Harden deployment and fix PEN-01

- Fix Bearer token extraction to validate prefix (PEN-01)
- Add TestExtractBearerFromRequest covering PEN-01 edge cases
- Fix flaky TestRenewToken timing (2s → 4s lifetime)
- Move default config/install paths to /srv/mcias
- Add RUNBOOK.md for operational procedures
- Update AUDIT.md with penetration test round 4

Security: extractBearerFromRequest now validates the `Bearer ` scheme prefix
case-insensitively instead of slicing the Authorization header at a fixed
offset, so headers carrying a non-Bearer scheme — which the fixed-offset slice
previously accepted and returned as a token — are now rejected.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 22:33:24 -07:00
parent 2a85d4bf2b
commit 1121b7d4fd
14 changed files with 774 additions and 117 deletions


@@ -12,11 +12,11 @@ func validConfig() string {
return `
[server]
listen_addr = "0.0.0.0:8443"
tls_cert = "/etc/mcias/server.crt"
tls_key = "/etc/mcias/server.key"
tls_cert = "/srv/mcias/server.crt"
tls_key = "/srv/mcias/server.key"
[database]
path = "/var/lib/mcias/mcias.db"
path = "/srv/mcias/mcias.db"
[tokens]
issuer = "https://auth.example.com"
@@ -154,11 +154,11 @@ func TestValidateMasterKeyBothSet(t *testing.T) {
path := writeTempConfig(t, `
[server]
listen_addr = "0.0.0.0:8443"
tls_cert = "/etc/mcias/server.crt"
tls_key = "/etc/mcias/server.key"
tls_cert = "/srv/mcias/server.crt"
tls_key = "/srv/mcias/server.key"
[database]
path = "/var/lib/mcias/mcias.db"
path = "/srv/mcias/mcias.db"
[tokens]
issuer = "https://auth.example.com"
@@ -173,7 +173,7 @@ threads = 4
[master_key]
passphrase_env = "MCIAS_MASTER_PASSPHRASE"
keyfile = "/etc/mcias/master.key"
keyfile = "/srv/mcias/master.key"
`)
_, err := Load(path)
if err == nil {
@@ -185,11 +185,11 @@ func TestValidateMasterKeyNoneSet(t *testing.T) {
path := writeTempConfig(t, `
[server]
listen_addr = "0.0.0.0:8443"
tls_cert = "/etc/mcias/server.crt"
tls_key = "/etc/mcias/server.key"
tls_cert = "/srv/mcias/server.crt"
tls_key = "/srv/mcias/server.key"
[database]
path = "/var/lib/mcias/mcias.db"
path = "/srv/mcias/mcias.db"
[tokens]
issuer = "https://auth.example.com"