Files
awoooi/apps/api/tests/test_iwooos_security_control_coverage.py
ogt 3f1a8aa53b
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / build-and-deploy (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / tests (push) Has been cancelled
fix(iwooos): surface security governance review
2026-07-10 15:22:12 +08:00

138 lines
5.7 KiB
Python

from __future__ import annotations
from fastapi import FastAPI
from fastapi.testclient import TestClient
from src.api.v1.iwooos import router
from src.services.iwooos_security_control_coverage import (
load_latest_iwooos_security_control_coverage,
)
def _client() -> TestClient:
app = FastAPI()
app.include_router(router)
return TestClient(app)
def test_iwooos_security_control_coverage_rolls_up_core_scopes() -> None:
payload = load_latest_iwooos_security_control_coverage()
assert payload["schema_version"] == "iwooos_security_control_coverage_v1"
assert payload["status"] == "committed_scope_rollup_ready_with_controlled_apply_exception"
assert payload["summary"]["source_snapshot_count"] == 8
assert payload["summary"]["control_domain_count"] == 8
assert payload["summary"]["visible_scope_unit_count"] == 160
assert payload["summary"]["asset_group_count"] == 16
assert payload["summary"]["host_service_surface_count"] == 9
assert payload["summary"]["monitoring_surface_count"] == 60
assert payload["summary"]["ssh_network_surface_count"] == 16
assert payload["summary"]["runtime_surface_count"] == 22
assert payload["summary"]["wazuh_expected_host_scope_count"] == 6
assert payload["summary"]["agent_bounty_product_surface_count"] == 7
assert payload["summary"]["ai_agent_asset_count"] == 24
assert payload["summary"]["professional_review_finding_count"] == 6
assert payload["summary"]["professional_review_p0_work_item_count"] == 12
assert payload["summary"]["external_security_tool_track_count"] == 8
assert payload["summary"]["ai_security_automation_stage_count"] == 7
assert payload["summary"]["full_scope_contract_count"] == 8
assert payload["summary"]["ui_ux_control_room_requirement_count"] == 6
domain_ids = {domain["domain_id"] for domain in payload["domains"]}
assert domain_ids == {
"high_value_asset_control",
"host_service_runtime",
"monitoring_alerting_observability",
"ssh_firewall_network_access",
"awoooi_runtime_surfaces",
"wazuh_managed_host_coverage",
"agent_bounty_protocol",
"ai_agent_automation",
}
def test_iwooos_security_control_coverage_exposes_professional_review() -> None:
payload = load_latest_iwooos_security_control_coverage()
review = payload["professional_review"]
assert review["schema_version"] == "iwooos_security_governance_professional_review_v1"
assert review["completion_diagnosis"]["diagnosis"] == (
"control_plane_exists_runtime_security_closure_not_complete"
)
assert review["completion_diagnosis"]["actual_runtime_acceptance_percent"] == 0
assert review["root_cause_summary"][0]["finding_id"] == "F01"
assert review["root_cause_summary"][0]["severity"] == "P0"
assert {scope["scope_id"] for scope in review["scope_contract"]} == {
"hosts",
"services",
"products",
"websites",
"tools",
"packages",
"ai_agents",
"runtime_actions",
}
assert [item["priority"] for item in review["priority_work_items"][:3]] == [
"P0-01",
"P0-02",
"P0-03",
]
assert {tool["tool_id"] for tool in review["security_tool_integration_matrix"]} >= {
"wazuh",
"trivy",
"syft_grype",
"openssf_scorecard",
"kyverno_cosign",
"falco",
}
assert review["ai_automation_closure_loop"][0]["stage_id"] == "collect"
assert all(stage["runtime_write"] is False for stage in review["ai_automation_closure_loop"])
def test_iwooos_security_control_coverage_keeps_runtime_gates_closed() -> None:
payload = load_latest_iwooos_security_control_coverage()
summary = payload["summary"]
assert summary["actual_runtime_acceptance_percent"] == 0
assert summary["runtime_gate_count"] == 0
assert summary["owner_response_received_count"] == 0
assert summary["owner_response_accepted_count"] == 0
assert summary["live_evidence_accepted_count"] == 0
assert summary["wazuh_manager_registry_accepted_count"] == 6
assert summary["active_scan_authorized_count"] == 0
assert summary["active_response_authorized_count"] == 0
assert summary["telegram_send_authorized_count"] == 0
assert summary["host_write_authorized_count"] == 0
assert summary["secret_value_collected_count"] == 0
assert summary["agent_bounty_runtime_gate_open_count"] == 0
assert summary["ai_agent_runtime_write_gate_open_count"] == 0
assert summary["all_scope_runtime_controlled"] is False
assert summary["allowlisted_controlled_apply_bypasses_iwooos_ledger"] is True
assert (
summary["controlled_apply_policy"]
== "low_medium_high_allowed_after_allowlist_check_mode_rollback_verifier_km"
)
assert summary["critical_break_glass_required"] is True
assert all(
domain["accepted_count"] == (6 if domain["domain_id"] == "wazuh_managed_host_coverage" else 0)
for domain in payload["domains"]
)
def test_iwooos_security_control_coverage_api_is_public_safe() -> None:
response = _client().get("/api/v1/iwooos/security-control-coverage")
assert response.status_code == 200
data = response.json()
assert data["schema_version"] == "iwooos_security_control_coverage_v1"
assert data["summary"]["runtime_gate_count"] == 0
assert data["summary"]["visible_scope_unit_count"] == 160
assert data["professional_review"]["schema_version"] == (
"iwooos_security_governance_professional_review_v1"
)
assert any(action["priority"] == "P0-01" for action in data["p0_next_actions"])
assert "192.168.0." not in response.text
assert "runtime_control_blocked" not in response.text
assert "工作視窗" not in response.text
assert "批准!繼續" not in response.text