wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 3 Packages Projects Releases Wiki Activity
Files
96ef71736d3edad91345ccbd68b538c3d239d4fd
awoooi/apps/api/src/services/iwooos_wazuh_live_metadata_gate.py
Your Name 10a925bab6
All checks were successful
Code Review / ai-code-review (push) Successful in 16s
Details
CD Pipeline / tests (push) Successful in 1m45s
Details
CD Pipeline / build-and-deploy (push) Successful in 5m8s
Details
CD Pipeline / post-deploy-checks (push) Successful in 1m35s
Details
feat(iwooos): expose Wazuh live metadata gate readback
2026-06-27 00:11:54 +08:00

281 lines
12 KiB
Python
Raw Blame History

"""
IwoooS Wazuh live metadata owner gate readback.
This module only exposes committed gate metadata plus public-safe Wazuh route
aggregate status. It never reads secret values, never queries hosts, and never
authorizes Wazuh active response, scans, restarts, reloads, or host writes.
"""
from __future__ import annotations
import json
from pathlib import Path
from typing import Any
from src.services.snapshot_paths import default_security_dir
_DEFAULT_SECURITY_DIR = default_security_dir(Path(__file__))
_SNAPSHOT_FILE = "wazuh-readonly-live-metadata-env-gate.snapshot.json"
_EXPECTED_SCHEMA = "iwooos_wazuh_readonly_live_metadata_env_gate_v1"
_REQUIRED_FALSE_BOUNDARIES = {
"argocd_sync_authorized",
"docker_restart_authorized",
"firewall_change_authorized",
"host_write_authorized",
"k8s_secret_patch_authorized",
"kali_active_scan_authorized",
"nginx_gateway_workaround_authorized",
"production_deploy_authorized",
"raw_wazuh_payload_storage_allowed",
"repo_write_authorized",
"runtime_execution_authorized",
"secret_value_collection_allowed",
"wazuh_active_response_authorized",
"wazuh_api_live_query_authorized",
}
def load_latest_iwooos_wazuh_live_metadata_gate(
security_dir: Path | None = None,
wazuh_live_status: dict[str, Any] | None = None,
wazuh_live_http_status: int = 0,
) -> dict[str, Any]:
"""Load the committed Wazuh live metadata owner gate as a public-safe payload."""
directory = security_dir or _DEFAULT_SECURITY_DIR
snapshot = _load_snapshot(directory)
_require_boundaries(snapshot)
summary = _summary(snapshot)
live_route = _live_route_summary(wazuh_live_status, wazuh_live_http_status)
merged_summary = {
"server_side_env_key_count": _int(summary.get("server_side_env_key_count")),
"required_owner_field_count": _int(summary.get("required_owner_field_count")),
"reviewer_check_count": _int(summary.get("reviewer_check_count")),
"outcome_lane_count": _int(summary.get("outcome_lane_count")),
"blocked_action_count": _int(summary.get("blocked_action_count")),
"production_route_readback_passed_count": _int(summary.get("production_route_readback_passed_count")),
"live_metadata_owner_response_received_count": _int(
summary.get("live_metadata_owner_response_received_count")
),
"live_metadata_owner_response_accepted_count": _int(
summary.get("live_metadata_owner_response_accepted_count")
),
"secret_source_metadata_accepted_count": _int(summary.get("secret_source_metadata_accepted_count")),
"wazuh_manager_health_ref_accepted_count": _int(
summary.get("wazuh_manager_health_ref_accepted_count")
),
"readonly_account_scope_accepted_count": _int(summary.get("readonly_account_scope_accepted_count")),
"post_enable_readback_passed_count": _int(summary.get("post_enable_readback_passed_count")),
"wazuh_api_live_query_authorized_count": _int(summary.get("wazuh_api_live_query_authorized_count")),
"wazuh_active_response_authorized_count": _int(summary.get("wazuh_active_response_authorized_count")),
"host_write_authorized_count": _int(summary.get("host_write_authorized_count")),
"runtime_gate_count": _int(summary.get("runtime_gate_count")),
"wazuh_live_route_http_status": live_route["http_status"],
"wazuh_live_route_degraded_count": live_route["degraded_count"],
"wazuh_live_readonly_api_enabled_count": live_route["readonly_api_enabled_count"],
"wazuh_live_agent_total": live_route["agent_total"],
"wazuh_live_metadata_available_count": live_route["metadata_available_count"],
"wazuh_live_status": live_route["status"],
}
return {
"schema_version": "iwooos_wazuh_live_metadata_gate_readback_v1",
"status": snapshot.get("status", "blocked_waiting_live_metadata_owner_response"),
"mode": "committed_snapshot_readback_with_public_safe_wazuh_route_metadata",
"source_refs": [f"docs/security/{_SNAPSHOT_FILE}", "GET /api/iwooos/wazuh"],
"summary": merged_summary,
"items": _items(merged_summary),
"boundary_markers": _boundary_markers(merged_summary),
"boundaries": {
"runtime_execution_authorized": False,
"secret_value_collection_allowed": False,
"raw_wazuh_payload_storage_allowed": False,
"wazuh_api_live_query_authorized": False,
"wazuh_active_response_authorized": False,
"host_write_authorized": False,
"kali_active_scan_authorized": False,
"k8s_secret_patch_authorized": False,
"argocd_sync_authorized": False,
"docker_restart_authorized": False,
"nginx_gateway_workaround_authorized": False,
"firewall_change_authorized": False,
"not_authorization": True,
},
"no_false_green_rules": [
"正式路由 200 不是即時查詢授權",
"Wazuh 儀表板可見不是 manager registry 已驗收",
"機密來源只能交付中繼資料,不得交付明文、片段或雜湊",
"live metadata query、active response、host write 與 Kali active scan 是不同閘門",
"owner response accepted、post-enable readback 與 runtime gate 仍全部維持 0",
],
}
def _load_snapshot(directory: Path) -> dict[str, Any]:
path = directory / _SNAPSHOT_FILE
if not path.is_file():
raise FileNotFoundError(f"{path}: Wazuh 即時中繼資料閘門快照不存在")
with path.open(encoding="utf-8") as handle:
payload = json.load(handle)
if not isinstance(payload, dict):
raise ValueError(f"{path}: expected JSON object")
if payload.get("schema_version") != _EXPECTED_SCHEMA:
raise ValueError(f"{path}: expected schema_version={_EXPECTED_SCHEMA}")
return payload
def _summary(payload: dict[str, Any]) -> dict[str, Any]:
summary = payload.get("summary")
return summary if isinstance(summary, dict) else {}
def _int(value: Any) -> int:
return value if isinstance(value, int) else 0
def _live_route_summary(payload: dict[str, Any] | None, http_status: int) -> dict[str, Any]:
if not isinstance(payload, dict):
return {
"status": "not_checked_by_snapshot_loader",
"http_status": 0,
"degraded_count": 1,
"readonly_api_enabled_count": 0,
"agent_total": 0,
"metadata_available_count": 0,
}
summary = _summary(payload)
status_text = str(payload.get("status") or "unknown")
metadata_available = status_text == "readonly_metadata_available"
return {
"status": status_text,
"http_status": http_status if isinstance(http_status, int) else 0,
"degraded_count": 0 if metadata_available else 1,
"readonly_api_enabled_count": _int(summary.get("readonly_api_enabled_count")),
"agent_total": _int(summary.get("agent_total")),
"metadata_available_count": 1 if metadata_available else 0,
}
def _items(summary: dict[str, Any]) -> list[dict[str, Any]]:
return [
_item(
"release_readback",
"ENV-1",
"route_readback_passed",
"steady" if summary["production_route_readback_passed_count"] == 1 else "warn",
{"route_readback": summary["production_route_readback_passed_count"]},
),
_item(
"server_env_owner",
"ENV-2",
"waiting_owner_response",
"locked",
{
"owner_received": summary["live_metadata_owner_response_received_count"],
"owner_accepted": summary["live_metadata_owner_response_accepted_count"],
},
),
_item(
"secret_metadata",
"ENV-3",
"metadata_only_waiting_acceptance",
"locked",
{"secret_metadata_accepted": summary["secret_source_metadata_accepted_count"]},
),
_item(
"manager_health",
"ENV-4",
"waiting_manager_health_ref",
"warn",
{
"manager_health_accepted": summary["wazuh_manager_health_ref_accepted_count"],
"live_route_degraded": summary["wazuh_live_route_degraded_count"],
},
),
_item(
"readonly_scope",
"ENV-5",
"waiting_readonly_scope_ref",
"warn",
{"readonly_scope_accepted": summary["readonly_account_scope_accepted_count"]},
),
_item(
"post_enable_readback",
"ENV-6",
"waiting_post_enable_readback",
"locked",
{
"post_enable_readback": summary["post_enable_readback_passed_count"],
"live_query_authorized": summary["wazuh_api_live_query_authorized_count"],
"runtime_gate": summary["runtime_gate_count"],
},
),
]
def _item(
item_id: str,
check: str,
state_key: str,
tone: str,
metrics: dict[str, int],
) -> dict[str, Any]:
return {
"item_id": item_id,
"check": check,
"state_key": state_key,
"tone": tone,
"metrics": metrics,
}
def _boundary_markers(summary: dict[str, Any]) -> list[str]:
return [
f"正式路由讀回={summary['production_route_readback_passed_count']}",
f"負責人回覆接受={summary['live_metadata_owner_response_accepted_count']}",
f"機密來源中繼資料接受={summary['secret_source_metadata_accepted_count']}",
f"管理節點健康參照接受={summary['wazuh_manager_health_ref_accepted_count']}",
f"唯讀帳號範圍接受={summary['readonly_account_scope_accepted_count']}",
f"啟用後讀回={summary['post_enable_readback_passed_count']}",
f"Wazuh 即時查詢授權={summary['wazuh_api_live_query_authorized_count']}",
f"Wazuh 主動回應授權={summary['wazuh_active_response_authorized_count']}",
f"主機寫入授權={summary['host_write_authorized_count']}",
f"執行期閘門={summary['runtime_gate_count']}",
"機密明文收集=false",
"原始 Wazuh 載荷保存=false",
"K8s secret 手動修改=false",
"ArgoCD 手動同步=false",
"Docker 重啟=false",
"Nginx 或 gateway 繞路=false",
"防火牆變更=false",
"資安觀測節點主動掃描=false",
"不是執行授權=true",
]
def _require_boundaries(payload: dict[str, Any]) -> None:
summary = _summary(payload)
for key in (
"live_metadata_owner_response_accepted_count",
"secret_source_metadata_accepted_count",
"wazuh_manager_health_ref_accepted_count",
"readonly_account_scope_accepted_count",
"post_enable_readback_passed_count",
"wazuh_api_live_query_authorized_count",
"wazuh_active_response_authorized_count",
"host_write_authorized_count",
"runtime_gate_count",
):
if _int(summary.get(key)) != 0:
raise ValueError(f"Wazuh 即時中繼資料閘門 summary.{key} 必須維持 0")
boundaries = payload.get("execution_boundaries")
if not isinstance(boundaries, dict):
raise ValueError("Wazuh 即時中繼資料閘門 execution_boundaries 缺失")
for key in _REQUIRED_FALSE_BOUNDARIES:
if boundaries.get(key) is not False:
raise ValueError(f"Wazuh 即時中繼資料閘門 execution_boundaries.{key} 必須維持 false")
if boundaries.get("not_authorization") is not True:
raise ValueError("Wazuh 即時中繼資料閘門 not_authorization 必須維持 true")
Reference in New Issue View Git Blame Copy Permalink