Defect A - invariants: - task_capability_map.ROLE_EXCLUSIVE_TASKS is now the single shared definition of role-exclusive tasks; the resolver's inline copy is gone (AC1/AC5 drift surface removed). - tests: every role-exclusive task must exist in the capability map; formal-review tasks stay role-exclusive; canonical merger satisfies merge_pr; canonical reconciler satisfies branch-cleanup tasks (extends the #722 break-glass invariant suite). Defect B - unactionable internal_error: - AC3: gitea_resolve_task_capability records the capability purity baseline first but stamps _preflight_resolved_role/_task only for an ALLOWED resolve; a denied resolve clears any stale stamp (_clear_resolved_capability_stamp) so later mutation preflights key off the real profile role. - AC4: _evaluate_pr_review_submission converts _verify_role_mutation_workspace failures (role binding, stale runtime) into result reasons with blocker_kind=workspace_role_binding instead of letting RuntimeError escape as a generic internal_error. - AC5: _build_runtime_task_capabilities applies the resolver's role-exclusive filter when given the active role kind and labels each entry role_filtered/permission_only; matching_configured_profiles honors declared profile roles for role-exclusive tasks. Validation: focused suites 22 passed (+48 subtests); adjacent resolver/ runtime/review suites 72 passed; full suite 2929 passed, 6 skipped, 221 subtests (single pre-existing Starlette warning, #682). Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
250 lines
8.9 KiB
Python
250 lines
8.9 KiB
Python
"""Invariant tests pinning task_capability_map role assignments (#722/#723).
|
|
|
|
Added with the operator-authorized break-glass repair for incident #722:
|
|
commit 970e68b remapped ten reviewer tasks to ``role="merger"`` while every
|
|
configured merger profile forbids the review permissions, so no configured
|
|
profile could resolve any formal review task (``matching_configured_profile``
|
|
was empty repository-wide). These tests fail loudly if that class of
|
|
regression recurs:
|
|
|
|
- every role-exclusive formal-review task must be satisfiable by at least one
|
|
canonical role profile (permission AND role together);
|
|
- the capability map must agree with ``role_session_router`` task sets;
|
|
- ``adopt_merger_pr_lease`` stays merger-only (the legitimate hunk of
|
|
970e68b, preserved by the repair);
|
|
- merger profiles must not be able to resolve review_pr/approve_pr.
|
|
"""
|
|
|
|
import unittest
|
|
|
|
import gitea_config
|
|
from role_session_router import MERGER_TASKS, REVIEWER_TASKS
|
|
from task_capability_map import (
|
|
ROLE_EXCLUSIVE_TASKS,
|
|
TASK_CAPABILITY_MAP,
|
|
required_permission,
|
|
required_role,
|
|
)
|
|
|
|
# Canonical role-profile permission shape. Mirrors the configured
|
|
# author/reviewer/merger/reconciler profiles (profiles.json v2 role split):
|
|
# reviewers review/approve/request changes but never merge; mergers merge but
|
|
# never review/approve/request changes.
|
|
CANONICAL_ROLE_PROFILES = {
|
|
"author": {
|
|
"allowed": [
|
|
"gitea.read",
|
|
"gitea.branch.create",
|
|
"gitea.branch.push",
|
|
"gitea.repo.commit",
|
|
"gitea.pr.create",
|
|
"gitea.pr.comment",
|
|
"gitea.issue.create",
|
|
"gitea.issue.comment",
|
|
"gitea.issue.close",
|
|
],
|
|
"forbidden": [
|
|
"gitea.pr.approve",
|
|
"gitea.pr.request_changes",
|
|
"gitea.pr.merge",
|
|
],
|
|
},
|
|
"reviewer": {
|
|
"allowed": [
|
|
"gitea.read",
|
|
"gitea.pr.review",
|
|
"gitea.pr.approve",
|
|
"gitea.pr.request_changes",
|
|
"gitea.pr.comment",
|
|
"gitea.issue.comment",
|
|
],
|
|
"forbidden": [
|
|
"gitea.branch.create",
|
|
"gitea.branch.push",
|
|
"gitea.repo.commit",
|
|
"gitea.pr.create",
|
|
"gitea.pr.merge",
|
|
],
|
|
},
|
|
"merger": {
|
|
"allowed": [
|
|
"gitea.read",
|
|
"gitea.pr.merge",
|
|
"gitea.pr.comment",
|
|
"gitea.issue.comment",
|
|
],
|
|
"forbidden": [
|
|
"gitea.branch.create",
|
|
"gitea.branch.push",
|
|
"gitea.repo.commit",
|
|
"gitea.pr.create",
|
|
"gitea.pr.approve",
|
|
"gitea.pr.review",
|
|
"gitea.pr.request_changes",
|
|
],
|
|
},
|
|
"reconciler": {
|
|
"allowed": [
|
|
"gitea.read",
|
|
"gitea.pr.close",
|
|
"gitea.pr.comment",
|
|
"gitea.issue.comment",
|
|
"gitea.branch.delete",
|
|
"gitea.decision_lock.irrecoverable_recovery",
|
|
],
|
|
"forbidden": [
|
|
"gitea.pr.approve",
|
|
"gitea.pr.merge",
|
|
"gitea.pr.review",
|
|
"gitea.pr.request_changes",
|
|
"gitea.pr.create",
|
|
"gitea.branch.create",
|
|
"gitea.branch.push",
|
|
"gitea.repo.commit",
|
|
],
|
|
},
|
|
}
|
|
|
|
# Role-exclusive formal-review tasks (mirrors the resolver's role-exclusive
|
|
# handling for review work): permission alone is not enough — the profile's
|
|
# role kind must also match, so both dimensions are pinned here.
|
|
FORMAL_REVIEW_TASKS = (
|
|
"review_pr",
|
|
"approve_pr",
|
|
"request_changes_pr",
|
|
"blind_pr_queue_review",
|
|
"pr_queue_cleanup",
|
|
"pr-queue-cleanup",
|
|
)
|
|
|
|
|
|
def _profile_satisfies(role_name, task):
|
|
"""True when the canonical *role_name* profile can perform *task*."""
|
|
profile = CANONICAL_ROLE_PROFILES[role_name]
|
|
ok, _reason = gitea_config.check_operation(
|
|
required_permission(task), profile["allowed"], profile["forbidden"]
|
|
)
|
|
return ok and role_name == required_role(task)
|
|
|
|
|
|
class TestFormalReviewProfileCoverage(unittest.TestCase):
|
|
"""#722: some configured profile must be able to formally review."""
|
|
|
|
def test_every_formal_review_task_has_a_satisfying_role_profile(self):
|
|
for task in FORMAL_REVIEW_TASKS:
|
|
with self.subTest(task=task):
|
|
satisfying = [
|
|
role
|
|
for role in CANONICAL_ROLE_PROFILES
|
|
if _profile_satisfies(role, task)
|
|
]
|
|
self.assertTrue(
|
|
satisfying,
|
|
f"no canonical role profile satisfies both permission "
|
|
f"{required_permission(task)!r} and role "
|
|
f"{required_role(task)!r} for task {task!r} — formal "
|
|
f"review would be impossible for every configured "
|
|
f"profile (incident #722)",
|
|
)
|
|
|
|
def test_formal_review_tasks_are_reviewer_role(self):
|
|
for task in FORMAL_REVIEW_TASKS:
|
|
with self.subTest(task=task):
|
|
self.assertEqual(required_role(task), "reviewer")
|
|
|
|
|
|
class TestMapRouterAgreement(unittest.TestCase):
|
|
"""#723 AC2: the map and the role session router must not drift."""
|
|
|
|
def test_reviewer_tasks_map_to_reviewer_role(self):
|
|
for task in sorted(REVIEWER_TASKS):
|
|
with self.subTest(task=task):
|
|
self.assertEqual(
|
|
required_role(task),
|
|
"reviewer",
|
|
f"router classifies {task!r} as a reviewer task but the "
|
|
f"capability map assigns role {required_role(task)!r}",
|
|
)
|
|
|
|
def test_merger_tasks_map_to_merger_role(self):
|
|
for task in sorted(MERGER_TASKS):
|
|
with self.subTest(task=task):
|
|
self.assertEqual(
|
|
required_role(task),
|
|
"merger",
|
|
f"router classifies {task!r} as a merger task but the "
|
|
f"capability map assigns role {required_role(task)!r}",
|
|
)
|
|
|
|
|
|
class TestMergerBoundary(unittest.TestCase):
|
|
"""Preserve the legitimate hunk of 970e68b and the merger fence."""
|
|
|
|
def test_adopt_merger_pr_lease_requires_merger_role(self):
|
|
self.assertEqual(required_role("adopt_merger_pr_lease"), "merger")
|
|
self.assertEqual(
|
|
required_permission("adopt_merger_pr_lease"), "gitea.pr.comment"
|
|
)
|
|
|
|
def test_merge_pr_requires_merger_role(self):
|
|
self.assertEqual(required_role("merge_pr"), "merger")
|
|
self.assertEqual(required_permission("merge_pr"), "gitea.pr.merge")
|
|
|
|
def test_merger_profile_cannot_resolve_formal_review_tasks(self):
|
|
merger = CANONICAL_ROLE_PROFILES["merger"]
|
|
for task in ("review_pr", "approve_pr", "request_changes_pr"):
|
|
with self.subTest(task=task):
|
|
ok, reason = gitea_config.check_operation(
|
|
required_permission(task),
|
|
merger["allowed"],
|
|
merger["forbidden"],
|
|
)
|
|
self.assertFalse(
|
|
ok,
|
|
f"merger profile must not hold {task!r} permission "
|
|
f"(got reason {reason!r})",
|
|
)
|
|
|
|
|
|
class TestRoleExclusiveSetIntegrity(unittest.TestCase):
|
|
"""#723 AC1/AC5: the shared role-exclusive set stays coherent."""
|
|
|
|
def test_every_role_exclusive_task_exists_in_capability_map(self):
|
|
for task in sorted(ROLE_EXCLUSIVE_TASKS):
|
|
with self.subTest(task=task):
|
|
self.assertIn(
|
|
task,
|
|
TASK_CAPABILITY_MAP,
|
|
f"role-exclusive task {task!r} missing from the "
|
|
f"capability map — required_role() would raise and the "
|
|
f"resolver would 500 instead of failing closed",
|
|
)
|
|
|
|
def test_formal_review_tasks_are_role_exclusive(self):
|
|
for task in FORMAL_REVIEW_TASKS:
|
|
with self.subTest(task=task):
|
|
self.assertIn(task, ROLE_EXCLUSIVE_TASKS)
|
|
|
|
def test_merge_pr_is_role_exclusive_and_merger_satisfiable(self):
|
|
"""AC1 merger equivalent: merging must stay possible for a canonical
|
|
merger profile (permission AND role together)."""
|
|
self.assertIn("merge_pr", ROLE_EXCLUSIVE_TASKS)
|
|
self.assertTrue(
|
|
_profile_satisfies("merger", "merge_pr"),
|
|
"no canonical merger profile satisfies merge_pr — merging would "
|
|
"be impossible for every configured profile",
|
|
)
|
|
|
|
def test_reconciler_cleanup_tasks_stay_reconciler_satisfiable(self):
|
|
for task in ("cleanup_merged_pr_branch", "reconciliation_cleanup"):
|
|
with self.subTest(task=task):
|
|
self.assertIn(task, ROLE_EXCLUSIVE_TASKS)
|
|
self.assertTrue(
|
|
_profile_satisfies("reconciler", task),
|
|
f"no canonical reconciler profile satisfies {task!r}",
|
|
)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main()
|