security: apply four immediate security fixes

Fix #1 - SECRET_KEY startup validation (config.py, .env): - App refuses to start if SECRET_KEY is missing, shorter than 32 chars, or matches a known insecure default value - .env: replaced hardcoded test key with placeholder + generation hint Fix #2 - Docker socket proxy (docker-compose.yml): - Add tecnativa/docker-socket-proxy sidecar - Only expose required Docker API endpoints (CONTAINERS, IMAGES, NETWORKS, POST, EXEC); dangerous endpoints explicitly blocked - Remove direct /var/run/docker.sock mount from main container - Route Docker API via DOCKER_HOST=tcp://docker-socket-proxy:2375 Fix #3 - Azure AD group whitelist (auth.py, models.py, validators.py): - New azure_allowed_group_id field in SystemConfig - After token exchange, verify group membership via Graph API /me/memberOf - Deny login with HTTP 403 if user is not in the required group - New Azure AD users now get role 'viewer' instead of 'admin' Fix #4 - Rate limiting on login (main.py, auth.py, requirements.txt): - Add slowapi==0.1.9 dependency - Initialize SlowAPI limiter in main.py with 429 exception handler - Apply 10 requests/minute limit per IP on /login and /mfa/verify
2026-02-18 21:28:49 +01:00
parent 40456bfaba
commit 72bad11129
7 changed files with 166 additions and 13 deletions
--- a/app/utils/config.py
+++ b/app/utils/config.py
@@ -35,8 +35,34 @@ class AppConfig:
    wildcard_cert_id: int | None


+# ---------------------------------------------------------------------------
 # Environment-level settings (not stored in DB)
-SECRET_KEY: str = os.environ.get("SECRET_KEY", "change-me-in-production")
+# ---------------------------------------------------------------------------
+
+# Known insecure default values that must never be used in production.
+_INSECURE_KEY_VALUES: set[str] = {
+    "change-me-in-production",
+    "local-test-secret-key-not-for-production-1234",
+    "secret",
+    "changeme",
+    "",
+}
+
+SECRET_KEY: str = os.environ.get("SECRET_KEY", "")
+
+# --- Startup security gate ---
+# Abort immediately if the key is missing, too short, or a known default.
+_MIN_KEY_LENGTH = 32
+if SECRET_KEY in _INSECURE_KEY_VALUES or len(SECRET_KEY) < _MIN_KEY_LENGTH:
+    raise RuntimeError(
+        "FATAL: SECRET_KEY is insecure, missing, or too short.\n"
+        f"  Current length : {len(SECRET_KEY)} characters (minimum: {_MIN_KEY_LENGTH})\n"
+        "  The key must be at least 32 random characters and must not be a known default value.\n"
+        "  Generate a secure key with:\n"
+        "    python3 -c \"import secrets; print(secrets.token_hex(32))\"\n"
+        "  Then set it in your .env file as: SECRET_KEY=<generated-value>"
+    )
+
 DATABASE_PATH: str = os.environ.get("DATABASE_PATH", "/app/data/netbird_msp.db")
 LOG_LEVEL: str = os.environ.get("LOG_LEVEL", "INFO")
 JWT_ALGORITHM: str = "HS256"