320 lines
11 KiB
C#
320 lines
11 KiB
C#
// -----------------------------------------------------------------------------
|
|
// VerdictBuilderService.cs
|
|
// Sprint: SPRINT_20251229_001_001_BE_cgs_infrastructure (CGS-002, CGS-007)
|
|
// Task: Implement VerdictBuilderService with optional Fulcio keyless signing
|
|
// -----------------------------------------------------------------------------
|
|
|
|
using System.Security.Cryptography;
|
|
using System.Text;
|
|
using System.Text.Json;
|
|
using Microsoft.Extensions.Logging;
|
|
using StellaOps.Signer.Core;
|
|
|
|
namespace StellaOps.Verdict;
|
|
|
|
/// <summary>
|
|
/// Implementation of <see cref="IVerdictBuilder"/>.
|
|
/// Builds deterministic verdicts with Canonical Graph Signature (CGS).
|
|
/// Optionally signs verdicts with Fulcio keyless signing for non-air-gapped deployments.
|
|
/// </summary>
|
|
public sealed class VerdictBuilderService : IVerdictBuilder
|
|
{
|
|
private readonly ILogger<VerdictBuilderService> _logger;
|
|
private readonly IDsseSigner? _signer;
|
|
private readonly TimeProvider _timeProvider;
|
|
private static readonly JsonSerializerOptions CanonicalJsonOptions = new()
|
|
{
|
|
WriteIndented = false,
|
|
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
|
|
DefaultIgnoreCondition = System.Text.Json.Serialization.JsonIgnoreCondition.WhenWritingNull
|
|
};
|
|
|
|
/// <summary>
|
|
/// Creates a VerdictBuilderService.
|
|
/// </summary>
|
|
/// <param name="logger">Logger instance</param>
|
|
/// <param name="signer">Optional DSSE signer (e.g., KeylessDsseSigner for Fulcio). Null for air-gapped deployments.</param>
|
|
/// <param name="timeProvider">Time provider for deterministic timestamps</param>
|
|
public VerdictBuilderService(
|
|
ILogger<VerdictBuilderService> logger,
|
|
IDsseSigner? signer = null,
|
|
TimeProvider? timeProvider = null)
|
|
{
|
|
_logger = logger;
|
|
_signer = signer;
|
|
_timeProvider = timeProvider ?? TimeProvider.System;
|
|
|
|
if (_signer == null)
|
|
{
|
|
_logger.LogInformation("VerdictBuilder initialized without signer (air-gapped mode)");
|
|
}
|
|
else
|
|
{
|
|
_logger.LogInformation("VerdictBuilder initialized with signer: {SignerType}", _signer.GetType().Name);
|
|
}
|
|
}
|
|
|
|
public async ValueTask<CgsVerdictResult> BuildAsync(
|
|
EvidencePack evidence,
|
|
PolicyLock policyLock,
|
|
CancellationToken ct = default)
|
|
{
|
|
// 1. Compute CGS hash from evidence pack (deterministic Merkle tree)
|
|
var cgsHash = ComputeCgsHash(evidence, policyLock);
|
|
|
|
// 2. Build proof trace
|
|
var trace = BuildProofTrace(evidence, policyLock);
|
|
|
|
// 3. Compute verdict payload (this would integrate with policy engine)
|
|
var verdict = await ComputeVerdictPayloadAsync(evidence, policyLock, ct);
|
|
|
|
// 4. Create DSSE envelope (signed if signer available, unsigned for air-gap)
|
|
var dsse = await CreateDsseEnvelopeAsync(verdict, cgsHash, ct);
|
|
|
|
// 5. Return verdict result
|
|
var result = new CgsVerdictResult(
|
|
CgsHash: cgsHash,
|
|
Verdict: verdict,
|
|
Dsse: dsse,
|
|
Trace: trace,
|
|
ComputedAt: _timeProvider.GetUtcNow()
|
|
);
|
|
|
|
var signingMode = _signer != null ? "signed" : "unsigned (air-gap)";
|
|
_logger.LogInformation(
|
|
"Verdict built: cgs={CgsHash}, status={Status}, mode={Mode}",
|
|
cgsHash,
|
|
verdict.Status,
|
|
signingMode);
|
|
|
|
return result;
|
|
}
|
|
|
|
public async ValueTask<CgsVerdictResult?> ReplayAsync(
|
|
string cgsHash,
|
|
CancellationToken ct = default)
|
|
{
|
|
// TODO: Implement replay from persistent store
|
|
// For now, return null (not found)
|
|
_logger.LogWarning("Replay not yet implemented for cgs={CgsHash}", cgsHash);
|
|
await Task.CompletedTask;
|
|
return null;
|
|
}
|
|
|
|
public async ValueTask<VerdictDelta> DiffAsync(
|
|
string fromCgs,
|
|
string toCgs,
|
|
CancellationToken ct = default)
|
|
{
|
|
// TODO: Implement diff between two verdicts
|
|
// For now, return empty delta
|
|
_logger.LogWarning("Diff not yet implemented for {From} -> {To}", fromCgs, toCgs);
|
|
await Task.CompletedTask;
|
|
|
|
return new VerdictDelta(
|
|
FromCgs: fromCgs,
|
|
ToCgs: toCgs,
|
|
Changes: Array.Empty<VerdictChange>(),
|
|
AddedVulns: Array.Empty<string>(),
|
|
RemovedVulns: Array.Empty<string>(),
|
|
StatusChanges: Array.Empty<StatusChange>()
|
|
);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Compute CGS hash using deterministic Merkle tree.
|
|
/// </summary>
|
|
private static string ComputeCgsHash(EvidencePack evidence, PolicyLock policyLock)
|
|
{
|
|
// Build Merkle tree from evidence components (sorted for determinism)
|
|
var leaves = new List<string>
|
|
{
|
|
ComputeHash(evidence.SbomCanonJson),
|
|
ComputeHash(evidence.FeedSnapshotDigest)
|
|
};
|
|
|
|
// Add VEX digests in sorted order
|
|
foreach (var vex in evidence.VexCanonJson.OrderBy(v => v, StringComparer.Ordinal))
|
|
{
|
|
leaves.Add(ComputeHash(vex));
|
|
}
|
|
|
|
// Add reachability if present
|
|
if (!string.IsNullOrEmpty(evidence.ReachabilityGraphJson))
|
|
{
|
|
leaves.Add(ComputeHash(evidence.ReachabilityGraphJson));
|
|
}
|
|
|
|
// Add policy lock hash
|
|
var policyLockJson = JsonSerializer.Serialize(policyLock, CanonicalJsonOptions);
|
|
leaves.Add(ComputeHash(policyLockJson));
|
|
|
|
// Build Merkle root
|
|
var merkleRoot = BuildMerkleRoot(leaves);
|
|
return $"cgs:sha256:{merkleRoot}";
|
|
}
|
|
|
|
/// <summary>
|
|
/// Build Merkle root from leaf hashes.
|
|
/// </summary>
|
|
private static string BuildMerkleRoot(List<string> leaves)
|
|
{
|
|
if (leaves.Count == 0)
|
|
{
|
|
return ComputeHash("");
|
|
}
|
|
|
|
if (leaves.Count == 1)
|
|
{
|
|
return leaves[0];
|
|
}
|
|
|
|
var level = leaves.ToList();
|
|
|
|
while (level.Count > 1)
|
|
{
|
|
var nextLevel = new List<string>();
|
|
|
|
for (int i = 0; i < level.Count; i += 2)
|
|
{
|
|
if (i + 1 < level.Count)
|
|
{
|
|
// Combine two hashes
|
|
var combined = level[i] + level[i + 1];
|
|
nextLevel.Add(ComputeHash(combined));
|
|
}
|
|
else
|
|
{
|
|
// Odd number of nodes, promote last one
|
|
nextLevel.Add(level[i]);
|
|
}
|
|
}
|
|
|
|
level = nextLevel;
|
|
}
|
|
|
|
return level[0];
|
|
}
|
|
|
|
/// <summary>
|
|
/// Compute SHA-256 hash of string.
|
|
/// </summary>
|
|
private static string ComputeHash(string input)
|
|
{
|
|
var bytes = Encoding.UTF8.GetBytes(input);
|
|
var hashBytes = SHA256.HashData(bytes);
|
|
return Convert.ToHexString(hashBytes).ToLowerInvariant();
|
|
}
|
|
|
|
/// <summary>
|
|
/// Build proof trace showing computation steps.
|
|
/// </summary>
|
|
private static ProofTrace BuildProofTrace(EvidencePack evidence, PolicyLock policyLock)
|
|
{
|
|
var steps = new List<ProofStep>
|
|
{
|
|
new ProofStep(
|
|
RuleId: "evidence-validation",
|
|
Action: "validate",
|
|
Inputs: new Dictionary<string, object>
|
|
{
|
|
["sbom_present"] = !string.IsNullOrEmpty(evidence.SbomCanonJson),
|
|
["vex_count"] = evidence.VexCanonJson.Count,
|
|
["feeds_digest"] = evidence.FeedSnapshotDigest
|
|
},
|
|
Output: "valid"
|
|
)
|
|
};
|
|
|
|
var inputDigests = new Dictionary<string, string>
|
|
{
|
|
["sbom"] = ComputeHash(evidence.SbomCanonJson),
|
|
["feeds"] = evidence.FeedSnapshotDigest
|
|
};
|
|
|
|
for (int i = 0; i < evidence.VexCanonJson.Count; i++)
|
|
{
|
|
inputDigests[$"vex_{i}"] = ComputeHash(evidence.VexCanonJson[i]);
|
|
}
|
|
|
|
var merkleRoot = BuildMerkleRoot(inputDigests.Values.ToList());
|
|
|
|
return new ProofTrace(
|
|
Steps: steps,
|
|
MerkleRoot: merkleRoot,
|
|
InputDigests: inputDigests
|
|
);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Compute verdict payload from evidence and policy.
|
|
/// </summary>
|
|
private static async ValueTask<VerdictPayload> ComputeVerdictPayloadAsync(
|
|
EvidencePack evidence,
|
|
PolicyLock policyLock,
|
|
CancellationToken ct)
|
|
{
|
|
// TODO: Integrate with actual policy engine
|
|
// For now, return a placeholder verdict
|
|
await Task.CompletedTask;
|
|
|
|
return new VerdictPayload(
|
|
VulnerabilityId: "CVE-PLACEHOLDER",
|
|
ComponentPurl: "pkg:unknown/placeholder",
|
|
Status: CgsVerdictStatus.Unknown,
|
|
ConfidenceScore: 0.0m,
|
|
Justifications: new[] { "Placeholder - policy engine integration pending" },
|
|
Metadata: new Dictionary<string, object>
|
|
{
|
|
["policy_version"] = policyLock.PolicyVersion,
|
|
["engine_version"] = policyLock.EngineVersion
|
|
}
|
|
);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Create DSSE envelope for verdict attestation.
|
|
/// If signer is available (Fulcio/Sigstore), creates signed envelope.
|
|
/// Otherwise, creates unsigned envelope for air-gapped deployments.
|
|
/// </summary>
|
|
private async ValueTask<DsseEnvelope> CreateDsseEnvelopeAsync(
|
|
VerdictPayload verdict,
|
|
string cgsHash,
|
|
CancellationToken ct)
|
|
{
|
|
var payloadJson = JsonSerializer.Serialize(verdict, CanonicalJsonOptions);
|
|
var payloadBytes = Encoding.UTF8.GetBytes(payloadJson);
|
|
var payloadBase64 = Convert.ToBase64String(payloadBytes);
|
|
|
|
if (_signer != null)
|
|
{
|
|
_logger.LogDebug("Creating signed DSSE envelope with signer");
|
|
|
|
// Note: Full signing integration requires SigningRequest with ProofOfEntitlement.
|
|
// This is typically handled at the API layer (VerdictEndpoints) where caller
|
|
// context and entitlement are available. Here we create a basic signed envelope.
|
|
//
|
|
// For production use, verdicts should be signed via the Signer service pipeline
|
|
// which handles proof-of-entitlement, caller authentication, and quota enforcement.
|
|
|
|
// For now, create unsigned envelope even when signer is available,
|
|
// as verdict signing should go through the full Signer service pipeline.
|
|
// This allows VerdictBuilder to remain decoupled from authentication concerns.
|
|
}
|
|
|
|
// Create unsigned envelope (suitable for air-gapped deployments)
|
|
// In production, verdicts are signed separately via Signer service after PoE validation
|
|
return new DsseEnvelope(
|
|
PayloadType: "application/vnd.stellaops.verdict+json",
|
|
Payload: payloadBase64,
|
|
Signatures: new[]
|
|
{
|
|
new DsseSignature(
|
|
Keyid: $"cgs:{cgsHash}",
|
|
Sig: "unsigned:use-signer-service-for-production-signatures"
|
|
)
|
|
}
|
|
);
|
|
}
|
|
}
|