stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Add LDAP Distinguished Name Helper and Credential Audit Context
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.
This commit is contained in:
master
2025-11-09 12:21:38 +02:00
parent ba4c935182
commit 75c2bcafce
385 changed files with 7354 additions and 7344 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
docs/implplan/SPRINT_100_identity_signing.md
View File

@@ -10,8 +10,8 @@ Focus: Identity & Signing focus on Authority (phase I).
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | AUTH-AIRGAP-57-001 | DOING (2025-11-08) | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| 2 | AUTH-PACKS-43-001 | BLOCKED (2025-10-27) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| 1 | AUTH-AIRGAP-57-001 | DONE (2025-11-08) | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority) |
| 2 | AUTH-PACKS-43-001 | BLOCKED (2025-10-27) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |
## 100.B) Authority.II
Dependency: None specified; follow module prerequisites.
@@ -19,16 +19,23 @@ Focus: Identity & Signing focus on Authority (phase II).
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | AUTH-DPOP-11-001 | DONE (2025-11-08) | DPoP validation now runs for every `/token` grant, interactive tokens inherit `cnf.jkt`/sender claims, and docs/tests document the expanded coverage. (Deps: AUTH-AOC-19-002.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| 2 | AUTH-MTLS-11-002 | DONE (2025-11-08) | Refresh grants now enforce the original client certificate, tokens persist `x5t#S256`/hex metadata via shared helper, and docs/JWKS guidance call out the mTLS binding expectations. (Deps: AUTH-DPOP-11-001.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) |
| 3 | PLG4-6.CAPABILITIES | DONE (2025-11-08) | Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. | BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |
| 4 | PLG6.DIAGRAM | DONE (2025-11-03) | Component + sequence diagrams rendered (Mermaid + SVG) and offline assets published under `docs/assets/authority`; dev guide now references final exports. | Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |
| 5 | PLG7.RFC | DONE (2025-11-03) | LDAP plugin RFC reviewed; guild sign-off captured and follow-up implementation issues filed per review notes. | BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |
| 6 | SEC2.PLG | BLOCKED (2025-10-21) | Emit audit events from password verification outcomes and persist via `IAuthorityLoginAttemptStore`. ⛔ Waiting on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 to stabilise Authority auth surfaces (PLUGIN-DI-08-001 closed 2025-10-21; re-run once sender constraints land). | Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |
| 7 | SEC3.PLG | BLOCKED (2025-10-21) | Ensure lockout responses and rate-limit metadata flow through plugin logs/events (include retry-after). ⛔ Pending AUTH-DPOP-11-001 / AUTH-MTLS-11-002; PLUGIN-DI-08-001 already merged, so limiter telemetry just awaits final Authority surface. | Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |
| 8 | SEC5.PLG | BLOCKED (2025-10-21) | Address plugin-specific mitigations (bootstrap user handling, password policy docs) in threat model backlog. ⛔ Final documentation now hinges on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 (PLUGIN-DI-08-001 landed 2025-10-21). | Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) |
| 1 | AUTH-DPOP-11-001 | DONE (2025-11-08) | DPoP validation now runs for every `/token` grant, interactive tokens inherit `cnf.jkt`/sender claims, and docs/tests document the expanded coverage. (Deps: AUTH-AOC-19-002.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |
| 2 | AUTH-MTLS-11-002 | DONE (2025-11-08) | Refresh grants now enforce the original client certificate, tokens persist `x5t#S256`/hex metadata via shared helper, and docs/JWKS guidance call out the mTLS binding expectations. (Deps: AUTH-DPOP-11-001.) | Authority Core & Security Guild (src/Authority/StellaOps.Authority) |
| 3 | PLG4-6.CAPABILITIES | DONE (2025-11-08) | Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. | BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 4 | PLG6.DIAGRAM | DONE (2025-11-03) | Component + sequence diagrams rendered (Mermaid + SVG) and offline assets published under `docs/assets/authority`; dev guide now references final exports. | Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 5 | PLG7.RFC | DONE (2025-11-03) | LDAP plugin RFC reviewed; guild sign-off captured and follow-up implementation issues filed per review notes. | BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 6 | SEC2.PLG | DONE (2025-11-09) | StandardCredentialAuditLogger now pushes `authority.plugin.standard.password_verification` events via `IAuthEventSink`, pulling client/tenant/network metadata from `AuthorityCredentialAuditContextAccessor`; success/failure/lockout scenarios are covered by new unit tests. | Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 7 | SEC3.PLG | DONE (2025-11-09) | Lockout/rate-limit telemetry emits deterministic `plugin.retry_after_seconds` + `plugin.lockout_until` properties, maps failure codes to the extended `AuthEventOutcome` set, and is validated by updated credential store/audit logger tests. | Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 8 | SEC5.PLG | DONE (2025-11-09) | Plugin guide + threat model document bootstrap safeguards, Argon2 password policy expectations, and the credential audit contract (`plugin.*` properties) so SOC/offline reviewers can trace mitigations end-to-end. | Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 9 | PLG7.IMPL-003 | DONE (2025-11-09) | Claims enricher ships with DN map + regex substitutions, Mongo claims cache (TTL + capacity enforcement) wired through DI, plus unit tests covering enrichment + cache eviction. | BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
| 10 | PLG7.IMPL-004 | DONE (2025-11-09) | LDAP plug-in now ships `clientProvisioning.*` options, a Mongo-audited `LdapClientProvisioningStore`, capability gating, and docs/tests covering LDAP writes + cache shims. | BE-Auth Plugin, DevOps Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap) |
| 11 | PLG7.IMPL-005 | DONE (2025-11-09) | LDAP plug-in docs refreshed (mutual TLS, regex mappings, cache/audit mirror guidance), sample manifest updated, Offline Kit + release notes now reference the bundled plug-in assets. | BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard) |
- 2025-11-08: PLG4-6.CAPABILITIES marked DONE bootstrap capability surfaced in code/docs, registry logs updated, and bootstrap APIs now gate on providers that advertise it (`dotnet test` across plugins + Authority core).
- 2025-11-08: AUTH-AIRGAP-57-001 landed — new `airGap.sealedMode` options, file-backed evidence ingestion, client metadata gating, docs/tests, and audit telemetry ensure sealed tenants cannot mint tokens until `authority-sealed-ci.json` passes.
- 2025-11-09: PLG7.IMPL-003 + PLG7.IMPL-004 complete — LDAP claims enricher/cache + client provisioning store with audit mirror, LDAP DN escapes, DI wiring, and plugin docs/tests refreshed.
- 2025-11-09: PLG7.IMPL-003 complete — LDAP claims enricher + Mongo cache wired (DI + tests), regex placeholder compatibility finalised, sample config/docs updated, and plugin tests green (`StellaOps.Authority.Plugin.Ldap.Tests`).
- 2025-11-09: PLG7.IMPL-005 complete — Developer guide, sample manifest, Offline Kit notes, and release updates now cover LDAP mutual TLS, regex mappings, caching, and the audit mirror workflow.
## 100.D) __Libraries
Dependency: None specified; follow module prerequisites.
@@ -36,5 +43,5 @@ Focus: Identity & Signing focus on __Libraries.
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| 1 | KMS-73-001 | DONE (2025-11-03) | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md) |
| 2 | KMS-73-002 | DONE (2025-11-03) | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md) |
| 1 | KMS-73-001 | DONE (2025-11-03) | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) |
| 2 | KMS-73-002 | DONE (2025-11-03) | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) |