fix(iwooos): add wazuh alert verifier readback
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / build-and-deploy (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / tests (push) Has been cancelled
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / build-and-deploy (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / tests (push) Has been cancelled
This commit is contained in:
@@ -22,13 +22,21 @@ def test_iwooos_security_tool_closure_readback_rolls_up_tool_tracks() -> None:
|
||||
assert payload["status"] == (
|
||||
"tool_closure_readback_ready_controlled_apply_policy_active"
|
||||
)
|
||||
assert payload["summary"]["source_readback_count"] == 7
|
||||
assert payload["summary"]["source_readback_count"] == 8
|
||||
assert payload["summary"]["tool_track_count"] == 8
|
||||
assert payload["summary"]["p0_tool_track_count"] == 3
|
||||
assert payload["summary"]["wazuh_expected_host_scope_count"] == 6
|
||||
assert payload["summary"]["wazuh_manager_registry_accepted_count"] == 6
|
||||
assert payload["summary"]["wazuh_registry_complete_count"] == 1
|
||||
assert payload["summary"]["wazuh_fim_vulnerability_alert_closed_count"] == 0
|
||||
assert (
|
||||
payload["summary"]["wazuh_fim_vulnerability_alert_verifier_ready_count"]
|
||||
== 0
|
||||
)
|
||||
assert (
|
||||
payload["summary"]["wazuh_fim_vulnerability_alert_verifier_ready_signal_count"]
|
||||
== 5
|
||||
)
|
||||
assert payload["summary"]["supply_chain_scan_closed_count"] == 0
|
||||
assert payload["summary"]["runtime_detection_closed_count"] == 0
|
||||
assert payload["summary"]["web_api_dast_closed_count"] == 0
|
||||
@@ -85,8 +93,8 @@ def test_iwooos_security_tool_closure_readback_marks_partial_vs_missing_tracks()
|
||||
assert tracks["wazuh_detection_response"]["closure_state"] == (
|
||||
"partial_readback_missing_verifier"
|
||||
)
|
||||
assert tracks["wazuh_detection_response"]["ready_signal_count"] == 1
|
||||
assert tracks["wazuh_detection_response"]["missing_signal_count"] == 5
|
||||
assert tracks["wazuh_detection_response"]["ready_signal_count"] == 5
|
||||
assert tracks["wazuh_detection_response"]["missing_signal_count"] == 1
|
||||
assert tracks["supply_chain_sbom_scan"]["closure_state"] == "required_not_closed"
|
||||
assert tracks["runtime_threat_detection"]["tool_ids"] == ["falco"]
|
||||
assert tracks["web_api_dast"]["tool_ids"] == ["owasp_zap_or_equivalent_dast"]
|
||||
@@ -107,7 +115,16 @@ def test_iwooos_security_tool_closure_readback_accepts_alert_receipt_signal() ->
|
||||
|
||||
assert payload["summary"]["alert_receipt_accepted_count"] == 1
|
||||
assert payload["summary"]["alert_receipt_observed_count"] == 1
|
||||
assert tracks["wazuh_detection_response"]["ready_signal_count"] == 2
|
||||
assert payload["summary"]["wazuh_fim_vulnerability_alert_closed_count"] == 1
|
||||
assert (
|
||||
payload["summary"]["wazuh_fim_vulnerability_alert_verifier_ready_count"]
|
||||
== 1
|
||||
)
|
||||
assert tracks["wazuh_detection_response"]["ready_signal_count"] == 6
|
||||
assert tracks["wazuh_detection_response"]["missing_signal_count"] == 0
|
||||
assert tracks["wazuh_detection_response"]["closure_state"] == (
|
||||
"ready_for_controlled_apply_candidate"
|
||||
)
|
||||
assert tracks["normalized_detection_schema"]["ready_signal_count"] == 1
|
||||
assert payload["summary"]["controlled_apply_policy_active_count"] == 1
|
||||
|
||||
@@ -133,6 +150,7 @@ def test_iwooos_security_tool_closure_readback_api_is_public_safe(monkeypatch) -
|
||||
assert data["schema_version"] == "iwooos_security_tool_closure_readback_v1"
|
||||
assert data["summary"]["tool_track_count"] == 8
|
||||
assert data["summary"]["alert_receipt_accepted_count"] == 1
|
||||
assert data["summary"]["wazuh_fim_vulnerability_alert_closed_count"] == 1
|
||||
assert data["summary"]["controlled_apply_policy_active_count"] == 1
|
||||
assert data["boundaries"]["controlled_apply_policy_active"] is True
|
||||
assert any(
|
||||
|
||||
@@ -0,0 +1,186 @@
|
||||
from __future__ import annotations
|
||||
|
||||
from fastapi import FastAPI
|
||||
from fastapi.testclient import TestClient
|
||||
|
||||
from src.api.v1.iwooos import router
|
||||
from src.services.iwooos_wazuh_fim_vulnerability_alert_verifier import (
|
||||
load_latest_iwooos_wazuh_fim_vulnerability_alert_verifier,
|
||||
validate_iwooos_wazuh_fim_vulnerability_alert_verifier_packet,
|
||||
)
|
||||
|
||||
|
||||
def _client() -> TestClient:
|
||||
app = FastAPI()
|
||||
app.include_router(router)
|
||||
return TestClient(app)
|
||||
|
||||
|
||||
def _alert_receipt() -> dict[str, object]:
|
||||
return {
|
||||
"events": [{"provider_event_id": "alertmanager:received:wazuh-verifier"}],
|
||||
"total": 1,
|
||||
"limit": 5,
|
||||
"source_status": "ready",
|
||||
}
|
||||
|
||||
|
||||
def _valid_verifier_packet() -> dict[str, object]:
|
||||
return {
|
||||
"verifier_role": "IwoooS reviewer",
|
||||
"decision": "accept_wazuh_fim_vulnerability_alert_verifier_for_review",
|
||||
"decision_reason": "FIM persistence, CVE KEV and alert receipt refs are redacted and reviewable.",
|
||||
"scope_aliases": ["managed_core_node_a", "managed_core_node_b"],
|
||||
"fim_persistence_evidence_refs": ["evidence-ref-fim-persistence"],
|
||||
"vulnerability_kev_evidence_refs": ["evidence-ref-kev-owner-sla"],
|
||||
"alert_receipt_ref": "evidence-ref-alertmanager-receipt",
|
||||
"source_snapshot_refs": [
|
||||
"docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json",
|
||||
"docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json",
|
||||
],
|
||||
"post_verifier_ref": "evidence-ref-wazuh-post-verifier",
|
||||
"reviewed_at": "2026-07-10T16:20:00+08:00",
|
||||
"followup_owner": "IwoooS reviewer",
|
||||
"rollback_owner": "IwoooS runtime owner",
|
||||
}
|
||||
|
||||
|
||||
def test_iwooos_wazuh_fim_vulnerability_alert_verifier_waits_for_alert_receipt() -> None:
|
||||
payload = load_latest_iwooos_wazuh_fim_vulnerability_alert_verifier()
|
||||
|
||||
assert (
|
||||
payload["schema_version"]
|
||||
== "iwooos_wazuh_fim_vulnerability_alert_verifier_readback_v1"
|
||||
)
|
||||
assert (
|
||||
payload["status"]
|
||||
== "wazuh_fim_vulnerability_alert_verifier_waiting_alert_receipt_or_refs"
|
||||
)
|
||||
assert payload["summary"]["wazuh_registry_complete_count"] == 1
|
||||
assert payload["summary"]["fim_persistence_signal_ready_count"] == 1
|
||||
assert payload["summary"]["vulnerability_kev_signal_ready_count"] == 1
|
||||
assert payload["summary"]["wazuh_siem_correlation_domain_ready_count"] == 1
|
||||
assert payload["summary"]["stable_dedupe_fingerprint_rule_count"] == 1
|
||||
assert payload["summary"]["alert_receipt_ready_count"] == 0
|
||||
assert payload["summary"]["verifier_ready_signal_count"] == 5
|
||||
assert payload["summary"]["wazuh_fim_vulnerability_alert_closed_count"] == 0
|
||||
assert payload["summary"]["runtime_gate_count"] == 0
|
||||
assert payload["boundaries"]["runtime_execution_authorized"] is False
|
||||
assert payload["boundaries"]["wazuh_active_response_authorized"] is False
|
||||
assert payload["boundaries"]["secret_value_collection_allowed"] is False
|
||||
|
||||
|
||||
def test_iwooos_wazuh_fim_vulnerability_alert_verifier_accepts_alert_receipt_signal() -> None:
|
||||
payload = load_latest_iwooos_wazuh_fim_vulnerability_alert_verifier(
|
||||
alert_receipt_readback=_alert_receipt()
|
||||
)
|
||||
|
||||
assert (
|
||||
payload["status"]
|
||||
== "wazuh_fim_vulnerability_alert_verifier_ready_no_runtime_action"
|
||||
)
|
||||
assert payload["summary"]["alert_receipt_accepted_count"] == 1
|
||||
assert payload["summary"]["alert_receipt_ready_count"] == 1
|
||||
assert payload["summary"]["verifier_ready_signal_count"] == 6
|
||||
assert (
|
||||
payload["summary"]["wazuh_fim_vulnerability_alert_verifier_ready_count"]
|
||||
== 1
|
||||
)
|
||||
assert payload["summary"]["wazuh_fim_vulnerability_alert_closed_count"] == 1
|
||||
assert all(item["ready"] is True for item in payload["verifier_items"])
|
||||
|
||||
|
||||
def test_iwooos_wazuh_fim_vulnerability_alert_verifier_api_is_public_safe(
|
||||
monkeypatch,
|
||||
) -> None:
|
||||
async def fake_recent_events(**_: object) -> dict[str, object]:
|
||||
return _alert_receipt()
|
||||
|
||||
monkeypatch.setattr(
|
||||
"src.api.v1.iwooos.list_recent_channel_events",
|
||||
fake_recent_events,
|
||||
)
|
||||
|
||||
response = _client().get("/api/v1/iwooos/wazuh-fim-vulnerability-alert-verifier")
|
||||
|
||||
assert response.status_code == 200
|
||||
data = response.json()
|
||||
assert (
|
||||
data["schema_version"]
|
||||
== "iwooos_wazuh_fim_vulnerability_alert_verifier_readback_v1"
|
||||
)
|
||||
assert data["summary"]["wazuh_fim_vulnerability_alert_closed_count"] == 1
|
||||
assert data["summary"]["active_response_authorized_count"] == 0
|
||||
assert data["summary"]["runtime_gate_count"] == 0
|
||||
assert data["boundaries"]["readback_endpoint_is_executor"] is False
|
||||
assert any(
|
||||
marker == "wazuh_fim_vulnerability_alert_closed_count=1"
|
||||
for marker in data["boundary_markers"]
|
||||
)
|
||||
assert "192.168.0." not in response.text
|
||||
assert "工作視窗" not in response.text
|
||||
assert "批准!繼續" not in response.text
|
||||
assert "source_thread_id" not in response.text
|
||||
assert "WAZUH_API_PASSWORD" not in response.text
|
||||
|
||||
|
||||
def test_iwooos_wazuh_fim_vulnerability_alert_verifier_packet_validation_accepts_redacted_packet() -> None:
|
||||
payload = validate_iwooos_wazuh_fim_vulnerability_alert_verifier_packet(
|
||||
_valid_verifier_packet()
|
||||
)
|
||||
|
||||
assert (
|
||||
payload["schema_version"]
|
||||
== "iwooos_wazuh_fim_vulnerability_alert_verifier_validation_result_v1"
|
||||
)
|
||||
assert payload["status"] == (
|
||||
"accepted_for_wazuh_fim_vulnerability_alert_verifier_review_only"
|
||||
)
|
||||
assert payload["accepted_for_verifier_review_only"] is True
|
||||
assert payload["summary"]["verifier_packet_review_ready_count"] == 1
|
||||
assert payload["summary"]["wazuh_fim_vulnerability_alert_closed_count"] == 0
|
||||
assert payload["summary"]["runtime_gate_count"] == 0
|
||||
assert payload["boundaries"]["payload_persisted"] is False
|
||||
assert payload["boundaries"]["verifier_readback_updated"] is False
|
||||
assert payload["boundaries"]["runtime_execution_authorized"] is False
|
||||
|
||||
|
||||
def test_iwooos_wazuh_fim_vulnerability_alert_verifier_packet_validation_requests_missing_fields() -> None:
|
||||
candidate = _valid_verifier_packet()
|
||||
candidate.pop("post_verifier_ref")
|
||||
|
||||
payload = validate_iwooos_wazuh_fim_vulnerability_alert_verifier_packet(candidate)
|
||||
|
||||
assert payload["status"] == "request_verifier_packet_supplement"
|
||||
assert payload["accepted_for_verifier_review_only"] is False
|
||||
assert payload["summary"]["verifier_packet_supplement_required_count"] == 1
|
||||
assert any(
|
||||
"post_verifier_ref" in finding["field_paths"]
|
||||
for finding in payload["validation_findings"]
|
||||
)
|
||||
|
||||
|
||||
def test_iwooos_wazuh_fim_vulnerability_alert_verifier_packet_validation_quarantines_sensitive_payload() -> None:
|
||||
candidate = _valid_verifier_packet()
|
||||
candidate["alert_receipt_ref"] = "receipt accidentally included 10.250.250.250"
|
||||
|
||||
payload = validate_iwooos_wazuh_fim_vulnerability_alert_verifier_packet(candidate)
|
||||
|
||||
assert payload["status"] == "quarantine_sensitive_payload"
|
||||
assert payload["quarantined"] is True
|
||||
assert payload["summary"]["verifier_packet_quarantined_count"] == 1
|
||||
assert "10.250.250.250" not in str(payload)
|
||||
assert any(finding["check_id"] == "WVA-04" for finding in payload["validation_findings"])
|
||||
|
||||
|
||||
def test_iwooos_wazuh_fim_vulnerability_alert_verifier_packet_validation_rejects_runtime_action_request() -> None:
|
||||
candidate = _valid_verifier_packet()
|
||||
candidate["requested_actions"] = ["wazuh_active_response"]
|
||||
|
||||
payload = validate_iwooos_wazuh_fim_vulnerability_alert_verifier_packet(candidate)
|
||||
|
||||
assert payload["status"] == "reject_runtime_action_request"
|
||||
assert payload["runtime_action_rejected"] is True
|
||||
assert payload["summary"]["verifier_packet_runtime_action_rejected_count"] == 1
|
||||
assert payload["summary"]["runtime_gate_count"] == 0
|
||||
assert any(finding["check_id"] == "WVA-05" for finding in payload["validation_findings"])
|
||||
Reference in New Issue
Block a user