Files
awoooi/apps/api/tests/test_workload_database_identity_projection.py
ogt 0660813781
All checks were successful
CD Pipeline / workflow-shape (push) Successful in 1s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 2m19s
CD Pipeline / build-and-deploy (push) Successful in 6m54s
CD Pipeline / post-deploy-checks (push) Successful in 2m6s
AWOOOI Harbor 110 Local Repair / workflow-shape (push) Successful in 1s
AWOOOI Harbor 110 Local Repair / harbor-110-local-repair (push) Successful in 48s
fix(security): verify workload DB concurrency budget
2026-07-11 04:44:23 +08:00

140 lines
5.0 KiB
Python

from pathlib import Path
import yaml
REPO_ROOT = Path(__file__).resolve().parents[3]
def _deployment_container(path: str, container_name: str) -> dict:
documents = yaml.safe_load_all((REPO_ROOT / path).read_text())
deployment = next(
document
for document in documents
if document and document.get("kind") == "Deployment"
)
return next(
container
for container in deployment["spec"]["template"]["spec"]["containers"]
if container["name"] == container_name
)
def _env_by_name(container: dict) -> dict[str, dict]:
return {entry["name"]: entry for entry in container.get("env", [])}
def test_runtime_workloads_use_distinct_database_secret_projections() -> None:
workload_specs = {
"api": (
"k8s/awoooi-prod/06-deployment-api.yaml",
"api",
"awoooi-api-db",
),
"worker": (
"k8s/awoooi-prod/08-deployment-worker.yaml",
"worker",
"awoooi-worker-db",
),
"broker": (
"k8s/awoooi-prod/08-deployment-ansible-executor-broker.yaml",
"broker",
"awoooi-broker-db",
),
}
observed_database_secret_refs: set[str] = set()
for workload_id, (path, container_name, expected_secret) in workload_specs.items():
container = _deployment_container(path, container_name)
secret_env_from = [
source
for source in container.get("envFrom", [])
if source.get("secretRef")
]
assert secret_env_from == [], workload_id
env_names = [entry["name"] for entry in container.get("env", [])]
assert len(env_names) == len(set(env_names)), workload_id
env = _env_by_name(container)
database_ref = env["DATABASE_URL"]["valueFrom"]["secretKeyRef"]
assert database_ref == {
"name": expected_secret,
"key": "DATABASE_URL",
}
observed_database_secret_refs.add(database_ref["name"])
assert env["DATABASE_NULL_POOL"]["value"] == "true"
assert observed_database_secret_refs == {
"awoooi-api-db",
"awoooi-worker-db",
"awoooi-broker-db",
}
def test_api_and_worker_project_shared_secrets_explicitly() -> None:
for path, container_name in (
("k8s/awoooi-prod/06-deployment-api.yaml", "api"),
("k8s/awoooi-prod/08-deployment-worker.yaml", "worker"),
):
env = _env_by_name(_deployment_container(path, container_name))
for env_name in (
"REDIS_URL",
"GEMINI_API_KEY",
"OPENCLAW_TG_BOT_TOKEN",
"SRE_GROUP_CHAT_ID",
"WEBHOOK_HMAC_SECRET",
"AWOOOP_OPERATOR_API_KEY",
):
secret_ref = env[env_name]["valueFrom"]["secretKeyRef"]
assert secret_ref["name"] == "awoooi-secrets"
assert secret_ref["key"] == env_name
assert secret_ref["optional"] is True
def test_workload_database_bootstrap_keeps_secret_values_off_output() -> None:
script = (
REPO_ROOT / "scripts/ops/awoooi-workload-db-identity-bootstrap.sh"
).read_text()
assert "set +x" in script
assert "openssl rand -hex 32" in script
assert "--from-file=DATABASE_URL=/dev/stdin" in script
assert "--from-literal=DATABASE_URL" not in script
assert "docker exec -i -u postgres" in script
assert "table_privilege_gap_count" in script
assert "sequence_privilege_gap_count" in script
assert "REQUIRED_CONCURRENT_CONNECTIONS" in script
assert "concurrent_connection_probe_count" in script
assert 'text("SELECT pg_sleep(0.25)")' in script
assert "api) printf '12'" in script
assert "worker) printf '8'" in script
assert "broker) printf '4'" in script
assert '"incidents"' in script
assert '"knowledge_entries"' in script
assert '"awooop_run_state"' in script
assert "ALTER ROLE %I NOLOGIN" in script
assert "DROP ROLE" not in script.upper()
assert "base64 -d" not in script
assert "GITHUB_RUN_ID" not in script
assert 'check|apply|verify|disable' in script
assert '"secret_value_exposed": False' in script
assert '"secret_value_logged": False' in script
assert "secret_value_read" not in script
def test_cd_uses_live_spec_rollback_and_non_mutating_post_verifier() -> None:
workflow = (REPO_ROOT / ".gitea/workflows/cd.yaml").read_text()
assert "WORKLOAD_DB_ROLLBACK_FILE" in workflow
assert "WORKLOAD_DB_SECRET_PREEXISTENCE_FILE" in workflow
assert "restore_workload_database_projection" in workflow
assert "bash -s -- apply" in workflow
assert "bash -s -- verify" in workflow
assert workflow.index("bash -s -- apply") < workflow.index(
"bash -s -- verify"
)
assert '"spec": item["spec"]' in workflow
assert '"data": item' not in workflow
assert "get secret '${secret_name}' -n awoooi-prod -o jsonpath" not in workflow
assert "get secret awoooi-api-db -n awoooi-prod -o jsonpath" not in workflow
assert "HEAD^" not in workflow