mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 08:31:09 +00:00
[AZ-552] [AZ-553] [AZ-554] [AZ-555] Cycle-2 hotfix: deploy/infra chain
Batch 5 (cycle 2 hotfix sprint, batch 1 of 2). 6 story points under epic AZ-530. Addresses 2 Critical + 2 High deploy-blocking findings from security_report_cycle2.md (F-INFRA-1..F-INFRA-4). AZ-552 — drop_jwt_secret_deploy_preflight (1 pt, F-INFRA-1 Critical) scripts/start-services.sh swaps obsolete JwtConfig__Secret preflight for the cycle-2 trio (KeysFolder + ActiveKid + DataProtection.KeysFolder). .env.example, env/api/env.ps1, _docs/04_deploy/* updated to match. Repo scan in scripts/ and .env.example returns 0 offenders. AZ-553 — bind_mount_es256_keys (2 pts, F-INFRA-2 Critical) start-services.sh bind-mounts DEPLOY_HOST_JWT_KEYS_DIR read-only at /etc/azaion/jwt-keys; preflight fails fast on a missing or empty host directory with operator-actionable error messages. AZ-554 — persist_dataprotection_keys (2 pts, F-INFRA-3 High) Program.cs DataProtection wiring now fails fast in Production when KeysFolder is unset OR not probe-writable. start-services.sh bind-mounts DEPLOY_HOST_DP_KEYS_DIR read-write at /var/lib/azaion/dp-keys. Development behaviour unchanged (ephemeral default). AZ-555 — secrets_readme_es256_rewrite (1 pt, F-INFRA-4 High) secrets/README.md schema fully rewritten; new "Host-side directories" subsection with bind-mount table + ownership/permission guidance. Cycle-1 JwtConfig__Secret removed from live schema (one prose deprecation paragraph retained). Adjacent hygiene module-layout.md "Owns" extended to include scripts/, secrets/, env/, .env.example (gap from Step 9 new-task layout-delta). Tests e2e/Azaion.E2E/Tests/Cycle2HotfixDeployTests.cs — 19 facts (8 exec, 11 Skip with rationale per AZ-537/AZ-538 precedent). Skipped tests cover preflight/restart/Production-only paths verified at deploy gate. Build: 0W 0E across Azaion.AdminApi + Azaion.E2E. Test run deferred to autodev Step 11 (Run Tests). Tracker transition deferred to next batch (MCP availability unverified in this session — Leftovers pattern). Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
+25
-7
@@ -15,22 +15,40 @@ ASPNETCORE_ConnectionStrings__AzaionDb=Host=localhost;Port=4312;Database=azaion;
|
||||
ASPNETCORE_ConnectionStrings__AzaionDbAdmin=Host=localhost;Port=4312;Database=azaion;Username=azaion_admin;Password=CHANGE_ME
|
||||
|
||||
# ---------- JWT (ES256, 15 min access, 8/12 h refresh — AZ-531/AZ-532) ------
|
||||
# AZ-532 — admin signs access tokens with ES256. Keys live as PEM files in
|
||||
# JwtConfig__KeysFolder (the kid is the filename without `.pem`); generate with
|
||||
# scripts/generate-jwt-key.sh. JwtConfig__Secret is gone — verifiers fetch the
|
||||
# public key from /.well-known/jwks.json instead.
|
||||
# AZ-532 — admin signs access tokens with ES256. Keys live as PEM files in the
|
||||
# folder named by KeysFolder (the kid is the filename without `.pem`); generate
|
||||
# with scripts/generate-jwt-key.sh. The cycle-1 symmetric secret was removed in
|
||||
# cycle 2; verifiers now fetch the public key from /.well-known/jwks.json.
|
||||
ASPNETCORE_JwtConfig__Issuer=AzaionApi
|
||||
ASPNETCORE_JwtConfig__Audience=Annotators/OrangePi/Admins
|
||||
ASPNETCORE_JwtConfig__KeysFolder=secrets/jwt-keys
|
||||
# ActiveKid optional — defaults to the lexicographically first PEM in the folder.
|
||||
# ASPNETCORE_JwtConfig__ActiveKid=kid-20260514-000000
|
||||
ASPNETCORE_JwtConfig__KeysFolder=/etc/azaion/jwt-keys
|
||||
# AZ-552/AZ-553 — ActiveKid is REQUIRED in production deployments. The
|
||||
# preflight in scripts/start-services.sh fails fast if it is unset.
|
||||
ASPNETCORE_JwtConfig__ActiveKid=kid-20260514-000000
|
||||
ASPNETCORE_JwtConfig__AccessTokenLifetimeMinutes=15
|
||||
|
||||
# AZ-553 — host-side directory holding the ES256 PEMs. Bind-mounted RO into
|
||||
# the container at $JwtConfig__KeysFolder. Must be owned by (or readable by)
|
||||
# the container's `app` UID. See secrets/README.md "Host-side directories".
|
||||
DEPLOY_HOST_JWT_KEYS_DIR=/var/lib/azaion/jwt-keys
|
||||
|
||||
# AZ-531 — refresh-token windows. Sliding extends on every rotation; absolute
|
||||
# caps the family lifetime regardless of activity.
|
||||
ASPNETCORE_SessionConfig__RefreshSlidingHours=8
|
||||
ASPNETCORE_SessionConfig__RefreshAbsoluteHours=12
|
||||
|
||||
# ---------- DataProtection (AZ-554) -----------------------------------------
|
||||
# AZ-554 — DataProtection master keys MUST persist across container restarts;
|
||||
# otherwise the cycle-2 MFA secret ciphertexts become unreadable and every
|
||||
# MFA-enrolled user is locked out at the next deploy. Production deployments
|
||||
# MUST set this; non-prod uses the ephemeral default if unset.
|
||||
ASPNETCORE_DataProtection__KeysFolder=/var/lib/azaion/dp-keys
|
||||
|
||||
# AZ-554 — host-side directory holding the DataProtection key ring. Bind-mounted
|
||||
# RW into the container at $DataProtection__KeysFolder. Must be writable by the
|
||||
# container's `app` UID. NEVER world-readable (chmod 0700).
|
||||
DEPLOY_HOST_DP_KEYS_DIR=/var/lib/azaion/dp-keys
|
||||
|
||||
# ---------- Resource storage (filesystem) -----------------------------------
|
||||
ASPNETCORE_ResourcesConfig__ResourcesFolder=Content
|
||||
|
||||
|
||||
Reference in New Issue
Block a user