stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Archive live search ingestion browser validation sprint

Browse Source
This commit is contained in:
master
2026-03-08 10:47:19 +02:00
parent af09659f30
commit d0f2cc3b2c
16 changed files with 926 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

328
src/Web/StellaOps.Web/tests/e2e/security-operations-leaves-cutover.spec.ts Normal file
View File

@@ -0,0 +1,328 @@
import { expect, test, type Page, type Route } from '@playwright/test';
import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
const operatorSession: StubAuthSession = {
subjectId: 'security-ops-e2e-user',
tenant: 'tenant-default',
scopes: [
'admin',
'ui.read',
'ui.admin',
'release:read',
'scanner:read',
'sbom:read',
'orch:read',
'notify.viewer',
'signer:read',
],
};
const mockConfig = {
authority: {
issuer: '/authority',
clientId: 'stella-ops-ui',
authorizeEndpoint: '/authority/connect/authorize',
tokenEndpoint: '/authority/connect/token',
logoutEndpoint: '/authority/connect/logout',
redirectUri: 'https://127.0.0.1:4400/auth/callback',
postLogoutRedirectUri: 'https://127.0.0.1:4400/',
scope: 'openid profile email ui.read',
audience: '/gateway',
dpopAlgorithms: ['ES256'],
refreshLeewaySeconds: 60,
},
apiBaseUrls: {
authority: '/authority',
scanner: '/scanner',
policy: '/policy',
concelier: '/concelier',
attestor: '/attestor',
gateway: '/gateway',
},
quickstartMode: true,
setup: 'complete',
};
const unknownsList = {
items: [
{
id: 'unknown-101',
type: 'binary',
name: 'openssl',
path: '/usr/lib/libssl.so',
artifactDigest: 'sha256:artifact-a',
artifactRef: 'registry.example/app@sha256:artifact-a',
sha256: 'sha256:file-a',
status: 'open',
confidence: 92,
createdAt: '2026-03-08T07:00:00Z',
updatedAt: '2026-03-08T07:10:00Z',
},
],
total: 1,
};
const unknownsStats = {
total: 7,
byType: {
binary: 4,
symbol: 2,
package: 1,
file: 0,
license: 0,
},
byStatus: {
open: 5,
pending: 1,
resolved: 1,
unresolvable: 0,
},
resolutionRate: 14.2,
avgConfidence: 73.4,
lastUpdated: '2026-03-08T07:10:00Z',
};
const unknownDetail = {
unknown: {
id: 'unknown-101',
type: 'binary',
name: 'openssl',
path: '/usr/lib/libssl.so',
artifactDigest: 'sha256:artifact-a',
artifactRef: 'registry.example/app@sha256:artifact-a',
sha256: 'sha256:file-a',
status: 'open',
confidence: 92,
createdAt: '2026-03-08T07:00:00Z',
updatedAt: '2026-03-08T07:10:00Z',
},
candidates: [
{
rank: 1,
name: 'openssl',
purl: 'pkg:generic/openssl@3.0.14',
cpe: 'cpe:2.3:a:openssl:openssl:3.0.14:*:*:*:*:*:*:*',
confidence: 96,
source: 'fingerprint',
matchDetails: 'Fingerprint digest match',
},
],
fingerprintAnalysis: {
matchType: 'exact',
matchPercentage: 98,
missingInfo: [],
},
symbolResolution: {
totalSymbols: 15,
resolvedSymbols: 14,
missingSymbols: ['SSL_CTX_new'],
symbolServerStatus: 'partial',
},
similarCount: 3,
sbomImpact: {
currentCompleteness: 91,
impactDelta: 4,
knownCves: 2,
message: 'Resolution improves SBOM completeness and vulnerability attribution.',
},
};
const notifyChannels = [
{
channelId: 'chn-alerts',
tenantId: 'tenant-default',
name: 'slack-alerts',
displayName: 'Slack Alerts',
type: 'Slack',
enabled: true,
config: {
secretRef: 'secret://notify/slack-alerts',
target: '#security-alerts',
},
labels: {},
metadata: {},
createdAt: '2026-03-08T07:00:00Z',
updatedAt: '2026-03-08T07:10:00Z',
},
];
const notifyRules = [
{
ruleId: 'rule-alerts',
tenantId: 'tenant-default',
name: 'Critical findings',
enabled: true,
match: {
minSeverity: 'critical',
eventKinds: ['scanner.report.ready'],
},
actions: [
{
actionId: 'act-alerts',
channel: 'chn-alerts',
digest: 'instant',
enabled: true,
},
],
createdAt: '2026-03-08T07:00:00Z',
updatedAt: '2026-03-08T07:10:00Z',
},
];
const notifyDeliveries = {
items: [
{
deliveryId: 'delivery-001',
tenantId: 'tenant-default',
ruleId: 'rule-alerts',
actionId: 'act-alerts',
eventId: 'event-001',
kind: 'scanner.report.ready',
status: 'Sent',
rendered: {
channelType: 'Slack',
format: 'Slack',
target: '#security-alerts',
title: 'Critical finding detected',
body: 'A critical finding requires operator review.',
},
createdAt: '2026-03-08T07:10:00Z',
},
],
count: 1,
continuationToken: null,
};
async function fulfillJson(route: Route, body: unknown, status = 200): Promise<void> {
await route.fulfill({
status,
contentType: 'application/json',
body: JSON.stringify(body),
});
}
async function setupHarness(page: Page): Promise<void> {
await page.addInitScript((session) => {
(window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
}, operatorSession);
await page.route('**/api/**', (route) => fulfillJson(route, {}));
await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
await page.route('**/platform/i18n/*.json', (route) => fulfillJson(route, {}));
await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
await page.route('**/.well-known/openid-configuration', (route) =>
fulfillJson(route, {
issuer: 'https://127.0.0.1:4400/authority',
authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
response_types_supported: ['code'],
subject_types_supported: ['public'],
id_token_signing_alg_values_supported: ['RS256'],
}),
);
await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));
await page.route('**/console/branding**', (route) =>
fulfillJson(route, {
tenantId: operatorSession.tenant,
appName: 'Stella Ops',
logoUrl: null,
cssVariables: {},
}),
);
await page.route('**/console/profile**', (route) =>
fulfillJson(route, {
subjectId: operatorSession.subjectId,
username: 'security-ops-e2e',
displayName: 'Security Ops E2E',
tenant: operatorSession.tenant,
roles: ['platform-admin'],
scopes: operatorSession.scopes,
}),
);
await page.route('**/console/token/introspect**', (route) =>
fulfillJson(route, {
active: true,
tenant: operatorSession.tenant,
subject: operatorSession.subjectId,
scopes: operatorSession.scopes,
}),
);
await page.route('**/authority/console/tenants**', (route) =>
fulfillJson(route, {
tenants: [
{
tenantId: operatorSession.tenant,
displayName: 'Default Tenant',
isDefault: true,
isActive: true,
},
],
}),
);
await page.route('**/api/v2/context/regions**', (route) =>
fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }]),
);
await page.route('**/api/v2/context/environments**', (route) =>
fulfillJson(route, [
{
environmentId: 'prod',
regionId: 'eu-west',
environmentType: 'prod',
displayName: 'Production',
sortOrder: 1,
enabled: true,
},
]),
);
await page.route('**/api/v2/context/preferences**', (route) =>
fulfillJson(route, {
tenantId: operatorSession.tenant,
actorId: operatorSession.subjectId,
regions: ['eu-west'],
environments: ['prod'],
timeWindow: '24h',
stage: 'all',
updatedAt: '2026-03-08T07:00:00Z',
updatedBy: operatorSession.subjectId,
}),
);
await page.route(/\/api\/v1\/scanner\/unknowns\/stats(?:\?.*)?$/, (route) => fulfillJson(route, unknownsStats));
await page.route(/\/api\/v1\/scanner\/unknowns\/unknown-101(?:\?.*)?$/, (route) => fulfillJson(route, unknownDetail));
await page.route(/\/api\/v1\/scanner\/unknowns(?:\?.*)?$/, (route) => fulfillJson(route, unknownsList));
await page.route(/\/api\/v1\/notify\/channels(?:\?.*)?$/, (route) => fulfillJson(route, notifyChannels));
await page.route(/\/api\/v1\/notify\/rules(?:\?.*)?$/, (route) => fulfillJson(route, notifyRules));
await page.route(/\/api\/v1\/notify\/deliveries(?:\?.*)?$/, (route) => fulfillJson(route, notifyDeliveries));
}
test.beforeEach(async ({ page }) => {
await setupHarness(page);
});
test('security operations leaves keep aliases and canonical shells usable', async ({ page }) => {
await page.goto('/analyze/unknowns', { waitUntil: 'networkidle' });
await expect(page).toHaveURL(/\/security\/unknowns(?:\?.*)?$/);
await expect(page.getByRole('heading', { name: 'Unknowns Tracking' })).toBeVisible();
await page.getByRole('link', { name: 'Identify' }).click();
await expect(page).toHaveURL(/\/security\/unknowns\/unknown-101(?:\?.*)?$/);
await expect(page.getByRole('heading', { name: 'openssl' })).toBeVisible();
// `/notify` is reserved by the local dev proxy, so the alias contract is verified
// in route-level tests while the browser run covers the mounted canonical page.
await page.goto('/ops/operations/notifications', { waitUntil: 'networkidle' });
await expect(page).toHaveURL(/\/ops\/operations\/notifications(?:\?.*)?$/);
await expect(page.getByRole('heading', { name: 'Notify control plane' })).toBeVisible();
await expect(page.getByRole('link', { name: 'Review watchlist alerts' })).toBeVisible();
await page.goto('/mission-control/alerts', { waitUntil: 'networkidle' });
await expect(page.getByRole('heading', { name: 'Mission Alerts' })).toBeVisible();
await expect(
page.getByRole('link', { name: 'Identity watchlist alert requires signer review' }),
).toBeVisible();
await page.goto('/mission-control/activity', { waitUntil: 'networkidle' });
await expect(page.getByRole('heading', { name: 'Mission Activity' })).toBeVisible();
await expect(page.getByRole('link', { name: 'Open Audit Log' })).toBeVisible();
});