This commit is contained in:
StellaOps Bot
@@ -0,0 +1,40 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Text.Json.Serialization;
|
||||
|
||||
namespace StellaOps.Excititor.WebService.Contracts;
|
||||
|
||||
public sealed record GraphLinkoutsRequest(
|
||||
[property: JsonPropertyName("tenant")] string Tenant,
|
||||
[property: JsonPropertyName("purls")] IReadOnlyList<string> Purls,
|
||||
[property: JsonPropertyName("includeJustifications")] bool IncludeJustifications = false,
|
||||
[property: JsonPropertyName("includeProvenance")] bool IncludeProvenance = true);
|
||||
|
||||
public sealed record GraphLinkoutsResponse(
|
||||
[property: JsonPropertyName("items")] IReadOnlyList<GraphLinkoutItem> Items,
|
||||
[property: JsonPropertyName("notFound")] IReadOnlyList<string> NotFound);
|
||||
|
||||
public sealed record GraphLinkoutItem(
|
||||
[property: JsonPropertyName("purl")] string Purl,
|
||||
[property: JsonPropertyName("advisories")] IReadOnlyList<GraphLinkoutAdvisory> Advisories,
|
||||
[property: JsonPropertyName("conflicts")] IReadOnlyList<GraphLinkoutConflict> Conflicts,
|
||||
[property: JsonPropertyName("truncated")] bool Truncated = false,
|
||||
[property: JsonPropertyName("nextCursor")] string? NextCursor = null);
|
||||
|
||||
public sealed record GraphLinkoutAdvisory(
|
||||
[property: JsonPropertyName("advisoryId")] string AdvisoryId,
|
||||
[property: JsonPropertyName("source")] string Source,
|
||||
[property: JsonPropertyName("status")] string Status,
|
||||
[property: JsonPropertyName("justification")] string? Justification,
|
||||
[property: JsonPropertyName("modifiedAt")] DateTimeOffset ModifiedAt,
|
||||
[property: JsonPropertyName("evidenceHash")] string EvidenceHash,
|
||||
[property: JsonPropertyName("connectorId")] string ConnectorId,
|
||||
[property: JsonPropertyName("dsseEnvelopeHash")] string? DsseEnvelopeHash);
|
||||
|
||||
public sealed record GraphLinkoutConflict(
|
||||
[property: JsonPropertyName("source")] string Source,
|
||||
[property: JsonPropertyName("status")] string Status,
|
||||
[property: JsonPropertyName("justification")] string? Justification,
|
||||
[property: JsonPropertyName("observedAt")] DateTimeOffset ObservedAt,
|
||||
[property: JsonPropertyName("evidenceHash")] string EvidenceHash);
|
||||
|
||||
@@ -0,0 +1,22 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
|
||||
namespace StellaOps.Excititor.WebService.Contracts;
|
||||
|
||||
public sealed record VexConsoleStatementDto(
|
||||
string AdvisoryId,
|
||||
string ProductKey,
|
||||
string? Purl,
|
||||
string Status,
|
||||
string? Justification,
|
||||
string ProviderId,
|
||||
string ObservationId,
|
||||
DateTimeOffset CreatedAtUtc,
|
||||
IReadOnlyDictionary<string, string> Attributes);
|
||||
|
||||
public sealed record VexConsolePage(
|
||||
IReadOnlyList<VexConsoleStatementDto> Items,
|
||||
string? Cursor,
|
||||
bool HasMore,
|
||||
int Returned,
|
||||
IReadOnlyDictionary<string, int>? Counters = null);
|
||||
@@ -36,6 +36,8 @@ using StellaOps.Excititor.WebService.Contracts;
|
||||
using StellaOps.Excititor.WebService.Telemetry;
|
||||
using MongoDB.Driver;
|
||||
using MongoDB.Bson;
|
||||
using Microsoft.Extensions.Caching.Memory;
|
||||
using StellaOps.Excititor.WebService.Contracts;
|
||||
|
||||
var builder = WebApplication.CreateBuilder(args);
|
||||
var configuration = builder.Configuration;
|
||||
@@ -49,7 +51,11 @@ services.AddCsafNormalizer();
|
||||
services.AddCycloneDxNormalizer();
|
||||
services.AddOpenVexNormalizer();
|
||||
services.AddSingleton<IVexSignatureVerifier, NoopVexSignatureVerifier>();
|
||||
// TODO: replace NoopVexSignatureVerifier with hardened verifier once portable bundle signatures are finalized.
|
||||
services.AddSingleton<AirgapImportValidator>();
|
||||
services.AddSingleton<AirgapSignerTrustService>();
|
||||
services.AddSingleton<ConsoleTelemetry>();
|
||||
services.AddMemoryCache();
|
||||
services.AddScoped<IVexIngestOrchestrator, VexIngestOrchestrator>();
|
||||
services.AddOptions<ExcititorObservabilityOptions>()
|
||||
.Bind(configuration.GetSection("Excititor:Observability"));
|
||||
@@ -68,6 +74,7 @@ services.Configure<MirrorDistributionOptions>(configuration.GetSection(MirrorDis
|
||||
services.AddSingleton<MirrorRateLimiter>();
|
||||
services.TryAddSingleton(TimeProvider.System);
|
||||
services.AddSingleton<IVexObservationProjectionService, VexObservationProjectionService>();
|
||||
services.AddScoped<IVexObservationQueryService, VexObservationQueryService>();
|
||||
|
||||
var rekorSection = configuration.GetSection("Excititor:Attestation:Rekor");
|
||||
if (rekorSection.Exists())
|
||||
@@ -140,6 +147,7 @@ app.MapHealthChecks("/excititor/health");
|
||||
|
||||
app.MapPost("/airgap/v1/vex/import", async (
|
||||
[FromServices] AirgapImportValidator validator,
|
||||
[FromServices] AirgapSignerTrustService trustService,
|
||||
[FromServices] IAirgapImportStore store,
|
||||
[FromServices] TimeProvider timeProvider,
|
||||
[FromBody] AirgapImportRequest request,
|
||||
@@ -160,6 +168,18 @@ app.MapPost("/airgap/v1/vex/import", async (
|
||||
});
|
||||
}
|
||||
|
||||
if (!trustService.Validate(request, out var trustCode, out var trustMessage))
|
||||
{
|
||||
return Results.StatusCode(StatusCodes.Status403Forbidden, new
|
||||
{
|
||||
error = new
|
||||
{
|
||||
code = trustCode,
|
||||
message = trustMessage
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
var record = new AirgapImportRecord
|
||||
{
|
||||
Id = $"{request.BundleId}:{request.MirrorGeneration}",
|
||||
@@ -174,7 +194,21 @@ app.MapPost("/airgap/v1/vex/import", async (
|
||||
ImportedAt = nowUtc
|
||||
};
|
||||
|
||||
await store.SaveAsync(record, cancellationToken).ConfigureAwait(false);
|
||||
try
|
||||
{
|
||||
await store.SaveAsync(record, cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
catch (DuplicateAirgapImportException dup)
|
||||
{
|
||||
return Results.Conflict(new
|
||||
{
|
||||
error = new
|
||||
{
|
||||
code = "AIRGAP_IMPORT_DUPLICATE",
|
||||
message = dup.Message
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
return Results.Accepted($"/airgap/v1/vex/import/{request.BundleId}", new
|
||||
{
|
||||
@@ -296,6 +330,204 @@ app.MapPost("/excititor/admin/backfill-statements", async (
|
||||
});
|
||||
});
|
||||
|
||||
app.MapGet("/console/vex", async (
|
||||
HttpContext context,
|
||||
IOptions<VexMongoStorageOptions> storageOptions,
|
||||
IVexObservationQueryService queryService,
|
||||
ConsoleTelemetry telemetry,
|
||||
IMemoryCache cache,
|
||||
CancellationToken cancellationToken) =>
|
||||
{
|
||||
if (!TryResolveTenant(context, storageOptions.Value, requireHeader: true, out var tenant, out var tenantError))
|
||||
{
|
||||
return tenantError;
|
||||
}
|
||||
|
||||
var query = context.Request.Query;
|
||||
var purls = query["purl"].Where(static v => !string.IsNullOrWhiteSpace(v)).Select(static v => v.Trim()).ToArray();
|
||||
var advisories = query["advisoryId"].Where(static v => !string.IsNullOrWhiteSpace(v)).Select(static v => v.Trim()).ToArray();
|
||||
var statuses = new List<VexClaimStatus>();
|
||||
if (query.TryGetValue("status", out var statusValues))
|
||||
{
|
||||
foreach (var statusValue in statusValues)
|
||||
{
|
||||
if (Enum.TryParse<VexClaimStatus>(statusValue, ignoreCase: true, out var parsed))
|
||||
{
|
||||
statuses.Add(parsed);
|
||||
}
|
||||
else
|
||||
{
|
||||
return Results.BadRequest($"Unknown status '{statusValue}'.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
var limit = query.TryGetValue("pageSize", out var pageSizeValues) && int.TryParse(pageSizeValues.FirstOrDefault(), out var pageSize)
|
||||
? pageSize
|
||||
: (int?)null;
|
||||
var cursor = query.TryGetValue("cursor", out var cursorValues) ? cursorValues.FirstOrDefault() : null;
|
||||
|
||||
telemetry.Requests.Add(1);
|
||||
|
||||
var cacheKey = $"console-vex:{tenant}:{string.Join(',', purls)}:{string.Join(',', advisories)}:{string.Join(',', statuses)}:{limit}:{cursor}";
|
||||
if (cache.TryGetValue(cacheKey, out VexConsolePage? cachedPage) && cachedPage is not null)
|
||||
{
|
||||
telemetry.CacheHits.Add(1);
|
||||
return Results.Ok(cachedPage);
|
||||
}
|
||||
telemetry.CacheMisses.Add(1);
|
||||
|
||||
var options = new VexObservationQueryOptions(
|
||||
tenant,
|
||||
observationIds: null,
|
||||
vulnerabilityIds: advisories,
|
||||
productKeys: null,
|
||||
purls: purls,
|
||||
cpes: null,
|
||||
providerIds: null,
|
||||
statuses: statuses,
|
||||
cursor: cursor,
|
||||
limit: limit);
|
||||
|
||||
VexObservationQueryResult result;
|
||||
try
|
||||
{
|
||||
result = await queryService.QueryAsync(options, cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
catch (FormatException ex)
|
||||
{
|
||||
return Results.BadRequest(ex.Message);
|
||||
}
|
||||
|
||||
var statements = result.Observations
|
||||
.SelectMany(obs => obs.Statements.Select(stmt => new VexConsoleStatementDto(
|
||||
AdvisoryId: stmt.VulnerabilityId,
|
||||
ProductKey: stmt.ProductKey,
|
||||
Purl: stmt.Purl ?? obs.Linkset.Purls.FirstOrDefault(),
|
||||
Status: stmt.Status.ToString().ToLowerInvariant(),
|
||||
Justification: stmt.Justification?.ToString(),
|
||||
ProviderId: obs.ProviderId,
|
||||
ObservationId: obs.ObservationId,
|
||||
CreatedAtUtc: obs.CreatedAt,
|
||||
Attributes: obs.Attributes)))
|
||||
.ToList();
|
||||
|
||||
var statusCounts = result.Observations
|
||||
.GroupBy(o => o.Status.ToString().ToLowerInvariant())
|
||||
.ToDictionary(g => g.Key, g => g.Count(), StringComparer.OrdinalIgnoreCase);
|
||||
|
||||
var response = new VexConsolePage(
|
||||
Items: statements,
|
||||
Cursor: result.NextCursor,
|
||||
HasMore: result.HasMore,
|
||||
Returned: statements.Count,
|
||||
Counters: statusCounts);
|
||||
|
||||
cache.Set(cacheKey, response, TimeSpan.FromSeconds(30));
|
||||
|
||||
return Results.Ok(response);
|
||||
}).WithName("GetConsoleVex");
|
||||
|
||||
// Cartographer linkouts
|
||||
app.MapPost("/internal/graph/linkouts", async (
|
||||
GraphLinkoutsRequest request,
|
||||
IVexObservationQueryService queryService,
|
||||
CancellationToken cancellationToken) =>
|
||||
{
|
||||
if (request is null || string.IsNullOrWhiteSpace(request.Tenant))
|
||||
{
|
||||
return Results.BadRequest("tenant is required.");
|
||||
}
|
||||
|
||||
if (request.Purls is null || request.Purls.Count == 0 || request.Purls.Count > 500)
|
||||
{
|
||||
return Results.BadRequest("purls are required (1-500).");
|
||||
}
|
||||
|
||||
var normalizedPurls = request.Purls
|
||||
.Where(p => !string.IsNullOrWhiteSpace(p))
|
||||
.Select(p => p.Trim().ToLowerInvariant())
|
||||
.Distinct()
|
||||
.ToArray();
|
||||
|
||||
if (normalizedPurls.Length == 0)
|
||||
{
|
||||
return Results.BadRequest("purls are required (1-500).");
|
||||
}
|
||||
|
||||
var options = new VexObservationQueryOptions(
|
||||
request.Tenant.Trim(),
|
||||
purls: normalizedPurls,
|
||||
includeJustifications: request.IncludeJustifications,
|
||||
includeProvenance: request.IncludeProvenance,
|
||||
limit: 200);
|
||||
|
||||
VexObservationQueryResult result;
|
||||
try
|
||||
{
|
||||
result = await queryService.QueryAsync(options, cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
catch (FormatException ex)
|
||||
{
|
||||
return Results.BadRequest(ex.Message);
|
||||
}
|
||||
|
||||
var observationsByPurl = result.Observations
|
||||
.SelectMany(obs => obs.Linkset.Purls.Select(purl => (purl, obs)))
|
||||
.GroupBy(tuple => tuple.purl, StringComparer.OrdinalIgnoreCase)
|
||||
.ToDictionary(g => g.Key, g => g.Select(t => t.obs).ToArray(), StringComparer.OrdinalIgnoreCase);
|
||||
|
||||
var items = new List<GraphLinkoutItem>(normalizedPurls.Length);
|
||||
var notFound = new List<string>();
|
||||
|
||||
foreach (var inputPurl in normalizedPurls)
|
||||
{
|
||||
if (!observationsByPurl.TryGetValue(inputPurl, out var obsForPurl))
|
||||
{
|
||||
notFound.Add(inputPurl);
|
||||
continue;
|
||||
}
|
||||
|
||||
var advisories = obsForPurl
|
||||
.SelectMany(obs => obs.Statements.Select(stmt => new GraphLinkoutAdvisory(
|
||||
AdvisoryId: stmt.VulnerabilityId,
|
||||
Source: obs.ProviderId,
|
||||
Status: stmt.Status.ToString().ToLowerInvariant(),
|
||||
Justification: request.IncludeJustifications ? stmt.Justification?.ToString() : null,
|
||||
ModifiedAt: obs.CreatedAt,
|
||||
EvidenceHash: obs.Linkset.ReferenceHash,
|
||||
ConnectorId: obs.ProviderId,
|
||||
DsseEnvelopeHash: request.IncludeProvenance ? obs.Linkset.ReferenceHash : null)))
|
||||
.OrderBy(a => a.AdvisoryId, StringComparer.Ordinal)
|
||||
.ThenBy(a => a.Source, StringComparer.Ordinal)
|
||||
.Take(200)
|
||||
.ToList();
|
||||
|
||||
var conflicts = obsForPurl
|
||||
.Where(obs => obs.Statements.Any(s => s.Status == VexClaimStatus.Conflict))
|
||||
.SelectMany(obs => obs.Statements
|
||||
.Where(s => s.Status == VexClaimStatus.Conflict)
|
||||
.Select(stmt => new GraphLinkoutConflict(
|
||||
Source: obs.ProviderId,
|
||||
Status: stmt.Status.ToString().ToLowerInvariant(),
|
||||
Justification: request.IncludeJustifications ? stmt.Justification?.ToString() : null,
|
||||
ObservedAt: obs.CreatedAt,
|
||||
EvidenceHash: obs.Linkset.ReferenceHash)))
|
||||
.OrderBy(c => c.Source, StringComparer.Ordinal)
|
||||
.ToList();
|
||||
|
||||
items.Add(new GraphLinkoutItem(
|
||||
Purl: inputPurl,
|
||||
Advisories: advisories,
|
||||
Conflicts: conflicts,
|
||||
Truncated: advisories.Count >= 200,
|
||||
NextCursor: advisories.Count >= 200 ? $"{advisories[^1].AdvisoryId}:{advisories[^1].Source}" : null));
|
||||
}
|
||||
|
||||
var response = new GraphLinkoutsResponse(items, notFound);
|
||||
return Results.Ok(response);
|
||||
}).WithName("PostGraphLinkouts");
|
||||
|
||||
app.MapPost("/ingest/vex", async (
|
||||
HttpContext context,
|
||||
VexIngestRequest request,
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
using System.Runtime.CompilerServices;
|
||||
|
||||
[assembly: InternalsVisibleTo("StellaOps.Excititor.WebService.Tests")]
|
||||
[assembly: InternalsVisibleTo("StellaOps.Excititor.WebService.Tests")]
|
||||
[assembly: InternalsVisibleTo("StellaOps.Excititor.Core.UnitTests")]
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Globalization;
|
||||
using System.Linq;
|
||||
using System.Text.RegularExpressions;
|
||||
using StellaOps.Excititor.WebService.Contracts;
|
||||
|
||||
namespace StellaOps.Excititor.WebService.Services;
|
||||
@@ -8,6 +10,8 @@ namespace StellaOps.Excititor.WebService.Services;
|
||||
internal sealed class AirgapImportValidator
|
||||
{
|
||||
private static readonly TimeSpan AllowedSkew = TimeSpan.FromSeconds(5);
|
||||
private static readonly Regex Sha256Pattern = new(@"^sha256:[A-Fa-f0-9]{64}$", RegexOptions.Compiled);
|
||||
private static readonly Regex MirrorGenerationPattern = new(@"^[0-9]+$", RegexOptions.Compiled);
|
||||
|
||||
public IReadOnlyList<ValidationError> Validate(AirgapImportRequest request, DateTimeOffset nowUtc)
|
||||
{
|
||||
@@ -23,26 +27,46 @@ internal sealed class AirgapImportValidator
|
||||
{
|
||||
errors.Add(new ValidationError("bundle_id_missing", "bundleId is required."));
|
||||
}
|
||||
else if (request.BundleId.Length > 256)
|
||||
{
|
||||
errors.Add(new ValidationError("bundle_id_too_long", "bundleId must be <= 256 characters."));
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(request.MirrorGeneration))
|
||||
{
|
||||
errors.Add(new ValidationError("mirror_generation_missing", "mirrorGeneration is required."));
|
||||
}
|
||||
else if (!MirrorGenerationPattern.IsMatch(request.MirrorGeneration))
|
||||
{
|
||||
errors.Add(new ValidationError("mirror_generation_invalid", "mirrorGeneration must be a numeric string."));
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(request.Publisher))
|
||||
{
|
||||
errors.Add(new ValidationError("publisher_missing", "publisher is required."));
|
||||
}
|
||||
else if (request.Publisher.Length > 256)
|
||||
{
|
||||
errors.Add(new ValidationError("publisher_too_long", "publisher must be <= 256 characters."));
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(request.PayloadHash))
|
||||
{
|
||||
errors.Add(new ValidationError("payload_hash_missing", "payloadHash is required."));
|
||||
}
|
||||
else if (!Sha256Pattern.IsMatch(request.PayloadHash))
|
||||
{
|
||||
errors.Add(new ValidationError("payload_hash_invalid", "payloadHash must be sha256:<64-hex>."));
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(request.Signature))
|
||||
{
|
||||
errors.Add(new ValidationError("AIRGAP_SIGNATURE_MISSING", "signature is required for air-gapped imports."));
|
||||
}
|
||||
else if (!IsBase64(request.Signature))
|
||||
{
|
||||
errors.Add(new ValidationError("AIRGAP_SIGNATURE_INVALID", "signature must be base64-encoded."));
|
||||
}
|
||||
|
||||
if (request.SignedAt is null)
|
||||
{
|
||||
@@ -62,5 +86,22 @@ internal sealed class AirgapImportValidator
|
||||
return errors;
|
||||
}
|
||||
|
||||
private static bool IsBase64(string value)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(value) || value.Length % 4 != 0)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
try
|
||||
{
|
||||
_ = Convert.FromBase64String(value);
|
||||
return true;
|
||||
}
|
||||
catch
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
public readonly record struct ValidationError(string Code, string Message);
|
||||
}
|
||||
|
||||
@@ -0,0 +1,82 @@
|
||||
using System;
|
||||
using System.IO;
|
||||
using System.Linq;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using StellaOps.Excititor.Connectors.Abstractions.Trust;
|
||||
using StellaOps.Excititor.WebService.Contracts;
|
||||
|
||||
namespace StellaOps.Excititor.WebService.Services;
|
||||
|
||||
internal sealed class AirgapSignerTrustService
|
||||
{
|
||||
private readonly ILogger<AirgapSignerTrustService> _logger;
|
||||
private readonly string? _metadataPath;
|
||||
private ConnectorSignerMetadataSet? _metadata;
|
||||
|
||||
public AirgapSignerTrustService(ILogger<AirgapSignerTrustService> logger)
|
||||
{
|
||||
_logger = logger;
|
||||
_metadataPath = Environment.GetEnvironmentVariable("STELLAOPS_CONNECTOR_SIGNER_METADATA_PATH");
|
||||
}
|
||||
|
||||
public bool Validate(AirgapImportRequest request, out string? errorCode, out string? message)
|
||||
{
|
||||
errorCode = null;
|
||||
message = null;
|
||||
|
||||
if (string.IsNullOrWhiteSpace(_metadataPath) || !File.Exists(_metadataPath))
|
||||
{
|
||||
_logger.LogDebug("Airgap signer metadata not configured; skipping trust enforcement.");
|
||||
return true;
|
||||
}
|
||||
|
||||
_metadata ??= ConnectorSignerMetadataLoader.TryLoad(_metadataPath);
|
||||
if (_metadata is null)
|
||||
{
|
||||
_logger.LogWarning("Failed to load airgap signer metadata from {Path}; allowing import.", _metadataPath);
|
||||
return true;
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(request.Publisher))
|
||||
{
|
||||
errorCode = "AIRGAP_SOURCE_UNTRUSTED";
|
||||
message = "publisher is required for trust enforcement.";
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!_metadata.TryGet(request.Publisher, out var connector))
|
||||
{
|
||||
errorCode = "AIRGAP_SOURCE_UNTRUSTED";
|
||||
message = $"Publisher '{request.Publisher}' is not present in trusted signer metadata.";
|
||||
return false;
|
||||
}
|
||||
|
||||
if (connector.Revoked)
|
||||
{
|
||||
errorCode = "AIRGAP_SOURCE_UNTRUSTED";
|
||||
message = $"Publisher '{request.Publisher}' is revoked.";
|
||||
return false;
|
||||
}
|
||||
|
||||
if (connector.Bundle?.Digest is { } digest && !string.IsNullOrWhiteSpace(digest))
|
||||
{
|
||||
if (!string.Equals(digest.Trim(), request.PayloadHash?.Trim(), StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
errorCode = "AIRGAP_PAYLOAD_MISMATCH";
|
||||
message = "Payload hash does not match trusted bundle digest.";
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
// Basic sanity: ensure at least one signer entry exists.
|
||||
if (connector.Signers.IsDefaultOrEmpty || connector.Signers.Sum(s => s.Fingerprints.Length) == 0)
|
||||
{
|
||||
errorCode = "AIRGAP_SOURCE_UNTRUSTED";
|
||||
message = $"Publisher '{request.Publisher}' has no trusted signers configured.";
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -19,6 +19,7 @@
|
||||
<ProjectReference Include="../__Libraries/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj" />
|
||||
<ProjectReference Include="../__Libraries/StellaOps.Excititor.Storage.Mongo/StellaOps.Excititor.Storage.Mongo.csproj" />
|
||||
<ProjectReference Include="../__Libraries/StellaOps.Excititor.Export/StellaOps.Excititor.Export.csproj" />
|
||||
<ProjectReference Include="../__Libraries/StellaOps.Excititor.Connectors.Abstractions/StellaOps.Excititor.Connectors.Abstractions.csproj" />
|
||||
<ProjectReference Include="../__Libraries/StellaOps.Excititor.Policy/StellaOps.Excititor.Policy.csproj" />
|
||||
<ProjectReference Include="../__Libraries/StellaOps.Excititor.Attestation/StellaOps.Excititor.Attestation.csproj" />
|
||||
<ProjectReference Include="../__Libraries/StellaOps.Excititor.ArtifactStores.S3/StellaOps.Excititor.ArtifactStores.S3.csproj" />
|
||||
|
||||
@@ -0,0 +1,15 @@
|
||||
using System.Diagnostics.Metrics;
|
||||
|
||||
namespace StellaOps.Excititor.WebService.Telemetry;
|
||||
|
||||
internal sealed class ConsoleTelemetry
|
||||
{
|
||||
public const string MeterName = "StellaOps.Excititor.Console";
|
||||
|
||||
private static readonly Meter Meter = new(MeterName);
|
||||
|
||||
public Counter<long> Requests { get; } = Meter.CreateCounter<long>("console.vex.requests");
|
||||
public Counter<long> CacheHits { get; } = Meter.CreateCounter<long>("console.vex.cache_hits");
|
||||
public Counter<long> CacheMisses { get; } = Meter.CreateCounter<long>("console.vex.cache_misses");
|
||||
}
|
||||
|
||||
@@ -0,0 +1,29 @@
|
||||
using Microsoft.Extensions.Options;
|
||||
|
||||
namespace StellaOps.Excititor.Worker.Options;
|
||||
|
||||
internal sealed class TenantAuthorityOptionsValidator : IValidateOptions<TenantAuthorityOptions>
|
||||
{
|
||||
public ValidateOptionsResult Validate(string? name, TenantAuthorityOptions options)
|
||||
{
|
||||
if (options is null)
|
||||
{
|
||||
return ValidateOptionsResult.Fail("TenantAuthorityOptions is required.");
|
||||
}
|
||||
|
||||
if (options.BaseUrls.Count == 0)
|
||||
{
|
||||
return ValidateOptionsResult.Fail("Excititor:Authority:BaseUrls must define at least one tenant endpoint.");
|
||||
}
|
||||
|
||||
foreach (var kvp in options.BaseUrls)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(kvp.Key) || string.IsNullOrWhiteSpace(kvp.Value))
|
||||
{
|
||||
return ValidateOptionsResult.Fail("Excititor:Authority:BaseUrls must include non-empty tenant keys and URLs.");
|
||||
}
|
||||
}
|
||||
|
||||
return ValidateOptionsResult.Success;
|
||||
}
|
||||
}
|
||||
@@ -20,15 +20,18 @@ using StellaOps.Excititor.Attestation.Extensions;
|
||||
using StellaOps.Excititor.Attestation.Verification;
|
||||
using StellaOps.IssuerDirectory.Client;
|
||||
|
||||
var builder = Host.CreateApplicationBuilder(args);
|
||||
var services = builder.Services;
|
||||
var configuration = builder.Configuration;
|
||||
var builder = Host.CreateApplicationBuilder(args);
|
||||
var services = builder.Services;
|
||||
var configuration = builder.Configuration;
|
||||
var workerConfig = configuration.GetSection("Excititor:Worker");
|
||||
var workerConfigSnapshot = workerConfig.Get<VexWorkerOptions>() ?? new VexWorkerOptions();
|
||||
services.AddOptions<VexWorkerOptions>()
|
||||
.Bind(configuration.GetSection("Excititor:Worker"))
|
||||
.Bind(workerConfig)
|
||||
.ValidateOnStart();
|
||||
|
||||
services.Configure<VexWorkerPluginOptions>(configuration.GetSection("Excititor:Worker:Plugins"));
|
||||
services.Configure<TenantAuthorityOptions>(configuration.GetSection("Excititor:Authority"));
|
||||
services.AddSingleton<IValidateOptions<TenantAuthorityOptions>, TenantAuthorityOptionsValidator>();
|
||||
services.PostConfigure<VexWorkerOptions>(options =>
|
||||
{
|
||||
if (options.DisableConsensus)
|
||||
@@ -101,10 +104,13 @@ services.AddSingleton<PluginCatalog>(provider =>
|
||||
});
|
||||
|
||||
services.AddSingleton<IVexProviderRunner, DefaultVexProviderRunner>();
|
||||
services.AddSingleton<VexConsensusRefreshService>();
|
||||
services.AddSingleton<IVexConsensusRefreshScheduler>(static provider => provider.GetRequiredService<VexConsensusRefreshService>());
|
||||
services.AddHostedService<VexWorkerHostedService>();
|
||||
services.AddHostedService(static provider => provider.GetRequiredService<VexConsensusRefreshService>());
|
||||
if (!workerConfigSnapshot.DisableConsensus)
|
||||
{
|
||||
services.AddSingleton<VexConsensusRefreshService>();
|
||||
services.AddSingleton<IVexConsensusRefreshScheduler>(static provider => provider.GetRequiredService<VexConsensusRefreshService>());
|
||||
services.AddHostedService(static provider => provider.GetRequiredService<VexConsensusRefreshService>());
|
||||
}
|
||||
services.AddSingleton<ITenantAuthorityClientFactory, TenantAuthorityClientFactory>();
|
||||
|
||||
var host = builder.Build();
|
||||
|
||||
@@ -0,0 +1,73 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Collections.Immutable;
|
||||
using System.Linq;
|
||||
|
||||
namespace StellaOps.Excititor.Core.Observations;
|
||||
|
||||
/// <summary>
|
||||
/// Builds deterministic linkset update events from raw VEX observations
|
||||
/// without introducing consensus or derived semantics (AOC-19-002).
|
||||
/// </summary>
|
||||
public sealed class VexLinksetExtractionService
|
||||
{
|
||||
/// <summary>
|
||||
/// Groups observations by (vulnerabilityId, productKey) and emits a linkset update event
|
||||
/// for each group. Ordering is stable and case-insensitive on identifiers.
|
||||
/// </summary>
|
||||
public ImmutableArray<VexLinksetUpdatedEvent> Extract(
|
||||
string tenant,
|
||||
IEnumerable<VexObservation> observations,
|
||||
IEnumerable<VexObservationDisagreement>? disagreements = null)
|
||||
{
|
||||
if (observations is null)
|
||||
{
|
||||
return ImmutableArray<VexLinksetUpdatedEvent>.Empty;
|
||||
}
|
||||
|
||||
var observationList = observations
|
||||
.Where(o => o is not null)
|
||||
.ToList();
|
||||
|
||||
if (observationList.Count == 0)
|
||||
{
|
||||
return ImmutableArray<VexLinksetUpdatedEvent>.Empty;
|
||||
}
|
||||
|
||||
var groups = observationList
|
||||
.SelectMany(obs => obs.Statements.Select(stmt => (obs, stmt)))
|
||||
.GroupBy(x => new
|
||||
{
|
||||
VulnerabilityId = Normalize(x.stmt.VulnerabilityId),
|
||||
ProductKey = Normalize(x.stmt.ProductKey)
|
||||
})
|
||||
.OrderBy(g => g.Key.VulnerabilityId, StringComparer.OrdinalIgnoreCase)
|
||||
.ThenBy(g => g.Key.ProductKey, StringComparer.OrdinalIgnoreCase);
|
||||
|
||||
var now = observationList.Max(o => o.CreatedAt);
|
||||
|
||||
var events = new List<VexLinksetUpdatedEvent>();
|
||||
foreach (var group in groups)
|
||||
{
|
||||
var linksetId = BuildLinksetId(group.Key.VulnerabilityId, group.Key.ProductKey);
|
||||
var obsForGroup = group.Select(x => x.obs);
|
||||
|
||||
var evt = VexLinksetUpdatedEventFactory.Create(
|
||||
tenant,
|
||||
linksetId,
|
||||
group.Key.VulnerabilityId,
|
||||
group.Key.ProductKey,
|
||||
obsForGroup,
|
||||
disagreements ?? Enumerable.Empty<VexObservationDisagreement>(),
|
||||
now);
|
||||
|
||||
events.Add(evt);
|
||||
}
|
||||
|
||||
return events.ToImmutableArray();
|
||||
}
|
||||
|
||||
private static string BuildLinksetId(string vulnerabilityId, string productKey)
|
||||
=> $"vex:{vulnerabilityId}:{productKey}".ToLowerInvariant();
|
||||
|
||||
private static string Normalize(string value) => VexObservation.EnsureNotNullOrWhiteSpace(value, nameof(value));
|
||||
}
|
||||
@@ -10,6 +10,19 @@ public interface IAirgapImportStore
|
||||
Task SaveAsync(AirgapImportRecord record, CancellationToken cancellationToken);
|
||||
}
|
||||
|
||||
public sealed class DuplicateAirgapImportException : Exception
|
||||
{
|
||||
public string BundleId { get; }
|
||||
public string MirrorGeneration { get; }
|
||||
|
||||
public DuplicateAirgapImportException(string bundleId, string mirrorGeneration, Exception inner)
|
||||
: base($"Airgap import already exists for bundle '{bundleId}' generation '{mirrorGeneration}'.", inner)
|
||||
{
|
||||
BundleId = bundleId;
|
||||
MirrorGeneration = mirrorGeneration;
|
||||
}
|
||||
}
|
||||
|
||||
internal sealed class MongoAirgapImportStore : IAirgapImportStore
|
||||
{
|
||||
private readonly IMongoCollection<AirgapImportRecord> _collection;
|
||||
@@ -19,11 +32,30 @@ internal sealed class MongoAirgapImportStore : IAirgapImportStore
|
||||
ArgumentNullException.ThrowIfNull(database);
|
||||
VexMongoMappingRegistry.Register();
|
||||
_collection = database.GetCollection<AirgapImportRecord>(VexMongoCollectionNames.AirgapImports);
|
||||
|
||||
// Enforce idempotency on (bundleId, generation) via Id uniqueness and explicit index.
|
||||
var idIndex = Builders<AirgapImportRecord>.IndexKeys.Ascending(x => x.Id);
|
||||
var bundleIndex = Builders<AirgapImportRecord>.IndexKeys
|
||||
.Ascending(x => x.BundleId)
|
||||
.Ascending(x => x.MirrorGeneration);
|
||||
|
||||
_collection.Indexes.CreateMany(new[]
|
||||
{
|
||||
new CreateIndexModel<AirgapImportRecord>(idIndex, new CreateIndexOptions { Unique = true, Name = "airgap_import_id_unique" }),
|
||||
new CreateIndexModel<AirgapImportRecord>(bundleIndex, new CreateIndexOptions { Unique = true, Name = "airgap_bundle_generation_unique" })
|
||||
});
|
||||
}
|
||||
|
||||
public Task SaveAsync(AirgapImportRecord record, CancellationToken cancellationToken)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(record);
|
||||
return _collection.InsertOneAsync(record, cancellationToken: cancellationToken);
|
||||
try
|
||||
{
|
||||
return _collection.InsertOneAsync(record, cancellationToken: cancellationToken);
|
||||
}
|
||||
catch (MongoWriteException ex) when (ex.WriteError.Category == ServerErrorCategory.DuplicateKey)
|
||||
{
|
||||
throw new DuplicateAirgapImportException(record.BundleId, record.MirrorGeneration, ex);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -124,11 +124,6 @@ public sealed class MongoVexRawStore : IVexRawStore
|
||||
|
||||
var sessionHandle = session ?? await _sessionProvider.StartSessionAsync(cancellationToken).ConfigureAwait(false);
|
||||
|
||||
if (!useInline)
|
||||
{
|
||||
newGridId = await UploadToGridFsAsync(document, sessionHandle, cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
|
||||
var supportsTransactions = sessionHandle.Client.Cluster.Description.Type != ClusterType.Standalone
|
||||
&& !sessionHandle.IsInTransaction;
|
||||
|
||||
@@ -183,6 +178,18 @@ public sealed class MongoVexRawStore : IVexRawStore
|
||||
IngestionTelemetry.RecordLatency(tenant, sourceVendor, IngestionTelemetry.PhaseFetch, fetchWatch.Elapsed);
|
||||
}
|
||||
|
||||
// Append-only: if the digest already exists, skip write
|
||||
if (existing is not null)
|
||||
{
|
||||
IngestionTelemetry.RecordWriteAttempt(tenant, sourceVendor, IngestionTelemetry.ResultNoop);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!useInline)
|
||||
{
|
||||
newGridId = await UploadToGridFsAsync(document, sessionHandle, cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
|
||||
var record = VexRawDocumentRecord.FromDomain(document, includeContent: useInline);
|
||||
record.GridFsObjectId = useInline ? null : newGridId;
|
||||
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
<Project Sdk="Microsoft.NET.Sdk">
|
||||
<PropertyGroup>
|
||||
<TargetFramework>net10.0</TargetFramework>
|
||||
<LangVersion>preview</LangVersion>
|
||||
<Nullable>enable</Nullable>
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
|
||||
<OutputType>Library</OutputType>
|
||||
<IsPackable>false</IsPackable>
|
||||
<UseAppHost>false</UseAppHost>
|
||||
</PropertyGroup>
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="../../__Libraries/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj" />
|
||||
<PackageReference Include="FluentAssertions" Version="6.12.0" />
|
||||
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.0" />
|
||||
<PackageReference Include="xunit" Version="2.9.2" />
|
||||
<PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" PrivateAssets="all" />
|
||||
<ProjectReference Include="../../__Libraries/StellaOps.Excititor.Storage.Mongo/StellaOps.Excititor.Storage.Mongo.csproj" />
|
||||
<ProjectReference Include="../../StellaOps.Excititor.WebService/StellaOps.Excititor.WebService.csproj" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Using Include="Xunit" />
|
||||
</ItemGroup>
|
||||
</Project>
|
||||
@@ -0,0 +1,118 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Collections.Immutable;
|
||||
using System.Linq;
|
||||
using System.Threading;
|
||||
using System.Threading.Tasks;
|
||||
using FluentAssertions;
|
||||
using MongoDB.Driver;
|
||||
using StellaOps.Excititor.Core;
|
||||
using StellaOps.Excititor.Storage.Mongo;
|
||||
using StellaOps.Excititor.WebService.Services;
|
||||
using Xunit;
|
||||
|
||||
namespace StellaOps.Excititor.Core.UnitTests;
|
||||
|
||||
public sealed class VexEvidenceChunkServiceTests
|
||||
{
|
||||
[Fact]
|
||||
public async Task QueryAsync_FiltersAndLimitsResults()
|
||||
{
|
||||
var now = new DateTimeOffset(2025, 11, 16, 12, 0, 0, TimeSpan.Zero);
|
||||
var claims = new[]
|
||||
{
|
||||
CreateClaim("provider-a", VexClaimStatus.Affected, now.AddHours(-6), now.AddHours(-5), score: 0.9),
|
||||
CreateClaim("provider-b", VexClaimStatus.NotAffected, now.AddHours(-4), now.AddHours(-3), score: 0.2)
|
||||
};
|
||||
|
||||
var service = new VexEvidenceChunkService(new FakeClaimStore(claims), new FixedTimeProvider(now));
|
||||
var request = new VexEvidenceChunkRequest(
|
||||
Tenant: "tenant-a",
|
||||
VulnerabilityId: "CVE-2025-0001",
|
||||
ProductKey: "pkg:docker/demo",
|
||||
ProviderIds: ImmutableHashSet.Create("provider-b"),
|
||||
Statuses: ImmutableHashSet.Create(VexClaimStatus.NotAffected),
|
||||
Since: now.AddHours(-12),
|
||||
Limit: 1);
|
||||
|
||||
var result = await service.QueryAsync(request, CancellationToken.None);
|
||||
|
||||
result.Truncated.Should().BeFalse();
|
||||
result.TotalCount.Should().Be(1);
|
||||
result.GeneratedAtUtc.Should().Be(now);
|
||||
var chunk = result.Chunks.Single();
|
||||
chunk.ProviderId.Should().Be("provider-b");
|
||||
chunk.Status.Should().Be(VexClaimStatus.NotAffected.ToString());
|
||||
chunk.ScopeScore.Should().Be(0.2);
|
||||
chunk.ObservationId.Should().Contain("provider-b");
|
||||
chunk.Document.Digest.Should().NotBeNullOrWhiteSpace();
|
||||
}
|
||||
|
||||
private static VexClaim CreateClaim(string providerId, VexClaimStatus status, DateTimeOffset firstSeen, DateTimeOffset lastSeen, double? score)
|
||||
{
|
||||
var product = new VexProduct("pkg:docker/demo", "demo", "1.0.0", "pkg:docker/demo:1.0.0", null, new[] { "component-a" });
|
||||
var document = new VexClaimDocument(
|
||||
VexDocumentFormat.CycloneDx,
|
||||
digest: Guid.NewGuid().ToString("N"),
|
||||
sourceUri: new Uri("https://example.test/vex.json"),
|
||||
revision: "r1",
|
||||
signature: new VexSignatureMetadata("cosign", "demo", "issuer", keyId: "kid", verifiedAt: firstSeen, transparencyLogReference: string.Empty));
|
||||
|
||||
var signals = score.HasValue
|
||||
? new VexSignalSnapshot(new VexSeveritySignal("cvss", score, "low", vector: null), kev: false, epss: null)
|
||||
: null;
|
||||
|
||||
return new VexClaim(
|
||||
"CVE-2025-0001",
|
||||
providerId,
|
||||
product,
|
||||
status,
|
||||
document,
|
||||
firstSeen,
|
||||
lastSeen,
|
||||
justification: VexJustification.ComponentNotPresent,
|
||||
detail: "demo detail",
|
||||
confidence: null,
|
||||
signals: signals,
|
||||
additionalMetadata: ImmutableDictionary<string, string>.Empty);
|
||||
}
|
||||
|
||||
private sealed class FakeClaimStore : IVexClaimStore
|
||||
{
|
||||
private readonly IReadOnlyCollection<VexClaim> _claims;
|
||||
|
||||
public FakeClaimStore(IReadOnlyCollection<VexClaim> claims)
|
||||
{
|
||||
_claims = claims;
|
||||
}
|
||||
|
||||
public ValueTask AppendAsync(IEnumerable<VexClaim> claims, DateTimeOffset observedAt, CancellationToken cancellationToken, IClientSessionHandle? session = null)
|
||||
=> throw new NotSupportedException();
|
||||
|
||||
public ValueTask<IReadOnlyCollection<VexClaim>> FindAsync(string vulnerabilityId, string productKey, DateTimeOffset? since, CancellationToken cancellationToken, IClientSessionHandle? session = null)
|
||||
{
|
||||
var query = _claims
|
||||
.Where(claim => claim.VulnerabilityId == vulnerabilityId)
|
||||
.Where(claim => claim.Product.Key == productKey);
|
||||
|
||||
if (since.HasValue)
|
||||
{
|
||||
query = query.Where(claim => claim.LastSeen >= since.Value);
|
||||
}
|
||||
|
||||
return ValueTask.FromResult<IReadOnlyCollection<VexClaim>>(query.ToList());
|
||||
}
|
||||
}
|
||||
|
||||
private sealed class FixedTimeProvider : TimeProvider
|
||||
{
|
||||
private readonly DateTimeOffset _timestamp;
|
||||
|
||||
public FixedTimeProvider(DateTimeOffset timestamp)
|
||||
{
|
||||
_timestamp = timestamp;
|
||||
}
|
||||
|
||||
public override DateTimeOffset GetUtcNow() => _timestamp;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,115 @@
|
||||
using System;
|
||||
using System.Collections.Immutable;
|
||||
using System.Linq;
|
||||
using System.Text.Json.Nodes;
|
||||
using StellaOps.Excititor.Core.Observations;
|
||||
using Xunit;
|
||||
|
||||
namespace StellaOps.Excititor.Core.UnitTests;
|
||||
|
||||
public class VexLinksetExtractionServiceTests
|
||||
{
|
||||
[Fact]
|
||||
public void Extract_GroupsByVulnerabilityAndProduct_WithStableOrdering()
|
||||
{
|
||||
var obs1 = BuildObservation(
|
||||
id: "obs-1",
|
||||
provider: "provider-a",
|
||||
vuln: "CVE-2025-0001",
|
||||
product: "pkg:npm/leftpad",
|
||||
createdAt: DateTimeOffset.Parse("2025-11-20T10:00:00Z"));
|
||||
|
||||
var obs2 = BuildObservation(
|
||||
id: "obs-2",
|
||||
provider: "provider-b",
|
||||
vuln: "CVE-2025-0001",
|
||||
product: "pkg:npm/leftpad",
|
||||
createdAt: DateTimeOffset.Parse("2025-11-20T11:00:00Z"));
|
||||
|
||||
var obs3 = BuildObservation(
|
||||
id: "obs-3",
|
||||
provider: "provider-c",
|
||||
vuln: "CVE-2025-0002",
|
||||
product: "pkg:maven/org.example/app",
|
||||
createdAt: DateTimeOffset.Parse("2025-11-21T09:00:00Z"));
|
||||
|
||||
var service = new VexLinksetExtractionService();
|
||||
|
||||
var events = service.Extract("tenant-a", new[] { obs2, obs1, obs3 });
|
||||
|
||||
Assert.Equal(2, events.Length);
|
||||
|
||||
// First event should be CVE-2025-0001 because of ordering (vuln then product)
|
||||
var first = events[0];
|
||||
Assert.Equal("tenant-a", first.Tenant);
|
||||
Assert.Equal("cve-2025-0001", first.VulnerabilityId.ToLowerInvariant());
|
||||
Assert.Equal("pkg:npm/leftpad", first.ProductKey);
|
||||
Assert.Equal("vex:cve-2025-0001:pkg:npm/leftpad", first.LinksetId);
|
||||
// Should contain both observations, ordered by provider then observationId
|
||||
Assert.Equal(new[] { "obs-1", "obs-2" }, first.Observations.Select(o => o.ObservationId).ToArray());
|
||||
|
||||
// Second event corresponds to CVE-2025-0002
|
||||
var second = events[1];
|
||||
Assert.Equal("cve-2025-0002", second.VulnerabilityId.ToLowerInvariant());
|
||||
Assert.Equal("pkg:maven/org.example/app", second.ProductKey);
|
||||
Assert.Equal(new[] { "obs-3" }, second.Observations.Select(o => o.ObservationId).ToArray());
|
||||
// CreatedAt should reflect max CreatedAt among grouped observations
|
||||
Assert.Equal(DateTimeOffset.Parse("2025-11-21T09:00:00Z").ToUniversalTime(), second.CreatedAtUtc);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Extract_FiltersNullsAndReturnsEmptyWhenNoObservations()
|
||||
{
|
||||
var service = new VexLinksetExtractionService();
|
||||
var events = service.Extract("tenant-a", Array.Empty<VexObservation>());
|
||||
Assert.Empty(events);
|
||||
}
|
||||
|
||||
private static VexObservation BuildObservation(string id, string provider, string vuln, string product, DateTimeOffset createdAt)
|
||||
{
|
||||
var statement = new VexObservationStatement(
|
||||
vulnerabilityId: vuln,
|
||||
productKey: product,
|
||||
status: VexClaimStatus.Affected,
|
||||
lastObserved: null,
|
||||
locator: null,
|
||||
justification: null,
|
||||
introducedVersion: null,
|
||||
fixedVersion: null,
|
||||
purl: product,
|
||||
cpe: null,
|
||||
evidence: null,
|
||||
metadata: null);
|
||||
|
||||
var upstream = new VexObservationUpstream(
|
||||
upstreamId: $"upstream-{id}",
|
||||
documentVersion: "1",
|
||||
fetchedAt: createdAt,
|
||||
receivedAt: createdAt,
|
||||
contentHash: "sha256:deadbeef",
|
||||
signature: new VexObservationSignature(false, null, null, null));
|
||||
|
||||
var content = new VexObservationContent(
|
||||
format: "openvex",
|
||||
specVersion: "1.0.0",
|
||||
raw: JsonNode.Parse("{}")!,
|
||||
metadata: null);
|
||||
|
||||
var linkset = new VexObservationLinkset(
|
||||
aliases: new[] { vuln },
|
||||
purls: new[] { product },
|
||||
cpes: Array.Empty<string>(),
|
||||
references: Array.Empty<VexObservationReference>());
|
||||
|
||||
return new VexObservation(
|
||||
observationId: id,
|
||||
tenant: "tenant-a",
|
||||
providerId: provider,
|
||||
streamId: "ingest",
|
||||
upstream: upstream,
|
||||
statements: ImmutableArray.Create(statement),
|
||||
content: content,
|
||||
linkset: linkset,
|
||||
createdAt: createdAt);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,84 @@
|
||||
using System;
|
||||
using StellaOps.Excititor.WebService.Contracts;
|
||||
using StellaOps.Excititor.WebService.Services;
|
||||
using Xunit;
|
||||
|
||||
namespace StellaOps.Excititor.WebService.Tests;
|
||||
|
||||
public sealed class AirgapImportValidatorTests
|
||||
{
|
||||
private readonly AirgapImportValidator _validator = new();
|
||||
private readonly DateTimeOffset _now = DateTimeOffset.UtcNow;
|
||||
|
||||
[Fact]
|
||||
public void Validate_WhenValid_ReturnsEmpty()
|
||||
{
|
||||
var req = new AirgapImportRequest
|
||||
{
|
||||
BundleId = "bundle-123",
|
||||
MirrorGeneration = "5",
|
||||
Publisher = "stellaops",
|
||||
PayloadHash = "sha256:" + new string('a', 64),
|
||||
Signature = Convert.ToBase64String(new byte[]{1,2,3}),
|
||||
SignedAt = _now
|
||||
};
|
||||
|
||||
var result = _validator.Validate(req, _now);
|
||||
|
||||
Assert.Empty(result);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_InvalidHash_ReturnsError()
|
||||
{
|
||||
var req = Valid();
|
||||
req.PayloadHash = "not-a-hash";
|
||||
|
||||
var result = _validator.Validate(req, _now);
|
||||
|
||||
Assert.Contains(result, e => e.Code == "payload_hash_invalid");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_InvalidSignature_ReturnsError()
|
||||
{
|
||||
var req = Valid();
|
||||
req.Signature = "???";
|
||||
|
||||
var result = _validator.Validate(req, _now);
|
||||
|
||||
Assert.Contains(result, e => e.Code == "AIRGAP_SIGNATURE_INVALID");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_MirrorGenerationNonNumeric_ReturnsError()
|
||||
{
|
||||
var req = Valid();
|
||||
req.MirrorGeneration = "abc";
|
||||
|
||||
var result = _validator.Validate(req, _now);
|
||||
|
||||
Assert.Contains(result, e => e.Code == "mirror_generation_invalid");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_SignedAtTooOld_ReturnsError()
|
||||
{
|
||||
var req = Valid();
|
||||
req.SignedAt = _now.AddSeconds(-10);
|
||||
|
||||
var result = _validator.Validate(req, _now);
|
||||
|
||||
Assert.Contains(result, e => e.Code == "AIRGAP_PAYLOAD_STALE");
|
||||
}
|
||||
|
||||
private AirgapImportRequest Valid() => new()
|
||||
{
|
||||
BundleId = "bundle-123",
|
||||
MirrorGeneration = "5",
|
||||
Publisher = "stellaops",
|
||||
PayloadHash = "sha256:" + new string('b', 64),
|
||||
Signature = Convert.ToBase64String(new byte[]{5,6,7}),
|
||||
SignedAt = _now
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,108 @@
|
||||
using System;
|
||||
using System.Collections.Immutable;
|
||||
using Microsoft.Extensions.Logging.Abstractions;
|
||||
using StellaOps.Excititor.Connectors.Abstractions.Trust;
|
||||
using StellaOps.Excititor.WebService.Contracts;
|
||||
using StellaOps.Excititor.WebService.Services;
|
||||
using Xunit;
|
||||
|
||||
namespace StellaOps.Excititor.WebService.Tests;
|
||||
|
||||
public class AirgapSignerTrustServiceTests
|
||||
{
|
||||
[Fact]
|
||||
public void Validate_Allows_When_Metadata_Not_Configured()
|
||||
{
|
||||
Environment.SetEnvironmentVariable("STELLAOPS_CONNECTOR_SIGNER_METADATA_PATH", null);
|
||||
var service = new AirgapSignerTrustService(NullLogger<AirgapSignerTrustService>.Instance);
|
||||
|
||||
var ok = service.Validate(ValidRequest(), out var code, out var msg);
|
||||
|
||||
Assert.True(ok);
|
||||
Assert.Null(code);
|
||||
Assert.Null(msg);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_Rejects_When_Publisher_Not_In_Metadata()
|
||||
{
|
||||
using var temp = ConnectorMetadataTempFile();
|
||||
Environment.SetEnvironmentVariable("STELLAOPS_CONNECTOR_SIGNER_METADATA_PATH", temp.Path);
|
||||
var service = new AirgapSignerTrustService(NullLogger<AirgapSignerTrustService>.Instance);
|
||||
|
||||
var req = ValidRequest();
|
||||
req.Publisher = "missing";
|
||||
var ok = service.Validate(req, out var code, out var msg);
|
||||
|
||||
Assert.False(ok);
|
||||
Assert.Equal("AIRGAP_SOURCE_UNTRUSTED", code);
|
||||
Assert.Contains("missing", msg);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_Rejects_On_Digest_Mismatch()
|
||||
{
|
||||
using var temp = ConnectorMetadataTempFile();
|
||||
Environment.SetEnvironmentVariable("STELLAOPS_CONNECTOR_SIGNER_METADATA_PATH", temp.Path);
|
||||
var service = new AirgapSignerTrustService(NullLogger<AirgapSignerTrustService>.Instance);
|
||||
|
||||
var req = ValidRequest();
|
||||
req.PayloadHash = "sha256:" + new string('b', 64);
|
||||
var ok = service.Validate(req, out var code, out var msg);
|
||||
|
||||
Assert.False(ok);
|
||||
Assert.Equal("AIRGAP_PAYLOAD_MISMATCH", code);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_Allows_On_Metadata_Match()
|
||||
{
|
||||
using var temp = ConnectorMetadataTempFile();
|
||||
Environment.SetEnvironmentVariable("STELLAOPS_CONNECTOR_SIGNER_METADATA_PATH", temp.Path);
|
||||
var service = new AirgapSignerTrustService(NullLogger<AirgapSignerTrustService>.Instance);
|
||||
|
||||
var req = ValidRequest();
|
||||
var ok = service.Validate(req, out var code, out var msg);
|
||||
|
||||
Assert.True(ok);
|
||||
Assert.Null(code);
|
||||
Assert.Null(msg);
|
||||
}
|
||||
|
||||
private static AirgapImportRequest ValidRequest() => new()
|
||||
{
|
||||
BundleId = "bundle-1",
|
||||
MirrorGeneration = "1",
|
||||
Publisher = "connector-a",
|
||||
PayloadHash = "sha256:" + new string('a', 64),
|
||||
Signature = Convert.ToBase64String(new byte[] {1,2,3}),
|
||||
SignedAt = DateTimeOffset.UtcNow
|
||||
};
|
||||
|
||||
private sealed class TempFile : IDisposable
|
||||
{
|
||||
public string Path { get; }
|
||||
public TempFile(string path) => Path = path;
|
||||
public void Dispose() { if (System.IO.File.Exists(Path)) System.IO.File.Delete(Path); }
|
||||
}
|
||||
|
||||
private static TempFile ConnectorMetadataTempFile()
|
||||
{
|
||||
var json = @"{
|
||||
\"schemaVersion\": \"1.0.0\",
|
||||
\"generatedAt\": \"2025-11-23T00:00:00Z\",
|
||||
\"connectors\": [
|
||||
{
|
||||
\"connectorId\": \"connector-a\",
|
||||
\"provider\": { \"name\": \"Connector A\", \"slug\": \"connector-a\" },
|
||||
\"issuerTier\": \"trusted\",
|
||||
\"signers\": [ { \"usage\": \"sign\", \"fingerprints\": [ { \"alg\": \"rsa\", \"format\": \"pem\", \"value\": \"fp1\" } ] } ],
|
||||
\"bundle\": { \"kind\": \"mirror\", \"uri\": \"file:///bundle\", \"digest\": \"sha256:" + new string('a',64) + "\" }
|
||||
}
|
||||
]
|
||||
}";
|
||||
var path = System.IO.Path.GetTempFileName();
|
||||
System.IO.File.WriteAllText(path, json);
|
||||
return new TempFile(path);
|
||||
}
|
||||
}
|
||||
@@ -1,4 +1,3 @@
|
||||
#if false
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Net;
|
||||
@@ -10,26 +9,22 @@ using Xunit;
|
||||
|
||||
namespace StellaOps.Excititor.WebService.Tests;
|
||||
|
||||
public sealed class AttestationVerifyEndpointTests : IClassFixture<TestWebApplicationFactory>
|
||||
public sealed class AttestationVerifyEndpointTests
|
||||
{
|
||||
private readonly TestWebApplicationFactory _factory;
|
||||
|
||||
public AttestationVerifyEndpointTests(TestWebApplicationFactory factory)
|
||||
{
|
||||
_factory = factory;
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Verify_ReturnsOk_WhenPayloadValid()
|
||||
{
|
||||
var client = _factory.CreateClient();
|
||||
using var factory = new TestWebApplicationFactory(
|
||||
configureServices: services => TestServiceOverrides.Apply(services));
|
||||
var client = factory.CreateClient();
|
||||
|
||||
var request = new AttestationVerifyRequest
|
||||
{
|
||||
ExportId = "export-123",
|
||||
QuerySignature = "purl=foo",
|
||||
ArtifactDigest = "sha256:deadbeef",
|
||||
Format = "VexJson",
|
||||
ArtifactDigest = "deadbeef",
|
||||
Format = "json",
|
||||
CreatedAt = DateTimeOffset.Parse("2025-11-20T00:00:00Z"),
|
||||
SourceProviders = new[] { "ghsa" },
|
||||
Metadata = new Dictionary<string, string> { { "foo", "bar" } },
|
||||
@@ -50,8 +45,12 @@ public sealed class AttestationVerifyEndpointTests : IClassFixture<TestWebApplic
|
||||
};
|
||||
|
||||
var response = await client.PostAsJsonAsync("/v1/attestations/verify", request);
|
||||
var raw = await response.Content.ReadAsStringAsync();
|
||||
|
||||
response.StatusCode.Should().Be(HttpStatusCode.OK);
|
||||
if (response.StatusCode != HttpStatusCode.OK)
|
||||
{
|
||||
throw new Xunit.Sdk.XunitException($"Unexpected status {(int)response.StatusCode} ({response.StatusCode}). Body: {raw}");
|
||||
}
|
||||
var body = await response.Content.ReadFromJsonAsync<AttestationVerifyResponse>();
|
||||
body.Should().NotBeNull();
|
||||
body!.Valid.Should().BeTrue();
|
||||
@@ -60,7 +59,9 @@ public sealed class AttestationVerifyEndpointTests : IClassFixture<TestWebApplic
|
||||
[Fact]
|
||||
public async Task Verify_ReturnsBadRequest_WhenFieldsMissing()
|
||||
{
|
||||
var client = _factory.CreateClient();
|
||||
using var factory = new TestWebApplicationFactory(
|
||||
configureServices: services => TestServiceOverrides.Apply(services));
|
||||
var client = factory.CreateClient();
|
||||
|
||||
var request = new AttestationVerifyRequest
|
||||
{
|
||||
@@ -76,5 +77,3 @@ public sealed class AttestationVerifyEndpointTests : IClassFixture<TestWebApplic
|
||||
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
|
||||
}
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
@@ -0,0 +1,13 @@
|
||||
// Stub to satisfy Razor dev runtime dependency when running tests without VS dev tools
|
||||
namespace Microsoft.CodeAnalysis.ExternalAccess.Razor
|
||||
{
|
||||
public interface IDevRuntimeEnvironment
|
||||
{
|
||||
bool IsSupported { get; }
|
||||
}
|
||||
|
||||
internal sealed class DefaultDevRuntimeEnvironment : IDevRuntimeEnvironment
|
||||
{
|
||||
public bool IsSupported => false;
|
||||
}
|
||||
}
|
||||
@@ -1,4 +1,3 @@
|
||||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<Project Sdk="Microsoft.NET.Sdk">
|
||||
<PropertyGroup>
|
||||
<TargetFramework>net10.0</TargetFramework>
|
||||
@@ -7,8 +6,11 @@
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
|
||||
<UseConcelierTestInfra>false</UseConcelierTestInfra>
|
||||
<UseAppHost>false</UseAppHost>
|
||||
<DisableRazorRuntimeCompilation>true</DisableRazorRuntimeCompilation>
|
||||
</PropertyGroup>
|
||||
<ItemGroup>
|
||||
<PackageReference Include="FluentAssertions" Version="6.12.0" />
|
||||
<PackageReference Include="EphemeralMongo" Version="3.0.0" />
|
||||
<PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.0-rc.2.25502.107" />
|
||||
<PackageReference Include="Microsoft.Extensions.TimeProvider.Testing" Version="9.10.0" />
|
||||
@@ -27,10 +29,11 @@
|
||||
<ItemGroup>
|
||||
<Compile Remove="**/*.cs" />
|
||||
<Compile Include="AirgapImportEndpointTests.cs" />
|
||||
<Compile Include="VexEvidenceChunkServiceTests.cs" />
|
||||
<Compile Include="EvidenceTelemetryTests.cs" />
|
||||
<Compile Include="DevRuntimeEnvironmentStub.cs" />
|
||||
<Compile Include="TestAuthentication.cs" />
|
||||
<Compile Include="TestServiceOverrides.cs" />
|
||||
<Compile Include="TestWebApplicationFactory.cs" />
|
||||
<Compile Include="AttestationVerifyEndpointTests.cs" />
|
||||
</ItemGroup>
|
||||
</Project>
|
||||
|
||||
@@ -11,8 +11,25 @@ namespace StellaOps.Excititor.WebService.Tests;
|
||||
|
||||
public sealed class TestWebApplicationFactory : WebApplicationFactory<Program>
|
||||
{
|
||||
private readonly Action<IConfigurationBuilder>? _configureConfiguration;
|
||||
private readonly Action<IServiceCollection>? _configureServices;
|
||||
|
||||
public TestWebApplicationFactory() : this(null, null)
|
||||
{
|
||||
}
|
||||
|
||||
internal TestWebApplicationFactory(
|
||||
Action<IConfigurationBuilder>? configureConfiguration = null,
|
||||
Action<IServiceCollection>? configureServices = null)
|
||||
{
|
||||
_configureConfiguration = configureConfiguration;
|
||||
_configureServices = configureServices;
|
||||
}
|
||||
|
||||
protected override void ConfigureWebHost(IWebHostBuilder builder)
|
||||
{
|
||||
// Avoid loading any external hosting startup assemblies (e.g., Razor dev tools)
|
||||
builder.UseSetting(WebHostDefaults.PreventHostingStartupKey, "true");
|
||||
builder.UseEnvironment("Production");
|
||||
builder.ConfigureAppConfiguration((_, config) =>
|
||||
{
|
||||
@@ -23,11 +40,13 @@ public sealed class TestWebApplicationFactory : WebApplicationFactory<Program>
|
||||
["Excititor:Storage:Mongo:DefaultTenant"] = "test",
|
||||
};
|
||||
config.AddInMemoryCollection(defaults);
|
||||
_configureConfiguration?.Invoke(config);
|
||||
});
|
||||
|
||||
builder.ConfigureServices(services =>
|
||||
{
|
||||
services.RemoveAll<IHostedService>();
|
||||
_configureServices?.Invoke(services);
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
@@ -15,6 +15,7 @@ namespace StellaOps.Excititor.WebService.Tests;
|
||||
public sealed class VexEvidenceChunkServiceTests
|
||||
{
|
||||
[Fact]
|
||||
[Trait("Category", "VexEvidence")]
|
||||
public async Task QueryAsync_FiltersAndLimitsResults()
|
||||
{
|
||||
var now = new DateTimeOffset(2025, 11, 16, 12, 0, 0, TimeSpan.Zero);
|
||||
|
||||
@@ -0,0 +1,48 @@
|
||||
using System;
|
||||
using System.Net.Http.Headers;
|
||||
using FluentAssertions;
|
||||
using Microsoft.Extensions.Options;
|
||||
using StellaOps.Excititor.Worker.Auth;
|
||||
using StellaOps.Excititor.Worker.Options;
|
||||
using Xunit;
|
||||
|
||||
namespace StellaOps.Excititor.Worker.Tests;
|
||||
|
||||
public sealed class TenantAuthorityClientFactoryTests
|
||||
{
|
||||
[Fact]
|
||||
public void Create_WhenTenantConfigured_SetsBaseAddressAndTenantHeader()
|
||||
{
|
||||
var options = new TenantAuthorityOptions();
|
||||
options.BaseUrls.Add("tenant-a", "https://authority.example/");
|
||||
var factory = new TenantAuthorityClientFactory(Options.Create(options));
|
||||
|
||||
using var client = factory.Create("tenant-a");
|
||||
|
||||
client.BaseAddress.Should().Be(new Uri("https://authority.example/"));
|
||||
client.DefaultRequestHeaders.TryGetValues("X-Tenant", out var values).Should().BeTrue();
|
||||
values.Should().ContainSingle().Which.Should().Be("tenant-a");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Create_Throws_WhenTenantMissing()
|
||||
{
|
||||
var options = new TenantAuthorityOptions();
|
||||
options.BaseUrls.Add("tenant-a", "https://authority.example/");
|
||||
var factory = new TenantAuthorityClientFactory(Options.Create(options));
|
||||
|
||||
FluentActions.Invoking(() => factory.Create(string.Empty))
|
||||
.Should().Throw<ArgumentException>();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Create_Throws_WhenTenantNotConfigured()
|
||||
{
|
||||
var options = new TenantAuthorityOptions();
|
||||
options.BaseUrls.Add("tenant-a", "https://authority.example/");
|
||||
var factory = new TenantAuthorityClientFactory(Options.Create(options));
|
||||
|
||||
FluentActions.Invoking(() => factory.Create("tenant-b"))
|
||||
.Should().Throw<InvalidOperationException>();
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,43 @@
|
||||
using FluentAssertions;
|
||||
using Microsoft.Extensions.Options;
|
||||
using StellaOps.Excititor.Worker.Options;
|
||||
using Xunit;
|
||||
|
||||
namespace StellaOps.Excititor.Worker.Tests;
|
||||
|
||||
public sealed class TenantAuthorityOptionsValidatorTests
|
||||
{
|
||||
private readonly TenantAuthorityOptionsValidator _validator = new();
|
||||
|
||||
[Fact]
|
||||
public void Validate_Fails_When_BaseUrls_Empty()
|
||||
{
|
||||
var options = new TenantAuthorityOptions();
|
||||
|
||||
var result = _validator.Validate(null, options);
|
||||
|
||||
result.Failed.Should().BeTrue();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_Fails_When_Key_Or_Value_Blank()
|
||||
{
|
||||
var options = new TenantAuthorityOptions();
|
||||
options.BaseUrls.Add("", "");
|
||||
|
||||
var result = _validator.Validate(null, options);
|
||||
|
||||
result.Failed.Should().BeTrue();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_Succeeds_When_Valid()
|
||||
{
|
||||
var options = new TenantAuthorityOptions();
|
||||
options.BaseUrls.Add("tenant-a", "https://authority.example");
|
||||
|
||||
var result = _validator.Validate(null, options);
|
||||
|
||||
result.Succeeded.Should().BeTrue();
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user