roof/pic - pic - Gitea: Git with a cup of tea

roof/pic

Fork 0

Commit Graph

Author	SHA1	Message	Date
roof	c40919d374	feat: Phase 0 — manifest_validator, compose YAML safety check, cap_add allowlist, backend denylist, provision hook enforcement, size cap Introduces api/manifest_validator.py as a single security chokepoint imported by both ServiceComposer and ServiceStoreManager: - validate_manifest(): rejects kind=builtin, reserved container names, reserved subdomains, backend denylist (localhost, cell-api, etc.), cap_add outside allowlist / in denylist, shell-string provision hooks, and env values with shell-special characters - validate_rendered_compose(): walks the rendered YAML and rejects privileged:true, host network/pid/ipc/userns, absolute bind mounts, denied capabilities, devices key, apparmor/seccomp unconfined, and string-form command/entrypoint (shell-injection vector) - validate_provision_hook(): requires argv list form, lowercase binary, rejects NUL bytes ServiceStoreManager changes: - _validate_manifest() delegates to validate_manifest() after existing checks - _fetch_manifest() and fetch_index() now stream with a 256 KB size cap (prevents memory exhaustion from a malicious or compromised index) - Digest-pin warning for images missing @sha256 (hard error for unknown registries, warning for git.pic.ngo/roof/* and TRUSTED_IMAGES_NO_DIGEST) ServiceComposer changes: - write_compose() calls validate_rendered_compose() before any disk write so no partial file is left if validation fails - render_template() substitutes ${PIC_DATA_DIR} with the resolved data_dir path 102 new tests in tests/test_manifest_validator.py covering all five P0 security issues. Existing test mocks updated to use streaming response pattern (stream=True + raw.read) and valid compose YAML templates. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-29 07:23:08 -04:00
roof	16fb362df7	feat: replace hardcoded service names with ServiceRegistry-driven Caddy and CoreDNS config Unit Tests / test (push) Failing after 11s Details Previously, CaddyManager and NetworkManager contained hardcoded lists of service names (calendar, files, mail, webdav, etc.), meaning every new service required a code change to appear in Caddy routes and DNS records. Now both managers accept a service_registry parameter and derive their service lists dynamically from the registry at runtime. - CaddyManager: new _build_registry_service_routes() and _http01_service_pairs() methods pull routes from the registry - NetworkManager: new _get_service_subdomains() method returns registry subdomains with a hardcoded fallback when no registry is wired in; _build_dns_records, stale-record detection, and service name sets all use the registry - managers.py: service_registry constructed before network_manager so it can be injected into both CaddyManager and NetworkManager - service_registry.py: validation chokepoint in get_caddy_routes() rejects invalid subdomain/backend values and reserved service names - service_store_manager.py: _validate_manifest now validates top-level subdomain, backend, extra_subdomains, and extra_backends fields - tests: 24 new tests covering registry-driven routing and DNS subdomain generation (test_caddy_registry_integration.py) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-28 18:27:52 -04:00
roof	0a21f22076	Phase 4: service store — manifest validation, install/remove, Store UI - ServiceStoreManager: manifest allowlist (git.pic.ngo/roof/*), volume denylist, ACCEPT-only iptables rules, ${SERVICE_IP}-only dest_ip - IP allocator: pool 172.20.0.20-254, skips CONTAINER_OFFSETS VIPs - Compose overlay: docker-compose.services.yml auto-included via DCF - Flask blueprint at /api/store: list, install, remove, refresh - Store.jsx: full install/remove UI with spinners and toast notifications - 95 new unit tests for ServiceStoreManager (all passing) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 10:19:39 -04:00

Author

SHA1

Message

Date

roof

c40919d374

feat: Phase 0 — manifest_validator, compose YAML safety check, cap_add allowlist, backend denylist, provision hook enforcement, size cap

Introduces api/manifest_validator.py as a single security chokepoint
imported by both ServiceComposer and ServiceStoreManager:

- validate_manifest(): rejects kind=builtin, reserved container names,
  reserved subdomains, backend denylist (localhost, cell-api, etc.),
  cap_add outside allowlist / in denylist, shell-string provision hooks,
  and env values with shell-special characters
- validate_rendered_compose(): walks the rendered YAML and rejects
  privileged:true, host network/pid/ipc/userns, absolute bind mounts,
  denied capabilities, devices key, apparmor/seccomp unconfined, and
  string-form command/entrypoint (shell-injection vector)
- validate_provision_hook(): requires argv list form, lowercase binary,
  rejects NUL bytes

ServiceStoreManager changes:
- _validate_manifest() delegates to validate_manifest() after existing checks
- _fetch_manifest() and fetch_index() now stream with a 256 KB size cap
  (prevents memory exhaustion from a malicious or compromised index)
- Digest-pin warning for images missing @sha256 (hard error for unknown
  registries, warning for git.pic.ngo/roof/* and TRUSTED_IMAGES_NO_DIGEST)

ServiceComposer changes:
- write_compose() calls validate_rendered_compose() before any disk write
  so no partial file is left if validation fails
- render_template() substitutes ${PIC_DATA_DIR} with the resolved data_dir path

102 new tests in tests/test_manifest_validator.py covering all five P0
security issues.  Existing test mocks updated to use streaming response
pattern (stream=True + raw.read) and valid compose YAML templates.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-29 07:23:08 -04:00

roof

16fb362df7

feat: replace hardcoded service names with ServiceRegistry-driven Caddy and CoreDNS config

Unit Tests / test (push) Failing after 11s

Details

Previously, CaddyManager and NetworkManager contained hardcoded lists of
service names (calendar, files, mail, webdav, etc.), meaning every new
service required a code change to appear in Caddy routes and DNS records.
Now both managers accept a service_registry parameter and derive their
service lists dynamically from the registry at runtime.

- CaddyManager: new _build_registry_service_routes() and
  _http01_service_pairs() methods pull routes from the registry
- NetworkManager: new _get_service_subdomains() method returns registry
  subdomains with a hardcoded fallback when no registry is wired in;
  _build_dns_records, stale-record detection, and service name sets all
  use the registry
- managers.py: service_registry constructed before network_manager so it
  can be injected into both CaddyManager and NetworkManager
- service_registry.py: validation chokepoint in get_caddy_routes() rejects
  invalid subdomain/backend values and reserved service names
- service_store_manager.py: _validate_manifest now validates top-level
  subdomain, backend, extra_subdomains, and extra_backends fields
- tests: 24 new tests covering registry-driven routing and DNS subdomain
  generation (test_caddy_registry_integration.py)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-28 18:27:52 -04:00

roof

0a21f22076

Phase 4: service store — manifest validation, install/remove, Store UI

- ServiceStoreManager: manifest allowlist (git.pic.ngo/roof/*), volume
  denylist, ACCEPT-only iptables rules, ${SERVICE_IP}-only dest_ip
- IP allocator: pool 172.20.0.20-254, skips CONTAINER_OFFSETS VIPs
- Compose overlay: docker-compose.services.yml auto-included via DCF
- Flask blueprint at /api/store: list, install, remove, refresh
- Store.jsx: full install/remove UI with spinners and toast notifications
- 95 new unit tests for ServiceStoreManager (all passing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-09 10:19:39 -04:00

3 Commits