Trey t
c77ff07ce9
Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps), tracked in deploy-k3s/SECURITY.md, plus fixes from two independent post-remediation reviews. Auth & sessions: - SHA-256 hashed auth-token storage (C1); prior-token cache eviction on re-login (MEDIUM-1) - local Google JWKS verification, iss/aud/exp checks (C2/C3) - constant-time login + generic errors (L1/LIVE-L11/LIVE-L13) - per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3) - verified-email gating, login rate limiting (LIVE-L19, H1-H3) IAP & webhooks: - Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6) - migrations 000003-000006 (token hashing, IAP replay, audit_log + webhook_event_log table creation, append-only audit log) Authorization & races: - file-ownership owner-OR-member fix (C7), atomic share-code join (C9/H9), device-token reassignment (C8/LOW-3) Secrets & deploy: - secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis password out of the ConfigMap (HIGH-1); B2 keys reconciled - digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban + unattended-upgrades at provision; secret-rotation runbook Build, vet, and the full test suite (incl. -race) pass; the goose migration chain is verified against PostgreSQL 16. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
53 lines
2.3 KiB
PL/PgSQL
53 lines
2.3 KiB
PL/PgSQL
-- +goose Up
|
|
-- Audit M7: make audit_log append-only. A BEFORE trigger rejects UPDATE and
|
|
-- DELETE so the security-event history cannot be altered or erased after the
|
|
-- fact — even by a database account with broad table privileges. The
|
|
-- application only ever INSERTs into this table.
|
|
|
|
-- The audit_log table itself was never created by a goose migration — it is
|
|
-- only built by GORM AutoMigrate in the test harness, and production never
|
|
-- runs AutoMigrate. CREATE TABLE IF NOT EXISTS brings it under migration
|
|
-- control without disturbing an existing table: a no-op on a DB that already
|
|
-- has it, and a correct build (matching models.AuditLog) on a from-scratch
|
|
-- redeploy — so the trigger below has a table to attach to and a clean
|
|
-- redeploy comes up with a working, append-only audit log.
|
|
CREATE TABLE IF NOT EXISTS audit_log (
|
|
id BIGSERIAL PRIMARY KEY,
|
|
user_id BIGINT,
|
|
event_type VARCHAR(50) NOT NULL,
|
|
ip_address VARCHAR(45),
|
|
user_agent TEXT,
|
|
details JSONB,
|
|
created_at TIMESTAMPTZ NOT NULL DEFAULT now()
|
|
);
|
|
CREATE INDEX IF NOT EXISTS idx_audit_log_user_id ON audit_log (user_id);
|
|
CREATE INDEX IF NOT EXISTS idx_audit_log_created_at ON audit_log (created_at);
|
|
|
|
-- +goose StatementBegin
|
|
CREATE OR REPLACE FUNCTION audit_log_append_only() RETURNS trigger AS $$
|
|
BEGIN
|
|
RAISE EXCEPTION 'audit_log is append-only: % is not permitted', TG_OP;
|
|
END;
|
|
$$ LANGUAGE plpgsql;
|
|
-- +goose StatementEnd
|
|
|
|
-- DROP ... IF EXISTS before CREATE keeps this idempotent (CREATE TRIGGER has
|
|
-- no OR REPLACE on older PostgreSQL).
|
|
DROP TRIGGER IF EXISTS audit_log_no_update ON audit_log;
|
|
CREATE TRIGGER audit_log_no_update
|
|
BEFORE UPDATE ON audit_log
|
|
FOR EACH ROW EXECUTE FUNCTION audit_log_append_only();
|
|
|
|
DROP TRIGGER IF EXISTS audit_log_no_delete ON audit_log;
|
|
CREATE TRIGGER audit_log_no_delete
|
|
BEFORE DELETE ON audit_log
|
|
FOR EACH ROW EXECUTE FUNCTION audit_log_append_only();
|
|
|
|
-- +goose Down
|
|
-- Reverses only the append-only guard, which is this migration's purpose.
|
|
-- The audit_log table is intentionally NOT dropped — it may hold security
|
|
-- history that predates this migration.
|
|
DROP TRIGGER IF EXISTS audit_log_no_delete ON audit_log;
|
|
DROP TRIGGER IF EXISTS audit_log_no_update ON audit_log;
|
|
DROP FUNCTION IF EXISTS audit_log_append_only();
|