generated from coulomb/repo-seed
tegwick
1f87be4c6b
Add reachability enrichment (tunnel metadata, ops-bridge pointer), secret_refs boundary resolution, profile.agent-dev and profile.build, CLI reachability show, API endpoint, consumer smoke scripts, and tests.
51 lines
1.6 KiB
Python
51 lines
1.6 KiB
Python
"""Setup secret resolution tests."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import pytest
|
|
|
|
from sandboxer.models import Profile, SetupSpec
|
|
from sandboxer.secrets.resolver import resolve_secret_ref, resolve_setup_secrets
|
|
|
|
|
|
def test_resolve_secret_ref_from_env(monkeypatch: pytest.MonkeyPatch) -> None:
|
|
monkeypatch.setenv("SANDBOXER_SECRET_BUILD_REGISTRY_TOKEN", "tok123")
|
|
assert resolve_secret_ref("build-registry-token") == "tok123"
|
|
|
|
|
|
def test_resolve_setup_secrets_success(monkeypatch: pytest.MonkeyPatch) -> None:
|
|
monkeypatch.setenv("SANDBOXER_SECRET_BUILD_REGISTRY_TOKEN", "tok123")
|
|
profile = Profile.model_validate(
|
|
{
|
|
"id": "profile.build",
|
|
"version": "1.0.0",
|
|
"extension": "ext.vm-packer",
|
|
"setup": SetupSpec(secret_refs=["build-registry-token"]).model_dump(),
|
|
}
|
|
)
|
|
secrets = resolve_setup_secrets(profile)
|
|
assert secrets["build-registry-token"] == "tok123"
|
|
|
|
|
|
def test_resolve_setup_secrets_missing_raises() -> None:
|
|
profile = Profile.model_validate(
|
|
{
|
|
"id": "profile.build",
|
|
"version": "1.0.0",
|
|
"extension": "ext.vm-packer",
|
|
"setup": SetupSpec(secret_refs=["missing-ref"]).model_dump(),
|
|
}
|
|
)
|
|
with pytest.raises(ValueError, match="Unresolved secret_refs"):
|
|
resolve_setup_secrets(profile)
|
|
|
|
|
|
def test_empty_secret_refs() -> None:
|
|
profile = Profile.model_validate(
|
|
{
|
|
"id": "profile.compose-e2e",
|
|
"version": "1.0.0",
|
|
"extension": "ext.compose-ssh",
|
|
}
|
|
)
|
|
assert resolve_setup_secrets(profile) == {} |