forjar 1.4.2

Rust-native Infrastructure as Code — bare-metal first, BLAKE3 state, provenance tracing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180

//! Coverage tests for validate_ordering_b.rs — FJ-953→FJ-985.

#![allow(unused_imports)]
use super::validate_ordering_b::*;
use std::io::Write;

#[cfg(test)]
mod tests {
    use super::*;

    fn write_cfg(yaml: &str) -> tempfile::NamedTempFile {
        let mut f = tempfile::NamedTempFile::new().unwrap();
        f.write_all(yaml.as_bytes()).unwrap();
        f.flush().unwrap();
        f
    }

    const BASE: &str = "version: '1'\nname: test\nmachines:\n  m1:\n    hostname: m1\n    addr: 1.2.3.4\n";

    // FJ-961: dependency refs
    #[test]
    fn test_dep_refs_valid() {
        let f = write_cfg(&format!("{BASE}resources:\n  a:\n    machine: m1\n    type: file\n    path: /a\n    content: a\n    depends_on:\n      - b\n  b:\n    machine: m1\n    type: file\n    path: /b\n    content: b\n"));
        assert!(cmd_validate_check_resource_dependency_refs(f.path(), false).is_ok());
    }

    #[test]
    fn test_dep_refs_missing() {
        let f = write_cfg(&format!("{BASE}resources:\n  a:\n    machine: m1\n    type: file\n    path: /a\n    content: a\n    depends_on:\n      - ghost\n"));
        assert!(cmd_validate_check_resource_dependency_refs(f.path(), false).is_ok());
    }

    #[test]
    fn test_dep_refs_missing_trigger() {
        let f = write_cfg(&format!("{BASE}resources:\n  a:\n    machine: m1\n    type: file\n    path: /a\n    content: a\n    triggers:\n      - ghost\n"));
        assert!(cmd_validate_check_resource_dependency_refs(f.path(), false).is_ok());
    }

    #[test]
    fn test_dep_refs_json() {
        let f = write_cfg(&format!("{BASE}resources:\n  a:\n    machine: m1\n    type: file\n    path: /a\n    content: a\n    depends_on:\n      - ghost\n"));
        assert!(cmd_validate_check_resource_dependency_refs(f.path(), true).is_ok());
    }

    // FJ-965: trigger refs
    #[test]
    fn test_trigger_refs_valid() {
        let f = write_cfg(&format!("{BASE}resources:\n  a:\n    machine: m1\n    type: file\n    path: /a\n    content: a\n    triggers:\n      - b\n  b:\n    machine: m1\n    type: service\n    name: nginx\n"));
        assert!(cmd_validate_check_resource_trigger_refs(f.path(), false).is_ok());
    }

    #[test]
    fn test_trigger_refs_invalid() {
        let f = write_cfg(&format!("{BASE}resources:\n  a:\n    machine: m1\n    type: file\n    path: /a\n    content: a\n    triggers:\n      - nonexistent\n"));
        assert!(cmd_validate_check_resource_trigger_refs(f.path(), false).is_ok());
    }

    #[test]
    fn test_trigger_refs_json() {
        let f = write_cfg(&format!("{BASE}resources:\n  a:\n    machine: m1\n    type: file\n    path: /a\n    content: a\n    triggers:\n      - ghost\n"));
        assert!(cmd_validate_check_resource_trigger_refs(f.path(), true).is_ok());
    }

    // FJ-969: param type safety
    #[test]
    fn test_param_type_safety_ok() {
        let f = write_cfg(&format!("{BASE}params:\n  http_port: 8080\n  app_path: /opt/app\nresources:\n  pkg:\n    machine: m1\n    type: package\n    name: nginx\n"));
        assert!(cmd_validate_check_resource_param_type_safety(f.path(), false).is_ok());
    }

    #[test]
    fn test_param_type_safety_bad_port() {
        let f = write_cfg(&format!("{BASE}params:\n  http_port: not_a_number\nresources:\n  pkg:\n    machine: m1\n    type: package\n    name: nginx\n"));
        assert!(cmd_validate_check_resource_param_type_safety(f.path(), false).is_ok());
    }

    #[test]
    fn test_param_type_safety_bad_path() {
        let f = write_cfg(&format!("{BASE}params:\n  data_dir: relative_path\nresources:\n  pkg:\n    machine: m1\n    type: package\n    name: nginx\n"));
        assert!(cmd_validate_check_resource_param_type_safety(f.path(), false).is_ok());
    }

    #[test]
    fn test_param_type_safety_json() {
        let f = write_cfg(&format!("{BASE}params:\n  http_port: abc\nresources:\n  pkg:\n    machine: m1\n    type: package\n    name: nginx\n"));
        assert!(cmd_validate_check_resource_param_type_safety(f.path(), true).is_ok());
    }

    // FJ-953: machine balance
    #[test]
    fn test_machine_balance_balanced() {
        let yaml = "version: '1'\nname: test\nmachines:\n  m1:\n    hostname: m1\n    addr: 1.2.3.4\n  m2:\n    hostname: m2\n    addr: 5.6.7.8\nresources:\n  a:\n    machine: m1\n    type: package\n    name: nginx\n  b:\n    machine: m2\n    type: package\n    name: curl\n";
        let f = write_cfg(yaml);
        assert!(cmd_validate_check_resource_machine_balance(f.path(), false).is_ok());
    }

    #[test]
    fn test_machine_balance_imbalanced() {
        let yaml = "version: '1'\nname: test\nmachines:\n  m1:\n    hostname: m1\n    addr: 1.2.3.4\n  m2:\n    hostname: m2\n    addr: 5.6.7.8\nresources:\n  a:\n    machine: m1\n    type: package\n    name: nginx\n  b:\n    machine: m1\n    type: package\n    name: curl\n  c:\n    machine: m1\n    type: package\n    name: vim\n";
        let f = write_cfg(yaml);
        assert!(cmd_validate_check_resource_machine_balance(f.path(), false).is_ok());
    }

    #[test]
    fn test_machine_balance_json() {
        let yaml = "version: '1'\nname: test\nmachines:\n  m1:\n    hostname: m1\n    addr: 1.2.3.4\nresources:\n  a:\n    machine: m1\n    type: package\n    name: nginx\n";
        let f = write_cfg(yaml);
        assert!(cmd_validate_check_resource_machine_balance(f.path(), true).is_ok());
    }

    // FJ-973: env consistency
    #[test]
    fn test_env_consistency_ok() {
        let f = write_cfg(&format!("{BASE}params:\n  port: 8080\nresources:\n  cfg:\n    machine: m1\n    type: file\n    path: /a\n    content: \"port={{{{port}}}}\"\n"));
        assert!(cmd_validate_check_resource_env_consistency(f.path(), false).is_ok());
    }

    #[test]
    fn test_env_consistency_undeclared() {
        let f = write_cfg(&format!("{BASE}resources:\n  cfg:\n    machine: m1\n    type: file\n    path: /a\n    content: \"port={{{{undeclared}}}}\"\n"));
        assert!(cmd_validate_check_resource_env_consistency(f.path(), false).is_ok());
    }

    #[test]
    fn test_env_consistency_json() {
        let f = write_cfg(&format!("{BASE}resources:\n  cfg:\n    machine: m1\n    type: file\n    path: /a\n    content: \"{{{{missing}}}}\"\n"));
        assert!(cmd_validate_check_resource_env_consistency(f.path(), true).is_ok());
    }

    // FJ-977: secret rotation
    #[test]
    fn test_secret_rotation_ok() {
        let f = write_cfg(&format!("{BASE}resources:\n  db-secret:\n    machine: m1\n    type: file\n    path: /etc/secret\n    content: s3cr3t\n    tags:\n      - rotate-90d\n"));
        assert!(cmd_validate_check_resource_secret_rotation(f.path(), false).is_ok());
    }

    #[test]
    fn test_secret_rotation_missing_tags() {
        let f = write_cfg(&format!("{BASE}resources:\n  db-secret:\n    machine: m1\n    type: file\n    path: /etc/secret\n    content: s3cr3t\n"));
        assert!(cmd_validate_check_resource_secret_rotation(f.path(), false).is_ok());
    }

    #[test]
    fn test_secret_rotation_json() {
        let f = write_cfg(&format!("{BASE}resources:\n  api-token:\n    machine: m1\n    type: file\n    path: /etc/token\n    content: tok\n"));
        assert!(cmd_validate_check_resource_secret_rotation(f.path(), true).is_ok());
    }

    // FJ-981: lifecycle completeness
    #[test]
    fn test_lifecycle_complete() {
        let f = write_cfg(&format!("{BASE}resources:\n  cfg:\n    machine: m1\n    type: file\n    path: /a\n    content: hi\n    tags:\n      - web\n"));
        assert!(cmd_validate_check_resource_lifecycle_completeness(f.path(), false).is_ok());
    }

    #[test]
    fn test_lifecycle_incomplete() {
        let f = write_cfg(&format!("{BASE}resources:\n  pkg:\n    machine: m1\n    type: package\n    name: nginx\n"));
        assert!(cmd_validate_check_resource_lifecycle_completeness(f.path(), false).is_ok());
    }

    #[test]
    fn test_lifecycle_json() {
        let f = write_cfg(&format!("{BASE}resources:\n  pkg:\n    machine: m1\n    type: package\n    name: nginx\n"));
        assert!(cmd_validate_check_resource_lifecycle_completeness(f.path(), true).is_ok());
    }

    // FJ-985: provider compatibility
    #[test]
    fn test_provider_compat_ok() {
        let f = write_cfg(&format!("{BASE}resources:\n  pkg:\n    machine: m1\n    type: package\n    name: nginx\n"));
        assert!(cmd_validate_check_resource_provider_compatibility(f.path(), false).is_ok());
    }

    #[test]
    fn test_provider_compat_json() {
        let f = write_cfg(&format!("{BASE}resources:\n  pkg:\n    machine: m1\n    type: package\n    name: nginx\n"));
        assert!(cmd_validate_check_resource_provider_compatibility(f.path(), true).is_ok());
    }
}