feat(backup): validate credential escrow redacted evidence
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 19s
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 19s
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
This commit is contained in:
@@ -10,6 +10,18 @@ from src.api.v1.agents import router
|
||||
from src.services.credential_escrow_evidence_intake_readiness import (
|
||||
load_latest_credential_escrow_evidence_intake_readiness,
|
||||
)
|
||||
from src.services.credential_escrow_evidence_intake_readiness import (
|
||||
validate_credential_escrow_evidence_owner_response,
|
||||
)
|
||||
|
||||
|
||||
ESCROW_ITEMS = [
|
||||
"restic_repository_password",
|
||||
"offsite_provider_credentials",
|
||||
"break_glass_admin_credentials",
|
||||
"dns_registrar_recovery",
|
||||
"oauth_ai_provider_recovery",
|
||||
]
|
||||
|
||||
|
||||
def test_credential_escrow_evidence_intake_reports_p0_blocker():
|
||||
@@ -52,6 +64,79 @@ def test_credential_escrow_evidence_intake_endpoint_returns_readiness():
|
||||
assert data["operation_boundaries"]["workflow_trigger_allowed"] is False
|
||||
|
||||
|
||||
def test_credential_escrow_evidence_owner_response_validator_accepts_redacted_refs_only():
|
||||
payload = validate_credential_escrow_evidence_owner_response(
|
||||
_valid_redacted_owner_response(),
|
||||
readiness={"status": "blocked_waiting_non_secret_credential_escrow_evidence"},
|
||||
)
|
||||
|
||||
assert payload["schema_version"] == "credential_escrow_evidence_owner_response_validation_v1"
|
||||
assert payload["status"] == "accepted_for_independent_reviewer_readiness_only"
|
||||
assert payload["result"]["owner_response_received_count"] == 1
|
||||
assert payload["result"]["owner_response_accepted_count"] == 1
|
||||
assert payload["result"]["required_item_count"] == 5
|
||||
assert payload["result"]["accepted_item_count"] == 5
|
||||
assert payload["result"]["runtime_gate_count"] == 0
|
||||
assert payload["result"]["credential_marker_write_authorized_count"] == 0
|
||||
assert payload["result"]["secret_value_collection_allowed"] is False
|
||||
assert payload["operation_boundaries"]["payload_persisted"] is False
|
||||
assert payload["operation_boundaries"]["credential_read_performed"] is False
|
||||
assert payload["operation_boundaries"]["credential_marker_write_performed"] is False
|
||||
assert payload["operation_boundaries"]["runtime_action_performed"] is False
|
||||
|
||||
|
||||
def test_credential_escrow_evidence_owner_response_validator_quarantines_secret_payload():
|
||||
response = _valid_redacted_owner_response()
|
||||
response["responses"][0]["redacted_evidence_refs"] = [
|
||||
"password=not-allowed-even-in-tests"
|
||||
]
|
||||
|
||||
payload = validate_credential_escrow_evidence_owner_response(
|
||||
response,
|
||||
readiness={"status": "blocked_waiting_non_secret_credential_escrow_evidence"},
|
||||
)
|
||||
|
||||
assert payload["status"] == "quarantined_sensitive_payload"
|
||||
assert payload["result"]["owner_response_accepted_count"] == 0
|
||||
assert payload["result"]["sensitive_payload_hit_count"] == 1
|
||||
assert payload["operation_boundaries"]["payload_persisted"] is False
|
||||
|
||||
|
||||
def test_credential_escrow_evidence_owner_response_validator_rejects_runtime_or_marker_action():
|
||||
response = _valid_redacted_owner_response()
|
||||
response["responses"][0]["runtime_action_authorized"] = True
|
||||
response["responses"][0]["credential_marker_write_authorized"] = True
|
||||
|
||||
payload = validate_credential_escrow_evidence_owner_response(
|
||||
response,
|
||||
readiness={"status": "blocked_waiting_non_secret_credential_escrow_evidence"},
|
||||
)
|
||||
|
||||
assert payload["status"] == "rejected_runtime_or_marker_action"
|
||||
assert payload["result"]["owner_response_accepted_count"] == 0
|
||||
assert payload["result"]["forbidden_true_field_count"] == 2
|
||||
assert payload["operation_boundaries"]["credential_marker_write_performed"] is False
|
||||
|
||||
|
||||
def test_credential_escrow_evidence_owner_response_endpoint_validates_without_persisting():
|
||||
app = FastAPI()
|
||||
app.include_router(router, prefix="/api/v1")
|
||||
client = TestClient(app)
|
||||
|
||||
response = client.post(
|
||||
"/api/v1/agents/credential-escrow-evidence-intake-readiness/validate-owner-response",
|
||||
json=_valid_redacted_owner_response(),
|
||||
)
|
||||
|
||||
assert response.status_code == 200
|
||||
data = response.json()
|
||||
assert data["status"] == "accepted_for_independent_reviewer_readiness_only"
|
||||
assert data["result"]["owner_response_accepted_count"] == 1
|
||||
assert data["operation_boundaries"]["payload_persisted"] is False
|
||||
assert data["operation_boundaries"]["secret_plaintext_read"] is False
|
||||
assert data["operation_boundaries"]["host_or_k8s_write_performed"] is False
|
||||
|
||||
|
||||
def test_credential_escrow_evidence_intake_rejects_secret_collection(tmp_path):
|
||||
security_dir = tmp_path / "security"
|
||||
security_dir.mkdir()
|
||||
@@ -131,3 +216,40 @@ def _backup_matrix() -> dict:
|
||||
"credential_escrow_forbidden_true_field_count": 0,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
def _valid_redacted_owner_response() -> dict:
|
||||
return {
|
||||
"schema_version": "awoooi_post_reboot_next_gate_owner_response_v1",
|
||||
"responses": [
|
||||
{
|
||||
"gate_id": "credential_escrow_evidence",
|
||||
"owner_role": "backup_dr_owner",
|
||||
"owner_team": "platform_security",
|
||||
"decision": "accepted",
|
||||
"decision_reason": "reviewed redacted non-secret evidence refs only",
|
||||
"affected_scope": "P0-005 DR credential escrow evidence",
|
||||
"redacted_evidence_refs": ["review-ticket-20260629-p0-005"],
|
||||
"followup_owner": "backup_dr_owner",
|
||||
"runtime_action_requested": False,
|
||||
"runtime_action_authorized": False,
|
||||
"host_write_requested": False,
|
||||
"host_write_authorized": False,
|
||||
"secret_value_included": False,
|
||||
"secret_value_collection_allowed": False,
|
||||
"credential_marker_write_requested": False,
|
||||
"credential_marker_write_authorized": False,
|
||||
"escrow_items": [
|
||||
{
|
||||
"item_id": item_id,
|
||||
"non_secret_evidence_ref": f"review-ticket-20260629-p0-005-{index}",
|
||||
"recovery_owner": "backup_dr_owner",
|
||||
"reviewer": "security_reviewer",
|
||||
"last_reviewed_at": "2026-06-29",
|
||||
"contains_secret_value": False,
|
||||
}
|
||||
for index, item_id in enumerate(ESCROW_ITEMS)
|
||||
],
|
||||
}
|
||||
],
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user