awoooi/apps/api/tests/test_iwooos_security_control_coverage.py
Your Name e0a86b6254
feat(agents): route high risk through controlled automation
2026-06-26 19:19:40 +08:00


from __future__ import annotations
from fastapi import FastAPI
from fastapi.testclient import TestClient
from src.api.v1.iwooos import router
from src.services.iwooos_security_control_coverage import (
load_latest_iwooos_security_control_coverage,
)
def _client() -> TestClient:
    """Return a TestClient bound to a bare FastAPI app that mounts only the iwooos router.

    The app is constructed here rather than imported, so only the router's own
    routes are exercised; nothing else is registered on this app.
    """
    api = FastAPI()
    api.include_router(router)
    # NOTE(review): any middleware, auth dependency or response filtering that the
    # deployed application adds outside this router is not covered by tests using
    # this client; confirm the public-safety checks are also run against the real app.
    return TestClient(api)
def test_iwooos_security_control_coverage_rolls_up_core_scopes() -> None:
    """Pin the schema, status, summary counts and domain ids of the latest coverage snapshot.

    Every expected value is a literal, so any change to the committed snapshot
    has to be accompanied by an edit to this test.
    """
    report = load_latest_iwooos_security_control_coverage()

    assert report["schema_version"] == "iwooos_security_control_coverage_v1"
    assert report["status"] == "committed_scope_rollup_ready_with_controlled_apply_exception"

    # Summary counters, checked in the same order as they are listed.
    expected_counts = {
        "source_snapshot_count": 8,
        "control_domain_count": 8,
        "visible_scope_unit_count": 160,
        "asset_group_count": 16,
        "host_service_surface_count": 9,
        "monitoring_surface_count": 60,
        "ssh_network_surface_count": 16,
        "runtime_surface_count": 22,
        "wazuh_expected_host_scope_count": 6,
        "agent_bounty_product_surface_count": 7,
        "ai_agent_asset_count": 24,
    }
    for field, expected in expected_counts.items():
        assert report["summary"][field] == expected

    # Compare as a set: order and duplicates in the domain list are not checked.
    seen_domains = set()
    for entry in report["domains"]:
        seen_domains.add(entry["domain_id"])
    assert seen_domains == {
        "high_value_asset_control",
        "host_service_runtime",
        "monitoring_alerting_observability",
        "ssh_firewall_network_access",
        "awoooi_runtime_surfaces",
        "wazuh_managed_host_coverage",
        "agent_bounty_protocol",
        "ai_agent_automation",
    }
def test_iwooos_security_control_coverage_keeps_runtime_gates_closed() -> None:
    """Assert that the snapshot reports no accepted evidence and no opened runtime authorisation.

    All acceptance/authorisation counters must be zero, and the controlled-apply
    policy fields must hold the exact values pinned below.
    """
    payload = load_latest_iwooos_security_control_coverage()
    summary = payload["summary"]

    # Counters that must all read zero, checked in listed order.
    must_be_zero = (
        "actual_runtime_acceptance_percent",
        "runtime_gate_count",
        "owner_response_received_count",
        "owner_response_accepted_count",
        "live_evidence_accepted_count",
        "wazuh_manager_registry_accepted_count",
        "active_scan_authorized_count",
        "active_response_authorized_count",
        "telegram_send_authorized_count",
        "host_write_authorized_count",
        "secret_value_collected_count",
        "agent_bounty_runtime_gate_open_count",
        "ai_agent_runtime_write_gate_open_count",
    )
    for field in must_be_zero:
        assert summary[field] == 0

    # Identity checks: a truthy/falsy non-bool value would fail here.
    assert summary["all_scope_runtime_controlled"] is False
    # NOTE(review): this pins the ledger-bypass flag to True, so the test fails if the
    # bypass is ever closed. Presumably this is the "controlled_apply_exception" named
    # in the snapshot status; confirm that the exception is intended and tracked.
    assert summary["allowlisted_controlled_apply_bypasses_iwooos_ledger"] is True
    expected_policy = "low_medium_high_allowed_after_allowlist_check_mode_rollback_verifier_km"
    assert summary["controlled_apply_policy"] == expected_policy
    assert summary["critical_break_glass_required"] is True

    # Passes vacuously when "domains" is empty; this test does not check the list length.
    for entry in payload["domains"]:
        assert entry["accepted_count"] == 0
def test_iwooos_security_control_coverage_api_is_public_safe() -> None:
    """Fetch the coverage endpoint and check it serves the snapshot without listed internal markers.

    The leak check is a substring deny-list applied to the raw response text.
    """
    response = _client().get("/api/v1/iwooos/security-control-coverage")
    assert response.status_code == 200

    data = response.json()
    assert data["schema_version"] == "iwooos_security_control_coverage_v1"
    summary = data["summary"]
    assert summary["runtime_gate_count"] == 0
    assert summary["visible_scope_unit_count"] == 160
    assert "P0-01" in (action["priority"] for action in data["p0_next_actions"])

    # NOTE(review): only the literal prefix "192.168.0." is rejected. Other private
    # ranges (10/8, 172.16/12, the rest of 192.168/16), hostnames and IPv6 addresses
    # would pass this check; confirm whether the deny-list should be broader.
    # NOTE(review): the two non-ASCII markers are matched against the raw body, so they
    # would not be caught if the response serialised them as \uXXXX escapes; confirm
    # the encoder emits them unescaped, or check the decoded JSON values as well.
    body = response.text
    for marker in ("192.168.0.", "runtime_control_blocked", "工作視窗", "批准!繼續"):
        assert marker not in body