[AZ-552] [AZ-553] [AZ-554] [AZ-555] Cycle-2 hotfix: deploy/infra chain

Batch 5 (cycle 2 hotfix sprint, batch 1 of 2). 6 story points under epic AZ-530. Addresses 2 Critical + 2 High deploy-blocking findings from security_report_cycle2.md (F-INFRA-1..F-INFRA-4). AZ-552 — drop_jwt_secret_deploy_preflight (1 pt, F-INFRA-1 Critical) scripts/start-services.sh swaps obsolete JwtConfig__Secret preflight for the cycle-2 trio (KeysFolder + ActiveKid + DataProtection.KeysFolder). .env.example, env/api/env.ps1, _docs/04_deploy/* updated to match. Repo scan in scripts/ and .env.example returns 0 offenders. AZ-553 — bind_mount_es256_keys (2 pts, F-INFRA-2 Critical) start-services.sh bind-mounts DEPLOY_HOST_JWT_KEYS_DIR read-only at /etc/azaion/jwt-keys; preflight fails fast on a missing or empty host directory with operator-actionable error messages. AZ-554 — persist_dataprotection_keys (2 pts, F-INFRA-3 High) Program.cs DataProtection wiring now fails fast in Production when KeysFolder is unset OR not probe-writable. start-services.sh bind-mounts DEPLOY_HOST_DP_KEYS_DIR read-write at /var/lib/azaion/dp-keys. Development behaviour unchanged (ephemeral default). AZ-555 — secrets_readme_es256_rewrite (1 pt, F-INFRA-4 High) secrets/README.md schema fully rewritten; new "Host-side directories" subsection with bind-mount table + ownership/permission guidance. Cycle-1 JwtConfig__Secret removed from live schema (one prose deprecation paragraph retained). Adjacent hygiene module-layout.md "Owns" extended to include scripts/, secrets/, env/, .env.example (gap from Step 9 new-task layout-delta). Tests e2e/Azaion.E2E/Tests/Cycle2HotfixDeployTests.cs — 19 facts (8 exec, 11 Skip with rationale per AZ-537/AZ-538 precedent). Skipped tests cover preflight/restart/Production-only paths verified at deploy gate. Build: 0W 0E across Azaion.AdminApi + Azaion.E2E. Test run deferred to autodev Step 11 (Run Tests). Tracker transition deferred to next batch (MCP availability unverified in this session — Leftovers pattern). Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 11:31:10 +00:00 · 2026-05-14 09:35:57 +03:00
parent d2b5308b45
commit f369153149
20 changed files with 517 additions and 45 deletions
@@ -144,17 +144,58 @@ builder.Services.AddScoped<ISessionService, SessionService>();
 builder.Services.AddScoped<IMissionTokenService, MissionTokenService>();
 builder.Services.AddScoped<IMfaService, MfaService>();

-// AZ-534 — DataProtection encrypts mfa_secret at rest. Default key storage
-// (per-machine, ephemeral inside containers) is fine for a single-instance SUT.
-// Production deployments MUST set DataProtection__KeysFolder to a persistent
-// volume so encrypted secrets survive restarts and rolling deploys.
+// AZ-534 / AZ-554 — DataProtection encrypts mfa_secret at rest. Production
+// MUST persist the key ring to a bind-mounted host folder; otherwise every
+// container restart rotates the master key and locks every MFA-enrolled user
+// out at the next deploy. Development falls back to the ephemeral default.
 {
    var dpBuilder = builder.Services.AddDataProtection();
    dpBuilder.SetApplicationName("Azaion.AdminApi");
    var keyFolder = builder.Configuration["DataProtection:KeysFolder"];
-    if (!string.IsNullOrWhiteSpace(keyFolder))
+    var isProduction = builder.Environment.IsProduction();
+
+    if (string.IsNullOrWhiteSpace(keyFolder))
    {
-        Directory.CreateDirectory(keyFolder);
+        if (isProduction)
+        {
+            throw new InvalidOperationException(
+                "DataProtection.KeysFolder is required in Production. " +
+                "Set ASPNETCORE_DataProtection__KeysFolder to a persistent bind-mounted path " +
+                "(e.g. /var/lib/azaion/dp-keys backed by DEPLOY_HOST_DP_KEYS_DIR). " +
+                "Without this, MFA secret ciphertexts become unreadable after the next container restart.");
+        }
+    }
+    else
+    {
+        try
+        {
+            Directory.CreateDirectory(keyFolder);
+        }
+        catch (Exception ex)
+        {
+            throw new InvalidOperationException(
+                $"DataProtection.KeysFolder '{keyFolder}' is not writable: {ex.Message}. " +
+                "Ensure the bind-mounted host directory is owned by the container user.",
+                ex);
+        }
+
+        if (isProduction)
+        {
+            var probe = Path.Combine(keyFolder, ".dp-writable-probe");
+            try
+            {
+                File.WriteAllText(probe, "ok");
+                File.Delete(probe);
+            }
+            catch (Exception ex)
+            {
+                throw new InvalidOperationException(
+                    $"DataProtection.KeysFolder '{keyFolder}' exists but is not writable by the current process: {ex.Message}. " +
+                    "Check host-side ownership/permissions of DEPLOY_HOST_DP_KEYS_DIR (must be writable by the container user).",
+                    ex);
+            }
+        }
+
        dpBuilder.PersistKeysToFileSystem(new DirectoryInfo(keyFolder));
    }
 }