Skip to content

Security Hardening: Ephemeral CA and Default Credential Removal#175

Open
tyronechrisharris wants to merge 112 commits intoopensensorhub:masterfrom
tyronechrisharris:jules-sync-22889794781
Open

Security Hardening: Ephemeral CA and Default Credential Removal#175
tyronechrisharris wants to merge 112 commits intoopensensorhub:masterfrom
tyronechrisharris:jules-sync-22889794781

Conversation

@tyronechrisharris
Copy link

@tyronechrisharris tyronechrisharris commented Mar 10, 2026
edited
Loading

This submission implements security hardening measures for the OSCAR system. Key changes include the removal of all default hardcoded credentials, the implementation of a runtime Ephemeral CA for automatic TLS certificate generation, and a mandatory Setup Wizard for initial system configuration. The Root CA private key is never persisted to disk, and the leaf certificate is secured with a random password stored in a file with restricted permissions. Redirection logic ensures that users must initialize the system before accessing the administrative interface or client.

Fixes #29

PR created automatically by Jules for task 16606973887661840686 started by @tyronechrisharris

🔄 Auto-Distributed via Sync

Original Flat Repo PR: tyronechrisharris/oscar-flat#38

🔗 Related Updates in this Sync:

mdhsl and others added 30 commits September 24, 2025 18:14
@mdhsl
Update driver to use validTime for feature as a specific column as ts…
4f9843a 
…range indexed column; fix system serialization/deserialization
@mdhsl
Remove useless classes
b0db77c
@mdhsl
Fix wrong selectLastVersionByUidQuery() function for system
bc8fb87
@mdhsl
Do not insert a new system if it already exists: check the uniqueId
31da427
@mdhsl
Fix datastream issues with validTime
c7f91de
@mdhsl
Fix datastreams validTime
4c90585
@mdhsl
Fix issue with non thread safe batchPrepareStatement object; improve …
2cc3779 
…batch mode
@mdhsl
Add FoiFilter to filter Obs and fix PostgisFeature unit tests
3de0277
@mdhsl
Increase timeout and connection max life time
5d47070
@mdhsl
Update driver to use validTime for feature as a specific column as ts…
1b76079 
…range indexed column; fix system serialization/deserialization
@mdhsl
Remove useless classes
d7f2e4e
@mdhsl
Fix wrong selectLastVersionByUidQuery() function for system
f1f1d1c
@mdhsl
Do not insert a new system if it already exists: check the uniqueId
c98b862
@mdhsl
Fix datastream issues with validTime
21e2f9e
@mdhsl
Fix datastreams validTime
ec0a20b
@mdhsl
Fix issue with non thread safe batchPrepareStatement object; improve …
7412f03 
…batch mode
@mdhsl
Add FoiFilter to filter Obs and fix PostgisFeature unit tests
18ff4f5
@mdhsl
Increase timeout and connection max life time
925d872
@earocorn
Update command status serialization for osh-core changes and add inli…
6877aba 
…ne records serialization
@mdhsl
Merge pull request opensensorhub#125 from earocorn/cmd-status-seriali…
94ac11f 
…zation

Update command status serialization for osh-core changes and add inli…
@mdhsl
Fix BigId due to osh-core changes on command API
73d0eb7
@mdhsl
Fix merge
87d4828
@mdhsl
Use config to specify batch mode
2777dd8
@mdhsl
Clear the ThreadSafeBatchExecutor after closing connection
b2b8688
@mdhsl
Fix drop() into Postgis store add Add support for streaming into Feat…
4d41300 
…ureDatabase
@mdhsl
Centralize the use of JDBC connection; add streaming data for OBS, FE…
30f8565 
…ATURE and command; fix blocking connection while executing a DROP request; improve the use of batch
@mdhsl
Add support of obsFilter for FOI queries
cda8bde
@mdhsl
Speed up the batch mode by using addBatch for Feature
9313123
@mdhsl
Change logic when using InnerJoin to add condition directly after the…
a1c9cdd 
… Join instead at the end using WHERE
@mdhsl
Add support for batch removing into obs table; Use validTime into Foi…
6c96e76 
… query to select corresponding query
earocorn and others added 26 commits November 21, 2025 11:03
@earocorn
Upgrade connection pool size to 50. Fix system valid time filter
918a820
@earocorn
Synchronize on all add/put/remove. Query DataStream time ranges in se…
2e45f6c 
…lectEntries
@earocorn
Fix value predicate paging
9cb8030
@earocorn
Remove synchronized methods
754b97e
@earocorn
Use JSONB for obs table and reorder upon deserialization
e9334f9
@earocorn
Remove limit cap when using val predicate
8c41a2d
@earocorn
Add includeMembers filter to UID query
d83e097
@earocorn
Merge master into fix-postgis-commands
aeb59e6
@earocorn
Use cursor-based pagination with phenomenonTime on obs
347b1e0
@earocorn
Fix issue with AsynchronousSocketChannel on Windows
294fdfa
@earocorn
Synchronize and null check in FFmpeg transcoding
81d14db
@earocorn
Update datastream time ranges to use a SQL TRIGGER
915f21c
@earocorn
Add Hikari config
91aa4a9
@earocorn
Add CQL filter to postgis obs store
c6ea923
@earocorn
Update CQL to use @> operator, as well as observed property filter
92235ef
@earocorn
revert datastream query to use jsonb_path_exists
d0846a0
@earocorn
Link obs store to system store
448b993
@earocorn
Revert to ObsIteratorResultSet and fix some query filters
a0b73ee
@earocorn
Revert put() to use update statement
d406d62
@earocorn
Use pgtimestamp instead of date for times
a359156
@earocorn
Limit 1 for select last ID query
56d48bc
@earocorn
Add descending order param to obs queries
fb0e755
@earocorn
Increase socket timeout to 5 minutes
ce66c7f
@earocorn
Fix bug where Vector not serialized properly
1a5fde5
@earocorn
Reduce pool size to 20
c26e214
@github-actions
Auto-sync updates: Security Hardening: Ephemeral CA and Default Crede…
a048c64 
…ntial Removal
This was referenced Mar 10, 2026
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@tyronechrisharris @mdhsl @earocorn @BillBrown341 @alexrobin