railiance-platform/tests/test_credential_change.py

from __future__ import annotations

import importlib.util
import os
import shutil
import sys
import tempfile
import unittest
from pathlib import Path

REPO_DIR = Path(__file__).resolve().parents[1]
SPEC = importlib.util.spec_from_file_location(
    "credential_change", REPO_DIR / "scripts/credential-change.py"
)
credential_change = importlib.util.module_from_spec(SPEC)
assert SPEC.loader is not None
sys.modules[SPEC.name] = credential_change
SPEC.loader.exec_module(credential_change)


class CredentialChangeTests(unittest.TestCase):
    def setUp(self) -> None:
        self.sample = (
            REPO_DIR
            / "credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml"
        )
        self.issue_core = (
            REPO_DIR
            / "credential-change-requests/CCR-2026-0002-issue-core-ingestion-api-key.yaml"
        )

    def test_sample_ccr_validates_with_bound_claim_warning(self) -> None:
        _ccr, errors, warnings = credential_change.validate_ccr(self.sample)
        self.assertEqual(errors, [])
        self.assertIn("bound claim is not confirmed", warnings[0])

    def test_all_repo_ccrs_validate(self) -> None:
        for path in sorted((REPO_DIR / "credential-change-requests").glob("*.yaml")):
            with self.subTest(path=path.name):
                _ccr, errors, _warnings = credential_change.validate_ccr(path)
                self.assertEqual(errors, [])

    def test_render_summary_contains_review_fields(self) -> None:
        ccr, _errors, warnings = credential_change.validate_ccr(self.sample)
        rendered = credential_change.render_summary(ccr, warnings)
        self.assertIn("whynot-design npm publish token lane", rendered)
        self.assertIn("platform/workloads/whynot-design/whynot-design/npm-publish", rendered)
        self.assertIn("whynot-design-npm-publish", rendered)
        self.assertIn("readiness: template resolvable=False", rendered)
        self.assertIn("approve | deny | needs_changes", rendered)

    def test_status_payload_marks_template_not_resolvable(self) -> None:
        ccr, _errors, warnings = credential_change.validate_ccr(self.sample)
        payload = credential_change.status_payload(ccr, warnings)
        self.assertFalse(payload["apply_allowed"])
        self.assertFalse(payload["frontdoor_resolvable"])
        self.assertEqual(payload["access_frontdoor"]["readiness"], "template")
        self.assertEqual(payload["access_frontdoor"]["catalog_id"], "whynot-design-npm-publish")
        self.assertIn("front door is marked resolvable=false", payload["frontdoor_blockers"])

    def test_kubernetes_auth_payload_uses_service_account_bounds(self) -> None:
        ccr, errors, _warnings = credential_change.validate_ccr(self.issue_core)
        self.assertEqual(errors, [])
        payload = credential_change.auth_payload(ccr)
        self.assertEqual(payload["bound_service_account_names"], ["issue-core"])
        self.assertEqual(payload["bound_service_account_namespaces"], ["issue-core"])
        self.assertNotIn("bound_claims", payload)

    def test_apply_plan_refuses_unapproved_ccr(self) -> None:
        with self.assertRaises(SystemExit):
            credential_change.command_apply_plan(type("Args", (), {"ref": str(self.sample)})())

    def test_approve_records_comment_but_unconfirmed_claim_still_blocks_apply(self) -> None:
        with tempfile.TemporaryDirectory() as tmp:
            tmp_path = Path(tmp)
            ccr_dir = tmp_path / "ccrs"
            ccr_dir.mkdir()
            copied = ccr_dir / self.sample.name
            shutil.copy2(self.sample, copied)
            old_ccr_dir = os.environ.get("CCR_DIR")
            os.environ["CCR_DIR"] = str(ccr_dir)
            try:
                credential_change.append_decision(
                    copied, "approved", "unit-test", "looks right"
                )
                ccr, errors, _warnings = credential_change.validate_ccr(copied)
                self.assertEqual(errors, [])
                self.assertEqual(ccr["status"], "approved")
                self.assertEqual(ccr["review"]["comments"][-1]["comment"], "looks right")
                with self.assertRaises(SystemExit):
                    credential_change.command_apply_plan(
                        type("Args", (), {"ref": "CCR-2026-0001"})()
                    )
            finally:
                if old_ccr_dir is None:
                    os.environ.pop("CCR_DIR", None)
                else:
                    os.environ["CCR_DIR"] = old_ccr_dir

    def test_generated_policy_is_narrow(self) -> None:
        ccr, _errors, _warnings = credential_change.validate_ccr(self.sample)
        policy = credential_change.generated_policy_hcl(ccr)
        self.assertIn('path "platform/data/workloads/whynot-design/whynot-design/npm-publish"', policy)
        self.assertNotIn("*", policy)
        self.assertNotIn("delete", policy)


if __name__ == "__main__":
    unittest.main()