Use exact m3taversal handle in permission canary
This commit is contained in:
parent
9512dcba77
commit
a3275ee88e
2 changed files with 24 additions and 5 deletions
|
|
@ -29,6 +29,7 @@ APPLY_PREREQS_SQL = ROOT / "scripts" / "kb_apply_prereqs.sql"
|
||||||
READ_ROLE_SQL = ROOT / "ops" / "observatory_read_role.sql"
|
READ_ROLE_SQL = ROOT / "ops" / "observatory_read_role.sql"
|
||||||
DATABASE = "teleo_canonical"
|
DATABASE = "teleo_canonical"
|
||||||
IAM_USER = "sa-observatory-read-adapter@teleo-501523.iam"
|
IAM_USER = "sa-observatory-read-adapter@teleo-501523.iam"
|
||||||
|
PARTICIPANT_HANDLE = "m3taversal"
|
||||||
DEFAULT_IMAGE = "postgres:16-alpine"
|
DEFAULT_IMAGE = "postgres:16-alpine"
|
||||||
CANARY_LABEL = "leo-negative-permissions"
|
CANARY_LABEL = "leo-negative-permissions"
|
||||||
|
|
||||||
|
|
@ -72,7 +73,7 @@ create table public.private_notes (
|
||||||
);
|
);
|
||||||
|
|
||||||
insert into public.agents (id, handle, kind)
|
insert into public.agents (id, handle, kind)
|
||||||
values ('11111111-1111-1111-1111-111111111111', 'm3ta', 'human');
|
values ('11111111-1111-1111-1111-111111111111', '__PARTICIPANT_HANDLE__', 'human');
|
||||||
|
|
||||||
create table kb_stage.kb_proposals (
|
create table kb_stage.kb_proposals (
|
||||||
id uuid primary key,
|
id uuid primary key,
|
||||||
|
|
@ -280,6 +281,11 @@ def fingerprint(container: str) -> dict[str, Any]:
|
||||||
query = f"""
|
query = f"""
|
||||||
select jsonb_build_object(
|
select jsonb_build_object(
|
||||||
'database', current_database(),
|
'database', current_database(),
|
||||||
|
'participant_handle', (
|
||||||
|
select handle
|
||||||
|
from public.agents
|
||||||
|
where id = '11111111-1111-1111-1111-111111111111'
|
||||||
|
),
|
||||||
'principal', (
|
'principal', (
|
||||||
select jsonb_build_object(
|
select jsonb_build_object(
|
||||||
'rolname', rolname,
|
'rolname', rolname,
|
||||||
|
|
@ -371,6 +377,7 @@ def operation_suite(container: str, password: str) -> list[dict[str, Any]]:
|
||||||
fake_payload = "'{\"apply_payload\":{}}'::jsonb"
|
fake_payload = "'{\"apply_payload\":{}}'::jsonb"
|
||||||
proposal_id = "'55555555-5555-5555-5555-555555555555'::uuid"
|
proposal_id = "'55555555-5555-5555-5555-555555555555'::uuid"
|
||||||
reviewer_id = "'11111111-1111-1111-1111-111111111111'::uuid"
|
reviewer_id = "'11111111-1111-1111-1111-111111111111'::uuid"
|
||||||
|
reviewer_handle = sql_literal(PARTICIPANT_HANDLE)
|
||||||
operations = [
|
operations = [
|
||||||
allowed_operation(
|
allowed_operation(
|
||||||
"session_read_only_defaults",
|
"session_read_only_defaults",
|
||||||
|
|
@ -477,7 +484,7 @@ def operation_suite(container: str, password: str) -> list[dict[str, Any]]:
|
||||||
password,
|
password,
|
||||||
[
|
[
|
||||||
"select kb_stage.approve_strict_proposal("
|
"select kb_stage.approve_strict_proposal("
|
||||||
f"{proposal_id}, 'revise_strategy', {fake_payload}, 'm3ta', "
|
f"{proposal_id}, 'revise_strategy', {fake_payload}, {reviewer_handle}, "
|
||||||
"'I approve this in chat')"
|
"'I approve this in chat')"
|
||||||
],
|
],
|
||||||
),
|
),
|
||||||
|
|
@ -491,7 +498,7 @@ def operation_suite(container: str, password: str) -> list[dict[str, Any]]:
|
||||||
password,
|
password,
|
||||||
[
|
[
|
||||||
"select kb_stage.assert_approved_proposal("
|
"select kb_stage.assert_approved_proposal("
|
||||||
f"{proposal_id}, 'revise_strategy', {fake_payload}, 'm3ta', {reviewer_id}, "
|
f"{proposal_id}, 'revise_strategy', {fake_payload}, {reviewer_handle}, {reviewer_id}, "
|
||||||
"now(), 'fake review')"
|
"now(), 'fake review')"
|
||||||
],
|
],
|
||||||
),
|
),
|
||||||
|
|
@ -505,7 +512,7 @@ def operation_suite(container: str, password: str) -> list[dict[str, Any]]:
|
||||||
password,
|
password,
|
||||||
[
|
[
|
||||||
"select kb_stage.finish_approved_proposal("
|
"select kb_stage.finish_approved_proposal("
|
||||||
f"{proposal_id}, 'revise_strategy', {fake_payload}, 'm3ta', {reviewer_id}, "
|
f"{proposal_id}, 'revise_strategy', {fake_payload}, {reviewer_handle}, {reviewer_id}, "
|
||||||
"now(), 'fake review', 'kb-apply')"
|
"now(), 'fake review', 'kb-apply')"
|
||||||
],
|
],
|
||||||
),
|
),
|
||||||
|
|
@ -606,6 +613,11 @@ def main() -> int:
|
||||||
"production_contacted": False,
|
"production_contacted": False,
|
||||||
"canonical_production_rows_contacted": False,
|
"canonical_production_rows_contacted": False,
|
||||||
},
|
},
|
||||||
|
"identity_policy": {
|
||||||
|
"participant_handle": PARTICIPANT_HANDLE,
|
||||||
|
"reviewer_handle": PARTICIPANT_HANDLE,
|
||||||
|
"exact_handle_required": True,
|
||||||
|
},
|
||||||
"operations": [],
|
"operations": [],
|
||||||
"passed": False,
|
"passed": False,
|
||||||
}
|
}
|
||||||
|
|
@ -680,7 +692,7 @@ def main() -> int:
|
||||||
}:
|
}:
|
||||||
raise CanaryError(f"disposable container isolation mismatch: {isolation}")
|
raise CanaryError(f"disposable container isolation mismatch: {isolation}")
|
||||||
|
|
||||||
admin_psql(container, BOOTSTRAP_SQL)
|
admin_psql(container, BOOTSTRAP_SQL.replace("__PARTICIPANT_HANDLE__", PARTICIPANT_HANDLE))
|
||||||
admin_psql(container, APPLY_PREREQS_SQL.read_text(encoding="utf-8"))
|
admin_psql(container, APPLY_PREREQS_SQL.read_text(encoding="utf-8"))
|
||||||
admin_psql(
|
admin_psql(
|
||||||
container,
|
container,
|
||||||
|
|
|
||||||
|
|
@ -28,6 +28,11 @@ def test_leo_negative_permissions_canary_runs_real_postgres_lifecycle(tmp_path:
|
||||||
receipt = json.loads(output.read_text(encoding="utf-8"))
|
receipt = json.loads(output.read_text(encoding="utf-8"))
|
||||||
assert receipt["passed"] is True
|
assert receipt["passed"] is True
|
||||||
assert receipt["current_tier"] == "T2_runtime"
|
assert receipt["current_tier"] == "T2_runtime"
|
||||||
|
assert receipt["identity_policy"] == {
|
||||||
|
"exact_handle_required": True,
|
||||||
|
"participant_handle": "m3taversal",
|
||||||
|
"reviewer_handle": "m3taversal",
|
||||||
|
}
|
||||||
assert receipt["scope"] == {
|
assert receipt["scope"] == {
|
||||||
"canonical_production_rows_contacted": False,
|
"canonical_production_rows_contacted": False,
|
||||||
"container_network": "none",
|
"container_network": "none",
|
||||||
|
|
@ -65,6 +70,8 @@ def test_leo_negative_permissions_canary_runs_real_postgres_lifecycle(tmp_path:
|
||||||
"claim_table_ownership_escalation",
|
"claim_table_ownership_escalation",
|
||||||
}
|
}
|
||||||
assert all(operation["passed"] for operation in operations.values())
|
assert all(operation["passed"] for operation in operations.values())
|
||||||
|
assert receipt["fingerprint"]["before"]["participant_handle"] == "m3taversal"
|
||||||
|
assert receipt["fingerprint"]["after"]["participant_handle"] == "m3taversal"
|
||||||
assert receipt["fingerprint"]["unchanged"] is True
|
assert receipt["fingerprint"]["unchanged"] is True
|
||||||
assert receipt["fingerprint"]["before_sha256"] == receipt["fingerprint"]["after_sha256"]
|
assert receipt["fingerprint"]["before_sha256"] == receipt["fingerprint"]["after_sha256"]
|
||||||
assert receipt["cleanup"]["passed"] is True
|
assert receipt["cleanup"]["passed"] is True
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue