chore: align slurp config and scaffolding

anthonyrawlins
2025-09-27 21:03:12 +10:00
parent acc4361463
commit 4a77862289
47 changed files with 5133 additions and 4274 deletions


@@ -20,22 +20,22 @@ import (
// SecurityManager handles all security aspects of the distributed system
type SecurityManager struct {
mu sync.RWMutex
config *config.Config
tlsConfig *TLSConfig
authManager *AuthenticationManager
authzManager *AuthorizationManager
auditLogger *SecurityAuditLogger
nodeAuth *NodeAuthentication
encryption *DistributionEncryption
certificateAuth *CertificateAuthority
mu sync.RWMutex
config *config.Config
tlsConfig *TLSConfig
authManager *AuthenticationManager
authzManager *AuthorizationManager
auditLogger *SecurityAuditLogger
nodeAuth *NodeAuthentication
encryption *DistributionEncryption
certificateAuth *CertificateAuthority
// Security state
trustedNodes map[string]*TrustedNode
activeSessions map[string]*SecuritySession
securityPolicies map[string]*SecurityPolicy
threatDetector *ThreatDetector
trustedNodes map[string]*TrustedNode
activeSessions map[string]*SecuritySession
securityPolicies map[string]*SecurityPolicy
threatDetector *ThreatDetector
// Configuration
tlsEnabled bool
mutualTLSEnabled bool
@@ -45,28 +45,28 @@ type SecurityManager struct {
// TLSConfig manages TLS configuration for secure communications
type TLSConfig struct {
ServerConfig *tls.Config
ClientConfig *tls.Config
CertificatePath string
PrivateKeyPath string
CAPath string
MinTLSVersion uint16
CipherSuites []uint16
CurvePreferences []tls.CurveID
ClientAuth tls.ClientAuthType
VerifyConnection func(tls.ConnectionState) error
ServerConfig *tls.Config
ClientConfig *tls.Config
CertificatePath string
PrivateKeyPath string
CAPath string
MinTLSVersion uint16
CipherSuites []uint16
CurvePreferences []tls.CurveID
ClientAuth tls.ClientAuthType
VerifyConnection func(tls.ConnectionState) error
}
// AuthenticationManager handles node and user authentication
type AuthenticationManager struct {
mu sync.RWMutex
providers map[string]AuthProvider
tokenValidator TokenValidator
sessionManager *SessionManager
multiFactorAuth *MultiFactorAuth
credentialStore *CredentialStore
loginAttempts map[string]*LoginAttempts
authPolicies map[string]*AuthPolicy
mu sync.RWMutex
providers map[string]AuthProvider
tokenValidator TokenValidator
sessionManager *SessionManager
multiFactorAuth *MultiFactorAuth
credentialStore *CredentialStore
loginAttempts map[string]*LoginAttempts
authPolicies map[string]*AuthPolicy
}
// AuthProvider interface for different authentication methods
@@ -80,14 +80,14 @@ type AuthProvider interface {
// Credentials represents authentication credentials
type Credentials struct {
Type CredentialType `json:"type"`
Username string `json:"username,omitempty"`
Password string `json:"password,omitempty"`
Token string `json:"token,omitempty"`
Certificate *x509.Certificate `json:"certificate,omitempty"`
Signature []byte `json:"signature,omitempty"`
Challenge string `json:"challenge,omitempty"`
Metadata map[string]interface{} `json:"metadata,omitempty"`
Type CredentialType `json:"type"`
Username string `json:"username,omitempty"`
Password string `json:"password,omitempty"`
Token string `json:"token,omitempty"`
Certificate *x509.Certificate `json:"certificate,omitempty"`
Signature []byte `json:"signature,omitempty"`
Challenge string `json:"challenge,omitempty"`
Metadata map[string]interface{} `json:"metadata,omitempty"`
}
// CredentialType represents different types of credentials
@@ -104,15 +104,15 @@ const (
// AuthResult represents the result of authentication
type AuthResult struct {
Success bool `json:"success"`
UserID string `json:"user_id"`
Roles []string `json:"roles"`
Permissions []string `json:"permissions"`
TokenPair *TokenPair `json:"token_pair"`
SessionID string `json:"session_id"`
ExpiresAt time.Time `json:"expires_at"`
Metadata map[string]interface{} `json:"metadata"`
FailureReason string `json:"failure_reason,omitempty"`
Success bool `json:"success"`
UserID string `json:"user_id"`
Roles []string `json:"roles"`
Permissions []string `json:"permissions"`
TokenPair *TokenPair `json:"token_pair"`
SessionID string `json:"session_id"`
ExpiresAt time.Time `json:"expires_at"`
Metadata map[string]interface{} `json:"metadata"`
FailureReason string `json:"failure_reason,omitempty"`
}
// TokenPair represents access and refresh tokens
@@ -140,13 +140,13 @@ type TokenClaims struct {
// AuthorizationManager handles authorization and access control
type AuthorizationManager struct {
mu sync.RWMutex
policyEngine PolicyEngine
rbacManager *RBACManager
aclManager *ACLManager
resourceManager *ResourceManager
permissionCache *PermissionCache
authzPolicies map[string]*AuthorizationPolicy
mu sync.RWMutex
policyEngine PolicyEngine
rbacManager *RBACManager
aclManager *ACLManager
resourceManager *ResourceManager
permissionCache *PermissionCache
authzPolicies map[string]*AuthorizationPolicy
}
// PolicyEngine interface for policy evaluation
@@ -168,13 +168,13 @@ type AuthorizationRequest struct {
// AuthorizationResult represents the result of authorization
type AuthorizationResult struct {
Decision AuthorizationDecision `json:"decision"`
Reason string `json:"reason"`
Policies []string `json:"applied_policies"`
Conditions []string `json:"conditions"`
TTL time.Duration `json:"ttl"`
Metadata map[string]interface{} `json:"metadata"`
EvaluationTime time.Duration `json:"evaluation_time"`
Decision AuthorizationDecision `json:"decision"`
Reason string `json:"reason"`
Policies []string `json:"applied_policies"`
Conditions []string `json:"conditions"`
TTL time.Duration `json:"ttl"`
Metadata map[string]interface{} `json:"metadata"`
EvaluationTime time.Duration `json:"evaluation_time"`
}
// AuthorizationDecision represents authorization decisions
@@ -188,13 +188,13 @@ const (
// SecurityAuditLogger handles security event logging
type SecurityAuditLogger struct {
mu sync.RWMutex
loggers []SecurityLogger
eventBuffer []*SecurityEvent
alertManager *SecurityAlertManager
compliance *ComplianceManager
retention *AuditRetentionPolicy
enabled bool
mu sync.RWMutex
loggers []SecurityLogger
eventBuffer []*SecurityEvent
alertManager *SecurityAlertManager
compliance *ComplianceManager
retention *AuditRetentionPolicy
enabled bool
}
// SecurityLogger interface for security event logging
@@ -206,22 +206,22 @@ type SecurityLogger interface {
// SecurityEvent represents a security event
type SecurityEvent struct {
EventID string `json:"event_id"`
EventType SecurityEventType `json:"event_type"`
Severity SecuritySeverity `json:"severity"`
Timestamp time.Time `json:"timestamp"`
UserID string `json:"user_id,omitempty"`
NodeID string `json:"node_id,omitempty"`
Resource string `json:"resource,omitempty"`
Action string `json:"action,omitempty"`
Result string `json:"result"`
Message string `json:"message"`
Details map[string]interface{} `json:"details"`
IPAddress string `json:"ip_address,omitempty"`
UserAgent string `json:"user_agent,omitempty"`
SessionID string `json:"session_id,omitempty"`
RequestID string `json:"request_id,omitempty"`
Fingerprint string `json:"fingerprint"`
EventID string `json:"event_id"`
EventType SecurityEventType `json:"event_type"`
Severity SecuritySeverity `json:"severity"`
Timestamp time.Time `json:"timestamp"`
UserID string `json:"user_id,omitempty"`
NodeID string `json:"node_id,omitempty"`
Resource string `json:"resource,omitempty"`
Action string `json:"action,omitempty"`
Result string `json:"result"`
Message string `json:"message"`
Details map[string]interface{} `json:"details"`
IPAddress string `json:"ip_address,omitempty"`
UserAgent string `json:"user_agent,omitempty"`
SessionID string `json:"session_id,omitempty"`
RequestID string `json:"request_id,omitempty"`
Fingerprint string `json:"fingerprint"`
}
// SecurityEventType represents different types of security events
@@ -242,12 +242,12 @@ const (
type SecuritySeverity string
const (
SeverityDebug SecuritySeverity = "debug"
SeverityInfo SecuritySeverity = "info"
SeverityWarning SecuritySeverity = "warning"
SeverityError SecuritySeverity = "error"
SeverityCritical SecuritySeverity = "critical"
SeverityAlert SecuritySeverity = "alert"
SecuritySeverityDebug SecuritySeverity = "debug"
SecuritySeverityInfo SecuritySeverity = "info"
SecuritySeverityWarning SecuritySeverity = "warning"
SecuritySeverityError SecuritySeverity = "error"
SecuritySeverityCritical SecuritySeverity = "critical"
SecuritySeverityAlert SecuritySeverity = "alert"
)
// NodeAuthentication handles node-to-node authentication
@@ -262,16 +262,16 @@ type NodeAuthentication struct {
// TrustedNode represents a trusted node in the network
type TrustedNode struct {
NodeID string `json:"node_id"`
PublicKey []byte `json:"public_key"`
Certificate *x509.Certificate `json:"certificate"`
Roles []string `json:"roles"`
Capabilities []string `json:"capabilities"`
TrustLevel TrustLevel `json:"trust_level"`
LastSeen time.Time `json:"last_seen"`
VerifiedAt time.Time `json:"verified_at"`
Metadata map[string]interface{} `json:"metadata"`
Status NodeStatus `json:"status"`
NodeID string `json:"node_id"`
PublicKey []byte `json:"public_key"`
Certificate *x509.Certificate `json:"certificate"`
Roles []string `json:"roles"`
Capabilities []string `json:"capabilities"`
TrustLevel TrustLevel `json:"trust_level"`
LastSeen time.Time `json:"last_seen"`
VerifiedAt time.Time `json:"verified_at"`
Metadata map[string]interface{} `json:"metadata"`
Status NodeStatus `json:"status"`
}
// TrustLevel represents the trust level of a node
@@ -287,18 +287,18 @@ const (
// SecuritySession represents an active security session
type SecuritySession struct {
SessionID string `json:"session_id"`
UserID string `json:"user_id"`
NodeID string `json:"node_id"`
Roles []string `json:"roles"`
Permissions []string `json:"permissions"`
CreatedAt time.Time `json:"created_at"`
ExpiresAt time.Time `json:"expires_at"`
LastActivity time.Time `json:"last_activity"`
IPAddress string `json:"ip_address"`
UserAgent string `json:"user_agent"`
Metadata map[string]interface{} `json:"metadata"`
Status SessionStatus `json:"status"`
SessionID string `json:"session_id"`
UserID string `json:"user_id"`
NodeID string `json:"node_id"`
Roles []string `json:"roles"`
Permissions []string `json:"permissions"`
CreatedAt time.Time `json:"created_at"`
ExpiresAt time.Time `json:"expires_at"`
LastActivity time.Time `json:"last_activity"`
IPAddress string `json:"ip_address"`
UserAgent string `json:"user_agent"`
Metadata map[string]interface{} `json:"metadata"`
Status SessionStatus `json:"status"`
}
// SessionStatus represents session status
@@ -313,61 +313,61 @@ const (
// ThreatDetector detects security threats and anomalies
type ThreatDetector struct {
mu sync.RWMutex
detectionRules []*ThreatDetectionRule
behaviorAnalyzer *BehaviorAnalyzer
anomalyDetector *AnomalyDetector
threatIntelligence *ThreatIntelligence
activeThreats map[string]*ThreatEvent
mu sync.RWMutex
detectionRules []*ThreatDetectionRule
behaviorAnalyzer *BehaviorAnalyzer
anomalyDetector *AnomalyDetector
threatIntelligence *ThreatIntelligence
activeThreats map[string]*ThreatEvent
mitigationStrategies map[ThreatType]*MitigationStrategy
}
// ThreatDetectionRule represents a threat detection rule
type ThreatDetectionRule struct {
RuleID string `json:"rule_id"`
Name string `json:"name"`
Description string `json:"description"`
ThreatType ThreatType `json:"threat_type"`
Severity SecuritySeverity `json:"severity"`
Conditions []*ThreatCondition `json:"conditions"`
Actions []*ThreatAction `json:"actions"`
Enabled bool `json:"enabled"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
Metadata map[string]interface{} `json:"metadata"`
RuleID string `json:"rule_id"`
Name string `json:"name"`
Description string `json:"description"`
ThreatType ThreatType `json:"threat_type"`
Severity SecuritySeverity `json:"severity"`
Conditions []*ThreatCondition `json:"conditions"`
Actions []*ThreatAction `json:"actions"`
Enabled bool `json:"enabled"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
Metadata map[string]interface{} `json:"metadata"`
}
// ThreatType represents different types of threats
type ThreatType string
const (
ThreatTypeBruteForce ThreatType = "brute_force"
ThreatTypeUnauthorized ThreatType = "unauthorized_access"
ThreatTypeDataExfiltration ThreatType = "data_exfiltration"
ThreatTypeDoS ThreatType = "denial_of_service"
ThreatTypeBruteForce ThreatType = "brute_force"
ThreatTypeUnauthorized ThreatType = "unauthorized_access"
ThreatTypeDataExfiltration ThreatType = "data_exfiltration"
ThreatTypeDoS ThreatType = "denial_of_service"
ThreatTypePrivilegeEscalation ThreatType = "privilege_escalation"
ThreatTypeAnomalous ThreatType = "anomalous_behavior"
ThreatTypeMaliciousCode ThreatType = "malicious_code"
ThreatTypeInsiderThreat ThreatType = "insider_threat"
ThreatTypeAnomalous ThreatType = "anomalous_behavior"
ThreatTypeMaliciousCode ThreatType = "malicious_code"
ThreatTypeInsiderThreat ThreatType = "insider_threat"
)
// CertificateAuthority manages certificate generation and validation
type CertificateAuthority struct {
mu sync.RWMutex
rootCA *x509.Certificate
rootKey interface{}
intermediateCA *x509.Certificate
mu sync.RWMutex
rootCA *x509.Certificate
rootKey interface{}
intermediateCA *x509.Certificate
intermediateKey interface{}
certStore *CertificateStore
crlManager *CRLManager
ocspResponder *OCSPResponder
certStore *CertificateStore
crlManager *CRLManager
ocspResponder *OCSPResponder
}
// DistributionEncryption handles encryption for distributed communications
type DistributionEncryption struct {
mu sync.RWMutex
keyManager *DistributionKeyManager
encryptionSuite *EncryptionSuite
mu sync.RWMutex
keyManager *DistributionKeyManager
encryptionSuite *EncryptionSuite
keyRotationPolicy *KeyRotationPolicy
encryptionMetrics *EncryptionMetrics
}
@@ -379,13 +379,13 @@ func NewSecurityManager(config *config.Config) (*SecurityManager, error) {
}
sm := &SecurityManager{
config: config,
trustedNodes: make(map[string]*TrustedNode),
activeSessions: make(map[string]*SecuritySession),
securityPolicies: make(map[string]*SecurityPolicy),
tlsEnabled: true,
mutualTLSEnabled: true,
auditingEnabled: true,
config: config,
trustedNodes: make(map[string]*TrustedNode),
activeSessions: make(map[string]*SecuritySession),
securityPolicies: make(map[string]*SecurityPolicy),
tlsEnabled: true,
mutualTLSEnabled: true,
auditingEnabled: true,
encryptionEnabled: true,
}
@@ -508,12 +508,12 @@ func (sm *SecurityManager) Authenticate(ctx context.Context, credentials *Creden
// Log authentication attempt
sm.logSecurityEvent(ctx, &SecurityEvent{
EventType: EventTypeAuthentication,
Severity: SeverityInfo,
Severity: SecuritySeverityInfo,
Action: "authenticate",
Message: "Authentication attempt",
Details: map[string]interface{}{
"credential_type": credentials.Type,
"username": credentials.Username,
"username": credentials.Username,
},
})
@@ -525,7 +525,7 @@ func (sm *SecurityManager) Authorize(ctx context.Context, request *Authorization
// Log authorization attempt
sm.logSecurityEvent(ctx, &SecurityEvent{
EventType: EventTypeAuthorization,
Severity: SeverityInfo,
Severity: SecuritySeverityInfo,
UserID: request.UserID,
Resource: request.Resource,
Action: request.Action,
@@ -554,7 +554,7 @@ func (sm *SecurityManager) ValidateNodeIdentity(ctx context.Context, nodeID stri
// Log successful validation
sm.logSecurityEvent(ctx, &SecurityEvent{
EventType: EventTypeAuthentication,
Severity: SeverityInfo,
Severity: SecuritySeverityInfo,
NodeID: nodeID,
Action: "validate_node_identity",
Result: "success",
@@ -609,7 +609,7 @@ func (sm *SecurityManager) AddTrustedNode(ctx context.Context, node *TrustedNode
// Log node addition
sm.logSecurityEvent(ctx, &SecurityEvent{
EventType: EventTypeConfiguration,
Severity: SeverityInfo,
Severity: SecuritySeverityInfo,
NodeID: node.NodeID,
Action: "add_trusted_node",
Result: "success",
@@ -649,7 +649,7 @@ func (sm *SecurityManager) loadOrGenerateCertificate() (*tls.Certificate, error)
func (sm *SecurityManager) generateSelfSignedCertificate() ([]byte, []byte, error) {
// Generate a self-signed certificate for development/testing
// In production, use proper CA-signed certificates
template := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
@@ -660,11 +660,11 @@ func (sm *SecurityManager) generateSelfSignedCertificate() ([]byte, []byte, erro
StreetAddress: []string{""},
PostalCode: []string{""},
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(365 * 24 * time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
NotBefore: time.Now(),
NotAfter: time.Now().Add(365 * 24 * time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
}
// This is a simplified implementation
@@ -765,8 +765,8 @@ func NewDistributionEncryption(config *config.Config) (*DistributionEncryption,
func NewThreatDetector(config *config.Config) (*ThreatDetector, error) {
return &ThreatDetector{
detectionRules: []*ThreatDetectionRule{},
activeThreats: make(map[string]*ThreatEvent),
detectionRules: []*ThreatDetectionRule{},
activeThreats: make(map[string]*ThreatEvent),
mitigationStrategies: make(map[ThreatType]*MitigationStrategy),
}, nil
}
@@ -831,4 +831,4 @@ type OCSPResponder struct{}
type DistributionKeyManager struct{}
type EncryptionSuite struct{}
type KeyRotationPolicy struct{}
type EncryptionMetrics struct{}
type EncryptionMetrics struct{}