net-kingdom

Author	SHA1	Message	Date
tegwick	576cf0d95b	Local Identity OICD bootstrap	2026-05-02 16:58:44 +02:00
tegwick	52d44daec2	refactor(local-identity): post-Stage4 cleanups and micro-fixes - audit: chmod only on file creation, not every append (TOCTOU fix) - jwt_utils: add extract_unverified_payload() helper - cli: use extract_unverified_payload + JWTError instead of inline decode - keys: extract _public_key_bytes() helper, import _b64url from jwt_utils - security: FileNotFoundError try/except instead of path.exists() (TOCTOU fix) - serve: cache JWK response at server init instead of per-request recompute 138 tests passing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-02 08:25:21 +01:00
tegwick	e7bafd69fc	feat(local-identity): Stage 4 — security hardening (NK-WP-0002-T04) Permission enforcement on startup: enforce_permissions() checks store dir (700), user files (600), signing key, TLS key, audit.log, revoked.json. CLI and run_server() call it before any sensitive operation. New modules: security.py check_store(), enforce_permissions(), print_security_check() audit.py log_event() — append-only TSV audit log (mode 600) revoke.py revoke(jti), is_revoked(jti) — revocation list (mode 600) New CLI commands: security-check Print per-check pass/warn/fail report; exit 1 on failure revoke-token <jti\|jwt> Add JTI to revocation list; accepts raw JTI or full JWT Serve integration: Audit log written for auth request, token issuance, and userinfo calls Revocation checked at /userinfo; revoked tokens return 401 Docs: security model section in LocalIdentity.md — threat model, assumptions, non-guarantees, SELinux/AppArmor guidance, revocation usage. 138 tests passing (34 new for Stage 4). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-02 08:06:56 +01:00
tegwick	d35823df08	feat(local-identity): Stage 3 — minimal native OIDC provider (NK-WP-0002-T03) Add local-identity serve command: a minimal Authorization Code flow OIDC server backed by file-store users. Implemented natively with no heavy OIDC library — only stdlib http.server and the cryptography package. New modules: keys.py RSA-2048 signing key generation + JWKS helpers tls.py Self-signed TLS certificate (localhost/127.0.0.1 SANs) jwt_utils.py RS256 JWT creation and verification serve.py OIDCHandler + make_handler() factory + run_server() Endpoints: /.well-known/openid-configuration, /jwks, /auth, /token, /userinfo. Server binds to 127.0.0.1 only; tokens carry iss: local-identity which production Keycloak rejects by design. 104 tests passing (16 new for Stage 3). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-02 01:05:50 +01:00
tegwick	dad8365e6a	feat(local-identity): Stage 2 — Keycloak export & bootstrap integration (NK-WP-0002-T02) export.py: - split_fullname(): last-token strategy (Bernd Worsch → firstName/lastName) - _deterministic_id(): uuid5(DNS, "local-identity.{realm}.{username}") for stable, re-import-idempotent Keycloak IDs - user_to_keycloak(): full Keycloak Admin REST API user representation; production_identity mapping applied to username + realm; isolation attributes (local_identity_environment, local_identity_generated) always present; validate_keycloak_user() called on every conversion to catch schema drift - bulk_export_body(): partial import body (ifResourceExists/realm/users) cli.py: add `export` subcommand - export <username> single user, prints Keycloak JSON - export (no args) bulk; primary users only; stderr note on skipped test users - export --include-test bulk; all users including generated - --realm / --if-resource-exists flags docs/LocalIdentity.md: add two new sections - Keycloak import procedure: export → partialImport API → password reset → retire - Isolation guarantee: attribute schema, Keycloak Condition authenticator config, production_identity mapping walkthrough tests/test_export.py: 34 new tests (88 total, all passing) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-02 00:23:39 +01:00
tegwick	666a56f4ed	feat(local-identity): add --username and --fullname overrides to init Resolves the system identity mismatch between the Linux username (worsch) and the bootstrap identity (tegwick / Bernd Worsch / custom email). Resolution order for all three fields: flag > config > system derivation. Config is updated on every init so --force reinits are idempotent without repeating the flags. - cli.py: extract _resolve_init_params(); add --username / --fullname args; persist all three fields to config.yaml on init - tests/test_cli.py: 13 new tests covering flag priority, config fallback, system derivation, config persistence, idempotent --force reinit 54 tests passing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-02 00:11:04 +01:00
tegwick	4491beaffe	feat(local-identity): implement Stage 1 — core file store (NK-WP-0002-T01) Deliverables: - src/local_identity/gecos.py: /etc/passwd GECOS parsing, current_username() - src/local_identity/user.py: UserRecord dataclass, ProductionIdentity, make_test_user() - Pure test-user derivation: <user>N / +testN email alias / source_user tracking - src/local_identity/store.py: file store CRUD backed by LOCAL_IDENTITY_HOME - ~/.local-identity/ mode 700, user files mode 600 - All path lookups dynamic (env-var override enables clean test isolation) - src/local_identity/cli.py: init/list/show commands; email from flag > config > prompt - pyproject.toml + uv.lock: pyyaml dep, local-identity script entry point Tests (41 passing): - test_gecos.py: 9 tests — simple/comma/empty/non-ASCII/whitespace GECOS, fallback - test_user.py: 14 tests — test-user derivation, YAML roundtrip, non-ASCII, idempotency - test_store.py: 18 tests — dir creation, permissions (700/600), CRUD, list, config, idempotency (reinit with --force produces identical users) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-02 00:01:54 +01:00

7 Commits