Add personnel dataset backup filtering
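--- a/test/personnel_dataset_backup_policy_test.sh
+++ b/test/personnel_dataset_backup_policy_test.sh
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+fail() {
+echo "ERROR: $*" >&2
+exit 1
+}
+
+assert_contains() {
+local output="$1"
+local expected="$2"
+grep -Fq -- "$expected" <<<"$output" || fail "output must contain: $expected"
+}
+
+assert_not_exists() {
+local path="$1"
+[[ ! -e "$path" ]] || fail "path must not exist: $path"
+}
+
+source "$repo_root/scripts/backup/lib/common.sh"
+source "$repo_root/scripts/backup/lib/manifest.sh"
+source "$repo_root/scripts/backup/lib/personnel_dataset.sh"
+
+[[ "$(normalize_dataset_profile full)" == "full" ]] || fail "full dataset profile must be accepted"
+[[ "$(normalize_dataset_profile personnel)" == "personnel" ]] || fail "personnel dataset profile must be accepted"
+
+if normalize_dataset_profile unknown >/tmp/baron-sso-dataset-profile.out 2>&1; then
+fail "unknown dataset profile must be rejected"
+fi
+assert_contains "$(cat /tmp/baron-sso-dataset-profile.out)" "unknown backup dataset"
+
+tmp_dir="$(mktemp -d /tmp/baron-sso-personnel-dataset.XXXXXX)"
+trap 'rm -rf "$tmp_dir"' EXIT INT TERM
+
+create_manifest "$tmp_dir" "maintenance" "postgres ory-postgres" "personnel"
+jq -e '.dataset == "personnel" and .environment_scope == "staging-rehearsal"' "$tmp_dir/manifest.json" >/dev/null \
+|| fail "personnel manifest must mark the staging rehearsal dataset scope"
+
+mkdir -p "$tmp_dir/datasets/personnel/reports"
+write_personnel_dataset_manifest "$tmp_dir" "postgres ory-postgres"
+
+dataset_manifest="$tmp_dir/datasets/personnel/dataset-manifest.json"
+jq -e '
+.dataset == "personnel"
+and (.excluded.databases | index("ory_hydra"))
+and (.excluded.tables | index("public.relying_parties"))
+and (.excluded.tables | index("public.rp_user_metadata"))
+and (.excluded.tables | index("public.client_consents"))
+and (.restore_policy.reset_credentials == true)
+' "$dataset_manifest" >/dev/null || fail "personnel dataset manifest must document Hydra/RP exclusions and credential reset policy"
+
+assert_not_exists "$tmp_dir/postgres/ory_hydra.dump"
+assert_not_exists "$tmp_dir/postgres/baron.dump"
+
+dump_dry_run="$(
+make --dry-run --always-make -C "$repo_root" dump \
+DUMP_SERVICES="postgres,ory-postgres" \
+DUMP_DATASET="personnel" \
+DUMP_MODE="maintenance" 2>&1
+)"
+assert_contains "$dump_dry_run" 'DUMP_DATASET="personnel"'
+
+restore_dry_run="$(
+make --dry-run --always-make -C "$repo_root" restore \
+BACKUP="backups/example" \
+RESTORE_SERVICES="postgres,ory-postgres" \
+RESTORE_DATASET="personnel" \
+CONFIRM_RESTORE="baron-sso" 2>&1
+)"
+assert_contains "$restore_dry_run" 'RESTORE_DATASET="personnel"'
+
+echo "OK: personnel dataset backup policy excludes Hydra/RP data and exposes Makefile controls"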
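Review bot: The unknown-profile check redirects to the fixed path `/tmp/baron-sso-dataset-profile.out` before the `mktemp -d` directory exists, so the name is predictable in a world-writable directory: another local user on a shared runner could pre-create or symlink it, parallel runs collide on it, and the `trap` never removes it. Move the `tmp_dir="$(mktemp -d ...)"` and `trap` lines above the `if`, redirect to `"$tmp_dir/dataset-profile.out"`, and read that same path back in the following `assert_contains`. Separately, the two `assert_not_exists` checks on `postgres/ory_hydra.dump` and `postgres/baron.dump` appear to run without any dump step being invoked in this test, so they would pass whether or not filtering works. If that reading is right, a comment such as `# NOTE: no dump is executed here; these only guard against the manifest helpers writing dump files` would keep the test from being read as proof that Hydra/RP data is excluded from a real backup.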