Add tests and implement StubBearer authentication for Signer endpoints

- Created SignerEndpointsTests to validate the SignDsse and VerifyReferrers endpoints. - Implemented StubBearerAuthenticationDefaults and StubBearerAuthenticationHandler for token-based authentication. - Developed ConcelierExporterClient for managing Trivy DB settings and export operations. - Added TrivyDbSettingsPageComponent for UI interactions with Trivy DB settings, including form handling and export triggering. - Implemented styles and HTML structure for Trivy DB settings page. - Created NotifySmokeCheck tool for validating Redis event streams and Notify deliveries.
2025-10-21 09:37:07 +03:00
parent 2b6304c9c3
commit 791e12baab
298 changed files with 20490 additions and 5751 deletions
--- a/etc/authority.yaml.sample
+++ b/etc/authority.yaml.sample
@@ -108,6 +108,52 @@ clients:

 # CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
 # Keep the list tight: localhost is sufficient for most air-gapped installs.
-bypassNetworks:
-  - "127.0.0.1/32"
-  - "::1/128"
+bypassNetworks:
+  - "127.0.0.1/32"
+  - "::1/128"
+
+# Security posture (rate limiting + sender constraints).
+security:
+  rateLimiting:
+    token:
+      enabled: true
+      permitLimit: 30
+      window: "00:01:00"
+      queueLimit: 0
+    authorize:
+      enabled: true
+      permitLimit: 60
+      window: "00:01:00"
+      queueLimit: 10
+    internal:
+      enabled: false
+      permitLimit: 5
+      window: "00:01:00"
+      queueLimit: 0
+  senderConstraints:
+    dpop:
+      enabled: true
+      allowedAlgorithms: [ "ES256", "ES384" ]
+      proofLifetime: "00:02:00"
+      allowedClockSkew: "00:00:30"
+      replayWindow: "00:05:00"
+      nonce:
+        enabled: true
+        ttl: "00:10:00"
+        maxIssuancePerMinute: 120
+        store: "memory" # Set to "redis" for multi-node Authority deployments.
+        requiredAudiences:
+          - "signer"
+          - "attestor"
+        # redisConnectionString: "redis://authority-redis:6379?ssl=false"
+    mtls:
+      enabled: false
+      requireChainValidation: true
+      rotationGrace: "00:15:00"
+      enforceForAudiences:
+        - "signer"
+      allowedSanTypes:
+        - "dns"
+        - "uri"
+      allowedCertificateAuthorities: [ ]
+      allowedSubjectPatterns: [ ]