wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 3 Packages Projects Releases Wiki Activity
Files
5343d4627bc0c765e6045eb0ecdb5b55869fb310
awoooi/scripts/security/backup-restore-owner-response-acceptance.py

342 lines
15 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/usr/bin/env python3
"""
IwoooS Backup / Restore / Escrow owner response acceptance 只讀帳本產生器。
本工具讀取 Backup / Restore / Escrow inventory 與 owner request draft建立
未來 owner response 如何收件、補件、隔離、拒收或進 restore / retention
review 的 metadata-only acceptance ledger。它不執行 backup、不 restore、不
rclone sync、不寫 escrow marker、不 restic prune、不 kubectl、不 SSH、不收
secret value。
"""
from __future__ import annotations
import argparse
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Any
TAIPEI = timezone(timedelta(hours=8))
ACCEPTANCE_FIELDS = [
"acceptance_candidate_id",
"request_id",
"surface_id",
"config_kind",
"backup_scope",
"control_tier",
"write_capable_surface",
"owner_response_ref",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"latest_backup_status_ref",
"restore_drill_plan_ref",
"offsite_sync_evidence_ref",
"credential_escrow_evidence_ref",
"retention_owner",
"maintenance_window",
"rollback_owner",
"validation_plan",
"reviewer_outcome",
"followup_owner",
"not_approval",
]
REVIEWER_CHECKS = [
{"check_id": "owner_identity_present", "instruction": "owner role / team 必須可追溯。"},
{"check_id": "decision_reason_present", "instruction": "decision 與 decision reason 必須同時存在。"},
{"check_id": "affected_scope_matches_surface", "instruction": "affected scope 必須能對回 committed surface_id。"},
{"check_id": "redacted_refs_only", "instruction": "evidence 只能是脫敏 ref、hash、ticket、commit 或 artifact pointer。"},
{"check_id": "secret_value_absent", "instruction": "不得出現 token、private key、seed、rclone config、kubeconfig 或 credential derivative。"},
{"check_id": "backup_status_ref_shape", "instruction": "latest backup status 只能是 owner-provided redacted ref不得讀 live backup store。"},
{"check_id": "restore_drill_plan_present", "instruction": "restore drill 必須是 plan / approval package不得是執行請求。"},
{"check_id": "offsite_sync_ref_not_payload", "instruction": "offsite sync evidence 只能是 ref不得貼 raw listing 或 secret path。"},
{"check_id": "credential_escrow_metadata_only", "instruction": "credential escrow 只能是 metadata / marker ref不得包含 value。"},
{"check_id": "retention_owner_present", "instruction": "retention owner 與 retention decision 必須可追溯。"},
{"check_id": "maintenance_window_present", "instruction": "任何未來 backup / restore / prune / sync 都必須另有維護窗口。"},
{"check_id": "rollback_owner_present", "instruction": "rollback owner 與 rollback ref 必須存在。"},
{"check_id": "counts_transition_safe", "instruction": "只有 reviewer record 可更新 received / accepted / rejected不得同時開 runtime gate。"},
]
OUTCOME_LANES = [
{"lane_id": "waiting_owner_response", "meaning": "尚未收到 owner response所有 accepted / runtime count 維持 0。"},
{"lane_id": "quarantine_raw_payload", "meaning": "收到 raw backup listing、secret、rclone config 或不可保存內容時只能隔離。"},
{"lane_id": "reject_secret_or_credential_value", "meaning": "出現 secret value、credential derivative 或未脫敏 payload 時直接拒收。"},
{"lane_id": "request_supplement", "meaning": "欄位不足、scope 不清、restore / retention owner 缺失時要求補件。"},
{"lane_id": "ready_for_restore_review", "meaning": "metadata 合格後,只能進 restore / retention reviewer review。"},
{"lane_id": "owner_review_only_update", "meaning": "只允許更新只讀 owner review ledger不得執行 backup / restore / offsite / retention。"},
{"lane_id": "waiting_runtime_gate", "meaning": "即使 owner response acceptedruntime gate 仍等待獨立人工批准。"},
]
BLOCKED_ACTIONS = [
"backup_run",
"restore_run",
"restore_drill",
"offsite_sync",
"offsite_remote_delete",
"credential_escrow_marker_write",
"retention_change",
"restic_prune",
"rclone_config",
"velero_restore",
"velero_backup",
"kubectl_action",
"ssh_read",
"ssh_write",
"secret_value_collection",
"host_write",
"active_scan",
"runtime_gate_open",
"raw_backup_payload_storage",
"accept_secret_value_evidence",
"mark_owner_response_accepted_without_reviewer_record",
"add_action_button",
]
def git_short_sha(root: Path) -> str:
try:
result = subprocess.run(
["git", "rev-parse", "--short", "HEAD"],
cwd=root,
check=True,
capture_output=True,
text=True,
)
return result.stdout.strip()
except Exception:
return "unknown"
def load_json(path: Path) -> dict[str, Any]:
return json.loads(path.read_text(encoding="utf-8"))
def acceptance_candidate(request: dict[str, Any]) -> dict[str, Any]:
surface_id = request["surface_id"]
return {
"acceptance_candidate_id": f"backup_restore_owner_response_acceptance:{surface_id}",
"status": "waiting_owner_response",
"request_id": request["request_id"],
"surface_id": surface_id,
"config_kind": request["config_kind"],
"backup_scope": request["backup_scope"],
"control_tier": request["control_tier"],
"write_capable_surface": request["write_capable_surface"],
"owner_response_ref": None,
"owner_role_or_team": "pending_owner_response",
"decision": "pending_owner_response",
"decision_reason": "pending_owner_response",
"affected_scope": "pending_owner_response",
"redacted_evidence_refs": [],
"latest_backup_status_ref": None,
"restore_drill_plan_ref": None,
"offsite_sync_evidence_ref": None,
"credential_escrow_evidence_ref": None,
"retention_owner": "pending_owner_response",
"maintenance_window": "pending_owner_response",
"rollback_owner": "pending_owner_response",
"validation_plan": "pending_owner_response",
"reviewer_outcome": "waiting_owner_response",
"followup_owner": "pending_owner_response",
"acceptance_fields": ACCEPTANCE_FIELDS,
"required_owner_fields": request["required_owner_fields"],
"reviewer_checks": [item["check_id"] for item in REVIEWER_CHECKS],
"outcome_lanes": [item["lane_id"] for item in OUTCOME_LANES],
"blocked_actions": BLOCKED_ACTIONS,
"not_approval": True,
"request_sent": False,
"recipient_confirmed": False,
"owner_response_received": False,
"owner_response_accepted": False,
"owner_response_rejected": False,
"owner_response_quarantined": False,
"supplement_requested": False,
"live_evidence_received": False,
"restore_drill_accepted": False,
"offsite_sync_accepted": False,
"credential_escrow_accepted": False,
"retention_change_accepted": False,
"maintenance_window_accepted": False,
"rollback_owner_accepted": False,
"validation_plan_accepted": False,
"backup_run_authorized": False,
"restore_run_authorized": False,
"offsite_sync_authorized": False,
"offsite_remote_delete_authorized": False,
"credential_escrow_marker_write_authorized": False,
"retention_change_authorized": False,
"restic_prune_authorized": False,
"rclone_config_authorized": False,
"velero_restore_authorized": False,
"velero_backup_authorized": False,
"kubectl_action_authorized": False,
"ssh_read_authorized": False,
"ssh_write_authorized": False,
"secret_value_collection_allowed": False,
"host_write_authorized": False,
"active_scan_authorized": False,
"runtime_gate": False,
"action_buttons_allowed": False,
}
def build_report(
root: Path,
inventory: dict[str, Any],
request_draft_report: dict[str, Any],
generated_at: str | None,
) -> dict[str, Any]:
report_time = generated_at or datetime.now(TAIPEI).isoformat(timespec="seconds")
requests = request_draft_report.get("request_drafts", [])
acceptance_candidates = [acceptance_candidate(item) for item in requests]
write_capable = [item for item in acceptance_candidates if item["write_capable_surface"]]
live_evidence = [item for item in acceptance_candidates if item["live_evidence_received"] is False]
return {
"schema_version": "backup_restore_owner_response_acceptance_v1",
"generated_at": report_time,
"git_commit": git_short_sha(root),
"source_inventory_schema_version": inventory.get("schema_version"),
"source_inventory_status": inventory.get("status"),
"source_owner_request_schema_version": request_draft_report.get("schema_version"),
"source_owner_request_status": request_draft_report.get("status"),
"status": "owner_response_acceptance_ledger_ready_no_runtime_action",
"summary": {
"source_surface_count": inventory.get("summary", {}).get("surface_count", 0),
"source_request_draft_count": request_draft_report.get("summary", {}).get("request_draft_count", 0),
"acceptance_candidate_count": len(acceptance_candidates),
"write_capable_acceptance_candidate_count": len(write_capable),
"live_evidence_required_candidate_count": len(live_evidence),
"acceptance_field_count": len(ACCEPTANCE_FIELDS),
"required_owner_field_count": len(request_draft_report["required_owner_fields"]),
"reviewer_check_count": len(REVIEWER_CHECKS),
"outcome_lane_count": len(OUTCOME_LANES),
"blocked_action_count": len(BLOCKED_ACTIONS),
"request_sent_count": 0,
"recipient_confirmed_count": 0,
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"owner_response_rejected_count": 0,
"owner_response_quarantined_count": 0,
"supplement_requested_count": 0,
"live_evidence_received_count": 0,
"restore_drill_accepted_count": 0,
"offsite_sync_accepted_count": 0,
"credential_escrow_accepted_count": 0,
"retention_change_accepted_count": 0,
"maintenance_window_accepted_count": 0,
"rollback_owner_accepted_count": 0,
"validation_plan_accepted_count": 0,
"backup_run_authorized_count": 0,
"restore_run_authorized_count": 0,
"offsite_sync_authorized_count": 0,
"offsite_remote_delete_authorized_count": 0,
"credential_escrow_marker_write_authorized_count": 0,
"retention_change_authorized_count": 0,
"restic_prune_authorized_count": 0,
"rclone_config_authorized_count": 0,
"velero_restore_authorized_count": 0,
"velero_backup_authorized_count": 0,
"kubectl_action_authorized_count": 0,
"ssh_read_authorized_count": 0,
"ssh_write_authorized_count": 0,
"secret_value_collection_allowed_count": 0,
"host_write_authorized_count": 0,
"active_scan_authorized_count": 0,
"runtime_gate_count": 0,
"action_button_count": 0,
},
"execution_boundaries": {
"request_dispatch_authorized": False,
"owner_response_accepted": False,
"live_evidence_received": False,
"backup_run_authorized": False,
"restore_run_authorized": False,
"restore_drill_authorized": False,
"offsite_sync_authorized": False,
"offsite_remote_delete_authorized": False,
"credential_escrow_marker_write_authorized": False,
"retention_change_authorized": False,
"restic_prune_authorized": False,
"rclone_config_authorized": False,
"velero_restore_authorized": False,
"velero_backup_authorized": False,
"kubectl_action_authorized": False,
"ssh_read_authorized": False,
"ssh_write_authorized": False,
"secret_value_collection_allowed": False,
"host_write_authorized": False,
"active_scan_authorized": False,
"runtime_execution_authorized": False,
"action_buttons_allowed": False,
"not_authorization": True,
},
"acceptance_fields": ACCEPTANCE_FIELDS,
"required_owner_fields": request_draft_report["required_owner_fields"],
"reviewer_checks": REVIEWER_CHECKS,
"outcome_lanes": OUTCOME_LANES,
"blocked_actions": BLOCKED_ACTIONS,
"acceptance_candidates": acceptance_candidates,
"next_steps": [
"等待 owner response未收到前不得更新 accepted count。",
"收到回覆後先走 raw payload / secret / scope / restore / retention / evidence ref 檢查,不合格即隔離、拒收或補件。",
"metadata 合格也只能進 restore / retention reviewer reviewbackup、restore、offsite sync、escrow marker、retention change 與 production write 仍需獨立人工批准。",
],
}
def main() -> int:
parser = argparse.ArgumentParser(description="IwoooS Backup / Restore / Escrow owner response acceptance 只讀帳本產生器")
parser.add_argument("--root", default=".", help="repo root")
parser.add_argument(
"--inventory-report",
default="docs/security/backup-restore-escrow-inventory.snapshot.json",
help="backup-restore-escrow-inventory.py 輸出的 JSON",
)
parser.add_argument(
"--owner-request-report",
default="docs/security/backup-restore-owner-request-draft.snapshot.json",
help="backup-restore-owner-request-draft.py 輸出的 JSON",
)
parser.add_argument("--output", help="寫出 JSON 報告")
parser.add_argument("--generated-at", help="固定報告時間,供 committed snapshot 使用")
args = parser.parse_args()
root = Path(args.root).resolve()
inventory = load_json(root / args.inventory_report)
request_draft_report = load_json(root / args.owner_request_report)
report = build_report(root, inventory, request_draft_report, args.generated_at)
payload = json.dumps(report, ensure_ascii=False, indent=2, sort_keys=True)
if args.output:
output = Path(args.output)
output.parent.mkdir(parents=True, exist_ok=True)
output.write_text(payload + "\n", encoding="utf-8")
else:
print(payload)
summary = report["summary"]
print(
"BACKUP_RESTORE_OWNER_RESPONSE_ACCEPTANCE_OK "
f"candidates={summary['acceptance_candidate_count']} "
f"write_capable={summary['write_capable_acceptance_candidate_count']} "
f"checks={summary['reviewer_check_count']} "
f"lanes={summary['outcome_lane_count']} "
f"accepted={summary['owner_response_accepted_count']} "
f"runtime_gate={summary['runtime_gate_count']}",
file=sys.stderr,
)
return 0
if __name__ == "__main__":
raise SystemExit(main())
Reference in New Issue View Git Blame Copy Permalink