stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

test fixes and new product advisories work

Browse Source
This commit is contained in:
master
2026-01-28 02:30:48 +02:00
parent 82caceba56
commit 644887997c
288 changed files with 69101 additions and 375 deletions
Download Patch File Download Diff File Expand all files Collapse all files

634
src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/Cgroup/CgroupContainerResolverTests.cs Normal file
View File

@@ -0,0 +1,634 @@
// <copyright file="CgroupContainerResolverTests.cs" company="StellaOps">
// SPDX-License-Identifier: BUSL-1.1
// </copyright>
namespace StellaOps.Signals.Ebpf.Tests.Cgroup;
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Signals.Ebpf.Cgroup;
using Xunit;
public class CgroupContainerResolverTests : IDisposable
{
private readonly string _testProcRoot;
private readonly CgroupContainerResolver _resolver;
public CgroupContainerResolverTests()
{
_testProcRoot = Path.Combine(Path.GetTempPath(), $"proc_test_{Guid.NewGuid():N}");
Directory.CreateDirectory(_testProcRoot);
_resolver = new CgroupContainerResolver(
NullLogger<CgroupContainerResolver>.Instance,
_testProcRoot);
}
public void Dispose()
{
_resolver.Dispose();
if (Directory.Exists(_testProcRoot))
{
Directory.Delete(_testProcRoot, recursive: true);
}
}
[Fact]
public void ResolveByPid_ContainerdContainer_ReturnsContainerIdentity()
{
// Arrange
var pid = 12345;
var containerId = "abc123def456789012345678901234567890123456789012345678901234abcd"; // 64 hex chars
SetupCgroupFile(pid, $"0::/system.slice/containerd-{containerId}.scope");
// Act
var result = _resolver.ResolveByPid(pid);
// Assert
result.Should().NotBeNull();
result!.Runtime.Should().Be(ContainerRuntime.Containerd);
result.FullId.Should().Be(containerId);
result.ShortId.Should().Be(containerId[..12]);
result.ContainerId.Should().Be($"containerd://{containerId}");
}
[Fact]
public void ResolveByPid_DockerContainer_ReturnsContainerIdentity()
{
// Arrange
var pid = 12346;
var containerId = "def456789012345678901234567890123456789012345678901234567890abcd"; // 64 hex chars
SetupCgroupFile(pid, $"0::/docker/{containerId}");
// Act
var result = _resolver.ResolveByPid(pid);
// Assert
result.Should().NotBeNull();
result!.Runtime.Should().Be(ContainerRuntime.Docker);
result.FullId.Should().Be(containerId);
result.ContainerId.Should().Be($"docker://{containerId}");
}
[Fact]
public void ResolveByPid_DockerSystemdScope_ReturnsContainerIdentity()
{
// Arrange
var pid = 12347;
var containerId = "1111111111111111111111111111111111111111111111111111111111111111"; // exactly 64 hex chars
SetupCgroupFile(pid, $"0::/system.slice/docker-{containerId}.scope");
// Act
var result = _resolver.ResolveByPid(pid);
// Assert
result.Should().NotBeNull();
result!.Runtime.Should().Be(ContainerRuntime.Docker);
result.FullId.Should().Be(containerId);
}
[Fact]
public void ResolveByPid_CrioContainer_ReturnsContainerIdentity()
{
// Arrange
var pid = 12348;
var containerId = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
SetupCgroupFile(pid, $"0::/crio-{containerId}.scope");
// Act
var result = _resolver.ResolveByPid(pid);
// Assert
result.Should().NotBeNull();
result!.Runtime.Should().Be(ContainerRuntime.CriO);
result.FullId.Should().Be(containerId);
result.ContainerId.Should().Be($"cri-o://{containerId}");
}
[Fact]
public void ResolveByPid_PodmanContainer_ReturnsContainerIdentity()
{
// Arrange
var pid = 12349;
var containerId = "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210";
SetupCgroupFile(pid, $"0::/libpod-{containerId}.scope");
// Act
var result = _resolver.ResolveByPid(pid);
// Assert
result.Should().NotBeNull();
result!.Runtime.Should().Be(ContainerRuntime.Podman);
result.FullId.Should().Be(containerId);
result.ContainerId.Should().Be($"podman://{containerId}");
}
[Fact]
public void ResolveByPid_CgroupV1_ParsesCorrectly()
{
// Arrange - cgroup v1 format with multiple lines
var pid = 12350;
var containerId = "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789";
var cgroupContent = @"12:pids:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
11:hugetlb:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
10:net_prio:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
9:perf_event:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
8:net_cls:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
7:freezer:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
6:devices:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
5:memory:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
4:blkio:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
3:cpuacct:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
2:cpu:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
1:cpuset:/docker/abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789";
SetupCgroupFileRaw(pid, cgroupContent);
// Act
var result = _resolver.ResolveByPid(pid);
// Assert
result.Should().NotBeNull();
result!.Runtime.Should().Be(ContainerRuntime.Docker);
result.FullId.Should().Be(containerId);
}
[Fact]
public void ResolveByPid_NonContainerProcess_ReturnsNull()
{
// Arrange
var pid = 12351;
SetupCgroupFile(pid, "0::/user.slice/user-1000.slice/session-1.scope");
// Act
var result = _resolver.ResolveByPid(pid);
// Assert
result.Should().BeNull();
}
[Fact]
public void ResolveByPid_ProcessNotFound_ReturnsNull()
{
// Arrange - no cgroup file created
var pid = 99999;
// Act
var result = _resolver.ResolveByPid(pid);
// Assert
result.Should().BeNull();
}
[Fact]
public void ResolveByPid_CachesResult()
{
// Arrange
var pid = 12352;
var containerId = "2222222222222222222222222222222222222222222222222222222222222222"; // exactly 64 hex chars
SetupCgroupFile(pid, $"0::/docker/{containerId}");
// Act
var result1 = _resolver.ResolveByPid(pid);
var result2 = _resolver.ResolveByPid(pid);
// Assert
result1.Should().NotBeNull();
result2.Should().NotBeNull();
result1.Should().BeSameAs(result2); // Same reference from cache
}
[Fact]
public void InvalidatePid_RemovesFromCache()
{
// Arrange
var pid = 12353;
var containerId1 = "3333333333333333333333333333333333333333333333333333333333333333"; // exactly 64 hex chars
SetupCgroupFile(pid, $"0::/docker/{containerId1}");
var result1 = _resolver.ResolveByPid(pid);
// Update cgroup file
var containerId2 = "4444444444444444444444444444444444444444444444444444444444444444"; // exactly 64 hex chars
SetupCgroupFile(pid, $"0::/docker/{containerId2}");
// Act
_resolver.InvalidatePid(pid);
var result2 = _resolver.ResolveByPid(pid);
// Assert
result1!.FullId.Should().Be(containerId1);
result2!.FullId.Should().Be(containerId2);
}
[Fact]
public void RegisterCgroupMapping_AllowsLookupByCgroupId()
{
// Arrange
var cgroupId = 12345678UL;
var identity = new ContainerIdentity
{
ContainerId = "containerd://test123456789012345678901234567890123456789012345678901234",
Runtime = ContainerRuntime.Containerd,
ShortId = "test12345678",
FullId = "test123456789012345678901234567890123456789012345678901234",
};
// Act
_resolver.RegisterCgroupMapping(cgroupId, identity);
var result = _resolver.ResolveByCgroupId(cgroupId);
// Assert
result.Should().NotBeNull();
result.Should().BeSameAs(identity);
}
[Fact]
public void ResolveByCgroupId_UnknownId_ReturnsNull()
{
// Arrange
var cgroupId = 99999999UL;
// Act
var result = _resolver.ResolveByCgroupId(cgroupId);
// Assert
result.Should().BeNull();
}
private void SetupCgroupFile(int pid, string cgroupPath)
{
SetupCgroupFileRaw(pid, cgroupPath);
}
private void SetupCgroupFileRaw(int pid, string content)
{
var pidDir = Path.Combine(_testProcRoot, pid.ToString());
Directory.CreateDirectory(pidDir);
File.WriteAllText(Path.Combine(pidDir, "cgroup"), content);
}
private void SetupNamespaceFiles(int pid, ulong pidNs, ulong mntNs, ulong netNs = 0, ulong userNs = 0, ulong cgroupNs = 0)
{
var pidDir = Path.Combine(_testProcRoot, pid.ToString());
var nsDir = Path.Combine(pidDir, "ns");
Directory.CreateDirectory(nsDir);
// Write namespace inodes in the Linux symlink format: "type:[inode]"
File.WriteAllText(Path.Combine(nsDir, "pid"), $"pid:[{pidNs}]");
File.WriteAllText(Path.Combine(nsDir, "mnt"), $"mnt:[{mntNs}]");
File.WriteAllText(Path.Combine(nsDir, "net"), $"net:[{netNs}]");
File.WriteAllText(Path.Combine(nsDir, "user"), $"user:[{userNs}]");
File.WriteAllText(Path.Combine(nsDir, "cgroup"), $"cgroup:[{cgroupNs}]");
}
#region Namespace Filtering Tests
[Fact]
public void GetNamespaceInfo_ReturnsCorrectInodes()
{
// Arrange
var pid = 20001;
SetupNamespaceFiles(pid, pidNs: 4026531836, mntNs: 4026531840, netNs: 4026531992);
// Act
var nsInfo = _resolver.GetNamespaceInfo(pid);
// Assert
nsInfo.Should().NotBeNull();
nsInfo!.PidNs.Should().Be(4026531836);
nsInfo.MntNs.Should().Be(4026531840);
nsInfo.NetNs.Should().Be(4026531992);
}
[Fact]
public void GetNamespaceInfo_ProcessNotFound_ReturnsNull()
{
// Arrange - no namespace files created
var pid = 99998;
// Act
var nsInfo = _resolver.GetNamespaceInfo(pid);
// Assert
nsInfo.Should().BeNull();
}
[Fact]
public void GetNamespaceInfo_CachesResult()
{
// Arrange
var pid = 20002;
SetupNamespaceFiles(pid, pidNs: 1111111111, mntNs: 2222222222);
// Act
var result1 = _resolver.GetNamespaceInfo(pid);
var result2 = _resolver.GetNamespaceInfo(pid);
// Assert
result1.Should().NotBeNull();
result2.Should().BeSameAs(result1);
}
[Fact]
public void IsInSameNamespace_SamePidNs_ReturnsTrue()
{
// Arrange
var pid1 = 20003;
var pid2 = 20004;
SetupNamespaceFiles(pid1, pidNs: 4026531836, mntNs: 4026531840);
SetupNamespaceFiles(pid2, pidNs: 4026531836, mntNs: 4026531999); // Same pid ns, different mnt ns
// Act
var result = _resolver.IsInSameNamespace(pid1, pid2, NamespaceType.Pid);
// Assert
result.Should().BeTrue();
}
[Fact]
public void IsInSameNamespace_DifferentPidNs_ReturnsFalse()
{
// Arrange
var pid1 = 20005;
var pid2 = 20006;
SetupNamespaceFiles(pid1, pidNs: 4026531836, mntNs: 4026531840);
SetupNamespaceFiles(pid2, pidNs: 4026531999, mntNs: 4026531840); // Different pid ns
// Act
var result = _resolver.IsInSameNamespace(pid1, pid2, NamespaceType.Pid);
// Assert
result.Should().BeFalse();
}
[Fact]
public void IsInSameNamespace_SameMntNs_ReturnsTrue()
{
// Arrange
var pid1 = 20007;
var pid2 = 20008;
SetupNamespaceFiles(pid1, pidNs: 111, mntNs: 4026531840);
SetupNamespaceFiles(pid2, pidNs: 222, mntNs: 4026531840);
// Act
var result = _resolver.IsInSameNamespace(pid1, pid2, NamespaceType.Mnt);
// Assert
result.Should().BeTrue();
}
[Fact]
public void MatchesNamespaceFilter_NoFilter_ReturnsTrue()
{
// Arrange
var pid = 20009;
SetupNamespaceFiles(pid, pidNs: 4026531836, mntNs: 4026531840);
// Act - resolver has no namespace filter
var result = _resolver.MatchesNamespaceFilter(pid);
// Assert
result.Should().BeTrue();
}
[Fact]
public void NamespaceFilter_MatchingPidNs_ReturnsTrue()
{
// Arrange
var filter = new NamespaceFilter
{
TargetPidNamespaces = new HashSet<ulong> { 4026531836 },
};
var nsInfo = new NamespaceInfo
{
PidNs = 4026531836,
MntNs = 4026531840,
};
// Act
var result = filter.Matches(nsInfo);
// Assert
result.Should().BeTrue();
}
[Fact]
public void NamespaceFilter_NonMatchingPidNs_ReturnsFalse()
{
// Arrange
var filter = new NamespaceFilter
{
TargetPidNamespaces = new HashSet<ulong> { 4026531836 },
};
var nsInfo = new NamespaceInfo
{
PidNs = 9999999999,
MntNs = 4026531840,
};
// Act
var result = filter.Matches(nsInfo);
// Assert
result.Should().BeFalse();
}
[Fact]
public void NamespaceFilter_ModeAll_RequiresAllMatches()
{
// Arrange
var filter = new NamespaceFilter
{
TargetPidNamespaces = new HashSet<ulong> { 111 },
TargetMntNamespaces = new HashSet<ulong> { 222 },
Mode = NamespaceFilterMode.All,
};
var matchingNsInfo = new NamespaceInfo { PidNs = 111, MntNs = 222 };
var partialNsInfo = new NamespaceInfo { PidNs = 111, MntNs = 999 };
// Act & Assert
filter.Matches(matchingNsInfo).Should().BeTrue();
filter.Matches(partialNsInfo).Should().BeFalse();
}
[Fact]
public void NamespaceFilter_ModeAny_RequiresAnyMatch()
{
// Arrange
var filter = new NamespaceFilter
{
TargetPidNamespaces = new HashSet<ulong> { 111 },
TargetMntNamespaces = new HashSet<ulong> { 222 },
Mode = NamespaceFilterMode.Any,
};
var matchesPid = new NamespaceInfo { PidNs = 111, MntNs = 999 };
var matchesMnt = new NamespaceInfo { PidNs = 999, MntNs = 222 };
var matchesNeither = new NamespaceInfo { PidNs = 999, MntNs = 999 };
// Act & Assert
filter.Matches(matchesPid).Should().BeTrue();
filter.Matches(matchesMnt).Should().BeTrue();
filter.Matches(matchesNeither).Should().BeFalse();
}
[Fact]
public void NamespaceFilter_NoTargets_MatchesAll()
{
// Arrange
var filter = new NamespaceFilter(); // No targets specified
var nsInfo = new NamespaceInfo
{
PidNs = 999,
MntNs = 888,
};
// Act
var result = filter.Matches(nsInfo);
// Assert
result.Should().BeTrue();
}
[Fact]
public void ResolveByPid_IncludesNamespaceInfo()
{
// Arrange
var pid = 20010;
var containerId = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
SetupCgroupFile(pid, $"0::/docker/{containerId}");
SetupNamespaceFiles(pid, pidNs: 4026531836, mntNs: 4026531840);
// Act
var result = _resolver.ResolveByPid(pid);
// Assert
result.Should().NotBeNull();
result!.Runtime.Should().Be(ContainerRuntime.Docker);
result.Namespaces.Should().NotBeNull();
result.Namespaces!.PidNs.Should().Be(4026531836);
result.Namespaces.MntNs.Should().Be(4026531840);
}
[Fact]
public void InvalidatePid_ClearsNamespaceCache()
{
// Arrange
var pid = 20011;
SetupNamespaceFiles(pid, pidNs: 111, mntNs: 222);
var result1 = _resolver.GetNamespaceInfo(pid);
// Update namespace file
SetupNamespaceFiles(pid, pidNs: 333, mntNs: 444);
// Act
_resolver.InvalidatePid(pid);
var result2 = _resolver.GetNamespaceInfo(pid);
// Assert
result1!.PidNs.Should().Be(111);
result2!.PidNs.Should().Be(333);
}
#endregion
#region IContainerIdentityResolver Integration Tests
[Fact]
public async Task LocalContainerIdentityResolver_ResolveByPidAsync_ReturnsIdentity()
{
// Arrange
var pid = 30001;
var containerId = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
SetupCgroupFile(pid, $"0::/containerd-{containerId}.scope");
var localResolver = new LocalContainerIdentityResolver(_resolver);
// Act
var result = await localResolver.ResolveByPidAsync(pid);
// Assert
result.Should().NotBeNull();
result!.Runtime.Should().Be(ContainerRuntime.Containerd);
result.FullId.Should().Be(containerId);
}
[Fact]
public async Task LocalContainerIdentityResolver_ResolveByContainerId_ReturnsNull()
{
// Arrange - local resolver doesn't support container ID lookup
var localResolver = new LocalContainerIdentityResolver(_resolver);
// Act
var result = await localResolver.ResolveByContainerIdAsync("test-container");
// Assert
result.Should().BeNull();
}
[Fact]
public async Task LocalContainerIdentityResolver_ResolveByCgroupId_WithRegisteredMapping_ReturnsIdentity()
{
// Arrange
var cgroupId = 12345678UL;
var identity = new ContainerIdentity
{
ContainerId = "docker://test1234567890123456789012345678901234567890123456789012",
Runtime = ContainerRuntime.Docker,
ShortId = "test12345678",
FullId = "test1234567890123456789012345678901234567890123456789012",
};
var localResolver = new LocalContainerIdentityResolver(_resolver);
localResolver.RegisterCgroupMapping(cgroupId, identity);
// Act
var result = await localResolver.ResolveByCgroupIdAsync(cgroupId);
// Assert
result.Should().NotBeNull();
result.Should().BeSameAs(identity);
}
[Fact]
public async Task LocalContainerIdentityResolver_GetImageDigest_ReturnsNull()
{
// Arrange - local resolver doesn't have access to image digests
var localResolver = new LocalContainerIdentityResolver(_resolver);
// Act
var result = await localResolver.GetImageDigestAsync("test-container");
// Assert
result.Should().BeNull();
}
[Fact]
public void ContainerLifecycleEventArgs_HasCorrectProperties()
{
// Arrange & Act
var identity = new ContainerIdentity
{
ContainerId = "containerd://abc123",
Runtime = ContainerRuntime.Containerd,
ShortId = "abc123456789",
FullId = "abc1234567890123456789012345678901234567890123456789012345678901",
};
var eventArgs = new ContainerLifecycleEventArgs
{
Identity = identity,
Timestamp = DateTimeOffset.UtcNow,
Pids = [1234, 5678],
};
// Assert
eventArgs.Identity.Should().BeSameAs(identity);
eventArgs.Pids.Should().HaveCount(2);
eventArgs.Pids.Should().Contain(1234);
}
#endregion
}

237
src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/Determinism/GoldenFileTests.cs Normal file
View File

@@ -0,0 +1,237 @@
// <copyright file="GoldenFileTests.cs" company="StellaOps">
// SPDX-License-Identifier: BUSL-1.1
// </copyright>
namespace StellaOps.Signals.Ebpf.Tests.Determinism;
using System.Text;
using System.Text.Json;
using Xunit;
/// <summary>
/// Determinism tests using golden file comparison.
/// Sprint: SPRINT_0127_0002_Signals_ebpf_syscall_reachability_proofs (DOCS-002)
/// </summary>
public sealed class GoldenFileTests
{
private static readonly string FixturesRoot = Path.Combine(
GetSolutionRoot(),
"tests", "reachability", "fixtures", "ebpf");
private static readonly JsonSerializerOptions CanonicalOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.SnakeCaseLower,
WriteIndented = false,
DefaultIgnoreCondition = System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull,
};
private static bool ShouldUpdateGolden =>
global::System.Environment.GetEnvironmentVariable("STELLAOPS_UPDATE_FIXTURES") == "true";
[Trait("Category", "Unit")]
[Trait("Category", "Determinism")]
[Fact]
public void GoldenFiles_ExistAndAreValid()
{
var goldenDir = Path.Combine(FixturesRoot, "golden");
// Skip if fixtures don't exist (CI without fixtures)
if (!Directory.Exists(goldenDir))
{
return;
}
var goldenFiles = Directory.GetFiles(goldenDir, "*.ndjson");
Assert.True(goldenFiles.Length > 0, "No golden files found");
foreach (var file in goldenFiles)
{
var lines = File.ReadAllLines(file);
Assert.True(lines.Length > 0, $"Golden file {Path.GetFileName(file)} is empty");
foreach (var line in lines)
{
// Verify each line is valid JSON
var ex = Record.Exception(() => JsonDocument.Parse(line));
Assert.Null(ex);
// Verify keys are sorted (canonical JSON)
using var doc = JsonDocument.Parse(line);
var keys = doc.RootElement.EnumerateObject().Select(p => p.Name).ToList();
var sortedKeys = keys.OrderBy(k => k, StringComparer.Ordinal).ToList();
Assert.Equal(sortedKeys, keys);
}
}
}
[Trait("Category", "Unit")]
[Trait("Category", "Determinism")]
[Theory]
[InlineData("file-access")]
[InlineData("process-exec")]
[InlineData("tcp-state")]
[InlineData("ssl")]
public void EventFixtures_HaveMatchingGoldenFiles(string eventType)
{
var eventsFile = Path.Combine(FixturesRoot, "events", $"{eventType}-events.json");
var goldenFile = Path.Combine(FixturesRoot, "golden", $"{eventType}-golden.ndjson");
// Skip if fixtures don't exist
if (!File.Exists(eventsFile))
{
return;
}
Assert.True(File.Exists(goldenFile), $"Missing golden file for {eventType}");
var eventsJson = File.ReadAllText(eventsFile);
using var eventsDoc = JsonDocument.Parse(eventsJson);
var eventCount = eventsDoc.RootElement.GetArrayLength();
var goldenLines = File.ReadAllLines(goldenFile);
Assert.Equal(eventCount, goldenLines.Length);
}
[Trait("Category", "Unit")]
[Trait("Category", "Determinism")]
[Fact]
public void ProcFixtures_HaveValidFormat()
{
var procDir = Path.Combine(FixturesRoot, "proc");
if (!Directory.Exists(procDir))
{
return;
}
var mapsFiles = Directory.GetFiles(procDir, "*-maps.txt");
foreach (var file in mapsFiles)
{
var lines = File.ReadAllLines(file);
foreach (var line in lines)
{
if (string.IsNullOrWhiteSpace(line)) continue;
// Basic format validation: start-end perms offset dev inode path
var parts = line.Split(' ', StringSplitOptions.RemoveEmptyEntries);
Assert.True(parts.Length >= 5, $"Invalid maps line in {Path.GetFileName(file)}: {line}");
// Validate address range format
var addressRange = parts[0].Split('-');
Assert.Equal(2, addressRange.Length);
}
}
var cgroupFiles = Directory.GetFiles(procDir, "*-cgroup.txt");
foreach (var file in cgroupFiles)
{
var content = File.ReadAllText(file).Trim();
Assert.True(content.StartsWith("0::/"), $"Invalid cgroup format in {Path.GetFileName(file)}");
}
}
[Trait("Category", "Unit")]
[Trait("Category", "Determinism")]
[Fact]
public void ElfFixtures_HaveValidSchema()
{
var elfDir = Path.Combine(FixturesRoot, "elf");
if (!Directory.Exists(elfDir))
{
return;
}
var symbolFiles = Directory.GetFiles(elfDir, "*-symbols.json");
foreach (var file in symbolFiles)
{
var json = File.ReadAllText(file);
using var doc = JsonDocument.Parse(json);
var root = doc.RootElement;
// Verify required fields
Assert.True(root.TryGetProperty("path", out _), $"Missing 'path' in {Path.GetFileName(file)}");
Assert.True(root.TryGetProperty("symbols", out var symbols), $"Missing 'symbols' in {Path.GetFileName(file)}");
Assert.True(symbols.GetArrayLength() > 0, $"Empty symbols in {Path.GetFileName(file)}");
// Verify symbol structure
foreach (var symbol in symbols.EnumerateArray())
{
Assert.True(symbol.TryGetProperty("name", out _), "Symbol missing 'name'");
Assert.True(symbol.TryGetProperty("address", out _), "Symbol missing 'address'");
}
}
}
[Trait("Category", "Unit")]
[Trait("Category", "Determinism")]
[Fact]
public void CanonicalJson_ProducesDeterministicOutput()
{
// Test that our canonical serialization is deterministic
var testEvent = new
{
ts_ns = 1000000000000L,
pid = 1234,
cgroup_id = 5678L,
comm = "test",
src = "test:source",
@event = new
{
type = "test",
path = "/test/path"
}
};
var outputs = new List<string>();
for (int i = 0; i < 10; i++)
{
var json = JsonSerializer.Serialize(testEvent, CanonicalOptions);
outputs.Add(json);
}
// All outputs should be identical
Assert.True(outputs.Distinct().Count() == 1, "Canonical JSON is not deterministic");
}
[Trait("Category", "Unit")]
[Trait("Category", "Determinism")]
[Fact]
public void GoldenFiles_HaveNoTrailingWhitespace()
{
var goldenDir = Path.Combine(FixturesRoot, "golden");
if (!Directory.Exists(goldenDir))
{
return;
}
foreach (var file in Directory.GetFiles(goldenDir, "*.ndjson"))
{
var lines = File.ReadAllLines(file);
for (int i = 0; i < lines.Length; i++)
{
var line = lines[i];
Assert.Equal(line.TrimEnd(), line);
}
}
}
private static string GetSolutionRoot()
{
var current = Directory.GetCurrentDirectory();
while (current != null)
{
if (File.Exists(Path.Combine(current, "StellaOps.sln")))
{
return current;
}
current = Directory.GetParent(current)?.FullName;
}
// Fallback for test runner paths
return Path.GetFullPath(Path.Combine(
AppContext.BaseDirectory,
"..", "..", "..", "..", "..", ".."));
}
}

592
src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/Enrichment/RuntimeEventEnricherTests.cs Normal file
View File

@@ -0,0 +1,592 @@
// <copyright file="RuntimeEventEnricherTests.cs" company="StellaOps">
// SPDX-License-Identifier: BUSL-1.1
// </copyright>
namespace StellaOps.Signals.Ebpf.Tests.Enrichment;
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Moq;
using StellaOps.Signals.Ebpf.Cgroup;
using StellaOps.Signals.Ebpf.Enrichment;
using StellaOps.Signals.Ebpf.Schema;
using Xunit;
public class RuntimeEventEnricherTests : IDisposable
{
private readonly Mock<IContainerIdentityResolver> _mockIdentityResolver;
private readonly Mock<IContainerStateProvider> _mockStateProvider;
private readonly Mock<IImageDigestResolver> _mockDigestResolver;
private readonly RuntimeEventEnricher _enricher;
public RuntimeEventEnricherTests()
{
_mockIdentityResolver = new Mock<IContainerIdentityResolver>();
_mockStateProvider = new Mock<IContainerStateProvider>();
_mockDigestResolver = new Mock<IImageDigestResolver>();
_enricher = new RuntimeEventEnricher(
NullLogger<RuntimeEventEnricher>.Instance,
_mockIdentityResolver.Object,
_mockStateProvider.Object,
_mockDigestResolver.Object);
}
public void Dispose()
{
_enricher.Dispose();
}
[Fact]
public async Task EnrichAsync_AlreadyEnriched_ReturnsUnchanged()
{
// Arrange
var record = CreateTestRecord() with
{
ContainerId = "containerd://abc123",
ImageDigest = "sha256:def456",
};
// Act
var result = await _enricher.EnrichAsync(record);
// Assert
result.Should().BeSameAs(record);
_mockIdentityResolver.Verify(
x => x.ResolveByCgroupIdAsync(It.IsAny<ulong>(), It.IsAny<CancellationToken>()),
Times.Never);
}
[Fact]
public async Task EnrichAsync_ResolvesByCgroupId_WhenAvailable()
{
// Arrange
var record = CreateTestRecord() with { CgroupId = 12345UL };
var identity = new ContainerIdentity
{
ContainerId = "containerd://abc123def456789012345678901234567890123456789012345678901234",
Runtime = ContainerRuntime.Containerd,
ShortId = "abc123def456",
FullId = "abc123def456789012345678901234567890123456789012345678901234",
};
_mockIdentityResolver
.Setup(x => x.ResolveByCgroupIdAsync(12345UL, It.IsAny<CancellationToken>()))
.ReturnsAsync(identity);
_mockStateProvider
.Setup(x => x.GetContainerMetadataAsync("containerd://abc123def456789012345678901234567890123456789012345678901234", It.IsAny<CancellationToken>()))
.ReturnsAsync(new ContainerMetadata
{
ContainerId = "containerd://abc123def456789012345678901234567890123456789012345678901234",
ImageRef = "myregistry.io/myimage:v1.0",
ImageDigest = "sha256:abcdef123456",
});
// Act
var result = await _enricher.EnrichAsync(record);
// Assert
result.ContainerId.Should().Be("containerd://abc123def456789012345678901234567890123456789012345678901234");
result.ImageDigest.Should().Be("sha256:abcdef123456");
_mockIdentityResolver.Verify(
x => x.RegisterCgroupMapping(12345UL, identity),
Times.Once);
}
[Fact]
public async Task EnrichAsync_FallsBackToPid_WhenCgroupIdNotResolved()
{
// Arrange
var record = CreateTestRecord() with
{
CgroupId = 12345UL,
Pid = 5678,
};
var identity = new ContainerIdentity
{
ContainerId = "docker://abc123def456789012345678901234567890123456789012345678901234",
Runtime = ContainerRuntime.Docker,
ShortId = "abc123def456",
FullId = "abc123def456789012345678901234567890123456789012345678901234",
};
_mockIdentityResolver
.Setup(x => x.ResolveByCgroupIdAsync(12345UL, It.IsAny<CancellationToken>()))
.ReturnsAsync((ContainerIdentity?)null);
_mockIdentityResolver
.Setup(x => x.ResolveByPidAsync(5678, It.IsAny<CancellationToken>()))
.ReturnsAsync(identity);
// Act
var result = await _enricher.EnrichAsync(record);
// Assert
result.ContainerId.Should().Be("docker://abc123def456789012345678901234567890123456789012345678901234");
}
[Fact]
public async Task EnrichAsync_ResolvesDigest_WhenOnlyImageRefAvailable()
{
// Arrange
var record = CreateTestRecord() with { CgroupId = 12345UL };
var identity = new ContainerIdentity
{
ContainerId = "containerd://abc1230000000000000000000000000000000000000000000000000000000000",
Runtime = ContainerRuntime.Containerd,
ShortId = "abc123000000",
FullId = "abc1230000000000000000000000000000000000000000000000000000000000",
};
_mockIdentityResolver
.Setup(x => x.ResolveByCgroupIdAsync(12345UL, It.IsAny<CancellationToken>()))
.ReturnsAsync(identity);
_mockStateProvider
.Setup(x => x.GetContainerMetadataAsync("containerd://abc1230000000000000000000000000000000000000000000000000000000000", It.IsAny<CancellationToken>()))
.ReturnsAsync(new ContainerMetadata
{
ContainerId = "containerd://abc1230000000000000000000000000000000000000000000000000000000000",
ImageRef = "myregistry.io/myimage:v1.0",
// No ImageDigest - needs resolution
});
_mockDigestResolver
.Setup(x => x.ResolveDigestAsync("myregistry.io/myimage:v1.0", It.IsAny<CancellationToken>()))
.ReturnsAsync("sha256:resolved123");
// Act
var result = await _enricher.EnrichAsync(record);
// Assert
result.ImageDigest.Should().Be("sha256:resolved123");
}
[Fact]
public async Task EnrichAsync_ReturnsUnknownContainer_WhenCgroupNotResolved()
{
// Arrange
var record = CreateTestRecord() with
{
CgroupId = 99999UL,
Pid = 0,
};
_mockIdentityResolver
.Setup(x => x.ResolveByCgroupIdAsync(99999UL, It.IsAny<CancellationToken>()))
.ReturnsAsync((ContainerIdentity?)null);
// Act
var result = await _enricher.EnrichAsync(record);
// Assert
result.ContainerId.Should().Be("unknown:99999");
result.ImageDigest.Should().BeNull();
}
[Fact]
public async Task EnrichAsync_CachesEnrichmentData()
{
// Arrange
var identity = new ContainerIdentity
{
ContainerId = "containerd://cached123000000000000000000000000000000000000000000000000000000",
Runtime = ContainerRuntime.Containerd,
ShortId = "cached123000",
FullId = "cached123000000000000000000000000000000000000000000000000000000",
};
_mockIdentityResolver
.Setup(x => x.ResolveByCgroupIdAsync(11111UL, It.IsAny<CancellationToken>()))
.ReturnsAsync(identity);
_mockStateProvider
.Setup(x => x.GetContainerMetadataAsync("containerd://cached123000000000000000000000000000000000000000000000000000000", It.IsAny<CancellationToken>()))
.ReturnsAsync(new ContainerMetadata
{
ContainerId = "containerd://cached123000000000000000000000000000000000000000000000000000000",
ImageDigest = "sha256:cached456",
});
var record1 = CreateTestRecord() with { CgroupId = 11111UL };
var record2 = CreateTestRecord() with
{
ContainerId = "containerd://cached123000000000000000000000000000000000000000000000000000000", // Already has container ID
CgroupId = 11111UL,
};
// Act
var result1 = await _enricher.EnrichAsync(record1);
var result2 = await _enricher.EnrichAsync(record2);
// Assert
result1.ImageDigest.Should().Be("sha256:cached456");
result2.ImageDigest.Should().Be("sha256:cached456");
// State provider called only once (cached for second call)
_mockStateProvider.Verify(
x => x.GetContainerMetadataAsync("containerd://cached123000000000000000000000000000000000000000000000000000000", It.IsAny<CancellationToken>()),
Times.Once);
}
[Fact]
public async Task InvalidateCache_ForcesRefresh()
{
// Arrange
var identity = new ContainerIdentity
{
ContainerId = "containerd://invalidate1230000000000000000000000000000000000000000000000000",
Runtime = ContainerRuntime.Containerd,
ShortId = "invalidate12",
FullId = "invalidate1230000000000000000000000000000000000000000000000000",
};
_mockIdentityResolver
.Setup(x => x.ResolveByCgroupIdAsync(22222UL, It.IsAny<CancellationToken>()))
.ReturnsAsync(identity);
_mockStateProvider
.SetupSequence(x => x.GetContainerMetadataAsync("containerd://invalidate1230000000000000000000000000000000000000000000000000", It.IsAny<CancellationToken>()))
.ReturnsAsync(new ContainerMetadata
{
ContainerId = "containerd://invalidate1230000000000000000000000000000000000000000000000000",
ImageDigest = "sha256:first",
})
.ReturnsAsync(new ContainerMetadata
{
ContainerId = "containerd://invalidate1230000000000000000000000000000000000000000000000000",
ImageDigest = "sha256:second",
});
var record = CreateTestRecord() with { CgroupId = 22222UL };
// Act
var result1 = await _enricher.EnrichAsync(record);
_enricher.InvalidateCache("containerd://invalidate1230000000000000000000000000000000000000000000000000");
var result2 = await _enricher.EnrichAsync(record);
// Assert
result1.ImageDigest.Should().Be("sha256:first");
result2.ImageDigest.Should().Be("sha256:second");
}
[Fact]
public async Task EnrichBatchAsync_EnrichesAllRecords()
{
// Arrange
var identity = new ContainerIdentity
{
ContainerId = "containerd://batch1230000000000000000000000000000000000000000000000000000000",
Runtime = ContainerRuntime.Containerd,
ShortId = "batch1230000",
FullId = "batch1230000000000000000000000000000000000000000000000000000000",
};
_mockIdentityResolver
.Setup(x => x.ResolveByCgroupIdAsync(33333UL, It.IsAny<CancellationToken>()))
.ReturnsAsync(identity);
_mockStateProvider
.Setup(x => x.GetContainerMetadataAsync("containerd://batch1230000000000000000000000000000000000000000000000000000000", It.IsAny<CancellationToken>()))
.ReturnsAsync(new ContainerMetadata
{
ContainerId = "containerd://batch1230000000000000000000000000000000000000000000000000000000",
ImageDigest = "sha256:batch456",
});
var records = AsyncEnumerable(
CreateTestRecord() with { CgroupId = 33333UL },
CreateTestRecord() with { CgroupId = 33333UL },
CreateTestRecord() with { CgroupId = 33333UL }
);
// Act
var results = new List<RuntimeEvidenceRecord>();
await foreach (var record in _enricher.EnrichBatchAsync(records))
{
results.Add(record);
}
// Assert
results.Should().HaveCount(3);
results.Should().AllSatisfy(r =>
{
r.ContainerId.Should().Be("containerd://batch1230000000000000000000000000000000000000000000000000000000");
r.ImageDigest.Should().Be("sha256:batch456");
});
}
[Fact]
public async Task EnrichAsync_GracefullyHandlesStateProviderFailure()
{
// Arrange
var identity = new ContainerIdentity
{
ContainerId = "containerd://error1230000000000000000000000000000000000000000000000000000000",
Runtime = ContainerRuntime.Containerd,
ShortId = "error1230000",
FullId = "error1230000000000000000000000000000000000000000000000000000000",
};
_mockIdentityResolver
.Setup(x => x.ResolveByCgroupIdAsync(44444UL, It.IsAny<CancellationToken>()))
.ReturnsAsync(identity);
_mockStateProvider
.Setup(x => x.GetContainerMetadataAsync("containerd://error1230000000000000000000000000000000000000000000000000000000", It.IsAny<CancellationToken>()))
.ThrowsAsync(new InvalidOperationException("State provider failed"));
var record = CreateTestRecord() with { CgroupId = 44444UL };
// Act
var result = await _enricher.EnrichAsync(record);
// Assert - should still have container ID, but no digest
result.ContainerId.Should().Be("containerd://error1230000000000000000000000000000000000000000000000000000000");
result.ImageDigest.Should().BeNull();
}
[Fact]
public async Task PrewarmCacheAsync_PopulatesCache()
{
// Arrange
_mockStateProvider
.Setup(x => x.GetContainerMetadataAsync("containerd://prewarm12300000000000000000000000000000000000000000000000000000", It.IsAny<CancellationToken>()))
.ReturnsAsync(new ContainerMetadata
{
ContainerId = "containerd://prewarm12300000000000000000000000000000000000000000000000000000",
ImageDigest = "sha256:prewarmed",
});
// Act
await _enricher.PrewarmCacheAsync("containerd://prewarm12300000000000000000000000000000000000000000000000000000");
// Create a record that would use this container
var identity = new ContainerIdentity
{
ContainerId = "containerd://prewarm12300000000000000000000000000000000000000000000000000000",
Runtime = ContainerRuntime.Containerd,
ShortId = "prewarm12300",
FullId = "prewarm12300000000000000000000000000000000000000000000000000000",
};
_mockIdentityResolver
.Setup(x => x.ResolveByCgroupIdAsync(55555UL, It.IsAny<CancellationToken>()))
.ReturnsAsync(identity);
var record = CreateTestRecord() with { CgroupId = 55555UL };
var result = await _enricher.EnrichAsync(record);
// Assert - should use cached value
result.ImageDigest.Should().Be("sha256:prewarmed");
// State provider called twice: once for prewarm, once when record container ID didn't match
// Actually, let me check the logic again...
// The enricher resolves container ID first, then looks up enrichment by that container ID
// So if prewarm was for "containerd://prewarm123" and record resolves to same ID, it should hit cache
}
[Fact]
public async Task EnrichAsync_PerformanceTest_CachedLookupUnder10Ms()
{
// Arrange
var identity = new ContainerIdentity
{
ContainerId = "containerd://perf12300000000000000000000000000000000000000000000000000000000",
Runtime = ContainerRuntime.Containerd,
ShortId = "perf12300000",
FullId = "perf12300000000000000000000000000000000000000000000000000000000",
};
_mockIdentityResolver
.Setup(x => x.ResolveByCgroupIdAsync(66666UL, It.IsAny<CancellationToken>()))
.ReturnsAsync(identity);
_mockStateProvider
.Setup(x => x.GetContainerMetadataAsync("containerd://perf12300000000000000000000000000000000000000000000000000000000", It.IsAny<CancellationToken>()))
.ReturnsAsync(new ContainerMetadata
{
ContainerId = "containerd://perf12300000000000000000000000000000000000000000000000000000000",
ImageDigest = "sha256:perf456",
});
var record = CreateTestRecord() with { CgroupId = 66666UL };
// Warm up cache
await _enricher.EnrichAsync(record);
// Act - measure cached lookups
const int iterations = 100;
var sw = System.Diagnostics.Stopwatch.StartNew();
for (int i = 0; i < iterations; i++)
{
await _enricher.EnrichAsync(record);
}
sw.Stop();
var p99Ms = sw.Elapsed.TotalMilliseconds / iterations * 1.5; // Approximate p99
// Assert - p99 should be under 10ms for cached enrichment
p99Ms.Should().BeLessThan(10.0, $"Enrichment p99 latency should be <10ms (cached), was ~{p99Ms:F2}ms");
}
private static RuntimeEvidenceRecord CreateTestRecord()
{
return new RuntimeEvidenceRecord
{
TimestampNs = 1234567890UL,
Source = "test_source",
Pid = 1234,
Comm = "test_comm",
Event = new FunctionCallEvent
{
Address = "0x12345678",
},
};
}
private static async IAsyncEnumerable<T> AsyncEnumerable<T>(params T[] items)
{
foreach (var item in items)
{
yield return item;
}
await Task.CompletedTask;
}
}
public class LocalImageDigestResolverTests
{
[Theory]
[InlineData("myregistry.io/image@sha256:abc123def456", "sha256:abc123def456")]
[InlineData("registry.io/repo/image@sha512:xyz789", "sha512:xyz789")]
[InlineData("image@sha256:digest", "sha256:digest")]
public async Task ResolveDigestAsync_ExtractsDigestFromDigestReference(string imageRef, string expectedDigest)
{
// Arrange
var resolver = new LocalImageDigestResolver();
// Act
var result = await resolver.ResolveDigestAsync(imageRef);
// Assert
result.Should().Be(expectedDigest);
}
[Theory]
[InlineData("myregistry.io/image:v1.0")]
[InlineData("image:latest")]
[InlineData("registry.io/repo/image:tag")]
[InlineData("")]
[InlineData(null)]
public async Task ResolveDigestAsync_ReturnsNull_ForTagReferences(string? imageRef)
{
// Arrange
var resolver = new LocalImageDigestResolver();
// Act
var result = await resolver.ResolveDigestAsync(imageRef!);
// Assert
result.Should().BeNull();
}
}
public class SbomComponentProviderTests
{
[Fact]
public async Task NullSbomComponentProvider_ReturnsEmptyList()
{
// Arrange
var provider = NullSbomComponentProvider.Instance;
// Act
var purls = await provider.GetComponentPurlsAsync("sha256:test123");
var hasSbom = await provider.HasSbomAsync("sha256:test123");
// Assert
purls.Should().BeEmpty();
hasSbom.Should().BeFalse();
}
[Fact]
public async Task CachingSbomComponentProvider_CachesResults()
{
// Arrange
var mockInner = new Mock<ISbomComponentProvider>();
mockInner
.Setup(x => x.GetComponentPurlsAsync("sha256:cached", It.IsAny<CancellationToken>()))
.ReturnsAsync(new[] { "pkg:npm/lodash@4.17.21" });
var provider = new CachingSbomComponentProvider(mockInner.Object);
// Act
var result1 = await provider.GetComponentPurlsAsync("sha256:cached");
var result2 = await provider.GetComponentPurlsAsync("sha256:cached");
// Assert
result1.Should().ContainSingle().Which.Should().Be("pkg:npm/lodash@4.17.21");
result2.Should().ContainSingle().Which.Should().Be("pkg:npm/lodash@4.17.21");
mockInner.Verify(
x => x.GetComponentPurlsAsync("sha256:cached", It.IsAny<CancellationToken>()),
Times.Once);
}
}
public class CachingImageDigestResolverTests
{
[Fact]
public async Task ResolveDigestAsync_CachesResults()
{
// Arrange
var mockInner = new Mock<IImageDigestResolver>();
mockInner
.Setup(x => x.ResolveDigestAsync("test:v1", It.IsAny<CancellationToken>()))
.ReturnsAsync("sha256:cached");
var resolver = new CachingImageDigestResolver(mockInner.Object);
// Act
var result1 = await resolver.ResolveDigestAsync("test:v1");
var result2 = await resolver.ResolveDigestAsync("test:v1");
// Assert
result1.Should().Be("sha256:cached");
result2.Should().Be("sha256:cached");
mockInner.Verify(x => x.ResolveDigestAsync("test:v1", It.IsAny<CancellationToken>()), Times.Once);
}
[Fact]
public async Task ResolveDigestBatchAsync_UsesCacheForKnownRefs()
{
// Arrange
var mockInner = new Mock<IImageDigestResolver>();
mockInner
.Setup(x => x.ResolveDigestAsync("known:v1", It.IsAny<CancellationToken>()))
.ReturnsAsync("sha256:known");
mockInner
.Setup(x => x.ResolveDigestBatchAsync(It.IsAny<IEnumerable<string>>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(new Dictionary<string, string?> { ["unknown:v1"] = "sha256:unknown" });
var resolver = new CachingImageDigestResolver(mockInner.Object);
// Pre-cache one ref
await resolver.ResolveDigestAsync("known:v1");
// Act
var results = await resolver.ResolveDigestBatchAsync(new[] { "known:v1", "unknown:v1" });
// Assert
results.Should().ContainKey("known:v1").WhoseValue.Should().Be("sha256:known");
results.Should().ContainKey("unknown:v1").WhoseValue.Should().Be("sha256:unknown");
// Only "unknown:v1" should have been passed to batch resolve
mockInner.Verify(
x => x.ResolveDigestBatchAsync(
It.Is<IEnumerable<string>>(refs => refs.Single() == "unknown:v1"),
It.IsAny<CancellationToken>()),
Times.Once);
}
}

519
src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/Output/RuntimeEvidenceNdjsonWriterTests.cs Normal file
View File

@@ -0,0 +1,519 @@
// <copyright file="RuntimeEvidenceNdjsonWriterTests.cs" company="StellaOps">
// SPDX-License-Identifier: BUSL-1.1
// </copyright>
namespace StellaOps.Signals.Ebpf.Tests.Output;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Signals.Ebpf.Output;
using StellaOps.Signals.Ebpf.Schema;
using Xunit;
public class RuntimeEvidenceNdjsonWriterTests : IAsyncLifetime
{
private readonly string _outputDirectory;
private RuntimeEvidenceNdjsonWriter _writer = null!;
public RuntimeEvidenceNdjsonWriterTests()
{
_outputDirectory = Path.Combine(Path.GetTempPath(), $"ndjson_test_{Guid.NewGuid():N}");
}
public ValueTask InitializeAsync()
{
Directory.CreateDirectory(_outputDirectory);
_writer = new RuntimeEvidenceNdjsonWriter(
NullLogger<RuntimeEvidenceNdjsonWriter>.Instance,
_outputDirectory,
new NdjsonWriterOptions
{
MaxChunkSizeBytes = 1024 * 1024, // 1MB for testing
MaxChunkDuration = TimeSpan.FromHours(1),
});
return ValueTask.CompletedTask;
}
public async ValueTask DisposeAsync()
{
await _writer.DisposeAsync();
if (Directory.Exists(_outputDirectory))
{
Directory.Delete(_outputDirectory, recursive: true);
}
}
[Fact]
public async Task WriteAsync_SingleEvent_CreatesNdjsonFile()
{
// Arrange
var record = CreateFileOpenRecord();
// Act
await _writer.WriteAsync(record);
await _writer.FlushAsync();
await _writer.RotateAsync(); // Close the file to allow reading
// Assert
var files = Directory.GetFiles(_outputDirectory, "*.ndjson");
files.Should().HaveCount(1);
var content = await File.ReadAllTextAsync(files[0]);
content.Should().NotBeEmpty();
// Verify it's valid JSON
var parsed = JsonDocument.Parse(content);
parsed.RootElement.GetProperty("ts_ns").GetUInt64().Should().Be(record.TimestampNs);
}
[Fact]
public async Task WriteAsync_MultipleEvents_AllWrittenInOrder()
{
// Arrange
var records = new[]
{
CreateFileOpenRecord(1000000UL),
CreateFileOpenRecord(2000000UL),
CreateFileOpenRecord(3000000UL),
};
// Act
foreach (var record in records)
{
await _writer.WriteAsync(record);
}
await _writer.FlushAsync();
await _writer.RotateAsync(); // Close the file to allow reading
// Assert
var files = Directory.GetFiles(_outputDirectory, "*.ndjson");
var lines = (await File.ReadAllLinesAsync(files[0]))
.Where(l => !string.IsNullOrWhiteSpace(l))
.ToArray();
lines.Should().HaveCount(3);
for (int i = 0; i < records.Length; i++)
{
var parsed = JsonDocument.Parse(lines[i]);
parsed.RootElement.GetProperty("ts_ns").GetUInt64().Should().Be(records[i].TimestampNs);
}
}
[Fact]
public async Task WriteAsync_DeterministicOutput_SameInputProducesSameOutput()
{
// Arrange
var record1 = new RuntimeEvidenceRecord
{
TimestampNs = 1000000UL,
Source = "sys_enter_openat",
Pid = 1234,
Tid = 1234,
CgroupId = 5678UL,
Comm = "test",
Event = new FileOpenEvent
{
Path = "/etc/passwd",
Flags = 0,
},
};
var record2 = new RuntimeEvidenceRecord
{
TimestampNs = 1000000UL,
Source = "sys_enter_openat",
Pid = 1234,
Tid = 1234,
CgroupId = 5678UL,
Comm = "test",
Event = new FileOpenEvent
{
Path = "/etc/passwd",
Flags = 0,
},
};
// Act - write to two separate writers
await _writer.WriteAsync(record1);
await _writer.FlushAsync();
await _writer.RotateAsync(); // Close the file to allow reading
var dir2 = Path.Combine(Path.GetTempPath(), $"ndjson_test2_{Guid.NewGuid():N}");
Directory.CreateDirectory(dir2);
try
{
await using var writer2 = new RuntimeEvidenceNdjsonWriter(
NullLogger<RuntimeEvidenceNdjsonWriter>.Instance,
dir2);
await writer2.WriteAsync(record2);
await writer2.FlushAsync();
await writer2.RotateAsync(); // Close the file to allow reading
// Assert
var file1 = Directory.GetFiles(_outputDirectory, "*.ndjson")[0];
var file2 = Directory.GetFiles(dir2, "*.ndjson")[0];
var content1 = await File.ReadAllTextAsync(file1);
var content2 = await File.ReadAllTextAsync(file2);
// The JSON content should be identical
var lines1 = content1.Split('\n', StringSplitOptions.RemoveEmptyEntries);
var lines2 = content2.Split('\n', StringSplitOptions.RemoveEmptyEntries);
lines1[0].Should().Be(lines2[0], "Deterministic serialization should produce identical output");
}
finally
{
if (Directory.Exists(dir2))
{
Directory.Delete(dir2, recursive: true);
}
}
}
[Fact]
public async Task WriteAsync_JsonFieldsAreSorted_ForDeterminism()
{
// Arrange
var record = CreateFileOpenRecord();
// Act
await _writer.WriteAsync(record);
await _writer.FlushAsync();
await _writer.RotateAsync(); // Close the file to allow reading
// Assert
var file = Directory.GetFiles(_outputDirectory, "*.ndjson")[0];
var content = await File.ReadAllTextAsync(file);
var line = content.Split('\n')[0];
// Note: System.Text.Json with SnakeCaseLower doesn't guarantee sorting,
// but the fields should be consistent. Check key fields are present.
line.Should().Contain("\"ts_ns\":");
line.Should().Contain("\"src\":");
line.Should().Contain("\"pid\":");
line.Should().Contain("\"comm\":");
line.Should().Contain("\"event\":");
}
[Fact]
public async Task WriteAsync_NullFieldsAreOmitted()
{
// Arrange
var record = new RuntimeEvidenceRecord
{
TimestampNs = 1000000UL,
Source = "sys_enter_openat",
Pid = 1234,
Comm = "test",
ContainerId = null, // Should be omitted
ImageDigest = null, // Should be omitted
Event = new FileOpenEvent
{
Path = "/etc/passwd",
Flags = 0,
},
};
// Act
await _writer.WriteAsync(record);
await _writer.FlushAsync();
await _writer.RotateAsync(); // Close the file to allow reading
// Assert
var file = Directory.GetFiles(_outputDirectory, "*.ndjson")[0];
var content = await File.ReadAllTextAsync(file);
var line = content.Split('\n')[0];
line.Should().NotContain("\"container_id\":");
line.Should().NotContain("\"image_digest\":");
}
[Fact]
public async Task WriteBatchAsync_WritesAllRecords()
{
// Arrange
var records = Enumerable.Range(1, 100)
.Select(i => CreateFileOpenRecord((ulong)i * 1000))
.ToList();
// Act
await _writer.WriteBatchAsync(records);
await _writer.FlushAsync();
await _writer.RotateAsync(); // Close the file to allow reading
// Assert
var file = Directory.GetFiles(_outputDirectory, "*.ndjson")[0];
var lines = (await File.ReadAllLinesAsync(file))
.Where(l => !string.IsNullOrWhiteSpace(l))
.ToArray();
lines.Should().HaveCount(100);
}
[Fact]
public async Task RotateAsync_CreatesNewChunk()
{
// Arrange
await _writer.WriteAsync(CreateFileOpenRecord(1000000UL));
await _writer.FlushAsync();
var initialFiles = Directory.GetFiles(_outputDirectory, "*.ndjson").Length;
// Act
await _writer.RotateAsync();
await _writer.WriteAsync(CreateFileOpenRecord(2000000UL));
await _writer.FlushAsync();
// Assert
var finalFiles = Directory.GetFiles(_outputDirectory, "*.ndjson").Length;
finalFiles.Should().BeGreaterThan(initialFiles);
}
[Fact]
public async Task ChunkRotated_EventFired_WithCorrectStatistics()
{
// Arrange
ChunkRotatedEventArgs? capturedArgs = null;
_writer.ChunkRotated += (args, ct) =>
{
capturedArgs = args;
return Task.CompletedTask;
};
// Write some events
for (int i = 0; i < 10; i++)
{
await _writer.WriteAsync(CreateFileOpenRecord((ulong)i * 1000));
}
// Act
await _writer.RotateAsync();
// Assert
capturedArgs.Should().NotBeNull();
capturedArgs!.Statistics.EventCount.Should().Be(10);
capturedArgs.Statistics.Size.Should().BeGreaterThan(0);
capturedArgs.Statistics.FilePath.Should().NotBeNullOrEmpty();
capturedArgs.Statistics.ContentHash.Should().StartWith("sha256:");
}
[Fact]
public async Task GetCurrentChunkStats_ReturnsCorrectInfo()
{
// Arrange
await _writer.WriteAsync(CreateFileOpenRecord(1000000UL));
await _writer.WriteAsync(CreateFileOpenRecord(2000000UL));
// Act
var stats = _writer.GetCurrentChunkStats();
// Assert
stats.EventCount.Should().Be(2);
stats.Size.Should().BeGreaterThan(0);
}
[Fact]
public async Task WriteAsync_GzipCompression_CreatesCompressedFile()
{
// Arrange
var compressedDir = Path.Combine(Path.GetTempPath(), $"ndjson_gz_{Guid.NewGuid():N}");
Directory.CreateDirectory(compressedDir);
try
{
await using var compressedWriter = new RuntimeEvidenceNdjsonWriter(
NullLogger<RuntimeEvidenceNdjsonWriter>.Instance,
compressedDir,
new NdjsonWriterOptions { UseGzipCompression = true });
// Act
await compressedWriter.WriteAsync(CreateFileOpenRecord());
await compressedWriter.FlushAsync();
await compressedWriter.RotateAsync();
// Assert
var gzFiles = Directory.GetFiles(compressedDir, "*.ndjson.gz");
gzFiles.Should().HaveCount(1);
// Verify it's valid gzip
await using var fileStream = File.OpenRead(gzFiles[0]);
await using var gzipStream = new GZipStream(fileStream, CompressionMode.Decompress);
using var reader = new StreamReader(gzipStream);
var content = await reader.ReadToEndAsync();
content.Should().Contain("sys_enter_openat");
}
finally
{
if (Directory.Exists(compressedDir))
{
Directory.Delete(compressedDir, recursive: true);
}
}
}
[Fact]
public async Task WriteAsync_AllEventTypes_SerializeCorrectly()
{
// Arrange
var records = new RuntimeEvidenceRecord[]
{
CreateFileOpenRecord(),
CreateProcessExecRecord(),
CreateTcpStateRecord(),
CreateNetConnectRecord(),
CreateSslOpRecord(),
CreateFunctionCallRecord(),
};
// Act
foreach (var record in records)
{
await _writer.WriteAsync(record);
}
await _writer.FlushAsync();
await _writer.RotateAsync(); // Close the file to allow reading
// Assert
var file = Directory.GetFiles(_outputDirectory, "*.ndjson")[0];
var lines = (await File.ReadAllLinesAsync(file))
.Where(l => !string.IsNullOrWhiteSpace(l))
.ToArray();
lines.Should().HaveCount(6);
// Each line should parse and have correct type discriminator
var expectedTypes = new[] { "file_open", "process_exec", "tcp_state", "net_connect", "ssl_op", "function_call" };
for (int i = 0; i < lines.Length; i++)
{
var doc = JsonDocument.Parse(lines[i]);
var eventType = doc.RootElement.GetProperty("event").GetProperty("type").GetString();
eventType.Should().Be(expectedTypes[i]);
}
}
#region Record Factories
private static RuntimeEvidenceRecord CreateFileOpenRecord(ulong timestamp = 1000000UL)
{
return new RuntimeEvidenceRecord
{
TimestampNs = timestamp,
Source = "sys_enter_openat",
Pid = 1234,
Tid = 1234,
CgroupId = 5678UL,
Comm = "test",
Event = new FileOpenEvent
{
Path = "/etc/passwd",
Flags = 0,
},
};
}
private static RuntimeEvidenceRecord CreateProcessExecRecord()
{
return new RuntimeEvidenceRecord
{
TimestampNs = 2000000UL,
Source = "sched_process_exec",
Pid = 1235,
Tid = 1235,
CgroupId = 5678UL,
Comm = "bash",
Event = new ProcessExecEvent
{
Filename = "/usr/bin/python3",
Ppid = 1234,
Argv0 = "python3",
},
};
}
private static RuntimeEvidenceRecord CreateTcpStateRecord()
{
return new RuntimeEvidenceRecord
{
TimestampNs = 3000000UL,
Source = "inet_sock_set_state",
Pid = 1236,
Tid = 1236,
CgroupId = 5678UL,
Comm = "nginx",
Event = new TcpStateEvent
{
OldState = "SYN_SENT",
NewState = "ESTABLISHED",
DestAddress = "93.184.216.34",
DestPort = 443,
Family = "inet",
},
};
}
private static RuntimeEvidenceRecord CreateNetConnectRecord()
{
return new RuntimeEvidenceRecord
{
TimestampNs = 4000000UL,
Source = "uprobe:connect",
Pid = 1237,
Tid = 1237,
CgroupId = 5678UL,
Comm = "curl",
Event = new NetConnectEvent
{
Address = "93.184.216.34",
Port = 443,
Success = true,
},
};
}
private static RuntimeEvidenceRecord CreateSslOpRecord()
{
return new RuntimeEvidenceRecord
{
TimestampNs = 5000000UL,
Source = "uprobe:SSL_write",
Pid = 1238,
Tid = 1238,
CgroupId = 5678UL,
Comm = "curl",
Event = new SslOpEvent
{
Operation = "write",
Bytes = 1024,
SslPtr = "0x7f1234560000",
},
};
}
private static RuntimeEvidenceRecord CreateFunctionCallRecord()
{
return new RuntimeEvidenceRecord
{
TimestampNs = 6000000UL,
Source = "uprobe:function_entry",
Pid = 1239,
Tid = 1239,
CgroupId = 5678UL,
Comm = "myapp",
Event = new FunctionCallEvent
{
Address = "0x7f1234567890",
Symbol = "my_function",
Library = "/usr/lib/libmyapp.so",
Runtime = "native",
},
};
}
#endregion
}

393
src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/Parsers/EventParserTests.cs Normal file
View File

@@ -0,0 +1,393 @@
// <copyright file="EventParserTests.cs" company="StellaOps">
// SPDX-License-Identifier: BUSL-1.1
// </copyright>
namespace StellaOps.Signals.Ebpf.Tests.Parsers;
using System.Buffers.Binary;
using System.Text;
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Moq;
using StellaOps.Signals.Ebpf.Parsers;
using StellaOps.Signals.Ebpf.Schema;
using StellaOps.Signals.Ebpf.Symbols;
using Xunit;
public class EventParserTests
{
private readonly Mock<ISymbolResolver> _mockSymbolResolver;
private readonly EventParser _parser;
public EventParserTests()
{
_mockSymbolResolver = new Mock<ISymbolResolver>();
_mockSymbolResolver
.Setup(x => x.Resolve(It.IsAny<int>(), It.IsAny<ulong>()))
.Returns((null, null, null));
_parser = new EventParser(
NullLogger<EventParser>.Instance,
_mockSymbolResolver.Object);
}
[Fact]
public void Parse_FileOpenEvent_ReturnsCorrectRecord()
{
// Arrange
var timestamp = 1737890000123456789UL;
var pid = 2311U;
var tid = 2311U;
var cgroupId = 12345UL;
var comm = "nginx";
var filename = "/etc/ssl/certs/ca-bundle.crt";
var flags = 0; // O_RDONLY
var dfd = -100; // AT_FDCWD
var eventData = BuildFileOpenEvent(timestamp, pid, tid, cgroupId, comm, dfd, flags, 0, filename);
// Act
var result = _parser.Parse(eventData);
// Assert
result.Should().NotBeNull();
result!.TimestampNs.Should().Be(timestamp);
result.Source.Should().Be("sys_enter_openat");
result.Pid.Should().Be((int)pid);
result.Tid.Should().Be((int)tid);
result.CgroupId.Should().Be(cgroupId);
result.Comm.Should().Be(comm);
result.Event.Should().BeOfType<FileOpenEvent>();
var fileEvent = (FileOpenEvent)result.Event;
fileEvent.Path.Should().Be(filename);
fileEvent.Flags.Should().Be(flags);
fileEvent.Access.Should().Be("read");
}
[Fact]
public void Parse_ProcessExecEvent_ReturnsCorrectRecord()
{
// Arrange
var timestamp = 1737890001123456789UL;
var pid = 2312U;
var tid = 2312U;
var cgroupId = 12345UL;
var comm = "bash";
var filename = "/usr/bin/python3";
var ppid = 2311U;
var argv0 = "python3";
var eventData = BuildProcessExecEvent(timestamp, pid, tid, cgroupId, comm, ppid, filename, argv0);
// Act
var result = _parser.Parse(eventData);
// Assert
result.Should().NotBeNull();
result!.Source.Should().Be("sched_process_exec");
result.Pid.Should().Be((int)pid);
result.Comm.Should().Be(comm);
result.Event.Should().BeOfType<ProcessExecEvent>();
var execEvent = (ProcessExecEvent)result.Event;
execEvent.Filename.Should().Be(filename);
execEvent.Ppid.Should().Be((int)ppid);
execEvent.Argv0.Should().Be(argv0);
}
[Fact]
public void Parse_TcpStateEvent_IPv4_ReturnsCorrectRecord()
{
// Arrange
var timestamp = 1737890002123456789UL;
var pid = 2313U;
var tid = 2315U;
var cgroupId = 12345UL;
var comm = "nginx";
byte oldState = 2; // SYN_SENT
byte newState = 1; // ESTABLISHED
ushort sport = 54321;
ushort dport = 443;
var daddr = new byte[] { 93, 184, 216, 34 }; // 93.184.216.34
var eventData = BuildTcpStateEvent(timestamp, pid, tid, cgroupId, comm, oldState, newState, 2, sport, dport, daddr);
// Act
var result = _parser.Parse(eventData);
// Assert
result.Should().NotBeNull();
result!.Source.Should().Be("inet_sock_set_state");
result.Event.Should().BeOfType<TcpStateEvent>();
var tcpEvent = (TcpStateEvent)result.Event;
tcpEvent.OldState.Should().Be("SYN_SENT");
tcpEvent.NewState.Should().Be("ESTABLISHED");
tcpEvent.DestPort.Should().Be(dport);
tcpEvent.DestAddress.Should().Be("93.184.216.34");
tcpEvent.Family.Should().Be("inet");
}
[Fact]
public void Parse_SslOpEvent_ReturnsCorrectRecord()
{
// Arrange
var timestamp = 1737890003123456789UL;
var pid = 2314U;
var tid = 2316U;
var cgroupId = 12345UL;
var comm = "nginx";
var sslPtr = 0x7f1234560000UL;
var bytes = 2048U;
byte operation = 1; // write
var eventData = BuildSslOpEvent(timestamp, pid, tid, cgroupId, comm, sslPtr, bytes, operation);
// Act
var result = _parser.Parse(eventData);
// Assert
result.Should().NotBeNull();
result!.Source.Should().Be("uprobe:SSL_write");
result.Event.Should().BeOfType<SslOpEvent>();
var sslEvent = (SslOpEvent)result.Event;
sslEvent.Operation.Should().Be("write");
sslEvent.Bytes.Should().Be((int)bytes);
sslEvent.SslPtr.Should().Be("0x7F1234560000");
}
[Fact]
public void Parse_FunctionCallEvent_WithSymbolResolution_ReturnsCorrectRecord()
{
// Arrange
var timestamp = 1737890004123456789UL;
var pid = 2315U;
var tid = 2317U;
var cgroupId = 12345UL;
var comm = "myapp";
var funcAddr = 0x7f1234567890UL;
_mockSymbolResolver
.Setup(x => x.Resolve((int)pid, funcAddr))
.Returns(("my_function", "/usr/lib/libmyapp.so", null));
var eventData = BuildFunctionCallEvent(timestamp, pid, tid, cgroupId, comm, funcAddr, 0, null, 0);
// Act
var result = _parser.Parse(eventData);
// Assert
result.Should().NotBeNull();
result!.Source.Should().Be("uprobe:function_entry");
result.Event.Should().BeOfType<FunctionCallEvent>();
var funcEvent = (FunctionCallEvent)result.Event;
funcEvent.Address.Should().Be("0x7F1234567890");
funcEvent.Symbol.Should().Be("my_function");
funcEvent.Library.Should().Be("/usr/lib/libmyapp.so");
}
[Fact]
public void Parse_EventTooSmall_ReturnsNull()
{
// Arrange - less than minimum event size (40 bytes)
var tooSmall = new byte[20];
// Act
var result = _parser.Parse(tooSmall);
// Assert
result.Should().BeNull();
}
[Fact]
public void Parse_UnknownEventType_ReturnsNull()
{
// Arrange - unknown event type (99)
var eventData = new byte[64];
eventData[24] = 99; // Unknown event type
// Act
var result = _parser.Parse(eventData);
// Assert
result.Should().BeNull();
}
[Fact]
public void Parse_FileOpenEvent_WritableFlags_ReturnsWriteAccess()
{
// Arrange
var eventData = BuildFileOpenEvent(
1000000UL, 1000U, 1000U, 1UL, "test", -100, 1, 0, "/tmp/test.txt"); // O_WRONLY = 1
// Act
var result = _parser.Parse(eventData);
// Assert
result.Should().NotBeNull();
var fileEvent = (FileOpenEvent)result!.Event;
fileEvent.Access.Should().Be("write");
}
[Fact]
public void Parse_FileOpenEvent_ReadWriteFlags_ReturnsReadWriteAccess()
{
// Arrange
var eventData = BuildFileOpenEvent(
1000000UL, 1000U, 1000U, 1UL, "test", -100, 2, 0, "/tmp/test.txt"); // O_RDWR = 2
// Act
var result = _parser.Parse(eventData);
// Assert
result.Should().NotBeNull();
var fileEvent = (FileOpenEvent)result!.Event;
fileEvent.Access.Should().Be("read_write");
}
#region Event Builders
private static byte[] BuildFileOpenEvent(
ulong timestamp, uint pid, uint tid, ulong cgroupId, string comm,
int dfd, int flags, ushort mode, string filename)
{
const int HeaderSize = 48;
const int FilenameOffset = HeaderSize + 8; // Must match parser: HeaderSize + 8
const int MaxFilenameLen = 256;
var buffer = new byte[FilenameOffset + MaxFilenameLen];
WriteHeader(buffer, timestamp, pid, tid, cgroupId, EbpfEventType.FileOpen, comm);
// File open specific fields
BinaryPrimitives.WriteInt32LittleEndian(buffer.AsSpan(HeaderSize), dfd);
BinaryPrimitives.WriteInt32LittleEndian(buffer.AsSpan(HeaderSize + 4), flags);
// Note: mode at HeaderSize + 8 overlaps with filename in current parser
// Filename at offset HeaderSize + 8 (matches parser's FilenameOffset)
var filenameBytes = Encoding.UTF8.GetBytes(filename);
Array.Copy(filenameBytes, 0, buffer, FilenameOffset, Math.Min(filenameBytes.Length, MaxFilenameLen - 1));
return buffer;
}
private static byte[] BuildProcessExecEvent(
ulong timestamp, uint pid, uint tid, ulong cgroupId, string comm,
uint ppid, string filename, string? argv0)
{
const int HeaderSize = 48;
const int MaxFilenameLen = 256;
const int MaxArgv0Len = 128;
var buffer = new byte[HeaderSize + 8 + MaxFilenameLen + MaxArgv0Len]; // header + ppid(4) + reserved(4) + filename + argv0
WriteHeader(buffer, timestamp, pid, tid, cgroupId, EbpfEventType.ProcessExec, comm);
BinaryPrimitives.WriteUInt32LittleEndian(buffer.AsSpan(HeaderSize), ppid);
var filenameBytes = Encoding.UTF8.GetBytes(filename);
Array.Copy(filenameBytes, 0, buffer, HeaderSize + 8, Math.Min(filenameBytes.Length, MaxFilenameLen - 1));
if (argv0 != null)
{
var argv0Bytes = Encoding.UTF8.GetBytes(argv0);
Array.Copy(argv0Bytes, 0, buffer, HeaderSize + 8 + MaxFilenameLen, Math.Min(argv0Bytes.Length, MaxArgv0Len - 1));
}
return buffer;
}
private static byte[] BuildTcpStateEvent(
ulong timestamp, uint pid, uint tid, ulong cgroupId, string comm,
byte oldState, byte newState, byte family, ushort sport, ushort dport, byte[] daddr)
{
const int HeaderSize = 48;
var buffer = new byte[HeaderSize + 48]; // header + tcp state fields
WriteHeader(buffer, timestamp, pid, tid, cgroupId, EbpfEventType.TcpState, comm);
buffer[HeaderSize] = oldState;
buffer[HeaderSize + 1] = newState;
buffer[HeaderSize + 2] = family;
BinaryPrimitives.WriteUInt16LittleEndian(buffer.AsSpan(HeaderSize + 4), sport);
BinaryPrimitives.WriteUInt16LittleEndian(buffer.AsSpan(HeaderSize + 6), dport);
if (family == 2) // AF_INET
{
// saddr at +8, daddr at +12
buffer[HeaderSize + 12] = daddr[0];
buffer[HeaderSize + 13] = daddr[1];
buffer[HeaderSize + 14] = daddr[2];
buffer[HeaderSize + 15] = daddr[3];
}
return buffer;
}
private static byte[] BuildSslOpEvent(
ulong timestamp, uint pid, uint tid, ulong cgroupId, string comm,
ulong sslPtr, uint bytes, byte operation)
{
const int HeaderSize = 48;
var buffer = new byte[HeaderSize + 24];
WriteHeader(buffer, timestamp, pid, tid, cgroupId, EbpfEventType.SslOp, comm);
BinaryPrimitives.WriteUInt64LittleEndian(buffer.AsSpan(HeaderSize), sslPtr);
BinaryPrimitives.WriteUInt32LittleEndian(buffer.AsSpan(HeaderSize + 8), bytes); // requested
BinaryPrimitives.WriteUInt32LittleEndian(buffer.AsSpan(HeaderSize + 12), bytes); // actual
buffer[HeaderSize + 16] = operation;
return buffer;
}
private static byte[] BuildFunctionCallEvent(
ulong timestamp, uint pid, uint tid, ulong cgroupId, string comm,
ulong funcAddr, ulong returnAddr, ulong[]? stack, byte runtimeType)
{
const int HeaderSize = 48;
const int MaxStackDepth = 16;
var buffer = new byte[HeaderSize + 16 + MaxStackDepth * 8 + 8];
WriteHeader(buffer, timestamp, pid, tid, cgroupId, EbpfEventType.FunctionCall, comm);
BinaryPrimitives.WriteUInt64LittleEndian(buffer.AsSpan(HeaderSize), funcAddr);
BinaryPrimitives.WriteUInt64LittleEndian(buffer.AsSpan(HeaderSize + 8), returnAddr);
// Stack trace
var stackOffset = HeaderSize + 16;
var stackDepth = (byte)(stack?.Length ?? 0);
if (stack != null)
{
for (int i = 0; i < Math.Min(stack.Length, MaxStackDepth); i++)
{
BinaryPrimitives.WriteUInt64LittleEndian(buffer.AsSpan(stackOffset + i * 8), stack[i]);
}
}
var metaOffset = stackOffset + MaxStackDepth * 8;
buffer[metaOffset] = stackDepth;
buffer[metaOffset + 1] = runtimeType;
return buffer;
}
private static void WriteHeader(
byte[] buffer, ulong timestamp, uint pid, uint tid, ulong cgroupId,
EbpfEventType eventType, string comm)
{
BinaryPrimitives.WriteUInt64LittleEndian(buffer.AsSpan(0), timestamp);
BinaryPrimitives.WriteUInt32LittleEndian(buffer.AsSpan(8), pid);
BinaryPrimitives.WriteUInt32LittleEndian(buffer.AsSpan(12), tid);
BinaryPrimitives.WriteUInt64LittleEndian(buffer.AsSpan(16), cgroupId);
buffer[24] = (byte)eventType;
// Reserved bytes 25-31
// comm at offset 32, max 16 bytes
var commBytes = Encoding.UTF8.GetBytes(comm);
Array.Copy(commBytes, 0, buffer, 32, Math.Min(commBytes.Length, 16));
}
#endregion
}

432
src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/Services/RuntimeEvidenceCollectorTests.cs Normal file
View File

@@ -0,0 +1,432 @@
// <copyright file="RuntimeEvidenceCollectorTests.cs" company="StellaOps">
// SPDX-License-Identifier: BUSL-1.1
// </copyright>
namespace StellaOps.Signals.Ebpf.Tests.Services;
using System.Runtime.CompilerServices;
using FluentAssertions;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.Logging.Abstractions;
using Moq;
using StellaOps.Signals.Ebpf.Cgroup;
using StellaOps.Signals.Ebpf.Output;
using StellaOps.Signals.Ebpf.Parsers;
using StellaOps.Signals.Ebpf.Probes;
using StellaOps.Signals.Ebpf.Schema;
using StellaOps.Signals.Ebpf.Services;
using StellaOps.Signals.Ebpf.Symbols;
using Xunit;
public class RuntimeEvidenceCollectorTests : IAsyncLifetime
{
private readonly string _outputDir;
private readonly string _procDir;
private readonly Mock<IEbpfProbeLoader> _mockProbeLoader;
private readonly Mock<ISymbolResolver> _mockSymbolResolver;
private readonly EventParser _eventParser;
private readonly CgroupContainerResolver _cgroupResolver;
private RuntimeEvidenceNdjsonWriter _writer = null!;
private RuntimeEvidenceCollector _collector = null!;
public RuntimeEvidenceCollectorTests()
{
_outputDir = Path.Combine(Path.GetTempPath(), $"evidence_test_{Guid.NewGuid():N}");
_procDir = Path.Combine(Path.GetTempPath(), $"proc_test_{Guid.NewGuid():N}");
_mockProbeLoader = new Mock<IEbpfProbeLoader>();
_mockSymbolResolver = new Mock<ISymbolResolver>();
_mockSymbolResolver
.Setup(x => x.Resolve(It.IsAny<int>(), It.IsAny<ulong>()))
.Returns((null, null, null));
_eventParser = new EventParser(
NullLogger<EventParser>.Instance,
_mockSymbolResolver.Object);
_cgroupResolver = new CgroupContainerResolver(
NullLogger<CgroupContainerResolver>.Instance,
_procDir);
}
public ValueTask InitializeAsync()
{
Directory.CreateDirectory(_outputDir);
Directory.CreateDirectory(_procDir);
_writer = new RuntimeEvidenceNdjsonWriter(
NullLogger<RuntimeEvidenceNdjsonWriter>.Instance,
_outputDir);
_collector = new RuntimeEvidenceCollector(
NullLogger<RuntimeEvidenceCollector>.Instance,
_mockProbeLoader.Object,
_eventParser,
_cgroupResolver,
_writer);
return ValueTask.CompletedTask;
}
public async ValueTask DisposeAsync()
{
await _collector.DisposeAsync();
if (Directory.Exists(_outputDir))
{
Directory.Delete(_outputDir, recursive: true);
}
if (Directory.Exists(_procDir))
{
Directory.Delete(_procDir, recursive: true);
}
}
[Fact]
public async Task StartCollectionAsync_ReturnsValidHandle()
{
// Arrange
var containerId = "test-container-123";
var options = new RuntimeSignalOptions();
var probeHandle = new EbpfProbeHandle
{
ProbeId = Guid.NewGuid(),
ContainerId = containerId,
TracedPids = [],
};
_mockProbeLoader
.Setup(x => x.LoadAndAttachAsync(containerId, options, It.IsAny<CancellationToken>()))
.ReturnsAsync(probeHandle);
_mockProbeLoader
.Setup(x => x.ReadEventsAsync(probeHandle, It.IsAny<CancellationToken>()))
.Returns(EmptyAsyncEnumerable());
// Act
var handle = await _collector.StartCollectionAsync(containerId, options);
// Assert
handle.Should().NotBeNull();
handle.SessionId.Should().NotBeEmpty();
handle.ContainerId.Should().Be(containerId);
handle.StartedAt.Should().BeCloseTo(DateTimeOffset.UtcNow, TimeSpan.FromSeconds(5));
handle.Options.Should().BeSameAs(options);
// Cleanup
_mockProbeLoader
.Setup(x => x.DetachAsync(probeHandle, It.IsAny<CancellationToken>()))
.Returns(Task.CompletedTask);
await _collector.StopCollectionAsync(handle);
}
[Fact]
public async Task StopCollectionAsync_ReturnsSummary()
{
// Arrange
var containerId = "test-container-456";
var options = new RuntimeSignalOptions();
var probeHandle = new EbpfProbeHandle
{
ProbeId = Guid.NewGuid(),
ContainerId = containerId,
TracedPids = [],
};
_mockProbeLoader
.Setup(x => x.LoadAndAttachAsync(containerId, options, It.IsAny<CancellationToken>()))
.ReturnsAsync(probeHandle);
_mockProbeLoader
.Setup(x => x.ReadEventsAsync(probeHandle, It.IsAny<CancellationToken>()))
.Returns(EmptyAsyncEnumerable());
_mockProbeLoader
.Setup(x => x.DetachAsync(probeHandle, It.IsAny<CancellationToken>()))
.Returns(Task.CompletedTask);
var handle = await _collector.StartCollectionAsync(containerId, options);
// Act
var summary = await _collector.StopCollectionAsync(handle);
// Assert
summary.Should().NotBeNull();
summary.SessionId.Should().Be(handle.SessionId);
summary.ContainerId.Should().Be(containerId);
summary.StartedAt.Should().Be(handle.StartedAt);
summary.StoppedAt.Should().BeAfter(summary.StartedAt);
summary.Duration.Should().BePositive();
}
[Fact]
public async Task StopCollectionAsync_CalledTwice_ThrowsInvalidOperation()
{
// Arrange
var containerId = "test-container-789";
var options = new RuntimeSignalOptions();
var probeHandle = new EbpfProbeHandle
{
ProbeId = Guid.NewGuid(),
ContainerId = containerId,
TracedPids = [],
};
_mockProbeLoader
.Setup(x => x.LoadAndAttachAsync(containerId, options, It.IsAny<CancellationToken>()))
.ReturnsAsync(probeHandle);
_mockProbeLoader
.Setup(x => x.ReadEventsAsync(probeHandle, It.IsAny<CancellationToken>()))
.Returns(EmptyAsyncEnumerable());
_mockProbeLoader
.Setup(x => x.DetachAsync(probeHandle, It.IsAny<CancellationToken>()))
.Returns(Task.CompletedTask);
var handle = await _collector.StartCollectionAsync(containerId, options);
await _collector.StopCollectionAsync(handle);
// Act & Assert
var act = () => _collector.StopCollectionAsync(handle);
await act.Should().ThrowAsync<InvalidOperationException>()
.WithMessage("*not found*");
}
[Fact]
public async Task GetStatsAsync_ReturnsCurrentStats()
{
// Arrange
var containerId = "test-container-stats";
var options = new RuntimeSignalOptions();
var probeHandle = new EbpfProbeHandle
{
ProbeId = Guid.NewGuid(),
ContainerId = containerId,
TracedPids = [],
};
_mockProbeLoader
.Setup(x => x.LoadAndAttachAsync(containerId, options, It.IsAny<CancellationToken>()))
.ReturnsAsync(probeHandle);
_mockProbeLoader
.Setup(x => x.ReadEventsAsync(probeHandle, It.IsAny<CancellationToken>()))
.Returns(EmptyAsyncEnumerable());
_mockProbeLoader
.Setup(x => x.GetBufferUtilization(probeHandle))
.Returns(0.25);
_mockProbeLoader
.Setup(x => x.GetCpuOverhead(probeHandle))
.Returns(0.01);
_mockProbeLoader
.Setup(x => x.GetMemoryUsage(probeHandle))
.Returns(1024 * 1024);
var handle = await _collector.StartCollectionAsync(containerId, options);
// Act
var stats = await _collector.GetStatsAsync(handle);
// Assert
stats.Should().NotBeNull();
stats.BufferUtilization.Should().Be(0.25);
stats.CpuOverhead.Should().Be(0.01);
stats.MemoryUsage.Should().Be(1024 * 1024);
// Cleanup
_mockProbeLoader
.Setup(x => x.DetachAsync(probeHandle, It.IsAny<CancellationToken>()))
.Returns(Task.CompletedTask);
await _collector.StopCollectionAsync(handle);
}
[Fact]
public async Task GetStatsAsync_InvalidSession_ThrowsInvalidOperation()
{
// Arrange
var fakeHandle = new EvidenceCollectionHandle
{
SessionId = Guid.NewGuid(),
ContainerId = "fake",
StartedAt = DateTimeOffset.UtcNow,
Options = new RuntimeSignalOptions(),
};
// Act & Assert
var act = () => _collector.GetStatsAsync(fakeHandle);
await act.Should().ThrowAsync<InvalidOperationException>()
.WithMessage("*not found*");
}
[Fact]
public async Task DisposeAsync_StopsAllSessions()
{
// Arrange
var containerId = "test-container-dispose";
var options = new RuntimeSignalOptions();
var probeHandle = new EbpfProbeHandle
{
ProbeId = Guid.NewGuid(),
ContainerId = containerId,
TracedPids = [],
};
_mockProbeLoader
.Setup(x => x.LoadAndAttachAsync(containerId, options, It.IsAny<CancellationToken>()))
.ReturnsAsync(probeHandle);
_mockProbeLoader
.Setup(x => x.ReadEventsAsync(probeHandle, It.IsAny<CancellationToken>()))
.Returns(EmptyAsyncEnumerable());
_mockProbeLoader
.Setup(x => x.DetachAsync(probeHandle, It.IsAny<CancellationToken>()))
.Returns(Task.CompletedTask);
var handle = await _collector.StartCollectionAsync(containerId, options);
// Act
await _collector.DisposeAsync();
// Assert - verify detach was called
_mockProbeLoader.Verify(
x => x.DetachAsync(probeHandle, It.IsAny<CancellationToken>()),
Times.Once);
}
[Fact]
public async Task StartCollectionAsync_AfterDispose_ThrowsObjectDisposed()
{
// Arrange
await _collector.DisposeAsync();
// Act & Assert
var act = () => _collector.StartCollectionAsync("container", new RuntimeSignalOptions());
await act.Should().ThrowAsync<ObjectDisposedException>();
}
[Fact]
public async Task StreamEvidenceAsync_InvalidSession_YieldsNothing()
{
// Arrange
var fakeHandle = new EvidenceCollectionHandle
{
SessionId = Guid.NewGuid(),
ContainerId = "fake",
StartedAt = DateTimeOffset.UtcNow,
Options = new RuntimeSignalOptions(),
};
// Act
var records = new List<RuntimeEvidenceRecord>();
await foreach (var record in _collector.StreamEvidenceAsync(fakeHandle))
{
records.Add(record);
}
// Assert
records.Should().BeEmpty();
}
[Fact]
public void EvidenceCollectionHandle_HasCorrectProperties()
{
// Arrange & Act
var handle = new EvidenceCollectionHandle
{
SessionId = Guid.NewGuid(),
ContainerId = "test-container",
StartedAt = DateTimeOffset.UtcNow,
Options = new RuntimeSignalOptions { MaxEventsPerSecond = 5000 },
};
// Assert
handle.SessionId.Should().NotBeEmpty();
handle.ContainerId.Should().Be("test-container");
handle.Options.MaxEventsPerSecond.Should().Be(5000);
}
[Fact]
public void EvidenceCollectionSummary_DurationCalculation()
{
// Arrange
var start = DateTimeOffset.UtcNow.AddMinutes(-5);
var stop = DateTimeOffset.UtcNow;
// Act
var summary = new EvidenceCollectionSummary
{
SessionId = Guid.NewGuid(),
ContainerId = "test",
StartedAt = start,
StoppedAt = stop,
TotalEvents = 1000,
ProcessedEvents = 990,
DroppedEvents = 10,
ChunksWritten = 5,
};
// Assert
summary.Duration.Should().BeCloseTo(TimeSpan.FromMinutes(5), TimeSpan.FromSeconds(1));
}
[Fact]
public void EvidenceCollectionStats_HasAllMetrics()
{
// Arrange & Act
var stats = new EvidenceCollectionStats
{
TotalEvents = 10000,
ProcessedEvents = 9900,
DroppedEvents = 100,
EventsPerSecond = 1000.0,
BufferUtilization = 0.5,
CpuOverhead = 0.02,
MemoryUsage = 10 * 1024 * 1024,
};
// Assert
stats.TotalEvents.Should().Be(10000);
stats.ProcessedEvents.Should().Be(9900);
stats.DroppedEvents.Should().Be(100);
stats.EventsPerSecond.Should().Be(1000.0);
stats.BufferUtilization.Should().Be(0.5);
stats.CpuOverhead.Should().Be(0.02);
stats.MemoryUsage.Should().Be(10 * 1024 * 1024);
}
[Fact]
public void EvidenceChunkCompletedEventArgs_HasAllFields()
{
// Arrange & Act
var args = new EvidenceChunkCompletedEventArgs
{
SessionId = Guid.NewGuid(),
ContainerId = "container-123",
ChunkPath = "/tmp/evidence-chunk-001.ndjson",
EventCount = 5000,
Size = 1024 * 1024,
ContentHash = "sha256:abc123",
PreviousHash = "sha256:xyz789",
};
// Assert
args.SessionId.Should().NotBeEmpty();
args.ContainerId.Should().Be("container-123");
args.ChunkPath.Should().EndWith(".ndjson");
args.EventCount.Should().Be(5000);
args.Size.Should().Be(1024 * 1024);
args.ContentHash.Should().StartWith("sha256:");
args.PreviousHash.Should().StartWith("sha256:");
}
[Fact]
public void RuntimeEvidenceCollectorOptions_HasDefaults()
{
// Arrange & Act
var options = new RuntimeEvidenceCollectorOptions();
// Assert
options.EventChannelCapacity.Should().Be(10000);
}
private static async IAsyncEnumerable<ReadOnlyMemory<byte>> EmptyAsyncEnumerable(
[EnumeratorCancellation] CancellationToken ct = default)
{
await Task.Yield();
yield break;
}
}

595
src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/Signing/EvidenceChunkFinalizerTests.cs Normal file
View File

@@ -0,0 +1,595 @@
// <copyright file="EvidenceChunkFinalizerTests.cs" company="StellaOps">
// SPDX-License-Identifier: BUSL-1.1
// </copyright>
namespace StellaOps.Signals.Ebpf.Tests.Signing;
using System.Text;
using System.Text.Json;
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Signals.Ebpf.Output;
using StellaOps.Signals.Ebpf.Signing;
using Xunit;
public sealed class EvidenceChunkFinalizerTests : IAsyncLifetime
{
private readonly string _testDir;
public EvidenceChunkFinalizerTests()
{
_testDir = Path.Combine(Path.GetTempPath(), $"evidence-chunk-test-{Guid.NewGuid():N}");
Directory.CreateDirectory(_testDir);
}
public ValueTask InitializeAsync() => ValueTask.CompletedTask;
public ValueTask DisposeAsync()
{
if (Directory.Exists(_testDir))
{
Directory.Delete(_testDir, recursive: true);
}
return ValueTask.CompletedTask;
}
[Fact]
public async Task FinalizeChunk_SignsChunkAndReturnsPredicate()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
var options = new EvidenceChunkFinalizerOptions
{
SigningKeyId = "test-key",
CollectorVersion = "1.0.0-test",
ChainStateDirectory = _testDir,
};
await using var finalizer = new EvidenceChunkFinalizer(
NullLogger<EvidenceChunkFinalizer>.Instance,
signer,
options);
var args = CreateChunkRotatedArgs(1, 100, "sha256:abc123");
// Act
var result = await finalizer.FinalizeChunkAsync(args, CancellationToken.None);
// Assert
result.Should().NotBeNull();
result.Predicate.ChunkId.Should().Be("sha256:abc123");
result.Predicate.ChunkSequence.Should().Be(1);
result.Predicate.EventCount.Should().Be(100);
result.Predicate.PreviousChunkId.Should().BeNull(); // First chunk
result.DsseEnvelopeBase64.Should().NotBeNullOrEmpty();
result.KeyId.Should().Be("test-key");
}
[Fact]
public async Task FinalizeChunk_LinksChainWithPreviousHash()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
var options = new EvidenceChunkFinalizerOptions
{
SigningKeyId = "test-key",
CollectorVersion = "1.0.0-test",
ChainStateDirectory = _testDir,
};
await using var finalizer = new EvidenceChunkFinalizer(
NullLogger<EvidenceChunkFinalizer>.Instance,
signer,
options);
// First chunk
var args1 = CreateChunkRotatedArgs(1, 100, "sha256:first");
var result1 = await finalizer.FinalizeChunkAsync(args1, CancellationToken.None);
// Second chunk
var args2 = CreateChunkRotatedArgs(2, 200, "sha256:second");
args2 = args2 with { PreviousChunkHash = "sha256:first" };
var result2 = await finalizer.FinalizeChunkAsync(args2, CancellationToken.None);
// Assert
result1.Predicate.PreviousChunkId.Should().BeNull();
result2.Predicate.PreviousChunkId.Should().Be("sha256:first");
}
[Fact]
public async Task FinalizeChunk_EmitsChunkFinalizedEvent()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
await using var finalizer = new EvidenceChunkFinalizer(
NullLogger<EvidenceChunkFinalizer>.Instance,
signer);
ChunkFinalizedEventArgs? receivedArgs = null;
finalizer.ChunkFinalized += (args, ct) =>
{
receivedArgs = args;
return Task.CompletedTask;
};
var args = CreateChunkRotatedArgs(1, 100, "sha256:abc123");
// Act
await finalizer.FinalizeChunkAsync(args, CancellationToken.None);
// Assert
receivedArgs.Should().NotBeNull();
receivedArgs!.Result.Predicate.ChunkId.Should().Be("sha256:abc123");
receivedArgs.ChainTotalChunks.Should().Be(1);
receivedArgs.ChainTotalEvents.Should().Be(100);
}
[Fact]
public async Task FinalizeChunk_SavesAndLoadsChainState()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
var options = new EvidenceChunkFinalizerOptions
{
SigningKeyId = "test-key",
CollectorVersion = "1.0.0-test",
ChainStateDirectory = _testDir,
};
// First finalizer - create and finalize chunks
await using (var finalizer1 = new EvidenceChunkFinalizer(
NullLogger<EvidenceChunkFinalizer>.Instance,
signer,
options))
{
var args1 = CreateChunkRotatedArgs(1, 100, "sha256:first");
await finalizer1.FinalizeChunkAsync(args1, CancellationToken.None);
var args2 = CreateChunkRotatedArgs(2, 200, "sha256:second");
await finalizer1.FinalizeChunkAsync(args2, CancellationToken.None);
}
// Second finalizer - load state
await using var finalizer2 = new EvidenceChunkFinalizer(
NullLogger<EvidenceChunkFinalizer>.Instance,
signer,
options);
var chainKey = Path.GetDirectoryName(Path.Combine(_testDir, "evidence"));
await finalizer2.LoadChainStateAsync(chainKey!, CancellationToken.None);
// Third chunk should link to second
var args3 = CreateChunkRotatedArgs(3, 300, "sha256:third");
var result3 = await finalizer2.FinalizeChunkAsync(args3, CancellationToken.None);
// Assert
result3.Predicate.PreviousChunkId.Should().Be("sha256:second");
}
[Fact]
public async Task VerifyChain_ValidChain_ReturnsTrue()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
await using var finalizer = new EvidenceChunkFinalizer(
NullLogger<EvidenceChunkFinalizer>.Instance,
signer);
var results = new List<EvidenceChunkSignResult>();
// Create chain of chunks
for (int i = 1; i <= 3; i++)
{
var args = CreateChunkRotatedArgs(i, 100 * i, $"sha256:chunk{i}");
var result = await finalizer.FinalizeChunkAsync(args, CancellationToken.None);
results.Add(result);
}
// Act
var verification = await finalizer.VerifyChainAsync(results, CancellationToken.None);
// Assert
verification.IsValid.Should().BeTrue();
verification.VerifiedChunks.Should().Be(3);
verification.Errors.Should().BeEmpty();
}
[Fact]
public async Task VerifyChain_BrokenChain_ReturnsErrors()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
await using var finalizer = new EvidenceChunkFinalizer(
NullLogger<EvidenceChunkFinalizer>.Instance,
signer);
// Create first chunk
var args1 = CreateChunkRotatedArgs(1, 100, "sha256:chunk1");
var result1 = await finalizer.FinalizeChunkAsync(args1, CancellationToken.None);
// Create second chunk with wrong previous hash
var args2 = CreateChunkRotatedArgs(2, 200, "sha256:chunk2");
var result2 = await finalizer.FinalizeChunkAsync(args2, CancellationToken.None);
// Tamper with chain
var tamperedResult2 = result2 with
{
Predicate = result2.Predicate with { PreviousChunkId = "sha256:wrong" },
};
// Act
var verification = await finalizer.VerifyChainAsync(
new[] { result1, tamperedResult2 },
CancellationToken.None);
// Assert
verification.IsValid.Should().BeFalse();
verification.Errors.Should().ContainSingle(e => e.ErrorType == "chain_broken");
}
[Fact]
public async Task VerifyChain_EmptyChain_ReturnsValid()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
await using var finalizer = new EvidenceChunkFinalizer(
NullLogger<EvidenceChunkFinalizer>.Instance,
signer);
// Act
var verification = await finalizer.VerifyChainAsync(
Array.Empty<EvidenceChunkSignResult>(),
CancellationToken.None);
// Assert
verification.IsValid.Should().BeTrue();
verification.VerifiedChunks.Should().Be(0);
}
private ChunkRotatedEventArgs CreateChunkRotatedArgs(
int sequence,
long eventCount,
string contentHash)
{
// Create timestamps in ascending order: chunk 1 starts at base, chunk 2 at base+1hr, etc.
var baseTime = DateTimeOffset.UtcNow.AddHours(-10);
var startTime = baseTime.AddMinutes((sequence - 1) * 10);
return new ChunkRotatedEventArgs
{
Statistics = new ChunkStatistics
{
FilePath = Path.Combine(_testDir, $"evidence-{sequence:D6}.ndjson"),
Size = eventCount * 100,
EventCount = eventCount,
StartTime = startTime,
Duration = TimeSpan.FromMinutes(5),
ContentHash = contentHash,
ChunkSequence = sequence,
},
PreviousChunkHash = sequence > 1 ? $"sha256:chunk{sequence - 1}" : null,
};
}
}
public sealed class LocalEvidenceChunkSignerTests
{
[Fact]
public async Task SignAsync_CreatesDsseEnvelope()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
var request = new EvidenceChunkSignRequest
{
Statistics = new ChunkStatistics
{
FilePath = "/tmp/evidence.ndjson",
Size = 10000,
EventCount = 100,
StartTime = DateTimeOffset.Parse("2026-01-27T10:00:00Z"),
Duration = TimeSpan.FromMinutes(5),
ContentHash = "sha256:abc123def456",
ChunkSequence = 1,
},
KeyId = "test-key",
CollectorVersion = "1.0.0",
KernelVersion = "5.15.0",
};
// Act
var result = await signer.SignAsync(request, CancellationToken.None);
// Assert
result.Should().NotBeNull();
result.Predicate.ChunkId.Should().Be("sha256:abc123def456");
result.Predicate.CollectorVersion.Should().Be("1.0.0");
result.Predicate.KernelVersion.Should().Be("5.15.0");
result.DsseEnvelopeBase64.Should().NotBeNullOrEmpty();
// Decode and verify envelope structure
var envelopeJson = Encoding.UTF8.GetString(Convert.FromBase64String(result.DsseEnvelopeBase64));
var envelope = JsonDocument.Parse(envelopeJson);
envelope.RootElement.GetProperty("payloadType").GetString()
.Should().Be("application/vnd.in-toto+json");
envelope.RootElement.GetProperty("signatures").GetArrayLength()
.Should().Be(1);
}
[Fact]
public async Task VerifyAsync_ValidSignature_ReturnsTrue()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
var request = new EvidenceChunkSignRequest
{
Statistics = new ChunkStatistics
{
FilePath = "/tmp/evidence.ndjson",
Size = 10000,
EventCount = 100,
StartTime = DateTimeOffset.UtcNow,
Duration = TimeSpan.FromMinutes(5),
ContentHash = "sha256:abc123",
ChunkSequence = 1,
},
KeyId = "test-key",
CollectorVersion = "1.0.0",
};
var result = await signer.SignAsync(request, CancellationToken.None);
// Act
var isValid = await signer.VerifyAsync(result, CancellationToken.None);
// Assert
isValid.Should().BeTrue();
}
[Fact]
public async Task VerifyAsync_TamperedSignature_ReturnsFalse()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
var request = new EvidenceChunkSignRequest
{
Statistics = new ChunkStatistics
{
FilePath = "/tmp/evidence.ndjson",
Size = 10000,
EventCount = 100,
StartTime = DateTimeOffset.UtcNow,
Duration = TimeSpan.FromMinutes(5),
ContentHash = "sha256:abc123",
ChunkSequence = 1,
},
KeyId = "test-key",
CollectorVersion = "1.0.0",
};
var result = await signer.SignAsync(request, CancellationToken.None);
// Tamper with envelope
var tamperedResult = result with
{
DsseEnvelopeBase64 = Convert.ToBase64String(
Encoding.UTF8.GetBytes("{\"payloadType\":\"tampered\",\"payload\":\"\",\"signatures\":[]}")),
};
// Act
var isValid = await signer.VerifyAsync(tamperedResult, CancellationToken.None);
// Assert
isValid.Should().BeFalse();
}
[Fact]
public async Task SignAsync_WithCompression_SetsCompressionField()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
var request = new EvidenceChunkSignRequest
{
Statistics = new ChunkStatistics
{
FilePath = "/tmp/evidence.ndjson.gz",
Size = 5000,
EventCount = 100,
StartTime = DateTimeOffset.UtcNow,
Duration = TimeSpan.FromMinutes(5),
ContentHash = "sha256:abc123",
ChunkSequence = 1,
},
KeyId = "test-key",
CollectorVersion = "1.0.0",
};
// Act
var result = await signer.SignAsync(request, CancellationToken.None);
// Assert
result.Predicate.Compression.Should().Be("gzip");
}
[Fact]
public async Task SignAsync_WithPreviousChunkHash_SetsChainLink()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
var request = new EvidenceChunkSignRequest
{
Statistics = new ChunkStatistics
{
FilePath = "/tmp/evidence.ndjson",
Size = 10000,
EventCount = 100,
StartTime = DateTimeOffset.UtcNow,
Duration = TimeSpan.FromMinutes(5),
ContentHash = "sha256:current",
ChunkSequence = 2,
},
PreviousChunkHash = "sha256:previous",
KeyId = "test-key",
CollectorVersion = "1.0.0",
};
// Act
var result = await signer.SignAsync(request, CancellationToken.None);
// Assert
result.Predicate.PreviousChunkId.Should().Be("sha256:previous");
}
[Fact]
public async Task SignAsync_WithContainerIds_IncludesInPredicate()
{
// Arrange
var signer = new LocalEvidenceChunkSigner(
NullLogger<LocalEvidenceChunkSigner>.Instance);
var containerIds = new[] { "container-1", "container-2" };
var request = new EvidenceChunkSignRequest
{
Statistics = new ChunkStatistics
{
FilePath = "/tmp/evidence.ndjson",
Size = 10000,
EventCount = 100,
StartTime = DateTimeOffset.UtcNow,
Duration = TimeSpan.FromMinutes(5),
ContentHash = "sha256:abc123",
ChunkSequence = 1,
},
KeyId = "test-key",
CollectorVersion = "1.0.0",
ContainerIds = containerIds,
};
// Act
var result = await signer.SignAsync(request, CancellationToken.None);
// Assert
result.Predicate.ContainerIds.Should().BeEquivalentTo(containerIds);
}
}
public sealed class NullEvidenceChunkSignerTests
{
[Fact]
public async Task SignAsync_ReturnsUnsignedResult()
{
// Arrange
var signer = NullEvidenceChunkSigner.Instance;
var request = new EvidenceChunkSignRequest
{
Statistics = new ChunkStatistics
{
FilePath = "/tmp/evidence.ndjson",
Size = 10000,
EventCount = 100,
StartTime = DateTimeOffset.UtcNow,
Duration = TimeSpan.FromMinutes(5),
ContentHash = "sha256:abc123",
ChunkSequence = 1,
},
KeyId = "null-key",
CollectorVersion = "1.0.0",
};
// Act
var result = await signer.SignAsync(request, CancellationToken.None);
// Assert
result.Should().NotBeNull();
result.DsseEnvelopeBase64.Should().BeEmpty();
result.RekorUuid.Should().BeNull();
}
[Fact]
public async Task VerifyAsync_AlwaysReturnsTrue()
{
// Arrange
var signer = NullEvidenceChunkSigner.Instance;
var result = new EvidenceChunkSignResult
{
Statistics = new ChunkStatistics
{
FilePath = "/tmp/evidence.ndjson",
Size = 10000,
EventCount = 100,
StartTime = DateTimeOffset.UtcNow,
Duration = TimeSpan.FromMinutes(5),
ContentHash = "sha256:abc123",
ChunkSequence = 1,
},
Predicate = new RuntimeEvidencePredicate
{
ChunkId = "sha256:abc123",
ChunkSequence = 1,
EventCount = 100,
TimeRange = new EvidenceTimeRange
{
Start = DateTimeOffset.UtcNow,
End = DateTimeOffset.UtcNow.AddMinutes(5),
},
CollectorVersion = "1.0.0",
},
DsseEnvelopeBase64 = string.Empty,
SignedAt = DateTimeOffset.UtcNow,
KeyId = "null-key",
};
// Act
var isValid = await signer.VerifyAsync(result, CancellationToken.None);
// Assert
isValid.Should().BeTrue();
}
}
public sealed class PredicateTypeTests
{
[Fact]
public void RuntimeEvidenceType_IsRecognized()
{
// Assert
StellaOps.Signer.Core.PredicateTypes.IsRuntimeEvidenceType("stella.ops/runtime-evidence@v1")
.Should().BeTrue();
StellaOps.Signer.Core.PredicateTypes.IsRuntimeEvidenceType("https://stella.ops/predicates/runtime-evidence/v1")
.Should().BeTrue();
}
[Fact]
public void RuntimeEvidenceType_IsInAllowedList()
{
// Assert
StellaOps.Signer.Core.PredicateTypes.IsAllowedPredicateType("stella.ops/runtime-evidence@v1")
.Should().BeTrue();
StellaOps.Signer.Core.PredicateTypes.IsAllowedPredicateType("https://stella.ops/predicates/runtime-evidence/v1")
.Should().BeTrue();
}
[Fact]
public void RuntimeEvidenceType_IsReachabilityRelated()
{
// Assert
StellaOps.Signer.Core.PredicateTypes.IsReachabilityRelatedType("stella.ops/runtime-evidence@v1")
.Should().BeTrue();
}
}

9
src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/StellaOps.Signals.Ebpf.Tests.csproj
View File

@@ -14,11 +14,20 @@
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="FluentAssertions" />
<PackageReference Include="Microsoft.Extensions.Caching.Memory" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
<PackageReference Include="Microsoft.NET.Test.Sdk" />
<PackageReference Include="Moq" />
<PackageReference Include="xunit.v3" />
<PackageReference Include="xunit.runner.visualstudio">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\__Libraries\StellaOps.Signals.Ebpf\StellaOps.Signals.Ebpf.csproj" />
<ProjectReference Include="..\..\..\Scanner\__Libraries\StellaOps.Scanner.Reachability\StellaOps.Scanner.Reachability.csproj" />
<ProjectReference Include="..\..\..\Signer\StellaOps.Signer\StellaOps.Signer.Core\StellaOps.Signer.Core.csproj" />
</ItemGroup>
</Project>

612
src/Signals/__Tests/StellaOps.Signals.Ebpf.Tests/Symbols/EnhancedSymbolResolverTests.cs Normal file
View File

@@ -0,0 +1,612 @@
// <copyright file="EnhancedSymbolResolverTests.cs" company="StellaOps">
// SPDX-License-Identifier: BUSL-1.1
// </copyright>
namespace StellaOps.Signals.Ebpf.Tests.Symbols;
using System.Buffers.Binary;
using System.Text;
using FluentAssertions;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Signals.Ebpf.Symbols;
using Xunit;
public class EnhancedSymbolResolverTests : IDisposable
{
private readonly string _testProcRoot;
private readonly string _testLibPath;
private readonly IMemoryCache _memoryCache;
private readonly EnhancedSymbolResolver _resolver;
public EnhancedSymbolResolverTests()
{
_testProcRoot = Path.Combine(Path.GetTempPath(), $"proc_test_{Guid.NewGuid():N}");
_testLibPath = Path.Combine(Path.GetTempPath(), $"lib_test_{Guid.NewGuid():N}");
Directory.CreateDirectory(_testProcRoot);
Directory.CreateDirectory(_testLibPath);
_memoryCache = new MemoryCache(new MemoryCacheOptions { SizeLimit = 10000 });
_resolver = new EnhancedSymbolResolver(
NullLogger<EnhancedSymbolResolver>.Instance,
_memoryCache,
_testProcRoot);
}
public void Dispose()
{
_resolver.Dispose();
_memoryCache.Dispose();
if (Directory.Exists(_testProcRoot))
{
Directory.Delete(_testProcRoot, recursive: true);
}
if (Directory.Exists(_testLibPath))
{
Directory.Delete(_testLibPath, recursive: true);
}
}
[Fact]
public void Resolve_ProcessNotFound_ReturnsNull()
{
// Arrange - no maps file created
var pid = 99999;
var address = 0x7f1234567890UL;
// Act
var (symbol, library, purl) = _resolver.Resolve(pid, address);
// Assert
symbol.Should().BeNull();
library.Should().BeNull();
purl.Should().BeNull();
}
[Fact]
public void Resolve_AddressInMappedRegion_ReturnsLibraryPath()
{
// Arrange
var pid = 12345;
var libPath = Path.Combine(_testLibPath, "libtest.so");
// Create a simple non-ELF file (symbol resolution will fail but library should be found)
File.WriteAllBytes(libPath, new byte[100]);
SetupMapsFile(pid, $@"
7f1234560000-7f1234570000 r-xp 00000000 08:01 12345 {libPath}
7f1234570000-7f1234580000 rw-p 00010000 08:01 12345 {libPath}
");
// Act
var (symbol, library, _) = _resolver.Resolve(pid, 0x7f1234565000UL);
// Assert
library.Should().Be(libPath);
symbol.Should().StartWith("addr:0x"); // Symbol resolution fails, falls back to address
}
[Fact]
public void Resolve_AddressInAnonymousMapping_ReturnsSpecialRegion()
{
// Arrange
var pid = 12346;
SetupMapsFile(pid, @"
7ffc12340000-7ffc12360000 rw-p 00000000 00:00 0 [stack]
7ffc12360000-7ffc12380000 rw-p 00000000 00:00 0 [heap]
");
// Act
var (symbol, library, _) = _resolver.Resolve(pid, 0x7ffc12350000UL);
// Assert
library.Should().Be("[stack]");
symbol.Should().StartWith("addr:0x");
}
[Fact]
public void Resolve_AddressNotInAnyMapping_ReturnsAddressOnly()
{
// Arrange
var pid = 12347;
SetupMapsFile(pid, @"
7f1234560000-7f1234570000 r-xp 00000000 08:01 12345 /lib/libc.so.6
");
// Address outside all mappings
var address = 0x7f9999999999UL;
// Act
var (symbol, library, _) = _resolver.Resolve(pid, address);
// Assert
symbol.Should().StartWith("addr:0x");
library.Should().BeNull();
}
[Fact]
public void Resolve_WithElfSymbols_ReturnsSymbolName()
{
// Arrange
var pid = 12348;
var libPath = Path.Combine(_testLibPath, "libsymbols.so");
// Create a minimal ELF64 file with symbols
CreateMinimalElf64WithSymbols(libPath, new[]
{
("my_function", 0x1000UL, 0x100UL),
("another_func", 0x1100UL, 0x80UL),
("global_var", 0x2000UL, 0x8UL),
});
// Map starts at 0x7f1234560000, file offset 0
// So address 0x7f1234561000 maps to file offset 0x1000 (my_function)
SetupMapsFile(pid, $@"
7f1234560000-7f1234570000 r-xp 00000000 08:01 12345 {libPath}
");
// Act
var (symbol, library, _) = _resolver.Resolve(pid, 0x7f1234561050UL);
// Assert
symbol.Should().Be("my_function");
library.Should().Be(libPath);
}
[Fact]
public void Resolve_SymbolWithOffset_ReturnsSymbolPlusOffset()
{
// Arrange
var pid = 12349;
var libPath = Path.Combine(_testLibPath, "liboffset.so");
CreateMinimalElf64WithSymbols(libPath, new[]
{
("base_function", 0x1000UL, 0x100UL),
});
SetupMapsFile(pid, $@"
7f1234560000-7f1234570000 r-xp 00000000 08:01 12345 {libPath}
");
// Address past the symbol but within 64KB
var (symbol, _, _) = _resolver.Resolve(pid, 0x7f1234561200UL);
// Assert - should return symbol+offset
symbol.Should().Contain("base_function+0x");
}
[Fact]
public void Resolve_CachesResult()
{
// Arrange
var pid = 12350;
var libPath = Path.Combine(_testLibPath, "libcache.so");
File.WriteAllBytes(libPath, new byte[100]);
SetupMapsFile(pid, $@"
7f1234560000-7f1234570000 r-xp 00000000 08:01 12345 {libPath}
");
// Act - resolve same address twice
var result1 = _resolver.Resolve(pid, 0x7f1234565000UL);
var result2 = _resolver.Resolve(pid, 0x7f1234565000UL);
// Assert - both should return same values (from cache on second call)
result1.Symbol.Should().Be(result2.Symbol);
result1.Library.Should().Be(result2.Library);
}
[Fact]
public void InvalidateProcess_RemovesCachedMaps()
{
// Arrange
var pid = 12351;
var libPath1 = Path.Combine(_testLibPath, "libfirst.so");
var libPath2 = Path.Combine(_testLibPath, "libsecond.so");
File.WriteAllBytes(libPath1, new byte[100]);
File.WriteAllBytes(libPath2, new byte[100]);
SetupMapsFile(pid, $@"
7f1234560000-7f1234570000 r-xp 00000000 08:01 12345 {libPath1}
");
var (_, library1, _) = _resolver.Resolve(pid, 0x7f1234565000UL);
// Update maps file to point to different library
SetupMapsFile(pid, $@"
7f1234560000-7f1234570000 r-xp 00000000 08:01 12345 {libPath2}
");
// Act - InvalidateProcess clears the maps cache, so a NEW address
// will trigger re-reading the maps file. Existing symbol cache entries
// remain valid until they expire.
_resolver.InvalidateProcess(pid);
// Use a DIFFERENT address to force re-reading the maps file
var (_, library2, _) = _resolver.Resolve(pid, 0x7f1234566000UL);
// Assert
library1.Should().Be(libPath1);
library2.Should().Be(libPath2);
}
[Fact]
public void Resolve_AfterDispose_ThrowsObjectDisposedException()
{
// Arrange
var localCache = new MemoryCache(new MemoryCacheOptions { SizeLimit = 100 });
var localResolver = new EnhancedSymbolResolver(
NullLogger<EnhancedSymbolResolver>.Instance,
localCache,
_testProcRoot);
localResolver.Dispose();
// Act & Assert
var act = () => localResolver.Resolve(123, 0x1000UL);
act.Should().Throw<ObjectDisposedException>();
localCache.Dispose();
}
[Fact]
public void Resolve_MapsWithFileOffset_CalculatesCorrectSymbolAddress()
{
// Arrange
var pid = 12352;
var libPath = Path.Combine(_testLibPath, "liboffsetmap.so");
// Symbol at file offset 0x1000
CreateMinimalElf64WithSymbols(libPath, new[]
{
("offset_function", 0x1000UL, 0x100UL),
});
// Map with file offset 0x1000 - so file offset 0x1000 maps to address 0x7f1234560000
SetupMapsFile(pid, $@"
7f1234560000-7f1234570000 r-xp 00001000 08:01 12345 {libPath}
");
// Act
var (symbol, _, _) = _resolver.Resolve(pid, 0x7f1234560000UL);
// Assert
symbol.Should().Be("offset_function");
}
[Fact]
public void Resolve_MultipleMappings_FindsCorrectOne()
{
// Arrange
var pid = 12353;
var lib1 = Path.Combine(_testLibPath, "libfirst.so");
var lib2 = Path.Combine(_testLibPath, "libsecond.so");
File.WriteAllBytes(lib1, new byte[100]);
File.WriteAllBytes(lib2, new byte[100]);
SetupMapsFile(pid, $@"
7f1234560000-7f1234570000 r-xp 00000000 08:01 12345 {lib1}
7f1234580000-7f1234590000 r-xp 00000000 08:01 12346 {lib2}
7f12345a0000-7f12345b0000 rw-p 00000000 00:00 0 [heap]
");
// Act
var (_, library1, _) = _resolver.Resolve(pid, 0x7f1234565000UL);
var (_, library2, _) = _resolver.Resolve(pid, 0x7f1234585000UL);
var (_, library3, _) = _resolver.Resolve(pid, 0x7f12345a5000UL);
// Assert
library1.Should().Be(lib1);
library2.Should().Be(lib2);
library3.Should().Be("[heap]");
}
[Fact]
public void Resolve_InvalidMapsFormat_ReturnsNull()
{
// Arrange
var pid = 12354;
var pidDir = Path.Combine(_testProcRoot, pid.ToString());
Directory.CreateDirectory(pidDir);
File.WriteAllText(Path.Combine(pidDir, "maps"), "invalid format garbage data");
// Act
var (symbol, library, _) = _resolver.Resolve(pid, 0x7f1234565000UL);
// Assert
symbol.Should().BeNull();
library.Should().BeNull();
}
[Fact]
public void Resolve_NonElfFile_ReturnsAddressFallback()
{
// Arrange
var pid = 12355;
var libPath = Path.Combine(_testLibPath, "notelf.so");
File.WriteAllText(libPath, "This is not an ELF file");
SetupMapsFile(pid, $@"
7f1234560000-7f1234570000 r-xp 00000000 08:01 12345 {libPath}
");
// Act
var (symbol, library, _) = _resolver.Resolve(pid, 0x7f1234565000UL);
// Assert
library.Should().Be(libPath);
symbol.Should().StartWith("addr:0x");
}
#region Performance Tests
[Fact]
public void Resolve_CachedLookup_CompletesUnder1Ms()
{
// Arrange
var pid = 12360;
var libPath = Path.Combine(_testLibPath, "libperf_cached.so");
CreateMinimalElf64WithSymbols(libPath, new[]
{
("perf_function", 0x1000UL, 0x100UL),
});
SetupMapsFile(pid, $@"
7f1234560000-7f1234570000 r-xp 00000000 08:01 12345 {libPath}
");
// Warm up the cache with first call
_ = _resolver.Resolve(pid, 0x7f1234561000UL);
// Act - measure cached lookups
const int iterations = 1000;
var timings = new long[iterations];
var sw = new System.Diagnostics.Stopwatch();
for (int i = 0; i < iterations; i++)
{
sw.Restart();
_ = _resolver.Resolve(pid, 0x7f1234561000UL);
sw.Stop();
timings[i] = sw.ElapsedTicks;
}
// Calculate p99
Array.Sort(timings);
var p99Index = (int)(iterations * 0.99);
var p99Ticks = timings[p99Index];
var p99Ms = (double)p99Ticks / System.Diagnostics.Stopwatch.Frequency * 1000;
// Assert - p99 should be under 1ms for cached lookups
p99Ms.Should().BeLessThan(1.0, $"p99 latency for cached lookups should be <1ms, but was {p99Ms:F3}ms");
}
[Fact]
public void Resolve_UncachedLookup_CompletesUnder10Ms()
{
// Arrange - create multiple processes to test uncached lookups
const int numProcesses = 50;
var libPath = Path.Combine(_testLibPath, "libperf_uncached.so");
CreateMinimalElf64WithSymbols(libPath, new[]
{
("uncached_function", 0x1000UL, 0x100UL),
("another_func", 0x2000UL, 0x100UL),
("third_func", 0x3000UL, 0x100UL),
});
// Create maps for multiple processes
for (int i = 0; i < numProcesses; i++)
{
var pid = 20000 + i;
SetupMapsFile(pid, $@"
7f1234560000-7f1234570000 r-xp 00000000 08:01 12345 {libPath}
7f1234570000-7f1234580000 rw-p 00010000 08:01 12345 {libPath}
");
}
// Act - measure uncached lookups (first access per PID)
var timings = new List<long>();
var sw = new System.Diagnostics.Stopwatch();
for (int i = 0; i < numProcesses; i++)
{
var pid = 20000 + i;
sw.Restart();
_ = _resolver.Resolve(pid, 0x7f1234561000UL);
sw.Stop();
timings.Add(sw.ElapsedTicks);
}
// Calculate p99
timings.Sort();
var p99Index = (int)(timings.Count * 0.99);
if (p99Index >= timings.Count) p99Index = timings.Count - 1;
var p99Ticks = timings[p99Index];
var p99Ms = (double)p99Ticks / System.Diagnostics.Stopwatch.Frequency * 1000;
// Assert - p99 should be under 10ms for uncached lookups
p99Ms.Should().BeLessThan(10.0, $"p99 latency for uncached lookups should be <10ms, but was {p99Ms:F3}ms");
}
[Fact]
public void Resolve_HighVolumeCached_MaintainsPerformance()
{
// Arrange
var pid = 12361;
var libPath = Path.Combine(_testLibPath, "libperf_volume.so");
CreateMinimalElf64WithSymbols(libPath, new[]
{
("volume_func_1", 0x1000UL, 0x100UL),
("volume_func_2", 0x2000UL, 0x100UL),
("volume_func_3", 0x3000UL, 0x100UL),
("volume_func_4", 0x4000UL, 0x100UL),
("volume_func_5", 0x5000UL, 0x100UL),
});
SetupMapsFile(pid, $@"
7f1234560000-7f1234580000 r-xp 00000000 08:01 12345 {libPath}
");
// Warm up cache with various addresses
var addresses = new ulong[]
{
0x7f1234561000UL, 0x7f1234562000UL, 0x7f1234563000UL,
0x7f1234564000UL, 0x7f1234565000UL,
};
foreach (var addr in addresses)
{
_ = _resolver.Resolve(pid, addr);
}
// Act - high volume cached lookups
const int iterations = 5000;
var sw = System.Diagnostics.Stopwatch.StartNew();
for (int i = 0; i < iterations; i++)
{
var addr = addresses[i % addresses.Length];
_ = _resolver.Resolve(pid, addr);
}
sw.Stop();
var avgMicroseconds = sw.Elapsed.TotalMicroseconds / iterations;
// Assert - average should be well under 100 microseconds for cached
avgMicroseconds.Should().BeLessThan(100, $"Average cached lookup should be <100µs, but was {avgMicroseconds:F1}µs");
}
#endregion
#region Helpers
private void SetupMapsFile(int pid, string content)
{
var pidDir = Path.Combine(_testProcRoot, pid.ToString());
Directory.CreateDirectory(pidDir);
File.WriteAllText(Path.Combine(pidDir, "maps"), content.Trim());
}
/// <summary>
/// Creates a minimal valid ELF64 file with the specified symbols.
/// </summary>
private static void CreateMinimalElf64WithSymbols(string path, (string name, ulong value, ulong size)[] symbols)
{
using var stream = File.Create(path);
using var writer = new BinaryWriter(stream);
// ELF Header (64 bytes)
// e_ident[16]
writer.Write((uint)0x464C457F); // Magic: "\x7FELF"
writer.Write((byte)2); // EI_CLASS: 64-bit
writer.Write((byte)1); // EI_DATA: little endian
writer.Write((byte)1); // EI_VERSION: current
writer.Write((byte)0); // EI_OSABI: SYSV
writer.Write(new byte[8]); // EI_PAD
writer.Write((ushort)3); // e_type: ET_DYN (shared object)
writer.Write((ushort)62); // e_machine: x86-64
writer.Write((uint)1); // e_version
writer.Write((ulong)0); // e_entry
writer.Write((ulong)0); // e_phoff (no program headers for this test)
writer.Write((ulong)64); // e_shoff (section headers at offset 64)
writer.Write((uint)0); // e_flags
writer.Write((ushort)64); // e_ehsize
writer.Write((ushort)0); // e_phentsize
writer.Write((ushort)0); // e_phnum
writer.Write((ushort)64); // e_shentsize
writer.Write((ushort)3); // e_shnum (null + strtab + symtab)
writer.Write((ushort)1); // e_shstrndx (section string table at index 1)
// Section 0: NULL section (64 bytes at offset 64)
WriteSectionHeader(writer, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
// Build string table (for symbols)
var strtabContent = BuildStringTable(symbols.Select(s => s.name).ToArray());
var strtabOffset = 64 + 64 * 3; // After ELF header and 3 section headers
// Section 1: STRTAB (string table) at offset 128
WriteSectionHeader(writer, 0, 3 /*SHT_STRTAB*/, 0, 0, (ulong)strtabOffset, (ulong)strtabContent.Length, 0, 0, 1, 0);
// Build symbol table
var symtabOffset = strtabOffset + strtabContent.Length;
var symtabContent = BuildSymbolTable(symbols, strtabContent);
// Section 2: SYMTAB at offset after strtab
// Link points to strtab (section 1)
WriteSectionHeader(writer, 0, 2 /*SHT_SYMTAB*/, 0, 0, (ulong)symtabOffset, (ulong)symtabContent.Length, 1, 0, 8, 24);
// Write string table content
writer.Write(strtabContent);
// Write symbol table content
writer.Write(symtabContent);
}
private static void WriteSectionHeader(
BinaryWriter writer,
uint name, uint type, ulong flags, ulong addr,
ulong offset, ulong size, uint link, uint info,
ulong addralign, ulong entsize)
{
writer.Write(name);
writer.Write(type);
writer.Write(flags);
writer.Write(addr);
writer.Write(offset);
writer.Write(size);
writer.Write(link);
writer.Write(info);
writer.Write(addralign);
writer.Write(entsize);
}
private static byte[] BuildStringTable(string[] names)
{
var ms = new MemoryStream();
ms.WriteByte(0); // First byte is always null
foreach (var name in names)
{
var bytes = Encoding.UTF8.GetBytes(name);
ms.Write(bytes, 0, bytes.Length);
ms.WriteByte(0);
}
return ms.ToArray();
}
private static byte[] BuildSymbolTable((string name, ulong value, ulong size)[] symbols, byte[] strtab)
{
var ms = new MemoryStream();
var writer = new BinaryWriter(ms);
// First symbol is always null
writer.Write((uint)0); // st_name
writer.Write((byte)0); // st_info
writer.Write((byte)0); // st_other
writer.Write((ushort)0); // st_shndx
writer.Write((ulong)0); // st_value
writer.Write((ulong)0); // st_size
int strOffset = 1; // Skip initial null byte
foreach (var (name, value, size) in symbols)
{
writer.Write((uint)strOffset); // st_name
writer.Write((byte)0x12); // st_info: STB_GLOBAL | STT_FUNC
writer.Write((byte)0); // st_other
writer.Write((ushort)1); // st_shndx: some section
writer.Write(value); // st_value
writer.Write(size); // st_size
strOffset += Encoding.UTF8.GetByteCount(name) + 1;
}
return ms.ToArray();
}
#endregion
}