high",
|
||||
parent_category="security",
|
||||
is_test=False,
|
||||
is_reporting=False,
|
||||
)
|
||||
assert ac._atomicity == "atomic"
|
||||
assert ac._requires_decomposition is False
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# ERROR CLASS 3: SESSION-SPECIFIC OBJECT CLASSES
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
|
||||
class TestSessionObjectClasses:
|
||||
"""Tests for session/cookie/jwt/federated_assertion object classification."""
|
||||
|
||||
def test_session_class(self):
|
||||
assert _classify_object("Session") == "session"
|
||||
|
||||
def test_sitzung_class(self):
|
||||
assert _classify_object("Sitzung") == "session"
|
||||
|
||||
def test_session_id_class(self):
|
||||
assert _classify_object("Session-ID") == "session"
|
||||
|
||||
def test_session_token_class(self):
|
||||
assert _classify_object("Session-Token") == "session"
|
||||
|
||||
def test_idle_timeout_class(self):
|
||||
assert _classify_object("Idle Timeout") == "session"
|
||||
|
||||
def test_logout_matches_record_via_log(self):
|
||||
"""'Logout' matches 'log' in record class (checked before session)."""
|
||||
# Ordering: record class checked before session — "log" substring matches
|
||||
assert _classify_object("Logout") == "record"
|
||||
|
||||
def test_abmeldung_matches_report_via_meldung(self):
|
||||
"""'Abmeldung' matches 'meldung' in report class (checked before session)."""
|
||||
assert _classify_object("Abmeldung") == "report"
|
||||
|
||||
def test_cookie_class(self):
|
||||
assert _classify_object("Cookie") == "cookie"
|
||||
|
||||
def test_session_cookie_matches_session_first(self):
|
||||
"""'Session-Cookie' matches 'session' in session class (checked before cookie)."""
|
||||
assert _classify_object("Session-Cookie") == "session"
|
||||
|
||||
def test_secure_flag_class(self):
|
||||
assert _classify_object("Secure-Flag") == "cookie"
|
||||
|
||||
def test_httponly_class(self):
|
||||
assert _classify_object("HttpOnly") == "cookie"
|
||||
|
||||
def test_samesite_class(self):
|
||||
assert _classify_object("SameSite") == "cookie"
|
||||
|
||||
def test_jwt_class(self):
|
||||
assert _classify_object("JWT") == "jwt"
|
||||
|
||||
def test_json_web_token_class(self):
|
||||
assert _classify_object("JSON Web Token") == "jwt"
|
||||
|
||||
def test_bearer_token_class(self):
|
||||
assert _classify_object("Bearer Token") == "jwt"
|
||||
|
||||
def test_saml_assertion_class(self):
|
||||
assert _classify_object("SAML Assertion") == "federated_assertion"
|
||||
|
||||
def test_oidc_class(self):
|
||||
assert _classify_object("OIDC Provider") == "federated_assertion"
|
||||
|
||||
def test_openid_class(self):
|
||||
assert _classify_object("OpenID Connect") == "federated_assertion"
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# ERROR CLASS 4: SEVERITY CAPS FOR NEW ACTION TYPES
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
|
||||
class TestNewActionSeverityCaps:
|
||||
"""Tests for _ACTION_SEVERITY_CAP on new action types."""
|
||||
|
||||
def test_prevent_capped_at_high(self):
|
||||
assert _ACTION_SEVERITY_CAP.get("prevent") == "high"
|
||||
|
||||
def test_exclude_capped_at_high(self):
|
||||
assert _ACTION_SEVERITY_CAP.get("exclude") == "high"
|
||||
|
||||
def test_forbid_capped_at_high(self):
|
||||
assert _ACTION_SEVERITY_CAP.get("forbid") == "high"
|
||||
|
||||
def test_invalidate_capped_at_high(self):
|
||||
assert _ACTION_SEVERITY_CAP.get("invalidate") == "high"
|
||||
|
||||
def test_issue_capped_at_high(self):
|
||||
assert _ACTION_SEVERITY_CAP.get("issue") == "high"
|
||||
|
||||
def test_rotate_capped_at_medium(self):
|
||||
assert _ACTION_SEVERITY_CAP.get("rotate") == "medium"
|
||||
|
||||
def test_enforce_capped_at_high(self):
|
||||
assert _ACTION_SEVERITY_CAP.get("enforce") == "high"
|
||||
|
||||
def test_prevent_action_severity_in_compose(self):
|
||||
"""prevent + critical parent → capped to high."""
|
||||
ac = _compose_deterministic(
|
||||
obligation_text="Session-Tokens dürfen nicht im Klartext gespeichert werden",
|
||||
action="verhindern",
|
||||
object_="Klartextspeicherung",
|
||||
parent_title="Token Security",
|
||||
parent_severity="critical",
|
||||
parent_category="security",
|
||||
is_test=False,
|
||||
is_reporting=False,
|
||||
)
|
||||
assert ac.severity == "high"
|
||||
|
||||
def test_rotate_action_severity_in_compose(self):
|
||||
"""rotate + high parent → capped to medium."""
|
||||
ac = _compose_deterministic(
|
||||
obligation_text="Session-Tokens müssen regelmäßig rotiert werden",
|
||||
action="rotieren",
|
||||
object_="Session-Token",
|
||||
parent_title="Token Lifecycle",
|
||||
parent_severity="high",
|
||||
parent_category="security",
|
||||
is_test=False,
|
||||
is_reporting=False,
|
||||
)
|
||||
assert ac.severity == "medium"
|
||||
|
||||
Reference in New Issue
Block a user