e923880694
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
- Introduced DigestUpsertRequest for handling digest upsert requests with properties like ChannelId, Recipient, DigestKey, Events, and CollectUntil. - Created LockEntity to represent a lightweight distributed lock entry with properties such as Id, TenantId, Resource, Owner, ExpiresAt, and CreatedAt. feat: Implement ILockRepository interface and LockRepository class - Defined ILockRepository interface with methods for acquiring and releasing locks. - Implemented LockRepository class with methods to try acquiring a lock and releasing it, using SQL for upsert operations. feat: Add SurfaceManifestPointer record for manifest pointers - Introduced SurfaceManifestPointer to represent a minimal pointer to a Surface.FS manifest associated with an image digest. feat: Create PolicySimulationInputLock and related validation logic - Added PolicySimulationInputLock record to describe policy simulation inputs and expected digests. - Implemented validation logic for policy simulation inputs, including checks for digest drift and shadow mode requirements. test: Add unit tests for ReplayVerificationService and ReplayVerifier - Created ReplayVerificationServiceTests to validate the behavior of the ReplayVerificationService under various scenarios. - Developed ReplayVerifierTests to ensure the correctness of the ReplayVerifier logic. test: Implement PolicySimulationInputLockValidatorTests - Added tests for PolicySimulationInputLockValidator to verify the validation logic against expected inputs and conditions. chore: Add cosign key example and signing scripts - Included a placeholder cosign key example for development purposes. - Added a script for signing Signals artifacts using cosign with support for both v2 and v3. chore: Create script for uploading evidence to the evidence locker - Developed a script to upload evidence to the evidence locker, ensuring required environment variables are set.
73 lines
2.0 KiB
C#
73 lines
2.0 KiB
C#
using StellaOps.AirGap.Importer.Contracts;
|
|
using StellaOps.AirGap.Importer.Validation;
|
|
|
|
namespace StellaOps.AirGap.Importer.Tests;
|
|
|
|
public class ReplayVerifierTests
|
|
{
|
|
private readonly ReplayVerifier _verifier = new();
|
|
|
|
[Fact]
|
|
public void FullRecompute_succeeds_when_hashes_match_and_fresh()
|
|
{
|
|
var now = DateTimeOffset.Parse("2025-12-02T01:00:00Z");
|
|
var request = new ReplayVerificationRequest(
|
|
"aa".PadRight(64, 'a'),
|
|
"bb".PadRight(64, 'b'),
|
|
"aa".PadRight(64, 'a'),
|
|
"bb".PadRight(64, 'b'),
|
|
now.AddHours(-4),
|
|
24,
|
|
"cc".PadRight(64, 'c'),
|
|
"cc".PadRight(64, 'c'),
|
|
ReplayDepth.FullRecompute);
|
|
|
|
var result = _verifier.Verify(request, now);
|
|
|
|
Assert.True(result.IsValid);
|
|
Assert.Equal("full-recompute-passed", result.Reason);
|
|
}
|
|
|
|
[Fact]
|
|
public void Detects_hash_drift()
|
|
{
|
|
var now = DateTimeOffset.UtcNow;
|
|
var request = new ReplayVerificationRequest(
|
|
"aa".PadRight(64, 'a'),
|
|
"bb".PadRight(64, 'b'),
|
|
"00".PadRight(64, '0'),
|
|
"bb".PadRight(64, 'b'),
|
|
now,
|
|
1,
|
|
null,
|
|
null,
|
|
ReplayDepth.HashOnly);
|
|
|
|
var result = _verifier.Verify(request, now);
|
|
|
|
Assert.False(result.IsValid);
|
|
Assert.Equal("manifest-hash-drift", result.Reason);
|
|
}
|
|
|
|
[Fact]
|
|
public void PolicyFreeze_requires_matching_policy_hash()
|
|
{
|
|
var now = DateTimeOffset.UtcNow;
|
|
var request = new ReplayVerificationRequest(
|
|
"aa".PadRight(64, 'a'),
|
|
"bb".PadRight(64, 'b'),
|
|
"aa".PadRight(64, 'a'),
|
|
"bb".PadRight(64, 'b'),
|
|
now,
|
|
12,
|
|
"bundle-policy",
|
|
"sealed-policy-other",
|
|
ReplayDepth.PolicyFreeze);
|
|
|
|
var result = _verifier.Verify(request, now);
|
|
|
|
Assert.False(result.IsValid);
|
|
Assert.Equal("policy-hash-drift", result.Reason);
|
|
}
|
|
}
|