Echo
83c97aa2b1
Some checks failed
CI Pipeline / Rust Format Check (push) Failing after 36s
CI Pipeline / Clippy Lints (push) Successful in 45s
CI Pipeline / Rust Unit Tests (push) Successful in 1m1s
CI Pipeline / Security Audit (push) Successful in 4s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 11s
CI Pipeline / Build .deb & Release (push) Has been skipped
BUG-6: Add TLS support via axum-server + rustls
- Added axum-server with tls-rustls feature to workspace and pm-web
- pm-web now serves HTTPS when TLS certs exist, falls back to HTTP with warning
- setup.sh generates self-signed ECDSA P-256 TLS cert with SANs
- Config already had web_tls_cert_path/web_tls_key_path fields
BUG-7: Fix audit chain integrity errors
- Migration 005 now TRUNCATEs audit_log after adding prev_hash column
- Existing rows had broken hash chains (inserted before prev_hash existed)
BUG-8: Disable WatchdogSec in patch-manager-web.service
- pm-web does not implement sd_notify, causing systemd to kill the service
BUG-9: Disable WatchdogSec in patch-manager-worker.service
- Same issue as BUG-8, worker does not implement sd_notify
Previous fixes (BUG-1 through BUG-5) also included:
- setup.sh: PostgreSQL 15+ schema GRANTs
- Axum route syntax :param → {param} (19 routes)
- DbUser struct role: String → UserRole enum mapping
- UserRole/AuthProvider Display trait implementations
- Seed admin password hash (Argon2id)
35 lines
1.7 KiB
SQL
35 lines
1.7 KiB
SQL
-- Migration: 005_audit_hardening
|
|
-- Description: Add prev_hash column to audit_log for full hash chaining,
|
|
-- add notification config defaults to system_config, add new
|
|
-- audit_action enum values, and add audit_integrity_last_verified.
|
|
|
|
-- ============================================================
|
|
-- 1. Add prev_hash column to audit_log
|
|
-- ============================================================
|
|
ALTER TABLE audit_log ADD COLUMN IF NOT EXISTS prev_hash TEXT NOT NULL DEFAULT '';
|
|
|
|
-- Reset the audit log so the hash chain starts clean.
|
|
-- Existing rows were inserted before prev_hash existed, so their
|
|
-- chain is broken. Truncating lets the worker build a valid chain.
|
|
TRUNCATE audit_log;
|
|
|
|
-- ============================================================
|
|
-- 2. Add notification config defaults to system_config
|
|
-- ============================================================
|
|
INSERT INTO system_config (key, value, updated_at)
|
|
VALUES
|
|
('notification_email_enabled', 'false', NOW()),
|
|
('notification_email_from', 'patch-manager@localhost', NOW()),
|
|
('notification_email_recipients', '[]', NOW()),
|
|
('audit_integrity_last_verified', '', NOW())
|
|
ON CONFLICT (key) DO NOTHING;
|
|
|
|
-- ============================================================
|
|
-- 3. Add new audit_action enum values
|
|
-- ============================================================
|
|
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'audit_integrity_verified';
|
|
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'email_notification_sent';
|
|
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'patch_job_completed';
|
|
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'patch_job_failed';
|
|
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'maintenance_window_reminder';
|