feat(ui): ship reachability witnessing shell

2026-03-07 19:44:25 +02:00
parent 536d3fe6bd
commit 1088ae1bc4
29 changed files with 3858 additions and 1288 deletions
--- a/src/Web/StellaOps.Web/tests/e2e/reachability-witnessing.spec.ts
+++ b/src/Web/StellaOps.Web/tests/e2e/reachability-witnessing.spec.ts
@@ -0,0 +1,265 @@
+import { expect, test, type Page, type Route } from '@playwright/test';
+
+import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
+
+const adminSession: StubAuthSession = {
+  subjectId: 'reachability-e2e-user',
+  tenant: 'tenant-default',
+  scopes: [
+    'admin',
+    'ui.read',
+    'scanner:read',
+    'sbom:read',
+    'advisory:read',
+    'vex:read',
+    'exception:read',
+    'findings:read',
+    'vuln:view',
+    'release:read',
+    'policy:read',
+    'policy:audit',
+  ],
+};
+
+const mockConfig = {
+  authority: {
+    issuer: '/authority',
+    clientId: 'stella-ops-ui',
+    authorizeEndpoint: '/authority/connect/authorize',
+    tokenEndpoint: '/authority/connect/token',
+    logoutEndpoint: '/authority/connect/logout',
+    redirectUri: 'https://127.0.0.1:4400/auth/callback',
+    postLogoutRedirectUri: 'https://127.0.0.1:4400/',
+    scope: 'openid profile email ui.read',
+    audience: '/gateway',
+    dpopAlgorithms: ['ES256'],
+    refreshLeewaySeconds: 60,
+  },
+  apiBaseUrls: {
+    authority: '/authority',
+    scanner: '/scanner',
+    policy: '/policy',
+    concelier: '/concelier',
+    attestor: '/attestor',
+    gateway: '/gateway',
+  },
+  quickstartMode: true,
+  setup: 'complete',
+};
+
+const witnessFixtures = [
+  {
+    witnessId: 'wit-api-001',
+    scanId: 'scan-release-orchestrator-prod',
+    tenantId: 'tenant-default',
+    vulnId: 'finding-api-001',
+    cveId: 'CVE-2026-4001',
+    packageName: 'api-gateway',
+    packageVersion: '1.8.4',
+    purl: 'pkg:oci/api-gateway@sha256:api001',
+    confidenceTier: 'confirmed',
+    confidenceScore: 0.94,
+    isReachable: true,
+    callPath: [
+      { nodeId: 'n-api-1', symbol: 'IngressController.route()', file: 'src/ingress/controller.ts', line: 18 },
+      { nodeId: 'n-api-2', symbol: 'AuthContext.load()', file: 'src/auth/context.ts', line: 44 },
+      { nodeId: 'n-api-3', symbol: 'ReleaseResolver.resolve()', file: 'src/release/resolver.ts', line: 91 },
+    ],
+    entrypoint: {
+      nodeId: 'n-api-1',
+      symbol: 'IngressController.route()',
+      file: 'src/ingress/controller.ts',
+      line: 18,
+      httpRoute: '/releases/{id}',
+      httpMethod: 'GET',
+    },
+    sink: {
+      nodeId: 'n-api-4',
+      symbol: 'JacksonDeserializer.readValue()',
+      package: 'com.fasterxml.jackson.databind',
+      method: 'readValue',
+    },
+    gates: [
+      {
+        gateType: 'auth',
+        symbol: 'jwt.required',
+        confidence: 0.91,
+        description: 'JWT auth gate precedes the vulnerable parser path.',
+        file: 'src/auth/context.ts',
+        line: 22,
+      },
+    ],
+    evidence: {
+      analysisMethod: 'hybrid',
+      toolVersion: 'reachability-ui-fixture-v2',
+      callGraphHash: 'blake3:api-gateway-callgraph',
+      surfaceHash: 'sha256:api-gateway-surface',
+      dsseUri: '/evidence/capsules/cap-api-001',
+      rekorUri: 'https://rekor.example.dev/entries/498201',
+      callGraphUri: '/security/reachability?graph=api-gateway',
+      artifacts: [
+        { type: 'call-graph', hash: 'blake3:api-gateway-callgraph', algorithm: 'blake3', uri: '/security/reachability?graph=api-gateway' },
+      ],
+    },
+    signature: {
+      algorithm: 'ed25519',
+      keyId: 'reachability-signer-1',
+      signature: 'sig-api-001',
+      verified: true,
+      verifiedAt: '2026-03-07T15:20:00Z',
+    },
+    observedAt: '2026-03-07T15:14:00Z',
+    vexRecommendation: 'affected',
+    runtimeEvidence: {
+      available: true,
+      source: 'ebpf',
+      lastObservedAt: '2026-03-07T15:14:00Z',
+      invocationCount: 182,
+      confirmsStatic: true,
+      observationType: 'confirmed',
+      rekorLogIndex: 498201,
+      isStale: false,
+      containerContext: {
+        containerId: 'ctr-api-11',
+        imageDigest: 'sha256:api001',
+        environment: 'prod-eu',
+      },
+    },
+  },
+];
+
+async function fulfillJson(route: Route, body: unknown): Promise<void> {
+  await route.fulfill({
+    status: 200,
+    contentType: 'application/json',
+    body: JSON.stringify(body),
+  });
+}
+
+async function setupHarness(page: Page): Promise<void> {
+  await page.addInitScript((session) => {
+    (window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
+  }, adminSession);
+
+  await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/.well-known/openid-configuration', (route) =>
+    fulfillJson(route, {
+      issuer: 'https://127.0.0.1:4400/authority',
+      authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
+      token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
+      jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
+      response_types_supported: ['code'],
+      subject_types_supported: ['public'],
+      id_token_signing_alg_values_supported: ['RS256'],
+    })
+  );
+  await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));
+  await page.route('**/console/profile**', (route) =>
+    fulfillJson(route, {
+      subjectId: adminSession.subjectId,
+      username: 'reachability-e2e',
+      displayName: 'Reachability E2E',
+      tenant: adminSession.tenant,
+      roles: ['admin'],
+      scopes: adminSession.scopes,
+    })
+  );
+  await page.route('**/console/token/introspect**', (route) =>
+    fulfillJson(route, {
+      active: true,
+      tenant: adminSession.tenant,
+      subject: adminSession.subjectId,
+      scopes: adminSession.scopes,
+    })
+  );
+  await page.route('**/api/v2/context/regions', (route) =>
+    fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }])
+  );
+  await page.route('**/api/v2/context/environments**', (route) =>
+    fulfillJson(route, [
+      {
+        environmentId: 'prod',
+        regionId: 'eu-west',
+        environmentType: 'prod',
+        displayName: 'Prod',
+        sortOrder: 1,
+        enabled: true,
+      },
+    ])
+  );
+  await page.route('**/api/v2/context/preferences', (route) =>
+    fulfillJson(route, {
+      tenantId: adminSession.tenant,
+      actorId: adminSession.subjectId,
+      regions: ['eu-west'],
+      environments: ['prod'],
+      timeWindow: '24h',
+      stage: 'all',
+      updatedAt: '2026-03-07T12:00:00Z',
+      updatedBy: adminSession.subjectId,
+    })
+  );
+  await page.route('**/doctor/api/v1/doctor/trends**', (route) => fulfillJson(route, []));
+  await page.route('**/api/v1/approvals**', (route) => fulfillJson(route, []));
+  await page.route('**/api/v1/witnesses?*', (route) =>
+    fulfillJson(route, {
+      witnesses: witnessFixtures,
+      total: witnessFixtures.length,
+      page: 1,
+      pageSize: 50,
+      hasMore: false,
+    })
+  );
+  await page.route('**/api/v1/witnesses/wit-api-001', (route) =>
+    fulfillJson(route, witnessFixtures[0])
+  );
+  await page.route('**/api/v1/witnesses/wit-api-001/verify', (route) =>
+    fulfillJson(route, {
+      witnessId: 'wit-api-001',
+      verified: true,
+      algorithm: 'ed25519',
+      keyId: 'reachability-signer-1',
+      verifiedAt: '2026-03-07T16:30:00Z',
+    })
+  );
+}
+
+test.beforeEach(async ({ page }) => {
+  await setupHarness(page);
+});
+
+test('reachability shell, witness detail, and PoE permalink stay in one canonical flow', async ({ page }) => {
+  await page.goto('/security/reachability/witnesses?search=CVE-2026-4001', {
+    waitUntil: 'networkidle',
+  });
+
+  await expect(page.getByTestId('reachability-page')).toBeVisible();
+  await expect(page.getByTestId('reachability-tab-witnesses')).toHaveClass(/active/);
+  await expect(page.getByTestId('witness-row')).toHaveCount(1);
+
+  await page.getByRole('link', { name: 'Open witness' }).click();
+  await expect(page).toHaveURL(/\/security\/reachability\/witnesses\/wit-api-001/);
+  await expect(page.getByTestId('witness-page')).toBeVisible();
+
+  await page.getByTestId('open-poe-btn').click();
+  await expect(page.getByTestId('poe-drawer')).toHaveClass(/poe-drawer--open/);
+  await page.getByTestId('poe-drawer-close').click();
+
+  await page.getByRole('button', { name: 'Permalink' }).click();
+  await expect(page).toHaveURL(/\/security\/reachability\/poe\/cve-2026-4001/);
+  await expect(page.getByTestId('poe-drawer')).toHaveClass(/poe-drawer--open/);
+});
+
+test('verify and replay hands off into the canonical reachability witness workspace', async ({ page }) => {
+  await page.goto('/evidence/verify-replay?releaseId=rel-ops-42&runId=run-ops-42&requestId=rr-003', {
+    waitUntil: 'networkidle',
+  });
+
+  await expect(page.getByText('Context:')).toBeVisible();
+  await page.getByRole('button', { name: 'Open reachability proof' }).click();
+
+  await expect(page).toHaveURL(/\/security\/reachability\/witnesses/);
+  await expect(page.url()).toContain('returnTo=%2Fevidence%2Fverify-replay%3FrequestId%3Drr-003%26releaseId%3Drel-ops-42%26runId%3Drun-ops-42');
+  await expect(page.getByTestId('reachability-page')).toBeVisible();
+});