7063f8718e
Audit logging: - audit_log table with event tracking - app/audit.py module with log_event(), query_audit_log() - GET /audit endpoint (admin only) - configurable retention and cleanup Prometheus metrics: - app/metrics.py with custom counters - paste create/access/delete, rate limit, PoW, dedup metrics - instrumentation in API routes CLI clipboard integration: - fpaste create -C/--clipboard (read from clipboard) - fpaste create --copy-url (copy result URL) - fpaste get -c/--copy (copy content) - cross-platform: xclip, xsel, pbcopy, wl-copy Shell completions: - completions/ directory with bash/zsh/fish scripts - fpaste completion --shell command
162 lines
6.7 KiB
Python
162 lines
6.7 KiB
Python
"""Application configuration."""
|
|
|
|
import os
|
|
from pathlib import Path
|
|
|
|
# Application version
|
|
VERSION = "1.5.0"
|
|
|
|
|
|
class Config:
|
|
"""Base configuration."""
|
|
|
|
BASE_DIR = Path(__file__).parent.parent
|
|
DATABASE = os.environ.get("FLASKPASTE_DB", BASE_DIR / "data" / "pastes.db")
|
|
PASTE_ID_LENGTH = int(os.environ.get("FLASKPASTE_ID_LENGTH", "12"))
|
|
|
|
# Paste size limits
|
|
# Minimum size enforces encryption overhead (IV + tag + ciphertext)
|
|
# AES-256-GCM: 12 byte IV + 16 byte tag = 28 bytes minimum, ~40 base64
|
|
MIN_PASTE_SIZE = int(os.environ.get("FLASKPASTE_MIN_SIZE", 0)) # 0 = disabled
|
|
MAX_PASTE_SIZE_ANON = int(os.environ.get("FLASKPASTE_MAX_ANON", 3 * 1024 * 1024)) # 3MiB
|
|
MAX_PASTE_SIZE_AUTH = int(os.environ.get("FLASKPASTE_MAX_AUTH", 50 * 1024 * 1024)) # 50MiB
|
|
MAX_CONTENT_LENGTH = MAX_PASTE_SIZE_AUTH # Flask request limit
|
|
|
|
# Paste expiry (tiered by authentication level)
|
|
# Anonymous users: shortest expiry (default 1 day)
|
|
EXPIRY_ANON = int(os.environ.get("FLASKPASTE_EXPIRY_ANON", 1 * 24 * 60 * 60))
|
|
# Untrusted certs (authenticated but not registered): medium expiry (default 7 days)
|
|
EXPIRY_UNTRUSTED = int(os.environ.get("FLASKPASTE_EXPIRY_UNTRUSTED", 7 * 24 * 60 * 60))
|
|
# Trusted certs (registered in PKI): longest expiry (default 30 days, 0 = no expiry)
|
|
EXPIRY_TRUSTED = int(os.environ.get("FLASKPASTE_EXPIRY_TRUSTED", 30 * 24 * 60 * 60))
|
|
# Maximum custom expiry (default 90 days, 0 = unlimited for trusted)
|
|
MAX_EXPIRY_SECONDS = int(os.environ.get("FLASKPASTE_MAX_EXPIRY", 90 * 24 * 60 * 60))
|
|
# Legacy alias for backwards compatibility
|
|
PASTE_EXPIRY_SECONDS = EXPIRY_ANON
|
|
|
|
# Content deduplication / abuse prevention
|
|
# Throttle repeated submissions of identical content
|
|
CONTENT_DEDUP_WINDOW = int(os.environ.get("FLASKPASTE_DEDUP_WINDOW", 3600)) # 1 hour
|
|
CONTENT_DEDUP_MAX = int(os.environ.get("FLASKPASTE_DEDUP_MAX", 3)) # max 3 per window
|
|
|
|
# Minimum entropy requirement (0 = disabled)
|
|
# Encrypted data has ~7.5-8.0 bits/byte, plaintext ~4.0-5.0
|
|
# Set to 6.0+ to effectively require encryption
|
|
MIN_ENTROPY = float(os.environ.get("FLASKPASTE_MIN_ENTROPY", 0))
|
|
# Minimum size for entropy check (small data has unreliable entropy measurement)
|
|
MIN_ENTROPY_SIZE = int(os.environ.get("FLASKPASTE_MIN_ENTROPY_SIZE", 256))
|
|
|
|
# Require binary content (reject recognizable formats)
|
|
# Rejects content with known magic bytes (PNG, JPEG, PDF, etc.) and UTF-8 text.
|
|
REQUIRE_BINARY = os.environ.get("FLASKPASTE_REQUIRE_BINARY", "0").lower() in (
|
|
"1",
|
|
"true",
|
|
"yes",
|
|
)
|
|
|
|
# Reverse proxy trust configuration
|
|
# SECURITY: The X-SSL-Client-SHA1 header is trusted for authentication.
|
|
# This header MUST only come from a trusted reverse proxy that validates
|
|
# client certificates. Direct access to this app MUST be blocked.
|
|
#
|
|
# Set FLASKPASTE_PROXY_SECRET to require the proxy to send a matching
|
|
# X-Proxy-Secret header, providing defense-in-depth against header spoofing.
|
|
TRUSTED_PROXY_SECRET = os.environ.get("FLASKPASTE_PROXY_SECRET", "")
|
|
|
|
# Proof-of-work spam prevention
|
|
# Clients must solve a computational puzzle before paste creation.
|
|
# Difficulty is number of leading zero bits required in hash (0 = disabled).
|
|
POW_DIFFICULTY = int(os.environ.get("FLASKPASTE_POW_DIFFICULTY", "20"))
|
|
POW_CHALLENGE_TTL = int(os.environ.get("FLASKPASTE_POW_TTL", "300")) # 5 minutes
|
|
# Secret key for signing challenges (auto-generated if not set)
|
|
POW_SECRET = os.environ.get("FLASKPASTE_POW_SECRET", "")
|
|
# Registration PoW difficulty (higher than paste creation for security)
|
|
REGISTER_POW_DIFFICULTY = int(os.environ.get("FLASKPASTE_REGISTER_POW", "24"))
|
|
|
|
# Anti-flood: dynamically increase PoW difficulty under load
|
|
ANTIFLOOD_ENABLED = os.environ.get("FLASKPASTE_ANTIFLOOD", "1").lower() in (
|
|
"1",
|
|
"true",
|
|
"yes",
|
|
)
|
|
ANTIFLOOD_WINDOW = int(os.environ.get("FLASKPASTE_ANTIFLOOD_WINDOW", "60")) # seconds
|
|
ANTIFLOOD_THRESHOLD = int(os.environ.get("FLASKPASTE_ANTIFLOOD_THRESHOLD", "5")) # req/window
|
|
ANTIFLOOD_STEP = int(os.environ.get("FLASKPASTE_ANTIFLOOD_STEP", "2")) # bits per step
|
|
ANTIFLOOD_MAX = int(os.environ.get("FLASKPASTE_ANTIFLOOD_MAX", "28")) # max difficulty
|
|
ANTIFLOOD_DECAY = int(os.environ.get("FLASKPASTE_ANTIFLOOD_DECAY", "60")) # seconds to decay
|
|
|
|
# URL prefix for reverse proxy deployments (e.g., "/paste" for mymx.me/paste)
|
|
URL_PREFIX = os.environ.get("FLASKPASTE_URL_PREFIX", "").rstrip("/")
|
|
|
|
# IP-based rate limiting
|
|
# Limits paste creation per IP address using sliding window
|
|
RATE_LIMIT_ENABLED = os.environ.get("FLASKPASTE_RATE_LIMIT", "1").lower() in (
|
|
"1",
|
|
"true",
|
|
"yes",
|
|
)
|
|
RATE_LIMIT_WINDOW = int(os.environ.get("FLASKPASTE_RATE_WINDOW", "60")) # seconds
|
|
RATE_LIMIT_MAX = int(os.environ.get("FLASKPASTE_RATE_MAX", "10")) # requests per window
|
|
# Authenticated users get higher limits (multiplier)
|
|
RATE_LIMIT_AUTH_MULTIPLIER = int(os.environ.get("FLASKPASTE_RATE_AUTH_MULT", "5"))
|
|
|
|
# Audit Logging
|
|
# Track security-relevant events (paste creation, deletion, rate limits, etc.)
|
|
AUDIT_ENABLED = os.environ.get("FLASKPASTE_AUDIT", "1").lower() in ("1", "true", "yes")
|
|
AUDIT_RETENTION_DAYS = int(os.environ.get("FLASKPASTE_AUDIT_RETENTION", "90"))
|
|
|
|
# PKI Configuration
|
|
# Enable PKI endpoints for certificate authority and issuance
|
|
PKI_ENABLED = os.environ.get("FLASKPASTE_PKI_ENABLED", "0").lower() in ("1", "true", "yes")
|
|
# CA password for signing operations (REQUIRED when PKI is enabled)
|
|
PKI_CA_PASSWORD = os.environ.get("FLASKPASTE_PKI_CA_PASSWORD", "")
|
|
# Default validity period for issued certificates (days)
|
|
PKI_CERT_DAYS = int(os.environ.get("FLASKPASTE_PKI_CERT_DAYS", "365"))
|
|
# CA certificate validity period (days)
|
|
PKI_CA_DAYS = int(os.environ.get("FLASKPASTE_PKI_CA_DAYS", "3650")) # 10 years
|
|
|
|
|
|
class DevelopmentConfig(Config):
|
|
"""Development configuration."""
|
|
|
|
DEBUG = True
|
|
|
|
|
|
class ProductionConfig(Config):
|
|
"""Production configuration."""
|
|
|
|
DEBUG = False
|
|
|
|
|
|
class TestingConfig(Config):
|
|
"""Testing configuration."""
|
|
|
|
TESTING = True
|
|
DATABASE = ":memory:"
|
|
|
|
# Relaxed dedup for testing (100 per second window)
|
|
CONTENT_DEDUP_WINDOW = 1
|
|
CONTENT_DEDUP_MAX = 100
|
|
|
|
# Disable PoW for most tests (easier testing)
|
|
POW_DIFFICULTY = 0
|
|
|
|
# Relaxed rate limiting for tests
|
|
RATE_LIMIT_ENABLED = True
|
|
RATE_LIMIT_WINDOW = 1
|
|
RATE_LIMIT_MAX = 100
|
|
|
|
# PKI testing configuration
|
|
PKI_ENABLED = True
|
|
PKI_CA_PASSWORD = "test-ca-password"
|
|
PKI_CERT_DAYS = 30
|
|
PKI_CA_DAYS = 365
|
|
|
|
|
|
config = {
|
|
"development": DevelopmentConfig,
|
|
"production": ProductionConfig,
|
|
"testing": TestingConfig,
|
|
"default": DevelopmentConfig,
|
|
}
|