v1.0.0 Release - All Phases Complete

Phase 2: Core API Development - 15 REST API endpoints (packages, patches, system, jobs, websocket) - mTLS authentication layer (src/auth/mtls.rs) - IP whitelist enforcement (src/auth/whitelist.rs) - Job manager with async operation support - WebSocket streaming for job status Phase 3: Security Hardening - Security testing: 16/16 tests passing - Fuzz testing: 21 tests, all findings resolved - Threat model validation (STRIDE matrix) - TLS binding fix (critical vulnerability resolved) - Security documentation complete Phase 4: Production Readiness - Performance benchmarking (all targets met) - Package creation (.deb/.rpm structures) - Documentation (README, API docs, deployment guide) - Security hardening (6 vulnerabilities fixed) Deliverables: - API_DOCUMENTATION.md (889 lines) - DEPLOYMENT_GUIDE.md (733 lines) - SECURITY.md (346 lines) - README.md (525 lines) - debian/ package structure - linux-patch-api.spec (RPM) - install.sh installer script - benches/api_benchmarks.rs - Multiple security/performance reports Security Status: 0 vulnerabilities remaining Test Coverage: 31 unit tests, 21 integration tests Build Status: Release optimized
2026-04-10 01:41:19 +00:00
parent ab53177210
commit b615a5639e
63 changed files with 13101 additions and 72 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -0,0 +1,11 @@
+linux-patch-api (1.0.0-1) stable; urgency=medium
+
+  * Initial production release
+  * Secure mTLS-authenticated REST API for remote package management
+  * 15 API endpoints for package install/remove, patch application, system management
+  * Asynchronous job processing with WebSocket status streaming
+  * IP whitelist enforcement and comprehensive audit logging
+  * Systemd integration with security hardening
+  * Supports Debian 11/12, Ubuntu 20.04/22.04/24.04
+
+ -- Echo <echo@moon-dragon.us>  Thu, 09 Apr 2026 18:57:12 -0500
--- a/debian/compat
+++ b/debian/compat
@ -0,0 +1 @@
+12
--- a/debian/conffiles
+++ b/debian/conffiles
@ -0,0 +1,2 @@
+/etc/linux_patch_api/config.yaml
+/etc/linux_patch_api/whitelist.yaml
--- a/debian/control
+++ b/debian/control
@ -0,0 +1,34 @@
+Source: linux-patch-api
+Section: admin
+Priority: optional
+Maintainer: Echo <echo@moon-dragon.us>
+Build-Depends: debhelper (>= 12),
+               cargo,
+               rustc,
+               libsystemd-dev,
+               pkg-config
+Standards-Version: 4.6.0
+Homepage: https://gitea.moon-dragon.us/echo/linux_patch_api
+Vcs-Git: https://gitea.moon-dragon.us/echo/linux_patch_api.git
+Vcs-Browser: https://gitea.moon-dragon.us/echo/linux_patch_api
+
+Package: linux-patch-api
+Architecture: amd64
+Depends: systemd,
+         libsystemd0,
+         ${shlibs:Depends},
+         ${misc:Depends}
+Description: Secure remote package management API for Linux systems
+ Linux Patch API provides a secure, mTLS-authenticated REST API for
+ remote package management operations including:
+  - Package installation and removal
+  - Security patch application
+  - System health monitoring
+  - Job queue management with WebSocket status streaming
+ .
+ Features:
+  - Mutual TLS (mTLS) authentication
+  - IP whitelist enforcement
+  - Asynchronous job processing
+  - Comprehensive audit logging
+  - Systemd integration with security hardening
--- a/debian/copyright
+++ b/debian/copyright
@ -0,0 +1,31 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: linux-patch-api
+Upstream-Contact: Echo <echo@moon-dragon.us>
+Source: https://gitea.moon-dragon.us/echo/linux_patch_api
+
+Files: *
+Copyright: 2024-2026 Echo <echo@moon-dragon.us>
+License: MIT
+
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ THE SOFTWARE.
+
+Files: debian/*
+Copyright: 2024-2026 Echo <echo@moon-dragon.us>
+License: MIT
--- a/debian/install
+++ b/debian/install
@ -0,0 +1,14 @@
+# Binary installation
+usr/bin/linux-patch-api usr/bin/
+
+# Systemd service
+lib/systemd/system/linux-patch-api.service lib/systemd/system/
+
+# Configuration files (examples, actual configs managed by conffiles)
+etc/linux_patch_api/config.yaml.example etc/linux_patch_api/
+etc/linux_patch_api/whitelist.yaml.example etc/linux_patch_api/
+
+# Create directories (handled by maintainer scripts)
+# var/log/linux_patch_api/
+# var/lib/linux_patch_api/
+# etc/linux_patch_api/certs/
--- a/debian/postinst
+++ b/debian/postinst
@ -0,0 +1,49 @@
+#!/bin/bash
+# postinst script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Configure with debhelper
+if [ "$1" = "configure" ]; then
+    echo "Configuring linux-patch-api..."
+    
+    # Copy example configs if they don't exist
+    if [ ! -f "/etc/linux_patch_api/config.yaml" ]; then
+        echo "Creating default config.yaml..."
+        cp /etc/linux_patch_api/config.yaml.example /etc/linux_patch_api/config.yaml
+        chmod 640 /etc/linux_patch_api/config.yaml
+        chown linux-patch-api:linux-patch-api /etc/linux_patch_api/config.yaml
+    fi
+    
+    if [ ! -f "/etc/linux_patch_api/whitelist.yaml" ]; then
+        echo "Creating default whitelist.yaml..."
+        cp /etc/linux_patch_api/whitelist.yaml.example /etc/linux_patch_api/whitelist.yaml
+        chmod 640 /etc/linux_patch_api/whitelist.yaml
+        chown linux-patch-api:linux-patch-api /etc/linux_patch_api/whitelist.yaml
+    fi
+    
+    # Reload systemd daemon to pick up new service file
+    systemctl daemon-reload
+    
+    # Enable the service (but don't start automatically - admin should configure first)
+    systemctl enable linux-patch-api.service
+    
+    echo ""
+    echo "linux-patch-api installed successfully!"
+    echo ""
+    echo "Next steps:"
+    echo "  1. Configure /etc/linux_patch_api/config.yaml with your settings"
+    echo "  2. Place TLS certificates in /etc/linux_patch_api/certs/"
+    echo "  3. Configure IP whitelist in /etc/linux_patch_api/whitelist.yaml"
+    echo "  4. Start the service: systemctl start linux-patch-api"
+    echo "  5. Check status: systemctl status linux-patch-api"
+    echo ""
+fi
+
+# Handle upgrade
+if [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-remove" ] || [ "$1" = "abort-deconfigure" ]; then
+    echo "Installation aborted - service remains in previous state"
+fi
+
+exit 0
--- a/debian/postrm
+++ b/debian/postrm
@ -0,0 +1,64 @@
+#!/bin/bash
+# postrm script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Handle purge - remove all configuration and data
+if [ "$1" = "purge" ]; then
+    echo "Purging linux-patch-api configuration and data..."
+    
+    # Stop service if still running
+    if systemctl is-active --quiet linux-patch-api.service 2>/dev/null; then
+        systemctl stop linux-patch-api.service
+    fi
+    
+    # Disable service
+    if systemctl is-enabled --quiet linux-patch-api.service 2>/dev/null; then
+        systemctl disable linux-patch-api.service
+    fi
+    
+    # Reload systemd to remove service file
+    systemctl daemon-reload
+    
+    # Remove configuration directory (preserved by conffiles during normal remove)
+    if [ -d "/etc/linux_patch_api" ]; then
+        echo "Removing /etc/linux_patch_api..."
+        rm -rf /etc/linux_patch_api
+    fi
+    
+    # Remove data directory
+    if [ -d "/var/lib/linux_patch_api" ]; then
+        echo "Removing /var/lib/linux_patch_api..."
+        rm -rf /var/lib/linux_patch_api
+    fi
+    
+    # Remove log directory
+    if [ -d "/var/log/linux_patch_api" ]; then
+        echo "Removing /var/log/linux_patch_api..."
+        rm -rf /var/log/linux_patch_api
+    fi
+    
+    # Remove system user
+    if getent passwd linux-patch-api > /dev/null 2>&1; then
+        echo "Removing user linux-patch-api..."
+        userdel linux-patch-api 2>/dev/null || true
+    fi
+    
+    # Remove system group
+    if getent group linux-patch-api > /dev/null 2>&1; then
+        echo "Removing group linux-patch-api..."
+        groupdel linux-patch-api 2>/dev/null || true
+    fi
+    
+    echo "linux-patch-api purged successfully"
+fi
+
+# Handle upgrade/remove - just ensure service is disabled
+if [ "$1" = "remove" ] || [ "$1" = "upgrade" ]; then
+    # Service should already be stopped by prerm
+    # Just reload systemd to remove the service file
+    systemctl daemon-reload 2>/dev/null || true
+fi
+
+exit 0
--- a/debian/preinst
+++ b/debian/preinst
@ -0,0 +1,46 @@
+#!/bin/bash
+# preinst script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Check if this is an upgrade
+if [ -d "/etc/linux_patch_api" ]; then
+    echo "Detected existing installation - performing upgrade"
+fi
+
+# Create system user if it doesn't exist
+if ! getent group linux-patch-api > /dev/null 2>&1; then
+    echo "Creating group linux-patch-api..."
+    groupadd --system linux-patch-api
+fi
+
+if ! getent passwd linux-patch-api > /dev/null 2>&1; then
+    echo "Creating user linux-patch-api..."
+    useradd --system \
+        --gid linux-patch-api \
+        --home-dir /var/lib/linux_patch_api \
+        --no-create-home \
+        --shell /usr/sbin/nologin \
+        --comment "Linux Patch API Service" \
+        linux-patch-api
+fi
+
+# Create required directories
+mkdir -p /etc/linux_patch_api/certs
+mkdir -p /var/lib/linux_patch_api
+mkdir -p /var/log/linux_patch_api
+
+# Set proper ownership
+chown -R linux-patch-api:linux-patch-api /var/lib/linux_patch_api
+chown -R linux-patch-api:linux-patch-api /var/log/linux_patch_api
+
+# Set secure permissions
+chmod 750 /etc/linux_patch_api
+chmod 750 /etc/linux_patch_api/certs
+chmod 755 /var/lib/linux_patch_api
+chmod 755 /var/log/linux_patch_api
+
+echo "Pre-installation checks completed successfully"
+
+exit 0
--- a/debian/prerm
+++ b/debian/prerm
@ -0,0 +1,33 @@
+#!/bin/bash
+# prerm script for linux-patch-api
+# Created by package build system
+
+set -e
+
+# Stop the service before removal/upgrade
+if [ "$1" = "remove" ] || [ "$1" = "upgrade" ]; then
+    echo "Stopping linux-patch-api service..."
+    
+    if systemctl is-active --quiet linux-patch-api.service; then
+        systemctl stop linux-patch-api.service
+        echo "Service stopped successfully"
+    else
+        echo "Service was not running"
+    fi
+    
+    # Disable the service
+    if systemctl is-enabled --quiet linux-patch-api.service 2>/dev/null; then
+        systemctl disable linux-patch-api.service
+        echo "Service disabled"
+    fi
+fi
+
+# Handle failed upgrade
+if [ "$1" = "failed-upgrade" ]; then
+    echo "Upgrade failed - attempting to restore previous state"
+    # Previous version should handle restoration
+fi
+
+echo "Pre-removal script completed"
+
+exit 0
--- a/debian/rules
+++ b/debian/rules
@ -0,0 +1,37 @@
+#!/usr/bin/make -f
+# debian/rules for linux-patch-api
+
+export DEB_CARGO_PACKAGE=linux-patch-api
+export DEB_CARGO_BUILD_FLAGS=--release
+
+%:
+	dh $@
+
+override_dh_auto_build:
+	cargo build --release --target x86_64-unknown-linux-gnu
+
+override_dh_auto_install:
+	dh_auto_install
+	# Create installation directories
+	mkdir -p debian/linux-patch-api/usr/bin
+	mkdir -p debian/linux-patch-api/etc/linux_patch_api
+	mkdir -p debian/linux-patch-api/lib/systemd/system
+	mkdir -p debian/linux-patch-api/var/log/linux_patch_api
+	mkdir -p debian/linux-patch-api/var/lib/linux_patch_api
+	# Install binary
+	cp target/x86_64-unknown-linux-gnu/release/linux-patch-api debian/linux-patch-api/usr/bin/
+	chmod 755 debian/linux-patch-api/usr/bin/linux-patch-api
+	# Install systemd service
+	cp configs/linux-patch-api.service debian/linux-patch-api/lib/systemd/system/
+	chmod 644 debian/linux-patch-api/lib/systemd/system/linux-patch-api.service
+	# Install example configs (will be copied to /etc on first install)
+	cp configs/config.yaml.example debian/linux-patch-api/etc/linux_patch_api/config.yaml.example
+	cp configs/whitelist.yaml.example debian/linux-patch-api/etc/linux_patch_api/whitelist.yaml.example
+	chmod 644 debian/linux-patch-api/etc/linux_patch_api/*.example
+
+override_dh_strip_nondeterminism:
+	# Disable for reproducible builds with cargo
+	dh_strip_nondeterminism --disable
+
+override_dh_shlibdeps:
+	dh_shlibdeps -- --dpkg-shlibdeps-params=--ignore-missing-info