generated from coulomb/repo-seed
tegwick
90007c2cda
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
105 lines
3.5 KiB
Bash
Executable File
105 lines
3.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Production policy-gate smoke for WARDEN-WP-0009 T02.
|
|
#
|
|
# Validates flex-auth registry (from inventory), allow/deny paths through
|
|
# warden sign, and optionally OpenBao-backed signing when VAULT_TOKEN works.
|
|
#
|
|
# Usage:
|
|
# ./scripts/policy_gate_production_smoke.sh
|
|
# INVENTORY=~/.config/warden/inventory.yaml ./scripts/policy_gate_production_smoke.sh
|
|
# SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh # also test backend: vault
|
|
set -euo pipefail
|
|
|
|
ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
|
INVENTORY="${INVENTORY:-$HOME/.config/warden/inventory.yaml}"
|
|
REGISTRY="$ROOT/registry/flex-auth/production_registry_snapshot.json"
|
|
POLICY="${FLEX_AUTH_POLICY:-$HOME/flex-auth/examples/ops-warden/policy_package.md}"
|
|
FLEX_AUTH_BIN="${FLEX_AUTH_BIN:-/tmp/flex-auth}"
|
|
ADDR="${FLEX_AUTH_ADDR:-127.0.0.1:18090}"
|
|
PUBKEY="${PUBKEY:-$HOME/.ssh/agt-state-hub-bridge_ed25519.pub}"
|
|
ACTOR="${ACTOR:-agt-state-hub-bridge}"
|
|
SMOKE_DIR="$(mktemp -d /tmp/warden-prod-policy-smoke-XXXXXX)"
|
|
|
|
cleanup() {
|
|
if [[ -n "${FA_PID:-}" ]] && kill -0 "$FA_PID" 2>/dev/null; then
|
|
kill "$FA_PID" 2>/dev/null || true
|
|
wait "$FA_PID" 2>/dev/null || true
|
|
fi
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
echo "==> Building registry from $INVENTORY"
|
|
uv run --directory "$ROOT" python scripts/build_flex_auth_registry.py \
|
|
"$INVENTORY" -o "$REGISTRY"
|
|
"$FLEX_AUTH_BIN" load-registry --file "$REGISTRY" >/dev/null
|
|
|
|
echo "==> Starting flex-auth on $ADDR"
|
|
"$FLEX_AUTH_BIN" serve \
|
|
--addr "$ADDR" \
|
|
--registry "$REGISTRY" \
|
|
--policy "$POLICY" \
|
|
--log "$SMOKE_DIR/flex-auth-decisions.jsonl" &
|
|
FA_PID=$!
|
|
sleep 0.6
|
|
|
|
ssh-keygen -t ed25519 -f "$SMOKE_DIR/ca_key" -N "" -q
|
|
|
|
cat >"$SMOKE_DIR/warden.yaml" <<EOF
|
|
backend: local
|
|
ca_key: $SMOKE_DIR/ca_key
|
|
state_dir: $SMOKE_DIR/state
|
|
inventory_path: $INVENTORY
|
|
policy:
|
|
enabled: true
|
|
flex_auth_url: http://$ADDR
|
|
fail_closed: true
|
|
tenant: tenant:platform
|
|
system: ops-warden
|
|
EOF
|
|
|
|
export WARDEN_CONFIG="$SMOKE_DIR/warden.yaml"
|
|
|
|
echo "==> Allow path: warden sign $ACTOR"
|
|
uv run --directory "$ROOT" warden sign "$ACTOR" --pubkey "$PUBKEY" >/dev/null
|
|
ALLOW_LINE="$(tail -1 "$SMOKE_DIR/state/signatures.log")"
|
|
python3 -c "import json,sys; e=json.loads(sys.argv[1]); assert e.get('policy_decision_id'), e; print('policy_decision_id:', e['policy_decision_id'])" "$ALLOW_LINE"
|
|
|
|
echo "==> Deny path: ttl above max"
|
|
set +e
|
|
DENY_OUT="$(uv run --directory "$ROOT" warden sign "$ACTOR" --pubkey "$PUBKEY" --ttl 999 2>&1)"
|
|
DENY_RC=$?
|
|
set -e
|
|
if [[ "$DENY_RC" -ne 1 ]]; then
|
|
echo "expected deny exit 1, got $DENY_RC" >&2
|
|
exit 1
|
|
fi
|
|
echo "$DENY_OUT" | grep -q "ttl_out_of_bounds"
|
|
|
|
if [[ "${SMOKE_VAULT:-0}" == "1" ]]; then
|
|
echo "==> Vault-backed allow (requires scoped VAULT_TOKEN)"
|
|
cat >"$SMOKE_DIR/warden-vault.yaml" <<EOF
|
|
backend: vault
|
|
vault:
|
|
addr: https://bao.coulomb.social
|
|
mount: ssh
|
|
role_map:
|
|
adm: adm-role
|
|
agt: agt-role
|
|
atm: atm-role
|
|
token_env: VAULT_TOKEN
|
|
inventory_path: $INVENTORY
|
|
state_dir: $SMOKE_DIR/state-vault
|
|
policy:
|
|
enabled: true
|
|
flex_auth_url: http://$ADDR
|
|
fail_closed: true
|
|
tenant: tenant:platform
|
|
system: ops-warden
|
|
EOF
|
|
export WARDEN_CONFIG="$SMOKE_DIR/warden-vault.yaml"
|
|
uv run --directory "$ROOT" warden sign "$ACTOR" --pubkey "$PUBKEY" >/dev/null
|
|
VAULT_LINE="$(tail -1 "$SMOKE_DIR/state-vault/signatures.log")"
|
|
python3 -c "import json,sys; e=json.loads(sys.argv[1]); assert e.get('backend')=='vault' and e.get('policy_decision_id'); print('vault policy_decision_id:', e['policy_decision_id'])" "$VAULT_LINE"
|
|
fi
|
|
|
|
echo "OK — production registry policy gate smoke passed" |