新增数据库驱动的 SecurityEventConnectionManager,复用 RFC 7662 机器 Client,自动完成 Discovery、Push Bearer 生成、Stream 创建、Verification、首次启用、零停机轮换和安全退役。 增加文件与 Kubernetes SecretStore、最小权限 RBAC、动态 Receiver/撤销水位/内省降级,以及系统设置管理页面。已通过全量 Go 测试、go vet、关键包竞态测试、27 个 Web 测试、类型检查、生产构建、Compose 和 Kubernetes dry-run。
27 lines
1011 B
Go
27 lines
1011 B
Go
package httpapi
|
|
|
|
import "net/http"
|
|
|
|
// receiveSecurityEvent accepts an RFC 8417 Security Event Token over RFC 8935 Push.
|
|
//
|
|
// @Summary Receive an SSF Security Event Token
|
|
// @Description Optional endpoint. It validates a stream-specific Bearer before parsing and verifying an ES256 SET. A committed event and a duplicate jti both return an empty 202 response.
|
|
// @Tags Security Events
|
|
// @Accept application/secevent+jwt
|
|
// @Produce json
|
|
// @Param Authorization header string true "Bearer stream-specific-secret"
|
|
// @Param set body string true "Compact signed Security Event Token"
|
|
// @Success 202
|
|
// @Failure 400 {object} map[string]string
|
|
// @Failure 401 {object} map[string]string
|
|
// @Failure 403 {object} map[string]string
|
|
// @Failure 503 {object} map[string]string
|
|
// @Router /api/v1/security-events/ssf [post]
|
|
func (s *Server) receiveSecurityEvent(w http.ResponseWriter, r *http.Request) {
|
|
if s.securityEventReceiver == nil {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
s.securityEventReceiver.ServeHTTP(w, r)
|
|
}
|