feat: Initialize Zastava Webhook service with TLS and Authority authentication

- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint. - Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately. - Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly. - Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.
2025-10-19 18:36:22 +03:00
parent 2062da7a8b
commit d099a90f9b
966 changed files with 91038 additions and 1850 deletions
--- a/src/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/Descriptor/DescriptorGeneratorTests.cs
+++ b/src/StellaOps.Scanner.Sbomer.BuildXPlugin.Tests/Descriptor/DescriptorGeneratorTests.cs
@@ -61,6 +61,76 @@ public sealed class DescriptorGeneratorTests
        var expectedDsse = ComputeExpectedDsse(request.ImageDigest, expectedSbomDigest, document.Provenance.Nonce);
        Assert.Equal(expectedDsse, document.Provenance.ExpectedDsseSha256);
        Assert.Equal(expectedDsse, document.Artifact.Annotations["org.stellaops.provenance.dsse.sha256"]);
+        Assert.Equal(document.Provenance.Nonce, document.Artifact.Annotations["org.stellaops.provenance.nonce"]);
+    }
+
+    [Fact]
+    public async Task CreateAsync_RepeatedInvocationsReuseDeterministicNonce()
+    {
+        await using var temp = new TempDirectory();
+        var sbomPath = Path.Combine(temp.Path, "sample.cdx.json");
+        await File.WriteAllTextAsync(sbomPath, "{\"bomFormat\":\"CycloneDX\",\"specVersion\":\"1.5\"}");
+
+        var fakeTime = new FakeTimeProvider(new DateTimeOffset(2025, 10, 18, 12, 0, 0, TimeSpan.Zero));
+        var generator = new DescriptorGenerator(fakeTime);
+
+        var request = new DescriptorRequest
+        {
+            ImageDigest = "sha256:0123456789abcdef",
+            SbomPath = sbomPath,
+            SbomMediaType = "application/vnd.cyclonedx+json",
+            SbomFormat = "cyclonedx-json",
+            SbomKind = "inventory",
+            SbomArtifactType = "application/vnd.stellaops.sbom.layer+json",
+            SubjectMediaType = "application/vnd.oci.image.manifest.v1+json",
+            GeneratorVersion = "1.2.3",
+            GeneratorName = "StellaOps.Scanner.Sbomer.BuildXPlugin",
+            LicenseId = "lic-123",
+            SbomName = "sample.cdx.json",
+            Repository = "git.stella-ops.org/stellaops",
+            BuildRef = "refs/heads/main",
+            AttestorUri = "https://attestor.local/api/v1/provenance"
+        }.Validate();
+
+        var first = await generator.CreateAsync(request, CancellationToken.None);
+        var second = await generator.CreateAsync(request, CancellationToken.None);
+
+        Assert.Equal(first.Provenance.Nonce, second.Provenance.Nonce);
+        Assert.Equal(first.Provenance.ExpectedDsseSha256, second.Provenance.ExpectedDsseSha256);
+        Assert.Equal(first.Artifact.Annotations["org.stellaops.provenance.nonce"], second.Artifact.Annotations["org.stellaops.provenance.nonce"]);
+        Assert.Equal(first.Artifact.Annotations["org.stellaops.provenance.dsse.sha256"], second.Artifact.Annotations["org.stellaops.provenance.dsse.sha256"]);
+    }
+
+    [Fact]
+    public async Task CreateAsync_MetadataDifferencesYieldDistinctNonce()
+    {
+        await using var temp = new TempDirectory();
+        var sbomPath = Path.Combine(temp.Path, "sample.cdx.json");
+        await File.WriteAllTextAsync(sbomPath, "{\"bomFormat\":\"CycloneDX\",\"specVersion\":\"1.5\"}");
+
+        var fakeTime = new FakeTimeProvider(new DateTimeOffset(2025, 10, 18, 12, 0, 0, TimeSpan.Zero));
+        var generator = new DescriptorGenerator(fakeTime);
+
+        var baseline = new DescriptorRequest
+        {
+            ImageDigest = "sha256:0123456789abcdef",
+            SbomPath = sbomPath,
+            Repository = "git.stella-ops.org/stellaops",
+            BuildRef = "refs/heads/main"
+        }.Validate();
+
+        var variant = baseline with
+        {
+            BuildRef = "refs/heads/feature",
+            Repository = "git.stella-ops.org/stellaops/feature"
+        };
+        variant = variant.Validate();
+
+        var baselineDocument = await generator.CreateAsync(baseline, CancellationToken.None);
+        var variantDocument = await generator.CreateAsync(variant, CancellationToken.None);
+
+        Assert.NotEqual(baselineDocument.Provenance.Nonce, variantDocument.Provenance.Nonce);
+        Assert.NotEqual(baselineDocument.Provenance.ExpectedDsseSha256, variantDocument.Provenance.ExpectedDsseSha256);
    }

    private static string ComputeSha256File(string path)