git.stella-ops.org/tests/AirGap/StellaOps.AirGap.Importer.Tests/ImportValidatorTests.cs

using System.Security.Cryptography;
using StellaOps.AirGap.Importer.Contracts;
using StellaOps.AirGap.Importer.Validation;

namespace StellaOps.AirGap.Importer.Tests;

public class ImportValidatorTests
{
    [Fact]
    public void FailsWhenTufInvalid()
    {
        var request = BuildRequest(rootJson: "{}", snapshotJson: "{}", timestampJson: "{}");
        var result = new ImportValidator().Validate(request);
        Assert.False(result.IsValid);
        Assert.StartsWith("tuf:", result.Reason);
    }

    [Fact]
    public void SucceedsWhenAllChecksPass()
    {
        var root = "{\"version\":1,\"expiresUtc\":\"2030-01-01T00:00:00Z\"}";
        var snapshot = "{\"version\":1,\"expiresUtc\":\"2030-01-01T00:00:00Z\",\"meta\":{\"snapshot\":{\"hashes\":{\"sha256\":\"abc\"}}}}";
        var timestamp = "{\"version\":1,\"expiresUtc\":\"2030-01-01T00:00:00Z\",\"snapshot\":{\"meta\":{\"hashes\":{\"sha256\":\"abc\"}}}}";

        using var rsa = RSA.Create(2048);
        var pub = rsa.ExportSubjectPublicKeyInfo();

        var payload = "bundle-body";
        var payloadType = "application/vnd.stella.bundle";
        var pae = BuildPae(payloadType, payload);
        var sig = rsa.SignData(pae, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);

        var envelope = new DsseEnvelope(payloadType, Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(payload)), new[]
        {
            new DsseSignature("k1", Convert.ToBase64String(sig))
        });

        var trustStore = new TrustStore();
        trustStore.LoadActive(new Dictionary<string, byte[]> { ["k1"] = pub });
        trustStore.StagePending(new Dictionary<string, byte[]> { ["k2"] = pub });

        var request = new ImportValidationRequest(
            envelope,
            new TrustRootConfig("/tmp/root.json", new[] { Fingerprint(pub) }, new[] { "rsassa-pss-sha256" }, null, null, new Dictionary<string, byte[]> { ["k1"] = pub }),
            root,
            snapshot,
            timestamp,
            new List<NamedStream> { new("a.txt", new MemoryStream("data"u8.ToArray())) },
            trustStore,
            new[] { "approver-1", "approver-2" });

        var result = new ImportValidator().Validate(request);

        Assert.True(result.IsValid);
        Assert.Equal("import-validated", result.Reason);
    }

    private static byte[] BuildPae(string payloadType, string payload)
    {
        var parts = new[] { "DSSEv1", payloadType, payload };
        var paeBuilder = new System.Text.StringBuilder();
        paeBuilder.Append("PAE:");
        paeBuilder.Append(parts.Length);
        foreach (var part in parts)
        {
            paeBuilder.Append(' ');
            paeBuilder.Append(part.Length);
            paeBuilder.Append(' ');
            paeBuilder.Append(part);
        }

        return System.Text.Encoding.UTF8.GetBytes(paeBuilder.ToString());
    }

    private static string Fingerprint(byte[] pub) => Convert.ToHexString(SHA256.HashData(pub)).ToLowerInvariant();

    private static ImportValidationRequest BuildRequest(string rootJson, string snapshotJson, string timestampJson)
    {
        var envelope = new DsseEnvelope("text/plain", Convert.ToBase64String("hi"u8), Array.Empty<DsseSignature>());
        var trustRoot = TrustRootConfig.Empty("/tmp");
        var trustStore = new TrustStore();
        return new ImportValidationRequest(
            envelope,
            trustRoot,
            rootJson,
            snapshotJson,
            timestampJson,
            Array.Empty<NamedStream>(),
            trustStore,
            Array.Empty<string>());
    }
}