security: apply four immediate security fixes

Fix #1 - SECRET_KEY startup validation (config.py, .env): - App refuses to start if SECRET_KEY is missing, shorter than 32 chars, or matches a known insecure default value - .env: replaced hardcoded test key with placeholder + generation hint Fix #2 - Docker socket proxy (docker-compose.yml): - Add tecnativa/docker-socket-proxy sidecar - Only expose required Docker API endpoints (CONTAINERS, IMAGES, NETWORKS, POST, EXEC); dangerous endpoints explicitly blocked - Remove direct /var/run/docker.sock mount from main container - Route Docker API via DOCKER_HOST=tcp://docker-socket-proxy:2375 Fix #3 - Azure AD group whitelist (auth.py, models.py, validators.py): - New azure_allowed_group_id field in SystemConfig - After token exchange, verify group membership via Graph API /me/memberOf - Deny login with HTTP 403 if user is not in the required group - New Azure AD users now get role 'viewer' instead of 'admin' Fix #4 - Rate limiting on login (main.py, auth.py, requirements.txt): - Add slowapi==0.1.9 dependency - Initialize SlowAPI limiter in main.py with 429 exception handler - Apply 10 requests/minute limit per IP on /login and /mfa/verify
2026-02-18 21:28:49 +01:00
parent 40456bfaba
commit 72bad11129
7 changed files with 166 additions and 13 deletions
--- a/app/models.py
+++ b/app/models.py
@@ -168,6 +168,10 @@ class SystemConfig(Base):
    azure_tenant_id: Mapped[Optional[str]] = mapped_column(String(255), nullable=True)
    azure_client_id: Mapped[Optional[str]] = mapped_column(String(255), nullable=True)
    azure_client_secret_encrypted: Mapped[Optional[str]] = mapped_column(Text, nullable=True)
+    azure_allowed_group_id: Mapped[Optional[str]] = mapped_column(
+        String(255), nullable=True,
+        comment="If set, only Azure AD users in this group (object ID) are allowed to log in."
+    )
    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow)
    updated_at: Mapped[datetime] = mapped_column(
        DateTime, default=datetime.utcnow, onupdate=datetime.utcnow
@@ -203,6 +207,7 @@ class SystemConfig(Base):
            "azure_tenant_id": self.azure_tenant_id or "",
            "azure_client_id": self.azure_client_id or "",
            "azure_client_secret_set": bool(self.azure_client_secret_encrypted),
+            "azure_allowed_group_id": self.azure_allowed_group_id or "",
            "created_at": self.created_at.isoformat() if self.created_at else None,
            "updated_at": self.updated_at.isoformat() if self.updated_at else None,
        }