134 lines
3.1 KiB
Text
134 lines
3.1 KiB
Text
# Security Configuration Schema
|
|
# Common schema for authentication, RBAC, and encryption
|
|
|
|
{
|
|
# Supported KMS backends
|
|
|
|
SecurityConfig = {
|
|
# JWT Configuration
|
|
jwt | {
|
|
# JWT issuer
|
|
issuer | String | optional,
|
|
|
|
# JWT audience
|
|
audience | String | optional,
|
|
|
|
# Token expiration in seconds
|
|
expiration | Number | optional,
|
|
|
|
# Refresh token expiration in seconds
|
|
refresh_expiration | Number | optional,
|
|
|
|
# Secret key for JWT signing
|
|
secret | String | optional,
|
|
|
|
# Algorithm (HS256, RS256, etc.)
|
|
algorithm | String | optional,
|
|
} | optional,
|
|
|
|
# Encryption Configuration
|
|
encryption | {
|
|
# KMS backend: none, age, sops, kms_external
|
|
kms_backend | String | default = 'none,
|
|
|
|
# Path to encryption key file
|
|
key_path | String | optional,
|
|
|
|
# Master encryption key (for age/SOPS)
|
|
master_key | String | optional,
|
|
|
|
# Enable encrypted field storage
|
|
enable_field_encryption | Bool | default = false,
|
|
} | optional,
|
|
|
|
# RBAC Configuration
|
|
rbac | {
|
|
# Enable RBAC
|
|
enabled | Bool | default = false,
|
|
|
|
# Default role for new users
|
|
default_role | String | optional,
|
|
|
|
# Allow role inheritance
|
|
inheritance | Bool | default = true,
|
|
} | optional,
|
|
|
|
# MFA Configuration
|
|
mfa | {
|
|
# Require MFA for all users
|
|
required | Bool | default = false,
|
|
|
|
# Supported MFA methods (totp, webauthn, etc.)
|
|
methods | Array String | optional,
|
|
|
|
# Max failed MFA attempts before lockout
|
|
max_attempts | String | optional,
|
|
|
|
# Lockout duration in minutes
|
|
lockout_duration | Number | optional,
|
|
} | optional,
|
|
|
|
# Rate Limiting
|
|
rate_limiting | {
|
|
# Enable rate limiting
|
|
enabled | Bool | default = false,
|
|
|
|
# Max requests per window
|
|
max_requests | String | optional,
|
|
|
|
# Time window in seconds
|
|
window_seconds | Number | optional,
|
|
|
|
# Lockout duration in minutes
|
|
lockout_duration | Number | optional,
|
|
} | optional,
|
|
|
|
# Session Configuration
|
|
session | {
|
|
# Session max duration in seconds
|
|
max_duration | Number | optional,
|
|
|
|
# Idle timeout in seconds
|
|
idle_timeout | Number | optional,
|
|
|
|
# Enable session tracking
|
|
tracking | Bool | default = false,
|
|
} | optional,
|
|
|
|
# TLS Configuration
|
|
tls | {
|
|
# Enable TLS
|
|
enabled | Bool | default = false,
|
|
|
|
# Path to certificate file
|
|
cert_path | String | optional,
|
|
|
|
# Path to key file
|
|
key_path | String | optional,
|
|
|
|
# CA certificate path for client verification
|
|
ca_path | String | optional,
|
|
|
|
# Require client certificates
|
|
client_auth | Bool | default = false,
|
|
} | optional,
|
|
|
|
# CORS Configuration
|
|
cors | {
|
|
# Enable CORS
|
|
enabled | Bool | default = false,
|
|
|
|
# Allowed origins (comma-separated or array)
|
|
allowed_origins | Array String | optional,
|
|
|
|
# Allow credentials
|
|
allow_credentials | Bool | default = false,
|
|
|
|
# Allowed methods
|
|
allowed_methods | Array String | optional,
|
|
|
|
# Allowed headers
|
|
allowed_headers | Array String | optional,
|
|
} | optional,
|
|
},
|
|
}
|