feat(config): add security feature toggle support
Implements a master toggle for security features across config, CLI, and application logic. This allows granular control over whether the advanced security middleware and protections are active globally.
This commit is contained in:
@@ -1,6 +1,7 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"path/filepath"
|
||||
@@ -27,14 +28,24 @@ type adminSecurityActionRequest struct {
|
||||
BanUntil string `json:"ban_until"`
|
||||
}
|
||||
|
||||
func (app *App) reloadSecurityConfig() {
|
||||
func (app *App) reloadSecurityConfig() error {
|
||||
if app == nil || app.config == nil {
|
||||
return fmt.Errorf("app or config is nil")
|
||||
}
|
||||
if !app.securityFeaturesEnabled() {
|
||||
if app.securityGuard != nil {
|
||||
_ = app.securityGuard.Close()
|
||||
}
|
||||
app.securityGuard = nil
|
||||
return nil
|
||||
}
|
||||
if app.securityGuard == nil {
|
||||
app.securityGuard = security.NewGuard()
|
||||
}
|
||||
if app.config != nil {
|
||||
_ = app.securityGuard.EnableBanPersistence(filepath.Join(app.config.DBDir, "bans.badger"))
|
||||
if err := app.securityGuard.EnableBanPersistence(filepath.Join(app.config.DBDir, "bans.badger")); err != nil {
|
||||
return fmt.Errorf("enable ban persistence: %w", err)
|
||||
}
|
||||
_ = app.securityGuard.Reload(security.Config{
|
||||
if err := app.securityGuard.Reload(security.Config{
|
||||
IPWhitelist: app.config.SecurityIPWhitelist,
|
||||
AdminIPWhitelist: app.config.SecurityAdminIPWhitelist,
|
||||
LoginWindowSeconds: app.config.SecurityLoginWindowSeconds,
|
||||
@@ -45,7 +56,14 @@ func (app *App) reloadSecurityConfig() {
|
||||
UploadWindowSeconds: app.config.SecurityUploadWindowSeconds,
|
||||
UploadMaxRequests: app.config.SecurityUploadMaxRequests,
|
||||
UploadMaxBytes: app.config.SecurityUploadMaxBytes,
|
||||
})
|
||||
}); err != nil {
|
||||
return fmt.Errorf("reload guard config: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (app *App) securityFeaturesEnabled() bool {
|
||||
return app != nil && app.config != nil && app.config.SecurityEnabled
|
||||
}
|
||||
|
||||
func (app *App) logActivity(kind string, severity string, message string, ctx *gin.Context, meta map[string]string) {
|
||||
@@ -85,6 +103,10 @@ func (app *App) createAlert(title string, severity string, group string, code st
|
||||
|
||||
func (app *App) securityMiddleware() gin.HandlerFunc {
|
||||
return func(ctx *gin.Context) {
|
||||
if !app.securityFeaturesEnabled() {
|
||||
ctx.Next()
|
||||
return
|
||||
}
|
||||
if app.securityGuard == nil {
|
||||
ctx.Next()
|
||||
return
|
||||
@@ -104,6 +126,10 @@ func (app *App) securityMiddleware() gin.HandlerFunc {
|
||||
}
|
||||
|
||||
func (app *App) handleNoRoute(ctx *gin.Context) {
|
||||
if !app.securityFeaturesEnabled() {
|
||||
ctx.JSON(http.StatusNotFound, gin.H{"error": "Not found"})
|
||||
return
|
||||
}
|
||||
if app.securityGuard == nil {
|
||||
ctx.JSON(http.StatusNotFound, gin.H{"error": "Not found"})
|
||||
return
|
||||
@@ -148,6 +174,10 @@ func (app *App) handleAdminActivity(ctx *gin.Context) {
|
||||
}
|
||||
|
||||
func (app *App) handleAdminSecurity(ctx *gin.Context) {
|
||||
if !app.securityFeaturesEnabled() {
|
||||
ctx.String(http.StatusNotFound, "Security features are disabled")
|
||||
return
|
||||
}
|
||||
events := []activity.Event{}
|
||||
alertsList := []alerts.Alert{}
|
||||
if app.activityStore != nil {
|
||||
@@ -215,6 +245,10 @@ func (app *App) recordManualBanAction(ctx *gin.Context, kind string, message str
|
||||
}
|
||||
|
||||
func (app *App) handleAdminSecurityAction(ctx *gin.Context) {
|
||||
if !app.securityFeaturesEnabled() {
|
||||
ctx.JSON(http.StatusNotFound, gin.H{"error": "Security features are disabled"})
|
||||
return
|
||||
}
|
||||
if app.securityGuard == nil {
|
||||
ctx.JSON(http.StatusInternalServerError, gin.H{"error": "Security guard unavailable"})
|
||||
return
|
||||
|
||||
Reference in New Issue
Block a user