feat(api): expose gitea owner response validation
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 17s
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 17s
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
This commit is contained in:
@@ -33,6 +33,14 @@ def parse_args() -> argparse.Namespace:
|
||||
type=Path,
|
||||
default=ROOT / "docs/security/gitea-inventory-coverage-attestation.snapshot.json",
|
||||
)
|
||||
parser.add_argument(
|
||||
"--owner-response-validation-rollup",
|
||||
type=Path,
|
||||
default=(
|
||||
ROOT
|
||||
/ "docs/security/source-control-owner-response-validation-rollup.snapshot.json"
|
||||
),
|
||||
)
|
||||
parser.add_argument(
|
||||
"--payload-validation",
|
||||
type=Path,
|
||||
@@ -102,12 +110,69 @@ def build_product_rows(remaining: dict[str, Any]) -> list[dict[str, Any]]:
|
||||
return rows
|
||||
|
||||
|
||||
def find_validation_lane(rollup: dict[str, Any], lane_id: str) -> dict[str, Any]:
|
||||
for lane in as_list(rollup.get("validation_lanes")):
|
||||
if isinstance(lane, dict) and lane.get("lane_id") == lane_id:
|
||||
return lane
|
||||
return {}
|
||||
|
||||
|
||||
def build_owner_response_validation(rollup: dict[str, Any]) -> dict[str, Any]:
|
||||
summary = as_dict(rollup.get("summary"))
|
||||
lane = find_validation_lane(
|
||||
rollup,
|
||||
"s4_9_gitea_inventory_owner_attestation_response",
|
||||
)
|
||||
next_candidate = as_dict(rollup.get("next_collection_candidate"))
|
||||
latest_validation = as_dict(rollup.get("latest_local_validation"))
|
||||
return {
|
||||
"schema_version": rollup.get("schema_version", ""),
|
||||
"status": str(rollup.get("status", "not_run")),
|
||||
"rollup_status": str(summary.get("rollup_status", "unknown")),
|
||||
"lane_id": str(lane.get("lane_id", "")),
|
||||
"source_contract": str(lane.get("source_contract", "")),
|
||||
"response_packet": str(lane.get("response_packet", "")),
|
||||
"response_template_count": as_int(lane.get("response_template_count")),
|
||||
"received_response_count": as_int(lane.get("received_response_count")),
|
||||
"accepted_response_count": as_int(lane.get("accepted_response_count")),
|
||||
"rejected_response_count": as_int(lane.get("rejected_response_count")),
|
||||
"next_collection_candidate_lane_id": str(next_candidate.get("lane_id", "")),
|
||||
"next_collection_candidate_status": str(
|
||||
next_candidate.get("display_status", "")
|
||||
),
|
||||
"latest_local_validation_status": str(latest_validation.get("status", "")),
|
||||
"latest_local_validation_result": str(latest_validation.get("result", "")),
|
||||
"validator_source": "scripts/security/source-control-owner-response-guard.py",
|
||||
"runtime_execution_authorized": bool(
|
||||
summary.get("runtime_execution_authorized", False)
|
||||
),
|
||||
"token_value_collection_allowed": bool(
|
||||
summary.get("token_value_collection_allowed", False)
|
||||
),
|
||||
"secret_value_collection_allowed": bool(
|
||||
summary.get("secret_value_collection_allowed", False)
|
||||
),
|
||||
"gitea_repo_write_authorized": bool(
|
||||
summary.get("gitea_repo_write_authorized", False)
|
||||
),
|
||||
"refs_sync_authorized": bool(summary.get("refs_sync_authorized", False)),
|
||||
"github_primary_switch_authorized": bool(
|
||||
summary.get("github_primary_switch_authorized", False)
|
||||
),
|
||||
"action_buttons_allowed": bool(summary.get("action_buttons_allowed", False)),
|
||||
}
|
||||
|
||||
|
||||
def build_scorecard(args: argparse.Namespace) -> dict[str, Any]:
|
||||
gitea_inventory = load_json(args.gitea_inventory)
|
||||
import_acceptance = load_json(args.import_acceptance)
|
||||
coverage_attestation = load_json(args.coverage_attestation)
|
||||
owner_response_validation_rollup = load_json(args.owner_response_validation_rollup)
|
||||
payload_validation = load_optional_json(args.payload_validation)
|
||||
remaining_products = load_json(args.remaining_products)
|
||||
owner_response_validation = build_owner_response_validation(
|
||||
owner_response_validation_rollup
|
||||
)
|
||||
|
||||
rows = build_product_rows(remaining_products)
|
||||
summary = remaining_products.get("summary", {})
|
||||
@@ -192,6 +257,7 @@ def build_scorecard(args: argparse.Namespace) -> dict[str, Any]:
|
||||
),
|
||||
"execution_authorized": bool(coverage_attestation.get("execution_authorized", False)),
|
||||
},
|
||||
"owner_response_validation": owner_response_validation,
|
||||
"product_row_coverage": {
|
||||
"expected_product_count": expected_product_count,
|
||||
"present_product_row_count": len(rows),
|
||||
|
||||
@@ -56,6 +56,28 @@ def test_scorecard_preserves_current_gitea_inventory_blocker() -> None:
|
||||
== "scripts/security/gitea-authenticated-inventory-payload-validator.py"
|
||||
)
|
||||
assert scorecard["coverage_attestation"]["received_attestation_count"] == 0
|
||||
assert (
|
||||
scorecard["owner_response_validation"]["lane_id"]
|
||||
== "s4_9_gitea_inventory_owner_attestation_response"
|
||||
)
|
||||
assert scorecard["owner_response_validation"]["response_template_count"] == 5
|
||||
assert scorecard["owner_response_validation"]["received_response_count"] == 0
|
||||
assert scorecard["owner_response_validation"]["accepted_response_count"] == 0
|
||||
assert (
|
||||
scorecard["owner_response_validation"]["next_collection_candidate_lane_id"]
|
||||
== "s4_9_gitea_inventory_owner_attestation_response"
|
||||
)
|
||||
assert (
|
||||
scorecard["owner_response_validation"]["latest_local_validation_result"]
|
||||
== "SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK"
|
||||
)
|
||||
assert (
|
||||
scorecard["owner_response_validation"]["validator_source"]
|
||||
== "scripts/security/source-control-owner-response-guard.py"
|
||||
)
|
||||
assert scorecard["owner_response_validation"]["runtime_execution_authorized"] is False
|
||||
assert scorecard["owner_response_validation"]["gitea_repo_write_authorized"] is False
|
||||
assert scorecard["owner_response_validation"]["refs_sync_authorized"] is False
|
||||
assert "gitea_repo_inventory_status_not_ok" in scorecard["active_blockers"]
|
||||
assert "gitea_authenticated_inventory_payload_not_accepted" in scorecard["active_blockers"]
|
||||
|
||||
|
||||
Reference in New Issue
Block a user