Add tests and implement StubBearer authentication for Signer endpoints

- Created SignerEndpointsTests to validate the SignDsse and VerifyReferrers endpoints. - Implemented StubBearerAuthenticationDefaults and StubBearerAuthenticationHandler for token-based authentication. - Developed ConcelierExporterClient for managing Trivy DB settings and export operations. - Added TrivyDbSettingsPageComponent for UI interactions with Trivy DB settings, including form handling and export triggering. - Implemented styles and HTML structure for Trivy DB settings page. - Created NotifySmokeCheck tool for validating Redis event streams and Notify deliveries.
2025-10-21 09:37:07 +03:00
parent d6cb41dd51
commit 48f3071e2a
298 changed files with 20490 additions and 5751 deletions
--- a/docs/ARCHITECTURE_AUTHORITY.md
+++ b/docs/ARCHITECTURE_AUTHORITY.md
@@ -275,24 +275,56 @@ Every Stella Ops service that consumes Authority tokens **must**:
 ```yaml
 authority:
  issuer: "https://authority.internal"
-  keys:
-    algs: [ "EdDSA", "ES256" ]
-    rotationDays: 60
-    storage: kms://cluster-kms/authority-signing
-  tokens:
-    accessTtlSeconds: 180
-    enableRefreshTokens: false
-    clockSkewSeconds: 60
-  dpop:
-    enable: true
-    nonce:
-      enable: true
-      ttlSeconds: 600
-      store: redis
-      redisConnectionString: "redis://authority-redis:6379?ssl=false"
-  mtls:
-    enable: true
-    caBundleFile: /etc/ssl/mtls/clients-ca.pem
+  signing:
+    enabled: true
+    activeKeyId: "authority-signing-2025"
+    keyPath: "../certificates/authority-signing-2025.pem"
+    algorithm: "ES256"
+    keySource: "file"
+  security:
+    rateLimiting:
+      token:
+        enabled: true
+        permitLimit: 30
+        window: "00:01:00"
+        queueLimit: 0
+      authorize:
+        enabled: true
+        permitLimit: 60
+        window: "00:01:00"
+        queueLimit: 10
+      internal:
+        enabled: false
+        permitLimit: 5
+        window: "00:01:00"
+        queueLimit: 0
+    senderConstraints:
+      dpop:
+        enabled: true
+        allowedAlgorithms: [ "ES256", "ES384" ]
+        proofLifetime: "00:02:00"
+        allowedClockSkew: "00:00:30"
+        replayWindow: "00:05:00"
+        nonce:
+          enabled: true
+          ttl: "00:10:00"
+          maxIssuancePerMinute: 120
+          store: "redis"
+          redisConnectionString: "redis://authority-redis:6379?ssl=false"
+          requiredAudiences:
+            - "signer"
+            - "attestor"
+      mtls:
+        enabled: true
+        requireChainValidation: true
+        rotationGrace: "00:15:00"
+        enforceForAudiences:
+          - "signer"
+        allowedSanTypes:
+          - "dns"
+          - "uri"
+        allowedCertificateAuthorities:
+          - "/etc/ssl/mtls/clients-ca.pem"
  clients:
    - clientId: scanner-web
      grantTypes: [ "client_credentials" ]
@@ -407,4 +439,3 @@ Signer validates that `hash(JWK)` in the proof matches `cnf.jkt` in the token.
 2. **Add**: mTLS‑bound tokens for Signer/Attestor; device code for CLI; optional introspection.
 3. **Hardening**: DPoP nonce support; full audit pipeline; HA tuning.
 4. **UX**: Tenant/installation admin UI; role→scope editors; client bootstrap wizards.
-