awoooi/scripts/security/host-service-owner-request-draft.py

#!/usr/bin/env python3
"""
IwoooS Docker / systemd / host service owner request draft 產生器。

本工具讀取 host-service repo-only 清冊，將 9 個 surface 轉成人工送件前
request draft。它不 SSH、不讀 live host、不執行 docker compose、
不執行 systemctl、不呼叫 repair-bot、不跑 Ansible、不收 secret value。
"""

from __future__ import annotations

import argparse
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Any


TAIPEI = timezone(timedelta(hours=8))

REQUEST_FIELDS = [
    "request_id",
    "surface_id",
    "label",
    "expected_host_scope",
    "config_kind",
    "service_scope",
    "control_tier",
    "repo_source_path",
    "repo_sha256",
    "owner_role_or_team",
    "decision",
    "decision_reason",
    "affected_scope",
    "redacted_evidence_refs",
    "live_config_hash_ref",
    "maintenance_window",
    "restart_window",
    "rollback_owner",
    "post_check_plan",
    "disable_switch",
    "followup_owner",
    "not_approval",
]

REQUIRED_OWNER_FIELDS = [
    "owner_role_or_team",
    "decision",
    "decision_reason",
    "affected_scope",
    "redacted_evidence_refs",
    "live_config_hash_ref",
    "maintenance_window",
    "restart_window",
    "rollback_owner",
    "post_check_plan",
    "disable_switch",
    "followup_owner",
]

BLOCKED_ACTIONS = [
    "ssh_read",
    "ssh_write",
    "docker_compose_up",
    "docker_compose_down",
    "systemctl_restart",
    "systemctl_reload",
    "repair_bot_execute",
    "ansible_apply",
    "sudo_action",
    "host_file_write",
    "firewall_change",
    "secret_value_collection",
    "active_scan",
    "runtime_gate_open",
]


def git_short_sha(root: Path) -> str:
    try:
        result = subprocess.run(
            ["git", "rev-parse", "--short", "HEAD"],
            cwd=root,
            check=True,
            capture_output=True,
            text=True,
        )
        return result.stdout.strip()
    except Exception:
        return "unknown"


def load_json(path: Path) -> dict[str, Any]:
    return json.loads(path.read_text(encoding="utf-8"))


def request_for(surface: dict[str, Any]) -> dict[str, Any]:
    surface_id = surface["surface_id"]
    write_capable = surface["config_kind"] in {"host_repair_whitelist", "ansible_service_executor"}
    return {
        "request_id": f"host_service_owner_request:{surface_id}",
        "status": "draft_not_dispatched",
        "surface_id": surface_id,
        "label": surface["label"],
        "expected_host_scope": surface["expected_host_scope"],
        "config_kind": surface["config_kind"],
        "service_scope": surface["service_scope"],
        "control_tier": surface["control_tier"],
        "repo_source_path": surface["source_path"],
        "repo_sha256": surface["sha256"],
        "source_line_count": surface["line_count"],
        "requires_live_evidence": surface["requires_live_evidence"],
        "write_capable_surface": write_capable,
        "source_inventory_ref": "docs/security/host-service-config-inventory.snapshot.json",
        "request_fields": REQUEST_FIELDS,
        "required_owner_fields": REQUIRED_OWNER_FIELDS,
        "blocked_actions": BLOCKED_ACTIONS,
        "owner_role_or_team": "pending_owner_role_or_team",
        "decision": "pending_owner_decision",
        "decision_reason": "pending_decision_reason",
        "affected_scope": "pending_affected_scope",
        "redacted_evidence_refs": [],
        "live_config_hash_ref": None,
        "maintenance_window": "pending_maintenance_window",
        "restart_window": "pending_restart_window",
        "rollback_owner": "pending_rollback_owner",
        "post_check_plan": "pending_post_check_plan",
        "disable_switch": "pending_disable_switch",
        "followup_owner": "pending_followup_owner",
        "not_approval": True,
        "request_sent": False,
        "recipient_confirmed": False,
        "owner_response_received": False,
        "owner_response_accepted": False,
        "live_evidence_received": False,
        "restart_window_accepted": False,
        "rollback_owner_accepted": False,
        "post_check_plan_accepted": False,
        "host_write_authorized": False,
        "ssh_read_authorized": False,
        "ssh_write_authorized": False,
        "docker_compose_action_authorized": False,
        "systemctl_action_authorized": False,
        "repair_bot_execution_authorized": False,
        "ansible_apply_authorized": False,
        "secret_value_collection_allowed": False,
        "active_scan_authorized": False,
        "runtime_gate": False,
        "action_buttons_allowed": False,
    }


def build_report(root: Path, inventory: dict[str, Any], generated_at: str | None) -> dict[str, Any]:
    report_time = generated_at or datetime.now(TAIPEI).isoformat(timespec="seconds")
    requests = [request_for(surface) for surface in inventory["config_surfaces"]]
    write_capable_requests = [item for item in requests if item["write_capable_surface"]]
    live_evidence_requests = [item for item in requests if item["requires_live_evidence"]]

    return {
        "schema_version": "host_service_owner_request_draft_v1",
        "generated_at": report_time,
        "git_commit": git_short_sha(root),
        "source_inventory_schema_version": inventory.get("schema_version"),
        "source_inventory_status": inventory.get("status"),
        "status": "owner_request_draft_ready_not_dispatched",
        "summary": {
            "request_draft_count": len(requests),
            "write_capable_request_draft_count": len(write_capable_requests),
            "live_evidence_required_request_count": len(live_evidence_requests),
            "request_field_count": len(REQUEST_FIELDS),
            "required_owner_field_count": len(REQUIRED_OWNER_FIELDS),
            "blocked_action_count": len(BLOCKED_ACTIONS),
            "request_sent_count": 0,
            "recipient_confirmed_count": 0,
            "owner_response_received_count": 0,
            "owner_response_accepted_count": 0,
            "live_evidence_received_count": 0,
            "restart_window_accepted_count": 0,
            "rollback_owner_accepted_count": 0,
            "post_check_plan_accepted_count": 0,
            "host_write_authorized_count": 0,
            "ssh_read_authorized_count": 0,
            "ssh_write_authorized_count": 0,
            "docker_compose_action_authorized_count": 0,
            "systemctl_action_authorized_count": 0,
            "repair_bot_execution_authorized_count": 0,
            "ansible_apply_authorized_count": 0,
            "secret_value_collection_allowed_count": 0,
            "active_scan_authorized_count": 0,
            "runtime_gate_count": 0,
            "action_button_count": 0,
        },
        "execution_boundaries": {
            "request_sent": False,
            "recipient_confirmed": False,
            "owner_response_received": False,
            "owner_response_accepted": False,
            "live_host_read_authorized": False,
            "live_evidence_received": False,
            "host_write_authorized": False,
            "ssh_read_authorized": False,
            "ssh_write_authorized": False,
            "docker_compose_action_authorized": False,
            "systemctl_action_authorized": False,
            "repair_bot_execution_authorized": False,
            "ansible_apply_authorized": False,
            "secret_value_collection_allowed": False,
            "active_scan_authorized": False,
            "runtime_execution_authorized": False,
            "action_buttons_allowed": False,
            "not_authorization": True,
        },
        "request_fields": REQUEST_FIELDS,
        "required_owner_fields": REQUIRED_OWNER_FIELDS,
        "blocked_actions": BLOCKED_ACTIONS,
        "request_drafts": requests,
        "next_steps": [
            "人工送件前確認每個 host scope 的 owner role / team 與回覆窗口。",
            "owner 只能提供脫敏 live hash、config source ref、maintenance window、rollback owner 與 post-check plan。",
            "收到回覆後先做欄位完整性、敏感 payload 隔離與 restart / rollback gate 檢查，不得直接重啟或 apply。",
        ],
    }


def main() -> int:
    parser = argparse.ArgumentParser(description="IwoooS host service owner request draft 產生器")
    parser.add_argument("--root", default=".", help="repo root")
    parser.add_argument(
        "--inventory-report",
        default="docs/security/host-service-config-inventory.snapshot.json",
        help="host-service-config-inventory.py 輸出的 JSON",
    )
    parser.add_argument("--output", help="寫出 JSON 報告")
    parser.add_argument("--generated-at", help="固定報告時間，供 committed snapshot 使用")
    args = parser.parse_args()

    root = Path(args.root).resolve()
    inventory = load_json(root / args.inventory_report)
    report = build_report(root, inventory, args.generated_at)
    payload = json.dumps(report, ensure_ascii=False, indent=2, sort_keys=True)

    if args.output:
        output = Path(args.output)
        output.parent.mkdir(parents=True, exist_ok=True)
        output.write_text(payload + "\n", encoding="utf-8")
    else:
        print(payload)

    summary = report["summary"]
    print(
        "HOST_SERVICE_OWNER_REQUEST_DRAFT_OK "
        f"drafts={summary['request_draft_count']} "
        f"write_capable={summary['write_capable_request_draft_count']} "
        f"fields={summary['required_owner_field_count']} "
        f"sent={summary['request_sent_count']} "
        f"runtime_gate={summary['runtime_gate_count']}",
        file=sys.stderr,
    )
    return 0


if __name__ == "__main__":
    sys.exit(main())