feat: initial release

2025-12-18 19:16:04 +01:00
commit f038d6a3fc
38 changed files with 6765 additions and 0 deletions
--- a/tests/test_compliance.py
+++ b/tests/test_compliance.py
@@ -0,0 +1,73 @@
+"""Tests for compliance checking functionality."""
+
+from datetime import datetime
+
+
+class TestComplianceChecks:
+    """Tests for compliance validation logic."""
+
+    def test_check_bsi_validity(self) -> None:
+        """Test BSI cipher suite validity checking."""
+        # Valid BSI-approved cipher suite (not expired)
+        cipher_suite_valid = {
+            "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "iana_recommended": "N",
+            "bsi_approved": True,
+            "bsi_valid_until": "2029",
+        }
+        # Check that current year is before 2029
+        current_year = datetime.now().year
+        assert current_year < 2029, "Test assumes current year < 2029"
+        # BSI-approved and valid should be compliant
+        assert cipher_suite_valid["bsi_approved"] is True
+        assert int(cipher_suite_valid["bsi_valid_until"]) > current_year
+
+        # Expired BSI-approved cipher suite
+        cipher_suite_expired = {
+            "name": "TLS_OLD_CIPHER",
+            "iana_recommended": "N",
+            "bsi_approved": True,
+            "bsi_valid_until": "2020",
+        }
+        # BSI-approved but expired should not be compliant
+        assert cipher_suite_expired["bsi_approved"] is True
+        assert int(cipher_suite_expired["bsi_valid_until"]) < current_year
+
+        # No BSI data
+        cipher_suite_no_bsi = {
+            "name": "TLS_CHACHA20_POLY1305_SHA256",
+            "iana_recommended": "Y",
+            "bsi_approved": False,
+            "bsi_valid_until": None,
+        }
+        # Without BSI approval, compliance depends on IANA
+        assert cipher_suite_no_bsi["bsi_approved"] is False
+
+    def test_check_iana_recommendation(self) -> None:
+        """Test IANA recommendation checking."""
+        # IANA recommended cipher suite
+        cipher_suite_recommended = {
+            "name": "TLS_AES_256_GCM_SHA384",
+            "iana_recommended": "Y",
+            "bsi_approved": True,
+            "bsi_valid_until": "2031",
+        }
+        assert cipher_suite_recommended["iana_recommended"] == "Y"
+
+        # IANA not recommended cipher suite
+        cipher_suite_not_recommended = {
+            "name": "TLS_RSA_WITH_AES_128_CBC_SHA",
+            "iana_recommended": "N",
+            "bsi_approved": False,
+            "bsi_valid_until": None,
+        }
+        assert cipher_suite_not_recommended["iana_recommended"] == "N"
+
+        # No IANA data (should default to non-compliant)
+        cipher_suite_no_iana = {
+            "name": "TLS_UNKNOWN_CIPHER",
+            "iana_recommended": None,
+            "bsi_approved": False,
+            "bsi_valid_until": None,
+        }
+        assert cipher_suite_no_iana["iana_recommended"] is None