Add OpenSslLegacyShim to ensure OpenSSL 1.1 libraries are accessible on Linux

This commit introduces the OpenSslLegacyShim class, which sets the LD_LIBRARY_PATH environment variable to include the directory containing OpenSSL 1.1 native libraries. This is necessary for Mongo2Go to function correctly on Linux platforms that do not ship these libraries by default. The shim checks if the current operating system is Linux and whether the required directory exists before modifying the environment variable.
2025-11-02 21:41:03 +02:00
parent f98cea3bcf
commit 1d962ee6fc
71 changed files with 3675 additions and 1255 deletions
--- a/src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration.Tests/StellaOpsResourceServerPoliciesTests.cs
+++ b/src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration.Tests/StellaOpsResourceServerPoliciesTests.cs
@@ -28,6 +28,19 @@ public class StellaOpsResourceServerPoliciesTests
        AssertPolicy(options, StellaOpsResourceServerPolicies.ExportAdmin, StellaOpsScopes.ExportAdmin);
    }

+    [Fact]
+    public void AddPacksResourcePolicies_RegistersExpectedPolicies()
+    {
+        var options = new AuthorizationOptions();
+
+        options.AddPacksResourcePolicies();
+
+        AssertPolicy(options, StellaOpsResourceServerPolicies.PacksRead, StellaOpsScopes.PacksRead);
+        AssertPolicy(options, StellaOpsResourceServerPolicies.PacksWrite, StellaOpsScopes.PacksWrite);
+        AssertPolicy(options, StellaOpsResourceServerPolicies.PacksRun, StellaOpsScopes.PacksRun);
+        AssertPolicy(options, StellaOpsResourceServerPolicies.PacksApprove, StellaOpsScopes.PacksApprove);
+    }
+
    private static void AssertPolicy(AuthorizationOptions options, string policyName, string expectedScope)
    {
        var policy = options.GetPolicy(policyName);
--- a/src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration.Tests/StellaOpsScopeAuthorizationHandlerTests.cs
+++ b/src/Authority/StellaOps.Authority/StellaOps.Auth.ServerIntegration.Tests/StellaOpsScopeAuthorizationHandlerTests.cs
@@ -290,7 +290,70 @@ public class StellaOpsScopeAuthorizationHandlerTests
        Assert.Equal(freshAuthTime.ToString("o", CultureInfo.InvariantCulture), GetPropertyValue(record, "incident.auth_time"));
        Assert.Equal("Sev1 drill", GetPropertyValue(record, "incident.reason"));
    }
-
+
+    [Fact]
+    public async Task HandleRequirement_Fails_WhenBackfillMetadataMissing()
+    {
+        var optionsMonitor = CreateOptionsMonitor(options =>
+        {
+            options.Authority = "https://authority.example";
+            options.RequiredTenants.Add("tenant-alpha");
+            options.Validate();
+        });
+
+        var (handler, accessor, sink) = CreateHandler(optionsMonitor, IPAddress.Parse("10.0.0.77"));
+        var requirement = new StellaOpsScopeRequirement(new[] { StellaOpsScopes.OrchBackfill });
+        var principal = new StellaOpsPrincipalBuilder()
+            .WithSubject("orch-admin")
+            .WithClientId("orch-control")
+            .WithTenant("tenant-alpha")
+            .WithScopes(new[] { StellaOpsScopes.OrchBackfill })
+            .Build();
+
+        var context = new AuthorizationHandlerContext(new[] { requirement }, principal, accessor.HttpContext);
+
+        await handler.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+        var record = Assert.Single(sink.Records);
+        Assert.Equal(AuthEventOutcome.Failure, record.Outcome);
+        Assert.Equal("Backfill scope requires reason and ticket.", record.Reason);
+        Assert.Equal("false", GetPropertyValue(record, "backfill.metadata_satisfied"));
+    }
+
+    [Fact]
+    public async Task HandleRequirement_Succeeds_WhenBackfillMetadataPresent()
+    {
+        var optionsMonitor = CreateOptionsMonitor(options =>
+        {
+            options.Authority = "https://authority.example";
+            options.RequiredTenants.Add("tenant-alpha");
+            options.Validate();
+        });
+
+        var (handler, accessor, sink) = CreateHandler(optionsMonitor, IPAddress.Parse("10.0.0.88"));
+        var requirement = new StellaOpsScopeRequirement(new[] { StellaOpsScopes.OrchBackfill });
+        var principal = new StellaOpsPrincipalBuilder()
+            .WithSubject("orch-admin")
+            .WithClientId("orch-control")
+            .WithTenant("tenant-alpha")
+            .WithScopes(new[] { StellaOpsScopes.OrchBackfill })
+            .AddClaim(StellaOpsClaimTypes.BackfillReason, "Quota recovery backfill")
+            .AddClaim(StellaOpsClaimTypes.BackfillTicket, "INC-741")
+            .Build();
+
+        var context = new AuthorizationHandlerContext(new[] { requirement }, principal, accessor.HttpContext);
+
+        await handler.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+        var record = Assert.Single(sink.Records);
+        Assert.Equal(AuthEventOutcome.Success, record.Outcome);
+        Assert.Equal("true", GetPropertyValue(record, "backfill.metadata_satisfied"));
+        Assert.Equal("Quota recovery backfill", GetPropertyValue(record, "backfill.reason"));
+        Assert.Equal("INC-741", GetPropertyValue(record, "backfill.ticket"));
+    }
+
    private static (StellaOpsScopeAuthorizationHandler Handler, IHttpContextAccessor Accessor, RecordingAuthEventSink Sink) CreateHandler(IOptionsMonitor<StellaOpsResourceServerOptions> optionsMonitor, IPAddress remoteAddress, TimeProvider? timeProvider = null)
    {
        var accessor = new HttpContextAccessor();