feat(api): validate gitea owner attestation intake
All checks were successful
CD Pipeline / workflow-shape (push) Successful in 1s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 19s
CD Pipeline / build-and-deploy (push) Successful in 4m29s
CD Pipeline / post-deploy-checks (push) Successful in 59s

This commit is contained in:
Your Name
2026-06-29 19:47:59 +08:00
parent 8e3449f9e2
commit b9293b76b5
5 changed files with 609 additions and 0 deletions

View File

@@ -10,6 +10,9 @@ from src.api.v1.agents import router
from src.services.gitea_authenticated_inventory_payload_validation import (
validate_gitea_authenticated_inventory_payload,
)
from src.services.gitea_owner_coverage_attestation_validation import (
validate_gitea_owner_coverage_attestation,
)
from src.services.gitea_private_inventory_p0_scorecard import (
load_latest_gitea_private_inventory_p0_scorecard,
)
@@ -201,6 +204,105 @@ def test_gitea_authenticated_inventory_payload_endpoint_validates_without_persis
assert data["operation_boundaries"]["raw_session_or_sqlite_read_performed"] is False
def test_gitea_owner_coverage_attestation_validator_accepts_redacted_response():
payload = validate_gitea_owner_coverage_attestation(
_valid_owner_coverage_attestation_payload(),
scorecard=_scorecard_readback(),
)
assert payload["schema_version"] == "gitea_owner_coverage_attestation_validation_v1"
assert payload["status"] == "accepted_for_owner_coverage_attestation_review_only"
assert payload["result"]["accepted_attestation_packet_count"] == 1
assert payload["result"]["required_response_item_count"] == 5
assert payload["result"]["provided_response_item_count"] == 5
assert payload["result"]["accepted_response_count"] == 5
assert payload["result"]["current_active_blocker_count"] == 4
assert payload["result"]["projected_active_blocker_count"] == 3
assert (
payload["result"][
"projected_active_blocker_count_after_redacted_inventory_receipt_writeback"
]
== 0
)
assert payload["result"]["projected_owner_coverage_attestation_accepted_count"] == 1
assert payload["result"]["runtime_gate_count"] == 0
assert payload["operation_boundaries"]["payload_persisted"] is False
assert payload["operation_boundaries"]["gitea_api_called"] is False
assert payload["operation_boundaries"]["repo_write_performed"] is False
assert payload["operation_boundaries"]["refs_sync_performed"] is False
assert payload["operation_boundaries"]["github_api_used"] is False
assert payload["operation_boundaries"]["secret_plaintext_read"] is False
assert (
payload["reviewer_readiness"]["status"]
== "ready_for_private_inventory_closeout_after_inventory_receipt_writeback"
)
assert (
payload["reviewer_readiness"][
"redacted_owner_attestation_receipt_writeback_ready_count"
]
== 1
)
assert payload["reviewer_readiness"]["repo_write_authorized_count"] == 0
def test_gitea_owner_coverage_attestation_endpoint_validates_without_persisting():
app = FastAPI()
app.include_router(router, prefix="/api/v1")
client = TestClient(app)
response = client.post(
"/api/v1/agents/gitea-private-inventory-p0-scorecard/validate-owner-coverage-attestation",
json=_valid_owner_coverage_attestation_payload(),
)
assert response.status_code == 200
data = response.json()
assert data["status"] == "accepted_for_owner_coverage_attestation_review_only"
assert data["result"]["accepted_attestation_packet_count"] == 1
assert data["result"]["projected_active_blocker_count"] == 3
assert (
data["reviewer_readiness"][
"redacted_owner_attestation_receipt_writeback_ready_count"
]
== 1
)
assert data["operation_boundaries"]["payload_persisted"] is False
assert data["operation_boundaries"]["gitea_write_performed"] is False
assert data["operation_boundaries"]["raw_session_or_sqlite_read_performed"] is False
def test_gitea_owner_coverage_attestation_validator_quarantines_secret_material():
payload = _valid_owner_coverage_attestation_payload()
payload["responses"][0]["evidence_refs"] = [
"https://gitea.example/wooo/awoooi?token=secret-value"
]
validation = validate_gitea_owner_coverage_attestation(
payload,
scorecard=_scorecard_readback(),
)
assert validation["status"] == "quarantined_sensitive_payload"
assert validation["result"]["accepted_attestation_packet_count"] == 0
assert validation["result"]["sensitive_payload_hit_count"] >= 1
assert validation["operation_boundaries"]["payload_persisted"] is False
def test_gitea_owner_coverage_attestation_validator_rejects_execution_request():
payload = _valid_owner_coverage_attestation_payload()
payload["write_to_gitea"] = True
validation = validate_gitea_owner_coverage_attestation(
payload,
scorecard=_scorecard_readback(),
)
assert validation["status"] == "rejected_execution_request"
assert validation["result"]["accepted_attestation_packet_count"] == 0
assert validation["result"]["forbidden_true_field_count"] == 1
assert validation["operation_boundaries"]["repo_write_performed"] is False
def test_gitea_authenticated_inventory_payload_validator_quarantines_secret_material():
payload = _valid_authenticated_inventory_payload()
payload["repos"][0]["clone_url_redacted"] = "https://user:password@example.test/repo.git"
@@ -417,6 +519,81 @@ def _valid_authenticated_inventory_payload() -> dict:
}
def _valid_owner_coverage_attestation_payload() -> dict:
return {
"schema_version": "gitea_inventory_owner_attestation_response_v1",
"lane_id": "s4_9_gitea_inventory_owner_attestation_response",
"runtime_execution_authorized": False,
"token_value_collection_allowed": False,
"secret_value_collection_allowed": False,
"gitea_repo_write_authorized": False,
"refs_sync_authorized": False,
"github_primary_switch_authorized": False,
"action_buttons_allowed": False,
"responses": [
{
"attestation_item_id": "public_only_vs_local_gitea_gap",
"owner_role_or_team": "platform-security-owner",
"decision": "in_scope",
"decision_reason": "admin export must cover the public-only gap",
"affected_repos": ["wooo/awoooi", "wooo/ewoooc"],
"evidence_refs": [
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
],
"followup_owner": "platform-security-owner",
},
{
"attestation_item_id": "org_user_endpoint_identity",
"owner_role_or_team": "platform-security-owner",
"decision": "in_scope",
"decision_reason": "wooo namespace is the canonical Gitea scope",
"canonical_namespace": "wooo",
"evidence_refs": [
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json"
],
"followup_owner": "platform-security-owner",
},
{
"attestation_item_id": "internal_110_adjacent_scope",
"owner_role_or_team": "platform-security-owner",
"decision": "in_scope",
"decision_reason": "internal adjacent source is covered by redacted metadata",
"affected_sources": ["gitea-ssh-main-redacted", "public-route-redacted"],
"evidence_refs": [
"docs/security/git-remote-refs-bitan-exposure.snapshot.json"
],
"followup_owner": "platform-security-owner",
},
{
"attestation_item_id": "repo_owner_canonical_scope",
"owner_role_or_team": "platform-security-owner",
"decision": "in_scope",
"decision_reason": "repo owner and canonical source remain Gitea-only",
"repo_owner": "wooo",
"canonical_source": "gitea",
"github_target_candidate": "stopped_retired_do_not_use",
"visibility_review_owner": "platform-security-owner",
"evidence_refs": [
"docs/operations/awoooi-gitea-private-inventory-p0-scorecard.snapshot.json"
],
},
{
"attestation_item_id": "legacy_or_inaccessible_repo_disposition",
"owner_role_or_team": "platform-security-owner",
"decision": "legacy_archived",
"decision_reason": "legacy or inaccessible sources stay outside active P0 apply",
"affected_repos_or_sources": ["legacy-github-mirror-retired"],
"disposition": "stopped_retired_do_not_use",
"evidence_refs": [
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json"
],
"followup_owner": "platform-security-owner",
},
],
}
def _repo(full_name: str) -> dict:
_, name = full_name.split("/", 1)
return {