stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

Restructure solution layout by module
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source
This commit is contained in:
root
2025-10-28 15:10:40 +02:00
parent 4e3e575db5
commit 68da90a11a
4103 changed files with 192899 additions and 187024 deletions
Download Patch File Download Diff File Expand all files Collapse all files

412
etc/authority.yaml
View File

@@ -1,206 +1,206 @@
# StellaOps Authority configuration (dev profile)
# Derived from etc/authority.yaml.sample; trimmed to the services needed for local
# stacks and kept under version control so compose/helm bundles mount a working config.
schemaVersion: 1
issuer: "https://authority.localtest.me"
accessTokenLifetime: "00:02:00"
refreshTokenLifetime: "30.00:00:00"
identityTokenLifetime: "00:05:00"
authorizationCodeLifetime: "00:05:00"
deviceCodeLifetime: "00:15:00"
storage:
connectionString: "mongodb://stellaops:stellaops@mongo:27017/stellaops_authority"
databaseName: "stellaops_authority"
commandTimeout: "00:00:30"
signing:
enabled: true
activeKeyId: "authority-signing-dev"
keyPath: "../certificates/authority-signing-dev.pem"
algorithm: "ES256"
keySource: "file"
bootstrap:
enabled: false
apiKey: "change-me"
defaultIdentityProvider: "standard"
pluginDirectories:
- "../StellaOps.Authority.PluginBinaries"
plugins:
configurationDirectory: "../etc/authority.plugins"
descriptors:
standard:
type: "standard"
assemblyName: "StellaOps.Authority.Plugin.Standard"
enabled: true
configFile: "standard.yaml"
capabilities:
- password
- bootstrap
- clientProvisioning
metadata:
defaultRole: "operators"
clients:
- clientId: "policy-engine"
displayName: "Policy Engine Service"
grantTypes: [ "client_credentials" ]
audiences: [ "api://policy-engine" ]
scopes: [ "policy:run", "findings:read", "effective:write" ]
tenant: "tenant-default"
properties:
serviceIdentity: "policy-engine"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/policy-engine.secret"
- clientId: "policy-cli"
displayName: "Policy Automation CLI"
grantTypes: [ "client_credentials" ]
audiences: [ "api://policy-engine" ]
scopes: [ "policy:read", "policy:author", "policy:review", "policy:simulate", "findings:read" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/policy-cli.secret"
- clientId: "cartographer-service"
displayName: "Cartographer Service"
grantTypes: [ "client_credentials" ]
audiences: [ "api://cartographer" ]
scopes: [ "graph:write", "graph:read" ]
tenant: "tenant-default"
properties:
serviceIdentity: "cartographer"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/cartographer-service.secret"
- clientId: "graph-api"
displayName: "Graph API Gateway"
grantTypes: [ "client_credentials" ]
audiences: [ "api://graph-api" ]
scopes: [ "graph:read", "graph:export", "graph:simulate" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/graph-api.secret"
- clientId: "export-center-operator"
displayName: "Export Center Operator"
grantTypes: [ "client_credentials" ]
audiences: [ "api://export-center" ]
scopes: [ "export.viewer", "export.operator" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/export-center-operator.secret"
- clientId: "export-center-admin"
displayName: "Export Center Admin"
grantTypes: [ "client_credentials" ]
audiences: [ "api://export-center" ]
scopes: [ "export.viewer", "export.operator", "export.admin" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/export-center-admin.secret"
- clientId: "concelier-ingest"
displayName: "Concelier Ingestion"
grantTypes: [ "client_credentials" ]
audiences: [ "api://concelier" ]
scopes: [ "advisory:ingest", "advisory:read" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/concelier-ingest.secret"
- clientId: "excitor-ingest"
displayName: "Excititor VEX Ingestion"
grantTypes: [ "client_credentials" ]
audiences: [ "api://excitor" ]
scopes: [ "vex:ingest", "vex:read" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/excitor-ingest.secret"
- clientId: "graph-api-cli"
displayName: "Graph Explorer CLI"
grantTypes: [ "client_credentials" ]
audiences: [ "api://graph-api" ]
scopes: [ "graph:read", "graph:export" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/graph-api-cli.secret"
tenants:
- name: "tenant-default"
roles:
orch-viewer:
scopes: [ "orch:read" ]
orch-operator:
scopes: [ "orch:read", "orch:operate" ]
export-viewer:
scopes: [ "export.viewer" ]
export-operator:
scopes: [ "export.viewer", "export.operator" ]
export-admin:
scopes: [ "export.viewer", "export.operator", "export.admin" ]
policy-author:
scopes: [ "policy:author", "policy:read", "policy:simulate", "findings:read" ]
policy-reviewer:
scopes: [ "policy:review", "policy:read", "policy:simulate", "findings:read" ]
policy-approver:
scopes: [ "policy:approve", "policy:review", "policy:read", "policy:simulate", "findings:read" ]
policy-operator:
scopes: [ "policy:operate", "policy:run", "policy:activate", "policy:read", "policy:simulate", "findings:read" ]
policy-auditor:
scopes: [ "policy:audit", "policy:read", "policy:simulate", "findings:read" ]
security:
rateLimiting:
token:
enabled: true
permitLimit: 30
window: "00:01:00"
queueLimit: 0
authorize:
enabled: true
permitLimit: 60
window: "00:01:00"
queueLimit: 10
passwordHashing:
algorithm: "Argon2id"
memorySizeInKib: 19456
iterations: 2
parallelism: 1
senderConstraints:
dpop:
enabled: true
proofLifetime: "00:05:00"
allowedClockSkew: "00:00:10"
replayWindow: "00:10:00"
nonce:
enabled: false
mtls:
enabled: false
bypassNetworks:
- "127.0.0.1/32"
- "::1/128"
# StellaOps Authority configuration (dev profile)
# Derived from etc/authority.yaml.sample; trimmed to the services needed for local
# stacks and kept under version control so compose/helm bundles mount a working config.
schemaVersion: 1
issuer: "https://authority.localtest.me"
accessTokenLifetime: "00:02:00"
refreshTokenLifetime: "30.00:00:00"
identityTokenLifetime: "00:05:00"
authorizationCodeLifetime: "00:05:00"
deviceCodeLifetime: "00:15:00"
storage:
connectionString: "mongodb://stellaops:stellaops@mongo:27017/stellaops_authority"
databaseName: "stellaops_authority"
commandTimeout: "00:00:30"
signing:
enabled: true
activeKeyId: "authority-signing-dev"
keyPath: "../certificates/authority-signing-dev.pem"
algorithm: "ES256"
keySource: "file"
bootstrap:
enabled: false
apiKey: "change-me"
defaultIdentityProvider: "standard"
pluginDirectories:
- "../StellaOps.Authority.PluginBinaries"
plugins:
configurationDirectory: "../etc/authority.plugins"
descriptors:
standard:
type: "standard"
assemblyName: "StellaOps.Authority.Plugin.Standard"
enabled: true
configFile: "standard.yaml"
capabilities:
- password
- bootstrap
- clientProvisioning
metadata:
defaultRole: "operators"
clients:
- clientId: "policy-engine"
displayName: "Policy Engine Service"
grantTypes: [ "client_credentials" ]
audiences: [ "api://policy-engine" ]
scopes: [ "policy:run", "findings:read", "effective:write" ]
tenant: "tenant-default"
properties:
serviceIdentity: "policy-engine"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/policy-engine.secret"
- clientId: "policy-cli"
displayName: "Policy Automation CLI"
grantTypes: [ "client_credentials" ]
audiences: [ "api://policy-engine" ]
scopes: [ "policy:read", "policy:author", "policy:review", "policy:simulate", "findings:read" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/policy-cli.secret"
- clientId: "cartographer-service"
displayName: "Cartographer Service"
grantTypes: [ "client_credentials" ]
audiences: [ "api://cartographer" ]
scopes: [ "graph:write", "graph:read" ]
tenant: "tenant-default"
properties:
serviceIdentity: "cartographer"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/cartographer-service.secret"
- clientId: "graph-api"
displayName: "Graph API Gateway"
grantTypes: [ "client_credentials" ]
audiences: [ "api://graph-api" ]
scopes: [ "graph:read", "graph:export", "graph:simulate" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/graph-api.secret"
- clientId: "export-center-operator"
displayName: "Export Center Operator"
grantTypes: [ "client_credentials" ]
audiences: [ "api://export-center" ]
scopes: [ "export.viewer", "export.operator" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/export-center-operator.secret"
- clientId: "export-center-admin"
displayName: "Export Center Admin"
grantTypes: [ "client_credentials" ]
audiences: [ "api://export-center" ]
scopes: [ "export.viewer", "export.operator", "export.admin" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/export-center-admin.secret"
- clientId: "concelier-ingest"
displayName: "Concelier Ingestion"
grantTypes: [ "client_credentials" ]
audiences: [ "api://concelier" ]
scopes: [ "advisory:ingest", "advisory:read" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/concelier-ingest.secret"
- clientId: "excitor-ingest"
displayName: "Excititor VEX Ingestion"
grantTypes: [ "client_credentials" ]
audiences: [ "api://excitor" ]
scopes: [ "vex:ingest", "vex:read" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/excitor-ingest.secret"
- clientId: "graph-api-cli"
displayName: "Graph Explorer CLI"
grantTypes: [ "client_credentials" ]
audiences: [ "api://graph-api" ]
scopes: [ "graph:read", "graph:export" ]
tenant: "tenant-default"
senderConstraint: "dpop"
auth:
type: "client_secret"
secretFile: "../secrets/graph-api-cli.secret"
tenants:
- name: "tenant-default"
roles:
orch-viewer:
scopes: [ "orch:read" ]
orch-operator:
scopes: [ "orch:read", "orch:operate" ]
export-viewer:
scopes: [ "export.viewer" ]
export-operator:
scopes: [ "export.viewer", "export.operator" ]
export-admin:
scopes: [ "export.viewer", "export.operator", "export.admin" ]
policy-author:
scopes: [ "policy:author", "policy:read", "policy:simulate", "findings:read" ]
policy-reviewer:
scopes: [ "policy:review", "policy:read", "policy:simulate", "findings:read" ]
policy-approver:
scopes: [ "policy:approve", "policy:review", "policy:read", "policy:simulate", "findings:read" ]
policy-operator:
scopes: [ "policy:operate", "policy:run", "policy:activate", "policy:read", "policy:simulate", "findings:read" ]
policy-auditor:
scopes: [ "policy:audit", "policy:read", "policy:simulate", "findings:read" ]
security:
rateLimiting:
token:
enabled: true
permitLimit: 30
window: "00:01:00"
queueLimit: 0
authorize:
enabled: true
permitLimit: 60
window: "00:01:00"
queueLimit: 10
passwordHashing:
algorithm: "Argon2id"
memorySizeInKib: 19456
iterations: 2
parallelism: 1
senderConstraints:
dpop:
enabled: true
proofLifetime: "00:05:00"
allowedClockSkew: "00:00:10"
replayWindow: "00:10:00"
nonce:
enabled: false
mtls:
enabled: false
bypassNetworks:
- "127.0.0.1/32"
- "::1/128"