| """ |
| Production security validation and secret resolution. |
| """ |
| from __future__ import annotations |
|
|
| import hmac |
| import os |
| import sys |
|
|
| |
| KNOWN_INSECURE_API_KEYS = frozenset({"cepheus-dev-key"}) |
|
|
|
|
| def is_production() -> bool: |
| return os.getenv("CEPHEUS_PRODUCTION", "").strip() == "1" |
|
|
|
|
| def is_demo_mode() -> bool: |
| """Demo simulations (issue progress, missing-person auto-resolve) — never in production.""" |
| if is_production(): |
| return False |
| return os.getenv("CEPHEUS_DEMO_MODE", "").strip() == "1" |
|
|
|
|
| def is_auth_dev_mode() -> bool: |
| """Local-only insecure auth defaults — never in production.""" |
| if is_production(): |
| return False |
| return os.getenv("CEPHEUS_AUTH_DEV_MODE", "").strip() == "1" |
|
|
|
|
| def safe_compare_strings(a: str, b: str) -> bool: |
| if not a or not b: |
| return False |
| return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8")) |
|
|
|
|
| def resolve_dev_api_key() -> str: |
| if not is_auth_dev_mode(): |
| return "" |
| return os.getenv("CEPHEUS_DEV_API_KEY", "").strip() |
|
|
|
|
| def resolve_api_key() -> str: |
| key = os.getenv("CEPHEUS_API_KEY", "").strip() |
| if key: |
| return key |
| if is_production(): |
| return "" |
| return resolve_dev_api_key() |
|
|
|
|
| def resolve_readonly_api_key() -> str: |
| """Optional read-only automation key (ISSUE-178). Role enforced at route dependencies.""" |
| return os.getenv("CEPHEUS_READONLY_API_KEY", "").strip() |
|
|
|
|
| def api_key_scope_label() -> str: |
| """Document intended API key use (audit / ops); does not enforce RBAC by itself.""" |
| return os.getenv("CEPHEUS_API_KEY_SCOPE", "").strip() |
|
|
|
|
| def validate_startup() -> None: |
| """Fail fast when production or a real cloud deployment is misconfigured. |
| |
| Local development may run the cloud stub engine (CEPHEUS_CLOUD=1) together with |
| CEPHEUS_AUTH_DEV_MODE=1; that combination is intentionally exempt from the strict |
| secret requirements so developers can run the full stack locally. Real cloud |
| deployments must NOT set CEPHEUS_AUTH_DEV_MODE and therefore remain strict. |
| """ |
| errors: list[str] = [] |
|
|
| dev_mode = is_auth_dev_mode() |
| cloud = os.getenv("CEPHEUS_CLOUD", "").strip() in ("1", "true", "yes") |
|
|
| |
| strict = is_production() or (cloud and not dev_mode) |
|
|
| if strict: |
| if not os.getenv("CEPHEUS_JWT_SECRET", "").strip(): |
| errors.append("CEPHEUS_JWT_SECRET is required in production/cloud") |
| if dev_mode and is_production(): |
| errors.append("CEPHEUS_AUTH_DEV_MODE must be 0 in production") |
| key = os.getenv("CEPHEUS_API_KEY", "").strip() |
| if not key or key in KNOWN_INSECURE_API_KEYS: |
| errors.append("CEPHEUS_API_KEY must be set to a non-default value in production/cloud") |
| cors = os.getenv("CORS_ORIGINS", "").strip() |
| if not cors: |
| errors.append("CORS_ORIGINS must be set in production/cloud") |
|
|
| if errors: |
| for msg in errors: |
| print(f"FATAL: {msg}", file=sys.stderr) |
| raise SystemExit(1) |
|
|
|
|
| def auth_enabled_check() -> bool: |
| return bool(os.getenv("CEPHEUS_JWT_SECRET", "").strip()) or is_auth_dev_mode() |
|
|