wip: doctor/cli/docs/api to vector db consolidation; api hardening for descriptions, tenant, and scopes; migrations and conversions of all DALs to EF v10
This commit is contained in:
master
@@ -1,7 +1,9 @@
|
||||
|
||||
using Microsoft.AspNetCore.Builder;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using StellaOps.Auth.Abstractions;
|
||||
using StellaOps.Auth.ServerIntegration;
|
||||
using StellaOps.SmRemote.Service.Security;
|
||||
using Microsoft.Extensions.Hosting;
|
||||
using Microsoft.Extensions.Options;
|
||||
using StellaOps.Cryptography;
|
||||
@@ -30,6 +32,14 @@ builder.Services.AddSingleton<ICryptoProviderRegistry>(_ =>
|
||||
builder.Services.AddHttpContextAccessor();
|
||||
builder.Services.AddEndpointsApiExplorer();
|
||||
|
||||
// Authentication and authorization
|
||||
builder.Services.AddStellaOpsResourceServerAuthentication(builder.Configuration);
|
||||
builder.Services.AddAuthorization(options =>
|
||||
{
|
||||
options.AddStellaOpsScopePolicy(SmRemotePolicies.Sign, StellaOpsScopes.SmRemoteSign);
|
||||
options.AddStellaOpsScopePolicy(SmRemotePolicies.Verify, StellaOpsScopes.SmRemoteVerify);
|
||||
});
|
||||
|
||||
builder.Services.AddStellaOpsCors(builder.Environment, builder.Configuration);
|
||||
|
||||
// Stella Router integration
|
||||
@@ -50,15 +60,23 @@ if (app.Environment.IsDevelopment())
|
||||
}
|
||||
|
||||
app.UseStellaOpsCors();
|
||||
app.UseAuthentication();
|
||||
app.UseAuthorization();
|
||||
app.TryUseStellaRouter(routerEnabled);
|
||||
|
||||
app.MapGet("/health", () => Results.Ok(new SmHealthResponse("ok")));
|
||||
app.MapGet("/health", () => Results.Ok(new SmHealthResponse("ok")))
|
||||
.WithName("SmRemoteHealth")
|
||||
.WithDescription("Returns the liveness status of the SM Remote crypto service. Always returns 200 OK with status 'ok' when the service is running. Used by infrastructure health probes.")
|
||||
.AllowAnonymous();
|
||||
|
||||
app.MapGet("/status", (ICryptoProviderRegistry registry) =>
|
||||
{
|
||||
var algorithms = new[] { SignatureAlgorithms.Sm2 };
|
||||
return Results.Ok(new SmStatusResponse(true, "cn.sm.soft", algorithms));
|
||||
});
|
||||
})
|
||||
.WithName("SmRemoteStatus")
|
||||
.WithDescription("Returns the availability status and supported algorithms of the SM Remote crypto provider. Reports the active provider name (cn.sm.soft or cn.sm.remote.http) and the list of supported signature algorithms.")
|
||||
.AllowAnonymous();
|
||||
|
||||
app.MapPost("/hash", (HashRequest req) =>
|
||||
{
|
||||
@@ -78,7 +96,10 @@ app.MapPost("/hash", (HashRequest req) =>
|
||||
algorithmId,
|
||||
Convert.ToBase64String(hash),
|
||||
Convert.ToHexString(hash).ToLowerInvariant()));
|
||||
});
|
||||
})
|
||||
.WithName("SmRemoteHash")
|
||||
.WithDescription("Computes an SM3 hash of the provided base64-encoded payload. Returns the hash as both base64 and lowercase hex. Defaults to SM3 if algorithmId is omitted. Returns 400 if the payload is missing, invalid base64, or an unsupported algorithm is requested.")
|
||||
.RequireAuthorization(SmRemotePolicies.Sign);
|
||||
|
||||
app.MapPost("/encrypt", (EncryptRequest req) =>
|
||||
{
|
||||
@@ -102,7 +123,9 @@ app.MapPost("/encrypt", (EncryptRequest req) =>
|
||||
var ciphertext = ProcessCipher(cipher, payload);
|
||||
|
||||
return Results.Ok(new EncryptResponse(algorithmId, Convert.ToBase64String(ciphertext)));
|
||||
});
|
||||
})
|
||||
.WithName("SmRemoteEncrypt")
|
||||
.WithDescription("Encrypts the provided base64-encoded payload using SM4-ECB with PKCS7 padding and the supplied 128-bit (16-byte) base64-encoded key. Returns the ciphertext as base64. Returns 400 if the key, payload, or algorithm is missing, invalid, or the key length is not 16 bytes.");
|
||||
|
||||
app.MapPost("/decrypt", (DecryptRequest req) =>
|
||||
{
|
||||
@@ -132,7 +155,9 @@ app.MapPost("/decrypt", (DecryptRequest req) =>
|
||||
{
|
||||
return Results.BadRequest("invalid ciphertext");
|
||||
}
|
||||
});
|
||||
})
|
||||
.WithName("SmRemoteDecrypt")
|
||||
.WithDescription("Decrypts the provided base64-encoded SM4-ECB ciphertext using the supplied 128-bit (16-byte) base64-encoded key with PKCS7 unpadding. Returns the plaintext payload as base64. Returns 400 if the key, ciphertext, or algorithm is invalid, or if the ciphertext padding is corrupt.");
|
||||
|
||||
app.MapPost("/sign", async (SignRequest req, ICryptoProviderRegistry registry, TimeProvider timeProvider, CancellationToken ct) =>
|
||||
{
|
||||
@@ -151,7 +176,9 @@ app.MapPost("/sign", async (SignRequest req, ICryptoProviderRegistry registry, T
|
||||
var signer = resolution.Signer;
|
||||
var signature = await signer.SignAsync(payload, ct);
|
||||
return Results.Ok(new SignResponse(Convert.ToBase64String(signature)));
|
||||
});
|
||||
})
|
||||
.WithName("SmRemoteSign")
|
||||
.WithDescription("Signs the provided base64-encoded payload using the SM2 algorithm and the specified key ID. Seeds the key from an ephemeral EC key pair if not already present. Returns the base64-encoded SM2 signature. Returns 400 if the key ID, algorithm, or payload is missing or invalid.");
|
||||
|
||||
app.MapPost("/verify", async (VerifyRequest req, ICryptoProviderRegistry registry, TimeProvider timeProvider, CancellationToken ct) =>
|
||||
{
|
||||
@@ -169,7 +196,9 @@ app.MapPost("/verify", async (VerifyRequest req, ICryptoProviderRegistry registr
|
||||
var signer = resolution.Signer;
|
||||
var ok = await signer.VerifyAsync(payload, signature, ct);
|
||||
return Results.Ok(new VerifyResponse(ok));
|
||||
});
|
||||
})
|
||||
.WithName("SmRemoteVerify")
|
||||
.WithDescription("Verifies an SM2 signature against the provided base64-encoded payload using the specified key ID. Returns a boolean valid field indicating whether the signature matches. Returns 400 if the key ID, algorithm, payload, or signature is missing or invalid base64.");
|
||||
|
||||
app.TryRefreshStellaRouterEndpoints(routerEnabled);
|
||||
app.Run();
|
||||
|
||||
@@ -0,0 +1,16 @@
|
||||
// Copyright (c) StellaOps. Licensed under the BUSL-1.1.
|
||||
|
||||
namespace StellaOps.SmRemote.Service.Security;
|
||||
|
||||
/// <summary>
|
||||
/// Named authorization policy constants for the SM Remote cryptography service.
|
||||
/// Policies are registered via AddStellaOpsScopePolicy in Program.cs.
|
||||
/// </summary>
|
||||
internal static class SmRemotePolicies
|
||||
{
|
||||
/// <summary>Policy for signing and hash operations. Requires sm-remote:sign scope.</summary>
|
||||
public const string Sign = "SmRemote.Sign";
|
||||
|
||||
/// <summary>Policy for signature verification operations. Requires sm-remote:verify scope.</summary>
|
||||
public const string Verify = "SmRemote.Verify";
|
||||
}
|
||||
Reference in New Issue
Block a user