SecureAudit Version Control - Branch Protection Rules
RBAC Enforcement
- GLOBAL: All users (read-only)
- INTERNAL: Developers (push/merge)
- RESTRICTED: Admins (force push, delete)
TLS 1.3 Requirements
```mermaid
graph TD
    A[Git Client] -->|TLS 1.3 AES256-GCM/CHACHA20| B[Git Server]
    B -->|Certificate Pinning| C[RBAC Engine]
    C -->|HMAC-SHA256| D[Audit Logs]
```
Certificate Pinning
- Server certificates must have SHA-256 fingerprints registered in:
```python
# In RBACEngine initialization
self.trusted_cert_fingerprints = {
    'fingerprint1': 'admin.example.com',
    'fingerprint2': 'git.internal.example.com'
}
```
Audit Log Requirements
- All git operations must include:
  - HMAC-SHA256 signature
  - Timestamp verification
  - Chained hashes for tamper detection
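
A sketch of how the three audit log requirements above (HMAC-SHA256 signature, timestamp verification, chained hashes) fit together, added here as an illustration and not SecureAudit's own code. The entry field names, the all-zero genesis value, and the 300-second skew limit are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64        # prev_hash of the first entry (assumed convention)
MAX_SKEW_SECONDS = 300    # assumed clock-skew tolerance
FIELDS = ("user", "operation", "ref", "timestamp", "prev_hash")


def _payload(entry):
    # Canonical JSON so signer and verifier MAC identical bytes.
    body = {k: entry[k] for k in FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _seal(entry, key):
    # HMAC authenticates the fields; entry_hash is what the next entry chains to.
    mac = hmac.new(key, _payload(entry), hashlib.sha256).hexdigest()
    return mac, hashlib.sha256(_payload(entry) + mac.encode()).hexdigest()


def append_entry(log, key, user, operation, ref, timestamp):
    entry = {"user": user, "operation": operation, "ref": ref,
             "timestamp": timestamp,
             "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry["hmac"], entry["entry_hash"] = _seal(entry, key)
    log.append(entry)


def verify_log(log, key, now):
    """Return (True, None), or (False, index of the first entry that fails)."""
    prev_hash, prev_ts = GENESIS, float("-inf")
    for i, entry in enumerate(log):
        mac, entry_hash = _seal(entry, key)
        ok = (hmac.compare_digest(mac, entry["hmac"])
              and entry["prev_hash"] == prev_hash
              and entry_hash == entry["entry_hash"]
              and prev_ts <= entry["timestamp"] <= now + MAX_SKEW_SECONDS)
        if not ok:
            return False, i
        prev_hash, prev_ts = entry["entry_hash"], entry["timestamp"]
    return True, None


if __name__ == "__main__":
    key, log = b"constructed-demo-key", []   # constructed key, not a real secret
    append_entry(log, key, "alice", "push", "refs/heads/feature/x", 1700000000)
    append_entry(log, key, "bob", "merge", "refs/heads/main", 1700000060)
    log[0]["user"] = "mallory"               # simulate tampering
    print(verify_log(log, key, now=1700000100))
```

The chain detects edited, reordered, or removed entries in the middle of the log; detecting truncation of the newest entries additionally requires storing the latest `entry_hash` somewhere outside the log.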
Branch Protection Matrix
| Branch Type | Push Access | Merge Access | Force Push |
|---|---|---|---|
| main | RESTRICTED only | RESTRICTED only | Disabled |
| release/* | INTERNAL+ | INTERNAL+ | Disabled |
| feature/* | DEVELOPER+ | DEVELOPER+ | Disabled |
Implementation Verification
✅ RBAC Boundaries
✅ TLS 1.3 Enforcement
✅ Certificate Pinning
✅ Audit Log Integrity