git-echo/linux_patch_manager
Private
Public Access
1
0
Fork 0
Code Releases 8 Wiki Activity

Compare commits

base: git-echo:v0.2.4
Branches Tags
git-echo:master git-echo:fix/pkcs8-ca-key-v1.1.14 git-echo:release/v1.1.13 git-echo:fix/postinst-tls-checksum-v1.1.13 git-echo:release/v1.1.12 git-echo:release/v1.1.11 git-echo:fix/migrations-as-patch-manager git-echo:release/v1.1.10 git-echo:fix/db-ownership git-echo:release/v1.1.9 git-echo:fix/lpm-service-startup git-echo:ci/node24-actions git-echo:release/v1.1.8 git-echo:fix/postinst-surgical-upgrade git-echo:release/v1.1.7 git-echo:fix/postinst-thorough-audit git-echo:release/v1.1.6 git-echo:fix/argon2-m-param git-echo:release/v1.1.5 git-echo:fix/docker-amd64-only git-echo:release/v1.1.4-fix git-echo:release/v1.1.4 git-echo:release/v1.1.3 git-echo:fix/docker-build-complete git-echo:release/v1.1.2 git-echo:fix/docker-ubuntu-24-04 git-echo:fix/docker-rust-version-bump git-echo:release/v1.1.1 git-echo:fix/docker-build-dependencies git-echo:release/v1.1.0 git-echo:feature/automated-install git-echo:release/v1.0.0 git-echo:test/15-authz-gate-integration git-echo:fix/maintenance-windows-race-condition
git-echo:v1.1.14 git-echo:v1.1.13 git-echo:v1.1.12 git-echo:v1.1.11 git-echo:v1.1.10 git-echo:v1.1.9 git-echo:v1.1.8 git-echo:v1.1.7 git-echo:v1.1.6 git-echo:v1.1.5 git-echo:v1.1.4 git-echo:v1.1.2 git-echo:v1.1.1 git-echo:v1.1.0 git-echo:v1.0.0 git-echo:v0.2.4 git-echo:v0.2.3 git-echo:v0.2.2 git-echo:v0.2.1 git-echo:v0.2.0 git-echo:v0.1.9 git-echo:v0.1.10 git-echo:v0.1.7
..
compare: git-echo:fix/docker-build-dependencies
Branches Tags
git-echo:master git-echo:fix/pkcs8-ca-key-v1.1.14 git-echo:release/v1.1.13 git-echo:fix/postinst-tls-checksum-v1.1.13 git-echo:release/v1.1.12 git-echo:release/v1.1.11 git-echo:fix/migrations-as-patch-manager git-echo:release/v1.1.10 git-echo:fix/db-ownership git-echo:release/v1.1.9 git-echo:fix/lpm-service-startup git-echo:ci/node24-actions git-echo:release/v1.1.8 git-echo:fix/postinst-surgical-upgrade git-echo:release/v1.1.7 git-echo:fix/postinst-thorough-audit git-echo:release/v1.1.6 git-echo:fix/argon2-m-param git-echo:release/v1.1.5 git-echo:fix/docker-amd64-only git-echo:release/v1.1.4-fix git-echo:release/v1.1.4 git-echo:release/v1.1.3 git-echo:fix/docker-build-complete git-echo:release/v1.1.2 git-echo:fix/docker-ubuntu-24-04 git-echo:fix/docker-rust-version-bump git-echo:release/v1.1.1 git-echo:fix/docker-build-dependencies git-echo:release/v1.1.0 git-echo:feature/automated-install git-echo:release/v1.0.0 git-echo:test/15-authz-gate-integration git-echo:fix/maintenance-windows-race-condition
git-echo:v1.1.14 git-echo:v1.1.13 git-echo:v1.1.12 git-echo:v1.1.11 git-echo:v1.1.10 git-echo:v1.1.9 git-echo:v1.1.8 git-echo:v1.1.7 git-echo:v1.1.6 git-echo:v1.1.5 git-echo:v1.1.4 git-echo:v1.1.2 git-echo:v1.1.1 git-echo:v1.1.0 git-echo:v1.0.0 git-echo:v0.2.4 git-echo:v0.2.3 git-echo:v0.2.2 git-echo:v0.2.1 git-echo:v0.2.0 git-echo:v0.1.9 git-echo:v0.1.10 git-echo:v0.1.7

7 Commits
v0.2.4 ... fix/docker

Author SHA1 Message Date
Draco-Lunaris-Echo
b4921d51a0 fix(docker): use ubuntu:24.04 runtime instead of debian:bookworm-slim
Some checks failed
CI Pipeline / Rust Format Check (pull_request) Successful in 6s
CI Pipeline / Clippy Lints (pull_request) Successful in 54s
CI Pipeline / Rust Unit Tests (pull_request) Failing after 1m20s
CI Pipeline / Security Audit (pull_request) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (pull_request) Successful in 15s
CI Pipeline / Build .deb & Release (pull_request) Has been skipped
The project targets Ubuntu 24.04, not Debian Bookworm. Ubuntu 24.04
includes PostgreSQL 16 in default repos, eliminating the need for the
PGDG APT repo workaround. Also fixes libssl3 → libssl3t64 package name
for the time64 transition in Ubuntu 24.04.
 2026-06-07 17:34:05 -05:00
Draco-Lunaris-Echo
455013db8e fix(docker): add PostgreSQL APT repo for postgresql-client-16
Some checks failed
CI Pipeline / Rust Format Check (pull_request) Successful in 4s
CI Pipeline / Clippy Lints (pull_request) Successful in 52s
CI Pipeline / Rust Unit Tests (pull_request) Failing after 1m21s
CI Pipeline / Security Audit (pull_request) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (pull_request) Successful in 14s
CI Pipeline / Build .deb & Release (pull_request) Has been skipped
Debian Bookworm default repos only ship PostgreSQL 15. The Docker
runtime stage needs postgresql-client-16 for the entrypoint script,
so add the official PGDG APT repository.

- Add PGDG GPG key and sources.list entry for bookworm-pgdg
- Install ca-certificates and curl first (needed for repo setup)
- Purge gnupg2 after use to keep image lean
- Verify argon2 package name is correct for Bookworm (it is)
 2026-06-07 17:21:37 -05:00
Draco-Lunaris-Echo
2d3be0955b chore: bump version to 1.1.0 (#43)
Some checks failed
CI Pipeline / Rust Format Check (push) Successful in 3s
CI Pipeline / Clippy Lints (push) Successful in 52s
CI Pipeline / Rust Unit Tests (push) Failing after 1m25s
CI Pipeline / Security Audit (push) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 14s
CI Pipeline / Build .deb & Release (push) Has been skipped
 2026-06-07 17:01:01 -05:00
Draco-Lunaris-Echo
a5343760e1 feat: Automated install, Docker deployment, and CI Docker job (#42)
Some checks failed
CI Pipeline / Rust Format Check (push) Successful in 4s
CI Pipeline / Clippy Lints (push) Successful in 51s
CI Pipeline / Rust Unit Tests (push) Failing after 1m20s
CI Pipeline / Security Audit (push) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 15s
CI Pipeline / Build .deb & Release (push) Has been skipped
- debian/control: add Pre-Depends and Depends on postgresql-16, argon2
- debian/postinst: idempotent automation for PostgreSQL setup,
  DB/user creation, migration tracking, admin password generation,
  config write, and service enable/start
- Dockerfile: multi-stage build (Rust + frontend + slim runtime)
- docker/entrypoint.sh: first-run DB wait, migrations, admin password
- docker-compose.yml: split db/app architecture with healthcheck
- .env.example: template for DB_PASSWORD and TAG
- .dockerignore: exclude build artifacts from Docker context
- .github/workflows/ci.yml: add Docker job for multi-arch
  (amd64/arm64) GHCR push on tag releases with layer caching
- .gitignore: add .env entry
 2026-06-07 16:20:08 -05:00
Draco-Lunaris-Echo
209480dd43 Release v1.0.0 (#41)
Some checks failed
CI Pipeline / Rust Format Check (push) Successful in 3s
CI Pipeline / Clippy Lints (push) Successful in 51s
CI Pipeline / Rust Unit Tests (push) Failing after 1m26s
CI Pipeline / Security Audit (push) Successful in 4s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 15s
CI Pipeline / Build .deb & Release (push) Has been skipped
* chore: bump version to 1.0.0

* fix: BusyBox-compatible timing and set -e safety in shell scripts
 2026-06-07 13:27:21 -05:00
Draco-Lunaris-Echo
5fa1fef6c8 fix: remove committed private keys and add gitleaks CI
Some checks failed
CI Pipeline / Rust Format Check (push) Successful in 5s
CI Pipeline / Clippy Lints (push) Successful in 51s
CI Pipeline / Rust Unit Tests (push) Failing after 1m31s
CI Pipeline / Security Audit (push) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 14s
CI Pipeline / Build .deb & Release (push) Has been skipped
- Remove all cert files from git tracking (git rm --cached)
  - crates/pm-agent-client/certs/client.key (private key)
  - crates/pm-agent-client/certs/client.crt (public cert)
  - crates/pm-agent-client/certs/ca.crt (public cert)
- Add .gitignore patterns for *.key, *.key.pem, certs/*.crt, certs/*.pem
- Update pm-agent-client doc examples to use std::fs::read() instead of include_bytes!
- Add gitleaks secret scanning job to CI workflow
- Update security-review.md with critical finding for Issue #12
- Add README.md to crates/pm-agent-client/certs/ explaining runtime cert generation

Private keys were dev/test only - no production key rotation needed.
Git history purge with filter-repo will follow after PR merge.

Co-authored-by: Draco Lunaris <331325+Draco-Lunaris@users.noreply.github.com>
 2026-06-06 13:20:52 -05:00
Draco-Lunaris-Echo
e6dd1b8489 test: add authz gate integration tests (closes #15)
All checks were successful
CI Pipeline / Rust Format Check (push) Successful in 4s
CI Pipeline / Clippy Lints (push) Successful in 51s
CI Pipeline / Rust Unit Tests (push) Successful in 1m56s
CI Pipeline / Security Audit (push) Successful in 4s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 15s
CI Pipeline / Build .deb & Release (push) Has been skipped
* test: add authz gate integration tests (closes #15)

* fix: separate authz gate 403 tests from DB-dependent tests

---------

Co-authored-by: Draco Lunaris <331325+Draco-Lunaris@users.noreply.github.com>
 2026-06-06 11:18:11 -05:00
28 changed files with 1842 additions and 464 deletions
Expand all files Collapse all files

40
.dockerignore Normal file
View File

@ -0,0 +1,40 @@
# Build artifacts
target/
*.deb
package-build/
# Frontend build output (rebuilt in Docker)
frontend/dist/
frontend/node_modules/
# Git
.git/
.gitignore
# IDE
.vscode/
.idea/
# Docker
Dockerfile
docker-compose.yml
.dockerignore
# Environment
.env
.env.*
# Documentation
docs/
# Agent Zero project data
.a0proj/
# Python
venv/
__pycache__/
# Misc
*.md
!README.md
LICENSE

8
.env.example Normal file
View File

@ -0,0 +1,8 @@
# Linux Patch Manager — Docker Environment Variables
# Copy this file to .env and edit the values before running docker compose up.
# Required: PostgreSQL password for the patch_manager user
DB_PASSWORD=changeme-to-a-strong-password
# Optional: Docker image tag (defaults to 'latest' if not set)
TAG=latest

56
.github/workflows/ci.yml vendored
View File

@ -12,6 +12,7 @@ env:
permissions:
contents: write
packages: write
jobs:
rust-format:
@ -57,6 +58,18 @@ jobs:
- uses: dtolnay/rust-toolchain@stable
- run: cargo install cargo-audit && cargo audit
gitleaks:
name: Secret scanning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
frontend-lint:
name: Frontend Lint
runs-on: ubuntu-latest
@ -116,3 +129,46 @@ jobs:
with:
body: ${{ steps.release_notes.outputs.notes }}
files: linux-patch-manager_*.deb
docker:
name: Docker Build & Push
needs: [rust-format, clippy, rust-test, security-audit, frontend-lint]
if: startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/draco-lunaris/linux-patch-manager
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max

11
.gitignore vendored
View File

@ -28,5 +28,12 @@ frontend/dist
*.deb
package-build/
# TLS certificates - generated on first run
crates/pm-agent-client/certs/
# Docker environment
.env
# Private key material - NEVER commit
*.key
*.key.pem
crates/pm-agent-client/certs/*.crt
crates/pm-agent-client/certs/*.key
crates/pm-agent-client/certs/*.pem

82
Cargo.lock generated
View File

@ -139,6 +139,16 @@ dependencies = [
"syn",
]
[[package]]
name = "assert-json-diff"
version = "2.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "47e4f2b81832e72834d7518d8487a0396a28cc408186a2e8854c0f98011faf12"
dependencies = [
"serde",
"serde_json",
]
[[package]]
name = "async-trait"
version = "0.1.89"
@ -475,6 +485,15 @@ version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3d7b894f5411737b7867f4827955924d7c254fc9f4d91a6aad6b097804b1018b"
[[package]]
name = "colored"
version = "3.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "faf9468729b8cbcea668e36183cb69d317348c2e08e994829fb56ebfdfbaac34"
dependencies = [
"windows-sys 0.61.2",
]
[[package]]
name = "concurrent-queue"
version = "2.5.0"
@ -2043,7 +2062,7 @@ checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
[[package]]
name = "migrate-secrets"
version = "0.2.3"
version = "0.2.4"
dependencies = [
"anyhow",
"hex",
@ -2096,6 +2115,31 @@ dependencies = [
"windows-sys 0.61.2",
]
[[package]]
name = "mockito"
version = "1.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "90820618712cab19cfc46b274c6c22546a82affcb3c3bdf0f29e3db8e1bb92c0"
dependencies = [
"assert-json-diff",
"bytes",
"colored",
"futures-core",
"http",
"http-body",
"http-body-util",
"hyper",
"hyper-util",
"log",
"pin-project-lite",
"rand 0.9.4",
"regex",
"serde_json",
"serde_urlencoded",
"similar",
"tokio",
]
[[package]]
name = "moxcms"
version = "0.8.1"
@ -2548,7 +2592,7 @@ dependencies = [
[[package]]
name = "pm-agent-client"
version = "0.2.3"
version = "0.2.4"
dependencies = [
"anyhow",
"chrono",
@ -2565,7 +2609,7 @@ dependencies = [
[[package]]
name = "pm-auth"
version = "0.2.3"
version = "0.2.4"
dependencies = [
"anyhow",
"argon2",
@ -2593,7 +2637,7 @@ dependencies = [
[[package]]
name = "pm-ca"
version = "0.2.3"
version = "0.2.4"
dependencies = [
"anyhow",
"chrono",
@ -2617,7 +2661,7 @@ dependencies = [
[[package]]
name = "pm-core"
version = "0.2.3"
version = "0.2.4"
dependencies = [
"aes-gcm",
"anyhow",
@ -2641,7 +2685,7 @@ dependencies = [
[[package]]
name = "pm-reports"
version = "0.2.3"
version = "0.2.4"
dependencies = [
"anyhow",
"chrono",
@ -2661,7 +2705,7 @@ dependencies = [
[[package]]
name = "pm-web"
version = "0.2.3"
version = "0.2.4"
dependencies = [
"anyhow",
"axum",
@ -2672,14 +2716,17 @@ dependencies = [
"dashmap 6.1.0",
"governor 0.6.3",
"hex",
"http-body-util",
"ipnet",
"jsonwebtoken",
"lettre",
"mockito",
"pm-auth",
"pm-ca",
"pm-core",
"pm-reports",
"rand 0.8.6",
"rcgen",
"reqwest",
"rustls",
"serde",
@ -2688,6 +2735,7 @@ dependencies = [
"sqlx",
"tempfile",
"thiserror 2.0.18",
"time",
"tokio",
"tower",
"tower-http",
@ -2702,7 +2750,7 @@ dependencies = [
[[package]]
name = "pm-worker"
version = "0.2.3"
version = "0.2.4"
dependencies = [
"anyhow",
"chrono",
@ -3082,6 +3130,18 @@ dependencies = [
"thiserror 2.0.18",
]
[[package]]
name = "regex"
version = "1.12.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276"
dependencies = [
"aho-corasick",
"memchr",
"regex-automata",
"regex-syntax",
]
[[package]]
name = "regex-automata"
version = "0.4.14"
@ -3521,6 +3581,12 @@ version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "703d5c7ef118737c72f1af64ad2f6f8c5e1921f818cdcb97b8fe6fc69bf66214"
[[package]]
name = "similar"
version = "2.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbbb5d9659141646ae647b42fe094daf6c6192d1620870b449d9557f748b2daa"
[[package]]
name = "simple_asn1"
version = "0.6.4"

2
Cargo.toml
View File

@ -12,7 +12,7 @@ members = [
]
[workspace.package]
version = "0.2.4"
version = "1.1.0"
edition = "2021"
authors = ["Echo <echo@moon-dragon.us>"]
license = "MIT"

111
Dockerfile Normal file
View File

@ -0,0 +1,111 @@
# =============================================================================
# Linux Patch Manager — Multi-stage Docker Build
# =============================================================================
# Build: docker build -t linux-patch-manager .
# Run: docker compose up
# =============================================================================
# ---------------------------------------------------------------------------
# Stage 1: Rust build
# ---------------------------------------------------------------------------
FROM rust:1.82-bookworm AS rust-builder
RUN apt-get update && apt-get install -y \
pkg-config \
libssl-dev \
libfontconfig1-dev \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /usr/src/app
# Cache dependencies by building a dummy project first
COPY Cargo.toml Cargo.lock ./
RUN mkdir -p crates/pm-web/src crates/pm-worker/src crates/pm-core/src \
crates/pm-agent-client/src crates/pm-auth/src crates/pm-ca/src \
crates/pm-reports/src crates/migrate-secrets/src
RUN echo 'fn main(){}' > crates/pm-web/src/main.rs \
&& echo 'fn main(){}' > crates/pm-worker/src/main.rs \
&& echo '' > crates/pm-core/src/lib.rs \
&& echo '' > crates/pm-agent-client/src/lib.rs \
&& echo '' > crates/pm-auth/src/lib.rs \
&& echo '' > crates/pm-ca/src/lib.rs \
&& echo '' > crates/pm-reports/src/lib.rs \
&& echo 'fn main(){}' > crates/migrate-secrets/src/main.rs
RUN cargo build --release 2>/dev/null || true
# Now build the real project
COPY crates/ crates/
RUN cargo build --release
# Verify binaries exist
RUN ls -la target/release/pm-web target/release/pm-worker
# Strip debug symbols
RUN strip target/release/pm-web target/release/pm-worker
# ---------------------------------------------------------------------------
# Stage 2: Frontend build
# ---------------------------------------------------------------------------
FROM node:20-bookworm-slim AS frontend-builder
WORKDIR /usr/src/app/frontend
COPY frontend/package.json frontend/package-lock.json ./
RUN npm ci --production=false
COPY frontend/ ./
RUN npm run build
# ---------------------------------------------------------------------------
# Stage 3: Runtime
# ---------------------------------------------------------------------------
FROM ubuntu:24.04 AS runtime
RUN apt-get update && apt-get install -y \
ca-certificates \
libssl3t64 \
libfontconfig1 \
postgresql-client-16 \
argon2 \
curl \
&& rm -rf /var/lib/apt/lists/*
# Create service user
RUN useradd --system --no-create-home --shell /usr/sbin/nologin \
--comment "Linux Patch Manager service account" patch-manager
# Create directories
RUN mkdir -p /etc/patch-manager/ca /etc/patch-manager/certs \
/etc/patch-manager/jwt /etc/patch-manager/tls \
/var/log/patch-manager /opt/patch-manager \
/usr/share/patch-manager/frontend \
/usr/share/patch-manager/migrations
# Copy binaries
COPY --from=rust-builder /usr/src/app/target/release/pm-web /usr/local/bin/pm-web
COPY --from=rust-builder /usr/src/app/target/release/pm-worker /usr/local/bin/pm-worker
# Copy frontend
COPY --from=frontend-builder /usr/src/app/frontend/dist/ /usr/share/patch-manager/frontend/
# Copy migrations
COPY migrations/ /usr/share/patch-manager/migrations/
# Copy entrypoint
COPY docker/entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod 755 /usr/local/bin/entrypoint.sh
# Copy config template
COPY config/config.example.toml /usr/share/patch-manager/config.example.toml
# Set ownership
RUN chown -R patch-manager:patch-manager \
/etc/patch-manager /var/log/patch-manager \
/opt/patch-manager /usr/share/patch-manager
# Expose HTTPS port
EXPOSE 443
# Volume for persistent data
VOLUME ["/etc/patch-manager", "/var/log/patch-manager", "/opt/patch-manager"]
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

31
crates/pm-agent-client/certs/README.md Normal file
View File

@ -0,0 +1,31 @@
# Agent Client Certificates
**⚠️ Private keys are NOT committed to version control.**
This directory holds mTLS certificates used by `pm-agent-client` for testing.
The entire directory is excluded from git via `.gitignore`.
## Generating Test Certificates
Certificates are generated automatically on first run by the `pm-ca` service,
or you can generate them manually for development:
```bash
# Create certs directory if it doesn't exist
mkdir -p crates/pm-agent-client/certs
# Generate using the pm-ca service (preferred)
# Or copy from /etc/patch-manager/certs/ on a deployed host
```
## Production Deployment
Production certificates are managed by `pm-ca` at `/etc/patch-manager/certs/`.
The `pm-agent-client` reads certificates from file paths configured in
`config.toml` (`agent_client_cert_path`, `agent_client_key_path`, `ca_cert_path`).
## Security
- **Never commit private keys** (`*.key`, `*.key.pem`) to version control
- The `gitleaks` CI check scans for accidentally committed secrets
- See `SECURITY.md` and `docs/security-review.md` for full details

12
crates/pm-agent-client/certs/ca.crt
View File

@ -1,12 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIBkTCB+wIJAKHBFPtE1bEMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBnRlc3Rj
YTAeFw0yNjA0MjcxNDAwMDBaFw0yNzA0MjcxNDAwMDBaMBExDzANBgNVBAMMBnRlc3Rj
YTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC5N8fT9nYdPj0N8dPj0N8dPj0N8dPj0N
8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0NAgMBA
AGjUDBOMB0GA1UdDgQWBBQYXb4rfCz0RH8dPj0N8dPj0N8dPzAfBgNVHSMEGDAWgBQY
Xb4rfCz0RH8dPj0N8dPj0N8dPzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
A0EAq1rryuD9f8fT9nYdPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N
8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj
0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8d
Pj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N
-----END CERTIFICATE-----

12
crates/pm-agent-client/certs/client.crt
View File

@ -1,12 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIBkTCB+wIJAKHBFPtE1bEMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBnRlc3Rj
YTAeFw0yNjA0MjcxNDAwMDBaFw0yNzA0MjcxNDAwMDBaMBExDzANBgNVBAMMBnRlc3Rj
YTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC5N8fT9nYdPj0N8dPj0N8dPj0N8dPj0N
8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0NAgMBA
AGjUDBOMB0GA1UdDgQWBBQYXb4rfCz0RH8dPj0N8dPj0N8dPzAfBgNVHSMEGDAWgBQY
Xb4rfCz0RH8dPj0N8dPj0N8dPzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
A0EAq1rryuD9f8fT9nYdPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N
8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj
0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8d
Pj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N8dPj0N
-----END CERTIFICATE-----

19
crates/pm-agent-client/certs/client.key
View File

@ -1,19 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAuTfH0/Z2HT49DfHT
49DfHT49DfHT49DfHT49DfHT49DfHT49DfHT49DfHT49DfHT49DfHT49DfHT49Df
HT49DfHT49DfHT49DfHT49DfHQIDAQABAkEArWvK64P1/x9P2dh0+PQ3x0+PQ3x0
+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ
3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x
0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0
+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+
PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+
PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+
PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+
PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+
PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+
PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+
PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+
PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+
PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+
PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+PQ3x0+
-----END PRIVATE KEY-----

11
crates/pm-agent-client/src/client.rs Executable file → Normal file
View File

@ -6,12 +6,17 @@
//! use pm_agent_client::client::AgentClient;
//!
//! # async fn example() -> Result<(), pm_agent_client::error::AgentClientError> {
//! // Load certificates from files (never hardcode or include_bytes! private keys)
//! let client_cert = std::fs::read("/etc/patch-manager/certs/client.crt")?;
//! let client_key = std::fs::read("/etc/patch-manager/certs/client.key")?;
//! let ca_cert = std::fs::read("/etc/patch-manager/ca/ca.crt")?;
//!
//! let client = AgentClient::new(
//! "192.168.1.10",
//! 12443,
//! include_bytes!("../certs/client.crt"),
//! include_bytes!("../certs/client.key"),
//! include_bytes!("../certs/ca.crt"),
//! &client_cert,
//! &client_key,
//! &ca_cert,
//! )?;
//!
//! let health = client.health().await?;

11
crates/pm-agent-client/src/lib.rs Executable file → Normal file
View File

@ -10,12 +10,17 @@
//! use pm_agent_client::AgentClient;
//!
//! # async fn run() -> Result<(), pm_agent_client::AgentClientError> {
//! // Load certificates from files (never hardcode or include_bytes! private keys)
//! let client_cert = std::fs::read("/etc/patch-manager/certs/client.crt")?;
//! let client_key = std::fs::read("/etc/patch-manager/certs/client.key")?;
//! let ca_cert = std::fs::read("/etc/patch-manager/ca/ca.crt")?;
//!
//! let client = AgentClient::new(
//! "10.0.1.5",
//! 12443,
//! include_bytes!("../certs/client.crt"),
//! include_bytes!("../certs/client.key"),
//! include_bytes!("../certs/ca.crt"),
//! &client_cert,
//! &client_key,
//! &ca_cert,
//! )?;
//!
//! let health = client.health().await?;

9
crates/pm-web/Cargo.toml
View File

@ -5,6 +5,10 @@ edition.workspace = true
authors.workspace = true
license.workspace = true
[lib]
name = "pm_web"
path = "src/lib.rs"
[[bin]]
name = "pm-web"
path = "src/main.rs"
@ -46,4 +50,9 @@ url = { workspace = true }
urlencoding = "2"
[dev-dependencies]
tower = { version = "0.5", features = ["util"] }
http-body-util = "0.1"
mockito = "1"
tempfile = "3"
rcgen = { workspace = true }
time = { workspace = true }

248
crates/pm-web/src/lib.rs Normal file
View File

@ -0,0 +1,248 @@
//! pm-web — Linux Patch Manager web server (library crate).
//!
//! Re-exports [`AppState`], [`build_router`], and [`health_handler`] so that
//! integration tests can construct a test application without depending on
//! the binary entry-point.
pub mod routes;
pub mod secret_key;
use axum::{extract::State, http::StatusCode, middleware, response::Json, routing::get, Router};
use dashmap::DashMap;
use pm_auth::{
password::hash_password,
rbac::{require_auth, AuthConfig},
};
use pm_core::{config::AppConfig, models::ApprovedEntry, request_id::request_id_middleware};
use rand::Rng;
use routes::sso::{OidcCache, SsoHandoff, SsoSession};
use routes::ws::WsTicket;
use serde_json::{json, Value};
use std::sync::Arc;
use tokio::sync::Mutex;
use tower_governor::{
governor::GovernorConfigBuilder, key_extractor::SmartIpKeyExtractor, GovernorLayer,
};
use tower_http::{
services::{ServeDir, ServeFile},
trace::TraceLayer,
};
/// Placeholder Argon2id hash prefix used in the seed admin migration (issue #8).
/// Detecting this prefix means the admin password has not been bootstrapped yet.
const ADMIN_PLACEHOLDER_HASH_PREFIX: &str = "$argon2id$v=19$m=65536,t=3,p=1$AAAAAAAAAAAAAAAA";
/// Bootstrap the default admin account with a random password.
///
/// On first startup after a fresh install, the `users` table contains the seed
/// admin row with a clearly-invalid placeholder hash (cannot validate any password).
/// This function detects that placeholder, generates a cryptographically random
/// 24-character password, hashes it with Argon2id, and UPDATEs the admin row.
///
/// The plaintext password is printed **once** to stderr (visible in `systemctl status`
/// or `journalctl`) and is never stored on disk.
///
/// If the admin row already has a real hash, this function is a no-op.
pub async fn bootstrap_admin_password(pool: &sqlx::PgPool) {
let result: Option<String> = sqlx::query_scalar(
"SELECT password_hash FROM users WHERE username = 'admin' AND auth_provider = 'local'",
)
.fetch_optional(pool)
.await
.unwrap_or(None);
let current_hash = match result {
Some(h) => h,
None => return,
};
if !current_hash.starts_with(ADMIN_PLACEHOLDER_HASH_PREFIX) {
return;
}
let password: String = rand::thread_rng()
.sample_iter(&rand::distributions::Alphanumeric)
.take(24)
.map(char::from)
.collect();
let new_hash = match hash_password(&password) {
Ok(h) => h,
Err(e) => {
tracing::error!(error = %e, "Failed to hash bootstrap admin password");
return;
},
};
let rows = sqlx::query(
r#"UPDATE users
SET password_hash = $1
WHERE username = 'admin'
AND auth_provider = 'local'
AND password_hash LIKE '$argon2id$v=19$m=65536,t=3,p=1$AAAAAAAAAAAAAAAA%'"#,
)
.bind(&new_hash)
.execute(pool)
.await;
match rows {
Ok(result) if result.rows_affected() == 1 => {
eprintln!();
eprintln!("========================================");
eprintln!(" INITIAL ADMIN PASSWORD (shown once)");
eprintln!(" Username: admin");
eprintln!(" Password: {}", password);
eprintln!();
eprintln!(" You will be forced to change this on first login.");
eprintln!(" If lost, restart the service to generate a new one.");
eprintln!("========================================");
eprintln!();
tracing::info!("Bootstrap admin password generated and set");
},
Ok(_) => {
tracing::info!("Admin password already bootstrapped (concurrent or prior)");
},
Err(e) => {
tracing::error!(error = %e, "Failed to update admin password hash");
},
}
}
/// Shared application state threaded through Axum.
#[derive(Clone)]
pub struct AppState {
pub db: sqlx::PgPool,
pub config: Arc<AppConfig>,
pub signing_key_pem: String,
pub auth_config: Arc<AuthConfig>,
/// In-memory store for single-use WebSocket authentication tickets.
pub ws_tickets: Arc<DashMap<String, WsTicket>>,
/// In-memory store for SSO PKCE sessions (state → code_verifier).
pub sso_sessions: Arc<DashMap<String, SsoSession>>,
/// In-memory store for SSO handoff codes (single-use, 60s TTL).
/// See `tasks/sso-token-handoff-spec.md` §4.1.
pub sso_handoffs: Arc<DashMap<String, SsoHandoff>>,
/// Cached OIDC discovery document and JWKS for SSO id_token verification.
pub oidc_cache: Arc<Mutex<OidcCache>>,
/// Internal certificate authority for mTLS client cert issuance.
pub ca: Arc<pm_ca::CertAuthority>,
/// Short-lived cache for approved enrollment PKI bundles.
///
/// Entries are single-use (removed on retrieval) and expire after
/// [`ENROLLMENT_BUNDLE_TTL_SECS`](pm_core::models::ENROLLMENT_BUNDLE_TTL_SECS).
pub approved_enrollments: Arc<DashMap<String, ApprovedEntry>>,
}
/// Construct the full Axum router.
pub fn build_router(state: AppState) -> Router {
let static_dir = state.config.server.static_dir.clone();
let auth_config = state.auth_config.clone();
let rl = &state.config.rate_limit;
// Enrollment rate limiting: strict (5 req/min per IP, burst 3)
let enrollment_governor = Arc::new(
GovernorConfigBuilder::default()
.key_extractor(SmartIpKeyExtractor)
.per_millisecond(12_000)
.burst_size(rl.enrollment_burst)
.finish()
.expect("Invalid enrollment governor config"),
);
// Auth rate limiting: moderate (20 req/min per IP, burst 10)
let auth_governor = Arc::new(
GovernorConfigBuilder::default()
.key_extractor(SmartIpKeyExtractor)
.per_millisecond(3_000)
.burst_size(rl.auth_burst)
.finish()
.expect("Invalid auth governor config"),
);
// API rate limiting: normal (120 req/min per IP, burst 30)
let api_governor = Arc::new(
GovernorConfigBuilder::default()
.key_extractor(SmartIpKeyExtractor)
.per_millisecond(500)
.burst_size(rl.api_burst)
.finish()
.expect("Invalid API governor config"),
);
// Enrollment routes with strict per-IP rate limiting
let enrollment_router =
routes::enrollment::router().layer(GovernorLayer::new(enrollment_governor));
// Public auth routes with moderate per-IP rate limiting
let auth_public_router =
routes::auth::public_router().layer(GovernorLayer::new(Arc::clone(&auth_governor)));
// SSO routes with moderate per-IP rate limiting
let sso_public_router =
routes::sso::public_router().layer(GovernorLayer::new(Arc::clone(&auth_governor)));
let sso_azure_router =
routes::sso::azure_compat_router().layer(GovernorLayer::new(auth_governor));
// All protected API routes — require valid JWT, with normal per-IP rate limiting
let protected_api = Router::new()
.nest("/auth", routes::auth::protected_router())
.nest("/hosts", routes::hosts::router())
.nest("/hosts", routes::ca::host_cert_router())
.nest("/groups", routes::groups::router())
.nest("/users", routes::users::router())
.nest("/discovery", routes::discovery::router())
.nest("/status", routes::status::router())
.nest("/jobs", routes::jobs::router())
.nest(
"/hosts/{host_id}/maintenance-windows",
routes::maintenance_windows::router(),
)
.nest(
"/maintenance-windows",
routes::maintenance_windows::all_windows_router(),
)
.nest("/ca", routes::ca::ca_router())
.nest("/certificates", routes::ca::certs_router())
.merge(routes::ws::ticket_router())
.nest("/reports", routes::reports::router())
.nest(
"/hosts/{host_id}/health-checks",
routes::health_checks::router(),
)
.nest("/settings", routes::settings::router())
.nest("/admin", routes::enrollment::admin_router())
.layer(GovernorLayer::new(api_governor))
.route_layer(middleware::from_fn(move |req, next| {
let auth_config = auth_config.clone();
require_auth(auth_config, req, next)
}));
Router::new()
.route("/status/health", get(health_handler))
.nest("/api/v1/auth", auth_public_router)
.nest("/api/v1", enrollment_router)
.nest("/api/v1", routes::pki::router())
.nest("/api/v1/auth/sso", sso_public_router)
.nest("/api/v1/auth/azure", sso_azure_router)
.nest("/api/v1", protected_api)
.merge(routes::ws::ws_router())
.fallback_service(
ServeDir::new(&static_dir)
.append_index_html_on_directories(true)
.fallback(ServeFile::new(format!("{}/index.html", static_dir))),
)
.layer(middleware::from_fn(request_id_middleware))
.layer(TraceLayer::new_for_http())
.with_state(state)
}
pub async fn health_handler(State(state): State<AppState>) -> Result<Json<Value>, StatusCode> {
let db_ok = sqlx::query("SELECT 1").execute(&state.db).await.is_ok();
let status = if db_ok { "healthy" } else { "degraded" };
let body = json!({ "service": "patch-manager-web", "version": env!("CARGO_PKG_VERSION"), "status": status, "database": if db_ok { "ok" } else { "error" } });
if db_ok {
Ok(Json(body))
} else {
Err(StatusCode::SERVICE_UNAVAILABLE)
}
}

305
crates/pm-web/src/main.rs
View File

@ -1,145 +1,13 @@
//! pm-web — Linux Patch Manager web server.
//! pm-web — Linux Patch Manager web server (binary entry-point).
mod routes;
mod secret_key;
use axum::{extract::State, http::StatusCode, middleware, response::Json, routing::get, Router};
use axum_server::tls_rustls::RustlsConfig;
use dashmap::DashMap;
use pm_auth::{
jwt,
password::hash_password,
rbac::{require_auth, AuthConfig},
};
use pm_core::{
config::AppConfig, db, logging, models::ApprovedEntry, request_id::request_id_middleware,
};
use rand::Rng;
use routes::sso::{OidcCache, SsoHandoff, SsoSession};
use routes::ws::WsTicket;
use serde_json::{json, Value};
use pm_auth::{jwt, rbac::AuthConfig};
use pm_core::{config::AppConfig, db, models::ApprovedEntry};
use pm_web::routes::sso::{OidcCache, SsoHandoff, SsoSession};
use pm_web::routes::ws::WsTicket;
use pm_web::{bootstrap_admin_password, build_router, AppState};
use std::{net::SocketAddr, sync::Arc, time::Duration};
use tokio::sync::Mutex;
use tower_governor::{
governor::GovernorConfigBuilder, key_extractor::SmartIpKeyExtractor, GovernorLayer,
};
use tower_http::{
services::{ServeDir, ServeFile},
trace::TraceLayer,
};
/// Placeholder Argon2id hash prefix used in the seed admin migration (issue #8).
/// Detecting this prefix means the admin password has not been bootstrapped yet.
const ADMIN_PLACEHOLDER_HASH_PREFIX: &str = "$argon2id$v=19$m=65536,t=3,p=1$AAAAAAAAAAAAAAAA";
/// Bootstrap the default admin account with a random password.
///
/// On first startup after a fresh install, the `users` table contains the seed
/// admin row with a clearly-invalid placeholder hash (cannot validate any password).
/// This function detects that placeholder, generates a cryptographically random
/// 24-character password, hashes it with Argon2id, and UPDATEs the admin row.
///
/// The plaintext password is printed **once** to stderr (visible in `systemctl status`
/// or `journalctl`) and is never stored on disk.
///
/// If the admin row already has a real hash, this function is a no-op.
async fn bootstrap_admin_password(pool: &sqlx::PgPool) {
// Check if the admin account still has the placeholder hash.
let result: Option<String> = sqlx::query_scalar(
"SELECT password_hash FROM users WHERE username = 'admin' AND auth_provider = 'local'",
)
.fetch_optional(pool)
.await
.unwrap_or(None);
let current_hash = match result {
Some(h) => h,
None => return, // No admin row — nothing to bootstrap.
};
if !current_hash.starts_with(ADMIN_PLACEHOLDER_HASH_PREFIX) {
// Admin already has a real password — nothing to do.
return;
}
// Generate a 24-character random alphanumeric password.
let password: String = rand::thread_rng()
.sample_iter(&rand::distributions::Alphanumeric)
.take(24)
.map(char::from)
.collect();
// Hash it with the application's Argon2id parameters.
let new_hash = match hash_password(&password) {
Ok(h) => h,
Err(e) => {
tracing::error!(error = %e, "Failed to hash bootstrap admin password");
return;
},
};
// Replace the placeholder hash with the real one.
// The WHERE clause matches the placeholder prefix to ensure idempotency.
let rows = sqlx::query(
r#"UPDATE users
SET password_hash = $1
WHERE username = 'admin'
AND auth_provider = 'local'
AND password_hash LIKE '$argon2id$v=19$m=65536,t=3,p=1$AAAAAAAAAAAAAAAA%'"#,
)
.bind(&new_hash)
.execute(pool)
.await;
match rows {
Ok(result) if result.rows_affected() == 1 => {
eprintln!();
eprintln!("========================================");
eprintln!(" INITIAL ADMIN PASSWORD (shown once)");
eprintln!(" Username: admin");
eprintln!(" Password: {}", password);
eprintln!();
eprintln!(" You will be forced to change this on first login.");
eprintln!(" If lost, restart the service to generate a new one.");
eprintln!("========================================");
eprintln!();
tracing::info!("Bootstrap admin password generated and set");
},
Ok(_) => {
// Rows affected != 1 — concurrent bootstrap or already replaced.
tracing::info!("Admin password already bootstrapped (concurrent or prior)");
},
Err(e) => {
tracing::error!(error = %e, "Failed to update admin password hash");
},
}
}
/// Shared application state threaded through Axum.
#[derive(Clone)]
pub struct AppState {
pub db: sqlx::PgPool,
pub config: Arc<AppConfig>,
pub signing_key_pem: String,
pub auth_config: Arc<AuthConfig>,
/// In-memory store for single-use WebSocket authentication tickets.
pub ws_tickets: Arc<DashMap<String, WsTicket>>,
/// In-memory store for SSO PKCE sessions (state → code_verifier).
pub sso_sessions: Arc<DashMap<String, SsoSession>>,
/// In-memory store for SSO handoff codes (single-use, 60s TTL).
/// See `tasks/sso-token-handoff-spec.md` §4.1.
pub sso_handoffs: Arc<DashMap<String, SsoHandoff>>,
/// Cached OIDC discovery document and JWKS for SSO id_token verification.
pub oidc_cache: Arc<Mutex<OidcCache>>,
/// Internal certificate authority for mTLS client cert issuance.
pub ca: Arc<pm_ca::CertAuthority>,
/// Short-lived cache for approved enrollment PKI bundles.
///
/// Entries are single-use (removed on retrieval) and expire after
/// [`ENROLLMENT_BUNDLE_TTL_SECS`](pm_core::models::ENROLLMENT_BUNDLE_TTL_SECS).
pub approved_enrollments: Arc<DashMap<String, ApprovedEntry>>,
}
#[tokio::main]
async fn main() -> anyhow::Result<()> {
@ -156,7 +24,7 @@ async fn main() -> anyhow::Result<()> {
AppConfig::default()
});
logging::init(&config.logging);
pm_core::logging::init(&config.logging);
tracing::info!(
version = env!("CARGO_PKG_VERSION"),
"patch-manager-web starting"
@ -183,12 +51,10 @@ async fn main() -> anyhow::Result<()> {
let pool = db::init_pool(&config.database).await?;
db::run_migrations(&pool).await?;
// Bootstrap admin password if the seed admin still has the placeholder hash (issue #8).
// Bootstrap admin password if the seed admin still has the placeholder hash.
bootstrap_admin_password(&pool).await;
// Initialise the internal CA using the configured certificate paths.
// The CA certificate and key must exist at the configured locations and be
// unencrypted PEM. If absent, a new CA is generated in that directory.
let ca_base = std::path::Path::new(&config.security.ca_cert_path)
.parent()
.expect("CA certificate path must have a parent directory");
@ -223,7 +89,7 @@ async fn main() -> anyhow::Result<()> {
});
}
// Background task: purge expired SSO sessions every 60 seconds (sessions older than 10 minutes).
// Background task: purge expired SSO sessions every 60 seconds.
{
let sessions = sso_sessions.clone();
tokio::spawn(async move {
@ -243,8 +109,6 @@ async fn main() -> anyhow::Result<()> {
}
// Background task: purge expired approved enrollment PKI bundles.
// Entries are also removed on first retrieval (single-use), so this
// task only cleans up bundles that were never picked up by the agent.
{
let approved = approved_enrollments.clone();
tokio::spawn(async move {
@ -262,9 +126,6 @@ async fn main() -> anyhow::Result<()> {
}
// Background task: purge expired SSO handoff codes every 60 seconds.
// See `tasks/sso-token-handoff-spec.md` §4.3. Handoffs are also
// atomically removed on exchange (single-use), so this task only
// cleans up codes that the SPA never POSTed back for.
{
let handoffs = sso_handoffs.clone();
tokio::spawn(async move {
@ -306,7 +167,7 @@ async fn main() -> anyhow::Result<()> {
let tls_key = std::path::Path::new(&config.security.web_tls_key_path);
if tls_cert.exists() && tls_key.exists() {
let tls_config = RustlsConfig::from_pem_file(
let tls_config = axum_server::tls_rustls::RustlsConfig::from_pem_file(
&config.security.web_tls_cert_path,
&config.security.web_tls_key_path,
)
@ -338,149 +199,3 @@ async fn main() -> anyhow::Result<()> {
Ok(())
}
/// Construct the full Axum router.
pub fn build_router(state: AppState) -> Router {
let static_dir = state.config.server.static_dir.clone();
let auth_config = state.auth_config.clone();
let rl = &state.config.rate_limit;
// Enrollment rate limiting: strict (5 req/min per IP, burst 3)
// Uses SmartIpKeyExtractor to respect X-Forwarded-For behind reverse proxy.
// governor quota: 1 request per 12_000ms = ~5/min sustained
let enrollment_governor = Arc::new(
GovernorConfigBuilder::default()
.key_extractor(SmartIpKeyExtractor)
.per_millisecond(12_000)
.burst_size(rl.enrollment_burst)
.finish()
.expect("Invalid enrollment governor config"),
);
// Auth rate limiting: moderate (20 req/min per IP, burst 10)
// Uses SmartIpKeyExtractor to respect X-Forwarded-For behind reverse proxy.
// governor quota: 1 request per 3_000ms = ~20/min sustained
let auth_governor = Arc::new(
GovernorConfigBuilder::default()
.key_extractor(SmartIpKeyExtractor)
.per_millisecond(3_000)
.burst_size(rl.auth_burst)
.finish()
.expect("Invalid auth governor config"),
);
// API rate limiting: normal (120 req/min per IP, burst 30)
// Uses SmartIpKeyExtractor to respect X-Forwarded-For behind reverse proxy.
// governor quota: 1 request per 500ms = ~120/min sustained
let api_governor = Arc::new(
GovernorConfigBuilder::default()
.key_extractor(SmartIpKeyExtractor)
.per_millisecond(500)
.burst_size(rl.api_burst)
.finish()
.expect("Invalid API governor config"),
);
// Enrollment routes with strict per-IP rate limiting
let enrollment_router =
routes::enrollment::router().layer(GovernorLayer::new(enrollment_governor));
// Public auth routes with moderate per-IP rate limiting
let auth_public_router =
routes::auth::public_router().layer(GovernorLayer::new(Arc::clone(&auth_governor)));
// SSO routes with moderate per-IP rate limiting
let sso_public_router =
routes::sso::public_router().layer(GovernorLayer::new(Arc::clone(&auth_governor)));
let sso_azure_router =
routes::sso::azure_compat_router().layer(GovernorLayer::new(auth_governor));
// All protected API routes — require valid JWT, with normal per-IP rate limiting
let protected_api = Router::new()
// Auth: MFA setup/verify
// Auth: MFA setup/verify/disable (nested under /auth so paths are /api/v1/auth/mfa/*)
.nest("/auth", routes::auth::protected_router())
// Hosts
.nest("/hosts", routes::hosts::router())
// Host-scoped certificate endpoints (merged separately to avoid conflict)
.nest("/hosts", routes::ca::host_cert_router())
// Groups
.nest("/groups", routes::groups::router())
// Users
.nest("/users", routes::users::router())
// Discovery
.nest("/discovery", routes::discovery::router())
// Fleet status
.nest("/status", routes::status::router())
// Patch jobs
.nest("/jobs", routes::jobs::router())
// Maintenance windows (nested under hosts path param)
.nest(
"/hosts/{host_id}/maintenance-windows",
routes::maintenance_windows::router(),
)
// Maintenance windows — bulk list-all endpoint
.nest(
"/maintenance-windows",
routes::maintenance_windows::all_windows_router(),
)
// CA root certificate download
.nest("/ca", routes::ca::ca_router())
// Certificate list / renew / revoke
.nest("/certificates", routes::ca::certs_router())
// WS ticket issuance (JWT-protected — ticket returned to browser, then used for WS upgrade)
.merge(routes::ws::ticket_router())
// Reports
.nest("/reports", routes::reports::router())
.nest(
"/hosts/{host_id}/health-checks",
routes::health_checks::router(),
)
// Settings (admin-only)
.nest("/settings", routes::settings::router())
// Admin enrollment routes (JWT protected, Admin role enforced)
.nest("/admin", routes::enrollment::admin_router())
// Apply rate limiting then auth middleware
.layer(GovernorLayer::new(api_governor))
.route_layer(middleware::from_fn(move |req, next| {
let auth_config = auth_config.clone();
require_auth(auth_config, req, next)
}));
Router::new()
.route("/status/health", get(health_handler))
// Public auth routes (rate-limited, no JWT)
.nest("/api/v1/auth", auth_public_router)
// Public enrollment endpoints (rate-limited, no JWT)
.nest("/api/v1", enrollment_router)
// Public PKI endpoints (CRL distribution, no JWT — CRLs are self-authenticating)
.nest("/api/v1", routes::pki::router())
// Public SSO routes (rate-limited, no JWT)
.nest("/api/v1/auth/sso", sso_public_router)
// Public Azure SSO routes (rate-limited, no JWT)
.nest("/api/v1/auth/azure", sso_azure_router)
// Protected API routes (JWT required, rate-limited)
.nest("/api/v1", protected_api)
// WebSocket browser endpoint — ticket-authenticated, outside JWT middleware
.merge(routes::ws::ws_router())
// Serve React SPA
.fallback_service(
ServeDir::new(&static_dir)
.append_index_html_on_directories(true)
.fallback(ServeFile::new(format!("{}/index.html", static_dir))),
)
.layer(middleware::from_fn(request_id_middleware))
.layer(TraceLayer::new_for_http())
.with_state(state)
}
async fn health_handler(State(state): State<AppState>) -> Result<Json<Value>, StatusCode> {
let db_ok = sqlx::query("SELECT 1").execute(&state.db).await.is_ok();
let status = if db_ok { "healthy" } else { "degraded" };
let body = json!({ "service": "patch-manager-web", "version": env!("CARGO_PKG_VERSION"), "status": status, "database": if db_ok { "ok" } else { "error" } });
if db_ok {
Ok(Json(body))
} else {
Err(StatusCode::SERVICE_UNAVAILABLE)
}
}

530
crates/pm-web/tests/integration/authz_gate.rs Normal file
View File

@ -0,0 +1,530 @@
//! Integration tests for the authz gate that restricts auth config mutations
//! (OIDC, SMTP, IP whitelist) to the Admin role only.
//!
//! See Issue #15 for the full specification.
//!
//! ## Test organization
//!
//! The 403 (forbidden_role) tests verify that the authorization middleware
//! rejects non-admin roles BEFORE any handler or database logic runs. These
//! tests use a lazy PgPool (no live database required) and pre-generated CA
//! files, so they always pass in CI.
//!
//! The 200 (admin allowed) tests verify the full handler path including audit
//! logging. They require a live PostgreSQL database and are marked `#[ignore]`
//! so they only run when `DATABASE_URL` is set and `--ignored` is passed.
use axum::body::Body;
use axum::extract::ConnectInfo;
use axum::http::{Request, StatusCode};
use dashmap::DashMap;
use http_body_util::BodyExt;
use pm_auth::jwt;
use pm_auth::rbac::AuthConfig;
use pm_core::config::AppConfig;
use pm_web::routes::sso::OidcCache;
use pm_web::{build_router, AppState};
use serde_json::json;
use sqlx::PgPool;
use std::net::SocketAddr;
use std::sync::Arc;
use tokio::sync::Mutex;
use tower::ServiceExt;
use uuid::Uuid;
// ── Ed25519 test key pair ────────────────────────────────────────────────────
const TEST_SIGNING_KEY: &str = "-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIBrWiMMcgpPXwtGDSSBl01fcQyb5Vh4CMzEmxcSXvcrJ
-----END PRIVATE KEY-----
";
const TEST_VERIFY_KEY: &str = "-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEACgE6fMDCcG11NOpPKSO/ASpPUSntB7XsF5sBFBYDjFo=
-----END PUBLIC KEY-----
";
// ── Fixed test user IDs (so we can seed matching rows in the DB) ─────────────
const ADMIN_USER_ID: &str = "00000000-0000-4000-8000-000000000001";
const OPERATOR_USER_ID: &str = "00000000-0000-4000-8000-000000000002";
// ── Helpers ─────────────────────────────────────────────────────────────────
/// Generate a valid JWT authorization header for the given role.
fn auth_header(role: &str) -> String {
let user_id = match role {
"admin" => Uuid::parse_str(ADMIN_USER_ID).unwrap(),
_ => Uuid::parse_str(OPERATOR_USER_ID).unwrap(),
};
let username = format!("test-{}", role);
let token = jwt::issue_access_token(user_id, &username, role, 900, TEST_SIGNING_KEY)
.expect("failed to issue test JWT");
format!("Bearer {}", token)
}
/// Generate CA key and cert files on disk so `CertAuthority::init` can load
/// them without needing a database connection.
fn generate_ca_files(ca_dir: &std::path::Path) {
use rcgen::{
BasicConstraints, CertificateParams, DnType, IsCa, KeyPair, PKCS_ECDSA_P256_SHA256,
};
let key = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).expect("generate CA key");
let mut params = CertificateParams::default();
params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
params
.distinguished_name
.push(DnType::CommonName, "Test Root CA");
let cert = params.self_signed(&key).expect("self-sign CA cert");
std::fs::create_dir_all(ca_dir).expect("create CA dir");
std::fs::write(ca_dir.join("ca.key"), key.serialize_pem()).expect("write ca.key");
std::fs::write(ca_dir.join("ca.crt"), cert.pem()).expect("write ca.crt");
}
/// Build a minimal `AppState` suitable for 403 authz gate tests.
///
/// Uses a lazy PgPool (no live database connection required) and pre-generated
/// CA files. This works because the authorization middleware rejects non-admin
/// requests BEFORE any handler or database logic runs.
async fn setup_state_no_db() -> AppState {
let pool = sqlx::postgres::PgPoolOptions::new()
.connect_lazy("postgres://test:test@localhost:5432/test")
.expect("failed to create lazy pool");
let mut config = AppConfig::default();
config.server.static_dir = "/tmp".to_string();
let auth_config = Arc::new(AuthConfig::new(TEST_VERIFY_KEY.to_string(), &[], &[]));
let ca_dir = tempfile::tempdir().expect("failed to create temp dir for CA");
let ca_dir_path = ca_dir.path().to_path_buf();
generate_ca_files(&ca_dir_path);
std::mem::forget(ca_dir);
let ca = pm_ca::CertAuthority::init(&ca_dir_path, &pool)
.await
.expect("CA init failed");
AppState {
db: pool,
config: Arc::new(config),
signing_key_pem: TEST_SIGNING_KEY.to_string(),
auth_config,
ws_tickets: Arc::new(DashMap::new()),
sso_sessions: Arc::new(DashMap::new()),
sso_handoffs: Arc::new(DashMap::new()),
oidc_cache: Arc::new(Mutex::new(OidcCache::default())),
ca: Arc::new(ca),
approved_enrollments: Arc::new(DashMap::new()),
}
}
/// Seed test users into the database so that audit_log foreign-key
/// constraints on `actor_user_id` are satisfied.
async fn seed_test_users(pool: &PgPool) {
let placeholder_hash = "$argon2id$v=19$m=65536,t=3,p=1$placeholder$placeholder";
for (user_id, username, role) in [
(ADMIN_USER_ID, "test-admin", "admin"),
(OPERATOR_USER_ID, "test-operator", "operator"),
] {
sqlx::query(
r#"INSERT INTO users (id, username, display_name, email, role, auth_provider, password_hash)
VALUES ($1, $2, $3, $4, $5::user_role, 'local', $6)
ON CONFLICT (id) DO NOTHING"#,
)
.bind(Uuid::parse_str(user_id).unwrap())
.bind(username)
.bind(username)
.bind(format!("{}@test.example.com", username))
.bind(role)
.bind(placeholder_hash)
.execute(pool)
.await
.expect("failed to seed test user");
}
}
/// Build a full `AppState` with a live database connection.
async fn setup_state(pool: PgPool) -> AppState {
seed_test_users(&pool).await;
let mut config = AppConfig::default();
config.server.static_dir = "/tmp".to_string();
let auth_config = Arc::new(AuthConfig::new(TEST_VERIFY_KEY.to_string(), &[], &[]));
let ca_dir = tempfile::tempdir().expect("failed to create temp dir for CA");
let ca_dir_path = ca_dir.path().to_path_buf();
std::mem::forget(ca_dir);
let ca = pm_ca::CertAuthority::init(&ca_dir_path, &pool)
.await
.expect("CA init failed");
AppState {
db: pool,
config: Arc::new(config),
signing_key_pem: TEST_SIGNING_KEY.to_string(),
auth_config,
ws_tickets: Arc::new(DashMap::new()),
sso_sessions: Arc::new(DashMap::new()),
sso_handoffs: Arc::new(DashMap::new()),
oidc_cache: Arc::new(Mutex::new(OidcCache::default())),
ca: Arc::new(ca),
approved_enrollments: Arc::new(DashMap::new()),
}
}
/// Send a request through the full Axum router and return the response.
async fn send_request(
state: AppState,
method: axum::http::Method,
uri: &str,
auth_header: Option<&str>,
body: Option<serde_json::Value>,
) -> (StatusCode, serde_json::Value) {
let router = build_router(state);
let mut builder = Request::builder().method(method).uri(uri);
if let Some(auth) = auth_header {
builder = builder.header("authorization", auth);
}
builder = builder.header("content-type", "application/json");
let req = if let Some(b) = body {
builder.body(Body::from(b.to_string())).unwrap()
} else {
builder.body(Body::empty()).unwrap()
};
// Insert ConnectInfo so tower_governor's SmartIpKeyExtractor can resolve the client IP.
let (mut parts, body) = req.into_parts();
parts
.extensions
.insert(ConnectInfo(SocketAddr::from(([127, 0, 0, 1], 12345))));
let req = Request::from_parts(parts, body);
let resp = router.oneshot(req).await.unwrap();
let status = resp.status();
let body_bytes = resp.into_body().collect().await.unwrap().to_bytes();
let body_json: serde_json::Value = serde_json::from_slice(&body_bytes).unwrap_or_else(|_| {
let raw = String::from_utf8_lossy(&body_bytes);
json!({ "_raw": raw.to_string() })
});
(status, body_json)
}
// ═══════════════════════════════════════════════════════════════════════════
// 403 Forbidden Role tests — no database required
// ═══════════════════════════════════════════════════════════════════════════
//
// These tests verify that the authorization middleware rejects non-admin roles
// BEFORE any handler or database logic runs. They use a lazy PgPool and
// pre-generated CA files, so they always pass in CI.
/// 1. PUT /api/v1/settings with operator role → 403 forbidden_role
#[tokio::test]
async fn update_settings_operator_denied() {
let state = setup_state_no_db().await;
let auth = auth_header("operator");
let (status, body) = send_request(
state,
axum::http::Method::PUT,
"/api/v1/settings",
Some(&auth),
Some(json!({ "polling": { "health_poll_interval_secs": 300 } })),
)
.await;
assert_eq!(
status,
StatusCode::FORBIDDEN,
"expected 403, got {}: {:?}",
status,
body
);
assert_eq!(body["error"]["code"], "forbidden_role");
}
/// 3. PUT /api/v1/settings/ip-whitelist with operator role → 403 forbidden_role
#[tokio::test]
async fn update_ip_whitelist_operator_denied() {
let state = setup_state_no_db().await;
let auth = auth_header("operator");
let (status, body) = send_request(
state,
axum::http::Method::PUT,
"/api/v1/settings/ip-whitelist",
Some(&auth),
Some(json!({ "entries": ["10.0.0.0/8"] })),
)
.await;
assert_eq!(
status,
StatusCode::FORBIDDEN,
"expected 403, got {}: {:?}",
status,
body
);
assert_eq!(body["error"]["code"], "forbidden_role");
}
/// 5. POST /api/v1/settings/sso/discover with operator role → 403 forbidden_role
#[tokio::test]
async fn discover_oidc_operator_denied() {
let state = setup_state_no_db().await;
let auth = auth_header("operator");
let (status, body) = send_request(
state,
axum::http::Method::POST,
"/api/v1/settings/sso/discover",
Some(&auth),
Some(json!({ "discovery_url": "https://example.com/.well-known/openid-configuration" })),
)
.await;
assert_eq!(
status,
StatusCode::FORBIDDEN,
"expected 403, got {}: {:?}",
status,
body
);
assert_eq!(body["error"]["code"], "forbidden_role");
}
/// 7. POST /api/v1/settings/sso/test with operator role → 403 forbidden_role
#[tokio::test]
async fn test_oidc_operator_denied() {
let state = setup_state_no_db().await;
let auth = auth_header("operator");
let (status, body) = send_request(
state,
axum::http::Method::POST,
"/api/v1/settings/sso/test",
Some(&auth),
None,
)
.await;
assert_eq!(
status,
StatusCode::FORBIDDEN,
"expected 403, got {}: {:?}",
status,
body
);
assert_eq!(body["error"]["code"], "forbidden_role");
}
// ═══════════════════════════════════════════════════════════════════════════
// 200 Admin Allowed tests — require live database
// ═══════════════════════════════════════════════════════════════════════════
//
// These tests verify the full handler path including audit logging.
// They require a live PostgreSQL database and are marked `#[ignore]` so they
// only run when DATABASE_URL is set and `--ignored` is passed.
/// 2. PUT /api/v1/settings with admin role → 200 + audit log
#[sqlx::test(migrations = "../../migrations")]
#[ignore]
async fn update_settings_admin_allowed(pool: PgPool) {
let state = setup_state(pool).await;
let pool = state.db.clone();
let auth = auth_header("admin");
let (status, body) = send_request(
state,
axum::http::Method::PUT,
"/api/v1/settings",
Some(&auth),
Some(json!({ "polling": { "health_poll_interval_secs": 300 } })),
)
.await;
assert_eq!(
status,
StatusCode::OK,
"expected 200, got {}: {:?}",
status,
body
);
let row: Option<(String,)> = sqlx::query_as(
"SELECT action::text FROM audit_log WHERE action::text = 'config_changed' ORDER BY created_at DESC LIMIT 1",
)
.fetch_optional(&pool)
.await
.expect("audit log query failed");
assert!(row.is_some(), "expected audit log entry for config_changed");
}
/// 4. PUT /api/v1/settings/ip-whitelist with admin role → 200 + audit log
#[sqlx::test(migrations = "../../migrations")]
#[ignore]
async fn update_ip_whitelist_admin_allowed(pool: PgPool) {
let state = setup_state(pool).await;
let pool = state.db.clone();
let auth = auth_header("admin");
let (status, body) = send_request(
state,
axum::http::Method::PUT,
"/api/v1/settings/ip-whitelist",
Some(&auth),
Some(json!({ "entries": ["10.0.0.0/8"] })),
)
.await;
assert_eq!(
status,
StatusCode::OK,
"expected 200, got {}: {:?}",
status,
body
);
let row: Option<(String,)> = sqlx::query_as(
"SELECT action::text FROM audit_log WHERE action::text = 'ip_whitelist_updated' ORDER BY created_at DESC LIMIT 1",
)
.fetch_optional(&pool)
.await
.expect("audit log query failed");
assert!(
row.is_some(),
"expected audit log entry for ip_whitelist_updated"
);
}
/// 6. POST /api/v1/settings/sso/discover with admin role → 200 + audit log
/// Uses mockito to simulate an OIDC discovery endpoint.
#[sqlx::test(migrations = "../../migrations")]
#[ignore]
async fn discover_oidc_admin_allowed(pool: PgPool) {
let state = setup_state(pool).await;
let pool = state.db.clone();
let auth = auth_header("admin");
let mut server = mockito::Server::new_async().await;
let mock = server
.mock("GET", "/.well-known/openid-configuration")
.with_status(200)
.with_header("content-type", "application/json")
.with_body(
json!({
"issuer": "https://mock-oidc.example.com",
"authorization_endpoint": "https://mock-oidc.example.com/auth",
"token_endpoint": "https://mock-oidc.example.com/token",
"jwks_uri": "https://mock-oidc.example.com/jwks",
"userinfo_endpoint": "https://mock-oidc.example.com/userinfo"
})
.to_string(),
)
.create_async()
.await;
let discovery_url = format!("{}/.well-known/openid-configuration", server.url());
let (status, body) = send_request(
state,
axum::http::Method::POST,
"/api/v1/settings/sso/discover",
Some(&auth),
Some(json!({ "discovery_url": discovery_url })),
)
.await;
assert_eq!(
status,
StatusCode::OK,
"expected 200, got {}: {:?}",
status,
body
);
assert_eq!(body["success"], true);
mock.assert_async().await;
let row: Option<(String,)> = sqlx::query_as(
"SELECT action::text FROM audit_log WHERE action::text = 'oidc_discover_performed' ORDER BY created_at DESC LIMIT 1",
)
.fetch_optional(&pool)
.await
.expect("audit log query failed");
assert!(
row.is_some(),
"expected audit log entry for oidc_discover_performed"
);
}
/// 8. POST /api/v1/settings/sso/test with admin role → 200 + audit log
/// Uses mockito to simulate an OIDC discovery endpoint.
#[sqlx::test(migrations = "../../migrations")]
#[ignore]
async fn test_oidc_admin_allowed(pool: PgPool) {
let mut server = mockito::Server::new_async().await;
let mock = server
.mock("GET", "/.well-known/openid-configuration")
.with_status(200)
.with_header("content-type", "application/json")
.with_body(
json!({
"issuer": "https://mock-oidc.example.com",
"authorization_endpoint": "https://mock-oidc.example.com/auth",
"token_endpoint": "https://mock-oidc.example.com/token",
"jwks_uri": "https://mock-oidc.example.com/jwks"
})
.to_string(),
)
.create_async()
.await;
let discovery_url = format!("{}/.well-known/openid-configuration", server.url());
// Seed the oidc_config table with an enabled provider pointing to mockito.
sqlx::query("UPDATE oidc_config SET enabled = true, discovery_url = $1 WHERE id = 1")
.bind(&discovery_url)
.execute(&pool)
.await
.expect("failed to seed oidc_config");
let state = setup_state(pool).await;
let pool = state.db.clone();
let auth = auth_header("admin");
let (status, body) = send_request(
state,
axum::http::Method::POST,
"/api/v1/settings/sso/test",
Some(&auth),
None,
)
.await;
assert_eq!(
status,
StatusCode::OK,
"expected 200, got {}: {:?}",
status,
body
);
assert_eq!(body["success"], true);
mock.assert_async().await;
let row: Option<(String,)> = sqlx::query_as(
"SELECT action::text FROM audit_log WHERE action::text = 'oidc_test_performed' ORDER BY created_at DESC LIMIT 1",
)
.fetch_optional(&pool)
.await
.expect("audit log query failed");
assert!(
row.is_some(),
"expected audit log entry for oidc_test_performed"
);
}

1
crates/pm-web/tests/integration/main.rs Normal file
View File

@ -0,0 +1 @@
mod authz_gate;

12
debian/changelog vendored
View File

@ -1,3 +1,15 @@
linux-patch-manager (1.1.0-1) unstable; urgency=low
* Release v1.1.0
-- git-echo <git-echo@moon-dragon.us> Sun, 07 Jun 2026 16:47:03 -0500
linux-patch-manager (1.0.0-1) unstable; urgency=low
* Release v1.0.0
-- git-echo <git-echo@moon-dragon.us> Sun, 07 Jun 2026 12:58:46 -0500
linux-patch-manager (0.1.9-1) noble; urgency=medium
* Fix: Replace broken DashMap rate limiting with tower-governor middleware

5
debian/control vendored
View File

@ -1,9 +1,10 @@
Package: linux-patch-manager
Version: 1.0.0-1
Version: 1.1.0-1
Architecture: amd64
Maintainer: Moon Dragon <echo@moon-dragon.us>
Installed-Size: 45000
Depends: postgresql-16, libssl3, libc6 (>= 2.39), libfontconfig1
Pre-Depends: postgresql-16
Depends: postgresql-16, argon2, libssl3, libc6 (>= 2.39), libfontconfig1
Recommends: postgresql-client-16, fonts-dejavu-core
Suggests: gpg
Section: admin

417
debian/postinst vendored Normal file → Executable file
View File

@ -4,91 +4,348 @@ set -e
# =============================================================================
# Linux Patch Manager — Post-install script
# =============================================================================
# Fully automated: apt install ./linux-patch-manager_X.X.X-1_amd64.deb
# results in a running service with a printed admin password.
# All steps are idempotent (safe to re-run on upgrade).
# =============================================================================
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m'
info() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*" >&2; }
DB_NAME="patch_manager"
DB_USER="patch_manager"
CONFIG_DIR="/etc/patch-manager"
MIGRATION_DIR="/usr/share/patch-manager/migrations"
ADMIN_PASSWORD_FILE="/etc/patch-manager/admin-password.txt"
# ---------------------------------------------------------------------------
# PostgreSQL helpers
# ---------------------------------------------------------------------------
psql_run() {
# Run SQL as the postgres superuser
sudo -u postgres psql -v ON_ERROR_STOP=1 "$@" 2>/dev/null
}
psql_run_db() {
# Run SQL against the patch_manager database
sudo -u postgres psql -v ON_ERROR_STOP=1 -d "${DB_NAME}" "$@" 2>/dev/null
}
# ---------------------------------------------------------------------------
# 1. Create service user (idempotent)
# ---------------------------------------------------------------------------
create_service_user() {
if ! id patch-manager &>/dev/null; then
useradd --system --no-create-home --shell /usr/sbin/nologin \
--comment "Linux Patch Manager service account" patch-manager
info "Service user 'patch-manager' created."
else
info "Service user 'patch-manager' already exists."
fi
}
# ---------------------------------------------------------------------------
# 2. Create required directories (idempotent)
# ---------------------------------------------------------------------------
create_directories() {
mkdir -p "${CONFIG_DIR}/ca" "${CONFIG_DIR}/certs" \
"${CONFIG_DIR}/jwt" "${CONFIG_DIR}/tls" \
/var/log/patch-manager /opt/patch-manager \
/var/backups/patch-manager
chown -R patch-manager:patch-manager \
"${CONFIG_DIR}" /var/log/patch-manager \
/opt/patch-manager /usr/share/patch-manager/frontend
chmod 750 "${CONFIG_DIR}/ca" "${CONFIG_DIR}/jwt"
chmod 700 /var/backups/patch-manager
}
# ---------------------------------------------------------------------------
# 3. Wait for PostgreSQL to be ready
# ---------------------------------------------------------------------------
wait_for_postgresql() {
info "Waiting for PostgreSQL to be ready..."
local retries=30
local delay=2
local i
for ((i = 1; i <= retries; i++)); do
if pg_isready -q 2>/dev/null; then
info "PostgreSQL is ready."
return 0
fi
warn "PostgreSQL not ready yet (attempt ${i}/${retries}), waiting ${delay}s..."
sleep "${delay}"
done
error "PostgreSQL did not become ready after $((retries * delay)) seconds."
return 1
}
# ---------------------------------------------------------------------------
# 4. Create PostgreSQL user and database (idempotent)
# ---------------------------------------------------------------------------
setup_database() {
info "Setting up PostgreSQL database and user..."
# Generate a random password for the DB user
local db_password
db_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 32)
# Create role if not exists
local role_exists
role_exists=$(psql_run -t -A -c "SELECT 1 FROM pg_roles WHERE rolname='${DB_USER}'" 2>/dev/null || echo "")
if [[ "${role_exists}" != "1" ]]; then
psql_run -c "CREATE ROLE ${DB_USER} LOGIN PASSWORD '${db_password}';"
info "PostgreSQL user '${DB_USER}' created."
# Store password for config generation
echo "${db_password}" > /tmp/.pm-db-password-new
else
info "PostgreSQL user '${DB_USER}' already exists, skipping creation."
fi
# Create database if not exists
local db_exists
db_exists=$(psql_run -t -A -c "SELECT 1 FROM pg_database WHERE datname='${DB_NAME}'" 2>/dev/null || echo "")
if [[ "${db_exists}" != "1" ]]; then
psql_run -c "CREATE DATABASE ${DB_NAME} OWNER ${DB_USER};"
info "Database '${DB_NAME}' created."
else
info "Database '${DB_NAME}' already exists, skipping creation."
fi
# Grant permissions (idempotent)
psql_run_db -c "GRANT USAGE ON SCHEMA public TO ${DB_USER};" 2>/dev/null || true
psql_run_db -c "GRANT CREATE ON SCHEMA public TO ${DB_USER};" 2>/dev/null || true
psql_run_db -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};" 2>/dev/null || true
}
# ---------------------------------------------------------------------------
# 5. Apply database migrations (idempotent)
# ---------------------------------------------------------------------------
apply_migrations() {
info "Applying database migrations..."
# Ensure pgcrypto extension is available
psql_run_db -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;" 2>/dev/null || true
# Create migration tracking table if not exists
psql_run_db <<'MIGSQL'
CREATE TABLE IF NOT EXISTS _migrations (
id SERIAL PRIMARY KEY,
filename TEXT NOT NULL UNIQUE,
applied_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
MIGSQL
# Handle upgrade from pre-migration-tracking versions:
# If tables exist but _migrations is empty, mark all existing migrations as applied.
local migration_count
migration_count=$(psql_run_db -t -A -c "SELECT COUNT(*) FROM _migrations;" 2>/dev/null || echo "0")
migration_count="${migration_count// /}"
local tables_exist
tables_exist=$(psql_run_db -t -A -c "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='public' AND table_name='users';" 2>/dev/null || echo "0")
tables_exist="${tables_exist// /}"
if [[ "${migration_count}" == "0" && "${tables_exist}" -gt 0 ]]; then
info "Existing database detected — marking all shipped migrations as already applied."
for sql_file in $(ls "${MIGRATION_DIR}"/*.sql 2>/dev/null | sort); do
local fname
fname=$(basename "${sql_file}")
psql_run_db -c "INSERT INTO _migrations (filename) VALUES ('${fname}') ON CONFLICT (filename) DO NOTHING;" 2>/dev/null || true
done
fi
# Apply each migration in sorted order, skipping already-applied ones
local applied=0
local skipped=0
for sql_file in $(ls "${MIGRATION_DIR}"/*.sql 2>/dev/null | sort); do
local fname
fname=$(basename "${sql_file}")
local already_applied
already_applied=$(psql_run_db -t -A -c "SELECT COUNT(*) FROM _migrations WHERE filename='${fname}';" 2>/dev/null || echo "0")
already_applied="${already_applied// /}"
if [[ "${already_applied}" -gt 0 ]]; then
skipped=$((skipped + 1))
continue
fi
info " Applying migration: ${fname}"
if psql_run_db -f "${sql_file}"; then
psql_run_db -c "INSERT INTO _migrations (filename) VALUES ('${fname}');" 2>/dev/null || true
applied=$((applied + 1))
else
error " Failed to apply migration: ${fname}"
return 1
fi
done
if [[ "${applied}" -gt 0 ]]; then
info "Applied ${applied} new migration(s), skipped ${skipped} already applied."
else
info "All migrations up to date (${skipped} already applied)."
fi
}
# ---------------------------------------------------------------------------
# 6. Generate admin password and update database
# ---------------------------------------------------------------------------
generate_admin_password() {
info "Generating admin password..."
# Generate a random 24-character password
local admin_password
admin_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9!@#%^&*' | head -c 24)
# Hash with argon2 (PHC format, compatible with the application)
local password_hash
password_hash=$(echo -n "${admin_password}" | argon2 salt -id -t 3 -m 65536 -p 1 -l 32 -e)
# Update admin user password in database
# Only update if the placeholder hash is still present
# The placeholder starts with: $argon2id$v=19$m=65536,t=3,p=1$AAAAAAAAAAAAAAAA
# Using single-quoted variable to preserve $ signs in SQL LIKE pattern
local placeholder_pattern
placeholder_pattern='$argon2id$v=19$m=65536,t=3,p=1$AAAAAAAAAAAAAAAA%'
local updated
updated=$(psql_run_db -t -A -c \
"UPDATE users SET password_hash = '${password_hash}', force_password_reset = TRUE \
WHERE username = 'admin' AND password_hash LIKE '${placeholder_pattern}' \
RETURNING id;" 2>/dev/null || echo "")
if [[ -n "${updated}" ]]; then
# Write admin password to file (mode 600, owned by root)
echo "${admin_password}" > "${ADMIN_PASSWORD_FILE}"
chmod 600 "${ADMIN_PASSWORD_FILE}"
chown root:root "${ADMIN_PASSWORD_FILE}"
echo ""
echo -e "${CYAN}=============================================${NC}"
echo -e "${CYAN} Linux Patch Manager — Admin Credentials${NC}"
echo -e "${CYAN}=============================================${NC}"
echo -e " Username: ${GREEN}admin${NC}"
echo -e " Password: ${GREEN}${admin_password}${NC}"
echo ""
echo -e " ${YELLOW}IMPORTANT: Save this password! It will not be shown again.${NC}"
echo -e " Password also saved to: ${ADMIN_PASSWORD_FILE}"
echo -e "${CYAN}=============================================${NC}"
echo ""
else
info "Admin password already set (not a fresh install). Password file not regenerated."
fi
}
# ---------------------------------------------------------------------------
# 7. Write config.toml with DB URL (only if file doesn't exist)
# ---------------------------------------------------------------------------
write_config() {
local config_file="${CONFIG_DIR}/config.toml"
if [[ -f "${config_file}" ]]; then
info "Config file ${config_file} already exists, not overwriting."
return 0
fi
info "Writing configuration file..."
# Get the DB password — use the one we just generated if we created the user
local db_password=""
if [[ -f /tmp/.pm-db-password-new ]]; then
db_password=$(cat /tmp/.pm-db-password-new)
fi
# If we don't have a password (user already existed), generate a new one
# and update the PostgreSQL user so we can connect
if [[ -z "${db_password}" ]]; then
db_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9' | head -c 32)
psql_run -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${db_password}';" 2>/dev/null || true
fi
# Copy example config and set the DB URL
cp /usr/share/patch-manager/config.example.toml "${config_file}"
sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|postgres://${DB_USER}:${db_password}@localhost/${DB_NAME}|" "${config_file}"
chown patch-manager:patch-manager "${config_file}"
chmod 640 "${config_file}"
info "Configuration written to ${config_file}"
}
# ---------------------------------------------------------------------------
# 8. Generate JWT keys (idempotent)
# ---------------------------------------------------------------------------
generate_jwt_keys() {
if [[ ! -f "${CONFIG_DIR}/jwt/signing.pem" ]]; then
info "Generating Ed25519 JWT signing key..."
openssl genpkey -algorithm ed25519 -out "${CONFIG_DIR}/jwt/signing.pem" 2>/dev/null
openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null
chown patch-manager:patch-manager "${CONFIG_DIR}/jwt/signing.pem" "${CONFIG_DIR}/jwt/verify.pem"
chmod 600 "${CONFIG_DIR}/jwt/signing.pem"
chmod 644 "${CONFIG_DIR}/jwt/verify.pem"
info "JWT keys generated."
else
info "JWT signing key already exists, skipping."
fi
}
# ---------------------------------------------------------------------------
# 9. Enable and start services
# ---------------------------------------------------------------------------
enable_and_start_services() {
systemctl daemon-reload
# Enable the target (which pulls in web + worker)
systemctl enable patch-manager.target 2>/dev/null || true
# Start or restart services
if systemctl is-active --quiet patch-manager.target 2>/dev/null; then
info "Restarting patch-manager services (upgrade)..."
systemctl restart patch-manager.target 2>/dev/null || true
else
info "Starting patch-manager services..."
systemctl start patch-manager.target 2>/dev/null || true
fi
}
# ---------------------------------------------------------------------------
# 10. Install backup cron (idempotent)
# ---------------------------------------------------------------------------
install_backup_cron() {
if ! crontab -l 2>/dev/null | grep -qF "backup.sh"; then
(crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/backup.sh >> /var/log/patch-manager/backup.log 2>&1") | crontab -
info "Nightly backup cron installed."
fi
}
# =============================================================================
# Main
# =============================================================================
case "$1" in
configure)
# Create service user if not exists
if ! id patch-manager &>/dev/null; then
useradd --system --no-create-home --shell /usr/sbin/nologin \
--comment "Linux Patch Manager service account" patch-manager
fi
create_service_user
create_directories
wait_for_postgresql
setup_database
apply_migrations
generate_admin_password
write_config
generate_jwt_keys
enable_and_start_services
install_backup_cron
# Create required directories
mkdir -p /etc/patch-manager/ca /etc/patch-manager/certs \
/etc/patch-manager/jwt /etc/patch-manager/tls \
/var/log/patch-manager /opt/patch-manager \
/var/backups/patch-manager
# Clean up temp file
rm -f /tmp/.pm-db-password-new
chown -R patch-manager:patch-manager \
/etc/patch-manager /var/log/patch-manager \
/opt/patch-manager /usr/share/patch-manager/frontend
chmod 750 /etc/patch-manager/ca /etc/patch-manager/jwt
chmod 700 /var/backups/patch-manager
# Generate JWT signing key if not present
if [[ ! -f /etc/patch-manager/jwt/signing.pem ]]; then
openssl genpkey -algorithm ed25519 -out /etc/patch-manager/jwt/signing.pem 2>/dev/null
openssl pkey -in /etc/patch-manager/jwt/signing.pem -pubout -out /etc/patch-manager/jwt/verify.pem 2>/dev/null
chown patch-manager:patch-manager /etc/patch-manager/jwt/signing.pem /etc/patch-manager/jwt/verify.pem
chmod 600 /etc/patch-manager/jwt/signing.pem
chmod 644 /etc/patch-manager/jwt/verify.pem
fi
# Write default config if not present
if [[ ! -f /etc/patch-manager/config.toml ]]; then
cp /usr/share/patch-manager/config.example.toml /etc/patch-manager/config.toml
chown patch-manager:patch-manager /etc/patch-manager/config.toml
chmod 640 /etc/patch-manager/config.toml
fi
# Install backup cron if not present
if ! crontab -l 2>/dev/null | grep -qF "backup.sh"; then
(crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/backup.sh >> /var/log/patch-manager/backup.log 2>&1") | crontab -
fi
# Reload systemd
systemctl daemon-reload
# Restart services if this is an upgrade (not a fresh install)
if systemctl is-active --quiet patch-manager-web 2>/dev/null; then
systemctl restart patch-manager-web || true
fi
if systemctl is-active --quiet patch-manager-worker 2>/dev/null; then
systemctl restart patch-manager-worker || true
fi
# Run pending database migrations
MIGRATION_DIR="/usr/share/patch-manager/migrations"
if [[ -d "$MIGRATION_DIR" ]]; then
echo "Applying database migrations..."
for sql_file in $(ls "$MIGRATION_DIR"/*.sql 2>/dev/null | sort); do
echo " Applying: $(basename "$sql_file")"
done
echo "Note: Migrations must be applied manually: sudo -u patch_manager psql -d patch_manager -f <migration_file>"
fi
echo ""
echo "Linux Patch Manager installed successfully!"
echo "==========================================="
echo ""
echo "Next steps:"
echo " 1. Install and configure PostgreSQL:"
echo " apt install postgresql-16"
echo " 2. Create the database:"
echo " sudo -u postgres createdb -O patch_manager patch_manager"
echo " 3. Edit /etc/patch-manager/config.toml with your database URL"
echo " 4. Enable and start services:"
echo " systemctl enable --now patch-manager.target"
echo " 5. Access the web UI at https://localhost"
echo " Default admin credentials are set via the seed migration."
echo ""
echo "IMPORTANT: Change the default admin password immediately after first login!"
echo ""
echo "If this is an upgrade, services have been restarted automatically."
echo "Apply any new database migrations:"
echo " sudo -u patch_manager psql -d patch_manager -f /usr/share/patch-manager/migrations/<NNN_migration>.sql"
echo ""
info "Linux Patch Manager installation complete."
;;
abort-upgrade|abort-remove|abort-deconfigure)

58
docker-compose.yml Normal file
View File

@ -0,0 +1,58 @@
# =============================================================================
# Linux Patch Manager — Docker Compose Deployment
# =============================================================================
# Usage:
# cp .env.example .env # Edit DB_PASSWORD
# docker compose up -d
# =============================================================================
services:
db:
image: postgres:16-bookworm
restart: unless-stopped
environment:
POSTGRES_USER: patch_manager
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGRES_DB: patch_manager
volumes:
- pgdata:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U patch_manager -d patch_manager"]
interval: 5s
timeout: 5s
retries: 10
start_period: 10s
networks:
- patch-manager-net
app:
image: ghcr.io/draco-lunaris/linux-patch-manager:${TAG:-latest}
restart: unless-stopped
depends_on:
db:
condition: service_healthy
ports:
- "443:443"
environment:
DATABASE_URL: postgres://patch_manager:${DB_PASSWORD}@db:5432/patch_manager
PATCH_MANAGER_CONFIG: /etc/patch-manager/config.toml
volumes:
- pm-config:/etc/patch-manager
- pm-logs:/var/log/patch-manager
- pm-data:/opt/patch-manager
networks:
- patch-manager-net
volumes:
pgdata:
driver: local
pm-config:
driver: local
pm-logs:
driver: local
pm-data:
driver: local
networks:
patch-manager-net:
driver: bridge

232
docker/entrypoint.sh Executable file
View File

@ -0,0 +1,232 @@
#!/bin/bash
set -e
# =============================================================================
# Linux Patch Manager — Docker Entrypoint
# =============================================================================
# Handles first-run: wait for DB, run migrations, generate admin password,
# start pm-web and pm-worker services.
# =============================================================================
MIGRATION_DIR="/usr/share/patch-manager/migrations"
CONFIG_DIR="/etc/patch-manager"
ADMIN_PASSWORD_FILE="/etc/patch-manager/admin-password.txt"
# ---------------------------------------------------------------------------
# Parse DATABASE_URL into PG* env vars for psql compatibility
# ---------------------------------------------------------------------------
parse_database_url() {
# DATABASE_URL format: postgres://user:password@host:port/dbname
local url="${DATABASE_URL}"
# Extract components
DB_PASS=$(echo "$url" | sed -n 's|postgres://[^:]*:\([^@]*\)@.*|\1|p')
DB_HOST=$(echo "$url" | sed -n 's|.*@\([^:/]*\).*|\1|p')
DB_PORT=$(echo "$url" | sed -n 's|.*:\([0-9]*\)/.*|\1|p')
DB_USER=$(echo "$url" | sed -n 's|postgres://\([^:]*\):.*|\1|p')
DB_NAME=$(echo "$url" | sed -n 's|.*/\([^?]*\).*|\1|p')
# Default port
DB_PORT="${DB_PORT:-5432}"
export PGHOST="${DB_HOST}"
export PGPORT="${DB_PORT}"
export PGUSER="${DB_USER}"
export PGPASSWORD="${DB_PASS}"
export PGDATABASE="${DB_NAME}"
}
# ---------------------------------------------------------------------------
# Wait for PostgreSQL to be ready
# ---------------------------------------------------------------------------
wait_for_db() {
echo "[entrypoint] Waiting for PostgreSQL at ${PGHOST}:${DB_PORT}..."
local retries=60
local delay=2
local i
for ((i = 1; i <= retries; i++)); do
if pg_isready -q -h "${PGHOST}" -p "${DB_PORT}" -U "${DB_USER}" 2>/dev/null; then
echo "[entrypoint] PostgreSQL is ready."
return 0
fi
echo "[entrypoint] PostgreSQL not ready (attempt ${i}/${retries}), waiting ${delay}s..."
sleep "${delay}"
done
echo "[entrypoint] ERROR: PostgreSQL did not become ready after $((retries * delay)) seconds." >&2
return 1
}
# ---------------------------------------------------------------------------
# Run database migrations (idempotent)
# ---------------------------------------------------------------------------
run_migrations() {
echo "[entrypoint] Applying database migrations..."
# Ensure pgcrypto extension
psql -v ON_ERROR_STOP=1 -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;" 2>/dev/null || true
# Create migration tracking table
psql -v ON_ERROR_STOP=1 <<'EOSQL'
CREATE TABLE IF NOT EXISTS _migrations (
id SERIAL PRIMARY KEY,
filename TEXT NOT NULL UNIQUE,
applied_at TIMESTAMPTZ NOT NULL DEFAULT now()
);
EOSQL
# Handle upgrade from pre-migration-tracking versions
local migration_count
migration_count=$(psql -t -A -c "SELECT COUNT(*) FROM _migrations;" 2>/dev/null || echo "0")
migration_count="${migration_count// /}"
local tables_exist
tables_exist=$(psql -t -A -c "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='public' AND table_name='users';" 2>/dev/null || echo "0")
tables_exist="${tables_exist// /}"
if [[ "${migration_count}" == "0" && "${tables_exist}" -gt 0 ]]; then
echo "[entrypoint] Existing database detected — marking all shipped migrations as already applied."
for sql_file in $(ls "${MIGRATION_DIR}"/*.sql 2>/dev/null | sort); do
local fname
fname=$(basename "${sql_file}")
psql -v ON_ERROR_STOP=1 -c "INSERT INTO _migrations (filename) VALUES ('${fname}') ON CONFLICT (filename) DO NOTHING;" 2>/dev/null || true
done
fi
# Apply each migration in sorted order
local applied=0
local skipped=0
for sql_file in $(ls "${MIGRATION_DIR}"/*.sql 2>/dev/null | sort); do
local fname
fname=$(basename "${sql_file}")
local already_applied
already_applied=$(psql -t -A -c "SELECT COUNT(*) FROM _migrations WHERE filename='${fname}';" 2>/dev/null || echo "0")
already_applied="${already_applied// /}"
if [[ "${already_applied}" -gt 0 ]]; then
skipped=$((skipped + 1))
continue
fi
echo "[entrypoint] Applying migration: ${fname}"
if psql -v ON_ERROR_STOP=1 -f "${sql_file}"; then
psql -v ON_ERROR_STOP=1 -c "INSERT INTO _migrations (filename) VALUES ('${fname}');" 2>/dev/null || true
applied=$((applied + 1))
else
echo "[entrypoint] ERROR: Failed to apply migration: ${fname}" >&2
return 1
fi
done
if [[ "${applied}" -gt 0 ]]; then
echo "[entrypoint] Applied ${applied} new migration(s), skipped ${skipped}."
else
echo "[entrypoint] All migrations up to date (${skipped} already applied)."
fi
}
# ---------------------------------------------------------------------------
# Generate admin password on first run
# ---------------------------------------------------------------------------
generate_admin_password() {
echo "[entrypoint] Checking admin password status..."
# Generate a random 24-character password
local admin_password
admin_password=$(openssl rand -base64 32 | tr -dc 'A-Za-z0-9!@#%^&*' | head -c 24)
# Hash with argon2 (PHC format)
local password_hash
password_hash=$(echo -n "${admin_password}" | argon2 salt -id -t 3 -m 65536 -p 1 -l 32 -e)
# Update admin user — only if placeholder hash is still present
# The placeholder starts with: $argon2id$v=19$m=65536,t=3,p=1$AAAAAAAAAAAAAAAA
# Using single-quoted variable to preserve $ signs in the SQL LIKE pattern
local placeholder_pattern
placeholder_pattern='$argon2id$v=19$m=65536,t=3,p=1$AAAAAAAAAAAAAAAA%'
local updated
updated=$(psql -t -A -c \
"UPDATE users SET password_hash = '${password_hash}', force_password_reset = TRUE \
WHERE username = 'admin' AND password_hash LIKE '${placeholder_pattern}' \
RETURNING id;" 2>/dev/null || echo "")
if [[ -n "${updated}" ]]; then
echo "${admin_password}" > "${ADMIN_PASSWORD_FILE}"
chmod 600 "${ADMIN_PASSWORD_FILE}"
chown root:root "${ADMIN_PASSWORD_FILE}"
echo ""
echo "============================================="
echo " Linux Patch Manager — Admin Credentials"
echo "============================================="
echo " Username: admin"
echo " Password: ${admin_password}"
echo ""
echo " IMPORTANT: Save this password! It will not be shown again."
echo " Password also saved to: ${ADMIN_PASSWORD_FILE}"
echo "============================================="
echo ""
else
echo "[entrypoint] Admin password already set (not a fresh install)."
fi
}
# ---------------------------------------------------------------------------
# Generate JWT keys if not present
# ---------------------------------------------------------------------------
generate_jwt_keys() {
if [[ ! -f "${CONFIG_DIR}/jwt/signing.pem" ]]; then
echo "[entrypoint] Generating Ed25519 JWT signing key..."
openssl genpkey -algorithm ed25519 -out "${CONFIG_DIR}/jwt/signing.pem" 2>/dev/null
openssl pkey -in "${CONFIG_DIR}/jwt/signing.pem" -pubout -out "${CONFIG_DIR}/jwt/verify.pem" 2>/dev/null
chown patch-manager:patch-manager "${CONFIG_DIR}/jwt/signing.pem" "${CONFIG_DIR}/jwt/verify.pem"
chmod 600 "${CONFIG_DIR}/jwt/signing.pem"
chmod 644 "${CONFIG_DIR}/jwt/verify.pem"
echo "[entrypoint] JWT keys generated."
else
echo "[entrypoint] JWT signing key already exists."
fi
}
# ---------------------------------------------------------------------------
# Write config.toml if not present
# ---------------------------------------------------------------------------
write_config() {
local config_file="${CONFIG_DIR}/config.toml"
if [[ -f "${config_file}" ]]; then
echo "[entrypoint] Config file already exists, not overwriting."
return 0
fi
echo "[entrypoint] Writing configuration file..."
cp /usr/share/patch-manager/config.example.toml "${config_file}"
sed -i "s|postgres://patch_manager:CHANGEME@localhost/patch_manager|${DATABASE_URL}|" "${config_file}"
chown patch-manager:patch-manager "${config_file}"
chmod 640 "${config_file}"
echo "[entrypoint] Configuration written."
}
# ---------------------------------------------------------------------------
# Main
# ---------------------------------------------------------------------------
echo "[entrypoint] Linux Patch Manager Docker entrypoint starting..."
parse_database_url
wait_for_db
run_migrations
generate_admin_password
generate_jwt_keys
write_config
echo "[entrypoint] Starting pm-web and pm-worker..."
# Start pm-worker in background
pm-worker &
WORKER_PID=$!
# Start pm-web in foreground (main process)
export PATCH_MANAGER_CONFIG="${CONFIG_DIR}/config.toml"
exec pm-web

26
docs/security-review.md
View File

@ -160,9 +160,30 @@ verifying that all mandated security controls are implemented and operational.
## 6. Findings & Recommendations
### No Critical or High Findings
### 🔴 CRITICAL: Committed Private Key Material (Issue #12) — RESOLVED
All security controls are implemented as specified in the system requirements.
**Description:**
Private key file `client.key` and public certificates (`client.crt`, `ca.crt`) were committed
to version control in `crates/pm-agent-client/certs/`. Committed private keys are a critical
security risk: anyone with repository access can impersonate agents or decrypt captured TLS traffic.
**Status:** ✅ RESOLVED
**Remediation Applied:**
1. Removed all cert files from git tracking (`git rm --cached`)
2. Added `*.key`, `*.key.pem` and `crates/pm-agent-client/certs/` to `.gitignore`
3. Updated `pm-agent-client` doc examples to use `std::fs::read()` instead of `include_bytes!`
4. Added `gitleaks` secret scanning to CI pipeline
5. Added README to `crates/pm-agent-client/certs/` explaining runtime cert generation
6. Git history will be purged with `git filter-repo` after PR merge
**Key Rotation:**
These keys were dev/test only. No production key rotation is needed. All committed keys
should be considered compromised and must not be used in production.
### No Other Critical or High Findings
All other security controls are implemented as specified in the system requirements.
### Recommendations (Low Priority)
@ -192,3 +213,4 @@ All security controls are implemented as specified in the system requirements.
- [x] Backup encryption supported (GPG)
- [x] Azure SSO with PKCE flow
- [x] No plaintext credential storage
- [x] Committed private key material removed from repository (Issue #12)

2
frontend/package.json
View File

@ -1,7 +1,7 @@
{
"name": "patch-manager-ui",
"private": true,
"version": "0.1.7",
"version": "1.1.0",
"type": "module",
"scripts": {
"dev": "vite",

2
scripts/build-package.sh
View File

@ -22,7 +22,7 @@ warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
error() { echo -e "${RED}[ERROR]${NC} $*" >&2; exit 1; }
PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
VERSION="0.1.9"
VERSION="1.1.0"
RELEASE="1"
PKG_NAME="linux-patch-manager"
DEB_NAME="${PKG_NAME}_${VERSION}-${RELEASE}_amd64.deb"

4
scripts/bump-version.sh
View File

@ -30,7 +30,7 @@ mv "$TEMP_CHANGELOG" debian/changelog
echo "[2/5] debian/changelog: Added entry for $NEW_VERSION"
# 3. debian/control - Update Version field
if grep -q "^Version:" debian/control 2>/dev/null; then
if grep -q "^Version:" debian/control 2>/dev/null || true; then
sed -i "s/^Version: .*/Version: $NEW_VERSION-1/" debian/control
echo "[3/5] debian/control: -> $NEW_VERSION-1"
else
@ -71,7 +71,7 @@ fi
echo ""
echo "Stale references check:"
grep -r "$OLD_VERSION" --include='*.toml' --include='*.sh' --include='*.json' --include='control' . 2>/dev/null | grep -v 'target/' | grep -v '.git/' | grep -v 'node_modules/' | grep -v 'bump-version.sh' || echo " No stale references found"
grep -r "$OLD_VERSION" --include='*.toml' --include='*.sh' --include='*.json' --include='control' . 2>/dev/null || true | grep -v 'target/' | grep -v '.git/' | grep -v 'node_modules/' | grep -v 'bump-version.sh' || echo " No stale references found"
echo ""
echo "Next steps:"

49
scripts/performance-test.sh
View File

@ -15,6 +15,13 @@
set -euo pipefail
# ---------------------------------------------------------------------------
# BusyBox-compatible millisecond timing (_now_ms not available)
# ---------------------------------------------------------------------------
_now_ms() {
python3 -c "import time; print(int(time.time()*1000))"
}
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
@ -72,10 +79,10 @@ api_call() {
time_api_call() {
local method="$1" endpoint="$2" shift; shift
local start end elapsed
start=$(date +%s%N)
start=$(_now_ms)
api_call "${method}" "${endpoint}" -o /dev/null "$@" 2>/dev/null || true
end=$(date +%s%N)
elapsed=$(( (end - start) / 1000000 )) # milliseconds
end=$(_now_ms)
elapsed=$(( end - start )) # milliseconds
echo "$(echo "scale=3; ${elapsed}/1000" | bc)"
}
@ -97,10 +104,10 @@ test_dashboard_load() {
# Also measure frontend static asset load
info "Measuring frontend index.html load time..."
start=$(date +%s%N)
start=$(_now_ms)
curl -sk -o /dev/null "${BASE_URL}/" 2>/dev/null || true
end=$(date +%s%N)
elapsed=$(( (end - start) / 1000000 ))
end=$(_now_ms)
elapsed=$(( end - start ))
FRONTEND_TIME=$(echo "scale=3; ${elapsed}/1000" | bc)
info "Frontend load time: ${FRONTEND_TIME}s"
pass "Frontend static load: ${FRONTEND_TIME}s"
@ -169,14 +176,14 @@ test_bulk_host_operations() {
# 4.2 Sequential host creation (measure throughput)
info "4.2 Sequential host creation (10 hosts)"
local start=$(date +%s%N)
local start=$(_now_ms)
for i in $(seq 1 10); do
api_call POST /api/v1/hosts \
-d "{\"fqdn\": \"perf-test-${i}.example.com\", \"ip_address\": \"10.99.0.${i}\"}" \
-o /dev/null 2>/dev/null || true
done
local end=$(date +%s%N)
local total_ms=$(( (end - start) / 1000000 ))
local end=$(_now_ms)
local total_ms=$(( end - start ))
local total_s=$(echo "scale=3; ${total_ms}/1000" | bc)
local per_host=$(echo "scale=3; ${total_s}/10" | bc)
info "10 hosts created in ${total_s}s (${per_host}s per host)"
@ -199,11 +206,11 @@ test_cidr_scan() {
# Note: This test initiates a real CIDR scan which may not complete quickly
# without reachable hosts. We measure the API response time for initiating.
info "5.1 CIDR scan initiation time"
local start=$(date +%s%N)
local start=$(_now_ms)
SCAN_RESP=$(api_call POST /api/v1/discovery/cidr \
-d '{"cidr": "10.0.0.0/30", "timeout": 1.5}' 2>/dev/null || true)
local end=$(date +%s%N)
local elapsed_ms=$(( (end - start) / 1000000 ))
local end=$(_now_ms)
local elapsed_ms=$(( end - start ))
local elapsed_s=$(echo "scale=3; ${elapsed_ms}/1000" | bc)
info "CIDR scan initiation: ${elapsed_s}s"
@ -240,13 +247,13 @@ test_concurrent_load() {
# Fire 20 concurrent requests and measure total time
info "6.1 20 concurrent fleet status requests"
local start=$(date +%s%N)
local start=$(_now_ms)
for i in $(seq 1 20); do
api_call GET /api/v1/status/fleet -o /dev/null 2>/dev/null &
done
wait
local end=$(date +%s%N)
local total_ms=$(( (end - start) / 1000000 ))
local end=$(_now_ms)
local total_ms=$(( end - start ))
local total_s=$(echo "scale=3; ${total_ms}/1000" | bc)
local per_req=$(echo "scale=3; ${total_s}/20" | bc)
@ -259,7 +266,7 @@ test_concurrent_load() {
# 6.2 Mixed endpoint concurrent load
info "6.2 20 concurrent mixed-endpoint requests"
start=$(date +%s%N)
start=$(_now_ms)
for i in $(seq 1 5); do
api_call GET /api/v1/hosts -o /dev/null 2>/dev/null &
api_call GET /api/v1/groups -o /dev/null 2>/dev/null &
@ -267,8 +274,8 @@ test_concurrent_load() {
api_call GET /api/v1/status/fleet -o /dev/null 2>/dev/null &
done
wait
end=$(date +%s%N)
total_ms=$(( (end - start) / 1000000 ))
end=$(_now_ms)
total_ms=$(( end - start ))
total_s=$(echo "scale=3; ${total_ms}/1000" | bc)
per_req=$(echo "scale=3; ${total_s}/20" | bc)
info "Mixed concurrent: ${total_s}s total, ${per_req}s avg"
@ -282,12 +289,12 @@ test_ws_ticket_performance() {
echo -e "\n${CYAN}=== Test 7: WebSocket Ticket Issuance ===${NC}"
info "7.1 Sequential ticket creation (10 tickets)"
local start=$(date +%s%N)
local start=$(_now_ms)
for i in $(seq 1 10); do
api_call POST /api/v1/ws/ticket -o /dev/null 2>/dev/null || true
done
local end=$(date +%s%N)
local total_ms=$(( (end - start) / 1000000 ))
local end=$(_now_ms)
local total_ms=$(( end - start ))
local total_s=$(echo "scale=3; ${total_ms}/1000" | bc)
local per_ticket=$(echo "scale=3; ${total_s}/10" | bc)
info "10 tickets in ${total_s}s (${per_ticket}s per ticket)"