docs(security): 新增 Monitoring owner request draft [skip ci]
This commit is contained in:
@@ -109,6 +109,9 @@ def validate(root: Path) -> None:
|
||||
monitoring_alerting_observability_inventory = load_json(
|
||||
security_dir / "monitoring-alerting-observability-inventory.snapshot.json"
|
||||
)
|
||||
monitoring_owner_request_draft = load_json(
|
||||
security_dir / "monitoring-owner-request-draft.snapshot.json"
|
||||
)
|
||||
domain_tls_inventory = load_json(security_dir / "domain-tls-certbot-inventory.snapshot.json")
|
||||
domain_tls_owner_confirmation_request = load_json(
|
||||
security_dir / "domain-tls-certbot-owner-confirmation-request.snapshot.json"
|
||||
@@ -3468,6 +3471,159 @@ def validate(root: Path) -> None:
|
||||
[item["surface_id"] for item in monitoring_alerting_observability_inventory["write_capable_surfaces"]],
|
||||
surface_id,
|
||||
)
|
||||
assert_equal(
|
||||
"monitoring_owner_request_draft.schema",
|
||||
monitoring_owner_request_draft["schema_version"],
|
||||
"monitoring_owner_request_draft_v1",
|
||||
)
|
||||
assert_equal(
|
||||
"monitoring_owner_request_draft.status",
|
||||
monitoring_owner_request_draft["status"],
|
||||
"owner_request_draft_ready_not_dispatched",
|
||||
)
|
||||
assert_equal(
|
||||
"monitoring_owner_request_draft.source_inventory_schema_version",
|
||||
monitoring_owner_request_draft["source_inventory_schema_version"],
|
||||
"monitoring_alerting_observability_inventory_v1",
|
||||
)
|
||||
assert_equal(
|
||||
"monitoring_owner_request_draft.source_inventory_status",
|
||||
monitoring_owner_request_draft["source_inventory_status"],
|
||||
"repo_only_inventory_ready",
|
||||
)
|
||||
expected_monitoring_owner_request_summary = {
|
||||
"request_draft_count": 60,
|
||||
"write_capable_request_draft_count": 11,
|
||||
"live_evidence_required_request_count": 60,
|
||||
"request_field_count": 24,
|
||||
"required_owner_field_count": 14,
|
||||
"blocked_action_count": 24,
|
||||
"request_sent_count": 0,
|
||||
"recipient_confirmed_count": 0,
|
||||
"owner_response_received_count": 0,
|
||||
"owner_response_accepted_count": 0,
|
||||
"live_evidence_received_count": 0,
|
||||
"reload_owner_accepted_count": 0,
|
||||
"receiver_owner_accepted_count": 0,
|
||||
"route_smoke_accepted_count": 0,
|
||||
"maintenance_window_accepted_count": 0,
|
||||
"rollback_owner_accepted_count": 0,
|
||||
"validation_plan_accepted_count": 0,
|
||||
"prometheus_reload_authorized_count": 0,
|
||||
"alertmanager_reload_authorized_count": 0,
|
||||
"grafana_dashboard_apply_authorized_count": 0,
|
||||
"signoz_rule_apply_authorized_count": 0,
|
||||
"sentry_deploy_authorized_count": 0,
|
||||
"langfuse_config_change_authorized_count": 0,
|
||||
"otel_collector_reload_authorized_count": 0,
|
||||
"receiver_route_change_authorized_count": 0,
|
||||
"silence_policy_change_authorized_count": 0,
|
||||
"telegram_send_authorized_count": 0,
|
||||
"notification_route_change_authorized_count": 0,
|
||||
"webhook_receiver_change_authorized_count": 0,
|
||||
"remote_write_change_authorized_count": 0,
|
||||
"exporter_deploy_authorized_count": 0,
|
||||
"live_alert_fire_authorized_count": 0,
|
||||
"alert_chain_smoke_authorized_count": 0,
|
||||
"ssh_read_authorized_count": 0,
|
||||
"ssh_write_authorized_count": 0,
|
||||
"kubectl_action_authorized_count": 0,
|
||||
"secret_value_collection_allowed_count": 0,
|
||||
"host_write_authorized_count": 0,
|
||||
"active_scan_authorized_count": 0,
|
||||
"production_write_authorized_count": 0,
|
||||
"runtime_gate_count": 0,
|
||||
"action_button_count": 0,
|
||||
}
|
||||
for key, expected in expected_monitoring_owner_request_summary.items():
|
||||
assert_equal(
|
||||
f"monitoring_owner_request_draft.summary.{key}",
|
||||
monitoring_owner_request_draft["summary"][key],
|
||||
expected,
|
||||
)
|
||||
for key, value in monitoring_owner_request_draft["execution_boundaries"].items():
|
||||
if key == "not_authorization":
|
||||
assert_true(f"monitoring_owner_request_draft.execution_boundaries.{key}", value)
|
||||
else:
|
||||
assert_false(f"monitoring_owner_request_draft.execution_boundaries.{key}", value)
|
||||
assert_equal(
|
||||
"monitoring_owner_request_draft.request_drafts.count",
|
||||
len(monitoring_owner_request_draft["request_drafts"]),
|
||||
60,
|
||||
)
|
||||
monitoring_owner_request_ids = [
|
||||
item["request_id"] for item in monitoring_owner_request_draft["request_drafts"]
|
||||
]
|
||||
for request_id in [
|
||||
"monitoring_owner_request:alertmanager_receiver_config",
|
||||
"monitoring_owner_request:deploy_alertmanager_config_script",
|
||||
"monitoring_owner_request:telegram_gateway_service",
|
||||
"monitoring_owner_request:fire_live_alert_script",
|
||||
"monitoring_owner_request:sentry_self_hosted_deploy",
|
||||
"monitoring_owner_request:langfuse_compose",
|
||||
]:
|
||||
assert_contains(
|
||||
"monitoring_owner_request_draft.request_drafts",
|
||||
monitoring_owner_request_ids,
|
||||
request_id,
|
||||
)
|
||||
for draft in monitoring_owner_request_draft["request_drafts"]:
|
||||
assert_equal(
|
||||
f"monitoring_owner_request_draft.{draft['request_id']}.required_owner_fields",
|
||||
len(draft["required_owner_fields"]),
|
||||
14,
|
||||
)
|
||||
assert_equal(
|
||||
f"monitoring_owner_request_draft.{draft['request_id']}.blocked_actions",
|
||||
len(draft["blocked_actions"]),
|
||||
24,
|
||||
)
|
||||
assert_true(
|
||||
f"monitoring_owner_request_draft.{draft['request_id']}.not_approval",
|
||||
draft["not_approval"],
|
||||
)
|
||||
for false_key in [
|
||||
"request_sent",
|
||||
"recipient_confirmed",
|
||||
"owner_response_received",
|
||||
"owner_response_accepted",
|
||||
"live_evidence_received",
|
||||
"reload_owner_accepted",
|
||||
"receiver_owner_accepted",
|
||||
"route_smoke_accepted",
|
||||
"maintenance_window_accepted",
|
||||
"rollback_owner_accepted",
|
||||
"validation_plan_accepted",
|
||||
"prometheus_reload_authorized",
|
||||
"alertmanager_reload_authorized",
|
||||
"grafana_dashboard_apply_authorized",
|
||||
"signoz_rule_apply_authorized",
|
||||
"sentry_deploy_authorized",
|
||||
"langfuse_config_change_authorized",
|
||||
"otel_collector_reload_authorized",
|
||||
"receiver_route_change_authorized",
|
||||
"silence_policy_change_authorized",
|
||||
"telegram_send_authorized",
|
||||
"notification_route_change_authorized",
|
||||
"webhook_receiver_change_authorized",
|
||||
"remote_write_change_authorized",
|
||||
"exporter_deploy_authorized",
|
||||
"live_alert_fire_authorized",
|
||||
"alert_chain_smoke_authorized",
|
||||
"ssh_read_authorized",
|
||||
"ssh_write_authorized",
|
||||
"kubectl_action_authorized",
|
||||
"secret_value_collection_allowed",
|
||||
"host_write_authorized",
|
||||
"active_scan_authorized",
|
||||
"production_write_authorized",
|
||||
"runtime_gate",
|
||||
"action_buttons_allowed",
|
||||
]:
|
||||
assert_false(
|
||||
f"monitoring_owner_request_draft.{draft['request_id']}.{false_key}",
|
||||
draft[false_key],
|
||||
)
|
||||
assert_equal(
|
||||
"public_gateway_preflight_inventory.schema",
|
||||
public_gateway_preflight_inventory["schema_version"],
|
||||
|
||||
Reference in New Issue
Block a user