m/rdp-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5096155d83ecb2fe14dbde945b52386be7487eba
rdp-proxy/agents/rap-node-agent/internal/supervisor/supervisor_test.go
T

839 lines
38 KiB
Go
Raw Blame History

package supervisor
import (
"context"
"testing"
"github.com/example/remote-access-platform/agents/rap-node-agent/internal/client"
"github.com/example/remote-access-platform/agents/rap-node-agent/internal/webingress"
)
func TestStubSupervisorReportsDegradedForEnabledWorkload(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{ServiceType: "rdp-worker", DesiredState: "enabled", RuntimeMode: "container"},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if len(statuses) != 1 {
t.Fatalf("statuses length = %d", len(statuses))
}
if statuses[0].ReportedState != "degraded" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
}
func TestStubSupervisorReportsStoppedForDisabledWorkload(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{ServiceType: "relay-node", DesiredState: "disabled", RuntimeMode: "container"},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "stopped" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
}
func TestStubSupervisorRunsInternalSyntheticEchoWorkload(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{ServiceType: "synthetic.echo", DesiredState: "enabled", RuntimeMode: "native"},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "running" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
if statuses[0].StatusPayload["reason"] != "internal_synthetic_echo_ready" {
t.Fatalf("reason = %v", statuses[0].StatusPayload["reason"])
}
if statuses[0].StatusPayload["execution_mode"] != "builtin" {
t.Fatalf("execution_mode = %v", statuses[0].StatusPayload["execution_mode"])
}
}
func TestStubSupervisorReportsBuiltinFabricServicesRunning(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{ServiceType: "core-mesh", DesiredState: "enabled", RuntimeMode: "container"},
{ServiceType: "mesh-listener", DesiredState: "enabled", RuntimeMode: "container"},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if len(statuses) != 2 {
t.Fatalf("statuses length = %d", len(statuses))
}
for _, status := range statuses {
if status.ReportedState != "running" {
t.Fatalf("ReportedState = %q", status.ReportedState)
}
if status.StatusPayload["reason"] != "builtin_node_agent_service_ready" {
t.Fatalf("reason = %v", status.StatusPayload["reason"])
}
}
}
func TestStubSupervisorReportsVPNFabricOnlyContractsRunning(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{
ServiceType: "ipv4-egress",
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"pool_id": "us-los-angeles-ipv4",
"region": "us-los-angeles",
"allowed_cidrs": []any{"0.0.0.0/0"},
"dns_servers": []any{"192.168.200.210"},
},
},
{
ServiceType: "vpn-client",
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"exit_pool_id": "us-los-angeles-ipv4",
"listen_tcp_ports": []any{443, "8443"},
"listen_udp_ports": "443,51820",
},
},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if len(statuses) != 2 {
t.Fatalf("statuses length = %d", len(statuses))
}
for _, status := range statuses {
if status.ReportedState != "running" {
t.Fatalf("ReportedState = %q", status.ReportedState)
}
if status.StatusPayload["execution_mode"] != "contract_probe" {
t.Fatalf("execution_mode = %v", status.StatusPayload["execution_mode"])
}
if status.StatusPayload["fabric_transport"] != "quic_only" {
t.Fatalf("fabric_transport = %v", status.StatusPayload["fabric_transport"])
}
if status.StatusPayload["backend_relay_fallback"] != false {
t.Fatalf("backend_relay_fallback = %v", status.StatusPayload["backend_relay_fallback"])
}
if status.StatusPayload["legacy_protocol_compatibility"] != false {
t.Fatalf("legacy_protocol_compatibility = %v", status.StatusPayload["legacy_protocol_compatibility"])
}
}
if statuses[0].StatusPayload["role"] != "ipv4-egress" || statuses[0].StatusPayload["internet_egress"] != true {
t.Fatalf("ipv4 egress payload = %#v", statuses[0].StatusPayload)
}
if statuses[1].StatusPayload["role"] != "vpn-client" || statuses[1].StatusPayload["android_node_supported"] != true {
t.Fatalf("vpn client payload = %#v", statuses[1].StatusPayload)
}
exitBinding := statuses[0].StatusPayload["service_binding"].(map[string]any)
if exitBinding["type"] != "ipv4_egress" || exitBinding["accepts_from_fabric_only"] != true || exitBinding["exit_pool_id"] != "us-los-angeles-ipv4" {
t.Fatalf("ipv4 egress binding = %#v", exitBinding)
}
clientBinding := statuses[1].StatusPayload["service_binding"].(map[string]any)
if clientBinding["type"] != "local_ipv4_ingress" || clientBinding["preferred_exit_pool_id"] != "us-los-angeles-ipv4" || clientBinding["legacy_protocol_listener"] != false {
t.Fatalf("vpn client binding = %#v", clientBinding)
}
if got := clientBinding["listen_tcp_ports"].([]int); len(got) != 2 || got[0] != 443 || got[1] != 8443 {
t.Fatalf("listen_tcp_ports = %#v", got)
}
if got := clientBinding["listen_udp_ports"].([]int); len(got) != 2 || got[0] != 443 || got[1] != 51820 {
t.Fatalf("listen_udp_ports = %#v", got)
}
}
func TestStubSupervisorReportsWebIngressContractReady(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{
ServiceType: "admin-ingress",
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"listen_http_port": 80,
"listen_https_port": 443,
"tls_mode": "terminate",
"scope": "platform",
"service_classes": []any{"platform_admin", "cluster_admin"},
},
},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "running" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
payload := statuses[0].StatusPayload
if payload["reason"] != "web_ingress_contract_ready" ||
payload["fabric_transport"] != "quic_only" ||
payload["http_between_fabric_nodes"] != false ||
payload["authority_service"] != false ||
payload["real_listener_start_allowed"] != false ||
payload["runtime_handler_ready"] != true ||
payload["runtime_handler_payload_status"] != "fabric_service_channel_binding_not_implemented" ||
payload["ports_opened_by_stub"] != false {
t.Fatalf("unexpected payload: %#v", payload)
}
roles, ok := payload["runtime_roles_required"].([]string)
if !ok || !containsString(roles, "global-admin-runtime") || !containsString(roles, "policy-authority") {
t.Fatalf("runtime roles = %#v", payload["runtime_roles_required"])
}
}
func TestStubSupervisorBlocksWebIngressRealListenerWithoutRuntimeGate(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{
ServiceType: "admin-ingress",
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"listen_http_port": 80,
"listen_https_port": 443,
"tls_mode": "terminate",
"scope": "platform",
"service_classes": []any{"platform_admin"},
"real_listener_enabled": true,
},
},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "degraded" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
payload := statuses[0].StatusPayload
if payload["reason"] != "web_ingress_real_listener_gate_disabled" ||
payload["real_listener_requested"] != true ||
payload["real_listener_runtime_enabled"] != false ||
payload["real_listener_start_allowed"] != false ||
payload["ports_opened_by_stub"] != false {
t.Fatalf("unexpected payload: %#v", payload)
}
}
func TestStubSupervisorAllowsWebIngressRealListenerGateButDoesNotOpenPorts(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test", WebIngressRuntimeEnabled: true}).Apply(context.Background(), []client.DesiredWorkload{
{
ServiceType: "admin-ingress",
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"listen_http_port": 80,
"listen_https_port": 443,
"tls_mode": "terminate",
"scope": "platform",
"service_classes": []any{"platform_admin"},
"real_listener_enabled": true,
},
},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "running" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
payload := statuses[0].StatusPayload
if payload["real_listener_requested"] != true ||
payload["real_listener_runtime_enabled"] != true ||
payload["real_listener_start_allowed"] != true ||
payload["ports_opened_by_stub"] != false {
t.Fatalf("unexpected payload: %#v", payload)
}
}
func TestStubSupervisorStartsWebIngressManagerWhenRealListenerAllowed(t *testing.T) {
manager := webingress.NewManager()
statuses, err := (StubSupervisor{Version: "test", WebIngressRuntimeEnabled: true, WebIngressManager: manager}).Apply(context.Background(), []client.DesiredWorkload{
{
ServiceType: "admin-ingress",
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"listen_http_port": 80,
"listen_https_port": 443,
"listen_http_addr": "127.0.0.1:0",
"listen_https_addr": "127.0.0.1:0",
"tls_mode": "terminate",
"scope": "platform",
"service_classes": []any{"platform_admin"},
"real_listener_enabled": true,
},
},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "degraded" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
payload := statuses[0].StatusPayload
listenerStatus, ok := payload["listener_status"].(webingress.ListenerStatus)
if !ok {
t.Fatalf("listener_status = %#v", payload["listener_status"])
}
if !listenerStatus.HTTPRunning || listenerStatus.HTTPSRunning || listenerStatus.HTTPAddr == "" {
t.Fatalf("listener status = %+v", listenerStatus)
}
if payload["reason"] != "web_ingress_listener_partial" || payload["ports_opened_by_runtime"] != true || payload["ports_opened_by_stub"] != false {
t.Fatalf("payload = %#v", payload)
}
_ = manager.Stop(context.Background())
}
func TestStubSupervisorBlocksInvalidWebIngressContract(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{
ServiceType: "public-ingress",
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"listen_http_port": 8080,
"listen_https_port": 443,
"scope": "organization",
"service_classes": []any{"platform_admin"},
},
},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "degraded" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
payload := statuses[0].StatusPayload
if payload["reason"] != "web_ingress_contract_invalid" || payload["traffic"] != "blocked" {
t.Fatalf("unexpected payload: %#v", payload)
}
missing, ok := payload["missing_checks"].([]string)
if !ok || !containsString(missing, "listen_http_port_must_be_80") || !containsString(missing, "service_class_not_allowed:platform_admin") {
t.Fatalf("missing checks = %#v", payload["missing_checks"])
}
}
func TestStubSupervisorKeepsUnsupportedEnabledWorkloadDegraded(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{ServiceType: "rdp-worker", DesiredState: "enabled", RuntimeMode: "container"},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "degraded" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
if statuses[0].StatusPayload["reason"] != "service_runtime_not_implemented" {
t.Fatalf("reason = %v", statuses[0].StatusPayload["reason"])
}
}
func TestStubSupervisorRunsRDPWorkerAdapterContractProbeOnly(t *testing.T) {
statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
{
ServiceType: "rdp-worker",
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"adapter_contract_probe": true,
},
},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "running" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
if statuses[0].StatusPayload["reason"] != "remote_workspace_adapter_contract_probe_ready" {
t.Fatalf("reason = %v", statuses[0].StatusPayload["reason"])
}
if statuses[0].StatusPayload["service_class"] != "remote_workspace" {
t.Fatalf("service_class = %v", statuses[0].StatusPayload["service_class"])
}
if statuses[0].StatusPayload["backend_relay_steady_state"] != false {
t.Fatalf("backend_relay_steady_state = %v", statuses[0].StatusPayload["backend_relay_steady_state"])
}
channels, ok := statuses[0].StatusPayload["channels"].([]map[string]any)
if !ok || len(channels) != 9 {
t.Fatalf("channels = %#v", statuses[0].StatusPayload["channels"])
}
if channels[0]["name"] != "input" || channels[0]["priority"] != "critical" || channels[0]["droppable"] != true || channels[0]["may_block_input"] != false {
t.Fatalf("unexpected input channel: %#v", channels[0])
}
frameBatch, ok := statuses[0].StatusPayload["frame_batch_contract"].(map[string]any)
if !ok {
t.Fatalf("frame_batch_contract = %#v", statuses[0].StatusPayload["frame_batch_contract"])
}
if frameBatch["schema_version"] != "rap.remote_workspace_frame_batch.v1" ||
frameBatch["payload_forwarding"] != "not_implemented" ||
frameBatch["service_class"] != "remote_workspace" {
t.Fatalf("unexpected frame batch contract: %#v", frameBatch)
}
realAdapter, ok := statuses[0].StatusPayload["real_adapter_supervision"].(map[string]any)
if !ok {
t.Fatalf("real_adapter_supervision = %#v", statuses[0].StatusPayload["real_adapter_supervision"])
}
if realAdapter["schema_version"] != "rap.remote_workspace_real_adapter_supervision.v1" ||
realAdapter["enabled"] != false ||
realAdapter["activation_state"] != "disabled_until_real_runtime_stage" ||
realAdapter["payload_traffic"] != "none" {
t.Fatalf("unexpected real adapter supervision contract: %#v", realAdapter)
}
if !realAdapterSupervisionContractCompatible(realAdapter) {
t.Fatalf("real adapter supervision contract is not compatible: %#v", realAdapter)
}
}
func TestStubSupervisorKeepsContractProbePrecedenceWhenRealAdapterAlsoRequested(t *testing.T) {
statuses, err := (StubSupervisor{
Version: "test",
RemoteWorkspaceRealAdapter: RemoteWorkspaceRealAdapterConfig{
EnabledRequested: true,
Command: "/opt/rap/bin/rdp-worker",
ArgsJSON: `["--future-probe"]`,
WorkDir: "/var/lib/rap-node-agent/rdp-worker",
},
}).Apply(context.Background(), []client.DesiredWorkload{
{
ServiceType: "rdp-worker",
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"adapter_contract_probe": true,
"real_adapter_supervision": true,
},
},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "running" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
payload := statuses[0].StatusPayload
if payload["execution_mode"] != "contract_probe" ||
payload["reason"] != "remote_workspace_adapter_contract_probe_ready" ||
payload["traffic"] != "none" {
t.Fatalf("contract probe did not retain precedence: %#v", payload)
}
realAdapter, ok := payload["real_adapter_supervision"].(map[string]any)
if !ok || !realAdapterSupervisionContractCompatible(realAdapter) {
t.Fatalf("real_adapter_supervision = %#v", payload["real_adapter_supervision"])
}
decision := realAdapter["activation_decision"].(map[string]any)
if realAdapter["enabled"] != false ||
decision["decision"] != "blocked" ||
decision["reason"] != "real_runtime_stage_not_enabled" ||
decision["payload_traffic"] != "none" {
t.Fatalf("unexpected activation decision under contract-probe precedence: %#v", realAdapter)
}
}
func TestStubSupervisorKeepsRealAdapterSupervisionDisabled(t *testing.T) {
statuses, err := (StubSupervisor{
Version: "test",
RemoteWorkspaceRealAdapter: RemoteWorkspaceRealAdapterConfig{
EnabledRequested: true,
Command: "/opt/rap/bin/rdp-worker",
ArgsJSON: `["--future-probe"]`,
WorkDir: "/var/lib/rap-node-agent/rdp-worker",
},
}).Apply(context.Background(), []client.DesiredWorkload{
{
ServiceType: "rdp-worker",
DesiredState: "enabled",
RuntimeMode: "native",
Config: map[string]any{
"real_adapter_supervision": true,
},
},
})
if err != nil {
t.Fatalf("apply desired workload: %v", err)
}
if statuses[0].ReportedState != "degraded" {
t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
}
if statuses[0].StatusPayload["reason"] != "remote_workspace_real_adapter_supervision_disabled" ||
statuses[0].StatusPayload["execution_mode"] != "real_adapter_supervision_disabled" ||
statuses[0].StatusPayload["traffic"] != "blocked" ||
statuses[0].StatusPayload["payload_traffic"] != "none" {
t.Fatalf("unexpected real adapter disabled payload: %#v", statuses[0].StatusPayload)
}
realAdapter, ok := statuses[0].StatusPayload["real_adapter_supervision"].(map[string]any)
if !ok || !realAdapterSupervisionContractCompatible(realAdapter) {
t.Fatalf("real adapter supervision contract = %#v", statuses[0].StatusPayload["real_adapter_supervision"])
}
projection, ok := realAdapter["config_projection"].(map[string]any)
if !ok {
t.Fatalf("config_projection = %#v", realAdapter["config_projection"])
}
if realAdapter["enabled"] != false ||
projection["enabled_requested"] != true ||
projection["activation_allowed"] != false ||
projection["command_present"] != true ||
projection["args_json_present"] != true ||
projection["args_json_shape"] != "json_array" ||
projection["workdir_present"] != true ||
projection["raw_values_redacted"] != true {
t.Fatalf("unexpected config projection: %#v", projection)
}
decision, ok := realAdapter["activation_decision"].(map[string]any)
if !ok {
t.Fatalf("activation_decision = %#v", realAdapter["activation_decision"])
}
if decision["decision"] != "blocked" ||
decision["reason"] != "real_runtime_stage_not_enabled" ||
decision["enabled_requested"] != true ||
decision["activation_allowed"] != false ||
decision["payload_traffic"] != "none" {
t.Fatalf("unexpected activation decision: %#v", decision)
}
features, ok := realAdapter["features"].(map[string]any)
if !ok ||
features["config_projection"] != true ||
features["activation_decision"] != true ||
features["process_supervisor_preconditions"] != true ||
features["process_supervisor_start_disabled"] != true ||
features["missing_gates"] != true ||
features["raw_values_redacted"] != true {
t.Fatalf("unexpected real adapter features: %#v", realAdapter["features"])
}
preconditions, ok := realAdapter["process_supervisor_preconditions"].(map[string]any)
if !ok ||
preconditions["schema_version"] != "rap.remote_workspace_real_adapter_process_supervisor_preconditions.v1" ||
preconditions["process_start_allowed"] != false ||
preconditions["command_config_present"] != true ||
preconditions["args_config_present"] != true ||
preconditions["workdir_config_present"] != true {
t.Fatalf("unexpected process supervisor preconditions: %#v", realAdapter["process_supervisor_preconditions"])
}
healthProbe, ok := realAdapter["process_health_probe"].(map[string]any)
if !ok ||
healthProbe["schema_version"] != "rap.remote_workspace_real_adapter_process_health_probe.v1" ||
healthProbe["health_probe_enabled"] != false ||
healthProbe["payload_traffic"] != "none" {
t.Fatalf("unexpected process health probe: %#v", realAdapter["process_health_probe"])
}
}
func TestRealAdapterSupervisionContractCompatibility(t *testing.T) {
compatible := remoteWorkspaceRealAdapterSupervisionContract()
if !realAdapterSupervisionContractCompatible(compatible) {
t.Fatalf("expected real adapter supervision contract to be compatible")
}
tests := []struct {
name string
contract map[string]any
}{
{
name: "enabled",
contract: map[string]any{
"schema_version": "rap.remote_workspace_real_adapter_supervision.v1",
"enabled": true,
"activation_state": "disabled_until_real_runtime_stage",
"payload_traffic": "none",
"config_projection": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_config_projection.v1", "activation_allowed": false, "raw_values_redacted": true},
"activation_decision": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_activation_decision.v1", "decision": "blocked", "reason": "real_runtime_stage_not_enabled", "activation_allowed": false, "payload_traffic": "none", "required_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}, "missing_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}},
"process_supervisor_preconditions": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_supervisor_preconditions.v1", "process_start_allowed": false, "reason": "disabled_until_real_runtime_stage", "required_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}, "missing_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}},
"process_health_probe": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_health_probe.v1", "health_probe_enabled": false, "reason": "disabled_until_real_runtime_stage", "payload_traffic": "none", "probe_model": "external_process_health", "required_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}, "missing_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}},
"features": map[string]any{"config_projection": true, "activation_decision": true, "missing_gates": true, "process_health_probe": true, "process_health_probe_disabled": true, "process_supervisor_preconditions": true, "process_supervisor_start_disabled": true, "raw_values_redacted": true},
"config_env": []string{"RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ENABLED", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_COMMAND", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ARGS_JSON", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_WORKDIR"},
"status_contract": []string{"schema_version", "enabled", "activation_state", "execution_mode", "payload_traffic", "process_model", "config_projection", "activation_decision", "process_supervisor_preconditions", "process_health_probe", "features", "config_env", "status_contract"},
"guardrails": []string{"contract_probe_remains_default", "no_payload_forwarding_until_real_runtime_stage", "backend_relay_not_steady_state", "fabric_service_channel_required"},
},
},
{
name: "missing env",
contract: map[string]any{
"schema_version": "rap.remote_workspace_real_adapter_supervision.v1",
"enabled": false,
"activation_state": "disabled_until_real_runtime_stage",
"payload_traffic": "none",
"config_projection": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_config_projection.v1", "activation_allowed": false, "raw_values_redacted": true},
"activation_decision": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_activation_decision.v1", "decision": "blocked", "reason": "real_runtime_stage_not_enabled", "activation_allowed": false, "payload_traffic": "none", "required_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}, "missing_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}},
"process_supervisor_preconditions": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_supervisor_preconditions.v1", "process_start_allowed": false, "reason": "disabled_until_real_runtime_stage", "required_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}, "missing_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}},
"process_health_probe": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_health_probe.v1", "health_probe_enabled": false, "reason": "disabled_until_real_runtime_stage", "payload_traffic": "none", "probe_model": "external_process_health", "required_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}, "missing_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}},
"features": map[string]any{"config_projection": true, "activation_decision": true, "missing_gates": true, "process_health_probe": true, "process_health_probe_disabled": true, "process_supervisor_preconditions": true, "process_supervisor_start_disabled": true, "raw_values_redacted": true},
"config_env": []string{"RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ENABLED"},
"status_contract": []string{"schema_version", "enabled", "activation_state", "execution_mode", "payload_traffic", "process_model", "config_projection", "activation_decision", "process_supervisor_preconditions", "process_health_probe", "features", "config_env", "status_contract"},
"guardrails": []string{"contract_probe_remains_default", "no_payload_forwarding_until_real_runtime_stage", "backend_relay_not_steady_state", "fabric_service_channel_required"},
},
},
{
name: "missing guardrail",
contract: map[string]any{
"schema_version": "rap.remote_workspace_real_adapter_supervision.v1",
"enabled": false,
"activation_state": "disabled_until_real_runtime_stage",
"payload_traffic": "none",
"config_projection": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_config_projection.v1", "activation_allowed": false, "raw_values_redacted": true},
"activation_decision": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_activation_decision.v1", "decision": "blocked", "reason": "real_runtime_stage_not_enabled", "activation_allowed": false, "payload_traffic": "none", "required_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}, "missing_gates": []string{"real_runtime_stage_enabled", "fabric_service_channel_runtime_ready", "adapter_process_supervisor_enabled", "payload_forwarding_contract_enabled"}},
"process_supervisor_preconditions": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_supervisor_preconditions.v1", "process_start_allowed": false, "reason": "disabled_until_real_runtime_stage", "required_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}, "missing_checks": []string{"real_runtime_stage_enabled", "command_config_validated", "workdir_config_validated", "process_identity_policy_bound", "fabric_service_channel_runtime_ready", "payload_forwarding_contract_enabled", "health_probe_contract_enabled"}},
"process_health_probe": map[string]any{"schema_version": "rap.remote_workspace_real_adapter_process_health_probe.v1", "health_probe_enabled": false, "reason": "disabled_until_real_runtime_stage", "payload_traffic": "none", "probe_model": "external_process_health", "required_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}, "missing_signals": []string{"process_started", "process_exit_status", "adapter_control_channel_ready", "fabric_service_channel_bound", "payload_forwarding_contract_ready"}},
"features": map[string]any{"config_projection": true, "activation_decision": true, "missing_gates": true, "process_health_probe": true, "process_health_probe_disabled": true, "process_supervisor_preconditions": true, "process_supervisor_start_disabled": true, "raw_values_redacted": true},
"config_env": []string{"RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ENABLED", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_COMMAND", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ARGS_JSON", "RAP_REMOTE_WORKSPACE_REAL_ADAPTER_WORKDIR"},
"status_contract": []string{"schema_version", "enabled", "activation_state", "execution_mode", "payload_traffic", "process_model", "config_projection", "activation_decision", "process_supervisor_preconditions", "process_health_probe", "features", "config_env", "status_contract"},
"guardrails": []string{"contract_probe_remains_default"},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if realAdapterSupervisionContractCompatible(tt.contract) {
t.Fatalf("expected incompatible contract for %+v", tt.contract)
}
})
}
}
func TestRealAdapterConfigProjectionCompatibility(t *testing.T) {
tests := []struct {
name string
config RemoteWorkspaceRealAdapterConfig
enabledRequested bool
commandPresent bool
argsJSONPresent bool
argsJSONShape string
workdirPresent bool
}{
{
name: "default empty",
argsJSONShape: "absent",
},
{
name: "requested array args",
config: RemoteWorkspaceRealAdapterConfig{
EnabledRequested: true,
Command: "/opt/rap/bin/rdp-worker",
ArgsJSON: `["--future-probe"]`,
WorkDir: "/var/lib/rap-node-agent/rdp-worker",
},
enabledRequested: true,
commandPresent: true,
argsJSONPresent: true,
argsJSONShape: "json_array",
workdirPresent: true,
},
{
name: "object args shape",
config: RemoteWorkspaceRealAdapterConfig{
ArgsJSON: `{"arg":"value"}`,
},
argsJSONPresent: true,
argsJSONShape: "json_object",
},
{
name: "opaque args shape",
config: RemoteWorkspaceRealAdapterConfig{
ArgsJSON: "--future-probe",
},
argsJSONPresent: true,
argsJSONShape: "opaque",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
contract := remoteWorkspaceRealAdapterSupervisionContract(tt.config)
if !realAdapterSupervisionContractCompatible(contract) {
t.Fatalf("contract is not compatible: %#v", contract)
}
projection := contract["config_projection"].(map[string]any)
if projection["enabled_requested"] != tt.enabledRequested ||
projection["activation_allowed"] != false ||
projection["command_present"] != tt.commandPresent ||
projection["args_json_present"] != tt.argsJSONPresent ||
projection["args_json_shape"] != tt.argsJSONShape ||
projection["workdir_present"] != tt.workdirPresent ||
projection["raw_values_redacted"] != true {
t.Fatalf("unexpected config projection: %#v", projection)
}
})
}
}
func TestRealAdapterProjectionAndActivationDecisionStayAligned(t *testing.T) {
tests := []struct {
name string
config RemoteWorkspaceRealAdapterConfig
enabledRequested bool
}{
{name: "default"},
{
name: "requested",
config: RemoteWorkspaceRealAdapterConfig{
EnabledRequested: true,
Command: "/opt/rap/bin/rdp-worker",
ArgsJSON: `["--future-probe"]`,
WorkDir: "/var/lib/rap-node-agent/rdp-worker",
},
enabledRequested: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
contract := remoteWorkspaceRealAdapterSupervisionContract(tt.config)
projection := contract["config_projection"].(map[string]any)
decision := contract["activation_decision"].(map[string]any)
if projection["enabled_requested"] != decision["enabled_requested"] ||
projection["enabled_requested"] != tt.enabledRequested ||
projection["activation_allowed"] != false ||
decision["activation_allowed"] != false ||
contract["enabled"] != false ||
contract["payload_traffic"] != decision["payload_traffic"] {
t.Fatalf("projection and activation decision are not aligned: contract=%#v", contract)
}
})
}
}
func realAdapterSupervisionContractCompatible(contract map[string]any) bool {
if contract["schema_version"] != "rap.remote_workspace_real_adapter_supervision.v1" ||
contract["enabled"] != false ||
contract["activation_state"] != "disabled_until_real_runtime_stage" ||
contract["payload_traffic"] != "none" {
return false
}
projection, ok := contract["config_projection"].(map[string]any)
if !ok ||
projection["schema_version"] != "rap.remote_workspace_real_adapter_config_projection.v1" ||
projection["activation_allowed"] != false ||
projection["raw_values_redacted"] != true {
return false
}
decision, ok := contract["activation_decision"].(map[string]any)
if !ok ||
decision["schema_version"] != "rap.remote_workspace_real_adapter_activation_decision.v1" ||
decision["decision"] != "blocked" ||
decision["reason"] != "real_runtime_stage_not_enabled" ||
decision["activation_allowed"] != false ||
decision["payload_traffic"] != "none" {
return false
}
for _, item := range []string{
"real_runtime_stage_enabled",
"fabric_service_channel_runtime_ready",
"adapter_process_supervisor_enabled",
"payload_forwarding_contract_enabled",
} {
if !anyStringSliceContains(decision["required_gates"], item) || !anyStringSliceContains(decision["missing_gates"], item) {
return false
}
}
preconditions, ok := contract["process_supervisor_preconditions"].(map[string]any)
if !ok ||
preconditions["schema_version"] != "rap.remote_workspace_real_adapter_process_supervisor_preconditions.v1" ||
preconditions["process_start_allowed"] != false ||
preconditions["reason"] != "disabled_until_real_runtime_stage" {
return false
}
for _, item := range []string{
"real_runtime_stage_enabled",
"command_config_validated",
"workdir_config_validated",
"process_identity_policy_bound",
"fabric_service_channel_runtime_ready",
"payload_forwarding_contract_enabled",
"health_probe_contract_enabled",
} {
if !anyStringSliceContains(preconditions["required_checks"], item) || !anyStringSliceContains(preconditions["missing_checks"], item) {
return false
}
}
healthProbe, ok := contract["process_health_probe"].(map[string]any)
if !ok ||
healthProbe["schema_version"] != "rap.remote_workspace_real_adapter_process_health_probe.v1" ||
healthProbe["health_probe_enabled"] != false ||
healthProbe["reason"] != "disabled_until_real_runtime_stage" ||
healthProbe["payload_traffic"] != "none" ||
healthProbe["probe_model"] != "external_process_health" {
return false
}
for _, item := range []string{
"process_started",
"process_exit_status",
"adapter_control_channel_ready",
"fabric_service_channel_bound",
"payload_forwarding_contract_ready",
} {
if !anyStringSliceContains(healthProbe["required_signals"], item) || !anyStringSliceContains(healthProbe["missing_signals"], item) {
return false
}
}
features, ok := contract["features"].(map[string]any)
if !ok ||
features["config_projection"] != true ||
features["activation_decision"] != true ||
features["missing_gates"] != true ||
features["process_health_probe"] != true ||
features["process_health_probe_disabled"] != true ||
features["process_supervisor_preconditions"] != true ||
features["process_supervisor_start_disabled"] != true ||
features["raw_values_redacted"] != true {
return false
}
for _, item := range []string{
"RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ENABLED",
"RAP_REMOTE_WORKSPACE_REAL_ADAPTER_COMMAND",
"RAP_REMOTE_WORKSPACE_REAL_ADAPTER_ARGS_JSON",
"RAP_REMOTE_WORKSPACE_REAL_ADAPTER_WORKDIR",
} {
if !anyStringSliceContains(contract["config_env"], item) {
return false
}
}
for _, item := range []string{
"schema_version",
"enabled",
"activation_state",
"execution_mode",
"payload_traffic",
"process_model",
"config_projection",
"activation_decision",
"process_supervisor_preconditions",
"process_health_probe",
"features",
"config_env",
"status_contract",
} {
if !anyStringSliceContains(contract["status_contract"], item) {
return false
}
}
for _, item := range []string{
"contract_probe_remains_default",
"no_payload_forwarding_until_real_runtime_stage",
"backend_relay_not_steady_state",
"fabric_service_channel_required",
} {
if !anyStringSliceContains(contract["guardrails"], item) {
return false
}
}
return true
}
func anyStringSliceContains(value any, want string) bool {
switch items := value.(type) {
case []string:
for _, item := range items {
if item == want {
return true
}
}
case []any:
for _, item := range items {
if item == want {
return true
}
}
}
return false
}
Reference in New Issue View Git Blame Copy Permalink