fix(agent99): hash baseline evidence identity
This commit is contained in:
@@ -265,11 +265,18 @@ def test_receiver_rolls_back_failed_deploy_or_failed_independent_post_verifier()
|
||||
assert "$runtimeManifest.sourceRevision -eq $sourceRevision" in source
|
||||
assert '$runtimeManifest.fileCount -eq 18' in source
|
||||
assert "function Invoke-AgentWindowsControlBaseline" in source
|
||||
assert "function Get-AgentRunEvidenceToken" in source
|
||||
assert "$evidenceRunToken = Get-AgentRunEvidenceToken -Value $RunId" in source
|
||||
assert '"agent99-WindowsControlBaseline-$evidenceRunToken.json"' in source
|
||||
assert '"agent99-WindowsControlBaseline-$RunId.json"' not in source
|
||||
assert '"agent99-windows-control-baseline.ps1"' in source
|
||||
assert '"-Mode", "Apply"' in source
|
||||
assert '"agent99_windows_control_baseline_v1"' in source
|
||||
assert '"runtime_verified_controlled_apply"' in source
|
||||
assert '"runtime_verified_healthy_no_write"' in source
|
||||
assert '[string]$evidence.evidenceIdentity.algorithm -eq "sha256_utf8"' in source
|
||||
assert '[string]$evidence.evidenceIdentity.runToken -eq $evidenceRunToken' in source
|
||||
assert "$evidence.evidenceIdentity.rawIdentityInFileName -eq $false" in source
|
||||
assert "$evidence.transport.inputMethodIndependent -eq $true" in source
|
||||
assert "$evidence.risk.hostReboot -eq $false" in source
|
||||
assert "$evidence.risk.userLogoff -eq $false" in source
|
||||
|
||||
@@ -3,6 +3,7 @@ from pathlib import Path
|
||||
|
||||
ROOT = Path(__file__).resolve().parents[3]
|
||||
BASELINE = ROOT / "agent99-windows-control-baseline.ps1"
|
||||
CONTROL_PLANE = ROOT / "agent99-control-plane.ps1"
|
||||
|
||||
|
||||
def _source() -> str:
|
||||
@@ -41,6 +42,32 @@ def test_baseline_supports_check_apply_independent_verify_and_rollback() -> None
|
||||
assert '"degraded_with_safe_next_action"' in source
|
||||
|
||||
|
||||
def test_baseline_accepts_transport_run_ids_but_hashes_the_evidence_filename() -> None:
|
||||
source = _source()
|
||||
|
||||
safe_identity_pattern = "^[A-Za-z0-9][A-Za-z0-9._:@+-]{0,127}$"
|
||||
assert source.count(f'[ValidatePattern("{safe_identity_pattern}")]') == 3
|
||||
assert "function Get-AgentRunEvidenceToken" in source
|
||||
assert "$EvidenceRunToken = Get-AgentRunEvidenceToken -Value $RunId" in source
|
||||
assert '"agent99-WindowsControlBaseline-$EvidenceRunToken.json"' in source
|
||||
assert '"agent99-WindowsControlBaseline-$RunId.json"' not in source
|
||||
assert 'algorithm = "sha256_utf8"' in source
|
||||
assert "runToken = $EvidenceRunToken" in source
|
||||
assert "rawIdentityInFileName = $false" in source
|
||||
|
||||
|
||||
def test_control_plane_reads_the_same_hashed_baseline_receipt() -> None:
|
||||
source = CONTROL_PLANE.read_text(encoding="utf-8")
|
||||
|
||||
assert "function Get-AgentSha256Hex" in source
|
||||
assert "$evidenceRunToken = Get-AgentSha256Hex $runId" in source
|
||||
assert '"agent99-WindowsControlBaseline-$evidenceRunToken.json"' in source
|
||||
assert '"agent99-WindowsControlBaseline-$runId.json"' not in source
|
||||
assert '[string]$receipt.evidenceIdentity.algorithm -eq "sha256_utf8"' in source
|
||||
assert '[string]$receipt.evidenceIdentity.runToken -eq $evidenceRunToken' in source
|
||||
assert "$receipt.evidenceIdentity.rawIdentityInFileName -eq $false" in source
|
||||
|
||||
|
||||
def test_baseline_sets_only_the_bounded_control_settings() -> None:
|
||||
source = _source()
|
||||
|
||||
|
||||
Reference in New Issue
Block a user