f0662dd45f
- Added DefaultCryptoHmac class implementing ICryptoHmac interface. - Introduced purpose-based HMAC computation methods. - Implemented verification methods for HMACs with constant-time comparison. - Created HmacAlgorithms and HmacPurpose classes for well-known identifiers. - Added compliance profile support for HMAC algorithms. - Included asynchronous methods for HMAC computation from streams.
141 lines
5.0 KiB
Plaintext
141 lines
5.0 KiB
Plaintext
# Concelier configuration template for StellaOps deployments.
|
|
# Copy to ../etc/concelier.yaml (relative to the web service content root)
|
|
# and adjust the values to match your environment. Environment variables
|
|
# (prefixed with CONCELIER_) override these settings at runtime.
|
|
|
|
storage:
|
|
driver: mongo
|
|
# Mongo connection string. Use SRV URI or standard connection string.
|
|
dsn: "mongodb://concelier:concelier@mongo:27017/concelier?authSource=admin"
|
|
# Optional database name; defaults to the name embedded in the DSN or 'concelier'.
|
|
database: "concelier"
|
|
# Mongo command timeout in seconds.
|
|
commandTimeoutSeconds: 30
|
|
|
|
# PostgreSQL storage for LNM linkset cache (optional).
|
|
# When enabled, the Link-Not-Merge linkset cache is stored in PostgreSQL
|
|
# instead of MongoDB, providing improved query performance for large datasets.
|
|
postgresStorage:
|
|
enabled: false
|
|
# PostgreSQL connection string. Required when enabled.
|
|
connectionString: "Host=localhost;Port=5432;Database=concelier;Username=concelier;Password=concelier"
|
|
# Command timeout in seconds.
|
|
commandTimeoutSeconds: 30
|
|
# Connection pool settings.
|
|
maxPoolSize: 100
|
|
minPoolSize: 1
|
|
connectionIdleLifetimeSeconds: 300
|
|
pooling: true
|
|
# Schema name for LNM tables.
|
|
schemaName: "vuln"
|
|
# Enable automatic migration on startup (set to false in production).
|
|
autoMigrate: false
|
|
# Path to SQL migration files. Required if autoMigrate is true.
|
|
# migrationsPath: "./migrations/concelier-postgres"
|
|
|
|
plugins:
|
|
# Concelier resolves plug-ins relative to the content root; override as needed.
|
|
baseDirectory: ".."
|
|
directory: "StellaOps.Concelier.PluginBinaries"
|
|
searchPatterns:
|
|
- "StellaOps.Concelier.Plugin.*.dll"
|
|
|
|
telemetry:
|
|
enabled: true
|
|
enableTracing: false
|
|
enableMetrics: false
|
|
enableLogging: true
|
|
minimumLogLevel: "Information"
|
|
serviceName: "stellaops-concelier"
|
|
# Configure OTLP endpoint when shipping traces/metrics/logs out-of-band.
|
|
otlpEndpoint: ""
|
|
# Optional headers for OTLP exporters, for example authentication tokens.
|
|
otlpHeaders: {}
|
|
# Attach additional resource attributes to telemetry exports.
|
|
resourceAttributes:
|
|
deployment.environment: "local"
|
|
# Emit console exporters for local debugging.
|
|
exportConsole: true
|
|
|
|
authority:
|
|
enabled: false
|
|
# Temporary rollout flag. When true, Concelier logs anonymous access but does not fail requests
|
|
# without tokens. Set to false before 2025-12-31 UTC to enforce authentication fully.
|
|
allowAnonymousFallback: true
|
|
# Issuer advertised by StellaOps Authority (e.g. https://authority.stella-ops.local).
|
|
issuer: "https://authority.stella-ops.local"
|
|
# Optional explicit metadata address; defaults to {issuer}/.well-known/openid-configuration.
|
|
metadataAddress: ""
|
|
requireHttpsMetadata: true
|
|
backchannelTimeoutSeconds: 30
|
|
tokenClockSkewSeconds: 60
|
|
audiences:
|
|
- "api://concelier"
|
|
requiredScopes:
|
|
- "concelier.jobs.trigger"
|
|
- "advisory:read"
|
|
- "advisory:ingest"
|
|
requiredTenants:
|
|
- "tenant-default"
|
|
# Outbound credentials Concelier can use to call Authority (client credentials flow).
|
|
clientId: "concelier-jobs"
|
|
# Prefer storing the secret outside of the config file. Provide either clientSecret or clientSecretFile.
|
|
clientSecret: ""
|
|
clientSecretFile: ""
|
|
clientScopes:
|
|
- "concelier.jobs.trigger"
|
|
- "advisory:read"
|
|
- "advisory:ingest"
|
|
resilience:
|
|
# Enable deterministic retry/backoff when Authority is briefly unavailable.
|
|
enableRetries: true
|
|
retryDelays:
|
|
- "00:00:01"
|
|
- "00:00:02"
|
|
- "00:00:05"
|
|
# Allow stale discovery/JWKS responses when Authority is offline (extend tolerance as needed for air-gapped mirrors).
|
|
allowOfflineCacheFallback: true
|
|
offlineCacheTolerance: "00:10:00"
|
|
# Networks allowed to bypass authentication (loopback by default for on-host cron jobs).
|
|
bypassNetworks:
|
|
- "127.0.0.1/32"
|
|
- "::1/128"
|
|
|
|
mirror:
|
|
enabled: false
|
|
# Directory containing JSON exporter outputs (absolute or relative to content root).
|
|
exportRoot: "exports/json"
|
|
# Optional explicit export identifier; defaults to `latest` symlink or most recent export.
|
|
activeExportId: ""
|
|
latestDirectoryName: "latest"
|
|
mirrorDirectoryName: "mirror"
|
|
requireAuthentication: false
|
|
maxIndexRequestsPerHour: 600
|
|
domains:
|
|
- id: "primary"
|
|
displayName: "Primary Mirror"
|
|
requireAuthentication: false
|
|
maxDownloadRequestsPerHour: 1200
|
|
|
|
sources:
|
|
ghsa:
|
|
apiToken: "${GITHUB_PAT}"
|
|
pageSize: 50
|
|
maxPagesPerFetch: 5
|
|
requestDelay: "00:00:00.200"
|
|
failureBackoff: "00:05:00"
|
|
rateLimitWarningThreshold: 500
|
|
secondaryRateLimitBackoff: "00:02:00"
|
|
cve:
|
|
baseEndpoint: "https://cveawg.mitre.org/api/"
|
|
apiOrg: ""
|
|
apiUser: ""
|
|
apiKey: ""
|
|
# Optional mirror used when credentials are unavailable.
|
|
seedDirectory: "./seed-data/cve"
|
|
pageSize: 200
|
|
maxPagesPerFetch: 5
|
|
initialBackfill: "30.00:00:00"
|
|
requestDelay: "00:00:00.250"
|
|
failureBackoff: "00:10:00"
|