Add LDAP Distinguished Name Helper and Credential Audit Context
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values. - Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context. - Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events. - Introduced AuthorityAuditSink for persisting audit records with structured logging. - Added CryptoPro related classes for certificate resolution and signing operations.
This commit is contained in:
master
@@ -39,10 +39,15 @@ claims:
|
||||
"cn=stellaops-read,ou=groups,dc=example,dc=internal": "auditors"
|
||||
regexMappings:
|
||||
- pattern: "^cn=stellaops-(?P<role>[a-z-]+),ou=groups,dc=example,dc=internal$"
|
||||
roleFormat: "{role}"
|
||||
roleFormat: "{role}" # {role} comes from the named capture group in the pattern above
|
||||
extraAttributes:
|
||||
displayName: "displayName"
|
||||
email: "mail"
|
||||
cache:
|
||||
enabled: true # enable Mongo-backed cache to avoid hammering LDAP for repeat grants
|
||||
collectionName: "ldap_claims_cache" # optional; defaults to ldap_claims_cache_<pluginName> when omitted
|
||||
ttlSeconds: 600
|
||||
maxEntries: 5000
|
||||
|
||||
queries:
|
||||
userFilter: "(&(objectClass=person)(uid={username}))"
|
||||
@@ -57,7 +62,7 @@ clientProvisioning:
|
||||
secretAttribute: "userPassword"
|
||||
auditMirror:
|
||||
enabled: true
|
||||
collectionName: "ldap_client_provisioning"
|
||||
collectionName: "ldap_client_provisioning" # Mongo mirror ships inside the Offline Kit for auditors
|
||||
|
||||
health:
|
||||
probeIntervalSeconds: 60
|
||||
|
||||
@@ -12,12 +12,16 @@ StellaOps:
|
||||
CryptoPro:
|
||||
Keys:
|
||||
- KeyId: ru-csp-default
|
||||
LibraryPath: /opt/cprocsp/lib/amd64/libcapi20.so
|
||||
ContainerLabel: CN=RootPack Signing
|
||||
Algorithm: GOST12-256
|
||||
ProviderName: "Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider"
|
||||
CertificateThumbprint: "<thumbprint>"
|
||||
CertificateStoreLocation: LocalMachine
|
||||
CertificateStoreName: My
|
||||
ContainerName: CN=RootPack Signing
|
||||
Pkcs11:
|
||||
Keys:
|
||||
- KeyId: ru-token-default
|
||||
Algorithm: GOST12-256
|
||||
LibraryPath: /usr/local/lib/librutokenecp.so
|
||||
SlotId: "0x1"
|
||||
Pin: "${PKCS11_PIN}"
|
||||
|
||||
Reference in New Issue
Block a user