roof
fa746a3b30
Unit Tests / test (push) Successful in 9m50s
`make reinstall`/`uninstall` run `rm -rf config/`, which deletes the git-tracked
config/cosign/cosign.pub. Nothing recreated it, so after any clean reinstall the
bind-mounted key was missing and cosign verification failed for EVERY store
service under the default enforce mode ("loading public key: open
/app/config/cosign/cosign.pub: no such file or directory") — store installs were
completely broken on a fresh install. Found during clean-build pic1 verification.
setup_cell.ensure_cosign_pubkey() now restores the key from git HEAD on every
setup (best-effort; warns rather than fails outside a git checkout). Also fixes
the stale service_composer comment that claimed a Dockerfile COPY that never
existed.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
68 lines
2.6 KiB
Python
68 lines
2.6 KiB
Python
"""Tests for scripts/setup_cell.py setup helpers."""
|
|
import os
|
|
import sys
|
|
import shutil
|
|
import subprocess
|
|
import tempfile
|
|
import unittest
|
|
from pathlib import Path
|
|
|
|
sys.path.insert(0, str(Path(__file__).parent.parent / 'scripts'))
|
|
import setup_cell # noqa: E402
|
|
|
|
|
|
class TestEnsureCosignPubkey(unittest.TestCase):
|
|
"""ensure_cosign_pubkey restores the tracked key after a `rm -rf config/`.
|
|
|
|
Regression: `make reinstall`/`uninstall` wipe config/, deleting the tracked
|
|
config/cosign/cosign.pub; without restore, enforce-mode store installs break.
|
|
"""
|
|
|
|
KEY_REL = os.path.join('config', 'cosign', 'cosign.pub')
|
|
KEY_BODY = '-----BEGIN PUBLIC KEY-----\nTESTKEYDATA\n-----END PUBLIC KEY-----\n'
|
|
|
|
def setUp(self):
|
|
self.tmp = tempfile.mkdtemp()
|
|
env = {**os.environ, 'GIT_CONFIG_GLOBAL': '/dev/null', 'GIT_CONFIG_SYSTEM': '/dev/null'}
|
|
subprocess.run(['git', 'init', '-q', self.tmp], check=True, env=env)
|
|
subprocess.run(['git', '-C', self.tmp, 'config', 'user.email', 't@t'], check=True)
|
|
subprocess.run(['git', '-C', self.tmp, 'config', 'user.name', 't'], check=True)
|
|
self.key = os.path.join(self.tmp, self.KEY_REL)
|
|
os.makedirs(os.path.dirname(self.key))
|
|
with open(self.key, 'w') as f:
|
|
f.write(self.KEY_BODY)
|
|
subprocess.run(['git', '-C', self.tmp, 'add', '-A'], check=True)
|
|
subprocess.run(['git', '-C', self.tmp, 'commit', '-qm', 'init'], check=True, env=env)
|
|
self._root = setup_cell.ROOT
|
|
setup_cell.ROOT = self.tmp
|
|
|
|
def tearDown(self):
|
|
setup_cell.ROOT = self._root
|
|
shutil.rmtree(self.tmp, ignore_errors=True)
|
|
|
|
def test_restores_key_when_wiped(self):
|
|
os.remove(self.key)
|
|
shutil.rmtree(os.path.dirname(self.key)) # mimic `rm -rf config/`
|
|
self.assertFalse(os.path.exists(self.key))
|
|
setup_cell.ensure_cosign_pubkey()
|
|
self.assertTrue(os.path.exists(self.key))
|
|
self.assertEqual(open(self.key).read(), self.KEY_BODY)
|
|
|
|
def test_noop_when_key_present(self):
|
|
setup_cell.ensure_cosign_pubkey()
|
|
self.assertEqual(open(self.key).read(), self.KEY_BODY)
|
|
|
|
def test_warns_not_raises_outside_git(self):
|
|
# Not a git checkout and key missing → must warn, never raise.
|
|
non_git = tempfile.mkdtemp()
|
|
setup_cell.ROOT = non_git
|
|
try:
|
|
setup_cell.ensure_cosign_pubkey() # should not raise
|
|
self.assertFalse(os.path.exists(os.path.join(non_git, self.KEY_REL)))
|
|
finally:
|
|
shutil.rmtree(non_git, ignore_errors=True)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
unittest.main()
|