consolidation of some of the modules, localization fixes, product advisories work, qa work

This commit is contained in:
master
2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions

@@ -511,3 +511,61 @@ Signer validates that `hash(JWK)` in the proof matches `cnf.jkt` in the token.
2. **Add**: mTLSâ€bound tokens for Signer/Attestor; device code for CLI; optional introspection.
3. **Hardening**: DPoP nonce support; full audit pipeline; HA tuning.
4. **UX**: Tenant/installation admin UI; roleâ†scope editors; client bootstrap wizards.
---
## 21) Identity domain schema ownership
> **ADR: No-merge decision (Sprint 216, 2026-03-04)**
>
> Authority and IssuerDirectory share the same PostgreSQL instance but use **separate schemas and separate DbContext classes**. This is a deliberate security decision, not a consolidation oversight.
### 21.1 AuthorityDbContext (schema: `authority`)
The most security-critical schema in the system. Owns:
| Table/Entity group | Security classification | Content |
| --- | --- | --- |
| Users | **Critical** | Password hashes, MFA state, lockout counters, email verification |
| Sessions | **Critical** | Active session tokens, refresh tokens, device grants |
| Tokens | **Critical** | Issued OpTok metadata, revocation records, jti replay cache |
| Roles & Permissions | **High** | Role-to-scope mappings, audience bindings |
| Clients | **High** | Client registrations, JWK material references, grant type configs |
| Tenants | **High** | Tenant/installation registry, cross-tenant isolation boundaries |
| MFA | **Critical** | TOTP secrets, recovery codes, WebAuthn credentials |
| Audit | **High** | Authentication event log, admin change trail |
**Compiled models:** AuthorityDbContext uses EF Core compiled models (generated by Sprint 219). The `<Compile Remove>` directive for `EfCore/CompiledModels/AuthorityDbContextAssemblyAttributes.cs` lives in `src/Authority/__Libraries/StellaOps.Authority.Persistence/StellaOps.Authority.Persistence.csproj`.
### 21.2 IssuerDirectoryDbContext (schema: `issuer_directory`)
Manages trusted VEX/CSAF publisher metadata. Owns:
| Table/Entity group | Security classification | Content |
| --- | --- | --- |
| Issuers | **Medium** | Publisher identity, display name, homepage, tenant scope |
| Issuer Keys | **Medium** | Public key material (Ed25519, X.509, DSSE), fingerprints, key lifecycle |
| Issuer Audit | **Medium** | CRUD audit trail for issuer metadata changes |
**Compiled models:** IssuerDirectoryDbContext also uses EF Core compiled models. The `<Compile Remove>` directive for `EfCore/CompiledModels/IssuerDirectoryDbContextAssemblyAttributes.cs` lives in `src/Authority/__Libraries/StellaOps.IssuerDirectory.Persistence/StellaOps.IssuerDirectory.Persistence.csproj` (relocated from `src/IssuerDirectory/` by Sprint 216).
### 21.3 No-merge security rationale
**Decision:** Schemas remain permanently separate. No cross-schema DB merge.
**Rationale:**
- AuthorityDbContext manages the most security-sensitive data in the system: password hashes, MFA state, session tokens, refresh tokens, and tenant isolation boundaries.
- A merged DbContext would mean any code path with access to issuer metadata could also reach authentication internals via the same EF Core connection and change tracker.
- The security principle of **least privilege** demands keeping these schemas separate even though they share the same PostgreSQL instance.
- **Blast radius containment**: a vulnerability in issuer metadata handling (e.g., a malformed CSAF publisher import) cannot escalate to credential compromise when the schemas are isolated.
- Each DbContext has its own migration history, compiled models, and connection pooling, enabling independent security hardening.
### 21.4 IssuerDirectory domain ownership
As of Sprint 216, the IssuerDirectory source tree is owned by the Authority domain:
- Source: `src/Authority/StellaOps.IssuerDirectory/` (service projects)
- Persistence: `src/Authority/__Libraries/StellaOps.IssuerDirectory.Persistence/`
- Tests: `src/Authority/__Tests/StellaOps.IssuerDirectory.Persistence.Tests/`
- Client library: `src/Authority/__Libraries/StellaOps.IssuerDirectory.Client/` (shared with Excititor, DeltaVerdict)
- Solution: included in `src/Authority/StellaOps.Authority.sln`
- Runtime identity: unchanged (separate container, separate endpoints, separate schema)
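Review bot: The least-privilege and blast-radius claims in 21.3 (the bullets under `**Rationale:**`) rest on separate schemas and separate DbContext classes, but on one PostgreSQL instance that is only a logical boundary: if both contexts connect with the same database role, any raw SQL or injection reachable from the issuer path can still address `authority.*` tables, and a shared Npgsql connection string also means a shared pool, contrary to the "own ... connection pooling" wording in the last bullet. Suggest adding a bullet that states the enforcement mechanism, for example `- Each DbContext connects with its own PostgreSQL role; the issuer_directory role has USAGE only on schema issuer_directory and no grants on schema authority.` and, if that is not yet the case, recording it as a follow-up rather than as a property the design already has. Two smaller points: 21.1 says the compiled models were `generated by Sprint 219` while the ADR header is dated Sprint 216, so either the sprint reference is wrong or the note post-dates the decision and should say so; and the unchanged context lines above section 21 carry mojibake (`mTLSâ€bound`, `roleâ†scope`) that should be restored to the intended hyphen and arrow while this file is being touched.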