Confirm whynot credential binding

This commit is contained in:
2026-06-27 23:45:31 +02:00
parent aee0dcefad
commit 52687d8b3e
6 changed files with 115 additions and 41 deletions

View File

@@ -29,8 +29,14 @@ class CredentialChangeTests(unittest.TestCase):
/ "credential-change-requests/CCR-2026-0002-issue-core-ingestion-api-key.yaml"
)
def test_sample_ccr_validates_with_bound_claim_warning(self) -> None:
_ccr, errors, warnings = credential_change.validate_ccr(self.sample)
def test_sample_ccr_validates_without_bound_claim_warning(self) -> None:
ccr, errors, warnings = credential_change.validate_ccr(self.sample)
self.assertEqual(errors, [])
self.assertEqual(warnings, [])
self.assertTrue(ccr["openbao"]["auth"]["bound_claims_confirmed"])
def test_unconfirmed_sibling_ccr_keeps_bound_claim_warning(self) -> None:
_ccr, errors, warnings = credential_change.validate_ccr(self.issue_core)
self.assertEqual(errors, [])
self.assertIn("bound claim is not confirmed", warnings[0])
@@ -56,6 +62,8 @@ class CredentialChangeTests(unittest.TestCase):
self.assertFalse(payload["frontdoor_resolvable"])
self.assertEqual(payload["access_frontdoor"]["readiness"], "template")
self.assertEqual(payload["access_frontdoor"]["catalog_id"], "whynot-design-npm-publish")
self.assertEqual(payload["apply_blockers"], ["apply requires status approved, got proposed"])
self.assertEqual(payload["warnings"], [])
self.assertIn("front door is marked resolvable=false", payload["frontdoor_blockers"])
def test_kubernetes_auth_payload_uses_service_account_bounds(self) -> None:
@@ -75,8 +83,8 @@ class CredentialChangeTests(unittest.TestCase):
tmp_path = Path(tmp)
ccr_dir = tmp_path / "ccrs"
ccr_dir.mkdir()
copied = ccr_dir / self.sample.name
shutil.copy2(self.sample, copied)
copied = ccr_dir / self.issue_core.name
shutil.copy2(self.issue_core, copied)
old_ccr_dir = os.environ.get("CCR_DIR")
os.environ["CCR_DIR"] = str(ccr_dir)
try:
@@ -89,7 +97,7 @@ class CredentialChangeTests(unittest.TestCase):
self.assertEqual(ccr["review"]["comments"][-1]["comment"], "looks right")
with self.assertRaises(SystemExit):
credential_change.command_apply_plan(
type("Args", (), {"ref": "CCR-2026-0001"})()
type("Args", (), {"ref": "CCR-2026-0002"})()
)
finally:
if old_ccr_dir is None:
@@ -97,6 +105,19 @@ class CredentialChangeTests(unittest.TestCase):
else:
os.environ["CCR_DIR"] = old_ccr_dir
def test_confirm_binding_records_comment_and_clears_warning(self) -> None:
with tempfile.TemporaryDirectory() as tmp:
copied = Path(tmp) / self.issue_core.name
shutil.copy2(self.issue_core, copied)
credential_change.confirm_binding(
copied, "unit-test", "service account binding confirmed"
)
ccr, errors, warnings = credential_change.validate_ccr(copied)
self.assertEqual(errors, [])
self.assertEqual(warnings, [])
self.assertTrue(ccr["openbao"]["auth"]["bound_claims_confirmed"])
self.assertEqual(ccr["review"]["comments"][-1]["decision"], "binding_confirmed")
def test_generated_policy_is_narrow(self) -> None:
ccr, _errors, _warnings = credential_change.validate_ccr(self.sample)
policy = credential_change.generated_policy_hcl(ccr)