generated from coulomb/repo-seed
feat(local-identity): Stage 4 — security hardening (NK-WP-0002-T04)
Permission enforcement on startup: enforce_permissions() checks store dir (700), user files (600), signing key, TLS key, audit.log, revoked.json. CLI and run_server() call it before any sensitive operation.

New modules:
  security.py  check_store(), enforce_permissions(), print_security_check()
  audit.py     log_event() — append-only TSV audit log (mode 600)
  revoke.py    revoke(jti), is_revoked(jti) — revocation list (mode 600)

New CLI commands:
  security-check          Print per-check pass/warn/fail report; exit 1 on failure
  revoke-token <jti|jwt>  Add JTI to revocation list; accepts raw JTI or full JWT

Serve integration:
  Audit log written for auth request, token issuance, and userinfo calls
  Revocation checked at /userinfo; revoked tokens return 401

Docs: security model section in LocalIdentity.md — threat model, assumptions, non-guarantees, SELinux/AppArmor guidance, revocation usage.

138 tests passing (34 new for Stage 4).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -191,8 +191,9 @@ pass an OIDC conformance smoke test; server refuses to bind to 0.0.0.0.
```task
id: NK-WP-0002-T04
state_hub_task_id: 936de7fa-dfb4-48a2-804f-6b9bd7271a05
status: todo
status: done
priority: medium
commit: (pending)
```
Permission enforcement:
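Review bot: the `commit:` field in this task block still reads `(pending)` while `status:` moves from `todo` to `done` in the same hunk; a completed task that points at a pending commit is misleading, so either fill the field with this change's commit id in a follow-up or drop the field from the block.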
@@ -227,9 +228,9 @@ expiry and revocation functional.
- [x] `~/.local-identity/` store initialised from Linux identity; test users generated
- [x] `local-identity list / show / export` working; Keycloak export validated
- [x] Minimal OIDC server passes conformance smoke test; binds localhost only
- [ ] Filesystem permissions enforced on startup; `security-check` passes
- [ ] Audit log recording all auth events
- [ ] `docs/LocalIdentity.md` complete with import procedure and security model
- [x] Filesystem permissions enforced on startup; `security-check` passes
- [x] Audit log recording all auth events
- [x] `docs/LocalIdentity.md` complete with import procedure and security model
- [ ] NK-WP-0001 T07 migration procedure documented (Local Identity → Keycloak)
## Open Questions
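Review bot: the item `Audit log recording all auth events` is ticked here, but the commit message lists audit records only for the auth request, token issuance and userinfo calls; the 401 path for a revoked token at /userinfo and the `revoke-token` command itself are not named as logged events. Either extend log_event() coverage to those paths or reword the checklist item to the events actually recorded, so the task doc matches the behaviour shipped.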