generated from coulomb/repo-seed
tegwick
9857ed1424
T1 — TTL max enforcement: - models.py: MAX_TTL_HOURS policy constant - ca.py: _enforce_ttl() raises CAError when spec.ttl_hours > type max - Called at top of LocalCA.sign() and VaultCA.sign() - scorecard.py: check_ttl_policy() — flags certs with issued TTL > type max - run_scorecard() now returns 5 checks T2 — Stale cert cleanup: - ca.py: _evict_cert() removes existing cert before writing new one (no accumulation) - cli.py: warden cleanup [actor] [--dry-run] command - check_no_stale_certs detail suggests 'warden cleanup' when stale certs found T3 — Outgoing signatures log: - ca.py: _append_signature_log() writes JSONL to state_dir/signatures.log - Called after every successful sign() in LocalCA and VaultCA - cli.py: warden log [actor] [--last N] [--json] command - parse_cert_metadata now also returns valid_from (needed for TTL policy check) 61 tests passing, ruff clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
177 lines
5.8 KiB
Python
177 lines
5.8 KiB
Python
"""Tests for warden.scorecard."""
|
|
from pathlib import Path
|
|
|
|
|
|
from warden.inventory import ActorEntry, PrincipalsInventory
|
|
from warden.models import ActorType
|
|
from unittest.mock import patch
|
|
from datetime import datetime, timezone
|
|
|
|
from warden.scorecard import (
|
|
check_actor_name_prefixes,
|
|
check_all_actors_have_principals,
|
|
check_no_stale_certs,
|
|
check_no_expired_certs,
|
|
check_ttl_policy,
|
|
run_scorecard,
|
|
)
|
|
|
|
|
|
def make_inventory(*actors):
|
|
inv = PrincipalsInventory()
|
|
for name, atype, principals in actors:
|
|
inv.actors[name] = ActorEntry(
|
|
name=name, actor_type=atype, principals=principals, ttl_hours=24
|
|
)
|
|
return inv
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# check_actor_name_prefixes
|
|
# ---------------------------------------------------------------------------
|
|
|
|
def test_prefix_check_pass():
|
|
inv = make_inventory(
|
|
("adm-bernd", ActorType.ADM, ["adm-full"]),
|
|
("agt-bridge", ActorType.AGT, ["agt-task-bridge"]),
|
|
("atm-cron", ActorType.ATM, ["atm-cron"]),
|
|
)
|
|
result = check_actor_name_prefixes(inv)
|
|
assert result.passed
|
|
|
|
|
|
def test_prefix_check_fail_bad_name():
|
|
# Bypass validate_actor_name by inserting directly
|
|
inv = PrincipalsInventory()
|
|
inv.actors["bad-name"] = ActorEntry(
|
|
name="bad-name", actor_type=ActorType.AGT, principals=["x"], ttl_hours=24
|
|
)
|
|
result = check_actor_name_prefixes(inv)
|
|
assert not result.passed
|
|
assert "bad-name" in result.detail
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# check_all_actors_have_principals
|
|
# ---------------------------------------------------------------------------
|
|
|
|
def test_principals_check_pass():
|
|
inv = make_inventory(("agt-bridge", ActorType.AGT, ["agt-task-bridge"]))
|
|
result = check_all_actors_have_principals(inv)
|
|
assert result.passed
|
|
|
|
|
|
def test_principals_check_fail_empty():
|
|
inv = PrincipalsInventory()
|
|
inv.actors["agt-bridge"] = ActorEntry(
|
|
name="agt-bridge", actor_type=ActorType.AGT, principals=[], ttl_hours=24
|
|
)
|
|
result = check_all_actors_have_principals(inv)
|
|
assert not result.passed
|
|
assert "agt-bridge" in result.detail
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# check_no_stale_certs
|
|
# ---------------------------------------------------------------------------
|
|
|
|
def test_no_stale_certs_nonexistent_dir():
|
|
result = check_no_stale_certs(Path("/nonexistent/state/dir"))
|
|
assert result.passed
|
|
|
|
|
|
def test_no_stale_certs_empty_dir(tmp_path):
|
|
result = check_no_stale_certs(tmp_path)
|
|
assert result.passed
|
|
|
|
|
|
def test_no_expired_certs_empty_dir(tmp_path):
|
|
result = check_no_expired_certs(tmp_path)
|
|
assert result.passed
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# run_scorecard
|
|
# ---------------------------------------------------------------------------
|
|
|
|
def test_run_scorecard_clean(tmp_path):
|
|
inv = make_inventory(
|
|
("agt-bridge", ActorType.AGT, ["agt-task-bridge"]),
|
|
)
|
|
results = run_scorecard(tmp_path, inv)
|
|
assert all(r.passed for r in results)
|
|
assert len(results) == 5
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# check_ttl_policy
|
|
# ---------------------------------------------------------------------------
|
|
|
|
def test_ttl_policy_no_state_dir():
|
|
inv = make_inventory(("agt-bridge", ActorType.AGT, ["agt-task-bridge"]))
|
|
result = check_ttl_policy(Path("/nonexistent/state"), inv)
|
|
assert result.passed
|
|
|
|
|
|
def test_ttl_policy_empty_dir(tmp_path):
|
|
inv = make_inventory(("agt-bridge", ActorType.AGT, ["agt-task-bridge"]))
|
|
result = check_ttl_policy(tmp_path, inv)
|
|
assert result.passed
|
|
|
|
|
|
def test_ttl_policy_pass(tmp_path):
|
|
inv = make_inventory(("agt-bridge", ActorType.AGT, ["agt-task-bridge"]))
|
|
cert_path = tmp_path / "agt-bridge-cert.pub"
|
|
cert_path.write_text("fake")
|
|
# 24h window — exactly at AGT max
|
|
meta = {
|
|
"identity": "agt-bridge",
|
|
"valid_before": datetime(2026, 3, 29, 10, 0, 0, tzinfo=timezone.utc),
|
|
"valid_from": datetime(2026, 3, 28, 10, 0, 0, tzinfo=timezone.utc),
|
|
"principals": ["agt-task-bridge"],
|
|
}
|
|
with patch("warden.scorecard.parse_cert_metadata", return_value=meta):
|
|
result = check_ttl_policy(tmp_path, inv)
|
|
assert result.passed
|
|
|
|
|
|
def test_ttl_policy_fail(tmp_path):
|
|
inv = make_inventory(("agt-bridge", ActorType.AGT, ["agt-task-bridge"]))
|
|
cert_path = tmp_path / "agt-bridge-cert.pub"
|
|
cert_path.write_text("fake")
|
|
# 48h window — exceeds AGT max of 24h
|
|
meta = {
|
|
"identity": "agt-bridge",
|
|
"valid_before": datetime(2026, 3, 30, 10, 0, 0, tzinfo=timezone.utc),
|
|
"valid_from": datetime(2026, 3, 28, 10, 0, 0, tzinfo=timezone.utc),
|
|
"principals": ["agt-task-bridge"],
|
|
}
|
|
with patch("warden.scorecard.parse_cert_metadata", return_value=meta):
|
|
result = check_ttl_policy(tmp_path, inv)
|
|
assert not result.passed
|
|
assert "agt-bridge" in result.detail
|
|
|
|
|
|
def test_ttl_policy_skips_unknown_actor(tmp_path):
|
|
inv = PrincipalsInventory() # empty — no actors
|
|
cert_path = tmp_path / "agt-unknown-cert.pub"
|
|
cert_path.write_text("fake")
|
|
result = check_ttl_policy(tmp_path, inv)
|
|
assert result.passed # unknown actor skipped, not a violation
|
|
|
|
|
|
def test_stale_certs_detail_suggests_cleanup(tmp_path):
|
|
cert_path = tmp_path / "agt-bridge-cert.pub"
|
|
cert_path.write_text("fake")
|
|
# Expired well over 5 minutes ago
|
|
meta = {
|
|
"identity": "agt-bridge",
|
|
"valid_before": datetime(2020, 1, 1, tzinfo=timezone.utc),
|
|
"valid_from": datetime(2019, 12, 31, tzinfo=timezone.utc),
|
|
"principals": [],
|
|
}
|
|
with patch("warden.scorecard.parse_cert_metadata", return_value=meta):
|
|
result = check_no_stale_certs(tmp_path)
|
|
assert not result.passed
|
|
assert "warden cleanup" in result.detail
|