[WIP] Bring atomicreadme up to date with master (ref PR #59)

[Copilot]

Description

Merges master into atomicreadme (PR #59) to resolve the 15-commit drift. Also fixes the CI breakage that affected both branches: tox.ini was configured to clone caldera before running tests, but the modern test suite uses conftest.py stubs and is self-contained, and newer tox rejects glob patterns in allowlist_externals.

tox.ini — complete rewrite of [testenv]:

• Remove caldera clone/copy commands (tests stub all caldera imports via conftest.py)
• Drop allowlist_externals entirely (no external binaries needed)
• Update envlist from py38 to py310–py313 to match the CI workflow matrix
• Remove unused deps (pre-commit, pytest-aiohttp, codecov, virtualenv)

tests/test_hook.py — fix PropertyMock assertion in test_enable_accesses_app:

• type(mock).attr.assert_called() fails because accessing a PropertyMock descriptor through the class invokes it, returning its return value instead of the mock itself
• Fix: capture the PropertyMock reference before assigning it to the type, assert on that reference

# Before (broken)
type(mock_app_svc).application = PropertyMock(return_value=mock_app)
# ...
type(mock_app_svc).application.assert_called()  # AssertionError: Expected 'mock' to have been called

# After (correct)
mock_application_prop = PropertyMock(return_value=mock_app)
type(mock_app_svc).application = mock_application_prop
# ...
mock_application_prop.assert_called()

README.md — update Python requirement from 3.8+ to 3.10+ to match the updated tox.ini test matrix.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• This change requires a documentation update

How Has This Been Tested?

python -m pytest tests/ --tb=short — 144 passed, 1 skipped, 5 xpassed.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works

Original prompt

Create a WIP pull request in mitre/atomic that updates the existing PR branch atomicreadme (PR #59) to be up-to-date with the repository's master branch.

Requirements:

• Target repository: mitre/atomic.
• Base branch: master.
• Head branch: atomicreadme (or a new branch derived from it if direct updates are not appropriate).
• Goal: incorporate the latest master changes into the PR branch so PR readme #59 becomes up-to-date (e.g., via merge commit or rebase, whichever is acceptable for the repo’s workflow).
• Create a new WIP PR (draft) that merges master into the PR branch (or merges the updated branch back into atomicreadme), clearly titled as WIP and referencing PR readme #59.
• Ensure CI passes or, if there are expected failures, document them in the PR description with next steps.

Context:

• PR readme #59 is readme #59.
• Current PR head SHA: 693e1c3.
• Current base (master) SHA: 2cee995.

Deliverables:

• A draft/WIP PR that brings atomicreadme up to date with master.
• PR description should include what was done (merge/rebase), how to reproduce locally, and any conflict resolutions performed.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for failing job 73813874722. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The job is failing because tox is trying to run an external command (/usr/bin/git clone ...) but that executable is not permitted in the environment that actually ran (note the log shows py311, not py38). As a result, the test env never runs, no coverage files are produced, and then coverage-ci fails with No data to combine.

Fix 1 (recommended): Allow git (and other externals) for the env that ran (py311)

In tox.ini, your base [testenv] has the commands that call git:

commands =
    /usr/bin/git clone https://github.com/mitre/caldera.git --recursive {homedir}/tmp
    ...

…but the allowlist does not include /bin/rm, and the failure indicates git is not allowlisted for the env that executed. The simplest robust fix is:

1. Ensure allowlist_externals includes every external you invoke (git, rm, cp).
2. Don’t hardcode absolute paths (they can vary on runners). Use git, rm, cp.

Suggested edit:

[testenv]
changedir = {homedir}/tmp
allowlist_externals =
    git
    rm
    cp
commands =
    git clone https://github.com/mitre/caldera.git --recursive {homedir}/tmp
    rm -rf {homedir}/tmp/plugins/atomic
    python -m pip install -r {homedir}/tmp/requirements.txt
    cp -R {toxinidir} {homedir}/tmp/plugins/atomic
    coverage run -p -m pytest --tb=short --rootdir={homedir}/tmp -Werror plugins/atomic/tests

Also update [testenv:py38] similarly (or remove the duplicated commands and inherit from [testenv]).

This directly addresses the log line:

/usr/bin/git ... is not allowed, use allowlist_externals to allow it

Fix 2: Align workflow Python with what tox is running

Your workflow pins Python 3.8:

python-version: 3.8
toxenv: py38,coverage-ci

…but the failing log clearly shows py311, which means the workflow/job configuration being executed is not aligned with this file, or tox is selecting a different env in the run.

To make this consistent and future-proof, update the workflow to test the intended versions explicitly (example: 3.11), or update tox envlist/matrix to match what you want to support. For example, if you want CI on 3.11:

- python-version: "3.11"
  toxenv: py311,coverage-ci

and add a [testenv:py311] (or just rely on [testenv] if you don’t need per-version sections).

Fix 3 (optional but helpful): Prevent coverage-ci from failing when tests didn’t run

Right now, once tests fail, coverage-ci will also fail with:

No data to combine

After fixing the git allowlist, you likely won’t need this; but if you want coverage-ci to be more resilient, you can change its command to not error when there’s nothing to combine:

[testenv:coverage-ci]
commands =
    python -m coverage combine || true
    python -m coverage xml
    python -m coverage report

(Use this only if you intentionally want coverage steps to continue even when tests fail.)

Minimal change that should unblock the job

Update tox.ini to:

• allow git/rm/cp as externals, and
• avoid /usr/bin/... hardcoding.

That will allow the clone step to run, tests to execute, and coverage data to exist so coverage-ci can combine successfully.

User: is this branch not up to date with master?

Assistant: Yes — PR #59 (atomicreadme) is not up to date with master.

Evidence from the PR metadata shows different tip SHAs:

• base (master) SHA: `2cee9...

This pull request was created from Copilot chat.

[deacon-mp]

Superseded by #63 (which now has CI green and consolidates the tox fix).