Implement MongoDB-based storage for Pack Run approval, artifact, log, and state management

- Added MongoPackRunApprovalStore for managing approval states with MongoDB. - Introduced MongoPackRunArtifactUploader for uploading and storing artifacts. - Created MongoPackRunLogStore to handle logging of pack run events. - Developed MongoPackRunStateStore for persisting and retrieving pack run states. - Implemented unit tests for MongoDB stores to ensure correct functionality. - Added MongoTaskRunnerTestContext for setting up MongoDB test environment. - Enhanced PackRunStateFactory to correctly initialize state with gate reasons.
2025-11-07 10:01:35 +02:00
parent e5ffcd6535
commit a1ce3f74fa
122 changed files with 8730 additions and 914 deletions
--- a/src/Scanner/__Tests/StellaOps.Scanner.Surface.Secrets.Tests/RegistryAccessSecretParserTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.Surface.Secrets.Tests/RegistryAccessSecretParserTests.cs
@@ -0,0 +1,112 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+using StellaOps.Scanner.Surface.Secrets;
+using Xunit;
+
+namespace StellaOps.Scanner.Surface.Secrets.Tests;
+
+public sealed class RegistryAccessSecretParserTests
+{
+    [Fact]
+    public void ParseRegistrySecret_WithEntriesArray_ReturnsCredential()
+    {
+        const string json = """
+        {
+          "defaultRegistry": "registry.example.com",
+          "entries": [
+            {
+              "registry": "registry.example.com",
+              "username": "demo",
+              "password": "s3cret",
+              "token": "token-123",
+              "identityToken": "identity-token",
+              "refreshToken": "refresh-token",
+              "expiresAt": "2025-12-01T10:00:00Z",
+              "allowInsecureTls": false,
+              "scopes": ["repo:sample:pull"],
+              "headers": {
+                "X-Test": "value"
+              },
+              "email": "demo@example.com"
+            }
+          ]
+        }
+        """;
+
+        using var handle = SurfaceSecretHandle.FromBytes(Encoding.UTF8.GetBytes(json));
+        var secret = SurfaceSecretParser.ParseRegistryAccessSecret(handle);
+
+        Assert.Equal("registry.example.com", secret.DefaultRegistry);
+        var entry = Assert.Single(secret.Entries);
+        Assert.Equal("registry.example.com", entry.Registry);
+        Assert.Equal("demo", entry.Username);
+        Assert.Equal("s3cret", entry.Password);
+        Assert.Equal("token-123", entry.RegistryToken);
+        Assert.Equal("identity-token", entry.IdentityToken);
+        Assert.Equal("refresh-token", entry.RefreshToken);
+        Assert.Equal("demo@example.com", entry.Email);
+        Assert.Equal(new DateTimeOffset(2025, 12, 1, 10, 0, 0, TimeSpan.Zero), entry.ExpiresAt);
+        Assert.Equal(false, entry.AllowInsecureTls);
+        Assert.Contains("repo:sample:pull", entry.Scopes);
+        Assert.Equal("value", entry.Headers["X-Test"]);
+    }
+
+    [Fact]
+    public void ParseRegistrySecret_WithDockerAuthsObject_DecodesBasicAuth()
+    {
+        const string json = """
+        {
+          "auths": {
+            "ghcr.io": {
+              "auth": "ZGVtbzpwYXNz",
+              "identitytoken": "id-token"
+            }
+          }
+        }
+        """;
+
+        var metadata = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+        {
+            ["token"] = "metadata-token"
+        };
+
+        using var handle = SurfaceSecretHandle.FromBytes(Encoding.UTF8.GetBytes(json), metadata);
+        var secret = SurfaceSecretParser.ParseRegistryAccessSecret(handle);
+
+        var entry = Assert.Single(secret.Entries);
+        Assert.Equal("ghcr.io", entry.Registry);
+        Assert.Equal("demo", entry.Username);
+        Assert.Equal("pass", entry.Password);
+        Assert.Equal("metadata-token", entry.RegistryToken);
+        Assert.Equal("id-token", entry.IdentityToken);
+    }
+
+    [Fact]
+    public void ParseRegistrySecret_MetadataFallback_ReturnsCredential()
+    {
+        var metadata = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+        {
+            ["registry"] = "registry.internal",
+            ["username"] = "meta-user",
+            ["password"] = "meta-pass",
+            ["scope:0"] = "repo:internal:pull",
+            ["header:X-From"] = "metadata",
+            ["defaultRegistry"] = "registry.internal",
+            ["expiresAt"] = "2025-11-10T00:00:00Z",
+            ["allowInsecureTls"] = "true"
+        };
+
+        using var handle = SurfaceSecretHandle.FromBytes(ReadOnlySpan<byte>.Empty, metadata);
+        var secret = SurfaceSecretParser.ParseRegistryAccessSecret(handle);
+
+        var entry = Assert.Single(secret.Entries);
+        Assert.Equal("registry.internal", entry.Registry);
+        Assert.Equal("meta-user", entry.Username);
+        Assert.Equal("meta-pass", entry.Password);
+        Assert.Contains("repo:internal:pull", entry.Scopes);
+        Assert.Equal("metadata", entry.Headers["X-From"]);
+        Assert.True(entry.AllowInsecureTls);
+        Assert.Equal("registry.internal", secret.DefaultRegistry);
+    }
+}