Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories

- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management. - Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management. - Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support. - Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
2025-12-16 16:40:19 +02:00
parent 415eff1207
commit 2170a58734
206 changed files with 30547 additions and 534 deletions
--- a/src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/AlertContracts.cs
+++ b/src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/AlertContracts.cs
@@ -325,6 +325,47 @@ public sealed record VexStatusChange
    public required DateTimeOffset Timestamp { get; init; }
 }

+/// <summary>
+/// Request to verify an evidence bundle.
+/// Sprint: SPRINT_3602_0001_0001 - Task 10
+/// </summary>
+public sealed record BundleVerificationRequest
+{
+    [JsonPropertyName("bundle_hash")]
+    public required string BundleHash { get; init; }
+
+    [JsonPropertyName("signature")]
+    public string? Signature { get; init; }
+}
+
+/// <summary>
+/// Response for bundle verification.
+/// Sprint: SPRINT_3602_0001_0001 - Task 10
+/// </summary>
+public sealed record BundleVerificationResponse
+{
+    [JsonPropertyName("alert_id")]
+    public required string AlertId { get; init; }
+
+    [JsonPropertyName("is_valid")]
+    public required bool IsValid { get; init; }
+
+    [JsonPropertyName("verified_at")]
+    public required DateTimeOffset VerifiedAt { get; init; }
+
+    [JsonPropertyName("signature_valid")]
+    public bool SignatureValid { get; init; }
+
+    [JsonPropertyName("hash_valid")]
+    public bool HashValid { get; init; }
+
+    [JsonPropertyName("chain_valid")]
+    public bool ChainValid { get; init; }
+
+    [JsonPropertyName("errors")]
+    public IReadOnlyList<string>? Errors { get; init; }
+}
+
 /// <summary>
 /// Bundle verification result.
 /// </summary>
--- a/src/Findings/StellaOps.Findings.Ledger.WebService/Program.cs
+++ b/src/Findings/StellaOps.Findings.Ledger.WebService/Program.cs
@@ -1677,6 +1677,77 @@ app.MapGet("/v1/alerts/{alertId}/audit", async Task<Results<JsonHttpResult<Audit
 .Produces(StatusCodes.Status404NotFound)
 .ProducesProblem(StatusCodes.Status400BadRequest);

+// Sprint: SPRINT_3602_0001_0001 - Task 9: Bundle download endpoint
+app.MapGet("/v1/alerts/{alertId}/bundle", async Task<Results<FileStreamHttpResult, NotFound, ProblemHttpResult>> (
+    string alertId,
+    [FromServices] IAlertService alertService,
+    [FromServices] IEvidenceBundleService bundleService,
+    CancellationToken cancellationToken) =>
+{
+    var alert = await alertService.GetAlertAsync(alertId, cancellationToken).ConfigureAwait(false);
+    if (alert is null)
+    {
+        return TypedResults.NotFound();
+    }
+
+    var bundle = await bundleService.CreateBundleAsync(alertId, cancellationToken).ConfigureAwait(false);
+    if (bundle is null)
+    {
+        return TypedResults.Problem(
+            detail: "Failed to create evidence bundle",
+            statusCode: StatusCodes.Status500InternalServerError);
+    }
+
+    return TypedResults.File(
+        bundle.Content,
+        contentType: "application/gzip",
+        fileDownloadName: $"evidence-{alertId}.tar.gz");
+})
+.WithName("DownloadAlertBundle")
+.RequireAuthorization(AlertReadPolicy)
+.Produces<FileStreamHttpResult>(StatusCodes.Status200OK, "application/gzip")
+.Produces(StatusCodes.Status404NotFound)
+.ProducesProblem(StatusCodes.Status400BadRequest);
+
+// Sprint: SPRINT_3602_0001_0001 - Task 10: Bundle verify endpoint
+app.MapPost("/v1/alerts/{alertId}/bundle/verify", async Task<Results<Ok<BundleVerificationResponse>, NotFound, ProblemHttpResult>> (
+    string alertId,
+    [FromBody] BundleVerificationRequest request,
+    [FromServices] IAlertService alertService,
+    [FromServices] IEvidenceBundleService bundleService,
+    CancellationToken cancellationToken) =>
+{
+    var alert = await alertService.GetAlertAsync(alertId, cancellationToken).ConfigureAwait(false);
+    if (alert is null)
+    {
+        return TypedResults.NotFound();
+    }
+
+    var result = await bundleService.VerifyBundleAsync(
+        alertId,
+        request.BundleHash,
+        request.Signature,
+        cancellationToken).ConfigureAwait(false);
+
+    var response = new BundleVerificationResponse
+    {
+        AlertId = alertId,
+        IsValid = result.IsValid,
+        VerifiedAt = DateTimeOffset.UtcNow,
+        SignatureValid = result.SignatureValid,
+        HashValid = result.HashValid,
+        ChainValid = result.ChainValid,
+        Errors = result.Errors
+    };
+
+    return TypedResults.Ok(response);
+})
+.WithName("VerifyAlertBundle")
+.RequireAuthorization(AlertReadPolicy)
+.Produces(StatusCodes.Status200OK)
+.Produces(StatusCodes.Status404NotFound)
+.ProducesProblem(StatusCodes.Status400BadRequest);
+
 app.MapPost("/v1/vex-consensus/issuers", async Task<Results<Created<VexIssuerDetailResponse>, ProblemHttpResult>> (
    RegisterVexIssuerRequest request,
    VexConsensusService consensusService,