Add OpenSslLegacyShim to ensure OpenSSL 1.1 libraries are accessible on Linux

This commit introduces the OpenSslLegacyShim class, which sets the LD_LIBRARY_PATH environment variable to include the directory containing OpenSSL 1.1 native libraries. This is necessary for Mongo2Go to function correctly on Linux platforms that do not ship these libraries by default. The shim checks if the current operating system is Linux and whether the required directory exists before modifying the environment variable.
This commit is contained in:
master
2025-11-02 21:41:03 +02:00
parent f98cea3bcf
commit 1d962ee6fc
71 changed files with 3675 additions and 1255 deletions


@@ -64,6 +64,26 @@ public static class StellaOpsResourceServerPolicies
/// </summary>
public const string ExportAdmin = StellaOpsScopes.ExportAdmin;
/// <summary>
/// Pack read policy name.
/// </summary>
public const string PacksRead = StellaOpsScopes.PacksRead;
/// <summary>
/// Pack write policy name.
/// </summary>
public const string PacksWrite = StellaOpsScopes.PacksWrite;
/// <summary>
/// Pack run policy name.
/// </summary>
public const string PacksRun = StellaOpsScopes.PacksRun;
/// <summary>
/// Pack approval policy name.
/// </summary>
public const string PacksApprove = StellaOpsScopes.PacksApprove;
/// <summary>
/// Registers all observability, timeline, evidence, attestation, and export authorization policies.
/// </summary>
@@ -83,4 +103,18 @@ public static class StellaOpsResourceServerPolicies
options.AddStellaOpsScopePolicy(ExportOperator, StellaOpsScopes.ExportOperator);
options.AddStellaOpsScopePolicy(ExportAdmin, StellaOpsScopes.ExportAdmin);
}
/// <summary>
/// Registers Task Pack registry, execution, and approval authorization policies.
/// </summary>
/// <param name="options">The authorization options to update.</param>
public static void AddPacksResourcePolicies(this AuthorizationOptions options)
{
ArgumentNullException.ThrowIfNull(options);
options.AddStellaOpsScopePolicy(PacksRead, StellaOpsScopes.PacksRead);
options.AddStellaOpsScopePolicy(PacksWrite, StellaOpsScopes.PacksWrite);
options.AddStellaOpsScopePolicy(PacksRun, StellaOpsScopes.PacksRun);
options.AddStellaOpsScopePolicy(PacksApprove, StellaOpsScopes.PacksApprove);
}
}
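Review bot: `AddPacksResourcePolicies` is not invoked from the existing aggregate registration method whose closing brace sits just above it (its summary still lists only observability, timeline, evidence, attestation and export policies), so a resource server that calls only the aggregate ends up with no `PacksRead`/`PacksWrite`/`PacksRun`/`PacksApprove` policies and any endpoint authorizing against those names will fail at runtime when the policy lookup misses. If keeping pack policies opt-in is deliberate, state it in the XML doc, e.g. `/// Not called by the aggregate registration; hosts exposing Task Pack endpoints must invoke this explicitly.`; otherwise add `options.AddPacksResourcePolicies();` inside the aggregate method. That aggregate method begins before the first hunk, so its full body is not visible here.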


@@ -98,10 +98,19 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
string? incidentReasonClaim = null;
DateTimeOffset? incidentAuthTime = null;
string? incidentFailureReason = null;
var backfillMetadataRequired = combinedScopes.Contains(StellaOpsScopes.OrchBackfill);
var backfillMetadataSatisfied = true;
string? backfillReasonClaim = null;
string? backfillTicketClaim = null;
string? backfillFailureReason = null;
if (principalAuthenticated)
{
incidentReasonClaim = principal!.FindFirstValue(StellaOpsClaimTypes.IncidentReason);
backfillReasonClaim = principal!.FindFirstValue(StellaOpsClaimTypes.BackfillReason);
backfillTicketClaim = principal!.FindFirstValue(StellaOpsClaimTypes.BackfillTicket);
backfillReasonClaim = backfillReasonClaim?.Trim();
backfillTicketClaim = backfillTicketClaim?.Trim();
}
if (principalAuthenticated && allScopesSatisfied)
@@ -119,6 +128,15 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
out incidentFailureReason);
}
if (principalAuthenticated && tenantAllowed && allScopesSatisfied && backfillMetadataRequired)
{
if (string.IsNullOrWhiteSpace(backfillReasonClaim) || string.IsNullOrWhiteSpace(backfillTicketClaim))
{
backfillMetadataSatisfied = false;
backfillFailureReason = "Backfill scope requires reason and ticket.";
}
}
var bypassed = false;
if ((!principalAuthenticated || !allScopesSatisfied || !tenantAllowed || !incidentFreshAuthSatisfied) &&
@@ -133,10 +151,12 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
incidentFreshAuthSatisfied = true;
incidentFailureReason = null;
incidentAuthTime = null;
backfillMetadataSatisfied = true;
backfillFailureReason = null;
bypassed = true;
}
if (tenantAllowed && allScopesSatisfied && incidentFreshAuthSatisfied)
if (tenantAllowed && allScopesSatisfied && incidentFreshAuthSatisfied && backfillMetadataSatisfied)
{
context.Succeed(requirement);
}
@@ -181,9 +201,18 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
ObservabilityIncidentFreshAuthWindow,
httpContext?.Connection.RemoteIpAddress);
}
if (backfillMetadataRequired && !backfillMetadataSatisfied)
{
logger.LogDebug(
"Backfill scope metadata requirement not satisfied. ReasonPresent={ReasonPresent}; TicketPresent={TicketPresent}; Remote={Remote}",
!string.IsNullOrWhiteSpace(backfillReasonClaim),
!string.IsNullOrWhiteSpace(backfillTicketClaim),
httpContext?.Connection.RemoteIpAddress);
}
}
var reason = incidentFailureReason ?? DetermineFailureReason(
var reason = backfillFailureReason ?? incidentFailureReason ?? DetermineFailureReason(
principalAuthenticated,
allScopesSatisfied,
anyScopeMatched,
@@ -202,7 +231,7 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
resourceOptions,
normalizedTenant,
missingScopes,
tenantAllowed && allScopesSatisfied && incidentFreshAuthSatisfied,
tenantAllowed && allScopesSatisfied && incidentFreshAuthSatisfied && backfillMetadataSatisfied,
bypassed,
reason,
principalAuthenticated,
@@ -212,7 +241,11 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
incidentFreshAuthRequired,
incidentFreshAuthSatisfied,
incidentReasonClaim,
incidentAuthTime).ConfigureAwait(false);
incidentAuthTime,
backfillMetadataRequired,
backfillMetadataSatisfied,
backfillReasonClaim,
backfillTicketClaim).ConfigureAwait(false);
}
private static string? DetermineFailureReason(
@@ -293,7 +326,11 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
bool incidentFreshAuthRequired,
bool incidentFreshAuthSatisfied,
string? incidentReason,
DateTimeOffset? incidentAuthTime)
DateTimeOffset? incidentAuthTime,
bool backfillMetadataRequired,
bool backfillMetadataSatisfied,
string? backfillReason,
string? backfillTicket)
{
if (!auditSinks.Any())
{
@@ -320,7 +357,11 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
incidentFreshAuthRequired,
incidentFreshAuthSatisfied,
incidentReason,
incidentAuthTime);
incidentAuthTime,
backfillMetadataRequired,
backfillMetadataSatisfied,
backfillReason,
backfillTicket);
var cancellationToken = httpContext?.RequestAborted ?? CancellationToken.None;
@@ -353,7 +394,11 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
bool incidentFreshAuthRequired,
bool incidentFreshAuthSatisfied,
string? incidentReason,
DateTimeOffset? incidentAuthTime)
DateTimeOffset? incidentAuthTime,
bool backfillMetadataRequired,
bool backfillMetadataSatisfied,
string? backfillReason,
string? backfillTicket)
{
var correlationId = ResolveCorrelationId(httpContext);
var subject = BuildSubject(principal);
@@ -373,7 +418,11 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
incidentFreshAuthRequired,
incidentFreshAuthSatisfied,
incidentReason,
incidentAuthTime);
incidentAuthTime,
backfillMetadataRequired,
backfillMetadataSatisfied,
backfillReason,
backfillTicket);
return new AuthEventRecord
{
@@ -403,7 +452,11 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
bool incidentFreshAuthRequired,
bool incidentFreshAuthSatisfied,
string? incidentReason,
DateTimeOffset? incidentAuthTime)
DateTimeOffset? incidentAuthTime,
bool backfillMetadataRequired,
bool backfillMetadataSatisfied,
string? backfillReason,
string? backfillTicket)
{
var properties = new List<AuthEventProperty>();
@@ -507,6 +560,33 @@ internal sealed class StellaOpsScopeAuthorizationHandler : AuthorizationHandler<
}
}
if (backfillMetadataRequired)
{
properties.Add(new AuthEventProperty
{
Name = "backfill.metadata_satisfied",
Value = ClassifiedString.Public(backfillMetadataSatisfied ? "true" : "false")
});
if (!string.IsNullOrWhiteSpace(backfillReason))
{
properties.Add(new AuthEventProperty
{
Name = "backfill.reason",
Value = ClassifiedString.Sensitive(backfillReason!)
});
}
if (!string.IsNullOrWhiteSpace(backfillTicket))
{
properties.Add(new AuthEventProperty
{
Name = "backfill.ticket",
Value = ClassifiedString.Sensitive(backfillTicket!)
});
}
}
return properties;
}
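Review bot: The bypass condition in the `@@ -119,6 +128,15 @@` hunk was not extended with the new flag, so the reset of `backfillMetadataSatisfied`/`backfillFailureReason` inside the bypass block (the two lines before `bypassed = true`) is only reachable when some other precondition has also failed; a bypass-eligible caller that satisfies scopes, tenant and fresh-auth but lacks the backfill reason/ticket claims is denied rather than bypassed, and the audit record will show `bypassed=false` with the backfill failure reason. If bypass is meant to waive the backfill metadata requirement, as those reset lines suggest, the condition should become `if ((!principalAuthenticated || !allScopesSatisfied || !tenantAllowed || !incidentFreshAuthSatisfied || !backfillMetadataSatisfied) &&`; if the requirement is intentionally never bypassable, the two resets are dead code and should be dropped with a one-line comment saying the backfill check is not subject to bypass. That `if` condition continues past the end of its hunk, so the remaining operands are not visible here. Separately, the check behind `Backfill scope requires reason and ticket.` accepts any non-whitespace string; if ticket identifiers have an expected shape, a length bound or pattern check there would keep the `backfill.ticket` audit property meaningful for later correlation.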