jpetree331
f97d4845af
Complete RedFlag codebase with two major security audit implementations.
== A-1: Ed25519 Key Rotation Support ==
Server:
- SignCommand sets SignedAt timestamp and KeyID on every signature
- signing_keys database table (migration 020) for multi-key rotation
- InitializePrimaryKey registers active key at startup
- /api/v1/public-keys endpoint for rotation-aware agents
- SigningKeyQueries for key lifecycle management
Agent:
- Key-ID-aware verification via CheckKeyRotation
- FetchAndCacheAllActiveKeys for rotation pre-caching
- Cache metadata with TTL and staleness fallback
- SecurityLogger events for key rotation and command signing
== A-2: Replay Attack Fixes (F-1 through F-7) ==
F-5 CRITICAL - RetryCommand now signs via signAndCreateCommand
F-1 HIGH - v3 format: "{agent_id}:{cmd_id}:{type}:{hash}:{ts}"
F-7 HIGH - Migration 026: expires_at column with partial index
F-6 HIGH - GetPendingCommands/GetStuckCommands filter by expires_at
F-2 HIGH - Agent-side executedIDs dedup map with cleanup
F-4 HIGH - commandMaxAge reduced from 24h to 4h
F-3 CRITICAL - Old-format commands rejected after 48h via CreatedAt
Verification fixes: migration idempotency (ETHOS #4), log format
compliance (ETHOS #1), stale comments updated.
All 24 tests passing. Docker --no-cache build verified.
See docs/ for full audit reports and deviation log (DEV-001 to DEV-019).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
47 lines
2.5 KiB
SQL
47 lines
2.5 KiB
SQL
-- Add machine ID and public key fingerprint fields to agents table
|
|
-- This enables Ed25519 binary signing and machine binding
|
|
|
|
ALTER TABLE agents
|
|
ADD COLUMN machine_id VARCHAR(64) UNIQUE,
|
|
ADD COLUMN public_key_fingerprint VARCHAR(16),
|
|
ADD COLUMN is_updating BOOLEAN DEFAULT false,
|
|
ADD COLUMN updating_to_version VARCHAR(50),
|
|
ADD COLUMN update_initiated_at TIMESTAMP;
|
|
|
|
-- Create index for machine ID lookups
|
|
CREATE INDEX idx_agents_machine_id ON agents(machine_id);
|
|
CREATE INDEX idx_agents_public_key_fingerprint ON agents(public_key_fingerprint);
|
|
|
|
-- Add comment to document the new fields
|
|
COMMENT ON COLUMN agents.machine_id IS 'Unique machine identifier to bind agent binaries to specific hardware';
|
|
COMMENT ON COLUMN agents.public_key_fingerprint IS 'Fingerprint of embedded public key for binary signature verification';
|
|
COMMENT ON COLUMN agents.is_updating IS 'Whether agent is currently updating';
|
|
COMMENT ON COLUMN agents.updating_to_version IS 'Target version for ongoing update';
|
|
COMMENT ON COLUMN agents.update_initiated_at IS 'When the update process started';
|
|
|
|
-- Create table for storing signed update packages
|
|
CREATE TABLE agent_update_packages (
|
|
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
|
version VARCHAR(50) NOT NULL,
|
|
platform VARCHAR(50) NOT NULL, -- linux-amd64, linux-arm64, windows-amd64, etc.
|
|
architecture VARCHAR(20) NOT NULL,
|
|
binary_path VARCHAR(500) NOT NULL,
|
|
signature VARCHAR(128) NOT NULL, -- Ed25519 signature (64 bytes hex encoded)
|
|
checksum VARCHAR(64) NOT NULL, -- SHA-256 checksum
|
|
file_size BIGINT NOT NULL,
|
|
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
|
|
created_by VARCHAR(100) DEFAULT 'system',
|
|
is_active BOOLEAN DEFAULT true
|
|
);
|
|
|
|
-- Add indexes for update packages
|
|
CREATE INDEX idx_agent_update_packages_version ON agent_update_packages(version);
|
|
CREATE INDEX idx_agent_update_packages_platform ON agent_update_packages(platform, architecture);
|
|
CREATE INDEX idx_agent_update_packages_active ON agent_update_packages(is_active);
|
|
|
|
-- Add comments for update packages table
|
|
COMMENT ON TABLE agent_update_packages IS 'Stores signed agent binary packages for secure updates';
|
|
COMMENT ON COLUMN agent_update_packages.signature IS 'Ed25519 signature of the binary file';
|
|
COMMENT ON COLUMN agent_update_packages.checksum IS 'SHA-256 checksum of the binary file';
|
|
COMMENT ON COLUMN agent_update_packages.platform IS 'Target platform (OS-architecture)';
|
|
COMMENT ON COLUMN agent_update_packages.is_active IS 'Whether this package is available for updates'; |