Close admin trust audit gaps and stabilize live sweeps

This commit is contained in:
master
2026-03-12 10:14:00 +02:00
parent a00efb7ab2
commit 6964a046a5
50 changed files with 5968 additions and 2850 deletions


@@ -0,0 +1,242 @@
-- Scratch-install trust-signing seed for canonical demo tenants.
-- Tenant GUIDs are derived with the same deterministic SHA-256 -> Guid mapping used in Platform stores.
INSERT INTO release.trust_keys (
id,
tenant_id,
key_alias,
algorithm,
status,
current_version,
metadata_json,
created_at,
updated_at,
created_by,
updated_by
)
SELECT
'a9adf36f-2f4d-4f31-9b0b-138e3f6f1f61'::uuid,
'3a5e72b6-ae6a-f8a4-2b6a-df2960d63016'::uuid,
'demo-prod-core-signing',
'ed25519',
'active',
3,
'{"owner":"secops","region":"us-east"}'::jsonb,
'2026-03-01T00:00:00Z'::timestamptz,
'2026-03-09T00:00:00Z'::timestamptz,
'system',
'system'
WHERE NOT EXISTS (
SELECT 1
FROM release.trust_keys
WHERE tenant_id = '3a5e72b6-ae6a-f8a4-2b6a-df2960d63016'::uuid
AND lower(key_alias) = lower('demo-prod-core-signing')
);
INSERT INTO release.trust_issuers (
id,
tenant_id,
issuer_name,
issuer_uri,
trust_level,
status,
created_at,
updated_at,
created_by,
updated_by
)
SELECT
'4ac7e1d4-7a2e-4b4d-9e12-5d42e3168a91'::uuid,
'3a5e72b6-ae6a-f8a4-2b6a-df2960d63016'::uuid,
'Demo Prod Root CA',
'https://issuer.demo-prod.stella-ops.local/root',
'high',
'active',
'2026-03-01T00:00:00Z'::timestamptz,
'2026-03-09T00:00:00Z'::timestamptz,
'system',
'system'
WHERE NOT EXISTS (
SELECT 1
FROM release.trust_issuers
WHERE tenant_id = '3a5e72b6-ae6a-f8a4-2b6a-df2960d63016'::uuid
AND lower(issuer_uri) = lower('https://issuer.demo-prod.stella-ops.local/root')
);
INSERT INTO release.trust_certificates (
id,
tenant_id,
key_id,
issuer_id,
serial_number,
status,
not_before,
not_after,
created_at,
updated_at,
created_by,
updated_by
)
SELECT
'8d1f0b75-3d56-4d8f-a40b-52f5e52e7fb1'::uuid,
'3a5e72b6-ae6a-f8a4-2b6a-df2960d63016'::uuid,
'a9adf36f-2f4d-4f31-9b0b-138e3f6f1f61'::uuid,
'4ac7e1d4-7a2e-4b4d-9e12-5d42e3168a91'::uuid,
'DEMO-PROD-SER-0001',
'active',
'2026-03-01T00:00:00Z'::timestamptz,
'2026-03-18T00:00:00Z'::timestamptz,
'2026-03-01T00:00:00Z'::timestamptz,
'2026-03-09T00:00:00Z'::timestamptz,
'system',
'system'
WHERE NOT EXISTS (
SELECT 1
FROM release.trust_certificates
WHERE tenant_id = '3a5e72b6-ae6a-f8a4-2b6a-df2960d63016'::uuid
AND lower(serial_number) = lower('DEMO-PROD-SER-0001')
);
INSERT INTO release.trust_transparency_configs (
tenant_id,
log_url,
witness_url,
enforce_inclusion,
updated_at,
updated_by
)
VALUES (
'3a5e72b6-ae6a-f8a4-2b6a-df2960d63016'::uuid,
'https://rekor.demo-prod.stella-ops.local',
'https://rekor-witness.demo-prod.stella-ops.local',
true,
'2026-03-09T00:00:00Z'::timestamptz,
'system'
)
ON CONFLICT (tenant_id) DO UPDATE
SET
log_url = EXCLUDED.log_url,
witness_url = EXCLUDED.witness_url,
enforce_inclusion = EXCLUDED.enforce_inclusion,
updated_at = EXCLUDED.updated_at,
updated_by = EXCLUDED.updated_by;
INSERT INTO release.trust_keys (
id,
tenant_id,
key_alias,
algorithm,
status,
current_version,
metadata_json,
created_at,
updated_at,
created_by,
updated_by
)
SELECT
'5fdf7b2d-9d32-4b69-874f-9b22a4d22f21'::uuid,
'c1eea837-19ce-7d68-132f-e29051dca629'::uuid,
'default-core-signing',
'ed25519',
'active',
1,
'{"owner":"bootstrap","region":"global"}'::jsonb,
'2026-03-01T00:00:00Z'::timestamptz,
'2026-03-01T00:00:00Z'::timestamptz,
'system',
'system'
WHERE NOT EXISTS (
SELECT 1
FROM release.trust_keys
WHERE tenant_id = 'c1eea837-19ce-7d68-132f-e29051dca629'::uuid
AND lower(key_alias) = lower('default-core-signing')
);
INSERT INTO release.trust_issuers (
id,
tenant_id,
issuer_name,
issuer_uri,
trust_level,
status,
created_at,
updated_at,
created_by,
updated_by
)
SELECT
'f7d0505e-4a94-4688-a046-87f7a9c7cf76'::uuid,
'c1eea837-19ce-7d68-132f-e29051dca629'::uuid,
'Default Root CA',
'https://issuer.default.stella-ops.local/root',
'high',
'active',
'2026-03-01T00:00:00Z'::timestamptz,
'2026-03-01T00:00:00Z'::timestamptz,
'system',
'system'
WHERE NOT EXISTS (
SELECT 1
FROM release.trust_issuers
WHERE tenant_id = 'c1eea837-19ce-7d68-132f-e29051dca629'::uuid
AND lower(issuer_uri) = lower('https://issuer.default.stella-ops.local/root')
);
INSERT INTO release.trust_certificates (
id,
tenant_id,
key_id,
issuer_id,
serial_number,
status,
not_before,
not_after,
created_at,
updated_at,
created_by,
updated_by
)
SELECT
'c0d9c7db-a0c8-41e9-a7f4-e8f03e4b31e3'::uuid,
'c1eea837-19ce-7d68-132f-e29051dca629'::uuid,
'5fdf7b2d-9d32-4b69-874f-9b22a4d22f21'::uuid,
'f7d0505e-4a94-4688-a046-87f7a9c7cf76'::uuid,
'DEFAULT-SER-0001',
'active',
'2026-03-01T00:00:00Z'::timestamptz,
'2026-09-01T00:00:00Z'::timestamptz,
'2026-03-01T00:00:00Z'::timestamptz,
'2026-03-01T00:00:00Z'::timestamptz,
'system',
'system'
WHERE NOT EXISTS (
SELECT 1
FROM release.trust_certificates
WHERE tenant_id = 'c1eea837-19ce-7d68-132f-e29051dca629'::uuid
AND lower(serial_number) = lower('DEFAULT-SER-0001')
);
INSERT INTO release.trust_transparency_configs (
tenant_id,
log_url,
witness_url,
enforce_inclusion,
updated_at,
updated_by
)
VALUES (
'c1eea837-19ce-7d68-132f-e29051dca629'::uuid,
'https://rekor.default.stella-ops.local',
'https://rekor-witness.default.stella-ops.local',
true,
'2026-03-01T00:00:00Z'::timestamptz,
'system'
)
ON CONFLICT (tenant_id) DO UPDATE
SET
log_url = EXCLUDED.log_url,
witness_url = EXCLUDED.witness_url,
enforce_inclusion = EXCLUDED.enforce_inclusion,
updated_at = EXCLUDED.updated_at,
updated_by = EXCLUDED.updated_by;
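Review bot: The two transparency-config upserts (`ON CONFLICT (tenant_id) DO UPDATE` for both tenants) overwrite `log_url`, `witness_url` and `enforce_inclusion` on every re-run, whereas the key, issuer and certificate inserts above them are insert-if-absent; for a seed the header calls scratch-install, a re-run would silently revert an operator's changed log or witness endpoint to the demo values. If first-install-only is intended, `ON CONFLICT (tenant_id) DO NOTHING` matches the other statements; if overwrite is intended, a comment above each upsert stating that should say so. Separately, the certificate inserts reference `key_id`/`issuer_id` by fixed UUIDs while the preceding guards are keyed on `lower(key_alias)`/`lower(issuer_uri)`, so on a database where the alias already exists under a different id the certificate would point at a key row this seed never inserted — presumably a foreign-key violation if one is declared on `key_id`. The demo-prod certificate's `not_after` of 2026-03-18 is only days after its `updated_at`; if that is deliberate so the expiry sweeps have a near-term candidate, a one-line comment such as `-- intentionally short-lived so expiry sweeps have a near-term candidate` would keep it from being "fixed" later.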