stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
80257a4538c79c1100316110224532caa5441cc3
git.stella-ops.org/src/Web/StellaOps.Web/tests/e2e/reachability-witnessing.spec.ts
master 1088ae1bc4 feat(ui): ship reachability witnessing shell
2026-03-07 19:44:25 +02:00

266 lines
8.7 KiB
TypeScript
Raw Blame History

import { expect, test, type Page, type Route } from '@playwright/test';
import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
const adminSession: StubAuthSession = {
subjectId: 'reachability-e2e-user',
tenant: 'tenant-default',
scopes: [
'admin',
'ui.read',
'scanner:read',
'sbom:read',
'advisory:read',
'vex:read',
'exception:read',
'findings:read',
'vuln:view',
'release:read',
'policy:read',
'policy:audit',
],
};
const mockConfig = {
authority: {
issuer: '/authority',
clientId: 'stella-ops-ui',
authorizeEndpoint: '/authority/connect/authorize',
tokenEndpoint: '/authority/connect/token',
logoutEndpoint: '/authority/connect/logout',
redirectUri: 'https://127.0.0.1:4400/auth/callback',
postLogoutRedirectUri: 'https://127.0.0.1:4400/',
scope: 'openid profile email ui.read',
audience: '/gateway',
dpopAlgorithms: ['ES256'],
refreshLeewaySeconds: 60,
},
apiBaseUrls: {
authority: '/authority',
scanner: '/scanner',
policy: '/policy',
concelier: '/concelier',
attestor: '/attestor',
gateway: '/gateway',
},
quickstartMode: true,
setup: 'complete',
};
const witnessFixtures = [
{
witnessId: 'wit-api-001',
scanId: 'scan-release-orchestrator-prod',
tenantId: 'tenant-default',
vulnId: 'finding-api-001',
cveId: 'CVE-2026-4001',
packageName: 'api-gateway',
packageVersion: '1.8.4',
purl: 'pkg:oci/api-gateway@sha256:api001',
confidenceTier: 'confirmed',
confidenceScore: 0.94,
isReachable: true,
callPath: [
{ nodeId: 'n-api-1', symbol: 'IngressController.route()', file: 'src/ingress/controller.ts', line: 18 },
{ nodeId: 'n-api-2', symbol: 'AuthContext.load()', file: 'src/auth/context.ts', line: 44 },
{ nodeId: 'n-api-3', symbol: 'ReleaseResolver.resolve()', file: 'src/release/resolver.ts', line: 91 },
],
entrypoint: {
nodeId: 'n-api-1',
symbol: 'IngressController.route()',
file: 'src/ingress/controller.ts',
line: 18,
httpRoute: '/releases/{id}',
httpMethod: 'GET',
},
sink: {
nodeId: 'n-api-4',
symbol: 'JacksonDeserializer.readValue()',
package: 'com.fasterxml.jackson.databind',
method: 'readValue',
},
gates: [
{
gateType: 'auth',
symbol: 'jwt.required',
confidence: 0.91,
description: 'JWT auth gate precedes the vulnerable parser path.',
file: 'src/auth/context.ts',
line: 22,
},
],
evidence: {
analysisMethod: 'hybrid',
toolVersion: 'reachability-ui-fixture-v2',
callGraphHash: 'blake3:api-gateway-callgraph',
surfaceHash: 'sha256:api-gateway-surface',
dsseUri: '/evidence/capsules/cap-api-001',
rekorUri: 'https://rekor.example.dev/entries/498201',
callGraphUri: '/security/reachability?graph=api-gateway',
artifacts: [
{ type: 'call-graph', hash: 'blake3:api-gateway-callgraph', algorithm: 'blake3', uri: '/security/reachability?graph=api-gateway' },
],
},
signature: {
algorithm: 'ed25519',
keyId: 'reachability-signer-1',
signature: 'sig-api-001',
verified: true,
verifiedAt: '2026-03-07T15:20:00Z',
},
observedAt: '2026-03-07T15:14:00Z',
vexRecommendation: 'affected',
runtimeEvidence: {
available: true,
source: 'ebpf',
lastObservedAt: '2026-03-07T15:14:00Z',
invocationCount: 182,
confirmsStatic: true,
observationType: 'confirmed',
rekorLogIndex: 498201,
isStale: false,
containerContext: {
containerId: 'ctr-api-11',
imageDigest: 'sha256:api001',
environment: 'prod-eu',
},
},
},
];
async function fulfillJson(route: Route, body: unknown): Promise<void> {
await route.fulfill({
status: 200,
contentType: 'application/json',
body: JSON.stringify(body),
});
}
async function setupHarness(page: Page): Promise<void> {
await page.addInitScript((session) => {
(window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
}, adminSession);
await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
await page.route('**/.well-known/openid-configuration', (route) =>
fulfillJson(route, {
issuer: 'https://127.0.0.1:4400/authority',
authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
response_types_supported: ['code'],
subject_types_supported: ['public'],
id_token_signing_alg_values_supported: ['RS256'],
})
);
await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));
await page.route('**/console/profile**', (route) =>
fulfillJson(route, {
subjectId: adminSession.subjectId,
username: 'reachability-e2e',
displayName: 'Reachability E2E',
tenant: adminSession.tenant,
roles: ['admin'],
scopes: adminSession.scopes,
})
);
await page.route('**/console/token/introspect**', (route) =>
fulfillJson(route, {
active: true,
tenant: adminSession.tenant,
subject: adminSession.subjectId,
scopes: adminSession.scopes,
})
);
await page.route('**/api/v2/context/regions', (route) =>
fulfillJson(route, [{ regionId: 'eu-west', displayName: 'EU West', sortOrder: 1, enabled: true }])
);
await page.route('**/api/v2/context/environments**', (route) =>
fulfillJson(route, [
{
environmentId: 'prod',
regionId: 'eu-west',
environmentType: 'prod',
displayName: 'Prod',
sortOrder: 1,
enabled: true,
},
])
);
await page.route('**/api/v2/context/preferences', (route) =>
fulfillJson(route, {
tenantId: adminSession.tenant,
actorId: adminSession.subjectId,
regions: ['eu-west'],
environments: ['prod'],
timeWindow: '24h',
stage: 'all',
updatedAt: '2026-03-07T12:00:00Z',
updatedBy: adminSession.subjectId,
})
);
await page.route('**/doctor/api/v1/doctor/trends**', (route) => fulfillJson(route, []));
await page.route('**/api/v1/approvals**', (route) => fulfillJson(route, []));
await page.route('**/api/v1/witnesses?*', (route) =>
fulfillJson(route, {
witnesses: witnessFixtures,
total: witnessFixtures.length,
page: 1,
pageSize: 50,
hasMore: false,
})
);
await page.route('**/api/v1/witnesses/wit-api-001', (route) =>
fulfillJson(route, witnessFixtures[0])
);
await page.route('**/api/v1/witnesses/wit-api-001/verify', (route) =>
fulfillJson(route, {
witnessId: 'wit-api-001',
verified: true,
algorithm: 'ed25519',
keyId: 'reachability-signer-1',
verifiedAt: '2026-03-07T16:30:00Z',
})
);
}
test.beforeEach(async ({ page }) => {
await setupHarness(page);
});
test('reachability shell, witness detail, and PoE permalink stay in one canonical flow', async ({ page }) => {
await page.goto('/security/reachability/witnesses?search=CVE-2026-4001', {
waitUntil: 'networkidle',
});
await expect(page.getByTestId('reachability-page')).toBeVisible();
await expect(page.getByTestId('reachability-tab-witnesses')).toHaveClass(/active/);
await expect(page.getByTestId('witness-row')).toHaveCount(1);
await page.getByRole('link', { name: 'Open witness' }).click();
await expect(page).toHaveURL(/\/security\/reachability\/witnesses\/wit-api-001/);
await expect(page.getByTestId('witness-page')).toBeVisible();
await page.getByTestId('open-poe-btn').click();
await expect(page.getByTestId('poe-drawer')).toHaveClass(/poe-drawer--open/);
await page.getByTestId('poe-drawer-close').click();
await page.getByRole('button', { name: 'Permalink' }).click();
await expect(page).toHaveURL(/\/security\/reachability\/poe\/cve-2026-4001/);
await expect(page.getByTestId('poe-drawer')).toHaveClass(/poe-drawer--open/);
});
test('verify and replay hands off into the canonical reachability witness workspace', async ({ page }) => {
await page.goto('/evidence/verify-replay?releaseId=rel-ops-42&runId=run-ops-42&requestId=rr-003', {
waitUntil: 'networkidle',
});
await expect(page.getByText('Context:')).toBeVisible();
await page.getByRole('button', { name: 'Open reachability proof' }).click();
await expect(page).toHaveURL(/\/security\/reachability\/witnesses/);
await expect(page.url()).toContain('returnTo=%2Fevidence%2Fverify-replay%3FrequestId%3Drr-003%26releaseId%3Drel-ops-42%26runId%3Drun-ops-42');
await expect(page.getByTestId('reachability-page')).toBeVisible();
});
Reference in New Issue View Git Blame Copy Permalink