feat(backup): validate credential escrow redacted evidence
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 19s
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled

This commit is contained in:
Your Name
2026-06-29 15:23:17 +08:00
parent fe42ed1b43
commit 69e3caa277
3 changed files with 410 additions and 0 deletions

View File

@@ -10,6 +10,18 @@ from src.api.v1.agents import router
from src.services.credential_escrow_evidence_intake_readiness import (
load_latest_credential_escrow_evidence_intake_readiness,
)
from src.services.credential_escrow_evidence_intake_readiness import (
validate_credential_escrow_evidence_owner_response,
)
ESCROW_ITEMS = [
"restic_repository_password",
"offsite_provider_credentials",
"break_glass_admin_credentials",
"dns_registrar_recovery",
"oauth_ai_provider_recovery",
]
def test_credential_escrow_evidence_intake_reports_p0_blocker():
@@ -52,6 +64,79 @@ def test_credential_escrow_evidence_intake_endpoint_returns_readiness():
assert data["operation_boundaries"]["workflow_trigger_allowed"] is False
def test_credential_escrow_evidence_owner_response_validator_accepts_redacted_refs_only():
payload = validate_credential_escrow_evidence_owner_response(
_valid_redacted_owner_response(),
readiness={"status": "blocked_waiting_non_secret_credential_escrow_evidence"},
)
assert payload["schema_version"] == "credential_escrow_evidence_owner_response_validation_v1"
assert payload["status"] == "accepted_for_independent_reviewer_readiness_only"
assert payload["result"]["owner_response_received_count"] == 1
assert payload["result"]["owner_response_accepted_count"] == 1
assert payload["result"]["required_item_count"] == 5
assert payload["result"]["accepted_item_count"] == 5
assert payload["result"]["runtime_gate_count"] == 0
assert payload["result"]["credential_marker_write_authorized_count"] == 0
assert payload["result"]["secret_value_collection_allowed"] is False
assert payload["operation_boundaries"]["payload_persisted"] is False
assert payload["operation_boundaries"]["credential_read_performed"] is False
assert payload["operation_boundaries"]["credential_marker_write_performed"] is False
assert payload["operation_boundaries"]["runtime_action_performed"] is False
def test_credential_escrow_evidence_owner_response_validator_quarantines_secret_payload():
response = _valid_redacted_owner_response()
response["responses"][0]["redacted_evidence_refs"] = [
"password=not-allowed-even-in-tests"
]
payload = validate_credential_escrow_evidence_owner_response(
response,
readiness={"status": "blocked_waiting_non_secret_credential_escrow_evidence"},
)
assert payload["status"] == "quarantined_sensitive_payload"
assert payload["result"]["owner_response_accepted_count"] == 0
assert payload["result"]["sensitive_payload_hit_count"] == 1
assert payload["operation_boundaries"]["payload_persisted"] is False
def test_credential_escrow_evidence_owner_response_validator_rejects_runtime_or_marker_action():
response = _valid_redacted_owner_response()
response["responses"][0]["runtime_action_authorized"] = True
response["responses"][0]["credential_marker_write_authorized"] = True
payload = validate_credential_escrow_evidence_owner_response(
response,
readiness={"status": "blocked_waiting_non_secret_credential_escrow_evidence"},
)
assert payload["status"] == "rejected_runtime_or_marker_action"
assert payload["result"]["owner_response_accepted_count"] == 0
assert payload["result"]["forbidden_true_field_count"] == 2
assert payload["operation_boundaries"]["credential_marker_write_performed"] is False
def test_credential_escrow_evidence_owner_response_endpoint_validates_without_persisting():
app = FastAPI()
app.include_router(router, prefix="/api/v1")
client = TestClient(app)
response = client.post(
"/api/v1/agents/credential-escrow-evidence-intake-readiness/validate-owner-response",
json=_valid_redacted_owner_response(),
)
assert response.status_code == 200
data = response.json()
assert data["status"] == "accepted_for_independent_reviewer_readiness_only"
assert data["result"]["owner_response_accepted_count"] == 1
assert data["operation_boundaries"]["payload_persisted"] is False
assert data["operation_boundaries"]["secret_plaintext_read"] is False
assert data["operation_boundaries"]["host_or_k8s_write_performed"] is False
def test_credential_escrow_evidence_intake_rejects_secret_collection(tmp_path):
security_dir = tmp_path / "security"
security_dir.mkdir()
@@ -131,3 +216,40 @@ def _backup_matrix() -> dict:
"credential_escrow_forbidden_true_field_count": 0,
}
}
def _valid_redacted_owner_response() -> dict:
return {
"schema_version": "awoooi_post_reboot_next_gate_owner_response_v1",
"responses": [
{
"gate_id": "credential_escrow_evidence",
"owner_role": "backup_dr_owner",
"owner_team": "platform_security",
"decision": "accepted",
"decision_reason": "reviewed redacted non-secret evidence refs only",
"affected_scope": "P0-005 DR credential escrow evidence",
"redacted_evidence_refs": ["review-ticket-20260629-p0-005"],
"followup_owner": "backup_dr_owner",
"runtime_action_requested": False,
"runtime_action_authorized": False,
"host_write_requested": False,
"host_write_authorized": False,
"secret_value_included": False,
"secret_value_collection_allowed": False,
"credential_marker_write_requested": False,
"credential_marker_write_authorized": False,
"escrow_items": [
{
"item_id": item_id,
"non_secret_evidence_ref": f"review-ticket-20260629-p0-005-{index}",
"recovery_owner": "backup_dr_owner",
"reviewer": "security_reviewer",
"last_reviewed_at": "2026-06-29",
"contains_secret_value": False,
}
for index, item_id in enumerate(ESCROW_ITEMS)
],
}
],
}