stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat: Implement Wine CSP HTTP provider for GOST cryptographic operations
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details

Browse Source 
- Added WineCspHttpProvider class to interface with Wine-hosted CryptoPro CSP.
- Implemented ICryptoProvider, ICryptoProviderDiagnostics, and IDisposable interfaces.
- Introduced WineCspHttpSigner and WineCspHttpHasher for signing and hashing operations.
- Created WineCspProviderOptions for configuration settings including service URL and key options.
- Developed CryptoProGostSigningService to handle GOST signing operations and key management.
- Implemented HTTP service for the Wine CSP with endpoints for signing, verification, and hashing.
- Added Swagger documentation for API endpoints.
- Included health checks and error handling for service availability.
- Established DTOs for request and response models in the service.
This commit is contained in:
StellaOps Bot
2025-12-07 14:02:42 +02:00
parent 965cbf9574
commit bd2529502e
56 changed files with 9438 additions and 699 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/Signals/__Tests/StellaOps.Signals.Tests/RuntimeFactsIngestionServiceTests.cs
View File

@@ -17,12 +17,14 @@ public class RuntimeFactsIngestionServiceTests
var scoringService = new RecordingScoringService();
var cache = new InMemoryReachabilityCache();
var eventsPublisher = new RecordingEventsPublisher();
var provenanceNormalizer = new RuntimeFactsProvenanceNormalizer();
var service = new RuntimeFactsIngestionService(
factRepository,
TimeProvider.System,
cache,
eventsPublisher,
scoringService,
provenanceNormalizer,
NullLogger<RuntimeFactsIngestionService>.Instance);
var request = new RuntimeFactsIngestRequest
@@ -61,6 +63,21 @@ public class RuntimeFactsIngestionServiceTests
Assert.Equal("runtime", persisted.Metadata?["provenance.source"]);
Assert.Equal("cg-123", persisted.Metadata?["provenance.callgraphId"]);
Assert.NotNull(persisted.Metadata?["provenance.ingestedAt"]);
// Verify context_facts with AOC provenance (SIGNALS-24-003)
Assert.NotNull(persisted.ContextFacts);
Assert.NotNull(persisted.ContextFacts.Provenance);
Assert.Equal(1, persisted.ContextFacts.Provenance.SchemaVersion);
Assert.Equal(ProvenanceFeedType.RuntimeFacts, persisted.ContextFacts.Provenance.FeedType);
Assert.Equal(3, persisted.ContextFacts.RecordCount); // Three events (provenance tracks each observation)
Assert.NotEmpty(persisted.ContextFacts.Provenance.Records);
Assert.All(persisted.ContextFacts.Provenance.Records, record =>
{
Assert.NotEmpty(record.RecordId);
Assert.NotEmpty(record.RecordType);
Assert.NotNull(record.Subject);
Assert.NotNull(record.Facts);
});
}
private sealed class InMemoryReachabilityFactRepository : IReachabilityFactRepository

400
src/Signals/__Tests/StellaOps.Signals.Tests/RuntimeFactsProvenanceNormalizerTests.cs Normal file
View File

@@ -0,0 +1,400 @@
using System;
using System.Collections.Generic;
using System.Linq;
using StellaOps.Signals.Models;
using StellaOps.Signals.Services;
using Xunit;
namespace StellaOps.Signals.Tests;
public class RuntimeFactsProvenanceNormalizerTests
{
private readonly RuntimeFactsProvenanceNormalizer _normalizer = new();
[Fact]
public void NormalizeToFeed_CreatesValidProvenanceFeed()
{
var events = new List<RuntimeFactEvent>
{
new() { SymbolId = "svc.foo", HitCount = 5 },
new() { SymbolId = "svc.bar", HitCount = 3 }
};
var subject = new ReachabilitySubject { Component = "web", Version = "1.0.0" };
var timestamp = DateTimeOffset.Parse("2025-12-07T10:00:00Z");
var feed = _normalizer.NormalizeToFeed(events, subject, "cg-123", null, timestamp);
Assert.Equal(1, feed.SchemaVersion);
Assert.Equal(ProvenanceFeedType.RuntimeFacts, feed.FeedType);
Assert.NotEmpty(feed.FeedId);
Assert.Equal(timestamp, feed.GeneratedAt);
Assert.Equal("signals-runtime-ingestion", feed.SourceService);
Assert.Equal("cg-123", feed.CorrelationId);
Assert.Equal(2, feed.Records.Count);
}
[Fact]
public void NormalizeToFeed_PopulatesAocMetadata()
{
var events = new List<RuntimeFactEvent>
{
new() { SymbolId = "svc.foo", HitCount = 1 }
};
var subject = new ReachabilitySubject { Component = "web", Version = "1.0.0" };
var requestMetadata = new Dictionary<string, string?> { ["source"] = "ebpf-agent" };
var feed = _normalizer.NormalizeToFeed(events, subject, "cg-456", requestMetadata, DateTimeOffset.UtcNow);
Assert.NotNull(feed.Metadata);
Assert.Equal("1", feed.Metadata["aoc.version"]);
Assert.Equal("SGSI0101", feed.Metadata["aoc.contract"]);
Assert.Equal("cg-456", feed.Metadata["callgraphId"]);
Assert.Equal("web|1.0.0", feed.Metadata["subjectKey"]);
Assert.Equal("ebpf-agent", feed.Metadata["request.source"]);
}
[Fact]
public void NormalizeToFeed_SetsRecordTypeBasedOnProcessMetadata()
{
var evt = new RuntimeFactEvent
{
SymbolId = "svc.foo",
ProcessName = "python3",
ProcessId = 12345,
HitCount = 1
};
var subject = new ReachabilitySubject { Component = "api", Version = "2.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-test", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
Assert.Equal("runtime.process.observed", feed.Records[0].RecordType);
Assert.Equal(ProvenanceSubjectType.Process, feed.Records[0].Subject.Type);
}
[Fact]
public void NormalizeToFeed_SetsRecordTypeForNetworkConnection()
{
var evt = new RuntimeFactEvent
{
SymbolId = "net.connect",
SocketAddress = "10.0.0.1:8080",
HitCount = 1
};
var subject = new ReachabilitySubject { Component = "gateway", Version = "1.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-net", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
Assert.Equal("runtime.network.connection", feed.Records[0].RecordType);
}
[Fact]
public void NormalizeToFeed_SetsRecordTypeForContainerActivity()
{
var evt = new RuntimeFactEvent
{
SymbolId = "container.exec",
ContainerId = "abc123def456",
HitCount = 1
};
var subject = new ReachabilitySubject { ImageDigest = "sha256:deadbeef" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-container", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
Assert.Equal("runtime.container.activity", feed.Records[0].RecordType);
Assert.Equal(ProvenanceSubjectType.Container, feed.Records[0].Subject.Type);
}
[Fact]
public void NormalizeToFeed_SetsRecordTypeForPackageLoaded()
{
var evt = new RuntimeFactEvent
{
SymbolId = "pkg.load",
Purl = "pkg:npm/lodash@4.17.21",
HitCount = 1
};
var subject = new ReachabilitySubject { Component = "webapp", Version = "1.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-pkg", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
Assert.Equal("runtime.package.loaded", feed.Records[0].RecordType);
Assert.Equal(ProvenanceSubjectType.Package, feed.Records[0].Subject.Type);
Assert.Equal("pkg:npm/lodash@4.17.21", feed.Records[0].Subject.Identifier);
}
[Fact]
public void NormalizeToFeed_PopulatesRuntimeProvenanceFacts()
{
var evt = new RuntimeFactEvent
{
SymbolId = "svc.handler",
ProcessName = "java",
ProcessId = 9999,
SocketAddress = "localhost:3306",
ContainerId = "k8s_pod_abc",
HitCount = 42,
Purl = "pkg:maven/com.example/lib@1.0.0",
CodeId = "code-123",
BuildId = "build-456",
LoaderBase = "/usr/lib/jvm",
Metadata = new Dictionary<string, string?> { ["env"] = "prod" }
};
var subject = new ReachabilitySubject { Component = "svc", Version = "3.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-full", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
var facts = feed.Records[0].Facts;
Assert.NotNull(facts);
Assert.Equal("svc.handler", facts.SymbolId);
Assert.Equal("java", facts.ProcessName);
Assert.Equal(9999, facts.ProcessId);
Assert.Equal("localhost:3306", facts.SocketAddress);
Assert.Equal("k8s_pod_abc", facts.ContainerId);
Assert.Equal(42, facts.HitCount);
Assert.Equal("pkg:maven/com.example/lib@1.0.0", facts.Purl);
Assert.Equal("code-123", facts.CodeId);
Assert.Equal("build-456", facts.BuildId);
Assert.Equal("/usr/lib/jvm", facts.LoaderBase);
Assert.NotNull(facts.Metadata);
Assert.Equal("prod", facts.Metadata["env"]);
}
[Fact]
public void NormalizeToFeed_SetsConfidenceBasedOnEvidence()
{
var evtWithFullEvidence = new RuntimeFactEvent
{
SymbolId = "svc.full",
ProcessName = "node",
ProcessId = 1234,
SymbolDigest = "sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
EvidenceUri = "s3://bucket/evidence.json",
HitCount = 1
};
var evtMinimal = new RuntimeFactEvent
{
SymbolId = "svc.minimal",
HitCount = 1
};
var subject = new ReachabilitySubject { Component = "app", Version = "1.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evtWithFullEvidence, evtMinimal }, subject, "cg-conf", null, DateTimeOffset.UtcNow);
Assert.Equal(2, feed.Records.Count);
var fullRecord = feed.Records.First(r => r.Facts?.SymbolId == "svc.full");
var minimalRecord = feed.Records.First(r => r.Facts?.SymbolId == "svc.minimal");
Assert.True(fullRecord.Confidence > minimalRecord.Confidence);
Assert.True(fullRecord.Confidence >= 0.95);
Assert.True(minimalRecord.Confidence >= 0.95);
}
[Fact]
public void NormalizeToFeed_BuildsEvidenceWithCaptureMethod()
{
var evt = new RuntimeFactEvent
{
SymbolId = "svc.traced",
SymbolDigest = "abc123",
EvidenceUri = "s3://evidence/trace.json",
ProcessId = 5678,
HitCount = 1,
Metadata = new Dictionary<string, string?> { ["captureMethod"] = "eBPF" }
};
var subject = new ReachabilitySubject { Component = "traced", Version = "1.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-evidence", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
var evidence = feed.Records[0].Evidence;
Assert.NotNull(evidence);
Assert.Equal(EvidenceCaptureMethod.EBpf, evidence.CaptureMethod);
Assert.Equal("s3://evidence/trace.json", evidence.RawDataRef);
}
[Fact]
public void NormalizeToFeed_NormalizesDigestWithSha256Prefix()
{
var evt = new RuntimeFactEvent
{
SymbolId = "svc.digested",
SymbolDigest = "abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
HitCount = 1
};
var subject = new ReachabilitySubject { Component = "app", Version = "1.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-digest", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
var evidence = feed.Records[0].Evidence;
Assert.NotNull(evidence);
Assert.StartsWith("sha256:", evidence.SourceDigest);
}
[Fact]
public void NormalizeToFeed_SkipsEventsWithEmptySymbolId()
{
var events = new List<RuntimeFactEvent>
{
new() { SymbolId = "valid.symbol", HitCount = 1 },
new() { SymbolId = "", HitCount = 1 },
new() { SymbolId = " ", HitCount = 1 },
new() { SymbolId = null!, HitCount = 1 }
};
var subject = new ReachabilitySubject { Component = "app", Version = "1.0.0" };
var feed = _normalizer.NormalizeToFeed(events, subject, "cg-filter", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
Assert.Equal("valid.symbol", feed.Records[0].Facts?.SymbolId);
}
[Fact]
public void CreateContextFacts_ReturnsPopulatedContextFacts()
{
var events = new List<RuntimeFactEvent>
{
new() { SymbolId = "svc.a", HitCount = 1 },
new() { SymbolId = "svc.b", HitCount = 2 },
new() { SymbolId = "svc.c", HitCount = 3 }
};
var subject = new ReachabilitySubject { Component = "svc", Version = "1.0.0" };
var timestamp = DateTimeOffset.Parse("2025-12-07T12:00:00Z");
var contextFacts = _normalizer.CreateContextFacts(events, subject, "cg-ctx", null, timestamp);
Assert.NotNull(contextFacts);
Assert.NotNull(contextFacts.Provenance);
Assert.Equal(timestamp, contextFacts.LastUpdatedAt);
Assert.Equal(3, contextFacts.RecordCount);
Assert.Equal(3, contextFacts.Provenance.Records.Count);
}
[Fact]
public void NormalizeToFeed_DeterminesObserverFromContainerContext()
{
var evt = new RuntimeFactEvent
{
SymbolId = "container.runtime",
ContainerId = "docker_abc123",
HitCount = 1
};
var subject = new ReachabilitySubject { ImageDigest = "sha256:test" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-observer", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
Assert.Equal("container-runtime-agent", feed.Records[0].ObservedBy);
}
[Fact]
public void NormalizeToFeed_DeterminesObserverFromProcessContext()
{
var evt = new RuntimeFactEvent
{
SymbolId = "process.runtime",
ProcessId = 12345,
HitCount = 1
};
var subject = new ReachabilitySubject { Component = "app", Version = "1.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-proc", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
Assert.Equal("process-monitor-agent", feed.Records[0].ObservedBy);
}
[Fact]
public void NormalizeToFeed_UsesObservedAtFromEvent()
{
var observedTime = DateTimeOffset.Parse("2025-12-06T08:00:00Z");
var generatedTime = DateTimeOffset.Parse("2025-12-07T10:00:00Z");
var evt = new RuntimeFactEvent
{
SymbolId = "svc.timed",
ObservedAt = observedTime,
HitCount = 1
};
var subject = new ReachabilitySubject { Component = "timed", Version = "1.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-time", null, generatedTime);
Assert.Single(feed.Records);
Assert.Equal(observedTime, feed.Records[0].OccurredAt);
}
[Fact]
public void NormalizeToFeed_FallsBackToGeneratedAtWhenNoObservedAt()
{
var generatedTime = DateTimeOffset.Parse("2025-12-07T10:00:00Z");
var evt = new RuntimeFactEvent
{
SymbolId = "svc.notime",
HitCount = 1
};
var subject = new ReachabilitySubject { Component = "notime", Version = "1.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-notime", null, generatedTime);
Assert.Single(feed.Records);
Assert.Equal(generatedTime, feed.Records[0].OccurredAt);
}
[Fact]
public void NormalizeToFeed_BuildsSubjectIdentifierFromPurl()
{
var evt = new RuntimeFactEvent
{
SymbolId = "lib.call",
Purl = "pkg:npm/express@4.18.0",
HitCount = 1
};
var subject = new ReachabilitySubject { Component = "webapp", Version = "1.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-purl", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
Assert.Equal("pkg:npm/express@4.18.0", feed.Records[0].Subject.Identifier);
}
[Fact]
public void NormalizeToFeed_BuildsSubjectIdentifierFromComponent()
{
var evt = new RuntimeFactEvent
{
SymbolId = "svc.call",
HitCount = 1
};
var subject = new ReachabilitySubject { Component = "my-service", Version = "2.0.0" };
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-comp", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
Assert.Equal("my-service@2.0.0", feed.Records[0].Subject.Identifier);
}
[Fact]
public void NormalizeToFeed_UsesImageDigestAsSubjectForContainers()
{
var evt = new RuntimeFactEvent
{
SymbolId = "container.exec",
HitCount = 1
};
var subject = new ReachabilitySubject
{
ImageDigest = "sha256:abc123def456"
};
var feed = _normalizer.NormalizeToFeed(new[] { evt }, subject, "cg-image", null, DateTimeOffset.UtcNow);
Assert.Single(feed.Records);
Assert.Equal(ProvenanceSubjectType.Image, feed.Records[0].Subject.Type);
Assert.Equal("sha256:abc123def456", feed.Records[0].Subject.Identifier);
}
}