Index ¶
- Constants
- func ApplySecurityConfig(config SecurityConfig) error
- func ResetConfigForTest()
- func SaveSecurityConfig(config SecurityConfig, configPath string) error
- func ValidateProductionConfig() error
- func ValidateSecurityConfig(config SecurityConfig) error
- type BillingConfig
- type Config
- type EmergencyConfig
- type EndpointConfig
- type EntityIDConfig
- type MonitoringConfig
- type RateLimitConfig
- type SecurityConfig
- type SecurityEventsConfig
Constants ¶
const Version = "v0.26.4"
Version is the current Arkfile application version. Update this const when releasing a new version.
Variables ¶
This section is empty.
Functions ¶
func ApplySecurityConfig ¶
func ApplySecurityConfig(config SecurityConfig) error
ApplySecurityConfig applies security configuration to the application
func ResetConfigForTest ¶
func ResetConfigForTest()
Testing helper — DO NOT USE IN PRODUCTION. ResetConfigForTest resets the sync.Once and the config variable for testing purposes. This allows LoadConfig to be called again in tests, potentially with different env vars.
func SaveSecurityConfig ¶
func SaveSecurityConfig(config SecurityConfig, configPath string) error
SaveSecurityConfig saves security configuration to file
func ValidateProductionConfig ¶
func ValidateProductionConfig() error
ValidateProductionConfig validates that the configuration is safe for production
func ValidateSecurityConfig ¶
func ValidateSecurityConfig(config SecurityConfig) error
ValidateSecurityConfig validates the security configuration
Types ¶
type BillingConfig ¶
// BillingConfig holds the storage-credit and usage-metering settings.
//
// NOTE(review): the size and price fields are plain int64/string values and
// nothing in this declaration bounds them (non-negative, parseable as money),
// so confirm that range checks are applied where the configuration is loaded.
type BillingConfig struct {
	// Enabled is the master switch. When false, the billing scheduler is not
	// started; the API endpoints continue to return current/zero state.
	Enabled bool `json:"enabled"`
	// FreeBaselineBytes is the per-instance free baseline in bytes. Storage
	// usage above this threshold is billable.
	FreeBaselineBytes int64 `json:"free_baseline_bytes"`
	// CustomerPriceUSDPerTBPerMonth is the dollars-and-cents price string
	// (e.g. "10.00", "19.99") used to seed billing_settings on first startup.
	// Runtime updates go through the admin set-price endpoint and persist
	// in billing_settings; this value is only the seed.
	CustomerPriceUSDPerTBPerMonth string `json:"customer_price_usd_per_tb_per_month"`
	// GiftedCreditsUSD is the per-user-on-approval gift amount as a
	// dollars-and-cents string. Default "0.00" means no automatic gift.
	// Admins can manually gift credit at any time via `arkfile-admin billing gift`.
	GiftedCreditsUSD string `json:"gifted_credits_usd"`
	// TickInterval is the meter tick cadence. Production should leave at 1h;
	// the e2e billing test overrides to 1m for fast verification.
	// NOTE(review): time.Duration has no JSON (un)marshalling methods of its
	// own, so encoding/json reads it as an integer nanosecond count rather
	// than "1h"; confirm how the loader expects this value to be written.
	TickInterval time.Duration `json:"tick_interval"`
	// SweepAtUTC is the daily settlement time as "HH:MM" UTC.
	SweepAtUTC string `json:"sweep_at_utc"`
	// IncludeAdmins controls whether admin accounts are billed. Default false
	// keeps operator self-usage out of beta usage data.
	IncludeAdmins bool `json:"include_admins"`
}
BillingConfig is the storage credits / usage metering configuration. See docs/wip/storage-credits-v2.md §9 for details.
type Config ¶
// Config is the top-level application configuration, grouped into server,
// database, storage, security, logging, key-management, deployment and
// billing sections.
//
// The Storage section carries object-store credentials and every field has a
// JSON tag, so marshalling a whole Config value (for logs, diagnostics or an
// API response) would include SecretAccessKey in the output.
type Config struct {
	Server struct {
		Port string `json:"port"`
		TLSPort string `json:"tls_port"`
		Host string `json:"host"`
		BaseURL string `json:"base_url"`
		LogLevel string `json:"log_level"`
		TLSEnabled bool `json:"tls_enabled"`
		// NOTE(review): presumably the list of origins allowed to make
		// cross-origin requests; confirm that wildcard entries are rejected
		// by the production validation.
		AllowedOrigins []string `json:"allowed_origins"`
	} `json:"server"`
	Database struct {
		Path string `json:"path"`
	} `json:"database"`
	Storage struct {
		Provider string `json:"provider"` // "generic-s3", "backblaze", "wasabi", "vultr", "aws-s3"
		Endpoint string `json:"endpoint"`
		// AccessKeyID and SecretAccessKey are credential material. Both are
		// ordinary tagged string fields, so they are serialized with the rest
		// of the struct; keep Config values out of logs and error messages.
		AccessKeyID string `json:"access_key_id"`
		SecretAccessKey string `json:"secret_access_key"`
		BucketName string `json:"bucket_name"`
		Region string `json:"region"`
		// NOTE(review): presumably selects TLS for the connection to the
		// storage endpoint; confirm it cannot be false in production.
		UseSSL bool `json:"use_ssl"`
		ForcePathStyle bool `json:"force_path_style"` // Required for many self-hosted S3 (SeaweedFS, Ceph, MinIO)
		EnableUploadReplication bool `json:"enable_upload_replication"` // When true and a secondary provider is configured, new uploads are auto-replicated
	} `json:"storage"`
	Security struct {
		// The two JWT fields are paths, not key material; the keys themselves
		// are not part of this struct.
		JWTPrivateKeyPath string `json:"jwt_private_key_path"`
		JWTPublicKeyPath string `json:"jwt_public_key_path"`
		JWTExpiryHours int `json:"jwt_expiry_hours"`
		RefreshTokenDuration time.Duration `json:"refresh_token_duration"`
		RefreshTokenCookieName string `json:"refresh_token_cookie_name"`
		// NOTE(review): presumably enables single-use refresh tokens (a token
		// is revoked once exchanged); confirm the behaviour when false.
		RevokeUsedRefreshTokens bool `json:"revoke_used_refresh_tokens"`
	} `json:"security"`
	Logging struct {
		Directory string `json:"directory"`
		MaxSize int64 `json:"max_size"`
		MaxBackups int `json:"max_backups"`
	} `json:"logging"`
	KeyManagement struct {
		KeyDirectory string `json:"key_directory"`
		OPAQUEKeyPath string `json:"opaque_key_path"`
		JWTKeyPath string `json:"jwt_key_path"`
		TLSCertPath string `json:"tls_cert_path"`
		UseSystemdCreds bool `json:"use_systemd_creds"`
		BackupDirectory string `json:"backup_directory"`
		RotationSchedule string `json:"rotation_schedule"`
	} `json:"key_management"`
	Deployment struct {
		Environment string `json:"environment"`
		DataDirectory string `json:"data_directory"`
		LogDirectory string `json:"log_directory"`
		AdminContact string `json:"admin_contact"`
		// NOTE(review): presumably the accounts treated as administrators;
		// if so, write access to the configuration source is equivalent to
		// granting admin rights and should be restricted accordingly.
		AdminUsernames []string `json:"admin_usernames"`
		RequireApproval bool `json:"require_approval"`
		MaintenanceWindow string `json:"maintenance_window"`
		// The JSON key is "backup_retention_days", which differs from the Go
		// field name.
		BackupRetention int `json:"backup_retention_days"`
	} `json:"deployment"`
	Billing BillingConfig `json:"billing"`
}
func LoadConfig ¶
LoadConfig loads the configuration from environment variables and optional JSON file
type EmergencyConfig ¶
// EmergencyConfig configures the automatic and manual responses to a
// suspected security incident.
//
// The trailing comments on several fields appear to record the values used by
// the default configuration — TODO confirm against GetDefaultSecurityConfig.
type EmergencyConfig struct {
	// Automatic responses
	AutoRotateOnBreach bool `json:"auto_rotate_on_breach"` // true
	AutoEscalateRateLimit bool `json:"auto_escalate_rate_limit"` // true
	AutoIsolateOnPattern bool `json:"auto_isolate_on_pattern"` // true
	// Emergency contacts and procedures
	EmergencyContacts []string `json:"emergency_contacts"`
	// NOTE(review): presumably the destination incident notifications are
	// sent to; confirm it is limited to a trusted, TLS-protected target.
	NotificationEndpoint string `json:"notification_endpoint"`
	EscalationThresholds map[string]int `json:"escalation_thresholds"`
	// Emergency rate limiting
	// NOTE(review): per the trailing comment, 0.1 makes limits ten times
	// stricter, which suggests a value above 1 would loosen them; confirm
	// that validation keeps this within (0, 1].
	EmergencyRateLimitMultiplier float64 `json:"emergency_rate_limit_multiplier"` // 0.1 (10x stricter)
	EmergencyDuration time.Duration `json:"emergency_duration"` // 1 * time.Hour
	// Recovery procedures
	RequireManualRecovery bool `json:"require_manual_recovery"` // true
	RecoveryValidationSteps []string `json:"recovery_validation_steps"`
}
EmergencyConfig configures emergency response procedures
type EndpointConfig ¶
// EndpointConfig describes the rate limit applied to a single endpoint,
// identified by Path and Method.
type EndpointConfig struct {
	Path string `json:"path"`
	Method string `json:"method"`
	Category string `json:"category"` // "auth", "account", "admin", "unrestricted"
	Limit int `json:"limit"` // requests per time window
	// NOTE(review): the window is expressed twice, as a name (WindowType) and
	// as a duration (WindowSize); confirm which one the limiter reads and
	// that the two are kept consistent.
	WindowType string `json:"window_type"` // "hour", "day"
	WindowSize time.Duration `json:"window_size"`
	// NOTE(review): presumably an entry with Enabled false is not rate
	// limited; confirm that "auth" entries cannot be disabled in production.
	Enabled bool `json:"enabled"`
	Description string `json:"description"`
}
EndpointConfig defines rate limiting configuration for specific endpoints
func GetRateLimitedEndpoints ¶
func GetRateLimitedEndpoints() []EndpointConfig
GetRateLimitedEndpoints returns the configuration for rate-limited endpoints
type EntityIDConfig ¶
// EntityIDConfig holds the rotation, retention and cleanup settings for
// entity identifiers.
//
// The trailing comments appear to record default values — TODO confirm
// against GetDefaultSecurityConfig.
type EntityIDConfig struct {
	RotationPeriod time.Duration `json:"rotation_period"` // 24 * time.Hour
	RetentionDays int `json:"retention_days"` // 90
	CleanupInterval time.Duration `json:"cleanup_interval"` // 24 * time.Hour
	EmergencyRotation bool `json:"emergency_rotation"` // true
}
EntityIDConfig configures privacy-preserving entity identification
type MonitoringConfig ¶
// MonitoringConfig holds the intervals and thresholds for key-health,
// system, performance and database monitoring.
//
// The trailing comments appear to record default values — TODO confirm
// against GetDefaultSecurityConfig.
type MonitoringConfig struct {
	// Key health monitoring
	KeyHealthInterval time.Duration `json:"key_health_interval"` // 1 * time.Hour
	CertExpiryWarning time.Duration `json:"cert_expiry_warning"` // 30 * 24 * time.Hour (30 days)
	CertExpiryCritical time.Duration `json:"cert_expiry_critical"` // 7 * 24 * time.Hour (7 days)
	KeyRotationOverdue time.Duration `json:"key_rotation_overdue"` // 35 * 24 * time.Hour (35 days)
	BackupValidation time.Duration `json:"backup_validation"` // 7 * 24 * time.Hour (weekly)
	// System monitoring
	HealthCheckInterval time.Duration `json:"health_check_interval"` // 5 * time.Minute
	MetricsRetention time.Duration `json:"metrics_retention"` // 30 * 24 * time.Hour (30 days)
	AlertCooldown time.Duration `json:"alert_cooldown"` // 1 * time.Hour
	// Performance monitoring
	EnablePerformanceMetrics bool `json:"enable_performance_metrics"` // true
	// NOTE(review): confirm whether the metrics path requires authentication
	// or is bound to an internal interface; metrics can reveal operational
	// detail about the deployment.
	MetricsEndpoint string `json:"metrics_endpoint"` // "/metrics"
	// Database monitoring
	DatabaseHealthInterval time.Duration `json:"database_health_interval"` // 10 * time.Minute
	SlowQueryThreshold time.Duration `json:"slow_query_threshold"` // 1 * time.Second
}
MonitoringConfig configures key health and system monitoring
type RateLimitConfig ¶
// RateLimitConfig holds the per-operation request limits, the progressive
// penalty settings and the global rate-limiting switches.
//
// The trailing comments appear to record default values — TODO confirm
// against GetDefaultSecurityConfig.
type RateLimitConfig struct {
	// Authentication endpoints. The window differs per field (per hour or
	// per day); see the comment on each field.
	RegisterLimit int `json:"register_limit"` // 5 per day
	LoginLimit int `json:"login_limit"` // 20 per hour
	RefreshLimit int `json:"refresh_limit"` // 60 per hour
	ForgotPasswordLimit int `json:"forgot_password_limit"` // 3 per day
	ResetPasswordLimit int `json:"reset_password_limit"` // 10 per hour
	// Account operations (per hour)
	ProfileAccessLimit int `json:"profile_access_limit"` // 100 per hour
	UsernameCheckLimit int `json:"username_check_limit"` // 20 per hour
	// Administrative operations (per hour)
	UserManagementLimit int `json:"user_management_limit"` // 50 per hour
	SystemStatusLimit int `json:"system_status_limit"` // 30 per hour
	AuditLogsLimit int `json:"audit_logs_limit"` // 20 per hour
	// Progressive penalty configuration
	ViolationPenalty float64 `json:"violation_penalty"` // 2.0 (double delay)
	MaxPenaltyDelay time.Duration `json:"max_penalty_delay"` // 15 minutes
	RecoveryPeriod time.Duration `json:"recovery_period"` // 1 hour
	MaxViolations int `json:"max_violations"` // 5 before max penalty
	// Global settings
	// NOTE(review): presumably false switches off every limit above,
	// including those on login and password reset; confirm that production
	// validation requires this to be true.
	EnableRateLimit bool `json:"enable_rate_limit"` // true
	CleanupInterval time.Duration `json:"cleanup_interval"` // 24 * time.Hour
	RetentionDays int `json:"retention_days"` // 30
}
RateLimitConfig configures rate limiting policies
type SecurityConfig ¶
// SecurityConfig groups the five security sub-configurations (entity IDs,
// rate limiting, security events, monitoring and emergency procedures) into
// one value, each under its own JSON key.
type SecurityConfig struct {
	// Entity ID configuration
	EntityID EntityIDConfig `json:"entity_id"`
	// Rate limiting configuration
	RateLimit RateLimitConfig `json:"rate_limit"`
	// Security event configuration
	SecurityEvents SecurityEventsConfig `json:"security_events"`
	// Monitoring configuration
	Monitoring MonitoringConfig `json:"monitoring"`
	// Emergency procedures configuration
	Emergency EmergencyConfig `json:"emergency"`
}
SecurityConfig centralizes all security-related configuration
func GetDefaultSecurityConfig ¶
func GetDefaultSecurityConfig() SecurityConfig
GetDefaultSecurityConfig returns the default security configuration
func LoadSecurityConfig ¶
func LoadSecurityConfig(configPath string) (SecurityConfig, error)
LoadSecurityConfig loads security configuration from file or returns defaults
type SecurityEventsConfig ¶
// SecurityEventsConfig holds the retention, selection, alerting and output
// settings for security event logging.
//
// The trailing comments appear to record default values — TODO confirm
// against GetDefaultSecurityConfig.
type SecurityEventsConfig struct {
	MaxRetentionDays int `json:"max_retention_days"` // 90
	// NOTE(review): presumably event types missing from this list are not
	// recorded; confirm, since an empty list could silence the audit trail.
	EnabledEvents []string `json:"enabled_events"`
	AlertThresholds map[string]int `json:"alert_thresholds"`
	SeverityLevels map[string]string `json:"severity_levels"`
	AutoCleanup bool `json:"auto_cleanup"` // true
	CleanupInterval time.Duration `json:"cleanup_interval"` // 24 * time.Hour
	// NOTE(review): the two sinks are independent switches; confirm that
	// validation rejects a configuration with both set to false, which would
	// presumably leave security events unrecorded.
	LogToFile bool `json:"log_to_file"` // true
	LogToDatabase bool `json:"log_to_database"` // true
}
SecurityEventsConfig configures security event logging