feat: Oracle IAM OIDC, force password change, security hardening
- OIDC: authorization code flow, JWKS validation, JIT provisioning, group-to-role mapping, dual auth (local/oidc/both) - Force password change: random admin password on first install, modal blocks UI until changed - APP_SECRET required in docker-compose (fail if missing), .env.example improved - Login page: Oracle IAM button (conditional), hide form in oidc-only mode - OracleIamPage: test connection via backend, masked client_secret handling - UsersPage: OIDC badge, auth_provider in list - i18n: login.oidcButton, login.or (pt/en/es) - README v3.1: Terminal, User Management, Security, OIDC endpoints, versioning
This commit is contained in:
67
README.md
67
README.md
@@ -9,7 +9,7 @@
|
||||
</p>
|
||||
|
||||
<p align="center">
|
||||
<img src="https://img.shields.io/badge/version-3.0-C74634?style=flat-square" alt="Version">
|
||||
<img src="https://img.shields.io/badge/version-3.1-C74634?style=flat-square" alt="Version">
|
||||
<img src="https://img.shields.io/badge/python-3.12-3776AB?style=flat-square" alt="Python">
|
||||
<img src="https://img.shields.io/badge/FastAPI-0.115-009688?style=flat-square" alt="FastAPI">
|
||||
<img src="https://img.shields.io/badge/OCI-GenAI-C74634?style=flat-square" alt="OCI">
|
||||
@@ -23,7 +23,7 @@
|
||||
|
||||
AI Agent — Infrastructure & Security Engineer is a self-hosted web application that automates **CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0** compliance checks, powered by **OCI Generative AI** for intelligent analysis and an **MCP (Model Context Protocol)** server architecture for extensible task execution.
|
||||
|
||||
The platform combines security compliance scanning, AI-powered chat with **RAG (Retrieval-Augmented Generation)**, infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a **React 19 SPA** (TypeScript, Vite), **Oracle Dark Premium** theme (light/dark modes), **KPI dashboard** with compliance gauge, **i18n** (pt/en), and **Recharts** visualizations.
|
||||
The platform combines security compliance scanning, AI-powered chat with **RAG (Retrieval-Augmented Generation)**, infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a **React 19 SPA** (TypeScript, Vite), **Oracle Dark Premium** theme (light/dark modes), **KPI dashboard** with compliance gauge, **i18n** (pt/en/es), and **Recharts** visualizations.
|
||||
|
||||
---
|
||||
|
||||
@@ -219,13 +219,37 @@ The platform combines security compliance scanning, AI-powered chat with **RAG (
|
||||
- **KPI Dashboard**: compliance score gauge (SVG semicircular arc with gradient), pass/fail/total KPI cards, donut chart, horizontal bar chart — powered by Recharts
|
||||
- **Animated UI**: staggered fade-in, smooth theme transitions, hover effects, shimmer loading states, pulse alerts
|
||||
|
||||
### OCI CLI Terminal
|
||||
- **Linux-style web terminal** for OCI CLI interaction directly from the browser
|
||||
- **Config selector**: choose the OCI Config to run commands against
|
||||
- **Tab autocomplete**: auto-completes OCI CLI commands and subcommands
|
||||
- **OCID auto-lookup**: paste any OCID (60+ resource types) → auto-detects type and runs `oci <service> <resource> get`
|
||||
- **`find` by name/IP**: search OCI resources by display name or IP address via OCI Search API
|
||||
- **Command history**: per-user, navigable with arrow keys
|
||||
- **Help panel**: collapsible help with all commands and keyboard shortcuts
|
||||
- **State persistence**: terminal output, config selection, and history survive page navigation (Zustand store)
|
||||
- **User isolation**: commands execute with user's own OCI config only, history is per-user
|
||||
|
||||
### User Management
|
||||
- **Sub-menu**: Users, My Settings, Oracle IAM
|
||||
- **My Settings**: per-user timezone, language preference (pt/en/es), password change (local users only), MFA toggle
|
||||
- **Oracle IAM page**: OIDC configuration UI (issuer, client ID/secret, redirect URI, group-to-role mapping, test connection)
|
||||
- **Users list**: admin view with role, status, MFA, auth provider badge (OIDC/Local)
|
||||
|
||||
### Security
|
||||
- **JWT authentication** with configurable expiry
|
||||
- **TOTP MFA** (Google Authenticator / Authy compatible)
|
||||
- **Oracle IAM OIDC**: SSO via Oracle Identity Domains — authorization code flow with PKCE, JWKS signature validation, JIT user provisioning, group-to-role mapping
|
||||
- **Dual auth modes**: local only, OIDC only, or both simultaneously
|
||||
- **RBAC** with 3 roles: Admin, User, Viewer
|
||||
- Audit logging for all operations
|
||||
- Encrypted credential storage
|
||||
- **Per-user timezone** setting (not global)
|
||||
- **Fernet encryption** (AES-128-CBC + HMAC-SHA256) for credentials and sensitive settings
|
||||
- **User isolation**: ownership checks on ~70 endpoints, `is_global` flag for shared resources, private reports, per-user embeddings
|
||||
- **Export sanitization**: config export strips private keys, passwords, and OCIDs
|
||||
- **Sensitive settings protection**: `oidc_*`, `secret_*` keys blocked for non-admin users
|
||||
- Audit logging for all operations (auth, OIDC, JIT provisioning, resource actions)
|
||||
- Rate limiting on login and OIDC endpoints (10 attempts / 5 min)
|
||||
- **Per-user timezone and language** settings
|
||||
- Non-root container execution (`runuser`)
|
||||
|
||||
---
|
||||
|
||||
@@ -493,19 +517,19 @@ Allow group <group-name> to read buckets in compartment <compartment-name>
|
||||
```
|
||||
oci-cis-agent/
|
||||
├── backend/
|
||||
│ ├── app.py # FastAPI application (~9800 lines)
|
||||
│ ├── app.py # FastAPI application (~10500 lines)
|
||||
│ ├── cis_reports.py # Oracle CIS Benchmark checker (6660 lines, report engine)
|
||||
│ ├── mcp_cis_server.py # MCP server with 12 granular CIS tools (~700 lines)
|
||||
│ ├── gen_tf_reference.py # OCI Terraform provider resource catalog generator
|
||||
│ ├── Dockerfile # Python 3.12 + OCI CLI + Terraform 1.14.7 + Chromium
|
||||
│ └── requirements.txt # Dependencies
|
||||
├── frontend-react/
|
||||
│ ├── src/ # React 19 SPA (TypeScript, 39 source files, ~15800 lines)
|
||||
│ │ ├── pages/ # 16 page components (Chat, Terraform, Explorer, OCI Services, Reports, Config, Admin)
|
||||
│ ├── src/ # React 19 SPA (TypeScript, 46 source files, ~19500 lines)
|
||||
│ │ ├── pages/ # 20 page components (Chat, Terraform, Explorer, Terminal, OCI Services, Reports, Config, Admin)
|
||||
│ │ ├── api/ # API client + endpoint modules
|
||||
│ │ ├── stores/ # Zustand stores (app state persistence across navigation)
|
||||
│ │ ├── stores/ # Zustand stores (app, auth, terminal — state persistence across navigation)
|
||||
│ │ ├── hooks/ # Custom hooks (theme, polling)
|
||||
│ │ └── i18n/ # Internationalization (pt/en, 703 keys)
|
||||
│ │ └── i18n/ # Internationalization (pt/en/es, 850+ keys)
|
||||
│ └── dist/ # Built SPA served at /
|
||||
├── nginx/
|
||||
│ └── default.conf # Reverse proxy (React SPA + API /api/)
|
||||
@@ -528,6 +552,11 @@ oci-cis-agent/
|
||||
| POST | `/api/auth/logout` | Logout and invalidate session |
|
||||
| POST | `/api/auth/register` | Create user (admin only) |
|
||||
| POST | `/api/auth/change-password` | Change password |
|
||||
| GET | `/api/auth/oidc/config` | Public auth mode (local/oidc/both) |
|
||||
| GET | `/api/auth/oidc/login` | Redirect to Oracle Identity Domains |
|
||||
| GET | `/api/auth/oidc/callback` | OIDC callback (code exchange + JIT provisioning) |
|
||||
| POST | `/api/auth/oidc/logout` | OIDC logout + IdP logout URL |
|
||||
| POST | `/api/settings/oidc/test` | Test OIDC discovery (admin) |
|
||||
|
||||
### OCI Management
|
||||
|
||||
@@ -706,10 +735,23 @@ oci-cis-agent/
|
||||
|
||||
| Method | Endpoint | Description |
|
||||
|--------|----------|-------------|
|
||||
| GET | `/api/users/me` | Get current user profile (includes auth_provider) |
|
||||
| GET | `/api/users/me/timezone` | Get user timezone |
|
||||
| PUT | `/api/users/me/timezone` | Set user timezone |
|
||||
| GET | `/api/users/me/language` | Get user language preference |
|
||||
| PUT | `/api/users/me/language` | Set user language preference (pt/en/es) |
|
||||
| GET | `/api/settings/timezone/options` | List available timezone options |
|
||||
|
||||
### OCI CLI Terminal
|
||||
|
||||
| Method | Endpoint | Description |
|
||||
|--------|----------|-------------|
|
||||
| POST | `/api/terminal/execute` | Execute OCI CLI command |
|
||||
| GET | `/api/terminal/autocomplete` | Tab autocomplete suggestions |
|
||||
| POST | `/api/terminal/ocid-lookup` | OCID auto-lookup (60+ types) |
|
||||
| POST | `/api/terminal/find` | Search resources by name/IP |
|
||||
| GET | `/api/terminal/history` | Get command history (per-user) |
|
||||
|
||||
### CIS Engine
|
||||
|
||||
| Method | Endpoint | Description |
|
||||
@@ -783,8 +825,8 @@ All models include OCID mapping for `us-ashburn-1`. For other regions, use the "
|
||||
| Component | Technology |
|
||||
|-----------|-----------|
|
||||
| Backend | Python 3.12, FastAPI 0.115, Uvicorn |
|
||||
| Frontend | React 19 SPA (Vite + TypeScript), Oracle Dark Premium theme, Recharts, i18n (pt/en), rehype-highlight |
|
||||
| Auth | JWT + TOTP MFA + RBAC |
|
||||
| Frontend | React 19 SPA (Vite + TypeScript), Oracle Dark Premium theme, Recharts, Zustand, i18n (pt/en/es), rehype-highlight |
|
||||
| Auth | JWT + TOTP MFA + RBAC + Oracle IAM OIDC |
|
||||
| Database | SQLite (WAL mode) |
|
||||
| OCI SDK | `oci` 2.133.0, `oci-cli` |
|
||||
| ADB | `python-oracledb` 2.4.1 (Thin mode) |
|
||||
@@ -801,6 +843,7 @@ All models include OCID mapping for `us-ashburn-1`. For other regions, use the "
|
||||
|
||||
| Version | Date | Changes |
|
||||
|---------|------|---------|
|
||||
| **v3.1** | 2026-04 | **Oracle IAM OIDC**: SSO via Oracle Identity Domains — authorization code flow, JWKS ID token validation (RS256), CSRF protection (state+nonce), JIT user provisioning from OIDC claims, group-to-role mapping (admin/user/viewer), dual auth modes (local/oidc/both), `oidc_client_secret` encrypted with Fernet, rate-limited OIDC endpoints, IdP logout support. **OCI CLI Terminal**: Linux-style web terminal with Tab autocomplete, OCID auto-lookup (60+ resource types), `find` by name/IP via OCI Search API, per-user command history, help panel. **User Management**: sub-menu (Users, My Settings, Oracle IAM), per-user timezone/language/MFA/password change, auth_provider badge (OIDC/Local) in user list. **Spanish i18n**: 3 languages (pt/en/es), 850+ i18n keys. **Security hardening**: Fernet encryption (AES) for credentials (replacing base64), export sanitization (strips private keys/passwords/OCIDs), sensitive settings protection (`oidc_*`/`secret_*` blocked for non-admin). **User isolation**: ownership checks on ~70 endpoints, `is_global` flag for shared ADB/MCP configs, private reports, per-user embeddings with `user_id` metadata. **State persistence**: Terminal and Explorer state survives page navigation via Zustand stores (compartment tree, selected regions, counts, terminal output, history). **175+ API endpoints**, **20 pages**, **~36,500 lines of code**. |
|
||||
| **v3.0** | 2026-03 | **OCI Services page**: new menu item with Service Status tab (auto-detect 6 security services — VSS, Data Safe, Cloud Guard, Bastion, Security Zones, Vault — per tenancy via OCI API + user overrides) and OCI Health tab (real-time Oracle service health from ocistatus.oraclecloud.com, 49 regions, search, geo filters). **Compliance Report v3.0**: OCI Services section with summary table + detailed descriptions + Cloud Guard recommendations, back page (Connect with us + copyright), DOCX download (Pillow camouflage strip, green header tables, result boxes, code blocks, A4 format), compliance_data.json shared between HTML and DOCX, progress bar during RAG generation (X/35, percentage), ADB connection pre-check (fail fast 503). **CIS PDF Chunker**: segments CIS PDF by recommendation number (X.X Ensure...), target 7000 chars with 500-char overlap, filters TOC/appendix/page headers — 54/54 recommendations with complete Description + Rationale + Remediation. **Embedding improvements**: auto-detect dimension from DDL (even on empty tables), auto-detect model per dimension (1536=small, 3072=large), RAG timeout 60s + retry (was 30s), direct SQL fetch by metadata recommendationNumber for overlap chunks. **Per-user timezone** (not global). **New API endpoints**: OCI Health proxy, OCI Services status/overrides, user timezone CRUD, DOCX download, compliance progress details, timezone options. |
|
||||
| **v2.8** | 2026-03 | **Legacy frontend removed**: React SPA now served at root `/` (no more `/app/` prefix), legacy vanilla JS SPA removed. **Compliance Report ZIP download**: Chromium headless PDF generation (identical to browser print) + CSV findings bundled in ZIP. **Compliance generation state persisted server-side**: `.compliance_generating` marker file ensures generation status survives page navigation — spinner auto-resumes on return. **RAG remediation enriched**: extracts Description, Rationale, Audit, and Remediation sections from CIS vector chunks, combines up to 3 matched chunks. **Chat markdown styling**: full markdown rendering with syntax highlighting (Catppuccin Mocha theme via rehype-highlight), styled headings, lists, tables, blockquotes, inline/block code. **Default model auto-select**: Chat Agent auto-selects first GenAI config on page load. **Explorer silent polling**: no more flickering during start/stop resource actions. |
|
||||
| **v2.7** | 2026-03 | **LAD A-Team CIS Compliance Report**: professional Oracle-format compliance report with cover page, TOC, Security Overview (7 pillars), CIS Assessment Summary, detailed findings with compliance % bars, RAG-powered remediation from ADB vector store (`CISRECOM` table with strict recommendation number filtering), affected resources CSV download links per non-compliant finding (JWT auth via query param). **React SPA**: 15-page React 19 frontend (TypeScript, Vite, Zustand, 38 source files). **i18n**: full internationalization with 625 keys (pt/en), language switcher persisted in localStorage. **Report management**: delete reports endpoint, embed individual report files (CSV/TXT/JSON/PDF) into vector store. **Terraform ZIP download**: replaced individual file downloads with client-side ZIP generation (pure JS, no external lib). **Explorer UX**: silent polling during start/stop actions eliminates flickering (resources update in-place without clearing the list). **Report sections collapsed by default**: HTML report and compliance report iframes start minimized. |
|
||||
|
||||
Reference in New Issue
Block a user