Add credential CCR operator handoff

2026-06-28 00:21:02 +02:00
parent a27a114491
commit 248bc58b6a
4 changed files with 104 additions and 7 deletions


@@ -126,6 +126,36 @@ class CredentialChangeTests(unittest.TestCase):
with self.assertRaises(SystemExit):
credential_change.command_apply_plan(type("Args", (), {"ref": str(self.issue_core)})())
def test_operator_commands_render_non_secret_policy_and_role_handoff(self) -> None:
ccr, errors, warnings = credential_change.validate_ccr(self.sample)
self.assertEqual(errors, [])
self.assertEqual(warnings, [])
rendered = credential_change.render_operator_commands(ccr)
self.assertIn(
"bao policy write workload-kv-read-whynot-design-npm-publish",
rendered,
)
self.assertIn(
"bao write auth/netkingdom/role/whynot-design-workload-kv-read",
rendered,
)
self.assertIn(
'bound_claims={"groups":["whynot-design"]}',
rendered,
)
self.assertIn(
"# bao kv put platform/workloads/whynot-design/whynot-design/npm-publish",
rendered,
)
self.assertIn("NPM_AUTH_TOKEN=<enter-through-approved-custody>", rendered)
self.assertNotIn("npm_", rendered)
def test_operator_commands_refuse_unapproved_ccr(self) -> None:
with self.assertRaises(SystemExit):
credential_change.command_operator_commands(
type("Args", (), {"ref": str(self.issue_core)})()
)
def test_approve_records_comment_but_unconfirmed_claim_still_blocks_apply(self) -> None:
with tempfile.TemporaryDirectory() as tmp:
tmp_path = Path(tmp)
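Review bot: `test_operator_commands_refuse_unapproved_ccr` asserts only that `SystemExit` is raised, so it would still pass if the command exited with a success status or emitted the policy and role commands before exiting. Bind the exception with `with self.assertRaises(SystemExit) as ctx:` and add `self.assertNotIn(ctx.exception.code, (0, None))`; if the command writes to stdout (not visible in this hunk), capture it and assert that no `bao ` line was produced for the unapproved CCR. In the render test, `self.assertNotIn("npm_", rendered)` guards against a single token prefix only; asserting that every `bao kv put` line begins with `# ` and carries nothing but the `<enter-through-approved-custody>` placeholder would pin the no-secret property more directly. The fixtures `self.sample` and `self.issue_core` are defined outside the hunk, so whether the sample contains any secret-shaped value could not be checked here.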