mirror of
https://github.com/lukaszraczylo/gohoarder.git
synced 2026-07-07 04:14:31 +00:00
fixes
This commit is contained in:
@@ -0,0 +1,395 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"time"
|
||||
)
|
||||
|
||||
// Config is the main configuration struct
|
||||
type Config struct {
|
||||
Server ServerConfig `mapstructure:"server" json:"server"`
|
||||
Storage StorageConfig `mapstructure:"storage" json:"storage"`
|
||||
Metadata MetadataConfig `mapstructure:"metadata" json:"metadata"`
|
||||
Cache CacheConfig `mapstructure:"cache" json:"cache"`
|
||||
Security SecurityConfig `mapstructure:"security" json:"security"`
|
||||
Auth AuthConfig `mapstructure:"auth" json:"auth"`
|
||||
Network NetworkConfig `mapstructure:"network" json:"network"`
|
||||
Logging LoggingConfig `mapstructure:"logging" json:"logging"`
|
||||
Handlers HandlersConfig `mapstructure:"handlers" json:"handlers"`
|
||||
}
|
||||
|
||||
// ServerConfig contains HTTP server configuration
|
||||
type ServerConfig struct {
|
||||
Host string `mapstructure:"host" json:"host"`
|
||||
Port int `mapstructure:"port" json:"port"`
|
||||
ReadTimeout time.Duration `mapstructure:"read_timeout" json:"read_timeout"`
|
||||
WriteTimeout time.Duration `mapstructure:"write_timeout" json:"write_timeout"`
|
||||
IdleTimeout time.Duration `mapstructure:"idle_timeout" json:"idle_timeout"`
|
||||
TLS TLSConfig `mapstructure:"tls" json:"tls"`
|
||||
}
|
||||
|
||||
// TLSConfig contains TLS/HTTPS configuration
|
||||
type TLSConfig struct {
|
||||
Enabled bool `mapstructure:"enabled" json:"enabled"`
|
||||
CertFile string `mapstructure:"cert_file" json:"cert_file"`
|
||||
KeyFile string `mapstructure:"key_file" json:"key_file"`
|
||||
}
|
||||
|
||||
// StorageConfig contains storage backend configuration
|
||||
type StorageConfig struct {
|
||||
Backend string `mapstructure:"backend" json:"backend"` // filesystem, s3, smb, nfs
|
||||
Path string `mapstructure:"path" json:"path"`
|
||||
Filesystem FilesystemConfig `mapstructure:"filesystem" json:"filesystem"`
|
||||
S3 S3Config `mapstructure:"s3" json:"s3"`
|
||||
SMB SMBConfig `mapstructure:"smb" json:"smb"`
|
||||
Options map[string]interface{} `mapstructure:"options" json:"options"`
|
||||
}
|
||||
|
||||
// FilesystemConfig contains local filesystem storage configuration
|
||||
type FilesystemConfig struct {
|
||||
BasePath string `mapstructure:"base_path" json:"base_path"`
|
||||
}
|
||||
|
||||
// S3Config contains S3-compatible storage configuration
|
||||
type S3Config struct {
|
||||
Endpoint string `mapstructure:"endpoint" json:"endpoint"`
|
||||
Region string `mapstructure:"region" json:"region"`
|
||||
Bucket string `mapstructure:"bucket" json:"bucket"`
|
||||
AccessKeyID string `mapstructure:"access_key_id" json:"access_key_id"`
|
||||
SecretAccessKey string `mapstructure:"secret_access_key" json:"-"` // Don't serialize secrets
|
||||
UseSSL bool `mapstructure:"use_ssl" json:"use_ssl"`
|
||||
}
|
||||
|
||||
// SMBConfig contains SMB/CIFS storage configuration
|
||||
type SMBConfig struct {
|
||||
Host string `mapstructure:"host" json:"host"`
|
||||
Share string `mapstructure:"share" json:"share"`
|
||||
Username string `mapstructure:"username" json:"username"`
|
||||
Password string `mapstructure:"password" json:"-"` // Don't serialize secrets
|
||||
Domain string `mapstructure:"domain" json:"domain"`
|
||||
}
|
||||
|
||||
// MetadataConfig contains metadata store configuration
|
||||
type MetadataConfig struct {
|
||||
Backend string `mapstructure:"backend" json:"backend"` // sqlite, postgresql, file
|
||||
Connection string `mapstructure:"connection" json:"connection"`
|
||||
SQLite SQLiteConfig `mapstructure:"sqlite" json:"sqlite"`
|
||||
PostgreSQL PostgreSQLConfig `mapstructure:"postgresql" json:"postgresql"`
|
||||
}
|
||||
|
||||
// SQLiteConfig contains SQLite-specific configuration
|
||||
type SQLiteConfig struct {
|
||||
Path string `mapstructure:"path" json:"path"`
|
||||
WALMode bool `mapstructure:"wal_mode" json:"wal_mode"`
|
||||
}
|
||||
|
||||
// PostgreSQLConfig contains PostgreSQL-specific configuration
|
||||
type PostgreSQLConfig struct {
|
||||
Host string `mapstructure:"host" json:"host"`
|
||||
Port int `mapstructure:"port" json:"port"`
|
||||
Database string `mapstructure:"database" json:"database"`
|
||||
User string `mapstructure:"user" json:"user"`
|
||||
Password string `mapstructure:"password" json:"-"` // Don't serialize secrets
|
||||
SSLMode string `mapstructure:"ssl_mode" json:"ssl_mode"`
|
||||
}
|
||||
|
||||
// CacheConfig contains cache management configuration
|
||||
type CacheConfig struct {
|
||||
DefaultTTL time.Duration `mapstructure:"default_ttl" json:"default_ttl"`
|
||||
CleanupInterval time.Duration `mapstructure:"cleanup_interval" json:"cleanup_interval"`
|
||||
MaxSizeBytes int64 `mapstructure:"max_size_bytes" json:"max_size_bytes"`
|
||||
PerProjectQuota int64 `mapstructure:"per_project_quota" json:"per_project_quota"`
|
||||
TTLOverrides map[string]time.Duration `mapstructure:"ttl_overrides" json:"ttl_overrides"` // Per ecosystem
|
||||
}
|
||||
|
||||
// SecurityConfig contains security scanning configuration
|
||||
type SecurityConfig struct {
|
||||
Enabled bool `mapstructure:"enabled" json:"enabled"`
|
||||
ScanOnDownload bool `mapstructure:"scan_on_download" json:"scan_on_download"` // Scan packages on first download
|
||||
RescanInterval time.Duration `mapstructure:"rescan_interval" json:"rescan_interval"` // How often to re-scan (e.g., 24h, 168h for weekly)
|
||||
BlockOnSeverity string `mapstructure:"block_on_severity" json:"block_on_severity"` // none, low, medium, high, critical
|
||||
BlockThresholds VulnerabilityThresholds `mapstructure:"block_thresholds" json:"block_thresholds"` // Max vulns per severity before blocking
|
||||
UpdateDBOnStartup bool `mapstructure:"update_db_on_startup" json:"update_db_on_startup"` // Update vulnerability databases on startup
|
||||
AllowedPackages []string `mapstructure:"allowed_packages" json:"allowed_packages"` // Packages that bypass security checks (format: "registry/name@version" or "registry/name")
|
||||
IgnoredCVEs []string `mapstructure:"ignored_cves" json:"ignored_cves"` // CVE IDs to ignore globally (e.g., "CVE-2021-23337")
|
||||
Scanners ScannersConfig `mapstructure:"scanners" json:"scanners"`
|
||||
}
|
||||
|
||||
// VulnerabilityThresholds defines max allowed vulnerabilities per severity
|
||||
type VulnerabilityThresholds struct {
|
||||
Critical int `mapstructure:"critical" json:"critical"` // Max critical vulns (0 = block any)
|
||||
High int `mapstructure:"high" json:"high"` // Max high vulns
|
||||
Medium int `mapstructure:"medium" json:"medium"` // Max medium vulns
|
||||
Low int `mapstructure:"low" json:"low"` // Max low vulns (-1 = unlimited)
|
||||
}
|
||||
|
||||
// ScannersConfig contains individual scanner configurations
|
||||
type ScannersConfig struct {
|
||||
Trivy TrivyConfig `mapstructure:"trivy" json:"trivy"`
|
||||
OSV OSVConfig `mapstructure:"osv" json:"osv"`
|
||||
Static StaticConfig `mapstructure:"static" json:"static"`
|
||||
}
|
||||
|
||||
// TrivyConfig contains Trivy scanner configuration
|
||||
type TrivyConfig struct {
|
||||
Enabled bool `mapstructure:"enabled" json:"enabled"`
|
||||
Timeout time.Duration `mapstructure:"timeout" json:"timeout"`
|
||||
CacheDB string `mapstructure:"cache_db" json:"cache_db"`
|
||||
}
|
||||
|
||||
// OSVConfig contains OSV scanner configuration
|
||||
type OSVConfig struct {
|
||||
Enabled bool `mapstructure:"enabled" json:"enabled"`
|
||||
APIURL string `mapstructure:"api_url" json:"api_url"`
|
||||
Timeout time.Duration `mapstructure:"timeout" json:"timeout"`
|
||||
}
|
||||
|
||||
// StaticConfig contains static analysis configuration
|
||||
type StaticConfig struct {
|
||||
Enabled bool `mapstructure:"enabled" json:"enabled"`
|
||||
MaxPackageSize int64 `mapstructure:"max_package_size" json:"max_package_size"`
|
||||
CheckChecksums bool `mapstructure:"check_checksums" json:"check_checksums"`
|
||||
BlockSuspicious bool `mapstructure:"block_suspicious" json:"block_suspicious"`
|
||||
AllowedLicenses []string `mapstructure:"allowed_licenses" json:"allowed_licenses"`
|
||||
}
|
||||
|
||||
// AuthConfig contains authentication configuration
|
||||
type AuthConfig struct {
|
||||
Enabled bool `mapstructure:"enabled" json:"enabled"`
|
||||
KeyExpiration time.Duration `mapstructure:"key_expiration" json:"key_expiration"`
|
||||
BcryptCost int `mapstructure:"bcrypt_cost" json:"bcrypt_cost"`
|
||||
AuditLog bool `mapstructure:"audit_log" json:"audit_log"`
|
||||
}
|
||||
|
||||
// NetworkConfig contains network resilience configuration
|
||||
type NetworkConfig struct {
|
||||
ConnectTimeout time.Duration `mapstructure:"connect_timeout" json:"connect_timeout"`
|
||||
ReadTimeout time.Duration `mapstructure:"read_timeout" json:"read_timeout"`
|
||||
WriteTimeout time.Duration `mapstructure:"write_timeout" json:"write_timeout"`
|
||||
MaxIdleConns int `mapstructure:"max_idle_conns" json:"max_idle_conns"`
|
||||
MaxConnsPerHost int `mapstructure:"max_conns_per_host" json:"max_conns_per_host"`
|
||||
RateLimit RateLimitConfig `mapstructure:"rate_limit" json:"rate_limit"`
|
||||
CircuitBreaker CircuitBreakerConfig `mapstructure:"circuit_breaker" json:"circuit_breaker"`
|
||||
Retry RetryConfig `mapstructure:"retry" json:"retry"`
|
||||
}
|
||||
|
||||
// RateLimitConfig contains rate limiting configuration
|
||||
type RateLimitConfig struct {
|
||||
PerAPIKey int `mapstructure:"per_api_key" json:"per_api_key"`
|
||||
PerIP int `mapstructure:"per_ip" json:"per_ip"`
|
||||
BurstSize int `mapstructure:"burst_size" json:"burst_size"`
|
||||
}
|
||||
|
||||
// CircuitBreakerConfig contains circuit breaker configuration
|
||||
type CircuitBreakerConfig struct {
|
||||
Threshold int `mapstructure:"threshold" json:"threshold"`
|
||||
Timeout time.Duration `mapstructure:"timeout" json:"timeout"`
|
||||
ResetInterval time.Duration `mapstructure:"reset_interval" json:"reset_interval"`
|
||||
}
|
||||
|
||||
// RetryConfig contains retry policy configuration
|
||||
type RetryConfig struct {
|
||||
MaxAttempts int `mapstructure:"max_attempts" json:"max_attempts"`
|
||||
InitialBackoff time.Duration `mapstructure:"initial_backoff" json:"initial_backoff"`
|
||||
MaxBackoff time.Duration `mapstructure:"max_backoff" json:"max_backoff"`
|
||||
}
|
||||
|
||||
// LoggingConfig contains logging configuration
|
||||
type LoggingConfig struct {
|
||||
Level string `mapstructure:"level" json:"level"` // debug, info, warn, error
|
||||
Format string `mapstructure:"format" json:"format"` // json, pretty
|
||||
}
|
||||
|
||||
// HandlersConfig contains package manager handler configurations
|
||||
type HandlersConfig struct {
|
||||
Go GoHandlerConfig `mapstructure:"go" json:"go"`
|
||||
NPM NPMHandlerConfig `mapstructure:"npm" json:"npm"`
|
||||
PyPI PyPIHandlerConfig `mapstructure:"pypi" json:"pypi"`
|
||||
}
|
||||
|
||||
// GoHandlerConfig contains Go proxy configuration
|
||||
type GoHandlerConfig struct {
|
||||
Enabled bool `mapstructure:"enabled" json:"enabled"`
|
||||
UpstreamProxy string `mapstructure:"upstream_proxy" json:"upstream_proxy"`
|
||||
ChecksumDB string `mapstructure:"checksum_db" json:"checksum_db"`
|
||||
VerifyChecksums bool `mapstructure:"verify_checksums" json:"verify_checksums"`
|
||||
}
|
||||
|
||||
// NPMHandlerConfig contains NPM registry configuration
|
||||
type NPMHandlerConfig struct {
|
||||
Enabled bool `mapstructure:"enabled" json:"enabled"`
|
||||
UpstreamRegistry string `mapstructure:"upstream_registry" json:"upstream_registry"`
|
||||
}
|
||||
|
||||
// PyPIHandlerConfig contains PyPI configuration
|
||||
type PyPIHandlerConfig struct {
|
||||
Enabled bool `mapstructure:"enabled" json:"enabled"`
|
||||
UpstreamURL string `mapstructure:"upstream_url" json:"upstream_url"`
|
||||
SimpleAPIURL string `mapstructure:"simple_api_url" json:"simple_api_url"`
|
||||
}
|
||||
|
||||
// Default returns a configuration with sensible defaults
|
||||
func Default() *Config {
|
||||
return &Config{
|
||||
Server: ServerConfig{
|
||||
Host: "0.0.0.0",
|
||||
Port: 8080,
|
||||
ReadTimeout: 5 * time.Minute,
|
||||
WriteTimeout: 5 * time.Minute,
|
||||
IdleTimeout: 2 * time.Minute,
|
||||
TLS: TLSConfig{
|
||||
Enabled: false,
|
||||
},
|
||||
},
|
||||
Storage: StorageConfig{
|
||||
Backend: "filesystem",
|
||||
Path: "/var/cache/gohoarder",
|
||||
Filesystem: FilesystemConfig{
|
||||
BasePath: "/var/cache/gohoarder",
|
||||
},
|
||||
},
|
||||
Metadata: MetadataConfig{
|
||||
Backend: "sqlite",
|
||||
Connection: "file:gohoarder.db?cache=shared&mode=rwc",
|
||||
SQLite: SQLiteConfig{
|
||||
Path: "gohoarder.db",
|
||||
WALMode: true,
|
||||
},
|
||||
},
|
||||
Cache: CacheConfig{
|
||||
DefaultTTL: 7 * 24 * time.Hour,
|
||||
CleanupInterval: 1 * time.Hour,
|
||||
MaxSizeBytes: 500 * 1024 * 1024 * 1024, // 500GB
|
||||
PerProjectQuota: 50 * 1024 * 1024 * 1024, // 50GB
|
||||
TTLOverrides: map[string]time.Duration{
|
||||
"npm": 7 * 24 * time.Hour,
|
||||
"pip": 7 * 24 * time.Hour,
|
||||
"go": 7 * 24 * time.Hour,
|
||||
},
|
||||
},
|
||||
Security: SecurityConfig{
|
||||
Enabled: false,
|
||||
BlockOnSeverity: "high",
|
||||
Scanners: ScannersConfig{
|
||||
Trivy: TrivyConfig{
|
||||
Enabled: false,
|
||||
Timeout: 5 * time.Minute,
|
||||
CacheDB: "/var/lib/trivy",
|
||||
},
|
||||
OSV: OSVConfig{
|
||||
Enabled: false,
|
||||
APIURL: "https://api.osv.dev",
|
||||
Timeout: 30 * time.Second,
|
||||
},
|
||||
Static: StaticConfig{
|
||||
Enabled: true,
|
||||
MaxPackageSize: 2 * 1024 * 1024 * 1024, // 2GB
|
||||
CheckChecksums: true,
|
||||
BlockSuspicious: false,
|
||||
},
|
||||
},
|
||||
},
|
||||
Auth: AuthConfig{
|
||||
Enabled: true,
|
||||
KeyExpiration: 0, // Never expire
|
||||
BcryptCost: 10,
|
||||
AuditLog: true,
|
||||
},
|
||||
Network: NetworkConfig{
|
||||
ConnectTimeout: 10 * time.Second,
|
||||
ReadTimeout: 5 * time.Minute,
|
||||
WriteTimeout: 5 * time.Minute,
|
||||
MaxIdleConns: 100,
|
||||
MaxConnsPerHost: 10,
|
||||
RateLimit: RateLimitConfig{
|
||||
PerAPIKey: 1000,
|
||||
PerIP: 100,
|
||||
BurstSize: 50,
|
||||
},
|
||||
CircuitBreaker: CircuitBreakerConfig{
|
||||
Threshold: 5,
|
||||
Timeout: 30 * time.Second,
|
||||
ResetInterval: 60 * time.Second,
|
||||
},
|
||||
Retry: RetryConfig{
|
||||
MaxAttempts: 3,
|
||||
InitialBackoff: 1 * time.Second,
|
||||
MaxBackoff: 30 * time.Second,
|
||||
},
|
||||
},
|
||||
Logging: LoggingConfig{
|
||||
Level: "info",
|
||||
Format: "json",
|
||||
},
|
||||
Handlers: HandlersConfig{
|
||||
Go: GoHandlerConfig{
|
||||
Enabled: true,
|
||||
UpstreamProxy: "https://proxy.golang.org",
|
||||
ChecksumDB: "https://sum.golang.org",
|
||||
VerifyChecksums: true,
|
||||
},
|
||||
NPM: NPMHandlerConfig{
|
||||
Enabled: true,
|
||||
UpstreamRegistry: "https://registry.npmjs.org",
|
||||
},
|
||||
PyPI: PyPIHandlerConfig{
|
||||
Enabled: true,
|
||||
UpstreamURL: "https://pypi.org",
|
||||
SimpleAPIURL: "https://pypi.org/simple",
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Validate validates the configuration
|
||||
func (c *Config) Validate() error {
|
||||
// Validate server
|
||||
if c.Server.Port < 1 || c.Server.Port > 65535 {
|
||||
return fmt.Errorf("server.port must be between 1 and 65535, got %d", c.Server.Port)
|
||||
}
|
||||
|
||||
// Validate storage backend
|
||||
validStorageBackends := map[string]bool{"filesystem": true, "s3": true, "smb": true, "nfs": true}
|
||||
if !validStorageBackends[c.Storage.Backend] {
|
||||
return fmt.Errorf("storage.backend must be one of: filesystem, s3, smb, nfs; got %s", c.Storage.Backend)
|
||||
}
|
||||
|
||||
// Validate metadata backend
|
||||
validMetadataBackends := map[string]bool{"sqlite": true, "postgresql": true, "file": true}
|
||||
if !validMetadataBackends[c.Metadata.Backend] {
|
||||
return fmt.Errorf("metadata.backend must be one of: sqlite, postgresql, file; got %s", c.Metadata.Backend)
|
||||
}
|
||||
|
||||
// Validate cache
|
||||
if c.Cache.DefaultTTL < 0 {
|
||||
return fmt.Errorf("cache.default_ttl cannot be negative")
|
||||
}
|
||||
if c.Cache.MaxSizeBytes < 0 {
|
||||
return fmt.Errorf("cache.max_size_bytes cannot be negative")
|
||||
}
|
||||
|
||||
// Validate security
|
||||
validSeverities := map[string]bool{"none": true, "low": true, "medium": true, "high": true, "critical": true}
|
||||
if !validSeverities[c.Security.BlockOnSeverity] {
|
||||
return fmt.Errorf("security.block_on_severity must be one of: none, low, medium, high, critical; got %s", c.Security.BlockOnSeverity)
|
||||
}
|
||||
|
||||
// Validate logging level
|
||||
validLevels := map[string]bool{"debug": true, "info": true, "warn": true, "error": true}
|
||||
if !validLevels[c.Logging.Level] {
|
||||
return fmt.Errorf("logging.level must be one of: debug, info, warn, error; got %s", c.Logging.Level)
|
||||
}
|
||||
|
||||
// Validate logging format
|
||||
validFormats := map[string]bool{"json": true, "pretty": true}
|
||||
if !validFormats[c.Logging.Format] {
|
||||
return fmt.Errorf("logging.format must be one of: json, pretty; got %s", c.Logging.Format)
|
||||
}
|
||||
|
||||
// Validate auth
|
||||
if c.Auth.BcryptCost < 4 || c.Auth.BcryptCost > 31 {
|
||||
return fmt.Errorf("auth.bcrypt_cost must be between 4 and 31, got %d", c.Auth.BcryptCost)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
Reference in New Issue
Block a user