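# Adversarial & Chaos Testing CI Pipeline
# Extended testing for security resilience and fault tolerance
name: Adversarial Testing CI

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  schedule:
    # Run comprehensive adversarial tests nightly
    - cron: '0 3 * * *'
  workflow_dispatch:
    inputs:
      test_type:
        description: 'Type of adversarial test to run'
        required: true
        default: 'all'
        type: choice
        # A single option list: these are exactly the values the job-level `if:`
        # conditions compare against. A second `options:` list (security, chaos,
        # performance) was a duplicate key and matched no job, so it is gone.
        options:
          - all
          - prompt_injection
          - fault_injection
          - rbac_edge_cases
          - chaos_mode
      duration_minutes:
        description: 'Test duration in minutes'
        required: false
        default: '30'
        # Kept as a string for dispatch compatibility; the consuming step must
        # validate it (digits only) before putting it on a command line.
        type: string

# Least privilege: every job declares its own `permissions:` block, which
# replaces this default entirely, so the workflow level only needs read access.
# (The previous mapping sat inside the dispatch inputs and also granted
# security-events/checks/pull-requests write that no job inherited.)
permissions:
  contents: read

# NOTE(review): a second `env:` stanza appears at the very end of this file.
# If it is at workflow level it duplicates this key (rejected by GitHub's
# workflow parser; last-wins in most YAML loaders) and its variables belong here.
env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: "1"
  # Adversarial testing configuration. Quoted so YAML does not retype them;
  # GitHub hands env values to steps as strings either way.
  ADVERSARIAL_MODE: "true"
  CHAOS_PROBABILITY: "0.1"
  FUZZ_ITERATIONS: "1000"
  RBAC_EDGE_CASE_COUNT: "50"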
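jobs:
  # Adversarial prompt injection testing
  prompt-injection-tests:
    name: Prompt Injection & Evasion Tests
    runs-on: ubuntu-latest
    # Dispatch values 'all'/'prompt_injection' select this job; the == '' arm
    # makes it run on push/pull_request/schedule, where inputs are absent.
    if: github.event.inputs.test_type == 'all' || github.event.inputs.test_type == 'prompt_injection' || github.event.inputs.test_type == ''
    permissions:
      contents: read
      security-events: write
    steps:
      # NOTE(review): actions are referenced by mutable major tag throughout this
      # workflow; pinning each `uses:` to a full commit SHA is the usual
      # supply-chain hardening.
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Clear Rust caches
        # Drops any pre-existing registry/git state; the cache step below then
        # restores its own copy of the same paths.
        run: |
          rm -rf ~/.cargo/registry
          rm -rf ~/.cargo/git
      - name: Setup Rust toolchain
        # rustup ships on ubuntu-latest; this replaces the archived
        # actions-rs/toolchain action with an equivalent minimal stable install.
        run: |
          rustup toolchain install stable --profile minimal
          rustup default stable
      - name: Cache dependencies
        uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target/
          key: ${{ runner.os }}-adversarial-${{ hashFiles('**/Cargo.lock') }}
      - name: Install fuzzing tools
        # NOTE(review): no later step invokes cargo-fuzz, radamsa or afl++; the
        # "fuzzing" step below runs an ordinary cargo test target.
        run: |
          cargo install cargo-fuzz
          sudo apt-get update
          sudo apt-get install -y radamsa afl++
      - name: Build with adversarial features
        run: |
          cargo build --release --features "adversarial-testing,fuzzing-support"
      # NOTE(review): (1) `cargo test --test <NAME>` selects an integration-test
      # *target* by name, and target names cannot contain `::`; a module path such
      # as `adversarial::prompt_injection_tests::sql_injection` is a test-name
      # filter and belongs after the target or as a positional argument. (2) The
      # test steps pass none of the feature flags used by the build step, so cargo
      # rebuilds with default features and anything gated on those features is
      # not compiled. Verify both against the crate's tests/ layout; the same
      # pattern recurs in every job of this workflow.
      - name: Run SQL injection tests
        run: |
          cargo test --release --test adversarial::prompt_injection_tests::sql_injection -- --nocapture
      - name: Run command injection tests
        run: |
          cargo test --release --test adversarial::prompt_injection_tests::command_injection -- --nocapture
      - name: Run script injection tests
        run: |
          cargo test --release --test adversarial::prompt_injection_tests::script_injection -- --nocapture
      - name: Run policy evasion tests
        run: |
          cargo test --release --test adversarial::prompt_injection_tests::policy_evasion -- --nocapture
      - name: Run Unicode exploit tests
        run: |
          cargo test --release --test adversarial::prompt_injection_tests::unicode_exploits -- --nocapture
      - name: Run comprehensive fuzzing
        # `|| true` means fuzzing findings never fail the job; the JSON report
        # below is the only place the signal survives.
        run: |
          timeout 600 cargo test --release --test adversarial::prompt_injection_tests::run_fuzzing_tests -- --nocapture || true
      - name: Generate injection test report
        # NOTE(review): libtest's `--format json` is accepted only on nightly with
        # `-Z unstable-options`; on the stable toolchain installed above the
        # harness exits with an error and the redirected file stays empty.
        run: |
          cargo test --release --test adversarial::prompt_injection_tests -- --format json > prompt_injection_results.json
      - name: Upload prompt injection results
        # Collect whatever was produced even when an earlier step failed.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: prompt-injection-results
          path: prompt_injection_results.json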
# Fault injection and chaos testing
fault-injection-tests:
name: Fault Injection & Chaos Tests
runs-on: ubuntu-latest
if: github.event.inputs.test_type == 'all' || github.event.inputs.test_type == 'fault_injection' || github.event.inputs.test_type == 'chaos_mode' || github.event.inputs.test_type == ''
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Clear Rust caches
run: |
rm -rf ~/.cargo/registry
rm -rf ~/.cargo/git
- name: Setup Rust toolchain
uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
override: true
- name: Setup chaos engineering tools
run: |
# Install stress testing tools
sudo apt-get update
sudo apt-get install -y stress-ng htop iotop
# Install network chaos tools
sudo apt-get install -y tc iproute2
# Install memory debugging tools
sudo apt-get install -y valgrind
- name: Build with fault injection support
run: |
cargo build --release --features "fault-injection,chaos-testing"
- name: Run TPM fault injection tests
run: |
cargo test --release --test chaos::fault_injection_tests::tpm_faults -- --nocapture
- name: Run HSM disconnection tests
run: |
cargo test --release --test chaos::fault_injection_tests::hsm_faults -- --nocapture
- name: Run enclave corruption tests
run: |
cargo test --release --test chaos::fault_injection_tests::enclave_faults -- --nocapture
- name: Run memory exhaustion tests
run: |
# Limit memory for testing
ulimit -v 1048576 # 1GB virtual memory limit
cargo test --release --test chaos::fault_injection_tests::memory_exhaustion -- --nocapture || true
- name: Run disk full simulation
run: |
# Create limited disk space
mkdir -p /tmp/limited_disk
sudo mount -t tmpfs -o size=100M tmpfs /tmp/limited_disk
TMPDIR=/tmp/limited_disk cargo test --release --test chaos::fault_injection_tests::disk_full -- --nocapture || true
sudo umount /tmp/limited_disk
- name: Run network partition tests
run: |
# Simulate network issues
sudo tc qdisc add dev lo root netem delay 1000ms loss 50%
cargo test --release --test chaos::fault_injection_tests::network_partition -- --nocapture || true
sudo tc qdisc del dev lo root
- name: Run race condition tests
run: |
cargo test --release --test chaos::fault_injection_tests::race_conditions -- --nocapture
- name: Run cascading failure tests
run: |
cargo test --release --test chaos::fault_injection_tests::cascading_failures -- --nocapture
- name: Run chaos mode
if: github.event.inputs.test_type == 'chaos_mode' || github.event_name == 'schedule'
run: |
timeout ${{ github.event.inputs.duration_minutes || '30' }}m cargo test --release --test chaos::fault_injection_tests::chaos_mode -- --nocapture || true
- name: Generate fault injection report
run: |
cargo test --release --test chaos::fault_injection_tests -- --format json > fault_injection_results.json
- name: Upload fault injection results
uses: actions/upload-artifact@v4
with:
name: fault-injection-results
path: fault_injection_results.json
# RBAC edge case and permission matrix testing
rbac-edge-case-tests:
name: RBAC Edge Cases & Permission Matrix
runs-on: ubuntu-latest
if: github.event.inputs.test_type == 'all' || github.event.inputs.test_type == 'rbac_edge_cases' || github.event.inputs.test_type == ''
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Clear Rust caches
run: |
rm -rf ~/.cargo/registry
rm -rf ~/.cargo/git
- name: Setup Rust toolchain
uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
override: true
- name: Build with RBAC testing features
run: |
cargo build --release --features "rbac-testing,permission-matrix"
- name: Run permission matrix tests
run: |
cargo test --release --test rbac::permission_matrix_tests::permission_matrix -- --nocapture
- name: Run role inheritance tests
run: |
cargo test --release --test rbac::permission_matrix_tests::role_inheritance -- --nocapture
- name: Run privilege escalation tests
run: |
cargo test --release --test rbac::permission_matrix_tests::privilege_escalation -- --nocapture
- name: Run session management tests
run: |
cargo test --release --test rbac::permission_matrix_tests::session_management -- --nocapture
- name: Run MFA bypass tests
run: |
cargo test --release --test rbac::permission_matrix_tests::mfa_bypass -- --nocapture
- name: Run concurrent access tests
run: |
cargo test --release --test rbac::permission_matrix_tests::concurrent_access -- --nocapture
- name: Run time-based access tests
run: |
cargo test --release --test rbac::permission_matrix_tests::time_based_access -- --nocapture
- name: Run multi-party approval tests
run: |
cargo test --release --test rbac::permission_matrix_tests::multi_party_approval -- --nocapture
- name: Run JIT MFA workflow tests
run: |
cargo test --release --test rbac::permission_matrix_tests::jit_mfa_workflows -- --nocapture
- name: Generate RBAC test report
run: |
cargo test --release --test rbac::permission_matrix_tests -- --format json > rbac_results.json
- name: Upload RBAC results
uses: actions/upload-artifact@v4
with:
name: rbac-results
path: rbac_results.json
# Multi-day stability and soak testing
stability-soak-tests:
name: Multi-Day Stability Tests
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.inputs.test_type == 'all'
timeout-minutes: 4320 # 72 hours
permissions:
contents: read
checks: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Clear Rust caches
run: |
rm -rf ~/.cargo/registry
rm -rf ~/.cargo/git
- name: Setup Rust toolchain
uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
override: true
- name: Setup monitoring tools
run: |
sudo apt-get update
sudo apt-get install -y htop iotop nethogs sysstat
# Start system monitoring
sar -u -r -n DEV 60 > system_stats.log &
MONITORING_PID=$!
echo "MONITORING_PID=$MONITORING_PID" >> $GITHUB_ENV
- name: Build optimized release
run: |
cargo build --release --features "stability-testing,memory-profiling"
- name: Run 72-hour stability test
run: |
timeout 259200 cargo test --release --test stability::soak_tests::long_running_stability -- --nocapture || true
- name: Run memory leak detection
run: |
valgrind --tool=memcheck --leak-check=full --show-leak-kinds=all --track-origins=yes \
cargo test --release --test stability::memory_tests::leak_detection -- --nocapture > valgrind_report.txt 2>&1 || true
- name: Run resource exhaustion tests
run: |
cargo test --release --test stability::resource_tests::exhaustion_scenarios -- --nocapture
- name: Analyze performance drift
run: |
cargo test --release --test stability::performance_tests::drift_analysis -- --nocapture
- name: Stop monitoring
run: |
kill $MONITORING_PID || true
- name: Upload stability results
uses: actions/upload-artifact@v4
with:
name: stability-results
path: |
system_stats.log
valgrind_report.txt
# Distributed load testing
distributed-load-tests:
name: Distributed Load Tests
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.inputs.test_type == 'all'
permissions:
contents: read
checks: write
strategy:
matrix:
load_profile: [light, medium, heavy, extreme]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup load testing tools
run: |
# Install Apache Bench and wrk
sudo apt-get update
sudo apt-get install -y apache2-utils wrk
# Install Rust load testing tools
cargo install drill
- name: Build with load testing features
run: |
cargo build --release --features "load-testing,metrics"
- name: Start Governor service
run: |
cargo run --release --bin universal-ai-governor &
GOVERNOR_PID=$!
echo "GOVERNOR_PID=$GOVERNOR_PID" >> $GITHUB_ENV
sleep 10 # Wait for service to start
- name: Run load test - ${{ matrix.load_profile }}
run: |
case "${{ matrix.load_profile }}" in
light)
CONNECTIONS=10
DURATION=300
;;
medium)
CONNECTIONS=50
DURATION=600
;;
heavy)
CONNECTIONS=100
DURATION=900
;;
extreme)
CONNECTIONS=500
DURATION=1200
;;
esac
# Run attestation endpoint load test
wrk -t12 -c$CONNECTIONS -d${DURATION}s --script=scripts/attestation_load_test.lua \
http://localhost:8080/attestation > load_test_${{ matrix.load_profile }}.txt
# Run authentication load test
ab -n 10000 -c $CONNECTIONS -H "Content-Type: application/json" \
-p scripts/auth_payload.json http://localhost:8080/auth/login > auth_load_${{ matrix.load_profile }}.txt
- name: Stop Governor service
run: |
kill $GOVERNOR_PID || true
- name: Upload load test results
uses: actions/upload-artifact@v4
with:
name: load-test-results-${{ matrix.load_profile }}
path: |
load_test_${{ matrix.load_profile }}.txt
auth_load_${{ matrix.load_profile }}.txt
# Real hardware integration testing
real-hardware-tests:
name: Real Hardware Integration
runs-on: self-hosted # Requires self-hosted runner with actual hardware
if: github.event_name == 'schedule'
permissions:
contents: read
checks: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Detect available hardware
run: |
# Detect TPM
if [ -e /dev/tpm0 ]; then
echo "TPM_AVAILABLE=true" >> $GITHUB_ENV
tpm2_getcap properties-fixed
fi
# Detect HSM
if command -v pkcs11-tool &> /dev/null; then
echo "HSM_AVAILABLE=true" >> $GITHUB_ENV
pkcs11-tool --list-slots
fi
# Detect Secure Enclave (macOS)
if [[ "$OSTYPE" == "darwin"* ]]; then
echo "SECURE_ENCLAVE_AVAILABLE=true" >> $GITHUB_ENV
fi
- name: Build with real hardware support
run: |
cargo build --release --features "real-hardware,tpm-integration,hsm-integration"
- name: Run TPM hardware tests
if: env.TPM_AVAILABLE == 'true'
run: |
sudo cargo test --release --test hardware::real_tpm_tests -- --nocapture
- name: Run HSM hardware tests
if: env.HSM_AVAILABLE == 'true'
run: |
cargo test --release --test hardware::real_hsm_tests -- --nocapture
- name: Run Secure Enclave tests
if: env.SECURE_ENCLAVE_AVAILABLE == 'true'
run: |
cargo test --release --test hardware::real_enclave_tests -- --nocapture
- name: Run cross-hardware compatibility tests
run: |
cargo test --release --test hardware::compatibility_matrix -- --nocapture
- name: Upload real hardware results
uses: actions/upload-artifact@v4
with:
name: real-hardware-results
path: |
hardware_test_results.json
  # Comprehensive report generation
  generate-adversarial-report:
    name: Generate Adversarial Test Report
    runs-on: ubuntu-latest
    # Only the jobs whose artifacts the report scripts consume are waited for;
    # stability-soak-tests and real-hardware-tests are not part of the report.
    needs: [prompt-injection-tests, fault-injection-tests, rbac-edge-case-tests, distributed-load-tests]
    # Runs even when a needed job failed, was skipped or was cancelled, so the
    # artifact directories referenced below may be absent in that case.
    if: always()
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Download all test artifacts
        # With no `name`, every artifact of the run is downloaded into a
        # directory named after it; the paths passed to the scripts rely on that.
        uses: actions/download-artifact@v4
      - name: Setup Python for report generation
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - name: Install report dependencies
        # NOTE(review): versions are unpinned and resolved at run time; pinning
        # them (or installing from a lock file with hashes) keeps the report
        # tooling reproducible and limits supply-chain exposure.
        run: |
          pip install jinja2 matplotlib seaborn pandas numpy
      - name: Generate comprehensive adversarial report
        # Input directories match the artifact names uploaded by the needed jobs;
        # the load-test glob covers one directory per matrix leg.
        run: |
          python scripts/generate_adversarial_report.py \
            --prompt-injection-results prompt-injection-results/ \
            --fault-injection-results fault-injection-results/ \
            --rbac-results rbac-results/ \
            --load-test-results load-test-results-*/ \
            --output-dir adversarial-reports/
      - name: Generate security assessment
        run: |
          python scripts/security_assessment.py \
            --test-results adversarial-reports/ \
            --output adversarial-reports/security_assessment.html
      - name: Upload comprehensive report
        uses: actions/upload-artifact@v4
        with:
          name: adversarial-test-report
          path: adversarial-reports/
      - name: Comment on PR with results
        # For pull requests opened from forks GITHUB_TOKEN is read-only, so
        # createComment fails there; the step only succeeds for same-repo PRs.
        # The script skips silently when summary.md was not produced.
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');
            const path = 'adversarial-reports/summary.md';
            if (fs.existsSync(path)) {
              const summary = fs.readFileSync(path, 'utf8');
              github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: `## 🛡️ Adversarial Testing Results\n\n${summary}`
              });
            }
  # Security alert notifications
  security-notifications:
    name: Security Alert Notifications
    runs-on: ubuntu-latest
    needs: [prompt-injection-tests, fault-injection-tests, rbac-edge-case-tests]
    # failure() is true when any of the needed jobs failed (not when they were
    # skipped or cancelled).
    if: failure()
    permissions:
      contents: read
      issues: write
    steps:
      - name: Send security alert
        # NOTE(review): a third-party action referenced by a mutable tag receives
        # the Slack webhook secret; pin it to a full commit SHA. Secrets are not
        # exposed to pull_request runs from forks, so this step fails there with
        # an empty webhook_url.
        uses: 8398a7/action-slack@v3
        with:
          status: failure
          channel: '#security-alerts'
          webhook_url: ${{ secrets.SLACK_WEBHOOK }}
          message: |
            🚨 CRITICAL: Adversarial Testing Failures Detected
            Repository: ${{ github.repository }}
            Branch: ${{ github.ref }}
            Commit: ${{ github.sha }}
            Failed Tests:
            - Prompt Injection: ${{ needs.prompt-injection-tests.result }}
            - Fault Injection: ${{ needs.fault-injection-tests.result }}
            - RBAC Edge Cases: ${{ needs.rbac-edge-case-tests.result }}
            Immediate investigation required!
            View Details: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
      - name: Create security incident issue
        # Only the default branch opens a tracked incident. The `${{ }}` values
        # interpolated into the script are fixed job-result strings
        # (success/failure/cancelled/skipped), not user-controlled input.
        if: github.ref == 'refs/heads/main'
        uses: actions/github-script@v6
        with:
          script: |
            github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: '🚨 SECURITY: Adversarial Testing Failures',
              body: `## Security Incident Report
            **Incident Type:** Adversarial Testing Failures
            **Severity:** Critical
            **Date:** ${new Date().toISOString()}
            **Commit:** ${context.sha}
            ### Failed Tests
            - Prompt Injection Tests: ${{ needs.prompt-injection-tests.result }}
            - Fault Injection Tests: ${{ needs.fault-injection-tests.result }}
            - RBAC Edge Case Tests: ${{ needs.rbac-edge-case-tests.result }}
            ### Required Actions
            - [ ] Investigate test failures
            - [ ] Assess security impact
            - [ ] Implement fixes
            - [ ] Re-run adversarial tests
            - [ ] Update security documentation
            ### Links
            - [Workflow Run](${context.payload.repository.html_url}/actions/runs/${context.runId})
            - [Test Artifacts](${context.payload.repository.html_url}/actions/runs/${context.runId}#artifacts)
            `,
              labels: ['security', 'critical', 'incident']
            });
# Workflow environment variables
# NOTE(review): a top-level `env:` mapping is already declared near the top of
# this file. If this stanza is also at workflow level it is a duplicate key
# (invalid in YAML 1.2 and rejected by GitHub's workflow parser; last-wins in
# most other loaders), and these variables should be merged into that block.
# If it was meant for the last job only, it belongs under that job as a
# job-level `env:`.
env:
  # Security testing configuration
  SECURITY_TESTING_MODE: true
  ADVERSARIAL_LOGGING_LEVEL: debug
  # Chaos testing parameters
  CHAOS_MONKEY_ENABLED: true
  FAULT_INJECTION_RATE: 0.1
  # Load testing configuration
  MAX_CONCURRENT_CONNECTIONS: 1000
  LOAD_TEST_DURATION_SECONDS: 3600
  # Hardware testing
  HARDWARE_TIMEOUT_SECONDS: 300
  TPM_EMULATION_ENABLED: true