up

tests/AirGap/StellaOps.AirGap.Controller.Tests/AirGapStartupDiagnosticsHostedServiceTests.cs

@@ -0,0 +1,163 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using StellaOps.AirGap.Controller.Domain;
+using StellaOps.AirGap.Controller.Options;
+using StellaOps.AirGap.Controller.Services;
+using StellaOps.AirGap.Controller.Stores;
+using StellaOps.AirGap.Importer.Validation;
+using StellaOps.AirGap.Time.Models;
+using StellaOps.AirGap.Time.Services;
+using Xunit;
+
+namespace StellaOps.AirGap.Controller.Tests;
+
+public class AirGapStartupDiagnosticsHostedServiceTests
+{
+    [Fact]
+    public async Task Blocks_when_allowlist_missing_for_sealed_state()
+    {
+        var now = DateTimeOffset.UtcNow;
+        var store = new InMemoryAirGapStateStore();
+        await store.SetAsync(new AirGapState
+        {
+            TenantId = "default",
+            Sealed = true,
+            PolicyHash = "policy-x",
+            TimeAnchor = new TimeAnchor(now, "rough", "rough", "fp", "digest"),
+            StalenessBudget = new StalenessBudget(60, 120)
+        });
+
+        var trustDir = CreateTrustMaterial();
+        var options = BuildOptions(trustDir);
+        options.EgressAllowlist = null; // simulate missing config section
+
+        var service = CreateService(store, options, now);
+
+        var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => service.StartAsync(CancellationToken.None));
+        Assert.Contains("egress-allowlist-missing", ex.Message);
+    }
+
+    [Fact]
+    public async Task Passes_when_materials_present_and_anchor_fresh()
+    {
+        var now = DateTimeOffset.UtcNow;
+        var store = new InMemoryAirGapStateStore();
+        await store.SetAsync(new AirGapState
+        {
+            TenantId = "default",
+            Sealed = true,
+            PolicyHash = "policy-ok",
+            TimeAnchor = new TimeAnchor(now.AddMinutes(-1), "rough", "rough", "fp", "digest"),
+            StalenessBudget = new StalenessBudget(300, 600)
+        });
+
+        var trustDir = CreateTrustMaterial();
+        var options = BuildOptions(trustDir, new[] { "127.0.0.1/32" });
+
+        var service = CreateService(store, options, now);
+
+        await service.StartAsync(CancellationToken.None); // should not throw
+    }
+
+    [Fact]
+    public async Task Blocks_when_anchor_is_stale()
+    {
+        var now = DateTimeOffset.UtcNow;
+        var store = new InMemoryAirGapStateStore();
+        await store.SetAsync(new AirGapState
+        {
+            TenantId = "default",
+            Sealed = true,
+            PolicyHash = "policy-stale",
+            TimeAnchor = new TimeAnchor(now.AddHours(-2), "rough", "rough", "fp", "digest"),
+            StalenessBudget = new StalenessBudget(60, 90)
+        });
+
+        var trustDir = CreateTrustMaterial();
+        var options = BuildOptions(trustDir, new[] { "10.0.0.0/24" });
+
+        var service = CreateService(store, options, now);
+
+        var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => service.StartAsync(CancellationToken.None));
+        Assert.Contains("time-anchor-stale", ex.Message);
+    }
+
+    [Fact]
+    public async Task Blocks_when_rotation_pending_without_dual_approval()
+    {
+        var now = DateTimeOffset.UtcNow;
+        var store = new InMemoryAirGapStateStore();
+        await store.SetAsync(new AirGapState
+        {
+            TenantId = "default",
+            Sealed = true,
+            PolicyHash = "policy-rot",
+            TimeAnchor = new TimeAnchor(now, "rough", "rough", "fp", "digest"),
+            StalenessBudget = new StalenessBudget(120, 240)
+        });
+
+        var trustDir = CreateTrustMaterial();
+        var options = BuildOptions(trustDir, new[] { "10.10.0.0/16" });
+        options.Rotation.PendingKeys["k-new"] = Convert.ToBase64String(new byte[] { 1, 2, 3 });
+        options.Rotation.ActiveKeys["k-old"] = Convert.ToBase64String(new byte[] { 9, 9, 9 });
+        options.Rotation.ApproverIds.Add("approver-1");
+
+        var service = CreateService(store, options, now);
+
+        var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => service.StartAsync(CancellationToken.None));
+        Assert.Contains("rotation:rotation-dual-approval-required", ex.Message);
+    }
+
+    private static AirGapStartupOptions BuildOptions(string trustDir, string[]? allowlist = null)
+    {
+        return new AirGapStartupOptions
+        {
+            TenantId = "default",
+            EgressAllowlist = allowlist,
+            Trust = new TrustMaterialOptions
+            {
+                RootJsonPath = Path.Combine(trustDir, "root.json"),
+                SnapshotJsonPath = Path.Combine(trustDir, "snapshot.json"),
+                TimestampJsonPath = Path.Combine(trustDir, "timestamp.json")
+            }
+        };
+    }
+
+    private static AirGapStartupDiagnosticsHostedService CreateService(IAirGapStateStore store, AirGapStartupOptions options, DateTimeOffset now)
+    {
+        return new AirGapStartupDiagnosticsHostedService(
+            store,
+            new StalenessCalculator(),
+            new FixedTimeProvider(now),
+            Microsoft.Extensions.Options.Options.Create(options),
+            NullLogger<AirGapStartupDiagnosticsHostedService>.Instance,
+            new AirGapTelemetry(NullLogger<AirGapTelemetry>.Instance),
+            new TufMetadataValidator(),
+            new RootRotationPolicy());
+    }
+
+    private static string CreateTrustMaterial()
+    {
+        var dir = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "airgap-trust-" + Guid.NewGuid().ToString("N"))).FullName;
+        var expires = DateTimeOffset.UtcNow.AddDays(1).ToString("O");
+        const string hash = "abc123";
+
+        File.WriteAllText(Path.Combine(dir, "root.json"), $"{{\"version\":1,\"expiresUtc\":\"{expires}\"}}");
+        File.WriteAllText(Path.Combine(dir, "snapshot.json"), $"{{\"version\":1,\"expiresUtc\":\"{expires}\",\"meta\":{{\"snapshot\":{{\"hashes\":{{\"sha256\":\"{hash}\"}}}}}}}}");
+        File.WriteAllText(Path.Combine(dir, "timestamp.json"), $"{{\"version\":1,\"expiresUtc\":\"{expires}\",\"snapshot\":{{\"meta\":{{\"hashes\":{{\"sha256\":\"{hash}\"}}}}}}}}");
+
+        return dir;
+    }
+
+    private sealed class FixedTimeProvider : TimeProvider
+    {
+        private readonly DateTimeOffset _now;
+
+        public FixedTimeProvider(DateTimeOffset now)
+        {
+            _now = now;
+        }
+
+        public override DateTimeOffset GetUtcNow() => _now;
+    }
+}

tests/AirGap/StellaOps.AirGap.Controller.Tests/AirGapStateServiceTests.cs

@@ -32,6 +32,7 @@ public class AirGapStateServiceTests
         Assert.Equal("tenant-a", status.State.TenantId);
         Assert.True(status.Staleness.AgeSeconds > 0);
         Assert.True(status.Staleness.IsWarning);
+        Assert.Equal(120 - status.Staleness.AgeSeconds, status.Staleness.SecondsRemaining);
     }
 
     [Fact]

tests/AirGap/StellaOps.AirGap.Controller.Tests/MongoAirGapStateStoreTests.cs

@@ -1,3 +1,4 @@
+using MongoDB.Bson;
 using MongoDB.Driver;
 using StellaOps.AirGap.Controller.Domain;
 using StellaOps.AirGap.Controller.Stores;
@@ -66,6 +67,115 @@ public class MongoAirGapStateStoreTests : IDisposable
         Assert.Equal("absent", stored.TenantId);
     }
 
+    [Fact]
+    public async Task Creates_unique_index_on_tenant_and_id()
+    {
+        var indexes = await _collection.Indexes.List().ToListAsync();
+        var match = indexes.FirstOrDefault(idx =>
+        {
+            var key = idx["key"].AsBsonDocument;
+            return key.ElementCount == 2
+                   && key.Names.ElementAt(0) == "tenant_id"
+                   && key.Names.ElementAt(1) == "_id";
+        });
+
+        Assert.NotNull(match);
+        Assert.True(match!["unique"].AsBoolean);
+    }
+
+    [Fact]
+    public async Task Parallel_upserts_keep_single_document()
+    {
+        var tasks = Enumerable.Range(0, 20).Select(i =>
+        {
+            var state = new AirGapState
+            {
+                TenantId = "tenant-parallel",
+                Sealed = i % 2 == 0,
+                PolicyHash = $"hash-{i}"
+            };
+            return _store.SetAsync(state);
+        });
+
+        await Task.WhenAll(tasks);
+
+        var stored = await _store.GetAsync("tenant-parallel");
+        Assert.StartsWith("hash-", stored.PolicyHash);
+
+        var count = await _collection.CountDocumentsAsync(Builders<AirGapStateDocument>.Filter.Eq(x => x.TenantId, "tenant-parallel"));
+        Assert.Equal(1, count);
+    }
+
+    [Fact]
+    public async Task Multi_tenant_updates_do_not_collide()
+    {
+        var tenants = Enumerable.Range(0, 5).Select(i => $"t-{i}").ToArray();
+
+        var tasks = tenants.Select(t => _store.SetAsync(new AirGapState
+        {
+            TenantId = t,
+            Sealed = true,
+            PolicyHash = $"hash-{t}"
+        }));
+
+        await Task.WhenAll(tasks);
+
+        foreach (var t in tenants)
+        {
+            var stored = await _store.GetAsync(t);
+            Assert.Equal($"hash-{t}", stored.PolicyHash);
+        }
+
+        var totalDocs = await _collection.CountDocumentsAsync(FilterDefinition<AirGapStateDocument>.Empty);
+        Assert.Equal(tenants.Length, totalDocs);
+    }
+
+    [Fact]
+    public async Task Staleness_round_trip_matches_budget()
+    {
+        var anchor = new TimeAnchor(DateTimeOffset.UtcNow.AddMinutes(-3), "roughtime", "roughtime", "fp", "digest");
+        var budget = new StalenessBudget(60, 600);
+        await _store.SetAsync(new AirGapState
+        {
+            TenantId = "tenant-staleness",
+            Sealed = true,
+            PolicyHash = "hash-s",
+            TimeAnchor = anchor,
+            StalenessBudget = budget,
+            LastTransitionAt = DateTimeOffset.UtcNow
+        });
+
+        var stored = await _store.GetAsync("tenant-staleness");
+        Assert.Equal(anchor.TokenDigest, stored.TimeAnchor.TokenDigest);
+        Assert.Equal(budget.WarningSeconds, stored.StalenessBudget.WarningSeconds);
+        Assert.Equal(budget.BreachSeconds, stored.StalenessBudget.BreachSeconds);
+    }
+
+    [Fact]
+    public async Task Multi_tenant_states_preserve_transition_times()
+    {
+        var tenants = new[] { "a", "b", "c" };
+        var now = DateTimeOffset.UtcNow;
+
+        foreach (var t in tenants)
+        {
+            await _store.SetAsync(new AirGapState
+            {
+                TenantId = t,
+                Sealed = true,
+                PolicyHash = $"ph-{t}",
+                LastTransitionAt = now
+            });
+        }
+
+        foreach (var t in tenants)
+        {
+            var state = await _store.GetAsync(t);
+            Assert.Equal(now, state.LastTransitionAt);
+            Assert.Equal($"ph-{t}", state.PolicyHash);
+        }
+    }
+
     public void Dispose()
     {
         _mongo.Dispose();

tests/AirGap/StellaOps.AirGap.Controller.Tests/MongoRunnerFixture.cs

@@ -0,0 +1,24 @@
+using Mongo2Go;
+using MongoDB.Driver;
+using StellaOps.Testing;
+
+namespace StellaOps.AirGap.Controller.Tests;
+
+internal sealed class MongoRunnerFixture : IDisposable
+{
+    private readonly MongoDbRunner _runner;
+
+    public MongoRunnerFixture()
+    {
+        OpenSslAutoInit.Init();
+        _runner = MongoDbRunner.Start(singleNodeReplSet: true);
+        Client = new MongoClient(_runner.ConnectionString);
+    }
+
+    public IMongoClient Client { get; }
+
+    public void Dispose()
+    {
+        _runner.Dispose();
+    }
+}

tests/AirGap/StellaOps.AirGap.Controller.Tests/StellaOps.AirGap.Controller.Tests.csproj

@@ -9,9 +9,10 @@
     <PackageReference Include="xunit" Version="2.9.2" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
+    <PackageReference Include="Mongo2Go" Version="4.1.0" />
   </ItemGroup>
   <ItemGroup>
-    <ProjectReference Include="../../shared/Testing.Shared/Testing.Shared.csproj" />
     <ProjectReference Include="../../../src/AirGap/StellaOps.AirGap.Controller/StellaOps.AirGap.Controller.csproj" />
+    <Compile Include="../../shared/*.cs" Link="Shared/%(Filename)%(Extension)" />
   </ItemGroup>
 </Project>