feat(security): verify public tls asset health

This commit is contained in:
ogt
2026-07-14 15:31:15 +08:00
parent 248cf07ce1
commit 27f9e46f3b
7 changed files with 815 additions and 12 deletions

View File

@@ -370,6 +370,8 @@ def _build_security_program_domains(
package_digest_unpinned_count: int,
certificate_live_verified_percent: int,
certificate_live_unverified_count: int,
certificate_live_healthy_percent: int,
certificate_live_unhealthy_count: int,
) -> list[dict[str, Any]]:
scope_by_id = {row["scope_id"]: row for row in asset_scopes}
function_by_id = {row["function_id"]: row for row in control_functions}
@@ -399,11 +401,12 @@ def _build_security_program_domains(
supply_chain_gap_code = "runtime_image_digest_pin_missing"
else:
supply_chain_gap_code = "sbom_signature_dependency_evidence_missing"
network_tls_gap_code = (
"certificate_live_tls_probe_missing"
if certificate_live_unverified_count > 0
else "network_dns_tls_runtime_evidence_missing"
)
if certificate_live_unverified_count > 0:
network_tls_gap_code = "certificate_live_tls_probe_missing"
elif certificate_live_unhealthy_count > 0:
network_tls_gap_code = "certificate_live_tls_unhealthy"
else:
network_tls_gap_code = "network_dns_tls_runtime_evidence_missing"
domain_values = (
(
@@ -461,6 +464,7 @@ def _build_security_program_domains(
100 if by_type.get("network", 0) > 0 else 0,
100 if by_type.get("certificate", 0) > 0 else 0,
certificate_live_verified_percent,
certificate_live_healthy_percent,
compliance_percent("ssl_cert_valid"),
),
by_type.get("network", 0)
@@ -687,6 +691,10 @@ def build_iwooos_security_asset_control_plane(
int(_value(row, "unverified_certificate_count", 0) or 0)
for row in inventory_source
)
certificate_live_unhealthy_count = sum(
int(_value(row, "unhealthy_certificate_count", 0) or 0)
for row in inventory_source
)
present_types = {
asset_type for asset_type in _ASSET_TYPES if by_type.get(asset_type, 0) > 0
}
@@ -907,6 +915,16 @@ def build_iwooos_security_asset_control_plane(
by_type.get("certificate", 0),
),
certificate_live_unverified_count=certificate_live_unverified_count,
certificate_live_healthy_percent=_percent(
max(
0,
by_type.get("certificate", 0)
- certificate_live_unverified_count
- certificate_live_unhealthy_count,
),
by_type.get("certificate", 0),
),
certificate_live_unhealthy_count=certificate_live_unhealthy_count,
)
work_items: list[dict[str, Any]] = []
@@ -962,17 +980,21 @@ def build_iwooos_security_asset_control_plane(
),
)
)
if certificate_live_unverified_count > 0:
certificate_live_gap_count = (
certificate_live_unverified_count + certificate_live_unhealthy_count
)
if certificate_live_gap_count > 0:
work_items.append(
_work_item(
"AIA-P0-006-02B",
"P0",
"certificate_live_verification",
"驗證 public TLS 憑證",
certificate_live_unverified_count,
"驗證並修復 public TLS 憑證",
certificate_live_gap_count,
(
"執行 bounded TLS handshake metadata probe驗證 hostname、"
"chain 與 expiry不得讀取 private key 或 certificate volume。"
"chain 與 expiry對 warning/critical 建立受控修復,"
"不得讀取 private key 或 certificate volume。"
),
)
)
@@ -1132,6 +1154,7 @@ def build_iwooos_security_asset_control_plane(
"certificate_live_unverified_count": (
certificate_live_unverified_count
),
"certificate_live_unhealthy_count": certificate_live_unhealthy_count,
"automation_coverage_green_percent": _percent(
coverage_green, coverage_total
),
@@ -1221,10 +1244,23 @@ def build_iwooos_security_asset_control_plane(
by_type.get("certificate", 0)
- certificate_live_unverified_count,
),
"live_tls_evidenced_count": max(
0,
by_type.get("certificate", 0)
- certificate_live_unverified_count,
),
"live_tls_healthy_count": max(
0,
by_type.get("certificate", 0)
- certificate_live_unverified_count
- certificate_live_unhealthy_count,
),
"live_tls_unverified_count": certificate_live_unverified_count,
"live_tls_unhealthy_count": certificate_live_unhealthy_count,
"live_tls_health_proven": (
by_type.get("certificate", 0) > 0
and certificate_live_unverified_count == 0
and certificate_live_unhealthy_count == 0
),
"raw_certificate_path_returned": False,
"certificate_material_read": False,
@@ -1272,6 +1308,7 @@ def build_unavailable_iwooos_security_asset_control_plane(
"package_digest_unpinned_count": 0,
"forbidden_github_supply_chain_asset_count": 0,
"certificate_live_unverified_count": 0,
"certificate_live_unhealthy_count": 0,
"automation_coverage_green_percent": 0,
"automation_coverage_unknown_count": 0,
"compliance_violation_count": 0,
@@ -1438,7 +1475,10 @@ def build_unavailable_iwooos_security_asset_control_plane(
"certificate_inventory": {
"certificate_asset_count": 0,
"live_tls_verified_count": 0,
"live_tls_evidenced_count": 0,
"live_tls_healthy_count": 0,
"live_tls_unverified_count": 0,
"live_tls_unhealthy_count": 0,
"live_tls_health_proven": False,
"raw_certificate_path_returned": False,
"certificate_material_read": False,
@@ -1672,7 +1712,18 @@ class IwoooSSecurityAssetControlPlaneService:
metadata->>'live_tls_probe_evidenced',
'false'
) <> 'true'
) AS unverified_certificate_count
) AS unverified_certificate_count,
count(*) FILTER (
WHERE asset_type = 'certificate'
AND COALESCE(
metadata->>'live_tls_probe_evidenced',
'false'
) = 'true'
AND COALESCE(
metadata->>'live_tls_healthy',
'false'
) <> 'true'
) AS unhealthy_certificate_count
FROM asset_inventory
WHERE lifecycle_state = 'active'
GROUP BY asset_type