stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

consolidation of some of the modules, localization fixes, product advisories work, qa work

Browse Source
This commit is contained in:
master
2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/Router/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs
View File

@@ -69,9 +69,27 @@ public sealed class AuthorizationMiddleware
foreach (var required in effectiveClaims)
{
var userClaims = context.User.Claims;
var hasClaim = required.Value == null
? userClaims.Any(c => c.Type == required.Type)
: userClaims.Any(c => c.Type == required.Type && c.Value == required.Value);
bool hasClaim;
if (required.Value == null)
{
hasClaim = userClaims.Any(c => c.Type == required.Type);
}
else if (string.Equals(required.Type, "scope", StringComparison.OrdinalIgnoreCase) ||
string.Equals(required.Type, "scp", StringComparison.OrdinalIgnoreCase))
{
// Scope claims may be space-separated (RFC 6749 §3.3) or individual claims.
// Check both: exact match on individual claims, and contains-within-space-separated.
hasClaim = userClaims.Any(c =>
c.Type == required.Type &&
(c.Value == required.Value ||
c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries)
.Any(s => string.Equals(s, required.Value, StringComparison.Ordinal))));
}
else
{
hasClaim = userClaims.Any(c => c.Type == required.Type && c.Value == required.Value);
}
if (!hasClaim)
{

2
src/Router/StellaOps.Gateway.WebService/Dockerfile
View File

@@ -6,7 +6,7 @@ EXPOSE 8443
FROM mcr.microsoft.com/dotnet/sdk:10.0-preview AS build
WORKDIR /src
COPY . .
RUN dotnet publish src/Gateway/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj -c Release -o /app/publish
RUN dotnet publish src/Router/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj -c Release -o /app/publish
FROM base AS final
WORKDIR /app

4
src/Router/StellaOps.Gateway.WebService/Middleware/IdentityHeaderPolicyMiddleware.cs
View File

@@ -651,7 +651,9 @@ public sealed class IdentityHeaderPolicyOptions
[
"/connect",
"/console",
"/api/admin"
"/authority",
"/doctor",
"/api"
];
/// <summary>

1
src/Router/StellaOps.Gateway.WebService/TASKS.md
View File

@@ -10,3 +10,4 @@ Source of truth: `docs-archived/implplan/2025-12-29-csproj-audit/SPRINT_20251229
| AUDIT-0347-A | TODO | Pending approval (non-test project; revalidated 2026-01-07). |
| REMED-06 | DONE | SOLID review notes captured for SPRINT_20260130_002. |
| RGH-01 | DONE | 2026-02-22: Added SPA fallback handling for browser deep links on microservice route matches; API prefixes remain backend-dispatched. |
| RGH-02 | DONE | 2026-03-04: Expanded approved auth passthrough prefixes (`/authority`, `/doctor`, `/api`) to unblock authenticated gateway routes used by Audit Log UI E2E. |

160
src/Router/__Libraries/StellaOps.Microservice.AspNetCore/AspNetRouterRequestDispatcher.cs
View File

@@ -1,4 +1,5 @@
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Routing;
@@ -77,6 +78,30 @@ public sealed class AspNetRouterRequestDispatcher : IAspNetRouterRequestDispatch
// Build HttpContext
var httpContext = BuildHttpContext(scope.ServiceProvider, request, cancellationToken);
// Valkey-dispatched requests bypass the middleware pipeline, so we must manually
// initialize services that the endpoint filters depend on:
//
// 1. Pre-authenticate: trigger the OnMessageReceived bridge in the JWT handler so
// that the envelope identity is cached as a valid StellaOpsBearer auth result.
// Without this, RequireAuthorization() filters would fail (no JWT token).
//
// 2. Populate tenant accessor: the StellaOpsTenantMiddleware normally runs in the
// pipeline and sets IStellaOpsTenantAccessor.TenantContext. Endpoint filters that
// call RequireTenant() check this accessor. Without it, they return 500.
if (httpContext.User.Identity is { IsAuthenticated: true, AuthenticationType: "StellaRouterEnvelope" })
{
// Pre-authenticate for the default auth scheme
var authService = httpContext.RequestServices.GetService<IAuthenticationService>();
if (authService is not null)
{
await authService.AuthenticateAsync(httpContext, null).ConfigureAwait(false);
}
// Populate tenant context from claims/headers (mimics StellaOpsTenantMiddleware).
// We use reflection to avoid a hard dependency on Auth.ServerIntegration.
PopulateTenantAccessor(httpContext);
}
// Match endpoint
var endpoint = await MatchEndpointAsync(httpContext).ConfigureAwait(false);
if (endpoint is null)
@@ -282,11 +307,16 @@ public sealed class AspNetRouterRequestDispatcher : IAspNetRouterRequestDispatch
if (!string.IsNullOrWhiteSpace(envelope.Tenant))
{
// Use the canonical StellaOps claim type so that StellaOpsScopeAuthorizationHandler
// and TenantAllowed() can find the tenant via StellaOpsClaimTypes.Tenant.
claims.Add(new Claim("stellaops:tenant", envelope.Tenant));
// Also emit short-form for backward compatibility with inline RequireTenant() checks.
claims.Add(new Claim("tenant", envelope.Tenant));
}
if (!string.IsNullOrWhiteSpace(envelope.Project))
{
claims.Add(new Claim("stellaops:project", envelope.Project));
claims.Add(new Claim("project", envelope.Project));
}
@@ -373,34 +403,57 @@ public sealed class AspNetRouterRequestDispatcher : IAspNetRouterRequestDispatch
#pragma warning disable CS1998
private async Task<RouteEndpoint?> MatchEndpointAsync(HttpContext httpContext)
{
// Use the endpoint selector if available
var selector = httpContext.RequestServices.GetService<EndpointSelector>();
if (selector is not null)
// Build candidate set from data source
var endpoints = _endpointDataSource.Endpoints
.OfType<RouteEndpoint>()
.ToArray();
// Simple matching: find endpoint that matches path and method.
// Sort by specificity: endpoints with fewer parameters match first,
// so literal paths (e.g., /approvals) beat parameterized paths (e.g., /{id:guid}).
var (path, _) = ParsePathAndQuery(httpContext.Request.Path.Value ?? "/");
var pathStr = path.Value ?? "/";
var method = httpContext.Request.Method;
RouteEndpoint? bestMatch = null;
int bestParameterCount = int.MaxValue;
foreach (var endpoint in endpoints)
{
// Build candidate set from data source
var endpoints = _endpointDataSource.Endpoints
.OfType<RouteEndpoint>()
.ToArray();
// Simple matching: find endpoint that matches path and method
var (path, _) = ParsePathAndQuery(httpContext.Request.Path.Value ?? "/");
foreach (var endpoint in endpoints)
if (!IsEndpointMatch(endpoint, method, pathStr, out var routeValues))
{
if (IsEndpointMatch(endpoint, httpContext.Request.Method, path.Value ?? "/"))
{
// Populate route values from path
PopulateRouteValues(httpContext, endpoint, path.Value ?? "/");
return endpoint;
}
continue;
}
// Validate route constraints (e.g., :guid, :int)
if (!ValidateRouteConstraints(endpoint, routeValues))
{
continue;
}
// Prefer endpoints with fewer parameters (more specific)
var paramCount = endpoint.RoutePattern.Parameters.Count;
if (paramCount < bestParameterCount)
{
bestParameterCount = paramCount;
bestMatch = endpoint;
}
}
return null;
if (bestMatch is not null)
{
PopulateRouteValues(httpContext, bestMatch, pathStr);
}
return bestMatch;
}
private static bool IsEndpointMatch(RouteEndpoint endpoint, string method, string path)
private static bool IsEndpointMatch(
RouteEndpoint endpoint, string method, string path,
out Dictionary<string, object?> routeValues)
{
routeValues = new Dictionary<string, object?>(StringComparer.OrdinalIgnoreCase);
// Check HTTP method
var methodMetadata = endpoint.Metadata.GetMetadata<HttpMethodMetadata>();
if (methodMetadata?.HttpMethods is not { } methods)
@@ -415,7 +468,51 @@ public sealed class AspNetRouterRequestDispatcher : IAspNetRouterRequestDispatch
// Match path pattern
var matcher = new TemplateMatcher(endpoint.RoutePattern);
return matcher.TryMatch(path, out _);
return matcher.TryMatch(path, out routeValues);
}
private static bool ValidateRouteConstraints(
RouteEndpoint endpoint,
Dictionary<string, object?> routeValues)
{
foreach (var param in endpoint.RoutePattern.Parameters)
{
if (param.ParameterPolicies.Count == 0)
{
continue;
}
if (!routeValues.TryGetValue(param.Name, out var value) || value is null)
{
continue;
}
var strValue = value.ToString();
foreach (var policy in param.ParameterPolicies)
{
var constraint = policy.Content?.ToLowerInvariant();
var valid = constraint switch
{
"guid" => Guid.TryParse(strValue, out _),
"int" => int.TryParse(strValue, out _),
"long" => long.TryParse(strValue, out _),
"bool" => bool.TryParse(strValue, out _),
"datetime" => DateTime.TryParse(strValue, out _),
"decimal" => decimal.TryParse(strValue, out _),
"double" => double.TryParse(strValue, out _),
"float" => float.TryParse(strValue, out _),
"alpha" => !string.IsNullOrEmpty(strValue) && strValue.All(char.IsLetter),
_ => true // Unknown constraint: accept
};
if (!valid)
{
return false;
}
}
}
return true;
}
private static void PopulateRouteValues(HttpContext httpContext, RouteEndpoint endpoint, string path)
@@ -671,6 +768,27 @@ public sealed class AspNetRouterRequestDispatcher : IAspNetRouterRequestDispatch
public RouteValueDictionary RouteValues { get; set; } = new();
}
/// <summary>
/// Populates the IStellaOpsTenantAccessor. This mimics what StellaOpsTenantMiddleware does
/// in the normal HTTP pipeline: resolves the tenant from claims/headers and sets it
/// on the scoped accessor so that RequireTenant() endpoint filters succeed.
/// </summary>
private static void PopulateTenantAccessor(HttpContext httpContext)
{
var accessor = httpContext.RequestServices
.GetService<StellaOps.Auth.ServerIntegration.Tenancy.IStellaOpsTenantAccessor>();
if (accessor is null)
{
return;
}
if (StellaOps.Auth.ServerIntegration.Tenancy.StellaOpsTenantResolver.TryResolve(
httpContext, out var tenantCtx, out _))
{
accessor.TenantContext = tenantCtx;
}
}
private enum IdentityPopulationResult
{
Accepted,

2
src/Router/__Libraries/StellaOps.Microservice.AspNetCore/StellaOps.Microservice.AspNetCore.csproj
View File

@@ -14,5 +14,7 @@
<ItemGroup>
<ProjectReference Include="..\StellaOps.Microservice\StellaOps.Microservice.csproj" />
<ProjectReference Include="..\StellaOps.Router.Common\StellaOps.Router.Common.csproj" />
<ProjectReference Include="..\..\..\Authority\StellaOps.Authority\StellaOps.Auth.ServerIntegration\StellaOps.Auth.ServerIntegration.csproj" />
<ProjectReference Include="..\..\..\Authority\StellaOps.Authority\StellaOps.Auth.Abstractions\StellaOps.Auth.Abstractions.csproj" />
</ItemGroup>
</Project>

108
src/Router/__Tests/StellaOps.Router.Transport.Plugin.Tests/RouterTransportPluginLoaderTests.cs
View File

@@ -222,10 +222,10 @@ public sealed class RouterTransportPluginLoaderTests
[Trait("Category", TestCategories.Unit)]
[Fact]
public void LoadFromDirectory_NonExistentDirectory_LogsWarning()
public void LoadFromDirectory_NonExistentDirectory_LogsDebug()
{
// Arrange
var loggerMock = new Mock<ILogger>();
var loggerMock = new Mock<ILogger<RouterTransportPluginLoader>>();
var loader = new RouterTransportPluginLoader(loggerMock.Object);
var nonExistentDir = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString());
@@ -236,9 +236,9 @@ public sealed class RouterTransportPluginLoaderTests
loader.Plugins.Should().BeEmpty();
loggerMock.Verify(
x => x.Log(
LogLevel.Warning,
LogLevel.Debug,
It.IsAny<EventId>(),
It.Is<It.IsAnyType>((v, t) => v.ToString()!.Contains("does not exist")),
It.Is<It.IsAnyType>((v, t) => v.ToString()!.Contains("does not exist or is empty")),
It.IsAny<Exception>(),
It.IsAny<Func<It.IsAnyType, Exception?, string>>()),
Times.Once);
@@ -269,7 +269,7 @@ public sealed class RouterTransportPluginLoaderTests
[Trait("Category", TestCategories.Unit)]
[Fact]
public void LoadFromDirectory_MethodChaining_Works()
public void LoadFromDirectory_ExistingDirectory_DoesNotThrow()
{
// Arrange
var loader = new RouterTransportPluginLoader();
@@ -279,10 +279,10 @@ public sealed class RouterTransportPluginLoaderTests
try
{
// Act
var result = loader.LoadFromDirectory(emptyDir);
var act = () => loader.LoadFromDirectory(emptyDir);
// Assert
result.Should().BeSameAs(loader);
act.Should().NotThrow();
}
finally
{
@@ -292,23 +292,27 @@ public sealed class RouterTransportPluginLoaderTests
#endregion
#region RegisterConfiguredTransport Tests
#region Plugin Registration Context Tests
[Trait("Category", TestCategories.Integration)]
[Fact]
public void RegisterConfiguredTransport_WithExplicitTransport_RegistersCorrectPlugin()
public void GetPlugin_TcpRegister_RegistersClientAndServer()
{
// Arrange
var loader = new RouterTransportPluginLoader();
loader.LoadFromAssembly(typeof(TcpTransportPlugin).Assembly);
loader.LoadFromAssembly(typeof(InMemoryTransportPlugin).Assembly);
var plugin = loader.GetPlugin("tcp");
var services = new ServiceCollection();
services.AddLogging();
var config = new ConfigurationBuilder().Build();
// Act
loader.RegisterConfiguredTransport(services, config, RouterTransportMode.Both, "tcp");
plugin.Should().NotBeNull();
plugin!.Register(new RouterTransportRegistrationContext(
services,
config,
RouterTransportMode.Both));
// Assert
var provider = services.BuildServiceProvider();
@@ -318,94 +322,28 @@ public sealed class RouterTransportPluginLoaderTests
[Trait("Category", TestCategories.Integration)]
[Fact]
public void RegisterConfiguredTransport_FromConfiguration_ReadsTransportType()
public void GetPlugin_InMemoryRegister_RegistersConnectionRegistry()
{
// Arrange
var loader = new RouterTransportPluginLoader();
loader.LoadFromAssembly(typeof(InMemoryTransportPlugin).Assembly);
var plugin = loader.GetPlugin("inmemory");
var services = new ServiceCollection();
services.AddLogging();
var config = new ConfigurationBuilder()
.AddInMemoryCollection(new Dictionary<string, string?>
{
["Router:Transport:Type"] = "inmemory"
})
.Build();
var config = new ConfigurationBuilder().Build();
// Act
loader.RegisterConfiguredTransport(services, config, RouterTransportMode.Both);
plugin.Should().NotBeNull();
plugin!.Register(new RouterTransportRegistrationContext(
services,
config,
RouterTransportMode.Both));
// Assert
var provider = services.BuildServiceProvider();
provider.GetService<InMemoryConnectionRegistry>().Should().NotBeNull();
}
[Trait("Category", TestCategories.Integration)]
[Fact]
public void RegisterConfiguredTransport_DefaultsToTcp()
{
// Arrange
var loader = new RouterTransportPluginLoader();
loader.LoadFromAssembly(typeof(TcpTransportPlugin).Assembly);
var services = new ServiceCollection();
services.AddLogging();
var config = new ConfigurationBuilder().Build();
// Act
loader.RegisterConfiguredTransport(services, config, RouterTransportMode.Both);
// Assert
var provider = services.BuildServiceProvider();
provider.GetService<ITransportServer>().Should().BeOfType<TcpTransportServer>();
}
[Trait("Category", TestCategories.Unit)]
[Fact]
public void RegisterConfiguredTransport_UnknownTransport_ThrowsException()
{
// Arrange
var loader = new RouterTransportPluginLoader();
var services = new ServiceCollection();
var config = new ConfigurationBuilder().Build();
// Act
var act = () => loader.RegisterConfiguredTransport(services, config, RouterTransportMode.Both, "unknown");
// Assert
act.Should().Throw<InvalidOperationException>()
.WithMessage("*unknown*not found*");
}
#endregion
#region RegisterAllTransports Tests
[Trait("Category", TestCategories.Integration)]
[Fact]
public void RegisterAllTransports_RegistersAllLoadedPlugins()
{
// Arrange
var loader = new RouterTransportPluginLoader();
loader.LoadFromAssembly(typeof(TcpTransportPlugin).Assembly);
loader.LoadFromAssembly(typeof(InMemoryTransportPlugin).Assembly);
var services = new ServiceCollection();
services.AddLogging();
var config = new ConfigurationBuilder().Build();
// Act
loader.RegisterAllTransports(services, config, RouterTransportMode.Both);
// Assert - Both transports should have registered their services
var descriptors = services.Where(d =>
d.ServiceType == typeof(ITransportServer) ||
d.ServiceType == typeof(ITransportClient)).ToList();
// InMemory uses TryAdd, so whichever is registered first will be in the container
descriptors.Should().HaveCountGreaterThanOrEqualTo(2);
}
#endregion
}