Add LDAP Distinguished Name Helper and Credential Audit Context
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro-related classes for certificate resolution and signing operations.
@@ -346,6 +346,31 @@ exceptions:
- Verification responses map guard failures to `ERR_AOC_00x` codes and Authority emits `authority.client_credentials.grant` + `authority.token.validate_access` audit records containing the tenant and scopes so operators can trace who executed a run.
- For air-gapped or offline replicas, pre-issue verification tokens per tenant and rotate them alongside ingest credentials; the guard endpoints never mutate data and remain safe to expose through the offline kit schedule.

### Sealed-mode CI confirmation

Set `airGap.sealedMode.enforcementEnabled: true` to require sealed-mode evidence before issuing tokens to sensitive clients. The guard expects the DevOps harness (`ops/devops/sealed-mode-ci/run-sealed-ci.sh`) to upload `authority-sealed-ci.json` under `artifacts/sealed-mode-ci/<timestamp>/`. Configure Authority with the absolute or relative path to that file plus freshness/health requirements:

```
airGap:
sealedMode:
enforcementEnabled: true
evidencePath: "artifacts/sealed-mode-ci/latest/authority-sealed-ci.json"
maxEvidenceAge: "06:00:00"
cacheLifetime: "00:01:00"
requireAuthorityHealthPass: true
requireSignerHealthPass: true
requireAttestorHealthPass: true
requireEgressProbePass: true
```

Only clients that set `properties.requiresAirgapSealConfirmation: true` (new `AuthorityClientMetadataKeys.RequiresAirGapSealConfirmation`) are gated. When enabled, `/token` rejects those requests with `invalid_client` until:

1. `timestamp` inside the evidence file is newer than `maxEvidenceAge`.
2. `health.authority/signer/attestor.status` are all `pass` (each requirement can be toggled off via the options above).
3. `egressProbe.status` equals `pass`, confirming outbound traffic was blocked during the harness run.

Audit events now include `airgap.sealed=<state>` where `<state>` is `failure:<code>` (for example `failure:evidence_missing`) or `confirmed:<rfc3339 timestamp>`. Token validation spans also emit the `authority.sealed_mode` activity tag with the same value, so dashboards can alarm when evidence goes stale.

## 7. Configuration Reference

| Section | Key | Description | Notes |

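Review bot: The example `evidencePath` (`artifacts/sealed-mode-ci/latest/authority-sealed-ci.json`) does not match the location the prose says the harness uploads to (`artifacts/sealed-mode-ci/<timestamp>/`); either say who creates or refreshes `latest` (the harness, a symlink, an operator copy step) or point the example at the timestamped directory, otherwise operators will configure a path that is never written and every gated `/token` call will fail with `failure:evidence_missing`. Two more gaps in the same block: `cacheLifetime: "00:01:00"` appears in the YAML but the text never explains what is cached (presumably how long a parsed evidence verdict is reused before the file is re-read, which bounds how quickly a replaced or stale file takes effect), and nothing states how the evidence file's authenticity is established. Since a well-formed JSON file with `pass` statuses and a fresh `timestamp` unblocks token issuance for the most sensitive clients, state whether the guard verifies a signature on the file or relies purely on filesystem ownership and permissions, and what those should be. Wording in step 1: a timestamp cannot be "newer than `maxEvidenceAge`" (a duration); say "no older than `maxEvidenceAge`" or "within `maxEvidenceAge` of now". Minor: the key `properties.requiresAirgapSealConfirmation` and the constant `AuthorityClientMetadataKeys.RequiresAirGapSealConfirmation` spell Airgap/AirGap differently; confirm the constant's string value matches the documented key. Finally, this docs hunk is not mentioned in the commit message, which only lists the LDAP helper, audit context and CryptoPro classes.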