busya
274510fc38
- Replaced @TIER: TRIVIAL with @COMPLEXITY: 1 - Replaced @TIER: STANDARD with @COMPLEXITY: 3 - Replaced @TIER: CRITICAL with @COMPLEXITY: 5 - Manually elevated specific critical/complex components to levels 2 and 4 - Ignored legacy, specs, and node_modules directories - Updated generated semantic map
106 lines
4.5 KiB
Python
106 lines
4.5 KiB
Python
# [DEF:backend.tests.services.clean_release.test_policy_resolution_service:Module]
|
|
# @COMPLEXITY: 5
|
|
# @SEMANTICS: clean-release, policy-resolution, trusted-snapshots, contracts
|
|
# @PURPOSE: Verify trusted policy snapshot resolution contract and error guards.
|
|
# @LAYER: Tests
|
|
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.policy_resolution_service
|
|
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.repository
|
|
# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.exceptions
|
|
# @INVARIANT: Resolution uses only ConfigManager active IDs and rejects runtime override attempts.
|
|
|
|
from __future__ import annotations
|
|
|
|
from types import SimpleNamespace
|
|
|
|
import pytest
|
|
|
|
from src.models.clean_release import CleanPolicySnapshot, SourceRegistrySnapshot
|
|
from src.services.clean_release.exceptions import PolicyResolutionError
|
|
from src.services.clean_release.policy_resolution_service import resolve_trusted_policy_snapshots
|
|
from src.services.clean_release.repository import CleanReleaseRepository
|
|
|
|
|
|
# [DEF:_config_manager:Function]
|
|
# @PURPOSE: Build deterministic ConfigManager-like stub for tests.
|
|
# @PRE: policy_id and registry_id may be None or non-empty strings.
|
|
# @POST: Returns object exposing get_config().settings.clean_release active IDs.
|
|
def _config_manager(policy_id, registry_id):
|
|
clean_release = SimpleNamespace(active_policy_id=policy_id, active_registry_id=registry_id)
|
|
settings = SimpleNamespace(clean_release=clean_release)
|
|
config = SimpleNamespace(settings=settings)
|
|
return SimpleNamespace(get_config=lambda: config)
|
|
# [/DEF:_config_manager:Function]
|
|
|
|
|
|
# [DEF:test_resolve_trusted_policy_snapshots_missing_profile:Function]
|
|
# @PURPOSE: Ensure resolution fails when trusted profile is not configured.
|
|
# @PRE: active_policy_id is None.
|
|
# @POST: Raises PolicyResolutionError with missing trusted profile reason.
|
|
def test_resolve_trusted_policy_snapshots_missing_profile():
|
|
repository = CleanReleaseRepository()
|
|
config_manager = _config_manager(policy_id=None, registry_id="registry-1")
|
|
|
|
with pytest.raises(PolicyResolutionError, match="missing trusted profile"):
|
|
resolve_trusted_policy_snapshots(
|
|
config_manager=config_manager,
|
|
repository=repository,
|
|
)
|
|
# [/DEF:test_resolve_trusted_policy_snapshots_missing_profile:Function]
|
|
|
|
|
|
# [DEF:test_resolve_trusted_policy_snapshots_missing_registry:Function]
|
|
# @PURPOSE: Ensure resolution fails when trusted registry is not configured.
|
|
# @PRE: active_registry_id is None and active_policy_id is set.
|
|
# @POST: Raises PolicyResolutionError with missing trusted registry reason.
|
|
def test_resolve_trusted_policy_snapshots_missing_registry():
|
|
repository = CleanReleaseRepository()
|
|
config_manager = _config_manager(policy_id="policy-1", registry_id=None)
|
|
|
|
with pytest.raises(PolicyResolutionError, match="missing trusted registry"):
|
|
resolve_trusted_policy_snapshots(
|
|
config_manager=config_manager,
|
|
repository=repository,
|
|
)
|
|
# [/DEF:test_resolve_trusted_policy_snapshots_missing_registry:Function]
|
|
|
|
|
|
# [DEF:test_resolve_trusted_policy_snapshots_rejects_override_attempt:Function]
|
|
# @PURPOSE: Ensure runtime override attempt is rejected even if snapshots exist.
|
|
# @PRE: valid trusted snapshots exist in repository and override is provided.
|
|
# @POST: Raises PolicyResolutionError with override forbidden reason.
|
|
def test_resolve_trusted_policy_snapshots_rejects_override_attempt():
|
|
repository = CleanReleaseRepository()
|
|
repository.save_policy(
|
|
CleanPolicySnapshot(
|
|
id="policy-1",
|
|
policy_id="baseline",
|
|
policy_version="1.0.0",
|
|
content_json={"rules": []},
|
|
registry_snapshot_id="registry-1",
|
|
immutable=True,
|
|
)
|
|
)
|
|
repository.save_registry(
|
|
SourceRegistrySnapshot(
|
|
id="registry-1",
|
|
registry_id="trusted",
|
|
registry_version="1.0.0",
|
|
allowed_hosts=["internal.local"],
|
|
allowed_schemes=["https"],
|
|
allowed_source_types=["repo"],
|
|
immutable=True,
|
|
)
|
|
)
|
|
|
|
config_manager = _config_manager(policy_id="policy-1", registry_id="registry-1")
|
|
|
|
with pytest.raises(PolicyResolutionError, match="override attempt is forbidden"):
|
|
resolve_trusted_policy_snapshots(
|
|
config_manager=config_manager,
|
|
repository=repository,
|
|
policy_id_override="policy-override",
|
|
)
|
|
# [/DEF:test_resolve_trusted_policy_snapshots_rejects_override_attempt:Function]
|
|
|
|
# [/DEF:backend.tests.services.clean_release.test_policy_resolution_service:Module]
|