up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
This commit is contained in:
StellaOps Bot
@@ -1,101 +1,101 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
|
||||
namespace StellaOps.Cartographer.Options;
|
||||
|
||||
/// <summary>
|
||||
/// Configuration controlling Authority-backed authentication for the Cartographer service.
|
||||
/// </summary>
|
||||
public sealed class CartographerAuthorityOptions
|
||||
{
|
||||
/// <summary>
|
||||
/// Enables Authority-backed authentication for Cartographer endpoints.
|
||||
/// </summary>
|
||||
public bool Enabled { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Allows anonymous access when Authority integration is enabled (development only).
|
||||
/// </summary>
|
||||
public bool AllowAnonymousFallback { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Authority issuer URL exposed via OpenID discovery.
|
||||
/// </summary>
|
||||
public string Issuer { get; set; } = string.Empty;
|
||||
|
||||
/// <summary>
|
||||
/// Whether HTTPS metadata is required when fetching Authority discovery documents.
|
||||
/// </summary>
|
||||
public bool RequireHttpsMetadata { get; set; } = true;
|
||||
|
||||
/// <summary>
|
||||
/// Optional explicit metadata endpoint for Authority discovery.
|
||||
/// </summary>
|
||||
public string? MetadataAddress { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Timeout (seconds) applied to Authority back-channel HTTP calls.
|
||||
/// </summary>
|
||||
public int BackchannelTimeoutSeconds { get; set; } = 30;
|
||||
|
||||
/// <summary>
|
||||
/// Allowed token clock skew (seconds) when validating Authority-issued tokens.
|
||||
/// </summary>
|
||||
public int TokenClockSkewSeconds { get; set; } = 60;
|
||||
|
||||
/// <summary>
|
||||
/// Accepted audiences for Cartographer access tokens.
|
||||
/// </summary>
|
||||
public IList<string> Audiences { get; } = new List<string>();
|
||||
|
||||
/// <summary>
|
||||
/// Scopes required for Cartographer operations.
|
||||
/// </summary>
|
||||
public IList<string> RequiredScopes { get; } = new List<string>();
|
||||
|
||||
/// <summary>
|
||||
/// Tenants permitted to access Cartographer resources.
|
||||
/// </summary>
|
||||
public IList<string> RequiredTenants { get; } = new List<string>();
|
||||
|
||||
/// <summary>
|
||||
/// Networks allowed to bypass authentication enforcement.
|
||||
/// </summary>
|
||||
public IList<string> BypassNetworks { get; } = new List<string>();
|
||||
|
||||
/// <summary>
|
||||
/// Validates configured values and throws <see cref="InvalidOperationException"/> on failure.
|
||||
/// </summary>
|
||||
public void Validate()
|
||||
{
|
||||
if (!Enabled)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(Issuer))
|
||||
{
|
||||
throw new InvalidOperationException("Cartographer Authority issuer must be configured when Authority integration is enabled.");
|
||||
}
|
||||
|
||||
if (!Uri.TryCreate(Issuer.Trim(), UriKind.Absolute, out var issuerUri))
|
||||
{
|
||||
throw new InvalidOperationException("Cartographer Authority issuer must be an absolute URI.");
|
||||
}
|
||||
|
||||
if (RequireHttpsMetadata && !issuerUri.IsLoopback && !string.Equals(issuerUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
throw new InvalidOperationException("Cartographer Authority issuer must use HTTPS unless running on loopback.");
|
||||
}
|
||||
|
||||
if (BackchannelTimeoutSeconds <= 0)
|
||||
{
|
||||
throw new InvalidOperationException("Cartographer Authority back-channel timeout must be greater than zero seconds.");
|
||||
}
|
||||
|
||||
if (TokenClockSkewSeconds < 0 || TokenClockSkewSeconds > 300)
|
||||
{
|
||||
throw new InvalidOperationException("Cartographer Authority token clock skew must be between 0 and 300 seconds.");
|
||||
}
|
||||
}
|
||||
}
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
|
||||
namespace StellaOps.Cartographer.Options;
|
||||
|
||||
/// <summary>
|
||||
/// Configuration controlling Authority-backed authentication for the Cartographer service.
|
||||
/// </summary>
|
||||
public sealed class CartographerAuthorityOptions
|
||||
{
|
||||
/// <summary>
|
||||
/// Enables Authority-backed authentication for Cartographer endpoints.
|
||||
/// </summary>
|
||||
public bool Enabled { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Allows anonymous access when Authority integration is enabled (development only).
|
||||
/// </summary>
|
||||
public bool AllowAnonymousFallback { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Authority issuer URL exposed via OpenID discovery.
|
||||
/// </summary>
|
||||
public string Issuer { get; set; } = string.Empty;
|
||||
|
||||
/// <summary>
|
||||
/// Whether HTTPS metadata is required when fetching Authority discovery documents.
|
||||
/// </summary>
|
||||
public bool RequireHttpsMetadata { get; set; } = true;
|
||||
|
||||
/// <summary>
|
||||
/// Optional explicit metadata endpoint for Authority discovery.
|
||||
/// </summary>
|
||||
public string? MetadataAddress { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Timeout (seconds) applied to Authority back-channel HTTP calls.
|
||||
/// </summary>
|
||||
public int BackchannelTimeoutSeconds { get; set; } = 30;
|
||||
|
||||
/// <summary>
|
||||
/// Allowed token clock skew (seconds) when validating Authority-issued tokens.
|
||||
/// </summary>
|
||||
public int TokenClockSkewSeconds { get; set; } = 60;
|
||||
|
||||
/// <summary>
|
||||
/// Accepted audiences for Cartographer access tokens.
|
||||
/// </summary>
|
||||
public IList<string> Audiences { get; } = new List<string>();
|
||||
|
||||
/// <summary>
|
||||
/// Scopes required for Cartographer operations.
|
||||
/// </summary>
|
||||
public IList<string> RequiredScopes { get; } = new List<string>();
|
||||
|
||||
/// <summary>
|
||||
/// Tenants permitted to access Cartographer resources.
|
||||
/// </summary>
|
||||
public IList<string> RequiredTenants { get; } = new List<string>();
|
||||
|
||||
/// <summary>
|
||||
/// Networks allowed to bypass authentication enforcement.
|
||||
/// </summary>
|
||||
public IList<string> BypassNetworks { get; } = new List<string>();
|
||||
|
||||
/// <summary>
|
||||
/// Validates configured values and throws <see cref="InvalidOperationException"/> on failure.
|
||||
/// </summary>
|
||||
public void Validate()
|
||||
{
|
||||
if (!Enabled)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(Issuer))
|
||||
{
|
||||
throw new InvalidOperationException("Cartographer Authority issuer must be configured when Authority integration is enabled.");
|
||||
}
|
||||
|
||||
if (!Uri.TryCreate(Issuer.Trim(), UriKind.Absolute, out var issuerUri))
|
||||
{
|
||||
throw new InvalidOperationException("Cartographer Authority issuer must be an absolute URI.");
|
||||
}
|
||||
|
||||
if (RequireHttpsMetadata && !issuerUri.IsLoopback && !string.Equals(issuerUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
throw new InvalidOperationException("Cartographer Authority issuer must use HTTPS unless running on loopback.");
|
||||
}
|
||||
|
||||
if (BackchannelTimeoutSeconds <= 0)
|
||||
{
|
||||
throw new InvalidOperationException("Cartographer Authority back-channel timeout must be greater than zero seconds.");
|
||||
}
|
||||
|
||||
if (TokenClockSkewSeconds < 0 || TokenClockSkewSeconds > 300)
|
||||
{
|
||||
throw new InvalidOperationException("Cartographer Authority token clock skew must be between 0 and 300 seconds.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,37 +1,37 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using StellaOps.Auth.Abstractions;
|
||||
|
||||
namespace StellaOps.Cartographer.Options;
|
||||
|
||||
/// <summary>
|
||||
/// Applies Cartographer-specific defaults to <see cref="CartographerAuthorityOptions"/>.
|
||||
/// </summary>
|
||||
internal static class CartographerAuthorityOptionsConfigurator
|
||||
{
|
||||
/// <summary>
|
||||
/// Ensures required scopes are present and duplicates are removed case-insensitively.
|
||||
/// </summary>
|
||||
/// <param name="options">Target options.</param>
|
||||
public static void ApplyDefaults(CartographerAuthorityOptions options)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(options);
|
||||
|
||||
EnsureScope(options.RequiredScopes, StellaOpsScopes.GraphRead);
|
||||
EnsureScope(options.RequiredScopes, StellaOpsScopes.GraphWrite);
|
||||
}
|
||||
|
||||
private static void EnsureScope(ICollection<string> scopes, string scope)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(scopes);
|
||||
ArgumentException.ThrowIfNullOrEmpty(scope);
|
||||
|
||||
if (scopes.Any(existing => string.Equals(existing, scope, StringComparison.OrdinalIgnoreCase)))
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
scopes.Add(scope);
|
||||
}
|
||||
}
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using StellaOps.Auth.Abstractions;
|
||||
|
||||
namespace StellaOps.Cartographer.Options;
|
||||
|
||||
/// <summary>
|
||||
/// Applies Cartographer-specific defaults to <see cref="CartographerAuthorityOptions"/>.
|
||||
/// </summary>
|
||||
internal static class CartographerAuthorityOptionsConfigurator
|
||||
{
|
||||
/// <summary>
|
||||
/// Ensures required scopes are present and duplicates are removed case-insensitively.
|
||||
/// </summary>
|
||||
/// <param name="options">Target options.</param>
|
||||
public static void ApplyDefaults(CartographerAuthorityOptions options)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(options);
|
||||
|
||||
EnsureScope(options.RequiredScopes, StellaOpsScopes.GraphRead);
|
||||
EnsureScope(options.RequiredScopes, StellaOpsScopes.GraphWrite);
|
||||
}
|
||||
|
||||
private static void EnsureScope(ICollection<string> scopes, string scope)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(scopes);
|
||||
ArgumentException.ThrowIfNullOrEmpty(scope);
|
||||
|
||||
if (scopes.Any(existing => string.Equals(existing, scope, StringComparison.OrdinalIgnoreCase)))
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
scopes.Add(scope);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,39 +1,39 @@
|
||||
using StellaOps.Cartographer.Options;
|
||||
|
||||
var builder = WebApplication.CreateBuilder(args);
|
||||
|
||||
builder.Configuration
|
||||
.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
|
||||
.AddEnvironmentVariables("CARTOGRAPHER_");
|
||||
|
||||
builder.Services.AddOptions();
|
||||
builder.Services.AddLogging();
|
||||
|
||||
var authoritySection = builder.Configuration.GetSection("Cartographer:Authority");
|
||||
var authorityOptions = new CartographerAuthorityOptions();
|
||||
authoritySection.Bind(authorityOptions);
|
||||
CartographerAuthorityOptionsConfigurator.ApplyDefaults(authorityOptions);
|
||||
authorityOptions.Validate();
|
||||
|
||||
builder.Services.AddSingleton(authorityOptions);
|
||||
builder.Services.AddOptions<CartographerAuthorityOptions>()
|
||||
.Bind(authoritySection)
|
||||
.PostConfigure(CartographerAuthorityOptionsConfigurator.ApplyDefaults);
|
||||
|
||||
// TODO: register Cartographer graph builders, overlay workers, and Authority client once implementations land.
|
||||
|
||||
var app = builder.Build();
|
||||
|
||||
if (!authorityOptions.Enabled)
|
||||
{
|
||||
app.Logger.LogWarning("Cartographer Authority authentication is disabled; enable it before production deployments.");
|
||||
}
|
||||
else if (authorityOptions.AllowAnonymousFallback)
|
||||
{
|
||||
app.Logger.LogWarning("Cartographer Authority allows anonymous fallback; disable fallback before production rollout.");
|
||||
}
|
||||
|
||||
app.MapGet("/healthz", () => Results.Ok(new { status = "ok" }));
|
||||
app.MapGet("/readyz", () => Results.Ok(new { status = "warming" }));
|
||||
|
||||
app.Run();
|
||||
using StellaOps.Cartographer.Options;
|
||||
|
||||
var builder = WebApplication.CreateBuilder(args);
|
||||
|
||||
builder.Configuration
|
||||
.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
|
||||
.AddEnvironmentVariables("CARTOGRAPHER_");
|
||||
|
||||
builder.Services.AddOptions();
|
||||
builder.Services.AddLogging();
|
||||
|
||||
var authoritySection = builder.Configuration.GetSection("Cartographer:Authority");
|
||||
var authorityOptions = new CartographerAuthorityOptions();
|
||||
authoritySection.Bind(authorityOptions);
|
||||
CartographerAuthorityOptionsConfigurator.ApplyDefaults(authorityOptions);
|
||||
authorityOptions.Validate();
|
||||
|
||||
builder.Services.AddSingleton(authorityOptions);
|
||||
builder.Services.AddOptions<CartographerAuthorityOptions>()
|
||||
.Bind(authoritySection)
|
||||
.PostConfigure(CartographerAuthorityOptionsConfigurator.ApplyDefaults);
|
||||
|
||||
// TODO: register Cartographer graph builders, overlay workers, and Authority client once implementations land.
|
||||
|
||||
var app = builder.Build();
|
||||
|
||||
if (!authorityOptions.Enabled)
|
||||
{
|
||||
app.Logger.LogWarning("Cartographer Authority authentication is disabled; enable it before production deployments.");
|
||||
}
|
||||
else if (authorityOptions.AllowAnonymousFallback)
|
||||
{
|
||||
app.Logger.LogWarning("Cartographer Authority allows anonymous fallback; disable fallback before production rollout.");
|
||||
}
|
||||
|
||||
app.MapGet("/healthz", () => Results.Ok(new { status = "ok" }));
|
||||
app.MapGet("/readyz", () => Results.Ok(new { status = "warming" }));
|
||||
|
||||
app.Run();
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
using System.Runtime.CompilerServices;
|
||||
|
||||
[assembly: InternalsVisibleTo("StellaOps.Cartographer.Tests")]
|
||||
using System.Runtime.CompilerServices;
|
||||
|
||||
[assembly: InternalsVisibleTo("StellaOps.Cartographer.Tests")]
|
||||
|
||||
Reference in New Issue
Block a user