solution_challenge_backend / backend /security_config.py
github-actions
Deploy to Hugging Face
c794b6b
Raw
History Blame Contribute Delete
3.3 kB
"""
Production security validation and secret resolution.
"""
from __future__ import annotations
import hmac
import os
import sys
# Legacy well-known defaults — rejected in strict startup; never auto-resolved from code.
KNOWN_INSECURE_API_KEYS = frozenset({"cepheus-dev-key"})
def is_production() -> bool:
return os.getenv("CEPHEUS_PRODUCTION", "").strip() == "1"
def is_demo_mode() -> bool:
"""Demo simulations (issue progress, missing-person auto-resolve) — never in production."""
if is_production():
return False
return os.getenv("CEPHEUS_DEMO_MODE", "").strip() == "1"
def is_auth_dev_mode() -> bool:
"""Local-only insecure auth defaults — never in production."""
if is_production():
return False
return os.getenv("CEPHEUS_AUTH_DEV_MODE", "").strip() == "1"
def safe_compare_strings(a: str, b: str) -> bool:
if not a or not b:
return False
return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))
def resolve_dev_api_key() -> str:
if not is_auth_dev_mode():
return ""
return os.getenv("CEPHEUS_DEV_API_KEY", "").strip()
def resolve_api_key() -> str:
key = os.getenv("CEPHEUS_API_KEY", "").strip()
if key:
return key
if is_production():
return ""
return resolve_dev_api_key()
def resolve_readonly_api_key() -> str:
"""Optional read-only automation key (ISSUE-178). Role enforced at route dependencies."""
return os.getenv("CEPHEUS_READONLY_API_KEY", "").strip()
def api_key_scope_label() -> str:
"""Document intended API key use (audit / ops); does not enforce RBAC by itself."""
return os.getenv("CEPHEUS_API_KEY_SCOPE", "").strip()
def validate_startup() -> None:
"""Fail fast when production or a real cloud deployment is misconfigured.
Local development may run the cloud stub engine (CEPHEUS_CLOUD=1) together with
CEPHEUS_AUTH_DEV_MODE=1; that combination is intentionally exempt from the strict
secret requirements so developers can run the full stack locally. Real cloud
deployments must NOT set CEPHEUS_AUTH_DEV_MODE and therefore remain strict.
"""
errors: list[str] = []
dev_mode = is_auth_dev_mode()
cloud = os.getenv("CEPHEUS_CLOUD", "").strip() in ("1", "true", "yes")
# Strict when in production, or a cloud deploy that is NOT explicitly in dev mode.
strict = is_production() or (cloud and not dev_mode)
if strict:
if not os.getenv("CEPHEUS_JWT_SECRET", "").strip():
errors.append("CEPHEUS_JWT_SECRET is required in production/cloud")
if dev_mode and is_production():
errors.append("CEPHEUS_AUTH_DEV_MODE must be 0 in production")
key = os.getenv("CEPHEUS_API_KEY", "").strip()
if not key or key in KNOWN_INSECURE_API_KEYS:
errors.append("CEPHEUS_API_KEY must be set to a non-default value in production/cloud")
cors = os.getenv("CORS_ORIGINS", "").strip()
if not cors:
errors.append("CORS_ORIGINS must be set in production/cloud")
if errors:
for msg in errors:
print(f"FATAL: {msg}", file=sys.stderr)
raise SystemExit(1)
def auth_enabled_check() -> bool:
return bool(os.getenv("CEPHEUS_JWT_SECRET", "").strip()) or is_auth_dev_mode()