Resolve Concelier/Excititor merge conflicts
		| @@ -1,106 +1,106 @@ | ||||
| # Authority Threat Model (STRIDE) | ||||
|  | ||||
| > Prepared by Security Guild — 2025-10-12. Scope covers Authority host, Standard plug-in, CLI, bootstrap workflow, and offline revocation distribution. | ||||
|  | ||||
| ## 1. Scope & Method | ||||
|  | ||||
| - Methodology: STRIDE applied to primary Authority surfaces (token issuance, bootstrap, revocation, operator tooling, plug-in extensibility). | ||||
| - Assets in scope: identity credentials, OAuth tokens (access/refresh), bootstrap invites, revocation manifests, signing keys, audit telemetry. | ||||
| - Out of scope: Third-party IdPs federated via OpenIddict (tracked separately in SEC6 backlog). | ||||
|  | ||||
| ## 2. Assets & Entry Points | ||||
|  | ||||
| | Asset / Surface | Description | Primary Actors | | ||||
| |-----------------|-------------|----------------| | ||||
| | Token issuance APIs (`/token`, `/authorize`) | OAuth/OIDC endpoints mediated by OpenIddict | CLI, UI, automation agents | | ||||
| | Bootstrap channel | Initial admin invite + bootstrap CLI workflow | Platform operators | | ||||
| | Revocation bundle | Offline JSON + detached JWS consumed by agents | Feedser, Agents, Zastava | | ||||
| | Plug-in manifests | Standard plug-in configuration and password policy overrides | Operators, DevOps | | ||||
| | Signing keys | ES256 signing keys backing tokens and revocation manifests | Security Guild, HSM/KeyOps | | ||||
| | Audit telemetry | Structured login/audit stream persisted to Mongo/observability stack | SOC, SecOps | | ||||
|  | ||||
| ## 3. Trust Boundaries | ||||
|  | ||||
| | Boundary | Rationale | Controls | | ||||
| |----------|-----------|----------| | ||||
| | TB1 — Public network ↔️ Authority ingress | Internet/extranet exposure for `/token`, `/authorize`, `/bootstrap` | TLS 1.3, reverse proxy ACLs, rate limiting (SEC3.A / CORE8.RL) | | ||||
| | TB2 — Authority host ↔️ Mongo storage | Credential store, revocation state, audit log persistence | Authenticated Mongo, network segmentation, deterministic serializers | | ||||
| | TB3 — Authority host ↔️ Plug-in sandbox | Plug-ins may override password policy and bootstrap flows | Code signing, manifest validation, restart-time loading only | | ||||
| | TB4 — Operator workstation ↔️ CLI | CLI holds bootstrap secrets and revocation bundles | OS keychain storage, MFA on workstations, offline kit checksum | | ||||
| | TB5 — Authority ↔️ Downstream agents | Revocation bundle consumption, token validation | Mutual TLS (planned), detached JWS signatures, bundle freshness checks | | ||||
|  | ||||
| ## 4. Data Flow Diagrams | ||||
|  | ||||
| ### 4.1 Runtime token issuance | ||||
|  | ||||
| ```mermaid | ||||
| flowchart LR | ||||
|     subgraph Client Tier | ||||
|         CLI[StellaOps CLI] | ||||
|         UI[UI / Automation] | ||||
|     end | ||||
|     subgraph Perimeter | ||||
|         RP[Reverse Proxy / WAF] | ||||
|     end | ||||
|     subgraph Authority | ||||
|         AUTH[Authority Host] | ||||
|         PLGIN[Standard Plug-in] | ||||
|         STORE[(Mongo Credential Store)] | ||||
|     end | ||||
|     CLI -->|OAuth password / client creds| RP --> AUTH | ||||
|     UI -->|OAuth flows| RP | ||||
|     AUTH -->|PasswordHashOptions + Secrets| PLGIN | ||||
|     AUTH -->|Verify / Persist hashes| STORE | ||||
|     STORE -->|Rehash needed| AUTH | ||||
|     AUTH -->|Access / refresh token| RP --> Client Tier | ||||
| ``` | ||||
|  | ||||
| ### 4.2 Bootstrap & revocation | ||||
|  | ||||
| ```mermaid | ||||
| flowchart LR | ||||
|     subgraph Operator | ||||
|         OPS[Operator Workstation] | ||||
|     end | ||||
|     subgraph Authority | ||||
|         AUTH[Authority Host] | ||||
|         STORE[(Mongo)] | ||||
|     end | ||||
|     subgraph Distribution | ||||
|         OFFKIT[Offline Kit Bundle] | ||||
|         AGENT[Authorized Agent / Feedser] | ||||
|     end | ||||
|     OPS -->|Bootstrap CLI (`stellaops auth bootstrap`)| AUTH | ||||
|     AUTH -->|One-time invite + Argon2 hash| STORE | ||||
|     AUTH -->|Revocation export (`stellaops auth revoke export`)| OFFKIT | ||||
|     OFFKIT -->|Signed JSON + .jws| AGENT | ||||
|     AGENT -->|Revocation ACK / telemetry| AUTH | ||||
| ``` | ||||
|  | ||||
| ## 5. STRIDE Analysis | ||||
|  | ||||
| | Threat | STRIDE Vector | Surface | Risk (L×I) | Existing Controls | Gaps / Actions | Owner | | ||||
| |--------|---------------|---------|------------|-------------------|----------------|-------| | ||||
| | Spoofed revocation bundle | Spoofing | TB5 — Authority ↔️ Agents | Med×High | Detached JWS signature (planned), offline kit checksums | Finalise signing key registry & verification script (SEC4.B/SEC4.HOST); add bundle freshness requirement | Security Guild (follow-up: **SEC5.B**) | | ||||
| | Parameter tampering on `/token` | Tampering | TB1 — Public ingress | Med×High | ASP.NET model validation, OpenIddict, rate limiter (CORE8.RL) | Tampered requests emit `authority.token.tamper` audit events (`request.tampered`, unexpected parameter names) correlating with `/token` outcomes (SEC5.C) | Security Guild + Authority Core (follow-up: **SEC5.C**) | | ||||
| | Bootstrap invite replay | Repudiation | TB4 — Operator CLI ↔️ Authority | Low×High | One-time bootstrap tokens, Argon2id hashing on creation | Invites expire automatically and emit audit events on consumption/expiration (SEC5.D) | Security Guild | | ||||
| | Token replay by stolen agent | Information Disclosure | TB5 | Med×High | Signed revocation bundles, device fingerprint heuristics, optional mTLS | Monitor revocation acknowledgement latency via Zastava and tune replay alerting thresholds | Security Guild + Zastava (follow-up: **SEC5.E**) | | ||||
| | Privilege escalation via plug-in override | Elevation of Privilege | TB3 — Plug-in sandbox | Med×High | Signed plug-ins, restart-only loading, configuration validation | Add static analysis on manifest overrides + runtime warning when policy weaker than host | Security Guild + DevOps (follow-up: **SEC5.F**) | | ||||
| | Offline bundle tampering | Tampering | Distribution | Low×High | SHA256 manifest, signed bundles (planned) | Add supply-chain attestation for Offline Kit, publish verification CLI in docs | Security Guild + Ops (follow-up: **SEC5.G**) | | ||||
| | Failure to log denied tokens | Repudiation | TB2 — Authority ↔️ Mongo | Med×Med | Serilog structured events (partial), Mongo persistence path (planned) | Finalise audit schema (SEC2.A) and ensure `/token` denies include subject/client/IP fields | Security Guild + Authority Core (follow-up: **SEC5.H**) | | ||||
|  | ||||
| Risk scoring uses qualitative scale (Low/Med/High) for likelihood × impact; mitigation priority follows High > Med > Low. | ||||
|  | ||||
| ## 6. Follow-up Backlog Hooks | ||||
|  | ||||
| | Backlog ID | Linked Threat | Summary | Target Owners | | ||||
| |------------|---------------|---------|---------------| | ||||
| | SEC5.B | Spoofed revocation bundle | Complete libsodium/Core signing integration and ship revocation verification script. | Security Guild + Authority Core | | ||||
| | SEC5.C | Parameter tampering on `/token` | Finalise audit contract (`SEC2.A`) and add request tamper logging. | Security Guild + Authority Core | | ||||
| | SEC5.D | Bootstrap invite replay | Implement expiry enforcement + audit coverage for unused bootstrap invites. | Security Guild | | ||||
| | SEC5.E | Token replay by stolen agent | Coordinate Zastava alerting with the new device fingerprint heuristics and surface stale revocation acknowledgements. | Security Guild + Zastava | | ||||
| | SEC5.F | Plug-in override escalation | Static analysis of plug-in manifests; warn on weaker password policy overrides. | Security Guild + DevOps | | ||||
| | SEC5.G | Offline bundle tampering | Extend Offline Kit build to include attested manifest + verification CLI sample. | Security Guild + Ops | | ||||
| | SEC5.H | Failure to log denied tokens | Ensure audit persistence for all `/token` denials with correlation IDs. | Security Guild + Authority Core | | ||||
|  | ||||
| Update `src/StellaOps.Cryptography/TASKS.md` (Security Guild board) with the above backlog entries to satisfy SEC5.A exit criteria. | ||||
| # Authority Threat Model (STRIDE) | ||||
|  | ||||
| > Prepared by Security Guild — 2025-10-12. Scope covers Authority host, Standard plug-in, CLI, bootstrap workflow, and offline revocation distribution. | ||||
|  | ||||
| ## 1. Scope & Method | ||||
|  | ||||
| - Methodology: STRIDE applied to primary Authority surfaces (token issuance, bootstrap, revocation, operator tooling, plug-in extensibility). | ||||
| - Assets in scope: identity credentials, OAuth tokens (access/refresh), bootstrap invites, revocation manifests, signing keys, audit telemetry. | ||||
| - Out of scope: Third-party IdPs federated via OpenIddict (tracked separately in SEC6 backlog). | ||||
|  | ||||
| ## 2. Assets & Entry Points | ||||
|  | ||||
| | Asset / Surface | Description | Primary Actors | | ||||
| |-----------------|-------------|----------------| | ||||
| | Token issuance APIs (`/token`, `/authorize`) | OAuth/OIDC endpoints mediated by OpenIddict | CLI, UI, automation agents | | ||||
| | Bootstrap channel | Initial admin invite + bootstrap CLI workflow | Platform operators | | ||||
| | Revocation bundle | Offline JSON + detached JWS consumed by agents | Concelier, Agents, Zastava | | ||||
| | Plug-in manifests | Standard plug-in configuration and password policy overrides | Operators, DevOps | | ||||
| | Signing keys | ES256 signing keys backing tokens and revocation manifests | Security Guild, HSM/KeyOps | | ||||
| | Audit telemetry | Structured login/audit stream persisted to Mongo/observability stack | SOC, SecOps | | ||||
|  | ||||
| ## 3. Trust Boundaries | ||||
|  | ||||
| | Boundary | Rationale | Controls | | ||||
| |----------|-----------|----------| | ||||
| | TB1 — Public network ↔️ Authority ingress | Internet/extranet exposure for `/token`, `/authorize`, `/bootstrap` | TLS 1.3, reverse proxy ACLs, rate limiting (SEC3.A / CORE8.RL) | | ||||
| | TB2 — Authority host ↔️ Mongo storage | Credential store, revocation state, audit log persistence | Authenticated Mongo, network segmentation, deterministic serializers | | ||||
| | TB3 — Authority host ↔️ Plug-in sandbox | Plug-ins may override password policy and bootstrap flows | Code signing, manifest validation, restart-time loading only | | ||||
| | TB4 — Operator workstation ↔️ CLI | CLI holds bootstrap secrets and revocation bundles | OS keychain storage, MFA on workstations, offline kit checksum | | ||||
| | TB5 — Authority ↔️ Downstream agents | Revocation bundle consumption, token validation | Mutual TLS (planned), detached JWS signatures, bundle freshness checks | | ||||
|  | ||||
| ## 4. Data Flow Diagrams | ||||
|  | ||||
| ### 4.1 Runtime token issuance | ||||
|  | ||||
| ```mermaid | ||||
| flowchart LR | ||||
|     subgraph Client Tier | ||||
|         CLI[StellaOps CLI] | ||||
|         UI[UI / Automation] | ||||
|     end | ||||
|     subgraph Perimeter | ||||
|         RP[Reverse Proxy / WAF] | ||||
|     end | ||||
|     subgraph Authority | ||||
|         AUTH[Authority Host] | ||||
|         PLGIN[Standard Plug-in] | ||||
|         STORE[(Mongo Credential Store)] | ||||
|     end | ||||
|     CLI -->|OAuth password / client creds| RP --> AUTH | ||||
|     UI -->|OAuth flows| RP | ||||
|     AUTH -->|PasswordHashOptions + Secrets| PLGIN | ||||
|     AUTH -->|Verify / Persist hashes| STORE | ||||
|     STORE -->|Rehash needed| AUTH | ||||
|     AUTH -->|Access / refresh token| RP --> Client Tier | ||||
| ``` | ||||
|  | ||||
| ### 4.2 Bootstrap & revocation | ||||
|  | ||||
| ```mermaid | ||||
| flowchart LR | ||||
|     subgraph Operator | ||||
|         OPS[Operator Workstation] | ||||
|     end | ||||
|     subgraph Authority | ||||
|         AUTH[Authority Host] | ||||
|         STORE[(Mongo)] | ||||
|     end | ||||
|     subgraph Distribution | ||||
|         OFFKIT[Offline Kit Bundle] | ||||
|         AGENT[Authorized Agent / Concelier] | ||||
|     end | ||||
|     OPS -->|Bootstrap CLI (`stellaops auth bootstrap`)| AUTH | ||||
|     AUTH -->|One-time invite + Argon2 hash| STORE | ||||
|     AUTH -->|Revocation export (`stellaops auth revoke export`)| OFFKIT | ||||
|     OFFKIT -->|Signed JSON + .jws| AGENT | ||||
|     AGENT -->|Revocation ACK / telemetry| AUTH | ||||
| ``` | ||||
|  | ||||
| ## 5. STRIDE Analysis | ||||
|  | ||||
| | Threat | STRIDE Vector | Surface | Risk (L×I) | Existing Controls | Gaps / Actions | Owner | | ||||
| |--------|---------------|---------|------------|-------------------|----------------|-------| | ||||
| | Spoofed revocation bundle | Spoofing | TB5 — Authority ↔️ Agents | Med×High | Detached JWS signature (planned), offline kit checksums | Finalise signing key registry & verification script (SEC4.B/SEC4.HOST); add bundle freshness requirement | Security Guild (follow-up: **SEC5.B**) | | ||||
| | Parameter tampering on `/token` | Tampering | TB1 — Public ingress | Med×High | ASP.NET model validation, OpenIddict, rate limiter (CORE8.RL) | Tampered requests emit `authority.token.tamper` audit events (`request.tampered`, unexpected parameter names) correlating with `/token` outcomes (SEC5.C) | Security Guild + Authority Core (follow-up: **SEC5.C**) | | ||||
| | Bootstrap invite replay | Repudiation | TB4 — Operator CLI ↔️ Authority | Low×High | One-time bootstrap tokens, Argon2id hashing on creation | Invites expire automatically and emit audit events on consumption/expiration (SEC5.D) | Security Guild | | ||||
| | Token replay by stolen agent | Information Disclosure | TB5 | Med×High | Signed revocation bundles, device fingerprint heuristics, optional mTLS | Monitor revocation acknowledgement latency via Zastava and tune replay alerting thresholds | Security Guild + Zastava (follow-up: **SEC5.E**) | | ||||
| | Privilege escalation via plug-in override | Elevation of Privilege | TB3 — Plug-in sandbox | Med×High | Signed plug-ins, restart-only loading, configuration validation | Add static analysis on manifest overrides + runtime warning when policy weaker than host | Security Guild + DevOps (follow-up: **SEC5.F**) | | ||||
| | Offline bundle tampering | Tampering | Distribution | Low×High | SHA256 manifest, signed bundles (planned) | Add supply-chain attestation for Offline Kit, publish verification CLI in docs | Security Guild + Ops (follow-up: **SEC5.G**) | | ||||
| | Failure to log denied tokens | Repudiation | TB2 — Authority ↔️ Mongo | Med×Med | Serilog structured events (partial), Mongo persistence path (planned) | Finalise audit schema (SEC2.A) and ensure `/token` denies include subject/client/IP fields | Security Guild + Authority Core (follow-up: **SEC5.H**) | | ||||
|  | ||||
| Risk scoring uses qualitative scale (Low/Med/High) for likelihood × impact; mitigation priority follows High > Med > Low. | ||||
|  | ||||
| ## 6. Follow-up Backlog Hooks | ||||
|  | ||||
| | Backlog ID | Linked Threat | Summary | Target Owners | | ||||
| |------------|---------------|---------|---------------| | ||||
| | SEC5.B | Spoofed revocation bundle | Complete libsodium/Core signing integration and ship revocation verification script. | Security Guild + Authority Core | | ||||
| | SEC5.C | Parameter tampering on `/token` | Finalise audit contract (`SEC2.A`) and add request tamper logging. | Security Guild + Authority Core | | ||||
| | SEC5.D | Bootstrap invite replay | Implement expiry enforcement + audit coverage for unused bootstrap invites. | Security Guild | | ||||
| | SEC5.E | Token replay by stolen agent | Coordinate Zastava alerting with the new device fingerprint heuristics and surface stale revocation acknowledgements. | Security Guild + Zastava | | ||||
| | SEC5.F | Plug-in override escalation | Static analysis of plug-in manifests; warn on weaker password policy overrides. | Security Guild + DevOps | | ||||
| | SEC5.G | Offline bundle tampering | Extend Offline Kit build to include attested manifest + verification CLI sample. | Security Guild + Ops | | ||||
| | SEC5.H | Failure to log denied tokens | Ensure audit persistence for all `/token` denials with correlation IDs. | Security Guild + Authority Core | | ||||
|  | ||||
| Update `src/StellaOps.Cryptography/TASKS.md` (Security Guild board) with the above backlog entries to satisfy SEC5.A exit criteria. | ||||
|   | ||||
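Review bot: The hunk rewrites all 106 lines of the threat model, yet the only visible differences are the Feedser to Concelier rename in the section 2 "Revocation bundle" row and in the section 4.2 `AGENT` node label. If the rest is line-ending or whitespace churn from the conflict resolution, normalise it in a separate commit so the rename stays reviewable and blame history on the document is preserved. While this file is open, section 5 is also worth reconciling. The "Spoofed revocation bundle" and "Offline bundle tampering" rows mark bundle signing as "(planned)", but the "Token replay by stolen agent" row lists "Signed revocation bundles" as an existing control and the TB5 row lists "detached JWS signatures" without that qualifier. State in one place whether signing has shipped and align the other rows to it.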