docs(security): 新增 Host Service owner request draft [skip ci]
This commit is contained in:
265
scripts/security/host-service-owner-request-draft.py
Normal file
265
scripts/security/host-service-owner-request-draft.py
Normal file
@@ -0,0 +1,265 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
IwoooS Docker / systemd / host service owner request draft 產生器。
|
||||
|
||||
本工具讀取 host-service repo-only 清冊,將 9 個 surface 轉成人工送件前
|
||||
request draft。它不 SSH、不讀 live host、不執行 docker compose、
|
||||
不執行 systemctl、不呼叫 repair-bot、不跑 Ansible、不收 secret value。
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import argparse
|
||||
import json
|
||||
import subprocess
|
||||
import sys
|
||||
from datetime import datetime, timedelta, timezone
|
||||
from pathlib import Path
|
||||
from typing import Any
|
||||
|
||||
|
||||
TAIPEI = timezone(timedelta(hours=8))
|
||||
|
||||
REQUEST_FIELDS = [
|
||||
"request_id",
|
||||
"surface_id",
|
||||
"label",
|
||||
"expected_host_scope",
|
||||
"config_kind",
|
||||
"service_scope",
|
||||
"control_tier",
|
||||
"repo_source_path",
|
||||
"repo_sha256",
|
||||
"owner_role_or_team",
|
||||
"decision",
|
||||
"decision_reason",
|
||||
"affected_scope",
|
||||
"redacted_evidence_refs",
|
||||
"live_config_hash_ref",
|
||||
"maintenance_window",
|
||||
"restart_window",
|
||||
"rollback_owner",
|
||||
"post_check_plan",
|
||||
"disable_switch",
|
||||
"followup_owner",
|
||||
"not_approval",
|
||||
]
|
||||
|
||||
REQUIRED_OWNER_FIELDS = [
|
||||
"owner_role_or_team",
|
||||
"decision",
|
||||
"decision_reason",
|
||||
"affected_scope",
|
||||
"redacted_evidence_refs",
|
||||
"live_config_hash_ref",
|
||||
"maintenance_window",
|
||||
"restart_window",
|
||||
"rollback_owner",
|
||||
"post_check_plan",
|
||||
"disable_switch",
|
||||
"followup_owner",
|
||||
]
|
||||
|
||||
BLOCKED_ACTIONS = [
|
||||
"ssh_read",
|
||||
"ssh_write",
|
||||
"docker_compose_up",
|
||||
"docker_compose_down",
|
||||
"systemctl_restart",
|
||||
"systemctl_reload",
|
||||
"repair_bot_execute",
|
||||
"ansible_apply",
|
||||
"sudo_action",
|
||||
"host_file_write",
|
||||
"firewall_change",
|
||||
"secret_value_collection",
|
||||
"active_scan",
|
||||
"runtime_gate_open",
|
||||
]
|
||||
|
||||
|
||||
def git_short_sha(root: Path) -> str:
|
||||
try:
|
||||
result = subprocess.run(
|
||||
["git", "rev-parse", "--short", "HEAD"],
|
||||
cwd=root,
|
||||
check=True,
|
||||
capture_output=True,
|
||||
text=True,
|
||||
)
|
||||
return result.stdout.strip()
|
||||
except Exception:
|
||||
return "unknown"
|
||||
|
||||
|
||||
def load_json(path: Path) -> dict[str, Any]:
|
||||
return json.loads(path.read_text(encoding="utf-8"))
|
||||
|
||||
|
||||
def request_for(surface: dict[str, Any]) -> dict[str, Any]:
|
||||
surface_id = surface["surface_id"]
|
||||
write_capable = surface["config_kind"] in {"host_repair_whitelist", "ansible_service_executor"}
|
||||
return {
|
||||
"request_id": f"host_service_owner_request:{surface_id}",
|
||||
"status": "draft_not_dispatched",
|
||||
"surface_id": surface_id,
|
||||
"label": surface["label"],
|
||||
"expected_host_scope": surface["expected_host_scope"],
|
||||
"config_kind": surface["config_kind"],
|
||||
"service_scope": surface["service_scope"],
|
||||
"control_tier": surface["control_tier"],
|
||||
"repo_source_path": surface["source_path"],
|
||||
"repo_sha256": surface["sha256"],
|
||||
"source_line_count": surface["line_count"],
|
||||
"requires_live_evidence": surface["requires_live_evidence"],
|
||||
"write_capable_surface": write_capable,
|
||||
"source_inventory_ref": "docs/security/host-service-config-inventory.snapshot.json",
|
||||
"request_fields": REQUEST_FIELDS,
|
||||
"required_owner_fields": REQUIRED_OWNER_FIELDS,
|
||||
"blocked_actions": BLOCKED_ACTIONS,
|
||||
"owner_role_or_team": "pending_owner_role_or_team",
|
||||
"decision": "pending_owner_decision",
|
||||
"decision_reason": "pending_decision_reason",
|
||||
"affected_scope": "pending_affected_scope",
|
||||
"redacted_evidence_refs": [],
|
||||
"live_config_hash_ref": None,
|
||||
"maintenance_window": "pending_maintenance_window",
|
||||
"restart_window": "pending_restart_window",
|
||||
"rollback_owner": "pending_rollback_owner",
|
||||
"post_check_plan": "pending_post_check_plan",
|
||||
"disable_switch": "pending_disable_switch",
|
||||
"followup_owner": "pending_followup_owner",
|
||||
"not_approval": True,
|
||||
"request_sent": False,
|
||||
"recipient_confirmed": False,
|
||||
"owner_response_received": False,
|
||||
"owner_response_accepted": False,
|
||||
"live_evidence_received": False,
|
||||
"restart_window_accepted": False,
|
||||
"rollback_owner_accepted": False,
|
||||
"post_check_plan_accepted": False,
|
||||
"host_write_authorized": False,
|
||||
"ssh_read_authorized": False,
|
||||
"ssh_write_authorized": False,
|
||||
"docker_compose_action_authorized": False,
|
||||
"systemctl_action_authorized": False,
|
||||
"repair_bot_execution_authorized": False,
|
||||
"ansible_apply_authorized": False,
|
||||
"secret_value_collection_allowed": False,
|
||||
"active_scan_authorized": False,
|
||||
"runtime_gate": False,
|
||||
"action_buttons_allowed": False,
|
||||
}
|
||||
|
||||
|
||||
def build_report(root: Path, inventory: dict[str, Any], generated_at: str | None) -> dict[str, Any]:
|
||||
report_time = generated_at or datetime.now(TAIPEI).isoformat(timespec="seconds")
|
||||
requests = [request_for(surface) for surface in inventory["config_surfaces"]]
|
||||
write_capable_requests = [item for item in requests if item["write_capable_surface"]]
|
||||
live_evidence_requests = [item for item in requests if item["requires_live_evidence"]]
|
||||
|
||||
return {
|
||||
"schema_version": "host_service_owner_request_draft_v1",
|
||||
"generated_at": report_time,
|
||||
"git_commit": git_short_sha(root),
|
||||
"source_inventory_schema_version": inventory.get("schema_version"),
|
||||
"source_inventory_status": inventory.get("status"),
|
||||
"status": "owner_request_draft_ready_not_dispatched",
|
||||
"summary": {
|
||||
"request_draft_count": len(requests),
|
||||
"write_capable_request_draft_count": len(write_capable_requests),
|
||||
"live_evidence_required_request_count": len(live_evidence_requests),
|
||||
"request_field_count": len(REQUEST_FIELDS),
|
||||
"required_owner_field_count": len(REQUIRED_OWNER_FIELDS),
|
||||
"blocked_action_count": len(BLOCKED_ACTIONS),
|
||||
"request_sent_count": 0,
|
||||
"recipient_confirmed_count": 0,
|
||||
"owner_response_received_count": 0,
|
||||
"owner_response_accepted_count": 0,
|
||||
"live_evidence_received_count": 0,
|
||||
"restart_window_accepted_count": 0,
|
||||
"rollback_owner_accepted_count": 0,
|
||||
"post_check_plan_accepted_count": 0,
|
||||
"host_write_authorized_count": 0,
|
||||
"ssh_read_authorized_count": 0,
|
||||
"ssh_write_authorized_count": 0,
|
||||
"docker_compose_action_authorized_count": 0,
|
||||
"systemctl_action_authorized_count": 0,
|
||||
"repair_bot_execution_authorized_count": 0,
|
||||
"ansible_apply_authorized_count": 0,
|
||||
"secret_value_collection_allowed_count": 0,
|
||||
"active_scan_authorized_count": 0,
|
||||
"runtime_gate_count": 0,
|
||||
"action_button_count": 0,
|
||||
},
|
||||
"execution_boundaries": {
|
||||
"request_sent": False,
|
||||
"recipient_confirmed": False,
|
||||
"owner_response_received": False,
|
||||
"owner_response_accepted": False,
|
||||
"live_host_read_authorized": False,
|
||||
"live_evidence_received": False,
|
||||
"host_write_authorized": False,
|
||||
"ssh_read_authorized": False,
|
||||
"ssh_write_authorized": False,
|
||||
"docker_compose_action_authorized": False,
|
||||
"systemctl_action_authorized": False,
|
||||
"repair_bot_execution_authorized": False,
|
||||
"ansible_apply_authorized": False,
|
||||
"secret_value_collection_allowed": False,
|
||||
"active_scan_authorized": False,
|
||||
"runtime_execution_authorized": False,
|
||||
"action_buttons_allowed": False,
|
||||
"not_authorization": True,
|
||||
},
|
||||
"request_fields": REQUEST_FIELDS,
|
||||
"required_owner_fields": REQUIRED_OWNER_FIELDS,
|
||||
"blocked_actions": BLOCKED_ACTIONS,
|
||||
"request_drafts": requests,
|
||||
"next_steps": [
|
||||
"人工送件前確認每個 host scope 的 owner role / team 與回覆窗口。",
|
||||
"owner 只能提供脫敏 live hash、config source ref、maintenance window、rollback owner 與 post-check plan。",
|
||||
"收到回覆後先做欄位完整性、敏感 payload 隔離與 restart / rollback gate 檢查,不得直接重啟或 apply。",
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
def main() -> int:
|
||||
parser = argparse.ArgumentParser(description="IwoooS host service owner request draft 產生器")
|
||||
parser.add_argument("--root", default=".", help="repo root")
|
||||
parser.add_argument(
|
||||
"--inventory-report",
|
||||
default="docs/security/host-service-config-inventory.snapshot.json",
|
||||
help="host-service-config-inventory.py 輸出的 JSON",
|
||||
)
|
||||
parser.add_argument("--output", help="寫出 JSON 報告")
|
||||
parser.add_argument("--generated-at", help="固定報告時間,供 committed snapshot 使用")
|
||||
args = parser.parse_args()
|
||||
|
||||
root = Path(args.root).resolve()
|
||||
inventory = load_json(root / args.inventory_report)
|
||||
report = build_report(root, inventory, args.generated_at)
|
||||
payload = json.dumps(report, ensure_ascii=False, indent=2, sort_keys=True)
|
||||
|
||||
if args.output:
|
||||
output = Path(args.output)
|
||||
output.parent.mkdir(parents=True, exist_ok=True)
|
||||
output.write_text(payload + "\n", encoding="utf-8")
|
||||
else:
|
||||
print(payload)
|
||||
|
||||
summary = report["summary"]
|
||||
print(
|
||||
"HOST_SERVICE_OWNER_REQUEST_DRAFT_OK "
|
||||
f"drafts={summary['request_draft_count']} "
|
||||
f"write_capable={summary['write_capable_request_draft_count']} "
|
||||
f"fields={summary['required_owner_field_count']} "
|
||||
f"sent={summary['request_sent_count']} "
|
||||
f"runtime_gate={summary['runtime_gate_count']}",
|
||||
file=sys.stderr,
|
||||
)
|
||||
return 0
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
sys.exit(main())
|
||||
@@ -95,6 +95,9 @@ def validate(root: Path) -> None:
|
||||
security_dir / "high-value-config-owner-request-draft.snapshot.json"
|
||||
)
|
||||
host_service_config_inventory = load_json(security_dir / "host-service-config-inventory.snapshot.json")
|
||||
host_service_owner_request_draft = load_json(
|
||||
security_dir / "host-service-owner-request-draft.snapshot.json"
|
||||
)
|
||||
ssh_network_access_inventory = load_json(security_dir / "ssh-network-access-inventory.snapshot.json")
|
||||
backup_restore_escrow_inventory = load_json(security_dir / "backup-restore-escrow-inventory.snapshot.json")
|
||||
monitoring_alerting_observability_inventory = load_json(
|
||||
@@ -2710,6 +2713,114 @@ def validate(root: Path) -> None:
|
||||
[item["surface_id"] for item in host_service_config_inventory["write_capable_surfaces"]],
|
||||
surface_id,
|
||||
)
|
||||
assert_equal(
|
||||
"host_service_owner_request_draft.schema",
|
||||
host_service_owner_request_draft["schema_version"],
|
||||
"host_service_owner_request_draft_v1",
|
||||
)
|
||||
assert_equal(
|
||||
"host_service_owner_request_draft.status",
|
||||
host_service_owner_request_draft["status"],
|
||||
"owner_request_draft_ready_not_dispatched",
|
||||
)
|
||||
assert_equal(
|
||||
"host_service_owner_request_draft.source_inventory_schema_version",
|
||||
host_service_owner_request_draft["source_inventory_schema_version"],
|
||||
"host_service_config_inventory_v1",
|
||||
)
|
||||
expected_host_service_owner_request_summary = {
|
||||
"request_draft_count": 9,
|
||||
"write_capable_request_draft_count": 3,
|
||||
"live_evidence_required_request_count": 8,
|
||||
"request_field_count": 22,
|
||||
"required_owner_field_count": 12,
|
||||
"blocked_action_count": 14,
|
||||
"request_sent_count": 0,
|
||||
"recipient_confirmed_count": 0,
|
||||
"owner_response_received_count": 0,
|
||||
"owner_response_accepted_count": 0,
|
||||
"live_evidence_received_count": 0,
|
||||
"restart_window_accepted_count": 0,
|
||||
"rollback_owner_accepted_count": 0,
|
||||
"post_check_plan_accepted_count": 0,
|
||||
"host_write_authorized_count": 0,
|
||||
"ssh_read_authorized_count": 0,
|
||||
"ssh_write_authorized_count": 0,
|
||||
"docker_compose_action_authorized_count": 0,
|
||||
"systemctl_action_authorized_count": 0,
|
||||
"repair_bot_execution_authorized_count": 0,
|
||||
"ansible_apply_authorized_count": 0,
|
||||
"secret_value_collection_allowed_count": 0,
|
||||
"active_scan_authorized_count": 0,
|
||||
"runtime_gate_count": 0,
|
||||
"action_button_count": 0,
|
||||
}
|
||||
for key, expected in expected_host_service_owner_request_summary.items():
|
||||
assert_equal(
|
||||
f"host_service_owner_request_draft.summary.{key}",
|
||||
host_service_owner_request_draft["summary"][key],
|
||||
expected,
|
||||
)
|
||||
for key, value in host_service_owner_request_draft["execution_boundaries"].items():
|
||||
if key == "not_authorization":
|
||||
assert_true(f"host_service_owner_request_draft.execution_boundaries.{key}", value)
|
||||
else:
|
||||
assert_false(f"host_service_owner_request_draft.execution_boundaries.{key}", value)
|
||||
assert_equal(
|
||||
"host_service_owner_request_draft.request_drafts.count",
|
||||
len(host_service_owner_request_draft["request_drafts"]),
|
||||
9,
|
||||
)
|
||||
host_service_owner_request_ids = [
|
||||
item["request_id"] for item in host_service_owner_request_draft["request_drafts"]
|
||||
]
|
||||
for request_id in [
|
||||
"host_service_owner_request:repair_bot_110_whitelist",
|
||||
"host_service_owner_request:repair_bot_188_whitelist",
|
||||
"host_service_owner_request:ansible_docker_compose_service_role",
|
||||
"host_service_owner_request:config_backup_host_capture",
|
||||
]:
|
||||
assert_contains(
|
||||
"host_service_owner_request_draft.request_drafts",
|
||||
host_service_owner_request_ids,
|
||||
request_id,
|
||||
)
|
||||
for draft in host_service_owner_request_draft["request_drafts"]:
|
||||
assert_equal(
|
||||
f"host_service_owner_request_draft.{draft['request_id']}.required_owner_fields",
|
||||
len(draft["required_owner_fields"]),
|
||||
12,
|
||||
)
|
||||
assert_equal(
|
||||
f"host_service_owner_request_draft.{draft['request_id']}.blocked_actions",
|
||||
len(draft["blocked_actions"]),
|
||||
14,
|
||||
)
|
||||
for false_key in [
|
||||
"request_sent",
|
||||
"recipient_confirmed",
|
||||
"owner_response_received",
|
||||
"owner_response_accepted",
|
||||
"live_evidence_received",
|
||||
"restart_window_accepted",
|
||||
"rollback_owner_accepted",
|
||||
"post_check_plan_accepted",
|
||||
"host_write_authorized",
|
||||
"ssh_read_authorized",
|
||||
"ssh_write_authorized",
|
||||
"docker_compose_action_authorized",
|
||||
"systemctl_action_authorized",
|
||||
"repair_bot_execution_authorized",
|
||||
"ansible_apply_authorized",
|
||||
"secret_value_collection_allowed",
|
||||
"active_scan_authorized",
|
||||
"runtime_gate",
|
||||
"action_buttons_allowed",
|
||||
]:
|
||||
assert_false(
|
||||
f"host_service_owner_request_draft.{draft['request_id']}.{false_key}",
|
||||
draft[false_key],
|
||||
)
|
||||
assert_equal(
|
||||
"ssh_network_access_inventory.schema",
|
||||
ssh_network_access_inventory["schema_version"],
|
||||
|
||||
Reference in New Issue
Block a user