gomcp/internal/infrastructure/tpmaudit/tpmaudit_test.go

package tpmaudit

import (
	"os"
	"testing"
)

func TestNewSealedLogger(t *testing.T) {
	dir := t.TempDir()
	logger, err := NewSealedLogger(dir, "test-secret")
	if err != nil {
		t.Fatalf("NewSealedLogger: %v", err)
	}
	defer logger.Close()

	if logger.ChainLength() != 0 {
		t.Errorf("chain length = %d, want 0", logger.ChainLength())
	}

	stats := logger.Stats()
	if stats.Mode != SealSoftware {
		t.Errorf("mode = %s, want software (no TPM in CI)", stats.Mode)
	}
}

func TestLogDecision(t *testing.T) {
	dir := t.TempDir()
	logger, err := NewSealedLogger(dir, "test-secret")
	if err != nil {
		t.Fatalf("NewSealedLogger: %v", err)
	}
	defer logger.Close()

	sealed, err := logger.LogDecision(DecisionEntry{
		Action:   "ingest",
		Decision: "allow",
		Reason:   "event passed secret scanner",
		EventID:  "EVT-001",
	})
	if err != nil {
		t.Fatalf("LogDecision: %v", err)
	}

	if sealed.Hash == "" {
		t.Error("hash is empty")
	}
	if sealed.Signature == "" {
		t.Error("signature is empty")
	}
	if sealed.Entry.PreviousHash != "genesis" {
		t.Errorf("first entry previous_hash = %s, want genesis", sealed.Entry.PreviousHash)
	}
	if sealed.ChainIdx != 0 {
		t.Errorf("chain_idx = %d, want 0", sealed.ChainIdx)
	}
}

func TestChainLinking(t *testing.T) {
	dir := t.TempDir()
	logger, err := NewSealedLogger(dir, "test-secret")
	if err != nil {
		t.Fatalf("NewSealedLogger: %v", err)
	}
	defer logger.Close()

	s1, _ := logger.LogDecision(DecisionEntry{Action: "ingest", Decision: "allow", Reason: "ok"})
	s2, _ := logger.LogDecision(DecisionEntry{Action: "correlate", Decision: "escalate", Reason: "high severity"})
	s3, _ := logger.LogDecision(DecisionEntry{Action: "respond", Decision: "allow", Reason: "playbook matched"})

	// Verify chain links.
	if s2.Entry.PreviousHash != s1.Hash {
		t.Error("entry 2 not linked to entry 1")
	}
	if s3.Entry.PreviousHash != s2.Hash {
		t.Error("entry 3 not linked to entry 2")
	}

	if logger.ChainLength() != 3 {
		t.Errorf("chain length = %d, want 3", logger.ChainLength())
	}
}

func TestVerifyChain_Valid(t *testing.T) {
	dir := t.TempDir()
	logger, err := NewSealedLogger(dir, "test-secret")
	if err != nil {
		t.Fatalf("NewSealedLogger: %v", err)
	}
	defer logger.Close()

	logger.LogDecision(DecisionEntry{Action: "ingest", Decision: "allow", Reason: "ok"})
	logger.LogDecision(DecisionEntry{Action: "correlate", Decision: "allow", Reason: "ok"})
	logger.LogDecision(DecisionEntry{Action: "respond", Decision: "allow", Reason: "ok"})

	result := logger.VerifyChain()
	if !result.Valid {
		t.Errorf("chain invalid: %s at index %d", result.BrokenReason, result.BrokenAtIndex)
	}
	if result.VerifiedCount != 3 {
		t.Errorf("verified = %d, want 3", result.VerifiedCount)
	}
}

func TestVerifyChain_Tampered(t *testing.T) {
	dir := t.TempDir()
	logger, err := NewSealedLogger(dir, "test-secret")
	if err != nil {
		t.Fatalf("NewSealedLogger: %v", err)
	}
	defer logger.Close()

	logger.LogDecision(DecisionEntry{Action: "ingest", Decision: "allow", Reason: "ok"})
	logger.LogDecision(DecisionEntry{Action: "correlate", Decision: "allow", Reason: "ok"})

	// Tamper with chain.
	logger.chain[1].Hash = "tampered-hash"

	result := logger.VerifyChain()
	if result.Valid {
		t.Error("expected chain to be invalid after tampering")
	}
	if result.BrokenAtIndex != 1 {
		t.Errorf("broken at = %d, want 1", result.BrokenAtIndex)
	}
}

func TestPCRExtension(t *testing.T) {
	dir := t.TempDir()
	logger, err := NewSealedLogger(dir, "test-secret")
	if err != nil {
		t.Fatalf("NewSealedLogger: %v", err)
	}
	defer logger.Close()

	s1, _ := logger.LogDecision(DecisionEntry{Action: "a", Decision: "allow", Reason: "ok"})
	s2, _ := logger.LogDecision(DecisionEntry{Action: "b", Decision: "allow", Reason: "ok"})

	// PCR values should be different (extended with each entry).
	if s1.PCRValue == s2.PCRValue {
		t.Error("PCR values should differ after extension")
	}
	// PCR should not be the initial zero value.
	if s1.PCRValue == "0000000000000000000000000000000000000000000000000000000000000000" {
		t.Error("PCR should have been extended from zero")
	}
}

func TestPersistence(t *testing.T) {
	dir := t.TempDir()

	// Write entries.
	{
		logger, err := NewSealedLogger(dir, "test-secret")
		if err != nil {
			t.Fatalf("NewSealedLogger: %v", err)
		}
		logger.LogDecision(DecisionEntry{Action: "ingest", Decision: "allow", Reason: "ok"})
		logger.LogDecision(DecisionEntry{Action: "correlate", Decision: "deny", Reason: "blocked"})
		logger.Close()
	}

	// Reopen and verify chain was loaded.
	{
		logger, err := NewSealedLogger(dir, "test-secret")
		if err != nil {
			t.Fatalf("NewSealedLogger reopen: %v", err)
		}
		defer logger.Close()

		if logger.ChainLength() != 2 {
			t.Errorf("chain length after reopen = %d, want 2", logger.ChainLength())
		}
	}

	// Verify file exists.
	if _, err := os.Stat(dir + "/decisions_sealed.jsonl"); err != nil {
		t.Errorf("log file not found: %v", err)
	}
}

func TestStats(t *testing.T) {
	dir := t.TempDir()
	logger, err := NewSealedLogger(dir, "test-secret")
	if err != nil {
		t.Fatalf("NewSealedLogger: %v", err)
	}
	defer logger.Close()

	logger.LogDecision(DecisionEntry{Action: "a", Decision: "allow", Reason: "ok"})
	logger.LogDecision(DecisionEntry{Action: "b", Decision: "deny", Reason: "blocked"})

	stats := logger.Stats()
	if stats.TotalEntries != 2 {
		t.Errorf("total_entries = %d, want 2", stats.TotalEntries)
	}
	if !stats.ChainIntegrity {
		t.Error("chain integrity should be true")
	}
}
Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates 2026-03-23 16:45:40 +10:00			`package tpmaudit`

			`import (`
			`"os"`
			`"testing"`
			`)`

			`func TestNewSealedLogger(t *testing.T) {`
			`dir := t.TempDir()`
			`logger, err := NewSealedLogger(dir, "test-secret")`
			`if err != nil {`
			`t.Fatalf("NewSealedLogger: %v", err)`
			`}`
			`defer logger.Close()`

			`if logger.ChainLength() != 0 {`
			`t.Errorf("chain length = %d, want 0", logger.ChainLength())`
			`}`

			`stats := logger.Stats()`
			`if stats.Mode != SealSoftware {`
			`t.Errorf("mode = %s, want software (no TPM in CI)", stats.Mode)`
			`}`
			`}`

			`func TestLogDecision(t *testing.T) {`
			`dir := t.TempDir()`
			`logger, err := NewSealedLogger(dir, "test-secret")`
			`if err != nil {`
			`t.Fatalf("NewSealedLogger: %v", err)`
			`}`
			`defer logger.Close()`

			`sealed, err := logger.LogDecision(DecisionEntry{`
			`Action: "ingest",`
			`Decision: "allow",`
			`Reason: "event passed secret scanner",`
			`EventID: "EVT-001",`
			`})`
			`if err != nil {`
			`t.Fatalf("LogDecision: %v", err)`
			`}`

			`if sealed.Hash == "" {`
			`t.Error("hash is empty")`
			`}`
			`if sealed.Signature == "" {`
			`t.Error("signature is empty")`
			`}`
			`if sealed.Entry.PreviousHash != "genesis" {`
			`t.Errorf("first entry previous_hash = %s, want genesis", sealed.Entry.PreviousHash)`
			`}`
			`if sealed.ChainIdx != 0 {`
			`t.Errorf("chain_idx = %d, want 0", sealed.ChainIdx)`
			`}`
			`}`

			`func TestChainLinking(t *testing.T) {`
			`dir := t.TempDir()`
			`logger, err := NewSealedLogger(dir, "test-secret")`
			`if err != nil {`
			`t.Fatalf("NewSealedLogger: %v", err)`
			`}`
			`defer logger.Close()`

			`s1, _ := logger.LogDecision(DecisionEntry{Action: "ingest", Decision: "allow", Reason: "ok"})`
			`s2, _ := logger.LogDecision(DecisionEntry{Action: "correlate", Decision: "escalate", Reason: "high severity"})`
			`s3, _ := logger.LogDecision(DecisionEntry{Action: "respond", Decision: "allow", Reason: "playbook matched"})`

			`// Verify chain links.`
			`if s2.Entry.PreviousHash != s1.Hash {`
			`t.Error("entry 2 not linked to entry 1")`
			`}`
			`if s3.Entry.PreviousHash != s2.Hash {`
			`t.Error("entry 3 not linked to entry 2")`
			`}`

			`if logger.ChainLength() != 3 {`
			`t.Errorf("chain length = %d, want 3", logger.ChainLength())`
			`}`
			`}`

			`func TestVerifyChain_Valid(t *testing.T) {`
			`dir := t.TempDir()`
			`logger, err := NewSealedLogger(dir, "test-secret")`
			`if err != nil {`
			`t.Fatalf("NewSealedLogger: %v", err)`
			`}`
			`defer logger.Close()`

			`logger.LogDecision(DecisionEntry{Action: "ingest", Decision: "allow", Reason: "ok"})`
			`logger.LogDecision(DecisionEntry{Action: "correlate", Decision: "allow", Reason: "ok"})`
			`logger.LogDecision(DecisionEntry{Action: "respond", Decision: "allow", Reason: "ok"})`

			`result := logger.VerifyChain()`
			`if !result.Valid {`
			`t.Errorf("chain invalid: %s at index %d", result.BrokenReason, result.BrokenAtIndex)`
			`}`
			`if result.VerifiedCount != 3 {`
			`t.Errorf("verified = %d, want 3", result.VerifiedCount)`
			`}`
			`}`

			`func TestVerifyChain_Tampered(t *testing.T) {`
			`dir := t.TempDir()`
			`logger, err := NewSealedLogger(dir, "test-secret")`
			`if err != nil {`
			`t.Fatalf("NewSealedLogger: %v", err)`
			`}`
			`defer logger.Close()`

			`logger.LogDecision(DecisionEntry{Action: "ingest", Decision: "allow", Reason: "ok"})`
			`logger.LogDecision(DecisionEntry{Action: "correlate", Decision: "allow", Reason: "ok"})`

			`// Tamper with chain.`
			`logger.chain[1].Hash = "tampered-hash"`

			`result := logger.VerifyChain()`
			`if result.Valid {`
			`t.Error("expected chain to be invalid after tampering")`
			`}`
			`if result.BrokenAtIndex != 1 {`
			`t.Errorf("broken at = %d, want 1", result.BrokenAtIndex)`
			`}`
			`}`

			`func TestPCRExtension(t *testing.T) {`
			`dir := t.TempDir()`
			`logger, err := NewSealedLogger(dir, "test-secret")`
			`if err != nil {`
			`t.Fatalf("NewSealedLogger: %v", err)`
			`}`
			`defer logger.Close()`

			`s1, _ := logger.LogDecision(DecisionEntry{Action: "a", Decision: "allow", Reason: "ok"})`
			`s2, _ := logger.LogDecision(DecisionEntry{Action: "b", Decision: "allow", Reason: "ok"})`

			`// PCR values should be different (extended with each entry).`
			`if s1.PCRValue == s2.PCRValue {`
			`t.Error("PCR values should differ after extension")`
			`}`
			`// PCR should not be the initial zero value.`
			`if s1.PCRValue == "0000000000000000000000000000000000000000000000000000000000000000" {`
			`t.Error("PCR should have been extended from zero")`
			`}`
			`}`

			`func TestPersistence(t *testing.T) {`
			`dir := t.TempDir()`

			`// Write entries.`
			`{`
			`logger, err := NewSealedLogger(dir, "test-secret")`
			`if err != nil {`
			`t.Fatalf("NewSealedLogger: %v", err)`
			`}`
			`logger.LogDecision(DecisionEntry{Action: "ingest", Decision: "allow", Reason: "ok"})`
			`logger.LogDecision(DecisionEntry{Action: "correlate", Decision: "deny", Reason: "blocked"})`
			`logger.Close()`
			`}`

			`// Reopen and verify chain was loaded.`
			`{`
			`logger, err := NewSealedLogger(dir, "test-secret")`
			`if err != nil {`
			`t.Fatalf("NewSealedLogger reopen: %v", err)`
			`}`
			`defer logger.Close()`

			`if logger.ChainLength() != 2 {`
			`t.Errorf("chain length after reopen = %d, want 2", logger.ChainLength())`
			`}`
			`}`

			`// Verify file exists.`
			`if _, err := os.Stat(dir + "/decisions_sealed.jsonl"); err != nil {`
			`t.Errorf("log file not found: %v", err)`
			`}`
			`}`

			`func TestStats(t *testing.T) {`
			`dir := t.TempDir()`
			`logger, err := NewSealedLogger(dir, "test-secret")`
			`if err != nil {`
			`t.Fatalf("NewSealedLogger: %v", err)`
			`}`
			`defer logger.Close()`

			`logger.LogDecision(DecisionEntry{Action: "a", Decision: "allow", Reason: "ok"})`
			`logger.LogDecision(DecisionEntry{Action: "b", Decision: "deny", Reason: "blocked"})`

			`stats := logger.Stats()`
			`if stats.TotalEntries != 2 {`
			`t.Errorf("total_entries = %d, want 2", stats.TotalEntries)`
			`}`
			`if !stats.ChainIntegrity {`
			`t.Error("chain integrity should be true")`
			`}`
			`}`