from __future__ import annotations from pathlib import Path import yaml ROOT = Path(__file__).resolve().parents[3] ALERTMANAGER_CONFIG = ROOT / "ops" / "alertmanager" / "alertmanager.yml" DEPLOY_SCRIPT = ROOT / "scripts" / "ops" / "deploy-alertmanager-config.sh" def _config() -> dict: return yaml.safe_load(ALERTMANAGER_CONFIG.read_text(encoding="utf-8")) def _receiver(name: str) -> dict: return next(item for item in _config()["receivers"] if item["name"] == name) def test_awoooi_webhook_uses_public_api_route_not_dead_vip() -> None: receiver = _receiver("awoooi-webhook") urls = [ item["url"] for item in receiver.get("webhook_configs", []) if item.get("url") ] assert urls == ["https://awoooi.wooo.work/api/v1/webhooks/alertmanager"] assert all("192.168.0.125:32334" not in url for url in urls) assert all("/api/v1/webhooks/alertmanager" in url for url in urls) def test_emergency_direct_telegram_stays_limited_to_alert_chain() -> None: receiver = _receiver("telegram-direct") assert receiver.get("telegram_configs") route_text = str(_config()["route"]) assert "AWOOOIApiDown" in route_text assert 'severity="critical"' in route_text def test_emergency_card_is_bounded_and_has_honest_automation_attribution() -> None: receiver = _receiver("telegram-direct") telegram = receiver["telegram_configs"][0] message = telegram["message"] assert "SRE BYPASS|告警主鏈異常" in message assert "Prometheus deterministic rule(未呼叫 LLM)" in message assert "Executor:none" in message assert "未宣稱已修復" in message assert "Verifier:source-specific delivery metric" in message assert "故障主機" not in message telegram_route = next( route for route in _config()["route"]["routes"] if route["receiver"] == "telegram-direct" ) assert telegram_route["repeat_interval"] == "2h" def test_alertmanager_has_no_agent99_inbound_receiver_or_secret_first_hop() -> None: config = _config() assert all( item.get("receiver") != "agent99-alert-chain-relay" for item in config["route"]["routes"] ) assert all( receiver.get("name") != "agent99-alert-chain-relay" for receiver in config["receivers"] ) source = ALERTMANAGER_CONFIG.read_text(encoding="utf-8") assert "192.168.0.99:8787" not in source assert "AGENT99_SRE_RELAY_TOKEN_PLACEHOLDER" not in source assert "authorization:" not in source def test_alertmanager_deploy_does_not_inject_agent99_relay_secret() -> None: source = DEPLOY_SCRIPT.read_text(encoding="utf-8") assert "AGENT99_SRE_ALERT_RELAY_TOKEN" not in source assert 'os.environ["AGENT99_SRE_RELAY_TOKEN"]' not in source assert "AGENT99_SRE_RELAY_TOKEN_PLACEHOLDER" not in source assert "unreplaced secret placeholder remains" in source assert "set -x" not in source def test_secret_bearing_alertmanager_config_and_backups_are_not_world_readable() -> None: source = DEPLOY_SCRIPT.read_text(encoding="utf-8") assert "install -m 0600" in source assert 'chmod 0600 "\\$legacy_backup"' in source assert 'chmod 0400 "\\$target"' in source assert 'chmod 0000 "\\$target"' in source assert "chmod 0644" not in source assert "/proc/\\${container_pid}/status" in source assert "runtime_uid" in source assert "runtime_gid" in source assert "test -r /etc/alertmanager/alertmanager.yml" in source assert "rollback_secure" in source assert "secure rollback attempted" in source assert "amtool check-config /etc/alertmanager/alertmanager.yml" in source assert "amtool check-config /dev/stdin" in source assert "/tmp/alertmanager-rendered.yml" not in source assert "trap 'rm -f \"\\$staged\"' EXIT" in source assert source.index('chmod 0000 "\\$target"') < source.index( "sudo -n sh -c 'cat \"\\$1\" > \"\\$2\"'" )