teleo-infrastructure/tests/test_capture_vps_canonical_postgres_snapshot.py

206 lines
7.2 KiB
Python

import json
from pathlib import Path
import pytest
from ops.capture_vps_canonical_postgres_snapshot import (
SAFE_AUTHORIZATION_REF_RE,
SAFE_SSH_TARGET_RE,
SOURCE_SNAPSHOT_RECEIPT_SCHEMA,
build_provenance_binding,
canonical_sha256,
cleanup_failed_output,
load_service_state,
load_snapshot_metadata,
parse_args,
remote_capture_script,
toc_counts,
)
def test_remote_capture_uses_one_exported_read_only_snapshot() -> None:
script = remote_capture_script(
run_id="canonical-20260711",
container="teleo-pg",
database="teleo",
service="leoclean-gateway.service",
)
assert "begin transaction isolation level repeatable read read only" in script
assert "select pg_export_snapshot()" in script
assert "[0-9A-F]+-[0-9A-F]+-[0-9]+" in script
assert '--snapshot="$snapshot_id"' in script
assert '-v "snapshot_id=$snapshot_id"' in script
assert "txid_current_snapshot()::text" in script
assert "pg_current_wal_lsn()::text" in script
assert "system_identifier::text from pg_control_system()" in script
assert "source-snapshot.json" in script
assert "--no-owner --no-acl" in script
assert "cmp -s" in script
assert 'assert_service_healthy "$remote_root/service-before.txt"' in script
assert 'assert_service_healthy "$remote_root/service-after.txt"' in script
assert "systemctl restart" not in script
assert "docker restart" not in script
def test_manifest_hash_order_is_collation_independent() -> None:
manifest = Path("ops/postgres_parity_manifest.sql").read_text()
assert 'collate "C"' in manifest
assert "'server_address', host(inet_server_addr())" in manifest
def test_toc_counts_database_objects(tmp_path: Path) -> None:
toc = tmp_path / "dump.toc"
toc.write_text(
"; header\n"
"1; 0 0 TABLE DATA public claims postgres\n"
"2; 0 0 CONSTRAINT public claims claims_pkey postgres\n"
"3; 0 0 FK CONSTRAINT public evidence evidence_claim_fkey postgres\n"
"4; 0 0 INDEX public claims claims_text_idx postgres\n"
)
assert toc_counts(toc) == {"entries": 4, "table_data": 1, "constraints": 2, "indexes": 1}
def test_failure_cleanup_never_removes_preexisting_output(tmp_path: Path) -> None:
existing = tmp_path / "existing"
existing.mkdir()
marker = existing / "user-file"
marker.write_text("keep")
cleanup_failed_output(existing, preexisting=True)
created_by_run = tmp_path / "created-by-run"
created_by_run.mkdir()
cleanup_failed_output(created_by_run, preexisting=False)
assert marker.read_text() == "keep"
assert not created_by_run.exists()
def test_source_service_state_requires_healthy_unchanged_capable_fields(tmp_path: Path) -> None:
state_path = tmp_path / "service.txt"
state_path.write_text("ActiveState=active\nSubState=running\nMainPID=347406\nNRestarts=0\n")
assert load_service_state(state_path)["MainPID"] == "347406"
state_path.write_text("ActiveState=failed\nSubState=dead\nMainPID=0\nNRestarts=0\n")
with pytest.raises(RuntimeError, match="not active/running"):
load_service_state(state_path)
def test_ssh_target_rejects_open_ssh_option_injection() -> None:
assert SAFE_SSH_TARGET_RE.fullmatch("root@77.42.65.182")
assert SAFE_SSH_TARGET_RE.fullmatch("teleo-staging-1.internal")
assert not SAFE_SSH_TARGET_RE.fullmatch("-oProxyCommand=malicious")
assert not SAFE_SSH_TARGET_RE.fullmatch("root@host command")
def test_source_snapshot_metadata_and_provenance_binding(tmp_path: Path) -> None:
snapshot_path = tmp_path / "source-snapshot.json"
snapshot_path.write_text(
json.dumps(
{
"exported_snapshot_id": "00000003-000001A2-1",
"txid_snapshot": "100:120:105,111",
"wal_lsn": "0/16B6C50",
"system_identifier": "7649789040005668902",
"captured_at_utc": "2026-07-15T01:02:03.456789+00:00",
}
)
)
snapshot = load_snapshot_metadata(snapshot_path)
binding = build_provenance_binding(
run_id="canonical-20260715",
authorization_ref="codex-delegation:019f47af-f2cc-7c10-b928-a9283afa2621",
source={
"ssh_target": "root@77.42.65.182",
"container": "teleo-pg",
"database": "teleo",
"service": "leoclean-gateway.service",
},
snapshot=snapshot,
dump_sha256="1" * 64,
manifest_sql_sha256="2" * 64,
source_manifest_sha256="3" * 64,
source_context_sha256="4" * 64,
)
assert binding["algorithm"] == "sha256"
assert binding["payload"] == {
"receipt_schema": SOURCE_SNAPSHOT_RECEIPT_SCHEMA,
"run_id": "canonical-20260715",
"capture_authorization_ref": "codex-delegation:019f47af-f2cc-7c10-b928-a9283afa2621",
"source": {
"ssh_target": "root@77.42.65.182",
"container": "teleo-pg",
"database": "teleo",
"service": "leoclean-gateway.service",
},
"exported_snapshot_id": "00000003-000001A2-1",
"txid_snapshot": "100:120:105,111",
"wal_lsn": "0/16B6C50",
"source_system_identifier": "7649789040005668902",
"dump_sha256": "1" * 64,
"manifest_sql_sha256": "2" * 64,
"source_manifest_sha256": "3" * 64,
"source_context_sha256": "4" * 64,
}
assert binding["sha256"] == canonical_sha256(binding["payload"])
@pytest.mark.parametrize(
("field", "value"),
[
("exported_snapshot_id", "unsafe snapshot"),
("txid_snapshot", "100:120:not-a-txid"),
("wal_lsn", "not-an-lsn"),
("system_identifier", "system-1"),
],
)
def test_source_snapshot_metadata_rejects_invalid_identity(tmp_path: Path, field: str, value: str) -> None:
payload = {
"exported_snapshot_id": "00000003-000001A2-1",
"txid_snapshot": "100:120:",
"wal_lsn": "0/16B6C50",
"system_identifier": "7649789040005668902",
"captured_at_utc": "2026-07-15T01:02:03+00:00",
}
payload[field] = value
path = tmp_path / "source-snapshot.json"
path.write_text(json.dumps(payload))
with pytest.raises(RuntimeError, match=field):
load_snapshot_metadata(path)
def test_authorization_ref_is_required_and_safe_metadata(tmp_path: Path) -> None:
ssh_key = tmp_path / "id_ed25519"
ssh_key.write_text("test-only")
manifest = tmp_path / "manifest.sql"
manifest.write_text("select 1;\n")
base = [
"--execute",
"--ssh-target",
"root@77.42.65.182",
"--ssh-key",
str(ssh_key),
"--manifest",
str(manifest),
"--run-id",
"canonical-20260715",
"--output-dir",
str(tmp_path / "capture"),
]
with pytest.raises(SystemExit):
parse_args(base)
with pytest.raises(SystemExit):
parse_args([*base, "--authorization-ref", "unsafe authorization ref"])
authorization_ref = "codex-delegation:019f47af-f2cc-7c10-b928-a9283afa2621"
args = parse_args([*base, "--authorization-ref", authorization_ref])
assert args.authorization_ref == authorization_ref
assert SAFE_AUTHORIZATION_REF_RE.fullmatch(authorization_ref)
assert not SAFE_AUTHORIZATION_REF_RE.fullmatch("authorization\nforged")