Harden deployment and fix PEN-01
- Fix Bearer token extraction to validate prefix (PEN-01) - Add TestExtractBearerFromRequest covering PEN-01 edge cases - Fix flaky TestRenewToken timing (2s → 4s lifetime) - Move default config/install paths to /srv/mcias - Add RUNBOOK.md for operational procedures - Update AUDIT.md with penetration test round 4 Security: extractBearerFromRequest now uses case-insensitive prefix validation instead of fixed-offset slicing, rejecting non-Bearer Authorization schemes that were previously accepted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
18
dist/mcias.conf.example
vendored
18
dist/mcias.conf.example
vendored
@@ -1,12 +1,12 @@
|
||||
# mcias.conf — Reference configuration for mciassrv
|
||||
#
|
||||
# Copy this file to /etc/mcias/mcias.conf and adjust the values for your
|
||||
# Copy this file to /srv/mcias/mcias.toml and adjust the values for your
|
||||
# deployment. All fields marked REQUIRED must be set before the server will
|
||||
# start. Fields marked OPTIONAL can be omitted to use defaults.
|
||||
#
|
||||
# File permissions: mode 0640, owner root:mcias.
|
||||
# chmod 0640 /etc/mcias/mcias.conf
|
||||
# chown root:mcias /etc/mcias/mcias.conf
|
||||
# chmod 0640 /srv/mcias/mcias.toml
|
||||
# chown root:mcias /srv/mcias/mcias.toml
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# [server] — Network listener configuration
|
||||
@@ -26,11 +26,11 @@ listen_addr = "0.0.0.0:8443"
|
||||
# REQUIRED. Path to the TLS certificate (PEM format).
|
||||
# Self-signed certificates work fine for personal deployments; for
|
||||
# public-facing deployments consider a certificate from Let's Encrypt.
|
||||
tls_cert = "/etc/mcias/server.crt"
|
||||
tls_cert = "/srv/mcias/server.crt"
|
||||
|
||||
# REQUIRED. Path to the TLS private key (PEM format).
|
||||
# Permissions: mode 0640, owner root:mcias.
|
||||
tls_key = "/etc/mcias/server.key"
|
||||
tls_key = "/srv/mcias/server.key"
|
||||
|
||||
# OPTIONAL. IP address of a trusted reverse proxy (e.g. nginx, Caddy, HAProxy).
|
||||
# When set, the rate limiter and audit log extract the real client IP from the
|
||||
@@ -55,7 +55,7 @@ tls_key = "/etc/mcias/server.key"
|
||||
# REQUIRED. Path to the SQLite database file.
|
||||
# The directory must be writable by the mcias user. WAL mode is enabled
|
||||
# automatically; expect three files: mcias.db, mcias.db-wal, mcias.db-shm.
|
||||
path = "/var/lib/mcias/mcias.db"
|
||||
path = "/srv/mcias/mcias.db"
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# [tokens] — JWT issuance policy
|
||||
@@ -113,13 +113,13 @@ threads = 4
|
||||
# database on first run and reused on subsequent runs so the same passphrase
|
||||
# always produces the same master key.
|
||||
#
|
||||
# Set the passphrase in /etc/mcias/env (loaded by the systemd EnvironmentFile
|
||||
# Set the passphrase in /srv/mcias/env (loaded by the systemd EnvironmentFile
|
||||
# directive). See dist/mcias.env.example for the template.
|
||||
passphrase_env = "MCIAS_MASTER_PASSPHRASE"
|
||||
|
||||
# Option B: Key file mode. The file must contain exactly 32 bytes of raw key
|
||||
# material (AES-256). Generate with: openssl rand -out /etc/mcias/master.key 32
|
||||
# material (AES-256). Generate with: openssl rand -out /srv/mcias/master.key 32
|
||||
# Permissions: mode 0640, owner root:mcias.
|
||||
#
|
||||
# Uncomment and comment out passphrase_env to switch modes.
|
||||
# keyfile = "/etc/mcias/master.key"
|
||||
# keyfile = "/srv/mcias/master.key"
|
||||
|
||||
Reference in New Issue
Block a user