feat(ui): ship topology and trust admin cutover

2026-03-08 10:12:13 +02:00
parent 8b1fe49f35
commit 56143d12b7
19 changed files with 985 additions and 70 deletions
--- a/src/Web/StellaOps.Web/tests/e2e/topology-trust-admin-cutover.spec.ts
+++ b/src/Web/StellaOps.Web/tests/e2e/topology-trust-admin-cutover.spec.ts
@@ -0,0 +1,287 @@
+import { expect, test, type Page, type Route } from '@playwright/test';
+
+import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
+
+const operatorSession: StubAuthSession = {
+  subjectId: 'setup-e2e-user',
+  tenant: 'tenant-default',
+  scopes: [
+    'admin',
+    'ui.read',
+    'ui.admin',
+    'orch:read',
+    'orch:operate',
+    'release:read',
+    'signer:read',
+  ],
+};
+
+const mockConfig = {
+  authority: {
+    issuer: '/authority',
+    clientId: 'stella-ops-ui',
+    authorizeEndpoint: '/authority/connect/authorize',
+    tokenEndpoint: '/authority/connect/token',
+    logoutEndpoint: '/authority/connect/logout',
+    redirectUri: 'https://127.0.0.1:4400/auth/callback',
+    postLogoutRedirectUri: 'https://127.0.0.1:4400/',
+    scope: 'openid profile email ui.read',
+    audience: '/gateway',
+    dpopAlgorithms: ['ES256'],
+    refreshLeewaySeconds: 60,
+  },
+  apiBaseUrls: {
+    authority: '/authority',
+    scanner: '/scanner',
+    policy: '/policy',
+    concelier: '/concelier',
+    attestor: '/attestor',
+    gateway: '/gateway',
+  },
+  quickstartMode: true,
+  setup: 'complete',
+};
+
+const trustDashboardSummary = {
+  keys: {
+    total: 4,
+    active: 3,
+    expiringSoon: 1,
+    expired: 0,
+    revoked: 0,
+    pendingRotation: 0,
+  },
+  issuers: {
+    total: 2,
+    fullTrust: 1,
+    partialTrust: 1,
+    minimalTrust: 0,
+    untrusted: 0,
+    blocked: 0,
+    averageTrustScore: 89.5,
+  },
+  certificates: {
+    total: 3,
+    valid: 3,
+    expiringSoon: 0,
+    expired: 0,
+    revoked: 0,
+    invalidChains: 0,
+  },
+  recentEvents: [],
+  expiryAlerts: [],
+};
+
+const trustIssuers = {
+  items: [
+    {
+      issuerId: 'issuer-001',
+      tenantId: 'tenant-default',
+      name: 'github-security-advisories',
+      displayName: 'GitHub Security Advisories',
+      description: 'Official GitHub advisory issuer',
+      issuerType: 'csaf_publisher',
+      trustLevel: 'full',
+      trustScore: 95,
+      publicKeyFingerprints: ['SHA256:issuer-001'],
+      documentCount: 1200,
+      verificationCount: 1188,
+      weights: {
+        baseWeight: 80,
+        recencyFactor: 10,
+        verificationBonus: 15,
+        volumePenalty: 2,
+        manualAdjustment: 0,
+      },
+      validFrom: '2025-01-01T00:00:00Z',
+      lastVerifiedAt: '2026-03-08T06:00:00Z',
+      isActive: true,
+      createdAt: '2025-01-01T00:00:00Z',
+      updatedAt: '2026-03-08T06:00:00Z',
+    },
+  ],
+  pageNumber: 1,
+  pageSize: 20,
+  totalCount: 1,
+  totalPages: 1,
+};
+
+const topologyRegions = [
+  { regionId: 'eu-west', displayName: 'EU West', environmentCount: 1, targetCount: 2 },
+];
+
+const topologyEnvironments = [
+  {
+    environmentId: 'prod',
+    regionId: 'eu-west',
+    environmentType: 'prod',
+    displayName: 'Production',
+    targetCount: 2,
+  },
+];
+
+const topologyTargets = [
+  {
+    targetId: 'target-001',
+    environmentId: 'prod',
+    regionId: 'eu-west',
+    name: 'Gateway',
+    targetType: 'vm',
+    healthStatus: 'healthy',
+    agentId: 'agent-001',
+  },
+];
+
+const topologyAgents = [
+  {
+    agentId: 'agent-001',
+    agentName: 'Agent One',
+    regionId: 'eu-west',
+    environmentId: 'prod',
+    status: 'active',
+    assignedTargetCount: 2,
+  },
+];
+
+const promotionPaths = [
+  {
+    pathId: 'path-001',
+    regionId: 'eu-west',
+    sourceEnvironmentId: 'stage',
+    targetEnvironmentId: 'prod',
+    status: 'running',
+    requiredApprovals: 1,
+  },
+];
+
+async function fulfillJson(route: Route, body: unknown, status = 200): Promise<void> {
+  await route.fulfill({
+    status,
+    contentType: 'application/json',
+    body: JSON.stringify(body),
+  });
+}
+
+async function setupHarness(page: Page): Promise<void> {
+  await page.addInitScript((session) => {
+    (window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
+  }, operatorSession);
+
+  await page.route('**/api/**', (route) => fulfillJson(route, {}));
+  await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/platform/i18n/*.json', (route) => fulfillJson(route, {}));
+  await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/.well-known/openid-configuration', (route) =>
+    fulfillJson(route, {
+      issuer: 'https://127.0.0.1:4400/authority',
+      authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
+      token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
+      jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
+      response_types_supported: ['code'],
+      subject_types_supported: ['public'],
+      id_token_signing_alg_values_supported: ['RS256'],
+    }),
+  );
+  await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));
+  await page.route('**/console/branding**', (route) =>
+    fulfillJson(route, {
+      tenantId: operatorSession.tenant,
+      appName: 'Stella Ops',
+      logoUrl: null,
+      cssVariables: {},
+    }),
+  );
+  await page.route('**/console/profile**', (route) =>
+    fulfillJson(route, {
+      subjectId: operatorSession.subjectId,
+      username: 'setup-e2e',
+      displayName: 'Setup E2E',
+      tenant: operatorSession.tenant,
+      roles: ['platform-admin'],
+      scopes: operatorSession.scopes,
+    }),
+  );
+  await page.route('**/console/token/introspect**', (route) =>
+    fulfillJson(route, {
+      active: true,
+      tenant: operatorSession.tenant,
+      subject: operatorSession.subjectId,
+      scopes: operatorSession.scopes,
+    }),
+  );
+  await page.route('**/authority/console/tenants**', (route) =>
+    fulfillJson(route, {
+      tenants: [
+        {
+          tenantId: operatorSession.tenant,
+          displayName: 'Default Tenant',
+          isDefault: true,
+          isActive: true,
+        },
+      ],
+    }),
+  );
+  await page.route('**/api/v2/context/regions**', (route) =>
+    fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }]),
+  );
+  await page.route('**/api/v2/context/environments**', (route) =>
+    fulfillJson(route, [
+      {
+        environmentId: 'prod',
+        regionId: 'eu-west',
+        environmentType: 'prod',
+        displayName: 'Production',
+        sortOrder: 1,
+        enabled: true,
+      },
+    ]),
+  );
+  await page.route('**/api/v2/context/preferences**', (route) =>
+    fulfillJson(route, {
+      tenantId: operatorSession.tenant,
+      actorId: operatorSession.subjectId,
+      regions: ['eu-west'],
+      environments: ['prod'],
+      timeWindow: '24h',
+      stage: 'all',
+      updatedAt: '2026-03-08T07:00:00Z',
+      updatedBy: operatorSession.subjectId,
+    }),
+  );
+
+  await page.route(/\/api\/v1\/trust\/dashboard(?:\?.*)?$/, (route) => fulfillJson(route, trustDashboardSummary));
+  await page.route(/\/api\/v1\/trust\/issuers(?:\?.*)?$/, (route) => fulfillJson(route, trustIssuers));
+  await page.route(/\/api\/v2\/topology\/regions(?:\?.*)?$/, (route) => fulfillJson(route, topologyRegions));
+  await page.route(/\/api\/v2\/topology\/environments(?:\?.*)?$/, (route) =>
+    fulfillJson(route, topologyEnvironments),
+  );
+  await page.route(/\/api\/v2\/topology\/targets(?:\?.*)?$/, (route) => fulfillJson(route, topologyTargets));
+  await page.route(/\/api\/v2\/topology\/agents(?:\?.*)?$/, (route) => fulfillJson(route, topologyAgents));
+  await page.route(/\/api\/v2\/topology\/promotion-paths(?:\?.*)?$/, (route) =>
+    fulfillJson(route, promotionPaths),
+  );
+}
+
+test.beforeEach(async ({ page }) => {
+  await setupHarness(page);
+});
+
+test('topology and trust cutover keeps setup handoffs and legacy trust entry points usable', async ({ page }) => {
+  await page.goto('/settings/trust', { waitUntil: 'networkidle' });
+  await expect(page).toHaveURL(/\/setup\/trust-signing(?:\?.*)?$/);
+  await expect(page.getByRole('heading', { name: 'Trust Management' })).toBeVisible();
+  await page.getByRole('tab', { name: 'Trusted Issuers' }).click();
+  await expect(page).toHaveURL(/\/setup\/trust-signing\/issuers(?:\?.*)?$/);
+  await expect(page.getByText('GitHub Security Advisories')).toBeVisible();
+
+  await page.goto('/admin/trust', { waitUntil: 'networkidle' });
+  await expect(page).toHaveURL(/\/setup\/trust-signing(?:\?.*)?$/);
+  await expect(page.getByRole('tab', { name: 'Watchlist' })).toBeVisible();
+
+  await page.goto('/ops/platform-setup', { waitUntil: 'networkidle' });
+  const regionsCard = page.locator('.setup-home__card').filter({ hasText: 'Regions & Environments' });
+  await regionsCard.getByRole('link', { name: 'Open' }).click();
+  await expect(page).toHaveURL(/\/setup\/topology\/regions(?:\?.*)?$/);
+  await expect(page.getByRole('heading', { name: 'Topology' })).toBeVisible();
+  await expect(page.getByRole('heading', { name: 'Regions & Environments' })).toBeVisible();
+});