niuniu/lijiaoqiao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
222 Commits 4 Branches 0 Tags
bb67f30be0d8e91fb5745dc2d033a67219b9d661
Commit Graph

4 Commits

Author SHA1 Message Date
Your Name
ecfde0e887 P4-D: secret治理和KMS表述清理 
domain/account.go: CredentialKMSKeyAlias → CredentialKeyAlias + 注释说明(非KMS)
repository/account.go: 字段映射同步更新(SQL列名credential_kms_key_alias保持不变避免迁移)
security/kms_service.go: 添加模块顶部注释,区分本地加密与真实KMS服务,明确ProviderType="local"为本地实现
 2026-04-21 20:32:31 +08:00
Your Name
2e0f6e29aa fix(supply-api): restore uncached build health 2026-04-17 16:20:34 +08:00
Your Name
ad776e4079 fix: P0/P1 security fixes across gateway, token-runtime, and supply-api 
P0 fixes:
- platform-token-runtime: Add store.Save() after Refresh token update (P0-3)
- platform-token-runtime: Add sync.RWMutex to InMemoryRuntimeStore (P0-4)
- platform-token-runtime: Add bearer token auth to /audit-events endpoint (P0-5)
- gateway: Fail startup in production if PASSWORD_ENCRYPTION_KEY uses default (P0-1)
- gateway: Require explicit CORS_ALLOW_ORIGINS in production (P0-2)

P1 fixes:
- gateway: Add TrustedProxies config field + env var GATEWAY_TRUSTED_PROXIES (P1-5)
- gateway: Sanitize X-Request-ID header to prevent log injection (P1-6)
- gateway: Strip internal error details from error responses to clients (P1-7)
- supply-api: Upgrade deriveDEK from trivial byte-rotation to HKDF-SHA256 (P1-1)
- supply-api: Reject HS256/HS384/HS512 in production, require RSA (P1-2)

Code quality fixes:
- supply-api: Add BruteForceMaxAttempts + BruteForceLockoutDuration to AuthConfig (MED-12)
- supply-api: Add TrustedProxies to token_auth_middleware (IP spoofing protection)
- supply-api: Use shared pathutil.SplitPath instead of duplicate splitPath
- supply-api: Fix query_key_reject_middleware call sites with trustedProxies param
- gateway: Wire TrustedProxies into AuthMiddlewareConfig and extractClientIP
- gateway: Add CORSAllowOrigins to AuthConfig, wire into CORSMiddleware
- gateway: Fix CompletionsHandle to have context and RecordResult like ChatCompletions
- gateway: Add sanitizeRequestID helper for X-Request-ID log injection prevention
- gateway: Add os import for PASSWORD_ENCRYPTION_KEY check
- gateway: Add strings import to handler.go for sanitizeRequestID

Environment issues documented in TEST_ENVIRONMENT_ISSUES.md
 2026-04-17 14:36:02 +08:00
Your Name
7280ef565c test: improve coverage for audit/events and security modules 
- audit/events: 73.5% → 97.6% (+24.1%)
  - Add tests for IsM013/M014/M015RelatedEvent
  - Add tests for FormatSECURITYEvent
  - Add comprehensive coverage for all CRED and SECURITY event functions

- security: 67.2% → 88.8% (+21.6%)
  - Add tests for ValidateKeyID, DecryptionError.Error()
  - Add tests for ValidateQueryParams, GetAllowedParamNames
  - Add tests for isHexString, looksLikeAPIKey
  - Fix test cases to match actual implementation behavior

- audit/sanitizer: Fix MaskMap []string handling bug
  - Add maskSliceInterface for []interface{} type
  - Tests now pass for string slice sensitive fields

All tests pass
 2026-04-08 09:00:29 +08:00