Restructure solution layout by module

2025-10-28 15:10:40 +02:00
parent 95daa159c4
commit d870da18ce
4103 changed files with 192899 additions and 187024 deletions
--- a/src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/StellaOps.Excititor.Attestation.Tests.csproj
+++ b/src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/StellaOps.Excititor.Attestation.Tests.csproj
@@ -0,0 +1,14 @@
+<?xml version='1.0' encoding='utf-8'?>
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <LangVersion>preview</LangVersion>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+  </PropertyGroup>
+  <ItemGroup>
+    <ProjectReference Include="../../__Libraries/StellaOps.Excititor.Attestation/StellaOps.Excititor.Attestation.csproj" />
+    <ProjectReference Include="../../__Libraries/StellaOps.Excititor.Core/StellaOps.Excititor.Core.csproj" />
+  </ItemGroup>
+</Project>
--- a/src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/VexAttestationClientTests.cs
+++ b/src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/VexAttestationClientTests.cs
@@ -0,0 +1,90 @@
+using System.Collections.Immutable;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using StellaOps.Excititor.Attestation.Dsse;
+using StellaOps.Excititor.Attestation.Signing;
+using StellaOps.Excititor.Attestation.Transparency;
+using StellaOps.Excititor.Attestation.Verification;
+using StellaOps.Excititor.Core;
+
+namespace StellaOps.Excititor.Attestation.Tests;
+
+public sealed class VexAttestationClientTests
+{
+    [Fact]
+    public async Task SignAsync_ReturnsEnvelopeDigestAndDiagnostics()
+    {
+        var signer = new FakeSigner();
+        var builder = new VexDsseBuilder(signer, NullLogger<VexDsseBuilder>.Instance);
+        var options = Options.Create(new VexAttestationClientOptions());
+        var verifier = new FakeVerifier();
+        var client = new VexAttestationClient(builder, options, NullLogger<VexAttestationClient>.Instance, verifier);
+
+        var request = new VexAttestationRequest(
+            ExportId: "exports/456",
+            QuerySignature: new VexQuerySignature("filters"),
+            Artifact: new VexContentAddress("sha256", "deadbeef"),
+            Format: VexExportFormat.Json,
+            CreatedAt: DateTimeOffset.UtcNow,
+            SourceProviders: ImmutableArray.Create("vendor"),
+            Metadata: ImmutableDictionary<string, string>.Empty);
+
+        var response = await client.SignAsync(request, CancellationToken.None);
+
+        Assert.NotNull(response.Attestation);
+        Assert.NotNull(response.Attestation.EnvelopeDigest);
+        Assert.True(response.Diagnostics.ContainsKey("envelope"));
+    }
+
+    [Fact]
+    public async Task SignAsync_SubmitsToTransparencyLog_WhenConfigured()
+    {
+        var signer = new FakeSigner();
+        var builder = new VexDsseBuilder(signer, NullLogger<VexDsseBuilder>.Instance);
+        var options = Options.Create(new VexAttestationClientOptions());
+        var transparency = new FakeTransparencyLogClient();
+        var verifier = new FakeVerifier();
+        var client = new VexAttestationClient(builder, options, NullLogger<VexAttestationClient>.Instance, verifier, transparencyLogClient: transparency);
+
+        var request = new VexAttestationRequest(
+            ExportId: "exports/789",
+            QuerySignature: new VexQuerySignature("filters"),
+            Artifact: new VexContentAddress("sha256", "deadbeef"),
+            Format: VexExportFormat.Json,
+            CreatedAt: DateTimeOffset.UtcNow,
+            SourceProviders: ImmutableArray.Create("vendor"),
+            Metadata: ImmutableDictionary<string, string>.Empty);
+
+        var response = await client.SignAsync(request, CancellationToken.None);
+
+        Assert.NotNull(response.Attestation.Rekor);
+        Assert.True(response.Diagnostics.ContainsKey("rekorLocation"));
+        Assert.True(transparency.SubmitCalled);
+    }
+
+    private sealed class FakeSigner : IVexSigner
+    {
+        public ValueTask<VexSignedPayload> SignAsync(ReadOnlyMemory<byte> payload, CancellationToken cancellationToken)
+            => ValueTask.FromResult(new VexSignedPayload("signature", "key"));
+    }
+
+    private sealed class FakeTransparencyLogClient : ITransparencyLogClient
+    {
+        public bool SubmitCalled { get; private set; }
+
+        public ValueTask<TransparencyLogEntry> SubmitAsync(DsseEnvelope envelope, CancellationToken cancellationToken)
+        {
+            SubmitCalled = true;
+            return ValueTask.FromResult(new TransparencyLogEntry(Guid.NewGuid().ToString(), "https://rekor.example/entries/123", "23", null));
+        }
+
+        public ValueTask<bool> VerifyAsync(string entryLocation, CancellationToken cancellationToken)
+            => ValueTask.FromResult(true);
+    }
+
+    private sealed class FakeVerifier : IVexAttestationVerifier
+    {
+        public ValueTask<VexAttestationVerification> VerifyAsync(VexAttestationVerificationRequest request, CancellationToken cancellationToken)
+            => ValueTask.FromResult(new VexAttestationVerification(true, ImmutableDictionary<string, string>.Empty));
+    }
+}
--- a/src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/VexAttestationVerifierTests.cs
+++ b/src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/VexAttestationVerifierTests.cs
@@ -0,0 +1,132 @@
+using System.Collections.Immutable;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using StellaOps.Excititor.Attestation.Dsse;
+using StellaOps.Excititor.Attestation.Signing;
+using StellaOps.Excititor.Attestation.Transparency;
+using StellaOps.Excititor.Attestation.Verification;
+using StellaOps.Excititor.Core;
+
+namespace StellaOps.Excititor.Attestation.Tests;
+
+public sealed class VexAttestationVerifierTests : IDisposable
+{
+    private readonly VexAttestationMetrics _metrics = new();
+
+    [Fact]
+    public async Task VerifyAsync_ReturnsValid_WhenEnvelopeMatches()
+    {
+        var (request, metadata, envelope) = await CreateSignedAttestationAsync();
+        var verifier = CreateVerifier(options => options.RequireTransparencyLog = false);
+
+        var verification = await verifier.VerifyAsync(
+            new VexAttestationVerificationRequest(request, metadata, envelope),
+            CancellationToken.None);
+
+        Assert.True(verification.IsValid);
+        Assert.Equal("valid", verification.Diagnostics["result"]);
+    }
+
+    [Fact]
+    public async Task VerifyAsync_ReturnsInvalid_WhenDigestMismatch()
+    {
+        var (request, metadata, envelope) = await CreateSignedAttestationAsync();
+        var verifier = CreateVerifier(options => options.RequireTransparencyLog = false);
+
+        var tamperedMetadata = new VexAttestationMetadata(
+            metadata.PredicateType,
+            metadata.Rekor,
+            "sha256:deadbeef",
+            metadata.SignedAt);
+
+        var verification = await verifier.VerifyAsync(
+            new VexAttestationVerificationRequest(request, tamperedMetadata, envelope),
+            CancellationToken.None);
+
+        Assert.False(verification.IsValid);
+        Assert.Equal("invalid", verification.Diagnostics["result"]);
+        Assert.Equal("sha256:deadbeef", verification.Diagnostics["metadata.envelopeDigest"]);
+    }
+
+    [Fact]
+    public async Task VerifyAsync_AllowsOfflineTransparency_WhenConfigured()
+    {
+        var (request, metadata, envelope) = await CreateSignedAttestationAsync(includeRekor: true);
+        var transparency = new ThrowingTransparencyLogClient();
+        var verifier = CreateVerifier(options =>
+        {
+            options.AllowOfflineTransparency = true;
+            options.RequireTransparencyLog = true;
+        }, transparency);
+
+        var verification = await verifier.VerifyAsync(
+            new VexAttestationVerificationRequest(request, metadata, envelope),
+            CancellationToken.None);
+
+        Assert.True(verification.IsValid);
+        Assert.Equal("offline", verification.Diagnostics["rekor.state"]);
+    }
+
+    private async Task<(VexAttestationRequest Request, VexAttestationMetadata Metadata, string Envelope)> CreateSignedAttestationAsync(bool includeRekor = false)
+    {
+        var signer = new FakeSigner();
+        var builder = new VexDsseBuilder(signer, NullLogger<VexDsseBuilder>.Instance);
+        var options = Options.Create(new VexAttestationClientOptions());
+        var transparency = includeRekor ? new FakeTransparencyLogClient() : null;
+        var verifier = CreateVerifier(options => options.RequireTransparencyLog = false);
+        var client = new VexAttestationClient(builder, options, NullLogger<VexAttestationClient>.Instance, verifier, transparency);
+
+        var request = new VexAttestationRequest(
+            ExportId: "exports/unit-test",
+            QuerySignature: new VexQuerySignature("filters"),
+            Artifact: new VexContentAddress("sha256", "cafebabe"),
+            Format: VexExportFormat.Json,
+            CreatedAt: DateTimeOffset.UtcNow,
+            SourceProviders: ImmutableArray.Create("provider-a"),
+            Metadata: ImmutableDictionary<string, string>.Empty);
+
+        var response = await client.SignAsync(request, CancellationToken.None);
+        var envelope = response.Diagnostics["envelope"];
+        return (request, response.Attestation, envelope);
+    }
+
+    private VexAttestationVerifier CreateVerifier(Action<VexAttestationVerificationOptions>? configureOptions = null, ITransparencyLogClient? transparency = null)
+    {
+        var options = new VexAttestationVerificationOptions();
+        configureOptions?.Invoke(options);
+        return new VexAttestationVerifier(
+            NullLogger<VexAttestationVerifier>.Instance,
+            transparency,
+            Options.Create(options),
+            _metrics);
+    }
+
+    public void Dispose()
+    {
+        _metrics.Dispose();
+    }
+
+    private sealed class FakeSigner : IVexSigner
+    {
+        public ValueTask<VexSignedPayload> SignAsync(ReadOnlyMemory<byte> payload, CancellationToken cancellationToken)
+            => ValueTask.FromResult(new VexSignedPayload("signature", "key"));
+    }
+
+    private sealed class FakeTransparencyLogClient : ITransparencyLogClient
+    {
+        public ValueTask<TransparencyLogEntry> SubmitAsync(DsseEnvelope envelope, CancellationToken cancellationToken)
+            => ValueTask.FromResult(new TransparencyLogEntry(Guid.NewGuid().ToString(), "https://rekor.example/entries/123", "42", null));
+
+        public ValueTask<bool> VerifyAsync(string entryLocation, CancellationToken cancellationToken)
+            => ValueTask.FromResult(true);
+    }
+
+    private sealed class ThrowingTransparencyLogClient : ITransparencyLogClient
+    {
+        public ValueTask<TransparencyLogEntry> SubmitAsync(DsseEnvelope envelope, CancellationToken cancellationToken)
+            => throw new NotSupportedException();
+
+        public ValueTask<bool> VerifyAsync(string entryLocation, CancellationToken cancellationToken)
+            => throw new HttpRequestException("rekor unavailable");
+    }
+}
--- a/src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/VexDsseBuilderTests.cs
+++ b/src/Excititor/__Tests/StellaOps.Excititor.Attestation.Tests/VexDsseBuilderTests.cs
@@ -0,0 +1,52 @@
+using System.Collections.Immutable;
+using Microsoft.Extensions.Logging.Abstractions;
+using StellaOps.Excititor.Attestation.Dsse;
+using StellaOps.Excititor.Attestation.Models;
+using StellaOps.Excititor.Attestation.Signing;
+using StellaOps.Excititor.Core;
+
+namespace StellaOps.Excititor.Attestation.Tests;
+
+public sealed class VexDsseBuilderTests
+{
+    [Fact]
+    public async Task CreateEnvelopeAsync_ProducesDeterministicPayload()
+    {
+        var signer = new FakeSigner("signature-value", "key-1");
+        var builder = new VexDsseBuilder(signer, NullLogger<VexDsseBuilder>.Instance);
+
+        var request = new VexAttestationRequest(
+            ExportId: "exports/123",
+            QuerySignature: new VexQuerySignature("filters"),
+            Artifact: new VexContentAddress("sha256", "deadbeef"),
+            Format: VexExportFormat.Json,
+            CreatedAt: DateTimeOffset.UtcNow,
+            SourceProviders: ImmutableArray.Create("vendor"),
+            Metadata: ImmutableDictionary<string, string>.Empty);
+
+        var envelope = await builder.CreateEnvelopeAsync(request, request.Metadata, CancellationToken.None);
+
+        Assert.Equal("application/vnd.in-toto+json", envelope.PayloadType);
+        Assert.Single(envelope.Signatures);
+        Assert.Equal("signature-value", envelope.Signatures[0].Signature);
+        Assert.Equal("key-1", envelope.Signatures[0].KeyId);
+
+        var digest = VexDsseBuilder.ComputeEnvelopeDigest(envelope);
+        Assert.StartsWith("sha256:", digest);
+    }
+
+    private sealed class FakeSigner : IVexSigner
+    {
+        private readonly string _signature;
+        private readonly string _keyId;
+
+        public FakeSigner(string signature, string keyId)
+        {
+            _signature = signature;
+            _keyId = keyId;
+        }
+
+        public ValueTask<VexSignedPayload> SignAsync(ReadOnlyMemory<byte> payload, CancellationToken cancellationToken)
+            => ValueTask.FromResult(new VexSignedPayload(_signature, _keyId));
+    }
+}