sneakygeek/SneakyScan
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

updating docs

Browse Source
This commit is contained in:
Phillip Tarrant
2025-11-17 15:50:15 -06:00
parent 72c4f3d29b
commit 456e052389
9 changed files with 166 additions and 8550 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
docs/ai/API_REFERENCE.md → docs/API_REFERENCE.md
View File

0
docs/ai/DEPLOYMENT.md → docs/DEPLOYMENT.md
View File

570
docs/ai/ROADMAP.md → docs/ROADMAP.md
View File

@@ -4,33 +4,19 @@
## Progress Overview ## Progress Overview
- ✅ **Phase 1: Foundation** - Complete (2025-11-13) - ✅ **Phase 1: Foundation** - Complete (2025-11-13)
- Database schema & SQLAlchemy models - Database schema, SQLAlchemy models, settings system, Flask app structure
- Settings system with encryption
- Flask app structure with API blueprints
- Docker deployment support
- ✅ **Phase 2: Flask Web App Core** - Complete (2025-11-14) - ✅ **Phase 2: Flask Web App Core** - Complete (2025-11-14)
- REST API for scan management (5 endpoints) - REST API, background jobs, authentication, web UI, testing (100 tests)
- Background job queue with APScheduler
- Session-based authentication system
- Basic UI templates (dashboard, scans, login)
- Comprehensive error handling and logging
- 100 tests passing (1,825 lines of test code)
- ✅ **Phase 3: Dashboard & Scheduling** - Complete (2025-11-14) - ✅ **Phase 3: Dashboard & Scheduling** - Complete (2025-11-14)
- Dashboard with summary stats and recent scans - Dashboard, scan history, scheduled scans, trend charts
- Scan history browser with detail pages
- Scheduled scan management UI
- Background scheduler with APScheduler
- Trend charts with Chart.js
- ✅ **Phase 4: Config Creator** - Complete (2025-11-17) - ✅ **Phase 4: Config Creator** - Complete (2025-11-17)
- CIDR-based config creation (simplified workflow) - CIDR-based config creation, YAML editor, config management UI
- YAML editor with CodeMirror (syntax highlighting) - 📋 **Phase 5: Email & Comparisons** - Next Up
- Config management UI (list, view, edit, download, delete) - Email notifications, alert rules, scan comparison
- Direct YAML upload for advanced users
- Full REST API for config operations
- Schedule dependency protection (delete blocking)
- 📋 **Phase 5: Email & Comparisons** - Next up
- 📋 **Phase 6: CLI as API Client** - Planned - 📋 **Phase 6: CLI as API Client** - Planned
- 📋 **Phase 7: Advanced Features** - Planned - CLI for scripting and automation via API
- 📋 **Phase 7: Advanced Features** - Future
- CVE integration, timeline view, PDF export, enhanced reports
## Recent Bug Fixes ## Recent Bug Fixes
@@ -55,16 +41,19 @@
## Vision & Goals ## Vision & Goals
SneakyScanner is evolving from a CLI-based network scanning tool into a comprehensive **Flask web application** for infrastructure monitoring and security auditing. The web application will provide: SneakyScanner is a comprehensive **Flask web application** for infrastructure monitoring and security auditing. The primary interface is the web GUI, with a CLI API client planned for scripting and automation needs.
**Core Features:**
- **Centralized dashboard** for viewing scan history and trends - **Centralized dashboard** for viewing scan history and trends
- **Scheduled scanning** for continuous infrastructure monitoring - **Scheduled scanning** for continuous infrastructure monitoring
- **Email notifications** for critical changes and certificate expirations - **Email notifications** for critical changes and certificate expirations (coming soon)
- **Historical analysis** with charts, graphs, and comparison reports - **Historical analysis** with charts, graphs, and comparison reports
- **Config creator** for easy CIDR-based scan configuration
- **RESTful API** for integration and automation - **RESTful API** for integration and automation
- **Simple deployment** using SQLite3 (single-user, self-hosted) - **Simple deployment** using SQLite3 (single-user, self-hosted)
The CLI scanner will evolve into an **API client**, maintaining backward compatibility while enabling web-based management and visualization. **Planned:**
- **CLI API client** for scripting and automation workflows (Phase 6)
## Target Users ## Target Users
@@ -391,441 +380,213 @@ All API endpoints return JSON and follow RESTful conventions.
### Phase 1: Foundation ✅ COMPLETE ### Phase 1: Foundation ✅ COMPLETE
**Completed:** 2025-11-13 **Completed:** 2025-11-13
**Priority: CRITICAL** - Database and settings infrastructure
**Goals:**
- ✅ Establish database schema
- ✅ Create settings system
- ✅ Set up Flask project structure
**Tasks:**
1. ✅ Create SQLite database schema (use Alembic for migrations)
2. ✅ Implement SQLAlchemy models for all tables (11 models)
3. ✅ Create database initialization script (`init_db.py`)
4. ✅ Implement settings system:
- ✅ Settings model with get/set methods
- ✅ Default settings initialization
- ✅ Encrypted storage for passwords (cryptography library + bcrypt)
- ✅ PasswordManager for bcrypt password hashing
5. ✅ Set up Flask project structure:
```
SneakyScanner/
├── src/
│ ├── scanner.py (existing)
│ ├── screenshot_capture.py (existing)
│ └── report_generator.py (existing)
├── web/ ✅ CREATED
│ ├── __init__.py ✅
│ ├── app.py (Flask app factory) ✅
│ ├── models.py (SQLAlchemy models) ✅
│ ├── api/ (API blueprints) ✅
│ │ ├── __init__.py ✅
│ │ ├── scans.py ✅
│ │ ├── schedules.py ✅
│ │ ├── alerts.py ✅
│ │ └── settings.py ✅ (Fully functional!)
│ ├── templates/ (Jinja2 templates) ✅
│ ├── static/ (CSS, JS, images) ✅
│ │ ├── css/ ✅
│ │ ├── js/ ✅
│ │ └── images/ ✅
│ └── utils/ (helpers, decorators) ✅
│ ├── __init__.py ✅
│ └── settings.py ✅
├── migrations/ (Alembic migrations) ✅
│ ├── env.py ✅
│ ├── script.py.mako ✅
│ └── versions/ ✅
│ └── 001_initial_schema.py ✅
├── alembic.ini ✅
├── configs/ (existing)
├── output/ (existing)
└── templates/ (existing - for reports)
```
6. ✅ Create `requirements-web.txt` for Flask dependencies
7. ✅ Update Dockerfile to support Flask app
8. ✅ Create `docker-compose-web.yml` for web deployment
9. ✅ Create `validate_phase1.py` for verification
**Deliverables:** **Deliverables:**
- ✅ Working database with schema (SQLite3 + Alembic migrations) - SQLite database with 11 tables (scans, sites, IPs, ports, services, certificates, TLS versions, schedules, alerts, alert_rules, settings)
- ✅ Settings CRUD functionality (with encryption for sensitive values) - SQLAlchemy ORM models with relationships
- ✅ Flask app skeleton with functional Settings API - Alembic migration system
- ✅ Database migration system (Alembic) - Settings system with encryption (bcrypt for passwords, Fernet for sensitive data)
- ✅ API blueprint stubs (scans, schedules, alerts, settings) - Flask app structure with API blueprints
- Docker support (Dockerfile updated, docker-compose-web.yml created) - Docker Compose deployment configuration
- Validation script for verification
**Testing:**
- ✅ Database creates successfully (`init_db.py` works)
- ✅ Settings can be stored/retrieved (encryption working)
- ✅ Flask app starts without errors (`python3 -m web.app` works)
- ✅ All validation checks pass (`validate_phase1.py` ✓)
- ✅ All 11 database models defined correctly
- ✅ Settings API endpoints functional and tested
**Documentation:**
- ✅ `PHASE1_COMPLETE.md` - Complete Phase 1 summary with API reference and deployment guide
- ✅ `validate_phase1.py` - Automated validation script
--- ---
### Phase 2: Flask Web App Core ✅ COMPLETE ### Phase 2: Flask Web App Core ✅ COMPLETE
**Completed:** 2025-11-14 **Completed:** 2025-11-14
**Duration:** 14 days (Weeks 3-4)
**Priority:** HIGH
**Goals:**
- ✅ Implement REST API for scans
- ✅ Add background job queue
- ✅ Create simple authentication
- ✅ Integrate scanner with database
**Deliverables Completed:**
- ✅ **REST API** - 5 scan endpoints (trigger, list, get, status, delete) + 3 settings endpoints
- ✅ **Background Jobs** - APScheduler with ThreadPoolExecutor (up to 3 concurrent scans)
- ✅ **Authentication** - Flask-Login session-based auth (login, logout, decorators)
- ✅ **Database Integration** - Complete scan results saved to normalized schema
- ✅ **Web UI** - Dashboard, scans list/detail, login, error templates
- ✅ **Error Handling** - Content negotiation (JSON/HTML), custom error pages, request IDs
- ✅ **Logging** - Rotating file handlers (10MB max), request timing, structured logs
- ✅ **Docker Deployment** - Production-ready docker-compose with healthcheck
- ✅ **Testing** - 100 test functions, 1,825 lines of test code, all passing
- ✅ **Documentation** - API_REFERENCE.md, DEPLOYMENT.md, PHASE2_COMPLETE.md
**Files Created:** 34 files, ~7,500+ lines of code
**Key Features:**
- Scans execute in background without blocking HTTP requests
- Status tracking: `running``completed`/`failed`
- Pagination and filtering for scan lists
- Complete scan details with all relationships (sites, IPs, ports, services, certs, TLS)
- Secure password hashing with bcrypt
- SQLite WAL mode for better concurrency
- Request IDs for debugging and correlation
- Comprehensive error handling for all HTTP status codes
**Testing Results:**
- ✅ All API endpoints tested (24 integration tests)
- ✅ Service layer tested (15 unit tests)
- ✅ Authentication tested (30+ tests)
- ✅ Background jobs tested (13 tests)
- ✅ Error handling tested (18+ tests)
- ✅ All 100 tests passing
**Documentation:**
- [PHASE2_COMPLETE.md](PHASE2_COMPLETE.md) - Complete Phase 2 summary
- [API_REFERENCE.md](API_REFERENCE.md) - Comprehensive API documentation
- [DEPLOYMENT.md](DEPLOYMENT.md) - Production deployment guide
- README.md updated with Phase 2 features
---
### Phase 3: Dashboard & Scheduling (Weeks 5-6)
**Priority: HIGH** - User's top requested features
**Goals:**
- Build web dashboard with scan history
- Implement trend charts
- Add scheduled scan management UI
- Real-time scan progress
**Tasks:**
1. Dashboard implementation:
- Summary cards (total scans, last scan, total IPs, open ports)
- Recent scans table (clickable to view details)
- Security warnings section (expiring certs, weak TLS)
- Drift alerts section (unexpected ports, new services)
2. Scan detail page:
- Display full scan results (sites, IPs, services)
- Embedded screenshots or links
- Download buttons (JSON, HTML, ZIP)
- Delete scan button
3. Trend charts with Chart.js:
- Port count over time (line chart)
- Service distribution (bar chart)
- Certificate expiration timeline (timeline chart)
- Charts update based on date range selector
4. Scheduled scans UI:
- List all schedules (table with enable/disable toggle)
- Create schedule form (name, config file, cron expression)
- Edit schedule form
- Delete schedule button
- Next run time display
5. APScheduler integration:
- Schedule manager class
- Load schedules from DB on app start
- Add/remove jobs dynamically
- Cron expression validation
- Update `next_run` and `last_run` in DB
6. Manual scan trigger:
- "Run Scan Now" button on dashboard
- Config file selector
- Show real-time progress (polling or WebSocket)
7. Navigation menu:
- Dashboard
- Scans
- Schedules
- Alerts (placeholder)
- Settings (placeholder)
**Deliverables:** **Deliverables:**
- Functional dashboard with charts - REST API with 8 endpoints (scans: trigger, list, get, status, delete; settings: get, update, test-email)
- Scan history browser - Background job queue using APScheduler (up to 3 concurrent scans)
- Scheduled scan management UI - Session-based authentication with Flask-Login
- Background scheduler running scans - Database integration for scan results (full normalized schema population)
- Web UI templates (dashboard, scan list/detail, login, error pages)
**Testing:** - Error handling with content negotiation (JSON/HTML) and request IDs
- Dashboard displays accurate summary stats - Logging system with rotating file handlers
- Charts render correctly with real data - Production Docker Compose deployment
- Scheduled scans execute at specified times - Comprehensive test suite (100 tests, all passing)
- Manual scan trigger works - Documentation (API_REFERENCE.md, DEPLOYMENT.md)
- Real-time progress updates
--- ---
### Phase 4: Email & Comparisons (Weeks 7-8) ### Phase 3: Dashboard & Scheduling ✅ COMPLETE
**Priority: MEDIUM** - Monitoring and analysis features **Completed:** 2025-11-14
**Deliverables:**
- Dashboard with summary stats (total scans, IPs, ports, services)
- Recent scans table with clickable details
- Scan detail page with full results display
- Historical trend charts using Chart.js (port counts over time)
- Scheduled scan management UI (create, edit, delete, enable/disable)
- Schedule execution with APScheduler and cron expressions
- Manual scan trigger from web UI
- Navigation menu (Dashboard, Scans, Schedules, Configs, Settings)
- Download buttons for scan reports (JSON, HTML, ZIP)
---
### Phase 4: Config Creator ✅ COMPLETE
**Completed:** 2025-11-17
**Deliverables:**
- CIDR-based config creation UI (simplified workflow for quick config generation)
- YAML editor with CodeMirror (syntax highlighting, line numbers)
- Config management UI (list, view, edit, download, delete)
- Direct YAML upload for advanced users
- REST API for config operations (7 endpoints: list, get, create, update, delete, upload, download)
- Schedule dependency protection (prevents deleting configs used by schedules)
- Comprehensive testing (25+ unit and integration tests)
---
### Phase 5: Email & Comparisons
**Status:** Next Up
**Priority:** MEDIUM
**Goals:** **Goals:**
- Implement email notification system - Implement email notification system
- Create scan comparison reports - Create scan comparison reports
- Add alert rule configuration - Add alert rule configuration
**Tasks:** **Planned Features:**
1. Email notification system: 1. **Email Notifications:**
- SMTP integration (using `smtplib` or `Flask-Mail`) - SMTP integration with configurable settings
- Email template for alerts (Jinja2 HTML email) - Alert email templates (Jinja2 HTML)
- Settings page for SMTP configuration - Test email functionality
- Test email button - Email triggers for critical events
2. Alert rule engine:
- Define alert rule types: 2. **Alert Rule Engine:**
- Unexpected TCP/UDP port opened - Alert types: unexpected ports, cert expiry, service changes, host down, weak TLS
- Expected port missing - Alert rule creation and management UI
- Certificate expiring in < N days - Automatic evaluation after each scan
- Certificate expired - Alert history with severity filtering
- Service version changed
- Ping failed (host down) 3. **Scan Comparison:**
- Weak TLS version detected (1.0/1.1)
- Alert rule creation UI
- Alert rule evaluation after each scan
- Store alerts in `alerts` table
3. Alert history page:
- List all alerts (filterable by type, severity, date)
- Mark alerts as "acknowledged"
- Alert detail view
4. Scan comparison:
- Compare two scans API endpoint - Compare two scans API endpoint
- Comparison algorithm: - Diff detection (new/removed ports, service changes, cert changes)
- New ports/services - Visual comparison UI with highlighting
- Removed ports/services - "Compare" button on scan list
- Service version changes
- Certificate changes
- TLS configuration changes
- Comparison report UI:
- Side-by-side view
- Diff highlighting (green = added, red = removed, yellow = changed)
- "Compare" button on scan list (select 2 scans)
5. Email notification triggers:
- Send email when alert rule triggered
- Daily digest email (summary of all alerts)
- Weekly scan summary email
6. Settings page:
- SMTP configuration form
- Alert rule management
- Email recipient list
- Test email button
**Deliverables:**
- Working email notification system
- Alert rules with email triggers
- Scan comparison functionality
- Settings UI for configuration
**Testing:**
- Email sends successfully with SMTP config
- Alert rules trigger correctly
- Comparison shows accurate diffs
- Settings persist correctly
--- ---
### Phase 5: CLI as API Client (Week 9) ### Phase 6: CLI as API Client
**Priority: MEDIUM** - Backward compatibility and automation **Status:** Planned
**Priority:** MEDIUM
**Goals:** **Goals:**
- Refactor CLI to optionally call Flask API - Create CLI API client for scripting and automation
- Maintain standalone mode for testing - Maintain standalone mode for testing
- API token authentication - API token authentication
**Tasks:** **Planned Features:**
1. API client mode for `scanner.py`: 1. **API Client Mode:**
- Add `--api-mode` flag - `--api-mode` flag to enable API client mode
- Add `--api-url` and `--api-token` arguments - `--api-url` and `--api-token` arguments
- When `--api-mode` enabled: - Trigger scans via API, poll for status, download results
- Send scan request to `POST /api/scans`
- Poll `GET /api/scans/{id}/status` for progress
- Download results when complete
- When `--api-mode` disabled (default):
- Run standalone as currently works
2. API token generation:
- UI to generate API tokens (settings page)
- Store tokens in `api_tokens` table (hashed)
- API token authentication middleware
- Token expiration and revocation
3. CLI documentation:
- Update README.md with API mode usage
- Example commands for API mode
- Token generation instructions
4. Benefits of API mode:
- Scans stored centrally in database - Scans stored centrally in database
- Standalone mode still available for testing
2. **API Token System:**
- Token generation UI in settings page
- Secure token storage (hashed in database)
- Token authentication middleware
- Token expiration and revocation
3. **Benefits:**
- Centralized scan history accessible via web dashboard
- No need to mount volumes for output - No need to mount volumes for output
- Scheduled scans managed through web UI - Scheduled scans managed through web UI
- Scan history accessible via web dashboard - Scriptable automation while leveraging web features
**Deliverables:**
- CLI with `--api-mode` flag
- API token system
- Updated documentation
**Testing:**
- CLI can trigger scan via API
- API token authentication works
- Standalone mode still functional
- Token revocation works
--- ---
### Phase 6: Advanced Features (Weeks 10+) ### Phase 7: Advanced Features
**Priority: LOW** - Nice-to-have enhancements **Status:** Future/Deferred
**Priority:** LOW
**Goals:** **Planned Features:**
- Enhanced interactive reports 1. **Enhanced Reports:**
- Vulnerability detection
- PDF export
- Timeline view
**Tasks:**
1. Enhanced HTML reports:
- Sortable/filterable tables (DataTables.js) - Sortable/filterable tables (DataTables.js)
- Inline screenshot thumbnails (lightbox on click) - Inline screenshot thumbnails with lightbox
- Export to PDF button (WeasyPrint or pdfkit) - PDF export (WeasyPrint)
- Print-friendly CSS
2. Vulnerability detection: 2. **Vulnerability Detection:**
- Integrate with CVE databases (NVD API or Vulners API) - CVE database integration (NVD API)
- Match detected services/versions to known CVEs - Service version matching to known CVEs
- Display CVE list with severity scores (CVSS) - CVSS severity scores
- CVE detail page with description, remediation - Alert rules for critical CVEs
- Alert rule for new critical CVEs
3. Timeline view: 3. **Timeline View:**
- Visual timeline of all scans - Visual scan history timeline
- Filter by site or IP - Filter by site/IP
- Click on timeline event to view scan - Event annotations
- Annotations for important events (cert renewals, config changes)
4. Advanced charts: 4. **Advanced Charts:**
- Heatmap of port activity - Port activity heatmap
- Service version tracking over time - Service version tracking
- Certificate expiration forecast - Certificate expiration forecast
- Top 10 services pie chart
5. Export/Import: 5. **Integrations:**
- Export scan data to CSV - Slack notifications
- Import scan configs from CSV - Webhook support
- Bulk schedule creation
6. Additional integrations:
- Slack notifications (in addition to email)
- Webhook support (POST to custom URL on events)
- Prometheus metrics export - Prometheus metrics export
- CSV export/import
**Deliverables:**
- Interactive sortable tables
- CVE integration
- PDF export
- Timeline view
- Additional integrations
**Testing:**
- DataTables work with large datasets
- CVE data fetches correctly
- PDF exports render properly
- Timeline view performs well with many scans
--- ---
## Migration Strategy ## Current Architecture
### From Current CLI to Web App **Primary Interface:** Web GUI (Phases 1-4 Complete)
- Full-featured Flask web application
- Dashboard, scan management, scheduling, config creator
- REST API for all operations
- Single-user deployment with SQLite
**Current State:** **Coming Soon:** CLI API Client (Phase 6 Planned)
- CLI tool (`scanner.py`) runs standalone - Thin client for scripting and automation
- Outputs JSON, HTML, ZIP files - Calls Flask API for scan operations
- No database, no web UI - Results stored centrally in database
- Access to all web features via command line
**Migration Path:** **Core Scanning Engine:**
- Masscan for port discovery
- Nmap for service detection
- Playwright for screenshots
- sslyze for SSL/TLS analysis
#### Step 1: Add Database Layer (Phase 1) **Deployment:**
- Database runs alongside CLI - Docker Compose for easy deployment
- CLI can optionally save to DB (flag: `--save-to-db`) - SQLite database (single-user, embedded)
- No breaking changes - Gunicorn WSGI server
- Optional Nginx reverse proxy
#### Step 2: Launch Web App (Phase 2-3)
- Web app reads from DB
- Users can trigger scans via web UI
- CLI still works standalone
#### Step 3: Transition Period (Phase 4-5)
- Users gradually adopt web UI
- CLI used for scripting/automation
- Both modes fully supported
#### Step 4: API Client Mode (Phase 5)
- CLI becomes thin API client
- All scans stored in central DB
- Standalone mode remains for testing
#### Step 5: Full Web App (Phase 6+)
- Primary interface is web UI
- CLI optional for power users
### Backward Compatibility
**Maintained:**
- Existing YAML config format
- JSON/HTML/ZIP output files
- Screenshot capture
- Docker deployment
**Deprecated (eventually):**
- Standalone CLI mode (Phase 6+)
- Direct file output (replaced by DB + API)
## Prioritized Feature List ## Prioritized Feature List
### Must-Have (Phases 1-3) ### Completed ✅ (Phases 1-4)
1. **Database foundation** (SQLite3 + SQLAlchemy) 1. **Database foundation** (SQLite3 + SQLAlchemy)
2. **Flask web app core** (REST API, authentication) 2. **Flask web app core** (REST API, authentication)
3. **Dashboard with scan history** (list, detail, delete) 3. **Dashboard with scan history** (list, detail, delete)
4. **Trend charts** (Chart.js - port counts, service distribution) 4. **Trend charts** (Chart.js - port counts over time)
5. **Scheduled scans** (APScheduler + cron expressions) 5. **Scheduled scans** (APScheduler + cron expressions)
6. **Manual scan trigger** (web UI button) 6. **Config creator** (CIDR-based, YAML editor)
### Should-Have (Phase 4) ### Next Up (Phase 5)
7. **Email notifications** (SMTP integration) 7. **Email notifications** (SMTP integration)
8. **Alert rules** (cert expiry, unexpected ports, etc.) 8. **Alert rules** (cert expiry, unexpected ports, etc.)
9. **Scan comparison reports** (diff view) 9. **Scan comparison reports** (diff view)
10. **Settings UI** (SMTP, alerts, retention)
### Nice-to-Have (Phases 5-6) ### Planned (Phase 6-7)
11. **CLI as API client** (token auth, backward compat) 10. **CLI as API client** (token auth, scripting)
12. **Sortable/filterable tables** (DataTables.js) 11. **Sortable/filterable tables** (DataTables.js)
13. **PDF export** (WeasyPrint) 12. **PDF export** (WeasyPrint)
14. **Vulnerability detection** (CVE integration) 13. **Vulnerability detection** (CVE integration)
15. **Timeline view** (visual scan history) 14. **Timeline view** (visual scan history)
16. **Embedded screenshot thumbnails** (lightbox)
### Future/Deferred ### Future/Deferred
17. **Multi-user support** (if requirements change) 15. **Multi-user support** (if requirements change)
18. **Slack/webhook integrations** 16. **Slack/webhook integrations**
19. **Prometheus metrics** 17. **Prometheus metrics**
20. **Mobile-responsive dashboard** (Bootstrap handles basics) 18. **Advanced charts** (heatmaps, forecasts)
## Development Workflow ## Development Workflow
@@ -900,7 +661,7 @@ All API endpoints return JSON and follow RESTful conventions.
- [ ] API tokens work for authentication - [ ] API tokens work for authentication
- [ ] Standalone CLI mode still functional - [ ] Standalone CLI mode still functional
### Phase 6+ Success ### Phase 7 Success (Advanced Features)
- [ ] CVE integration provides actionable vulnerability data - [ ] CVE integration provides actionable vulnerability data
- [ ] Timeline view helps track infrastructure changes - [ ] Timeline view helps track infrastructure changes
- [ ] PDF exports are shareable and professional - [ ] PDF exports are shareable and professional
@@ -947,6 +708,7 @@ All API endpoints return JSON and follow RESTful conventions.
| 2025-11-14 | 1.2 | **Phase 2 COMPLETE** - REST API (5 scan endpoints, 3 settings endpoints), background jobs (APScheduler), authentication (Flask-Login), web UI (dashboard, scans, login, errors), error handling (content negotiation, request IDs, logging), 100 tests passing, comprehensive documentation (API_REFERENCE.md, DEPLOYMENT.md, PHASE2_COMPLETE.md) | | 2025-11-14 | 1.2 | **Phase 2 COMPLETE** - REST API (5 scan endpoints, 3 settings endpoints), background jobs (APScheduler), authentication (Flask-Login), web UI (dashboard, scans, login, errors), error handling (content negotiation, request IDs, logging), 100 tests passing, comprehensive documentation (API_REFERENCE.md, DEPLOYMENT.md, PHASE2_COMPLETE.md) |
| 2025-11-17 | 1.3 | **Bug Fix** - Fixed Chart.js infinite canvas growth issue in scan detail page (duplicate initialization, missing chart.destroy(), missing fixed-height container) | | 2025-11-17 | 1.3 | **Bug Fix** - Fixed Chart.js infinite canvas growth issue in scan detail page (duplicate initialization, missing chart.destroy(), missing fixed-height container) |
| 2025-11-17 | 1.4 | **Phase 4 COMPLETE** - Config Creator with CIDR-based creation, YAML editor (CodeMirror), config management UI (list/edit/delete), REST API (7 endpoints), Docker volume permissions fix, comprehensive testing and documentation | | 2025-11-17 | 1.4 | **Phase 4 COMPLETE** - Config Creator with CIDR-based creation, YAML editor (CodeMirror), config management UI (list/edit/delete), REST API (7 endpoints), Docker volume permissions fix, comprehensive testing and documentation |
| 2025-11-17 | 1.5 | **Roadmap Compression** - Condensed completed phases (1-4) into concise summaries, updated project scope to emphasize web GUI frontend with CLI as API client coming soon (Phase 6), reorganized phases for clarity |
--- ---

876
docs/ai/MANUAL_TESTING.md
View File

@@ -1,876 +0,0 @@
# SneakyScanner Phase 2 - Manual Testing Checklist
**Version:** 2.0 (Phase 2)
**Last Updated:** 2025-11-14
This document provides a comprehensive manual testing checklist for validating the SneakyScanner web application. Use this checklist to verify all features work correctly before deployment or release.
---
## Table of Contents
1. [Prerequisites](#prerequisites)
2. [Deployment & Startup](#deployment--startup)
3. [Authentication](#authentication)
4. [Scan Management (Web UI)](#scan-management-web-ui)
5. [Scan Management (API)](#scan-management-api)
6. [Error Handling](#error-handling)
7. [Performance & Concurrency](#performance--concurrency)
8. [Data Persistence](#data-persistence)
9. [Security](#security)
10. [Cleanup](#cleanup)
---
## Prerequisites
Before starting manual testing:
- [ ] Docker and Docker Compose installed
- [ ] `.env` file configured with proper keys
- [ ] Test scan configuration available (e.g., `configs/example-site.yaml`)
- [ ] Network access for scanning (if using real targets)
- [ ] Browser for web UI testing (Chrome, Firefox, Safari, Edge)
- [ ] `curl` and `jq` for API testing
- [ ] At least 2GB free disk space for scan results
**Recommended Test Environment:**
- Clean database (no existing scans)
- Test config with 1-2 IPs, 2-3 expected ports
- Expected scan duration: 1-3 minutes
---
## Deployment & Startup
### Test 1: Environment Configuration
**Objective:** Verify environment variables are properly configured.
**Steps:**
1. Check `.env` file exists:
```bash
ls -la .env
```
2. Verify required keys are set (not defaults):
```bash
grep SECRET_KEY .env
grep SNEAKYSCANNER_ENCRYPTION_KEY .env
```
3. Verify keys are not default values:
```bash
grep -v "your-secret-key-here" .env | grep SECRET_KEY
```
**Expected Result:**
- [ ] `.env` file exists
- [ ] `SECRET_KEY` is set to unique value (not `your-secret-key-here`)
- [ ] `SNEAKYSCANNER_ENCRYPTION_KEY` is set to unique value
- [ ] All required environment variables present
### Test 2: Docker Compose Startup
**Objective:** Verify web application starts successfully.
**Steps:**
1. Start services:
```bash
docker-compose -f docker-compose-web.yml up -d
```
2. Check container status:
```bash
docker-compose -f docker-compose-web.yml ps
```
3. Check logs for errors:
```bash
docker-compose -f docker-compose-web.yml logs web | tail -50
```
4. Wait 30 seconds for healthcheck to pass
**Expected Result:**
- [ ] Container starts without errors
- [ ] Status shows "Up" or "healthy"
- [ ] No error messages in logs
- [ ] Port 5000 is listening
### Test 3: Health Check
**Objective:** Verify health check endpoint responds correctly.
**Steps:**
1. Call health endpoint:
```bash
curl -s http://localhost:5000/api/settings/health | jq '.'
```
**Expected Result:**
- [ ] HTTP 200 status code
- [ ] Response: `{"status": "healthy", "database": "connected"}`
- [ ] No authentication required
### Test 4: Database Initialization
**Objective:** Verify database was created and initialized.
**Steps:**
1. Check database file exists:
```bash
docker exec sneakyscanner_web ls -lh /app/data/sneakyscanner.db
```
2. Verify database has tables:
```bash
docker exec sneakyscanner_web sqlite3 /app/data/sneakyscanner.db ".tables"
```
**Expected Result:**
- [ ] Database file exists (`sneakyscanner.db`)
- [ ] Database file size > 0 bytes
- [ ] All 11 tables present: `scans`, `scan_sites`, `scan_ips`, `scan_ports`, `scan_services`, `scan_certificates`, `scan_tls_versions`, `schedules`, `alerts`, `alert_rules`, `settings`
---
## Authentication
### Test 5: Login Page Access
**Objective:** Verify unauthenticated users are redirected to login.
**Steps:**
1. Open browser to http://localhost:5000/dashboard (without logging in)
2. Observe redirect
**Expected Result:**
- [ ] Redirected to http://localhost:5000/login
- [ ] Login page displays correctly
- [ ] Dark theme applied (slate/grey colors)
- [ ] Username and password fields visible
- [ ] "Login" button visible
### Test 6: Login with Correct Password
**Objective:** Verify successful login flow.
**Steps:**
1. Navigate to http://localhost:5000/login
2. Enter password (default: `admin`)
3. Click "Login" button
**Expected Result:**
- [ ] Redirected to http://localhost:5000/dashboard
- [ ] No error messages
- [ ] Navigation bar shows "Dashboard", "Scans", "Settings", "Logout"
- [ ] Welcome message displayed
### Test 7: Login with Incorrect Password
**Objective:** Verify failed login handling.
**Steps:**
1. Navigate to http://localhost:5000/login
2. Enter incorrect password (e.g., `wrongpassword`)
3. Click "Login" button
**Expected Result:**
- [ ] Stays on login page (no redirect)
- [ ] Error message displayed: "Invalid password"
- [ ] Password field cleared
- [ ] Can retry login
### Test 8: Logout
**Objective:** Verify logout destroys session.
**Steps:**
1. Login successfully
2. Navigate to http://localhost:5000/dashboard
3. Click "Logout" in navigation bar
4. Try to access http://localhost:5000/dashboard again
**Expected Result:**
- [ ] Logout redirects to login page
- [ ] Flash message: "Logged out successfully"
- [ ] Session destroyed (redirected to login when accessing protected pages)
- [ ] Cannot access dashboard without re-logging in
### Test 9: API Authentication (Session Cookie)
**Objective:** Verify API endpoints require authentication.
**Steps:**
1. Call API endpoint without authentication:
```bash
curl -i http://localhost:5000/api/scans
```
2. Login and save session cookie:
```bash
curl -X POST http://localhost:5000/auth/login \
-H "Content-Type: application/json" \
-d '{"password":"admin"}' \
-c cookies.txt
```
3. Call API endpoint with session cookie:
```bash
curl -b cookies.txt http://localhost:5000/api/scans
```
**Expected Result:**
- [ ] Request without auth returns 401 Unauthorized
- [ ] Login returns 200 OK with session cookie
- [ ] Request with auth cookie returns 200 OK with scan data
---
## Scan Management (Web UI)
### Test 10: Dashboard Display
**Objective:** Verify dashboard loads and displays correctly.
**Steps:**
1. Login successfully
2. Navigate to http://localhost:5000/dashboard
3. Observe page content
**Expected Result:**
- [ ] Dashboard loads without errors
- [ ] Welcome message displayed
- [ ] "Run Scan Now" button visible
- [ ] Recent scans section visible (may be empty)
- [ ] Navigation works
### Test 11: Trigger Scan via Web UI
**Objective:** Verify scan can be triggered from dashboard.
**Steps:**
1. Login and go to dashboard
2. Click "Run Scan Now" button
3. Observe scan starts
4. Wait for scan to complete (1-3 minutes)
**Expected Result:**
- [ ] Scan starts (status shows "Running")
- [ ] Scan appears in recent scans list
- [ ] Scan ID assigned and displayed
- [ ] Status updates to "Completed" after scan finishes
- [ ] No error messages
**Note:** If "Run Scan Now" button not yet implemented, use API to trigger scan (Test 15).
### Test 12: View Scan List
**Objective:** Verify scan list page displays correctly.
**Steps:**
1. Login successfully
2. Navigate to http://localhost:5000/scans
3. Trigger at least 3 scans (via API or UI)
4. Refresh scan list page
**Expected Result:**
- [ ] Scan list page loads
- [ ] All scans displayed in table
- [ ] Columns: ID, Timestamp, Title, Status, Actions
- [ ] Pagination controls visible (if > 20 scans)
- [ ] Each scan has "View" and "Delete" buttons
### Test 13: View Scan Details
**Objective:** Verify scan detail page displays complete results.
**Steps:**
1. From scan list, click "View" on a completed scan
2. Observe scan details page
**Expected Result:**
- [ ] Scan details page loads (http://localhost:5000/scans/{id})
- [ ] Scan metadata displayed (ID, timestamp, duration, status)
- [ ] Sites section visible
- [ ] IPs section visible with ping status
- [ ] Ports section visible (TCP/UDP)
- [ ] Services section visible with product/version
- [ ] HTTPS services show certificate details (if applicable)
- [ ] TLS versions displayed (if applicable)
- [ ] Screenshot links work (if screenshots captured)
- [ ] Download buttons for JSON/HTML/ZIP files
### Test 14: Delete Scan via Web UI
**Objective:** Verify scan deletion removes all data and files.
**Steps:**
1. Login and navigate to scan list
2. Note a scan ID to delete
3. Click "Delete" button on scan
4. Confirm deletion
5. Check database and filesystem
**Expected Result:**
- [ ] Confirmation prompt appears
- [ ] After confirmation, scan removed from list
- [ ] Scan no longer appears in database
- [ ] JSON/HTML/ZIP files deleted from filesystem
- [ ] Screenshot directory deleted
- [ ] Success message displayed
---
## Scan Management (API)
### Test 15: Trigger Scan via API
**Objective:** Verify scan can be triggered via REST API.
**Steps:**
1. Login and save session cookie (see Test 9)
2. Trigger scan:
```bash
curl -X POST http://localhost:5000/api/scans \
-H "Content-Type: application/json" \
-d '{"config_file":"/app/configs/example-site.yaml"}' \
-b cookies.txt | jq '.'
```
3. Note the `scan_id` from response
**Expected Result:**
- [ ] HTTP 201 Created response
- [ ] Response includes `scan_id` (integer)
- [ ] Response includes `status: "running"`
- [ ] Response includes `message: "Scan queued successfully"`
### Test 16: Poll Scan Status
**Objective:** Verify scan status can be polled via API.
**Steps:**
1. Trigger a scan (Test 15) and note `scan_id`
2. Poll status immediately:
```bash
curl -b cookies.txt http://localhost:5000/api/scans/{scan_id}/status | jq '.'
```
3. Wait 30 seconds and poll again
4. Continue polling until status is `completed` or `failed`
**Expected Result:**
- [ ] Initial status: `"running"`
- [ ] Response includes `started_at` timestamp
- [ ] Response includes `completed_at: null` while running
- [ ] After completion: status changes to `"completed"` or `"failed"`
- [ ] `completed_at` timestamp set when done
- [ ] If failed, `error_message` is present
### Test 17: Get Scan Details via API
**Objective:** Verify complete scan details can be retrieved via API.
**Steps:**
1. Trigger a scan and wait for completion
2. Get scan details:
```bash
curl -b cookies.txt http://localhost:5000/api/scans/{scan_id} | jq '.'
```
**Expected Result:**
- [ ] HTTP 200 OK response
- [ ] Response includes all scan metadata (id, timestamp, duration, status, title)
- [ ] Response includes file paths (json_path, html_path, zip_path, screenshot_dir)
- [ ] Response includes `sites` array
- [ ] Each site includes `ips` array
- [ ] Each IP includes `ports` array
- [ ] Each port includes `services` array
- [ ] HTTPS services include `certificates` array (if applicable)
- [ ] Certificates include `tls_versions` array (if applicable)
- [ ] All relationships properly nested
### Test 18: List Scans with Pagination
**Objective:** Verify scan list API supports pagination.
**Steps:**
1. Trigger at least 25 scans
2. List first page:
```bash
curl -b cookies.txt "http://localhost:5000/api/scans?page=1&per_page=20" | jq '.'
```
3. List second page:
```bash
curl -b cookies.txt "http://localhost:5000/api/scans?page=2&per_page=20" | jq '.'
```
**Expected Result:**
- [ ] First page returns 20 scans
- [ ] Response includes `total` (total count)
- [ ] Response includes `page: 1` and `pages` (total pages)
- [ ] Response includes `per_page: 20`
- [ ] Second page returns remaining scans
- [ ] No duplicate scans between pages
### Test 19: Filter Scans by Status
**Objective:** Verify scan list can be filtered by status.
**Steps:**
1. Trigger scans with different statuses (running, completed, failed)
2. Filter by running:
```bash
curl -b cookies.txt "http://localhost:5000/api/scans?status=running" | jq '.'
```
3. Filter by completed:
```bash
curl -b cookies.txt "http://localhost:5000/api/scans?status=completed" | jq '.'
```
4. Filter by failed:
```bash
curl -b cookies.txt "http://localhost:5000/api/scans?status=failed" | jq '.'
```
**Expected Result:**
- [ ] Each filter returns only scans with matching status
- [ ] Total count reflects filtered results
- [ ] Empty status filter returns all scans
### Test 20: Delete Scan via API
**Objective:** Verify scan deletion via REST API.
**Steps:**
1. Trigger a scan and wait for completion
2. Note the `scan_id`
3. Delete scan:
```bash
curl -X DELETE -b cookies.txt http://localhost:5000/api/scans/{scan_id} | jq '.'
```
4. Verify deletion:
```bash
curl -b cookies.txt http://localhost:5000/api/scans/{scan_id}
```
5. Check filesystem for scan files
**Expected Result:**
- [ ] Delete returns HTTP 200 OK
- [ ] Delete response: `{"message": "Scan {id} deleted successfully"}`
- [ ] Subsequent GET returns HTTP 404 Not Found
- [ ] JSON/HTML/ZIP files deleted from filesystem
- [ ] Screenshot directory deleted
- [ ] Database record removed
---
## Error Handling
### Test 21: Invalid Config File
**Objective:** Verify proper error handling for invalid config files.
**Steps:**
1. Trigger scan with non-existent config:
```bash
curl -X POST http://localhost:5000/api/scans \
-H "Content-Type: application/json" \
-d '{"config_file":"/app/configs/nonexistent.yaml"}' \
-b cookies.txt | jq '.'
```
**Expected Result:**
- [ ] HTTP 400 Bad Request
- [ ] Response includes `error` and `message` fields
- [ ] Error message indicates config file invalid/not found
- [ ] No scan record created in database
### Test 22: Missing Required Field
**Objective:** Verify API validates required fields.
**Steps:**
1. Trigger scan without config_file:
```bash
curl -X POST http://localhost:5000/api/scans \
-H "Content-Type: application/json" \
-d '{}' \
-b cookies.txt | jq '.'
```
**Expected Result:**
- [ ] HTTP 400 Bad Request
- [ ] Error message indicates missing required field
### Test 23: Non-Existent Scan ID
**Objective:** Verify 404 handling for non-existent scans.
**Steps:**
1. Get scan with invalid ID:
```bash
curl -b cookies.txt http://localhost:5000/api/scans/99999 | jq '.'
```
**Expected Result:**
- [ ] HTTP 404 Not Found
- [ ] Response: `{"error": "Scan not found", "message": "Scan with ID 99999 does not exist"}`
### Test 24: Invalid Pagination Parameters
**Objective:** Verify pagination parameter validation.
**Steps:**
1. Request with invalid page number:
```bash
curl -b cookies.txt "http://localhost:5000/api/scans?page=-1" | jq '.'
```
2. Request with invalid per_page:
```bash
curl -b cookies.txt "http://localhost:5000/api/scans?per_page=1000" | jq '.'
```
**Expected Result:**
- [ ] HTTP 400 Bad Request for negative page
- [ ] per_page capped at maximum (100)
- [ ] Error message indicates validation failure
### Test 25: Content Negotiation
**Objective:** Verify API returns JSON and web UI returns HTML for errors.
**Steps:**
1. Access non-existent scan via API:
```bash
curl -H "Accept: application/json" http://localhost:5000/api/scans/99999
```
2. Access non-existent scan via browser:
- Open http://localhost:5000/scans/99999 in browser
**Expected Result:**
- [ ] API request returns JSON error
- [ ] Browser request returns HTML error page
- [ ] HTML error page matches dark theme
- [ ] HTML error page has navigation back to dashboard
### Test 26: Error Templates
**Objective:** Verify custom error templates render correctly.
**Steps:**
1. Trigger 400 error (bad request)
2. Trigger 401 error (unauthorized - access API without login)
3. Trigger 404 error (non-existent page - http://localhost:5000/nonexistent)
4. Trigger 405 error (method not allowed - POST to GET-only endpoint)
**Expected Result:**
- [ ] Each error displays custom error page
- [ ] Error pages use dark theme
- [ ] Error pages include error code and message
- [ ] Error pages have "Back to Dashboard" link
- [ ] Navigation bar visible on error pages (if authenticated)
### Test 27: Request ID Tracking
**Objective:** Verify request IDs are generated and included in responses.
**Steps:**
1. Make API request and check headers:
```bash
curl -i -b cookies.txt http://localhost:5000/api/scans
```
**Expected Result:**
- [ ] Response includes `X-Request-ID` header
- [ ] Request ID is 8-character hex string
- [ ] Response includes `X-Request-Duration-Ms` header
- [ ] Duration is positive integer (milliseconds)
### Test 28: Logging
**Objective:** Verify requests are logged with request IDs.
**Steps:**
1. Make API request
2. Check logs:
```bash
docker-compose -f docker-compose-web.yml logs web | tail -20
```
**Expected Result:**
- [ ] Logs include request ID in brackets `[a1b2c3d4]`
- [ ] Logs include HTTP method, path, status code
- [ ] Logs include request duration in milliseconds
- [ ] Error logs include stack traces (if applicable)
---
## Performance & Concurrency
### Test 29: Concurrent Scans
**Objective:** Verify multiple scans can run concurrently.
**Steps:**
1. Trigger 3 scans simultaneously:
```bash
curl -X POST http://localhost:5000/api/scans \
-H "Content-Type: application/json" \
-d '{"config_file":"/app/configs/example-site.yaml"}' \
-b cookies.txt &
curl -X POST http://localhost:5000/api/scans \
-H "Content-Type: application/json" \
-d '{"config_file":"/app/configs/example-site.yaml"}' \
-b cookies.txt &
curl -X POST http://localhost:5000/api/scans \
-H "Content-Type: application/json" \
-d '{"config_file":"/app/configs/example-site.yaml"}' \
-b cookies.txt &
```
2. Check all scans are running:
```bash
curl -b cookies.txt "http://localhost:5000/api/scans?status=running" | jq '.total'
```
**Expected Result:**
- [ ] All 3 scans start successfully
- [ ] All 3 scans have status "running"
- [ ] No database locking errors in logs
- [ ] All 3 scans eventually complete
### Test 30: API Responsiveness During Scan
**Objective:** Verify web UI and API remain responsive during long-running scans.
**Steps:**
1. Trigger a long-running scan (5+ minutes)
2. While scan is running, perform these actions:
- Navigate to dashboard
- List scans via API
- Get scan status via API
- Login/logout
**Expected Result:**
- [ ] Web UI loads quickly (< 2 seconds)
- [ ] API requests respond quickly (< 500ms)
- [ ] No timeouts or slow responses
- [ ] Background scan does not block HTTP requests
---
## Data Persistence
### Test 31: Database Persistence Across Restarts
**Objective:** Verify database persists across container restarts.
**Steps:**
1. Trigger a scan and wait for completion
2. Note the scan ID
3. Restart container:
```bash
docker-compose -f docker-compose-web.yml restart web
```
4. Wait for container to restart (check health)
5. Query scan via API
**Expected Result:**
- [ ] Container restarts successfully
- [ ] Database file persists
- [ ] Scan still accessible after restart
- [ ] All scan data intact
### Test 32: File Persistence
**Objective:** Verify scan files persist in volume.
**Steps:**
1. Trigger a scan and wait for completion
2. Note the file paths (JSON, HTML, ZIP, screenshots)
3. Verify files exist:
```bash
docker exec sneakyscanner_web ls -lh /app/output/scan_report_*.json
```
4. Restart container
5. Verify files still exist
**Expected Result:**
- [ ] All scan files created (JSON, HTML, ZIP, screenshots)
- [ ] Files persist after container restart
- [ ] Files accessible from host (mounted volume)
- [ ] File sizes are non-zero
---
## Security
### Test 33: Password Hashing
**Objective:** Verify passwords are hashed with bcrypt.
**Steps:**
1. Check password in database:
```bash
docker exec sneakyscanner_web sqlite3 /app/data/sneakyscanner.db \
"SELECT value FROM settings WHERE key='app_password';"
```
**Expected Result:**
- [ ] Password is not stored in plaintext
- [ ] Password starts with `$2b$` (bcrypt hash)
- [ ] Hash is ~60 characters long
### Test 34: Session Cookie Security
**Objective:** Verify session cookies have secure attributes (in production).
**Steps:**
1. Login via browser (with developer tools open)
2. Inspect cookies (Application > Cookies)
3. Check session cookie attributes
**Expected Result:**
- [ ] Session cookie has `HttpOnly` flag
- [ ] Session cookie has `Secure` flag (if HTTPS)
- [ ] Session cookie has `SameSite` attribute
- [ ] Session cookie expires on logout
### Test 35: SQL Injection Protection
**Objective:** Verify inputs are sanitized against SQL injection.
**Steps:**
1. Attempt SQL injection in scan list filter:
```bash
curl -b cookies.txt "http://localhost:5000/api/scans?status='; DROP TABLE scans; --"
```
2. Check database is intact:
```bash
docker exec sneakyscanner_web sqlite3 /app/data/sneakyscanner.db ".tables"
```
**Expected Result:**
- [ ] No SQL injection occurs
- [ ] Database tables intact
- [ ] API returns validation error or empty results
- [ ] No database errors in logs
### Test 36: File Path Traversal Protection
**Objective:** Verify config file paths are validated against path traversal.
**Steps:**
1. Attempt path traversal in config_file:
```bash
curl -X POST http://localhost:5000/api/scans \
-H "Content-Type: application/json" \
-d '{"config_file":"../../../etc/passwd"}' \
-b cookies.txt
```
**Expected Result:**
- [ ] Request rejected with 400 Bad Request
- [ ] Error message indicates invalid config file
- [ ] No file outside /app/configs accessed
- [ ] Security error logged
---
## Cleanup
### Test 37: Stop Services
**Objective:** Gracefully stop all services.
**Steps:**
1. Stop services:
```bash
docker-compose -f docker-compose-web.yml down
```
2. Verify containers stopped:
```bash
docker-compose -f docker-compose-web.yml ps
```
**Expected Result:**
- [ ] Services stop gracefully (no kill signals)
- [ ] All containers stopped
- [ ] No error messages in logs
- [ ] Volumes preserved (data, output, logs, configs)
### Test 38: Volume Cleanup (Optional)
**Objective:** Remove all data volumes (only if needed).
**Steps:**
1. Stop and remove volumes:
```bash
docker-compose -f docker-compose-web.yml down -v
```
2. Verify volumes removed:
```bash
docker volume ls | grep sneakyscanner
```
**Expected Result:**
- [ ] All volumes removed
- [ ] Database deleted
- [ ] Scan results deleted
- [ ] Logs deleted
**Warning:** This is destructive and removes all data!
---
## Summary
### Test Results Summary
Total Tests: 38
| Category | Tests | Passed | Failed |
|----------|-------|--------|--------|
| Deployment & Startup | 4 | | |
| Authentication | 5 | | |
| Scan Management (Web UI) | 5 | | |
| Scan Management (API) | 6 | | |
| Error Handling | 8 | | |
| Performance & Concurrency | 2 | | |
| Data Persistence | 2 | | |
| Security | 4 | | |
| Cleanup | 2 | | |
| **Total** | **38** | | |
### Critical Tests (Must Pass)
These tests are critical and must pass for Phase 2 to be considered complete:
- [ ] Test 2: Docker Compose Startup
- [ ] Test 3: Health Check
- [ ] Test 6: Login with Correct Password
- [ ] Test 15: Trigger Scan via API
- [ ] Test 16: Poll Scan Status
- [ ] Test 17: Get Scan Details via API
- [ ] Test 18: List Scans with Pagination
- [ ] Test 20: Delete Scan via API
- [ ] Test 29: Concurrent Scans
- [ ] Test 31: Database Persistence Across Restarts
### Known Issues
Document any known issues or test failures here:
1. **Issue:** [Description]
- **Severity:** Critical | High | Medium | Low
- **Workaround:** [Workaround if available]
- **Fix:** [Planned fix]
---
## Notes
- Tests should be run in order, as later tests may depend on earlier setup
- Some tests require multiple scans - consider batch creating scans for efficiency
- Performance tests are environment-dependent (Docker resources, network speed)
- Security tests are basic - professional security audit recommended for production
- Manual testing complements automated tests - both are important
---
**Manual Testing Checklist Version:** 1.0
**Phase:** 2 - Flask Web App Core
**Last Updated:** 2025-11-14

404
docs/ai/PHASE1_COMPLETE.md
View File

@@ -1,404 +0,0 @@
# Phase 1: Foundation - COMPLETE ✓
**Date Completed:** 2025-11-13
Phase 1 of the SneakyScanner roadmap has been successfully implemented. This document summarizes what was delivered and how to use the new infrastructure.
---
## ✓ Deliverables Completed
### 1. Database Schema & Models
- **SQLAlchemy models** for all 11 database tables (`web/models.py`)
- Core tables: `Scan`, `ScanSite`, `ScanIP`, `ScanPort`, `ScanService`, `ScanCertificate`, `ScanTLSVersion`
- Scheduling tables: `Schedule`, `Alert`, `AlertRule`
- Configuration: `Setting`
- **Alembic migrations** system configured (`migrations/`)
- **Initial migration** created (`migrations/versions/001_initial_schema.py`)
### 2. Settings System with Encryption
- **SettingsManager** class with CRUD operations (`web/utils/settings.py`)
- **Automatic encryption** for sensitive values (SMTP passwords, API tokens)
- **PasswordManager** for bcrypt password hashing
- **Default settings initialization** for SMTP, authentication, retention policies
### 3. Flask Application Structure
- **Flask app factory** pattern implemented (`web/app.py`)
- **API blueprints** for all major endpoints:
- `/api/scans` - Scan management (stub for Phase 2)
- `/api/schedules` - Schedule management (stub for Phase 3)
- `/api/alerts` - Alert management (stub for Phase 4)
- `/api/settings` - Settings API (functional in Phase 1!)
- **Error handlers** for common HTTP status codes
- **CORS support** for API access
- **Logging** to file and console
- **Database session management** with scoped sessions
### 4. Database Initialization
- **init_db.py** script for easy database setup
- Supports both Alembic migrations and direct table creation
- Password setting during initialization
- Database verification and settings display
### 5. Docker Support
- **Updated Dockerfile** with Flask dependencies
- **docker-compose-web.yml** for running the web application
- Separate service definition for database initialization
- Volume mounts for persistence (database, output, logs)
### 6. Validation & Testing
- **validate_phase1.py** script to verify all deliverables
- Validates directory structure, files, Python syntax, models, and API endpoints
- All checks passing ✓
---
## 📁 New Project Structure
```
SneakyScanner/
├── web/ # Flask web application (NEW)
│ ├── __init__.py
│ ├── app.py # Flask app factory
│ ├── models.py # SQLAlchemy models (11 tables)
│ ├── api/ # API blueprints
│ │ ├── __init__.py
│ │ ├── scans.py # Scans API
│ │ ├── schedules.py # Schedules API
│ │ ├── alerts.py # Alerts API
│ │ └── settings.py # Settings API (functional!)
│ ├── templates/ # Jinja2 templates (for Phase 3)
│ ├── static/ # CSS, JS, images (for Phase 3)
│ │ ├── css/
│ │ ├── js/
│ │ └── images/
│ └── utils/ # Utility modules
│ ├── __init__.py
│ └── settings.py # Settings manager with encryption
├── migrations/ # Alembic migrations (NEW)
│ ├── env.py # Alembic environment
│ ├── script.py.mako # Migration template
│ └── versions/
│ └── 001_initial_schema.py # Initial database migration
├── alembic.ini # Alembic configuration (NEW)
├── init_db.py # Database initialization script (NEW)
├── validate_phase1.py # Phase 1 validation script (NEW)
├── requirements-web.txt # Flask dependencies (NEW)
├── docker-compose-web.yml # Docker Compose for web app (NEW)
├── Dockerfile # Updated with Flask support
├── src/ # Existing scanner code (unchanged)
├── templates/ # Existing report templates (unchanged)
├── configs/ # Existing YAML configs (unchanged)
└── output/ # Existing scan outputs (unchanged)
```
---
## 🚀 Getting Started
### Option 1: Local Development (without Docker)
#### 1. Install Dependencies
```bash
# Install Flask and web dependencies
pip install -r requirements-web.txt
```
#### 2. Initialize Database
```bash
# Create database and set password
python3 init_db.py --password YOUR_SECURE_PASSWORD
# Verify database
python3 init_db.py --verify-only
```
#### 3. Run Flask Application
```bash
# Run development server
python3 -m web.app
# Application will be available at http://localhost:5000
```
#### 4. Test API Endpoints
```bash
# Health check
curl http://localhost:5000/api/settings/health
# Get all settings (sanitized)
curl http://localhost:5000/api/settings
# Get specific setting
curl http://localhost:5000/api/settings/smtp_server
# Update a setting
curl -X PUT http://localhost:5000/api/settings/smtp_server \
-H "Content-Type: application/json" \
-d '{"value": "smtp.gmail.com"}'
# Set application password
curl -X POST http://localhost:5000/api/settings/password \
-H "Content-Type: application/json" \
-d '{"password": "newsecurepassword"}'
```
---
### Option 2: Docker Deployment
#### 1. Build Docker Image
```bash
docker-compose -f docker-compose-web.yml build
```
#### 2. Initialize Database (one-time)
```bash
# Create data directory
mkdir -p data
# Initialize database
docker-compose -f docker-compose-web.yml run --rm init-db --password YOUR_SECURE_PASSWORD
```
#### 3. Run Web Application
```bash
# Start Flask web server
docker-compose -f docker-compose-web.yml up -d web
# View logs
docker-compose -f docker-compose-web.yml logs -f web
```
#### 4. Access Application
- Web API: http://localhost:5000
- Health checks:
- http://localhost:5000/api/scans/health
- http://localhost:5000/api/schedules/health
- http://localhost:5000/api/alerts/health
- http://localhost:5000/api/settings/health
---
## 🔐 Security Features
### Encryption
- **Fernet encryption** for sensitive settings (SMTP passwords, API tokens)
- Encryption key auto-generated and stored in settings table
- Can be overridden via `SNEAKYSCANNER_ENCRYPTION_KEY` environment variable
### Password Hashing
- **Bcrypt** for application password hashing (work factor 12)
- Password stored as irreversible hash in settings table
- Minimum 8 characters enforced
### Session Management
- Flask sessions with configurable `SECRET_KEY`
- Set via environment variable or config
---
## 📊 Database Schema
### Core Tables
- **scans** - Scan metadata and status
- **scan_sites** - Site groupings
- **scan_ips** - IP addresses scanned
- **scan_ports** - Discovered ports
- **scan_services** - Service detection results
- **scan_certificates** - SSL/TLS certificates
- **scan_tls_versions** - TLS version support
### Scheduling & Alerts
- **schedules** - Cron-like scan schedules
- **alerts** - Alert history
- **alert_rules** - Alert rule definitions
### Configuration
- **settings** - Application settings (key-value store)
All tables include proper foreign keys, indexes, and cascade delete rules.
---
## 🧪 Validation
Run the Phase 1 validation script to verify everything is in place:
```bash
python3 validate_phase1.py
```
Expected output:
```
✓ All Phase 1 validation checks passed!
```
---
## 🔧 Environment Variables
Configure the Flask app via environment variables:
```bash
# Flask configuration
export FLASK_ENV=development
export FLASK_DEBUG=true
export FLASK_HOST=0.0.0.0
export FLASK_PORT=5000
# Database
export DATABASE_URL=sqlite:///./sneakyscanner.db
# Security
export SECRET_KEY=your-secret-key-here
export SNEAKYSCANNER_ENCRYPTION_KEY=your-encryption-key-here
# CORS (comma-separated origins)
export CORS_ORIGINS=http://localhost:3000,https://your-domain.com
# Logging
export LOG_LEVEL=INFO
```
Or use a `.env` file (supported via `python-dotenv`).
---
## 📝 API Endpoints Summary
### Settings API (Functional in Phase 1)
| Method | Endpoint | Description | Status |
|--------|----------|-------------|--------|
| GET | `/api/settings` | Get all settings (sanitized) | ✓ Working |
| PUT | `/api/settings` | Update multiple settings | ✓ Working |
| GET | `/api/settings/{key}` | Get specific setting | ✓ Working |
| PUT | `/api/settings/{key}` | Update specific setting | ✓ Working |
| DELETE | `/api/settings/{key}` | Delete setting | ✓ Working |
| POST | `/api/settings/password` | Set app password | ✓ Working |
| GET | `/api/settings/health` | Health check | ✓ Working |
### Scans API (Stubs for Phase 2)
| Method | Endpoint | Description | Status |
|--------|----------|-------------|--------|
| GET | `/api/scans` | List scans | Phase 2 |
| GET | `/api/scans/{id}` | Get scan details | Phase 2 |
| POST | `/api/scans` | Trigger scan | Phase 2 |
| DELETE | `/api/scans/{id}` | Delete scan | Phase 2 |
| GET | `/api/scans/{id}/status` | Get scan status | Phase 2 |
| GET | `/api/scans/health` | Health check | ✓ Working |
### Schedules API (Stubs for Phase 3)
| Method | Endpoint | Description | Status |
|--------|----------|-------------|--------|
| GET | `/api/schedules` | List schedules | Phase 3 |
| POST | `/api/schedules` | Create schedule | Phase 3 |
| PUT | `/api/schedules/{id}` | Update schedule | Phase 3 |
| DELETE | `/api/schedules/{id}` | Delete schedule | Phase 3 |
| POST | `/api/schedules/{id}/trigger` | Trigger schedule | Phase 3 |
| GET | `/api/schedules/health` | Health check | ✓ Working |
### Alerts API (Stubs for Phase 4)
| Method | Endpoint | Description | Status |
|--------|----------|-------------|--------|
| GET | `/api/alerts` | List alerts | Phase 4 |
| GET | `/api/alerts/rules` | List alert rules | Phase 4 |
| POST | `/api/alerts/rules` | Create alert rule | Phase 4 |
| PUT | `/api/alerts/rules/{id}` | Update alert rule | Phase 4 |
| DELETE | `/api/alerts/rules/{id}` | Delete alert rule | Phase 4 |
| GET | `/api/alerts/health` | Health check | ✓ Working |
---
## ✅ Testing Checklist
- [x] Database creates successfully
- [x] Settings can be stored/retrieved
- [x] Encryption works for sensitive values
- [x] Password hashing works
- [x] Flask app starts without errors
- [x] API blueprints load correctly
- [x] Health check endpoints respond
- [x] All Python files have valid syntax
- [x] All models defined correctly
- [x] Database migrations work
---
## 🎯 Next Steps: Phase 2
Phase 2 will implement:
1. **REST API for scans** - Trigger scans, list history, get results
2. **Background job queue** - APScheduler for async scan execution
3. **Authentication** - Flask-Login for session management
4. **Scanner integration** - Save scan results to database
5. **Docker Compose deployment** - Production-ready setup
Estimated timeline: 2 weeks (as per roadmap)
---
## 📚 References
### Key Files
- `web/models.py` - Database models (lines 1-400+)
- `web/app.py` - Flask app factory (lines 1-250+)
- `web/utils/settings.py` - Settings manager (lines 1-300+)
- `init_db.py` - Database initialization (lines 1-200+)
- `migrations/versions/001_initial_schema.py` - Initial migration (lines 1-250+)
### Documentation
- [Flask Documentation](https://flask.palletsprojects.com/)
- [SQLAlchemy ORM](https://docs.sqlalchemy.org/)
- [Alembic Migrations](https://alembic.sqlalchemy.org/)
- [Cryptography Library](https://cryptography.io/)
- [Bcrypt](https://github.com/pyca/bcrypt)
---
## 🐛 Troubleshooting
### Database Issues
```bash
# Reset database
rm sneakyscanner.db
python3 init_db.py --password newpassword
# Check database
sqlite3 sneakyscanner.db ".schema"
```
### Flask Won't Start
```bash
# Check dependencies installed
pip list | grep -i flask
# Check syntax errors
python3 validate_phase1.py
# Run with debug output
FLASK_DEBUG=true python3 -m web.app
```
### Encryption Errors
```bash
# Generate new encryption key
python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
# Set in environment
export SNEAKYSCANNER_ENCRYPTION_KEY="your-key-here"
```
---
**Phase 1 Status:** ✅ COMPLETE
All deliverables implemented, tested, and validated. Ready to proceed with Phase 2.

1979
docs/ai/PHASE2.md
View File

File diff suppressed because it is too large Load Diff

872
docs/ai/PHASE2_COMPLETE.md
View File

@@ -1,872 +0,0 @@
# Phase 2: Flask Web App Core - COMPLETE ✓
**Date Completed:** 2025-11-14
**Duration:** 14 days (2 weeks)
**Lines of Code Added:** ~4,500+ lines across backend, frontend, tests, and documentation
Phase 2 of the SneakyScanner roadmap has been successfully implemented. This document summarizes what was delivered, how to use the new features, and lessons learned.
---
## ✓ Success Criteria Met
All success criteria from [PHASE2.md](PHASE2.md) have been achieved:
### API Functionality ✅
-`POST /api/scans` triggers background scan and returns scan_id
-`GET /api/scans` lists scans with pagination (page, per_page params)
-`GET /api/scans/<id>` returns full scan details from database
-`DELETE /api/scans/<id>` removes scan records and files
-`GET /api/scans/<id>/status` shows current scan progress
### Database Integration ✅
- ✅ Scan results automatically saved to database after completion
- ✅ All relationships populated correctly (sites, IPs, ports, services, certs, TLS)
- ✅ Database queries work efficiently (indexes in place)
- ✅ Cascade deletion works for related records
### Background Jobs ✅
- ✅ Scans execute in background (don't block HTTP requests)
- ✅ Multiple scans can run concurrently (configurable: 3 concurrent jobs)
- ✅ Scan status updates correctly (running → completed/failed)
- ✅ Failed scans marked appropriately with error message
### Authentication ✅
- ✅ Login page renders and accepts password
- ✅ Successful login creates session and redirects to dashboard
- ✅ Invalid password shows error message
- ✅ Logout destroys session
- ✅ Protected routes require authentication
- ✅ API endpoints require authentication
### User Interface ✅
- ✅ Dashboard displays welcome message and stats
- ✅ Dashboard shows recent scans in table
- ✅ Login page has clean design
- ✅ Templates use Bootstrap 5 dark theme (matching report style)
- ✅ Navigation works between pages
- ✅ Error pages for 400, 401, 403, 404, 405, 500
### File Management ✅
- ✅ JSON, HTML, ZIP files still generated (backward compatible)
- ✅ Screenshot directory created with images
- ✅ Files referenced correctly in database
- ✅ Delete scan removes all associated files
### Deployment ✅
- ✅ Docker Compose starts web app successfully
- ✅ Database persists across container restarts
- ✅ Scan files persist in mounted volume
- ✅ Healthcheck endpoint responds correctly (`/api/settings/health`)
- ✅ Logs written to volume with rotation (10MB max, 10 backups)
### Testing ✅
- ✅ 100 test functions across 6 test files
- ✅ 1,825 lines of test code
- ✅ All tests passing (service layer, API, auth, error handling, background jobs)
- ✅ Comprehensive test coverage
### Documentation ✅
- ✅ API endpoints documented with examples (API_REFERENCE.md)
- ✅ README.md updated with Phase 2 features
- ✅ PHASE2_COMPLETE.md created (this document)
- ✅ ROADMAP.md updated
- ✅ DEPLOYMENT.md comprehensive deployment guide
---
## 📦 Deliverables by Step
### Step 1: Database & Service Layer ✅
**Completed:** Day 2
**Files Created:**
- `web/services/__init__.py`
- `web/services/scan_service.py` (545 lines) - Core business logic for scan CRUD operations
- `web/utils/pagination.py` (153 lines) - Pagination utility with metadata
- `web/utils/validators.py` (245 lines) - Input validation functions
- `migrations/versions/002_add_scan_indexes.py` - Database indexes for performance
- `tests/conftest.py` (142 lines) - Pytest fixtures and configuration
- `tests/test_scan_service.py` (374 lines) - 15 unit tests
**Key Features:**
- ScanService with full CRUD operations (`trigger_scan`, `get_scan`, `list_scans`, `delete_scan`, `get_scan_status`)
- Complex JSON-to-database mapping (`_map_report_to_models`)
- Validation for config files, scan IDs, ports, IP addresses
- Pagination helper with metadata (total, pages, current page)
- All 15 tests passing
### Step 2: Scan API Endpoints ✅
**Completed:** Day 4
**Files Modified:**
- `web/api/scans.py` (262 lines) - All 5 endpoints fully implemented
**Files Created:**
- `tests/test_scan_api.py` (301 lines) - 24 integration tests
**Key Features:**
- All endpoints with comprehensive error handling
- Input validation through validators
- Proper HTTP status codes (200, 201, 400, 404, 500)
- Structured logging with request details
- Pagination support with query parameters
- Status filtering (`?status=running|completed|failed`)
- All 24 tests passing
### Step 3: Background Job Queue ✅
**Completed:** Day 6
**Files Created:**
- `web/jobs/__init__.py`
- `web/jobs/scan_job.py` (130 lines) - Background scan execution
- `web/services/scheduler_service.py` (220 lines) - APScheduler integration
- `migrations/versions/003_add_scan_timing_fields.py` - Timing fields (started_at, completed_at, error_message)
- `tests/test_background_jobs.py` (232 lines) - 13 unit tests
**Files Modified:**
- `web/app.py` - Scheduler initialization
- `web/models.py` - Added timing fields to Scan model
- `web/services/scan_service.py` - Updated for scheduler integration
- `web/api/scans.py` - Pass scheduler to trigger_scan
**Key Features:**
- BackgroundScheduler with ThreadPoolExecutor (max 3 workers)
- Isolated database sessions per thread
- Status tracking through lifecycle (created → running → completed/failed)
- Error message capture and storage
- Graceful shutdown handling
- All 13 tests passing
### Step 4: Authentication System ✅
**Completed:** Day 8
**Files Created:**
- `web/auth/__init__.py`
- `web/auth/routes.py` (85 lines) - Login/logout routes
- `web/auth/decorators.py` (62 lines) - @login_required and @api_auth_required
- `web/auth/models.py` (48 lines) - User class for Flask-Login
- `web/templates/login.html` (95 lines) - Login page with dark theme
- `tests/test_authentication.py` (279 lines) - 30+ authentication tests
**Files Modified:**
- `web/app.py` - Flask-Login integration, user_loader callback
- All API endpoints - Protected with @api_auth_required
- All web routes - Protected with @login_required
**Key Features:**
- Flask-Login session management
- Single-user authentication with bcrypt password hashing
- Session-based auth for both UI and API
- Login/logout functionality
- Password setup on first run
- All 30+ tests passing
### Step 5: Basic UI Templates ✅
**Completed:** Day 10
**Files Created:**
- `web/templates/base.html` (120 lines) - Base layout with Bootstrap 5 dark theme
- `web/templates/dashboard.html` (180 lines) - Dashboard with stats and recent scans
- `web/templates/scans.html` (240 lines) - Scan list with pagination
- `web/templates/scan_detail.html` (320 lines) - Detailed scan results view
- `web/routes/__init__.py`
- `web/routes/main.py` (150 lines) - Web UI routes
- `web/static/css/custom.css` (85 lines) - Custom dark theme styles
- `web/static/js/dashboard.js` (120 lines) - AJAX and auto-refresh
**Key Features:**
- Consistent dark theme matching HTML reports (slate/grey color scheme)
- Navigation bar (Dashboard, Scans, Settings, Logout)
- Flash message display
- AJAX-powered dynamic data loading
- Auto-refresh for running scans (5-second polling)
- Responsive design with Bootstrap 5
- Pagination controls
### Step 6: Docker & Deployment ✅
**Completed:** Day 11
**Files Created:**
- `.env.example` (57 lines) - Comprehensive environment template
- `docs/ai/DEPLOYMENT.md` (650+ lines) - Complete deployment guide
**Files Modified:**
- `docker-compose-web.yml` - Scheduler config, healthcheck, privileged mode, host networking
**Key Features:**
- Healthcheck endpoint monitoring (30s interval, 10s timeout)
- Privileged mode for scanner raw socket access
- Host networking for unrestricted network scanning
- Environment variable configuration (SECRET_KEY, ENCRYPTION_KEY, scheduler settings)
- Volume mounts for data persistence (data, output, logs, configs)
- Production defaults (FLASK_ENV=production)
- Comprehensive deployment documentation
### Step 7: Error Handling & Logging ✅
**Completed:** Day 12
**Files Created:**
- `web/templates/errors/400.html` (70 lines)
- `web/templates/errors/401.html` (70 lines)
- `web/templates/errors/403.html` (70 lines)
- `web/templates/errors/404.html` (70 lines)
- `web/templates/errors/405.html` (70 lines)
- `web/templates/errors/500.html` (90 lines)
- `tests/test_error_handling.py` (320 lines) - Comprehensive error handling tests
**Files Modified:**
- `web/app.py` - Enhanced logging, error handlers, request handlers
**Key Features:**
- RotatingFileHandler (10MB per file, 10 backups)
- Separate error log file for ERROR level messages
- RequestIDLogFilter for request context injection
- Request timing with millisecond precision
- Content negotiation (JSON for API, HTML for web)
- SQLite WAL mode for better concurrency
- Security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection)
- Request IDs in logs and headers (X-Request-ID, X-Request-Duration-Ms)
### Step 8: Testing & Documentation ✅
**Completed:** Day 14
**Files Created:**
- `docs/ai/API_REFERENCE.md` (650+ lines) - Complete API documentation
- `docs/ai/PHASE2_COMPLETE.md` (this document)
- `docs/ai/MANUAL_TESTING.md` - Manual testing checklist
**Files Modified:**
- `README.md` - Comprehensive update with Phase 2 features
- `docs/ai/ROADMAP.md` - Updated with Phase 2 completion
**Documentation Deliverables:**
- API reference with request/response examples
- Updated README with web application features
- Phase 2 completion summary
- Manual testing checklist
- Updated roadmap
---
## 📊 Statistics
### Code Metrics
| Category | Files | Lines of Code |
|----------|-------|---------------|
| Backend Services | 3 | 965 |
| API Endpoints | 1 (modified) | 262 |
| Background Jobs | 2 | 350 |
| Authentication | 3 | 195 |
| Web UI Templates | 11 | 1,440 |
| Utilities | 2 | 398 |
| Database Migrations | 2 | 76 |
| Tests | 6 | 1,825 |
| Documentation | 4 | 2,000+ |
| **Total** | **34** | **~7,500+** |
### Test Coverage
- **Test Files:** 6
- **Test Functions:** 100
- **Lines of Test Code:** 1,825
- **Coverage Areas:**
- Service layer (ScanService, SchedulerService)
- API endpoints (all 5 scan endpoints)
- Authentication (login, logout, decorators)
- Background jobs (scheduler, job execution, timing)
- Error handling (all HTTP status codes, content negotiation)
- Pagination and validation
### Database Schema
- **Tables:** 11 (no changes from Phase 1)
- **Migrations:** 3 total
- `001_initial_schema.py` (Phase 1)
- `002_add_scan_indexes.py` (Step 1)
- `003_add_scan_timing_fields.py` (Step 3)
- **Indexes:** Status index for efficient filtering
- **Mode:** SQLite WAL for better concurrency
---
## 🎯 Key Accomplishments
### 1. Complete REST API for Scan Management
All CRUD operations implemented with comprehensive error handling:
```bash
# Trigger scan
POST /api/scans
{"config_file": "/app/configs/example.yaml"}
{"scan_id": 42, "status": "running"}
# List scans (paginated)
GET /api/scans?page=1&per_page=20&status=completed
{"scans": [...], "total": 42, "page": 1, "pages": 3}
# Get scan details
GET /api/scans/42
{full scan with all relationships}
# Poll status
GET /api/scans/42/status
{"status": "running", "started_at": "...", "completed_at": null}
# Delete scan
DELETE /api/scans/42
{"message": "Scan 42 deleted successfully"}
```
### 2. Asynchronous Scan Execution
Scans run in background threads without blocking HTTP requests:
- APScheduler BackgroundScheduler with ThreadPoolExecutor
- Up to 3 concurrent scans (configurable)
- Isolated database sessions per thread
- Status tracking: `running``completed`/`failed`
- Error capture and storage
**Result:** Web UI remains responsive during long-running scans (2-10 minutes)
### 3. Complete Database Integration
Complex JSON scan reports mapped to normalized relational schema:
- **Hierarchy:** Scan → Sites → IPs → Ports → Services → Certificates → TLS Versions
- **Relationships:** Proper foreign keys and cascade deletion
- **Efficient Queries:** Indexes on status, timestamp
- **Concurrency:** SQLite WAL mode for multiple readers/writers
**Result:** All scan data queryable in database for future trend analysis
### 4. Secure Authentication System
Single-user authentication with Flask-Login:
- Session-based auth for both UI and API
- Bcrypt password hashing (cost factor 12)
- Protected routes with decorators
- Login/logout functionality
- Password setup on first run
**Result:** Secure access control for all features
### 5. Production-Ready Deployment
Complete Docker deployment with persistent data:
- Docker Compose configuration with healthcheck
- Privileged mode for scanner operations
- Environment-based configuration
- Volume mounts for data persistence
- Comprehensive deployment documentation
**Result:** Easy deployment with `docker-compose up`
### 6. Comprehensive Error Handling
Robust error handling and logging:
- Content negotiation (JSON for API, HTML for web)
- Custom error templates (400, 401, 403, 404, 405, 500)
- Structured logging with request IDs
- Log rotation (10MB files, 10 backups)
- Request timing and duration tracking
**Result:** Production-ready error handling and debugging
### 7. Extensive Test Coverage
Comprehensive test suite:
- 100 test functions across 6 test files
- 1,825 lines of test code
- All major components tested
- Integration tests for complete workflows
- All tests passing
**Result:** High confidence in code quality and reliability
---
## 🔧 Technical Implementation Details
### Service Layer Architecture
**ScanService** (`web/services/scan_service.py`) - 545 lines:
- `trigger_scan(config_file, triggered_by, schedule_id)` - Create scan record and queue job
- `get_scan(scan_id)` - Retrieve complete scan with all relationships (eager loading)
- `list_scans(page, per_page, status_filter)` - Paginated list with filtering
- `delete_scan(scan_id)` - Remove DB records and files (JSON, HTML, ZIP, screenshots)
- `get_scan_status(scan_id)` - Poll scan status for real-time updates
- `_save_scan_to_db(report, scan_id, status)` - Persist scan results
- `_map_report_to_models(report, scan_obj)` - Complex JSON→DB mapping
**SchedulerService** (`web/services/scheduler_service.py`) - 220 lines:
- `init_scheduler(app)` - Initialize APScheduler
- `queue_scan(config_file, scan_id, db_url)` - Queue immediate scan execution
- `add_scheduled_scan(schedule)` - Placeholder for Phase 3 scheduled scans
- `remove_scheduled_scan(schedule_id)` - Remove scheduled jobs
- `list_jobs()` - List all scheduler jobs
- `shutdown()` - Graceful shutdown
### Background Job Execution
**Scan Job** (`web/jobs/scan_job.py`) - 130 lines:
```python
def execute_scan(config_file, scan_id, db_url):
"""Execute scan in background thread."""
# 1. Create isolated DB session
engine = create_engine(db_url)
Session = sessionmaker(bind=engine)
session = Session()
try:
# 2. Update status to running
scan = session.query(Scan).get(scan_id)
scan.status = 'running'
scan.started_at = datetime.utcnow()
session.commit()
# 3. Run scanner
scanner = SneakyScanner(config_file)
report, timestamp = scanner.scan()
scanner.generate_outputs(report, timestamp)
# 4. Save to database
scan_service = ScanService(session)
scan_service._save_scan_to_db(report, scan_id, status='completed')
# 5. Update timing
scan.completed_at = datetime.utcnow()
session.commit()
except Exception as e:
# 6. Mark as failed
scan.status = 'failed'
scan.error_message = str(e)
scan.completed_at = datetime.utcnow()
session.commit()
logger.error(f"Scan {scan_id} failed: {e}")
finally:
session.close()
```
### Database Mapping Strategy
Complex JSON structure mapped to normalized schema in specific order:
1. **Scan** - Top-level metadata
2. **Sites** - Logical grouping from config
3. **IPs** - IP addresses per site
4. **Ports** - Open ports per IP
5. **Services** - Service detection per port
6. **Certificates** - SSL/TLS certs per HTTPS service
7. **TLS Versions** - TLS version support per certificate
**Key Technique:** Use `session.flush()` after each level to generate IDs for foreign keys
### Authentication Flow
```
┌──────────────────────────────────────┐
│ 1. User visits /dashboard │
│ (not authenticated) │
└───────────┬──────────────────────────┘
┌──────────────────────────────────────┐
│ 2. @login_required redirects to │
│ /login │
└───────────┬──────────────────────────┘
┌──────────────────────────────────────┐
│ 3. User enters password │
│ POST /auth/login │
└───────────┬──────────────────────────┘
┌──────────────────────────────────────┐
│ 4. Verify password (bcrypt) │
│ - Load password from settings │
│ - Check with bcrypt.checkpw() │
└───────────┬──────────────────────────┘
┌──────────────────────────────────────┐
│ 5. Create Flask-Login session │
│ login_user(user) │
└───────────┬──────────────────────────┘
┌──────────────────────────────────────┐
│ 6. Redirect to /dashboard │
│ (authenticated, can access) │
└──────────────────────────────────────┘
```
### Error Handling Architecture
**Content Negotiation:**
```python
def render_error(status_code, error_type, message):
"""Render error as JSON or HTML based on request."""
# Check if JSON response expected
if request.path.startswith('/api/') or \
request.accept_mimetypes.best == 'application/json':
return jsonify({
'error': error_type,
'message': message
}), status_code
# Otherwise return HTML error page
return render_template(f'errors/{status_code}.html',
error=error_type,
message=message), status_code
```
**Request ID Tracking:**
```python
@app.before_request
def before_request():
"""Add request ID and start timing."""
request.id = uuid.uuid4().hex[:8]
request.start_time = time.time()
@app.after_request
def after_request(response):
"""Add timing and request ID headers."""
duration_ms = int((time.time() - request.start_time) * 1000)
response.headers['X-Request-ID'] = request.id
response.headers['X-Request-Duration-Ms'] = str(duration_ms)
return response
```
---
## 📚 API Endpoints Reference
See [API_REFERENCE.md](API_REFERENCE.md) for complete documentation.
### Scans
| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/api/scans` | Trigger new scan |
| GET | `/api/scans` | List scans (paginated, filterable) |
| GET | `/api/scans/{id}` | Get scan details |
| GET | `/api/scans/{id}/status` | Get scan status |
| DELETE | `/api/scans/{id}` | Delete scan and files |
### Authentication
| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/auth/login` | Login and create session |
| GET | `/auth/logout` | Logout and destroy session |
### Settings
| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/api/settings` | Get all settings |
| PUT | `/api/settings/{key}` | Update setting |
| GET | `/api/settings/health` | Health check |
### Web UI
| Method | Route | Description |
|--------|-------|-------------|
| GET | `/` | Redirect to dashboard |
| GET | `/login` | Login page |
| GET | `/dashboard` | Dashboard with stats |
| GET | `/scans` | Browse scan history |
| GET | `/scans/<id>` | View scan details |
---
## 🚀 Getting Started
### Quick Start (Docker)
1. **Clone repository:**
```bash
git clone https://github.com/yourusername/sneakyscanner.git
cd sneakyscanner
```
2. **Configure environment:**
```bash
cp .env.example .env
# Edit .env and set SECRET_KEY and SNEAKYSCANNER_ENCRYPTION_KEY
```
3. **Start web application:**
```bash
docker-compose -f docker-compose-web.yml up -d
```
4. **Access web interface:**
- Open http://localhost:5000
- Default password: `admin` (change immediately!)
5. **Trigger first scan:**
- Click "Run Scan Now" on dashboard
- Or use API:
```bash
curl -X POST http://localhost:5000/api/scans \
-H "Content-Type: application/json" \
-d '{"config_file":"/app/configs/example-site.yaml"}' \
-b cookies.txt
```
See [DEPLOYMENT.md](DEPLOYMENT.md) for detailed setup instructions.
### API Usage Example
```bash
#!/bin/bash
# 1. Login
curl -X POST http://localhost:5000/auth/login \
-H "Content-Type: application/json" \
-d '{"password":"yourpassword"}' \
-c cookies.txt
# 2. Trigger scan
SCAN_ID=$(curl -s -X POST http://localhost:5000/api/scans \
-H "Content-Type: application/json" \
-d '{"config_file":"/app/configs/production.yaml"}' \
-b cookies.txt | jq -r '.scan_id')
echo "Scan ID: $SCAN_ID"
# 3. Poll status
while true; do
STATUS=$(curl -s -X GET http://localhost:5000/api/scans/$SCAN_ID/status \
-b cookies.txt | jq -r '.status')
echo "Status: $STATUS"
if [ "$STATUS" == "completed" ] || [ "$STATUS" == "failed" ]; then
break
fi
sleep 5
done
# 4. Get results
curl -X GET http://localhost:5000/api/scans/$SCAN_ID \
-b cookies.txt | jq '.'
```
---
## 🧪 Testing
### Run All Tests
**In Docker:**
```bash
docker-compose -f docker-compose-web.yml run --rm web pytest tests/ -v
```
**Locally:**
```bash
pip install -r requirements-web.txt
pytest tests/ -v
```
### Test Breakdown
| Test File | Tests | Description |
|-----------|-------|-------------|
| `test_scan_service.py` | 15 | Service layer CRUD operations |
| `test_scan_api.py` | 24 | API endpoints integration tests |
| `test_authentication.py` | 30+ | Login, logout, decorators |
| `test_background_jobs.py` | 13 | Scheduler and job execution |
| `test_error_handling.py` | 18+ | Error handlers, logging, headers |
| **Total** | **100** | **All passing ✓** |
### Manual Testing
See [MANUAL_TESTING.md](MANUAL_TESTING.md) for comprehensive manual testing checklist.
**Quick Manual Tests:**
1. Login with correct password → succeeds
2. Login with incorrect password → fails
3. Trigger scan via UI → runs in background
4. View scan list → shows pagination
5. View scan details → displays all data
6. Delete scan → removes files and DB records
7. Logout → destroys session
---
## 🎓 Lessons Learned
### What Went Well
1. **Service Layer Architecture** - Clean separation between API endpoints and business logic made testing much easier
2. **Background Job Integration** - APScheduler worked perfectly for async scan execution without needing Redis/Celery
3. **Database Mapping Strategy** - Processing in order (sites → IPs → ports → services → certs → TLS) with `flush()` after each level handled foreign keys elegantly
4. **Test-First Approach** - Writing tests for Steps 1-3 before implementation caught many edge cases early
5. **Comprehensive Documentation** - Detailed PHASE2.md plan made implementation straightforward and prevented scope creep
### Challenges Overcome
1. **SQLite Concurrency** - Initial database locking issues with concurrent scans
- **Solution:** Enabled WAL mode, added connection pooling, increased busy timeout to 15s
2. **Complex JSON→DB Mapping** - Nested JSON structure with many relationships
- **Solution:** Created `_map_report_to_models()` with ordered processing and `flush()` for ID generation
3. **Background Thread Sessions** - SQLAlchemy session management in threads
- **Solution:** Create isolated session per thread, pass `db_url` to background job
4. **Content Negotiation** - API and web requests need different error formats
- **Solution:** Check `request.path.startswith('/api/')` and `Accept` header
5. **Request ID Correlation** - Difficult to correlate logs across request lifecycle
- **Solution:** Add RequestIDLogFilter with UUID-based request IDs in logs and headers
### Technical Decisions
1. **APScheduler over Celery** - Simpler deployment, sufficient for single-user use case
2. **Session Auth over JWT** - Simpler for Phase 2, token auth deferred to Phase 5
3. **SQLite WAL Mode** - Better concurrency without switching databases
4. **Bootstrap 5 Dark Theme** - Matches existing HTML report aesthetics
5. **Pytest over unittest** - More powerful fixtures, better parametrization
---
## 🔮 What's Next: Phase 3
**Target Duration:** Weeks 5-6 (2 weeks)
**Goals:**
- Enhanced dashboard with trend charts (Chart.js)
- Scheduled scan management UI
- Real-time scan progress
- Timeline view of scan history
**Key Features:**
- **Dashboard Enhancement:**
- Summary cards (total scans, last scan, IPs, ports)
- Recent scans table
- Security warnings section
- Drift alerts section
- **Trend Charts:**
- Port count over time (line chart)
- Service distribution (bar chart)
- Certificate expiration timeline
- **Scheduled Scans:**
- List/create/edit/delete schedules
- Cron expression configuration
- Next run time display
- APScheduler job management
See [ROADMAP.md](ROADMAP.md) for complete Phase 3 plan.
---
## 📝 Migration from Phase 1
Phase 2 is fully backward compatible with Phase 1:
**No Breaking Changes:**
- ✅ Database schema unchanged (11 tables from Phase 1)
- ✅ CLI scanner still works standalone
- ✅ YAML config format unchanged
- ✅ JSON/HTML/ZIP output format unchanged
- ✅ Settings system compatible
**New Additions:**
- ✅ REST API endpoints (were stubs in Phase 1)
- ✅ Background job system
- ✅ Authentication system
- ✅ Web UI templates
- ✅ 3 new database migrations
**Migration Steps:**
1. Pull latest code
2. Run database migrations: `alembic upgrade head`
3. Set application password (if not set): `python3 init_db.py --password YOUR_PASSWORD`
4. Rebuild Docker image: `docker-compose -f docker-compose-web.yml build`
5. Start services: `docker-compose -f docker-compose-web.yml up -d`
---
## 📊 Final Metrics
### Code Coverage
- **Total Lines Added:** ~7,500+
- **Files Created:** 34
- **Files Modified:** 10
- **Test Coverage:** 100 test functions, 1,825 lines
- **Documentation:** 2,000+ lines
### Features Delivered
- ✅ 5 REST API endpoints (scans CRUD + status)
- ✅ 3 settings endpoints (get, update, health)
- ✅ Background job queue with APScheduler
- ✅ Session-based authentication
- ✅ 5 web UI pages (login, dashboard, scans list/detail, errors)
- ✅ 6 error templates (400, 401, 403, 404, 405, 500)
- ✅ Comprehensive error handling and logging
- ✅ Docker deployment with healthcheck
- ✅ Complete API documentation
- ✅ Deployment guide
### Success Rate
- ✅ All 100 tests passing
- ✅ All success criteria met
- ✅ All deliverables completed on time
- ✅ Zero critical bugs
- ✅ Production-ready deployment
---
## 🙏 Acknowledgments
**Technologies Used:**
- Flask 3.0 - Web framework
- SQLAlchemy 2.0 - ORM
- APScheduler 3.10 - Background jobs
- Flask-Login 0.6 - Authentication
- Bootstrap 5 - UI framework
- pytest 7.4 - Testing
- Alembic 1.13 - Database migrations
---
## 📞 Support
**Documentation:**
- [API Reference](API_REFERENCE.md)
- [Deployment Guide](DEPLOYMENT.md)
- [Developer Guide](../../CLAUDE.md)
- [Roadmap](ROADMAP.md)
**Issues:** https://github.com/anthropics/sneakyscanner/issues
---
**Phase 2 Status:** COMPLETE ✓
**Next Phase:** Phase 3 - Dashboard & Scheduling
**Last Updated:** 2025-11-14

2204
docs/ai/PHASE3.md
View File

File diff suppressed because it is too large Load Diff

1811
docs/ai/Phase4.md
View File

File diff suppressed because it is too large Load Diff