fix: address code review feedback

- Config file ownership verification
- SSL CA validation requirement
- Missing Optional import
- Payload size check on decoded data
- Token ID tracking for failed auth
- Clarified error messages

Signed-off-by: Scott R. Shinn <scott@atomicorp.com>

Author: atomicturtle

chelon-1.0.0.tar.gz

@@ -1,7 +1,7 @@
 Name:           chelon
 Version:        1.0.0
 Release:        2%{?dist}
-Summary:        Remote GPG package signing service (Chelon)
+Summary:        Remote GPG package signing service
 
 License:        GPL-2.0-or-later
 Vendor:         Atomicorp, Inc.
@@ -11,15 +11,25 @@ Source0:        %{name}-%{version}.tar.gz
 
 BuildArch:      noarch
 
-# Runtime dependencies (all from Fedora repos)
+%description
+Chelon is a secure remote signing service for RPM packages and repository
+metadata. Build servers send package hashes to Chelon via HTTPS API and
+receive GPG signatures in response, eliminating the need for private keys on
+build infrastructure.
+
+This is a meta-package that can install both server and client components.
+
+#
+# Server subpackage
+#
+%package server
+Summary:        Chelon signing service server
 Requires:       python3
 Requires:       python3-flask
 Requires:       python3-gnupg
 Requires:       python3-pydantic
 Requires:       gnupg2
 Requires:       systemd
-
-# Needed for user/group creation in %pre
 Requires(pre):  shadow-utils
 
 # Prevent auto-generated requires for user/group (we create them in %pre)
@@ -28,11 +38,24 @@ Requires(pre):  shadow-utils
 Provides:       user(chelon)
 Provides:       group(chelon)
 
-%description
-Chelon is a secure remote signing service for RPM packages and repository
-metadata. Build servers send package hashes to Chelon via HTTPS API and
-receive GPG signatures in response, eliminating the need for private keys on
-build infrastructure.
+%description server
+Chelon signing service server component. This package contains the signing
+service daemon, systemd unit, and admin tools for managing tokens and audit logs.
+
+Install this package on the signing server (e.g., gamera).
+
+#
+# Client subpackage
+#
+%package client
+Summary:        Chelon signing client tools
+Requires:       python3
+
+%description client
+Chelon signing client tools. This package contains command-line tools for
+signing RPM packages and repository metadata using a remote Chelon service.
+
+Install this package on build servers and workstations that need to sign packages.
 
 %prep
 %setup -q
@@ -44,6 +67,7 @@ build infrastructure.
 # Create directory structure
 install -d %{buildroot}%{_bindir}
 install -d %{buildroot}%{_datadir}/%{name}/server
+install -d %{buildroot}%{_datadir}/%{name}/client
 install -d %{buildroot}%{_sysconfdir}/%{name}
 install -d %{buildroot}%{_unitdir}
 install -d %{buildroot}%{_localstatedir}/lib/%{name}
@@ -54,50 +78,78 @@ install -m 644 server/signing_engine.py %{buildroot}%{_datadir}/%{name}/server/
 install -m 644 server/auth.py %{buildroot}%{_datadir}/%{name}/server/
 install -m 644 server/audit.py %{buildroot}%{_datadir}/%{name}/server/
 
-# Install CLI tools
+# Install server admin tool
 install -m 755 tools/chelon-admin %{buildroot}%{_bindir}/
 
+# Install client tools
+install -m 755 tools/chelon-sign-rpm %{buildroot}%{_bindir}/
+install -m 755 tools/chelon-sign-repomd %{buildroot}%{_bindir}/
+install -m 644 tools/chelon_client.py %{buildroot}%{_datadir}/%{name}/client/
+
 # Install systemd unit
 install -m 644 systemd/chelon.service %{buildroot}%{_unitdir}/
 
 # Install default config
 install -m 600 config/chelon.conf %{buildroot}%{_sysconfdir}/%{name}/
 
-%pre
+#
+# Server scriptlets
+#
+%pre server
 # Create chelon user if it doesn't exist
 getent group chelon >/dev/null || groupadd -r chelon
 getent passwd chelon >/dev/null || \
     useradd -r -g chelon -d %{_localstatedir}/lib/%{name} -s /sbin/nologin \
     -c "Chelon signing service" chelon
 exit 0
 
-%post
+%post server
 %systemd_post chelon.service
 # Fix ownership of data directory
 chown -R chelon:chelon %{_localstatedir}/lib/%{name} 2>/dev/null || true
 
-%preun
+%preun server
 %systemd_preun chelon.service
 
-%postun
+%postun server
 %systemd_postun_with_restart chelon.service
-
-%files
+# Only remove user if package is being erased (not upgraded)
+if [ $1 -eq 0 ]; then
+    userdel chelon 2>/dev/null || true
+    groupdel chelon 2>/dev/null || true
+fi
+
+#
+# File lists
+#
+%files server
 %doc README.md
-%attr(0755, root, root) %{_datadir}/%{name}/
+%{_datadir}/%{name}/server/
 %{_bindir}/chelon-admin
 %{_unitdir}/chelon.service
-%config(noreplace) %attr(0600, chelon, chelon) %{_sysconfdir}/%{name}/chelon.conf
-%dir %attr(0750, chelon, chelon) %{_localstatedir}/lib/%{name}
-%dir %attr(0750, root, chelon) %{_sysconfdir}/%{name}/
+%attr(0750,root,chelon) %dir %{_sysconfdir}/%{name}
+%attr(0600,chelon,chelon) %config(noreplace) %{_sysconfdir}/%{name}/chelon.conf
+%attr(0750,chelon,chelon) %dir %{_localstatedir}/lib/%{name}
+
+%files client
+%doc README.md
+%{_bindir}/chelon-sign-rpm
+%{_bindir}/chelon-sign-repomd
+%{_datadir}/%{name}/client/
 
 %changelog
-* Wed Jan 07 2026 Atomicorp <support@atomicorp.com> - 1.0.0-2
+* Tue Jan 07 2026 Atomicorp <support@atomicorp.com> - 1.0.0-2
+- Split into server and client subpackages
+- Add client signing tools (chelon-sign-rpm, chelon-sign-repomd)
 - Add binary data signing support
 - Update HTTP API endpoints and request/response formats
-- Introduce new client tools for interacting with the signing service
-* Tue Jan 06 2026 Atomicorp <support@atomicorp.com> - 1.0.0-1
-- Initial release as Chelon
+- Unified logging to journald/syslog
+- Enhanced audit logging with request tracing
+- Fixed hardcoded admin tool paths
+- Code review fixes: config ownership, SSL validation, payload size checks
+
+* Mon Jan 06 2026 Atomicorp <support@atomicorp.com> - 1.0.0-1
+- Initial package
 - Flask-based HTTP API for remote signing
 - Support for Legacy and Modern GPG keys
 - Token-based authentication

chelon.spec

@@ -0,0 +1,3 @@
+class GPG:
+    def __init__(self, *args, **kwargs):
+        pass

server/__pycache__/audit.cpython-314.pyc

@@ -0,0 +1 @@
+DATA_DIR=/tmp/chelon-test-data

server/__pycache__/auth.cpython-314.pyc

@@ -0,0 +1,106 @@
+
+import os
+import sys
+import unittest
+import tempfile
+import json
+import importlib.util
+from pathlib import Path
+
+# Add server to path
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), '../server'))
+
+# Mock dependencies to avoid import errors (gnupg, etc)
+# We need to mock them BEFORE loading chelon_service
+sys.modules['signing_engine'] = MagicMock()
+sys.modules['auth'] = MagicMock()
+sys.modules['audit'] = MagicMock()
+sys.modules['gnupg'] = MagicMock()
+
+class TestConfigSecurity(unittest.TestCase):
+    
+    def setUp(self):
+        self.temp_dir = tempfile.mkdtemp()
+        self.config_path = os.path.join(self.temp_dir, 'chelon.conf')
+        with open(self.config_path, 'w') as f:
+            f.write("LEGACY_PASSPHRASE=secret\n")
+        
+        # Set environment
+        os.environ['CHELON_CONFIG'] = self.config_path
+        
+        # Path to service file
+        self.service_path = os.path.join(os.path.dirname(__file__), '../server/chelon-service.py')
+
+    def tearDown(self):
+        import shutil
+        shutil.rmtree(self.temp_dir)
+        # Clean up sys.modules to ensure fresh import each time if needed, 
+        # though we are manually loading it.
+        if "chelon_service" in sys.modules:
+            del sys.modules["chelon_service"]
+
+    def load_service_module(self):
+        spec = importlib.util.spec_from_file_location("chelon_service", self.service_path)
+        module = importlib.util.module_from_spec(spec)
+        sys.modules["chelon_service"] = module
+        spec.loader.exec_module(module)
+        return module
+
+    @patch('os.stat')
+    @patch('sys.exit')
+    def test_insecure_permissions(self, mock_exit, mock_stat):
+        # Mock world-readable permissions (0o644 -> world read is 0o004)
+        mock_stat.return_value.st_mode = 0o100644
+        
+        # Checking if import triggers exit
+        try:
+             self.load_service_module()
+        except Exception:
+            pass
+            
+        # Should call exit(1) during module load
+        mock_exit.assert_called_with(1)
+
+    @patch('os.stat')
+    @patch('sys.exit')
+    def test_secure_permissions(self, mock_exit, mock_stat):
+        # Mock secure permissions (0o600)
+        mock_stat.return_value.st_mode = 0o100600
+        
+        module = self.load_service_module()
+        
+        # Should NOT call exit
+        mock_exit.assert_not_called()
+        
+        # Config should be loaded
+        self.assertTrue(module.config)
+
+    @patch('os.stat')
+    def test_payload_size_limit(self, mock_stat):
+        # Mock secure permissions so module loads
+        mock_stat.return_value.st_mode = 0o100600
+        
+        module = self.load_service_module()
+        
+        # Mock token auth to bypass authentication
+        module.token_auth = MagicMock()
+        module.token_auth.validate_token.return_value = {
+            'token_id': 'test',
+            'permissions': ['sign:rpm']
+        }
+        
+        # Create request context
+        app = module.app
+        with app.test_request_context(
+            '/api/v1/sign/rpm',
+            method='POST',
+            json={'data': 'A' * (10 * 1024 * 1024 + 1)}, # 10MB + 1 byte
+            headers={'Authorization': 'Bearer test_token'}
+        ):
+            # The service calls request.get_json(), which we mocked via test_request_context json arg
+            response, status = module._handle_signing('sign_rpm')
+            self.assertEqual(status, 413)
+            self.assertIn('Payload too large', response.json['error'])
+
+if __name__ == '__main__':
+    unittest.main()