@@ -8,5 +8,7 @@ namespace StellaOps.Policy.Scoring.Receipts;
|
||||
/// </summary>
|
||||
public interface IReceiptRepository
|
||||
{
|
||||
Task<CvssScoreReceipt> SaveAsync(CvssScoreReceipt receipt, CancellationToken cancellationToken = default);
|
||||
Task<CvssScoreReceipt> SaveAsync(string tenantId, CvssScoreReceipt receipt, CancellationToken cancellationToken = default);
|
||||
Task<CvssScoreReceipt?> GetAsync(string tenantId, string receiptId, CancellationToken cancellationToken = default);
|
||||
Task<CvssScoreReceipt> UpdateAsync(string tenantId, CvssScoreReceipt receipt, CancellationToken cancellationToken = default);
|
||||
}
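Review bot: `UpdateAsync(string tenantId, CvssScoreReceipt receipt, …)`, the last new member, takes no expected revision or ETag, so a caller that reads with `GetAsync` and writes back with `UpdateAsync` (which is exactly what the new ReceiptHistoryService.AmendAsync does) can overwrite a concurrent amendment's history entry without noticing. Either add a concurrency token, e.g. `Task<CvssScoreReceipt> UpdateAsync(string tenantId, CvssScoreReceipt receipt, string expectedRevision, CancellationToken cancellationToken = default);`, or state last-writer-wins in the interface docs so implementers and callers know what they get. The three new members also carry no XML docs although the interface itself has a `<summary>` just above; each should say that `tenantId` scopes the operation and, for `GetAsync`, that the nullable return is the intended signal for an unknown or other-tenant id rather than an exception. The interface appears complete within this hunk.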
|
||||
|
||||
@@ -4,6 +4,7 @@ using System.Text;
|
||||
using System.Text.Encodings.Web;
|
||||
using System.Text.Json;
|
||||
using System.Text.Json.Serialization;
|
||||
using StellaOps.Attestor.Envelope;
|
||||
using StellaOps.Policy.Scoring.Engine;
|
||||
|
||||
namespace StellaOps.Policy.Scoring.Receipts;
|
||||
@@ -20,6 +21,7 @@ public sealed record CreateReceiptRequest
|
||||
public CvssEnvironmentalMetrics? EnvironmentalMetrics { get; init; }
|
||||
public CvssSupplementalMetrics? SupplementalMetrics { get; init; }
|
||||
public ImmutableList<CvssEvidenceItem> Evidence { get; init; } = [];
|
||||
public EnvelopeKey? SigningKey { get; init; }
|
||||
}
|
||||
|
||||
public interface IReceiptBuilder
|
||||
@@ -32,7 +34,7 @@ public interface IReceiptBuilder
|
||||
/// </summary>
|
||||
public sealed class ReceiptBuilder : IReceiptBuilder
|
||||
{
|
||||
private static readonly JsonSerializerOptions CanonicalSerializerOptions = new()
|
||||
internal static readonly JsonSerializerOptions SerializerOptions = new()
|
||||
{
|
||||
PropertyNamingPolicy = null,
|
||||
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
|
||||
@@ -42,11 +44,13 @@ public sealed class ReceiptBuilder : IReceiptBuilder
|
||||
|
||||
private readonly ICvssV4Engine _engine;
|
||||
private readonly IReceiptRepository _repository;
|
||||
private readonly EnvelopeSignatureService _signatureService;
|
||||
|
||||
public ReceiptBuilder(ICvssV4Engine engine, IReceiptRepository repository)
|
||||
{
|
||||
_engine = engine;
|
||||
_repository = repository;
|
||||
_signatureService = new EnvelopeSignatureService();
|
||||
}
|
||||
|
||||
public async Task<CvssScoreReceipt> CreateAsync(CreateReceiptRequest request, CancellationToken cancellationToken = default)
|
||||
@@ -115,7 +119,15 @@ public sealed class ReceiptBuilder : IReceiptBuilder
|
||||
SupersededReason = null
|
||||
};
|
||||
|
||||
return await _repository.SaveAsync(receipt, cancellationToken).ConfigureAwait(false);
|
||||
if (request.SigningKey is not null)
|
||||
{
|
||||
receipt = receipt with
|
||||
{
|
||||
AttestationRefs = CreateAttestationRefs(receipt, request.SigningKey)
|
||||
};
|
||||
}
|
||||
|
||||
return await _repository.SaveAsync(request.TenantId, receipt, cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
|
||||
private static void ValidateEvidence(CvssPolicy policy, ImmutableList<CvssEvidenceItem> evidence)
|
||||
@@ -170,34 +182,34 @@ public sealed class ReceiptBuilder : IReceiptBuilder
|
||||
writer.WriteString("vector", vector);
|
||||
|
||||
writer.WritePropertyName("baseMetrics");
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(request.BaseMetrics, CanonicalSerializerOptions), writer);
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(request.BaseMetrics, SerializerOptions), writer);
|
||||
|
||||
writer.WritePropertyName("threatMetrics");
|
||||
if (request.ThreatMetrics is not null)
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(request.ThreatMetrics, CanonicalSerializerOptions), writer);
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(request.ThreatMetrics, SerializerOptions), writer);
|
||||
else
|
||||
writer.WriteNullValue();
|
||||
|
||||
writer.WritePropertyName("environmentalMetrics");
|
||||
if (request.EnvironmentalMetrics is not null)
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(request.EnvironmentalMetrics, CanonicalSerializerOptions), writer);
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(request.EnvironmentalMetrics, SerializerOptions), writer);
|
||||
else
|
||||
writer.WriteNullValue();
|
||||
|
||||
writer.WritePropertyName("supplementalMetrics");
|
||||
if (request.SupplementalMetrics is not null)
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(request.SupplementalMetrics, CanonicalSerializerOptions), writer);
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(request.SupplementalMetrics, SerializerOptions), writer);
|
||||
else
|
||||
writer.WriteNullValue();
|
||||
|
||||
writer.WritePropertyName("scores");
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(scores, CanonicalSerializerOptions), writer);
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(scores, SerializerOptions), writer);
|
||||
|
||||
writer.WritePropertyName("evidence");
|
||||
writer.WriteStartArray();
|
||||
foreach (var ev in evidence)
|
||||
{
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(ev, CanonicalSerializerOptions), writer);
|
||||
WriteCanonical(JsonSerializer.SerializeToElement(ev, SerializerOptions), writer);
|
||||
}
|
||||
writer.WriteEndArray();
|
||||
|
||||
@@ -208,6 +220,41 @@ public sealed class ReceiptBuilder : IReceiptBuilder
|
||||
return Convert.ToHexString(hash).ToLowerInvariant();
|
||||
}
|
||||
|
||||
private ImmutableList<string> CreateAttestationRefs(CvssScoreReceipt receipt, EnvelopeKey signingKey)
|
||||
{
|
||||
// Serialize receipt deterministically as DSSE payload
|
||||
var payload = JsonSerializer.SerializeToUtf8Bytes(receipt, SerializerOptions);
|
||||
|
||||
var signatureResult = _signatureService.Sign(payload, signingKey);
|
||||
if (!signatureResult.IsSuccess)
|
||||
{
|
||||
throw new InvalidOperationException($"Failed to sign receipt: {signatureResult.Error?.Message}");
|
||||
}
|
||||
|
||||
var envelope = new DsseEnvelope(
|
||||
payloadType: "stella.ops/cvssReceipt@v1",
|
||||
payload: payload,
|
||||
signatures: new[] { DsseSignature.FromBytes(signatureResult.Value.Value.Span, signatureResult.Value.KeyId) });
|
||||
|
||||
var serialized = DsseEnvelopeSerializer.Serialize(envelope, new DsseEnvelopeSerializationOptions
|
||||
{
|
||||
EmitCompactJson = true,
|
||||
EmitExpandedJson = false,
|
||||
CompressionAlgorithm = DsseCompressionAlgorithm.None
|
||||
});
|
||||
|
||||
// store compact JSON as base64 for transport; include payload hash for lookup
|
||||
var compactBase64 = serialized.CompactJson is null
|
||||
? null
|
||||
: Convert.ToBase64String(serialized.CompactJson);
|
||||
|
||||
var refString = compactBase64 is null
|
||||
? $"dsse:{serialized.PayloadSha256}:{signingKey.KeyId}"
|
||||
: $"dsse:{serialized.PayloadSha256}:{signingKey.KeyId}:{compactBase64}";
|
||||
|
||||
return ImmutableList<string>.Empty.Add(refString);
|
||||
}
|
||||
|
||||
private static void WriteCanonical(JsonElement element, Utf8JsonWriter writer)
|
||||
{
|
||||
switch (element.ValueKind)
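Review bot: The comment `// Serialize receipt deterministically as DSSE payload` above `JsonSerializer.SerializeToUtf8Bytes(receipt, SerializerOptions)` overstates what that call provides: it is ordinary System.Text.Json output, not the `WriteCanonical` form this class uses to produce the receipt hash further up, so `serialized.PayloadSha256` hashes a different document than the receipt's own hash and anyone re-deriving the payload must reproduce exactly these options. Either route the payload through the canonical writer or reword the comment to `// DSSE payload is the plain STJ form under SerializerOptions; it is not the canonical hash form`. The ref `dsse:{sha}:{keyId}:{base64}` is colon-delimited while `signingKey.KeyId` is unconstrained here, so a key id containing ':' makes the ref ambiguous to split; rejecting such ids up front (`if (signingKey.KeyId.Contains(':')) throw new ArgumentException("KeyId must not contain ':'", nameof(signingKey));`) or choosing a separator the id cannot contain would close that. Note also that the caller signs `receipt` before assigning `AttestationRefs` from the result, so the stored record is not byte-equal to the signed payload; a sentence to that effect in the method's XML doc would save a verifier a surprise. The same body is repeated verbatim as ReceiptHistoryService.SignReceipt in this commit, and both paths receive the private key through a request record (`EnvelopeKey? SigningKey`) that may be logged or model-bound; a single internal helper that resolves the key by id from a key provider would address both.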
|
||||
|
||||
@@ -0,0 +1,107 @@
|
||||
using System.Collections.Immutable;
|
||||
using StellaOps.Attestor.Envelope;
|
||||
|
||||
namespace StellaOps.Policy.Scoring.Receipts;
|
||||
|
||||
public sealed record AmendReceiptRequest
|
||||
{
|
||||
public required string ReceiptId { get; init; }
|
||||
public required string TenantId { get; init; }
|
||||
public required string Actor { get; init; }
|
||||
public required string Field { get; init; }
|
||||
public string? PreviousValue { get; init; }
|
||||
public string? NewValue { get; init; }
|
||||
public required string Reason { get; init; }
|
||||
public string? ReferenceUri { get; init; }
|
||||
public EnvelopeKey? SigningKey { get; init; }
|
||||
}
|
||||
|
||||
public interface IReceiptHistoryService
|
||||
{
|
||||
Task<CvssScoreReceipt> AmendAsync(AmendReceiptRequest request, CancellationToken cancellationToken = default);
|
||||
}
|
||||
|
||||
public sealed class ReceiptHistoryService : IReceiptHistoryService
|
||||
{
|
||||
private readonly IReceiptRepository _repository;
|
||||
private readonly EnvelopeSignatureService _signatureService = new();
|
||||
|
||||
public ReceiptHistoryService(IReceiptRepository repository)
|
||||
{
|
||||
_repository = repository;
|
||||
}
|
||||
|
||||
public async Task<CvssScoreReceipt> AmendAsync(AmendReceiptRequest request, CancellationToken cancellationToken = default)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(request);
|
||||
|
||||
var existing = await _repository.GetAsync(request.TenantId, request.ReceiptId, cancellationToken)
|
||||
?? throw new InvalidOperationException($"Receipt '{request.ReceiptId}' not found.");
|
||||
|
||||
var now = DateTimeOffset.UtcNow;
|
||||
var historyId = Guid.NewGuid().ToString("N");
|
||||
|
||||
var newHistory = existing.History.Add(new ReceiptHistoryEntry
|
||||
{
|
||||
HistoryId = historyId,
|
||||
Timestamp = now,
|
||||
Actor = request.Actor,
|
||||
ChangeType = ReceiptChangeType.Amended,
|
||||
Field = request.Field,
|
||||
PreviousValue = request.PreviousValue,
|
||||
NewValue = request.NewValue,
|
||||
Reason = request.Reason,
|
||||
ReferenceUri = request.ReferenceUri,
|
||||
Signature = null
|
||||
});
|
||||
|
||||
var amended = existing with
|
||||
{
|
||||
ModifiedAt = now,
|
||||
ModifiedBy = request.Actor,
|
||||
History = newHistory
|
||||
};
|
||||
|
||||
if (request.SigningKey is not null)
|
||||
{
|
||||
amended = amended with
|
||||
{
|
||||
AttestationRefs = SignReceipt(amended, request.SigningKey)
|
||||
};
|
||||
}
|
||||
|
||||
return await _repository.UpdateAsync(request.TenantId, amended, cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
|
||||
private ImmutableList<string> SignReceipt(CvssScoreReceipt receipt, EnvelopeKey signingKey)
|
||||
{
|
||||
var payload = System.Text.Json.JsonSerializer.SerializeToUtf8Bytes(receipt, ReceiptBuilder.SerializerOptions);
|
||||
var signatureResult = _signatureService.Sign(payload, signingKey);
|
||||
if (!signatureResult.IsSuccess)
|
||||
{
|
||||
throw new InvalidOperationException($"Failed to sign amended receipt: {signatureResult.Error?.Message}");
|
||||
}
|
||||
|
||||
var envelope = new DsseEnvelope(
|
||||
payloadType: "stella.ops/cvssReceipt@v1",
|
||||
payload: payload,
|
||||
signatures: new[] { DsseSignature.FromBytes(signatureResult.Value.Value.Span, signatureResult.Value.KeyId) });
|
||||
|
||||
var serialized = DsseEnvelopeSerializer.Serialize(envelope, new DsseEnvelopeSerializationOptions
|
||||
{
|
||||
EmitCompactJson = true,
|
||||
EmitExpandedJson = false,
|
||||
CompressionAlgorithm = DsseCompressionAlgorithm.None
|
||||
});
|
||||
|
||||
var compactBase64 = serialized.CompactJson is null
|
||||
? null
|
||||
: Convert.ToBase64String(serialized.CompactJson);
|
||||
|
||||
var refString = compactBase64 is null
|
||||
? $"dsse:{serialized.PayloadSha256}:{signingKey.KeyId}"
|
||||
: $"dsse:{serialized.PayloadSha256}:{signingKey.KeyId}:{compactBase64}";
|
||||
|
||||
return ImmutableList<string>.Empty.Add(refString);
|
||||
}
|
||||
}
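Review bot: In AmendAsync, `AttestationRefs = SignReceipt(amended, request.SigningKey)` replaces the receipt's existing refs with the single entry returned by `ImmutableList<string>.Empty.Add(refString)`, so the signature produced at creation is dropped from the stored record and survives only inside the new DSSE payload; appending instead (`AttestationRefs = amended.AttestationRefs.AddRange(SignReceipt(amended, request.SigningKey))`, null-guarded if the property can be null) keeps the chain intact. The new history entry records `request.PreviousValue` as supplied by the caller rather than anything read from `existing`, so the audit trail reflects the caller's assertion, not the stored state; if the receipt exposes the amended field, derive the previous value from it, and if it does not, the XML doc on AmendReceiptRequest should say plainly that PreviousValue is caller-asserted. `TenantId`, `ReceiptId` and `Actor` reach the repository with no check beyond `ThrowIfNull(request)`; `ArgumentException.ThrowIfNullOrWhiteSpace(request.TenantId);` and the same for the other two at the top of AmendAsync would stop an empty tenant id from being used as a lookup scope. `Signature = null` on the ReceiptHistoryEntry even when a SigningKey is present, together with inline `DateTimeOffset.UtcNow` and `Guid.NewGuid()`, deserves either a comment explaining that per-entry attestation is deferred or a TimeProvider injection so the amend path is testable and each entry can be individually attested later.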
|
||||
@@ -12,6 +12,7 @@
|
||||
<PackageReference Include="System.Text.Json" Version="10.0.0" />
|
||||
<PackageReference Include="JsonSchema.Net" Version="5.3.0" />
|
||||
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0-rc.2.25502.107" />
|
||||
<ProjectReference Include="..\..\Attestor\StellaOps.Attestor.Envelope\StellaOps.Attestor.Envelope.csproj" />
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
|
||||