< Summary

Information

Class:	AsiBackbone.Core.Signing.VerificationPolicyOutcome
Assembly:	AsiBackbone.Core
File(s):	/home/runner/work/AsiBackbone/AsiBackbone/src/AsiBackbone.Core/Signing/VerificationPolicyOutcome.cs

Line coverage

94%

Covered lines:	127
Uncovered lines:	7
Coverable lines:	134
Total lines:	276
Line coverage:	94.7%

Branch coverage

84%

Covered branches:	27
Total branches:	32
Branch coverage:	84.3%

Method coverage

Feature is only available for sponsors

Upgrade to PRO version

Metrics

Method	Branch coverage	Crap Score	Cyclomatic complexity	Line coverage
.cctor()	100%	2	1	0%
.ctor(...)	50%	4	4	95.12%
get_IsVerified()	100%	1	1	100%
get_Category()	100%	1	1	100%
get_Action()	100%	1	1	100%
get_ShouldAllow()	100%	1	1	100%
get_Status()	100%	1	1	100%
get_FailureCode()	100%	1	1	100%
get_FailureMessage()	100%	1	1	100%
get_ArtifactType()	100%	1	1	100%
get_ArtifactId()	100%	1	1	100%
get_SigningHash()	100%	2	1	0%
get_HashAlgorithm()	100%	2	1	0%
get_KeyId()	100%	1	1	100%
get_KeyVersion()	100%	1	1	100%
get_SignatureAlgorithm()	100%	1	1	100%
get_Provider()	100%	1	1	100%
get_SafeMetadata()	100%	1	1	100%
Create(...)	100%	1	1	100%
CreateCore(...)	100%	2	2	100%
BuildSafeMetadata(...)	75%	12	12	100%
AddIfPresent(...)	100%	2	2	100%
IsSafeSigningMetadataKey(...)	100%	10	10	100%
NormalizeOptional(...)	100%	2	2	100%

File(s)

/home/runner/work/AsiBackbone/AsiBackbone/src/AsiBackbone.Core/Signing/VerificationPolicyOutcome.cs

#	Line	Line coverage
	`1`	`using System.Collections.ObjectModel;`
	`2`
	`3`	`namespace AsiBackbone.Core.Signing;`
	`4`
	`5`	`/// <summary>`
	`6`	`/// Represents the host-facing outcome of signature verification policy evaluation.`
	`7`	`/// </summary>`
	`8`	`public sealed class VerificationPolicyOutcome`
	`9`	`{`
0	`10`	`private static readonly IReadOnlyDictionary<string, string> EmptyMetadata =`
0	`11`	`new ReadOnlyDictionary<string, string>(`
0	`12`	`new Dictionary<string, string>(StringComparer.Ordinal));`
	`13`
34	`14`	`private VerificationPolicyOutcome(`
34	`15`	`bool isVerified,`
34	`16`	`SignatureVerificationCategory category,`
34	`17`	`VerificationPolicyAction action,`
34	`18`	`string status,`
34	`19`	`string? failureCode,`
34	`20`	`string? failureMessage,`
34	`21`	`string artifactType,`
34	`22`	`string artifactId,`
34	`23`	`string signingHash,`
34	`24`	`string hashAlgorithm,`
34	`25`	`string? keyId,`
34	`26`	`string? keyVersion,`
34	`27`	`string? signatureAlgorithm,`
34	`28`	`string? provider,`
34	`29`	`IReadOnlyDictionary<string, string> safeMetadata)`
	`30`	`{`
34	`31`	`ArgumentException.ThrowIfNullOrWhiteSpace(status);`
34	`32`	`ArgumentException.ThrowIfNullOrWhiteSpace(artifactType);`
34	`33`	`ArgumentException.ThrowIfNullOrWhiteSpace(artifactId);`
34	`34`	`ArgumentException.ThrowIfNullOrWhiteSpace(signingHash);`
34	`35`	`ArgumentException.ThrowIfNullOrWhiteSpace(hashAlgorithm);`
	`36`
34	`37`	`if (!Enum.IsDefined(category))`
	`38`	`{`
0	`39`	`throw new ArgumentOutOfRangeException(nameof(category), category, "Verification category must be defined.");`
	`40`	`}`
	`41`
34	`42`	`if (!Enum.IsDefined(action))`
	`43`	`{`
0	`44`	`throw new ArgumentOutOfRangeException(nameof(action), action, "Verification policy action must be defined.")`
	`45`	`}`
	`46`
34	`47`	`IsVerified = isVerified;`
34	`48`	`Category = category;`
34	`49`	`Action = action;`
34	`50`	`Status = status.Trim();`
34	`51`	`FailureCode = NormalizeOptional(failureCode);`
34	`52`	`FailureMessage = NormalizeOptional(failureMessage);`
34	`53`	`ArtifactType = artifactType.Trim();`
34	`54`	`ArtifactId = artifactId.Trim();`
34	`55`	`SigningHash = signingHash.Trim();`
34	`56`	`HashAlgorithm = hashAlgorithm.Trim();`
34	`57`	`KeyId = NormalizeOptional(keyId);`
34	`58`	`KeyVersion = NormalizeOptional(keyVersion);`
34	`59`	`SignatureAlgorithm = NormalizeOptional(signatureAlgorithm);`
34	`60`	`Provider = NormalizeOptional(provider);`
34	`61`	`SafeMetadata = safeMetadata;`
34	`62`	`}`
	`63`
	`64`	`/// <summary>`
	`65`	`/// Gets a value indicating whether verification succeeded.`
	`66`	`/// </summary>`
23	`67`	`public bool IsVerified { get; }`
	`68`
	`69`	`/// <summary>`
	`70`	`/// Gets the provider-neutral verification category.`
	`71`	`/// </summary>`
32	`72`	`public SignatureVerificationCategory Category { get; }`
	`73`
	`74`	`/// <summary>`
	`75`	`/// Gets the host-facing action selected by verification policy.`
	`76`	`/// </summary>`
46	`77`	`public VerificationPolicyAction Action { get; }`
	`78`
	`79`	`/// <summary>`
	`80`	`/// Gets a value indicating whether the policy selected the allow action.`
	`81`	`/// </summary>`
14	`82`	`public bool ShouldAllow => Action is VerificationPolicyAction.Allow;`
	`83`
	`84`	`/// <summary>`
	`85`	`/// Gets the provider-neutral verification status.`
	`86`	`/// </summary>`
1	`87`	`public string Status { get; }`
	`88`
	`89`	`/// <summary>`
	`90`	`/// Gets the provider-neutral failure code, when verification did not succeed.`
	`91`	`/// </summary>`
30	`92`	`public string? FailureCode { get; }`
	`93`
	`94`	`/// <summary>`
	`95`	`/// Gets the provider-neutral failure message, when verification did not succeed.`
	`96`	`/// </summary>`
10	`97`	`public string? FailureMessage { get; }`
	`98`
	`99`	`/// <summary>`
	`100`	`/// Gets the artifact type that was verified or evaluated.`
	`101`	`/// </summary>`
1	`102`	`public string ArtifactType { get; }`
	`103`
	`104`	`/// <summary>`
	`105`	`/// Gets the artifact identifier that was verified or evaluated.`
	`106`	`/// </summary>`
1	`107`	`public string ArtifactId { get; }`
	`108`
	`109`	`/// <summary>`
	`110`	`/// Gets the signing hash expected for verification.`
	`111`	`/// </summary>`
0	`112`	`public string SigningHash { get; }`
	`113`
	`114`	`/// <summary>`
	`115`	`/// Gets the hash algorithm expected for verification.`
	`116`	`/// </summary>`
0	`117`	`public string HashAlgorithm { get; }`
	`118`
	`119`	`/// <summary>`
	`120`	`/// Gets the signing key identifier, when supplied.`
	`121`	`/// </summary>`
2	`122`	`public string? KeyId { get; }`
	`123`
	`124`	`/// <summary>`
	`125`	`/// Gets the signing key version, when supplied.`
	`126`	`/// </summary>`
2	`127`	`public string? KeyVersion { get; }`
	`128`
	`129`	`/// <summary>`
	`130`	`/// Gets the signature algorithm descriptor, when supplied.`
	`131`	`/// </summary>`
1	`132`	`public string? SignatureAlgorithm { get; }`
	`133`
	`134`	`/// <summary>`
	`135`	`/// Gets the signing provider descriptor, when supplied.`
	`136`	`/// </summary>`
1	`137`	`public string? Provider { get; }`
	`138`
	`139`	`/// <summary>`
	`140`	`/// Gets safe-to-log verification metadata. Signature values and secrets are never included.`
	`141`	`/// </summary>`
26	`142`	`public IReadOnlyDictionary<string, string> SafeMetadata { get; }`
	`143`
	`144`	`/// <summary>`
	`145`	`/// Creates a verification policy outcome.`
	`146`	`/// </summary>`
	`147`	`public static VerificationPolicyOutcome Create<TArtifact>(`
	`148`	`SignedGovernanceArtifact<TArtifact> artifact,`
	`149`	`SignatureVerificationResult verificationResult,`
	`150`	`VerificationPolicyOptions? options = null)`
	`151`	`{`
2	`152`	`ArgumentNullException.ThrowIfNull(artifact);`
	`153`
2	`154`	`return CreateCore(`
2	`155`	`artifact.ArtifactType,`
2	`156`	`artifact.ArtifactId,`
2	`157`	`artifact.SigningHash,`
2	`158`	`artifact.HashAlgorithm,`
2	`159`	`artifact.SigningMetadata,`
2	`160`	`verificationResult,`
2	`161`	`options);`
	`162`	`}`
	`163`
	`164`	`internal static VerificationPolicyOutcome CreateCore(`
	`165`	`string artifactType,`
	`166`	`string artifactId,`
	`167`	`string signingHash,`
	`168`	`string hashAlgorithm,`
	`169`	`SigningMetadata signingMetadata,`
	`170`	`SignatureVerificationResult verificationResult,`
	`171`	`VerificationPolicyOptions? options = null)`
	`172`	`{`
34	`173`	`ArgumentNullException.ThrowIfNull(signingMetadata);`
34	`174`	`ArgumentNullException.ThrowIfNull(verificationResult);`
	`175`
34	`176`	`VerificationPolicyOptions effectiveOptions = options ?? VerificationPolicyOptions.Default;`
34	`177`	`SignatureVerificationCategory category = VerificationPolicyEvaluator.Categorize(verificationResult);`
34	`178`	`VerificationPolicyAction action = effectiveOptions.GetAction(category);`
34	`179`	`IReadOnlyDictionary<string, string> safeMetadata = BuildSafeMetadata(`
34	`180`	`artifactType,`
34	`181`	`artifactId,`
34	`182`	`signingHash,`
34	`183`	`hashAlgorithm,`
34	`184`	`signingMetadata,`
34	`185`	`verificationResult,`
34	`186`	`category,`
34	`187`	`action);`
	`188`
34	`189`	`return new VerificationPolicyOutcome(`
34	`190`	`verificationResult.IsValid,`
34	`191`	`category,`
34	`192`	`action,`
34	`193`	`verificationResult.Status,`
34	`194`	`verificationResult.FailureCode,`
34	`195`	`verificationResult.FailureMessage,`
34	`196`	`artifactType,`
34	`197`	`artifactId,`
34	`198`	`signingHash,`
34	`199`	`hashAlgorithm,`
34	`200`	`signingMetadata.KeyId,`
34	`201`	`signingMetadata.KeyVersion,`
34	`202`	`signingMetadata.SignatureAlgorithm,`
34	`203`	`signingMetadata.Provider,`
34	`204`	`safeMetadata);`
	`205`	`}`
	`206`
	`207`	`private static IReadOnlyDictionary<string, string> BuildSafeMetadata(`
	`208`	`string artifactType,`
	`209`	`string artifactId,`
	`210`	`string signingHash,`
	`211`	`string hashAlgorithm,`
	`212`	`SigningMetadata signingMetadata,`
	`213`	`SignatureVerificationResult verificationResult,`
	`214`	`SignatureVerificationCategory category,`
	`215`	`VerificationPolicyAction action)`
	`216`	`{`
34	`217`	`Dictionary<string, string> metadata = new(StringComparer.Ordinal)`
34	`218`	`{`
34	`219`	`["artifact_id"] = artifactId,`
34	`220`	`["artifact_type"] = artifactType,`
34	`221`	`["category"] = category.ToString(),`
34	`222`	`["hash_algorithm"] = hashAlgorithm,`
34	`223`	`["policy_action"] = action.ToString(),`
34	`224`	`["signing_hash"] = signingHash,`
34	`225`	`["status"] = verificationResult.Status`
34	`226`	`};`
	`227`
34	`228`	`AddIfPresent(metadata, "failure_code", verificationResult.FailureCode);`
34	`229`	`AddIfPresent(metadata, "key_id", signingMetadata.KeyId);`
34	`230`	`AddIfPresent(metadata, "key_version", signingMetadata.KeyVersion);`
34	`231`	`AddIfPresent(metadata, "provider", signingMetadata.Provider);`
34	`232`	`AddIfPresent(metadata, "signature_algorithm", signingMetadata.SignatureAlgorithm);`
	`233`
34	`234`	`if (signingMetadata.SignedUtc.HasValue)`
	`235`	`{`
30	`236`	`metadata["signed_utc"] = signingMetadata.SignedUtc.Value.ToString("O", System.Globalization.CultureInfo.Inva`
	`237`	`}`
	`238`
418	`239`	`foreach (KeyValuePair<string, string> item in signingMetadata.Metadata)`
	`240`	`{`
175	`241`	`if (IsSafeSigningMetadataKey(item.Key))`
	`242`	`{`
170	`243`	`metadata[item.Key.Trim()] = item.Value?.Trim() ?? string.Empty;`
	`244`	`}`
	`245`	`}`
	`246`
34	`247`	`return metadata.Count == 0`
34	`248`	`? EmptyMetadata`
34	`249`	`: new ReadOnlyDictionary<string, string>(metadata);`
	`250`	`}`
	`251`
	`252`	`private static void AddIfPresent(Dictionary<string, string> metadata, string key, string? value)`
	`253`	`{`
170	`254`	`if (!string.IsNullOrWhiteSpace(value))`
	`255`	`{`
150	`256`	`metadata[key] = value.Trim();`
	`257`	`}`
170	`258`	`}`
	`259`
	`260`	`private static bool IsSafeSigningMetadataKey(string key)`
	`261`	`{`
175	`262`	`return !string.IsNullOrWhiteSpace(key)`
175	`263`	`&& !key.Contains("signature", StringComparison.OrdinalIgnoreCase)`
175	`264`	`&& !key.Contains("secret", StringComparison.OrdinalIgnoreCase)`
175	`265`	`&& !key.Contains("token", StringComparison.OrdinalIgnoreCase)`
175	`266`	`&& !key.Contains("credential", StringComparison.OrdinalIgnoreCase)`
175	`267`	`&& !key.Contains("private", StringComparison.OrdinalIgnoreCase);`
	`268`	`}`
	`269`
	`270`	`private static string? NormalizeOptional(string? value)`
	`271`	`{`
204	`272`	`return string.IsNullOrWhiteSpace(value)`
204	`273`	`? null`
204	`274`	`: value.Trim();`
	`275`	`}`
	`276`	`}`

< Summary

Metrics

File(s)

/home/runner/work/AsiBackbone/AsiBackbone/src/AsiBackbone.Core/Signing/VerificationPolicyOutcome.cs

Methods/Properties