stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

up
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Details
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Details
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Details
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-13 18:08:55 +02:00
parent 6e45066e37
commit f1a39c4ce3
234 changed files with 24038 additions and 6910 deletions
Download Patch File Download Diff File Expand all files Collapse all files

342
src/Signals/__Tests/StellaOps.Signals.Tests/RuntimeFactsIngestionServiceTests.cs
View File

@@ -1,7 +1,9 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using StellaOps.Signals.Models;
using StellaOps.Signals.Persistence;
@@ -148,4 +150,344 @@ public class RuntimeFactsIngestionServiceTests
});
}
}
#region Tenant Isolation Tests
[Fact]
public async Task IngestAsync_IsolatesFactsBySubjectKey_NoDataLeakBetweenTenants()
{
// Arrange: Two tenants with different subjects
var factRepository = new TenantAwareFactRepository();
var service = CreateService(factRepository);
var tenant1Request = new RuntimeFactsIngestRequest
{
Subject = new ReachabilitySubject { ScanId = "scan-tenant1" },
CallgraphId = "cg-tenant1",
Events = new List<RuntimeFactEvent>
{
new() { SymbolId = "tenant1.secret.func", HitCount = 1 }
}
};
var tenant2Request = new RuntimeFactsIngestRequest
{
Subject = new ReachabilitySubject { ScanId = "scan-tenant2" },
CallgraphId = "cg-tenant2",
Events = new List<RuntimeFactEvent>
{
new() { SymbolId = "tenant2.public.func", HitCount = 1 }
}
};
// Act
await service.IngestAsync(tenant1Request, CancellationToken.None);
await service.IngestAsync(tenant2Request, CancellationToken.None);
// Assert: Each tenant only sees their own data
var tenant1Facts = await factRepository.GetBySubjectAsync("scan-tenant1", CancellationToken.None);
var tenant2Facts = await factRepository.GetBySubjectAsync("scan-tenant2", CancellationToken.None);
tenant1Facts.Should().NotBeNull();
tenant1Facts!.RuntimeFacts.Should().ContainSingle(f => f.SymbolId == "tenant1.secret.func");
tenant1Facts.RuntimeFacts.Should().NotContain(f => f.SymbolId == "tenant2.public.func");
tenant2Facts.Should().NotBeNull();
tenant2Facts!.RuntimeFacts.Should().ContainSingle(f => f.SymbolId == "tenant2.public.func");
tenant2Facts.RuntimeFacts.Should().NotContain(f => f.SymbolId == "tenant1.secret.func");
}
[Fact]
public async Task IngestAsync_SubjectKeyIsDeterministic_ForSameInput()
{
// Arrange
var factRepository = new TenantAwareFactRepository();
var service = CreateService(factRepository);
var subject = new ReachabilitySubject { Component = "mylib", Version = "1.0.0" };
var request1 = new RuntimeFactsIngestRequest
{
Subject = subject,
CallgraphId = "cg-1",
Events = new List<RuntimeFactEvent> { new() { SymbolId = "sym1", HitCount = 1 } }
};
var request2 = new RuntimeFactsIngestRequest
{
Subject = new ReachabilitySubject { Component = "mylib", Version = "1.0.0" },
CallgraphId = "cg-2",
Events = new List<RuntimeFactEvent> { new() { SymbolId = "sym2", HitCount = 1 } }
};
// Act
var response1 = await service.IngestAsync(request1, CancellationToken.None);
var response2 = await service.IngestAsync(request2, CancellationToken.None);
// Assert: Same subject produces same key (deterministic)
response1.SubjectKey.Should().Be(response2.SubjectKey);
response1.SubjectKey.Should().Be("mylib|1.0.0");
}
[Fact]
public async Task IngestAsync_BuildIdCorrelation_PreservesPerFactBuildId()
{
// Arrange
var factRepository = new TenantAwareFactRepository();
var service = CreateService(factRepository);
var request = new RuntimeFactsIngestRequest
{
Subject = new ReachabilitySubject { ImageDigest = "sha256:abc123" },
CallgraphId = "cg-buildid-test",
Events = new List<RuntimeFactEvent>
{
new()
{
SymbolId = "libssl.SSL_read",
BuildId = "gnu-build-id:5f0c7c3cab2eb9bc",
HitCount = 10
},
new()
{
SymbolId = "libcrypto.EVP_encrypt",
BuildId = "gnu-build-id:a1b2c3d4e5f6",
HitCount = 5
}
}
};
// Act
var response = await service.IngestAsync(request, CancellationToken.None);
// Assert: Build-IDs are preserved per runtime fact
var persisted = await factRepository.GetBySubjectAsync(response.SubjectKey, CancellationToken.None);
persisted.Should().NotBeNull();
persisted!.RuntimeFacts.Should().HaveCount(2);
var sslFact = persisted.RuntimeFacts.Single(f => f.SymbolId == "libssl.SSL_read");
sslFact.BuildId.Should().Be("gnu-build-id:5f0c7c3cab2eb9bc");
var cryptoFact = persisted.RuntimeFacts.Single(f => f.SymbolId == "libcrypto.EVP_encrypt");
cryptoFact.BuildId.Should().Be("gnu-build-id:a1b2c3d4e5f6");
}
[Fact]
public async Task IngestAsync_CodeIdCorrelation_PreservesPerFactCodeId()
{
// Arrange
var factRepository = new TenantAwareFactRepository();
var service = CreateService(factRepository);
var request = new RuntimeFactsIngestRequest
{
Subject = new ReachabilitySubject { Component = "native-lib", Version = "2.0.0" },
CallgraphId = "cg-codeid-test",
Events = new List<RuntimeFactEvent>
{
new()
{
SymbolId = "stripped_func_0x1234",
CodeId = "code:binary:abc123xyz",
HitCount = 3
}
}
};
// Act
var response = await service.IngestAsync(request, CancellationToken.None);
// Assert: Code-ID is preserved for stripped binaries
var persisted = await factRepository.GetBySubjectAsync(response.SubjectKey, CancellationToken.None);
persisted.Should().NotBeNull();
persisted!.RuntimeFacts.Should().ContainSingle();
persisted.RuntimeFacts[0].CodeId.Should().Be("code:binary:abc123xyz");
}
[Fact]
public async Task IngestAsync_RejectsRequest_WhenSubjectMissing()
{
// Arrange
var service = CreateService(new TenantAwareFactRepository());
var request = new RuntimeFactsIngestRequest
{
Subject = null!,
CallgraphId = "cg-1",
Events = new List<RuntimeFactEvent> { new() { SymbolId = "sym", HitCount = 1 } }
};
// Act & Assert
await Assert.ThrowsAsync<RuntimeFactsValidationException>(
() => service.IngestAsync(request, CancellationToken.None));
}
[Fact]
public async Task IngestAsync_RejectsRequest_WhenCallgraphIdMissing()
{
// Arrange
var service = CreateService(new TenantAwareFactRepository());
var request = new RuntimeFactsIngestRequest
{
Subject = new ReachabilitySubject { ScanId = "scan-1" },
CallgraphId = null!,
Events = new List<RuntimeFactEvent> { new() { SymbolId = "sym", HitCount = 1 } }
};
// Act & Assert
await Assert.ThrowsAsync<RuntimeFactsValidationException>(
() => service.IngestAsync(request, CancellationToken.None));
}
[Fact]
public async Task IngestAsync_RejectsRequest_WhenEventsEmpty()
{
// Arrange
var service = CreateService(new TenantAwareFactRepository());
var request = new RuntimeFactsIngestRequest
{
Subject = new ReachabilitySubject { ScanId = "scan-1" },
CallgraphId = "cg-1",
Events = new List<RuntimeFactEvent>()
};
// Act & Assert
await Assert.ThrowsAsync<RuntimeFactsValidationException>(
() => service.IngestAsync(request, CancellationToken.None));
}
[Fact]
public async Task IngestAsync_RejectsRequest_WhenEventMissingSymbolId()
{
// Arrange
var service = CreateService(new TenantAwareFactRepository());
var request = new RuntimeFactsIngestRequest
{
Subject = new ReachabilitySubject { ScanId = "scan-1" },
CallgraphId = "cg-1",
Events = new List<RuntimeFactEvent>
{
new() { SymbolId = null!, HitCount = 1 }
}
};
// Act & Assert
await Assert.ThrowsAsync<RuntimeFactsValidationException>(
() => service.IngestAsync(request, CancellationToken.None));
}
#endregion
#region Evidence URI Tests
[Fact]
public async Task IngestAsync_PreservesEvidenceUri_FromRuntimeEvent()
{
// Arrange
var factRepository = new TenantAwareFactRepository();
var service = CreateService(factRepository);
var request = new RuntimeFactsIngestRequest
{
Subject = new ReachabilitySubject { ScanId = "scan-evidence" },
CallgraphId = "cg-evidence",
Events = new List<RuntimeFactEvent>
{
new()
{
SymbolId = "vulnerable.func",
HitCount = 1,
EvidenceUri = "cas://signals/evidence/sha256:deadbeef"
}
}
};
// Act
var response = await service.IngestAsync(request, CancellationToken.None);
// Assert
var persisted = await factRepository.GetBySubjectAsync(response.SubjectKey, CancellationToken.None);
persisted.Should().NotBeNull();
persisted!.RuntimeFacts.Should().ContainSingle();
persisted.RuntimeFacts[0].EvidenceUri.Should().Be("cas://signals/evidence/sha256:deadbeef");
}
#endregion
#region Helper Methods
private static RuntimeFactsIngestionService CreateService(IReachabilityFactRepository factRepository)
{
return new RuntimeFactsIngestionService(
factRepository,
TimeProvider.System,
new InMemoryReachabilityCache(),
new RecordingEventsPublisher(),
new RecordingScoringService(),
new RuntimeFactsProvenanceNormalizer(),
NullLogger<RuntimeFactsIngestionService>.Instance);
}
#endregion
#region Test Doubles
private sealed class TenantAwareFactRepository : IReachabilityFactRepository
{
private readonly Dictionary<string, ReachabilityFactDocument> _store = new(StringComparer.Ordinal);
public Task<ReachabilityFactDocument?> GetBySubjectAsync(string subjectKey, CancellationToken cancellationToken)
{
return Task.FromResult(_store.TryGetValue(subjectKey, out var doc) ? doc : null);
}
public Task<ReachabilityFactDocument> UpsertAsync(ReachabilityFactDocument document, CancellationToken cancellationToken)
{
_store[document.SubjectKey] = document;
return Task.FromResult(document);
}
public Task<IReadOnlyList<ReachabilityFactDocument>> GetExpiredAsync(DateTimeOffset cutoff, int limit, CancellationToken cancellationToken)
{
var expired = _store.Values
.Where(d => d.ComputedAt < cutoff)
.OrderBy(d => d.ComputedAt)
.Take(limit)
.ToList();
return Task.FromResult<IReadOnlyList<ReachabilityFactDocument>>(expired);
}
public Task<bool> DeleteAsync(string subjectKey, CancellationToken cancellationToken)
{
return Task.FromResult(_store.Remove(subjectKey));
}
public Task<int> GetRuntimeFactsCountAsync(string subjectKey, CancellationToken cancellationToken)
{
if (_store.TryGetValue(subjectKey, out var doc))
{
return Task.FromResult(doc.RuntimeFacts?.Count ?? 0);
}
return Task.FromResult(0);
}
public Task TrimRuntimeFactsAsync(string subjectKey, int maxCount, CancellationToken cancellationToken)
{
if (_store.TryGetValue(subjectKey, out var doc) && doc.RuntimeFacts is { Count: > 0 })
{
if (doc.RuntimeFacts.Count > maxCount)
{
doc.RuntimeFacts = doc.RuntimeFacts
.OrderByDescending(f => f.ObservedAt ?? DateTimeOffset.MinValue)
.Take(maxCount)
.ToList();
}
}
return Task.CompletedTask;
}
}
#endregion
}