stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
8d153522b01f9f81cb0fdcb899d893c1d70cc917
git.stella-ops.org/docs/security/authority-threat-model.md
Vladimir Moushkov ea1106ce7c up
2025-10-15 10:03:56 +03:00

7.1 KiB
Raw Blame History

Authority Threat Model (STRIDE)

Prepared by Security Guild — 2025-10-12. Scope covers Authority host, Standard plug-in, CLI, bootstrap workflow, and offline revocation distribution.

1. Scope & Method

  • Methodology: STRIDE applied to primary Authority surfaces (token issuance, bootstrap, revocation, operator tooling, plug-in extensibility).
  • Assets in scope: identity credentials, OAuth tokens (access/refresh), bootstrap invites, revocation manifests, signing keys, audit telemetry.
  • Out of scope: Third-party IdPs federated via OpenIddict (tracked separately in SEC6 backlog).

2. Assets & Entry Points

Asset / Surface Description Primary Actors
Token issuance APIs (/token, /authorize) OAuth/OIDC endpoints mediated by OpenIddict CLI, UI, automation agents
Bootstrap channel Initial admin invite + bootstrap CLI workflow Platform operators
Revocation bundle Offline JSON + detached JWS consumed by agents Feedser, Agents, Zastava
Plug-in manifests Standard plug-in configuration and password policy overrides Operators, DevOps
Signing keys ES256 signing keys backing tokens and revocation manifests Security Guild, HSM/KeyOps
Audit telemetry Structured login/audit stream persisted to Mongo/observability stack SOC, SecOps

3. Trust Boundaries

Boundary Rationale Controls
TB1 — Public network ↔️ Authority ingress Internet/extranet exposure for /token, /authorize, /bootstrap TLS 1.3, reverse proxy ACLs, rate limiting (SEC3.A / CORE8.RL)
TB2 — Authority host ↔️ Mongo storage Credential store, revocation state, audit log persistence Authenticated Mongo, network segmentation, deterministic serializers
TB3 — Authority host ↔️ Plug-in sandbox Plug-ins may override password policy and bootstrap flows Code signing, manifest validation, restart-time loading only
TB4 — Operator workstation ↔️ CLI CLI holds bootstrap secrets and revocation bundles OS keychain storage, MFA on workstations, offline kit checksum
TB5 — Authority ↔️ Downstream agents Revocation bundle consumption, token validation Mutual TLS (planned), detached JWS signatures, bundle freshness checks

4. Data Flow Diagrams

4.1 Runtime token issuance

flowchart LR
    subgraph Client Tier
        CLI[StellaOps CLI]
        UI[UI / Automation]
    end
    subgraph Perimeter
        RP[Reverse Proxy / WAF]
    end
    subgraph Authority
        AUTH[Authority Host]
        PLGIN[Standard Plug-in]
        STORE[(Mongo Credential Store)]
    end
    CLI -->|OAuth password / client creds| RP --> AUTH
    UI -->|OAuth flows| RP
    AUTH -->|PasswordHashOptions + Secrets| PLGIN
    AUTH -->|Verify / Persist hashes| STORE
    STORE -->|Rehash needed| AUTH
    AUTH -->|Access / refresh token| RP --> Client Tier

4.2 Bootstrap & revocation

flowchart LR
    subgraph Operator
        OPS[Operator Workstation]
    end
    subgraph Authority
        AUTH[Authority Host]
        STORE[(Mongo)]
    end
    subgraph Distribution
        OFFKIT[Offline Kit Bundle]
        AGENT[Authorized Agent / Feedser]
    end
    OPS -->|Bootstrap CLI (`stellaops auth bootstrap`)| AUTH
    AUTH -->|One-time invite + Argon2 hash| STORE
    AUTH -->|Revocation export (`stellaops auth revoke export`)| OFFKIT
    OFFKIT -->|Signed JSON + .jws| AGENT
    AGENT -->|Revocation ACK / telemetry| AUTH

5. STRIDE Analysis

Threat STRIDE Vector Surface Risk (L×I) Existing Controls Gaps / Actions Owner
Spoofed revocation bundle Spoofing TB5 — Authority ↔️ Agents Med×High Detached JWS signature (planned), offline kit checksums Finalise signing key registry & verification script (SEC4.B/SEC4.HOST); add bundle freshness requirement Security Guild (follow-up: SEC5.B)
Parameter tampering on /token Tampering TB1 — Public ingress Med×High ASP.NET model validation, OpenIddict, rate limiter (CORE8.RL) Tampered requests emit authority.token.tamper audit events (request.tampered, unexpected parameter names) correlating with /token outcomes (SEC5.C) Security Guild + Authority Core (follow-up: SEC5.C)
Bootstrap invite replay Repudiation TB4 — Operator CLI ↔️ Authority Low×High One-time bootstrap tokens, Argon2id hashing on creation Invites expire automatically and emit audit events on consumption/expiration (SEC5.D) Security Guild
Token replay by stolen agent Information Disclosure TB5 Med×High Signed revocation bundles, device fingerprint heuristics, optional mTLS Monitor revocation acknowledgement latency via Zastava and tune replay alerting thresholds Security Guild + Zastava (follow-up: SEC5.E)
Privilege escalation via plug-in override Elevation of Privilege TB3 — Plug-in sandbox Med×High Signed plug-ins, restart-only loading, configuration validation Add static analysis on manifest overrides + runtime warning when policy weaker than host Security Guild + DevOps (follow-up: SEC5.F)
Offline bundle tampering Tampering Distribution Low×High SHA256 manifest, signed bundles (planned) Add supply-chain attestation for Offline Kit, publish verification CLI in docs Security Guild + Ops (follow-up: SEC5.G)
Failure to log denied tokens Repudiation TB2 — Authority ↔️ Mongo Med×Med Serilog structured events (partial), Mongo persistence path (planned) Finalise audit schema (SEC2.A) and ensure /token denies include subject/client/IP fields Security Guild + Authority Core (follow-up: SEC5.H)

Risk scoring uses qualitative scale (Low/Med/High) for likelihood × impact; mitigation priority follows High > Med > Low.

6. Follow-up Backlog Hooks

Backlog ID Linked Threat Summary Target Owners
SEC5.B Spoofed revocation bundle Complete libsodium/Core signing integration and ship revocation verification script. Security Guild + Authority Core
SEC5.C Parameter tampering on /token Finalise audit contract (SEC2.A) and add request tamper logging. Security Guild + Authority Core
SEC5.D Bootstrap invite replay Implement expiry enforcement + audit coverage for unused bootstrap invites. Security Guild
SEC5.E Token replay by stolen agent Coordinate Zastava alerting with the new device fingerprint heuristics and surface stale revocation acknowledgements. Security Guild + Zastava
SEC5.F Plug-in override escalation Static analysis of plug-in manifests; warn on weaker password policy overrides. Security Guild + DevOps
SEC5.G Offline bundle tampering Extend Offline Kit build to include attested manifest + verification CLI sample. Security Guild + Ops
SEC5.H Failure to log denied tokens Ensure audit persistence for all /token denials with correlation IDs. Security Guild + Authority Core

Update src/StellaOps.Cryptography/TASKS.md (Security Guild board) with the above backlog entries to satisfy SEC5.A exit criteria.