4756348c48
Add security hardening features for worker execution: - Worker config with sandboxing options (network_mode, read_only, secrets) - Execution setup with security context propagation - Podman container runtime security enhancements - Security configuration management in config package - Add homelab-sandbox.yaml example configuration Supports running jobs in isolated, restricted environments.
103 lines
2.9 KiB
Go
103 lines
2.9 KiB
Go
package config
|
|
|
|
import (
|
|
"fmt"
|
|
"time"
|
|
)
|
|
|
|
// SecurityConfig holds security-related configuration
|
|
type SecurityConfig struct {
|
|
// AllowedOrigins lists the allowed origins for WebSocket connections
|
|
// Empty list defaults to localhost-only in production mode
|
|
AllowedOrigins []string `yaml:"allowed_origins"`
|
|
|
|
// ProductionMode enables strict security checks
|
|
ProductionMode bool `yaml:"production_mode"`
|
|
|
|
// APIKeyRotationDays is the number of days before API keys should be rotated
|
|
APIKeyRotationDays int `yaml:"api_key_rotation_days"`
|
|
|
|
// AuditLogging configuration
|
|
AuditLogging AuditLoggingConfig `yaml:"audit_logging"`
|
|
|
|
// IPWhitelist for additional connection filtering
|
|
IPWhitelist []string `yaml:"ip_whitelist"`
|
|
}
|
|
|
|
// AuditLoggingConfig holds audit logging configuration
|
|
type AuditLoggingConfig struct {
|
|
Enabled bool `yaml:"enabled"`
|
|
LogPath string `yaml:"log_path"`
|
|
}
|
|
|
|
// PrivacyConfig holds privacy enforcement configuration
|
|
type PrivacyConfig struct {
|
|
Enabled bool `yaml:"enabled"`
|
|
DefaultLevel string `yaml:"default_level"` // private, team, public, anonymized
|
|
EnforceTeams bool `yaml:"enforce_teams"`
|
|
AuditAccess bool `yaml:"audit_access"`
|
|
}
|
|
|
|
// Validate checks privacy configuration
|
|
func (p *PrivacyConfig) Validate() error {
|
|
if !p.Enabled {
|
|
return nil
|
|
}
|
|
validLevels := map[string]bool{"private": true, "team": true, "public": true, "anonymized": true}
|
|
if p.DefaultLevel != "" && !validLevels[p.DefaultLevel] {
|
|
return fmt.Errorf("invalid default privacy level: %s", p.DefaultLevel)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// MonitoringConfig holds monitoring-related configuration
|
|
type MonitoringConfig struct {
|
|
Prometheus PrometheusConfig `yaml:"prometheus"`
|
|
HealthChecks HealthChecksConfig `yaml:"health_checks"`
|
|
}
|
|
|
|
// PrometheusConfig holds Prometheus metrics configuration
|
|
type PrometheusConfig struct {
|
|
Enabled bool `yaml:"enabled"`
|
|
Port int `yaml:"port"`
|
|
Path string `yaml:"path"`
|
|
}
|
|
|
|
// HealthChecksConfig holds health check configuration
|
|
type HealthChecksConfig struct {
|
|
Enabled bool `yaml:"enabled"`
|
|
Interval time.Duration `yaml:"interval"`
|
|
}
|
|
|
|
// Validate validates the security configuration
|
|
func (s *SecurityConfig) Validate() error {
|
|
if s.ProductionMode {
|
|
if len(s.AllowedOrigins) == 0 {
|
|
return fmt.Errorf("production_mode requires at least one allowed_origin")
|
|
}
|
|
}
|
|
|
|
if s.APIKeyRotationDays < 0 {
|
|
return fmt.Errorf("api_key_rotation_days must be positive")
|
|
}
|
|
|
|
if s.AuditLogging.Enabled && s.AuditLogging.LogPath == "" {
|
|
return fmt.Errorf("audit_logging enabled but log_path not set")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Validate validates the monitoring configuration
|
|
func (m *MonitoringConfig) Validate() error {
|
|
if m.Prometheus.Enabled {
|
|
if m.Prometheus.Port <= 0 || m.Prometheus.Port > 65535 {
|
|
return fmt.Errorf("prometheus port must be between 1 and 65535")
|
|
}
|
|
if m.Prometheus.Path == "" {
|
|
m.Prometheus.Path = "/metrics" // Default
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|