stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
726d70dc7f2b82de97a62855db3ec6727cd1aeb6
git.stella-ops.org/src/Policy/__Tests/StellaOps.Policy.Engine.Tests/PolicyRuntimeEvaluationServiceTests.cs
master 726d70dc7f tests fixes and sprints work
2026-01-22 19:08:46 +02:00

553 lines
21 KiB
C#
Raw Blame History

using System.Collections.Immutable;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Policy.Engine.Caching;
using StellaOps.Policy.Engine.Compilation;
using StellaOps.Policy.Engine.Domain;
using StellaOps.Policy.Engine.Evaluation;
using StellaOps.Policy.Engine.ReachabilityFacts;
using StellaOps.Policy.Engine.Options;
using StellaOps.Policy.Engine.Services;
using StellaOps.Policy.Engine.Signals.Entropy;
using StellaOps.Policy.Licensing;
using StellaOps.PolicyDsl;
using Xunit;
using StellaOps.TestKit;
namespace StellaOps.Policy.Engine.Tests;
public sealed class PolicyRuntimeEvaluationServiceTests
{
private const string TestPolicy = """
policy "Test Policy" syntax "stella-dsl@1" {
rule block_critical priority 10 {
when severity.normalized == "Critical"
then status := "blocked"
because "Block critical findings"
}
rule warn_high priority 20 {
when severity.normalized == "High"
then status := "warn"
because "Warn on high severity findings"
}
rule allow_default priority 100 {
when true
then status := "affected"
because "Default affected status"
}
}
""";
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateAsync_ReturnsDecisionFromCompiledPolicy()
{
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-1", 1, TestPolicy);
var request = CreateRequest("pack-1", 1, severity: "Critical");
var response = await harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
Assert.Equal("pack-1", response.PackId);
Assert.Equal(1, response.Version);
Assert.NotNull(response.PolicyDigest);
Assert.NotNull(response.Confidence);
Assert.False(response.Cached);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateAsync_UsesCacheOnSecondCall()
{
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-1", 1, TestPolicy);
var request = CreateRequest("pack-1", 1, severity: "High");
// First call - cache miss
var response1 = await harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
Assert.False(response1.Cached);
// Second call - cache hit
var response2 = await harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
Assert.True(response2.Cached);
Assert.Equal(CacheSource.InMemory, response2.CacheSource);
Assert.Equal(response1.Status, response2.Status);
Assert.Equal(response1.CorrelationId, response2.CorrelationId);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateAsync_BypassCacheWhenRequested()
{
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-1", 1, TestPolicy);
var request = CreateRequest("pack-1", 1, severity: "Medium");
// First call
var response1 = await harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
Assert.False(response1.Cached);
// Second call with bypass
var bypassRequest = request with { BypassCache = true };
var response2 = await harness.Service.EvaluateAsync(bypassRequest, TestContext.Current.CancellationToken);
Assert.False(response2.Cached);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateAsync_ThrowsOnMissingBundle()
{
var harness = CreateHarness();
var request = CreateRequest("non-existent", 1, severity: "Low");
await Assert.ThrowsAsync<InvalidOperationException>(
() => harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken));
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateAsync_GeneratesDeterministicCorrelationId()
{
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-1", 1, TestPolicy);
var request = CreateRequest("pack-1", 1, severity: "High");
var response1 = await harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
// Create a new harness with fresh cache
var harness2 = CreateHarness();
await harness2.StoreTestPolicyAsync("pack-1", 1, TestPolicy);
var response2 = await harness2.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
// Same inputs should produce same correlation ID
Assert.Equal(response1.CorrelationId, response2.CorrelationId);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateBatchAsync_ReturnsMultipleResults()
{
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-1", 1, TestPolicy);
var requests = new[]
{
CreateRequest("pack-1", 1, severity: "Critical", subjectPurl: "pkg:npm/lodash@4.17.0"),
CreateRequest("pack-1", 1, severity: "High", subjectPurl: "pkg:npm/express@4.18.0"),
CreateRequest("pack-1", 1, severity: "Medium", subjectPurl: "pkg:npm/axios@1.0.0"),
};
var responses = await harness.Service.EvaluateBatchAsync(requests, TestContext.Current.CancellationToken);
Assert.Equal(3, responses.Count);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateBatchAsync_UsesCacheForDuplicates()
{
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-1", 1, TestPolicy);
// Pre-populate cache
var request = CreateRequest("pack-1", 1, severity: "Critical");
await harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
var requests = new[]
{
request, // Should be cached
CreateRequest("pack-1", 1, severity: "High"), // New
};
var responses = await harness.Service.EvaluateBatchAsync(requests, TestContext.Current.CancellationToken);
Assert.Equal(2, responses.Count);
Assert.Contains(responses, r => r.Cached);
Assert.Contains(responses, r => !r.Cached);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateAsync_DifferentContextsGetDifferentCacheKeys()
{
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-1", 1, TestPolicy);
var request1 = CreateRequest("pack-1", 1, severity: "High");
var request2 = CreateRequest("pack-1", 1, severity: "Critical");
var response1 = await harness.Service.EvaluateAsync(request1, TestContext.Current.CancellationToken);
var response2 = await harness.Service.EvaluateAsync(request2, TestContext.Current.CancellationToken);
// Both should be cache misses (different severity = different context)
Assert.False(response1.Cached);
Assert.False(response2.Cached);
// Different inputs = different correlation IDs
Assert.NotEqual(response1.CorrelationId, response2.CorrelationId);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateAsync_EnrichesReachabilityFromFacts()
{
const string policy = """
policy "Reachability policy" syntax "stella-dsl@1" {
rule reachable_then_warn priority 5 {
when reachability.state == "reachable"
then status := "warn"
because "reachable path detected"
}
rule default priority 100 {
when true
then status := "affected"
because "default"
}
}
""";
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-2", 1, policy);
var fact = new ReachabilityFact
{
Id = "fact-1",
TenantId = "tenant-1",
ComponentPurl = "pkg:npm/lodash@4.17.21",
AdvisoryId = "CVE-2024-0001",
State = ReachabilityState.Reachable,
Confidence = 0.92m,
Score = 0.85m,
HasRuntimeEvidence = true,
Source = "graph-analyzer",
Method = AnalysisMethod.Hybrid,
EvidenceRef = "evidence/callgraph.json",
ComputedAt = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
ExpiresAt = null,
Metadata = new Dictionary<string, object?>()
};
await harness.ReachabilityStore.SaveAsync(fact, TestContext.Current.CancellationToken);
var request = CreateRequest("pack-2", 1, severity: "Low");
var response = await harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
Assert.Equal("warn", response.Status);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateAsync_GatesUnreachableWithoutEvidenceRef_ToUnderInvestigation()
{
const string policy = """
policy "Reachability gate policy" syntax "stella-dsl@1" {
rule unreachable_to_not_affected priority 10 {
when reachability.state == "unreachable"
then status := "not_affected"
because "unreachable + evidence"
}
rule gated_to_under_investigation priority 20 {
when reachability.state == "under_investigation"
then status := "under_investigation"
because "unreachable but missing evidence"
}
rule default priority 100 {
when true
then status := "affected"
because "default"
}
}
""";
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-3", 1, policy);
var fact = new ReachabilityFact
{
Id = "fact-1",
TenantId = "tenant-1",
ComponentPurl = "pkg:npm/lodash@4.17.21",
AdvisoryId = "CVE-2024-0001",
State = ReachabilityState.Unreachable,
Confidence = 0.92m,
Score = 0m,
HasRuntimeEvidence = false,
Source = "graph-analyzer",
Method = AnalysisMethod.Static,
EvidenceRef = null,
EvidenceHash = "sha256:deadbeef",
ComputedAt = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
Metadata = new Dictionary<string, object?>()
};
await harness.ReachabilityStore.SaveAsync(fact, TestContext.Current.CancellationToken);
var request = CreateRequest("pack-3", 1, severity: "Low");
var response = await harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
Assert.Equal("under_investigation", response.Status);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateAsync_GatesUnreachableWithLowConfidence_ToUnderInvestigation()
{
const string policy = """
policy "Reachability gate policy" syntax "stella-dsl@1" {
rule unreachable_to_not_affected priority 10 {
when reachability.state == "unreachable"
then status := "not_affected"
because "unreachable + evidence"
}
rule gated_to_under_investigation priority 20 {
when reachability.state == "under_investigation"
then status := "under_investigation"
because "unreachable but low confidence"
}
rule default priority 100 {
when true
then status := "affected"
because "default"
}
}
""";
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-4", 1, policy);
var fact = new ReachabilityFact
{
Id = "fact-1",
TenantId = "tenant-1",
ComponentPurl = "pkg:npm/lodash@4.17.21",
AdvisoryId = "CVE-2024-0001",
State = ReachabilityState.Unreachable,
Confidence = 0.7m,
Score = 0m,
HasRuntimeEvidence = false,
Source = "graph-analyzer",
Method = AnalysisMethod.Static,
EvidenceRef = "cas://reachability/facts/fact-1",
EvidenceHash = "sha256:deadbeef",
ComputedAt = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
Metadata = new Dictionary<string, object?>()
};
await harness.ReachabilityStore.SaveAsync(fact, TestContext.Current.CancellationToken);
var request = CreateRequest("pack-4", 1, severity: "Low");
var response = await harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
Assert.Equal("under_investigation", response.Status);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateAsync_AllowsUnreachableWithEvidenceRefAndHighConfidence()
{
const string policy = """
policy "Reachability gate policy" syntax "stella-dsl@1" {
rule unreachable_to_not_affected priority 10 {
when reachability.state == "unreachable"
then status := "not_affected"
because "unreachable + evidence"
}
rule gated_to_under_investigation priority 20 {
when reachability.state == "under_investigation"
then status := "under_investigation"
because "gated"
}
rule default priority 100 {
when true
then status := "affected"
because "default"
}
}
""";
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-5", 1, policy);
var fact = new ReachabilityFact
{
Id = "fact-1",
TenantId = "tenant-1",
ComponentPurl = "pkg:npm/lodash@4.17.21",
AdvisoryId = "CVE-2024-0001",
State = ReachabilityState.Unreachable,
Confidence = 0.92m,
Score = 0m,
HasRuntimeEvidence = false,
Source = "graph-analyzer",
Method = AnalysisMethod.Static,
EvidenceRef = "cas://reachability/facts/fact-1",
EvidenceHash = "sha256:deadbeef",
ComputedAt = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
Metadata = new Dictionary<string, object?>()
};
await harness.ReachabilityStore.SaveAsync(fact, TestContext.Current.CancellationToken);
var request = CreateRequest("pack-5", 1, severity: "Low");
var response = await harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
Assert.Equal("not_affected", response.Status);
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public async Task EvaluateAsync_BlocksOnLicenseComplianceFailure()
{
var harness = CreateHarness();
await harness.StoreTestPolicyAsync("pack-6", 1, TestPolicy);
var component = new PolicyEvaluationComponent(
Name: "example",
Version: "1.0.0",
Type: "library",
Purl: "pkg:npm/example@1.0.0",
Metadata: ImmutableDictionary<string, string>.Empty.Add("license_expression", "GPL-3.0-only"));
var sbom = new PolicyEvaluationSbom(
ImmutableHashSet<string>.Empty.WithComparer(StringComparer.OrdinalIgnoreCase),
ImmutableArray.Create(component));
var request = CreateRequest("pack-6", 1, severity: "Low", sbom: sbom);
var response = await harness.Service.EvaluateAsync(request, TestContext.Current.CancellationToken);
Assert.Equal("blocked", response.Status);
Assert.Contains(response.Annotations, pair => pair.Key == "license.status" && pair.Value == "fail");
}
private static RuntimeEvaluationRequest CreateRequest(
string packId,
int version,
string severity,
string tenantId = "tenant-1",
string subjectPurl = "pkg:npm/lodash@4.17.21",
string advisoryId = "CVE-2024-0001",
PolicyEvaluationSbom? sbom = null)
{
return new RuntimeEvaluationRequest(
packId,
version,
tenantId,
subjectPurl,
advisoryId,
Severity: new PolicyEvaluationSeverity(severity, null),
Advisory: new PolicyEvaluationAdvisory("NVD", ImmutableDictionary<string, string>.Empty),
Vex: PolicyEvaluationVexEvidence.Empty,
Sbom: sbom ?? PolicyEvaluationSbom.Empty,
Exceptions: PolicyEvaluationExceptions.Empty,
Reachability: PolicyEvaluationReachability.Unknown,
EntropyLayerSummary: null,
EntropyReport: null,
ProvenanceAttested: null,
EvaluationTimestamp: new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero),
BypassCache: false);
}
private static TestHarness CreateHarness()
{
var repository = new InMemoryPolicyPackRepository(TimeProvider.System);
var cacheLogger = NullLogger<InMemoryPolicyEvaluationCache>.Instance;
var serviceLogger = NullLogger<PolicyRuntimeEvaluationService>.Instance;
var options = Microsoft.Extensions.Options.Options.Create(new PolicyEngineOptions());
var cache = new InMemoryPolicyEvaluationCache(cacheLogger, TimeProvider.System, options);
var evaluator = new PolicyEvaluator();
var entropy = new EntropyPenaltyCalculator(options, NullLogger<EntropyPenaltyCalculator>.Instance);
var licenseOptions = Microsoft.Extensions.Options.Options.Create(new LicenseComplianceOptions
{
Enabled = true,
Policy = LicensePolicyDefaults.Default
});
var licenseComplianceService = new LicenseComplianceService(
new LicenseComplianceEvaluator(LicenseKnowledgeBase.LoadDefault()),
new LicensePolicyLoader(),
licenseOptions,
NullLogger<LicenseComplianceService>.Instance);
var reachabilityStore = new InMemoryReachabilityFactsStore(TimeProvider.System);
var reachabilityCache = new InMemoryReachabilityFactsOverlayCache(
NullLogger<InMemoryReachabilityFactsOverlayCache>.Instance,
TimeProvider.System,
Microsoft.Extensions.Options.Options.Create(new PolicyEngineOptions()));
var reachabilityService = new ReachabilityFactsJoiningService(
reachabilityStore,
reachabilityCache,
NullLogger<ReachabilityFactsJoiningService>.Instance,
TimeProvider.System);
var compilationService = CreateCompilationService();
var service = new PolicyRuntimeEvaluationService(
repository,
cache,
evaluator,
reachabilityService,
entropy,
licenseComplianceService,
ntiaCompliance: null,
TimeProvider.System,
serviceLogger);
return new TestHarness(service, repository, compilationService, reachabilityStore);
}
private static PolicyCompilationService CreateCompilationService()
{
var compiler = new PolicyCompiler();
var analyzer = new PolicyComplexityAnalyzer();
var options = new PolicyEngineOptions();
var optionsMonitor = new StaticOptionsMonitor(options);
var metadataExtractor = new PolicyMetadataExtractor();
return new PolicyCompilationService(compiler, analyzer, metadataExtractor, optionsMonitor, TimeProvider.System);
}
private sealed record TestHarness(
PolicyRuntimeEvaluationService Service,
InMemoryPolicyPackRepository Repository,
PolicyCompilationService CompilationService,
InMemoryReachabilityFactsStore ReachabilityStore)
{
public async Task StoreTestPolicyAsync(string packId, int version, string dsl)
{
var bundleService = new PolicyBundleService(CompilationService, Repository, TimeProvider.System);
var request = new PolicyBundleRequest(new PolicyDslPayload("stella-dsl@1", dsl), SigningKeyId: null);
await bundleService.CompileAndStoreAsync(packId, version, request, TestContext.Current.CancellationToken);
}
}
private sealed class StaticOptionsMonitor : IOptionsMonitor<PolicyEngineOptions>
{
private readonly PolicyEngineOptions _value;
public StaticOptionsMonitor(PolicyEngineOptions value) => _value = value;
public PolicyEngineOptions CurrentValue => _value;
public PolicyEngineOptions Get(string? name) => _value;
public IDisposable OnChange(Action<PolicyEngineOptions, string> listener) => NullDisposable.Instance;
private sealed class NullDisposable : IDisposable
{
public static readonly NullDisposable Instance = new();
public void Dispose() { }
}
}
}
Reference in New Issue View Git Blame Copy Permalink