Add credential CCR operator handoff
@@ -126,6 +126,36 @@ class CredentialChangeTests(unittest.TestCase):
|
||||
with self.assertRaises(SystemExit):
|
||||
credential_change.command_apply_plan(type("Args", (), {"ref": str(self.issue_core)})())
|
||||
|
||||
def test_operator_commands_render_non_secret_policy_and_role_handoff(self) -> None:
|
||||
ccr, errors, warnings = credential_change.validate_ccr(self.sample)
|
||||
self.assertEqual(errors, [])
|
||||
self.assertEqual(warnings, [])
|
||||
rendered = credential_change.render_operator_commands(ccr)
|
||||
self.assertIn(
|
||||
"bao policy write workload-kv-read-whynot-design-npm-publish",
|
||||
rendered,
|
||||
)
|
||||
self.assertIn(
|
||||
"bao write auth/netkingdom/role/whynot-design-workload-kv-read",
|
||||
rendered,
|
||||
)
|
||||
self.assertIn(
|
||||
'bound_claims={"groups":["whynot-design"]}',
|
||||
rendered,
|
||||
)
|
||||
self.assertIn(
|
||||
"# bao kv put platform/workloads/whynot-design/whynot-design/npm-publish",
|
||||
rendered,
|
||||
)
|
||||
self.assertIn("NPM_AUTH_TOKEN=<enter-through-approved-custody>", rendered)
|
||||
self.assertNotIn("npm_", rendered)
|
||||
|
||||
def test_operator_commands_refuse_unapproved_ccr(self) -> None:
|
||||
with self.assertRaises(SystemExit):
|
||||
credential_change.command_operator_commands(
|
||||
type("Args", (), {"ref": str(self.issue_core)})()
|
||||
)
|
||||
|
||||
def test_approve_records_comment_but_unconfirmed_claim_still_blocks_apply(self) -> None:
|
||||
with tempfile.TemporaryDirectory() as tmp:
|
||||
tmp_path = Path(tmp)
|
||||
|
||||
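Review bot: The negative check in test_operator_commands_render_non_secret_policy_and_role_handoff, `self.assertNotIn("npm_", rendered)`, only catches a value that happens to carry the `npm_` prefix, so a token in another format, or any other secret field of the CCR, could appear in the handoff text and the test would still pass. Tying the check to the field is stronger, for example `self.assertNotRegex(rendered, r"NPM_AUTH_TOKEN=(?!<enter-through-approved-custody>)")`, which fails whenever the variable is followed by anything but the placeholder. The `# bao kv put` assertion likewise proves that the commented line is present, not that no uncommented `bao kv put` line is rendered. In test_operator_commands_refuse_unapproved_ccr, SystemExit alone does not show that nothing was emitted before the exit; if the command prints to stdout (not visible here), capturing it and asserting that it holds no `bao ` line would pin the refusal. The enclosing class starts outside the hunk, and the trailing test_approve_records_comment_but_unconfirmed_claim_still_blocks_apply body continues past it.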