Commit Graph

2 Commits

Author SHA1 Message Date
Дмитрий 378cfba406 fix(audit): per-RLS-scope hash-chain validation (hole #1 prod fix)
Prod smoke revealed the chain is PER-RLS-SCOPE, not global: audit_chain_hash()
trigger's prev-SELECT obeys each table's RLS policy under the inserting tenant's
GUC. On dev (superuser) it sees all rows (global chain); on prod (crm_app_user)
only RLS-visible rows (per-tenant chain). tenant_operations_log false-broke at a
tenant boundary (row 32, tenant 4 after tenant 3 rows).

Fix (stakeholder choice: per-scope validator, no trigger change / no hash rebuild):
- recompute now uses LAG OVER (PARTITION BY <scope> ORDER BY id):
  tenant_id for tenant_operations_log/activity_log/balance_transactions/pd_processing_log;
  (actor_type, tenant_id) for auth_log (RLS also filters actor_type='tenant_user');
  global for saas_admin_audit_log (no tenant RLS — crm_admin_user BYPASSRLS sees all).
- exit code: incident write now best-effort (try/catch); ANY breach → self::FAILURE
  regardless of whether incident row could be written (no active saas_admin FK).

Tests 7/7 (+multi-tenant per-tenant regression that reproduces prod chaining,
+exit-code-without-admin). Console 21/21, pint clean, larastan 0.
2026-05-23 10:42:51 +03:00
Дмитрий d170c886bc feat(audit): hash-chain integrity validator — audit:verify-chains (hole #1)
Closes hole #1: log_hash written by trigger but never verified → tampering invisible.
audit:verify-chains (cron daily 04:00) recomputes SHA-256 chain for all 6 audit
tables via SQL on pgsql_supplier (prod-safe). Serialization reproduces trigger
exactly (ROW with log_hash=NULL::bytea). Break → incidents_log (high, dedup 24h)
+ AuditChainBreachMail to kdv1@bk.ru + non-zero exit. Tests 5/5, Console 19/19.
2026-05-23 10:27:55 +03:00