Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates

2026-04-26 12:56:21 +02:00 · 2026-03-23 16:45:40 +10:00 · 2026-03-23 16:45:40 +10:00 · 41cbfd6e0a
commit 41cbfd6e0a
parent 694e32be26
178 changed files with 36008 additions and 399 deletions
--- a/internal/infrastructure/zerotrust/zerotrust_test.go
+++ b/internal/infrastructure/zerotrust/zerotrust_test.go
@ -0,0 +1,109 @@
+package zerotrust
+
+import (
+	"testing"
+)
+
+func TestNewIdentity(t *testing.T) {
+	id, err := NewIdentity("soc-ingest", SPIFFEIngest)
+	if err != nil {
+		t.Fatalf("NewIdentity: %v", err)
+	}
+
+	if id.SPIFFEID() != SPIFFEIngest {
+		t.Errorf("spiffe_id = %s, want %s", id.SPIFFEID(), SPIFFEIngest)
+	}
+
+	stats := id.Stats()
+	if stats.CertRotations != 1 {
+		t.Errorf("cert_rotations = %d, want 1", stats.CertRotations)
+	}
+}
+
+func TestCertPEM(t *testing.T) {
+	id, err := NewIdentity("soc-ingest", SPIFFEIngest)
+	if err != nil {
+		t.Fatalf("NewIdentity: %v", err)
+	}
+
+	pem := id.CertPEM()
+	if len(pem) == 0 {
+		t.Error("CertPEM is empty")
+	}
+}
+
+func TestServerTLSConfig(t *testing.T) {
+	id, err := NewIdentity("soc-ingest", SPIFFEIngest)
+	if err != nil {
+		t.Fatalf("NewIdentity: %v", err)
+	}
+
+	cfg := id.ServerTLSConfig()
+	if cfg.MinVersion != 0x0304 { // TLS 1.3
+		t.Errorf("min version = %x, want 0x0304 (TLS 1.3)", cfg.MinVersion)
+	}
+	if cfg.ClientAuth != 4 { // RequireAndVerifyClientCert
+		t.Errorf("client_auth = %d, want 4", cfg.ClientAuth)
+	}
+	if cfg.ClientCAs == nil {
+		t.Error("ClientCAs should not be nil")
+	}
+}
+
+func TestClientTLSConfig(t *testing.T) {
+	id, err := NewIdentity("soc-correlate", SPIFFECorrelate)
+	if err != nil {
+		t.Fatalf("NewIdentity: %v", err)
+	}
+
+	cfg := id.ClientTLSConfig()
+	if cfg.MinVersion != 0x0304 {
+		t.Errorf("min version = %x, want TLS 1.3", cfg.MinVersion)
+	}
+	if cfg.RootCAs == nil {
+		t.Error("RootCAs should not be nil")
+	}
+}
+
+func TestCertRotation(t *testing.T) {
+	id, err := NewIdentity("soc-respond", SPIFFERespond)
+	if err != nil {
+		t.Fatalf("NewIdentity: %v", err)
+	}
+
+	pem1 := string(id.CertPEM())
+
+	if err := id.RotateCert(); err != nil {
+		t.Fatalf("RotateCert: %v", err)
+	}
+
+	pem2 := string(id.CertPEM())
+	if pem1 == pem2 {
+		t.Error("cert should change after rotation")
+	}
+
+	stats := id.Stats()
+	if stats.CertRotations != 2 {
+		t.Errorf("rotations = %d, want 2", stats.CertRotations)
+	}
+}
+
+func TestAuthzPolicy(t *testing.T) {
+	// Check ingest accepts immune, shield, sidecar, dashboard.
+	allowed := AuthzPolicy[SPIFFEIngest]
+	if len(allowed) != 4 {
+		t.Errorf("ingest allowed_callers = %d, want 4", len(allowed))
+	}
+
+	// Correlate only accepts ingest.
+	allowed = AuthzPolicy[SPIFFECorrelate]
+	if len(allowed) != 1 || allowed[0] != SPIFFEIngest {
+		t.Errorf("correlate allowed = %v, want [ingest]", allowed)
+	}
+
+	// Respond only accepts correlate.
+	allowed = AuthzPolicy[SPIFFERespond]
+	if len(allowed) != 1 || allowed[0] != SPIFFECorrelate {
+		t.Errorf("respond allowed = %v, want [correlate]", allowed)
+	}
+}