v0.4.0: slice 4 Phase B — reversibility gate + signed-op consuming layer
The security core of slice 4: hub-supplied intent is no longer trusted for destructive change. The gate fronts the per-guest queue's executor, so every mutation passes it. Reuses internal/authz for all crypto (surface untouched). - Classifier (doc 03 §4): benign vs destructive by provenance + data-bearing- ness, NOT by verb. Destroy/overwrite of customer data is destructive unless agent-internal provenance (same-journaled-txn create, or agent-tagged scratch) makes it benign — and that provenance is journal-recorded, NEVER hub-sourced. Unknown op class fails safe to destructive. - Reversibility gate: benign -> allowed unsigned; destructive -> requires a verified, role-scoped, action-bound operator signature, else pending_signature and never executed. Every decision audited (signal, never the guard). - Signed-op consuming layer over authz.Verifier.Verify (locked pipeline untouched): role-scoping (doc 04 §4 — recovery=rotation only, operational= ordinary destructive + planned rotation) + op-to-action binding (op+host+ guest+params must match the gated action). - Signed-job orchestration: idempotency dedupe by nonce + journal-wrapped execution via an injected DestructiveExecutor (nil this slice — inert). - Crash recovery (Note 1): Engine.Recover consumes the journal InFlight() set at startup (resume-or-rollback) — covers an op that crashed after the POST and before its terminal record, which idempotency dedupe alone cannot. Added TaskStatusOnce to the GuestAPI seam. Wired into daemon startup. - Note 2: memory comparison canonicalized to MiB (desiredMemoryMiB) so a non-MiB-aligned MemoryBytes converges in one pass, not perpetual drift. - Daemon: builds the verifier from config signers (none = nil verifier, the common slice-4 state), the gate (+SlogAudit), runs Recover before mutating. Adversarial matrix proven against the REAL authz.Verifier with in-test-minted SSHSIGs (framing replicated in reconcile's test binary; authz untouched, no signing added to the verify-only package): unsigned job + unsigned desired-state delta -> pending_signature; unknown signer/expired/replay-across-restart/wrong host -> typed authz rejections; wrong guest/op/params -> binding_mismatch; recovery key on ordinary destructive -> role_denied; hub-supplied scratch tag ignored -> refused; valid+role+target+fresh nonce -> accepted then replay rejected. Full module race-clean + vet-clean on the Linux build server. Inert this slice: no destructive deltas served until slice 10; the destructive path is classified, gated, and tested but not wired to live execution. CHECKPOINT: Phase B complete (slice 4 done). Awaiting validation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,70 @@
|
||||
package reconcile
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"gitea.dooplex.hu/admin/felhom-agent/internal/authz"
|
||||
)
|
||||
|
||||
func TestClassify_BenignClasses(t *testing.T) {
|
||||
for _, c := range []OpClass{ClassStart, ClassStop, ClassSetConfig, ClassCreate, ClassRestart} {
|
||||
if got := Classify(c, Provenance{}); got != Benign {
|
||||
t.Errorf("Classify(%s) = %s, want benign", c, got)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestClassify_DestructiveClassesNeedSignature(t *testing.T) {
|
||||
for _, c := range []OpClass{ClassGuestDestroy, ClassStorageWipe, ClassRestoreOverwrite, ClassDecommission, ClassKeyRotation} {
|
||||
if got := Classify(c, Provenance{}); got != Destructive {
|
||||
t.Errorf("Classify(%s) = %s, want destructive", c, got)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestClassify_InternalProvenanceMakesDestroyBenign(t *testing.T) {
|
||||
// Same-transaction create → compensating rollback is benign (§10).
|
||||
if got := Classify(ClassGuestDestroy, Provenance{SameTxnCreated: true}); got != Benign {
|
||||
t.Errorf("same-txn destroy = %s, want benign", got)
|
||||
}
|
||||
// Agent-tagged scratch teardown is benign (§8).
|
||||
if got := Classify(ClassGuestDestroy, Provenance{AgentTaggedScratch: true}); got != Benign {
|
||||
t.Errorf("scratch destroy = %s, want benign", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestClassify_KeyRotationAlwaysDestructive(t *testing.T) {
|
||||
// Even with internal provenance, key-rotation stays signed (role-scoping decides
|
||||
// which key) — provenance flags don't apply to it.
|
||||
if got := Classify(ClassKeyRotation, Provenance{SameTxnCreated: true, AgentTaggedScratch: true}); got != Destructive {
|
||||
t.Errorf("key_rotation = %s, want destructive", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestClassify_UnknownClassFailsSafe(t *testing.T) {
|
||||
if got := Classify(OpClass("totally_unknown_op"), Provenance{}); got != Destructive {
|
||||
t.Errorf("unknown class = %s, want destructive (fail-safe)", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRoleAuthorizes(t *testing.T) {
|
||||
op := authz.RoleOperational
|
||||
rec := authz.RoleRecovery
|
||||
cases := []struct {
|
||||
role authz.KeyRole
|
||||
class OpClass
|
||||
want bool
|
||||
}{
|
||||
{op, ClassGuestDestroy, true}, // operational does ordinary destructive
|
||||
{op, ClassDecommission, true}, //
|
||||
{op, ClassKeyRotation, true}, // operational does planned rotation
|
||||
{rec, ClassGuestDestroy, false}, // recovery may NOT do ordinary destructive
|
||||
{rec, ClassStorageWipe, false}, //
|
||||
{rec, ClassKeyRotation, true}, // recovery authorizes ONLY rotation
|
||||
}
|
||||
for _, c := range cases {
|
||||
if got := roleAuthorizes(c.role, c.class); got != c.want {
|
||||
t.Errorf("roleAuthorizes(%s, %s) = %v, want %v", c.role, c.class, got, c.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user