generated from coulomb/repo-seed
feat: close WP-0009/WP-0013 production integration stewardship strand
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
This commit is contained in:
105
scripts/policy_gate_production_smoke.sh
Executable file
105
scripts/policy_gate_production_smoke.sh
Executable file
@@ -0,0 +1,105 @@
|
||||
#!/usr/bin/env bash
|
||||
# Production policy-gate smoke for WARDEN-WP-0009 T02.
|
||||
#
|
||||
# Validates flex-auth registry (from inventory), allow/deny paths through
|
||||
# warden sign, and optionally OpenBao-backed signing when VAULT_TOKEN works.
|
||||
#
|
||||
# Usage:
|
||||
# ./scripts/policy_gate_production_smoke.sh
|
||||
# INVENTORY=~/.config/warden/inventory.yaml ./scripts/policy_gate_production_smoke.sh
|
||||
# SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh # also test backend: vault
|
||||
set -euo pipefail
|
||||
|
||||
ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
||||
INVENTORY="${INVENTORY:-$HOME/.config/warden/inventory.yaml}"
|
||||
REGISTRY="$ROOT/registry/flex-auth/production_registry_snapshot.json"
|
||||
POLICY="${FLEX_AUTH_POLICY:-$HOME/flex-auth/examples/ops-warden/policy_package.md}"
|
||||
FLEX_AUTH_BIN="${FLEX_AUTH_BIN:-/tmp/flex-auth}"
|
||||
ADDR="${FLEX_AUTH_ADDR:-127.0.0.1:18090}"
|
||||
PUBKEY="${PUBKEY:-$HOME/.ssh/agt-state-hub-bridge_ed25519.pub}"
|
||||
ACTOR="${ACTOR:-agt-state-hub-bridge}"
|
||||
SMOKE_DIR="$(mktemp -d /tmp/warden-prod-policy-smoke-XXXXXX)"
|
||||
|
||||
cleanup() {
|
||||
if [[ -n "${FA_PID:-}" ]] && kill -0 "$FA_PID" 2>/dev/null; then
|
||||
kill "$FA_PID" 2>/dev/null || true
|
||||
wait "$FA_PID" 2>/dev/null || true
|
||||
fi
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
echo "==> Building registry from $INVENTORY"
|
||||
uv run --directory "$ROOT" python scripts/build_flex_auth_registry.py \
|
||||
"$INVENTORY" -o "$REGISTRY"
|
||||
"$FLEX_AUTH_BIN" load-registry --file "$REGISTRY" >/dev/null
|
||||
|
||||
echo "==> Starting flex-auth on $ADDR"
|
||||
"$FLEX_AUTH_BIN" serve \
|
||||
--addr "$ADDR" \
|
||||
--registry "$REGISTRY" \
|
||||
--policy "$POLICY" \
|
||||
--log "$SMOKE_DIR/flex-auth-decisions.jsonl" &
|
||||
FA_PID=$!
|
||||
sleep 0.6
|
||||
|
||||
ssh-keygen -t ed25519 -f "$SMOKE_DIR/ca_key" -N "" -q
|
||||
|
||||
cat >"$SMOKE_DIR/warden.yaml" <<EOF
|
||||
backend: local
|
||||
ca_key: $SMOKE_DIR/ca_key
|
||||
state_dir: $SMOKE_DIR/state
|
||||
inventory_path: $INVENTORY
|
||||
policy:
|
||||
enabled: true
|
||||
flex_auth_url: http://$ADDR
|
||||
fail_closed: true
|
||||
tenant: tenant:platform
|
||||
system: ops-warden
|
||||
EOF
|
||||
|
||||
export WARDEN_CONFIG="$SMOKE_DIR/warden.yaml"
|
||||
|
||||
echo "==> Allow path: warden sign $ACTOR"
|
||||
uv run --directory "$ROOT" warden sign "$ACTOR" --pubkey "$PUBKEY" >/dev/null
|
||||
ALLOW_LINE="$(tail -1 "$SMOKE_DIR/state/signatures.log")"
|
||||
python3 -c "import json,sys; e=json.loads(sys.argv[1]); assert e.get('policy_decision_id'), e; print('policy_decision_id:', e['policy_decision_id'])" "$ALLOW_LINE"
|
||||
|
||||
echo "==> Deny path: ttl above max"
|
||||
set +e
|
||||
DENY_OUT="$(uv run --directory "$ROOT" warden sign "$ACTOR" --pubkey "$PUBKEY" --ttl 999 2>&1)"
|
||||
DENY_RC=$?
|
||||
set -e
|
||||
if [[ "$DENY_RC" -ne 1 ]]; then
|
||||
echo "expected deny exit 1, got $DENY_RC" >&2
|
||||
exit 1
|
||||
fi
|
||||
echo "$DENY_OUT" | grep -q "ttl_out_of_bounds"
|
||||
|
||||
if [[ "${SMOKE_VAULT:-0}" == "1" ]]; then
|
||||
echo "==> Vault-backed allow (requires scoped VAULT_TOKEN)"
|
||||
cat >"$SMOKE_DIR/warden-vault.yaml" <<EOF
|
||||
backend: vault
|
||||
vault:
|
||||
addr: https://bao.coulomb.social
|
||||
mount: ssh
|
||||
role_map:
|
||||
adm: adm-role
|
||||
agt: agt-role
|
||||
atm: atm-role
|
||||
token_env: VAULT_TOKEN
|
||||
inventory_path: $INVENTORY
|
||||
state_dir: $SMOKE_DIR/state-vault
|
||||
policy:
|
||||
enabled: true
|
||||
flex_auth_url: http://$ADDR
|
||||
fail_closed: true
|
||||
tenant: tenant:platform
|
||||
system: ops-warden
|
||||
EOF
|
||||
export WARDEN_CONFIG="$SMOKE_DIR/warden-vault.yaml"
|
||||
uv run --directory "$ROOT" warden sign "$ACTOR" --pubkey "$PUBKEY" >/dev/null
|
||||
VAULT_LINE="$(tail -1 "$SMOKE_DIR/state-vault/signatures.log")"
|
||||
python3 -c "import json,sys; e=json.loads(sys.argv[1]); assert e.get('backend')=='vault' and e.get('policy_decision_id'); print('vault policy_decision_id:', e['policy_decision_id'])" "$VAULT_LINE"
|
||||
fi
|
||||
|
||||
echo "OK — production registry policy gate smoke passed"
|
||||
Reference in New Issue
Block a user