Add unit tests for Router configuration and transport layers
- Implemented tests for RouterConfig, RoutingOptions, StaticInstanceConfig, and RouterConfigOptions to ensure default values are set correctly. - Added tests for RouterConfigProvider to validate configurations and ensure defaults are returned when no file is specified. - Created tests for ConfigValidationResult to check success and error scenarios. - Developed tests for ServiceCollectionExtensions to verify service registration for RouterConfig. - Introduced UdpTransportTests to validate serialization, connection, request-response, and error handling in UDP transport. - Added scripts for signing authority gaps and hashing DevPortal SDK snippets.
@@ -106,3 +106,19 @@ COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
|
||||
2. `COSIGN_PRIVATE_KEY_B64` (decoded to temp file)
|
||||
3. `tools/cosign/cosign.key` (production drop-in)
|
||||
4. `tools/cosign/cosign.dev.key` (only if `COSIGN_ALLOW_DEV_KEY=1`)
|
||||
|
||||
### sign-authority-gaps.sh
|
||||
Signs Authority gap artefacts (AU1–AU10, RR1–RR10) under `docs/modules/authority/gaps/artifacts/`.
|
||||
|
||||
```
|
||||
# Production (Authority key via CI secret or cosign.key drop-in)
|
||||
OUT_DIR=docs/modules/authority/gaps/dsse/2025-12-04 tools/cosign/sign-authority-gaps.sh
|
||||
|
||||
# Development (dev key, smoke only)
|
||||
COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev \
|
||||
OUT_DIR=docs/modules/authority/gaps/dev-smoke/2025-12-04 \
|
||||
tools/cosign/sign-authority-gaps.sh
|
||||
```
|
||||
|
||||
- Outputs bundles or dsse signatures plus `SHA256SUMS` in `OUT_DIR`.
|
||||
- tlog upload disabled (`--tlog-upload=false`) and prompts auto-accepted (`--yes`) for offline use.
|
||||
|
||||
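--- /dev/null
+++ b/tools/cosign/sign-authority-gaps.sh
@@ -0,0 +1,106 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Deterministic DSSE signing helper for Authority gap artefacts (AU1–AU10, RR1–RR10).
+# Prefers system cosign v3 (bundle) and falls back to repo-pinned v2.6.0.
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+COSIGN_BIN="${COSIGN_BIN:-}"
+
+# Detect cosign binary
+if [[ -z "$COSIGN_BIN" ]]; then
+if command -v /usr/local/bin/cosign >/dev/null 2>&1; then
+COSIGN_BIN="/usr/local/bin/cosign"
+elif command -v cosign >/dev/null 2>&1; then
+COSIGN_BIN="$(command -v cosign)"
+elif [[ -x "$ROOT/tools/cosign/cosign" ]]; then
+COSIGN_BIN="$ROOT/tools/cosign/cosign"
+else
+echo "cosign not found; install or set COSIGN_BIN" >&2
+exit 1
+fi
+fi
+
+# Resolve key
+TMP_KEY=""
+if [[ -n "${COSIGN_KEY_FILE:-}" ]]; then
+KEY_FILE="$COSIGN_KEY_FILE"
+elif [[ -n "${COSIGN_PRIVATE_KEY_B64:-}" ]]; then
+TMP_KEY="$(mktemp)"
+echo "$COSIGN_PRIVATE_KEY_B64" | base64 -d > "$TMP_KEY"
+chmod 600 "$TMP_KEY"
+KEY_FILE="$TMP_KEY"
+elif [[ -f "$ROOT/tools/cosign/cosign.key" ]]; then
+KEY_FILE="$ROOT/tools/cosign/cosign.key"
+elif [[ "${COSIGN_ALLOW_DEV_KEY:-0}" == "1" && -f "$ROOT/tools/cosign/cosign.dev.key" ]]; then
+echo "[warn] Using development key (tools/cosign/cosign.dev.key); NOT for production/Evidence Locker" >&2
+KEY_FILE="$ROOT/tools/cosign/cosign.dev.key"
+else
+echo "No signing key: set COSIGN_PRIVATE_KEY_B64 or COSIGN_KEY_FILE, or place key at tools/cosign/cosign.key" >&2
+exit 2
+fi
+
+OUT_BASE="${OUT_DIR:-$ROOT/docs/modules/authority/gaps/dsse/2025-12-04}"
+if [[ "$OUT_BASE" != /* ]]; then
+OUT_BASE="$ROOT/$OUT_BASE"
+fi
+mkdir -p "$OUT_BASE"
+
+ARTEFACTS=(
+"docs/modules/authority/gaps/artifacts/authority-scope-role-catalog.v1.json|authority-scope-role-catalog"
+"docs/modules/authority/gaps/artifacts/authority-jwks-metadata.schema.json|authority-jwks-metadata.schema"
+"docs/modules/authority/gaps/artifacts/crypto-profile-registry.v1.json|crypto-profile-registry"
+"docs/modules/authority/gaps/artifacts/authority-offline-verifier-bundle.v1.json|authority-offline-verifier-bundle"
+"docs/modules/authority/gaps/artifacts/authority-abac.schema.json|authority-abac.schema"
+"docs/modules/authority/gaps/artifacts/rekor-receipt-policy.v1.json|rekor-receipt-policy"
+"docs/modules/authority/gaps/artifacts/rekor-receipt.schema.json|rekor-receipt.schema"
+"docs/modules/authority/gaps/artifacts/rekor-receipt-bundle.v1.json|rekor-receipt-bundle"
+)
+
+USE_BUNDLE=0
+if $COSIGN_BIN version --json 2>/dev/null | grep -q '"GitVersion":"v3'; then
+USE_BUNDLE=1
+elif $COSIGN_BIN version 2>/dev/null | grep -q 'GitVersion:.*v3\.'; then
+USE_BUNDLE=1
+fi
+
+SHA_FILE="$OUT_BASE/SHA256SUMS"
+: > "$SHA_FILE"
+
+for entry in "${ARTEFACTS[@]}"; do
+IFS="|" read -r path stem <<<"$entry"
+if [[ ! -f "$ROOT/$path" ]]; then
+echo "Missing artefact: $path" >&2
+exit 3
+fi
+if (( USE_BUNDLE )); then
+bundle="$OUT_BASE/${stem}.sigstore.json"
+COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
+"$COSIGN_BIN" sign-blob \
+--key "$KEY_FILE" \
+--yes \
+--tlog-upload=false \
+--bundle "$bundle" \
+"$ROOT/$path"
+printf "%s %s\n" "$(sha256sum "$bundle" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$bundle")" >> "$SHA_FILE"
+else
+sig="$OUT_BASE/${stem}.dsse"
+COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
+"$COSIGN_BIN" sign-blob \
+--key "$KEY_FILE" \
+--yes \
+--tlog-upload=false \
+--output-signature "$sig" \
+"$ROOT/$path"
+printf "%s %s\n" "$(sha256sum "$sig" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$sig")" >> "$SHA_FILE"
+fi
+
+printf "%s %s\n" "$(sha256sum "$ROOT/$path" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$ROOT/$path")" >> "$SHA_FILE"
+echo "Signed $path"
+done
+
+echo "Signed artefacts written to $OUT_BASE"
+
+if [[ -n "$TMP_KEY" ]]; then
+rm -f "$TMP_KEY"
+fi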
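Review bot: The decoded private key written to `$TMP_KEY` in the `COSIGN_PRIVATE_KEY_B64` branch is only removed by the `if [[ -n "$TMP_KEY" ]]` block at the very end, so any earlier failure under `set -e` — a missing artefact (`exit 3`), a cosign error, or a malformed base64 payload — leaves the key material behind in the temp directory. Register the cleanup right after `TMP_KEY=""` with `trap '[[ -z "$TMP_KEY" ]] || rm -f -- "$TMP_KEY"' EXIT` and drop the trailing `if` block, so the key is removed on every exit path. Separately, the version probes `$COSIGN_BIN version --json` and `$COSIGN_BIN version` expand the binary path unquoted while every other use writes `"$COSIGN_BIN"`; quoting them keeps an installation path containing spaces working.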
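--- /dev/null
+++ b/tools/devportal/hash-snippets.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Deterministic hashing helper for DevPortal SDK snippet packs and offline bundle artefacts.
+# Usage:
+# SNIPPET_DIR=src/DevPortal/StellaOps.DevPortal.Site/snippets \
+# OUT_SHA=src/DevPortal/StellaOps.DevPortal.Site/SHA256SUMS.devportal-stubs \
+# tools/devportal/hash-snippets.sh
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+SNIPPET_DIR="${SNIPPET_DIR:-$ROOT/src/DevPortal/StellaOps.DevPortal.Site/snippets}"
+OUT_SHA="${OUT_SHA:-$ROOT/src/DevPortal/StellaOps.DevPortal.Site/SHA256SUMS.devportal-stubs}"
+
+if [[ ! -d "$SNIPPET_DIR" ]]; then
+echo "Snippet dir not found: $SNIPPET_DIR" >&2
+exit 1
+fi
+
+mkdir -p "$(dirname "$OUT_SHA")"
+: > "$OUT_SHA"
+
+cd "$SNIPPET_DIR"
+find . -type f -print0 | sort -z | while IFS= read -r -d '' f; do
+sha=$(sha256sum "$f" | cut -d' ' -f1)
+printf "%s %s\n" "$sha" "${SNIPPET_DIR#$ROOT/}/$f" >> "$OUT_SHA"
+echo "hashed $f"
+done
+
+echo "Hashes written to $OUT_SHA"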
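Review bot: `OUT_SHA` is appended to inside the loop after `cd "$SNIPPET_DIR"`, so a relative `OUT_SHA` — exactly what the Usage comment at the top of the file shows — is truncated by `: > "$OUT_SHA"` relative to the caller's cwd and then appended to relative to the snippet directory, landing the hashes in the wrong file or failing outright. Resolve both paths to absolute before the `cd`, e.g. after the `mkdir -p` line: `OUT_SHA="$(cd "$(dirname "$OUT_SHA")" && pwd)/${OUT_SHA##*/}"` and `SNIPPET_DIR="$(cd "$SNIPPET_DIR" && pwd)"`; the latter also makes `${SNIPPET_DIR#$ROOT/}` strip `$ROOT` consistently whether the caller passed a relative or an absolute path, which matters for a helper whose header promises deterministic output. In the same loop, `sort -z` ordering depends on the caller's locale, so prefix it with `LC_ALL=C` for reproducible entry order, and the recorded path carries a `./` segment (`snippets/./file`) because `find .` yields `./`-prefixed names — `${f#./}` in the printf drops it.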