Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
"""Tests for scripts/check_principals_drift.py."""
|
|
import subprocess
|
|
import sys
|
|
from pathlib import Path
|
|
|
|
import yaml
|
|
|
|
# Repository root. This test file is assumed to live one directory below it
# (e.g. tests/), hence two levels up from the resolved file path.
ROOT = Path(__file__).resolve().parent.parent
# The CLI under test; it is spawned as a subprocess rather than imported.
SCRIPT = ROOT.joinpath("scripts", "check_principals_drift.py")
|
|
|
|
|
|
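def _run_drift_check(inventory: Path, infra: Path) -> "subprocess.CompletedProcess[str]":
    """Run scripts/check_principals_drift.py against the two YAML files.

    The script is exercised through a real subprocess, not imported, so the
    tests pin the CLI contract that CI and operators rely on: the argv
    flags, the exit code and the verdict printed on stdout.  ``check`` is
    explicitly False so a non-zero exit surfaces via ``returncode`` for the
    caller to assert on instead of raising ``CalledProcessError``.
    """
    return subprocess.run(
        [sys.executable, str(SCRIPT), "--inventory", str(inventory), "--infra", str(infra)],
        cwd=ROOT,
        capture_output=True,
        text=True,
        check=False,
    )


def _write_yaml(path: Path, data: dict) -> None:
    """Serialize *data* as YAML to *path* (test fixture helper)."""
    path.write_text(yaml.dump(data))


def test_no_drift_when_aligned(tmp_path):
    """Aligned inventory and infra principals exit 0 and print OK.

    The host key differs only in case ("host1" in the inventory, "Host1" in
    the infra file), so a passing run implies the script normalizes host
    names case-insensitively — this test does not verify that separately.
    """
    inv = tmp_path / "inventory.yaml"
    infra = tmp_path / "ssh_principals.yaml"
    _write_yaml(inv, {
        "actors": {"agt-test": {"type": "agt", "principals": ["agt-task-bridge"], "ttl_hours": 24}},
        "hosts": {"host1": {"allowed_principals": {"agt": ["agt-task-bridge"]}}},
    })
    _write_yaml(infra, {
        "ssh_principals": {"Host1": {"users": {"user1": ["agt-task-bridge"]}}},
    })
    result = _run_drift_check(inv, infra)
    # Carry the captured streams into the failure message so a CI failure
    # shows the script's own diagnostics rather than just a bare exit code.
    assert result.returncode == 0, f"stdout={result.stdout!r} stderr={result.stderr!r}"
    assert "OK" in result.stdout, result.stdout


def test_drift_detected(tmp_path):
    """Mismatched principals exit 1 and print DRIFT.

    Both sides disagree here (the inventory grants "agt-missing", the infra
    file deploys "agt-other"), so this covers drift in general but does not
    separate the two directions.  NOTE(review): the infra-only direction is
    presumably the riskier one (a principal deployed without an inventory
    entry); a dedicated test per direction would pin that down.  The
    inventory also omits "actors" entirely, so the script must tolerate
    that key being absent.
    """
    inv = tmp_path / "inventory.yaml"
    infra = tmp_path / "ssh_principals.yaml"
    _write_yaml(inv, {
        "hosts": {"host1": {"allowed_principals": {"agt": ["agt-missing"]}}},
    })
    _write_yaml(infra, {
        "ssh_principals": {"Host1": {"users": {"user1": ["agt-other"]}}},
    })
    result = _run_drift_check(inv, infra)
    # Exit code 1 is the documented "drift found" status; a crash would also
    # yield 1, so the DRIFT marker on stdout is asserted as well.
    assert result.returncode == 1, f"stdout={result.stdout!r} stderr={result.stderr!r}"
    assert "DRIFT" in result.stdout, result.stdout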