config

package
v0.17.1
Published: Jun 26, 2026 License: AGPL-3.0 Imports: 16 Imported by: 0

Documentation

Overview

This package defines the application's configuration: the environment-driven core settings in Config (ports, database, JWT keys, allowed API origins, metrics, pprof) and the file- and env-loaded sub-configurations for SSO, email, Slack, background workers, workflows, risk and POAM jobs, AI assistance and the central authorization layer.

Index

Constants

View Source
const (
	AIProviderAnthropic = "anthropic"
	DefaultAIModel      = "claude-opus-4-8"
)
View Source
const (
	// DefaultAuthzDriver is the in-process driver that reproduces CCF's pre-authz rules.
	DefaultAuthzDriver = "builtin"
	// DefaultAuthzFailMode denies requests when the PDP is unavailable.
	DefaultAuthzFailMode = "closed"
)

Variables

This section is empty.

Functions

func GenerateKeyPair

func GenerateKeyPair(bitsize int) (*rsa.PrivateKey, *rsa.PublicKey, error)

Types

type AIConfig added in v0.17.0

type AIConfig struct {
	Enabled              bool          `mapstructure:"enabled" json:"enabled"`
	Provider             string        `mapstructure:"provider" json:"provider"`
	APIKey               string        `mapstructure:"api_key" json:"-" yaml:"-"`
	Model                string        `mapstructure:"model" json:"model"`
	BaseURL              string        `mapstructure:"base_url" json:"baseUrl"`
	RequestTimeout       time.Duration `mapstructure:"request_timeout" json:"requestTimeout"`
	MaxControlsPerChunk  int           `mapstructure:"max_controls_per_chunk" json:"maxControlsPerChunk"`
	MaxLabelSetsPerChunk int           `mapstructure:"max_label_sets_per_chunk" json:"maxLabelSetsPerChunk"`
	QueueWorkers         int           `mapstructure:"queue_workers" json:"queueWorkers"`
	MaxCallsPerRun       int           `mapstructure:"max_calls_per_run" json:"maxCallsPerRun"`
	MaxSuggestionsPerRun int           `mapstructure:"max_suggestions_per_run" json:"maxSuggestionsPerRun"`
	// MaxOutputTokens caps the model's response length per cell. Too low a value
	// truncates the JSON (surfacing as "truncated non-json text content").
	MaxOutputTokens int `mapstructure:"max_output_tokens" json:"maxOutputTokens"`
	// GeneralizableLabelKeys are the label keys whose value identifies an
	// instance/provider rather than the evidence meaning. The deterministic
	// filter-merge detector may drop exactly one of these to generalize several
	// near-duplicate filters into one. Meaning-bearing keys (_policy, type) are
	// never dropped, so they must not appear here.
	GeneralizableLabelKeys []string `mapstructure:"generalizable_label_keys" json:"generalizableLabelKeys"`
	// GeneralizationMinSharedControls is the minimum number of controls the
	// candidate filters must have in common before a merge is proposed, so a
	// merge only fires when it is the same control intent across instances.
	GeneralizationMinSharedControls int `mapstructure:"generalization_min_shared_controls" json:"generalizationMinSharedControls"`
}

func DefaultAIConfig added in v0.17.0

func DefaultAIConfig() *AIConfig

func LoadAIConfig added in v0.17.0

func LoadAIConfig() (*AIConfig, error)

func LoadAIConfigFromViper added in v0.17.0

func LoadAIConfigFromViper(v *viper.Viper) (*AIConfig, error)

func (AIConfig) GoString added in v0.17.0

func (c AIConfig) GoString() string

func (AIConfig) String added in v0.17.0

func (c AIConfig) String() string

func (*AIConfig) Validate added in v0.17.0

func (c *AIConfig) Validate() error
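The `json:"-" yaml:"-"` tag on APIKey, together with the String and GoString methods, signals the intent that the key must not leave the process through serialization or formatted logging. The block below shows how such a config type is made leak-resistant end to end. It is an added example written for this page, not the project's code: it keeps the AIConfig, DefaultAIConfig and Validate shapes shown above but invents their bodies, so the validation rules, the https requirement on base_url and the default timeout and token cap are this example's own choices. By contrast, SlackConfig.Token, SlackConfig.ClientSecret, SMTPConfig.Password, SESConfig.SecretAccessKey and SSOProviderConfig.ClientSecret further down carry ordinary json tags, so json.Marshal of those structs emits the secret; any endpoint or log line that serializes them needs the same treatment.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	AIProviderAnthropic = "anthropic"
	DefaultAIModel      = "claude-opus-4-8"
)

// AIConfig keeps the page's JSON tags for the fields this example needs; the
// chunking and generalization knobs are left out for brevity.
type AIConfig struct {
	Enabled         bool          `json:"enabled"`
	Provider        string        `json:"provider"`
	APIKey          string        `json:"-"` // "-" keeps the key out of Marshal output
	Model           string        `json:"model"`
	BaseURL         string        `json:"baseUrl"`
	RequestTimeout  time.Duration `json:"requestTimeout"`
	MaxOutputTokens int           `json:"maxOutputTokens"`
}

// plainAIConfig has no methods, so formatting it cannot recurse into String/GoString.
type plainAIConfig AIConfig

// redacted swaps the key for a fixed marker: an operator can still see that a key
// is configured, but its value and even its length stay out of logs.
func (c AIConfig) redacted() plainAIConfig {
	if c.APIKey != "" {
		c.APIKey = "<redacted>"
	}
	return plainAIConfig(c)
}

// String covers %v, %+v and %s; GoString covers %#v. Defining only String would
// leave %#v, common in debug logs and test failures, printing the raw key.
func (c AIConfig) String() string   { return fmt.Sprintf("%+v", c.redacted()) }
func (c AIConfig) GoString() string { return fmt.Sprintf("%#v", c.redacted()) }

// defaultAIConfig uses the page's provider and model constants; the timeout and
// token cap are assumed values, since the page does not state its defaults.
func defaultAIConfig() *AIConfig {
	return &AIConfig{
		Provider:        AIProviderAnthropic,
		Model:           DefaultAIModel,
		RequestTimeout:  60 * time.Second,
		MaxOutputTokens: 4096,
	}
}

// Validate is this example's reading of what an enabled config must satisfy. The
// https check is an added one: the key is sent as a bearer credential, so a
// plaintext base_url would expose it on the wire.
func (c *AIConfig) Validate() error {
	if !c.Enabled {
		return nil
	}
	var errs []error
	if c.Provider != AIProviderAnthropic {
		errs = append(errs, fmt.Errorf("ai: unsupported provider %q", c.Provider))
	}
	if strings.TrimSpace(c.APIKey) == "" {
		errs = append(errs, errors.New("ai: api_key is required when enabled"))
	}
	if c.BaseURL != "" && !strings.HasPrefix(c.BaseURL, "https://") {
		errs = append(errs, fmt.Errorf("ai: base_url %q must use https", c.BaseURL))
	}
	if c.RequestTimeout <= 0 || c.MaxOutputTokens <= 0 {
		errs = append(errs, errors.New("ai: request_timeout and max_output_tokens must be positive"))
	}
	return errors.Join(errs...)
}

// exportJSON stands in for a config or debug endpoint that shows settings to an operator.
func exportJSON(c *AIConfig) (string, error) {
	b, err := json.Marshal(c)
	return string(b), err
}

func main() {
	cfg := defaultAIConfig()
	cfg.Enabled = true
	cfg.APIKey = "sk-ant-constructed-example-key" // constructed, not a real credential
	if err := cfg.Validate(); err != nil {
		fmt.Println("invalid:", err)
		return
	}
	out, _ := exportJSON(cfg)
	fmt.Println(out)                  // no apiKey field at all
	fmt.Printf("%v\n%#v\n", cfg, cfg) // APIKey:<redacted> in both
}
```

The unexported `plainAIConfig` conversion is the detail that matters: formatting the redacted copy as its own type would call String again and recurse without bound, and skipping GoString would leave `%#v` as the one format verb that still prints the key.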

type AuthzConfig added in v0.17.0

type AuthzConfig struct {
	Driver              string        `mapstructure:"driver" json:"driver"`
	FailMode            string        `mapstructure:"fail_mode" json:"failMode"`
	Endpoint            string        `mapstructure:"endpoint" json:"endpoint"`
	CacheTTL            time.Duration `mapstructure:"cache_ttl" json:"cacheTtl"`
	RoleAssignmentsPath string        `mapstructure:"role_assignments" json:"roleAssignments"`
	CedarPolicyDir      string        `mapstructure:"cedar_policy_dir" json:"cedarPolicyDir"`
}

AuthzConfig configures the central authorization layer. Driver selects the PDP engine: "builtin" (in-process), "cedar" (the embedded Cedar RBAC engine) or "authzen" (any remote AuthZen-compliant PDP). FailMode controls how the PEP behaves when the PDP is unavailable: "closed" denies, "open" allows. Endpoint is the remote PDP's single-evaluation URL (authzen driver only), and CacheTTL optionally caches decisions for that long to absorb the network hop (0 = off); a cached decision can lag a policy or role change by up to CacheTTL, so keep it short.

The cedar driver reads two more settings (both optional, both ignored by the other drivers): RoleAssignmentsPath is the YAML file mapping users, groups and agents to the bundled roles (BCH-1319 §11.3); CedarPolicyDir is a directory of operator-supplied *.cedar files appended to the bundled role policies (the GitOps escape hatch, §11.2).

func LoadAuthzConfig added in v0.17.0

func LoadAuthzConfig() *AuthzConfig

LoadAuthzConfig reads authz settings from Viper, applying defaults. Only the exact value "open" relaxes enforcement; any other fail mode, including an empty or mistyped one, is normalized to the default "closed" so a misconfiguration fails safe.
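The fail-mode normalization and the decision cache meet at the policy enforcement point, where the safe behaviour is easy to get subtly wrong, for instance by caching an allow that only came from fail-open. The following is an added example, not the project's code: it reimplements the loader over a plain key lookup instead of Viper, rejects unknown drivers and an endpoint-less authzen driver (stricter than the page's loader, which returns no error), lowercases the driver name (this example's choice), and shows a PEP that applies the fail mode and caches only genuine PDP answers. The PDP call is an injected function so the block runs offline; the cache key layout and the clock injection are also this example's choices.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	DefaultAuthzDriver   = "builtin"
	DefaultAuthzFailMode = "closed"
)

type AuthzConfig struct {
	Driver   string
	FailMode string
	Endpoint string
	CacheTTL time.Duration
}

// loadAuthzConfig reads the same keys as the page's LoadAuthzConfig, but from a plain
// lookup instead of Viper. Unlike the page's loader it rejects an unknown driver.
func loadAuthzConfig(get func(key string) string) (*AuthzConfig, error) {
	c := &AuthzConfig{Driver: DefaultAuthzDriver, FailMode: DefaultAuthzFailMode}
	if d := strings.ToLower(strings.TrimSpace(get("driver"))); d != "" {
		c.Driver = d
	}
	switch c.Driver {
	case "builtin", "cedar", "authzen":
	default:
		return nil, fmt.Errorf("authz: unknown driver %q", c.Driver)
	}
	// Only the exact token "open" relaxes the PEP. "Open", "allow", "closed ", an
	// empty value or a typo all normalize to "closed", so a mistake fails safe.
	if get("fail_mode") == "open" {
		c.FailMode = "open"
	}
	c.Endpoint = strings.TrimSpace(get("endpoint"))
	if c.Driver == "authzen" && c.Endpoint == "" {
		return nil, errors.New("authz: authzen driver requires an endpoint")
	}
	if s := get("cache_ttl"); s != "" {
		ttl, err := time.ParseDuration(s)
		if err != nil || ttl < 0 {
			return nil, fmt.Errorf("authz: invalid cache_ttl %q", s)
		}
		c.CacheTTL = ttl
	}
	return c, nil
}

type cacheEntry struct {
	allow   bool
	expires time.Time
}

// PEP wraps a PDP call with fail-mode handling and the optional decision cache.
// The clock is injectable so cache expiry can be exercised without sleeping.
type PEP struct {
	cfg   *AuthzConfig
	now   func() time.Time
	cache map[string]cacheEntry
}

func newPEP(cfg *AuthzConfig, now func() time.Time) *PEP {
	return &PEP{cfg: cfg, now: now, cache: map[string]cacheEntry{}}
}

// Authorize asks the PDP (evaluate) whether subject may perform action on resource.
// A PDP failure never reaches the caller as an error: the fail mode turns it into an
// allow or a deny. Those fallback decisions are deliberately not cached, so a short
// outage cannot pin a fail-open allow in the cache for the rest of CacheTTL.
func (p *PEP) Authorize(subject, action, resource string, evaluate func() (bool, error)) (bool, string) {
	key := subject + "\x00" + action + "\x00" + resource
	if e, ok := p.cache[key]; ok && p.now().Before(e.expires) {
		return e.allow, "cached pdp decision"
	}
	allow, err := evaluate()
	if err != nil {
		return p.cfg.FailMode == "open", fmt.Sprintf("pdp unavailable, fail-%s: %v", p.cfg.FailMode, err)
	}
	if p.cfg.CacheTTL > 0 {
		p.cache[key] = cacheEntry{allow: allow, expires: p.now().Add(p.cfg.CacheTTL)}
	}
	if allow {
		return true, "pdp allow"
	}
	return false, "pdp deny"
}

func main() {
	env := map[string]string{"driver": "authzen", "fail_mode": "Open", "endpoint": "https://pdp.example.internal/access/v1/evaluation"} // constructed
	cfg, err := loadAuthzConfig(func(k string) string { return env[k] })
	fmt.Printf("%+v %v\n", cfg, err) // FailMode ends up "closed": "Open" is not "open"
}
```

Two properties are worth keeping in mind when wiring a real PDP client into this shape: the evaluate function must honour a deadline (an unbounded hang is worse than an error, since the fail mode never gets to run), and the cache must be keyed on everything the PDP saw, so a context attribute that changes the answer is not collapsed into a stale entry.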

type Config

type Config struct {
	AppPort                           string
	Environment                       string
	DBDriver                          string
	DBConnectionString                string
	DBDebug                           bool
	JWTSecret                         string
	JWTPrivateKey                     *rsa.PrivateKey
	JWTPublicKey                      *rsa.PublicKey
	APIAllowedOrigins                 []string
	MetricsEnabled                    bool
	MetricsPort                       string
	WebBaseURL                        string
	SSO                               *SSOConfig
	Email                             *EmailConfig
	Slack                             *SlackConfig
	Worker                            *WorkerConfig
	EvidenceDefaultExpiryMonths       int    // Default expiration in months for evidence without explicit expiry
	DigestEnabled                     bool   // Enable or disable the digest scheduler
	DigestSchedule                    string // Cron schedule for digest emails
	Workflow                          *WorkflowConfig
	Risk                              *RiskConfig
	Poam                              *PoamConfig
	AI                                *AIConfig
	PprofEnabled                      bool   // Enable or disable pprof debugging server
	PprofPort                         string // Port for pprof debugging server
	StrictDisablePublicAgentEndpoints bool
	Authz                             *AuthzConfig
}

func NewConfig

func NewConfig(logger *zap.SugaredLogger) *Config

type EmailConfig added in v0.6.0

type EmailConfig struct {
	Enabled   bool                     `yaml:"enabled" json:"enabled" mapstructure:"enabled"`
	Provider  string                   `yaml:"provider" json:"provider" mapstructure:"provider"` // default provider to use
	Providers *SupportedEmailProviders `yaml:"providers" json:"providers" mapstructure:"providers"`
}

func LoadEmailConfig added in v0.6.0

func LoadEmailConfig(path string) (*EmailConfig, error)

func (*EmailConfig) GetDefaultProvider added in v0.6.0

func (c *EmailConfig) GetDefaultProvider() EmailProviderSettings

func (*EmailConfig) GetEnabledProviders added in v0.6.0

func (c *EmailConfig) GetEnabledProviders() []EmailProviderSettings

func (*EmailConfig) GetProvider added in v0.6.0

func (c *EmailConfig) GetProvider(name string) EmailProviderSettings

type EmailProviderSettings added in v0.6.0

type EmailProviderSettings interface {
	GetName() string
	GetType() string
	IsEnabled() bool
}

EmailProviderSettings represents common behaviors for all provider-specific configs.

type EnvironmentType added in v0.5.0

type EnvironmentType string
const (
	EnvironmentProduction  EnvironmentType = "production"
	EnvironmentLocal       EnvironmentType = "local"
	EnvironmentDevelopment EnvironmentType = "development"
	EnvironmentEmpty       EnvironmentType = ""
)

type JWTKeyBootstrapAction added in v0.13.0

type JWTKeyBootstrapAction string
const (
	JWTKeyBootstrapNoop          JWTKeyBootstrapAction = "noop"
	JWTKeyBootstrapGenerated     JWTKeyBootstrapAction = "generated"
	JWTKeyBootstrapDerivedPublic JWTKeyBootstrapAction = "derived_public"
	JWTKeyBootstrapRegenerated   JWTKeyBootstrapAction = "regenerated"
)

func BootstrapJWTKeyPair added in v0.13.0

func BootstrapJWTKeyPair(privateKeyPath, publicKeyPath string, bitSize int, force bool) (JWTKeyBootstrapAction, error)

BootstrapJWTKeyPair ensures a matching JWT RSA keypair exists at the given paths.

Behavior:

  • when both files exist and force=false: no-op
  • when only private exists and force=false: derives and writes the public key
  • otherwise: generates a new keypair and writes both files
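GenerateKeyPair and BootstrapJWTKeyPair appear above only as a signature and a behaviour list. The block below is an added example, not the project's implementation, that realises the three cases with the standard library: PKCS#1 PEM for the private key at mode 0600, PKIX PEM for the public key, a 2048-bit minimum, and one check the list does not mention: when both files exist it verifies that the public key actually belongs to the private key, so a stale or swapped public key file cannot silently make every issued token unverifiable. The file formats, the permission bits and the rule for when "regenerated" rather than "generated" is reported are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
)

type JWTKeyBootstrapAction string

const (
	JWTKeyBootstrapNoop          JWTKeyBootstrapAction = "noop"
	JWTKeyBootstrapGenerated     JWTKeyBootstrapAction = "generated"
	JWTKeyBootstrapDerivedPublic JWTKeyBootstrapAction = "derived_public"
	JWTKeyBootstrapRegenerated   JWTKeyBootstrapAction = "regenerated"
)

// generateKeyPair stands in for the page's GenerateKeyPair and additionally refuses
// moduli under 2048 bits: a config-driven size is an easy way to get a weak RS256 key.
func generateKeyPair(bitsize int) (*rsa.PrivateKey, *rsa.PublicKey, error) {
	if bitsize < 2048 {
		return nil, nil, fmt.Errorf("rsa key size %d too small, need at least 2048", bitsize)
	}
	priv, err := rsa.GenerateKey(rand.Reader, bitsize)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// writePEM writes and then chmods: WriteFile leaves an existing file's mode alone,
// so a key replaced under force would otherwise keep whatever mode it had.
func writePEM(path, typ string, der []byte, mode os.FileMode) error {
	if err := os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), mode); err != nil {
		return err
	}
	return os.Chmod(path, mode)
}

func readPEM(path, typ string) ([]byte, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != typ {
		return nil, fmt.Errorf("%s: expected a PEM %s block", path, typ)
	}
	return block.Bytes, nil
}

// bootstrapJWTKeyPair follows the three cases listed above, with two additions: when
// both files exist it verifies they belong together instead of trusting the pair, and
// "regenerated" is reported when an existing file was replaced (an assumed mapping).
func bootstrapJWTKeyPair(privPath, pubPath string, bitSize int, force bool) (JWTKeyBootstrapAction, error) {
	_, privErr := os.Stat(privPath)
	_, pubErr := os.Stat(pubPath)
	privExists, pubExists := privErr == nil, pubErr == nil
	if !force && privExists {
		privDER, err := readPEM(privPath, "RSA PRIVATE KEY")
		if err != nil {
			return "", err
		}
		priv, err := x509.ParsePKCS1PrivateKey(privDER)
		if err != nil {
			return "", err
		}
		pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
		if !pubExists {
			if err := writePEM(pubPath, "PUBLIC KEY", pubDER, 0o644); err != nil {
				return "", err
			}
			return JWTKeyBootstrapDerivedPublic, nil
		}
		if have, err := readPEM(pubPath, "PUBLIC KEY"); err != nil || string(have) != string(pubDER) {
			return "", fmt.Errorf("%s is unreadable or does not match %s; rerun with force to regenerate", pubPath, privPath)
		}
		return JWTKeyBootstrapNoop, nil
	}
	priv, pub, err := generateKeyPair(bitSize)
	if err != nil {
		return "", err
	}
	pubDER, _ := x509.MarshalPKIXPublicKey(pub)
	if err := writePEM(privPath, "RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(priv), 0o600); err != nil {
		return "", err
	}
	if err := writePEM(pubPath, "PUBLIC KEY", pubDER, 0o644); err != nil {
		return "", err
	}
	if privExists || pubExists {
		return JWTKeyBootstrapRegenerated, nil
	}
	return JWTKeyBootstrapGenerated, nil
}
```

Calling `bootstrapJWTKeyPair("jwt.key", "jwt.pub", 4096, false)` twice returns "generated" and then "noop"; deleting jwt.pub in between yields "derived_public". The mismatch check is the case that bites in practice: a deployment that mounts a private key from one secret and a public key from an older one passes a plain existence test and then rejects every token it issues.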

type PoamConfig added in v0.15.0

type PoamConfig struct {
	// DeadlineReminderEnabled enables the daily POAM deadline reminder scanner (0 0 8 * * *).
	DeadlineReminderEnabled  bool   `mapstructure:"deadline_reminder_enabled"  yaml:"deadline_reminder_enabled"  json:"deadlineReminderEnabled"`
	DeadlineReminderSchedule string `mapstructure:"deadline_reminder_schedule" yaml:"deadline_reminder_schedule" json:"deadlineReminderSchedule"`
	// ReminderWindowDays is the look-ahead window (in days) for the deadline reminder.
	// Items with deadline - now <= ReminderWindowDays are included. Default: 30.
	ReminderWindowDays int `mapstructure:"reminder_window_days" yaml:"reminder_window_days" json:"reminderWindowDays"`

	// OverdueTransitionEnabled enables the daily overdue transition scanner (0 0 9 * * *).
	OverdueTransitionEnabled  bool   `mapstructure:"overdue_transition_enabled"  yaml:"overdue_transition_enabled"  json:"overdueTransitionEnabled"`
	OverdueTransitionSchedule string `mapstructure:"overdue_transition_schedule" yaml:"overdue_transition_schedule" json:"overdueTransitionSchedule"`

	// MilestoneOverdueEnabled enables the weekly incomplete milestone scanner (0 0 10 * * 1).
	MilestoneOverdueEnabled  bool   `mapstructure:"milestone_overdue_enabled"  yaml:"milestone_overdue_enabled"  json:"milestoneOverdueEnabled"`
	MilestoneOverdueSchedule string `mapstructure:"milestone_overdue_schedule" yaml:"milestone_overdue_schedule" json:"milestoneOverdueSchedule"`

	// OpenDigestEnabled enables the daily POAM open digest job (0 0 7 * * *).
	OpenDigestEnabled  bool   `mapstructure:"open_digest_enabled"  yaml:"open_digest_enabled"  json:"openDigestEnabled"`
	OpenDigestSchedule string `mapstructure:"open_digest_schedule" yaml:"open_digest_schedule" json:"openDigestSchedule"`
	// OpenDigestWindow controls whether the digest covers a "daily" or "weekly" window.
	OpenDigestWindow string `mapstructure:"open_digest_window" yaml:"open_digest_window" json:"openDigestWindow"`
}

PoamConfig contains configuration for POAM-related periodic workers. All four jobs are disabled by default; enable them via environment variables or a poam.yaml config file whose path is given by the CCF_POAM_CONFIG env var.

func DefaultPoamConfig added in v0.15.0

func DefaultPoamConfig() *PoamConfig

DefaultPoamConfig returns a PoamConfig with safe defaults (all jobs disabled).

func LoadPoamConfig added in v0.15.0

func LoadPoamConfig(path string) (*PoamConfig, error)

LoadPoamConfig loads PoamConfig from a YAML file and/or CCF_POAM_* env vars. If path is empty or the file does not exist, defaults are used.

func (*PoamConfig) Validate added in v0.15.0

func (c *PoamConfig) Validate() error

Validate checks that all enabled jobs have valid cron schedules, that open_digest_window is one of the accepted values, and that ReminderWindowDays is a positive integer. Mirrors the validation performed by RiskConfig.Validate.
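Validate's contract above is worth seeing as code, because a schedule mistake such as an hour of 25, or a five-field crontab line handed to a seconds-first scheduler, would otherwise surface only when the job is registered, long after the configuration was accepted. The example below is added here and is not the project's code: it mirrors PoamConfig without the struct tags, takes the schedules quoted in the field comments as defaults, and checks the six-field form with a small standard-library validator rather than a cron dependency. Month and weekday names are not accepted; that is a simplification of this example, not a statement about the project's parser.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type PoamConfig struct {
	DeadlineReminderEnabled   bool
	DeadlineReminderSchedule  string
	ReminderWindowDays        int
	OverdueTransitionEnabled  bool
	OverdueTransitionSchedule string
	MilestoneOverdueEnabled   bool
	MilestoneOverdueSchedule  string
	OpenDigestEnabled         bool
	OpenDigestSchedule        string
	OpenDigestWindow          string
}

// defaultPoamConfig uses the schedules quoted in the field comments above and the
// documented 30-day window; every job starts disabled.
func defaultPoamConfig() *PoamConfig {
	return &PoamConfig{
		DeadlineReminderSchedule:  "0 0 8 * * *",
		ReminderWindowDays:        30,
		OverdueTransitionSchedule: "0 0 9 * * *",
		MilestoneOverdueSchedule:  "0 0 10 * * 1",
		OpenDigestSchedule:        "0 0 7 * * *",
		OpenDigestWindow:          "daily",
	}
}

// Bounds for the six cron fields: second, minute, hour, day-of-month, month, day-of-week.
var cronBounds = [6][2]int{{0, 59}, {0, 59}, {0, 23}, {1, 31}, {1, 12}, {0, 6}}

// validateCronField accepts "*", N, A-B, comma lists of those, and an optional /step.
func validateCronField(field string, lo, hi int) error {
	for _, part := range strings.Split(field, ",") {
		rng, step, hasStep := strings.Cut(part, "/")
		if n, err := strconv.Atoi(step); hasStep && (err != nil || n < 1) {
			return fmt.Errorf("bad step in %q", part)
		}
		if rng == "*" {
			continue
		}
		first, last, isRange := strings.Cut(rng, "-")
		if !isRange {
			last = first
		}
		a, errA := strconv.Atoi(first)
		b, errB := strconv.Atoi(last)
		if errA != nil || errB != nil || a < lo || b > hi || a > b {
			return fmt.Errorf("%q is not a value or range within %d-%d", part, lo, hi)
		}
	}
	return nil
}

// validateCron requires the six-field form the page's schedules use ("0 0 8 * * *");
// a five-field crontab line is rejected rather than silently shifted by one field.
func validateCron(spec string) error {
	fields := strings.Fields(spec)
	if len(fields) != 6 {
		return fmt.Errorf("%q: want 6 fields (sec min hour dom month dow), got %d", spec, len(fields))
	}
	for i, f := range fields {
		if err := validateCronField(f, cronBounds[i][0], cronBounds[i][1]); err != nil {
			return fmt.Errorf("%q field %d: %w", spec, i+1, err)
		}
	}
	return nil
}

// Validate implements the three checks the text lists: only enabled jobs need a
// parsable schedule, the window must be daily or weekly, and the look-ahead positive.
func (c *PoamConfig) Validate() error {
	jobs := []struct{ name, schedule string; enabled bool }{
		{"deadline_reminder", c.DeadlineReminderSchedule, c.DeadlineReminderEnabled},
		{"overdue_transition", c.OverdueTransitionSchedule, c.OverdueTransitionEnabled},
		{"milestone_overdue", c.MilestoneOverdueSchedule, c.MilestoneOverdueEnabled},
		{"open_digest", c.OpenDigestSchedule, c.OpenDigestEnabled},
	}
	for _, j := range jobs {
		if !j.enabled {
			continue
		}
		if err := validateCron(j.schedule); err != nil {
			return fmt.Errorf("poam: %s_schedule: %w", j.name, err)
		}
	}
	if c.ReminderWindowDays <= 0 {
		return fmt.Errorf("poam: reminder_window_days must be positive, got %d", c.ReminderWindowDays)
	}
	if w := c.OpenDigestWindow; w != "daily" && w != "weekly" {
		return fmt.Errorf("poam: open_digest_window must be daily or weekly, got %q", w)
	}
	return nil
}
```

Run this at startup, before the scheduler registers anything, and fail the process on error: a job that is enabled but never fires is the quiet failure mode for reminder and overdue scanners, since nothing downstream notices the absence of a notification.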

type RetryPolicyConfig added in v0.10.0

type RetryPolicyConfig struct {
	// MaxAttempts is the maximum number of attempts for a job
	MaxAttempts int `mapstructure:"max_attempts"`
}

RetryPolicyConfig defines retry behavior for jobs

type RiskConfig added in v0.13.0

type RiskConfig struct {
	ReviewDeadlineReminderEnabled  bool   `mapstructure:"review_deadline_reminder_enabled" yaml:"review_deadline_reminder_enabled" json:"reviewDeadlineReminderEnabled"`
	ReviewDeadlineReminderSchedule string `` /* 127-byte string literal not displayed */

	ReviewOverdueEscalationEnabled  bool   `` /* 127-byte string literal not displayed */
	ReviewOverdueEscalationSchedule string `` /* 130-byte string literal not displayed */

	StaleRiskScannerEnabled  bool   `mapstructure:"stale_risk_scanner_enabled" yaml:"stale_risk_scanner_enabled" json:"staleRiskScannerEnabled"`
	StaleRiskScannerSchedule string `mapstructure:"stale_risk_scanner_schedule" yaml:"stale_risk_scanner_schedule" json:"staleRiskScannerSchedule"`

	EvidenceReconciliationEnabled  bool   `mapstructure:"evidence_reconciliation_enabled" yaml:"evidence_reconciliation_enabled" json:"evidenceReconciliationEnabled"`
	EvidenceReconciliationSchedule string `mapstructure:"evidence_reconciliation_schedule" yaml:"evidence_reconciliation_schedule" json:"evidenceReconciliationSchedule"`

	OpenDigestEnabled  bool   `mapstructure:"open_digest_enabled" yaml:"open_digest_enabled" json:"openDigestEnabled"`
	OpenDigestSchedule string `mapstructure:"open_digest_schedule" yaml:"open_digest_schedule" json:"openDigestSchedule"`
	OpenDigestWindow   string `mapstructure:"open_digest_window" yaml:"open_digest_window" json:"openDigestWindow"`

	AutoReopenEnabled       bool `mapstructure:"auto_reopen_enabled" yaml:"auto_reopen_enabled" json:"autoReopenEnabled"`
	AutoReopenThresholdDays int  `mapstructure:"auto_reopen_threshold_days" yaml:"auto_reopen_threshold_days" json:"autoReopenThresholdDays"`
}

RiskConfig contains configuration for risk-related periodic workers.

func DefaultRiskConfig added in v0.13.0

func DefaultRiskConfig() *RiskConfig

func LoadRiskConfig added in v0.13.0

func LoadRiskConfig(path string) (*RiskConfig, error)

func (*RiskConfig) Validate added in v0.13.0

func (c *RiskConfig) Validate() error

type SESConfig added in v0.6.0

type SESConfig struct {
	Name            string `yaml:"name" json:"name" mapstructure:"name"`
	Enabled         bool   `yaml:"enabled" json:"enabled" mapstructure:"enabled"`
	Region          string `yaml:"region" json:"region" mapstructure:"region"`
	AccessKeyID     string `yaml:"access_key_id" json:"accessKeyId" mapstructure:"access_key_id"`
	SecretAccessKey string `yaml:"secret_access_key" json:"secretAccessKey" mapstructure:"secret_access_key"`
	SessionToken    string `yaml:"session_token" json:"sessionToken" mapstructure:"session_token"`
	From            string `yaml:"from" json:"from" mapstructure:"from"`
	FromName        string `yaml:"from_name" json:"fromName" mapstructure:"from_name"`
}

func (*SESConfig) GetName added in v0.6.0

func (c *SESConfig) GetName() string

func (*SESConfig) GetType added in v0.6.0

func (c *SESConfig) GetType() string

func (*SESConfig) IsEnabled added in v0.6.0

func (c *SESConfig) IsEnabled() bool

type SMTPConfig added in v0.6.0

type SMTPConfig struct {
	Name     string `yaml:"name" json:"name" mapstructure:"name"`
	Enabled  bool   `yaml:"enabled" json:"enabled" mapstructure:"enabled"`
	Host     string `yaml:"host" json:"host" mapstructure:"host"`
	Port     int    `yaml:"port" json:"port" mapstructure:"port"`
	Username string `yaml:"username" json:"username" mapstructure:"username"`
	Password string `yaml:"password" json:"password" mapstructure:"password"`
	From     string `yaml:"from" json:"from" mapstructure:"from"`
	FromName string `yaml:"from_name" json:"fromName" mapstructure:"from_name"`
	UseTLS   bool   `yaml:"use_tls" json:"useTls" mapstructure:"use_tls"`
	UseSSL   bool   `yaml:"use_ssl" json:"useSsl" mapstructure:"use_ssl"`
}

func (*SMTPConfig) GetName added in v0.6.0

func (c *SMTPConfig) GetName() string

func (*SMTPConfig) GetType added in v0.6.0

func (c *SMTPConfig) GetType() string

func (*SMTPConfig) IsEnabled added in v0.6.0

func (c *SMTPConfig) IsEnabled() bool

type SSOConfig added in v0.5.0

type SSOConfig struct {
	Enabled     bool                         `yaml:"enabled" json:"enabled" mapstructure:"enabled"`
	BaseURL     string                       `yaml:"base_url" json:"base_url" mapstructure:"base_url"`
	CallbackURL string                       `yaml:"callback_url" json:"callback_url" mapstructure:"callback_url"`
	Providers   map[string]SSOProviderConfig `yaml:"providers" json:"providers" mapstructure:"providers"`
}

func LoadSSOConfig added in v0.5.0

func LoadSSOConfig(path string) (*SSOConfig, error)

func (*SSOConfig) GetEnabledProviders added in v0.5.0

func (c *SSOConfig) GetEnabledProviders() []SSOProviderConfig

func (*SSOConfig) GetProvider added in v0.5.0

func (c *SSOConfig) GetProvider(name string) *SSOProviderConfig

type SSOProviderConfig added in v0.5.0

type SSOProviderConfig struct {
	Name                string              `yaml:"name" json:"name" mapstructure:"name"`
	DisplayName         string              `yaml:"display_name" json:"displayName" mapstructure:"display_name"`
	Provider            string              `yaml:"provider" json:"provider" mapstructure:"provider"` // google, github, generic
	Protocol            string              `yaml:"protocol" json:"protocol" mapstructure:"protocol"` // oidc or oauth
	IconURL             string              `yaml:"icon_url" json:"iconUrl" mapstructure:"icon_url"`
	RequiredLoginGroups []string            `yaml:"required_login_groups" json:"requiredLoginGroups" mapstructure:"required_login_groups"`
	RequiredAdminGroups []string            `yaml:"required_admin_groups" json:"requiredAdminGroups" mapstructure:"required_admin_groups"`
	ClientID            string              `yaml:"client_id" json:"clientId" mapstructure:"client_id"`
	ClientSecret        string              `yaml:"client_secret" json:"clientSecret" mapstructure:"client_secret"`
	IssuerURL           string              `yaml:"issuer_url" json:"issuerUrl" mapstructure:"issuer_url"`
	WellKnownURL        string              `yaml:"well_known_url" json:"wellKnownUrl" mapstructure:"well_known_url"`
	AuthURL             string              `yaml:"auth_url" json:"authUrl" mapstructure:"auth_url"`
	TokenURL            string              `yaml:"token_url" json:"tokenUrl" mapstructure:"token_url"`
	UserInfoURL         string              `yaml:"user_info_url" json:"userInfoUrl" mapstructure:"user_info_url"`
	EmailURL            string              `yaml:"email_url" json:"emailUrl" mapstructure:"email_url"`
	Scopes              []string            `yaml:"scopes" json:"scopes" mapstructure:"scopes"`
	Enabled             bool                `yaml:"enabled" json:"enabled" mapstructure:"enabled"`
	GroupMapping        map[string][]string `yaml:"group_mapping" json:"groupMapping" mapstructure:"group_mapping"`
}

type SlackConfig added in v0.15.0

type SlackConfig struct {
	Enabled bool   `mapstructure:"enabled" yaml:"enabled" json:"enabled"`
	Token   string `mapstructure:"token" yaml:"token" json:"token"`
	// DigestChannel is kept for one-time migration into ccf_system_notification_destinations.
	DigestChannel string `mapstructure:"digest_channel" yaml:"digest_channel" json:"digest_channel"`
	ClientID      string `mapstructure:"client_id" yaml:"client_id" json:"client_id"`
	ClientSecret  string `mapstructure:"client_secret" yaml:"client_secret" json:"client_secret"`
	RedirectURL   string `mapstructure:"redirect_url" yaml:"redirect_url" json:"redirect_url"`
}

func LoadSlackConfig added in v0.15.0

func LoadSlackConfig(path string) (*SlackConfig, error)

type SupportedEmailProviders added in v0.6.0

type SupportedEmailProviders struct {
	SMTP *SMTPConfig `yaml:"smtp" json:"smtp" mapstructure:"smtp"`
	SES  *SESConfig  `yaml:"ses" json:"ses" mapstructure:"ses"`
}

type WorkerConfig added in v0.10.0

type WorkerConfig struct {
	// Enabled determines if workers should be started
	Enabled bool `mapstructure:"enabled"`

	// Number of worker goroutines to run
	Workers int `mapstructure:"workers"`

	// Queue is the name of the queue to work on
	Queue string `mapstructure:"queue"`

	// UsePolling makes River poll for jobs instead of using PostgreSQL LISTEN/NOTIFY.
	UsePolling bool `mapstructure:"use_polling"`

	// RetryPolicy defines how jobs should be retried
	RetryPolicy RetryPolicyConfig `mapstructure:"retry_policy"`
}

WorkerConfig contains configuration for background workers. Environment variables:

  • CCF_WORKER_ENABLED: Enable/disable workers (default: true)
  • CCF_WORKER_COUNT: Number of concurrent workers (default: 5)
  • CCF_WORKER_QUEUE: Queue name to process (default: "email")
  • CCF_WORKER_USE_POLLING: Use River polling instead of PostgreSQL LISTEN/NOTIFY (default: false)

func DefaultWorkerConfig added in v0.10.0

func DefaultWorkerConfig() *WorkerConfig

DefaultWorkerConfig returns a default worker configuration

type WorkflowConfig added in v0.12.0

type WorkflowConfig struct {
	// SchedulerEnabled determines if the workflow scheduler is enabled
	SchedulerEnabled bool `mapstructure:"scheduler_enabled" yaml:"scheduler_enabled" json:"schedulerEnabled"`

	// Schedule is the cron schedule for the workflow scheduler
	Schedule string `mapstructure:"scheduler_schedule" yaml:"scheduler_schedule" json:"schedulerSchedule"`

	// GracePeriodDays is the number of days before a workflow step is considered overdue
	GracePeriodDays int `mapstructure:"grace_period_days" yaml:"grace_period_days" json:"gracePeriodDays"`

	// OverdueCheckEnabled determines if we should check for overdue workflows
	OverdueCheckEnabled bool `mapstructure:"overdue_check_enabled" yaml:"overdue_check_enabled" json:"overdueCheckEnabled"`

	// DueSoonEnabled determines if the daily due-soon reminder emails are enabled
	DueSoonEnabled bool `mapstructure:"due_soon_enabled" yaml:"due_soon_enabled" json:"dueSoonEnabled"`

	// DueSoonSchedule is the cron schedule for the due-soon checker (default: daily at 08:00 UTC)
	DueSoonSchedule string `mapstructure:"due_soon_schedule" yaml:"due_soon_schedule" json:"dueSoonSchedule"`

	// TaskDigestEnabled determines if the daily workflow task digest emails are enabled
	TaskDigestEnabled bool `mapstructure:"task_digest_enabled" yaml:"task_digest_enabled" json:"taskDigestEnabled"`

	// TaskDigestSchedule is the cron schedule for the workflow task digest (default: daily at 08:00 UTC)
	TaskDigestSchedule string `mapstructure:"task_digest_schedule" yaml:"task_digest_schedule" json:"taskDigestSchedule"`
}

WorkflowConfig contains configuration for the workflow scheduler

func DefaultWorkflowConfig added in v0.12.0

func DefaultWorkflowConfig() *WorkflowConfig

DefaultWorkflowConfig returns a default workflow configuration

func LoadWorkflowConfig added in v0.12.0

func LoadWorkflowConfig(path string) (*WorkflowConfig, error)

LoadWorkflowConfig loads workflow configuration from a file or environment variables

func (*WorkflowConfig) Validate added in v0.12.0

func (c *WorkflowConfig) Validate() error

Validate checks if the configuration is valid
