Add tests and implement timeline ingestion options with NATS and Redis subscribers

- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality. - Created `PackRunWorkerOptions` for configuring worker paths and execution persistence. - Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports. - Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events. - Developed `RedisTimelineEventSubscriber` for reading from Redis Streams. - Added `TimelineEnvelopeParser` to normalize incoming event envelopes. - Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping. - Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.
2025-12-03 09:46:48 +02:00
parent e923880694
commit 35c8f9216f
520 changed files with 4416 additions and 31492 deletions
--- a/ops/devops/docker/Dockerfile.console
+++ b/ops/devops/docker/Dockerfile.console
@@ -0,0 +1,40 @@
+# syntax=docker/dockerfile:1.7
+# Multi-stage Angular console image with non-root runtime (DOCKER-44-001)
+ARG NODE_IMAGE=node:20-bullseye-slim
+ARG NGINX_IMAGE=nginxinc/nginx-unprivileged:1.27-alpine
+ARG APP_DIR=src/UI/StellaOps.UI
+ARG DIST_DIR=dist
+ARG APP_PORT=8080
+
+FROM ${NODE_IMAGE} AS build
+ENV npm_config_fund=false npm_config_audit=false SOURCE_DATE_EPOCH=1704067200
+WORKDIR /app
+COPY ${APP_DIR}/package*.json ./
+RUN npm ci --prefer-offline --no-progress --cache .npm
+COPY ${APP_DIR}/ ./
+RUN npm run build -- --configuration=production --output-path=${DIST_DIR}
+
+FROM ${NGINX_IMAGE} AS runtime
+ARG APP_PORT
+ENV APP_PORT=${APP_PORT}
+USER 101
+WORKDIR /
+COPY --from=build /app/${DIST_DIR}/ /usr/share/nginx/html/
+COPY ops/devops/docker/healthcheck-frontend.sh /usr/local/bin/healthcheck-frontend.sh
+RUN rm -f /etc/nginx/conf.d/default.conf && \
+    cat > /etc/nginx/conf.d/default.conf <<CONF
+server {
+    listen ${APP_PORT};
+    listen [::]:${APP_PORT};
+    server_name _;
+    root /usr/share/nginx/html;
+    location / {
+        try_files $$uri $$uri/ /index.html;
+    }
+}
+CONF
+
+EXPOSE ${APP_PORT}
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD /usr/local/bin/healthcheck-frontend.sh
+CMD ["nginx","-g","daemon off;"]
--- a/ops/devops/docker/Dockerfile.hardened.template
+++ b/ops/devops/docker/Dockerfile.hardened.template
@@ -7,6 +7,7 @@ ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0-bookworm-slim
 ARG APP_PROJECT=src/Service/Service.csproj
 ARG CONFIGURATION=Release
 ARG PUBLISH_DIR=/app/publish
+ARG APP_BINARY=StellaOps.Service
 ARG APP_USER=stella
 ARG APP_UID=10001
 ARG APP_GID=10001
@@ -38,7 +39,8 @@ COPY --chown=${APP_UID}:${APP_GID} ops/devops/docker/healthcheck.sh /usr/local/b
 ENV ASPNETCORE_URLS=http://+:${APP_PORT} \
    DOTNET_EnableDiagnostics=0 \
    DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 \
-    COMPlus_EnableDiagnostics=0
+    COMPlus_EnableDiagnostics=0 \
+    APP_BINARY=${APP_BINARY}

 USER ${APP_UID}:${APP_GID}
 EXPOSE ${APP_PORT}
@@ -50,4 +52,5 @@ RUN chmod 500 /app && \
    find /app -maxdepth 1 -type f -exec chmod 400 {} \; && \
    find /app -maxdepth 1 -type d -exec chmod 500 {} \;

-ENTRYPOINT ["./StellaOps.Service"]
+# Use shell form so APP_BINARY env can be expanded without duplicating the template per service
+ENTRYPOINT ["sh","-c","exec ./\"$APP_BINARY\""]
--- a/ops/devops/docker/base-image-guidelines.md
+++ b/ops/devops/docker/base-image-guidelines.md
@@ -6,6 +6,7 @@ The reusable multi-stage scaffold lives at `ops/devops/docker/Dockerfile.hardene
 - .NET 10 SDK/runtime images provided via offline mirror (`SDK_IMAGE` / `RUNTIME_IMAGE`).
 - `APP_PROJECT` path to the service csproj.
 - `healthcheck.sh` copied from `ops/devops/docker/` (already referenced by the template).
+- Optional: `APP_BINARY` (assembly name, defaults to `StellaOps.Service`) and `APP_PORT`.

 Copy the template next to the service and set build args in CI (per-service matrix) to avoid maintaining divergent Dockerfiles.

@@ -41,7 +42,7 @@ USER ${APP_UID}:${APP_GID}
 EXPOSE ${APP_PORT}
 HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 CMD /usr/local/bin/healthcheck.sh
 RUN chmod 500 /app && find /app -maxdepth 1 -type f -exec chmod 400 {} \; && find /app -maxdepth 1 -type d -exec chmod 500 {} \;
-ENTRYPOINT ["./StellaOps.Service"]
+ENTRYPOINT ["sh","-c","exec ./\"$APP_BINARY\""]
 ```

 Build stage (per service) should:
@@ -56,6 +57,13 @@ Required checks:
 - Health endpoints exposed: `/health/liveness`, `/health/readiness`, `/version`, `/metrics`.
 - Image SBOM generated (syft) in pipeline; attach cosign attestations (see DOCKER-44-002).

+Service matrix & helper:
+- Build args for the core services are enumerated in `ops/devops/docker/services-matrix.env` (API, Console, Orchestrator, Task Runner, Concelier, Excititor, Policy, Notify, Export, AdvisoryAI).
+- `ops/devops/docker/build-all.sh` reads the matrix and builds/tag images from the shared template with consistent non-root/health defaults. Override `REGISTRY` and `TAG_SUFFIX` to publish.
+
+Console (Angular) image:
+- Use `ops/devops/docker/Dockerfile.console` for the UI (Angular v17). It builds with `node:20-bullseye-slim`, serves via `nginxinc/nginx-unprivileged`, includes `healthcheck-frontend.sh`, and runs as non-root UID 101. Build with `docker build -f ops/devops/docker/Dockerfile.console --build-arg APP_DIR=src/UI/StellaOps.UI .`.
+
 SBOM & attestation helper (DOCKER-44-002):
 - Script: `ops/devops/docker/sbom_attest.sh <image> [out-dir] [cosign-key]`
 - Emits SPDX (`*.spdx.json`) and CycloneDX (`*.cdx.json`) with `SOURCE_DATE_EPOCH` pinned for reproducibility.
--- a/ops/devops/docker/build-all.sh
+++ b/ops/devops/docker/build-all.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Build hardened images for the core services using the shared template/matrix (DOCKER-44-001)
+set -euo pipefail
+
+ROOT=${ROOT:-"$(git rev-parse --show-toplevel)"}
+MATRIX=${MATRIX:-"${ROOT}/ops/devops/docker/services-matrix.env"}
+REGISTRY=${REGISTRY:-"stellaops"}
+TAG_SUFFIX=${TAG_SUFFIX:-"dev"}
+SDK_IMAGE=${SDK_IMAGE:-"mcr.microsoft.com/dotnet/sdk:10.0-bookworm-slim"}
+RUNTIME_IMAGE=${RUNTIME_IMAGE:-"mcr.microsoft.com/dotnet/aspnet:10.0-bookworm-slim"}
+
+if [[ ! -f "${MATRIX}" ]]; then
+  echo "matrix file not found: ${MATRIX}" >&2
+  exit 1
+fi
+
+echo "Building services from ${MATRIX} -> ${REGISTRY}/<service>:${TAG_SUFFIX}" >&2
+
+while IFS='|' read -r service dockerfile project binary port; do
+  [[ -z "${service}" || "${service}" =~ ^# ]] && continue
+  image="${REGISTRY}/${service}:${TAG_SUFFIX}"
+  df_path="${ROOT}/${dockerfile}"
+  if [[ ! -f "${df_path}" ]]; then
+    echo "skipping ${service}: dockerfile missing (${df_path})" >&2
+    continue
+  fi
+
+  if [[ "${dockerfile}" == *"Dockerfile.console"* ]]; then
+    # Angular console build uses its dedicated Dockerfile
+    echo "[console] ${service} -> ${image}" >&2
+    docker build \
+      -f "${df_path}" "${ROOT}" \
+      --build-arg APP_DIR="${project}" \
+      --build-arg APP_PORT="${port}" \
+      -t "${image}"
+  else
+    echo "[service] ${service} -> ${image}" >&2
+    docker build \
+      -f "${df_path}" "${ROOT}" \
+      --build-arg SDK_IMAGE="${SDK_IMAGE}" \
+      --build-arg RUNTIME_IMAGE="${RUNTIME_IMAGE}" \
+      --build-arg APP_PROJECT="${project}" \
+      --build-arg APP_BINARY="${binary}" \
+      --build-arg APP_PORT="${port}" \
+      -t "${image}"
+  fi
+
+done < "${MATRIX}"
+
+echo "Build complete. Remember to enforce readOnlyRootFilesystem at deploy time and run sbom_attest.sh (DOCKER-44-002)." >&2
--- a/ops/devops/docker/healthcheck-frontend.sh
+++ b/ops/devops/docker/healthcheck-frontend.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -eu
+HOST="${HEALTH_HOST:-127.0.0.1}"
+PORT="${HEALTH_PORT:-8080}"
+PATH_CHECK="${HEALTH_PATH:-/}"
+USER_AGENT="stellaops-frontend-healthcheck"
+
+wget -qO- "http://${HOST}:${PORT}${PATH_CHECK}" \
+  --header="User-Agent: ${USER_AGENT}" \
+  --timeout="${HEALTH_TIMEOUT:-4}" >/dev/null
--- a/ops/devops/docker/services-matrix.env
+++ b/ops/devops/docker/services-matrix.env
@@ -0,0 +1,12 @@
+# service|dockerfile|project|binary|port
+# Paths are relative to repo root; dockerfile is usually the shared hardened template.
+api|ops/devops/docker/Dockerfile.hardened.template|src/VulnExplorer/StellaOps.VulnExplorer.Api/StellaOps.VulnExplorer.Api.csproj|StellaOps.VulnExplorer.Api|8080
+orchestrator|ops/devops/docker/Dockerfile.hardened.template|src/Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.csproj|StellaOps.Orchestrator.WebService|8080
+task-runner|ops/devops/docker/Dockerfile.hardened.template|src/Orchestrator/StellaOps.Orchestrator.Worker/StellaOps.Orchestrator.Worker.csproj|StellaOps.Orchestrator.Worker|8081
+concelier|ops/devops/docker/Dockerfile.hardened.template|src/Concelier/StellaOps.Concelier.WebService/StellaOps.Concelier.WebService.csproj|StellaOps.Concelier.WebService|8080
+excititor|ops/devops/docker/Dockerfile.hardened.template|src/Excititor/StellaOps.Excititor.WebService/StellaOps.Excititor.WebService.csproj|StellaOps.Excititor.WebService|8080
+policy|ops/devops/docker/Dockerfile.hardened.template|src/Policy/StellaOps.Policy.Gateway/StellaOps.Policy.Gateway.csproj|StellaOps.Policy.Gateway|8084
+notify|ops/devops/docker/Dockerfile.hardened.template|src/Notify/StellaOps.Notify.WebService/StellaOps.Notify.WebService.csproj|StellaOps.Notify.WebService|8080
+export|ops/devops/docker/Dockerfile.hardened.template|src/ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj|StellaOps.ExportCenter.WebService|8080
+advisoryai|ops/devops/docker/Dockerfile.hardened.template|src/AdvisoryAI/StellaOps.AdvisoryAI.WebService/StellaOps.AdvisoryAI.WebService.csproj|StellaOps.AdvisoryAI.WebService|8080
+console|ops/devops/docker/Dockerfile.console|src/UI/StellaOps.UI|StellaOps.UI|8080