@nitra/cursor 1.8.222 → 1.8.228
- package/CHANGELOG.md +54 -0
- package/bin/n-cursor.js +3 -2
- package/mdc/abie.mdc +13 -0
- package/mdc/ci4.mdc +8 -0
- package/package.json +1 -1
- package/policy/abie/base_deployment_preem/base_deployment_preem.rego +56 -0
- package/policy/abie/base_deployment_preem/base_deployment_preem_test.rego +60 -0
- package/policy/abie/clean_merged_ignore_branches/clean_merged_ignore_branches.rego +100 -0
- package/policy/abie/clean_merged_ignore_branches/clean_merged_ignore_branches_test.rego +48 -0
- package/policy/abie/health_check_policy/health_check_policy.rego +91 -22
- package/policy/abie/health_check_policy/health_check_policy_test.rego +99 -0
- package/policy/abie/http_route_base/http_route_base_test.rego +64 -0
- package/scripts/check-abie.mjs +102 -369
- package/scripts/check-ga.mjs +89 -9
- package/scripts/check-k8s.mjs +128 -569
- package/scripts/lint-conftest.mjs +25 -2
- package/scripts/lint-ga.mjs +18 -132
- package/scripts/utils/run-conftest-batch.mjs +117 -0
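--- a/package/policy/abie/health_check_policy/health_check_policy_test.rego
+++ b/package/policy/abie/health_check_policy/health_check_policy_test.rego
@@ -0,0 +1,99 @@
+# Тести для `abie.health_check_policy`. Запуск:
+# conftest verify -p npm/policy/abie/health_check_policy
+package abie.health_check_policy_test
+
+import rego.v1
+
+import data.abie.health_check_policy
+
+valid_hcp := {
+"apiVersion": "networking.gke.io/v1",
+"kind": "HealthCheckPolicy",
+"metadata": {"name": "api"},
+"spec": {
+"default": {"config": {
+"type": "HTTP",
+"httpHealthCheck": {"requestPath": "/healthz", "port": 8080},
+}},
+"targetRef": {"group": "", "kind": "Service", "name": "api-hl"},
+},
+}
+
+# ── happy path ────────────────────────────────────────────────────────────
+
+test_allow_canonical if {
+count(health_check_policy.deny) == 0 with input as valid_hcp
+}
+
+# ── apiVersion ────────────────────────────────────────────────────────────
+
+test_deny_wrong_api_version if {
+bad := json.patch(valid_hcp, [{"op": "replace", "path": "/apiVersion", "value": "networking.gke.io/v1beta1"}])
+count(health_check_policy.deny) > 0 with input as bad
+}
+
+# ── metadata.name ─────────────────────────────────────────────────────────
+
+test_deny_empty_name if {
+bad := json.patch(valid_hcp, [{"op": "replace", "path": "/metadata/name", "value": ""}])
+count(health_check_policy.deny) > 0 with input as bad
+}
+
+# ── spec.default.config.type ──────────────────────────────────────────────
+
+test_deny_config_type_not_http if {
+bad := json.patch(valid_hcp, [{"op": "replace", "path": "/spec/default/config/type", "value": "TCP"}])
+count(health_check_policy.deny) > 0 with input as bad
+}
+
+# ── requestPath ───────────────────────────────────────────────────────────
+
+test_deny_empty_request_path if {
+bad := json.patch(valid_hcp, [{
+"op": "replace",
+"path": "/spec/default/config/httpHealthCheck/requestPath",
+"value": "",
+}])
+count(health_check_policy.deny) > 0 with input as bad
+}
+
+test_deny_request_path_without_slash if {
+bad := json.patch(valid_hcp, [{
+"op": "replace",
+"path": "/spec/default/config/httpHealthCheck/requestPath",
+"value": "healthz",
+}])
+count(health_check_policy.deny) > 0 with input as bad
+}
+
+# ── port ──────────────────────────────────────────────────────────────────
+
+test_deny_port_not_8080 if {
+bad := json.patch(valid_hcp, [{
+"op": "replace",
+"path": "/spec/default/config/httpHealthCheck/port",
+"value": 9090,
+}])
+count(health_check_policy.deny) > 0 with input as bad
+}
+
+# ── targetRef ─────────────────────────────────────────────────────────────
+
+test_deny_target_ref_kind_not_service if {
+bad := json.patch(valid_hcp, [{"op": "replace", "path": "/spec/targetRef/kind", "value": "Gateway"}])
+count(health_check_policy.deny) > 0 with input as bad
+}
+
+test_deny_target_ref_name_without_hl if {
+bad := json.patch(valid_hcp, [{"op": "replace", "path": "/spec/targetRef/name", "value": "api"}])
+count(health_check_policy.deny) > 0 with input as bad
+}
+
+# Не HCP — пакет не діє.
+test_allow_other_kind if {
+count(health_check_policy.deny) == 0 with input as {
+"apiVersion": "v1",
+"kind": "ConfigMap",
+"metadata": {"name": "x"},
+}
+}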
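Review bot: Every deny case in health_check_policy_test.rego replaces a field with a wrong value and none removes one, so the suite does not pin what the policy does when `spec.targetRef`, `spec.default.config.httpHealthCheck` or its `port` is absent. In Rego a comparison against an undefined reference leaves the rule body undefined rather than true, so a deny rule written as a plain inequality would pass such a manifest silently; the policy file is not visible in this section, so whether it does is unconfirmed. A case such as `bad := json.patch(valid_hcp, [{"op": "remove", "path": "/spec/targetRef"}])` followed by the existing `count(health_check_policy.deny) > 0 with input as bad` would settle it. The assertions also only count messages, so a test can pass because of a different rule than the one its name refers to; asserting that the expected message is a member of `health_check_policy.deny` would tighten them.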
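--- a/package/policy/abie/http_route_base/http_route_base_test.rego
+++ b/package/policy/abie/http_route_base/http_route_base_test.rego
@@ -0,0 +1,64 @@
+# Тести для `abie.http_route_base`. Запуск:
+# conftest verify -p npm/policy/abie/http_route_base
+package abie.http_route_base_test
+
+import rego.v1
+
+import data.abie.http_route_base
+
+mk_route(hostnames) := {
+"apiVersion": "gateway.networking.k8s.io/v1",
+"kind": "HTTPRoute",
+"metadata": {"name": "r", "namespace": "dev"},
+"spec": {"hostnames": hostnames},
+}
+
+# ── allow ────────────────────────────────────────────────────────────────
+
+test_allow_apex if {
+count(http_route_base.deny) == 0 with input as mk_route(["aiml.live"])
+}
+
+test_allow_subdomain if {
+count(http_route_base.deny) == 0 with input as mk_route(["api.aiml.live"])
+}
+
+test_allow_wildcard if {
+count(http_route_base.deny) == 0 with input as mk_route(["*.aiml.live"])
+}
+
+test_allow_uppercase_apex if {
+count(http_route_base.deny) == 0 with input as mk_route(["AIML.LIVE"])
+}
+
+test_allow_multiple_subdomains if {
+count(http_route_base.deny) == 0 with input as mk_route(["api.aiml.live", "admin.aiml.live"])
+}
+
+# ── deny ─────────────────────────────────────────────────────────────────
+
+test_deny_other_apex if {
+count(http_route_base.deny) > 0 with input as mk_route(["example.com"])
+}
+
+test_deny_wrong_subdomain if {
+count(http_route_base.deny) > 0 with input as mk_route(["api.example.com"])
+}
+
+test_deny_mixed_one_bad if {
+count(http_route_base.deny) > 0 with input as mk_route(["api.aiml.live", "evil.com"])
+}
+
+test_deny_aiml_live_substring if {
+# "aiml.live.example.com" не має закінчуватись на ".aiml.live" — це інший домен.
+count(http_route_base.deny) > 0 with input as mk_route(["aiml.live.example.com"])
+}
+
+# Не HTTPRoute — пакет не діє.
+test_allow_non_httproute if {
+count(http_route_base.deny) == 0 with input as {
+"apiVersion": "v1",
+"kind": "Service",
+"metadata": {"name": "x"},
+}
+}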
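Review bot: The deny cases in http_route_base_test.rego cover a foreign apex and `aiml.live.example.com`, but not a hostname that ends in the allowed string without a label boundary, for example the constructed name `notaiml.live`. If the policy (not visible in this section) matches on a bare `aiml.live` suffix instead of `.aiml.live` plus the exact apex, that name would be accepted and no test here would fail; adding `count(http_route_base.deny) > 0 with input as mk_route(["notaiml.live"])` closes the gap. It would also help to state the expected result for an HTTPRoute with an empty or missing `spec.hostnames`, since such a route is not limited to any hostname by the route itself and the suite currently leaves that outcome unspecified.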