greentic-deployer-dev 1.1.27434236067

Greentic deployer runtime for plan construction and deployment-pack dispatch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

use std::fs;
use std::path::{Path, PathBuf};

use greentic_deployer::contract::DeployerContractV1;
use serde_json::Value as JsonValue;
use serde_yaml_bw as serde_yaml;

fn fixture_root() -> PathBuf {
    PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("fixtures/packs/snap")
}

fn load_json(path: &Path) -> JsonValue {
    let text = fs::read_to_string(path).expect("read json fixture");
    serde_json::from_str(&text).expect("parse json fixture")
}

fn validate_with_schema(schema_path: &Path, instance_path: &Path) {
    let schema = load_json(schema_path);
    let instance = load_json(instance_path);
    let compiled = jsonschema::validator_for(&schema).expect("compile schema");
    let errors = compiled.iter_errors(&instance).collect::<Vec<_>>();
    assert!(
        errors.is_empty(),
        "schema {} rejected {}: {:?}",
        schema_path.display(),
        instance_path.display(),
        errors
    );
}

fn load_snapcraft(path: &Path) -> serde_yaml::Value {
    let text = fs::read_to_string(path).expect("read snapcraft");
    serde_yaml::from_str(&text).expect("parse snapcraft")
}

#[test]
fn snap_contract_references_existing_assets() {
    let root = fixture_root();
    let contract_path = root.join("contract.greentic.deployer.v1.json");
    let contract: DeployerContractV1 =
        serde_json::from_value(load_json(&contract_path)).expect("parse contract");
    contract.validate().expect("valid contract");

    for capability in &contract.capabilities {
        for path in [
            capability.input_schema_ref.as_deref(),
            capability.output_schema_ref.as_deref(),
            capability.execution_output_schema_ref.as_deref(),
            capability.qa_spec_ref.as_deref(),
        ]
        .into_iter()
        .flatten()
        {
            assert!(
                root.join(path).exists(),
                "missing referenced asset {}",
                path
            );
        }
        for example in &capability.example_refs {
            assert!(root.join(example).exists(), "missing example {}", example);
        }
    }
}

#[test]
fn snap_examples_validate_against_pack_schemas() {
    let root = fixture_root();
    validate_with_schema(
        &root.join("assets/schemas/generate-input.schema.json"),
        &root.join("assets/examples/fetch-request.json"),
    );
    validate_with_schema(
        &root.join("assets/schemas/generate-input.schema.json"),
        &root.join("assets/examples/embedded-request.json"),
    );
    validate_with_schema(
        &root.join("assets/schemas/generate-output.schema.json"),
        &root.join("assets/examples/fetch-output.json"),
    );
    validate_with_schema(
        &root.join("assets/schemas/generate-output.schema.json"),
        &root.join("assets/examples/embedded-output.json"),
    );
}

#[test]
fn snap_fixture_has_both_fetch_and_embedded_outputs() {
    let root = fixture_root();
    assert!(root.join("snap/fetch/snapcraft.yaml").exists());
    assert!(root.join("snap/embedded/snapcraft.yaml").exists());
}

#[test]
fn snap_fetch_mode_models_runtime_fetch_and_writable_dirs() {
    let snapcraft = load_snapcraft(&fixture_root().join("snap/fetch/snapcraft.yaml"));
    let env = &snapcraft["apps"]["operator"]["environment"];

    assert_eq!(env["GREENTIC_BUNDLE_MODE"].as_str(), Some("fetch"));
    assert!(
        env["GREENTIC_BUNDLE_DIGEST"]
            .as_str()
            .expect("bundle digest")
            .starts_with("sha256:")
    );
    assert_eq!(
        env["GREENTIC_BUNDLE_READER"].as_str(),
        Some("userspace-squashfs")
    );
    assert_eq!(
        env["GREENTIC_STATE_PATH"].as_str(),
        Some("$SNAP_COMMON/state")
    );
    assert_eq!(
        env["GREENTIC_CACHE_PATH"].as_str(),
        Some("$SNAP_COMMON/cache")
    );
    assert_eq!(env["GREENTIC_LOG_PATH"].as_str(), Some("$SNAP_COMMON/logs"));
}

#[test]
fn snap_embedded_mode_requires_internal_bundle_path() {
    let snapcraft = load_snapcraft(&fixture_root().join("snap/embedded/snapcraft.yaml"));
    let env = &snapcraft["apps"]["operator"]["environment"];

    assert_eq!(env["GREENTIC_BUNDLE_MODE"].as_str(), Some("embedded"));
    assert_eq!(
        env["GREENTIC_BUNDLE_PATH"].as_str(),
        Some("$SNAP/bundles/operator.bundle")
    );
    assert_eq!(
        env["GREENTIC_BUNDLE_READER"].as_str(),
        Some("userspace-squashfs")
    );
}

#[test]
fn snap_security_defaults_avoid_shell_and_privileged_mounts() {
    let fetch = fs::read_to_string(fixture_root().join("snap/fetch/snapcraft.yaml"))
        .expect("read fetch snapcraft");
    let embedded = fs::read_to_string(fixture_root().join("snap/embedded/snapcraft.yaml"))
        .expect("read embedded snapcraft");
    let combined = format!("{fetch}\n{embedded}");

    assert!(!combined.contains("sh -c"));
    assert!(!combined.contains("mount-control"));
    assert!(!combined.contains("privileged"));
    assert!(combined.contains("network-bind"));
}

#[test]
fn snap_admin_and_runtime_paths_are_private_and_documented() {
    let fetch = load_snapcraft(&fixture_root().join("snap/fetch/snapcraft.yaml"));
    let env = &fetch["apps"]["operator"]["environment"];
    assert_eq!(
        env["GREENTIC_ADMIN_LISTEN"].as_str(),
        Some("127.0.0.1:8081")
    );
    assert_eq!(env["REDIS_URL"].as_str(), Some("redis://127.0.0.1:6379/0"));
    assert_eq!(env["GREENTIC_CACHE_SIZE_HINT_MB"].as_str(), Some("512"));
}