stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-13 00:20:26 +02:00
parent e1f1bef4c1
commit 564df71bfb
2376 changed files with 334389 additions and 328032 deletions
Download Patch File Download Diff File Expand all files Collapse all files

254
src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/SignerEndpointsTests.cs
View File

@@ -1,127 +1,127 @@
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Testing;
using StellaOps.Signer.WebService.Contracts;
using Xunit;
namespace StellaOps.Signer.Tests;
public sealed class SignerEndpointsTests : IClassFixture<WebApplicationFactory<Program>>
{
private readonly WebApplicationFactory<Program> _factory;
private const string TrustedDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
public SignerEndpointsTests(WebApplicationFactory<Program> factory)
{
_factory = factory;
}
[Fact]
public async Task SignDsse_ReturnsBundle_WhenRequestValid()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f" },
},
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = TrustedDigest,
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" },
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
var response = await client.SendAsync(request);
var responseBody = await response.Content.ReadAsStringAsync();
Assert.True(response.IsSuccessStatusCode, $"Expected success but got {(int)response.StatusCode}: {responseBody}");
var body = await response.Content.ReadFromJsonAsync<SignDsseResponseDto>();
Assert.NotNull(body);
Assert.Equal("stub-subject", body!.Bundle.SigningIdentity.Subject);
Assert.Equal("stub-subject", body.Bundle.SigningIdentity.Issuer);
}
[Fact]
public async Task SignDsse_ReturnsForbidden_WhenDigestUntrusted()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f" },
},
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" },
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
var response = await client.SendAsync(request);
var problemJson = await response.Content.ReadAsStringAsync();
Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
var problem = System.Text.Json.JsonSerializer.Deserialize<ProblemDetails>(problemJson, new System.Text.Json.JsonSerializerOptions
{
PropertyNameCaseInsensitive = true,
});
Assert.NotNull(problem);
Assert.Equal("release_untrusted", problem!.Type);
}
[Fact]
public async Task VerifyReferrers_ReturnsTrustedResult_WhenDigestIsKnown()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Get, $"/api/v1/signer/verify/referrers?digest={TrustedDigest}");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var response = await client.SendAsync(request);
var responseBody = await response.Content.ReadAsStringAsync();
Assert.True(response.IsSuccessStatusCode, $"Expected success but got {(int)response.StatusCode}: {responseBody}");
var body = await response.Content.ReadFromJsonAsync<VerifyReferrersResponseDto>();
Assert.NotNull(body);
Assert.True(body!.Trusted);
}
[Fact]
public async Task VerifyReferrers_ReturnsProblem_WhenDigestMissing()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Get, "/api/v1/signer/verify/referrers");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var response = await client.SendAsync(request);
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
}
private HttpClient CreateClient() => _factory.CreateClient();
}
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Testing;
using StellaOps.Signer.WebService.Contracts;
using Xunit;
namespace StellaOps.Signer.Tests;
public sealed class SignerEndpointsTests : IClassFixture<WebApplicationFactory<Program>>
{
private readonly WebApplicationFactory<Program> _factory;
private const string TrustedDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
public SignerEndpointsTests(WebApplicationFactory<Program> factory)
{
_factory = factory;
}
[Fact]
public async Task SignDsse_ReturnsBundle_WhenRequestValid()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f" },
},
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = TrustedDigest,
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" },
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
var response = await client.SendAsync(request);
var responseBody = await response.Content.ReadAsStringAsync();
Assert.True(response.IsSuccessStatusCode, $"Expected success but got {(int)response.StatusCode}: {responseBody}");
var body = await response.Content.ReadFromJsonAsync<SignDsseResponseDto>();
Assert.NotNull(body);
Assert.Equal("stub-subject", body!.Bundle.SigningIdentity.Subject);
Assert.Equal("stub-subject", body.Bundle.SigningIdentity.Issuer);
}
[Fact]
public async Task SignDsse_ReturnsForbidden_WhenDigestUntrusted()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f" },
},
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" },
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
var response = await client.SendAsync(request);
var problemJson = await response.Content.ReadAsStringAsync();
Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
var problem = System.Text.Json.JsonSerializer.Deserialize<ProblemDetails>(problemJson, new System.Text.Json.JsonSerializerOptions
{
PropertyNameCaseInsensitive = true,
});
Assert.NotNull(problem);
Assert.Equal("release_untrusted", problem!.Type);
}
[Fact]
public async Task VerifyReferrers_ReturnsTrustedResult_WhenDigestIsKnown()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Get, $"/api/v1/signer/verify/referrers?digest={TrustedDigest}");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var response = await client.SendAsync(request);
var responseBody = await response.Content.ReadAsStringAsync();
Assert.True(response.IsSuccessStatusCode, $"Expected success but got {(int)response.StatusCode}: {responseBody}");
var body = await response.Content.ReadFromJsonAsync<VerifyReferrersResponseDto>();
Assert.NotNull(body);
Assert.True(body!.Trusted);
}
[Fact]
public async Task VerifyReferrers_ReturnsProblem_WhenDigestMissing()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Get, "/api/v1/signer/verify/referrers");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var response = await client.SendAsync(request);
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
}
private HttpClient CreateClient() => _factory.CreateClient();
}