generated from coulomb/repo-seed
feat: close WP-0009/WP-0013 production integration stewardship strand
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
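--- /dev/null
+++ b/tests/test_flex_auth_registry.py
@@ -0,0 +1,34 @@
+"""Tests for scripts/build_flex_auth_registry.py."""
+import json
+import subprocess
+import sys
+from pathlib import Path
+
+import yaml
+
+ROOT = Path(__file__).resolve().parents[1]
+SCRIPT = ROOT / "scripts" / "build_flex_auth_registry.py"
+INVENTORY = ROOT / "examples" / "inventory.seed.yaml"
+
+
+def test_build_registry_from_inventory_seed(tmp_path):
+out = tmp_path / "registry.json"
+subprocess.run(
+[sys.executable, str(SCRIPT), str(INVENTORY), "-o", str(out)],
+check=True,
+cwd=ROOT,
+)
+registry = json.loads(out.read_text())
+actors = yaml.safe_load(INVENTORY.read_text())["actors"]
+
+assert len(registry["subjects"]) == len(actors)
+assert len(registry["resource_manifests"][0]["resources"]) == len(actors)
+
+bridge = next(
+r
+for r in registry["resource_manifests"][0]["resources"]
+if r["id"] == "ssh-cert:actor/agt-state-hub-bridge"
+)
+assert bridge["attributes"]["actor_type"] == "agt"
+assert bridge["attributes"]["max_ttl_hours"] == 24
+assert "agt-task-bridge" in bridge["attributes"]["allowed_principals"]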
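Review bot: The allowed_principals assertion on the last line of the hunk pins only that `agt-task-bridge` is present, so a generator that emits a superset — every principal in the inventory, say — would still pass, and for a policy-gate registry over-granting is the failure that matters. Compare the whole allow-list against the seed instead: `expected = set(actors["agt-state-hub-bridge"]["principals"])` followed by `assert set(bridge["attributes"]["allowed_principals"]) == expected`, and likewise `assert bridge["attributes"]["max_ttl_hours"] == actors["agt-state-hub-bridge"]["ttl_hours"]` rather than the literal 24, so the test tracks the inventory rather than one snapshot of it. This presumes the seed's actor entries carry `principals` and `ttl_hours` keys, as the drift-check fixture in this same commit does; confirm against examples/inventory.seed.yaml before relying on it. Reading the inventory with `yaml.safe_load` is the right choice and should stay that way.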
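--- /dev/null
+++ b/tests/test_principals_drift.py
@@ -0,0 +1,48 @@
+"""Tests for scripts/check_principals_drift.py."""
+import subprocess
+import sys
+from pathlib import Path
+
+import yaml
+
+ROOT = Path(__file__).resolve().parents[1]
+SCRIPT = ROOT / "scripts" / "check_principals_drift.py"
+
+
+def test_no_drift_when_aligned(tmp_path):
+inv = tmp_path / "inventory.yaml"
+infra = tmp_path / "ssh_principals.yaml"
+inv.write_text(yaml.dump({
+"actors": {"agt-test": {"type": "agt", "principals": ["agt-task-bridge"], "ttl_hours": 24}},
+"hosts": {"host1": {"allowed_principals": {"agt": ["agt-task-bridge"]}}},
+}))
+infra.write_text(yaml.dump({
+"ssh_principals": {"Host1": {"users": {"user1": ["agt-task-bridge"]}}},
+}))
+result = subprocess.run(
+[sys.executable, str(SCRIPT), "--inventory", str(inv), "--infra", str(infra)],
+cwd=ROOT,
+capture_output=True,
+text=True,
+)
+assert result.returncode == 0
+assert "OK" in result.stdout
+
+
+def test_drift_detected(tmp_path):
+inv = tmp_path / "inventory.yaml"
+infra = tmp_path / "ssh_principals.yaml"
+inv.write_text(yaml.dump({
+"hosts": {"host1": {"allowed_principals": {"agt": ["agt-missing"]}}},
+}))
+infra.write_text(yaml.dump({
+"ssh_principals": {"Host1": {"users": {"user1": ["agt-other"]}}},
+}))
+result = subprocess.run(
+[sys.executable, str(SCRIPT), "--inventory", str(inv), "--infra", str(infra)],
+cwd=ROOT,
+capture_output=True,
+text=True,
+)
+assert result.returncode == 1
+assert "DRIFT" in result.stdout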
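Review bot: The drift fixture in test_drift_detected changes both sides at once (`agt-missing` in the inventory versus `agt-other` in infra), so it never establishes that the script flags the one direction that matters for access control: infra granting a principal the inventory does not allow, while the inventory side is otherwise satisfied. A third case where infra holds a strict superset of the inventory allow-list pins that; a sketch follows. The aligned test also relies silently on `host1` matching `Host1`, which implies host keys are compared case-insensitively (or not compared at all) — worth a comment on that fixture line, e.g. `# host key case differs on purpose; matching is expected to be case-insensitive — confirm against the script`. Both subprocess calls run without `check`, which is correct here since the exit code is the thing under test.
```python
def test_overgrant_is_drift(tmp_path):
    """Infra granting a principal the inventory does not list must be reported."""
    inv = tmp_path / "inventory.yaml"
    infra = tmp_path / "ssh_principals.yaml"
    inv.write_text(yaml.dump({
        "hosts": {"host1": {"allowed_principals": {"agt": ["agt-task-bridge"]}}},
    }))
    infra.write_text(yaml.dump({
        "ssh_principals": {"Host1": {"users": {"user1": ["agt-task-bridge", "agt-extra"]}}},
    }))
    result = subprocess.run(
        [sys.executable, str(SCRIPT), "--inventory", str(inv), "--infra", str(infra)],
        cwd=ROOT,
        capture_output=True,
        text=True,
    )
    assert result.returncode == 1
    assert "DRIFT" in result.stdout
```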