save checkpoint: save features

This commit is contained in:
master
2026-02-12 10:27:23 +02:00
parent dca86e1248
commit 5bca406787
8837 changed files with 1796879 additions and 5294 deletions


@@ -0,0 +1,37 @@
# API Gateway Boundary Extractor (Kong, Envoy/Istio, AWS API Gateway, Traefik)
## Module
Scanner
## Status
VERIFIED
## Description
Parses API gateway configurations from Kong, Envoy/Istio, AWS API Gateway, and Traefik to extract route-level boundary information for reachability analysis. Determines which internal services are exposed through gateway routes.
## Implementation Details
- **Core Extractor**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/GatewayBoundaryExtractor.cs` - `GatewayBoundaryExtractor` implements `IBoundaryProofExtractor`; parses Kong, Envoy/Istio, AWS API Gateway, and Traefik configurations
- Includes gateway-specific auth detection: `DetectKongAuth()`, `DetectEnvoyAuth()` (including Istio JWT/AuthorizationPolicy), `DetectTraefikAuth()`
- Identifies Istio mesh internal routes and external ingress routes
- **Supporting Infrastructure**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IacBoundaryExtractor.cs` - Infrastructure-as-code boundary extraction
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryServiceCollectionExtensions.cs` - DI registration for boundary extractors
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryExtractionContext.cs` - Context model for boundary extraction
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/RichGraphBoundaryExtractor.cs` - Integrates boundary data into rich graphs
- **Tests**:
- `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/GatewayBoundaryExtractorTests.cs`
## E2E Test Plan
- [ ] Provide a Kong configuration file with routes exposing internal services and verify extracted boundary information includes route paths, upstream services, and auth requirements
- [ ] Provide an Envoy/Istio configuration with VirtualService and AuthorizationPolicy and verify correct route-to-service mappings and auth detection
- [ ] Provide an AWS API Gateway configuration and verify correct extraction of REST/HTTP API routes with Lambda/ECS integrations
- [ ] Provide a Traefik configuration with middleware auth and verify correct route extraction with authentication metadata
- [ ] Verify extracted boundaries are reflected in the reachability rich graph via `GET /api/v1/scans/{scanId}/reachability`
- [ ] Verify that gated gateway routes (auth-required) reduce reachability risk scores compared to ungated routes
## Verification
- Run ID: run-001
- Verified at (UTC): 2026-02-12T06:59:12.7973839Z
- FLOW tiers: Tier 0 source verification, Tier 1 build/test/code review, Tier 2 integration verification.
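Review bot: the auth-detection coverage in "Implementation Details" does not match the gateways the extractor claims to handle: `DetectKongAuth()`, `DetectEnvoyAuth()` and `DetectTraefikAuth()` are listed, but nothing is named for AWS API Gateway, even though the E2E plan's last item ("gated gateway routes (auth-required) reduce reachability risk scores compared to ungated routes") relies on every gateway's routes carrying correct auth metadata. Without AWS authorizer detection, an AWS route will be classified as ungated and scored as more reachable than it is, which is the unsafe direction for a reachability/boundary signal. Either add a matching AWS detection method alongside the other three and reference it here, or state explicitly in the Description that AWS routes are extracted without auth information so downstream consumers do not treat the absence as "no auth". Separately, the "Status: VERIFIED" and "Verification: Run ID run-001" block sits above an E2E Test Plan whose six checkboxes are all still unchecked; either tick the items the run actually covered or note which tier covered them, so the document does not assert verification of a plan it records as unexecuted.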