feat(clean-release): complete compliance redesign phases and polish tasks T047-T052
@@ -0,0 +1,105 @@
|
||||
# [DEF:backend.tests.services.clean_release.test_policy_resolution_service:Module]
|
||||
# @TIER: CRITICAL
|
||||
# @SEMANTICS: clean-release, policy-resolution, trusted-snapshots, contracts
|
||||
# @PURPOSE: Verify trusted policy snapshot resolution contract and error guards.
|
||||
# @LAYER: Tests
|
||||
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.policy_resolution_service
|
||||
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.repository
|
||||
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.exceptions
|
||||
# @INVARIANT: Resolution uses only ConfigManager active IDs and rejects runtime override attempts.
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from types import SimpleNamespace
|
||||
|
||||
import pytest
|
||||
|
||||
from backend.src.models.clean_release import CleanPolicySnapshot, SourceRegistrySnapshot
|
||||
from backend.src.services.clean_release.exceptions import PolicyResolutionError
|
||||
from backend.src.services.clean_release.policy_resolution_service import resolve_trusted_policy_snapshots
|
||||
from backend.src.services.clean_release.repository import CleanReleaseRepository
|
||||
|
||||
|
||||
# [DEF:_config_manager:Function]
|
||||
# @PURPOSE: Build deterministic ConfigManager-like stub for tests.
|
||||
# @PRE: policy_id and registry_id may be None or non-empty strings.
|
||||
# @POST: Returns object exposing get_config().settings.clean_release active IDs.
|
||||
def _config_manager(policy_id, registry_id):
|
||||
clean_release = SimpleNamespace(active_policy_id=policy_id, active_registry_id=registry_id)
|
||||
settings = SimpleNamespace(clean_release=clean_release)
|
||||
config = SimpleNamespace(settings=settings)
|
||||
return SimpleNamespace(get_config=lambda: config)
|
||||
# [/DEF:_config_manager:Function]
|
||||
|
||||
|
||||
# [DEF:test_resolve_trusted_policy_snapshots_missing_profile:Function]
|
||||
# @PURPOSE: Ensure resolution fails when trusted profile is not configured.
|
||||
# @PRE: active_policy_id is None.
|
||||
# @POST: Raises PolicyResolutionError with missing trusted profile reason.
|
||||
def test_resolve_trusted_policy_snapshots_missing_profile():
|
||||
repository = CleanReleaseRepository()
|
||||
config_manager = _config_manager(policy_id=None, registry_id="registry-1")
|
||||
|
||||
with pytest.raises(PolicyResolutionError, match="missing trusted profile"):
|
||||
resolve_trusted_policy_snapshots(
|
||||
config_manager=config_manager,
|
||||
repository=repository,
|
||||
)
|
||||
# [/DEF:test_resolve_trusted_policy_snapshots_missing_profile:Function]
|
||||
|
||||
|
||||
# [DEF:test_resolve_trusted_policy_snapshots_missing_registry:Function]
|
||||
# @PURPOSE: Ensure resolution fails when trusted registry is not configured.
|
||||
# @PRE: active_registry_id is None and active_policy_id is set.
|
||||
# @POST: Raises PolicyResolutionError with missing trusted registry reason.
|
||||
def test_resolve_trusted_policy_snapshots_missing_registry():
|
||||
repository = CleanReleaseRepository()
|
||||
config_manager = _config_manager(policy_id="policy-1", registry_id=None)
|
||||
|
||||
with pytest.raises(PolicyResolutionError, match="missing trusted registry"):
|
||||
resolve_trusted_policy_snapshots(
|
||||
config_manager=config_manager,
|
||||
repository=repository,
|
||||
)
|
||||
# [/DEF:test_resolve_trusted_policy_snapshots_missing_registry:Function]
|
||||
|
||||
|
||||
# [DEF:test_resolve_trusted_policy_snapshots_rejects_override_attempt:Function]
|
||||
# @PURPOSE: Ensure runtime override attempt is rejected even if snapshots exist.
|
||||
# @PRE: valid trusted snapshots exist in repository and override is provided.
|
||||
# @POST: Raises PolicyResolutionError with override forbidden reason.
|
||||
def test_resolve_trusted_policy_snapshots_rejects_override_attempt():
|
||||
repository = CleanReleaseRepository()
|
||||
repository.save_policy(
|
||||
CleanPolicySnapshot(
|
||||
id="policy-1",
|
||||
policy_id="baseline",
|
||||
policy_version="1.0.0",
|
||||
content_json={"rules": []},
|
||||
registry_snapshot_id="registry-1",
|
||||
immutable=True,
|
||||
)
|
||||
)
|
||||
repository.save_registry(
|
||||
SourceRegistrySnapshot(
|
||||
id="registry-1",
|
||||
registry_id="trusted",
|
||||
registry_version="1.0.0",
|
||||
allowed_hosts=["internal.local"],
|
||||
allowed_schemes=["https"],
|
||||
allowed_source_types=["repo"],
|
||||
immutable=True,
|
||||
)
|
||||
)
|
||||
|
||||
config_manager = _config_manager(policy_id="policy-1", registry_id="registry-1")
|
||||
|
||||
with pytest.raises(PolicyResolutionError, match="override attempt is forbidden"):
|
||||
resolve_trusted_policy_snapshots(
|
||||
config_manager=config_manager,
|
||||
repository=repository,
|
||||
policy_id_override="policy-override",
|
||||
)
|
||||
# [/DEF:test_resolve_trusted_policy_snapshots_rejects_override_attempt:Function]
|
||||
|
||||
# [/DEF:backend.tests.services.clean_release.test_policy_resolution_service:Module]
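Review bot: The `@INVARIANT` in the module header says resolution uses only the ConfigManager active IDs, but all three tests exercise rejection paths. Nothing asserts that, with the `policy-1` and `registry-1` snapshots saved and no override passed, the call returns exactly those two snapshots, so a regression that resolves the wrong snapshot or ignores `registry_snapshot_id` would still pass this file. `test_resolve_trusted_policy_snapshots_rejects_override_attempt` covers only `policy_id_override`; if the service also accepts a registry-side override (not visible here), it needs the same rejection test. I would also add a case where both active IDs are configured but missing from the repository, since the two "missing" tests only cover IDs set to `None`.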