fix(ci): remove tpm2-tools from system dependencies in codeql-advance… #49
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Adversarial & Chaos Testing CI Pipeline | ||
| # Extended testing for security resilience and fault tolerance | ||
| name: Adversarial Testing CI | ||
| on: | ||
| push: | ||
| branches: [ main, develop ] | ||
| pull_request: | ||
| branches: [ main, develop ] | ||
| schedule: | ||
| # Run comprehensive adversarial tests nightly | ||
| - cron: '0 3 * * *' | ||
| workflow_dispatch: | ||
| inputs: | ||
| test_type: | ||
| description: 'Type of adversarial test to run' | ||
| required: true | ||
| default: 'all' | ||
| type: choice | ||
| options: | ||
| - all | ||
| - security | ||
| - chaos | ||
| - performance | ||
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| actions: read | ||
| checks: write | ||
| pull-requests: write | ||
| options: | ||
| - all | ||
| - prompt_injection | ||
| - fault_injection | ||
| - rbac_edge_cases | ||
| - chaos_mode | ||
| duration_minutes: | ||
| description: 'Test duration in minutes' | ||
| required: false | ||
| default: '30' | ||
| type: string | ||
| env: | ||
| CARGO_TERM_COLOR: always | ||
| RUST_BACKTRACE: 1 | ||
| # Adversarial testing configuration | ||
| ADVERSARIAL_MODE: true | ||
| CHAOS_PROBABILITY: 0.1 | ||
| FUZZ_ITERATIONS: 1000 | ||
| RBAC_EDGE_CASE_COUNT: 50 | ||
| jobs: | ||
| # Adversarial prompt injection testing | ||
| prompt-injection-tests: | ||
| name: Prompt Injection & Evasion Tests | ||
| runs-on: ubuntu-latest | ||
| if: github.event.inputs.test_type == 'all' || github.event.inputs.test_type == 'prompt_injection' || github.event.inputs.test_type == '' | ||
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Clear Rust caches | ||
| run: | | ||
| rm -rf ~/.cargo/registry | ||
| rm -rf ~/.cargo/git | ||
| - name: Setup Rust toolchain | ||
| uses: actions-rs/toolchain@v1 | ||
| with: | ||
| toolchain: stable | ||
| profile: minimal | ||
| override: true | ||
| - name: Cache dependencies | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: | | ||
| ~/.cargo/registry | ||
| ~/.cargo/git | ||
| target/ | ||
| key: ${{ runner.os }}-adversarial-${{ hashFiles('**/Cargo.lock') }} | ||
| - name: Install fuzzing tools | ||
| run: | | ||
| cargo install cargo-fuzz | ||
| sudo apt-get update | ||
| sudo apt-get install -y radamsa afl++ | ||
| - name: Build with adversarial features | ||
| run: | | ||
| cargo build --release --features "adversarial-testing,fuzzing-support" | ||
| - name: Run SQL injection tests | ||
| run: | | ||
| cargo test --release --test adversarial::prompt_injection_tests::sql_injection -- --nocapture | ||
| - name: Run command injection tests | ||
| run: | | ||
| cargo test --release --test adversarial::prompt_injection_tests::command_injection -- --nocapture | ||
| - name: Run script injection tests | ||
| run: | | ||
| cargo test --release --test adversarial::prompt_injection_tests::script_injection -- --nocapture | ||
| - name: Run policy evasion tests | ||
| run: | | ||
| cargo test --release --test adversarial::prompt_injection_tests::policy_evasion -- --nocapture | ||
| - name: Run Unicode exploit tests | ||
| run: | | ||
| cargo test --release --test adversarial::prompt_injection_tests::unicode_exploits -- --nocapture | ||
| - name: Run comprehensive fuzzing | ||
| run: | | ||
| timeout 600 cargo test --release --test adversarial::prompt_injection_tests::run_fuzzing_tests -- --nocapture || true | ||
| - name: Generate injection test report | ||
| run: | | ||
| cargo test --release --test adversarial::prompt_injection_tests -- --format json > prompt_injection_results.json | ||
| - name: Upload prompt injection results | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: prompt-injection-results | ||
| path: prompt_injection_results.json | ||
| # Fault injection and chaos testing | ||
| fault-injection-tests: | ||
| name: Fault Injection & Chaos Tests | ||
| runs-on: ubuntu-latest | ||
| if: github.event.inputs.test_type == 'all' || github.event.inputs.test_type == 'fault_injection' || github.event.inputs.test_type == 'chaos_mode' || github.event.inputs.test_type == '' | ||
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Clear Rust caches | ||
| run: | | ||
| rm -rf ~/.cargo/registry | ||
| rm -rf ~/.cargo/git | ||
| - name: Setup Rust toolchain | ||
| uses: actions-rs/toolchain@v1 | ||
| with: | ||
| toolchain: stable | ||
| profile: minimal | ||
| override: true | ||
| - name: Setup chaos engineering tools | ||
| run: | | ||
| # Install stress testing tools | ||
| sudo apt-get update | ||
| sudo apt-get install -y stress-ng htop iotop | ||
| # Install network chaos tools | ||
| sudo apt-get install -y tc iproute2 | ||
| # Install memory debugging tools | ||
| sudo apt-get install -y valgrind | ||
| - name: Build with fault injection support | ||
| run: | | ||
| cargo build --release --features "fault-injection,chaos-testing" | ||
| - name: Run TPM fault injection tests | ||
| run: | | ||
| cargo test --release --test chaos::fault_injection_tests::tpm_faults -- --nocapture | ||
| - name: Run HSM disconnection tests | ||
| run: | | ||
| cargo test --release --test chaos::fault_injection_tests::hsm_faults -- --nocapture | ||
| - name: Run enclave corruption tests | ||
| run: | | ||
| cargo test --release --test chaos::fault_injection_tests::enclave_faults -- --nocapture | ||
| - name: Run memory exhaustion tests | ||
| run: | | ||
| # Limit memory for testing | ||
| ulimit -v 1048576 # 1GB virtual memory limit | ||
| cargo test --release --test chaos::fault_injection_tests::memory_exhaustion -- --nocapture || true | ||
| - name: Run disk full simulation | ||
| run: | | ||
| # Create limited disk space | ||
| mkdir -p /tmp/limited_disk | ||
| sudo mount -t tmpfs -o size=100M tmpfs /tmp/limited_disk | ||
| TMPDIR=/tmp/limited_disk cargo test --release --test chaos::fault_injection_tests::disk_full -- --nocapture || true | ||
| sudo umount /tmp/limited_disk | ||
| - name: Run network partition tests | ||
| run: | | ||
| # Simulate network issues | ||
| sudo tc qdisc add dev lo root netem delay 1000ms loss 50% | ||
| cargo test --release --test chaos::fault_injection_tests::network_partition -- --nocapture || true | ||
| sudo tc qdisc del dev lo root | ||
| - name: Run race condition tests | ||
| run: | | ||
| cargo test --release --test chaos::fault_injection_tests::race_conditions -- --nocapture | ||
| - name: Run cascading failure tests | ||
| run: | | ||
| cargo test --release --test chaos::fault_injection_tests::cascading_failures -- --nocapture | ||
| - name: Run chaos mode | ||
| if: github.event.inputs.test_type == 'chaos_mode' || github.event_name == 'schedule' | ||
| run: | | ||
| timeout ${{ github.event.inputs.duration_minutes || '30' }}m cargo test --release --test chaos::fault_injection_tests::chaos_mode -- --nocapture || true | ||
| - name: Generate fault injection report | ||
| run: | | ||
| cargo test --release --test chaos::fault_injection_tests -- --format json > fault_injection_results.json | ||
| - name: Upload fault injection results | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: fault-injection-results | ||
| path: fault_injection_results.json | ||
| # RBAC edge case and permission matrix testing | ||
| rbac-edge-case-tests: | ||
| name: RBAC Edge Cases & Permission Matrix | ||
| runs-on: ubuntu-latest | ||
| if: github.event.inputs.test_type == 'all' || github.event.inputs.test_type == 'rbac_edge_cases' || github.event.inputs.test_type == '' | ||
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Clear Rust caches | ||
| run: | | ||
| rm -rf ~/.cargo/registry | ||
| rm -rf ~/.cargo/git | ||
| - name: Setup Rust toolchain | ||
| uses: actions-rs/toolchain@v1 | ||
| with: | ||
| toolchain: stable | ||
| profile: minimal | ||
| override: true | ||
| - name: Build with RBAC testing features | ||
| run: | | ||
| cargo build --release --features "rbac-testing,permission-matrix" | ||
| - name: Run permission matrix tests | ||
| run: | | ||
| cargo test --release --test rbac::permission_matrix_tests::permission_matrix -- --nocapture | ||
| - name: Run role inheritance tests | ||
| run: | | ||
| cargo test --release --test rbac::permission_matrix_tests::role_inheritance -- --nocapture | ||
| - name: Run privilege escalation tests | ||
| run: | | ||
| cargo test --release --test rbac::permission_matrix_tests::privilege_escalation -- --nocapture | ||
| - name: Run session management tests | ||
| run: | | ||
| cargo test --release --test rbac::permission_matrix_tests::session_management -- --nocapture | ||
| - name: Run MFA bypass tests | ||
| run: | | ||
| cargo test --release --test rbac::permission_matrix_tests::mfa_bypass -- --nocapture | ||
| - name: Run concurrent access tests | ||
| run: | | ||
| cargo test --release --test rbac::permission_matrix_tests::concurrent_access -- --nocapture | ||
| - name: Run time-based access tests | ||
| run: | | ||
| cargo test --release --test rbac::permission_matrix_tests::time_based_access -- --nocapture | ||
| - name: Run multi-party approval tests | ||
| run: | | ||
| cargo test --release --test rbac::permission_matrix_tests::multi_party_approval -- --nocapture | ||
| - name: Run JIT MFA workflow tests | ||
| run: | | ||
| cargo test --release --test rbac::permission_matrix_tests::jit_mfa_workflows -- --nocapture | ||
| - name: Generate RBAC test report | ||
| run: | | ||
| cargo test --release --test rbac::permission_matrix_tests -- --format json > rbac_results.json | ||
| - name: Upload RBAC results | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: rbac-results | ||
| path: rbac_results.json | ||
| # Multi-day stability and soak testing | ||
| stability-soak-tests: | ||
| name: Multi-Day Stability Tests | ||
| runs-on: ubuntu-latest | ||
| if: github.event_name == 'schedule' || github.event.inputs.test_type == 'all' | ||
| timeout-minutes: 4320 # 72 hours | ||
| permissions: | ||
| contents: read | ||
| checks: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Clear Rust caches | ||
| run: | | ||
| rm -rf ~/.cargo/registry | ||
| rm -rf ~/.cargo/git | ||
| - name: Setup Rust toolchain | ||
| uses: actions-rs/toolchain@v1 | ||
| with: | ||
| toolchain: stable | ||
| profile: minimal | ||
| override: true | ||
| - name: Setup monitoring tools | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y htop iotop nethogs sysstat | ||
| # Start system monitoring | ||
| sar -u -r -n DEV 60 > system_stats.log & | ||
| MONITORING_PID=$! | ||
| echo "MONITORING_PID=$MONITORING_PID" >> $GITHUB_ENV | ||
| - name: Build optimized release | ||
| run: | | ||
| cargo build --release --features "stability-testing,memory-profiling" | ||
| - name: Run 72-hour stability test | ||
| run: | | ||
| timeout 259200 cargo test --release --test stability::soak_tests::long_running_stability -- --nocapture || true | ||
| - name: Run memory leak detection | ||
| run: | | ||
| valgrind --tool=memcheck --leak-check=full --show-leak-kinds=all --track-origins=yes \ | ||
| cargo test --release --test stability::memory_tests::leak_detection -- --nocapture > valgrind_report.txt 2>&1 || true | ||
| - name: Run resource exhaustion tests | ||
| run: | | ||
| cargo test --release --test stability::resource_tests::exhaustion_scenarios -- --nocapture | ||
| - name: Analyze performance drift | ||
| run: | | ||
| cargo test --release --test stability::performance_tests::drift_analysis -- --nocapture | ||
| - name: Stop monitoring | ||
| run: | | ||
| kill $MONITORING_PID || true | ||
| - name: Upload stability results | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: stability-results | ||
| path: | | ||
| system_stats.log | ||
| valgrind_report.txt | ||
| # Distributed load testing | ||
| distributed-load-tests: | ||
| name: Distributed Load Tests | ||
| runs-on: ubuntu-latest | ||
| if: github.event_name == 'schedule' || github.event.inputs.test_type == 'all' | ||
| permissions: | ||
| contents: read | ||
| checks: write | ||
| strategy: | ||
| matrix: | ||
| load_profile: [light, medium, heavy, extreme] | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Setup load testing tools | ||
| run: | | ||
| # Install Apache Bench and wrk | ||
| sudo apt-get update | ||
| sudo apt-get install -y apache2-utils wrk | ||
| # Install Rust load testing tools | ||
| cargo install drill | ||
| - name: Build with load testing features | ||
| run: | | ||
| cargo build --release --features "load-testing,metrics" | ||
| - name: Start Governor service | ||
| run: | | ||
| cargo run --release --bin universal-ai-governor & | ||
| GOVERNOR_PID=$! | ||
| echo "GOVERNOR_PID=$GOVERNOR_PID" >> $GITHUB_ENV | ||
| sleep 10 # Wait for service to start | ||
| - name: Run load test - ${{ matrix.load_profile }} | ||
| run: | | ||
| case "${{ matrix.load_profile }}" in | ||
| light) | ||
| CONNECTIONS=10 | ||
| DURATION=300 | ||
| ;; | ||
| medium) | ||
| CONNECTIONS=50 | ||
| DURATION=600 | ||
| ;; | ||
| heavy) | ||
| CONNECTIONS=100 | ||
| DURATION=900 | ||
| ;; | ||
| extreme) | ||
| CONNECTIONS=500 | ||
| DURATION=1200 | ||
| ;; | ||
| esac | ||
| # Run attestation endpoint load test | ||
| wrk -t12 -c$CONNECTIONS -d${DURATION}s --script=scripts/attestation_load_test.lua \ | ||
| http://localhost:8080/attestation > load_test_${{ matrix.load_profile }}.txt | ||
| # Run authentication load test | ||
| ab -n 10000 -c $CONNECTIONS -H "Content-Type: application/json" \ | ||
| -p scripts/auth_payload.json http://localhost:8080/auth/login > auth_load_${{ matrix.load_profile }}.txt | ||
| - name: Stop Governor service | ||
| run: | | ||
| kill $GOVERNOR_PID || true | ||
| - name: Upload load test results | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: load-test-results-${{ matrix.load_profile }} | ||
| path: | | ||
| load_test_${{ matrix.load_profile }}.txt | ||
| auth_load_${{ matrix.load_profile }}.txt | ||
| # Real hardware integration testing | ||
| real-hardware-tests: | ||
| name: Real Hardware Integration | ||
| runs-on: self-hosted # Requires self-hosted runner with actual hardware | ||
| if: github.event_name == 'schedule' | ||
| permissions: | ||
| contents: read | ||
| checks: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Detect available hardware | ||
| run: | | ||
| # Detect TPM | ||
| if [ -e /dev/tpm0 ]; then | ||
| echo "TPM_AVAILABLE=true" >> $GITHUB_ENV | ||
| tpm2_getcap properties-fixed | ||
| fi | ||
| # Detect HSM | ||
| if command -v pkcs11-tool &> /dev/null; then | ||
| echo "HSM_AVAILABLE=true" >> $GITHUB_ENV | ||
| pkcs11-tool --list-slots | ||
| fi | ||
| # Detect Secure Enclave (macOS) | ||
| if [[ "$OSTYPE" == "darwin"* ]]; then | ||
| echo "SECURE_ENCLAVE_AVAILABLE=true" >> $GITHUB_ENV | ||
| fi | ||
| - name: Build with real hardware support | ||
| run: | | ||
| cargo build --release --features "real-hardware,tpm-integration,hsm-integration" | ||
| - name: Run TPM hardware tests | ||
| if: env.TPM_AVAILABLE == 'true' | ||
| run: | | ||
| sudo cargo test --release --test hardware::real_tpm_tests -- --nocapture | ||
| - name: Run HSM hardware tests | ||
| if: env.HSM_AVAILABLE == 'true' | ||
| run: | | ||
| cargo test --release --test hardware::real_hsm_tests -- --nocapture | ||
| - name: Run Secure Enclave tests | ||
| if: env.SECURE_ENCLAVE_AVAILABLE == 'true' | ||
| run: | | ||
| cargo test --release --test hardware::real_enclave_tests -- --nocapture | ||
| - name: Run cross-hardware compatibility tests | ||
| run: | | ||
| cargo test --release --test hardware::compatibility_matrix -- --nocapture | ||
| - name: Upload real hardware results | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: real-hardware-results | ||
| path: | | ||
| hardware_test_results.json | ||
| # Comprehensive report generation | ||
| generate-adversarial-report: | ||
| name: Generate Adversarial Test Report | ||
| runs-on: ubuntu-latest | ||
| needs: [prompt-injection-tests, fault-injection-tests, rbac-edge-case-tests, distributed-load-tests] | ||
| if: always() | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Download all test artifacts | ||
| uses: actions/download-artifact@v4 | ||
| - name: Setup Python for report generation | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: '3.11' | ||
| - name: Install report dependencies | ||
| run: | | ||
| pip install jinja2 matplotlib seaborn pandas numpy | ||
| - name: Generate comprehensive adversarial report | ||
| run: | | ||
| python scripts/generate_adversarial_report.py \ | ||
| --prompt-injection-results prompt-injection-results/ \ | ||
| --fault-injection-results fault-injection-results/ \ | ||
| --rbac-results rbac-results/ \ | ||
| --load-test-results load-test-results-*/ \ | ||
| --output-dir adversarial-reports/ | ||
| - name: Generate security assessment | ||
| run: | | ||
| python scripts/security_assessment.py \ | ||
| --test-results adversarial-reports/ \ | ||
| --output adversarial-reports/security_assessment.html | ||
| - name: Upload comprehensive report | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: adversarial-test-report | ||
| path: adversarial-reports/ | ||
| - name: Comment on PR with results | ||
| if: github.event_name == 'pull_request' | ||
| uses: actions/github-script@v6 | ||
| with: | ||
| script: | | ||
| const fs = require('fs'); | ||
| const path = 'adversarial-reports/summary.md'; | ||
| if (fs.existsSync(path)) { | ||
| const summary = fs.readFileSync(path, 'utf8'); | ||
| github.rest.issues.createComment({ | ||
| issue_number: context.issue.number, | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| body: `## 🛡️ Adversarial Testing Results\n\n${summary}` | ||
| }); | ||
| } | ||
| # Security alert notifications | ||
| security-notifications: | ||
| name: Security Alert Notifications | ||
| runs-on: ubuntu-latest | ||
| needs: [prompt-injection-tests, fault-injection-tests, rbac-edge-case-tests] | ||
| if: failure() | ||
| permissions: | ||
| contents: read | ||
| issues: write | ||
| steps: | ||
| - name: Send security alert | ||
| uses: 8398a7/action-slack@v3 | ||
| with: | ||
| status: failure | ||
| channel: '#security-alerts' | ||
| webhook_url: ${{ secrets.SLACK_WEBHOOK }} | ||
| message: | | ||
| 🚨 CRITICAL: Adversarial Testing Failures Detected | ||
| Repository: ${{ github.repository }} | ||
| Branch: ${{ github.ref }} | ||
| Commit: ${{ github.sha }} | ||
| Failed Tests: | ||
| - Prompt Injection: ${{ needs.prompt-injection-tests.result }} | ||
| - Fault Injection: ${{ needs.fault-injection-tests.result }} | ||
| - RBAC Edge Cases: ${{ needs.rbac-edge-case-tests.result }} | ||
| Immediate investigation required! | ||
| View Details: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | ||
| - name: Create security incident issue | ||
| if: github.ref == 'refs/heads/main' | ||
| uses: actions/github-script@v6 | ||
| with: | ||
| script: | | ||
| github.rest.issues.create({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| title: '🚨 SECURITY: Adversarial Testing Failures', | ||
| body: `## Security Incident Report | ||
| **Incident Type:** Adversarial Testing Failures | ||
| **Severity:** Critical | ||
| **Date:** ${new Date().toISOString()} | ||
| **Commit:** ${context.sha} | ||
| ### Failed Tests | ||
| - Prompt Injection Tests: ${{ needs.prompt-injection-tests.result }} | ||
| - Fault Injection Tests: ${{ needs.fault-injection-tests.result }} | ||
| - RBAC Edge Case Tests: ${{ needs.rbac-edge-case-tests.result }} | ||
| ### Required Actions | ||
| - [ ] Investigate test failures | ||
| - [ ] Assess security impact | ||
| - [ ] Implement fixes | ||
| - [ ] Re-run adversarial tests | ||
| - [ ] Update security documentation | ||
| ### Links | ||
| - [Workflow Run](${context.payload.repository.html_url}/actions/runs/${context.runId}) | ||
| - [Test Artifacts](${context.payload.repository.html_url}/actions/runs/${context.runId}#artifacts) | ||
| `, | ||
| labels: ['security', 'critical', 'incident'] | ||
| }); | ||
| # Workflow environment variables | ||
| env: | ||
| # Security testing configuration | ||
| SECURITY_TESTING_MODE: true | ||
| ADVERSARIAL_LOGGING_LEVEL: debug | ||
| # Chaos testing parameters | ||
| CHAOS_MONKEY_ENABLED: true | ||
| FAULT_INJECTION_RATE: 0.1 | ||
| # Load testing configuration | ||
| MAX_CONCURRENT_CONNECTIONS: 1000 | ||
| LOAD_TEST_DURATION_SECONDS: 3600 | ||
| # Hardware testing | ||
| HARDWARE_TIMEOUT_SECONDS: 300 | ||
| TPM_EMULATION_ENABLED: true | ||
