Skip to content

Commit 43d93f2

Browse files
synthesis: add kubeconfig leak examples
1 parent ecda7a4 commit 43d93f2

1 file changed

Lines changed: 28 additions & 0 deletions

File tree

rust/modality/src/cmds/synthesize.rs

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -493,6 +493,8 @@ const FORMULA_EXAMPLE_GROUPS: &[FormulaExampleGroup] = &[
493493
r#"always([+REVOKE_SERVICE_ACCOUNT_KEY] true -> eventually(<+NOTIFY_SERVICE_OWNER> true))"#,
494494
r#"always([+CONTAINER_REGISTRY_TOKEN_LEAKED] true -> (<+ROTATE_REGISTRY_TOKEN> true | <+DISABLE_REGISTRY_PUSH> true))"#,
495495
r#"always([+ROTATE_REGISTRY_TOKEN] true -> eventually(<+NOTIFY_REGISTRY_OWNER> true))"#,
496+
r#"always([+KUBECONFIG_LEAKED] true -> (<+ROTATE_CLUSTER_CREDENTIALS> true | <+DISABLE_CLUSTER_ACCESS> true))"#,
497+
r#"always([+ROTATE_CLUSTER_CREDENTIALS] true -> eventually(<+NOTIFY_CLUSTER_OWNER> true))"#,
496498
r#"next(<+APPROVE> true)"#,
497499
r#"next((<+APPROVE> true | [<+REJECT>] true))"#,
498500
r#"<+WAIT> true until <+APPROVE> true"#,
@@ -5005,6 +5007,18 @@ F2: formula generated_2 {
50055007
));
50065008
}
50075009

5010+
#[test]
5011+
fn synthesis_list_includes_kubeconfig_leak_prompt_examples() {
5012+
let output = synthesis_list_text();
5013+
5014+
assert!(output.contains(
5015+
"always([+KUBECONFIG_LEAKED] true -> (<+ROTATE_CLUSTER_CREDENTIALS> true | <+DISABLE_CLUSTER_ACCESS> true))"
5016+
));
5017+
assert!(output.contains(
5018+
"always([+ROTATE_CLUSTER_CREDENTIALS] true -> eventually(<+NOTIFY_CLUSTER_OWNER> true))"
5019+
));
5020+
}
5021+
50085022
#[test]
50095023
fn synthesis_list_includes_escrow_progression_prompt_examples() {
50105024
let output = synthesis_list_text();
@@ -14950,6 +14964,20 @@ gfp(X, []((X)) & ([<+ARCHIVE>] true))
1495014964
verify_synthesized_model(&model, &formulas).unwrap();
1495114965
}
1495214966

14967+
#[test]
14968+
fn verify_synthesized_model_accepts_kubeconfig_leak_prompt_examples() {
14969+
let formulas = parse_formula_strings(&[
14970+
"always([+KUBECONFIG_LEAKED] true -> (<+ROTATE_CLUSTER_CREDENTIALS> true | <+DISABLE_CLUSTER_ACCESS> true))"
14971+
.to_string(),
14972+
"always([+ROTATE_CLUSTER_CREDENTIALS] true -> eventually(<+NOTIFY_CLUSTER_OWNER> true))"
14973+
.to_string(),
14974+
]);
14975+
let model =
14976+
modality_lang::formula_synthesis::synthesize_from_formulas("KubeconfigLeak", &formulas);
14977+
14978+
verify_synthesized_model(&model, &formulas).unwrap();
14979+
}
14980+
1495314981
#[test]
1495414982
fn verify_synthesized_model_accepts_mixed_alternatives_with_signer_requirement() {
1495514983
let formulas = parse_formula_strings(&[

0 commit comments

Comments
 (0)