Resolve Concelier/Excititor merge conflicts

2025-10-20 14:19:25 +03:00
parent 67d581d2e8 5fd4032c7c
commit 09b6a28172
2687 changed files with 212646 additions and 85913 deletions
--- a/src/StellaOps.Auth.Security/Dpop/DpopValidationOptions.cs
+++ b/src/StellaOps.Auth.Security/Dpop/DpopValidationOptions.cs
@@ -0,0 +1,77 @@
+using System.Collections.Immutable;
+using System.Collections.Generic;
+using System.Linq;
+
+namespace StellaOps.Auth.Security.Dpop;
+
+/// <summary>
+/// Configures acceptable algorithms and replay windows for DPoP proof validation.
+/// </summary>
+public sealed class DpopValidationOptions
+{
+    private readonly HashSet<string> allowedAlgorithms = new(StringComparer.Ordinal);
+
+    public DpopValidationOptions()
+    {
+        allowedAlgorithms.Add("ES256");
+        allowedAlgorithms.Add("ES384");
+    }
+
+    /// <summary>
+    /// Maximum age a proof is considered valid relative to <see cref="IssuedAt"/>.
+    /// </summary>
+    public TimeSpan ProofLifetime { get; set; } = TimeSpan.FromMinutes(2);
+
+    /// <summary>
+    /// Allowed clock skew when evaluating <c>iat</c>.
+    /// </summary>
+    public TimeSpan AllowedClockSkew { get; set; } = TimeSpan.FromSeconds(30);
+
+    /// <summary>
+    /// Duration a successfully validated proof is tracked to prevent replay.
+    /// </summary>
+    public TimeSpan ReplayWindow { get; set; } = TimeSpan.FromMinutes(5);
+
+    /// <summary>
+    /// Algorithms (JWA) permitted for DPoP proofs.
+    /// </summary>
+    public ISet<string> AllowedAlgorithms => allowedAlgorithms;
+
+    /// <summary>
+    /// Normalised, upper-case representation of allowed algorithms.
+    /// </summary>
+    public IReadOnlySet<string> NormalizedAlgorithms { get; private set; } = ImmutableHashSet<string>.Empty;
+
+    public void Validate()
+    {
+        if (ProofLifetime <= TimeSpan.Zero)
+        {
+            throw new InvalidOperationException("DPoP proof lifetime must be greater than zero.");
+        }
+
+        if (AllowedClockSkew < TimeSpan.Zero || AllowedClockSkew > TimeSpan.FromMinutes(5))
+        {
+            throw new InvalidOperationException("DPoP allowed clock skew must be between 0 seconds and 5 minutes.");
+        }
+
+        if (ReplayWindow < TimeSpan.Zero)
+        {
+            throw new InvalidOperationException("DPoP replay window must be greater than or equal to zero.");
+        }
+
+        if (allowedAlgorithms.Count == 0)
+        {
+            throw new InvalidOperationException("At least one allowed DPoP algorithm must be configured.");
+        }
+
+        NormalizedAlgorithms = allowedAlgorithms
+            .Select(static algorithm => algorithm.Trim().ToUpperInvariant())
+            .Where(static algorithm => algorithm.Length > 0)
+            .ToImmutableHashSet(StringComparer.Ordinal);
+
+        if (NormalizedAlgorithms.Count == 0)
+        {
+            throw new InvalidOperationException("Allowed DPoP algorithms cannot be empty after normalization.");
+        }
+    }
+}