tidy up documentation for alpha release

2026-01-04 13:19:40 +07:00
parent 2bb64620d4
commit 70d25e13b8
20 changed files with 4415 additions and 0 deletions
--- a/docs/alpha/sds/SDS-04-Security-Design.md
+++ b/docs/alpha/sds/SDS-04-Security-Design.md
@@ -0,0 +1,224 @@
+# SDS-04: Security Design
+
+## 1. Security Overview
+
+### 1.1 Security Principles
+- **Defense in Depth**: Multiple layers of security
+- **Principle of Least Privilege**: Minimum required permissions
+- **Secure by Default**: Secure default configurations
+- **Input Validation**: Validate all inputs
+- **Output Encoding**: Encode all outputs
+
+## 2. Authentication
+
+### 2.1 Authentication Method
+- **JWT Tokens**: JSON Web Tokens for stateless authentication
+- **Token Expiration**: Configurable expiration time
+- **Token Refresh**: Refresh token mechanism (future)
+
+### 2.2 Password Security
+- **Hashing**: bcrypt with cost factor 10
+- **Password Requirements**: Minimum length, complexity
+- **Password Storage**: Hashed passwords only, never plaintext
+
+### 2.3 Session Management
+- **Stateless**: No server-side session storage
+- **Token Storage**: Secure storage in frontend (localStorage/sessionStorage)
+- **Token Validation**: Validate on every request
+
+## 3. Authorization
+
+### 3.1 Role-Based Access Control (RBAC)
+- **Roles**: Admin, Operator, ReadOnly
+- **Permissions**: Resource-based permissions (storage:read, storage:write)
+- **Role Assignment**: Users assigned to roles
+- **Permission Inheritance**: Permissions inherited from roles
+
+### 3.2 Permission Model
+```
+Resource:Action
+Examples:
+- storage:read
+- storage:write
+- iscsi:read
+- iscsi:write
+- backup:read
+- backup:write
+- system:read
+- system:write
+```
+
+### 3.3 Permission Checking
+- **Middleware**: Permission middleware checks on protected routes
+- **Handler Level**: Additional checks in handlers if needed
+- **Service Level**: Business logic permission checks
+
+## 4. Input Validation
+
+### 4.1 Validation Layers
+1. **Frontend**: Client-side validation
+2. **Handler**: Request validation
+3. **Service**: Business logic validation
+4. **Database**: Constraint validation
+
+### 4.2 Validation Rules
+- **Required Fields**: Check for required fields
+- **Type Validation**: Validate data types
+- **Format Validation**: Validate formats (email, IP, etc.)
+- **Range Validation**: Validate numeric ranges
+- **Length Validation**: Validate string lengths
+
+### 4.3 SQL Injection Prevention
+- **Parameterized Queries**: Use parameterized queries only
+- **No String Concatenation**: Never concatenate SQL strings
+- **Input Sanitization**: Sanitize all inputs
+
+## 5. Output Encoding
+
+### 5.1 XSS Prevention
+- **HTML Encoding**: Encode HTML in responses
+- **JSON Encoding**: Proper JSON encoding
+- **Content Security Policy**: CSP headers
+
+### 5.2 Response Headers
+```
+Content-Security-Policy: default-src 'self'
+X-Content-Type-Options: nosniff
+X-Frame-Options: DENY
+X-XSS-Protection: 1; mode=block
+```
+
+## 6. HTTPS & TLS
+
+### 6.1 TLS Configuration
+- **TLS Version**: TLS 1.2 minimum
+- **Cipher Suites**: Strong cipher suites only
+- **Certificate**: Valid SSL certificate
+
+### 6.2 HTTPS Enforcement
+- **Redirect HTTP to HTTPS**: Force HTTPS
+- **HSTS**: HTTP Strict Transport Security
+
+## 7. Rate Limiting
+
+### 7.1 Rate Limit Strategy
+- **IP-Based**: Rate limit by IP address
+- **User-Based**: Rate limit by authenticated user
+- **Endpoint-Based**: Different limits per endpoint
+
+### 7.2 Rate Limit Configuration
+- **Default**: 100 requests/minute
+- **Authenticated**: 200 requests/minute
+- **Strict Endpoints**: Lower limits for sensitive endpoints
+
+## 8. Audit Logging
+
+### 8.1 Audit Events
+- **Authentication**: Login, logout, failed login
+- **Authorization**: Permission denied events
+- **Data Access**: Read operations (configurable)
+- **Data Modification**: Create, update, delete operations
+- **System Actions**: System configuration changes
+
+### 8.2 Audit Log Format
+```json
+{
+  "id": "uuid",
+  "user_id": "uuid",
+  "action": "CREATE_SHARE",
+  "resource_type": "share",
+  "resource_id": "uuid",
+  "method": "POST",
+  "path": "/api/v1/shares",
+  "ip_address": "192.168.1.100",
+  "user_agent": "Mozilla/5.0...",
+  "request_body": {...},
+  "response_status": 201,
+  "created_at": "2025-01-01T00:00:00Z"
+}
+```
+
+## 9. Error Handling
+
+### 9.1 Error Information
+- **Public Errors**: Safe error messages for users
+- **Private Errors**: Detailed errors in logs only
+- **No Stack Traces**: Never expose stack traces to users
+
+### 9.2 Error Logging
+- **Log All Errors**: Log all errors with context
+- **Sensitive Data**: Never log passwords, tokens, secrets
+- **Error Tracking**: Track error patterns
+
+## 10. File Upload Security
+
+### 10.1 Upload Restrictions
+- **File Types**: Whitelist allowed file types
+- **File Size**: Maximum file size limits
+- **File Validation**: Validate file contents
+
+### 10.2 Storage Security
+- **Secure Storage**: Store in secure location
+- **Access Control**: Restrict file access
+- **Virus Scanning**: Scan uploaded files (future)
+
+## 11. API Security
+
+### 11.1 API Authentication
+- **Bearer Tokens**: JWT in Authorization header
+- **Token Validation**: Validate on every request
+- **Token Expiration**: Enforce token expiration
+
+### 11.2 API Rate Limiting
+- **Per IP**: Rate limit by IP address
+- **Per User**: Rate limit by authenticated user
+- **Per Endpoint**: Different limits per endpoint
+
+## 12. Database Security
+
+### 12.1 Database Access
+- **Connection Security**: Encrypted connections
+- **Credentials**: Secure credential storage
+- **Least Privilege**: Database user with minimum privileges
+
+### 12.2 Data Encryption
+- **At Rest**: Database encryption (future)
+- **In Transit**: TLS for database connections
+- **Sensitive Data**: Encrypt sensitive fields
+
+## 13. System Security
+
+### 13.1 Command Execution
+- **Whitelist**: Only allow whitelisted commands
+- **Input Validation**: Validate command inputs
+- **Output Sanitization**: Sanitize command outputs
+
+### 13.2 File System Access
+- **Path Validation**: Validate all file paths
+- **Access Control**: Restrict file system access
+- **Symlink Protection**: Prevent symlink attacks
+
+## 14. Security Headers
+
+### 14.1 HTTP Security Headers
+```
+X-Content-Type-Options: nosniff
+X-Frame-Options: DENY
+X-XSS-Protection: 1; mode=block
+Content-Security-Policy: default-src 'self'
+Strict-Transport-Security: max-age=31536000
+Referrer-Policy: strict-origin-when-cross-origin
+```
+
+## 15. Security Monitoring
+
+### 15.1 Security Events
+- **Failed Logins**: Monitor failed login attempts
+- **Permission Denials**: Monitor permission denials
+- **Suspicious Activity**: Detect suspicious patterns
+
+### 15.2 Alerting
+- **Security Alerts**: Alert on security events
+- **Thresholds**: Alert thresholds for suspicious activity
+- **Notification**: Notify administrators
+