- Normalize rich proposals into atomic reviewed canonical graph bundles with exact row verification. - Harden reviewer/apply roles, upgrade ACLs, and prove generic plus Helmer lifecycles in isolated PostgreSQL. - Publish repo-native VPS/GCP/Cory skills and live-readonly GCP inventory without changing the live VPS runtime. `.agents/skills/crabbox/SKILL.md` `.agents/skills/teleo-gcp-parity-ops/SKILL.md` `.agents/skills/teleo-kb-db-change-workflow/SKILL.md` `.agents/skills/teleo-leo-onboarding/SKILL.md` `.agents/skills/teleo-vps-runtime-ops/SKILL.md` `.agents/skills/working-leo-cory-outcomes/SKILL.md` `docs/reports/leo-working-state-20260709/approve-claim-clone-canary-current.json` `docs/reports/leo-working-state-20260709/approve-claim-clone-canary-current.md` `docs/reports/leo-working-state-20260709/current-truth-index.md` `docs/reports/leo-working-state-20260709/gcp-cloud-sql-t3-live-readonly-current.json` `docs/reports/leo-working-state-20260709/gcp-cloud-sql-t3-live-readonly-current.md` `docs/reports/leo-working-state-20260709/gcp-cloudsql-studio-parity-gate-current.json` `docs/reports/leo-working-state-20260709/gcp-cloudsql-studio-parity-gate-current.md` `docs/reports/leo-working-state-20260709/gcp-parallel-delegation-current.json` `docs/reports/leo-working-state-20260709/helmer-approve-claim-clone-canary-current.json` `docs/reports/leo-working-state-20260709/helmer-approve-claim-normalization-current.json` `docs/reports/leo-working-state-20260709/skill-pack-manifest.json` `docs/reports/leo-working-state-20260709/skill-pack-readme.md` `docs/reports/leo-working-state-20260709/working-leo-current-state-20260709.md` `docs/reports/leo-working-state-20260709/working-leo-definition-20260709.md` `docs/reports/leo-working-state-20260709/working-leo-execution-plan-current.md` `scripts/apply_proposal.py` `scripts/apply_worker.py` `scripts/approve_proposal.py` `scripts/kb_apply_prereqs.sql` `scripts/kb_proposal_normalize.py` `scripts/probe_gcp_db_parity.py` `scripts/run_approve_claim_clone_canary.py` `scripts/run_approve_claim_isolated_container_canary.sh` `tests/test_apply_proposal.py` `tests/test_apply_worker.py` `tests/test_approve_proposal.py` `tests/test_kb_apply_prereqs.py` `tests/test_kb_proposal_normalize.py` `tests/test_kb_proposal_routes.py` `tests/test_probe_gcp_db_parity.py` `tests/test_repo_skill_pack.py`
498 lines
19 KiB
Python
498 lines
19 KiB
Python
from __future__ import annotations
|
|
|
|
import shutil
|
|
import subprocess
|
|
import time
|
|
import uuid
|
|
from collections.abc import Iterator
|
|
from pathlib import Path
|
|
|
|
import pytest
|
|
|
|
REPO_ROOT = Path(__file__).resolve().parents[1]
|
|
MIGRATION = REPO_ROOT / "scripts" / "kb_apply_prereqs.sql"
|
|
POSTGRES_IMAGE = "postgres:16-alpine"
|
|
DATABASE = "teleo_clone"
|
|
|
|
BOOTSTRAP_SQL = r"""
|
|
create role kb_gate_owner nologin inherit;
|
|
create role kb_review login inherit;
|
|
create role kb_apply login inherit;
|
|
create role broad_writer nologin;
|
|
create role rogue_owner nologin;
|
|
create role rogue_grantee nologin;
|
|
|
|
create schema kb_stage;
|
|
|
|
create table public.agents (
|
|
id uuid primary key,
|
|
handle text not null unique,
|
|
kind text not null
|
|
);
|
|
create table public.strategies (
|
|
id uuid primary key,
|
|
agent_id uuid not null,
|
|
active boolean not null default true
|
|
);
|
|
create table public.strategy_nodes (id uuid primary key);
|
|
create table public.claim_evidence (
|
|
id uuid primary key,
|
|
claim_id uuid not null,
|
|
source_id uuid not null,
|
|
role text not null
|
|
);
|
|
create table public.claim_edges (id uuid primary key);
|
|
create table public.claims (id uuid primary key);
|
|
create table public.sources (
|
|
id uuid primary key,
|
|
hash text not null
|
|
);
|
|
create table public.reasoning_tools (id uuid primary key);
|
|
|
|
insert into public.agents (id, handle, kind)
|
|
values ('11111111-1111-1111-1111-111111111111', 'm3ta', 'human');
|
|
|
|
create table kb_stage.kb_proposals (
|
|
id uuid primary key,
|
|
proposal_type text not null,
|
|
status text not null,
|
|
payload jsonb not null,
|
|
reviewed_by_handle text,
|
|
reviewed_by_agent_id uuid,
|
|
reviewed_at timestamptz,
|
|
review_note text,
|
|
applied_by_handle text,
|
|
applied_by_agent_id uuid,
|
|
applied_at timestamptz,
|
|
updated_at timestamptz not null default now()
|
|
);
|
|
create table kb_stage.kb_review_principals (
|
|
db_role name primary key,
|
|
reviewed_by_handle text not null,
|
|
reviewed_by_agent_id uuid not null references public.agents(id),
|
|
active boolean not null default true,
|
|
created_at timestamptz not null default now()
|
|
);
|
|
create table kb_stage.kb_proposal_approvals (
|
|
proposal_id uuid primary key references kb_stage.kb_proposals(id),
|
|
proposal_type text not null,
|
|
payload jsonb not null,
|
|
reviewed_by_handle text not null,
|
|
reviewed_by_agent_id uuid not null references public.agents(id),
|
|
reviewed_by_db_role name not null,
|
|
reviewed_at timestamptz not null,
|
|
review_note text not null
|
|
);
|
|
|
|
create function kb_stage.approve_strict_proposal(uuid, text, text)
|
|
returns jsonb language sql security definer
|
|
as $function$ select '{}'::jsonb $function$;
|
|
create function kb_stage.approve_strict_proposal(uuid, text, jsonb, text, text)
|
|
returns jsonb language sql security definer
|
|
as $function$ select '{}'::jsonb $function$;
|
|
create function kb_stage.assert_approved_proposal(
|
|
uuid, text, jsonb, text, uuid, timestamptz, text
|
|
) returns void language sql security definer
|
|
as $function$ select $function$;
|
|
create function kb_stage.finish_approved_proposal(
|
|
uuid, text, jsonb, text, uuid, timestamptz, text, text
|
|
) returns jsonb language sql security definer
|
|
as $function$ select '{}'::jsonb $function$;
|
|
|
|
grant all privileges on all tables in schema public
|
|
to kb_gate_owner, kb_apply, kb_review;
|
|
grant all privileges on all tables in schema kb_stage
|
|
to public, kb_gate_owner, kb_apply, kb_review;
|
|
grant all privileges on all functions in schema kb_stage
|
|
to public, kb_gate_owner, kb_apply, kb_review;
|
|
grant update (review_note) on kb_stage.kb_proposals to kb_apply;
|
|
grant select (review_note) on kb_stage.kb_proposals to public;
|
|
"""
|
|
|
|
|
|
def _psql(container: str, sql: str, *, check: bool = True) -> subprocess.CompletedProcess[str]:
|
|
completed = subprocess.run(
|
|
[
|
|
"docker",
|
|
"exec",
|
|
"-i",
|
|
container,
|
|
"psql",
|
|
"-X",
|
|
"-v",
|
|
"ON_ERROR_STOP=1",
|
|
"-U",
|
|
"postgres",
|
|
"-d",
|
|
DATABASE,
|
|
"-At",
|
|
"-F",
|
|
"|",
|
|
],
|
|
input=sql,
|
|
text=True,
|
|
capture_output=True,
|
|
check=False,
|
|
)
|
|
if check and completed.returncode != 0:
|
|
raise AssertionError(
|
|
f"psql failed with exit {completed.returncode}\nstdout:\n{completed.stdout}\nstderr:\n{completed.stderr}"
|
|
)
|
|
return completed
|
|
|
|
|
|
def _apply_migration(container: str, *, check: bool = True) -> subprocess.CompletedProcess[str]:
|
|
return _psql(container, MIGRATION.read_text(), check=check)
|
|
|
|
|
|
@pytest.fixture(scope="module")
|
|
def migrated_postgres() -> Iterator[str]:
|
|
if shutil.which("docker") is None:
|
|
pytest.skip("Docker is required for the disposable PostgreSQL migration canary")
|
|
|
|
container = f"kb-apply-prereqs-{uuid.uuid4().hex[:12]}"
|
|
started = subprocess.run(
|
|
[
|
|
"docker",
|
|
"run",
|
|
"--rm",
|
|
"-d",
|
|
"--name",
|
|
container,
|
|
"-e",
|
|
"POSTGRES_PASSWORD=postgres",
|
|
"-e",
|
|
f"POSTGRES_DB={DATABASE}",
|
|
POSTGRES_IMAGE,
|
|
],
|
|
text=True,
|
|
capture_output=True,
|
|
check=False,
|
|
)
|
|
if started.returncode != 0:
|
|
pytest.fail(f"could not start disposable PostgreSQL: {started.stderr}")
|
|
|
|
try:
|
|
for _ in range(120):
|
|
logs = subprocess.run(
|
|
["docker", "logs", container],
|
|
text=True,
|
|
capture_output=True,
|
|
check=False,
|
|
)
|
|
query = _psql(container, "select 1;", check=False)
|
|
ready_transitions = (logs.stdout + logs.stderr).count("database system is ready to accept connections")
|
|
if ready_transitions >= 2 and query.returncode == 0:
|
|
break
|
|
time.sleep(0.25)
|
|
else:
|
|
pytest.fail("disposable PostgreSQL did not become ready")
|
|
|
|
_psql(container, BOOTSTRAP_SQL)
|
|
_apply_migration(container)
|
|
yield container
|
|
finally:
|
|
subprocess.run(
|
|
["docker", "rm", "-f", container],
|
|
capture_output=True,
|
|
check=False,
|
|
)
|
|
|
|
|
|
def _lines(completed: subprocess.CompletedProcess[str]) -> set[str]:
|
|
return {line for line in completed.stdout.splitlines() if line}
|
|
|
|
|
|
def _catalog_snapshot(container: str) -> str:
|
|
return _psql(
|
|
container,
|
|
r"""
|
|
select 'role|' || rolname || '|' || rolcanlogin || '|' || rolinherit || '|' || rolsuper
|
|
from pg_catalog.pg_roles
|
|
where rolname in ('kb_gate_owner', 'kb_review', 'kb_apply')
|
|
order by rolname;
|
|
select 'owner|' || namespace.nspname || '|' || relation.relname || '|' || owner_role.rolname
|
|
from pg_catalog.pg_class relation
|
|
join pg_catalog.pg_namespace namespace on namespace.oid = relation.relnamespace
|
|
join pg_catalog.pg_roles owner_role on owner_role.oid = relation.relowner
|
|
where (namespace.nspname, relation.relname) in (
|
|
('public', 'agents'), ('public', 'strategies'), ('public', 'strategy_nodes'),
|
|
('public', 'claim_evidence'), ('public', 'claim_edges'), ('public', 'claims'),
|
|
('public', 'sources'), ('public', 'reasoning_tools'),
|
|
('kb_stage', 'kb_proposals'), ('kb_stage', 'kb_review_principals'),
|
|
('kb_stage', 'kb_proposal_approvals')
|
|
)
|
|
order by namespace.nspname, relation.relname;
|
|
select 'function|' || procedure.proname || '(' || pg_catalog.oidvectortypes(procedure.proargtypes) ||
|
|
')|' || owner_role.rolname || '|' || procedure.prosecdef || '|' || procedure.proconfig::text
|
|
from pg_catalog.pg_proc procedure
|
|
join pg_catalog.pg_namespace namespace on namespace.oid = procedure.pronamespace
|
|
join pg_catalog.pg_roles owner_role on owner_role.oid = procedure.proowner
|
|
where namespace.nspname = 'kb_stage'
|
|
and procedure.proname in (
|
|
'approve_strict_proposal', 'assert_approved_proposal', 'finish_approved_proposal'
|
|
)
|
|
order by procedure.proname, procedure.proargtypes::text;
|
|
select 'table_acl|' || namespace.nspname || '|' || relation.relname || '|' ||
|
|
case when acl.grantee = 0 then 'PUBLIC' else grantee_role.rolname end || '|' ||
|
|
pg_catalog.upper(acl.privilege_type) || '|' || acl.is_grantable
|
|
from pg_catalog.pg_class relation
|
|
join pg_catalog.pg_namespace namespace on namespace.oid = relation.relnamespace
|
|
cross join lateral pg_catalog.aclexplode(
|
|
coalesce(relation.relacl, pg_catalog.acldefault('r', relation.relowner))
|
|
) acl
|
|
left join pg_catalog.pg_roles grantee_role on grantee_role.oid = acl.grantee
|
|
where (namespace.nspname, relation.relname) in (
|
|
('public', 'agents'), ('public', 'strategies'), ('public', 'strategy_nodes'),
|
|
('public', 'claim_evidence'), ('public', 'claim_edges'), ('public', 'claims'),
|
|
('public', 'sources'), ('public', 'reasoning_tools'),
|
|
('kb_stage', 'kb_proposals'), ('kb_stage', 'kb_review_principals'),
|
|
('kb_stage', 'kb_proposal_approvals')
|
|
)
|
|
and acl.grantee <> relation.relowner
|
|
and (acl.grantee = 0 or grantee_role.rolname in ('kb_gate_owner', 'kb_review', 'kb_apply'))
|
|
order by namespace.nspname, relation.relname, grantee_role.rolname, acl.privilege_type;
|
|
select 'function_acl|' || procedure.proname || '(' ||
|
|
pg_catalog.oidvectortypes(procedure.proargtypes) || ')|' ||
|
|
case when acl.grantee = 0 then 'PUBLIC' else pg_catalog.pg_get_userbyid(acl.grantee) end ||
|
|
'|' || pg_catalog.upper(acl.privilege_type) || '|' || acl.is_grantable
|
|
from pg_catalog.pg_proc procedure
|
|
join pg_catalog.pg_namespace namespace on namespace.oid = procedure.pronamespace
|
|
cross join lateral pg_catalog.aclexplode(
|
|
coalesce(procedure.proacl, pg_catalog.acldefault('f', procedure.proowner))
|
|
) acl
|
|
where namespace.nspname = 'kb_stage'
|
|
and procedure.proname in (
|
|
'approve_strict_proposal', 'assert_approved_proposal', 'finish_approved_proposal'
|
|
)
|
|
and acl.grantee <> procedure.proowner
|
|
order by procedure.proname, procedure.proargtypes::text, acl.grantee;
|
|
""",
|
|
).stdout
|
|
|
|
|
|
def test_upgrade_normalizes_exact_role_ownership_and_acl_matrix(migrated_postgres: str) -> None:
|
|
role_rows = _lines(
|
|
_psql(
|
|
migrated_postgres,
|
|
"""
|
|
select rolname || '|' || rolcanlogin || '|' || rolinherit || '|' || rolsuper || '|' ||
|
|
rolcreatedb || '|' || rolcreaterole || '|' || rolreplication || '|' || rolbypassrls
|
|
from pg_catalog.pg_roles
|
|
where rolname in ('kb_gate_owner', 'kb_review', 'kb_apply')
|
|
order by rolname;
|
|
""",
|
|
)
|
|
)
|
|
assert role_rows == {
|
|
"kb_apply|true|false|false|false|false|false|false",
|
|
"kb_gate_owner|false|false|false|false|false|false|false",
|
|
"kb_review|true|false|false|false|false|false|false",
|
|
}
|
|
|
|
assert (
|
|
_psql(
|
|
migrated_postgres,
|
|
"""
|
|
select count(*)
|
|
from pg_catalog.pg_auth_members membership
|
|
join pg_catalog.pg_roles member_role on member_role.oid = membership.member
|
|
join pg_catalog.pg_roles granted_role on granted_role.oid = membership.roleid
|
|
where member_role.rolname in ('kb_gate_owner', 'kb_review', 'kb_apply')
|
|
or granted_role.rolname in ('kb_gate_owner', 'kb_review', 'kb_apply');
|
|
""",
|
|
).stdout.strip()
|
|
== "0"
|
|
)
|
|
|
|
schema_rows = _lines(
|
|
_psql(
|
|
migrated_postgres,
|
|
"""
|
|
select protected_role.rolname || '|' || protected_schema.nspname || '|' ||
|
|
pg_catalog.has_schema_privilege(protected_role.rolname, protected_schema.nspname, 'USAGE') || '|' ||
|
|
pg_catalog.has_schema_privilege(protected_role.rolname, protected_schema.nspname, 'CREATE')
|
|
from (values ('kb_gate_owner'), ('kb_review'), ('kb_apply')) protected_role(rolname)
|
|
cross join (values ('public'), ('kb_stage')) protected_schema(nspname);
|
|
""",
|
|
)
|
|
)
|
|
assert schema_rows == {
|
|
f"{role}|{schema}|true|false"
|
|
for role in ("kb_gate_owner", "kb_review", "kb_apply")
|
|
for schema in ("public", "kb_stage")
|
|
}
|
|
|
|
function_rows = _lines(
|
|
_psql(
|
|
migrated_postgres,
|
|
"""
|
|
select procedure.proname || '(' || pg_catalog.oidvectortypes(procedure.proargtypes) || ')|' ||
|
|
owner_role.rolname || '|' || procedure.prosecdef || '|' || procedure.proconfig::text
|
|
from pg_catalog.pg_proc procedure
|
|
join pg_catalog.pg_namespace namespace on namespace.oid = procedure.pronamespace
|
|
join pg_catalog.pg_roles owner_role on owner_role.oid = procedure.proowner
|
|
where namespace.nspname = 'kb_stage'
|
|
and procedure.proname in (
|
|
'approve_strict_proposal', 'assert_approved_proposal', 'finish_approved_proposal'
|
|
);
|
|
""",
|
|
)
|
|
)
|
|
assert function_rows == {
|
|
'approve_strict_proposal(uuid, text, jsonb, text, text)|kb_gate_owner|true|{"search_path=pg_catalog, pg_temp"}',
|
|
"assert_approved_proposal(uuid, text, jsonb, text, uuid, timestamp with time zone, text)|"
|
|
'kb_gate_owner|true|{"search_path=pg_catalog, pg_temp"}',
|
|
"finish_approved_proposal(uuid, text, jsonb, text, uuid, timestamp with time zone, text, text)|"
|
|
'kb_gate_owner|true|{"search_path=pg_catalog, pg_temp"}',
|
|
}
|
|
assert (
|
|
_psql(
|
|
migrated_postgres,
|
|
"select pg_catalog.to_regprocedure('kb_stage.approve_strict_proposal(uuid,text,text)') is null;",
|
|
).stdout.strip()
|
|
== "t"
|
|
)
|
|
assert (
|
|
_psql(
|
|
migrated_postgres,
|
|
"""
|
|
select count(*)
|
|
from pg_catalog.pg_attribute attribute
|
|
join pg_catalog.pg_class relation on relation.oid = attribute.attrelid
|
|
join pg_catalog.pg_namespace namespace on namespace.oid = relation.relnamespace
|
|
cross join lateral pg_catalog.aclexplode(attribute.attacl) acl
|
|
left join pg_catalog.pg_roles grantee_role on grantee_role.oid = acl.grantee
|
|
where (namespace.nspname, relation.relname) in (
|
|
('public', 'agents'), ('public', 'strategies'), ('public', 'strategy_nodes'),
|
|
('public', 'claim_evidence'), ('public', 'claim_edges'), ('public', 'claims'),
|
|
('public', 'sources'), ('public', 'reasoning_tools'),
|
|
('kb_stage', 'kb_proposals'), ('kb_stage', 'kb_review_principals'),
|
|
('kb_stage', 'kb_proposal_approvals')
|
|
)
|
|
and (acl.grantee = 0 or grantee_role.rolname in ('kb_gate_owner', 'kb_review', 'kb_apply'));
|
|
""",
|
|
).stdout.strip()
|
|
== "0"
|
|
)
|
|
|
|
for runtime_role, target_role in (
|
|
("kb_apply", "broad_writer"),
|
|
("kb_apply", "kb_gate_owner"),
|
|
("kb_review", "kb_gate_owner"),
|
|
):
|
|
denied = _psql(
|
|
migrated_postgres,
|
|
f"set session authorization {runtime_role}; set role {target_role};",
|
|
check=False,
|
|
)
|
|
assert denied.returncode != 0
|
|
assert "permission denied to set role" in denied.stderr
|
|
|
|
snapshot_lines = set(_catalog_snapshot(migrated_postgres).splitlines())
|
|
expected_table_acls = {
|
|
"table_acl|public|agents|kb_gate_owner|SELECT|false",
|
|
"table_acl|public|agents|kb_apply|SELECT|false",
|
|
"table_acl|public|agents|kb_review|SELECT|false",
|
|
"table_acl|public|strategies|kb_apply|SELECT|false",
|
|
"table_acl|public|strategies|kb_apply|INSERT|false",
|
|
"table_acl|public|strategies|kb_apply|UPDATE|false",
|
|
"table_acl|public|strategy_nodes|kb_apply|SELECT|false",
|
|
"table_acl|public|strategy_nodes|kb_apply|INSERT|false",
|
|
"table_acl|public|strategy_nodes|kb_apply|UPDATE|false",
|
|
"table_acl|public|claim_evidence|kb_apply|SELECT|false",
|
|
"table_acl|public|claim_evidence|kb_apply|INSERT|false",
|
|
"table_acl|public|claim_edges|kb_apply|SELECT|false",
|
|
"table_acl|public|claim_edges|kb_apply|INSERT|false",
|
|
"table_acl|public|claims|kb_apply|SELECT|false",
|
|
"table_acl|public|claims|kb_apply|INSERT|false",
|
|
"table_acl|public|sources|kb_apply|SELECT|false",
|
|
"table_acl|public|sources|kb_apply|INSERT|false",
|
|
"table_acl|public|reasoning_tools|kb_apply|SELECT|false",
|
|
"table_acl|public|reasoning_tools|kb_apply|INSERT|false",
|
|
"table_acl|kb_stage|kb_proposals|kb_gate_owner|SELECT|false",
|
|
"table_acl|kb_stage|kb_proposals|kb_gate_owner|UPDATE|false",
|
|
"table_acl|kb_stage|kb_proposals|kb_apply|SELECT|false",
|
|
"table_acl|kb_stage|kb_proposals|kb_review|SELECT|false",
|
|
}
|
|
assert {line for line in snapshot_lines if line.startswith("table_acl|")} == expected_table_acls
|
|
assert {line for line in snapshot_lines if line.startswith("function_acl|")} == {
|
|
"function_acl|approve_strict_proposal(uuid, text, jsonb, text, text)|kb_review|EXECUTE|false",
|
|
"function_acl|assert_approved_proposal(uuid, text, jsonb, text, uuid, timestamp with time zone, text)|"
|
|
"kb_apply|EXECUTE|false",
|
|
"function_acl|finish_approved_proposal(uuid, text, jsonb, text, uuid, timestamp with time zone, text, text)|"
|
|
"kb_apply|EXECUTE|false",
|
|
}
|
|
|
|
|
|
def test_migration_rerun_preserves_catalog_snapshot(migrated_postgres: str) -> None:
|
|
before = _catalog_snapshot(migrated_postgres)
|
|
_apply_migration(migrated_postgres)
|
|
assert _catalog_snapshot(migrated_postgres) == before
|
|
|
|
|
|
def _assert_migration_fails(container: str, expected_error: str) -> None:
|
|
completed = _apply_migration(container, check=False)
|
|
assert completed.returncode != 0
|
|
assert expected_error in completed.stderr
|
|
|
|
|
|
def test_migration_fails_closed_on_protected_role_membership(migrated_postgres: str) -> None:
|
|
_psql(migrated_postgres, "grant broad_writer to kb_apply;")
|
|
try:
|
|
_assert_migration_fails(migrated_postgres, "unexpected protected role membership")
|
|
finally:
|
|
_psql(migrated_postgres, "revoke broad_writer from kb_apply;")
|
|
|
|
|
|
def test_migration_fails_closed_on_ownership_drift(migrated_postgres: str) -> None:
|
|
_psql(migrated_postgres, "alter table kb_stage.kb_proposal_approvals owner to rogue_owner;")
|
|
try:
|
|
_assert_migration_fails(migrated_postgres, "unexpected protected table owner")
|
|
finally:
|
|
_psql(migrated_postgres, "alter table kb_stage.kb_proposal_approvals owner to kb_gate_owner;")
|
|
|
|
|
|
def test_migration_fails_closed_on_unexpected_table_grantee(migrated_postgres: str) -> None:
|
|
_psql(migrated_postgres, "grant select on kb_stage.kb_proposal_approvals to rogue_grantee;")
|
|
try:
|
|
_assert_migration_fails(migrated_postgres, "unexpected protected table grantee")
|
|
finally:
|
|
_psql(migrated_postgres, "revoke all on kb_stage.kb_proposal_approvals from rogue_grantee;")
|
|
|
|
|
|
def test_migration_fails_closed_on_unexpected_column_grantee(migrated_postgres: str) -> None:
|
|
_psql(
|
|
migrated_postgres,
|
|
"grant select (review_note) on kb_stage.kb_proposal_approvals to rogue_grantee;",
|
|
)
|
|
try:
|
|
_assert_migration_fails(migrated_postgres, "unexpected protected table grantee")
|
|
finally:
|
|
_psql(
|
|
migrated_postgres,
|
|
"revoke select (review_note) on kb_stage.kb_proposal_approvals from rogue_grantee;",
|
|
)
|
|
|
|
|
|
def test_migration_fails_closed_on_unexpected_function_grantee(migrated_postgres: str) -> None:
|
|
signature = "kb_stage.assert_approved_proposal(uuid,text,jsonb,text,uuid,timestamptz,text)"
|
|
_psql(migrated_postgres, f"grant execute on function {signature} to rogue_grantee;")
|
|
try:
|
|
_assert_migration_fails(migrated_postgres, "unexpected protected function grantee")
|
|
finally:
|
|
_psql(migrated_postgres, f"revoke all on function {signature} from rogue_grantee;")
|
|
|
|
|
|
def test_migration_fails_closed_on_unexpected_gate_overload(migrated_postgres: str) -> None:
|
|
_psql(
|
|
migrated_postgres,
|
|
"""
|
|
create function kb_stage.assert_approved_proposal(text)
|
|
returns void language sql security definer as $function$ select $function$;
|
|
""",
|
|
)
|
|
try:
|
|
_assert_migration_fails(migrated_postgres, "unexpected protected function overload")
|
|
finally:
|
|
_psql(migrated_postgres, "drop function kb_stage.assert_approved_proposal(text);")
|