work

2025-11-25 08:01:23 +02:00
parent d92973d6fd
commit 6bee1fdcf5
207 changed files with 12816 additions and 2295 deletions
--- a/src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/AirgapImportValidatorTests.cs
+++ b/src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/AirgapImportValidatorTests.cs
@@ -31,8 +31,15 @@ public sealed class AirgapImportValidatorTests
    [Fact]
    public void Validate_InvalidHash_ReturnsError()
    {
-        var req = Valid();
-        req.PayloadHash = "not-a-hash";
+        var req = new AirgapImportRequest
+        {
+            BundleId = "bundle-123",
+            MirrorGeneration = "5",
+            Publisher = "stellaops",
+            PayloadHash = "not-a-hash",
+            Signature = Convert.ToBase64String(new byte[] { 5, 6, 7 }),
+            SignedAt = _now
+        };

        var result = _validator.Validate(req, _now);

@@ -42,8 +49,15 @@ public sealed class AirgapImportValidatorTests
    [Fact]
    public void Validate_InvalidSignature_ReturnsError()
    {
-        var req = Valid();
-        req.Signature = "???";
+        var req = new AirgapImportRequest
+        {
+            BundleId = "bundle-123",
+            MirrorGeneration = "5",
+            Publisher = "stellaops",
+            PayloadHash = "sha256:" + new string('b', 64),
+            Signature = "???",
+            SignedAt = _now
+        };

        var result = _validator.Validate(req, _now);

@@ -53,8 +67,15 @@ public sealed class AirgapImportValidatorTests
    [Fact]
    public void Validate_MirrorGenerationNonNumeric_ReturnsError()
    {
-        var req = Valid();
-        req.MirrorGeneration = "abc";
+        var req = new AirgapImportRequest
+        {
+            BundleId = "bundle-123",
+            MirrorGeneration = "abc",
+            Publisher = "stellaops",
+            PayloadHash = "sha256:" + new string('b', 64),
+            Signature = Convert.ToBase64String(new byte[] { 5, 6, 7 }),
+            SignedAt = _now
+        };

        var result = _validator.Validate(req, _now);

@@ -64,8 +85,15 @@ public sealed class AirgapImportValidatorTests
    [Fact]
    public void Validate_SignedAtTooOld_ReturnsError()
    {
-        var req = Valid();
-        req.SignedAt = _now.AddSeconds(-10);
+        var req = new AirgapImportRequest
+        {
+            BundleId = "bundle-123",
+            MirrorGeneration = "5",
+            Publisher = "stellaops",
+            PayloadHash = "sha256:" + new string('b', 64),
+            Signature = Convert.ToBase64String(new byte[] { 5, 6, 7 }),
+            SignedAt = _now.AddSeconds(-10)
+        };

        var result = _validator.Validate(req, _now);

--- a/src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/AirgapModeEnforcerTests.cs
+++ b/src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/AirgapModeEnforcerTests.cs
@@ -0,0 +1,44 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using StellaOps.Excititor.WebService.Contracts;
+using StellaOps.Excititor.WebService.Options;
+using StellaOps.Excititor.WebService.Services;
+using Xunit;
+
+namespace StellaOps.Excititor.WebService.Tests;
+
+public class AirgapModeEnforcerTests
+{
+    [Fact]
+    public void Validate_Allows_WhenNotSealed()
+    {
+        var enforcer = new AirgapModeEnforcer(Microsoft.Extensions.Options.Options.Create(new AirgapOptions { SealedMode = false }), NullLogger<AirgapModeEnforcer>.Instance);
+        var ok = enforcer.Validate(new AirgapImportRequest { PayloadUrl = "https://example.com" }, out var code, out var message);
+
+        Assert.True(ok);
+        Assert.Null(code);
+        Assert.Null(message);
+    }
+
+    [Fact]
+    public void Validate_Blocks_ExternalUrl_WhenSealed()
+    {
+        var enforcer = new AirgapModeEnforcer(Microsoft.Extensions.Options.Options.Create(new AirgapOptions { SealedMode = true, MirrorOnly = true }), NullLogger<AirgapModeEnforcer>.Instance);
+        var ok = enforcer.Validate(new AirgapImportRequest { PayloadUrl = "https://example.com" }, out var code, out var message);
+
+        Assert.False(ok);
+        Assert.Equal("AIRGAP_EGRESS_BLOCKED", code);
+        Assert.NotNull(message);
+    }
+
+    [Fact]
+    public void Validate_Blocks_Untrusted_Publisher_WhenAllowlistSet()
+    {
+        var enforcer = new AirgapModeEnforcer(Microsoft.Extensions.Options.Options.Create(new AirgapOptions { SealedMode = true, TrustedPublishers = { "mirror-a" } }), NullLogger<AirgapModeEnforcer>.Instance);
+        var ok = enforcer.Validate(new AirgapImportRequest { Publisher = "mirror-b" }, out var code, out var message);
+
+        Assert.False(ok);
+        Assert.Equal("AIRGAP_SOURCE_UNTRUSTED", code);
+        Assert.NotNull(message);
+    }
+}
--- a/src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/StellaOps.Excititor.WebService.Tests.csproj
+++ b/src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/StellaOps.Excititor.WebService.Tests.csproj
@@ -29,6 +29,8 @@
  <ItemGroup>
    <Compile Remove="**/*.cs" />
    <Compile Include="AirgapImportEndpointTests.cs" />
+    <Compile Include="AirgapImportValidatorTests.cs" />
+    <Compile Include="AirgapModeEnforcerTests.cs" />
    <Compile Include="EvidenceTelemetryTests.cs" />
    <Compile Include="DevRuntimeEnvironmentStub.cs" />
    <Compile Include="TestAuthentication.cs" />