admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): remediate 2026-05-12 audit findings (Stages 2–5)
Backend CI / Test (push) Has been cancelled
Details
Backend CI / Contract Tests (push) Has been cancelled
Details
Backend CI / Lint (push) Has been cancelled
Details
Backend CI / Secret Scanning (push) Has been cancelled
Details
Backend CI / Build (push) Has been cancelled
Details

Browse Source 
Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps),
tracked in deploy-k3s/SECURITY.md, plus fixes from two independent
post-remediation reviews.

Auth & sessions:
- SHA-256 hashed auth-token storage (C1); prior-token cache eviction on
  re-login (MEDIUM-1)
- local Google JWKS verification, iss/aud/exp checks (C2/C3)
- constant-time login + generic errors (L1/LIVE-L11/LIVE-L13)
- per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3)
- verified-email gating, login rate limiting (LIVE-L19, H1-H3)

IAP & webhooks:
- Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6)
- migrations 000003-000006 (token hashing, IAP replay, audit_log +
  webhook_event_log table creation, append-only audit log)

Authorization & races:
- file-ownership owner-OR-member fix (C7), atomic share-code join
  (C9/H9), device-token reassignment (C8/LOW-3)

Secrets & deploy:
- secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis
  password out of the ConfigMap (HIGH-1); B2 keys reconciled
- digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics
  lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban +
  unattended-upgrades at provision; secret-rotation runbook

Build, vet, and the full test suite (incl. -race) pass; the goose
migration chain is verified against PostgreSQL 16.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Trey t
2026-05-16 22:28:33 -05:00
parent 2004f9c5b2
commit c77ff07ce9
59 changed files with 2819 additions and 1245 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy-k3s/manifests/kyverno-verify-images.yaml
+61
View File
@@ -0,0 +1,61 @@
# Kyverno image-signature verification policy (audit CODE-L5).
#
# ──────────────────────────────────────────────────────────────────────────
# THIS MANIFEST IS NOT APPLIED BY 03-deploy.sh. It is intentionally outside
# the script's apply set. Applying it before the prerequisites are in place
# would block every honeydue Pod from scheduling. Operator steps:
#
# 1. Install Kyverno in the cluster (it is an admission controller):
# kubectl create -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
# 2. Generate a cosign key pair and keep the private key safe:
# cosign generate-key-pair # -> cosign.key (PRIVATE) + cosign.pub
# Set COSIGN_KEY=cosign.key in the deploy environment so 03-deploy.sh
# signs images after pushing them (the signing step is already wired,
# guarded, into 03-deploy.sh).
# 3. Paste the contents of cosign.pub into the publicKeys block below.
# 4. Apply this policy: kubectl apply -f deploy-k3s/manifests/kyverno-verify-images.yaml
# 5. After confirming honeydue Pods still schedule, flip
# validationFailureAction from Audit to Enforce.
#
# Until then it is a documented, ready-to-use template — not active config.
# ──────────────────────────────────────────────────────────────────────────
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-honeydue-images
annotations:
policies.kyverno.io/title: Verify honeyDue image signatures
policies.kyverno.io/description: >-
Requires that honeyDue application images pulled into the honeydue
namespace carry a valid cosign signature made with the operator's key.
spec:
# Audit first — logs violations without blocking. Switch to Enforce once
# signing is confirmed working end to end.
validationFailureAction: Audit
background: false
webhookTimeoutSeconds: 30
rules:
- name: verify-gitea-image-signatures
match:
any:
- resources:
kinds:
- Pod
namespaces:
- honeydue
verifyImages:
# Only the images we build and sign. Public base images
# (redis, vmagent) are pinned by digest instead — see their manifests.
- imageReferences:
- "gitea.treytartt.com/admin/honeydue-api*"
- "gitea.treytartt.com/admin/honeydue-worker*"
- "gitea.treytartt.com/admin/honeydue-admin*"
- "gitea.treytartt.com/admin/honeydue-web*"
attestors:
- count: 1
entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
REPLACE_WITH_CONTENTS_OF_cosign.pub
-----END PUBLIC KEY-----