BED-6620 fix(AGT): get selector members not respecting certification

[mistahj67]

Description

Describe your changes in detail
Added filter for certified nodes only when asset group tag has certified required while getting selector members

Motivation and Context

Resolves BED-6620

Why is this change required? What problem does it solve?

How Has This Been Tested?

Have certify required disabled and then enabled and see the members list decrease with the latter

Please describe in detail how you tested your changes.
Include details of your testing environment, and the tests you ran to
see how your change affects other areas of the code, etc.

Screenshots (optional):

Types of changes

• Bug fix (non-breaking change which fixes an issue)

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README #672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments (GoDocs / JSDocs)
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

Summary by CodeRabbit

• Bug Fixes
  • Selector-based asset group membership now enforces certification requirements, excluding revoked or uncertified assets when certification is required.
  • Improves accuracy and consistency of group membership in views, reports, and exports that rely on selector-based groups.

[coderabbitai]

Walkthrough

Adds a conditional certification filter to selector-based asset group member retrieval: when RequireCertify.ValueOrZero() is true, the SQL predicate AND certified > ? with model.AssetGroupCertificationRevoked is appended before executing the query. No other logic or signatures changed.

Changes

Cohort / File(s)	Summary
API v2: Asset group tag selector certification filter cmd/api/src/api/v2/assetgrouptags.go	In GetAssetGroupMembersBySelector, after environment filtering, conditionally appends AND certified > ? with parameter model.AssetGroupCertificationRevoked when RequireCertify.ValueOrZero() is true, narrowing selector results under certification constraints.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant A as API (GetAssetGroupMembersBySelector)
  participant DB as Database

  C->>A: Request selector-based members
  A->>A: Load AssetGroupTag + selector config
  alt RequireCertify = true
    A->>A: Append SQL filter: certified > REVOKED
  else RequireCertify = false
    A->>A: Build base selector SQL
  end
  A->>DB: Execute query with parameters
  DB-->>A: Rows (filtered by certification if applied)
  A-->>C: Return members

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• BED-6621 fix(AGT): Get /selectors member counts not respecting certified #1972 — Adds the same conditional AND certified > ? filter to GetAssetGroupMembersBySelector and updates DB call/tests accordingly.

Suggested labels

bug, api

Suggested reviewers

• sirisjo
• urangel

Poem

A hop, I check each tag with care,
Revoked ones stop mid-air.
The query trims, the list grows small,
Certified only join the ball.
Thump! — a rabbit's tidy call. 🐇

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The description includes the required section headings but still contains placeholder text in the Description, Motivation and Context, and How Has This Been Tested sections, and lacks a clear explanation of why the change is required and detailed testing environment information.	Please remove all placeholder text and provide a detailed description of the changes, explain why this change is required under Motivation and Context, and expand the How Has This Been Tested section with concrete test steps and environment details.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title clearly references the bug being fixed by adding certification filtering to the asset group tag selector members and aligns with the primary change in the diff. It is concise, specific, and directly relates to the main change without unnecessary detail.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch BED-6620

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 864912d and 34f72db.

📒 Files selected for processing (1)

• cmd/api/src/api/v2/assetgrouptags.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• cmd/api/src/api/v2/assetgrouptags.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Build BloodHound Container Image / Build and Package Container
• GitHub Check: run-tests
• GitHub Check: run-tests
• GitHub Check: build-ui
• GitHub Check: run-analysis

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

cmd/api/src/api/v2/assetgrouptags.go (1)

771-774: LGTM! The certification filter correctly enforces RequireCertify constraints.

The implementation properly filters out revoked and non-certified nodes when the asset group tag requires certification. The SQL concatenation pattern is consistent with the environment filter above (lines 766-769), and the use of ValueOrZero() safely handles null values.

Consider adding a brief inline comment to document the filter's purpose:

 		if assetGroupTag.RequireCertify.ValueOrZero() {
+			// Exclude revoked/non-certified nodes when certification is required
 			filter.SQLString += " AND certified > ?"
 			filter.Params = append(filter.Params, model.AssetGroupCertificationRevoked)
 		}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0345491 and 0f03ad9.

📒 Files selected for processing (1)

• cmd/api/src/api/v2/assetgrouptags.go (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-07-09T00:36:54.112Z

Learnt from: mistahj67
PR: SpecterOps/BloodHound#1648
File: cmd/api/src/api/v2/assetgrouptags.go:763-766
Timestamp: 2025-07-09T00:36:54.112Z
Learning: In cmd/api/src/api/v2/assetgrouptags.go, the SearchAssetGroupTags method intentionally fetches all asset group tags and selectors without database-level filtering because it needs to build a complete `kinds` array from all relevant tags for the graph query filter. This allows members to be searched across all tags of the requested type while still filtering the returned tags/selectors by name match.

Applied to files:

• cmd/api/src/api/v2/assetgrouptags.go

🧬 Code graph analysis (1)

cmd/api/src/api/v2/assetgrouptags.go (1)

cmd/api/src/model/assetgrouptags.go (1)

• AssetGroupCertificationRevoked (58-58)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Build BloodHound Container Image / Build and Package Container
• GitHub Check: run-tests
• GitHub Check: run-analysis
• GitHub Check: build-ui
• GitHub Check: run-tests