stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

sprints and audit work

Browse Source
This commit is contained in:
StellaOps Bot
2026-01-07 09:36:16 +02:00
parent 05833e0af2
commit ab364c6032
377 changed files with 64534 additions and 1627 deletions
Download Patch File Download Diff File Expand all files Collapse all files

451
src/Scanner/__Tests/StellaOps.Scanner.Surface.FS.Tests/FacetSealE2ETests.cs Normal file
View File

@@ -0,0 +1,451 @@
// <copyright file="FacetSealE2ETests.cs" company="StellaOps">
// Copyright (c) StellaOps. Licensed under AGPL-3.0-or-later.
// </copyright>
// -----------------------------------------------------------------------------
// FacetSealE2ETests.cs
// Sprint: SPRINT_20260105_002_002_FACET
// Task: FCT-025 - E2E test: Scan -> facet seal generation
// Description: End-to-end tests verifying facet seals are properly generated
// and included in SurfaceManifestDocument during scan workflow.
// -----------------------------------------------------------------------------
using System.Collections.Immutable;
using System.Formats.Tar;
using System.IO.Compression;
using System.Text;
using System.Text.Json;
using FluentAssertions;
using Microsoft.Extensions.Time.Testing;
using StellaOps.Facet;
namespace StellaOps.Scanner.Surface.FS.Tests;
/// <summary>
/// End-to-end tests for the complete scan to facet seal generation workflow.
/// These tests verify that facet seals flow correctly from extraction through
/// to inclusion in the SurfaceManifestDocument.
/// </summary>
[Trait("Category", "E2E")]
public sealed class FacetSealE2ETests : IDisposable
{
private readonly FakeTimeProvider _timeProvider;
private readonly GlobFacetExtractor _facetExtractor;
private readonly FacetSealExtractor _sealExtractor;
private readonly string _testDir;
private static readonly DateTimeOffset TestTimestamp = new(2026, 1, 7, 12, 0, 0, TimeSpan.Zero);
public FacetSealE2ETests()
{
_timeProvider = new FakeTimeProvider(TestTimestamp);
_facetExtractor = new GlobFacetExtractor(_timeProvider);
_sealExtractor = new FacetSealExtractor(_facetExtractor, _timeProvider);
_testDir = Path.Combine(Path.GetTempPath(), $"facet-e2e-{Guid.NewGuid():N}");
Directory.CreateDirectory(_testDir);
}
public void Dispose()
{
if (Directory.Exists(_testDir))
{
Directory.Delete(_testDir, recursive: true);
}
}
#region Helper Methods
private void CreateTestDirectory(Dictionary<string, string> files)
{
foreach (var (relativePath, content) in files)
{
var fullPath = Path.Combine(_testDir, relativePath.TrimStart('/').Replace('/', Path.DirectorySeparatorChar));
var directory = Path.GetDirectoryName(fullPath);
if (!string.IsNullOrEmpty(directory))
{
Directory.CreateDirectory(directory);
}
File.WriteAllText(fullPath, content);
}
}
private MemoryStream CreateOciLayerFromDirectory(Dictionary<string, string> files)
{
var tarStream = new MemoryStream();
using (var tarWriter = new TarWriter(tarStream, TarEntryFormat.Pax, leaveOpen: true))
{
foreach (var (path, content) in files)
{
var entry = new PaxTarEntry(TarEntryType.RegularFile, path.TrimStart('/'))
{
DataStream = new MemoryStream(Encoding.UTF8.GetBytes(content))
};
tarWriter.WriteEntry(entry);
}
}
tarStream.Position = 0;
var gzipStream = new MemoryStream();
using (var gzip = new GZipStream(gzipStream, CompressionMode.Compress, leaveOpen: true))
{
tarStream.CopyTo(gzip);
}
gzipStream.Position = 0;
return gzipStream;
}
private static SurfaceManifestDocument CreateManifestWithFacetSeals(
SurfaceFacetSeals? facetSeals,
string imageDigest = "sha256:abc123",
string scanId = "scan-001")
{
return new SurfaceManifestDocument
{
Schema = SurfaceManifestDocument.DefaultSchema,
Tenant = "test-tenant",
ImageDigest = imageDigest,
ScanId = scanId,
GeneratedAt = TestTimestamp,
FacetSeals = facetSeals,
Artifacts = ImmutableArray<SurfaceManifestArtifact>.Empty
};
}
#endregion
#region E2E Workflow Tests
[Fact]
public async Task E2E_ScanDirectory_GeneratesFacetSeals_InSurfaceManifest()
{
// Arrange - Create a realistic directory structure simulating an unpacked image
var imageFiles = new Dictionary<string, string>
{
// OS packages (dpkg)
{ "/var/lib/dpkg/status", "Package: nginx\nVersion: 1.18.0\nStatus: installed\n\nPackage: openssl\nVersion: 3.0.0\nStatus: installed" },
{ "/var/lib/dpkg/info/nginx.list", "/usr/sbin/nginx\n/etc/nginx/nginx.conf" },
// Language dependencies (npm)
{ "/app/node_modules/express/package.json", "{\"name\":\"express\",\"version\":\"4.18.2\"}" },
{ "/app/node_modules/lodash/package.json", "{\"name\":\"lodash\",\"version\":\"4.17.21\"}" },
{ "/app/package-lock.json", "{\"lockfileVersion\":3,\"packages\":{}}" },
// Configuration
{ "/etc/nginx/nginx.conf", "worker_processes auto;\nevents { worker_connections 1024; }" },
{ "/etc/ssl/openssl.cnf", "[openssl_init]\nproviders = provider_sect" },
// Certificates
{ "/etc/ssl/certs/ca-certificates.crt", "-----BEGIN CERTIFICATE-----\nMIIExample\n-----END CERTIFICATE-----" },
// Binaries
{ "/usr/bin/nginx", "ELF binary placeholder" }
};
CreateTestDirectory(imageFiles);
// Act - Extract facet seals (simulating what happens during a scan)
var facetSeals = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
FacetSealExtractionOptions.Default,
TestContext.Current.CancellationToken);
// Create surface manifest document with facet seals (simulating publish step)
var manifest = CreateManifestWithFacetSeals(
facetSeals,
imageDigest: "sha256:e2e_test_image",
scanId: "e2e-scan-001");
// Assert - Verify facet seals are properly included in the manifest
manifest.FacetSeals.Should().NotBeNull("Facet seals should be included in the manifest");
manifest.FacetSeals!.CombinedMerkleRoot.Should().StartWith("sha256:", "Combined Merkle root should be a SHA-256 hash");
manifest.FacetSeals.Facets.Should().NotBeEmpty("At least one facet should be extracted");
manifest.FacetSeals.CreatedAt.Should().Be(TestTimestamp);
// Verify specific facets are present
var facetIds = manifest.FacetSeals.Facets.Select(f => f.FacetId).ToList();
facetIds.Should().Contain("os-packages-dpkg", "DPKG packages facet should be present");
facetIds.Should().Contain("lang-deps-npm", "NPM dependencies facet should be present");
// Verify facet entries have valid data
foreach (var facet in manifest.FacetSeals.Facets)
{
facet.FacetId.Should().NotBeNullOrWhiteSpace();
facet.Name.Should().NotBeNullOrWhiteSpace();
facet.Category.Should().NotBeNullOrWhiteSpace();
facet.MerkleRoot.Should().StartWith("sha256:");
facet.FileCount.Should().BeGreaterThan(0);
}
// Verify stats
manifest.FacetSeals.Stats.Should().NotBeNull();
manifest.FacetSeals.Stats!.TotalFilesProcessed.Should().BeGreaterThan(0);
manifest.FacetSeals.Stats.FilesMatched.Should().BeGreaterThan(0);
}
[Fact]
public async Task E2E_ScanOciLayers_GeneratesFacetSeals_InSurfaceManifest()
{
// Arrange - Create OCI layers simulating a real container image
var baseLayerFiles = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: base-files\nVersion: 12.0\nStatus: installed" },
{ "/etc/passwd", "root:x:0:0:root:/root:/bin/bash" }
};
var appLayerFiles = new Dictionary<string, string>
{
{ "/app/node_modules/express/package.json", "{\"name\":\"express\",\"version\":\"4.18.2\"}" },
{ "/app/src/index.js", "const express = require('express');" }
};
var configLayerFiles = new Dictionary<string, string>
{
{ "/etc/nginx/nginx.conf", "server { listen 80; }" },
{ "/etc/ssl/certs/custom.pem", "-----BEGIN CERTIFICATE-----" }
};
using var baseLayer = CreateOciLayerFromDirectory(baseLayerFiles);
using var appLayer = CreateOciLayerFromDirectory(appLayerFiles);
using var configLayer = CreateOciLayerFromDirectory(configLayerFiles);
var layers = new[] { baseLayer as Stream, appLayer as Stream, configLayer as Stream };
// Act - Extract facet seals from OCI layers
var facetSeals = await _sealExtractor.ExtractFromOciLayersAsync(
layers,
FacetSealExtractionOptions.Default,
TestContext.Current.CancellationToken);
// Create surface manifest document
var manifest = CreateManifestWithFacetSeals(
facetSeals,
imageDigest: "sha256:oci_multilayer_test",
scanId: "e2e-oci-scan-001");
// Assert
manifest.FacetSeals.Should().NotBeNull();
manifest.FacetSeals!.Facets.Should().NotBeEmpty();
manifest.FacetSeals.CombinedMerkleRoot.Should().NotBeNullOrWhiteSpace();
// Verify layers were merged (files from all layers should be processed)
manifest.FacetSeals.Stats.Should().NotBeNull();
manifest.FacetSeals.Stats!.TotalFilesProcessed.Should().BeGreaterThanOrEqualTo(6);
}
[Fact]
public async Task E2E_ScanToManifest_SerializesWithFacetSeals()
{
// Arrange
var imageFiles = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: test\nVersion: 1.0" },
{ "/app/node_modules/test/package.json", "{\"name\":\"test\"}" }
};
CreateTestDirectory(imageFiles);
// Act
var facetSeals = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
var manifest = CreateManifestWithFacetSeals(facetSeals);
// Serialize and deserialize (verifying JSON round-trip)
var json = JsonSerializer.Serialize(manifest, new JsonSerializerOptions { WriteIndented = true });
var deserialized = JsonSerializer.Deserialize<SurfaceManifestDocument>(json);
// Assert
deserialized.Should().NotBeNull();
deserialized!.FacetSeals.Should().NotBeNull();
deserialized.FacetSeals!.CombinedMerkleRoot.Should().Be(manifest.FacetSeals!.CombinedMerkleRoot);
deserialized.FacetSeals.Facets.Should().HaveCount(manifest.FacetSeals.Facets.Count);
// Verify JSON contains expected fields
json.Should().Contain("\"facetSeals\"");
json.Should().Contain("\"combinedMerkleRoot\"");
json.Should().Contain("\"facets\"");
}
[Fact]
public async Task E2E_ScanToManifest_DeterministicFacetSeals()
{
// Arrange - same files should produce same facet seals
var imageFiles = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: nginx\nVersion: 1.0" },
{ "/etc/nginx/nginx.conf", "server { listen 80; }" }
};
CreateTestDirectory(imageFiles);
// Act - Run extraction twice
var facetSeals1 = await _sealExtractor.ExtractFromDirectoryAsync(_testDir, ct: TestContext.Current.CancellationToken);
var facetSeals2 = await _sealExtractor.ExtractFromDirectoryAsync(_testDir, ct: TestContext.Current.CancellationToken);
var manifest1 = CreateManifestWithFacetSeals(facetSeals1);
var manifest2 = CreateManifestWithFacetSeals(facetSeals2);
// Assert - Both manifests should have identical facet seals
manifest1.FacetSeals!.CombinedMerkleRoot.Should().Be(manifest2.FacetSeals!.CombinedMerkleRoot);
manifest1.FacetSeals.Facets.Count.Should().Be(manifest2.FacetSeals.Facets.Count);
for (int i = 0; i < manifest1.FacetSeals.Facets.Count; i++)
{
manifest1.FacetSeals.Facets[i].MerkleRoot.Should().Be(manifest2.FacetSeals.Facets[i].MerkleRoot);
}
}
[Fact]
public async Task E2E_ScanToManifest_ContentChangeAffectsFacetSeals()
{
// Arrange
var imageFiles = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: nginx\nVersion: 1.0" }
};
CreateTestDirectory(imageFiles);
// Act - Extract first version
var facetSeals1 = await _sealExtractor.ExtractFromDirectoryAsync(_testDir, ct: TestContext.Current.CancellationToken);
// Modify content
File.WriteAllText(
Path.Combine(_testDir, "var", "lib", "dpkg", "status"),
"Package: nginx\nVersion: 2.0");
// Extract second version
var facetSeals2 = await _sealExtractor.ExtractFromDirectoryAsync(_testDir, ct: TestContext.Current.CancellationToken);
// Assert - Merkle roots should differ
facetSeals1!.CombinedMerkleRoot.Should().NotBe(facetSeals2!.CombinedMerkleRoot);
}
[Fact]
public async Task E2E_ScanDisabled_ManifestHasNoFacetSeals()
{
// Arrange
var imageFiles = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: test" }
};
CreateTestDirectory(imageFiles);
// Act - Extract with disabled options
var facetSeals = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
FacetSealExtractionOptions.Disabled,
TestContext.Current.CancellationToken);
var manifest = CreateManifestWithFacetSeals(facetSeals);
// Assert
manifest.FacetSeals.Should().BeNull("Facet seals should be null when extraction is disabled");
}
#endregion
#region Multi-Facet Category Tests
[Fact]
public async Task E2E_ScanWithAllFacetCategories_AllCategoriesInManifest()
{
// Arrange - Create files for all facet categories
var imageFiles = new Dictionary<string, string>
{
// OS Packages
{ "/var/lib/dpkg/status", "Package: nginx" },
{ "/var/lib/rpm/Packages", "rpm db" },
{ "/lib/apk/db/installed", "apk db" },
// Language Dependencies
{ "/app/node_modules/pkg/package.json", "{\"name\":\"pkg\"}" },
{ "/app/requirements.txt", "flask==2.0.0" },
{ "/app/Gemfile.lock", "GEM specs" },
// Configuration
{ "/etc/nginx/nginx.conf", "config" },
{ "/etc/app/config.yaml", "key: value" },
// Certificates
{ "/etc/ssl/certs/ca.crt", "-----BEGIN CERTIFICATE-----" },
{ "/etc/pki/tls/certs/server.crt", "-----BEGIN CERTIFICATE-----" },
// Binaries
{ "/usr/bin/app", "binary" },
{ "/usr/lib/libapp.so", "shared library" }
};
CreateTestDirectory(imageFiles);
// Act
var facetSeals = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
var manifest = CreateManifestWithFacetSeals(facetSeals);
// Assert
manifest.FacetSeals.Should().NotBeNull();
var categories = manifest.FacetSeals!.Facets
.Select(f => f.Category)
.Distinct()
.ToList();
// Should have multiple categories represented
categories.Should().HaveCountGreaterThanOrEqualTo(2,
"Multiple facet categories should be extracted from diverse file structure");
// Stats should reflect comprehensive extraction
manifest.FacetSeals.Stats!.TotalFilesProcessed.Should().BeGreaterThanOrEqualTo(10);
}
#endregion
#region Edge Cases
[Fact]
public async Task E2E_EmptyDirectory_ManifestHasEmptyFacetSeals()
{
// Arrange - empty directory
// Act
var facetSeals = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
var manifest = CreateManifestWithFacetSeals(facetSeals);
// Assert
manifest.FacetSeals.Should().NotBeNull();
manifest.FacetSeals!.Facets.Should().BeEmpty("No facets should be extracted from empty directory");
}
[Fact]
public async Task E2E_NoMatchingFiles_ManifestHasEmptyFacets()
{
// Arrange - files that don't match any facet selectors
var imageFiles = new Dictionary<string, string>
{
{ "/random/file.txt", "random content" },
{ "/another/unknown.dat", "unknown data" }
};
CreateTestDirectory(imageFiles);
// Act
var facetSeals = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
var manifest = CreateManifestWithFacetSeals(facetSeals);
// Assert
manifest.FacetSeals.Should().NotBeNull();
manifest.FacetSeals!.Stats!.FilesUnmatched.Should().Be(2);
}
#endregion
}

234
src/Scanner/__Tests/StellaOps.Scanner.Surface.FS.Tests/FacetSealExtractorTests.cs Normal file
View File

@@ -0,0 +1,234 @@
// <copyright file="FacetSealExtractorTests.cs" company="StellaOps">
// Copyright (c) StellaOps. Licensed under AGPL-3.0-or-later.
// </copyright>
// -----------------------------------------------------------------------------
// FacetSealExtractorTests.cs
// Sprint: SPRINT_20260105_002_002_FACET
// Task: FCT-024 - Unit tests: Surface manifest with facets
// Description: Unit tests for FacetSealExtractor integration.
// -----------------------------------------------------------------------------
using System.Text;
using FluentAssertions;
using Microsoft.Extensions.Time.Testing;
using StellaOps.Facet;
namespace StellaOps.Scanner.Surface.FS.Tests;
/// <summary>
/// Tests for <see cref="FacetSealExtractor"/>.
/// </summary>
[Trait("Category", "Unit")]
public sealed class FacetSealExtractorTests : IDisposable
{
private readonly FakeTimeProvider _timeProvider;
private readonly GlobFacetExtractor _facetExtractor;
private readonly FacetSealExtractor _sealExtractor;
private readonly string _testDir;
public FacetSealExtractorTests()
{
_timeProvider = new FakeTimeProvider(new DateTimeOffset(2026, 1, 6, 12, 0, 0, TimeSpan.Zero));
_facetExtractor = new GlobFacetExtractor(_timeProvider);
_sealExtractor = new FacetSealExtractor(_facetExtractor, _timeProvider);
_testDir = Path.Combine(Path.GetTempPath(), $"facet-seal-test-{Guid.NewGuid():N}");
Directory.CreateDirectory(_testDir);
}
public void Dispose()
{
if (Directory.Exists(_testDir))
{
Directory.Delete(_testDir, recursive: true);
}
}
#region Helper Methods
private void CreateFile(string relativePath, string content)
{
var fullPath = Path.Combine(_testDir, relativePath.TrimStart('/'));
var dir = Path.GetDirectoryName(fullPath);
if (!string.IsNullOrEmpty(dir) && !Directory.Exists(dir))
{
Directory.CreateDirectory(dir);
}
File.WriteAllText(fullPath, content, Encoding.UTF8);
}
#endregion
#region Basic Extraction Tests
[Fact]
public async Task ExtractFromDirectoryAsync_Enabled_ReturnsSurfaceFacetSeals()
{
// Arrange
CreateFile("/etc/nginx/nginx.conf", "server { listen 80; }");
CreateFile("/var/lib/dpkg/status", "Package: nginx\nVersion: 1.0");
// Act
var result = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
FacetSealExtractionOptions.Default,
TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
result!.Facets.Should().NotBeEmpty();
result.CombinedMerkleRoot.Should().NotBeNullOrEmpty();
result.CombinedMerkleRoot.Should().StartWith("sha256:");
result.CreatedAt.Should().Be(_timeProvider.GetUtcNow());
}
[Fact]
public async Task ExtractFromDirectoryAsync_Disabled_ReturnsNull()
{
// Arrange
CreateFile("/etc/test.conf", "content");
// Act
var result = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
FacetSealExtractionOptions.Disabled,
TestContext.Current.CancellationToken);
// Assert
result.Should().BeNull();
}
[Fact]
public async Task ExtractFromDirectoryAsync_EmptyDirectory_ReturnsEmptyFacets()
{
// Act
var result = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
result!.Facets.Should().BeEmpty();
}
#endregion
#region Statistics Tests
[Fact]
public async Task ExtractFromDirectoryAsync_ReturnsCorrectStats()
{
// Arrange
CreateFile("/var/lib/dpkg/status", "Package: nginx\nVersion: 1.0");
CreateFile("/etc/nginx/nginx.conf", "server {}");
CreateFile("/random/file.txt", "unmatched");
// Act
var result = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
result!.Stats.Should().NotBeNull();
result.Stats!.TotalFilesProcessed.Should().BeGreaterThanOrEqualTo(3);
result.Stats.DurationMs.Should().BeGreaterThanOrEqualTo(0);
}
#endregion
#region Facet Entry Tests
[Fact]
public async Task ExtractFromDirectoryAsync_PopulatesFacetEntryFields()
{
// Arrange - create dpkg status file to match os-packages-dpkg facet
CreateFile("/var/lib/dpkg/status", "Package: test\nVersion: 1.0.0");
// Act
var result = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
var dpkgFacet = result!.Facets.FirstOrDefault(f => f.FacetId == "os-packages-dpkg");
dpkgFacet.Should().NotBeNull();
dpkgFacet!.Name.Should().NotBeNullOrEmpty();
dpkgFacet.Category.Should().NotBeNullOrEmpty();
dpkgFacet.MerkleRoot.Should().StartWith("sha256:");
dpkgFacet.FileCount.Should().BeGreaterThan(0);
dpkgFacet.TotalBytes.Should().BeGreaterThan(0);
}
#endregion
#region Determinism Tests
[Fact]
public async Task ExtractFromDirectoryAsync_SameInput_ProducesSameMerkleRoot()
{
// Arrange
CreateFile("/var/lib/dpkg/status", "Package: nginx\nVersion: 1.0");
CreateFile("/etc/nginx/nginx.conf", "server { listen 80; }");
// Act - extract twice
var result1 = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
var result2 = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
// Assert
result1.Should().NotBeNull();
result2.Should().NotBeNull();
result1!.CombinedMerkleRoot.Should().Be(result2!.CombinedMerkleRoot);
}
[Fact]
public async Task ExtractFromDirectoryAsync_DifferentInput_ProducesDifferentMerkleRoot()
{
// Arrange - first extraction
CreateFile("/var/lib/dpkg/status", "Package: nginx\nVersion: 1.0");
var result1 = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
// Modify content
CreateFile("/var/lib/dpkg/status", "Package: nginx\nVersion: 2.0");
var result2 = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
// Assert
result1.Should().NotBeNull();
result2.Should().NotBeNull();
result1!.CombinedMerkleRoot.Should().NotBe(result2!.CombinedMerkleRoot);
}
#endregion
#region Schema Version Tests
[Fact]
public async Task ExtractFromDirectoryAsync_SetsSchemaVersion()
{
// Arrange
CreateFile("/var/lib/dpkg/status", "Package: test");
// Act
var result = await _sealExtractor.ExtractFromDirectoryAsync(
_testDir,
ct: TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
result!.SchemaVersion.Should().Be("1.0.0");
}
#endregion
}

378
src/Scanner/__Tests/StellaOps.Scanner.Surface.FS.Tests/FacetSealIntegrationTests.cs Normal file
View File

@@ -0,0 +1,378 @@
// <copyright file="FacetSealIntegrationTests.cs" company="StellaOps">
// Copyright (c) StellaOps. Licensed under AGPL-3.0-or-later.
// </copyright>
// -----------------------------------------------------------------------------
// FacetSealIntegrationTests.cs
// Sprint: SPRINT_20260105_002_002_FACET
// Task: FCT-020 - Integration tests: Extraction from real image layers
// Description: Integration tests for facet seal extraction from tar and OCI layers.
// -----------------------------------------------------------------------------
using System.Formats.Tar;
using System.IO.Compression;
using System.Text;
using FluentAssertions;
using Microsoft.Extensions.Time.Testing;
using StellaOps.Facet;
namespace StellaOps.Scanner.Surface.FS.Tests;
/// <summary>
/// Integration tests for facet seal extraction from tar and OCI layers.
/// </summary>
[Trait("Category", "Integration")]
public sealed class FacetSealIntegrationTests : IDisposable
{
private readonly FakeTimeProvider _timeProvider;
private readonly GlobFacetExtractor _facetExtractor;
private readonly FacetSealExtractor _sealExtractor;
private readonly string _testDir;
public FacetSealIntegrationTests()
{
_timeProvider = new FakeTimeProvider(new DateTimeOffset(2026, 1, 6, 12, 0, 0, TimeSpan.Zero));
_facetExtractor = new GlobFacetExtractor(_timeProvider);
_sealExtractor = new FacetSealExtractor(_facetExtractor, _timeProvider);
_testDir = Path.Combine(Path.GetTempPath(), $"facet-integration-{Guid.NewGuid():N}");
Directory.CreateDirectory(_testDir);
}
public void Dispose()
{
if (Directory.Exists(_testDir))
{
Directory.Delete(_testDir, recursive: true);
}
}
#region Helper Methods
private MemoryStream CreateTarArchive(Dictionary<string, string> files)
{
var stream = new MemoryStream();
using (var tarWriter = new TarWriter(stream, TarEntryFormat.Pax, leaveOpen: true))
{
foreach (var (path, content) in files)
{
var entry = new PaxTarEntry(TarEntryType.RegularFile, path.TrimStart('/'))
{
DataStream = new MemoryStream(Encoding.UTF8.GetBytes(content))
};
tarWriter.WriteEntry(entry);
}
}
stream.Position = 0;
return stream;
}
private MemoryStream CreateOciLayer(Dictionary<string, string> files)
{
var tarStream = CreateTarArchive(files);
var gzipStream = new MemoryStream();
using (var gzip = new GZipStream(gzipStream, CompressionMode.Compress, leaveOpen: true))
{
tarStream.CopyTo(gzip);
}
gzipStream.Position = 0;
return gzipStream;
}
#endregion
#region Tar Extraction Tests
[Fact]
public async Task ExtractFromTarAsync_ValidTar_ExtractsFacets()
{
// Arrange
var files = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: nginx\nVersion: 1.0" },
{ "/etc/nginx/nginx.conf", "server { listen 80; }" },
{ "/usr/bin/nginx", "binary_content" }
};
using var tarStream = CreateTarArchive(files);
// Act
var result = await _sealExtractor.ExtractFromTarAsync(
tarStream,
ct: TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
result!.Facets.Should().NotBeEmpty();
result.CombinedMerkleRoot.Should().StartWith("sha256:");
result.Stats.Should().NotBeNull();
result.Stats!.TotalFilesProcessed.Should().BeGreaterThanOrEqualTo(3);
}
[Fact]
public async Task ExtractFromTarAsync_EmptyTar_ReturnsEmptyFacets()
{
// Arrange
using var tarStream = CreateTarArchive(new Dictionary<string, string>());
// Act
var result = await _sealExtractor.ExtractFromTarAsync(
tarStream,
ct: TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
result!.Facets.Should().BeEmpty();
}
[Fact]
public async Task ExtractFromTarAsync_MatchesDpkgFacet()
{
// Arrange
var files = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: openssl\nVersion: 3.0.0" },
{ "/var/lib/dpkg/info/openssl.list", "/usr/lib/libssl.so" }
};
using var tarStream = CreateTarArchive(files);
// Act
var result = await _sealExtractor.ExtractFromTarAsync(
tarStream,
ct: TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
var dpkgFacet = result!.Facets.FirstOrDefault(f => f.FacetId == "os-packages-dpkg");
dpkgFacet.Should().NotBeNull();
dpkgFacet!.FileCount.Should().BeGreaterThanOrEqualTo(1);
}
[Fact]
public async Task ExtractFromTarAsync_MatchesNodeModulesFacet()
{
// Arrange
var files = new Dictionary<string, string>
{
{ "/app/node_modules/express/package.json", "{\"name\":\"express\",\"version\":\"4.18.0\"}" },
{ "/app/package-lock.json", "{\"lockfileVersion\":3}" }
};
using var tarStream = CreateTarArchive(files);
// Act
var result = await _sealExtractor.ExtractFromTarAsync(
tarStream,
ct: TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
var npmFacet = result!.Facets.FirstOrDefault(f => f.FacetId == "lang-deps-npm");
npmFacet.Should().NotBeNull();
}
#endregion
#region OCI Layer Extraction Tests
[Fact]
public async Task ExtractFromOciLayersAsync_SingleLayer_ExtractsFacets()
{
// Arrange
var files = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: curl\nVersion: 7.0" },
{ "/etc/hosts", "127.0.0.1 localhost" }
};
using var layerStream = CreateOciLayer(files);
var layers = new[] { layerStream as Stream };
// Act
var result = await _sealExtractor.ExtractFromOciLayersAsync(
layers,
ct: TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
result!.Facets.Should().NotBeEmpty();
result.CombinedMerkleRoot.Should().StartWith("sha256:");
}
[Fact]
public async Task ExtractFromOciLayersAsync_MultipleLayers_MergesFacets()
{
// Arrange - base layer has dpkg, upper layer adds config
var baseLayerFiles = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: base\nVersion: 1.0" }
};
var upperLayerFiles = new Dictionary<string, string>
{
{ "/etc/nginx/nginx.conf", "server {}" }
};
using var baseLayer = CreateOciLayer(baseLayerFiles);
using var upperLayer = CreateOciLayer(upperLayerFiles);
var layers = new[] { baseLayer as Stream, upperLayer as Stream };
// Act
var result = await _sealExtractor.ExtractFromOciLayersAsync(
layers,
ct: TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
result!.Stats.Should().NotBeNull();
result.Stats!.TotalFilesProcessed.Should().BeGreaterThanOrEqualTo(2);
}
#endregion
#region Determinism Tests
[Fact]
public async Task ExtractFromTarAsync_SameTar_ProducesSameMerkleRoot()
{
// Arrange
var files = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: test\nVersion: 1.0" },
{ "/etc/test.conf", "config content" }
};
using var tarStream1 = CreateTarArchive(files);
using var tarStream2 = CreateTarArchive(files);
// Act
var result1 = await _sealExtractor.ExtractFromTarAsync(
tarStream1,
ct: TestContext.Current.CancellationToken);
var result2 = await _sealExtractor.ExtractFromTarAsync(
tarStream2,
ct: TestContext.Current.CancellationToken);
// Assert
result1.Should().NotBeNull();
result2.Should().NotBeNull();
result1!.CombinedMerkleRoot.Should().Be(result2!.CombinedMerkleRoot);
}
[Fact]
public async Task ExtractFromTarAsync_DifferentContent_ProducesDifferentMerkleRoot()
{
// Arrange
var files1 = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: test\nVersion: 1.0" }
};
var files2 = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: test\nVersion: 2.0" }
};
using var tarStream1 = CreateTarArchive(files1);
using var tarStream2 = CreateTarArchive(files2);
// Act
var result1 = await _sealExtractor.ExtractFromTarAsync(
tarStream1,
ct: TestContext.Current.CancellationToken);
var result2 = await _sealExtractor.ExtractFromTarAsync(
tarStream2,
ct: TestContext.Current.CancellationToken);
// Assert
result1.Should().NotBeNull();
result2.Should().NotBeNull();
result1!.CombinedMerkleRoot.Should().NotBe(result2!.CombinedMerkleRoot);
}
#endregion
#region Options Tests
[Fact]
public async Task ExtractFromTarAsync_Disabled_ReturnsNull()
{
// Arrange
var files = new Dictionary<string, string>
{
{ "/var/lib/dpkg/status", "Package: test" }
};
using var tarStream = CreateTarArchive(files);
// Act
var result = await _sealExtractor.ExtractFromTarAsync(
tarStream,
FacetSealExtractionOptions.Disabled,
TestContext.Current.CancellationToken);
// Assert
result.Should().BeNull();
}
[Fact]
public async Task ExtractFromOciLayersAsync_Disabled_ReturnsNull()
{
// Arrange
using var layer = CreateOciLayer(new Dictionary<string, string>
{
{ "/etc/test.conf", "content" }
});
// Act
var result = await _sealExtractor.ExtractFromOciLayersAsync(
[layer],
FacetSealExtractionOptions.Disabled,
TestContext.Current.CancellationToken);
// Assert
result.Should().BeNull();
}
#endregion
#region Multi-Facet Category Tests
[Fact]
public async Task ExtractFromTarAsync_MultipleCategories_AllCategoriesRepresented()
{
// Arrange - files for multiple facet categories
var files = new Dictionary<string, string>
{
// OS Packages
{ "/var/lib/dpkg/status", "Package: nginx" },
// Language Dependencies
{ "/app/node_modules/express/package.json", "{\"name\":\"express\"}" },
// Configuration
{ "/etc/nginx/nginx.conf", "server {}" },
// Certificates
{ "/etc/ssl/certs/ca-cert.pem", "-----BEGIN CERTIFICATE-----" }
};
using var tarStream = CreateTarArchive(files);
// Act
var result = await _sealExtractor.ExtractFromTarAsync(
tarStream,
ct: TestContext.Current.CancellationToken);
// Assert
result.Should().NotBeNull();
result!.Facets.Should().HaveCountGreaterThanOrEqualTo(2);
var categories = result.Facets.Select(f => f.Category).Distinct().ToList();
categories.Should().HaveCountGreaterThan(1);
}
#endregion
}

2
src/Scanner/__Tests/StellaOps.Scanner.Surface.FS.Tests/StellaOps.Scanner.Surface.FS.Tests.csproj
View File

@@ -11,6 +11,8 @@
</PropertyGroup>
<ItemGroup>
<PackageReference Include="xunit.v3" />
<PackageReference Include="FluentAssertions" />
<PackageReference Include="Microsoft.Extensions.TimeProvider.Testing" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="../../__Libraries/StellaOps.Scanner.Surface.FS/StellaOps.Scanner.Surface.FS.csproj" />