# Security Configuration for deb-bootc-compose
# This file demonstrates comprehensive security features including:
# - Multiple authentication providers (Kerberos, OIDC, API Key)
# - Role-based access control (RBAC)
# - SSL/TLS configuration
# - Comprehensive audit logging
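# NOTE(review): the document as rendered had all indentation stripped, which
# as flat YAML yields `security: null` and duplicate keys at one level.
# Nesting below is restored from the section comments; the placement of the
# trailing `users`, `api_keys`, `monitoring` and `compliance` sections as
# top-level siblings of `security` is a reconstruction — confirm against the
# loader's config schema.
security:
  enabled: true
  provider: "auto"  # auto, kerberos, oidc, apikey

  # Kerberos Authentication
  kerberos:
    enabled: true
    realm: "DEBIAN.ORG"
    # The keytab is a long-lived credential; keep it readable only by the
    # service account.
    keytab_path: "/etc/krb5.keytab"
    service_name: "deb-bootc-compose"
    debug: false

  # OpenID Connect Authentication
  oidc:
    enabled: true
    issuer_url: "https://auth.debian.org"
    client_id: "deb-bootc-compose"
    client_secret: "${OIDC_CLIENT_SECRET}"  # Use environment variable
    redirect_url: "https://compose.debian.org/auth/callback"
    scopes: "openid profile email groups"
    token_endpoint: "https://auth.debian.org/oauth2/token"
    userinfo_url: "https://auth.debian.org/oauth2/userinfo"
    jwks_url: "https://auth.debian.org/.well-known/jwks.json"

  # API Key Authentication
  api_key:
    enabled: true
    header_name: "X-API-Key"
    # NOTE(review): a key sent as a query parameter ends up in access logs,
    # proxy logs and browser history; prefer the header. Whether this
    # parameter can be disabled depends on the loader — confirm.
    query_param: "api_key"
    secret_path: "/etc/deb-bootc-compose/api-keys"
    algorithm: "HS256"
    expiration: "24h"

  # SSL/TLS Configuration
  ssl:
    enabled: true
    cert_file: "/etc/ssl/certs/deb-bootc-compose.crt"
    # Private key: restrict filesystem permissions to the service user.
    key_file: "/etc/ssl/private/deb-bootc-compose.key"
    ca_file: "/etc/ssl/certs/deb-ca.crt"
    min_version: "TLS1.2"
    max_version: "TLS1.3"
    # Suite names look like Go crypto/tls constants (TLS 1.2 ECDHE + AEAD
    # only); TLS 1.3 suites are generally not configurable — confirm against
    # the loader.
    cipher_suites:
      - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
      - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
      - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

  # Role-Based Access Control (RBAC)
  rbac:
    enabled: true
    default_role: "user"

    # Role Definitions
    roles:
      # Base user role with minimal permissions
      user:
        name: "user"
        description: "Basic user with read access to public resources"
        permissions:
          - "compose:read"
          - "variant:read"
          - "phase:read"
          - "metadata:read"
        inherits: []

      # Developer role with build permissions
      developer:
        name: "developer"
        description: "Developer with build and test permissions"
        permissions:
          - "compose:create"
          - "compose:build"
          - "variant:create"
          - "variant:modify"
          - "phase:execute"
          - "build:trigger"
          - "test:run"
        inherits: ["user"]

      # Maintainer role with full variant control
      maintainer:
        name: "maintainer"
        description: "Package maintainer with full variant control"
        permissions:
          - "variant:delete"
          - "variant:publish"
          - "repository:manage"
          - "signing:manage"
        inherits: ["developer"]

      # Admin role with full system access
      admin:
        name: "admin"
        description: "System administrator with full access"
        permissions:
          - "*:*"  # Full access to everything
        inherits: ["maintainer"]  # redundant given "*:*"; kept for readability

      # Security role for security-related operations
      security:
        name: "security"
        description: "Security team with audit and security management permissions"
        permissions:
          - "audit:read"
          - "audit:export"
          - "security:manage"
          - "rbac:manage"
          - "user:manage"
        inherits: ["user"]

    # Policy Definitions
    # NOTE(review): the file does not state the precedence when a "deny" and
    # an "allow" policy both match; confirm the evaluator's ordering.
    policies:
      # Deny access to sensitive resources for non-admin users
      deny_sensitive_resources:
        name: "deny_sensitive_resources"
        description: "Deny access to sensitive system resources"
        effect: "deny"
        resources:
          - "system:*"
          - "security:*"
          - "audit:*"
        actions:
          - "*"
        conditions:
          user_groups: ["user", "developer", "maintainer"]

      # Allow developers to access development resources
      allow_dev_access:
        name: "allow_dev_access"
        description: "Allow developers to access development resources"
        effect: "allow"
        resources:
          - "dev:*"
          - "test:*"
          - "build:*"
        actions:
          - "*"
        conditions:
          user_groups: ["developer", "maintainer", "admin"]

      # Time-based access control (example)
      business_hours_only:
        name: "business_hours_only"
        description: "Restrict access to business hours for non-critical operations"
        effect: "deny"
        # NOTE(review): these are written as permission strings
        # (resource:action) while the other policies use resource patterns
        # (e.g. "dev:*"); confirm which form the policy matcher expects.
        resources:
          - "compose:create"
          - "variant:modify"
        actions:
          - "*"
        conditions:
          time_of_day: "outside_business_hours"

  # Audit Logging Configuration
  audit:
    enabled: true
    log_file: "/var/log/deb-bootc-compose/audit.log"
    log_level: "info"
    max_size: 100  # MB
    max_backups: 10
    # NOTE(review): 30-day rotation with at most 10 backups contradicts the
    # "7y" audit_logs retention declared under compliance.retention unless
    # rotated files are shipped to long-term storage — confirm.
    max_age: 30  # days

  # Custom security settings
  custom:
    session_timeout: "8h"
    max_login_attempts: 5
    lockout_duration: "15m"
    password_policy:
      min_length: 12
      require_uppercase: true
      require_lowercase: true
      require_numbers: true
      require_special: true
    # Covers the entire RFC 1918 private address space; narrow to the actual
    # client networks if this list is meant to restrict access.
    ip_whitelist:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
    rate_limiting:
      requests_per_minute: 100
      burst_size: 20

# Example user assignments (in production, this would be in a separate database)
users:
  - username: "alice"
    email: "alice@debian.org"
    full_name: "Alice Developer"
    groups: ["developer"]
    metadata:
      department: "Engineering"
      location: "Remote"
  - username: "bob"
    email: "bob@debian.org"
    full_name: "Bob Maintainer"
    groups: ["maintainer"]
    metadata:
      department: "Package Maintenance"
      location: "Berlin"
  - username: "charlie"
    email: "charlie@debian.org"
    full_name: "Charlie Admin"
    groups: ["admin"]
    metadata:
      department: "Infrastructure"
      location: "Amsterdam"
  - username: "diana"
    email: "diana@debian.org"
    full_name: "Diana Security"
    groups: ["security"]
    metadata:
      department: "Security Team"
      location: "Paris"

# Example API keys (in production, these would be hashed and stored securely)
# NOTE(review): plaintext, long-lived keys in a committed file, one of them
# with "*:*". Real keys belong outside version control — the file already
# uses the "${OIDC_CLIENT_SECRET}" pattern for that — and should be scoped
# narrowly rather than granted full access.
api_keys:
  - key: "dev-key-12345"
    user: "alice"
    permissions: ["compose:create", "variant:read"]
    expires_at: "2025-12-31T23:59:59Z"
  - key: "maintainer-key-67890"
    user: "bob"
    permissions: ["*:*"]
    expires_at: "2025-12-31T23:59:59Z"

# Security monitoring and alerting
monitoring:
  enabled: true
  # lockout_user / block_ip are automatic responses; confirm there is an
  # operator path to clear them, since clients behind a shared egress
  # address can otherwise be blocked together.
  alerts:
    - event_type: "authentication_failure"
      threshold: 5
      window: "5m"
      action: "lockout_user"
      notification: "email"
    - event_type: "access_denied"
      threshold: 10
      window: "1m"
      action: "block_ip"
      notification: "slack"
    - event_type: "security_violation"
      threshold: 1
      window: "1m"
      action: "immediate_alert"
      notification: "pagerduty"

# Compliance and reporting
compliance:
  enabled: true
  standards:
    - "SOX"
    - "GDPR"
    - "ISO27001"
  reporting:
    frequency: "monthly"
    formats: ["pdf", "csv", "json"]
    recipients:
      - "security@debian.org"
      - "compliance@debian.org"
  # Retention periods here should agree with the audit rotation settings
  # under security.audit (max_age / max_backups).
  retention:
    audit_logs: "7y"
    user_sessions: "1y"
    security_events: "10y"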