Link CCR approval to State Hub decision
This commit is contained in:
@@ -64,8 +64,52 @@ class CredentialChangeTests(unittest.TestCase):
|
||||
self.assertEqual(payload["access_frontdoor"]["catalog_id"], "whynot-design-npm-publish")
|
||||
self.assertEqual(payload["apply_blockers"], ["apply requires status approved, got proposed"])
|
||||
self.assertEqual(payload["warnings"], [])
|
||||
self.assertEqual(
|
||||
payload["state_hub"]["decision_id"],
|
||||
"250669d0-8475-4527-9624-cd072249f9a9",
|
||||
)
|
||||
self.assertIn("front door is marked resolvable=false", payload["frontdoor_blockers"])
|
||||
|
||||
def test_state_hub_rationale_prefix_maps_to_ccr_status(self) -> None:
|
||||
cases = {
|
||||
"APPROVE: scoped path and binding are correct": "approved",
|
||||
"DENY: wrong tenant": "denied",
|
||||
"NEEDS_CHANGES: use a read-only token": "needs_changes",
|
||||
"request changes: clarify service account": "needs_changes",
|
||||
}
|
||||
for rationale, expected in cases.items():
|
||||
with self.subTest(rationale=rationale):
|
||||
self.assertEqual(
|
||||
credential_change.ccr_status_from_state_hub_rationale(rationale),
|
||||
expected,
|
||||
)
|
||||
with self.assertRaises(SystemExit):
|
||||
credential_change.ccr_status_from_state_hub_rationale("looks good")
|
||||
|
||||
def test_sync_state_hub_decision_updates_ccr_status(self) -> None:
|
||||
with tempfile.TemporaryDirectory() as tmp:
|
||||
copied = Path(tmp) / self.sample.name
|
||||
shutil.copy2(self.sample, copied)
|
||||
original = credential_change.state_hub_decision_status
|
||||
try:
|
||||
credential_change.state_hub_decision_status = lambda _ccr, _url: {
|
||||
"id": "250669d0-8475-4527-9624-cd072249f9a9",
|
||||
"status": "resolved",
|
||||
"rationale": "APPROVE: scoped path and confirmed binding are acceptable",
|
||||
"decided_by": "unit-test",
|
||||
"decided_at": "2026-06-27T22:00:00Z",
|
||||
}
|
||||
credential_change.sync_state_hub_decision(copied, "http://state-hub.test")
|
||||
finally:
|
||||
credential_change.state_hub_decision_status = original
|
||||
ccr, errors, warnings = credential_change.validate_ccr(copied)
|
||||
self.assertEqual(errors, [])
|
||||
self.assertEqual(warnings, [])
|
||||
self.assertEqual(ccr["status"], "approved")
|
||||
self.assertEqual(ccr["review"]["comments"][-1]["reviewer"], "unit-test")
|
||||
self.assertIn("State Hub decision", ccr["review"]["comments"][-1]["comment"])
|
||||
self.assertEqual(ccr["state_hub"]["decision_resolved_at"], "2026-06-27T22:00:00Z")
|
||||
|
||||
def test_kubernetes_auth_payload_uses_service_account_bounds(self) -> None:
|
||||
ccr, errors, _warnings = credential_change.validate_ccr(self.issue_core)
|
||||
self.assertEqual(errors, [])
|
||||
|
||||
Reference in New Issue
Block a user