stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

search and ai stabilization work, localization stablized.

Browse Source
This commit is contained in:
master
2026-02-24 23:29:36 +02:00
parent 4f947a8b61
commit b07d27772e
766 changed files with 55299 additions and 3221 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
devops/compose/docker-compose.idp-testing.yml Normal file
View File

@@ -0,0 +1,62 @@
version: "3.9"
# Identity Provider testing containers for LDAP, SAML, and OIDC integration tests.
# Usage: docker compose -f docker-compose.idp-testing.yml --profile idp up -d
networks:
stellaops-testing:
name: stellaops-testing
driver: bridge
services:
openldap:
image: osixia/openldap:1.5.0
profiles: ["idp"]
container_name: stellaops-openldap
hostname: openldap.stellaops.test
environment:
LDAP_ORGANISATION: "StellaOps Test"
LDAP_DOMAIN: "stellaops.test"
LDAP_ADMIN_PASSWORD: "admin-secret"
LDAP_CONFIG_PASSWORD: "config-secret"
LDAP_READONLY_USER: "true"
LDAP_READONLY_USER_USERNAME: "readonly"
LDAP_READONLY_USER_PASSWORD: "readonly-secret"
LDAP_TLS: "false"
ports:
- "3389:389"
- "3636:636"
volumes:
- ./fixtures/ldap/bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/50-bootstrap.ldif:ro
command: "--copy-service"
networks:
- stellaops-testing
healthcheck:
test: ["CMD", "ldapsearch", "-x", "-H", "ldap://localhost:389", "-b", "dc=stellaops,dc=test", "-D", "cn=admin,dc=stellaops,dc=test", "-w", "admin-secret"]
interval: 10s
timeout: 5s
retries: 5
start_period: 15s
keycloak:
image: quay.io/keycloak/keycloak:24.0
profiles: ["idp"]
container_name: stellaops-keycloak
hostname: keycloak.stellaops.test
environment:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin-secret
KC_HEALTH_ENABLED: "true"
ports:
- "8280:8080"
volumes:
- ./fixtures/keycloak/stellaops-realm.json:/opt/keycloak/data/import/stellaops-realm.json:ro
command: ["start-dev", "--import-realm"]
networks:
- stellaops-testing
healthcheck:
test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/8080 && echo -e 'GET /health/ready HTTP/1.1\r\nHost: localhost\r\n\r\n' >&3 && cat <&3 | grep -q '\"status\":\"UP\"'"]
interval: 15s
timeout: 10s
retries: 10
start_period: 60s

6
devops/compose/envsettings-override.json
View File

@@ -1,9 +1,9 @@
{
"authority": {
"issuer": "https://authority.stella-ops.local/",
"issuer": "https://stella-ops.local/",
"clientId": "stella-ops-ui",
"authorizeEndpoint": "https://authority.stella-ops.local/connect/authorize",
"tokenEndpoint": "https://authority.stella-ops.local/connect/token",
"authorizeEndpoint": "https://stella-ops.local/connect/authorize",
"tokenEndpoint": "https://stella-ops.local/connect/token",
"redirectUri": "https://stella-ops.local/auth/callback",
"postLogoutRedirectUri": "https://stella-ops.local/",
"scope": "openid profile email offline_access ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin",

179
devops/compose/fixtures/keycloak/stellaops-realm.json Normal file
View File

@@ -0,0 +1,179 @@
{
"realm": "stellaops",
"enabled": true,
"displayName": "StellaOps Test Realm",
"sslRequired": "none",
"registrationAllowed": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"roles": {
"realm": [
{ "name": "admin", "description": "StellaOps administrator role" },
{ "name": "operator", "description": "StellaOps operator role" },
{ "name": "viewer", "description": "StellaOps viewer role" }
]
},
"users": [
{
"username": "saml-admin",
"email": "saml-admin@stellaops.test",
"firstName": "SAML",
"lastName": "Admin",
"enabled": true,
"emailVerified": true,
"credentials": [
{ "type": "password", "value": "saml-admin-password", "temporary": false }
],
"realmRoles": ["admin"]
},
{
"username": "saml-operator",
"email": "saml-operator@stellaops.test",
"firstName": "SAML",
"lastName": "Operator",
"enabled": true,
"emailVerified": true,
"credentials": [
{ "type": "password", "value": "saml-operator-password", "temporary": false }
],
"realmRoles": ["operator"]
},
{
"username": "oidc-admin",
"email": "oidc-admin@stellaops.test",
"firstName": "OIDC",
"lastName": "Admin",
"enabled": true,
"emailVerified": true,
"credentials": [
{ "type": "password", "value": "oidc-admin-password", "temporary": false }
],
"realmRoles": ["admin"]
},
{
"username": "oidc-operator",
"email": "oidc-operator@stellaops.test",
"firstName": "OIDC",
"lastName": "Operator",
"enabled": true,
"emailVerified": true,
"credentials": [
{ "type": "password", "value": "oidc-operator-password", "temporary": false }
],
"realmRoles": ["operator"]
}
],
"clients": [
{
"clientId": "stellaops-saml-sp",
"name": "StellaOps SAML Service Provider",
"protocol": "saml",
"enabled": true,
"frontchannelLogout": true,
"attributes": {
"saml.assertion.signature": "true",
"saml.server.signature": "true",
"saml.client.signature": "false",
"saml.authnstatement": "true",
"saml.force.post.binding": "true",
"saml_name_id_format": "username",
"saml_assertion_consumer_url_post": "https://localhost:5001/saml/acs",
"saml_single_logout_service_url_post": "https://localhost:5001/saml/slo"
},
"redirectUris": [
"https://localhost:5001/*"
],
"protocolMappers": [
{
"name": "role-mapper",
"protocol": "saml",
"protocolMapper": "saml-role-list-mapper",
"consentRequired": false,
"config": {
"single": "true",
"attribute.nameformat": "Basic",
"attribute.name": "Role"
}
},
{
"name": "email-mapper",
"protocol": "saml",
"protocolMapper": "saml-user-attribute-mapper",
"consentRequired": false,
"config": {
"attribute.nameformat": "Basic",
"user.attribute": "email",
"friendly.name": "email",
"attribute.name": "email"
}
}
]
},
{
"clientId": "stellaops-oidc-client",
"name": "StellaOps OIDC Client",
"protocol": "openid-connect",
"enabled": true,
"publicClient": false,
"secret": "stellaops-oidc-test-secret",
"directAccessGrantsEnabled": true,
"standardFlowEnabled": true,
"serviceAccountsEnabled": true,
"redirectUris": [
"https://localhost:5001/*",
"http://localhost:4200/*"
],
"webOrigins": [
"https://localhost:5001",
"http://localhost:4200"
],
"defaultClientScopes": [
"openid",
"profile",
"email",
"roles"
],
"protocolMappers": [
{
"name": "realm-role-mapper",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-realm-role-mapper",
"consentRequired": false,
"config": {
"multivalued": "true",
"claim.name": "roles",
"jsonType.label": "String",
"id.token.claim": "true",
"access.token.claim": "true",
"userinfo.token.claim": "true"
}
}
]
}
],
"clientScopes": [
{
"name": "roles",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true"
},
"protocolMappers": [
{
"name": "realm-roles",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-realm-role-mapper",
"consentRequired": false,
"config": {
"multivalued": "true",
"claim.name": "realm_roles",
"jsonType.label": "String",
"id.token.claim": "true",
"access.token.claim": "true",
"userinfo.token.claim": "true"
}
}
]
}
]
}

76
devops/compose/fixtures/ldap/bootstrap.ldif Normal file
View File

@@ -0,0 +1,76 @@
## StellaOps LDAP Test Bootstrap Data
## Loaded by osixia/openldap via --copy-service
# Organizational Units
dn: ou=users,dc=stellaops,dc=test
objectClass: organizationalUnit
ou: users
dn: ou=groups,dc=stellaops,dc=test
objectClass: organizationalUnit
ou: groups
# Users
dn: uid=test-admin,ou=users,dc=stellaops,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: test-admin
cn: Test Admin
sn: Admin
givenName: Test
mail: test-admin@stellaops.test
userPassword: admin-password
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/test-admin
loginShell: /bin/bash
dn: uid=test-operator,ou=users,dc=stellaops,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: test-operator
cn: Test Operator
sn: Operator
givenName: Test
mail: test-operator@stellaops.test
userPassword: operator-password
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/test-operator
loginShell: /bin/bash
dn: uid=test-viewer,ou=users,dc=stellaops,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: test-viewer
cn: Test Viewer
sn: Viewer
givenName: Test
mail: test-viewer@stellaops.test
userPassword: viewer-password
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/test-viewer
loginShell: /bin/bash
# Groups
dn: cn=admins,ou=groups,dc=stellaops,dc=test
objectClass: groupOfNames
cn: admins
description: StellaOps Administrators
member: uid=test-admin,ou=users,dc=stellaops,dc=test
dn: cn=operators,ou=groups,dc=stellaops,dc=test
objectClass: groupOfNames
cn: operators
description: StellaOps Operators
member: uid=test-operator,ou=users,dc=stellaops,dc=test
dn: cn=viewers,ou=groups,dc=stellaops,dc=test
objectClass: groupOfNames
cn: viewers
description: StellaOps Viewers
member: uid=test-viewer,ou=users,dc=stellaops,dc=test

7
devops/compose/postgres-init/advisoryai-knowledge-test/01_extensions.sql
View File

@@ -1,5 +1,12 @@
CREATE SCHEMA IF NOT EXISTS advisoryai;
-- pg_trgm: required for trigram fuzzy matching (Sprint 101 / G5).
-- Included in standard PostgreSQL contrib — always available.
CREATE EXTENSION IF NOT EXISTS pg_trgm;
-- pgvector: required for vector(384) embedding columns and cosine similarity.
-- NOT included in postgres:alpine by default — requires pgvector/pgvector image or manual install.
-- AKS degrades gracefully to array embeddings fallback if missing.
DO $$
BEGIN
CREATE EXTENSION IF NOT EXISTS vector;

16
devops/compose/router-gateway-local.json
View File

@@ -442,9 +442,9 @@
"PreserveAuthHeaders": true
},
{
"Type": "StaticFile",
"Type": "ReverseProxy",
"Path": "/platform/envsettings.json",
"TranslatesTo": "/app/envsettings-override.json"
"TranslatesTo": "http://platform.stella-ops.local/platform/envsettings.json"
},
{
"Type": "ReverseProxy",
@@ -452,21 +452,21 @@
"TranslatesTo": "http://platform.stella-ops.local/platform"
},
{
"Type": "Microservice",
"Type": "ReverseProxy",
"Path": "/connect",
"TranslatesTo": "https://authority.stella-ops.local/connect",
"TranslatesTo": "http://authority.stella-ops.local/connect",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Type": "ReverseProxy",
"Path": "/.well-known",
"TranslatesTo": "https://authority.stella-ops.local/well-known",
"TranslatesTo": "http://authority.stella-ops.local/.well-known",
"PreserveAuthHeaders": true
},
{
"Type": "Microservice",
"Type": "ReverseProxy",
"Path": "/jwks",
"TranslatesTo": "https://authority.stella-ops.local/jwks",
"TranslatesTo": "http://authority.stella-ops.local/jwks",
"PreserveAuthHeaders": true
},
{