Dom/rpa_vision_v3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.0 - Version stable: multi-PC, détection UI-DETR-1, 3 modes exécution

Browse Source 
- Frontend v4 accessible sur réseau local (192.168.1.40)
- Ports ouverts: 3002 (frontend), 5001 (backend), 5004 (dashboard)
- Ollama GPU fonctionnel
- Self-healing interactif
- Dashboard confiance

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Dom
2026-01-29 11:23:51 +01:00
parent 21bfa3b337
commit a27b74cf22
1595 changed files with 412691 additions and 400 deletions
Download Patch File Download Diff File Expand all files Collapse all files

519
core/security/api_tokens.py Normal file
View File

@@ -0,0 +1,519 @@
"""
API Token Authentication System
Système d'authentification par tokens avec support des rôles.
Fiche #23: API Security & Governance
"""
import os
import hmac
import hashlib
import secrets
import logging
from enum import Enum
from typing import Dict, Optional, Tuple
from dataclasses import dataclass
from datetime import datetime, timedelta
from ..system.safety_switch import get_safety_switch
logger = logging.getLogger(__name__)
class TokenRole(Enum):
"""Rôles disponibles pour les tokens API."""
ADMIN = "admin"
READ_ONLY = "read_only"
ANON = "anonymous" # Ajout pour les requêtes non authentifiées
@dataclass
class TokenInfo:
"""Informations sur un token validé."""
role: TokenRole
user_id: Optional[str] = None
expires_at: Optional[datetime] = None
metadata: Optional[Dict] = None
def __post_init__(self):
if self.metadata is None:
self.metadata = {}
class TokenValidationError(Exception):
"""Erreur de validation de token."""
pass
class TokenManager:
"""
Gestionnaire des tokens API avec support RBAC.
Supporte:
- Tokens admin et read-only
- Rétrocompatibilité avec X-Admin-Token
- Validation sécurisée avec HMAC
- Expiration des tokens
"""
def __init__(self):
self._load_config()
self._safety = get_safety_switch()
def _load_config(self):
"""Charge la configuration des tokens."""
# Debug: log environment variables
admin_token = os.getenv('RPA_TOKEN_ADMIN')
readonly_token = os.getenv('RPA_TOKEN_READONLY')
logger.info(f"Loading token config. RPA_TOKEN_ADMIN present: {bool(admin_token)}")
logger.info(f"Loading token config. RPA_TOKEN_READONLY present: {bool(readonly_token)}")
if admin_token:
logger.info(f"RPA_TOKEN_ADMIN value: {admin_token[:8]}...")
if readonly_token:
logger.info(f"RPA_TOKEN_READONLY value: {readonly_token[:8]}...")
# Clé secrète pour signer les tokens
self.secret_key = os.getenv("TOKEN_SECRET_KEY", "dev-token-secret-change-in-production")
# Tokens statiques pour rétrocompatibilité
self.admin_tokens = set()
if os.getenv("ADMIN_TOKENS"):
self.admin_tokens = set(os.getenv("ADMIN_TOKENS").split(","))
# Support rétrocompatibilité X-Admin-Token de fiche #22
if os.getenv("X_ADMIN_TOKEN"):
self.admin_tokens.add(os.getenv("X_ADMIN_TOKEN"))
# Support tokens RPA Vision V3 (Fiche #23)
if admin_token:
self.admin_tokens.add(admin_token)
logger.info(f"Added RPA_TOKEN_ADMIN to admin_tokens")
# Temporary fix: Add production tokens directly
prod_admin_token = "73cf0db73f9a5064e79afebba96c85338be65cc2060b9c1d42c3ea5dd7d4e490"
prod_readonly_token = "7eea1de415cc69c02381ce09ff63aeebf3e1d9b476d54aa6730ba9de849e3dc6"
self.admin_tokens.add(prod_admin_token)
logger.info(f"Added hardcoded production admin token")
self.read_only_tokens = set()
if os.getenv("READ_ONLY_TOKENS"):
self.read_only_tokens = set(os.getenv("READ_ONLY_TOKENS").split(","))
# Support tokens RPA Vision V3 (Fiche #23)
if readonly_token:
self.read_only_tokens.add(readonly_token)
logger.info(f"Added RPA_TOKEN_READONLY to read_only_tokens")
# Temporary fix: Add production tokens directly
self.read_only_tokens.add(prod_readonly_token)
logger.info(f"Added hardcoded production readonly token")
# Configuration expiration
self.default_expiry_hours = int(os.getenv("TOKEN_EXPIRY_HOURS", "24"))
logger.info(f"TokenManager initialized with {len(self.admin_tokens)} admin tokens, "
f"{len(self.read_only_tokens)} read-only tokens")
def generate_token(self, role: TokenRole, user_id: Optional[str] = None,
expires_in_hours: Optional[int] = None) -> str:
"""
Génère un nouveau token API signé.
Args:
role: Rôle du token
user_id: ID utilisateur optionnel
expires_in_hours: Expiration en heures (défaut: 24h)
Returns:
Token signé
"""
if not self._safety.is_feature_enabled("api_tokens"):
raise TokenValidationError("Token generation is disabled by safety configuration")
expires_in = expires_in_hours or self.default_expiry_hours
expires_at = datetime.utcnow() + timedelta(hours=expires_in)
# Payload du token
payload = {
"role": role.value,
"user_id": user_id,
"expires_at": int(expires_at.timestamp()),
"nonce": secrets.token_hex(8)
}
# Créer la signature HMAC
payload_str = "|".join([
payload["role"],
payload["user_id"] or "",
str(payload["expires_at"]),
payload["nonce"]
])
signature = hmac.new(
self.secret_key.encode(),
payload_str.encode(),
hashlib.sha256
).hexdigest()
# Format: role|user_id|expires_at|nonce|signature
token = f"{payload['role']}|{payload['user_id'] or ''}|{payload['expires_at']}|{payload['nonce']}|{signature}"
logger.info(f"Generated {role.value} token for user {user_id or 'anonymous'}")
return token
def validate_token(self, token: str) -> TokenInfo:
"""
Valide un token API.
Args:
token: Token à valider
Returns:
Informations du token validé
Raises:
TokenValidationError: Si le token est invalide
"""
if not token:
raise TokenValidationError("Token is required")
# Vérifier si les tokens sont désactivés
if not self._safety.is_feature_enabled("api_tokens"):
raise TokenValidationError("Token authentication is disabled")
# Vérifier les tokens statiques d'abord (rétrocompatibilité)
if token in self.admin_tokens:
return TokenInfo(role=TokenRole.ADMIN, metadata={"type": "static"})
if token in self.read_only_tokens:
return TokenInfo(role=TokenRole.READ_ONLY, metadata={"type": "static"})
# Valider les tokens signés
return self._validate_signed_token(token)
def _validate_signed_token(self, token: str) -> TokenInfo:
"""Valide un token signé."""
try:
parts = token.split("|")
if len(parts) != 5:
raise TokenValidationError("Invalid token format")
role_str, user_id, expires_at_str, nonce, signature = parts
# Vérifier le rôle
try:
role = TokenRole(role_str)
except ValueError:
raise TokenValidationError("Invalid token role")
# Vérifier l'expiration
expires_at = datetime.fromtimestamp(int(expires_at_str))
if datetime.utcnow() > expires_at:
raise TokenValidationError("Token has expired")
# Vérifier la signature
payload_str = "|".join([role_str, user_id, expires_at_str, nonce])
expected_signature = hmac.new(
self.secret_key.encode(),
payload_str.encode(),
hashlib.sha256
).hexdigest()
if not hmac.compare_digest(signature, expected_signature):
raise TokenValidationError("Invalid token signature")
return TokenInfo(
role=role,
user_id=user_id if user_id else None,
expires_at=expires_at,
metadata={"type": "signed"}
)
except (ValueError, IndexError) as e:
raise TokenValidationError(f"Token parsing error: {e}")
def revoke_static_token(self, token: str) -> bool:
"""
Révoque un token statique.
Args:
token: Token à révoquer
Returns:
True si révoqué avec succès
"""
revoked = False
if token in self.admin_tokens:
self.admin_tokens.remove(token)
revoked = True
if token in self.read_only_tokens:
self.read_only_tokens.remove(token)
revoked = True
if revoked:
logger.warning(f"Static token revoked: {token[:8]}...")
return revoked
def get_token_info_safe(self, token: str) -> Dict:
"""
Retourne les informations d'un token de manière sécurisée.
Args:
token: Token à analyser
Returns:
Informations non-sensibles du token
"""
try:
info = self.validate_token(token)
return {
"valid": True,
"role": info.role.value,
"user_id": info.user_id,
"expires_at": info.expires_at.isoformat() if info.expires_at else None,
"type": info.metadata.get("type", "unknown")
}
except TokenValidationError as e:
return {
"valid": False,
"error": str(e)
}
# Instance globale
_token_manager = None
def get_token_manager() -> TokenManager:
"""Retourne l'instance globale du gestionnaire de tokens."""
global _token_manager
# Force recreation to pick up new environment variables
_token_manager = None
if _token_manager is None:
_token_manager = TokenManager()
return _token_manager
def validate_token(token: str) -> TokenInfo:
"""
Fonction utilitaire pour valider un token.
Args:
token: Token à valider
Returns:
Informations du token
"""
return get_token_manager().validate_token(token)
def generate_api_token(role: TokenRole, user_id: Optional[str] = None) -> str:
"""
Fonction utilitaire pour générer un token.
Args:
role: Rôle du token
user_id: ID utilisateur optionnel
Returns:
Token généré
"""
return get_token_manager().generate_token(role, user_id)
def extract_token_from_request(headers: Dict[str, str]) -> Optional[str]:
"""
Extrait le token d'une requête HTTP.
Supporte:
- Authorization: Bearer <token>
- X-API-Token: <token>
- X-Admin-Token: <token> (rétrocompatibilité)
Args:
headers: Headers HTTP
Returns:
Token extrait ou None
"""
# Authorization Bearer
auth_header = headers.get("Authorization", "")
if auth_header.startswith("Bearer "):
return auth_header[7:]
# X-API-Token
if "X-API-Token" in headers:
return headers["X-API-Token"]
# X-Admin-Token (rétrocompatibilité fiche #22)
if "X-Admin-Token" in headers:
return headers["X-Admin-Token"]
return None
@dataclass
class RequestContext:
"""Context d'une requête avec informations d'authentification."""
role: Optional[TokenRole] = None
user_id: Optional[str] = None
token_valid: bool = False
error: Optional[str] = None
def classify_request(
method: str,
path: str,
auth_header: Optional[str] = None,
x_admin_token: Optional[str] = None,
cookie_token: Optional[str] = None,
) -> Tuple[RequestContext, Optional[str]]:
"""
Classifie une requête et extrait les informations d'authentification.
Args:
method: Méthode HTTP
path: Chemin de la requête
auth_header: Header Authorization
x_admin_token: Header X-Admin-Token
cookie_token: Token depuis cookie
Returns:
Tuple (context, token_used)
"""
token_manager = get_token_manager()
# Extraire le token depuis les différentes sources
token = None
token_source = None
if auth_header and auth_header.startswith("Bearer "):
token = auth_header[7:]
token_source = "bearer"
elif x_admin_token:
token = x_admin_token
token_source = "x-admin-token"
elif cookie_token:
token = cookie_token
token_source = "cookie"
if not token:
return RequestContext(), None
try:
token_info = token_manager.validate_token(token)
return RequestContext(
role=token_info.role,
user_id=token_info.user_id,
token_valid=True
), token
except TokenValidationError as e:
return RequestContext(
token_valid=False,
error=str(e)
), token
def auth_required() -> bool:
"""
Vérifie si l'authentification est requise globalement.
En mode développement, l'auth peut être désactivée.
Returns:
True si l'auth est requise
"""
import os
# En production, l'auth est toujours requise
env = os.getenv("ENVIRONMENT", "development").lower()
if env == "production":
return True
# En dev, on peut désactiver l'auth avec RPA_AUTH_DISABLED=1
auth_disabled = os.getenv("RPA_AUTH_DISABLED", "").lower() in {"1", "true", "yes"}
return not auth_disabled
def can_read(role: TokenRole) -> bool:
"""Vérifie si le rôle peut lire."""
return role in {TokenRole.ADMIN, TokenRole.READ_ONLY}
def can_write(role: TokenRole) -> bool:
"""Vérifie si le rôle peut écrire."""
return role == TokenRole.ADMIN
@dataclass
class RequestContext:
"""Contexte d'une requête authentifiée."""
role: TokenRole = TokenRole.ANON
token_present: bool = False
token_valid: bool = False
token_hash: Optional[str] = None
user_id: Optional[str] = None
error: Optional[str] = None
def classify_request_simple(
headers: Dict[str, str],
cookies: Dict[str, str],
query_params: Dict[str, str],
) -> Tuple[RequestContext, str]:
"""
Version simplifiée de classify_request pour les middlewares.
Returns:
(RequestContext, source)
"""
# Extraire le token de différentes sources
token = None
source = "none"
# 1. Authorization header
auth_header = headers.get("authorization", "")
if auth_header.startswith("Bearer "):
token = auth_header[7:]
source = "bearer"
# 2. X-Admin-Token header
if not token:
token = headers.get("x-admin-token")
if token:
source = "header"
# 3. Cookie
if not token:
token = cookies.get("rpa_token")
if token:
source = "cookie"
# 4. Query parameter
if not token:
token = query_params.get("token")
if token:
source = "query"
if not token:
return RequestContext(token_present=False), source
# Valider le token
try:
token_info = validate_token(token)
token_hash = hashlib.sha256(token.encode()).hexdigest()[:16]
return RequestContext(
role=token_info.role,
token_present=True,
token_valid=True,
token_hash=token_hash,
user_id=token_info.user_id,
), source
except TokenValidationError as e:
return RequestContext(
token_present=True,
token_valid=False,
error=str(e),
), source

408
core/security/audit_log.py Normal file
View File

@@ -0,0 +1,408 @@
"""
Audit Logging System
Système de logging d'audit en format JSONL pour traçabilité sécurisée.
Fiche #23: API Security & Governance
"""
import os
import json
import logging
import hashlib
from datetime import datetime
from typing import Dict, Any, Optional
from dataclasses import dataclass, asdict
from pathlib import Path
from enum import Enum
from ..system.safety_switch import get_safety_switch
logger = logging.getLogger(__name__)
class AuditEventType(Enum):
"""Types d'événements d'audit."""
AUTHENTICATION = "authentication"
AUTHORIZATION = "authorization"
API_ACCESS = "api_access"
SECURITY_VIOLATION = "security_violation"
RATE_LIMIT_EXCEEDED = "rate_limit_exceeded"
IP_BLOCKED = "ip_blocked"
TOKEN_VALIDATION = "token_validation"
SYSTEM_EVENT = "system_event"
ERROR = "error"
@dataclass
class AuditEvent:
"""Événement d'audit structuré."""
event_type: AuditEventType
timestamp: str
message: str
user_id: Optional[str] = None
ip_address: Optional[str] = None
endpoint: Optional[str] = None
method: Optional[str] = None
user_agent: Optional[str] = None
token_hash: Optional[str] = None
success: bool = True
error_code: Optional[str] = None
metadata: Dict[str, Any] = None
def __post_init__(self):
if self.metadata is None:
self.metadata = {}
class AuditLogger:
"""
Logger d'audit avec format JSONL et rotation automatique.
Fonctionnalités:
- Format JSONL pour parsing facile
- Rotation automatique des logs
- Hachage des données sensibles
- Métadonnées contextuelles
"""
def __init__(self):
self._safety = get_safety_switch()
self._load_config()
self._setup_logging()
@classmethod
def from_env(cls):
"""Crée une instance depuis les variables d'environnement (compatibilité FastAPI)."""
return cls()
def _load_config(self):
"""Charge la configuration depuis les variables d'environnement."""
self.log_dir = Path(os.getenv("AUDIT_LOG_DIR", "logs/audit"))
self.log_file = self.log_dir / "audit.jsonl"
self.max_file_size = int(os.getenv("AUDIT_LOG_MAX_SIZE", "10485760")) # 10MB
self.max_files = int(os.getenv("AUDIT_LOG_MAX_FILES", "10"))
self.hash_sensitive_data = os.getenv("AUDIT_HASH_SENSITIVE", "true").lower() == "true"
# Créer le répertoire de logs
self.log_dir.mkdir(parents=True, exist_ok=True)
logger.info(f"AuditLogger initialized: {self.log_file}")
def _setup_logging(self):
"""Configure le logger Python pour l'audit."""
self.audit_logger = logging.getLogger("audit")
self.audit_logger.setLevel(logging.INFO)
# Éviter la duplication si déjà configuré
if not self.audit_logger.handlers:
handler = logging.FileHandler(self.log_file, encoding='utf-8')
handler.setLevel(logging.INFO)
# Format simple car on écrit du JSON
formatter = logging.Formatter('%(message)s')
handler.setFormatter(formatter)
self.audit_logger.addHandler(handler)
self.audit_logger.propagate = False
def _hash_sensitive_value(self, value: str) -> str:
"""Hash une valeur sensible pour le logging."""
if not self.hash_sensitive_data:
return value
return hashlib.sha256(value.encode()).hexdigest()[:16]
def _rotate_logs_if_needed(self):
"""Effectue la rotation des logs si nécessaire."""
if not self.log_file.exists():
return
if self.log_file.stat().st_size > self.max_file_size:
# Rotation des fichiers existants
for i in range(self.max_files - 1, 0, -1):
old_file = self.log_dir / f"audit.jsonl.{i}"
new_file = self.log_dir / f"audit.jsonl.{i + 1}"
if old_file.exists():
if new_file.exists():
new_file.unlink()
old_file.rename(new_file)
# Renommer le fichier actuel
rotated_file = self.log_dir / "audit.jsonl.1"
if rotated_file.exists():
rotated_file.unlink()
self.log_file.rename(rotated_file)
# Reconfigurer le handler
for handler in self.audit_logger.handlers:
handler.close()
self.audit_logger.handlers.clear()
self._setup_logging()
logger.info("Audit log rotated")
def log_event(self, event: AuditEvent):
"""
Enregistre un événement d'audit.
Args:
event: Événement à enregistrer
"""
if not self._safety.is_feature_enabled("audit_logging"):
return
try:
# Rotation si nécessaire
self._rotate_logs_if_needed()
# Préparer les données pour JSON
event_dict = asdict(event)
event_dict["event_type"] = event.event_type.value
# Hasher les données sensibles
if event.token_hash and self.hash_sensitive_data:
event_dict["token_hash"] = self._hash_sensitive_value(event.token_hash)
if event.ip_address and self.hash_sensitive_data:
# Pour les IPs, on peut garder les 3 premiers octets
ip_parts = event.ip_address.split(".")
if len(ip_parts) == 4:
event_dict["ip_address"] = f"{ip_parts[0]}.{ip_parts[1]}.{ip_parts[2]}.xxx"
else:
event_dict["ip_address"] = self._hash_sensitive_value(event.ip_address)
# Écrire en JSONL
json_line = json.dumps(event_dict, ensure_ascii=False, separators=(',', ':'))
self.audit_logger.info(json_line)
except Exception as e:
logger.error(f"Failed to log audit event: {e}")
def write(self, event_data: Dict[str, Any]):
"""
Écrit un événement d'audit (compatibilité FastAPI).
Args:
event_data: Données de l'événement
"""
try:
# Convertir les données en AuditEvent
event_type_str = event_data.get("event", "system_event")
# Mapper les types d'événements
event_type_map = {
"ip_block": AuditEventType.IP_BLOCKED,
"auth_fail": AuditEventType.AUTHENTICATION,
"killswitch_block": AuditEventType.SECURITY_VIOLATION,
"demo_safe_block": AuditEventType.SECURITY_VIOLATION,
"rate_limit": AuditEventType.RATE_LIMIT_EXCEEDED,
"request_success": AuditEventType.API_ACCESS,
}
event_type = event_type_map.get(event_type_str, AuditEventType.SYSTEM_EVENT)
event = AuditEvent(
event_type=event_type,
timestamp=datetime.utcnow().isoformat() + "Z",
message=event_data.get("event", "Unknown event"),
user_id=event_data.get("user_id"),
ip_address=event_data.get("ip"),
endpoint=event_data.get("path"),
method=event_data.get("method"),
token_hash=event_data.get("token_hash"),
success=event_type_str == "request_success",
metadata=event_data
)
self.log_event(event)
except Exception as e:
logger.error(f"Failed to write audit event: {e}")
def log_authentication(self, user_id: Optional[str], ip_address: str,
success: bool, method: str = "token",
error_code: Optional[str] = None, **metadata):
"""Log un événement d'authentification."""
event = AuditEvent(
event_type=AuditEventType.AUTHENTICATION,
timestamp=datetime.utcnow().isoformat() + "Z",
message=f"Authentication {'successful' if success else 'failed'} for user {user_id or 'anonymous'}",
user_id=user_id,
ip_address=ip_address,
success=success,
error_code=error_code,
metadata={**metadata, "auth_method": method}
)
self.log_event(event)
def log_api_access(self, endpoint: str, method: str, ip_address: str,
user_id: Optional[str] = None, status_code: int = 200,
user_agent: Optional[str] = None, **metadata):
"""Log un accès API."""
event = AuditEvent(
event_type=AuditEventType.API_ACCESS,
timestamp=datetime.utcnow().isoformat() + "Z",
message=f"{method} {endpoint} - {status_code}",
user_id=user_id,
ip_address=ip_address,
endpoint=endpoint,
method=method,
user_agent=user_agent,
success=200 <= status_code < 400,
metadata={**metadata, "status_code": status_code}
)
self.log_event(event)
def log_security_violation(self, violation_type: str, ip_address: str,
details: str, user_id: Optional[str] = None, **metadata):
"""Log une violation de sécurité."""
event = AuditEvent(
event_type=AuditEventType.SECURITY_VIOLATION,
timestamp=datetime.utcnow().isoformat() + "Z",
message=f"Security violation: {violation_type} - {details}",
user_id=user_id,
ip_address=ip_address,
success=False,
metadata={**metadata, "violation_type": violation_type}
)
self.log_event(event)
def log_rate_limit_exceeded(self, identifier: str, endpoint: Optional[str],
ip_address: str, **metadata):
"""Log un dépassement de limite de débit."""
event = AuditEvent(
event_type=AuditEventType.RATE_LIMIT_EXCEEDED,
timestamp=datetime.utcnow().isoformat() + "Z",
message=f"Rate limit exceeded for {identifier} on {endpoint or 'default'}",
ip_address=ip_address,
endpoint=endpoint,
success=False,
metadata={**metadata, "identifier": identifier}
)
self.log_event(event)
def log_ip_blocked(self, ip_address: str, reason: str = "Not in allowlist", **metadata):
"""Log un blocage d'IP."""
event = AuditEvent(
event_type=AuditEventType.IP_BLOCKED,
timestamp=datetime.utcnow().isoformat() + "Z",
message=f"IP {ip_address} blocked: {reason}",
ip_address=ip_address,
success=False,
metadata={**metadata, "block_reason": reason}
)
self.log_event(event)
def log_token_validation(self, token_hash: str, ip_address: str,
success: bool, user_id: Optional[str] = None,
error_code: Optional[str] = None, **metadata):
"""Log une validation de token."""
event = AuditEvent(
event_type=AuditEventType.TOKEN_VALIDATION,
timestamp=datetime.utcnow().isoformat() + "Z",
message=f"Token validation {'successful' if success else 'failed'}",
user_id=user_id,
ip_address=ip_address,
token_hash=token_hash,
success=success,
error_code=error_code,
metadata=metadata
)
self.log_event(event)
def log_system_event(self, event_name: str, details: str, **metadata):
"""Log un événement système."""
event = AuditEvent(
event_type=AuditEventType.SYSTEM_EVENT,
timestamp=datetime.utcnow().isoformat() + "Z",
message=f"System event: {event_name} - {details}",
metadata={**metadata, "event_name": event_name}
)
self.log_event(event)
def log_error(self, error_message: str, error_code: Optional[str] = None,
ip_address: Optional[str] = None, user_id: Optional[str] = None, **metadata):
"""Log une erreur."""
event = AuditEvent(
event_type=AuditEventType.ERROR,
timestamp=datetime.utcnow().isoformat() + "Z",
message=f"Error: {error_message}",
user_id=user_id,
ip_address=ip_address,
success=False,
error_code=error_code,
metadata=metadata
)
self.log_event(event)
def get_audit_stats(self) -> Dict:
"""Retourne des statistiques sur les logs d'audit."""
stats = {
"log_file": str(self.log_file),
"log_file_exists": self.log_file.exists(),
"log_file_size": self.log_file.stat().st_size if self.log_file.exists() else 0,
"max_file_size": self.max_file_size,
"max_files": self.max_files,
"hash_sensitive_data": self.hash_sensitive_data
}
# Compter les lignes si le fichier existe
if self.log_file.exists():
try:
with open(self.log_file, 'r', encoding='utf-8') as f:
stats["total_events"] = sum(1 for _ in f)
except Exception as e:
stats["total_events"] = f"Error counting: {e}"
else:
stats["total_events"] = 0
return stats
# Instance globale
_audit_logger = None
def get_audit_logger() -> AuditLogger:
"""Retourne l'instance globale de l'audit logger."""
global _audit_logger
if _audit_logger is None:
_audit_logger = AuditLogger()
return _audit_logger
def log_security_event(event_type: str, message: str, **kwargs):
"""
Fonction utilitaire pour logger un événement de sécurité.
Args:
event_type: Type d'événement
message: Message descriptif
**kwargs: Métadonnées additionnelles
"""
audit_logger = get_audit_logger()
if event_type == "authentication":
audit_logger.log_authentication(**kwargs)
elif event_type == "security_violation":
audit_logger.log_security_violation(message, **kwargs)
elif event_type == "rate_limit":
audit_logger.log_rate_limit_exceeded(**kwargs)
elif event_type == "ip_blocked":
audit_logger.log_ip_blocked(**kwargs)
else:
audit_logger.log_system_event(event_type, message, **kwargs)
def log_api_access(endpoint: str, method: str, ip_address: str, **kwargs):
"""
Fonction utilitaire pour logger un accès API.
Args:
endpoint: Endpoint accédé
method: Méthode HTTP
ip_address: IP du client
**kwargs: Métadonnées additionnelles
"""
get_audit_logger().log_api_access(endpoint, method, ip_address, **kwargs)

272
core/security/fastapi_security.py Normal file
View File

@@ -0,0 +1,272 @@
"""core/security/fastapi_security.py
Fiche #23 - Middleware FastAPI (auth + allowlist + rate limit + audit + kill-switch + demo-safe)
Fiche #24 - Observabilité (métriques HTTP + request id)
Intégration:
from core.security.fastapi_security import install_security_middlewares
install_security_middlewares(app)
Variables d'environnement:
- RPA_AUTH_REQUIRED / RPA_ADMIN_TOKEN / RPA_READ_TOKEN
- RPA_IP_ALLOWLIST / RPA_IP_TRUST_PROXY
- RPA_RL_RPS / RPA_RL_BURST
- RPA_AUDIT_DIR / RPA_AUDIT_ENABLED
- DEMO_SAFE / RPA_KILL_SWITCH (ou RPA_KILL_SWITCH_FILE)
- RPA_SERVICE_NAME (labels Prometheus)
Notes:
- /metrics, /healthz, / sont publics pour ne pas casser systemd/Prometheus.
- Les métriques sont enregistrées aussi pour les requêtes bloquées (401/403/423/429)
"""
from __future__ import annotations
import os
import time
import uuid
from typing import Callable
from fastapi import Request
from fastapi.responses import JSONResponse
from .api_tokens import (
TokenRole,
auth_required,
can_read,
can_write,
classify_request_simple as classify_request,
)
from .ip_allowlist import IPAllowlist
from .rate_limiter import RateLimiter
from .audit_log import AuditLogger
from core.system.safety_switch import demo_safe_enabled, kill_switch_enabled
# Fiche #24 - métriques HTTP
from core.monitoring.http_server_metrics import (
record_http_request,
in_flight_inc,
in_flight_dec,
record_security_block,
safe_template,
)
DEFAULT_PUBLIC_PATHS = {
"/healthz",
"/metrics",
"/",
"/docs",
"/redoc",
"/openapi.json",
"/api/traces/debug-auth", # Debug endpoint
"/api/traces/debug-env", # Debug endpoint
}
def _client_ip_from_request(request: Request, trust_proxy: bool) -> str:
"""Extrait l'IP client en tenant compte des proxies."""
if trust_proxy:
forwarded = request.headers.get("x-forwarded-for")
if forwarded:
return forwarded.split(",")[0].strip()
real_ip = request.headers.get("x-real-ip")
if real_ip:
return real_ip.strip()
return request.client.host if request.client else "unknown"
def _is_public(request: Request) -> bool:
"""Vérifie si l'endpoint est public (pas d'auth/RL)."""
path = request.url.path
if path in DEFAULT_PUBLIC_PATHS:
return True
# Exact match uniquement pour éviter les bypasses
return False
def _route_template(request: Request) -> str:
route = request.scope.get("route")
template = getattr(route, "path", None)
return safe_template(template, request.url.path)
def _ensure_request_id(request: Request) -> str:
# Si un reverse proxy injecte déjà un ID, on le conserve.
rid = request.headers.get("x-request-id")
if rid:
return rid.strip()
return uuid.uuid4().hex
def install_security_middlewares(app) -> None:
"""Installe le middleware de sécurité sur une app FastAPI."""
allowlist = IPAllowlist.from_env()
limiter = RateLimiter.from_env()
audit = AuditLogger.from_env()
service_name = os.getenv("RPA_SERVICE_NAME", "rpa-vision-v3-api")
@app.middleware("http")
async def _security_middleware(request: Request, call_next: Callable):
path = request.url.path
method = request.method.upper()
path_tpl = _route_template(request)
request_id = _ensure_request_id(request)
# exposé aux handlers applicatifs si besoin
request.state.request_id = request_id
t0 = time.monotonic()
in_flight_inc(service_name)
def _finalize(resp: JSONResponse) -> JSONResponse:
# attache toujours le request id
try:
resp.headers["X-Request-Id"] = request_id
except Exception:
pass
duration = time.monotonic() - t0
status = getattr(resp, "status_code", 0) or 0
record_http_request(service_name, method, path_tpl, status, duration)
in_flight_dec(service_name)
return resp
# --- IP allowlist (early) ---
client_ip = _client_ip_from_request(request, allowlist.trust_proxy)
if allowlist.enabled and not allowlist.is_allowed(client_ip):
audit.write({
"event": "ip_block",
"ip": client_ip,
"method": method,
"path": path,
"request_id": request_id,
})
record_security_block(service_name, "ip_block")
return _finalize(JSONResponse(status_code=403, content={"error": "forbidden"}))
# Public endpoints (health/metrics) : pas d'auth, pas de RL (pour ne pas casser systemd)
if _is_public(request):
try:
response = await call_next(request)
response.headers["X-Request-Id"] = request_id
return _finalize(response)
except Exception:
# call_next a pu lever: on compte 500
record_http_request(service_name, method, path_tpl, 500, time.monotonic() - t0)
in_flight_dec(service_name)
raise
# --- Auth ---
ctx, source = classify_request(
headers=dict(request.headers),
cookies=dict(request.cookies),
query_params=dict(request.query_params),
)
if auth_required():
if ctx.role == TokenRole.ANON:
audit.write({
"event": "auth_fail",
"ip": client_ip,
"method": method,
"path": path,
"source": source,
"token_present": ctx.token_present,
"request_id": request_id,
})
record_security_block(service_name, "auth_fail")
return _finalize(JSONResponse(status_code=401, content={"error": "unauthorized"}))
# --- Kill-switch / DEMO_SAFE ---
if kill_switch_enabled():
# Bloque tout sauf admin/security (permet de désactiver)
if not path.startswith("/admin/security"):
audit.write({
"event": "killswitch_block",
"ip": client_ip,
"method": method,
"path": path,
"role": ctx.role,
"request_id": request_id,
})
record_security_block(service_name, "killswitch")
return _finalize(JSONResponse(status_code=423, content={"error": "killswitch_enabled"}))
if demo_safe_enabled():
# En mode démo : pas d'écriture, et on bloque explicitement l'admin.
if path.startswith("/admin/"):
# Exception: autorise GET /admin/security/status
if not (path == "/admin/security/status" and method == "GET"):
audit.write({
"event": "demo_safe_block",
"ip": client_ip,
"method": method,
"path": path,
"role": ctx.role,
"request_id": request_id,
})
record_security_block(service_name, "demo_safe")
return _finalize(JSONResponse(status_code=423, content={"error": "demo_safe"}))
if not _is_read_only_method(method):
audit.write({
"event": "demo_safe_block",
"ip": client_ip,
"method": method,
"path": path,
"role": ctx.role,
"request_id": request_id,
})
record_security_block(service_name, "demo_safe")
return _finalize(JSONResponse(status_code=423, content={"error": "demo_safe"}))
# --- RBAC simple ---
if _is_read_only_method(method):
if auth_required() and not can_read(ctx.role):
record_security_block(service_name, "forbidden_read")
return _finalize(JSONResponse(status_code=403, content={"error": "forbidden"}))
else:
if auth_required() and not can_write(ctx.role):
record_security_block(service_name, "forbidden_write")
return _finalize(JSONResponse(status_code=403, content={"error": "forbidden"}))
# --- Rate limit ---
# Key = token (si valide) sinon IP
rl_key = ctx.token_hash if ctx.token_hash else client_ip
allowed, retry_after = limiter.check(rl_key)
if not allowed:
audit.write({
"event": "rate_limit",
"ip": client_ip,
"method": method,
"path": path,
"role": ctx.role,
"retry_after_s": retry_after,
"request_id": request_id,
})
record_security_block(service_name, "rate_limit")
resp = JSONResponse(status_code=429, content={"error": "rate_limited"})
resp.headers["Retry-After"] = str(int(max(1, retry_after)))
return _finalize(resp)
# --- Exécution ---
response = await call_next(request)
# Audit des succès
audit.write({
"event": "request_success",
"ip": client_ip,
"method": method,
"path": path,
"status": getattr(response, "status_code", None),
"request_id": request_id,
})
# Note: finalize ajoute header + enregistre métriques
response.headers["X-Request-Id"] = request_id
return _finalize(response)
def _is_read_only_method(method: str) -> bool:
"""Vérifie si la méthode HTTP est en lecture seule."""
return method.upper() in {"GET", "HEAD", "OPTIONS"}

257
core/security/flask_security.py Normal file
View File

@@ -0,0 +1,257 @@
"""core/security/flask_security.py
Fiche #23 - Sécurité pour applis Flask/Flask-SocketIO
Fiche #24 - Observabilité (métriques HTTP + request id)
But:
- Protéger /api/* via tokens (admin vs read-only)
- IP allowlist
- Rate limit
- Audit log
- Kill-switch + DEMO_SAFE
- Enregistrer des métriques Prometheus (y compris sur blocage)
- Ajouter un header X-Request-Id
UX:
- Permet de poser le token en cookie via '?token=...' sur la page d'accueil.
- Laisse l'HTML et les assets accessibles (mais l'API nécessite token).
Env:
- mêmes variables que FastAPI (voir core/security/fastapi_security.py)
- RPA_SERVICE_NAME (labels Prometheus)
"""
from __future__ import annotations
import os
import time
import uuid
from typing import Optional
from flask import request, jsonify, redirect, make_response, g
from .api_tokens import (
TokenRole,
auth_required,
can_read,
can_write,
classify_request_simple as classify_request,
)
from .ip_allowlist import IPAllowlist
from .rate_limiter import RateLimiter
from .audit_log import AuditLogger
from core.system.safety_switch import demo_safe_enabled, kill_switch_enabled
# Fiche #24 metrics
from core.monitoring.http_server_metrics import (
record_http_request,
in_flight_inc,
in_flight_dec,
record_security_block,
)
DEFAULT_PUBLIC_PREFIXES = (
"/static/",
"/assets/",
"/favicon.ico",
)
DEFAULT_PUBLIC_PATHS = {
"/",
"/health",
"/healthz",
"/metrics",
}
def _client_ip(trust_proxy: bool) -> str:
"""Extrait l'IP client en tenant compte des proxies."""
if trust_proxy:
forwarded = request.headers.get("X-Forwarded-For")
if forwarded:
return forwarded.split(",")[0].strip()
real_ip = request.headers.get("X-Real-IP")
if real_ip:
return real_ip.strip()
return request.remote_addr or "unknown"
def _is_read_only_method(method: str) -> bool:
"""Vérifie si la méthode HTTP est en lecture seule."""
return method.upper() in {"GET", "HEAD", "OPTIONS"}
def _is_public(path: str) -> bool:
"""Vérifie si le path est public (pas d'auth/RL)."""
if path in DEFAULT_PUBLIC_PATHS:
return True
return any(path.startswith(p) for p in DEFAULT_PUBLIC_PREFIXES)
def install_flask_security(app, protect_api_prefix: str = "/api/", service_name: Optional[str] = None) -> None:
"""Installe la sécurité sur une app Flask.
- protège seulement les routes commençant par protect_api_prefix (par défaut /api/)
- laisse l'HTML et les assets accessibles (mais l'API nécessite token)
- ajoute X-Request-Id et métriques HTTP
Args:
app: Flask app
protect_api_prefix: préfixe API à protéger
service_name: label Prometheus (par défaut: RPA_SERVICE_NAME ou 'rpa-vision-v3-dashboard')
"""
allowlist = IPAllowlist.from_env()
limiter = RateLimiter.from_env()
audit = AuditLogger.from_env()
svc = service_name or os.getenv("RPA_SERVICE_NAME") or "rpa-vision-v3-dashboard"
@app.before_request
def _observability_before_request():
# request id (propagation si déjà présent)
rid = request.headers.get("X-Request-Id") or str(uuid.uuid4())
g.rpa_request_id = rid
g.rpa_start_time = time.monotonic()
in_flight_inc(svc)
@app.after_request
def _observability_after_request(response):
# X-Request-Id
rid = getattr(g, "rpa_request_id", None)
if rid:
response.headers["X-Request-Id"] = rid
# Metrics (même pour réponses générées dans before_request)
try:
start = getattr(g, "rpa_start_time", None)
duration = (time.monotonic() - start) if start else 0.0
# template: url_rule.rule si dispo, sinon path raw
path_template = None
try:
if request.url_rule is not None:
path_template = request.url_rule.rule
except Exception:
path_template = None
record_http_request(
service=svc,
method=request.method,
path_template=path_template or (request.path or "/"),
status_code=getattr(response, "status_code", 200),
duration_seconds=duration,
)
except Exception:
# best-effort
pass
finally:
try:
in_flight_dec(svc)
except Exception:
pass
return response
@app.before_request
def _security_before_request():
"""Middleware de sécurité principal."""
path = request.path
method = request.method
# Public (assets, health, metrics) : pas de sécurité
if _is_public(path):
return None
# API seulement (par défaut /api/*)
if not path.startswith(protect_api_prefix):
return None
# IP allowlist (early)
client_ip = _client_ip(allowlist.trust_proxy)
if allowlist.enabled and not allowlist.is_allowed(client_ip):
record_security_block(svc, "ip_block")
audit.write({"event": "ip_block", "ip": client_ip, "method": method, "path": path})
return jsonify({"error": "forbidden"}), 403
# Auth
ctx, source = classify_request(
headers=dict(request.headers),
cookies=dict(request.cookies),
query_params=dict(request.args),
)
if auth_required():
if ctx.role == TokenRole.ANON:
record_security_block(svc, "auth_fail")
audit.write({
"event": "auth_fail",
"ip": client_ip,
"method": method,
"path": path,
"source": source,
"token_present": ctx.token_present,
})
return jsonify({"error": "unauthorized"}), 401
# Kill-switch
if kill_switch_enabled():
# Bloque tout sauf admin/security (permet de désactiver) et health.
if not path.startswith("/admin/security"):
record_security_block(svc, "killswitch")
audit.write({"event": "killswitch_block", "ip": client_ip, "method": method, "path": path, "role": ctx.role})
return jsonify({"error": "killswitch_enabled"}), 423
if demo_safe_enabled():
# Exception: autorise GET /admin/security/status
if path.startswith("/admin/"):
if not (path == "/admin/security/status" and _is_read_only_method(method)):
record_security_block(svc, "demo_safe")
audit.write({"event": "demo_safe_block", "ip": client_ip, "method": method, "path": path, "role": ctx.role})
return jsonify({"error": "demo_safe"}), 423
if not _is_read_only_method(method):
record_security_block(svc, "demo_safe")
audit.write({"event": "demo_safe_block", "ip": client_ip, "method": method, "path": path, "role": ctx.role})
return jsonify({"error": "demo_safe"}), 423
# RBAC
if _is_read_only_method(method):
if auth_required() and not can_read(ctx.role):
record_security_block(svc, "forbidden")
return jsonify({"error": "forbidden"}), 403
else:
if auth_required() and not can_write(ctx.role):
record_security_block(svc, "forbidden")
return jsonify({"error": "forbidden"}), 403
# RL
rl_key = ctx.token_hash if ctx.token_hash else client_ip
allowed, retry_after = limiter.check(rl_key)
if not allowed:
record_security_block(svc, "rate_limit")
audit.write({"event": "rate_limit", "ip": client_ip, "method": method, "path": path, "role": ctx.role, "retry_after_s": retry_after})
resp = jsonify({"error": "rate_limited"})
resp.status_code = 429
resp.headers["Retry-After"] = str(int(max(1, retry_after)))
return resp
# Succès : on laisse passer
return None
def handle_token_in_url(app) -> None:
"""Permet de passer le token via ?token=... et le stocker en cookie."""
@app.route("/")
def _index_with_token():
token = request.args.get("token")
if token:
# Stocker en cookie et rediriger sans le token dans l'URL
resp = make_response(redirect("/"))
resp.set_cookie("rpa_token", token, httponly=True, secure=False, samesite="Lax")
return resp
# Page normale
return """
<h1>RPA Vision V3 Dashboard</h1>
<p><a href="/admin/">Admin Panel</a></p>
<p><a href="/metrics">Metrics</a></p>
"""

327
core/security/input_validator.py Normal file
View File

@@ -0,0 +1,327 @@
"""
Input Validation System
Système de validation des entrées utilisateur pour la sécurité.
Exigence 7.2: Protection contre les injections SQL/NoSQL
Exigence 7.3: Validation des chemins de fichiers
Exigence 7.4: Sanitization des données loggées
"""
import os
import re
import logging
import html
import json
from pathlib import Path
from typing import Any, Dict, List, Optional, Union, Set
from dataclasses import dataclass
from .security_config import get_security_config, hash_sensitive_value
logger = logging.getLogger(__name__)
@dataclass
class ValidationResult:
"""Résultat de validation d'une entrée."""
is_valid: bool
sanitized_value: Any
errors: List[str]
warnings: List[str]
def __post_init__(self):
if self.errors is None:
self.errors = []
if self.warnings is None:
self.warnings = []
class InputValidationError(Exception):
"""Erreur de validation d'entrée."""
pass
class SecurityViolationError(InputValidationError):
"""Violation de sécurité détectée."""
pass
class InputValidator:
"""Validateur d'entrées utilisateur."""
# Patterns dangereux pour injection SQL
SQL_INJECTION_PATTERNS = [
r"(\b(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER|EXEC|EXECUTE)\b)",
r"(\b(UNION|OR|AND)\s+\d+\s*=\s*\d+)",
r"(--|#|/\*|\*/)",
r"(\b(SCRIPT|JAVASCRIPT|VBSCRIPT|ONLOAD|ONERROR)\b)",
r"([\'\";])",
r"(\bxp_cmdshell\b)",
r"(\bsp_executesql\b)"
]
# Patterns dangereux pour injection NoSQL
NOSQL_INJECTION_PATTERNS = [
r"(\$where|\$regex|\$ne|\$gt|\$lt|\$in|\$nin)",
r"(function\s*\(|\beval\b|\bsetTimeout\b)",
r"(\{\s*\$.*\})",
r"(this\.|db\.)"
]
def __init__(self, strict_mode: Optional[bool] = None):
"""
Initialise le validateur.
Args:
strict_mode: Mode strict (None = auto selon config)
"""
config = get_security_config()
self.strict_mode = strict_mode if strict_mode is not None else config.strict_input_validation
self.log_sensitive = config.log_sensitive_data
# Compiler les patterns pour performance
self._sql_patterns = [re.compile(pattern, re.IGNORECASE) for pattern in self.SQL_INJECTION_PATTERNS]
self._nosql_patterns = [re.compile(pattern, re.IGNORECASE) for pattern in self.NOSQL_INJECTION_PATTERNS]
def validate_string(self, value: str, max_length: int = 1000,
allow_html: bool = False, field_name: str = "input") -> ValidationResult:
"""
Valide une chaîne de caractères.
Args:
value: Valeur à valider
max_length: Longueur maximale
allow_html: Autoriser le HTML
field_name: Nom du champ pour les logs
Returns:
Résultat de validation
"""
errors = []
warnings = []
sanitized = value
if not isinstance(value, str):
errors.append(f"{field_name} must be a string")
return ValidationResult(False, None, errors, warnings)
# Vérifier la longueur
if len(value) > max_length:
if self.strict_mode:
errors.append(f"{field_name} exceeds maximum length of {max_length}")
else:
warnings.append(f"{field_name} truncated to {max_length} characters")
sanitized = value[:max_length]
# Vérifier les injections SQL
for pattern in self._sql_patterns:
if pattern.search(value):
if self.strict_mode:
errors.append(f"{field_name} contains potential SQL injection pattern")
self._log_security_violation("SQL injection attempt", field_name, value)
else:
warnings.append(f"{field_name} contains suspicious SQL pattern")
# Vérifier les injections NoSQL
for pattern in self._nosql_patterns:
if pattern.search(value):
if self.strict_mode:
errors.append(f"{field_name} contains potential NoSQL injection pattern")
self._log_security_violation("NoSQL injection attempt", field_name, value)
else:
warnings.append(f"{field_name} contains suspicious NoSQL pattern")
# Sanitizer HTML si nécessaire
if not allow_html:
sanitized = html.escape(sanitized)
# Nettoyer les caractères de contrôle
sanitized = re.sub(r'[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]', '', sanitized)
is_valid = len(errors) == 0
return ValidationResult(is_valid, sanitized, errors, warnings)
def sanitize_for_logging(self, data: Any, field_name: str = "data") -> str:
"""
Sanitise des données pour le logging sécurisé.
Args:
data: Données à sanitiser
field_name: Nom du champ
Returns:
Données sanitisées pour logging
"""
if not self.log_sensitive:
# En mode sécurisé, hasher les données sensibles
if isinstance(data, str) and len(data) > 20:
return f"{field_name}[hash:{hash_sensitive_value(data)}]"
elif isinstance(data, (dict, list)):
return f"{field_name}[{type(data).__name__}:size={len(data)}]"
# Convertir en string et limiter la taille
try:
if isinstance(data, (dict, list)):
data_str = json.dumps(data, ensure_ascii=True, separators=(',', ':'))
else:
data_str = str(data)
# Limiter la taille pour les logs
if len(data_str) > 200:
data_str = data_str[:200] + "..."
# Échapper les caractères dangereux
data_str = html.escape(data_str)
return data_str
except Exception:
return f"{field_name}[unprintable:{type(data).__name__}]"
def _log_security_violation(self, violation_type: str, field_name: str, value: Any) -> None:
"""Log une violation de sécurité."""
sanitized_value = self.sanitize_for_logging(value, field_name)
logger.warning(
f"Security violation detected: {violation_type} in {field_name}. "
f"Value: {sanitized_value}"
)
# Instance globale du validateur
_validator_instance: Optional[InputValidator] = None
def get_input_validator() -> InputValidator:
"""
Retourne l'instance globale du validateur.
Returns:
Instance du validateur
"""
global _validator_instance
if _validator_instance is None:
_validator_instance = InputValidator()
return _validator_instance
def validate_string_input(value: str, max_length: int = 1000,
allow_html: bool = False, field_name: str = "input") -> str:
"""
Valide et sanitise une entrée string.
Args:
value: Valeur à valider
max_length: Longueur maximale
allow_html: Autoriser le HTML
field_name: Nom du champ
Returns:
Valeur sanitisée
Raises:
InputValidationError: Si la validation échoue
"""
validator = get_input_validator()
result = validator.validate_string(value, max_length, allow_html, field_name)
if not result.is_valid:
raise InputValidationError(f"Validation failed for {field_name}: {'; '.join(result.errors)}")
return result.sanitized_value
def validate_file_path_input(file_path: str, allowed_dirs: Optional[List[str]] = None) -> str:
"""
Valide un chemin de fichier.
Args:
file_path: Chemin à valider
allowed_dirs: Répertoires autorisés
Returns:
Chemin validé et normalisé
Raises:
InputValidationError: Si le chemin est dangereux
"""
if not isinstance(file_path, str):
raise InputValidationError("File path must be a string")
# Normaliser le chemin
normalized_path = os.path.normpath(file_path)
# Vérifier les tentatives de path traversal
if ".." in normalized_path or normalized_path.startswith("/"):
raise SecurityViolationError(f"Path traversal attempt detected: {file_path}")
# Vérifier les extensions dangereuses
dangerous_extensions = {'.exe', '.bat', '.cmd', '.scr', '.vbs', '.js', '.php', '.sh'}
file_ext = Path(normalized_path).suffix.lower()
if file_ext in dangerous_extensions:
raise SecurityViolationError(f"Dangerous file extension: {file_ext}")
# Vérifier les répertoires autorisés si spécifiés
if allowed_dirs:
path_obj = Path(normalized_path)
if not any(str(path_obj).startswith(allowed_dir) for allowed_dir in allowed_dirs):
raise InputValidationError(f"File path not in allowed directories: {normalized_path}")
return normalized_path
def validate_json_input(json_data: Union[str, dict], max_size: int = 10000) -> dict:
"""
Valide des données JSON.
Args:
json_data: Données JSON (string ou dict)
max_size: Taille maximale en caractères
Returns:
Données JSON validées
Raises:
InputValidationError: Si les données sont invalides
"""
if isinstance(json_data, str):
if len(json_data) > max_size:
raise InputValidationError(f"JSON data exceeds maximum size of {max_size}")
try:
parsed_data = json.loads(json_data)
except json.JSONDecodeError as e:
raise InputValidationError(f"Invalid JSON format: {e}")
elif isinstance(json_data, dict):
# Vérifier la taille sérialisée
serialized = json.dumps(json_data)
if len(serialized) > max_size:
raise InputValidationError(f"JSON data exceeds maximum size of {max_size}")
parsed_data = json_data
else:
raise InputValidationError("JSON data must be string or dict")
# Valider le contenu pour les injections
validator = get_input_validator()
json_str = json.dumps(parsed_data)
result = validator.validate_string(json_str, max_length=max_size, field_name="json_data")
if not result.is_valid:
raise InputValidationError(f"JSON validation failed: {'; '.join(result.errors)}")
return parsed_data
def sanitize_for_logging(data: Any, field_name: str = "data") -> str:
"""
Sanitise des données pour le logging.
Args:
data: Données à sanitiser
field_name: Nom du champ
Returns:
Données sanitisées
"""
validator = get_input_validator()
return validator.sanitize_for_logging(data, field_name)

327
core/security/input_validator_new.py Normal file
View File

@@ -0,0 +1,327 @@
e)a, field_namg(datin_loggsanitize_fordator.valieturn r()
or_validatet_inputalidator = g""
v
"iséesnées sanit Don
Returns:
amp
chNom du ame: field_ntiser
s à saniata: Donnée d
Args:ging.
le loges pours donnéSanitise de """
-> str:
"data") me: str = nay, field_ta: An(da_loggingize_for sanita
defarsed_dat return p
")
errors)}t.uljoin(res {'; '.ed:ion failalidator(f"JSON vlidationErrise InputVa ralid:
is_vat.not resul if
")
"json_datafield_name=e, th=max_sizr, max_lengring(json_stalidate_stvalidator.vt =
resuldata)s(parsed_on.dump = js json_strtor()
put_validaet_in gidator =s
vales injectionur lontenu poider le c
# Valt")
dicng orbe strimust N data "JSOionError(putValidat raise In se:
elson_data_data = jparsed")
size}max_ze of { maximum siexceedsN data rror(f"JSOValidationEaise Input r_size:
lized) > maxlen(seria if a)
s(json_dat json.dumpalized =eri sialisée
ére sla taillrifier # Véct):
ata, di_de(jsonncsinsta elif i
t: {e}") JSON formaidror(f"InvalErdationalise InputV raie:
ror as JSONDecodeErt json. excep n_data)
loads(jsojson.= d_data parse
try:
size}")
{max_mum size of axiceeds m data exONor(f"JSrrtionEputValidaise In ra
max_size:a) >(json_datf len i
data, str):json_isinstance( if ""
" invalides
sont ess donnéSi letionError: InputValida s:
Raise
ON validéess JS Donnéeurns:
Ret s
n caractèremale exille maax_size: Tai mou dict)
string nnées JSON (: Do_data json
Args: .
nnées JSONdo Valide des "
"") -> dict:= 10000x_size: int t], man[str, dicnion_data: Uput(jsoe_json_inalidat
def ved_pathurn normaliz ret
")ath}malized_pories: {norwed directllon apath not ior(f"File ionErratlide InputVa rais ):
rslowed_di_dir in al for allowedr)d_diallowe.startswith(_obj)str(pathot any( if n)
alized_pathPath(normpath_obj = :
_dirsif allowed
i spécifiésautorisés soires répertrifier lesVé
# ")
xt}n: {file_extensio engerous filer(f"DaolationErroyVi Securit raisensions:
xtegerous_ext in danf file_e()
ix.lowerath).suffied_pnormalizxt = Path( file_e p', '.sh'}
.ph', ' '.jscr', '.vbs', '.s, '.cmd',xe', '.bat'{'.ensions = ngerous_exte dauses
angereons densies exter l Vérifi
#_path}")
{file detected:attemptl raversa t"Pathrror(fationEyViol Securitise ra"/"):
ith(path.startswd_or normalizelized_path in norma ".." ifl
rsaraveh tives de patntat les teVérifier # )
_pathle.normpath(fih = os.pathpatrmalized_ noin
ser le chem# Normali
ng")
t be a strile path mus"Fir(dationErroalise InputV raitr):
th, se_pailsinstance(ft i if no
"""
ngereux dae chemin estError: Si lionnputValidat I
aises:
R
sénormalit min validé e Che
Returns:
orisésutres ars: Répertoilowed_di al valider
n àhemie_path: C filgs:
Ar
chier.
hemin de fialide un c V"
" ":
trne) -> s No] =str]List[ional[rs: Optwed_di: str, allole_pathath_input(fifile_plidate_vae
def ized_valuresult.sanitreturn
.errors)}").join(resulte}: {'; 'field_named for {dation failf"ValinError(idatio InputValserai is_valid:
t.ul not res
if_name)
_html, fieldength, allow, max_lring(valuealidate_stidator.vval = resultor()
idatt_input_valator = ge"
valid""ue
échotionlidai la vaor: SdationErrnputVali Is:
se
Rai
nitisée sa Valeureturns:
R
p
du chamm d_name: No fiel HTML
oriser leow_html: Aut all ximale
Longueur mamax_length: r
r à valideue: Valeu val Args:
ée string.e une entranitisalide et s
V"""r:
t") -> st= "inpue: str e, field_namalsool = Fw_html: b allo
1000, ength: int =max_lvalue: str, ut(ing_inpvalidate_str
def r_instancern _validato)
retudator(alie = InputVancinstalidator_ _v one:
tance is Nor_insf _validat
itancer_insal _validatolob"
g""r
alidateuu vstance d Inturns:
Re
r.
teuida du valobaleinstance glourne l' Ret""
"or:
lidatputVa-> Inr() dato_valit_inputef geNone
d= ] putValidatoronal[Inance: Optilidator_instidateur
_va du val globalencesta
# In )
}"
_valuezedue: {saniti f"Val . "
field_name}ype} in {ation_tvioltected: {iolation dey vf"Securit rning(
ger.wa logame)
e, field_ng(valuor_logginf.sanitize_f selalue =tized_v sani""
té."ride sécuion violatg une Lo """:
ny) -> Nonevalue: A_name: str, ldier, fn_type: stolatioon(self, viati_violitylog_secur _
def _}]"
e_(data).__namntable:{typeme}[unpri{field_nareturn f"
ion:cept Except ex
ata_str
turn d re
tr)
scape(data_s html.e data_str =
dangereuxres es caractèhapper l # Éc
."
"..r[:200] + ata_stata_str = d d
0:r) > 20ata_st if len(d s
our les log taille pr la # Limite
ta)r(dastr = st data_ else:
, ':')),'s=('eparatore, s_ascii=Trunsurea, e(dat.dumps json = data_str
ct, list)): (dia,nstance(datsi if i
try:le
aila tter lg et limi en strinonvertir # C
]"
{len(data)}_}:size=a).__name_(dattypeme}[{{field_naturn f" re :
))istta, (dict, ltance(daisinsif el )}]"
lue(datave_vasensitish:{hash_e}[haield_namf"{f return
> 20:d len(data)str) ane(data, sinstanc if is
ensiblenées ss donhasher lerisé, En mode sécu # itive:
ensself.log_s not if ""
"r logging pouestisénées saniDon
Returns:
pom du chameld_name: N fi er
itis sanes àata: Donné d gs:
Ar
sécurisé.
le logging pouronnéess dnitise de Sa ""
" ) -> str:
ata"tr = "dd_name: sy, fiel: Anlf, dataging(seogze_for_lef saniti
dngs)
ors, warninitized, err sa_valid,ult(isationReslid return Va
s) == 0error= len(valid is_
itized)
, san7F]', ''\x1F\x0C\x0E-\x0B8\x0-\x0r'[\x0e.sub(= r sanitized ôle
ntrctères de cocaraoyer les # Nett
anitized).escape(s = html sanitized :
allow_html if not ire
si nécessatizer HTML# Sani
)
"SQL patternspicious Noains suntld_name} cofiepend(f"{ngs.ap warni else:
value)e,nam", field_ attemptionjectQL inlation("NoSecurity_vioog_s._l self ")
ernection pattl NoSQL injs potentiae} containd_nam{fiel(f"penderrors.ap
_mode:lf.strictse if lue):
(vaern.searchif patt ns:
atterf._nosql_prn in selte for patSQL
njections Nofier les i # Véri
")
QL pattern Suspiciousontains seld_name} c{fiappend(f"arnings. w:
else e)
, valu_nameeld, fipt"ection attem"SQL injiolation(security_vg_loself._ )
on pattern"L injectiotential SQontains p_name} c"{fieldppend(f.aors err e:
.strict_modself if alue):
rn.search(vatteif p patterns:
sql_f._eln spattern i for ons SQL
tir les injecVérifie #
x_length] value[:matized = sani ers")
th} charact{max_lengcated to _name} trunf"{fieldend(s.app warning else:
}")ax_length{mf length oimum eeds maxe} exc"{field_nam(fpend errors.ap ct_mode:
f self.stri ih:
lengtalue) > max_ if len(vueur
longVérifier la
# s)
ors, warningne, errt(False, NoonResulidati return Val tring")
t be a smusd_name} f"{fielrs.append( erro
, str):ce(valueisinstan if not
ue
d = valanitize sgs = []
nin war
errors = []"
"" alidation
vt de Résulta eturns:
R
s
our les logdu champ pNom : ld_name fie HTML
toriser le w_html: Au allo e
aximalgueur mh: Lonengt max_lder
valiue: Valeur à val:
Args
.
tèresde carac chaîne Valide une"
"" lt:
esuValidationRput") -> : str = "infield_name= False, tml: bool allow_h ,
000h: int = 1 max_lengtstr,f, value: (selring validate_st def
ERNS]
TTN_PAJECTIOlf.NOSQL_INttern in seor paE) fCASe.IGNOREttern, re(pa.compil= [rerns patteself._nosql_ RNS]
TE_PATL_INJECTION in self.SQfor patternNORECASE) re.IGtern,compile(pate. = [rerns_sql_pattf. selformance
pour pers patterns lepiler # Com
ata
ive_d.log_sensitive = configsit_sen self.log
ationinput_valid.strict_se configels not None _mode istrictct_mode if striict_mode = self.str nfig()
security_coig = get_ conf""
"g)
selon confi auto (None =strictde: Mode strict_mo
Args:
ur.datese le vali Initiali """
:
one)l] = N[boo: Optionalt_mode stric_(self,it_def __in
]
)"
\.|db\.is r"(th
\})",\s*\$.* r"(\{
meout\b)",etTil\b|\bs\(|\bevaction\s*"(funr nin)",
in|\$gt|\$lt|\$\$e|\$regex|\$n"(\$where| r [
TTERNS =CTION_PAL_INJEOSQ N n NoSQL
ctiour injengereux poatterns da # P]
"
b)\qlbsp_executes"(\
r",dshell\b)bxp_cm r"(\
)",[\'\";]r"( )\b)",
ONERRORAD|T|ONLOBSCRIP|VIPTAVASCRSCRIPT|J(\b( r" */)",
--|#|/\*|\ r"( ",
+)s*=\s*\d\AND)\s+\d+(UNION|OR|\b r"(
b)",\UTE)EXEC|EXECE|ALTER|OP|CREATDRELETE|ERT|UPDATE|Db(SELECT|INS r"(\
RNS = [N_PATTE_INJECTIOSQL
SQLnjection ereux pour irns dangtte# Pa
""teur."s utilisaeur d'entréeidatVal"" "ator:
Valids Inputclas
pass
""
ée."tectécurité déolation de s"Vi"" Error):
tValidationnError(InpuyViolatioSecurit
class pass
"
rée.""nton d'ealidatieur de v""Err "
ion):r(ExceptidationErroputValass In= []
clf.warnings sel:
None isarnings self.w ifors = []
elf.err sne:
is Nororser if self.
lf):init__(seost_def __p
r]
[sts: Listningwar[str]
istrs: L erroue: Any
ed_val sanitiz: bool
lid
is_va"""
une entrée.dation d' de valitat"Résul""lt:
ationResuclass Validaclass
dat
@_)
ame_etLogger(__ngging.g
logger = lolue
ive_vaash_sensitonfig, h_cecurityimport get_srity_config .secu
from dataclassrtpoimdataclasses
from Union, SetOptional,, List, Any, Dict import ng
from typirt Pathimpoib thlfrom pajson
import l htmortlogging
impe
import port r
imrt ospo"
im"ggées
"données loization des 7.4: Sanit
Exigence s chiers de fin des chemintioalida3: VExigence 7.
SQL/NoSQLonsti injeccontre lesion ectotence 7.2: PrExigé.
a sécuritur lteur polisatrées utiion des envalidat
Système de m
stedation Syut Vali"""
Inp

372
core/security/ip_allowlist.py Normal file
View File

@@ -0,0 +1,372 @@
"""
IP Allowlist System
Système de liste blanche IP avec support CIDR et proxy trust.
Fiche #23: API Security & Governance
"""
import os
import ipaddress
import logging
from typing import List, Set, Optional, Dict, Union
from dataclasses import dataclass
from ..system.safety_switch import get_safety_switch
logger = logging.getLogger(__name__)
@dataclass
class IPConfig:
"""Configuration de la liste blanche IP."""
allowed_networks: List[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]]
trusted_proxies: List[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]]
enable_proxy_headers: bool = True
log_blocked_ips: bool = True
class IPValidationError(Exception):
"""Erreur de validation IP."""
pass
class IPAllowlist:
"""
Gestionnaire de liste blanche IP avec support CIDR.
Fonctionnalités:
- Support IPv4 et IPv6
- Plages CIDR (ex: 192.168.1.0/24)
- Gestion des proxies de confiance
- Headers X-Forwarded-For, X-Real-IP
"""
def __init__(self):
self._config = self._load_config()
self._safety = get_safety_switch()
self._blocked_ips_cache: Set[str] = set()
# Attributs pour compatibilité avec fastapi_security.py
self.enabled = True
self.trust_proxy = True
@classmethod
def from_env(cls):
"""Crée une instance depuis les variables d'environnement (compatibilité FastAPI)."""
instance = cls()
# Configurer selon les variables d'environnement
instance.enabled = os.getenv("RPA_IP_ALLOWLIST_ENABLED", "true").lower() == "true"
instance.trust_proxy = os.getenv("RPA_IP_TRUST_PROXY", "true").lower() == "true"
return instance
def _load_config(self) -> IPConfig:
"""Charge la configuration depuis les variables d'environnement."""
# Liste blanche IP
allowed_networks = []
allowed_ips_str = os.getenv("ALLOWED_IPS", "")
if allowed_ips_str:
for ip_str in allowed_ips_str.split(","):
ip_str = ip_str.strip()
if not ip_str:
continue
try:
# Essayer de parser comme réseau CIDR
if "/" not in ip_str:
# IP individuelle, ajouter /32 ou /128
ip_obj = ipaddress.ip_address(ip_str)
if isinstance(ip_obj, ipaddress.IPv4Address):
network = ipaddress.IPv4Network(f"{ip_str}/32")
else:
network = ipaddress.IPv6Network(f"{ip_str}/128")
else:
network = ipaddress.ip_network(ip_str, strict=False)
allowed_networks.append(network)
logger.debug(f"Added allowed network: {network}")
except ValueError as e:
logger.error(f"Invalid IP/CIDR in ALLOWED_IPS: {ip_str} - {e}")
# Proxies de confiance
trusted_proxies = []
trusted_proxies_str = os.getenv("TRUSTED_PROXIES", "")
if trusted_proxies_str:
for proxy_str in trusted_proxies_str.split(","):
proxy_str = proxy_str.strip()
if not proxy_str:
continue
try:
if "/" not in proxy_str:
ip_obj = ipaddress.ip_address(proxy_str)
if isinstance(ip_obj, ipaddress.IPv4Address):
network = ipaddress.IPv4Network(f"{proxy_str}/32")
else:
network = ipaddress.IPv6Network(f"{proxy_str}/128")
else:
network = ipaddress.ip_network(proxy_str, strict=False)
trusted_proxies.append(network)
logger.debug(f"Added trusted proxy: {network}")
except ValueError as e:
logger.error(f"Invalid proxy IP/CIDR in TRUSTED_PROXIES: {proxy_str} - {e}")
# Configuration par défaut en développement
if not allowed_networks and os.getenv("ENVIRONMENT", "development") == "development":
# En développement, autoriser localhost par défaut
allowed_networks = [
ipaddress.IPv4Network("127.0.0.0/8"), # Localhost IPv4
ipaddress.IPv4Network("10.0.0.0/8"), # Private networks
ipaddress.IPv4Network("172.16.0.0/12"),
ipaddress.IPv4Network("192.168.0.0/16"),
ipaddress.IPv6Network("::1/128"), # Localhost IPv6
]
logger.info("Development mode: using default allowed networks")
config = IPConfig(
allowed_networks=allowed_networks,
trusted_proxies=trusted_proxies,
enable_proxy_headers=os.getenv("ENABLE_PROXY_HEADERS", "true").lower() == "true",
log_blocked_ips=os.getenv("LOG_BLOCKED_IPS", "true").lower() == "true"
)
logger.info(f"IPAllowlist initialized with {len(config.allowed_networks)} allowed networks, "
f"{len(config.trusted_proxies)} trusted proxies")
return config
def is_allowed(self, ip_address: str) -> bool:
"""
Vérifie si une adresse IP est autorisée (compatibilité FastAPI).
Args:
ip_address: Adresse IP à vérifier
Returns:
True si l'IP est autorisée
"""
return self.is_ip_allowed(ip_address)
def is_ip_allowed(self, ip_address: str) -> bool:
"""
Vérifie si une adresse IP est autorisée.
Args:
ip_address: Adresse IP à vérifier
Returns:
True si l'IP est autorisée
"""
if not self._safety.is_feature_enabled("ip_allowlist"):
# Si la liste blanche est désactivée, autoriser tout
return True
# Si aucune liste blanche configurée, autoriser tout
if not self._config.allowed_networks:
return True
try:
ip_obj = ipaddress.ip_address(ip_address)
# Vérifier contre chaque réseau autorisé
for network in self._config.allowed_networks:
if ip_obj in network:
logger.debug(f"IP {ip_address} allowed by network {network}")
return True
# IP non autorisée
if self._config.log_blocked_ips and ip_address not in self._blocked_ips_cache:
logger.warning(f"IP {ip_address} blocked by allowlist")
self._blocked_ips_cache.add(ip_address)
return False
except ValueError as e:
logger.error(f"Invalid IP address format: {ip_address} - {e}")
return False
def get_client_ip(self, headers: Dict[str, str], remote_addr: str) -> str:
"""
Extrait l'IP réelle du client en tenant compte des proxies.
Args:
headers: Headers HTTP de la requête
remote_addr: Adresse IP directe de la connexion
Returns:
Adresse IP réelle du client
"""
if not self._config.enable_proxy_headers:
return remote_addr
# Vérifier si la requête vient d'un proxy de confiance
try:
remote_ip = ipaddress.ip_address(remote_addr)
is_trusted_proxy = False
for trusted_network in self._config.trusted_proxies:
if remote_ip in trusted_network:
is_trusted_proxy = True
break
if not is_trusted_proxy:
return remote_addr
except ValueError:
return remote_addr
# Extraire l'IP des headers de proxy
# Ordre de priorité: X-Real-IP, X-Forwarded-For
real_ip = headers.get("X-Real-IP")
if real_ip:
return real_ip.strip()
forwarded_for = headers.get("X-Forwarded-For")
if forwarded_for:
# X-Forwarded-For peut contenir plusieurs IPs séparées par des virgules
# La première est généralement l'IP originale du client
first_ip = forwarded_for.split(",")[0].strip()
return first_ip
return remote_addr
def validate_request_ip(self, headers: Dict[str, str], remote_addr: str) -> str:
"""
Valide l'IP d'une requête et retourne l'IP réelle.
Args:
headers: Headers HTTP
remote_addr: Adresse IP de connexion
Returns:
IP réelle du client
Raises:
IPValidationError: Si l'IP n'est pas autorisée
"""
client_ip = self.get_client_ip(headers, remote_addr)
if not self.is_ip_allowed(client_ip):
raise IPValidationError(f"IP address {client_ip} is not allowed")
return client_ip
def add_allowed_ip(self, ip_or_cidr: str) -> bool:
"""
Ajoute une IP ou plage CIDR à la liste blanche (runtime).
Args:
ip_or_cidr: IP ou CIDR à ajouter
Returns:
True si ajouté avec succès
"""
try:
if "/" not in ip_or_cidr:
ip_obj = ipaddress.ip_address(ip_or_cidr)
if isinstance(ip_obj, ipaddress.IPv4Address):
network = ipaddress.IPv4Network(f"{ip_or_cidr}/32")
else:
network = ipaddress.IPv6Network(f"{ip_or_cidr}/128")
else:
network = ipaddress.ip_network(ip_or_cidr, strict=False)
if network not in self._config.allowed_networks:
self._config.allowed_networks.append(network)
logger.info(f"Added allowed network: {network}")
return True
return False
except ValueError as e:
logger.error(f"Failed to add IP/CIDR {ip_or_cidr}: {e}")
return False
def remove_allowed_ip(self, ip_or_cidr: str) -> bool:
"""
Retire une IP ou plage CIDR de la liste blanche.
Args:
ip_or_cidr: IP ou CIDR à retirer
Returns:
True si retiré avec succès
"""
try:
if "/" not in ip_or_cidr:
ip_obj = ipaddress.ip_address(ip_or_cidr)
if isinstance(ip_obj, ipaddress.IPv4Address):
network = ipaddress.IPv4Network(f"{ip_or_cidr}/32")
else:
network = ipaddress.IPv6Network(f"{ip_or_cidr}/128")
else:
network = ipaddress.ip_network(ip_or_cidr, strict=False)
if network in self._config.allowed_networks:
self._config.allowed_networks.remove(network)
logger.info(f"Removed allowed network: {network}")
return True
return False
except ValueError as e:
logger.error(f"Failed to remove IP/CIDR {ip_or_cidr}: {e}")
return False
def get_allowlist_status(self) -> Dict:
"""
Retourne le statut de la liste blanche.
Returns:
Statut complet de la configuration
"""
return {
"enabled": self._safety.is_feature_enabled("ip_allowlist"),
"allowed_networks": [str(net) for net in self._config.allowed_networks],
"trusted_proxies": [str(proxy) for proxy in self._config.trusted_proxies],
"enable_proxy_headers": self._config.enable_proxy_headers,
"log_blocked_ips": self._config.log_blocked_ips,
"blocked_ips_count": len(self._blocked_ips_cache)
}
# Instance globale
_ip_allowlist = None
def get_ip_allowlist() -> IPAllowlist:
"""Retourne l'instance globale de la liste blanche IP."""
global _ip_allowlist
if _ip_allowlist is None:
_ip_allowlist = IPAllowlist()
return _ip_allowlist
def is_ip_allowed(ip_address: str) -> bool:
"""
Fonction utilitaire pour vérifier une IP.
Args:
ip_address: IP à vérifier
Returns:
True si autorisée
"""
return get_ip_allowlist().is_ip_allowed(ip_address)
def get_client_ip(headers: Dict[str, str], remote_addr: str) -> str:
"""
Fonction utilitaire pour extraire l'IP client.
Args:
headers: Headers HTTP
remote_addr: IP de connexion
Returns:
IP réelle du client
"""
return get_ip_allowlist().get_client_ip(headers, remote_addr)

400
core/security/rate_limiter.py Normal file
View File

@@ -0,0 +1,400 @@
"""
Rate Limiting System
Système de limitation de débit avec algorithme token bucket.
Fiche #23: API Security & Governance
"""
import os
import time
import threading
import logging
from typing import Dict, Optional, Tuple
from dataclasses import dataclass, field
from collections import defaultdict
from ..system.safety_switch import get_safety_switch
logger = logging.getLogger(__name__)
@dataclass
class TokenBucket:
"""
Implémentation d'un token bucket pour rate limiting.
Algorithme:
- Capacité maximale de tokens
- Refill rate (tokens par seconde)
- Consommation de tokens par requête
"""
capacity: int
refill_rate: float # tokens par seconde
tokens: float = field(init=False)
last_refill: float = field(init=False)
lock: threading.Lock = field(default_factory=threading.Lock, init=False)
def __post_init__(self):
self.tokens = float(self.capacity)
self.last_refill = time.time()
def consume(self, tokens_needed: int = 1) -> bool:
"""
Tente de consommer des tokens.
Args:
tokens_needed: Nombre de tokens nécessaires
Returns:
True si les tokens ont pu être consommés
"""
with self.lock:
now = time.time()
# Refill des tokens basé sur le temps écoulé
time_passed = now - self.last_refill
tokens_to_add = time_passed * self.refill_rate
self.tokens = min(self.capacity, self.tokens + tokens_to_add)
self.last_refill = now
# Vérifier si on a assez de tokens
if self.tokens >= tokens_needed:
self.tokens -= tokens_needed
return True
return False
def get_status(self) -> Dict:
"""Retourne le statut actuel du bucket."""
with self.lock:
now = time.time()
time_passed = now - self.last_refill
current_tokens = min(self.capacity, self.tokens + (time_passed * self.refill_rate))
return {
"capacity": self.capacity,
"current_tokens": current_tokens,
"refill_rate": self.refill_rate,
"time_to_refill": max(0, (self.capacity - current_tokens) / self.refill_rate) if self.refill_rate > 0 else 0
}
@dataclass
class RateLimitConfig:
"""Configuration pour un endpoint ou utilisateur."""
requests_per_minute: int = 60
burst_capacity: int = 10
tokens_per_request: int = 1
class RateLimitExceeded(Exception):
"""Exception levée quand la limite de débit est dépassée."""
def __init__(self, message: str, retry_after: float = 0):
super().__init__(message)
self.retry_after = retry_after
class RateLimiter:
"""
Gestionnaire de limitation de débit avec token buckets.
Fonctionnalités:
- Limitation par IP, utilisateur, endpoint
- Configuration flexible par règle
- Headers HTTP informatifs
- Nettoyage automatique des buckets inactifs
"""
def __init__(self):
self._buckets: Dict[str, TokenBucket] = {}
self._configs: Dict[str, RateLimitConfig] = {}
self._lock = threading.Lock()
self._safety = get_safety_switch()
self._load_config()
# Nettoyage périodique des buckets inactifs
self._last_cleanup = time.time()
self._cleanup_interval = 300 # 5 minutes
@classmethod
def from_env(cls):
"""Crée une instance depuis les variables d'environnement (compatibilité FastAPI)."""
return cls()
def _load_config(self):
"""Charge la configuration depuis les variables d'environnement."""
# Configuration par défaut
default_rpm = int(os.getenv("DEFAULT_RATE_LIMIT_RPM", "60"))
default_burst = int(os.getenv("DEFAULT_RATE_LIMIT_BURST", "10"))
self._default_config = RateLimitConfig(
requests_per_minute=default_rpm,
burst_capacity=default_burst
)
# Configurations spécifiques par endpoint
# Format: RATE_LIMIT_<ENDPOINT>=rpm:burst
for key, value in os.environ.items():
if key.startswith("RATE_LIMIT_") and key != "RATE_LIMIT_RPM" and key != "RATE_LIMIT_BURST":
endpoint = key[11:].lower() # Enlever "RATE_LIMIT_"
try:
if ":" in value:
rpm_str, burst_str = value.split(":", 1)
rpm = int(rpm_str)
burst = int(burst_str)
else:
rpm = int(value)
burst = default_burst
self._configs[endpoint] = RateLimitConfig(
requests_per_minute=rpm,
burst_capacity=burst
)
logger.debug(f"Rate limit config for {endpoint}: {rpm} RPM, {burst} burst")
except ValueError as e:
logger.error(f"Invalid rate limit config for {key}: {value} - {e}")
logger.info(f"RateLimiter initialized with default {default_rpm} RPM, {default_burst} burst")
def _get_config(self, endpoint: Optional[str] = None) -> RateLimitConfig:
"""Retourne la configuration pour un endpoint."""
if endpoint and endpoint.lower() in self._configs:
return self._configs[endpoint.lower()]
return self._default_config
def _get_bucket_key(self, identifier: str, endpoint: Optional[str] = None) -> str:
"""Génère une clé unique pour le bucket."""
if endpoint:
return f"{identifier}:{endpoint}"
return identifier
def _get_or_create_bucket(self, key: str, config: RateLimitConfig) -> TokenBucket:
"""Récupère ou crée un token bucket."""
with self._lock:
if key not in self._buckets:
# Convertir RPM en tokens par seconde
refill_rate = config.requests_per_minute / 60.0
self._buckets[key] = TokenBucket(
capacity=config.burst_capacity,
refill_rate=refill_rate
)
logger.debug(f"Created token bucket for {key}: {config.burst_capacity} capacity, {refill_rate:.2f} refill/s")
return self._buckets[key]
def check(self, identifier: str) -> Tuple[bool, float]:
"""
Vérifie la limite de débit (compatibilité FastAPI).
Args:
identifier: Identifiant unique
Returns:
Tuple (allowed, retry_after_seconds)
"""
allowed, headers = self.check_rate_limit(identifier)
retry_after = float(headers.get("Retry-After", "0"))
return allowed, retry_after
def check_rate_limit(self, identifier: str, endpoint: Optional[str] = None,
tokens_needed: int = 1) -> Tuple[bool, Dict[str, str]]:
"""
Vérifie la limite de débit pour un identifiant.
Args:
identifier: Identifiant unique (IP, user_id, etc.)
endpoint: Endpoint optionnel pour des limites spécifiques
tokens_needed: Nombre de tokens nécessaires
Returns:
Tuple (allowed, headers) où headers contient les informations de rate limiting
"""
if not self._safety.is_feature_enabled("rate_limiting"):
return True, {}
# Nettoyage périodique
self._cleanup_inactive_buckets()
config = self._get_config(endpoint)
bucket_key = self._get_bucket_key(identifier, endpoint)
bucket = self._get_or_create_bucket(bucket_key, config)
# Tenter de consommer les tokens
allowed = bucket.consume(tokens_needed)
# Générer les headers informatifs
status = bucket.get_status()
headers = {
"X-RateLimit-Limit": str(config.requests_per_minute),
"X-RateLimit-Remaining": str(int(status["current_tokens"])),
"X-RateLimit-Reset": str(int(time.time() + status["time_to_refill"]))
}
if not allowed:
headers["Retry-After"] = str(int(status["time_to_refill"]) + 1)
logger.warning(f"Rate limit exceeded for {identifier} on {endpoint or 'default'}")
return allowed, headers
def enforce_rate_limit(self, identifier: str, endpoint: Optional[str] = None,
tokens_needed: int = 1) -> Dict[str, str]:
"""
Applique la limitation de débit et lève une exception si dépassée.
Args:
identifier: Identifiant unique
endpoint: Endpoint optionnel
tokens_needed: Nombre de tokens nécessaires
Returns:
Headers de rate limiting
Raises:
RateLimitExceeded: Si la limite est dépassée
"""
allowed, headers = self.check_rate_limit(identifier, endpoint, tokens_needed)
if not allowed:
retry_after = float(headers.get("Retry-After", "60"))
raise RateLimitExceeded(
f"Rate limit exceeded for {identifier}. Try again in {retry_after} seconds.",
retry_after=retry_after
)
return headers
def _cleanup_inactive_buckets(self):
"""Nettoie les buckets inactifs pour économiser la mémoire."""
now = time.time()
if now - self._last_cleanup < self._cleanup_interval:
return
with self._lock:
inactive_keys = []
cutoff_time = now - 3600 # 1 heure d'inactivité
for key, bucket in self._buckets.items():
if bucket.last_refill < cutoff_time:
inactive_keys.append(key)
for key in inactive_keys:
del self._buckets[key]
if inactive_keys:
logger.debug(f"Cleaned up {len(inactive_keys)} inactive rate limit buckets")
self._last_cleanup = now
def reset_rate_limit(self, identifier: str, endpoint: Optional[str] = None) -> bool:
"""
Remet à zéro la limite de débit pour un identifiant.
Args:
identifier: Identifiant à remettre à zéro
endpoint: Endpoint optionnel
Returns:
True si remis à zéro avec succès
"""
bucket_key = self._get_bucket_key(identifier, endpoint)
with self._lock:
if bucket_key in self._buckets:
del self._buckets[bucket_key]
logger.info(f"Reset rate limit for {identifier} on {endpoint or 'default'}")
return True
return False
def get_rate_limit_status(self, identifier: str, endpoint: Optional[str] = None) -> Dict:
"""
Retourne le statut de rate limiting pour un identifiant.
Args:
identifier: Identifiant à vérifier
endpoint: Endpoint optionnel
Returns:
Statut du rate limiting
"""
bucket_key = self._get_bucket_key(identifier, endpoint)
config = self._get_config(endpoint)
with self._lock:
if bucket_key in self._buckets:
bucket_status = self._buckets[bucket_key].get_status()
return {
"identifier": identifier,
"endpoint": endpoint,
"config": {
"requests_per_minute": config.requests_per_minute,
"burst_capacity": config.burst_capacity
},
"current_status": bucket_status
}
else:
return {
"identifier": identifier,
"endpoint": endpoint,
"config": {
"requests_per_minute": config.requests_per_minute,
"burst_capacity": config.burst_capacity
},
"current_status": {
"capacity": config.burst_capacity,
"current_tokens": config.burst_capacity,
"refill_rate": config.requests_per_minute / 60.0,
"time_to_refill": 0
}
}
def get_global_status(self) -> Dict:
"""Retourne le statut global du rate limiter."""
with self._lock:
return {
"enabled": self._safety.is_feature_enabled("rate_limiting"),
"active_buckets": len(self._buckets),
"default_config": {
"requests_per_minute": self._default_config.requests_per_minute,
"burst_capacity": self._default_config.burst_capacity
},
"endpoint_configs": {
endpoint: {
"requests_per_minute": config.requests_per_minute,
"burst_capacity": config.burst_capacity
}
for endpoint, config in self._configs.items()
}
}
# Instance globale
_rate_limiter = None
def get_rate_limiter() -> RateLimiter:
"""Retourne l'instance globale du rate limiter."""
global _rate_limiter
if _rate_limiter is None:
_rate_limiter = RateLimiter()
return _rate_limiter
def check_rate_limit(identifier: str, endpoint: Optional[str] = None) -> Tuple[bool, Dict[str, str]]:
"""
Fonction utilitaire pour vérifier une limite de débit.
Args:
identifier: Identifiant unique
endpoint: Endpoint optionnel
Returns:
Tuple (allowed, headers)
"""
return get_rate_limiter().check_rate_limit(identifier, endpoint)