stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/checked/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware.md
master cf5b72974f save checkpoint
2026-02-11 01:32:14 +02:00

99 lines
6.6 KiB
Markdown
Raw Blame History

# Gateway Identity Header Strip-and-Overwrite Policy Middleware
## Module
Gateway
## Status
VERIFIED
## Description
Security middleware that enforces identity header integrity at the Gateway/Router level. Strips incoming identity headers from external requests and overwrites them with verified claims from the authenticated session, preventing header spoofing attacks in service-to-service communication.
## Implementation Details
- **Identity header middleware**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/IdentityHeaderPolicyMiddleware.cs` -- strips incoming identity headers and overwrites with verified claims (335 lines)
- **Claims store**: `src/Gateway/StellaOps.Gateway.WebService/Authorization/EffectiveClaimsStore.cs`, `IEffectiveClaimsStore.cs` -- manages effective claims after header processing
- **Authorization middleware**: `src/Gateway/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs` -- enforces authorization after identity header processing
- **Sender constraints**: `src/Gateway/StellaOps.Gateway.WebService/Middleware/SenderConstraintMiddleware.cs` -- validates sender identity
- **Source**: SPRINT_8100_0011_0002_gateway_identity_header_hardening.md
## E2E Test Plan
- [x] Verify incoming identity headers are stripped from external requests
- [x] Test verified claims replace stripped headers correctly
- [x] Verify header spoofing attempts are blocked
- [x] Test service-to-service communication uses verified identity headers
- [x] Verify edge cases and error handling
## Verification
- **Run ID**: run-002
- **Date**: 2026-02-09
- **Method**: Tier 1 code review + Tier 2d integration tests
- **Build**: PASS (0 errors, 0 warnings)
- **Tests**: PASS (202/202 gateway tests pass)
- **Code Review**:
- IdentityHeaderPolicyMiddleware (335 lines): Lists 14 reserved headers (X-StellaOps-* and legacy X-Stella-*), strips all from incoming requests, extracts identity from validated ClaimsPrincipal, writes canonical + legacy downstream headers.
- IdentityHeaderPolicyMiddlewareTests (502 lines, 18+ tests): Security-focused assertions verifying spoofed headers are replaced, raw claim headers stripped, scopes sorted deterministically, system paths bypass processing.
- Strongest test coverage in the module.
- **Verdict**: PASS
## Tier 2 Recheck (2026-02-10)
- **Run ID**: run-003
- **Result**: PASS
- **What was rechecked**: Spoofed identity-header request path replay plus regression-suite confirmation for identity header strip/overwrite behavior.
- **Evidence**: `docs/qa/feature-checks/runs/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware/run-003/tier2-integration-check.json`
## Recheck (run-005)
- **Date**: 2026-02-10
- **Result**: PASS
- **Verification**: Identity header strip/overwrite anti-spoofing behavior remains stable.
- **Tests**: Gateway.WebService.Tests 259/259, Router Gateway WebService.Tests 160/160, Router.Gateway.Tests 13/13 (432 total).
- **Evidence**: `docs/qa/feature-checks/runs/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware/run-005/tier2-integration-check.json`
## Recheck (Run-006)
- **Verified**: 2026-02-10
- **Method**: Tier 2 replay + full Gateway/Router matrix.
- **Tests**: PASS (`src/Gateway/__Tests/StellaOps.Gateway.WebService.Tests`: 259/259; `src/Router/__Tests/StellaOps.Gateway.WebService.Tests`: 160/160; `src/Router/__Tests/StellaOps.Router.Gateway.Tests`: 13/13).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware/run-006/tier2-integration-check.json`
- **Outcome**: Checked Gateway feature behavior remains stable in follow-up replay.
## Recheck (Run-007)
- **Verified**: 2026-02-10
- **Method**: Tier 2 integration replay.
- **Tests**: PASS (src/Gateway/__Tests/StellaOps.Gateway.WebService.Tests: 259/259; src/Router/__Tests/StellaOps.Gateway.WebService.Tests: 160/160; src/Router/__Tests/StellaOps.Router.Gateway.Tests: 13/13).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware/run-007/tier2-integration-check.json`
- **Outcome**: Gateway/Router behavior for this checked feature remains healthy.
## Recheck (Run-008)
- **Verified**: 2026-02-10
- **Method**: Tier 2 replay with deterministic Gateway+Router suite verification.
- **Tests**: PASS (src/Gateway/__Tests/StellaOps.Gateway.WebService.Tests: 259/259; src/Router/__Tests/StellaOps.Gateway.WebService.Tests: 160/160; src/Router/__Tests/StellaOps.Router.Gateway.Tests: 13/13).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware/run-008/tier2-integration-check.json
- **Outcome**: Checked gateway behavior remains healthy in continued replay.
## Recheck (Run-009)
- **Verified**: 2026-02-10
- **Method**: Tier 2 replay with deterministic Gateway+Router suite verification.
- **Tests**: PASS (src/Gateway/__Tests/StellaOps.Gateway.WebService.Tests: 259/259; src/Router/__Tests/StellaOps.Gateway.WebService.Tests: 160/160; src/Router/__Tests/StellaOps.Router.Gateway.Tests: 13/13).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware/run-009/tier2-integration-check.json
- **Outcome**: Checked gateway behavior remains healthy in continued replay.
## Recheck (Run-010)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (Gateway.WebService.Tests 259/259, Router.Gateway.WebService.Tests 160/160, Router.Gateway.Tests 13/13).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware/run-010/tier2-integration-check.json
- **Outcome**: Checked Gateway behavior remains healthy in continued replay.
## Recheck (Run-011)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware/run-011/tier2-integration-check.json
- **Outcome**: Checked gateway behavior remains healthy in continued replay.
## Recheck (Run-012)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (Gateway.WebService 259/259, Router.Gateway.WebService 160/160, Router.Gateway 13/13; total 432/432).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/gateway/gateway-identity-header-strip-and-overwrite-policy-middleware/run-012/tier2-integration-check.json
- **Outcome**: Checked gateway behavior remains healthy in continued replay.
Reference in New Issue View Git Blame Copy Permalink