git.stella-ops.org/src/Policy/StellaOps.Policy.Registry/Testing/PolicyRegistryTestFixtures.cs
StellaOps Bot 0de92144d2
feat(api): Implement Console Export Client and Models
- Added ConsoleExportClient for managing export requests and responses.
- Introduced ConsoleExportRequest and ConsoleExportResponse models.
- Implemented methods for creating and retrieving exports with appropriate headers.

feat(crypto): Add Software SM2/SM3 Cryptography Provider

- Implemented SmSoftCryptoProvider for software-only SM2/SM3 cryptography.
- Added support for signing and verification using SM2 algorithm.
- Included hashing functionality with SM3 algorithm.
- Configured options for loading keys from files and environment gate checks.

test(crypto): Add unit tests for SmSoftCryptoProvider

- Created comprehensive tests for signing, verifying, and hashing functionalities.
- Ensured correct behavior for key management and error handling.

feat(api): Enhance Console Export Models

- Expanded ConsoleExport models to include detailed status and event types.
- Added support for various export formats and notification options.

test(time): Implement TimeAnchorPolicyService tests

- Developed tests for TimeAnchorPolicyService to validate time anchors.
- Covered scenarios for anchor validation, drift calculation, and policy enforcement.
2025-12-07 00:27:33 +02:00


using System.Globalization;
using StellaOps.Policy.Registry.Contracts;
using StellaOps.Policy.Registry.Services;
namespace StellaOps.Policy.Registry.Testing;
/// <summary>
/// Test fixtures and data generators for Policy Registry testing.
/// </summary>
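public static class PolicyRegistryTestFixtures
{
    /// <summary>
    /// Rule id used when a caller does not supply one. It matches the first rule returned by
    /// <see cref="CreateBasicRules"/> so violation/override fixtures line up with the rule fixtures.
    /// </summary>
    private const string DefaultRuleId = "test-rule-001";

    /// <summary>
    /// Package URL shared by the violation and override fixtures so an override created from
    /// <see cref="CreateOverrideRequest"/> scopes the violation from <see cref="CreateViolationRequest"/>.
    /// </summary>
    private const string DefaultPurl = "pkg:npm/lodash@4.17.20";

    /// <summary>
    /// Creates basic policy rules for testing: a critical-CVE deny, an SBOM requirement and a medium-CVE warning.
    /// </summary>
    /// <returns>Three enabled rules with valid Rego; every call returns fresh instances.</returns>
    public static IReadOnlyList<PolicyRule> CreateBasicRules()
    {
        return
        [
            new PolicyRule
            {
                RuleId = DefaultRuleId,
                Name = "Deny Critical CVEs",
                Description = "Blocks any image with critical CVEs",
                Severity = Severity.Critical,
                // Rego is whitespace-insensitive; the doubled quotes are verbatim-string escapes.
                Rego = @"
package stellaops.policy.test
default deny = false
deny {
input.vulnerabilities[_].severity == ""critical""
}
",
                Enabled = true
            },
            new PolicyRule
            {
                RuleId = "test-rule-002",
                Name = "Require SBOM",
                Description = "Requires valid SBOM for all images",
                Severity = Severity.High,
                Rego = @"
package stellaops.policy.test
default require_sbom = false
require_sbom {
input.sbom != null
count(input.sbom.packages) > 0
}
",
                Enabled = true
            },
            new PolicyRule
            {
                RuleId = "test-rule-003",
                Name = "Warn on Medium CVEs",
                Description = "Warns when medium severity CVEs are present",
                Severity = Severity.Medium,
                Rego = @"
package stellaops.policy.test
warn[msg] {
vuln := input.vulnerabilities[_]
vuln.severity == ""medium""
msg := sprintf(""Medium CVE found: %s"", [vuln.id])
}
",
                Enabled = true
            }
        ];
    }

    /// <summary>
    /// Creates rules with Rego syntax errors for testing compilation failures.
    /// </summary>
    /// <returns>
    /// A single enabled rule whose Rego contains an unterminated string literal; a compiler that
    /// accepts it is not rejecting malformed policy.
    /// </returns>
    public static IReadOnlyList<PolicyRule> CreateInvalidRegoRules()
    {
        return
        [
            new PolicyRule
            {
                RuleId = "invalid-rule-001",
                Name = "Invalid Syntax",
                Description = "Rule with syntax errors",
                Severity = Severity.High,
                // The missing closing quote is the intended defect; keep it when editing this fixture.
                Rego = @"
package stellaops.policy.test
deny {
input.something == ""value
} // missing closing quote
",
                Enabled = true
            }
        ];
    }

    /// <summary>
    /// Creates rules without Rego code for testing name-based matching.
    /// </summary>
    /// <returns>Two enabled rules whose <c>Rego</c> property is left unset.</returns>
    public static IReadOnlyList<PolicyRule> CreateRulesWithoutRego()
    {
        return
        [
            new PolicyRule
            {
                RuleId = "no-rego-001",
                Name = "Vulnerability Check",
                Description = "Checks for vulnerabilities",
                Severity = Severity.High,
                Enabled = true
            },
            new PolicyRule
            {
                RuleId = "no-rego-002",
                Name = "License Compliance",
                Description = "Verifies license compliance",
                Severity = Severity.Medium,
                Enabled = true
            }
        ];
    }

    /// <summary>
    /// Creates test simulation input: a container-image subject, one critical and one medium
    /// vulnerability, an SPDX SBOM listing both affected packages, and a production context.
    /// </summary>
    /// <returns>
    /// A fresh nested dictionary per call, so tests can mutate it without sharing state. The digest
    /// <c>sha256:abc123</c> is a placeholder, not a well-formed OCI digest.
    /// </returns>
    public static IReadOnlyDictionary<string, object> CreateTestSimulationInput()
    {
        return new Dictionary<string, object>
        {
            ["subject"] = new Dictionary<string, object>
            {
                ["type"] = "container_image",
                ["name"] = "myregistry.io/myapp",
                ["digest"] = "sha256:abc123"
            },
            // The critical entry should trip "Deny Critical CVEs"; the medium one "Warn on Medium CVEs".
            ["vulnerabilities"] = new[]
            {
                new Dictionary<string, object>
                {
                    ["id"] = "CVE-2024-1234",
                    ["severity"] = "critical",
                    ["package"] = "openssl",
                    ["version"] = "1.1.1"
                },
                new Dictionary<string, object>
                {
                    ["id"] = "CVE-2024-5678",
                    ["severity"] = "medium",
                    ["package"] = "curl",
                    ["version"] = "7.88.0"
                }
            },
            // Non-empty package list satisfies "Require SBOM".
            ["sbom"] = new Dictionary<string, object>
            {
                ["format"] = "spdx",
                ["packages"] = new[]
                {
                    new Dictionary<string, object> { ["name"] = "openssl", ["version"] = "1.1.1" },
                    new Dictionary<string, object> { ["name"] = "curl", ["version"] = "7.88.0" }
                }
            },
            ["context"] = new Dictionary<string, object>
            {
                ["environment"] = "production",
                ["namespace"] = "default"
            }
        };
    }

    /// <summary>
    /// Creates batch simulation inputs, each wrapping its own copy of <see cref="CreateTestSimulationInput"/>.
    /// </summary>
    /// <param name="count">Number of inputs to create; values below zero yield an empty batch.</param>
    /// <returns>Inputs with ids <c>input-000</c>, <c>input-001</c>, … and an <c>index</c> tag.</returns>
    public static IReadOnlyList<BatchSimulationInput> CreateBatchSimulationInputs(int count = 5)
    {
        // Enumerable.Range throws on a negative count, whereas the fixture should just be empty.
        return Enumerable.Range(0, Math.Max(count, 0))
            .Select(i => new BatchSimulationInput
            {
                InputId = $"input-{i.ToString("D3", CultureInfo.InvariantCulture)}",
                Input = CreateTestSimulationInput(),
                Tags = new Dictionary<string, string>
                {
                    ["test_batch"] = "true",
                    // Invariant culture keeps the tag stable regardless of the test host's locale.
                    ["index"] = i.ToString(CultureInfo.InvariantCulture)
                }
            })
            .ToList();
    }

    /// <summary>
    /// Creates a verification policy request.
    /// </summary>
    /// <param name="policyId">Policy id to use; a random <c>test-policy-…</c> id is generated when null.</param>
    /// <returns>
    /// A request accepting SLSA provenance and SPDX predicates. The wildcard tenant scope, placeholder
    /// fingerprints and <c>RequireRekor = false</c> are deliberately permissive test values and must not
    /// be copied into a real policy.
    /// </returns>
    public static CreateVerificationPolicyRequest CreateVerificationPolicyRequest(
        string? policyId = null)
    {
        return new CreateVerificationPolicyRequest
        {
            PolicyId = policyId ?? $"test-policy-{Guid.NewGuid():N}",
            Version = "1.0.0",
            Description = "Test verification policy",
            TenantScope = "*",
            PredicateTypes = ["https://slsa.dev/provenance/v1", "https://spdx.dev/Document"],
            SignerRequirements = new SignerRequirements
            {
                MinimumSignatures = 1,
                // Placeholders, not real key fingerprints.
                TrustedKeyFingerprints = ["SHA256:test-fingerprint-1", "SHA256:test-fingerprint-2"],
                RequireRekor = false
            },
            ValidityWindow = new ValidityWindow
            {
                MaxAttestationAge = 86400 // 24 hours, in seconds
            }
        };
    }

    /// <summary>
    /// Creates a snapshot request.
    /// </summary>
    /// <param name="packIds">Pack ids to include; when none are given (or null is passed explicitly) a single random id is used.</param>
    /// <returns>A request with a <c>created_for_test</c> metadata marker.</returns>
    public static CreateSnapshotRequest CreateSnapshotRequest(params Guid[] packIds)
    {
        return new CreateSnapshotRequest
        {
            Description = "Test snapshot",
            // A params array is null when a caller passes (Guid[])null; treat that like "no ids".
            PackIds = packIds is { Length: > 0 } ? packIds.ToList() : [Guid.NewGuid()],
            Metadata = new Dictionary<string, object>
            {
                ["created_for_test"] = true
            }
        };
    }

    /// <summary>
    /// Creates a violation request.
    /// </summary>
    /// <param name="ruleId">Rule the violation belongs to; defaults to <c>test-rule-001</c>.</param>
    /// <param name="severity">Severity to report; defaults to <see cref="Severity.High"/>.</param>
    /// <returns>
    /// A violation against the shared test package URL. <c>detected_at</c> is taken from the real clock,
    /// so assertions should not compare it to a fixed value.
    /// </returns>
    public static CreateViolationRequest CreateViolationRequest(
        string? ruleId = null,
        Severity severity = Severity.High)
    {
        // Resolve once so RuleId and Message cannot drift apart.
        var effectiveRuleId = ruleId ?? DefaultRuleId;
        return new CreateViolationRequest
        {
            RuleId = effectiveRuleId,
            Severity = severity,
            Message = $"Test violation for rule {effectiveRuleId}",
            Purl = DefaultPurl,
            CveId = "CVE-2024-1234",
            Context = new Dictionary<string, object>
            {
                ["environment"] = "test",
                // "O" (round-trip) is culture-invariant, so no CultureInfo argument is needed.
                ["detected_at"] = DateTimeOffset.UtcNow.ToString("O")
            }
        };
    }

    /// <summary>
    /// Creates an override request.
    /// </summary>
    /// <param name="ruleId">Rule to override; defaults to <c>test-rule-001</c>.</param>
    /// <returns>
    /// An override scoped to the shared test package URL in the <c>development</c> environment,
    /// expiring 30 days after the call (real clock, so not stable across test runs).
    /// </returns>
    public static CreateOverrideRequest CreateOverrideRequest(
        string? ruleId = null)
    {
        return new CreateOverrideRequest
        {
            RuleId = ruleId ?? DefaultRuleId,
            Reason = "Test override for false positive",
            Scope = new OverrideScope
            {
                Purl = DefaultPurl,
                Environment = "development"
            },
            ExpiresAt = DateTimeOffset.UtcNow.AddDays(30)
        };
    }
}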