feat: Enhance Authority Identity Provider Registry with Bootstrap Capability
- Added support for bootstrap providers in AuthorityIdentityProviderRegistry. - Introduced a new property for bootstrap providers and updated AggregateCapabilities. - Updated relevant methods to handle bootstrap capabilities during provider registration. feat: Introduce Sealed Mode Status in OpenIddict Handlers - Added SealedModeStatusProperty to AuthorityOpenIddictConstants. - Enhanced ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, and ValidateRefreshTokenGrantHandler to validate sealed mode evidence. - Implemented logic to handle airgap seal confirmation requirements. feat: Update Program Configuration for Sealed Mode - Registered IAuthoritySealedModeEvidenceValidator in Program.cs. - Added logging for bootstrap capabilities in identity provider plugins. - Implemented checks for bootstrap support in API endpoints. chore: Update Tasks and Documentation - Marked AUTH-MTLS-11-002 as DONE in TASKS.md. - Updated documentation to reflect changes in sealed mode and bootstrap capabilities. fix: Improve CLI Command Handlers Output - Enhanced output formatting for command responses and prompts in CommandHandlers.cs. feat: Extend Advisory AI Models - Added Response property to AdvisoryPipelineOutputModel for better output handling. fix: Adjust Concelier Web Service Authentication - Improved JWT token handling in Concelier Web Service to ensure proper token extraction and logging. test: Enhance Web Service Endpoints Tests - Added detailed logging for authentication failures in WebServiceEndpointsTests. - Enabled PII logging for better debugging of authentication issues. feat: Introduce Air-Gap Configuration Options - Added AuthorityAirGapOptions and AuthoritySealedModeOptions to StellaOpsAuthorityOptions. - Implemented validation logic for air-gap configurations to ensure proper setup.
This commit is contained in:
master
@@ -11,11 +11,13 @@ using System.Net.Http.Headers;
|
||||
using System.Security.Claims;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using Microsoft.AspNetCore.Authentication;
|
||||
using Microsoft.AspNetCore.Builder;
|
||||
using Microsoft.AspNetCore.Hosting;
|
||||
using Microsoft.AspNetCore.Mvc.Testing;
|
||||
using Microsoft.AspNetCore.TestHost;
|
||||
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
||||
using Microsoft.IdentityModel.Logging;
|
||||
using Microsoft.Extensions.Configuration;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.Extensions.Logging;
|
||||
@@ -577,6 +579,7 @@ public sealed class WebServiceEndpointsTests : IAsyncLifetime
|
||||
[Fact]
|
||||
public async Task AdvisoryIngestEndpoint_RejectsCrossTenantWhenAuthenticated()
|
||||
{
|
||||
IdentityModelEventSource.ShowPII = true;
|
||||
var environment = new Dictionary<string, string?>
|
||||
{
|
||||
["CONCELIER_AUTHORITY__ENABLED"] = "true",
|
||||
@@ -604,11 +607,29 @@ public sealed class WebServiceEndpointsTests : IAsyncLifetime
|
||||
environment);
|
||||
|
||||
using var client = factory.CreateClient();
|
||||
var schemes = await factory.Services.GetRequiredService<IAuthenticationSchemeProvider>().GetAllSchemesAsync();
|
||||
_output.WriteLine("Schemes => " + string.Join(',', schemes.Select(s => s.Name)));
|
||||
var token = CreateTestToken("tenant-auth", StellaOpsScopes.AdvisoryIngest);
|
||||
_output.WriteLine("token => " + token);
|
||||
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
|
||||
client.DefaultRequestHeaders.Add("X-Stella-Tenant", "tenant-auth");
|
||||
|
||||
var ingestResponse = await client.PostAsJsonAsync("/ingest/advisory", BuildAdvisoryIngestRequest("sha256:auth-1", "GHSA-AUTH-001"));
|
||||
if (ingestResponse.StatusCode != HttpStatusCode.Created)
|
||||
{
|
||||
var body = await ingestResponse.Content.ReadAsStringAsync();
|
||||
_output.WriteLine($"ingestResponse => {(int)ingestResponse.StatusCode} {ingestResponse.StatusCode}: {body}");
|
||||
var authLogs = factory.LoggerProvider.Snapshot("Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler");
|
||||
foreach (var entry in authLogs)
|
||||
{
|
||||
_output.WriteLine($"authLog => {entry.Level}: {entry.Message} ({entry.Exception?.Message})");
|
||||
}
|
||||
var programLogs = factory.LoggerProvider.Snapshot("StellaOps.Concelier.WebService.Program");
|
||||
foreach (var entry in programLogs)
|
||||
{
|
||||
_output.WriteLine($"programLog => {entry.Level}: {entry.Message}");
|
||||
}
|
||||
}
|
||||
Assert.Equal(HttpStatusCode.Created, ingestResponse.StatusCode);
|
||||
|
||||
client.DefaultRequestHeaders.Remove("X-Stella-Tenant");
|
||||
|
||||
Reference in New Issue
Block a user