fixes save

2025-12-26 22:03:32 +02:00
parent 9a4cd2e0f7
commit 3bfbbae115
2076 changed files with 47168 additions and 32914 deletions
--- a/devops/compose/docker-compose.dev.yaml
+++ b/devops/compose/docker-compose.dev.yaml
@@ -28,6 +28,7 @@ services:
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgres-data:/var/lib/postgresql/data
+      - ./postgres-init:/docker-entrypoint-initdb.d:ro
    ports:
      - "${POSTGRES_PORT:-5432}:5432"
    networks:
--- a/devops/compose/postgres-init/01-extensions.sql
+++ b/devops/compose/postgres-init/01-extensions.sql
@@ -1,5 +1,7 @@
-- PostgreSQL initialization for StellaOps air-gap deployment
+-- ============================================================================
+-- PostgreSQL initialization for StellaOps
 -- This script runs automatically on first container start
+-- ============================================================================

 -- Enable pg_stat_statements extension for query performance analysis
 CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
@@ -9,25 +11,59 @@ CREATE EXTENSION IF NOT EXISTS pg_trgm;      -- Fuzzy text search
 CREATE EXTENSION IF NOT EXISTS btree_gin;    -- GIN indexes for scalar types
 CREATE EXTENSION IF NOT EXISTS pgcrypto;     -- Cryptographic functions

+-- ============================================================================
 -- Create schemas for all modules
 -- Migrations will create tables within these schemas
-CREATE SCHEMA IF NOT EXISTS authority;
-CREATE SCHEMA IF NOT EXISTS vuln;
-CREATE SCHEMA IF NOT EXISTS vex;
-CREATE SCHEMA IF NOT EXISTS scheduler;
-CREATE SCHEMA IF NOT EXISTS notify;
-CREATE SCHEMA IF NOT EXISTS policy;
-CREATE SCHEMA IF NOT EXISTS concelier;
-CREATE SCHEMA IF NOT EXISTS audit;
-CREATE SCHEMA IF NOT EXISTS unknowns;
+-- ============================================================================

-- Grant usage to application user (assumes POSTGRES_USER is the app user)
-GRANT USAGE ON SCHEMA authority TO PUBLIC;
-GRANT USAGE ON SCHEMA vuln TO PUBLIC;
-GRANT USAGE ON SCHEMA vex TO PUBLIC;
-GRANT USAGE ON SCHEMA scheduler TO PUBLIC;
-GRANT USAGE ON SCHEMA notify TO PUBLIC;
-GRANT USAGE ON SCHEMA policy TO PUBLIC;
-GRANT USAGE ON SCHEMA concelier TO PUBLIC;
-GRANT USAGE ON SCHEMA audit TO PUBLIC;
-GRANT USAGE ON SCHEMA unknowns TO PUBLIC;
+-- Core Platform
+CREATE SCHEMA IF NOT EXISTS authority;     -- Authentication, authorization, OAuth/OIDC
+
+-- Data Ingestion
+CREATE SCHEMA IF NOT EXISTS vuln;          -- Concelier vulnerability data
+CREATE SCHEMA IF NOT EXISTS vex;           -- Excititor VEX documents
+
+-- Scanning & Analysis
+CREATE SCHEMA IF NOT EXISTS scanner;       -- Container scanning, SBOM generation
+
+-- Scheduling & Orchestration
+CREATE SCHEMA IF NOT EXISTS scheduler;     -- Job scheduling
+CREATE SCHEMA IF NOT EXISTS taskrunner;    -- Task execution
+
+-- Policy & Risk
+CREATE SCHEMA IF NOT EXISTS policy;        -- Policy engine
+CREATE SCHEMA IF NOT EXISTS unknowns;      -- Unknown component tracking
+
+-- Artifacts & Evidence
+CREATE SCHEMA IF NOT EXISTS proofchain;    -- Attestor proof chains
+CREATE SCHEMA IF NOT EXISTS attestor;      -- Attestor submission queue
+CREATE SCHEMA IF NOT EXISTS signer;        -- Key management
+
+-- Notifications
+CREATE SCHEMA IF NOT EXISTS notify;        -- Notification delivery
+
+-- Signals & Observability
+CREATE SCHEMA IF NOT EXISTS signals;       -- Runtime signals
+
+-- Registry
+CREATE SCHEMA IF NOT EXISTS packs;         -- Task packs registry
+
+-- Audit
+CREATE SCHEMA IF NOT EXISTS audit;         -- System-wide audit log
+
+-- ============================================================================
+-- Grant usage to application user (for single-user mode)
+-- Per-module users are created in 02-create-users.sql
+-- ============================================================================
+DO $$
+DECLARE
+    schema_name TEXT;
+BEGIN
+    FOR schema_name IN SELECT unnest(ARRAY[
+        'authority', 'vuln', 'vex', 'scanner', 'scheduler', 'taskrunner',
+        'policy', 'unknowns', 'proofchain', 'attestor', 'signer',
+        'notify', 'signals', 'packs', 'audit'
+    ]) LOOP
+        EXECUTE format('GRANT USAGE ON SCHEMA %I TO PUBLIC', schema_name);
+    END LOOP;
+END $$;
--- a/devops/compose/postgres-init/02-create-users.sql
+++ b/devops/compose/postgres-init/02-create-users.sql
@@ -0,0 +1,53 @@
+-- ============================================================================
+-- Per-Module Database Users
+-- ============================================================================
+-- Creates isolated database users for each StellaOps module.
+-- This enables least-privilege access control and audit trail per module.
+--
+-- Password format: {module}_dev (for development only)
+-- In production, use secrets management and rotate credentials.
+-- ============================================================================
+
+-- Core Platform
+CREATE USER authority_user WITH PASSWORD 'authority_dev';
+
+-- Data Ingestion
+CREATE USER concelier_user WITH PASSWORD 'concelier_dev';
+CREATE USER excititor_user WITH PASSWORD 'excititor_dev';
+
+-- Scanning & Analysis
+CREATE USER scanner_user WITH PASSWORD 'scanner_dev';
+
+-- Scheduling & Orchestration
+CREATE USER scheduler_user WITH PASSWORD 'scheduler_dev';
+CREATE USER taskrunner_user WITH PASSWORD 'taskrunner_dev';
+
+-- Policy & Risk
+CREATE USER policy_user WITH PASSWORD 'policy_dev';
+CREATE USER unknowns_user WITH PASSWORD 'unknowns_dev';
+
+-- Artifacts & Evidence
+CREATE USER attestor_user WITH PASSWORD 'attestor_dev';
+CREATE USER signer_user WITH PASSWORD 'signer_dev';
+
+-- Notifications
+CREATE USER notify_user WITH PASSWORD 'notify_dev';
+
+-- Signals & Observability
+CREATE USER signals_user WITH PASSWORD 'signals_dev';
+
+-- Registry
+CREATE USER packs_user WITH PASSWORD 'packs_dev';
+
+-- ============================================================================
+-- Log created users
+-- ============================================================================
+DO $$
+BEGIN
+    RAISE NOTICE 'Created per-module database users:';
+    RAISE NOTICE '  - authority_user, concelier_user, excititor_user';
+    RAISE NOTICE '  - scanner_user, scheduler_user, taskrunner_user';
+    RAISE NOTICE '  - policy_user, unknowns_user';
+    RAISE NOTICE '  - attestor_user, signer_user';
+    RAISE NOTICE '  - notify_user, signals_user, packs_user';
+END $$;
--- a/devops/compose/postgres-init/03-grant-permissions.sql
+++ b/devops/compose/postgres-init/03-grant-permissions.sql
@@ -0,0 +1,153 @@
+-- ============================================================================
+-- Per-Module Schema Permissions
+-- ============================================================================
+-- Grants each module user access to their respective schema(s).
+-- Users can only access tables in their designated schemas.
+-- ============================================================================
+
+-- ============================================================================
+-- Authority Module
+-- ============================================================================
+GRANT USAGE ON SCHEMA authority TO authority_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA authority TO authority_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA authority TO authority_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA authority GRANT ALL ON TABLES TO authority_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA authority GRANT ALL ON SEQUENCES TO authority_user;
+
+-- ============================================================================
+-- Concelier Module (uses 'vuln' schema)
+-- ============================================================================
+GRANT USAGE ON SCHEMA vuln TO concelier_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA vuln TO concelier_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA vuln TO concelier_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vuln GRANT ALL ON TABLES TO concelier_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vuln GRANT ALL ON SEQUENCES TO concelier_user;
+
+-- ============================================================================
+-- Excititor Module (uses 'vex' schema)
+-- ============================================================================
+GRANT USAGE ON SCHEMA vex TO excititor_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA vex TO excititor_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA vex TO excititor_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vex GRANT ALL ON TABLES TO excititor_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA vex GRANT ALL ON SEQUENCES TO excititor_user;
+
+-- ============================================================================
+-- Scanner Module
+-- ============================================================================
+GRANT USAGE ON SCHEMA scanner TO scanner_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA scanner TO scanner_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA scanner TO scanner_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA scanner GRANT ALL ON TABLES TO scanner_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA scanner GRANT ALL ON SEQUENCES TO scanner_user;
+
+-- ============================================================================
+-- Scheduler Module
+-- ============================================================================
+GRANT USAGE ON SCHEMA scheduler TO scheduler_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA scheduler TO scheduler_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA scheduler TO scheduler_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA scheduler GRANT ALL ON TABLES TO scheduler_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA scheduler GRANT ALL ON SEQUENCES TO scheduler_user;
+
+-- ============================================================================
+-- TaskRunner Module
+-- ============================================================================
+GRANT USAGE ON SCHEMA taskrunner TO taskrunner_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA taskrunner TO taskrunner_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA taskrunner TO taskrunner_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA taskrunner GRANT ALL ON TABLES TO taskrunner_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA taskrunner GRANT ALL ON SEQUENCES TO taskrunner_user;
+
+-- ============================================================================
+-- Policy Module
+-- ============================================================================
+GRANT USAGE ON SCHEMA policy TO policy_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA policy TO policy_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA policy TO policy_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA policy GRANT ALL ON TABLES TO policy_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA policy GRANT ALL ON SEQUENCES TO policy_user;
+
+-- ============================================================================
+-- Unknowns Module
+-- ============================================================================
+GRANT USAGE ON SCHEMA unknowns TO unknowns_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA unknowns TO unknowns_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA unknowns TO unknowns_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA unknowns GRANT ALL ON TABLES TO unknowns_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA unknowns GRANT ALL ON SEQUENCES TO unknowns_user;
+
+-- ============================================================================
+-- Attestor Module (uses 'proofchain' and 'attestor' schemas)
+-- ============================================================================
+GRANT USAGE ON SCHEMA proofchain TO attestor_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA proofchain TO attestor_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA proofchain TO attestor_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA proofchain GRANT ALL ON TABLES TO attestor_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA proofchain GRANT ALL ON SEQUENCES TO attestor_user;
+
+GRANT USAGE ON SCHEMA attestor TO attestor_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA attestor TO attestor_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA attestor TO attestor_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA attestor GRANT ALL ON TABLES TO attestor_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA attestor GRANT ALL ON SEQUENCES TO attestor_user;
+
+-- ============================================================================
+-- Signer Module
+-- ============================================================================
+GRANT USAGE ON SCHEMA signer TO signer_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA signer TO signer_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA signer TO signer_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA signer GRANT ALL ON TABLES TO signer_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA signer GRANT ALL ON SEQUENCES TO signer_user;
+
+-- ============================================================================
+-- Notify Module
+-- ============================================================================
+GRANT USAGE ON SCHEMA notify TO notify_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA notify TO notify_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA notify TO notify_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA notify GRANT ALL ON TABLES TO notify_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA notify GRANT ALL ON SEQUENCES TO notify_user;
+
+-- ============================================================================
+-- Signals Module
+-- ============================================================================
+GRANT USAGE ON SCHEMA signals TO signals_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA signals TO signals_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA signals TO signals_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA signals GRANT ALL ON TABLES TO signals_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA signals GRANT ALL ON SEQUENCES TO signals_user;
+
+-- ============================================================================
+-- Packs Registry Module
+-- ============================================================================
+GRANT USAGE ON SCHEMA packs TO packs_user;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA packs TO packs_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA packs TO packs_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA packs GRANT ALL ON TABLES TO packs_user;
+ALTER DEFAULT PRIVILEGES IN SCHEMA packs GRANT ALL ON SEQUENCES TO packs_user;
+
+-- ============================================================================
+-- Verification
+-- ============================================================================
+DO $$
+DECLARE
+    v_user TEXT;
+    v_schema TEXT;
+BEGIN
+    RAISE NOTICE 'Per-module permissions granted:';
+    RAISE NOTICE '  authority_user -> authority';
+    RAISE NOTICE '  concelier_user -> vuln';
+    RAISE NOTICE '  excititor_user -> vex';
+    RAISE NOTICE '  scanner_user -> scanner';
+    RAISE NOTICE '  scheduler_user -> scheduler';
+    RAISE NOTICE '  taskrunner_user -> taskrunner';
+    RAISE NOTICE '  policy_user -> policy';
+    RAISE NOTICE '  unknowns_user -> unknowns';
+    RAISE NOTICE '  attestor_user -> proofchain, attestor';
+    RAISE NOTICE '  signer_user -> signer';
+    RAISE NOTICE '  notify_user -> notify';
+    RAISE NOTICE '  signals_user -> signals';
+    RAISE NOTICE '  packs_user -> packs';
+END $$;