using StellaOps.AirGap.Policy;
using StellaOps.TestKit;
using System;
using Xunit;
namespace StellaOps.AirGap.Policy.Tests;
/// <summary>
/// Unit tests for <see cref="EgressPolicy"/> covering the unsealed allow path,
/// the sealed allow-rule path, and the sealed block path with operator guidance.
/// </summary>
/// <remarks>
/// NOTE(review): the cases in this part of the class do not exercise near-misses
/// against an allow rule (different port, transport, or host). The class is
/// partial, so they may live in another file; confirm they exist.
/// </remarks>
public sealed partial class EgressPolicyTests
{
    /// <summary>
    /// With <see cref="EgressPolicyMode.Unsealed"/> and no rules configured,
    /// <c>Evaluate</c> allows the request and reports no denial reason.
    /// </summary>
    [Trait("Category", TestCategories.Unit)]
    [Fact]
    public void Evaluate_UnsealedEnvironment_AllowsRequest()
    {
        var unsealedPolicy = new EgressPolicy(new EgressPolicyOptions
        {
            Mode = EgressPolicyMode.Unsealed,
        });
        var outbound = new EgressRequest("PolicyEngine", new Uri("https://example.com"), "advisory-sync");

        var verdict = unsealedPolicy.Evaluate(outbound);

        Assert.True(verdict.IsAllowed);
        Assert.Null(verdict.Reason);
    }

    /// <summary>
    /// In sealed mode, a request whose destination matches a configured allow rule
    /// passes <c>EnsureAllowed</c>; the test succeeds by not throwing.
    /// </summary>
    [Trait("Category", TestCategories.Unit)]
    [Fact]
    public void EnsureAllowed_SealedEnvironmentWithMatchingRule_Allows()
    {
        var sealedOptions = new EgressPolicyOptions
        {
            Mode = EgressPolicyMode.Sealed,
        };

        // The rule pins host, port and transport. The request URI below carries no
        // explicit port, so the match presumably relies on the https default of 443
        // (verify against the policy's matching logic).
        sealedOptions.AddAllowRule("api.example.com", 443, EgressTransport.Https);

        var sealedPolicy = new EgressPolicy(sealedOptions);
        var outbound = new EgressRequest(
            "PolicyEngine",
            new Uri("https://api.example.com/v1/status"),
            "advisory-sync");

        // No assertion needed: an unexpected block would surface as an exception.
        sealedPolicy.EnsureAllowed(outbound);
    }

    /// <summary>
    /// In sealed mode with no allow rules, <c>EnsureAllowed</c> throws
    /// <see cref="AirGapEgressBlockedException"/> carrying the error code, the blocked
    /// host, remediation text, and the configured documentation and support details.
    /// </summary>
    [Trait("Category", TestCategories.Unit)]
    [Fact]
    public void EnsureAllowed_SealedEnvironmentWithoutRule_ThrowsWithGuidance()
    {
        // Sealed mode, deliberately without any AddAllowRule call.
        var options = new EgressPolicyOptions
        {
            Mode = EgressPolicyMode.Sealed,
            RemediationDocumentationUrl = "https://docs.stella-ops.org/airgap/egress",
            SupportContact = "airgap-oncall@example.org",
        };
        var sealedPolicy = new EgressPolicy(options);
        var blockedRequest = new EgressRequest(
            "PolicyEngine",
            new Uri("https://unauthorized.example.com"),
            "advisory-sync",
            operation: "fetch-advisories");

        Action attempt = () => sealedPolicy.EnsureAllowed(blockedRequest);
        var blocked = Assert.Throws<AirGapEgressBlockedException>(attempt);

        // The message must identify both the failure class and the destination,
        // so an operator can tell which egress was refused.
        // NOTE(review): the URI here has no path or query, so this does not pin
        // whether those parts are kept out of the message. Confirm elsewhere.
        Assert.Contains(AirGapEgressBlockedException.ErrorCode, blocked.Message, StringComparison.Ordinal);
        Assert.Contains("unauthorized.example.com", blocked.Message, StringComparison.OrdinalIgnoreCase);

        // Remediation must name the allowlist setting.
        Assert.Contains("airgap.egressAllowlist", blocked.Remediation, StringComparison.OrdinalIgnoreCase);

        // The exception carries the original request and the configured guidance.
        Assert.Equal(blockedRequest, blocked.Request);
        Assert.Equal(options.RemediationDocumentationUrl, blocked.DocumentationUrl);
        Assert.Equal(options.SupportContact, blocked.SupportContact);
    }
}