feat: Oracle IAM OIDC, force password change, security hardening

- OIDC: authorization code flow, JWKS validation, JIT provisioning, group-to-role mapping, dual auth (local/oidc/both)
- Force password change: random admin password on first install, modal blocks UI until changed
- APP_SECRET required in docker-compose (fail if missing), .env.example improved
- Login page: Oracle IAM button (conditional), hide form in oidc-only mode
- OracleIamPage: test connection via backend, masked client_secret handling
- UsersPage: OIDC badge, auth_provider in list
- i18n: login.oidcButton, login.or (pt/en/es)
- README v3.1: Terminal, User Management, Security, OIDC endpoints, versioning
This commit is contained in:
nogueiraguh
2026-04-02 10:26:00 -03:00
parent 60596e790f
commit f22bb54e25
13 changed files with 514 additions and 106 deletions

View File

@@ -9,7 +9,7 @@
</p>
<p align="center">
<img src="https://img.shields.io/badge/version-3.0-C74634?style=flat-square" alt="Version">
<img src="https://img.shields.io/badge/version-3.1-C74634?style=flat-square" alt="Version">
<img src="https://img.shields.io/badge/python-3.12-3776AB?style=flat-square" alt="Python">
<img src="https://img.shields.io/badge/FastAPI-0.115-009688?style=flat-square" alt="FastAPI">
<img src="https://img.shields.io/badge/OCI-GenAI-C74634?style=flat-square" alt="OCI">
@@ -23,7 +23,7 @@
AI Agent — Infrastructure & Security Engineer is a self-hosted web application that automates **CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0** compliance checks, powered by **OCI Generative AI** for intelligent analysis and an **MCP (Model Context Protocol)** server architecture for extensible task execution.
The platform combines security compliance scanning, AI-powered chat with **RAG (Retrieval-Augmented Generation)**, infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a **React 19 SPA** (TypeScript, Vite), **Oracle Dark Premium** theme (light/dark modes), **KPI dashboard** with compliance gauge, **i18n** (pt/en), and **Recharts** visualizations.
The platform combines security compliance scanning, AI-powered chat with **RAG (Retrieval-Augmented Generation)**, infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a **React 19 SPA** (TypeScript, Vite), **Oracle Dark Premium** theme (light/dark modes), **KPI dashboard** with compliance gauge, **i18n** (pt/en/es), and **Recharts** visualizations.
---
@@ -219,13 +219,37 @@ The platform combines security compliance scanning, AI-powered chat with **RAG (
- **KPI Dashboard**: compliance score gauge (SVG semicircular arc with gradient), pass/fail/total KPI cards, donut chart, horizontal bar chart — powered by Recharts
- **Animated UI**: staggered fade-in, smooth theme transitions, hover effects, shimmer loading states, pulse alerts
### OCI CLI Terminal
- **Linux-style web terminal** for OCI CLI interaction directly from the browser
- **Config selector**: choose the OCI Config to run commands against
- **Tab autocomplete**: auto-completes OCI CLI commands and subcommands
- **OCID auto-lookup**: paste any OCID (60+ resource types) → auto-detects type and runs `oci <service> <resource> get`
- **`find` by name/IP**: search OCI resources by display name or IP address via OCI Search API
- **Command history**: per-user, navigable with arrow keys
- **Help panel**: collapsible help with all commands and keyboard shortcuts
- **State persistence**: terminal output, config selection, and history survive page navigation (Zustand store)
- **User isolation**: commands execute with user's own OCI config only, history is per-user
### User Management
- **Sub-menu**: Users, My Settings, Oracle IAM
- **My Settings**: per-user timezone, language preference (pt/en/es), password change (local users only), MFA toggle
- **Oracle IAM page**: OIDC configuration UI (issuer, client ID/secret, redirect URI, group-to-role mapping, test connection)
- **Users list**: admin view with role, status, MFA, auth provider badge (OIDC/Local)
### Security
- **JWT authentication** with configurable expiry
- **TOTP MFA** (Google Authenticator / Authy compatible)
- **Oracle IAM OIDC**: SSO via Oracle Identity Domains — authorization code flow with PKCE, JWKS signature validation, JIT user provisioning, group-to-role mapping
- **Dual auth modes**: local only, OIDC only, or both simultaneously
- **RBAC** with 3 roles: Admin, User, Viewer
- Audit logging for all operations
- Encrypted credential storage
- **Per-user timezone** setting (not global)
- **Fernet encryption** (AES-128-CBC + HMAC-SHA256) for credentials and sensitive settings
- **User isolation**: ownership checks on ~70 endpoints, `is_global` flag for shared resources, private reports, per-user embeddings
- **Export sanitization**: config export strips private keys, passwords, and OCIDs
- **Sensitive settings protection**: `oidc_*`, `secret_*` keys blocked for non-admin users
- Audit logging for all operations (auth, OIDC, JIT provisioning, resource actions)
- Rate limiting on login and OIDC endpoints (10 attempts / 5 min)
- **Per-user timezone and language** settings
- Non-root container execution (`runuser`)
---
@@ -493,19 +517,19 @@ Allow group <group-name> to read buckets in compartment <compartment-name>
```
oci-cis-agent/
├── backend/
│ ├── app.py # FastAPI application (~9800 lines)
│ ├── app.py # FastAPI application (~10500 lines)
│ ├── cis_reports.py # Oracle CIS Benchmark checker (6660 lines, report engine)
│ ├── mcp_cis_server.py # MCP server with 12 granular CIS tools (~700 lines)
│ ├── gen_tf_reference.py # OCI Terraform provider resource catalog generator
│ ├── Dockerfile # Python 3.12 + OCI CLI + Terraform 1.14.7 + Chromium
│ └── requirements.txt # Dependencies
├── frontend-react/
│ ├── src/ # React 19 SPA (TypeScript, 39 source files, ~15800 lines)
│ │ ├── pages/ # 16 page components (Chat, Terraform, Explorer, OCI Services, Reports, Config, Admin)
│ ├── src/ # React 19 SPA (TypeScript, 46 source files, ~19500 lines)
│ │ ├── pages/ # 20 page components (Chat, Terraform, Explorer, Terminal, OCI Services, Reports, Config, Admin)
│ │ ├── api/ # API client + endpoint modules
│ │ ├── stores/ # Zustand stores (app state persistence across navigation)
│ │ ├── stores/ # Zustand stores (app, auth, terminal — state persistence across navigation)
│ │ ├── hooks/ # Custom hooks (theme, polling)
│ │ └── i18n/ # Internationalization (pt/en, 703 keys)
│ │ └── i18n/ # Internationalization (pt/en/es, 850+ keys)
│ └── dist/ # Built SPA served at /
├── nginx/
│ └── default.conf # Reverse proxy (React SPA + API /api/)
@@ -528,6 +552,11 @@ oci-cis-agent/
| POST | `/api/auth/logout` | Logout and invalidate session |
| POST | `/api/auth/register` | Create user (admin only) |
| POST | `/api/auth/change-password` | Change password |
| GET | `/api/auth/oidc/config` | Public auth mode (local/oidc/both) |
| GET | `/api/auth/oidc/login` | Redirect to Oracle Identity Domains |
| GET | `/api/auth/oidc/callback` | OIDC callback (code exchange + JIT provisioning) |
| POST | `/api/auth/oidc/logout` | OIDC logout + IdP logout URL |
| POST | `/api/settings/oidc/test` | Test OIDC discovery (admin) |
### OCI Management
@@ -706,10 +735,23 @@ oci-cis-agent/
| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/api/users/me` | Get current user profile (includes auth_provider) |
| GET | `/api/users/me/timezone` | Get user timezone |
| PUT | `/api/users/me/timezone` | Set user timezone |
| GET | `/api/users/me/language` | Get user language preference |
| PUT | `/api/users/me/language` | Set user language preference (pt/en/es) |
| GET | `/api/settings/timezone/options` | List available timezone options |
### OCI CLI Terminal
| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/api/terminal/execute` | Execute OCI CLI command |
| GET | `/api/terminal/autocomplete` | Tab autocomplete suggestions |
| POST | `/api/terminal/ocid-lookup` | OCID auto-lookup (60+ types) |
| POST | `/api/terminal/find` | Search resources by name/IP |
| GET | `/api/terminal/history` | Get command history (per-user) |
### CIS Engine
| Method | Endpoint | Description |
@@ -783,8 +825,8 @@ All models include OCID mapping for `us-ashburn-1`. For other regions, use the "
| Component | Technology |
|-----------|-----------|
| Backend | Python 3.12, FastAPI 0.115, Uvicorn |
| Frontend | React 19 SPA (Vite + TypeScript), Oracle Dark Premium theme, Recharts, i18n (pt/en), rehype-highlight |
| Auth | JWT + TOTP MFA + RBAC |
| Frontend | React 19 SPA (Vite + TypeScript), Oracle Dark Premium theme, Recharts, Zustand, i18n (pt/en/es), rehype-highlight |
| Auth | JWT + TOTP MFA + RBAC + Oracle IAM OIDC |
| Database | SQLite (WAL mode) |
| OCI SDK | `oci` 2.133.0, `oci-cli` |
| ADB | `python-oracledb` 2.4.1 (Thin mode) |
@@ -801,6 +843,7 @@ All models include OCID mapping for `us-ashburn-1`. For other regions, use the "
| Version | Date | Changes |
|---------|------|---------|
| **v3.1** | 2026-04 | **Oracle IAM OIDC**: SSO via Oracle Identity Domains — authorization code flow, JWKS ID token validation (RS256), CSRF protection (state+nonce), JIT user provisioning from OIDC claims, group-to-role mapping (admin/user/viewer), dual auth modes (local/oidc/both), `oidc_client_secret` encrypted with Fernet, rate-limited OIDC endpoints, IdP logout support. **OCI CLI Terminal**: Linux-style web terminal with Tab autocomplete, OCID auto-lookup (60+ resource types), `find` by name/IP via OCI Search API, per-user command history, help panel. **User Management**: sub-menu (Users, My Settings, Oracle IAM), per-user timezone/language/MFA/password change, auth_provider badge (OIDC/Local) in user list. **Spanish i18n**: 3 languages (pt/en/es), 850+ i18n keys. **Security hardening**: Fernet encryption (AES) for credentials (replacing base64), export sanitization (strips private keys/passwords/OCIDs), sensitive settings protection (`oidc_*`/`secret_*` blocked for non-admin). **User isolation**: ownership checks on ~70 endpoints, `is_global` flag for shared ADB/MCP configs, private reports, per-user embeddings with `user_id` metadata. **State persistence**: Terminal and Explorer state survives page navigation via Zustand stores (compartment tree, selected regions, counts, terminal output, history). **175+ API endpoints**, **20 pages**, **~36,500 lines of code**. |
| **v3.0** | 2026-03 | **OCI Services page**: new menu item with Service Status tab (auto-detect 6 security services — VSS, Data Safe, Cloud Guard, Bastion, Security Zones, Vault — per tenancy via OCI API + user overrides) and OCI Health tab (real-time Oracle service health from ocistatus.oraclecloud.com, 49 regions, search, geo filters). **Compliance Report v3.0**: OCI Services section with summary table + detailed descriptions + Cloud Guard recommendations, back page (Connect with us + copyright), DOCX download (Pillow camouflage strip, green header tables, result boxes, code blocks, A4 format), compliance_data.json shared between HTML and DOCX, progress bar during RAG generation (X/35, percentage), ADB connection pre-check (fail fast 503). **CIS PDF Chunker**: segments CIS PDF by recommendation number (X.X Ensure...), target 7000 chars with 500-char overlap, filters TOC/appendix/page headers — 54/54 recommendations with complete Description + Rationale + Remediation. **Embedding improvements**: auto-detect dimension from DDL (even on empty tables), auto-detect model per dimension (1536=small, 3072=large), RAG timeout 60s + retry (was 30s), direct SQL fetch by metadata recommendationNumber for overlap chunks. **Per-user timezone** (not global). **New API endpoints**: OCI Health proxy, OCI Services status/overrides, user timezone CRUD, DOCX download, compliance progress details, timezone options. |
| **v2.8** | 2026-03 | **Legacy frontend removed**: React SPA now served at root `/` (no more `/app/` prefix), legacy vanilla JS SPA removed. **Compliance Report ZIP download**: Chromium headless PDF generation (identical to browser print) + CSV findings bundled in ZIP. **Compliance generation state persisted server-side**: `.compliance_generating` marker file ensures generation status survives page navigation — spinner auto-resumes on return. **RAG remediation enriched**: extracts Description, Rationale, Audit, and Remediation sections from CIS vector chunks, combines up to 3 matched chunks. **Chat markdown styling**: full markdown rendering with syntax highlighting (Catppuccin Mocha theme via rehype-highlight), styled headings, lists, tables, blockquotes, inline/block code. **Default model auto-select**: Chat Agent auto-selects first GenAI config on page load. **Explorer silent polling**: no more flickering during start/stop resource actions. |
| **v2.7** | 2026-03 | **LAD A-Team CIS Compliance Report**: professional Oracle-format compliance report with cover page, TOC, Security Overview (7 pillars), CIS Assessment Summary, detailed findings with compliance % bars, RAG-powered remediation from ADB vector store (`CISRECOM` table with strict recommendation number filtering), affected resources CSV download links per non-compliant finding (JWT auth via query param). **React SPA**: 15-page React 19 frontend (TypeScript, Vite, Zustand, 38 source files). **i18n**: full internationalization with 625 keys (pt/en), language switcher persisted in localStorage. **Report management**: delete reports endpoint, embed individual report files (CSV/TXT/JSON/PDF) into vector store. **Terraform ZIP download**: replaced individual file downloads with client-side ZIP generation (pure JS, no external lib). **Explorer UX**: silent polling during start/stop actions eliminates flickering (resources update in-place without clearing the list). **Report sections collapsed by default**: HTML report and compliance report iframes start minimized. |