feat(governance): expose credential escrow intake readiness
This commit is contained in:
@@ -0,0 +1,133 @@
|
||||
from __future__ import annotations
|
||||
|
||||
import json
|
||||
|
||||
import pytest
|
||||
from fastapi import FastAPI
|
||||
from fastapi.testclient import TestClient
|
||||
|
||||
from src.api.v1.agents import router
|
||||
from src.services.credential_escrow_evidence_intake_readiness import (
|
||||
load_latest_credential_escrow_evidence_intake_readiness,
|
||||
)
|
||||
|
||||
|
||||
def test_credential_escrow_evidence_intake_reports_p0_blocker():
|
||||
payload = load_latest_credential_escrow_evidence_intake_readiness()
|
||||
|
||||
assert payload["schema_version"] == "credential_escrow_evidence_intake_readiness_v1"
|
||||
assert payload["priority"] == "P0-005"
|
||||
assert payload["status"] == "blocked_waiting_non_secret_credential_escrow_evidence"
|
||||
assert payload["rollups"]["required_item_count"] == 5
|
||||
assert payload["rollups"]["missing_item_count"] == 5
|
||||
assert payload["rollups"]["effective_escrow_missing_count"] == 5
|
||||
assert payload["rollups"]["owner_response_received_count"] == 0
|
||||
assert payload["rollups"]["owner_response_accepted_count"] == 0
|
||||
assert payload["rollups"]["runtime_gate_count"] == 0
|
||||
assert payload["rollups"]["credential_marker_write_authorized_count"] == 0
|
||||
assert payload["rollups"]["secret_value_collection_allowed"] is False
|
||||
assert payload["operation_boundaries"]["credential_marker_write_allowed"] is False
|
||||
assert payload["operation_boundaries"]["credential_read_allowed"] is False
|
||||
assert payload["operation_boundaries"]["secret_plaintext_allowed"] is False
|
||||
assert payload["operation_boundaries"]["raw_session_or_sqlite_read_allowed"] is False
|
||||
assert "restic_repository_password" in payload["rollups"]["blocked_item_ids"]
|
||||
assert all(
|
||||
item["contains_secret_value_allowed"] is False
|
||||
for item in payload["required_evidence_items"]
|
||||
)
|
||||
|
||||
|
||||
def test_credential_escrow_evidence_intake_endpoint_returns_readiness():
|
||||
app = FastAPI()
|
||||
app.include_router(router, prefix="/api/v1")
|
||||
client = TestClient(app)
|
||||
|
||||
response = client.get("/api/v1/agents/credential-escrow-evidence-intake-readiness")
|
||||
|
||||
assert response.status_code == 200
|
||||
data = response.json()
|
||||
assert data["priority"] == "P0-005"
|
||||
assert data["rollups"]["missing_item_count"] == 5
|
||||
assert data["operation_boundaries"]["restore_execution_allowed"] is False
|
||||
assert data["operation_boundaries"]["workflow_trigger_allowed"] is False
|
||||
|
||||
|
||||
def test_credential_escrow_evidence_intake_rejects_secret_collection(tmp_path):
|
||||
security_dir = tmp_path / "security"
|
||||
security_dir.mkdir()
|
||||
owner_request = {
|
||||
"scope": "credential_escrow_evidence_owner_request",
|
||||
"generated_at": "2026-06-29T00:00:00+08:00",
|
||||
"missing_items": [
|
||||
{
|
||||
"item": "restic_repository_password",
|
||||
"status": "missing",
|
||||
"allowed_evidence_id_types": ["vault_item_id"],
|
||||
}
|
||||
],
|
||||
"forbidden_values": ["password"],
|
||||
"gates": {
|
||||
"secret_value_collection_authorized": True,
|
||||
"marker_write_completed": False,
|
||||
},
|
||||
}
|
||||
(security_dir / "credential-escrow-evidence-owner-request.snapshot.json").write_text(
|
||||
json.dumps(owner_request),
|
||||
encoding="utf-8",
|
||||
)
|
||||
|
||||
with pytest.raises(ValueError, match="secret value collection"):
|
||||
load_latest_credential_escrow_evidence_intake_readiness(
|
||||
security_dir,
|
||||
backup_dr_readiness_matrix=_backup_matrix(),
|
||||
)
|
||||
|
||||
|
||||
def test_credential_escrow_evidence_intake_rejects_marker_write_authorization(tmp_path):
|
||||
security_dir = tmp_path / "security"
|
||||
security_dir.mkdir()
|
||||
owner_request = {
|
||||
"scope": "credential_escrow_evidence_owner_request",
|
||||
"generated_at": "2026-06-29T00:00:00+08:00",
|
||||
"missing_items": [
|
||||
{
|
||||
"item": "restic_repository_password",
|
||||
"status": "missing",
|
||||
"allowed_evidence_id_types": ["vault_item_id"],
|
||||
}
|
||||
],
|
||||
"forbidden_values": ["password"],
|
||||
"gates": {
|
||||
"secret_value_collection_authorized": False,
|
||||
"marker_write_completed": False,
|
||||
},
|
||||
}
|
||||
(security_dir / "credential-escrow-evidence-owner-request.snapshot.json").write_text(
|
||||
json.dumps(owner_request),
|
||||
encoding="utf-8",
|
||||
)
|
||||
matrix = _backup_matrix()
|
||||
matrix["rollups"]["credential_marker_write_authorized_count"] = 1
|
||||
|
||||
with pytest.raises(ValueError, match="credential marker write"):
|
||||
load_latest_credential_escrow_evidence_intake_readiness(
|
||||
security_dir,
|
||||
backup_dr_readiness_matrix=matrix,
|
||||
)
|
||||
|
||||
|
||||
def _backup_matrix() -> dict:
|
||||
return {
|
||||
"rollups": {
|
||||
"credential_escrow_intake_status": (
|
||||
"blocked_waiting_non_secret_credential_escrow_evidence"
|
||||
),
|
||||
"credential_escrow_effective_missing_count": 1,
|
||||
"credential_escrow_owner_response_received_count": 0,
|
||||
"credential_escrow_owner_response_accepted_count": 0,
|
||||
"credential_escrow_runtime_gate_count": 0,
|
||||
"credential_marker_write_authorized_count": 0,
|
||||
"credential_escrow_secret_value_collection_allowed": False,
|
||||
"credential_escrow_forbidden_true_field_count": 0,
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user