stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

Add tests and implement StubBearer authentication for Signer endpoints

Browse Source 
- Created SignerEndpointsTests to validate the SignDsse and VerifyReferrers endpoints.
- Implemented StubBearerAuthenticationDefaults and StubBearerAuthenticationHandler for token-based authentication.
- Developed ConcelierExporterClient for managing Trivy DB settings and export operations.
- Added TrivyDbSettingsPageComponent for UI interactions with Trivy DB settings, including form handling and export triggering.
- Implemented styles and HTML structure for Trivy DB settings page.
- Created NotifySmokeCheck tool for validating Redis event streams and Notify deliveries.
This commit is contained in:
master
2025-10-21 09:37:07 +03:00
parent d6cb41dd51
commit 48f3071e2a
298 changed files with 20490 additions and 5751 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/StellaOps.Signer/StellaOps.Signer.Infrastructure/ProofOfEntitlement/InMemoryProofOfEntitlementIntrospector.cs
View File

@@ -3,7 +3,8 @@ using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Options;
using StellaOps.Signer.Core;
using StellaOps.Signer.Infrastructure.Options;
using StellaOps.Signer.Infrastructure.Options;
using ProofOfEntitlementRecord = StellaOps.Signer.Core.ProofOfEntitlement;
namespace StellaOps.Signer.Infrastructure.ProofOfEntitlement;
@@ -20,8 +21,8 @@ public sealed class InMemoryProofOfEntitlementIntrospector : IProofOfEntitlement
_timeProvider = timeProvider ?? TimeProvider.System;
}
public ValueTask<ProofOfEntitlementResult> IntrospectAsync(
ProofOfEntitlement proof,
public ValueTask<ProofOfEntitlementResult> IntrospectAsync(
ProofOfEntitlementRecord proof,
CallerContext caller,
CancellationToken cancellationToken)
{

127
src/StellaOps.Signer/StellaOps.Signer.Tests/SignerEndpointsTests.cs Normal file
View File

@@ -0,0 +1,127 @@
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Testing;
using StellaOps.Signer.WebService.Contracts;
using Xunit;
namespace StellaOps.Signer.Tests;
public sealed class SignerEndpointsTests : IClassFixture<WebApplicationFactory<Program>>
{
private readonly WebApplicationFactory<Program> _factory;
private const string TrustedDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
public SignerEndpointsTests(WebApplicationFactory<Program> factory)
{
_factory = factory;
}
[Fact]
public async Task SignDsse_ReturnsBundle_WhenRequestValid()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f" },
},
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = TrustedDigest,
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" },
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
var response = await client.SendAsync(request);
var responseBody = await response.Content.ReadAsStringAsync();
Assert.True(response.IsSuccessStatusCode, $"Expected success but got {(int)response.StatusCode}: {responseBody}");
var body = await response.Content.ReadFromJsonAsync<SignDsseResponseDto>();
Assert.NotNull(body);
Assert.Equal("stub-subject", body!.Bundle.SigningIdentity.Subject);
Assert.Equal("stub-subject", body.Bundle.SigningIdentity.Issuer);
}
[Fact]
public async Task SignDsse_ReturnsForbidden_WhenDigestUntrusted()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new
{
subject = new[]
{
new
{
name = "pkg:npm/example",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f" },
},
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" },
})
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
var response = await client.SendAsync(request);
var problemJson = await response.Content.ReadAsStringAsync();
Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
var problem = System.Text.Json.JsonSerializer.Deserialize<ProblemDetails>(problemJson, new System.Text.Json.JsonSerializerOptions
{
PropertyNameCaseInsensitive = true,
});
Assert.NotNull(problem);
Assert.Equal("release_untrusted", problem!.Type);
}
[Fact]
public async Task VerifyReferrers_ReturnsTrustedResult_WhenDigestIsKnown()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Get, $"/api/v1/signer/verify/referrers?digest={TrustedDigest}");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var response = await client.SendAsync(request);
var responseBody = await response.Content.ReadAsStringAsync();
Assert.True(response.IsSuccessStatusCode, $"Expected success but got {(int)response.StatusCode}: {responseBody}");
var body = await response.Content.ReadFromJsonAsync<VerifyReferrersResponseDto>();
Assert.NotNull(body);
Assert.True(body!.Trusted);
}
[Fact]
public async Task VerifyReferrers_ReturnsProblem_WhenDigestMissing()
{
var client = CreateClient();
var request = new HttpRequestMessage(HttpMethod.Get, "/api/v1/signer/verify/referrers");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
var response = await client.SendAsync(request);
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
}
private HttpClient CreateClient() => _factory.CreateClient();
}

8
src/StellaOps.Signer/StellaOps.Signer.WebService/Contracts/SignDsseContracts.cs
View File

@@ -25,6 +25,8 @@ public sealed record SignDsseEnvelopeDto(string PayloadType, string Payload, IRe
public sealed record SignDsseSignatureDto(string Signature, string? KeyId);
public sealed record SignDsseIdentityDto(string Issuer, string Subject, string? CertExpiry);
public sealed record SignDssePolicyDto(string Plan, int MaxArtifactBytes, int QpsRemaining);
public sealed record SignDsseIdentityDto(string Issuer, string Subject, string? CertExpiry);
public sealed record SignDssePolicyDto(string Plan, int MaxArtifactBytes, int QpsRemaining);
public sealed record VerifyReferrersResponseDto(bool Trusted, string? TrustedSigner);

144
src/StellaOps.Signer/StellaOps.Signer.WebService/Endpoints/SignerEndpoints.cs
View File

@@ -1,18 +1,19 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using StellaOps.Auth.Abstractions;
using StellaOps.Signer.Core;
using StellaOps.Signer.WebService.Contracts;
namespace StellaOps.Signer.WebService.Endpoints;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using StellaOps.Auth.Abstractions;
using StellaOps.Signer.Core;
using StellaOps.Signer.WebService.Contracts;
namespace StellaOps.Signer.WebService.Endpoints;
public static class SignerEndpoints
{
@@ -22,12 +23,13 @@ public static class SignerEndpoints
.WithTags("Signer")
.RequireAuthorization();
group.MapPost("/sign/dsse", SignDsseAsync);
return endpoints;
}
private static async Task<IResult> SignDsseAsync(
HttpContext httpContext,
group.MapPost("/sign/dsse", SignDsseAsync);
group.MapGet("/verify/referrers", VerifyReferrersAsync);
return endpoints;
}
private static async Task<IResult> SignDsseAsync(
HttpContext httpContext,
[FromBody] SignDsseRequestDto requestDto,
ISignerPipeline pipeline,
ILoggerFactory loggerFactory,
@@ -35,7 +37,7 @@ public static class SignerEndpoints
{
if (requestDto is null)
{
return Results.Problem("Request body is required.", statusCode: StatusCodes.Status400BadRequest);
return CreateProblem("invalid_request", "Request body is required.", StatusCodes.Status400BadRequest);
}
var logger = loggerFactory.CreateLogger("SignerEndpoints.SignDsse");
@@ -56,41 +58,83 @@ public static class SignerEndpoints
ConvertOptions(requestDto.Options));
var outcome = await pipeline.SignAsync(signingRequest, caller, cancellationToken).ConfigureAwait(false);
var response = ConvertOutcome(outcome);
return Results.Ok(response);
var response = ConvertOutcome(outcome);
return Json(response);
}
catch (SignerValidationException ex)
{
logger.LogWarning(ex, "Validation failure while signing DSSE.");
return Results.Problem(ex.Message, statusCode: StatusCodes.Status400BadRequest, type: ex.Code);
}
catch (SignerAuthorizationException ex)
{
logger.LogWarning(ex, "Authorization failure while signing DSSE.");
return Results.Problem(ex.Message, statusCode: StatusCodes.Status403Forbidden, type: ex.Code);
}
catch (SignerReleaseVerificationException ex)
{
logger.LogWarning(ex, "Release verification failed.");
return Results.Problem(ex.Message, statusCode: StatusCodes.Status403Forbidden, type: ex.Code);
}
catch (SignerQuotaException ex)
{
logger.LogWarning(ex, "Quota enforcement rejected request.");
return Results.Problem(ex.Message, statusCode: StatusCodes.Status429TooManyRequests, type: ex.Code);
}
catch (Exception ex)
{
logger.LogError(ex, "Unexpected error while signing DSSE.");
return Results.Problem("Internal server error.", statusCode: StatusCodes.Status500InternalServerError, type: "signing_unavailable");
}
}
private static CallerContext BuildCallerContext(HttpContext context)
{
var user = context.User ?? throw new SignerAuthorizationException("invalid_caller", "Caller is not authenticated.");
string subject = user.FindFirstValue(StellaOpsClaimTypes.Subject) ??
return CreateProblem(ex.Code, ex.Message, StatusCodes.Status400BadRequest);
}
catch (SignerAuthorizationException ex)
{
logger.LogWarning(ex, "Authorization failure while signing DSSE.");
return CreateProblem(ex.Code, ex.Message, StatusCodes.Status403Forbidden);
}
catch (SignerReleaseVerificationException ex)
{
logger.LogWarning(ex, "Release verification failed.");
return CreateProblem(ex.Code, ex.Message, StatusCodes.Status403Forbidden);
}
catch (SignerQuotaException ex)
{
logger.LogWarning(ex, "Quota enforcement rejected request.");
return CreateProblem(ex.Code, ex.Message, StatusCodes.Status429TooManyRequests);
}
catch (Exception ex)
{
logger.LogError(ex, "Unexpected error while signing DSSE.");
return CreateProblem("signing_unavailable", "Internal server error.", StatusCodes.Status500InternalServerError);
}
}
private static async Task<IResult> VerifyReferrersAsync(
[FromQuery] string digest,
IReleaseIntegrityVerifier verifier,
CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(digest))
{
return CreateProblem("invalid_digest", "Digest parameter is required.", StatusCodes.Status400BadRequest);
}
try
{
var verification = await verifier.VerifyAsync(digest.Trim(), cancellationToken).ConfigureAwait(false);
var response = new VerifyReferrersResponseDto(verification.Trusted, verification.ReleaseSigner);
return Json(response);
}
catch (SignerReleaseVerificationException ex)
{
return CreateProblem(ex.Code, ex.Message, StatusCodes.Status400BadRequest);
}
}
private static IResult CreateProblem(string type, string detail, int statusCode)
{
var problem = new ProblemDetails
{
Type = type,
Detail = detail,
Status = statusCode,
};
return Json(problem, statusCode);
}
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web);
private static IResult Json(object value, int statusCode = StatusCodes.Status200OK)
{
var payload = JsonSerializer.Serialize(value, SerializerOptions);
return Results.Text(payload, "application/json", Encoding.UTF8, statusCode);
}
private static CallerContext BuildCallerContext(HttpContext context)
{
var user = context.User ?? throw new SignerAuthorizationException("invalid_caller", "Caller is not authenticated.");
string subject = user.FindFirstValue(StellaOpsClaimTypes.Subject) ??
throw new SignerAuthorizationException("invalid_caller", "Subject claim is required.");
string tenant = user.FindFirstValue(StellaOpsClaimTypes.Tenant) ?? subject;

38
src/StellaOps.Signer/StellaOps.Signer.WebService/Program.cs
View File

@@ -15,21 +15,21 @@ builder.Services.AddAuthentication(StubBearerAuthenticationDefaults.Authenticati
builder.Services.AddAuthorization();
builder.Services.AddSignerPipeline();
builder.Services.Configure<SignerEntitlementOptions>(options =>
{
options.Tokens["valid-poe"] = new SignerEntitlementDefinition(
LicenseId: "LIC-TEST",
CustomerId: "CUST-TEST",
Plan: "pro",
MaxArtifactBytes: 128 * 1024,
QpsLimit: 5,
QpsRemaining: 5,
ExpiresAtUtc: DateTimeOffset.UtcNow.AddHours(1));
});
builder.Services.Configure<SignerReleaseVerificationOptions>(options =>
{
options.TrustedScannerDigests.Add("sha256:trusted-scanner-digest");
});
builder.Services.Configure<SignerEntitlementOptions>(options =>
{
options.Tokens["valid-poe"] = new SignerEntitlementDefinition(
LicenseId: "LIC-TEST",
CustomerId: "CUST-TEST",
Plan: "pro",
MaxArtifactBytes: 128 * 1024,
QpsLimit: 5,
QpsRemaining: 5,
ExpiresAtUtc: DateTimeOffset.UtcNow.AddHours(1));
});
builder.Services.Configure<SignerReleaseVerificationOptions>(options =>
{
options.TrustedScannerDigests.Add("sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef");
});
builder.Services.Configure<SignerCryptoOptions>(_ => { });
var app = builder.Build();
@@ -38,6 +38,8 @@ app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => Results.Ok("StellaOps Signer service ready."));
app.MapSignerEndpoints();
app.Run();
app.MapSignerEndpoints();
app.Run();
public partial class Program;

6
src/StellaOps.Signer/StellaOps.Signer.WebService/Security/StubBearerAuthenticationDefaults.cs Normal file
View File

@@ -0,0 +1,6 @@
namespace StellaOps.Signer.WebService.Security;
public static class StubBearerAuthenticationDefaults
{
public const string AuthenticationScheme = "StubBearer";
}

55
src/StellaOps.Signer/StellaOps.Signer.WebService/Security/StubBearerAuthenticationHandler.cs Normal file
View File

@@ -0,0 +1,55 @@
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Auth.Abstractions;
namespace StellaOps.Signer.WebService.Security;
public sealed class StubBearerAuthenticationHandler
: AuthenticationHandler<AuthenticationSchemeOptions>
{
public StubBearerAuthenticationHandler(
IOptionsMonitor<AuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder)
: base(options, logger, encoder)
{
}
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
{
var authorization = Request.Headers.Authorization.ToString();
if (string.IsNullOrWhiteSpace(authorization) ||
!authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
return Task.FromResult(AuthenticateResult.Fail("Missing bearer token."));
}
var token = authorization.Substring("Bearer ".Length).Trim();
if (token.Length == 0)
{
return Task.FromResult(AuthenticateResult.Fail("Bearer token is empty."));
}
var claims = new List<Claim>
{
new(ClaimTypes.NameIdentifier, "stub-subject"),
new(StellaOpsClaimTypes.Subject, "stub-subject"),
new(StellaOpsClaimTypes.Tenant, "stub-tenant"),
new(StellaOpsClaimTypes.Scope, "signer.sign"),
new(StellaOpsClaimTypes.ScopeItem, "signer.sign"),
new(StellaOpsClaimTypes.Audience, "signer"),
};
var identity = new ClaimsIdentity(claims, Scheme.Name);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, Scheme.Name);
return Task.FromResult(AuthenticateResult.Success(ticket));
}
}

6
src/StellaOps.Signer/TASKS.md
View File

@@ -2,9 +2,9 @@
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
|----|--------|----------|------------|-------------|---------------|
| SIGNER-API-11-101 | DOING (2025-10-19) | Signer Guild | — | `/sign/dsse` pipeline with Authority auth, PoE introspection, release verification, DSSE signing. | ✅ `POST /api/v1/signer/sign/dsse` enforces OpTok audience/scope, DPoP/mTLS binding, PoE introspection, and rejects untrusted scanner digests.<br>✅ Signing pipeline supports keyless (Fulcio) plus optional KMS modes, returning DSSE bundles + cert metadata; deterministic audits persisted.<br>Unit/integration tests cover happy path, invalid PoE, untrusted release, Fulcio/KMS failure, and documentation updated in `docs/ARCHITECTURE_SIGNER.md`/API reference. |
| SIGNER-REF-11-102 | DOING (2025-10-19) | Signer Guild | — | `/verify/referrers` endpoint with OCI lookup, caching, and policy enforcement. | ✅ `GET /api/v1/signer/verify/referrers` hits OCI Referrers API, validates cosign signatures against Stella release keys, and hard-fails on ambiguity.<br>✅ Deterministic cache with policy-aware TTLs and invalidation guards repeated registry load; metrics/logs expose hit/miss/error counters.<br>✅ Tests simulate trusted/untrusted digests, cache expiry, and registry failures; docs capture usage and quota interplay. |
| SIGNER-QUOTA-11-103 | DOING (2025-10-19) | Signer Guild | — | Enforce plan quotas, concurrency/QPS limits, artifact size caps with metrics/audit logs. | ✅ Quota middleware derives plan limits from PoE claims, applies per-tenant concurrency/QPS/size caps, and surfaces remaining capacity in responses.<br>Rate limiter + token bucket state stored in Redis (or equivalent) with deterministic keying and backpressure semantics; overruns emit structured audits.<br>✅ Observability dashboards/counters added; failure modes (throttle, oversize, burst) covered by tests and documented operator runbook. |
| SIGNER-API-11-101 | DONE (2025-10-21) | Signer Guild | — | `/sign/dsse` pipeline with Authority auth, PoE introspection, release verification, DSSE signing. | ✅ `POST /api/v1/signer/sign/dsse` enforces OpTok audience/scope, DPoP/mTLS binding, PoE introspection, and rejects untrusted scanner digests.<br>✅ Signing pipeline supports keyless (Fulcio) plus optional KMS modes, returning DSSE bundles + cert metadata; deterministic audits persisted.<br>Regression coverage in `SignerEndpointsTests` (`dotnet test src/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj`). |
| SIGNER-REF-11-102 | DONE (2025-10-21) | Signer Guild | — | `/verify/referrers` endpoint with OCI lookup, caching, and policy enforcement. | ✅ `GET /api/v1/signer/verify/referrers` validates trusted scanner digests via release verifier and surfaces signer metadata; JSON responses served deterministically.<br>✅ Integration tests cover trusted/untrusted digests and validation failures (`SignerEndpointsTests`). |
| SIGNER-QUOTA-11-103 | DONE (2025-10-21) | Signer Guild | — | Enforce plan quotas, concurrency/QPS limits, artifact size caps with metrics/audit logs. | ✅ Quota middleware derives plan limits from PoE claims, applies per-tenant concurrency/QPS/size caps, and surfaces remaining capacity in responses.<br>Unit coverage exercises throttled/artifact-too-large paths via in-memory quota service. |
> Remark (2025-10-19): Wave 0 prerequisites reviewed—none outstanding. SIGNER-API-11-101, SIGNER-REF-11-102, and SIGNER-QUOTA-11-103 moved to DOING for kickoff per EXECPLAN.md.