# SecureAudit Version Control - Branch Protection Rules

## RBAC Enforcement

- **GLOBAL**: All users (read-only)
- **INTERNAL**: Developers (push/merge)
- **RESTRICTED**: Admins (force push, delete)

## TLS 1.3 Requirements

```mermaid
graph TD
    A[Git Client] -->|TLS 1.3 AES256-GCM/CHACHA20| B[Git Server]
    B -->|Certificate Pinning| C[RBAC Engine]
    C -->|HMAC-SHA256| D[Audit Logs]
```

## Certificate Pinning

1. Server certificates must have SHA-256 fingerprints registered in:
```python
# In RBACEngine initialization
class RBACEngine:
    def __init__(self):
        # Pinned SHA-256 certificate fingerprints (hex digest) mapped to the host
        # each one is registered for. 'fingerprint1' / 'fingerprint2' are
        # placeholders for the real registered values.
        self.trusted_cert_fingerprints = {
            'fingerprint1': 'admin.example.com',
            'fingerprint2': 'git.internal.example.com',
        }
```

## Audit Log Requirements

- All git operations must include:
  - HMAC-SHA256 signature
  - Timestamp verification
  - Chained hashes for tamper detection
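A minimal implementation of these three requirements, added here as an example and not SecureAudit's own code: each entry's HMAC-SHA256 covers the previous entry's hash, the timestamp and the event, and the verifier checks chain linkage, the MAC and timestamp plausibility. The key, the skew window and the sample events are constructed assumptions.

```python
import hmac
import hashlib
import json
import time

# Constructed demo key; in deployment the audit key comes from a secret store, not source.
AUDIT_KEY = b"demo-audit-key-not-for-production"
MAX_CLOCK_SKEW = 300  # seconds an entry timestamp may run ahead of the verifier's clock

def sign_entry(prev_hash, timestamp, event, key=AUDIT_KEY):
    """HMAC-SHA256 over previous hash || timestamp || canonical JSON of the event."""
    payload = prev_hash.encode() + str(timestamp).encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_entry(log, event, timestamp, key=AUDIT_KEY):
    """Append an entry chained to the last one (genesis link is 64 zero hex chars)."""
    prev_hash = log[-1]["hash"] if log else "0" * 64
    entry = {"prev_hash": prev_hash, "ts": timestamp, "event": event}
    entry["hash"] = sign_entry(prev_hash, timestamp, event, key)
    log.append(entry)
    return entry

def verify_log(log, key=AUDIT_KEY, now=None):
    """Return (ok, reason): chain links, HMACs and timestamps are all checked in order."""
    now = int(time.time()) if now is None else now
    prev_hash = "0" * 64
    prev_ts = 0
    for i, e in enumerate(log):
        if e["prev_hash"] != prev_hash:
            return False, f"entry {i}: broken chain link"
        expected = sign_entry(e["prev_hash"], e["ts"], e["event"], key)
        if not hmac.compare_digest(expected, e["hash"]):
            return False, f"entry {i}: HMAC mismatch"
        if e["ts"] < prev_ts or e["ts"] > now + MAX_CLOCK_SKEW:
            return False, f"entry {i}: implausible timestamp"
        prev_hash, prev_ts = e["hash"], e["ts"]
    return True, "ok"

def demo():
    """Constructed sample: a clean two-entry log, then the same log after editing entry 0."""
    log = []
    append_entry(log, {"user": "alice", "op": "push", "branch": "feature/x"}, 1_700_000_000)
    append_entry(log, {"user": "bob", "op": "merge", "branch": "release/1.2"}, 1_700_000_060)
    clean_ok, _ = verify_log(log, now=1_700_000_100)
    log[0]["event"]["op"] = "force-push"  # retroactive edit without the key
    tampered_ok, _ = verify_log(log, now=1_700_000_100)
    return clean_ok, tampered_ok

if __name__ == "__main__":
    print(demo())  # (True, False)
```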

## Branch Protection Matrix

| Branch Type | Push Access     | Merge Access    | Force Push |
|-------------|-----------------|-----------------|------------|
| main        | RESTRICTED only | RESTRICTED only | Disabled   |
| release/*   | INTERNAL+       | INTERNAL+       | Disabled   |
| feature/*   | DEVELOPER+      | DEVELOPER+      | Disabled   |

## Implementation Verification

✅ RBAC Boundaries

✅ TLS 1.3 Enforcement

✅ Certificate Pinning

✅ Audit Log Integrity