Fimeg/Redflag
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
38894f64d3f87946a2eb6e14a1e23002234ec3f0
Redflag/aggregator-server/internal/api/handlers/security.go
Fimeg eccc38d7c9 feat: separate data classification architecture 
- Create separate scanner interfaces for storage, system, and docker data
- Add dedicated endpoints for metrics and docker images instead of misclassifying as updates
- Implement proper database tables for storage metrics and docker images
- Fix storage/system metrics appearing incorrectly as package updates
- Add scanner types with proper data structures for each subsystem
- Update agent handlers to use correct endpoints for each data type
2025-11-03 21:44:48 -05:00

264 lines
8.3 KiB
Go
Raw Blame History

package handlers
import (
"net/http"
"time"
"github.com/Fimeg/RedFlag/aggregator-server/internal/database/queries"
"github.com/Fimeg/RedFlag/aggregator-server/internal/services"
"github.com/gin-gonic/gin"
)
// SecurityHandler handles security health check endpoints
type SecurityHandler struct {
signingService *services.SigningService
agentQueries *queries.AgentQueries
commandQueries *queries.CommandQueries
}
// NewSecurityHandler creates a new security handler
func NewSecurityHandler(signingService *services.SigningService, agentQueries *queries.AgentQueries, commandQueries *queries.CommandQueries) *SecurityHandler {
return &SecurityHandler{
signingService: signingService,
agentQueries: agentQueries,
commandQueries: commandQueries,
}
}
// setSecurityHeaders sets appropriate cache control headers for security endpoints
func (h *SecurityHandler) setSecurityHeaders(c *gin.Context) {
c.Header("Cache-Control", "no-store, no-cache, must-revalidate, private")
c.Header("Pragma", "no-cache")
c.Header("Expires", "0")
}
// SigningStatus returns the status of the Ed25519 signing service
func (h *SecurityHandler) SigningStatus(c *gin.Context) {
h.setSecurityHeaders(c)
response := gin.H{
"status": "unavailable",
"timestamp": time.Now(),
"checks": map[string]interface{}{
"service_initialized": false,
"public_key_available": false,
"signing_operational": false,
},
}
if h.signingService != nil {
response["status"] = "available"
response["checks"].(map[string]interface{})["service_initialized"] = true
// Check if public key is available
pubKey := h.signingService.GetPublicKey()
if pubKey != "" {
response["checks"].(map[string]interface{})["public_key_available"] = true
response["checks"].(map[string]interface{})["signing_operational"] = true
response["public_key_fingerprint"] = h.signingService.GetPublicKeyFingerprint()
response["algorithm"] = "ed25519"
}
}
c.JSON(http.StatusOK, response)
}
// NonceValidationStatus returns nonce validation health metrics
func (h *SecurityHandler) NonceValidationStatus(c *gin.Context) {
h.setSecurityHeaders(c)
response := gin.H{
"status": "unknown",
"timestamp": time.Now(),
"checks": map[string]interface{}{
"validation_enabled": true,
"max_age_minutes": 5,
"recent_validations": 0,
"validation_failures": 0,
},
"details": map[string]interface{}{
"nonce_format": "UUID:UnixTimestamp",
"signature_algorithm": "ed25519",
"replay_protection": "active",
},
}
// TODO: Add metrics collection for nonce validations
// This would require adding logging/metrics to the nonce validation process
// For now, we provide the configuration status
response["status"] = "healthy"
response["checks"].(map[string]interface{})["validation_enabled"] = true
response["checks"].(map[string]interface{})["max_age_minutes"] = 5
c.JSON(http.StatusOK, response)
}
// CommandValidationStatus returns command validation and processing metrics
func (h *SecurityHandler) CommandValidationStatus(c *gin.Context) {
h.setSecurityHeaders(c)
response := gin.H{
"status": "unknown",
"timestamp": time.Now(),
"metrics": map[string]interface{}{
"total_pending_commands": 0,
"agents_with_pending": 0,
"commands_last_hour": 0,
"commands_last_24h": 0,
},
"checks": map[string]interface{}{
"command_processing": "unknown",
"backpressure_active": false,
"agent_responsive": "unknown",
},
}
// Get command metrics
if h.commandQueries != nil {
// TODO: Add methods to CommandQueries for aggregate metrics
// For now, we can provide basic status
response["metrics"].(map[string]interface{})["total_pending_commands"] = "N/A"
response["metrics"].(map[string]interface{})["agents_with_pending"] = "N/A"
}
// Get agent metrics for responsiveness
if h.agentQueries != nil {
// TODO: Add method to count online vs offline agents
// This would help identify if agents are responsive to commands
}
response["status"] = "healthy"
response["checks"].(map[string]interface{})["command_processing"] = "operational"
c.JSON(http.StatusOK, response)
}
// MachineBindingStatus returns machine binding enforcement metrics
func (h *SecurityHandler) MachineBindingStatus(c *gin.Context) {
h.setSecurityHeaders(c)
response := gin.H{
"status": "unknown",
"timestamp": time.Now(),
"checks": map[string]interface{}{
"binding_enforced": true,
"min_agent_version": "v0.1.22",
"fingerprint_required": true,
"recent_violations": 0,
},
"details": map[string]interface{}{
"enforcement_method": "hardware_fingerprint",
"binding_scope": "machine_id + cpu + memory + system_uuid",
"violation_action": "command_rejection",
},
}
// TODO: Add metrics for machine binding violations
// This would require logging when machine binding middleware rejects requests
response["status"] = "enforced"
response["checks"].(map[string]interface{})["binding_enforced"] = true
response["checks"].(map[string]interface{})["min_agent_version"] = "v0.1.22"
c.JSON(http.StatusOK, response)
}
// SecurityOverview returns a comprehensive overview of all security subsystems
func (h *SecurityHandler) SecurityOverview(c *gin.Context) {
h.setSecurityHeaders(c)
overview := gin.H{
"timestamp": time.Now(),
"overall_status": "unknown",
"subsystems": map[string]interface{}{
"ed25519_signing": map[string]interface{}{
"status": "unknown",
"enabled": true,
},
"nonce_validation": map[string]interface{}{
"status": "unknown",
"enabled": true,
},
"machine_binding": map[string]interface{}{
"status": "unknown",
"enabled": true,
},
"command_validation": map[string]interface{}{
"status": "unknown",
"enabled": true,
},
},
"alerts": []string{},
"recommendations": []string{},
}
// Check Ed25519 signing
if h.signingService != nil && h.signingService.GetPublicKey() != "" {
overview["subsystems"].(map[string]interface{})["ed25519_signing"].(map[string]interface{})["status"] = "healthy"
} else {
overview["subsystems"].(map[string]interface{})["ed25519_signing"].(map[string]interface{})["status"] = "unavailable"
overview["alerts"] = append(overview["alerts"].([]string), "Ed25519 signing service not configured")
overview["recommendations"] = append(overview["recommendations"].([]string), "Set REDFLAG_SIGNING_PRIVATE_KEY environment variable")
}
// Check nonce validation
overview["subsystems"].(map[string]interface{})["nonce_validation"].(map[string]interface{})["status"] = "healthy"
// Check machine binding
overview["subsystems"].(map[string]interface{})["machine_binding"].(map[string]interface{})["status"] = "enforced"
// Check command validation
overview["subsystems"].(map[string]interface{})["command_validation"].(map[string]interface{})["status"] = "operational"
// Determine overall status
healthyCount := 0
totalCount := 4
for _, subsystem := range overview["subsystems"].(map[string]interface{}) {
subsystemMap := subsystem.(map[string]interface{})
if subsystemMap["status"] == "healthy" || subsystemMap["status"] == "enforced" || subsystemMap["status"] == "operational" {
healthyCount++
}
}
if healthyCount == totalCount {
overview["overall_status"] = "healthy"
} else if healthyCount >= totalCount/2 {
overview["overall_status"] = "degraded"
} else {
overview["overall_status"] = "unhealthy"
}
c.JSON(http.StatusOK, overview)
}
// SecurityMetrics returns detailed security metrics for monitoring
func (h *SecurityHandler) SecurityMetrics(c *gin.Context) {
h.setSecurityHeaders(c)
metrics := gin.H{
"timestamp": time.Now(),
"signing": map[string]interface{}{
"public_key_fingerprint": "",
"algorithm": "ed25519",
"key_size": 32,
},
"nonce": map[string]interface{}{
"max_age_seconds": 300, // 5 minutes
"format": "UUID:UnixTimestamp",
},
"machine_binding": map[string]interface{}{
"min_version": "v0.1.22",
"enforcement": "hardware_fingerprint",
},
"command_processing": map[string]interface{}{
"backpressure_threshold": 5,
"rate_limit_per_second": 100,
},
}
// Add signing metrics if available
if h.signingService != nil {
metrics["signing"].(map[string]interface{})["public_key_fingerprint"] = h.signingService.GetPublicKeyFingerprint()
metrics["signing"].(map[string]interface{})["configured"] = true
} else {
metrics["signing"].(map[string]interface{})["configured"] = false
}
c.JSON(http.StatusOK, metrics)
}
Reference in New Issue View Git Blame Copy Permalink