feat: Document completed tasks for KMS, Cryptography, and Plugin Libraries

- Added detailed task completion records for KMS interface implementation and CLI support for file-based keys. - Documented security enhancements including Argon2id password hashing, audit event contracts, and rate limiting configurations. - Included scoped service support and integration updates for the Plugin platform, ensuring proper DI handling and testing coverage.
2025-10-31 14:37:45 +02:00
parent 240e8ff25d
commit 15b4a1de6a
312 changed files with 6399 additions and 3319 deletions
--- a/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/PlatformEventSamplesTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/PlatformEventSamplesTests.cs
@@ -34,8 +34,8 @@ public sealed class PlatformEventSamplesTests
        Assert.NotEqual(Guid.Empty, orchestratorEvent.EventId);
        Assert.NotNull(orchestratorEvent.Payload);

-        AssertCanonical(json, orchestratorEvent);
        AssertReportConsistency(orchestratorEvent);
+        AssertCanonical(json, orchestratorEvent);
    }

    private static void AssertCanonical(string originalJson, OrchestratorEvent orchestratorEvent)
@@ -58,18 +58,38 @@ public sealed class PlatformEventSamplesTests
                Assert.Equal(ready.ReportId, ready.Report.ReportId);
                Assert.Equal(ready.ScanId, ready.Report.ReportId);
                AssertDsseMatchesReport(ready.Dsse, ready.Report);
-                Assert.False(string.IsNullOrWhiteSpace(ready.Links.Ui));
-                Assert.False(string.IsNullOrWhiteSpace(ready.Links.Report));
-                Assert.False(string.IsNullOrWhiteSpace(ready.Links.Attestation));
+                Assert.NotNull(ready.Links.Report);
+                Assert.False(string.IsNullOrWhiteSpace(ready.Links.Report!.Ui));
+                Assert.False(string.IsNullOrWhiteSpace(ready.Links.Report!.Api));
+                if (ready.Links.Policy is not null)
+                {
+                    Assert.False(string.IsNullOrWhiteSpace(ready.Links.Policy.Ui));
+                    Assert.False(string.IsNullOrWhiteSpace(ready.Links.Policy.Api));
+                }
+                if (ready.Links.Attestation is not null)
+                {
+                    Assert.False(string.IsNullOrWhiteSpace(ready.Links.Attestation.Ui));
+                    Assert.False(string.IsNullOrWhiteSpace(ready.Links.Attestation.Api));
+                }
                break;
            case ScanCompletedEventPayload completed:
                Assert.Equal(completed.ReportId, completed.Report.ReportId);
                Assert.Equal(completed.ScanId, completed.Report.ReportId);
                AssertDsseMatchesReport(completed.Dsse, completed.Report);
                Assert.NotEmpty(completed.Findings);
-                Assert.False(string.IsNullOrWhiteSpace(completed.Links.Ui));
-                Assert.False(string.IsNullOrWhiteSpace(completed.Links.Report));
-                Assert.False(string.IsNullOrWhiteSpace(completed.Links.Attestation));
+                Assert.NotNull(completed.Links.Report);
+                Assert.False(string.IsNullOrWhiteSpace(completed.Links.Report!.Ui));
+                Assert.False(string.IsNullOrWhiteSpace(completed.Links.Report!.Api));
+                if (completed.Links.Policy is not null)
+                {
+                    Assert.False(string.IsNullOrWhiteSpace(completed.Links.Policy.Ui));
+                    Assert.False(string.IsNullOrWhiteSpace(completed.Links.Policy.Api));
+                }
+                if (completed.Links.Attestation is not null)
+                {
+                    Assert.False(string.IsNullOrWhiteSpace(completed.Links.Attestation.Ui));
+                    Assert.False(string.IsNullOrWhiteSpace(completed.Links.Attestation.Api));
+                }
                break;
            default:
                throw new InvalidOperationException($"Unexpected payload type {orchestratorEvent.Payload.GetType().Name}.");
@@ -118,6 +138,16 @@ public sealed class PlatformEventSamplesTests
            _ => throw new InvalidOperationException("Unexpected event kind.")
        };

+        if (payload is ReportReadyEventPayload readyPayload && string.IsNullOrEmpty(readyPayload.ReportId))
+        {
+            throw new InvalidOperationException("ReportId was not parsed from sample payload.");
+        }
+
+        if (payload is ScanCompletedEventPayload completedPayload && string.IsNullOrEmpty(completedPayload.ReportId))
+        {
+            throw new InvalidOperationException("ReportId was not parsed from scan completed payload.");
+        }
+
        return new OrchestratorEvent
        {
            EventId = Guid.Parse(root["eventId"]!.GetValue<string>()),
--- a/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ReportEventDispatcherTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ReportEventDispatcherTests.cs
@@ -10,9 +10,11 @@ using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
 using StellaOps.Auth.Abstractions;
 using StellaOps.Policy;
 using StellaOps.Scanner.WebService.Contracts;
+using StellaOps.Scanner.WebService.Options;
 using StellaOps.Scanner.WebService.Services;

 namespace StellaOps.Scanner.WebService.Tests;
@@ -28,7 +30,7 @@ public sealed class ReportEventDispatcherTests
    public async Task PublishAsync_EmitsReportReadyAndScanCompleted()
    {
        var publisher = new RecordingEventPublisher();
-        var dispatcher = new ReportEventDispatcher(publisher, TimeProvider.System, NullLogger<ReportEventDispatcher>.Instance);
+        var dispatcher = new ReportEventDispatcher(publisher, Microsoft.Extensions.Options.Options.Create(new ScannerWebServiceOptions()), TimeProvider.System, NullLogger<ReportEventDispatcher>.Instance);
        var cancellationToken = CancellationToken.None;

        var request = new ReportRequestDto
@@ -132,10 +134,12 @@ public sealed class ReportEventDispatcherTests
        Assert.NotNull(readyPayload.Delta);
        Assert.Equal(1, readyPayload.Delta?.NewCritical);
        Assert.Contains("CVE-2024-9999", readyPayload.Delta?.Kev ?? Array.Empty<string>());
-        Assert.Equal("https://scanner.example/ui/reports/report-abc", readyPayload.Links.Ui);
-        Assert.Equal("https://scanner.example/api/v1/reports/report-abc", readyPayload.Links.Report);
-        Assert.Equal("https://scanner.example/api/v1/policy/revisions/rev-42", readyPayload.Links.Policy);
-        Assert.Equal("https://scanner.example/ui/attestations/report-abc", readyPayload.Links.Attestation);
+        Assert.Equal("https://scanner.example/ui/reports/report-abc", readyPayload.Links.Report?.Ui);
+        Assert.Equal("https://scanner.example/api/v1/reports/report-abc", readyPayload.Links.Report?.Api);
+        Assert.Equal("https://scanner.example/ui/policy/revisions/rev-42", readyPayload.Links.Policy?.Ui);
+        Assert.Equal("https://scanner.example/api/v1/policy/revisions/rev-42", readyPayload.Links.Policy?.Api);
+        Assert.Equal("https://scanner.example/ui/attestations/report-abc", readyPayload.Links.Attestation?.Ui);
+        Assert.Equal("https://scanner.example/api/v1/reports/report-abc/attestation", readyPayload.Links.Attestation?.Api);
        Assert.Equal(envelope.Payload, readyPayload.Dsse?.Payload);
        Assert.Equal("blocked", readyPayload.Report.Verdict);

@@ -151,9 +155,12 @@ public sealed class ReportEventDispatcherTests
        Assert.Equal("finding-1", finding.Id);
        Assert.Equal("runtime", finding.Reachability);
        Assert.Equal("CVE-2024-9999", finding.Cve);
-        Assert.Equal("https://scanner.example/api/v1/reports/report-abc", scanPayload.Links.Report);
-        Assert.Equal("https://scanner.example/api/v1/policy/revisions/rev-42", scanPayload.Links.Policy);
-        Assert.Equal("https://scanner.example/ui/attestations/report-abc", scanPayload.Links.Attestation);
+        Assert.Equal("https://scanner.example/api/v1/reports/report-abc", scanPayload.Links.Report?.Api);
+        Assert.Equal("https://scanner.example/ui/reports/report-abc", scanPayload.Links.Report?.Ui);
+        Assert.Equal("https://scanner.example/ui/policy/revisions/rev-42", scanPayload.Links.Policy?.Ui);
+        Assert.Equal("https://scanner.example/api/v1/policy/revisions/rev-42", scanPayload.Links.Policy?.Api);
+        Assert.Equal("https://scanner.example/ui/attestations/report-abc", scanPayload.Links.Attestation?.Ui);
+        Assert.Equal("https://scanner.example/api/v1/reports/report-abc/attestation", scanPayload.Links.Attestation?.Api);
        Assert.Equal(envelope.Payload, scanPayload.Dsse?.Payload);
        Assert.Equal("blocked", scanPayload.Report.Verdict);
    }
--- a/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ReportsEndpointsTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ReportsEndpointsTests.cs
@@ -218,23 +218,28 @@ rules:
        Assert.Equal("sha256:cafebabe", ready.Scope?.Digest);
        Assert.NotNull(readyPayload.Dsse);
        Assert.Equal(readyPayload.ReportId, readyPayload.Report.ReportId);
-        Assert.Equal("http://localhost/ui/reports/" + readyPayload.ReportId, readyPayload.Links.Ui);
-        Assert.Equal("http://localhost/api/v1/reports/" + readyPayload.ReportId, readyPayload.Links.Report);
+        Assert.Equal("http://localhost/ui/reports/" + readyPayload.ReportId, readyPayload.Links.Report?.Ui);
+        Assert.Equal("http://localhost/api/v1/reports/" + readyPayload.ReportId, readyPayload.Links.Report?.Api);
        if (!string.IsNullOrWhiteSpace(revisionId))
        {
-            Assert.Equal("http://localhost/api/v1/policy/revisions/" + revisionId, readyPayload.Links.Policy);
+            Assert.Equal("http://localhost/ui/policy/revisions/" + revisionId, readyPayload.Links.Policy?.Ui);
+            Assert.Equal("http://localhost/api/v1/policy/revisions/" + revisionId, readyPayload.Links.Policy?.Api);
        }
-        Assert.Equal("http://localhost/ui/attestations/" + readyPayload.ReportId, readyPayload.Links.Attestation);
+        Assert.Equal("http://localhost/ui/attestations/" + readyPayload.ReportId, readyPayload.Links.Attestation?.Ui);
+        Assert.Equal("http://localhost/api/v1/reports/" + readyPayload.ReportId + "/attestation", readyPayload.Links.Attestation?.Api);

        Assert.Equal("fail", completedPayload.Verdict);
        Assert.NotEmpty(completedPayload.Findings);
        Assert.Equal("finding-42", completedPayload.Findings[0].Id);
-        Assert.Equal("http://localhost/api/v1/reports/" + completedPayload.ReportId, completedPayload.Links.Report);
+        Assert.Equal("http://localhost/api/v1/reports/" + completedPayload.ReportId, completedPayload.Links.Report?.Api);
+        Assert.Equal("http://localhost/ui/reports/" + completedPayload.ReportId, completedPayload.Links.Report?.Ui);
        if (!string.IsNullOrWhiteSpace(revisionId))
        {
-            Assert.Equal("http://localhost/api/v1/policy/revisions/" + revisionId, completedPayload.Links.Policy);
+            Assert.Equal("http://localhost/ui/policy/revisions/" + revisionId, completedPayload.Links.Policy?.Ui);
+            Assert.Equal("http://localhost/api/v1/policy/revisions/" + revisionId, completedPayload.Links.Policy?.Api);
        }
-        Assert.Equal("http://localhost/ui/attestations/" + completedPayload.ReportId, completedPayload.Links.Attestation);
+        Assert.Equal("http://localhost/ui/attestations/" + completedPayload.ReportId, completedPayload.Links.Attestation?.Ui);
+        Assert.Equal("http://localhost/api/v1/reports/" + completedPayload.ReportId + "/attestation", completedPayload.Links.Attestation?.Api);
    }

    private sealed class RecordingPlatformEventPublisher : IPlatformEventPublisher