stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

license switch agpl -> busl1, sprints work, new product advisories

Browse Source
This commit is contained in:
master
2026-01-20 15:32:20 +02:00
parent 4903395618
commit c32fff8f86
1835 changed files with 38630 additions and 4359 deletions
Download Patch File Download Diff File Expand all files Collapse all files

288
src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Eidas/QualifiedTsaProviderTests.cs Normal file
View File

@@ -0,0 +1,288 @@
// -----------------------------------------------------------------------------
// QualifiedTsaProviderTests.cs
// Sprint: SPRINT_20260119_011 eIDAS Qualified Timestamp Support
// Task: QTS-001 - Unit tests for qualification checks
// Description: Unit tests for qualified TSA provider configuration.
// -----------------------------------------------------------------------------
using StellaOps.Cryptography.Plugin.Eidas.Timestamping;
using Xunit;
namespace StellaOps.Cryptography.Tests.Eidas;
public class QualifiedTsaProviderTests
{
#region Provider Configuration
[Fact]
public void QualifiedTsaProvider_DefaultProperties_AreCorrect()
{
// Arrange & Act
var provider = new QualifiedTsaProvider
{
Name = "test-tsa",
Url = "https://tsa.test.com"
};
// Assert
Assert.False(provider.Qualified);
Assert.Null(provider.TrustListRef);
Assert.Null(provider.RequiredForEnvironments);
Assert.Null(provider.RequiredForTags);
Assert.Equal(CadesLevel.CadesT, provider.SignatureFormat);
}
[Fact]
public void QualifiedTsaProvider_QualifiedProvider_HasCorrectFlags()
{
// Arrange & Act
var provider = new QualifiedTsaProvider
{
Name = "d-trust-qts",
Url = "https://qts.d-trust.net/tsp",
Qualified = true,
TrustListRef = "eu-tl",
SignatureFormat = CadesLevel.CadesLT
};
// Assert
Assert.True(provider.Qualified);
Assert.Equal("eu-tl", provider.TrustListRef);
Assert.Equal(CadesLevel.CadesLT, provider.SignatureFormat);
}
[Fact]
public void QualifiedTsaProvider_RequiredForEnvironments_ConfiguredCorrectly()
{
// Arrange & Act
var provider = new QualifiedTsaProvider
{
Name = "prod-qts",
Url = "https://qts.example.com",
Qualified = true,
RequiredForEnvironments = ["production", "staging"]
};
// Assert
Assert.NotNull(provider.RequiredForEnvironments);
Assert.Equal(2, provider.RequiredForEnvironments.Count);
Assert.Contains("production", provider.RequiredForEnvironments);
Assert.Contains("staging", provider.RequiredForEnvironments);
}
[Fact]
public void QualifiedTsaProvider_RequiredForTags_ConfiguredCorrectly()
{
// Arrange & Act
var provider = new QualifiedTsaProvider
{
Name = "compliance-qts",
Url = "https://qts.example.com",
Qualified = true,
RequiredForTags = ["eidas-required", "pci-dss", "regulated"]
};
// Assert
Assert.NotNull(provider.RequiredForTags);
Assert.Equal(3, provider.RequiredForTags.Count);
Assert.Contains("eidas-required", provider.RequiredForTags);
}
#endregion
#region Configuration Validation
[Fact]
public void QualifiedTimestampingConfiguration_DefaultMode_Rfc3161()
{
// Arrange & Act
var config = new QualifiedTimestampingConfiguration();
// Assert
Assert.Equal(TimestampMode.Rfc3161, config.DefaultMode);
}
[Fact]
public void QualifiedTimestampingConfiguration_Providers_EmptyByDefault()
{
// Arrange & Act
var config = new QualifiedTimestampingConfiguration();
// Assert
Assert.Empty(config.Providers);
}
[Fact]
public void QualifiedTimestampingConfiguration_Overrides_EmptyByDefault()
{
// Arrange & Act
var config = new QualifiedTimestampingConfiguration();
// Assert
Assert.Empty(config.Overrides);
}
[Fact]
public void QualifiedTimestampingConfiguration_CompleteSetup_IsValid()
{
// Arrange & Act
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers =
[
new QualifiedTsaProvider
{
Name = "digicert",
Url = "https://timestamp.digicert.com",
Qualified = false
},
new QualifiedTsaProvider
{
Name = "d-trust",
Url = "https://qts.d-trust.net/tsp",
Qualified = true,
TrustListRef = "eu-tl"
}
],
Overrides =
[
new TimestampPolicyOverride
{
Match = new OverrideMatchCriteria { Environments = ["production"] },
Mode = TimestampMode.Qualified,
TsaProvider = "d-trust"
}
],
TrustList = new EuTrustListConfiguration
{
LotlUrl = "https://ec.europa.eu/tools/lotl/eu-lotl.xml",
CacheTtl = TimeSpan.FromHours(24),
OfflinePath = "/etc/stella/eu-lotl.xml"
}
};
// Assert
Assert.Equal(2, config.Providers.Count);
Assert.Single(config.Overrides);
Assert.NotNull(config.TrustList);
Assert.Equal(24, config.TrustList.CacheTtl.TotalHours);
}
#endregion
#region Match Criteria Tests
[Fact]
public void OverrideMatchCriteria_EmptyMatch_MatchesNothing()
{
// Arrange
var match = new OverrideMatchCriteria();
// Assert - empty match has no requirements
Assert.Null(match.Environments);
Assert.Null(match.Tags);
Assert.Null(match.Repositories);
}
[Fact]
public void OverrideMatchCriteria_WithEnvironments_ConfiguredCorrectly()
{
// Arrange & Act
var match = new OverrideMatchCriteria
{
Environments = ["production", "staging"]
};
// Assert
Assert.NotNull(match.Environments);
Assert.Equal(2, match.Environments.Count);
}
[Fact]
public void OverrideMatchCriteria_WithRepositoryPatterns_ConfiguredCorrectly()
{
// Arrange & Act
var match = new OverrideMatchCriteria
{
Repositories = ["finance-*", "banking-*", "core-platform"]
};
// Assert
Assert.NotNull(match.Repositories);
Assert.Equal(3, match.Repositories.Count);
Assert.Contains("finance-*", match.Repositories);
}
#endregion
#region Timestamp Policy Tests
[Fact]
public void TimestampPolicy_RequiredProperties_AreSet()
{
// Arrange & Act
var policy = new TimestampPolicy
{
Mode = TimestampMode.Qualified,
TsaProvider = "test-qts",
SignatureFormat = CadesLevel.CadesLT,
MatchedPolicy = "override:production"
};
// Assert
Assert.Equal(TimestampMode.Qualified, policy.Mode);
Assert.Equal("test-qts", policy.TsaProvider);
Assert.Equal(CadesLevel.CadesLT, policy.SignatureFormat);
Assert.Equal("override:production", policy.MatchedPolicy);
}
#endregion
#region CAdES Level Tests
[Theory]
[InlineData(CadesLevel.CadesB, "CadesB")]
[InlineData(CadesLevel.CadesT, "CadesT")]
[InlineData(CadesLevel.CadesC, "CadesC")]
[InlineData(CadesLevel.CadesLT, "CadesLT")]
[InlineData(CadesLevel.CadesLTA, "CadesLTA")]
public void CadesLevel_AllLevels_HaveCorrectNames(CadesLevel level, string expectedName)
{
// Assert
Assert.Equal(expectedName, level.ToString());
}
[Fact]
public void CadesLevel_Ordering_IsCorrect()
{
// Arrange - levels should be ordered from basic to most complete
var levels = new[] { CadesLevel.CadesB, CadesLevel.CadesT, CadesLevel.CadesC, CadesLevel.CadesLT, CadesLevel.CadesLTA };
// Assert
for (var i = 0; i < levels.Length - 1; i++)
{
Assert.True(levels[i] < levels[i + 1], $"{levels[i]} should be less than {levels[i + 1]}");
}
}
#endregion
#region Timestamp Mode Tests
[Theory]
[InlineData(TimestampMode.None, false)]
[InlineData(TimestampMode.Rfc3161, false)]
[InlineData(TimestampMode.Qualified, true)]
[InlineData(TimestampMode.QualifiedLtv, true)]
public void TimestampMode_QualifiedModes_IdentifiedCorrectly(TimestampMode mode, bool isQualified)
{
// Act
var actual = mode == TimestampMode.Qualified || mode == TimestampMode.QualifiedLtv;
// Assert
Assert.Equal(isQualified, actual);
}
#endregion
}

384
src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Eidas/TimestampModeSelectorTests.cs Normal file
View File

@@ -0,0 +1,384 @@
// -----------------------------------------------------------------------------
// TimestampModeSelectorTests.cs
// Sprint: SPRINT_20260119_011 eIDAS Qualified Timestamp Support
// Task: QTS-005 - Unit tests for override scenarios
// Description: Unit tests for TimestampModeSelector.
// -----------------------------------------------------------------------------
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Cryptography.Plugin.Eidas.Timestamping;
using Xunit;
namespace StellaOps.Cryptography.Tests.Eidas;
public class TimestampModeSelectorTests
{
private static ITimestampModeSelector CreateSelector(QualifiedTimestampingConfiguration config)
{
var options = Options.Create(config);
var logger = NullLogger<TimestampModeSelector>.Instance;
return new TimestampModeSelector(options, logger);
}
#region Default Mode Selection
[Fact]
public void SelectMode_NoContext_ReturnsDefaultMode()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers = [new QualifiedTsaProvider { Name = "default-tsa", Url = "https://tsa.example.com", Qualified = false }]
};
var selector = CreateSelector(config);
var context = new TimestampContext();
// Act
var mode = selector.SelectMode(context);
// Assert
Assert.Equal(TimestampMode.Rfc3161, mode);
}
[Fact]
public void SelectMode_DefaultQualifiedMode_ReturnsQualified()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Qualified,
Providers = [new QualifiedTsaProvider { Name = "qualified-tsa", Url = "https://qts.example.com", Qualified = true }]
};
var selector = CreateSelector(config);
var context = new TimestampContext();
// Act
var mode = selector.SelectMode(context);
// Assert
Assert.Equal(TimestampMode.Qualified, mode);
}
#endregion
#region Environment Override
[Fact]
public void SelectMode_MatchingEnvironment_ReturnsOverrideMode()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers =
[
new QualifiedTsaProvider { Name = "default-tsa", Url = "https://tsa.example.com", Qualified = false },
new QualifiedTsaProvider { Name = "qualified-tsa", Url = "https://qts.example.com", Qualified = true }
],
Overrides =
[
new TimestampPolicyOverride
{
Match = new OverrideMatchCriteria { Environments = ["production"] },
Mode = TimestampMode.Qualified,
TsaProvider = "qualified-tsa"
}
]
};
var selector = CreateSelector(config);
var context = new TimestampContext { Environment = "production" };
// Act
var mode = selector.SelectMode(context);
// Assert
Assert.Equal(TimestampMode.Qualified, mode);
}
[Fact]
public void SelectMode_NonMatchingEnvironment_ReturnsDefaultMode()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers = [new QualifiedTsaProvider { Name = "default-tsa", Url = "https://tsa.example.com", Qualified = false }],
Overrides =
[
new TimestampPolicyOverride
{
Match = new OverrideMatchCriteria { Environments = ["production"] },
Mode = TimestampMode.Qualified
}
]
};
var selector = CreateSelector(config);
var context = new TimestampContext { Environment = "staging" };
// Act
var mode = selector.SelectMode(context);
// Assert
Assert.Equal(TimestampMode.Rfc3161, mode);
}
#endregion
#region Tag Override
[Fact]
public void SelectMode_MatchingTag_ReturnsOverrideMode()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers =
[
new QualifiedTsaProvider { Name = "default-tsa", Url = "https://tsa.example.com", Qualified = false },
new QualifiedTsaProvider { Name = "qualified-tsa", Url = "https://qts.example.com", Qualified = true }
],
Overrides =
[
new TimestampPolicyOverride
{
Match = new OverrideMatchCriteria { Tags = ["eidas-required", "pci-dss"] },
Mode = TimestampMode.Qualified,
TsaProvider = "qualified-tsa"
}
]
};
var selector = CreateSelector(config);
var context = new TimestampContext { Tags = ["eidas-required"] };
// Act
var mode = selector.SelectMode(context);
// Assert
Assert.Equal(TimestampMode.Qualified, mode);
}
[Fact]
public void SelectMode_MultipleTagsOneMatch_ReturnsOverrideMode()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers = [new QualifiedTsaProvider { Name = "qualified-tsa", Url = "https://qts.example.com", Qualified = true }],
Overrides =
[
new TimestampPolicyOverride
{
Match = new OverrideMatchCriteria { Tags = ["high-value"] },
Mode = TimestampMode.QualifiedLtv,
TsaProvider = "qualified-tsa"
}
]
};
var selector = CreateSelector(config);
var context = new TimestampContext { Tags = ["internal", "high-value", "release"] };
// Act
var mode = selector.SelectMode(context);
// Assert
Assert.Equal(TimestampMode.QualifiedLtv, mode);
}
#endregion
#region Repository Pattern Override
[Fact]
public void SelectMode_WildcardRepositoryMatch_ReturnsOverrideMode()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers = [new QualifiedTsaProvider { Name = "qualified-tsa", Url = "https://qts.example.com", Qualified = true }],
Overrides =
[
new TimestampPolicyOverride
{
Match = new OverrideMatchCriteria { Repositories = ["finance-*"] },
Mode = TimestampMode.Qualified,
TsaProvider = "qualified-tsa"
}
]
};
var selector = CreateSelector(config);
var context = new TimestampContext { Repository = "finance-core" };
// Act
var mode = selector.SelectMode(context);
// Assert
Assert.Equal(TimestampMode.Qualified, mode);
}
[Fact]
public void SelectMode_ExactRepositoryMatch_ReturnsOverrideMode()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers = [new QualifiedTsaProvider { Name = "qualified-tsa", Url = "https://qts.example.com", Qualified = true }],
Overrides =
[
new TimestampPolicyOverride
{
Match = new OverrideMatchCriteria { Repositories = ["core-platform"] },
Mode = TimestampMode.Qualified,
TsaProvider = "qualified-tsa"
}
]
};
var selector = CreateSelector(config);
var context = new TimestampContext { Repository = "core-platform" };
// Act
var mode = selector.SelectMode(context);
// Assert
Assert.Equal(TimestampMode.Qualified, mode);
}
#endregion
#region Provider Selection
[Fact]
public void SelectProvider_WithOverride_ReturnsOverrideProvider()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers =
[
new QualifiedTsaProvider { Name = "default-tsa", Url = "https://tsa.example.com", Qualified = false },
new QualifiedTsaProvider { Name = "d-trust-qts", Url = "https://qts.d-trust.net", Qualified = true }
],
Overrides =
[
new TimestampPolicyOverride
{
Match = new OverrideMatchCriteria { Environments = ["production"] },
Mode = TimestampMode.Qualified,
TsaProvider = "d-trust-qts"
}
]
};
var selector = CreateSelector(config);
var context = new TimestampContext { Environment = "production" };
// Act
var provider = selector.SelectProvider(context, TimestampMode.Qualified);
// Assert
Assert.Equal("d-trust-qts", provider);
}
[Fact]
public void GetPolicy_ReturnsCompletePolicy()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers =
[
new QualifiedTsaProvider { Name = "default-tsa", Url = "https://tsa.example.com", Qualified = false },
new QualifiedTsaProvider { Name = "eu-qts", Url = "https://qts.eu.example.com", Qualified = true }
],
Overrides =
[
new TimestampPolicyOverride
{
Match = new OverrideMatchCriteria { Tags = ["regulated"] },
Mode = TimestampMode.QualifiedLtv,
TsaProvider = "eu-qts",
SignatureFormat = CadesLevel.CadesLT
}
]
};
var selector = CreateSelector(config);
var context = new TimestampContext { Tags = ["regulated", "production"] };
// Act
var policy = selector.GetPolicy(context);
// Assert
Assert.Equal(TimestampMode.QualifiedLtv, policy.Mode);
Assert.Equal("eu-qts", policy.TsaProvider);
Assert.Equal(CadesLevel.CadesLT, policy.SignatureFormat);
Assert.Contains("override", policy.MatchedPolicy);
}
#endregion
#region Provider Requirements
[Fact]
public void SelectMode_ProviderRequiredForEnvironment_ReturnsQualified()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers =
[
new QualifiedTsaProvider
{
Name = "special-qts",
Url = "https://qts.example.com",
Qualified = true,
RequiredForEnvironments = ["production", "staging"]
}
]
};
var selector = CreateSelector(config);
var context = new TimestampContext { Environment = "production" };
// Act
var mode = selector.SelectMode(context);
// Assert
Assert.Equal(TimestampMode.Qualified, mode);
}
[Fact]
public void SelectMode_ProviderRequiredForTag_ReturnsQualified()
{
// Arrange
var config = new QualifiedTimestampingConfiguration
{
DefaultMode = TimestampMode.Rfc3161,
Providers =
[
new QualifiedTsaProvider
{
Name = "compliance-qts",
Url = "https://qts.example.com",
Qualified = true,
RequiredForTags = ["sox-compliance"]
}
]
};
var selector = CreateSelector(config);
var context = new TimestampContext { Tags = ["internal", "sox-compliance"] };
// Act
var mode = selector.SelectMode(context);
// Assert
Assert.Equal(TimestampMode.Qualified, mode);
}
#endregion
}

2
src/Cryptography/__Tests/StellaOps.Cryptography.Tests/ShamirSecretSharingTests.cs
View File

@@ -1,5 +1,5 @@
// Copyright © StellaOps. All rights reserved.
// SPDX-License-Identifier: AGPL-3.0-or-later
// SPDX-License-Identifier: BUSL-1.1
// Sprint: SPRINT_20260112_018_CRYPTO_key_escrow_shamir
// Tasks: ESCROW-011

1
src/Cryptography/__Tests/StellaOps.Cryptography.Tests/StellaOps.Cryptography.Tests.csproj
View File

@@ -21,6 +21,7 @@
<ItemGroup>
<ProjectReference Include="..\..\StellaOps.Cryptography\StellaOps.Cryptography.csproj" />
<ProjectReference Include="..\..\StellaOps.Cryptography.Plugin.Eidas\StellaOps.Cryptography.Plugin.Eidas.csproj" />
<ProjectReference Include="..\..\StellaOps.Cryptography.Plugin.Hsm\StellaOps.Cryptography.Plugin.Hsm.csproj" />
</ItemGroup>