Add tests and implement timeline ingestion options with NATS and Redis subscribers

- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality. - Created `PackRunWorkerOptions` for configuring worker paths and execution persistence. - Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports. - Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events. - Developed `RedisTimelineEventSubscriber` for reading from Redis Streams. - Added `TimelineEnvelopeParser` to normalize incoming event envelopes. - Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping. - Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.
2025-12-03 09:46:48 +02:00
parent e923880694
commit 35c8f9216f
520 changed files with 4416 additions and 31492 deletions
--- a/src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleJob.cs
+++ b/src/ExportCenter/StellaOps.ExportCenter.RiskBundles/RiskBundleJob.cs
@@ -1,3 +1,6 @@
+using System.Text;
+using System.Text.Json;
+using System.Text.Json.Serialization;
 using Microsoft.Extensions.Logging;

 namespace StellaOps.ExportCenter.RiskBundles;
@@ -14,25 +17,30 @@ public sealed record RiskBundleJobOutcome(
    RiskBundleStorageMetadata ManifestStorage,
    RiskBundleStorageMetadata ManifestSignatureStorage,
    RiskBundleStorageMetadata BundleStorage,
+    RiskBundleStorageMetadata BundleSignatureStorage,
    string ManifestJson,
    string ManifestSignatureJson,
+    string BundleSignature,
    string RootHash);

 public sealed class RiskBundleJob
 {
    private readonly RiskBundleBuilder _builder;
    private readonly IRiskBundleManifestSigner _signer;
+    private readonly IRiskBundleArchiveSigner _archiveSigner;
    private readonly IRiskBundleObjectStore _objectStore;
    private readonly ILogger<RiskBundleJob> _logger;

    public RiskBundleJob(
        RiskBundleBuilder builder,
        IRiskBundleManifestSigner signer,
+        IRiskBundleArchiveSigner archiveSigner,
        IRiskBundleObjectStore objectStore,
        ILogger<RiskBundleJob> logger)
    {
        _builder = builder ?? throw new ArgumentNullException(nameof(builder));
        _signer = signer ?? throw new ArgumentNullException(nameof(signer));
+        _archiveSigner = archiveSigner ?? throw new ArgumentNullException(nameof(archiveSigner));
        _objectStore = objectStore ?? throw new ArgumentNullException(nameof(objectStore));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
    }
@@ -42,43 +50,61 @@ public sealed class RiskBundleJob
        ArgumentNullException.ThrowIfNull(request);
        cancellationToken.ThrowIfCancellationRequested();

-        var build = _builder.Build(request.BuildRequest, cancellationToken);
-        _logger.LogInformation("Risk bundle built with {ProviderCount} providers.", build.Manifest.Providers.Count);
+        var bundleFileName = string.IsNullOrWhiteSpace(request.BundleFileName)
+            ? "risk-bundle.tar.gz"
+            : request.BundleFileName;

-        var signature = await _signer.SignAsync(build.ManifestJson, cancellationToken).ConfigureAwait(false);
-        var signatureJson = System.Text.Json.JsonSerializer.Serialize(signature, new System.Text.Json.JsonSerializerOptions
+        var prepared = _builder.Prepare(request.BuildRequest, cancellationToken);
+        _logger.LogInformation("Risk bundle built with {ProviderCount} providers (prepared).", prepared.Manifest.Providers.Count);
+
+        var manifestSignature = await _signer.SignAsync(prepared.ManifestJson, cancellationToken).ConfigureAwait(false);
+        var signatureJson = JsonSerializer.Serialize(manifestSignature, SerializerOptions);
+
+        var additionalFiles = new[]
        {
-            PropertyNamingPolicy = System.Text.Json.JsonNamingPolicy.CamelCase,
-            DefaultIgnoreCondition = System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull,
-            WriteIndented = false
-        });
+            RiskBundleAdditionalFile.FromText($"signatures/{request.BuildRequest.ManifestDsseFileName}", signatureJson)
+        };
+
+        var build = _builder.Build(request.BuildRequest, additionalFiles, prepared, cancellationToken);
+
+        var bundleSignature = await _archiveSigner.SignArchiveAsync(build.BundleStream, cancellationToken).ConfigureAwait(false);
+        var bundleSignatureFileName = $"{bundleFileName}.sig";

        var manifestKey = Combine(request.StoragePrefix, request.BuildRequest.ManifestFileName);
-        var manifestSigKey = Combine(request.StoragePrefix, request.BuildRequest.ManifestDsseFileName);
-        var bundleKey = Combine(request.StoragePrefix, request.BundleFileName);
+        var manifestSigKey = Combine(request.StoragePrefix, $"signatures/{request.BuildRequest.ManifestDsseFileName}");
+        var bundleKey = Combine(request.StoragePrefix, bundleFileName);
+        var bundleSigKey = Combine(request.StoragePrefix, $"signatures/{bundleSignatureFileName}");

        var manifestStorage = await _objectStore.StoreAsync(
            new RiskBundleObjectStoreOptions(manifestKey, "application/json"),
-            new MemoryStream(System.Text.Encoding.UTF8.GetBytes(build.ManifestJson)),
+            new MemoryStream(Encoding.UTF8.GetBytes(build.ManifestJson)),
            cancellationToken).ConfigureAwait(false);

        var signatureStorage = await _objectStore.StoreAsync(
            new RiskBundleObjectStoreOptions(manifestSigKey, "application/json"),
-            new MemoryStream(System.Text.Encoding.UTF8.GetBytes(signatureJson)),
+            new MemoryStream(Encoding.UTF8.GetBytes(signatureJson)),
            cancellationToken).ConfigureAwait(false);

+        build.BundleStream.Position = 0;
        var bundleStorage = await _objectStore.StoreAsync(
            new RiskBundleObjectStoreOptions(bundleKey, "application/gzip"),
            build.BundleStream,
            cancellationToken).ConfigureAwait(false);

+        var bundleSignatureStorage = await _objectStore.StoreAsync(
+            new RiskBundleObjectStoreOptions(bundleSigKey, "application/vnd.stellaops.signature"),
+            new MemoryStream(Encoding.UTF8.GetBytes(bundleSignature)),
+            cancellationToken).ConfigureAwait(false);
+
        return new RiskBundleJobOutcome(
            build.Manifest,
            manifestStorage,
            signatureStorage,
            bundleStorage,
+            bundleSignatureStorage,
            build.ManifestJson,
            signatureJson,
+            bundleSignature,
            build.RootHash);
    }

@@ -94,4 +120,11 @@ public sealed class RiskBundleJob
            ? fileName
            : $"{sanitizedPrefix}/{fileName}";
    }
+
+    private static readonly JsonSerializerOptions SerializerOptions = new()
+    {
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+        DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
+        WriteIndented = false
+    };
 }