Confirm whynot credential binding
@@ -29,8 +29,14 @@ class CredentialChangeTests(unittest.TestCase):
|
||||
/ "credential-change-requests/CCR-2026-0002-issue-core-ingestion-api-key.yaml"
|
||||
)
|
||||
|
||||
def test_sample_ccr_validates_with_bound_claim_warning(self) -> None:
|
||||
_ccr, errors, warnings = credential_change.validate_ccr(self.sample)
|
||||
def test_sample_ccr_validates_without_bound_claim_warning(self) -> None:
|
||||
ccr, errors, warnings = credential_change.validate_ccr(self.sample)
|
||||
self.assertEqual(errors, [])
|
||||
self.assertEqual(warnings, [])
|
||||
self.assertTrue(ccr["openbao"]["auth"]["bound_claims_confirmed"])
|
||||
|
||||
def test_unconfirmed_sibling_ccr_keeps_bound_claim_warning(self) -> None:
|
||||
_ccr, errors, warnings = credential_change.validate_ccr(self.issue_core)
|
||||
self.assertEqual(errors, [])
|
||||
self.assertIn("bound claim is not confirmed", warnings[0])
|
||||
|
||||
@@ -56,6 +62,8 @@ class CredentialChangeTests(unittest.TestCase):
|
||||
self.assertFalse(payload["frontdoor_resolvable"])
|
||||
self.assertEqual(payload["access_frontdoor"]["readiness"], "template")
|
||||
self.assertEqual(payload["access_frontdoor"]["catalog_id"], "whynot-design-npm-publish")
|
||||
self.assertEqual(payload["apply_blockers"], ["apply requires status approved, got proposed"])
|
||||
self.assertEqual(payload["warnings"], [])
|
||||
self.assertIn("front door is marked resolvable=false", payload["frontdoor_blockers"])
|
||||
|
||||
def test_kubernetes_auth_payload_uses_service_account_bounds(self) -> None:
|
||||
@@ -75,8 +83,8 @@ class CredentialChangeTests(unittest.TestCase):
|
||||
tmp_path = Path(tmp)
|
||||
ccr_dir = tmp_path / "ccrs"
|
||||
ccr_dir.mkdir()
|
||||
copied = ccr_dir / self.sample.name
|
||||
shutil.copy2(self.sample, copied)
|
||||
copied = ccr_dir / self.issue_core.name
|
||||
shutil.copy2(self.issue_core, copied)
|
||||
old_ccr_dir = os.environ.get("CCR_DIR")
|
||||
os.environ["CCR_DIR"] = str(ccr_dir)
|
||||
try:
|
||||
@@ -89,7 +97,7 @@ class CredentialChangeTests(unittest.TestCase):
|
||||
self.assertEqual(ccr["review"]["comments"][-1]["comment"], "looks right")
|
||||
with self.assertRaises(SystemExit):
|
||||
credential_change.command_apply_plan(
|
||||
type("Args", (), {"ref": "CCR-2026-0001"})()
|
||||
type("Args", (), {"ref": "CCR-2026-0002"})()
|
||||
)
|
||||
finally:
|
||||
if old_ccr_dir is None:
|
||||
@@ -97,6 +105,19 @@ class CredentialChangeTests(unittest.TestCase):
|
||||
else:
|
||||
os.environ["CCR_DIR"] = old_ccr_dir
|
||||
|
||||
def test_confirm_binding_records_comment_and_clears_warning(self) -> None:
|
||||
with tempfile.TemporaryDirectory() as tmp:
|
||||
copied = Path(tmp) / self.issue_core.name
|
||||
shutil.copy2(self.issue_core, copied)
|
||||
credential_change.confirm_binding(
|
||||
copied, "unit-test", "service account binding confirmed"
|
||||
)
|
||||
ccr, errors, warnings = credential_change.validate_ccr(copied)
|
||||
self.assertEqual(errors, [])
|
||||
self.assertEqual(warnings, [])
|
||||
self.assertTrue(ccr["openbao"]["auth"]["bound_claims_confirmed"])
|
||||
self.assertEqual(ccr["review"]["comments"][-1]["decision"], "binding_confirmed")
|
||||
|
||||
def test_generated_policy_is_narrow(self) -> None:
|
||||
ccr, _errors, _warnings = credential_change.validate_ccr(self.sample)
|
||||
policy = credential_change.generated_policy_hcl(ccr)
|
||||
|
||||
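Review bot: test_confirm_binding_records_comment_and_clears_warning asserts only the `decision` of the last review comment, so the record of who confirmed the binding, and with what justification, is not pinned by any assertion. Because `bound_claims_confirmed` is the flag that silences the bound-claim warning, the test should also check the stored text, e.g. `self.assertEqual(ccr["review"]["comments"][-1]["comment"], "service account binding confirmed")`. It should likewise check whichever field holds the `"unit-test"` actor; that field's name is not visible in this diff. If confirm_binding is meant to refuse an empty actor or comment, a negative test for that is also missing from this section. Separately, `warnings[0]` in test_unconfirmed_sibling_ccr_keeps_bound_claim_warning fails with an IndexError rather than an assertion failure when no warning is emitted; `self.assertTrue(any("bound claim is not confirmed" in w for w in warnings))` reports the regression more clearly.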