doctor enhancements, setup, enhancements, ui functionality and design consolidation and , test projects fixes , product advisory attestation/rekor and delta verfications enhancements

2026-01-19 09:02:59 +02:00
parent 8c4bf54aed
commit 17419ba7c4
809 changed files with 170738 additions and 12244 deletions
--- a/examples/policies/opa/cve-gate-base_test.rego
+++ b/examples/policies/opa/cve-gate-base_test.rego
@@ -0,0 +1,103 @@
+# -----------------------------------------------------------------------------
+# cve-gate-base_test.rego
+# Tests for base attestation verification policy
+# -----------------------------------------------------------------------------
+
+package stellaops.gates.base
+
+import future.keywords.if
+
+# Test valid attestation with DSSE and Rekor
+test_valid_attestation_with_rekor if {
+    valid_attestation with input as {
+        "attestation": {
+            "dsse_envelope": {
+                "payloadType": "application/vnd.in-toto+json",
+                "payload": "eyJzdWJqZWN0IjpbXX0=",
+                "signatures": [{"keyid": "key-1", "sig": "abc123"}]
+            },
+            "rekor_entry": {
+                "log_index": 12345,
+                "integrated_time": 1705689600,
+                "inclusion_proof": {"root_hash": "abc", "tree_size": 100, "hashes": []}
+            },
+            "trusted_keys": ["key-1"]
+        },
+        "config": {"require_rekor": true}
+    }
+}
+
+# Test valid attestation without Rekor when not required
+test_valid_attestation_no_rekor_not_required if {
+    valid_attestation with input as {
+        "attestation": {
+            "dsse_envelope": {
+                "payloadType": "application/vnd.in-toto+json",
+                "payload": "eyJzdWJqZWN0IjpbXX0=",
+                "signatures": [{"keyid": "key-1", "sig": "abc123"}]
+            },
+            "trusted_keys": ["key-1"]
+        },
+        "config": {"require_rekor": false}
+    }
+}
+
+# Test invalid - missing DSSE envelope
+test_invalid_missing_dsse if {
+    not valid_attestation with input as {
+        "attestation": {},
+        "config": {}
+    }
+}
+
+# Test invalid - untrusted key
+test_invalid_untrusted_key if {
+    not valid_attestation with input as {
+        "attestation": {
+            "dsse_envelope": {
+                "payloadType": "application/vnd.in-toto+json",
+                "payload": "eyJzdWJqZWN0IjpbXX0=",
+                "signatures": [{"keyid": "untrusted-key", "sig": "abc123"}]
+            },
+            "trusted_keys": ["key-1"]
+        },
+        "config": {}
+    }
+}
+
+# Test invalid - Rekor required but missing
+test_invalid_rekor_required_but_missing if {
+    not valid_attestation with input as {
+        "attestation": {
+            "dsse_envelope": {
+                "payloadType": "application/vnd.in-toto+json",
+                "payload": "eyJzdWJqZWN0IjpbXX0=",
+                "signatures": [{"keyid": "key-1", "sig": "abc123"}]
+            },
+            "trusted_keys": ["key-1"]
+        },
+        "config": {"require_rekor": true}
+    }
+}
+
+# Test denial messages
+test_deny_missing_dsse if {
+    "Missing DSSE envelope in attestation" in deny with input as {
+        "attestation": {},
+        "config": {}
+    }
+}
+
+test_deny_no_valid_signature if {
+    "No valid signature from trusted key" in deny with input as {
+        "attestation": {
+            "dsse_envelope": {
+                "payloadType": "application/vnd.in-toto+json",
+                "payload": "eyJzdWJqZWN0IjpbXX0=",
+                "signatures": [{"keyid": "bad-key", "sig": "abc123"}]
+            },
+            "trusted_keys": ["key-1"]
+        },
+        "config": {}
+    }
+}