Commit Graph

2 Commits

Author SHA1 Message Date
A ashkan@beigi.net
035bc59460 Harden deployment: DB ownership and config secrecy
- Restrict the deployed /etc/esim-provisioning/config.yaml to 600 owned by the
  esim service user; it holds the OP key and was previously world-readable.
- Chown data/ AFTER init_db runs (as root) so the SQLite file is owned by the
  esim service user; the service runs with ReadWritePaths=.../data and could
  not write a root-owned database before.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 21:59:27 +00:00
A ashkan@beigi.net
8672b0de6b Add Phase-1 eSIM provisioning implementation
Full working closed-loop eSIM provisioning stack (spec in claude.md / plan/):
Flask API, SQLite subscriber store, credential/profile generator, Open5GS
and free5gc core adapters, captive portal, operational scripts, systemd
units, network configs, and a 44-test suite.

Profile generation currently returns a mock JSON profile; real SGP.22
generation via pySim is the planned Phase-2 upgrade.

Fixes two bugs found while getting the suite green:
- generate_imsi hardcoded a 10-digit MSIN, producing 16-digit IMSIs for a
  3-digit MNC; MSIN length is now 15 - len(mcc) - len(mnc).
- check_rate_limit compared timestamps as strings across mismatched formats
  (SQLite CURRENT_TIMESTAMP vs Python isoformat); both sides now normalized
  via SQLite datetime() so the window check is chronologically correct.

Add .gitignore for venv, caches, runtime config.yaml, and databases.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 05:56:31 +00:00