test fixes and new product advisories work
This commit is contained in:
master
@@ -39,6 +39,7 @@ public static class SignalsCommandGroup
|
||||
signalsCommand.Add(BuildInspectCommand(services, verboseOption, cancellationToken));
|
||||
signalsCommand.Add(BuildListCommand(services, verboseOption, cancellationToken));
|
||||
signalsCommand.Add(BuildSummaryCommand(services, verboseOption, cancellationToken));
|
||||
signalsCommand.Add(BuildVerifyChainCommand(services, verboseOption, cancellationToken));
|
||||
|
||||
return signalsCommand;
|
||||
}
|
||||
@@ -304,6 +305,252 @@ public static class SignalsCommandGroup
|
||||
|
||||
#endregion
|
||||
|
||||
#region Verify Chain Command (SIGNING-002)
|
||||
|
||||
/// <summary>
|
||||
/// Build the 'signals verify-chain' command.
|
||||
/// Sprint: SPRINT_0127_0002_Signals_ebpf_syscall_reachability_proofs (SIGNING-002)
|
||||
/// Verifies integrity of signed runtime evidence chain.
|
||||
/// </summary>
|
||||
private static Command BuildVerifyChainCommand(
|
||||
IServiceProvider services,
|
||||
Option<bool> verboseOption,
|
||||
CancellationToken cancellationToken)
|
||||
{
|
||||
var pathArg = new Argument<string>("path")
|
||||
{
|
||||
Description = "Path to evidence directory containing signed chunks"
|
||||
};
|
||||
|
||||
var offlineOption = new Option<bool>("--offline")
|
||||
{
|
||||
Description = "Offline mode - skip Rekor verification"
|
||||
};
|
||||
|
||||
var reportOption = new Option<string?>("--report", "-r")
|
||||
{
|
||||
Description = "Output path for JSON verification report"
|
||||
};
|
||||
|
||||
var formatOption = new Option<string>("--format", "-f")
|
||||
{
|
||||
Description = "Output format: text (default), json"
|
||||
};
|
||||
formatOption.SetDefaultValue("text");
|
||||
|
||||
var verifyChainCommand = new Command("verify-chain", "Verify integrity of signed runtime evidence chain")
|
||||
{
|
||||
pathArg,
|
||||
offlineOption,
|
||||
reportOption,
|
||||
formatOption,
|
||||
verboseOption
|
||||
};
|
||||
|
||||
verifyChainCommand.SetAction(async (parseResult, ct) =>
|
||||
{
|
||||
var path = parseResult.GetValue(pathArg) ?? string.Empty;
|
||||
var offline = parseResult.GetValue(offlineOption);
|
||||
var reportPath = parseResult.GetValue(reportOption);
|
||||
var format = parseResult.GetValue(formatOption) ?? "text";
|
||||
var verbose = parseResult.GetValue(verboseOption);
|
||||
|
||||
if (!Directory.Exists(path))
|
||||
{
|
||||
Console.Error.WriteLine($"Error: Directory not found: {path}");
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Find signed chunk files (look for .dsse.json sidecar files)
|
||||
var dsseFiles = Directory.GetFiles(path, "*.dsse.json", SearchOption.TopDirectoryOnly)
|
||||
.OrderBy(f => f)
|
||||
.ToList();
|
||||
|
||||
// Also look for chain state file
|
||||
var chainStateFiles = Directory.GetFiles(path, "chain-*.json", SearchOption.TopDirectoryOnly);
|
||||
|
||||
if (dsseFiles.Count == 0)
|
||||
{
|
||||
Console.Error.WriteLine($"Error: No signed chunks found in: {path}");
|
||||
Console.Error.WriteLine("Looking for: *.dsse.json files");
|
||||
return 1;
|
||||
}
|
||||
|
||||
var report = new ChainVerificationReport
|
||||
{
|
||||
Path = path,
|
||||
VerifiedAt = DateTimeOffset.UtcNow,
|
||||
OfflineMode = offline,
|
||||
TotalChunks = dsseFiles.Count,
|
||||
ChunkResults = []
|
||||
};
|
||||
|
||||
if (!format.Equals("json", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
Console.WriteLine("Evidence Chain Verification");
|
||||
Console.WriteLine("===========================");
|
||||
Console.WriteLine();
|
||||
Console.WriteLine($"Path: {path}");
|
||||
Console.WriteLine($"Chunks: {dsseFiles.Count}");
|
||||
Console.WriteLine($"Mode: {(offline ? "Offline" : "Online")}");
|
||||
Console.WriteLine();
|
||||
}
|
||||
|
||||
string? expectedPreviousHash = null;
|
||||
int expectedSequence = -1;
|
||||
DateTimeOffset? previousEndTime = null;
|
||||
int passedCount = 0;
|
||||
int failedCount = 0;
|
||||
|
||||
foreach (var dsseFile in dsseFiles)
|
||||
{
|
||||
var chunkResult = new ChunkVerificationResult
|
||||
{
|
||||
FilePath = dsseFile,
|
||||
Errors = []
|
||||
};
|
||||
|
||||
try
|
||||
{
|
||||
var dsseJson = await File.ReadAllTextAsync(dsseFile, ct);
|
||||
var envelope = JsonSerializer.Deserialize<DsseEnvelopeInfo>(dsseJson, JsonOptions);
|
||||
|
||||
if (envelope == null)
|
||||
{
|
||||
chunkResult.Errors.Add("Failed to parse DSSE envelope");
|
||||
report.ChunkResults.Add(chunkResult);
|
||||
failedCount++;
|
||||
continue;
|
||||
}
|
||||
|
||||
// Decode payload to get predicate
|
||||
var payloadJson = System.Text.Encoding.UTF8.GetString(
|
||||
Convert.FromBase64String(envelope.Payload));
|
||||
var statement = JsonSerializer.Deserialize<InTotoStatementInfo>(payloadJson, JsonOptions);
|
||||
|
||||
if (statement?.Predicate == null)
|
||||
{
|
||||
chunkResult.Errors.Add("Failed to parse in-toto statement");
|
||||
report.ChunkResults.Add(chunkResult);
|
||||
failedCount++;
|
||||
continue;
|
||||
}
|
||||
|
||||
var predicate = statement.Predicate;
|
||||
chunkResult.ChunkId = predicate.ChunkId;
|
||||
chunkResult.ChunkSequence = predicate.ChunkSequence;
|
||||
chunkResult.EventCount = predicate.EventCount;
|
||||
chunkResult.TimeRange = new TimeRangeInfo
|
||||
{
|
||||
Start = predicate.TimeRange?.Start,
|
||||
End = predicate.TimeRange?.End
|
||||
};
|
||||
|
||||
// Initialize expected sequence from first chunk
|
||||
if (expectedSequence < 0)
|
||||
{
|
||||
expectedSequence = predicate.ChunkSequence;
|
||||
}
|
||||
|
||||
// Verify chain linkage
|
||||
if (expectedPreviousHash != null && predicate.PreviousChunkId != expectedPreviousHash)
|
||||
{
|
||||
chunkResult.Errors.Add($"Chain broken: expected previous_chunk_id={expectedPreviousHash}, got={predicate.PreviousChunkId}");
|
||||
}
|
||||
|
||||
// Verify sequence continuity
|
||||
if (predicate.ChunkSequence != expectedSequence)
|
||||
{
|
||||
chunkResult.Errors.Add($"Sequence gap: expected={expectedSequence}, got={predicate.ChunkSequence}");
|
||||
}
|
||||
|
||||
// Verify time monotonicity
|
||||
if (previousEndTime.HasValue && predicate.TimeRange?.Start < previousEndTime)
|
||||
{
|
||||
chunkResult.Errors.Add($"Time overlap: chunk starts at {predicate.TimeRange?.Start}, but previous ended at {previousEndTime}");
|
||||
}
|
||||
|
||||
// Verify signature is present
|
||||
if (envelope.Signatures == null || envelope.Signatures.Count == 0)
|
||||
{
|
||||
chunkResult.Errors.Add("No signatures found in envelope");
|
||||
}
|
||||
|
||||
// Note: Full cryptographic verification would require the signing keys
|
||||
// In offline mode, we only verify structural integrity
|
||||
|
||||
chunkResult.Passed = chunkResult.Errors.Count == 0;
|
||||
if (chunkResult.Passed)
|
||||
{
|
||||
passedCount++;
|
||||
}
|
||||
else
|
||||
{
|
||||
failedCount++;
|
||||
}
|
||||
|
||||
// Update expectations for next chunk
|
||||
expectedPreviousHash = predicate.ChunkId;
|
||||
expectedSequence++;
|
||||
previousEndTime = predicate.TimeRange?.End;
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
chunkResult.Errors.Add($"Exception: {ex.Message}");
|
||||
failedCount++;
|
||||
}
|
||||
|
||||
report.ChunkResults.Add(chunkResult);
|
||||
|
||||
if (verbose && !format.Equals("json", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
var status = chunkResult.Passed ? "✓" : "✗";
|
||||
Console.WriteLine($" {status} {Path.GetFileName(dsseFile)}: seq={chunkResult.ChunkSequence}, events={chunkResult.EventCount}");
|
||||
foreach (var error in chunkResult.Errors)
|
||||
{
|
||||
Console.WriteLine($" Error: {error}");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
report.PassedChunks = passedCount;
|
||||
report.FailedChunks = failedCount;
|
||||
report.IsValid = failedCount == 0;
|
||||
|
||||
// Output report
|
||||
if (format.Equals("json", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
Console.WriteLine(JsonSerializer.Serialize(report, JsonOptions));
|
||||
}
|
||||
else
|
||||
{
|
||||
Console.WriteLine($"Results:");
|
||||
Console.WriteLine($" Passed: {passedCount}");
|
||||
Console.WriteLine($" Failed: {failedCount}");
|
||||
Console.WriteLine();
|
||||
Console.WriteLine($"Chain Status: {(report.IsValid ? "✓ VALID" : "✗ INVALID")}");
|
||||
}
|
||||
|
||||
// Save report if requested
|
||||
if (!string.IsNullOrEmpty(reportPath))
|
||||
{
|
||||
var reportJson = JsonSerializer.Serialize(report, JsonOptions);
|
||||
await File.WriteAllTextAsync(reportPath, reportJson, ct);
|
||||
if (!format.Equals("json", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
Console.WriteLine();
|
||||
Console.WriteLine($"Report saved to: {reportPath}");
|
||||
}
|
||||
}
|
||||
|
||||
return report.IsValid ? 0 : 1;
|
||||
});
|
||||
|
||||
return verifyChainCommand;
|
||||
}
|
||||
|
||||
#endregion
|
||||
|
||||
#region Sample Data
|
||||
|
||||
private static List<RuntimeSignal> GetSignals(string target)
|
||||
@@ -362,5 +609,74 @@ public static class SignalsCommandGroup
|
||||
public int ReachableVulnerabilities { get; set; }
|
||||
}
|
||||
|
||||
// SIGNING-002 DTOs for chain verification
|
||||
private sealed class ChainVerificationReport
|
||||
{
|
||||
public string Path { get; set; } = string.Empty;
|
||||
public DateTimeOffset VerifiedAt { get; set; }
|
||||
public bool OfflineMode { get; set; }
|
||||
public int TotalChunks { get; set; }
|
||||
public int PassedChunks { get; set; }
|
||||
public int FailedChunks { get; set; }
|
||||
public bool IsValid { get; set; }
|
||||
public List<ChunkVerificationResult> ChunkResults { get; set; } = [];
|
||||
}
|
||||
|
||||
private sealed class ChunkVerificationResult
|
||||
{
|
||||
public string FilePath { get; set; } = string.Empty;
|
||||
public string? ChunkId { get; set; }
|
||||
public int? ChunkSequence { get; set; }
|
||||
public long? EventCount { get; set; }
|
||||
public TimeRangeInfo? TimeRange { get; set; }
|
||||
public bool Passed { get; set; }
|
||||
public List<string> Errors { get; set; } = [];
|
||||
}
|
||||
|
||||
private sealed class TimeRangeInfo
|
||||
{
|
||||
public DateTimeOffset? Start { get; set; }
|
||||
public DateTimeOffset? End { get; set; }
|
||||
}
|
||||
|
||||
private sealed class DsseEnvelopeInfo
|
||||
{
|
||||
public string PayloadType { get; set; } = string.Empty;
|
||||
public string Payload { get; set; } = string.Empty;
|
||||
public List<DsseSignatureInfo>? Signatures { get; set; }
|
||||
}
|
||||
|
||||
private sealed class DsseSignatureInfo
|
||||
{
|
||||
public string? KeyId { get; set; }
|
||||
public string Sig { get; set; } = string.Empty;
|
||||
}
|
||||
|
||||
private sealed class InTotoStatementInfo
|
||||
{
|
||||
[JsonPropertyName("_type")]
|
||||
public string? Type { get; set; }
|
||||
public string? PredicateType { get; set; }
|
||||
public RuntimeEvidencePredicateInfo? Predicate { get; set; }
|
||||
}
|
||||
|
||||
private sealed class RuntimeEvidencePredicateInfo
|
||||
{
|
||||
[JsonPropertyName("chunk_id")]
|
||||
public string? ChunkId { get; set; }
|
||||
|
||||
[JsonPropertyName("chunk_sequence")]
|
||||
public int ChunkSequence { get; set; }
|
||||
|
||||
[JsonPropertyName("previous_chunk_id")]
|
||||
public string? PreviousChunkId { get; set; }
|
||||
|
||||
[JsonPropertyName("event_count")]
|
||||
public long EventCount { get; set; }
|
||||
|
||||
[JsonPropertyName("time_range")]
|
||||
public TimeRangeInfo? TimeRange { get; set; }
|
||||
}
|
||||
|
||||
#endregion
|
||||
}
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
// -----------------------------------------------------------------------------
|
||||
// SignalsCommandTests.cs
|
||||
// Sprint: SPRINT_20260117_006_CLI_reachability_analysis (RCA-006, RCA-007)
|
||||
// Description: Unit tests for signals inspect command
|
||||
// Sprint: SPRINT_0127_0002_Signals_ebpf_syscall_reachability_proofs (SIGNING-002)
|
||||
// Description: Unit tests for signals inspect and verify-chain commands
|
||||
// -----------------------------------------------------------------------------
|
||||
|
||||
using System.CommandLine;
|
||||
@@ -13,8 +14,24 @@ using Xunit;
|
||||
|
||||
namespace StellaOps.Cli.Tests.Commands;
|
||||
|
||||
public sealed class SignalsCommandTests
|
||||
public sealed class SignalsCommandTests : IDisposable
|
||||
{
|
||||
private readonly string _testDir;
|
||||
|
||||
public SignalsCommandTests()
|
||||
{
|
||||
_testDir = Path.Combine(Path.GetTempPath(), $"signals-test-{Guid.NewGuid():N}");
|
||||
Directory.CreateDirectory(_testDir);
|
||||
}
|
||||
|
||||
public void Dispose()
|
||||
{
|
||||
if (Directory.Exists(_testDir))
|
||||
{
|
||||
Directory.Delete(_testDir, recursive: true);
|
||||
}
|
||||
}
|
||||
|
||||
private static RootCommand BuildSignalsRoot()
|
||||
{
|
||||
var services = new ServiceCollection().BuildServiceProvider();
|
||||
@@ -47,4 +64,397 @@ public sealed class SignalsCommandTests
|
||||
using var doc = JsonDocument.Parse(writer.ToString());
|
||||
Assert.True(doc.RootElement.GetArrayLength() > 0);
|
||||
}
|
||||
|
||||
#region Verify-Chain Tests (SIGNING-002)
|
||||
|
||||
[Trait("Category", TestCategories.Unit)]
|
||||
[Fact]
|
||||
public async Task VerifyChain_DirectoryNotFound_ReturnsError()
|
||||
{
|
||||
var root = BuildSignalsRoot();
|
||||
var nonExistentPath = Path.Combine(_testDir, "nonexistent");
|
||||
|
||||
var errorWriter = new StringWriter();
|
||||
var originalErr = Console.Error;
|
||||
int exitCode;
|
||||
try
|
||||
{
|
||||
Console.SetError(errorWriter);
|
||||
exitCode = await root.Parse($"signals verify-chain \"{nonExistentPath}\"").InvokeAsync();
|
||||
}
|
||||
finally
|
||||
{
|
||||
Console.SetError(originalErr);
|
||||
}
|
||||
|
||||
Assert.Equal(1, exitCode);
|
||||
Assert.Contains("Directory not found", errorWriter.ToString());
|
||||
}
|
||||
|
||||
[Trait("Category", TestCategories.Unit)]
|
||||
[Fact]
|
||||
public async Task VerifyChain_NoChunksFound_ReturnsError()
|
||||
{
|
||||
var root = BuildSignalsRoot();
|
||||
var emptyDir = Path.Combine(_testDir, "empty");
|
||||
Directory.CreateDirectory(emptyDir);
|
||||
|
||||
var errorWriter = new StringWriter();
|
||||
var originalErr = Console.Error;
|
||||
int exitCode;
|
||||
try
|
||||
{
|
||||
Console.SetError(errorWriter);
|
||||
exitCode = await root.Parse($"signals verify-chain \"{emptyDir}\"").InvokeAsync();
|
||||
}
|
||||
finally
|
||||
{
|
||||
Console.SetError(originalErr);
|
||||
}
|
||||
|
||||
Assert.Equal(1, exitCode);
|
||||
Assert.Contains("No signed chunks found", errorWriter.ToString());
|
||||
}
|
||||
|
||||
[Trait("Category", TestCategories.Unit)]
|
||||
[Fact]
|
||||
public async Task VerifyChain_ValidChain_ReturnsSuccess()
|
||||
{
|
||||
var root = BuildSignalsRoot();
|
||||
var chainDir = Path.Combine(_testDir, "valid-chain");
|
||||
Directory.CreateDirectory(chainDir);
|
||||
|
||||
// Create a valid 3-chunk chain
|
||||
await CreateValidChainAsync(chainDir, chunkCount: 3);
|
||||
|
||||
var writer = new StringWriter();
|
||||
var originalOut = Console.Out;
|
||||
int exitCode;
|
||||
try
|
||||
{
|
||||
Console.SetOut(writer);
|
||||
exitCode = await root.Parse($"signals verify-chain \"{chainDir}\"").InvokeAsync();
|
||||
}
|
||||
finally
|
||||
{
|
||||
Console.SetOut(originalOut);
|
||||
}
|
||||
|
||||
Assert.Equal(0, exitCode);
|
||||
Assert.Contains("VALID", writer.ToString());
|
||||
}
|
||||
|
||||
[Trait("Category", TestCategories.Unit)]
|
||||
[Fact]
|
||||
public async Task VerifyChain_BrokenChain_ReturnsFailure()
|
||||
{
|
||||
var root = BuildSignalsRoot();
|
||||
var chainDir = Path.Combine(_testDir, "broken-chain");
|
||||
Directory.CreateDirectory(chainDir);
|
||||
|
||||
// Create chain with broken linkage
|
||||
await CreateBrokenChainAsync(chainDir);
|
||||
|
||||
var writer = new StringWriter();
|
||||
var originalOut = Console.Out;
|
||||
int exitCode;
|
||||
try
|
||||
{
|
||||
Console.SetOut(writer);
|
||||
exitCode = await root.Parse($"signals verify-chain \"{chainDir}\" --verbose").InvokeAsync();
|
||||
}
|
||||
finally
|
||||
{
|
||||
Console.SetOut(originalOut);
|
||||
}
|
||||
|
||||
Assert.Equal(1, exitCode);
|
||||
Assert.Contains("INVALID", writer.ToString());
|
||||
}
|
||||
|
||||
[Trait("Category", TestCategories.Unit)]
|
||||
[Fact]
|
||||
public async Task VerifyChain_JsonFormat_ReturnsReport()
|
||||
{
|
||||
var root = BuildSignalsRoot();
|
||||
var chainDir = Path.Combine(_testDir, "json-chain");
|
||||
Directory.CreateDirectory(chainDir);
|
||||
|
||||
await CreateValidChainAsync(chainDir, chunkCount: 2);
|
||||
|
||||
var writer = new StringWriter();
|
||||
var originalOut = Console.Out;
|
||||
int exitCode;
|
||||
try
|
||||
{
|
||||
Console.SetOut(writer);
|
||||
exitCode = await root.Parse($"signals verify-chain \"{chainDir}\" --format json").InvokeAsync();
|
||||
}
|
||||
finally
|
||||
{
|
||||
Console.SetOut(originalOut);
|
||||
}
|
||||
|
||||
Assert.Equal(0, exitCode);
|
||||
|
||||
using var doc = JsonDocument.Parse(writer.ToString());
|
||||
var root2 = doc.RootElement;
|
||||
Assert.True(root2.GetProperty("isValid").GetBoolean());
|
||||
Assert.Equal(2, root2.GetProperty("totalChunks").GetInt32());
|
||||
Assert.Equal(2, root2.GetProperty("passedChunks").GetInt32());
|
||||
Assert.Equal(0, root2.GetProperty("failedChunks").GetInt32());
|
||||
}
|
||||
|
||||
[Trait("Category", TestCategories.Unit)]
|
||||
[Fact]
|
||||
public async Task VerifyChain_SaveReport_WritesFile()
|
||||
{
|
||||
var root = BuildSignalsRoot();
|
||||
var chainDir = Path.Combine(_testDir, "report-chain");
|
||||
Directory.CreateDirectory(chainDir);
|
||||
var reportPath = Path.Combine(_testDir, "report.json");
|
||||
|
||||
await CreateValidChainAsync(chainDir, chunkCount: 2);
|
||||
|
||||
var writer = new StringWriter();
|
||||
var originalOut = Console.Out;
|
||||
int exitCode;
|
||||
try
|
||||
{
|
||||
Console.SetOut(writer);
|
||||
exitCode = await root.Parse($"signals verify-chain \"{chainDir}\" --report \"{reportPath}\"").InvokeAsync();
|
||||
}
|
||||
finally
|
||||
{
|
||||
Console.SetOut(originalOut);
|
||||
}
|
||||
|
||||
Assert.Equal(0, exitCode);
|
||||
Assert.True(File.Exists(reportPath));
|
||||
|
||||
var reportJson = await File.ReadAllTextAsync(reportPath);
|
||||
using var doc = JsonDocument.Parse(reportJson);
|
||||
Assert.True(doc.RootElement.GetProperty("isValid").GetBoolean());
|
||||
}
|
||||
|
||||
[Trait("Category", TestCategories.Unit)]
|
||||
[Fact]
|
||||
public async Task VerifyChain_SequenceGap_ReturnsFailure()
|
||||
{
|
||||
var root = BuildSignalsRoot();
|
||||
var chainDir = Path.Combine(_testDir, "sequence-gap");
|
||||
Directory.CreateDirectory(chainDir);
|
||||
|
||||
// Create chain with sequence gap (1, 3 instead of 1, 2)
|
||||
await CreateChainWithSequenceGapAsync(chainDir);
|
||||
|
||||
var writer = new StringWriter();
|
||||
var originalOut = Console.Out;
|
||||
int exitCode;
|
||||
try
|
||||
{
|
||||
Console.SetOut(writer);
|
||||
exitCode = await root.Parse($"signals verify-chain \"{chainDir}\" --verbose").InvokeAsync();
|
||||
}
|
||||
finally
|
||||
{
|
||||
Console.SetOut(originalOut);
|
||||
}
|
||||
|
||||
Assert.Equal(1, exitCode);
|
||||
Assert.Contains("Sequence gap", writer.ToString());
|
||||
}
|
||||
|
||||
[Trait("Category", TestCategories.Unit)]
|
||||
[Fact]
|
||||
public async Task VerifyChain_TimeOverlap_ReturnsFailure()
|
||||
{
|
||||
var root = BuildSignalsRoot();
|
||||
var chainDir = Path.Combine(_testDir, "time-overlap");
|
||||
Directory.CreateDirectory(chainDir);
|
||||
|
||||
// Create chain with time overlap
|
||||
await CreateChainWithTimeOverlapAsync(chainDir);
|
||||
|
||||
var writer = new StringWriter();
|
||||
var originalOut = Console.Out;
|
||||
int exitCode;
|
||||
try
|
||||
{
|
||||
Console.SetOut(writer);
|
||||
exitCode = await root.Parse($"signals verify-chain \"{chainDir}\" --verbose").InvokeAsync();
|
||||
}
|
||||
finally
|
||||
{
|
||||
Console.SetOut(originalOut);
|
||||
}
|
||||
|
||||
Assert.Equal(1, exitCode);
|
||||
Assert.Contains("Time overlap", writer.ToString());
|
||||
}
|
||||
|
||||
#endregion
|
||||
|
||||
#region Test Helpers
|
||||
|
||||
private static async Task CreateValidChainAsync(string dir, int chunkCount)
|
||||
{
|
||||
string? previousChunkId = null;
|
||||
var baseTime = DateTimeOffset.UtcNow.AddHours(-chunkCount);
|
||||
|
||||
for (int i = 1; i <= chunkCount; i++)
|
||||
{
|
||||
var chunkId = $"sha256:{new string((char)('a' + i - 1), 64)}";
|
||||
var startTime = baseTime.AddMinutes((i - 1) * 10);
|
||||
var endTime = startTime.AddMinutes(5);
|
||||
|
||||
var envelope = CreateDsseEnvelope(
|
||||
chunkId: chunkId,
|
||||
chunkSequence: i,
|
||||
previousChunkId: previousChunkId,
|
||||
eventCount: 100 * i,
|
||||
startTime: startTime,
|
||||
endTime: endTime);
|
||||
|
||||
var filePath = Path.Combine(dir, $"chunk-{i:D4}.dsse.json");
|
||||
await File.WriteAllTextAsync(filePath, envelope);
|
||||
|
||||
previousChunkId = chunkId;
|
||||
}
|
||||
}
|
||||
|
||||
private static async Task CreateBrokenChainAsync(string dir)
|
||||
{
|
||||
var baseTime = DateTimeOffset.UtcNow.AddHours(-2);
|
||||
|
||||
// First chunk
|
||||
var envelope1 = CreateDsseEnvelope(
|
||||
chunkId: "sha256:" + new string('a', 64),
|
||||
chunkSequence: 1,
|
||||
previousChunkId: null,
|
||||
eventCount: 100,
|
||||
startTime: baseTime,
|
||||
endTime: baseTime.AddMinutes(5));
|
||||
await File.WriteAllTextAsync(Path.Combine(dir, "chunk-0001.dsse.json"), envelope1);
|
||||
|
||||
// Second chunk with wrong previous_chunk_id (broken chain)
|
||||
var envelope2 = CreateDsseEnvelope(
|
||||
chunkId: "sha256:" + new string('b', 64),
|
||||
chunkSequence: 2,
|
||||
previousChunkId: "sha256:" + new string('x', 64), // Wrong! Should be 'a's
|
||||
eventCount: 200,
|
||||
startTime: baseTime.AddMinutes(10),
|
||||
endTime: baseTime.AddMinutes(15));
|
||||
await File.WriteAllTextAsync(Path.Combine(dir, "chunk-0002.dsse.json"), envelope2);
|
||||
}
|
||||
|
||||
private static async Task CreateChainWithSequenceGapAsync(string dir)
|
||||
{
|
||||
var baseTime = DateTimeOffset.UtcNow.AddHours(-2);
|
||||
|
||||
// Chunk 1
|
||||
var envelope1 = CreateDsseEnvelope(
|
||||
chunkId: "sha256:" + new string('a', 64),
|
||||
chunkSequence: 1,
|
||||
previousChunkId: null,
|
||||
eventCount: 100,
|
||||
startTime: baseTime,
|
||||
endTime: baseTime.AddMinutes(5));
|
||||
await File.WriteAllTextAsync(Path.Combine(dir, "chunk-0001.dsse.json"), envelope1);
|
||||
|
||||
// Chunk 3 (sequence gap - skipped 2)
|
||||
var envelope2 = CreateDsseEnvelope(
|
||||
chunkId: "sha256:" + new string('b', 64),
|
||||
chunkSequence: 3, // Should be 2
|
||||
previousChunkId: "sha256:" + new string('a', 64),
|
||||
eventCount: 200,
|
||||
startTime: baseTime.AddMinutes(10),
|
||||
endTime: baseTime.AddMinutes(15));
|
||||
await File.WriteAllTextAsync(Path.Combine(dir, "chunk-0002.dsse.json"), envelope2);
|
||||
}
|
||||
|
||||
private static async Task CreateChainWithTimeOverlapAsync(string dir)
|
||||
{
|
||||
var baseTime = DateTimeOffset.UtcNow.AddHours(-2);
|
||||
|
||||
// Chunk 1: ends at baseTime + 10 min
|
||||
var envelope1 = CreateDsseEnvelope(
|
||||
chunkId: "sha256:" + new string('a', 64),
|
||||
chunkSequence: 1,
|
||||
previousChunkId: null,
|
||||
eventCount: 100,
|
||||
startTime: baseTime,
|
||||
endTime: baseTime.AddMinutes(10));
|
||||
await File.WriteAllTextAsync(Path.Combine(dir, "chunk-0001.dsse.json"), envelope1);
|
||||
|
||||
// Chunk 2: starts at baseTime + 5 min (overlaps with chunk 1)
|
||||
var envelope2 = CreateDsseEnvelope(
|
||||
chunkId: "sha256:" + new string('b', 64),
|
||||
chunkSequence: 2,
|
||||
previousChunkId: "sha256:" + new string('a', 64),
|
||||
eventCount: 200,
|
||||
startTime: baseTime.AddMinutes(5), // Overlaps! Should be >= baseTime + 10
|
||||
endTime: baseTime.AddMinutes(15));
|
||||
await File.WriteAllTextAsync(Path.Combine(dir, "chunk-0002.dsse.json"), envelope2);
|
||||
}
|
||||
|
||||
private static string CreateDsseEnvelope(
|
||||
string chunkId,
|
||||
int chunkSequence,
|
||||
string? previousChunkId,
|
||||
long eventCount,
|
||||
DateTimeOffset startTime,
|
||||
DateTimeOffset endTime)
|
||||
{
|
||||
// Build the in-toto statement predicate
|
||||
var predicate = new
|
||||
{
|
||||
chunk_id = chunkId,
|
||||
chunk_sequence = chunkSequence,
|
||||
previous_chunk_id = previousChunkId,
|
||||
event_count = eventCount,
|
||||
time_range = new
|
||||
{
|
||||
start = startTime,
|
||||
end = endTime
|
||||
}
|
||||
};
|
||||
|
||||
var statement = new
|
||||
{
|
||||
_type = "https://in-toto.io/Statement/v0.1",
|
||||
predicateType = "stella.ops/runtime-evidence@v1",
|
||||
predicate
|
||||
};
|
||||
|
||||
var statementJson = JsonSerializer.Serialize(statement, new JsonSerializerOptions
|
||||
{
|
||||
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
|
||||
WriteIndented = false
|
||||
});
|
||||
var payloadBase64 = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(statementJson));
|
||||
|
||||
// Build DSSE envelope
|
||||
var envelope = new
|
||||
{
|
||||
payloadType = "application/vnd.in-toto+json",
|
||||
payload = payloadBase64,
|
||||
signatures = new[]
|
||||
{
|
||||
new
|
||||
{
|
||||
keyid = "test-key",
|
||||
sig = Convert.ToBase64String(new byte[64]) // Dummy signature
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
return JsonSerializer.Serialize(envelope, new JsonSerializerOptions
|
||||
{
|
||||
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
|
||||
WriteIndented = true
|
||||
});
|
||||
}
|
||||
|
||||
#endregion
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user