Reject placeholder OpenBao drill evidence
@@ -95,6 +95,16 @@ for marker in secret_markers:
|
||||
if marker in encoded:
|
||||
errors.append(f"secret-looking marker present: {marker}")
|
||||
|
||||
placeholder_markers = [
|
||||
"YYYY-MM-DD",
|
||||
"example",
|
||||
"Do not record",
|
||||
"<",
|
||||
]
|
||||
for marker in placeholder_markers:
|
||||
if marker in encoded:
|
||||
errors.append(f"template placeholder present: {marker}")
|
||||
|
||||
if errors:
|
||||
for error in errors:
|
||||
print(f"[FAIL] {error}", file=sys.stderr)
|
||||
|
||||
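Review bot: The placeholder test `if marker in encoded:` is a case-sensitive substring match, so evidence left with `yyyy-mm-dd` or `Example` would pass. Meanwhile the one-character marker `"<"` and the bare word `"example"` will also reject genuine evidence that happens to contain them. Consider folding case once before the loop, `lowered = encoded.casefold()` followed by `if marker.casefold() in lowered:`, and adding a comment above `placeholder_markers` noting that the strings are presumably copied from the evidence template and must be kept in step with it. How `encoded` is built is outside the hunk, so it is worth confirming that `<` cannot appear there in escaped form. The same loop is added in the `@@ -100,6 +103,19 @@` hunk with a longer marker list, and the point applies there too.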
@@ -81,6 +81,9 @@ for key in ("snapshot_sha256", "encrypted_snapshot_sha256"):
|
||||
value = str(data.get(key, ""))
|
||||
if value and not sha_pattern.match(value):
|
||||
errors.append(f"{key} must be a sha256 hex digest, optionally prefixed with sha256:")
|
||||
digest = value.removeprefix("sha256:").lower()
|
||||
if digest and len(set(digest)) <= 1:
|
||||
errors.append(f"{key} must not be a placeholder digest")
|
||||
|
||||
for key in required_true:
|
||||
if data.get(key) is not True:
|
||||
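Review bot: The new guard `if digest and len(set(digest)) <= 1:` rejects only digests made of one repeated character, so any other stand-in value that matches `sha_pattern` still passes, and nothing visible in the hunk compares the two fields with each other. For restore-drill evidence it would be worth rejecting equal values after the loop, since a plaintext snapshot and its encrypted form should not hash the same: `digests = {str(data.get(k, "")).removeprefix("sha256:").lower() for k in ("snapshot_sha256", "encrypted_snapshot_sha256")}` then `if len(digests) == 1 and "" not in digests: errors.append("snapshot_sha256 and encrypted_snapshot_sha256 must differ")`. Indentation is lost on this page, so please confirm that the `digest = ...` lines sit at loop level and not under the failed-pattern branch, where they would only ever run on values that have already been rejected. A short comment on the `len(set(digest))` line saying it targets all-zero style fillers would also make the intent clear.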
@@ -100,6 +103,19 @@ for marker in secret_markers:
|
||||
if marker in encoded:
|
||||
errors.append(f"secret-looking marker present: {marker}")
|
||||
|
||||
placeholder_markers = [
|
||||
"YYYY-MM-DD",
|
||||
"example",
|
||||
"operator-local encrypted restore drill workspace",
|
||||
"approved encrypted custody location",
|
||||
"disposable cluster, VM, or namespace reference",
|
||||
"Do not record",
|
||||
"<",
|
||||
]
|
||||
for marker in placeholder_markers:
|
||||
if marker in encoded:
|
||||
errors.append(f"template placeholder present: {marker}")
|
||||
|
||||
if errors:
|
||||
for error in errors:
|
||||
print(f"[FAIL] {error}", file=sys.stderr)
|
||||
|
||||