diff --git a/tests/unit/test_f212_upgrade_convergence.py b/tests/unit/test_f212_upgrade_convergence.py new file mode 100644 index 0000000..6d09244 --- /dev/null +++ b/tests/unit/test_f212_upgrade_convergence.py @@ -0,0 +1,76 @@ +"""Unit tests for the F2-12 owned upgrade-convergence wait (P7-negative / non-vacuousness). + +F2-12 fix: the upgrade chaos redeploy runs with `abra … -c` (skips abra's own convergence monitor), +and the harness OWNS the verification via `lifecycle.wait_healthy` (services N/N + app HEALTH_PATH) +then `lifecycle.wait_ready_probes` (recipe READY_PROBE, e.g. collabora WOPI discovery → 200). Skipping +abra's monitor is only acceptable if the replacement genuinely FAILS a broken convergence rather than +green-washing it (plan §7.1 / Adversary pre-claim recon 2026-05-29). These tests prove exactly that, +deterministically (fake clock, no deploy): + - wait_ready_probes RAISES when the probe never returns an OK status (stuck service). + - wait_ready_probes RETURNS when the probe reaches OK (and is a no-op without a READY_PROBE). + - wait_healthy RAISES when services never converge, and when they converge but HTTP never serves OK. +So `-c` + owned-wait is non-vacuous: a genuinely-broken upgrade stays RED. +""" + +from __future__ import annotations + +import os +import sys + +import pytest + +sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner")) +from harness import lifecycle as lc # noqa: E402 + + +def _fake_clock(monkeypatch): + """Install a fake monotonic clock on lifecycle.time so sleeps advance it without real waiting.""" + state = {"t": 1000.0} + monkeypatch.setattr(lc.time, "time", lambda: state["t"]) + monkeypatch.setattr(lc.time, "sleep", lambda s: state.__setitem__("t", state["t"] + s)) + return state + + +_DRIVE_META = { + "READY_PROBE": lambda d: [{"host": f"collabora-{d}", "path": "/hosting/discovery", "ok": (200,)}] +} + + +def test_wait_ready_probes_raises_when_never_ready(monkeypatch): + """A READY_PROBE that never returns 200 (collabora discovery wedged) must raise TimeoutError — + NOT silently pass. This is what makes `-c` + owned-wait catch a genuinely stuck upgrade.""" + _fake_clock(monkeypatch) + monkeypatch.setattr(lc, "http_get", lambda host, path="/", timeout=15: 404) + with pytest.raises(TimeoutError): + lc.wait_ready_probes(_DRIVE_META, "lasu-x.ci.commoninternet.net", timeout=120) + + +def test_wait_ready_probes_returns_when_ready(monkeypatch): + """When the probe reaches 200, it returns (no raise).""" + _fake_clock(monkeypatch) + monkeypatch.setattr(lc, "http_get", lambda host, path="/", timeout=15: 200) + lc.wait_ready_probes(_DRIVE_META, "lasu-x.ci.commoninternet.net", timeout=120) # no raise + + +def test_wait_ready_probes_noop_without_probe(monkeypatch): + """A recipe with no READY_PROBE is a clean no-op (default behavior preserved for all recipes).""" + monkeypatch.setattr(lc, "http_get", lambda *a, **k: 599) # would fail if it were consulted + lc.wait_ready_probes({}, "x.ci.commoninternet.net", timeout=1) # no raise, no call + + +def test_wait_healthy_raises_when_services_never_converge(monkeypatch): + """If swarm services never reach N/N, wait_healthy must raise (the upgrade op then fails the tier).""" + _fake_clock(monkeypatch) + monkeypatch.setattr(lc, "services_converged", lambda domain: False) + monkeypatch.setattr(lc, "http_get", lambda *a, **k: 200) # irrelevant; convergence gates first + with pytest.raises(TimeoutError): + lc.wait_healthy("x.ci.commoninternet.net", deploy_timeout=60, http_timeout=60) + + +def test_wait_healthy_raises_when_converged_but_never_serves(monkeypatch): + """Services converged but the app never returns an OK status → wait_healthy raises (non-vacuous).""" + _fake_clock(monkeypatch) + monkeypatch.setattr(lc, "services_converged", lambda domain: True) + monkeypatch.setattr(lc, "http_get", lambda *a, **k: 502) + with pytest.raises(TimeoutError): + lc.wait_healthy("x.ci.commoninternet.net", ok_codes=(200,), deploy_timeout=60, http_timeout=60)