Add Authority Advisory AI and API Lifecycle Configuration

- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings. - Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations. - Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration. - Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options. - Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations. - Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client. - Updated project file to include necessary package references for the new Issuer Directory Client library.
2025-11-02 13:40:38 +02:00
parent 66cb6c4b8a
commit f98cea3bcf
516 changed files with 68157 additions and 24754 deletions
--- a/src/Notify/StellaOps.Notify.WebService/Options/NotifyWebServiceOptions.cs
+++ b/src/Notify/StellaOps.Notify.WebService/Options/NotifyWebServiceOptions.cs
@@ -55,11 +55,13 @@ public sealed class NotifyWebServiceOptions

        public int TokenClockSkewSeconds { get; set; } = 60;

-        public IList<string> Audiences { get; set; } = new List<string> { "notify" };
-
-        public string ReadScope { get; set; } = "notify.read";
-
-        public string AdminScope { get; set; } = "notify.admin";
+        public IList<string> Audiences { get; set; } = new List<string> { "notify" };
+
+        public string ViewerScope { get; set; } = "notify.viewer";
+
+        public string OperatorScope { get; set; } = "notify.operator";
+
+        public string AdminScope { get; set; } = "notify.admin";

        /// <summary>
        /// Optional development signing key for symmetric JWT validation when Authority is disabled.
--- a/src/Notify/StellaOps.Notify.WebService/Options/NotifyWebServiceOptionsValidator.cs
+++ b/src/Notify/StellaOps.Notify.WebService/Options/NotifyWebServiceOptionsValidator.cs
@@ -60,9 +60,11 @@ internal static class NotifyWebServiceOptionsValidator
                throw new InvalidOperationException("notify:authority:audiences must include at least one value.");
            }

-            if (string.IsNullOrWhiteSpace(authority.AdminScope) || string.IsNullOrWhiteSpace(authority.ReadScope))
-            {
-                throw new InvalidOperationException("notify:authority admin and read scopes must be configured.");
+            if (string.IsNullOrWhiteSpace(authority.AdminScope)
+                || string.IsNullOrWhiteSpace(authority.OperatorScope)
+                || string.IsNullOrWhiteSpace(authority.ViewerScope))
+            {
+                throw new InvalidOperationException("notify:authority admin, operator, and viewer scopes must be configured.");
            }
        }
        else
--- a/src/Notify/StellaOps.Notify.WebService/Program.cs
+++ b/src/Notify/StellaOps.Notify.WebService/Program.cs
--- a/src/Notify/StellaOps.Notify.WebService/Security/AllowAllAuthenticationHandler.cs
+++ b/src/Notify/StellaOps.Notify.WebService/Security/AllowAllAuthenticationHandler.cs
@@ -0,0 +1,31 @@
+using System;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace StellaOps.Notify.WebService.Security;
+
+internal sealed class AllowAllAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
+{
+    public const string SchemeName = "Notify.AllowAll";
+
+#pragma warning disable CS0618
+    public AllowAllAuthenticationHandler(
+        IOptionsMonitor<AuthenticationSchemeOptions> options,
+        ILoggerFactory logger,
+        UrlEncoder encoder,
+        ISystemClock clock)
+        : base(options, logger, encoder, clock)
+    {
+    }
+#pragma warning restore CS0618
+
+    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        var principal = new ClaimsPrincipal(new ClaimsIdentity());
+        var ticket = new AuthenticationTicket(principal, Scheme.Name);
+        return Task.FromResult(AuthenticateResult.Success(ticket));
+    }
+}
--- a/src/Notify/StellaOps.Notify.WebService/Security/NotifyPolicies.cs
+++ b/src/Notify/StellaOps.Notify.WebService/Security/NotifyPolicies.cs
@@ -1,7 +1,8 @@
 namespace StellaOps.Notify.WebService.Security;

-internal static class NotifyPolicies
-{
-    public const string Read = "notify.read";
-    public const string Admin = "notify.admin";
-}
+internal static class NotifyPolicies
+{
+    public const string Viewer = "notify.viewer";
+    public const string Operator = "notify.operator";
+    public const string Admin = "notify.admin";
+}