othman.suseno/calypso
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8a3ff6a12c720172880bee5de9808b72b0e7c145
calypso/docs/alpha/sds/SDS-04-Security-Design.md
Warp Agent 70d25e13b8 tidy up documentation for alpha release
2026-01-04 13:19:40 +07:00

225 lines
6.3 KiB
Markdown
Raw Blame History

# SDS-04: Security Design
## 1. Security Overview
### 1.1 Security Principles
- **Defense in Depth**: Multiple layers of security
- **Principle of Least Privilege**: Minimum required permissions
- **Secure by Default**: Secure default configurations
- **Input Validation**: Validate all inputs
- **Output Encoding**: Encode all outputs
## 2. Authentication
### 2.1 Authentication Method
- **JWT Tokens**: JSON Web Tokens for stateless authentication
- **Token Expiration**: Configurable expiration time
- **Token Refresh**: Refresh token mechanism (future)
### 2.2 Password Security
- **Hashing**: bcrypt with cost factor 10
- **Password Requirements**: Minimum length, complexity
- **Password Storage**: Hashed passwords only, never plaintext
### 2.3 Session Management
- **Stateless**: No server-side session storage
- **Token Storage**: Secure storage in frontend (localStorage/sessionStorage)
- **Token Validation**: Validate on every request
## 3. Authorization
### 3.1 Role-Based Access Control (RBAC)
- **Roles**: Admin, Operator, ReadOnly
- **Permissions**: Resource-based permissions (storage:read, storage:write)
- **Role Assignment**: Users assigned to roles
- **Permission Inheritance**: Permissions inherited from roles
### 3.2 Permission Model
```
Resource:Action
Examples:
- storage:read
- storage:write
- iscsi:read
- iscsi:write
- backup:read
- backup:write
- system:read
- system:write
```
### 3.3 Permission Checking
- **Middleware**: Permission middleware checks on protected routes
- **Handler Level**: Additional checks in handlers if needed
- **Service Level**: Business logic permission checks
## 4. Input Validation
### 4.1 Validation Layers
1. **Frontend**: Client-side validation
2. **Handler**: Request validation
3. **Service**: Business logic validation
4. **Database**: Constraint validation
### 4.2 Validation Rules
- **Required Fields**: Check for required fields
- **Type Validation**: Validate data types
- **Format Validation**: Validate formats (email, IP, etc.)
- **Range Validation**: Validate numeric ranges
- **Length Validation**: Validate string lengths
### 4.3 SQL Injection Prevention
- **Parameterized Queries**: Use parameterized queries only
- **No String Concatenation**: Never concatenate SQL strings
- **Input Sanitization**: Sanitize all inputs
## 5. Output Encoding
### 5.1 XSS Prevention
- **HTML Encoding**: Encode HTML in responses
- **JSON Encoding**: Proper JSON encoding
- **Content Security Policy**: CSP headers
### 5.2 Response Headers
```
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
```
## 6. HTTPS & TLS
### 6.1 TLS Configuration
- **TLS Version**: TLS 1.2 minimum
- **Cipher Suites**: Strong cipher suites only
- **Certificate**: Valid SSL certificate
### 6.2 HTTPS Enforcement
- **Redirect HTTP to HTTPS**: Force HTTPS
- **HSTS**: HTTP Strict Transport Security
## 7. Rate Limiting
### 7.1 Rate Limit Strategy
- **IP-Based**: Rate limit by IP address
- **User-Based**: Rate limit by authenticated user
- **Endpoint-Based**: Different limits per endpoint
### 7.2 Rate Limit Configuration
- **Default**: 100 requests/minute
- **Authenticated**: 200 requests/minute
- **Strict Endpoints**: Lower limits for sensitive endpoints
## 8. Audit Logging
### 8.1 Audit Events
- **Authentication**: Login, logout, failed login
- **Authorization**: Permission denied events
- **Data Access**: Read operations (configurable)
- **Data Modification**: Create, update, delete operations
- **System Actions**: System configuration changes
### 8.2 Audit Log Format
```json
{
"id": "uuid",
"user_id": "uuid",
"action": "CREATE_SHARE",
"resource_type": "share",
"resource_id": "uuid",
"method": "POST",
"path": "/api/v1/shares",
"ip_address": "192.168.1.100",
"user_agent": "Mozilla/5.0...",
"request_body": {...},
"response_status": 201,
"created_at": "2025-01-01T00:00:00Z"
}
```
## 9. Error Handling
### 9.1 Error Information
- **Public Errors**: Safe error messages for users
- **Private Errors**: Detailed errors in logs only
- **No Stack Traces**: Never expose stack traces to users
### 9.2 Error Logging
- **Log All Errors**: Log all errors with context
- **Sensitive Data**: Never log passwords, tokens, secrets
- **Error Tracking**: Track error patterns
## 10. File Upload Security
### 10.1 Upload Restrictions
- **File Types**: Whitelist allowed file types
- **File Size**: Maximum file size limits
- **File Validation**: Validate file contents
### 10.2 Storage Security
- **Secure Storage**: Store in secure location
- **Access Control**: Restrict file access
- **Virus Scanning**: Scan uploaded files (future)
## 11. API Security
### 11.1 API Authentication
- **Bearer Tokens**: JWT in Authorization header
- **Token Validation**: Validate on every request
- **Token Expiration**: Enforce token expiration
### 11.2 API Rate Limiting
- **Per IP**: Rate limit by IP address
- **Per User**: Rate limit by authenticated user
- **Per Endpoint**: Different limits per endpoint
## 12. Database Security
### 12.1 Database Access
- **Connection Security**: Encrypted connections
- **Credentials**: Secure credential storage
- **Least Privilege**: Database user with minimum privileges
### 12.2 Data Encryption
- **At Rest**: Database encryption (future)
- **In Transit**: TLS for database connections
- **Sensitive Data**: Encrypt sensitive fields
## 13. System Security
### 13.1 Command Execution
- **Whitelist**: Only allow whitelisted commands
- **Input Validation**: Validate command inputs
- **Output Sanitization**: Sanitize command outputs
### 13.2 File System Access
- **Path Validation**: Validate all file paths
- **Access Control**: Restrict file system access
- **Symlink Protection**: Prevent symlink attacks
## 14. Security Headers
### 14.1 HTTP Security Headers
```
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
```
## 15. Security Monitoring
### 15.1 Security Events
- **Failed Logins**: Monitor failed login attempts
- **Permission Denials**: Monitor permission denials
- **Suspicious Activity**: Detect suspicious patterns
### 15.2 Alerting
- **Security Alerts**: Alert on security events
- **Thresholds**: Alert thresholds for suspicious activity
- **Notification**: Notify administrators
Reference in New Issue View Git Blame Copy Permalink