Close admin trust audit gaps and stabilize live sweeps

2026-03-12 10:14:00 +02:00
parent a00efb7ab2
commit 6964a046a5
50 changed files with 5968 additions and 2850 deletions
--- a/src/Platform/__Tests/StellaOps.Platform.WebService.Tests/PackAdapterEndpointsTests.cs
+++ b/src/Platform/__Tests/StellaOps.Platform.WebService.Tests/PackAdapterEndpointsTests.cs
@@ -1,8 +1,10 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.DependencyInjection;
+using StellaOps.Platform.WebService.Contracts;
 using System.Linq;
 using System.Net;
+using System.Net.Http.Json;
 using System.Text.Json;
 using StellaOps.Platform.WebService.Constants;
 using StellaOps.TestKit;
@@ -146,6 +148,75 @@ public sealed class PackAdapterEndpointsTests : IClassFixture<PlatformWebApplica
        Assert.DoesNotContain(PlatformPolicies.SetupRead, policies);
    }

+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public async Task TrustSigningOverview_Uses_live_inventory_counts_for_selected_tenant()
+    {
+        using var client = CreateTenantClient("demo-prod");
+
+        var keyResponse = await client.PostAsJsonAsync(
+            "/api/v1/administration/trust-signing/keys",
+            new CreateAdministrationTrustKeyRequest(
+                Alias: "tenant-live-key",
+                Algorithm: "ed25519",
+                MetadataJson: "{\"owner\":\"secops\"}"),
+            TestContext.Current.CancellationToken);
+        Assert.Equal(HttpStatusCode.Created, keyResponse.StatusCode);
+        var key = await keyResponse.Content.ReadFromJsonAsync<AdministrationTrustKeySummary>(TestContext.Current.CancellationToken);
+        Assert.NotNull(key);
+
+        var issuerResponse = await client.PostAsJsonAsync(
+            "/api/v1/administration/trust-signing/issuers",
+            new RegisterAdministrationTrustIssuerRequest(
+                Name: "Tenant Live Root CA",
+                IssuerUri: "https://issuer.demo-prod.stella-ops.local/live",
+                TrustLevel: "high"),
+            TestContext.Current.CancellationToken);
+        Assert.Equal(HttpStatusCode.Created, issuerResponse.StatusCode);
+        var issuer = await issuerResponse.Content.ReadFromJsonAsync<AdministrationTrustIssuerSummary>(TestContext.Current.CancellationToken);
+        Assert.NotNull(issuer);
+
+        var certificateResponse = await client.PostAsJsonAsync(
+            "/api/v1/administration/trust-signing/certificates",
+            new RegisterAdministrationTrustCertificateRequest(
+                KeyId: key!.KeyId,
+                IssuerId: issuer!.IssuerId,
+                SerialNumber: "TENANT-LIVE-SER-0001",
+                NotBefore: DateTimeOffset.Parse("2026-02-01T00:00:00Z"),
+                NotAfter: DateTimeOffset.Parse("2026-02-25T00:00:00Z")),
+            TestContext.Current.CancellationToken);
+        Assert.Equal(HttpStatusCode.Created, certificateResponse.StatusCode);
+
+        var configureResponse = await client.PutAsJsonAsync(
+            "/api/v1/administration/trust-signing/transparency-log",
+            new ConfigureAdministrationTransparencyLogRequest(
+                LogUrl: "https://rekor.demo-prod.stella-ops.local",
+                WitnessUrl: "https://rekor-witness.demo-prod.stella-ops.local",
+                EnforceInclusion: true),
+            TestContext.Current.CancellationToken);
+        Assert.Equal(HttpStatusCode.OK, configureResponse.StatusCode);
+
+        var overviewResponse = await client.GetAsync("/api/v1/administration/trust-signing", TestContext.Current.CancellationToken);
+        Assert.Equal(HttpStatusCode.OK, overviewResponse.StatusCode);
+
+        using var document = JsonDocument.Parse(await overviewResponse.Content.ReadAsStringAsync(TestContext.Current.CancellationToken));
+        var item = document.RootElement.GetProperty("item");
+        Assert.Equal(1, item.GetProperty("inventory").GetProperty("keys").GetInt32());
+        Assert.Equal(1, item.GetProperty("inventory").GetProperty("issuers").GetInt32());
+        Assert.Equal(1, item.GetProperty("inventory").GetProperty("certificates").GetInt32());
+
+        var signals = item
+            .GetProperty("signals")
+            .EnumerateArray()
+            .ToDictionary(
+                signal => signal.GetProperty("signalId").GetString()!,
+                signal => signal.GetProperty("status").GetString()!,
+                StringComparer.Ordinal);
+
+        Assert.Equal("warning", signals["certificate-expiry"]);
+        Assert.Equal("healthy", signals["transparency-log"]);
+    }
+
    private HttpClient CreateTenantClient(string tenantId)
    {
        var client = _factory.CreateClient();
--- a/src/Platform/__Tests/StellaOps.Platform.WebService.Tests/TenantStorageKeyTests.cs
+++ b/src/Platform/__Tests/StellaOps.Platform.WebService.Tests/TenantStorageKeyTests.cs
@@ -0,0 +1,26 @@
+using FluentAssertions;
+using StellaOps.Platform.WebService.Services;
+using StellaOps.TestKit;
+
+namespace StellaOps.Platform.WebService.Tests;
+
+public sealed class TenantStorageKeyTests
+{
+    [Trait("Category", TestCategories.Unit)]
+    [Theory]
+    [InlineData("demo-prod", "3a5e72b6-ae6a-f8a4-2b6a-df2960d63016")]
+    [InlineData("default", "c1eea837-19ce-7d68-132f-e29051dca629")]
+    public void ParseTenantGuid_derives_deterministic_guid_for_slug_tenants(string tenantId, string expectedGuid)
+    {
+        TenantStorageKey.ParseTenantGuid(tenantId).Should().Be(Guid.Parse(expectedGuid));
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void ParseTenantGuid_returns_existing_guid_without_rehashing()
+    {
+        var tenantGuid = Guid.NewGuid();
+
+        TenantStorageKey.ParseTenantGuid(tenantGuid.ToString("D")).Should().Be(tenantGuid);
+    }
+}