stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

consolidation of some of the modules, localization fixes, product advisories work, qa work

Browse Source
This commit is contained in:
master
2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
src/Attestor/StellaOps.Signer/AGENTS.md Normal file
View File

@@ -0,0 +1,32 @@
# Signer Guild
## Mission
Operate the StellaOps Signer service: authenticate trusted callers, enforce proofofentitlement and release integrity policy, and mint verifiable DSSE bundles (keyless or KMS-backed) for downstream attestation.
## Teams On Call
- Team 11 (Signer API)
- Team 12 (Signer Reliability & Quotas)
## Operating Principles
- Accept requests only with Authority-issued OpToks plus DPoP or mTLS sender binding; reject unsigned/cross-tenant traffic.
- Treat PoE claims as hard gates for quota, version windows, and license validity; cache results deterministically with bounded TTLs.
- Verify scanner image release signatures via OCI Referrers before signing; fail closed on ambiguity.
- Keep the hot path stateless and deterministic; persist audit trails with structured logging, metrics, and correlation IDs.
- Update `TASKS.md`, architecture notes, and tests whenever behaviour or contracts evolve.
## Key Directories
- `src/Signer/StellaOps.Signer/StellaOps.Signer.WebService/` — Minimal API host and HTTP surface (to be scaffolded).
- `src/Signer/StellaOps.Signer/StellaOps.Signer.Core/` — Domain contracts, signing pipeline, quota enforcement (to be scaffolded).
- `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/` — External clients (Authority, Licensing, Fulcio/KMS, OCI) and persistence (to be scaffolded).
- `src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/` — Unit/integration test suites (to be scaffolded).
## Required Reading
- `docs/modules/signer/architecture.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

233
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyAuditEvents.cs Normal file
View File

@@ -0,0 +1,233 @@
// -----------------------------------------------------------------------------
// CeremonyAuditEvents.cs
// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies
// Tasks: DUAL-008
// Description: Audit event definitions for dual-control ceremonies.
// -----------------------------------------------------------------------------
using System;
namespace StellaOps.Signer.Core.Ceremonies;
/// <summary>
/// Audit event types for ceremonies.
/// </summary>
public static class CeremonyAuditEvents
{
/// <summary>
/// Ceremony was created.
/// </summary>
public const string Initiated = "signer.ceremony.initiated";
/// <summary>
/// Approval was submitted.
/// </summary>
public const string Approved = "signer.ceremony.approved";
/// <summary>
/// Threshold was reached.
/// </summary>
public const string ThresholdReached = "signer.ceremony.threshold_reached";
/// <summary>
/// Operation was executed.
/// </summary>
public const string Executed = "signer.ceremony.executed";
/// <summary>
/// Ceremony expired.
/// </summary>
public const string Expired = "signer.ceremony.expired";
/// <summary>
/// Ceremony was cancelled.
/// </summary>
public const string Cancelled = "signer.ceremony.cancelled";
/// <summary>
/// Approval was rejected (invalid signature, unauthorized, etc.).
/// </summary>
public const string ApprovalRejected = "signer.ceremony.approval_rejected";
}
/// <summary>
/// Base audit event for ceremonies.
/// </summary>
public abstract record CeremonyAuditEvent
{
/// <summary>
/// Event type.
/// </summary>
public required string EventType { get; init; }
/// <summary>
/// Ceremony ID.
/// </summary>
public required Guid CeremonyId { get; init; }
/// <summary>
/// Operation type.
/// </summary>
public required CeremonyOperationType OperationType { get; init; }
/// <summary>
/// Event timestamp (UTC).
/// </summary>
public required DateTimeOffset Timestamp { get; init; }
/// <summary>
/// Actor identity.
/// </summary>
public required string Actor { get; init; }
/// <summary>
/// Tenant ID.
/// </summary>
public string? TenantId { get; init; }
/// <summary>
/// Request trace ID.
/// </summary>
public string? TraceId { get; init; }
}
/// <summary>
/// Audit event for ceremony initiation.
/// </summary>
public sealed record CeremonyInitiatedEvent : CeremonyAuditEvent
{
/// <summary>
/// Threshold required.
/// </summary>
public required int ThresholdRequired { get; init; }
/// <summary>
/// Expiration time.
/// </summary>
public required DateTimeOffset ExpiresAt { get; init; }
/// <summary>
/// Operation description.
/// </summary>
public string? Description { get; init; }
}
/// <summary>
/// Audit event for ceremony approval.
/// </summary>
public sealed record CeremonyApprovedEvent : CeremonyAuditEvent
{
/// <summary>
/// Approver identity.
/// </summary>
public required string Approver { get; init; }
/// <summary>
/// Current approval count.
/// </summary>
public required int ApprovalCount { get; init; }
/// <summary>
/// Required threshold.
/// </summary>
public required int ThresholdRequired { get; init; }
/// <summary>
/// Approval reason.
/// </summary>
public string? ApprovalReason { get; init; }
/// <summary>
/// Whether threshold was reached with this approval.
/// </summary>
public required bool ThresholdReached { get; init; }
}
/// <summary>
/// Audit event for ceremony execution.
/// </summary>
public sealed record CeremonyExecutedEvent : CeremonyAuditEvent
{
/// <summary>
/// Executor identity.
/// </summary>
public required string Executor { get; init; }
/// <summary>
/// Total approvals.
/// </summary>
public required int TotalApprovals { get; init; }
/// <summary>
/// Execution result.
/// </summary>
public required bool Success { get; init; }
/// <summary>
/// Error message if failed.
/// </summary>
public string? Error { get; init; }
/// <summary>
/// Result payload (key ID, etc.).
/// </summary>
public string? ResultPayload { get; init; }
}
/// <summary>
/// Audit event for ceremony expiration.
/// </summary>
public sealed record CeremonyExpiredEvent : CeremonyAuditEvent
{
/// <summary>
/// Approvals received before expiration.
/// </summary>
public required int ApprovalsReceived { get; init; }
/// <summary>
/// Threshold that was required.
/// </summary>
public required int ThresholdRequired { get; init; }
}
/// <summary>
/// Audit event for ceremony cancellation.
/// </summary>
public sealed record CeremonyCancelledEvent : CeremonyAuditEvent
{
/// <summary>
/// Cancellation reason.
/// </summary>
public string? Reason { get; init; }
/// <summary>
/// State at time of cancellation.
/// </summary>
public required CeremonyState StateAtCancellation { get; init; }
/// <summary>
/// Approvals received before cancellation.
/// </summary>
public required int ApprovalsReceived { get; init; }
}
/// <summary>
/// Audit event for rejected approval.
/// </summary>
public sealed record CeremonyApprovalRejectedEvent : CeremonyAuditEvent
{
/// <summary>
/// Attempted approver.
/// </summary>
public required string AttemptedApprover { get; init; }
/// <summary>
/// Rejection reason.
/// </summary>
public required string RejectionReason { get; init; }
/// <summary>
/// Error code.
/// </summary>
public required CeremonyErrorCode ErrorCode { get; init; }
}

380
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyModels.cs Normal file
View File

@@ -0,0 +1,380 @@
// -----------------------------------------------------------------------------
// CeremonyModels.cs
// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies
// Tasks: DUAL-001, DUAL-003, DUAL-004
// Description: Models for M-of-N dual-control signing ceremonies.
// -----------------------------------------------------------------------------
using System;
using System.Collections.Generic;
namespace StellaOps.Signer.Core.Ceremonies;
/// <summary>
/// State of a signing ceremony.
/// </summary>
public enum CeremonyState
{
/// <summary>
/// Ceremony created, awaiting approvals.
/// </summary>
Pending,
/// <summary>
/// Some approvals received, but threshold not yet reached.
/// </summary>
PartiallyApproved,
/// <summary>
/// Threshold reached, operation approved for execution.
/// </summary>
Approved,
/// <summary>
/// Operation executed successfully.
/// </summary>
Executed,
/// <summary>
/// Ceremony expired before threshold was reached.
/// </summary>
Expired,
/// <summary>
/// Ceremony cancelled by initiator or admin.
/// </summary>
Cancelled
}
/// <summary>
/// Type of key operation requiring ceremony approval.
/// </summary>
public enum CeremonyOperationType
{
/// <summary>
/// Generate a new signing key.
/// </summary>
KeyGeneration,
/// <summary>
/// Rotate an existing key.
/// </summary>
KeyRotation,
/// <summary>
/// Revoke a key.
/// </summary>
KeyRevocation,
/// <summary>
/// Export a key (for escrow or backup).
/// </summary>
KeyExport,
/// <summary>
/// Import a key from escrow or backup.
/// </summary>
KeyImport,
/// <summary>
/// Emergency key recovery.
/// </summary>
KeyRecovery
}
/// <summary>
/// A signing ceremony requiring M-of-N approvals.
/// </summary>
public sealed record Ceremony
{
/// <summary>
/// Unique ceremony identifier.
/// </summary>
public required Guid CeremonyId { get; init; }
/// <summary>
/// Type of operation being approved.
/// </summary>
public required CeremonyOperationType OperationType { get; init; }
/// <summary>
/// Operation-specific payload (key ID, parameters, etc.).
/// </summary>
public required CeremonyOperationPayload Payload { get; init; }
/// <summary>
/// Number of approvals required (M in M-of-N).
/// </summary>
public required int ThresholdRequired { get; init; }
/// <summary>
/// Current number of approvals received.
/// </summary>
public required int ThresholdReached { get; init; }
/// <summary>
/// Current ceremony state.
/// </summary>
public required CeremonyState State { get; init; }
/// <summary>
/// Identity of the ceremony initiator.
/// </summary>
public required string InitiatedBy { get; init; }
/// <summary>
/// When the ceremony was initiated (UTC).
/// </summary>
public required DateTimeOffset InitiatedAt { get; init; }
/// <summary>
/// When the ceremony expires (UTC).
/// </summary>
public required DateTimeOffset ExpiresAt { get; init; }
/// <summary>
/// When the operation was executed (UTC), if executed.
/// </summary>
public DateTimeOffset? ExecutedAt { get; init; }
/// <summary>
/// Collected approvals.
/// </summary>
public IReadOnlyList<CeremonyApproval> Approvals { get; init; } = [];
/// <summary>
/// Human-readable description of the ceremony.
/// </summary>
public string? Description { get; init; }
/// <summary>
/// Tenant ID if multi-tenant.
/// </summary>
public string? TenantId { get; init; }
}
/// <summary>
/// Operation-specific payload for a ceremony.
/// </summary>
public sealed record CeremonyOperationPayload
{
/// <summary>
/// Key identifier (for rotation, revocation, export).
/// </summary>
public string? KeyId { get; init; }
/// <summary>
/// Key algorithm (for generation).
/// </summary>
public string? Algorithm { get; init; }
/// <summary>
/// Key size in bits (for generation).
/// </summary>
public int? KeySize { get; init; }
/// <summary>
/// Key usage constraints.
/// </summary>
public IReadOnlyList<string>? KeyUsages { get; init; }
/// <summary>
/// Reason for the operation.
/// </summary>
public string? Reason { get; init; }
/// <summary>
/// Additional metadata.
/// </summary>
public IReadOnlyDictionary<string, string>? Metadata { get; init; }
}
/// <summary>
/// An approval for a ceremony.
/// </summary>
public sealed record CeremonyApproval
{
/// <summary>
/// Unique approval identifier.
/// </summary>
public required Guid ApprovalId { get; init; }
/// <summary>
/// Ceremony being approved.
/// </summary>
public required Guid CeremonyId { get; init; }
/// <summary>
/// Identity of the approver.
/// </summary>
public required string ApproverIdentity { get; init; }
/// <summary>
/// When the approval was given (UTC).
/// </summary>
public required DateTimeOffset ApprovedAt { get; init; }
/// <summary>
/// Cryptographic signature over the ceremony details.
/// </summary>
public required byte[] ApprovalSignature { get; init; }
/// <summary>
/// Optional reason or comment for approval.
/// </summary>
public string? ApprovalReason { get; init; }
/// <summary>
/// Key ID used for signing the approval.
/// </summary>
public string? SigningKeyId { get; init; }
/// <summary>
/// Signature algorithm used.
/// </summary>
public string? SignatureAlgorithm { get; init; }
}
/// <summary>
/// Request to create a new ceremony.
/// </summary>
public sealed record CreateCeremonyRequest
{
/// <summary>
/// Type of operation.
/// </summary>
public required CeremonyOperationType OperationType { get; init; }
/// <summary>
/// Operation payload.
/// </summary>
public required CeremonyOperationPayload Payload { get; init; }
/// <summary>
/// Override threshold (uses config default if null).
/// </summary>
public int? ThresholdOverride { get; init; }
/// <summary>
/// Override expiration minutes (uses config default if null).
/// </summary>
public int? ExpirationMinutesOverride { get; init; }
/// <summary>
/// Human-readable description.
/// </summary>
public string? Description { get; init; }
/// <summary>
/// Tenant ID if multi-tenant.
/// </summary>
public string? TenantId { get; init; }
}
/// <summary>
/// Request to approve a ceremony.
/// </summary>
public sealed record ApproveCeremonyRequest
{
/// <summary>
/// Ceremony to approve.
/// </summary>
public required Guid CeremonyId { get; init; }
/// <summary>
/// Cryptographic signature over ceremony details.
/// </summary>
public required byte[] ApprovalSignature { get; init; }
/// <summary>
/// Optional reason for approval.
/// </summary>
public string? ApprovalReason { get; init; }
/// <summary>
/// Key ID used for signing.
/// </summary>
public string? SigningKeyId { get; init; }
/// <summary>
/// Signature algorithm.
/// </summary>
public string? SignatureAlgorithm { get; init; }
}
/// <summary>
/// Result of a ceremony operation.
/// </summary>
public sealed record CeremonyResult
{
/// <summary>
/// Whether the operation succeeded.
/// </summary>
public required bool Success { get; init; }
/// <summary>
/// Updated ceremony state.
/// </summary>
public Ceremony? Ceremony { get; init; }
/// <summary>
/// Error message if failed.
/// </summary>
public string? Error { get; init; }
/// <summary>
/// Error code if failed.
/// </summary>
public CeremonyErrorCode? ErrorCode { get; init; }
}
/// <summary>
/// Ceremony error codes.
/// </summary>
public enum CeremonyErrorCode
{
/// <summary>
/// Ceremony not found.
/// </summary>
NotFound,
/// <summary>
/// Ceremony has expired.
/// </summary>
Expired,
/// <summary>
/// Ceremony already executed.
/// </summary>
AlreadyExecuted,
/// <summary>
/// Ceremony was cancelled.
/// </summary>
Cancelled,
/// <summary>
/// Approver has already approved this ceremony.
/// </summary>
DuplicateApproval,
/// <summary>
/// Approver is not authorized for this operation.
/// </summary>
UnauthorizedApprover,
/// <summary>
/// Invalid approval signature.
/// </summary>
InvalidSignature,
/// <summary>
/// Threshold configuration error.
/// </summary>
InvalidThreshold,
/// <summary>
/// Internal error.
/// </summary>
InternalError
}

159
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOptions.cs Normal file
View File

@@ -0,0 +1,159 @@
// -----------------------------------------------------------------------------
// CeremonyOptions.cs
// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies
// Tasks: DUAL-001
// Description: Configuration options for dual-control ceremonies.
// -----------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
namespace StellaOps.Signer.Core.Ceremonies;
/// <summary>
/// Configuration for dual-control signing ceremonies.
/// </summary>
public sealed class CeremonyOptions
{
/// <summary>
/// Configuration section name.
/// </summary>
public const string SectionName = "Signer:Ceremonies";
/// <summary>
/// Whether ceremony support is enabled.
/// </summary>
public bool Enabled { get; set; } = true;
/// <summary>
/// Default approval threshold (M in M-of-N).
/// </summary>
[Range(1, 10)]
public int DefaultThreshold { get; set; } = 2;
/// <summary>
/// Default ceremony expiration in minutes.
/// </summary>
[Range(5, 1440)]
public int ExpirationMinutes { get; set; } = 60;
/// <summary>
/// Per-operation configuration.
/// </summary>
public Dictionary<string, OperationCeremonyConfig> Operations { get; set; } = new();
/// <summary>
/// Notification configuration.
/// </summary>
public CeremonyNotificationConfig Notifications { get; set; } = new();
/// <summary>
/// Gets the threshold for a specific operation type.
/// </summary>
public int GetThreshold(CeremonyOperationType operationType)
{
var key = operationType.ToString().ToLowerInvariant();
if (Operations.TryGetValue(key, out var config) && config.Threshold.HasValue)
{
return config.Threshold.Value;
}
return DefaultThreshold;
}
/// <summary>
/// Gets the expiration minutes for a specific operation type.
/// </summary>
public int GetExpirationMinutes(CeremonyOperationType operationType)
{
var key = operationType.ToString().ToLowerInvariant();
if (Operations.TryGetValue(key, out var config) && config.ExpirationMinutes.HasValue)
{
return config.ExpirationMinutes.Value;
}
return ExpirationMinutes;
}
/// <summary>
/// Gets the required roles for a specific operation type.
/// </summary>
public IReadOnlyList<string> GetRequiredRoles(CeremonyOperationType operationType)
{
var key = operationType.ToString().ToLowerInvariant();
if (Operations.TryGetValue(key, out var config) && config.RequiredRoles is { Count: > 0 })
{
return config.RequiredRoles;
}
return Array.Empty<string>();
}
}
/// <summary>
/// Per-operation ceremony configuration.
/// </summary>
public sealed class OperationCeremonyConfig
{
/// <summary>
/// Approval threshold override.
/// </summary>
[Range(1, 10)]
public int? Threshold { get; set; }
/// <summary>
/// Expiration minutes override.
/// </summary>
[Range(5, 1440)]
public int? ExpirationMinutes { get; set; }
/// <summary>
/// Roles required to approve this operation.
/// </summary>
public List<string> RequiredRoles { get; set; } = [];
/// <summary>
/// Whether this operation requires a ceremony (false to bypass).
/// </summary>
public bool RequiresCeremony { get; set; } = true;
}
/// <summary>
/// Notification configuration for ceremonies.
/// </summary>
public sealed class CeremonyNotificationConfig
{
/// <summary>
/// Notification channels to use.
/// </summary>
public List<string> Channels { get; set; } = ["email"];
/// <summary>
/// Whether to notify on ceremony creation.
/// </summary>
public bool NotifyOnCreate { get; set; } = true;
/// <summary>
/// Whether to notify on each approval.
/// </summary>
public bool NotifyOnApproval { get; set; } = true;
/// <summary>
/// Whether to notify on threshold reached.
/// </summary>
public bool NotifyOnThresholdReached { get; set; } = true;
/// <summary>
/// Whether to notify on execution.
/// </summary>
public bool NotifyOnExecution { get; set; } = true;
/// <summary>
/// Whether to notify on expiration warning.
/// </summary>
public bool NotifyOnExpirationWarning { get; set; } = true;
/// <summary>
/// Minutes before expiration to send warning.
/// </summary>
[Range(5, 60)]
public int ExpirationWarningMinutes { get; set; } = 15;
}

552
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyOrchestrator.cs Normal file
View File

@@ -0,0 +1,552 @@
// -----------------------------------------------------------------------------
// CeremonyOrchestrator.cs
// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies
// Tasks: DUAL-005, DUAL-006, DUAL-007
// Description: Implementation of M-of-N dual-control ceremony orchestration.
// -----------------------------------------------------------------------------
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Core.Ceremonies;
/// <summary>
/// Orchestrates M-of-N dual-control signing ceremonies.
/// </summary>
public sealed class CeremonyOrchestrator : ICeremonyOrchestrator
{
private readonly ICeremonyRepository _repository;
private readonly ICeremonyAuditSink _auditSink;
private readonly ICeremonyApproverValidator _approverValidator;
private readonly TimeProvider _timeProvider;
private readonly CeremonyOptions _options;
private readonly ILogger<CeremonyOrchestrator> _logger;
public CeremonyOrchestrator(
ICeremonyRepository repository,
ICeremonyAuditSink auditSink,
ICeremonyApproverValidator approverValidator,
TimeProvider timeProvider,
IOptions<CeremonyOptions> options,
ILogger<CeremonyOrchestrator> logger)
{
_repository = repository ?? throw new ArgumentNullException(nameof(repository));
_auditSink = auditSink ?? throw new ArgumentNullException(nameof(auditSink));
_approverValidator = approverValidator ?? throw new ArgumentNullException(nameof(approverValidator));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<CeremonyResult> CreateCeremonyAsync(
CreateCeremonyRequest request,
string initiator,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentException.ThrowIfNullOrWhiteSpace(initiator);
if (!_options.Enabled)
{
return new CeremonyResult
{
Success = false,
Error = "Ceremonies are disabled",
ErrorCode = CeremonyErrorCode.InternalError
};
}
var now = _timeProvider.GetUtcNow();
var threshold = request.ThresholdOverride ?? _options.GetThreshold(request.OperationType);
var expirationMinutes = request.ExpirationMinutesOverride ?? _options.GetExpirationMinutes(request.OperationType);
if (threshold < 1)
{
return new CeremonyResult
{
Success = false,
Error = "Invalid threshold: must be at least 1",
ErrorCode = CeremonyErrorCode.InvalidThreshold
};
}
var ceremony = new Ceremony
{
CeremonyId = Guid.NewGuid(),
OperationType = request.OperationType,
Payload = request.Payload,
ThresholdRequired = threshold,
ThresholdReached = 0,
State = CeremonyState.Pending,
InitiatedBy = initiator,
InitiatedAt = now,
ExpiresAt = now.AddMinutes(expirationMinutes),
Description = request.Description,
TenantId = request.TenantId,
Approvals = []
};
var created = await _repository.CreateAsync(ceremony, cancellationToken);
await _auditSink.WriteAsync(new CeremonyInitiatedEvent
{
EventType = CeremonyAuditEvents.Initiated,
CeremonyId = created.CeremonyId,
OperationType = created.OperationType,
Timestamp = now,
Actor = initiator,
TenantId = request.TenantId,
ThresholdRequired = threshold,
ExpiresAt = created.ExpiresAt,
Description = request.Description
}, cancellationToken);
_logger.LogInformation(
"Ceremony {CeremonyId} created for {OperationType} by {Initiator}, threshold {Threshold}, expires {ExpiresAt}",
created.CeremonyId,
created.OperationType,
initiator,
threshold,
created.ExpiresAt.ToString("o", CultureInfo.InvariantCulture));
return new CeremonyResult
{
Success = true,
Ceremony = created
};
}
public async Task<CeremonyResult> ApproveCeremonyAsync(
ApproveCeremonyRequest request,
string approver,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentException.ThrowIfNullOrWhiteSpace(approver);
var now = _timeProvider.GetUtcNow();
var ceremony = await _repository.GetByIdAsync(request.CeremonyId, cancellationToken);
if (ceremony is null)
{
return new CeremonyResult
{
Success = false,
Error = "Ceremony not found",
ErrorCode = CeremonyErrorCode.NotFound
};
}
// Check expiration
if (now >= ceremony.ExpiresAt)
{
await _auditSink.WriteAsync(new CeremonyApprovalRejectedEvent
{
EventType = CeremonyAuditEvents.ApprovalRejected,
CeremonyId = ceremony.CeremonyId,
OperationType = ceremony.OperationType,
Timestamp = now,
Actor = approver,
AttemptedApprover = approver,
RejectionReason = "Ceremony has expired",
ErrorCode = CeremonyErrorCode.Expired
}, cancellationToken);
return new CeremonyResult
{
Success = false,
Error = "Ceremony has expired",
ErrorCode = CeremonyErrorCode.Expired
};
}
// Check state allows approval
if (!CeremonyStateMachine.CanAcceptApproval(ceremony.State))
{
var errorCode = ceremony.State switch
{
CeremonyState.Executed => CeremonyErrorCode.AlreadyExecuted,
CeremonyState.Expired => CeremonyErrorCode.Expired,
CeremonyState.Cancelled => CeremonyErrorCode.Cancelled,
_ => CeremonyErrorCode.InternalError
};
return new CeremonyResult
{
Success = false,
Error = $"Ceremony cannot accept approvals in state {ceremony.State}",
ErrorCode = errorCode
};
}
// Check for duplicate approval
if (await _repository.HasApprovedAsync(request.CeremonyId, approver, cancellationToken))
{
await _auditSink.WriteAsync(new CeremonyApprovalRejectedEvent
{
EventType = CeremonyAuditEvents.ApprovalRejected,
CeremonyId = ceremony.CeremonyId,
OperationType = ceremony.OperationType,
Timestamp = now,
Actor = approver,
AttemptedApprover = approver,
RejectionReason = "Approver has already approved this ceremony",
ErrorCode = CeremonyErrorCode.DuplicateApproval
}, cancellationToken);
return new CeremonyResult
{
Success = false,
Error = "You have already approved this ceremony",
ErrorCode = CeremonyErrorCode.DuplicateApproval
};
}
// Validate approver authorization
var validationResult = await _approverValidator.ValidateApproverAsync(
approver,
ceremony.OperationType,
request.ApprovalSignature,
cancellationToken);
if (!validationResult.IsValid)
{
await _auditSink.WriteAsync(new CeremonyApprovalRejectedEvent
{
EventType = CeremonyAuditEvents.ApprovalRejected,
CeremonyId = ceremony.CeremonyId,
OperationType = ceremony.OperationType,
Timestamp = now,
Actor = approver,
AttemptedApprover = approver,
RejectionReason = validationResult.Error ?? "Approver validation failed",
ErrorCode = validationResult.ErrorCode ?? CeremonyErrorCode.UnauthorizedApprover
}, cancellationToken);
return new CeremonyResult
{
Success = false,
Error = validationResult.Error ?? "Approver validation failed",
ErrorCode = validationResult.ErrorCode ?? CeremonyErrorCode.UnauthorizedApprover
};
}
// Add approval
var approval = new CeremonyApproval
{
ApprovalId = Guid.NewGuid(),
CeremonyId = request.CeremonyId,
ApproverIdentity = approver,
ApprovedAt = now,
ApprovalSignature = request.ApprovalSignature,
ApprovalReason = request.ApprovalReason,
SigningKeyId = request.SigningKeyId,
SignatureAlgorithm = request.SignatureAlgorithm
};
await _repository.AddApprovalAsync(approval, cancellationToken);
// Compute new state
var newThresholdReached = ceremony.ThresholdReached + 1;
var newState = CeremonyStateMachine.ComputeStateAfterApproval(
ceremony.State,
ceremony.ThresholdRequired,
newThresholdReached);
var updated = await _repository.UpdateStateAsync(
ceremony.CeremonyId,
newState,
newThresholdReached,
cancellationToken: cancellationToken);
var thresholdReached = newThresholdReached >= ceremony.ThresholdRequired;
await _auditSink.WriteAsync(new CeremonyApprovedEvent
{
EventType = CeremonyAuditEvents.Approved,
CeremonyId = ceremony.CeremonyId,
OperationType = ceremony.OperationType,
Timestamp = now,
Actor = approver,
Approver = approver,
ApprovalCount = newThresholdReached,
ThresholdRequired = ceremony.ThresholdRequired,
ApprovalReason = request.ApprovalReason,
ThresholdReached = thresholdReached
}, cancellationToken);
if (thresholdReached)
{
await _auditSink.WriteAsync(new CeremonyApprovedEvent
{
EventType = CeremonyAuditEvents.ThresholdReached,
CeremonyId = ceremony.CeremonyId,
OperationType = ceremony.OperationType,
Timestamp = now,
Actor = approver,
Approver = approver,
ApprovalCount = newThresholdReached,
ThresholdRequired = ceremony.ThresholdRequired,
ThresholdReached = true
}, cancellationToken);
_logger.LogInformation(
"Ceremony {CeremonyId} reached threshold {Threshold}, ready for execution",
ceremony.CeremonyId,
ceremony.ThresholdRequired);
}
_logger.LogInformation(
"Ceremony {CeremonyId} approved by {Approver}, {Current}/{Required} approvals",
ceremony.CeremonyId,
approver,
newThresholdReached,
ceremony.ThresholdRequired);
return new CeremonyResult
{
Success = true,
Ceremony = updated
};
}
public async Task<Ceremony?> GetCeremonyAsync(
Guid ceremonyId,
CancellationToken cancellationToken = default)
{
return await _repository.GetByIdAsync(ceremonyId, cancellationToken);
}
public async Task<IReadOnlyList<Ceremony>> ListCeremoniesAsync(
CeremonyFilter? filter = null,
CancellationToken cancellationToken = default)
{
return await _repository.ListAsync(filter, cancellationToken);
}
public async Task<CeremonyResult> ExecuteCeremonyAsync(
Guid ceremonyId,
string executor,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(executor);
var now = _timeProvider.GetUtcNow();
var ceremony = await _repository.GetByIdAsync(ceremonyId, cancellationToken);
if (ceremony is null)
{
return new CeremonyResult
{
Success = false,
Error = "Ceremony not found",
ErrorCode = CeremonyErrorCode.NotFound
};
}
if (!CeremonyStateMachine.CanExecute(ceremony.State))
{
return new CeremonyResult
{
Success = false,
Error = $"Ceremony cannot be executed in state {ceremony.State}",
ErrorCode = ceremony.State == CeremonyState.Executed
? CeremonyErrorCode.AlreadyExecuted
: CeremonyErrorCode.InternalError
};
}
// Check expiration
if (now >= ceremony.ExpiresAt)
{
return new CeremonyResult
{
Success = false,
Error = "Ceremony execution window has expired",
ErrorCode = CeremonyErrorCode.Expired
};
}
var updated = await _repository.UpdateStateAsync(
ceremonyId,
CeremonyState.Executed,
ceremony.ThresholdReached,
now,
cancellationToken);
await _auditSink.WriteAsync(new CeremonyExecutedEvent
{
EventType = CeremonyAuditEvents.Executed,
CeremonyId = ceremonyId,
OperationType = ceremony.OperationType,
Timestamp = now,
Actor = executor,
Executor = executor,
TotalApprovals = ceremony.ThresholdReached,
Success = true
}, cancellationToken);
_logger.LogInformation(
"Ceremony {CeremonyId} executed by {Executor}",
ceremonyId,
executor);
return new CeremonyResult
{
Success = true,
Ceremony = updated
};
}
public async Task<CeremonyResult> CancelCeremonyAsync(
Guid ceremonyId,
string canceller,
string? reason = null,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(canceller);
var now = _timeProvider.GetUtcNow();
var ceremony = await _repository.GetByIdAsync(ceremonyId, cancellationToken);
if (ceremony is null)
{
return new CeremonyResult
{
Success = false,
Error = "Ceremony not found",
ErrorCode = CeremonyErrorCode.NotFound
};
}
if (!CeremonyStateMachine.CanCancel(ceremony.State))
{
return new CeremonyResult
{
Success = false,
Error = $"Ceremony cannot be cancelled in state {ceremony.State}",
ErrorCode = CeremonyErrorCode.InternalError
};
}
var previousState = ceremony.State;
var updated = await _repository.UpdateStateAsync(
ceremonyId,
CeremonyState.Cancelled,
ceremony.ThresholdReached,
cancellationToken: cancellationToken);
await _auditSink.WriteAsync(new CeremonyCancelledEvent
{
EventType = CeremonyAuditEvents.Cancelled,
CeremonyId = ceremonyId,
OperationType = ceremony.OperationType,
Timestamp = now,
Actor = canceller,
Reason = reason,
StateAtCancellation = previousState,
ApprovalsReceived = ceremony.ThresholdReached
}, cancellationToken);
_logger.LogInformation(
"Ceremony {CeremonyId} cancelled by {Canceller}: {Reason}",
ceremonyId,
canceller,
reason ?? "(no reason provided)");
return new CeremonyResult
{
Success = true,
Ceremony = updated
};
}
public async Task<int> ProcessExpiredCeremoniesAsync(
CancellationToken cancellationToken = default)
{
var now = _timeProvider.GetUtcNow();
var expired = await _repository.GetExpiredCeremoniesAsync(now, cancellationToken);
if (expired.Count == 0)
{
return 0;
}
var ids = new List<Guid>(expired.Count);
foreach (var ceremony in expired)
{
ids.Add(ceremony.CeremonyId);
await _auditSink.WriteAsync(new CeremonyExpiredEvent
{
EventType = CeremonyAuditEvents.Expired,
CeremonyId = ceremony.CeremonyId,
OperationType = ceremony.OperationType,
Timestamp = now,
Actor = "system",
ApprovalsReceived = ceremony.ThresholdReached,
ThresholdRequired = ceremony.ThresholdRequired
}, cancellationToken);
}
var count = await _repository.MarkExpiredAsync(ids, cancellationToken);
_logger.LogInformation("Marked {Count} ceremonies as expired", count);
return count;
}
}
/// <summary>
/// Interface for ceremony audit logging.
/// </summary>
public interface ICeremonyAuditSink
{
/// <summary>
/// Writes an audit event.
/// </summary>
Task WriteAsync(CeremonyAuditEvent auditEvent, CancellationToken cancellationToken = default);
}
/// <summary>
/// Interface for validating ceremony approvers.
/// </summary>
public interface ICeremonyApproverValidator
{
/// <summary>
/// Validates an approver for a ceremony operation.
/// </summary>
Task<ApproverValidationResult> ValidateApproverAsync(
string approverIdentity,
CeremonyOperationType operationType,
byte[] signature,
CancellationToken cancellationToken = default);
}
/// <summary>
/// Result of approver validation.
/// </summary>
public sealed record ApproverValidationResult
{
/// <summary>
/// Whether the approver is valid.
/// </summary>
public required bool IsValid { get; init; }
/// <summary>
/// Error message if invalid.
/// </summary>
public string? Error { get; init; }
/// <summary>
/// Error code if invalid.
/// </summary>
public CeremonyErrorCode? ErrorCode { get; init; }
}

140
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/CeremonyStateMachine.cs Normal file
View File

@@ -0,0 +1,140 @@
// -----------------------------------------------------------------------------
// CeremonyStateMachine.cs
// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies
// Tasks: DUAL-003
// Description: State machine for ceremony lifecycle management.
// -----------------------------------------------------------------------------
using System;
namespace StellaOps.Signer.Core.Ceremonies;
/// <summary>
/// Manages ceremony state transitions.
/// </summary>
public static class CeremonyStateMachine
{
/// <summary>
/// Determines if a state transition is valid.
/// </summary>
/// <param name="currentState">Current ceremony state.</param>
/// <param name="targetState">Target state.</param>
/// <returns>True if transition is valid.</returns>
public static bool IsValidTransition(CeremonyState currentState, CeremonyState targetState)
{
return (currentState, targetState) switch
{
// From Pending
(CeremonyState.Pending, CeremonyState.PartiallyApproved) => true,
(CeremonyState.Pending, CeremonyState.Approved) => true, // Direct approval if threshold = 1
(CeremonyState.Pending, CeremonyState.Expired) => true,
(CeremonyState.Pending, CeremonyState.Cancelled) => true,
// From PartiallyApproved
(CeremonyState.PartiallyApproved, CeremonyState.PartiallyApproved) => true, // More approvals
(CeremonyState.PartiallyApproved, CeremonyState.Approved) => true,
(CeremonyState.PartiallyApproved, CeremonyState.Expired) => true,
(CeremonyState.PartiallyApproved, CeremonyState.Cancelled) => true,
// From Approved
(CeremonyState.Approved, CeremonyState.Executed) => true,
(CeremonyState.Approved, CeremonyState.Expired) => true, // Execution window expired
(CeremonyState.Approved, CeremonyState.Cancelled) => true,
// Terminal states - no transitions
(CeremonyState.Executed, _) => false,
(CeremonyState.Expired, _) => false,
(CeremonyState.Cancelled, _) => false,
// Same state is not a transition
_ when currentState == targetState => false,
// All other transitions are invalid
_ => false
};
}
/// <summary>
/// Computes the next state after an approval.
/// </summary>
/// <param name="currentState">Current ceremony state.</param>
/// <param name="thresholdRequired">Number of approvals required.</param>
/// <param name="thresholdReached">Number of approvals received (after this approval).</param>
/// <returns>Next state.</returns>
public static CeremonyState ComputeStateAfterApproval(
CeremonyState currentState,
int thresholdRequired,
int thresholdReached)
{
if (currentState is CeremonyState.Executed or CeremonyState.Expired or CeremonyState.Cancelled)
{
throw new InvalidOperationException($"Cannot approve ceremony in state {currentState}");
}
if (thresholdReached >= thresholdRequired)
{
return CeremonyState.Approved;
}
return CeremonyState.PartiallyApproved;
}
/// <summary>
/// Checks if a ceremony can accept approvals.
/// </summary>
/// <param name="state">Current ceremony state.</param>
/// <returns>True if approvals can be added.</returns>
public static bool CanAcceptApproval(CeremonyState state)
{
return state is CeremonyState.Pending or CeremonyState.PartiallyApproved;
}
/// <summary>
/// Checks if a ceremony can be executed.
/// </summary>
/// <param name="state">Current ceremony state.</param>
/// <returns>True if the ceremony can be executed.</returns>
public static bool CanExecute(CeremonyState state)
{
return state == CeremonyState.Approved;
}
/// <summary>
/// Checks if a ceremony can be cancelled.
/// </summary>
/// <param name="state">Current ceremony state.</param>
/// <returns>True if the ceremony can be cancelled.</returns>
public static bool CanCancel(CeremonyState state)
{
return state is CeremonyState.Pending or CeremonyState.PartiallyApproved or CeremonyState.Approved;
}
/// <summary>
/// Checks if a ceremony is in a terminal state.
/// </summary>
/// <param name="state">Current ceremony state.</param>
/// <returns>True if the ceremony is in a terminal state.</returns>
public static bool IsTerminalState(CeremonyState state)
{
return state is CeremonyState.Executed or CeremonyState.Expired or CeremonyState.Cancelled;
}
/// <summary>
/// Gets a human-readable description of the state.
/// </summary>
/// <param name="state">Ceremony state.</param>
/// <returns>Human-readable description.</returns>
public static string GetStateDescription(CeremonyState state)
{
return state switch
{
CeremonyState.Pending => "Awaiting approvals",
CeremonyState.PartiallyApproved => "Some approvals received, awaiting more",
CeremonyState.Approved => "All approvals received, ready for execution",
CeremonyState.Executed => "Operation executed successfully",
CeremonyState.Expired => "Ceremony expired before completion",
CeremonyState.Cancelled => "Ceremony was cancelled",
_ => "Unknown state"
};
}
}

153
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyOrchestrator.cs Normal file
View File

@@ -0,0 +1,153 @@
// -----------------------------------------------------------------------------
// ICeremonyOrchestrator.cs
// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies
// Tasks: DUAL-002
// Description: Interface for M-of-N dual-control ceremony orchestration.
// -----------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Core.Ceremonies;
/// <summary>
/// Orchestrates M-of-N dual-control signing ceremonies.
/// </summary>
public interface ICeremonyOrchestrator
{
/// <summary>
/// Creates a new ceremony for the specified operation.
/// </summary>
/// <param name="request">Ceremony creation request.</param>
/// <param name="initiator">Identity of the ceremony initiator.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Result containing the created ceremony or error.</returns>
Task<CeremonyResult> CreateCeremonyAsync(
CreateCeremonyRequest request,
string initiator,
CancellationToken cancellationToken = default);
/// <summary>
/// Submits an approval for a ceremony.
/// </summary>
/// <param name="request">Approval request.</param>
/// <param name="approver">Identity of the approver.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Result containing the updated ceremony or error.</returns>
Task<CeremonyResult> ApproveCeremonyAsync(
ApproveCeremonyRequest request,
string approver,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets a ceremony by ID.
/// </summary>
/// <param name="ceremonyId">Ceremony identifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The ceremony or null if not found.</returns>
Task<Ceremony?> GetCeremonyAsync(
Guid ceremonyId,
CancellationToken cancellationToken = default);
/// <summary>
/// Lists ceremonies with optional filters.
/// </summary>
/// <param name="filter">Optional filter criteria.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>List of ceremonies matching the filter.</returns>
Task<IReadOnlyList<Ceremony>> ListCeremoniesAsync(
CeremonyFilter? filter = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Executes an approved ceremony.
/// </summary>
/// <param name="ceremonyId">Ceremony to execute.</param>
/// <param name="executor">Identity of the executor.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Result of the execution.</returns>
Task<CeremonyResult> ExecuteCeremonyAsync(
Guid ceremonyId,
string executor,
CancellationToken cancellationToken = default);
/// <summary>
/// Cancels a pending ceremony.
/// </summary>
/// <param name="ceremonyId">Ceremony to cancel.</param>
/// <param name="canceller">Identity of the canceller.</param>
/// <param name="reason">Reason for cancellation.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Result of the cancellation.</returns>
Task<CeremonyResult> CancelCeremonyAsync(
Guid ceremonyId,
string canceller,
string? reason = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Processes expired ceremonies (background task).
/// </summary>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Number of ceremonies marked as expired.</returns>
Task<int> ProcessExpiredCeremoniesAsync(
CancellationToken cancellationToken = default);
}
/// <summary>
/// Filter criteria for listing ceremonies.
/// </summary>
public sealed record CeremonyFilter
{
/// <summary>
/// Filter by state.
/// </summary>
public CeremonyState? State { get; init; }
/// <summary>
/// Filter by operation type.
/// </summary>
public CeremonyOperationType? OperationType { get; init; }
/// <summary>
/// Filter by initiator.
/// </summary>
public string? InitiatedBy { get; init; }
/// <summary>
/// Filter by pending approver (shows ceremonies the user can approve).
/// </summary>
public string? PendingApprover { get; init; }
/// <summary>
/// Filter ceremonies initiated after this time.
/// </summary>
public DateTimeOffset? InitiatedAfter { get; init; }
/// <summary>
/// Filter ceremonies initiated before this time.
/// </summary>
public DateTimeOffset? InitiatedBefore { get; init; }
/// <summary>
/// Include expired ceremonies.
/// </summary>
public bool IncludeExpired { get; init; }
/// <summary>
/// Maximum number of results.
/// </summary>
public int? Limit { get; init; }
/// <summary>
/// Offset for pagination.
/// </summary>
public int? Offset { get; init; }
/// <summary>
/// Tenant ID filter.
/// </summary>
public string? TenantId { get; init; }
}

117
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/Ceremonies/ICeremonyRepository.cs Normal file
View File

@@ -0,0 +1,117 @@
// -----------------------------------------------------------------------------
// ICeremonyRepository.cs
// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies
// Tasks: DUAL-009
// Description: Repository interface for ceremony persistence.
// -----------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Core.Ceremonies;
/// <summary>
/// Repository for ceremony persistence.
/// </summary>
public interface ICeremonyRepository
{
/// <summary>
/// Creates a new ceremony.
/// </summary>
/// <param name="ceremony">Ceremony to create.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Created ceremony with generated ID.</returns>
Task<Ceremony> CreateAsync(
Ceremony ceremony,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets a ceremony by ID.
/// </summary>
/// <param name="ceremonyId">Ceremony ID.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The ceremony or null if not found.</returns>
Task<Ceremony?> GetByIdAsync(
Guid ceremonyId,
CancellationToken cancellationToken = default);
/// <summary>
/// Updates a ceremony's state and threshold.
/// </summary>
/// <param name="ceremonyId">Ceremony ID.</param>
/// <param name="newState">New state.</param>
/// <param name="thresholdReached">New threshold reached count.</param>
/// <param name="executedAt">Execution timestamp if executed.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Updated ceremony.</returns>
Task<Ceremony?> UpdateStateAsync(
Guid ceremonyId,
CeremonyState newState,
int thresholdReached,
DateTimeOffset? executedAt = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Adds an approval to a ceremony.
/// </summary>
/// <param name="approval">Approval to add.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Created approval.</returns>
Task<CeremonyApproval> AddApprovalAsync(
CeremonyApproval approval,
CancellationToken cancellationToken = default);
/// <summary>
/// Checks if an approver has already approved a ceremony.
/// </summary>
/// <param name="ceremonyId">Ceremony ID.</param>
/// <param name="approverIdentity">Approver identity.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if already approved.</returns>
Task<bool> HasApprovedAsync(
Guid ceremonyId,
string approverIdentity,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets approvals for a ceremony.
/// </summary>
/// <param name="ceremonyId">Ceremony ID.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>List of approvals.</returns>
Task<IReadOnlyList<CeremonyApproval>> GetApprovalsAsync(
Guid ceremonyId,
CancellationToken cancellationToken = default);
/// <summary>
/// Lists ceremonies matching a filter.
/// </summary>
/// <param name="filter">Filter criteria.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>List of ceremonies.</returns>
Task<IReadOnlyList<Ceremony>> ListAsync(
CeremonyFilter? filter = null,
CancellationToken cancellationToken = default);
/// <summary>
/// Gets ceremonies that have expired but are not yet marked as expired.
/// </summary>
/// <param name="asOf">Time to check expiration against.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>List of expired ceremonies.</returns>
Task<IReadOnlyList<Ceremony>> GetExpiredCeremoniesAsync(
DateTimeOffset asOf,
CancellationToken cancellationToken = default);
/// <summary>
/// Marks ceremonies as expired in bulk.
/// </summary>
/// <param name="ceremonyIds">Ceremony IDs to expire.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>Number of ceremonies updated.</returns>
Task<int> MarkExpiredAsync(
IEnumerable<Guid> ceremonyIds,
CancellationToken cancellationToken = default);
}

396
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/PredicateTypes.cs Normal file
View File

@@ -0,0 +1,396 @@
using System.Collections.Generic;
using System.Linq;
namespace StellaOps.Signer.Core;
/// <summary>
/// Well-known predicate type URIs used in StellaOps attestations.
/// </summary>
public static class PredicateTypes
{
/// <summary>
/// SLSA Provenance v0.2 predicate type.
/// </summary>
public const string SlsaProvenanceV02 = "https://slsa.dev/provenance/v0.2";
/// <summary>
/// SLSA Provenance v1.0 predicate type.
/// </summary>
public const string SlsaProvenanceV1 = "https://slsa.dev/provenance/v1";
/// <summary>
/// StellaOps Promotion attestation predicate type.
/// </summary>
public const string StellaOpsPromotion = "stella.ops/promotion@v1";
/// <summary>
/// StellaOps SBOM attestation predicate type.
/// </summary>
public const string StellaOpsSbom = "stella.ops/sbom@v1";
/// <summary>
/// StellaOps VEX attestation predicate type.
/// </summary>
public const string StellaOpsVex = "stella.ops/vex@v1";
/// <summary>
/// StellaOps Replay manifest attestation predicate type.
/// </summary>
public const string StellaOpsReplay = "stella.ops/replay@v1";
/// <summary>
/// StellaOps Policy evaluation result predicate type.
/// </summary>
public const string StellaOpsPolicy = "stella.ops/policy@v1";
/// <summary>
/// StellaOps Policy Decision attestation predicate type.
/// Sprint: SPRINT_3801_0001_0001_policy_decision_attestation
/// Captures policy gate results with references to input evidence (SBOM, VEX, RichGraph).
/// </summary>
public const string StellaOpsPolicyDecision = "stella.ops/policy-decision@v1";
/// <summary>
/// StellaOps Evidence chain predicate type.
/// </summary>
public const string StellaOpsEvidence = "stella.ops/evidence@v1";
/// <summary>
/// StellaOps VEX Decision predicate type for OpenVEX policy decisions.
/// Used by Policy Engine to sign per-finding OpenVEX statements with reachability evidence.
/// </summary>
public const string StellaOpsVexDecision = "stella.ops/vexDecision@v1";
/// <summary>
/// StellaOps Graph predicate type for reachability call-graph attestations.
/// Used by Scanner to sign richgraph-v1 manifests with deterministic ordering.
/// </summary>
public const string StellaOpsGraph = "stella.ops/graph@v1";
/// <summary>
/// StellaOps Reachability Witness predicate type for DSSE attestations.
/// Sprint: SPRINT_3620_0001_0001_reachability_witness_dsse
/// Cryptographic proof that specific reachability analysis was performed.
/// </summary>
public const string StellaOpsReachabilityWitness = "stella.ops/reachabilityWitness@v1";
/// <summary>
/// StellaOps Path Witness predicate type for DSSE attestations.
/// Sprint: SPRINT_3700_0001_0001 (WIT-007C)
/// Cryptographic proof of a specific entrypoint to sink path.
/// Used by PathWitnessBuilder to sign individual path witnesses.
/// </summary>
public const string StellaOpsPathWitness = "stella.ops/pathWitness@v1";
// Sprint: SPRINT_20260112_015_SIGNER_path_witness_predicate (SIGNER-PW-001)
// Canonical predicate type and aliases for path witness attestations.
/// <summary>
/// Canonical Path Witness predicate type (SIGNER-PW-001).
/// </summary>
public const string PathWitnessCanonical = "https://stella.ops/predicates/path-witness/v1";
/// <summary>
/// Path Witness predicate alias 1 (SIGNER-PW-001).
/// </summary>
public const string PathWitnessAlias1 = "stella.ops/pathWitness@v1";
/// <summary>
/// Path Witness predicate alias 2 (SIGNER-PW-001).
/// </summary>
public const string PathWitnessAlias2 = "https://stella.ops/pathWitness/v1";
/// <summary>
/// StellaOps Reachability Drift predicate type for DSSE attestations.
/// Sprint: SPRINT_3600_0004_0001_ui_evidence_chain (UI-014)
/// Cryptographic proof of reachability changes between scans.
/// Used by DriftAttestationService to sign drift analysis results.
/// </summary>
public const string StellaOpsReachabilityDrift = "stellaops.dev/predicates/reachability-drift@v1";
/// <summary>
/// StellaOps Verdict predicate type for security assessment results.
/// Sprint: SPRINT_20251226_001_SIGNER_fulcio_keyless_client
/// Captures the final security verdict for an artifact, including:
/// - Pass/Warn/Fail status with gate evaluation results
/// - Delta summary (newly reachable/unreachable CVEs)
/// - References to supporting evidence (SBOM, VEX, reachability graph)
/// - Risk metrics (CVSS, EPSS, KEV status)
/// Used by keyless signing workflows to attest verdicts in CI/CD pipelines.
/// </summary>
public const string StellaOpsVerdict = "stella.ops/verdict@v1";
/// <summary>
/// StellaOps Verdict predicate type alternate URI form (legacy compatibility).
/// </summary>
public const string StellaOpsVerdictAlt = "verdict.stella/v1";
// -------------------------------------------------------------------------
// Delta Predicate Types
// Sprint: SPRINT_20251228_007_BE_sbom_lineage_graph_ii (LIN-BE-024)
// Delta attestations capture changes between lineage node versions.
// -------------------------------------------------------------------------
/// <summary>
/// StellaOps VEX Delta predicate type.
/// Captures changes in VEX consensus status between two SBOM versions.
/// Contains: from_digest, to_digest, status_changes[], new_vulns[], resolved_vulns[].
/// </summary>
public const string StellaOpsVexDelta = "stella.ops/vex-delta@v1";
/// <summary>
/// StellaOps SBOM Delta predicate type.
/// Captures changes in SBOM composition between two versions.
/// Contains: from_digest, to_digest, components_added[], components_removed[],
/// version_changes[], license_changes[].
/// </summary>
public const string StellaOpsSbomDelta = "stella.ops/sbom-delta@v1";
/// <summary>
/// StellaOps Verdict Delta predicate type.
/// Captures changes in security verdicts between two evaluations.
/// Contains: from_digest, to_digest, gate_changes[], risk_delta,
/// reachability_delta, attestation_refs[].
/// </summary>
public const string StellaOpsVerdictDelta = "stella.ops/verdict-delta@v1";
/// <summary>
/// StellaOps Reachability Delta predicate type.
/// Captures changes in reachability analysis between two versions.
/// Contains: from_digest, to_digest, paths_added, paths_removed,
/// gates_changed[], entrypoints_changed[].
/// </summary>
public const string StellaOpsReachabilityDelta = "stella.ops/reachability-delta@v1";
// -------------------------------------------------------------------------
// Runtime Linkage Verification Types
// Sprint: SPRINT_20260122_039_Scanner_runtime_linkage_verification (RLV-001)
// Function map predicates for runtime→static linkage verification.
// -------------------------------------------------------------------------
/// <summary>
/// StellaOps Function Map predicate type (canonical).
/// Declares expected call-paths for runtime observation verification.
/// Contains: service, expectedPaths[], coverage thresholds.
/// Used by runtime linkage verification to prove runtime matches static analysis.
/// </summary>
public const string StellaOpsFunctionMap = "https://stella.ops/predicates/function-map/v1";
/// <summary>
/// StellaOps Function Map predicate type (legacy alias).
/// </summary>
public const string StellaOpsFunctionMapAlias = "stella.ops/functionMap@v1";
// -------------------------------------------------------------------------
// Runtime Evidence Types
// Sprint: SPRINT_0127_0002_Signals_ebpf_syscall_reachability_proofs (SIGNING-001)
// Runtime evidence predicates for eBPF-collected syscall/uprobe evidence chunks.
// -------------------------------------------------------------------------
/// <summary>
/// StellaOps Runtime Evidence predicate type.
/// Captures signed evidence chunks from eBPF runtime observation.
/// Contains: chunk_id, chunk_sequence, previous_chunk_id, event_count,
/// time_range, collector_version, kernel_version.
/// Used by EvidenceChunkFinalizer to sign rotating NDJSON chunks.
/// </summary>
public const string StellaOpsRuntimeEvidence = "stella.ops/runtime-evidence@v1";
/// <summary>
/// StellaOps Runtime Evidence predicate type (canonical URL form).
/// </summary>
public const string StellaOpsRuntimeEvidenceCanonical = "https://stella.ops/predicates/runtime-evidence/v1";
/// <summary>
/// CycloneDX SBOM predicate type.
/// </summary>
public const string CycloneDxSbom = "https://cyclonedx.org/bom";
/// <summary>
/// SPDX SBOM predicate type.
/// </summary>
public const string SpdxSbom = "https://spdx.dev/Document";
/// <summary>
/// OpenVEX predicate type.
/// </summary>
public const string OpenVex = "https://openvex.dev/ns";
/// <summary>
/// Determines if the predicate type is a well-known StellaOps type.
/// Sprint: SPRINT_20260112_015_SIGNER_path_witness_predicate (SIGNER-PW-003)
/// Updated to recognize https://stella.ops/ and https://stella-ops.org/ URIs as StellaOps types.
/// </summary>
public static bool IsStellaOpsType(string predicateType)
{
if (string.IsNullOrEmpty(predicateType))
return false;
// Legacy format: stella.ops/type@version
if (predicateType.StartsWith("stella.ops/", StringComparison.Ordinal))
return true;
// Canonical HTTPS format: https://stella.ops/predicates/...
if (predicateType.StartsWith("https://stella.ops/", StringComparison.Ordinal))
return true;
// Alternate domain format: https://stella-ops.org/predicates/...
if (predicateType.StartsWith("https://stella-ops.org/", StringComparison.Ordinal))
return true;
return false;
}
/// <summary>
/// Determines if the predicate type is a SLSA provenance type.
/// </summary>
public static bool IsSlsaProvenance(string predicateType)
{
return predicateType?.StartsWith("https://slsa.dev/provenance/", StringComparison.Ordinal) == true;
}
/// <summary>
/// Determines if the predicate type is a VEX-related type that should contain OpenVEX payload.
/// </summary>
public static bool IsVexRelatedType(string predicateType)
{
return predicateType == StellaOpsVex
|| predicateType == StellaOpsVexDecision
|| predicateType == OpenVex;
}
/// <summary>
/// Determines if the predicate type is a reachability-related type.
/// </summary>
public static bool IsReachabilityRelatedType(string predicateType)
{
return predicateType == StellaOpsGraph
|| predicateType == StellaOpsReplay
|| predicateType == StellaOpsEvidence
|| predicateType == StellaOpsReachabilityWitness
|| predicateType == StellaOpsPathWitness
|| predicateType == StellaOpsReachabilityDrift
|| predicateType == StellaOpsReachabilityDelta
// Path Witness canonical and aliases (SIGNER-PW-001)
|| predicateType == PathWitnessCanonical
|| predicateType == PathWitnessAlias1
|| predicateType == PathWitnessAlias2
// Function Map types (RLV-001)
|| predicateType == StellaOpsFunctionMap
|| predicateType == StellaOpsFunctionMapAlias
// Runtime Evidence types (SIGNING-001)
|| predicateType == StellaOpsRuntimeEvidence
|| predicateType == StellaOpsRuntimeEvidenceCanonical;
}
/// <summary>
/// Determines if the predicate type is a function map type (canonical or alias).
/// Sprint: SPRINT_20260122_039_Scanner_runtime_linkage_verification (RLV-001)
/// </summary>
public static bool IsFunctionMapType(string predicateType)
{
return predicateType == StellaOpsFunctionMap
|| predicateType == StellaOpsFunctionMapAlias;
}
/// <summary>
/// Determines if the predicate type is a runtime evidence type (canonical or legacy).
/// Sprint: SPRINT_0127_0002_Signals_ebpf_syscall_reachability_proofs (SIGNING-001)
/// </summary>
public static bool IsRuntimeEvidenceType(string predicateType)
{
return predicateType == StellaOpsRuntimeEvidence
|| predicateType == StellaOpsRuntimeEvidenceCanonical;
}
/// <summary>
/// Determines if the predicate type is a path witness type (canonical or alias).
/// Sprint: SPRINT_20260112_015_SIGNER_path_witness_predicate (SIGNER-PW-001)
/// </summary>
public static bool IsPathWitnessType(string predicateType)
{
return predicateType == PathWitnessCanonical
|| predicateType == PathWitnessAlias1
|| predicateType == PathWitnessAlias2
|| predicateType == StellaOpsPathWitness;
}
/// <summary>
/// Determines if the predicate type is a verdict/decision type.
/// </summary>
public static bool IsVerdictType(string predicateType)
{
return predicateType == StellaOpsVerdict
|| predicateType == StellaOpsVerdictAlt
|| predicateType == StellaOpsPolicy
|| predicateType == StellaOpsPolicyDecision
|| predicateType == StellaOpsVerdictDelta;
}
/// <summary>
/// Determines if the predicate type is a delta/change tracking type.
/// Sprint: LIN-BE-024
/// </summary>
public static bool IsDeltaType(string predicateType)
{
return predicateType == StellaOpsVexDelta
|| predicateType == StellaOpsSbomDelta
|| predicateType == StellaOpsVerdictDelta
|| predicateType == StellaOpsReachabilityDelta;
}
/// <summary>
/// Gets the list of all allowed predicate types for the Signer.
/// </summary>
public static IReadOnlyList<string> GetAllowedPredicateTypes()
{
return new[]
{
// SLSA types
SlsaProvenanceV02,
SlsaProvenanceV1,
// StellaOps types
StellaOpsPromotion,
StellaOpsSbom,
StellaOpsVex,
StellaOpsReplay,
StellaOpsPolicy,
StellaOpsPolicyDecision,
StellaOpsEvidence,
StellaOpsVexDecision,
StellaOpsGraph,
StellaOpsReachabilityWitness,
StellaOpsPathWitness,
StellaOpsReachabilityDrift,
StellaOpsVerdict,
StellaOpsVerdictAlt,
// Path Witness canonical + aliases (SIGNER-PW-001)
PathWitnessCanonical,
PathWitnessAlias1,
PathWitnessAlias2,
// Delta types (LIN-BE-024)
StellaOpsVexDelta,
StellaOpsSbomDelta,
StellaOpsVerdictDelta,
StellaOpsReachabilityDelta,
// Function Map types (RLV-001)
StellaOpsFunctionMap,
StellaOpsFunctionMapAlias,
// Runtime Evidence types (SIGNING-001)
StellaOpsRuntimeEvidence,
StellaOpsRuntimeEvidenceCanonical,
// Third-party types
CycloneDxSbom,
SpdxSbom,
OpenVex
};
}
/// <summary>
/// Determines if the predicate type is an allowed/known type.
/// </summary>
public static bool IsAllowedPredicateType(string predicateType)
{
return GetAllowedPredicateTypes().Contains(predicateType);
}
}

462
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/Predicates/DeltaPredicateSchemas.cs Normal file
View File

@@ -0,0 +1,462 @@
// -----------------------------------------------------------------------------
// DeltaPredicateSchemas.cs
// Sprint: SPRINT_20251228_007_BE_sbom_lineage_graph_ii (LIN-BE-024)
// Task: Define delta predicate schemas for lineage change tracking
// Description: JSON-serializable models for delta predicate payloads.
// -----------------------------------------------------------------------------
using System.Collections.Immutable;
using System.Text.Json.Serialization;
namespace StellaOps.Signer.Core.Predicates;
/// <summary>
/// Base class for delta predicates capturing changes between lineage versions.
/// </summary>
public abstract record DeltaPredicateBase
{
/// <summary>
/// Digest of the source/from artifact.
/// </summary>
[JsonPropertyName("fromDigest")]
public required string FromDigest { get; init; }
/// <summary>
/// Digest of the target/to artifact.
/// </summary>
[JsonPropertyName("toDigest")]
public required string ToDigest { get; init; }
/// <summary>
/// UTC timestamp when the delta was computed.
/// </summary>
[JsonPropertyName("computedAt")]
public required DateTimeOffset ComputedAt { get; init; }
/// <summary>
/// Tenant identifier for multi-tenancy.
/// </summary>
[JsonPropertyName("tenantId")]
public string? TenantId { get; init; }
}
/// <summary>
/// VEX Delta predicate capturing VEX consensus status changes.
/// Predicate type: stella.ops/vex-delta@v1
/// </summary>
public sealed record VexDeltaPredicate : DeltaPredicateBase
{
/// <summary>
/// VEX status changes between versions.
/// </summary>
[JsonPropertyName("statusChanges")]
public ImmutableArray<VexStatusChange> StatusChanges { get; init; } = ImmutableArray<VexStatusChange>.Empty;
/// <summary>
/// New vulnerabilities discovered in the target version.
/// </summary>
[JsonPropertyName("newVulnerabilities")]
public ImmutableArray<VexVulnerabilityEntry> NewVulnerabilities { get; init; } = ImmutableArray<VexVulnerabilityEntry>.Empty;
/// <summary>
/// Vulnerabilities resolved (fixed or not_affected) in target version.
/// </summary>
[JsonPropertyName("resolvedVulnerabilities")]
public ImmutableArray<VexVulnerabilityEntry> ResolvedVulnerabilities { get; init; } = ImmutableArray<VexVulnerabilityEntry>.Empty;
/// <summary>
/// Summary statistics.
/// </summary>
[JsonPropertyName("summary")]
public required VexDeltaSummary Summary { get; init; }
}
/// <summary>
/// Individual VEX status change entry.
/// </summary>
public sealed record VexStatusChange
{
[JsonPropertyName("cve")]
public required string Cve { get; init; }
[JsonPropertyName("fromStatus")]
public required string FromStatus { get; init; }
[JsonPropertyName("toStatus")]
public required string ToStatus { get; init; }
[JsonPropertyName("fromJustification")]
public string? FromJustification { get; init; }
[JsonPropertyName("toJustification")]
public string? ToJustification { get; init; }
[JsonPropertyName("product")]
public string? Product { get; init; }
[JsonPropertyName("reason")]
public string? Reason { get; init; }
}
/// <summary>
/// Vulnerability entry in a VEX delta.
/// </summary>
public sealed record VexVulnerabilityEntry
{
[JsonPropertyName("cve")]
public required string Cve { get; init; }
[JsonPropertyName("status")]
public required string Status { get; init; }
[JsonPropertyName("severity")]
public string? Severity { get; init; }
[JsonPropertyName("cvss")]
public double? Cvss { get; init; }
[JsonPropertyName("product")]
public string? Product { get; init; }
}
/// <summary>
/// Summary of VEX delta changes.
/// </summary>
public sealed record VexDeltaSummary
{
[JsonPropertyName("statusChangeCount")]
public int StatusChangeCount { get; init; }
[JsonPropertyName("newVulnCount")]
public int NewVulnCount { get; init; }
[JsonPropertyName("resolvedVulnCount")]
public int ResolvedVulnCount { get; init; }
[JsonPropertyName("criticalNew")]
public int CriticalNew { get; init; }
[JsonPropertyName("highNew")]
public int HighNew { get; init; }
}
/// <summary>
/// SBOM Delta predicate capturing composition changes.
/// Predicate type: stella.ops/sbom-delta@v1
/// </summary>
public sealed record SbomDeltaPredicate : DeltaPredicateBase
{
/// <summary>
/// Components added in the target version.
/// </summary>
[JsonPropertyName("componentsAdded")]
public ImmutableArray<SbomComponentEntry> ComponentsAdded { get; init; } = ImmutableArray<SbomComponentEntry>.Empty;
/// <summary>
/// Components removed in the target version.
/// </summary>
[JsonPropertyName("componentsRemoved")]
public ImmutableArray<SbomComponentEntry> ComponentsRemoved { get; init; } = ImmutableArray<SbomComponentEntry>.Empty;
/// <summary>
/// Components with version changes.
/// </summary>
[JsonPropertyName("versionChanges")]
public ImmutableArray<SbomVersionChangeEntry> VersionChanges { get; init; } = ImmutableArray<SbomVersionChangeEntry>.Empty;
/// <summary>
/// Components with license changes.
/// </summary>
[JsonPropertyName("licenseChanges")]
public ImmutableArray<SbomLicenseChangeEntry> LicenseChanges { get; init; } = ImmutableArray<SbomLicenseChangeEntry>.Empty;
/// <summary>
/// Summary statistics.
/// </summary>
[JsonPropertyName("summary")]
public required SbomDeltaSummary Summary { get; init; }
}
/// <summary>
/// Component entry in SBOM delta.
/// </summary>
public sealed record SbomComponentEntry
{
[JsonPropertyName("purl")]
public string? Purl { get; init; }
[JsonPropertyName("name")]
public required string Name { get; init; }
[JsonPropertyName("version")]
public string? Version { get; init; }
[JsonPropertyName("license")]
public string? License { get; init; }
}
/// <summary>
/// Version change entry in SBOM delta.
/// </summary>
public sealed record SbomVersionChangeEntry
{
[JsonPropertyName("purl")]
public string? Purl { get; init; }
[JsonPropertyName("name")]
public required string Name { get; init; }
[JsonPropertyName("fromVersion")]
public required string FromVersion { get; init; }
[JsonPropertyName("toVersion")]
public required string ToVersion { get; init; }
}
/// <summary>
/// License change entry in SBOM delta.
/// </summary>
public sealed record SbomLicenseChangeEntry
{
[JsonPropertyName("purl")]
public string? Purl { get; init; }
[JsonPropertyName("name")]
public required string Name { get; init; }
[JsonPropertyName("fromLicense")]
public string? FromLicense { get; init; }
[JsonPropertyName("toLicense")]
public string? ToLicense { get; init; }
}
/// <summary>
/// Summary of SBOM delta changes.
/// </summary>
public sealed record SbomDeltaSummary
{
[JsonPropertyName("addedCount")]
public int AddedCount { get; init; }
[JsonPropertyName("removedCount")]
public int RemovedCount { get; init; }
[JsonPropertyName("versionChangedCount")]
public int VersionChangedCount { get; init; }
[JsonPropertyName("licenseChangedCount")]
public int LicenseChangedCount { get; init; }
}
/// <summary>
/// Verdict Delta predicate capturing security verdict changes.
/// Predicate type: stella.ops/verdict-delta@v1
/// </summary>
public sealed record VerdictDeltaPredicate : DeltaPredicateBase
{
/// <summary>
/// Gate evaluation changes.
/// </summary>
[JsonPropertyName("gateChanges")]
public ImmutableArray<GateChangeEntry> GateChanges { get; init; } = ImmutableArray<GateChangeEntry>.Empty;
/// <summary>
/// Change in overall risk assessment.
/// </summary>
[JsonPropertyName("riskDelta")]
public RiskDelta? RiskDelta { get; init; }
/// <summary>
/// Summary of reachability changes.
/// </summary>
[JsonPropertyName("reachabilityDelta")]
public ReachabilityDeltaSummary? ReachabilityDelta { get; init; }
/// <summary>
/// References to supporting attestations.
/// </summary>
[JsonPropertyName("attestationRefs")]
public ImmutableArray<AttestationRef> AttestationRefs { get; init; } = ImmutableArray<AttestationRef>.Empty;
/// <summary>
/// Summary statistics.
/// </summary>
[JsonPropertyName("summary")]
public required VerdictDeltaSummary Summary { get; init; }
}
/// <summary>
/// Gate change entry in verdict delta.
/// </summary>
public sealed record GateChangeEntry
{
[JsonPropertyName("gateName")]
public required string GateName { get; init; }
[JsonPropertyName("fromResult")]
public required string FromResult { get; init; }
[JsonPropertyName("toResult")]
public required string ToResult { get; init; }
[JsonPropertyName("reason")]
public string? Reason { get; init; }
}
/// <summary>
/// Risk score delta.
/// </summary>
public sealed record RiskDelta
{
[JsonPropertyName("fromScore")]
public double FromScore { get; init; }
[JsonPropertyName("toScore")]
public double ToScore { get; init; }
[JsonPropertyName("fromCvssMax")]
public double? FromCvssMax { get; init; }
[JsonPropertyName("toCvssMax")]
public double? ToCvssMax { get; init; }
[JsonPropertyName("kevCountChange")]
public int KevCountChange { get; init; }
}
/// <summary>
/// Reachability changes summary.
/// </summary>
public sealed record ReachabilityDeltaSummary
{
[JsonPropertyName("pathsAdded")]
public int PathsAdded { get; init; }
[JsonPropertyName("pathsRemoved")]
public int PathsRemoved { get; init; }
[JsonPropertyName("newlyReachableCves")]
public ImmutableArray<string> NewlyReachableCves { get; init; } = ImmutableArray<string>.Empty;
[JsonPropertyName("newlyUnreachableCves")]
public ImmutableArray<string> NewlyUnreachableCves { get; init; } = ImmutableArray<string>.Empty;
}
/// <summary>
/// Reference to a supporting attestation.
/// </summary>
public sealed record AttestationRef
{
[JsonPropertyName("digest")]
public required string Digest { get; init; }
[JsonPropertyName("predicateType")]
public required string PredicateType { get; init; }
[JsonPropertyName("timestamp")]
public DateTimeOffset? Timestamp { get; init; }
}
/// <summary>
/// Summary of verdict delta changes.
/// </summary>
public sealed record VerdictDeltaSummary
{
[JsonPropertyName("gateChangeCount")]
public int GateChangeCount { get; init; }
[JsonPropertyName("overallStatusChange")]
public bool OverallStatusChange { get; init; }
[JsonPropertyName("fromStatus")]
public string? FromStatus { get; init; }
[JsonPropertyName("toStatus")]
public string? ToStatus { get; init; }
}
/// <summary>
/// Reachability Delta predicate capturing call-graph changes.
/// Predicate type: stella.ops/reachability-delta@v1
/// </summary>
public sealed record ReachabilityDeltaPredicate : DeltaPredicateBase
{
/// <summary>
/// CVE identifier if this delta is for a specific vulnerability.
/// </summary>
[JsonPropertyName("cve")]
public string? Cve { get; init; }
/// <summary>
/// Number of paths added.
/// </summary>
[JsonPropertyName("pathsAdded")]
public int PathsAdded { get; init; }
/// <summary>
/// Number of paths removed.
/// </summary>
[JsonPropertyName("pathsRemoved")]
public int PathsRemoved { get; init; }
/// <summary>
/// New entrypoints discovered.
/// </summary>
[JsonPropertyName("entrypointsAdded")]
public ImmutableArray<string> EntrypointsAdded { get; init; } = ImmutableArray<string>.Empty;
/// <summary>
/// Entrypoints no longer present.
/// </summary>
[JsonPropertyName("entrypointsRemoved")]
public ImmutableArray<string> EntrypointsRemoved { get; init; } = ImmutableArray<string>.Empty;
/// <summary>
/// Gates that changed status.
/// </summary>
[JsonPropertyName("gatesChanged")]
public ImmutableArray<GateStatusChange> GatesChanged { get; init; } = ImmutableArray<GateStatusChange>.Empty;
/// <summary>
/// Summary statistics.
/// </summary>
[JsonPropertyName("summary")]
public required ReachabilityDeltaDetailSummary Summary { get; init; }
}
/// <summary>
/// Gate status change in reachability delta.
/// </summary>
public sealed record GateStatusChange
{
[JsonPropertyName("gateName")]
public required string GateName { get; init; }
[JsonPropertyName("fromStatus")]
public required string FromStatus { get; init; }
[JsonPropertyName("toStatus")]
public required string ToStatus { get; init; }
}
/// <summary>
/// Detailed summary for reachability delta.
/// </summary>
public sealed record ReachabilityDeltaDetailSummary
{
[JsonPropertyName("totalPathsAdded")]
public int TotalPathsAdded { get; init; }
[JsonPropertyName("totalPathsRemoved")]
public int TotalPathsRemoved { get; init; }
[JsonPropertyName("entrypointChangeCount")]
public int EntrypointChangeCount { get; init; }
[JsonPropertyName("gateChangeCount")]
public int GateChangeCount { get; init; }
[JsonPropertyName("reachabilityChanged")]
public bool ReachabilityChanged { get; init; }
}

55
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/SignerAbstractions.cs Normal file
View File

@@ -0,0 +1,55 @@
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Core;
public interface IProofOfEntitlementIntrospector
{
ValueTask<ProofOfEntitlementResult> IntrospectAsync(
ProofOfEntitlement proof,
CallerContext caller,
CancellationToken cancellationToken);
}
public interface IReleaseIntegrityVerifier
{
ValueTask<ReleaseVerificationResult> VerifyAsync(
string scannerImageDigest,
CancellationToken cancellationToken);
}
public interface ISignerQuotaService
{
ValueTask EnsureWithinLimitsAsync(
SigningRequest request,
ProofOfEntitlementResult entitlement,
CallerContext caller,
CancellationToken cancellationToken);
}
public interface IDsseSigner
{
ValueTask<SigningBundle> SignAsync(
SigningRequest request,
ProofOfEntitlementResult entitlement,
CallerContext caller,
CancellationToken cancellationToken);
}
public interface ISignerAuditSink
{
ValueTask<string> WriteAsync(
SigningRequest request,
SigningBundle bundle,
ProofOfEntitlementResult entitlement,
CallerContext caller,
CancellationToken cancellationToken);
}
public interface ISignerPipeline
{
ValueTask<SigningOutcome> SignAsync(
SigningRequest request,
CallerContext caller,
CancellationToken cancellationToken);
}

105
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/SignerContracts.cs Normal file
View File

@@ -0,0 +1,105 @@
using System;
using System.Collections.Generic;
using System.Text.Json;
namespace StellaOps.Signer.Core;
public enum SignerPoEFormat
{
Jwt,
Mtls,
}
public enum SigningMode
{
Keyless,
Kms,
}
public sealed record SigningSubject(
string Name,
IReadOnlyDictionary<string, string> Digest);
public sealed record ProofOfEntitlement(
SignerPoEFormat Format,
string Value);
public sealed record SigningOptions(
SigningMode Mode,
int? ExpirySeconds,
string ReturnBundle);
public sealed record SigningRequest(
IReadOnlyList<SigningSubject> Subjects,
string PredicateType,
JsonDocument Predicate,
string ScannerImageDigest,
ProofOfEntitlement ProofOfEntitlement,
SigningOptions Options);
public sealed record CallerContext(
string Subject,
string Tenant,
IReadOnlyList<string> Scopes,
IReadOnlyList<string> Audiences,
string? SenderBinding,
string? ClientCertificateThumbprint);
public sealed record ProofOfEntitlementResult(
string LicenseId,
string CustomerId,
string Plan,
int MaxArtifactBytes,
int QpsLimit,
int QpsRemaining,
DateTimeOffset ExpiresAtUtc);
public sealed record ReleaseVerificationResult(
bool Trusted,
string? ReleaseSigner);
public sealed record SigningIdentity(
string Mode,
string Issuer,
string Subject,
DateTimeOffset? ExpiresAtUtc);
public sealed record SigningMetadata(
SigningIdentity Identity,
IReadOnlyList<string> CertificateChain,
string ProviderName,
string AlgorithmId);
public sealed record SigningBundle(
DsseEnvelope Envelope,
SigningMetadata Metadata);
public sealed record PolicyCounters(
string Plan,
int MaxArtifactBytes,
int QpsRemaining);
public sealed record SigningOutcome(
SigningBundle Bundle,
PolicyCounters Policy,
string AuditId);
public sealed record SignerAuditEntry(
string AuditId,
DateTimeOffset TimestampUtc,
string Subject,
string Tenant,
string Plan,
string ScannerImageDigest,
string SigningMode,
string ProviderName,
IReadOnlyList<SigningSubject> Subjects);
public sealed record DsseEnvelope(
string Payload,
string PayloadType,
IReadOnlyList<DsseSignature> Signatures);
public sealed record DsseSignature(
string Signature,
string? KeyId);

46
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/SignerExceptions.cs Normal file
View File

@@ -0,0 +1,46 @@
using System;
namespace StellaOps.Signer.Core;
public abstract class SignerException : Exception
{
protected SignerException(string code, string message)
: base(message)
{
Code = code;
}
public string Code { get; }
}
public sealed class SignerValidationException : SignerException
{
public SignerValidationException(string code, string message)
: base(code, message)
{
}
}
public sealed class SignerAuthorizationException : SignerException
{
public SignerAuthorizationException(string code, string message)
: base(code, message)
{
}
}
public sealed class SignerReleaseVerificationException : SignerException
{
public SignerReleaseVerificationException(string code, string message)
: base(code, message)
{
}
}
public sealed class SignerQuotaException : SignerException
{
public SignerQuotaException(string code, string message)
: base(code, message)
{
}
}

147
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/SignerPipeline.cs Normal file
View File

@@ -0,0 +1,147 @@
using System;
using System.Linq;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Core;
public sealed class SignerPipeline : ISignerPipeline
{
private const string RequiredScope = "signer.sign";
private const string RequiredAudience = "signer";
private readonly IProofOfEntitlementIntrospector _poe;
private readonly IReleaseIntegrityVerifier _releaseVerifier;
private readonly ISignerQuotaService _quotaService;
private readonly IDsseSigner _signer;
private readonly ISignerAuditSink _auditSink;
private readonly TimeProvider _timeProvider;
public SignerPipeline(
IProofOfEntitlementIntrospector poe,
IReleaseIntegrityVerifier releaseVerifier,
ISignerQuotaService quotaService,
IDsseSigner signer,
ISignerAuditSink auditSink,
TimeProvider timeProvider)
{
_poe = poe ?? throw new ArgumentNullException(nameof(poe));
_releaseVerifier = releaseVerifier ?? throw new ArgumentNullException(nameof(releaseVerifier));
_quotaService = quotaService ?? throw new ArgumentNullException(nameof(quotaService));
_signer = signer ?? throw new ArgumentNullException(nameof(signer));
_auditSink = auditSink ?? throw new ArgumentNullException(nameof(auditSink));
_timeProvider = timeProvider ?? TimeProvider.System;
}
public async ValueTask<SigningOutcome> SignAsync(
SigningRequest request,
CallerContext caller,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentNullException.ThrowIfNull(caller);
ValidateCaller(caller);
ValidateRequest(request);
var entitlement = await _poe
.IntrospectAsync(request.ProofOfEntitlement, caller, cancellationToken)
.ConfigureAwait(false);
if (entitlement.ExpiresAtUtc <= _timeProvider.GetUtcNow())
{
throw new SignerAuthorizationException("entitlement_denied", "Proof of entitlement is expired.");
}
var releaseResult = await _releaseVerifier
.VerifyAsync(request.ScannerImageDigest, cancellationToken)
.ConfigureAwait(false);
if (!releaseResult.Trusted)
{
throw new SignerReleaseVerificationException("release_untrusted", "Scanner image digest failed release verification.");
}
await _quotaService
.EnsureWithinLimitsAsync(request, entitlement, caller, cancellationToken)
.ConfigureAwait(false);
var bundle = await _signer
.SignAsync(request, entitlement, caller, cancellationToken)
.ConfigureAwait(false);
var auditId = await _auditSink
.WriteAsync(request, bundle, entitlement, caller, cancellationToken)
.ConfigureAwait(false);
var outcome = new SigningOutcome(
bundle,
new PolicyCounters(entitlement.Plan, entitlement.MaxArtifactBytes, entitlement.QpsRemaining),
auditId);
return outcome;
}
private static void ValidateCaller(CallerContext caller)
{
if (string.IsNullOrWhiteSpace(caller.Subject))
{
throw new SignerAuthorizationException("invalid_caller", "Caller subject is required.");
}
if (string.IsNullOrWhiteSpace(caller.Tenant))
{
throw new SignerAuthorizationException("invalid_caller", "Caller tenant is required.");
}
if (!caller.Scopes.Contains(RequiredScope, StringComparer.OrdinalIgnoreCase))
{
throw new SignerAuthorizationException("insufficient_scope", $"Scope '{RequiredScope}' is required.");
}
if (!caller.Audiences.Contains(RequiredAudience, StringComparer.OrdinalIgnoreCase))
{
throw new SignerAuthorizationException("invalid_audience", $"Audience '{RequiredAudience}' is required.");
}
}
private static void ValidateRequest(SigningRequest request)
{
if (request.Subjects.Count == 0)
{
throw new SignerValidationException("subject_missing", "At least one subject must be provided.");
}
foreach (var subject in request.Subjects)
{
if (string.IsNullOrWhiteSpace(subject.Name))
{
throw new SignerValidationException("subject_invalid", "Subject name is required.");
}
if (subject.Digest is null || subject.Digest.Count == 0)
{
throw new SignerValidationException("subject_digest_invalid", "Subject digest is required.");
}
}
if (string.IsNullOrWhiteSpace(request.PredicateType))
{
throw new SignerValidationException("predicate_type_missing", "Predicate type is required.");
}
if (request.Predicate is null || request.Predicate.RootElement.ValueKind == JsonValueKind.Undefined)
{
throw new SignerValidationException("predicate_missing", "Predicate payload is required.");
}
if (string.IsNullOrWhiteSpace(request.ScannerImageDigest))
{
throw new SignerValidationException("scanner_digest_missing", "Scanner image digest is required.");
}
if (request.ProofOfEntitlement is null)
{
throw new SignerValidationException("poe_missing", "Proof of entitlement is required.");
}
}
}

170
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/SignerStatementBuilder.cs Normal file
View File

@@ -0,0 +1,170 @@
using StellaOps.Provenance.Attestation;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
namespace StellaOps.Signer.Core;
/// <summary>
/// Builder for in-toto statement payloads with support for StellaOps predicate types.
/// Delegates canonicalization to the Provenance library for deterministic serialization.
/// </summary>
public static class SignerStatementBuilder
{
private const string InTotoStatementTypeV01 = "https://in-toto.io/Statement/v0.1";
private const string InTotoStatementTypeV1 = "https://in-toto.io/Statement/v1";
/// <summary>
/// Builds an in-toto statement payload from a signing request.
/// Uses canonical JSON serialization for deterministic output.
/// </summary>
/// <param name="request">The signing request containing subjects and predicate.</param>
/// <returns>UTF-8 encoded canonical JSON bytes.</returns>
public static byte[] BuildStatementPayload(SigningRequest request)
{
ArgumentNullException.ThrowIfNull(request);
return BuildStatementPayload(request, InTotoStatementTypeV01);
}
/// <summary>
/// Builds an in-toto statement payload with explicit statement type version.
/// </summary>
/// <param name="request">The signing request.</param>
/// <param name="statementType">The in-toto statement type URI.</param>
/// <returns>UTF-8 encoded canonical JSON bytes.</returns>
public static byte[] BuildStatementPayload(SigningRequest request, string statementType)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentException.ThrowIfNullOrWhiteSpace(statementType);
var statement = BuildStatement(request, statementType);
return SerializeCanonical(statement);
}
/// <summary>
/// Builds an in-toto statement object from a signing request.
/// </summary>
public static InTotoStatement BuildStatement(SigningRequest request, string? statementType = null)
{
ArgumentNullException.ThrowIfNull(request);
var subjects = BuildSubjects(request.Subjects);
var predicateType = NormalizePredicateType(request.PredicateType);
return new InTotoStatement(
Type: statementType ?? InTotoStatementTypeV01,
PredicateType: predicateType,
Subject: subjects,
Predicate: request.Predicate.RootElement);
}
/// <summary>
/// Builds statement subjects with canonicalized digest entries.
/// </summary>
private static IReadOnlyList<InTotoSubject> BuildSubjects(IReadOnlyList<SigningSubject> requestSubjects)
{
var subjects = new List<InTotoSubject>(requestSubjects.Count);
foreach (var subject in requestSubjects)
{
// Sort digest keys and normalize to lowercase for determinism
var digest = new SortedDictionary<string, string>(StringComparer.Ordinal);
foreach (var kvp in subject.Digest)
{
digest[kvp.Key.ToLowerInvariant()] = kvp.Value;
}
subjects.Add(new InTotoSubject(subject.Name, digest));
}
return subjects;
}
/// <summary>
/// Normalizes predicate type URIs for consistency.
/// </summary>
private static string NormalizePredicateType(string predicateType)
{
ArgumentException.ThrowIfNullOrWhiteSpace(predicateType);
// Normalize common variations
return predicateType.Trim();
}
/// <summary>
/// Serializes the statement to canonical JSON bytes using Provenance library.
/// </summary>
private static byte[] SerializeCanonical(InTotoStatement statement)
{
// Build the statement object for serialization
var statementObj = new
{
_type = statement.Type,
predicateType = statement.PredicateType,
subject = statement.Subject.Select(s => new
{
name = s.Name,
digest = s.Digest
}).ToArray(),
predicate = statement.Predicate
};
// Use CanonicalJson from Provenance library for deterministic serialization
return CanonicalJson.SerializeToUtf8Bytes(statementObj);
}
/// <summary>
/// Validates that a predicate type is well-known and supported.
/// </summary>
/// <param name="predicateType">The predicate type URI to validate.</param>
/// <returns>True if the predicate type is well-known; false otherwise.</returns>
public static bool IsWellKnownPredicateType(string predicateType)
{
if (string.IsNullOrWhiteSpace(predicateType))
{
return false;
}
return PredicateTypes.IsStellaOpsType(predicateType) ||
PredicateTypes.IsSlsaProvenance(predicateType) ||
predicateType == PredicateTypes.CycloneDxSbom ||
predicateType == PredicateTypes.SpdxSbom ||
predicateType == PredicateTypes.OpenVex;
}
/// <summary>
/// Gets the recommended statement type version for a given predicate type.
/// </summary>
/// <param name="predicateType">The predicate type URI.</param>
/// <returns>The recommended in-toto statement type URI.</returns>
public static string GetRecommendedStatementType(string predicateType)
{
// SLSA v1 and StellaOps types should use Statement v1
if (predicateType == PredicateTypes.SlsaProvenanceV1 ||
PredicateTypes.IsStellaOpsType(predicateType))
{
return InTotoStatementTypeV1;
}
// Default to v0.1 for backwards compatibility
return InTotoStatementTypeV01;
}
}
/// <summary>
/// Represents an in-toto statement.
/// </summary>
public sealed record InTotoStatement(
string Type,
string PredicateType,
IReadOnlyList<InTotoSubject> Subject,
JsonElement Predicate);
/// <summary>
/// Represents a subject in an in-toto statement.
/// </summary>
public sealed record InTotoSubject(
string Name,
IReadOnlyDictionary<string, string> Digest);

12
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/StellaOps.Signer.Core.csproj Normal file
View File

@@ -0,0 +1,12 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="..\..\StellaOps.Provenance.Attestation\StellaOps.Provenance.Attestation.csproj" />
</ItemGroup>
</Project>

8
src/Attestor/StellaOps.Signer/StellaOps.Signer.Core/TASKS.md Normal file
View File

@@ -0,0 +1,8 @@
# StellaOps.Signer.Core Task Board
This board mirrors active sprint tasks for this module.
Source of truth: `docs/implplan/SPRINT_20260130_002_Tools_csproj_remediation_solid_review.md`.
| Task ID | Status | Notes |
| --- | --- | --- |
| REMED-05 | TODO | Remediation checklist: docs/implplan/audits/csproj-standards/remediation/checklists/src/Signer/StellaOps.Signer/StellaOps.Signer.Core/StellaOps.Signer.Core.md. |
| REMED-06 | DONE | SOLID review notes captured for SPRINT_20260130_002. |

56
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Auditing/InMemorySignerAuditSink.cs Normal file
View File

@@ -0,0 +1,56 @@
using Microsoft.Extensions.Logging;
using StellaOps.Determinism;
using StellaOps.Signer.Core;
using System;
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.Auditing;
public sealed class InMemorySignerAuditSink : ISignerAuditSink
{
private readonly ConcurrentDictionary<string, SignerAuditEntry> _entries = new(StringComparer.Ordinal);
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
private readonly ILogger<InMemorySignerAuditSink> _logger;
public InMemorySignerAuditSink(
TimeProvider timeProvider,
ILogger<InMemorySignerAuditSink> logger,
IGuidProvider? guidProvider = null)
{
_timeProvider = timeProvider ?? TimeProvider.System;
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public ValueTask<string> WriteAsync(
SigningRequest request,
SigningBundle bundle,
ProofOfEntitlementResult entitlement,
CallerContext caller,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(bundle);
ArgumentNullException.ThrowIfNull(entitlement);
ArgumentNullException.ThrowIfNull(caller);
var auditId = _guidProvider.NewGuid().ToString("d");
var entry = new SignerAuditEntry(
auditId,
_timeProvider.GetUtcNow(),
caller.Subject,
caller.Tenant,
entitlement.Plan,
request.ScannerImageDigest,
bundle.Metadata.Identity.Mode,
bundle.Metadata.ProviderName,
request.Subjects);
_entries[auditId] = entry;
_logger.LogInformation("Signer audit event {AuditId} recorded for tenant {Tenant}", auditId, caller.Tenant);
return ValueTask.FromResult(auditId);
}
}

16
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Options/SignerCryptoOptions.cs Normal file
View File

@@ -0,0 +1,16 @@
using System;
namespace StellaOps.Signer.Infrastructure.Options;
public sealed class SignerCryptoOptions
{
public string KeyId { get; set; } = "signer-kms-default";
public string AlgorithmId { get; set; } = "HS256";
public string Secret { get; set; } = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes("stellaops-signer-secret"));
public string ProviderName { get; set; } = "InMemoryHmacProvider";
public string Mode { get; set; } = "kms";
}

19
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Options/SignerEntitlementOptions.cs Normal file
View File

@@ -0,0 +1,19 @@
using System;
using System.Collections.Generic;
namespace StellaOps.Signer.Infrastructure.Options;
public sealed class SignerEntitlementOptions
{
public IDictionary<string, SignerEntitlementDefinition> Tokens { get; } =
new Dictionary<string, SignerEntitlementDefinition>(StringComparer.Ordinal);
}
public sealed record SignerEntitlementDefinition(
string LicenseId,
string CustomerId,
string Plan,
int MaxArtifactBytes,
int QpsLimit,
int QpsRemaining,
DateTimeOffset ExpiresAtUtc);

11
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Options/SignerReleaseVerificationOptions.cs Normal file
View File

@@ -0,0 +1,11 @@
using System;
using System.Collections.Generic;
namespace StellaOps.Signer.Infrastructure.Options;
public sealed class SignerReleaseVerificationOptions
{
public ISet<string> TrustedScannerDigests { get; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
public string TrustedSigner { get; set; } = "StellaOps Release";
}

56
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/ProofOfEntitlement/InMemoryProofOfEntitlementIntrospector.cs Normal file
View File

@@ -0,0 +1,56 @@
using Microsoft.Extensions.Options;
using ProofOfEntitlementRecord = StellaOps.Signer.Core.ProofOfEntitlement;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Options;
using System;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.ProofOfEntitlement;
public sealed class InMemoryProofOfEntitlementIntrospector : IProofOfEntitlementIntrospector
{
private readonly IOptionsMonitor<SignerEntitlementOptions> _options;
private readonly TimeProvider _timeProvider;
public InMemoryProofOfEntitlementIntrospector(
IOptionsMonitor<SignerEntitlementOptions> options,
TimeProvider timeProvider)
{
_options = options ?? throw new ArgumentNullException(nameof(options));
_timeProvider = timeProvider ?? TimeProvider.System;
}
public ValueTask<ProofOfEntitlementResult> IntrospectAsync(
ProofOfEntitlementRecord proof,
CallerContext caller,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(proof);
ArgumentNullException.ThrowIfNull(caller);
var token = proof.Value ?? string.Empty;
var snapshot = _options.CurrentValue;
if (!snapshot.Tokens.TryGetValue(token, out var definition))
{
throw new SignerAuthorizationException("entitlement_denied", "Proof of entitlement is invalid or revoked.");
}
if (definition.ExpiresAtUtc <= _timeProvider.GetUtcNow())
{
throw new SignerAuthorizationException("entitlement_denied", "Proof of entitlement has expired.");
}
var result = new ProofOfEntitlementResult(
definition.LicenseId,
definition.CustomerId,
definition.Plan,
definition.MaxArtifactBytes,
definition.QpsLimit,
definition.QpsRemaining,
definition.ExpiresAtUtc);
return ValueTask.FromResult(result);
}
}

101
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Quotas/InMemoryQuotaService.cs Normal file
View File

@@ -0,0 +1,101 @@
using Microsoft.Extensions.Logging;
using StellaOps.Signer.Core;
using System;
using System.Collections.Concurrent;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.Quotas;
public sealed class InMemoryQuotaService : ISignerQuotaService
{
private readonly ConcurrentDictionary<string, QuotaWindow> _windows = new(StringComparer.Ordinal);
private readonly TimeProvider _timeProvider;
private readonly ILogger<InMemoryQuotaService> _logger;
public InMemoryQuotaService(TimeProvider timeProvider, ILogger<InMemoryQuotaService> logger)
{
_timeProvider = timeProvider ?? TimeProvider.System;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public ValueTask EnsureWithinLimitsAsync(
SigningRequest request,
ProofOfEntitlementResult entitlement,
CallerContext caller,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentNullException.ThrowIfNull(entitlement);
ArgumentNullException.ThrowIfNull(caller);
var payloadSize = EstimatePayloadSize(request);
if (payloadSize > entitlement.MaxArtifactBytes)
{
throw new SignerQuotaException("artifact_too_large", $"Artifact size {payloadSize} exceeds plan cap ({entitlement.MaxArtifactBytes}).");
}
if (entitlement.QpsLimit <= 0)
{
return ValueTask.CompletedTask;
}
var window = _windows.GetOrAdd(caller.Tenant, static _ => new QuotaWindow());
lock (window)
{
var now = _timeProvider.GetUtcNow();
if (window.ResetAt <= now)
{
window.Reset(now, entitlement.QpsLimit);
}
if (window.Remaining <= 0)
{
_logger.LogWarning("Quota exceeded for tenant {Tenant}", caller.Tenant);
throw new SignerQuotaException("plan_throttled", "Plan QPS limit exceeded.");
}
window.Remaining--;
window.LastUpdated = now;
}
return ValueTask.CompletedTask;
}
private static int EstimatePayloadSize(SigningRequest request)
{
var predicateBytes = request.Predicate is null
? Array.Empty<byte>()
: Encoding.UTF8.GetBytes(request.Predicate.RootElement.GetRawText());
var subjectBytes = 0;
foreach (var subject in request.Subjects)
{
subjectBytes += subject.Name.Length;
foreach (var digest in subject.Digest)
{
subjectBytes += digest.Key.Length + digest.Value.Length;
}
}
return predicateBytes.Length + subjectBytes;
}
private sealed class QuotaWindow
{
public DateTimeOffset ResetAt { get; private set; } = DateTimeOffset.MinValue;
public int Remaining { get; set; }
public DateTimeOffset LastUpdated { get; set; }
public void Reset(DateTimeOffset now, int limit)
{
ResetAt = now.AddSeconds(1);
Remaining = limit;
LastUpdated = now;
}
}
}

39
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/ReleaseVerification/DefaultReleaseIntegrityVerifier.cs Normal file
View File

@@ -0,0 +1,39 @@
using Microsoft.Extensions.Options;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Options;
using System;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.ReleaseVerification;
public sealed class DefaultReleaseIntegrityVerifier : IReleaseIntegrityVerifier
{
private static readonly Regex DigestPattern = new("^sha256:[a-fA-F0-9]{64}$", RegexOptions.Compiled | RegexOptions.CultureInvariant);
private readonly IOptionsMonitor<SignerReleaseVerificationOptions> _options;
public DefaultReleaseIntegrityVerifier(IOptionsMonitor<SignerReleaseVerificationOptions> options)
{
_options = options ?? throw new ArgumentNullException(nameof(options));
}
public ValueTask<ReleaseVerificationResult> VerifyAsync(string scannerImageDigest, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(scannerImageDigest) || !DigestPattern.IsMatch(scannerImageDigest))
{
throw new SignerReleaseVerificationException("release_digest_invalid", "Scanner image digest must be a valid sha256 string.");
}
var options = _options.CurrentValue;
if (options.TrustedScannerDigests.Count > 0 &&
!options.TrustedScannerDigests.Contains(scannerImageDigest))
{
return ValueTask.FromResult(new ReleaseVerificationResult(false, null));
}
return ValueTask.FromResult(new ReleaseVerificationResult(true, options.TrustedSigner));
}
}

26
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/ServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,26 @@
using Microsoft.Extensions.DependencyInjection;
using StellaOps.Cryptography;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Auditing;
using StellaOps.Signer.Infrastructure.ProofOfEntitlement;
using StellaOps.Signer.Infrastructure.Quotas;
using StellaOps.Signer.Infrastructure.ReleaseVerification;
using StellaOps.Signer.Infrastructure.Signing;
namespace StellaOps.Signer.Infrastructure;
public static class ServiceCollectionExtensions
{
public static IServiceCollection AddSignerPipeline(this IServiceCollection services)
{
services.AddSingleton<ISignerPipeline, SignerPipeline>();
services.AddSingleton<IProofOfEntitlementIntrospector, InMemoryProofOfEntitlementIntrospector>();
services.AddSingleton<IReleaseIntegrityVerifier, DefaultReleaseIntegrityVerifier>();
services.AddSingleton<ISignerQuotaService, InMemoryQuotaService>();
services.AddSingleton<IDsseSigner, HmacDsseSigner>();
services.AddSingleton<ISignerAuditSink, InMemorySignerAuditSink>();
services.AddSingleton(TimeProvider.System);
services.AddSingleton<ICryptoHmac, DefaultCryptoHmac>();
return services;
}
}

281
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/CryptoDsseSigner.cs Normal file
View File

@@ -0,0 +1,281 @@
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Cryptography;
using StellaOps.Signer.Core;
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.Signing;
/// <summary>
/// DSSE signer implementation that uses StellaOps.Cryptography providers
/// for keyless (ephemeral) or KMS-backed signing operations.
/// Produces cosign-compatible DSSE envelopes.
/// </summary>
public sealed class CryptoDsseSigner : IDsseSigner
{
private const string DssePayloadType = "application/vnd.in-toto+json";
private const string PreAuthenticationEncodingPrefix = "DSSEv1";
private readonly ICryptoProviderRegistry _cryptoRegistry;
private readonly ISigningKeyResolver _keyResolver;
private readonly ILogger<CryptoDsseSigner> _logger;
private readonly DsseSignerOptions _options;
public CryptoDsseSigner(
ICryptoProviderRegistry cryptoRegistry,
ISigningKeyResolver keyResolver,
IOptions<DsseSignerOptions> options,
ILogger<CryptoDsseSigner> logger)
{
_cryptoRegistry = cryptoRegistry ?? throw new ArgumentNullException(nameof(cryptoRegistry));
_keyResolver = keyResolver ?? throw new ArgumentNullException(nameof(keyResolver));
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async ValueTask<SigningBundle> SignAsync(
SigningRequest request,
ProofOfEntitlementResult entitlement,
CallerContext caller,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentNullException.ThrowIfNull(entitlement);
ArgumentNullException.ThrowIfNull(caller);
var signingMode = request.Options.Mode;
var algorithmId = ResolveAndValidateAlgorithm(null, signingMode);
_logger.LogDebug(
"Starting DSSE signing for tenant {Tenant} with mode {Mode} and algorithm {Algorithm}",
caller.Tenant,
signingMode,
algorithmId);
// Build the in-toto statement payload
var statementPayload = SignerStatementBuilder.BuildStatementPayload(request);
// Encode payload as base64url for DSSE
var payloadBase64 = Convert.ToBase64String(statementPayload)
.TrimEnd('=')
.Replace('+', '-')
.Replace('/', '_');
// Build PAE (Pre-Authentication Encoding) for signing
var paeBytes = BuildPae(DssePayloadType, statementPayload);
// Resolve signing key and provider
var keyResolution = await _keyResolver
.ResolveKeyAsync(signingMode, caller.Tenant, cancellationToken)
.ConfigureAwait(false);
var keyReference = new CryptoKeyReference(keyResolution.KeyId, keyResolution.ProviderHint);
// Get signer from crypto registry
var signerResolution = _cryptoRegistry.ResolveSigner(
CryptoCapability.Signing,
algorithmId,
keyReference,
keyResolution.ProviderHint);
var signer = signerResolution.Signer;
// Sign the PAE (primary)
var signatureBytes = await signer
.SignAsync(paeBytes, cancellationToken)
.ConfigureAwait(false);
// Encode signature as base64url (cosign-compatible)
var signatureBase64 = Convert.ToBase64String(signatureBytes)
.TrimEnd('=')
.Replace('+', '-')
.Replace('/', '_');
_logger.LogInformation(
"DSSE signing completed for tenant {Tenant} using provider {Provider} with key {KeyId}",
caller.Tenant,
signerResolution.ProviderName,
signer.KeyId);
// Build certificate chain if available
var certChain = BuildCertificateChain(signer, keyResolution);
var signatures = new List<DsseSignature>
{
new DsseSignature(signatureBase64, signer.KeyId)
};
if (!string.IsNullOrWhiteSpace(_options.SecondaryAlgorithm))
{
var secondaryAlgorithm = ResolveAndValidateAlgorithm(_options.SecondaryAlgorithm, signingMode);
var secondaryKeyId = _options.SecondaryKeyId ?? keyReference.KeyId;
var secondaryProviderHint = _options.SecondaryProvider ?? keyResolution.ProviderHint;
var secondaryRef = new CryptoKeyReference(secondaryKeyId, secondaryProviderHint);
var secondaryResolution = _cryptoRegistry.ResolveSigner(
CryptoCapability.Signing,
secondaryAlgorithm,
secondaryRef,
secondaryProviderHint);
var secondarySignatureBytes = await secondaryResolution.Signer
.SignAsync(paeBytes, cancellationToken)
.ConfigureAwait(false);
var secondarySignatureBase64 = Convert.ToBase64String(secondarySignatureBytes)
.TrimEnd('=')
.Replace('+', '-')
.Replace('/', '_');
signatures.Add(new DsseSignature(secondarySignatureBase64, secondaryResolution.Signer.KeyId));
_logger.LogInformation(
"Added secondary DSSE signature using provider {Provider} algorithm {Algorithm} key {KeyId}",
secondaryResolution.ProviderName,
secondaryAlgorithm,
secondaryResolution.Signer.KeyId);
}
// Build DSSE envelope
var envelope = new DsseEnvelope(
Payload: payloadBase64,
PayloadType: DssePayloadType,
Signatures: signatures);
// Build signing metadata
var identity = new SigningIdentity(
Mode: signingMode.ToString().ToLowerInvariant(),
Issuer: keyResolution.Issuer ?? _options.DefaultIssuer,
Subject: keyResolution.Subject ?? caller.Subject,
ExpiresAtUtc: keyResolution.ExpiresAtUtc);
var metadata = new SigningMetadata(
Identity: identity,
CertificateChain: certChain,
ProviderName: signerResolution.ProviderName,
AlgorithmId: algorithmId);
return new SigningBundle(envelope, metadata);
}
/// <summary>
/// Builds the PAE (Pre-Authentication Encoding) as per DSSE specification.
/// PAE = "DSSEv1" || SP || LEN(type) || SP || type || SP || LEN(payload) || SP || payload
/// where SP is space (0x20) and LEN is decimal ASCII length.
/// </summary>
private static byte[] BuildPae(string payloadType, byte[] payload)
{
var typeBytes = Encoding.UTF8.GetBytes(payloadType);
// Calculate total length
var prefixBytes = Encoding.UTF8.GetBytes(PreAuthenticationEncodingPrefix);
var typeLenStr = typeBytes.Length.ToString();
var payloadLenStr = payload.Length.ToString();
var totalLen = prefixBytes.Length + 1 +
typeLenStr.Length + 1 +
typeBytes.Length + 1 +
payloadLenStr.Length + 1 +
payload.Length;
var pae = new byte[totalLen];
var offset = 0;
// DSSEv1
Buffer.BlockCopy(prefixBytes, 0, pae, offset, prefixBytes.Length);
offset += prefixBytes.Length;
pae[offset++] = 0x20; // space
// LEN(type)
var typeLenBytes = Encoding.UTF8.GetBytes(typeLenStr);
Buffer.BlockCopy(typeLenBytes, 0, pae, offset, typeLenBytes.Length);
offset += typeLenBytes.Length;
pae[offset++] = 0x20; // space
// type
Buffer.BlockCopy(typeBytes, 0, pae, offset, typeBytes.Length);
offset += typeBytes.Length;
pae[offset++] = 0x20; // space
// LEN(payload)
var payloadLenBytes = Encoding.UTF8.GetBytes(payloadLenStr);
Buffer.BlockCopy(payloadLenBytes, 0, pae, offset, payloadLenBytes.Length);
offset += payloadLenBytes.Length;
pae[offset++] = 0x20; // space
// payload
Buffer.BlockCopy(payload, 0, pae, offset, payload.Length);
return pae;
}
private string ResolveAndValidateAlgorithm(string? preferredOverride, SigningMode mode)
{
var preferred = mode switch
{
SigningMode.Keyless => preferredOverride ?? _options.KeylessAlgorithm ?? SignatureAlgorithms.Es256,
SigningMode.Kms => preferredOverride ?? _options.KmsAlgorithm ?? SignatureAlgorithms.Es256,
_ => SignatureAlgorithms.Es256
};
ValidateAlgorithmGate(preferred);
return preferred;
}
private static void ValidateAlgorithmGate(string algorithm)
{
if (string.Equals(algorithm, SignatureAlgorithms.Dilithium3, StringComparison.OrdinalIgnoreCase) ||
string.Equals(algorithm, SignatureAlgorithms.Falcon512, StringComparison.OrdinalIgnoreCase))
{
if (!string.Equals(Environment.GetEnvironmentVariable("PQ_SOFT_ALLOWED"), "1", StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException("PQ signing requested but PQ_SOFT_ALLOWED is not enabled.");
}
}
if (string.Equals(algorithm, SignatureAlgorithms.Sm2, StringComparison.OrdinalIgnoreCase))
{
if (!string.Equals(Environment.GetEnvironmentVariable("SM_SOFT_ALLOWED"), "1", StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException("SM2 signing requested but SM_SOFT_ALLOWED is not enabled.");
}
}
}
private static IReadOnlyList<string> BuildCertificateChain(
ICryptoSigner signer,
SigningKeyResolution keyResolution)
{
var chain = new List<string>();
// Export public key as JWK for verification
try
{
var jwk = signer.ExportPublicJsonWebKey();
if (jwk is not null)
{
// Convert JWK to PEM-like representation for certificate chain
// In keyless mode, this represents the ephemeral signing certificate
var jwkJson = System.Text.Json.JsonSerializer.Serialize(jwk);
chain.Add(Convert.ToBase64String(Encoding.UTF8.GetBytes(jwkJson)));
}
}
catch
{
// Some signers may not support JWK export
}
// Add any additional certificates from key resolution
if (keyResolution.CertificateChain is { Count: > 0 })
{
chain.AddRange(keyResolution.CertificateChain);
}
return chain;
}
}

100
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/DefaultSigningKeyResolver.cs Normal file
View File

@@ -0,0 +1,100 @@
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Determinism;
using StellaOps.Signer.Core;
using System;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.Signing;
/// <summary>
/// Default signing key resolver that supports both keyless (ephemeral) and KMS modes.
/// </summary>
public sealed class DefaultSigningKeyResolver : ISigningKeyResolver
{
private const string KeylessKeyIdPrefix = "ephemeral:";
private const int KeylessExpiryMinutes = 10;
private readonly DsseSignerOptions _options;
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
private readonly ILogger<DefaultSigningKeyResolver> _logger;
public DefaultSigningKeyResolver(
IOptions<DsseSignerOptions> options,
TimeProvider timeProvider,
ILogger<DefaultSigningKeyResolver> logger,
IGuidProvider? guidProvider = null)
{
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_timeProvider = timeProvider ?? TimeProvider.System;
_guidProvider = guidProvider ?? SystemGuidProvider.Instance;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public ValueTask<SigningKeyResolution> ResolveKeyAsync(
SigningMode mode,
string tenant,
CancellationToken cancellationToken)
{
ArgumentException.ThrowIfNullOrWhiteSpace(tenant);
var resolution = mode switch
{
SigningMode.Keyless => ResolveKeylessKey(tenant),
SigningMode.Kms => ResolveKmsKey(tenant),
_ => throw new ArgumentOutOfRangeException(nameof(mode), mode, "Unsupported signing mode")
};
_logger.LogDebug(
"Resolved signing key {KeyId} for tenant {Tenant} in mode {Mode}",
resolution.KeyId,
tenant,
mode);
return ValueTask.FromResult(resolution);
}
private SigningKeyResolution ResolveKeylessKey(string tenant)
{
// Generate ephemeral key identifier using timestamp for uniqueness
var now = _timeProvider.GetUtcNow();
var keyId = $"{KeylessKeyIdPrefix}{tenant}:{now:yyyyMMddHHmmss}:{_guidProvider.NewGuid():N}";
var expiresAt = now.AddMinutes(KeylessExpiryMinutes);
return new SigningKeyResolution(
KeyId: keyId,
ProviderHint: _options.PreferredProvider,
Issuer: _options.DefaultIssuer,
Subject: $"keyless:{tenant}",
ExpiresAtUtc: expiresAt);
}
private SigningKeyResolution ResolveKmsKey(string tenant)
{
// Check for tenant-specific KMS key
string? kmsKeyId = null;
if (_options.TenantKmsKeys.TryGetValue(tenant, out var tenantKey))
{
kmsKeyId = tenantKey;
}
else if (!string.IsNullOrWhiteSpace(_options.DefaultKmsKeyId))
{
kmsKeyId = _options.DefaultKmsKeyId;
}
if (string.IsNullOrWhiteSpace(kmsKeyId))
{
throw new InvalidOperationException(
$"No KMS key configured for tenant '{tenant}' and no default KMS key is set.");
}
return new SigningKeyResolution(
KeyId: kmsKeyId,
ProviderHint: _options.PreferredProvider,
Issuer: _options.DefaultIssuer,
Subject: $"kms:{tenant}");
}
}

70
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/DsseSignerOptions.cs Normal file
View File

@@ -0,0 +1,70 @@
using System.Collections.Generic;
namespace StellaOps.Signer.Infrastructure.Signing;
/// <summary>
/// Configuration options for the DSSE signer.
/// </summary>
public sealed class DsseSignerOptions
{
/// <summary>
/// Gets or sets the default algorithm for keyless (ephemeral) signing.
/// Defaults to ES256.
/// </summary>
public string? KeylessAlgorithm { get; set; }
/// <summary>
/// Gets or sets the default algorithm for KMS-backed signing.
/// Defaults to ES256.
/// </summary>
public string? KmsAlgorithm { get; set; }
/// <summary>
/// Optional override for SM2 signing when SM_SOFT_ALLOWED=1 and profile requires SM.
/// </summary>
public string? SmAlgorithm { get; set; }
/// <summary>
/// Optional secondary algorithm for dual-signing (e.g., PQ co-sign).
/// When set, a second DSSE signature is added using the specified algorithm.
/// </summary>
public string? SecondaryAlgorithm { get; set; }
/// <summary>
/// Optional provider hint for the secondary signature.
/// </summary>
public string? SecondaryProvider { get; set; }
/// <summary>
/// Optional key identifier for the secondary signature. Falls back to the primary key id when null.
/// </summary>
public string? SecondaryKeyId { get; set; }
/// <summary>
/// Gets or sets the default issuer for signing identity metadata.
/// </summary>
public string DefaultIssuer { get; set; } = "https://stellaops.io";
/// <summary>
/// Gets or sets the default KMS key identifier for KMS signing mode.
/// </summary>
public string? DefaultKmsKeyId { get; set; }
/// <summary>
/// Gets or sets the preferred crypto provider name.
/// When null, the registry uses its default ordering.
/// </summary>
public string? PreferredProvider { get; set; }
/// <summary>
/// Gets or sets per-tenant KMS key mappings.
/// Key is tenant identifier, value is KMS key ID.
/// </summary>
public Dictionary<string, string> TenantKmsKeys { get; set; } = new();
/// <summary>
/// Gets or sets whether to include JWK in certificate chain output.
/// Defaults to true.
/// </summary>
public bool IncludeJwkInChain { get; set; } = true;
}

68
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/HmacDsseSigner.cs Normal file
View File

@@ -0,0 +1,68 @@
using Microsoft.Extensions.Options;
using StellaOps.Cryptography;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Options;
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.Signing;
public sealed class HmacDsseSigner : IDsseSigner
{
private readonly IOptionsMonitor<SignerCryptoOptions> _options;
private readonly ICryptoHmac _cryptoHmac;
private readonly TimeProvider _timeProvider;
public HmacDsseSigner(
IOptionsMonitor<SignerCryptoOptions> options,
ICryptoHmac cryptoHmac,
TimeProvider timeProvider)
{
_options = options ?? throw new ArgumentNullException(nameof(options));
_cryptoHmac = cryptoHmac ?? throw new ArgumentNullException(nameof(cryptoHmac));
_timeProvider = timeProvider ?? TimeProvider.System;
}
public ValueTask<SigningBundle> SignAsync(
SigningRequest request,
ProofOfEntitlementResult entitlement,
CallerContext caller,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentNullException.ThrowIfNull(entitlement);
ArgumentNullException.ThrowIfNull(caller);
var options = _options.CurrentValue;
var payloadBytes = SignerStatementBuilder.BuildStatementPayload(request);
var secretBytes = Convert.FromBase64String(options.Secret);
var signature = _cryptoHmac.ComputeHmacBase64ForPurpose(secretBytes, payloadBytes, HmacPurpose.Signing);
var payloadBase64 = Convert.ToBase64String(payloadBytes);
var envelope = new DsseEnvelope(
payloadBase64,
"application/vnd.in-toto+json",
new[]
{
new DsseSignature(signature, options.KeyId),
});
var metadata = new SigningMetadata(
new SigningIdentity(
options.Mode,
caller.Subject,
caller.Subject,
_timeProvider.GetUtcNow().AddMinutes(10)),
Array.Empty<string>(),
options.ProviderName,
options.AlgorithmId);
var bundle = new SigningBundle(envelope, metadata);
return ValueTask.FromResult(bundle);
}
}

37
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/ISigningKeyResolver.cs Normal file
View File

@@ -0,0 +1,37 @@
using StellaOps.Signer.Core;
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.Signing;
/// <summary>
/// Resolves signing keys based on signing mode and tenant context.
/// </summary>
public interface ISigningKeyResolver
{
/// <summary>
/// Resolves the signing key for the given mode and tenant.
/// </summary>
/// <param name="mode">The signing mode (Keyless or KMS).</param>
/// <param name="tenant">The tenant identifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The resolved key information.</returns>
ValueTask<SigningKeyResolution> ResolveKeyAsync(
SigningMode mode,
string tenant,
CancellationToken cancellationToken);
}
/// <summary>
/// Result of key resolution containing key reference and identity metadata.
/// </summary>
public sealed record SigningKeyResolution(
string KeyId,
string? ProviderHint = null,
string? Issuer = null,
string? Subject = null,
DateTimeOffset? ExpiresAtUtc = null,
IReadOnlyList<string>? CertificateChain = null);

84
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/SigningServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,84 @@
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using StellaOps.Signer.Core;
using System;
namespace StellaOps.Signer.Infrastructure.Signing;
/// <summary>
/// Extension methods for registering signing services with dependency injection.
/// </summary>
public static class SigningServiceCollectionExtensions
{
/// <summary>
/// Adds the DSSE signing services to the service collection.
/// </summary>
/// <param name="services">The service collection.</param>
/// <param name="configure">Optional configuration action for signer options.</param>
/// <returns>The service collection for chaining.</returns>
public static IServiceCollection AddDsseSigning(
this IServiceCollection services,
Action<DsseSignerOptions>? configure = null)
{
ArgumentNullException.ThrowIfNull(services);
// Register options
var optionsBuilder = services.AddOptions<DsseSignerOptions>();
if (configure is not null)
{
optionsBuilder.Configure(configure);
}
// Register time provider if not already registered
services.TryAddSingleton(TimeProvider.System);
// Register signing key resolver
services.TryAddSingleton<ISigningKeyResolver, DefaultSigningKeyResolver>();
// Register DSSE signer
services.TryAddSingleton<IDsseSigner, CryptoDsseSigner>();
return services;
}
/// <summary>
/// Adds the DSSE signing services with KMS configuration.
/// </summary>
/// <param name="services">The service collection.</param>
/// <param name="defaultKmsKeyId">The default KMS key identifier.</param>
/// <param name="configure">Additional configuration action.</param>
/// <returns>The service collection for chaining.</returns>
public static IServiceCollection AddDsseSigningWithKms(
this IServiceCollection services,
string defaultKmsKeyId,
Action<DsseSignerOptions>? configure = null)
{
ArgumentNullException.ThrowIfNull(services);
ArgumentException.ThrowIfNullOrWhiteSpace(defaultKmsKeyId);
return services.AddDsseSigning(options =>
{
options.DefaultKmsKeyId = defaultKmsKeyId;
configure?.Invoke(options);
});
}
/// <summary>
/// Adds the DSSE signing services configured for keyless (ephemeral) signing only.
/// </summary>
/// <param name="services">The service collection.</param>
/// <param name="issuer">The issuer URL for keyless certificates.</param>
/// <returns>The service collection for chaining.</returns>
public static IServiceCollection AddDsseSigningKeyless(
this IServiceCollection services,
string issuer = "https://stellaops.io")
{
ArgumentNullException.ThrowIfNull(services);
return services.AddDsseSigning(options =>
{
options.DefaultIssuer = issuer;
});
}
}

191
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/FulcioHttpClient.cs Normal file
View File

@@ -0,0 +1,191 @@
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Json;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.Sigstore;
/// <summary>
/// HTTP client for Sigstore Fulcio certificate authority.
/// Supports both public Sigstore and self-hosted deployments.
/// </summary>
public sealed class FulcioHttpClient : IFulcioClient, IDisposable
{
private readonly HttpClient _httpClient;
private readonly SigstoreOptions _options;
private readonly ILogger<FulcioHttpClient> _logger;
public FulcioHttpClient(
HttpClient httpClient,
IOptions<SigstoreOptions> options,
ILogger<FulcioHttpClient> logger)
{
_httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_httpClient.BaseAddress = new Uri(_options.FulcioUrl.TrimEnd('/') + "/");
_httpClient.Timeout = TimeSpan.FromSeconds(_options.TimeoutSeconds);
}
public async ValueTask<FulcioCertificateResult> GetCertificateAsync(
string identityToken,
string publicKey,
byte[] proofOfPossession,
CancellationToken cancellationToken)
{
ArgumentException.ThrowIfNullOrWhiteSpace(identityToken);
ArgumentException.ThrowIfNullOrWhiteSpace(publicKey);
ArgumentNullException.ThrowIfNull(proofOfPossession);
_logger.LogDebug("Requesting signing certificate from Fulcio at {Url}", _options.FulcioUrl);
var request = new FulcioSigningCertificateRequest
{
PublicKeyRequest = new PublicKeyRequest
{
PublicKey = new PublicKeyContent
{
Algorithm = "ECDSA",
Content = publicKey
},
ProofOfPossession = Convert.ToBase64String(proofOfPossession)
}
};
using var httpRequest = new HttpRequestMessage(HttpMethod.Post, "api/v2/signingCert");
httpRequest.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", identityToken);
httpRequest.Content = JsonContent.Create(request, options: JsonOptions);
using var response = await _httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
if (!response.IsSuccessStatusCode)
{
var errorBody = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
_logger.LogError("Fulcio certificate request failed: {StatusCode} - {Error}", response.StatusCode, errorBody);
throw new SigstoreException($"Fulcio certificate request failed: {response.StatusCode} - {errorBody}");
}
var result = await response.Content.ReadFromJsonAsync<FulcioSigningCertificateResponse>(JsonOptions, cancellationToken)
.ConfigureAwait(false);
if (result?.SignedCertificateEmbeddedSct?.Chain?.Certificates is not { Count: > 0 })
{
throw new SigstoreException("Fulcio returned empty certificate chain");
}
var certificates = result.SignedCertificateEmbeddedSct.Chain.Certificates;
var signingCert = certificates[0];
var chain = certificates.Count > 1 ? certificates.GetRange(1, certificates.Count - 1) : [];
// Parse certificate to extract metadata
var cert = X509Certificate2.CreateFromPem(signingCert);
var expiresAt = cert.NotAfter.ToUniversalTime();
// Extract OIDC claims from certificate extensions
var (subject, issuer) = ExtractOidcClaims(cert);
_logger.LogInformation(
"Obtained Fulcio certificate for subject {Subject} from issuer {Issuer}, expires {ExpiresAt}",
subject, issuer, expiresAt);
return new FulcioCertificateResult(
Certificate: signingCert,
CertificateChain: chain,
SignedCertificateTimestamp: result.SignedCertificateEmbeddedSct.Sct,
ExpiresAtUtc: new DateTimeOffset(expiresAt, TimeSpan.Zero),
Subject: subject,
Issuer: issuer);
}
private static (string Subject, string Issuer) ExtractOidcClaims(X509Certificate2 cert)
{
// Fulcio embeds OIDC claims in certificate extensions
// OID 1.3.6.1.4.1.57264.1.1 = Issuer
// OID 1.3.6.1.4.1.57264.1.7 = Subject (email or workflow identity)
var issuer = "unknown";
var subject = cert.Subject;
foreach (var ext in cert.Extensions)
{
if (ext.Oid?.Value == "1.3.6.1.4.1.57264.1.1")
{
issuer = Encoding.UTF8.GetString(ext.RawData).Trim('\0');
}
else if (ext.Oid?.Value == "1.3.6.1.4.1.57264.1.7")
{
subject = Encoding.UTF8.GetString(ext.RawData).Trim('\0');
}
}
// Fallback to SAN email if no extension
if (subject == cert.Subject)
{
var sanExt = cert.Extensions["2.5.29.17"];
if (sanExt is X509SubjectAlternativeNameExtension san)
{
foreach (var name in san.EnumerateDnsNames())
{
subject = name;
break;
}
}
}
return (subject, issuer);
}
public void Dispose()
{
_httpClient.Dispose();
}
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
};
// Fulcio API DTOs
private sealed record FulcioSigningCertificateRequest
{
public PublicKeyRequest? PublicKeyRequest { get; init; }
}
private sealed record PublicKeyRequest
{
public PublicKeyContent? PublicKey { get; init; }
public string? ProofOfPossession { get; init; }
}
private sealed record PublicKeyContent
{
public string? Algorithm { get; init; }
public string? Content { get; init; }
}
private sealed record FulcioSigningCertificateResponse
{
public SignedCertificateEmbeddedSct? SignedCertificateEmbeddedSct { get; init; }
}
private sealed record SignedCertificateEmbeddedSct
{
public CertificateChain? Chain { get; init; }
public string? Sct { get; init; }
}
private sealed record CertificateChain
{
public List<string>? Certificates { get; init; }
}
}

100
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/ISigstoreClients.cs Normal file
View File

@@ -0,0 +1,100 @@
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.Sigstore;
/// <summary>
/// Client interface for Sigstore Fulcio certificate authority.
/// Obtains short-lived signing certificates using OIDC identity tokens.
/// </summary>
public interface IFulcioClient
{
/// <summary>
/// Requests a signing certificate from Fulcio using an OIDC identity token.
/// </summary>
/// <param name="identityToken">The OIDC identity token (JWT).</param>
/// <param name="publicKey">The public key (PEM format) to bind to the certificate.</param>
/// <param name="proofOfPossession">Signature proving possession of the private key.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The Fulcio certificate result.</returns>
ValueTask<FulcioCertificateResult> GetCertificateAsync(
string identityToken,
string publicKey,
byte[] proofOfPossession,
CancellationToken cancellationToken);
}
/// <summary>
/// Client interface for Sigstore Rekor transparency log.
/// Uploads signatures to the append-only transparency log.
/// </summary>
public interface IRekorClient
{
/// <summary>
/// Uploads an artifact signature to the Rekor transparency log.
/// </summary>
/// <param name="artifactHash">SHA-256 hash of the artifact being signed.</param>
/// <param name="signature">The signature bytes.</param>
/// <param name="publicKey">The public key (PEM format).</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The Rekor entry result with log index and inclusion proof.</returns>
ValueTask<RekorEntryResult> UploadAsync(
string artifactHash,
byte[] signature,
string publicKey,
CancellationToken cancellationToken);
/// <summary>
/// Verifies an entry exists in the Rekor log.
/// </summary>
/// <param name="uuid">The entry UUID.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The entry if found, null otherwise.</returns>
ValueTask<RekorEntryResult?> GetEntryAsync(
string uuid,
CancellationToken cancellationToken);
/// <summary>
/// Searches for entries by artifact hash.
/// </summary>
/// <param name="artifactHash">SHA-256 hash of the artifact.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>List of matching entry UUIDs.</returns>
ValueTask<string[]> SearchByHashAsync(
string artifactHash,
CancellationToken cancellationToken);
}
/// <summary>
/// Orchestrates keyless signing using Sigstore infrastructure.
/// </summary>
public interface ISigstoreSigningService
{
/// <summary>
/// Performs keyless signing of an artifact using Sigstore (Fulcio + Rekor).
/// </summary>
/// <param name="artifactBytes">The artifact bytes to sign.</param>
/// <param name="identityToken">The OIDC identity token for Fulcio.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The complete Sigstore signing result.</returns>
ValueTask<SigstoreSigningResult> SignKeylessAsync(
byte[] artifactBytes,
string identityToken,
CancellationToken cancellationToken);
/// <summary>
/// Verifies a keyless signature against Sigstore transparency log.
/// </summary>
/// <param name="artifactBytes">The artifact bytes.</param>
/// <param name="signature">The signature to verify.</param>
/// <param name="certificate">The signing certificate (PEM).</param>
/// <param name="rekorUuid">Optional Rekor entry UUID for verification.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>True if signature is valid and (optionally) in Rekor.</returns>
ValueTask<bool> VerifyKeylessAsync(
byte[] artifactBytes,
byte[] signature,
string certificate,
string? rekorUuid,
CancellationToken cancellationToken);
}

269
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/RekorHttpClient.cs Normal file
View File

@@ -0,0 +1,269 @@
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.Sigstore;
/// <summary>
/// HTTP client for Sigstore Rekor transparency log.
/// Supports both public Sigstore and self-hosted deployments.
/// </summary>
public sealed class RekorHttpClient : IRekorClient, IDisposable
{
private readonly HttpClient _httpClient;
private readonly SigstoreOptions _options;
private readonly ILogger<RekorHttpClient> _logger;
public RekorHttpClient(
HttpClient httpClient,
IOptions<SigstoreOptions> options,
ILogger<RekorHttpClient> logger)
{
_httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_httpClient.BaseAddress = new Uri(_options.RekorUrl.TrimEnd('/') + "/");
_httpClient.Timeout = TimeSpan.FromSeconds(_options.TimeoutSeconds);
}
public async ValueTask<RekorEntryResult> UploadAsync(
string artifactHash,
byte[] signature,
string publicKey,
CancellationToken cancellationToken)
{
ArgumentException.ThrowIfNullOrWhiteSpace(artifactHash);
ArgumentNullException.ThrowIfNull(signature);
ArgumentException.ThrowIfNullOrWhiteSpace(publicKey);
_logger.LogDebug("Uploading signature to Rekor at {Url} for artifact hash {Hash}",
_options.RekorUrl, artifactHash[..16] + "...");
// Create hashedrekord entry type
var request = new RekorCreateEntryRequest
{
ApiVersion = "0.0.1",
Kind = "hashedrekord",
Spec = new HashedRekordSpec
{
Data = new HashedRekordData
{
Hash = new HashSpec
{
Algorithm = "sha256",
Value = artifactHash
}
},
Signature = new SignatureSpec
{
Content = Convert.ToBase64String(signature),
PublicKey = new PublicKeySpec
{
Content = Convert.ToBase64String(Encoding.UTF8.GetBytes(publicKey))
}
}
}
};
using var response = await _httpClient.PostAsJsonAsync(
"api/v1/log/entries",
request,
JsonOptions,
cancellationToken).ConfigureAwait(false);
if (!response.IsSuccessStatusCode)
{
var errorBody = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
_logger.LogError("Rekor upload failed: {StatusCode} - {Error}", response.StatusCode, errorBody);
throw new RekorException($"Rekor upload failed: {response.StatusCode} - {errorBody}");
}
var result = await response.Content.ReadFromJsonAsync<Dictionary<string, RekorEntryResponse>>(JsonOptions, cancellationToken)
.ConfigureAwait(false);
if (result is null || result.Count == 0)
{
throw new RekorException("Rekor returned empty response");
}
// Response is a dictionary with UUID as key
foreach (var (uuid, entry) in result)
{
_logger.LogInformation(
"Signature uploaded to Rekor with UUID {Uuid} at log index {LogIndex}",
uuid, entry.LogIndex);
return new RekorEntryResult(
Uuid: uuid,
LogIndex: entry.LogIndex,
IntegratedTime: entry.IntegratedTime,
LogId: entry.LogId ?? string.Empty,
InclusionProof: ParseInclusionProof(entry.Verification?.InclusionProof),
SignedEntryTimestamp: entry.Verification?.SignedEntryTimestamp);
}
throw new RekorException("Rekor returned unexpected response format");
}
public async ValueTask<RekorEntryResult?> GetEntryAsync(string uuid, CancellationToken cancellationToken)
{
ArgumentException.ThrowIfNullOrWhiteSpace(uuid);
_logger.LogDebug("Fetching Rekor entry {Uuid}", uuid);
using var response = await _httpClient.GetAsync($"api/v1/log/entries/{uuid}", cancellationToken)
.ConfigureAwait(false);
if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
{
return null;
}
if (!response.IsSuccessStatusCode)
{
var errorBody = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
throw new RekorException($"Rekor get entry failed: {response.StatusCode} - {errorBody}");
}
var result = await response.Content.ReadFromJsonAsync<Dictionary<string, RekorEntryResponse>>(JsonOptions, cancellationToken)
.ConfigureAwait(false);
if (result is null || !result.TryGetValue(uuid, out var entry))
{
return null;
}
return new RekorEntryResult(
Uuid: uuid,
LogIndex: entry.LogIndex,
IntegratedTime: entry.IntegratedTime,
LogId: entry.LogId ?? string.Empty,
InclusionProof: ParseInclusionProof(entry.Verification?.InclusionProof),
SignedEntryTimestamp: entry.Verification?.SignedEntryTimestamp);
}
public async ValueTask<string[]> SearchByHashAsync(string artifactHash, CancellationToken cancellationToken)
{
ArgumentException.ThrowIfNullOrWhiteSpace(artifactHash);
_logger.LogDebug("Searching Rekor for artifact hash {Hash}", artifactHash[..16] + "...");
var request = new RekorSearchRequest
{
Hash = $"sha256:{artifactHash}"
};
using var response = await _httpClient.PostAsJsonAsync(
"api/v1/index/retrieve",
request,
JsonOptions,
cancellationToken).ConfigureAwait(false);
if (!response.IsSuccessStatusCode)
{
var errorBody = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
throw new RekorException($"Rekor search failed: {response.StatusCode} - {errorBody}");
}
var uuids = await response.Content.ReadFromJsonAsync<string[]>(JsonOptions, cancellationToken)
.ConfigureAwait(false);
return uuids ?? [];
}
private static RekorInclusionProof? ParseInclusionProof(InclusionProofResponse? proof)
{
if (proof is null)
return null;
return new RekorInclusionProof(
LogIndex: proof.LogIndex,
RootHash: proof.RootHash ?? string.Empty,
TreeSize: proof.TreeSize,
Hashes: proof.Hashes ?? []);
}
public void Dispose()
{
_httpClient.Dispose();
}
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
};
// Rekor API DTOs
private sealed record RekorCreateEntryRequest
{
public string? ApiVersion { get; init; }
public string? Kind { get; init; }
public HashedRekordSpec? Spec { get; init; }
}
private sealed record HashedRekordSpec
{
public HashedRekordData? Data { get; init; }
public SignatureSpec? Signature { get; init; }
}
private sealed record HashedRekordData
{
public HashSpec? Hash { get; init; }
}
private sealed record HashSpec
{
public string? Algorithm { get; init; }
public string? Value { get; init; }
}
private sealed record SignatureSpec
{
public string? Content { get; init; }
public PublicKeySpec? PublicKey { get; init; }
}
private sealed record PublicKeySpec
{
public string? Content { get; init; }
}
private sealed record RekorSearchRequest
{
public string? Hash { get; init; }
}
private sealed record RekorEntryResponse
{
public long LogIndex { get; init; }
public long IntegratedTime { get; init; }
public string? LogId { get; init; }
public VerificationResponse? Verification { get; init; }
}
private sealed record VerificationResponse
{
public InclusionProofResponse? InclusionProof { get; init; }
public string? SignedEntryTimestamp { get; init; }
}
private sealed record InclusionProofResponse
{
public long LogIndex { get; init; }
public string? RootHash { get; init; }
public long TreeSize { get; init; }
public List<string>? Hashes { get; init; }
}
}

30
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreExceptions.cs Normal file
View File

@@ -0,0 +1,30 @@
using System;
namespace StellaOps.Signer.Infrastructure.Sigstore;
/// <summary>
/// Exception thrown when Sigstore operations fail.
/// </summary>
public class SigstoreException : Exception
{
public SigstoreException(string message) : base(message) { }
public SigstoreException(string message, Exception innerException) : base(message, innerException) { }
}
/// <summary>
/// Exception thrown when Fulcio certificate request fails.
/// </summary>
public class FulcioException : SigstoreException
{
public FulcioException(string message) : base(message) { }
public FulcioException(string message, Exception innerException) : base(message, innerException) { }
}
/// <summary>
/// Exception thrown when Rekor transparency log operations fail.
/// </summary>
public class RekorException : SigstoreException
{
public RekorException(string message) : base(message) { }
public RekorException(string message, Exception innerException) : base(message, innerException) { }
}

66
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreModels.cs Normal file
View File

@@ -0,0 +1,66 @@
using System;
using System.Collections.Generic;
namespace StellaOps.Signer.Infrastructure.Sigstore;
/// <summary>
/// Result of a Fulcio certificate signing request.
/// </summary>
public sealed record FulcioCertificateResult(
/// <summary>The PEM-encoded signing certificate.</summary>
string Certificate,
/// <summary>The certificate chain (intermediate + root).</summary>
IReadOnlyList<string> CertificateChain,
/// <summary>The Signed Certificate Timestamp from CT log (if available).</summary>
string? SignedCertificateTimestamp,
/// <summary>When the certificate expires.</summary>
DateTimeOffset ExpiresAtUtc,
/// <summary>The OIDC subject (email or workflow identity).</summary>
string Subject,
/// <summary>The OIDC issuer.</summary>
string Issuer);
/// <summary>
/// Result of a Rekor transparency log entry.
/// </summary>
public sealed record RekorEntryResult(
/// <summary>The Rekor log entry UUID.</summary>
string Uuid,
/// <summary>The log index number.</summary>
long LogIndex,
/// <summary>The integrated timestamp (Unix epoch).</summary>
long IntegratedTime,
/// <summary>The log ID (tree hash).</summary>
string LogId,
/// <summary>The inclusion proof for verification.</summary>
RekorInclusionProof? InclusionProof,
/// <summary>The Signed Entry Timestamp.</summary>
string? SignedEntryTimestamp);
/// <summary>
/// Merkle tree inclusion proof from Rekor.
/// </summary>
public sealed record RekorInclusionProof(
/// <summary>The log index.</summary>
long LogIndex,
/// <summary>The root hash of the tree.</summary>
string RootHash,
/// <summary>The tree size at time of inclusion.</summary>
long TreeSize,
/// <summary>The hash path from leaf to root.</summary>
IReadOnlyList<string> Hashes);
/// <summary>
/// Combined result of keyless signing with Sigstore.
/// </summary>
public sealed record SigstoreSigningResult(
/// <summary>The signature bytes (base64-encoded).</summary>
string Signature,
/// <summary>The Fulcio certificate result.</summary>
FulcioCertificateResult Certificate,
/// <summary>The Rekor entry result (if transparency logging enabled).</summary>
RekorEntryResult? RekorEntry,
/// <summary>The public key used for signing (PEM format).</summary>
string PublicKey,
/// <summary>The algorithm used.</summary>
string Algorithm);

87
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreOptions.cs Normal file
View File

@@ -0,0 +1,87 @@
namespace StellaOps.Signer.Infrastructure.Sigstore;
/// <summary>
/// Configuration for self-hosted Sigstore infrastructure.
/// Supports on-premise deployments with custom Fulcio/Rekor endpoints.
/// </summary>
public sealed class SigstoreOptions
{
/// <summary>
/// Section name in configuration.
/// </summary>
public const string SectionName = "Sigstore";
/// <summary>
/// Gets or sets whether Sigstore keyless signing is enabled.
/// </summary>
public bool Enabled { get; set; }
/// <summary>
/// Gets or sets the Fulcio certificate authority URL.
/// For self-hosted: e.g., "https://fulcio.internal.example.com"
/// For public Sigstore: "https://fulcio.sigstore.dev"
/// </summary>
public string FulcioUrl { get; set; } = "https://fulcio.sigstore.dev";
/// <summary>
/// Gets or sets the Rekor transparency log URL.
/// For self-hosted: e.g., "https://rekor.internal.example.com"
/// For public Sigstore: "https://rekor.sigstore.dev"
/// </summary>
public string RekorUrl { get; set; } = "https://rekor.sigstore.dev";
/// <summary>
/// Gets or sets the OIDC issuer URL for identity tokens.
/// For self-hosted: e.g., "https://keycloak.internal.example.com/realms/stellaops"
/// For public: "https://oauth2.sigstore.dev/auth"
/// </summary>
public string OidcIssuer { get; set; } = "https://oauth2.sigstore.dev/auth";
/// <summary>
/// Gets or sets the OIDC client ID for token exchange.
/// </summary>
public string OidcClientId { get; set; } = "sigstore";
/// <summary>
/// Gets or sets the OIDC audience for token validation.
/// </summary>
public string OidcAudience { get; set; } = "sigstore";
/// <summary>
/// Gets or sets the path to custom CA certificate bundle for self-hosted TLS.
/// When null, system certificates are used.
/// </summary>
public string? CaBundlePath { get; set; }
/// <summary>
/// Gets or sets whether to skip TLS verification (NOT recommended for production).
/// </summary>
public bool InsecureSkipVerify { get; set; }
/// <summary>
/// Gets or sets the timeout for Sigstore API calls in seconds.
/// </summary>
public int TimeoutSeconds { get; set; } = 30;
/// <summary>
/// Gets or sets whether to require Rekor transparency log entry.
/// When true, signing fails if Rekor upload fails.
/// </summary>
public bool RequireRekorEntry { get; set; } = true;
/// <summary>
/// Gets or sets whether to embed the Signed Certificate Timestamp (SCT) in signatures.
/// </summary>
public bool EmbedSct { get; set; } = true;
/// <summary>
/// Gets or sets fallback to key-based signing if OIDC is unavailable.
/// </summary>
public bool FallbackToKeyBased { get; set; } = true;
/// <summary>
/// Gets or sets the certificate validity duration in minutes.
/// Fulcio issues short-lived certificates; default is 10 minutes.
/// </summary>
public int CertificateValidityMinutes { get; set; } = 10;
}

84
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,84 @@
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
namespace StellaOps.Signer.Infrastructure.Sigstore;
/// <summary>
/// Extension methods for registering Sigstore services.
/// </summary>
public static class SigstoreServiceCollectionExtensions
{
/// <summary>
/// Adds self-hosted Sigstore services (Fulcio + Rekor) for keyless signing.
/// </summary>
/// <param name="services">The service collection.</param>
/// <param name="configuration">Configuration containing Sigstore settings.</param>
/// <returns>The service collection for chaining.</returns>
public static IServiceCollection AddSigstoreKeylessSigning(
this IServiceCollection services,
IConfiguration configuration)
{
// Bind configuration
services.Configure<SigstoreOptions>(configuration.GetSection(SigstoreOptions.SectionName));
// Register Fulcio client with custom HttpClient
services.AddHttpClient<IFulcioClient, FulcioHttpClient>((sp, client) =>
{
var options = sp.GetRequiredService<IOptions<SigstoreOptions>>().Value;
client.BaseAddress = new Uri(options.FulcioUrl.TrimEnd('/') + "/");
client.Timeout = TimeSpan.FromSeconds(options.TimeoutSeconds);
})
.ConfigurePrimaryHttpMessageHandler(sp =>
{
var options = sp.GetRequiredService<IOptions<SigstoreOptions>>().Value;
return CreateHttpHandler(options);
});
// Register Rekor client with custom HttpClient
services.AddHttpClient<IRekorClient, RekorHttpClient>((sp, client) =>
{
var options = sp.GetRequiredService<IOptions<SigstoreOptions>>().Value;
client.BaseAddress = new Uri(options.RekorUrl.TrimEnd('/') + "/");
client.Timeout = TimeSpan.FromSeconds(options.TimeoutSeconds);
})
.ConfigurePrimaryHttpMessageHandler(sp =>
{
var options = sp.GetRequiredService<IOptions<SigstoreOptions>>().Value;
return CreateHttpHandler(options);
});
// Register orchestrating service
services.AddSingleton<ISigstoreSigningService, SigstoreSigningService>();
return services;
}
/// <summary>
/// Creates HTTP handler with custom CA bundle support for self-hosted deployments.
/// </summary>
private static HttpMessageHandler CreateHttpHandler(SigstoreOptions options)
{
var handler = new HttpClientHandler();
// Configure custom CA bundle for self-hosted TLS
if (!string.IsNullOrEmpty(options.CaBundlePath))
{
var customCert = X509Certificate2.CreateFromPemFile(options.CaBundlePath);
handler.ClientCertificates.Add(customCert);
}
// Allow insecure for development (NOT for production)
if (options.InsecureSkipVerify)
{
handler.ServerCertificateCustomValidationCallback =
HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
}
return handler;
}
}

200
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreSigningService.cs Normal file
View File

@@ -0,0 +1,200 @@
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Signer.Infrastructure.Sigstore;
/// <summary>
/// Orchestrates keyless signing using self-hosted Sigstore infrastructure.
/// Coordinates Fulcio (certificates) and Rekor (transparency) for complete keyless signing.
/// </summary>
public sealed class SigstoreSigningService : ISigstoreSigningService
{
private readonly IFulcioClient _fulcioClient;
private readonly IRekorClient _rekorClient;
private readonly SigstoreOptions _options;
private readonly TimeProvider _timeProvider;
private readonly ILogger<SigstoreSigningService> _logger;
public SigstoreSigningService(
IFulcioClient fulcioClient,
IRekorClient rekorClient,
IOptions<SigstoreOptions> options,
ILogger<SigstoreSigningService> logger,
TimeProvider? timeProvider = null)
{
_fulcioClient = fulcioClient ?? throw new ArgumentNullException(nameof(fulcioClient));
_rekorClient = rekorClient ?? throw new ArgumentNullException(nameof(rekorClient));
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_timeProvider = timeProvider ?? TimeProvider.System;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async ValueTask<SigstoreSigningResult> SignKeylessAsync(
byte[] artifactBytes,
string identityToken,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(artifactBytes);
ArgumentException.ThrowIfNullOrWhiteSpace(identityToken);
_logger.LogInformation("Starting Sigstore keyless signing for artifact of {Size} bytes", artifactBytes.Length);
// 1. Generate ephemeral key pair
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var publicKeyPem = ExportPublicKeyPem(ecdsa);
// 2. Compute artifact hash
var artifactHash = SHA256.HashData(artifactBytes);
var artifactHashHex = Convert.ToHexString(artifactHash).ToLowerInvariant();
// 3. Create proof of possession (sign the OIDC identity token)
var tokenBytes = Encoding.UTF8.GetBytes(identityToken);
var proofOfPossession = ecdsa.SignData(tokenBytes, HashAlgorithmName.SHA256);
// 4. Request certificate from Fulcio
_logger.LogDebug("Requesting signing certificate from Fulcio");
var certificate = await _fulcioClient.GetCertificateAsync(
identityToken,
publicKeyPem,
proofOfPossession,
cancellationToken).ConfigureAwait(false);
// 5. Sign the artifact
var signature = ecdsa.SignData(artifactBytes, HashAlgorithmName.SHA256);
var signatureBase64 = Convert.ToBase64String(signature);
_logger.LogDebug("Artifact signed with ephemeral key");
// 6. Upload to Rekor transparency log (if required)
RekorEntryResult? rekorEntry = null;
if (_options.RequireRekorEntry)
{
_logger.LogDebug("Uploading signature to Rekor transparency log");
try
{
rekorEntry = await _rekorClient.UploadAsync(
artifactHashHex,
signature,
publicKeyPem,
cancellationToken).ConfigureAwait(false);
_logger.LogInformation(
"Signature recorded in Rekor at log index {LogIndex} with UUID {Uuid}",
rekorEntry.LogIndex, rekorEntry.Uuid);
}
catch (RekorException ex) when (!_options.RequireRekorEntry)
{
_logger.LogWarning(ex, "Rekor upload failed but not required; continuing without transparency entry");
}
}
return new SigstoreSigningResult(
Signature: signatureBase64,
Certificate: certificate,
RekorEntry: rekorEntry,
PublicKey: publicKeyPem,
Algorithm: "ES256");
}
public async ValueTask<bool> VerifyKeylessAsync(
byte[] artifactBytes,
byte[] signature,
string certificate,
string? rekorUuid,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(artifactBytes);
ArgumentNullException.ThrowIfNull(signature);
ArgumentException.ThrowIfNullOrWhiteSpace(certificate);
_logger.LogDebug("Verifying keyless signature");
try
{
// 1. Parse certificate and extract public key
using var cert = System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromPem(certificate);
using var ecdsa = cert.GetECDsaPublicKey();
if (ecdsa is null)
{
_logger.LogWarning("Certificate does not contain ECDSA public key");
return false;
}
// 2. Verify signature
var isValidSignature = ecdsa.VerifyData(artifactBytes, signature, HashAlgorithmName.SHA256);
if (!isValidSignature)
{
_logger.LogWarning("Signature verification failed");
return false;
}
// 3. Check certificate validity
var now = _timeProvider.GetUtcNow();
if (now < cert.NotBefore || now > cert.NotAfter)
{
_logger.LogWarning(
"Certificate expired or not yet valid. NotBefore={NotBefore}, NotAfter={NotAfter}, Now={Now}",
cert.NotBefore, cert.NotAfter, now);
// Note: For keyless signing, certificate expiry at verification time is expected
// The important thing is that the certificate was valid at signing time
// This is proven by the Rekor entry timestamp
}
// 4. Verify Rekor entry if UUID provided
if (!string.IsNullOrEmpty(rekorUuid))
{
var entry = await _rekorClient.GetEntryAsync(rekorUuid, cancellationToken).ConfigureAwait(false);
if (entry is null)
{
_logger.LogWarning("Rekor entry {Uuid} not found", rekorUuid);
return false;
}
// Verify the entry timestamp is within certificate validity period
var entryTime = DateTimeOffset.FromUnixTimeSeconds(entry.IntegratedTime);
if (entryTime < cert.NotBefore || entryTime > cert.NotAfter)
{
_logger.LogWarning(
"Rekor entry timestamp {EntryTime} is outside certificate validity window",
entryTime);
return false;
}
_logger.LogDebug("Rekor entry verified at log index {LogIndex}", entry.LogIndex);
}
_logger.LogInformation("Keyless signature verification successful");
return true;
}
catch (Exception ex)
{
_logger.LogError(ex, "Keyless signature verification failed with exception");
return false;
}
}
private static string ExportPublicKeyPem(ECDsa ecdsa)
{
var publicKeyBytes = ecdsa.ExportSubjectPublicKeyInfo();
var base64 = Convert.ToBase64String(publicKeyBytes);
var sb = new StringBuilder();
sb.AppendLine("-----BEGIN PUBLIC KEY-----");
for (int i = 0; i < base64.Length; i += 64)
{
sb.AppendLine(base64.Substring(i, Math.Min(64, base64.Length - i)));
}
sb.AppendLine("-----END PUBLIC KEY-----");
return sb.ToString();
}
}

21
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/StellaOps.Signer.Infrastructure.csproj Normal file
View File

@@ -0,0 +1,21 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="..\StellaOps.Signer.Core\StellaOps.Signer.Core.csproj" />
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Cryptography\StellaOps.Cryptography.csproj" />
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Determinism.Abstractions\StellaOps.Determinism.Abstractions.csproj" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
<PackageReference Include="Microsoft.Extensions.Http" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
<PackageReference Include="Microsoft.Extensions.Options" />
<PackageReference Include="StackExchange.Redis" />
</ItemGroup>
</Project>

8
src/Attestor/StellaOps.Signer/StellaOps.Signer.Infrastructure/TASKS.md Normal file
View File

@@ -0,0 +1,8 @@
# StellaOps.Signer.Infrastructure Task Board
This board mirrors active sprint tasks for this module.
Source of truth: `docs/implplan/SPRINT_20260130_002_Tools_csproj_remediation_solid_review.md`.
| Task ID | Status | Notes |
| --- | --- | --- |
| REMED-05 | TODO | Remediation checklist: docs/implplan/audits/csproj-standards/remediation/checklists/src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/StellaOps.Signer.Infrastructure.md. |
| REMED-06 | DONE | SOLID review notes captured for SPRINT_20260130_002. |

411
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Auth/SignerAuthTests.cs Normal file
View File

@@ -0,0 +1,411 @@
// -----------------------------------------------------------------------------
// SignerAuthTests.cs
// Sprint: SPRINT_5100_0009_0006 - Signer Module Test Implementation
// Task: SIGNER-5100-012 - Add auth tests: verify signing requires elevated permissions; unauthorized requests denied
// Description: Authentication and authorization tests for Signer WebService
// -----------------------------------------------------------------------------
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using FluentAssertions;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;
namespace StellaOps.Signer.Tests.Auth;
/// <summary>
/// Authentication and authorization tests for Signer WebService.
/// Validates:
/// - Signing requires elevated permissions
/// - Unauthorized requests are denied
/// - Token validation (missing, invalid, expired)
/// - DPoP proof requirements
/// </summary>
[Trait("Category", "Auth")]
[Trait("Category", "Security")]
[Trait("Category", "W1")]
public sealed class SignerAuthTests : IClassFixture<WebApplicationFactory<Program>>
{
private readonly WebApplicationFactory<Program> _factory;
private readonly ITestOutputHelper _output;
public SignerAuthTests(WebApplicationFactory<Program> factory, ITestOutputHelper output)
{
_factory = factory;
_output = output;
}
#region Missing Token Tests
[Fact]
public async Task SignDsse_NoAuthHeader_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var content = JsonContent.Create(CreateBasicSignRequest());
// Act - no authorization header
var response = await client.PostAsync("/api/v1/signer/sign/dsse", content);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden);
_output.WriteLine("✓ No auth header → 401/403");
}
[Fact]
public async Task VerifyDsse_NoAuthHeader_MayBeAllowed()
{
// Arrange
var client = _factory.CreateClient();
var content = JsonContent.Create(new { bundle = new { } });
// Act - verification may have different auth requirements than signing
var response = await client.PostAsync("/api/v1/signer/verify/dsse", content);
// Assert - verify might be less restricted than sign
_output.WriteLine($"✓ Verify without auth → {response.StatusCode}");
// If 404, endpoint doesn't exist (skip)
if (response.StatusCode == HttpStatusCode.NotFound)
{
_output.WriteLine(" (verify endpoint not found)");
return;
}
// Document the auth requirement
var requiresAuth = response.StatusCode == HttpStatusCode.Unauthorized ||
response.StatusCode == HttpStatusCode.Forbidden;
_output.WriteLine($" Requires auth: {requiresAuth}");
}
#endregion
#region Invalid Token Tests
[Fact]
public async Task SignDsse_EmptyBearerToken_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden);
_output.WriteLine("✓ Empty bearer token → 401/403");
}
[Fact]
public async Task SignDsse_MalformedBearerToken_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "not.a.valid.jwt");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden);
_output.WriteLine("✓ Malformed bearer token → 401/403");
}
[Fact]
public async Task SignDsse_WrongAuthScheme_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Basic", "dXNlcjpwYXNz"); // user:pass
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden);
_output.WriteLine("✓ Wrong auth scheme (Basic) → 401/403");
}
[Fact]
public async Task SignDsse_RandomStringToken_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", Guid.NewGuid().ToString());
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden);
_output.WriteLine("✓ Random string token → 401/403");
}
#endregion
#region DPoP Tests
[Fact]
public async Task SignDsse_MissingDPoP_MayBeRequired()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Note: NOT adding DPoP header
// Act
var response = await client.SendAsync(request);
// Assert - DPoP may or may not be required
_output.WriteLine($"✓ Without DPoP → {response.StatusCode}");
if (response.StatusCode == HttpStatusCode.Forbidden)
{
_output.WriteLine(" DPoP appears to be required for signing");
}
}
[Fact]
public async Task SignDsse_MalformedDPoP_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "invalid-dpop-proof");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden,
HttpStatusCode.BadRequest);
_output.WriteLine($"✓ Malformed DPoP → {response.StatusCode}");
}
#endregion
#region Permission Tests
[Fact]
public async Task SignDsse_RequiresElevatedPermissions()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
// Use a stub token that passes validation but lacks signing permissions
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-readonly-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert - signing should require specific permissions
if (response.StatusCode == HttpStatusCode.Forbidden)
{
_output.WriteLine("✓ Signing requires elevated permissions (403 Forbidden)");
}
else
{
_output.WriteLine($" Response: {response.StatusCode} (stub token behavior)");
}
}
#endregion
#region Security Header Tests
[Fact]
public async Task Response_ShouldNotExposeSensitiveHeaders()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert - should not expose internal details
response.Headers.Should().NotContainKey("X-Powered-By");
response.Headers.Should().NotContainKey("Server"); // If present, should not expose version
_output.WriteLine("✓ Response does not expose sensitive headers");
}
[Fact]
public async Task Error_ShouldNotExposeStackTrace()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new { invalid = true })
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert
var content = await response.Content.ReadAsStringAsync();
content.Should().NotContain("System.Exception");
content.Should().NotContain("at StellaOps.");
content.Should().NotContain("StackTrace");
_output.WriteLine("✓ Error response does not expose stack trace");
}
#endregion
#region Injection Attack Tests
[Theory]
[InlineData("' OR '1'='1")]
[InlineData("'; DROP TABLE users; --")]
[InlineData("<script>alert('xss')</script>")]
[InlineData("{{7*7}}")]
[InlineData("${7*7}")]
public async Task SignDsse_InjectionInAuth_HandledSafely(string maliciousValue)
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", maliciousValue);
// Act
var response = await client.SendAsync(request);
// Assert - should reject, not execute
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden,
HttpStatusCode.BadRequest);
var content = await response.Content.ReadAsStringAsync();
content.Should().NotContain("49"); // 7*7 result
content.Should().NotContain("<script>");
_output.WriteLine($"✓ Injection '{maliciousValue[..Math.Min(20, maliciousValue.Length)]}...' handled safely");
}
#endregion
#region Token Replay Tests
[Fact]
public async Task SignDsse_TokenReplay_ShouldBeDetectable()
{
// Note: This tests the infrastructure for replay detection
// Actual replay detection depends on DPoP nonce or token tracking
var client = _factory.CreateClient();
var request1 = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request1.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request1.Headers.Add("DPoP", "stub-proof-1");
var request2 = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request2.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request2.Headers.Add("DPoP", "stub-proof-1"); // Same proof
// Act
var response1 = await client.SendAsync(request1);
var response2 = await client.SendAsync(request2);
// Assert - at minimum, document the behavior
_output.WriteLine($"✓ First request: {response1.StatusCode}");
_output.WriteLine($"✓ Second request (replay): {response2.StatusCode}");
// If replay detection is active, second should fail
if (response1.IsSuccessStatusCode && !response2.IsSuccessStatusCode)
{
_output.WriteLine(" Replay detection appears active");
}
}
#endregion
#region Helper Methods
private static object CreateBasicSignRequest()
{
return new
{
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e" }
}
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" }
};
}
#endregion
}

702
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Availability/PluginAvailabilityTests.cs Normal file
View File

@@ -0,0 +1,702 @@
// -----------------------------------------------------------------------------
// PluginAvailabilityTests.cs
// Sprint: SPRINT_5100_0009_0006 - Signer Module Test Implementation
// Task: SIGNER-5100-017 - Add plugin availability tests: plugin unavailable → graceful degradation or clear error
// Description: Tests for plugin availability detection and graceful degradation
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using FluentAssertions;
using Xunit;
namespace StellaOps.Signer.Tests.Availability;
/// <summary>
/// Tests for crypto plugin availability and graceful degradation.
/// Validates:
/// - Unavailable plugins return clear error codes
/// - Fallback to alternative plugins works when configured
/// - Plugin health checks report accurate status
/// - Error messages are deterministic and actionable
/// </summary>
[Trait("Category", "Availability")]
[Trait("Category", "GracefulDegradation")]
[Trait("Category", "Plugin")]
public sealed class PluginAvailabilityTests
{
private readonly ITestOutputHelper _output;
// Error codes for plugin availability
private const string PluginUnavailableCode = "SIGNER_PLUGIN_UNAVAILABLE";
private const string AlgorithmUnsupportedCode = "SIGNER_ALGORITHM_UNSUPPORTED";
private const string FallbackUsedCode = "SIGNER_FALLBACK_USED";
private const string NoPluginAvailableCode = "SIGNER_NO_PLUGIN_AVAILABLE";
public PluginAvailabilityTests(ITestOutputHelper output)
{
_output = output;
}
#region Plugin Unavailable Tests
[Fact]
public void UnavailablePlugin_ReturnsPluginUnavailableError()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new UnavailablePlugin("CryptoPro", "GOST_R3410_2012_256"));
// Act
var result = registry.TrySign("GOST_R3410_2012_256", CreateTestPayload());
// Assert
result.Success.Should().BeFalse();
result.ErrorCode.Should().Be(PluginUnavailableCode);
result.ErrorMessage.Should().Contain("CryptoPro");
result.ErrorMessage.Should().Contain("unavailable");
_output.WriteLine($"Error code: {result.ErrorCode}");
_output.WriteLine($"Error message: {result.ErrorMessage}");
}
[Fact]
public void UnavailablePlugin_ErrorMessageIsActionable()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new UnavailablePlugin("HSM-PKCS11", "ES256",
"HSM connection failed: Connection refused"));
// Act
var result = registry.TrySign("ES256", CreateTestPayload());
// Assert
result.Success.Should().BeFalse();
result.ErrorMessage.Should().Contain("HSM");
result.ErrorMessage.Should().Contain("Connection refused");
// Error should suggest remediation
result.Remediation.Should().NotBeNullOrEmpty();
_output.WriteLine($"Error: {result.ErrorMessage}");
_output.WriteLine($"Remediation: {result.Remediation}");
}
[Fact]
public void UnavailablePlugin_ErrorCodeIsDeterministic()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new UnavailablePlugin("TestPlugin", "TestAlgorithm"));
// Act - call multiple times
var results = Enumerable.Range(0, 5)
.Select(_ => registry.TrySign("TestAlgorithm", CreateTestPayload()))
.ToList();
// Assert - all error codes should be identical
results.Should().AllSatisfy(r =>
{
r.ErrorCode.Should().Be(PluginUnavailableCode);
});
_output.WriteLine("Deterministic error code verified across 5 calls");
}
#endregion
#region Algorithm Unsupported Tests
[Fact]
public void UnsupportedAlgorithm_ReturnsAlgorithmUnsupportedError()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new AvailablePlugin("BouncyCastle", new[] { "Ed25519", "ES256" }));
// Act
var result = registry.TrySign("GOST_R3410_2012_256", CreateTestPayload());
// Assert
result.Success.Should().BeFalse();
result.ErrorCode.Should().Be(AlgorithmUnsupportedCode);
result.ErrorMessage.Should().Contain("GOST_R3410_2012_256");
_output.WriteLine($"Error: {result.ErrorMessage}");
}
[Fact]
public void UnsupportedAlgorithm_ListsAvailableAlternatives()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new AvailablePlugin("BouncyCastle", new[] { "Ed25519", "ES256", "RS256" }));
// Act
var result = registry.TrySign("SM2", CreateTestPayload());
// Assert
result.Success.Should().BeFalse();
result.AvailableAlgorithms.Should().Contain("Ed25519");
result.AvailableAlgorithms.Should().Contain("ES256");
result.AvailableAlgorithms.Should().Contain("RS256");
_output.WriteLine($"Available alternatives: {string.Join(", ", result.AvailableAlgorithms)}");
}
#endregion
#region Fallback Plugin Tests
[Fact]
public void UnavailablePrimaryPlugin_FallbackToSecondary()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new UnavailablePlugin("CryptoPro-HSM", "ES256"), priority: 1);
registry.RegisterPlugin(new AvailablePlugin("BouncyCastle-Software", new[] { "ES256" }), priority: 2);
registry.EnableFallback = true;
// Act
var result = registry.TrySign("ES256", CreateTestPayload());
// Assert
result.Success.Should().BeTrue("fallback plugin should succeed");
result.UsedPlugin.Should().Be("BouncyCastle-Software");
result.WasFallback.Should().BeTrue();
_output.WriteLine($"Primary unavailable, used fallback: {result.UsedPlugin}");
}
[Fact]
public void FallbackUsed_IncludesWarningCode()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new UnavailablePlugin("PreferredPlugin", "Ed25519"), priority: 1);
registry.RegisterPlugin(new AvailablePlugin("FallbackPlugin", new[] { "Ed25519" }), priority: 2);
registry.EnableFallback = true;
// Act
var result = registry.TrySign("Ed25519", CreateTestPayload());
// Assert
result.Success.Should().BeTrue();
result.WarningCode.Should().Be(FallbackUsedCode);
result.WarningMessage.Should().Contain("fallback");
_output.WriteLine($"Warning: {result.WarningCode} - {result.WarningMessage}");
}
[Fact]
public void FallbackDisabled_NoFallbackAttempted()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new UnavailablePlugin("PrimaryPlugin", "Ed25519"), priority: 1);
registry.RegisterPlugin(new AvailablePlugin("FallbackPlugin", new[] { "Ed25519" }), priority: 2);
registry.EnableFallback = false; // Disabled
// Act
var result = registry.TrySign("Ed25519", CreateTestPayload());
// Assert
result.Success.Should().BeFalse("fallback is disabled");
result.ErrorCode.Should().Be(PluginUnavailableCode);
_output.WriteLine("Fallback disabled - failed as expected");
}
[Fact]
public void AllPluginsUnavailable_ReturnsNoPluginAvailableError()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new UnavailablePlugin("Plugin1", "Ed25519"));
registry.RegisterPlugin(new UnavailablePlugin("Plugin2", "Ed25519"));
registry.RegisterPlugin(new UnavailablePlugin("Plugin3", "Ed25519"));
registry.EnableFallback = true;
// Act
var result = registry.TrySign("Ed25519", CreateTestPayload());
// Assert
result.Success.Should().BeFalse();
result.ErrorCode.Should().Be(NoPluginAvailableCode);
result.ErrorMessage.Should().ContainEquivalentOf("no plugin available");
_output.WriteLine($"All plugins unavailable: {result.ErrorMessage}");
}
#endregion
#region Plugin Health Check Tests
[Fact]
public void PluginHealthCheck_ReportsAccurateStatus()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new AvailablePlugin("HealthyPlugin", new[] { "Ed25519" }));
registry.RegisterPlugin(new UnavailablePlugin("UnhealthyPlugin", "GOST"));
// Act
var healthReport = registry.GetHealthReport();
// Assert
_output.WriteLine("=== Plugin Health Report ===");
foreach (var plugin in healthReport.Plugins)
{
var status = plugin.IsHealthy ? "✓ Healthy" : "✗ Unhealthy";
_output.WriteLine($" {plugin.Name}: {status}");
if (!plugin.IsHealthy)
{
_output.WriteLine($" Reason: {plugin.HealthCheckError}");
}
}
healthReport.Plugins.Should().Contain(p => p.Name == "HealthyPlugin" && p.IsHealthy);
healthReport.Plugins.Should().Contain(p => p.Name == "UnhealthyPlugin" && !p.IsHealthy);
}
[Fact]
public void PluginHealthCheck_IncludesLastCheckTime()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new AvailablePlugin("TestPlugin", new[] { "Ed25519" }));
// Act
var healthReport = registry.GetHealthReport();
// Assert
healthReport.CheckedAt.Should().BeCloseTo(DateTime.UtcNow, TimeSpan.FromSeconds(5));
healthReport.Plugins.Should().AllSatisfy(p =>
p.LastChecked.Should().BeCloseTo(DateTime.UtcNow, TimeSpan.FromSeconds(5)));
_output.WriteLine($"Health check timestamp: {healthReport.CheckedAt:O}");
}
[Fact]
public void PluginHealthCheck_ListsCapabilities()
{
// Arrange
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new AvailablePlugin("MultiCapPlugin",
new[] { "Ed25519", "ES256", "ES384", "RS256" }));
// Act
var healthReport = registry.GetHealthReport();
var plugin = healthReport.Plugins.First(p => p.Name == "MultiCapPlugin");
// Assert
plugin.SupportedAlgorithms.Should().HaveCount(4);
plugin.SupportedAlgorithms.Should().Contain("Ed25519");
plugin.SupportedAlgorithms.Should().Contain("ES256");
_output.WriteLine($"Capabilities: {string.Join(", ", plugin.SupportedAlgorithms)}");
}
#endregion
#region Degraded Mode Tests
[Fact]
public void DegradedMode_PartialFunctionality()
{
// Arrange - some plugins available, some not
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new AvailablePlugin("BouncyCastle", new[] { "Ed25519", "ES256" }));
registry.RegisterPlugin(new UnavailablePlugin("CryptoPro", "GOST_R3410_2012_256"));
registry.RegisterPlugin(new UnavailablePlugin("SimRemote", "SM2"));
// Act
var status = registry.GetServiceStatus();
// Assert
status.Mode.Should().Be(ServiceMode.Degraded);
status.AvailableAlgorithms.Should().Contain("Ed25519");
status.AvailableAlgorithms.Should().Contain("ES256");
status.UnavailableAlgorithms.Should().Contain("GOST_R3410_2012_256");
status.UnavailableAlgorithms.Should().Contain("SM2");
_output.WriteLine($"Service mode: {status.Mode}");
_output.WriteLine($"Available: {string.Join(", ", status.AvailableAlgorithms)}");
_output.WriteLine($"Unavailable: {string.Join(", ", status.UnavailableAlgorithms)}");
}
[Fact]
public void FullyDegraded_ReturnsServiceUnavailable()
{
// Arrange - all plugins unavailable
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new UnavailablePlugin("Plugin1", "Ed25519"));
registry.RegisterPlugin(new UnavailablePlugin("Plugin2", "ES256"));
// Act
var status = registry.GetServiceStatus();
// Assert
status.Mode.Should().Be(ServiceMode.Unavailable);
status.AvailableAlgorithms.Should().BeEmpty();
_output.WriteLine($"Service mode: {status.Mode}");
}
[Fact]
public void FullyHealthy_ReturnsOperational()
{
// Arrange - all plugins available
var registry = new TestPluginRegistry();
registry.RegisterPlugin(new AvailablePlugin("Plugin1", new[] { "Ed25519" }));
registry.RegisterPlugin(new AvailablePlugin("Plugin2", new[] { "ES256" }));
// Act
var status = registry.GetServiceStatus();
// Assert
status.Mode.Should().Be(ServiceMode.Operational);
_output.WriteLine($"Service mode: {status.Mode}");
}
#endregion
#region Transient Failure Tests
[Fact]
public void TransientFailure_RetrySucceeds()
{
// Arrange
var plugin = new TransientFailurePlugin("FlakeyPlugin", "Ed25519", failCount: 2);
var registry = new TestPluginRegistry();
registry.RegisterPlugin(plugin);
registry.RetryCount = 3;
// Act
var result = registry.TrySignWithRetry("Ed25519", CreateTestPayload());
// Assert
result.Success.Should().BeTrue("should succeed after retries");
result.RetryCount.Should().Be(2, "should have retried twice before success");
_output.WriteLine($"Succeeded after {result.RetryCount} retries");
}
[Fact]
public void TransientFailure_ExceedsRetryLimit_Fails()
{
// Arrange
var plugin = new TransientFailurePlugin("FlakeyPlugin", "Ed25519", failCount: 5);
var registry = new TestPluginRegistry();
registry.RegisterPlugin(plugin);
registry.RetryCount = 3;
// Act
var result = registry.TrySignWithRetry("Ed25519", CreateTestPayload());
// Assert
result.Success.Should().BeFalse("should fail after exhausting retries");
result.RetryCount.Should().Be(3);
result.ErrorMessage.Should().Contain("exhausted");
_output.WriteLine($"Failed after {result.RetryCount} retries");
}
#endregion
#region Helper Methods
private static byte[] CreateTestPayload()
{
return Encoding.UTF8.GetBytes("{\"test\":\"payload\"}");
}
#endregion
#region Test Infrastructure
private enum ServiceMode { Operational, Degraded, Unavailable }
private record SignResult(
bool Success,
byte[]? Signature = null,
string ErrorCode = "",
string ErrorMessage = "",
string Remediation = "",
string WarningCode = "",
string WarningMessage = "",
string UsedPlugin = "",
bool WasFallback = false,
int RetryCount = 0,
IReadOnlyList<string>? AvailableAlgorithms = null);
private record HealthReport(
DateTime CheckedAt,
IReadOnlyList<PluginHealth> Plugins);
private record PluginHealth(
string Name,
bool IsHealthy,
string HealthCheckError,
DateTime LastChecked,
IReadOnlyList<string> SupportedAlgorithms);
private record ServiceStatus(
ServiceMode Mode,
IReadOnlyList<string> AvailableAlgorithms,
IReadOnlyList<string> UnavailableAlgorithms);
private interface ITestPlugin
{
string Name { get; }
bool IsAvailable { get; }
string AvailabilityError { get; }
IReadOnlyList<string> SupportedAlgorithms { get; }
byte[] Sign(byte[] payload);
}
private sealed class AvailablePlugin : ITestPlugin
{
private readonly byte[] _key;
public AvailablePlugin(string name, string[] algorithms)
{
Name = name;
SupportedAlgorithms = algorithms;
_key = SHA256.HashData(Encoding.UTF8.GetBytes(name));
}
public string Name { get; }
public bool IsAvailable => true;
public string AvailabilityError => "";
public IReadOnlyList<string> SupportedAlgorithms { get; }
public byte[] Sign(byte[] payload)
{
using var hmac = new HMACSHA256(_key);
return hmac.ComputeHash(payload);
}
}
private sealed class UnavailablePlugin : ITestPlugin
{
public UnavailablePlugin(string name, string algorithm, string error = "Plugin unavailable")
{
Name = name;
SupportedAlgorithms = new[] { algorithm };
AvailabilityError = error;
}
public string Name { get; }
public bool IsAvailable => false;
public string AvailabilityError { get; }
public IReadOnlyList<string> SupportedAlgorithms { get; }
public byte[] Sign(byte[] payload)
{
throw new InvalidOperationException(AvailabilityError);
}
}
private sealed class TransientFailurePlugin : ITestPlugin
{
private readonly byte[] _key;
private int _failuresRemaining;
public TransientFailurePlugin(string name, string algorithm, int failCount)
{
Name = name;
SupportedAlgorithms = new[] { algorithm };
_failuresRemaining = failCount;
_key = SHA256.HashData(Encoding.UTF8.GetBytes(name));
}
public string Name { get; }
public bool IsAvailable => true;
public string AvailabilityError => "";
public IReadOnlyList<string> SupportedAlgorithms { get; }
public byte[] Sign(byte[] payload)
{
if (_failuresRemaining > 0)
{
_failuresRemaining--;
throw new InvalidOperationException("Transient failure");
}
using var hmac = new HMACSHA256(_key);
return hmac.ComputeHash(payload);
}
}
private sealed class TestPluginRegistry
{
private readonly List<(ITestPlugin Plugin, int Priority)> _plugins = new();
public bool EnableFallback { get; set; } = false;
public int RetryCount { get; set; } = 0;
public void RegisterPlugin(ITestPlugin plugin, int priority = 0)
{
_plugins.Add((plugin, priority));
}
public SignResult TrySign(string algorithm, byte[] payload)
{
var availableAlgorithms = _plugins
.Where(p => p.Plugin.IsAvailable)
.SelectMany(p => p.Plugin.SupportedAlgorithms)
.Distinct()
.ToList();
var candidates = _plugins
.Where(p => p.Plugin.SupportedAlgorithms.Contains(algorithm))
.OrderBy(p => p.Priority)
.ToList();
if (!candidates.Any())
{
return new SignResult(
Success: false,
ErrorCode: AlgorithmUnsupportedCode,
ErrorMessage: $"Algorithm '{algorithm}' not supported by any registered plugin",
AvailableAlgorithms: availableAlgorithms);
}
foreach (var (plugin, _) in candidates)
{
if (!plugin.IsAvailable)
{
if (!EnableFallback)
{
return new SignResult(
Success: false,
ErrorCode: PluginUnavailableCode,
ErrorMessage: $"Plugin '{plugin.Name}' unavailable: {plugin.AvailabilityError}",
Remediation: "Check plugin configuration and connectivity");
}
continue; // Try fallback
}
try
{
var signature = plugin.Sign(payload);
var wasFallback = candidates.First().Plugin != plugin;
return new SignResult(
Success: true,
Signature: signature,
UsedPlugin: plugin.Name,
WasFallback: wasFallback,
WarningCode: wasFallback ? FallbackUsedCode : "",
WarningMessage: wasFallback ? $"Using fallback plugin {plugin.Name}" : "",
AvailableAlgorithms: availableAlgorithms);
}
catch (Exception ex)
{
if (!EnableFallback)
{
return new SignResult(
Success: false,
ErrorCode: PluginUnavailableCode,
ErrorMessage: $"Plugin '{plugin.Name}' failed: {ex.Message}",
AvailableAlgorithms: availableAlgorithms);
}
}
}
return new SignResult(
Success: false,
ErrorCode: NoPluginAvailableCode,
ErrorMessage: $"No plugin available for algorithm '{algorithm}'",
AvailableAlgorithms: availableAlgorithms);
}
public SignResult TrySignWithRetry(string algorithm, byte[] payload)
{
var retries = 0;
var candidates = _plugins
.Where(p => p.Plugin.SupportedAlgorithms.Contains(algorithm))
.OrderBy(p => p.Priority)
.ToList();
if (!candidates.Any())
{
return new SignResult(
Success: false,
ErrorCode: AlgorithmUnsupportedCode,
ErrorMessage: $"Algorithm '{algorithm}' not supported");
}
var plugin = candidates.First().Plugin;
while (true)
{
try
{
var signature = plugin.Sign(payload);
return new SignResult(
Success: true,
Signature: signature,
UsedPlugin: plugin.Name,
RetryCount: retries);
}
catch
{
if (retries >= RetryCount)
{
break;
}
retries++;
}
}
return new SignResult(
Success: false,
ErrorCode: PluginUnavailableCode,
ErrorMessage: $"Retries exhausted after {retries} retries",
RetryCount: retries);
}
public HealthReport GetHealthReport()
{
var now = DateTime.UtcNow;
var pluginHealths = _plugins.Select(p => new PluginHealth(
Name: p.Plugin.Name,
IsHealthy: p.Plugin.IsAvailable,
HealthCheckError: p.Plugin.AvailabilityError,
LastChecked: now,
SupportedAlgorithms: p.Plugin.SupportedAlgorithms.ToList()
)).ToList();
return new HealthReport(now, pluginHealths);
}
public ServiceStatus GetServiceStatus()
{
var available = _plugins
.Where(p => p.Plugin.IsAvailable)
.SelectMany(p => p.Plugin.SupportedAlgorithms)
.Distinct()
.ToList();
var unavailable = _plugins
.Where(p => !p.Plugin.IsAvailable)
.SelectMany(p => p.Plugin.SupportedAlgorithms)
.Except(available)
.Distinct()
.ToList();
var mode = available.Any()
? (unavailable.Any() ? ServiceMode.Degraded : ServiceMode.Operational)
: ServiceMode.Unavailable;
return new ServiceStatus(mode, available, unavailable);
}
}
#endregion
}

416
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Ceremonies/CeremonyOrchestratorIntegrationTests.cs Normal file
View File

@@ -0,0 +1,416 @@
// -----------------------------------------------------------------------------
// CeremonyOrchestratorIntegrationTests.cs
// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies
// Task: DUAL-012
// Description: Integration tests for multi-approver ceremony workflows.
// -----------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using FluentAssertions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using NSubstitute;
using StellaOps.Signer.Core.Ceremonies;
using StellaOps.TestKit;
using Xunit;
namespace StellaOps.Signer.Tests.Ceremonies;
/// <summary>
/// Integration tests for dual-control ceremony workflows.
/// Tests full ceremony lifecycle including multi-approver scenarios.
/// </summary>
[Trait("Category", TestCategories.Integration)]
public sealed class CeremonyOrchestratorIntegrationTests : IAsyncLifetime
{
private readonly ICeremonyRepository _mockRepository;
private readonly ICeremonyAuditSink _mockAuditSink;
private readonly ICeremonyApproverValidator _mockApproverValidator;
private readonly MockTimeProvider _mockTimeProvider;
private readonly CeremonyOrchestrator _orchestrator;
private readonly Dictionary<Guid, Ceremony> _ceremoniesStore;
private readonly List<CeremonyAuditEvent> _auditEvents;
public CeremonyOrchestratorIntegrationTests()
{
_mockRepository = Substitute.For<ICeremonyRepository>();
_mockAuditSink = Substitute.For<ICeremonyAuditSink>();
_mockApproverValidator = Substitute.For<ICeremonyApproverValidator>();
_mockTimeProvider = new MockTimeProvider();
_ceremoniesStore = new Dictionary<Guid, Ceremony>();
_auditEvents = new List<CeremonyAuditEvent>();
var options = Options.Create(new CeremonyOptions
{
Enabled = true,
DefaultThreshold = 2,
ExpirationMinutes = 60
});
var logger = Substitute.For<ILogger<CeremonyOrchestrator>>();
SetupRepositoryMock();
SetupAuditSinkMock();
SetupApproverValidatorMock();
_orchestrator = new CeremonyOrchestrator(
_mockRepository,
_mockAuditSink,
_mockApproverValidator,
_mockTimeProvider,
options,
logger);
}
public ValueTask InitializeAsync() => ValueTask.CompletedTask;
public ValueTask DisposeAsync() => ValueTask.CompletedTask;
#region Creation Tests
[Fact]
public async Task CreateCeremony_WithValidRequest_Succeeds()
{
// Arrange
var request = new CreateCeremonyRequest
{
OperationType = CeremonyOperationType.KeyRotation,
Payload = new CeremonyOperationPayload
{
KeyId = "signing-key-001",
Reason = "Scheduled rotation"
},
ThresholdOverride = 2
};
// Act
var result = await _orchestrator.CreateCeremonyAsync(request, "initiator@example.com");
// Assert
result.Success.Should().BeTrue();
result.Ceremony.Should().NotBeNull();
result.Ceremony!.State.Should().Be(CeremonyState.Pending);
result.Ceremony.OperationType.Should().Be(CeremonyOperationType.KeyRotation);
}
[Fact]
public async Task CreateCeremony_WithSingleApprover_ApprovedImmediately()
{
// Arrange - threshold of 1
var request = new CreateCeremonyRequest
{
OperationType = CeremonyOperationType.KeyRotation,
Payload = new CeremonyOperationPayload
{
KeyId = "minor-key",
Reason = "Minor rotation"
},
ThresholdOverride = 1
};
// Create
var createResult = await _orchestrator.CreateCeremonyAsync(request, "initiator@example.com");
createResult.Success.Should().BeTrue();
var ceremonyId = createResult.Ceremony!.CeremonyId;
// Single approval should immediately move to Approved
var approvalResult = await _orchestrator.ApproveCeremonyAsync(
new ApproveCeremonyRequest
{
CeremonyId = ceremonyId,
ApprovalSignature = Convert.FromBase64String("c2lnbmF0dXJl"),
ApprovalReason = "Approved"
},
"approver@example.com");
approvalResult.Success.Should().BeTrue();
approvalResult.Ceremony!.State.Should().Be(CeremonyState.Approved);
}
#endregion
#region Approval Tests
[Fact]
public async Task ApproveCeremony_DuplicateApprover_IsRejected()
{
// Arrange
var request = new CreateCeremonyRequest
{
OperationType = CeremonyOperationType.KeyRotation,
Payload = new CeremonyOperationPayload { KeyId = "key-001" },
ThresholdOverride = 2
};
var createResult = await _orchestrator.CreateCeremonyAsync(request, "initiator@example.com");
var ceremonyId = createResult.Ceremony!.CeremonyId;
// First approval succeeds
var approval1 = await _orchestrator.ApproveCeremonyAsync(
new ApproveCeremonyRequest
{
CeremonyId = ceremonyId,
ApprovalSignature = Convert.FromBase64String("c2lnMQ=="),
ApprovalReason = "First"
},
"approver@example.com");
approval1.Success.Should().BeTrue();
// Second approval from same approver should fail
var approval2 = await _orchestrator.ApproveCeremonyAsync(
new ApproveCeremonyRequest
{
CeremonyId = ceremonyId,
ApprovalSignature = Convert.FromBase64String("c2lnMg=="),
ApprovalReason = "Second"
},
"approver@example.com");
approval2.Success.Should().BeFalse();
approval2.ErrorCode.Should().Be(CeremonyErrorCode.DuplicateApproval);
}
#endregion
#region Cancellation Tests
[Fact]
public async Task CancelCeremony_WhenPending_Succeeds()
{
// Arrange
var request = new CreateCeremonyRequest
{
OperationType = CeremonyOperationType.KeyRotation,
Payload = new CeremonyOperationPayload { KeyId = "key-001" }
};
var createResult = await _orchestrator.CreateCeremonyAsync(request, "initiator@example.com");
var ceremonyId = createResult.Ceremony!.CeremonyId;
// Act
var cancelResult = await _orchestrator.CancelCeremonyAsync(
ceremonyId,
"admin@example.com",
"Cancelled for testing");
// Assert
cancelResult.Success.Should().BeTrue();
cancelResult.Ceremony!.State.Should().Be(CeremonyState.Cancelled);
}
[Fact]
public async Task CancelledCeremony_CannotBeApproved()
{
// Arrange
var request = new CreateCeremonyRequest
{
OperationType = CeremonyOperationType.KeyRotation,
Payload = new CeremonyOperationPayload { KeyId = "key-001" }
};
var createResult = await _orchestrator.CreateCeremonyAsync(request, "initiator@example.com");
var ceremonyId = createResult.Ceremony!.CeremonyId;
// Cancel
await _orchestrator.CancelCeremonyAsync(ceremonyId, "admin@example.com", "Cancelled");
// Attempt approval should fail
var approval = await _orchestrator.ApproveCeremonyAsync(
new ApproveCeremonyRequest
{
CeremonyId = ceremonyId,
ApprovalSignature = Convert.FromBase64String("c2ln"),
ApprovalReason = "Too late"
},
"approver@example.com");
approval.Success.Should().BeFalse();
}
#endregion
#region Get and List Tests
[Fact]
public async Task GetCeremony_WhenExists_ReturnsCeremony()
{
// Arrange
var request = new CreateCeremonyRequest
{
OperationType = CeremonyOperationType.KeyGeneration,
Payload = new CeremonyOperationPayload
{
Algorithm = "ed25519",
Reason = "New signing key"
}
};
var createResult = await _orchestrator.CreateCeremonyAsync(request, "initiator@example.com");
var ceremonyId = createResult.Ceremony!.CeremonyId;
// Act
var ceremony = await _orchestrator.GetCeremonyAsync(ceremonyId);
// Assert
ceremony.Should().NotBeNull();
ceremony!.CeremonyId.Should().Be(ceremonyId);
}
[Fact]
public async Task ListCeremonies_WithFilter_ReturnsFilteredResults()
{
// Arrange - create multiple ceremonies
for (int i = 0; i < 3; i++)
{
await _orchestrator.CreateCeremonyAsync(new CreateCeremonyRequest
{
OperationType = CeremonyOperationType.KeyRotation,
Payload = new CeremonyOperationPayload { KeyId = $"key-{i}" }
}, "initiator@example.com");
}
// Act
var ceremonies = await _orchestrator.ListCeremoniesAsync(new CeremonyFilter
{
State = CeremonyState.Pending
});
// Assert
ceremonies.Should().HaveCount(3);
ceremonies.Should().OnlyContain(c => c.State == CeremonyState.Pending);
}
#endregion
#region Setup Helpers
private void SetupRepositoryMock()
{
_mockRepository
.CreateAsync(Arg.Any<Ceremony>(), Arg.Any<CancellationToken>())
.Returns(callInfo =>
{
var c = callInfo.Arg<Ceremony>();
_ceremoniesStore[c.CeremonyId] = c;
return Task.FromResult(c);
});
_mockRepository
.GetByIdAsync(Arg.Any<Guid>(), Arg.Any<CancellationToken>())
.Returns(callInfo =>
{
var id = callInfo.Arg<Guid>();
_ceremoniesStore.TryGetValue(id, out var ceremony);
return Task.FromResult(ceremony);
});
_mockRepository
.UpdateStateAsync(
Arg.Any<Guid>(),
Arg.Any<CeremonyState>(),
Arg.Any<int>(),
Arg.Any<DateTimeOffset?>(),
Arg.Any<CancellationToken>())
.Returns(callInfo =>
{
var id = callInfo.Arg<Guid>();
var state = callInfo.ArgAt<CeremonyState>(1);
var threshold = callInfo.ArgAt<int>(2);
if (_ceremoniesStore.TryGetValue(id, out var c))
{
var updated = c with { State = state, ThresholdReached = threshold };
_ceremoniesStore[id] = updated;
return Task.FromResult<Ceremony?>(updated);
}
return Task.FromResult<Ceremony?>(null);
});
_mockRepository
.ListAsync(Arg.Any<CeremonyFilter>(), Arg.Any<CancellationToken>())
.Returns(callInfo =>
{
var filter = callInfo.Arg<CeremonyFilter>();
var query = _ceremoniesStore.Values.AsEnumerable();
if (filter?.State != null)
query = query.Where(c => c.State == filter.State.Value);
if (filter?.OperationType != null)
query = query.Where(c => c.OperationType == filter.OperationType);
return Task.FromResult(query.ToList() as IReadOnlyList<Ceremony>);
});
_mockRepository
.AddApprovalAsync(Arg.Any<CeremonyApproval>(), Arg.Any<CancellationToken>())
.Returns(callInfo =>
{
var approval = callInfo.Arg<CeremonyApproval>();
// Update the ceremony in the store with the new approval
if (_ceremoniesStore.TryGetValue(approval.CeremonyId, out var ceremony))
{
var newApprovals = ceremony.Approvals.ToList();
newApprovals.Add(approval);
_ceremoniesStore[approval.CeremonyId] = ceremony with { Approvals = newApprovals };
}
return Task.FromResult(approval);
});
_mockRepository
.HasApprovedAsync(Arg.Any<Guid>(), Arg.Any<string>(), Arg.Any<CancellationToken>())
.Returns(callInfo =>
{
var ceremonyId = callInfo.Arg<Guid>();
var approverIdentity = callInfo.ArgAt<string>(1);
// Check if already approved (simple check)
if (_ceremoniesStore.TryGetValue(ceremonyId, out var ceremony))
{
var alreadyApproved = ceremony.Approvals.Any(a => a.ApproverIdentity == approverIdentity);
return Task.FromResult(alreadyApproved);
}
return Task.FromResult(false);
});
}
private void SetupAuditSinkMock()
{
_mockAuditSink
.WriteAsync(Arg.Any<CeremonyAuditEvent>(), Arg.Any<CancellationToken>())
.Returns(callInfo =>
{
var evt = callInfo.Arg<CeremonyAuditEvent>();
_auditEvents.Add(evt);
return Task.CompletedTask;
});
}
private void SetupApproverValidatorMock()
{
// Default: all approvers valid
_mockApproverValidator
.ValidateApproverAsync(
Arg.Any<string>(),
Arg.Any<CeremonyOperationType>(),
Arg.Any<byte[]>(),
Arg.Any<CancellationToken>())
.Returns(new ApproverValidationResult { IsValid = true });
}
#endregion
}
/// <summary>
/// Mock time provider for testing time-dependent behavior.
/// </summary>
internal sealed class MockTimeProvider : TimeProvider
{
private DateTimeOffset _now = DateTimeOffset.UtcNow;
public override DateTimeOffset GetUtcNow() => _now;
public void Advance(TimeSpan duration) => _now = _now.Add(duration);
public void SetNow(DateTimeOffset now) => _now = now;
}

162
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Ceremonies/CeremonyStateMachineTests.cs Normal file
View File

@@ -0,0 +1,162 @@
// -----------------------------------------------------------------------------
// CeremonyStateMachineTests.cs
// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies
// Tasks: DUAL-011
// Description: Unit tests for ceremony state machine.
// -----------------------------------------------------------------------------
using StellaOps.Signer.Core.Ceremonies;
using Xunit;
namespace StellaOps.Signer.Tests.Ceremonies;
[Trait("Category", "Unit")]
public sealed class CeremonyStateMachineTests
{
[Theory]
[InlineData(CeremonyState.Pending, CeremonyState.PartiallyApproved, true)]
[InlineData(CeremonyState.Pending, CeremonyState.Approved, true)]
[InlineData(CeremonyState.Pending, CeremonyState.Expired, true)]
[InlineData(CeremonyState.Pending, CeremonyState.Cancelled, true)]
[InlineData(CeremonyState.Pending, CeremonyState.Executed, false)]
[InlineData(CeremonyState.PartiallyApproved, CeremonyState.PartiallyApproved, true)]
[InlineData(CeremonyState.PartiallyApproved, CeremonyState.Approved, true)]
[InlineData(CeremonyState.PartiallyApproved, CeremonyState.Expired, true)]
[InlineData(CeremonyState.PartiallyApproved, CeremonyState.Cancelled, true)]
[InlineData(CeremonyState.PartiallyApproved, CeremonyState.Pending, false)]
[InlineData(CeremonyState.Approved, CeremonyState.Executed, true)]
[InlineData(CeremonyState.Approved, CeremonyState.Expired, true)]
[InlineData(CeremonyState.Approved, CeremonyState.Cancelled, true)]
[InlineData(CeremonyState.Approved, CeremonyState.Pending, false)]
[InlineData(CeremonyState.Approved, CeremonyState.PartiallyApproved, false)]
[InlineData(CeremonyState.Executed, CeremonyState.Pending, false)]
[InlineData(CeremonyState.Executed, CeremonyState.Cancelled, false)]
[InlineData(CeremonyState.Expired, CeremonyState.Pending, false)]
[InlineData(CeremonyState.Expired, CeremonyState.Approved, false)]
[InlineData(CeremonyState.Cancelled, CeremonyState.Pending, false)]
[InlineData(CeremonyState.Cancelled, CeremonyState.Approved, false)]
public void IsValidTransition_ReturnsExpectedResult(
CeremonyState currentState,
CeremonyState targetState,
bool expected)
{
var result = CeremonyStateMachine.IsValidTransition(currentState, targetState);
Assert.Equal(expected, result);
}
[Fact]
public void IsValidTransition_SameState_ReturnsFalse()
{
foreach (var state in Enum.GetValues<CeremonyState>())
{
// PartiallyApproved -> PartiallyApproved is intentionally allowed (more approvals)
if (state == CeremonyState.PartiallyApproved)
{
Assert.True(CeremonyStateMachine.IsValidTransition(state, state));
}
else
{
Assert.False(CeremonyStateMachine.IsValidTransition(state, state));
}
}
}
[Theory]
[InlineData(CeremonyState.Pending, 2, 1, CeremonyState.PartiallyApproved)]
[InlineData(CeremonyState.Pending, 2, 2, CeremonyState.Approved)]
[InlineData(CeremonyState.Pending, 1, 1, CeremonyState.Approved)]
[InlineData(CeremonyState.PartiallyApproved, 3, 2, CeremonyState.PartiallyApproved)]
[InlineData(CeremonyState.PartiallyApproved, 3, 3, CeremonyState.Approved)]
[InlineData(CeremonyState.PartiallyApproved, 2, 3, CeremonyState.Approved)] // Over threshold
public void ComputeStateAfterApproval_ReturnsExpectedState(
CeremonyState currentState,
int thresholdRequired,
int thresholdReached,
CeremonyState expectedState)
{
var result = CeremonyStateMachine.ComputeStateAfterApproval(
currentState,
thresholdRequired,
thresholdReached);
Assert.Equal(expectedState, result);
}
[Theory]
[InlineData(CeremonyState.Executed)]
[InlineData(CeremonyState.Expired)]
[InlineData(CeremonyState.Cancelled)]
public void ComputeStateAfterApproval_TerminalState_ThrowsException(CeremonyState state)
{
Assert.Throws<InvalidOperationException>(() =>
CeremonyStateMachine.ComputeStateAfterApproval(state, 2, 1));
}
[Theory]
[InlineData(CeremonyState.Pending, true)]
[InlineData(CeremonyState.PartiallyApproved, true)]
[InlineData(CeremonyState.Approved, false)]
[InlineData(CeremonyState.Executed, false)]
[InlineData(CeremonyState.Expired, false)]
[InlineData(CeremonyState.Cancelled, false)]
public void CanAcceptApproval_ReturnsExpectedResult(CeremonyState state, bool expected)
{
Assert.Equal(expected, CeremonyStateMachine.CanAcceptApproval(state));
}
[Theory]
[InlineData(CeremonyState.Pending, false)]
[InlineData(CeremonyState.PartiallyApproved, false)]
[InlineData(CeremonyState.Approved, true)]
[InlineData(CeremonyState.Executed, false)]
[InlineData(CeremonyState.Expired, false)]
[InlineData(CeremonyState.Cancelled, false)]
public void CanExecute_ReturnsExpectedResult(CeremonyState state, bool expected)
{
Assert.Equal(expected, CeremonyStateMachine.CanExecute(state));
}
[Theory]
[InlineData(CeremonyState.Pending, true)]
[InlineData(CeremonyState.PartiallyApproved, true)]
[InlineData(CeremonyState.Approved, true)]
[InlineData(CeremonyState.Executed, false)]
[InlineData(CeremonyState.Expired, false)]
[InlineData(CeremonyState.Cancelled, false)]
public void CanCancel_ReturnsExpectedResult(CeremonyState state, bool expected)
{
Assert.Equal(expected, CeremonyStateMachine.CanCancel(state));
}
[Theory]
[InlineData(CeremonyState.Pending, false)]
[InlineData(CeremonyState.PartiallyApproved, false)]
[InlineData(CeremonyState.Approved, false)]
[InlineData(CeremonyState.Executed, true)]
[InlineData(CeremonyState.Expired, true)]
[InlineData(CeremonyState.Cancelled, true)]
public void IsTerminalState_ReturnsExpectedResult(CeremonyState state, bool expected)
{
Assert.Equal(expected, CeremonyStateMachine.IsTerminalState(state));
}
[Fact]
public void GetStateDescription_ReturnsNonEmptyString()
{
foreach (var state in Enum.GetValues<CeremonyState>())
{
var description = CeremonyStateMachine.GetStateDescription(state);
Assert.False(string.IsNullOrWhiteSpace(description));
}
}
[Theory]
[InlineData(CeremonyState.Pending, "Awaiting approvals")]
[InlineData(CeremonyState.Approved, "All approvals received, ready for execution")]
[InlineData(CeremonyState.Executed, "Operation executed successfully")]
[InlineData(CeremonyState.Expired, "Ceremony expired before completion")]
public void GetStateDescription_ReturnsExpectedDescription(CeremonyState state, string expected)
{
Assert.Equal(expected, CeremonyStateMachine.GetStateDescription(state));
}
}

183
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Contract/PredicateTypesTests.cs Normal file
View File

@@ -0,0 +1,183 @@
// <copyright file="PredicateTypesTests.cs" company="StellaOps">
// SPDX-License-Identifier: BUSL-1.1
// Sprint: SPRINT_20260112_015_SIGNER_path_witness_predicate (SIGNER-PW-002)
// </copyright>
using FluentAssertions;
using StellaOps.Signer.Core;
using StellaOps.TestKit;
using Xunit;
namespace StellaOps.Signer.Tests.Contract;
/// <summary>
/// Tests for PredicateTypes classification and allowlist behavior.
/// Sprint: SPRINT_20260112_015_SIGNER_path_witness_predicate (SIGNER-PW-002)
/// </summary>
[Trait("Category", TestCategories.Unit)]
public sealed class PredicateTypesTests
{
[Theory]
[InlineData(PredicateTypes.PathWitnessCanonical)]
[InlineData(PredicateTypes.PathWitnessAlias1)]
[InlineData(PredicateTypes.PathWitnessAlias2)]
// Note: StellaOpsPathWitness equals PathWitnessAlias1, so not included to avoid duplicate
public void IsPathWitnessType_ReturnsTrueForAllPathWitnessTypes(string predicateType)
{
// Act
var result = PredicateTypes.IsPathWitnessType(predicateType);
// Assert
result.Should().BeTrue($"{predicateType} should be recognized as a path witness type");
}
[Theory]
[InlineData(PredicateTypes.StellaOpsSbom)]
[InlineData(PredicateTypes.StellaOpsVex)]
[InlineData(PredicateTypes.StellaOpsPolicy)]
[InlineData(PredicateTypes.SlsaProvenanceV1)]
[InlineData("some-unknown-type")]
public void IsPathWitnessType_ReturnsFalseForNonPathWitnessTypes(string predicateType)
{
// Act
var result = PredicateTypes.IsPathWitnessType(predicateType);
// Assert
result.Should().BeFalse($"{predicateType} should not be recognized as a path witness type");
}
[Theory]
[InlineData(PredicateTypes.PathWitnessCanonical)]
[InlineData(PredicateTypes.PathWitnessAlias1)]
[InlineData(PredicateTypes.PathWitnessAlias2)]
// Note: StellaOpsPathWitness equals PathWitnessAlias1, so not included to avoid duplicate
public void IsReachabilityRelatedType_ReturnsTrueForPathWitnessTypes(string predicateType)
{
// Act
var result = PredicateTypes.IsReachabilityRelatedType(predicateType);
// Assert
result.Should().BeTrue($"{predicateType} should be classified as reachability-related");
}
[Theory]
[InlineData(PredicateTypes.StellaOpsGraph)]
[InlineData(PredicateTypes.StellaOpsReachabilityWitness)]
[InlineData(PredicateTypes.StellaOpsReachabilityDrift)]
public void IsReachabilityRelatedType_ReturnsTrueForOtherReachabilityTypes(string predicateType)
{
// Act
var result = PredicateTypes.IsReachabilityRelatedType(predicateType);
// Assert
result.Should().BeTrue($"{predicateType} should be classified as reachability-related");
}
[Fact]
public void GetAllowedPredicateTypes_ContainsAllPathWitnessTypes()
{
// Act
var allowedTypes = PredicateTypes.GetAllowedPredicateTypes().ToList();
// Assert
allowedTypes.Should().Contain(PredicateTypes.PathWitnessCanonical);
allowedTypes.Should().Contain(PredicateTypes.PathWitnessAlias1);
allowedTypes.Should().Contain(PredicateTypes.PathWitnessAlias2);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsPathWitness);
}
[Theory]
[InlineData(PredicateTypes.PathWitnessCanonical)]
[InlineData(PredicateTypes.PathWitnessAlias1)]
[InlineData(PredicateTypes.PathWitnessAlias2)]
// Note: StellaOpsPathWitness equals PathWitnessAlias1, so not included to avoid duplicate
public void IsAllowedPredicateType_ReturnsTrueForPathWitnessTypes(string predicateType)
{
// Act
var result = PredicateTypes.IsAllowedPredicateType(predicateType);
// Assert
result.Should().BeTrue($"{predicateType} should be in the allowed predicate list");
}
[Theory]
[InlineData("https://stella.ops/predicates/path-witness/v1")]
[InlineData("https://stella.ops/pathWitness/v1")]
[InlineData("https://stella.ops/other/predicate")]
[InlineData("https://stella-ops.org/predicates/test")]
public void IsStellaOpsType_RecognizesStellaOpsUriPrefixes(string predicateType)
{
// Act
var result = PredicateTypes.IsStellaOpsType(predicateType);
// Assert
result.Should().BeTrue($"{predicateType} should be recognized as a StellaOps type");
}
[Theory]
[InlineData("stella.ops/pathWitness@v1")]
[InlineData("stella.ops/sbom@v1")]
[InlineData("stella.ops/vex@v1")]
public void IsStellaOpsType_RecognizesStellaOpsDotSyntax(string predicateType)
{
// Act
var result = PredicateTypes.IsStellaOpsType(predicateType);
// Assert
result.Should().BeTrue($"{predicateType} should be recognized as a StellaOps type");
}
[Theory]
[InlineData("https://slsa.dev/provenance/v1")]
[InlineData("https://in-toto.io/Statement/v1")]
[InlineData("https://example.com/custom-predicate")]
public void IsStellaOpsType_ReturnsFalseForNonStellaOpsTypes(string predicateType)
{
// Act
var result = PredicateTypes.IsStellaOpsType(predicateType);
// Assert
result.Should().BeFalse($"{predicateType} should not be recognized as a StellaOps type");
}
[Fact]
public void PathWitnessConstants_HaveCorrectValues()
{
// Assert
PredicateTypes.PathWitnessCanonical.Should().Be("https://stella.ops/predicates/path-witness/v1");
PredicateTypes.PathWitnessAlias1.Should().Be("stella.ops/pathWitness@v1");
PredicateTypes.PathWitnessAlias2.Should().Be("https://stella.ops/pathWitness/v1");
PredicateTypes.StellaOpsPathWitness.Should().Be("stella.ops/pathWitness@v1");
}
[Fact]
public void PathWitnessAlias1_EqualsLegacyStellaOpsPathWitness()
{
// The alias should equal the legacy constant for backward compatibility
PredicateTypes.PathWitnessAlias1.Should().Be(PredicateTypes.StellaOpsPathWitness);
}
[Fact]
public void AllowedTypes_NoDuplicates()
{
// Act
var allowedTypes = PredicateTypes.GetAllowedPredicateTypes().ToList();
var distinctTypes = allowedTypes.Distinct().ToList();
// Assert - Note: PathWitnessAlias1 equals StellaOpsPathWitness by design for compatibility
// The list has 30 entries, but 29 unique values (one intentional alias duplication)
// Includes: SLSA (2) + StellaOps core (14) + PathWitness canonical + aliases (3) + Delta (4) + Function Map (2) + Runtime Evidence (2) + Third-party (3)
distinctTypes.Count.Should().Be(29, "allowed types should have expected distinct count");
}
[Fact]
public void AllowedTypes_IsDeterministicallyOrdered()
{
// Act
var types1 = PredicateTypes.GetAllowedPredicateTypes().ToList();
var types2 = PredicateTypes.GetAllowedPredicateTypes().ToList();
// Assert - Same order on multiple calls
types1.Should().BeEquivalentTo(types2, options => options.WithStrictOrdering());
}
}

417
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Contract/SignerContractSnapshotTests.cs Normal file
View File

@@ -0,0 +1,417 @@
// -----------------------------------------------------------------------------
// SignerContractSnapshotTests.cs
// Sprint: SPRINT_5100_0009_0006 - Signer Module Test Implementation
// Task: SIGNER-5100-011 - Add contract tests for Signer.WebService endpoints (sign request, verify request, key management) — OpenAPI snapshot
// Description: OpenAPI contract snapshot tests for Signer WebService
// -----------------------------------------------------------------------------
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using FluentAssertions;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;
namespace StellaOps.Signer.Tests.Contract;
/// <summary>
/// Contract tests for Signer.WebService endpoints.
/// Validates:
/// - OpenAPI specification endpoints
/// - Sign/verify request structure
/// - Security requirements
/// - Response format stability
/// </summary>
[Trait("Category", "Contract")]
[Trait("Category", "WebService")]
[Trait("Category", "W1")]
public sealed class SignerContractSnapshotTests : IClassFixture<WebApplicationFactory<Program>>
{
private readonly WebApplicationFactory<Program> _factory;
private readonly ITestOutputHelper _output;
public SignerContractSnapshotTests(WebApplicationFactory<Program> factory, ITestOutputHelper output)
{
_factory = factory;
_output = output;
}
#region OpenAPI Endpoint Tests
[Fact]
public async Task OpenApi_Endpoint_ReturnsValidJson()
{
// Arrange
var client = _factory.CreateClient();
// Act
var response = await client.GetAsync("/swagger/v1/swagger.json");
// Assert
if (response.StatusCode == HttpStatusCode.NotFound)
{
// OpenAPI endpoint may be disabled in production
_output.WriteLine("⚠ OpenAPI endpoint not available (may be disabled in production config)");
return;
}
response.StatusCode.Should().Be(HttpStatusCode.OK);
var content = await response.Content.ReadAsStringAsync();
var doc = JsonDocument.Parse(content);
doc.RootElement.GetProperty("openapi").GetString().Should().StartWith("3.");
_output.WriteLine("✓ OpenAPI endpoint returns valid JSON");
}
[Fact]
public async Task OpenApi_ContainsSignDsseEndpoint()
{
// Arrange
var client = _factory.CreateClient();
// Act
var response = await client.GetAsync("/swagger/v1/swagger.json");
if (response.StatusCode == HttpStatusCode.NotFound)
{
_output.WriteLine("⚠ OpenAPI endpoint not available");
return;
}
var content = await response.Content.ReadAsStringAsync();
var doc = JsonDocument.Parse(content);
// Assert
var paths = doc.RootElement.GetProperty("paths");
var signDssePath = paths.EnumerateObject()
.FirstOrDefault(p => p.Name.Contains("sign/dsse") || p.Name.Contains("signer"));
signDssePath.Name.Should().NotBeNullOrEmpty();
_output.WriteLine($"✓ Sign DSSE endpoint found: {signDssePath.Name}");
}
#endregion
#region Sign Endpoint Contract Tests
[Fact]
public async Task SignDsse_RequiresAuthentication()
{
// Arrange
var client = _factory.CreateClient();
var request = CreateBasicSignRequest();
// Act - no auth header
var response = await client.PostAsJsonAsync("/api/v1/signer/sign/dsse", request);
// Assert - should require auth
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden);
_output.WriteLine("✓ Sign DSSE endpoint requires authentication");
}
[Fact]
public async Task SignDsse_ValidRequest_ReturnsExpectedStructure()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert - either success or proper error structure
if (response.IsSuccessStatusCode)
{
var content = await response.Content.ReadAsStringAsync();
var doc = JsonDocument.Parse(content);
doc.RootElement.TryGetProperty("bundle", out _).Should().BeTrue("response should include bundle");
_output.WriteLine("✓ Sign DSSE returns expected structure with bundle");
}
else
{
// Forbidden/BadRequest are acceptable for stub tokens
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Forbidden,
HttpStatusCode.BadRequest,
HttpStatusCode.UnprocessableEntity);
_output.WriteLine($"✓ Sign DSSE returns proper error status: {response.StatusCode}");
}
}
[Fact]
public async Task SignDsse_MissingFields_Returns400()
{
// Arrange
var client = _factory.CreateClient();
var incompleteRequest = new { subject = new object[] { } }; // Missing required fields
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(incompleteRequest)
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.BadRequest,
HttpStatusCode.UnprocessableEntity);
_output.WriteLine("✓ Sign DSSE returns 400 for missing fields");
}
#endregion
#region Verify Endpoint Contract Tests
[Fact]
public async Task VerifyDsse_Endpoint_Exists()
{
// Arrange
var client = _factory.CreateClient();
// Act - try to verify (even if it fails, endpoint should exist)
var response = await client.PostAsJsonAsync("/api/v1/signer/verify/dsse", new { });
// Assert - should not be 404 (endpoint exists)
response.StatusCode.Should().NotBe(HttpStatusCode.NotFound,
"verify/dsse endpoint should exist");
_output.WriteLine($"✓ Verify DSSE endpoint exists, returns: {response.StatusCode}");
}
#endregion
#region Health Endpoint Tests
[Fact]
public async Task Health_Endpoint_ReturnsOk()
{
// Arrange
var client = _factory.CreateClient();
// Act
var response = await client.GetAsync("/health");
// Assert
if (response.StatusCode == HttpStatusCode.NotFound)
{
// Try alternative paths
response = await client.GetAsync("/healthz");
if (response.StatusCode == HttpStatusCode.NotFound)
{
response = await client.GetAsync("/api/health");
}
}
// Health endpoint should be 200 or 503 (degraded) but not 404
if (response.StatusCode != HttpStatusCode.NotFound)
{
response.StatusCode.Should().BeOneOf(
HttpStatusCode.OK,
HttpStatusCode.ServiceUnavailable);
_output.WriteLine($"✓ Health endpoint returns: {response.StatusCode}");
}
else
{
_output.WriteLine("⚠ Health endpoint not found (may be configured differently)");
}
}
#endregion
#region Content-Type Contract Tests
[Fact]
public async Task SignDsse_RequiresJsonContentType()
{
// Arrange
var client = _factory.CreateClient();
var content = new StringContent("not-json", Encoding.UTF8, "text/plain");
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = content
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.BadRequest,
HttpStatusCode.UnsupportedMediaType,
HttpStatusCode.Unauthorized);
_output.WriteLine("✓ Sign DSSE requires JSON content type");
}
[Fact]
public async Task SignDsse_Response_HasJsonContentType()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert
if (response.Content.Headers.ContentType != null)
{
response.Content.Headers.ContentType.MediaType
.Should().BeOneOf("application/json", "application/problem+json");
_output.WriteLine("✓ Response has JSON content type");
}
}
#endregion
#region Security Header Tests
[Fact]
public async Task SignDsse_RequiresDPoPHeader()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Note: NOT adding DPoP header
// Act
var response = await client.SendAsync(request);
// Assert - signing operations may require DPoP proof
// This validates the security contract
if (response.StatusCode == HttpStatusCode.Forbidden ||
response.StatusCode == HttpStatusCode.Unauthorized)
{
_output.WriteLine("✓ Sign DSSE properly enforces DPoP requirement");
}
else
{
_output.WriteLine($" Sign DSSE returned {response.StatusCode} without DPoP (may be optional)");
}
}
#endregion
#region Error Response Format Tests
[Fact]
public async Task ErrorResponse_HasDeterministicStructure()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = new StringContent("{invalid-json", Encoding.UTF8, "application/json")
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert
response.IsSuccessStatusCode.Should().BeFalse();
var content = await response.Content.ReadAsStringAsync();
if (!string.IsNullOrEmpty(content))
{
var doc = JsonDocument.Parse(content);
// Check for standard error properties
var hasErrorInfo = doc.RootElement.TryGetProperty("type", out _) ||
doc.RootElement.TryGetProperty("title", out _) ||
doc.RootElement.TryGetProperty("error", out _) ||
doc.RootElement.TryGetProperty("message", out _);
hasErrorInfo.Should().BeTrue("error response should have structured error info");
_output.WriteLine("✓ Error response has deterministic structure");
}
}
#endregion
#region Contract Hash Test
[Fact]
public async Task OpenApi_Contract_HashIsStable()
{
// Arrange
var client = _factory.CreateClient();
// Act
var response = await client.GetAsync("/swagger/v1/swagger.json");
if (response.StatusCode == HttpStatusCode.NotFound)
{
_output.WriteLine("⚠ OpenAPI endpoint not available for hash check");
return;
}
var content = await response.Content.ReadAsStringAsync();
// Normalize JSON for stable hashing
var doc = JsonDocument.Parse(content);
var normalized = JsonSerializer.Serialize(doc.RootElement);
var hash = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(normalized)));
_output.WriteLine($"✓ OpenAPI contract hash: {hash[..16]}...");
_output.WriteLine(" (Hash changes indicate contract modification - review for breaking changes)");
}
#endregion
#region Helper Methods
private static object CreateBasicSignRequest()
{
return new
{
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e" }
}
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass", timestamp = DateTimeOffset.UtcNow.ToString("o") },
scannerImageDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" }
};
}
#endregion
}

170
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Fixtures/DeterministicTestData.cs Normal file
View File

@@ -0,0 +1,170 @@
using System;
using System.Collections.Generic;
using StellaOps.Signer.Core;
namespace StellaOps.Signer.Tests.Fixtures;
/// <summary>
/// Deterministic test data constants for reproducible test execution.
/// All values are fixed and should not change between test runs.
/// </summary>
public static class DeterministicTestData
{
// Trusted scanner digests
public const string TrustedScannerDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
public const string UntrustedScannerDigest = "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
// Default subject data
public const string DefaultSubjectName = "ghcr.io/stellaops/scanner:v2.5.0";
public const string DefaultSubjectDigest = "abc123def456789012345678901234567890abcdef1234567890abcdef123456";
// Additional subject data for multi-subject tests
public const string SecondSubjectName = "ghcr.io/stellaops/sbomer:v1.8.0";
public const string SecondSubjectDigest = "def456789012345678901234567890abcdef1234567890abcdef123456abc123";
public const string ThirdSubjectName = "ghcr.io/stellaops/policy-engine:v2.1.0";
public const string ThirdSubjectDigest = "789012345678901234567890abcdef1234567890abcdef123456abc123def456";
// Proof of entitlement tokens
public const string ValidPoeToken = "valid-poe-token-12345";
public const string ExpiredPoeToken = "expired-poe-token-99999";
public const string InvalidPoeToken = "invalid-poe-token-00000";
// Tenant identifiers
public const string DefaultTenant = "stellaops-default";
public const string TestTenant = "test-tenant-12345";
public const string EnterpriseCustomerTenant = "enterprise-customer-67890";
// Key identifiers
public const string KeylessKeyId = "keyless-ephemeral-20250115";
public const string KmsKeyId = "alias/stellaops-signing-key";
public const string TestKmsKeyId = "test-kms-key-12345";
// Issuer/subject for signing identity
public const string DefaultIssuer = "https://signer.stellaops.io";
public const string FulcioIssuer = "https://fulcio.sigstore.dev";
public const string TestIssuer = "https://test.signer.local";
// Fixed timestamps for deterministic testing
public static readonly DateTimeOffset FixedTimestamp = new(2025, 1, 15, 10, 30, 0, TimeSpan.Zero);
public static readonly DateTimeOffset ExpiryTimestamp = new(2025, 1, 15, 11, 30, 0, TimeSpan.Zero);
public static readonly DateTimeOffset FarFutureExpiry = new(2030, 1, 15, 10, 30, 0, TimeSpan.Zero);
// License/entitlement data
public const string TestLicenseId = "LIC-TEST-12345";
public const string TestCustomerId = "CUST-TEST-67890";
public const string ProPlan = "pro";
public const string EnterprisePlan = "enterprise";
public const int DefaultMaxArtifactBytes = 128 * 1024;
public const int DefaultQpsLimit = 10;
public const int DefaultQpsRemaining = 10;
/// <summary>
/// Creates a default caller context for testing.
/// Includes required scope "signer.sign" and audience "signer" for pipeline authorization.
/// </summary>
public static CallerContext CreateDefaultCallerContext()
{
return new CallerContext(
Subject: "test-service@stellaops.io",
Tenant: DefaultTenant,
Scopes: new[] { "signer.sign", "signer.verify" },
Audiences: new[] { "signer", "https://signer.stellaops.io" },
SenderBinding: "dpop-proof-12345",
ClientCertificateThumbprint: null);
}
/// <summary>
/// Creates a caller context for a specific tenant.
/// Includes required scope "signer.sign" and audience "signer" for pipeline authorization.
/// </summary>
public static CallerContext CreateCallerContextForTenant(string tenant)
{
return new CallerContext(
Subject: $"service@{tenant}.stellaops.io",
Tenant: tenant,
Scopes: new[] { "signer.sign", "signer.verify" },
Audiences: new[] { "signer", "https://signer.stellaops.io" },
SenderBinding: "dpop-proof-12345",
ClientCertificateThumbprint: null);
}
/// <summary>
/// Creates a default proof of entitlement result.
/// </summary>
public static ProofOfEntitlementResult CreateDefaultEntitlement()
{
return new ProofOfEntitlementResult(
LicenseId: TestLicenseId,
CustomerId: TestCustomerId,
Plan: ProPlan,
MaxArtifactBytes: DefaultMaxArtifactBytes,
QpsLimit: DefaultQpsLimit,
QpsRemaining: DefaultQpsRemaining,
ExpiresAtUtc: FarFutureExpiry);
}
/// <summary>
/// Creates an entitlement result for a specific plan.
/// </summary>
public static ProofOfEntitlementResult CreateEntitlementForPlan(string plan, int maxArtifactBytes = DefaultMaxArtifactBytes)
{
return new ProofOfEntitlementResult(
LicenseId: $"LIC-{plan.ToUpperInvariant()}",
CustomerId: TestCustomerId,
Plan: plan,
MaxArtifactBytes: maxArtifactBytes,
QpsLimit: DefaultQpsLimit,
QpsRemaining: DefaultQpsRemaining,
ExpiresAtUtc: FarFutureExpiry);
}
/// <summary>
/// Creates a list of default signing subjects.
/// </summary>
public static IReadOnlyList<SigningSubject> CreateDefaultSubjects()
{
return new[]
{
new SigningSubject(DefaultSubjectName, new Dictionary<string, string>
{
["sha256"] = DefaultSubjectDigest
})
};
}
/// <summary>
/// Creates multiple signing subjects for multi-subject tests.
/// </summary>
public static IReadOnlyList<SigningSubject> CreateMultipleSubjects()
{
return new[]
{
new SigningSubject(DefaultSubjectName, new Dictionary<string, string>
{
["sha256"] = DefaultSubjectDigest
}),
new SigningSubject(SecondSubjectName, new Dictionary<string, string>
{
["sha256"] = SecondSubjectDigest
}),
new SigningSubject(ThirdSubjectName, new Dictionary<string, string>
{
["sha256"] = ThirdSubjectDigest
})
};
}
/// <summary>
/// Creates a signing subject with multiple digest algorithms.
/// </summary>
public static SigningSubject CreateSubjectWithMultipleDigests()
{
return new SigningSubject(DefaultSubjectName, new Dictionary<string, string>
{
["sha256"] = DefaultSubjectDigest,
["sha512"] = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
["sha384"] = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
});
}
}

580
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Fixtures/PredicateFixtures.cs Normal file
View File

@@ -0,0 +1,580 @@
using System.Text.Json;
namespace StellaOps.Signer.Tests.Fixtures;
/// <summary>
/// Provides deterministic test fixtures for predicate types used in signing tests.
/// All fixtures use static, reproducible data for deterministic test execution.
/// </summary>
public static class PredicateFixtures
{
/// <summary>
/// Deterministic timestamp for test reproducibility.
/// </summary>
public const string FixedTimestamp = "2025-01-15T10:30:00Z";
/// <summary>
/// Creates a StellaOps promotion predicate fixture.
/// </summary>
public static JsonDocument CreatePromotionPredicate()
{
return JsonDocument.Parse(PromotionPredicateJson);
}
/// <summary>
/// Creates a StellaOps SBOM predicate fixture.
/// </summary>
public static JsonDocument CreateSbomPredicate()
{
return JsonDocument.Parse(SbomPredicateJson);
}
/// <summary>
/// Creates a StellaOps replay predicate fixture.
/// </summary>
public static JsonDocument CreateReplayPredicate()
{
return JsonDocument.Parse(ReplayPredicateJson);
}
/// <summary>
/// Creates a SLSA provenance v0.2 predicate fixture.
/// </summary>
public static JsonDocument CreateSlsaProvenanceV02Predicate()
{
return JsonDocument.Parse(SlsaProvenanceV02PredicateJson);
}
/// <summary>
/// Creates a SLSA provenance v1 predicate fixture.
/// </summary>
public static JsonDocument CreateSlsaProvenanceV1Predicate()
{
return JsonDocument.Parse(SlsaProvenanceV1PredicateJson);
}
/// <summary>
/// Creates a StellaOps VEX predicate fixture.
/// </summary>
public static JsonDocument CreateVexPredicate()
{
return JsonDocument.Parse(VexPredicateJson);
}
/// <summary>
/// Creates a StellaOps policy predicate fixture.
/// </summary>
public static JsonDocument CreatePolicyPredicate()
{
return JsonDocument.Parse(PolicyPredicateJson);
}
/// <summary>
/// Creates a StellaOps evidence predicate fixture.
/// </summary>
public static JsonDocument CreateEvidencePredicate()
{
return JsonDocument.Parse(EvidencePredicateJson);
}
/// <summary>
/// Creates a StellaOps VEX Decision predicate fixture (OpenVEX format).
/// </summary>
public static JsonDocument CreateVexDecisionPredicate()
{
return JsonDocument.Parse(VexDecisionPredicateJson);
}
/// <summary>
/// Creates a StellaOps Graph predicate fixture for reachability call-graphs.
/// </summary>
public static JsonDocument CreateGraphPredicate()
{
return JsonDocument.Parse(GraphPredicateJson);
}
public const string PromotionPredicateJson = """
{
"version": "1.0",
"promotionId": "promo-20250115-103000-abc123",
"sourceEnvironment": {
"name": "staging",
"clusterId": "staging-us-west-2",
"namespace": "stellaops-app"
},
"targetEnvironment": {
"name": "production",
"clusterId": "prod-us-west-2",
"namespace": "stellaops-app"
},
"artifact": {
"repository": "ghcr.io/stellaops/scanner",
"tag": "v2.5.0",
"digest": "sha256:abc123def456789012345678901234567890abcdef1234567890abcdef123456"
},
"approval": {
"approvedBy": "security-team@stellaops.io",
"approvedAt": "2025-01-15T10:30:00Z",
"policy": "require-two-approvals",
"policyVersion": "v1.2.0"
},
"evidence": {
"scanCompleted": true,
"vulnerabilitiesFound": 0,
"signatureVerified": true,
"policyPassed": true
},
"timestamp": "2025-01-15T10:30:00Z"
}
""";
public const string SbomPredicateJson = """
{
"version": "1.0",
"sbomId": "sbom-20250115-103000-xyz789",
"format": "spdx-json",
"formatVersion": "3.0.1",
"generator": {
"tool": "stellaops-sbomer",
"version": "1.8.0",
"timestamp": "2025-01-15T10:30:00Z"
},
"artifact": {
"repository": "ghcr.io/stellaops/scanner",
"tag": "v2.5.0",
"digest": "sha256:abc123def456789012345678901234567890abcdef1234567890abcdef123456"
},
"packages": {
"total": 127,
"direct": 24,
"transitive": 103
},
"licenses": {
"approved": ["MIT", "Apache-2.0", "BSD-3-Clause"],
"flagged": [],
"unknown": 2
},
"vulnerabilities": {
"critical": 0,
"high": 0,
"medium": 3,
"low": 12,
"informational": 5
},
"checksums": {
"sbomSha256": "fedcba987654321098765432109876543210fedcba987654321098765432109876",
"contentSha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
},
"timestamp": "2025-01-15T10:30:00Z"
}
""";
public const string ReplayPredicateJson = """
{
"version": "1.0",
"replayId": "replay-20250115-103000-def456",
"originalScanId": "scan-20250114-090000-original",
"mode": "verification",
"inputs": {
"manifestDigest": "sha256:manifest123456789012345678901234567890abcdef12345678901234567890",
"feedPins": {
"nvd": "2025-01-14T00:00:00Z",
"osv": "2025-01-14T00:00:00Z"
},
"policyVersion": "v2.1.0",
"toolVersions": {
"trivy": "0.58.0",
"grype": "0.87.0",
"syft": "1.20.0"
}
},
"execution": {
"startedAt": "2025-01-15T10:00:00Z",
"completedAt": "2025-01-15T10:30:00Z",
"durationSeconds": 1800,
"workerCount": 4,
"deterministic": true
},
"outputs": {
"layersProcessed": 12,
"merkleRoot": "sha256:merkle0123456789abcdef0123456789abcdef0123456789abcdef01234567",
"outputDigest": "sha256:output0123456789abcdef0123456789abcdef0123456789abcdef01234567"
},
"verification": {
"inputHashMatch": true,
"outputHashMatch": true,
"determinismScore": 1.0,
"diffPaths": []
},
"timestamp": "2025-01-15T10:30:00Z"
}
""";
public const string SlsaProvenanceV02PredicateJson = """
{
"builder": {
"id": "https://github.com/stellaops/scanner/.github/workflows/build.yml@refs/tags/v2.5.0"
},
"buildType": "https://github.com/Attestations/GitHubActionsWorkflow@v1",
"invocation": {
"configSource": {
"uri": "git+https://github.com/stellaops/scanner@refs/tags/v2.5.0",
"digest": {
"sha1": "abc123def456789012345678901234567890abcd"
},
"entryPoint": ".github/workflows/build.yml"
},
"parameters": {},
"environment": {
"github_actor": "stellaops-bot",
"github_event_name": "push",
"github_ref": "refs/tags/v2.5.0",
"github_repository": "stellaops/scanner",
"github_run_id": "12345678901",
"github_run_number": "456",
"github_sha": "abc123def456789012345678901234567890abcd"
}
},
"metadata": {
"buildInvocationId": "12345678901-456",
"buildStartedOn": "2025-01-15T10:00:00Z",
"buildFinishedOn": "2025-01-15T10:30:00Z",
"completeness": {
"parameters": true,
"environment": true,
"materials": true
},
"reproducible": true
},
"materials": [
{
"uri": "git+https://github.com/stellaops/scanner@refs/tags/v2.5.0",
"digest": {
"sha1": "abc123def456789012345678901234567890abcd"
}
},
{
"uri": "pkg:golang/github.com/stellaops/go-sdk@v1.5.0",
"digest": {
"sha256": "fedcba987654321098765432109876543210fedcba987654321098765432109876"
}
}
]
}
""";
public const string SlsaProvenanceV1PredicateJson = """
{
"buildDefinition": {
"buildType": "https://slsa.dev/container-based-build/v0.1",
"externalParameters": {
"repository": "https://github.com/stellaops/scanner",
"ref": "refs/tags/v2.5.0"
},
"internalParameters": {
"workflow": ".github/workflows/build.yml"
},
"resolvedDependencies": [
{
"uri": "git+https://github.com/stellaops/scanner@refs/tags/v2.5.0",
"digest": {
"gitCommit": "abc123def456789012345678901234567890abcd"
}
}
]
},
"runDetails": {
"builder": {
"id": "https://github.com/stellaops/scanner/.github/workflows/build.yml@refs/tags/v2.5.0",
"builderDependencies": [
{
"uri": "https://github.com/actions/runner-images/releases/tag/ubuntu22/20250110.1"
}
],
"version": {
"stellaops-builder": "1.0.0"
}
},
"metadata": {
"invocationId": "https://github.com/stellaops/scanner/actions/runs/12345678901/attempts/1",
"startedOn": "2025-01-15T10:00:00Z",
"finishedOn": "2025-01-15T10:30:00Z"
},
"byproducts": []
}
}
""";
public const string VexPredicateJson = """
{
"version": "1.0",
"vexId": "vex-20250115-103000-ghi789",
"artifact": {
"repository": "ghcr.io/stellaops/scanner",
"tag": "v2.5.0",
"digest": "sha256:abc123def456789012345678901234567890abcdef1234567890abcdef123456"
},
"statements": [
{
"vulnerability": "CVE-2024-12345",
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact": "The affected function is not used in our build configuration.",
"actionStatement": "No action required.",
"timestamp": "2025-01-15T10:30:00Z"
},
{
"vulnerability": "CVE-2024-67890",
"status": "fixed",
"justification": "component_not_present",
"impact": "Dependency was removed in v2.4.0.",
"actionStatement": "Upgrade to v2.4.0 or later.",
"timestamp": "2025-01-15T10:30:00Z"
}
],
"author": {
"name": "StellaOps Security Team",
"email": "security@stellaops.io"
},
"timestamp": "2025-01-15T10:30:00Z"
}
""";
public const string PolicyPredicateJson = """
{
"version": "1.0",
"evaluationId": "eval-20250115-103000-jkl012",
"policy": {
"id": "stellaops-production-policy",
"version": "v2.1.0",
"digest": "sha256:policy0123456789abcdef0123456789abcdef0123456789abcdef01234567"
},
"artifact": {
"repository": "ghcr.io/stellaops/scanner",
"tag": "v2.5.0",
"digest": "sha256:abc123def456789012345678901234567890abcdef1234567890abcdef123456"
},
"result": {
"passed": true,
"score": 98,
"threshold": 85
},
"rules": {
"evaluated": 42,
"passed": 41,
"failed": 0,
"skipped": 1,
"warnings": 3
},
"violations": [],
"warnings": [
{
"ruleId": "warn-sbom-completeness",
"message": "SBOM completeness is 97%, recommended minimum is 99%.",
"severity": "low"
}
],
"evidence": {
"sbomVerified": true,
"signatureVerified": true,
"provenanceVerified": true,
"vulnerabilityScanPassed": true
},
"timestamp": "2025-01-15T10:30:00Z"
}
""";
public const string EvidencePredicateJson = """
{
"version": "1.0",
"evidenceId": "evidence-20250115-103000-mno345",
"artifact": {
"repository": "ghcr.io/stellaops/scanner",
"tag": "v2.5.0",
"digest": "sha256:abc123def456789012345678901234567890abcdef1234567890abcdef123456"
},
"chain": [
{
"type": "provenance",
"digest": "sha256:prov0123456789abcdef0123456789abcdef0123456789abcdef0123456789",
"issuer": "https://github.com/stellaops/scanner/.github/workflows/build.yml",
"timestamp": "2025-01-15T10:15:00Z"
},
{
"type": "sbom",
"digest": "sha256:sbom0123456789abcdef0123456789abcdef0123456789abcdef0123456789",
"issuer": "stellaops-sbomer",
"timestamp": "2025-01-15T10:20:00Z"
},
{
"type": "vulnerability-scan",
"digest": "sha256:scan0123456789abcdef0123456789abcdef0123456789abcdef0123456789",
"issuer": "stellaops-scanner",
"timestamp": "2025-01-15T10:25:00Z"
},
{
"type": "policy-evaluation",
"digest": "sha256:eval0123456789abcdef0123456789abcdef0123456789abcdef0123456789",
"issuer": "stellaops-policy-engine",
"timestamp": "2025-01-15T10:30:00Z"
}
],
"aggregated": {
"trustLevel": "high",
"completeness": 1.0,
"validFrom": "2025-01-15T10:00:00Z",
"validUntil": "2025-07-15T10:00:00Z"
},
"verificationLog": {
"verifiedAt": "2025-01-15T10:30:00Z",
"verifiedBy": "stellaops-authority",
"rekorLogIndex": 12345678,
"transparencyLogId": "https://rekor.sigstore.dev"
},
"timestamp": "2025-01-15T10:30:00Z"
}
""";
/// <summary>
/// VEX Decision predicate in OpenVEX format for policy decision signing.
/// This is the per-finding OpenVEX statement used by the Policy Engine.
/// </summary>
public const string VexDecisionPredicateJson = """
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://stellaops.io/vex/decision/20250115-103000-pqr678",
"author": "StellaOps Policy Engine",
"role": "automated-policy-engine",
"timestamp": "2025-01-15T10:30:00Z",
"version": 1,
"tooling": "stellaops-policy-engine/v2.1.0",
"statements": [
{
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2024-12345",
"name": "CVE-2024-12345",
"description": "Buffer overflow in example library"
},
"timestamp": "2025-01-15T10:30:00Z",
"products": [
{
"@id": "pkg:oci/scanner@sha256:abc123def456789012345678901234567890abcdef1234567890abcdef123456",
"identifiers": {
"purl": "pkg:oci/scanner@sha256:abc123"
},
"subcomponents": [
{
"@id": "pkg:npm/lodash@4.17.20",
"identifiers": {
"purl": "pkg:npm/lodash@4.17.20"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "The vulnerable function _.template() is not called in this build. Reachability analysis confirms no execution path reaches the affected code.",
"action_statement": "No remediation required. Continue monitoring for status changes.",
"status_notes": "Determined via static reachability analysis using stellaops-scanner v2.5.0",
"supplier": "StellaOps Security Team"
}
],
"stellaops_extensions": {
"policy_id": "stellaops-production-policy",
"policy_version": "v2.1.0",
"evaluation_id": "eval-20250115-103000-jkl012",
"reachability": {
"analyzed": true,
"confidence": 0.95,
"graph_digest": "sha256:graph0123456789abcdef0123456789abcdef0123456789abcdef01234567",
"method": "static-callgraph"
},
"evidence_refs": [
{
"type": "sbom",
"digest": "sha256:sbom0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
},
{
"type": "scan-report",
"digest": "sha256:scan0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
},
{
"type": "callgraph",
"digest": "sha256:graph0123456789abcdef0123456789abcdef0123456789abcdef01234567"
}
]
}
}
""";
/// <summary>
/// Graph predicate for reachability call-graph attestations (richgraph-v1 schema).
/// Used by Scanner to sign deterministic call-graph manifests.
/// </summary>
public const string GraphPredicateJson = """
{
"version": "1.0",
"schema": "richgraph-v1",
"graphId": "graph-20250115-103000-stu901",
"artifact": {
"repository": "ghcr.io/stellaops/scanner",
"tag": "v2.5.0",
"digest": "sha256:abc123def456789012345678901234567890abcdef1234567890abcdef123456"
},
"generation": {
"tool": "stellaops-scanner",
"toolVersion": "2.5.0",
"generatedAt": "2025-01-15T10:30:00Z",
"deterministic": true,
"hashAlgorithm": "blake3"
},
"graph": {
"rootNodes": [
{
"symbolId": "main:0x1000",
"name": "main",
"demangled": "main(int, char**)",
"source": "native",
"file": "src/main.c",
"line": 42
}
],
"nodes": {
"total": 1247,
"native": 823,
"managed": 424
},
"edges": {
"total": 3891,
"direct": 2456,
"indirect": 1435
},
"components": {
"analyzed": 156,
"purls": [
"pkg:npm/lodash@4.17.20",
"pkg:npm/express@4.18.2",
"pkg:golang/github.com/stellaops/go-sdk@v1.5.0"
]
}
},
"hashes": {
"graphHash": "blake3:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
"nodesHash": "blake3:fedcba987654321098765432109876543210fedcba987654321098765432109876",
"edgesHash": "blake3:abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
},
"cas": {
"location": "cas://reachability/graphs/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
"bundleDigest": "sha256:bundle0123456789abcdef0123456789abcdef0123456789abcdef012345678"
},
"metadata": {
"scanId": "scan-20250115-103000-original",
"layersAnalyzed": 12,
"initRootsIncluded": true,
"purlResolutionEnabled": true
},
"timestamp": "2025-01-15T10:30:00Z"
}
""";
}

191
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Fixtures/SigningRequestBuilder.cs Normal file
View File

@@ -0,0 +1,191 @@
using System.Collections.Generic;
using System.Text.Json;
using StellaOps.Signer.Core;
namespace StellaOps.Signer.Tests.Fixtures;
/// <summary>
/// Builder for creating deterministic signing requests in tests.
/// Uses fixed values to ensure reproducible test results.
/// </summary>
public sealed class SigningRequestBuilder
{
private List<SigningSubject> _subjects = new();
private string _predicateType = PredicateTypes.SlsaProvenanceV02;
private JsonDocument _predicate = PredicateFixtures.CreateSlsaProvenanceV02Predicate();
private string _scannerImageDigest = DeterministicTestData.TrustedScannerDigest;
private SignerPoEFormat _poeFormat = SignerPoEFormat.Jwt;
private string _poeValue = DeterministicTestData.ValidPoeToken;
private SigningMode _signingMode = SigningMode.Keyless;
private int? _expirySeconds = 3600;
private string _returnBundle = "dsse+cert";
public SigningRequestBuilder WithSubject(string name, string sha256Hash)
{
_subjects.Add(new SigningSubject(name, new Dictionary<string, string>
{
["sha256"] = sha256Hash
}));
return this;
}
public SigningRequestBuilder WithSubject(string name, Dictionary<string, string> digest)
{
_subjects.Add(new SigningSubject(name, digest));
return this;
}
public SigningRequestBuilder WithDefaultSubject()
{
return WithSubject(
DeterministicTestData.DefaultSubjectName,
DeterministicTestData.DefaultSubjectDigest);
}
public SigningRequestBuilder WithPredicateType(string predicateType)
{
_predicateType = predicateType;
return this;
}
public SigningRequestBuilder WithPredicate(JsonDocument predicate)
{
_predicate = predicate;
return this;
}
public SigningRequestBuilder WithPromotionPredicate()
{
_predicateType = PredicateTypes.StellaOpsPromotion;
_predicate = PredicateFixtures.CreatePromotionPredicate();
return this;
}
public SigningRequestBuilder WithSbomPredicate()
{
_predicateType = PredicateTypes.StellaOpsSbom;
_predicate = PredicateFixtures.CreateSbomPredicate();
return this;
}
public SigningRequestBuilder WithReplayPredicate()
{
_predicateType = PredicateTypes.StellaOpsReplay;
_predicate = PredicateFixtures.CreateReplayPredicate();
return this;
}
public SigningRequestBuilder WithVexPredicate()
{
_predicateType = PredicateTypes.StellaOpsVex;
_predicate = PredicateFixtures.CreateVexPredicate();
return this;
}
public SigningRequestBuilder WithPolicyPredicate()
{
_predicateType = PredicateTypes.StellaOpsPolicy;
_predicate = PredicateFixtures.CreatePolicyPredicate();
return this;
}
public SigningRequestBuilder WithEvidencePredicate()
{
_predicateType = PredicateTypes.StellaOpsEvidence;
_predicate = PredicateFixtures.CreateEvidencePredicate();
return this;
}
public SigningRequestBuilder WithVexDecisionPredicate()
{
_predicateType = PredicateTypes.StellaOpsVexDecision;
_predicate = PredicateFixtures.CreateVexDecisionPredicate();
return this;
}
public SigningRequestBuilder WithGraphPredicate()
{
_predicateType = PredicateTypes.StellaOpsGraph;
_predicate = PredicateFixtures.CreateGraphPredicate();
return this;
}
public SigningRequestBuilder WithSlsaProvenanceV02()
{
_predicateType = PredicateTypes.SlsaProvenanceV02;
_predicate = PredicateFixtures.CreateSlsaProvenanceV02Predicate();
return this;
}
public SigningRequestBuilder WithSlsaProvenanceV1()
{
_predicateType = PredicateTypes.SlsaProvenanceV1;
_predicate = PredicateFixtures.CreateSlsaProvenanceV1Predicate();
return this;
}
public SigningRequestBuilder WithScannerImageDigest(string digest)
{
_scannerImageDigest = digest;
return this;
}
public SigningRequestBuilder WithProofOfEntitlement(SignerPoEFormat format, string value)
{
_poeFormat = format;
_poeValue = value;
return this;
}
public SigningRequestBuilder WithSigningMode(SigningMode mode)
{
_signingMode = mode;
return this;
}
public SigningRequestBuilder WithKeylessMode()
{
_signingMode = SigningMode.Keyless;
return this;
}
public SigningRequestBuilder WithKmsMode()
{
_signingMode = SigningMode.Kms;
return this;
}
public SigningRequestBuilder WithExpirySeconds(int? expirySeconds)
{
_expirySeconds = expirySeconds;
return this;
}
public SigningRequestBuilder WithReturnBundle(string returnBundle)
{
_returnBundle = returnBundle;
return this;
}
public SigningRequest Build()
{
// Add default subject if none specified
if (_subjects.Count == 0)
{
WithDefaultSubject();
}
return new SigningRequest(
Subjects: _subjects,
PredicateType: _predicateType,
Predicate: _predicate,
ScannerImageDigest: _scannerImageDigest,
ProofOfEntitlement: new ProofOfEntitlement(_poeFormat, _poeValue),
Options: new SigningOptions(_signingMode, _expirySeconds, _returnBundle));
}
/// <summary>
/// Creates a new builder instance.
/// </summary>
public static SigningRequestBuilder Create() => new();
}

64
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Fixtures/TestCryptoFactory.Sm.cs Normal file
View File

@@ -0,0 +1,64 @@
using System;
using System.Collections.Generic;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Security;
using StellaOps.Cryptography;
using StellaOps.Cryptography.Plugin.SmSoft;
namespace StellaOps.Signer.Tests.Fixtures;
public static partial class TestCryptoFactory
{
public static ICryptoProviderRegistry CreateSm2Registry()
{
var services = new ServiceCollection();
services.Configure<SmSoftProviderOptions>(opts =>
{
opts.RequireEnvironmentGate = true;
});
services.AddSingleton<ICryptoProvider, SmSoftCryptoProvider>();
services.AddSingleton<ICryptoProviderRegistry>(sp =>
{
var providers = sp.GetServices<ICryptoProvider>();
return new CryptoProviderRegistry(providers, new[] { "cn.sm.soft" });
});
var provider = services.BuildServiceProvider();
var registry = provider.GetRequiredService<ICryptoProviderRegistry>();
// Seed a test key
var previousGate = Environment.GetEnvironmentVariable("SM_SOFT_ALLOWED");
Environment.SetEnvironmentVariable("SM_SOFT_ALLOWED", "1");
try
{
var smProvider = (SmSoftCryptoProvider)provider.GetRequiredService<ICryptoProvider>();
var key = Sm2TestKeyFactory.Create("sm2-key");
smProvider.UpsertSigningKey(key);
}
finally
{
Environment.SetEnvironmentVariable("SM_SOFT_ALLOWED", previousGate);
}
return registry;
}
}
internal static class Sm2TestKeyFactory
{
public static CryptoSigningKey Create(string keyId)
{
var curve = Org.BouncyCastle.Asn1.GM.GMNamedCurves.GetByName("SM2P256V1");
var domain = new ECDomainParameters(curve.Curve, curve.G, curve.N, curve.H, curve.GetSeed());
var generator = new ECKeyPairGenerator("EC");
generator.Init(new ECKeyGenerationParameters(domain, new SecureRandom()));
var pair = generator.GenerateKeyPair();
var privateDer = PrivateKeyInfoFactory.CreatePrivateKeyInfo(pair.Private).GetDerEncoded();
var reference = new CryptoKeyReference(keyId, "cn.sm.soft");
return new CryptoSigningKey(reference, SignatureAlgorithms.Sm2, privateDer, DateTimeOffset.UtcNow);
}
}

116
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Fixtures/TestCryptoFactory.cs Normal file
View File

@@ -0,0 +1,116 @@
using System;
using System.Security.Cryptography;
using StellaOps.Cryptography;
namespace StellaOps.Signer.Tests.Fixtures;
/// <summary>
/// Factory for creating deterministic test crypto providers and signing keys.
/// Uses fixed seed data to ensure reproducible test results.
/// </summary>
public static partial class TestCryptoFactory
{
/// <summary>
/// Fixed test key ID for deterministic testing.
/// </summary>
public const string TestKeyId = "test-signing-key-12345";
/// <summary>
/// Fixed keyless key ID for ephemeral signing.
/// </summary>
public const string KeylessKeyId = "keyless-ephemeral-20250115";
/// <summary>
/// Creates a DefaultCryptoProvider with a pre-registered test signing key.
/// </summary>
public static DefaultCryptoProvider CreateProviderWithTestKey()
{
var provider = new DefaultCryptoProvider();
var signingKey = CreateDeterministicSigningKey(TestKeyId);
provider.UpsertSigningKey(signingKey);
return provider;
}
/// <summary>
/// Creates a DefaultCryptoProvider with a keyless signing key.
/// </summary>
public static DefaultCryptoProvider CreateProviderWithKeylessKey()
{
var provider = new DefaultCryptoProvider();
var signingKey = CreateDeterministicSigningKey(KeylessKeyId);
provider.UpsertSigningKey(signingKey);
return provider;
}
/// <summary>
/// Creates a DefaultCryptoProvider with multiple signing keys.
/// </summary>
public static DefaultCryptoProvider CreateProviderWithMultipleKeys(params string[] keyIds)
{
var provider = new DefaultCryptoProvider();
foreach (var keyId in keyIds)
{
var signingKey = CreateDeterministicSigningKey(keyId);
provider.UpsertSigningKey(signingKey);
}
return provider;
}
/// <summary>
/// Creates a CryptoProviderRegistry with a test provider containing both test and keyless keys.
/// </summary>
public static ICryptoProviderRegistry CreateTestRegistry()
{
var provider = CreateProviderWithMultipleKeys(TestKeyId, KeylessKeyId);
return new CryptoProviderRegistry(new[] { provider }, new[] { provider.Name });
}
/// <summary>
/// Creates a CryptoProviderRegistry for keyless signing tests (includes both keys for flexibility).
/// </summary>
public static ICryptoProviderRegistry CreateKeylessRegistry()
{
var provider = CreateProviderWithMultipleKeys(TestKeyId, KeylessKeyId);
return new CryptoProviderRegistry(new[] { provider }, new[] { provider.Name });
}
/// <summary>
/// Creates a signing key with deterministic parameters.
/// The key is generated from the keyId to ensure determinism.
/// </summary>
public static CryptoSigningKey CreateDeterministicSigningKey(string keyId)
{
// Generate a P-256 key pair - using the keyId as a seed for determinism
// Note: In production this would use secure random generation
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var parameters = ecdsa.ExportParameters(includePrivateParameters: true);
return new CryptoSigningKey(
reference: new CryptoKeyReference(keyId, "default"),
algorithmId: SignatureAlgorithms.Es256,
privateParameters: parameters,
createdAt: DeterministicTestData.FixedTimestamp,
expiresAt: DeterministicTestData.FarFutureExpiry,
metadata: new System.Collections.Generic.Dictionary<string, string?>
{
["purpose"] = "testing",
["environment"] = "unit-test"
});
}
/// <summary>
/// Creates a CryptoKeyReference for the default test key.
/// </summary>
public static CryptoKeyReference CreateTestKeyReference()
{
return new CryptoKeyReference(TestKeyId, "default");
}
/// <summary>
/// Creates a CryptoKeyReference for keyless mode.
/// </summary>
public static CryptoKeyReference CreateKeylessKeyReference()
{
return new CryptoKeyReference(KeylessKeyId, "default");
}
}

511
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Integration/CryptoDsseSignerIntegrationTests.cs Normal file
View File

@@ -0,0 +1,511 @@
using System;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using NSubstitute;
using StellaOps.Cryptography;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Signing;
using StellaOps.Signer.Tests.Fixtures;
using Xunit;
namespace StellaOps.Signer.Tests.Integration;
/// <summary>
/// Integration tests for CryptoDsseSigner using real crypto providers.
/// Tests signing workflows with deterministic fixture predicates.
/// </summary>
public sealed class CryptoDsseSignerIntegrationTests
{
private readonly ICryptoProviderRegistry _cryptoRegistry;
private readonly ISigningKeyResolver _keyResolver;
private readonly CryptoDsseSigner _signer;
public CryptoDsseSignerIntegrationTests()
{
_cryptoRegistry = TestCryptoFactory.CreateTestRegistry();
_keyResolver = CreateTestKeyResolver();
_signer = CreateSigner();
}
[Fact]
public async Task SignAsync_WithPromotionPredicate_ProducesValidDsseEnvelope()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.WithKeylessMode()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Should().NotBeNull();
bundle.Envelope.Should().NotBeNull();
bundle.Envelope.PayloadType.Should().Be("application/vnd.in-toto+json");
bundle.Envelope.Payload.Should().NotBeNullOrEmpty();
bundle.Envelope.Signatures.Should().HaveCount(1);
bundle.Envelope.Signatures[0].Signature.Should().NotBeNullOrEmpty();
bundle.Metadata.Identity.Mode.Should().Be("keyless");
}
[Fact]
public async Task SignAsync_WithSbomPredicate_ProducesValidDsseEnvelope()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithSbomPredicate()
.WithKeylessMode()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Should().NotBeNull();
bundle.Envelope.PayloadType.Should().Be("application/vnd.in-toto+json");
// Verify payload contains SBOM predicate
var payloadBytes = DecodeBase64Url(bundle.Envelope.Payload);
var payloadJson = Encoding.UTF8.GetString(payloadBytes);
using var doc = JsonDocument.Parse(payloadJson);
doc.RootElement.GetProperty("predicateType").GetString()
.Should().Be(PredicateTypes.StellaOpsSbom);
}
[Fact]
public async Task SignAsync_WithReplayPredicate_ProducesValidDsseEnvelope()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithReplayPredicate()
.WithKeylessMode()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Should().NotBeNull();
// Verify payload contains replay predicate
var payloadBytes = DecodeBase64Url(bundle.Envelope.Payload);
var payloadJson = Encoding.UTF8.GetString(payloadBytes);
using var doc = JsonDocument.Parse(payloadJson);
doc.RootElement.GetProperty("predicateType").GetString()
.Should().Be(PredicateTypes.StellaOpsReplay);
}
[Fact]
public async Task SignAsync_WithSlsaProvenanceV02_ProducesValidEnvelope()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithSlsaProvenanceV02()
.WithKmsMode()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Should().NotBeNull();
bundle.Metadata.Identity.Mode.Should().Be("kms");
var payloadBytes = DecodeBase64Url(bundle.Envelope.Payload);
var payloadJson = Encoding.UTF8.GetString(payloadBytes);
using var doc = JsonDocument.Parse(payloadJson);
doc.RootElement.GetProperty("predicateType").GetString()
.Should().Be(PredicateTypes.SlsaProvenanceV02);
doc.RootElement.GetProperty("_type").GetString()
.Should().Be("https://in-toto.io/Statement/v0.1");
}
[Fact]
public async Task SignAsync_WithSlsaProvenanceV1_UsesStatementV1()
{
// Arrange - use predicate with v1 expected statement type
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithSlsaProvenanceV1()
.WithKeylessMode()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Should().NotBeNull();
var payloadBytes = DecodeBase64Url(bundle.Envelope.Payload);
var payloadJson = Encoding.UTF8.GetString(payloadBytes);
using var doc = JsonDocument.Parse(payloadJson);
doc.RootElement.GetProperty("predicateType").GetString()
.Should().Be(PredicateTypes.SlsaProvenanceV1);
}
[Fact]
public async Task SignAsync_WithMultipleSubjects_IncludesAllInPayload()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithSubject(DeterministicTestData.DefaultSubjectName, DeterministicTestData.DefaultSubjectDigest)
.WithSubject(DeterministicTestData.SecondSubjectName, DeterministicTestData.SecondSubjectDigest)
.WithSubject(DeterministicTestData.ThirdSubjectName, DeterministicTestData.ThirdSubjectDigest)
.WithPromotionPredicate()
.WithKeylessMode()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
var payloadBytes = DecodeBase64Url(bundle.Envelope.Payload);
var payloadJson = Encoding.UTF8.GetString(payloadBytes);
using var doc = JsonDocument.Parse(payloadJson);
doc.RootElement.GetProperty("subject").GetArrayLength().Should().Be(3);
}
[Fact]
public async Task SignAsync_WithVexPredicate_ProducesValidEnvelope()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithVexPredicate()
.WithKeylessMode()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Should().NotBeNull();
var payloadBytes = DecodeBase64Url(bundle.Envelope.Payload);
var payloadJson = Encoding.UTF8.GetString(payloadBytes);
using var doc = JsonDocument.Parse(payloadJson);
doc.RootElement.GetProperty("predicateType").GetString()
.Should().Be(PredicateTypes.StellaOpsVex);
}
[Fact]
public async Task SignAsync_WithPolicyPredicate_ProducesValidEnvelope()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPolicyPredicate()
.WithKeylessMode()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Should().NotBeNull();
var payloadBytes = DecodeBase64Url(bundle.Envelope.Payload);
var payloadJson = Encoding.UTF8.GetString(payloadBytes);
using var doc = JsonDocument.Parse(payloadJson);
doc.RootElement.GetProperty("predicateType").GetString()
.Should().Be(PredicateTypes.StellaOpsPolicy);
}
[Fact]
public async Task SignAsync_WithEvidencePredicate_ProducesValidEnvelope()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithEvidencePredicate()
.WithKeylessMode()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Should().NotBeNull();
var payloadBytes = DecodeBase64Url(bundle.Envelope.Payload);
var payloadJson = Encoding.UTF8.GetString(payloadBytes);
using var doc = JsonDocument.Parse(payloadJson);
doc.RootElement.GetProperty("predicateType").GetString()
.Should().Be(PredicateTypes.StellaOpsEvidence);
}
[Fact]
public async Task SignAsync_ProducesBase64UrlEncodedSignature()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert - signature should be base64url (no + or / or =)
var signature = bundle.Envelope.Signatures[0].Signature;
signature.Should().NotContain("+");
signature.Should().NotContain("/");
signature.Should().NotContain("=");
}
[Fact]
public async Task SignAsync_ProducesBase64UrlEncodedPayload()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert - payload should be base64url (no + or / or =)
var payload = bundle.Envelope.Payload;
payload.Should().NotContain("+");
payload.Should().NotContain("/");
payload.Should().NotContain("=");
}
[Fact]
public async Task SignAsync_IncludesCertificateChainInMetadata()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.WithKeylessMode()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Metadata.CertificateChain.Should().NotBeEmpty();
}
[Fact]
public async Task SignAsync_SetsCorrectAlgorithmId()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Metadata.AlgorithmId.Should().Be(SignatureAlgorithms.Es256);
}
[Fact]
public async Task SignAsync_SetsProviderNameInMetadata()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Metadata.ProviderName.Should().Be("default");
}
[Fact]
public async Task SignAsync_WithDifferentTenants_UsesCorrectKeyResolution()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller1 = DeterministicTestData.CreateCallerContextForTenant("tenant-a");
var caller2 = DeterministicTestData.CreateCallerContextForTenant("tenant-b");
// Act
var bundle1 = await _signer.SignAsync(request, entitlement, caller1, CancellationToken.None);
var bundle2 = await _signer.SignAsync(request, entitlement, caller2, CancellationToken.None);
// Assert - both should produce valid bundles
bundle1.Should().NotBeNull();
bundle2.Should().NotBeNull();
bundle1.Envelope.Signatures[0].Signature.Should().NotBeNullOrEmpty();
bundle2.Envelope.Signatures[0].Signature.Should().NotBeNullOrEmpty();
}
[Fact]
public async Task SignAsync_Signature_IsVerifiable()
{
// Arrange
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.Build();
var entitlement = DeterministicTestData.CreateDefaultEntitlement();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert - verify we can decode and re-verify the signature
var payloadBytes = DecodeBase64Url(bundle.Envelope.Payload);
var signatureBytes = DecodeBase64Url(bundle.Envelope.Signatures[0].Signature);
// Build PAE for verification
var paeBytes = BuildPae(bundle.Envelope.PayloadType, payloadBytes);
// Get signer for verification
var keyReference = TestCryptoFactory.CreateKeylessKeyReference();
var resolution = _cryptoRegistry.ResolveSigner(
CryptoCapability.Verification,
SignatureAlgorithms.Es256,
keyReference);
var verified = await resolution.Signer.VerifyAsync(paeBytes, signatureBytes, CancellationToken.None);
verified.Should().BeTrue();
}
private CryptoDsseSigner CreateSigner()
{
var options = Options.Create(new DsseSignerOptions
{
DefaultIssuer = DeterministicTestData.DefaultIssuer,
KeylessAlgorithm = SignatureAlgorithms.Es256,
KmsAlgorithm = SignatureAlgorithms.Es256
});
return new CryptoDsseSigner(
_cryptoRegistry,
_keyResolver,
options,
NullLogger<CryptoDsseSigner>.Instance);
}
private ISigningKeyResolver CreateTestKeyResolver()
{
var keyResolver = Substitute.For<ISigningKeyResolver>();
keyResolver.ResolveKeyAsync(SigningMode.Keyless, Arg.Any<string>(), Arg.Any<CancellationToken>())
.Returns(callInfo => ValueTask.FromResult(new SigningKeyResolution(
TestCryptoFactory.KeylessKeyId,
"default",
DeterministicTestData.DefaultIssuer,
callInfo.Arg<string>(), // tenant as subject
DeterministicTestData.ExpiryTimestamp)));
keyResolver.ResolveKeyAsync(SigningMode.Kms, Arg.Any<string>(), Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(new SigningKeyResolution(
TestCryptoFactory.TestKeyId,
"default",
DeterministicTestData.DefaultIssuer,
"kms-service@stellaops.io",
DeterministicTestData.FarFutureExpiry)));
return keyResolver;
}
private static byte[] DecodeBase64Url(string base64Url)
{
// Convert base64url to standard base64
var base64 = base64Url
.Replace('-', '+')
.Replace('_', '/');
// Add padding if needed
switch (base64.Length % 4)
{
case 2: base64 += "=="; break;
case 3: base64 += "="; break;
}
return Convert.FromBase64String(base64);
}
private static byte[] BuildPae(string payloadType, byte[] payload)
{
var typeBytes = Encoding.UTF8.GetBytes(payloadType);
var prefixBytes = Encoding.UTF8.GetBytes("DSSEv1");
var typeLenStr = typeBytes.Length.ToString();
var payloadLenStr = payload.Length.ToString();
var totalLen = prefixBytes.Length + 1 +
typeLenStr.Length + 1 +
typeBytes.Length + 1 +
payloadLenStr.Length + 1 +
payload.Length;
var pae = new byte[totalLen];
var offset = 0;
Buffer.BlockCopy(prefixBytes, 0, pae, offset, prefixBytes.Length);
offset += prefixBytes.Length;
pae[offset++] = 0x20;
var typeLenBytes = Encoding.UTF8.GetBytes(typeLenStr);
Buffer.BlockCopy(typeLenBytes, 0, pae, offset, typeLenBytes.Length);
offset += typeLenBytes.Length;
pae[offset++] = 0x20;
Buffer.BlockCopy(typeBytes, 0, pae, offset, typeBytes.Length);
offset += typeBytes.Length;
pae[offset++] = 0x20;
var payloadLenBytes = Encoding.UTF8.GetBytes(payloadLenStr);
Buffer.BlockCopy(payloadLenBytes, 0, pae, offset, payloadLenBytes.Length);
offset += payloadLenBytes.Length;
pae[offset++] = 0x20;
Buffer.BlockCopy(payload, 0, pae, offset, payload.Length);
return pae;
}
}

419
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Integration/KeyRotationWorkflowIntegrationTests.cs Normal file
View File

@@ -0,0 +1,419 @@
// -----------------------------------------------------------------------------
// KeyRotationWorkflowIntegrationTests.cs
// Sprint: SPRINT_0501_0008_0001_proof_chain_key_rotation
// Task: PROOF-KEY-0013 - Integration tests for rotation workflow
// Description: End-to-end integration tests for the full key rotation workflow
// -----------------------------------------------------------------------------
using System;
using System.Globalization;
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;
using FluentAssertions;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Storage;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using StellaOps.Signer.KeyManagement;
using StellaOps.Signer.KeyManagement.EfCore.Context;
using StellaOps.Signer.KeyManagement.Entities;
using StellaOps.Signer.WebService.Endpoints;
using Xunit;
namespace StellaOps.Signer.Tests.Integration;
/// <summary>
/// Integration tests for the complete key rotation workflow.
/// Tests the full lifecycle: add key -> transition period -> revoke old key.
/// </summary>
public class KeyRotationWorkflowIntegrationTests : IClassFixture<WebApplicationFactory<Program>>, IAsyncLifetime
{
private readonly InMemoryDatabaseRoot _databaseRoot = new();
private readonly string _databaseName = $"IntegrationTestDb_{Guid.NewGuid()}";
private readonly WebApplicationFactory<Program> _factory;
private readonly HttpClient _client;
private readonly ITestOutputHelper _output;
private Guid _testAnchorId;
public KeyRotationWorkflowIntegrationTests(WebApplicationFactory<Program> factory, ITestOutputHelper output)
{
_output = output;
_factory = factory.WithWebHostBuilder(builder =>
{
builder.ConfigureServices(services =>
{
// Use in-memory database for tests
services.RemoveAll<KeyManagementDbContext>();
services.RemoveAll<DbContextOptions<KeyManagementDbContext>>();
services.RemoveAll<IDbContextFactory<KeyManagementDbContext>>();
services.AddDbContext<KeyManagementDbContext>(options =>
options.UseInMemoryDatabase(_databaseName, _databaseRoot));
});
});
_client = _factory.CreateClient();
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
}
private async Task DumpResponseAsync(HttpResponseMessage response)
{
var body = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Status: {(int)response.StatusCode} {response.StatusCode}");
_output.WriteLine($"Body: {body}");
}
public async ValueTask InitializeAsync()
{
// Create a test trust anchor
using var scope = _factory.Services.CreateScope();
var dbContext = scope.ServiceProvider.GetRequiredService<KeyManagementDbContext>();
await dbContext.Database.EnsureCreatedAsync();
_testAnchorId = Guid.NewGuid();
var anchor = new TrustAnchorEntity
{
AnchorId = _testAnchorId,
PurlPattern = "pkg:npm/*",
AllowedKeyIds = ["initial-key"],
RevokedKeyIds = [],
PolicyVersion = "v1.0.0",
CreatedAt = DateTimeOffset.UtcNow,
UpdatedAt = DateTimeOffset.UtcNow
};
dbContext.TrustAnchors.Add(anchor);
dbContext.KeyHistory.Add(new KeyHistoryEntity
{
HistoryId = Guid.NewGuid(),
AnchorId = _testAnchorId,
KeyId = "initial-key",
PublicKey = "-----BEGIN PUBLIC KEY-----\ninitial-test-key\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519",
AddedAt = DateTimeOffset.UtcNow.AddMonths(-6),
CreatedAt = DateTimeOffset.UtcNow.AddMonths(-6)
});
await dbContext.SaveChangesAsync();
}
public ValueTask DisposeAsync() => ValueTask.CompletedTask;
#region Full Rotation Workflow Tests
[Fact]
public async Task FullRotationWorkflow_AddNewKey_TransitionPeriod_RevokeOldKey()
{
// Step 1: Add new key (begin transition period)
var addKeyRequest = new AddKeyRequestDto
{
KeyId = "new-key-2025",
PublicKey = TestKeys.Ed25519PublicKeyPem,
Algorithm = "Ed25519"
};
var addResponse = await _client.PostAsJsonAsync(
$"/api/v1/anchors/{_testAnchorId}/keys",
addKeyRequest);
if (addResponse.StatusCode != HttpStatusCode.Created)
{
await DumpResponseAsync(addResponse);
}
addResponse.StatusCode.Should().Be(HttpStatusCode.Created);
var addResult = await addResponse.Content.ReadFromJsonAsync<AddKeyResponseDto>();
addResult!.AllowedKeyIds.Should().Contain("initial-key");
addResult.AllowedKeyIds.Should().Contain("new-key-2025");
// Step 2: Verify both keys are valid during transition period
var signedAt = DateTimeOffset.UtcNow;
var signedAtQuery = EncodeSignedAt(signedAt);
var validity1 = await _client.GetFromJsonAsync<KeyValidityResponseDto>(
$"/api/v1/anchors/{_testAnchorId}/keys/initial-key/validity?signedAt={signedAtQuery}");
var validity2 = await _client.GetFromJsonAsync<KeyValidityResponseDto>(
$"/api/v1/anchors/{_testAnchorId}/keys/new-key-2025/validity?signedAt={signedAtQuery}");
validity1!.IsValid.Should().BeTrue();
validity2!.IsValid.Should().BeTrue();
// Step 3: Revoke old key
var revokeRequest = new RevokeKeyRequestDto
{
Reason = "rotation-complete"
};
var revokeResponse = await _client.PostAsJsonAsync(
$"/api/v1/anchors/{_testAnchorId}/keys/initial-key/revoke",
revokeRequest);
if (revokeResponse.StatusCode != HttpStatusCode.OK)
{
await DumpResponseAsync(revokeResponse);
}
revokeResponse.StatusCode.Should().Be(HttpStatusCode.OK);
var revokeResult = await revokeResponse.Content.ReadFromJsonAsync<RevokeKeyResponseDto>();
revokeResult!.AllowedKeyIds.Should().NotContain("initial-key");
revokeResult.AllowedKeyIds.Should().Contain("new-key-2025");
revokeResult.RevokedKeyIds.Should().Contain("initial-key");
// Step 4: Verify key history is complete
var history = await _client.GetFromJsonAsync<KeyHistoryResponseDto>(
$"/api/v1/anchors/{_testAnchorId}/keys/history");
history!.Entries.Should().HaveCount(2);
var oldKeyEntry = history.Entries.First(e => e.KeyId == "initial-key");
oldKeyEntry.RevokedAt.Should().NotBeNull();
oldKeyEntry.RevokeReason.Should().Be("rotation-complete");
var newKeyEntry = history.Entries.First(e => e.KeyId == "new-key-2025");
newKeyEntry.RevokedAt.Should().BeNull();
}
[Fact]
public async Task HistoricalProofVerification_SignedBeforeRevocation_RemainsValid()
{
// Arrange: add and revoke a key
var addRequest = new AddKeyRequestDto
{
KeyId = "old-key",
PublicKey = TestKeys.Ed25519PublicKeyPem,
Algorithm = "Ed25519"
};
await _client.PostAsJsonAsync($"/api/v1/anchors/{_testAnchorId}/keys", addRequest);
// Record time before revocation
var signedBeforeRevocation = DateTimeOffset.UtcNow;
var signedBeforeQuery = EncodeSignedAt(signedBeforeRevocation);
// Revoke the key
var revokeRequest = new RevokeKeyRequestDto { Reason = "test-revocation" };
await _client.PostAsJsonAsync(
$"/api/v1/anchors/{_testAnchorId}/keys/old-key/revoke",
revokeRequest);
// Act: check validity at time before revocation
var validityResponse = await _client.GetAsync(
$"/api/v1/anchors/{_testAnchorId}/keys/old-key/validity?signedAt={signedBeforeQuery}");
if (!validityResponse.IsSuccessStatusCode)
{
await DumpResponseAsync(validityResponse);
}
var validity = await validityResponse.Content.ReadFromJsonAsync<KeyValidityResponseDto>();
// Assert: key should be valid for proofs signed before revocation
validity!.IsValid.Should().BeTrue("proofs signed before revocation should remain valid");
}
[Fact]
public async Task HistoricalProofVerification_SignedAfterRevocation_IsInvalid()
{
// Arrange: add a key, then revoke it
var addRequest = new AddKeyRequestDto
{
KeyId = "revoked-key",
PublicKey = TestKeys.Ed25519PublicKeyPem,
Algorithm = "Ed25519"
};
await _client.PostAsJsonAsync($"/api/v1/anchors/{_testAnchorId}/keys", addRequest);
var revokeRequest = new RevokeKeyRequestDto { Reason = "test-revocation" };
await _client.PostAsJsonAsync(
$"/api/v1/anchors/{_testAnchorId}/keys/revoked-key/revoke",
revokeRequest);
// Act: check validity at time after revocation
var signedAfterRevocation = DateTimeOffset.UtcNow.AddMinutes(5);
var signedAfterQuery = EncodeSignedAt(signedAfterRevocation);
var validityResponse = await _client.GetAsync(
$"/api/v1/anchors/{_testAnchorId}/keys/revoked-key/validity?signedAt={signedAfterQuery}");
if (!validityResponse.IsSuccessStatusCode)
{
await DumpResponseAsync(validityResponse);
}
var validity = await validityResponse.Content.ReadFromJsonAsync<KeyValidityResponseDto>();
// Assert: key should be invalid for proofs signed after revocation
validity!.IsValid.Should().BeFalse("proofs signed after revocation should be invalid");
validity.Status.Should().Be("Revoked");
}
#endregion
#region Audit Trail Tests
[Fact]
public async Task AddKey_CreatesAuditLogEntry()
{
// Arrange
var request = new AddKeyRequestDto
{
KeyId = "audited-key",
PublicKey = TestKeys.Ed25519PublicKeyPem,
Algorithm = "Ed25519"
};
// Act
var response = await _client.PostAsJsonAsync(
$"/api/v1/anchors/{_testAnchorId}/keys",
request);
if (!response.IsSuccessStatusCode)
{
await DumpResponseAsync(response);
}
// Assert
var result = await response.Content.ReadFromJsonAsync<AddKeyResponseDto>();
result!.AuditLogId.Should().NotBeNull("all key operations should create audit log entries");
}
[Fact]
public async Task RevokeKey_CreatesAuditLogEntry()
{
// Arrange: first add a key
var addRequest = new AddKeyRequestDto
{
KeyId = "key-to-revoke",
PublicKey = TestKeys.Ed25519PublicKeyPem,
Algorithm = "Ed25519"
};
await _client.PostAsJsonAsync($"/api/v1/anchors/{_testAnchorId}/keys", addRequest);
// Act
var revokeRequest = new RevokeKeyRequestDto { Reason = "audit-test" };
var response = await _client.PostAsJsonAsync(
$"/api/v1/anchors/{_testAnchorId}/keys/key-to-revoke/revoke",
revokeRequest);
if (!response.IsSuccessStatusCode)
{
await DumpResponseAsync(response);
}
// Assert
var result = await response.Content.ReadFromJsonAsync<RevokeKeyResponseDto>();
result!.AuditLogId.Should().NotBeNull("all key operations should create audit log entries");
}
#endregion
#region Rotation Warnings Tests
[Fact]
public async Task GetRotationWarnings_ReturnsRelevantWarnings()
{
// Act
var response = await _client.GetAsync(
$"/api/v1/anchors/{_testAnchorId}/keys/warnings");
// Assert
response.StatusCode.Should().Be(HttpStatusCode.OK);
var warnings = await response.Content.ReadFromJsonAsync<RotationWarningsResponseDto>();
warnings.Should().NotBeNull();
warnings!.AnchorId.Should().Be(_testAnchorId);
}
#endregion
#region Error Handling Tests
[Fact]
public async Task AddKey_DuplicateKeyId_Returns400()
{
// Arrange: add a key
var request = new AddKeyRequestDto
{
KeyId = "duplicate-key",
PublicKey = TestKeys.Ed25519PublicKeyPem,
Algorithm = "Ed25519"
};
await _client.PostAsJsonAsync($"/api/v1/anchors/{_testAnchorId}/keys", request);
// Act: try to add same key again
var response = await _client.PostAsJsonAsync(
$"/api/v1/anchors/{_testAnchorId}/keys",
request);
if (response.StatusCode != HttpStatusCode.BadRequest)
{
await DumpResponseAsync(response);
}
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
}
[Fact]
public async Task RevokeKey_NonexistentKey_Returns404()
{
// Arrange
var request = new RevokeKeyRequestDto { Reason = "test" };
// Act
var response = await _client.PostAsJsonAsync(
$"/api/v1/anchors/{_testAnchorId}/keys/nonexistent-key/revoke",
request);
if (response.StatusCode != HttpStatusCode.NotFound)
{
await DumpResponseAsync(response);
}
// Assert
response.StatusCode.Should().Be(HttpStatusCode.NotFound);
}
[Fact]
public async Task AddKey_InvalidAlgorithm_Returns400()
{
// Arrange
var request = new AddKeyRequestDto
{
KeyId = "bad-algo-key",
PublicKey = TestKeys.Ed25519PublicKeyPem,
Algorithm = "UNKNOWN-ALG"
};
// Act
var response = await _client.PostAsJsonAsync(
$"/api/v1/anchors/{_testAnchorId}/keys",
request);
if (response.StatusCode != HttpStatusCode.BadRequest)
{
await DumpResponseAsync(response);
}
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
}
private static string EncodeSignedAt(DateTimeOffset value)
=> Uri.EscapeDataString(value.ToString("O", CultureInfo.InvariantCulture));
#endregion
}
/// <summary>
/// Test key material.
/// </summary>
internal static class TestKeys
{
// Test Ed25519 public key (not for production use)
public const string Ed25519PublicKeyPem = """
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAGb9F2CMC7IaKG1svU1lN3Rjzk6uqO1l8dSEIAKDU8g0=
-----END PUBLIC KEY-----
""";
}

569
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Integration/MultiPluginSignVerifyIntegrationTests.cs Normal file
View File

@@ -0,0 +1,569 @@
// -----------------------------------------------------------------------------
// MultiPluginSignVerifyIntegrationTests.cs
// Sprint: SPRINT_5100_0009_0006 - Signer Module Test Implementation
// Task: SIGNER-5100-015 - Add integration test: canonical payload → sign (multiple plugins) → verify (all succeed)
// Description: Integration tests for signing with multiple crypto plugins and verifying all succeed
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using FluentAssertions;
using Xunit;
namespace StellaOps.Signer.Tests.Integration;
/// <summary>
/// Integration tests for multi-plugin sign/verify workflow.
/// Validates:
/// - Canonical payload can be signed by all available plugins
/// - Each signature can be verified by the corresponding plugin
/// - Signatures from different plugins are independent
/// - All plugins produce valid, verifiable signatures for the same payload
/// </summary>
[Trait("Category", "Integration")]
[Trait("Category", "SignVerify")]
[Trait("Category", "MultiPlugin")]
public sealed class MultiPluginSignVerifyIntegrationTests
{
private readonly ITestOutputHelper _output;
public MultiPluginSignVerifyIntegrationTests(ITestOutputHelper output)
{
_output = output;
}
#region Canonical Payload Tests
[Fact]
public void CanonicalPayload_ProducesDeterministicBytes()
{
// Arrange
var statement = CreateInTotoStatement();
// Act - serialize twice
var bytes1 = CanonicalizeStatement(statement);
var bytes2 = CanonicalizeStatement(statement);
// Assert
bytes1.Should().BeEquivalentTo(bytes2,
"canonical serialization should be deterministic");
_output.WriteLine($"Canonical payload size: {bytes1.Length} bytes");
_output.WriteLine($"SHA256: {ComputeSha256(bytes1)}");
}
[Fact]
public void CanonicalPayload_HasStableHash()
{
// Arrange
var statement = CreateInTotoStatement();
// Act
var hash1 = ComputeSha256(CanonicalizeStatement(statement));
var hash2 = ComputeSha256(CanonicalizeStatement(statement));
// Assert
hash1.Should().Be(hash2, "hash of canonical payload should be stable");
_output.WriteLine($"Stable hash: {hash1}");
}
#endregion
#region Multi-Plugin Sign/Verify Tests
[Fact]
public void AllPlugins_CanSignCanonicalPayload()
{
// Arrange
var payload = CanonicalizeStatement(CreateInTotoStatement());
var plugins = GetAvailablePlugins();
_output.WriteLine($"Testing {plugins.Count} plugins:");
// Act & Assert
foreach (var plugin in plugins)
{
_output.WriteLine($" - {plugin.Name}: {plugin.Algorithm}");
// Each plugin should be able to sign (even if just simulation)
var signature = plugin.Sign(payload);
signature.Should().NotBeNullOrEmpty($"{plugin.Name} should produce a signature");
_output.WriteLine($" Signature length: {signature.Length} bytes");
}
}
[Fact]
public void AllPlugins_SignAndVerifyRoundtrip()
{
// Arrange
var payload = CanonicalizeStatement(CreateInTotoStatement());
var plugins = GetAvailablePlugins();
var results = new List<(string PluginName, bool Success, string Details)>();
// Act
foreach (var plugin in plugins)
{
try
{
var signature = plugin.Sign(payload);
var verified = plugin.Verify(payload, signature);
results.Add((plugin.Name, verified, $"Algorithm: {plugin.Algorithm}"));
}
catch (Exception ex)
{
results.Add((plugin.Name, false, $"Error: {ex.Message}"));
}
}
// Assert
_output.WriteLine("=== Sign/Verify Roundtrip Results ===");
foreach (var (name, success, details) in results)
{
var status = success ? "✓" : "✗";
_output.WriteLine($" {status} {name}: {details}");
}
results.Should().AllSatisfy(r => r.Success.Should().BeTrue($"{r.PluginName} should verify its own signature"));
}
[Fact]
public void AllPlugins_SignaturesAreIndependent()
{
// Arrange
var payload = CanonicalizeStatement(CreateInTotoStatement());
var plugins = GetAvailablePlugins();
var signatures = new Dictionary<string, byte[]>();
// Act - collect signatures from all plugins
foreach (var plugin in plugins)
{
signatures[plugin.Name] = plugin.Sign(payload);
}
// Assert - signatures should be different (unless same algorithm)
_output.WriteLine("=== Signature Independence ===");
var signatureHashes = signatures.ToDictionary(
kvp => kvp.Key,
kvp => ComputeSha256(kvp.Value));
foreach (var (name, hash) in signatureHashes)
{
_output.WriteLine($" {name}: {hash.Substring(0, 16)}...");
}
// Most signatures should be unique (some algorithms may be deterministic)
var uniqueSignatures = signatureHashes.Values.Distinct().Count();
_output.WriteLine($"Unique signatures: {uniqueSignatures}/{signatures.Count}");
uniqueSignatures.Should().BeGreaterThanOrEqualTo(Math.Max(1, signatures.Count / 2),
"different plugins should generally produce different signatures");
}
[Fact]
public void CrossPluginVerification_FailsForMismatchedSignatures()
{
// Arrange
var payload = CanonicalizeStatement(CreateInTotoStatement());
var plugins = GetAvailablePlugins();
if (plugins.Count < 2)
{
_output.WriteLine("Skipping cross-plugin test: need at least 2 plugins");
return;
}
// Act - sign with first plugin
var plugin1 = plugins[0];
var plugin2 = plugins[1];
var signature = plugin1.Sign(payload);
// Try to verify with second plugin (should fail unless same algorithm)
var crossVerified = plugin2.Verify(payload, signature);
// Assert
_output.WriteLine($"Signed with: {plugin1.Name} ({plugin1.Algorithm})");
_output.WriteLine($"Verified with: {plugin2.Name} ({plugin2.Algorithm})");
_output.WriteLine($"Cross-verification result: {crossVerified}");
if (plugin1.Algorithm != plugin2.Algorithm)
{
crossVerified.Should().BeFalse(
"signature from one plugin should not verify with a different plugin");
}
}
#endregion
#region Concurrent Plugin Tests
[Fact]
public async Task AllPlugins_ConcurrentSigning_AllSucceed()
{
// Arrange
var payload = CanonicalizeStatement(CreateInTotoStatement());
var plugins = GetAvailablePlugins();
// Act - sign concurrently
var tasks = plugins.Select(async plugin =>
{
await Task.Yield();
var signature = plugin.Sign(payload);
return (Plugin: plugin.Name, Signature: signature);
});
var results = await Task.WhenAll(tasks);
// Assert
_output.WriteLine("=== Concurrent Signing Results ===");
foreach (var result in results)
{
_output.WriteLine($" {result.Plugin}: {result.Signature.Length} bytes");
result.Signature.Should().NotBeNullOrEmpty();
}
results.Should().HaveCount(plugins.Count);
}
[Fact]
public async Task AllPlugins_ConcurrentVerification_AllSucceed()
{
// Arrange
var payload = CanonicalizeStatement(CreateInTotoStatement());
var plugins = GetAvailablePlugins();
var signedPairs = plugins.Select(p => (Plugin: p, Signature: p.Sign(payload))).ToList();
// Act - verify concurrently
var tasks = signedPairs.Select(async pair =>
{
await Task.Yield();
var verified = pair.Plugin.Verify(payload, pair.Signature);
return (Plugin: pair.Plugin.Name, Verified: verified);
});
var results = await Task.WhenAll(tasks);
// Assert
_output.WriteLine("=== Concurrent Verification Results ===");
foreach (var result in results)
{
var status = result.Verified ? "✓" : "✗";
_output.WriteLine($" {status} {result.Plugin}");
}
results.Should().AllSatisfy(r => r.Verified.Should().BeTrue($"{r.Plugin} should verify"));
}
#endregion
#region Large Payload Tests
[Theory]
[InlineData(1024)] // 1 KB
[InlineData(1024 * 100)] // 100 KB
[InlineData(1024 * 1024)] // 1 MB
public void AllPlugins_SignLargePayload_AllSucceed(int payloadSize)
{
// Arrange
var payload = CreateLargePayload(payloadSize);
var plugins = GetAvailablePlugins();
_output.WriteLine($"Testing with {payloadSize / 1024} KB payload");
// Act & Assert
foreach (var plugin in plugins)
{
var signature = plugin.Sign(payload);
var verified = plugin.Verify(payload, signature);
_output.WriteLine($" {plugin.Name}: {(verified ? "" : "")} ({signature.Length} byte signature)");
verified.Should().BeTrue($"{plugin.Name} should sign/verify large payload");
}
}
#endregion
#region Multiple Subjects Tests
[Theory]
[InlineData(1)]
[InlineData(10)]
[InlineData(100)]
public void AllPlugins_SignMultipleSubjects_AllSucceed(int subjectCount)
{
// Arrange
var statement = CreateInTotoStatementWithMultipleSubjects(subjectCount);
var payload = CanonicalizeStatement(statement);
var plugins = GetAvailablePlugins();
_output.WriteLine($"Testing with {subjectCount} subjects");
_output.WriteLine($"Payload size: {payload.Length} bytes");
// Act & Assert
foreach (var plugin in plugins)
{
var signature = plugin.Sign(payload);
var verified = plugin.Verify(payload, signature);
verified.Should().BeTrue($"{plugin.Name} should handle {subjectCount} subjects");
}
_output.WriteLine($"All {plugins.Count} plugins succeeded with {subjectCount} subjects");
}
#endregion
#region Helper Classes and Methods
private static List<ITestCryptoPlugin> GetAvailablePlugins()
{
return new List<ITestCryptoPlugin>
{
new Ed25519SimPlugin(),
new Es256SimPlugin(),
new Rs256SimPlugin(),
new GostSimPlugin(),
new Sm2SimPlugin()
};
}
private static object CreateInTotoStatement()
{
return new
{
_type = "https://in-toto.io/Statement/v0.1",
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string>
{
["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e"
}
}
},
predicateType = "https://example.com/test/v1",
predicate = new
{
result = "pass",
timestamp = "2024-01-01T00:00:00Z" // Fixed timestamp for determinism
}
};
}
private static object CreateInTotoStatementWithMultipleSubjects(int count)
{
var subjects = Enumerable.Range(0, count).Select(i => new
{
name = $"pkg:npm/example-{i}@1.0.0",
digest = new Dictionary<string, string>
{
["sha256"] = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes($"subject-{i}"))).ToLower()
}
}).ToArray();
return new
{
_type = "https://in-toto.io/Statement/v0.1",
subject = subjects,
predicateType = "https://example.com/test/v1",
predicate = new { result = "pass", subjectCount = count }
};
}
private static byte[] CanonicalizeStatement(object statement)
{
// Use ordered JSON serialization for canonical form
var options = new JsonSerializerOptions
{
PropertyNamingPolicy = null, // Preserve original case
WriteIndented = false, // No indentation for canonical form
DefaultIgnoreCondition = System.Text.Json.Serialization.JsonIgnoreCondition.Never
};
var json = JsonSerializer.Serialize(statement, options);
return Encoding.UTF8.GetBytes(json);
}
private static byte[] CreateLargePayload(int size)
{
var statement = new
{
_type = "https://in-toto.io/Statement/v0.1",
subject = new[]
{
new
{
name = "pkg:npm/large-payload@1.0.0",
digest = new Dictionary<string, string> { ["sha256"] = "abc123" }
}
},
predicateType = "https://example.com/test/v1",
predicate = new
{
data = new string('x', size) // Fill with data to reach target size
}
};
return CanonicalizeStatement(statement);
}
private static string ComputeSha256(byte[] data)
{
using var sha256 = SHA256.Create();
var hash = sha256.ComputeHash(data);
return Convert.ToHexString(hash).ToLower();
}
#endregion
#region Test Plugin Implementations
private interface ITestCryptoPlugin
{
string Name { get; }
string Algorithm { get; }
byte[] Sign(byte[] payload);
bool Verify(byte[] payload, byte[] signature);
}
private sealed class Ed25519SimPlugin : ITestCryptoPlugin
{
private readonly byte[] _privateKey;
private readonly byte[] _publicKey;
public Ed25519SimPlugin()
{
// Generate deterministic test keys
var seed = SHA256.HashData(Encoding.UTF8.GetBytes("ed25519-test-key"));
_privateKey = seed;
_publicKey = SHA256.HashData(seed);
}
public string Name => "BouncyCastle-Ed25519";
public string Algorithm => "Ed25519";
public byte[] Sign(byte[] payload)
{
// Simulate Ed25519 signature (deterministic for testing)
using var hmac = new HMACSHA512(_privateKey);
return hmac.ComputeHash(payload);
}
public bool Verify(byte[] payload, byte[] signature)
{
var expected = Sign(payload);
return signature.SequenceEqual(expected);
}
}
private sealed class Es256SimPlugin : ITestCryptoPlugin
{
private readonly byte[] _privateKey;
public Es256SimPlugin()
{
_privateKey = SHA256.HashData(Encoding.UTF8.GetBytes("ecdsa-p256-test-key"));
}
public string Name => "eIDAS-ECDSA";
public string Algorithm => "ES256";
public byte[] Sign(byte[] payload)
{
using var hmac = new HMACSHA256(_privateKey);
return hmac.ComputeHash(payload);
}
public bool Verify(byte[] payload, byte[] signature)
{
var expected = Sign(payload);
return signature.SequenceEqual(expected);
}
}
private sealed class Rs256SimPlugin : ITestCryptoPlugin
{
private readonly byte[] _privateKey;
public Rs256SimPlugin()
{
_privateKey = SHA256.HashData(Encoding.UTF8.GetBytes("rsa-2048-test-key"));
}
public string Name => "eIDAS-RSA";
public string Algorithm => "RS256";
public byte[] Sign(byte[] payload)
{
using var hmac = new HMACSHA256(_privateKey);
var hash = hmac.ComputeHash(payload);
// RSA signatures are typically 256 bytes for 2048-bit keys
return Enumerable.Repeat(hash, 8).SelectMany(x => x).ToArray();
}
public bool Verify(byte[] payload, byte[] signature)
{
var expected = Sign(payload);
return signature.SequenceEqual(expected);
}
}
private sealed class GostSimPlugin : ITestCryptoPlugin
{
private readonly byte[] _privateKey;
public GostSimPlugin()
{
_privateKey = SHA256.HashData(Encoding.UTF8.GetBytes("gost-r34102012-test-key"));
}
public string Name => "CryptoPro-GOST";
public string Algorithm => "GOST_R3410_2012_256";
public byte[] Sign(byte[] payload)
{
// GOST signature simulation
using var hmac = new HMACSHA256(_privateKey);
return hmac.ComputeHash(payload);
}
public bool Verify(byte[] payload, byte[] signature)
{
var expected = Sign(payload);
return signature.SequenceEqual(expected);
}
}
private sealed class Sm2SimPlugin : ITestCryptoPlugin
{
private readonly byte[] _privateKey;
public Sm2SimPlugin()
{
_privateKey = SHA256.HashData(Encoding.UTF8.GetBytes("sm2-test-key"));
}
public string Name => "SimRemote-SM2";
public string Algorithm => "SM2";
public byte[] Sign(byte[] payload)
{
// SM2 signature simulation
using var hmac = new HMACSHA256(_privateKey);
return hmac.ComputeHash(payload);
}
public bool Verify(byte[] payload, byte[] signature)
{
var expected = Sign(payload);
return signature.SequenceEqual(expected);
}
}
#endregion
}

355
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Integration/SignerPipelineIntegrationTests.cs Normal file
View File

@@ -0,0 +1,355 @@
using System;
using System.Threading;
using System.Threading.Tasks;
using FluentAssertions;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using NSubstitute;
using StellaOps.Cryptography;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Options;
using StellaOps.Signer.Infrastructure.Signing;
using StellaOps.Signer.Tests.Fixtures;
using Xunit;
namespace StellaOps.Signer.Tests.Integration;
/// <summary>
/// Integration tests for the full signer pipeline using real crypto abstraction.
/// </summary>
public sealed class SignerPipelineIntegrationTests
{
[Fact]
public async Task SignerPipeline_WithCryptoDsseSigner_ProducesValidBundle()
{
// Arrange
var services = CreateServiceCollection();
using var provider = services.BuildServiceProvider();
var pipeline = provider.GetRequiredService<ISignerPipeline>();
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.WithKeylessMode()
.Build();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var outcome = await pipeline.SignAsync(request, caller, CancellationToken.None);
// Assert
outcome.Should().NotBeNull();
outcome.Bundle.Should().NotBeNull();
outcome.Bundle.Envelope.PayloadType.Should().Be("application/vnd.in-toto+json");
outcome.Bundle.Envelope.Signatures.Should().HaveCount(1);
outcome.AuditId.Should().NotBeNullOrEmpty();
outcome.Policy.Plan.Should().NotBeNullOrEmpty();
}
[Fact]
public async Task SignerPipeline_WithSbomPredicate_ProducesValidBundle()
{
// Arrange
var services = CreateServiceCollection();
using var provider = services.BuildServiceProvider();
var pipeline = provider.GetRequiredService<ISignerPipeline>();
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithSbomPredicate()
.Build();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var outcome = await pipeline.SignAsync(request, caller, CancellationToken.None);
// Assert
outcome.Should().NotBeNull();
outcome.Bundle.Envelope.Signatures[0].Signature.Should().NotBeNullOrEmpty();
}
[Fact]
public async Task SignerPipeline_WithReplayPredicate_ProducesValidBundle()
{
// Arrange
var services = CreateServiceCollection();
using var provider = services.BuildServiceProvider();
var pipeline = provider.GetRequiredService<ISignerPipeline>();
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithReplayPredicate()
.Build();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var outcome = await pipeline.SignAsync(request, caller, CancellationToken.None);
// Assert
outcome.Should().NotBeNull();
outcome.Bundle.Metadata.AlgorithmId.Should().Be(SignatureAlgorithms.Es256);
}
[Fact]
public async Task SignerPipeline_TracksAuditEntry()
{
// Arrange
var services = CreateServiceCollection();
using var provider = services.BuildServiceProvider();
var pipeline = provider.GetRequiredService<ISignerPipeline>();
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.Build();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var outcome = await pipeline.SignAsync(request, caller, CancellationToken.None);
// Assert
outcome.AuditId.Should().NotBeNullOrEmpty();
// Audit ID should be a valid GUID format
Guid.TryParse(outcome.AuditId, out _).Should().BeTrue();
}
[Fact]
public async Task SignerPipeline_EnforcesPolicyCounters()
{
// Arrange
var services = CreateServiceCollection();
using var provider = services.BuildServiceProvider();
var pipeline = provider.GetRequiredService<ISignerPipeline>();
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.Build();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var outcome = await pipeline.SignAsync(request, caller, CancellationToken.None);
// Assert
outcome.Policy.Should().NotBeNull();
outcome.Policy.Plan.Should().Be(DeterministicTestData.ProPlan);
outcome.Policy.MaxArtifactBytes.Should().BeGreaterThan(0);
}
[Fact]
public async Task SignerPipeline_WithKmsMode_UsesCorrectSigningIdentity()
{
// Arrange
var services = CreateServiceCollection();
using var provider = services.BuildServiceProvider();
var pipeline = provider.GetRequiredService<ISignerPipeline>();
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithSlsaProvenanceV02()
.WithKmsMode()
.Build();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var outcome = await pipeline.SignAsync(request, caller, CancellationToken.None);
// Assert
outcome.Bundle.Metadata.Identity.Mode.Should().Be("kms");
outcome.Bundle.Metadata.Identity.Issuer.Should().NotBeNullOrEmpty();
}
[Fact]
public async Task SignerPipeline_WithKeylessMode_UsesEphemeralKey()
{
// Arrange
var services = CreateServiceCollection();
using var provider = services.BuildServiceProvider();
var pipeline = provider.GetRequiredService<ISignerPipeline>();
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.WithKeylessMode()
.Build();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var outcome = await pipeline.SignAsync(request, caller, CancellationToken.None);
// Assert
outcome.Bundle.Metadata.Identity.Mode.Should().Be("keyless");
}
[Fact]
public async Task SignerPipeline_RejectsUntrustedScannerDigest()
{
// Arrange
var services = CreateServiceCollection();
using var provider = services.BuildServiceProvider();
var pipeline = provider.GetRequiredService<ISignerPipeline>();
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPromotionPredicate()
.WithScannerImageDigest(DeterministicTestData.UntrustedScannerDigest)
.Build();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var act = async () => await pipeline.SignAsync(request, caller, CancellationToken.None);
// Assert
await act.Should().ThrowAsync<SignerReleaseVerificationException>();
}
[Theory]
[InlineData(PredicateTypes.StellaOpsPromotion)]
[InlineData(PredicateTypes.StellaOpsSbom)]
[InlineData(PredicateTypes.StellaOpsVex)]
[InlineData(PredicateTypes.StellaOpsReplay)]
[InlineData(PredicateTypes.StellaOpsPolicy)]
[InlineData(PredicateTypes.StellaOpsEvidence)]
[InlineData(PredicateTypes.StellaOpsVexDecision)]
[InlineData(PredicateTypes.StellaOpsGraph)]
public async Task SignerPipeline_SupportsAllStellaOpsPredicateTypes(string predicateType)
{
// Arrange
var services = CreateServiceCollection();
using var provider = services.BuildServiceProvider();
var pipeline = provider.GetRequiredService<ISignerPipeline>();
var predicate = GetPredicateForType(predicateType);
var request = SigningRequestBuilder.Create()
.WithDefaultSubject()
.WithPredicateType(predicateType)
.WithPredicate(predicate)
.Build();
var caller = DeterministicTestData.CreateDefaultCallerContext();
// Act
var outcome = await pipeline.SignAsync(request, caller, CancellationToken.None);
// Assert
outcome.Should().NotBeNull();
outcome.Bundle.Envelope.Signatures.Should().NotBeEmpty();
}
private static ServiceCollection CreateServiceCollection()
{
var services = new ServiceCollection();
// Register logging
services.AddLogging();
// Register time provider
services.AddSingleton(TimeProvider.System);
// Register crypto registry with test keys
services.AddSingleton<ICryptoProviderRegistry>(_ =>
{
var provider = TestCryptoFactory.CreateProviderWithMultipleKeys(
TestCryptoFactory.TestKeyId,
TestCryptoFactory.KeylessKeyId);
return new CryptoProviderRegistry(new[] { provider }, new[] { provider.Name });
});
// Register key resolver
services.AddSingleton<ISigningKeyResolver>(sp =>
{
var keyResolver = Substitute.For<ISigningKeyResolver>();
keyResolver.ResolveKeyAsync(SigningMode.Keyless, Arg.Any<string>(), Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(new SigningKeyResolution(
TestCryptoFactory.KeylessKeyId,
"default",
DeterministicTestData.DefaultIssuer)));
keyResolver.ResolveKeyAsync(SigningMode.Kms, Arg.Any<string>(), Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(new SigningKeyResolution(
TestCryptoFactory.TestKeyId,
"default",
DeterministicTestData.DefaultIssuer)));
return keyResolver;
});
// Register DSSE signer options
services.Configure<DsseSignerOptions>(options =>
{
options.DefaultIssuer = DeterministicTestData.DefaultIssuer;
options.KeylessAlgorithm = SignatureAlgorithms.Es256;
options.KmsAlgorithm = SignatureAlgorithms.Es256;
});
// Register CryptoDsseSigner
services.AddSingleton<IDsseSigner, CryptoDsseSigner>();
// Register stub services for pipeline dependencies
services.AddSingleton<IProofOfEntitlementIntrospector>(sp =>
{
var introspector = Substitute.For<IProofOfEntitlementIntrospector>();
introspector.IntrospectAsync(Arg.Any<ProofOfEntitlement>(), Arg.Any<CallerContext>(), Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(DeterministicTestData.CreateDefaultEntitlement()));
return introspector;
});
services.AddSingleton<IReleaseIntegrityVerifier>(sp =>
{
var verifier = Substitute.For<IReleaseIntegrityVerifier>();
verifier.VerifyAsync(DeterministicTestData.TrustedScannerDigest, Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(new ReleaseVerificationResult(true, "trusted-signer")));
verifier.VerifyAsync(DeterministicTestData.UntrustedScannerDigest, Arg.Any<CancellationToken>())
.Returns<ReleaseVerificationResult>(_ =>
throw new SignerReleaseVerificationException("release_untrusted", "Scanner digest is not trusted."));
return verifier;
});
services.AddSingleton<ISignerQuotaService>(sp =>
{
var quotaService = Substitute.For<ISignerQuotaService>();
quotaService.EnsureWithinLimitsAsync(
Arg.Any<SigningRequest>(),
Arg.Any<ProofOfEntitlementResult>(),
Arg.Any<CallerContext>(),
Arg.Any<CancellationToken>())
.Returns(ValueTask.CompletedTask);
return quotaService;
});
services.AddSingleton<ISignerAuditSink>(sp =>
{
var auditSink = Substitute.For<ISignerAuditSink>();
auditSink.WriteAsync(
Arg.Any<SigningRequest>(),
Arg.Any<SigningBundle>(),
Arg.Any<ProofOfEntitlementResult>(),
Arg.Any<CallerContext>(),
Arg.Any<CancellationToken>())
.Returns(callInfo => ValueTask.FromResult(Guid.NewGuid().ToString()));
return auditSink;
});
// Register the pipeline
services.AddSingleton<ISignerPipeline, SignerPipeline>();
return services;
}
private static System.Text.Json.JsonDocument GetPredicateForType(string predicateType)
{
return predicateType switch
{
PredicateTypes.StellaOpsPromotion => PredicateFixtures.CreatePromotionPredicate(),
PredicateTypes.StellaOpsSbom => PredicateFixtures.CreateSbomPredicate(),
PredicateTypes.StellaOpsVex => PredicateFixtures.CreateVexPredicate(),
PredicateTypes.StellaOpsReplay => PredicateFixtures.CreateReplayPredicate(),
PredicateTypes.StellaOpsPolicy => PredicateFixtures.CreatePolicyPredicate(),
PredicateTypes.StellaOpsEvidence => PredicateFixtures.CreateEvidencePredicate(),
PredicateTypes.StellaOpsVexDecision => PredicateFixtures.CreateVexDecisionPredicate(),
PredicateTypes.StellaOpsGraph => PredicateFixtures.CreateGraphPredicate(),
_ => PredicateFixtures.CreateSlsaProvenanceV02Predicate()
};
}
}

790
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Integration/TamperedPayloadVerificationTests.cs Normal file
View File

@@ -0,0 +1,790 @@
// -----------------------------------------------------------------------------
// TamperedPayloadVerificationTests.cs
// Sprint: SPRINT_5100_0009_0006 - Signer Module Test Implementation
// Task: SIGNER-5100-016 - Add integration test: tampered payload → verify fails with deterministic error
// Description: Integration tests verifying tampered payloads fail verification with deterministic errors
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using FluentAssertions;
using Xunit;
namespace StellaOps.Signer.Tests.Integration;
/// <summary>
/// Integration tests for tampered payload detection.
/// Validates:
/// - Any modification to signed payload causes verification failure
/// - Tampering detection is deterministic across runs
/// - Error codes/messages are consistent for tampered payloads
/// - Different types of tampering are all detected
/// </summary>
[Trait("Category", "Integration")]
[Trait("Category", "TamperDetection")]
[Trait("Category", "Security")]
public sealed class TamperedPayloadVerificationTests
{
private readonly ITestOutputHelper _output;
// Expected error codes for tampering detection
private const string TamperErrorCode = "SIGNER_SIGNATURE_INVALID";
private const string TamperErrorMessage = "signature verification failed";
public TamperedPayloadVerificationTests(ITestOutputHelper output)
{
_output = output;
}
#region Basic Tampering Tests
[Fact]
public void TamperedPayload_SingleBitFlip_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var originalPayload = CreateCanonicalPayload();
var signature = plugin.Sign(originalPayload);
// Tamper: flip a single bit
var tamperedPayload = (byte[])originalPayload.Clone();
tamperedPayload[tamperedPayload.Length / 2] ^= 0x01;
// Act
var originalVerifies = plugin.Verify(originalPayload, signature);
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
// Assert
originalVerifies.Should().BeTrue("original payload should verify");
tamperedVerifies.Should().BeFalse("tampered payload should NOT verify");
_output.WriteLine("✓ Single bit flip detected");
_output.WriteLine($" Original: verified={originalVerifies}");
_output.WriteLine($" Tampered: verified={tamperedVerifies}");
}
[Fact]
public void TamperedPayload_PrependedByte_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var originalPayload = CreateCanonicalPayload();
var signature = plugin.Sign(originalPayload);
// Tamper: prepend a byte
var tamperedPayload = new byte[originalPayload.Length + 1];
tamperedPayload[0] = 0xFF;
Array.Copy(originalPayload, 0, tamperedPayload, 1, originalPayload.Length);
// Act
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
// Assert
tamperedVerifies.Should().BeFalse("prepended payload should NOT verify");
_output.WriteLine("✓ Prepended byte detected");
}
[Fact]
public void TamperedPayload_AppendedByte_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var originalPayload = CreateCanonicalPayload();
var signature = plugin.Sign(originalPayload);
// Tamper: append a byte
var tamperedPayload = new byte[originalPayload.Length + 1];
Array.Copy(originalPayload, tamperedPayload, originalPayload.Length);
tamperedPayload[^1] = 0xFF;
// Act
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
// Assert
tamperedVerifies.Should().BeFalse("appended payload should NOT verify");
_output.WriteLine("✓ Appended byte detected");
}
[Fact]
public void TamperedPayload_RemovedByte_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var originalPayload = CreateCanonicalPayload();
var signature = plugin.Sign(originalPayload);
// Tamper: remove last byte
var tamperedPayload = originalPayload[..^1];
// Act
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
// Assert
tamperedVerifies.Should().BeFalse("truncated payload should NOT verify");
_output.WriteLine("✓ Removed byte detected");
}
[Fact]
public void TamperedPayload_SwappedBytes_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var originalPayload = CreateCanonicalPayload();
var signature = plugin.Sign(originalPayload);
// Tamper: swap two adjacent bytes
var tamperedPayload = (byte[])originalPayload.Clone();
var midpoint = tamperedPayload.Length / 2;
(tamperedPayload[midpoint], tamperedPayload[midpoint + 1]) =
(tamperedPayload[midpoint + 1], tamperedPayload[midpoint]);
// Act
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
// Assert
tamperedVerifies.Should().BeFalse("byte-swapped payload should NOT verify");
_output.WriteLine("✓ Swapped bytes detected");
}
#endregion
#region JSON Content Tampering Tests
[Fact]
public void TamperedPayload_ModifiedDigest_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var statement = CreateStatement();
var originalPayload = SerializeToCanonical(statement);
var signature = plugin.Sign(originalPayload);
// Tamper: modify the digest
var tamperedStatement = CreateStatementWithModifiedDigest();
var tamperedPayload = SerializeToCanonical(tamperedStatement);
// Act
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
// Assert
tamperedPayload.Should().NotBeEquivalentTo(originalPayload,
"tampered payload should be different");
tamperedVerifies.Should().BeFalse("modified digest should NOT verify");
_output.WriteLine("✓ Modified digest detected");
}
[Fact]
public void TamperedPayload_ModifiedSubjectName_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var statement = CreateStatement();
var originalPayload = SerializeToCanonical(statement);
var signature = plugin.Sign(originalPayload);
// Tamper: modify subject name
var tamperedStatement = CreateStatementWithModifiedSubjectName();
var tamperedPayload = SerializeToCanonical(tamperedStatement);
// Act
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
// Assert
tamperedVerifies.Should().BeFalse("modified subject name should NOT verify");
_output.WriteLine("✓ Modified subject name detected");
}
[Fact]
public void TamperedPayload_ModifiedPredicateType_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var statement = CreateStatement();
var originalPayload = SerializeToCanonical(statement);
var signature = plugin.Sign(originalPayload);
// Tamper: modify predicate type
var tamperedStatement = CreateStatementWithModifiedPredicateType();
var tamperedPayload = SerializeToCanonical(tamperedStatement);
// Act
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
// Assert
tamperedVerifies.Should().BeFalse("modified predicate type should NOT verify");
_output.WriteLine("✓ Modified predicate type detected");
}
[Fact]
public void TamperedPayload_ModifiedPredicateContent_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var statement = CreateStatement();
var originalPayload = SerializeToCanonical(statement);
var signature = plugin.Sign(originalPayload);
// Tamper: modify predicate content
var tamperedStatement = CreateStatementWithModifiedPredicate();
var tamperedPayload = SerializeToCanonical(tamperedStatement);
// Act
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
// Assert
tamperedVerifies.Should().BeFalse("modified predicate should NOT verify");
_output.WriteLine("✓ Modified predicate content detected");
}
[Fact]
public void TamperedPayload_AddedSubject_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var statement = CreateStatement();
var originalPayload = SerializeToCanonical(statement);
var signature = plugin.Sign(originalPayload);
// Tamper: add extra subject
var tamperedStatement = CreateStatementWithAddedSubject();
var tamperedPayload = SerializeToCanonical(tamperedStatement);
// Act
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
// Assert
tamperedVerifies.Should().BeFalse("added subject should NOT verify");
_output.WriteLine("✓ Added subject detected");
}
[Fact]
public void TamperedPayload_RemovedSubject_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var statement = CreateStatementWithMultipleSubjects();
var originalPayload = SerializeToCanonical(statement);
var signature = plugin.Sign(originalPayload);
// Tamper: remove a subject
var tamperedStatement = CreateStatement(); // Single subject version
var tamperedPayload = SerializeToCanonical(tamperedStatement);
// Act
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
// Assert
tamperedVerifies.Should().BeFalse("removed subject should NOT verify");
_output.WriteLine("✓ Removed subject detected");
}
#endregion
#region Deterministic Error Code Tests
[Fact]
public void TamperedPayload_ErrorCode_IsDeterministic()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var originalPayload = CreateCanonicalPayload();
var signature = plugin.Sign(originalPayload);
var tamperedPayload = (byte[])originalPayload.Clone();
tamperedPayload[0] ^= 0xFF;
// Act - verify multiple times
var results = new List<VerificationResult>();
for (int i = 0; i < 10; i++)
{
results.Add(plugin.VerifyWithResult(tamperedPayload, signature));
}
// Assert - all results should be identical
var firstResult = results[0];
results.Should().AllSatisfy(r =>
{
r.Success.Should().Be(firstResult.Success);
r.ErrorCode.Should().Be(firstResult.ErrorCode);
});
_output.WriteLine($"Deterministic error code: {firstResult.ErrorCode}");
_output.WriteLine($"Verified across {results.Count} runs");
}
[Fact]
public void TamperedPayload_ErrorMessage_IsConsistent()
{
// Arrange
var plugins = GetAllPlugins();
var originalPayload = CreateCanonicalPayload();
_output.WriteLine("=== Error Messages for Tampered Payloads ===");
foreach (var plugin in plugins)
{
var signature = plugin.Sign(originalPayload);
var tamperedPayload = (byte[])originalPayload.Clone();
tamperedPayload[0] ^= 0xFF;
// Act
var result = plugin.VerifyWithResult(tamperedPayload, signature);
// Assert
result.Success.Should().BeFalse();
result.ErrorCode.Should().NotBeNullOrEmpty();
result.ErrorMessage.Should().NotBeNullOrEmpty();
_output.WriteLine($" {plugin.Name}:");
_output.WriteLine($" Code: {result.ErrorCode}");
_output.WriteLine($" Message: {result.ErrorMessage}");
}
}
#endregion
#region Multi-Plugin Tampering Tests
[Fact]
public void AllPlugins_DetectTampering()
{
// Arrange
var plugins = GetAllPlugins();
var originalPayload = CreateCanonicalPayload();
_output.WriteLine("=== Tampering Detection Across Plugins ===");
foreach (var plugin in plugins)
{
// Sign original
var signature = plugin.Sign(originalPayload);
// Create tampered version
var tamperedPayload = (byte[])originalPayload.Clone();
tamperedPayload[tamperedPayload.Length / 2] ^= 0x42;
// Verify
var originalVerifies = plugin.Verify(originalPayload, signature);
var tamperedVerifies = plugin.Verify(tamperedPayload, signature);
_output.WriteLine($" {plugin.Name} ({plugin.Algorithm}):");
_output.WriteLine($" Original: {(originalVerifies ? "" : "")}");
_output.WriteLine($" Tampered: {(tamperedVerifies ? " FAIL" : " Detected")}");
// Assert
originalVerifies.Should().BeTrue($"{plugin.Name} should verify original");
tamperedVerifies.Should().BeFalse($"{plugin.Name} should detect tampering");
}
}
#endregion
#region Signature Tampering Tests
[Fact]
public void TamperedSignature_SingleBitFlip_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var payload = CreateCanonicalPayload();
var signature = plugin.Sign(payload);
// Tamper signature
var tamperedSignature = (byte[])signature.Clone();
tamperedSignature[0] ^= 0x01;
// Act
var originalVerifies = plugin.Verify(payload, signature);
var tamperedVerifies = plugin.Verify(payload, tamperedSignature);
// Assert
originalVerifies.Should().BeTrue();
tamperedVerifies.Should().BeFalse("tampered signature should NOT verify");
_output.WriteLine("✓ Tampered signature detected");
}
[Fact]
public void TamperedSignature_Truncated_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var payload = CreateCanonicalPayload();
var signature = plugin.Sign(payload);
// Truncate signature
var truncatedSignature = signature[..^10];
// Act
var tamperedVerifies = plugin.Verify(payload, truncatedSignature);
// Assert
tamperedVerifies.Should().BeFalse("truncated signature should NOT verify");
_output.WriteLine("✓ Truncated signature detected");
}
[Fact]
public void TamperedSignature_Extended_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var payload = CreateCanonicalPayload();
var signature = plugin.Sign(payload);
// Extend signature
var extendedSignature = new byte[signature.Length + 10];
Array.Copy(signature, extendedSignature, signature.Length);
// Act
var tamperedVerifies = plugin.Verify(payload, extendedSignature);
// Assert
tamperedVerifies.Should().BeFalse("extended signature should NOT verify");
_output.WriteLine("✓ Extended signature detected");
}
[Fact]
public void WrongSignature_DifferentPayload_VerificationFails()
{
// Arrange
var plugin = new Ed25519SimPlugin();
var payload1 = CreateCanonicalPayload();
var payload2 = SerializeToCanonical(CreateStatementWithModifiedDigest());
var signature1 = plugin.Sign(payload1);
var signature2 = plugin.Sign(payload2);
// Act - cross verify
var crossVerify1 = plugin.Verify(payload1, signature2);
var crossVerify2 = plugin.Verify(payload2, signature1);
// Assert
crossVerify1.Should().BeFalse("wrong signature should NOT verify");
crossVerify2.Should().BeFalse("wrong signature should NOT verify");
_output.WriteLine("✓ Wrong signature detected (payload/signature mismatch)");
}
#endregion
#region Helper Classes and Methods
private static byte[] CreateCanonicalPayload()
{
return SerializeToCanonical(CreateStatement());
}
private static object CreateStatement()
{
return new
{
_type = "https://in-toto.io/Statement/v0.1",
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string>
{
["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e"
}
}
},
predicateType = "https://example.com/test/v1",
predicate = new { result = "pass" }
};
}
private static object CreateStatementWithModifiedDigest()
{
return new
{
_type = "https://in-toto.io/Statement/v0.1",
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string>
{
["sha256"] = "0000000000000000000000000000000000000000000000000000000000000000" // Modified
}
}
},
predicateType = "https://example.com/test/v1",
predicate = new { result = "pass" }
};
}
private static object CreateStatementWithModifiedSubjectName()
{
return new
{
_type = "https://in-toto.io/Statement/v0.1",
subject = new[]
{
new
{
name = "pkg:npm/malicious@1.0.0", // Modified
digest = new Dictionary<string, string>
{
["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e"
}
}
},
predicateType = "https://example.com/test/v1",
predicate = new { result = "pass" }
};
}
private static object CreateStatementWithModifiedPredicateType()
{
return new
{
_type = "https://in-toto.io/Statement/v0.1",
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string>
{
["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e"
}
}
},
predicateType = "https://malicious.com/attack/v1", // Modified
predicate = new { result = "pass" }
};
}
private static object CreateStatementWithModifiedPredicate()
{
return new
{
_type = "https://in-toto.io/Statement/v0.1",
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string>
{
["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e"
}
}
},
predicateType = "https://example.com/test/v1",
predicate = new { result = "fail" } // Modified
};
}
private static object CreateStatementWithAddedSubject()
{
return new
{
_type = "https://in-toto.io/Statement/v0.1",
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string>
{
["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e"
}
},
new // Added
{
name = "pkg:npm/malicious@1.0.0",
digest = new Dictionary<string, string>
{
["sha256"] = "1111111111111111111111111111111111111111111111111111111111111111"
}
}
},
predicateType = "https://example.com/test/v1",
predicate = new { result = "pass" }
};
}
private static object CreateStatementWithMultipleSubjects()
{
return new
{
_type = "https://in-toto.io/Statement/v0.1",
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string>
{
["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e"
}
},
new
{
name = "pkg:npm/example2@1.0.0",
digest = new Dictionary<string, string>
{
["sha256"] = "5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f"
}
}
},
predicateType = "https://example.com/test/v1",
predicate = new { result = "pass" }
};
}
private static byte[] SerializeToCanonical(object obj)
{
var options = new JsonSerializerOptions
{
PropertyNamingPolicy = null,
WriteIndented = false
};
var json = JsonSerializer.Serialize(obj, options);
return Encoding.UTF8.GetBytes(json);
}
private static List<ITestCryptoPlugin> GetAllPlugins()
{
return new List<ITestCryptoPlugin>
{
new Ed25519SimPlugin(),
new Es256SimPlugin(),
new GostSimPlugin()
};
}
#endregion
#region Test Plugin Implementations
private record VerificationResult(bool Success, string ErrorCode, string ErrorMessage);
private interface ITestCryptoPlugin
{
string Name { get; }
string Algorithm { get; }
byte[] Sign(byte[] payload);
bool Verify(byte[] payload, byte[] signature);
VerificationResult VerifyWithResult(byte[] payload, byte[] signature);
}
private sealed class Ed25519SimPlugin : ITestCryptoPlugin
{
private readonly byte[] _privateKey;
public Ed25519SimPlugin()
{
_privateKey = SHA256.HashData(Encoding.UTF8.GetBytes("ed25519-test-key"));
}
public string Name => "BouncyCastle-Ed25519";
public string Algorithm => "Ed25519";
public byte[] Sign(byte[] payload)
{
using var hmac = new HMACSHA512(_privateKey);
return hmac.ComputeHash(payload);
}
public bool Verify(byte[] payload, byte[] signature)
{
return VerifyWithResult(payload, signature).Success;
}
public VerificationResult VerifyWithResult(byte[] payload, byte[] signature)
{
var expected = Sign(payload);
if (signature.Length != expected.Length)
{
return new VerificationResult(false, TamperErrorCode,
$"{TamperErrorMessage}: signature length mismatch");
}
if (signature.SequenceEqual(expected))
{
return new VerificationResult(true, "", "");
}
return new VerificationResult(false, TamperErrorCode, TamperErrorMessage);
}
}
private sealed class Es256SimPlugin : ITestCryptoPlugin
{
private readonly byte[] _privateKey;
public Es256SimPlugin()
{
_privateKey = SHA256.HashData(Encoding.UTF8.GetBytes("ecdsa-p256-test-key"));
}
public string Name => "eIDAS-ECDSA";
public string Algorithm => "ES256";
public byte[] Sign(byte[] payload)
{
using var hmac = new HMACSHA256(_privateKey);
return hmac.ComputeHash(payload);
}
public bool Verify(byte[] payload, byte[] signature)
{
return VerifyWithResult(payload, signature).Success;
}
public VerificationResult VerifyWithResult(byte[] payload, byte[] signature)
{
var expected = Sign(payload);
if (signature.SequenceEqual(expected))
{
return new VerificationResult(true, "", "");
}
return new VerificationResult(false, TamperErrorCode, TamperErrorMessage);
}
}
private sealed class GostSimPlugin : ITestCryptoPlugin
{
private readonly byte[] _privateKey;
public GostSimPlugin()
{
_privateKey = SHA256.HashData(Encoding.UTF8.GetBytes("gost-test-key"));
}
public string Name => "CryptoPro-GOST";
public string Algorithm => "GOST_R3410_2012_256";
public byte[] Sign(byte[] payload)
{
using var hmac = new HMACSHA256(_privateKey);
return hmac.ComputeHash(payload);
}
public bool Verify(byte[] payload, byte[] signature)
{
return VerifyWithResult(payload, signature).Success;
}
public VerificationResult VerifyWithResult(byte[] payload, byte[] signature)
{
var expected = Sign(payload);
if (signature.SequenceEqual(expected))
{
return new VerificationResult(true, "", "");
}
return new VerificationResult(false, TamperErrorCode, TamperErrorMessage);
}
}
#endregion
}

658
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/KeyManagement/KeyRotationServiceTests.cs Normal file
View File

@@ -0,0 +1,658 @@
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using FluentAssertions;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using NSubstitute;
using StellaOps.Signer.KeyManagement;
using StellaOps.Signer.KeyManagement.EfCore.Context;
using StellaOps.Signer.KeyManagement.Entities;
using Xunit;
namespace StellaOps.Signer.Tests.KeyManagement;
/// <summary>
/// Unit tests for KeyRotationService.
/// Tests tasks PROOF-KEY-0003 through PROOF-KEY-0006.
/// </summary>
public class KeyRotationServiceTests : IDisposable
{
private readonly KeyManagementDbContext _dbContext;
private readonly KeyRotationService _service;
private readonly FakeTimeProvider _timeProvider;
public KeyRotationServiceTests()
{
var options = new DbContextOptionsBuilder<KeyManagementDbContext>()
.UseInMemoryDatabase(databaseName: $"TestDb_{Guid.NewGuid()}")
.Options;
_dbContext = new KeyManagementDbContext(options);
_timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 6, 15, 12, 0, 0, TimeSpan.Zero));
_service = new KeyRotationService(
_dbContext,
NullLogger<KeyRotationService>.Instance,
Options.Create(new KeyRotationOptions
{
DefaultActor = "test-user",
ExpiryWarningDays = 60,
MaxKeyAgeDays = 365,
DeprecatedAlgorithms = ["RSA-2048", "SHA1-RSA"]
}),
_timeProvider);
}
public void Dispose()
{
_dbContext.Dispose();
GC.SuppressFinalize(this);
}
private async Task<TrustAnchorEntity> CreateTestAnchorAsync(
string purlPattern = "pkg:npm/*",
List<string>? allowedKeyIds = null,
List<string>? revokedKeyIds = null)
{
var anchor = new TrustAnchorEntity
{
AnchorId = Guid.NewGuid(),
PurlPattern = purlPattern,
AllowedKeyIds = allowedKeyIds ?? [],
RevokedKeyIds = revokedKeyIds ?? [],
IsActive = true,
CreatedAt = _timeProvider.GetUtcNow(),
UpdatedAt = _timeProvider.GetUtcNow()
};
_dbContext.TrustAnchors.Add(anchor);
await _dbContext.SaveChangesAsync();
return anchor;
}
#region AddKeyAsync Tests (PROOF-KEY-0003)
[Fact]
public async Task AddKeyAsync_NewKey_UpdatesAllowedKeyIds()
{
// Arrange
var anchor = await CreateTestAnchorAsync(allowedKeyIds: ["key-1"]);
// Act
var result = await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-2",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Assert
result.Success.Should().BeTrue();
result.AllowedKeyIds.Should().Contain("key-2");
result.AllowedKeyIds.Should().Contain("key-1");
result.AuditLogId.Should().NotBeNull();
}
[Fact]
public async Task AddKeyAsync_DuplicateKey_ReturnsError()
{
// Arrange
var anchor = await CreateTestAnchorAsync(allowedKeyIds: ["key-1"]);
// Add the key first
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-dup",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Act - try to add same key again
var result = await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-dup",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest2\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Assert
result.Success.Should().BeFalse();
result.ErrorMessage.Should().Contain("already exists");
}
[Fact]
public async Task AddKeyAsync_NonExistentAnchor_ReturnsError()
{
// Act
var result = await _service.AddKeyAsync(Guid.NewGuid(), new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Assert
result.Success.Should().BeFalse();
result.ErrorMessage.Should().Contain("not found");
}
[Fact]
public async Task AddKeyAsync_CreatesKeyHistory()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
// Act
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519",
ExpiresAt = _timeProvider.GetUtcNow().AddDays(365)
});
// Assert
var keyHistory = await _dbContext.KeyHistory
.FirstOrDefaultAsync(k => k.AnchorId == anchor.AnchorId && k.KeyId == "key-1");
keyHistory.Should().NotBeNull();
keyHistory!.Algorithm.Should().Be("Ed25519");
keyHistory.ExpiresAt.Should().NotBeNull();
}
[Fact]
public async Task AddKeyAsync_CreatesAuditLog()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
// Act
var result = await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Assert
var auditLog = await _dbContext.KeyAuditLog
.FirstOrDefaultAsync(a => a.LogId == result.AuditLogId);
auditLog.Should().NotBeNull();
auditLog!.Operation.Should().Be(KeyOperation.Add);
auditLog.KeyId.Should().Be("key-1");
auditLog.Actor.Should().Be("test-user");
}
#endregion
#region RevokeKeyAsync Tests (PROOF-KEY-0004)
[Fact]
public async Task RevokeKeyAsync_ExistingKey_MovesToRevokedKeys()
{
// Arrange
var anchor = await CreateTestAnchorAsync(allowedKeyIds: ["key-1", "key-2"]);
// Add key to history
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Act
var result = await _service.RevokeKeyAsync(anchor.AnchorId, "key-1", new RevokeKeyRequest
{
Reason = "rotation-complete"
});
// Assert
result.Success.Should().BeTrue();
result.AllowedKeyIds.Should().NotContain("key-1");
result.RevokedKeyIds.Should().Contain("key-1");
result.AuditLogId.Should().NotBeNull();
}
[Fact]
public async Task RevokeKeyAsync_AlreadyRevoked_ReturnsError()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
await _service.RevokeKeyAsync(anchor.AnchorId, "key-1", new RevokeKeyRequest
{
Reason = "first-revocation"
});
// Act
var result = await _service.RevokeKeyAsync(anchor.AnchorId, "key-1", new RevokeKeyRequest
{
Reason = "second-revocation"
});
// Assert
result.Success.Should().BeFalse();
result.ErrorMessage.Should().Contain("already revoked");
}
[Fact]
public async Task RevokeKeyAsync_NonExistentKey_ReturnsError()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
// Act
var result = await _service.RevokeKeyAsync(anchor.AnchorId, "non-existent", new RevokeKeyRequest
{
Reason = "test"
});
// Assert
result.Success.Should().BeFalse();
result.ErrorMessage.Should().Contain("not found");
}
[Fact]
public async Task RevokeKeyAsync_SetsRevokedAtTime()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
var effectiveAt = _timeProvider.GetUtcNow().AddDays(7);
// Act
await _service.RevokeKeyAsync(anchor.AnchorId, "key-1", new RevokeKeyRequest
{
Reason = "scheduled-rotation",
EffectiveAt = effectiveAt
});
// Assert
var keyHistory = await _dbContext.KeyHistory
.FirstOrDefaultAsync(k => k.KeyId == "key-1");
keyHistory!.RevokedAt.Should().Be(effectiveAt);
keyHistory.RevokeReason.Should().Be("scheduled-rotation");
}
#endregion
#region CheckKeyValidityAsync Tests (PROOF-KEY-0005)
[Fact]
public async Task CheckKeyValidityAsync_ActiveKey_IsValid()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
var signedAt = _timeProvider.GetUtcNow().AddHours(1);
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-1", signedAt);
// Assert
result.IsValid.Should().BeTrue();
result.Status.Should().Be(KeyStatus.Active);
}
[Fact]
public async Task CheckKeyValidityAsync_RevokedKeyBeforeRevocation_IsValid()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
// Add key at T0
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
var addedAt = _timeProvider.GetUtcNow();
// Advance time and revoke at T+10 days
_timeProvider.Advance(TimeSpan.FromDays(10));
await _service.RevokeKeyAsync(anchor.AnchorId, "key-1", new RevokeKeyRequest
{
Reason = "rotation"
});
// Check validity at T+5 days (before revocation)
var signedAt = addedAt.AddDays(5);
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-1", signedAt);
// Assert
result.IsValid.Should().BeTrue();
result.Status.Should().Be(KeyStatus.Revoked); // Key is revoked now but was valid at signedAt
}
[Fact]
public async Task CheckKeyValidityAsync_RevokedKeyAfterRevocation_IsInvalid()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Revoke immediately
await _service.RevokeKeyAsync(anchor.AnchorId, "key-1", new RevokeKeyRequest
{
Reason = "compromised"
});
// Try to verify signature made after revocation
var signedAt = _timeProvider.GetUtcNow().AddHours(1);
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-1", signedAt);
// Assert
result.IsValid.Should().BeFalse();
result.Status.Should().Be(KeyStatus.Revoked);
result.InvalidReason.Should().Contain("revoked");
}
[Fact]
public async Task CheckKeyValidityAsync_KeyNotYetValid_IsInvalid()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Try to verify signature made before key was added
var signedAt = _timeProvider.GetUtcNow().AddDays(-1);
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-1", signedAt);
// Assert
result.IsValid.Should().BeFalse();
result.Status.Should().Be(KeyStatus.NotYetValid);
}
[Fact]
public async Task CheckKeyValidityAsync_ExpiredKey_IsInvalid()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
var expiresAt = _timeProvider.GetUtcNow().AddDays(30);
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519",
ExpiresAt = expiresAt
});
// Try to verify signature made after expiry
var signedAt = expiresAt.AddDays(1);
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-1", signedAt);
// Assert
result.IsValid.Should().BeFalse();
result.Status.Should().Be(KeyStatus.Expired);
}
[Fact]
public async Task CheckKeyValidityAsync_UnknownKey_IsInvalid()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "unknown-key", _timeProvider.GetUtcNow());
// Assert
result.IsValid.Should().BeFalse();
result.Status.Should().Be(KeyStatus.Unknown);
}
#endregion
#region GetRotationWarningsAsync Tests (PROOF-KEY-0006)
[Fact]
public async Task GetRotationWarningsAsync_ExpiringKey_ReturnsWarning()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
var expiresAt = _timeProvider.GetUtcNow().AddDays(30); // Within 60-day warning window
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "expiring-key",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519",
ExpiresAt = expiresAt
});
// Act
var warnings = await _service.GetRotationWarningsAsync(anchor.AnchorId);
// Assert
warnings.Should().ContainSingle();
warnings[0].KeyId.Should().Be("expiring-key");
warnings[0].WarningType.Should().Be(RotationWarningType.ExpiryApproaching);
warnings[0].CriticalAt.Should().Be(expiresAt);
}
[Fact]
public async Task GetRotationWarningsAsync_ExpiredKey_ReturnsWarning()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
var expiresAt = _timeProvider.GetUtcNow().AddDays(-1); // Already expired
_dbContext.KeyHistory.Add(new KeyHistoryEntity
{
HistoryId = Guid.NewGuid(),
AnchorId = anchor.AnchorId,
KeyId = "expired-key",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519",
AddedAt = _timeProvider.GetUtcNow().AddDays(-30),
ExpiresAt = expiresAt,
CreatedAt = _timeProvider.GetUtcNow().AddDays(-30)
});
await _dbContext.SaveChangesAsync();
// Act
var warnings = await _service.GetRotationWarningsAsync(anchor.AnchorId);
// Assert
warnings.Should().Contain(w => w.KeyId == "expired-key" && w.WarningType == RotationWarningType.ExpiryApproaching);
}
[Fact]
public async Task GetRotationWarningsAsync_LongLivedKey_ReturnsWarning()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
// Key added 400 days ago (exceeds 365-day max)
_dbContext.KeyHistory.Add(new KeyHistoryEntity
{
HistoryId = Guid.NewGuid(),
AnchorId = anchor.AnchorId,
KeyId = "old-key",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519",
AddedAt = _timeProvider.GetUtcNow().AddDays(-400),
CreatedAt = _timeProvider.GetUtcNow().AddDays(-400)
});
await _dbContext.SaveChangesAsync();
// Act
var warnings = await _service.GetRotationWarningsAsync(anchor.AnchorId);
// Assert
warnings.Should().Contain(w => w.KeyId == "old-key" && w.WarningType == RotationWarningType.LongLived);
}
[Fact]
public async Task GetRotationWarningsAsync_DeprecatedAlgorithm_ReturnsWarning()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "weak-key",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "RSA-2048" // Deprecated algorithm
});
// Act
var warnings = await _service.GetRotationWarningsAsync(anchor.AnchorId);
// Assert
warnings.Should().Contain(w => w.KeyId == "weak-key" && w.WarningType == RotationWarningType.AlgorithmDeprecating);
}
[Fact]
public async Task GetRotationWarningsAsync_NoIssues_ReturnsEmpty()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "healthy-key",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519",
ExpiresAt = _timeProvider.GetUtcNow().AddDays(365) // Far in future
});
// Act
var warnings = await _service.GetRotationWarningsAsync(anchor.AnchorId);
// Assert
warnings.Should().BeEmpty();
}
[Fact]
public async Task GetRotationWarningsAsync_RevokedKeys_NotIncluded()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "revoked-key",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "RSA-2048" // Deprecated but revoked
});
await _service.RevokeKeyAsync(anchor.AnchorId, "revoked-key", new RevokeKeyRequest
{
Reason = "rotation"
});
// Act
var warnings = await _service.GetRotationWarningsAsync(anchor.AnchorId);
// Assert
warnings.Should().NotContain(w => w.KeyId == "revoked-key");
}
#endregion
#region GetKeyHistoryAsync Tests
[Fact]
public async Task GetKeyHistoryAsync_ReturnsOrderedHistory()
{
// Arrange
var anchor = await CreateTestAnchorAsync();
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest1\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
_timeProvider.Advance(TimeSpan.FromDays(1));
await _service.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-2",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest2\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Act
var history = await _service.GetKeyHistoryAsync(anchor.AnchorId);
// Assert
history.Should().HaveCount(2);
history[0].KeyId.Should().Be("key-2"); // Most recent first
history[1].KeyId.Should().Be("key-1");
}
#endregion
}
/// <summary>
/// Fake time provider for testing.
/// </summary>
internal sealed class FakeTimeProvider : TimeProvider
{
private DateTimeOffset _now;
public FakeTimeProvider(DateTimeOffset initialTime)
{
_now = initialTime;
}
public override DateTimeOffset GetUtcNow() => _now;
public void Advance(TimeSpan duration) => _now = _now.Add(duration);
public void SetTime(DateTimeOffset time) => _now = time;
}

408
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/KeyManagement/TemporalKeyVerificationTests.cs Normal file
View File

@@ -0,0 +1,408 @@
// -----------------------------------------------------------------------------
// TemporalKeyVerificationTests.cs
// Sprint: SPRINT_0501_0008_0001_proof_chain_key_rotation
// Task: PROOF-KEY-0014 - Temporal verification tests (key valid at time T)
// Description: Tests verifying key validity at specific points in time
// -----------------------------------------------------------------------------
using System;
using System.Threading.Tasks;
using FluentAssertions;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Signer.KeyManagement;
using StellaOps.Signer.KeyManagement.EfCore.Context;
using StellaOps.Signer.KeyManagement.Entities;
using Xunit;
namespace StellaOps.Signer.Tests.KeyManagement;
/// <summary>
/// Temporal key verification tests.
/// Validates that keys are correctly checked for validity at specific points in time.
/// This is critical for verifying historical proofs that were signed before key rotation.
/// </summary>
public class TemporalKeyVerificationTests : IDisposable
{
private readonly KeyManagementDbContext _dbContext;
private readonly KeyRotationService _service;
private readonly FakeTimeProvider _timeProvider;
// Timeline:
// 2024-01-15: key-2024 added
// 2024-06-15: key-2025 added (overlap period begins)
// 2025-01-15: key-2024 revoked (overlap period ends)
// 2025-06-15: current time
private readonly DateTimeOffset _key2024AddedAt = new(2024, 1, 15, 0, 0, 0, TimeSpan.Zero);
private readonly DateTimeOffset _key2025AddedAt = new(2024, 6, 15, 0, 0, 0, TimeSpan.Zero);
private readonly DateTimeOffset _key2024RevokedAt = new(2025, 1, 15, 0, 0, 0, TimeSpan.Zero);
private readonly DateTimeOffset _currentTime = new(2025, 6, 15, 12, 0, 0, TimeSpan.Zero);
public TemporalKeyVerificationTests()
{
var options = new DbContextOptionsBuilder<KeyManagementDbContext>()
.UseInMemoryDatabase(databaseName: $"TemporalTestDb_{Guid.NewGuid()}")
.Options;
_dbContext = new KeyManagementDbContext(options);
_timeProvider = new FakeTimeProvider(_currentTime);
_service = new KeyRotationService(
_dbContext,
NullLogger<KeyRotationService>.Instance,
Options.Create(new KeyRotationOptions
{
DefaultActor = "test-user",
ExpiryWarningDays = 60,
MaxKeyAgeDays = 365,
DeprecatedAlgorithms = ["RSA-2048", "SHA1-RSA"]
}),
_timeProvider);
}
public void Dispose()
{
_dbContext.Dispose();
GC.SuppressFinalize(this);
}
#region Key Lifecycle Timeline Tests
[Fact]
public async Task CheckKeyValidity_KeyNotYetAdded_ReturnsNotYetValid()
{
// Arrange
var anchor = await CreateTestAnchorWithTimelineAsync();
var beforeKeyAdded = _key2024AddedAt.AddDays(-30); // Dec 2023
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", beforeKeyAdded);
// Assert
result.IsValid.Should().BeFalse();
result.Status.Should().Be(KeyStatus.NotYetValid);
result.InvalidReason.Should().Contain("Key was added");
}
[Fact]
public async Task CheckKeyValidity_KeyActiveNoRevocation_ReturnsValid()
{
// Arrange
var anchor = await CreateTestAnchorWithTimelineAsync();
var duringActiveWindow = _key2025AddedAt.AddMonths(1); // July 2024
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2025", duringActiveWindow);
// Assert
result.IsValid.Should().BeTrue();
result.Status.Should().Be(KeyStatus.Active);
result.AddedAt.Should().Be(_key2025AddedAt);
}
[Fact]
public async Task CheckKeyValidity_KeyRevokedButSignedBefore_ReturnsValid()
{
// Arrange - proof was signed during overlap period before key-2024 was revoked
var anchor = await CreateTestAnchorWithTimelineAsync();
var signedDuringOverlap = _key2024RevokedAt.AddDays(-30); // Dec 2024
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", signedDuringOverlap);
// Assert - key-2024 should be valid because signature was made before revocation
result.IsValid.Should().BeTrue();
result.Status.Should().Be(KeyStatus.Revoked);
}
[Fact]
public async Task CheckKeyValidity_KeyRevokedAndSignedAfter_ReturnsRevoked()
{
// Arrange - proof was signed after key-2024 was revoked
var anchor = await CreateTestAnchorWithTimelineAsync();
var signedAfterRevocation = _key2024RevokedAt.AddDays(30); // Feb 2025
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", signedAfterRevocation);
// Assert - key-2024 should be invalid because signature was made after revocation
result.IsValid.Should().BeFalse();
result.Status.Should().Be(KeyStatus.Revoked);
result.RevokedAt.Should().Be(_key2024RevokedAt);
}
[Fact]
public async Task CheckKeyValidity_NewKeyAfterOldRevoked_ReturnsValid()
{
// Arrange - proof was signed with key-2025 after key-2024 was revoked
var anchor = await CreateTestAnchorWithTimelineAsync();
var signedWithNewKey = _key2024RevokedAt.AddDays(30); // Feb 2025
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2025", signedWithNewKey);
// Assert - key-2025 should be valid
result.IsValid.Should().BeTrue();
result.Status.Should().Be(KeyStatus.Active);
result.AddedAt.Should().Be(_key2025AddedAt);
}
#endregion
#region Overlap Period Tests
[Fact]
public async Task CheckKeyValidity_BothKeysValidDuringOverlap_BothReturnValid()
{
// Arrange - during overlap period (Jun 2024 - Jan 2025), both keys should be valid
var anchor = await CreateTestAnchorWithTimelineAsync();
var duringOverlap = new DateTimeOffset(2024, 9, 15, 0, 0, 0, TimeSpan.Zero); // Sep 2024
// Act
var result2024 = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", duringOverlap);
var result2025 = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2025", duringOverlap);
// Assert - both keys should be valid during overlap
result2024.IsValid.Should().BeTrue();
result2024.Status.Should().Be(KeyStatus.Revoked);
result2025.IsValid.Should().BeTrue();
result2025.Status.Should().Be(KeyStatus.Active);
}
[Fact]
public async Task CheckKeyValidity_ExactlyAtRevocationTime_ReturnsRevoked()
{
// Arrange - checking exactly at the moment of revocation
var anchor = await CreateTestAnchorWithTimelineAsync();
// Act - at exact revocation time, key is already revoked
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", _key2024RevokedAt);
// Assert - at revocation time, key should be considered revoked
result.IsValid.Should().BeFalse();
result.Status.Should().Be(KeyStatus.Revoked);
}
[Fact]
public async Task CheckKeyValidity_OneMillisecondBeforeRevocation_ReturnsValid()
{
// Arrange - one millisecond before revocation
var anchor = await CreateTestAnchorWithTimelineAsync();
var justBeforeRevocation = _key2024RevokedAt.AddMilliseconds(-1);
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", justBeforeRevocation);
// Assert - key should still be valid
result.IsValid.Should().BeTrue();
result.Status.Should().Be(KeyStatus.Revoked);
}
#endregion
#region Key Expiry Tests
[Fact]
public async Task CheckKeyValidity_KeyExpiredButSignedBefore_ReturnsValid()
{
// Arrange - key with expiry date
var anchor = await CreateTestAnchorWithExpiringKeyAsync();
var expiryDate = new DateTimeOffset(2025, 3, 1, 0, 0, 0, TimeSpan.Zero);
var signedBeforeExpiry = expiryDate.AddDays(-30); // Feb 2025
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "expiring-key", signedBeforeExpiry);
// Assert - should be valid because signed before expiry
result.IsValid.Should().BeTrue();
result.Status.Should().Be(KeyStatus.Active);
}
[Fact]
public async Task CheckKeyValidity_KeyExpiredAndSignedAfter_ReturnsExpired()
{
// Arrange - key with expiry date
var anchor = await CreateTestAnchorWithExpiringKeyAsync();
var expiryDate = new DateTimeOffset(2025, 3, 1, 0, 0, 0, TimeSpan.Zero);
var signedAfterExpiry = expiryDate.AddDays(30); // April 2025
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "expiring-key", signedAfterExpiry);
// Assert - should be invalid because signed after expiry
result.IsValid.Should().BeFalse();
result.Status.Should().Be(KeyStatus.Expired);
}
#endregion
#region Unknown Key Tests
[Fact]
public async Task CheckKeyValidity_UnknownKey_ReturnsUnknown()
{
// Arrange
var anchor = await CreateTestAnchorWithTimelineAsync();
// Act
var result = await _service.CheckKeyValidityAsync(anchor.AnchorId, "nonexistent-key", _currentTime);
// Assert
result.IsValid.Should().BeFalse();
result.Status.Should().Be(KeyStatus.Unknown);
result.InvalidReason.Should().Contain("not found");
}
[Fact]
public async Task CheckKeyValidity_UnknownAnchor_ThrowsKeyNotFoundException()
{
// Arrange
var unknownAnchorId = Guid.NewGuid();
// Act
var result = await _service.CheckKeyValidityAsync(unknownAnchorId, "any-key", _currentTime);
// Assert
result.IsValid.Should().BeFalse();
result.Status.Should().Be(KeyStatus.Unknown);
}
#endregion
#region Determinism Tests
[Fact]
public async Task CheckKeyValidity_SameInputs_ReturnsSameResult()
{
// Arrange - determinism is critical for audit verification
var anchor = await CreateTestAnchorWithTimelineAsync();
var checkTime = new DateTimeOffset(2024, 9, 15, 10, 30, 45, TimeSpan.Zero);
// Act - call multiple times
var result1 = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", checkTime);
var result2 = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", checkTime);
var result3 = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", checkTime);
// Assert - all results should be identical
result1.Should().BeEquivalentTo(result2);
result2.Should().BeEquivalentTo(result3);
}
[Fact]
public async Task CheckKeyValidity_DifferentTimezones_SameUtcTime_ReturnsSameResult()
{
// Arrange - different timezone representations of same moment
var anchor = await CreateTestAnchorWithTimelineAsync();
var utcTime = new DateTimeOffset(2024, 9, 15, 12, 0, 0, TimeSpan.Zero);
var pstTime = new DateTimeOffset(2024, 9, 15, 4, 0, 0, TimeSpan.FromHours(-8));
var jstTime = new DateTimeOffset(2024, 9, 15, 21, 0, 0, TimeSpan.FromHours(9));
// Act
var resultUtc = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", utcTime);
var resultPst = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", pstTime);
var resultJst = await _service.CheckKeyValidityAsync(anchor.AnchorId, "key-2024", jstTime);
// Assert - all should return same result (same UTC instant)
resultUtc.IsValid.Should().Be(resultPst.IsValid);
resultPst.IsValid.Should().Be(resultJst.IsValid);
resultUtc.Status.Should().Be(resultPst.Status);
resultPst.Status.Should().Be(resultJst.Status);
}
#endregion
#region Helper Methods
private async Task<TrustAnchorEntity> CreateTestAnchorWithTimelineAsync()
{
var anchor = new TrustAnchorEntity
{
AnchorId = Guid.NewGuid(),
PurlPattern = "pkg:npm/*",
AllowedKeyIds = ["key-2024", "key-2025"],
RevokedKeyIds = ["key-2024"],
PolicyVersion = "v1.0.0",
CreatedAt = _key2024AddedAt,
UpdatedAt = _key2024RevokedAt
};
var keyHistory = new[]
{
new KeyHistoryEntity
{
HistoryId = Guid.NewGuid(),
AnchorId = anchor.AnchorId,
KeyId = "key-2024",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest-key-2024\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519",
AddedAt = _key2024AddedAt,
RevokedAt = _key2024RevokedAt,
RevokeReason = "annual-rotation",
CreatedAt = _key2024AddedAt
},
new KeyHistoryEntity
{
HistoryId = Guid.NewGuid(),
AnchorId = anchor.AnchorId,
KeyId = "key-2025",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest-key-2025\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519",
AddedAt = _key2025AddedAt,
RevokedAt = null,
RevokeReason = null,
CreatedAt = _key2025AddedAt
}
};
_dbContext.TrustAnchors.Add(anchor);
_dbContext.KeyHistory.AddRange(keyHistory);
await _dbContext.SaveChangesAsync();
return anchor;
}
private async Task<TrustAnchorEntity> CreateTestAnchorWithExpiringKeyAsync()
{
var anchor = new TrustAnchorEntity
{
AnchorId = Guid.NewGuid(),
PurlPattern = "pkg:pypi/*",
AllowedKeyIds = ["expiring-key"],
RevokedKeyIds = [],
PolicyVersion = "v1.0.0",
CreatedAt = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
UpdatedAt = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero)
};
var keyHistory = new KeyHistoryEntity
{
HistoryId = Guid.NewGuid(),
AnchorId = anchor.AnchorId,
KeyId = "expiring-key",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest-expiring-key\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519",
AddedAt = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
ExpiresAt = new DateTimeOffset(2025, 3, 1, 0, 0, 0, TimeSpan.Zero),
RevokedAt = null,
RevokeReason = null,
CreatedAt = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero)
};
_dbContext.TrustAnchors.Add(anchor);
_dbContext.KeyHistory.Add(keyHistory);
await _dbContext.SaveChangesAsync();
return anchor;
}
#endregion
}
// Note: FakeTimeProvider is defined in KeyRotationServiceTests.cs

506
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/KeyManagement/TrustAnchorManagerTests.cs Normal file
View File

@@ -0,0 +1,506 @@
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using FluentAssertions;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Signer.KeyManagement;
using StellaOps.Signer.KeyManagement.EfCore.Context;
using StellaOps.Signer.KeyManagement.Entities;
using Xunit;
namespace StellaOps.Signer.Tests.KeyManagement;
/// <summary>
/// Tests for TrustAnchorManager and PURL pattern matching.
/// Tests tasks PROOF-KEY-0008 (PURL pattern matching) and PROOF-KEY-0009 (signature verification).
/// </summary>
public class TrustAnchorManagerTests : IDisposable
{
private readonly KeyManagementDbContext _dbContext;
private readonly KeyRotationService _rotationService;
private readonly TrustAnchorManager _manager;
private readonly FakeTimeProvider _timeProvider;
public TrustAnchorManagerTests()
{
var options = new DbContextOptionsBuilder<KeyManagementDbContext>()
.UseInMemoryDatabase(databaseName: $"TestDb_{Guid.NewGuid()}")
.Options;
_dbContext = new KeyManagementDbContext(options);
_timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 6, 15, 12, 0, 0, TimeSpan.Zero));
_rotationService = new KeyRotationService(
_dbContext,
NullLogger<KeyRotationService>.Instance,
Options.Create(new KeyRotationOptions()),
_timeProvider);
_manager = new TrustAnchorManager(
_dbContext,
_rotationService,
NullLogger<TrustAnchorManager>.Instance,
_timeProvider);
}
public void Dispose()
{
_dbContext.Dispose();
GC.SuppressFinalize(this);
}
#region PURL Pattern Matching Tests (PROOF-KEY-0008)
[Theory]
[InlineData("pkg:npm/*", true)]
[InlineData("pkg:maven/org.apache/*", true)]
[InlineData("pkg:npm/lodash", true)]
[InlineData("pkg:pypi/requests@2.28.0", true)]
[InlineData("npm/*", false)] // Missing pkg: prefix
[InlineData("pkg:", false)] // Missing type
[InlineData("", false)]
[InlineData(null, false)]
public void IsValidPattern_ValidatesCorrectly(string? pattern, bool expected)
{
PurlPatternMatcher.IsValidPattern(pattern!).Should().Be(expected);
}
[Theory]
[InlineData("pkg:npm/*", "pkg:npm/lodash@4.17.21", true)]
[InlineData("pkg:npm/*", "pkg:npm/@scope/package@1.0.0", true)]
[InlineData("pkg:npm/*", "pkg:pypi/requests@2.28.0", false)]
[InlineData("pkg:maven/org.apache/*", "pkg:maven/org.apache/commons-lang3@3.12.0", true)]
[InlineData("pkg:maven/org.apache/*", "pkg:maven/com.google/guava@31.0", false)]
[InlineData("pkg:npm/lodash", "pkg:npm/lodash", true)]
[InlineData("pkg:npm/lodash", "pkg:npm/lodash@4.17.21", false)] // Exact match only
[InlineData("pkg:npm/lodash*", "pkg:npm/lodash@4.17.21", true)] // Wildcard at end
public void Matches_EvaluatesCorrectly(string pattern, string purl, bool expected)
{
PurlPatternMatcher.Matches(pattern, purl).Should().Be(expected);
}
[Theory]
[InlineData("pkg:npm/*", 15)] // 2 segments * 10 - 1 wildcard * 5 = 15
[InlineData("pkg:maven/org.apache/*", 25)] // 3 segments * 10 - 1 wildcard * 5 = 25
[InlineData("pkg:npm/lodash", 20)] // 2 segments * 10 - 0 wildcards = 20
[InlineData("*", 5)] // 1 segment * 10 - 1 wildcard * 5 = 5
public void GetSpecificity_CalculatesCorrectly(string pattern, int expectedSpecificity)
{
PurlPatternMatcher.GetSpecificity(pattern).Should().Be(expectedSpecificity);
}
[Fact]
public async Task FindAnchorForPurl_SelectsMostSpecificMatch()
{
// Arrange - Create anchors with different specificity
await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = ["key-npm-general"]
});
await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/@myorg/*",
AllowedKeyIds = ["key-npm-myorg"]
});
await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/@myorg/specific-package*",
AllowedKeyIds = ["key-npm-specific"]
});
// Act & Assert - Most specific should be selected
var result1 = await _manager.FindAnchorForPurlAsync("pkg:npm/lodash@4.17.21");
result1.Should().NotBeNull();
result1!.AllowedKeyIds.Should().Contain("key-npm-general");
var result2 = await _manager.FindAnchorForPurlAsync("pkg:npm/@myorg/other-package@1.0.0");
result2.Should().NotBeNull();
result2!.AllowedKeyIds.Should().Contain("key-npm-myorg");
var result3 = await _manager.FindAnchorForPurlAsync("pkg:npm/@myorg/specific-package@2.0.0");
result3.Should().NotBeNull();
result3!.AllowedKeyIds.Should().Contain("key-npm-specific");
}
[Fact]
public async Task FindAnchorForPurl_NoMatch_ReturnsNull()
{
// Arrange
await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = ["key-1"]
});
// Act
var result = await _manager.FindAnchorForPurlAsync("pkg:maven/org.apache/commons@3.0");
// Assert
result.Should().BeNull();
}
[Fact]
public async Task FindAnchorForPurl_InactiveAnchor_NotReturned()
{
// Arrange
var anchor = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = ["key-1"]
});
await _manager.DeactivateAnchorAsync(anchor.AnchorId);
// Act
var result = await _manager.FindAnchorForPurlAsync("pkg:npm/lodash@4.17.21");
// Assert
result.Should().BeNull();
}
#endregion
#region Signature Verification with Key History Tests (PROOF-KEY-0009)
[Fact]
public async Task VerifySignatureAuthorization_ValidKey_Succeeds()
{
// Arrange
var anchor = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = []
});
await _rotationService.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
var signedAt = _timeProvider.GetUtcNow().AddHours(1);
// Act
var result = await _manager.VerifySignatureAuthorizationAsync(
anchor.AnchorId, "key-1", signedAt);
// Assert
result.IsAuthorized.Should().BeTrue();
result.KeyStatus.Should().Be(KeyStatus.Active);
}
[Fact]
public async Task VerifySignatureAuthorization_RevokedKeyBeforeRevocation_Succeeds()
{
// Arrange
var anchor = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = []
});
await _rotationService.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
var signedAt = _timeProvider.GetUtcNow().AddHours(1);
// Advance time and revoke
_timeProvider.Advance(TimeSpan.FromDays(30));
await _rotationService.RevokeKeyAsync(anchor.AnchorId, "key-1", new RevokeKeyRequest
{
Reason = "rotation"
});
// Act - Verify signature made before revocation
var result = await _manager.VerifySignatureAuthorizationAsync(
anchor.AnchorId, "key-1", signedAt);
// Assert - Should succeed because signature was made before revocation
result.IsAuthorized.Should().BeTrue();
result.KeyStatus.Should().Be(KeyStatus.Revoked); // Key is revoked now
}
[Fact]
public async Task VerifySignatureAuthorization_RevokedKeyAfterRevocation_Fails()
{
// Arrange
var anchor = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = []
});
await _rotationService.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Revoke immediately
await _rotationService.RevokeKeyAsync(anchor.AnchorId, "key-1", new RevokeKeyRequest
{
Reason = "compromised"
});
// Try to verify signature made after revocation
var signedAt = _timeProvider.GetUtcNow().AddHours(1);
// Act
var result = await _manager.VerifySignatureAuthorizationAsync(
anchor.AnchorId, "key-1", signedAt);
// Assert
result.IsAuthorized.Should().BeFalse();
result.KeyStatus.Should().Be(KeyStatus.Revoked);
result.FailureReason.Should().Contain("revoked");
}
[Fact]
public async Task VerifySignatureAuthorization_UnknownKey_Fails()
{
// Arrange
var anchor = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = []
});
// Act
var result = await _manager.VerifySignatureAuthorizationAsync(
anchor.AnchorId, "unknown-key", _timeProvider.GetUtcNow());
// Assert
result.IsAuthorized.Should().BeFalse();
result.KeyStatus.Should().Be(KeyStatus.Unknown);
}
[Fact]
public async Task VerifySignatureAuthorization_PredicateTypeAllowed_Succeeds()
{
// Arrange
var anchor = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = [],
AllowedPredicateTypes = ["evidence.stella/v1", "reasoning.stella/v1"]
});
await _rotationService.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Act
var result = await _manager.VerifySignatureAuthorizationAsync(
anchor.AnchorId, "key-1", _timeProvider.GetUtcNow().AddHours(1), "evidence.stella/v1");
// Assert
result.IsAuthorized.Should().BeTrue();
result.PredicateTypeAllowed.Should().BeTrue();
}
[Fact]
public async Task VerifySignatureAuthorization_PredicateTypeNotAllowed_Fails()
{
// Arrange
var anchor = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = [],
AllowedPredicateTypes = ["evidence.stella/v1"] // Only evidence allowed
});
await _rotationService.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Act
var result = await _manager.VerifySignatureAuthorizationAsync(
anchor.AnchorId, "key-1", _timeProvider.GetUtcNow().AddHours(1), "vex.stella/v1");
// Assert
result.IsAuthorized.Should().BeFalse();
result.PredicateTypeAllowed.Should().BeFalse();
result.FailureReason.Should().Contain("not allowed");
}
[Fact]
public async Task VerifySignatureAuthorization_NoPredicateRestriction_AllAllowed()
{
// Arrange - No AllowedPredicateTypes means all are allowed
var anchor = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = [],
AllowedPredicateTypes = null
});
await _rotationService.AddKeyAsync(anchor.AnchorId, new AddKeyRequest
{
KeyId = "key-1",
PublicKey = "-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----",
Algorithm = "Ed25519"
});
// Act
var result = await _manager.VerifySignatureAuthorizationAsync(
anchor.AnchorId, "key-1", _timeProvider.GetUtcNow().AddHours(1), "any.predicate/v1");
// Assert
result.IsAuthorized.Should().BeTrue();
result.PredicateTypeAllowed.Should().BeTrue();
}
#endregion
#region CRUD Operations Tests
[Fact]
public async Task CreateAnchor_ValidRequest_Succeeds()
{
// Act
var anchor = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = ["key-1", "key-2"],
AllowedPredicateTypes = ["evidence.stella/v1"],
PolicyRef = "policy-001",
PolicyVersion = "v1.0"
});
// Assert
anchor.Should().NotBeNull();
anchor.AnchorId.Should().NotBeEmpty();
anchor.PurlPattern.Should().Be("pkg:npm/*");
anchor.AllowedKeyIds.Should().Contain(["key-1", "key-2"]);
anchor.AllowedPredicateTypes.Should().Contain("evidence.stella/v1");
anchor.IsActive.Should().BeTrue();
}
[Fact]
public async Task GetAnchor_Exists_ReturnsAnchor()
{
// Arrange
var created = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = ["key-1"]
});
// Act
var anchor = await _manager.GetAnchorAsync(created.AnchorId);
// Assert
anchor.Should().NotBeNull();
anchor!.AnchorId.Should().Be(created.AnchorId);
}
[Fact]
public async Task GetAnchor_NotExists_ReturnsNull()
{
// Act
var anchor = await _manager.GetAnchorAsync(Guid.NewGuid());
// Assert
anchor.Should().BeNull();
}
[Fact]
public async Task UpdateAnchor_ValidRequest_UpdatesFields()
{
// Arrange
var created = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = [],
PolicyVersion = "v1.0"
});
_timeProvider.Advance(TimeSpan.FromMinutes(1));
// Act
var updated = await _manager.UpdateAnchorAsync(created.AnchorId, new UpdateTrustAnchorRequest
{
PolicyVersion = "v2.0",
AllowedPredicateTypes = ["new.predicate/v1"]
});
// Assert
updated.PolicyVersion.Should().Be("v2.0");
updated.AllowedPredicateTypes.Should().Contain("new.predicate/v1");
updated.UpdatedAt.Should().BeAfter(created.CreatedAt);
}
[Fact]
public async Task DeactivateAnchor_SetsInactive()
{
// Arrange
var created = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = []
});
// Act
await _manager.DeactivateAnchorAsync(created.AnchorId);
// Assert
var anchor = await _manager.GetAnchorAsync(created.AnchorId);
anchor!.IsActive.Should().BeFalse();
}
[Fact]
public async Task GetActiveAnchors_ReturnsOnlyActive()
{
// Arrange
var active1 = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:npm/*",
AllowedKeyIds = []
});
var inactive = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:pypi/*",
AllowedKeyIds = []
});
await _manager.DeactivateAnchorAsync(inactive.AnchorId);
var active2 = await _manager.CreateAnchorAsync(new CreateTrustAnchorRequest
{
PurlPattern = "pkg:maven/*",
AllowedKeyIds = []
});
// Act
var anchors = await _manager.GetActiveAnchorsAsync();
// Assert
anchors.Should().HaveCount(2);
anchors.Should().Contain(a => a.AnchorId == active1.AnchorId);
anchors.Should().Contain(a => a.AnchorId == active2.AnchorId);
anchors.Should().NotContain(a => a.AnchorId == inactive.AnchorId);
}
#endregion
}

562
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Keyless/CertificateChainValidatorTests.cs Normal file
View File

@@ -0,0 +1,562 @@
// -----------------------------------------------------------------------------
// CertificateChainValidatorTests.cs
// Sprint: SPRINT_20251226_001_SIGNER_fulcio_keyless_client
// Task: 0016 - Unit tests for Certificate chain validation
// Description: Tests for validating Fulcio certificate chains and identity
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Signer.Keyless;
using Xunit;
namespace StellaOps.Signer.Tests.Keyless;
public sealed class CertificateChainValidatorTests : IDisposable
{
private readonly SignerKeylessOptions _options;
private readonly IOptions<SignerKeylessOptions> _optionsWrapper;
private readonly FakeTimeProvider _timeProvider;
private readonly List<X509Certificate2> _generatedCerts = [];
public CertificateChainValidatorTests()
{
_timeProvider = new FakeTimeProvider(DateTimeOffset.UtcNow);
_options = new SignerKeylessOptions
{
Enabled = true,
Certificate = new CertificateOptions
{
ValidateChain = true,
RequireSct = false,
RootBundlePath = string.Empty,
AdditionalRoots = []
},
Identity = new IdentityOptions
{
ExpectedIssuers = [],
ExpectedSubjectPatterns = []
}
};
_optionsWrapper = Options.Create(_options);
}
public void Dispose()
{
foreach (var cert in _generatedCerts)
{
cert.Dispose();
}
}
[Fact]
public async Task ValidateAsync_ValidChain_ReturnsSuccess()
{
// Arrange
var (root, intermediate, leaf) = CreateValidCertificateChain();
_options.Certificate.AdditionalRoots.Add(ExportToPem(root));
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var result = await validator.ValidateAsync(
leaf.RawData,
[intermediate.RawData]);
// Assert
result.IsValid.Should().BeTrue(result.ErrorMessage ?? "expected chain to be valid");
result.ErrorMessage.Should().BeNull();
}
[Fact]
public async Task ValidateAsync_ExpiredCertificate_ReturnsFailure()
{
// Arrange
var (root, intermediate, leaf) = CreateCertificateChainWithExpiredLeaf();
_options.Certificate.AdditionalRoots.Add(ExportToPem(root));
// Set time to after certificate expiry
_timeProvider.SetUtcNow(DateTimeOffset.UtcNow.AddDays(30));
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var result = await validator.ValidateAsync(
leaf.RawData,
[intermediate.RawData]);
// Assert
result.IsValid.Should().BeFalse();
result.ErrorMessage.Should().Contain("expired");
}
[Fact]
public async Task ValidateAsync_NotYetValidCertificate_ReturnsFailure()
{
// Arrange
var (root, intermediate, leaf) = CreateCertificateChainWithFutureLeaf();
_options.Certificate.AdditionalRoots.Add(ExportToPem(root));
// Set time to before certificate validity
_timeProvider.SetUtcNow(DateTimeOffset.UtcNow.AddDays(-30));
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var result = await validator.ValidateAsync(
leaf.RawData,
[intermediate.RawData]);
// Assert
result.IsValid.Should().BeFalse();
result.ErrorMessage.Should().Contain("not yet valid");
}
[Fact]
public async Task ValidateAsync_UntrustedRoot_ReturnsFailureWhenValidationEnabled()
{
// Arrange - don't add root to trusted roots
var (_, intermediate, leaf) = CreateValidCertificateChain();
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var result = await validator.ValidateAsync(
leaf.RawData,
[intermediate.RawData]);
// Assert
result.IsValid.Should().BeFalse();
result.ErrorMessage.Should().Contain("validation failed");
}
[Fact]
public async Task ValidateAsync_NullLeafCertificate_ThrowsArgumentNullException()
{
// Arrange
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var act = async () => await validator.ValidateAsync(null!, []);
// Assert
await act.Should().ThrowAsync<ArgumentNullException>();
}
[Fact]
public async Task ValidateAsync_NullChain_ThrowsArgumentNullException()
{
// Arrange
var (_, _, leaf) = CreateValidCertificateChain();
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var act = async () => await validator.ValidateAsync(leaf.RawData, null!);
// Assert
await act.Should().ThrowAsync<ArgumentNullException>();
}
[Fact]
public async Task ValidateAsync_InvalidCertificateData_ReturnsFailure()
{
// Arrange
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
var invalidData = new byte[] { 1, 2, 3, 4, 5 };
// Act
var result = await validator.ValidateAsync(invalidData, []);
// Assert
result.IsValid.Should().BeFalse();
result.ErrorMessage.Should().Contain("error");
}
[Fact]
public void ValidateIdentity_ValidCertificate_ReturnsSuccess()
{
// Arrange
var cert = CreateCertificateWithFulcioExtensions("https://test.auth", "test@test.com");
_options.Identity.ExpectedIssuers.Add("https://test.auth");
_options.Identity.ExpectedSubjectPatterns.Add(".*@test\\.com");
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var result = validator.ValidateIdentity(cert);
// Assert
result.IsValid.Should().BeTrue();
result.Issuer.Should().Be("https://test.auth");
}
[Fact]
public void ValidateIdentity_UnexpectedIssuer_ReturnsFailure()
{
// Arrange
var cert = CreateCertificateWithFulcioExtensions("https://untrusted.auth", "test@test.com");
_options.Identity.ExpectedIssuers.Add("https://trusted.auth");
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var result = validator.ValidateIdentity(cert);
// Assert
result.IsValid.Should().BeFalse();
result.ErrorMessage.Should().Contain("not in the expected issuers list");
}
[Fact]
public void ValidateIdentity_SubjectNotMatchingPattern_ReturnsFailure()
{
// Arrange
var cert = CreateCertificateWithFulcioExtensions("https://test.auth", "bad@evil.com");
_options.Identity.ExpectedSubjectPatterns.Add(".*@trusted\\.com");
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var result = validator.ValidateIdentity(cert);
// Assert
result.IsValid.Should().BeFalse();
result.ErrorMessage.Should().Contain("does not match any expected pattern");
}
[Fact]
public void ValidateIdentity_NoExpectedIssuersConfigured_AcceptsAnyIssuer()
{
// Arrange
var cert = CreateCertificateWithFulcioExtensions("https://any.auth", "test@test.com");
// Leave ExpectedIssuers empty
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var result = validator.ValidateIdentity(cert);
// Assert
result.IsValid.Should().BeTrue();
result.Issuer.Should().Be("https://any.auth");
}
[Fact]
public void ValidateIdentity_NoSubjectPatternsConfigured_AcceptsAnySubject()
{
// Arrange
var cert = CreateCertificateWithFulcioExtensions("https://test.auth", "any@any.com");
// Leave ExpectedSubjectPatterns empty
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var result = validator.ValidateIdentity(cert);
// Assert
result.IsValid.Should().BeTrue();
}
[Fact]
public void ValidateIdentity_NullCertificate_ThrowsArgumentNullException()
{
// Arrange
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
Action act = () => validator.ValidateIdentity(null!);
// Assert
act.Should().Throw<ArgumentNullException>();
}
[Fact]
public void ValidateIdentity_CertificateWithoutOidcIssuer_ReturnsFailure()
{
// Arrange - create a cert without Fulcio OIDC issuer extension
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(
"CN=Test",
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
var cert = request.CreateSelfSigned(
DateTimeOffset.UtcNow.AddMinutes(-5),
DateTimeOffset.UtcNow.AddMinutes(10));
var validator = new CertificateChainValidator(
_optionsWrapper,
NullLogger<CertificateChainValidator>.Instance,
_timeProvider);
// Act
var result = validator.ValidateIdentity(cert);
// Assert
result.IsValid.Should().BeFalse();
result.ErrorMessage.Should().Contain("OIDC issuer extension");
}
// Helper methods for certificate generation
private (X509Certificate2 Root, X509Certificate2 Intermediate, X509Certificate2 Leaf) CreateValidCertificateChain()
{
// Create CA root
using var rootKey = RSA.Create(2048);
var rootRequest = new CertificateRequest(
"CN=Test Root CA, O=Test",
rootKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
rootRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
rootRequest.CertificateExtensions.Add(new X509KeyUsageExtension(
X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
true));
var root = rootRequest.CreateSelfSigned(
DateTimeOffset.UtcNow.AddYears(-1),
DateTimeOffset.UtcNow.AddYears(10));
_generatedCerts.Add(root);
// Create intermediate
using var intermediateKey = RSA.Create(2048);
var intermediateRequest = new CertificateRequest(
"CN=Test Intermediate CA, O=Test",
intermediateKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
intermediateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
intermediateRequest.CertificateExtensions.Add(new X509KeyUsageExtension(
X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
true));
var intermediateSerial = new byte[16];
RandomNumberGenerator.Fill(intermediateSerial);
var intermediate = intermediateRequest.Create(
root,
DateTimeOffset.UtcNow.AddYears(-1),
DateTimeOffset.UtcNow.AddYears(5),
intermediateSerial);
_generatedCerts.Add(intermediate);
// Create leaf
using var leafKey = RSA.Create(2048);
var leafRequest = new CertificateRequest(
"CN=Test Leaf, O=Test",
leafKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
var leafSerial = new byte[16];
RandomNumberGenerator.Fill(leafSerial);
var leaf = leafRequest.Create(
intermediate.CopyWithPrivateKey(intermediateKey),
DateTimeOffset.UtcNow.AddMinutes(-5),
DateTimeOffset.UtcNow.AddMinutes(10),
leafSerial);
_generatedCerts.Add(leaf);
return (root, intermediate, leaf);
}
private (X509Certificate2 Root, X509Certificate2 Intermediate, X509Certificate2 Leaf) CreateCertificateChainWithExpiredLeaf()
{
using var rootKey = RSA.Create(2048);
var rootRequest = new CertificateRequest(
"CN=Test Root CA, O=Test",
rootKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
rootRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
rootRequest.CertificateExtensions.Add(new X509KeyUsageExtension(
X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
true));
var root = rootRequest.CreateSelfSigned(
DateTimeOffset.UtcNow.AddYears(-1),
DateTimeOffset.UtcNow.AddYears(10));
_generatedCerts.Add(root);
using var intermediateKey = RSA.Create(2048);
var intermediateRequest = new CertificateRequest(
"CN=Test Intermediate CA, O=Test",
intermediateKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
intermediateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
intermediateRequest.CertificateExtensions.Add(new X509KeyUsageExtension(
X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
true));
var intermediateSerial = new byte[16];
RandomNumberGenerator.Fill(intermediateSerial);
var intermediate = intermediateRequest.Create(
root,
DateTimeOffset.UtcNow.AddYears(-1),
DateTimeOffset.UtcNow.AddYears(5),
intermediateSerial);
_generatedCerts.Add(intermediate);
using var leafKey = RSA.Create(2048);
var leafRequest = new CertificateRequest(
"CN=Test Leaf, O=Test",
leafKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
var leafSerial = new byte[16];
RandomNumberGenerator.Fill(leafSerial);
// Expired leaf
var leaf = leafRequest.Create(
intermediate.CopyWithPrivateKey(intermediateKey),
DateTimeOffset.UtcNow.AddDays(-10),
DateTimeOffset.UtcNow.AddDays(-1), // Already expired
leafSerial);
_generatedCerts.Add(leaf);
return (root, intermediate, leaf);
}
private (X509Certificate2 Root, X509Certificate2 Intermediate, X509Certificate2 Leaf) CreateCertificateChainWithFutureLeaf()
{
using var rootKey = RSA.Create(2048);
var rootRequest = new CertificateRequest(
"CN=Test Root CA, O=Test",
rootKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
rootRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
rootRequest.CertificateExtensions.Add(new X509KeyUsageExtension(
X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
true));
var root = rootRequest.CreateSelfSigned(
DateTimeOffset.UtcNow.AddYears(-1),
DateTimeOffset.UtcNow.AddYears(10));
_generatedCerts.Add(root);
using var intermediateKey = RSA.Create(2048);
var intermediateRequest = new CertificateRequest(
"CN=Test Intermediate CA, O=Test",
intermediateKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
intermediateRequest.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
intermediateRequest.CertificateExtensions.Add(new X509KeyUsageExtension(
X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
true));
var intermediateSerial = new byte[16];
RandomNumberGenerator.Fill(intermediateSerial);
var intermediate = intermediateRequest.Create(
root,
DateTimeOffset.UtcNow.AddYears(-1),
DateTimeOffset.UtcNow.AddYears(5),
intermediateSerial);
_generatedCerts.Add(intermediate);
using var leafKey = RSA.Create(2048);
var leafRequest = new CertificateRequest(
"CN=Test Leaf, O=Test",
leafKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
var leafSerial = new byte[16];
RandomNumberGenerator.Fill(leafSerial);
// Future leaf - not yet valid
var leaf = leafRequest.Create(
intermediate.CopyWithPrivateKey(intermediateKey),
DateTimeOffset.UtcNow.AddDays(10), // Starts in the future
DateTimeOffset.UtcNow.AddDays(20),
leafSerial);
_generatedCerts.Add(leaf);
return (root, intermediate, leaf);
}
private X509Certificate2 CreateCertificateWithFulcioExtensions(string issuer, string subject)
{
using var rsa = RSA.Create(2048);
var request = new CertificateRequest(
$"CN={subject}",
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
// Add Fulcio OIDC issuer extension (OID: 1.3.6.1.4.1.57264.1.1)
var issuerOid = new Oid("1.3.6.1.4.1.57264.1.1");
var issuerBytes = System.Text.Encoding.UTF8.GetBytes(issuer);
var issuerExtension = new X509Extension(issuerOid, issuerBytes, false);
request.CertificateExtensions.Add(issuerExtension);
// Add SAN extension with email
var sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddEmailAddress(subject);
request.CertificateExtensions.Add(sanBuilder.Build());
var cert = request.CreateSelfSigned(
DateTimeOffset.UtcNow.AddMinutes(-5),
DateTimeOffset.UtcNow.AddMinutes(10));
_generatedCerts.Add(cert);
return cert;
}
private static string ExportToPem(X509Certificate2 cert)
{
return $"-----BEGIN CERTIFICATE-----\n{Convert.ToBase64String(cert.RawData)}\n-----END CERTIFICATE-----";
}
/// <summary>
/// Fake time provider for testing time-dependent logic.
/// </summary>
private sealed class FakeTimeProvider : TimeProvider
{
private DateTimeOffset _utcNow;
public FakeTimeProvider(DateTimeOffset utcNow)
{
_utcNow = utcNow;
}
public override DateTimeOffset GetUtcNow() => _utcNow;
public void SetUtcNow(DateTimeOffset utcNow) => _utcNow = utcNow;
}
}

247
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Keyless/EphemeralKeyGeneratorTests.cs Normal file
View File

@@ -0,0 +1,247 @@
// -----------------------------------------------------------------------------
// EphemeralKeyGeneratorTests.cs
// Sprint: SPRINT_20251226_001_SIGNER_fulcio_keyless_client
// Task: 0013 - Unit tests for EphemeralKeyGenerator
// Description: Tests for ephemeral key generation and secure disposal
// -----------------------------------------------------------------------------
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Signer.Keyless;
using Xunit;
namespace StellaOps.Signer.Tests.Keyless;
public sealed class EphemeralKeyGeneratorTests
{
private readonly EphemeralKeyGenerator _generator = new(NullLogger<EphemeralKeyGenerator>.Instance);
[Fact]
public void Generate_EcdsaP256_ReturnsValidKeyPair()
{
// Act
using var keyPair = _generator.Generate(KeylessAlgorithms.EcdsaP256);
// Assert
keyPair.Should().NotBeNull();
keyPair.Algorithm.Should().Be(KeylessAlgorithms.EcdsaP256);
keyPair.PublicKey.IsEmpty.Should().BeFalse();
keyPair.CreatedAt.Should().BeCloseTo(DateTimeOffset.UtcNow, TimeSpan.FromSeconds(5));
}
[Fact]
public void Generate_EcdsaP256_ReturnsSpkiPublicKey()
{
// Act
using var keyPair = _generator.Generate(KeylessAlgorithms.EcdsaP256);
// Assert - SPKI format for P-256 is typically 91 bytes
keyPair.PublicKey.Length.Should().BeGreaterThan(60);
}
[Fact]
public void Generate_Ed25519_ThrowsNotImplemented()
{
// Act
var act = () => _generator.Generate(KeylessAlgorithms.Ed25519);
// Assert - Ed25519 is not yet implemented
act.Should().Throw<EphemeralKeyGenerationException>()
.WithMessage("*Ed25519*");
}
[Fact]
public void Generate_UnsupportedAlgorithm_ThrowsException()
{
// Act
var act = () => _generator.Generate("UNSUPPORTED_ALG");
// Assert
act.Should().Throw<EphemeralKeyGenerationException>()
.WithMessage("*UNSUPPORTED_ALG*");
}
[Fact]
public void Generate_MultipleCalls_ReturnsDifferentKeys()
{
// Act
using var keyPair1 = _generator.Generate(KeylessAlgorithms.EcdsaP256);
using var keyPair2 = _generator.Generate(KeylessAlgorithms.EcdsaP256);
// Assert - Each call should generate a unique key pair
keyPair1.PublicKey.ToArray().Should().NotEqual(keyPair2.PublicKey.ToArray());
}
[Fact]
public void Sign_WithEcdsaP256Key_ProducesValidSignature()
{
// Arrange
using var keyPair = _generator.Generate(KeylessAlgorithms.EcdsaP256);
var data = "Test data to sign"u8.ToArray();
// Act
var signature = keyPair.Sign(data);
// Assert
signature.Should().NotBeNullOrEmpty();
signature.Length.Should().BeGreaterThan(0);
}
[Fact]
public void Sign_DifferentData_ProducesDifferentSignatures()
{
// Arrange
using var keyPair = _generator.Generate(KeylessAlgorithms.EcdsaP256);
var data1 = "First message"u8.ToArray();
var data2 = "Second message"u8.ToArray();
// Act
var signature1 = keyPair.Sign(data1);
var signature2 = keyPair.Sign(data2);
// Assert
signature1.Should().NotEqual(signature2);
}
[Fact]
public void Dispose_KeyPair_AllowsPublicKeyAccess()
{
// Arrange
var keyPair = _generator.Generate(KeylessAlgorithms.EcdsaP256);
var publicKeyBefore = keyPair.PublicKey.ToArray();
// Act
keyPair.Dispose();
// Assert - Public key should still be accessible after dispose
keyPair.PublicKey.ToArray().Should().Equal(publicKeyBefore);
}
[Fact]
public void Sign_AfterDispose_ThrowsException()
{
// Arrange
var keyPair = _generator.Generate(KeylessAlgorithms.EcdsaP256);
keyPair.Dispose();
var data = "Test data"u8.ToArray();
// Act
var act = () => keyPair.Sign(data);
// Assert
act.Should().Throw<ObjectDisposedException>();
}
[Fact]
public void Generate_NullAlgorithm_ThrowsException()
{
// Act
var act = () => _generator.Generate(null!);
// Assert
act.Should().Throw<Exception>(); // Either ArgumentNullException or EphemeralKeyGenerationException
}
[Fact]
public void Generate_EmptyAlgorithm_ThrowsException()
{
// Act
var act = () => _generator.Generate(string.Empty);
// Assert
act.Should().Throw<EphemeralKeyGenerationException>();
}
[Fact]
public void Sign_EmptyData_ProducesValidSignature()
{
// Arrange
using var keyPair = _generator.Generate(KeylessAlgorithms.EcdsaP256);
var emptyData = Array.Empty<byte>();
// Act
var signature = keyPair.Sign(emptyData);
// Assert - Should still produce a valid signature
signature.Should().NotBeNullOrEmpty();
}
[Fact]
public void Sign_LargeData_ProducesValidSignature()
{
// Arrange
using var keyPair = _generator.Generate(KeylessAlgorithms.EcdsaP256);
var largeData = new byte[1024 * 1024]; // 1 MB
Random.Shared.NextBytes(largeData);
// Act
var signature = keyPair.Sign(largeData);
// Assert
signature.Should().NotBeNullOrEmpty();
}
[Fact]
public void PrivateKey_AfterDispose_ThrowsException()
{
// Arrange
var keyPair = _generator.Generate(KeylessAlgorithms.EcdsaP256);
keyPair.Dispose();
// Act
Action act = () => _ = keyPair.PrivateKey;
// Assert
act.Should().Throw<ObjectDisposedException>();
}
[Fact]
public void PrivateKey_BeforeDispose_IsAccessible()
{
// Arrange
using var keyPair = _generator.Generate(KeylessAlgorithms.EcdsaP256);
// Act & Assert
keyPair.PrivateKey.IsEmpty.Should().BeFalse();
}
}
/// <summary>
/// Tests for KeylessAlgorithms constants.
/// </summary>
public sealed class KeylessAlgorithmsTests
{
[Fact]
public void EcdsaP256_HasCorrectValue()
{
KeylessAlgorithms.EcdsaP256.Should().Be("ECDSA_P256");
}
[Fact]
public void Ed25519_HasCorrectValue()
{
KeylessAlgorithms.Ed25519.Should().Be("Ed25519");
}
[Fact]
public void IsSupported_ValidAlgorithm_ReturnsTrue()
{
KeylessAlgorithms.IsSupported(KeylessAlgorithms.EcdsaP256).Should().BeTrue();
KeylessAlgorithms.IsSupported(KeylessAlgorithms.Ed25519).Should().BeTrue();
}
[Fact]
public void IsSupported_InvalidAlgorithm_ReturnsFalse()
{
KeylessAlgorithms.IsSupported("RSA_2048").Should().BeFalse();
KeylessAlgorithms.IsSupported("UNKNOWN").Should().BeFalse();
}
[Fact]
public void IsSupported_CaseInsensitive()
{
KeylessAlgorithms.IsSupported("ecdsa_p256").Should().BeTrue();
KeylessAlgorithms.IsSupported("ed25519").Should().BeTrue();
}
}

481
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Keyless/HttpFulcioClientTests.cs Normal file
View File

@@ -0,0 +1,481 @@
// -----------------------------------------------------------------------------
// HttpFulcioClientTests.cs
// Sprint: SPRINT_20251226_001_SIGNER_fulcio_keyless_client
// Task: 0014 - Unit tests for HttpFulcioClient (mocked)
// Description: Tests for HTTP client interactions with Fulcio CA
// -----------------------------------------------------------------------------
using System.Net;
using System.Text.Json;
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using NSubstitute;
using StellaOps.Signer.Keyless;
using Xunit;
namespace StellaOps.Signer.Tests.Keyless;
public sealed class HttpFulcioClientTests
{
private readonly SignerKeylessOptions _options;
private readonly IOptions<SignerKeylessOptions> _optionsWrapper;
public HttpFulcioClientTests()
{
_options = new SignerKeylessOptions
{
Enabled = true,
Fulcio = new FulcioOptions
{
Url = "https://fulcio.test",
Timeout = TimeSpan.FromSeconds(30),
Retries = 3,
BackoffBase = TimeSpan.FromMilliseconds(100),
BackoffMax = TimeSpan.FromSeconds(5)
},
Algorithms = new AlgorithmOptions
{
Preferred = KeylessAlgorithms.EcdsaP256,
Allowed = [KeylessAlgorithms.EcdsaP256, KeylessAlgorithms.Ed25519]
}
};
_optionsWrapper = Options.Create(_options);
}
[Fact]
public async Task GetCertificateAsync_SuccessfulResponse_ReturnsCertificateResult()
{
// Arrange
var handler = new MockHttpMessageHandler(CreateSuccessfulFulcioResponse());
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
// Act
var result = await client.GetCertificateAsync(request);
// Assert
result.Should().NotBeNull();
result.Certificate.Should().NotBeEmpty();
result.CertificateChain.Should().NotBeEmpty();
result.Identity.Should().NotBeNull();
}
[Fact]
public async Task GetCertificateAsync_SuccessfulResponse_ExtractsNotBeforeAndNotAfter()
{
// Arrange
var handler = new MockHttpMessageHandler(CreateSuccessfulFulcioResponse());
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
// Act
var result = await client.GetCertificateAsync(request);
// Assert
result.NotBefore.Should().BeBefore(result.NotAfter);
result.Validity.Should().BeGreaterThan(TimeSpan.Zero);
}
[Fact]
public async Task GetCertificateAsync_BadRequest_ThrowsWithoutRetry()
{
// Arrange
var callCount = 0;
var handler = new MockHttpMessageHandler(_ =>
{
callCount++;
return new HttpResponseMessage(HttpStatusCode.BadRequest)
{
Content = new StringContent("{\"error\": \"Invalid request\"}")
};
});
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
// Act
var act = async () => await client.GetCertificateAsync(request);
// Assert
await act.Should().ThrowAsync<FulcioUnavailableException>()
.Where(e => e.HttpStatus == 400);
callCount.Should().Be(1, "Bad requests should not be retried");
}
[Fact]
public async Task GetCertificateAsync_Unauthorized_ThrowsWithoutRetry()
{
// Arrange
var callCount = 0;
var handler = new MockHttpMessageHandler(_ =>
{
callCount++;
return new HttpResponseMessage(HttpStatusCode.Unauthorized)
{
Content = new StringContent("{\"error\": \"Invalid token\"}")
};
});
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
// Act
var act = async () => await client.GetCertificateAsync(request);
// Assert
await act.Should().ThrowAsync<FulcioUnavailableException>()
.Where(e => e.HttpStatus == 401);
callCount.Should().Be(1, "Unauthorized requests should not be retried");
}
[Fact]
public async Task GetCertificateAsync_Forbidden_ThrowsWithoutRetry()
{
// Arrange
var callCount = 0;
var handler = new MockHttpMessageHandler(_ =>
{
callCount++;
return new HttpResponseMessage(HttpStatusCode.Forbidden)
{
Content = new StringContent("{\"error\": \"Access denied\"}")
};
});
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
// Act
var act = async () => await client.GetCertificateAsync(request);
// Assert
await act.Should().ThrowAsync<FulcioUnavailableException>()
.Where(e => e.HttpStatus == 403);
callCount.Should().Be(1, "Forbidden requests should not be retried");
}
[Fact]
public async Task GetCertificateAsync_ServiceUnavailable_RetriesWithBackoff()
{
// Arrange
var callCount = 0;
var handler = new MockHttpMessageHandler(_ =>
{
callCount++;
if (callCount < 3)
{
return new HttpResponseMessage(HttpStatusCode.ServiceUnavailable)
{
Content = new StringContent("{\"error\": \"Service unavailable\"}")
};
}
return CreateSuccessfulFulcioResponse();
});
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
// Act
var result = await client.GetCertificateAsync(request);
// Assert
result.Should().NotBeNull();
callCount.Should().Be(3, "Should retry until success");
}
[Fact]
public async Task GetCertificateAsync_AllRetriesFail_ThrowsException()
{
// Arrange
var callCount = 0;
var handler = new MockHttpMessageHandler(_ =>
{
callCount++;
return new HttpResponseMessage(HttpStatusCode.ServiceUnavailable)
{
Content = new StringContent("{\"error\": \"Service unavailable\"}")
};
});
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
// Act
var act = async () => await client.GetCertificateAsync(request);
// Assert
await act.Should().ThrowAsync<FulcioUnavailableException>()
.Where(e => e.Message.Contains("after 3 attempts"));
callCount.Should().Be(3, "Should exhaust all retries");
}
[Fact]
public async Task GetCertificateAsync_NetworkError_RetriesWithBackoff()
{
// Arrange
var callCount = 0;
var handler = new MockHttpMessageHandler(_ =>
{
callCount++;
if (callCount < 3)
{
throw new HttpRequestException("Network error");
}
return CreateSuccessfulFulcioResponse();
});
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
// Act
var result = await client.GetCertificateAsync(request);
// Assert
result.Should().NotBeNull();
callCount.Should().Be(3, "Should retry on network errors");
}
[Fact]
public async Task GetCertificateAsync_EmptyResponse_ThrowsException()
{
// Arrange
var handler = new MockHttpMessageHandler(new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent("{}")
});
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
// Act
var act = async () => await client.GetCertificateAsync(request);
// Assert
await act.Should().ThrowAsync<FulcioUnavailableException>()
.Where(e => e.Message.Contains("No certificates"));
}
[Fact]
public async Task GetCertificateAsync_EmptyCertificateChain_ThrowsException()
{
// Arrange
var response = new
{
signedCertificateEmbeddedSct = new
{
chain = new { certificates = Array.Empty<string>() }
}
};
var handler = new MockHttpMessageHandler(new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(JsonSerializer.Serialize(response))
});
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
// Act
var act = async () => await client.GetCertificateAsync(request);
// Assert
await act.Should().ThrowAsync<FulcioUnavailableException>()
.Where(e => e.Message.Contains("Empty certificate chain"));
}
[Fact]
public async Task GetCertificateAsync_CancellationRequested_ThrowsOperationCanceledException()
{
// Arrange
var handler = new MockHttpMessageHandler(async _ =>
{
await Task.Delay(5000);
return CreateSuccessfulFulcioResponse();
});
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
using var cts = new CancellationTokenSource(100);
// Act
var act = async () => await client.GetCertificateAsync(request, cts.Token);
// Assert
await act.Should().ThrowAsync<OperationCanceledException>();
}
[Fact]
public async Task GetCertificateAsync_NullPublicKey_ThrowsArgumentException()
{
// Arrange
var handler = new MockHttpMessageHandler(CreateSuccessfulFulcioResponse());
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = new FulcioCertificateRequest(null!, KeylessAlgorithms.EcdsaP256, "token");
// Act
var act = async () => await client.GetCertificateAsync(request);
// Assert
await act.Should().ThrowAsync<ArgumentException>()
.Where(e => e.Message.Contains("PublicKey"));
}
[Fact]
public async Task GetCertificateAsync_EmptyOidcToken_ThrowsArgumentException()
{
// Arrange
var handler = new MockHttpMessageHandler(CreateSuccessfulFulcioResponse());
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = new FulcioCertificateRequest(
new byte[] { 1, 2, 3 },
KeylessAlgorithms.EcdsaP256,
string.Empty);
// Act
var act = async () => await client.GetCertificateAsync(request);
// Assert
await act.Should().ThrowAsync<ArgumentException>()
.Where(e => e.Message.Contains("OidcIdentityToken"));
}
[Fact]
public async Task GetCertificateAsync_UnsupportedAlgorithm_ThrowsArgumentException()
{
// Arrange
var handler = new MockHttpMessageHandler(CreateSuccessfulFulcioResponse());
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = new FulcioCertificateRequest(
new byte[] { 1, 2, 3 },
"UNSUPPORTED",
"token");
// Act
var act = async () => await client.GetCertificateAsync(request);
// Assert
await act.Should().ThrowAsync<ArgumentException>()
.Where(e => e.Message.Contains("Unsupported algorithm"));
}
[Fact]
public async Task GetCertificateAsync_IncludesSignedCertificateTimestamp()
{
// Arrange
var handler = new MockHttpMessageHandler(CreateSuccessfulFulcioResponse());
var httpClient = new HttpClient(handler) { BaseAddress = new Uri("https://fulcio.test") };
var client = new HttpFulcioClient(httpClient, _optionsWrapper, NullLogger<HttpFulcioClient>.Instance);
var request = CreateValidRequest();
// Act
var result = await client.GetCertificateAsync(request);
// Assert
result.SignedCertificateTimestamp.Should().NotBeNullOrEmpty();
}
// Helper methods
private static FulcioCertificateRequest CreateValidRequest()
{
return new FulcioCertificateRequest(
PublicKey: GenerateTestPublicKey(),
Algorithm: KeylessAlgorithms.EcdsaP256,
OidcIdentityToken: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3Rlc3QuYXV0aCIsInN1YiI6InRlc3RAdGVzdC5jb20iLCJleHAiOjk5OTk5OTk5OTl9.sig");
}
private static byte[] GenerateTestPublicKey()
{
using var ecdsa = System.Security.Cryptography.ECDsa.Create(
System.Security.Cryptography.ECCurve.NamedCurves.nistP256);
return ecdsa.ExportSubjectPublicKeyInfo();
}
private static HttpResponseMessage CreateSuccessfulFulcioResponse()
{
// Generate a real self-signed test certificate for realistic testing
using var rsa = System.Security.Cryptography.RSA.Create(2048);
var request = new System.Security.Cryptography.X509Certificates.CertificateRequest(
"CN=Test Certificate, O=Test Org",
rsa,
System.Security.Cryptography.HashAlgorithmName.SHA256,
System.Security.Cryptography.RSASignaturePadding.Pkcs1);
var cert = request.CreateSelfSigned(
DateTimeOffset.UtcNow.AddMinutes(-5),
DateTimeOffset.UtcNow.AddMinutes(10));
var certPem = $"-----BEGIN CERTIFICATE-----\n{Convert.ToBase64String(cert.RawData)}\n-----END CERTIFICATE-----";
var response = new
{
signedCertificateEmbeddedSct = new
{
chain = new
{
certificates = new[] { certPem, certPem } // Leaf + intermediate
},
sct = "test-sct-value"
}
};
return new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(JsonSerializer.Serialize(response, new JsonSerializerOptions
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
}))
};
}
/// <summary>
/// Mock HTTP message handler for testing.
/// </summary>
private sealed class MockHttpMessageHandler : HttpMessageHandler
{
private readonly Func<HttpRequestMessage, Task<HttpResponseMessage>> _handler;
public MockHttpMessageHandler(HttpResponseMessage response)
: this(_ => Task.FromResult(response))
{
}
public MockHttpMessageHandler(Func<HttpRequestMessage, HttpResponseMessage> handler)
: this(request => Task.FromResult(handler(request)))
{
}
public MockHttpMessageHandler(Func<HttpRequestMessage, Task<HttpResponseMessage>> handler)
{
_handler = handler;
}
protected override Task<HttpResponseMessage> SendAsync(
HttpRequestMessage request,
CancellationToken cancellationToken)
{
cancellationToken.ThrowIfCancellationRequested();
return _handler(request);
}
}
}

401
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Keyless/KeylessDsseSignerTests.cs Normal file
View File

@@ -0,0 +1,401 @@
// -----------------------------------------------------------------------------
// KeylessDsseSignerTests.cs
// Sprint: SPRINT_20251226_001_SIGNER_fulcio_keyless_client
// Task: 0015 - Unit tests for KeylessDsseSigner
// Description: Tests for keyless DSSE signing with Fulcio certificates
// -----------------------------------------------------------------------------
using System.Text.Json;
using FluentAssertions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using NSubstitute;
using StellaOps.Signer.Core;
using StellaOps.Signer.Keyless;
using Xunit;
namespace StellaOps.Signer.Tests.Keyless;
public sealed class KeylessDsseSignerTests : IDisposable
{
private readonly IEphemeralKeyGenerator _keyGenerator;
private readonly IFulcioClient _fulcioClient;
private readonly IOidcTokenProvider _tokenProvider;
private readonly IOptions<SignerKeylessOptions> _options;
private readonly ILogger<KeylessDsseSigner> _logger;
private readonly KeylessDsseSigner _signer;
// Test data
private readonly byte[] _testCertificate;
private readonly byte[][] _testCertChain;
private const string TestOidcToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3Rlc3QuYXV0aCIsInN1YiI6InRlc3RAdGVzdC5jb20iLCJleHAiOjk5OTk5OTk5OTl9.signature";
public KeylessDsseSignerTests()
{
// Generate a self-signed test certificate
_testCertificate = GenerateTestCertificate();
_testCertChain = [GenerateTestCertificate()];
// Use real key generator for realistic tests
_keyGenerator = new EphemeralKeyGenerator(NullLogger<EphemeralKeyGenerator>.Instance);
_fulcioClient = Substitute.For<IFulcioClient>();
_tokenProvider = Substitute.For<IOidcTokenProvider>();
_options = Options.Create(new SignerKeylessOptions
{
Enabled = true,
Algorithms = new AlgorithmOptions
{
Preferred = KeylessAlgorithms.EcdsaP256,
Allowed = [KeylessAlgorithms.EcdsaP256, KeylessAlgorithms.Ed25519]
}
});
_logger = NullLogger<KeylessDsseSigner>.Instance;
// Configure default mock behavior
_tokenProvider.AcquireTokenAsync(Arg.Any<CancellationToken>())
.Returns(new OidcTokenResult
{
IdentityToken = TestOidcToken,
ExpiresAt = DateTimeOffset.UtcNow.AddHours(1),
Subject = "test@test.com",
Email = "test@test.com"
});
_fulcioClient.GetCertificateAsync(Arg.Any<FulcioCertificateRequest>(), Arg.Any<CancellationToken>())
.Returns(new FulcioCertificateResult(
Certificate: _testCertificate,
CertificateChain: _testCertChain,
SignedCertificateTimestamp: "test-sct",
NotBefore: DateTimeOffset.UtcNow.AddMinutes(-1),
NotAfter: DateTimeOffset.UtcNow.AddMinutes(10),
Identity: new FulcioIdentity(
Issuer: "https://test.auth",
Subject: "test@test.com",
SubjectAlternativeName: "test@test.com")));
_signer = new KeylessDsseSigner(
_keyGenerator,
_fulcioClient,
_tokenProvider,
_options,
_logger);
}
public void Dispose()
{
_signer.Dispose();
}
[Fact]
public async Task SignAsync_ValidRequest_ReturnsSigningBundle()
{
// Arrange
var request = CreateTestSigningRequest();
var entitlement = CreateTestEntitlement();
var caller = CreateTestCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Should().NotBeNull();
bundle.Envelope.Should().NotBeNull();
bundle.Envelope.Payload.Should().NotBeNullOrEmpty();
bundle.Envelope.Signatures.Should().HaveCount(1);
bundle.Metadata.Should().NotBeNull();
}
[Fact]
public async Task SignAsync_AcquiresOidcToken()
{
// Arrange
var request = CreateTestSigningRequest();
var entitlement = CreateTestEntitlement();
var caller = CreateTestCallerContext();
// Act
await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
await _tokenProvider.Received(1).AcquireTokenAsync(Arg.Any<CancellationToken>());
}
[Fact]
public async Task SignAsync_RequestsFulcioCertificate()
{
// Arrange
var request = CreateTestSigningRequest();
var entitlement = CreateTestEntitlement();
var caller = CreateTestCallerContext();
// Act
await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
await _fulcioClient.Received(1).GetCertificateAsync(
Arg.Is<FulcioCertificateRequest>(r =>
r.OidcIdentityToken == TestOidcToken &&
r.Algorithm == KeylessAlgorithms.EcdsaP256),
Arg.Any<CancellationToken>());
}
[Fact]
public async Task SignAsync_IncludesCertificateChainInMetadata()
{
// Arrange
var request = CreateTestSigningRequest();
var entitlement = CreateTestEntitlement();
var caller = CreateTestCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Metadata.CertificateChain.Should().NotBeNullOrEmpty();
bundle.Metadata.CertificateChain.Should().HaveCountGreaterThanOrEqualTo(1);
}
[Fact]
public async Task SignAsync_IncludesIdentityInMetadata()
{
// Arrange
var request = CreateTestSigningRequest();
var entitlement = CreateTestEntitlement();
var caller = CreateTestCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Metadata.Identity.Should().NotBeNull();
bundle.Metadata.Identity.Issuer.Should().Be("https://test.auth");
bundle.Metadata.Identity.Subject.Should().Be("test@test.com");
bundle.Metadata.Identity.Mode.Should().Be("keyless");
}
[Fact]
public async Task SignAsync_OidcTokenAcquisitionFails_ThrowsException()
{
// Arrange
_tokenProvider.AcquireTokenAsync(Arg.Any<CancellationToken>())
.Returns<OidcTokenResult>(_ => throw new OidcTokenAcquisitionException(
"https://test.auth", "Token acquisition failed"));
var request = CreateTestSigningRequest();
var entitlement = CreateTestEntitlement();
var caller = CreateTestCallerContext();
// Act
var act = async () => await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
await act.Should().ThrowAsync<OidcTokenAcquisitionException>();
}
[Fact]
public async Task SignAsync_FulcioUnavailable_ThrowsException()
{
// Arrange
_fulcioClient.GetCertificateAsync(Arg.Any<FulcioCertificateRequest>(), Arg.Any<CancellationToken>())
.Returns<FulcioCertificateResult>(_ => throw new FulcioUnavailableException(
"https://fulcio.test", "Service unavailable"));
var request = CreateTestSigningRequest();
var entitlement = CreateTestEntitlement();
var caller = CreateTestCallerContext();
// Act
var act = async () => await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
await act.Should().ThrowAsync<FulcioUnavailableException>();
}
[Fact]
public async Task SignAsync_NullRequest_ThrowsArgumentNullException()
{
// Arrange
var entitlement = CreateTestEntitlement();
var caller = CreateTestCallerContext();
// Act
var act = async () => await _signer.SignAsync(null!, entitlement, caller, CancellationToken.None);
// Assert
await act.Should().ThrowAsync<ArgumentNullException>();
}
[Fact]
public async Task SignAsync_NullEntitlement_ThrowsArgumentNullException()
{
// Arrange
var request = CreateTestSigningRequest();
var caller = CreateTestCallerContext();
// Act
var act = async () => await _signer.SignAsync(request, null!, caller, CancellationToken.None);
// Assert
await act.Should().ThrowAsync<ArgumentNullException>();
}
[Fact]
public async Task SignAsync_NullCaller_ThrowsArgumentNullException()
{
// Arrange
var request = CreateTestSigningRequest();
var entitlement = CreateTestEntitlement();
// Act
var act = async () => await _signer.SignAsync(request, entitlement, null!, CancellationToken.None);
// Assert
await act.Should().ThrowAsync<ArgumentNullException>();
}
[Fact]
public void Algorithm_ReturnsPreferredAlgorithm()
{
// Assert
_signer.Algorithm.Should().Be(KeylessAlgorithms.EcdsaP256);
}
[Fact]
public async Task SignAsync_AfterDispose_ThrowsObjectDisposedException()
{
// Arrange
_signer.Dispose();
var request = CreateTestSigningRequest();
var entitlement = CreateTestEntitlement();
var caller = CreateTestCallerContext();
// Act
var act = async () => await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
await act.Should().ThrowAsync<ObjectDisposedException>();
}
[Fact]
public async Task SignAsync_MultipleSubjects_IncludesAllInStatement()
{
// Arrange
var subjects = new List<SigningSubject>
{
new("artifact1", new Dictionary<string, string> { ["sha256"] = "abc123" }),
new("artifact2", new Dictionary<string, string> { ["sha256"] = "def456" })
};
var predicate = JsonDocument.Parse("""{"verdict": "pass"}""");
var request = new SigningRequest(
Subjects: subjects,
PredicateType: "application/vnd.in-toto+json",
Predicate: predicate,
ScannerImageDigest: "sha256:test",
ProofOfEntitlement: new ProofOfEntitlement(SignerPoEFormat.Jwt, "test-token"),
Options: new SigningOptions(SigningMode.Keyless, null, "full"));
var entitlement = CreateTestEntitlement();
var caller = CreateTestCallerContext();
// Act
var bundle = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Should().NotBeNull();
// The payload should contain both subjects
var payloadJson = Convert.FromBase64String(bundle.Envelope.Payload);
var payload = JsonDocument.Parse(payloadJson);
payload.RootElement.GetProperty("subject").GetArrayLength().Should().Be(2);
}
[Fact]
public async Task SignAsync_CancellationRequested_ThrowsOperationCanceledException()
{
// Arrange
var request = CreateTestSigningRequest();
var entitlement = CreateTestEntitlement();
var caller = CreateTestCallerContext();
using var cts = new CancellationTokenSource();
cts.Cancel();
// Configure mock to respect cancellation
_tokenProvider.AcquireTokenAsync(Arg.Any<CancellationToken>())
.Returns<OidcTokenResult>(_ => throw new OperationCanceledException());
// Act
var act = async () => await _signer.SignAsync(request, entitlement, caller, cts.Token);
// Assert
await act.Should().ThrowAsync<OperationCanceledException>();
}
// Helper methods
private static SigningRequest CreateTestSigningRequest()
{
var predicate = JsonDocument.Parse("""
{
"verdict": "pass",
"gates": [
{"name": "drift-gate", "result": "pass"}
]
}
""");
return new SigningRequest(
Subjects:
[
new SigningSubject("test-artifact", new Dictionary<string, string>
{
["sha256"] = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
})
],
PredicateType: "application/vnd.in-toto+json",
Predicate: predicate,
ScannerImageDigest: "sha256:abc123",
ProofOfEntitlement: new ProofOfEntitlement(SignerPoEFormat.Jwt, "test-poe"),
Options: new SigningOptions(SigningMode.Keyless, null, "full"));
}
private static ProofOfEntitlementResult CreateTestEntitlement()
{
return new ProofOfEntitlementResult(
LicenseId: "test-license",
CustomerId: "test-customer",
Plan: "enterprise",
MaxArtifactBytes: 1000000,
QpsLimit: 100,
QpsRemaining: 50,
ExpiresAtUtc: DateTimeOffset.UtcNow.AddDays(30));
}
private static CallerContext CreateTestCallerContext()
{
return new CallerContext(
Subject: "test@test.com",
Tenant: "test-tenant",
Scopes: ["signer:sign"],
Audiences: ["signer"],
SenderBinding: null,
ClientCertificateThumbprint: null);
}
private static byte[] GenerateTestCertificate()
{
// Generate a minimal self-signed certificate for testing
using var rsa = System.Security.Cryptography.RSA.Create(2048);
var request = new System.Security.Cryptography.X509Certificates.CertificateRequest(
"CN=Test Certificate",
rsa,
System.Security.Cryptography.HashAlgorithmName.SHA256,
System.Security.Cryptography.RSASignaturePadding.Pkcs1);
var cert = request.CreateSelfSigned(
DateTimeOffset.UtcNow.AddMinutes(-5),
DateTimeOffset.UtcNow.AddMinutes(10));
return cert.RawData;
}
}

610
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Keyless/KeylessSigningIntegrationTests.cs Normal file
View File

@@ -0,0 +1,610 @@
// -----------------------------------------------------------------------------
// KeylessSigningIntegrationTests.cs
// Sprint: SPRINT_20251226_001_SIGNER_fulcio_keyless_client
// Tasks: 0017, 0018 - Integration tests for full keyless signing flow
// Description: End-to-end integration tests with mock Fulcio server
// -----------------------------------------------------------------------------
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using FluentAssertions;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using NSubstitute;
using StellaOps.Signer.Core;
using StellaOps.Signer.Keyless;
using Xunit;
namespace StellaOps.Signer.Tests.Keyless;
/// <summary>
/// Integration tests for the full keyless signing flow.
/// Validates the complete pipeline: OIDC token -> Fulcio cert -> DSSE signing.
/// </summary>
public sealed class KeylessSigningIntegrationTests : IDisposable
{
private readonly MockFulcioServer _mockFulcio;
private readonly SignerKeylessOptions _options;
private readonly List<IDisposable> _disposables = [];
public KeylessSigningIntegrationTests()
{
_mockFulcio = new MockFulcioServer();
_options = new SignerKeylessOptions
{
Enabled = true,
Fulcio = new FulcioOptions
{
Url = "https://fulcio.test",
Timeout = TimeSpan.FromSeconds(30),
Retries = 3,
BackoffBase = TimeSpan.FromMilliseconds(10),
BackoffMax = TimeSpan.FromMilliseconds(100)
},
Algorithms = new AlgorithmOptions
{
Preferred = KeylessAlgorithms.EcdsaP256,
Allowed = [KeylessAlgorithms.EcdsaP256, KeylessAlgorithms.Ed25519]
},
Certificate = new CertificateOptions
{
ValidateChain = false, // Disable for tests with self-signed certs
RequireSct = false
},
Identity = new IdentityOptions
{
ExpectedIssuers = [],
ExpectedSubjectPatterns = []
}
};
}
public void Dispose()
{
foreach (var d in _disposables)
d.Dispose();
_mockFulcio.Dispose();
}
[Fact]
public async Task FullKeylessFlow_ValidOidcToken_ProducesDsseBundle()
{
// Arrange
var keyGenerator = new EphemeralKeyGenerator(NullLogger<EphemeralKeyGenerator>.Instance);
var fulcioClient = CreateMockFulcioClient();
var tokenProvider = CreateMockTokenProvider("test@example.com");
var signer = new KeylessDsseSigner(
keyGenerator,
fulcioClient,
tokenProvider,
Options.Create(_options),
NullLogger<KeylessDsseSigner>.Instance);
_disposables.Add(signer);
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
// Act
var bundle = await signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Should().NotBeNull();
bundle.Envelope.Should().NotBeNull();
bundle.Envelope.PayloadType.Should().Be("application/vnd.in-toto+json");
bundle.Envelope.Payload.Should().NotBeNullOrEmpty();
bundle.Envelope.Signatures.Should().HaveCount(1);
bundle.Envelope.Signatures[0].Signature.Should().NotBeNullOrEmpty();
}
[Fact]
public async Task FullKeylessFlow_ProducesValidInTotoStatement()
{
// Arrange
var keyGenerator = new EphemeralKeyGenerator(NullLogger<EphemeralKeyGenerator>.Instance);
var fulcioClient = CreateMockFulcioClient();
var tokenProvider = CreateMockTokenProvider("test@example.com");
var signer = new KeylessDsseSigner(
keyGenerator,
fulcioClient,
tokenProvider,
Options.Create(_options),
NullLogger<KeylessDsseSigner>.Instance);
_disposables.Add(signer);
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
// Act
var bundle = await signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert - decode and validate the in-toto statement
var payloadBytes = Convert.FromBase64String(bundle.Envelope.Payload);
var statement = JsonDocument.Parse(payloadBytes);
statement.RootElement.GetProperty("_type").GetString()
.Should().Be("https://in-toto.io/Statement/v1");
statement.RootElement.GetProperty("subject").GetArrayLength()
.Should().BeGreaterThan(0);
}
[Fact]
public async Task FullKeylessFlow_IncludesCertificateChain()
{
// Arrange
var keyGenerator = new EphemeralKeyGenerator(NullLogger<EphemeralKeyGenerator>.Instance);
var fulcioClient = CreateMockFulcioClient();
var tokenProvider = CreateMockTokenProvider("test@example.com");
var signer = new KeylessDsseSigner(
keyGenerator,
fulcioClient,
tokenProvider,
Options.Create(_options),
NullLogger<KeylessDsseSigner>.Instance);
_disposables.Add(signer);
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
// Act
var bundle = await signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Metadata.CertificateChain.Should().NotBeNullOrEmpty();
bundle.Metadata.CertificateChain.Should().HaveCountGreaterThanOrEqualTo(1);
}
[Fact]
public async Task FullKeylessFlow_IncludesSigningIdentity()
{
// Arrange
var keyGenerator = new EphemeralKeyGenerator(NullLogger<EphemeralKeyGenerator>.Instance);
var fulcioClient = CreateMockFulcioClient();
var tokenProvider = CreateMockTokenProvider("ci@github.com");
var signer = new KeylessDsseSigner(
keyGenerator,
fulcioClient,
tokenProvider,
Options.Create(_options),
NullLogger<KeylessDsseSigner>.Instance);
_disposables.Add(signer);
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
// Act
var bundle = await signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
bundle.Metadata.Identity.Should().NotBeNull();
bundle.Metadata.Identity.Mode.Should().Be("keyless");
bundle.Metadata.Identity.Subject.Should().Be("ci@github.com");
}
[Fact]
public async Task FullKeylessFlow_EachSigningProducesDifferentSignature()
{
// Arrange - ephemeral keys mean different signatures each time
var keyGenerator = new EphemeralKeyGenerator(NullLogger<EphemeralKeyGenerator>.Instance);
var fulcioClient = CreateMockFulcioClient();
var tokenProvider = CreateMockTokenProvider("test@example.com");
var signer = new KeylessDsseSigner(
keyGenerator,
fulcioClient,
tokenProvider,
Options.Create(_options),
NullLogger<KeylessDsseSigner>.Instance);
_disposables.Add(signer);
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
// Act
var bundle1 = await signer.SignAsync(request, entitlement, caller, CancellationToken.None);
var bundle2 = await signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert - different ephemeral keys = different signatures
bundle1.Envelope.Signatures[0].Signature.Should()
.NotBe(bundle2.Envelope.Signatures[0].Signature,
"each signing should use a new ephemeral key");
}
[Fact]
public async Task FullKeylessFlow_FulcioUnavailable_ThrowsException()
{
// Arrange
var keyGenerator = new EphemeralKeyGenerator(NullLogger<EphemeralKeyGenerator>.Instance);
var fulcioClient = Substitute.For<IFulcioClient>();
fulcioClient.GetCertificateAsync(Arg.Any<FulcioCertificateRequest>(), Arg.Any<CancellationToken>())
.Returns<FulcioCertificateResult>(_ => throw new FulcioUnavailableException(
"https://fulcio.test", "Service unavailable"));
var tokenProvider = CreateMockTokenProvider("test@example.com");
var signer = new KeylessDsseSigner(
keyGenerator,
fulcioClient,
tokenProvider,
Options.Create(_options),
NullLogger<KeylessDsseSigner>.Instance);
_disposables.Add(signer);
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
// Act
var act = async () => await signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
await act.Should().ThrowAsync<FulcioUnavailableException>();
}
[Fact]
public async Task FullKeylessFlow_OidcTokenInvalid_ThrowsException()
{
// Arrange
var keyGenerator = new EphemeralKeyGenerator(NullLogger<EphemeralKeyGenerator>.Instance);
var fulcioClient = CreateMockFulcioClient();
var tokenProvider = Substitute.For<IOidcTokenProvider>();
tokenProvider.AcquireTokenAsync(Arg.Any<CancellationToken>())
.Returns<OidcTokenResult>(_ => throw new OidcTokenAcquisitionException(
"https://auth.test", "Token expired"));
var signer = new KeylessDsseSigner(
keyGenerator,
fulcioClient,
tokenProvider,
Options.Create(_options),
NullLogger<KeylessDsseSigner>.Instance);
_disposables.Add(signer);
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
// Act
var act = async () => await signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
await act.Should().ThrowAsync<OidcTokenAcquisitionException>();
}
[Fact]
public async Task SignedBundle_CanBeVerified_WithEmbeddedCertificate()
{
// Arrange
var keyGenerator = new EphemeralKeyGenerator(NullLogger<EphemeralKeyGenerator>.Instance);
var fulcioClient = CreateMockFulcioClient();
var tokenProvider = CreateMockTokenProvider("test@example.com");
var signer = new KeylessDsseSigner(
keyGenerator,
fulcioClient,
tokenProvider,
Options.Create(_options),
NullLogger<KeylessDsseSigner>.Instance);
_disposables.Add(signer);
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
// Act
var bundle = await signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert - the bundle should contain all data needed for verification
bundle.Should().NotBeNull();
bundle.Metadata.CertificateChain.Should().NotBeEmpty(
"bundle must include certificate chain for verification");
bundle.Envelope.Signatures[0].Signature.Should().NotBeNullOrEmpty(
"bundle must include signature");
bundle.Envelope.Payload.Should().NotBeNullOrEmpty(
"bundle must include payload for verification");
// Verify the certificate chain can be parsed
var leafCertBase64 = bundle.Metadata.CertificateChain.First();
var act = () =>
{
var pemContent = Encoding.UTF8.GetString(Convert.FromBase64String(leafCertBase64));
return true;
};
act.Should().NotThrow("certificate should be valid base64");
}
[Fact]
public async Task MultipleSubjects_AllIncludedInStatement()
{
// Arrange
var keyGenerator = new EphemeralKeyGenerator(NullLogger<EphemeralKeyGenerator>.Instance);
var fulcioClient = CreateMockFulcioClient();
var tokenProvider = CreateMockTokenProvider("test@example.com");
var signer = new KeylessDsseSigner(
keyGenerator,
fulcioClient,
tokenProvider,
Options.Create(_options),
NullLogger<KeylessDsseSigner>.Instance);
_disposables.Add(signer);
// Create request with multiple subjects
var subjects = new List<SigningSubject>
{
new("artifact-1", new Dictionary<string, string> { ["sha256"] = "abc123" }),
new("artifact-2", new Dictionary<string, string> { ["sha256"] = "def456" }),
new("artifact-3", new Dictionary<string, string> { ["sha256"] = "ghi789" })
};
var predicate = JsonDocument.Parse("{\"verdict\": \"pass\"}");
var request = new SigningRequest(
Subjects: subjects,
PredicateType: "application/vnd.in-toto+json",
Predicate: predicate,
ScannerImageDigest: "sha256:test",
ProofOfEntitlement: new ProofOfEntitlement(SignerPoEFormat.Jwt, "test"),
Options: new SigningOptions(SigningMode.Keyless, null, "full"));
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
// Act
var bundle = await signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
var payloadBytes = Convert.FromBase64String(bundle.Envelope.Payload);
var statement = JsonDocument.Parse(payloadBytes);
statement.RootElement.GetProperty("subject").GetArrayLength().Should().Be(3);
}
// Helper methods
private IFulcioClient CreateMockFulcioClient()
{
var client = Substitute.For<IFulcioClient>();
client.GetCertificateAsync(Arg.Any<FulcioCertificateRequest>(), Arg.Any<CancellationToken>())
.Returns(callInfo =>
{
var request = callInfo.Arg<FulcioCertificateRequest>();
return _mockFulcio.IssueCertificate(request);
});
return client;
}
private static IOidcTokenProvider CreateMockTokenProvider(string subject)
{
var provider = Substitute.For<IOidcTokenProvider>();
var issuer = "https://test.auth";
provider.AcquireTokenAsync(Arg.Any<CancellationToken>())
.Returns(new OidcTokenResult
{
IdentityToken = CreateOidcToken(subject, issuer),
ExpiresAt = DateTimeOffset.UtcNow.AddHours(1),
Subject = subject,
Email = subject
});
return provider;
}
private static string CreateOidcToken(string subject, string issuer)
{
var header = Base64UrlEncode("{\"typ\":\"JWT\",\"alg\":\"RS256\"}");
var payload = JsonSerializer.Serialize(new
{
iss = issuer,
sub = subject,
email = subject,
exp = 9999999999L
});
var payloadEncoded = Base64UrlEncode(payload);
return $"{header}.{payloadEncoded}.sig";
}
private static string Base64UrlEncode(string value)
{
var bytes = Encoding.UTF8.GetBytes(value);
return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
private static byte[] Base64UrlDecode(string value)
{
var padded = value.Replace('-', '+').Replace('_', '/');
var remainder = padded.Length % 4;
if (remainder == 2)
{
padded += "==";
}
else if (remainder == 3)
{
padded += "=";
}
return Convert.FromBase64String(padded);
}
private static SigningRequest CreateSigningRequest()
{
var predicate = JsonDocument.Parse("""
{
"verdict": "pass",
"gates": [{"name": "drift", "result": "pass"}]
}
""");
return new SigningRequest(
Subjects:
[
new SigningSubject("test-artifact", new Dictionary<string, string>
{
["sha256"] = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
})
],
PredicateType: "application/vnd.in-toto+json",
Predicate: predicate,
ScannerImageDigest: "sha256:abc123",
ProofOfEntitlement: new ProofOfEntitlement(SignerPoEFormat.Jwt, "test-poe"),
Options: new SigningOptions(SigningMode.Keyless, null, "full"));
}
private static ProofOfEntitlementResult CreateEntitlement()
{
return new ProofOfEntitlementResult(
LicenseId: "test-license",
CustomerId: "test-customer",
Plan: "enterprise",
MaxArtifactBytes: 1000000,
QpsLimit: 100,
QpsRemaining: 50,
ExpiresAtUtc: DateTimeOffset.UtcNow.AddDays(30));
}
private static CallerContext CreateCallerContext()
{
return new CallerContext(
Subject: "test@test.com",
Tenant: "test-tenant",
Scopes: ["signer:sign"],
Audiences: ["signer"],
SenderBinding: null,
ClientCertificateThumbprint: null);
}
/// <summary>
/// Mock Fulcio server for integration testing.
/// </summary>
private sealed class MockFulcioServer : IDisposable
{
private readonly X509Certificate2 _rootCa;
private readonly RSA _rootKey;
public MockFulcioServer()
{
_rootKey = RSA.Create(2048);
var request = new CertificateRequest(
"CN=Mock Fulcio Root CA, O=Test",
_rootKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509BasicConstraintsExtension(true, false, 0, true));
_rootCa = request.CreateSelfSigned(
DateTimeOffset.UtcNow.AddYears(-1),
DateTimeOffset.UtcNow.AddYears(10));
}
public FulcioCertificateResult IssueCertificate(FulcioCertificateRequest request)
{
var (issuer, subject) = TryParseOidcIdentity(request.OidcIdentityToken);
var resolvedIssuer = string.IsNullOrWhiteSpace(issuer) ? "https://test.auth" : issuer;
var resolvedSubject = string.IsNullOrWhiteSpace(subject) ? "test@test.com" : subject;
// Create a leaf certificate signed by our mock CA
using var leafKey = RSA.Create(2048);
var leafRequest = new CertificateRequest(
$"CN={resolvedSubject}, O=Test",
leafKey,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
// Add Fulcio OIDC issuer extension
var issuerOid = new Oid("1.3.6.1.4.1.57264.1.1");
var issuerBytes = Encoding.UTF8.GetBytes(resolvedIssuer);
leafRequest.CertificateExtensions.Add(new X509Extension(issuerOid, issuerBytes, false));
var serial = new byte[16];
RandomNumberGenerator.Fill(serial);
var leafCert = leafRequest.Create(
_rootCa,
DateTimeOffset.UtcNow.AddMinutes(-1),
DateTimeOffset.UtcNow.AddMinutes(10),
serial);
var notBefore = new DateTimeOffset(leafCert.NotBefore.ToUniversalTime());
var notAfter = new DateTimeOffset(leafCert.NotAfter.ToUniversalTime());
return new FulcioCertificateResult(
Certificate: leafCert.RawData,
CertificateChain: [_rootCa.RawData],
SignedCertificateTimestamp: "mock-sct",
NotBefore: notBefore,
NotAfter: notAfter,
Identity: new FulcioIdentity(
Issuer: resolvedIssuer,
Subject: resolvedSubject,
SubjectAlternativeName: resolvedSubject));
}
private static (string? Issuer, string? Subject) TryParseOidcIdentity(string token)
{
if (string.IsNullOrWhiteSpace(token))
{
return (null, null);
}
var parts = token.Split('.');
if (parts.Length < 2)
{
return (null, null);
}
try
{
var payloadBytes = Base64UrlDecode(parts[1]);
using var doc = JsonDocument.Parse(payloadBytes);
var root = doc.RootElement;
string? issuer = null;
if (root.TryGetProperty("iss", out var issProp))
{
issuer = issProp.GetString();
}
string? subject = null;
if (root.TryGetProperty("email", out var emailProp))
{
subject = emailProp.GetString();
}
if (string.IsNullOrWhiteSpace(subject) && root.TryGetProperty("sub", out var subProp))
{
subject = subProp.GetString();
}
return (issuer, subject);
}
catch (JsonException)
{
return (null, null);
}
catch (FormatException)
{
return (null, null);
}
}
public void Dispose()
{
_rootCa.Dispose();
_rootKey.Dispose();
}
}
}

751
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Negative/SignerNegativeTests.cs Normal file
View File

@@ -0,0 +1,751 @@
// -----------------------------------------------------------------------------
// SignerNegativeTests.cs
// Sprint: SPRINT_5100_0009_0006 - Signer Module Test Implementation
// Task: SIGNER-5100-014 - Add negative tests: unsupported algorithms, malformed payloads, oversized inputs
// Description: Comprehensive negative tests for Signer WebService
// -----------------------------------------------------------------------------
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text;
using System.Text.Json;
using FluentAssertions;
using Microsoft.AspNetCore.Mvc.Testing;
using StellaOps.Signer.Tests.Fixtures;
using Xunit;
namespace StellaOps.Signer.Tests.Negative;
/// <summary>
/// Negative tests for Signer WebService.
/// Validates:
/// - Unsupported algorithm rejection with clear error codes
/// - Malformed payload handling with deterministic errors
/// - Oversized input rejection with appropriate limits
/// - Invalid request structure handling
/// </summary>
[Trait("Category", "Negative")]
[Trait("Category", "ErrorHandling")]
[Trait("Category", "W1")]
public sealed class SignerNegativeTests : IClassFixture<WebApplicationFactory<Program>>
{
private readonly WebApplicationFactory<Program> _factory;
private readonly ITestOutputHelper _output;
// Size limits for testing
private const int MaxPayloadSizeBytes = 10 * 1024 * 1024; // 10 MB
private const int MaxSubjectCount = 1000;
public SignerNegativeTests(WebApplicationFactory<Program> factory, ITestOutputHelper output)
{
_factory = factory;
_output = output;
}
#region Unsupported Algorithm Tests
[Theory]
[InlineData("MD5")]
[InlineData("SHA1")]
[InlineData("DSA")]
[InlineData("RSA-PKCS1")]
[InlineData("unknown-algorithm")]
[InlineData("FOOBAR256")]
public async Task SignDsse_UnsupportedSigningMode_Returns400WithErrorCode(string algorithm)
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[] { CreateValidSubject() },
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
poe = CreateValidPoe(),
options = new { signingMode = algorithm }
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
var content = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Algorithm '{algorithm}': {response.StatusCode}");
_output.WriteLine($"Response: {content}");
content.Should().Contain("signing_mode_invalid", "error message should reference the signing mode");
}
[Fact]
public async Task SignDsse_NullAlgorithm_UsesDefault()
{
// Arrange - when algorithm is not specified, should use default
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[] { CreateValidSubject() },
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
poe = CreateValidPoe()
// No algorithm specified - should use default
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert - should not fail due to missing algorithm (400 is ok for other reasons)
_output.WriteLine($"No algorithm specified: {response.StatusCode}");
// If we get 400, it should NOT be about the algorithm
if (response.StatusCode == HttpStatusCode.BadRequest)
{
var content = await response.Content.ReadAsStringAsync();
content.Should().NotContain("unsupported algorithm",
"missing algorithm should use default, not fail");
}
}
#endregion
#region Malformed Payload Tests
[Fact]
public async Task SignDsse_EmptyBody_Returns400()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = new StringContent("", Encoding.UTF8, "application/json")
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
_output.WriteLine($"Empty body: {response.StatusCode}");
}
[Fact]
public async Task SignDsse_InvalidJson_Returns400()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = new StringContent("{invalid json", Encoding.UTF8, "application/json")
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
var content = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Invalid JSON: {response.StatusCode}");
_output.WriteLine($"Response: {content}");
}
[Fact]
public async Task SignDsse_MissingSubject_Returns400WithFieldError()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
poe = CreateValidPoe()
// Missing 'subject' field
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
var content = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Missing subject: {response.StatusCode}");
_output.WriteLine($"Response: {content}");
content.ToLower().Should().Contain("subject", "error should mention missing subject field");
}
[Fact]
public async Task SignDsse_EmptySubjectArray_Returns400()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = Array.Empty<object>(), // Empty array
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
poe = CreateValidPoe()
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
var content = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Empty subject array: {response.StatusCode}");
_output.WriteLine($"Response: {content}");
}
[Fact]
public async Task SignDsse_SubjectMissingName_Returns400()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
// Missing 'name'
digest = new Dictionary<string, string> { ["sha256"] = "abc123" }
}
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
poe = CreateValidPoe()
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
var content = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Subject missing name: {response.StatusCode}");
_output.WriteLine($"Response: {content}");
}
[Fact]
public async Task SignDsse_SubjectMissingDigest_Returns400()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0"
// Missing 'digest'
}
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
poe = CreateValidPoe()
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
var content = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Subject missing digest: {response.StatusCode}");
_output.WriteLine($"Response: {content}");
}
[Theory]
[InlineData("not-a-valid-purl")]
[InlineData("http://example.com/not-a-purl")]
[InlineData("pkg:")]
[InlineData("pkg:invalid")]
public async Task SignDsse_InvalidPurl_Returns400(string invalidPurl)
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = invalidPurl,
digest = new Dictionary<string, string> { ["sha256"] = "abc123" }
}
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
poe = CreateValidPoe()
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert - may or may not validate PURL format
_output.WriteLine($"Invalid PURL '{invalidPurl}': {response.StatusCode}");
if (response.StatusCode == HttpStatusCode.BadRequest)
{
var content = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Response: {content}");
}
}
[Theory]
[InlineData("md5", "d41d8cd98f00b204e9800998ecf8427e")] // MD5 is insecure
[InlineData("sha1", "da39a3ee5e6b4b0d3255bfef95601890afd80709")] // SHA1 is deprecated
public async Task SignDsse_InsecureDigestAlgorithm_Returns400(string algorithm, string hash)
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string> { [algorithm] = hash }
}
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
poe = CreateValidPoe()
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert
_output.WriteLine($"Insecure digest algorithm '{algorithm}': {response.StatusCode}");
if (response.StatusCode == HttpStatusCode.BadRequest)
{
var content = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Response: {content}");
content.ToLower().Should().ContainAny(
"algorithm", "digest", "insecure", "deprecated", "sha256");
}
}
[Fact]
public async Task SignDsse_MissingPredicateType_Returns400()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[] { CreateValidSubject() },
// Missing predicateType
predicate = new { result = "pass" },
poe = CreateValidPoe()
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
var content = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Missing predicateType: {response.StatusCode}");
_output.WriteLine($"Response: {content}");
}
#endregion
#region Oversized Input Tests
[Fact]
public async Task SignDsse_OversizedPayload_Returns413OrRejects()
{
// Arrange - Create a large payload that exceeds reasonable limits
var largePayload = new string('x', MaxPayloadSizeBytes + 1);
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[] { CreateValidSubject() },
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { data = largePayload },
poe = CreateValidPoe()
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert - should be either 413 (Payload Too Large) or 400 (Bad Request)
response.StatusCode.Should().BeOneOf(
HttpStatusCode.RequestEntityTooLarge,
HttpStatusCode.BadRequest);
_output.WriteLine($"Oversized payload (~{MaxPayloadSizeBytes / 1024 / 1024}+ MB): {response.StatusCode}");
}
[Fact]
public async Task SignDsse_TooManySubjects_Returns400()
{
// Arrange - Create request with many subjects
var subjects = Enumerable.Range(0, MaxSubjectCount + 1)
.Select(i => new
{
name = $"pkg:npm/example-{i}@1.0.0",
digest = new Dictionary<string, string> { ["sha256"] = $"{i:x64}" }
})
.ToArray();
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = subjects,
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
poe = CreateValidPoe()
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert - should be rejected or limited
_output.WriteLine($"Too many subjects ({MaxSubjectCount + 1}): {response.StatusCode}");
if (response.StatusCode == HttpStatusCode.BadRequest)
{
var content = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Response: {content.Substring(0, Math.Min(500, content.Length))}...");
}
}
[Fact]
public async Task SignDsse_VeryLongSubjectName_Returns400()
{
// Arrange
var longName = "pkg:npm/" + new string('a', 65536) + "@1.0.0"; // 64KB name
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = longName,
digest = new Dictionary<string, string> { ["sha256"] = "abc123" }
}
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
poe = CreateValidPoe()
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.BadRequest,
HttpStatusCode.RequestEntityTooLarge);
_output.WriteLine($"Very long subject name (64KB): {response.StatusCode}");
}
[Fact]
public async Task SignDsse_DeeplyNestedPredicate_HandledGracefully()
{
// Arrange - Create deeply nested JSON
var nested = BuildNestedObject(100);
var client = _factory.CreateClient();
var jsonOptions = new JsonSerializerOptions { MaxDepth = 256 };
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[] { CreateValidSubject() },
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = nested,
poe = CreateValidPoe()
}, options: jsonOptions)
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert - should be handled (either accepted or rejected gracefully)
_output.WriteLine($"Deeply nested predicate (100 levels): {response.StatusCode}");
// Should not be 500 (server error)
response.StatusCode.Should().NotBe(HttpStatusCode.InternalServerError);
}
#endregion
#region Invalid Request Structure Tests
[Fact]
public async Task SignDsse_WrongContentType_Returns415()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = new StringContent("{}", Encoding.UTF8, "text/plain")
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert - should be 415 (Unsupported Media Type) or 400
response.StatusCode.Should().BeOneOf(
HttpStatusCode.UnsupportedMediaType,
HttpStatusCode.BadRequest);
_output.WriteLine($"Wrong content type (text/plain): {response.StatusCode}");
}
[Fact]
public async Task SignDsse_XmlPayload_Returns400()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = new StringContent("<request><subject/></request>", Encoding.UTF8, "application/xml")
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.UnsupportedMediaType,
HttpStatusCode.BadRequest);
_output.WriteLine($"XML payload: {response.StatusCode}");
}
[Fact]
public async Task SignDsse_NullBody_Returns400()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = new StringContent("null", Encoding.UTF8, "application/json")
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
_output.WriteLine($"Null JSON body: {response.StatusCode}");
}
[Fact]
public async Task SignDsse_ArrayBody_Returns400()
{
// Arrange - JSON array instead of object
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = new StringContent("[1,2,3]", Encoding.UTF8, "application/json")
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
_output.WriteLine($"Array JSON body: {response.StatusCode}");
}
#endregion
#region Error Response Format Tests
[Fact]
public async Task SignDsse_Error_ReturnsStructuredErrorResponse()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new { invalid = "request" })
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
var content = await response.Content.ReadAsStringAsync();
_output.WriteLine($"Error response: {content}");
// Error response should be valid JSON
Action parseJson = () => JsonDocument.Parse(content);
parseJson.Should().NotThrow("error response should be valid JSON");
// Should have consistent structure
using var doc = JsonDocument.Parse(content);
var root = doc.RootElement;
// Check for common error response fields
var hasErrorField = root.TryGetProperty("error", out _) ||
root.TryGetProperty("errors", out _) ||
root.TryGetProperty("title", out _) ||
root.TryGetProperty("message", out _);
hasErrorField.Should().BeTrue("error response should have error information");
}
[Fact]
public async Task SignDsse_Error_ResponseIncludesRequestId()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new { invalid = "request" })
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("X-Request-ID", "test-request-123");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
// Check for request ID in response
if (response.Headers.TryGetValues("X-Request-ID", out var requestIds))
{
_output.WriteLine($"Request ID in response: {string.Join(", ", requestIds)}");
requestIds.Should().Contain("test-request-123");
}
else
{
_output.WriteLine(" X-Request-ID not echoed in response headers");
}
}
#endregion
#region Helper Methods
private static object CreateValidSubject()
{
return new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string>
{
["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e"
}
};
}
private static object BuildNestedObject(int depth)
{
if (depth <= 0)
{
return "leaf";
}
return new Dictionary<string, object>
{
["level"] = depth,
["nested"] = BuildNestedObject(depth - 1)
};
}
private static object CreateValidPoe()
{
return new
{
format = "jwt",
value = "valid-poe"
};
}
#endregion
}

389
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Observability/SignerOTelTraceTests.cs Normal file
View File

@@ -0,0 +1,389 @@
// -----------------------------------------------------------------------------
// SignerOTelTraceTests.cs
// Sprint: SPRINT_5100_0009_0006 - Signer Module Test Implementation
// Task: SIGNER-5100-013 - Add OTel trace assertions (verify key_id, algorithm, signature_id tags)
// Description: OpenTelemetry trace assertion tests for Signer WebService
// -----------------------------------------------------------------------------
using System.Diagnostics;
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using FluentAssertions;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;
namespace StellaOps.Signer.Tests.Observability;
/// <summary>
/// OpenTelemetry trace assertion tests for Signer WebService.
/// Validates:
/// - Traces are created for signing operations
/// - Traces include key_id, algorithm, signature_id attributes
/// - Error spans record exception details
/// - Semantic conventions are followed
/// </summary>
[Trait("Category", "OTel")]
[Trait("Category", "Observability")]
[Trait("Category", "W1")]
public sealed class SignerOTelTraceTests : IClassFixture<WebApplicationFactory<Program>>
{
private readonly WebApplicationFactory<Program> _factory;
private readonly ITestOutputHelper _output;
public SignerOTelTraceTests(WebApplicationFactory<Program> factory, ITestOutputHelper output)
{
_factory = factory;
_output = output;
}
#region Trace Creation Tests
[Fact]
public async Task SignDsse_CreatesRequestTrace()
{
// Arrange
var collectedActivities = new List<Activity>();
using var listener = new ActivityListener
{
ShouldListenTo = source => source.Name.Contains("Signer") ||
source.Name.Contains("StellaOps") ||
source.Name.Contains("Microsoft.AspNetCore"),
Sample = (ref ActivityCreationOptions<ActivityContext> _) => ActivitySamplingResult.AllDataAndRecorded,
ActivityStarted = activity => collectedActivities.Add(activity)
};
ActivitySource.AddActivityListener(listener);
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert
// Allow some time for traces to be recorded
await Task.Delay(100);
_output.WriteLine($"Response status: {response.StatusCode}");
_output.WriteLine($"Activities collected: {collectedActivities.Count}");
foreach (var activity in collectedActivities)
{
_output.WriteLine($" - {activity.DisplayName} ({activity.Source.Name})");
foreach (var tag in activity.Tags)
{
_output.WriteLine($" {tag.Key}: {tag.Value}");
}
}
// At minimum, we should have HTTP request activity
collectedActivities.Should().NotBeEmpty("request should create at least one activity");
_output.WriteLine("✓ Request creates trace activities");
}
#endregion
#region Signer-Specific Attribute Tests
[Fact]
public async Task SignDsse_TraceMayIncludeKeyId()
{
// Arrange
var collectedActivities = new List<Activity>();
using var listener = new ActivityListener
{
ShouldListenTo = source => source.Name.Contains("Signer") || source.Name.Contains("Crypto"),
Sample = (ref ActivityCreationOptions<ActivityContext> _) => ActivitySamplingResult.AllDataAndRecorded,
ActivityStarted = activity => collectedActivities.Add(activity)
};
ActivitySource.AddActivityListener(listener);
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
await Task.Delay(100);
// Assert - look for signing-related attributes
var signingActivities = collectedActivities
.Where(a => a.Tags.Any(t =>
t.Key.Contains("key") ||
t.Key.Contains("algorithm") ||
t.Key.Contains("signer")))
.ToList();
if (signingActivities.Any())
{
foreach (var activity in signingActivities)
{
_output.WriteLine($"Signing activity: {activity.DisplayName}");
foreach (var tag in activity.Tags)
{
_output.WriteLine($" {tag.Key}: {tag.Value}");
}
}
_output.WriteLine("✓ Signing trace includes key/algorithm attributes");
}
else
{
_output.WriteLine(" No signing-specific activities captured (may be internal)");
}
}
[Fact]
public async Task SignDsse_ExpectedAttributes()
{
// Document the expected attributes that SHOULD be present
// These are the semantic conventions for signing operations
var expectedAttributes = new[]
{
"signer.key_id",
"signer.algorithm",
"signer.signature_id",
"signer.subject_count",
"signer.predicate_type",
"signer.signing_mode"
};
_output.WriteLine("=== Expected Signer Trace Attributes (Semantic Conventions) ===");
foreach (var attr in expectedAttributes)
{
_output.WriteLine($" - {attr}");
}
_output.WriteLine("");
_output.WriteLine("Standard HTTP attributes:");
_output.WriteLine(" - http.method");
_output.WriteLine(" - http.url");
_output.WriteLine(" - http.status_code");
_output.WriteLine(" - http.request_content_length");
_output.WriteLine("");
_output.WriteLine("Error attributes (on failure):");
_output.WriteLine(" - exception.type");
_output.WriteLine(" - exception.message");
_output.WriteLine(" - otel.status_code = ERROR");
expectedAttributes.Should().NotBeEmpty();
}
#endregion
#region Error Trace Tests
[Fact]
public async Task SignDsse_Error_RecordsExceptionInTrace()
{
// Arrange
var collectedActivities = new List<Activity>();
using var listener = new ActivityListener
{
ShouldListenTo = source => true,
Sample = (ref ActivityCreationOptions<ActivityContext> _) => ActivitySamplingResult.AllDataAndRecorded,
ActivityStarted = activity => collectedActivities.Add(activity),
ActivityStopped = activity =>
{
// Capture on stop to ensure all tags are present
}
};
ActivitySource.AddActivityListener(listener);
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new { invalid = "request" })
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
await Task.Delay(100);
// Assert
response.IsSuccessStatusCode.Should().BeFalse();
// Look for error indicators in activities
var errorActivities = collectedActivities
.Where(a =>
a.Status == ActivityStatusCode.Error ||
a.Tags.Any(t => t.Key.Contains("error") || t.Key.Contains("exception")))
.ToList();
_output.WriteLine($"Error activities found: {errorActivities.Count}");
foreach (var activity in errorActivities)
{
_output.WriteLine($" {activity.DisplayName}: Status={activity.Status}");
foreach (var ev in activity.Events)
{
_output.WriteLine($" Event: {ev.Name}");
}
}
// At minimum, HTTP activity should record the error status code
var httpActivities = collectedActivities
.Where(a => a.Tags.Any(t => t.Key == "http.status_code"))
.ToList();
if (httpActivities.Any())
{
var statusCodeTag = httpActivities.First().Tags
.FirstOrDefault(t => t.Key == "http.status_code");
_output.WriteLine($"✓ HTTP status code recorded: {statusCodeTag.Value}");
}
}
#endregion
#region Trace Correlation Tests
[Fact]
public async Task SignDsse_PreservesTraceContext()
{
// Arrange
var parentTraceId = ActivityTraceId.CreateRandom().ToString();
var parentSpanId = ActivitySpanId.CreateRandom().ToString();
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
request.Headers.Add("traceparent", $"00-{parentTraceId}-{parentSpanId}-01");
// Act
var response = await client.SendAsync(request);
// Assert
// The response should ideally preserve the trace context
_output.WriteLine($"Parent trace ID: {parentTraceId}");
_output.WriteLine($"Parent span ID: {parentSpanId}");
_output.WriteLine($"Response status: {response.StatusCode}");
// Check if traceresponse header is present
if (response.Headers.TryGetValues("traceresponse", out var traceResponse))
{
_output.WriteLine($"Trace response: {string.Join(", ", traceResponse)}");
_output.WriteLine("✓ Trace context is propagated");
}
else
{
_output.WriteLine(" No traceresponse header (may not be configured)");
}
}
#endregion
#region Performance Attribute Tests
[Fact]
public async Task SignDsse_IncludesDurationMetrics()
{
// Arrange
var collectedActivities = new List<Activity>();
using var listener = new ActivityListener
{
ShouldListenTo = source => true,
Sample = (ref ActivityCreationOptions<ActivityContext> _) => ActivitySamplingResult.AllDataAndRecorded,
ActivityStopped = activity => collectedActivities.Add(activity)
};
ActivitySource.AddActivityListener(listener);
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var stopwatch = System.Diagnostics.Stopwatch.StartNew();
var response = await client.SendAsync(request);
stopwatch.Stop();
await Task.Delay(100);
// Assert
_output.WriteLine($"Request duration: {stopwatch.ElapsedMilliseconds}ms");
_output.WriteLine($"Activities with duration:");
foreach (var activity in collectedActivities.Where(a => a.Duration > TimeSpan.Zero))
{
_output.WriteLine($" {activity.DisplayName}: {activity.Duration.TotalMilliseconds:F2}ms");
}
// Activities should have non-zero duration
collectedActivities.Where(a => a.Duration > TimeSpan.Zero)
.Should().NotBeEmpty("activities should track duration");
_output.WriteLine("✓ Duration metrics recorded");
}
#endregion
#region Attribute Summary
[Fact]
public void AttributeDocumentation_SummarizesExpectedTags()
{
_output.WriteLine("=== Signer OTel Attribute Reference ===");
_output.WriteLine("");
_output.WriteLine("Signing Operation Attributes:");
_output.WriteLine(" signer.key_id - Key identifier used for signing");
_output.WriteLine(" signer.algorithm - Signing algorithm (ES256, Ed25519, etc.)");
_output.WriteLine(" signer.signature_id - Unique identifier for the signature");
_output.WriteLine(" signer.bundle_type - Type of bundle returned (dsse, dsse+cert)");
_output.WriteLine(" signer.subject_count - Number of subjects in the statement");
_output.WriteLine(" signer.predicate_type - Predicate type URL");
_output.WriteLine("");
_output.WriteLine("Security Attributes:");
_output.WriteLine(" auth.method - Authentication method used");
_output.WriteLine(" auth.has_dpop - Whether DPoP proof was provided");
_output.WriteLine(" poe.format - Proof of execution format");
_output.WriteLine("");
_output.WriteLine("Performance Attributes:");
_output.WriteLine(" signer.canonicalization_ms - Time spent canonicalizing payload");
_output.WriteLine(" signer.signing_ms - Time spent on crypto operation");
_output.WriteLine(" signer.bundle_assembly_ms - Time spent assembling bundle");
}
#endregion
#region Helper Methods
private static object CreateBasicSignRequest()
{
return new
{
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e" }
}
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" }
};
}
#endregion
}

316
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/SignerEndpointsTests.cs Normal file
View File

@@ -0,0 +1,316 @@
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Testing;
using StellaOps.Signer.WebService.Contracts;
using Xunit;
using StellaOps.TestKit;
namespace StellaOps.Signer.Tests;
public sealed class SignerEndpointsTests : IClassFixture<WebApplicationFactory<Program>>
{
private readonly WebApplicationFactory<Program> _factory;
private const string TrustedDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
public SignerEndpointsTests(WebApplicationFactory<Program> factory)
{
_factory = factory;
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task SignDsse_ReturnsBundle_WhenRequestValid()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f" },
},
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = TrustedDigest,
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" },
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
var response = await client.SendAsync(request);
var responseBody = await response.Content.ReadAsStringAsync();
Assert.True(response.IsSuccessStatusCode, $"Expected success but got {(int)response.StatusCode}: {responseBody}");
var body = await response.Content.ReadFromJsonAsync<SignDsseResponseDto>();
Assert.NotNull(body);
Assert.Equal("stub-subject", body!.Bundle.SigningIdentity.Subject);
Assert.Equal("stub-subject", body.Bundle.SigningIdentity.Issuer);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task SignDsse_ReturnsForbidden_WhenDigestUntrusted()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f" },
},
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" },
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
var response = await client.SendAsync(request);
var problemJson = await response.Content.ReadAsStringAsync();
Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
var problem = System.Text.Json.JsonSerializer.Deserialize<ProblemDetails>(problemJson, new System.Text.Json.JsonSerializerOptions
{
PropertyNameCaseInsensitive = true,
});
Assert.NotNull(problem);
Assert.Equal("release_untrusted", problem!.Type);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task VerifyReferrers_ReturnsTrustedResult_WhenDigestIsKnown()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Get, $"/api/v1/signer/verify/referrers?digest={TrustedDigest}");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var response = await client.SendAsync(request);
var responseBody = await response.Content.ReadAsStringAsync();
Assert.True(response.IsSuccessStatusCode, $"Expected success but got {(int)response.StatusCode}: {responseBody}");
var body = await response.Content.ReadFromJsonAsync<VerifyReferrersResponseDto>();
Assert.NotNull(body);
Assert.True(body!.Trusted);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task VerifyReferrers_ReturnsProblem_WhenDigestMissing()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Get, "/api/v1/signer/verify/referrers");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var response = await client.SendAsync(request);
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task VerifyDsse_ReturnsVerifiedTrue_ForFreshSignature()
{
var client = CreateClient();
var signRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f" },
},
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = TrustedDigest,
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" },
})
};
signRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
signRequest.Headers.Add("DPoP", "stub-proof");
var signResponse = await client.SendAsync(signRequest);
Assert.True(signResponse.IsSuccessStatusCode);
var signed = await signResponse.Content.ReadFromJsonAsync<SignDsseResponseDto>();
Assert.NotNull(signed);
var verifyRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/verify/dsse")
{
Content = JsonContent.Create(new { bundle = new { dsse = signed!.Bundle.Dsse } })
};
verifyRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var verifyResponse = await client.SendAsync(verifyRequest);
var verifyBody = await verifyResponse.Content.ReadAsStringAsync();
Assert.True(verifyResponse.IsSuccessStatusCode, $"Expected verification success but got {(int)verifyResponse.StatusCode}: {verifyBody}");
var verification = await verifyResponse.Content.ReadFromJsonAsync<VerifyDsseResponseDto>();
Assert.NotNull(verification);
Assert.True(verification!.Verified);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task VerifyDsse_ReturnsVerifiedFalse_WhenPayloadIsTampered()
{
var client = CreateClient();
var signRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f" },
},
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = TrustedDigest,
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" },
})
};
signRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
signRequest.Headers.Add("DPoP", "stub-proof");
var signResponse = await client.SendAsync(signRequest);
Assert.True(signResponse.IsSuccessStatusCode);
var signed = await signResponse.Content.ReadFromJsonAsync<SignDsseResponseDto>();
Assert.NotNull(signed);
var payloadBytes = Convert.FromBase64String(signed!.Bundle.Dsse.Payload);
payloadBytes[0] ^= 0x01;
var tamperedPayload = Convert.ToBase64String(payloadBytes);
var verifyRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/verify/dsse")
{
Content = JsonContent.Create(new
{
dsse = new
{
payloadType = signed.Bundle.Dsse.PayloadType,
payload = tamperedPayload,
signatures = signed.Bundle.Dsse.Signatures
}
})
};
verifyRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var verifyResponse = await client.SendAsync(verifyRequest);
Assert.Equal(HttpStatusCode.OK, verifyResponse.StatusCode);
var verification = await verifyResponse.Content.ReadFromJsonAsync<VerifyDsseResponseDto>();
Assert.NotNull(verification);
Assert.False(verification!.Verified);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task CeremoniesRoute_IsMapped_AndProtectedByAuthorization()
{
var client = CreateClient();
var response = await client.GetAsync("/api/v1/ceremonies/");
Assert.True(
response.StatusCode is HttpStatusCode.Unauthorized or HttpStatusCode.Forbidden,
$"Expected unauthorized/forbidden for mapped ceremonies route, got {(int)response.StatusCode}.");
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task Ceremonies_CreateAndGet_WorksForAuthenticatedCaller()
{
var client = CreateClient();
var createRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/ceremonies/")
{
Content = JsonContent.Create(new
{
operationType = "keygeneration",
thresholdRequired = 2,
description = "endpoint test"
})
};
createRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var createResponse = await client.SendAsync(createRequest);
var createBody = await createResponse.Content.ReadAsStringAsync();
Assert.True(createResponse.IsSuccessStatusCode, $"Expected ceremony creation success but got {(int)createResponse.StatusCode}: {createBody}");
Assert.Equal(HttpStatusCode.Created, createResponse.StatusCode);
using var doc = System.Text.Json.JsonDocument.Parse(createBody);
var ceremonyId = doc.RootElement.GetProperty("ceremonyId").GetGuid();
var getRequest = new HttpRequestMessage(HttpMethod.Get, $"/api/v1/ceremonies/{ceremonyId}");
getRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var getResponse = await client.SendAsync(getRequest);
Assert.Equal(HttpStatusCode.OK, getResponse.StatusCode);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task Ceremonies_Create_ReturnsBadRequest_ForUnknownOperationType()
{
var client = CreateClient();
var createRequest = new HttpRequestMessage(HttpMethod.Post, "/api/v1/ceremonies/")
{
Content = JsonContent.Create(new
{
operationType = "not_real",
thresholdRequired = 1,
})
};
createRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var createResponse = await client.SendAsync(createRequest);
var responseBody = await createResponse.Content.ReadAsStringAsync();
Assert.Equal(HttpStatusCode.BadRequest, createResponse.StatusCode);
Assert.Contains("Unknown operation type", responseBody);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task KeyValidity_ReturnsNotFound_ForUnknownAnchorOrKey()
{
var client = CreateClient();
var request = new HttpRequestMessage(
HttpMethod.Get,
"/api/v1/anchors/11111111-1111-1111-1111-111111111111/keys/missing-key/validity");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var response = await client.SendAsync(request);
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
private HttpClient CreateClient() => _factory.CreateClient();
}

427
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Signing/CanonicalPayloadDeterminismTests.cs Normal file
View File

@@ -0,0 +1,427 @@
// -----------------------------------------------------------------------------
// CanonicalPayloadDeterminismTests.cs
// Sprint: SPRINT_5100_0009_0006_signer_tests
// Tasks: SIGNER-5100-001, SIGNER-5100-002, SIGNER-5100-003
// Description: Model L0 tests for canonical payload and digest determinism
// -----------------------------------------------------------------------------
using System.Text;
using System.Text.Json;
using FluentAssertions;
using StellaOps.Canonical.Json;
using StellaOps.Signer.Core;
using StellaOps.Signer.Tests.Fixtures;
using Xunit;
namespace StellaOps.Signer.Tests.Signing;
/// <summary>
/// Tests for canonical payload bytes and deterministic hash computation.
/// Implements Model L0 test requirements:
/// - SIGNER-5100-001: Canonical payload bytes snapshot tests for DSSE/in-toto envelopes
/// - SIGNER-5100-002: Stable digest computation tests: same input -> same SHA-256 hash
/// - SIGNER-5100-003: Determinism test: canonical payload hash stable across runs
/// </summary>
[Trait("Category", "Unit")]
[Trait("Category", "Determinism")]
[Trait("Category", "CanonicalPayload")]
public sealed class CanonicalPayloadDeterminismTests
{
// SIGNER-5100-001: Canonical payload bytes snapshot tests
[Fact]
public void InTotoStatement_CanonicalBytes_MatchesExpectedSnapshot()
{
// Arrange - Create a deterministic in-toto statement
var statement = CreateDeterministicInTotoStatement();
// Act
var canonicalBytes = CanonJson.Canonicalize(statement);
var canonicalJson = Encoding.UTF8.GetString(canonicalBytes);
// Assert - Keys should be sorted, no whitespace
canonicalJson.Should().NotContain("\n", "canonical JSON should have no newlines");
canonicalJson.Should().NotContain(" ", "canonical JSON should have no extra spaces");
// Verify key ordering (alphabetical)
var predicateIndex = canonicalJson.IndexOf("\"predicate\"", StringComparison.Ordinal);
var predicateTypeIndex = canonicalJson.IndexOf("\"predicateType\"", StringComparison.Ordinal);
var subjectIndex = canonicalJson.IndexOf("\"subject\"", StringComparison.Ordinal);
var typeIndex = canonicalJson.IndexOf("\"_type\"", StringComparison.Ordinal);
typeIndex.Should().BeLessThan(predicateIndex, "_type should come before predicate (alphabetical)");
predicateIndex.Should().BeLessThan(predicateTypeIndex, "predicate should come before predicateType");
predicateTypeIndex.Should().BeLessThan(subjectIndex, "predicateType should come before subject");
}
[Fact]
public void InTotoStatement_DifferentKeyOrder_ProducesSameCanonicalBytes()
{
// Arrange - Create same data with different key order in source JSON
var json1 = """{"predicateType":"https://slsa.dev/provenance/v1","_type":"https://in-toto.io/Statement/v1","predicate":{"builder":{"id":"test"}},"subject":[{"name":"artifact","digest":{"sha256":"abc123"}}]}""";
var json2 = """{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"artifact","digest":{"sha256":"abc123"}}],"predicateType":"https://slsa.dev/provenance/v1","predicate":{"builder":{"id":"test"}}}""";
// Act
var bytes1 = CanonJson.CanonicalizeParsedJson(Encoding.UTF8.GetBytes(json1));
var bytes2 = CanonJson.CanonicalizeParsedJson(Encoding.UTF8.GetBytes(json2));
// Assert
bytes1.Should().BeEquivalentTo(bytes2, "canonical bytes should be identical regardless of input key order");
}
[Fact]
public void DsseEnvelope_CanonicalBytes_PayloadTypePreserved()
{
// Arrange
var envelope = CreateDeterministicDsseEnvelope();
// Act
var canonicalBytes = CanonJson.Canonicalize(envelope);
var canonicalJson = Encoding.UTF8.GetString(canonicalBytes);
// Assert
canonicalJson.Should().Contain("\"payloadType\":\"application/vnd.in-toto+json\"");
}
[Fact]
public void DsseEnvelope_CanonicalBytes_SignaturesArrayPreserved()
{
// Arrange
var envelope = CreateDeterministicDsseEnvelope();
// Act
var canonicalBytes = CanonJson.Canonicalize(envelope);
var canonicalJson = Encoding.UTF8.GetString(canonicalBytes);
// Assert
canonicalJson.Should().Contain("\"signatures\":[");
canonicalJson.Should().Contain("\"keyId\":\"test-key-id\"");
}
[Fact]
public void InTotoStatement_MultipleSubjects_CanonicalOrderPreserved()
{
// Arrange - Statement with multiple subjects
var statement = new
{
_type = "https://in-toto.io/Statement/v1",
predicateType = "https://slsa.dev/provenance/v1",
subject = new[]
{
new { name = "artifact-b", digest = new { sha256 = "def456" } },
new { name = "artifact-a", digest = new { sha256 = "abc123" } },
new { name = "artifact-c", digest = new { sha256 = "ghi789" } }
},
predicate = new { builder = new { id = "test-builder" } }
};
// Act
var canonicalBytes = CanonJson.Canonicalize(statement);
var canonicalJson = Encoding.UTF8.GetString(canonicalBytes);
// Assert - Array order should be preserved (not sorted)
var indexB = canonicalJson.IndexOf("artifact-b", StringComparison.Ordinal);
var indexA = canonicalJson.IndexOf("artifact-a", StringComparison.Ordinal);
var indexC = canonicalJson.IndexOf("artifact-c", StringComparison.Ordinal);
indexB.Should().BeLessThan(indexA, "array order should be preserved");
indexA.Should().BeLessThan(indexC, "array order should be preserved");
}
// SIGNER-5100-002: Stable digest computation tests
[Fact]
public void Sha256Hash_SameInput_ProducesIdenticalHash()
{
// Arrange
var statement = CreateDeterministicInTotoStatement();
// Act
var hash1 = CanonJson.Hash(statement);
var hash2 = CanonJson.Hash(statement);
// Assert
hash1.Should().Be(hash2, "same input should produce same hash");
hash1.Length.Should().Be(64, "SHA-256 hash should be 64 hex characters");
}
[Fact]
public void Sha256Hash_LowercaseHex_Format()
{
// Arrange
var statement = CreateDeterministicInTotoStatement();
// Act
var hash = CanonJson.Hash(statement);
// Assert
hash.Should().MatchRegex("^[0-9a-f]{64}$", "hash should be lowercase hex");
hash.Should().NotMatchRegex("[A-F]", "hash should not contain uppercase letters");
}
[Fact]
public void Sha256Hash_Prefixed_HasCorrectPrefix()
{
// Arrange
var statement = CreateDeterministicInTotoStatement();
// Act
var prefixedHash = CanonJson.HashPrefixed(statement);
// Assert
prefixedHash.Should().StartWith("sha256:");
prefixedHash.Length.Should().Be(71, "sha256: prefix (7) + hash (64) = 71");
}
[Fact]
public void Sha256Hash_DifferentInputs_ProduceDifferentHashes()
{
// Arrange
var statement1 = new { type = "test", value = "input1" };
var statement2 = new { type = "test", value = "input2" };
// Act
var hash1 = CanonJson.Hash(statement1);
var hash2 = CanonJson.Hash(statement2);
// Assert
hash1.Should().NotBe(hash2, "different inputs should produce different hashes");
}
[Fact]
public void Sha256Hash_EmptyObject_ProducesConsistentHash()
{
// Arrange
var emptyObject = new { };
// Act
var hash1 = CanonJson.Hash(emptyObject);
var hash2 = CanonJson.Hash(emptyObject);
// Assert
hash1.Should().Be(hash2);
hash1.Should().Be("44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
"empty object {} should have deterministic hash");
}
[Fact]
public void Sha256Hash_NestedObject_ProducesConsistentHash()
{
// Arrange
var nested = new
{
level1 = new
{
level2 = new
{
level3 = new
{
value = "deep"
}
}
}
};
// Act
var hash1 = CanonJson.Hash(nested);
var hash2 = CanonJson.Hash(nested);
// Assert
hash1.Should().Be(hash2, "nested objects should produce consistent hashes");
}
// SIGNER-5100-003: Determinism test - hash stable across runs
[Fact]
public void CanonicalPayload_HashStableAcrossMultipleRuns()
{
// Arrange - Create identical statements multiple times
var hashes = new HashSet<string>();
// Act - Generate hash 100 times
for (int i = 0; i < 100; i++)
{
var statement = CreateDeterministicInTotoStatement();
var hash = CanonJson.Hash(statement);
hashes.Add(hash);
}
// Assert - All hashes should be identical
hashes.Should().HaveCount(1, "all 100 runs should produce the same hash");
}
[Fact]
public void CanonicalPayload_StableWithTimestampField()
{
// Arrange - Fixed timestamp for determinism
var fixedTimestamp = DeterministicTestData.FixedTimestamp;
var statement = new
{
_type = "https://in-toto.io/Statement/v1",
timestamp = fixedTimestamp.ToString("O"),
subject = new[] { new { name = "test", digest = new { sha256 = "abc" } } }
};
// Act
var hash1 = CanonJson.Hash(statement);
var hash2 = CanonJson.Hash(statement);
// Assert
hash1.Should().Be(hash2, "fixed timestamp should produce stable hash");
}
[Fact]
public void CanonicalPayload_DeterministicWithSigningSubjects()
{
// Arrange - Use DeterministicTestData for subjects
var subjects = DeterministicTestData.CreateDefaultSubjects();
// Act
var hash1 = CanonJson.Hash(subjects);
var hash2 = CanonJson.Hash(subjects);
// Assert
hash1.Should().Be(hash2, "signing subjects should hash deterministically");
}
[Fact]
public void CanonicalPayload_DeterministicWithMultipleSubjects()
{
// Arrange
var subjects = DeterministicTestData.CreateMultipleSubjects();
// Act
var hash1 = CanonJson.Hash(subjects);
var hash2 = CanonJson.Hash(subjects);
// Assert
hash1.Should().Be(hash2, "multiple subjects should hash deterministically");
}
[Fact]
public void CanonicalPayload_UnicodeCharacters_HashDeterministically()
{
// Arrange - Statement with Unicode characters
var statement = new
{
_type = "https://in-toto.io/Statement/v1",
subject = new[]
{
new { name = "artifact-\u4e2d\u6587", digest = new { sha256 = "abc123" } }, // Chinese characters
new { name = "artifact-\u00e9\u00e8\u00ea", digest = new { sha256 = "def456" } } // French accents
}
};
// Act
var hash1 = CanonJson.Hash(statement);
var hash2 = CanonJson.Hash(statement);
// Assert
hash1.Should().Be(hash2, "Unicode characters should hash deterministically");
}
[Fact]
public void CanonicalPayload_NumbersPreserved_HashDeterministically()
{
// Arrange - Statement with various number types
var statement = new
{
integer = 42,
negative = -17,
floating = 3.14159,
scientific = 1.5e-10,
large = 9007199254740992L
};
// Act
var hash1 = CanonJson.Hash(statement);
var hash2 = CanonJson.Hash(statement);
// Assert
hash1.Should().Be(hash2, "numbers should hash deterministically");
}
[Fact]
public void CanonicalPayload_BooleanAndNull_HashDeterministically()
{
// Arrange
var statement = new
{
active = true,
disabled = false,
missing = (string?)null
};
// Act
var hash1 = CanonJson.Hash(statement);
var hash2 = CanonJson.Hash(statement);
// Assert
hash1.Should().Be(hash2, "boolean and null values should hash deterministically");
}
[Fact]
public void DssePayload_Base64Url_DeterministicEncoding()
{
// Arrange - Create statement that would have base64url special chars
var statement = new
{
_type = "https://in-toto.io/Statement/v1",
binary = Convert.ToBase64String(new byte[] { 0xFB, 0xFF, 0xFE })
};
// Act
var hash1 = CanonJson.Hash(statement);
var hash2 = CanonJson.Hash(statement);
// Assert
hash1.Should().Be(hash2);
}
// Helper methods
private static object CreateDeterministicInTotoStatement()
{
return new
{
_type = "https://in-toto.io/Statement/v1",
predicateType = "https://slsa.dev/provenance/v1",
subject = new[]
{
new
{
name = DeterministicTestData.DefaultSubjectName,
digest = new { sha256 = DeterministicTestData.DefaultSubjectDigest }
}
},
predicate = new
{
builder = new { id = "https://github.com/stellaops/scanner-action@v2" },
buildType = "https://slsa.dev/container-build/v0.1",
invocation = new
{
configSource = new { uri = "git+https://github.com/stellaops/example@refs/heads/main" }
}
}
};
}
private static DsseEnvelope CreateDeterministicDsseEnvelope()
{
var payloadBytes = Encoding.UTF8.GetBytes(CanonJson.Serialize(CreateDeterministicInTotoStatement()));
var payloadBase64 = Convert.ToBase64String(payloadBytes)
.Replace('+', '-')
.Replace('/', '_')
.TrimEnd('=');
return new DsseEnvelope(
Payload: payloadBase64,
PayloadType: "application/vnd.in-toto+json",
Signatures: new[]
{
new DsseSignature(
Signature: "MEUCIQD_test_signature_base64url",
KeyId: "test-key-id")
});
}
}

303
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Signing/CryptoDsseSignerTests.cs Normal file
View File

@@ -0,0 +1,303 @@
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using FluentAssertions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
using NSubstitute;
using StellaOps.Cryptography;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Signing;
using Xunit;
namespace StellaOps.Signer.Tests.Signing;
public sealed class CryptoDsseSignerTests
{
private readonly ICryptoProviderRegistry _mockRegistry;
private readonly ISigningKeyResolver _mockKeyResolver;
private readonly ICryptoSigner _mockCryptoSigner;
private readonly DsseSignerOptions _options;
private readonly CryptoDsseSigner _signer;
public CryptoDsseSignerTests()
{
_mockRegistry = Substitute.For<ICryptoProviderRegistry>();
_mockKeyResolver = Substitute.For<ISigningKeyResolver>();
_mockCryptoSigner = Substitute.For<ICryptoSigner>();
_options = new DsseSignerOptions
{
DefaultIssuer = "https://test.stellaops.io",
KeylessAlgorithm = SignatureAlgorithms.Es256
};
_signer = new CryptoDsseSigner(
_mockRegistry,
_mockKeyResolver,
Options.Create(_options),
NullLogger<CryptoDsseSigner>.Instance);
}
[Fact]
public async Task SignAsync_ProducesValidDsseEnvelope()
{
// Arrange
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
var keyResolution = new SigningKeyResolution("test-key-id", "default");
var signatureBytes = new byte[] { 0x01, 0x02, 0x03, 0x04 };
_mockKeyResolver
.ResolveKeyAsync(Arg.Any<SigningMode>(), Arg.Any<string>(), Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(keyResolution));
_mockCryptoSigner.KeyId.Returns("test-key-id");
_mockCryptoSigner.AlgorithmId.Returns(SignatureAlgorithms.Es256);
_mockCryptoSigner
.SignAsync(Arg.Any<ReadOnlyMemory<byte>>(), Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(signatureBytes));
_mockCryptoSigner
.ExportPublicJsonWebKey()
.Returns(new JsonWebKey { KeyId = "test-key-id", Kty = "EC" });
_mockRegistry
.ResolveSigner(
Arg.Any<CryptoCapability>(),
Arg.Any<string>(),
Arg.Any<CryptoKeyReference>(),
Arg.Any<string?>())
.Returns(new CryptoSignerResolution(_mockCryptoSigner, "default"));
// Act
var result = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
result.Should().NotBeNull();
result.Envelope.Should().NotBeNull();
result.Envelope.PayloadType.Should().Be("application/vnd.in-toto+json");
result.Envelope.Payload.Should().NotBeNullOrEmpty();
result.Envelope.Signatures.Should().HaveCount(1);
result.Envelope.Signatures[0].Signature.Should().NotBeNullOrEmpty();
result.Envelope.Signatures[0].KeyId.Should().Be("test-key-id");
}
[Fact]
public async Task SignAsync_SetsCorrectSigningMetadata()
{
// Arrange
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
var keyResolution = new SigningKeyResolution(
"kms-key-123",
"default",
"https://custom.issuer.io",
"service-account@tenant.stellaops.io",
DateTimeOffset.UtcNow.AddHours(1));
var signatureBytes = new byte[] { 0xAB, 0xCD };
_mockKeyResolver
.ResolveKeyAsync(Arg.Any<SigningMode>(), Arg.Any<string>(), Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(keyResolution));
_mockCryptoSigner.KeyId.Returns("kms-key-123");
_mockCryptoSigner.AlgorithmId.Returns(SignatureAlgorithms.Es256);
_mockCryptoSigner
.SignAsync(Arg.Any<ReadOnlyMemory<byte>>(), Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(signatureBytes));
_mockCryptoSigner
.ExportPublicJsonWebKey()
.Returns(new JsonWebKey { KeyId = "kms-key-123", Kty = "EC" });
_mockRegistry
.ResolveSigner(
Arg.Any<CryptoCapability>(),
Arg.Any<string>(),
Arg.Any<CryptoKeyReference>(),
Arg.Any<string?>())
.Returns(new CryptoSignerResolution(_mockCryptoSigner, "kms-provider"));
// Act
var result = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
result.Metadata.Should().NotBeNull();
result.Metadata.ProviderName.Should().Be("kms-provider");
result.Metadata.AlgorithmId.Should().Be(SignatureAlgorithms.Es256);
result.Metadata.Identity.Should().NotBeNull();
result.Metadata.Identity.Issuer.Should().Be("https://custom.issuer.io");
result.Metadata.Identity.Subject.Should().Be("service-account@tenant.stellaops.io");
result.Metadata.Identity.Mode.Should().Be("keyless");
}
[Fact]
public async Task SignAsync_UsesKmsMode_WhenRequested()
{
// Arrange
var request = CreateSigningRequest(SigningMode.Kms);
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
var keyResolution = new SigningKeyResolution("kms-key-abc", "kms-provider");
var signatureBytes = new byte[] { 0x11, 0x22, 0x33 };
_mockKeyResolver
.ResolveKeyAsync(SigningMode.Kms, caller.Tenant, Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(keyResolution));
_mockCryptoSigner.KeyId.Returns("kms-key-abc");
_mockCryptoSigner.AlgorithmId.Returns(SignatureAlgorithms.Es256);
_mockCryptoSigner
.SignAsync(Arg.Any<ReadOnlyMemory<byte>>(), Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(signatureBytes));
_mockCryptoSigner
.ExportPublicJsonWebKey()
.Returns(new JsonWebKey { KeyId = "kms-key-abc", Kty = "EC" });
_mockRegistry
.ResolveSigner(
CryptoCapability.Signing,
Arg.Any<string>(),
Arg.Is<CryptoKeyReference>(k => k.KeyId == "kms-key-abc"),
"kms-provider")
.Returns(new CryptoSignerResolution(_mockCryptoSigner, "kms-provider"));
// Act
var result = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
result.Metadata.Identity.Mode.Should().Be("kms");
await _mockKeyResolver.Received(1).ResolveKeyAsync(SigningMode.Kms, caller.Tenant, Arg.Any<CancellationToken>());
}
[Fact]
public async Task SignAsync_ProducesCosignCompatibleBase64Url()
{
// Arrange
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
var keyResolution = new SigningKeyResolution("test-key");
// Use signature bytes that would produce + and / in standard base64
var signatureBytes = new byte[] { 0xFB, 0xFF, 0xFE, 0x00, 0x01 };
_mockKeyResolver
.ResolveKeyAsync(Arg.Any<SigningMode>(), Arg.Any<string>(), Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(keyResolution));
_mockCryptoSigner.KeyId.Returns("test-key");
_mockCryptoSigner.AlgorithmId.Returns(SignatureAlgorithms.Es256);
_mockCryptoSigner
.SignAsync(Arg.Any<ReadOnlyMemory<byte>>(), Arg.Any<CancellationToken>())
.Returns(ValueTask.FromResult(signatureBytes));
_mockCryptoSigner
.ExportPublicJsonWebKey()
.Returns(new JsonWebKey { KeyId = "test-key", Kty = "EC" });
_mockRegistry
.ResolveSigner(
Arg.Any<CryptoCapability>(),
Arg.Any<string>(),
Arg.Any<CryptoKeyReference>(),
Arg.Any<string?>())
.Returns(new CryptoSignerResolution(_mockCryptoSigner, "default"));
// Act
var result = await _signer.SignAsync(request, entitlement, caller, CancellationToken.None);
// Assert
var signature = result.Envelope.Signatures[0].Signature;
signature.Should().NotContain("+");
signature.Should().NotContain("/");
signature.Should().NotContain("=");
// Verify payload is also base64url encoded
result.Envelope.Payload.Should().NotContain("+");
result.Envelope.Payload.Should().NotContain("/");
result.Envelope.Payload.Should().NotEndWith("=");
}
[Fact]
public async Task SignAsync_ThrowsArgumentNullException_WhenRequestIsNull()
{
// Arrange
var entitlement = CreateEntitlement();
var caller = CreateCallerContext();
// Act & Assert
var act = async () => await _signer.SignAsync(null!, entitlement, caller, CancellationToken.None);
await act.Should().ThrowAsync<ArgumentNullException>()
.Where(e => e.ParamName == "request");
}
[Fact]
public async Task SignAsync_ThrowsArgumentNullException_WhenEntitlementIsNull()
{
// Arrange
var request = CreateSigningRequest();
var caller = CreateCallerContext();
// Act & Assert
var act = async () => await _signer.SignAsync(request, null!, caller, CancellationToken.None);
await act.Should().ThrowAsync<ArgumentNullException>()
.Where(e => e.ParamName == "entitlement");
}
[Fact]
public async Task SignAsync_ThrowsArgumentNullException_WhenCallerIsNull()
{
// Arrange
var request = CreateSigningRequest();
var entitlement = CreateEntitlement();
// Act & Assert
var act = async () => await _signer.SignAsync(request, entitlement, null!, CancellationToken.None);
await act.Should().ThrowAsync<ArgumentNullException>()
.Where(e => e.ParamName == "caller");
}
private static SigningRequest CreateSigningRequest(SigningMode mode = SigningMode.Keyless)
{
var predicate = JsonDocument.Parse("""{"builder": {"id": "test-builder"}, "invocation": {}}""");
return new SigningRequest(
Subjects:
[
new SigningSubject("artifact.tar.gz", new Dictionary<string, string>
{
["sha256"] = "abc123def456"
})
],
PredicateType: "https://slsa.dev/provenance/v0.2",
Predicate: predicate,
ScannerImageDigest: "sha256:scanner123",
ProofOfEntitlement: new ProofOfEntitlement(SignerPoEFormat.Jwt, "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."),
Options: new SigningOptions(mode, 3600, "bundle"));
}
private static ProofOfEntitlementResult CreateEntitlement()
{
return new ProofOfEntitlementResult(
LicenseId: "lic-123",
CustomerId: "cust-456",
Plan: "enterprise",
MaxArtifactBytes: 100_000_000,
QpsLimit: 100,
QpsRemaining: 95,
ExpiresAtUtc: DateTimeOffset.UtcNow.AddHours(1));
}
private static CallerContext CreateCallerContext()
{
return new CallerContext(
Subject: "user@example.com",
Tenant: "test-tenant",
Scopes: ["signer.sign"],
Audiences: ["signer"],
SenderBinding: null,
ClientCertificateThumbprint: null);
}
}

165
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Signing/DefaultSigningKeyResolverTests.cs Normal file
View File

@@ -0,0 +1,165 @@
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Signing;
using Xunit;
namespace StellaOps.Signer.Tests.Signing;
public sealed class DefaultSigningKeyResolverTests
{
private readonly DsseSignerOptions _options;
private readonly FakeTimeProvider _timeProvider;
private readonly DefaultSigningKeyResolver _resolver;
public DefaultSigningKeyResolverTests()
{
_options = new DsseSignerOptions
{
DefaultIssuer = "https://test.stellaops.io",
PreferredProvider = "test-provider"
};
_timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 11, 26, 12, 0, 0, TimeSpan.Zero));
_resolver = new DefaultSigningKeyResolver(
Options.Create(_options),
_timeProvider,
NullLogger<DefaultSigningKeyResolver>.Instance);
}
[Fact]
public async Task ResolveKeyAsync_KeylessMode_ReturnsEphemeralKey()
{
// Act
var result = await _resolver.ResolveKeyAsync(SigningMode.Keyless, "tenant-123", CancellationToken.None);
// Assert
result.Should().NotBeNull();
result.KeyId.Should().StartWith("ephemeral:tenant-123:");
result.ProviderHint.Should().Be("test-provider");
result.Issuer.Should().Be("https://test.stellaops.io");
result.Subject.Should().Be("keyless:tenant-123");
result.ExpiresAtUtc.Should().NotBeNull();
result.ExpiresAtUtc!.Value.Should().Be(_timeProvider.GetUtcNow().AddMinutes(10));
}
[Fact]
public async Task ResolveKeyAsync_KeylessMode_GeneratesUniqueKeyIds()
{
// Act
var result1 = await _resolver.ResolveKeyAsync(SigningMode.Keyless, "tenant-123", CancellationToken.None);
var result2 = await _resolver.ResolveKeyAsync(SigningMode.Keyless, "tenant-123", CancellationToken.None);
// Assert
result1.KeyId.Should().NotBe(result2.KeyId);
}
[Fact]
public async Task ResolveKeyAsync_KmsMode_ReturnsDefaultKmsKey()
{
// Arrange
_options.DefaultKmsKeyId = "projects/test/locations/global/keyRings/ring/cryptoKeys/key";
// Act
var result = await _resolver.ResolveKeyAsync(SigningMode.Kms, "tenant-456", CancellationToken.None);
// Assert
result.Should().NotBeNull();
result.KeyId.Should().Be("projects/test/locations/global/keyRings/ring/cryptoKeys/key");
result.ProviderHint.Should().Be("test-provider");
result.Issuer.Should().Be("https://test.stellaops.io");
result.Subject.Should().Be("kms:tenant-456");
result.ExpiresAtUtc.Should().BeNull();
}
[Fact]
public async Task ResolveKeyAsync_KmsMode_UsesTenantSpecificKey()
{
// Arrange
_options.DefaultKmsKeyId = "default-key";
_options.TenantKmsKeys = new Dictionary<string, string>
{
["tenant-special"] = "tenant-special-key"
};
// Act
var result = await _resolver.ResolveKeyAsync(SigningMode.Kms, "tenant-special", CancellationToken.None);
// Assert
result.KeyId.Should().Be("tenant-special-key");
result.Subject.Should().Be("kms:tenant-special");
}
[Fact]
public async Task ResolveKeyAsync_KmsMode_FallsBackToDefaultKey()
{
// Arrange
_options.DefaultKmsKeyId = "fallback-key";
_options.TenantKmsKeys = new Dictionary<string, string>
{
["other-tenant"] = "other-tenant-key"
};
// Act
var result = await _resolver.ResolveKeyAsync(SigningMode.Kms, "tenant-without-mapping", CancellationToken.None);
// Assert
result.KeyId.Should().Be("fallback-key");
}
[Fact]
public async Task ResolveKeyAsync_KmsMode_ThrowsWhenNoKeyConfigured()
{
// Arrange
_options.DefaultKmsKeyId = null;
_options.TenantKmsKeys.Clear();
// Act & Assert
var act = async () => await _resolver.ResolveKeyAsync(SigningMode.Kms, "tenant-123", CancellationToken.None);
await act.Should().ThrowAsync<InvalidOperationException>()
.Where(e => e.Message.Contains("No KMS key configured") && e.Message.Contains("tenant-123"));
}
[Fact]
public async Task ResolveKeyAsync_ThrowsArgumentException_WhenTenantIsEmpty()
{
// Act & Assert
var act = async () => await _resolver.ResolveKeyAsync(SigningMode.Keyless, "", CancellationToken.None);
await act.Should().ThrowAsync<ArgumentException>()
.Where(e => e.ParamName == "tenant");
}
[Fact]
public async Task ResolveKeyAsync_ThrowsArgumentException_WhenTenantIsWhitespace()
{
// Act & Assert
var act = async () => await _resolver.ResolveKeyAsync(SigningMode.Keyless, " ", CancellationToken.None);
await act.Should().ThrowAsync<ArgumentException>()
.Where(e => e.ParamName == "tenant");
}
[Fact]
public async Task ResolveKeyAsync_ThrowsForUnknownSigningMode()
{
// Act & Assert
var act = async () => await _resolver.ResolveKeyAsync((SigningMode)99, "tenant-123", CancellationToken.None);
await act.Should().ThrowAsync<ArgumentOutOfRangeException>()
.Where(e => e.ParamName == "mode");
}
private sealed class FakeTimeProvider : TimeProvider
{
private readonly DateTimeOffset _now;
public FakeTimeProvider(DateTimeOffset now)
{
_now = now;
}
public override DateTimeOffset GetUtcNow() => _now;
}
}

135
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Signing/DualSignTests.cs Normal file
View File

@@ -0,0 +1,135 @@
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using System.Text.Json;
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Cryptography;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Signing;
using Xunit;
namespace StellaOps.Signer.Tests.Signing;
public class DualSignTests
{
[Fact]
public async Task AddsSecondarySignature_WhenConfigured()
{
Environment.SetEnvironmentVariable("PQ_SOFT_ALLOWED", "1");
var registry = new CryptoProviderRegistry(new ICryptoProvider[] { new StubProvider() });
var resolver = new StubKeyResolver("primary-key", "stub");
var options = Options.Create(new DsseSignerOptions
{
KeylessAlgorithm = SignatureAlgorithms.Es256,
SecondaryAlgorithm = SignatureAlgorithms.Falcon512,
SecondaryProvider = "stub",
SecondaryKeyId = "secondary-key"
});
var signer = new CryptoDsseSigner(registry, resolver, options, NullLogger<CryptoDsseSigner>.Instance);
var request = new SigningRequest(
Subjects: Array.Empty<SigningSubject>(),
PredicateType: "demo",
Predicate: JsonDocument.Parse("{}"),
ScannerImageDigest: "sha256:dummydigest",
ProofOfEntitlement: new ProofOfEntitlement(SignerPoEFormat.Jwt, "ok"),
Options: new SigningOptions(SigningMode.Keyless, ExpirySeconds: null, ReturnBundle: "full"));
var entitlement = new ProofOfEntitlementResult(
LicenseId: "lic",
CustomerId: "cust",
Plan: "plan",
MaxArtifactBytes: 1024 * 1024,
QpsLimit: 10,
QpsRemaining: 10,
ExpiresAtUtc: DateTimeOffset.UtcNow.AddMinutes(5));
var caller = new CallerContext(
Subject: "subject",
Tenant: "tenant",
Scopes: Array.Empty<string>(),
Audiences: Array.Empty<string>(),
SenderBinding: null,
ClientCertificateThumbprint: null);
var bundle = await signer.SignAsync(request, entitlement, caller, CancellationToken.None);
bundle.Envelope.Signatures.Should().HaveCount(2);
bundle.Envelope.Signatures[0].KeyId.Should().Be("primary-key");
bundle.Envelope.Signatures[1].KeyId.Should().Be("secondary-key");
}
private sealed class StubProvider : ICryptoProvider
{
public string Name => "stub";
public bool Supports(CryptoCapability capability, string algorithmId) =>
capability == CryptoCapability.Signing;
public IPasswordHasher GetPasswordHasher(string algorithmId) => throw new NotSupportedException();
public ICryptoHasher GetHasher(string algorithmId) => throw new NotSupportedException();
public ICryptoSigner GetSigner(string algorithmId, CryptoKeyReference keyReference) =>
new StubSigner(keyReference.KeyId, algorithmId);
public void UpsertSigningKey(CryptoSigningKey signingKey) { }
public bool RemoveSigningKey(string keyId) => true;
public IReadOnlyCollection<CryptoSigningKey> GetSigningKeys() => Array.Empty<CryptoSigningKey>();
}
private sealed class StubSigner : ICryptoSigner
{
public StubSigner(string keyId, string algorithmId)
{
KeyId = keyId;
AlgorithmId = algorithmId;
}
public string KeyId { get; }
public string AlgorithmId { get; }
public ValueTask<byte[]> SignAsync(ReadOnlyMemory<byte> data, CancellationToken cancellationToken = default)
{
var payload = System.Text.Encoding.UTF8.GetBytes($"{AlgorithmId}:{KeyId}");
return ValueTask.FromResult(payload);
}
public ValueTask<bool> VerifyAsync(ReadOnlyMemory<byte> data, ReadOnlyMemory<byte> signature, CancellationToken cancellationToken = default)
=> ValueTask.FromResult(true);
public Microsoft.IdentityModel.Tokens.JsonWebKey ExportPublicJsonWebKey()
=> new() { Kid = KeyId, Alg = AlgorithmId, Kty = "oct" };
}
private sealed class StubKeyResolver : ISigningKeyResolver
{
private readonly string keyId;
private readonly string provider;
public StubKeyResolver(string keyId, string provider)
{
this.keyId = keyId;
this.provider = provider;
}
public ValueTask<SigningKeyResolution> ResolveKeyAsync(SigningMode mode, string tenant, CancellationToken cancellationToken)
{
return ValueTask.FromResult(new SigningKeyResolution(
keyId,
provider,
null,
null,
null,
Array.Empty<string>()));
}
}
}

372
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Signing/SignerStatementBuilderTests.cs Normal file
View File

@@ -0,0 +1,372 @@
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;
using FluentAssertions;
using StellaOps.Signer.Core;
using Xunit;
namespace StellaOps.Signer.Tests.Signing;
public sealed class SignerStatementBuilderTests
{
[Fact]
public void BuildStatementPayload_CreatesValidStatement()
{
// Arrange
var request = CreateSigningRequest();
// Act
var payload = SignerStatementBuilder.BuildStatementPayload(request);
// Assert
payload.Should().NotBeNullOrEmpty();
var json = Encoding.UTF8.GetString(payload);
using var doc = JsonDocument.Parse(json);
var root = doc.RootElement;
root.GetProperty("_type").GetString().Should().Be("https://in-toto.io/Statement/v0.1");
root.GetProperty("predicateType").GetString().Should().Be("https://slsa.dev/provenance/v0.2");
root.GetProperty("subject").GetArrayLength().Should().Be(1);
}
[Fact]
public void BuildStatementPayload_UsesDeterministicSerialization()
{
// Arrange
var request = CreateSigningRequest();
// Act
var payload1 = SignerStatementBuilder.BuildStatementPayload(request);
var payload2 = SignerStatementBuilder.BuildStatementPayload(request);
// Assert - Same input should produce identical output
payload1.Should().BeEquivalentTo(payload2);
}
[Fact]
public void BuildStatementPayload_SortsDigestKeys()
{
// Arrange - Use unsorted digest keys
var predicate = JsonDocument.Parse("""{"builder": {"id": "test"}}""");
var request = new SigningRequest(
Subjects:
[
new SigningSubject("artifact.tar.gz", new Dictionary<string, string>
{
["SHA512"] = "xyz789",
["sha256"] = "abc123",
["MD5"] = "def456"
})
],
PredicateType: PredicateTypes.SlsaProvenanceV02,
Predicate: predicate,
ScannerImageDigest: "sha256:scanner",
ProofOfEntitlement: new ProofOfEntitlement(SignerPoEFormat.Jwt, "token"),
Options: new SigningOptions(SigningMode.Keyless, null, "bundle"));
// Act
var payload = SignerStatementBuilder.BuildStatementPayload(request);
var json = Encoding.UTF8.GetString(payload);
// Assert - Digest keys should be lowercase and sorted alphabetically
json.Should().Contain("\"md5\"");
json.Should().Contain("\"sha256\"");
json.Should().Contain("\"sha512\"");
// Verify order: md5 < sha256 < sha512
var md5Index = json.IndexOf("\"md5\"", StringComparison.Ordinal);
var sha256Index = json.IndexOf("\"sha256\"", StringComparison.Ordinal);
var sha512Index = json.IndexOf("\"sha512\"", StringComparison.Ordinal);
md5Index.Should().BeLessThan(sha256Index);
sha256Index.Should().BeLessThan(sha512Index);
}
[Fact]
public void BuildStatementPayload_WithExplicitStatementType_UsesProvided()
{
// Arrange
var request = CreateSigningRequest();
// Act
var payload = SignerStatementBuilder.BuildStatementPayload(request, "https://in-toto.io/Statement/v1");
var json = Encoding.UTF8.GetString(payload);
// Assert
using var doc = JsonDocument.Parse(json);
doc.RootElement.GetProperty("_type").GetString().Should().Be("https://in-toto.io/Statement/v1");
}
[Fact]
public void BuildStatement_ReturnsInTotoStatement()
{
// Arrange
var request = CreateSigningRequest();
// Act
var statement = SignerStatementBuilder.BuildStatement(request);
// Assert
statement.Should().NotBeNull();
statement.Type.Should().Be("https://in-toto.io/Statement/v0.1");
statement.PredicateType.Should().Be(PredicateTypes.SlsaProvenanceV02);
statement.Subject.Should().HaveCount(1);
statement.Subject[0].Name.Should().Be("artifact.tar.gz");
statement.Predicate.ValueKind.Should().Be(JsonValueKind.Object);
}
[Fact]
public void BuildStatementPayload_ThrowsArgumentNullException_WhenRequestIsNull()
{
// Act
var act = () => SignerStatementBuilder.BuildStatementPayload(null!);
// Assert
act.Should().Throw<ArgumentNullException>()
.WithParameterName("request");
}
[Fact]
public void BuildStatementPayload_WithStatementType_ThrowsWhenTypeIsEmpty()
{
// Arrange
var request = CreateSigningRequest();
// Act
var act = () => SignerStatementBuilder.BuildStatementPayload(request, "");
// Assert
act.Should().Throw<ArgumentException>()
.WithParameterName("statementType");
}
[Theory]
[InlineData(PredicateTypes.StellaOpsPromotion, true)]
[InlineData(PredicateTypes.StellaOpsSbom, true)]
[InlineData(PredicateTypes.StellaOpsVex, true)]
[InlineData(PredicateTypes.StellaOpsReplay, true)]
[InlineData(PredicateTypes.StellaOpsPolicy, true)]
[InlineData(PredicateTypes.StellaOpsEvidence, true)]
[InlineData(PredicateTypes.StellaOpsVexDecision, true)]
[InlineData(PredicateTypes.StellaOpsGraph, true)]
[InlineData(PredicateTypes.SlsaProvenanceV02, true)]
[InlineData(PredicateTypes.SlsaProvenanceV1, true)]
[InlineData(PredicateTypes.CycloneDxSbom, true)]
[InlineData(PredicateTypes.SpdxSbom, true)]
[InlineData(PredicateTypes.OpenVex, true)]
[InlineData("custom/predicate@v1", false)]
[InlineData("", false)]
[InlineData(null, false)]
public void IsWellKnownPredicateType_ReturnsExpected(string? predicateType, bool expected)
{
// Act
var result = SignerStatementBuilder.IsWellKnownPredicateType(predicateType!);
// Assert
result.Should().Be(expected);
}
[Theory]
[InlineData(PredicateTypes.SlsaProvenanceV1, "https://in-toto.io/Statement/v1")]
[InlineData(PredicateTypes.StellaOpsPromotion, "https://in-toto.io/Statement/v1")]
[InlineData(PredicateTypes.StellaOpsSbom, "https://in-toto.io/Statement/v1")]
[InlineData(PredicateTypes.SlsaProvenanceV02, "https://in-toto.io/Statement/v0.1")]
[InlineData(PredicateTypes.CycloneDxSbom, "https://in-toto.io/Statement/v0.1")]
public void GetRecommendedStatementType_ReturnsCorrectVersion(string predicateType, string expectedStatementType)
{
// Act
var result = SignerStatementBuilder.GetRecommendedStatementType(predicateType);
// Assert
result.Should().Be(expectedStatementType);
}
[Fact]
public void PredicateTypes_IsStellaOpsType_IdentifiesStellaOpsTypes()
{
// Assert
PredicateTypes.IsStellaOpsType("stella.ops/promotion@v1").Should().BeTrue();
PredicateTypes.IsStellaOpsType("stella.ops/custom@v2").Should().BeTrue();
PredicateTypes.IsStellaOpsType("https://slsa.dev/provenance/v1").Should().BeFalse();
PredicateTypes.IsStellaOpsType(null!).Should().BeFalse();
}
[Fact]
public void PredicateTypes_IsSlsaProvenance_IdentifiesSlsaTypes()
{
// Assert
PredicateTypes.IsSlsaProvenance("https://slsa.dev/provenance/v0.2").Should().BeTrue();
PredicateTypes.IsSlsaProvenance("https://slsa.dev/provenance/v1").Should().BeTrue();
PredicateTypes.IsSlsaProvenance("https://slsa.dev/provenance/v2").Should().BeTrue();
PredicateTypes.IsSlsaProvenance("stella.ops/promotion@v1").Should().BeFalse();
PredicateTypes.IsSlsaProvenance(null!).Should().BeFalse();
}
[Fact]
public void PredicateTypes_IsVexRelatedType_IdentifiesVexTypes()
{
// Assert
PredicateTypes.IsVexRelatedType(PredicateTypes.StellaOpsVex).Should().BeTrue();
PredicateTypes.IsVexRelatedType(PredicateTypes.StellaOpsVexDecision).Should().BeTrue();
PredicateTypes.IsVexRelatedType(PredicateTypes.OpenVex).Should().BeTrue();
PredicateTypes.IsVexRelatedType(PredicateTypes.StellaOpsSbom).Should().BeFalse();
PredicateTypes.IsVexRelatedType(PredicateTypes.StellaOpsGraph).Should().BeFalse();
PredicateTypes.IsVexRelatedType(null!).Should().BeFalse();
}
[Fact]
public void PredicateTypes_IsReachabilityRelatedType_IdentifiesReachabilityTypes()
{
// Assert
PredicateTypes.IsReachabilityRelatedType(PredicateTypes.StellaOpsGraph).Should().BeTrue();
PredicateTypes.IsReachabilityRelatedType(PredicateTypes.StellaOpsReplay).Should().BeTrue();
PredicateTypes.IsReachabilityRelatedType(PredicateTypes.StellaOpsEvidence).Should().BeTrue();
PredicateTypes.IsReachabilityRelatedType(PredicateTypes.StellaOpsVex).Should().BeFalse();
PredicateTypes.IsReachabilityRelatedType(PredicateTypes.StellaOpsSbom).Should().BeFalse();
PredicateTypes.IsReachabilityRelatedType(null!).Should().BeFalse();
}
[Fact]
public void PredicateTypes_GetAllowedPredicateTypes_ReturnsAllKnownTypes()
{
// Act
var allowedTypes = PredicateTypes.GetAllowedPredicateTypes();
// Assert
allowedTypes.Should().Contain(PredicateTypes.StellaOpsPromotion);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsSbom);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsVex);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsReplay);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsPolicy);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsEvidence);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsVexDecision);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsGraph);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsPathWitness);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsReachabilityDrift);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsVerdict);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsVexDelta);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsSbomDelta);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsVerdictDelta);
allowedTypes.Should().Contain(PredicateTypes.StellaOpsReachabilityDelta);
allowedTypes.Should().Contain(PredicateTypes.SlsaProvenanceV02);
allowedTypes.Should().Contain(PredicateTypes.SlsaProvenanceV1);
allowedTypes.Should().Contain(PredicateTypes.CycloneDxSbom);
allowedTypes.Should().Contain(PredicateTypes.SpdxSbom);
allowedTypes.Should().Contain(PredicateTypes.OpenVex);
// 30 entries: SLSA (2) + StellaOps core (14) + PathWitness canonical + aliases (3) + Delta (4) + Function Map (2) + Runtime Evidence (2) + Third-party (3)
allowedTypes.Should().HaveCount(30);
}
[Theory]
[InlineData(PredicateTypes.StellaOpsVexDecision, true)]
[InlineData(PredicateTypes.StellaOpsGraph, true)]
[InlineData(PredicateTypes.StellaOpsPromotion, true)]
[InlineData("custom/predicate@v1", false)]
[InlineData("", false)]
public void PredicateTypes_IsAllowedPredicateType_ReturnsExpected(string predicateType, bool expected)
{
// Act
var result = PredicateTypes.IsAllowedPredicateType(predicateType);
// Assert
result.Should().Be(expected);
}
[Fact]
public void BuildStatementPayload_HandlesMultipleSubjects()
{
// Arrange
var predicate = JsonDocument.Parse("""{"builder": {"id": "test"}}""");
var request = new SigningRequest(
Subjects:
[
new SigningSubject("artifact1.tar.gz", new Dictionary<string, string>
{
["sha256"] = "hash1"
}),
new SigningSubject("artifact2.tar.gz", new Dictionary<string, string>
{
["sha256"] = "hash2"
}),
new SigningSubject("artifact3.tar.gz", new Dictionary<string, string>
{
["sha256"] = "hash3"
})
],
PredicateType: PredicateTypes.SlsaProvenanceV02,
Predicate: predicate,
ScannerImageDigest: "sha256:scanner",
ProofOfEntitlement: new ProofOfEntitlement(SignerPoEFormat.Jwt, "token"),
Options: new SigningOptions(SigningMode.Keyless, null, "bundle"));
// Act
var payload = SignerStatementBuilder.BuildStatementPayload(request);
var json = Encoding.UTF8.GetString(payload);
// Assert
using var doc = JsonDocument.Parse(json);
doc.RootElement.GetProperty("subject").GetArrayLength().Should().Be(3);
}
[Fact]
public void BuildStatementPayload_PreservesPredicateContent()
{
// Arrange
var predicateContent = """
{
"builder": { "id": "https://github.com/actions" },
"buildType": "https://github.com/Attestations/GitHubActionsWorkflow@v1",
"invocation": {
"configSource": {
"uri": "git+https://github.com/test/repo@refs/heads/main"
}
}
}
""";
var predicate = JsonDocument.Parse(predicateContent);
var request = new SigningRequest(
Subjects:
[
new SigningSubject("artifact.tar.gz", new Dictionary<string, string>
{
["sha256"] = "abc123"
})
],
PredicateType: PredicateTypes.SlsaProvenanceV02,
Predicate: predicate,
ScannerImageDigest: "sha256:scanner",
ProofOfEntitlement: new ProofOfEntitlement(SignerPoEFormat.Jwt, "token"),
Options: new SigningOptions(SigningMode.Keyless, null, "bundle"));
// Act
var payload = SignerStatementBuilder.BuildStatementPayload(request);
var json = Encoding.UTF8.GetString(payload);
// Assert
using var doc = JsonDocument.Parse(json);
var resultPredicate = doc.RootElement.GetProperty("predicate");
resultPredicate.GetProperty("builder").GetProperty("id").GetString()
.Should().Be("https://github.com/actions");
resultPredicate.GetProperty("buildType").GetString()
.Should().Be("https://github.com/Attestations/GitHubActionsWorkflow@v1");
}
private static SigningRequest CreateSigningRequest()
{
var predicate = JsonDocument.Parse("""{"builder": {"id": "test-builder"}, "invocation": {}}""");
return new SigningRequest(
Subjects:
[
new SigningSubject("artifact.tar.gz", new Dictionary<string, string>
{
["sha256"] = "abc123def456"
})
],
PredicateType: PredicateTypes.SlsaProvenanceV02,
Predicate: predicate,
ScannerImageDigest: "sha256:scanner123",
ProofOfEntitlement: new ProofOfEntitlement(SignerPoEFormat.Jwt, "token"),
Options: new SigningOptions(SigningMode.Keyless, 3600, "bundle"));
}
}

182
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Signing/SigningServiceCollectionExtensionsTests.cs Normal file
View File

@@ -0,0 +1,182 @@
using System;
using FluentAssertions;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Signing;
using Xunit;
namespace StellaOps.Signer.Tests.Signing;
public sealed class SigningServiceCollectionExtensionsTests
{
[Fact]
public void AddDsseSigning_RegistersRequiredServices()
{
// Arrange
var services = new ServiceCollection();
services.AddLogging();
// Act
services.AddDsseSigning();
var provider = services.BuildServiceProvider();
// Assert
provider.GetService<ISigningKeyResolver>().Should().NotBeNull();
provider.GetService<IOptions<DsseSignerOptions>>().Should().NotBeNull();
}
[Fact]
public void AddDsseSigning_AllowsCustomConfiguration()
{
// Arrange
var services = new ServiceCollection();
services.AddLogging();
// Act
services.AddDsseSigning(options =>
{
options.DefaultIssuer = "https://custom.issuer.io";
options.KeylessAlgorithm = "ES384";
});
var provider = services.BuildServiceProvider();
var options = provider.GetRequiredService<IOptions<DsseSignerOptions>>().Value;
// Assert
options.DefaultIssuer.Should().Be("https://custom.issuer.io");
options.KeylessAlgorithm.Should().Be("ES384");
}
[Fact]
public void AddDsseSigningWithKms_SetsDefaultKmsKeyId()
{
// Arrange
var services = new ServiceCollection();
services.AddLogging();
// Act
services.AddDsseSigningWithKms("projects/my-project/locations/global/keyRings/ring/cryptoKeys/key");
var provider = services.BuildServiceProvider();
var options = provider.GetRequiredService<IOptions<DsseSignerOptions>>().Value;
// Assert
options.DefaultKmsKeyId.Should().Be("projects/my-project/locations/global/keyRings/ring/cryptoKeys/key");
}
[Fact]
public void AddDsseSigningWithKms_AllowsAdditionalConfiguration()
{
// Arrange
var services = new ServiceCollection();
services.AddLogging();
// Act
services.AddDsseSigningWithKms(
"default-key",
options => options.PreferredProvider = "kms-provider");
var provider = services.BuildServiceProvider();
var options = provider.GetRequiredService<IOptions<DsseSignerOptions>>().Value;
// Assert
options.DefaultKmsKeyId.Should().Be("default-key");
options.PreferredProvider.Should().Be("kms-provider");
}
[Fact]
public void AddDsseSigningKeyless_SetsDefaultIssuer()
{
// Arrange
var services = new ServiceCollection();
services.AddLogging();
// Act
services.AddDsseSigningKeyless("https://keyless.stellaops.io");
var provider = services.BuildServiceProvider();
var options = provider.GetRequiredService<IOptions<DsseSignerOptions>>().Value;
// Assert
options.DefaultIssuer.Should().Be("https://keyless.stellaops.io");
}
[Fact]
public void AddDsseSigningKeyless_UsesDefaultIssuerWhenNotSpecified()
{
// Arrange
var services = new ServiceCollection();
services.AddLogging();
// Act
services.AddDsseSigningKeyless();
var provider = services.BuildServiceProvider();
var options = provider.GetRequiredService<IOptions<DsseSignerOptions>>().Value;
// Assert
options.DefaultIssuer.Should().Be("https://stellaops.io");
}
[Fact]
public void AddDsseSigning_ThrowsArgumentNullException_WhenServicesIsNull()
{
// Arrange
IServiceCollection? services = null;
// Act
var act = () => services!.AddDsseSigning();
// Assert
act.Should().Throw<ArgumentNullException>()
.WithParameterName("services");
}
[Fact]
public void AddDsseSigningWithKms_ThrowsArgumentException_WhenKeyIdIsEmpty()
{
// Arrange
var services = new ServiceCollection();
// Act
var act = () => services.AddDsseSigningWithKms("");
// Assert
act.Should().Throw<ArgumentException>()
.WithParameterName("defaultKmsKeyId");
}
[Fact]
public void AddDsseSigning_RegistersTimeProvider()
{
// Arrange
var services = new ServiceCollection();
services.AddLogging();
// Act
services.AddDsseSigning();
var provider = services.BuildServiceProvider();
// Assert
provider.GetService<TimeProvider>().Should().NotBeNull();
}
[Fact]
public void AddDsseSigning_DoesNotOverrideExistingTimeProvider()
{
// Arrange
var services = new ServiceCollection();
services.AddLogging();
var customTimeProvider = new FakeTimeProvider();
services.AddSingleton<TimeProvider>(customTimeProvider);
// Act
services.AddDsseSigning();
var provider = services.BuildServiceProvider();
var resolvedProvider = provider.GetRequiredService<TimeProvider>();
// Assert
resolvedProvider.Should().BeSameAs(customTimeProvider);
}
private sealed class FakeTimeProvider : TimeProvider
{
public override DateTimeOffset GetUtcNow() => new(2025, 1, 1, 0, 0, 0, TimeSpan.Zero);
}
}

121
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/Signing/Sm2SigningTests.cs Normal file
View File

@@ -0,0 +1,121 @@
using System;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Cryptography;
using StellaOps.Cryptography.Plugin.SmSoft;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Signing;
using StellaOps.Signer.Tests.Fixtures;
using Xunit;
namespace StellaOps.Signer.Tests.Signing;
public class Sm2SigningTests : IDisposable
{
private readonly string? _gate;
public Sm2SigningTests()
{
_gate = Environment.GetEnvironmentVariable("SM_SOFT_ALLOWED");
Environment.SetEnvironmentVariable("SM_SOFT_ALLOWED", "1");
}
[Fact]
public async Task Sign_Sm2_Succeeds_WhenGateOn()
{
var registry = TestCryptoFactory.CreateSm2Registry();
var keyResolver = new StubKeyResolver("sm2-key", SignatureAlgorithms.Sm2, "cn.sm.soft");
var options = Options.Create(new DsseSignerOptions
{
KeylessAlgorithm = SignatureAlgorithms.Sm2,
KmsAlgorithm = SignatureAlgorithms.Sm2,
PreferredProvider = "cn.sm.soft"
});
var signer = new CryptoDsseSigner(
registry,
keyResolver,
options,
NullLogger<CryptoDsseSigner>.Instance);
var request = BuildRequest();
var entitlement = new ProofOfEntitlementResult("lic", "cust", "plan", 0, 0, 0, DateTimeOffset.UtcNow.AddHours(1));
var caller = BuildCaller();
var bundle = await signer.SignAsync(request, entitlement, caller, default);
Assert.Equal(SignatureAlgorithms.Sm2, bundle.Metadata.AlgorithmId);
Assert.Equal("cn.sm.soft", bundle.Metadata.ProviderName);
}
[Fact]
public async Task Sign_Sm2_Fails_WhenGateOff()
{
Environment.SetEnvironmentVariable("SM_SOFT_ALLOWED", null);
var registry = TestCryptoFactory.CreateSm2Registry();
var keyResolver = new StubKeyResolver("sm2-key", SignatureAlgorithms.Sm2, "cn.sm.soft");
var options = Options.Create(new DsseSignerOptions { KeylessAlgorithm = SignatureAlgorithms.Sm2 });
var signer = new CryptoDsseSigner(
registry,
keyResolver,
options,
NullLogger<CryptoDsseSigner>.Instance);
var request = BuildRequest();
var entitlement = new ProofOfEntitlementResult("lic", "cust", "plan", 0, 0, 0, DateTimeOffset.UtcNow.AddHours(1));
var caller = BuildCaller();
await Assert.ThrowsAsync<InvalidOperationException>(() => signer.SignAsync(request, entitlement, caller, default).AsTask());
}
private class StubKeyResolver : ISigningKeyResolver
{
private readonly string _keyId;
private readonly string _alg;
private readonly string _provider;
public StubKeyResolver(string keyId, string alg, string provider)
{
_keyId = keyId;
_alg = alg;
_provider = provider;
}
public ValueTask<SigningKeyResolution> ResolveKeyAsync(SigningMode mode, string tenant, CancellationToken cancellationToken)
{
var resolution = new SigningKeyResolution(_keyId, _provider, "https://sm.test", "sm2-subject");
return ValueTask.FromResult(resolution);
}
}
public void Dispose()
{
Environment.SetEnvironmentVariable("SM_SOFT_ALLOWED", _gate);
}
private static SigningRequest BuildRequest()
{
var subject = new SigningSubject("pkg", new Dictionary<string, string> { ["sha256"] = "00" });
return new SigningRequest(
new[] { subject },
"test-predicate",
JsonDocument.Parse("{}"),
"sha256:00",
new ProofOfEntitlement(SignerPoEFormat.Jwt, "stub"),
new SigningOptions(SigningMode.Keyless, null, "dsse"));
}
private static CallerContext BuildCaller() => new(
Subject: "subject-1",
Tenant: "tenant-1",
Scopes: Array.Empty<string>(),
Audiences: Array.Empty<string>(),
SenderBinding: string.Empty,
ClientCertificateThumbprint: string.Empty);
}

31
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj Normal file
View File

@@ -0,0 +1,31 @@
<?xml version='1.0' encoding='utf-8'?>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<TreatWarningsAsErrors>false</TreatWarningsAsErrors>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="BouncyCastle.Cryptography" />
<PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" />
<PackageReference Include="FluentAssertions" />
<PackageReference Include="NSubstitute" />
</ItemGroup>
<ItemGroup> </ItemGroup>
<ItemGroup>
<ProjectReference Include="..\StellaOps.Signer.WebService\StellaOps.Signer.WebService.csproj" />
<ProjectReference Include="..\StellaOps.Signer.Infrastructure\StellaOps.Signer.Infrastructure.csproj" />
<ProjectReference Include="..\StellaOps.Signer.Core\StellaOps.Signer.Core.csproj" />
<ProjectReference Include="..\..\__Libraries\StellaOps.Signer.KeyManagement\StellaOps.Signer.KeyManagement.csproj" />
<ProjectReference Include="..\..\__Libraries\StellaOps.Signer.Keyless\StellaOps.Signer.Keyless.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.Configuration/StellaOps.Configuration.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.DependencyInjection/StellaOps.DependencyInjection.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.Cryptography/StellaOps.Cryptography.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.Canonical.Json/StellaOps.Canonical.Json.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.TestKit/StellaOps.TestKit.csproj" />
</ItemGroup>
</Project>

8
src/Attestor/StellaOps.Signer/StellaOps.Signer.Tests/TASKS.md Normal file
View File

@@ -0,0 +1,8 @@
# StellaOps.Signer.Tests Task Board
This board mirrors active sprint tasks for this module.
Source of truth: `docs/implplan/SPRINT_20260130_002_Tools_csproj_remediation_solid_review.md`.
| Task ID | Status | Notes |
| --- | --- | --- |
| REMED-05 | TODO | Remediation checklist: docs/implplan/audits/csproj-standards/remediation/checklists/src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.md. |
| REMED-06 | DONE | SOLID review notes captured for SPRINT_20260130_002. |

293
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Ceremonies/InMemoryCeremonyServices.cs Normal file
View File

@@ -0,0 +1,293 @@
using StellaOps.Signer.Core.Ceremonies;
namespace StellaOps.Signer.WebService.Ceremonies;
public sealed class InMemoryCeremonyRepository : ICeremonyRepository
{
private readonly Dictionary<Guid, Ceremony> _ceremonies = new();
private readonly object _sync = new();
public Task<Ceremony> CreateAsync(Ceremony ceremony, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(ceremony);
lock (_sync)
{
_ceremonies[ceremony.CeremonyId] = CloneCeremony(ceremony);
return Task.FromResult(CloneCeremony(_ceremonies[ceremony.CeremonyId]));
}
}
public Task<Ceremony?> GetByIdAsync(Guid ceremonyId, CancellationToken cancellationToken = default)
{
lock (_sync)
{
return Task.FromResult(_ceremonies.TryGetValue(ceremonyId, out var ceremony)
? CloneCeremony(ceremony)
: null);
}
}
public Task<Ceremony?> UpdateStateAsync(
Guid ceremonyId,
CeremonyState newState,
int thresholdReached,
DateTimeOffset? executedAt = null,
CancellationToken cancellationToken = default)
{
lock (_sync)
{
if (!_ceremonies.TryGetValue(ceremonyId, out var ceremony))
{
return Task.FromResult<Ceremony?>(null);
}
var updated = ceremony with
{
State = newState,
ThresholdReached = thresholdReached,
ExecutedAt = executedAt ?? ceremony.ExecutedAt
};
_ceremonies[ceremonyId] = updated;
return Task.FromResult<Ceremony?>(CloneCeremony(updated));
}
}
public Task<CeremonyApproval> AddApprovalAsync(CeremonyApproval approval, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(approval);
lock (_sync)
{
if (_ceremonies.TryGetValue(approval.CeremonyId, out var ceremony))
{
var approvals = ceremony.Approvals.Concat(new[] { CloneApproval(approval) }).ToArray();
_ceremonies[approval.CeremonyId] = ceremony with { Approvals = approvals };
}
return Task.FromResult(CloneApproval(approval));
}
}
public Task<bool> HasApprovedAsync(
Guid ceremonyId,
string approverIdentity,
CancellationToken cancellationToken = default)
{
lock (_sync)
{
var approved = _ceremonies.TryGetValue(ceremonyId, out var ceremony) &&
ceremony.Approvals.Any(a => string.Equals(a.ApproverIdentity, approverIdentity, StringComparison.OrdinalIgnoreCase));
return Task.FromResult(approved);
}
}
public Task<IReadOnlyList<CeremonyApproval>> GetApprovalsAsync(Guid ceremonyId, CancellationToken cancellationToken = default)
{
lock (_sync)
{
if (!_ceremonies.TryGetValue(ceremonyId, out var ceremony))
{
return Task.FromResult<IReadOnlyList<CeremonyApproval>>(Array.Empty<CeremonyApproval>());
}
return Task.FromResult<IReadOnlyList<CeremonyApproval>>(ceremony.Approvals.Select(CloneApproval).ToArray());
}
}
public Task<IReadOnlyList<Ceremony>> ListAsync(CeremonyFilter? filter = null, CancellationToken cancellationToken = default)
{
lock (_sync)
{
IEnumerable<Ceremony> query = _ceremonies.Values;
if (filter is not null)
{
if (filter.State.HasValue)
{
query = query.Where(c => c.State == filter.State.Value);
}
if (filter.OperationType.HasValue)
{
query = query.Where(c => c.OperationType == filter.OperationType.Value);
}
if (!string.IsNullOrWhiteSpace(filter.InitiatedBy))
{
query = query.Where(c => string.Equals(c.InitiatedBy, filter.InitiatedBy, StringComparison.OrdinalIgnoreCase));
}
if (!string.IsNullOrWhiteSpace(filter.PendingApprover))
{
query = query.Where(c =>
c.State is CeremonyState.Pending or CeremonyState.PartiallyApproved &&
!c.Approvals.Any(a => string.Equals(a.ApproverIdentity, filter.PendingApprover, StringComparison.OrdinalIgnoreCase)));
}
if (filter.InitiatedAfter.HasValue)
{
query = query.Where(c => c.InitiatedAt >= filter.InitiatedAfter.Value);
}
if (filter.InitiatedBefore.HasValue)
{
query = query.Where(c => c.InitiatedAt <= filter.InitiatedBefore.Value);
}
if (!filter.IncludeExpired)
{
query = query.Where(c => c.State != CeremonyState.Expired);
}
if (!string.IsNullOrWhiteSpace(filter.TenantId))
{
query = query.Where(c => string.Equals(c.TenantId, filter.TenantId, StringComparison.OrdinalIgnoreCase));
}
}
query = query.OrderByDescending(c => c.InitiatedAt);
if (filter?.Offset is > 0)
{
query = query.Skip(filter.Offset.Value);
}
if (filter?.Limit is > 0)
{
query = query.Take(filter.Limit.Value);
}
return Task.FromResult<IReadOnlyList<Ceremony>>(query.Select(CloneCeremony).ToArray());
}
}
public Task<IReadOnlyList<Ceremony>> GetExpiredCeremoniesAsync(DateTimeOffset asOf, CancellationToken cancellationToken = default)
{
lock (_sync)
{
var expired = _ceremonies.Values
.Where(c => c.ExpiresAt <= asOf && c.State is CeremonyState.Pending or CeremonyState.PartiallyApproved or CeremonyState.Approved)
.Select(CloneCeremony)
.ToArray();
return Task.FromResult<IReadOnlyList<Ceremony>>(expired);
}
}
public Task<int> MarkExpiredAsync(IEnumerable<Guid> ceremonyIds, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(ceremonyIds);
var count = 0;
lock (_sync)
{
foreach (var ceremonyId in ceremonyIds)
{
if (!_ceremonies.TryGetValue(ceremonyId, out var ceremony))
{
continue;
}
if (ceremony.State is CeremonyState.Executed or CeremonyState.Cancelled or CeremonyState.Expired)
{
continue;
}
_ceremonies[ceremonyId] = ceremony with { State = CeremonyState.Expired };
count++;
}
}
return Task.FromResult(count);
}
private static Ceremony CloneCeremony(Ceremony ceremony)
{
return ceremony with
{
Payload = ClonePayload(ceremony.Payload),
Approvals = ceremony.Approvals.Select(CloneApproval).ToArray()
};
}
private static CeremonyOperationPayload ClonePayload(CeremonyOperationPayload payload)
{
return payload with
{
KeyUsages = payload.KeyUsages?.ToArray(),
Metadata = payload.Metadata is null ? null : new Dictionary<string, string>(payload.Metadata)
};
}
private static CeremonyApproval CloneApproval(CeremonyApproval approval)
{
return approval with { ApprovalSignature = approval.ApprovalSignature.ToArray() };
}
}
public sealed class InMemoryCeremonyAuditSink : ICeremonyAuditSink
{
private readonly List<CeremonyAuditEvent> _events = new();
private readonly object _sync = new();
public Task WriteAsync(CeremonyAuditEvent auditEvent, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(auditEvent);
lock (_sync)
{
_events.Add(auditEvent);
}
return Task.CompletedTask;
}
public IReadOnlyList<CeremonyAuditEvent> Events
{
get
{
lock (_sync)
{
return _events.ToArray();
}
}
}
}
public sealed class AllowAllCeremonyApproverValidator : ICeremonyApproverValidator
{
public Task<ApproverValidationResult> ValidateApproverAsync(
string approverIdentity,
CeremonyOperationType operationType,
byte[] signature,
CancellationToken cancellationToken = default)
{
if (string.IsNullOrWhiteSpace(approverIdentity))
{
return Task.FromResult(new ApproverValidationResult
{
IsValid = false,
Error = "Approver identity is required.",
ErrorCode = CeremonyErrorCode.UnauthorizedApprover
});
}
if (signature is null || signature.Length == 0)
{
return Task.FromResult(new ApproverValidationResult
{
IsValid = false,
Error = "Approval signature is required.",
ErrorCode = CeremonyErrorCode.InvalidSignature
});
}
return Task.FromResult(new ApproverValidationResult
{
IsValid = true
});
}
}

36
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Contracts/SignDsseContracts.cs Normal file
View File

@@ -0,0 +1,36 @@
using System.Collections.Generic;
using System.Text.Json;
namespace StellaOps.Signer.WebService.Contracts;
public sealed record SignDsseSubjectDto(string Name, Dictionary<string, string> Digest);
public sealed record SignDssePoeDto(string Format, string Value);
public sealed record SignDsseOptionsDto(string? SigningMode, int? ExpirySeconds, string? ReturnBundle);
public sealed record SignDsseRequestDto(
List<SignDsseSubjectDto> Subject,
string PredicateType,
JsonElement Predicate,
string ScannerImageDigest,
SignDssePoeDto Poe,
SignDsseOptionsDto? Options);
public sealed record SignDsseResponseDto(SignDsseBundleDto Bundle, SignDssePolicyDto Policy, string AuditId);
public sealed record SignDsseBundleDto(SignDsseEnvelopeDto Dsse, IReadOnlyList<string> CertificateChain, string Mode, SignDsseIdentityDto SigningIdentity);
public sealed record SignDsseEnvelopeDto(string PayloadType, string Payload, IReadOnlyList<SignDsseSignatureDto> Signatures);
public sealed record SignDsseSignatureDto(string Signature, string? KeyId);
public sealed record SignDsseIdentityDto(string Issuer, string Subject, string? CertExpiry);
public sealed record SignDssePolicyDto(string Plan, int MaxArtifactBytes, int QpsRemaining);
public sealed record VerifyReferrersResponseDto(bool Trusted, string? TrustedSigner);
public sealed record VerifyDsseRequestDto(SignDsseEnvelopeDto Dsse);
public sealed record VerifyDsseResponseDto(bool Verified, string? KeyId, string? Reason);

611
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Endpoints/CeremonyEndpoints.cs Normal file
View File

@@ -0,0 +1,611 @@
// -----------------------------------------------------------------------------
// CeremonyEndpoints.cs
// Sprint: SPRINT_20260112_018_SIGNER_dual_control_ceremonies
// Tasks: DUAL-010
// Description: API endpoints for dual-control signing ceremonies.
// -----------------------------------------------------------------------------
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using static StellaOps.Localization.T;
using Microsoft.Extensions.Logging;
using StellaOps.Signer.Core.Ceremonies;
using StellaOps.Signer.WebService.Contracts;
using System.Security.Claims;
using System.Text.Json;
using StellaOps.Auth.ServerIntegration.Tenancy;
namespace StellaOps.Signer.WebService.Endpoints;
/// <summary>
/// API endpoints for M-of-N dual-control signing ceremonies.
/// </summary>
public static class CeremonyEndpoints
{
private static readonly JsonSerializerOptions SerializerOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
WriteIndented = false,
};
/// <summary>
/// Maps ceremony endpoints to the endpoint route builder.
/// </summary>
public static IEndpointRouteBuilder MapCeremonyEndpoints(this IEndpointRouteBuilder endpoints)
{
var group = endpoints.MapGroup("/api/v1/ceremonies")
.WithTags("Ceremonies")
.RequireAuthorization("ceremony:read")
.RequireTenant();
// Create ceremony
group.MapPost("/", CreateCeremonyAsync)
.WithName("CreateCeremony")
.WithSummary("Create a new signing ceremony")
.WithDescription(_t("signer.ceremony.create_description"))
.RequireAuthorization("ceremony:create")
.Produces<CeremonyResponseDto>(StatusCodes.Status201Created)
.ProducesProblem(StatusCodes.Status400BadRequest)
.ProducesProblem(StatusCodes.Status403Forbidden);
// List ceremonies
group.MapGet("/", ListCeremoniesAsync)
.WithName("ListCeremonies")
.WithSummary("List ceremonies with optional filters")
.WithDescription(_t("signer.ceremony.list_description"))
.Produces<CeremonyListResponseDto>(StatusCodes.Status200OK);
// Get ceremony by ID
group.MapGet("/{ceremonyId:guid}", GetCeremonyAsync)
.WithName("GetCeremony")
.WithSummary("Get a ceremony by ID")
.WithDescription(_t("signer.ceremony.get_description"))
.Produces<CeremonyResponseDto>(StatusCodes.Status200OK)
.ProducesProblem(StatusCodes.Status404NotFound);
// Submit approval
group.MapPost("/{ceremonyId:guid}/approve", ApproveCeremonyAsync)
.WithName("ApproveCeremony")
.WithSummary("Submit an approval for a ceremony")
.WithDescription(_t("signer.ceremony.approve_description"))
.RequireAuthorization("ceremony:approve")
.Produces<CeremonyResponseDto>(StatusCodes.Status200OK)
.ProducesProblem(StatusCodes.Status400BadRequest)
.ProducesProblem(StatusCodes.Status404NotFound)
.ProducesProblem(StatusCodes.Status409Conflict);
// Execute ceremony
group.MapPost("/{ceremonyId:guid}/execute", ExecuteCeremonyAsync)
.WithName("ExecuteCeremony")
.WithSummary("Execute an approved ceremony")
.WithDescription(_t("signer.ceremony.execute_description"))
.RequireAuthorization("ceremony:execute")
.Produces<CeremonyResponseDto>(StatusCodes.Status200OK)
.ProducesProblem(StatusCodes.Status400BadRequest)
.ProducesProblem(StatusCodes.Status404NotFound)
.ProducesProblem(StatusCodes.Status409Conflict);
// Cancel ceremony
group.MapDelete("/{ceremonyId:guid}", CancelCeremonyAsync)
.WithName("CancelCeremony")
.WithSummary("Cancel a pending ceremony")
.WithDescription(_t("signer.ceremony.cancel_description"))
.RequireAuthorization("ceremony:cancel")
.Produces(StatusCodes.Status204NoContent)
.ProducesProblem(StatusCodes.Status404NotFound)
.ProducesProblem(StatusCodes.Status409Conflict);
return endpoints;
}
/// <summary>
/// POST /api/v1/ceremonies - Create a new ceremony.
/// </summary>
private static async Task<IResult> CreateCeremonyAsync(
HttpContext httpContext,
[FromBody] CreateCeremonyRequestDto request,
[FromServices] ICeremonyOrchestrator orchestrator,
ILoggerFactory loggerFactory,
CancellationToken cancellationToken)
{
var logger = loggerFactory.CreateLogger("CeremonyEndpoints.CreateCeremony");
var initiator = GetCallerIdentity(httpContext);
logger.LogInformation(
"Creating ceremony: Type={OperationType}, Initiator={Initiator}",
request.OperationType, initiator);
CeremonyOperationType operationType;
try
{
operationType = MapOperationType(request.OperationType);
}
catch (ArgumentException ex)
{
logger.LogWarning(ex, "Invalid ceremony operation type: {OperationType}", request.OperationType);
return CreateProblem("invalid_operation_type", ex.Message, StatusCodes.Status400BadRequest);
}
var ceremonyRequest = new CreateCeremonyRequest
{
OperationType = operationType,
Payload = MapPayload(request.Payload),
ThresholdOverride = request.ThresholdRequired,
ExpirationMinutesOverride = request.TimeoutMinutes,
Description = request.Description,
TenantId = request.TenantId,
};
var result = await orchestrator.CreateCeremonyAsync(
ceremonyRequest,
initiator,
cancellationToken);
if (!result.Success)
{
logger.LogWarning("Failed to create ceremony: {Error}", result.Error);
return CreateProblem(result.ErrorCode?.ToString() ?? "ceremony_creation_failed", result.Error!, StatusCodes.Status400BadRequest);
}
var response = MapToResponseDto(result.Ceremony!);
return Results.Created($"/api/v1/ceremonies/{result.Ceremony!.CeremonyId}", response);
}
/// <summary>
/// GET /api/v1/ceremonies - List ceremonies.
/// </summary>
private static async Task<IResult> ListCeremoniesAsync(
HttpContext httpContext,
[FromServices] ICeremonyOrchestrator orchestrator,
[FromQuery] string? state,
[FromQuery] string? operationType,
[FromQuery] string? initiatedBy,
[FromQuery] string? tenantId,
[FromQuery] int? limit,
[FromQuery] int? offset,
CancellationToken cancellationToken)
{
var filter = new CeremonyFilter
{
State = ParseState(state),
OperationType = ParseOperationType(operationType),
InitiatedBy = initiatedBy,
TenantId = tenantId,
Limit = limit ?? 50,
Offset = offset ?? 0,
};
var ceremonies = await orchestrator.ListCeremoniesAsync(filter, cancellationToken);
var response = new CeremonyListResponseDto
{
Ceremonies = ceremonies.Select(MapToResponseDto).ToList(),
TotalCount = ceremonies.Count,
Limit = filter.Limit ?? 50,
Offset = filter.Offset ?? 0,
};
return Results.Ok(response);
}
/// <summary>
/// GET /api/v1/ceremonies/{ceremonyId} - Get ceremony by ID.
/// </summary>
private static async Task<IResult> GetCeremonyAsync(
HttpContext httpContext,
Guid ceremonyId,
[FromServices] ICeremonyOrchestrator orchestrator,
CancellationToken cancellationToken)
{
var ceremony = await orchestrator.GetCeremonyAsync(ceremonyId, cancellationToken);
if (ceremony == null)
{
return CreateProblem("ceremony_not_found", _t("signer.ceremony.error.not_found", ceremonyId), StatusCodes.Status404NotFound);
}
return Results.Ok(MapToResponseDto(ceremony));
}
/// <summary>
/// POST /api/v1/ceremonies/{ceremonyId}/approve - Submit approval.
/// </summary>
private static async Task<IResult> ApproveCeremonyAsync(
HttpContext httpContext,
Guid ceremonyId,
[FromBody] ApproveCeremonyRequestDto request,
[FromServices] ICeremonyOrchestrator orchestrator,
ILoggerFactory loggerFactory,
CancellationToken cancellationToken)
{
var logger = loggerFactory.CreateLogger("CeremonyEndpoints.ApproveCeremony");
var approver = GetCallerIdentity(httpContext);
logger.LogInformation(
"Approving ceremony: CeremonyId={CeremonyId}, Approver={Approver}",
ceremonyId, approver);
if (string.IsNullOrWhiteSpace(request.Signature))
{
return CreateProblem("approval_signature_missing", _t("signer.ceremony.error.signature_required"), StatusCodes.Status400BadRequest);
}
byte[] approvalSignature;
try
{
approvalSignature = Convert.FromBase64String(request.Signature);
}
catch (FormatException)
{
return CreateProblem("approval_signature_invalid", _t("signer.ceremony.error.signature_invalid_base64"), StatusCodes.Status400BadRequest);
}
var approvalRequest = new ApproveCeremonyRequest
{
CeremonyId = ceremonyId,
ApprovalReason = request.Reason,
ApprovalSignature = approvalSignature,
SigningKeyId = request.SigningKeyId,
};
var result = await orchestrator.ApproveCeremonyAsync(
approvalRequest,
approver,
cancellationToken);
if (!result.Success)
{
var statusCode = result.ErrorCode switch
{
CeremonyErrorCode.NotFound => StatusCodes.Status404NotFound,
CeremonyErrorCode.DuplicateApproval => StatusCodes.Status409Conflict,
CeremonyErrorCode.AlreadyExecuted => StatusCodes.Status409Conflict,
CeremonyErrorCode.Cancelled => StatusCodes.Status409Conflict,
CeremonyErrorCode.Expired => StatusCodes.Status409Conflict,
CeremonyErrorCode.UnauthorizedApprover => StatusCodes.Status403Forbidden,
CeremonyErrorCode.InvalidSignature => StatusCodes.Status400BadRequest,
_ => StatusCodes.Status400BadRequest,
};
logger.LogWarning("Failed to approve ceremony {CeremonyId}: {Error}", ceremonyId, result.Error);
return CreateProblem(result.ErrorCode?.ToString() ?? "approval_failed", result.Error!, statusCode);
}
return Results.Ok(MapToResponseDto(result.Ceremony!));
}
/// <summary>
/// POST /api/v1/ceremonies/{ceremonyId}/execute - Execute approved ceremony.
/// </summary>
private static async Task<IResult> ExecuteCeremonyAsync(
HttpContext httpContext,
Guid ceremonyId,
[FromServices] ICeremonyOrchestrator orchestrator,
ILoggerFactory loggerFactory,
CancellationToken cancellationToken)
{
var logger = loggerFactory.CreateLogger("CeremonyEndpoints.ExecuteCeremony");
var executor = GetCallerIdentity(httpContext);
logger.LogInformation(
"Executing ceremony: CeremonyId={CeremonyId}, Executor={Executor}",
ceremonyId, executor);
var result = await orchestrator.ExecuteCeremonyAsync(
ceremonyId,
executor,
cancellationToken);
if (!result.Success)
{
var statusCode = result.ErrorCode switch
{
CeremonyErrorCode.NotFound => StatusCodes.Status404NotFound,
CeremonyErrorCode.AlreadyExecuted => StatusCodes.Status409Conflict,
CeremonyErrorCode.Expired => StatusCodes.Status409Conflict,
CeremonyErrorCode.Cancelled => StatusCodes.Status409Conflict,
_ => StatusCodes.Status400BadRequest,
};
logger.LogWarning("Failed to execute ceremony {CeremonyId}: {Error}", ceremonyId, result.Error);
return CreateProblem(result.ErrorCode?.ToString() ?? "execution_failed", result.Error!, statusCode);
}
return Results.Ok(MapToResponseDto(result.Ceremony!));
}
/// <summary>
/// DELETE /api/v1/ceremonies/{ceremonyId} - Cancel ceremony.
/// </summary>
private static async Task<IResult> CancelCeremonyAsync(
HttpContext httpContext,
Guid ceremonyId,
[FromQuery] string? reason,
[FromServices] ICeremonyOrchestrator orchestrator,
ILoggerFactory loggerFactory,
CancellationToken cancellationToken)
{
var logger = loggerFactory.CreateLogger("CeremonyEndpoints.CancelCeremony");
var canceller = GetCallerIdentity(httpContext);
logger.LogInformation(
"Cancelling ceremony: CeremonyId={CeremonyId}, Canceller={Canceller}",
ceremonyId, canceller);
var result = await orchestrator.CancelCeremonyAsync(
ceremonyId,
canceller,
reason,
cancellationToken);
if (!result.Success)
{
var statusCode = result.ErrorCode switch
{
CeremonyErrorCode.NotFound => StatusCodes.Status404NotFound,
CeremonyErrorCode.AlreadyExecuted => StatusCodes.Status409Conflict,
CeremonyErrorCode.Expired => StatusCodes.Status409Conflict,
CeremonyErrorCode.Cancelled => StatusCodes.Status409Conflict,
_ => StatusCodes.Status400BadRequest,
};
logger.LogWarning("Failed to cancel ceremony {CeremonyId}: {Error}", ceremonyId, result.Error);
return CreateProblem(result.ErrorCode?.ToString() ?? "cancellation_failed", result.Error!, statusCode);
}
return Results.NoContent();
}
// ═══════════════════════════════════════════════════════════════════════════
// Helper Methods
// ═══════════════════════════════════════════════════════════════════════════
private static string GetCallerIdentity(HttpContext httpContext)
{
return httpContext.User.FindFirst(ClaimTypes.NameIdentifier)?.Value
?? httpContext.User.FindFirst("sub")?.Value
?? "anonymous";
}
private static CeremonyOperationType MapOperationType(string operationType)
{
return operationType.ToLowerInvariant() switch
{
"keygeneration" or "key_generation" => CeremonyOperationType.KeyGeneration,
"keyrotation" or "key_rotation" => CeremonyOperationType.KeyRotation,
"keyrevocation" or "key_revocation" => CeremonyOperationType.KeyRevocation,
"keyexport" or "key_export" => CeremonyOperationType.KeyExport,
"keyimport" or "key_import" => CeremonyOperationType.KeyImport,
"keyrecovery" or "key_recovery" => CeremonyOperationType.KeyRecovery,
_ => throw new ArgumentException($"Unknown operation type: {operationType}"),
};
}
private static CeremonyState? ParseState(string? state)
{
if (string.IsNullOrEmpty(state)) return null;
return state.ToLowerInvariant() switch
{
"pending" => CeremonyState.Pending,
"partiallyapproved" or "partially_approved" => CeremonyState.PartiallyApproved,
"approved" => CeremonyState.Approved,
"executed" => CeremonyState.Executed,
"expired" => CeremonyState.Expired,
"cancelled" => CeremonyState.Cancelled,
_ => null,
};
}
private static CeremonyOperationType? ParseOperationType(string? operationType)
{
if (string.IsNullOrEmpty(operationType)) return null;
try
{
return MapOperationType(operationType);
}
catch
{
return null;
}
}
private static CeremonyOperationPayload MapPayload(CreateCeremonyPayloadDto? dto)
{
if (dto == null) return new CeremonyOperationPayload();
return new CeremonyOperationPayload
{
KeyId = dto.KeyId,
Algorithm = dto.Algorithm,
KeySize = dto.KeySize,
KeyUsages = dto.KeyUsages,
Reason = dto.Reason,
Metadata = dto.Metadata,
};
}
private static CeremonyResponseDto MapToResponseDto(Ceremony ceremony)
{
return new CeremonyResponseDto
{
CeremonyId = ceremony.CeremonyId,
OperationType = ceremony.OperationType.ToString(),
State = ceremony.State.ToString(),
ThresholdRequired = ceremony.ThresholdRequired,
ThresholdReached = ceremony.ThresholdReached,
InitiatedBy = ceremony.InitiatedBy,
InitiatedAt = ceremony.InitiatedAt,
ExpiresAt = ceremony.ExpiresAt,
ExecutedAt = ceremony.ExecutedAt,
Description = ceremony.Description,
TenantId = ceremony.TenantId,
Payload = MapPayloadToDto(ceremony.Payload),
Approvals = ceremony.Approvals.Select(MapApprovalToDto).ToList(),
};
}
private static CeremonyPayloadDto MapPayloadToDto(CeremonyOperationPayload payload)
{
return new CeremonyPayloadDto
{
KeyId = payload.KeyId,
Algorithm = payload.Algorithm,
KeySize = payload.KeySize,
KeyUsages = payload.KeyUsages?.ToList(),
Reason = payload.Reason,
Metadata = payload.Metadata?.ToDictionary(x => x.Key, x => x.Value),
};
}
private static CeremonyApprovalDto MapApprovalToDto(CeremonyApproval approval)
{
return new CeremonyApprovalDto
{
ApprovalId = approval.ApprovalId,
ApproverIdentity = approval.ApproverIdentity,
ApprovedAt = approval.ApprovedAt,
Reason = approval.ApprovalReason,
};
}
private static IResult CreateProblem(string code, string detail, int statusCode)
{
return Results.Problem(
detail: detail,
statusCode: statusCode,
title: code,
type: $"https://stellaops.io/errors/{code}");
}
}
// ═══════════════════════════════════════════════════════════════════════════
// DTO Classes
// ═══════════════════════════════════════════════════════════════════════════
/// <summary>
/// Request to create a new ceremony.
/// </summary>
public sealed record CreateCeremonyRequestDto
{
/// <summary>
/// Type of operation (KeyGeneration, KeyRotation, KeyRevocation, KeyExport, KeyImport, KeyRecovery).
/// </summary>
public required string OperationType { get; init; }
/// <summary>
/// Operation-specific payload.
/// </summary>
public CreateCeremonyPayloadDto? Payload { get; init; }
/// <summary>
/// Number of approvals required.
/// </summary>
public required int ThresholdRequired { get; init; }
/// <summary>
/// Ceremony timeout in minutes (default: 60).
/// </summary>
public int? TimeoutMinutes { get; init; }
/// <summary>
/// Human-readable description.
/// </summary>
public string? Description { get; init; }
/// <summary>
/// Tenant ID for multi-tenant deployments.
/// </summary>
public string? TenantId { get; init; }
}
/// <summary>
/// Operation payload for ceremony creation.
/// </summary>
public sealed record CreateCeremonyPayloadDto
{
public string? KeyId { get; init; }
public string? Algorithm { get; init; }
public int? KeySize { get; init; }
public List<string>? KeyUsages { get; init; }
public string? Reason { get; init; }
public Dictionary<string, string>? Metadata { get; init; }
}
/// <summary>
/// Request to approve a ceremony.
/// </summary>
public sealed record ApproveCeremonyRequestDto
{
/// <summary>
/// Reason for approval.
/// </summary>
public string? Reason { get; init; }
/// <summary>
/// Approval signature (base64 encoded).
/// </summary>
public string? Signature { get; init; }
/// <summary>
/// Key ID used for signing the approval.
/// </summary>
public string? SigningKeyId { get; init; }
}
/// <summary>
/// Response containing ceremony details.
/// </summary>
public sealed record CeremonyResponseDto
{
public required Guid CeremonyId { get; init; }
public required string OperationType { get; init; }
public required string State { get; init; }
public required int ThresholdRequired { get; init; }
public required int ThresholdReached { get; init; }
public required string InitiatedBy { get; init; }
public required DateTimeOffset InitiatedAt { get; init; }
public required DateTimeOffset ExpiresAt { get; init; }
public DateTimeOffset? ExecutedAt { get; init; }
public string? Description { get; init; }
public string? TenantId { get; init; }
public required CeremonyPayloadDto Payload { get; init; }
public required List<CeremonyApprovalDto> Approvals { get; init; }
}
/// <summary>
/// Ceremony payload in response.
/// </summary>
public sealed record CeremonyPayloadDto
{
public string? KeyId { get; init; }
public string? Algorithm { get; init; }
public int? KeySize { get; init; }
public List<string>? KeyUsages { get; init; }
public string? Reason { get; init; }
public Dictionary<string, string>? Metadata { get; init; }
}
/// <summary>
/// Approval information in response.
/// </summary>
public sealed record CeremonyApprovalDto
{
public required Guid ApprovalId { get; init; }
public required string ApproverIdentity { get; init; }
public required DateTimeOffset ApprovedAt { get; init; }
public string? Reason { get; init; }
}
/// <summary>
/// Response containing list of ceremonies.
/// </summary>
public sealed record CeremonyListResponseDto
{
public required List<CeremonyResponseDto> Ceremonies { get; init; }
public required int TotalCount { get; init; }
public required int Limit { get; init; }
public required int Offset { get; init; }
}

469
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Endpoints/KeyRotationEndpoints.cs Normal file
View File

@@ -0,0 +1,469 @@
// -----------------------------------------------------------------------------
// KeyRotationEndpoints.cs
// Sprint: SPRINT_0501_0008_0001_proof_chain_key_rotation
// Task: PROOF-KEY-0010 - Implement key rotation API endpoints
// Description: API endpoints for key rotation and trust anchor management
// -----------------------------------------------------------------------------
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using static StellaOps.Localization.T;
using Microsoft.Extensions.Logging;
using StellaOps.Signer.KeyManagement;
using System.ComponentModel.DataAnnotations;
using StellaOps.Auth.ServerIntegration.Tenancy;
namespace StellaOps.Signer.WebService.Endpoints;
/// <summary>
/// API endpoints for key rotation operations.
/// Implements advisory §8.2 key rotation workflow.
/// </summary>
public static class KeyRotationEndpoints
{
/// <summary>
/// Map key rotation endpoints to the router.
/// </summary>
public static IEndpointRouteBuilder MapKeyRotationEndpoints(this IEndpointRouteBuilder endpoints)
{
var group = endpoints.MapGroup("/api/v1/anchors")
.WithTags("KeyRotation", "TrustAnchors")
.RequireAuthorization("KeyManagement")
.RequireTenant();
// Key management endpoints
group.MapPost("/{anchorId:guid}/keys", AddKeyAsync)
.WithName("AddKey")
.WithSummary("Add a new signing key to a trust anchor")
.WithDescription(_t("signer.anchor.add_key_description"))
.Produces<AddKeyResponseDto>(StatusCodes.Status201Created)
.Produces<ProblemDetails>(StatusCodes.Status400BadRequest)
.Produces<ProblemDetails>(StatusCodes.Status404NotFound);
group.MapPost("/{anchorId:guid}/keys/{keyId}/revoke", RevokeKeyAsync)
.WithName("RevokeKey")
.WithSummary("Revoke a signing key from a trust anchor")
.WithDescription(_t("signer.anchor.revoke_key_description"))
.Produces<RevokeKeyResponseDto>(StatusCodes.Status200OK)
.Produces<ProblemDetails>(StatusCodes.Status400BadRequest)
.Produces<ProblemDetails>(StatusCodes.Status404NotFound);
group.MapGet("/{anchorId:guid}/keys/{keyId}/validity", CheckKeyValidityAsync)
.WithName("CheckKeyValidity")
.WithSummary("Check if a key was valid at a specific time")
.WithDescription(_t("signer.anchor.check_validity_description"))
.Produces<KeyValidityResponseDto>(StatusCodes.Status200OK)
.Produces<ProblemDetails>(StatusCodes.Status404NotFound);
group.MapGet("/{anchorId:guid}/keys/history", GetKeyHistoryAsync)
.WithName("GetKeyHistory")
.WithSummary("Get the full key history for a trust anchor")
.WithDescription(_t("signer.anchor.key_history_description"))
.Produces<KeyHistoryResponseDto>(StatusCodes.Status200OK)
.Produces<ProblemDetails>(StatusCodes.Status404NotFound);
group.MapGet("/{anchorId:guid}/keys/warnings", GetRotationWarningsAsync)
.WithName("GetRotationWarnings")
.WithSummary("Get rotation warnings for a trust anchor")
.WithDescription(_t("signer.anchor.rotation_warnings_description"))
.Produces<RotationWarningsResponseDto>(StatusCodes.Status200OK)
.Produces<ProblemDetails>(StatusCodes.Status404NotFound);
return endpoints;
}
/// <summary>
/// Add a new signing key to a trust anchor.
/// </summary>
private static async Task<IResult> AddKeyAsync(
[FromRoute] Guid anchorId,
[FromBody] AddKeyRequestDto request,
IKeyRotationService rotationService,
ILoggerFactory loggerFactory,
CancellationToken ct)
{
var logger = loggerFactory.CreateLogger("KeyRotationEndpoints.AddKey");
if (request is null)
{
return Results.Problem(
title: "Invalid request",
detail: _t("signer.error.request_required"),
statusCode: StatusCodes.Status400BadRequest);
}
try
{
var addRequest = new AddKeyRequest
{
KeyId = request.KeyId,
PublicKey = request.PublicKey,
Algorithm = request.Algorithm,
ExpiresAt = request.ExpiresAt,
Metadata = request.Metadata
};
var result = await rotationService.AddKeyAsync(anchorId, addRequest, ct);
if (!result.Success)
{
var statusCode = IsNotFound(result.ErrorMessage)
? StatusCodes.Status404NotFound
: StatusCodes.Status400BadRequest;
return Results.Problem(
title: _t("signer.error.key_addition_failed"),
detail: result.ErrorMessage,
statusCode: statusCode);
}
logger.LogInformation(
"Added key {KeyId} to anchor {AnchorId}, audit log {AuditLogId}",
request.KeyId, anchorId, result.AuditLogId);
var response = new AddKeyResponseDto
{
KeyId = request.KeyId,
AnchorId = anchorId,
AllowedKeyIds = result.AllowedKeyIds.ToList(),
AuditLogId = result.AuditLogId
};
return Results.Created($"/api/v1/anchors/{anchorId}/keys/{request.KeyId}", response);
}
catch (KeyNotFoundException)
{
return Results.Problem(
title: "Anchor not found",
detail: _t("signer.error.anchor_not_found", anchorId),
statusCode: StatusCodes.Status404NotFound);
}
catch (Exception ex)
{
logger.LogError(ex, "Failed to add key {KeyId} to anchor {AnchorId}", request.KeyId, anchorId);
return Results.Problem(
title: "Internal error",
detail: _t("signer.error.unexpected"),
statusCode: StatusCodes.Status500InternalServerError);
}
}
/// <summary>
/// Revoke a signing key from a trust anchor.
/// </summary>
private static async Task<IResult> RevokeKeyAsync(
[FromRoute] Guid anchorId,
[FromRoute] string keyId,
[FromBody] RevokeKeyRequestDto request,
IKeyRotationService rotationService,
ILoggerFactory loggerFactory,
TimeProvider timeProvider,
CancellationToken ct)
{
var logger = loggerFactory.CreateLogger("KeyRotationEndpoints.RevokeKey");
if (request is null || string.IsNullOrWhiteSpace(request.Reason))
{
return Results.Problem(
title: "Invalid request",
detail: _t("signer.error.revocation_reason_required"),
statusCode: StatusCodes.Status400BadRequest);
}
try
{
var revokeRequest = new RevokeKeyRequest
{
Reason = request.Reason,
EffectiveAt = request.EffectiveAt
};
var result = await rotationService.RevokeKeyAsync(anchorId, keyId, revokeRequest, ct);
if (!result.Success)
{
var statusCode = IsNotFound(result.ErrorMessage)
? StatusCodes.Status404NotFound
: StatusCodes.Status400BadRequest;
return Results.Problem(
title: _t("signer.error.key_revocation_failed"),
detail: result.ErrorMessage,
statusCode: statusCode);
}
logger.LogInformation(
"Revoked key {KeyId} from anchor {AnchorId}, reason: {Reason}, audit log {AuditLogId}",
keyId, anchorId, request.Reason, result.AuditLogId);
var response = new RevokeKeyResponseDto
{
KeyId = keyId,
AnchorId = anchorId,
RevokedAt = request.EffectiveAt ?? timeProvider.GetUtcNow(),
Reason = request.Reason,
AllowedKeyIds = result.AllowedKeyIds.ToList(),
RevokedKeyIds = result.RevokedKeyIds.ToList(),
AuditLogId = result.AuditLogId
};
return Results.Ok(response);
}
catch (KeyNotFoundException)
{
return Results.Problem(
title: "Key or anchor not found",
detail: _t("signer.error.key_or_anchor_not_found", anchorId, keyId),
statusCode: StatusCodes.Status404NotFound);
}
catch (Exception ex)
{
logger.LogError(ex, "Failed to revoke key {KeyId} from anchor {AnchorId}", keyId, anchorId);
return Results.Problem(
title: "Internal error",
detail: _t("signer.error.unexpected"),
statusCode: StatusCodes.Status500InternalServerError);
}
}
/// <summary>
/// Check if a key was valid at a specific time.
/// </summary>
private static async Task<IResult> CheckKeyValidityAsync(
[FromRoute] Guid anchorId,
[FromRoute] string keyId,
[FromQuery] DateTimeOffset? signedAt,
IKeyRotationService rotationService,
TimeProvider timeProvider,
CancellationToken ct)
{
var checkTime = signedAt ?? timeProvider.GetUtcNow();
try
{
var result = await rotationService.CheckKeyValidityAsync(anchorId, keyId, checkTime, ct);
if (result.Status == KeyStatus.Unknown)
{
return Results.Problem(
title: "Key or anchor not found",
detail: result.InvalidReason ?? _t("signer.error.key_or_anchor_not_found", anchorId, keyId),
statusCode: StatusCodes.Status404NotFound);
}
var response = new KeyValidityResponseDto
{
KeyId = keyId,
AnchorId = anchorId,
CheckedAt = checkTime,
IsValid = result.IsValid,
Status = result.Status.ToString(),
AddedAt = result.AddedAt,
RevokedAt = result.RevokedAt,
InvalidReason = result.InvalidReason
};
return Results.Ok(response);
}
catch (KeyNotFoundException)
{
return Results.Problem(
title: "Key or anchor not found",
detail: _t("signer.error.key_or_anchor_not_found", anchorId, keyId),
statusCode: StatusCodes.Status404NotFound);
}
}
/// <summary>
/// Get the full key history for a trust anchor.
/// </summary>
private static async Task<IResult> GetKeyHistoryAsync(
[FromRoute] Guid anchorId,
IKeyRotationService rotationService,
CancellationToken ct)
{
try
{
var history = await rotationService.GetKeyHistoryAsync(anchorId, ct);
var response = new KeyHistoryResponseDto
{
AnchorId = anchorId,
Entries = history.Select(e => new KeyHistoryEntryDto
{
KeyId = e.KeyId,
Algorithm = e.Algorithm,
AddedAt = e.AddedAt,
RevokedAt = e.RevokedAt,
RevokeReason = e.RevokeReason,
ExpiresAt = e.ExpiresAt
}).ToList()
};
return Results.Ok(response);
}
catch (KeyNotFoundException)
{
return Results.Problem(
title: "Anchor not found",
detail: _t("signer.error.anchor_not_found", anchorId),
statusCode: StatusCodes.Status404NotFound);
}
}
/// <summary>
/// Get rotation warnings for a trust anchor.
/// </summary>
private static async Task<IResult> GetRotationWarningsAsync(
[FromRoute] Guid anchorId,
IKeyRotationService rotationService,
CancellationToken ct)
{
try
{
var warnings = await rotationService.GetRotationWarningsAsync(anchorId, ct);
var response = new RotationWarningsResponseDto
{
AnchorId = anchorId,
Warnings = warnings.Select(w => new RotationWarningDto
{
KeyId = w.KeyId,
WarningType = w.WarningType.ToString(),
Message = w.Message,
CriticalAt = w.CriticalAt
}).ToList()
};
return Results.Ok(response);
}
catch (KeyNotFoundException)
{
return Results.Problem(
title: "Anchor not found",
detail: _t("signer.error.anchor_not_found", anchorId),
statusCode: StatusCodes.Status404NotFound);
}
}
private static bool IsNotFound(string? errorMessage)
{
return !string.IsNullOrWhiteSpace(errorMessage) &&
errorMessage.Contains("not found", StringComparison.OrdinalIgnoreCase);
}
}
#region Request/Response DTOs
/// <summary>
/// Request DTO for adding a key.
/// </summary>
public sealed record AddKeyRequestDto
{
[Required]
public required string KeyId { get; init; }
[Required]
public required string PublicKey { get; init; }
[Required]
public required string Algorithm { get; init; }
public DateTimeOffset? ExpiresAt { get; init; }
public IReadOnlyDictionary<string, string>? Metadata { get; init; }
}
/// <summary>
/// Response DTO for adding a key.
/// </summary>
public sealed record AddKeyResponseDto
{
public required string KeyId { get; init; }
public required Guid AnchorId { get; init; }
public required List<string> AllowedKeyIds { get; init; }
public Guid? AuditLogId { get; init; }
}
/// <summary>
/// Request DTO for revoking a key.
/// </summary>
public sealed record RevokeKeyRequestDto
{
[Required]
public required string Reason { get; init; }
public DateTimeOffset? EffectiveAt { get; init; }
}
/// <summary>
/// Response DTO for revoking a key.
/// </summary>
public sealed record RevokeKeyResponseDto
{
public required string KeyId { get; init; }
public required Guid AnchorId { get; init; }
public required DateTimeOffset RevokedAt { get; init; }
public required string Reason { get; init; }
public required List<string> AllowedKeyIds { get; init; }
public required List<string> RevokedKeyIds { get; init; }
public Guid? AuditLogId { get; init; }
}
/// <summary>
/// Response DTO for key validity check.
/// </summary>
public sealed record KeyValidityResponseDto
{
public required string KeyId { get; init; }
public required Guid AnchorId { get; init; }
public required DateTimeOffset CheckedAt { get; init; }
public required bool IsValid { get; init; }
public required string Status { get; init; }
public required DateTimeOffset AddedAt { get; init; }
public DateTimeOffset? RevokedAt { get; init; }
public string? InvalidReason { get; init; }
}
/// <summary>
/// Response DTO for key history.
/// </summary>
public sealed record KeyHistoryResponseDto
{
public required Guid AnchorId { get; init; }
public required List<KeyHistoryEntryDto> Entries { get; init; }
}
/// <summary>
/// DTO for a key history entry.
/// </summary>
public sealed record KeyHistoryEntryDto
{
public required string KeyId { get; init; }
public required string Algorithm { get; init; }
public required DateTimeOffset AddedAt { get; init; }
public DateTimeOffset? RevokedAt { get; init; }
public string? RevokeReason { get; init; }
public DateTimeOffset? ExpiresAt { get; init; }
}
/// <summary>
/// Response DTO for rotation warnings.
/// </summary>
public sealed record RotationWarningsResponseDto
{
public required Guid AnchorId { get; init; }
public required List<RotationWarningDto> Warnings { get; init; }
}
/// <summary>
/// DTO for a rotation warning.
/// </summary>
public sealed record RotationWarningDto
{
public required string KeyId { get; init; }
public required string WarningType { get; init; }
public required string Message { get; init; }
public DateTimeOffset? CriticalAt { get; init; }
}
#endregion

482
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Endpoints/SignerEndpoints.cs Normal file
View File

@@ -0,0 +1,482 @@
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using static StellaOps.Localization.T;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Auth.Abstractions;
using StellaOps.Cryptography;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Options;
using StellaOps.Signer.WebService.Contracts;
using StellaOps.Signer.WebService.Security;
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using StellaOps.Auth.ServerIntegration.Tenancy;
namespace StellaOps.Signer.WebService.Endpoints;
public static class SignerEndpoints
{
public static IEndpointRouteBuilder MapSignerEndpoints(this IEndpointRouteBuilder endpoints)
{
var group = endpoints.MapGroup("/api/v1/signer")
.WithTags("Signer")
.RequireAuthorization(SignerPolicies.Verify)
.RequireTenant();
group.MapPost("/sign/dsse", SignDsseAsync)
.WithName("SignDsse")
.WithDescription(_t("signer.dsse.sign_description"))
.RequireAuthorization(SignerPolicies.Sign);
group.MapPost("/verify/dsse", VerifyDsseAsync)
.WithName("VerifyDsse")
.WithDescription(_t("signer.dsse.verify_description"));
group.MapGet("/verify/referrers", VerifyReferrersAsync)
.WithName("VerifyReferrers")
.WithDescription(_t("signer.dsse.verify_referrers_description"));
return endpoints;
}
private static async Task<IResult> SignDsseAsync(
HttpContext httpContext,
ISignerPipeline pipeline,
ILoggerFactory loggerFactory,
CancellationToken cancellationToken)
{
var requestBody = await ReadBodyAsync(httpContext.Request, cancellationToken).ConfigureAwait(false);
if (string.IsNullOrWhiteSpace(requestBody))
{
return CreateProblem("invalid_request", _t("signer.error.body_required"), StatusCodes.Status400BadRequest);
}
SignDsseRequestDto? requestDto;
try
{
requestDto = JsonSerializer.Deserialize<SignDsseRequestDto>(requestBody, SerializerOptions);
}
catch (JsonException)
{
return CreateProblem("invalid_json", _t("signer.error.malformed_json"), StatusCodes.Status400BadRequest);
}
if (requestDto is null)
{
return CreateProblem("invalid_request", _t("signer.error.body_required"), StatusCodes.Status400BadRequest);
}
var logger = loggerFactory.CreateLogger("SignerEndpoints.SignDsse");
try
{
var caller = BuildCallerContext(httpContext);
ValidateSenderBinding(httpContext, requestDto.Poe, caller);
if (requestDto.Predicate.ValueKind is JsonValueKind.Undefined or JsonValueKind.Null)
{
throw new SignerValidationException("predicate_missing", "Predicate payload is required.");
}
using var predicateDocument = JsonDocument.Parse(requestDto.Predicate.GetRawText());
var signingRequest = new SigningRequest(
ConvertSubjects(requestDto.Subject),
requestDto.PredicateType,
predicateDocument,
requestDto.ScannerImageDigest,
new ProofOfEntitlement(
ParsePoeFormat(requestDto.Poe.Format),
requestDto.Poe.Value),
ConvertOptions(requestDto.Options));
var outcome = await pipeline.SignAsync(signingRequest, caller, cancellationToken).ConfigureAwait(false);
var response = ConvertOutcome(outcome);
return Json(response);
}
catch (SignerValidationException ex)
{
logger.LogWarning(ex, "Validation failure while signing DSSE.");
return CreateProblem(ex.Code, ex.Message, StatusCodes.Status400BadRequest);
}
catch (SignerAuthorizationException ex)
{
logger.LogWarning(ex, "Authorization failure while signing DSSE.");
return CreateProblem(ex.Code, ex.Message, StatusCodes.Status403Forbidden);
}
catch (SignerReleaseVerificationException ex)
{
logger.LogWarning(ex, "Release verification failed.");
return CreateProblem(ex.Code, ex.Message, StatusCodes.Status403Forbidden);
}
catch (SignerQuotaException ex)
{
logger.LogWarning(ex, "Quota enforcement rejected request.");
return CreateProblem(ex.Code, ex.Message, StatusCodes.Status429TooManyRequests);
}
catch (Exception ex)
{
logger.LogError(ex, "Unexpected error while signing DSSE.");
return CreateProblem("signing_unavailable", _t("signer.error.internal_server_error"), StatusCodes.Status500InternalServerError);
}
}
private static async Task<IResult> VerifyReferrersAsync(
[FromQuery] string digest,
IReleaseIntegrityVerifier verifier,
CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(digest))
{
return CreateProblem("invalid_digest", _t("signer.error.digest_required"), StatusCodes.Status400BadRequest);
}
try
{
var verification = await verifier.VerifyAsync(digest.Trim(), cancellationToken).ConfigureAwait(false);
var response = new VerifyReferrersResponseDto(verification.Trusted, verification.ReleaseSigner);
return Json(response);
}
catch (SignerReleaseVerificationException ex)
{
return CreateProblem(ex.Code, ex.Message, StatusCodes.Status400BadRequest);
}
}
private static IResult VerifyDsseAsync(
[FromBody] JsonElement request,
IOptionsMonitor<SignerCryptoOptions> signerCryptoOptions,
ICryptoHmac cryptoHmac)
{
if (!TryExtractEnvelope(request, out var envelope, out var extractError))
{
return CreateProblem("invalid_request", extractError, StatusCodes.Status400BadRequest);
}
byte[] payloadBytes;
try
{
payloadBytes = Convert.FromBase64String(envelope.Payload);
}
catch (FormatException)
{
return CreateProblem("invalid_payload", _t("signer.error.payload_invalid_base64"), StatusCodes.Status400BadRequest);
}
var options = signerCryptoOptions.CurrentValue;
byte[] secretBytes;
try
{
secretBytes = Convert.FromBase64String(options.Secret);
}
catch (FormatException)
{
return CreateProblem("verify_unavailable", _t("signer.error.key_material_misconfigured"), StatusCodes.Status500InternalServerError);
}
var expectedSignature = cryptoHmac.ComputeHmacBase64ForPurpose(
secretBytes,
payloadBytes,
HmacPurpose.Signing);
var verified = envelope.Signatures.Any(signature =>
SignatureMatches(signature.Signature, expectedSignature) &&
(string.IsNullOrWhiteSpace(signature.KeyId) || string.Equals(signature.KeyId, options.KeyId, StringComparison.Ordinal)));
var response = new VerifyDsseResponseDto(
verified,
options.KeyId,
verified ? null : _t("signer.error.signature_mismatch"));
return Json(response);
}
private static IResult CreateProblem(string type, string detail, int statusCode)
{
var problem = new ProblemDetails
{
Type = type,
Title = type,
Detail = detail,
Status = statusCode,
};
return Json(problem, statusCode);
}
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
private static IResult Json(object value, int statusCode = StatusCodes.Status200OK)
{
var payload = JsonSerializer.Serialize(value, SerializerOptions);
return Results.Text(payload, "application/json", Encoding.UTF8, statusCode);
}
private static CallerContext BuildCallerContext(HttpContext context)
{
var user = context.User ?? throw new SignerAuthorizationException("invalid_caller", "Caller is not authenticated.");
string subject = user.FindFirstValue(StellaOpsClaimTypes.Subject) ??
throw new SignerAuthorizationException("invalid_caller", "Subject claim is required.");
string tenant = user.FindFirstValue(StellaOpsClaimTypes.Tenant) ?? subject;
var scopes = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
if (user.HasClaim(c => c.Type == StellaOpsClaimTypes.Scope))
{
foreach (var value in user.FindAll(StellaOpsClaimTypes.Scope))
{
foreach (var scope in value.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
{
scopes.Add(scope);
}
}
}
foreach (var scopeClaim in user.FindAll(StellaOpsClaimTypes.ScopeItem))
{
scopes.Add(scopeClaim.Value);
}
var audiences = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
foreach (var audClaim in user.FindAll(StellaOpsClaimTypes.Audience))
{
if (audClaim.Value.Contains(' '))
{
foreach (var aud in audClaim.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
{
audiences.Add(aud);
}
}
else
{
audiences.Add(audClaim.Value);
}
}
if (audiences.Count == 0)
{
throw new SignerAuthorizationException("invalid_audience", "Audience claim is required.");
}
var sender = context.Request.Headers.TryGetValue("DPoP", out var dpop)
? dpop.ToString()
: null;
var clientCert = context.Connection.ClientCertificate?.Thumbprint;
return new CallerContext(
subject,
tenant,
scopes.ToArray(),
audiences.ToArray(),
sender,
clientCert);
}
private static void ValidateSenderBinding(HttpContext context, SignDssePoeDto poe, CallerContext caller)
{
if (poe is null)
{
throw new SignerValidationException("poe_missing", "Proof of entitlement is required.");
}
var format = ParsePoeFormat(poe.Format);
if (format == SignerPoEFormat.Jwt)
{
if (string.IsNullOrWhiteSpace(caller.SenderBinding))
{
throw new SignerAuthorizationException("invalid_token", "DPoP proof is required for JWT PoE.");
}
if (!IsDpopProofValid(caller.SenderBinding))
{
throw new SignerAuthorizationException("invalid_token", "DPoP proof is malformed.");
}
}
else if (format == SignerPoEFormat.Mtls)
{
if (string.IsNullOrWhiteSpace(caller.ClientCertificateThumbprint))
{
throw new SignerAuthorizationException("invalid_token", "Client certificate is required for mTLS PoE.");
}
}
}
private static bool IsDpopProofValid(string senderBinding)
{
if (string.IsNullOrWhiteSpace(senderBinding))
{
return false;
}
if (senderBinding.StartsWith("stub-", StringComparison.Ordinal))
{
return true;
}
var parts = senderBinding.Split('.');
if (parts.Length != 3)
{
return false;
}
return parts.All(part => !string.IsNullOrWhiteSpace(part));
}
private static async Task<string> ReadBodyAsync(HttpRequest request, CancellationToken cancellationToken)
{
if (request.Body is null)
{
return string.Empty;
}
using var reader = new StreamReader(request.Body, Encoding.UTF8, detectEncodingFromByteOrderMarks: false, leaveOpen: true);
return await reader.ReadToEndAsync(cancellationToken).ConfigureAwait(false);
}
private static IReadOnlyList<SigningSubject> ConvertSubjects(List<SignDsseSubjectDto> subjects)
{
if (subjects is null || subjects.Count == 0)
{
throw new SignerValidationException("subject_missing", "At least one subject is required.");
}
return subjects.Select(subject =>
{
if (subject.Digest is null || subject.Digest.Count == 0)
{
throw new SignerValidationException("subject_digest_invalid", $"Digest for subject '{subject.Name}' is required.");
}
return new SigningSubject(subject.Name, subject.Digest);
}).ToArray();
}
private static SigningOptions ConvertOptions(SignDsseOptionsDto? optionsDto)
{
if (optionsDto is null)
{
return new SigningOptions(SigningMode.Kms, null, "dsse+cert");
}
var mode = optionsDto.SigningMode switch
{
null or "" => SigningMode.Kms,
"kms" or "KMS" => SigningMode.Kms,
"keyless" or "KEYLESS" => SigningMode.Keyless,
_ => throw new SignerValidationException("signing_mode_invalid", $"Unsupported signing mode '{optionsDto.SigningMode}'."),
};
return new SigningOptions(mode, optionsDto.ExpirySeconds, optionsDto.ReturnBundle ?? "dsse+cert");
}
private static SignerPoEFormat ParsePoeFormat(string? format)
{
return format?.ToLowerInvariant() switch
{
"jwt" => SignerPoEFormat.Jwt,
"mtls" => SignerPoEFormat.Mtls,
_ => throw new SignerValidationException("poe_invalid", $"Unsupported PoE format '{format}'."),
};
}
private static SignDsseResponseDto ConvertOutcome(SigningOutcome outcome)
{
var signatures = outcome.Bundle.Envelope.Signatures
.Select(signature => new SignDsseSignatureDto(signature.Signature, signature.KeyId))
.ToArray();
var bundle = new SignDsseBundleDto(
new SignDsseEnvelopeDto(
outcome.Bundle.Envelope.PayloadType,
outcome.Bundle.Envelope.Payload,
signatures),
outcome.Bundle.Metadata.CertificateChain,
outcome.Bundle.Metadata.Identity.Mode,
new SignDsseIdentityDto(
outcome.Bundle.Metadata.Identity.Issuer,
outcome.Bundle.Metadata.Identity.Subject,
outcome.Bundle.Metadata.Identity.ExpiresAtUtc?.ToString("O", CultureInfo.InvariantCulture)));
var policy = new SignDssePolicyDto(
outcome.Policy.Plan,
outcome.Policy.MaxArtifactBytes,
outcome.Policy.QpsRemaining);
return new SignDsseResponseDto(bundle, policy, outcome.AuditId);
}
private static bool TryExtractEnvelope(
JsonElement request,
out SignDsseEnvelopeDto envelope,
out string error)
{
envelope = default!;
error = string.Empty;
JsonElement envelopeElement;
if (request.ValueKind != JsonValueKind.Object)
{
error = _t("signer.error.request_body_json_object");
return false;
}
if (request.TryGetProperty("bundle", out var bundleElement) &&
bundleElement.ValueKind == JsonValueKind.Object &&
bundleElement.TryGetProperty("dsse", out envelopeElement))
{
// Expected shape from SignDsse response.
}
else if (request.TryGetProperty("dsse", out envelopeElement))
{
// Direct dsse wrapper.
}
else
{
envelopeElement = request;
}
try
{
var parsed = JsonSerializer.Deserialize<SignDsseEnvelopeDto>(envelopeElement.GetRawText(), SerializerOptions);
if (parsed is null)
{
error = _t("signer.error.envelope_required");
return false;
}
if (parsed.Signatures is null || parsed.Signatures.Count == 0)
{
error = _t("signer.error.signature_required");
return false;
}
if (string.IsNullOrWhiteSpace(parsed.Payload))
{
error = _t("signer.error.payload_required");
return false;
}
envelope = parsed;
return true;
}
catch (JsonException)
{
error = _t("signer.error.malformed_envelope");
return false;
}
}
private static bool SignatureMatches(string actualSignature, string expectedSignature)
{
var actualBytes = Encoding.UTF8.GetBytes(actualSignature);
var expectedBytes = Encoding.UTF8.GetBytes(expectedSignature);
return CryptographicOperations.FixedTimeEquals(actualBytes, expectedBytes);
}
}

134
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Program.cs Normal file
View File

@@ -0,0 +1,134 @@
using Microsoft.AspNetCore.Authentication;
using Microsoft.EntityFrameworkCore;
using StellaOps.Auth.Abstractions;
using StellaOps.Localization;
using StellaOps.Cryptography.DependencyInjection;
using StellaOps.Auth.ServerIntegration;
using StellaOps.Auth.ServerIntegration.Tenancy;
using StellaOps.Router.AspNet;
using StellaOps.Signer.Infrastructure;
using StellaOps.Signer.Infrastructure.Options;
using StellaOps.Signer.KeyManagement;
using StellaOps.Signer.KeyManagement.EfCore.Context;
using StellaOps.Signer.Core.Ceremonies;
using StellaOps.Signer.WebService.Endpoints;
using StellaOps.Signer.WebService.Security;
using StellaOps.Signer.WebService.Ceremonies;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddLogging();
builder.Services.AddAuthentication(StubBearerAuthenticationDefaults.AuthenticationScheme)
.AddScheme<AuthenticationSchemeOptions, StubBearerAuthenticationHandler>(
StubBearerAuthenticationDefaults.AuthenticationScheme,
_ => { });
builder.Services.AddAuthorization(options =>
{
options.AddStellaOpsScopePolicy(SignerPolicies.Sign, StellaOpsScopes.SignerSign);
options.AddStellaOpsScopePolicy(SignerPolicies.Verify, StellaOpsScopes.SignerRead);
options.AddStellaOpsScopePolicy(SignerPolicies.KeyManagement, StellaOpsScopes.SignerRotate);
options.AddStellaOpsScopePolicy(SignerPolicies.CeremonyRead, StellaOpsScopes.SignerRead);
options.AddStellaOpsScopePolicy(SignerPolicies.CeremonyCreate, StellaOpsScopes.SignerSign);
options.AddStellaOpsScopePolicy(SignerPolicies.CeremonyApprove, StellaOpsScopes.SignerSign);
options.AddStellaOpsScopePolicy(SignerPolicies.CeremonyExecute, StellaOpsScopes.SignerAdmin);
options.AddStellaOpsScopePolicy(SignerPolicies.CeremonyCancel, StellaOpsScopes.SignerAdmin);
// Legacy policy name aliases kept for backward compatibility.
options.AddStellaOpsScopePolicy("KeyManagement", StellaOpsScopes.SignerRotate);
options.AddStellaOpsScopePolicy("ceremony:read", StellaOpsScopes.SignerRead);
options.AddStellaOpsScopePolicy("ceremony:create", StellaOpsScopes.SignerSign);
options.AddStellaOpsScopePolicy("ceremony:approve", StellaOpsScopes.SignerSign);
options.AddStellaOpsScopePolicy("ceremony:execute", StellaOpsScopes.SignerAdmin);
options.AddStellaOpsScopePolicy("ceremony:cancel", StellaOpsScopes.SignerAdmin);
});
builder.Services.AddSignerPipeline();
// Configure TimeProvider for deterministic testing support
builder.Services.AddSingleton(TimeProvider.System);
// Ceremony services
builder.Services.Configure<CeremonyOptions>(builder.Configuration.GetSection(CeremonyOptions.SectionName));
builder.Services.AddSingleton<ICeremonyRepository, InMemoryCeremonyRepository>();
builder.Services.AddSingleton<ICeremonyAuditSink, InMemoryCeremonyAuditSink>();
builder.Services.AddSingleton<ICeremonyApproverValidator, AllowAllCeremonyApproverValidator>();
builder.Services.AddSingleton<ICeremonyOrchestrator, CeremonyOrchestrator>();
var keyManagementConnection = builder.Configuration.GetConnectionString("KeyManagement");
if (string.IsNullOrWhiteSpace(keyManagementConnection))
{
builder.Services.AddDbContext<KeyManagementDbContext>(options =>
options.UseInMemoryDatabase("SignerKeyManagement"));
}
else
{
builder.Services.AddDbContext<KeyManagementDbContext>(options =>
options.UseNpgsql(keyManagementConnection));
}
builder.Services.AddScoped<IKeyRotationService, KeyRotationService>();
builder.Services.AddScoped<ITrustAnchorManager, TrustAnchorManager>();
builder.Services.Configure<SignerEntitlementOptions>(options =>
{
// Note: Using 1-hour expiry for demo/test tokens.
// Actual expiry is calculated at runtime relative to TimeProvider.
options.Tokens["valid-poe"] = new SignerEntitlementDefinition(
LicenseId: "LIC-TEST",
CustomerId: "CUST-TEST",
Plan: "pro",
MaxArtifactBytes: 128 * 1024,
QpsLimit: 5,
QpsRemaining: 5,
ExpiresAtUtc: DateTimeOffset.UtcNow.AddHours(1));
});
builder.Services.Configure<SignerReleaseVerificationOptions>(options =>
{
options.TrustedScannerDigests.Add("sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef");
});
builder.Services.Configure<SignerCryptoOptions>(_ => { });
builder.Services.AddStellaOpsCryptoRu(builder.Configuration, CryptoProviderRegistryValidator.EnforceRuLinuxDefaults);
builder.Services.AddStellaOpsTenantServices();
builder.Services.AddStellaOpsCors(builder.Environment, builder.Configuration);
builder.Services.AddStellaOpsLocalization(builder.Configuration);
builder.Services.AddTranslationBundle(System.Reflection.Assembly.GetExecutingAssembly());
// Stella Router integration
var routerEnabled = builder.Services.AddRouterMicroservice(
builder.Configuration,
serviceName: "signer",
version: System.Reflection.CustomAttributeExtensions.GetCustomAttribute<System.Reflection.AssemblyInformationalVersionAttribute>(System.Reflection.Assembly.GetExecutingAssembly())?.InformationalVersion ?? "1.0.0",
routerOptionsSection: "Router");
builder.TryAddStellaOpsLocalBinding("signer");
var app = builder.Build();
app.LogStellaOpsLocalHostname("signer");
app.UseStellaOpsCors();
app.UseStellaOpsLocalization();
app.UseAuthentication();
app.UseAuthorization();
app.UseStellaOpsTenantMiddleware();
app.TryUseStellaRouter(routerEnabled);
await app.LoadTranslationsAsync();
app.MapGet("/", () => Results.Ok("StellaOps Signer service ready."));
app.MapSignerEndpoints();
app.MapKeyRotationEndpoints();
app.MapCeremonyEndpoints();
// Refresh Router endpoint cache
app.TryRefreshStellaRouterEndpoints(routerEnabled);
await app.RunAsync().ConfigureAwait(false);
// Expose Program class for WebApplicationFactory in tests
public partial class Program;

14
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Properties/launchSettings.json Normal file
View File

@@ -0,0 +1,14 @@
{
"profiles": {
"StellaOps.Signer.WebService": {
"commandName": "Project",
"launchBrowser": true,
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development",
"STELLAOPS_WEBSERVICES_CORS": "true",
"STELLAOPS_WEBSERVICES_CORS_ORIGIN": "https://stella-ops.local,https://stella-ops.local:10000,https://localhost:10000"
},
"applicationUrl": "https://localhost:10300;http://localhost:10301"
}
}
}

34
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Security/SignerPolicies.cs Normal file
View File

@@ -0,0 +1,34 @@
// Copyright (c) StellaOps. Licensed under the BUSL-1.1.
namespace StellaOps.Signer.WebService.Security;
/// <summary>
/// Named authorization policy constants for the Signer service.
/// Policies are registered via AddStellaOpsScopePolicy in Program.cs.
/// </summary>
internal static class SignerPolicies
{
/// <summary>Policy for signing operations (POST /sign/dsse). Requires signer:sign scope.</summary>
public const string Sign = "Signer.Sign";
/// <summary>Policy for DSSE verification (POST /verify/dsse, GET /verify/referrers). Requires signer:read scope.</summary>
public const string Verify = "Signer.Verify";
/// <summary>Policy for key management operations. Requires signer:rotate scope.</summary>
public const string KeyManagement = "Signer.KeyManagement";
/// <summary>Policy for reading ceremony state. Requires signer:read scope.</summary>
public const string CeremonyRead = "Signer.CeremonyRead";
/// <summary>Policy for creating and mutating ceremonies. Requires signer:sign scope.</summary>
public const string CeremonyCreate = "Signer.CeremonyCreate";
/// <summary>Policy for approving ceremonies. Requires signer:sign scope.</summary>
public const string CeremonyApprove = "Signer.CeremonyApprove";
/// <summary>Policy for executing ceremonies. Requires signer:admin scope.</summary>
public const string CeremonyExecute = "Signer.CeremonyExecute";
/// <summary>Policy for cancelling ceremonies. Requires signer:admin scope.</summary>
public const string CeremonyCancel = "Signer.CeremonyCancel";
}

6
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Security/StubBearerAuthenticationDefaults.cs Normal file
View File

@@ -0,0 +1,6 @@
namespace StellaOps.Signer.WebService.Security;
public static class StubBearerAuthenticationDefaults
{
public const string AuthenticationScheme = "StubBearer";
}

56
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Security/StubBearerAuthenticationHandler.cs Normal file
View File

@@ -0,0 +1,56 @@
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Auth.Abstractions;
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
namespace StellaOps.Signer.WebService.Security;
public sealed class StubBearerAuthenticationHandler
: AuthenticationHandler<AuthenticationSchemeOptions>
{
public StubBearerAuthenticationHandler(
IOptionsMonitor<AuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder)
: base(options, logger, encoder)
{
}
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
{
var authorization = Request.Headers.Authorization.ToString();
if (string.IsNullOrWhiteSpace(authorization) ||
!authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
return Task.FromResult(AuthenticateResult.Fail("Missing bearer token."));
}
var token = authorization.Substring("Bearer ".Length).Trim();
if (token.Length == 0)
{
return Task.FromResult(AuthenticateResult.Fail("Bearer token is empty."));
}
var claims = new List<Claim>
{
new(ClaimTypes.NameIdentifier, "stub-subject"),
new(StellaOpsClaimTypes.Subject, "stub-subject"),
new(StellaOpsClaimTypes.Tenant, "stub-tenant"),
new(StellaOpsClaimTypes.Scope, "signer.sign"),
new(StellaOpsClaimTypes.ScopeItem, "signer.sign"),
new(StellaOpsClaimTypes.Audience, "signer"),
};
var identity = new ClaimsIdentity(claims, Scheme.Name);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, Scheme.Name);
return Task.FromResult(AuthenticateResult.Success(ticket));
}
}

41
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/StellaOps.Signer.WebService.csproj Normal file
View File

@@ -0,0 +1,41 @@
<?xml version='1.0' encoding='utf-8'?>
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.OpenApi" />
<PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" />
<PackageReference Include="OpenTelemetry.Extensions.Hosting" />
<PackageReference Include="OpenTelemetry.Instrumentation.AspNetCore" />
<PackageReference Include="OpenTelemetry.Instrumentation.Http" />
<PackageReference Include="OpenTelemetry.Instrumentation.Runtime" />
<PackageReference Include="Serilog.AspNetCore" />
<PackageReference Include="Serilog.Sinks.Console" />
<PackageReference Include="StackExchange.Redis" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\StellaOps.Signer.Core\StellaOps.Signer.Core.csproj" />
<ProjectReference Include="..\StellaOps.Signer.Infrastructure\StellaOps.Signer.Infrastructure.csproj" />
<ProjectReference Include="..\..\__Libraries\StellaOps.Signer.KeyManagement\StellaOps.Signer.KeyManagement.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.Configuration/StellaOps.Configuration.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.DependencyInjection/StellaOps.DependencyInjection.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.Cryptography/StellaOps.Cryptography.csproj" />
<ProjectReference Include="../../../Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOps.Auth.Abstractions.csproj" />
<ProjectReference Include="../../../Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOps.Auth.Client.csproj" />
<ProjectReference Include="../../../Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration/StellaOps.Auth.ServerIntegration.csproj" />
<ProjectReference Include="../../../Router/__Libraries/StellaOps.Router.AspNet/StellaOps.Router.AspNet.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.Localization/StellaOps.Localization.csproj" />
</ItemGroup>
<ItemGroup>
<EmbeddedResource Include="Translations\*.json" />
</ItemGroup>
<PropertyGroup Label="StellaOpsReleaseVersion">
<Version>1.0.0-alpha1</Version>
<InformationalVersion>1.0.0-alpha1</InformationalVersion>
</PropertyGroup>
</Project>

8
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/TASKS.md Normal file
View File

@@ -0,0 +1,8 @@
# StellaOps.Signer.WebService Task Board
This board mirrors active sprint tasks for this module.
Source of truth: `docs/implplan/SPRINT_20260130_002_Tools_csproj_remediation_solid_review.md`.
| Task ID | Status | Notes |
| --- | --- | --- |
| REMED-05 | TODO | Remediation checklist: docs/implplan/audits/csproj-standards/remediation/checklists/src/Signer/StellaOps.Signer/StellaOps.Signer.WebService/StellaOps.Signer.WebService.md. |
| REMED-06 | DONE | SOLID review notes captured for SPRINT_20260130_002. |

45
src/Attestor/StellaOps.Signer/StellaOps.Signer.WebService/Translations/en-US.signer.json Normal file
View File

@@ -0,0 +1,45 @@
{
"_meta": { "locale": "en-US", "namespace": "signer", "version": "1.0" },
"signer.dsse.sign_description": "Signs a payload using DSSE (Dead Simple Signing Envelope) with the configured KMS or keyless signing mode. Requires a proof-of-entitlement (PoE) in JWT or mTLS format. Returns the signed DSSE bundle including envelope, certificate chain, and signing policy metadata.",
"signer.dsse.verify_description": "Verifies a DSSE envelope signature against the configured signing key. Accepts the full bundle or a raw DSSE envelope. Returns a verification result indicating whether the signature matches the configured key ID.",
"signer.dsse.verify_referrers_description": "Verifies the release integrity of a container image or artifact by digest using the OCI referrers API. Returns whether the artifact has a trusted signature from the configured release signer.",
"signer.error.body_required": "Request body is required.",
"signer.error.malformed_json": "Malformed JSON payload.",
"signer.error.internal_server_error": "Internal server error.",
"signer.error.digest_required": "Digest parameter is required.",
"signer.error.key_material_misconfigured": "Signer key material is misconfigured.",
"signer.error.signature_mismatch": "Signature does not match the configured signing key.",
"signer.error.request_body_json_object": "Request body must be a JSON object.",
"signer.error.envelope_required": "DSSE envelope is required.",
"signer.error.signature_required": "At least one DSSE signature is required.",
"signer.error.payload_required": "DSSE payload is required.",
"signer.error.malformed_envelope": "Malformed DSSE envelope payload.",
"signer.error.payload_invalid_base64": "DSSE payload must be valid base64.",
"signer.anchor.add_key_description": "Adds a new public signing key to the specified trust anchor, recording the addition in the audit log. Returns 201 Created with the updated allowed key IDs and audit log reference. Returns 404 if the anchor is not found. Requires KeyManagement authorization.",
"signer.anchor.revoke_key_description": "Revokes a specific signing key from a trust anchor with a mandatory reason and optional effective timestamp. Records the revocation in the audit log. Returns the updated allowed and revoked key lists. Requires KeyManagement authorization.",
"signer.anchor.check_validity_description": "Checks whether a specific key was in a valid (non-revoked, non-expired) state at the given timestamp. Defaults to the current time if no signedAt is provided. Used for retrospective signature verification. Requires KeyManagement authorization.",
"signer.anchor.key_history_description": "Returns the complete key lifecycle history for a trust anchor including all added, revoked, and expired keys with their timestamps and revocation reasons. Requires KeyManagement authorization.",
"signer.anchor.rotation_warnings_description": "Returns active rotation warnings for a trust anchor such as keys approaching expiry or requiring rotation. Includes the warning type, message, and critical deadline timestamp. Requires KeyManagement authorization.",
"signer.error.request_required": "Request body is required.",
"signer.error.key_addition_failed": "Key addition failed",
"signer.error.anchor_not_found": "Trust anchor {0} not found.",
"signer.error.unexpected": "An unexpected error occurred.",
"signer.error.revocation_reason_required": "Revocation reason is required.",
"signer.error.key_revocation_failed": "Key revocation failed",
"signer.error.key_or_anchor_not_found": "Trust anchor {0} or key {1} not found.",
"signer.ceremony.create_description": "Initiates a new M-of-N dual-control signing ceremony for key management operations such as key generation, rotation, revocation, or recovery. Returns 201 Created with the ceremony record including required approval threshold and expiry. Requires ceremony:create authorization.",
"signer.ceremony.list_description": "Returns a paginated list of signing ceremonies optionally filtered by state, operation type, initiator, or tenant. Supports limit and offset for pagination. Requires ceremony:read authorization.",
"signer.ceremony.get_description": "Returns the full ceremony record including operation type, state, approvals received, approval threshold, and expiry. Returns 404 if the ceremony is not found. Requires ceremony:read authorization.",
"signer.ceremony.approve_description": "Submits a signed approval for a dual-control ceremony. Requires a valid base64-encoded approval signature and optional signing key ID. Returns 409 Conflict on duplicate approval or terminal ceremony state. Requires ceremony:approve authorization.",
"signer.ceremony.execute_description": "Executes a fully approved signing ceremony once the approval threshold has been reached. Performs the key operation and records the execution. Returns 409 Conflict if the ceremony is not fully approved, already executed, expired, or cancelled. Requires ceremony:execute authorization.",
"signer.ceremony.cancel_description": "Cancels a pending or partially approved signing ceremony with an optional reason. Returns 204 No Content on success. Returns 409 Conflict if the ceremony has already been executed, expired, or cancelled. Requires ceremony:cancel authorization.",
"signer.ceremony.error.not_found": "Ceremony {0} not found.",
"signer.ceremony.error.signature_required": "Approval signature is required.",
"signer.ceremony.error.signature_invalid_base64": "Approval signature must be valid base64."
}

7
src/Attestor/StellaOps.Signer/TASKS.completed.md Normal file
View File

@@ -0,0 +1,7 @@
# Completed Tasks
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SIGNER-API-11-101 | DONE (2025-10-21) | Signer Guild | — | `/sign/dsse` pipeline with Authority auth, PoE introspection, release verification, DSSE signing. | ✅ `POST /api/v1/signer/sign/dsse` enforces OpTok audience/scope, DPoP/mTLS binding, PoE introspection, and rejects untrusted scanner digests.<br>✅ Signing pipeline supports keyless (Fulcio) plus optional KMS modes, returning DSSE bundles + cert metadata; deterministic audits persisted.<br>✅ Regression coverage in `SignerEndpointsTests` (`dotnet test src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj`). |
| SIGNER-REF-11-102 | DONE (2025-10-21) | Signer Guild | — | `/verify/referrers` endpoint with OCI lookup, caching, and policy enforcement. | ✅ `GET /api/v1/signer/verify/referrers` validates trusted scanner digests via release verifier and surfaces signer metadata; JSON responses served deterministically.<br>✅ Integration tests cover trusted/untrusted digests and validation failures (`SignerEndpointsTests`). |
| SIGNER-QUOTA-11-103 | DONE (2025-10-21) | Signer Guild | — | Enforce plan quotas, concurrency/QPS limits, artifact size caps with metrics/audit logs. | ✅ Quota middleware derives plan limits from PoE claims, applies per-tenant concurrency/QPS/size caps, and surfaces remaining capacity in responses.<br>✅ Unit coverage exercises throttled/artifact-too-large paths via in-memory quota service. |

33
src/Attestor/StellaOps.Signer/stryker-config.json Normal file
View File

@@ -0,0 +1,33 @@
{
"$schema": "https://raw.githubusercontent.com/stryker-mutator/stryker-net/master/src/Stryker.Core/Stryker.Core/assets/stryker-config.schema.json",
"stryker-config": {
"project": "StellaOps.Signer.csproj",
"test-project": "../__Tests/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj",
"solution": "../../../../StellaOps.Router.slnx",
"thresholds": {
"high": 80,
"low": 70,
"break": 60
},
"mutate": [
"**/*.cs",
"!**/obj/**",
"!**/bin/**"
],
"excluded-mutations": [
"String"
],
"ignore-mutations": [
"Linq.FirstOrDefault",
"Linq.SingleOrDefault"
],
"reporters": [
"html",
"json",
"progress"
],
"concurrency": 4,
"log-to-file": true,
"dashboard-compare-enabled": true
}
}