save changes

2026-02-17 00:51:35 +02:00
parent 70fdbfcf25
commit fb46a927ad
324 changed files with 4976 additions and 1499 deletions
--- a/src/Policy/StellaOps.Policy.Engine/Program.cs
+++ b/src/Policy/StellaOps.Policy.Engine/Program.cs
@@ -291,6 +291,17 @@ builder.Services.AddStellaOpsResourceServerAuthentication(
    builder.Configuration,
    configurationSection: $"{PolicyEngineOptions.SectionName}:ResourceServer");

+// Accept self-signed certificates when HTTPS metadata validation is disabled (dev/Docker)
+if (!bootstrap.Options.ResourceServer.RequireHttpsMetadata)
+{
+    builder.Services.AddHttpClient("StellaOps.Auth.ServerIntegration.Metadata")
+        .ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
+        {
+            ServerCertificateCustomValidationCallback =
+                HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
+        });
+}
+
 if (bootstrap.Options.Authority.Enabled)
 {
    builder.Services.AddStellaOpsAuthClient(clientOptions =>
--- a/src/Policy/StellaOps.Policy.Gateway/Program.cs
+++ b/src/Policy/StellaOps.Policy.Gateway/Program.cs
@@ -133,6 +133,9 @@ builder.Services.AddAuthentication();
 builder.Services.AddAuthorization();
 builder.Services.AddStellaOpsScopeHandler();
 builder.Services.AddPolicyPostgresStorage(builder.Configuration);
+// Also configure unnamed PostgresOptions so PolicyDataSource (IOptions<PostgresOptions>) resolves the connection string.
+builder.Services.Configure<StellaOps.Infrastructure.Postgres.Options.PostgresOptions>(
+    builder.Configuration.GetSection("Postgres:Policy"));
 builder.Services.AddMemoryCache();

 // Exception services
@@ -198,6 +201,20 @@ builder.Services.AddSingleton<IToolAccessEvaluator, ToolAccessEvaluator>();
 builder.Services.AddStellaOpsResourceServerAuthentication(
    builder.Configuration,
    configurationSection: $"{PolicyGatewayOptions.SectionName}:ResourceServer");
+
+// Accept self-signed certificates when HTTPS metadata validation is disabled (dev/Docker)
+if (!bootstrap.Options.ResourceServer.RequireHttpsMetadata)
+{
+    builder.Services.ConfigureHttpClientDefaults(clientBuilder =>
+    {
+        clientBuilder.ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
+        {
+            ServerCertificateCustomValidationCallback =
+                HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
+        });
+    });
+}
+
 builder.Services.AddSingleton<PolicyGatewayMetrics>();
 builder.Services.AddSingleton<PolicyGatewayDpopProofGenerator>();
 builder.Services.AddSingleton<PolicyEngineTokenProvider>();