Files
Nexus/docs/archive/audits/2026-06-04-delta/audit-delta-2026-06-04-waveD2.md
T
2026-07-08 22:31:31 +08:00

101 lines
3.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Phase 1 Delta 审计 — Wave D2(认证 / 安装 / WS / Agent
**日期**: 2026-06-04
**范围**: Code Review batch2 后 delta — 认证与 Agent 路径
**标准**: `standards/line-walk-audit-standard-v2.md` 8 步
## 登记
| # | 文件 | 语言 | 行数 N | Read 范围 |
|---|------|------|--------|-----------|
| 1 | `server/api/install.py` | Python | 746 | 1746 全文 |
| 2 | `server/api/auth.py` | Python | 374 | 1374 全文 |
| 3 | `server/api/auth_jwt.py` | Python | 274 | 1274 全文 |
| 4 | `server/api/websocket.py` | Python | 552 | 1552 全文 |
| 5 | `server/api/agent.py` | Python | 378 | 1378 全文 |
## 入口表
### install.py
| 方法 | 路径 | 鉴权 |
|------|------|------|
| GET | `/api/install/status` | 无(已锁定 404 |
| GET | `/api/install/env-check` | 安装模式 + 未 lock |
| POST | `/api/install/init-db` | 无 .env + 未 lock |
| POST | `/api/install/create-admin` | `install_token` |
| POST | `/api/install/lock` | 需已有 admin |
| GET | `/api/install/state` | 未 lock |
### auth.py
| 方法 | 路径 | 鉴权 |
|------|------|------|
| POST | `/api/auth/login` | 公开 |
| POST | `/api/auth/refresh` | Cookie/body refresh |
| POST | `/api/auth/logout` | Cookie |
| POST | `/api/auth/totp/*` | JWT + self admin_id |
| PUT | `/api/auth/password` | JWT + 当前密码 (+TOTP) |
| POST | `/api/auth/webssh-token` | JWT + server 存在 |
| GET | `/api/auth/me` | JWT |
### websocket.py
| 类型 | 路径 | 鉴权 |
|------|------|------|
| WS | `/ws/alerts` | Query `?token=` JWT |
| WS | `/ws/sync` | 同上 |
### agent.py
| 方法 | 路径 | 鉴权 |
|------|------|------|
| POST | `/api/agent/heartbeat` | X-API-Key + per-server key |
| POST | `/api/agent/script-callback` | X-API-Key + job secret + rate limit |
## Closure 表
| H | 文件:行号 | 判定 | 理由 |
|---|-----------|------|------|
| H-Install-lock | install.py:344-350 | SAFE | `_reject_if_locked` 阻断突变 |
| H-Install-token | install.py:314-327 | SAFE | `secrets.compare_digest` 一次性 token |
| H-Install-token | install.py:601 | SAFE | create-admin 必须 token |
| H-Install-SQL | install.py:540-544 | SAFE | 参数化 INSERT settings |
| H-Install-DDL | install.py:489-503 | SAFE | DDL 幂等 except pass |
| H-Install-subprocess | install.py:273-293 | SAFE | crontab/supervisor 固定 argv |
| H-Auth-brute | auth.py:125-138 | SAFE | 429/202 由 AuthService |
| H-Auth-cookie | auth.py:38-54 | SAFE | HttpOnly + Secure(HTTPS) + SameSite=Lax |
| H-Auth-TOTP-IDOR | auth.py:223-259 | SAFE | admin_id 必须等于 JWT sub |
| H-Auth-password | auth.py:288-305 | SAFE | bcrypt + token_version 失效 |
| H-Auth-webssh | auth.py:330-349 | SAFE | 短效 server-bound token |
| H-JWT-middleware | auth_jwt.py:78-146 | SAFE | ASGI 层拦截 /api/* |
| H-JWT-public | auth_jwt.py:38-50 | SAFE | 公开前缀含 agent/install/ws |
| H-JWT-tv | auth_jwt.py:222-226 | SAFE | token_version 精确匹配 |
| H-WS-auth | websocket.py:303-311 | SAFE | 无 token → 4001;无效 → 4401 |
| H-WS-auth | websocket.py:366-407 | SAFE | tv + updated_at 双检 |
| H-WS-ADR011 | websocket.py:9,300 | RISK | JWT 在 query;单人运维已接受 ADR-011 |
| H-Agent-key | agent.py:40-57 | SAFE | compare_digesthandler 二次验 per-server |
| H-Agent-unknown | agent.py:193-199 | SAFE | 未知 server 200 discard,不写入 |
| H-Agent-global | agent.py:84-92 | RISK | legacy global API_KEYrisk-acceptance 文档 |
| H-Agent-callback | agent.py:324-347 | SAFE | rate limit + job secret |
| H-Agent-no-exec | agent.py:378 | SAFE | 控制面无 shell exec |
**len(H)=22, Closure=22**
## FINDING
无 P0/P1 新 FINDING。RISKWS query JWT、Agent global key — 见 `docs/project/risk-acceptance-single-operator.md`
## DoD
- [x] len(H) == Closure
- [x] Read 1..N 全文
- [x] 入口表 + sink
- [x] 逐行完成 ✓(D2 五文件)
## 验证
```bash
bash scripts/local_verify.sh # 预期全绿
```