stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
c52ca826528b63f38386a0adddecff0eaacfcf30
git.stella-ops.org/docs/features/checked/scanner/api-gateway-boundary-extractor.md
master 5bca406787 save checkpoint: save features
2026-02-12 10:27:23 +02:00

2.6 KiB
Raw Blame History

API Gateway Boundary Extractor (Kong, Envoy/Istio, AWS API Gateway, Traefik)

Module

Scanner

Status

VERIFIED

Description

Parses API gateway configurations from Kong, Envoy/Istio, AWS API Gateway, and Traefik to extract route-level boundary information for reachability analysis. Determines which internal services are exposed through gateway routes.

Implementation Details

  • Core Extractor:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/GatewayBoundaryExtractor.cs - GatewayBoundaryExtractor implements IBoundaryProofExtractor; parses Kong, Envoy/Istio, AWS API Gateway, and Traefik configurations
    • Includes gateway-specific auth detection: DetectKongAuth(), DetectEnvoyAuth() (including Istio JWT/AuthorizationPolicy), DetectTraefikAuth()
    • Identifies Istio mesh internal routes and external ingress routes
  • Supporting Infrastructure:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IacBoundaryExtractor.cs - Infrastructure-as-code boundary extraction
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryServiceCollectionExtensions.cs - DI registration for boundary extractors
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryExtractionContext.cs - Context model for boundary extraction
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/RichGraphBoundaryExtractor.cs - Integrates boundary data into rich graphs
  • Tests:
    • src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/GatewayBoundaryExtractorTests.cs

E2E Test Plan

  • Provide a Kong configuration file with routes exposing internal services and verify extracted boundary information includes route paths, upstream services, and auth requirements
  • Provide an Envoy/Istio configuration with VirtualService and AuthorizationPolicy and verify correct route-to-service mappings and auth detection
  • Provide an AWS API Gateway configuration and verify correct extraction of REST/HTTP API routes with Lambda/ECS integrations
  • Provide a Traefik configuration with middleware auth and verify correct route extraction with authentication metadata
  • Verify extracted boundaries are reflected in the reachability rich graph via GET /api/v1/scans/{scanId}/reachability
  • Verify that gated gateway routes (auth-required) reduce reachability risk scores compared to ungated routes

Verification

  • Run ID: run-001
  • Verified at (UTC): 2026-02-12T06:59:12.7973839Z
  • FLOW tiers: Tier 0 source verification, Tier 1 build/test/code review, Tier 2 integration verification.