Add unit tests for Router configuration and transport layers
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled

- Implemented tests for RouterConfig, RoutingOptions, StaticInstanceConfig, and RouterConfigOptions to ensure default values are set correctly.
- Added tests for RouterConfigProvider to validate configurations and ensure defaults are returned when no file is specified.
- Created tests for ConfigValidationResult to check success and error scenarios.
- Developed tests for ServiceCollectionExtensions to verify service registration for RouterConfig.
- Introduced UdpTransportTests to validate serialization, connection, request-response, and error handling in UDP transport.
- Added scripts for signing authority gaps and hashing DevPortal SDK snippets.
StellaOps Bot
2025-12-05 08:01:47 +02:00
parent 635c70e828
commit 6a299d231f
294 changed files with 28434 additions and 1329 deletions


@@ -0,0 +1,26 @@
# Authority Binding Matrix (DPoP / mTLS) — AU2/AU3
All values deterministic and sorted by flow, tenant, environment.
## Enforcement Matrix
| Flow | Tenant scope required | Binding | Nonce policy | Audience rules | Notes |
| --- | --- | --- | --- | --- | --- |
| device_code | tenant required; env optional | DPoP (ECDSA P-256) | nonce TTL 120s; single-use; clock skew ±30s | `aud` must match service; reject wildcard | Offline: tokens minted against cached JWKS; nonce list capped 1024 entries |
| auth_code | tenant required; env required | mTLS (SPIFFE) | n/a (channel bound) | `aud` == service; `azp` == client; enforce PKCE | Supports delegated authz; cert SAN must match client_id |
| client_credentials | tenant required; env optional | DPoP (Ed25519) or mTLS | nonce TTL 300s; rotate per token | `aud` == service; forbid multi-audience | Use mTLS when hardware root is available; else DPoP fallback |
## DPoP Requirements
- Proof `htu`/`htm` must match request; reject if clock skew >30s.
- JTI single-use; store for nonce TTL window; evict oldest on cap.
- Accept curves: P-256, Ed25519; forbid P-384/521 until crypto profile registry marks active.
## mTLS Requirements
- Client cert must chain to approved trust roots per tenant.
- SAN must include `urn:stellaops:client:{client_id}`.
- Require OCSP/CRL freshness ≤10m (offline mode: last good CRL/OCSP cached and timestamped).
## Negative-path examples
- Reject DPoP without nonce; reject reuse within TTL.
- Reject auth_code where `aud` contains wildcard or mismatched service.
- Reject client_credentials with missing tenant claim or multi-audience list.
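Review bot: In the DPoP Requirements list, "evict oldest on cap" conflicts with "JTI single-use; store for nonce TTL window". If the store reaches its cap (the matrix gives 1024 entries for device_code) and drops a JTI that is still inside its TTL, a replay of that proof passes the "reject reuse within TTL" check listed under Negative-path examples. Suggest stating that only expired entries may be evicted and that new proofs are rejected (fail closed) when the cap is reached with no expired entries. The document should also say whether the 1024 cap is per tenant or global, and whether it applies to the 300s client_credentials window, which holds entries longer than the 120s device_code window. A smaller point on "Accept curves: P-256, Ed25519": the matrix binds each flow to a signature scheme, so listing the accepted JWS `alg` values would make the rule easier to enforce than a curve list.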