coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
55c3404741c5371658796622afd5fdcb573ddc8a
ops-warden/tests/test_posture_conformance.py
tegwick 41a55c95b0 feat(WARDEN-WP-0015): T3 conformance checker + T4 dev-tier contract doubles 
Finish the Workload Security Posture workplan (all five tasks done).

T3 — scripts/check_secret_posture_conformance.py: read-only checker that asserts
env-posture conformance (backend/unseal/real_values per tier) and evaluates the
secret-flow lattice via posture.can_deliver. Metadata-only manifest, no secret
values, exit 0/1/2. examples/posture-conformance.example.yaml as the reference.

T4 — src/warden/doubles.py: generalizes "fake bao" into materialize_doubles() —
hermetic, synthetic-only (synthetic- prefix) stand-ins for bao/key-cape honoring
each argv/stdout/exit contract, for fully offline dev/test access flows. Documented
as the sanctioned dev backend in WorkloadSecurityPosture.md R1.

T5 — INTENT/SCOPE/wiki aligned; canon landing in net-kingdom/info-tech-canon left
owner-driven (tracked via coordination messages).

16 new tests, 200 passing, ruff clean. Archived WP-0012/0014/0015 to
workplans/archived/ with 260627- prefix.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 19:30:30 +02:00

99 lines
3.2 KiB
Python
Raw Blame History

"""Tests for the read-only posture conformance checker (WP-0015 T3)."""
from __future__ import annotations
import importlib.util
from pathlib import Path
import pytest
from warden.posture import load_posture
# Load the script module by path (it lives under scripts/, not the package).
_SCRIPT = Path(__file__).resolve().parent.parent / "scripts" / "check_secret_posture_conformance.py"
_spec = importlib.util.spec_from_file_location("check_secret_posture_conformance", _SCRIPT)
conformance = importlib.util.module_from_spec(_spec)
_spec.loader.exec_module(conformance)
@pytest.fixture
def cat():
return load_posture()
def test_example_manifest_reports_expected_deny(cat):
"""The shipped example deliberately includes one denied flow (dev/M0 <- M3)."""
import yaml
manifest = yaml.safe_load(
(Path(__file__).resolve().parent.parent / "examples" / "posture-conformance.example.yaml").read_text()
)
violations = conformance.run(manifest, cat)
assert len(violations) == 1
assert "regulated-export-cred" in violations[0]
assert "DENIED" in violations[0]
def test_fully_conformant_manifest_has_no_violations(cat):
manifest = {
"environments": {"prod": {"backend": "openbao-sealed-shamir"}},
"workloads": [{"id": "w1", "env_posture": "prod", "maturity": "M3"}],
"secret_requests": [
{"secret": "s1", "to_workload": "w1", "required_maturity": "M2", "dataclass": "confidential"}
],
}
assert conformance.run(manifest, cat) == []
def test_env_posture_mismatch_flagged(cat):
manifest = {"environments": {"prod": {"backend": "mock-or-contract-double"}}}
violations = conformance.run(manifest, cat)
assert any("backend" in v and "prod" in v for v in violations)
def test_unknown_environment_flagged(cat):
violations = conformance.run({"environments": {"staging": {}}}, cat)
assert any("staging" in v for v in violations)
def test_lattice_denies_non_prod_env(cat):
manifest = {
"workloads": [{"id": "w", "env_posture": "test", "maturity": "M3"}],
"secret_requests": [{"secret": "s", "to_workload": "w", "required_maturity": "M0"}],
}
violations = conformance.run(manifest, cat)
assert any("env posture" in v for v in violations)
def test_missing_target_workload_flagged(cat):
manifest = {
"secret_requests": [{"secret": "s", "to_workload": "ghost", "required_maturity": "M0"}],
}
violations = conformance.run(manifest, cat)
assert any("ghost" in v for v in violations)
def test_main_exit_codes(tmp_path, capsys):
import yaml
conformant = tmp_path / "ok.yaml"
conformant.write_text(
yaml.safe_dump(
{
"workloads": [{"id": "w", "env_posture": "prod", "maturity": "M3"}],
"secret_requests": [
{"secret": "s", "to_workload": "w", "required_maturity": "M3", "dataclass": "restricted"}
],
}
)
)
import sys
argv = sys.argv
try:
sys.argv = ["check", "--manifest", str(conformant)]
assert conformance.main() == 0
sys.argv = ["check", "--manifest", str(tmp_path / "missing.yaml")]
assert conformance.main() == 2
finally:
sys.argv = argv
Reference in New Issue View Git Blame Copy Permalink