audit, advisories and doctors/setup work

This commit is contained in:
master
2026-01-13 18:53:39 +02:00
parent 9ca7cb183e
commit d7be6ba34b
811 changed files with 54242 additions and 4056 deletions


@@ -0,0 +1,139 @@
using System.Collections.Generic;
using Microsoft.Extensions.Options;
using StellaOps.Policy.ToolLattice;
using StellaOps.TestKit;
using Xunit;
namespace StellaOps.Policy.Tests.ToolLattice;
public sealed class ToolAccessEvaluatorTests
{
[Trait("Category", TestCategories.Unit)]
[Fact]
public void DefaultRules_AllowReadTool_WhenScopeMatches()
{
var options = new ToolLatticeOptions
{
UseDefaultRules = true
};
var evaluator = new ToolAccessEvaluator(Options.Create(options));
var decision = evaluator.Evaluate(new ToolAccessContext
{
TenantId = "tenant-a",
Tool = "vex.query",
Action = "read",
Scopes = new[] { "vex:read" }
});
Assert.True(decision.Allowed);
Assert.Equal("rule_allow", decision.Reason);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void DefaultRules_DenyWhenScopeMissing()
{
var options = new ToolLatticeOptions
{
UseDefaultRules = true
};
var evaluator = new ToolAccessEvaluator(Options.Create(options));
var decision = evaluator.Evaluate(new ToolAccessContext
{
TenantId = "tenant-a",
Tool = "sbom.read",
Action = "read",
Scopes = new[] { "vex:read" }
});
Assert.False(decision.Allowed);
Assert.Equal("default_deny", decision.Reason);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void DefaultRules_DenyWhenActionMismatch()
{
var options = new ToolLatticeOptions
{
UseDefaultRules = true
};
var evaluator = new ToolAccessEvaluator(Options.Create(options));
var decision = evaluator.Evaluate(new ToolAccessContext
{
TenantId = "tenant-a",
Tool = "scanner.findings.topk",
Action = "action",
Scopes = new[] { "scanner:read" }
});
Assert.False(decision.Allowed);
Assert.Equal("default_deny", decision.Reason);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void CustomRule_RespectsTenantConstraint()
{
var options = new ToolLatticeOptions
{
UseDefaultRules = false
};
var rule = new ToolAccessRule
{
Tool = "vex.query",
Action = "read",
Effect = ToolAccessEffect.Allow
};
rule.Scopes.Add("vex:read");
rule.Tenants.Add("tenant-a");
options.Rules.Add(rule);
var evaluator = new ToolAccessEvaluator(Options.Create(options));
var decision = evaluator.Evaluate(new ToolAccessContext
{
TenantId = "tenant-b",
Tool = "vex.query",
Action = "read",
Scopes = new[] { "vex:read" }
});
Assert.False(decision.Allowed);
Assert.Equal("default_deny", decision.Reason);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void ScopeOrdering_DoesNotChangeDecision()
{
var options = new ToolLatticeOptions
{
UseDefaultRules = true
};
var evaluator = new ToolAccessEvaluator(Options.Create(options));
var decisionA = evaluator.Evaluate(new ToolAccessContext
{
TenantId = "tenant-a",
Tool = "scanner.findings.topk",
Action = "read",
Scopes = new[] { "findings:read", "scanner:read" }
});
var decisionB = evaluator.Evaluate(new ToolAccessContext
{
TenantId = "tenant-a",
Tool = "scanner.findings.topk",
Action = "read",
Scopes = new[] { "scanner:read", "findings:read" }
});
Assert.Equal(decisionA.Allowed, decisionB.Allowed);
Assert.Equal(decisionA.Reason, decisionB.Reason);
}
}
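Review bot: `DefaultRules_DenyWhenScopeMissing` does not actually isolate the scope check — it evaluates a different tool (`sbom.read`, line with `Tool = "sbom.read"`) than the allow test, so it would pass even if no default rule for `sbom.read` existed at all, and it never proves that a caller holding the wrong scope for a *known* tool is refused. Reuse the tool the allow test already exercises, `Tool = "vex.query"` with `Scopes = new[] { "sbom:read" }`, and add a second case with `Scopes = new string[0]`, both still asserting `default_deny`. Since `ToolAccessEffect.Allow` exists the enum presumably has a deny effect too; a test that an explicit deny rule wins over a matching allow rule for the same tool/action would pin the precedence the lattice's safety depends on — confirm the member name against `ToolAccessEffect` before writing it. The five tests repeat the same options/evaluator setup verbatim; a private `static ToolAccessEvaluator CreateEvaluator(bool useDefaults, params ToolAccessRule[] rules)` helper, or folding the deny cases into one `[Theory]`, would make the matrix of tool/action/scope combinations easier to extend.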