StellaOps Bot 907783f625 Add property-based tests for SBOM/VEX document ordering and Unicode normalization determinism
- Implement `SbomVexOrderingDeterminismProperties` for testing component list and vulnerability metadata hash consistency.
- Create `UnicodeNormalizationDeterminismProperties` to validate NFC normalization and Unicode string handling.
- Add project file for `StellaOps.Testing.Determinism.Properties` with necessary dependencies.
- Introduce CI/CD template validation tests including YAML syntax checks and documentation content verification.
- Create validation script for CI/CD templates ensuring all required files and structures are present.
2025-12-26 15:17:58 +02:00


using System.ComponentModel.DataAnnotations;
namespace StellaOps.Signer.Keyless;
/// <summary>
/// Root configuration for keyless (Sigstore-style) signing, bound from the
/// <see cref="SectionName"/> configuration section.
/// </summary>
/// <remarks>
/// Each nested options object is created eagerly so that binding a partially
/// populated section never leaves a sub-section <c>null</c>.
/// </remarks>
public sealed class SignerKeylessOptions
{
    /// <summary>
    /// Name of the configuration section this type is bound from.
    /// </summary>
    public const string SectionName = "Signer:Keyless";

    /// <summary>
    /// Master switch for keyless signing; defaults to <c>false</c> (off).
    /// </summary>
    public bool Enabled { get; set; }

    /// <summary>
    /// Settings for the Fulcio certificate authority (endpoint, timeout, retry policy).
    /// </summary>
    public FulcioOptions Fulcio { get; set; } = new FulcioOptions();

    /// <summary>
    /// Settings for obtaining the OIDC identity token that Fulcio exchanges for a certificate.
    /// </summary>
    public OidcOptions Oidc { get; set; } = new OidcOptions();

    /// <summary>
    /// Preferred and allowed signing algorithms.
    /// </summary>
    public AlgorithmOptions Algorithms { get; set; } = new AlgorithmOptions();

    /// <summary>
    /// Trust roots and validation switches applied to the issued signing certificate.
    /// </summary>
    public CertificateOptions Certificate { get; set; } = new CertificateOptions();

    /// <summary>
    /// Expected issuer and subject constraints checked during identity verification.
    /// </summary>
    public IdentityOptions Identity { get; set; } = new IdentityOptions();
}
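/// <summary>
/// Fulcio CA configuration options: where certificate requests are sent and
/// how transient failures are retried.
/// </summary>
/// <remarks>
/// Validation attributes are only enforced when the host validates data
/// annotations on this options type; the defaults below satisfy all of them.
/// </remarks>
public sealed class FulcioOptions
{
    /// <summary>
    /// The Fulcio CA URL that certificate requests are sent to.
    /// Defaults to the public Sigstore instance. Must be an absolute http(s) URL.
    /// </summary>
    [Required]
    [Url]
    public string Url { get; set; } = "https://fulcio.sigstore.dev";

    /// <summary>
    /// Per-request timeout for calls to Fulcio. Defaults to 30 seconds.
    /// </summary>
    public TimeSpan Timeout { get; set; } = TimeSpan.FromSeconds(30);

    /// <summary>
    /// Number of retry attempts after the initial request. Defaults to 3.
    /// A negative value is rejected by data-annotation validation, since it has no meaning.
    /// </summary>
    [Range(0, int.MaxValue)]
    public int Retries { get; set; } = 3;

    /// <summary>
    /// Base duration for exponential backoff between retries. Defaults to 1 second.
    /// </summary>
    public TimeSpan BackoffBase { get; set; } = TimeSpan.FromSeconds(1);

    /// <summary>
    /// Upper bound for the backoff delay between retries. Defaults to 30 seconds.
    /// </summary>
    public TimeSpan BackoffMax { get; set; } = TimeSpan.FromSeconds(30);
}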
/// <summary>
/// OIDC configuration used to acquire the identity token presented to Fulcio.
/// </summary>
/// <remarks>
/// Two acquisition paths are described by these properties: a client-credential
/// flow (<see cref="Issuer"/>, <see cref="ClientId"/>, <see cref="ClientSecretRef"/>)
/// and an ambient token read from a file (<see cref="UseAmbientToken"/>,
/// <see cref="AmbientTokenPath"/>). Which one the signer picks, and how they
/// interact when both are set, is decided by the consuming code, not here.
/// </remarks>
public sealed class OidcOptions
{
    /// <summary>
    /// The OIDC issuer URL. Unset by default.
    /// </summary>
    public string? Issuer { get; set; }

    /// <summary>
    /// The OAuth2 client ID. Unset by default.
    /// </summary>
    public string? ClientId { get; set; }

    /// <summary>
    /// A reference to the client secret, not the secret itself
    /// (e.g., "env:SIGNER_OIDC_CLIENT_SECRET"). Keeping only the reference in
    /// configuration avoids persisting the secret alongside other settings.
    /// </summary>
    public string? ClientSecretRef { get; set; }

    /// <summary>
    /// When <c>true</c>, use the ambient OIDC token provided by the CI runner.
    /// Defaults to <c>false</c>.
    /// </summary>
    public bool UseAmbientToken { get; set; }

    /// <summary>
    /// Path of the file holding the ambient OIDC token. Defaults to the
    /// conventional projected-token location; presumably only read when
    /// <see cref="UseAmbientToken"/> is set — confirm against the token provider.
    /// </summary>
    public string? AmbientTokenPath { get; set; } = "/var/run/secrets/tokens/oidc";

    /// <summary>
    /// How long before expiry a token is refreshed. Defaults to one minute.
    /// </summary>
    public TimeSpan RefreshBefore { get; set; } = new TimeSpan(0, 1, 0);
}
/// <summary>
/// Signing algorithm configuration: the algorithm chosen for new signatures
/// and the set the signer is willing to use at all.
/// </summary>
/// <remarks>
/// Whether <see cref="Preferred"/> is required to appear in <see cref="Allowed"/>
/// is not enforced by this type; the defaults are consistent with each other.
/// </remarks>
public sealed class AlgorithmOptions
{
    /// <summary>
    /// Algorithm used for new signings. Defaults to ECDSA P-256.
    /// </summary>
    public string Preferred { get; set; } = KeylessAlgorithms.EcdsaP256;

    /// <summary>
    /// Algorithms the signer may use. Defaults to ECDSA P-256 and Ed25519.
    /// </summary>
    public List<string> Allowed { get; set; } = new List<string>
    {
        KeylessAlgorithms.EcdsaP256,
        KeylessAlgorithms.Ed25519,
    };
}
/// <summary>
/// Trust configuration for the certificate Fulcio issues: which roots are
/// trusted and which validation steps are performed.
/// </summary>
/// <remarks>
/// Both validation switches default to <c>true</c>; turning either off widens
/// what the signer accepts and should be a deliberate, documented choice.
/// </remarks>
public sealed class CertificateOptions
{
    /// <summary>
    /// Path to the Fulcio root CA bundle. Unset by default.
    /// </summary>
    public string? RootBundlePath { get; set; }

    /// <summary>
    /// Extra trusted root certificates, each as a PEM string. Empty by default.
    /// </summary>
    public List<string> AdditionalRoots { get; set; } = new List<string>();

    /// <summary>
    /// Whether the issued certificate's chain is validated against the trusted roots.
    /// Defaults to <c>true</c>.
    /// </summary>
    public bool ValidateChain { get; set; } = true;

    /// <summary>
    /// Whether a Signed Certificate Timestamp (SCT) is required on the issued certificate.
    /// Defaults to <c>true</c>.
    /// </summary>
    public bool RequireSct { get; set; } = true;
}
/// <summary>
/// Constraints on the signer identity embedded in the issued certificate.
/// </summary>
/// <remarks>
/// Both lists default to empty. What an empty list means at verification time
/// (accept any identity, or accept none) is decided by the verifier that
/// consumes these options, not by this type — confirm before relying on the default.
/// </remarks>
public sealed class IdentityOptions
{
    /// <summary>
    /// OIDC issuers that are accepted during verification. Empty by default.
    /// </summary>
    public List<string> ExpectedIssuers { get; set; } = new List<string>();

    /// <summary>
    /// Regular-expression patterns a certificate's SAN subject must match. Empty by default.
    /// </summary>
    public List<string> ExpectedSubjectPatterns { get; set; } = new List<string>();
}