feat(api): validate gitea owner attestation intake
All checks were successful
CD Pipeline / workflow-shape (push) Successful in 1s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 19s
CD Pipeline / build-and-deploy (push) Successful in 4m29s
CD Pipeline / post-deploy-checks (push) Successful in 59s
All checks were successful
CD Pipeline / workflow-shape (push) Successful in 1s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 19s
CD Pipeline / build-and-deploy (push) Successful in 4m29s
CD Pipeline / post-deploy-checks (push) Successful in 59s
This commit is contained in:
@@ -10,6 +10,9 @@ from src.api.v1.agents import router
|
||||
from src.services.gitea_authenticated_inventory_payload_validation import (
|
||||
validate_gitea_authenticated_inventory_payload,
|
||||
)
|
||||
from src.services.gitea_owner_coverage_attestation_validation import (
|
||||
validate_gitea_owner_coverage_attestation,
|
||||
)
|
||||
from src.services.gitea_private_inventory_p0_scorecard import (
|
||||
load_latest_gitea_private_inventory_p0_scorecard,
|
||||
)
|
||||
@@ -201,6 +204,105 @@ def test_gitea_authenticated_inventory_payload_endpoint_validates_without_persis
|
||||
assert data["operation_boundaries"]["raw_session_or_sqlite_read_performed"] is False
|
||||
|
||||
|
||||
def test_gitea_owner_coverage_attestation_validator_accepts_redacted_response():
|
||||
payload = validate_gitea_owner_coverage_attestation(
|
||||
_valid_owner_coverage_attestation_payload(),
|
||||
scorecard=_scorecard_readback(),
|
||||
)
|
||||
|
||||
assert payload["schema_version"] == "gitea_owner_coverage_attestation_validation_v1"
|
||||
assert payload["status"] == "accepted_for_owner_coverage_attestation_review_only"
|
||||
assert payload["result"]["accepted_attestation_packet_count"] == 1
|
||||
assert payload["result"]["required_response_item_count"] == 5
|
||||
assert payload["result"]["provided_response_item_count"] == 5
|
||||
assert payload["result"]["accepted_response_count"] == 5
|
||||
assert payload["result"]["current_active_blocker_count"] == 4
|
||||
assert payload["result"]["projected_active_blocker_count"] == 3
|
||||
assert (
|
||||
payload["result"][
|
||||
"projected_active_blocker_count_after_redacted_inventory_receipt_writeback"
|
||||
]
|
||||
== 0
|
||||
)
|
||||
assert payload["result"]["projected_owner_coverage_attestation_accepted_count"] == 1
|
||||
assert payload["result"]["runtime_gate_count"] == 0
|
||||
assert payload["operation_boundaries"]["payload_persisted"] is False
|
||||
assert payload["operation_boundaries"]["gitea_api_called"] is False
|
||||
assert payload["operation_boundaries"]["repo_write_performed"] is False
|
||||
assert payload["operation_boundaries"]["refs_sync_performed"] is False
|
||||
assert payload["operation_boundaries"]["github_api_used"] is False
|
||||
assert payload["operation_boundaries"]["secret_plaintext_read"] is False
|
||||
assert (
|
||||
payload["reviewer_readiness"]["status"]
|
||||
== "ready_for_private_inventory_closeout_after_inventory_receipt_writeback"
|
||||
)
|
||||
assert (
|
||||
payload["reviewer_readiness"][
|
||||
"redacted_owner_attestation_receipt_writeback_ready_count"
|
||||
]
|
||||
== 1
|
||||
)
|
||||
assert payload["reviewer_readiness"]["repo_write_authorized_count"] == 0
|
||||
|
||||
|
||||
def test_gitea_owner_coverage_attestation_endpoint_validates_without_persisting():
|
||||
app = FastAPI()
|
||||
app.include_router(router, prefix="/api/v1")
|
||||
client = TestClient(app)
|
||||
|
||||
response = client.post(
|
||||
"/api/v1/agents/gitea-private-inventory-p0-scorecard/validate-owner-coverage-attestation",
|
||||
json=_valid_owner_coverage_attestation_payload(),
|
||||
)
|
||||
|
||||
assert response.status_code == 200
|
||||
data = response.json()
|
||||
assert data["status"] == "accepted_for_owner_coverage_attestation_review_only"
|
||||
assert data["result"]["accepted_attestation_packet_count"] == 1
|
||||
assert data["result"]["projected_active_blocker_count"] == 3
|
||||
assert (
|
||||
data["reviewer_readiness"][
|
||||
"redacted_owner_attestation_receipt_writeback_ready_count"
|
||||
]
|
||||
== 1
|
||||
)
|
||||
assert data["operation_boundaries"]["payload_persisted"] is False
|
||||
assert data["operation_boundaries"]["gitea_write_performed"] is False
|
||||
assert data["operation_boundaries"]["raw_session_or_sqlite_read_performed"] is False
|
||||
|
||||
|
||||
def test_gitea_owner_coverage_attestation_validator_quarantines_secret_material():
|
||||
payload = _valid_owner_coverage_attestation_payload()
|
||||
payload["responses"][0]["evidence_refs"] = [
|
||||
"https://gitea.example/wooo/awoooi?token=secret-value"
|
||||
]
|
||||
|
||||
validation = validate_gitea_owner_coverage_attestation(
|
||||
payload,
|
||||
scorecard=_scorecard_readback(),
|
||||
)
|
||||
|
||||
assert validation["status"] == "quarantined_sensitive_payload"
|
||||
assert validation["result"]["accepted_attestation_packet_count"] == 0
|
||||
assert validation["result"]["sensitive_payload_hit_count"] >= 1
|
||||
assert validation["operation_boundaries"]["payload_persisted"] is False
|
||||
|
||||
|
||||
def test_gitea_owner_coverage_attestation_validator_rejects_execution_request():
|
||||
payload = _valid_owner_coverage_attestation_payload()
|
||||
payload["write_to_gitea"] = True
|
||||
|
||||
validation = validate_gitea_owner_coverage_attestation(
|
||||
payload,
|
||||
scorecard=_scorecard_readback(),
|
||||
)
|
||||
|
||||
assert validation["status"] == "rejected_execution_request"
|
||||
assert validation["result"]["accepted_attestation_packet_count"] == 0
|
||||
assert validation["result"]["forbidden_true_field_count"] == 1
|
||||
assert validation["operation_boundaries"]["repo_write_performed"] is False
|
||||
|
||||
|
||||
def test_gitea_authenticated_inventory_payload_validator_quarantines_secret_material():
|
||||
payload = _valid_authenticated_inventory_payload()
|
||||
payload["repos"][0]["clone_url_redacted"] = "https://user:password@example.test/repo.git"
|
||||
@@ -417,6 +519,81 @@ def _valid_authenticated_inventory_payload() -> dict:
|
||||
}
|
||||
|
||||
|
||||
def _valid_owner_coverage_attestation_payload() -> dict:
|
||||
return {
|
||||
"schema_version": "gitea_inventory_owner_attestation_response_v1",
|
||||
"lane_id": "s4_9_gitea_inventory_owner_attestation_response",
|
||||
"runtime_execution_authorized": False,
|
||||
"token_value_collection_allowed": False,
|
||||
"secret_value_collection_allowed": False,
|
||||
"gitea_repo_write_authorized": False,
|
||||
"refs_sync_authorized": False,
|
||||
"github_primary_switch_authorized": False,
|
||||
"action_buttons_allowed": False,
|
||||
"responses": [
|
||||
{
|
||||
"attestation_item_id": "public_only_vs_local_gitea_gap",
|
||||
"owner_role_or_team": "platform-security-owner",
|
||||
"decision": "in_scope",
|
||||
"decision_reason": "admin export must cover the public-only gap",
|
||||
"affected_repos": ["wooo/awoooi", "wooo/ewoooc"],
|
||||
"evidence_refs": [
|
||||
"docs/security/gitea-repo-inventory.snapshot.json",
|
||||
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
|
||||
],
|
||||
"followup_owner": "platform-security-owner",
|
||||
},
|
||||
{
|
||||
"attestation_item_id": "org_user_endpoint_identity",
|
||||
"owner_role_or_team": "platform-security-owner",
|
||||
"decision": "in_scope",
|
||||
"decision_reason": "wooo namespace is the canonical Gitea scope",
|
||||
"canonical_namespace": "wooo",
|
||||
"evidence_refs": [
|
||||
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json"
|
||||
],
|
||||
"followup_owner": "platform-security-owner",
|
||||
},
|
||||
{
|
||||
"attestation_item_id": "internal_110_adjacent_scope",
|
||||
"owner_role_or_team": "platform-security-owner",
|
||||
"decision": "in_scope",
|
||||
"decision_reason": "internal adjacent source is covered by redacted metadata",
|
||||
"affected_sources": ["gitea-ssh-main-redacted", "public-route-redacted"],
|
||||
"evidence_refs": [
|
||||
"docs/security/git-remote-refs-bitan-exposure.snapshot.json"
|
||||
],
|
||||
"followup_owner": "platform-security-owner",
|
||||
},
|
||||
{
|
||||
"attestation_item_id": "repo_owner_canonical_scope",
|
||||
"owner_role_or_team": "platform-security-owner",
|
||||
"decision": "in_scope",
|
||||
"decision_reason": "repo owner and canonical source remain Gitea-only",
|
||||
"repo_owner": "wooo",
|
||||
"canonical_source": "gitea",
|
||||
"github_target_candidate": "stopped_retired_do_not_use",
|
||||
"visibility_review_owner": "platform-security-owner",
|
||||
"evidence_refs": [
|
||||
"docs/operations/awoooi-gitea-private-inventory-p0-scorecard.snapshot.json"
|
||||
],
|
||||
},
|
||||
{
|
||||
"attestation_item_id": "legacy_or_inaccessible_repo_disposition",
|
||||
"owner_role_or_team": "platform-security-owner",
|
||||
"decision": "legacy_archived",
|
||||
"decision_reason": "legacy or inaccessible sources stay outside active P0 apply",
|
||||
"affected_repos_or_sources": ["legacy-github-mirror-retired"],
|
||||
"disposition": "stopped_retired_do_not_use",
|
||||
"evidence_refs": [
|
||||
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json"
|
||||
],
|
||||
"followup_owner": "platform-security-owner",
|
||||
},
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
def _repo(full_name: str) -> dict:
|
||||
_, name = full_name.split("/", 1)
|
||||
return {
|
||||
|
||||
Reference in New Issue
Block a user