lfg2025/archy
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases 33 Wiki Activity

Initial commit

Browse Source
This commit is contained in:
zazawowow
2026-01-24 22:01:51 +00:00
commit 64cc3bc7fb
56 changed files with 4584 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
core/security/src/container_policies.rs Normal file
View File

@@ -0,0 +1,74 @@
// AppArmor/SELinux policy generator for containers
// Creates security profiles for each containerized app
use anyhow::Result;
use std::collections::HashMap;
use std::path::PathBuf;
use tokio::fs;
pub struct ContainerPolicyGenerator {
policies_dir: PathBuf,
}
impl ContainerPolicyGenerator {
pub fn new(policies_dir: PathBuf) -> Self {
Self { policies_dir }
}
/// Generate AppArmor profile for a container
pub async fn generate_apparmor_profile(
&self,
app_id: &str,
capabilities: &[String],
readonly: bool,
) -> Result<PathBuf> {
let profile_path = self.policies_dir.join(format!("{}.apparmor", app_id));
let mut profile = String::from("# AppArmor profile for Archipelago container\n");
profile.push_str(&format!("profile archipelago-{} flags=(attach_disconnected,mediate_deleted) {{\n", app_id));
// Base includes
profile.push_str(" #include <abstractions/base>\n");
// Capabilities
if capabilities.is_empty() {
profile.push_str(" capability,\n");
} else {
for cap in capabilities {
profile.push_str(&format!(" capability {},\n", cap));
}
}
// Filesystem access
if readonly {
profile.push_str(" deny / rw,\n");
profile.push_str(&format!(" /var/lib/archipelago/{} rw,\n", app_id));
} else {
profile.push_str(" / r,\n");
profile.push_str(&format!(" /var/lib/archipelago/{} rw,\n", app_id));
}
// Network
profile.push_str(" network,\n");
profile.push_str("}\n");
fs::write(&profile_path, profile).await?;
Ok(profile_path)
}
/// Apply AppArmor profile to a container
pub async fn apply_profile(&self, container_name: &str, profile_path: &PathBuf) -> Result<()> {
// Load the profile
tokio::process::Command::new("apparmor_parser")
.arg("-r")
.arg(profile_path)
.output()
.await?;
// TODO: Configure Podman to use the profile
// This requires Podman configuration changes
Ok(())
}
}

90
core/security/src/image_verifier.rs Normal file
View File

@@ -0,0 +1,90 @@
// Container image signature verification using Cosign
// Verifies that container images are signed and trusted
use anyhow::{Context, Result};
use std::process::Command;
use tracing::{info, warn};
pub struct ImageVerifier {
cosign_public_key: Option<String>, // Public key for verification
}
impl ImageVerifier {
pub fn new(cosign_public_key: Option<String>) -> Self {
Self { cosign_public_key }
}
/// Verify a container image signature
pub async fn verify_image(&self, image: &str, signature: Option<&str>) -> Result<bool> {
if signature.is_none() && self.cosign_public_key.is_none() {
warn!("No signature provided for image: {}", image);
return Ok(false);
}
// Check if cosign is available
let cosign_available = Command::new("cosign")
.arg("version")
.output()
.is_ok();
if !cosign_available {
warn!("Cosign not available, skipping signature verification");
return Ok(false);
}
// If public key is provided, use it for verification
if let Some(ref public_key) = self.cosign_public_key {
let output = Command::new("cosign")
.arg("verify")
.arg("--key")
.arg(public_key)
.arg(image)
.output()
.context("Failed to run cosign verify")?;
if output.status.success() {
info!("Image signature verified: {}", image);
return Ok(true);
} else {
let stderr = String::from_utf8_lossy(&output.stderr);
return Err(anyhow::anyhow!("Signature verification failed: {}", stderr));
}
}
// If signature URL is provided, verify using that
if let Some(sig_url) = signature {
if sig_url.starts_with("cosign://") {
// Extract signature reference
let sig_ref = sig_url.strip_prefix("cosign://").unwrap();
let output = Command::new("cosign")
.arg("verify")
.arg("--signature")
.arg(sig_ref)
.arg(image)
.output()
.context("Failed to run cosign verify")?;
if output.status.success() {
info!("Image signature verified: {}", image);
return Ok(true);
} else {
let stderr = String::from_utf8_lossy(&output.stderr);
return Err(anyhow::anyhow!("Signature verification failed: {}", stderr));
}
}
}
Ok(false)
}
/// Check if an image has a signature
pub async fn has_signature(&self, image: &str) -> bool {
// Try to find signature in registry
let output = Command::new("cosign")
.arg("triangulate")
.arg(image)
.output();
output.is_ok() && output.unwrap().status.success()
}
}

7
core/security/src/lib.rs Normal file
View File

@@ -0,0 +1,7 @@
pub mod container_policies;
pub mod secrets_manager;
pub mod image_verifier;
pub use container_policies::ContainerPolicyGenerator;
pub use secrets_manager::SecretsManager;
pub use image_verifier::ImageVerifier;

98
core/security/src/secrets_manager.rs Normal file
View File

@@ -0,0 +1,98 @@
// Encrypted secrets management for containers
// Stores secrets securely and injects them at runtime
use anyhow::{Context, Result};
use std::collections::HashMap;
use std::path::PathBuf;
use tokio::fs;
use uuid::Uuid;
pub struct SecretsManager {
secrets_dir: PathBuf,
encryption_key: Vec<u8>, // In production, derive from user password
}
impl SecretsManager {
pub fn new(secrets_dir: PathBuf, encryption_key: Vec<u8>) -> Self {
Self {
secrets_dir,
encryption_key,
}
}
/// Store a secret for an app
pub async fn store_secret(
&self,
app_id: &str,
key: &str,
value: &str,
) -> Result<String> {
let secret_id = Uuid::new_v4().to_string();
let secret_path = self.secrets_dir
.join(app_id)
.join(format!("{}.secret", secret_id));
fs::create_dir_all(secret_path.parent().unwrap()).await?;
// TODO: Encrypt the secret value
// For now, store as plaintext (MUST be encrypted in production)
fs::write(&secret_path, value).await
.context("Failed to write secret")?;
// Set restrictive permissions
#[cfg(unix)]
{
use std::os::unix::fs::PermissionsExt;
let mut perms = fs::metadata(&secret_path).await?.permissions();
perms.set_mode(0o600);
fs::set_permissions(&secret_path, perms).await?;
}
Ok(secret_id)
}
/// Retrieve a secret (returns the secret ID path for volume mounting)
pub fn get_secret_path(&self, app_id: &str, secret_id: &str) -> PathBuf {
self.secrets_dir
.join(app_id)
.join(format!("{}.secret", secret_id))
}
/// List secrets for an app
pub async fn list_secrets(&self, app_id: &str) -> Result<Vec<String>> {
let app_secrets_dir = self.secrets_dir.join(app_id);
if !app_secrets_dir.exists() {
return Ok(vec![]);
}
let mut secrets = Vec::new();
let mut entries = fs::read_dir(&app_secrets_dir).await?;
while let Some(entry) = entries.next_entry().await? {
let path = entry.path();
if path.extension().and_then(|s| s.to_str()) == Some("secret") {
if let Some(secret_id) = path.file_stem()
.and_then(|s| s.to_str())
.map(|s| s.to_string()) {
secrets.push(secret_id);
}
}
}
Ok(secrets)
}
/// Delete a secret
pub async fn delete_secret(&self, app_id: &str, secret_id: &str) -> Result<()> {
let secret_path = self.secrets_dir
.join(app_id)
.join(format!("{}.secret", secret_id));
if secret_path.exists() {
fs::remove_file(&secret_path).await?;
}
Ok(())
}
}