stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Restructure solution layout by module

Browse Source
This commit is contained in:
master
2025-10-28 15:10:40 +02:00
parent 95daa159c4
commit d870da18ce
4103 changed files with 192899 additions and 187024 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/Zastava/StellaOps.Zastava.Observer/Backend/IRuntimePolicyClient.cs Normal file
View File

@@ -0,0 +1,9 @@
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Zastava.Observer.Backend;
internal interface IRuntimePolicyClient
{
Task<RuntimePolicyResponse> EvaluateAsync(RuntimePolicyRequest request, CancellationToken cancellationToken = default);
}

237
src/Zastava/StellaOps.Zastava.Observer/Backend/RuntimeEventsClient.cs Normal file
View File

@@ -0,0 +1,237 @@
using System.Linq;
using System.Net;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Core.Diagnostics;
using StellaOps.Zastava.Core.Security;
using StellaOps.Zastava.Core.Serialization;
using StellaOps.Zastava.Observer.Configuration;
namespace StellaOps.Zastava.Observer.Backend;
internal interface IRuntimeEventsClient
{
Task<RuntimeEventPublishResult> PublishAsync(RuntimeEventsIngestRequest request, CancellationToken cancellationToken);
}
internal sealed class RuntimeEventsClient : IRuntimeEventsClient
{
private static readonly JsonSerializerOptions SerializerOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
};
static RuntimeEventsClient()
{
SerializerOptions.Converters.Add(new JsonStringEnumConverter(JsonNamingPolicy.CamelCase, allowIntegerValues: false));
}
private readonly HttpClient httpClient;
private readonly IZastavaAuthorityTokenProvider authorityTokenProvider;
private readonly IOptionsMonitor<ZastavaRuntimeOptions> runtimeOptions;
private readonly IOptionsMonitor<ZastavaObserverOptions> observerOptions;
private readonly IZastavaRuntimeMetrics runtimeMetrics;
private readonly ILogger<RuntimeEventsClient> logger;
public RuntimeEventsClient(
HttpClient httpClient,
IZastavaAuthorityTokenProvider authorityTokenProvider,
IOptionsMonitor<ZastavaRuntimeOptions> runtimeOptions,
IOptionsMonitor<ZastavaObserverOptions> observerOptions,
IZastavaRuntimeMetrics runtimeMetrics,
ILogger<RuntimeEventsClient> logger)
{
this.httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
this.authorityTokenProvider = authorityTokenProvider ?? throw new ArgumentNullException(nameof(authorityTokenProvider));
this.runtimeOptions = runtimeOptions ?? throw new ArgumentNullException(nameof(runtimeOptions));
this.observerOptions = observerOptions ?? throw new ArgumentNullException(nameof(observerOptions));
this.runtimeMetrics = runtimeMetrics ?? throw new ArgumentNullException(nameof(runtimeMetrics));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<RuntimeEventPublishResult> PublishAsync(RuntimeEventsIngestRequest request, CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(request);
if (request.Events.Count == 0)
{
return RuntimeEventPublishResult.Empty;
}
var runtime = runtimeOptions.CurrentValue;
var authority = runtime.Authority;
var audience = authority.Audience.FirstOrDefault() ?? "scanner";
var scopes = authority.Scopes ?? Array.Empty<string>();
var token = await authorityTokenProvider.GetAsync(audience, scopes, cancellationToken).ConfigureAwait(false);
var backend = observerOptions.CurrentValue.Backend;
var requestPath = backend.EventsPath;
using var httpRequest = new HttpRequestMessage(HttpMethod.Post, requestPath);
var payload = ZastavaCanonicalJsonSerializer.SerializeToUtf8Bytes(request);
httpRequest.Content = new ByteArrayContent(payload);
httpRequest.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
httpRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
httpRequest.Headers.Authorization = CreateAuthorizationHeader(token);
var stopwatch = System.Diagnostics.Stopwatch.StartNew();
try
{
using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
stopwatch.Stop();
RecordLatency(stopwatch.Elapsed.TotalMilliseconds, success: response.IsSuccessStatusCode);
if (response.IsSuccessStatusCode)
{
var body = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
RuntimeEventsIngestResponse? parsed = null;
if (!string.IsNullOrWhiteSpace(body))
{
parsed = JsonSerializer.Deserialize<RuntimeEventsIngestResponse>(body, SerializerOptions);
}
var accepted = parsed?.Accepted ?? request.Events.Count;
var duplicates = parsed?.Duplicates ?? 0;
logger.LogDebug("Published runtime events batch (batchId={BatchId}, accepted={Accepted}, duplicates={Duplicates}).",
request.BatchId,
accepted,
duplicates);
return RuntimeEventPublishResult.Successful(accepted, duplicates);
}
if (response.StatusCode == HttpStatusCode.TooManyRequests)
{
var retryAfter = ParseRetryAfter(response.Headers.RetryAfter) ?? TimeSpan.FromSeconds(5);
logger.LogWarning("Runtime events publish rate limited (batchId={BatchId}, retryAfter={RetryAfter}).", request.BatchId, retryAfter);
return RuntimeEventPublishResult.FromRateLimit(retryAfter);
}
var errorBody = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
logger.LogWarning("Runtime events publish failed with status {Status} (batchId={BatchId}): {Payload}",
(int)response.StatusCode,
request.BatchId,
Truncate(errorBody));
throw new RuntimeEventsException($"Runtime events publish failed with status {(int)response.StatusCode}", response.StatusCode);
}
catch (RuntimeEventsException)
{
throw;
}
catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
{
throw;
}
catch (Exception ex)
{
stopwatch.Stop();
RecordLatency(stopwatch.Elapsed.TotalMilliseconds, success: false);
logger.LogWarning(ex, "Runtime events publish encountered an exception (batchId={BatchId}).", request.BatchId);
throw new RuntimeEventsException("Runtime events publish failed due to network error.", HttpStatusCode.ServiceUnavailable, ex);
}
}
private AuthenticationHeaderValue CreateAuthorizationHeader(ZastavaOperationalToken token)
{
var scheme = string.Equals(token.TokenType, "dpop", StringComparison.OrdinalIgnoreCase)
? "DPoP"
: token.TokenType;
return new AuthenticationHeaderValue(scheme, token.AccessToken);
}
private void RecordLatency(double elapsedMs, bool success)
{
var tags = runtimeMetrics.DefaultTags
.Concat(new[]
{
new KeyValuePair<string, object?>("endpoint", "runtime-events"),
new KeyValuePair<string, object?>("success", success ? "true" : "false")
})
.ToArray();
runtimeMetrics.BackendLatencyMs.Record(elapsedMs, tags);
}
private static TimeSpan? ParseRetryAfter(RetryConditionHeaderValue? retryAfter)
{
if (retryAfter is null)
{
return null;
}
if (retryAfter.Delta.HasValue)
{
return retryAfter.Delta.Value;
}
if (retryAfter.Date.HasValue)
{
var delta = retryAfter.Date.Value.UtcDateTime - DateTime.UtcNow;
return delta > TimeSpan.Zero ? delta : TimeSpan.Zero;
}
return null;
}
private static string Truncate(string? value, int maxLength = 512)
{
if (string.IsNullOrEmpty(value))
{
return string.Empty;
}
return value.Length <= maxLength ? value : value[..maxLength] + "…";
}
}
internal sealed record RuntimeEventsIngestRequest
{
[JsonPropertyName("batchId")]
public string? BatchId { get; init; }
[JsonPropertyName("events")]
public IReadOnlyList<RuntimeEventEnvelope> Events { get; init; } = Array.Empty<RuntimeEventEnvelope>();
}
internal sealed record RuntimeEventsIngestResponse
{
[JsonPropertyName("accepted")]
public int Accepted { get; init; }
[JsonPropertyName("duplicates")]
public int Duplicates { get; init; }
}
internal readonly record struct RuntimeEventPublishResult(
bool Success,
bool RateLimited,
TimeSpan RetryAfter,
int Accepted,
int Duplicates)
{
public static RuntimeEventPublishResult Empty => new(true, false, TimeSpan.Zero, 0, 0);
public static RuntimeEventPublishResult Successful(int accepted, int duplicates)
=> new(true, false, TimeSpan.Zero, accepted, duplicates);
public static RuntimeEventPublishResult FromRateLimit(TimeSpan retryAfter)
=> new(false, true, retryAfter, 0, 0);
}
internal sealed class RuntimeEventsException : Exception
{
public RuntimeEventsException(string message, HttpStatusCode statusCode, Exception? innerException = null)
: base(message, innerException)
{
StatusCode = statusCode;
}
public HttpStatusCode StatusCode { get; }
}

128
src/Zastava/StellaOps.Zastava.Observer/Backend/RuntimePolicyClient.cs Normal file
View File

@@ -0,0 +1,128 @@
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Diagnostics;
using StellaOps.Zastava.Core.Security;
using StellaOps.Zastava.Observer.Configuration;
namespace StellaOps.Zastava.Observer.Backend;
internal sealed class RuntimePolicyClient : IRuntimePolicyClient
{
private static readonly JsonSerializerOptions SerializerOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
};
static RuntimePolicyClient()
{
SerializerOptions.Converters.Add(new JsonStringEnumConverter(JsonNamingPolicy.CamelCase, allowIntegerValues: false));
}
private readonly HttpClient httpClient;
private readonly IZastavaAuthorityTokenProvider authorityTokenProvider;
private readonly IOptionsMonitor<ZastavaRuntimeOptions> runtimeOptions;
private readonly IOptionsMonitor<ZastavaObserverOptions> observerOptions;
private readonly IZastavaRuntimeMetrics runtimeMetrics;
private readonly ILogger<RuntimePolicyClient> logger;
public RuntimePolicyClient(
HttpClient httpClient,
IZastavaAuthorityTokenProvider authorityTokenProvider,
IOptionsMonitor<ZastavaRuntimeOptions> runtimeOptions,
IOptionsMonitor<ZastavaObserverOptions> observerOptions,
IZastavaRuntimeMetrics runtimeMetrics,
ILogger<RuntimePolicyClient> logger)
{
this.httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
this.authorityTokenProvider = authorityTokenProvider ?? throw new ArgumentNullException(nameof(authorityTokenProvider));
this.runtimeOptions = runtimeOptions ?? throw new ArgumentNullException(nameof(runtimeOptions));
this.observerOptions = observerOptions ?? throw new ArgumentNullException(nameof(observerOptions));
this.runtimeMetrics = runtimeMetrics ?? throw new ArgumentNullException(nameof(runtimeMetrics));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<RuntimePolicyResponse> EvaluateAsync(RuntimePolicyRequest request, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
var runtime = runtimeOptions.CurrentValue;
var authority = runtime.Authority;
var audience = authority.Audience.FirstOrDefault() ?? "scanner";
var token = await authorityTokenProvider
.GetAsync(audience, authority.Scopes ?? Array.Empty<string>(), cancellationToken)
.ConfigureAwait(false);
var backend = observerOptions.CurrentValue.Backend;
EnsureBackendGuardrails(backend);
using var httpRequest = new HttpRequestMessage(HttpMethod.Post, backend.PolicyPath)
{
Content = new StringContent(JsonSerializer.Serialize(request, SerializerOptions), Encoding.UTF8, "application/json")
};
httpRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
httpRequest.Headers.Authorization = CreateAuthorizationHeader(token);
var stopwatch = Stopwatch.StartNew();
try
{
using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
if (!response.IsSuccessStatusCode)
{
logger.LogWarning("Runtime policy call returned {StatusCode}: {Payload}", (int)response.StatusCode, payload);
throw new RuntimePolicyException($"Runtime policy call failed with status {(int)response.StatusCode}", response.StatusCode);
}
var result = JsonSerializer.Deserialize<RuntimePolicyResponse>(payload, SerializerOptions);
if (result is null)
{
throw new RuntimePolicyException("Runtime policy response payload was empty or invalid.", response.StatusCode);
}
return result;
}
finally
{
stopwatch.Stop();
RecordLatency(stopwatch.Elapsed.TotalMilliseconds);
}
}
private AuthenticationHeaderValue CreateAuthorizationHeader(ZastavaOperationalToken token)
{
var scheme = string.Equals(token.TokenType, "dpop", StringComparison.OrdinalIgnoreCase) ? "DPoP" : token.TokenType;
return new AuthenticationHeaderValue(scheme, token.AccessToken);
}
private void RecordLatency(double elapsedMs)
{
var tags = runtimeMetrics.DefaultTags
.Concat(new[] { new KeyValuePair<string, object?>("endpoint", "policy") })
.ToArray();
runtimeMetrics.BackendLatencyMs.Record(elapsedMs, tags);
}
private static void EnsureBackendGuardrails(ZastavaObserverBackendOptions backend)
{
if (!backend.AllowInsecureHttp && !string.Equals(backend.BaseAddress.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException("Observer backend baseAddress must use HTTPS unless allowInsecureHttp is true.");
}
}
}

73
src/Zastava/StellaOps.Zastava.Observer/Backend/RuntimePolicyContracts.cs Normal file
View File

@@ -0,0 +1,73 @@
using System;
using System.Collections.Generic;
using System.Text.Json.Serialization;
using StellaOps.Zastava.Core.Contracts;
namespace StellaOps.Zastava.Observer.Backend;
internal sealed record RuntimePolicyRequest
{
[JsonPropertyName("namespace")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? Namespace { get; init; }
[JsonPropertyName("labels")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public IReadOnlyDictionary<string, string>? Labels { get; init; }
[JsonPropertyName("images")]
public required IReadOnlyList<string> Images { get; init; }
}
internal sealed record RuntimePolicyResponse
{
[JsonPropertyName("ttlSeconds")]
public int TtlSeconds { get; init; }
[JsonPropertyName("expiresAtUtc")]
public DateTimeOffset ExpiresAtUtc { get; init; }
[JsonPropertyName("policyRevision")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? PolicyRevision { get; init; }
[JsonPropertyName("results")]
public IReadOnlyDictionary<string, RuntimePolicyImageResult> Results { get; init; } = new Dictionary<string, RuntimePolicyImageResult>(StringComparer.Ordinal);
}
internal sealed record RuntimePolicyImageResult
{
[JsonPropertyName("policyVerdict")]
public PolicyVerdict PolicyVerdict { get; init; } = PolicyVerdict.Error;
[JsonPropertyName("signed")]
public bool Signed { get; init; }
[JsonPropertyName("hasSbomReferrers")]
public bool HasSbomReferrers { get; init; }
[JsonPropertyName("hasSbom")]
public bool HasSbomLegacy { get; init; }
[JsonPropertyName("reasons")]
public IReadOnlyList<string> Reasons { get; init; } = Array.Empty<string>();
[JsonPropertyName("rekor")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public RuntimePolicyRekorResult? Rekor { get; init; }
}
internal sealed record RuntimePolicyRekorResult
{
[JsonPropertyName("uuid")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? Uuid { get; init; }
[JsonPropertyName("url")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public string? Url { get; init; }
[JsonPropertyName("verified")]
[JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
public bool? Verified { get; init; }
}

21
src/Zastava/StellaOps.Zastava.Observer/Backend/RuntimePolicyException.cs Normal file
View File

@@ -0,0 +1,21 @@
using System;
using System.Net;
namespace StellaOps.Zastava.Observer.Backend;
internal sealed class RuntimePolicyException : Exception
{
public RuntimePolicyException(string message, HttpStatusCode statusCode)
: base(message)
{
StatusCode = statusCode;
}
public RuntimePolicyException(string message, HttpStatusCode statusCode, Exception innerException)
: base(message, innerException)
{
StatusCode = statusCode;
}
public HttpStatusCode StatusCode { get; }
}

242
src/Zastava/StellaOps.Zastava.Observer/Configuration/ZastavaObserverOptions.cs Normal file
View File

@@ -0,0 +1,242 @@
using System.ComponentModel.DataAnnotations;
using System.IO;
namespace StellaOps.Zastava.Observer.Configuration;
/// <summary>
/// Observer-specific configuration applied on top of the shared runtime options.
/// </summary>
public sealed class ZastavaObserverOptions
{
public const string SectionName = "zastava:observer";
private const string DefaultContainerdSocket = "unix:///run/containerd/containerd.sock";
/// <summary>
/// Logical node identifier emitted with runtime events (defaults to environment hostname).
/// </summary>
[Required(AllowEmptyStrings = false)]
public string NodeName { get; set; } =
Environment.GetEnvironmentVariable("ZASTAVA_NODE_NAME")
?? Environment.GetEnvironmentVariable("KUBERNETES_NODE_NAME")
?? Environment.MachineName;
/// <summary>
/// Baseline polling interval when watching CRI runtimes.
/// </summary>
[Range(typeof(TimeSpan), "00:00:01", "00:10:00")]
public TimeSpan PollInterval { get; set; } = TimeSpan.FromSeconds(2);
/// <summary>
/// Maximum number of runtime events held in the in-memory buffer.
/// </summary>
[Range(16, 65536)]
public int MaxInMemoryBuffer { get; set; } = 2048;
/// <summary>
/// Number of runtime events drained in one batch by downstream publishers.
/// </summary>
[Range(1, 512)]
public int PublishBatchSize { get; set; } = 32;
/// <summary>
/// Maximum interval (seconds) that events may remain buffered before forcing a publish.
/// </summary>
[Range(typeof(double), "0.1", "30")]
public double PublishFlushIntervalSeconds { get; set; } = 2;
/// <summary>
/// Directory used for disk-backed runtime event buffering.
/// </summary>
[Required(AllowEmptyStrings = false)]
public string EventBufferPath { get; set; } = Path.Combine(Path.GetTempPath(), "zastava-observer", "runtime-events");
/// <summary>
/// Maximum on-disk bytes retained for buffered runtime events.
/// </summary>
[Range(typeof(long), "1048576", "1073741824")]
public long MaxDiskBufferBytes { get; set; } = 64 * 1024 * 1024; // 64 MiB
/// <summary>
/// Connectivity/backoff settings applied when CRI endpoints fail temporarily.
/// </summary>
[Required]
public ObserverBackoffOptions Backoff { get; set; } = new();
/// <summary>
/// CRI runtime endpoints to monitor.
/// </summary>
[Required]
public IList<ContainerRuntimeEndpointOptions> Runtimes { get; set; } = new List<ContainerRuntimeEndpointOptions>
{
new()
{
Name = "containerd",
Engine = ContainerRuntimeEngine.Containerd,
Endpoint = DefaultContainerdSocket,
Enabled = true
}
};
/// <summary>
/// Scanner backend configuration for posture checks and event ingestion.
/// </summary>
[Required]
public ZastavaObserverBackendOptions Backend { get; set; } = new();
/// <summary>
/// Posture-specific configuration values.
/// </summary>
[Required]
public ZastavaObserverPostureOptions Posture { get; set; } = new();
/// <summary>
/// Root path for accessing host process information (defaults to /host/proc).
/// </summary>
[Required(AllowEmptyStrings = false)]
public string ProcRootPath { get; set; } = "/host/proc";
/// <summary>
/// Maximum number of loaded libraries captured per process.
/// </summary>
[Range(8, 4096)]
public int MaxTrackedLibraries { get; set; } = 256;
/// <summary>
/// Maximum size (in bytes) of a library file to hash when collecting loaded libraries.
/// </summary>
[Range(typeof(long), "1024", "1073741824")]
public long MaxLibraryBytes { get; set; } = 33554432; // 32 MiB
/// <summary>
/// Maximum cumulative bytes hashed across libraries for a single process capture.
/// </summary>
[Range(typeof(long), "1024", "2147483647")]
public long MaxLibraryHashBytes { get; set; } = 64_000_000; // ~61 MiB budget
/// <summary>
/// Maximum number of entrypoint arguments captured for reporting.
/// </summary>
[Range(1, 128)]
public int MaxEntrypointArguments { get; set; } = 32;
}
public sealed class ZastavaObserverBackendOptions
{
/// <summary>
/// Base address for Scanner WebService runtime APIs.
/// </summary>
[Required]
public Uri BaseAddress { get; init; } = new("https://scanner.internal");
/// <summary>
/// Runtime policy endpoint path.
/// </summary>
[Required(AllowEmptyStrings = false)]
public string PolicyPath { get; init; } = "/api/v1/scanner/policy/runtime";
/// <summary>
/// Runtime events ingestion endpoint path.
/// </summary>
[Required(AllowEmptyStrings = false)]
public string EventsPath { get; init; } = "/api/v1/runtime/events";
/// <summary>
/// Request timeout for backend calls in seconds.
/// </summary>
[Range(typeof(double), "1", "120")]
public double RequestTimeoutSeconds { get; init; } = 5;
/// <summary>
/// Allows plain HTTP endpoints when true (default false for safety).
/// </summary>
public bool AllowInsecureHttp { get; init; }
}
public sealed class ZastavaObserverPostureOptions
{
/// <summary>
/// Path where posture cache entries are persisted across restarts.
/// </summary>
[Required(AllowEmptyStrings = false)]
public string CachePath { get; init; } = Path.Combine(Path.GetTempPath(), "zastava-observer", "posture-cache.json");
/// <summary>
/// Fallback TTL (seconds) applied when backend omits an explicit expiry.
/// </summary>
[Range(30, 86400)]
public int FallbackTtlSeconds { get; init; } = 300;
/// <summary>
/// Threshold (seconds) after expiration where stale cache usage triggers warnings.
/// </summary>
[Range(30, 86400)]
public int StaleWarningThresholdSeconds { get; init; } = 900;
}
public sealed class ObserverBackoffOptions
{
/// <summary>
/// Initial backoff delay applied after the first failure.
/// </summary>
[Range(typeof(TimeSpan), "00:00:01", "00:05:00")]
public TimeSpan Initial { get; set; } = TimeSpan.FromSeconds(1);
/// <summary>
/// Maximum backoff delay after repeated failures.
/// </summary>
[Range(typeof(TimeSpan), "00:00:01", "00:10:00")]
public TimeSpan Max { get; set; } = TimeSpan.FromSeconds(30);
/// <summary>
/// Jitter ratio applied to the computed delay (0 disables jitter).
/// </summary>
[Range(0.0, 0.5)]
public double JitterRatio { get; set; } = 0.2;
}
public sealed class ContainerRuntimeEndpointOptions
{
/// <summary>
/// Friendly name used for logging/metrics (defaults to engine identifier).
/// </summary>
public string? Name { get; set; }
/// <summary>
/// Runtime engine backing the endpoint.
/// </summary>
public ContainerRuntimeEngine Engine { get; set; } = ContainerRuntimeEngine.Containerd;
/// <summary>
/// Endpoint URI (unix:///run/containerd/containerd.sock, npipe://./pipe/dockershim, https://127.0.0.1:1234, ...).
/// </summary>
[Required(AllowEmptyStrings = false)]
public string Endpoint { get; set; } = "unix:///run/containerd/containerd.sock";
/// <summary>
/// Optional explicit polling interval for this endpoint (falls back to global PollInterval).
/// </summary>
[Range(typeof(TimeSpan), "00:00:01", "00:10:00")]
public TimeSpan? PollInterval { get; set; }
/// <summary>
/// Optional connection timeout override.
/// </summary>
[Range(typeof(TimeSpan), "00:00:01", "00:01:00")]
public TimeSpan? ConnectTimeout { get; set; }
/// <summary>
/// Flag to allow disabling endpoints without removing configuration entries.
/// </summary>
public bool Enabled { get; set; } = true;
public string ResolveName()
=> string.IsNullOrWhiteSpace(Name) ? Engine.ToString().ToLowerInvariant() : Name!;
}
public enum ContainerRuntimeEngine
{
Containerd,
CriO,
Docker
}

134
src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/ContainerStateTracker.cs Normal file
View File

@@ -0,0 +1,134 @@
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
namespace StellaOps.Zastava.Observer.ContainerRuntime;
internal sealed class ContainerStateTracker
{
private readonly Dictionary<string, ContainerStateEntry> entries = new(StringComparer.Ordinal);
public void BeginCycle()
{
foreach (var entry in entries.Values)
{
entry.SeenInCycle = false;
}
}
public ContainerLifecycleEvent? MarkRunning(CriContainerInfo snapshot, DateTimeOffset fallbackTimestamp)
{
ArgumentNullException.ThrowIfNull(snapshot);
var timestamp = snapshot.StartedAt ?? snapshot.CreatedAt;
if (timestamp <= DateTimeOffset.MinValue)
{
timestamp = fallbackTimestamp;
}
if (!entries.TryGetValue(snapshot.Id, out var entry))
{
entry = new ContainerStateEntry(snapshot);
entries[snapshot.Id] = entry;
entry.SeenInCycle = true;
entry.State = ContainerLifecycleState.Running;
entry.LastStart = timestamp;
entry.LastSnapshot = snapshot;
return new ContainerLifecycleEvent(ContainerLifecycleEventKind.Start, timestamp, snapshot);
}
entry.SeenInCycle = true;
if (timestamp > entry.LastStart)
{
entry.LastStart = timestamp;
entry.State = ContainerLifecycleState.Running;
entry.LastSnapshot = snapshot;
return new ContainerLifecycleEvent(ContainerLifecycleEventKind.Start, timestamp, snapshot);
}
entry.State = ContainerLifecycleState.Running;
entry.LastSnapshot = snapshot;
return null;
}
public async Task<IReadOnlyList<ContainerLifecycleEvent>> CompleteCycleAsync(
Func<string, Task<CriContainerInfo?>> statusProvider,
DateTimeOffset fallbackTimestamp,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(statusProvider);
var events = new List<ContainerLifecycleEvent>();
foreach (var (containerId, entry) in entries.ToArray())
{
if (entry.SeenInCycle)
{
continue;
}
CriContainerInfo? status = null;
if (entry.LastSnapshot is not null && entry.LastSnapshot.FinishedAt is not null)
{
status = entry.LastSnapshot;
}
else
{
status = await statusProvider(containerId).ConfigureAwait(false) ?? entry.LastSnapshot;
}
var stopTimestamp = status?.FinishedAt ?? fallbackTimestamp;
if (stopTimestamp <= DateTimeOffset.MinValue)
{
stopTimestamp = fallbackTimestamp;
}
if (entry.LastStop is not null && stopTimestamp <= entry.LastStop)
{
entries.Remove(containerId);
continue;
}
var snapshot = status ?? entry.LastSnapshot ?? entry.MetadataFallback;
var stopEvent = new ContainerLifecycleEvent(ContainerLifecycleEventKind.Stop, stopTimestamp, snapshot);
events.Add(stopEvent);
entry.LastStop = stopTimestamp;
entry.State = ContainerLifecycleState.Stopped;
entries.Remove(containerId);
}
return events
.OrderBy(static e => e.Timestamp)
.ThenBy(static e => e.Snapshot.Id, StringComparer.Ordinal)
.ToArray();
}
private sealed class ContainerStateEntry
{
public ContainerStateEntry(CriContainerInfo seed)
{
MetadataFallback = seed;
LastSnapshot = seed;
}
public ContainerLifecycleState State { get; set; } = ContainerLifecycleState.Unknown;
public bool SeenInCycle { get; set; }
public DateTimeOffset LastStart { get; set; } = DateTimeOffset.MinValue;
public DateTimeOffset? LastStop { get; set; }
public CriContainerInfo MetadataFallback { get; }
public CriContainerInfo? LastSnapshot { get; set; }
}
}
internal enum ContainerLifecycleState
{
Unknown,
Running,
Stopped
}
internal sealed record ContainerLifecycleEvent(ContainerLifecycleEventKind Kind, DateTimeOffset Timestamp, CriContainerInfo Snapshot);
internal enum ContainerLifecycleEventKind
{
Start,
Stop
}

7
src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/ContainerStateTrackerFactory.cs Normal file
View File

@@ -0,0 +1,7 @@
namespace StellaOps.Zastava.Observer.ContainerRuntime;
internal sealed class ContainerStateTrackerFactory
{
public ContainerStateTracker Create()
=> new();
}

78
src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Cri/CriConversions.cs Normal file
View File

@@ -0,0 +1,78 @@
using StellaOps.Zastava.Observer.Cri;
namespace StellaOps.Zastava.Observer.ContainerRuntime.Cri;
internal static class CriConversions
{
private const long NanosecondsPerTick = 100;
public static CriContainerInfo ToContainerInfo(Container container)
{
ArgumentNullException.ThrowIfNull(container);
return new CriContainerInfo(
Id: container.Id ?? string.Empty,
PodSandboxId: container.PodSandboxId ?? string.Empty,
Name: container.Metadata?.Name ?? string.Empty,
Attempt: container.Metadata?.Attempt ?? 0,
Image: container.Image?.Image,
ImageRef: container.ImageRef,
Labels: container.Labels?.ToDictionary(static pair => pair.Key, static pair => pair.Value, StringComparer.Ordinal) ?? new Dictionary<string, string>(StringComparer.Ordinal),
Annotations: container.Annotations?.ToDictionary(static pair => pair.Key, static pair => pair.Value, StringComparer.Ordinal) ?? new Dictionary<string, string>(StringComparer.Ordinal),
CreatedAt: FromUnixNanoseconds(container.CreatedAt),
StartedAt: null,
FinishedAt: null,
ExitCode: null,
Reason: null,
Message: null,
Pid: null);
}
public static CriContainerInfo MergeStatus(CriContainerInfo baseline, ContainerStatus? status)
{
if (status is null)
{
return baseline;
}
var labels = status.Labels?.ToDictionary(static pair => pair.Key, static pair => pair.Value, StringComparer.Ordinal)
?? baseline.Labels;
var annotations = status.Annotations?.ToDictionary(static pair => pair.Key, static pair => pair.Value, StringComparer.Ordinal)
?? baseline.Annotations;
return baseline with
{
CreatedAt = status.CreatedAt > 0 ? FromUnixNanoseconds(status.CreatedAt) : baseline.CreatedAt,
StartedAt = status.StartedAt > 0 ? FromUnixNanoseconds(status.StartedAt) : baseline.StartedAt,
FinishedAt = status.FinishedAt > 0 ? FromUnixNanoseconds(status.FinishedAt) : baseline.FinishedAt,
ExitCode = status.ExitCode != 0 ? status.ExitCode : baseline.ExitCode,
Reason = string.IsNullOrWhiteSpace(status.Reason) ? baseline.Reason : status.Reason,
Message = string.IsNullOrWhiteSpace(status.Message) ? baseline.Message : status.Message,
Pid = baseline.Pid,
Image = status.Image?.Image ?? baseline.Image,
ImageRef = string.IsNullOrWhiteSpace(status.ImageRef) ? baseline.ImageRef : status.ImageRef,
Labels = labels,
Annotations = annotations
};
}
public static DateTimeOffset FromUnixNanoseconds(long nanoseconds)
{
if (nanoseconds <= 0)
{
return DateTimeOffset.MinValue;
}
var seconds = Math.DivRem(nanoseconds, 1_000_000_000, out var remainder);
var ticks = remainder / NanosecondsPerTick;
try
{
var baseTime = DateTimeOffset.FromUnixTimeSeconds(seconds);
return baseTime.AddTicks(ticks);
}
catch (ArgumentOutOfRangeException)
{
return DateTimeOffset.UnixEpoch;
}
}
}

45
src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Cri/CriModels.cs Normal file
View File

@@ -0,0 +1,45 @@
using StellaOps.Zastava.Observer.Configuration;
namespace StellaOps.Zastava.Observer.ContainerRuntime.Cri;
internal sealed record CriRuntimeIdentity(
string RuntimeName,
string RuntimeVersion,
string RuntimeApiVersion);
internal sealed record CriContainerInfo(
string Id,
string PodSandboxId,
string Name,
uint Attempt,
string? Image,
string? ImageRef,
IReadOnlyDictionary<string, string> Labels,
IReadOnlyDictionary<string, string> Annotations,
DateTimeOffset CreatedAt,
DateTimeOffset? StartedAt,
DateTimeOffset? FinishedAt,
int? ExitCode,
string? Reason,
string? Message,
int? Pid);
internal static class CriLabelKeys
{
public const string PodName = "io.kubernetes.pod.name";
public const string PodNamespace = "io.kubernetes.pod.namespace";
public const string PodUid = "io.kubernetes.pod.uid";
public const string ContainerName = "io.kubernetes.container.name";
}
internal static class ContainerRuntimeEngineExtensions
{
public static string ToEngineString(this ContainerRuntimeEngine engine)
=> engine switch
{
ContainerRuntimeEngine.Containerd => "containerd",
ContainerRuntimeEngine.CriO => "cri-o",
ContainerRuntimeEngine.Docker => "docker",
_ => "unknown"
};
}

254
src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Cri/CriRuntimeClient.cs Normal file
View File

@@ -0,0 +1,254 @@
using System.IO;
using System.Linq;
using System.Net.Sockets;
using System.Text.Json;
using Grpc.Core;
using Grpc.Net.Client;
using Microsoft.Extensions.Logging;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.Cri;
namespace StellaOps.Zastava.Observer.ContainerRuntime.Cri;
internal interface ICriRuntimeClient : IAsyncDisposable
{
ContainerRuntimeEndpointOptions Endpoint { get; }
Task<CriRuntimeIdentity> GetIdentityAsync(CancellationToken cancellationToken);
Task<IReadOnlyList<CriContainerInfo>> ListContainersAsync(ContainerState state, CancellationToken cancellationToken);
Task<CriContainerInfo?> GetContainerStatusAsync(string containerId, CancellationToken cancellationToken);
}
internal sealed class CriRuntimeClient : ICriRuntimeClient
{
private static readonly object SwitchLock = new();
private static bool http2SwitchApplied;
private readonly GrpcChannel channel;
private readonly RuntimeService.RuntimeServiceClient client;
private readonly ILogger<CriRuntimeClient> logger;
public CriRuntimeClient(ContainerRuntimeEndpointOptions endpoint, ILogger<CriRuntimeClient> logger)
{
ArgumentNullException.ThrowIfNull(endpoint);
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
Endpoint = endpoint;
EnsureHttp2Switch();
channel = CreateChannel(endpoint);
client = new RuntimeService.RuntimeServiceClient(channel);
}
public ContainerRuntimeEndpointOptions Endpoint { get; }
public async Task<CriRuntimeIdentity> GetIdentityAsync(CancellationToken cancellationToken)
{
var response = await client.VersionAsync(new VersionRequest(), cancellationToken: cancellationToken).ConfigureAwait(false);
return new CriRuntimeIdentity(
RuntimeName: response.RuntimeName ?? Endpoint.Engine.ToEngineString(),
RuntimeVersion: response.RuntimeVersion ?? "unknown",
RuntimeApiVersion: response.RuntimeApiVersion ?? response.Version ?? "unknown");
}
public async Task<IReadOnlyList<CriContainerInfo>> ListContainersAsync(ContainerState state, CancellationToken cancellationToken)
{
var request = new ListContainersRequest
{
Filter = new ContainerFilter
{
State = new ContainerStateValue
{
State = state
}
}
};
try
{
var response = await client.ListContainersAsync(request, cancellationToken: cancellationToken).ConfigureAwait(false);
if (response.Containers is null || response.Containers.Count == 0)
{
return Array.Empty<CriContainerInfo>();
}
return response.Containers
.Select(CriConversions.ToContainerInfo)
.ToArray();
}
catch (RpcException ex) when (ex.StatusCode == StatusCode.Unimplemented)
{
logger.LogWarning(ex, "Runtime endpoint {Endpoint} does not support ListContainers for state {State}.", Endpoint.Endpoint, state);
throw;
}
}
public async Task<CriContainerInfo?> GetContainerStatusAsync(string containerId, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(containerId))
{
return null;
}
try
{
var response = await client.ContainerStatusAsync(new ContainerStatusRequest
{
ContainerId = containerId,
Verbose = true
}, cancellationToken: cancellationToken).ConfigureAwait(false);
if (response.Status is null)
{
return null;
}
var baseline = CriConversions.ToContainerInfo(new Container
{
Id = response.Status.Id,
PodSandboxId = response.Status.Metadata?.Name ?? string.Empty,
Metadata = response.Status.Metadata,
Image = response.Status.Image,
ImageRef = response.Status.ImageRef,
Labels = { response.Status.Labels },
Annotations = { response.Status.Annotations },
CreatedAt = response.Status.CreatedAt
});
var merged = CriConversions.MergeStatus(baseline, response.Status);
if (response.Info is { Count: > 0 } && TryExtractPid(response.Info, out var pid))
{
merged = merged with { Pid = pid };
}
return merged;
}
catch (RpcException ex) when (ex.StatusCode is StatusCode.NotFound or StatusCode.DeadlineExceeded)
{
logger.LogDebug(ex, "Container {ContainerId} no longer available when querying status.", containerId);
return null;
}
}
private static bool TryExtractPid(IDictionary<string, string> info, out int pid)
{
if (info.TryGetValue("pid", out var value) && int.TryParse(value, out pid))
{
return true;
}
foreach (var entry in info.Values)
{
if (string.IsNullOrWhiteSpace(entry))
{
continue;
}
try
{
using var document = JsonDocument.Parse(entry);
if (document.RootElement.TryGetProperty("pid", out var pidElement) && pidElement.TryGetInt32(out pid))
{
return true;
}
}
catch (JsonException)
{
}
}
pid = default;
return false;
}
public ValueTask DisposeAsync()
{
try
{
channel.Dispose();
}
catch (InvalidOperationException)
{
// Channel already disposed.
}
return ValueTask.CompletedTask;
}
private static void EnsureHttp2Switch()
{
if (http2SwitchApplied)
{
return;
}
lock (SwitchLock)
{
if (!http2SwitchApplied)
{
AppContext.SetSwitch("System.Net.Http.SocketsHttpHandler.Http2UnencryptedSupport", true);
http2SwitchApplied = true;
}
}
}
private GrpcChannel CreateChannel(ContainerRuntimeEndpointOptions endpoint)
{
if (IsUnixEndpoint(endpoint.Endpoint, out var unixPath))
{
var resolvedPath = unixPath;
var handler = new SocketsHttpHandler
{
ConnectCallback = (context, cancellationToken) => ConnectUnixDomainSocketAsync(resolvedPath, cancellationToken),
EnableMultipleHttp2Connections = true
};
if (endpoint.ConnectTimeout is { } timeout && timeout > TimeSpan.Zero)
{
handler.ConnectTimeout = timeout;
}
return GrpcChannel.ForAddress("http://unix.local", new GrpcChannelOptions
{
HttpHandler = handler,
DisposeHttpClient = true
});
}
return GrpcChannel.ForAddress(endpoint.Endpoint, new GrpcChannelOptions
{
DisposeHttpClient = true
});
}
private static bool IsUnixEndpoint(string endpoint, out string path)
{
if (endpoint.StartsWith("unix://", StringComparison.OrdinalIgnoreCase))
{
path = endpoint["unix://".Length..];
return true;
}
path = string.Empty;
return false;
}
private static async ValueTask<Stream> ConnectUnixDomainSocketAsync(string unixPath, CancellationToken cancellationToken)
{
var socket = new Socket(AddressFamily.Unix, SocketType.Stream, ProtocolType.Unspecified)
{
NoDelay = true
};
try
{
var endpoint = new UnixDomainSocketEndPoint(unixPath);
await socket.ConnectAsync(endpoint, cancellationToken).ConfigureAwait(false);
return new NetworkStream(socket, ownsSocket: true);
}
catch
{
socket.Dispose();
throw;
}
}
}

26
src/Zastava/StellaOps.Zastava.Observer/ContainerRuntime/Cri/CriRuntimeClientFactory.cs Normal file
View File

@@ -0,0 +1,26 @@
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using StellaOps.Zastava.Observer.Configuration;
namespace StellaOps.Zastava.Observer.ContainerRuntime.Cri;
internal interface ICriRuntimeClientFactory
{
ICriRuntimeClient Create(ContainerRuntimeEndpointOptions endpoint);
}
internal sealed class CriRuntimeClientFactory : ICriRuntimeClientFactory
{
private readonly IServiceProvider serviceProvider;
public CriRuntimeClientFactory(IServiceProvider serviceProvider)
{
this.serviceProvider = serviceProvider ?? throw new ArgumentNullException(nameof(serviceProvider));
}
public ICriRuntimeClient Create(ContainerRuntimeEndpointOptions endpoint)
{
var logger = serviceProvider.GetRequiredService<ILogger<CriRuntimeClient>>();
return new CriRuntimeClient(endpoint, logger);
}
}

103
src/Zastava/StellaOps.Zastava.Observer/DependencyInjection/ObserverServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,103 @@
using System;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
using StellaOps.Zastava.Observer.ContainerRuntime;
using StellaOps.Zastava.Observer.Posture;
using StellaOps.Zastava.Observer.Runtime;
using StellaOps.Zastava.Observer.Worker;
using StellaOps.Zastava.Observer.Backend;
namespace Microsoft.Extensions.DependencyInjection;
public static class ObserverServiceCollectionExtensions
{
public static IServiceCollection AddZastavaObserver(this IServiceCollection services, IConfiguration configuration)
{
ArgumentNullException.ThrowIfNull(services);
ArgumentNullException.ThrowIfNull(configuration);
services.AddZastavaRuntimeCore(configuration, componentName: "observer");
services.AddOptions<ZastavaObserverOptions>()
.Bind(configuration.GetSection(ZastavaObserverOptions.SectionName))
.ValidateDataAnnotations()
.PostConfigure(options =>
{
if (options.Backoff.Initial <= TimeSpan.Zero)
{
options.Backoff.Initial = TimeSpan.FromSeconds(1);
}
if (options.Backoff.Max < options.Backoff.Initial)
{
options.Backoff.Max = options.Backoff.Initial;
}
if (!options.Backend.AllowInsecureHttp && !string.Equals(options.Backend.BaseAddress.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException("Observer backend baseAddress must use HTTPS unless allowInsecureHttp is explicitly enabled.");
}
if (!options.Backend.PolicyPath.StartsWith("/", StringComparison.Ordinal))
{
throw new InvalidOperationException("Observer backend policyPath must be absolute (start with '/').");
}
if (!options.Backend.EventsPath.StartsWith("/", StringComparison.Ordinal))
{
throw new InvalidOperationException("Observer backend eventsPath must be absolute (start with '/').");
}
})
.ValidateOnStart();
services.TryAddSingleton(TimeProvider.System);
services.TryAddSingleton<ICriRuntimeClientFactory, CriRuntimeClientFactory>();
services.TryAddSingleton<IRuntimeEventBuffer, RuntimeEventBuffer>();
services.TryAddSingleton<IRuntimeProcessCollector, RuntimeProcessCollector>();
services.TryAddSingleton<IRuntimePostureCache, RuntimePostureCache>();
services.TryAddSingleton<IRuntimePostureEvaluator, RuntimePostureEvaluator>();
services.TryAddSingleton<ContainerStateTrackerFactory>();
services.TryAddSingleton<ContainerRuntimePoller>();
services.AddHttpClient<IRuntimePolicyClient, RuntimePolicyClient>()
.ConfigureHttpClient((provider, client) =>
{
var optionsMonitor = provider.GetRequiredService<IOptionsMonitor<ZastavaObserverOptions>>();
var backend = optionsMonitor.CurrentValue.Backend;
client.BaseAddress = backend.BaseAddress;
client.Timeout = TimeSpan.FromSeconds(Math.Clamp(backend.RequestTimeoutSeconds, 1, 120));
});
services.AddHttpClient<IRuntimeEventsClient, RuntimeEventsClient>()
.ConfigureHttpClient((provider, client) =>
{
var optionsMonitor = provider.GetRequiredService<IOptionsMonitor<ZastavaObserverOptions>>();
var backend = optionsMonitor.CurrentValue.Backend;
client.BaseAddress = backend.BaseAddress;
client.Timeout = TimeSpan.FromSeconds(Math.Clamp(backend.RequestTimeoutSeconds, 1, 120));
});
services.TryAddEnumerable(ServiceDescriptor.Singleton<IPostConfigureOptions<ZastavaRuntimeOptions>, ObserverRuntimeOptionsPostConfigure>());
services.AddHostedService<ObserverBootstrapService>();
services.AddHostedService<ContainerLifecycleHostedService>();
services.AddHostedService<RuntimeEventDispatchService>();
return services;
}
}
internal sealed class ObserverRuntimeOptionsPostConfigure : IPostConfigureOptions<ZastavaRuntimeOptions>
{
public void PostConfigure(string? name, ZastavaRuntimeOptions options)
{
if (string.IsNullOrWhiteSpace(options.Component))
{
options.Component = "observer";
}
}
}

12
src/Zastava/StellaOps.Zastava.Observer/Posture/IRuntimePostureCache.cs Normal file
View File

@@ -0,0 +1,12 @@
using System;
using StellaOps.Zastava.Core.Contracts;
namespace StellaOps.Zastava.Observer.Posture;
internal interface IRuntimePostureCache
{
RuntimePostureCacheEntry? Get(string key);
void Set(string key, RuntimePosture posture, DateTimeOffset expiresAtUtc, DateTimeOffset storedAtUtc);
}

10
src/Zastava/StellaOps.Zastava.Observer/Posture/IRuntimePostureEvaluator.cs Normal file
View File

@@ -0,0 +1,10 @@
using System.Threading;
using System.Threading.Tasks;
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
namespace StellaOps.Zastava.Observer.Posture;
internal interface IRuntimePostureEvaluator
{
Task<RuntimePostureEvaluationResult> EvaluateAsync(CriContainerInfo container, CancellationToken cancellationToken);
}

180
src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureCache.cs Normal file
View File

@@ -0,0 +1,180 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Observer.Configuration;
namespace StellaOps.Zastava.Observer.Posture;
internal sealed class RuntimePostureCache : IRuntimePostureCache
{
private const int CurrentVersion = 1;
private static readonly JsonSerializerOptions SerializerOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
};
private readonly IOptionsMonitor<ZastavaObserverOptions> optionsMonitor;
private readonly ILogger<RuntimePostureCache> logger;
private readonly object entriesLock = new();
private readonly object fileLock = new();
private readonly Dictionary<string, RuntimePostureCacheEntry> entries = new(StringComparer.Ordinal);
public RuntimePostureCache(
IOptionsMonitor<ZastavaObserverOptions> optionsMonitor,
ILogger<RuntimePostureCache> logger)
{
this.optionsMonitor = optionsMonitor ?? throw new ArgumentNullException(nameof(optionsMonitor));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
Load();
}
public RuntimePostureCacheEntry? Get(string key)
{
if (string.IsNullOrWhiteSpace(key))
{
return null;
}
lock (entriesLock)
{
return entries.TryGetValue(key, out var entry) ? entry : null;
}
}
public void Set(string key, RuntimePosture posture, DateTimeOffset expiresAtUtc, DateTimeOffset storedAtUtc)
{
if (string.IsNullOrWhiteSpace(key))
{
return;
}
ArgumentNullException.ThrowIfNull(posture);
var normalizedKey = key.Trim();
var entry = new RuntimePostureCacheEntry(posture, expiresAtUtc, storedAtUtc);
lock (entriesLock)
{
entries[normalizedKey] = entry;
}
Persist();
}
private void Load()
{
var path = GetCachePath();
if (!File.Exists(path))
{
return;
}
try
{
var json = File.ReadAllText(path);
var snapshot = JsonSerializer.Deserialize<CacheFileModel>(json, SerializerOptions);
if (snapshot?.Entries is null)
{
return;
}
lock (entriesLock)
{
entries.Clear();
foreach (var entry in snapshot.Entries)
{
if (string.IsNullOrWhiteSpace(entry.Key) || entry.Posture is null)
{
continue;
}
entries[entry.Key] = new RuntimePostureCacheEntry(
entry.Posture,
entry.ExpiresAtUtc,
entry.StoredAtUtc);
}
}
}
catch (Exception ex)
{
logger.LogWarning(ex, "Failed to load runtime posture cache from {CachePath}; starting empty.", path);
}
}
private void Persist()
{
var path = GetCachePath();
var directory = Path.GetDirectoryName(path);
if (!string.IsNullOrEmpty(directory))
{
Directory.CreateDirectory(directory);
}
CacheFileModel snapshot;
lock (entriesLock)
{
var ordered = entries
.OrderBy(pair => pair.Key, StringComparer.Ordinal)
.Select(pair => new CacheFileEntry
{
Key = pair.Key,
ExpiresAtUtc = pair.Value.ExpiresAtUtc,
StoredAtUtc = pair.Value.StoredAtUtc,
Posture = pair.Value.Posture
})
.ToList();
snapshot = new CacheFileModel
{
Version = CurrentVersion,
Entries = ordered
};
}
var json = JsonSerializer.Serialize(snapshot, SerializerOptions);
lock (fileLock)
{
var tempPath = path + ".tmp";
File.WriteAllText(tempPath, json);
File.Move(tempPath, path, overwrite: true);
}
}
private string GetCachePath()
{
return optionsMonitor.CurrentValue.Posture.CachePath;
}
private sealed record CacheFileModel
{
[JsonPropertyName("version")]
public int Version { get; init; }
[JsonPropertyName("entries")]
public List<CacheFileEntry> Entries { get; init; } = new();
}
private sealed record CacheFileEntry
{
[JsonPropertyName("key")]
public string Key { get; init; } = string.Empty;
[JsonPropertyName("expiresAtUtc")]
public DateTimeOffset ExpiresAtUtc { get; init; }
[JsonPropertyName("storedAtUtc")]
public DateTimeOffset StoredAtUtc { get; init; }
[JsonPropertyName("posture")]
public RuntimePosture? Posture { get; init; }
}
}

12
src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureCacheEntry.cs Normal file
View File

@@ -0,0 +1,12 @@
using System;
using StellaOps.Zastava.Core.Contracts;
namespace StellaOps.Zastava.Observer.Posture;
internal sealed record RuntimePostureCacheEntry(RuntimePosture Posture, DateTimeOffset ExpiresAtUtc, DateTimeOffset StoredAtUtc)
{
public bool IsExpired(DateTimeOffset now) => now >= ExpiresAtUtc;
public bool IsStale(DateTimeOffset now, TimeSpan staleThreshold)
=> now - ExpiresAtUtc >= staleThreshold;
}

6
src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureEvaluationResult.cs Normal file
View File

@@ -0,0 +1,6 @@
using System.Collections.Generic;
using StellaOps.Zastava.Core.Contracts;
namespace StellaOps.Zastava.Observer.Posture;
internal sealed record RuntimePostureEvaluationResult(RuntimePosture? Posture, IReadOnlyList<RuntimeEvidence> Evidence);

188
src/Zastava/StellaOps.Zastava.Observer/Posture/RuntimePostureEvaluator.cs Normal file
View File

@@ -0,0 +1,188 @@
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Observer.Backend;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
namespace StellaOps.Zastava.Observer.Posture;
internal sealed class RuntimePostureEvaluator : IRuntimePostureEvaluator
{
private readonly IRuntimePolicyClient policyClient;
private readonly IRuntimePostureCache cache;
private readonly IOptionsMonitor<ZastavaObserverOptions> optionsMonitor;
private readonly TimeProvider timeProvider;
private readonly ILogger<RuntimePostureEvaluator> logger;
public RuntimePostureEvaluator(
IRuntimePolicyClient policyClient,
IRuntimePostureCache cache,
IOptionsMonitor<ZastavaObserverOptions> optionsMonitor,
TimeProvider timeProvider,
ILogger<RuntimePostureEvaluator> logger)
{
this.policyClient = policyClient ?? throw new ArgumentNullException(nameof(policyClient));
this.cache = cache ?? throw new ArgumentNullException(nameof(cache));
this.optionsMonitor = optionsMonitor ?? throw new ArgumentNullException(nameof(optionsMonitor));
this.timeProvider = timeProvider ?? TimeProvider.System;
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<RuntimePostureEvaluationResult> EvaluateAsync(CriContainerInfo container, CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(container);
var evidence = new List<RuntimeEvidence>();
var now = timeProvider.GetUtcNow();
var cacheOptions = optionsMonitor.CurrentValue.Posture;
var fallbackTtl = TimeSpan.FromSeconds(Math.Clamp(cacheOptions.FallbackTtlSeconds, 30, 86400));
var staleThreshold = TimeSpan.FromSeconds(Math.Clamp(cacheOptions.StaleWarningThresholdSeconds, 30, 86400));
var imageKey = ResolveImageKey(container);
if (string.IsNullOrWhiteSpace(imageKey))
{
evidence.Add(new RuntimeEvidence
{
Signal = "runtime.posture.skipped",
Value = "no-image-ref"
});
return new RuntimePostureEvaluationResult(null, evidence);
}
var cached = cache.Get(imageKey);
if (cached is not null && !cached.IsExpired(now))
{
evidence.Add(new RuntimeEvidence
{
Signal = "runtime.posture.cache",
Value = "hit"
});
return new RuntimePostureEvaluationResult(cached.Posture, evidence);
}
try
{
var request = BuildRequest(container, imageKey);
var response = await policyClient.EvaluateAsync(request, cancellationToken).ConfigureAwait(false);
if (!response.Results.TryGetValue(imageKey, out var imageResult))
{
evidence.Add(new RuntimeEvidence
{
Signal = "runtime.posture.missing",
Value = "policy-empty"
});
return new RuntimePostureEvaluationResult(null, evidence);
}
var posture = MapPosture(imageResult);
var expiresAt = response.ExpiresAtUtc != default
? response.ExpiresAtUtc
: now.AddSeconds(response.TtlSeconds > 0 ? response.TtlSeconds : fallbackTtl.TotalSeconds);
cache.Set(imageKey, posture, expiresAt, now);
evidence.Add(new RuntimeEvidence
{
Signal = "runtime.posture.source",
Value = "backend"
});
evidence.Add(new RuntimeEvidence
{
Signal = "runtime.posture.ttl",
Value = expiresAt.ToString("O", CultureInfo.InvariantCulture)
});
return new RuntimePostureEvaluationResult(posture, evidence);
}
catch (Exception ex) when (!cancellationToken.IsCancellationRequested)
{
logger.LogWarning(ex, "Runtime posture evaluation failed for image {ImageRef}.", imageKey);
if (cached is not null)
{
var cacheSignal = cached.IsExpired(now)
? cached.IsStale(now, staleThreshold) ? "stale-warning" : "stale"
: "hit";
evidence.Add(new RuntimeEvidence
{
Signal = "runtime.posture.cache",
Value = cacheSignal
});
evidence.Add(new RuntimeEvidence
{
Signal = "runtime.posture.error",
Value = ex.GetType().Name
});
return new RuntimePostureEvaluationResult(cached.Posture, evidence);
}
evidence.Add(new RuntimeEvidence
{
Signal = "runtime.posture.error",
Value = ex.GetType().Name
});
return new RuntimePostureEvaluationResult(null, evidence);
}
}
private static string? ResolveImageKey(CriContainerInfo container)
{
if (!string.IsNullOrWhiteSpace(container.ImageRef))
{
return container.ImageRef;
}
return string.IsNullOrWhiteSpace(container.Image) ? null : container.Image;
}
private static RuntimePolicyRequest BuildRequest(CriContainerInfo container, string imageKey)
{
var labels = container.Labels.Count == 0
? null
: new Dictionary<string, string>(container.Labels, StringComparer.Ordinal);
labels?.Remove(CriLabelKeys.PodUid);
return new RuntimePolicyRequest
{
Namespace = container.Labels.TryGetValue(CriLabelKeys.PodNamespace, out var ns) ? ns : null,
Labels = labels,
Images = new[] { imageKey }
};
}
private static RuntimePosture MapPosture(RuntimePolicyImageResult result)
{
var posture = new RuntimePosture
{
ImageSigned = result.Signed,
SbomReferrer = result.HasSbomReferrers ? "present" : "missing"
};
if (result.Rekor is not null)
{
posture = posture with
{
Attestation = new RuntimeAttestation
{
Uuid = result.Rekor.Uuid,
Verified = result.Rekor.Verified
}
};
}
return posture;
}
}

9
src/Zastava/StellaOps.Zastava.Observer/Program.cs Normal file
View File

@@ -0,0 +1,9 @@
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using StellaOps.Zastava.Observer.Worker;
var builder = Host.CreateApplicationBuilder(args);
builder.Services.AddZastavaObserver(builder.Configuration);
await builder.Build().RunAsync();

3
src/Zastava/StellaOps.Zastava.Observer/Properties/AssemblyInfo.cs Normal file
View File

@@ -0,0 +1,3 @@
using System.Runtime.CompilerServices;
[assembly: InternalsVisibleTo("StellaOps.Zastava.Observer.Tests")]

1855
src/Zastava/StellaOps.Zastava.Observer/Protos/runtime/v1/runtime.proto Normal file
View File

File diff suppressed because it is too large Load Diff

287
src/Zastava/StellaOps.Zastava.Observer/Runtime/ElfBuildIdReader.cs Normal file
View File

@@ -0,0 +1,287 @@
using System.Buffers.Binary;
using System.IO;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Zastava.Observer.Runtime;
internal static class ElfBuildIdReader
{
private const int ElfIdentificationSize = 16;
private const byte ElfClass32 = 1;
private const byte ElfClass64 = 2;
private const byte ElfDataLittleEndian = 1;
private const byte ElfDataBigEndian = 2;
private const uint ProgramHeaderTypeNote = 4;
private const uint NoteTypeGnuBuildId = 3;
private const int Alignment = 4;
private const int MaxNoteSegmentBytes = 1 << 20; // 1 MiB
public static async Task<string?> TryReadBuildIdAsync(string path, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(path))
{
return null;
}
try
{
using var stream = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite | FileShare.Delete);
var header = await ReadHeaderAsync(stream, cancellationToken).ConfigureAwait(false);
if (header is null)
{
return null;
}
return await ReadBuildIdFromNotesAsync(stream, header.Value, cancellationToken).ConfigureAwait(false);
}
catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
{
throw;
}
catch (Exception ex) when (ex is IOException or UnauthorizedAccessException or NotSupportedException)
{
return null;
}
}
private static async Task<string?> ReadBuildIdFromNotesAsync(Stream stream, ElfHeader header, CancellationToken cancellationToken)
{
if (header.ProgramHeaderEntrySize is 0 || header.ProgramHeaderCount is 0)
{
return null;
}
var entryBuffer = new byte[header.ProgramHeaderEntrySize];
for (var index = 0; index < header.ProgramHeaderCount; index++)
{
var entryOffset = header.ProgramHeaderOffset + (ulong)header.ProgramHeaderEntrySize * (ulong)index;
if (entryOffset > (ulong)stream.Length)
{
break;
}
stream.Seek((long)entryOffset, SeekOrigin.Begin);
if (!await ReadExactlyAsync(stream, entryBuffer.AsMemory(0, header.ProgramHeaderEntrySize), cancellationToken).ConfigureAwait(false))
{
break;
}
var entry = entryBuffer.AsSpan(0, header.ProgramHeaderEntrySize);
var type = ReadUInt32(entry, 0, header.IsLittleEndian);
if (type != ProgramHeaderTypeNote)
{
continue;
}
ulong segmentOffset;
ulong segmentSize;
if (header.Class == ElfClass64)
{
segmentOffset = ReadUInt64(entry, 8, header.IsLittleEndian);
segmentSize = ReadUInt64(entry, 32, header.IsLittleEndian);
}
else
{
segmentOffset = ReadUInt32(entry, 4, header.IsLittleEndian);
segmentSize = ReadUInt32(entry, 16, header.IsLittleEndian);
}
if (segmentSize == 0 || segmentOffset > (ulong)stream.Length)
{
continue;
}
var boundedSize = (int)Math.Min(segmentSize, (ulong)MaxNoteSegmentBytes);
if (boundedSize <= 0)
{
continue;
}
stream.Seek((long)segmentOffset, SeekOrigin.Begin);
var segmentBuffer = new byte[boundedSize];
if (!await ReadExactlyAsync(stream, segmentBuffer.AsMemory(0, boundedSize), cancellationToken).ConfigureAwait(false))
{
continue;
}
var buildId = ParseNoteSegment(segmentBuffer.AsSpan(0, boundedSize), header.IsLittleEndian);
if (buildId is not null)
{
return buildId;
}
}
return null;
}
private static string? ParseNoteSegment(ReadOnlySpan<byte> segment, bool isLittleEndian)
{
var offset = 0;
while (offset + 12 <= segment.Length)
{
var nameSize = ReadUInt32(segment, offset, isLittleEndian);
var descSize = ReadUInt32(segment, offset + 4, isLittleEndian);
var type = ReadUInt32(segment, offset + 8, isLittleEndian);
offset += 12;
if (nameSize > int.MaxValue || descSize > int.MaxValue)
{
return null;
}
var alignedNameSize = Align((int)nameSize);
var alignedDescSize = Align((int)descSize);
if (offset + alignedNameSize + alignedDescSize > segment.Length)
{
return null;
}
var nameBytes = segment.Slice(offset, (int)nameSize);
offset += alignedNameSize;
var descriptorBytes = segment.Slice(offset, (int)descSize);
offset += alignedDescSize;
if (type == NoteTypeGnuBuildId && IsGnuName(nameBytes))
{
return Convert.ToHexString(descriptorBytes).ToLowerInvariant();
}
}
return null;
}
private static bool IsGnuName(ReadOnlySpan<byte> name)
{
var length = name.IndexOf((byte)0);
if (length < 0)
{
length = name.Length;
}
if (length != 3)
{
return false;
}
return name[0] == (byte)'G'
&& name[1] == (byte)'N'
&& name[2] == (byte)'U';
}
private static async Task<ElfHeader?> ReadHeaderAsync(Stream stream, CancellationToken cancellationToken)
{
stream.Seek(0, SeekOrigin.Begin);
var identBuffer = new byte[ElfIdentificationSize];
if (!await ReadExactlyAsync(stream, identBuffer.AsMemory(0, ElfIdentificationSize), cancellationToken).ConfigureAwait(false))
{
return null;
}
var ident = identBuffer.AsSpan();
if (ident[0] != 0x7F || ident[1] != (byte)'E' || ident[2] != (byte)'L' || ident[3] != (byte)'F')
{
return null;
}
var elfClass = ident[4];
if (elfClass != ElfClass32 && elfClass != ElfClass64)
{
return null;
}
var dataEncoding = ident[5];
var isLittleEndian = dataEncoding is ElfDataLittleEndian or 0;
if (dataEncoding == 0)
{
isLittleEndian = true;
}
else if (dataEncoding != ElfDataLittleEndian && dataEncoding != ElfDataBigEndian)
{
return null;
}
var remainingHeaderSize = elfClass == ElfClass64 ? 64 - ElfIdentificationSize : 52 - ElfIdentificationSize;
var buffer = new byte[remainingHeaderSize];
if (!await ReadExactlyAsync(stream, buffer.AsMemory(0, remainingHeaderSize), cancellationToken).ConfigureAwait(false))
{
return null;
}
var span = buffer.AsSpan(0, remainingHeaderSize);
ulong programHeaderOffset;
ushort programHeaderEntrySize;
ushort programHeaderCount;
if (elfClass == ElfClass64)
{
programHeaderOffset = ReadUInt64(span, 16, isLittleEndian);
programHeaderEntrySize = ReadUInt16(span, 38, isLittleEndian);
programHeaderCount = ReadUInt16(span, 40, isLittleEndian);
}
else
{
programHeaderOffset = ReadUInt32(span, 12, isLittleEndian);
programHeaderEntrySize = ReadUInt16(span, 26, isLittleEndian);
programHeaderCount = ReadUInt16(span, 28, isLittleEndian);
}
return new ElfHeader(elfClass, isLittleEndian, programHeaderOffset, programHeaderEntrySize, programHeaderCount);
}
private static uint ReadUInt32(ReadOnlySpan<byte> buffer, int offset, bool isLittleEndian)
{
var slice = buffer.Slice(offset, sizeof(uint));
return isLittleEndian
? BinaryPrimitives.ReadUInt32LittleEndian(slice)
: BinaryPrimitives.ReadUInt32BigEndian(slice);
}
private static ulong ReadUInt64(ReadOnlySpan<byte> buffer, int offset, bool isLittleEndian)
{
var slice = buffer.Slice(offset, sizeof(ulong));
return isLittleEndian
? BinaryPrimitives.ReadUInt64LittleEndian(slice)
: BinaryPrimitives.ReadUInt64BigEndian(slice);
}
private static ushort ReadUInt16(ReadOnlySpan<byte> buffer, int offset, bool isLittleEndian)
{
var slice = buffer.Slice(offset, sizeof(ushort));
return isLittleEndian
? BinaryPrimitives.ReadUInt16LittleEndian(slice)
: BinaryPrimitives.ReadUInt16BigEndian(slice);
}
private static int Align(int value)
=> (value + (Alignment - 1)) & ~(Alignment - 1);
private static async Task<bool> ReadExactlyAsync(Stream stream, Memory<byte> buffer, CancellationToken cancellationToken)
{
var total = 0;
while (total < buffer.Length)
{
var read = await stream.ReadAsync(buffer.Slice(total), cancellationToken).ConfigureAwait(false);
if (read == 0)
{
return false;
}
total += read;
}
return true;
}
private readonly record struct ElfHeader(byte Class, bool IsLittleEndian, ulong ProgramHeaderOffset, ushort ProgramHeaderEntrySize, ushort ProgramHeaderCount)
{
public byte Class { get; } = Class;
public bool IsLittleEndian { get; } = IsLittleEndian;
public ulong ProgramHeaderOffset { get; } = ProgramHeaderOffset;
public ushort ProgramHeaderEntrySize { get; } = ProgramHeaderEntrySize;
public ushort ProgramHeaderCount { get; } = ProgramHeaderCount;
}
}

297
src/Zastava/StellaOps.Zastava.Observer/Runtime/RuntimeEventBuffer.cs Normal file
View File

@@ -0,0 +1,297 @@
using System.Collections.Concurrent;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Threading.Channels;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Core.Serialization;
using StellaOps.Zastava.Observer.Configuration;
namespace StellaOps.Zastava.Observer.Runtime;
internal interface IRuntimeEventBuffer
{
ValueTask WriteBatchAsync(IReadOnlyList<RuntimeEventEnvelope> envelopes, CancellationToken cancellationToken);
IAsyncEnumerable<RuntimeEventBufferItem> ReadAllAsync(CancellationToken cancellationToken);
}
internal sealed record RuntimeEventBufferItem(
RuntimeEventEnvelope Envelope,
Func<ValueTask> CompleteAsync,
Func<CancellationToken, ValueTask> RequeueAsync);
internal sealed class RuntimeEventBuffer : IRuntimeEventBuffer
{
private static readonly string FileExtension = ".json";
private readonly Channel<string> channel;
private readonly ConcurrentDictionary<string, byte> inFlight = new(StringComparer.OrdinalIgnoreCase);
private readonly object capacityLock = new();
private readonly string spoolPath;
private readonly ILogger<RuntimeEventBuffer> logger;
private readonly TimeProvider timeProvider;
private readonly long maxDiskBytes;
private long currentBytes;
private readonly int capacity;
public RuntimeEventBuffer(
IOptions<ZastavaObserverOptions> observerOptions,
TimeProvider timeProvider,
ILogger<RuntimeEventBuffer> logger)
{
ArgumentNullException.ThrowIfNull(observerOptions);
this.timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
var options = observerOptions.Value ?? throw new ArgumentNullException(nameof(observerOptions));
capacity = Math.Clamp(options.MaxInMemoryBuffer, 16, 65536);
spoolPath = EnsureSpoolDirectory(options.EventBufferPath);
maxDiskBytes = Math.Clamp(options.MaxDiskBufferBytes, 1_048_576L, 1_073_741_824L); // 1 MiB 1 GiB
var channelOptions = new BoundedChannelOptions(capacity)
{
AllowSynchronousContinuations = false,
FullMode = BoundedChannelFullMode.Wait,
SingleReader = false,
SingleWriter = false
};
channel = Channel.CreateBounded<string>(channelOptions);
var existingFiles = Directory.EnumerateFiles(spoolPath, $"*{FileExtension}", SearchOption.TopDirectoryOnly)
.OrderBy(static path => path, StringComparer.Ordinal)
.ToArray();
foreach (var path in existingFiles)
{
var size = TryGetLength(path);
if (size > 0)
{
Interlocked.Add(ref currentBytes, size);
}
// enqueue existing events for replay
if (!channel.Writer.TryWrite(path))
{
_ = channel.Writer.WriteAsync(path);
}
}
if (existingFiles.Length > 0)
{
logger.LogInformation("Runtime event buffer restored {Count} pending events ({Bytes} bytes) from disk spool.",
existingFiles.Length,
Interlocked.Read(ref currentBytes));
}
}
public async ValueTask WriteBatchAsync(IReadOnlyList<RuntimeEventEnvelope> envelopes, CancellationToken cancellationToken)
{
if (envelopes is null || envelopes.Count == 0)
{
return;
}
foreach (var envelope in envelopes)
{
cancellationToken.ThrowIfCancellationRequested();
var payload = ZastavaCanonicalJsonSerializer.SerializeToUtf8Bytes(envelope);
var filePath = await PersistAsync(payload, cancellationToken).ConfigureAwait(false);
await channel.Writer.WriteAsync(filePath, cancellationToken).ConfigureAwait(false);
}
if (envelopes.Count > capacity / 2)
{
logger.LogDebug("Buffered {Count} runtime events; channel capacity {Capacity}.", envelopes.Count, capacity);
}
}
public async IAsyncEnumerable<RuntimeEventBufferItem> ReadAllAsync([EnumeratorCancellation] CancellationToken cancellationToken)
{
while (await channel.Reader.WaitToReadAsync(cancellationToken).ConfigureAwait(false))
{
while (channel.Reader.TryRead(out var filePath))
{
cancellationToken.ThrowIfCancellationRequested();
if (!File.Exists(filePath))
{
RemoveMetricsForMissingFile(filePath);
continue;
}
RuntimeEventEnvelope? envelope = null;
try
{
var json = await File.ReadAllTextAsync(filePath, cancellationToken).ConfigureAwait(false);
envelope = ZastavaCanonicalJsonSerializer.Deserialize<RuntimeEventEnvelope>(json);
}
catch (Exception ex)
{
logger.LogWarning(ex, "Failed to read runtime event payload from {Path}; dropping.", filePath);
await DeleteFileSilentlyAsync(filePath).ConfigureAwait(false);
continue;
}
var currentPath = filePath;
inFlight[currentPath] = 0;
yield return new RuntimeEventBufferItem(
envelope,
CompleteAsync(currentPath),
RequeueAsync(currentPath));
}
}
}
private Func<ValueTask> CompleteAsync(string filePath)
=> async () =>
{
try
{
await DeleteFileSilentlyAsync(filePath).ConfigureAwait(false);
}
finally
{
inFlight.TryRemove(filePath, out _);
}
};
private Func<CancellationToken, ValueTask> RequeueAsync(string filePath)
=> async cancellationToken =>
{
inFlight.TryRemove(filePath, out _);
if (!File.Exists(filePath))
{
RemoveMetricsForMissingFile(filePath);
return;
}
await channel.Writer.WriteAsync(filePath, cancellationToken).ConfigureAwait(false);
};
private async Task<string> PersistAsync(byte[] payload, CancellationToken cancellationToken)
{
var timestamp = timeProvider.GetUtcNow().UtcTicks;
var fileName = $"{timestamp:D20}-{Guid.NewGuid():N}{FileExtension}";
var filePath = Path.Combine(spoolPath, fileName);
Directory.CreateDirectory(spoolPath);
await File.WriteAllBytesAsync(filePath, payload, cancellationToken).ConfigureAwait(false);
Interlocked.Add(ref currentBytes, payload.Length);
EnforceCapacity();
return filePath;
}
private void EnforceCapacity()
{
if (Volatile.Read(ref currentBytes) <= maxDiskBytes)
{
return;
}
lock (capacityLock)
{
if (currentBytes <= maxDiskBytes)
{
return;
}
var candidates = Directory.EnumerateFiles(spoolPath, $"*{FileExtension}", SearchOption.TopDirectoryOnly)
.OrderBy(static path => path, StringComparer.Ordinal)
.ToArray();
foreach (var file in candidates)
{
if (currentBytes <= maxDiskBytes)
{
break;
}
if (inFlight.ContainsKey(file))
{
continue;
}
var length = TryGetLength(file);
try
{
File.Delete(file);
if (length > 0)
{
Interlocked.Add(ref currentBytes, -length);
}
logger.LogWarning("Dropped runtime event {FileName} to enforce disk buffer capacity (limit {MaxBytes} bytes).",
Path.GetFileName(file),
maxDiskBytes);
}
catch (Exception ex)
{
logger.LogWarning(ex, "Failed to purge runtime event buffer file {FileName}.", Path.GetFileName(file));
}
}
}
}
private Task DeleteFileSilentlyAsync(string filePath)
{
if (!File.Exists(filePath))
{
return Task.CompletedTask;
}
var length = TryGetLength(filePath);
try
{
File.Delete(filePath);
if (length > 0)
{
Interlocked.Add(ref currentBytes, -length);
}
}
catch (Exception ex)
{
logger.LogWarning(ex, "Failed to delete runtime event buffer file {FileName}.", Path.GetFileName(filePath));
}
return Task.CompletedTask;
}
private void RemoveMetricsForMissingFile(string filePath)
{
var length = TryGetLength(filePath);
if (length > 0)
{
Interlocked.Add(ref currentBytes, -length);
}
}
private static string EnsureSpoolDirectory(string? value)
{
var path = string.IsNullOrWhiteSpace(value)
? Path.Combine(Path.GetTempPath(), "zastava-observer", "runtime-events")
: value!;
Directory.CreateDirectory(path);
return path;
}
private static long TryGetLength(string path)
{
try
{
var info = new FileInfo(path);
return info.Exists ? info.Length : 0;
}
catch
{
return 0;
}
}
}

525
src/Zastava/StellaOps.Zastava.Observer/Runtime/RuntimeProcessCollector.cs Normal file
View File

@@ -0,0 +1,525 @@
using System.Buffers;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using System.Runtime.CompilerServices;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
namespace StellaOps.Zastava.Observer.Runtime;
internal interface IRuntimeProcessCollector
{
Task<RuntimeProcessCapture?> CollectAsync(CriContainerInfo container, CancellationToken cancellationToken);
}
internal sealed class RuntimeProcessCollector : IRuntimeProcessCollector
{
private static readonly Regex ShellRegex = new(@"(^|/)(ba)?sh$", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant | RegexOptions.Compiled);
private static readonly Regex PythonRegex = new(@"(^|/)(python)(\d+(\.\d+)*)?$", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant | RegexOptions.Compiled);
private static readonly Regex NodeRegex = new(@"(^|/)(node|npm|npx)$", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant | RegexOptions.Compiled);
private const string SyntheticArgvFile = "<argv>";
private const int MaxInterpreterTargetLength = 512;
private readonly ZastavaObserverOptions options;
private readonly ILogger<RuntimeProcessCollector> logger;
public RuntimeProcessCollector(IOptions<ZastavaObserverOptions> options, ILogger<RuntimeProcessCollector> logger)
{
ArgumentNullException.ThrowIfNull(options);
this.options = options.Value;
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<RuntimeProcessCapture?> CollectAsync(CriContainerInfo container, CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(container);
if (container.Pid is null or <= 0)
{
logger.LogDebug("Container {ContainerId} lacks PID information; skipping process capture.", container.Id);
return null;
}
var pid = container.Pid.Value;
var procRoot = options.ProcRootPath.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
var pidDirectory = Path.Combine(procRoot, pid.ToString(CultureInfo.InvariantCulture));
try
{
var process = await ReadProcessAsync(pidDirectory, pid, cancellationToken).ConfigureAwait(false);
if (process is null)
{
logger.LogDebug("No cmdline information available for PID {Pid}; skipping process capture.", pid);
return null;
}
var buildId = await ElfBuildIdReader.TryReadBuildIdAsync(Path.Combine(pidDirectory, "exe"), cancellationToken).ConfigureAwait(false);
if (!string.IsNullOrWhiteSpace(buildId))
{
process = process with { BuildId = buildId };
}
var (libraries, evidence) = await ReadLibrariesAsync(pidDirectory, cancellationToken).ConfigureAwait(false);
evidence.Insert(0, new RuntimeEvidence
{
Signal = "procfs.cmdline",
Value = $"{pid}:{string.Join(' ', process.Entrypoint)}"
});
if (!string.IsNullOrWhiteSpace(buildId))
{
evidence.Add(new RuntimeEvidence
{
Signal = "procfs.buildId",
Value = buildId
});
}
return new RuntimeProcessCapture(process, libraries, evidence);
}
catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
{
throw;
}
catch (Exception ex)
{
logger.LogWarning(ex, "Failed to capture process information for container {ContainerId} (PID {Pid}).", container.Id, pid);
return null;
}
}
private async Task<RuntimeProcess?> ReadProcessAsync(string pidDirectory, int pid, CancellationToken cancellationToken)
{
var cmdlinePath = Path.Combine(pidDirectory, "cmdline");
if (!File.Exists(cmdlinePath))
{
return null;
}
var content = await File.ReadAllBytesAsync(cmdlinePath, cancellationToken).ConfigureAwait(false);
if (content.Length == 0)
{
return null;
}
var arguments = ParseCmdline(content, options.MaxEntrypointArguments);
if (arguments.Count == 0)
{
return null;
}
var entryTrace = BuildEntryTrace(arguments);
return new RuntimeProcess
{
Pid = pid,
Entrypoint = arguments,
EntryTrace = entryTrace
};
}
private async Task<(IReadOnlyList<RuntimeLoadedLibrary> Libraries, List<RuntimeEvidence> Evidence)> ReadLibrariesAsync(
string pidDirectory,
CancellationToken cancellationToken)
{
var mapsPath = Path.Combine(pidDirectory, "maps");
var libraries = new List<RuntimeLoadedLibrary>();
var evidence = new List<RuntimeEvidence>();
if (!File.Exists(mapsPath))
{
return (libraries, evidence);
}
var seen = new HashSet<string>(StringComparer.Ordinal);
var limit = Math.Max(1, options.MaxTrackedLibraries);
var perFileLimit = Math.Max(1024L, options.MaxLibraryBytes);
var hashBudget = options.MaxLibraryHashBytes <= 0
? long.MaxValue
: Math.Max(perFileLimit, options.MaxLibraryHashBytes);
long hashedBytes = 0;
var budgetSignaled = false;
await foreach (var line in ReadLinesAsync(mapsPath, cancellationToken))
{
if (!TryParseMapsEntry(line, out var path, out var baseAddress))
{
continue;
}
if (!seen.Add(path))
{
continue;
}
if (libraries.Count >= limit)
{
evidence.Add(new RuntimeEvidence
{
Signal = "procfs.maps.truncated",
Value = $"limit={limit}"
});
break;
}
long length;
long? inode;
try
{
var fileInfo = new FileInfo(path);
length = fileInfo.Length;
inode = TryGetInode(fileInfo);
}
catch (Exception ex) when (ex is IOException or UnauthorizedAccessException)
{
evidence.Add(new RuntimeEvidence
{
Signal = "procfs.maps.error",
Value = $"{path}:{ex.GetType().Name}"
});
continue;
}
var sizeExceeded = length > perFileLimit;
string? hash = null;
if (!sizeExceeded && length > 0)
{
var remainingBudget = hashBudget - hashedBytes;
if (remainingBudget <= 0 || length > remainingBudget)
{
if (!budgetSignaled && hashBudget != long.MaxValue)
{
evidence.Add(new RuntimeEvidence
{
Signal = "procfs.maps.hashBudget",
Value = $"limit={hashBudget}"
});
budgetSignaled = true;
}
}
else
{
try
{
using var stream = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite | FileShare.Delete);
hash = await ComputeSha256Async(stream, cancellationToken).ConfigureAwait(false);
hashedBytes += length;
}
catch (Exception ex) when (ex is IOException or UnauthorizedAccessException)
{
evidence.Add(new RuntimeEvidence
{
Signal = "procfs.maps.error",
Value = $"{path}:{ex.GetType().Name}"
});
}
}
}
if (sizeExceeded)
{
evidence.Add(new RuntimeEvidence
{
Signal = "procfs.maps.skipped",
Value = $"{path}:size>{perFileLimit}"
});
}
var library = new RuntimeLoadedLibrary
{
Path = path,
Inode = inode,
Sha256 = hash
};
libraries.Add(library);
var value = baseAddress is null ? path : $"{path}@{baseAddress}";
evidence.Add(new RuntimeEvidence
{
Signal = "procfs.maps",
Value = value
});
}
evidence.Add(new RuntimeEvidence
{
Signal = "procfs.maps.count",
Value = libraries.Count.ToString(CultureInfo.InvariantCulture)
});
return (libraries, evidence);
}
private static async IAsyncEnumerable<string> ReadLinesAsync(string path, [EnumeratorCancellation] CancellationToken cancellationToken)
{
using var stream = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite | FileShare.Delete);
using var reader = new StreamReader(stream, Encoding.UTF8);
while (true)
{
cancellationToken.ThrowIfCancellationRequested();
var line = await reader.ReadLineAsync().ConfigureAwait(false);
if (line is null)
{
yield break;
}
yield return line;
}
}
private static bool TryParseMapsEntry(string line, out string path, out string? baseAddress)
{
path = string.Empty;
baseAddress = null;
if (string.IsNullOrWhiteSpace(line))
{
return false;
}
var span = line.AsSpan().Trim();
var lastSpace = span.LastIndexOf(' ');
if (lastSpace < 0 || lastSpace >= span.Length - 1)
{
return false;
}
var candidate = span[(lastSpace + 1)..].Trim();
if (candidate.IsEmpty || candidate[0] == '[')
{
return false;
}
path = candidate.ToString();
var firstSpace = span.IndexOf(' ');
if (firstSpace > 0)
{
var rangeSpan = span[..firstSpace];
var dashIndex = rangeSpan.IndexOf('-');
if (dashIndex > 0)
{
var startSpan = rangeSpan[..dashIndex];
if (!startSpan.IsEmpty)
{
baseAddress = startSpan.StartsWith("0x", StringComparison.OrdinalIgnoreCase)
? startSpan.ToString()
: $"0x{startSpan.ToString()}";
}
}
}
return true;
}
private static async Task<string> ComputeSha256Async(Stream stream, CancellationToken cancellationToken)
{
using var sha = SHA256.Create();
var buffer = ArrayPool<byte>.Shared.Rent(8192);
try
{
int read;
while ((read = await stream.ReadAsync(buffer.AsMemory(0, buffer.Length), cancellationToken).ConfigureAwait(false)) > 0)
{
sha.TransformBlock(buffer, 0, read, null, 0);
}
sha.TransformFinalBlock(Array.Empty<byte>(), 0, 0);
return Convert.ToHexString(sha.Hash!).ToLowerInvariant();
}
finally
{
ArrayPool<byte>.Shared.Return(buffer);
}
}
private static long? TryGetInode(FileInfo fileInfo) => null;
private static List<string> ParseCmdline(byte[] content, int maxArguments)
{
var segments = Encoding.UTF8.GetString(content).Split('\0', StringSplitOptions.RemoveEmptyEntries);
var list = segments.Take(maxArguments).ToList();
return list;
}
private static IReadOnlyList<RuntimeEntryTrace> BuildEntryTrace(IReadOnlyList<string> arguments)
{
var traces = new List<RuntimeEntryTrace>();
if (arguments.Count == 0)
{
return traces;
}
var first = arguments[0];
traces.Add(new RuntimeEntryTrace
{
File = first,
Op = "exec",
Target = first
});
if (arguments.Count >= 3 && ShellRegex.IsMatch(first) && string.Equals(arguments[1], "-c", StringComparison.Ordinal))
{
var script = arguments[2];
var tokens = TokenizeCommand(script);
if (tokens.Count > 0)
{
traces.Add(new RuntimeEntryTrace
{
File = tokens[0],
Op = "shell",
Target = script
});
TryAddInterpreterTrace(traces, tokens);
}
}
else
{
TryAddInterpreterTrace(traces, arguments);
}
return traces;
}
private static void TryAddInterpreterTrace(List<RuntimeEntryTrace> traces, IReadOnlyList<string> tokens)
{
if (tokens.Count == 0)
{
return;
}
var interpreter = tokens[0];
if (PythonRegex.IsMatch(interpreter))
{
var target = ResolveInterpreterTarget(tokens, 1);
if (!string.IsNullOrEmpty(target))
{
traces.Add(new RuntimeEntryTrace
{
File = SyntheticArgvFile,
Op = "python",
Target = TrimTarget(target!)
});
}
}
else if (NodeRegex.IsMatch(interpreter))
{
var target = ResolveInterpreterTarget(tokens, 1);
if (!string.IsNullOrEmpty(target))
{
traces.Add(new RuntimeEntryTrace
{
File = SyntheticArgvFile,
Op = "node",
Target = TrimTarget(target!)
});
}
}
}
private static string? ResolveInterpreterTarget(IReadOnlyList<string> tokens, int startIndex)
{
for (var i = startIndex; i < tokens.Count; i++)
{
var candidate = tokens[i];
if (string.IsNullOrWhiteSpace(candidate))
{
continue;
}
if (candidate.StartsWith("-", StringComparison.Ordinal))
{
if ((string.Equals(candidate, "-m", StringComparison.Ordinal)
|| string.Equals(candidate, "-c", StringComparison.Ordinal)
|| string.Equals(candidate, "-e", StringComparison.Ordinal))
&& i + 1 < tokens.Count)
{
return tokens[i + 1];
}
continue;
}
return candidate;
}
return null;
}
private static string TrimTarget(string value)
{
if (value.Length <= MaxInterpreterTargetLength)
{
return value;
}
return value[..MaxInterpreterTargetLength];
}
private static List<string> TokenizeCommand(string command)
{
var tokens = new List<string>();
if (string.IsNullOrWhiteSpace(command))
{
return tokens;
}
var current = new StringBuilder();
bool inQuotes = false;
char quoteChar = '"';
foreach (var ch in command)
{
if (inQuotes)
{
if (ch == quoteChar)
{
inQuotes = false;
}
else
{
current.Append(ch);
}
}
else
{
if (ch == '"' || ch == '\'')
{
inQuotes = true;
quoteChar = ch;
}
else if (char.IsWhiteSpace(ch))
{
if (current.Length > 0)
{
tokens.Add(current.ToString());
current.Clear();
}
}
else
{
current.Append(ch);
}
}
}
if (current.Length > 0)
{
tokens.Add(current.ToString());
}
return tokens;
}
}
internal sealed record RuntimeProcessCapture(
RuntimeProcess Process,
IReadOnlyList<RuntimeLoadedLibrary> Libraries,
IReadOnlyList<RuntimeEvidence> Evidence);

24
src/Zastava/StellaOps.Zastava.Observer/StellaOps.Zastava.Observer.csproj Normal file
View File

@@ -0,0 +1,24 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Google.Protobuf" Version="3.27.2" />
<PackageReference Include="Grpc.Net.Client" Version="2.65.0" />
<PackageReference Include="Grpc.Tools" Version="2.65.0">
<PrivateAssets>All</PrivateAssets>
</PackageReference>
<PackageReference Include="Serilog.Extensions.Hosting" Version="8.0.0" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\StellaOps.Zastava.Core\StellaOps.Zastava.Core.csproj" />
</ItemGroup>
<ItemGroup>
<Protobuf Include="Protos/runtime/v1/runtime.proto" GrpcServices="Client" />
</ItemGroup>
</Project>

11
src/Zastava/StellaOps.Zastava.Observer/TASKS.md Normal file
View File

@@ -0,0 +1,11 @@
# Zastava Observer Task Board
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| ZASTAVA-OBS-12-001 | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-CORE-12-201 | Build container lifecycle watcher that tails CRI (containerd/cri-o/docker) events and emits deterministic runtime records with buffering + backoff. | Fixture cluster produces start/stop events with stable ordering, jitter/backoff tested, metrics/logging wired. |
| ZASTAVA-OBS-12-002 | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-001 | Capture entrypoint traces and loaded libraries, hashing binaries and correlating to SBOM baseline per architecture sections 2.1 and 10. | EntryTrace parser covers shell/python/node launchers, loaded library hashes recorded, fixtures assert linkage to SBOM usage view. |
| ZASTAVA-OBS-12-003 | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-002 | Implement runtime posture checks (signature/SBOM/attestation presence) with offline caching and warning surfaces. | Observer marks posture status, caches refresh across restarts, integration tests prove offline tolerance. |
| ZASTAVA-OBS-12-004 | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-002 | Batch `/runtime/events` submissions with disk-backed buffer, rate limits, and deterministic envelopes. | Buffered submissions survive restart, rate-limits enforced in tests, JSON envelopes match schema in docs/events. |
| ZASTAVA-OBS-17-005 | DONE (2025-10-25) | Zastava Observer Guild | ZASTAVA-OBS-12-002 | Collect GNU build-id for ELF processes and attach it to emitted runtime events to enable symbol lookup + debug-store correlation. | Build-id extraction feeds RuntimeEvent envelopes plus Scanner policy downstream; unit tests cover capture + envelope wiring, and ops runbook documents retrieval + debug-store mapping. |
> 2025-10-24: Observer unit tests pending; `dotnet restore` requires offline copies of `Google.Protobuf`, `Grpc.Net.Client`, `Grpc.Tools` in `local-nuget` before execution can be verified.

26
src/Zastava/StellaOps.Zastava.Observer/Worker/BackoffCalculator.cs Normal file
View File

@@ -0,0 +1,26 @@
using StellaOps.Zastava.Observer.Configuration;
namespace StellaOps.Zastava.Observer.Worker;
internal static class BackoffCalculator
{
public static TimeSpan ComputeDelay(ObserverBackoffOptions options, int attempt, Random random)
{
ArgumentNullException.ThrowIfNull(options);
ArgumentNullException.ThrowIfNull(random);
var cappedAttempt = Math.Max(1, attempt);
var baseDelayMs = options.Initial.TotalMilliseconds * Math.Pow(2, cappedAttempt - 1);
baseDelayMs = Math.Min(baseDelayMs, options.Max.TotalMilliseconds);
if (options.JitterRatio <= 0)
{
return TimeSpan.FromMilliseconds(baseDelayMs);
}
var jitterWindow = baseDelayMs * options.JitterRatio;
var jitter = (random.NextDouble() * 2 - 1) * jitterWindow;
var jittered = Math.Clamp(baseDelayMs + jitter, options.Initial.TotalMilliseconds, options.Max.TotalMilliseconds);
return TimeSpan.FromMilliseconds(jittered);
}
}

197
src/Zastava/StellaOps.Zastava.Observer/Worker/ContainerLifecycleHostedService.cs Normal file
View File

@@ -0,0 +1,197 @@
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Diagnostics;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.ContainerRuntime;
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
using StellaOps.Zastava.Observer.Runtime;
namespace StellaOps.Zastava.Observer.Worker;
internal sealed class ContainerLifecycleHostedService : BackgroundService
{
private readonly ICriRuntimeClientFactory clientFactory;
private readonly IOptionsMonitor<ZastavaObserverOptions> observerOptions;
private readonly IOptionsMonitor<ZastavaRuntimeOptions> runtimeOptions;
private readonly IZastavaLogScopeBuilder logScopeBuilder;
private readonly IZastavaRuntimeMetrics runtimeMetrics;
private readonly IRuntimeEventBuffer eventBuffer;
private readonly ContainerStateTrackerFactory trackerFactory;
private readonly ContainerRuntimePoller poller;
private readonly IRuntimeProcessCollector processCollector;
private readonly TimeProvider timeProvider;
private readonly ILogger<ContainerLifecycleHostedService> logger;
private readonly Random jitterRandom = new();
public ContainerLifecycleHostedService(
ICriRuntimeClientFactory clientFactory,
IOptionsMonitor<ZastavaObserverOptions> observerOptions,
IOptionsMonitor<ZastavaRuntimeOptions> runtimeOptions,
IZastavaLogScopeBuilder logScopeBuilder,
IZastavaRuntimeMetrics runtimeMetrics,
IRuntimeEventBuffer eventBuffer,
ContainerStateTrackerFactory trackerFactory,
ContainerRuntimePoller poller,
IRuntimeProcessCollector processCollector,
TimeProvider timeProvider,
ILogger<ContainerLifecycleHostedService> logger)
{
this.clientFactory = clientFactory ?? throw new ArgumentNullException(nameof(clientFactory));
this.observerOptions = observerOptions ?? throw new ArgumentNullException(nameof(observerOptions));
this.runtimeOptions = runtimeOptions ?? throw new ArgumentNullException(nameof(runtimeOptions));
this.logScopeBuilder = logScopeBuilder ?? throw new ArgumentNullException(nameof(logScopeBuilder));
this.runtimeMetrics = runtimeMetrics ?? throw new ArgumentNullException(nameof(runtimeMetrics));
this.eventBuffer = eventBuffer ?? throw new ArgumentNullException(nameof(eventBuffer));
this.trackerFactory = trackerFactory ?? throw new ArgumentNullException(nameof(trackerFactory));
this.poller = poller ?? throw new ArgumentNullException(nameof(poller));
this.processCollector = processCollector ?? throw new ArgumentNullException(nameof(processCollector));
this.timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
protected override Task ExecuteAsync(CancellationToken stoppingToken)
{
var options = observerOptions.CurrentValue;
var activeEndpoints = options.Runtimes
.Where(static runtime => runtime.Enabled)
.ToArray();
if (activeEndpoints.Length == 0)
{
logger.LogWarning("No container runtime endpoints configured; lifecycle watcher idle.");
return Task.CompletedTask;
}
var tasks = activeEndpoints
.Select(endpoint => MonitorRuntimeAsync(endpoint, stoppingToken))
.ToArray();
return Task.WhenAll(tasks);
}
private async Task MonitorRuntimeAsync(ContainerRuntimeEndpointOptions endpoint, CancellationToken cancellationToken)
{
var runtime = runtimeOptions.CurrentValue;
var tenant = runtime.Tenant;
var nodeName = observerOptions.CurrentValue.NodeName;
var pollInterval = endpoint.PollInterval ?? observerOptions.CurrentValue.PollInterval;
var backoffOptions = observerOptions.CurrentValue.Backoff;
while (!cancellationToken.IsCancellationRequested)
{
await using var client = clientFactory.Create(endpoint);
CriRuntimeIdentity identity;
try
{
identity = await client.GetIdentityAsync(cancellationToken).ConfigureAwait(false);
}
catch (Exception ex) when (!cancellationToken.IsCancellationRequested)
{
await HandleFailureAsync(endpoint, 1, backoffOptions, ex, cancellationToken).ConfigureAwait(false);
continue;
}
var tracker = trackerFactory.Create();
var failureCount = 0;
while (!cancellationToken.IsCancellationRequested)
{
try
{
var envelopes = await poller.PollAsync(
tracker,
client,
endpoint,
identity,
tenant,
nodeName,
timeProvider,
processCollector,
cancellationToken).ConfigureAwait(false);
if (envelopes.Count > 0)
{
await PublishAsync(endpoint, envelopes, cancellationToken).ConfigureAwait(false);
}
failureCount = 0;
await Task.Delay(pollInterval, cancellationToken).ConfigureAwait(false);
}
catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
{
return;
}
catch (Exception ex) when (!cancellationToken.IsCancellationRequested)
{
failureCount++;
await HandleFailureAsync(endpoint, failureCount, backoffOptions, ex, cancellationToken).ConfigureAwait(false);
break; // recreate client
}
}
}
}
private async Task PublishAsync(ContainerRuntimeEndpointOptions endpoint, IReadOnlyList<RuntimeEventEnvelope> envelopes, CancellationToken cancellationToken)
{
var endpointName = endpoint.ResolveName();
foreach (var envelope in envelopes)
{
var tags = runtimeMetrics.DefaultTags
.Concat(new[]
{
new KeyValuePair<string, object?>("runtime_endpoint", endpointName),
new KeyValuePair<string, object?>("event_kind", envelope.Event.Kind.ToString().ToLowerInvariant())
})
.ToArray();
runtimeMetrics.RuntimeEvents.Add(1, tags);
var scope = logScopeBuilder.BuildScope(
correlationId: envelope.Event.EventId,
node: envelope.Event.Node,
workload: envelope.Event.Workload.ContainerId,
eventId: envelope.Event.EventId,
additional: new Dictionary<string, string>
{
["runtimeEndpoint"] = endpointName,
["kind"] = envelope.Event.Kind.ToString()
});
using (logger.BeginScope(scope))
{
logger.LogInformation("Observed container {ContainerId} ({Kind}) for node {Node}.",
envelope.Event.Workload.ContainerId,
envelope.Event.Kind,
envelope.Event.Node);
}
}
await eventBuffer.WriteBatchAsync(envelopes, cancellationToken).ConfigureAwait(false);
}
private async Task HandleFailureAsync(
ContainerRuntimeEndpointOptions endpoint,
int failureCount,
ObserverBackoffOptions backoffOptions,
Exception exception,
CancellationToken cancellationToken)
{
var delay = BackoffCalculator.ComputeDelay(backoffOptions, failureCount, jitterRandom);
logger.LogWarning(exception, "Runtime watcher for {Endpoint} encountered error (attempt {Attempt}); retrying after {Delay}.",
endpoint.ResolveName(),
failureCount,
delay);
try
{
await Task.Delay(delay, cancellationToken).ConfigureAwait(false);
}
catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
{
}
}
}

124
src/Zastava/StellaOps.Zastava.Observer/Worker/ContainerRuntimePoller.cs Normal file
View File

@@ -0,0 +1,124 @@
using Microsoft.Extensions.Logging;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.ContainerRuntime;
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
using StellaOps.Zastava.Observer.Cri;
using StellaOps.Zastava.Observer.Posture;
using StellaOps.Zastava.Observer.Runtime;
namespace StellaOps.Zastava.Observer.Worker;
internal sealed class ContainerRuntimePoller
{
private readonly ILogger<ContainerRuntimePoller> logger;
private readonly IRuntimePostureEvaluator? postureEvaluator;
public ContainerRuntimePoller(ILogger<ContainerRuntimePoller> logger, IRuntimePostureEvaluator? postureEvaluator = null)
{
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
this.postureEvaluator = postureEvaluator;
}
public async Task<IReadOnlyList<RuntimeEventEnvelope>> PollAsync(
ContainerStateTracker tracker,
ICriRuntimeClient client,
ContainerRuntimeEndpointOptions endpoint,
CriRuntimeIdentity identity,
string tenant,
string nodeName,
TimeProvider timeProvider,
IRuntimeProcessCollector? processCollector,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(tracker);
ArgumentNullException.ThrowIfNull(client);
ArgumentNullException.ThrowIfNull(endpoint);
ArgumentNullException.ThrowIfNull(identity);
ArgumentNullException.ThrowIfNull(timeProvider);
var pollTimestamp = timeProvider.GetUtcNow();
tracker.BeginCycle();
var runningContainers = await client.ListContainersAsync(ContainerState.ContainerRunning, cancellationToken).ConfigureAwait(false);
var generated = new List<RuntimeEventEnvelope>();
if (runningContainers.Count > 0)
{
foreach (var container in runningContainers)
{
var enriched = container;
var status = await client.GetContainerStatusAsync(container.Id, cancellationToken).ConfigureAwait(false);
if (status is not null)
{
enriched = status;
}
var lifecycleEvent = tracker.MarkRunning(enriched, pollTimestamp);
if (lifecycleEvent is null)
{
continue;
}
RuntimeProcessCapture? capture = null;
if (processCollector is not null && lifecycleEvent.Kind == ContainerLifecycleEventKind.Start)
{
capture = await processCollector.CollectAsync(enriched, cancellationToken).ConfigureAwait(false);
}
RuntimePostureEvaluationResult? posture = null;
if (this.postureEvaluator is not null)
{
posture = await this.postureEvaluator.EvaluateAsync(enriched, cancellationToken).ConfigureAwait(false);
}
generated.Add(RuntimeEventFactory.Create(
lifecycleEvent,
endpoint,
identity,
tenant,
nodeName,
capture,
posture?.Posture,
posture?.Evidence));
}
}
var stopEvents = await tracker.CompleteCycleAsync(
id => client.GetContainerStatusAsync(id, cancellationToken),
pollTimestamp,
cancellationToken).ConfigureAwait(false);
foreach (var lifecycleEvent in stopEvents)
{
RuntimePostureEvaluationResult? posture = null;
if (this.postureEvaluator is not null)
{
posture = await this.postureEvaluator.EvaluateAsync(lifecycleEvent.Snapshot, cancellationToken).ConfigureAwait(false);
}
generated.Add(RuntimeEventFactory.Create(
lifecycleEvent,
endpoint,
identity,
tenant,
nodeName,
null,
posture?.Posture,
posture?.Evidence));
}
if (generated.Count == 0)
{
return Array.Empty<RuntimeEventEnvelope>();
}
var ordered = generated
.OrderBy(static envelope => envelope.Event.When)
.ThenBy(static envelope => envelope.Event.Workload.ContainerId, StringComparer.Ordinal)
.ToArray();
logger.LogDebug("Generated {Count} runtime events for endpoint {EndpointName}.", ordered.Length, endpoint.ResolveName());
return ordered;
}
}

51
src/Zastava/StellaOps.Zastava.Observer/Worker/ObserverBootstrapService.cs Normal file
View File

@@ -0,0 +1,51 @@
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Diagnostics;
using StellaOps.Zastava.Core.Security;
namespace StellaOps.Zastava.Observer.Worker;
/// <summary>
/// Minimal bootstrap worker ensuring runtime core wiring is exercised.
/// </summary>
internal sealed class ObserverBootstrapService : BackgroundService
{
private readonly IZastavaLogScopeBuilder logScopeBuilder;
private readonly IZastavaRuntimeMetrics runtimeMetrics;
private readonly IZastavaAuthorityTokenProvider authorityTokenProvider;
private readonly IHostApplicationLifetime applicationLifetime;
private readonly ILogger<ObserverBootstrapService> logger;
private readonly ZastavaRuntimeOptions runtimeOptions;
public ObserverBootstrapService(
IZastavaLogScopeBuilder logScopeBuilder,
IZastavaRuntimeMetrics runtimeMetrics,
IZastavaAuthorityTokenProvider authorityTokenProvider,
IOptions<ZastavaRuntimeOptions> runtimeOptions,
IHostApplicationLifetime applicationLifetime,
ILogger<ObserverBootstrapService> logger)
{
this.logScopeBuilder = logScopeBuilder;
this.runtimeMetrics = runtimeMetrics;
this.authorityTokenProvider = authorityTokenProvider;
this.applicationLifetime = applicationLifetime;
this.logger = logger;
this.runtimeOptions = runtimeOptions.Value;
}
protected override Task ExecuteAsync(CancellationToken stoppingToken)
{
var scope = logScopeBuilder.BuildScope(eventId: "observer.bootstrap");
using (logger.BeginScope(scope))
{
logger.LogInformation("Zastava observer runtime core initialised for tenant {Tenant}, component {Component}.", runtimeOptions.Tenant, runtimeOptions.Component);
logger.LogDebug("Observer metrics meter {MeterName} registered with {TagCount} default tags.", runtimeMetrics.Meter.Name, runtimeMetrics.DefaultTags.Count);
}
// Observer implementation will hook into the authority token provider when connectors arrive.
applicationLifetime.ApplicationStarted.Register(() => logger.LogInformation("Observer bootstrap complete."));
return Task.CompletedTask;
}
}

225
src/Zastava/StellaOps.Zastava.Observer/Worker/RuntimeEventDispatchService.cs Normal file
View File

@@ -0,0 +1,225 @@
using System.Linq;
using System.Net;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Observer.Backend;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.Runtime;
namespace StellaOps.Zastava.Observer.Worker;
internal sealed class RuntimeEventDispatchService : BackgroundService
{
private readonly IRuntimeEventBuffer buffer;
private readonly IRuntimeEventsClient eventsClient;
private readonly IOptionsMonitor<ZastavaObserverOptions> observerOptions;
private readonly TimeProvider timeProvider;
private readonly ILogger<RuntimeEventDispatchService> logger;
public RuntimeEventDispatchService(
IRuntimeEventBuffer buffer,
IRuntimeEventsClient eventsClient,
IOptionsMonitor<ZastavaObserverOptions> observerOptions,
TimeProvider timeProvider,
ILogger<RuntimeEventDispatchService> logger)
{
this.buffer = buffer ?? throw new ArgumentNullException(nameof(buffer));
this.eventsClient = eventsClient ?? throw new ArgumentNullException(nameof(eventsClient));
this.observerOptions = observerOptions ?? throw new ArgumentNullException(nameof(observerOptions));
this.timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
protected override async Task ExecuteAsync(CancellationToken stoppingToken)
{
var batch = new List<RuntimeEventBufferItem>();
var enumerator = buffer.ReadAllAsync(stoppingToken).GetAsyncEnumerator(stoppingToken);
Task<bool>? moveNextTask = null;
Task? flushDelayTask = null;
CancellationTokenSource? flushDelayCts = null;
try
{
while (!stoppingToken.IsCancellationRequested)
{
moveNextTask ??= enumerator.MoveNextAsync().AsTask();
if (batch.Count > 0 && flushDelayTask is null)
{
StartFlushTimer(ref flushDelayTask, ref flushDelayCts, stoppingToken);
}
Task completedTask;
if (flushDelayTask is null)
{
completedTask = await Task.WhenAny(moveNextTask).ConfigureAwait(false);
}
else
{
completedTask = await Task.WhenAny(moveNextTask, flushDelayTask).ConfigureAwait(false);
}
if (completedTask == moveNextTask)
{
if (!await moveNextTask.ConfigureAwait(false))
{
break;
}
var item = enumerator.Current;
batch.Add(item);
moveNextTask = null;
var options = observerOptions.CurrentValue;
var batchSize = Math.Clamp(options.PublishBatchSize, 1, 512);
if (batch.Count >= batchSize)
{
ResetFlushTimer(ref flushDelayTask, ref flushDelayCts);
await FlushAsync(batch, stoppingToken).ConfigureAwait(false);
}
}
else
{
// flush timer triggered
ResetFlushTimer(ref flushDelayTask, ref flushDelayCts);
if (batch.Count > 0)
{
await FlushAsync(batch, stoppingToken).ConfigureAwait(false);
}
}
}
}
finally
{
ResetFlushTimer(ref flushDelayTask, ref flushDelayCts);
if (batch.Count > 0 && !stoppingToken.IsCancellationRequested)
{
await FlushAsync(batch, stoppingToken).ConfigureAwait(false);
}
if (moveNextTask is not null)
{
try { await moveNextTask.ConfigureAwait(false); }
catch { /* ignored */ }
}
await enumerator.DisposeAsync().ConfigureAwait(false);
}
}
private async Task FlushAsync(List<RuntimeEventBufferItem> batch, CancellationToken cancellationToken)
{
if (batch.Count == 0)
{
return;
}
var request = new RuntimeEventsIngestRequest
{
BatchId = $"obs-{timeProvider.GetUtcNow():yyyyMMddTHHmmssfff}-{Guid.NewGuid():N}",
Events = batch.Select(item => item.Envelope).ToArray()
};
try
{
var result = await eventsClient.PublishAsync(request, cancellationToken).ConfigureAwait(false);
if (result.Success)
{
foreach (var item in batch)
{
await item.CompleteAsync().ConfigureAwait(false);
}
logger.LogInformation("Runtime events batch published (batchId={BatchId}, accepted={Accepted}, duplicates={Duplicates}).",
request.BatchId,
result.Accepted,
result.Duplicates);
}
else if (result.RateLimited)
{
await RequeueBatchAsync(batch, cancellationToken).ConfigureAwait(false);
await DelayAsync(result.RetryAfter, cancellationToken).ConfigureAwait(false);
}
}
catch (RuntimeEventsException ex) when (!cancellationToken.IsCancellationRequested)
{
logger.LogWarning(ex, "Runtime events publish failed (status={StatusCode}); batch will be retried.", (int)ex.StatusCode);
await RequeueBatchAsync(batch, cancellationToken).ConfigureAwait(false);
var backoff = ex.StatusCode == HttpStatusCode.ServiceUnavailable
? TimeSpan.FromSeconds(5)
: TimeSpan.FromSeconds(2);
await DelayAsync(backoff, cancellationToken).ConfigureAwait(false);
}
catch (Exception ex) when (!cancellationToken.IsCancellationRequested)
{
logger.LogWarning(ex, "Runtime events publish encountered an unexpected error; batch will be retried.");
await RequeueBatchAsync(batch, cancellationToken).ConfigureAwait(false);
await DelayAsync(TimeSpan.FromSeconds(5), cancellationToken).ConfigureAwait(false);
}
finally
{
batch.Clear();
}
}
private async Task RequeueBatchAsync(IEnumerable<RuntimeEventBufferItem> batch, CancellationToken cancellationToken)
{
foreach (var item in batch)
{
try
{
await item.RequeueAsync(cancellationToken).ConfigureAwait(false);
}
catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
{
throw;
}
catch (Exception ex)
{
logger.LogWarning(ex, "Failed to requeue runtime event {EventId}; dropping.", item.Envelope.Event.EventId);
await item.CompleteAsync().ConfigureAwait(false);
}
}
}
private async Task DelayAsync(TimeSpan delay, CancellationToken cancellationToken)
{
if (delay <= TimeSpan.Zero)
{
return;
}
try
{
await Task.Delay(delay, cancellationToken).ConfigureAwait(false);
}
catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
{
}
}
private void StartFlushTimer(ref Task? flushTask, ref CancellationTokenSource? cts, CancellationToken stoppingToken)
{
var options = observerOptions.CurrentValue;
var flushIntervalSeconds = Math.Clamp(options.PublishFlushIntervalSeconds, 0.1, 30);
var flushInterval = TimeSpan.FromSeconds(flushIntervalSeconds);
cts = CancellationTokenSource.CreateLinkedTokenSource(stoppingToken);
flushTask = Task.Delay(flushInterval, cts.Token);
}
private void ResetFlushTimer(ref Task? flushTask, ref CancellationTokenSource? cts)
{
if (cts is not null)
{
try { cts.Cancel(); } catch { /* ignore */ }
cts.Dispose();
cts = null;
}
flushTask = null;
}
}

148
src/Zastava/StellaOps.Zastava.Observer/Worker/RuntimeEventFactory.cs Normal file
View File

@@ -0,0 +1,148 @@
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.ContainerRuntime;
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
using StellaOps.Zastava.Observer.Runtime;
namespace StellaOps.Zastava.Observer.Worker;
internal static class RuntimeEventFactory
{
public static RuntimeEventEnvelope Create(
ContainerLifecycleEvent lifecycleEvent,
ContainerRuntimeEndpointOptions endpoint,
CriRuntimeIdentity identity,
string tenant,
string nodeName,
RuntimeProcessCapture? capture = null,
RuntimePosture? posture = null,
IReadOnlyList<RuntimeEvidence>? additionalEvidence = null)
{
ArgumentNullException.ThrowIfNull(lifecycleEvent);
ArgumentNullException.ThrowIfNull(endpoint);
ArgumentNullException.ThrowIfNull(identity);
ArgumentNullException.ThrowIfNull(tenant);
ArgumentNullException.ThrowIfNull(nodeName);
var snapshot = lifecycleEvent.Snapshot;
var workloadLabels = snapshot.Labels ?? new Dictionary<string, string>(StringComparer.Ordinal);
var annotations = snapshot.Annotations is null
? new Dictionary<string, string>(StringComparer.Ordinal)
: new Dictionary<string, string>(snapshot.Annotations, StringComparer.Ordinal);
var platform = ResolvePlatform(workloadLabels, endpoint);
var runtimeEvent = new RuntimeEvent
{
EventId = ComputeEventId(nodeName, lifecycleEvent),
When = lifecycleEvent.Timestamp,
Kind = lifecycleEvent.Kind == ContainerLifecycleEventKind.Start
? RuntimeEventKind.ContainerStart
: RuntimeEventKind.ContainerStop,
Tenant = tenant,
Node = nodeName,
Runtime = new RuntimeEngine
{
Engine = endpoint.Engine.ToEngineString(),
Version = identity.RuntimeVersion
},
Workload = new RuntimeWorkload
{
Platform = platform,
Namespace = TryGet(workloadLabels, CriLabelKeys.PodNamespace),
Pod = TryGet(workloadLabels, CriLabelKeys.PodName),
Container = TryGet(workloadLabels, CriLabelKeys.ContainerName) ?? snapshot.Name,
ContainerId = $"{endpoint.Engine.ToEngineString()}://{snapshot.Id}",
ImageRef = ResolveImageRef(snapshot),
Owner = null
},
Process = capture?.Process,
LoadedLibraries = capture?.Libraries ?? Array.Empty<RuntimeLoadedLibrary>(),
Posture = posture,
Evidence = MergeEvidence(capture?.Evidence, additionalEvidence),
Annotations = annotations.Count == 0 ? null : new SortedDictionary<string, string>(annotations, StringComparer.Ordinal)
};
return RuntimeEventEnvelope.Create(runtimeEvent, ZastavaContractVersions.RuntimeEvent);
}
private static string ResolvePlatform(IReadOnlyDictionary<string, string> labels, ContainerRuntimeEndpointOptions endpoint)
{
if (labels.ContainsKey(CriLabelKeys.PodName))
{
return "kubernetes";
}
return endpoint.Engine.ToEngineString();
}
private static IReadOnlyList<RuntimeEvidence> MergeEvidence(
IReadOnlyList<RuntimeEvidence>? primary,
IReadOnlyList<RuntimeEvidence>? secondary)
{
if ((primary is null || primary.Count == 0) && (secondary is null || secondary.Count == 0))
{
return Array.Empty<RuntimeEvidence>();
}
if (secondary is null || secondary.Count == 0)
{
return primary ?? Array.Empty<RuntimeEvidence>();
}
if (primary is null || primary.Count == 0)
{
return secondary;
}
var merged = new List<RuntimeEvidence>(primary.Count + secondary.Count);
merged.AddRange(primary);
merged.AddRange(secondary);
return merged;
}
private static string? ResolveImageRef(CriContainerInfo snapshot)
{
if (!string.IsNullOrWhiteSpace(snapshot.ImageRef))
{
return snapshot.ImageRef;
}
return snapshot.Image;
}
private static string? TryGet(IReadOnlyDictionary<string, string> dictionary, string key)
{
if (dictionary.TryGetValue(key, out var value) && !string.IsNullOrWhiteSpace(value))
{
return value;
}
return null;
}
private static string ComputeEventId(string nodeName, ContainerLifecycleEvent lifecycleEvent)
{
var builder = new StringBuilder()
.Append(nodeName)
.Append('|')
.Append(lifecycleEvent.Snapshot.Id)
.Append('|')
.Append(lifecycleEvent.Timestamp.ToUniversalTime().Ticks)
.Append('|')
.Append((int)lifecycleEvent.Kind);
var bytes = Encoding.UTF8.GetBytes(builder.ToString());
Span<byte> hash = stackalloc byte[16];
if (!MD5.TryHashData(bytes, hash, out _))
{
using var md5 = MD5.Create();
hash = md5.ComputeHash(bytes).AsSpan(0, 16);
}
var guid = new Guid(hash);
return guid.ToString("N");
}
}

97
src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionEndpoint.cs Normal file
View File

@@ -0,0 +1,97 @@
using System.Globalization;
using System.Text.Json;
using Microsoft.Extensions.Logging;
using StellaOps.Zastava.Core.Diagnostics;
namespace StellaOps.Zastava.Webhook.Admission;
internal static class AdmissionEndpoint
{
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
public static async Task<IResult> HandleAsync(
HttpContext httpContext,
AdmissionReviewParser parser,
AdmissionResponseBuilder responseBuilder,
IRuntimeAdmissionPolicyService policyService,
IZastavaLogScopeBuilder logScopeBuilder,
ILogger<AdmissionEndpointMarker> logger,
CancellationToken cancellationToken)
{
AdmissionReviewRequestDto? dto;
try
{
dto = await httpContext.Request.ReadFromJsonAsync<AdmissionReviewRequestDto>(SerializerOptions, cancellationToken).ConfigureAwait(false);
}
catch (JsonException ex)
{
logger.LogWarning(ex, "Failed to deserialize AdmissionReview payload.");
return Results.Problem(
statusCode: StatusCodes.Status400BadRequest,
title: "Invalid AdmissionReview",
detail: "Request body was not a valid AdmissionReview document.",
type: "https://stellaops.org/problems/admission.review.invalid-json");
}
AdmissionRequestContext context;
try
{
context = parser.Parse(dto!);
}
catch (AdmissionReviewParseException ex)
{
logger.LogWarning("AdmissionReview parse failure ({Code}): {Message}", ex.Code, ex.Message);
return Results.Problem(
statusCode: StatusCodes.Status400BadRequest,
title: "Invalid AdmissionReview",
detail: ex.Message,
type: $"https://stellaops.org/problems/{ex.Code}");
}
using var scope = logger.BeginScope(logScopeBuilder.BuildScope(
correlationId: context.Uid,
node: null,
workload: context.Namespace,
eventId: context.Uid,
additional: new Dictionary<string, string>
{
["namespace"] = context.Namespace,
["containerCount"] = context.Containers.Count.ToString(CultureInfo.InvariantCulture)
}));
var request = new RuntimeAdmissionRequest(
context.Namespace,
context.Labels,
context.Containers.Select(static c => c.Image).ToArray());
RuntimeAdmissionEvaluation evaluation;
try
{
evaluation = await policyService.EvaluateAsync(request, cancellationToken).ConfigureAwait(false);
}
catch (Exception ex) when (!cancellationToken.IsCancellationRequested)
{
logger.LogError(ex, "Admission evaluation failed unexpectedly.");
return Results.Problem(
statusCode: StatusCodes.Status500InternalServerError,
title: "Admission evaluation failed",
detail: "An unexpected error occurred while evaluating admission policy.",
type: "https://stellaops.org/problems/admission.evaluation.failed");
}
var (envelope, response) = responseBuilder.Build(context, evaluation);
var allowed = evaluation.Decisions.All(static d => d.Allowed);
logger.LogInformation("Admission decision computed (allowed={Allowed}, containers={Count}, failOpen={FailOpen}).",
allowed,
context.Containers.Count,
evaluation.FailOpenApplied);
httpContext.Response.ContentType = "application/json";
return Results.Json(response, SerializerOptions);
}
}
internal sealed class AdmissionEndpointMarker
{
}

15
src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionRequestContext.cs Normal file
View File

@@ -0,0 +1,15 @@
using System.Text.Json;
namespace StellaOps.Zastava.Webhook.Admission;
internal sealed record AdmissionRequestContext(
string ApiVersion,
string Kind,
string Uid,
string Namespace,
IReadOnlyDictionary<string, string> Labels,
IReadOnlyList<AdmissionContainerReference> Containers,
JsonElement PodObject,
JsonElement PodSpec);
internal sealed record AdmissionContainerReference(string Name, string Image);

219
src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionResponseBuilder.cs Normal file
View File

@@ -0,0 +1,219 @@
using System.Buffers;
using System.Linq;
using System.Text.Encodings.Web;
using System.Text.Json;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Core.Hashing;
using StellaOps.Zastava.Core.Serialization;
namespace StellaOps.Zastava.Webhook.Admission;
internal sealed class AdmissionResponseBuilder
{
public (AdmissionDecisionEnvelope Envelope, AdmissionReviewResponseDto Response) Build(
AdmissionRequestContext context,
RuntimeAdmissionEvaluation evaluation)
{
var decision = BuildDecision(context, evaluation);
var envelope = AdmissionDecisionEnvelope.Create(decision, ZastavaContractVersions.AdmissionDecision);
var auditAnnotations = CreateAuditAnnotations(envelope, evaluation);
var warnings = BuildWarnings(evaluation);
var allowed = evaluation.Decisions.All(static d => d.Allowed);
var status = allowed
? null
: new AdmissionReviewStatus
{
Code = 403,
Message = BuildFailureMessage(evaluation)
};
var response = new AdmissionReviewResponseDto
{
ApiVersion = context.ApiVersion,
Kind = context.Kind,
Response = new AdmissionReviewResponsePayload
{
Uid = context.Uid,
Allowed = allowed,
Status = status,
Warnings = warnings,
AuditAnnotations = auditAnnotations
}
};
return (envelope, response);
}
private static AdmissionDecision BuildDecision(AdmissionRequestContext context, RuntimeAdmissionEvaluation evaluation)
{
var images = new List<AdmissionImageVerdict>(evaluation.Decisions.Count);
for (var i = 0; i < evaluation.Decisions.Count; i++)
{
var decision = evaluation.Decisions[i];
var container = context.Containers[Math.Min(i, context.Containers.Count - 1)];
var metadata = new Dictionary<string, string>(StringComparer.Ordinal)
{
["image"] = decision.OriginalImage
};
if (!string.Equals(container.Image, container.Name, StringComparison.Ordinal))
{
metadata["container"] = container.Name;
}
if (decision.FromCache)
{
metadata["cache"] = "hit";
}
var resolved = decision.ResolvedDigest ?? decision.OriginalImage;
images.Add(new AdmissionImageVerdict
{
Name = container.Name,
Resolved = resolved,
Signed = decision.Policy?.Signed ?? false,
HasSbomReferrers = decision.Policy?.HasSbom ?? false,
PolicyVerdict = decision.Verdict,
Reasons = decision.Reasons,
Rekor = decision.Policy?.Rekor,
Metadata = metadata
});
}
return new AdmissionDecision
{
AdmissionId = context.Uid,
Namespace = context.Namespace,
PodSpecDigest = ComputePodSpecDigest(context.PodSpec),
Images = images,
Decision = evaluation.Decisions.All(static d => d.Allowed)
? AdmissionDecisionOutcome.Allow
: AdmissionDecisionOutcome.Deny,
TtlSeconds = Math.Max(0, evaluation.TtlSeconds),
Annotations = BuildAnnotations(evaluation)
};
}
private static IReadOnlyDictionary<string, string>? BuildAnnotations(RuntimeAdmissionEvaluation evaluation)
{
if (!evaluation.BackendFailed && !evaluation.FailOpenApplied && evaluation.FailureReason is null)
{
return null;
}
var annotations = new Dictionary<string, string>(StringComparer.Ordinal);
if (evaluation.BackendFailed)
{
annotations["zastava.backend.failed"] = "true";
}
if (evaluation.FailOpenApplied)
{
annotations["zastava.failOpen"] = "true";
}
if (!string.IsNullOrWhiteSpace(evaluation.FailureReason))
{
annotations["zastava.failureReason"] = evaluation.FailureReason!;
}
return annotations;
}
private static IReadOnlyDictionary<string, string> CreateAuditAnnotations(AdmissionDecisionEnvelope envelope, RuntimeAdmissionEvaluation evaluation)
{
var annotations = new Dictionary<string, string>(StringComparer.Ordinal)
{
["zastava.stellaops/admission"] = ZastavaCanonicalJsonSerializer.Serialize(envelope)
};
if (evaluation.FailOpenApplied)
{
annotations["zastava.stellaops/failOpen"] = "true";
}
return annotations;
}
private static IReadOnlyList<string>? BuildWarnings(RuntimeAdmissionEvaluation evaluation)
{
var warnings = new List<string>();
if (evaluation.FailOpenApplied)
{
warnings.Add("zastava.fail_open.applied");
}
foreach (var decision in evaluation.Decisions)
{
if (decision.Verdict == PolicyVerdict.Warn)
{
warnings.Add($"policy.warn:{decision.OriginalImage}");
}
}
return warnings.Count == 0 ? null : warnings;
}
private static string BuildFailureMessage(RuntimeAdmissionEvaluation evaluation)
{
if (!string.IsNullOrWhiteSpace(evaluation.FailureReason))
{
return evaluation.FailureReason!;
}
var denied = evaluation.Decisions
.Where(static d => !d.Allowed)
.SelectMany(static d => d.Reasons)
.Distinct(StringComparer.Ordinal)
.ToArray();
return denied.Length > 0
? string.Join(", ", denied)
: "admission.denied";
}
private static string ComputePodSpecDigest(JsonElement podSpec)
{
var buffer = new ArrayBufferWriter<byte>();
using (var writer = new Utf8JsonWriter(buffer, new JsonWriterOptions
{
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping,
Indented = false
}))
{
WriteCanonical(podSpec, writer);
}
return ZastavaHashing.ComputeMultihash(buffer.WrittenSpan);
}
private static void WriteCanonical(JsonElement element, Utf8JsonWriter writer)
{
switch (element.ValueKind)
{
case JsonValueKind.Object:
writer.WriteStartObject();
foreach (var property in element.EnumerateObject().OrderBy(static p => p.Name, StringComparer.Ordinal))
{
writer.WritePropertyName(property.Name);
WriteCanonical(property.Value, writer);
}
writer.WriteEndObject();
break;
case JsonValueKind.Array:
writer.WriteStartArray();
foreach (var item in element.EnumerateArray())
{
WriteCanonical(item, writer);
}
writer.WriteEndArray();
break;
default:
element.WriteTo(writer);
break;
}
}
}

88
src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewModels.cs Normal file
View File

@@ -0,0 +1,88 @@
using System.Text.Json;
using System.Text.Json.Serialization;
namespace StellaOps.Zastava.Webhook.Admission;
internal sealed record AdmissionReviewRequestDto
{
[JsonPropertyName("apiVersion")]
public string? ApiVersion { get; init; }
[JsonPropertyName("kind")]
public string? Kind { get; init; }
[JsonPropertyName("request")]
public AdmissionReviewRequestPayload? Request { get; init; }
}
internal sealed record AdmissionReviewRequestPayload
{
[JsonPropertyName("uid")]
public string? Uid { get; init; }
[JsonPropertyName("kind")]
public AdmissionReviewGroupVersionKind? Kind { get; init; }
[JsonPropertyName("namespace")]
public string? Namespace { get; init; }
[JsonPropertyName("name")]
public string? Name { get; init; }
[JsonPropertyName("object")]
public JsonElement Object { get; init; }
[JsonPropertyName("dryRun")]
public bool? DryRun { get; init; }
}
internal sealed record AdmissionReviewGroupVersionKind
{
[JsonPropertyName("group")]
public string? Group { get; init; }
[JsonPropertyName("version")]
public string? Version { get; init; }
[JsonPropertyName("kind")]
public string? Kind { get; init; }
}
internal sealed record AdmissionReviewResponseDto
{
[JsonPropertyName("apiVersion")]
public string ApiVersion { get; init; } = "admission.k8s.io/v1";
[JsonPropertyName("kind")]
public string Kind { get; init; } = "AdmissionReview";
[JsonPropertyName("response")]
public required AdmissionReviewResponsePayload Response { get; init; }
}
internal sealed record AdmissionReviewResponsePayload
{
[JsonPropertyName("uid")]
public required string Uid { get; init; }
[JsonPropertyName("allowed")]
public required bool Allowed { get; init; }
[JsonPropertyName("status")]
public AdmissionReviewStatus? Status { get; init; }
[JsonPropertyName("warnings")]
public IReadOnlyList<string>? Warnings { get; init; }
[JsonPropertyName("auditAnnotations")]
public IReadOnlyDictionary<string, string>? AuditAnnotations { get; init; }
}
internal sealed record AdmissionReviewStatus
{
[JsonPropertyName("code")]
public int? Code { get; init; }
[JsonPropertyName("message")]
public string? Message { get; init; }
}

154
src/Zastava/StellaOps.Zastava.Webhook/Admission/AdmissionReviewParser.cs Normal file
View File

@@ -0,0 +1,154 @@
using System.Text.Json;
namespace StellaOps.Zastava.Webhook.Admission;
internal sealed class AdmissionReviewParser
{
public AdmissionRequestContext Parse(AdmissionReviewRequestDto dto)
{
if (dto is null)
{
throw new AdmissionReviewParseException("admission.review.invalid", "AdmissionReview payload was empty.");
}
if (!string.Equals(dto.Kind, "AdmissionReview", StringComparison.OrdinalIgnoreCase))
{
throw new AdmissionReviewParseException("admission.review.kind", "AdmissionReview.kind must equal 'AdmissionReview'.");
}
if (string.IsNullOrWhiteSpace(dto.ApiVersion))
{
throw new AdmissionReviewParseException("admission.review.apiVersion", "AdmissionReview.apiVersion is required.");
}
var payload = dto.Request ?? throw new AdmissionReviewParseException("admission.review.request", "AdmissionReview.request is required.");
if (string.IsNullOrWhiteSpace(payload.Uid))
{
throw new AdmissionReviewParseException("admission.review.uid", "AdmissionReview.request.uid is required.");
}
if (payload.Object.ValueKind is not JsonValueKind.Object)
{
throw new AdmissionReviewParseException("admission.review.object", "AdmissionReview.request.object must be a JSON object.");
}
var podObject = payload.Object;
if (!podObject.TryGetProperty("spec", out var podSpec) || podSpec.ValueKind is not JsonValueKind.Object)
{
throw new AdmissionReviewParseException("admission.review.podSpec", "AdmissionReview.request.object.spec is required.");
}
var podNamespace = payload.Namespace
?? TryGetProperty(podObject, "metadata", "namespace")
?? throw new AdmissionReviewParseException("admission.review.namespace", "Namespace could not be determined for the pod.");
var labels = ReadLabels(podObject);
var containers = ReadContainers(podSpec);
if (containers.Count == 0)
{
throw new AdmissionReviewParseException("admission.review.containers", "No containers were found in the pod spec.");
}
return new AdmissionRequestContext(
ApiVersion: dto.ApiVersion!,
Kind: dto.Kind!,
Uid: payload.Uid!,
Namespace: podNamespace,
Labels: labels,
Containers: containers,
PodObject: podObject,
PodSpec: podSpec);
}
private static IReadOnlyDictionary<string, string> ReadLabels(JsonElement podObject)
{
if (!podObject.TryGetProperty("metadata", out var metadata) || metadata.ValueKind is not JsonValueKind.Object)
{
return new Dictionary<string, string>(StringComparer.Ordinal);
}
if (!metadata.TryGetProperty("labels", out var labelsElement) || labelsElement.ValueKind is not JsonValueKind.Object)
{
return new Dictionary<string, string>(StringComparer.Ordinal);
}
var labels = new Dictionary<string, string>(StringComparer.Ordinal);
foreach (var property in labelsElement.EnumerateObject())
{
if (property.Value.ValueKind is JsonValueKind.String)
{
labels[property.Name] = property.Value.GetString() ?? string.Empty;
}
}
return labels;
}
private static IReadOnlyList<AdmissionContainerReference> ReadContainers(JsonElement podSpec)
{
var containers = new List<AdmissionContainerReference>();
CollectContainers(podSpec, "containers", containers);
CollectContainers(podSpec, "initContainers", containers);
CollectContainers(podSpec, "ephemeralContainers", containers);
return containers;
}
private static void CollectContainers(JsonElement spec, string propertyName, ICollection<AdmissionContainerReference> sink)
{
if (!spec.TryGetProperty(propertyName, out var array) || array.ValueKind is not JsonValueKind.Array)
{
return;
}
foreach (var element in array.EnumerateArray())
{
if (element.ValueKind is not JsonValueKind.Object)
{
continue;
}
var image = TryGetProperty(element, "image");
if (string.IsNullOrWhiteSpace(image))
{
continue;
}
var name = TryGetProperty(element, "name") ?? image;
sink.Add(new AdmissionContainerReference(name, image));
}
}
private static string? TryGetProperty(JsonElement element, string propertyName)
{
if (element.ValueKind is not JsonValueKind.Object)
{
return null;
}
return element.TryGetProperty(propertyName, out var property) && property.ValueKind is JsonValueKind.String
? property.GetString()
: null;
}
private static string? TryGetProperty(JsonElement element, string firstProperty, string nestedProperty)
{
if (!element.TryGetProperty(firstProperty, out var nested) || nested.ValueKind is not JsonValueKind.Object)
{
return null;
}
return TryGetProperty(nested, nestedProperty);
}
}
internal sealed class AdmissionReviewParseException : Exception
{
public AdmissionReviewParseException(string code, string message)
: base(message)
{
Code = code;
}
public string Code { get; }
}

52
src/Zastava/StellaOps.Zastava.Webhook/Admission/ImageDigestResolver.cs Normal file
View File

@@ -0,0 +1,52 @@
using System.Text.RegularExpressions;
namespace StellaOps.Zastava.Webhook.Admission;
internal interface IImageDigestResolver
{
Task<ImageResolutionResult> ResolveAsync(string imageReference, CancellationToken cancellationToken);
}
internal sealed class ImageDigestResolver : IImageDigestResolver
{
private static readonly Regex DigestPattern = new(@"(?<algorithm>[a-z0-9_+.-]+):(?<digest>[a-f0-9]{32,})", RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.IgnoreCase);
public Task<ImageResolutionResult> ResolveAsync(string imageReference, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(imageReference))
{
return Task.FromResult(ImageResolutionResult.CreateFailure(imageReference, "image.reference.empty"));
}
if (imageReference.Contains('@', StringComparison.Ordinal))
{
var digest = imageReference[(imageReference.IndexOf('@') + 1)..];
if (DigestPattern.IsMatch(digest))
{
return Task.FromResult(ImageResolutionResult.CreateSuccess(imageReference, digest));
}
return Task.FromResult(ImageResolutionResult.CreateFailure(imageReference, "image.reference.invalid_digest"));
}
if (DigestPattern.IsMatch(imageReference))
{
return Task.FromResult(ImageResolutionResult.CreateSuccess(imageReference, imageReference));
}
return Task.FromResult(ImageResolutionResult.CreateFailure(imageReference, "image.reference.tag_unresolved"));
}
}
internal sealed record ImageResolutionResult(
string Original,
string? ResolvedDigest,
bool Success,
string? FailureReason)
{
public static ImageResolutionResult CreateSuccess(string original, string digest)
=> new(original, digest, true, null);
public static ImageResolutionResult CreateFailure(string original, string reason)
=> new(original, null, false, reason);
}

312
src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimeAdmissionPolicyService.cs Normal file
View File

@@ -0,0 +1,312 @@
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Core.Diagnostics;
using StellaOps.Zastava.Webhook.Backend;
using StellaOps.Zastava.Webhook.Configuration;
namespace StellaOps.Zastava.Webhook.Admission;
internal interface IRuntimeAdmissionPolicyService
{
Task<RuntimeAdmissionEvaluation> EvaluateAsync(RuntimeAdmissionRequest request, CancellationToken cancellationToken);
}
internal sealed class RuntimeAdmissionPolicyService : IRuntimeAdmissionPolicyService
{
private readonly IRuntimePolicyClient policyClient;
private readonly IImageDigestResolver digestResolver;
private readonly RuntimePolicyCache cache;
private readonly IOptionsMonitor<ZastavaWebhookOptions> options;
private readonly IZastavaRuntimeMetrics runtimeMetrics;
private readonly TimeProvider timeProvider;
private readonly ILogger<RuntimeAdmissionPolicyService> logger;
public RuntimeAdmissionPolicyService(
IRuntimePolicyClient policyClient,
IImageDigestResolver digestResolver,
RuntimePolicyCache cache,
IOptionsMonitor<ZastavaWebhookOptions> options,
IZastavaRuntimeMetrics runtimeMetrics,
TimeProvider timeProvider,
ILogger<RuntimeAdmissionPolicyService> logger)
{
this.policyClient = policyClient ?? throw new ArgumentNullException(nameof(policyClient));
this.digestResolver = digestResolver ?? throw new ArgumentNullException(nameof(digestResolver));
this.cache = cache ?? throw new ArgumentNullException(nameof(cache));
this.options = options ?? throw new ArgumentNullException(nameof(options));
this.runtimeMetrics = runtimeMetrics ?? throw new ArgumentNullException(nameof(runtimeMetrics));
this.timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<RuntimeAdmissionEvaluation> EvaluateAsync(RuntimeAdmissionRequest request, CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(request);
if (request.Images.Count == 0)
{
return RuntimeAdmissionEvaluation.Empty();
}
var admissionOptions = options.CurrentValue.Admission;
var resolutionResults = new List<ImageResolutionResult>(request.Images.Count);
foreach (var image in request.Images)
{
var resolution = await digestResolver.ResolveAsync(image, cancellationToken).ConfigureAwait(false);
resolutionResults.Add(resolution);
}
var resolved = resolutionResults.Where(static r => r.Success && r.ResolvedDigest is not null)
.GroupBy(r => r.ResolvedDigest!, StringComparer.Ordinal)
.Select(group => new ResolvedDigest(group.Key, group.ToArray()))
.ToArray();
var combinedResults = new Dictionary<string, RuntimePolicyImageResult>(StringComparer.Ordinal);
var backendMisses = new List<string>();
var fromCache = new HashSet<string>(StringComparer.Ordinal);
foreach (var digest in resolved)
{
if (cache.TryGet(digest.Digest, out var cached))
{
combinedResults[digest.Digest] = cached;
fromCache.Add(digest.Digest);
}
else
{
backendMisses.Add(digest.Digest);
}
}
RuntimePolicyResponse? backendResponse = null;
bool backendFailed = false;
var ttlSeconds = 300;
if (backendMisses.Count > 0)
{
try
{
backendResponse = await policyClient.EvaluateAsync(new RuntimePolicyRequest
{
Namespace = request.Namespace ?? string.Empty,
Labels = request.Labels,
Images = backendMisses
}, cancellationToken).ConfigureAwait(false);
var now = timeProvider.GetUtcNow();
var expiry = CalculateExpiry(backendResponse);
ttlSeconds = Math.Max(1, (int)Math.Ceiling((expiry - now).TotalSeconds));
foreach (var pair in backendResponse.Results)
{
combinedResults[pair.Key] = pair.Value;
cache.Set(pair.Key, pair.Value, expiry);
}
}
catch (Exception ex) when (!cancellationToken.IsCancellationRequested)
{
backendFailed = true;
logger.LogWarning(ex, "Runtime policy backend call failed for namespace {Namespace}.", request.Namespace ?? "<none>");
}
}
var failOpenApplied = false;
var decisions = new List<RuntimeAdmissionDecision>(request.Images.Count);
var effectiveTtl = backendResponse?.TtlSeconds is > 0 ? backendResponse.TtlSeconds : ttlSeconds;
if (backendFailed && backendMisses.Count > 0)
{
failOpenApplied = ShouldFailOpen(admissionOptions, request.Namespace);
foreach (var resolution in resolutionResults)
{
if (resolution.Success && resolution.ResolvedDigest is not null)
{
var allowed = failOpenApplied;
var reasons = failOpenApplied
? new[] { "zastava.fail_open.backend_unavailable" }
: new[] { "zastava.backend.unavailable" };
RecordDecisionMetrics(allowed, true, failOpenApplied, RuntimeEventKind.ContainerStart);
decisions.Add(new RuntimeAdmissionDecision
{
OriginalImage = resolution.Original,
ResolvedDigest = resolution.ResolvedDigest,
Verdict = allowed ? PolicyVerdict.Warn : PolicyVerdict.Error,
Allowed = allowed,
Policy = null,
Reasons = reasons,
FromCache = false,
ResolutionFailed = false
});
}
else
{
decisions.Add(CreateResolutionFailureDecision(resolution));
}
}
return new RuntimeAdmissionEvaluation
{
Decisions = decisions,
BackendFailed = true,
FailOpenApplied = failOpenApplied,
FailureReason = failOpenApplied ? null : "backend.unavailable",
TtlSeconds = effectiveTtl
};
}
foreach (var resolution in resolutionResults)
{
if (!resolution.Success || resolution.ResolvedDigest is null)
{
var failureDecision = CreateResolutionFailureDecision(resolution);
RecordDecisionMetrics(failureDecision.Allowed, false, false, RuntimeEventKind.ContainerStart);
decisions.Add(failureDecision);
continue;
}
if (!combinedResults.TryGetValue(resolution.ResolvedDigest, out var policyResult))
{
var synthetic = new RuntimeAdmissionDecision
{
OriginalImage = resolution.Original,
ResolvedDigest = resolution.ResolvedDigest,
Verdict = PolicyVerdict.Error,
Allowed = false,
Policy = null,
Reasons = new[] { "zastava.policy.result.missing" },
FromCache = false,
ResolutionFailed = false
};
RecordDecisionMetrics(false, false, false, RuntimeEventKind.ContainerStart);
decisions.Add(synthetic);
continue;
}
var allowed = policyResult.PolicyVerdict is PolicyVerdict.Pass or PolicyVerdict.Warn;
var cached = fromCache.Contains(resolution.ResolvedDigest);
var reasons = policyResult.Reasons.Count > 0 ? policyResult.Reasons : Array.Empty<string>();
RecordDecisionMetrics(allowed, cached, false, RuntimeEventKind.ContainerStart);
decisions.Add(new RuntimeAdmissionDecision
{
OriginalImage = resolution.Original,
ResolvedDigest = resolution.ResolvedDigest,
Verdict = policyResult.PolicyVerdict,
Allowed = allowed,
Policy = policyResult,
Reasons = reasons,
FromCache = cached,
ResolutionFailed = false
});
}
return new RuntimeAdmissionEvaluation
{
Decisions = decisions,
BackendFailed = backendFailed,
FailOpenApplied = failOpenApplied,
FailureReason = null,
TtlSeconds = effectiveTtl
};
}
private static RuntimeAdmissionDecision CreateResolutionFailureDecision(ImageResolutionResult resolution)
=> new RuntimeAdmissionDecision
{
OriginalImage = resolution.Original,
ResolvedDigest = null,
Verdict = PolicyVerdict.Fail,
Allowed = false,
Policy = null,
Reasons = new[] { resolution.FailureReason ?? "image.resolution.failed" },
FromCache = false,
ResolutionFailed = true
};
private void RecordDecisionMetrics(bool allowed, bool fromCache, bool failOpen, RuntimeEventKind eventKind)
{
var tags = runtimeMetrics.DefaultTags
.Concat(new[]
{
new KeyValuePair<string, object?>("decision", allowed ? "allow" : "deny"),
new KeyValuePair<string, object?>("source", fromCache ? "cache" : "backend"),
new KeyValuePair<string, object?>("fail_open", failOpen ? "true" : "false"),
new KeyValuePair<string, object?>("event", eventKind.ToString())
})
.ToArray();
runtimeMetrics.AdmissionDecisions.Add(1, tags);
}
private bool ShouldFailOpen(ZastavaWebhookAdmissionOptions admission, string? @namespace)
{
if (@namespace is null)
{
return admission.FailOpenByDefault;
}
if (admission.FailClosedNamespaces.Contains(@namespace))
{
return false;
}
if (admission.FailOpenNamespaces.Contains(@namespace))
{
return true;
}
return admission.FailOpenByDefault;
}
private DateTimeOffset CalculateExpiry(RuntimePolicyResponse response)
{
var now = timeProvider.GetUtcNow();
var ttlSeconds = Math.Max(1, response.TtlSeconds);
var intended = now.AddSeconds(ttlSeconds);
if (response.ExpiresAtUtc != default)
{
return response.ExpiresAtUtc < intended ? response.ExpiresAtUtc : intended;
}
return intended;
}
private sealed record ResolvedDigest(string Digest, IReadOnlyList<ImageResolutionResult> Entries);
}
internal sealed record RuntimeAdmissionRequest(
string? Namespace,
IReadOnlyDictionary<string, string> Labels,
IReadOnlyList<string> Images);
internal sealed record RuntimeAdmissionDecision
{
public required string OriginalImage { get; init; }
public string? ResolvedDigest { get; init; }
public PolicyVerdict Verdict { get; init; }
public bool Allowed { get; init; }
public RuntimePolicyImageResult? Policy { get; init; }
public IReadOnlyList<string> Reasons { get; init; } = Array.Empty<string>();
public bool FromCache { get; init; }
public bool ResolutionFailed { get; init; }
}
internal sealed record RuntimeAdmissionEvaluation
{
public required IReadOnlyList<RuntimeAdmissionDecision> Decisions { get; init; }
public bool BackendFailed { get; init; }
public bool FailOpenApplied { get; init; }
public string? FailureReason { get; init; }
public int TtlSeconds { get; init; }
public static RuntimeAdmissionEvaluation Empty()
=> new()
{
Decisions = Array.Empty<RuntimeAdmissionDecision>(),
BackendFailed = false,
FailOpenApplied = false,
FailureReason = null,
TtlSeconds = 0
};
}

83
src/Zastava/StellaOps.Zastava.Webhook/Admission/RuntimePolicyCache.cs Normal file
View File

@@ -0,0 +1,83 @@
using System.Collections.Concurrent;
using System.Text.Json;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Webhook.Backend;
using StellaOps.Zastava.Webhook.Configuration;
namespace StellaOps.Zastava.Webhook.Admission;
internal sealed class RuntimePolicyCache
{
private readonly ConcurrentDictionary<string, CacheEntry> entries = new(StringComparer.Ordinal);
private readonly ILogger<RuntimePolicyCache> logger;
private readonly TimeProvider timeProvider;
public RuntimePolicyCache(IOptions<ZastavaWebhookOptions> options, TimeProvider timeProvider, ILogger<RuntimePolicyCache> logger)
{
this.timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
ArgumentNullException.ThrowIfNull(options);
var admission = options.Value.Admission;
if (!string.IsNullOrWhiteSpace(admission.CacheSeedPath) && File.Exists(admission.CacheSeedPath))
{
TryLoadSeed(admission.CacheSeedPath!);
}
}
public bool TryGet(string digest, out RuntimePolicyImageResult result)
{
if (entries.TryGetValue(digest, out var entry))
{
if (timeProvider.GetUtcNow() <= entry.ExpiresAtUtc)
{
result = entry.Result;
return true;
}
entries.TryRemove(digest, out _);
}
result = default!;
return false;
}
public void Set(string digest, RuntimePolicyImageResult result, DateTimeOffset expiresAtUtc)
{
entries[digest] = new CacheEntry(result, expiresAtUtc);
}
private void TryLoadSeed(string path)
{
try
{
var payload = File.ReadAllText(path);
var seed = JsonSerializer.Deserialize<RuntimePolicyResponse>(payload, new JsonSerializerOptions
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
});
if (seed?.Results is null || seed.Results.Count == 0)
{
logger.LogDebug("Runtime policy cache seed file {Path} empty or invalid.", path);
return;
}
var ttlSeconds = Math.Max(1, seed.TtlSeconds);
var expires = timeProvider.GetUtcNow().AddSeconds(ttlSeconds);
foreach (var pair in seed.Results)
{
Set(pair.Key, pair.Value, expires);
}
logger.LogInformation("Loaded {Count} runtime policy cache seed entries from {Path}.", seed.Results.Count, path);
}
catch (Exception ex)
{
logger.LogWarning(ex, "Failed to load runtime policy cache seed from {Path}.", path);
}
}
private sealed record CacheEntry(RuntimePolicyImageResult Result, DateTimeOffset ExpiresAtUtc);
}

51
src/Zastava/StellaOps.Zastava.Webhook/Authority/AuthorityTokenProvider.cs Normal file
View File

@@ -0,0 +1,51 @@
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Diagnostics.HealthChecks;
using Microsoft.Extensions.Options;
using Microsoft.Extensions.Logging;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Security;
namespace StellaOps.Zastava.Webhook.Authority;
public sealed class AuthorityTokenHealthCheck : IHealthCheck
{
private readonly IZastavaAuthorityTokenProvider authorityTokenProvider;
private readonly IOptionsMonitor<ZastavaRuntimeOptions> runtimeOptions;
private readonly ILogger<AuthorityTokenHealthCheck> logger;
public AuthorityTokenHealthCheck(
IZastavaAuthorityTokenProvider authorityTokenProvider,
IOptionsMonitor<ZastavaRuntimeOptions> runtimeOptions,
ILogger<AuthorityTokenHealthCheck> logger)
{
this.authorityTokenProvider = authorityTokenProvider ?? throw new ArgumentNullException(nameof(authorityTokenProvider));
this.runtimeOptions = runtimeOptions ?? throw new ArgumentNullException(nameof(runtimeOptions));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context, CancellationToken cancellationToken = default)
{
try
{
var runtime = runtimeOptions.CurrentValue;
var authority = runtime.Authority;
var audience = authority.Audience.FirstOrDefault() ?? "scanner";
var token = await authorityTokenProvider.GetAsync(audience, authority.Scopes ?? Array.Empty<string>(), cancellationToken);
return HealthCheckResult.Healthy(
"Authority token acquired.",
data: new Dictionary<string, object>
{
["expiresAtUtc"] = token.ExpiresAtUtc?.ToString("O") ?? "static",
["tokenType"] = token.TokenType
});
}
catch (Exception ex)
{
logger.LogError(ex, "Failed to obtain Authority token via runtime core.");
return HealthCheckResult.Unhealthy("Failed to obtain Authority token via runtime core.", ex);
}
}
}

9
src/Zastava/StellaOps.Zastava.Webhook/Backend/IRuntimePolicyClient.cs Normal file
View File

@@ -0,0 +1,9 @@
using System.Threading;
using System.Threading.Tasks;
namespace StellaOps.Zastava.Webhook.Backend;
public interface IRuntimePolicyClient
{
Task<RuntimePolicyResponse> EvaluateAsync(RuntimePolicyRequest request, CancellationToken cancellationToken = default);
}

115
src/Zastava/StellaOps.Zastava.Webhook/Backend/RuntimePolicyClient.cs Normal file
View File

@@ -0,0 +1,115 @@
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Diagnostics;
using StellaOps.Zastava.Core.Security;
using StellaOps.Zastava.Webhook.Configuration;
namespace StellaOps.Zastava.Webhook.Backend;
internal sealed class RuntimePolicyClient : IRuntimePolicyClient
{
private static readonly JsonSerializerOptions SerializerOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
};
static RuntimePolicyClient()
{
SerializerOptions.Converters.Add(new JsonStringEnumConverter(JsonNamingPolicy.CamelCase, allowIntegerValues: false));
}
private readonly HttpClient httpClient;
private readonly IZastavaAuthorityTokenProvider authorityTokenProvider;
private readonly IOptionsMonitor<ZastavaRuntimeOptions> runtimeOptions;
private readonly IOptionsMonitor<ZastavaWebhookOptions> webhookOptions;
private readonly IZastavaRuntimeMetrics runtimeMetrics;
private readonly ILogger<RuntimePolicyClient> logger;
public RuntimePolicyClient(
HttpClient httpClient,
IZastavaAuthorityTokenProvider authorityTokenProvider,
IOptionsMonitor<ZastavaRuntimeOptions> runtimeOptions,
IOptionsMonitor<ZastavaWebhookOptions> webhookOptions,
IZastavaRuntimeMetrics runtimeMetrics,
ILogger<RuntimePolicyClient> logger)
{
this.httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
this.authorityTokenProvider = authorityTokenProvider ?? throw new ArgumentNullException(nameof(authorityTokenProvider));
this.runtimeOptions = runtimeOptions ?? throw new ArgumentNullException(nameof(runtimeOptions));
this.webhookOptions = webhookOptions ?? throw new ArgumentNullException(nameof(webhookOptions));
this.runtimeMetrics = runtimeMetrics ?? throw new ArgumentNullException(nameof(runtimeMetrics));
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<RuntimePolicyResponse> EvaluateAsync(RuntimePolicyRequest request, CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
var runtime = runtimeOptions.CurrentValue;
var authority = runtime.Authority;
var audience = authority.Audience.FirstOrDefault() ?? "scanner";
var token = await authorityTokenProvider.GetAsync(audience, authority.Scopes ?? Array.Empty<string>(), cancellationToken).ConfigureAwait(false);
var backend = webhookOptions.CurrentValue.Backend;
using var httpRequest = new HttpRequestMessage(HttpMethod.Post, backend.PolicyPath)
{
Content = new StringContent(JsonSerializer.Serialize(request, SerializerOptions), Encoding.UTF8, "application/json")
};
httpRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
httpRequest.Headers.Authorization = CreateAuthorizationHeader(token);
var stopwatch = Stopwatch.StartNew();
try
{
using var response = await httpClient.SendAsync(httpRequest, cancellationToken).ConfigureAwait(false);
var payload = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
if (!response.IsSuccessStatusCode)
{
logger.LogWarning("Runtime policy call returned {StatusCode}: {Payload}", (int)response.StatusCode, payload);
throw new RuntimePolicyException($"Runtime policy call failed with status {(int)response.StatusCode}", response.StatusCode);
}
var result = JsonSerializer.Deserialize<RuntimePolicyResponse>(payload, SerializerOptions);
if (result is null)
{
throw new RuntimePolicyException("Runtime policy response payload was empty or invalid.", response.StatusCode);
}
return result;
}
finally
{
stopwatch.Stop();
RecordLatency(stopwatch.Elapsed.TotalMilliseconds);
}
}
private AuthenticationHeaderValue CreateAuthorizationHeader(ZastavaOperationalToken token)
{
var scheme = string.Equals(token.TokenType, "dpop", StringComparison.OrdinalIgnoreCase) ? "DPoP" : token.TokenType;
return new AuthenticationHeaderValue(scheme, token.AccessToken);
}
private void RecordLatency(double elapsedMs)
{
var tags = runtimeMetrics.DefaultTags
.Concat(new[] { new KeyValuePair<string, object?>("endpoint", "policy") })
.ToArray();
runtimeMetrics.BackendLatencyMs.Record(elapsedMs, tags);
}
}

21
src/Zastava/StellaOps.Zastava.Webhook/Backend/RuntimePolicyException.cs Normal file
View File

@@ -0,0 +1,21 @@
using System;
using System.Net;
namespace StellaOps.Zastava.Webhook.Backend;
public sealed class RuntimePolicyException : Exception
{
public RuntimePolicyException(string message, HttpStatusCode statusCode)
: base(message)
{
StatusCode = statusCode;
}
public RuntimePolicyException(string message, HttpStatusCode statusCode, Exception innerException)
: base(message, innerException)
{
StatusCode = statusCode;
}
public HttpStatusCode StatusCode { get; }
}

16
src/Zastava/StellaOps.Zastava.Webhook/Backend/RuntimePolicyRequest.cs Normal file
View File

@@ -0,0 +1,16 @@
using System.Collections.Generic;
using System.Text.Json.Serialization;
namespace StellaOps.Zastava.Webhook.Backend;
public sealed record RuntimePolicyRequest
{
[JsonPropertyName("namespace")]
public required string Namespace { get; init; }
[JsonPropertyName("labels")]
public IReadOnlyDictionary<string, string>? Labels { get; init; }
[JsonPropertyName("images")]
public required IReadOnlyList<string> Images { get; init; }
}

39
src/Zastava/StellaOps.Zastava.Webhook/Backend/RuntimePolicyResponse.cs Normal file
View File

@@ -0,0 +1,39 @@
using System;
using System.Collections.Generic;
using System.Text.Json.Serialization;
using StellaOps.Zastava.Core.Contracts;
namespace StellaOps.Zastava.Webhook.Backend;
public sealed record RuntimePolicyResponse
{
[JsonPropertyName("ttlSeconds")]
public int TtlSeconds { get; init; }
[JsonPropertyName("expiresAtUtc")]
public DateTimeOffset ExpiresAtUtc { get; init; }
[JsonPropertyName("policyRevision")]
public string? PolicyRevision { get; init; }
[JsonPropertyName("results")]
public IReadOnlyDictionary<string, RuntimePolicyImageResult> Results { get; init; } = new Dictionary<string, RuntimePolicyImageResult>();
}
public sealed record RuntimePolicyImageResult
{
[JsonPropertyName("signed")]
public bool Signed { get; init; }
[JsonPropertyName("hasSbom")]
public bool HasSbom { get; init; }
[JsonPropertyName("policyVerdict")]
public PolicyVerdict PolicyVerdict { get; init; }
[JsonPropertyName("reasons")]
public IReadOnlyList<string> Reasons { get; init; } = Array.Empty<string>();
[JsonPropertyName("rekor")]
public AdmissionRekorEvidence? Rekor { get; init; }
}

25
src/Zastava/StellaOps.Zastava.Webhook/Certificates/CsrCertificateSource.cs Normal file
View File

@@ -0,0 +1,25 @@
using System.Security.Cryptography.X509Certificates;
using StellaOps.Zastava.Webhook.Configuration;
namespace StellaOps.Zastava.Webhook.Certificates;
/// <summary>
/// Placeholder implementation for CSR-based certificate provisioning.
/// </summary>
public sealed class CsrCertificateSource : IWebhookCertificateSource
{
private readonly ILogger<CsrCertificateSource> _logger;
public CsrCertificateSource(ILogger<CsrCertificateSource> logger)
{
_logger = logger;
}
public bool CanHandle(ZastavaWebhookTlsMode mode) => mode == ZastavaWebhookTlsMode.CertificateSigningRequest;
public X509Certificate2 LoadCertificate(ZastavaWebhookTlsOptions options)
{
_logger.LogError("CSR certificate mode is not implemented yet. Configuration requested CSR mode.");
throw new NotSupportedException("CSR certificate provisioning is not implemented (tracked by ZASTAVA-WEBHOOK-12-101).");
}
}

49
src/Zastava/StellaOps.Zastava.Webhook/Certificates/IWebhookCertificateProvider.cs Normal file
View File

@@ -0,0 +1,49 @@
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Webhook.Configuration;
namespace StellaOps.Zastava.Webhook.Certificates;
public interface IWebhookCertificateProvider
{
X509Certificate2 GetCertificate();
}
public sealed class WebhookCertificateProvider : IWebhookCertificateProvider
{
private readonly ILogger<WebhookCertificateProvider> _logger;
private readonly ZastavaWebhookTlsOptions _options;
private readonly Lazy<X509Certificate2> _certificate;
private readonly IWebhookCertificateSource _certificateSource;
public WebhookCertificateProvider(
IOptions<ZastavaWebhookOptions> options,
IEnumerable<IWebhookCertificateSource> certificateSources,
ILogger<WebhookCertificateProvider> logger)
{
_logger = logger;
_options = options.Value.Tls;
_certificateSource = certificateSources.FirstOrDefault(source => source.CanHandle(_options.Mode))
?? throw new InvalidOperationException($"No certificate source registered for mode {_options.Mode}.");
_certificate = new Lazy<X509Certificate2>(LoadCertificate, LazyThreadSafetyMode.ExecutionAndPublication);
}
public X509Certificate2 GetCertificate() => _certificate.Value;
private X509Certificate2 LoadCertificate()
{
_logger.LogInformation("Loading webhook TLS certificate using {Mode} mode.", _options.Mode);
var certificate = _certificateSource.LoadCertificate(_options);
_logger.LogInformation("Loaded webhook TLS certificate with subject {Subject} and thumbprint {Thumbprint}.",
certificate.Subject, certificate.Thumbprint);
return certificate;
}
}
public interface IWebhookCertificateSource
{
bool CanHandle(ZastavaWebhookTlsMode mode);
X509Certificate2 LoadCertificate(ZastavaWebhookTlsOptions options);
}

103
src/Zastava/StellaOps.Zastava.Webhook/Certificates/SecretFileCertificateSource.cs Normal file
View File

@@ -0,0 +1,103 @@
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Logging;
using StellaOps.Zastava.Webhook.Configuration;
namespace StellaOps.Zastava.Webhook.Certificates;
public sealed class SecretFileCertificateSource : IWebhookCertificateSource
{
private readonly ILogger<SecretFileCertificateSource> _logger;
public SecretFileCertificateSource(ILogger<SecretFileCertificateSource> logger)
{
_logger = logger;
}
public bool CanHandle(ZastavaWebhookTlsMode mode) => mode == ZastavaWebhookTlsMode.Secret;
public X509Certificate2 LoadCertificate(ZastavaWebhookTlsOptions options)
{
if (options is null)
{
throw new ArgumentNullException(nameof(options));
}
if (!string.IsNullOrWhiteSpace(options.PfxPath))
{
return LoadFromPfx(options.PfxPath, options.PfxPassword);
}
if (string.IsNullOrWhiteSpace(options.CertificatePath) || string.IsNullOrWhiteSpace(options.PrivateKeyPath))
{
throw new InvalidOperationException("TLS mode 'Secret' requires either a PFX bundle or both PEM certificate and private key paths.");
}
if (!File.Exists(options.CertificatePath))
{
throw new FileNotFoundException("Webhook certificate file not found.", options.CertificatePath);
}
if (!File.Exists(options.PrivateKeyPath))
{
throw new FileNotFoundException("Webhook certificate private key file not found.", options.PrivateKeyPath);
}
try
{
var certificate = X509Certificate2.CreateFromPemFile(options.CertificatePath, options.PrivateKeyPath)
.WithExportablePrivateKey();
_logger.LogDebug("Loaded certificate {Subject} from PEM secret files.", certificate.Subject);
return certificate;
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to load webhook certificate from PEM files {CertPath} / {KeyPath}.",
options.CertificatePath, options.PrivateKeyPath);
throw;
}
}
private X509Certificate2 LoadFromPfx(string pfxPath, string? password)
{
if (!File.Exists(pfxPath))
{
throw new FileNotFoundException("Webhook certificate PFX bundle not found.", pfxPath);
}
try
{
var storageFlags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet;
var certificate = X509CertificateLoader.LoadPkcs12FromFile(pfxPath, password, storageFlags);
_logger.LogDebug("Loaded certificate {Subject} from PFX bundle.", certificate.Subject);
return certificate;
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to load webhook certificate from PFX bundle {PfxPath}.", pfxPath);
throw;
}
}
}
internal static class X509Certificate2Extensions
{
public static X509Certificate2 WithExportablePrivateKey(this X509Certificate2 certificate)
{
// Ensure the private key is exportable for Kestrel; CreateFromPemFile returns a temporary key material otherwise.
if (certificate.HasPrivateKey)
{
return certificate;
}
using var rsa = certificate.GetRSAPrivateKey();
if (rsa is null)
{
return certificate;
}
var certificateWithKey = certificate.CopyWithPrivateKey(rsa);
certificate.Dispose();
return certificateWithKey;
}
}

56
src/Zastava/StellaOps.Zastava.Webhook/Certificates/WebhookCertificateHealthCheck.cs Normal file
View File

@@ -0,0 +1,56 @@
using Microsoft.Extensions.Diagnostics.HealthChecks;
namespace StellaOps.Zastava.Webhook.Certificates;
public sealed class WebhookCertificateHealthCheck : IHealthCheck
{
private readonly IWebhookCertificateProvider _certificateProvider;
private readonly ILogger<WebhookCertificateHealthCheck> _logger;
private readonly TimeSpan _expiryThreshold = TimeSpan.FromDays(7);
public WebhookCertificateHealthCheck(
IWebhookCertificateProvider certificateProvider,
ILogger<WebhookCertificateHealthCheck> logger)
{
_certificateProvider = certificateProvider;
_logger = logger;
}
public Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context, CancellationToken cancellationToken = default)
{
try
{
var certificate = _certificateProvider.GetCertificate();
var expires = certificate.NotAfter.ToUniversalTime();
var remaining = expires - DateTimeOffset.UtcNow;
if (remaining <= TimeSpan.Zero)
{
return Task.FromResult(HealthCheckResult.Unhealthy("Webhook certificate expired.", data: new Dictionary<string, object>
{
["expiresAtUtc"] = expires.ToString("O")
}));
}
if (remaining <= _expiryThreshold)
{
return Task.FromResult(HealthCheckResult.Degraded("Webhook certificate nearing expiry.", data: new Dictionary<string, object>
{
["expiresAtUtc"] = expires.ToString("O"),
["daysRemaining"] = remaining.TotalDays
}));
}
return Task.FromResult(HealthCheckResult.Healthy("Webhook certificate valid.", data: new Dictionary<string, object>
{
["expiresAtUtc"] = expires.ToString("O"),
["daysRemaining"] = remaining.TotalDays
}));
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to load webhook certificate.");
return Task.FromResult(HealthCheckResult.Unhealthy("Failed to load webhook certificate.", ex));
}
}
}

175
src/Zastava/StellaOps.Zastava.Webhook/Configuration/ZastavaWebhookOptions.cs Normal file
View File

@@ -0,0 +1,175 @@
using System.ComponentModel.DataAnnotations;
namespace StellaOps.Zastava.Webhook.Configuration;
public sealed class ZastavaWebhookOptions
{
public const string SectionName = "zastava:webhook";
[Required]
public ZastavaWebhookTlsOptions Tls { get; init; } = new();
[Required]
public ZastavaWebhookAuthorityOptions Authority { get; init; } = new();
[Required]
public ZastavaWebhookAdmissionOptions Admission { get; init; } = new();
[Required]
public ZastavaWebhookBackendOptions Backend { get; init; } = new();
}
public sealed class ZastavaWebhookAdmissionOptions
{
/// <summary>
/// Namespaces that default to fail-open when backend calls fail.
/// </summary>
public HashSet<string> FailOpenNamespaces { get; init; } = new(StringComparer.Ordinal);
/// <summary>
/// Namespaces that must fail-closed even if the global default is fail-open.
/// </summary>
public HashSet<string> FailClosedNamespaces { get; init; } = new(StringComparer.Ordinal);
/// <summary>
/// Global fail-open toggle. When true, namespaces not in <see cref="FailClosedNamespaces"/> will allow requests on backend failures.
/// </summary>
public bool FailOpenByDefault { get; init; }
/// <summary>
/// Enables tag resolution to immutable digests when set.
/// </summary>
public bool ResolveTags { get; init; } = true;
/// <summary>
/// Optional cache seed path for pre-computed runtime verdicts.
/// </summary>
public string? CacheSeedPath { get; init; }
}
public enum ZastavaWebhookTlsMode
{
Secret = 0,
CertificateSigningRequest = 1
}
public sealed class ZastavaWebhookTlsOptions
{
[Required]
public ZastavaWebhookTlsMode Mode { get; init; } = ZastavaWebhookTlsMode.Secret;
/// <summary>
/// PEM certificate path when using <see cref="ZastavaWebhookTlsMode.Secret"/>.
/// </summary>
public string? CertificatePath { get; init; }
/// <summary>
/// PEM private key path when using <see cref="ZastavaWebhookTlsMode.Secret"/>.
/// </summary>
public string? PrivateKeyPath { get; init; }
/// <summary>
/// Optional PFX bundle path; takes precedence over PEM values when provided.
/// </summary>
public string? PfxPath { get; init; }
/// <summary>
/// Optional password for the PFX bundle.
/// </summary>
public string? PfxPassword { get; init; }
/// <summary>
/// Optional CA bundle path to present to Kubernetes when configuring webhook registration.
/// </summary>
public string? CaBundlePath { get; init; }
/// <summary>
/// CSR related settings when <see cref="Mode"/> equals <see cref="ZastavaWebhookTlsMode.CertificateSigningRequest"/>.
/// </summary>
public ZastavaWebhookTlsCsrOptions Csr { get; init; } = new();
}
public sealed class ZastavaWebhookTlsCsrOptions
{
/// <summary>
/// Kubernetes namespace that owns the <c>CertificateSigningRequest</c> object.
/// </summary>
[Required(AllowEmptyStrings = false)]
public string Namespace { get; init; } = "stellaops";
/// <summary>
/// CSR object name; defaults to <c>zastava-webhook</c>.
/// </summary>
[Required(AllowEmptyStrings = false)]
[MaxLength(253)]
public string Name { get; init; } = "zastava-webhook";
/// <summary>
/// DNS names placed in the CSR <c>subjectAltName</c>.
/// </summary>
[MinLength(1)]
public string[] DnsNames { get; init; } = Array.Empty<string>();
/// <summary>
/// Where the signed certificate is persisted after approval (mounted emptyDir).
/// </summary>
[Required(AllowEmptyStrings = false)]
public string PersistPath { get; init; } = "/var/run/zastava-webhook/certs";
}
public sealed class ZastavaWebhookAuthorityOptions
{
/// <summary>
/// Authority issuer URL for token acquisition.
/// </summary>
[Required(AllowEmptyStrings = false)]
public Uri Issuer { get; init; } = new("https://authority.internal");
/// <summary>
/// Audience that tokens must target.
/// </summary>
[MinLength(1)]
public string[] Audience { get; init; } = new[] { "scanner", "zastava" };
/// <summary>
/// Optional path to static OpTok for bootstrap environments.
/// </summary>
public string? StaticTokenPath { get; init; }
/// <summary>
/// Optional literal token value (test only). Takes precedence over <see cref="StaticTokenPath"/>.
/// </summary>
public string? StaticTokenValue { get; init; }
/// <summary>
/// Interval for refreshing cached tokens before expiry.
/// </summary>
[Range(typeof(double), "1", "3600")]
public double RefreshSkewSeconds { get; init; } = TimeSpan.FromMinutes(5).TotalSeconds;
}
public sealed class ZastavaWebhookBackendOptions
{
/// <summary>
/// Base address for Scanner WebService policy requests.
/// </summary>
[Required]
public Uri BaseAddress { get; init; } = new("https://scanner.internal");
/// <summary>
/// Relative path for runtime policy endpoint.
/// </summary>
[Required(AllowEmptyStrings = false)]
public string PolicyPath { get; init; } = "/api/v1/scanner/policy/runtime";
/// <summary>
/// Timeout in seconds for backend calls (default 5 s).
/// </summary>
[Range(typeof(double), "1", "120")]
public double RequestTimeoutSeconds { get; init; } = 5;
/// <summary>
/// Allows HTTP (non-TLS) endpoints when set. Defaults to false for safety.
/// </summary>
public bool AllowInsecureHttp { get; init; }
}

60
src/Zastava/StellaOps.Zastava.Webhook/DependencyInjection/ServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,60 @@
using System;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Webhook.Admission;
using StellaOps.Zastava.Webhook.Authority;
using StellaOps.Zastava.Webhook.Backend;
using StellaOps.Zastava.Webhook.Certificates;
using StellaOps.Zastava.Webhook.Configuration;
using StellaOps.Zastava.Webhook.Hosting;
using StellaOps.Zastava.Webhook.DependencyInjection;
namespace Microsoft.Extensions.DependencyInjection;
public static class ServiceCollectionExtensions
{
public static IServiceCollection AddZastavaWebhook(this IServiceCollection services, IConfiguration configuration)
{
services.AddZastavaRuntimeCore(configuration, "webhook");
services.AddOptions<ZastavaWebhookOptions>()
.Bind(configuration.GetSection(ZastavaWebhookOptions.SectionName))
.ValidateDataAnnotations()
.ValidateOnStart();
services.TryAddSingleton(TimeProvider.System);
services.TryAddEnumerable(ServiceDescriptor.Singleton<IWebhookCertificateSource, SecretFileCertificateSource>());
services.TryAddEnumerable(ServiceDescriptor.Singleton<IWebhookCertificateSource, CsrCertificateSource>());
services.TryAddSingleton<IWebhookCertificateProvider, WebhookCertificateProvider>();
services.TryAddSingleton<WebhookCertificateHealthCheck>();
services.TryAddEnumerable(ServiceDescriptor.Singleton<IPostConfigureOptions<ZastavaRuntimeOptions>, WebhookRuntimeOptionsPostConfigure>());
services.TryAddSingleton<AdmissionReviewParser>();
services.TryAddSingleton<AdmissionResponseBuilder>();
services.TryAddSingleton<RuntimePolicyCache>();
services.TryAddSingleton<IImageDigestResolver, ImageDigestResolver>();
services.TryAddSingleton<IRuntimeAdmissionPolicyService, RuntimeAdmissionPolicyService>();
services.AddHttpClient<IRuntimePolicyClient, RuntimePolicyClient>((provider, client) =>
{
var backend = provider.GetRequiredService<IOptions<ZastavaWebhookOptions>>().Value.Backend;
if (!backend.AllowInsecureHttp && backend.BaseAddress.Scheme.Equals(Uri.UriSchemeHttp, StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException("HTTP backend URLs are disabled unless AllowInsecureHttp is true.");
}
client.BaseAddress = backend.BaseAddress;
client.Timeout = TimeSpan.FromSeconds(backend.RequestTimeoutSeconds);
});
services.TryAddSingleton<AuthorityTokenHealthCheck>();
services.AddHostedService<StartupValidationHostedService>();
services.AddHealthChecks()
.AddCheck<WebhookCertificateHealthCheck>("webhook_tls")
.AddCheck<AuthorityTokenHealthCheck>("authority_token");
return services;
}
}

52
src/Zastava/StellaOps.Zastava.Webhook/DependencyInjection/WebhookRuntimeOptionsPostConfigure.cs Normal file
View File

@@ -0,0 +1,52 @@
using System;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Webhook.Configuration;
namespace StellaOps.Zastava.Webhook.DependencyInjection;
/// <summary>
/// Ensures legacy webhook authority options propagate to runtime options when not explicitly configured.
/// </summary>
internal sealed class WebhookRuntimeOptionsPostConfigure : IPostConfigureOptions<ZastavaRuntimeOptions>
{
private readonly IOptionsMonitor<ZastavaWebhookOptions> webhookOptions;
public WebhookRuntimeOptionsPostConfigure(IOptionsMonitor<ZastavaWebhookOptions> webhookOptions)
{
this.webhookOptions = webhookOptions ?? throw new ArgumentNullException(nameof(webhookOptions));
}
public void PostConfigure(string? name, ZastavaRuntimeOptions runtimeOptions)
{
ArgumentNullException.ThrowIfNull(runtimeOptions);
var snapshot = webhookOptions.Get(name ?? Options.DefaultName);
var source = snapshot.Authority;
if (source is null)
{
return;
}
runtimeOptions.Authority ??= new ZastavaAuthorityOptions();
var authority = runtimeOptions.Authority;
if (ShouldCopyStaticTokenValue(authority.StaticTokenValue, source.StaticTokenValue))
{
authority.StaticTokenValue = source.StaticTokenValue;
}
if (ShouldCopyStaticTokenValue(authority.StaticTokenPath, source.StaticTokenPath))
{
authority.StaticTokenPath = source.StaticTokenPath;
}
if (!string.IsNullOrWhiteSpace(source.StaticTokenValue) || !string.IsNullOrWhiteSpace(source.StaticTokenPath))
{
authority.AllowStaticTokenFallback = true;
}
}
private static bool ShouldCopyStaticTokenValue(string? current, string? source)
=> string.IsNullOrWhiteSpace(current) && !string.IsNullOrWhiteSpace(source);
}

39
src/Zastava/StellaOps.Zastava.Webhook/Hosting/StartupValidationHostedService.cs Normal file
View File

@@ -0,0 +1,39 @@
using System.Linq;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Security;
using StellaOps.Zastava.Webhook.Certificates;
namespace StellaOps.Zastava.Webhook.Hosting;
public sealed class StartupValidationHostedService : IHostedService
{
private readonly IWebhookCertificateProvider _certificateProvider;
private readonly IZastavaAuthorityTokenProvider _authorityTokenProvider;
private readonly IOptionsMonitor<ZastavaRuntimeOptions> _runtimeOptions;
private readonly ILogger<StartupValidationHostedService> _logger;
public StartupValidationHostedService(
IWebhookCertificateProvider certificateProvider,
IZastavaAuthorityTokenProvider authorityTokenProvider,
IOptionsMonitor<ZastavaRuntimeOptions> runtimeOptions,
ILogger<StartupValidationHostedService> logger)
{
_certificateProvider = certificateProvider;
_authorityTokenProvider = authorityTokenProvider;
_runtimeOptions = runtimeOptions;
_logger = logger;
}
public async Task StartAsync(CancellationToken cancellationToken)
{
_logger.LogInformation("Running webhook startup validation.");
_certificateProvider.GetCertificate();
var authority = _runtimeOptions.CurrentValue.Authority;
var audience = authority.Audience.FirstOrDefault() ?? "scanner";
await _authorityTokenProvider.GetAsync(audience, authority.Scopes, cancellationToken);
_logger.LogInformation("Webhook startup validation complete.");
}
public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
}

105
src/Zastava/StellaOps.Zastava.Webhook/IMPLEMENTATION_PLAN.md Normal file
View File

@@ -0,0 +1,105 @@
# Zastava Webhook · Wave 0 Implementation Notes
> Authored 2025-10-19 by Zastava Webhook Guild.
## ZASTAVA-WEBHOOK-12-101 — Admission Controller Host (TLS bootstrap + Authority auth)
**Objectives**
- Provide a deterministic, restart-safe .NET 10 host that exposes a Kubernetes ValidatingAdmissionWebhook endpoint.
- Load serving certificates at start-up only (per restart-time plug-in rule) and surface reload guidance via documentation rather than hot-reload.
- Authenticate outbound calls to Authority/Scanner using OpTok + DPoP as defined in `docs/ARCHITECTURE_ZASTAVA.md`.
**Plan**
1. **Project scaffolding**
- Create `StellaOps.Zastava.Webhook` project with minimal API pipeline (`Program.cs`, `Startup` equivalent via extension methods).
- Reference shared helpers once `ZASTAVA-CORE-12-201/202` land; temporarily stub interfaces behind `IZastavaAdmissionRequest`/`IZastavaAdmissionResult`.
2. **TLS bootstrap**
- Support two certificate sources:
1. Mounted secret path (`/var/run/secrets/zastava-webhook/tls.{crt,key}`) with optional CA bundle.
2. CSR workflow: generate CSR + private key, submit to Kubernetes Certificates API when `admission.tls.autoApprove` enabled; persist signed cert/key to mounted emptyDir for reuse across replicas.
- Validate cert/key pair on boot; abort start-up if invalid to preserve deterministic behavior.
- Configure Kestrel for mutual TLS off (API Server already provides client auth) but enforce minimum TLS 1.3, strong cipher suite list, HTTP/2 disabled (K8s uses HTTP/1.1).
3. **Authority auth**
- Bootstrap Authority client via shared runtime core (`AddZastavaRuntimeCore` + `IZastavaAuthorityTokenProvider`) so webhook reuses multitenant OpTok caching and guardrails.
- Implement DPoP proof generator bound to webhook host keypair (prefer Ed25519) with configurable rotation period (default 24h, triggered at restart).
- Add background health check verifying token freshness and surfacing metrics (`zastava.authority_token_renew_failures_total`).
4. **Hosting concerns**
- Configure structured logging with correlation id from AdmissionReview UID.
- Expose `/healthz` (reads cert expiry, Authority token status) and `/metrics` (Prometheus).
- Add readiness gate that requires initial TLS and Authority bootstrap to succeed.
**Deliverables**
- Compilable host project with integration tests covering TLS load (mounted files + CSR mock) and Authority token acquisition.
- Documentation snippet for deploy charts describing secret/CSR wiring.
**Open Questions**
- Need confirmation from Core guild on DTO naming (`AdmissionReviewEnvelope`, `AdmissionDecision`) to avoid rework.
- Determine whether CSR auto-approval is acceptable for air-gapped clusters without Kubernetes cert-manager; may require fallback manual cert import path.
## ZASTAVA-WEBHOOK-12-102 — Backend policy query & digest resolution
**Objectives**
- Resolve all images within AdmissionReview to immutable digests before policy evaluation.
- Call Scanner WebService `/api/v1/scanner/policy/runtime` with namespace/labels/images payload, enforce verdicts with deterministic error messaging.
**Plan**
1. **Image resolution**
- Implement resolver service with pluggable strategies:
- Use existing digest if present.
- Resolve tags via registry HEAD (respecting `admission.resolveTags` flag); fallback to Observer-provided digest once core DTOs available.
- Cache per-registry auth to minimise latency; adhere to allow/deny lists from configuration.
2. **Scanner client**
- Define typed request/response models mirroring `docs/ARCHITECTURE_ZASTAVA.md` structure (`ttlSeconds`, `results[digest] -> { signed, hasSbom, policyVerdict, reasons, rekor }`).
- Implement retry policy (3 attempts, exponential backoff) and map HTTP errors to webhook fail-open/closed depending on namespace configuration.
- Instrument latency (`zastava.backend_latency_seconds`) and failure counts.
3. **Verdict enforcement**
- Evaluate per-image results: if any `policyVerdict != pass` (or `warn` when `enforceWarnings=false`), deny with aggregated reasons.
- Attach `ttlSeconds` to admission response annotations for auditing.
- Record structured logs with namespace, pod, image digest, decision, reasons, backend latency.
4. **Contract coordination**
- Schedule joint review with Scanner WebService guild once SCANNER-RUNTIME-12-302 schema stabilises; track in TASKS sub-items.
- Provide sample payload fixtures for CLI team (`CLI-RUNTIME-13-005`) to validate table output; ensure field names stay aligned.
**Deliverables**
- Registry resolver unit tests (tag->digest) with deterministic fixtures.
- HTTP client integration tests using Scanner stub returning varied verdict combinations.
- Documentation update summarising contract and failure handling.
**Open Questions**
- Confirm expected policy verdict enumeration (`pass|warn|fail|error`?) and textual reason codes.
- Need TTL behaviour: should webhook reduce TTL when backend returns > configured max?
## ZASTAVA-WEBHOOK-12-103 — Caching, fail-open/closed toggles, metrics/logging
**Objectives**
- Provide deterministic caching layer respecting backend TTL while ensuring eviction on policy mutation.
- Allow namespace-scoped fail-open behaviour with explicit metrics and alerts.
- Surface actionable metrics/logging aligned with Architecture doc.
**Plan**
1. **Cache design**
- In-memory LRU keyed by image digest; value carries verdict payload + expiry timestamp.
- Support optional persistent seed (read-only) to prime hot digests for offline clusters (config: `admission.cache.seedPath`).
- On startup, load seed file and emit metric `zastava.cache_seed_entries_total`.
- Evict entries on TTL or when `policyRevision` annotation in AdmissionReview changes (requires hook from Core DTO).
2. **Fail-open/closed toggles**
- Configuration: global default + namespace overrides through `admission.failOpenNamespaces`, `admission.failClosedNamespaces`.
- Decision matrix:
- Backend success + verdict PASS → allow.
- Backend success + non-pass → deny unless namespace override says warn allowed.
- Backend failure → allow if namespace fail-open, deny otherwise; annotate response with `zastava.ops/fail-open=true`.
- Implement policy change event hook (future) to clear cache if observer signals revocation.
3. **Metrics & logging**
- Counters: `zastava.admission_requests_total{decision}`, `zastava.cache_hits_total{result=hit|miss}`, `zastava.fail_open_total`, `zastava.backend_failures_total{stage}`.
- Histograms: `zastava.admission_latency_seconds` (overall), `zastava.resolve_latency_seconds`.
- Logs: structured JSON with `decision`, `namespace`, `pod`, `imageDigest`, `reasons`, `cacheStatus`, `failMode`.
- Optionally emit OpenTelemetry span for admission path with attributes capturing backend latency + cache path.
4. **Testing & ops hooks**
- Unit tests for cache TTL, namespace override logic, fail-open metric increments.
- Integration test simulating backend outage ensuring fail-open/closed behaviour matches config.
- Document runbook snippet describing interpreting metrics and toggling namespaces.
**Open Questions**
- Confirm whether cache entries should include `policyRevision` to detect backend policy updates; requires coordination with Policy guild.
- Need guidance on maximum cache size (default suggestions: 5k entries per replica?) to avoid memory blow-up.

68
src/Zastava/StellaOps.Zastava.Webhook/Program.cs Normal file
View File

@@ -0,0 +1,68 @@
using System.Security.Authentication;
using Microsoft.AspNetCore.Diagnostics.HealthChecks;
using Serilog;
using Serilog.Events;
using StellaOps.Zastava.Webhook.Admission;
using StellaOps.Zastava.Webhook.Authority;
using StellaOps.Zastava.Webhook.Certificates;
using StellaOps.Zastava.Webhook.Configuration;
var builder = WebApplication.CreateBuilder(args);
builder.Host.UseSerilog((context, services, loggerConfiguration) =>
{
loggerConfiguration
.MinimumLevel.Information()
.MinimumLevel.Override("Microsoft.Hosting.Lifetime", LogEventLevel.Information)
.MinimumLevel.Override("Microsoft.AspNetCore", LogEventLevel.Warning)
.Enrich.FromLogContext()
.WriteTo.Console();
});
builder.Services.AddRouting();
builder.Services.AddProblemDetails();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddHttpClient();
builder.Services.AddZastavaWebhook(builder.Configuration);
builder.WebHost.ConfigureKestrel((context, options) =>
{
options.AddServerHeader = false;
options.Limits.MinRequestBodyDataRate = null; // Admission payloads are small; relax defaults for determinism.
options.ConfigureHttpsDefaults(httpsOptions =>
{
var certificateProvider = options.ApplicationServices?.GetRequiredService<IWebhookCertificateProvider>()
?? throw new InvalidOperationException("Webhook certificate provider unavailable.");
httpsOptions.SslProtocols = SslProtocols.Tls13;
httpsOptions.ClientCertificateMode = Microsoft.AspNetCore.Server.Kestrel.Https.ClientCertificateMode.NoCertificate;
httpsOptions.CheckCertificateRevocation = false; // Kubernetes API server terminates client auth; revocation handled upstream.
httpsOptions.ServerCertificate = certificateProvider.GetCertificate();
});
});
var app = builder.Build();
app.UseSerilogRequestLogging();
app.UseRouting();
app.UseStatusCodePages();
// Health endpoints.
app.MapHealthChecks("/healthz/ready", new HealthCheckOptions
{
AllowCachingResponses = false
});
app.MapHealthChecks("/healthz/live", new HealthCheckOptions
{
AllowCachingResponses = false,
Predicate = _ => false
});
app.MapPost("/admission", AdmissionEndpoint.HandleAsync)
.WithName("AdmissionReview");
app.MapGet("/", () => Results.Ok(new { status = "ok", service = "zastava-webhook" }));
app.Run();

3
src/Zastava/StellaOps.Zastava.Webhook/Properties/AssemblyInfo.cs Normal file
View File

@@ -0,0 +1,3 @@
using System.Runtime.CompilerServices;
[assembly: InternalsVisibleTo("StellaOps.Zastava.Webhook.Tests")]

20
src/Zastava/StellaOps.Zastava.Webhook/StellaOps.Zastava.Webhook.csproj Normal file
View File

@@ -0,0 +1,20 @@
<?xml version='1.0' encoding='utf-8'?>
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<RootNamespace>StellaOps.Zastava.Webhook</RootNamespace>
<NoWarn>$(NoWarn);CA2254</NoWarn>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.Http.Polly" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="Serilog.AspNetCore" Version="8.0.1" />
<PackageReference Include="Serilog.Sinks.Console" Version="5.0.1" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="../__Libraries/StellaOps.Zastava.Core/StellaOps.Zastava.Core.csproj" />
</ItemGroup>
</Project>

10
src/Zastava/StellaOps.Zastava.Webhook/TASKS.md Normal file
View File

@@ -0,0 +1,10 @@
# Zastava Webhook Task Board
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| ZASTAVA-WEBHOOK-12-101 | DONE (2025-10-24) | Zastava Webhook Guild | — | Admission controller host with TLS bootstrap and Authority auth. | Webhook host boots with deterministic TLS bootstrap, enforces Authority-issued credentials, e2e smoke proves admission callback lifecycle, structured logs + metrics emit on each decision. |
| ZASTAVA-WEBHOOK-12-102 | DONE (2025-10-24) | Zastava Webhook Guild | — | Query Scanner `/policy/runtime`, resolve digests, enforce verdicts. | Scanner client resolves image digests + policy verdicts, unit tests cover allow/deny, integration harness rejects/admits workloads per policy with deterministic payloads. |
| ZASTAVA-WEBHOOK-12-103 | DONE (2025-10-24) | Zastava Webhook Guild | — | Caching, fail-open/closed toggles, metrics/logging for admission decisions. | Configurable cache TTL + seeds survive restart, fail-open/closed toggles verified via tests, metrics/logging exported per decision path, docs note operational knobs. |
| ZASTAVA-WEBHOOK-12-104 | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-102 | Wire `/admission` endpoint to runtime policy client and emit allow/deny envelopes. | Admission handler resolves pods to digests, invokes policy client, returns canonical `AdmissionDecisionEnvelope` with deterministic logging and metrics. |
> Status update · 2025-10-19: Confirmed no prerequisites for ZASTAVA-WEBHOOK-12-101/102/103; tasks moved to DOING for kickoff. Implementation plan covering TLS bootstrap, backend contract, caching/metrics recorded in `IMPLEMENTATION_PLAN.md`.

199
src/Zastava/StellaOps.Zastava.sln Normal file
View File

@@ -0,0 +1,199 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.0.31903.59
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Zastava.Webhook", "StellaOps.Zastava.Webhook\StellaOps.Zastava.Webhook.csproj", "{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}"
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "__Libraries", "__Libraries", "{41F15E67-7190-CF23-3BC4-77E87134CADD}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Zastava.Core", "__Libraries\StellaOps.Zastava.Core\StellaOps.Zastava.Core.csproj", "{F21DE368-1D4F-4D10-823F-5BDB6B812745}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Auth.Client", "..\Authority\StellaOps.Authority\StellaOps.Auth.Client\StellaOps.Auth.Client.csproj", "{D7545C96-B68C-4D74-A76A-CE5E496D5486}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Auth.Abstractions", "..\Authority\StellaOps.Authority\StellaOps.Auth.Abstractions\StellaOps.Auth.Abstractions.csproj", "{6C65EC84-B36C-466B-9B9E-0CD47665F765}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Configuration", "..\__Libraries\StellaOps.Configuration\StellaOps.Configuration.csproj", "{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Authority.Plugins.Abstractions", "..\Authority\StellaOps.Authority\StellaOps.Authority.Plugins.Abstractions\StellaOps.Authority.Plugins.Abstractions.csproj", "{E7713D51-9773-4545-8FFA-F76B1834A5CA}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Cryptography", "..\__Libraries\StellaOps.Cryptography\StellaOps.Cryptography.csproj", "{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Auth.Security", "..\__Libraries\StellaOps.Auth.Security\StellaOps.Auth.Security.csproj", "{DE2E6231-9BD7-4D39-8302-F03A399BA128}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Zastava.Observer", "StellaOps.Zastava.Observer\StellaOps.Zastava.Observer.csproj", "{42426AB9-790F-4432-9943-837145B1BD2C}"
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "__Tests", "__Tests", "{56BCE1BF-7CBA-7CE8-203D-A88051F1D642}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Zastava.Core.Tests", "__Tests\StellaOps.Zastava.Core.Tests\StellaOps.Zastava.Core.Tests.csproj", "{51F41A02-1A15-4D95-B8A1-888073349A2D}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Zastava.Observer.Tests", "__Tests\StellaOps.Zastava.Observer.Tests\StellaOps.Zastava.Observer.Tests.csproj", "{22443733-DA1C-47E3-ABC5-3030709110DE}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Zastava.Webhook.Tests", "__Tests\StellaOps.Zastava.Webhook.Tests\StellaOps.Zastava.Webhook.Tests.csproj", "{C7098645-40A2-4990-ACBB-1051009C53D2}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|Any CPU = Release|Any CPU
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Debug|Any CPU.Build.0 = Debug|Any CPU
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Debug|x64.ActiveCfg = Debug|Any CPU
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Debug|x64.Build.0 = Debug|Any CPU
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Debug|x86.ActiveCfg = Debug|Any CPU
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Debug|x86.Build.0 = Debug|Any CPU
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Release|Any CPU.ActiveCfg = Release|Any CPU
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Release|Any CPU.Build.0 = Release|Any CPU
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Release|x64.ActiveCfg = Release|Any CPU
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Release|x64.Build.0 = Release|Any CPU
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Release|x86.ActiveCfg = Release|Any CPU
{7DFF8D67-7FCD-4324-B75E-2FBF8DFAF78E}.Release|x86.Build.0 = Release|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Debug|Any CPU.Build.0 = Debug|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Debug|x64.ActiveCfg = Debug|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Debug|x64.Build.0 = Debug|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Debug|x86.ActiveCfg = Debug|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Debug|x86.Build.0 = Debug|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Release|Any CPU.ActiveCfg = Release|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Release|Any CPU.Build.0 = Release|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Release|x64.ActiveCfg = Release|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Release|x64.Build.0 = Release|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Release|x86.ActiveCfg = Release|Any CPU
{F21DE368-1D4F-4D10-823F-5BDB6B812745}.Release|x86.Build.0 = Release|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Debug|Any CPU.Build.0 = Debug|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Debug|x64.ActiveCfg = Debug|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Debug|x64.Build.0 = Debug|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Debug|x86.ActiveCfg = Debug|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Debug|x86.Build.0 = Debug|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Release|Any CPU.ActiveCfg = Release|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Release|Any CPU.Build.0 = Release|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Release|x64.ActiveCfg = Release|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Release|x64.Build.0 = Release|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Release|x86.ActiveCfg = Release|Any CPU
{D7545C96-B68C-4D74-A76A-CE5E496D5486}.Release|x86.Build.0 = Release|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Debug|Any CPU.Build.0 = Debug|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Debug|x64.ActiveCfg = Debug|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Debug|x64.Build.0 = Debug|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Debug|x86.ActiveCfg = Debug|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Debug|x86.Build.0 = Debug|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Release|Any CPU.ActiveCfg = Release|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Release|Any CPU.Build.0 = Release|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Release|x64.ActiveCfg = Release|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Release|x64.Build.0 = Release|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Release|x86.ActiveCfg = Release|Any CPU
{6C65EC84-B36C-466B-9B9E-0CD47665F765}.Release|x86.Build.0 = Release|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Debug|Any CPU.Build.0 = Debug|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Debug|x64.ActiveCfg = Debug|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Debug|x64.Build.0 = Debug|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Debug|x86.ActiveCfg = Debug|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Debug|x86.Build.0 = Debug|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Release|Any CPU.ActiveCfg = Release|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Release|Any CPU.Build.0 = Release|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Release|x64.ActiveCfg = Release|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Release|x64.Build.0 = Release|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Release|x86.ActiveCfg = Release|Any CPU
{3266C0B0-063D-4FB5-A28A-F7C062FB6BEB}.Release|x86.Build.0 = Release|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Debug|Any CPU.Build.0 = Debug|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Debug|x64.ActiveCfg = Debug|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Debug|x64.Build.0 = Debug|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Debug|x86.ActiveCfg = Debug|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Debug|x86.Build.0 = Debug|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Release|Any CPU.ActiveCfg = Release|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Release|Any CPU.Build.0 = Release|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Release|x64.ActiveCfg = Release|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Release|x64.Build.0 = Release|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Release|x86.ActiveCfg = Release|Any CPU
{E7713D51-9773-4545-8FFA-F76B1834A5CA}.Release|x86.Build.0 = Release|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Debug|Any CPU.Build.0 = Debug|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Debug|x64.ActiveCfg = Debug|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Debug|x64.Build.0 = Debug|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Debug|x86.ActiveCfg = Debug|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Debug|x86.Build.0 = Debug|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Release|Any CPU.ActiveCfg = Release|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Release|Any CPU.Build.0 = Release|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Release|x64.ActiveCfg = Release|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Release|x64.Build.0 = Release|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Release|x86.ActiveCfg = Release|Any CPU
{007BF6CD-AE9D-4F03-B84B-6EF43CA29BC6}.Release|x86.Build.0 = Release|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Debug|Any CPU.Build.0 = Debug|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Debug|x64.ActiveCfg = Debug|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Debug|x64.Build.0 = Debug|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Debug|x86.ActiveCfg = Debug|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Debug|x86.Build.0 = Debug|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Release|Any CPU.ActiveCfg = Release|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Release|Any CPU.Build.0 = Release|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Release|x64.ActiveCfg = Release|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Release|x64.Build.0 = Release|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Release|x86.ActiveCfg = Release|Any CPU
{DE2E6231-9BD7-4D39-8302-F03A399BA128}.Release|x86.Build.0 = Release|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Debug|Any CPU.Build.0 = Debug|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Debug|x64.ActiveCfg = Debug|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Debug|x64.Build.0 = Debug|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Debug|x86.ActiveCfg = Debug|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Debug|x86.Build.0 = Debug|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Release|Any CPU.ActiveCfg = Release|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Release|Any CPU.Build.0 = Release|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Release|x64.ActiveCfg = Release|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Release|x64.Build.0 = Release|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Release|x86.ActiveCfg = Release|Any CPU
{42426AB9-790F-4432-9943-837145B1BD2C}.Release|x86.Build.0 = Release|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Debug|Any CPU.Build.0 = Debug|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Debug|x64.ActiveCfg = Debug|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Debug|x64.Build.0 = Debug|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Debug|x86.ActiveCfg = Debug|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Debug|x86.Build.0 = Debug|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Release|Any CPU.ActiveCfg = Release|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Release|Any CPU.Build.0 = Release|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Release|x64.ActiveCfg = Release|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Release|x64.Build.0 = Release|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Release|x86.ActiveCfg = Release|Any CPU
{51F41A02-1A15-4D95-B8A1-888073349A2D}.Release|x86.Build.0 = Release|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Debug|Any CPU.Build.0 = Debug|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Debug|x64.ActiveCfg = Debug|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Debug|x64.Build.0 = Debug|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Debug|x86.ActiveCfg = Debug|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Debug|x86.Build.0 = Debug|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Release|Any CPU.ActiveCfg = Release|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Release|Any CPU.Build.0 = Release|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Release|x64.ActiveCfg = Release|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Release|x64.Build.0 = Release|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Release|x86.ActiveCfg = Release|Any CPU
{22443733-DA1C-47E3-ABC5-3030709110DE}.Release|x86.Build.0 = Release|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Debug|Any CPU.Build.0 = Debug|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Debug|x64.ActiveCfg = Debug|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Debug|x64.Build.0 = Debug|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Debug|x86.ActiveCfg = Debug|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Debug|x86.Build.0 = Debug|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Release|Any CPU.ActiveCfg = Release|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Release|Any CPU.Build.0 = Release|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Release|x64.ActiveCfg = Release|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Release|x64.Build.0 = Release|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Release|x86.ActiveCfg = Release|Any CPU
{C7098645-40A2-4990-ACBB-1051009C53D2}.Release|x86.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(NestedProjects) = preSolution
{F21DE368-1D4F-4D10-823F-5BDB6B812745} = {41F15E67-7190-CF23-3BC4-77E87134CADD}
{42426AB9-790F-4432-9943-837145B1BD2C} = {41F15E67-7190-CF23-3BC4-77E87134CADD}
{51F41A02-1A15-4D95-B8A1-888073349A2D} = {56BCE1BF-7CBA-7CE8-203D-A88051F1D642}
{22443733-DA1C-47E3-ABC5-3030709110DE} = {56BCE1BF-7CBA-7CE8-203D-A88051F1D642}
{C7098645-40A2-4990-ACBB-1051009C53D2} = {56BCE1BF-7CBA-7CE8-203D-A88051F1D642}
EndGlobalSection
EndGlobal

68
src/Zastava/__Libraries/StellaOps.Zastava.Core/Configuration/ZastavaAuthorityOptions.cs Normal file
View File

@@ -0,0 +1,68 @@
using System.ComponentModel.DataAnnotations;
namespace StellaOps.Zastava.Core.Configuration;
/// <summary>
/// Authority client configuration shared by Zastava runtime components.
/// </summary>
public sealed class ZastavaAuthorityOptions
{
/// <summary>
/// Authority issuer URL.
/// </summary>
[Required]
public Uri Issuer { get; set; } = new("https://authority.internal");
/// <summary>
/// OAuth client identifier used by runtime services.
/// </summary>
[Required(AllowEmptyStrings = false)]
public string ClientId { get; set; } = "zastava-runtime";
/// <summary>
/// Optional client secret when using confidential clients.
/// </summary>
public string? ClientSecret { get; set; }
/// <summary>
/// Audience claims required on issued tokens.
/// </summary>
[MinLength(1)]
public string[] Audience { get; set; } = new[] { "scanner" };
/// <summary>
/// Additional scopes requested for the runtime plane.
/// </summary>
public string[] Scopes { get; set; } = Array.Empty<string>();
/// <summary>
/// Seconds before expiry when a cached token should be refreshed.
/// </summary>
[Range(typeof(double), "0", "3600")]
public double RefreshSkewSeconds { get; set; } = 120;
/// <summary>
/// Require the Authority to issue DPoP (proof-of-possession) tokens.
/// </summary>
public bool RequireDpop { get; set; } = true;
/// <summary>
/// Require the Authority client to present mTLS during token acquisition.
/// </summary>
public bool RequireMutualTls { get; set; } = true;
/// <summary>
/// Allow falling back to static tokens when Authority is unavailable.
/// </summary>
public bool AllowStaticTokenFallback { get; set; }
/// <summary>
/// Optional path to a static fallback token (PEM/plain text).
/// </summary>
public string? StaticTokenPath { get; set; }
/// <summary>
/// Optional literal static token (test/bootstrap only). Takes precedence over <see cref="StaticTokenPath"/>.
/// </summary>
public string? StaticTokenValue { get; set; }
}

84
src/Zastava/__Libraries/StellaOps.Zastava.Core/Configuration/ZastavaRuntimeOptions.cs Normal file
View File

@@ -0,0 +1,84 @@
using System.ComponentModel.DataAnnotations;
namespace StellaOps.Zastava.Core.Configuration;
/// <summary>
/// Common runtime configuration shared by Zastava components (observer, webhook, agent).
/// </summary>
public sealed class ZastavaRuntimeOptions
{
public const string SectionName = "zastava:runtime";
/// <summary>
/// Tenant identifier used for scoping logs and metrics.
/// </summary>
[Required(AllowEmptyStrings = false)]
public string Tenant { get; set; } = "default";
/// <summary>
/// Deployment environment (prod, staging, etc.) used in telemetry dimensions.
/// </summary>
[Required(AllowEmptyStrings = false)]
public string Environment { get; set; } = "local";
/// <summary>
/// Component name (observer/webhook/agent) injected into scopes and metrics.
/// </summary>
public string? Component { get; set; }
/// <summary>
/// Optional deployment identifier (cluster, region, etc.).
/// </summary>
public string? Deployment { get; set; }
[Required]
public ZastavaRuntimeLoggingOptions Logging { get; set; } = new();
[Required]
public ZastavaRuntimeMetricsOptions Metrics { get; set; } = new();
[Required]
public ZastavaAuthorityOptions Authority { get; set; } = new();
}
public sealed class ZastavaRuntimeLoggingOptions
{
/// <summary>
/// Whether scopes should be enabled on the logger factory.
/// </summary>
public bool IncludeScopes { get; init; } = true;
/// <summary>
/// Whether activity tracking metadata (TraceId/SpanId) should be captured.
/// </summary>
public bool IncludeActivityTracking { get; init; } = true;
/// <summary>
/// Optional static key/value pairs appended to every log scope.
/// </summary>
public IDictionary<string, string> StaticScope { get; init; } = new Dictionary<string, string>(StringComparer.Ordinal);
}
public sealed class ZastavaRuntimeMetricsOptions
{
/// <summary>
/// Enables metrics emission.
/// </summary>
public bool Enabled { get; init; } = true;
/// <summary>
/// Meter name used for all runtime instrumentation.
/// </summary>
[Required(AllowEmptyStrings = false)]
public string MeterName { get; init; } = "StellaOps.Zastava";
/// <summary>
/// Optional meter semantic version.
/// </summary>
public string? MeterVersion { get; init; } = "1.0.0";
/// <summary>
/// Common dimensions attached to every metric emitted by the runtime plane.
/// </summary>
public IDictionary<string, string> CommonTags { get; init; } = new Dictionary<string, string>(StringComparer.Ordinal);
}

86
src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/AdmissionDecision.cs Normal file
View File

@@ -0,0 +1,86 @@
namespace StellaOps.Zastava.Core.Contracts;
/// <summary>
/// Envelope returned by the admission webhook to the Kubernetes API server.
/// </summary>
public sealed record class AdmissionDecisionEnvelope
{
public required string SchemaVersion { get; init; }
public required AdmissionDecision Decision { get; init; }
public static AdmissionDecisionEnvelope Create(AdmissionDecision decision, ZastavaContractVersions.ContractVersion contract)
{
ArgumentNullException.ThrowIfNull(decision);
return new AdmissionDecisionEnvelope
{
SchemaVersion = contract.ToString(),
Decision = decision
};
}
public bool IsSupported()
=> ZastavaContractVersions.IsAdmissionDecisionSupported(SchemaVersion);
}
/// <summary>
/// Canonical admission decision payload.
/// </summary>
public sealed record class AdmissionDecision
{
public required string AdmissionId { get; init; }
[JsonPropertyName("namespace")]
public required string Namespace { get; init; }
public required string PodSpecDigest { get; init; }
public IReadOnlyList<AdmissionImageVerdict> Images { get; init; } = Array.Empty<AdmissionImageVerdict>();
public required AdmissionDecisionOutcome Decision { get; init; }
public int TtlSeconds { get; init; }
public IReadOnlyDictionary<string, string>? Annotations { get; init; }
}
public enum AdmissionDecisionOutcome
{
Allow,
Deny
}
public sealed record class AdmissionImageVerdict
{
public required string Name { get; init; }
public required string Resolved { get; init; }
public bool Signed { get; init; }
[JsonPropertyName("hasSbomReferrers")]
public bool HasSbomReferrers { get; init; }
public PolicyVerdict PolicyVerdict { get; init; }
public IReadOnlyList<string> Reasons { get; init; } = Array.Empty<string>();
public AdmissionRekorEvidence? Rekor { get; init; }
public IReadOnlyDictionary<string, string>? Metadata { get; init; }
}
public enum PolicyVerdict
{
Pass,
Warn,
Fail,
Error
}
public sealed record class AdmissionRekorEvidence
{
public string? Uuid { get; init; }
public bool? Verified { get; init; }
}

181
src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/RuntimeEvent.cs Normal file
View File

@@ -0,0 +1,181 @@
namespace StellaOps.Zastava.Core.Contracts;
/// <summary>
/// Envelope published by the observer towards Scanner runtime ingestion.
/// </summary>
public sealed record class RuntimeEventEnvelope
{
/// <summary>
/// Contract identifier consumed by negotiation logic (<c>zastava.runtime.event@v1</c>).
/// </summary>
public required string SchemaVersion { get; init; }
/// <summary>
/// Runtime event payload.
/// </summary>
public required RuntimeEvent Event { get; init; }
/// <summary>
/// Creates an envelope using the provided runtime contract version.
/// </summary>
public static RuntimeEventEnvelope Create(RuntimeEvent runtimeEvent, ZastavaContractVersions.ContractVersion contract)
{
ArgumentNullException.ThrowIfNull(runtimeEvent);
return new RuntimeEventEnvelope
{
SchemaVersion = contract.ToString(),
Event = runtimeEvent
};
}
/// <summary>
/// Checks whether the envelope schema is supported by the current runtime.
/// </summary>
public bool IsSupported()
=> ZastavaContractVersions.IsRuntimeEventSupported(SchemaVersion);
}
/// <summary>
/// Canonical runtime event emitted by the observer.
/// </summary>
public sealed record class RuntimeEvent
{
public required string EventId { get; init; }
public required DateTimeOffset When { get; init; }
public required RuntimeEventKind Kind { get; init; }
public required string Tenant { get; init; }
public required string Node { get; init; }
public required RuntimeEngine Runtime { get; init; }
public required RuntimeWorkload Workload { get; init; }
public RuntimeProcess? Process { get; init; }
[JsonPropertyName("loadedLibs")]
public IReadOnlyList<RuntimeLoadedLibrary> LoadedLibraries { get; init; } = Array.Empty<RuntimeLoadedLibrary>();
public RuntimePosture? Posture { get; init; }
public RuntimeDelta? Delta { get; init; }
public IReadOnlyList<RuntimeEvidence> Evidence { get; init; } = Array.Empty<RuntimeEvidence>();
public IReadOnlyDictionary<string, string>? Annotations { get; init; }
}
public enum RuntimeEventKind
{
ContainerStart,
ContainerStop,
Drift,
PolicyViolation,
AttestationStatus
}
public sealed record class RuntimeEngine
{
public required string Engine { get; init; }
public string? Version { get; init; }
}
public sealed record class RuntimeWorkload
{
public required string Platform { get; init; }
[JsonPropertyName("namespace")]
public string? Namespace { get; init; }
public string? Pod { get; init; }
public string? Container { get; init; }
public string? ContainerId { get; init; }
public string? ImageRef { get; init; }
public RuntimeWorkloadOwner? Owner { get; init; }
}
public sealed record class RuntimeWorkloadOwner
{
public string? Kind { get; init; }
public string? Name { get; init; }
}
public sealed record class RuntimeProcess
{
public int Pid { get; init; }
public IReadOnlyList<string> Entrypoint { get; init; } = Array.Empty<string>();
[JsonPropertyName("entryTrace")]
public IReadOnlyList<RuntimeEntryTrace> EntryTrace { get; init; } = Array.Empty<RuntimeEntryTrace>();
public string? BuildId { get; init; }
}
public sealed record class RuntimeEntryTrace
{
public string? File { get; init; }
public int? Line { get; init; }
public string? Op { get; init; }
public string? Target { get; init; }
}
public sealed record class RuntimeLoadedLibrary
{
public required string Path { get; init; }
public long? Inode { get; init; }
public string? Sha256 { get; init; }
}
public sealed record class RuntimePosture
{
public bool? ImageSigned { get; init; }
public string? SbomReferrer { get; init; }
public RuntimeAttestation? Attestation { get; init; }
}
public sealed record class RuntimeAttestation
{
public string? Uuid { get; init; }
public bool? Verified { get; init; }
}
public sealed record class RuntimeDelta
{
public string? BaselineImageDigest { get; init; }
public IReadOnlyList<string> ChangedFiles { get; init; } = Array.Empty<string>();
public IReadOnlyList<RuntimeNewBinary> NewBinaries { get; init; } = Array.Empty<RuntimeNewBinary>();
}
public sealed record class RuntimeNewBinary
{
public required string Path { get; init; }
public string? Sha256 { get; init; }
}
public sealed record class RuntimeEvidence
{
public required string Signal { get; init; }
public string? Value { get; init; }
}

173
src/Zastava/__Libraries/StellaOps.Zastava.Core/Contracts/ZastavaContractVersions.cs Normal file
View File

@@ -0,0 +1,173 @@
namespace StellaOps.Zastava.Core.Contracts;
/// <summary>
/// Centralises schema identifiers and version negotiation rules for Zastava contracts.
/// </summary>
public static class ZastavaContractVersions
{
/// <summary>
/// Current local runtime event contract (major version 1).
/// </summary>
public static ContractVersion RuntimeEvent { get; } = new("zastava.runtime.event", new Version(1, 0));
/// <summary>
/// Current local admission decision contract (major version 1).
/// </summary>
public static ContractVersion AdmissionDecision { get; } = new("zastava.admission.decision", new Version(1, 0));
/// <summary>
/// Determines whether the provided schema string is supported for runtime events.
/// </summary>
public static bool IsRuntimeEventSupported(string schemaVersion)
=> ContractVersion.TryParse(schemaVersion, out var candidate) && candidate.IsCompatibleWith(RuntimeEvent);
/// <summary>
/// Determines whether the provided schema string is supported for admission decisions.
/// </summary>
public static bool IsAdmissionDecisionSupported(string schemaVersion)
=> ContractVersion.TryParse(schemaVersion, out var candidate) && candidate.IsCompatibleWith(AdmissionDecision);
/// <summary>
/// Selects the newest runtime event contract shared between the local implementation and a remote peer.
/// </summary>
public static ContractVersion NegotiateRuntimeEvent(IEnumerable<string> offeredSchemaVersions)
=> Negotiate(RuntimeEvent, offeredSchemaVersions);
/// <summary>
/// Selects the newest admission decision contract shared between the local implementation and a remote peer.
/// </summary>
public static ContractVersion NegotiateAdmissionDecision(IEnumerable<string> offeredSchemaVersions)
=> Negotiate(AdmissionDecision, offeredSchemaVersions);
private static ContractVersion Negotiate(ContractVersion local, IEnumerable<string> offered)
{
ArgumentNullException.ThrowIfNull(offered);
ContractVersion? best = null;
foreach (var entry in offered)
{
if (!ContractVersion.TryParse(entry, out var candidate))
{
continue;
}
if (!candidate.Schema.Equals(local.Schema, StringComparison.Ordinal))
{
continue;
}
if (candidate.Version.Major != local.Version.Major)
{
continue;
}
if (candidate.Version > local.Version)
{
continue;
}
if (best is null || candidate.Version > best.Value.Version)
{
best = candidate;
}
}
return best ?? local;
}
/// <summary>
/// Represents a schema + semantic version pairing in canonical form.
/// </summary>
public readonly record struct ContractVersion
{
public ContractVersion(string schema, Version version)
{
if (string.IsNullOrWhiteSpace(schema))
{
throw new ArgumentException("Schema cannot be null or whitespace.", nameof(schema));
}
Schema = schema.Trim();
Version = new Version(Math.Max(version.Major, 0), Math.Max(version.Minor, 0));
}
/// <summary>
/// Schema identifier (e.g. <c>zastava.runtime.event</c>).
/// </summary>
public string Schema { get; }
/// <summary>
/// Major/minor version recognised by the implementation.
/// </summary>
public Version Version { get; }
/// <summary>
/// Canonical string representation (schema@vMajor.Minor).
/// </summary>
public override string ToString()
=> $"{Schema}@v{Version.ToString(2)}";
/// <summary>
/// Determines whether a remote contract is compatible with the local definition.
/// </summary>
public bool IsCompatibleWith(ContractVersion local)
{
if (!Schema.Equals(local.Schema, StringComparison.Ordinal))
{
return false;
}
if (Version.Major != local.Version.Major)
{
return false;
}
return Version <= local.Version;
}
/// <summary>
/// Attempts to parse a schema string in canonical format.
/// </summary>
public static bool TryParse(string? value, out ContractVersion contract)
{
contract = default;
if (string.IsNullOrWhiteSpace(value))
{
return false;
}
var trimmed = value.Trim();
var separator = trimmed.IndexOf('@');
if (separator < 0)
{
return false;
}
var schema = trimmed[..separator];
if (!schema.Contains('.', StringComparison.Ordinal))
{
return false;
}
var versionToken = trimmed[(separator + 1)..];
if (versionToken.Length == 0)
{
return false;
}
if (versionToken[0] is 'v' or 'V')
{
versionToken = versionToken[1..];
}
if (!Version.TryParse(versionToken, out var parsed))
{
return false;
}
var canonical = new Version(Math.Max(parsed.Major, 0), Math.Max(parsed.Minor, 0));
contract = new ContractVersion(schema, canonical);
return true;
}
}
}

98
src/Zastava/__Libraries/StellaOps.Zastava.Core/DependencyInjection/ZastavaServiceCollectionExtensions.cs Normal file
View File

@@ -0,0 +1,98 @@
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Auth.Client;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Diagnostics;
using StellaOps.Zastava.Core.Security;
namespace Microsoft.Extensions.DependencyInjection;
public static class ZastavaServiceCollectionExtensions
{
public static IServiceCollection AddZastavaRuntimeCore(
this IServiceCollection services,
IConfiguration configuration,
string componentName)
{
ArgumentNullException.ThrowIfNull(services);
ArgumentNullException.ThrowIfNull(configuration);
if (string.IsNullOrWhiteSpace(componentName))
{
throw new ArgumentException("Component name is required.", nameof(componentName));
}
services.AddOptions<ZastavaRuntimeOptions>()
.Bind(configuration.GetSection(ZastavaRuntimeOptions.SectionName))
.ValidateDataAnnotations()
.Validate(static options => !string.IsNullOrWhiteSpace(options.Tenant), "Tenant is required.")
.Validate(static options => !string.IsNullOrWhiteSpace(options.Environment), "Environment is required.")
.PostConfigure(options =>
{
if (string.IsNullOrWhiteSpace(options.Component))
{
options.Component = componentName;
}
})
.ValidateOnStart();
services.TryAddEnumerable(ServiceDescriptor.Singleton<IConfigureOptions<LoggerFactoryOptions>, ZastavaLoggerFactoryOptionsConfigurator>());
services.TryAddSingleton<IZastavaLogScopeBuilder, ZastavaLogScopeBuilder>();
services.TryAddSingleton<IZastavaRuntimeMetrics, ZastavaRuntimeMetrics>();
ConfigureAuthorityServices(services, configuration);
services.TryAddSingleton<IZastavaAuthorityTokenProvider, ZastavaAuthorityTokenProvider>();
return services;
}
private static void ConfigureAuthorityServices(IServiceCollection services, IConfiguration configuration)
{
var authoritySection = configuration.GetSection($"{ZastavaRuntimeOptions.SectionName}:authority");
var authorityOptions = new ZastavaAuthorityOptions();
authoritySection.Bind(authorityOptions);
services.AddStellaOpsAuthClient(options =>
{
options.Authority = authorityOptions.Issuer.ToString();
options.ClientId = authorityOptions.ClientId;
options.ClientSecret = authorityOptions.ClientSecret;
options.AllowOfflineCacheFallback = authorityOptions.AllowStaticTokenFallback;
options.ExpirationSkew = TimeSpan.FromSeconds(Math.Clamp(authorityOptions.RefreshSkewSeconds, 0, 300));
options.DefaultScopes.Clear();
var normalized = new SortedSet<string>(StringComparer.Ordinal);
if (authorityOptions.Audience is not null)
{
foreach (var audience in authorityOptions.Audience)
{
if (string.IsNullOrWhiteSpace(audience))
{
continue;
}
normalized.Add($"aud:{audience.Trim().ToLowerInvariant()}");
}
}
if (authorityOptions.Scopes is not null)
{
foreach (var scope in authorityOptions.Scopes)
{
if (!string.IsNullOrWhiteSpace(scope))
{
normalized.Add(scope.Trim());
}
}
}
foreach (var scope in normalized)
{
options.DefaultScopes.Add(scope);
}
});
}
}

90
src/Zastava/__Libraries/StellaOps.Zastava.Core/Diagnostics/ZastavaLogScopeBuilder.cs Normal file
View File

@@ -0,0 +1,90 @@
using System.Linq;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
namespace StellaOps.Zastava.Core.Diagnostics;
public interface IZastavaLogScopeBuilder
{
/// <summary>
/// Builds a deterministic logging scope containing tenant/component metadata.
/// </summary>
IReadOnlyDictionary<string, object?> BuildScope(
string? correlationId = null,
string? node = null,
string? workload = null,
string? eventId = null,
IReadOnlyDictionary<string, string>? additional = null);
}
internal sealed class ZastavaLogScopeBuilder : IZastavaLogScopeBuilder
{
private readonly ZastavaRuntimeOptions options;
private readonly IReadOnlyDictionary<string, string> staticScope;
public ZastavaLogScopeBuilder(IOptions<ZastavaRuntimeOptions> options)
{
ArgumentNullException.ThrowIfNull(options);
this.options = options.Value;
staticScope = (this.options.Logging.StaticScope ?? new Dictionary<string, string>(StringComparer.Ordinal))
.ToImmutableDictionary(pair => pair.Key, pair => pair.Value, StringComparer.Ordinal);
}
public IReadOnlyDictionary<string, object?> BuildScope(
string? correlationId = null,
string? node = null,
string? workload = null,
string? eventId = null,
IReadOnlyDictionary<string, string>? additional = null)
{
var scope = new Dictionary<string, object?>(StringComparer.Ordinal)
{
["tenant"] = options.Tenant,
["component"] = options.Component,
["environment"] = options.Environment
};
if (!string.IsNullOrWhiteSpace(options.Deployment))
{
scope["deployment"] = options.Deployment;
}
foreach (var pair in staticScope)
{
scope[pair.Key] = pair.Value;
}
if (!string.IsNullOrWhiteSpace(correlationId))
{
scope["correlationId"] = correlationId;
}
if (!string.IsNullOrWhiteSpace(node))
{
scope["node"] = node;
}
if (!string.IsNullOrWhiteSpace(workload))
{
scope["workload"] = workload;
}
if (!string.IsNullOrWhiteSpace(eventId))
{
scope["eventId"] = eventId;
}
if (additional is not null)
{
foreach (var pair in additional)
{
if (!string.IsNullOrWhiteSpace(pair.Key))
{
scope[pair.Key] = pair.Value;
}
}
}
return scope.ToImmutableDictionary(StringComparer.Ordinal);
}
}

30
src/Zastava/__Libraries/StellaOps.Zastava.Core/Diagnostics/ZastavaLoggerFactoryOptionsConfigurator.cs Normal file
View File

@@ -0,0 +1,30 @@
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
namespace StellaOps.Zastava.Core.Diagnostics;
internal sealed class ZastavaLoggerFactoryOptionsConfigurator : IConfigureOptions<LoggerFactoryOptions>
{
private readonly IOptions<ZastavaRuntimeOptions> options;
public ZastavaLoggerFactoryOptionsConfigurator(IOptions<ZastavaRuntimeOptions> options)
{
ArgumentNullException.ThrowIfNull(options);
this.options = options;
}
public void Configure(LoggerFactoryOptions options)
{
ArgumentNullException.ThrowIfNull(options);
var runtimeOptions = this.options.Value;
if (runtimeOptions.Logging.IncludeActivityTracking)
{
options.ActivityTrackingOptions |= ActivityTrackingOptions.TraceId | ActivityTrackingOptions.SpanId | ActivityTrackingOptions.ParentId;
}
else if (runtimeOptions.Logging.IncludeScopes)
{
options.ActivityTrackingOptions |= ActivityTrackingOptions.TraceId | ActivityTrackingOptions.SpanId;
}
}
}

78
src/Zastava/__Libraries/StellaOps.Zastava.Core/Diagnostics/ZastavaRuntimeMetrics.cs Normal file
View File

@@ -0,0 +1,78 @@
using System.Linq;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
namespace StellaOps.Zastava.Core.Diagnostics;
public interface IZastavaRuntimeMetrics : IDisposable
{
Meter Meter { get; }
Counter<long> RuntimeEvents { get; }
Counter<long> AdmissionDecisions { get; }
Histogram<double> BackendLatencyMs { get; }
IReadOnlyList<KeyValuePair<string, object?>> DefaultTags { get; }
}
internal sealed class ZastavaRuntimeMetrics : IZastavaRuntimeMetrics
{
private readonly Meter meter;
private readonly IReadOnlyList<KeyValuePair<string, object?>> defaultTags;
private readonly bool enabled;
public ZastavaRuntimeMetrics(IOptions<ZastavaRuntimeOptions> options)
{
ArgumentNullException.ThrowIfNull(options);
var runtimeOptions = options.Value;
var metrics = runtimeOptions.Metrics ?? new ZastavaRuntimeMetricsOptions();
enabled = metrics.Enabled;
meter = new Meter(metrics.MeterName, metrics.MeterVersion);
RuntimeEvents = meter.CreateCounter<long>("zastava.runtime.events.total", unit: "1", description: "Total runtime events emitted by observers.");
AdmissionDecisions = meter.CreateCounter<long>("zastava.admission.decisions.total", unit: "1", description: "Total admission decisions returned by the webhook.");
BackendLatencyMs = meter.CreateHistogram<double>("zastava.runtime.backend.latency.ms", unit: "ms", description: "Round-trip latency to Scanner backend APIs.");
var baseline = new List<KeyValuePair<string, object?>>
{
new("tenant", runtimeOptions.Tenant),
new("component", runtimeOptions.Component),
new("environment", runtimeOptions.Environment)
};
if (!string.IsNullOrWhiteSpace(runtimeOptions.Deployment))
{
baseline.Add(new("deployment", runtimeOptions.Deployment));
}
if (metrics.CommonTags is not null)
{
foreach (var pair in metrics.CommonTags)
{
if (!string.IsNullOrWhiteSpace(pair.Key))
{
baseline.Add(new(pair.Key, pair.Value));
}
}
}
defaultTags = baseline.ToImmutableArray();
}
public Meter Meter => meter;
public Counter<long> RuntimeEvents { get; }
public Counter<long> AdmissionDecisions { get; }
public Histogram<double> BackendLatencyMs { get; }
public IReadOnlyList<KeyValuePair<string, object?>> DefaultTags => defaultTags;
public void Dispose()
{
if (enabled)
{
meter.Dispose();
}
}
}

10
src/Zastava/__Libraries/StellaOps.Zastava.Core/GlobalUsings.cs Normal file
View File

@@ -0,0 +1,10 @@
global using System.Collections.Generic;
global using System.Collections.Immutable;
global using System.Diagnostics;
global using System.Diagnostics.Metrics;
global using System.Security.Cryptography;
global using System.Text;
global using System.Text.Json;
global using System.Text.Json.Serialization;
global using System.Text.Json.Serialization.Metadata;
global using System.Globalization;

59
src/Zastava/__Libraries/StellaOps.Zastava.Core/Hashing/ZastavaHashing.cs Normal file
View File

@@ -0,0 +1,59 @@
using StellaOps.Zastava.Core.Serialization;
namespace StellaOps.Zastava.Core.Hashing;
/// <summary>
/// Produces deterministic multihashes for runtime and admission payloads.
/// </summary>
public static class ZastavaHashing
{
public const string DefaultAlgorithm = "sha256";
/// <summary>
/// Serialises the payload using canonical options and computes a multihash string.
/// </summary>
public static string ComputeMultihash<T>(T value, string? algorithm = null)
{
ArgumentNullException.ThrowIfNull(value);
var bytes = ZastavaCanonicalJsonSerializer.SerializeToUtf8Bytes(value);
return ComputeMultihash(bytes, algorithm);
}
/// <summary>
/// Computes a multihash string from the provided payload.
/// </summary>
public static string ComputeMultihash(ReadOnlySpan<byte> payload, string? algorithm = null)
{
var normalized = NormalizeAlgorithm(algorithm);
var digest = normalized switch
{
"sha256" => SHA256.HashData(payload),
"sha512" => SHA512.HashData(payload),
_ => throw new NotSupportedException($"Hash algorithm '{normalized}' is not supported.")
};
return $"{normalized}-{ToBase64Url(digest)}";
}
private static string NormalizeAlgorithm(string? algorithm)
{
if (string.IsNullOrWhiteSpace(algorithm))
{
return DefaultAlgorithm;
}
var normalized = algorithm.Trim().ToLowerInvariant();
return normalized switch
{
"sha-256" or "sha256" => "sha256",
"sha-512" or "sha512" => "sha512",
_ => normalized
};
}
private static string ToBase64Url(ReadOnlySpan<byte> bytes)
{
var base64 = Convert.ToBase64String(bytes);
return base64.TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
}

3
src/Zastava/__Libraries/StellaOps.Zastava.Core/Properties/AssemblyInfo.cs Normal file
View File

@@ -0,0 +1,3 @@
using System.Runtime.CompilerServices;
[assembly: InternalsVisibleTo("StellaOps.Zastava.Core.Tests")]

14
src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/IZastavaAuthorityTokenProvider.cs Normal file
View File

@@ -0,0 +1,14 @@
namespace StellaOps.Zastava.Core.Security;
public interface IZastavaAuthorityTokenProvider
{
ValueTask<ZastavaOperationalToken> GetAsync(
string audience,
IEnumerable<string>? additionalScopes = null,
CancellationToken cancellationToken = default);
ValueTask InvalidateAsync(
string audience,
IEnumerable<string>? additionalScopes = null,
CancellationToken cancellationToken = default);
}

314
src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaAuthorityTokenProvider.cs Normal file
View File

@@ -0,0 +1,314 @@
using System.Collections.Concurrent;
using System.Globalization;
using System.IO;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Auth.Client;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Diagnostics;
namespace StellaOps.Zastava.Core.Security;
internal sealed class ZastavaAuthorityTokenProvider : IZastavaAuthorityTokenProvider
{
private readonly IStellaOpsTokenClient tokenClient;
private readonly IOptionsMonitor<ZastavaRuntimeOptions> optionsMonitor;
private readonly IZastavaLogScopeBuilder scopeBuilder;
private readonly TimeProvider timeProvider;
private readonly ILogger<ZastavaAuthorityTokenProvider> logger;
private readonly ConcurrentDictionary<string, CacheEntry> cache = new(StringComparer.Ordinal);
private readonly ConcurrentDictionary<string, SemaphoreSlim> locks = new(StringComparer.Ordinal);
private readonly object guardrailLock = new();
private bool guardrailsLogged;
private ZastavaOperationalToken? staticFallbackToken;
public ZastavaAuthorityTokenProvider(
IStellaOpsTokenClient tokenClient,
IOptionsMonitor<ZastavaRuntimeOptions> optionsMonitor,
IZastavaLogScopeBuilder scopeBuilder,
TimeProvider? timeProvider = null,
ILogger<ZastavaAuthorityTokenProvider>? logger = null)
{
this.tokenClient = tokenClient ?? throw new ArgumentNullException(nameof(tokenClient));
this.optionsMonitor = optionsMonitor ?? throw new ArgumentNullException(nameof(optionsMonitor));
this.scopeBuilder = scopeBuilder ?? throw new ArgumentNullException(nameof(scopeBuilder));
this.timeProvider = timeProvider ?? TimeProvider.System;
this.logger = logger ?? NullLogger<ZastavaAuthorityTokenProvider>.Instance;
}
public async ValueTask<ZastavaOperationalToken> GetAsync(
string audience,
IEnumerable<string>? additionalScopes = null,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(audience);
var options = optionsMonitor.CurrentValue.Authority;
EnsureGuardrails(options);
if (options.AllowStaticTokenFallback && TryGetStaticToken(options) is { } staticToken)
{
return staticToken;
}
var normalizedAudience = NormalizeAudience(audience);
var normalizedScopes = BuildScopes(options, normalizedAudience, additionalScopes);
var cacheKey = BuildCacheKey(normalizedAudience, normalizedScopes);
var refreshSkew = GetRefreshSkew(options);
if (cache.TryGetValue(cacheKey, out var cached) && !cached.Token.IsExpired(timeProvider, refreshSkew))
{
return cached.Token;
}
var mutex = locks.GetOrAdd(cacheKey, static _ => new SemaphoreSlim(1, 1));
await mutex.WaitAsync(cancellationToken).ConfigureAwait(false);
try
{
if (cache.TryGetValue(cacheKey, out cached) && !cached.Token.IsExpired(timeProvider, refreshSkew))
{
return cached.Token;
}
var scopeString = string.Join(' ', normalizedScopes);
var tokenResult = await tokenClient.RequestClientCredentialsTokenAsync(scopeString, null, cancellationToken).ConfigureAwait(false);
ValidateToken(tokenResult, options, normalizedAudience);
var token = ZastavaOperationalToken.FromResult(
tokenResult.AccessToken,
tokenResult.TokenType,
tokenResult.ExpiresAtUtc,
tokenResult.Scopes);
cache[cacheKey] = new CacheEntry(token);
var scope = scopeBuilder.BuildScope(
correlationId: null,
node: null,
workload: null,
eventId: "authority.token.issue",
additional: new Dictionary<string, string>
{
["audience"] = normalizedAudience,
["expiresAt"] = token.ExpiresAtUtc?.ToString("O", CultureInfo.InvariantCulture) ?? "static",
["scopes"] = scopeString
});
using (logger.BeginScope(scope))
{
logger.LogInformation("Issued runtime OpTok for {Audience} (scopes: {Scopes}).", normalizedAudience, scopeString);
}
return token;
}
catch (Exception ex) when (options.AllowStaticTokenFallback && TryGetStaticToken(options) is { } fallback)
{
var scope = scopeBuilder.BuildScope(
eventId: "authority.token.fallback",
additional: new Dictionary<string, string>
{
["audience"] = audience
});
using (logger.BeginScope(scope))
{
logger.LogWarning(ex, "Authority token acquisition failed; using static fallback token.");
}
return fallback;
}
finally
{
mutex.Release();
}
}
public ValueTask InvalidateAsync(
string audience,
IEnumerable<string>? additionalScopes = null,
CancellationToken cancellationToken = default)
{
ArgumentException.ThrowIfNullOrWhiteSpace(audience);
var normalizedAudience = NormalizeAudience(audience);
var normalizedScopes = BuildScopes(optionsMonitor.CurrentValue.Authority, normalizedAudience, additionalScopes);
var cacheKey = BuildCacheKey(normalizedAudience, normalizedScopes);
cache.TryRemove(cacheKey, out _);
if (locks.TryRemove(cacheKey, out var mutex))
{
mutex.Dispose();
}
var scope = scopeBuilder.BuildScope(
eventId: "authority.token.invalidate",
additional: new Dictionary<string, string>
{
["audience"] = normalizedAudience,
["cacheKey"] = cacheKey
});
using (logger.BeginScope(scope))
{
logger.LogInformation("Invalidated runtime OpTok cache entry.");
}
return ValueTask.CompletedTask;
}
private void EnsureGuardrails(ZastavaAuthorityOptions options)
{
if (guardrailsLogged)
{
return;
}
lock (guardrailLock)
{
if (guardrailsLogged)
{
return;
}
var scope = scopeBuilder.BuildScope(eventId: "authority.guardrails");
using (logger.BeginScope(scope))
{
if (!options.RequireMutualTls)
{
logger.LogWarning("Mutual TLS requirement disabled for Authority token acquisition. This should only be used in controlled test environments.");
}
if (!options.RequireDpop)
{
logger.LogWarning("DPoP requirement disabled for runtime plane. Tokens will be issued without proof-of-possession.");
}
if (options.AllowStaticTokenFallback)
{
logger.LogWarning("Static Authority token fallback enabled. Ensure bootstrap tokens are rotated frequently.");
}
}
guardrailsLogged = true;
}
}
private ZastavaOperationalToken? TryGetStaticToken(ZastavaAuthorityOptions options)
{
if (!options.AllowStaticTokenFallback)
{
return null;
}
if (options.StaticTokenValue is null && options.StaticTokenPath is null)
{
return null;
}
if (staticFallbackToken is { } cached)
{
return cached;
}
lock (guardrailLock)
{
if (staticFallbackToken is { } existing)
{
return existing;
}
var tokenValue = options.StaticTokenValue;
if (string.IsNullOrWhiteSpace(tokenValue) && !string.IsNullOrWhiteSpace(options.StaticTokenPath))
{
if (!File.Exists(options.StaticTokenPath))
{
throw new FileNotFoundException("Static Authority token file not found.", options.StaticTokenPath);
}
tokenValue = File.ReadAllText(options.StaticTokenPath);
}
if (string.IsNullOrWhiteSpace(tokenValue))
{
throw new InvalidOperationException("Static Authority token fallback is enabled but no token value/path is configured.");
}
staticFallbackToken = ZastavaOperationalToken.FromResult(
tokenValue.Trim(),
tokenType: "Bearer",
expiresAtUtc: null,
scopes: Array.Empty<string>());
return staticFallbackToken;
}
}
private void ValidateToken(StellaOpsTokenResult tokenResult, ZastavaAuthorityOptions options, string normalizedAudience)
{
if (options.RequireDpop && !string.Equals(tokenResult.TokenType, "DPoP", StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException("Authority returned a token without DPoP token type while RequireDpop is enabled.");
}
if (tokenResult.Scopes is not null)
{
var audienceScope = $"aud:{normalizedAudience}";
if (!tokenResult.Scopes.Contains(audienceScope, StringComparer.OrdinalIgnoreCase))
{
throw new InvalidOperationException($"Authority token missing required audience scope '{audienceScope}'.");
}
}
}
private static string NormalizeAudience(string audience)
=> audience.Trim().ToLowerInvariant();
private static IReadOnlyList<string> BuildScopes(
ZastavaAuthorityOptions options,
string normalizedAudience,
IEnumerable<string>? additionalScopes)
{
var scopeSet = new SortedSet<string>(StringComparer.Ordinal)
{
$"aud:{normalizedAudience}"
};
if (options.Scopes is not null)
{
foreach (var scope in options.Scopes)
{
if (!string.IsNullOrWhiteSpace(scope))
{
scopeSet.Add(scope.Trim());
}
}
}
if (additionalScopes is not null)
{
foreach (var scope in additionalScopes)
{
if (!string.IsNullOrWhiteSpace(scope))
{
scopeSet.Add(scope.Trim());
}
}
}
return scopeSet.ToArray();
}
private static string BuildCacheKey(string audience, IReadOnlyList<string> scopes)
=> Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes($"{audience}|{string.Join(' ', scopes)}")));
private static TimeSpan GetRefreshSkew(ZastavaAuthorityOptions options)
{
var seconds = Math.Clamp(options.RefreshSkewSeconds, 0, 3600);
return TimeSpan.FromSeconds(seconds);
}
private readonly record struct CacheEntry(ZastavaOperationalToken Token);
}

70
src/Zastava/__Libraries/StellaOps.Zastava.Core/Security/ZastavaOperationalToken.cs Normal file
View File

@@ -0,0 +1,70 @@
using System.Collections.ObjectModel;
using System.Linq;
namespace StellaOps.Zastava.Core.Security;
public readonly record struct ZastavaOperationalToken(
string AccessToken,
string TokenType,
DateTimeOffset? ExpiresAtUtc,
IReadOnlyList<string> Scopes)
{
public bool IsExpired(TimeProvider timeProvider, TimeSpan refreshSkew)
{
ArgumentNullException.ThrowIfNull(timeProvider);
if (ExpiresAtUtc is null)
{
return false;
}
return timeProvider.GetUtcNow() >= ExpiresAtUtc.Value - refreshSkew;
}
public static ZastavaOperationalToken FromResult(
string accessToken,
string tokenType,
DateTimeOffset? expiresAtUtc,
IEnumerable<string> scopes)
{
ArgumentException.ThrowIfNullOrWhiteSpace(accessToken);
ArgumentException.ThrowIfNullOrWhiteSpace(tokenType);
IReadOnlyList<string> normalized = scopes switch
{
null => Array.Empty<string>(),
IReadOnlyList<string> readOnly => readOnly.Count == 0 ? Array.Empty<string>() : readOnly,
ICollection<string> collection => NormalizeCollection(collection),
_ => NormalizeEnumerable(scopes)
};
return new ZastavaOperationalToken(
accessToken,
tokenType,
expiresAtUtc,
normalized);
}
private static IReadOnlyList<string> NormalizeCollection(ICollection<string> collection)
{
if (collection.Count == 0)
{
return Array.Empty<string>();
}
if (collection is IReadOnlyList<string> readOnly)
{
return readOnly;
}
var buffer = new string[collection.Count];
collection.CopyTo(buffer, 0);
return new ReadOnlyCollection<string>(buffer);
}
private static IReadOnlyList<string> NormalizeEnumerable(IEnumerable<string> scopes)
{
var buffer = scopes.ToArray();
return buffer.Length == 0 ? Array.Empty<string>() : new ReadOnlyCollection<string>(buffer);
}
}

119
src/Zastava/__Libraries/StellaOps.Zastava.Core/Serialization/ZastavaCanonicalJsonSerializer.cs Normal file
View File

@@ -0,0 +1,119 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Encodings.Web;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Text.Json.Serialization.Metadata;
using StellaOps.Zastava.Core.Contracts;
namespace StellaOps.Zastava.Core.Serialization;
/// <summary>
/// Deterministic serializer used for runtime/admission contracts.
/// </summary>
public static class ZastavaCanonicalJsonSerializer
{
private static readonly JsonSerializerOptions CompactOptions = CreateOptions(writeIndented: false);
private static readonly JsonSerializerOptions PrettyOptions = CreateOptions(writeIndented: true);
private static readonly IReadOnlyDictionary<Type, string[]> PropertyOrderOverrides = new Dictionary<Type, string[]>
{
{ typeof(RuntimeEventEnvelope), new[] { "schemaVersion", "event" } },
{ typeof(RuntimeEvent), new[] { "eventId", "when", "kind", "tenant", "node", "runtime", "workload", "process", "loadedLibs", "posture", "delta", "evidence", "annotations" } },
{ typeof(RuntimeEngine), new[] { "engine", "version" } },
{ typeof(RuntimeWorkload), new[] { "platform", "namespace", "pod", "container", "containerId", "imageRef", "owner" } },
{ typeof(RuntimeWorkloadOwner), new[] { "kind", "name" } },
{ typeof(RuntimeProcess), new[] { "pid", "entrypoint", "entryTrace", "buildId" } },
{ typeof(RuntimeEntryTrace), new[] { "file", "line", "op", "target" } },
{ typeof(RuntimeLoadedLibrary), new[] { "path", "inode", "sha256" } },
{ typeof(RuntimePosture), new[] { "imageSigned", "sbomReferrer", "attestation" } },
{ typeof(RuntimeAttestation), new[] { "uuid", "verified" } },
{ typeof(RuntimeDelta), new[] { "baselineImageDigest", "changedFiles", "newBinaries" } },
{ typeof(RuntimeNewBinary), new[] { "path", "sha256" } },
{ typeof(RuntimeEvidence), new[] { "signal", "value" } },
{ typeof(AdmissionDecisionEnvelope), new[] { "schemaVersion", "decision" } },
{ typeof(AdmissionDecision), new[] { "admissionId", "namespace", "podSpecDigest", "images", "decision", "ttlSeconds", "annotations" } },
{ typeof(AdmissionImageVerdict), new[] { "name", "resolved", "signed", "hasSbomReferrers", "policyVerdict", "reasons", "rekor", "metadata" } },
{ typeof(AdmissionRekorEvidence), new[] { "uuid", "verified" } },
{ typeof(ZastavaContractVersions.ContractVersion), new[] { "schema", "version" } }
};
public static string Serialize<T>(T value)
=> JsonSerializer.Serialize(value, CompactOptions);
public static string SerializeIndented<T>(T value)
=> JsonSerializer.Serialize(value, PrettyOptions);
public static byte[] SerializeToUtf8Bytes<T>(T value)
=> JsonSerializer.SerializeToUtf8Bytes(value, CompactOptions);
public static T Deserialize<T>(string json)
=> JsonSerializer.Deserialize<T>(json, CompactOptions)!;
private static JsonSerializerOptions CreateOptions(bool writeIndented)
{
var options = new JsonSerializerOptions
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DictionaryKeyPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
WriteIndented = writeIndented,
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
};
var baselineResolver = options.TypeInfoResolver ?? new DefaultJsonTypeInfoResolver();
options.TypeInfoResolver = new DeterministicTypeInfoResolver(baselineResolver);
options.Converters.Add(new JsonStringEnumConverter(JsonNamingPolicy.CamelCase, allowIntegerValues: false));
return options;
}
private sealed class DeterministicTypeInfoResolver : IJsonTypeInfoResolver
{
private readonly IJsonTypeInfoResolver inner;
public DeterministicTypeInfoResolver(IJsonTypeInfoResolver inner)
{
this.inner = inner ?? throw new ArgumentNullException(nameof(inner));
}
public JsonTypeInfo GetTypeInfo(Type type, JsonSerializerOptions options)
{
var info = inner.GetTypeInfo(type, options);
if (info is null)
{
throw new InvalidOperationException($"Unable to resolve JsonTypeInfo for '{type}'.");
}
if (info.Kind is JsonTypeInfoKind.Object && info.Properties is { Count: > 1 })
{
var ordered = info.Properties
.OrderBy(property => GetPropertyOrder(type, property.Name))
.ThenBy(property => property.Name, StringComparer.Ordinal)
.ToArray();
info.Properties.Clear();
foreach (var property in ordered)
{
info.Properties.Add(property);
}
}
return info;
}
private static int GetPropertyOrder(Type type, string propertyName)
{
if (PropertyOrderOverrides.TryGetValue(type, out var order))
{
var index = Array.IndexOf(order, propertyName);
if (index >= 0)
{
return index;
}
}
return int.MaxValue;
}
}
}

21
src/Zastava/__Libraries/StellaOps.Zastava.Core/StellaOps.Zastava.Core.csproj Normal file
View File

@@ -0,0 +1,21 @@
<?xml version='1.0' encoding='utf-8'?>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0-rc.2.25502.107" />
<PackageReference Include="Microsoft.Extensions.Diagnostics.Abstractions" Version="10.0.0-rc.2.25502.107" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="../../../Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOps.Auth.Client.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.Auth.Security/StellaOps.Auth.Security.csproj" />
</ItemGroup>
</Project>

10
src/Zastava/__Libraries/StellaOps.Zastava.Core/TASKS.md Normal file
View File

@@ -0,0 +1,10 @@
# Zastava Core Task Board
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| ZASTAVA-CORE-12-201 | DONE (2025-10-23) | Zastava Core Guild | — | Define runtime event/admission DTOs, hashing helpers, and versioning strategy. | DTOs cover runtime events and admission verdict envelopes with canonical JSON schema; hashing helpers accept payloads and yield deterministic multihash outputs; version negotiation rules documented and exercised by serialization tests. |
| ZASTAVA-CORE-12-202 | DONE (2025-10-23) | Zastava Core Guild | — | Provide configuration/logging/metrics utilities shared by Observer/Webhook. | Shared options bind from configuration with validation; logging scopes/metrics exporters registered via reusable DI extension; integration test host demonstrates Observer/Webhook consumption with deterministic instrumentation. |
| ZASTAVA-CORE-12-203 | DONE (2025-10-23) | Zastava Core Guild | — | Authority client helpers, OpTok caching, and security guardrails for runtime services. | Typed Authority client surfaces OpTok retrieval + renewal with configurable cache; guardrails enforce DPoP/mTLS expectations and emit structured audit logs; negative-path tests cover expired/invalid tokens and configuration toggles. |
| ZASTAVA-OPS-12-204 | DONE (2025-10-23) | Zastava Core Guild | — | Operational runbooks, alert rules, and dashboard exports for runtime plane. | Runbooks capture install/upgrade/rollback + incident handling; alert rules and dashboard JSON exported for Prometheus/Grafana bundle; docs reference Offline Kit packaging and verification checklist. |
> Remark (2025-10-19): Prerequisites reviewed—none outstanding. ZASTAVA-CORE-12-201, ZASTAVA-CORE-12-202, ZASTAVA-CORE-12-203, and ZASTAVA-OPS-12-204 moved to DOING for Wave 0 kickoff.

101
src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Contracts/ZastavaContractVersionsTests.cs Normal file
View File

@@ -0,0 +1,101 @@
using StellaOps.Zastava.Core.Contracts;
namespace StellaOps.Zastava.Core.Tests.Contracts;
public sealed class ZastavaContractVersionsTests
{
[Theory]
[InlineData("zastava.runtime.event@v1.0", "zastava.runtime.event", 1, 0)]
[InlineData("zastava.admission.decision@v1.2", "zastava.admission.decision", 1, 2)]
public void TryParse_ParsesCanonicalForms(string input, string schema, int major, int minor)
{
var success = ZastavaContractVersions.ContractVersion.TryParse(input, out var contract);
Assert.True(success);
Assert.Equal(schema, contract.Schema);
Assert.Equal(new Version(major, minor), contract.Version);
Assert.Equal($"{schema}@v{major}.{minor}", contract.ToString());
}
[Theory]
[InlineData("")]
[InlineData("zastava.runtime.event")]
[InlineData("runtime@1.0")]
[InlineData("zastava.runtime.event@vinvalid")]
public void TryParse_InvalidInputs_ReturnsFalse(string input)
{
var success = ZastavaContractVersions.ContractVersion.TryParse(input, out _);
Assert.False(success);
}
[Fact]
public void IsRuntimeEventSupported_RespectsMajorCompatibility()
{
Assert.True(ZastavaContractVersions.ContractVersion.TryParse("zastava.runtime.event@v1.0", out var candidate));
Assert.True(candidate.IsCompatibleWith(ZastavaContractVersions.RuntimeEvent), $"Candidate {candidate} incompatible with {ZastavaContractVersions.RuntimeEvent}");
Assert.True(ZastavaContractVersions.IsRuntimeEventSupported("zastava.runtime.event@v1.0"));
Assert.False(ZastavaContractVersions.IsRuntimeEventSupported("zastava.runtime.event@v2.0"));
Assert.False(ZastavaContractVersions.IsRuntimeEventSupported("zastava.admission.decision@v1"));
}
[Fact]
public void IsAdmissionDecisionSupported_RespectsMajorCompatibility()
{
Assert.True(ZastavaContractVersions.ContractVersion.TryParse("zastava.admission.decision@v1.0", out var candidate));
Assert.True(candidate.IsCompatibleWith(ZastavaContractVersions.AdmissionDecision), $"Candidate {candidate} incompatible with {ZastavaContractVersions.AdmissionDecision}");
Assert.True(ZastavaContractVersions.IsAdmissionDecisionSupported("zastava.admission.decision@v1.0"));
Assert.False(ZastavaContractVersions.IsAdmissionDecisionSupported("zastava.admission.decision@v0.9"));
Assert.False(ZastavaContractVersions.IsAdmissionDecisionSupported("zastava.runtime.event@v1"));
}
[Fact]
public void NegotiateRuntimeEvent_PicksHighestCommonVersion()
{
var negotiated = ZastavaContractVersions.NegotiateRuntimeEvent(new[]
{
"zastava.runtime.event@v1.0",
"zastava.runtime.event@v0.9",
"zastava.admission.decision@v1"
});
Assert.Equal("zastava.runtime.event@v1.0", negotiated.ToString());
}
[Fact]
public void NegotiateAdmissionDecision_PicksHighestCommonVersion()
{
var negotiated = ZastavaContractVersions.NegotiateAdmissionDecision(new[]
{
"zastava.admission.decision@v1.2",
"zastava.admission.decision@v1.0",
"zastava.runtime.event@v1.0"
});
Assert.Equal(ZastavaContractVersions.AdmissionDecision.ToString(), negotiated.ToString());
}
[Fact]
public void NegotiateRuntimeEvent_FallsBackToLocalWhenNoMatch()
{
var negotiated = ZastavaContractVersions.NegotiateRuntimeEvent(new[]
{
"zastava.runtime.event@v2.0",
"zastava.admission.decision@v2.0"
});
Assert.Equal(ZastavaContractVersions.RuntimeEvent.ToString(), negotiated.ToString());
}
[Fact]
public void NegotiateAdmissionDecision_FallsBackToLocalWhenNoMatch()
{
var negotiated = ZastavaContractVersions.NegotiateAdmissionDecision(new[]
{
"zastava.admission.decision@v2.0",
"zastava.runtime.event@v2.0"
});
Assert.Equal(ZastavaContractVersions.AdmissionDecision.ToString(), negotiated.ToString());
}
}

122
src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/DependencyInjection/ZastavaServiceCollectionExtensionsTests.cs Normal file
View File

@@ -0,0 +1,122 @@
using System.Linq;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Diagnostics;
using StellaOps.Zastava.Core.Security;
namespace StellaOps.Zastava.Core.Tests.DependencyInjection;
public sealed class ZastavaServiceCollectionExtensionsTests
{
[Fact]
public void AddZastavaRuntimeCore_BindsOptionsAndProvidesDiagnostics()
{
var configuration = new ConfigurationBuilder()
.AddInMemoryCollection(new Dictionary<string, string?>
{
["zastava:runtime:tenant"] = "tenant-42",
["zastava:runtime:environment"] = "prod",
["zastava:runtime:deployment"] = "cluster-a",
["zastava:runtime:metrics:meterName"] = "stellaops.zastava.runtime",
["zastava:runtime:metrics:meterVersion"] = "2.0.0",
["zastava:runtime:metrics:commonTags:cluster"] = "prod-cluster",
["zastava:runtime:logging:staticScope:plane"] = "runtime",
["zastava:runtime:authority:clientId"] = "zastava-observer",
["zastava:runtime:authority:audience:0"] = "scanner",
["zastava:runtime:authority:audience:1"] = "zastava",
["zastava:runtime:authority:scopes:0"] = "aud:scanner",
["zastava:runtime:authority:scopes:1"] = "api:scanner.runtime.write",
["zastava:runtime:authority:allowStaticTokenFallback"] = "false"
})
.Build();
var services = new ServiceCollection();
services.AddLogging();
services.AddZastavaRuntimeCore(configuration, componentName: "observer");
using var provider = services.BuildServiceProvider();
var runtimeOptions = provider.GetRequiredService<IOptions<ZastavaRuntimeOptions>>().Value;
Assert.Equal("tenant-42", runtimeOptions.Tenant);
Assert.Equal("prod", runtimeOptions.Environment);
Assert.Equal("observer", runtimeOptions.Component);
Assert.Equal("cluster-a", runtimeOptions.Deployment);
Assert.Equal("stellaops.zastava.runtime", runtimeOptions.Metrics.MeterName);
Assert.Equal("2.0.0", runtimeOptions.Metrics.MeterVersion);
Assert.Equal("runtime", runtimeOptions.Logging.StaticScope["plane"]);
Assert.Equal("zastava-observer", runtimeOptions.Authority.ClientId);
Assert.Contains("scanner", runtimeOptions.Authority.Audience);
Assert.Contains("zastava", runtimeOptions.Authority.Audience);
Assert.Equal(new[] { "aud:scanner", "api:scanner.runtime.write" }, runtimeOptions.Authority.Scopes);
Assert.False(runtimeOptions.Authority.AllowStaticTokenFallback);
var scopeBuilder = provider.GetRequiredService<IZastavaLogScopeBuilder>();
var scope = scopeBuilder.BuildScope(
correlationId: "corr-1",
node: "node-1",
workload: "payments/api",
eventId: "evt-123",
additional: new Dictionary<string, string>
{
["pod"] = "api-12345"
});
Assert.Equal("tenant-42", scope["tenant"]);
Assert.Equal("observer", scope["component"]);
Assert.Equal("prod", scope["environment"]);
Assert.Equal("cluster-a", scope["deployment"]);
Assert.Equal("runtime", scope["plane"]);
Assert.Equal("corr-1", scope["correlationId"]);
Assert.Equal("node-1", scope["node"]);
Assert.Equal("payments/api", scope["workload"]);
Assert.Equal("evt-123", scope["eventId"]);
Assert.Equal("api-12345", scope["pod"]);
var metrics = provider.GetRequiredService<IZastavaRuntimeMetrics>();
Assert.Equal("stellaops.zastava.runtime", metrics.Meter.Name);
Assert.Equal("2.0.0", metrics.Meter.Version);
var authorityProvider = provider.GetRequiredService<IZastavaAuthorityTokenProvider>();
Assert.NotNull(authorityProvider);
var defaultTags = metrics.DefaultTags.ToArray();
Assert.Contains(defaultTags, kvp => kvp.Key == "tenant" && (string?)kvp.Value == "tenant-42");
Assert.Contains(defaultTags, kvp => kvp.Key == "component" && (string?)kvp.Value == "observer");
Assert.Contains(defaultTags, kvp => kvp.Key == "environment" && (string?)kvp.Value == "prod");
Assert.Contains(defaultTags, kvp => kvp.Key == "deployment" && (string?)kvp.Value == "cluster-a");
Assert.Contains(defaultTags, kvp => kvp.Key == "cluster" && (string?)kvp.Value == "prod-cluster");
metrics.RuntimeEvents.Add(1, defaultTags);
metrics.AdmissionDecisions.Add(1, defaultTags);
metrics.BackendLatencyMs.Record(12.5, defaultTags);
var loggerFactoryOptions = provider.GetRequiredService<IOptionsMonitor<LoggerFactoryOptions>>().CurrentValue;
Assert.True(loggerFactoryOptions.ActivityTrackingOptions.HasFlag(ActivityTrackingOptions.TraceId));
Assert.True(loggerFactoryOptions.ActivityTrackingOptions.HasFlag(ActivityTrackingOptions.SpanId));
}
[Fact]
public void AddZastavaRuntimeCore_ThrowsForInvalidTenant()
{
var configuration = new ConfigurationBuilder()
.AddInMemoryCollection(new Dictionary<string, string?>
{
["zastava:runtime:tenant"] = "",
["zastava:runtime:environment"] = "prod"
})
.Build();
var services = new ServiceCollection();
services.AddLogging();
services.AddZastavaRuntimeCore(configuration, "observer");
Assert.Throws<OptionsValidationException>(() =>
{
using var provider = services.BuildServiceProvider();
_ = provider.GetRequiredService<IOptions<ZastavaRuntimeOptions>>().Value;
});
}
}

228
src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Security/ZastavaAuthorityTokenProviderTests.cs Normal file
View File

@@ -0,0 +1,228 @@
using System.Collections.Generic;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
using StellaOps.Auth.Client;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Diagnostics;
using StellaOps.Zastava.Core.Security;
namespace StellaOps.Zastava.Core.Tests.Security;
public sealed class ZastavaAuthorityTokenProviderTests
{
[Fact]
public async Task GetAsync_UsesCacheUntilRefreshWindow()
{
var timeProvider = new TestTimeProvider(DateTimeOffset.Parse("2025-10-23T12:00:00Z"));
var runtimeOptions = CreateRuntimeOptions(refreshSkewSeconds: 120);
var tokenClient = new StubTokenClient();
tokenClient.EnqueueToken(new StellaOpsTokenResult(
"token-1",
"DPoP",
timeProvider.GetUtcNow() + TimeSpan.FromMinutes(10),
new[] { "aud:scanner", "api:scanner.runtime.write" }));
tokenClient.EnqueueToken(new StellaOpsTokenResult(
"token-2",
"DPoP",
timeProvider.GetUtcNow() + TimeSpan.FromMinutes(10),
new[] { "aud:scanner", "api:scanner.runtime.write" }));
var provider = CreateProvider(runtimeOptions, tokenClient, timeProvider);
var tokenA = await provider.GetAsync("scanner");
Assert.Equal("token-1", tokenA.AccessToken);
Assert.Equal(1, tokenClient.RequestCount);
// Move time forward but still before refresh window (refresh skew = 2 minutes)
timeProvider.Advance(TimeSpan.FromMinutes(5));
var tokenB = await provider.GetAsync("scanner");
Assert.Equal("token-1", tokenB.AccessToken);
Assert.Equal(1, tokenClient.RequestCount);
// Cross refresh window to trigger renewal
timeProvider.Advance(TimeSpan.FromMinutes(5));
var tokenC = await provider.GetAsync("scanner");
Assert.Equal("token-2", tokenC.AccessToken);
Assert.Equal(2, tokenClient.RequestCount);
}
[Fact]
public async Task GetAsync_ThrowsWhenMissingAudienceScope()
{
var runtimeOptions = CreateRuntimeOptions();
var tokenClient = new StubTokenClient();
tokenClient.EnqueueToken(new StellaOpsTokenResult(
"token",
"DPoP",
DateTimeOffset.UtcNow + TimeSpan.FromMinutes(5),
new[] { "api:scanner.runtime.write" }));
var provider = CreateProvider(runtimeOptions, tokenClient, new TestTimeProvider(DateTimeOffset.UtcNow));
var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => provider.GetAsync("scanner").AsTask());
Assert.Contains("audience scope", ex.Message, StringComparison.OrdinalIgnoreCase);
}
[Fact]
public async Task GetAsync_StaticFallbackUsedWhenEnabled()
{
var runtimeOptions = CreateRuntimeOptions(allowFallback: true, staticToken: "static-token", requireDpop: false);
var tokenClient = new StubTokenClient();
tokenClient.FailWith(new InvalidOperationException("offline"));
var provider = CreateProvider(runtimeOptions, tokenClient, new TestTimeProvider(DateTimeOffset.UtcNow));
var token = await provider.GetAsync("scanner");
Assert.Equal("static-token", token.AccessToken);
Assert.Null(token.ExpiresAtUtc);
Assert.Equal(0, tokenClient.RequestCount);
}
[Fact]
public async Task GetAsync_ThrowsWhenDpopRequiredButTokenTypeIsBearer()
{
var runtimeOptions = CreateRuntimeOptions(requireDpop: true);
var tokenClient = new StubTokenClient();
tokenClient.EnqueueToken(new StellaOpsTokenResult(
"token",
"Bearer",
DateTimeOffset.UtcNow + TimeSpan.FromMinutes(5),
new[] { "aud:scanner" }));
var provider = CreateProvider(runtimeOptions, tokenClient, new TestTimeProvider(DateTimeOffset.UtcNow));
await Assert.ThrowsAsync<InvalidOperationException>(() => provider.GetAsync("scanner").AsTask());
}
private static ZastavaRuntimeOptions CreateRuntimeOptions(
double refreshSkewSeconds = 60,
bool allowFallback = false,
string? staticToken = null,
bool requireDpop = true)
=> new()
{
Tenant = "tenant-x",
Environment = "test",
Component = "observer",
Authority = new ZastavaAuthorityOptions
{
Issuer = new Uri("https://authority.internal"),
ClientId = "zastava-runtime",
Audience = new[] { "scanner" },
Scopes = new[] { "api:scanner.runtime.write" },
RefreshSkewSeconds = refreshSkewSeconds,
RequireDpop = requireDpop,
RequireMutualTls = true,
AllowStaticTokenFallback = allowFallback,
StaticTokenValue = staticToken
}
};
private static ZastavaAuthorityTokenProvider CreateProvider(
ZastavaRuntimeOptions runtimeOptions,
IStellaOpsTokenClient tokenClient,
TimeProvider timeProvider)
{
var optionsMonitor = new StaticOptionsMonitor<ZastavaRuntimeOptions>(runtimeOptions);
var scopeBuilder = new ZastavaLogScopeBuilder(Options.Create(runtimeOptions));
return new ZastavaAuthorityTokenProvider(
tokenClient,
optionsMonitor,
scopeBuilder,
timeProvider,
NullLogger<ZastavaAuthorityTokenProvider>.Instance);
}
private sealed class StubTokenClient : IStellaOpsTokenClient
{
private readonly Queue<Func<CancellationToken, Task<StellaOpsTokenResult>>> responses = new();
private Exception? failure;
public int RequestCount { get; private set; }
public IReadOnlyDictionary<string, string>? LastAdditionalParameters { get; private set; }
public void EnqueueToken(StellaOpsTokenResult result)
=> responses.Enqueue(_ => Task.FromResult(result));
public void FailWith(Exception exception)
=> failure = exception;
public Task<StellaOpsTokenResult> RequestClientCredentialsTokenAsync(string? scope = null, IReadOnlyDictionary<string, string>? additionalParameters = null, CancellationToken cancellationToken = default)
{
RequestCount++;
LastAdditionalParameters = additionalParameters;
if (failure is not null)
{
throw failure;
}
if (responses.TryDequeue(out var factory))
{
return factory(cancellationToken);
}
throw new InvalidOperationException("No token responses queued.");
}
public Task<StellaOpsTokenResult> RequestPasswordTokenAsync(string username, string password, string? scope = null, IReadOnlyDictionary<string, string>? additionalParameters = null, CancellationToken cancellationToken = default)
=> throw new NotImplementedException();
public Task<JsonWebKeySet> GetJsonWebKeySetAsync(CancellationToken cancellationToken = default)
=> throw new NotImplementedException();
public ValueTask<StellaOpsTokenCacheEntry?> GetCachedTokenAsync(string key, CancellationToken cancellationToken = default)
=> ValueTask.FromResult<StellaOpsTokenCacheEntry?>(null);
public ValueTask CacheTokenAsync(string key, StellaOpsTokenCacheEntry entry, CancellationToken cancellationToken = default)
=> ValueTask.CompletedTask;
public ValueTask ClearCachedTokenAsync(string key, CancellationToken cancellationToken = default)
=> ValueTask.CompletedTask;
}
private sealed class StaticOptionsMonitor<T> : IOptionsMonitor<T>
{
public StaticOptionsMonitor(T value)
{
CurrentValue = value;
}
public T CurrentValue { get; }
public T Get(string? name) => CurrentValue;
public IDisposable OnChange(Action<T, string> listener) => NullDisposable.Instance;
private sealed class NullDisposable : IDisposable
{
public static readonly NullDisposable Instance = new();
public void Dispose()
{
}
}
}
private sealed class TestTimeProvider : TimeProvider
{
private DateTimeOffset current;
public TestTimeProvider(DateTimeOffset initial)
{
current = initial;
}
public override DateTimeOffset GetUtcNow() => current;
public void Advance(TimeSpan delta)
{
current = current.Add(delta);
}
}
}

195
src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/Serialization/ZastavaCanonicalJsonSerializerTests.cs Normal file
View File

@@ -0,0 +1,195 @@
using System;
using System.Text;
using System.Security.Cryptography;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Core.Hashing;
using StellaOps.Zastava.Core.Serialization;
namespace StellaOps.Zastava.Core.Tests.Serialization;
public sealed class ZastavaCanonicalJsonSerializerTests
{
[Fact]
public void Serialize_RuntimeEventEnvelope_ProducesDeterministicOrdering()
{
var runtimeEvent = new RuntimeEvent
{
EventId = "evt-123",
When = DateTimeOffset.Parse("2025-10-19T12:34:56Z"),
Kind = RuntimeEventKind.ContainerStart,
Tenant = "tenant-01",
Node = "node-a",
Runtime = new RuntimeEngine
{
Engine = "containerd",
Version = "1.7.19"
},
Workload = new RuntimeWorkload
{
Platform = "kubernetes",
Namespace = "payments",
Pod = "api-7c9fbbd8b7-ktd84",
Container = "api",
ContainerId = "containerd://abc",
ImageRef = "ghcr.io/acme/api@sha256:abcd",
Owner = new RuntimeWorkloadOwner
{
Kind = "Deployment",
Name = "api"
}
},
Process = new RuntimeProcess
{
Pid = 12345,
Entrypoint = new[] { "/entrypoint.sh", "--serve" },
EntryTrace = new[]
{
new RuntimeEntryTrace
{
File = "/entrypoint.sh",
Line = 3,
Op = "exec",
Target = "/usr/bin/python3"
}
}
},
LoadedLibraries = new[]
{
new RuntimeLoadedLibrary
{
Path = "/lib/x86_64-linux-gnu/libssl.so.3",
Inode = 123456,
Sha256 = "abc123"
}
},
Posture = new RuntimePosture
{
ImageSigned = true,
SbomReferrer = "present",
Attestation = new RuntimeAttestation
{
Uuid = "rekor-uuid",
Verified = true
}
},
Delta = new RuntimeDelta
{
BaselineImageDigest = "sha256:abcd",
ChangedFiles = new[] { "/opt/app/server.py" },
NewBinaries = new[]
{
new RuntimeNewBinary
{
Path = "/usr/local/bin/helper",
Sha256 = "def456"
}
}
},
Evidence = new[]
{
new RuntimeEvidence
{
Signal = "procfs.maps",
Value = "/lib/.../libssl.so.3@0x7f..."
}
},
Annotations = new Dictionary<string, string>
{
["source"] = "unit-test"
}
};
var envelope = RuntimeEventEnvelope.Create(runtimeEvent, ZastavaContractVersions.RuntimeEvent);
var json = ZastavaCanonicalJsonSerializer.Serialize(envelope);
var expectedOrder = new[]
{
"\"schemaVersion\"",
"\"event\"",
"\"eventId\"",
"\"when\"",
"\"kind\"",
"\"tenant\"",
"\"node\"",
"\"runtime\"",
"\"engine\"",
"\"version\"",
"\"workload\"",
"\"platform\"",
"\"namespace\"",
"\"pod\"",
"\"container\"",
"\"containerId\"",
"\"imageRef\"",
"\"owner\"",
"\"kind\"",
"\"name\"",
"\"process\"",
"\"pid\"",
"\"entrypoint\"",
"\"entryTrace\"",
"\"loadedLibs\"",
"\"posture\"",
"\"imageSigned\"",
"\"sbomReferrer\"",
"\"attestation\"",
"\"uuid\"",
"\"verified\"",
"\"delta\"",
"\"baselineImageDigest\"",
"\"changedFiles\"",
"\"newBinaries\"",
"\"path\"",
"\"sha256\"",
"\"evidence\"",
"\"signal\"",
"\"value\"",
"\"annotations\"",
"\"source\""
};
var cursor = -1;
foreach (var token in expectedOrder)
{
var position = json.IndexOf(token, cursor + 1, StringComparison.Ordinal);
Assert.True(position > cursor, $"Property token {token} not found in the expected order.");
cursor = position;
}
Assert.DoesNotContain(" ", json, StringComparison.Ordinal);
Assert.StartsWith("{\"schemaVersion\"", json, StringComparison.Ordinal);
Assert.EndsWith("}}", json, StringComparison.Ordinal);
}
[Fact]
public void ComputeMultihash_ProducesStableBase64UrlDigest()
{
var payloadBytes = Encoding.UTF8.GetBytes("{\"value\":42}");
var expectedDigestBytes = SHA256.HashData(payloadBytes);
var expected = $"sha256-{Convert.ToBase64String(expectedDigestBytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')}";
var hash = ZastavaHashing.ComputeMultihash(new ReadOnlySpan<byte>(payloadBytes));
Assert.Equal(expected, hash);
var sha512 = ZastavaHashing.ComputeMultihash(new ReadOnlySpan<byte>(payloadBytes), "sha512");
Assert.StartsWith("sha512-", sha512, StringComparison.Ordinal);
}
[Fact]
public void ComputeMultihash_NormalizesAlgorithmAliases()
{
var bytes = Encoding.UTF8.GetBytes("sample");
var digestDefault = ZastavaHashing.ComputeMultihash(new ReadOnlySpan<byte>(bytes));
var digestAlias = ZastavaHashing.ComputeMultihash(new ReadOnlySpan<byte>(bytes), "sha-256");
Assert.Equal(digestDefault, digestAlias);
}
[Fact]
public void ComputeMultihash_UnknownAlgorithm_Throws()
{
var ex = Assert.Throws<NotSupportedException>(() => ZastavaHashing.ComputeMultihash(new ReadOnlySpan<byte>(Array.Empty<byte>()), "unsupported"));
Assert.Contains("unsupported", ex.Message, StringComparison.OrdinalIgnoreCase);
}
}

15
src/Zastava/__Tests/StellaOps.Zastava.Core.Tests/StellaOps.Zastava.Core.Tests.csproj Normal file
View File

@@ -0,0 +1,15 @@
<?xml version='1.0' encoding='utf-8'?>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="../../__Libraries/StellaOps.Zastava.Core/StellaOps.Zastava.Core.csproj" />
<ProjectReference Include="../../../Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOps.Auth.Client.csproj" />
<ProjectReference Include="../../../Authority/StellaOps.Authority/StellaOps.Auth.Abstractions/StellaOps.Auth.Abstractions.csproj" />
<ProjectReference Include="../../../__Libraries/StellaOps.Auth.Security/StellaOps.Auth.Security.csproj" />
</ItemGroup>
</Project>

282
src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/ContainerRuntimePollerTests.cs Normal file
View File

@@ -0,0 +1,282 @@
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Time.Testing;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.ContainerRuntime;
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
using StellaOps.Zastava.Observer.Posture;
using StellaOps.Zastava.Observer.Worker;
using StellaOps.Zastava.Observer.Cri;
namespace StellaOps.Zastava.Observer.Tests;
public sealed class ContainerRuntimePollerTests
{
[Fact]
public async Task PollAsync_ProducesStartEvents_InStableOrder()
{
var timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 10, 24, 12, 0, 0, TimeSpan.Zero));
var tracker = new ContainerStateTracker();
var client = new StubCriRuntimeClient();
var containerA = CreateContainer("container-a", "pod-a", timeProvider.GetUtcNow().AddSeconds(5));
var containerB = CreateContainer("container-b", "pod-b", timeProvider.GetUtcNow().AddSeconds(10));
client.EnqueueList(containerA, containerB);
var endpoint = new ContainerRuntimeEndpointOptions
{
Engine = ContainerRuntimeEngine.Containerd,
Endpoint = "unix:///run/containerd/containerd.sock"
};
var identity = new CriRuntimeIdentity("containerd", "1.7.19", "1.6.0");
var poller = new ContainerRuntimePoller(NullLogger<ContainerRuntimePoller>.Instance);
var envelopes = await poller.PollAsync(
tracker,
client,
endpoint,
identity,
tenant: "tenant-alpha",
nodeName: "node-01",
timeProvider,
processCollector: null,
CancellationToken.None);
Assert.Equal(2, envelopes.Count);
Assert.Collection(
envelopes,
first =>
{
Assert.Equal(RuntimeEventKind.ContainerStart, first.Event.Kind);
Assert.Equal("containerd://container-a", first.Event.Workload.ContainerId);
},
second =>
{
Assert.Equal(RuntimeEventKind.ContainerStart, second.Event.Kind);
Assert.Equal("containerd://container-b", second.Event.Workload.ContainerId);
});
Assert.True(envelopes[0].Event.When <= envelopes[1].Event.When);
// Subsequent poll without changes should yield no additional events.
client.EnqueueList(Array.Empty<CriContainerInfo>());
var secondPass = await poller.PollAsync(
tracker,
client,
endpoint,
identity,
tenant: "tenant-alpha",
nodeName: "node-01",
timeProvider,
processCollector: null,
CancellationToken.None);
Assert.Equal(2, secondPass.Count);
Assert.All(secondPass, evt => Assert.Equal(RuntimeEventKind.ContainerStop, evt.Event.Kind));
}
[Fact]
public async Task PollAsync_EmitsStopEvent_WhenContainerMissing()
{
var timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 10, 24, 12, 0, 0, TimeSpan.Zero));
var tracker = new ContainerStateTracker();
var client = new StubCriRuntimeClient();
var endpoint = new ContainerRuntimeEndpointOptions
{
Engine = ContainerRuntimeEngine.Containerd,
Endpoint = "unix:///run/containerd/containerd.sock"
};
var identity = new CriRuntimeIdentity("containerd", "1.7.19", "1.6.0");
var poller = new ContainerRuntimePoller(NullLogger<ContainerRuntimePoller>.Instance);
var container = CreateContainer("container-c", "pod-c", timeProvider.GetUtcNow().AddSeconds(2));
client.EnqueueList(container);
await poller.PollAsync(
tracker,
client,
endpoint,
identity,
tenant: "tenant-alpha",
nodeName: "node-02",
timeProvider,
processCollector: null,
CancellationToken.None);
var finished = container with { FinishedAt = timeProvider.GetUtcNow().AddSeconds(30), ExitCode = 0 };
client.EnqueueStatus(container.Id, finished);
client.EnqueueList(Array.Empty<CriContainerInfo>());
timeProvider.Advance(TimeSpan.FromSeconds(30));
var stopEvents = await poller.PollAsync(
tracker,
client,
endpoint,
identity,
tenant: "tenant-alpha",
nodeName: "node-02",
timeProvider,
processCollector: null,
CancellationToken.None);
var stop = Assert.Single(stopEvents);
Assert.Equal(RuntimeEventKind.ContainerStop, stop.Event.Kind);
Assert.Equal(finished.FinishedAt, stop.Event.When);
}
[Fact]
public async Task PollAsync_IncludesPostureInformation()
{
var timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 10, 24, 12, 0, 0, TimeSpan.Zero));
var tracker = new ContainerStateTracker();
var client = new StubCriRuntimeClient();
var endpoint = new ContainerRuntimeEndpointOptions
{
Engine = ContainerRuntimeEngine.Containerd,
Endpoint = "unix:///run/containerd/containerd.sock"
};
var identity = new CriRuntimeIdentity("containerd", "1.7.19", "1.6.0");
var posture = new RuntimePosture
{
ImageSigned = true,
SbomReferrer = "present",
Attestation = new RuntimeAttestation
{
Uuid = "rekor-1",
Verified = true
}
};
var postureEvaluator = new StubPostureEvaluator(posture);
var poller = new ContainerRuntimePoller(NullLogger<ContainerRuntimePoller>.Instance, postureEvaluator);
var container = CreateContainer("container-d", "pod-d", timeProvider.GetUtcNow().AddSeconds(2));
client.EnqueueList(container);
var envelopes = await poller.PollAsync(
tracker,
client,
endpoint,
identity,
tenant: "tenant-beta",
nodeName: "node-03",
timeProvider,
processCollector: null,
CancellationToken.None);
var runtimeEvent = Assert.Single(envelopes).Event;
Assert.NotNull(runtimeEvent.Posture);
Assert.True(runtimeEvent.Posture!.ImageSigned);
Assert.Equal("present", runtimeEvent.Posture.SbomReferrer);
Assert.Contains(runtimeEvent.Evidence, e => e.Signal.StartsWith("runtime.posture", StringComparison.Ordinal));
}
[Fact]
public void BackoffCalculator_ComputesDelayWithinBounds()
{
var options = new ObserverBackoffOptions
{
Initial = TimeSpan.FromSeconds(1),
Max = TimeSpan.FromSeconds(30),
JitterRatio = 0.25
};
var random = new Random(1234);
var delay = BackoffCalculator.ComputeDelay(options, attempt: 3, random);
Assert.InRange(delay, TimeSpan.FromSeconds(1), options.Max);
var expectedBase = TimeSpan.FromSeconds(4); // initial * 2^(attempt-1)
Assert.InRange(delay.TotalMilliseconds, expectedBase.TotalMilliseconds * 0.75, expectedBase.TotalMilliseconds * 1.25);
}
private static CriContainerInfo CreateContainer(string id, string podName, DateTimeOffset startedAt)
{
var labels = new Dictionary<string, string>(StringComparer.Ordinal)
{
[CriLabelKeys.PodName] = podName,
[CriLabelKeys.PodNamespace] = "default",
[CriLabelKeys.ContainerName] = $"{podName}-container"
};
return new CriContainerInfo(
Id: id,
PodSandboxId: $"{podName}-sandbox",
Name: $"{podName}-container",
Attempt: 1,
Image: "ghcr.io/example/app:1.0.0",
ImageRef: $"ghcr.io/example/app@sha256:{id}",
Labels: labels,
Annotations: new Dictionary<string, string>(StringComparer.Ordinal),
CreatedAt: startedAt.AddSeconds(-5),
StartedAt: startedAt,
FinishedAt: null,
ExitCode: null,
Reason: null,
Message: null,
Pid: null);
}
private sealed class StubCriRuntimeClient : ICriRuntimeClient
{
private readonly Queue<IReadOnlyList<CriContainerInfo>> listResponses = new();
private readonly Dictionary<string, CriContainerInfo?> status = new(StringComparer.Ordinal);
public ContainerRuntimeEndpointOptions Endpoint => new();
public void EnqueueList(params CriContainerInfo[] containers)
=> listResponses.Enqueue(containers);
public void EnqueueList(IReadOnlyList<CriContainerInfo> containers)
=> listResponses.Enqueue(containers);
public void EnqueueStatus(string containerId, CriContainerInfo snapshot)
=> status[containerId] = snapshot;
public ValueTask DisposeAsync() => ValueTask.CompletedTask;
public Task<CriRuntimeIdentity> GetIdentityAsync(CancellationToken cancellationToken)
=> Task.FromResult(new CriRuntimeIdentity("containerd", "1.7.19", "1.6.0"));
public Task<IReadOnlyList<CriContainerInfo>> ListContainersAsync(ContainerState state, CancellationToken cancellationToken)
{
if (listResponses.Count == 0)
{
return Task.FromResult<IReadOnlyList<CriContainerInfo>>(Array.Empty<CriContainerInfo>());
}
return Task.FromResult(listResponses.Dequeue());
}
public Task<CriContainerInfo?> GetContainerStatusAsync(string containerId, CancellationToken cancellationToken)
{
if (status.TryGetValue(containerId, out var info))
{
return Task.FromResult<CriContainerInfo?>(info);
}
return Task.FromResult<CriContainerInfo?>(null);
}
}
private sealed class StubPostureEvaluator : IRuntimePostureEvaluator
{
private readonly RuntimePostureEvaluationResult result;
public StubPostureEvaluator(RuntimePosture posture)
{
var evidence = new[]
{
new RuntimeEvidence
{
Signal = "runtime.posture.source",
Value = "stub"
}
};
result = new RuntimePostureEvaluationResult(posture, evidence);
}
public Task<RuntimePostureEvaluationResult> EvaluateAsync(CriContainerInfo container, CancellationToken cancellationToken)
=> Task.FromResult(result);
}
}

191
src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/Posture/RuntimePostureEvaluatorTests.cs Normal file
View File

@@ -0,0 +1,191 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using System.Threading;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using Microsoft.Extensions.Time.Testing;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Observer.Backend;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
using StellaOps.Zastava.Observer.Posture;
using Xunit;
namespace StellaOps.Zastava.Observer.Tests.Posture;
public sealed class RuntimePostureEvaluatorTests
{
[Fact]
public async Task EvaluateAsync_BacksOffToBackendAndCachesEntry()
{
var timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 10, 24, 12, 0, 0, TimeSpan.Zero));
var cache = new StubPostureCache();
var options = CreateOptions();
var client = new StubPolicyClient(image =>
{
var result = new RuntimePolicyImageResult
{
Signed = true,
HasSbomReferrers = true,
Rekor = new RuntimePolicyRekorResult
{
Uuid = "rekor-123",
Verified = true
}
};
return new RuntimePolicyResponse
{
TtlSeconds = 600,
ExpiresAtUtc = timeProvider.GetUtcNow().AddMinutes(10),
Results = new Dictionary<string, RuntimePolicyImageResult>(StringComparer.Ordinal)
{
[image] = result
}
};
});
var evaluator = new RuntimePostureEvaluator(client, cache, options, timeProvider, NullLogger<RuntimePostureEvaluator>.Instance);
var container = CreateContainerInfo();
var evaluation = await evaluator.EvaluateAsync(container, CancellationToken.None);
Assert.NotNull(evaluation.Posture);
Assert.True(evaluation.Posture!.ImageSigned);
Assert.Equal("present", evaluation.Posture.SbomReferrer);
Assert.Contains(evaluation.Evidence, e => e.Signal == "runtime.posture.source" && e.Value == "backend");
var cached = cache.Get(container.ImageRef!);
Assert.NotNull(cached);
}
[Fact]
public async Task EvaluateAsync_UsesCacheWhenBackendFails()
{
var timeProvider = new FakeTimeProvider(new DateTimeOffset(2025, 10, 24, 12, 0, 0, TimeSpan.Zero));
var cache = new StubPostureCache();
var options = CreateOptions();
var imageRef = "ghcr.io/example/app@sha256:deadbeef";
var cachedPosture = new RuntimePosture
{
ImageSigned = false,
SbomReferrer = "missing"
};
cache.Seed(imageRef, cachedPosture, timeProvider.GetUtcNow().AddMinutes(-1), timeProvider.GetUtcNow().AddMinutes(-10));
var client = new StubPolicyClient(_ => throw new InvalidOperationException("backend unavailable"));
var evaluator = new RuntimePostureEvaluator(client, cache, options, timeProvider, NullLogger<RuntimePostureEvaluator>.Instance);
var container = CreateContainerInfo(imageRef);
var evaluation = await evaluator.EvaluateAsync(container, CancellationToken.None);
Assert.NotNull(evaluation.Posture);
Assert.False(evaluation.Posture!.ImageSigned);
Assert.Contains(evaluation.Evidence, e => e.Signal == "runtime.posture.cache");
Assert.Contains(evaluation.Evidence, e => e.Signal == "runtime.posture.error");
}
private static CriContainerInfo CreateContainerInfo(string? imageRef = null)
{
var labels = new Dictionary<string, string>(StringComparer.Ordinal)
{
[CriLabelKeys.PodNamespace] = "payments",
[CriLabelKeys.PodName] = "api-pod",
[CriLabelKeys.ContainerName] = "api"
};
return new CriContainerInfo(
Id: "container-a",
PodSandboxId: "sandbox-a",
Name: "api",
Attempt: 1,
Image: "ghcr.io/example/app:1.0.0",
ImageRef: imageRef ?? "ghcr.io/example/app@sha256:deadbeef",
Labels: labels,
Annotations: new Dictionary<string, string>(StringComparer.Ordinal),
CreatedAt: DateTimeOffset.UtcNow,
StartedAt: DateTimeOffset.UtcNow,
FinishedAt: null,
ExitCode: null,
Reason: null,
Message: null,
Pid: 1234);
}
private static TestOptionsMonitor<ZastavaObserverOptions> CreateOptions()
{
var options = new ZastavaObserverOptions
{
Posture = new ZastavaObserverPostureOptions
{
CachePath = Path.Combine(Path.GetTempPath(), "zastava-observer-tests", Guid.NewGuid().ToString("N"), "posture-cache.json"),
FallbackTtlSeconds = 300,
StaleWarningThresholdSeconds = 600
}
};
return new TestOptionsMonitor<ZastavaObserverOptions>(options);
}
private sealed class StubPolicyClient : IRuntimePolicyClient
{
private readonly Func<string, RuntimePolicyResponse> factory;
public StubPolicyClient(Func<string, RuntimePolicyResponse> factory)
{
this.factory = factory;
}
public Task<RuntimePolicyResponse> EvaluateAsync(RuntimePolicyRequest request, CancellationToken cancellationToken = default)
{
var image = request.Images.First();
return Task.FromResult(factory(image));
}
}
private sealed class StubPostureCache : IRuntimePostureCache
{
private readonly Dictionary<string, RuntimePostureCacheEntry> entries = new(StringComparer.Ordinal);
public RuntimePostureCacheEntry? Get(string key)
{
entries.TryGetValue(key, out var entry);
return entry;
}
public void Seed(string key, RuntimePosture posture, DateTimeOffset expiresAt, DateTimeOffset storedAt)
{
entries[key] = new RuntimePostureCacheEntry(posture, expiresAt, storedAt);
}
public void Set(string key, RuntimePosture posture, DateTimeOffset expiresAtUtc, DateTimeOffset storedAtUtc)
{
entries[key] = new RuntimePostureCacheEntry(posture, expiresAtUtc, storedAtUtc);
}
}
private sealed class TestOptionsMonitor<T> : IOptionsMonitor<T>
{
private readonly T value;
public TestOptionsMonitor(T value)
{
this.value = value;
}
public T CurrentValue => value;
public T Get(string? name) => value;
public IDisposable OnChange(Action<T, string?> listener) => NullDisposable.Instance;
private sealed class NullDisposable : IDisposable
{
public static readonly NullDisposable Instance = new();
public void Dispose()
{
}
}
}
}

60
src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/Runtime/ElfBuildIdReaderTests.cs Normal file
View File

@@ -0,0 +1,60 @@
using System.Linq;
using StellaOps.Zastava.Observer.Runtime;
using StellaOps.Zastava.Observer.Tests.TestSupport;
using Xunit;
namespace StellaOps.Zastava.Observer.Tests.Runtime;
public sealed class ElfBuildIdReaderTests
{
[Fact]
public async Task TryReadBuildIdAsync_ReturnsExpectedHex()
{
using var temp = new TempDirectory();
var elfPath = Path.Combine(temp.RootPath, "bin", "example");
var buildIdBytes = Enumerable.Range(0, 20).Select(static index => (byte)(index + 1)).ToArray();
ElfTestFileBuilder.CreateElfWithBuildId(elfPath, buildIdBytes);
var buildId = await ElfBuildIdReader.TryReadBuildIdAsync(elfPath, CancellationToken.None);
Assert.Equal(Convert.ToHexString(buildIdBytes).ToLowerInvariant(), buildId);
}
[Fact]
public async Task TryReadBuildIdAsync_InvalidFileReturnsNull()
{
using var temp = new TempDirectory();
var path = Path.Combine(temp.RootPath, "bin", "invalid");
Directory.CreateDirectory(Path.GetDirectoryName(path)!);
await File.WriteAllTextAsync(path, "not-an-elf");
var buildId = await ElfBuildIdReader.TryReadBuildIdAsync(path, CancellationToken.None);
Assert.Null(buildId);
}
private sealed class TempDirectory : IDisposable
{
public TempDirectory()
{
RootPath = Path.Combine(Path.GetTempPath(), "elf-buildid-tests", Guid.NewGuid().ToString("N"));
Directory.CreateDirectory(RootPath);
}
public string RootPath { get; }
public void Dispose()
{
try
{
if (Directory.Exists(RootPath))
{
Directory.Delete(RootPath, recursive: true);
}
}
catch
{
}
}
}
}

218
src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/Runtime/RuntimeEventBufferTests.cs Normal file
View File

@@ -0,0 +1,218 @@
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.Runtime;
using Xunit;
namespace StellaOps.Zastava.Observer.Tests.Runtime;
public sealed class RuntimeEventBufferTests
{
[Fact]
public async Task WriteBatchAsync_PersistsAndAcksRemoveFiles()
{
using var temp = new TempDirectory();
var options = Options.Create(new ZastavaObserverOptions
{
EventBufferPath = temp.CreateSubdirectory("buffer"),
MaxDiskBufferBytes = 1024 * 1024,
MaxInMemoryBuffer = 32,
PublishBatchSize = 8
});
var buffer = new RuntimeEventBuffer(options, TimeProvider.System, NullLogger<RuntimeEventBuffer>.Instance);
await buffer.WriteBatchAsync(new[]
{
CreateEnvelope("evt-1"),
CreateEnvelope("evt-2")
}, CancellationToken.None);
var enumerator = buffer.ReadAllAsync(CancellationToken.None).GetAsyncEnumerator();
var first = await ReadNextAsync(enumerator);
Assert.Equal("evt-1", first.Envelope.Event.EventId);
await first.CompleteAsync();
var second = await ReadNextAsync(enumerator);
Assert.Equal("evt-2", second.Envelope.Event.EventId);
await second.CompleteAsync();
Assert.Empty(Directory.GetFiles(options.Value.EventBufferPath));
}
[Fact]
public async Task ReadAllAsync_RestoresPendingEventsAfterRestart()
{
using var temp = new TempDirectory();
var bufferPath = temp.CreateSubdirectory("buffer");
var options = Options.Create(new ZastavaObserverOptions
{
EventBufferPath = bufferPath,
MaxDiskBufferBytes = 1024 * 1024,
MaxInMemoryBuffer = 16,
PublishBatchSize = 4
});
var initial = new RuntimeEventBuffer(options, TimeProvider.System, NullLogger<RuntimeEventBuffer>.Instance);
await initial.WriteBatchAsync(new[]
{
CreateEnvelope("evt-1"),
CreateEnvelope("evt-2"),
CreateEnvelope("evt-3")
}, CancellationToken.None);
// Do not drain; instantiate a fresh buffer to simulate restart.
var restored = new RuntimeEventBuffer(options, TimeProvider.System, NullLogger<RuntimeEventBuffer>.Instance);
var restoredIds = new List<string>();
var enumerator = restored.ReadAllAsync(CancellationToken.None).GetAsyncEnumerator();
for (var i = 0; i < 3; i++)
{
var item = await ReadNextAsync(enumerator);
restoredIds.Add(item.Envelope.Event.EventId);
await item.CompleteAsync();
}
Assert.Contains("evt-1", restoredIds);
Assert.Contains("evt-3", restoredIds);
Assert.Empty(Directory.GetFiles(bufferPath));
}
[Fact]
public async Task WriteBatchAsync_EnforcesDiskCapacity()
{
using var temp = new TempDirectory();
var bufferPath = temp.CreateSubdirectory("buffer");
var options = Options.Create(new ZastavaObserverOptions
{
EventBufferPath = bufferPath,
MaxDiskBufferBytes = 4096, // small cap to force eviction
MaxInMemoryBuffer = 16,
PublishBatchSize = 4
});
var buffer = new RuntimeEventBuffer(options, TimeProvider.System, NullLogger<RuntimeEventBuffer>.Instance);
for (var i = 0; i < 5; i++)
{
var envelope = CreateEnvelope($"evt-{i}", annotationSize: 2048);
await buffer.WriteBatchAsync(new[] { envelope }, CancellationToken.None);
}
// Rehydrate to read what remained after capacity enforcement.
var restored = new RuntimeEventBuffer(options, TimeProvider.System, NullLogger<RuntimeEventBuffer>.Instance);
var enumerator = restored.ReadAllAsync(CancellationToken.None).GetAsyncEnumerator();
var ids = new List<string>();
while (true)
{
RuntimeEventBufferItem item;
try
{
var hasNext = await enumerator.MoveNextAsync().AsTask().WaitAsync(TimeSpan.FromMilliseconds(200));
if (!hasNext)
{
break;
}
item = enumerator.Current;
}
catch (TimeoutException)
{
break;
}
ids.Add(item.Envelope.Event.EventId);
await item.CompleteAsync();
}
// Oldest events should have been dropped; ensure fewer than written remain.
var totalBytes = Directory.GetFiles(bufferPath)
.Select(path => new FileInfo(path).Length)
.Sum();
Assert.True(totalBytes <= options.Value.MaxDiskBufferBytes, "Runtime event buffer exceeded configured capacity.");
Assert.True(ids.Count > 0, "Expected at least one runtime event to remain buffered.");
Assert.True(ids.Contains("evt-4"), "Most recent event should remain in buffer.");
}
private static RuntimeEventEnvelope CreateEnvelope(string id, int annotationSize = 0)
{
var annotations = annotationSize > 0
? new Dictionary<string, string> { ["blob"] = new string('x', annotationSize) }
: null;
var runtimeEvent = new RuntimeEvent
{
EventId = id,
When = DateTimeOffset.UtcNow,
Kind = RuntimeEventKind.ContainerStart,
Tenant = "tenant-a",
Node = "node-1",
Runtime = new RuntimeEngine
{
Engine = "containerd",
Version = "1.7.0"
},
Workload = new RuntimeWorkload
{
Platform = "kubernetes",
Namespace = "default",
Pod = "pod-1",
Container = "app",
ContainerId = "containerd://abc",
ImageRef = "ghcr.io/example/app@sha256:deadbeef"
},
Annotations = annotations
};
return RuntimeEventEnvelope.Create(runtimeEvent, ZastavaContractVersions.RuntimeEvent);
}
private static async Task<RuntimeEventBufferItem> ReadNextAsync(IAsyncEnumerator<RuntimeEventBufferItem> enumerator)
{
try
{
var hasNext = await enumerator.MoveNextAsync().AsTask().WaitAsync(TimeSpan.FromSeconds(1));
Assert.True(hasNext, "Expected runtime event to be available in buffer.");
}
catch (TimeoutException)
{
Assert.Fail("Timed out waiting for runtime event from buffer.");
}
return enumerator.Current;
}
private sealed class TempDirectory : IDisposable
{
public TempDirectory()
{
RootPath = Path.Combine(Path.GetTempPath(), "observer-buffer-tests", Guid.NewGuid().ToString("N"));
Directory.CreateDirectory(RootPath);
}
public string RootPath { get; }
public string CreateSubdirectory(string name)
{
var path = Path.Combine(RootPath, name);
Directory.CreateDirectory(path);
return path;
}
public void Dispose()
{
try
{
if (Directory.Exists(RootPath))
{
Directory.Delete(RootPath, recursive: true);
}
}
catch
{
}
}
}
}

156
src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/Runtime/RuntimeProcessCollectorTests.cs Normal file
View File

@@ -0,0 +1,156 @@
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
using StellaOps.Zastava.Observer.Runtime;
using StellaOps.Zastava.Observer.Tests.TestSupport;
using Xunit;
namespace StellaOps.Zastava.Observer.Tests.Runtime;
public sealed class RuntimeProcessCollectorTests
{
[Fact]
public async Task CollectAsync_ParsesCmdlineAndLibraries()
{
using var temp = new TempDirectory();
var procRoot = temp.CreateSubdirectory("proc");
var pidDir = Path.Combine(procRoot, "1234");
Directory.CreateDirectory(pidDir);
var cmdlineContent = Encoding.UTF8.GetBytes("/bin/bash\0-c\0python /app/server.py\0");
await File.WriteAllBytesAsync(Path.Combine(pidDir, "cmdline"), cmdlineContent);
var libPath = Path.Combine(temp.RootPath, "libs", "libexample.so");
Directory.CreateDirectory(Path.GetDirectoryName(libPath)!);
await File.WriteAllTextAsync(libPath, "library-bytes");
var buildIdBytes = Enumerable.Range(0, 20).Select(static index => (byte)(index + 1)).ToArray();
var exePath = Path.Combine(pidDir, "exe");
ElfTestFileBuilder.CreateElfWithBuildId(exePath, buildIdBytes);
var mapsLine = $"7f6d8c900000-7f6d8ca00000 r-xp 00000000 00:00 0 {libPath}";
await File.WriteAllTextAsync(Path.Combine(pidDir, "maps"), mapsLine + Environment.NewLine);
var options = Options.Create(new ZastavaObserverOptions
{
ProcRootPath = procRoot,
MaxTrackedLibraries = 8,
MaxEntrypointArguments = 16,
MaxLibraryBytes = 1024 * 1024
});
var collector = new RuntimeProcessCollector(options, NullLogger<RuntimeProcessCollector>.Instance);
var container = new CriContainerInfo(
Id: "container-1",
PodSandboxId: "sandbox",
Name: "example",
Attempt: 1,
Image: "ghcr.io/example/app:1.0",
ImageRef: "ghcr.io/example/app@sha256:deadbeef",
Labels: new Dictionary<string, string>(StringComparer.Ordinal),
Annotations: new Dictionary<string, string>(StringComparer.Ordinal),
CreatedAt: DateTimeOffset.UtcNow,
StartedAt: DateTimeOffset.UtcNow,
FinishedAt: null,
ExitCode: null,
Reason: null,
Message: null,
Pid: 1234);
var capture = await collector.CollectAsync(container, CancellationToken.None);
Assert.NotNull(capture);
Assert.NotNull(capture!.Process);
Assert.Contains("/bin/bash", capture.Process.Entrypoint);
Assert.Contains(capture.Process.EntryTrace, trace => trace.Op == "shell" && trace.Target == "python /app/server.py");
Assert.Contains(capture.Process.EntryTrace, trace => trace.Op == "python" && trace.Target == "/app/server.py");
Assert.NotEmpty(capture.Libraries);
var expectedHash = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes("library-bytes"))).ToLowerInvariant();
Assert.Contains(capture.Libraries, lib => lib.Path == libPath && lib.Sha256 == expectedHash);
Assert.Contains(capture.Evidence, item => item.Signal == "procfs.maps" && item.Value == $"{libPath}@0x7f6d8c900000");
Assert.Contains(capture.Evidence, item => item.Signal == "procfs.maps.count" && item.Value == "1");
Assert.Contains(capture.Evidence, item => item.Signal == "procfs.cmdline");
Assert.Equal(Convert.ToHexString(buildIdBytes).ToLowerInvariant(), capture.Process.BuildId);
Assert.Contains(capture.Evidence, item => item.Signal == "procfs.buildId");
}
[Fact]
public async Task CollectAsync_NodeEntrypointProducesTrace()
{
using var temp = new TempDirectory();
var procRoot = temp.CreateSubdirectory("proc");
var pidDir = Path.Combine(procRoot, "4321");
Directory.CreateDirectory(pidDir);
await File.WriteAllBytesAsync(Path.Combine(pidDir, "cmdline"), Encoding.UTF8.GetBytes("/usr/bin/node\0/app/index.js\0"));
await File.WriteAllTextAsync(Path.Combine(pidDir, "maps"), string.Empty);
var options = Options.Create(new ZastavaObserverOptions
{
ProcRootPath = procRoot,
MaxTrackedLibraries = 8,
MaxEntrypointArguments = 16
});
var collector = new RuntimeProcessCollector(options, NullLogger<RuntimeProcessCollector>.Instance);
var container = new CriContainerInfo(
Id: "container-node",
PodSandboxId: "sandbox-node",
Name: "node-app",
Attempt: 1,
Image: "ghcr.io/example/node:1.0",
ImageRef: "ghcr.io/example/node@sha256:feedface",
Labels: new Dictionary<string, string>(StringComparer.Ordinal),
Annotations: new Dictionary<string, string>(StringComparer.Ordinal),
CreatedAt: DateTimeOffset.UtcNow,
StartedAt: DateTimeOffset.UtcNow,
FinishedAt: null,
ExitCode: null,
Reason: null,
Message: null,
Pid: 4321);
var capture = await collector.CollectAsync(container, CancellationToken.None);
Assert.NotNull(capture);
Assert.NotNull(capture!.Process);
Assert.Contains("/usr/bin/node", capture.Process.Entrypoint);
Assert.Contains(capture.Process.EntryTrace, trace => trace.Op == "node" && trace.Target == "/app/index.js");
}
private sealed class TempDirectory : IDisposable
{
public TempDirectory()
{
RootPath = Path.Combine(Path.GetTempPath(), "observer-tests", Guid.NewGuid().ToString("N"));
Directory.CreateDirectory(RootPath);
}
public string RootPath { get; }
public string CreateSubdirectory(string name)
{
var path = Path.Combine(RootPath, name);
Directory.CreateDirectory(path);
return path;
}
public void Dispose()
{
try
{
if (Directory.Exists(RootPath))
{
Directory.Delete(RootPath, recursive: true);
}
}
catch
{
}
}
}
}

13
src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/StellaOps.Zastava.Observer.Tests.csproj Normal file
View File

@@ -0,0 +1,13 @@
<?xml version='1.0' encoding='utf-8'?>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<IsPackable>false</IsPackable>
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="../../StellaOps.Zastava.Observer/StellaOps.Zastava.Observer.csproj" />
</ItemGroup>
</Project>

73
src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/TestSupport/ElfTestFileBuilder.cs Normal file
View File

@@ -0,0 +1,73 @@
using System.Buffers.Binary;
using System.IO;
namespace StellaOps.Zastava.Observer.Tests.TestSupport;
internal static class ElfTestFileBuilder
{
private const int HeaderSize = 64;
private const int ProgramHeaderSize = 56;
private const uint ProgramHeaderTypeNote = 4;
private const uint NoteTypeGnuBuildId = 3;
public static void CreateElfWithBuildId(string path, ReadOnlySpan<byte> buildId)
{
if (string.IsNullOrWhiteSpace(path))
{
throw new ArgumentException("Path cannot be null or whitespace.", nameof(path));
}
var directory = Path.GetDirectoryName(path);
if (!string.IsNullOrEmpty(directory))
{
Directory.CreateDirectory(directory);
}
var nameBytes = new byte[] { (byte)'G', (byte)'N', (byte)'U', 0 };
var alignedNameSize = Align(nameBytes.Length);
var alignedDescSize = Align(buildId.Length);
var noteSize = 12 + alignedNameSize + alignedDescSize;
var noteOffset = HeaderSize + ProgramHeaderSize;
var totalSize = noteOffset + noteSize;
var buffer = new byte[totalSize];
var span = buffer.AsSpan();
// ELF ident
span[0] = 0x7F;
span[1] = (byte)'E';
span[2] = (byte)'L';
span[3] = (byte)'F';
span[4] = 2; // 64-bit
span[5] = 1; // little-endian
span[6] = 1; // version
BinaryPrimitives.WriteUInt16LittleEndian(span.Slice(16, 2), 2); // e_type
BinaryPrimitives.WriteUInt16LittleEndian(span.Slice(18, 2), 0x3E); // e_machine (x86-64)
BinaryPrimitives.WriteUInt32LittleEndian(span.Slice(20, 4), 1); // e_version
BinaryPrimitives.WriteUInt64LittleEndian(span.Slice(32, 8), HeaderSize); // e_phoff
BinaryPrimitives.WriteUInt16LittleEndian(span.Slice(52, 2), HeaderSize); // e_ehsize
BinaryPrimitives.WriteUInt16LittleEndian(span.Slice(54, 2), ProgramHeaderSize); // e_phentsize
BinaryPrimitives.WriteUInt16LittleEndian(span.Slice(56, 2), 1); // e_phnum
var programHeader = span.Slice(HeaderSize, ProgramHeaderSize);
BinaryPrimitives.WriteUInt32LittleEndian(programHeader.Slice(0, 4), ProgramHeaderTypeNote);
BinaryPrimitives.WriteUInt64LittleEndian(programHeader.Slice(8, 8), (ulong)noteOffset);
BinaryPrimitives.WriteUInt64LittleEndian(programHeader.Slice(32, 8), (ulong)noteSize);
BinaryPrimitives.WriteUInt64LittleEndian(programHeader.Slice(40, 8), (ulong)noteSize);
BinaryPrimitives.WriteUInt64LittleEndian(programHeader.Slice(48, 8), 4);
var note = span.Slice(noteOffset, noteSize);
BinaryPrimitives.WriteUInt32LittleEndian(note.Slice(0, 4), (uint)nameBytes.Length);
BinaryPrimitives.WriteUInt32LittleEndian(note.Slice(4, 4), (uint)buildId.Length);
BinaryPrimitives.WriteUInt32LittleEndian(note.Slice(8, 4), NoteTypeGnuBuildId);
nameBytes.CopyTo(note.Slice(12, nameBytes.Length));
var descriptorStart = 12 + alignedNameSize;
buildId.CopyTo(note.Slice(descriptorStart, buildId.Length));
File.WriteAllBytes(path, buffer);
}
private static int Align(int value) => (value + 3) & ~3;
}

74
src/Zastava/__Tests/StellaOps.Zastava.Observer.Tests/Worker/RuntimeEventFactoryTests.cs Normal file
View File

@@ -0,0 +1,74 @@
using System;
using System.Collections.Generic;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Observer.Configuration;
using StellaOps.Zastava.Observer.ContainerRuntime;
using StellaOps.Zastava.Observer.ContainerRuntime.Cri;
using StellaOps.Zastava.Observer.Runtime;
using StellaOps.Zastava.Observer.Worker;
using Xunit;
namespace StellaOps.Zastava.Observer.Tests.Worker;
public sealed class RuntimeEventFactoryTests
{
[Fact]
public void Create_AttachesBuildIdFromProcessCapture()
{
var timestamp = DateTimeOffset.UtcNow;
var snapshot = new CriContainerInfo(
Id: "container-a",
PodSandboxId: "sandbox-a",
Name: "api",
Attempt: 1,
Image: "ghcr.io/example/api:1.0",
ImageRef: "ghcr.io/example/api@sha256:deadbeef",
Labels: new Dictionary<string, string>
{
[CriLabelKeys.PodName] = "api-abc",
[CriLabelKeys.PodNamespace] = "payments",
[CriLabelKeys.ContainerName] = "api"
},
Annotations: new Dictionary<string, string>(),
CreatedAt: timestamp,
StartedAt: timestamp,
FinishedAt: null,
ExitCode: null,
Reason: null,
Message: null,
Pid: 4321);
var lifecycleEvent = new ContainerLifecycleEvent(ContainerLifecycleEventKind.Start, timestamp, snapshot);
var endpoint = new ContainerRuntimeEndpointOptions
{
Engine = ContainerRuntimeEngine.Containerd,
Endpoint = "unix:///run/containerd/containerd.sock",
Name = "containerd"
};
var identity = new CriRuntimeIdentity("containerd", "1.7.19", "v1");
var process = new RuntimeProcess
{
Pid = 4321,
Entrypoint = new[] { "/entrypoint.sh" },
EntryTrace = Array.Empty<RuntimeEntryTrace>(),
BuildId = "5f0c7c3cb4d9f8a4"
};
var capture = new RuntimeProcessCapture(
process,
Array.Empty<RuntimeLoadedLibrary>(),
new List<RuntimeEvidence>());
var envelope = RuntimeEventFactory.Create(
lifecycleEvent,
endpoint,
identity,
tenant: "tenant-alpha",
nodeName: "node-1",
capture: capture,
posture: null,
additionalEvidence: null);
Assert.NotNull(envelope.Event.Process);
Assert.Equal("5f0c7c3cb4d9f8a4", envelope.Event.Process!.BuildId);
}
}

131
src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Admission/AdmissionResponseBuilderTests.cs Normal file
View File

@@ -0,0 +1,131 @@
using System.Linq;
using System.Text.Json;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Webhook.Backend;
using StellaOps.Zastava.Webhook.Admission;
using Xunit;
namespace StellaOps.Zastava.Webhook.Tests.Admission;
public sealed class AdmissionResponseBuilderTests
{
[Fact]
public void Build_AllowsWhenAllDecisionsPass()
{
using var document = JsonDocument.Parse("""
{
"metadata": { "namespace": "payments" },
"spec": {
"containers": [ { "name": "api", "image": "ghcr.io/example/api:1.0" } ]
}
}
""");
var pod = document.RootElement;
var spec = pod.GetProperty("spec");
var context = new AdmissionRequestContext(
ApiVersion: "admission.k8s.io/v1",
Kind: "AdmissionReview",
Uid: "abc",
Namespace: "payments",
Labels: new Dictionary<string, string>(),
Containers: new[] { new AdmissionContainerReference("api", "ghcr.io/example/api:1.0") },
PodObject: pod,
PodSpec: spec);
var evaluation = new RuntimeAdmissionEvaluation
{
Decisions = new[]
{
new RuntimeAdmissionDecision
{
OriginalImage = "ghcr.io/example/api:1.0",
ResolvedDigest = "ghcr.io/example/api@sha256:deadbeef",
Verdict = PolicyVerdict.Pass,
Allowed = true,
Policy = new RuntimePolicyImageResult
{
PolicyVerdict = PolicyVerdict.Pass,
HasSbom = true,
Signed = true
},
Reasons = Array.Empty<string>(),
FromCache = false,
ResolutionFailed = false
}
},
BackendFailed = false,
FailOpenApplied = false,
FailureReason = null,
TtlSeconds = 300
};
var builder = new AdmissionResponseBuilder();
var (envelope, response) = builder.Build(context, evaluation);
Assert.Equal("admission.k8s.io/v1", response.ApiVersion);
Assert.True(response.Response.Allowed);
Assert.Null(response.Response.Status);
Assert.NotNull(response.Response.AuditAnnotations);
Assert.True(envelope.Decision.Images.First().HasSbomReferrers);
Assert.StartsWith("sha256-", envelope.Decision.PodSpecDigest, StringComparison.Ordinal);
}
[Fact]
public void Build_DeniedIncludesStatusAndWarnings()
{
using var document = JsonDocument.Parse("""
{
"metadata": { "namespace": "ops" },
"spec": {
"containers": [ { "name": "app", "image": "ghcr.io/example/app:latest" } ]
}
}
""");
var pod = document.RootElement;
var spec = pod.GetProperty("spec");
var context = new AdmissionRequestContext(
"admission.k8s.io/v1",
"AdmissionReview",
"uid-123",
"ops",
new Dictionary<string, string>(),
new[] { new AdmissionContainerReference("app", "ghcr.io/example/app:latest") },
pod,
spec);
var evaluation = new RuntimeAdmissionEvaluation
{
Decisions = new[]
{
new RuntimeAdmissionDecision
{
OriginalImage = "ghcr.io/example/app:latest",
ResolvedDigest = null,
Verdict = PolicyVerdict.Fail,
Allowed = false,
Policy = null,
Reasons = new[] { "policy.fail" },
FromCache = false,
ResolutionFailed = true
}
},
BackendFailed = true,
FailOpenApplied = false,
FailureReason = "backend.unavailable",
TtlSeconds = 60
};
var builder = new AdmissionResponseBuilder();
var (_, response) = builder.Build(context, evaluation);
Assert.False(response.Response.Allowed);
Assert.NotNull(response.Response.Status);
Assert.Equal(403, response.Response.Status!.Code);
Assert.NotNull(response.Response.AuditAnnotations);
Assert.Contains("zastava.stellaops/admission", response.Response.AuditAnnotations!.Keys);
}
}

102
src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Admission/AdmissionReviewParserTests.cs Normal file
View File

@@ -0,0 +1,102 @@
using System.Text.Json;
using StellaOps.Zastava.Webhook.Admission;
using Xunit;
namespace StellaOps.Zastava.Webhook.Tests.Admission;
public sealed class AdmissionReviewParserTests
{
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
[Fact]
public void Parse_ValidRequestExtractsContainers()
{
var dto = Deserialize("""
{
"apiVersion": "admission.k8s.io/v1",
"kind": "AdmissionReview",
"request": {
"uid": "abc-123",
"object": {
"metadata": {
"namespace": "payments",
"labels": { "app": "demo" }
},
"spec": {
"containers": [
{ "name": "api", "image": "ghcr.io/example/api:1.2.3" }
],
"initContainers": [
{ "name": "init", "image": "ghcr.io/example/init:1.0" }
]
}
}
}
}
""");
var parser = new AdmissionReviewParser();
var context = parser.Parse(dto);
Assert.Equal("admission.k8s.io/v1", context.ApiVersion);
Assert.Equal("AdmissionReview", context.Kind);
Assert.Equal("abc-123", context.Uid);
Assert.Equal("payments", context.Namespace);
Assert.Equal("demo", context.Labels["app"]);
Assert.Equal(2, context.Containers.Count);
Assert.Contains(context.Containers, c => c.Name == "api" && c.Image == "ghcr.io/example/api:1.2.3");
Assert.Contains(context.Containers, c => c.Name == "init" && c.Image == "ghcr.io/example/init:1.0");
}
[Fact]
public void Parse_UsesRequestNamespaceWhenAvailable()
{
var dto = Deserialize("""
{
"apiVersion": "admission.k8s.io/v1",
"kind": "AdmissionReview",
"request": {
"uid": "uid-456",
"namespace": "critical",
"object": {
"metadata": {
"labels": { }
},
"spec": {
"containers": [ { "name": "app", "image": "ghcr.io/example/app:latest" } ]
}
}
}
}
""");
var parser = new AdmissionReviewParser();
var context = parser.Parse(dto);
Assert.Equal("critical", context.Namespace);
}
[Fact]
public void Parse_ThrowsWhenNoContainers()
{
var dto = Deserialize("""
{
"apiVersion": "admission.k8s.io/v1",
"kind": "AdmissionReview",
"request": {
"uid": "uid-789",
"object": {
"metadata": { "namespace": "ops" },
"spec": { }
}
}
}
""");
var parser = new AdmissionReviewParser();
var ex = Assert.Throws<AdmissionReviewParseException>(() => parser.Parse(dto));
Assert.Equal("admission.review.containers", ex.Code);
}
private static AdmissionReviewRequestDto Deserialize(string json)
=> JsonSerializer.Deserialize<AdmissionReviewRequestDto>(json, SerializerOptions)!;
}

266
src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Admission/RuntimeAdmissionPolicyServiceTests.cs Normal file
View File

@@ -0,0 +1,266 @@
using System;
using System.Collections.Generic;
using System.Diagnostics.Metrics;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Diagnostics;
using StellaOps.Zastava.Core.Contracts;
using StellaOps.Zastava.Webhook.Admission;
using StellaOps.Zastava.Webhook.Backend;
using StellaOps.Zastava.Webhook.Configuration;
using Xunit;
namespace StellaOps.Zastava.Webhook.Tests.Admission;
public sealed class RuntimeAdmissionPolicyServiceTests
{
private const string SampleDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
[Fact]
public async Task EvaluateAsync_UsesCacheOnSubsequentCalls()
{
var timeProvider = new TestTimeProvider(new DateTimeOffset(2025, 10, 24, 12, 0, 0, TimeSpan.Zero));
var policyClient = new StubRuntimePolicyClient(new RuntimePolicyResponse
{
TtlSeconds = 600,
Results = new Dictionary<string, RuntimePolicyImageResult>
{
[SampleDigest] = new RuntimePolicyImageResult
{
PolicyVerdict = PolicyVerdict.Pass,
Signed = true,
HasSbom = true,
Reasons = Array.Empty<string>()
}
}
});
var runtimeMetrics = new StubRuntimeMetrics();
var optionsMonitor = new StaticOptionsMonitor<ZastavaWebhookOptions>(new ZastavaWebhookOptions());
var cache = new RuntimePolicyCache(Options.Create(optionsMonitor.CurrentValue), timeProvider, NullLogger<RuntimePolicyCache>.Instance);
var resolver = new ImageDigestResolver();
var service = new RuntimeAdmissionPolicyService(
policyClient,
resolver,
cache,
optionsMonitor,
runtimeMetrics,
timeProvider,
NullLogger<RuntimeAdmissionPolicyService>.Instance);
var request = new RuntimeAdmissionRequest(
Namespace: "payments",
Labels: new Dictionary<string, string>(),
Images: new[] { $"ghcr.io/example/api@{SampleDigest}" });
var first = await service.EvaluateAsync(request, CancellationToken.None);
Assert.Single(first.Decisions);
Assert.False(first.BackendFailed);
Assert.Equal(600, first.TtlSeconds);
Assert.Equal(1, policyClient.CallCount);
var second = await service.EvaluateAsync(request, CancellationToken.None);
Assert.Single(second.Decisions);
Assert.Equal(1, policyClient.CallCount); // no additional backend call
Assert.True(second.Decisions[0].FromCache);
Assert.Equal(300, second.TtlSeconds);
}
[Fact]
public async Task EvaluateAsync_FailOpenWhenBackendUnavailable()
{
var timeProvider = new TestTimeProvider(new DateTimeOffset(2025, 10, 24, 12, 0, 0, TimeSpan.Zero));
var policyClient = new StubRuntimePolicyClient(new RuntimePolicyException("backend", System.Net.HttpStatusCode.BadGateway));
var options = new ZastavaWebhookOptions
{
Admission = new ZastavaWebhookAdmissionOptions
{
FailOpenByDefault = false,
FailOpenNamespaces = new HashSet<string>(StringComparer.Ordinal) { "payments" }
}
};
var optionsMonitor = new StaticOptionsMonitor<ZastavaWebhookOptions>(options);
var cache = new RuntimePolicyCache(Options.Create(optionsMonitor.CurrentValue), timeProvider, NullLogger<RuntimePolicyCache>.Instance);
var service = new RuntimeAdmissionPolicyService(
policyClient,
new ImageDigestResolver(),
cache,
optionsMonitor,
new StubRuntimeMetrics(),
timeProvider,
NullLogger<RuntimeAdmissionPolicyService>.Instance);
var request = new RuntimeAdmissionRequest(
"payments",
new Dictionary<string, string>(),
new[] { $"ghcr.io/example/api@{SampleDigest}" });
var evaluation = await service.EvaluateAsync(request, CancellationToken.None);
Assert.True(evaluation.BackendFailed);
Assert.True(evaluation.FailOpenApplied);
Assert.Equal(300, evaluation.TtlSeconds);
var decision = Assert.Single(evaluation.Decisions);
Assert.True(decision.Allowed);
Assert.Contains("zastava.fail_open.backend_unavailable", decision.Reasons);
}
[Fact]
public async Task EvaluateAsync_FailClosedWhenNamespaceConfigured()
{
var timeProvider = new TestTimeProvider(new DateTimeOffset(2025, 10, 24, 12, 0, 0, TimeSpan.Zero));
var policyClient = new StubRuntimePolicyClient(new RuntimePolicyException("backend", System.Net.HttpStatusCode.BadGateway));
var options = new ZastavaWebhookOptions
{
Admission = new ZastavaWebhookAdmissionOptions
{
FailOpenByDefault = true,
FailClosedNamespaces = new HashSet<string>(StringComparer.Ordinal) { "critical" }
}
};
var optionsMonitor = new StaticOptionsMonitor<ZastavaWebhookOptions>(options);
var cache = new RuntimePolicyCache(Options.Create(optionsMonitor.CurrentValue), timeProvider, NullLogger<RuntimePolicyCache>.Instance);
var service = new RuntimeAdmissionPolicyService(
policyClient,
new ImageDigestResolver(),
cache,
optionsMonitor,
new StubRuntimeMetrics(),
timeProvider,
NullLogger<RuntimeAdmissionPolicyService>.Instance);
var request = new RuntimeAdmissionRequest(
"critical",
new Dictionary<string, string>(),
new[] { $"ghcr.io/example/api@{SampleDigest}" });
var evaluation = await service.EvaluateAsync(request, CancellationToken.None);
Assert.True(evaluation.BackendFailed);
Assert.False(evaluation.FailOpenApplied);
Assert.Equal(300, evaluation.TtlSeconds);
var decision = Assert.Single(evaluation.Decisions);
Assert.False(decision.Allowed);
Assert.Contains("zastava.backend.unavailable", decision.Reasons);
}
[Fact]
public async Task EvaluateAsync_ResolutionFailureProducesDeny()
{
var timeProvider = new TestTimeProvider(new DateTimeOffset(2025, 10, 24, 12, 0, 0, TimeSpan.Zero));
var policyClient = new StubRuntimePolicyClient(new RuntimePolicyResponse { TtlSeconds = 300 });
var optionsMonitor = new StaticOptionsMonitor<ZastavaWebhookOptions>(new ZastavaWebhookOptions());
var cache = new RuntimePolicyCache(Options.Create(optionsMonitor.CurrentValue), timeProvider, NullLogger<RuntimePolicyCache>.Instance);
var service = new RuntimeAdmissionPolicyService(
policyClient,
new ImageDigestResolver(),
cache,
optionsMonitor,
new StubRuntimeMetrics(),
timeProvider,
NullLogger<RuntimeAdmissionPolicyService>.Instance);
var request = new RuntimeAdmissionRequest(
Namespace: "payments",
Labels: new Dictionary<string, string>(),
Images: new[] { "ghcr.io/example/api:latest" });
var evaluation = await service.EvaluateAsync(request, CancellationToken.None);
Assert.Equal(300, evaluation.TtlSeconds);
var decision = Assert.Single(evaluation.Decisions);
Assert.False(decision.Allowed);
Assert.True(decision.ResolutionFailed);
Assert.Contains("image.reference.tag_unresolved", decision.Reasons);
}
private sealed class StubRuntimePolicyClient : IRuntimePolicyClient
{
private readonly RuntimePolicyResponse? response;
private readonly Exception? exception;
public StubRuntimePolicyClient(RuntimePolicyResponse response)
{
this.response = response;
}
public StubRuntimePolicyClient(Exception exception)
{
this.exception = exception;
}
public int CallCount { get; private set; }
public Task<RuntimePolicyResponse> EvaluateAsync(RuntimePolicyRequest request, CancellationToken cancellationToken)
{
CallCount++;
if (exception is not null)
{
throw exception;
}
return Task.FromResult(response ?? new RuntimePolicyResponse());
}
}
private sealed class StubRuntimeMetrics : IZastavaRuntimeMetrics
{
public StubRuntimeMetrics()
{
Meter = new Meter("Test.Zastava.Webhook");
RuntimeEvents = Meter.CreateCounter<long>("test.runtime.events");
AdmissionDecisions = Meter.CreateCounter<long>("test.admission.decisions");
BackendLatencyMs = Meter.CreateHistogram<double>("test.backend.latency");
DefaultTags = Array.Empty<KeyValuePair<string, object?>>();
}
public Meter Meter { get; }
public Counter<long> RuntimeEvents { get; }
public Counter<long> AdmissionDecisions { get; }
public Histogram<double> BackendLatencyMs { get; }
public IReadOnlyList<KeyValuePair<string, object?>> DefaultTags { get; }
public void Dispose() => Meter.Dispose();
}
private sealed class StaticOptionsMonitor<T> : IOptionsMonitor<T>
{
public StaticOptionsMonitor(T currentValue)
{
CurrentValue = currentValue;
}
public T CurrentValue { get; }
public T Get(string? name) => CurrentValue;
public IDisposable OnChange(Action<T, string?> listener) => NullDisposable.Instance;
private sealed class NullDisposable : IDisposable
{
public static readonly NullDisposable Instance = new();
public void Dispose()
{
}
}
}
private sealed class TestTimeProvider : TimeProvider
{
private DateTimeOffset now;
public TestTimeProvider(DateTimeOffset initial)
{
now = initial;
}
public override DateTimeOffset GetUtcNow() => now;
public void Advance(TimeSpan delta) => now = now.Add(delta);
}
}

198
src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Backend/RuntimePolicyClientTests.cs Normal file
View File

@@ -0,0 +1,198 @@
using System;
using System.Collections.Generic;
using System.Diagnostics.Metrics;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using Xunit;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Core.Configuration;
using StellaOps.Zastava.Core.Diagnostics;
using StellaOps.Zastava.Core.Security;
using StellaOps.Zastava.Webhook.Backend;
using StellaOps.Zastava.Webhook.Configuration;
namespace StellaOps.Zastava.Webhook.Tests.Backend;
public sealed class RuntimePolicyClientTests
{
[Fact]
public async Task EvaluateAsync_SendsDpOpHeaderAndParsesResponse()
{
var requestCapture = new List<HttpRequestMessage>();
var handler = new StubHttpMessageHandler(message =>
{
requestCapture.Add(message);
var response = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(JsonSerializer.Serialize(new
{
ttlSeconds = 120,
results = new
{
image = new
{
signed = true,
hasSbom = true,
policyVerdict = "pass",
reasons = Array.Empty<string>()
}
}
}), Encoding.UTF8, "application/json")
};
return response;
});
var httpClient = new HttpClient(handler)
{
BaseAddress = new Uri("https://scanner.internal")
};
var runtimeOptions = Options.Create(new ZastavaRuntimeOptions
{
Tenant = "tenant-1",
Environment = "test",
Component = "webhook",
Authority = new ZastavaAuthorityOptions
{
Audience = new[] { "scanner" },
Scopes = new[] { "aud:scanner" }
},
Logging = new ZastavaRuntimeLoggingOptions(),
Metrics = new ZastavaRuntimeMetricsOptions()
});
var webhookOptions = Options.Create(new ZastavaWebhookOptions
{
Backend = new ZastavaWebhookBackendOptions
{
BaseAddress = new Uri("https://scanner.internal"),
PolicyPath = "/api/v1/scanner/policy/runtime"
}
});
using var metrics = new StubRuntimeMetrics();
var client = new RuntimePolicyClient(
httpClient,
new StubAuthorityTokenProvider(),
new StaticOptionsMonitor<ZastavaRuntimeOptions>(runtimeOptions.Value),
new StaticOptionsMonitor<ZastavaWebhookOptions>(webhookOptions.Value),
metrics,
NullLogger<RuntimePolicyClient>.Instance);
var response = await client.EvaluateAsync(new RuntimePolicyRequest
{
Namespace = "payments",
Labels = new Dictionary<string, string> { ["app"] = "api" },
Images = new[] { "image" }
});
Assert.Equal(120, response.TtlSeconds);
Assert.True(response.Results.ContainsKey("image"));
var request = Assert.Single(requestCapture);
Assert.Equal("DPoP", request.Headers.Authorization?.Scheme);
Assert.Equal("runtime-token", request.Headers.Authorization?.Parameter);
Assert.Equal("/api/v1/scanner/policy/runtime", request.RequestUri?.PathAndQuery);
}
[Fact]
public async Task EvaluateAsync_NonSuccess_ThrowsRuntimePolicyException()
{
var handler = new StubHttpMessageHandler(_ => new HttpResponseMessage(HttpStatusCode.BadGateway)
{
Content = new StringContent("upstream error")
});
var client = new RuntimePolicyClient(
new HttpClient(handler) { BaseAddress = new Uri("https://scanner.internal") },
new StubAuthorityTokenProvider(),
new StaticOptionsMonitor<ZastavaRuntimeOptions>(new ZastavaRuntimeOptions
{
Tenant = "tenant",
Environment = "test",
Component = "webhook",
Authority = new ZastavaAuthorityOptions { Audience = new[] { "scanner" } },
Logging = new ZastavaRuntimeLoggingOptions(),
Metrics = new ZastavaRuntimeMetricsOptions()
}),
new StaticOptionsMonitor<ZastavaWebhookOptions>(new ZastavaWebhookOptions()),
new StubRuntimeMetrics(),
NullLogger<RuntimePolicyClient>.Instance);
await Assert.ThrowsAsync<RuntimePolicyException>(() => client.EvaluateAsync(new RuntimePolicyRequest
{
Namespace = "payments",
Labels = null,
Images = new[] { "image" }
}));
}
private sealed class StubAuthorityTokenProvider : IZastavaAuthorityTokenProvider
{
public ValueTask InvalidateAsync(string audience, IEnumerable<string>? additionalScopes = null, CancellationToken cancellationToken = default)
=> ValueTask.CompletedTask;
public ValueTask<ZastavaOperationalToken> GetAsync(string audience, IEnumerable<string>? additionalScopes = null, CancellationToken cancellationToken = default)
=> ValueTask.FromResult(new ZastavaOperationalToken("runtime-token", "DPoP", DateTimeOffset.UtcNow.AddMinutes(5), Array.Empty<string>()));
}
private sealed class StubRuntimeMetrics : IZastavaRuntimeMetrics
{
public StubRuntimeMetrics()
{
Meter = new Meter("Test.Zastava.Webhook");
RuntimeEvents = Meter.CreateCounter<long>("test.events");
AdmissionDecisions = Meter.CreateCounter<long>("test.decisions");
BackendLatencyMs = Meter.CreateHistogram<double>("test.backend.latency");
DefaultTags = Array.Empty<KeyValuePair<string, object?>>();
}
public Meter Meter { get; }
public Counter<long> RuntimeEvents { get; }
public Counter<long> AdmissionDecisions { get; }
public Histogram<double> BackendLatencyMs { get; }
public IReadOnlyList<KeyValuePair<string, object?>> DefaultTags { get; }
public void Dispose() => Meter.Dispose();
}
private sealed class StaticOptionsMonitor<T> : IOptionsMonitor<T>
{
public StaticOptionsMonitor(T value)
{
CurrentValue = value;
}
public T CurrentValue { get; }
public T Get(string? name) => CurrentValue;
public IDisposable OnChange(Action<T, string?> listener) => NullDisposable.Instance;
private sealed class NullDisposable : IDisposable
{
public static readonly NullDisposable Instance = new();
public void Dispose()
{
}
}
}
private sealed class StubHttpMessageHandler : HttpMessageHandler
{
private readonly Func<HttpRequestMessage, HttpResponseMessage> responder;
public StubHttpMessageHandler(Func<HttpRequestMessage, HttpResponseMessage> responder)
{
this.responder = responder;
}
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
=> Task.FromResult(responder(request));
}
}

78
src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Certificates/SecretFileCertificateSourceTests.cs Normal file
View File

@@ -0,0 +1,78 @@
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Zastava.Webhook.Certificates;
using StellaOps.Zastava.Webhook.Configuration;
using Xunit;
namespace StellaOps.Zastava.Webhook.Tests.Certificates;
public sealed class SecretFileCertificateSourceTests
{
[Fact]
public void LoadCertificate_FromPemPair_Succeeds()
{
using var rsa = RSA.Create(2048);
var request = new CertificateRequest("CN=zastava-webhook", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using var certificateWithKey = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddHours(1));
var certificatePath = Path.GetTempFileName();
var privateKeyPath = Path.GetTempFileName();
try
{
File.WriteAllText(certificatePath, certificateWithKey.ExportCertificatePem());
using var exportRsa = certificateWithKey.GetRSAPrivateKey() ?? throw new InvalidOperationException("Missing RSA private key");
var privateKeyPem = PemEncoding.Write("PRIVATE KEY", exportRsa.ExportPkcs8PrivateKey());
File.WriteAllText(privateKeyPath, privateKeyPem);
var source = new SecretFileCertificateSource(NullLogger<SecretFileCertificateSource>.Instance);
var options = new ZastavaWebhookTlsOptions
{
Mode = ZastavaWebhookTlsMode.Secret,
CertificatePath = certificatePath,
PrivateKeyPath = privateKeyPath
};
using var loaded = source.LoadCertificate(options);
Assert.Equal(certificateWithKey.Thumbprint, loaded.Thumbprint);
Assert.NotNull(loaded.GetRSAPrivateKey());
}
finally
{
File.Delete(certificatePath);
File.Delete(privateKeyPath);
}
}
[Fact]
public void LoadCertificate_FromPfx_Succeeds()
{
using var rsa = RSA.Create(2048);
var request = new CertificateRequest("CN=zastava-webhook", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using var certificateWithKey = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddHours(1));
var pfxPath = Path.GetTempFileName();
try
{
var pfxBytes = certificateWithKey.Export(X509ContentType.Pfx, "test");
File.WriteAllBytes(pfxPath, pfxBytes);
var source = new SecretFileCertificateSource(NullLogger<SecretFileCertificateSource>.Instance);
var options = new ZastavaWebhookTlsOptions
{
Mode = ZastavaWebhookTlsMode.Secret,
PfxPath = pfxPath,
PfxPassword = "test"
};
using var loaded = source.LoadCertificate(options);
Assert.Equal(certificateWithKey.Thumbprint, loaded.Thumbprint);
}
finally
{
File.Delete(pfxPath);
}
}
}

43
src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/Certificates/WebhookCertificateProviderTests.cs Normal file
View File

@@ -0,0 +1,43 @@
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Zastava.Webhook.Certificates;
using StellaOps.Zastava.Webhook.Configuration;
using Xunit;
namespace StellaOps.Zastava.Webhook.Tests.Certificates;
public sealed class WebhookCertificateProviderTests
{
[Fact]
public void Provider_UsesMatchingSource()
{
var options = Options.Create(new ZastavaWebhookOptions
{
Tls = new ZastavaWebhookTlsOptions
{
Mode = ZastavaWebhookTlsMode.Secret,
CertificatePath = "/tmp/cert.pem",
PrivateKeyPath = "/tmp/key.pem"
}
});
var source = new ThrowingCertificateSource();
var provider = new WebhookCertificateProvider(options, new[] { source }, NullLogger<WebhookCertificateProvider>.Instance);
Assert.Throws<InvalidOperationException>(() => provider.GetCertificate());
Assert.True(source.Requested);
}
private sealed class ThrowingCertificateSource : IWebhookCertificateSource
{
public bool Requested { get; private set; }
public bool CanHandle(ZastavaWebhookTlsMode mode) => true;
public System.Security.Cryptography.X509Certificates.X509Certificate2 LoadCertificate(ZastavaWebhookTlsOptions options)
{
Requested = true;
throw new InvalidOperationException("test");
}
}
}

20
src/Zastava/__Tests/StellaOps.Zastava.Webhook.Tests/StellaOps.Zastava.Webhook.Tests.csproj Normal file
View File

@@ -0,0 +1,20 @@
<?xml version='1.0' encoding='utf-8'?>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<LangVersion>preview</LangVersion>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<IsPackable>false</IsPackable>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<UseConcelierTestInfra>false</UseConcelierTestInfra>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.0" />
<PackageReference Include="xunit" Version="2.9.2" />
<PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="../../StellaOps.Zastava.Webhook/StellaOps.Zastava.Webhook.csproj" />
</ItemGroup>
</Project>