# Goal-2 (RBAC Implementation) Task Sheet

## Dependencies
- Goal-1 completion (Core Dispatcher, RBAC Integration, TLS Compliance)
- Security validation fixes from Goal-1-Task-3

## Security Requirements (from SYM-SEC-004)
1. TLS 1.3 REQUIRED for all external communications
2. Certificate OU field MUST map to RBAC roles via signed claims
3. Certificate revocation checks REQUIRED before RBAC validation
4. Full TLS handshake parameters logged for security audits

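The sketch below is an added example, not code from this project: it shows requirements 1-3 applied in order, failing closed on a revoked certificate or a tampered OU claim. The sheet does not define the claim format, so the `<role>.<HMAC-SHA256 hex>` OU layout, the key, the role names and every function name here are assumptions.

```python
import hashlib
import hmac
import ssl

# Assumptions (not from the task sheet): the OU carries "<role>.<hex HMAC-SHA256>",
# the key and the revocation set are provisioned elsewhere, role names are made up.
CLAIM_KEY = b"constructed-demo-key"
KNOWN_ROLES = {"admin", "operator", "auditor"}


class AccessDenied(Exception):
    """Raised whenever a certificate cannot be mapped to a role (fail closed)."""


def make_tls13_context() -> ssl.SSLContext:
    # Requirement 1: refuse anything below TLS 1.3 on external connections.
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED  # a client certificate is mandatory
    return ctx


def sign_role(role: str) -> str:
    tag = hmac.new(CLAIM_KEY, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{tag}"


def role_from_cert(cert: dict, revoked_serials: set) -> str:
    # Requirement 3: revocation is checked before any RBAC decision.
    # revoked_serials holds upper-case hex serial numbers.
    if cert.get("serialNumber", "").upper() in revoked_serials:
        raise AccessDenied("certificate revoked")
    # Requirement 2: take the OU from the subject and verify its signed claim.
    ous = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "organizationalUnitName"]
    if len(ous) != 1:
        raise AccessDenied("expected exactly one OU")
    role = ous[0].partition(".")[0]
    # Re-sign the claimed role and compare in constant time.
    if not hmac.compare_digest(ous[0].encode(), sign_role(role).encode()):
        raise AccessDenied("OU claim signature mismatch")
    if role not in KNOWN_ROLES:
        raise AccessDenied("unknown role")
    return role


def constructed_cert(ou: str, serial: str) -> dict:
    # Same shape as ssl.SSLSocket.getpeercert(); all values are constructed.
    return {"subject": ((("organizationalUnitName", ou),),
                        (("commonName", "svc.example"),)),
            "serialNumber": serial}
```
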
## Pending Fixes (from security-validation.md)
1. Negative encryption tests (RBAC edge cases)
2. TLS-RBAC integration tests (placeholders exist)
3. Negative TLS protocol validation tests

## Tasks

### Task-1: RBAC Core Implementation
- **Description**: Implement core RBAC engine with role hierarchy
- **Dependencies**: Goal-1-Task-2 completion
- **Test Coverage**: 90% (Unit tests for all role operations)
- **Deliverables**:
  - `security/rbac_engine.py` implementation
  - Unit tests in `tests/security/test_rbac_engine.py`

### Task-2: TLS-RBAC Integration
- **Description**: Implement TLS certificate to RBAC role mapping
- **Dependencies**: Task-1 completion, Goal-1-Task-6 completion
- **Test Coverage**: 90% (Integration tests)
- **Deliverables**:
  - Certificate role mapping implementation
  - Integration tests in `tests/security/test_rbac_engine.py`

### Task-3: Negative Test Implementation
- **Description**: Implement missing negative test cases
- **Dependencies**: Task-1 completion
- **Test Coverage**: 100% of edge cases
- **Deliverables**:
  - Negative test cases for RBAC edge cases in `tests/security/test_rbac_negative.py`
  - Negative TLS protocol validation tests
  - Test categories implemented:
    - Tampered OU claims
    - Certificate pinning failures
    - Role assignment boundary violations
    - Audit log tampering
    - Performance under attack
    - Missing authentication context
    - Invalid permission combinations
- **Verification Status**: Implemented (validation delegated to symphony-checker)

### Task-4: Audit Logging Integration
- **Description**: Implement RBAC operation audit logging
- **Dependencies**: Task-1 completion
- **Test Coverage**: 90% (Unit tests)
- **Deliverables**:
  - Audit log integration in `security/rbac_engine.py`
  - Log format specification document

## Quality Gates
1. All code must pass static analysis (mypy, pylint)
2. Minimum 90% test coverage for all modules
3. Security review required before deployment