Files
pikasTech-unidesk/scripts/hwlab-cd-wrapper-contract-test.ts
T
2026-05-23 16:21:45 +00:00

211 lines
9.2 KiB
TypeScript

import { spawnSync } from "node:child_process";
import { mkdirSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";
import assert from "node:assert/strict";
type JsonRecord = Record<string, unknown>;
function runCli(args: string[], env: NodeJS.ProcessEnv = {}): JsonRecord {
const result = spawnSync("bun", ["scripts/cli.ts", ...args], {
cwd: process.cwd(),
env: { ...process.env, ...env },
encoding: "utf8",
timeout: 20_000,
});
assert.equal(result.stderr, "", `stderr should be empty: ${result.stderr}`);
assert.notEqual(result.stdout.trim(), "", "CLI must not produce empty output");
const parsed = JSON.parse(result.stdout) as JsonRecord;
if (result.status !== 0) {
assert.equal(parsed.ok, false, `nonzero CLI should return ok=false: ${result.stdout}`);
}
return parsed;
}
function makeFakeHwlabRepo(): string {
const root = join(tmpdir(), `unidesk-hwlab-cd-wrapper-${process.pid}-${Date.now()}`);
mkdirSync(join(root, "scripts"), { recursive: true });
writeFileSync(join(root, "scripts/dev-cd-apply.mjs"), "process.stdout.write(JSON.stringify({ok:true}))\n");
writeFileSync(join(root, "scripts/dev-deploy-apply.mjs"), [
"const dryRun = process.argv.includes('--dry-run');",
"const kubeconfigIndex = process.argv.indexOf('--kubeconfig');",
"process.stdout.write(JSON.stringify({",
" reportVersion: 'v1',",
" status: dryRun ? 'pass' : 'blocked',",
" commitId: 'abc1234',",
" namespace: 'hwlab-dev',",
" endpoint: 'http://74.48.78.17:16667',",
" blockers: [],",
" devDeployApply: {",
" conclusion: { status: 'ready', blockerCount: 0 },",
" artifactPlan: { expectedArtifactCommit: 'abc1234', deployCommitId: 'abc1234', catalogCommitId: 'abc1234', published: true, registryVerified: true, imageCount: 13, requiredServiceCount: 13, unpublishedServices: [] },",
" applyBoundary: { currentMode: 'dry-run', defaultNoWrite: true, mutationAttempted: false, mutationAllowed: false, kubeconfigSource: 'flag:--kubeconfig', writeScope: 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl apply -k deploy/k8s/dev', noWriteScope: 'server-side dry-run only', forbiddenActions: ['prod-deploy'] },",
" applyStep: { status: 'pass', command: 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl apply --dry-run=server -k deploy/k8s/dev', mutationAttempted: false },",
" manualCommands: { status: 'ready' }",
" },",
" kubeconfig: kubeconfigIndex >= 0 ? process.argv[kubeconfigIndex + 1] : null",
"}, null, 2));",
].join("\n"));
writeFileSync(join(root, "scripts/deploy-desired-state-plan.mjs"), [
"process.stdout.write(JSON.stringify({",
" kind: 'hwlab-deploy-desired-state-plan',",
" status: 'pass',",
" summary: { desiredCommitId: 'abc1234', desiredImageTag: 'abc1234', artifactState: 'published', ciPublished: true, registryVerified: true, services: 13, workloadContainers: 13, diagnostics: 0, blockers: 0, targetConvergence: 'not_requested' }",
"}, null, 2));",
].join("\n"));
return root;
}
function makeFakeBin(mode: "native" | "desktop" | "stale-default" | "wrong-node"): string {
const bin = join(tmpdir(), `unidesk-hwlab-cd-bin-${process.pid}-${Date.now()}-${mode}`);
mkdirSync(bin, { recursive: true });
const explicitContext = mode === "desktop" ? "docker-desktop" : "default";
const explicitServer = mode === "desktop" ? "https://127.0.0.1:11700" : "https://127.0.0.1:6443";
const explicitNodes = mode === "desktop" ? "desktop-control-plane" : mode === "wrong-node" ? "d602" : "d601";
const defaultContext = mode === "stale-default" ? "docker-desktop" : explicitContext;
const defaultServer = mode === "stale-default" ? "https://127.0.0.1:11700" : explicitServer;
const defaultNodes = mode === "stale-default" ? "desktop-control-plane" : explicitNodes;
writeFileSync(join(bin, "kubectl"), [
"#!/usr/bin/env bash",
"set -euo pipefail",
"printf 'KUBECONFIG=%s\\n' \"${KUBECONFIG:-}\" >&2",
"context=" + JSON.stringify(explicitContext),
"server=" + JSON.stringify(explicitServer),
"nodes=" + JSON.stringify(explicitNodes),
"if [[ \"${KUBECONFIG:-}\" == '' ]]; then",
" context=" + JSON.stringify(defaultContext),
" server=" + JSON.stringify(defaultServer),
" nodes=" + JSON.stringify(defaultNodes),
"fi",
"if [[ \"$*\" == 'config current-context' ]]; then printf '%s\\n' \"$context\"; exit 0; fi",
"if [[ \"$*\" == 'config view --minify -o jsonpath={.clusters[0].cluster.server}' ]]; then printf '%s' \"$server\"; exit 0; fi",
"if [[ \"$*\" == 'get nodes -o jsonpath={range .items[*]}{.metadata.name}{\"\\n\"}{end}' ]]; then printf '%s\\n' \"$nodes\"; exit 0; fi",
"if [[ \"$*\" == '-n hwlab-dev get lease hwlab-dev-cd-lock -o json' ]]; then printf 'Error from server (NotFound): leases.coordination.k8s.io \"hwlab-dev-cd-lock\" not found\\n' >&2; exit 1; fi",
"printf '{}\\n'",
].join("\n"));
spawnSync("chmod", ["+x", join(bin, "kubectl")]);
return bin;
}
const fakeRepo = makeFakeHwlabRepo();
const nativeBin = makeFakeBin("native");
const desktopBin = makeFakeBin("desktop");
const staleDefaultBin = makeFakeBin("stale-default");
const wrongNodeBin = makeFakeBin("wrong-node");
const liveBody = "data:application/json,%7B%22serviceId%22%3A%22hwlab-cloud-web%22%2C%22environment%22%3A%22dev%22%2C%22status%22%3A%22ok%22%2C%22revision%22%3A%22abc1234%22%7D";
const apiBody = "data:application/json,%7B%22serviceId%22%3A%22hwlab-cloud-api%22%2C%22environment%22%3A%22dev%22%2C%22status%22%3A%22ok%22%2C%22revision%22%3A%22abc1234%22%7D";
const help = runCli(["hwlab", "help"]);
assert.equal(help.ok, true);
assert.equal((help.data as JsonRecord).command, "hwlab cd");
const applyDryRun = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
});
assert.equal(applyDryRun.ok, true);
const dryRunData = applyDryRun.data as JsonRecord;
assert.equal(dryRunData.dryRun, true);
assert.equal(dryRunData.mutation, false);
assert.equal(((dryRunData.d601NativeK3sGuard as JsonRecord).injectedEnv as JsonRecord).KUBECONFIG, "/etc/rancher/k3s/k3s.yaml");
assert.equal((dryRunData.d601NativeK3sGuard as JsonRecord).requiredNodePresent, true);
assert.equal((dryRunData.controlledDryRun as JsonRecord).commandOk, true);
assert.equal(((dryRunData.hostCommanderOnlyLiveApply as JsonRecord).commandShape as unknown[]).includes("scripts/dev-cd-apply.mjs"), true);
const realApply = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
});
assert.equal(realApply.ok, false);
assert.equal((realApply.data as JsonRecord).error, "host-commander-only-real-apply");
const status = runCli([
"hwlab",
"cd",
"status",
"--env",
"dev",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
UNIDESK_HWLAB_CD_TEST_FRONTEND_LIVE_URL: liveBody,
UNIDESK_HWLAB_CD_TEST_API_LIVE_URL: apiBody,
});
assert.equal(status.ok, true);
const statusData = status.data as JsonRecord;
assert.equal(((statusData.d601NativeK3sGuard as JsonRecord).injectedEnv as JsonRecord).KUBECONFIG, "/etc/rancher/k3s/k3s.yaml");
assert.equal((statusData.liveRevisions as JsonRecord).status, "observed");
assert.ok(typeof statusData.dumpDir === "string" && String(statusData.dumpDir).includes(".state/hwlab-cd"));
const staleDefaultOk = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${staleDefaultBin}:${process.env.PATH ?? ""}`,
KUBECONFIG: "",
});
assert.equal(staleDefaultOk.ok, true);
const staleDefaultGuard = (staleDefaultOk.data as JsonRecord).d601NativeK3sGuard as JsonRecord;
assert.equal(staleDefaultGuard.status, "pass");
assert.equal(staleDefaultGuard.refusal, false);
assert.equal((staleDefaultGuard.defaultKubectlDiagnostic as JsonRecord).status, "stale-forbidden-default");
assert.deepEqual((staleDefaultGuard.defaultKubectlDiagnostic as JsonRecord).refusalSignals, ["docker-desktop", "desktop-control-plane", "127.0.0.1:11700"]);
const desktopRefusal = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${desktopBin}:${process.env.PATH ?? ""}`,
});
assert.equal(desktopRefusal.ok, false);
assert.equal((desktopRefusal.data as JsonRecord).error, "native-k3s-guard-refused");
assert.deepEqual((desktopRefusal.data as JsonRecord).d601NativeK3sGuard && ((desktopRefusal.data as JsonRecord).d601NativeK3sGuard as JsonRecord).refusalSignals, ["docker-desktop", "desktop-control-plane", "127.0.0.1:11700"]);
const wrongNodeBlocked = runCli([
"hwlab",
"cd",
"apply",
"--env",
"dev",
"--dry-run",
"--hwlab-repo",
fakeRepo,
], {
PATH: `${wrongNodeBin}:${process.env.PATH ?? ""}`,
});
assert.equal(wrongNodeBlocked.ok, true);
const wrongNodeGuard = (wrongNodeBlocked.data as JsonRecord).d601NativeK3sGuard as JsonRecord;
assert.equal(wrongNodeGuard.status, "blocked");
assert.equal(wrongNodeGuard.requiredNodePresent, false);
assert.equal(((wrongNodeBlocked.data as JsonRecord).blockers as JsonRecord[]).some((blocker) => blocker.scope === "d601-native-k3s-guard"), true);
console.log(JSON.stringify({ ok: true, checked: "hwlab-cd-wrapper-contract" }));