Link CCR approval to State Hub decision

This commit is contained in:
2026-06-28 00:00:02 +02:00
parent 52687d8b3e
commit 3706ff703e
6 changed files with 173 additions and 1 deletions

View File

@@ -64,8 +64,52 @@ class CredentialChangeTests(unittest.TestCase):
self.assertEqual(payload["access_frontdoor"]["catalog_id"], "whynot-design-npm-publish")
self.assertEqual(payload["apply_blockers"], ["apply requires status approved, got proposed"])
self.assertEqual(payload["warnings"], [])
self.assertEqual(
payload["state_hub"]["decision_id"],
"250669d0-8475-4527-9624-cd072249f9a9",
)
self.assertIn("front door is marked resolvable=false", payload["frontdoor_blockers"])
def test_state_hub_rationale_prefix_maps_to_ccr_status(self) -> None:
cases = {
"APPROVE: scoped path and binding are correct": "approved",
"DENY: wrong tenant": "denied",
"NEEDS_CHANGES: use a read-only token": "needs_changes",
"request changes: clarify service account": "needs_changes",
}
for rationale, expected in cases.items():
with self.subTest(rationale=rationale):
self.assertEqual(
credential_change.ccr_status_from_state_hub_rationale(rationale),
expected,
)
with self.assertRaises(SystemExit):
credential_change.ccr_status_from_state_hub_rationale("looks good")
def test_sync_state_hub_decision_updates_ccr_status(self) -> None:
with tempfile.TemporaryDirectory() as tmp:
copied = Path(tmp) / self.sample.name
shutil.copy2(self.sample, copied)
original = credential_change.state_hub_decision_status
try:
credential_change.state_hub_decision_status = lambda _ccr, _url: {
"id": "250669d0-8475-4527-9624-cd072249f9a9",
"status": "resolved",
"rationale": "APPROVE: scoped path and confirmed binding are acceptable",
"decided_by": "unit-test",
"decided_at": "2026-06-27T22:00:00Z",
}
credential_change.sync_state_hub_decision(copied, "http://state-hub.test")
finally:
credential_change.state_hub_decision_status = original
ccr, errors, warnings = credential_change.validate_ccr(copied)
self.assertEqual(errors, [])
self.assertEqual(warnings, [])
self.assertEqual(ccr["status"], "approved")
self.assertEqual(ccr["review"]["comments"][-1]["reviewer"], "unit-test")
self.assertIn("State Hub decision", ccr["review"]["comments"][-1]["comment"])
self.assertEqual(ccr["state_hub"]["decision_resolved_at"], "2026-06-27T22:00:00Z")
def test_kubernetes_auth_payload_uses_service_account_bounds(self) -> None:
ccr, errors, _warnings = credential_change.validate_ccr(self.issue_core)
self.assertEqual(errors, [])