git.stella-ops.org/docs/features/unchecked/scanner/api-gateway-boundary-extractor.md

# API Gateway Boundary Extractor (Kong, Envoy/Istio, AWS API Gateway, Traefik)

**Module:** Scanner

**Status:** IMPLEMENTED

## Description

Parses API gateway configurations from Kong, Envoy/Istio, AWS API Gateway, and Traefik to extract route-level boundary information for reachability analysis. Determines which internal services are exposed through gateway routes.

## Implementation Details

- Core Extractor:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/GatewayBoundaryExtractor.cs` - `GatewayBoundaryExtractor` implements `IBoundaryProofExtractor`; parses Kong, Envoy/Istio, AWS API Gateway, and Traefik configurations
  - Includes gateway-specific auth detection: `DetectKongAuth()`, `DetectEnvoyAuth()` (including Istio JWT/AuthorizationPolicy), `DetectTraefikAuth()`
  - Identifies Istio mesh internal routes and external ingress routes
- Supporting Infrastructure:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IacBoundaryExtractor.cs` - Infrastructure-as-code boundary extraction
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryServiceCollectionExtensions.cs` - DI registration for boundary extractors
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryExtractionContext.cs` - Context model for boundary extraction
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/RichGraphBoundaryExtractor.cs` - Integrates boundary data into rich graphs
- Tests:
  - `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/GatewayBoundaryExtractorTests.cs`

## E2E Test Plan

- Provide a Kong configuration file with routes exposing internal services and verify that the extracted boundary information includes route paths, upstream services, and auth requirements
- Provide an Envoy/Istio configuration with VirtualService and AuthorizationPolicy and verify correct route-to-service mappings and auth detection
- Provide an AWS API Gateway configuration and verify correct extraction of REST/HTTP API routes with Lambda/ECS integrations
- Provide a Traefik configuration with middleware auth and verify correct route extraction with authentication metadata
- Verify that extracted boundaries are reflected in the reachability rich graph via `GET /api/v1/scans/{scanId}/reachability`
- Verify that gated gateway routes (auth-required) reduce reachability risk scores compared to ungated routes
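The Kong case of the extractor above (route path, upstream service, auth requirement per route) as an added illustration, written in Python rather than the project's C# and not taken from `GatewayBoundaryExtractor.cs`. The declarative config is constructed for this example; the plugin names are real Kong auth plugin names, and auth is resolved with Kong's inheritance (global, then service, then route scope).

```python
import json
from dataclasses import dataclass

# Kong plugins whose presence gates a route behind authentication.
KONG_AUTH_PLUGINS = {"key-auth", "jwt", "basic-auth", "oauth2",
                     "hmac-auth", "ldap-auth", "openid-connect"}

@dataclass(frozen=True)
class RouteBoundary:
    route: str
    paths: tuple
    upstream: str
    auth_plugins: tuple  # empty tuple means the route is reachable unauthenticated

    @property
    def gated(self) -> bool:
        return bool(self.auth_plugins)

def _active_auth(plugins) -> list:
    """Enabled auth plugins in a Kong plugin list (`enabled` defaults to true)."""
    return [p["name"] for p in plugins or ()
            if p.get("enabled", True) and p["name"] in KONG_AUTH_PLUGINS]

def extract_kong_boundaries(config: dict) -> list:
    """One boundary per route; auth at global or service scope applies to every
    route beneath it, route-scoped plugins apply to that route only."""
    global_auth = _active_auth(config.get("plugins"))
    boundaries = []
    for svc in config.get("services", ()):
        svc_auth = _active_auth(svc.get("plugins"))
        upstream = svc.get("url") or f"{svc.get('host')}:{svc.get('port', 80)}"
        for route in svc.get("routes", ()):
            auth = sorted(set(global_auth + svc_auth + _active_auth(route.get("plugins"))))
            boundaries.append(RouteBoundary(route.get("name", "<unnamed>"),
                                            tuple(route.get("paths", ())), upstream, tuple(auth)))
    return boundaries

def ungated_routes(boundaries) -> list:
    """Routes that expose an upstream with no auth plugin: the higher-risk boundaries."""
    return [b.route for b in boundaries if not b.gated]

# Constructed Kong declarative config (decK/JSON form) for the example.
SAMPLE_KONG_CONFIG = json.loads("""{
  "_format_version": "3.0",
  "plugins": [{"name": "rate-limiting", "config": {"minute": 100}}],
  "services": [
    {"name": "orders", "url": "http://orders.internal:8080",
     "plugins": [{"name": "key-auth"}],
     "routes": [{"name": "orders-api", "paths": ["/orders"]}]},
    {"name": "health", "host": "health.internal", "port": 9000,
     "routes": [{"name": "health-public", "paths": ["/healthz"]},
                {"name": "health-admin", "paths": ["/admin/health"],
                 "plugins": [{"name": "jwt"}, {"name": "basic-auth", "enabled": false}]}]}
  ]
}""")
```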