up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
This commit is contained in:
StellaOps Bot
@@ -1,65 +1,65 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Diagnostics;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using Microsoft.AspNetCore.Builder;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.AspNetCore.Routing;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using Microsoft.AspNetCore.Builder;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.AspNetCore.Routing;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.Extensions.Options;
|
||||
using StellaOps.Scanner.WebService.Diagnostics;
|
||||
using StellaOps.Scanner.WebService.Options;
|
||||
using StellaOps.Scanner.Surface.Env;
|
||||
using StellaOps.Scanner.Surface.Validation;
|
||||
|
||||
namespace StellaOps.Scanner.WebService.Endpoints;
|
||||
|
||||
internal static class HealthEndpoints
|
||||
{
|
||||
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web);
|
||||
|
||||
public static void MapHealthEndpoints(this IEndpointRouteBuilder endpoints)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(endpoints);
|
||||
|
||||
var group = endpoints.MapGroup("/");
|
||||
group.MapGet("/healthz", HandleHealth)
|
||||
.WithName("scanner.health")
|
||||
.Produces<HealthDocument>(StatusCodes.Status200OK)
|
||||
.AllowAnonymous();
|
||||
|
||||
group.MapGet("/readyz", HandleReady)
|
||||
.WithName("scanner.ready")
|
||||
.Produces<ReadyDocument>(StatusCodes.Status200OK)
|
||||
.AllowAnonymous();
|
||||
}
|
||||
|
||||
private static IResult HandleHealth(
|
||||
ServiceStatus status,
|
||||
IOptions<ScannerWebServiceOptions> options,
|
||||
HttpContext context)
|
||||
{
|
||||
ApplyNoCache(context.Response);
|
||||
|
||||
var snapshot = status.CreateSnapshot();
|
||||
var uptimeSeconds = Math.Max((snapshot.CapturedAt - snapshot.StartedAt).TotalSeconds, 0d);
|
||||
|
||||
var telemetry = new TelemetrySnapshot(
|
||||
Enabled: options.Value.Telemetry.Enabled,
|
||||
Logging: options.Value.Telemetry.EnableLogging,
|
||||
Metrics: options.Value.Telemetry.EnableMetrics,
|
||||
Tracing: options.Value.Telemetry.EnableTracing);
|
||||
|
||||
var document = new HealthDocument(
|
||||
Status: "healthy",
|
||||
StartedAt: snapshot.StartedAt,
|
||||
CapturedAt: snapshot.CapturedAt,
|
||||
UptimeSeconds: uptimeSeconds,
|
||||
Telemetry: telemetry);
|
||||
|
||||
return Json(document, StatusCodes.Status200OK);
|
||||
}
|
||||
|
||||
|
||||
namespace StellaOps.Scanner.WebService.Endpoints;
|
||||
|
||||
internal static class HealthEndpoints
|
||||
{
|
||||
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web);
|
||||
|
||||
public static void MapHealthEndpoints(this IEndpointRouteBuilder endpoints)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(endpoints);
|
||||
|
||||
var group = endpoints.MapGroup("/");
|
||||
group.MapGet("/healthz", HandleHealth)
|
||||
.WithName("scanner.health")
|
||||
.Produces<HealthDocument>(StatusCodes.Status200OK)
|
||||
.AllowAnonymous();
|
||||
|
||||
group.MapGet("/readyz", HandleReady)
|
||||
.WithName("scanner.ready")
|
||||
.Produces<ReadyDocument>(StatusCodes.Status200OK)
|
||||
.AllowAnonymous();
|
||||
}
|
||||
|
||||
private static IResult HandleHealth(
|
||||
ServiceStatus status,
|
||||
IOptions<ScannerWebServiceOptions> options,
|
||||
HttpContext context)
|
||||
{
|
||||
ApplyNoCache(context.Response);
|
||||
|
||||
var snapshot = status.CreateSnapshot();
|
||||
var uptimeSeconds = Math.Max((snapshot.CapturedAt - snapshot.StartedAt).TotalSeconds, 0d);
|
||||
|
||||
var telemetry = new TelemetrySnapshot(
|
||||
Enabled: options.Value.Telemetry.Enabled,
|
||||
Logging: options.Value.Telemetry.EnableLogging,
|
||||
Metrics: options.Value.Telemetry.EnableMetrics,
|
||||
Tracing: options.Value.Telemetry.EnableTracing);
|
||||
|
||||
var document = new HealthDocument(
|
||||
Status: "healthy",
|
||||
StartedAt: snapshot.StartedAt,
|
||||
CapturedAt: snapshot.CapturedAt,
|
||||
UptimeSeconds: uptimeSeconds,
|
||||
Telemetry: telemetry);
|
||||
|
||||
return Json(document, StatusCodes.Status200OK);
|
||||
}
|
||||
|
||||
private static async Task<IResult> HandleReady(
|
||||
ServiceStatus status,
|
||||
ISurfaceValidatorRunner validatorRunner,
|
||||
@@ -123,36 +123,36 @@ internal static class HealthEndpoints
|
||||
var statusCode = success ? StatusCodes.Status200OK : StatusCodes.Status503ServiceUnavailable;
|
||||
return Json(document, statusCode);
|
||||
}
|
||||
|
||||
private static void ApplyNoCache(HttpResponse response)
|
||||
{
|
||||
response.Headers.CacheControl = "no-store, no-cache, max-age=0, must-revalidate";
|
||||
response.Headers.Pragma = "no-cache";
|
||||
response.Headers["Expires"] = "0";
|
||||
}
|
||||
|
||||
private static IResult Json<T>(T value, int statusCode)
|
||||
{
|
||||
var payload = JsonSerializer.Serialize(value, JsonOptions);
|
||||
return Results.Content(payload, "application/json", Encoding.UTF8, statusCode);
|
||||
}
|
||||
|
||||
internal sealed record TelemetrySnapshot(
|
||||
bool Enabled,
|
||||
bool Logging,
|
||||
bool Metrics,
|
||||
bool Tracing);
|
||||
|
||||
internal sealed record HealthDocument(
|
||||
string Status,
|
||||
DateTimeOffset StartedAt,
|
||||
DateTimeOffset CapturedAt,
|
||||
double UptimeSeconds,
|
||||
TelemetrySnapshot Telemetry);
|
||||
|
||||
internal sealed record ReadyDocument(
|
||||
string Status,
|
||||
DateTimeOffset CheckedAt,
|
||||
double? LatencyMs,
|
||||
string? Error);
|
||||
}
|
||||
|
||||
private static void ApplyNoCache(HttpResponse response)
|
||||
{
|
||||
response.Headers.CacheControl = "no-store, no-cache, max-age=0, must-revalidate";
|
||||
response.Headers.Pragma = "no-cache";
|
||||
response.Headers["Expires"] = "0";
|
||||
}
|
||||
|
||||
private static IResult Json<T>(T value, int statusCode)
|
||||
{
|
||||
var payload = JsonSerializer.Serialize(value, JsonOptions);
|
||||
return Results.Content(payload, "application/json", Encoding.UTF8, statusCode);
|
||||
}
|
||||
|
||||
internal sealed record TelemetrySnapshot(
|
||||
bool Enabled,
|
||||
bool Logging,
|
||||
bool Metrics,
|
||||
bool Tracing);
|
||||
|
||||
internal sealed record HealthDocument(
|
||||
string Status,
|
||||
DateTimeOffset StartedAt,
|
||||
DateTimeOffset CapturedAt,
|
||||
double UptimeSeconds,
|
||||
TelemetrySnapshot Telemetry);
|
||||
|
||||
internal sealed record ReadyDocument(
|
||||
string Status,
|
||||
DateTimeOffset CheckedAt,
|
||||
double? LatencyMs,
|
||||
string? Error);
|
||||
}
|
||||
|
||||
@@ -1,88 +1,88 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Collections.Immutable;
|
||||
using System.Collections.ObjectModel;
|
||||
using System.Linq;
|
||||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using System.Text.Json.Serialization;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.AspNetCore.Routing;
|
||||
using StellaOps.Policy;
|
||||
using StellaOps.Scanner.Surface.Env;
|
||||
using StellaOps.Scanner.WebService.Constants;
|
||||
using StellaOps.Scanner.WebService.Contracts;
|
||||
using StellaOps.Scanner.WebService.Infrastructure;
|
||||
using StellaOps.Scanner.WebService.Security;
|
||||
using StellaOps.Scanner.WebService.Services;
|
||||
using StellaOps.Zastava.Core.Contracts;
|
||||
using RuntimePolicyVerdict = StellaOps.Zastava.Core.Contracts.PolicyVerdict;
|
||||
|
||||
namespace StellaOps.Scanner.WebService.Endpoints;
|
||||
|
||||
#pragma warning disable ASPDEPR002
|
||||
|
||||
internal static class PolicyEndpoints
|
||||
{
|
||||
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
|
||||
{
|
||||
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
|
||||
};
|
||||
public static void MapPolicyEndpoints(this RouteGroupBuilder apiGroup, string policySegment)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(apiGroup);
|
||||
|
||||
var policyGroup = apiGroup
|
||||
.MapGroup(NormalizeSegment(policySegment))
|
||||
.WithTags("Policy");
|
||||
|
||||
policyGroup.MapGet("/schema", HandleSchemaAsync)
|
||||
.WithName("scanner.policy.schema")
|
||||
.Produces(StatusCodes.Status200OK)
|
||||
.RequireAuthorization(ScannerPolicies.Reports)
|
||||
.WithOpenApi(operation =>
|
||||
{
|
||||
operation.Summary = "Retrieve the embedded policy JSON schema.";
|
||||
operation.Description = "Returns the policy schema (`policy-schema@1`) used to validate YAML or JSON rulesets.";
|
||||
return operation;
|
||||
});
|
||||
|
||||
policyGroup.MapPost("/diagnostics", HandleDiagnosticsAsync)
|
||||
.WithName("scanner.policy.diagnostics")
|
||||
.Produces<PolicyDiagnosticsResponseDto>(StatusCodes.Status200OK)
|
||||
.Produces(StatusCodes.Status400BadRequest)
|
||||
.RequireAuthorization(ScannerPolicies.Reports)
|
||||
.WithOpenApi(operation =>
|
||||
{
|
||||
operation.Summary = "Run policy diagnostics.";
|
||||
operation.Description = "Accepts YAML or JSON policy content and returns normalization issues plus recommendations (ignore rules, VEX include/exclude, vendor precedence).";
|
||||
return operation;
|
||||
});
|
||||
|
||||
policyGroup.MapPost("/preview", HandlePreviewAsync)
|
||||
.WithName("scanner.policy.preview")
|
||||
.Produces<PolicyPreviewResponseDto>(StatusCodes.Status200OK)
|
||||
.Produces(StatusCodes.Status400BadRequest)
|
||||
.RequireAuthorization(ScannerPolicies.Reports)
|
||||
.WithOpenApi(operation =>
|
||||
{
|
||||
operation.Summary = "Preview policy impact against findings.";
|
||||
operation.Description = "Evaluates the supplied findings against the active or proposed policy, returning diffs, quieted verdicts, and actionable validation messages.";
|
||||
return operation;
|
||||
});
|
||||
|
||||
policyGroup.MapPost("/runtime", HandleRuntimePolicyAsync)
|
||||
.WithName("scanner.policy.runtime")
|
||||
.Produces<RuntimePolicyResponseDto>(StatusCodes.Status200OK)
|
||||
.Produces(StatusCodes.Status400BadRequest)
|
||||
.RequireAuthorization(ScannerPolicies.Reports)
|
||||
.WithOpenApi(operation =>
|
||||
{
|
||||
operation.Summary = "Evaluate runtime policy for digests.";
|
||||
operation.Description = "Returns per-image policy verdicts, signature and SBOM metadata, and cache hints for admission controllers.";
|
||||
return operation;
|
||||
});
|
||||
|
||||
using System.Collections.Generic;
|
||||
using System.Collections.Immutable;
|
||||
using System.Collections.ObjectModel;
|
||||
using System.Linq;
|
||||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using System.Text.Json.Serialization;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.AspNetCore.Routing;
|
||||
using StellaOps.Policy;
|
||||
using StellaOps.Scanner.Surface.Env;
|
||||
using StellaOps.Scanner.WebService.Constants;
|
||||
using StellaOps.Scanner.WebService.Contracts;
|
||||
using StellaOps.Scanner.WebService.Infrastructure;
|
||||
using StellaOps.Scanner.WebService.Security;
|
||||
using StellaOps.Scanner.WebService.Services;
|
||||
using StellaOps.Zastava.Core.Contracts;
|
||||
using RuntimePolicyVerdict = StellaOps.Zastava.Core.Contracts.PolicyVerdict;
|
||||
|
||||
namespace StellaOps.Scanner.WebService.Endpoints;
|
||||
|
||||
#pragma warning disable ASPDEPR002
|
||||
|
||||
internal static class PolicyEndpoints
|
||||
{
|
||||
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
|
||||
{
|
||||
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
|
||||
};
|
||||
public static void MapPolicyEndpoints(this RouteGroupBuilder apiGroup, string policySegment)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(apiGroup);
|
||||
|
||||
var policyGroup = apiGroup
|
||||
.MapGroup(NormalizeSegment(policySegment))
|
||||
.WithTags("Policy");
|
||||
|
||||
policyGroup.MapGet("/schema", HandleSchemaAsync)
|
||||
.WithName("scanner.policy.schema")
|
||||
.Produces(StatusCodes.Status200OK)
|
||||
.RequireAuthorization(ScannerPolicies.Reports)
|
||||
.WithOpenApi(operation =>
|
||||
{
|
||||
operation.Summary = "Retrieve the embedded policy JSON schema.";
|
||||
operation.Description = "Returns the policy schema (`policy-schema@1`) used to validate YAML or JSON rulesets.";
|
||||
return operation;
|
||||
});
|
||||
|
||||
policyGroup.MapPost("/diagnostics", HandleDiagnosticsAsync)
|
||||
.WithName("scanner.policy.diagnostics")
|
||||
.Produces<PolicyDiagnosticsResponseDto>(StatusCodes.Status200OK)
|
||||
.Produces(StatusCodes.Status400BadRequest)
|
||||
.RequireAuthorization(ScannerPolicies.Reports)
|
||||
.WithOpenApi(operation =>
|
||||
{
|
||||
operation.Summary = "Run policy diagnostics.";
|
||||
operation.Description = "Accepts YAML or JSON policy content and returns normalization issues plus recommendations (ignore rules, VEX include/exclude, vendor precedence).";
|
||||
return operation;
|
||||
});
|
||||
|
||||
policyGroup.MapPost("/preview", HandlePreviewAsync)
|
||||
.WithName("scanner.policy.preview")
|
||||
.Produces<PolicyPreviewResponseDto>(StatusCodes.Status200OK)
|
||||
.Produces(StatusCodes.Status400BadRequest)
|
||||
.RequireAuthorization(ScannerPolicies.Reports)
|
||||
.WithOpenApi(operation =>
|
||||
{
|
||||
operation.Summary = "Preview policy impact against findings.";
|
||||
operation.Description = "Evaluates the supplied findings against the active or proposed policy, returning diffs, quieted verdicts, and actionable validation messages.";
|
||||
return operation;
|
||||
});
|
||||
|
||||
policyGroup.MapPost("/runtime", HandleRuntimePolicyAsync)
|
||||
.WithName("scanner.policy.runtime")
|
||||
.Produces<RuntimePolicyResponseDto>(StatusCodes.Status200OK)
|
||||
.Produces(StatusCodes.Status400BadRequest)
|
||||
.RequireAuthorization(ScannerPolicies.Reports)
|
||||
.WithOpenApi(operation =>
|
||||
{
|
||||
operation.Summary = "Evaluate runtime policy for digests.";
|
||||
operation.Description = "Returns per-image policy verdicts, signature and SBOM metadata, and cache hints for admission controllers.";
|
||||
return operation;
|
||||
});
|
||||
|
||||
policyGroup.MapPost("/overlay", HandlePolicyOverlayAsync)
|
||||
.WithName("scanner.policy.overlay")
|
||||
.Produces<PolicyOverlayResponseDto>(StatusCodes.Status200OK)
|
||||
@@ -107,184 +107,184 @@ internal static class PolicyEndpoints
|
||||
return operation;
|
||||
});
|
||||
}
|
||||
|
||||
private static IResult HandleSchemaAsync(HttpContext context)
|
||||
{
|
||||
var schema = PolicySchemaResource.ReadSchemaJson();
|
||||
return Results.Text(schema, "application/schema+json", Encoding.UTF8);
|
||||
}
|
||||
|
||||
private static IResult HandleDiagnosticsAsync(
|
||||
PolicyDiagnosticsRequestDto request,
|
||||
TimeProvider timeProvider,
|
||||
HttpContext context)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(request);
|
||||
ArgumentNullException.ThrowIfNull(timeProvider);
|
||||
|
||||
if (request.Policy is null || string.IsNullOrWhiteSpace(request.Policy.Content))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid policy diagnostics request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "Policy content is required for diagnostics.");
|
||||
}
|
||||
|
||||
var format = PolicyDtoMapper.ParsePolicyFormat(request.Policy.Format);
|
||||
var binding = PolicyBinder.Bind(request.Policy.Content, format);
|
||||
var diagnostics = PolicyDiagnostics.Create(binding, timeProvider);
|
||||
|
||||
var response = new PolicyDiagnosticsResponseDto
|
||||
{
|
||||
Success = diagnostics.ErrorCount == 0,
|
||||
Version = diagnostics.Version,
|
||||
RuleCount = diagnostics.RuleCount,
|
||||
ErrorCount = diagnostics.ErrorCount,
|
||||
WarningCount = diagnostics.WarningCount,
|
||||
GeneratedAt = diagnostics.GeneratedAt,
|
||||
Issues = diagnostics.Issues.Select(PolicyDtoMapper.ToIssueDto).ToImmutableArray(),
|
||||
Recommendations = diagnostics.Recommendations
|
||||
};
|
||||
|
||||
return Json(response);
|
||||
}
|
||||
|
||||
private static async Task<IResult> HandlePreviewAsync(
|
||||
PolicyPreviewRequestDto request,
|
||||
PolicyPreviewService previewService,
|
||||
HttpContext context,
|
||||
CancellationToken cancellationToken)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(request);
|
||||
ArgumentNullException.ThrowIfNull(previewService);
|
||||
|
||||
if (string.IsNullOrWhiteSpace(request.ImageDigest))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid policy preview request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "imageDigest is required.");
|
||||
}
|
||||
|
||||
if (!request.ImageDigest.Contains(':', StringComparison.Ordinal))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid policy preview request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "imageDigest must include algorithm prefix (e.g. sha256:...).");
|
||||
}
|
||||
|
||||
if (request.Findings is not null)
|
||||
{
|
||||
var missingIds = request.Findings.Any(f => string.IsNullOrWhiteSpace(f.Id));
|
||||
if (missingIds)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid policy preview request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "All findings must include an id value.");
|
||||
}
|
||||
}
|
||||
|
||||
var domainRequest = PolicyDtoMapper.ToDomain(request);
|
||||
var response = await previewService.PreviewAsync(domainRequest, cancellationToken).ConfigureAwait(false);
|
||||
var payload = PolicyDtoMapper.ToDto(response);
|
||||
return Json(payload);
|
||||
}
|
||||
|
||||
|
||||
private static IResult HandleSchemaAsync(HttpContext context)
|
||||
{
|
||||
var schema = PolicySchemaResource.ReadSchemaJson();
|
||||
return Results.Text(schema, "application/schema+json", Encoding.UTF8);
|
||||
}
|
||||
|
||||
private static IResult HandleDiagnosticsAsync(
|
||||
PolicyDiagnosticsRequestDto request,
|
||||
TimeProvider timeProvider,
|
||||
HttpContext context)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(request);
|
||||
ArgumentNullException.ThrowIfNull(timeProvider);
|
||||
|
||||
if (request.Policy is null || string.IsNullOrWhiteSpace(request.Policy.Content))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid policy diagnostics request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "Policy content is required for diagnostics.");
|
||||
}
|
||||
|
||||
var format = PolicyDtoMapper.ParsePolicyFormat(request.Policy.Format);
|
||||
var binding = PolicyBinder.Bind(request.Policy.Content, format);
|
||||
var diagnostics = PolicyDiagnostics.Create(binding, timeProvider);
|
||||
|
||||
var response = new PolicyDiagnosticsResponseDto
|
||||
{
|
||||
Success = diagnostics.ErrorCount == 0,
|
||||
Version = diagnostics.Version,
|
||||
RuleCount = diagnostics.RuleCount,
|
||||
ErrorCount = diagnostics.ErrorCount,
|
||||
WarningCount = diagnostics.WarningCount,
|
||||
GeneratedAt = diagnostics.GeneratedAt,
|
||||
Issues = diagnostics.Issues.Select(PolicyDtoMapper.ToIssueDto).ToImmutableArray(),
|
||||
Recommendations = diagnostics.Recommendations
|
||||
};
|
||||
|
||||
return Json(response);
|
||||
}
|
||||
|
||||
private static async Task<IResult> HandlePreviewAsync(
|
||||
PolicyPreviewRequestDto request,
|
||||
PolicyPreviewService previewService,
|
||||
HttpContext context,
|
||||
CancellationToken cancellationToken)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(request);
|
||||
ArgumentNullException.ThrowIfNull(previewService);
|
||||
|
||||
if (string.IsNullOrWhiteSpace(request.ImageDigest))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid policy preview request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "imageDigest is required.");
|
||||
}
|
||||
|
||||
if (!request.ImageDigest.Contains(':', StringComparison.Ordinal))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid policy preview request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "imageDigest must include algorithm prefix (e.g. sha256:...).");
|
||||
}
|
||||
|
||||
if (request.Findings is not null)
|
||||
{
|
||||
var missingIds = request.Findings.Any(f => string.IsNullOrWhiteSpace(f.Id));
|
||||
if (missingIds)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid policy preview request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "All findings must include an id value.");
|
||||
}
|
||||
}
|
||||
|
||||
var domainRequest = PolicyDtoMapper.ToDomain(request);
|
||||
var response = await previewService.PreviewAsync(domainRequest, cancellationToken).ConfigureAwait(false);
|
||||
var payload = PolicyDtoMapper.ToDto(response);
|
||||
return Json(payload);
|
||||
}
|
||||
|
||||
private static async Task<IResult> HandleRuntimePolicyAsync(
|
||||
RuntimePolicyRequestDto request,
|
||||
IRuntimePolicyService runtimePolicyService,
|
||||
HttpContext context,
|
||||
CancellationToken cancellationToken)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(request);
|
||||
ArgumentNullException.ThrowIfNull(runtimePolicyService);
|
||||
|
||||
if (request.Images is null || request.Images.Count == 0)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime policy request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "images collection must include at least one digest.");
|
||||
}
|
||||
|
||||
var normalizedImages = new List<string>();
|
||||
var seen = new HashSet<string>(StringComparer.Ordinal);
|
||||
foreach (var image in request.Images)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(image))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime policy request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "Image digests must be non-empty.");
|
||||
}
|
||||
|
||||
var trimmed = image.Trim();
|
||||
if (!trimmed.Contains(':', StringComparison.Ordinal))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime policy request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "Image digests must include an algorithm prefix (e.g. sha256:...).");
|
||||
}
|
||||
|
||||
if (seen.Add(trimmed))
|
||||
{
|
||||
normalizedImages.Add(trimmed);
|
||||
}
|
||||
}
|
||||
|
||||
if (normalizedImages.Count == 0)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime policy request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "images collection must include at least one unique digest.");
|
||||
}
|
||||
|
||||
var namespaceValue = string.IsNullOrWhiteSpace(request.Namespace) ? null : request.Namespace.Trim();
|
||||
var normalizedLabels = new Dictionary<string, string>(StringComparer.Ordinal);
|
||||
if (request.Labels is not null)
|
||||
{
|
||||
foreach (var pair in request.Labels)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(pair.Key))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
var key = pair.Key.Trim();
|
||||
var value = pair.Value?.Trim() ?? string.Empty;
|
||||
normalizedLabels[key] = value;
|
||||
}
|
||||
}
|
||||
|
||||
var evaluationRequest = new RuntimePolicyEvaluationRequest(
|
||||
namespaceValue,
|
||||
new ReadOnlyDictionary<string, string>(normalizedLabels),
|
||||
normalizedImages);
|
||||
|
||||
var evaluation = await runtimePolicyService.EvaluateAsync(evaluationRequest, cancellationToken).ConfigureAwait(false);
|
||||
|
||||
var resultPayload = MapRuntimePolicyResponse(evaluation);
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(request);
|
||||
ArgumentNullException.ThrowIfNull(runtimePolicyService);
|
||||
|
||||
if (request.Images is null || request.Images.Count == 0)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime policy request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "images collection must include at least one digest.");
|
||||
}
|
||||
|
||||
var normalizedImages = new List<string>();
|
||||
var seen = new HashSet<string>(StringComparer.Ordinal);
|
||||
foreach (var image in request.Images)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(image))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime policy request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "Image digests must be non-empty.");
|
||||
}
|
||||
|
||||
var trimmed = image.Trim();
|
||||
if (!trimmed.Contains(':', StringComparison.Ordinal))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime policy request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "Image digests must include an algorithm prefix (e.g. sha256:...).");
|
||||
}
|
||||
|
||||
if (seen.Add(trimmed))
|
||||
{
|
||||
normalizedImages.Add(trimmed);
|
||||
}
|
||||
}
|
||||
|
||||
if (normalizedImages.Count == 0)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime policy request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "images collection must include at least one unique digest.");
|
||||
}
|
||||
|
||||
var namespaceValue = string.IsNullOrWhiteSpace(request.Namespace) ? null : request.Namespace.Trim();
|
||||
var normalizedLabels = new Dictionary<string, string>(StringComparer.Ordinal);
|
||||
if (request.Labels is not null)
|
||||
{
|
||||
foreach (var pair in request.Labels)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(pair.Key))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
var key = pair.Key.Trim();
|
||||
var value = pair.Value?.Trim() ?? string.Empty;
|
||||
normalizedLabels[key] = value;
|
||||
}
|
||||
}
|
||||
|
||||
var evaluationRequest = new RuntimePolicyEvaluationRequest(
|
||||
namespaceValue,
|
||||
new ReadOnlyDictionary<string, string>(normalizedLabels),
|
||||
normalizedImages);
|
||||
|
||||
var evaluation = await runtimePolicyService.EvaluateAsync(evaluationRequest, cancellationToken).ConfigureAwait(false);
|
||||
|
||||
var resultPayload = MapRuntimePolicyResponse(evaluation);
|
||||
return Json(resultPayload);
|
||||
}
|
||||
|
||||
@@ -375,53 +375,53 @@ internal static class PolicyEndpoints
|
||||
|
||||
return Json(response);
|
||||
}
|
||||
|
||||
private static string NormalizeSegment(string segment)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(segment))
|
||||
{
|
||||
return "/policy";
|
||||
}
|
||||
|
||||
var trimmed = segment.Trim('/');
|
||||
return "/" + trimmed;
|
||||
}
|
||||
|
||||
private static IResult Json<T>(T value)
|
||||
{
|
||||
var payload = JsonSerializer.Serialize(value, SerializerOptions);
|
||||
return Results.Content(payload, "application/json", Encoding.UTF8);
|
||||
}
|
||||
|
||||
private static RuntimePolicyResponseDto MapRuntimePolicyResponse(RuntimePolicyEvaluationResult evaluation)
|
||||
{
|
||||
var results = new Dictionary<string, RuntimePolicyImageResponseDto>(evaluation.Results.Count, StringComparer.Ordinal);
|
||||
foreach (var pair in evaluation.Results)
|
||||
{
|
||||
var decision = pair.Value;
|
||||
RuntimePolicyRekorDto? rekor = null;
|
||||
if (decision.Rekor is not null)
|
||||
{
|
||||
rekor = new RuntimePolicyRekorDto
|
||||
{
|
||||
Uuid = decision.Rekor.Uuid,
|
||||
Url = decision.Rekor.Url,
|
||||
Verified = decision.Rekor.Verified
|
||||
};
|
||||
}
|
||||
|
||||
string? metadata = null;
|
||||
if (decision.Metadata is not null && decision.Metadata.Count > 0)
|
||||
{
|
||||
metadata = JsonSerializer.Serialize(decision.Metadata, SerializerOptions);
|
||||
}
|
||||
|
||||
results[pair.Key] = new RuntimePolicyImageResponseDto
|
||||
{
|
||||
PolicyVerdict = ToCamelCase(decision.PolicyVerdict),
|
||||
Signed = decision.Signed,
|
||||
HasSbomReferrers = decision.HasSbomReferrers,
|
||||
HasSbomLegacy = decision.HasSbomReferrers,
|
||||
|
||||
private static string NormalizeSegment(string segment)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(segment))
|
||||
{
|
||||
return "/policy";
|
||||
}
|
||||
|
||||
var trimmed = segment.Trim('/');
|
||||
return "/" + trimmed;
|
||||
}
|
||||
|
||||
private static IResult Json<T>(T value)
|
||||
{
|
||||
var payload = JsonSerializer.Serialize(value, SerializerOptions);
|
||||
return Results.Content(payload, "application/json", Encoding.UTF8);
|
||||
}
|
||||
|
||||
private static RuntimePolicyResponseDto MapRuntimePolicyResponse(RuntimePolicyEvaluationResult evaluation)
|
||||
{
|
||||
var results = new Dictionary<string, RuntimePolicyImageResponseDto>(evaluation.Results.Count, StringComparer.Ordinal);
|
||||
foreach (var pair in evaluation.Results)
|
||||
{
|
||||
var decision = pair.Value;
|
||||
RuntimePolicyRekorDto? rekor = null;
|
||||
if (decision.Rekor is not null)
|
||||
{
|
||||
rekor = new RuntimePolicyRekorDto
|
||||
{
|
||||
Uuid = decision.Rekor.Uuid,
|
||||
Url = decision.Rekor.Url,
|
||||
Verified = decision.Rekor.Verified
|
||||
};
|
||||
}
|
||||
|
||||
string? metadata = null;
|
||||
if (decision.Metadata is not null && decision.Metadata.Count > 0)
|
||||
{
|
||||
metadata = JsonSerializer.Serialize(decision.Metadata, SerializerOptions);
|
||||
}
|
||||
|
||||
results[pair.Key] = new RuntimePolicyImageResponseDto
|
||||
{
|
||||
PolicyVerdict = ToCamelCase(decision.PolicyVerdict),
|
||||
Signed = decision.Signed,
|
||||
HasSbomReferrers = decision.HasSbomReferrers,
|
||||
HasSbomLegacy = decision.HasSbomReferrers,
|
||||
Reasons = decision.Reasons.ToArray(),
|
||||
Rekor = rekor,
|
||||
Confidence = Math.Round(decision.Confidence, 6, MidpointRounding.AwayFromZero),
|
||||
@@ -432,154 +432,154 @@ internal static class PolicyEndpoints
|
||||
Linksets = decision.Linksets is { Count: > 0 } ? decision.Linksets.ToArray() : null
|
||||
};
|
||||
}
|
||||
|
||||
return new RuntimePolicyResponseDto
|
||||
{
|
||||
TtlSeconds = evaluation.TtlSeconds,
|
||||
ExpiresAtUtc = evaluation.ExpiresAtUtc,
|
||||
PolicyRevision = evaluation.PolicyRevision,
|
||||
Results = results
|
||||
};
|
||||
}
|
||||
|
||||
private static string ToCamelCase(RuntimePolicyVerdict verdict)
|
||||
=> verdict switch
|
||||
{
|
||||
RuntimePolicyVerdict.Pass => "pass",
|
||||
RuntimePolicyVerdict.Warn => "warn",
|
||||
RuntimePolicyVerdict.Fail => "fail",
|
||||
RuntimePolicyVerdict.Error => "error",
|
||||
_ => "unknown"
|
||||
};
|
||||
|
||||
private static async Task<IResult> HandlePolicyOverlayAsync(
|
||||
PolicyOverlayRequestDto request,
|
||||
IRuntimePolicyService runtimePolicyService,
|
||||
ISurfaceEnvironment surfaceEnvironment,
|
||||
TimeProvider timeProvider,
|
||||
HttpContext context,
|
||||
CancellationToken cancellationToken)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(request);
|
||||
ArgumentNullException.ThrowIfNull(runtimePolicyService);
|
||||
ArgumentNullException.ThrowIfNull(surfaceEnvironment);
|
||||
ArgumentNullException.ThrowIfNull(timeProvider);
|
||||
|
||||
if (request.Nodes is null || request.Nodes.Count == 0)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid policy overlay request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "nodes collection must include at least one node.");
|
||||
}
|
||||
|
||||
var tenant = !string.IsNullOrWhiteSpace(request.Tenant)
|
||||
? request.Tenant.Trim()
|
||||
: surfaceEnvironment.Settings.Tenant;
|
||||
|
||||
var overlayKind = !string.IsNullOrWhiteSpace(request.OverlayKind)
|
||||
? request.OverlayKind.Trim()
|
||||
: "policy.overlay.v1";
|
||||
|
||||
var imageDigests = request.Nodes
|
||||
.Where(n => !string.IsNullOrWhiteSpace(n.ImageDigest))
|
||||
.Select(n => n.ImageDigest!.Trim())
|
||||
.Distinct(StringComparer.Ordinal)
|
||||
.ToList();
|
||||
|
||||
RuntimePolicyEvaluationResult? evaluation = null;
|
||||
if (imageDigests.Count > 0)
|
||||
{
|
||||
var evalRequest = new RuntimePolicyEvaluationRequest(
|
||||
null,
|
||||
new ReadOnlyDictionary<string, string>(new Dictionary<string, string>(StringComparer.Ordinal)),
|
||||
imageDigests);
|
||||
evaluation = await runtimePolicyService.EvaluateAsync(evalRequest, cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
|
||||
var overlays = new List<PolicyOverlayDto>(request.Nodes.Count);
|
||||
foreach (var node in request.Nodes)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(node.NodeId))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
var nodeId = node.NodeId.Trim();
|
||||
var overlayId = ComputeOverlayId(tenant, nodeId, overlayKind);
|
||||
|
||||
string verdict = "unknown";
|
||||
IReadOnlyList<string> reasons = Array.Empty<string>();
|
||||
double? confidence = null;
|
||||
bool? quieted = null;
|
||||
PolicyOverlayEvidenceDto? evidence = null;
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(node.ImageDigest) &&
|
||||
evaluation?.Results.TryGetValue(node.ImageDigest.Trim(), out var decision) == true)
|
||||
{
|
||||
verdict = ToCamelCase(decision.PolicyVerdict);
|
||||
reasons = decision.Reasons.ToArray();
|
||||
confidence = Math.Round(decision.Confidence, 6, MidpointRounding.AwayFromZero);
|
||||
quieted = decision.Quieted;
|
||||
|
||||
if (request.IncludeEvidence)
|
||||
{
|
||||
RuntimePolicyRekorDto? rekor = null;
|
||||
if (decision.Rekor is not null)
|
||||
{
|
||||
rekor = new RuntimePolicyRekorDto
|
||||
{
|
||||
Uuid = decision.Rekor.Uuid,
|
||||
Url = decision.Rekor.Url,
|
||||
Verified = decision.Rekor.Verified
|
||||
};
|
||||
}
|
||||
|
||||
evidence = new PolicyOverlayEvidenceDto
|
||||
{
|
||||
Signed = decision.Signed,
|
||||
HasSbomReferrers = decision.HasSbomReferrers,
|
||||
Rekor = rekor,
|
||||
BuildIds = decision.BuildIds is { Count: > 0 } ? decision.BuildIds.ToArray() : null,
|
||||
Metadata = decision.Metadata is { Count: > 0 }
|
||||
? new ReadOnlyDictionary<string, string>(decision.Metadata.ToDictionary(kv => kv.Key, kv => kv.Value, StringComparer.Ordinal))
|
||||
: null
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
overlays.Add(new PolicyOverlayDto
|
||||
{
|
||||
OverlayId = overlayId,
|
||||
NodeId = nodeId,
|
||||
OverlayKind = overlayKind,
|
||||
Verdict = verdict,
|
||||
Reasons = reasons,
|
||||
Confidence = confidence,
|
||||
Quieted = quieted,
|
||||
Evidence = evidence
|
||||
});
|
||||
}
|
||||
|
||||
var response = new PolicyOverlayResponseDto
|
||||
{
|
||||
Tenant = tenant,
|
||||
GeneratedAt = timeProvider.GetUtcNow(),
|
||||
PolicyRevision = evaluation?.PolicyRevision,
|
||||
Overlays = overlays.OrderBy(o => o.NodeId, StringComparer.Ordinal).ToArray()
|
||||
};
|
||||
|
||||
return Json(response);
|
||||
}
|
||||
|
||||
private static string ComputeOverlayId(string tenant, string nodeId, string overlayKind)
|
||||
{
|
||||
var input = $"{tenant}|{nodeId}|{overlayKind}";
|
||||
var hash = SHA256.HashData(Encoding.UTF8.GetBytes(input));
|
||||
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
|
||||
}
|
||||
}
|
||||
|
||||
#pragma warning restore ASPDEPR002
|
||||
|
||||
return new RuntimePolicyResponseDto
|
||||
{
|
||||
TtlSeconds = evaluation.TtlSeconds,
|
||||
ExpiresAtUtc = evaluation.ExpiresAtUtc,
|
||||
PolicyRevision = evaluation.PolicyRevision,
|
||||
Results = results
|
||||
};
|
||||
}
|
||||
|
||||
private static string ToCamelCase(RuntimePolicyVerdict verdict)
|
||||
=> verdict switch
|
||||
{
|
||||
RuntimePolicyVerdict.Pass => "pass",
|
||||
RuntimePolicyVerdict.Warn => "warn",
|
||||
RuntimePolicyVerdict.Fail => "fail",
|
||||
RuntimePolicyVerdict.Error => "error",
|
||||
_ => "unknown"
|
||||
};
|
||||
|
||||
private static async Task<IResult> HandlePolicyOverlayAsync(
|
||||
PolicyOverlayRequestDto request,
|
||||
IRuntimePolicyService runtimePolicyService,
|
||||
ISurfaceEnvironment surfaceEnvironment,
|
||||
TimeProvider timeProvider,
|
||||
HttpContext context,
|
||||
CancellationToken cancellationToken)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(request);
|
||||
ArgumentNullException.ThrowIfNull(runtimePolicyService);
|
||||
ArgumentNullException.ThrowIfNull(surfaceEnvironment);
|
||||
ArgumentNullException.ThrowIfNull(timeProvider);
|
||||
|
||||
if (request.Nodes is null || request.Nodes.Count == 0)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid policy overlay request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "nodes collection must include at least one node.");
|
||||
}
|
||||
|
||||
var tenant = !string.IsNullOrWhiteSpace(request.Tenant)
|
||||
? request.Tenant.Trim()
|
||||
: surfaceEnvironment.Settings.Tenant;
|
||||
|
||||
var overlayKind = !string.IsNullOrWhiteSpace(request.OverlayKind)
|
||||
? request.OverlayKind.Trim()
|
||||
: "policy.overlay.v1";
|
||||
|
||||
var imageDigests = request.Nodes
|
||||
.Where(n => !string.IsNullOrWhiteSpace(n.ImageDigest))
|
||||
.Select(n => n.ImageDigest!.Trim())
|
||||
.Distinct(StringComparer.Ordinal)
|
||||
.ToList();
|
||||
|
||||
RuntimePolicyEvaluationResult? evaluation = null;
|
||||
if (imageDigests.Count > 0)
|
||||
{
|
||||
var evalRequest = new RuntimePolicyEvaluationRequest(
|
||||
null,
|
||||
new ReadOnlyDictionary<string, string>(new Dictionary<string, string>(StringComparer.Ordinal)),
|
||||
imageDigests);
|
||||
evaluation = await runtimePolicyService.EvaluateAsync(evalRequest, cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
|
||||
var overlays = new List<PolicyOverlayDto>(request.Nodes.Count);
|
||||
foreach (var node in request.Nodes)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(node.NodeId))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
var nodeId = node.NodeId.Trim();
|
||||
var overlayId = ComputeOverlayId(tenant, nodeId, overlayKind);
|
||||
|
||||
string verdict = "unknown";
|
||||
IReadOnlyList<string> reasons = Array.Empty<string>();
|
||||
double? confidence = null;
|
||||
bool? quieted = null;
|
||||
PolicyOverlayEvidenceDto? evidence = null;
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(node.ImageDigest) &&
|
||||
evaluation?.Results.TryGetValue(node.ImageDigest.Trim(), out var decision) == true)
|
||||
{
|
||||
verdict = ToCamelCase(decision.PolicyVerdict);
|
||||
reasons = decision.Reasons.ToArray();
|
||||
confidence = Math.Round(decision.Confidence, 6, MidpointRounding.AwayFromZero);
|
||||
quieted = decision.Quieted;
|
||||
|
||||
if (request.IncludeEvidence)
|
||||
{
|
||||
RuntimePolicyRekorDto? rekor = null;
|
||||
if (decision.Rekor is not null)
|
||||
{
|
||||
rekor = new RuntimePolicyRekorDto
|
||||
{
|
||||
Uuid = decision.Rekor.Uuid,
|
||||
Url = decision.Rekor.Url,
|
||||
Verified = decision.Rekor.Verified
|
||||
};
|
||||
}
|
||||
|
||||
evidence = new PolicyOverlayEvidenceDto
|
||||
{
|
||||
Signed = decision.Signed,
|
||||
HasSbomReferrers = decision.HasSbomReferrers,
|
||||
Rekor = rekor,
|
||||
BuildIds = decision.BuildIds is { Count: > 0 } ? decision.BuildIds.ToArray() : null,
|
||||
Metadata = decision.Metadata is { Count: > 0 }
|
||||
? new ReadOnlyDictionary<string, string>(decision.Metadata.ToDictionary(kv => kv.Key, kv => kv.Value, StringComparer.Ordinal))
|
||||
: null
|
||||
};
|
||||
}
|
||||
}
|
||||
|
||||
overlays.Add(new PolicyOverlayDto
|
||||
{
|
||||
OverlayId = overlayId,
|
||||
NodeId = nodeId,
|
||||
OverlayKind = overlayKind,
|
||||
Verdict = verdict,
|
||||
Reasons = reasons,
|
||||
Confidence = confidence,
|
||||
Quieted = quieted,
|
||||
Evidence = evidence
|
||||
});
|
||||
}
|
||||
|
||||
var response = new PolicyOverlayResponseDto
|
||||
{
|
||||
Tenant = tenant,
|
||||
GeneratedAt = timeProvider.GetUtcNow(),
|
||||
PolicyRevision = evaluation?.PolicyRevision,
|
||||
Overlays = overlays.OrderBy(o => o.NodeId, StringComparer.Ordinal).ToArray()
|
||||
};
|
||||
|
||||
return Json(response);
|
||||
}
|
||||
|
||||
private static string ComputeOverlayId(string tenant, string nodeId, string overlayKind)
|
||||
{
|
||||
var input = $"{tenant}|{nodeId}|{overlayKind}";
|
||||
var hash = SHA256.HashData(Encoding.UTF8.GetBytes(input));
|
||||
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
|
||||
}
|
||||
}
|
||||
|
||||
#pragma warning restore ASPDEPR002
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
@@ -13,43 +13,43 @@ using StellaOps.Scanner.WebService.Contracts;
|
||||
using StellaOps.Scanner.WebService.Infrastructure;
|
||||
using StellaOps.Scanner.WebService.Security;
|
||||
using StellaOps.Scanner.WebService.Services;
|
||||
|
||||
|
||||
namespace StellaOps.Scanner.WebService.Endpoints;
|
||||
|
||||
#pragma warning disable ASPDEPR002
|
||||
|
||||
internal static class ReportEndpoints
|
||||
{
|
||||
private const string PayloadType = "application/vnd.stellaops.report+json";
|
||||
|
||||
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
|
||||
{
|
||||
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
|
||||
Converters = { new JsonStringEnumConverter() }
|
||||
};
|
||||
|
||||
{
|
||||
private const string PayloadType = "application/vnd.stellaops.report+json";
|
||||
|
||||
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
|
||||
{
|
||||
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
|
||||
Converters = { new JsonStringEnumConverter() }
|
||||
};
|
||||
|
||||
public static void MapReportEndpoints(this RouteGroupBuilder apiGroup, string reportsSegment)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(apiGroup);
|
||||
|
||||
var reports = apiGroup
|
||||
.MapGroup(NormalizeSegment(reportsSegment))
|
||||
.WithTags("Reports");
|
||||
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(apiGroup);
|
||||
|
||||
var reports = apiGroup
|
||||
.MapGroup(NormalizeSegment(reportsSegment))
|
||||
.WithTags("Reports");
|
||||
|
||||
reports.MapPost("/", HandleCreateReportAsync)
|
||||
.WithName("scanner.reports.create")
|
||||
.Produces<ReportResponseDto>(StatusCodes.Status200OK)
|
||||
.Produces(StatusCodes.Status400BadRequest)
|
||||
.Produces(StatusCodes.Status503ServiceUnavailable)
|
||||
.RequireAuthorization(ScannerPolicies.Reports)
|
||||
.WithOpenApi(operation =>
|
||||
{
|
||||
operation.Summary = "Assemble a signed scan report.";
|
||||
operation.Description = "Aggregates latest findings with the active policy snapshot, returning verdicts plus an optional DSSE envelope.";
|
||||
return operation;
|
||||
});
|
||||
}
|
||||
|
||||
.RequireAuthorization(ScannerPolicies.Reports)
|
||||
.WithOpenApi(operation =>
|
||||
{
|
||||
operation.Summary = "Assemble a signed scan report.";
|
||||
operation.Description = "Aggregates latest findings with the active policy snapshot, returning verdicts plus an optional DSSE envelope.";
|
||||
return operation;
|
||||
});
|
||||
}
|
||||
|
||||
private static async Task<IResult> HandleCreateReportAsync(
|
||||
ReportRequestDto request,
|
||||
PolicyPreviewService previewService,
|
||||
@@ -76,60 +76,60 @@ internal static class ReportEndpoints
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid report request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "imageDigest is required.");
|
||||
}
|
||||
|
||||
if (!request.ImageDigest.Contains(':', StringComparison.Ordinal))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid report request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "imageDigest must include algorithm prefix (e.g. sha256:...).");
|
||||
}
|
||||
|
||||
if (request.Findings is not null && request.Findings.Any(f => string.IsNullOrWhiteSpace(f.Id)))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid report request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "All findings must include an id value.");
|
||||
}
|
||||
|
||||
var previewDto = new PolicyPreviewRequestDto
|
||||
{
|
||||
ImageDigest = request.ImageDigest,
|
||||
Findings = request.Findings,
|
||||
Baseline = request.Baseline,
|
||||
Policy = null
|
||||
};
|
||||
|
||||
var domainRequest = PolicyDtoMapper.ToDomain(previewDto) with { ProposedPolicy = null };
|
||||
var preview = await previewService.PreviewAsync(domainRequest, cancellationToken).ConfigureAwait(false);
|
||||
|
||||
if (!preview.Success)
|
||||
{
|
||||
var issues = preview.Issues.Select(PolicyDtoMapper.ToIssueDto).ToArray();
|
||||
var extensions = new Dictionary<string, object?>(StringComparer.Ordinal)
|
||||
{
|
||||
["issues"] = issues
|
||||
};
|
||||
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Unable to assemble report",
|
||||
StatusCodes.Status503ServiceUnavailable,
|
||||
detail: "No policy snapshot is available or validation failed.",
|
||||
extensions: extensions);
|
||||
}
|
||||
|
||||
ProblemTypes.Validation,
|
||||
"Invalid report request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "imageDigest is required.");
|
||||
}
|
||||
|
||||
if (!request.ImageDigest.Contains(':', StringComparison.Ordinal))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid report request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "imageDigest must include algorithm prefix (e.g. sha256:...).");
|
||||
}
|
||||
|
||||
if (request.Findings is not null && request.Findings.Any(f => string.IsNullOrWhiteSpace(f.Id)))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid report request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "All findings must include an id value.");
|
||||
}
|
||||
|
||||
var previewDto = new PolicyPreviewRequestDto
|
||||
{
|
||||
ImageDigest = request.ImageDigest,
|
||||
Findings = request.Findings,
|
||||
Baseline = request.Baseline,
|
||||
Policy = null
|
||||
};
|
||||
|
||||
var domainRequest = PolicyDtoMapper.ToDomain(previewDto) with { ProposedPolicy = null };
|
||||
var preview = await previewService.PreviewAsync(domainRequest, cancellationToken).ConfigureAwait(false);
|
||||
|
||||
if (!preview.Success)
|
||||
{
|
||||
var issues = preview.Issues.Select(PolicyDtoMapper.ToIssueDto).ToArray();
|
||||
var extensions = new Dictionary<string, object?>(StringComparer.Ordinal)
|
||||
{
|
||||
["issues"] = issues
|
||||
};
|
||||
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Unable to assemble report",
|
||||
StatusCodes.Status503ServiceUnavailable,
|
||||
detail: "No policy snapshot is available or validation failed.",
|
||||
extensions: extensions);
|
||||
}
|
||||
|
||||
var projectedVerdicts = preview.Diffs
|
||||
.Select(diff => PolicyDtoMapper.ToVerdictDto(diff.Projected))
|
||||
.ToArray();
|
||||
@@ -177,124 +177,124 @@ internal static class ReportEndpoints
|
||||
Surface = surfacePointers,
|
||||
Linksets = linksets.Count == 0 ? null : linksets
|
||||
};
|
||||
|
||||
var payloadBytes = JsonSerializer.SerializeToUtf8Bytes(document, SerializerOptions);
|
||||
var signature = signer.Sign(payloadBytes);
|
||||
DsseEnvelopeDto? envelope = null;
|
||||
if (signature is not null)
|
||||
{
|
||||
envelope = new DsseEnvelopeDto
|
||||
{
|
||||
PayloadType = PayloadType,
|
||||
Payload = Convert.ToBase64String(payloadBytes),
|
||||
Signatures = new[]
|
||||
{
|
||||
new DsseSignatureDto
|
||||
{
|
||||
KeyId = signature.KeyId,
|
||||
Algorithm = signature.Algorithm,
|
||||
Signature = signature.Signature
|
||||
}
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
var payloadBytes = JsonSerializer.SerializeToUtf8Bytes(document, SerializerOptions);
|
||||
var signature = signer.Sign(payloadBytes);
|
||||
DsseEnvelopeDto? envelope = null;
|
||||
if (signature is not null)
|
||||
{
|
||||
envelope = new DsseEnvelopeDto
|
||||
{
|
||||
PayloadType = PayloadType,
|
||||
Payload = Convert.ToBase64String(payloadBytes),
|
||||
Signatures = new[]
|
||||
{
|
||||
new DsseSignatureDto
|
||||
{
|
||||
KeyId = signature.KeyId,
|
||||
Algorithm = signature.Algorithm,
|
||||
Signature = signature.Signature
|
||||
}
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
var response = new ReportResponseDto
|
||||
{
|
||||
Report = document,
|
||||
Dsse = envelope
|
||||
};
|
||||
|
||||
await eventDispatcher
|
||||
.PublishAsync(request, preview, document, envelope, context, cancellationToken)
|
||||
.ConfigureAwait(false);
|
||||
|
||||
return Json(response);
|
||||
}
|
||||
|
||||
private static ReportSummaryDto BuildSummary(IReadOnlyList<PolicyPreviewVerdictDto> verdicts)
|
||||
{
|
||||
if (verdicts.Count == 0)
|
||||
{
|
||||
return new ReportSummaryDto { Total = 0 };
|
||||
}
|
||||
|
||||
var blocked = verdicts.Count(v => string.Equals(v.Status, nameof(PolicyVerdictStatus.Blocked), StringComparison.OrdinalIgnoreCase));
|
||||
var warned = verdicts.Count(v =>
|
||||
string.Equals(v.Status, nameof(PolicyVerdictStatus.Warned), StringComparison.OrdinalIgnoreCase)
|
||||
|| string.Equals(v.Status, nameof(PolicyVerdictStatus.Deferred), StringComparison.OrdinalIgnoreCase)
|
||||
|| string.Equals(v.Status, nameof(PolicyVerdictStatus.RequiresVex), StringComparison.OrdinalIgnoreCase)
|
||||
|| string.Equals(v.Status, nameof(PolicyVerdictStatus.Escalated), StringComparison.OrdinalIgnoreCase));
|
||||
var ignored = verdicts.Count(v => string.Equals(v.Status, nameof(PolicyVerdictStatus.Ignored), StringComparison.OrdinalIgnoreCase));
|
||||
var quieted = verdicts.Count(v => v.Quiet is true);
|
||||
|
||||
return new ReportSummaryDto
|
||||
{
|
||||
Total = verdicts.Count,
|
||||
Blocked = blocked,
|
||||
Warned = warned,
|
||||
Ignored = ignored,
|
||||
Quieted = quieted
|
||||
};
|
||||
}
|
||||
|
||||
private static string ComputeVerdict(IReadOnlyList<PolicyPreviewVerdictDto> verdicts)
|
||||
{
|
||||
if (verdicts.Count == 0)
|
||||
{
|
||||
return "unknown";
|
||||
}
|
||||
|
||||
if (verdicts.Any(v => string.Equals(v.Status, nameof(PolicyVerdictStatus.Blocked), StringComparison.OrdinalIgnoreCase)))
|
||||
{
|
||||
return "blocked";
|
||||
}
|
||||
|
||||
if (verdicts.Any(v => string.Equals(v.Status, nameof(PolicyVerdictStatus.Escalated), StringComparison.OrdinalIgnoreCase)))
|
||||
{
|
||||
return "escalated";
|
||||
}
|
||||
|
||||
if (verdicts.Any(v =>
|
||||
string.Equals(v.Status, nameof(PolicyVerdictStatus.Warned), StringComparison.OrdinalIgnoreCase)
|
||||
|| string.Equals(v.Status, nameof(PolicyVerdictStatus.Deferred), StringComparison.OrdinalIgnoreCase)
|
||||
|| string.Equals(v.Status, nameof(PolicyVerdictStatus.RequiresVex), StringComparison.OrdinalIgnoreCase)))
|
||||
{
|
||||
return "warn";
|
||||
}
|
||||
|
||||
return "pass";
|
||||
}
|
||||
|
||||
private static string CreateReportId(string imageDigest, string policyDigest)
|
||||
{
|
||||
var builder = new StringBuilder();
|
||||
builder.Append(imageDigest.Trim());
|
||||
builder.Append('|');
|
||||
builder.Append(policyDigest ?? string.Empty);
|
||||
|
||||
using var sha256 = SHA256.Create();
|
||||
var hash = sha256.ComputeHash(Encoding.UTF8.GetBytes(builder.ToString()));
|
||||
var hex = Convert.ToHexString(hash.AsSpan(0, 10)).ToLowerInvariant();
|
||||
return $"report-{hex}";
|
||||
}
|
||||
|
||||
private static string NormalizeSegment(string segment)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(segment))
|
||||
{
|
||||
return "/reports";
|
||||
}
|
||||
|
||||
var trimmed = segment.Trim('/');
|
||||
return "/" + trimmed;
|
||||
}
|
||||
|
||||
private static IResult Json<T>(T value)
|
||||
{
|
||||
var payload = JsonSerializer.Serialize(value, SerializerOptions);
|
||||
return Results.Content(payload, "application/json", Encoding.UTF8);
|
||||
}
|
||||
|
||||
await eventDispatcher
|
||||
.PublishAsync(request, preview, document, envelope, context, cancellationToken)
|
||||
.ConfigureAwait(false);
|
||||
|
||||
return Json(response);
|
||||
}
|
||||
|
||||
private static ReportSummaryDto BuildSummary(IReadOnlyList<PolicyPreviewVerdictDto> verdicts)
|
||||
{
|
||||
if (verdicts.Count == 0)
|
||||
{
|
||||
return new ReportSummaryDto { Total = 0 };
|
||||
}
|
||||
|
||||
var blocked = verdicts.Count(v => string.Equals(v.Status, nameof(PolicyVerdictStatus.Blocked), StringComparison.OrdinalIgnoreCase));
|
||||
var warned = verdicts.Count(v =>
|
||||
string.Equals(v.Status, nameof(PolicyVerdictStatus.Warned), StringComparison.OrdinalIgnoreCase)
|
||||
|| string.Equals(v.Status, nameof(PolicyVerdictStatus.Deferred), StringComparison.OrdinalIgnoreCase)
|
||||
|| string.Equals(v.Status, nameof(PolicyVerdictStatus.RequiresVex), StringComparison.OrdinalIgnoreCase)
|
||||
|| string.Equals(v.Status, nameof(PolicyVerdictStatus.Escalated), StringComparison.OrdinalIgnoreCase));
|
||||
var ignored = verdicts.Count(v => string.Equals(v.Status, nameof(PolicyVerdictStatus.Ignored), StringComparison.OrdinalIgnoreCase));
|
||||
var quieted = verdicts.Count(v => v.Quiet is true);
|
||||
|
||||
return new ReportSummaryDto
|
||||
{
|
||||
Total = verdicts.Count,
|
||||
Blocked = blocked,
|
||||
Warned = warned,
|
||||
Ignored = ignored,
|
||||
Quieted = quieted
|
||||
};
|
||||
}
|
||||
|
||||
private static string ComputeVerdict(IReadOnlyList<PolicyPreviewVerdictDto> verdicts)
|
||||
{
|
||||
if (verdicts.Count == 0)
|
||||
{
|
||||
return "unknown";
|
||||
}
|
||||
|
||||
if (verdicts.Any(v => string.Equals(v.Status, nameof(PolicyVerdictStatus.Blocked), StringComparison.OrdinalIgnoreCase)))
|
||||
{
|
||||
return "blocked";
|
||||
}
|
||||
|
||||
if (verdicts.Any(v => string.Equals(v.Status, nameof(PolicyVerdictStatus.Escalated), StringComparison.OrdinalIgnoreCase)))
|
||||
{
|
||||
return "escalated";
|
||||
}
|
||||
|
||||
if (verdicts.Any(v =>
|
||||
string.Equals(v.Status, nameof(PolicyVerdictStatus.Warned), StringComparison.OrdinalIgnoreCase)
|
||||
|| string.Equals(v.Status, nameof(PolicyVerdictStatus.Deferred), StringComparison.OrdinalIgnoreCase)
|
||||
|| string.Equals(v.Status, nameof(PolicyVerdictStatus.RequiresVex), StringComparison.OrdinalIgnoreCase)))
|
||||
{
|
||||
return "warn";
|
||||
}
|
||||
|
||||
return "pass";
|
||||
}
|
||||
|
||||
private static string CreateReportId(string imageDigest, string policyDigest)
|
||||
{
|
||||
var builder = new StringBuilder();
|
||||
builder.Append(imageDigest.Trim());
|
||||
builder.Append('|');
|
||||
builder.Append(policyDigest ?? string.Empty);
|
||||
|
||||
using var sha256 = SHA256.Create();
|
||||
var hash = sha256.ComputeHash(Encoding.UTF8.GetBytes(builder.ToString()));
|
||||
var hex = Convert.ToHexString(hash.AsSpan(0, 10)).ToLowerInvariant();
|
||||
return $"report-{hex}";
|
||||
}
|
||||
|
||||
private static string NormalizeSegment(string segment)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(segment))
|
||||
{
|
||||
return "/reports";
|
||||
}
|
||||
|
||||
var trimmed = segment.Trim('/');
|
||||
return "/" + trimmed;
|
||||
}
|
||||
|
||||
private static IResult Json<T>(T value)
|
||||
{
|
||||
var payload = JsonSerializer.Serialize(value, SerializerOptions);
|
||||
return Results.Content(payload, "application/json", Encoding.UTF8);
|
||||
}
|
||||
}
|
||||
|
||||
#pragma warning restore ASPDEPR002
|
||||
|
||||
@@ -1,253 +1,253 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Globalization;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using System.Text.Json.Serialization;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.AspNetCore.Routing;
|
||||
using Microsoft.Extensions.Options;
|
||||
using StellaOps.Scanner.WebService.Constants;
|
||||
using StellaOps.Scanner.WebService.Contracts;
|
||||
using StellaOps.Scanner.WebService.Infrastructure;
|
||||
using StellaOps.Scanner.WebService.Options;
|
||||
using StellaOps.Scanner.WebService.Security;
|
||||
using StellaOps.Scanner.WebService.Services;
|
||||
using StellaOps.Zastava.Core.Contracts;
|
||||
|
||||
namespace StellaOps.Scanner.WebService.Endpoints;
|
||||
|
||||
internal static class RuntimeEndpoints
|
||||
{
|
||||
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
|
||||
{
|
||||
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
|
||||
};
|
||||
|
||||
public static void MapRuntimeEndpoints(this RouteGroupBuilder apiGroup, string runtimeSegment)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(apiGroup);
|
||||
|
||||
var runtime = apiGroup
|
||||
.MapGroup(NormalizeSegment(runtimeSegment))
|
||||
.WithTags("Runtime");
|
||||
|
||||
runtime.MapPost("/events", HandleRuntimeEventsAsync)
|
||||
.WithName("scanner.runtime.events.ingest")
|
||||
.Produces<RuntimeEventsIngestResponseDto>(StatusCodes.Status202Accepted)
|
||||
.Produces(StatusCodes.Status400BadRequest)
|
||||
.Produces(StatusCodes.Status429TooManyRequests)
|
||||
.RequireAuthorization(ScannerPolicies.RuntimeIngest);
|
||||
}
|
||||
|
||||
private static async Task<IResult> HandleRuntimeEventsAsync(
|
||||
RuntimeEventsIngestRequestDto request,
|
||||
IRuntimeEventIngestionService ingestionService,
|
||||
IOptions<ScannerWebServiceOptions> options,
|
||||
HttpContext context,
|
||||
CancellationToken cancellationToken)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(request);
|
||||
ArgumentNullException.ThrowIfNull(ingestionService);
|
||||
ArgumentNullException.ThrowIfNull(options);
|
||||
|
||||
var runtimeOptions = options.Value.Runtime ?? new ScannerWebServiceOptions.RuntimeOptions();
|
||||
var validationError = ValidateRequest(request, runtimeOptions, context, out var envelopes);
|
||||
if (validationError is { } problem)
|
||||
{
|
||||
return problem;
|
||||
}
|
||||
|
||||
var result = await ingestionService.IngestAsync(envelopes, request.BatchId, cancellationToken).ConfigureAwait(false);
|
||||
if (result.IsPayloadTooLarge)
|
||||
{
|
||||
var extensions = new Dictionary<string, object?>
|
||||
{
|
||||
["payloadBytes"] = result.PayloadBytes,
|
||||
["maxPayloadBytes"] = result.PayloadLimit
|
||||
};
|
||||
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Runtime event batch too large",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "Runtime batch payload exceeds configured budget.",
|
||||
extensions: extensions);
|
||||
}
|
||||
|
||||
if (result.IsRateLimited)
|
||||
{
|
||||
var retryAfterSeconds = Math.Max(1, (int)Math.Ceiling(result.RetryAfter.TotalSeconds));
|
||||
context.Response.Headers.RetryAfter = retryAfterSeconds.ToString(CultureInfo.InvariantCulture);
|
||||
|
||||
var extensions = new Dictionary<string, object?>
|
||||
{
|
||||
["scope"] = result.RateLimitedScope,
|
||||
["key"] = result.RateLimitedKey,
|
||||
["retryAfterSeconds"] = retryAfterSeconds
|
||||
};
|
||||
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.RateLimited,
|
||||
"Runtime ingestion rate limited",
|
||||
StatusCodes.Status429TooManyRequests,
|
||||
detail: "Runtime ingestion exceeded configured rate limits.",
|
||||
extensions: extensions);
|
||||
}
|
||||
|
||||
var payload = new RuntimeEventsIngestResponseDto
|
||||
{
|
||||
Accepted = result.Accepted,
|
||||
Duplicates = result.Duplicates
|
||||
};
|
||||
|
||||
return Json(payload, StatusCodes.Status202Accepted);
|
||||
}
|
||||
|
||||
private static IResult? ValidateRequest(
|
||||
RuntimeEventsIngestRequestDto request,
|
||||
ScannerWebServiceOptions.RuntimeOptions runtimeOptions,
|
||||
HttpContext context,
|
||||
out IReadOnlyList<RuntimeEventEnvelope> envelopes)
|
||||
{
|
||||
envelopes = request.Events ?? Array.Empty<RuntimeEventEnvelope>();
|
||||
if (envelopes.Count == 0)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "events array must include at least one item.");
|
||||
}
|
||||
|
||||
if (envelopes.Count > runtimeOptions.MaxBatchSize)
|
||||
{
|
||||
var extensions = new Dictionary<string, object?>
|
||||
{
|
||||
["maxBatchSize"] = runtimeOptions.MaxBatchSize,
|
||||
["eventCount"] = envelopes.Count
|
||||
};
|
||||
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "events array exceeds allowed batch size.",
|
||||
extensions: extensions);
|
||||
}
|
||||
|
||||
var seenEventIds = new HashSet<string>(StringComparer.Ordinal);
|
||||
for (var i = 0; i < envelopes.Count; i++)
|
||||
{
|
||||
var envelope = envelopes[i];
|
||||
if (envelope is null)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}] must not be null.");
|
||||
}
|
||||
|
||||
if (!envelope.IsSupported())
|
||||
{
|
||||
var extensions = new Dictionary<string, object?>
|
||||
{
|
||||
["schemaVersion"] = envelope.SchemaVersion
|
||||
};
|
||||
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Unsupported runtime schema version",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "Runtime event schemaVersion is not supported.",
|
||||
extensions: extensions);
|
||||
}
|
||||
|
||||
var runtimeEvent = envelope.Event;
|
||||
if (runtimeEvent is null)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}].event must not be null.");
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(runtimeEvent.EventId))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}].eventId is required.");
|
||||
}
|
||||
|
||||
if (!seenEventIds.Add(runtimeEvent.EventId))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"Duplicate eventId detected within batch ('{runtimeEvent.EventId}').");
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(runtimeEvent.Tenant))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}].tenant is required.");
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(runtimeEvent.Node))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}].node is required.");
|
||||
}
|
||||
|
||||
if (runtimeEvent.Workload is null)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}].workload is required.");
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
private static string NormalizeSegment(string segment)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(segment))
|
||||
{
|
||||
return "/runtime";
|
||||
}
|
||||
|
||||
var trimmed = segment.Trim('/');
|
||||
return "/" + trimmed;
|
||||
}
|
||||
|
||||
private static IResult Json<T>(T value, int statusCode)
|
||||
{
|
||||
var payload = JsonSerializer.Serialize(value, SerializerOptions);
|
||||
return Results.Content(payload, "application/json", Encoding.UTF8, statusCode);
|
||||
}
|
||||
}
|
||||
using System.Collections.Generic;
|
||||
using System.Globalization;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using System.Text.Json.Serialization;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.AspNetCore.Routing;
|
||||
using Microsoft.Extensions.Options;
|
||||
using StellaOps.Scanner.WebService.Constants;
|
||||
using StellaOps.Scanner.WebService.Contracts;
|
||||
using StellaOps.Scanner.WebService.Infrastructure;
|
||||
using StellaOps.Scanner.WebService.Options;
|
||||
using StellaOps.Scanner.WebService.Security;
|
||||
using StellaOps.Scanner.WebService.Services;
|
||||
using StellaOps.Zastava.Core.Contracts;
|
||||
|
||||
namespace StellaOps.Scanner.WebService.Endpoints;
|
||||
|
||||
internal static class RuntimeEndpoints
|
||||
{
|
||||
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
|
||||
{
|
||||
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
|
||||
};
|
||||
|
||||
public static void MapRuntimeEndpoints(this RouteGroupBuilder apiGroup, string runtimeSegment)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(apiGroup);
|
||||
|
||||
var runtime = apiGroup
|
||||
.MapGroup(NormalizeSegment(runtimeSegment))
|
||||
.WithTags("Runtime");
|
||||
|
||||
runtime.MapPost("/events", HandleRuntimeEventsAsync)
|
||||
.WithName("scanner.runtime.events.ingest")
|
||||
.Produces<RuntimeEventsIngestResponseDto>(StatusCodes.Status202Accepted)
|
||||
.Produces(StatusCodes.Status400BadRequest)
|
||||
.Produces(StatusCodes.Status429TooManyRequests)
|
||||
.RequireAuthorization(ScannerPolicies.RuntimeIngest);
|
||||
}
|
||||
|
||||
private static async Task<IResult> HandleRuntimeEventsAsync(
|
||||
RuntimeEventsIngestRequestDto request,
|
||||
IRuntimeEventIngestionService ingestionService,
|
||||
IOptions<ScannerWebServiceOptions> options,
|
||||
HttpContext context,
|
||||
CancellationToken cancellationToken)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(request);
|
||||
ArgumentNullException.ThrowIfNull(ingestionService);
|
||||
ArgumentNullException.ThrowIfNull(options);
|
||||
|
||||
var runtimeOptions = options.Value.Runtime ?? new ScannerWebServiceOptions.RuntimeOptions();
|
||||
var validationError = ValidateRequest(request, runtimeOptions, context, out var envelopes);
|
||||
if (validationError is { } problem)
|
||||
{
|
||||
return problem;
|
||||
}
|
||||
|
||||
var result = await ingestionService.IngestAsync(envelopes, request.BatchId, cancellationToken).ConfigureAwait(false);
|
||||
if (result.IsPayloadTooLarge)
|
||||
{
|
||||
var extensions = new Dictionary<string, object?>
|
||||
{
|
||||
["payloadBytes"] = result.PayloadBytes,
|
||||
["maxPayloadBytes"] = result.PayloadLimit
|
||||
};
|
||||
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Runtime event batch too large",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "Runtime batch payload exceeds configured budget.",
|
||||
extensions: extensions);
|
||||
}
|
||||
|
||||
if (result.IsRateLimited)
|
||||
{
|
||||
var retryAfterSeconds = Math.Max(1, (int)Math.Ceiling(result.RetryAfter.TotalSeconds));
|
||||
context.Response.Headers.RetryAfter = retryAfterSeconds.ToString(CultureInfo.InvariantCulture);
|
||||
|
||||
var extensions = new Dictionary<string, object?>
|
||||
{
|
||||
["scope"] = result.RateLimitedScope,
|
||||
["key"] = result.RateLimitedKey,
|
||||
["retryAfterSeconds"] = retryAfterSeconds
|
||||
};
|
||||
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.RateLimited,
|
||||
"Runtime ingestion rate limited",
|
||||
StatusCodes.Status429TooManyRequests,
|
||||
detail: "Runtime ingestion exceeded configured rate limits.",
|
||||
extensions: extensions);
|
||||
}
|
||||
|
||||
var payload = new RuntimeEventsIngestResponseDto
|
||||
{
|
||||
Accepted = result.Accepted,
|
||||
Duplicates = result.Duplicates
|
||||
};
|
||||
|
||||
return Json(payload, StatusCodes.Status202Accepted);
|
||||
}
|
||||
|
||||
private static IResult? ValidateRequest(
|
||||
RuntimeEventsIngestRequestDto request,
|
||||
ScannerWebServiceOptions.RuntimeOptions runtimeOptions,
|
||||
HttpContext context,
|
||||
out IReadOnlyList<RuntimeEventEnvelope> envelopes)
|
||||
{
|
||||
envelopes = request.Events ?? Array.Empty<RuntimeEventEnvelope>();
|
||||
if (envelopes.Count == 0)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "events array must include at least one item.");
|
||||
}
|
||||
|
||||
if (envelopes.Count > runtimeOptions.MaxBatchSize)
|
||||
{
|
||||
var extensions = new Dictionary<string, object?>
|
||||
{
|
||||
["maxBatchSize"] = runtimeOptions.MaxBatchSize,
|
||||
["eventCount"] = envelopes.Count
|
||||
};
|
||||
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "events array exceeds allowed batch size.",
|
||||
extensions: extensions);
|
||||
}
|
||||
|
||||
var seenEventIds = new HashSet<string>(StringComparer.Ordinal);
|
||||
for (var i = 0; i < envelopes.Count; i++)
|
||||
{
|
||||
var envelope = envelopes[i];
|
||||
if (envelope is null)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}] must not be null.");
|
||||
}
|
||||
|
||||
if (!envelope.IsSupported())
|
||||
{
|
||||
var extensions = new Dictionary<string, object?>
|
||||
{
|
||||
["schemaVersion"] = envelope.SchemaVersion
|
||||
};
|
||||
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Unsupported runtime schema version",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: "Runtime event schemaVersion is not supported.",
|
||||
extensions: extensions);
|
||||
}
|
||||
|
||||
var runtimeEvent = envelope.Event;
|
||||
if (runtimeEvent is null)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}].event must not be null.");
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(runtimeEvent.EventId))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}].eventId is required.");
|
||||
}
|
||||
|
||||
if (!seenEventIds.Add(runtimeEvent.EventId))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"Duplicate eventId detected within batch ('{runtimeEvent.EventId}').");
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(runtimeEvent.Tenant))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}].tenant is required.");
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(runtimeEvent.Node))
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}].node is required.");
|
||||
}
|
||||
|
||||
if (runtimeEvent.Workload is null)
|
||||
{
|
||||
return ProblemResultFactory.Create(
|
||||
context,
|
||||
ProblemTypes.Validation,
|
||||
"Invalid runtime ingest request",
|
||||
StatusCodes.Status400BadRequest,
|
||||
detail: $"events[{i}].workload is required.");
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
private static string NormalizeSegment(string segment)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(segment))
|
||||
{
|
||||
return "/runtime";
|
||||
}
|
||||
|
||||
var trimmed = segment.Trim('/');
|
||||
return "/" + trimmed;
|
||||
}
|
||||
|
||||
private static IResult Json<T>(T value, int statusCode)
|
||||
{
|
||||
var payload = JsonSerializer.Serialize(value, SerializerOptions);
|
||||
return Results.Content(payload, "application/json", Encoding.UTF8, statusCode);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user