security

Published: Sep 4, 2025 License: Apache-2.0 Imports: 86 Imported by: 0

Documentation

Overview

Package security implements additional secrets backends (alternative storage providers for secrets).

Package security provides enterprise-grade certificate rotation and renewal with automated lifecycle management, compliance monitoring, and integration with Kubernetes cert-manager and external Certificate Authorities

Package security implements container security scanning and RBAC enforcement for Nephoran Intent Operator with O-RAN WG11 compliance

Package security provides enterprise-grade cryptographic utilities implementing O-RAN WG11 security requirements and modern cryptographic standards

Package security implements DDoS protection and advanced rate limiting for Nephoran Intent Operator with O-RAN WG11 compliance

Package security provides enterprise-grade mutual TLS (mTLS) implementation for the Nephoran Intent Operator, ensuring secure inter-service communication with full O-RAN WG11 compliance and automated certificate management

Package security provides cryptographically secure random number generation utilities (a drop-in replacement for the math/rand API: Int, Intn, Float64, Perm, Shuffle, ...) intended to replace insecure math/rand usage across the Nephoran codebase. Note that crypto/rand is the secure source, not the one being replaced.

Package security provides comprehensive security configuration and validation

Package security implements SPIFFE/SPIRE zero-trust authentication for Nephoran Intent Operator with O-RAN WG11 compliance

Package security implements real-time security monitoring and threat detection for Nephoran Intent Operator with O-RAN WG11 compliance

Package security provides TLS security audit and reporting capabilities

Package security provides O-RAN WG11 compliant TLS configurations

Index

Constants

// Message type tags used by this package's framing. The values are
// 0x01 through 0x05 in declaration order; they are part of the wire
// format and must not be renumbered.
const (
	MessageTypeData      uint8 = iota + 1 // 0x01
	MessageTypeHandshake                  // 0x02
	MessageTypeHeartbeat                  // 0x03
	MessageTypeRekey                      // 0x04
	MessageTypeClose                      // 0x05
)

Variables

// ErrSecretNotFound is returned when a lookup for a secret yields nothing.
// Compare with errors.Is so wrapped errors are still recognised.
var ErrSecretNotFound = errors.New("secret not found")

// ErrKeyNotFound is returned when a lookup for a key yields nothing.
// Compare with errors.Is so wrapped errors are still recognised.
var ErrKeyNotFound = errors.New("key not found")
// InterfaceSecurityRequirements maps each O-RAN interface name to the
// minimum transport-security posture it must present. AllowedProfiles
// refers to the keys of ORANSecurityProfiles ("baseline", "enhanced",
// "strict"). Every interface requires mutual TLS and client
// authentication; only O1 relaxes OCSP and admits the "baseline" profile.
// NOTE(review): the enforcement of these fields happens elsewhere — this
// table is data only, so a consumer that ignores RequireOCSP silently
// downgrades the interface.
var InterfaceSecurityRequirements = map[string]struct {
	RequireMTLS        bool
	RequireOCSP        bool
	RequireClientAuth  bool
	AllowedProfiles    []string
	MinComplianceLevel string
}{
	// A1 (non-RT RIC <-> near-RT RIC): TLS 1.3 profiles only, OCSP required.
	"A1": {
		RequireMTLS:        true,
		RequireOCSP:        true,
		RequireClientAuth:  true,
		AllowedProfiles:    []string{"enhanced", "strict"},
		MinComplianceLevel: "L2",
	},
	// E2 (near-RT RIC <-> E2 nodes): same posture as A1.
	"E2": {
		RequireMTLS:        true,
		RequireOCSP:        true,
		RequireClientAuth:  true,
		AllowedProfiles:    []string{"enhanced", "strict"},
		MinComplianceLevel: "L2",
	},
	// O1 (management): the only interface that may run the "baseline"
	// (TLS 1.2-capable) profile without OCSP, at compliance level L1.
	// This is consistent with the "baseline" profile in ORANSecurityProfiles,
	// whose OCSPStaplingRequired is false — keep the two in step.
	"O1": {
		RequireMTLS:        true,
		RequireOCSP:        false,
		RequireClientAuth:  true,
		AllowedProfiles:    []string{"baseline", "enhanced", "strict"},
		MinComplianceLevel: "L1",
	},
	// O2 (cloud/infrastructure): same posture as A1.
	"O2": {
		RequireMTLS:        true,
		RequireOCSP:        true,
		RequireClientAuth:  true,
		AllowedProfiles:    []string{"enhanced", "strict"},
		MinComplianceLevel: "L2",
	},
}

InterfaceSecurityRequirements defines O-RAN interface-specific requirements

// ORANSecurityProfiles holds the three standard TLS profiles ("baseline",
// "enhanced", "strict") referenced by InterfaceSecurityRequirements.
//
// NOTE(review): in Go's crypto/tls, Config.CipherSuites only governs
// TLS 1.0–1.2. TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are not
// configurable: all three remain enabled regardless of what is listed here.
// So for "enhanced" and "strict", which pin MinTLSVersion to 1.3, the
// CipherSuites lists are documentary only — a peer can still negotiate
// TLS_AES_128_GCM_SHA256 or TLS_CHACHA20_POLY1305_SHA256 under "strict".
// If the suite restriction is a compliance requirement, it must be enforced
// after the handshake (e.g. by checking ConnectionState().CipherSuite).
var ORANSecurityProfiles = map[string]*ORANTLSCompliance{
	// baseline: permits TLS 1.2 with ECDHE+AEAD suites only (no CBC, no RSA
	// key exchange); the TLS 1.3 entries at the top are inert in Go (see
	// note above). OCSP stapling is optional, matching O1 in
	// InterfaceSecurityRequirements.
	"baseline": {
		SecurityProfile: "baseline",
		MinTLSVersion:   tls.VersionTLS12,
		MaxTLSVersion:   tls.VersionTLS13,
		CipherSuites: []uint16{

			tls.TLS_AES_256_GCM_SHA384,
			tls.TLS_AES_128_GCM_SHA256,
			tls.TLS_CHACHA20_POLY1305_SHA256,

			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		},
		CurvePreferences: []tls.CurveID{
			tls.X25519,
			tls.CurveP384,
			tls.CurveP256,
		},
		RequireStrongKeys:    true,
		MinRSAKeySize:        2048,
		MinECDSAKeySize:      256,
		OCSPStaplingRequired: false,
		// 24h is the longest session lifetime of the three profiles.
		SessionTimeout: 24 * time.Hour,
	},
	// enhanced: TLS 1.3 only, 3072-bit RSA / P-384 minimum, OCSP must-staple,
	// session tickets disabled. RequireEKU is not set here (zero value).
	"enhanced": {
		SecurityProfile: "enhanced",
		MinTLSVersion:   tls.VersionTLS13,
		MaxTLSVersion:   tls.VersionTLS13,
		CipherSuites: []uint16{

			tls.TLS_AES_256_GCM_SHA384,
			tls.TLS_CHACHA20_POLY1305_SHA256,
		},
		CurvePreferences: []tls.CurveID{
			tls.X25519,
			tls.CurveP384,
		},
		RequireStrongKeys:      true,
		MinRSAKeySize:          3072,
		MinECDSAKeySize:        384,
		OCSPStaplingRequired:   true,
		OCSPMustStaple:         true,
		SessionTicketsDisabled: true,
		SessionTimeout:         12 * time.Hour,
		// tls.RenegotiateNever is already crypto/tls's default; stated
		// explicitly so the intent survives a future default change.
		RenegotiationPolicy: tls.RenegotiateNever,
	},
	// strict: TLS 1.3 only, a single AEAD suite (not enforceable by Go, see
	// note above), P-384 only (X25519 deliberately excluded), 4096-bit RSA,
	// EKU required, OCSP hard-fail, 1h sessions.
	"strict": {
		SecurityProfile: "strict",
		MinTLSVersion:   tls.VersionTLS13,
		MaxTLSVersion:   tls.VersionTLS13,
		CipherSuites: []uint16{

			tls.TLS_AES_256_GCM_SHA384,
		},
		CurvePreferences: []tls.CurveID{
			tls.CurveP384,
		},
		RequireStrongKeys:      true,
		MinRSAKeySize:          4096,
		MinECDSAKeySize:        384,
		RequireEKU:             true,
		OCSPStaplingRequired:   true,
		OCSPMustStaple:         true,
		// OCSPSoftFail false: an unavailable OCSP responder fails the
		// connection rather than being tolerated.
		OCSPSoftFail:           false,
		SessionTicketsDisabled: true,
		SessionTimeout:         1 * time.Hour,
		RenegotiationPolicy:    tls.RenegotiateNever,
	},
}

ORANSecurityProfiles defines the three standard TLS security profiles (baseline, enhanced, strict) per O-RAN WG11; InterfaceSecurityRequirements selects which of them each interface may use.

Functions

func AuditAuthenticationAttempt

func AuditAuthenticationAttempt(provider, userID, ipAddress, userAgent string, success bool, err error)

func AuditSecretAccess

func AuditSecretAccess(secretType, source, userID, sessionID string, success bool, err error)

func BasicSecurityHeaders

func BasicSecurityHeaders(next http.Handler) http.Handler

func BasicSecurityHeadersMiddleware

func BasicSecurityHeadersMiddleware(next http.Handler) http.Handler

BasicSecurityHeadersMiddleware adds basic security headers to HTTP responses

func Bytes

func Bytes(b []byte)

Bytes fills the slice with secure random bytes

func DecodeBase64

func DecodeBase64(encoded string) ([]byte, error)

func DecodeHex

func DecodeHex(encoded string) ([]byte, error)

func DeserializePublicKey

func DeserializePublicKey(data []byte) (*rsa.PublicKey, error)

func Duration

func Duration(min, max time.Duration) time.Duration

Duration returns a secure random duration between min and max

func EncodeBase64

func EncodeBase64(data []byte) string

func EncodeCertificatePEM

func EncodeCertificatePEM(cert *x509.Certificate) []byte

EncodeCertificatePEM encodes a certificate to PEM format

func EncodeHex

func EncodeHex(data []byte) string

func EncodePrivateKeyPEM

func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte

EncodePrivateKeyPEM encodes an RSA private key to PEM format

func ExpFloat64

func ExpFloat64() float64

ExpFloat64 returns a secure exponentially distributed float64

func ExportCertificate

func ExportCertificate(cert *x509.Certificate) []byte

func ExportPrivateKey

func ExportPrivateKey(key crypto.PrivateKey) ([]byte, error)

func Float32

func Float32() float32

Float32 returns a secure random float32 in [0.0,1.0)

func Float64

func Float64() float64

Float64 returns a secure random float64 in [0.0,1.0)

func GenerateExecutionID

func GenerateExecutionID() string

GenerateExecutionID is the public interface for generating execution IDs

func GenerateKeyPair

func GenerateKeyPair(bits int) (*rsa.PrivateKey, *rsa.PublicKey, error)

func GenerateSecureToken

func GenerateSecureToken(length int) (string, error)

GenerateSecureToken generates a cryptographically secure token

func InitGlobalAuditLogger

func InitGlobalAuditLogger(logFilePath string, minLevel interfaces.AuditLevel) error

func Int

func Int() int

Int returns a secure random int

func Int31

func Int31() int32

Int31 returns a secure random 31-bit integer

func Int31n

func Int31n(n int32) int32

Int31n returns a secure random number in [0,n)

func Int63

func Int63() int64

Int63 returns a secure random 63-bit integer

func Int63n

func Int63n(n int64) int64

Int63n returns a secure random number in [0,n)

func Intn

func Intn(n int) int

Intn returns a secure random number in [0,n)

func NewSecureCORSMiddleware

func NewSecureCORSMiddleware(config CORSConfig) func(http.Handler) http.Handler

NewSecureCORSMiddleware creates a secure CORS middleware

func NormFloat64

func NormFloat64() float64

NormFloat64 returns a secure normally distributed float64

func PadPKCS7

func PadPKCS7(data []byte, blockSize int) []byte

func Perm

func Perm(n int) []int

Perm returns a secure random permutation of [0,n)

func SafeCloseBody

func SafeCloseBody(resp *http.Response) error

func SanitizeInput

func SanitizeInput(input string) string

SanitizeInput sanitizes user input as a defence-in-depth measure against injection. Generic sanitization is not a substitute for context-specific handling at the point of use (parameterized queries, HTML/shell escaping); callers should still apply those.

func SecureBackoff

func SecureBackoff(attempt int, baseDelay, maxDelay time.Duration) time.Duration

SecureBackoff calculates exponential backoff with secure jitter

func SecureChoice

func SecureChoice[T any](items []T) T

SecureChoice randomly selects an element from a slice using secure random

func SecureClear

func SecureClear(data []byte)

func SecureFileOpen

func SecureFileOpen(basePath, userPath string) (*os.File, error)

SecureFileOpen opens a file with path traversal protection

func SecureHTTPClient

func SecureHTTPClient(timeout time.Duration) *http.Client

func SecureHTTPServer

func SecureHTTPServer(addr string, handler http.Handler) *http.Server

func SecureID

func SecureID() string

SecureID generates a cryptographically secure ID

func SecureJitter

func SecureJitter(base time.Duration, jitterPercent float64) time.Duration

SecureJitter adds cryptographically secure jitter to a base duration

func SecureRandomString

func SecureRandomString(length int) string

SecureRandomString generates a cryptographically secure random string

func SecureRequest

func SecureRequest(ctx context.Context, method, url string, timeout time.Duration) (*http.Request, error)

func SecureSessionID

func SecureSessionID() string

SecureSessionID generates a secure session ID

func SecureStringCompare

func SecureStringCompare(a, b string) bool

func SecureToken

func SecureToken(length int) string

SecureToken generates a cryptographically secure token. Unlike GenerateSecureToken it has no error return, so a randomness failure cannot be observed through the result; prefer GenerateSecureToken where the error can be handled.

func SecureWeightedChoice

func SecureWeightedChoice[T any](items []T, weights []int) T

SecureWeightedChoice randomly selects an element based on weights using secure random

func SerializePublicKey

func SerializePublicKey(pub *rsa.PublicKey) ([]byte, error)

func Shuffle

func Shuffle(n int, swap func(i, j int))

Shuffle securely randomizes the order of elements

func TimingSafeEqual

func TimingSafeEqual(a, b []byte) bool

func UnpadPKCS7

func UnpadPKCS7(data []byte) ([]byte, error)

func ValidateConfiguration

func ValidateConfiguration(config SecurityScannerConfig) error

func ValidateEmail

func ValidateEmail(email string) error

ValidateEmail validates email addresses

func ValidateEnterpriseSecurityCompliance

func ValidateEnterpriseSecurityCompliance(config *CryptoConfig) error

ValidateEnterpriseSecurityCompliance validates that the configuration meets enterprise security standards

func ValidateHTTPURL

func ValidateHTTPURL(rawURL string) (*url.URL, error)

func ValidateJSON

func ValidateJSON(input string, maxSize int) error

ValidateJSON validates JSON input, bounded by maxSize. Note the signature takes no schema argument, so callers should not rely on it for schema validation without checking the implementation.

func ValidatePath

func ValidatePath(path string) error

ValidatePath validates a file path for security issues

func ValidateSecureRandomness

func ValidateSecureRandomness() error

ValidateSecureRandomness validates that the random number generator is working correctly

func ValidateURL

func ValidateURL(inputURL string) (*url.URL, error)

ValidateURL validates and sanitizes URLs

func XORBytes

func XORBytes(a, b []byte) []byte

func ZeroBytes

func ZeroBytes(b []byte)

Types

type Action

// Action is a typed action whose parameters are kept as raw JSON so the
// component that understands Type can decode them later.
type Action struct {
	Type string `json:"type"`

	// Parameters is deferred-decoded; its schema depends on Type — verify
	// against the consumer before relying on any particular field.
	Parameters json.RawMessage `json:"parameters"`
}

type ActiveThreat

// ActiveThreat represents an active threat being monitored: its source,
// the window in which it was observed, a score, and the indicators that
// contributed to it.
type ActiveThreat struct {
	ID          string            `json:"id"`
	Type        string            `json:"type"`
	Source      string            `json:"source"` // presumably an IP or identity; confirm with the detector that fills it
	FirstSeen   time.Time         `json:"first_seen"`
	LastSeen    time.Time         `json:"last_seen"`
	EventCount  int64             `json:"event_count"`
	ThreatScore int               `json:"threat_score"` // scale not documented here — TODO confirm range
	Active      bool              `json:"active"`
	Mitigated   bool              `json:"mitigated"`
	Indicators  []ThreatIndicator `json:"indicators"`
	Metadata    json.RawMessage   `json:"metadata"` // opaque; decoded by consumers
}

ActiveThreat represents an active threat being monitored

type AdvancedKeyManager

// AdvancedKeyManager is the key lifecycle contract used by this package:
// generation, storage, rotation and deletion of individual keys, plus a
// master key with derived sub-keys, key escrow and threshold setup.
// Implementations are created with NewKeyManager.
type AdvancedKeyManager interface {
	// GenerateKey creates a new key of the given type and size.
	GenerateKey(keyType string, bits int) (*StoredKey, error)

	// StoreKey persists an already-constructed key.
	StoreKey(key *StoredKey) error

	// RetrieveKey loads a key by ID.
	RetrieveKey(keyID string) (*StoredKey, error)

	// RotateKey replaces the key identified by keyID and returns the new one.
	RotateKey(keyID string) (*StoredKey, error)

	// DeleteKey removes a key. Destructive; callers should audit the call.
	DeleteKey(keyID string) error

	// GenerateMasterKey creates the master key from which DeriveKey derives.
	GenerateMasterKey(keyType string, bits int) error

	// DeriveKey returns key material for a purpose and version (KDF details
	// are implementation-defined — verify before relying on domain separation).
	DeriveKey(purpose string, version int) ([]byte, error)

	// EscrowKey splits keyID among agents so that threshold of them can
	// recover it.
	EscrowKey(keyID string, agents []EscrowAgent, threshold int) error

	// SetupThresholdCrypto configures a threshold-of-total scheme for keyID.
	SetupThresholdCrypto(keyID string, threshold, total int) error
}

func NewKeyManager

func NewKeyManager(store KeyStore) AdvancedKeyManager

type AlertConfig

// AlertConfig holds the thresholds at which vulnerability findings raise
// an alert, and the remediation SLA.
type AlertConfig struct {
	CriticalThreshold int `json:"critical_threshold"` // Number of critical vulns to trigger alert

	HighThreshold int `json:"high_threshold"` // Number of high vulns to trigger alert

	CVSSThreshold float64 `json:"cvss_threshold"` // CVSS score to trigger alert

	TimeToRemediate time.Duration `json:"time_to_remediate"` // SLA for remediation
}

type AnomalyDetectionEngine

// AnomalyDetectionEngine is one of the detection engines used by the
// security monitor. Its state is unexported.
type AnomalyDetectionEngine struct {
	// contains filtered or unexported fields
}

type AuditConfig

// AuditConfig holds audit configuration: whether auditing is on, which
// request outcomes are logged, and how long records are kept.
type AuditConfig struct {
	Enabled               bool   `json:"enabled"`
	LogLevel              string `json:"log_level,omitempty"`
	LogSuccessfulRequests bool   `json:"log_successful_requests"`
	LogFailedRequests     bool   `json:"log_failed_requests"`
	// RetentionDays is omitted from JSON when zero; presumably the consumer
	// applies a default in that case — verify.
	RetentionDays int `json:"retention_days,omitempty"`
}

AuditConfig holds audit configuration

type AuditEngine

// AuditEngine records compliance checks and answers per-node audit
// questions (see IsAuditEnabled, GetRetentionPeriod). Create with
// NewAuditEngine.
type AuditEngine struct {
	// contains filtered or unexported fields
}

func NewAuditEngine

func NewAuditEngine(config *ComplianceConfig, logger logr.Logger) *AuditEngine

func (*AuditEngine) GetRetentionPeriod

func (a *AuditEngine) GetRetentionPeriod(nodeID string) (int, error)

func (*AuditEngine) IsAuditEnabled

func (a *AuditEngine) IsAuditEnabled(nodeID string) bool

func (*AuditEngine) RecordComplianceCheck

func (a *AuditEngine) RecordComplianceCheck(result *ORANComplianceResult)

type AuditEntry

// AuditEntry is a minimal, untagged audit record (compare AuditEvent, the
// JSON-tagged variant used by AuditLogger).
type AuditEntry struct {
	Timestamp time.Time

	Level string // Info, Warning, Error, Critical

	Component string

	Message string

	UserAction string

	Result string
}

type AuditEvent

// AuditEvent is the structured record written by AuditLogger. Identity and
// request-origin fields are optional and omitted from JSON when empty.
type AuditEvent struct {
	Timestamp time.Time `json:"timestamp"`

	Level interfaces.AuditLevel `json:"level"`

	Event string `json:"event"`

	Component string `json:"component"`

	UserID string `json:"user_id,omitempty"`

	SessionID string `json:"session_id,omitempty"`

	IPAddress string `json:"ip_address,omitempty"`

	UserAgent string `json:"user_agent,omitempty"`

	// Data is free-form. NOTE(review): audit logs are long-lived and widely
	// readable; callers must not place secret material in Data.
	Data json.RawMessage `json:"data,omitempty"`

	Result string `json:"result"`

	Error string `json:"error,omitempty"`
}

type AuditLogger

// AuditLogger writes AuditEvent records for authentication, secret access,
// rotation and security-violation events. Create with NewAuditLogger and
// release with Close.
type AuditLogger struct {
	// contains filtered or unexported fields
}
// GlobalAuditLogger is the process-wide logger used by the package-level
// Audit* helpers. It is mutable package state, presumably populated by
// InitGlobalAuditLogger — callers should check it for nil before use.
var GlobalAuditLogger *AuditLogger

func NewAuditLogger

func NewAuditLogger(logFilePath string, minLevel interfaces.AuditLevel) (*AuditLogger, error)

func (*AuditLogger) Close

func (al *AuditLogger) Close() error

func (*AuditLogger) IsEnabled

func (al *AuditLogger) IsEnabled() bool

func (*AuditLogger) LogAPIKeyValidation

func (al *AuditLogger) LogAPIKeyValidation(keyType, provider string, success bool, err error)

func (*AuditLogger) LogAuthenticationAttempt

func (al *AuditLogger) LogAuthenticationAttempt(provider, userID, ipAddress, userAgent string, success bool, err error)

func (*AuditLogger) LogSecretAccess

func (al *AuditLogger) LogSecretAccess(secretType, source, userID, sessionID string, success bool, err error)

func (*AuditLogger) LogSecretRotation

func (al *AuditLogger) LogSecretRotation(secretName, rotationType, userID string, success bool, err error)

func (*AuditLogger) LogSecurityViolation

func (al *AuditLogger) LogSecurityViolation(violationType, description, userID, ipAddress string, severity interfaces.AuditLevel)

func (*AuditLogger) LogUnauthorizedAccess

func (al *AuditLogger) LogUnauthorizedAccess(resource, userID, ipAddress, userAgent, reason string)

func (*AuditLogger) SetEnabled

func (al *AuditLogger) SetEnabled(enabled bool)

type AuditSummary

// AuditSummary provides high-level TLS audit results: endpoint counts,
// issue counts by severity, and an overall compliance/posture verdict.
type AuditSummary struct {
	TotalEndpoints      int      `json:"total_endpoints"`
	SecureEndpoints     int      `json:"secure_endpoints"`
	VulnerableEndpoints int      `json:"vulnerable_endpoints"`
	CriticalIssues      int      `json:"critical_issues"`
	HighIssues          int      `json:"high_issues"`
	MediumIssues        int      `json:"medium_issues"`
	LowIssues           int      `json:"low_issues"`
	ComplianceStatus    string   `json:"compliance_status"` // PASS, FAIL, PARTIAL
	ORANCompliant       bool     `json:"oran_compliant"`
	SecurityPosture     string   `json:"security_posture"` // EXCELLENT, GOOD, FAIR, POOR, CRITICAL
	TopRisks            []string `json:"top_risks"`
}

AuditSummary provides high-level audit results

type AuditorConfig

// AuditorConfig configures the TLS auditor: which endpoints to probe, how
// long to wait, which active checks to run, and the report format.
type AuditorConfig struct {
	Endpoints []string
	Timeout   time.Duration
	DeepScan  bool
	CheckOCSP bool
	CheckCRL  bool
	// TestWeakCiphers and TestRenegotiation are active probes against the
	// target; only enable them against endpoints you are authorised to test.
	TestWeakCiphers     bool
	TestRenegotiation   bool
	ComplianceStandards []string
	OutputFormat        string // json, html, pdf
}

AuditorConfig configures the TLS auditor

type AuthConfig

// AuthConfig holds authentication configuration for the supported providers
// (OAuth, JWT, LDAP) and token/cache lifetimes.
type AuthConfig struct {
	Enabled        bool                      `json:"enabled"`
	Providers      []string                  `json:"providers,omitempty"`
	OAuthProviders map[string]*OAuthProvider `json:"oauth_providers,omitempty"`
	JWT            *JWTConfig                `json:"jwt,omitempty"`
	LDAP           *LDAPConfig               `json:"ldap,omitempty"`
	DefaultScopes  []string                  `json:"default_scopes,omitempty"`
	// TokenTTL and CacheTTL are strings, presumably time.ParseDuration
	// syntax parsed elsewhere — verify.
	TokenTTL       string `json:"token_ttl,omitempty"`
	RefreshEnabled bool   `json:"refresh_enabled"`
	CacheEnabled   bool   `json:"cache_enabled"`
	CacheTTL       string `json:"cache_ttl,omitempty"`
}

AuthConfig holds authentication configuration

type AuthContext

// AuthContext contains authentication and authorization context for one
// request: the SPIFFE workload identity, the JWT claims, request origin,
// the resolved roles/permissions, and the validity window. Retrieve it with
// GetAuthContextFromRequest.
type AuthContext struct {
	// SPIFFE identity
	SpiffeID    spiffeid.ID
	TrustDomain string
	ServiceName string

	// JWT claims
	JWTClaims jwt.MapClaims
	Issuer    string
	Audience  []string

	// Request context
	Method     string
	Path       string
	RemoteAddr string // as seen by the server; may be a proxy address
	UserAgent  string

	// Authorization context
	Roles       []string
	Permissions []string
	Attributes  map[string]interface{}

	// Temporal context
	AuthTime       time.Time
	ExpirationTime time.Time // after this the context should be treated as stale
}

AuthContext contains authentication and authorization context

func GetAuthContextFromRequest

func GetAuthContextFromRequest(r *http.Request) (*AuthContext, bool)

GetAuthContextFromRequest extracts auth context from HTTP request

type AuthStats

// AuthStats tracks authentication statistics: attempt counters, policy
// denials, SVID rotations, and the timestamps of the last of each.
type AuthStats struct {
	TotalAuths       int64     `json:"total_auths"`
	SuccessfulAuths  int64     `json:"successful_auths"`
	FailedAuths      int64     `json:"failed_auths"`
	PolicyDenials    int64     `json:"policy_denials"`
	SvidRotations    int64     `json:"svid_rotations"`
	LastAuthTime     time.Time `json:"last_auth_time"`
	LastSvidRotation time.Time `json:"last_svid_rotation"`
}

AuthStats tracks authentication statistics

type AuthenticationEngine

// AuthenticationEngine validates credentials and tracks node certificates
// for the compliance framework. Create with NewAuthenticationEngine; Start
// and Stop manage its lifecycle.
type AuthenticationEngine struct {
	// contains filtered or unexported fields
}

Component stubs; in production these engines would live in separate files.

func NewAuthenticationEngine

func NewAuthenticationEngine(config *ComplianceConfig, logger logr.Logger) *AuthenticationEngine

func (*AuthenticationEngine) CheckCertificateRenewals

func (a *AuthenticationEngine) CheckCertificateRenewals()

func (*AuthenticationEngine) GetNodeCertificate

func (a *AuthenticationEngine) GetNodeCertificate(nodeID string) (*x509.Certificate, error)

func (*AuthenticationEngine) Start

func (a *AuthenticationEngine) Start() error

func (*AuthenticationEngine) Stop

func (a *AuthenticationEngine) Stop()

func (*AuthenticationEngine) ValidateCredentials

func (a *AuthenticationEngine) ValidateCredentials(creds interface{}) (bool, map[string]interface{}, error)

type AuthorizationEngine

// AuthorizationEngine answers subject/resource/action access decisions and
// checks per-node RBAC and least-privilege posture. Create with
// NewAuthorizationEngine; Start and Stop manage its lifecycle.
type AuthorizationEngine struct {
	// contains filtered or unexported fields
}

func NewAuthorizationEngine

func NewAuthorizationEngine(config *ComplianceConfig, logger logr.Logger) *AuthorizationEngine

func (*AuthorizationEngine) AuthorizeAccess

func (a *AuthorizationEngine) AuthorizeAccess(subject, resource, action string) (bool, string, error)

func (*AuthorizationEngine) HasValidRBACPolicy

func (a *AuthorizationEngine) HasValidRBACPolicy(nodeID string) bool

func (*AuthorizationEngine) Start

func (a *AuthorizationEngine) Start() error

func (*AuthorizationEngine) Stop

func (a *AuthorizationEngine) Stop()

func (*AuthorizationEngine) ValidateLeastPrivilege

func (a *AuthorizationEngine) ValidateLeastPrivilege(nodeID string) bool

type AuthzPolicy

// AuthzPolicy represents an authorization policy: the principals, resources
// and actions it covers, optional conditions, its effect (allow/deny, see
// PolicyDecision) and a priority for ordering among overlapping policies.
type AuthzPolicy struct {
	ID          string                `json:"id"`
	Name        string                `json:"name"`
	Description string                `json:"description"`
	Rules       []ZeroTrustPolicyRule `json:"rules"`
	Principals  []string              `json:"principals"`
	Resources   []string              `json:"resources"`
	Actions     []string              `json:"actions"`
	Conditions  map[string]string     `json:"conditions"`
	Effect      PolicyDecision        `json:"effect"`
	// Priority resolves conflicts between matching policies; whether higher
	// or lower wins is decided by the evaluator — confirm before authoring.
	Priority  int       `json:"priority"`
	CreatedAt time.Time `json:"created_at"`
	UpdatedAt time.Time `json:"updated_at"`
}

AuthzPolicy represents an authorization policy

type BehaviorPattern

// BehaviorPattern represents a behavioral pattern matched by the
// behavioral-analysis engine: named indicators and a match threshold.
type BehaviorPattern struct {
	Name        string            `json:"name"`
	Description string            `json:"description"`
	Indicators  []string          `json:"indicators"`
	Threshold   float64           `json:"threshold"`
	Metadata    map[string]string `json:"metadata"`
}

BehaviorPattern represents a behavioral pattern

type BehavioralAnalysisEngine

// BehavioralAnalysisEngine is a detection engine (simplified interface)
// that evaluates BehaviorPattern matches. Its state is unexported.
type BehavioralAnalysisEngine struct {
	// contains filtered or unexported fields
}

Detection engines (simplified interfaces)

type BenchmarkResult

// BenchmarkResult captures the outcome of one benchmark run in the same
// units testing.B reports (ns/op, B/op, allocs/op).
type BenchmarkResult struct {
	Name string

	Operations int

	Duration time.Duration

	BytesPerOp int64

	AllocsPerOp int64

	NsPerOp int64
}

type BlockedIP

// BlockedIP represents a blocked IP address, why it was blocked, and when
// the block lapses (ExpiresAt).
type BlockedIP struct {
	IP           string
	BlockedAt    time.Time
	ExpiresAt    time.Time
	Reason       string
	AttackType   string
	RequestCount int64
}

BlockedIP represents a blocked IP address

type CORSConfig

// CORSConfig holds CORS configuration consumed by NewSecureCORSMiddleware.
// NOTE(review): AllowCredentials together with a wildcard ("*") in
// AllowedOrigins is rejected by browsers and is the classic misconfiguration
// that leaks credentialed responses; the middleware should refuse that
// combination (or reflect only explicitly listed origins) — verify.
type CORSConfig struct {
	Enabled          bool     `json:"enabled"`
	AllowedOrigins   []string `json:"allowed_origins,omitempty"`
	AllowedMethods   []string `json:"allowed_methods,omitempty"`
	AllowedHeaders   []string `json:"allowed_headers,omitempty"`
	ExposedHeaders   []string `json:"exposed_headers,omitempty"`
	AllowCredentials bool     `json:"allow_credentials"`
	MaxAge           int      `json:"max_age,omitempty"` // seconds, per the Access-Control-Max-Age header
}

CORSConfig holds CORS configuration

type CRLCache

// CRLCache caches fetched certificate revocation lists (see CachedCRL).
// Its state is unexported.
type CRLCache struct {
	// contains filtered or unexported fields
}

type CRLManager

// CRLManager fetches and maintains certificate revocation lists. Its state
// is unexported.
type CRLManager struct {
	// contains filtered or unexported fields
}

type CSRFMiddleware

// CSRFMiddleware provides CSRF protection: GenerateCSRFToken issues tokens
// and Middleware enforces them. Create with NewCSRFMiddleware, whose
// secure flag presumably controls the cookie's Secure attribute — verify.
type CSRFMiddleware struct {
	// contains filtered or unexported fields
}

CSRFMiddleware provides CSRF protection

func NewCSRFMiddleware

func NewCSRFMiddleware(secure bool) *CSRFMiddleware

NewCSRFMiddleware creates a new CSRF middleware

func (*CSRFMiddleware) GenerateCSRFToken

func (c *CSRFMiddleware) GenerateCSRFToken() (string, error)

GenerateCSRFToken generates a new CSRF token

func (*CSRFMiddleware) Middleware

func (c *CSRFMiddleware) Middleware(next http.Handler) http.Handler

Middleware returns the CSRF middleware function

type CTSubmitter

// CTSubmitter submits DER-encoded certificates to a Certificate
// Transparency log (see Submit).
type CTSubmitter struct {
	// contains filtered or unexported fields
}

func (*CTSubmitter) Submit

func (cts *CTSubmitter) Submit(logURL string, certDER []byte) error

type CVERecord

// CVERecord is a vulnerability record as consumed by the container scanner:
// identifier, scoring, affected products and optional remediation.
type CVERecord struct {
	ID string `json:"id"`

	Summary string `json:"summary"`

	Description string `json:"description"`

	CVSS float64 `json:"cvss"` // compared against AlertConfig.CVSSThreshold

	Severity string `json:"severity"`

	PublishedDate time.Time `json:"published_date"`

	ModifiedDate time.Time `json:"modified_date"`

	References []string `json:"references"`

	CWE []string `json:"cwe"`

	AffectedProducts []Product `json:"affected_products"`

	Remediation *Remediation `json:"remediation,omitempty"`
}

type CachedCRL

// CachedCRL is one entry held by CRLCache. Its state is unexported.
type CachedCRL struct {
	// contains filtered or unexported fields
}

type CachedOCSPResponse

// CachedOCSPResponse is a cached OCSP response. Its state is unexported.
type CachedOCSPResponse struct {
	// contains filtered or unexported fields
}

type CertAlert

// CertAlert is a notification raised by certificate monitoring (expiry,
// rotation failure, etc.) for the certificate identified by Name.
type CertAlert struct {
	Type string

	Severity string

	Name string

	Message string

	Timestamp time.Time
}

type CertManager

// CertManager is an in-process CA and certificate lifecycle manager: it can
// generate root/intermediate CAs, issue and revoke certificates, obtain
// ACME certificates, pin certificates and validate chains. Backed by a
// CertificateStore; create with NewCertManager.
type CertManager struct {
	// contains filtered or unexported fields
}

func NewCertManager

func NewCertManager(store CertificateStore) *CertManager

func (*CertManager) GenerateIntermediateCA

func (cm *CertManager) GenerateIntermediateCA(commonName string, validYears int) error

func (*CertManager) GenerateRootCA

func (cm *CertManager) GenerateRootCA(commonName string, validYears int) error

func (*CertManager) GetACMECertificate

func (cm *CertManager) GetACMECertificate(domain string) (*tls.Certificate, error)

func (*CertManager) IssueCertificate

func (cm *CertManager) IssueCertificate(commonName string, hosts []string, validDays int) (*tls.Certificate, error)

func (*CertManager) PinCertificate

func (cm *CertManager) PinCertificate(name string, certDER []byte)

func (*CertManager) RevokeCertificate

func (cm *CertManager) RevokeCertificate(serialNumber *big.Int, reason int) error

func (*CertManager) ScheduleRotation

func (cm *CertManager) ScheduleRotation(config *RotationConfig) error

func (*CertManager) SetupACME

func (cm *CertManager) SetupACME(email string, domains []string, cacheDir string) error

func (*CertManager) ValidateCertificateChain

func (cm *CertManager) ValidateCertificateChain(ctx context.Context, certs []*x509.Certificate) error

ValidateCertificateChain validates a certificate chain including root, intermediate, and leaf certificates.

func (*CertManager) ValidatePinnedCertificate

func (cm *CertManager) ValidatePinnedCertificate(name string, cert *x509.Certificate) error

type CertManagerInterface

// CertManagerInterface wraps Kubernetes cert-manager operations. Despite
// its name it is a concrete struct, not a Go interface; create with
// NewCertManagerInterface.
type CertManagerInterface struct {
	// contains filtered or unexported fields
}

CertManagerInterface wraps cert-manager operations

func NewCertManagerInterface

func NewCertManagerInterface(k8sClient kubernetes.Interface, namespace string, logger *zap.Logger) (*CertManagerInterface, error)

NewCertManagerInterface creates a new cert-manager interface

func (*CertManagerInterface) RenewCertificate

func (cm *CertManagerInterface) RenewCertificate(ctx context.Context, name, namespace string) error

RenewCertificate renews a certificate

type CertMonitor

// CertMonitor watches certificates registered via AddCertificate. Its
// state is unexported.
type CertMonitor struct {
	// contains filtered or unexported fields
}

func (*CertMonitor) AddCertificate

func (cm *CertMonitor) AddCertificate(name string, cert *tls.Certificate)

type CertRotationConfig

// CertRotationConfig defines certificate rotation policies and schedules,
// renewal retry behaviour, backup/rollback, external integrations and
// notification targets. DefaultCertRotationConfig supplies defaults.
type CertRotationConfig struct {
	// Rotation policies
	AutoRotationEnabled bool          `json:"auto_rotation_enabled" yaml:"auto_rotation_enabled"`
	RotationThreshold   time.Duration `json:"rotation_threshold" yaml:"rotation_threshold"`
	CheckInterval       time.Duration `json:"check_interval" yaml:"check_interval"`
	EmergencyThreshold  time.Duration `json:"emergency_threshold" yaml:"emergency_threshold"`

	// Renewal configuration
	RenewalRetryAttempts int           `json:"renewal_retry_attempts" yaml:"renewal_retry_attempts"`
	RenewalRetryInterval time.Duration `json:"renewal_retry_interval" yaml:"renewal_retry_interval"`
	RenewalTimeout       time.Duration `json:"renewal_timeout" yaml:"renewal_timeout"`

	// Backup and rollback
	BackupEnabled         bool          `json:"backup_enabled" yaml:"backup_enabled"`
	BackupRetentionPeriod time.Duration `json:"backup_retention_period" yaml:"backup_retention_period"`
	AutoRollbackEnabled   bool          `json:"auto_rollback_enabled" yaml:"auto_rollback_enabled"`

	// Integration settings
	CertManagerEnabled   bool   `json:"cert_manager_enabled" yaml:"cert_manager_enabled"`
	CertManagerNamespace string `json:"cert_manager_namespace" yaml:"cert_manager_namespace"`
	ExternalCAEnabled    bool   `json:"external_ca_enabled" yaml:"external_ca_enabled"`
	ExternalCAEndpoint   string `json:"external_ca_endpoint" yaml:"external_ca_endpoint"`

	// Notification configuration
	// NOTE(review): a Slack incoming-webhook URL is a bearer credential, and
	// these fields are serialised without omitempty; treat this struct as
	// sensitive and keep it out of logs and status dumps.
	SlackWebhookURL      string   `json:"slack_webhook_url" yaml:"slack_webhook_url"`
	EmailNotifications   []string `json:"email_notifications" yaml:"email_notifications"`
	WebhookNotifications []string `json:"webhook_notifications" yaml:"webhook_notifications"`
}

CertRotationConfig defines certificate rotation policies and schedules

func DefaultCertRotationConfig

func DefaultCertRotationConfig() *CertRotationConfig

DefaultCertRotationConfig returns enterprise-grade rotation configuration

type CertRotationManager

// CertRotationManager manages automated certificate lifecycle for
// certificates registered with RegisterCertificate, driven by a
// CertRotationConfig and a Kubernetes client. Create with
// NewCertRotationManager; Start/Stop control the background work.
type CertRotationManager struct {
	// contains filtered or unexported fields
}

CertRotationManager manages automated certificate lifecycle

func NewCertRotationManager

func NewCertRotationManager(config *CertRotationConfig, k8sClient kubernetes.Interface, logger *zap.Logger) (*CertRotationManager, error)

NewCertRotationManager creates a new certificate rotation manager

func (*CertRotationManager) ForceRotation

func (m *CertRotationManager) ForceRotation(name, namespace string) error

ForceRotation immediately rotates a specific certificate

func (*CertRotationManager) GetCertificateStatus

func (m *CertRotationManager) GetCertificateStatus() map[string]*CertificateTracker

GetCertificateStatus returns the status of all managed certificates

func (*CertRotationManager) GetRotationMetrics

func (m *CertRotationManager) GetRotationMetrics() *RotationMetrics

GetRotationMetrics returns rotation metrics

func (*CertRotationManager) RegisterCertificate

func (m *CertRotationManager) RegisterCertificate(name, namespace, secretName string, certType CertificateType) error

RegisterCertificate adds a certificate to rotation management

func (*CertRotationManager) Start

func (m *CertRotationManager) Start(ctx context.Context) error

Start begins the certificate rotation monitoring and management

func (*CertRotationManager) Stop

func (m *CertRotationManager) Stop() error

Stop gracefully shuts down the certificate rotation manager

func (*CertRotationManager) UnregisterCertificate

func (m *CertRotationManager) UnregisterCertificate(name, namespace string)

UnregisterCertificate removes a certificate from rotation management

type CertRotationScheduler

// CertRotationScheduler drives scheduled rotations (see Start). Its state
// is unexported.
type CertRotationScheduler struct {
	// contains filtered or unexported fields
}

func (*CertRotationScheduler) Start

func (rs *CertRotationScheduler) Start()

type CertificateFinding

// CertificateFinding represents certificate-related findings from the TLS
// auditor: identity and validity of the leaf, key/signature strength, and
// chain, OCSP and CRL verdicts.
type CertificateFinding struct {
	Subject         string    `json:"subject"`
	Issuer          string    `json:"issuer"`
	SerialNumber    string    `json:"serial_number"`
	NotBefore       time.Time `json:"not_before"`
	NotAfter        time.Time `json:"not_after"`
	DaysToExpiry    int       `json:"days_to_expiry"`
	KeyAlgorithm    string    `json:"key_algorithm"`
	KeySize         int       `json:"key_size"`
	SignatureAlgo   string    `json:"signature_algorithm"`
	Issues          []string  `json:"issues"`
	Severity        string    `json:"severity"`
	ValidationError string    `json:"validation_error,omitempty"`
	ChainValid      bool      `json:"chain_valid"`
	OCSPStatus      string    `json:"ocsp_status"`
	CRLStatus       string    `json:"crl_status"`
}

CertificateFinding represents certificate-related findings

type CertificateMetrics

// CertificateMetrics holds per-certificate rotation counters and timestamps.
// A zero LastRotation / LastFailure (time.Time{}) means the event never
// happened; use IsZero rather than comparing against a fixed date.
type CertificateMetrics struct {
	RotationCount   int64         `json:"rotation_count"`
	LastRotation    time.Time     `json:"last_rotation"`
	// AverageLifetime is presumably the mean time between rotations — how
	// it is computed is not visible here.
	AverageLifetime time.Duration `json:"average_lifetime"`
	FailureCount    int           `json:"failure_count"`
	LastFailure     time.Time     `json:"last_failure"`
}

CertificateMetrics tracks individual certificate metrics

type CertificatePaths

// CertificatePaths names the on-disk files for one TLS identity: the leaf
// certificate, its private key and, optionally, the CA bundle used for peer
// verification.
//
// Security note: KeyFile points at private-key material. Keep that file
// readable only by the service user (0600 or tighter) and avoid echoing these
// paths into error messages that leave the host, since they reveal where key
// material lives.
type CertificatePaths struct {
	CertFile string `json:"cert_file"`
	KeyFile  string `json:"key_file"`
	CAFile   string `json:"ca_file,omitempty"`
}

CertificatePaths defines paths for certificate files

type CertificateStatus

// CertificateStatus is the lifecycle state reported for a managed certificate
// (see the Status* constants below and CertificateTracker.Status).
type CertificateStatus string

CertificateStatus defines the current status of certificate

// Lifecycle states of a managed certificate. "expiring" and "rotating" are
// transient; "failed" and "expired" indicate the rotation manager could not
// keep the certificate valid and should page an operator.
const (
	StatusHealthy  CertificateStatus = "healthy"
	StatusExpiring CertificateStatus = "expiring"
	StatusRotating CertificateStatus = "rotating"
	StatusFailed   CertificateStatus = "failed"
	StatusExpired  CertificateStatus = "expired"
)

type CertificateStore

// CertificateStore is the persistence boundary for managed certificates.
//
// Security note: Put receives a *tls.Certificate, which carries the private
// key (tls.Certificate.PrivateKey) together with the chain. Every
// implementation of this interface is therefore a private-key store and must
// protect its backend accordingly (encryption at rest, restricted access,
// no plaintext logging of the stored value).
//
// NOTE(review): the error returned by Get for an unknown name is not
// specified here, so callers cannot rely on errors.Is against a sentinel
// without checking the concrete implementation.
type CertificateStore interface {
	Get(ctx context.Context, name string) (*tls.Certificate, error)

	Put(ctx context.Context, name string, cert *tls.Certificate) error

	Delete(ctx context.Context, name string) error

	List(ctx context.Context) ([]string, error)
}

type CertificateTracker

// CertificateTracker is the rotation manager's per-certificate record. It is
// keyed by (Name, Namespace) — see RegisterCertificate / UnregisterCertificate
// — and serialized as JSON for status reporting.
type CertificateTracker struct {
	Name              string            `json:"name"`
	Namespace         string            `json:"namespace"`
	Type              CertificateType   `json:"type"`
	// Certificate is the parsed leaf; it is excluded from JSON (json:"-"),
	// so status output never carries the certificate body.
	Certificate       *x509.Certificate `json:"-"`
	// SecretName is the secret the certificate is read from / written to,
	// as passed to RegisterCertificate.
	SecretName        string            `json:"secret_name"`
	LastRotation      time.Time         `json:"last_rotation"`
	RotationCount     int64             `json:"rotation_count"`
	Status            CertificateStatus `json:"status"`
	NextCheckTime     time.Time         `json:"next_check_time"`
	// BackupSecretNames presumably names secrets holding previous versions
	// kept for rollback; retention of those is not visible here.
	BackupSecretNames []string          `json:"backup_secret_names"`

	// Health monitoring
	HealthStatus    string    `json:"health_status"`
	LastHealthCheck time.Time `json:"last_health_check"`
	FailureCount    int       `json:"failure_count"`
	// LastError is the text of the most recent failure. It is emitted in
	// JSON, so whatever populates it must not include secret material or
	// key paths that should stay on-host.
	LastError       string    `json:"last_error,omitempty"`
}

CertificateTracker tracks individual certificate lifecycle

type CertificateType

// CertificateType classifies a managed certificate by role (see the
// *Certificate constants below); it is passed to RegisterCertificate.
type CertificateType string

CertificateType defines the type of certificate

// Certificate roles. CA and intermediate certificates sign other
// certificates, so rotating one of them invalidates or re-chains everything
// issued beneath it; treat those rotations as higher-risk than leaf rotations.
const (
	ServerCertificate       CertificateType = "server"
	ClientCertificate       CertificateType = "client"
	CACertificate           CertificateType = "ca"
	IntermediateCertificate CertificateType = "intermediate"
)

type ChainedSignature

// ChainedSignature is one link in a signature chain (see
// CryptoUtils.CreateSignatureChain). PreviousHash presumably binds this entry
// to the preceding one so that reordering or removing a link breaks
// verification — the hashing/verification logic itself is not visible here.
type ChainedSignature struct {
	SignerID string

	Signature []byte

	PreviousHash []byte

	// Timestamp is caller-supplied wall-clock time; it is signed data only
	// if the signer covers it, which this type does not enforce.
	Timestamp time.Time

	Algorithm string
}

type Challenge

// Challenge is an anti-abuse challenge (CAPTCHA or proof-of-work, see
// DDoSProtectionConfig.EnableCaptcha / EnableRateProof) issued to a client IP.
//
// Security note: Token is the secret a client must present back; compare it
// in constant time (e.g. crypto/subtle) and honour ExpiresAt and a bound on
// Attempts on every check — nothing in this type enforces either.
type Challenge struct {
	ID        string
	IP        string
	Type      string
	CreatedAt time.Time
	ExpiresAt time.Time
	Attempts  int
	Solved    bool
	Token     string
}

Challenge represents a security challenge

type ChannelConfig

// ChannelConfig parameterizes a secure channel (the MessageType* framing in
// this package). Use DefaultChannelConfig rather than a zero value: a zero
// ChannelConfig has EnablePFS=false and ReplayWindow=0, and whether a zero
// window disables replay protection or rejects everything is not visible here.
type ChannelConfig struct {
	CipherSuite string

	// KeySize is presumably in bits; the unit is not stated.
	KeySize int

	MACAlgorithm string

	// EnablePFS selects an ephemeral key exchange (DHGroup) so that a later
	// key compromise does not expose recorded sessions.
	EnablePFS bool

	DHGroup string

	// ReplayWindow is the size of the anti-replay window in messages.
	ReplayWindow uint32

	SessionTimeout time.Duration

	// HeartbeatInterval should be well below SessionTimeout or idle
	// sessions will be torn down (MessageTypeHeartbeat keeps them alive).
	HeartbeatInterval time.Duration

	EnableMulticast bool

	MulticastTTL int
}

func DefaultChannelConfig

func DefaultChannelConfig() *ChannelConfig

type CipherFinding

// CipherFinding is the audit verdict for one negotiated/offered cipher suite,
// broken down into its key-exchange, authentication, encryption and MAC
// components. Strength is a coarse label; ORANApproved is the binary
// compliance decision and should be the field enforcement keys on.
type CipherFinding struct {
	CipherSuite    string   `json:"cipher_suite"`
	TLSVersion     string   `json:"tls_version"`
	Strength       string   `json:"strength"` // STRONG, MEDIUM, WEAK
	KeyExchange    string   `json:"key_exchange"`
	Authentication string   `json:"authentication"`
	Encryption     string   `json:"encryption"`
	MAC            string   `json:"mac"`
	// ForwardSecrecy is true for ephemeral key exchanges (ECDHE/DHE);
	// static RSA key exchange has none.
	ForwardSecrecy bool     `json:"forward_secrecy"`
	Issues         []string `json:"issues"`
	Recommendation string   `json:"recommendation"`
	ORANApproved   bool     `json:"oran_approved"`
}

CipherFinding represents cipher suite findings

type CodeIssue

// CodeIssue is a static-analysis finding against a source file.
// Description should not quote the matched secret for a hardcoded_secret
// finding — the struct is serialized into reports, which then become a
// second copy of the secret.
type CodeIssue struct {
	ID string `json:"id"`

	Type string `json:"type"` // hardcoded_secret, weak_crypto, etc.

	Severity string `json:"severity"`

	// File is the path as seen by the scanner; it is emitted verbatim.
	File string `json:"file"`

	Line int `json:"line"`

	Description string `json:"description"`

	// Rule names the detector that fired.
	Rule string `json:"rule"`

	FoundAt time.Time `json:"found_at"`
}

type CommonSecurityConfig

// CommonSecurityConfig is the normalized form every SecurityConfig variant is
// converted to by ToCommonConfig. Note that the zero value has Enabled=false,
// i.e. security features off; callers must set it explicitly.
type CommonSecurityConfig struct {
	// TLS Configuration
	TLS *TLSConfig `json:"tls,omitempty"`

	// Security Headers Configuration
	SecurityHeaders *SecurityHeadersConfig `json:"security_headers,omitempty"`

	// Enable security features
	Enabled bool `json:"enabled"`

	// Security mode (strict, moderate, permissive)
	// Mode is a free-form string; the listed values are a convention, not
	// enforced by the type. Validate it before use.
	Mode string `json:"mode"`
}

CommonSecurityConfig defines common security configuration

func ToCommonConfig

func ToCommonConfig(config interface{}) *CommonSecurityConfig

ToCommonConfig converts any SecurityConfig variant to CommonSecurityConfig

type ComplianceCheck

// ComplianceCheck is a single pass/fail item inside a ComplianceResult.
// Status and Severity are free-form strings here; the value sets are
// defined by the producer.
type ComplianceCheck struct {
	ID          string `json:"id"`
	Title       string `json:"title"`
	Description string `json:"description"`
	Status      string `json:"status"`
	Severity    string `json:"severity"`
	Rationale   string `json:"rationale"`
	Remediation string `json:"remediation"`
}

ComplianceCheck represents a compliance check

type ComplianceCheckFunc

// ComplianceCheckFunc evaluates one compliance rule for nodeID. The untyped
// context map carries whatever the caller supplies; by the return types it
// presumably yields (passed, findings, err) — confirm the contract with the
// registering code, since a nil error with passed=false is the expected way to
// report a violation rather than a check failure.
type ComplianceCheckFunc func(nodeID string, context map[string]interface{}) (bool, []string, error)

ComplianceCheckFunc defines the signature for compliance check functions

type ComplianceConfig

// ComplianceConfig configures the O-RAN WG11 ComplianceMonitor.
// NOTE(review): several fields are strings with a documented value set
// (AuthenticationMethod, AuditLogLevel, EncryptionAlgorithm) but no typed
// enum; whether NewComplianceMonitor validates them is not visible here.
type ComplianceConfig struct {
	// Trust domain configuration
	TrustDomain          string `json:"trust_domain"`
	// SPIFFEEndpointSocket is the path of the SPIRE Workload API socket; it
	// is the trust anchor for workload identity, so its filesystem
	// permissions matter as much as any key file.
	SPIFFEEndpointSocket string `json:"spiffe_endpoint_socket"`

	// Security policies
	SecurityPolicies []ORANSecurityPolicy `json:"security_policies"`

	// Authentication settings
	AuthenticationMethod string        `json:"authentication_method"` // "mTLS", "JWT", "OAuth2"
	CertificateLifetime  time.Duration `json:"certificate_lifetime"`

	// Encryption requirements
	EncryptionAlgorithm string `json:"encryption_algorithm"`
	// MinKeyLength is presumably in bits; the unit is not stated.
	MinKeyLength        int    `json:"min_key_length"`

	// Audit settings
	AuditLogLevel      string `json:"audit_log_level"`
	AuditRetentionDays int    `json:"audit_retention_days"`

	// Threat detection
	ThreatDetectionEnabled bool    `json:"threat_detection_enabled"`
	AnomalyThreshold       float64 `json:"anomaly_threshold"`

	// Compliance intervals
	ComplianceCheckInterval time.Duration `json:"compliance_check_interval"`
	// CertificateRenewalTime is presumably the lead time before expiry at
	// which renewal starts; it should be shorter than CertificateLifetime.
	CertificateRenewalTime  time.Duration `json:"certificate_renewal_time"`
}

ComplianceConfig holds O-RAN WG11 compliance configuration

type ComplianceDetails

// ComplianceDetails summarizes a TLS audit against one standard. The counts
// are expected to satisfy PassedChecks + FailedChecks == TotalChecks minus
// any exempted rules; Exemptions are listed so a reviewer can see what was
// waived rather than silently passed.
type ComplianceDetails struct {
	Standard     string              `json:"standard"`
	Version      string              `json:"version"`
	Status       string              `json:"status"` // COMPLIANT, NON_COMPLIANT, PARTIAL
	Score        float64             `json:"score"`  // 0-100
	PassedChecks int                 `json:"passed_checks"`
	FailedChecks int                 `json:"failed_checks"`
	TotalChecks  int                 `json:"total_checks"`
	FailedRules  []TLSComplianceRule `json:"failed_rules"`
	Exemptions   []string            `json:"exemptions,omitempty"`
}

ComplianceDetails provides detailed compliance information

type ComplianceFramework

// ComplianceFramework selects the standard a ComplianceManager report is
// generated against (see GenerateComplianceReport and the Validate*Compliance
// methods). Only O-RAN, 3GPP and ETSI have dedicated validators in this
// listing; NIST and ISO27001 are declared but no validator for them is visible.
type ComplianceFramework string
const (
	FrameworkORAN ComplianceFramework = "O-RAN"

	Framework3GPP ComplianceFramework = "3GPP"

	FrameworkETSI ComplianceFramework = "ETSI-NFV"

	FrameworkNIST ComplianceFramework = "NIST"

	FrameworkISO27001 ComplianceFramework = "ISO27001"
)

type ComplianceManager

// ComplianceManager runs framework-specific compliance validation against a
// Kubernetes namespace. Construct it with NewComplianceManager(client,
// namespace); the controller-runtime client it is given needs read access to
// the resources the validators inspect, and no more.
type ComplianceManager struct {
	// contains filtered or unexported fields
}

func NewComplianceManager

func NewComplianceManager(client client.Client, namespace string) *ComplianceManager

func (*ComplianceManager) GenerateComplianceReport

func (m *ComplianceManager) GenerateComplianceReport(ctx context.Context, framework ComplianceFramework) ([]byte, error)

func (*ComplianceManager) GetComplianceSummary

func (m *ComplianceManager) GetComplianceSummary(ctx context.Context) map[string]interface{}

func (*ComplianceManager) ScheduleComplianceAudits

func (m *ComplianceManager) ScheduleComplianceAudits(ctx context.Context, interval time.Duration)

func (*ComplianceManager) Validate3GPPCompliance

func (m *ComplianceManager) Validate3GPPCompliance(ctx context.Context) (*ComplianceReport, error)

func (*ComplianceManager) ValidateETSICompliance

func (m *ComplianceManager) ValidateETSICompliance(ctx context.Context) (*ComplianceReport, error)

func (*ComplianceManager) ValidateORANCompliance

func (m *ComplianceManager) ValidateORANCompliance(ctx context.Context) (*ComplianceReport, error)

type ComplianceMonitor

// ComplianceMonitor collects O-RAN compliance results (StoreORANComplianceResult),
// raises alerts on them (TriggerComplianceAlert) and produces an
// ORANComplianceReport. Construct it with NewComplianceMonitor.
type ComplianceMonitor struct {
	// contains filtered or unexported fields
}

func NewComplianceMonitor

func NewComplianceMonitor(config *ComplianceConfig, logger logr.Logger) *ComplianceMonitor

func (*ComplianceMonitor) GenerateReport

func (c *ComplianceMonitor) GenerateReport() (*ORANComplianceReport, error)

func (*ComplianceMonitor) StoreORANComplianceResult

func (c *ComplianceMonitor) StoreORANComplianceResult(result *ORANComplianceResult)

func (*ComplianceMonitor) TriggerComplianceAlert

func (c *ComplianceMonitor) TriggerComplianceAlert(result *ORANComplianceResult)

type ComplianceReport

// ComplianceReport is the output of ComplianceManager's Validate*Compliance
// methods for one namespace and framework. It has no JSON tags, so if it is
// serialized the Go field names are used verbatim.
type ComplianceReport struct {
	Timestamp metav1.Time

	Namespace string

	Framework ComplianceFramework

	Version string

	OverallCompliance float64 // Percentage 0-100

	Requirements []ComplianceRequirement

	VulnerabilityScan VulnerabilityScanResult

	// AuditLog embeds audit entries in the report; keep that in mind when
	// the report is exported, since audit entries may name principals.
	AuditLog []AuditEntry

	Recommendations []string

	NextAuditDate time.Time
}

type ComplianceRequirement

// ComplianceRequirement is one requirement evaluated in a ComplianceReport.
// Evidence is free text collected during validation; it is what an auditor
// reads, so it should reference resources, not dump their contents.
type ComplianceRequirement struct {
	ID string

	Category string

	Description string

	Status ComplianceStatus

	Evidence []string

	Remediation string

	Severity string
}

type ComplianceResult

// ComplianceResult is the scan-level compliance outcome: a score, pass/fail
// counts and the individual checks. Summary is kept as raw JSON so its
// schema is owned by the producer; consumers must not assume a shape.
type ComplianceResult struct {
	Framework    string            `json:"framework"`
	Version      string            `json:"version"`
	Score        float64           `json:"score"`
	PassedChecks int               `json:"passed_checks"`
	FailedChecks int               `json:"failed_checks"`
	Results      []ComplianceCheck `json:"results"`
	Summary      json.RawMessage   `json:"summary"`
}

ComplianceResult represents compliance scan results

type ComplianceRule

// ComplianceRule is a declarative compliance rule. ValidationFunc carries the
// executable check and is excluded from JSON (json:"-"), so a rule loaded
// from configuration has no validator until one is attached in code —
// a rule with a nil ValidationFunc must be treated as not evaluable, not as
// passing.
type ComplianceRule struct {
	RuleID         string         `json:"rule_id"`
	RuleName       string         `json:"rule_name"`
	RuleType       string         `json:"rule_type"` // "policy", "technical", "procedural"
	Condition      string         `json:"condition"`
	ExpectedResult interface{}    `json:"expected_result"`
	ValidationFunc ValidationFunc `json:"-"`
	Severity       string         `json:"severity"` // "low", "medium", "high", "critical"
}

ComplianceRule defines compliance validation rules

type ComplianceStatus

// ComplianceStatus is the outcome of a ComplianceRequirement. The string
// values contain spaces and a hyphen, so they are display labels — do not
// parse them by prefix.
type ComplianceStatus string
const (
	StatusCompliant ComplianceStatus = "Compliant"

	StatusNonCompliant ComplianceStatus = "Non-Compliant"

	StatusPartiallyCompliant ComplianceStatus = "Partially Compliant"

	StatusNotApplicable ComplianceStatus = "Not Applicable"
)

type ComplianceTest

// ComplianceTest is a runnable compliance probe: Validator returns nil on
// pass and a descriptive error on fail. Required distinguishes tests whose
// failure should fail the overall run from advisory ones; how that is
// applied is not visible here.
type ComplianceTest struct {
	Name string

	Standard string

	Category string

	Validator func() error

	Required bool
}

type ComplianceViolation

// ComplianceViolation records a detected policy breach on AffectedResource.
// Context is raw JSON supplied by the detector; it is emitted as-is in
// reports, so detectors must not place secret values in it.
type ComplianceViolation struct {
	ViolationID      string          `json:"violation_id"`
	ViolationType    string          `json:"violation_type"`
	Severity         string          `json:"severity"`
	Description      string          `json:"description"`
	DetectedAt       time.Time       `json:"detected_at"`
	AffectedResource string          `json:"affected_resource"`
	RemediationSteps []string        `json:"remediation_steps"`
	Context          json.RawMessage `json:"context"`
}

ComplianceViolation represents a security compliance violation

type Condition

// Condition is a field/operator/value predicate used by policy rules.
// Operator is a free-form string and Value is untyped; the evaluator that
// interprets them is not visible here, so validate both when rules are
// loaded from untrusted configuration.
type Condition struct {
	Field string `json:"field"`

	Operator string `json:"operator"`

	Value interface{} `json:"value"`
}

type ConnectionPool

// ConnectionPool is an opaque pool of connections. No constructor or method
// is exported in this listing, so it is usable only through the types that
// embed or return it.
type ConnectionPool struct {
	// contains filtered or unexported fields
}

type ConstantTimeOps

// ConstantTimeOps groups timing-safe primitives (Compare, LessOrEq, Select).
// The method shapes mirror crypto/subtle; presumably they delegate to it.
// Caveat that applies to any such Compare: it is constant-time in the
// contents only — a length mismatch is typically rejected immediately, so
// do not rely on it to hide the length of a secret.
type ConstantTimeOps struct{}

func (*ConstantTimeOps) Compare

func (ct *ConstantTimeOps) Compare(a, b []byte) bool

func (*ConstantTimeOps) LessOrEq

func (ct *ConstantTimeOps) LessOrEq(x, y int32) int

func (*ConstantTimeOps) Select

func (ct *ConstantTimeOps) Select(v int, a, b []byte) []byte

type ContainerScanner

// ContainerScanner abstracts a vulnerability scanner backend (Trivy and Clair
// implementations are constructed by NewTrivyScanner / NewClairScanner).
// UpdateDatabase refreshes the vulnerability feed; scan results are only as
// current as the last successful update, so schedule it and surface Health
// failures rather than scanning against a stale feed.
type ContainerScanner interface {
	ScanImage(ctx context.Context, image string) (*ScanResult, error)
	GetScannerInfo() ScannerInfo
	UpdateDatabase(ctx context.Context) error
	Health(ctx context.Context) error
}

ContainerScanner defines the interface for container scanners

func NewClairScanner

func NewClairScanner(logger interface{}) (ContainerScanner, error)

func NewTrivyScanner

func NewTrivyScanner(logger interface{}) (ContainerScanner, error)

type ContainerSecurityConfig

// ContainerSecurityConfig is the configuration for ContainerSecurityManager.
// Obtain defaults from DefaultContainerSecurityConfig and check it with
// Validate before use.
//
// NOTE(review): the interplay between the Block*Vulns booleans and the
// Max*Vulns counts (does BlockCriticalVulns mean "any" or "more than
// MaxCriticalVulns"?) is not defined here; confirm in the manager before
// relying on one or the other.
type ContainerSecurityConfig struct {
	// Scanning configuration
	EnableContainerScanning bool          `json:"enable_container_scanning"`
	ScanningTools           []string      `json:"scanning_tools"` // trivy, clair, anchore
	ScanInterval            time.Duration `json:"scan_interval"`
	ScanTimeout             time.Duration `json:"scan_timeout"`
	MaxConcurrentScans      int           `json:"max_concurrent_scans"`

	// Vulnerability thresholds
	BlockCriticalVulns bool `json:"block_critical_vulns"`
	BlockHighVulns     bool `json:"block_high_vulns"`
	MaxCriticalVulns   int  `json:"max_critical_vulns"`
	MaxHighVulns       int  `json:"max_high_vulns"`
	MaxMediumVulns     int  `json:"max_medium_vulns"`

	// RBAC configuration
	EnableRBACEnforcement   bool     `json:"enable_rbac_enforcement"`
	StrictRBACMode          bool     `json:"strict_rbac_mode"`
	MinimumPrivileges       bool     `json:"minimum_privileges"`
	// ForbiddenCapabilities lists Linux capability names that must not be
	// added to containers (e.g. SYS_ADMIN); the match format is the
	// enforcer's, not defined here.
	ForbiddenCapabilities   []string `json:"forbidden_capabilities"`
	RequiredSecurityContext bool     `json:"required_security_context"`

	// Policy enforcement
	EnablePolicyEnforcement bool     `json:"enable_policy_enforcement"`
	PolicyEngine            string   `json:"policy_engine"` // opa, gatekeeper, falco
	PolicySets              []string `json:"policy_sets"`
	// EnforcementAction "warn" and "audit" do not stop a deployment; only
	// "block" does.
	EnforcementAction       string   `json:"enforcement_action"` // warn, block, audit

	// Image security
	// TrustedRegistries: how entries are matched (exact host vs. prefix)
	// is not visible here. A naive prefix match on "registry.example.com"
	// also accepts "registry.example.com.attacker.net" — confirm the
	// matcher anchors on the registry host.
	TrustedRegistries   []string `json:"trusted_registries"`
	RequireSignedImages bool     `json:"require_signed_images"`
	AllowedBaseImages   []string `json:"allowed_base_images"`
	ForbiddenPackages   []string `json:"forbidden_packages"`

	// Runtime security
	EnableRuntimeMonitoring bool     `json:"enable_runtime_monitoring"`
	RuntimeSecurityTools    []string `json:"runtime_security_tools"` // falco, sysdig
	AnomalyDetection        bool     `json:"anomaly_detection"`

	// Compliance frameworks
	ComplianceFrameworks []string `json:"compliance_frameworks"` // pci, sox, hipaa
	AuditLogging         bool     `json:"audit_logging"`
	ComplianceReports    bool     `json:"compliance_reports"`
}

ContainerSecurityConfig contains container security configuration

func DefaultContainerSecurityConfig

func DefaultContainerSecurityConfig() *ContainerSecurityConfig

DefaultContainerSecurityConfig returns default configuration

func (*ContainerSecurityConfig) Validate

func (config *ContainerSecurityConfig) Validate() error

Validate validates the container security configuration

type ContainerSecurityManager

// ContainerSecurityManager coordinates image scanning (ScanImage) and RBAC
// policy evaluation (EvaluateRBAC) against a Kubernetes cluster. Construct it
// with NewContainerSecurityManager and release it with Close.
type ContainerSecurityManager struct {
	// contains filtered or unexported fields
}

ContainerSecurityManager manages container security and RBAC

func NewContainerSecurityManager

func NewContainerSecurityManager(config *ContainerSecurityConfig, kubeClient kubernetes.Interface, logger *slog.Logger) (*ContainerSecurityManager, error)

NewContainerSecurityManager creates a new container security manager

func (*ContainerSecurityManager) Close

func (csm *ContainerSecurityManager) Close() error

Close shuts down the container security manager

func (*ContainerSecurityManager) EvaluateRBAC

func (csm *ContainerSecurityManager) EvaluateRBAC(ctx context.Context, resource interface{}) ([]PolicyViolation, error)

EvaluateRBAC evaluates the configured RBAC policies against resource and returns the violations found. The resource is passed as interface{}, so the accepted concrete types are whatever the implementation type-switches on; passing an unsupported type presumably yields an error rather than an empty result — check before treating a nil slice as "compliant".

func (*ContainerSecurityManager) GetStats

GetStats returns container security statistics

func (*ContainerSecurityManager) ScanImage

func (csm *ContainerSecurityManager) ScanImage(ctx context.Context, image, namespace string) (*ScanResult, error)

ScanImage scans a container image for vulnerabilities

type ContainerSecurityStats

// ContainerSecurityStats is a snapshot of the manager's counters as returned
// by GetStats. It is a plain value: whether the manager updates the
// underlying counters atomically is not visible here, so treat a snapshot as
// approximate under concurrent scanning.
type ContainerSecurityStats struct {
	TotalScans           int64     `json:"total_scans"`
	SuccessfulScans      int64     `json:"successful_scans"`
	FailedScans          int64     `json:"failed_scans"`
	CriticalVulns        int64     `json:"critical_vulns"`
	HighVulns            int64     `json:"high_vulns"`
	MediumVulns          int64     `json:"medium_vulns"`
	LowVulns             int64     `json:"low_vulns"`
	PolicyViolations     int64     `json:"policy_violations"`
	BlockedDeployments   int64     `json:"blocked_deployments"`
	LastScanTime         time.Time `json:"last_scan_time"`
	AverageSecurityScore float64   `json:"average_security_score"`
	ComplianceScore      float64   `json:"compliance_score"`
}

ContainerSecurityStats tracks security statistics

type ContainerVulnerability

// ContainerVulnerability is a single finding from a ContainerScanner,
// normalized across backends. Severity is the scanner's label and CVSS its
// numeric score; FixedVersion is empty when no fix is known.
type ContainerVulnerability struct {
	ID            string            `json:"id"`
	Title         string            `json:"title"`
	Description   string            `json:"description"`
	Severity      string            `json:"severity"`
	CVSS          float64           `json:"cvss"`
	CVE           string            `json:"cve"`
	Package       string            `json:"package"`
	Version       string            `json:"version"`
	FixedVersion  string            `json:"fixed_version"`
	References    []string          `json:"references"`
	PrimaryURL    string            `json:"primary_url"`
	PublishedDate time.Time         `json:"published_date"`
	LastModified  time.Time         `json:"last_modified"`
	// Exploitable and InProduction are prioritization flags; which data
	// source populates them (e.g. a known-exploited list) is not visible.
	Exploitable   bool              `json:"exploitable"`
	InProduction  bool              `json:"in_production"`
	Metadata      map[string]string `json:"metadata"`
}

ContainerVulnerability represents a security vulnerability in containers

type CreateIncidentRequest

// CreateIncidentRequest is the payload for opening a security incident.
// Since it is decoded from JSON, Severity/Category/Source are untrusted
// strings and Evidence may be nil; validate them server-side before use.
type CreateIncidentRequest struct {
	Title string `json:"title"`

	Description string `json:"description"`

	Severity string `json:"severity"`

	Category string `json:"category"`

	Source string `json:"source"`

	Tags []string `json:"tags"`

	Impact *ImpactAssessment `json:"impact"`

	Evidence []*Evidence `json:"evidence,omitempty"`
}

type Credential

// Credential is a username/password pair used by the package's security
// tests.
//
// Security note: Password is plaintext and tagged json:"password", so
// marshaling a Credential (or logging it with %+v) emits the password in
// clear. Do not reuse this type for real credentials; if it must ever hold
// one, tag the field json:"-" and give it a redacting String method.
type Credential struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

Credential represents a username/password pair used by the package's security tests. Password is plaintext and tagged `json:"password"`, so marshaling or printing a Credential emits the password in clear; do not reuse this type for real credentials.

type CryptoConfig

// CryptoConfig is the package's cryptographic policy. Start from
// DefaultCryptoConfig, which is described as O-RAN WG11 compliant; a zero
// value has MTLSRequired, ClientCertValidation and EnforceTLS13Only all
// false.
//
// NOTE(review): MTLSRequired=true with ClientCertValidation=false would
// correspond to requesting a client certificate without verifying it (the
// tls.RequireAnyClientCert mode), which provides no authentication. If that
// combination is not rejected elsewhere, it should be.
type CryptoConfig struct {
	// RSA key size - minimum 3072 bits, recommended 4096 bits for O-RAN compliance
	RSAKeySize int `json:"rsa_key_size" yaml:"rsa_key_size"`

	// Certificate validity periods
	CertValidityPeriod time.Duration `json:"cert_validity_period" yaml:"cert_validity_period"`
	CAValidityPeriod   time.Duration `json:"ca_validity_period" yaml:"ca_validity_period"`

	// TLS configuration
	// If this config is applied to a crypto/tls.Config, note that Go does
	// not let callers choose TLS 1.3 cipher suites: with EnforceTLS13Only
	// the AllowedCipherSuites list only matters for TLS 1.2 and is
	// otherwise ignored.
	EnforceTLS13Only             bool     `json:"enforce_tls13_only" yaml:"enforce_tls13_only"`
	AllowedCipherSuites          []string `json:"allowed_cipher_suites" yaml:"allowed_cipher_suites"`
	RequirePerfectForwardSecrecy bool     `json:"require_perfect_forward_secrecy" yaml:"require_perfect_forward_secrecy"`

	// mTLS settings
	MTLSRequired         bool `json:"mtls_required" yaml:"mtls_required"`
	ClientCertValidation bool `json:"client_cert_validation" yaml:"client_cert_validation"`

	// Certificate rotation
	// AutoRotateBeforeExpiry is the lead time before NotAfter at which
	// rotation is triggered; it must be shorter than CertValidityPeriod.
	AutoRotateBeforeExpiry time.Duration `json:"auto_rotate_before_expiry" yaml:"auto_rotate_before_expiry"`

	// Random number generation
	// UseHardwareRNG: what this changes is not visible here. Go's
	// crypto/rand already draws from the OS CSPRNG, so this presumably
	// selects an additional/alternative source — verify before relying on it.
	UseHardwareRNG bool `json:"use_hardware_rng" yaml:"use_hardware_rng"`
}

CryptoConfig defines enterprise cryptographic configuration

func DefaultCryptoConfig

func DefaultCryptoConfig() *CryptoConfig

DefaultCryptoConfig returns O-RAN WG11 compliant cryptographic configuration

type CryptoModern

// CryptoModern bundles the package's AEAD encryption (AES-GCM,
// ChaCha20-Poly1305), key derivation (Argon2, HKDF, PBKDF2, scrypt), Ed25519
// signing, MAC, hashing and password hashing helpers, plus a registry of
// named EncryptionContexts. Construct it with NewCryptoModern.
// NOTE(review): whether the context registry is safe for concurrent use is
// not visible here.
type CryptoModern struct {
	// contains filtered or unexported fields
}

func NewCryptoModern

func NewCryptoModern() *CryptoModern

func (*CryptoModern) CreateEncryptionContext

func (c *CryptoModern) CreateEncryptionContext(id, algorithm string, keySize int) (*EncryptionContext, error)

func (*CryptoModern) Decrypt

func (c *CryptoModern) Decrypt(data []byte, key []byte, algorithm string) ([]byte, error)

Decrypt decrypts data with key using the algorithm selected by name and returns the plaintext. This flat (data, key, algorithm) signature is the one the package's tests expect; DecryptAESGCM and DecryptChaCha20Poly1305 are the structured *EncryptedData variants.

func (*CryptoModern) DecryptAESGCM

func (c *CryptoModern) DecryptAESGCM(data *EncryptedData, key []byte) ([]byte, error)

func (*CryptoModern) DecryptChaCha20Poly1305

func (c *CryptoModern) DecryptChaCha20Poly1305(data *EncryptedData, key []byte) ([]byte, error)

func (*CryptoModern) DeleteEncryptionContext

func (c *CryptoModern) DeleteEncryptionContext(id string)

func (*CryptoModern) DeriveKey

func (c *CryptoModern) DeriveKey(password, salt []byte, method string, keySize int) ([]byte, error)

DeriveKey derives a key using the specified method and size (test-compatible signature)

func (*CryptoModern) DeriveKeyArgon2

func (c *CryptoModern) DeriveKeyArgon2(password, salt []byte) []byte

func (*CryptoModern) DeriveKeyHKDF

func (c *CryptoModern) DeriveKeyHKDF(secret, salt []byte, length int) ([]byte, error)

func (*CryptoModern) DeriveKeyPBKDF2

func (c *CryptoModern) DeriveKeyPBKDF2(password, salt []byte, keyLen int) []byte

func (*CryptoModern) DeriveKeyScrypt

func (c *CryptoModern) DeriveKeyScrypt(password, salt []byte, keyLen int) ([]byte, error)

func (*CryptoModern) Encrypt

func (c *CryptoModern) Encrypt(data []byte, key []byte, algorithm string) ([]byte, error)

Encrypt encrypts data with key using the algorithm selected by name and returns the encoded result. This flat (data, key, algorithm) signature is the one the package's tests expect; EncryptAESGCM and EncryptChaCha20Poly1305 return a structured *EncryptedData instead.

func (*CryptoModern) EncryptAESGCM

func (c *CryptoModern) EncryptAESGCM(plaintext, key, aad []byte) (*EncryptedData, error)

func (*CryptoModern) EncryptChaCha20Poly1305

func (c *CryptoModern) EncryptChaCha20Poly1305(plaintext, key, aad []byte) (*EncryptedData, error)

func (*CryptoModern) GenerateEd25519KeyPair

func (c *CryptoModern) GenerateEd25519KeyPair() (*Ed25519KeyPair, error)

func (*CryptoModern) GenerateKeyPair

func (c *CryptoModern) GenerateKeyPair(algorithm string) (interface{}, interface{}, error)

GenerateKeyPair generates a cryptographic key pair

func (*CryptoModern) GenerateMAC

func (c *CryptoModern) GenerateMAC(message, key []byte) []byte

func (*CryptoModern) GenerateRandomBytes

func (c *CryptoModern) GenerateRandomBytes(length int) ([]byte, error)

GenerateRandomBytes generates cryptographically secure random bytes

func (*CryptoModern) GenerateSecureRandom

func (c *CryptoModern) GenerateSecureRandom(length int) ([]byte, error)

func (*CryptoModern) GetEncryptionContext

func (c *CryptoModern) GetEncryptionContext(id string) (*EncryptionContext, bool)

func (*CryptoModern) Hash

func (c *CryptoModern) Hash(data []byte, algorithm string) ([]byte, error)

Hash computes a digest of data using the algorithm selected by name and returns it, or an error (presumably for an unsupported algorithm name).

func (*CryptoModern) HashPassword

func (c *CryptoModern) HashPassword(password string) (string, error)

func (*CryptoModern) SecureCompare

func (c *CryptoModern) SecureCompare(a, b []byte) bool

func (*CryptoModern) Sign

func (c *CryptoModern) Sign(message []byte, privateKey interface{}, algorithm string) ([]byte, error)

Sign provides digital signature functionality

func (*CryptoModern) SignEd25519

func (c *CryptoModern) SignEd25519(message []byte, privateKey ed25519.PrivateKey) ([]byte, error)

func (*CryptoModern) Verify

func (c *CryptoModern) Verify(message, signature []byte, publicKey interface{}, algorithm string) (bool, error)

Verify provides signature verification functionality

func (*CryptoModern) VerifyEd25519

func (c *CryptoModern) VerifyEd25519(message, signature []byte, publicKey ed25519.PublicKey) bool

func (*CryptoModern) VerifyMAC

func (c *CryptoModern) VerifyMAC(message, mac, key []byte) bool

func (*CryptoModern) VerifyPassword

func (c *CryptoModern) VerifyPassword(password, encoded string) (bool, error)

type CryptoUtils

// CryptoUtils provides hashing with a pooled hash.Hash (GetHash/PutHash),
// secure random generation and signature-chain creation. Construct it with
// NewCryptoUtils. A hash obtained from GetHash must be Reset (or returned via
// PutHash, which presumably resets it) before reuse, or digests will be
// chained across callers.
type CryptoUtils struct {
	// contains filtered or unexported fields
}

func NewCryptoUtils

func NewCryptoUtils() *CryptoUtils

func (*CryptoUtils) ComputeHash

func (cu *CryptoUtils) ComputeHash(data []byte, function HashFunction) []byte

func (*CryptoUtils) CreateSignatureChain

func (cu *CryptoUtils) CreateSignatureChain(chainID string) *SignatureChain

func (*CryptoUtils) GetHash

func (cu *CryptoUtils) GetHash(function HashFunction) hash.Hash

func (*CryptoUtils) PutHash

func (cu *CryptoUtils) PutHash(function HashFunction, h hash.Hash)

func (*CryptoUtils) SecureRandom

func (cu *CryptoUtils) SecureRandom(length int) ([]byte, error)

func (*CryptoUtils) SecureRandomInt

func (cu *CryptoUtils) SecureRandomInt(max int) (int, error)

type DDoSProtectionConfig

// DDoSProtectionConfig configures DDoSProtector. Start from
// DefaultDDoSProtectionConfig and run Validate before use.
//
// Security notes (not enforceable by the type itself):
//   - Every per-IP control here (PerIPRateLimit, MaxConnsPerIP, the
//     white/blacklists, geo filtering) is only as trustworthy as the client
//     IP the protector derives. How that address is determined (RemoteAddr
//     vs. a forwarded header) is not visible in this listing; if a proxy
//     header is honoured from non-proxy peers, the limits are spoofable.
//   - Whitelisted addresses bypass the controls entirely; keep the lists
//     short and review them.
//   - AlertWebhook is an outbound URL the protector calls; it must only be
//     set from trusted configuration, never from request data.
type DDoSProtectionConfig struct {
	// Rate limiting tiers
	GlobalRateLimit int           `json:"global_rate_limit"` // Requests per second globally
	PerIPRateLimit  int           `json:"per_ip_rate_limit"` // Requests per second per IP
	BurstSize       int           `json:"burst_size"`        // Burst capacity
	WindowSize      time.Duration `json:"window_size"`       // Time window for rate limiting

	// Connection limits
	MaxConcurrentConns int           `json:"max_concurrent_conns"` // Maximum concurrent connections
	MaxConnsPerIP      int           `json:"max_conns_per_ip"`     // Maximum connections per IP
	ConnectionTimeout  time.Duration `json:"connection_timeout"`   // Connection timeout

	// Detection thresholds
	SuspiciousThreshold int           `json:"suspicious_threshold"` // Requests to trigger suspicious behavior
	AttackThreshold     int           `json:"attack_threshold"`     // Requests to trigger attack detection
	DetectionWindow     time.Duration `json:"detection_window"`     // Time window for attack detection

	// Blocking and mitigation
	BlockDuration   time.Duration `json:"block_duration"`    // How long to block attacking IPs
	TempBanDuration time.Duration `json:"temp_ban_duration"` // Temporary ban duration
	// MaxBlockedIPs caps the block table. What happens at the cap (evict
	// oldest, or stop adding new blocks) is not visible here; the second
	// behaviour would let a distributed attack exhaust the table and then
	// run unblocked, so confirm and alert when the cap is reached.
	MaxBlockedIPs   int           `json:"max_blocked_ips"`   // Maximum number of IPs to block

	// Whitelist and blacklist
	WhitelistIPs   []string `json:"whitelist_ips"`   // Always allowed IPs
	WhitelistCIDRs []string `json:"whitelist_cidrs"` // Always allowed CIDR ranges
	BlacklistIPs   []string `json:"blacklist_ips"`   // Always blocked IPs
	BlacklistCIDRs []string `json:"blacklist_cidrs"` // Always blocked CIDR ranges

	// Geolocation filtering
	EnableGeoFiltering bool     `json:"enable_geo_filtering"` // Enable geolocation-based filtering
	AllowedCountries   []string `json:"allowed_countries"`    // Allowed country codes
	BlockedCountries   []string `json:"blocked_countries"`    // Blocked country codes

	// Challenge mechanisms
	EnableCaptcha      bool `json:"enable_captcha"`      // Enable CAPTCHA challenges
	EnableRateProof    bool `json:"enable_rate_proof"`   // Enable proof-of-work challenges
	ChallengeThreshold int  `json:"challenge_threshold"` // Requests to trigger challenge

	// Monitoring and alerting
	EnableAlerts     bool          `json:"enable_alerts"`     // Enable security alerts
	AlertWebhook     string        `json:"alert_webhook"`     // Webhook URL for alerts
	MetricsRetention time.Duration `json:"metrics_retention"` // How long to keep metrics
}

DDoSProtectionConfig contains DDoS protection configuration

func DefaultDDoSProtectionConfig

func DefaultDDoSProtectionConfig() *DDoSProtectionConfig

DefaultDDoSProtectionConfig returns default DDoS protection configuration

func (*DDoSProtectionConfig) Validate

func (config *DDoSProtectionConfig) Validate() error

Validate validates the DDoS protection configuration

type DDoSProtector

// DDoSProtector applies DDoSProtectionConfig to HTTP traffic, either as
// middleware (CreateHTTPMiddleware) or per request (ProcessRequest).
// Construct it with NewDDoSProtector and release it with Close.
type DDoSProtector struct {
	// contains filtered or unexported fields
}

DDoSProtector implements comprehensive DDoS protection

func NewDDoSProtector

func NewDDoSProtector(config *DDoSProtectionConfig, logger *slog.Logger) (*DDoSProtector, error)

NewDDoSProtector creates a new DDoS protector

func (*DDoSProtector) Close

func (ddp *DDoSProtector) Close() error

Close shuts down the DDoS protector

func (*DDoSProtector) CreateHTTPMiddleware

func (ddp *DDoSProtector) CreateHTTPMiddleware() func(http.Handler) http.Handler

CreateHTTPMiddleware creates HTTP middleware for DDoS protection

func (*DDoSProtector) GetStats

func (ddp *DDoSProtector) GetStats() *DDoSStats

GetStats returns DDoS protection statistics

func (*DDoSProtector) ProcessRequest

func (ddp *DDoSProtector) ProcessRequest(r *http.Request) (bool, string, error)

ProcessRequest runs an incoming request through the DDoS protection pipeline and returns a bool, a string and an error — presumably whether the request is allowed, the reason when it is not, and any internal failure. Callers must treat an error as "not allowed" rather than falling through.

type DDoSStats

// DDoSStats is the counter snapshot returned by DDoSProtector.GetStats.
// Whether the protector maintains these counters atomically is not visible
// here; read them as approximate operational metrics, not as an audit trail.
type DDoSStats struct {
	TotalRequests      int64     `json:"total_requests"`
	BlockedRequests    int64     `json:"blocked_requests"`
	SuspiciousRequests int64     `json:"suspicious_requests"`
	AttacksDetected    int64     `json:"attacks_detected"`
	IPsBlocked         int64     `json:"ips_blocked"`
	// ActiveBlocks is the current size of the block table; compare it with
	// DDoSProtectionConfig.MaxBlockedIPs to detect table exhaustion.
	ActiveBlocks       int64     `json:"active_blocks"`
	ChallengesSent     int64     `json:"challenges_sent"`
	ChallengesSolved   int64     `json:"challenges_solved"`
	LastAttack         time.Time `json:"last_attack"`
	LastBlock          time.Time `json:"last_block"`
}

DDoSStats tracks DDoS protection statistics

type DefaultAdvancedKeyManager

// DefaultAdvancedKeyManager is a key manager with escrow (EscrowKey) and
// threshold-sharing (SetupThresholdCrypto) on top of the generate / store /
// rotate / delete operations. No constructor is exported in this listing.
// NOTE(review): escrow and threshold setup widen who can reconstruct a key;
// the threshold argument should be validated as 1 <= threshold <= total
// (or len(agents)) by the implementation — not visible here.
type DefaultAdvancedKeyManager struct {
	// contains filtered or unexported fields
}

func (*DefaultAdvancedKeyManager) DeleteKey

func (dkm *DefaultAdvancedKeyManager) DeleteKey(keyID string) error

func (*DefaultAdvancedKeyManager) DeriveKey

func (dkm *DefaultAdvancedKeyManager) DeriveKey(purpose string, version int) ([]byte, error)

func (*DefaultAdvancedKeyManager) EscrowKey

func (dkm *DefaultAdvancedKeyManager) EscrowKey(keyID string, agents []EscrowAgent, threshold int) error

func (*DefaultAdvancedKeyManager) GenerateKey

func (dkm *DefaultAdvancedKeyManager) GenerateKey(keyType string, bits int) (*StoredKey, error)

func (*DefaultAdvancedKeyManager) GenerateMasterKey

func (dkm *DefaultAdvancedKeyManager) GenerateMasterKey(keyType string, bits int) error

func (*DefaultAdvancedKeyManager) RetrieveKey

func (dkm *DefaultAdvancedKeyManager) RetrieveKey(keyID string) (*StoredKey, error)

func (*DefaultAdvancedKeyManager) RotateKey

func (dkm *DefaultAdvancedKeyManager) RotateKey(keyID string) (*StoredKey, error)

func (*DefaultAdvancedKeyManager) SetupThresholdCrypto

func (dkm *DefaultAdvancedKeyManager) SetupThresholdCrypto(keyID string, threshold, total int) error

func (*DefaultAdvancedKeyManager) StoreKey

func (dkm *DefaultAdvancedKeyManager) StoreKey(key *StoredKey) error

type DefaultKeyManager

// DefaultKeyManager is the basic generate / store / retrieve / rotate /
// delete key manager. No constructor is exported in this listing, and where
// keys are persisted (memory vs. backend) is not visible here.
type DefaultKeyManager struct {
	// contains filtered or unexported fields
}

func (*DefaultKeyManager) DeleteKey

func (dkm *DefaultKeyManager) DeleteKey(keyID string) error

func (*DefaultKeyManager) GenerateKey

func (dkm *DefaultKeyManager) GenerateKey(keyType string, bits int) (*StoredKey, error)

func (*DefaultKeyManager) RetrieveKey

func (dkm *DefaultKeyManager) RetrieveKey(keyID string) (*StoredKey, error)

func (*DefaultKeyManager) RotateKey

func (dkm *DefaultKeyManager) RotateKey(keyID string) (*StoredKey, error)

func (*DefaultKeyManager) StoreKey

func (dkm *DefaultKeyManager) StoreKey(key *StoredKey) error

type Dependency

// Dependency is a third-party package discovered during supply-chain
// scanning, with its known CVEs and license findings. An empty
// Vulnerabilities slice means "none known as of LastChecked", not "safe".
type Dependency struct {
	Name string `json:"name"`

	Version string `json:"version"`

	Type string `json:"type"` // go, npm, pip, maven, etc.

	Vulnerabilities []string `json:"vulnerabilities"` // CVE IDs

	LicenseIssues []LicenseIssue `json:"license_issues"`

	LastChecked time.Time `json:"last_checked"`
}

type DetailedStoredKey

// DetailedStoredKey is a versioned key record.
//
// Security note: Key holds raw key material and is tagged json:"key", so
// encoding/json will emit it (base64) on any Marshal of this struct. Only
// serialize it into an encrypted/authenticated store, never into logs,
// API responses or plaintext files. The Created/Updated timestamps and
// Metadata are safe to expose; the Key is not.
type DetailedStoredKey struct {
	ID string `json:"id"`

	Version int `json:"version"`

	Key []byte `json:"key"`

	Metadata map[string]string `json:"metadata,omitempty"`

	Created time.Time `json:"created"`

	Updated time.Time `json:"updated,omitempty"`
}

type Ed25519KeyPair

// Ed25519KeyPair bundles an Ed25519 public/private key pair with its
// creation time and an identifier.
type Ed25519KeyPair struct {
	PublicKey ed25519.PublicKey

	// PrivateKey is the secret half of the pair. The field is exported and
	// has no `json:"-"` tag, so a reflective encoder (encoding/json, %+v
	// logging) would include it; keep instances out of logs and wire payloads.
	PrivateKey ed25519.PrivateKey

	Created time.Time

	ID string
}

type EmailConfig

// EmailConfig holds the SMTP connection details and recipient list used for
// e-mail delivery (referenced from Integrations.Email).
type EmailConfig struct {
	SMTPHost string `json:"smtp_host"`

	SMTPPort int `json:"smtp_port"`

	SMTPUsername string `json:"smtp_username"`

	// SMTPPassword is serialized verbatim under "smtp_password"; treat any
	// marshalled EmailConfig (config dumps, API responses, logs) as secret.
	SMTPPassword string `json:"smtp_password"`

	FromEmail string `json:"from_email"`

	ToEmails []string `json:"to_emails"`

	Subject string `json:"subject"`

	// UseTLS selects TLS for the SMTP session. When false the credentials
	// above presumably travel in plaintext — confirm the sender enforces it.
	UseTLS bool `json:"use_tls"`
}

type EncryptedData

// EncryptedData is the serializable envelope for one encryption result: the
// ciphertext plus the parameters a decryptor needs to reverse it.
type EncryptedData struct {
	Algorithm string `json:"algorithm"`

	Ciphertext []byte `json:"ciphertext"`

	Nonce []byte `json:"nonce"`

	// AAD is the additional authenticated data bound to the ciphertext. It is
	// authenticated, not encrypted, so it must not carry secrets.
	AAD []byte `json:"aad,omitempty"`

	// Salt is presumably set only when the key was derived from a password
	// rather than supplied directly — verify against the encryptor.
	Salt []byte `json:"salt,omitempty"`

	// Tag is the authentication tag when stored separately. Whether
	// Ciphertext already includes the tag (as Go's AEAD Seal output does) is
	// not visible here — confirm before reconstructing the sealed message.
	Tag []byte `json:"tag,omitempty"`

	Created time.Time `json:"created"`

	// Version presumably identifies the envelope format or key version for
	// migrations — TODO confirm against the producer.
	Version int `json:"version"`
}

type EncryptedItem

// EncryptedItem is an encrypted record keyed by ID with access bookkeeping.
// Unlike EncryptedData it carries no json tags, so if it is ever marshalled
// the field names are used as-is.
type EncryptedItem struct {
	ID string

	Ciphertext []byte

	Nonce []byte

	Tag []byte

	Algorithm string

	Created time.Time

	// Accessed is the last access time; whoever updates it on read must do so
	// under whatever lock guards the containing store — not visible here.
	Accessed time.Time
}

type EncryptedSecret

// EncryptedSecret represents an encrypted secret with metadata. It is the
// value type stored and retrieved by every SecretsBackend implementation
// (FileBackend, HashiCorpVaultBackend, KubernetesBackend, MemoryBackend).
type EncryptedSecret struct {
	// Core identification and metadata
	ID      string `json:"id"`
	Name    string `json:"name"` // ADDED: Secret name field
	Type    string `json:"type"` // ADDED: Secret type field
	Version int    `json:"version"`

	// Encryption details
	Algorithm  string `json:"algorithm"`
	KeyID      string `json:"key_id"`
	KeyVersion int    `json:"key_version"` // For vault integration

	// Encrypted data and cryptographic components
	// NOTE(review): Data/IV are kept for old records, and EncryptedData and
	// Ciphertext both exist; which one a given backend populates is not
	// visible from the type — confirm before reading either. Data is bytes
	// under an "encrypted" type but its name does not say so; do not log it.
	Data          []byte `json:"data,omitempty"` // Legacy field for compatibility
	IV            []byte `json:"iv,omitempty"`   // Legacy field for compatibility
	EncryptedData []byte `json:"encrypted_data"`
	Ciphertext    []byte `json:"ciphertext"` // ADDED: Ciphertext field
	Nonce         []byte `json:"nonce,omitempty"`
	Salt          []byte `json:"salt"` // ADDED: Salt field for key derivation

	// Timestamps
	// ExpiresAt is a pointer so that an unset expiry is omitted (omitempty
	// would not omit a zero time.Time value).
	CreatedAt time.Time  `json:"created_at"`
	UpdatedAt time.Time  `json:"updated_at"`
	ExpiresAt *time.Time `json:"expires_at,omitempty"`

	// Access tracking
	// These are mutable counters; if a backend updates them on read, that
	// update needs the backend's own synchronization — not visible here.
	AccessCount  int64     `json:"access_count"`  // ADDED: Access count field
	LastAccessed time.Time `json:"last_accessed"` // ADDED: Last access time field

	// Metadata
	Metadata map[string]string `json:"metadata,omitempty"`
}

EncryptedSecret represents an encrypted secret with metadata following 2025 best practices

type EncryptedStorage

type EncryptedStorage struct {
	// contains filtered or unexported fields
}

func NewEncryptedStorage

func NewEncryptedStorage() *EncryptedStorage

func (*EncryptedStorage) Retrieve

func (es *EncryptedStorage) Retrieve(id string) ([]byte, error)

func (*EncryptedStorage) Store

func (es *EncryptedStorage) Store(id string, data []byte) error

type EncryptionCache

type EncryptionCache struct {
	// contains filtered or unexported fields
}

EncryptionCache provides caching for encryption operations

func NewEncryptionCache

func NewEncryptionCache() *EncryptionCache

NewEncryptionCache creates a new encryption cache

type EncryptionConfig

// EncryptionConfig holds encryption configuration (see
// ExtendedSecurityConfig.Encryption).
type EncryptionConfig struct {
	Enabled           bool     `json:"enabled"`
	Algorithm         string   `json:"algorithm,omitempty"`
	KeySize           int      `json:"key_size,omitempty"`
	// EncryptionKey places key material directly in the config and is
	// marshalled under "encryption_key"; EncryptionKeyPath keeps the key out
	// of serialized or committed configuration and is the safer choice.
	EncryptionKey     string   `json:"encryption_key,omitempty"`
	EncryptionKeyPath string   `json:"encryption_key_path,omitempty"`
	SupportedCiphers  []string `json:"supported_ciphers,omitempty"`
}

EncryptionConfig holds encryption configuration

type EncryptionContext

// EncryptionContext carries the parameters of a single encryption operation,
// including the raw key. It has no json tags; it is not meant to leave the
// process — presumably, confirm no caller serializes it.
type EncryptionContext struct {
	Algorithm string

	// Key is raw key material and must not be logged.
	Key []byte

	// Nonce must be unique per key for AEAD modes; reuse breaks
	// confidentiality and integrity. Who generates it is not visible here.
	Nonce []byte

	AAD []byte // Additional Authenticated Data

	Created time.Time
}

type EncryptionEngine

type EncryptionEngine struct {
	// contains filtered or unexported fields
}

func NewEncryptionEngine

func NewEncryptionEngine(config *ComplianceConfig, logger logr.Logger) *EncryptionEngine

func (*EncryptionEngine) GetKeyLength

func (e *EncryptionEngine) GetKeyLength(nodeID string) (int, error)

func (*EncryptionEngine) IsAlgorithmCompliant

func (e *EncryptionEngine) IsAlgorithmCompliant(algorithm string) bool

type EntropyPool

type EntropyPool struct {
	// contains filtered or unexported fields
}

func NewEntropyPool

func NewEntropyPool(size int) *EntropyPool

func (*EntropyPool) Read

func (p *EntropyPool) Read(b []byte) (int, error)

type ErrorSanitizer

type ErrorSanitizer struct {
	// contains filtered or unexported fields
}

ErrorSanitizer provides error message sanitization to prevent information leakage

func NewErrorSanitizer

func NewErrorSanitizer() *ErrorSanitizer

NewErrorSanitizer creates a new error sanitizer

func (*ErrorSanitizer) SanitizeError

func (es *ErrorSanitizer) SanitizeError(err error) string

SanitizeError returns a safe error message for external consumption

type EscalationEngine

type EscalationEngine struct {
	// contains filtered or unexported fields
}

func NewEscalationEngine

func NewEscalationEngine(config *IncidentConfig) *EscalationEngine

type EscalationRule

// EscalationRule pairs a set of conditions with the actions to run when they
// match, plus a timeout and an enable flag.
type EscalationRule struct {
	ID string `json:"id"`

	Conditions []*Condition `json:"conditions"`

	Actions []*Action `json:"actions"`

	// Timeout is a time.Duration, which encoding/json emits as an integer
	// nanosecond count (not "30m"); config files must use that form unless a
	// custom unmarshaller exists elsewhere.
	Timeout time.Duration `json:"timeout"`

	Enabled bool `json:"enabled"`
}

type EscrowAgent

// EscrowAgent identifies a key-escrow participant and whether it is active.
type EscrowAgent struct {
	ID string `json:"id"`

	Active bool `json:"active"`
}

type Evidence

// Evidence is one artifact attached to a SecurityIncident (see
// IncidentResponse.AddEvidence and ForensicsCollector.CollectEvidence).
type Evidence struct {
	ID string `json:"id"`

	Type string `json:"type"` // log, file, network, memory

	Source string `json:"source"`

	Timestamp time.Time `json:"timestamp"`

	Description string `json:"description"`

	// Data is kept as raw JSON so it is not decoded (or re-encoded) on the
	// way through; consumers decode it themselves.
	Data json.RawMessage `json:"data"`

	// Hash is an integrity digest of the evidence. The algorithm and whether
	// it covers Data alone are not visible here — TODO confirm before relying
	// on it for chain of custody.
	Hash string `json:"hash"`

	Collected bool `json:"collected"`
}

type EvidenceStorage

type EvidenceStorage struct {
	// contains filtered or unexported fields
}

type ExecutionContext

// ExecutionContext represents the context for policy execution; it is the
// input to ExecutionSecurityPolicy.Evaluate.
type ExecutionContext struct {
	ID        string            `json:"id"`
	UserID    string            `json:"user_id"`
	SessionID string            `json:"session_id"`
	Resource  string            `json:"resource"`
	Action    string            `json:"action"`
	Timestamp time.Time         `json:"timestamp"`
	Metadata  map[string]string `json:"metadata,omitempty"`
}

ExecutionContext represents the context for policy execution

type ExecutionPolicyRule

// ExecutionPolicyRule represents a security rule within an execution policy.
type ExecutionPolicyRule struct {
	ID         string            `json:"id"`
	Type       string            `json:"type"`
	Action     string            `json:"action"`
	// Conditions are opaque strings here; their syntax is defined by
	// ExecutionSecurityPolicy.Evaluate, not by this type.
	Conditions []string          `json:"conditions"`
	// Priority ordering (higher first or lower first) is decided by the
	// evaluator — not visible here.
	Priority   int               `json:"priority"`
	Enabled    bool              `json:"enabled"`
	Metadata   map[string]string `json:"metadata,omitempty"`
}

ExecutionPolicyRule represents a security rule within an execution policy

type ExecutionSecurityPolicy

type ExecutionSecurityPolicy struct {
	ID        string                `json:"id"`
	Name      string                `json:"name"`
	Version   string                `json:"version"`
	Rules     []ExecutionPolicyRule `json:"rules"`
	Metadata  json.RawMessage       `json:"metadata"`
	CreatedAt time.Time             `json:"created_at"`
	UpdatedAt time.Time             `json:"updated_at"`
	// contains filtered or unexported fields
}

ExecutionSecurityPolicy defines the security policy structure for execution context

func NewExecutionSecurityPolicy

func NewExecutionSecurityPolicy(name, version string) *ExecutionSecurityPolicy

NewExecutionSecurityPolicy creates a new security policy with default values

func (*ExecutionSecurityPolicy) AddRule

AddRule adds a security rule to the policy

func (*ExecutionSecurityPolicy) Clone

Clone creates a deep copy of the security policy

func (*ExecutionSecurityPolicy) Evaluate

func (p *ExecutionSecurityPolicy) Evaluate(ctx ExecutionContext) (bool, error)

Evaluate evaluates the policy against an execution context (performance optimized)

func (*ExecutionSecurityPolicy) GetRule

GetRule retrieves a rule by ID

func (*ExecutionSecurityPolicy) RemoveRule

func (p *ExecutionSecurityPolicy) RemoveRule(ruleID string) bool

RemoveRule removes a rule by ID

func (*ExecutionSecurityPolicy) Validate

func (p *ExecutionSecurityPolicy) Validate() error

Validate validates the security policy

type ExtendedSecurityConfig

// ExtendedSecurityConfig is the extended security configuration: the common
// config plus the sub-configurations that are not part of the core
// interfaces. DefaultSecurityConfig returns a populated instance.
type ExtendedSecurityConfig struct {
	// Embed the common config from interfaces
	// NOTE: this is an embedded pointer. Its exported fields are promoted
	// into this struct (and flattened into the JSON object); accessing a
	// promoted field while the pointer is nil panics, so callers should go
	// through DefaultSecurityConfig or set it explicitly.
	*CommonSecurityConfig

	// Authentication Configuration
	Auth *AuthConfig `json:"auth,omitempty"`

	// RBAC Configuration
	RBAC *RBACConfig `json:"rbac,omitempty"`

	// Rate Limiting Configuration
	RateLimit *RateLimitConfig `json:"rate_limit,omitempty"`

	// CORS Configuration
	CORS *CORSConfig `json:"cors,omitempty"`

	// Input Validation Configuration
	InputValidation *InputValidationConfig `json:"input_validation,omitempty"`

	// Audit Configuration
	Audit *AuditConfig `json:"audit,omitempty"`

	// Encryption Configuration
	Encryption *EncryptionConfig `json:"encryption,omitempty"`
}

ExtendedSecurityConfig is the extended security config, carrying the additional fields that are not in the core interfaces

func DefaultSecurityConfig

func DefaultSecurityConfig() *ExtendedSecurityConfig

DefaultSecurityConfig returns a default security configuration

type FileBackend

type FileBackend struct {
	// contains filtered or unexported fields
}

FileBackend implements SecretsBackend interface using file storage

func (*FileBackend) Backup

func (fb *FileBackend) Backup(ctx context.Context) ([]byte, error)

Backup creates a backup of all secrets

func (*FileBackend) Close

func (fb *FileBackend) Close() error

Close cleans up the file backend (no-op for file backend)

func (*FileBackend) Delete

func (fb *FileBackend) Delete(ctx context.Context, key string) error

Delete deletes a secret from a file

func (*FileBackend) Health

func (fb *FileBackend) Health(ctx context.Context) error

Health checks the health of the file backend

func (*FileBackend) List

func (fb *FileBackend) List(ctx context.Context, prefix string) ([]string, error)

List lists all secret keys with optional prefix

func (*FileBackend) Retrieve

func (fb *FileBackend) Retrieve(ctx context.Context, key string) (*EncryptedSecret, error)

Retrieve retrieves a secret from a file

func (*FileBackend) Store

func (fb *FileBackend) Store(ctx context.Context, key string, value *EncryptedSecret) error

Store stores a secret in a file

type ForensicsCollector

type ForensicsCollector struct {
	// contains filtered or unexported fields
}

func NewForensicsCollector

func NewForensicsCollector(config *IncidentConfig) *ForensicsCollector

func (*ForensicsCollector) CollectEvidence

func (fc *ForensicsCollector) CollectEvidence(ctx context.Context, incident *SecurityIncident) error

type GeolocationFilter

type GeolocationFilter struct {
	// contains filtered or unexported fields
}

GeolocationFilter provides geolocation-based filtering

type GroupMember

// GroupMember is one participant in a MulticastGroup, identified by ID and
// public key.
type GroupMember struct {
	ID string

	// PublicKey is the member's raw public key bytes; the key type is not
	// fixed by this struct.
	PublicKey []byte

	Address string

	Joined time.Time

	Active bool
}

type HTMLValidator

type HTMLValidator struct {
	// contains filtered or unexported fields
}

HTMLValidator prevents XSS attacks

func NewHTMLValidator

func NewHTMLValidator() *HTMLValidator

NewHTMLValidator creates an HTML validator with secure defaults

func (*HTMLValidator) SanitizeHTML

func (h *HTMLValidator) SanitizeHTML(input string) string

SanitizeHTML sanitizes HTML input to prevent XSS attacks

type HashFunction

// HashFunction is a string identifier for a hash algorithm; the constants
// below are the defined values.
type HashFunction string
const (
	HashSHA256 HashFunction = "SHA256"

	HashSHA512 HashFunction = "SHA512"

	HashSHA3_256 HashFunction = "SHA3-256"

	HashSHA3_512 HashFunction = "SHA3-512"

	HashBLAKE2b HashFunction = "BLAKE2b"
)

type HashiCorpVaultBackend

type HashiCorpVaultBackend struct {
	// contains filtered or unexported fields
}

HashiCorpVaultBackend implements SecretsBackend interface using HashiCorp Vault

func (*HashiCorpVaultBackend) Backup

func (hv *HashiCorpVaultBackend) Backup(ctx context.Context) ([]byte, error)

Backup creates a backup from Vault

func (*HashiCorpVaultBackend) Close

func (hv *HashiCorpVaultBackend) Close() error

Close closes the Vault connection

func (*HashiCorpVaultBackend) Delete

func (hv *HashiCorpVaultBackend) Delete(ctx context.Context, key string) error

Delete deletes a secret from Vault

func (*HashiCorpVaultBackend) Health

func (hv *HashiCorpVaultBackend) Health(ctx context.Context) error

Health checks the health of the HashiCorp Vault backend

func (*HashiCorpVaultBackend) List

func (hv *HashiCorpVaultBackend) List(ctx context.Context, prefix string) ([]string, error)

List lists all secret keys in Vault with optional prefix

func (*HashiCorpVaultBackend) Retrieve

func (hv *HashiCorpVaultBackend) Retrieve(ctx context.Context, key string) (*EncryptedSecret, error)

Retrieve retrieves a secret from Vault

func (*HashiCorpVaultBackend) Store

func (hv *HashiCorpVaultBackend) Store(ctx context.Context, key string, value *EncryptedSecret) error

Store stores a secret in Vault

type HeaderFinding

// HeaderFinding records the result of checking one HTTP response header.
type HeaderFinding struct {
	Header string `json:"header"`

	Issue string `json:"issue"`

	Severity string `json:"severity"`

	Description string `json:"description"`

	Recommendation string `json:"recommendation"`

	// Present reports whether the header was seen at all; Value is its
	// observed value when it was.
	Present bool `json:"present"`

	Value string `json:"value,omitempty"`
}

type IPLimiter

type IPLimiter struct {
	// contains filtered or unexported fields
}

IPLimiter tracks rate limiting for a specific IP

type IRIntegrationConfig

// IRIntegrationConfig groups the optional external integrations of the
// incident-response subsystem (see IncidentConfig.IntegrationConfig).
type IRIntegrationConfig struct {
	SIEM *SIEMConfig `json:"siem,omitempty"`

	SOAR *SOARConfig `json:"soar,omitempty"`

	Ticketing *TicketingConfig `json:"ticketing,omitempty"`
}

type ImageSignature

// ImageSignature represents an image signature and its verification result.
type ImageSignature struct {
	Image     string            `json:"image"`
	Signature string            `json:"signature"`
	Issuer    string            `json:"issuer"`
	// Valid is a recorded outcome, presumably set by ImageVerifier; a
	// consumer should not treat a deserialized Valid=true as proof on its
	// own — confirm where it is set.
	Valid     bool              `json:"valid"`
	Metadata  map[string]string `json:"metadata"`
	Timestamp time.Time         `json:"timestamp"`
}

ImageSignature represents an image signature

type ImageVerifier

type ImageVerifier struct {
	// contains filtered or unexported fields
}

ImageVerifier verifies image signatures and attestations

type ImageVuln

// ImageVuln is the scan result for one container image reference.
type ImageVuln struct {
	Image string `json:"image"`

	// Tag is mutable; Digest pins the exact content that was scanned and is
	// the field to compare when correlating results.
	Tag string `json:"tag"`

	Digest string `json:"digest"`

	Vulnerabilities []string `json:"vulnerabilities"`

	LastScanned time.Time `json:"last_scanned"`

	ScanTool string `json:"scan_tool"`
}

type ImpactAssessment

// ImpactAssessment captures the CIA ratings and business impact of an
// incident.
type ImpactAssessment struct {
	Confidentiality string `json:"confidentiality"` // None, Low, Medium, High

	// Integrity and Availability presumably use the same scale as
	// Confidentiality — confirm against the producer.
	Integrity string `json:"integrity"`

	Availability string `json:"availability"`

	BusinessImpact string `json:"business_impact"`

	AffectedSystems []string `json:"affected_systems"`

	AffectedUsers int `json:"affected_users"`

	// EstimatedCost has no currency or unit attached to it here.
	EstimatedCost float64 `json:"estimated_cost"`
}

type IncidentConfig

// IncidentConfig configures the IncidentResponse subsystem and the engines
// built from it (EscalationEngine, ForensicsCollector).
type IncidentConfig struct {
	EnableAutoResponse bool `json:"enable_auto_response"`

	AutoResponseThreshold string `json:"auto_response_threshold"` // Critical, High, Medium

	// MaxAutoActions bounds automated responses per incident (by name) —
	// a zero value may mean "unlimited" or "none"; confirm in the consumer.
	MaxAutoActions int `json:"max_auto_actions"`

	// Duration fields encode as integer nanoseconds under encoding/json.
	IncidentRetention time.Duration `json:"incident_retention"`

	EscalationTimeout time.Duration `json:"escalation_timeout"`

	ForensicsEnabled bool `json:"forensics_enabled"`

	NotificationConfig *NotificationConfig `json:"notification_config"`

	IntegrationConfig *IRIntegrationConfig `json:"integration_config"`

	// WebhookSecret is presumably what IncidentResponse.HandleWebhook uses
	// to authenticate inbound calls. It is serialized under "webhook_secret",
	// so a marshalled IncidentConfig is itself sensitive.
	WebhookSecret string `json:"webhook_secret"`
}

type IncidentFilter

// IncidentFilter selects incidents for IncidentResponse.ListIncidents; empty
// fields presumably mean "no constraint".
type IncidentFilter struct {
	Severity string `json:"severity,omitempty"`

	Status string `json:"status,omitempty"`

	Category string `json:"category,omitempty"`

	Assignee string `json:"assignee,omitempty"`

	Source string `json:"source,omitempty"`

	// NOTE(review): omitempty does not omit a zero time.Time (structs are
	// never "empty" to encoding/json); FromDate/ToDate are always emitted.
	// A *time.Time or omitzero (Go 1.24+) would give the intended behavior.
	FromDate time.Time `json:"from_date,omitempty"`

	ToDate time.Time `json:"to_date,omitempty"`

	Tags []string `json:"tags,omitempty"`

	// Limit of 0 is indistinguishable from "unset" here; the consumer decides
	// whether that means unbounded.
	Limit int `json:"limit,omitempty"`
}

type IncidentMetrics

type IncidentMetrics struct {
	TotalIncidents int64 `json:"total_incidents"`

	OpenIncidents int64 `json:"open_incidents"`

	ResolvedIncidents int64 `json:"resolved_incidents"`

	IncidentsBySeverity map[string]int64 `json:"incidents_by_severity"`

	IncidentsByCategory map[string]int64 `json:"incidents_by_category"`

	MTTR time.Duration `json:"mttr"` // Mean Time To Resolution

	MTTA time.Duration `json:"mtta"` // Mean Time To Acknowledgment

	AutomatedActions int64 `json:"automated_actions"`

	EscalatedIncidents int64 `json:"escalated_incidents"`

	LastIncidentTime time.Time `json:"last_incident_time"`
	// contains filtered or unexported fields
}

type IncidentResponse

type IncidentResponse struct {
	// contains filtered or unexported fields
}

func NewIncidentResponse

func NewIncidentResponse(config *IncidentConfig) (*IncidentResponse, error)

func (*IncidentResponse) AddEvidence

func (ir *IncidentResponse) AddEvidence(incidentID string, evidence *Evidence) error

func (*IncidentResponse) Close

func (ir *IncidentResponse) Close() error

func (*IncidentResponse) CreateIncident

func (ir *IncidentResponse) CreateIncident(ctx context.Context, request *CreateIncidentRequest) (*SecurityIncident, error)

func (*IncidentResponse) ExecutePlaybook

func (ir *IncidentResponse) ExecutePlaybook(ctx context.Context, incidentID, playbookID string) error

func (*IncidentResponse) GetIncident

func (ir *IncidentResponse) GetIncident(incidentID string) (*SecurityIncident, error)

func (*IncidentResponse) GetMetrics

func (ir *IncidentResponse) GetMetrics() *IncidentMetrics

func (*IncidentResponse) HandleWebhook

func (ir *IncidentResponse) HandleWebhook(w http.ResponseWriter, r *http.Request)

func (*IncidentResponse) ListIncidents

func (ir *IncidentResponse) ListIncidents(filter *IncidentFilter) ([]*SecurityIncident, error)

func (*IncidentResponse) UpdateIncident

func (ir *IncidentResponse) UpdateIncident(ctx context.Context, incidentID string, updates *IncidentUpdate) error

type IncidentUpdate

// IncidentUpdate is the partial update applied by
// IncidentResponse.UpdateIncident; empty fields presumably leave the current
// value unchanged.
type IncidentUpdate struct {
	Status string `json:"status,omitempty"`

	Assignee string `json:"assignee,omitempty"`

	Severity string `json:"severity,omitempty"`

	Tags []string `json:"tags,omitempty"`

	// UpdatedBy is required (no omitempty) so the change is attributable.
	UpdatedBy string `json:"updated_by"`
}

type InjectionFinding

// InjectionFinding records one detected injection issue against a URL.
type InjectionFinding struct {
	Type string `json:"type"` // SQL, XSS, Command, etc.

	URL string `json:"url"`

	Parameter string `json:"parameter,omitempty"`

	// Payload and Evidence hold the literal input/response that triggered
	// the finding. They are untrusted content; anything rendering findings
	// into HTML or a shell must escape them.
	Payload string `json:"payload"`

	Method string `json:"method"`

	Severity string `json:"severity"`

	Description string `json:"description"`

	Evidence string `json:"evidence,omitempty"`
}

type InputSanitizer

type InputSanitizer struct {
	// contains filtered or unexported fields
}

InputSanitizer provides input sanitization utilities

func NewInputSanitizer

func NewInputSanitizer() *InputSanitizer

NewInputSanitizer creates a new input sanitizer

func (*InputSanitizer) SanitizeInput

func (is *InputSanitizer) SanitizeInput(input string, ctx context.Context) string

SanitizeInput removes potentially dangerous content from user input

func (*InputSanitizer) ValidateCommand

func (is *InputSanitizer) ValidateCommand(input string) bool

ValidateCommand checks for command injection attempts

func (*InputSanitizer) ValidateSQL

func (is *InputSanitizer) ValidateSQL(input string) bool

ValidateSQL checks for SQL injection attempts

type InputValidationConfig

// InputValidationConfig defines input validation configuration (see
// ExtendedSecurityConfig.InputValidation).
type InputValidationConfig struct {
	Enabled                bool     `json:"enabled"`
	MaxRequestSize         int      `json:"max_request_size,omitempty"`
	MaxInputLength         int      `json:"max_input_length,omitempty"`
	MaxOutputLength        int      `json:"max_output_length,omitempty"`
	SanitizeHTML           bool     `json:"sanitize_html"`
	SanitizeInput          bool     `json:"sanitize_input"`
	// NOTE(review): ValidateJSONSchema and EnableSchemaValidation look like
	// the same switch under two names; which one the validator reads is not
	// visible here — confirm before setting only one.
	ValidateJSONSchema     bool     `json:"validate_json_schema"`
	EnableSchemaValidation bool     `json:"enable_schema_validation"`
	StrictValidation       bool     `json:"strict_validation"`
	// ForbiddenPatterns are presumably regular expressions; they should be
	// compiled once at load time, not per request.
	ForbiddenPatterns      []string `json:"forbidden_patterns,omitempty"`
	RequiredHeaders        []string `json:"required_headers,omitempty"`
}

InputValidationConfig defines input validation configuration

type InputValidator

type InputValidator struct {
	// contains filtered or unexported fields
}

InputValidator provides comprehensive input validation against injection attacks

func NewInputValidator

func NewInputValidator() *InputValidator

NewInputValidator creates a new input validator with secure defaults

type Integrations

// Integrations groups the optional notification/ticketing targets. Each
// member config carries its own credentials, so the whole struct is
// sensitive when marshalled.
type Integrations struct {
	Jira *JiraConfig `json:"jira,omitempty"`

	Slack *SlackConfig `json:"slack,omitempty"`

	Email *EmailConfig `json:"email,omitempty"`

	Webhook *WebhookConfig `json:"webhook,omitempty"`
}

type Issue

// Issue is a generic audit finding with a severity and remediation text. It
// has no json tags, unlike the other finding types in this package.
type Issue struct {
	Severity string // Critical, High, Medium, Low

	Component string

	Description string

	Remediation string
}

type JWTConfig

// JWTConfig holds JWT configuration.
type JWTConfig struct {
	// SecretKey is the signing secret (presumably for HMAC algorithms) and is
	// marshalled under "secret_key"; a serialized JWTConfig is a credential.
	SecretKey      string        `json:"secret_key,omitempty"`
	// NOTE(review): TokenDuration (string) and TokenTTL (time.Duration) both
	// describe the token lifetime; which one wins is not visible here.
	// TokenTTL/RefreshTTL serialize as integer nanoseconds.
	TokenDuration  string        `json:"token_duration,omitempty"`
	RefreshEnabled bool          `json:"refresh_enabled"`
	TokenTTL       time.Duration `json:"token_ttl,omitempty"`
	RefreshTTL     time.Duration `json:"refresh_ttl,omitempty"`
}

JWTConfig holds JWT configuration

type JiraConfig

// JiraConfig holds connection details for creating Jira issues.
type JiraConfig struct {
	URL string `json:"url"`

	Username string `json:"username"`

	// APIToken is serialized under "api_token"; treat marshalled JiraConfig
	// values as secrets.
	APIToken string `json:"api_token"`

	ProjectKey string `json:"project_key"`

	IssueType string `json:"issue_type"`
}

type KDFParams

// KDFParams holds the tunables for each supported key-derivation function,
// grouped by algorithm (Argon2, PBKDF2, scrypt, HKDF).
type KDFParams struct {
	Argon2Time uint32

	// Argon2Memory is in KiB, the unit used by the argon2 API — TODO confirm
	// the consumer does not expect bytes.
	Argon2Memory uint32

	Argon2Threads uint8

	Argon2KeyLen uint32

	PBKDF2Iterations int

	// ScryptN is the scrypt CPU/memory cost; scrypt implementations require
	// a power of two greater than 1, so validate it before use.
	ScryptN int

	ScryptR int

	ScryptP int

	// HKDFInfo is the context/application-specific info string; it is not
	// secret but must be fixed per purpose so derived keys stay separated.
	HKDFInfo []byte
}

type KeyDerivationManager

type KeyDerivationManager struct {
	// contains filtered or unexported fields
}

KeyDerivationManager manages key derivation operations

func NewKeyDerivationManager

func NewKeyDerivationManager() *KeyDerivationManager

NewKeyDerivationManager creates a new key derivation manager

type KeyManager

// KeyManager is a type alias for AdvancedKeyManager, kept for callers that
// still refer to the older name.
type KeyManager = AdvancedKeyManager

type KeyStore

// KeyStore is the persistence contract for DetailedStoredKey records.
// MockKeyStore is the in-package implementation used by tests.
type KeyStore interface {
	Store(ctx context.Context, key *DetailedStoredKey) error

	Retrieve(ctx context.Context, keyID string) (*DetailedStoredKey, error)

	Delete(ctx context.Context, keyID string) error

	List(ctx context.Context) ([]*DetailedStoredKey, error)

	// Rotate replaces the key identified by keyID with newKey; whether the
	// old version is retained or destroyed is up to the implementation.
	Rotate(ctx context.Context, keyID string, newKey *DetailedStoredKey) error
}

type KeyVersion

// KeyVersion represents a versioned encryption key used in vault.
type KeyVersion struct {
	Version   int       `json:"version"`
	// Key is raw key material with an ordinary json tag, so it is emitted
	// (base64, unencrypted) whenever a KeyVersion is marshalled; keep such
	// output inside the vault boundary.
	Key       []byte    `json:"key"`
	Algorithm string    `json:"algorithm"` // ADDED: Algorithm field for key version
	CreatedAt time.Time `json:"created_at"`
	// ExpiresAt is always emitted; a zero value means "no expiry" only if
	// the consumer treats it that way — confirm.
	ExpiresAt time.Time `json:"expires_at"`
	Active    bool      `json:"active"`
}

KeyVersion represents a versioned encryption key used in vault

type KubernetesBackend

type KubernetesBackend struct {
	// contains filtered or unexported fields
}

KubernetesBackend implements SecretsBackend interface using Kubernetes secrets

func (*KubernetesBackend) Backup

func (kb *KubernetesBackend) Backup(ctx context.Context) ([]byte, error)

Backup creates a backup from Kubernetes secrets

func (*KubernetesBackend) Close

func (kb *KubernetesBackend) Close() error

Close closes the Kubernetes client connection

func (*KubernetesBackend) Delete

func (kb *KubernetesBackend) Delete(ctx context.Context, key string) error

Delete deletes a secret from Kubernetes

func (*KubernetesBackend) Health

func (kb *KubernetesBackend) Health(ctx context.Context) error

Health checks the health of the Kubernetes backend

func (*KubernetesBackend) List

func (kb *KubernetesBackend) List(ctx context.Context, prefix string) ([]string, error)

List lists all secret keys in Kubernetes with optional prefix

func (*KubernetesBackend) Retrieve

func (kb *KubernetesBackend) Retrieve(ctx context.Context, key string) (*EncryptedSecret, error)

Retrieve retrieves a secret from Kubernetes

func (*KubernetesBackend) Store

func (kb *KubernetesBackend) Store(ctx context.Context, key string, value *EncryptedSecret) error

Store stores a secret in Kubernetes

type LDAPConfig

// LDAPConfig holds LDAP configuration. There is no TLS/StartTLS or bind
// credential field here, so transport protection is decided elsewhere —
// confirm before pointing it at a production directory.
type LDAPConfig struct {
	Enabled bool   `json:"enabled"`
	Host    string `json:"host,omitempty"`
	Port    int    `json:"port,omitempty"`
	BaseDN  string `json:"base_dn,omitempty"`
}

LDAPConfig holds LDAP configuration

type LLMSanitizer

type LLMSanitizer struct {
	// contains filtered or unexported fields
}

func NewLLMSanitizer

func NewLLMSanitizer(config *SanitizerConfig) *LLMSanitizer

func (*LLMSanitizer) BuildSecurePrompt

func (s *LLMSanitizer) BuildSecurePrompt(systemPrompt, userInput string) string

func (*LLMSanitizer) GetMetrics

func (s *LLMSanitizer) GetMetrics() map[string]interface{}

func (*LLMSanitizer) SanitizeInput

func (s *LLMSanitizer) SanitizeInput(ctx context.Context, input string) (string, error)

func (*LLMSanitizer) ValidateOutput

func (s *LLMSanitizer) ValidateOutput(ctx context.Context, output string) (string, error)

func (*LLMSanitizer) ValidateSystemPromptIntegrity

func (s *LLMSanitizer) ValidateSystemPromptIntegrity(systemPrompt string) error

type LicenseIssue

// LicenseIssue flags a dependency license problem (see
// Dependency.LicenseIssues).
type LicenseIssue struct {
	License string `json:"license"`

	Severity string `json:"severity"`

	Description string `json:"description"`
}

type MITREMapping

// MITREMapping maps an incident or detection onto MITRE ATT&CK tactics and
// techniques with a confidence score.
type MITREMapping struct {
	Tactics []string `json:"tactics"`

	Techniques []string `json:"techniques"`

	SubTechniques []string `json:"sub_techniques"`

	// Confidence scale (0–1 vs 0–100) is not fixed by this type.
	Confidence float64 `json:"confidence"`
}

type MLDetectionEngine

type MLDetectionEngine struct {
	// contains filtered or unexported fields
}

type MTLSConfig

// MTLSConfig defines comprehensive mutual TLS configuration consumed by
// NewMTLSManager; DefaultMTLSConfig produces the recommended values.
type MTLSConfig struct {
	// Service identity
	ServiceName      string   `json:"service_name" yaml:"service_name"`
	ServiceNamespace string   `json:"service_namespace" yaml:"service_namespace"`
	AllowedServices  []string `json:"allowed_services" yaml:"allowed_services"`

	// Certificate configuration
	// KeyFile points at private key material; the path is config, the file
	// is a secret.
	CertFile     string        `json:"cert_file" yaml:"cert_file"`
	KeyFile      string        `json:"key_file" yaml:"key_file"`
	CAFile       string        `json:"ca_file" yaml:"ca_file"`
	CertValidity time.Duration `json:"cert_validity" yaml:"cert_validity"`

	// Rotation configuration
	// Durations serialize as integer nanoseconds under encoding/json.
	AutoRotateEnabled     bool          `json:"auto_rotate_enabled" yaml:"auto_rotate_enabled"`
	RotationThreshold     time.Duration `json:"rotation_threshold" yaml:"rotation_threshold"`
	RotationCheckInterval time.Duration `json:"rotation_check_interval" yaml:"rotation_check_interval"`

	// Security policies
	// NOTE(review): crypto/x509 has not used the Common Name for host
	// verification since Go 1.15, so ValidateCommonName/AllowedCommonNames
	// only matter if MTLSManager implements its own peer check; prefer the
	// SAN-based fields.
	RequireClientCert      bool     `json:"require_client_cert" yaml:"require_client_cert"`
	ValidateCommonName     bool     `json:"validate_common_name" yaml:"validate_common_name"`
	ValidateSubjectAltName bool     `json:"validate_subject_alt_name" yaml:"validate_subject_alt_name"`
	AllowedCommonNames     []string `json:"allowed_common_names" yaml:"allowed_common_names"`
	AllowedSANs            []string `json:"allowed_sans" yaml:"allowed_sans"`

	// TLS configuration
	// Versions, cipher suites and curves are the numeric crypto/tls
	// constants (e.g. tls.VersionTLS12), so they appear as bare integers in
	// JSON/YAML. If they are copied into a tls.Config, a zero version leaves
	// the Go default in place.
	MinTLSVersion    uint16        `json:"min_tls_version" yaml:"min_tls_version"`
	MaxTLSVersion    uint16        `json:"max_tls_version" yaml:"max_tls_version"`
	CipherSuites     []uint16      `json:"cipher_suites" yaml:"cipher_suites"`
	CurvePreferences []tls.CurveID `json:"curve_preferences" yaml:"curve_preferences"`

	// OCSP and CRL configuration
	// How a failed or unreachable OCSP/CRL lookup is treated (fail-open vs
	// fail-closed) is not expressed here — confirm in MTLSManager.
	EnableOCSP         bool   `json:"enable_ocsp" yaml:"enable_ocsp"`
	OCSPServerURL      string `json:"ocsp_server_url" yaml:"ocsp_server_url"`
	EnableCRL          bool   `json:"enable_crl" yaml:"enable_crl"`
	CRLDistributionURL string `json:"crl_distribution_url" yaml:"crl_distribution_url"`
}

MTLSConfig defines comprehensive mutual TLS configuration

func DefaultMTLSConfig

func DefaultMTLSConfig(serviceName string) *MTLSConfig

DefaultMTLSConfig returns O-RAN WG11 compliant mTLS configuration

type MTLSHealthChecker

type MTLSHealthChecker struct {
	// contains filtered or unexported fields
}

MTLSHealthChecker provides health checking for mTLS connections

func NewMTLSHealthChecker

func NewMTLSHealthChecker(manager *MTLSManager, logger *zap.Logger) *MTLSHealthChecker

NewMTLSHealthChecker creates a new mTLS health checker

func (*MTLSHealthChecker) CheckHealth

func (hc *MTLSHealthChecker) CheckHealth() error

CheckHealth performs a comprehensive health check of mTLS configuration

type MTLSManager

type MTLSManager struct {
	// contains filtered or unexported fields
}

MTLSManager manages mutual TLS for inter-service communication

func NewMTLSManager

func NewMTLSManager(config *MTLSConfig, k8sClient kubernetes.Interface, logger *zap.Logger) (*MTLSManager, error)

NewMTLSManager creates a new enterprise mTLS manager

func (*MTLSManager) Close

func (m *MTLSManager) Close() error

Close shuts down the mTLS manager

func (*MTLSManager) CreateGRPCClientCredentials

func (m *MTLSManager) CreateGRPCClientCredentials(serverName string) (credentials.TransportCredentials, error)

CreateGRPCClientCredentials creates gRPC client credentials with mTLS

func (*MTLSManager) CreateGRPCServerCredentials

func (m *MTLSManager) CreateGRPCServerCredentials() (credentials.TransportCredentials, error)

CreateGRPCServerCredentials creates gRPC server credentials with mTLS

func (*MTLSManager) CreateGRPCServerOptions

func (m *MTLSManager) CreateGRPCServerOptions() ([]grpc.ServerOption, error)

CreateGRPCServerOptions creates gRPC server options with mTLS and additional security

func (*MTLSManager) CreateSecureHTTPClient

func (m *MTLSManager) CreateSecureHTTPClient(serverName string, timeout time.Duration) (*http.Client, error)

CreateSecureHTTPClient creates an HTTP client with mTLS configuration

func (*MTLSManager) GetCertificateInfo

func (m *MTLSManager) GetCertificateInfo() map[string]interface{}

GetCertificateInfo returns information about current certificates

func (*MTLSManager) GetClientTLSConfig

func (m *MTLSManager) GetClientTLSConfig(serverName string) (*tls.Config, error)

GetClientTLSConfig returns a TLS configuration for clients

func (*MTLSManager) GetServerTLSConfig

func (m *MTLSManager) GetServerTLSConfig() (*tls.Config, error)

GetServerTLSConfig returns a TLS configuration for servers

type MemoryBackend

type MemoryBackend struct {
	// contains filtered or unexported fields
}

MemoryBackend implements SecretsBackend interface using in-memory storage

func (*MemoryBackend) Backup

func (mb *MemoryBackend) Backup(ctx context.Context) ([]byte, error)

Backup creates a backup of in-memory secrets

func (*MemoryBackend) Close

func (mb *MemoryBackend) Close() error

Close cleans up the memory backend

func (*MemoryBackend) Delete

func (mb *MemoryBackend) Delete(ctx context.Context, key string) error

Delete deletes a secret from memory

func (*MemoryBackend) Health

func (mb *MemoryBackend) Health(ctx context.Context) error

Health checks the health of the memory backend

func (*MemoryBackend) List

func (mb *MemoryBackend) List(ctx context.Context, prefix string) ([]string, error)

List lists all secret keys in memory with optional prefix

func (*MemoryBackend) Retrieve

func (mb *MemoryBackend) Retrieve(ctx context.Context, key string) (*EncryptedSecret, error)

Retrieve retrieves a secret from memory

func (*MemoryBackend) Store

func (mb *MemoryBackend) Store(ctx context.Context, key string, value *EncryptedSecret) error

Store stores a secret in memory

type Misconfiguration

// Misconfiguration represents a security misconfiguration found in a
// resource, with the suggested resolution and references.
type Misconfiguration struct {
	ID          string            `json:"id"`
	Title       string            `json:"title"`
	Description string            `json:"description"`
	Severity    string            `json:"severity"`
	Category    string            `json:"category"`
	Resource    string            `json:"resource"`
	Location    string            `json:"location"`
	Resolution  string            `json:"resolution"`
	References  []string          `json:"references"`
	Metadata    map[string]string `json:"metadata"`
}

Misconfiguration represents a security misconfiguration

type MockCertStore

// MockCertStore implements a mock certificate store for testing; it holds no
// state, so what its Get/List return is fixed by the method bodies.
type MockCertStore struct{}

MockCertStore implements a mock certificate store for testing

func (*MockCertStore) Delete

func (m *MockCertStore) Delete(ctx context.Context, name string) error

func (*MockCertStore) Get

func (m *MockCertStore) Get(ctx context.Context, name string) (*tls.Certificate, error)

func (*MockCertStore) List

func (m *MockCertStore) List(ctx context.Context) ([]string, error)

func (*MockCertStore) Put

func (m *MockCertStore) Put(ctx context.Context, name string, cert *tls.Certificate) error

type MockKeyStore

// MockKeyStore is a stateless (no fields) test double for a key store; its
// Delete, List, Retrieve, Rotate and Store methods operate on *DetailedStoredKey.
// NOTE(review): like MockCertStore it is exported from a non-_test package and
// therefore ships in production builds — confirm it cannot be selected at runtime.
type MockKeyStore struct{}

func (*MockKeyStore) Delete

func (m *MockKeyStore) Delete(ctx context.Context, keyID string) error

func (*MockKeyStore) List

func (m *MockKeyStore) List(ctx context.Context) ([]*DetailedStoredKey, error)

func (*MockKeyStore) Retrieve

func (m *MockKeyStore) Retrieve(ctx context.Context, keyID string) (*DetailedStoredKey, error)

func (*MockKeyStore) Rotate

func (m *MockKeyStore) Rotate(ctx context.Context, keyID string, newKey *DetailedStoredKey) error

func (*MockKeyStore) Store

func (m *MockKeyStore) Store(ctx context.Context, key *DetailedStoredKey) error

type MonitoredCert

// MonitoredCert is an x509 certificate together with its expiry and the result
// of the most recent health check.
type MonitoredCert struct {
	// Name identifies the certificate.
	Name string

	// Cert is the parsed certificate being monitored.
	Cert *x509.Certificate

	// ExpiryTime is the time the certificate expires.
	// NOTE(review): presumably mirrors Cert.NotAfter; whether it is kept in sync is not visible here.
	ExpiryTime time.Time

	// Healthy records the outcome of the last check.
	Healthy bool

	// LastCheck is when Healthy was last evaluated.
	LastCheck time.Time
}

type MulticastGroup

// MulticastGroup has only unexported fields.
// NOTE(review): its purpose is inferred from the name alone — confirm against the source.
type MulticastGroup struct {
	// contains filtered or unexported fields
}

type NetworkList

// NetworkList manages IP whitelists and blacklists; its fields are unexported,
// so the representation (CIDRs vs. single addresses) is not visible here.
type NetworkList struct {
	// contains filtered or unexported fields
}

NetworkList manages IP whitelists and blacklists

type NetworkPolicyManager

// NetworkPolicyManager creates and validates Kubernetes NetworkPolicies for a
// single namespace. It is constructed with NewNetworkPolicyManager(client, namespace);
// its fields are unexported.
type NetworkPolicyManager struct {
	// contains filtered or unexported fields
}

func NewNetworkPolicyManager

func NewNetworkPolicyManager(client client.Client, namespace string) *NetworkPolicyManager

func (*NetworkPolicyManager) CreateControllerNetworkPolicy

func (m *NetworkPolicyManager) CreateControllerNetworkPolicy(ctx context.Context) error

func (*NetworkPolicyManager) CreateDefaultDenyAllPolicy

func (m *NetworkPolicyManager) CreateDefaultDenyAllPolicy(ctx context.Context) error

func (*NetworkPolicyManager) CreateExternalAccessPolicy

func (m *NetworkPolicyManager) CreateExternalAccessPolicy(ctx context.Context, serviceName string, allowedCIDRs []string) error

func (*NetworkPolicyManager) CreateLLMServiceNetworkPolicy

func (m *NetworkPolicyManager) CreateLLMServiceNetworkPolicy(ctx context.Context) error

func (*NetworkPolicyManager) CreateORANInterfacePolicy

func (m *NetworkPolicyManager) CreateORANInterfacePolicy(ctx context.Context, interfaceType string) error

func (*NetworkPolicyManager) EnforceZeroTrustNetworking

func (m *NetworkPolicyManager) EnforceZeroTrustNetworking(ctx context.Context) error

func (*NetworkPolicyManager) ValidateNetworkPolicies

func (m *NetworkPolicyManager) ValidateNetworkPolicies(ctx context.Context) (*NetworkPolicyValidationReport, error)

type NetworkPolicyValidationReport

// NetworkPolicyValidationReport is returned by NetworkPolicyManager.ValidateNetworkPolicies.
type NetworkPolicyValidationReport struct {
	// Timestamp is when the validation ran.
	Timestamp metav1.Time

	// Namespace is the namespace that was validated.
	Namespace string

	// Compliant is the overall verdict.
	Compliant bool

	// PolicyCount is the number of NetworkPolicies found.
	PolicyCount int

	// CoveredPods is the number of pods selected by at least one policy;
	// TotalPods is the number of pods in the namespace. Pods not covered by any
	// policy have no network restrictions applied, so a gap between the two is
	// a finding in itself.
	CoveredPods int

	TotalPods int

	// Issues are blocking problems; Warnings are non-blocking.
	Issues []string

	Warnings []string
}

type NotificationConfig

// NotificationConfig selects the notification channels to use and who receives them.
type NotificationConfig struct {
	EnableEmail bool `json:"enable_email"`

	EnableSlack bool `json:"enable_slack"`

	EnableSMS bool `json:"enable_sms"`

	EnablePagerDuty bool `json:"enable_pagerduty"`

	// Recipients are the primary targets for notifications.
	Recipients []string `json:"recipients"`

	// EscalationList is consulted in addition to Recipients.
	// NOTE(review): when escalation happens is not visible here — confirm in the notifier.
	EscalationList []string `json:"escalation_list"`
}

type OAuthProvider

// OAuthProvider represents an OAuth provider configuration.
//
// ClientSecret is serialized under "client_secret" with no redaction, so any
// json.Marshal of this struct (logs, API responses, debug dumps) emits the
// secret in clear text. Treat values of this type as sensitive and avoid
// marshaling them outside of the configuration load path.
type OAuthProvider struct {
	Name         string            `json:"name"`
	// Type selects the provider implementation; no enumeration is declared here.
	Type         string            `json:"type"`
	IssuerURL    string            `json:"issuer_url"`
	ClientID     string            `json:"client_id"`
	// ClientSecret is a credential — see the type comment about serialization.
	ClientSecret string            `json:"client_secret"`
	RedirectURL  string            `json:"redirect_url,omitempty"`
	TenantID     string            `json:"tenant_id,omitempty"`
	Scopes       []string          `json:"scopes,omitempty"`
	ExtraParams  map[string]string `json:"extra_params,omitempty"`
	// Enabled gates whether the provider is used.
	Enabled      bool              `json:"enabled"`
}

OAuthProvider represents an OAuth provider configuration

type OCSPCache

// OCSPCache has only unexported fields.
// NOTE(review): presumably caches OCSP responses (see OCSPResponse); eviction
// and max-age behaviour are not visible here.
type OCSPCache struct {
	// contains filtered or unexported fields
}

type OCSPResponder

// OCSPResponder has only unexported fields.
// NOTE(review): purpose inferred from the name — confirm against the source.
type OCSPResponder struct {
	// contains filtered or unexported fields
}

type OCSPResponse

// OCSPResponse is a decoded OCSP status for one certificate.
type OCSPResponse struct {
	// Status is the certificate status code.
	// NOTE(review): presumably the status constants of an OCSP library; the
	// value set is not declared here — confirm before comparing against literals.
	Status int

	// RevokedAt is the revocation time; only meaningful when Status indicates revocation.
	RevokedAt time.Time

	// Reason is the revocation reason code (same caveat as Status).
	Reason int

	// UpdatedAt is when this response was produced or last refreshed.
	UpdatedAt time.Time
}

type OPABundle

// OPABundle represents an OPA bundle configuration: where the bundle is fetched
// from and how its signature is verified.
type OPABundle struct {
	// Service name
	Service string `json:"service"`

	// Resource path
	Resource string `json:"resource,omitempty"`

	// Signing configuration. A nil Signing means no signature-verification
	// settings are configured for this bundle, so bundle integrity then rests
	// entirely on the transport to Service.
	Signing *OPABundleSigning `json:"signing,omitempty"`
}

OPABundle represents an OPA bundle configuration

type OPABundleSigning

// OPABundleSigning represents bundle signing configuration.
type OPABundleSigning struct {
	// Public key for verification
	PublicKey string `json:"publicKey,omitempty"`

	// Key ID
	KeyID string `json:"keyId,omitempty"`

	// Exclude files from verification. Every entry here is a file whose
	// integrity is not checked, so keep this list as short as possible and
	// review additions to it.
	Exclude []string `json:"exclude,omitempty"`
}

OPABundleSigning represents bundle signing configuration

type OPACompliancePolicyEngine

// OPACompliancePolicyEngine represents an Open Policy Agent compliance engine
// instance: where it runs, what it evaluates, and its last observed status.
type OPACompliancePolicyEngine struct {
	// Name of the OPA engine instance
	Name string `json:"name"`

	// Namespace where OPA is deployed
	Namespace string `json:"namespace"`

	// OPA server endpoint
	// NOTE(review): whether this must be an https URL is not enforced by the type.
	Endpoint string `json:"endpoint"`

	// Policy package name
	PolicyPackage string `json:"policyPackage"`

	// Policies loaded in the engine
	Policies []OPAPolicy `json:"policies,omitempty"`

	// Configuration for the OPA engine
	Config *OPAConfig `json:"config,omitempty"`

	// Status of the engine
	Status OPAEngineStatus `json:"status,omitempty"`
}

OPACompliancePolicyEngine represents Open Policy Agent compliance engine

type OPAConfig

// OPAConfig represents OPA configuration. Bundles is keyed by bundle name.
type OPAConfig struct {
	// Bundles configuration
	Bundles map[string]OPABundle `json:"bundles,omitempty"`

	// Decision logs configuration
	DecisionLogs *OPADecisionLogsConfig `json:"decisionLogs,omitempty"`

	// Status configuration
	Status *OPAStatusConfig `json:"status,omitempty"`

	// Server configuration
	Server *OPAServerConfig `json:"server,omitempty"`
}

OPAConfig represents OPA configuration

type OPADecisionLogsConfig

// OPADecisionLogsConfig represents decision logs configuration. Decision logs
// are the audit trail of what the engine allowed or denied.
type OPADecisionLogsConfig struct {
	// Console logging
	Console bool `json:"console,omitempty"`

	// Service name for remote logging
	Service string `json:"service,omitempty"`

	// Reporting configuration
	Reporting *OPAReportingConfig `json:"reporting,omitempty"`
}

OPADecisionLogsConfig represents decision logs configuration

type OPAEngineStatus

// OPAEngineStatus represents the status of an OPA engine.
type OPAEngineStatus struct {
	// Ready indicates if the engine is ready
	Ready bool `json:"ready"`

	// Healthy indicates if the engine is healthy
	Healthy bool `json:"healthy"`

	// Number of loaded policies
	PolicyCount int `json:"policyCount"`

	// Last evaluation timestamp
	LastEvaluation *time.Time `json:"lastEvaluation,omitempty"`

	// Error message if any
	Error string `json:"error,omitempty"`

	// Version of OPA
	Version string `json:"version,omitempty"`
}

OPAEngineStatus represents the status of an OPA engine

type OPAGZIPConfig

// OPAGZIPConfig represents GZIP compression configuration.
type OPAGZIPConfig struct {
	// Compression level; zero is omitted from JSON, so the server's default applies.
	Level int `json:"level,omitempty"`
}

OPAGZIPConfig represents GZIP compression configuration

type OPAPolicy

// OPAPolicy represents a single OPA policy, carried as raw Rego source.
type OPAPolicy struct {
	// Name of the policy
	Name string `json:"name"`

	// Rego policy content (the full policy source, untrusted until loaded and
	// compiled by the engine)
	Rego string `json:"rego"`

	// Package name for the policy
	Package string `json:"package"`

	// Version of the policy
	Version string `json:"version,omitempty"`

	// When the policy was created
	CreatedAt *time.Time `json:"createdAt,omitempty"`

	// When the policy was last updated
	UpdatedAt *time.Time `json:"updatedAt,omitempty"`
}

OPAPolicy represents a single OPA policy

type OPAPolicyEngine

// OPAPolicyEngine implements the PolicyEngine interface using Open Policy Agent.
// Instances are obtained from NewOPAPolicyEngine; its fields are unexported.
type OPAPolicyEngine struct {
	// contains filtered or unexported fields
}

OPAPolicyEngine implements PolicyEngine interface using Open Policy Agent

func (*OPAPolicyEngine) EvaluatePolicy

func (o *OPAPolicyEngine) EvaluatePolicy(ctx context.Context, policy *SecurityPolicy, resource interface{}) (bool, error)

EvaluatePolicy evaluates a policy against a resource

func (*OPAPolicyEngine) GetViolations

func (o *OPAPolicyEngine) GetViolations(ctx context.Context) ([]PolicyViolation, error)

GetViolations returns current policy violations

func (*OPAPolicyEngine) LoadPolicies

func (o *OPAPolicyEngine) LoadPolicies(ctx context.Context, policies []*SecurityPolicy) error

LoadPolicies loads security policies into the engine

type OPAReportingConfig

// OPAReportingConfig represents reporting configuration for decision logs.
type OPAReportingConfig struct {
	// Minimum delay between reports
	MinDelaySeconds int `json:"minDelaySeconds,omitempty"`

	// Maximum delay between reports
	MaxDelaySeconds int `json:"maxDelaySeconds,omitempty"`

	// Upload size limit
	UploadSizeLimitBytes int64 `json:"uploadSizeLimitBytes,omitempty"`
}

OPAReportingConfig represents reporting configuration

type OPAServerConfig

// OPAServerConfig represents OPA server configuration.
type OPAServerConfig struct {
	// Encoding for server responses
	Encoding *OPAServerEncoding `json:"encoding,omitempty"`
}

OPAServerConfig represents OPA server configuration

type OPAServerEncoding

// OPAServerEncoding represents server encoding configuration.
type OPAServerEncoding struct {
	// GZIP compression
	GZIP *OPAGZIPConfig `json:"gzip,omitempty"`
}

OPAServerEncoding represents server encoding configuration

type OPAStatusConfig

// OPAStatusConfig represents status reporting configuration.
type OPAStatusConfig struct {
	// Service name for status reporting
	Service string `json:"service,omitempty"`

	// Trigger mode (free-form string; no enumeration is declared here)
	Trigger string `json:"trigger,omitempty"`
}

OPAStatusConfig represents status reporting configuration

type ORANComplianceReport

// ORANComplianceReport is the aggregate report returned by
// ORANSecurityComplianceEngine.GetORANComplianceReport.
type ORANComplianceReport struct {
	GeneratedAt     time.Time              `json:"generated_at"`
	OverallStatus   ComplianceStatus       `json:"overall_status"`
	ComplianceScore float64                `json:"compliance_score"`
	// NodeResults holds one ORANComplianceResult per validated node.
	NodeResults     []ORANComplianceResult `json:"node_results"`
	TotalViolations int                    `json:"total_violations"`
	// Summary is kept as raw JSON and is not validated by this type.
	Summary         json.RawMessage        `json:"summary"`
}

type ORANComplianceResult

// ORANComplianceResult represents the result of compliance validation for one
// node (renamed to avoid conflict with container_scanner.ComplianceResult).
type ORANComplianceResult struct {
	CheckID          string                `json:"check_id"`
	PolicyID         string                `json:"policy_id"`
	RequirementID    string                `json:"requirement_id"`
	NodeID           string                `json:"node_id"`
	ComplianceStatus ComplianceStatus      `json:"compliance_status"`
	ComplianceScore  float64               `json:"compliance_score"`
	Violations       []ComplianceViolation `json:"violations"`
	Recommendations  []string              `json:"recommendations"`
	// CheckTimestamp is when the check ran; ValidUntil bounds how long the
	// result may be relied upon. Consumers should re-validate after ValidUntil
	// rather than cache the result indefinitely.
	CheckTimestamp   time.Time             `json:"check_timestamp"`
	ValidUntil       time.Time             `json:"valid_until"`
	// Evidence is raw JSON supporting the verdict; not validated by this type.
	Evidence         json.RawMessage       `json:"evidence"`
}

ORANComplianceResult represents the result of compliance validation (renamed to avoid conflict with container_scanner.ComplianceResult)

type ORANPolicyEngine

// ORANPolicyEngine has only unexported fields; construct it with
// NewORANPolicyEngine(config, logger).
type ORANPolicyEngine struct {
	// contains filtered or unexported fields
}

func NewORANPolicyEngine

func NewORANPolicyEngine(config *ComplianceConfig, logger logr.Logger) *ORANPolicyEngine

type ORANSecurityComplianceEngine

// ORANSecurityComplianceEngine implements O-RAN WG11 security specifications
// (O-RAN.WG11.O1-Interface.0-v05.00, O-RAN.WG11.Security-v05.00). Construct it
// with NewORANSecurityComplianceEngine and drive it with Start/Stop; its
// fields are unexported.
type ORANSecurityComplianceEngine struct {
	// contains filtered or unexported fields
}

ORANSecurityComplianceEngine implements O-RAN WG11 security specifications following O-RAN.WG11.O1-Interface.0-v05.00, O-RAN.WG11.Security-v05.00

func NewORANSecurityComplianceEngine

func NewORANSecurityComplianceEngine(config *ComplianceConfig, logger logr.Logger) *ORANSecurityComplianceEngine

NewORANSecurityComplianceEngine creates a new O-RAN WG11 compliance engine

func (*ORANSecurityComplianceEngine) AuthorizeAccess

func (o *ORANSecurityComplianceEngine) AuthorizeAccess(subject, resource, action string) (bool, string, error)

AuthorizeAccess performs authorization validation

func (*ORANSecurityComplianceEngine) DetectThreats

func (o *ORANSecurityComplianceEngine) DetectThreats(nodeID string, context map[string]interface{}) ([]ThreatDetectionResult, error)

DetectThreats performs real-time threat detection

func (*ORANSecurityComplianceEngine) EnforceZeroTrustPolicy

func (o *ORANSecurityComplianceEngine) EnforceZeroTrustPolicy(request interface{}) (bool, string, error)

EnforceZeroTrustPolicy enforces zero-trust security policies

func (*ORANSecurityComplianceEngine) GetORANComplianceReport

func (o *ORANSecurityComplianceEngine) GetORANComplianceReport() (*ORANComplianceReport, error)

GetORANComplianceReport generates a comprehensive compliance report

func (*ORANSecurityComplianceEngine) Start

Start initiates the O-RAN security compliance engine

func (*ORANSecurityComplianceEngine) Stop

Stop gracefully stops the compliance engine

func (*ORANSecurityComplianceEngine) ValidateAuthentication

func (o *ORANSecurityComplianceEngine) ValidateAuthentication(credentials interface{}) (bool, map[string]interface{}, error)

ValidateAuthentication validates authentication according to O-RAN WG11

func (*ORANSecurityComplianceEngine) ValidateCompliance

func (o *ORANSecurityComplianceEngine) ValidateCompliance(nodeID string) (*ORANComplianceResult, error)

ValidateCompliance performs comprehensive compliance validation

type ORANSecurityPolicy

// ORANSecurityPolicy defines O-RAN security policy requirements (renamed to
// avoid conflict with container_scanner.SecurityPolicy).
type ORANSecurityPolicy struct {
	PolicyID        string                `json:"policy_id"`
	PolicyName      string                `json:"policy_name"`
	PolicyVersion   string                `json:"policy_version"`
	// ApplicableNodes lists the node IDs this policy applies to.
	// NOTE(review): whether an empty list means "all nodes" or "no nodes" is not visible here.
	ApplicableNodes []string              `json:"applicable_nodes"`
	SecurityLevel   SecurityLevel         `json:"security_level"`
	Requirements    []SecurityRequirement `json:"requirements"`
	ComplianceRules []ComplianceRule      `json:"compliance_rules"`
	CreatedAt       time.Time             `json:"created_at"`
	UpdatedAt       time.Time             `json:"updated_at"`
}

ORANSecurityPolicy defines O-RAN security policy requirements (renamed to avoid conflict with container_scanner.SecurityPolicy)

type ORANTLSCompliance

// ORANTLSCompliance implements O-RAN WG11 security specifications for TLS.
// Build one with NewORANCompliantTLS(interfaceType, profile), check it with
// ValidateCompliance, and turn it into a *tls.Config with BuildTLSConfig.
type ORANTLSCompliance struct {
	// O-RAN specific configurations
	InterfaceType   string // A1, E1, E2, O1, O2
	SecurityProfile string // baseline, enhanced, strict
	ComplianceLevel string // L1, L2, L3

	// Core TLS settings enforcing O-RAN requirements
	// (MinTLSVersion/MaxTLSVersion are tls.VersionTLS* values).
	MinTLSVersion    uint16
	MaxTLSVersion    uint16
	CipherSuites     []uint16
	CurvePreferences []tls.CurveID

	// Certificate requirements
	RequireEKU        bool
	RequiredEKUs      []x509.ExtKeyUsage
	RequireStrongKeys bool
	MinRSAKeySize     int
	MinECDSAKeySize   int

	// OCSP requirements (mandatory for O-RAN)
	// OCSPSoftFail controls what happens when an OCSP response cannot be
	// obtained; a soft-fail setting accepts the connection without a fresh
	// revocation verdict, so it weakens revocation checking. NOTE(review): the
	// exact semantics are decided by BuildTLSConfig, which is not visible here.
	OCSPStaplingRequired bool
	OCSPMustStaple       bool
	OCSPSoftFail         bool
	OCSPResponseMaxAge   time.Duration

	// Session management
	SessionTicketsDisabled bool
	SessionCacheSize       int
	SessionTimeout         time.Duration
	RenegotiationPolicy    tls.RenegotiationSupport

	// Rate limiting for DoS protection.
	// NOTE(review): PerIPRateLimit is a plain map keyed by client IP; it must be
	// guarded by a mutex and bounded in size if it is touched from connection
	// handlers — the unexported fields are not visible here, so confirm both.
	HandshakeRateLimit  *rate.Limiter
	ConnectionRateLimit *rate.Limiter
	PerIPRateLimit      map[string]*rate.Limiter

	// Audit and monitoring
	AuditLogger      TLSAuditLogger
	MetricsCollector *TLSMetricsCollector

	// Validation callbacks.
	// CertificateVerifier has the same signature as tls.Config.VerifyPeerCertificate;
	// PostHandshakeHook has the same signature as tls.Config.VerifyConnection.
	// A nil callback is presumably skipped — confirm in BuildTLSConfig.
	PreHandshakeHook    func(*tls.ClientHelloInfo) error
	PostHandshakeHook   func(tls.ConnectionState) error
	CertificateVerifier func([][]byte, [][]*x509.Certificate) error
	// contains filtered or unexported fields
}

ORANTLSCompliance implements O-RAN WG11 security specifications for TLS

func NewORANCompliantTLS

func NewORANCompliantTLS(interfaceType, profile string) (*ORANTLSCompliance, error)

NewORANCompliantTLS creates a new O-RAN WG11 compliant TLS configuration

func (*ORANTLSCompliance) BuildTLSConfig

func (c *ORANTLSCompliance) BuildTLSConfig() (*tls.Config, error)

BuildTLSConfig creates a tls.Config from O-RAN compliance settings

func (*ORANTLSCompliance) ValidateCompliance

func (c *ORANTLSCompliance) ValidateCompliance() error

ValidateCompliance checks if current configuration meets O-RAN requirements

type ORANThreatDetector

// ORANThreatDetector has only unexported fields. Construct it with
// NewORANThreatDetector(config, logger); Start/Stop control its lifecycle and
// DetectThreats/PerformThreatScan run detection.
type ORANThreatDetector struct {
	// contains filtered or unexported fields
}

func NewORANThreatDetector

func NewORANThreatDetector(config *ComplianceConfig, logger logr.Logger) *ORANThreatDetector

func (*ORANThreatDetector) DetectThreats

func (t *ORANThreatDetector) DetectThreats(nodeID string, context map[string]interface{}) ([]ThreatDetectionResult, error)

func (*ORANThreatDetector) PerformThreatScan

func (t *ORANThreatDetector) PerformThreatScan()

func (*ORANThreatDetector) Start

func (t *ORANThreatDetector) Start() error

func (*ORANThreatDetector) Stop

func (t *ORANThreatDetector) Stop()

type OperatorRole

// OperatorRole names a role managed by RBACManager (CreateRole, BindRoleToServiceAccount).
type OperatorRole string

// Known operator roles. The string values are used as role names.
const (
	RoleNetworkOperator OperatorRole = "network-operator"

	RoleNetworkViewer OperatorRole = "network-viewer"

	RoleSecurityAuditor OperatorRole = "security-auditor"

	// RoleClusterAdmin has the same string value as the built-in Kubernetes
	// "cluster-admin" ClusterRole. NOTE(review): if RBACManager creates a
	// ClusterRole with this name it would collide with the built-in one — confirm
	// how CreateRole maps this value.
	RoleClusterAdmin OperatorRole = "cluster-admin"

	RoleServiceOperator OperatorRole = "service-operator"
)

type PathValidator

// PathValidator prevents path traversal; obtain one with NewPathValidator and
// call ValidateAndSanitizePath on untrusted input before using it as a path.
// Its fields are unexported.
type PathValidator struct {
	// contains filtered or unexported fields
}

PathValidator prevents path traversal attacks

func NewPathValidator

func NewPathValidator() *PathValidator

NewPathValidator creates a path validator with secure defaults

func (*PathValidator) ValidateAndSanitizePath

func (p *PathValidator) ValidateAndSanitizePath(inputPath string) (string, error)

ValidateAndSanitizePath validates and sanitizes file paths to prevent traversal

type PlaybookAction

// PlaybookAction is one step of a ResponsePlaybook.
type PlaybookAction struct {
	ID string `json:"id"`

	// Type selects the action implementation; no enumeration is declared here.
	Type string `json:"type"`

	Description string `json:"description"`

	// Parameters is raw JSON interpreted by the action implementation.
	Parameters json.RawMessage `json:"parameters"`

	// Timeout is encoded as an integer number of nanoseconds (time.Duration's
	// JSON form), not as a duration string.
	Timeout time.Duration `json:"timeout"`

	RetryCount int `json:"retry_count"`

	OnFailure string `json:"on_failure"` // continue, abort, escalate
}

type PlaybookTrigger

// PlaybookTrigger describes when a ResponsePlaybook fires.
type PlaybookTrigger struct {
	Type string `json:"type"`

	// Conditions is raw JSON interpreted by the trigger implementation.
	Conditions json.RawMessage `json:"conditions"`
}

type PolicyDecision

// PolicyDecision represents the authorization decision; its zero value is PolicyDeny.
type PolicyDecision int

PolicyDecision represents the authorization decision

// PolicyDeny is deliberately the zero value (iota == 0), so an uninitialised
// decision fails closed.
const (
	PolicyDeny PolicyDecision = iota
	PolicyAllow
	PolicyConditionalAllow
)

type PolicyEngine

// PolicyEngine defines the interface for policy engines; OPAPolicyEngine is
// the implementation in this package.
type PolicyEngine interface {
	// EvaluatePolicy reports whether resource satisfies policy.
	EvaluatePolicy(ctx context.Context, policy *SecurityPolicy, resource interface{}) (bool, error)
	// LoadPolicies loads the given policies into the engine.
	LoadPolicies(ctx context.Context, policies []*SecurityPolicy) error
	// GetViolations returns the current policy violations.
	GetViolations(ctx context.Context) ([]PolicyViolation, error)
}

PolicyEngine defines the interface for policy engines

func NewOPAPolicyEngine

func NewOPAPolicyEngine(logger *slog.Logger) (PolicyEngine, error)

NewOPAPolicyEngine creates a new OPA-based policy engine

type PolicyMetadata

// PolicyMetadata contains policy metadata.
type PolicyMetadata struct {
	Owner       string            `json:"owner"`
	Description string            `json:"description"`
	Tags        []string          `json:"tags,omitempty"`
	Properties  map[string]string `json:"properties,omitempty"`
}

PolicyMetadata contains policy metadata

type PolicyRule

// PolicyRule represents a policy rule.
type PolicyRule struct {
	ID         string          `json:"id"`
	// Condition is a string expression; the language it is written in and
	// where it is evaluated are not visible here.
	Condition  string          `json:"condition"`
	Action     string          `json:"action"`
	Parameters json.RawMessage `json:"parameters"`
	// Enabled is false for the zero value, so a rule omitted from JSON is disabled.
	Enabled    bool            `json:"enabled"`
}

PolicyRule represents a policy rule

type PolicyType

// PolicyType classifies the NetworkPolicies created by NetworkPolicyManager.
type PolicyType string

// Known policy types.
const (
	PolicyTypeDenyAll PolicyType = "deny-all"

	PolicyTypeAllowIngress PolicyType = "allow-ingress"

	PolicyTypeAllowEgress PolicyType = "allow-egress"

	PolicyTypeComponentSpecific PolicyType = "component-specific"

	PolicyTypeORANInterface PolicyType = "oran-interface"
)

type PolicyViolation

// PolicyViolation represents a policy violation reported by a PolicyEngine.
type PolicyViolation struct {
	ID          string          `json:"id"`
	PolicyID    string          `json:"policy_id"`
	Resource    string          `json:"resource"`
	Namespace   string          `json:"namespace"`
	// Severity is a free-form string; no enumeration is declared here.
	Severity    string          `json:"severity"`
	Description string          `json:"description"`
	Timestamp   time.Time       `json:"timestamp"`
	Resolved    bool            `json:"resolved"`
	Action      string          `json:"action"`
	Metadata    json.RawMessage `json:"metadata"`
}

PolicyViolation represents a policy violation

type PortInfo

// PortInfo describes one port observed on a scan target (see ScanResults.OpenPorts).
type PortInfo struct {
	Port int `json:"port"`

	Protocol string `json:"protocol"`

	Service string `json:"service"`

	// Banner is service output captured during the scan; it is attacker-controlled
	// text from the remote host, so sanitize it before rendering or logging.
	Banner string `json:"banner,omitempty"`

	State string `json:"state"`
}

type PortRange

// PortRange is an inclusive-looking port interval.
// NOTE(review): whether End is inclusive, and that Start <= End, are not
// enforced by the type — validate on input.
type PortRange struct {
	Start int `json:"start"`

	End int `json:"end"`
}

type Product

// Product identifies a vendor product and the versions an advisory applies to.
type Product struct {
	Vendor string `json:"vendor"`

	Product string `json:"product"`

	// Versions is interpreted according to VersionType.
	Versions []string `json:"versions"`

	// VersionType "regex" means Versions entries are compiled as patterns;
	// treat them as untrusted input when they come from external feeds.
	VersionType string `json:"version_type"` // exact, range, regex
}

type QuarantineInfo

// QuarantineInfo represents quarantine information for one IP address.
type QuarantineInfo struct {
	IP             string    `json:"ip"`
	QuarantinedAt  time.Time `json:"quarantined_at"`
	// ExpiresAt is when the quarantine lapses; a zero value presumably means no expiry — confirm.
	ExpiresAt      time.Time `json:"expires_at"`
	Reason         string    `json:"reason"`
	ThreatScore    int       `json:"threat_score"`
	// AutoQuarantine is true when the entry was created automatically rather than by an operator.
	AutoQuarantine bool      `json:"auto_quarantine"`
}

QuarantineInfo represents quarantine information

type RBACAuditReport

// RBACAuditReport is returned by RBACManager.AuditRBACCompliance.
type RBACAuditReport struct {
	// Timestamp is when the audit ran.
	Timestamp metav1.Time

	// Namespace is the audited namespace.
	Namespace string

	// Compliant is the overall verdict.
	Compliant bool

	// Issues are blocking problems; Warnings are non-blocking.
	Issues []string

	Warnings []string

	// ServiceAccountCount is the number of service accounts examined.
	ServiceAccountCount int
}

type RBACConfig

// RBACConfig holds RBAC configuration.
type RBACConfig struct {
	Enabled       bool     `json:"enabled"`
	PolicyPath    string   `json:"policy_path,omitempty"`
	// DefaultPolicy applies when no rule matches. Because the field is omitted
	// from JSON when empty, the behaviour for an unset value is decided by the
	// evaluator and is not visible here — it should fail closed (DENY); confirm.
	DefaultPolicy string   `json:"default_policy,omitempty"` // ALLOW, DENY
	DefaultRole   string   `json:"default_role,omitempty"`
	// AdminUsers and AdminRoles presumably bypass normal rules; keep them minimal.
	AdminUsers    []string `json:"admin_users,omitempty"`
	AdminRoles    []string `json:"admin_roles,omitempty"`
}

RBACConfig holds RBAC configuration

type RBACManager

// RBACManager creates roles, service accounts and bindings for one namespace
// and audits them. Construct it with NewRBACManager(client, clientset, namespace);
// its fields are unexported.
type RBACManager struct {
	// contains filtered or unexported fields
}

func NewRBACManager

func NewRBACManager(client client.Client, clientset *kubernetes.Clientset, namespace string) *RBACManager

func (*RBACManager) AuditRBACCompliance

func (m *RBACManager) AuditRBACCompliance(ctx context.Context) (*RBACAuditReport, error)

func (*RBACManager) BindRoleToServiceAccount

func (m *RBACManager) BindRoleToServiceAccount(ctx context.Context, saName string, role OperatorRole) error

func (*RBACManager) CreateRole

func (m *RBACManager) CreateRole(ctx context.Context, role OperatorRole) error

func (*RBACManager) CreateServiceAccount

func (m *RBACManager) CreateServiceAccount(ctx context.Context, name string, role OperatorRole) error

func (*RBACManager) EnforceMinimalPermissions

func (m *RBACManager) EnforceMinimalPermissions(ctx context.Context) error

func (*RBACManager) GetRoleDefinitions

func (m *RBACManager) GetRoleDefinitions() map[OperatorRole]RoleDefinition

func (*RBACManager) GetServiceAccountToken

func (m *RBACManager) GetServiceAccountToken(ctx context.Context, saName string) (string, error)

func (*RBACManager) ValidatePermissions

func (m *RBACManager) ValidatePermissions(ctx context.Context, rules []rbacv1.PolicyRule) error

func (*RBACManager) ValidateServiceAccountPermissions

func (m *RBACManager) ValidateServiceAccountPermissions(ctx context.Context, saName string, expectedRole OperatorRole) error

type RBACPolicy

// RBACPolicy represents an RBAC security policy.
type RBACPolicy struct {
	ID          string          `json:"id"`
	Name        string          `json:"name"`
	Description string          `json:"description"`
	Namespace   string          `json:"namespace"`
	Rules       []RBACRule      `json:"rules"`
	// Enforcement selects the mode; only "enforce" blocks, "warn" and "audit" report.
	Enforcement string          `json:"enforcement"` // enforce, warn, audit
	// Exceptions are subjects or resources exempted from Rules.
	// NOTE(review): which of the two they name is not visible here — confirm.
	Exceptions  []string        `json:"exceptions"`
	CreatedAt   time.Time       `json:"created_at"`
	UpdatedAt   time.Time       `json:"updated_at"`
	Metadata    json.RawMessage `json:"metadata"`
}

RBACPolicy represents an RBAC security policy

type RBACRule

// RBACRule represents an RBAC rule. Subjects, Resources, Verbs and APIGroups
// mirror the vocabulary of Kubernetes RBAC; AllowedScopes and Conditions are
// package-specific refinements.
type RBACRule struct {
	Subjects      []string `json:"subjects"`
	Resources     []string `json:"resources"`
	Verbs         []string `json:"verbs"`
	APIGroups     []string `json:"api_groups"`
	AllowedScopes []string `json:"allowed_scopes"`
	// Conditions are string expressions; their language is not visible here.
	Conditions    []string `json:"conditions"`
}

RBACRule represents an RBAC rule

type RateLimitConfig

// RateLimitConfig holds rate limiting configuration.
//
// NOTE(review): RequestsPerMin/RequestsPerMinute and BurstSize/BurstLimit are
// duplicate settings with different JSON keys. Which one wins when both are
// set is not visible here; the consumer should define the precedence and
// ideally reject configs that set both to different values.
type RateLimitConfig struct {
	Enabled           bool          `json:"enabled"`
	RequestsPerMin    int           `json:"requests_per_min,omitempty"`
	RequestsPerMinute int           `json:"requests_per_minute,omitempty"` // Alternative naming
	BurstSize         int           `json:"burst_size,omitempty"`
	BurstLimit        int           `json:"burst_limit,omitempty"` // Alternative naming
	// KeyFunc chooses the identity a limit is tracked by. "ip" is only as
	// trustworthy as the proxy chain that sets the client address.
	KeyFunc           string        `json:"key_func,omitempty"`    // ip, user, token
	RateLimitWindow   time.Duration `json:"rate_limit_window,omitempty"`
	RateLimitByIP     bool          `json:"rate_limit_by_ip"`
	RateLimitByAPIKey bool          `json:"rate_limit_by_api_key"`
	// CleanupInterval bounds how long idle per-key state is retained.
	CleanupInterval   time.Duration `json:"cleanup_interval,omitempty"`
}

RateLimitConfig holds rate limiting configuration

type RateLimiter

// RateLimiter limits requests to limit per window (see NewRateLimiter) and is
// applied as HTTP middleware via Middleware. Its fields are unexported.
type RateLimiter struct {
	// contains filtered or unexported fields
}

func NewRateLimiter

func NewRateLimiter(limit int, window time.Duration) *RateLimiter

func (*RateLimiter) Middleware

func (rl *RateLimiter) Middleware(next http.Handler) http.Handler

type Remediation

// Remediation describes how to fix a vulnerability.
type Remediation struct {
	Type string `json:"type"` // update, patch, config, workaround

	Description string `json:"description"`

	// Steps are human-readable instructions.
	Steps []string `json:"steps"`

	// Automated reports whether the remediation can be applied without an operator.
	Automated bool `json:"automated"`

	Priority string `json:"priority"`

	// ETA is encoded as nanoseconds (time.Duration's JSON form).
	ETA time.Duration `json:"eta"`
}

type RemediationAction

// RemediationAction is a pluggable fix registered with RemediationEngine.RegisterAction.
type RemediationAction interface {
	// CanRemediate reports whether this action applies to vuln.
	CanRemediate(vuln *CVERecord) bool

	// Remediate applies the fix for vuln.
	Remediate(ctx context.Context, vuln *CVERecord) error

	// GetDescription returns a human-readable description of the action.
	GetDescription() string

	// GetRiskLevel returns the risk of applying the action (free-form string).
	GetRiskLevel() string
}

type RemediationEngine

// RemediationEngine holds registered RemediationActions by name; see
// NewRemediationEngine, RegisterAction and GetAvailableActions. Its fields are unexported.
type RemediationEngine struct {
	// contains filtered or unexported fields
}

func NewRemediationEngine

func NewRemediationEngine(config *VulnManagerConfig) *RemediationEngine

func (*RemediationEngine) GetAvailableActions

func (re *RemediationEngine) GetAvailableActions() []string

func (*RemediationEngine) RegisterAction

func (re *RemediationEngine) RegisterAction(name string, action RemediationAction)

type RemediationPlan

// RemediationPlan groups remediation actions by horizon and tracks ownership.
type RemediationPlan struct {
	ShortTermActions []string `json:"short_term_actions"`

	LongTermActions []string `json:"long_term_actions"`

	PreventiveActions []string `json:"preventive_actions"`

	// Timeline is encoded as nanoseconds (time.Duration's JSON form).
	Timeline time.Duration `json:"timeline"`

	AssignedTo string `json:"assigned_to"`

	Status string `json:"status"`
}

type RemediationResult

// RemediationResult represents a security remediation result.
type RemediationResult struct {
	Issue       string    `json:"issue"`
	Remediation string    `json:"remediation"`
	// Status is a free-form string; no enumeration is declared here.
	Status      string    `json:"status"`
	Timestamp   time.Time `json:"timestamp"`
}

RemediationResult represents a security remediation result

type RemediationSuggestion

// RemediationSuggestion is a Remediation tied to a specific vulnerability,
// with an added RiskLevel for applying it.
type RemediationSuggestion struct {
	VulnID string `json:"vuln_id"`

	Type string `json:"type"`

	Description string `json:"description"`

	Steps []string `json:"steps"`

	Automated bool `json:"automated"`

	Priority string `json:"priority"`

	// ETA is encoded as nanoseconds (time.Duration's JSON form).
	ETA time.Duration `json:"eta"`

	RiskLevel string `json:"risk_level"`
}

type ReplayWindow

// ReplayWindow is an anti-replay sliding window over sequence numbers.
// NewReplayWindow(size) sets the window width; Check(seqNum) reports whether
// seqNum is acceptable. NOTE(review): whether Check also records seqNum, and
// whether it is safe for concurrent use, are not visible here — confirm before
// sharing one window across goroutines. Its fields are unexported.
type ReplayWindow struct {
	// contains filtered or unexported fields
}

func NewReplayWindow

func NewReplayWindow(size uint32) *ReplayWindow

func (*ReplayWindow) Check

func (rw *ReplayWindow) Check(seqNum uint64) bool

type RequestCounter

// RequestCounter tracks request counts for attack detection; its fields are unexported.
type RequestCounter struct {
	// contains filtered or unexported fields
}

RequestCounter tracks request counts for attack detection

type ResponseAction

// ResponseAction records the execution of one incident-response action.
type ResponseAction struct {
	ID string `json:"id"`

	Type string `json:"type"`

	Description string `json:"description"`

	// Status is a free-form string; no enumeration is declared here.
	Status string `json:"status"`

	// ExecutedAt and CompletedAt are nil until the respective event happens.
	ExecutedAt *time.Time `json:"executed_at,omitempty"`

	CompletedAt *time.Time `json:"completed_at,omitempty"`

	Result string `json:"result"`

	// Parameters is raw JSON interpreted by the action implementation.
	Parameters json.RawMessage `json:"parameters"`

	// Automated is true when the action ran without operator approval.
	Automated bool `json:"automated"`
}

type ResponsePlaybook

// ResponsePlaybook is an ordered set of PlaybookActions run when one of its
// PlaybookTriggers fires.
type ResponsePlaybook struct {
	ID string `json:"id"`

	Name string `json:"name"`

	Description string `json:"description"`

	Triggers []*PlaybookTrigger `json:"triggers"`

	Actions []*PlaybookAction `json:"actions"`

	// Enabled is false for the zero value, so a playbook omitted from JSON is disabled.
	Enabled bool `json:"enabled"`

	// Priority orders playbooks; whether higher or lower runs first is not visible here.
	Priority int `json:"priority"`

	LastExecuted *time.Time `json:"last_executed,omitempty"`
}

type ResponseValidator

// ResponseValidator checks decoded JSON responses (ValidateJSONStructure);
// construct it with NewResponseValidator. Its fields are unexported.
type ResponseValidator struct {
	// contains filtered or unexported fields
}

func NewResponseValidator

func NewResponseValidator() *ResponseValidator

func (*ResponseValidator) ValidateJSONStructure

func (rv *ResponseValidator) ValidateJSONStructure(data map[string]interface{}) error

type RevokedCert

// RevokedCert is one revocation entry.
type RevokedCert struct {
	// SerialNumber is the certificate serial as in x509.Certificate.SerialNumber.
	SerialNumber *big.Int

	RevokedAt time.Time

	// Reason is the revocation reason code; the value set is not declared here.
	Reason int
}

type RoleDefinition

// RoleDefinition is the Kubernetes role body behind an OperatorRole
// (see RBACManager.GetRoleDefinitions).
type RoleDefinition struct {
	Name string

	// Rules are the permissions granted; review them against least privilege.
	Rules []rbacv1.PolicyRule

	// ClusterRole selects a cluster-scoped ClusterRole instead of a namespaced Role.
	ClusterRole bool

	Labels map[string]string
}

type RotationConfig

// RotationConfig configures rotation for one named certificate.
type RotationConfig struct {
	Name string

	// CheckInterval is how often expiry is checked.
	CheckInterval time.Duration

	// RenewBefore is how long before expiry renewal is attempted.
	RenewBefore time.Duration

	// RenewCallback receives the newly issued certificate; returning an error
	// presumably fails the rotation — confirm in the scheduler.
	RenewCallback func(name string, cert *tls.Certificate) error

	// ErrorCallback is invoked on rotation failures.
	ErrorCallback func(name string, err error)
}

type RotationEvent

// RotationEvent represents a rotation event passed to RotationNotifier.SendNotification.
type RotationEvent struct {
	Type      string
	Timestamp time.Time
	// Details is free-form; avoid placing key material or secrets here since
	// events are forwarded to notification channels.
	Details   map[string]interface{}
}

RotationEvent represents a rotation event

type RotationMetrics

// RotationMetrics tracks rotation statistics.
// NOTE(review): the counters are plain int64 fields and the struct has
// unexported fields that are not visible here; confirm updates are
// synchronised if they happen from more than one goroutine.
type RotationMetrics struct {
	TotalRotations      int64         `json:"total_rotations"`
	SuccessfulRotations int64         `json:"successful_rotations"`
	FailedRotations     int64         `json:"failed_rotations"`
	EmergencyRotations  int64         `json:"emergency_rotations"`
	AverageRotationTime time.Duration `json:"average_rotation_time"`
	LastRotationTime    time.Time     `json:"last_rotation_time"`

	// Per-certificate metrics
	CertificateMetrics map[string]*CertificateMetrics `json:"certificate_metrics"`
	// contains filtered or unexported fields
}

RotationMetrics tracks rotation statistics

type RotationNotifier

// RotationNotifier handles rotation notifications; construct it with
// NewRotationNotifier(config, logger). Its fields are unexported.
type RotationNotifier struct {
	// contains filtered or unexported fields
}

RotationNotifier handles rotation notifications

func NewRotationNotifier

func NewRotationNotifier(config *CertRotationConfig, logger *zap.Logger) *RotationNotifier

NewRotationNotifier creates a new rotation notifier

func (*RotationNotifier) SendNotification

func (n *RotationNotifier) SendNotification(event RotationEvent) error

SendNotification sends a rotation notification

func (*RotationNotifier) SendRotationFailureNotification

func (n *RotationNotifier) SendRotationFailureNotification(name string, err error) error

SendRotationFailureNotification sends a failure notification

func (*RotationNotifier) SendRotationSuccessNotification

func (n *RotationNotifier) SendRotationSuccessNotification(name string) error

SendRotationSuccessNotification sends a success notification

type RotationScheduler

// RotationScheduler manages certificate rotation scheduling for a
// CertRotationManager (see NewRotationScheduler); Start/Stop control its
// lifecycle. Its fields are unexported.
type RotationScheduler struct {
	// contains filtered or unexported fields
}

RotationScheduler manages certificate rotation scheduling

func NewRotationScheduler

func NewRotationScheduler(manager *CertRotationManager, logger *zap.Logger) *RotationScheduler

NewRotationScheduler creates a new rotation scheduler

func (*RotationScheduler) Start

func (rs *RotationScheduler) Start(ctx context.Context) error

Start starts the rotation scheduler

func (*RotationScheduler) Stop

func (rs *RotationScheduler) Stop() error

Stop stops the rotation scheduler

type SIEMConfig

// SIEMConfig configures forwarding to a SIEM.
//
// APIKey is serialized under "api_key" without redaction, so marshaling this
// struct (logs, debug endpoints) emits the credential; keep it out of logs.
type SIEMConfig struct {
	Type string `json:"type"` // splunk, elk, sentinel

	Endpoint string `json:"endpoint"`

	// APIKey is a credential — see the type comment.
	APIKey string `json:"api_key"`

	Index string `json:"index"`
}

type SOARConfig

// SOARConfig configures integration with a SOAR platform.
//
// APIKey is serialized under "api_key" without redaction, so marshaling this
// struct (logs, debug endpoints) emits the credential; keep it out of logs.
type SOARConfig struct {
	Platform string `json:"platform"` // phantom, demisto, etc.

	Endpoint string `json:"endpoint"`

	// APIKey is a credential — see the type comment.
	APIKey string `json:"api_key"`
}

type SPIFFEProvider

// SPIFFEProvider issues and rotates SPIFFE SVIDs (GetSVID, RotateSVIDs) after
// Initialize; construct it with NewSPIFFEProvider(config, logger). Its fields
// are unexported.
type SPIFFEProvider struct {
	// contains filtered or unexported fields
}

func NewSPIFFEProvider

func NewSPIFFEProvider(config *ComplianceConfig, logger logr.Logger) *SPIFFEProvider

func (*SPIFFEProvider) GetSVID

func (s *SPIFFEProvider) GetSVID(nodeID string) (string, error)

func (*SPIFFEProvider) Initialize

func (s *SPIFFEProvider) Initialize() error

func (*SPIFFEProvider) RotateSVIDs

func (s *SPIFFEProvider) RotateSVIDs()

type SQLValidator

// SQLValidator prevents SQL injection by building parameterized queries
// (ValidateAndSanitizeSQL) and executing them (ExecuteSafeQuery); construct it
// with NewSQLValidator. Its fields are unexported.
type SQLValidator struct {
	// contains filtered or unexported fields
}

SQLValidator prevents SQL injection attacks

func NewSQLValidator

func NewSQLValidator() *SQLValidator

NewSQLValidator creates a SQL validator with secure defaults

func (*SQLValidator) ExecuteSafeQuery

func (v *SQLValidator) ExecuteSafeQuery(ctx context.Context, db *sql.DB, query string, args ...interface{}) (*sql.Rows, error)

ExecuteSafeQuery executes a query with parameterized inputs

func (*SQLValidator) ValidateAndSanitizeSQL

func (v *SQLValidator) ValidateAndSanitizeSQL(ctx context.Context, table string, columns []string, conditions map[string]interface{}) (string, []interface{}, error)

ValidateAndSanitizeSQL validates SQL input and returns safe parameterized query

type SanitizerConfig

// SanitizerConfig tunes input/output sanitisation. The ContextBoundary and
// SystemPrompt fields suggest it is consumed by a prompt sanitizer for an
// LLM path — confirm against the consumer before relying on that reading.
type SanitizerConfig struct {
	// MaxInputLength caps accepted input size (bytes vs runes not stated here).
	MaxInputLength int `json:"max_input_length"`

	// MaxOutputLength caps produced output size (same unit caveat).
	MaxOutputLength int `json:"max_output_length"`

	// AllowedDomains is an allow-list of domains. Verify how it is matched
	// (exact host vs suffix), since a suffix match lets evil-example.com
	// pass an entry of example.com.
	AllowedDomains []string `json:"allowed_domains"`

	// BlockedKeywords is a deny-list of strings. NOTE(review): keyword
	// blocklists are easily evaded (casing, spacing, encoding, paraphrase);
	// treat this as defence in depth, not as the primary injection control.
	BlockedKeywords []string `json:"blocked_keywords"`

	// ContextBoundary is the delimiter placed between trusted and untrusted
	// prompt sections. If it is a fixed, guessable string, untrusted input
	// can reproduce it and escape its section — see
	// StructuredPrompt.ToDelimitedString.
	ContextBoundary string `json:"context_boundary"`

	// SystemPrompt is the trusted system instruction text. It is serialised
	// with the rest of the config, so config dumps expose it.
	SystemPrompt string `json:"system_prompt"`
}

type ScanRequest

// ScanRequest represents a container scan request. Image is caller-supplied
// and should be validated as an image reference before it is handed to a
// scanner (nothing in this type enforces that).
type ScanRequest struct {
	// ID identifies the request.
	ID        string    `json:"id"`
	// Image is the container image reference to scan.
	Image     string    `json:"image"`
	// Namespace is the Kubernetes namespace associated with the request.
	Namespace string    `json:"namespace"`
	// Priority orders requests (ordering direction not specified here).
	Priority  int       `json:"priority"`
	// Timestamp records when the request was created.
	Timestamp time.Time `json:"timestamp"`
	// Retries counts attempts made so far.
	Retries   int       `json:"retries"`
}

ScanRequest represents a container scan request

type ScanResult

// ScanResult represents the result of a single container scan. Note that
// Secrets carries SecretLeak entries whose Match field may hold the matched
// credential text, so a persisted or exported ScanResult can itself be a
// secret store; redact before sharing.
type ScanResult struct {
	// ID matches the originating ScanRequest.ID (presumably; verify in the
	// scanner).
	ID                string                   `json:"id"`
	// Image is the scanned image reference.
	Image             string                   `json:"image"`
	// Scanner names the backend that produced the result.
	Scanner           string                   `json:"scanner"`
	// ScanTime and Duration record when the scan ran and how long it took.
	ScanTime          time.Time                `json:"scan_time"`
	Duration          time.Duration            `json:"duration"`
	// Status is a free-form status string (accepted values not listed here).
	Status            string                   `json:"status"`
	// SecurityScore is an aggregate score; the scale is not stated for this
	// type (ScanSummary documents 0-100 for its own score).
	SecurityScore     int                      `json:"security_score"`
	Vulnerabilities   []ContainerVulnerability `json:"vulnerabilities"`
	Misconfigurations []Misconfiguration       `json:"misconfigurations"`
	// Secrets lists credentials found in the image; see the type comment.
	Secrets           []SecretLeak             `json:"secrets"`
	Compliance        ComplianceResult         `json:"compliance"`
	// Metadata is scanner-specific raw JSON, passed through undecoded.
	Metadata          json.RawMessage          `json:"metadata"`
}

ScanResult represents the result of a container scan

type ScanResults

// ScanResults is the outcome of a network/endpoint scan of a single target
// (ports, TLS, headers, injection). It is distinct from ScanResult, which is
// the container-image scan type; note the two also use different JSON tag
// conventions (camelCase here, snake_case there), so consumers must not
// assume one schema.
type ScanResults struct {
	// Timestamp is when the scan ran.
	Timestamp time.Time `json:"timestamp"`

	// Target is the scanned host/URL as given to ScanTarget.
	Target string `json:"target"`

	// OpenPorts lists ports found open during the port scan.
	OpenPorts []PortInfo `json:"openPorts"`

	// Vulnerabilities lists findings from the vulnerability scan.
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`

	// TLSFindings lists TLS configuration findings.
	TLSFindings []TLSFinding `json:"tlsFindings"`

	// HeaderFindings lists HTTP security-header findings.
	HeaderFindings []HeaderFinding `json:"headerFindings"`

	// InjectionFindings lists findings from active injection tests. Those
	// tests send attack payloads, so only run them against targets you are
	// authorised to test.
	InjectionFindings []InjectionFinding `json:"injectionFindings"`

	// Summary aggregates the counts and score.
	Summary ScanSummary `json:"summary"`

	// Duration is the total scan wall time.
	Duration time.Duration `json:"duration"`
}

type ScanSummary

// ScanSummary aggregates the counts from a ScanResults into a score and a
// risk level. How SecurityScore and RiskLevel are derived from the counts is
// not visible here.
type ScanSummary struct {
	// TotalPorts is the number of ports probed; OpenPorts the number found open.
	TotalPorts int `json:"totalPorts"`

	OpenPorts int `json:"openPorts"`

	// TotalVulns is the total vulnerability count, broken down by severity
	// in the four fields that follow.
	TotalVulns int `json:"totalVulns"`

	CriticalVulns int `json:"criticalVulns"`

	HighVulns int `json:"highVulns"`

	MediumVulns int `json:"mediumVulns"`

	LowVulns int `json:"lowVulns"`

	// TLSIssues, HeaderIssues and InjectionIssues count findings per scan
	// category.
	TLSIssues int `json:"tlsIssues"`

	HeaderIssues int `json:"headerIssues"`

	InjectionIssues int `json:"injectionIssues"`

	// SecurityScore is 0-100; the trailing comment is the only statement of
	// direction, so confirm whether higher means safer before comparing it
	// with TLSAuditReport.RiskScore, where higher is worse.
	SecurityScore int `json:"securityScore"` // 0-100

	// RiskLevel is one of the string values in the trailing comment.
	RiskLevel string `json:"riskLevel"` // Low, Medium, High, Critical
}

type ScannerConfig

// ScannerConfig extends SecurityScannerConfig with the fields the test
// constructor NewSecurityScannerForTest expects. Several of these fields are
// dangerous outside a test harness; see the per-field notes.
type ScannerConfig struct {
	SecurityScannerConfig

	// Additional fields expected by tests
	// BaseURL is the scan target base URL.
	BaseURL                string        `json:"base_url"`
	// Timeout bounds the overall scan.
	Timeout                time.Duration `json:"timeout"`
	// SkipTLSVerification disables server certificate verification for the
	// scanner's own connections. That defeats the point of a TLS audit and
	// exposes the scanner (and any TestCredentials it sends) to MITM; it
	// must stay false outside tests against self-signed fixtures.
	SkipTLSVerification    bool          `json:"skip_tls_verification"`
	// The Enable* flags switch scan categories on. OWASP, auth and injection
	// testing are active tests that send attack traffic and login attempts;
	// run them only against systems you are authorised to test.
	EnableVulnScanning     bool          `json:"enable_vuln_scanning"`
	EnablePortScanning     bool          `json:"enable_port_scanning"`
	EnableOWASPTesting     bool          `json:"enable_owasp_testing"`
	EnableAuthTesting      bool          `json:"enable_auth_testing"`
	EnableInjectionTesting bool          `json:"enable_injection_testing"`
	// TestCredentials are credentials the scanner will submit during auth
	// testing. They are serialised with the config, so this struct is
	// sensitive whenever the slice is non-empty.
	TestCredentials        []Credential  `json:"test_credentials"`
	// UserAgents are the User-Agent strings the scanner rotates through.
	UserAgents             []string      `json:"user_agents"`
	// Wordlists supplies enumeration/fuzzing inputs.
	Wordlists              *Wordlists    `json:"wordlists"`
}

ScannerConfig extends SecurityScannerConfig with test-specific fields

type ScannerInfo

// ScannerInfo describes a scanner backend and the freshness of its
// vulnerability database. A stale DatabaseVersion/LastUpdated means missed
// CVEs, so consumers should surface these, not just Name/Version.
type ScannerInfo struct {
	// Name and Version identify the scanner binary/service.
	Name            string    `json:"name"`
	Version         string    `json:"version"`
	// DatabaseVersion and LastUpdated describe the vulnerability database.
	DatabaseVersion string    `json:"database_version"`
	LastUpdated     time.Time `json:"last_updated"`
	// Capabilities lists supported scan types (values not enumerated here).
	Capabilities    []string  `json:"capabilities"`
}

ScannerInfo provides information about a scanner

type SecretLeak

// SecretLeak represents an exposed secret or credential found by a scan.
// NOTE(review): Match appears to carry the matched text itself and is
// serialised under `match`, which re-exposes the leaked credential in every
// report, log line and SIEM event derived from this struct. Prefer storing a
// redacted form (prefix + length, or a hash) and keep the raw match out of
// persisted results.
type SecretLeak struct {
	// Type classifies the secret (e.g. key type); values not listed here.
	Type        string `json:"type"`
	// Description is a human-readable explanation of the finding.
	Description string `json:"description"`
	// File and Line locate the finding inside the scanned artefact.
	File        string `json:"file"`
	Line        int    `json:"line"`
	// Severity and Confidence are free-form ratings (scales not stated).
	Severity    string `json:"severity"`
	Confidence  string `json:"confidence"`
	// Match is the text that triggered the finding — see the type comment.
	Match       string `json:"match"`
}

SecretLeak represents exposed secrets or credentials

type SecretManager

type SecretManager struct {
	// contains filtered or unexported fields
}

SecretManager provides secure secret management

func NewSecretManager

func NewSecretManager(namespace string) *SecretManager

NewSecretManager creates a new secret manager

func (*SecretManager) GetSecret

func (sm *SecretManager) GetSecret(ctx context.Context, key string) (string, error)

GetSecret retrieves a secret from Kubernetes Secrets or from environment variables. The lookup order and fallback behaviour are not specified here — confirm which source wins when both define the key, since an environment variable silently overriding a cluster secret (or vice versa) is a common misconfiguration path.

type SecretMetadata

// SecretMetadata is the metadata stored alongside a secret. It describes the
// secret (identity, ownership, lifetime, classification) and never carries the
// secret value itself, so it can be listed and logged more freely than the
// payload — subject to the Sensitive flag below.
//
// NOTE(review): Type and SecretType both classify the secret and neither is
// documented as authoritative; pick one as canonical and document which
// writers populate the other, or consumers will disagree.
type SecretMetadata struct {
	// Core identification
	// Name is the secret's key in the backend.
	Name    string `json:"name"`
	// Type classifies the secret; overlaps with SecretType (see type comment).
	Type    string `json:"type"`
	// Version is incremented on rotation (presumably; confirm in the writer).
	Version int    `json:"version"`

	// Descriptive metadata
	Description string            `json:"description,omitempty"`
	Owner       string            `json:"owner,omitempty"`
	Tags        []string          `json:"tags,omitempty"`
	Labels      map[string]string `json:"labels,omitempty"`
	CreatedBy   string            `json:"created_by,omitempty"`

	// Timestamps
	CreatedAt time.Time  `json:"created_at"`
	UpdatedAt time.Time  `json:"updated_at"`
	// ExpiresAt is nil when the secret does not expire; using a pointer is
	// what makes `omitempty` effective here.
	ExpiresAt *time.Time `json:"expires_at,omitempty"`

	// Classification
	SecretType string `json:"secret_type"` // "tls", "password", "api_key", etc.
	// Sensitive marks metadata that must itself be treated as confidential
	// (e.g. a Description that reveals what the secret unlocks). It does not
	// describe the secret value, which is always sensitive.
	Sensitive  bool   `json:"sensitive"`   // Whether this secret contains sensitive data

	// Extended metadata
	// Metadata is a free-form key/value bag; do not put secret material here.
	Metadata map[string]string `json:"metadata,omitempty"`
}

SecretMetadata represents the metadata stored alongside a secret (identity, ownership, lifetime, classification). It describes the secret but does not carry its value.

type SecretRotationConfig

// SecretRotationConfig describes the rotation schedule for one secret.
type SecretRotationConfig struct {
	// SecretName is the secret to rotate.
	SecretName string `json:"secret_name"`

	// RotationPeriod is the interval between rotations.
	RotationPeriod time.Duration `json:"rotation_period"`

	// BackupCount is the number of previous versions retained after a
	// rotation (presumably; the retention semantics are not visible here).
	// Retained old versions remain valid credentials until revoked — keep
	// this small.
	BackupCount int `json:"backup_count"`

	// NotifyBeforeDays is how many days before the rotation a notification
	// is sent.
	NotifyBeforeDays int `json:"notify_before_days"`
}

type SecretRotationManager

type SecretRotationManager struct {
	// contains filtered or unexported fields
}

func NewSecretRotationManager

func NewSecretRotationManager(secretManager interfaces.SecretManager, k8sClient kubernetes.Interface, namespace string, auditLogger *AuditLogger) *SecretRotationManager

func (*SecretRotationManager) RotateAPIKey

func (srm *SecretRotationManager) RotateAPIKey(ctx context.Context, provider, newAPIKey, userID string) (*interfaces.RotationResult, error)

func (*SecretRotationManager) RotateJWTSecret

func (srm *SecretRotationManager) RotateJWTSecret(ctx context.Context, userID string) (*interfaces.RotationResult, error)

func (*SecretRotationManager) RotateOAuth2ClientSecret

func (srm *SecretRotationManager) RotateOAuth2ClientSecret(ctx context.Context, provider, newClientSecret, userID string) (*interfaces.RotationResult, error)

type SecretValidator

type SecretValidator struct {
	// contains filtered or unexported fields
}

SecretValidator validates that no secrets are hardcoded in the codebase

func NewSecretValidator

func NewSecretValidator() *SecretValidator

NewSecretValidator creates a new secret validator

func (*SecretValidator) ValidateFile

func (sv *SecretValidator) ValidateFile(filepath string) ([]string, error)

ValidateFile checks a file for hardcoded secrets

type SecretsBackend

// SecretsBackend is the storage contract for secret material. Values cross the
// boundary already encrypted (*EncryptedSecret), so a backend is responsible
// for durability, access control and enumeration — not for confidentiality of
// the payload. Implementations in this package: file, HashiCorp Vault,
// Kubernetes Secrets and in-memory.
type SecretsBackend interface {
	// Store stores an encrypted secret under key, replacing any existing
	// value (overwrite vs conflict behaviour is not specified here).
	Store(ctx context.Context, key string, value *EncryptedSecret) error

	// Retrieve retrieves an encrypted secret. The error returned for a
	// missing key is not specified by the interface; callers should not
	// assume a sentinel.
	Retrieve(ctx context.Context, key string) (*EncryptedSecret, error)

	// Delete deletes a secret.
	Delete(ctx context.Context, key string) error

	// List lists all secret keys with optional prefix. Key names alone can
	// be sensitive (they reveal which integrations exist); gate this call
	// the same way as Retrieve.
	List(ctx context.Context, prefix string) ([]string, error)

	// Health checks backend health.
	Health(ctx context.Context) error

	// Backup creates a backup of all secrets. The returned bytes contain
	// every stored (encrypted) secret; treat the blob as highly sensitive
	// and do not log or transmit it unprotected.
	Backup(ctx context.Context) ([]byte, error)

	// Close closes the backend.
	Close() error
}

SecretsBackend interface for secret storage implementations

func NewFileBackend

func NewFileBackend(basePath string, logger *slog.Logger) (SecretsBackend, error)

NewFileBackend creates a new file-based secrets backend

func NewHashiCorpVaultBackend

func NewHashiCorpVaultBackend(address, token, path string, logger *slog.Logger) (SecretsBackend, error)

NewHashiCorpVaultBackend creates a new HashiCorp Vault backend

func NewKubernetesBackend

func NewKubernetesBackend(client interface{}, namespace string, logger *slog.Logger) (SecretsBackend, error)

NewKubernetesBackend creates a new Kubernetes secrets backend

func NewMemoryBackend

func NewMemoryBackend(logger *slog.Logger) SecretsBackend

NewMemoryBackend creates a new in-memory secrets backend

type SecureAllocator

type SecureAllocator struct {
	// contains filtered or unexported fields
}

func NewSecureAllocator

func NewSecureAllocator() *SecureAllocator

func (*SecureAllocator) Allocate

func (sa *SecureAllocator) Allocate(size int) *SecureBuffer

type SecureBuffer

type SecureBuffer struct {
	// contains filtered or unexported fields
}

func (*SecureBuffer) Clear

func (sb *SecureBuffer) Clear()

type SecureCertificateGenerator

type SecureCertificateGenerator struct {
	// contains filtered or unexported fields
}

SecureCertificateGenerator generates enterprise-grade X.509 certificates

func NewSecureCertificateGenerator

func NewSecureCertificateGenerator(config *CryptoConfig, logger *zap.Logger) *SecureCertificateGenerator

NewSecureCertificateGenerator creates a new secure certificate generator

func (*SecureCertificateGenerator) GenerateCAKeyPair

func (g *SecureCertificateGenerator) GenerateCAKeyPair(subject pkix.Name) (*rsa.PrivateKey, *x509.Certificate, error)

GenerateCAKeyPair generates an RSA private key and the corresponding CA certificate for the given subject.

func (*SecureCertificateGenerator) GenerateServerKeyPair

func (g *SecureCertificateGenerator) GenerateServerKeyPair(
	subject pkix.Name,
	dnsNames []string,
	ipAddresses []net.IP,
	caCert *x509.Certificate,
	caKey *rsa.PrivateKey,
) (*rsa.PrivateKey, *x509.Certificate, error)

GenerateServerKeyPair generates an RSA private key and a server certificate for the given subject, DNS names and IP addresses, signed by the supplied CA certificate and key.

type SecureChannel

type SecureChannel struct {
	// contains filtered or unexported fields
}

func NewSecureChannel

func NewSecureChannel(conn net.Conn, config *ChannelConfig) (*SecureChannel, error)

func (*SecureChannel) Close

func (sc *SecureChannel) Close() error

func (*SecureChannel) GetMetrics

func (sc *SecureChannel) GetMetrics() map[string]uint64

func (*SecureChannel) JoinMulticastGroup

func (sc *SecureChannel) JoinMulticastGroup(groupID string, groupKey []byte) error

func (*SecureChannel) Receive

func (sc *SecureChannel) Receive() ([]byte, error)

func (*SecureChannel) Rekey

func (sc *SecureChannel) Rekey() error

func (*SecureChannel) Send

func (sc *SecureChannel) Send(data []byte) error

func (*SecureChannel) SendMulticast

func (sc *SecureChannel) SendMulticast(data []byte, groupID string) error

type SecureGRPCFactory

type SecureGRPCFactory struct {
	// contains filtered or unexported fields
}

SecureGRPCFactory creates secure gRPC clients and servers

func NewSecureGRPCFactory

func NewSecureGRPCFactory(config *CryptoConfig, logger *zap.Logger) *SecureGRPCFactory

NewSecureGRPCFactory creates a new secure gRPC factory

func (*SecureGRPCFactory) CreateSecureClientCredentials

func (f *SecureGRPCFactory) CreateSecureClientCredentials(
	clientCert *tls.Certificate,
	rootCAs *x509.CertPool,
	serverName string,
) (credentials.TransportCredentials, error)

CreateSecureClientCredentials creates secure gRPC client credentials

func (*SecureGRPCFactory) CreateSecureServerCredentials

func (f *SecureGRPCFactory) CreateSecureServerCredentials(
	serverCert tls.Certificate,
	clientCAs *x509.CertPool,
) (credentials.TransportCredentials, error)

CreateSecureServerCredentials creates secure gRPC server credentials

type SecureHTTPClientFactory

type SecureHTTPClientFactory struct {
	// contains filtered or unexported fields
}

SecureHTTPClientFactory creates secure HTTP clients with proper TLS configuration

func NewSecureHTTPClientFactory

func NewSecureHTTPClientFactory(config *CryptoConfig, logger *zap.Logger) *SecureHTTPClientFactory

NewSecureHTTPClientFactory creates a new secure HTTP client factory

func (*SecureHTTPClientFactory) CreateSecureClient

func (f *SecureHTTPClientFactory) CreateSecureClient(
	clientCert *tls.Certificate,
	rootCAs *x509.CertPool,
	timeout time.Duration,
) (*http.Client, error)

CreateSecureClient creates an HTTP client with enterprise-grade TLS security

type SecureMessage

// SecureMessage is the wire frame exchanged over a SecureChannel. MessageType
// takes one of the MessageType* constants (data, handshake, heartbeat, rekey,
// close).
//
// NOTE(review): the authenticity guarantee depends on what MAC covers. For the
// header fields to be trustworthy, MAC must be computed over Version,
// MessageType, SequenceNum, Timestamp, SessionID and Nonce as well as
// Ciphertext (or the AEAD must take them as associated data); confirm this in
// SecureChannel.Send/Receive, since an unauthenticated SequenceNum or
// MessageType lets an on-path attacker replay or re-type frames.
type SecureMessage struct {
	// Version is the frame format version.
	Version uint8

	// MessageType is one of the MessageType* constants.
	MessageType uint8

	// SequenceNum is the per-session counter; the receiver should reject
	// repeated or out-of-window values to prevent replay.
	SequenceNum uint64

	// Timestamp is the sender's clock reading (unit not stated; presumably
	// Unix seconds or nanoseconds — confirm).
	Timestamp int64

	// SessionID binds the frame to a session.
	SessionID []byte

	// Ciphertext is the encrypted payload.
	Ciphertext []byte

	// MAC authenticates the frame; see the type comment for what it must cover.
	MAC []byte

	// Nonce must be unique per key; with a counter-based AEAD, reuse across
	// a rekey boundary is the classic failure to check for.
	Nonce []byte
}

type SecureRandom

type SecureRandom struct {
	// contains filtered or unexported fields
}

SecureRandom provides cryptographically secure random number generation. Its method set mirrors math/rand so it can be dropped in where the codebase previously used math/rand, which is not cryptographically secure. (The original wording said "crypto/rand"; crypto/rand is the secure source, so that was inverted.)

func NewSecureRandom

func NewSecureRandom() *SecureRandom

NewSecureRandom creates a new cryptographically secure random number generator

func (*SecureRandom) Bytes

func (sr *SecureRandom) Bytes(b []byte)

Bytes fills the provided byte slice with secure random bytes

func (*SecureRandom) Duration

func (sr *SecureRandom) Duration(min, max time.Duration) time.Duration

Duration returns a secure random duration between min and max

func (*SecureRandom) ExpFloat64

func (sr *SecureRandom) ExpFloat64() float64

ExpFloat64 returns an exponentially distributed float64

func (*SecureRandom) Float32

func (sr *SecureRandom) Float32() float32

Float32 returns, as a float32, a uniformly distributed random number in [0.0,1.0). This is a drop-in replacement for math/rand.Float32() (crypto/rand has no such function).

func (*SecureRandom) Float64

func (sr *SecureRandom) Float64() float64

Float64 returns, as a float64, a uniformly distributed random number in [0.0,1.0). This is a drop-in replacement for math/rand.Float64().

func (*SecureRandom) Int

func (sr *SecureRandom) Int() int

Int returns a non-negative random int. This is a drop-in replacement for math/rand.Int().

func (*SecureRandom) Int31

func (sr *SecureRandom) Int31() int32

Int31 returns a non-negative random 31-bit integer as an int32. This is a drop-in replacement for math/rand.Int31().

func (*SecureRandom) Int31n

func (sr *SecureRandom) Int31n(n int32) int32

Int31n returns, as an int32, a non-negative random number in [0,n). This is a drop-in replacement for math/rand.Int31n(); whether it matches math/rand by panicking for n <= 0 is not stated here.

func (*SecureRandom) Int63

func (sr *SecureRandom) Int63() int64

Int63 returns a non-negative random 63-bit integer as an int64. This is a drop-in replacement for math/rand.Int63().

func (*SecureRandom) Int63n

func (sr *SecureRandom) Int63n(n int64) int64

Int63n returns, as an int64, a non-negative random number in [0,n). This is a drop-in replacement for math/rand.Int63n().

func (*SecureRandom) Intn

func (sr *SecureRandom) Intn(n int) int

Intn returns, as an int, a non-negative random number in [0,n). This is a drop-in replacement for math/rand.Intn(); whether it matches math/rand by panicking for n <= 0 is not stated here.

func (*SecureRandom) NormFloat64

func (sr *SecureRandom) NormFloat64() float64

NormFloat64 returns a normally distributed float64 in the range [-math.MaxFloat64, +math.MaxFloat64]

func (*SecureRandom) Perm

func (sr *SecureRandom) Perm(n int) []int

Perm returns, as a slice of n ints, a random permutation of the integers [0,n). This is a drop-in replacement for math/rand.Perm().

func (*SecureRandom) SecureID

func (sr *SecureRandom) SecureID() string

SecureID generates a cryptographically secure ID (32 bytes = 256 bits)

func (*SecureRandom) SecureSessionID

func (sr *SecureRandom) SecureSessionID() string

SecureSessionID generates a secure session ID

func (*SecureRandom) SecureToken

func (sr *SecureRandom) SecureToken(length int) string

SecureToken generates a cryptographically secure token of the specified length. Whether length counts random bytes or output characters is not stated here; confirm before using it to reason about the token's entropy.

func (*SecureRandom) Shuffle

func (sr *SecureRandom) Shuffle(n int, swap func(i, j int))

Shuffle randomises the order of n elements using the secure generator, calling swap(i, j) for each exchange. This is a drop-in replacement for math/rand.Shuffle().

type SecureRandomGenerator

type SecureRandomGenerator struct {
	// contains filtered or unexported fields
}

SecureRandomGenerator provides cryptographically secure random number generation

func NewSecureRandomGenerator

func NewSecureRandomGenerator() *SecureRandomGenerator

NewSecureRandomGenerator creates a new secure random generator

func (*SecureRandomGenerator) GenerateSecureAPIKey

func (g *SecureRandomGenerator) GenerateSecureAPIKey() (string, error)

GenerateSecureAPIKey generates a secure API key

func (*SecureRandomGenerator) GenerateSecureBytes

func (g *SecureRandomGenerator) GenerateSecureBytes(length int) ([]byte, error)

GenerateSecureBytes generates cryptographically secure random bytes

func (*SecureRandomGenerator) GenerateSecureSessionID

func (g *SecureRandomGenerator) GenerateSecureSessionID() (string, error)

GenerateSecureSessionID generates a secure session identifier

func (*SecureRandomGenerator) GenerateSecureToken

func (g *SecureRandomGenerator) GenerateSecureToken(length int) (string, error)

GenerateSecureToken generates a cryptographically secure, base64-encoded token. Whether length refers to the number of random bytes before encoding or to the encoded string is not stated here; confirm before using it to reason about the token's entropy.

type SecureTLSConfigBuilder

type SecureTLSConfigBuilder struct {
	// contains filtered or unexported fields
}

SecureTLSConfigBuilder builds enterprise-grade TLS configurations

func NewSecureTLSConfigBuilder

func NewSecureTLSConfigBuilder(config *CryptoConfig, logger *zap.Logger) *SecureTLSConfigBuilder

NewSecureTLSConfigBuilder creates a new secure TLS configuration builder

func (*SecureTLSConfigBuilder) BuildClientTLSConfig

func (b *SecureTLSConfigBuilder) BuildClientTLSConfig(clientCert *tls.Certificate, rootCAs *x509.CertPool, serverName string) (*tls.Config, error)

BuildClientTLSConfig creates a secure client TLS configuration

func (*SecureTLSConfigBuilder) BuildServerTLSConfig

func (b *SecureTLSConfigBuilder) BuildServerTLSConfig(serverCert tls.Certificate, clientCAs *x509.CertPool) (*tls.Config, error)

BuildServerTLSConfig creates a secure server TLS configuration

type SecurityAuditor

type SecurityAuditor struct {
	// contains filtered or unexported fields
}

SecurityAuditor provides security audit functionality

func NewSecurityAuditor

func NewSecurityAuditor(config *SecurityConfig) *SecurityAuditor

NewSecurityAuditor creates a new security auditor

func (*SecurityAuditor) AuditRequest

func (sa *SecurityAuditor) AuditRequest(ctx context.Context, method, path, userID string, statusCode int)

AuditRequest logs security-relevant request information

func (*SecurityAuditor) AuditSecurityEvent

func (sa *SecurityAuditor) AuditSecurityEvent(ctx context.Context, eventType, description string, metadata map[string]interface{})

AuditSecurityEvent logs security events

type SecurityConfig

// SecurityConfig holds security-related configuration settings. Use
// DefaultLegacySecurityConfig for safe defaults and Validate before use; this
// struct itself does not enforce any of its constraints.
type SecurityConfig struct {
	// TLS Configuration
	// TLSMinVersion is the minimum protocol version as a string (accepted
	// spellings are decided by Validate / the TLS builder, not here).
	TLSMinVersion   string   `json:"tls_min_version" yaml:"tls_min_version"`
	// TLSCipherSuites is an allow-list of cipher suite names; an empty list's
	// meaning (library default vs reject) is not specified here.
	TLSCipherSuites []string `json:"tls_cipher_suites" yaml:"tls_cipher_suites"`
	// RequireMTLS requires client certificates on inbound connections.
	RequireMTLS     bool     `json:"require_mtls" yaml:"require_mtls"`

	// Authentication Settings
	RequireStrongPasswords bool   `json:"require_strong_passwords" yaml:"require_strong_passwords"`
	MinPasswordLength      int    `json:"min_password_length" yaml:"min_password_length"`
	PasswordComplexity     string `json:"password_complexity" yaml:"password_complexity"`
	SessionTimeout         int    `json:"session_timeout" yaml:"session_timeout"` // in minutes
	// MaxFailedAttempts and LockoutDuration drive account lockout; a lockout
	// that is too long or too easily triggered is a denial-of-service lever.
	MaxFailedAttempts      int    `json:"max_failed_attempts" yaml:"max_failed_attempts"`
	LockoutDuration        int    `json:"lockout_duration" yaml:"lockout_duration"` // in minutes

	// API Security
	RateLimitPerMinute int      `json:"rate_limit_per_minute" yaml:"rate_limit_per_minute"`
	// AllowedOrigins is the CORS allow-list; "*" together with credentials
	// is the usual misconfiguration to check for in Validate.
	AllowedOrigins     []string `json:"allowed_origins" yaml:"allowed_origins"`
	RequireAPIKey      bool     `json:"require_api_key" yaml:"require_api_key"`
	APIKeyRotationDays int      `json:"api_key_rotation_days" yaml:"api_key_rotation_days"`

	// Security Headers
	EnableHSTS bool   `json:"enable_hsts" yaml:"enable_hsts"`
	// HSTSMaxAge unit is not stated here; the header's max-age is in seconds,
	// so confirm the middleware does not treat this as minutes like the
	// other durations above.
	HSTSMaxAge int    `json:"hsts_max_age" yaml:"hsts_max_age"`
	EnableCSP  bool   `json:"enable_csp" yaml:"enable_csp"`
	CSPPolicy  string `json:"csp_policy" yaml:"csp_policy"`

	// Input Validation
	MaxRequestSize    int64    `json:"max_request_size" yaml:"max_request_size"` // in bytes
	AllowedFileTypes  []string `json:"allowed_file_types" yaml:"allowed_file_types"`
	SanitizeUserInput bool     `json:"sanitize_user_input" yaml:"sanitize_user_input"`

	// Audit and Logging
	EnableAuditLog        bool `json:"enable_audit_log" yaml:"enable_audit_log"`
	// LogSensitiveData, when true, lets sensitive values reach the logs.
	// It must be false in any shared or production environment; Validate
	// should at least warn on it.
	LogSensitiveData      bool `json:"log_sensitive_data" yaml:"log_sensitive_data"`
	AuditLogRetentionDays int  `json:"audit_log_retention_days" yaml:"audit_log_retention_days"`
}

SecurityConfig holds security-related configuration settings

func DefaultLegacySecurityConfig

func DefaultLegacySecurityConfig() *SecurityConfig

DefaultLegacySecurityConfig returns a secure default configuration

func (*SecurityConfig) Validate

func (sc *SecurityConfig) Validate() error

Validate checks if the security configuration is valid and secure

type SecurityEvent

// SecurityEvent represents a security-related event as produced by the
// monitoring layer and consumed by SIEM/SOAR forwarding. RawData and Context
// are copied from the source verbatim, so they may contain whatever the
// source logged — including request bodies or tokens — and should be
// redacted before leaving the trust boundary.
type SecurityEvent struct {
	// ID and Timestamp identify and order the event.
	ID              string            `json:"id"`
	Timestamp       time.Time         `json:"timestamp"`
	// EventType and Severity are free-form classifiers (values not listed).
	EventType       string            `json:"event_type"`
	Severity        string            `json:"severity"`
	// Source names the emitting component; SourceIP is the client address,
	// which is attacker-controlled when taken from X-Forwarded-For.
	Source          string            `json:"source"`
	SourceIP        string            `json:"source_ip"`
	// Target is the affected resource.
	Target          string            `json:"target"`
	Description     string            `json:"description"`
	// RawData is the undecoded source payload; see the type comment.
	RawData         json.RawMessage   `json:"raw_data"`
	// ThreatScore is a numeric score (scale not stated here).
	ThreatScore     int               `json:"threat_score"`
	Tags            []string          `json:"tags"`
	Context         map[string]string `json:"context"`
	// ResponseActions lists automated responses taken or proposed.
	ResponseActions []string          `json:"response_actions"`
}

SecurityEvent represents a security-related event

type SecurityFailure

// SecurityFailure records a failed security check on a connection (for
// example a rejected handshake). It has no JSON tags, so it is an in-process
// record; anything placed in Context that needs to reach a log or SIEM must
// be copied out explicitly.
type SecurityFailure struct {
	// Timestamp is when the failure was observed.
	Timestamp time.Time

	// FailureType classifies the failure (values not enumerated here).
	FailureType string

	// ClientAddr is the remote address of the failing peer.
	ClientAddr string

	// Error is the underlying error. Error values can embed sensitive
	// detail (paths, hostnames, partial keys); scrub before exposing to
	// the peer.
	Error error

	// Context is free-form extra detail.
	Context map[string]interface{}
}

type SecurityHeaders

type SecurityHeaders struct {
	// contains filtered or unexported fields
}

func NewSecurityHeaders

func NewSecurityHeaders() (*SecurityHeaders, error)

func (*SecurityHeaders) ApplyToHTTPRequest

func (sh *SecurityHeaders) ApplyToHTTPRequest(req *http.Request)

func (*SecurityHeaders) GetNonce

func (sh *SecurityHeaders) GetNonce() string

func (*SecurityHeaders) GetRequestID

func (sh *SecurityHeaders) GetRequestID() string

type SecurityHeadersConfig

// SecurityHeadersConfig defines the HTTP security headers to emit. Each field
// is the raw header value; an empty field is omitted from JSON and presumably
// from the response as well (confirm in the middleware).
type SecurityHeadersConfig struct {
	// ContentSecurityPolicy is the Content-Security-Policy value.
	ContentSecurityPolicy   string `json:"content_security_policy,omitempty"`
	// XFrameOptions is the X-Frame-Options value (DENY / SAMEORIGIN).
	XFrameOptions           string `json:"x_frame_options,omitempty"`
	// XContentTypeOptions should be "nosniff".
	XContentTypeOptions     string `json:"x_content_type_options,omitempty"`
	// StrictTransportSecurity is the HSTS value; only send it over HTTPS.
	StrictTransportSecurity string `json:"strict_transport_security,omitempty"`
	// XSSProtection is the legacy X-XSS-Protection value. NOTE(review): the
	// header is deprecated and the "1; mode=block" setting has been used to
	// create vulnerabilities in older browsers; current guidance is to send
	// "0" (or omit it) and rely on CSP.
	XSSProtection           string `json:"xss_protection,omitempty"`
	// ReferrerPolicy is the Referrer-Policy value.
	ReferrerPolicy          string `json:"referrer_policy,omitempty"`
	// PermissionsPolicy is the Permissions-Policy value.
	PermissionsPolicy       string `json:"permissions_policy,omitempty"`
}

SecurityHeadersConfig defines security headers configuration

type SecurityHeadersMiddleware

type SecurityHeadersMiddleware struct {
	// contains filtered or unexported fields
}

SecurityHeadersMiddleware adds comprehensive security headers to HTTP responses

func NewSecurityHeadersMiddleware

func NewSecurityHeadersMiddleware(isDevelopment bool) *SecurityHeadersMiddleware

NewSecurityHeadersMiddleware creates a new security headers middleware

func (*SecurityHeadersMiddleware) Middleware

func (s *SecurityHeadersMiddleware) Middleware(next http.Handler) http.Handler

Middleware returns the HTTP middleware function

type SecurityIncident

// SecurityIncident is the incident-response record built from one or more
// SecurityEvents: evidence, a timeline, the actions taken and the MITRE
// mapping. Evidence and Artifacts may contain captured attacker payloads or
// affected data; store the record with the same controls as the data it
// describes.
type SecurityIncident struct {
	// ID is the incident identifier.
	ID string `json:"id"`

	Title string `json:"title"`

	Description string `json:"description"`

	// Severity, Status and Category are free-form classifiers (values not
	// enumerated here).
	Severity string `json:"severity"`

	Status string `json:"status"`

	Category string `json:"category"`

	// Source names the detector or feed that raised the incident.
	Source string `json:"source"`

	// DetectedAt is always set; AcknowledgedAt and ResolvedAt are nil until
	// the corresponding state transition.
	DetectedAt time.Time `json:"detected_at"`

	AcknowledgedAt *time.Time `json:"acknowledged_at,omitempty"`

	ResolvedAt *time.Time `json:"resolved_at,omitempty"`

	Assignee string `json:"assignee"`

	Tags []string `json:"tags"`

	// Evidence, Timeline and Actions are pointer slices; a nil element will
	// serialise as null and must be tolerated by readers.
	Evidence []*Evidence `json:"evidence"`

	Timeline []*TimelineEvent `json:"timeline"`

	Actions []*ResponseAction `json:"actions"`

	// Artifacts is raw JSON passed through undecoded.
	Artifacts json.RawMessage `json:"artifacts"`

	// MITRE is the ATT&CK mapping, if one was made.
	MITRE *MITREMapping `json:"mitre,omitempty"`

	Impact *ImpactAssessment `json:"impact"`

	Remediation *RemediationPlan `json:"remediation"`
}

type SecurityLevel

type SecurityLevel string

SecurityLevel defines O-RAN security levels

// The SecurityLevel values, in increasing order of strictness. The string
// form is what appears in configuration and JSON; comparisons elsewhere are
// presumably by equality, so do not rely on lexical ordering of the strings.
const (
	SecurityLevelBasic    SecurityLevel = "basic"
	SecurityLevelStandard SecurityLevel = "standard"
	SecurityLevelHigh     SecurityLevel = "high"
	SecurityLevelCritical SecurityLevel = "critical"
)

type SecurityPolicy

// SecurityPolicy represents a security policy: a named set of PolicyRules with
// an enforcement mode and a scope. A policy with Enabled == false is inert
// regardless of its rules (presumably; confirm in the enforcer).
type SecurityPolicy struct {
	// ID and Name identify the policy.
	ID          string          `json:"id"`
	Name        string          `json:"name"`
	Description string          `json:"description"`
	// Type classifies the policy (values not enumerated here).
	Type        string          `json:"type"`
	// Rules are evaluated by the policy engine; rule ordering semantics are
	// not specified by this type.
	Rules       []PolicyRule    `json:"rules"`
	// Enforcement is the mode string (e.g. audit vs enforce); the accepted
	// values are not visible here.
	Enforcement string          `json:"enforcement"`
	// Scope lists the targets (namespaces, components, ...) the policy
	// applies to.
	Scope       []string        `json:"scope"`
	Enabled     bool            `json:"enabled"`
	CreatedAt   time.Time       `json:"created_at"`
	UpdatedAt   time.Time       `json:"updated_at"`
	// Metadata is raw JSON passed through undecoded.
	Metadata    json.RawMessage `json:"metadata"`
}

SecurityPolicy represents a security policy

type SecurityRecommendation

// SecurityRecommendation provides an actionable security improvement,
// emitted as part of a TLSAuditReport. Note that the Steps field serialises
// as `implementation_steps`, not `steps`; JSON consumers must use the tag
// name.
type SecurityRecommendation struct {
	// Priority is 1 (highest) to 5 (lowest).
	Priority    int      `json:"priority"` // 1 (highest) - 5 (lowest)
	// Category groups recommendations (values not enumerated here).
	Category    string   `json:"category"`
	Title       string   `json:"title"`
	Description string   `json:"description"`
	// Impact describes the security benefit; Effort the implementation cost.
	Impact      string   `json:"impact"`
	Effort      string   `json:"effort"` // LOW, MEDIUM, HIGH
	// Steps are the ordered implementation steps (tag: implementation_steps).
	Steps       []string `json:"implementation_steps"`
	// References are URLs or document identifiers supporting the finding.
	References  []string `json:"references"`
}

SecurityRecommendation provides actionable security improvements

type SecurityRequirement

// SecurityRequirement defines a specific, testable security requirement with
// an attached compliance check. ComplianceCheck is a function and is excluded
// from JSON (`json:"-"`), so a requirement that round-trips through JSON
// comes back without its check and must be re-bound before evaluation.
type SecurityRequirement struct {
	// RequirementID is the identifier used in compliance reports.
	RequirementID   string              `json:"requirement_id"`
	// Category is one of the values in the trailing comment.
	Category        string              `json:"category"` // "authentication", "encryption", "authorization", "audit"
	Description     string              `json:"description"`
	// MandatoryLevel uses RFC 2119 keywords; only SHALL failures should be
	// treated as non-compliance (presumably — confirm in the evaluator).
	MandatoryLevel  string              `json:"mandatory_level"` // "SHALL", "SHOULD", "MAY"
	// TestCriteria are human-readable pass criteria.
	TestCriteria    []string            `json:"test_criteria"`
	// ComplianceCheck implements the requirement; nil means "not automated".
	ComplianceCheck ComplianceCheckFunc `json:"-"`
}

SecurityRequirement defines specific security requirements

type SecurityScanner

// SecurityScanner runs network/endpoint scans (see ScanTarget,
// ScanNetworkIntent, ScheduleScan).
//
// NOTE(review): embedding client.Client promotes the entire Kubernetes
// client method set (Get/List/Create/Update/Delete, ...) onto
// *SecurityScanner's exported API. Anything holding a scanner can therefore
// act on the cluster with the scanner's credentials. If that is not
// intended, make the client an unexported named field.
type SecurityScanner struct {
	client.Client
	// contains filtered or unexported fields
}

func NewSecurityScanner

func NewSecurityScanner(client client.Client, logger *slog.Logger, config SecurityScannerConfig) (*SecurityScanner, error)

func NewSecurityScannerForTest

func NewSecurityScannerForTest(config *ScannerConfig) *SecurityScanner

NewSecurityScannerForTest creates a new security scanner with just config for test compatibility

func (*SecurityScanner) ExportResults

func (ss *SecurityScanner) ExportResults(results *ScanResults, format string) ([]byte, error)

func (*SecurityScanner) GetScanHistory

func (ss *SecurityScanner) GetScanHistory(ctx context.Context, target string, limit int) ([]ScanResults, error)

func (*SecurityScanner) ScanNetworkIntent

func (ss *SecurityScanner) ScanNetworkIntent(ctx context.Context, intent *nephiov1.NetworkIntent) (*ScanResults, error)

func (*SecurityScanner) ScanTarget

func (ss *SecurityScanner) ScanTarget(ctx context.Context, target string) (*ScanResults, error)

func (*SecurityScanner) ScheduleScan

func (ss *SecurityScanner) ScheduleScan(target string, interval time.Duration) error

func (*SecurityScanner) Stop

func (ss *SecurityScanner) Stop()

type SecurityScannerConfig

// SecurityScannerConfig configures a SecurityScanner. Tag names are
// camelCase; note `enableTlsScan` does not follow the TLS casing used by the
// other tags, so JSON writers must match it exactly.
type SecurityScannerConfig struct {
	// MaxConcurrency bounds parallel scans.
	MaxConcurrency int `json:"maxConcurrency"`

	// ScanTimeout bounds a whole scan; HTTPTimeout bounds each HTTP probe.
	ScanTimeout time.Duration `json:"scanTimeout"`

	HTTPTimeout time.Duration `json:"httpTimeout"`

	// The Enable* flags select scan categories. Injection scanning is an
	// active test that sends attack payloads; enable it only against
	// systems you are authorised to test.
	EnablePortScan bool `json:"enablePortScan"`

	EnableVulnScan bool `json:"enableVulnScan"`

	EnableTLSScan bool `json:"enableTlsScan"`

	EnableHeaderScan bool `json:"enableHeaderScan"`

	EnableInjectionScan bool `json:"enableInjectionScan"`

	// PortRanges limits the port scan.
	PortRanges []PortRange `json:"portRanges"`

	// CustomHeaders are added to every probe request. Do not place
	// credentials here unless the target is trusted: they go to every host
	// scanned.
	CustomHeaders map[string]string `json:"customHeaders,omitempty"`

	// UserAgent overrides the probe User-Agent.
	UserAgent string `json:"userAgent,omitempty"`

	// ServiceName identifies this scanner in its own results/logs.
	ServiceName string `json:"serviceName"`
}

type SignatureChain

// SignatureChain is an ordered list of signatures over the same artefact,
// verified against a set of public keys by VerifyChain.
//
// NOTE(review): all fields are exported and mutable, so any holder can append
// to Verifiers or Signatures directly, bypassing AddSignature. If the chain
// is meant to be tamper-evident, the verifier set should be fixed at
// construction and VerifyChain should report which signature failed rather
// than a bare bool.
type SignatureChain struct {
	// ChainID identifies the chain.
	ChainID string

	// Signatures are appended in order by AddSignature.
	Signatures []*ChainedSignature

	// Verifiers are the public keys trusted to have produced Signatures.
	Verifiers []crypto.PublicKey

	// Created is when the chain was started.
	Created time.Time
}

func (*SignatureChain) AddSignature

func (sc *SignatureChain) AddSignature(signerID string, signature []byte, algorithm string)

func (*SignatureChain) VerifyChain

func (sc *SignatureChain) VerifyChain() bool

type SignatureDetectionEngine

type SignatureDetectionEngine struct {
	// contains filtered or unexported fields
}

type SlackConfig

// SlackConfig configures Slack notifications. WebhookURL is a bearer
// credential — anyone with the URL can post to the channel — and it is
// serialised verbatim, so keep this struct out of logs and config dumps.
type SlackConfig struct {
	// WebhookURL is the incoming-webhook URL (sensitive).
	WebhookURL string `json:"webhook_url"`

	// Channel overrides the webhook's default channel.
	Channel string `json:"channel"`

	// Username is the display name for posted messages.
	Username string `json:"username"`
}

type StoredKey

// StoredKey is the persisted form of an asymmetric key. PrivateKey is
// documented as encrypted, but it is still serialised under `privateKey`, so
// a StoredKey is only as safe as the key that encrypts that field.
//
// NOTE(review): `json:"expiresAt,omitempty"` has no effect on a time.Time
// value (omitempty never omits struct values), so a zero ExpiresAt is
// emitted as "0001-01-01T00:00:00Z". Readers must treat the zero time as
// "no expiry" rather than "expired"; SecretMetadata avoids this by using
// *time.Time.
type StoredKey struct {
	// ID identifies the key.
	ID string `json:"id"`

	// Type is the algorithm; RSAKey only succeeds for "rsa" (presumably).
	Type string `json:"type"` // "rsa", "ecdsa", etc.

	// Bits is the key size.
	Bits int `json:"bits"` // Key size in bits

	// PublicKey is the encoded public key (encoding not stated here).
	PublicKey []byte `json:"publicKey"` // Public key bytes

	// PrivateKey is the encrypted private key; see the type comment.
	PrivateKey []byte `json:"privateKey"` // Encrypted private key bytes

	// CreatedAt is when the key was generated.
	CreatedAt time.Time `json:"createdAt"`

	// ExpiresAt is the expiry; zero means none — see the type comment.
	ExpiresAt time.Time `json:"expiresAt,omitempty"`

	// Metadata is free-form; do not put key material here.
	Metadata map[string]string `json:"metadata,omitempty"`
}

func (*StoredKey) RSAKey

func (sk *StoredKey) RSAKey() (*rsa.PrivateKey, error)

type StructuredPrompt

// StructuredPrompt separates trusted prompt sections (system context, policy,
// constraints, forbidden topics) from the untrusted UserIntent so they can be
// rendered with explicit boundaries by ToDelimitedString.
//
// NOTE(review): delimiting only helps if the boundary string cannot be
// reproduced by the user. If callers pass a fixed boundary, UserIntent can
// contain it and forge a trusted section; use a per-request random boundary
// and reject or escape occurrences of it in UserIntent. Whether
// ToDelimitedString does that is not visible here.
type StructuredPrompt struct {
	// SystemContext is trusted instruction text.
	SystemContext string `json:"system_context"`

	// SecurityPolicy is trusted policy text.
	SecurityPolicy string `json:"security_policy"`

	// UserIntent is the untrusted user-supplied request.
	UserIntent string `json:"user_intent"`

	// OutputFormat describes the expected response shape.
	OutputFormat string `json:"output_format"`

	// Constraints and ForbiddenTopics are trusted rule lists.
	Constraints []string `json:"constraints"`

	ForbiddenTopics []string `json:"forbidden_topics"`

	// Metadata is raw JSON passed through undecoded.
	Metadata json.RawMessage `json:"metadata"`
}

func NewStructuredPrompt

func NewStructuredPrompt(userIntent string) *StructuredPrompt

func (*StructuredPrompt) ToDelimitedString

func (sp *StructuredPrompt) ToDelimitedString(boundary string) string

type SuspiciousActivity

// SuspiciousActivity tracks suspicious behaviour per source IP. Keying on IP
// alone conflates clients behind NAT/proxies, so a high ThreatScore is a
// signal, not proof, about any single client.
type SuspiciousActivity struct {
	// IP is the source address the events are attributed to.
	IP               string
	// FirstDetected and LastSeen bound the activity window.
	FirstDetected    time.Time
	LastSeen         time.Time
	// SuspiciousEvents is the accumulated event list.
	SuspiciousEvents []SuspiciousEvent
	// ThreatScore is an aggregate score (scale not stated here).
	ThreatScore      int
}

SuspiciousActivity tracks suspicious behavior patterns

type SuspiciousEvent

// SuspiciousEvent represents a single suspicious event attributed to a source.
type SuspiciousEvent struct {
	// Timestamp is when the event occurred.
	Timestamp time.Time
	// EventType classifies the event (values not enumerated here).
	EventType string
	// Details is free-form text; it may echo request data, so redact before
	// logging.
	Details   string
	// Severity is a numeric rating (scale not stated here).
	Severity  int
}

SuspiciousEvent represents a suspicious event

type SystemComponent

// SystemComponent identifies a software component (name, version, kind and
// install path), e.g. for inventory or SBOM-style reporting.
type SystemComponent struct {
	// Name is the component name.
	Name string `json:"name"`

	// Version is the component version string.
	Version string `json:"version"`

	// Type classifies the component (values not enumerated here).
	Type string `json:"type"`

	// Path is where the component lives on the host/image.
	Path string `json:"path"`
}

type TLSAuditFinding

// TLSAuditFinding represents one TLS configuration finding for an endpoint.
type TLSAuditFinding struct {
	// Endpoint is the audited host:port or URL.
	Endpoint    string    `json:"endpoint"`
	// Finding is a short identifier/title for the issue.
	Finding     string    `json:"finding"`
	// Severity is one of the values in the trailing comment.
	Severity    string    `json:"severity"` // CRITICAL, HIGH, MEDIUM, LOW, INFO
	// Category groups findings (values not enumerated here).
	Category    string    `json:"category"`
	Description string    `json:"description"`
	Impact      string    `json:"impact"`
	// Evidence is the observed data supporting the finding (e.g. negotiated
	// parameters); it is free text and may include certificate details.
	Evidence    string    `json:"evidence"`
	Remediation string    `json:"remediation"`
	References  []string  `json:"references"`
	// Timestamp is when the finding was recorded.
	Timestamp   time.Time `json:"timestamp"`
}

TLSAuditFinding represents a TLS configuration finding

type TLSAuditLogger

// TLSAuditLogger is the sink for security events raised during a TLS audit.
// Implementations receive details as an untyped map; they should not assume
// the values are safe to log verbatim (they can include certificate subjects
// and endpoint data).
type TLSAuditLogger interface {
	// LogSecurityEvent records one named event with free-form details.
	LogSecurityEvent(event string, details map[string]interface{})
}

TLSAuditLogger interface for security event logging

type TLSAuditReport

// TLSAuditReport is the aggregate result of a TLS security audit, grouping
// findings by kind and summarizing compliance and overall risk.
type TLSAuditReport struct {
	Timestamp       time.Time                `json:"timestamp"`
	ReportID        string                   `json:"report_id"`
	ScanDuration    time.Duration            `json:"scan_duration"` // serialized as nanoseconds by encoding/json
	Summary         AuditSummary             `json:"summary"`
	TLSFindings     []TLSAuditFinding        `json:"tls_findings"`
	CertFindings    []CertificateFinding     `json:"certificate_findings"`
	CipherFindings  []CipherFinding          `json:"cipher_findings"`
	Compliance      TLSComplianceReport      `json:"compliance"`
	Recommendations []SecurityRecommendation `json:"recommendations"`
	RiskScore       int                      `json:"risk_score"` // 0-100, higher is worse
}

TLSAuditReport represents a comprehensive TLS security audit

type TLSAuditor

type TLSAuditor struct {
	// contains filtered or unexported fields
}

TLSAuditor performs comprehensive TLS security audits

func NewTLSAuditor

func NewTLSAuditor(config *AuditorConfig) *TLSAuditor

NewTLSAuditor creates a new TLS security auditor

func (*TLSAuditor) AuditEndpoint

func (a *TLSAuditor) AuditEndpoint(endpoint string) error

AuditEndpoint performs a comprehensive TLS audit on a single endpoint

func (*TLSAuditor) ExportReport

func (a *TLSAuditor) ExportReport(format string) ([]byte, error)

ExportReport exports the report in the specified format

func (*TLSAuditor) GenerateReport

func (a *TLSAuditor) GenerateReport() *TLSAuditReport

GenerateReport generates the final audit report

type TLSComplianceReport

// TLSComplianceReport records compliance against the standards named by the
// JSON tags: O-RAN WG11, NIST SP 800-52 and the OWASP TLS guidance, plus any
// custom rule sets.
type TLSComplianceReport struct {
	ORANCompliance    ComplianceDetails   `json:"oran_wg11"`
	NISTCompliance    ComplianceDetails   `json:"nist_sp_800_52"`
	OWASPCompliance   ComplianceDetails   `json:"owasp_tls"`
	CustomCompliance  []ComplianceDetails `json:"custom,omitempty"`
	OverallCompliance float64             `json:"overall_compliance_percentage"` // 0-100 percentage across the above
}

TLSComplianceReport represents compliance status against standards

type TLSComplianceRule

// TLSComplianceRule is one TLS compliance requirement together with the
// outcome of checking it against an endpoint.
type TLSComplianceRule struct {
	RuleID      string `json:"rule_id"`
	Title       string `json:"title"`
	Description string `json:"description"`
	Severity    string `json:"severity"`
	Result      string `json:"result"` // PASS, FAIL, SKIP, ERROR
	Evidence    string `json:"evidence"`
	Remediation string `json:"remediation"`
}

TLSComplianceRule represents a specific TLS compliance requirement together with the result of evaluating it; the TLS prefix distinguishes it from other compliance-rule types in this package.

type TLSConfig

// TLSConfig is the file/JSON-level TLS configuration. Version and cipher
// names are strings here and are presumably mapped to crypto/tls constants
// elsewhere — how unknown names are handled is not visible in this file.
type TLSConfig struct {
	Enabled            bool              `json:"enabled"`
	CertFile           string            `json:"cert_file"`
	// KeyFile points at the private key; restrict its filesystem permissions
	// to the service account.
	KeyFile            string            `json:"key_file"`
	CAFile             string            `json:"ca_file,omitempty"`
	// MinVersion should not be set below TLS 1.2; TLS 1.0/1.1 are deprecated
	// (RFC 8996) and fail the WG11/NIST checks this package audits against.
	MinVersion         string            `json:"min_version"`
	MaxVersion         string            `json:"max_version,omitempty"`
	CipherSuites       []string          `json:"cipher_suites,omitempty"`
	ClientAuth         string            `json:"client_auth,omitempty"`
	// InsecureSkipVerify, if it maps to tls.Config.InsecureSkipVerify as the
	// name suggests, disables certificate chain and hostname verification and
	// makes the connection trivially interceptable. It must be false outside
	// local testing; the JSON key has no omitempty so its value is always explicit.
	InsecureSkipVerify bool              `json:"insecure_skip_verify"`
	CertificatePaths   *CertificatePaths `json:"certificate_paths,omitempty"`
}

TLSConfig defines TLS configuration settings

type TLSEnhancedConfig

// TLSEnhancedConfig is the programmatic TLS configuration from which
// BuildTLSConfig/GetTLSConfig derive a *tls.Config. Several fields describe
// features (HSTS, CT, DANE, OCSP, CRL, 0-RTT, DHE) that the standard
// crypto/tls package does not implement by itself; whether and how they are
// honored is not visible in this file and should be confirmed against
// BuildTLSConfig and ValidateConfiguration.
type TLSEnhancedConfig struct {
	// MinVersion/MaxVersion use crypto/tls version constants (e.g. tls.VersionTLS12).
	MinVersion uint16

	MaxVersion uint16

	// CipherSuites applies to TLS 1.2 and below; crypto/tls does not allow
	// configuring TLS 1.3 suites.
	CipherSuites []uint16

	CurvePreferences []tls.CurveID

	// PostQuantumEnabled/HybridMode: available hybrid key exchanges depend on
	// the Go release's crypto/tls support; see SetupPostQuantumReadiness.
	PostQuantumEnabled bool

	HybridMode bool // Use classical + PQ algorithms

	CertFile string

	KeyFile string // private key path; restrict filesystem permissions

	CAFile string

	// ClientCAs is the pool used to verify client certificates when mTLS is required.
	ClientCAs *x509.CertPool

	OCSPStaplingEnabled bool

	OCSPResponderURL string

	OCSPCache *OCSPCache

	ConnectionPool *ConnectionPool

	CRLCache *CRLCache

	// SessionTicketKeys are raw symmetric keys; anyone holding them can
	// decrypt resumed sessions, so rotate them (see
	// StartSessionTicketRotation) and keep them out of logs/dumps.
	// If passed to tls.Config.SetSessionTicketKeys, each must be exactly 32 bytes.
	SessionTicketKeys [][]byte

	SessionTicketRotationInterval time.Duration

	// HSTS is an HTTP response header, not a TLS parameter; it cannot be
	// expressed in a tls.Config. Where this flag is acted on is not visible here.
	HSTSEnabled bool

	HSTSMaxAge time.Duration

	// NOTE(review): the name says "Enabled" but the comment says "Disable";
	// also, crypto/tls implements no finite-field DHE cipher suites, so this
	// flag may have no effect on the built tls.Config — confirm.
	DHE2048Enabled bool // Disable DHE with less than 2048 bits

	// Certificate Transparency and DANE/DNSSEC checks are not provided by
	// crypto/tls; they require a custom verifier.
	CTEnabled bool

	CTLogServers []string

	DANEEnabled bool

	DNSSECRequired bool

	// OnlineCertificateValidation/CertificateRevocationCheck: crypto/tls
	// performs no revocation checking by default; presumably implemented via
	// VerifyPeerCertificate/VerifyConnection using OCSPCache/CRLCache — verify.
	OnlineCertificateValidation bool

	CertificateRevocationCheck bool

	// 0-RTT Early Data Support (TLS 1.3)
	// WARNING: Enabling 0-RTT can expose the application to replay attacks
	// Only enable for idempotent operations
	// NOTE(review): the standard crypto/tls package does not implement 0-RTT
	// early data; confirm how this flag is realized before relying on it.
	Enable0RTT bool

	Max0RTTDataSize uint32 // Maximum size of 0-RTT early data in bytes

	// PinnedCertificates/PinnedPublicKeys: the pin encoding (fingerprint
	// algorithm, hex vs base64) is not visible here. Pinning without a
	// rotation/backup-pin plan turns every certificate renewal into an outage.
	PinnedCertificates []string

	PinnedPublicKeys []string

	SessionCacheSize int

	SessionCacheTimeout time.Duration

	// Callbacks are presumably invoked from the handshake path; they should
	// not block and should not log raw key material.
	SecurityEventCallback func(event TLSSecurityEvent)

	FailureCallback func(failure SecurityFailure)

	MetricsCollector *TLSMetricsCollector
	// contains filtered or unexported fields
}

func NewTLSEnhancedConfig

func NewTLSEnhancedConfig() *TLSEnhancedConfig

func (*TLSEnhancedConfig) BuildTLSConfig

func (c *TLSEnhancedConfig) BuildTLSConfig() (*tls.Config, error)

func (*TLSEnhancedConfig) CreateSecureListener

func (c *TLSEnhancedConfig) CreateSecureListener(address string) (net.Listener, error)

func (*TLSEnhancedConfig) EnableHSTS

func (c *TLSEnhancedConfig) EnableHSTS(maxAge time.Duration)

func (*TLSEnhancedConfig) GetMetrics

func (c *TLSEnhancedConfig) GetMetrics() *TLSMetricsCollector

func (*TLSEnhancedConfig) GetTLSConfig

func (c *TLSEnhancedConfig) GetTLSConfig() (*tls.Config, error)

func (*TLSEnhancedConfig) LoadCA

func (c *TLSEnhancedConfig) LoadCA(caFile string) error

func (*TLSEnhancedConfig) LoadCertificate

func (c *TLSEnhancedConfig) LoadCertificate(certFile, keyFile string) error

func (*TLSEnhancedConfig) SetupPostQuantumReadiness

func (c *TLSEnhancedConfig) SetupPostQuantumReadiness(enable bool, hybridMode bool)

func (*TLSEnhancedConfig) StartSessionTicketRotation

func (c *TLSEnhancedConfig) StartSessionTicketRotation(ctx context.Context)

func (*TLSEnhancedConfig) ValidateConfiguration

func (c *TLSEnhancedConfig) ValidateConfiguration() error

func (*TLSEnhancedConfig) WrapHTTPTransport

func (c *TLSEnhancedConfig) WrapHTTPTransport(transport *http.Transport) error

type TLSFinding

// TLSFinding is a lighter-weight TLS issue record (compare TLSAuditFinding)
// that optionally names the offending protocol, cipher or certificate.
type TLSFinding struct {
	Issue string `json:"issue"`

	Severity string `json:"severity"`

	Description string `json:"description"`

	Protocol string `json:"protocol,omitempty"`

	Cipher string `json:"cipher,omitempty"`

	Certificate string `json:"certificate,omitempty"`

	// Expiry is a preformatted string rather than a time.Time; consumers
	// cannot compare it without knowing the format used.
	Expiry string `json:"expiry,omitempty"`
}

type TLSManager

type TLSManager struct {
	// contains filtered or unexported fields
}

func NewTLSManager

func NewTLSManager(config *TLSManagerConfig, logger *zap.Logger) (*TLSManager, error)

func (*TLSManager) Close

func (tm *TLSManager) Close() error

func (*TLSManager) CreateGRPCDialOptions

func (tm *TLSManager) CreateGRPCDialOptions() []grpc.DialOption

func (*TLSManager) CreateGRPCServerOptions

func (tm *TLSManager) CreateGRPCServerOptions() []grpc.ServerOption

func (*TLSManager) CreateHTTPClient

func (tm *TLSManager) CreateHTTPClient() *http.Client

func (*TLSManager) GetClientCredentials

func (tm *TLSManager) GetClientCredentials() credentials.TransportCredentials

func (*TLSManager) GetServerCredentials

func (tm *TLSManager) GetServerCredentials() credentials.TransportCredentials

func (*TLSManager) GetTLSConfig

func (tm *TLSManager) GetTLSConfig() *tls.Config

func (*TLSManager) ValidatePeerCertificate

func (tm *TLSManager) ValidatePeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

type TLSManagerConfig

// TLSManagerConfig configures a TLSManager (server and client credentials,
// mTLS policy, peer identity allow-lists and certificate rotation).
// LoadTLSConfigFromEnv populates it from environment variables.
type TLSManagerConfig struct {
	CertFile string

	KeyFile string // private key path; restrict filesystem permissions

	CAFile string // trust anchors used to verify peers

	ClientCertFile string

	ClientKeyFile string

	// MinVersion/MaxVersion use crypto/tls version constants; a zero
	// MinVersion falls back to the crypto/tls default.
	MinVersion uint16

	MaxVersion uint16

	CipherSuites []uint16

	// MTLSEnabled with ClientAuthType: only tls.RequireAndVerifyClientCert
	// actually authenticates the client. RequestClientCert,
	// RequireAnyClientCert and VerifyClientCertIfGiven all admit peers whose
	// identity was not (fully) verified.
	MTLSEnabled bool

	ClientAuthType tls.ClientAuthType

	// ValidateHostname: if false, the peer certificate is presumably not
	// matched against the expected host name; pair it with AllowedCNs or
	// AllowedSANs so peer identity is still pinned — confirm in
	// ValidatePeerCertificate.
	ValidateHostname bool

	// AllowedCNs/AllowedSANs are identity allow-lists, presumably enforced by
	// ValidatePeerCertificate (whose signature matches
	// tls.Config.VerifyPeerCertificate). Matching should be exact, not
	// substring, and SANs are the standard identity field — the CN is
	// deprecated for that purpose (RFC 6125).
	AllowedCNs []string

	AllowedSANs []string

	RotationCheckInterval time.Duration

	RenewalThreshold time.Duration // remaining validity at which renewal is triggered

	ServiceName string
}

func LoadTLSConfigFromEnv

func LoadTLSConfigFromEnv() *TLSManagerConfig

type TLSMetricsCollector

type TLSMetricsCollector struct {
	// contains filtered or unexported fields
}

func (*TLSMetricsCollector) RecordHandshake

func (c *TLSMetricsCollector) RecordHandshake(version uint16, cipherSuite uint16)

RecordHandshake records TLS handshake metrics

type TLSSecurityEvent

// TLSSecurityEvent describes a TLS-layer security event delivered to
// TLSEnhancedConfig.SecurityEventCallback.
type TLSSecurityEvent struct {
	Timestamp time.Time

	EventType string

	ClientAddr string // remote address; network-level, not a client-supplied header

	CertSubject string // peer certificate subject; may be attacker-chosen text for self-signed certs

	TLSVersion uint16 // crypto/tls version constant

	CipherSuite uint16 // crypto/tls cipher suite ID

	Details map[string]interface{}
}

type TestResult

// TestResult is the outcome of one TestSuite check.
type TestResult struct {
	TestName string

	Passed bool

	Duration time.Duration

	ErrorMsg string // populated on failure

	Details map[string]interface{}

	Timestamp time.Time
}

type TestSuite

type TestSuite struct {
	// contains filtered or unexported fields
}

func NewTestSuite

func NewTestSuite() *TestSuite

func (*TestSuite) BenchmarkAESGCM

func (sts *TestSuite) BenchmarkAESGCM() *BenchmarkResult

func (*TestSuite) BenchmarkArgon2

func (sts *TestSuite) BenchmarkArgon2() *BenchmarkResult

func (*TestSuite) BenchmarkChaCha20Poly1305

func (sts *TestSuite) BenchmarkChaCha20Poly1305() *BenchmarkResult

func (*TestSuite) BenchmarkEd25519

func (sts *TestSuite) BenchmarkEd25519() *BenchmarkResult

func (*TestSuite) BenchmarkTLSHandshake

func (sts *TestSuite) BenchmarkTLSHandshake() *BenchmarkResult

func (*TestSuite) GenerateSecurityReport

func (sts *TestSuite) GenerateSecurityReport() string

func (*TestSuite) RunAllTests

func (sts *TestSuite) RunAllTests() map[string]*TestResult

func (*TestSuite) RunBenchmarks

func (sts *TestSuite) RunBenchmarks() map[string]*BenchmarkResult

func (*TestSuite) RunComplianceTests

func (sts *TestSuite) RunComplianceTests() map[string]bool

func (*TestSuite) TestAntiReplay

func (sts *TestSuite) TestAntiReplay() *TestResult

func (*TestSuite) TestCertificateValidation

func (sts *TestSuite) TestCertificateValidation() *TestResult

func (*TestSuite) TestCryptographicAlgorithms

func (sts *TestSuite) TestCryptographicAlgorithms() *TestResult

func (*TestSuite) TestKeyManagement

func (sts *TestSuite) TestKeyManagement() *TestResult

func (*TestSuite) TestPerfectForwardSecrecy

func (sts *TestSuite) TestPerfectForwardSecrecy() *TestResult

func (*TestSuite) TestQuantumReadiness

func (sts *TestSuite) TestQuantumReadiness() *TestResult

func (*TestSuite) TestSecureChannels

func (sts *TestSuite) TestSecureChannels() *TestResult

func (*TestSuite) TestTLSConfiguration

func (sts *TestSuite) TestTLSConfiguration() *TestResult

type ThreatDetectionConfig

// ThreatDetectionConfig configures ThreatDetector. DefaultThreatDetectionConfig
// supplies defaults and Validate checks a populated instance.
type ThreatDetectionConfig struct {
	// Detection rules
	EnableBehavioralAnalysis bool `json:"enable_behavioral_analysis"`
	EnableSignatureDetection bool `json:"enable_signature_detection"`
	EnableAnomalyDetection   bool `json:"enable_anomaly_detection"`
	EnableMLDetection        bool `json:"enable_ml_detection"`

	// Thresholds
	HighThreatThreshold   int     `json:"high_threat_threshold"`   // Score threshold for high threats
	MediumThreatThreshold int     `json:"medium_threat_threshold"` // Score threshold for medium threats
	AnomalyThreshold      float64 `json:"anomaly_threshold"`       // Anomaly detection threshold

	// Time windows
	AnalysisWindow time.Duration `json:"analysis_window"` // Time window for analysis
	BaselinePeriod time.Duration `json:"baseline_period"` // Baseline establishment period
	AlertCooldown  time.Duration `json:"alert_cooldown"`  // Cooldown between alerts

	// Response actions
	// NOTE(review): automatic blocking keyed on source IP is a denial-of-service
	// lever if the IP can be spoofed through proxy headers or if many users
	// share a NAT address; confirm the address source and consider a
	// quarantine/alert-only mode for shared ranges.
	AutoBlockThreats      bool `json:"auto_block_threats"`      // Automatically block high threats
	AutoQuarantineThreats bool `json:"auto_quarantine_threats"` // Quarantine suspicious activities
	SendAlerts            bool `json:"send_alerts"`             // Send security alerts

	// Integration settings
	// No credential field exists for the SIEM endpoint or the feeds; how
	// these connections are authenticated (and that they use TLS) is not
	// visible here.
	SIEMIntegration  bool     `json:"siem_integration"`   // Enable SIEM integration
	SIEMEndpoint     string   `json:"siem_endpoint"`      // SIEM endpoint URL
	ThreatIntelFeeds []string `json:"threat_intel_feeds"` // Threat intelligence feeds

	// Monitoring settings
	MonitoringInterval time.Duration `json:"monitoring_interval"` // How often to run analysis
	RetentionPeriod    time.Duration `json:"retention_period"`    // How long to keep data
	MaxEvents          int           `json:"max_events"`          // Maximum events to keep in memory; bounds memory use under event floods
}

ThreatDetectionConfig contains threat detection configuration

func DefaultThreatDetectionConfig

func DefaultThreatDetectionConfig() *ThreatDetectionConfig

DefaultThreatDetectionConfig returns default configuration

func (*ThreatDetectionConfig) Validate

func (config *ThreatDetectionConfig) Validate() error

Validate validates the threat detection configuration

type ThreatDetectionResult

// ThreatDetectionResult describes one detected threat, including the
// indicators that triggered it and suggested mitigations.
type ThreatDetectionResult struct {
	ThreatID        string          `json:"threat_id"`
	ThreatType      string          `json:"threat_type"`
	ThreatLevel     string          `json:"threat_level"`
	Description     string          `json:"description"`
	DetectedAt      time.Time       `json:"detected_at"`
	SourceIP        string          `json:"source_ip"` // as observed by the detector; see SuspiciousActivity on IP trust
	TargetResource  string          `json:"target_resource"`
	AttackVector    string          `json:"attack_vector"`
	Indicators      []string        `json:"indicators"` // may echo attacker-supplied request content
	MitigationSteps []string        `json:"mitigation_steps"`
	Context         json.RawMessage `json:"context"` // opaque, undecoded
}

ThreatDetectionResult represents detected security threats

type ThreatDetectionStats

// ThreatDetectionStats is the counter snapshot returned by ThreatDetector.GetStats.
type ThreatDetectionStats struct {
	TotalEvents         int64         `json:"total_events"`
	ThreatsDetected     int64         `json:"threats_detected"`
	IncidentsCreated    int64         `json:"incidents_created"`
	AutoBlocks          int64         `json:"auto_blocks"`
	FalsePositives      int64         `json:"false_positives"`
	AverageResponseTime time.Duration `json:"average_response_time"`
	LastAnalysis        time.Time     `json:"last_analysis"`
	SystemHealth        string        `json:"system_health"`
}

ThreatDetectionStats tracks detection statistics

type ThreatDetector

type ThreatDetector struct {
	// contains filtered or unexported fields
}

ThreatDetector implements comprehensive threat detection and monitoring

func NewThreatDetector

func NewThreatDetector(config *ThreatDetectionConfig, logger *slog.Logger) (*ThreatDetector, error)

NewThreatDetector creates a new threat detector

func (*ThreatDetector) Close

func (td *ThreatDetector) Close() error

Close shuts down the threat detector

func (*ThreatDetector) GetStats

func (td *ThreatDetector) GetStats() *ThreatDetectionStats

GetStats returns threat detection statistics

func (*ThreatDetector) ProcessRequest

func (td *ThreatDetector) ProcessRequest(r *http.Request) *SecurityEvent

ProcessRequest processes an HTTP request for threat detection

type ThreatIndicator

// ThreatIndicator is an indicator of compromise (IoC), typically ingested
// from the feeds listed in ThreatDetectionConfig.ThreatIntelFeeds.
type ThreatIndicator struct {
	Type        string    `json:"type"` // ip, domain, hash, pattern
	Value       string    `json:"value"`
	Confidence  float64   `json:"confidence"`
	Source      string    `json:"source"` // originating feed; feed data is third-party input and should be validated before use
	FirstSeen   time.Time `json:"first_seen"`
	LastSeen    time.Time `json:"last_seen"`
	Description string    `json:"description"`
}

ThreatIndicator represents an indicator of compromise (IoC)

type ThreatScore

// ThreatScore is the decaying reputation score kept per IP address.
type ThreatScore struct {
	IP          string    `json:"ip"`
	Score       int       `json:"score"`
	LastUpdated time.Time `json:"last_updated"`
	Events      []string  `json:"events"`
	Category    string    `json:"category"`
	Confidence  float64   `json:"confidence"`
	DecayRate   float64   `json:"decay_rate"` // rate at which Score decays over time (units not visible here)
}

ThreatScore tracks threat scoring for IP addresses

type ThreatSignature

// ThreatSignature is a regex-based detection rule.
//
// Pattern is excluded from JSON (`json:"-"`), so after unmarshalling a
// signature Pattern is nil and must be compiled from PatternStr; callers
// must handle the regexp.Compile error rather than dereferencing a nil
// Pattern. Go's regexp is RE2-based and runs in linear time, so a hostile
// PatternStr cannot cause catastrophic backtracking, but it can still be
// large or match-everything — validate signatures from untrusted sources.
type ThreatSignature struct {
	ID          string         `json:"id"`
	Name        string         `json:"name"`
	Description string         `json:"description"`
	Pattern     *regexp.Regexp `json:"-"`
	PatternStr  string         `json:"pattern"`
	Severity    string         `json:"severity"`
	Category    string         `json:"category"`
	Enabled     bool           `json:"enabled"`
	CreatedAt   time.Time      `json:"created_at"`
	UpdatedAt   time.Time      `json:"updated_at"`
}

ThreatSignature represents a threat signature

type TicketingConfig

// TicketingConfig configures the ticketing-system integration.
type TicketingConfig struct {
	System string `json:"system"` // jira, servicenow, etc.

	Endpoint string `json:"endpoint"` // should be an https URL

	// APIKey is a credential serialized in plaintext under "api_key"; any
	// marshal or debug dump of this struct leaks it. Prefer sourcing it from
	// a secret store and redacting it in logs.
	APIKey string `json:"api_key"`

	Project string `json:"project"`
}

type TimelineEvent

// TimelineEvent is one entry in an incident timeline.
type TimelineEvent struct {
	Timestamp time.Time `json:"timestamp"`

	Type string `json:"type"`

	Description string `json:"description"`

	Actor string `json:"actor"` // who or what performed the action

	Automated bool `json:"automated"` // true when Actor is a system component rather than a person
}

type TrafficBaseline

// TrafficBaseline captures what normal traffic looks like, against which
// anomaly detection compares current activity.
// NOTE(review): a baseline learned while an attack is already underway will
// treat the attack as normal; the BaselinePeriod in ThreatDetectionConfig
// should be reviewed with that in mind.
type TrafficBaseline struct {
	RequestsPerMinute      float64         `json:"requests_per_minute"`
	AverageResponseTime    float64         `json:"average_response_time"`
	ErrorRate              float64         `json:"error_rate"`
	TopUserAgents          map[string]int  `json:"top_user_agents"` // keys are client-supplied User-Agent strings
	TopPaths               map[string]int  `json:"top_paths"`       // keys are client-supplied paths
	GeographicDistribution map[string]int  `json:"geographic_distribution"`
	TimeOfDayPatterns      map[int]float64 `json:"time_of_day_patterns"` // keyed by hour (presumed)
	EstablishedAt          time.Time       `json:"established_at"`
	LastUpdated            time.Time       `json:"last_updated"`
}

TrafficBaseline represents normal traffic patterns

type TrustDomainManager

type TrustDomainManager struct {
	// contains filtered or unexported fields
}

func NewTrustDomainManager

func NewTrustDomainManager(config *ComplianceConfig, logger logr.Logger) *TrustDomainManager

func (*TrustDomainManager) ValidateTrustDomain

func (t *TrustDomainManager) ValidateTrustDomain(spiffeID string) bool

type UserBehaviorPattern

// UserBehaviorPattern is the learned behavioral profile of one user.
// It contains personal data (device fingerprints, IP ranges, access times);
// its retention is presumably governed by ThreatDetectionConfig.RetentionPeriod — confirm.
type UserBehaviorPattern struct {
	UserID             string          `json:"user_id"`
	NormalAccessTimes  []time.Duration `json:"normal_access_times"` // offsets, not absolute times
	TypicalPaths       map[string]int  `json:"typical_paths"`
	AverageSessionTime time.Duration   `json:"average_session_time"`
	DeviceFingerprints []string        `json:"device_fingerprints"`
	IPRanges           []string        `json:"ip_ranges"`
	LastUpdated        time.Time       `json:"last_updated"`
}

UserBehaviorPattern represents user behavior patterns

type ValidationFunc

// ValidationFunc is the signature of a pluggable validation check. It
// reports whether data passed, a human-readable message, and an error for
// cases where the check itself could not run (distinct from a failed check).
type ValidationFunc func(data interface{}) (bool, string, error)

ValidationFunc defines the signature for validation functions

type ValidationReport

// ValidationReport is produced by Validator.ValidateAll for one Kubernetes
// namespace, grouping issues by control area.
type ValidationReport struct {
	Timestamp metav1.Time

	Namespace string

	Compliant bool // presumably true only when every issue list is empty — verify

	ContainerIssues []Issue

	RBACIssues []Issue

	NetworkPolicyIssues []Issue

	SecretManagementIssues []Issue

	TLSConfigurationIssues []Issue

	Score int // Security score 0-100
}

type Validator

type Validator struct {
	// contains filtered or unexported fields
}

func NewValidator

func NewValidator(client client.Client, namespace string) *Validator

func (*Validator) ValidateAll

func (v *Validator) ValidateAll(ctx context.Context) (*ValidationReport, error)

func (*Validator) ValidateContainerSecurity

func (v *Validator) ValidateContainerSecurity(ctx context.Context) ([]Issue, error)

func (*Validator) ValidateNetworkPolicies

func (v *Validator) ValidateNetworkPolicies(ctx context.Context) ([]Issue, error)

func (*Validator) ValidateRBACPermissions

func (v *Validator) ValidateRBACPermissions(ctx context.Context) ([]Issue, error)

func (*Validator) ValidateSecretManagement

func (v *Validator) ValidateSecretManagement(ctx context.Context) ([]Issue, error)

func (*Validator) ValidateTLSConfiguration

func (v *Validator) ValidateTLSConfiguration(ctx context.Context) ([]Issue, error)

type VaultAuditEntry

// VaultAuditEntry is one audit-log record for a secrets-backend operation.
// It must never carry secret values: SecretName is the identifier only, and
// Error should be checked so wrapped errors do not embed secret material.
type VaultAuditEntry struct {
	Timestamp  time.Time `json:"timestamp"`
	Operation  string    `json:"operation"`
	Principal  string    `json:"principal"`   // User or service principal
	SecretName string    `json:"secret_name"` // name/path of the secret acted on, never its value
	User       string    `json:"user"`        // duplicates Principal for compatibility with older consumers
	Resource   string    `json:"resource"`
	Success    bool      `json:"success"`
	Error      string    `json:"error,omitempty"`
	IP         string    `json:"ip,omitempty"`
	UserAgent  string    `json:"user_agent,omitempty"` // client-supplied; untrusted text
}

VaultAuditEntry represents an audit log entry for vault operations

type VaultClient

type VaultClient struct {
	// contains filtered or unexported fields
}

VaultClient represents a HashiCorp Vault client. It is currently a placeholder with no exported methods documented here; do not assume that secrets routed through it are stored in, or protected by, an actual Vault server until a real implementation is wired in.

type VaultStats

// VaultStats is a statistics snapshot for the secrets backend. Several
// values appear twice under different names for compatibility with older
// consumers (TotalSecrets/SecretsCount, LastRotation/LastRotationTime,
// LastBackup/LastBackupTime, Uptime/UptimeSeconds).
type VaultStats struct {
	// Health status
	VaultHealthy bool `json:"vault_healthy"`

	// Secret statistics
	TotalSecrets int64         `json:"total_secrets"`
	SecretsCount int           `json:"secrets_count"` // same quantity as TotalSecrets, int-typed
	BackendType  string        `json:"backend_type"`  // which secrets backend implementation is active
	SuccessRate  float64       `json:"success_rate"`  // SuccessfulOperations / TotalOperations (presumed)
	Uptime       time.Duration `json:"uptime"`        // serialized as nanoseconds; see UptimeSeconds

	// Operation statistics
	TotalOperations      int64 `json:"total_operations"`
	SuccessfulOperations int64 `json:"successful_operations"`
	FailedOperations     int64 `json:"failed_operations"`

	// Key rotation statistics
	KeyRotations     int64     `json:"key_rotations"` // number of key rotations performed
	LastRotation     time.Time `json:"last_rotation"` // same instant as LastRotationTime
	LastRotationTime time.Time `json:"last_rotation_time"`

	// Backup statistics
	BackupsCreated int64     `json:"backups_created"`
	LastBackup     time.Time `json:"last_backup"` // same instant as LastBackupTime
	LastBackupTime time.Time `json:"last_backup_time"`

	// System statistics
	CurrentKeyVersion   int     `json:"current_key_version"`
	ActiveConnections   int     `json:"active_connections"`
	AverageResponseTime float64 `json:"average_response_time_ms"`
	UptimeSeconds       int64   `json:"uptime_seconds"`
}

VaultStats represents statistics about vault operations. Several values are exposed twice under different field names for compatibility with older consumers (TotalSecrets/SecretsCount, LastRotation/LastRotationTime, LastBackup/LastBackupTime, Uptime/UptimeSeconds).

type VulnDatabase

// VulnDatabase is the in-memory vulnerability store updated by
// VulnerabilityManager.UpdateCVEDatabase and exposed via
// GetVulnerabilityDatabase. The maps are reference types: a caller holding
// the returned pointer sees (and can mutate) live state. Whether the hidden
// fields include a lock is not visible here — do not assume concurrent
// access is safe without checking.
type VulnDatabase struct {
	CVEs map[string]*CVERecord `json:"cves"`

	Dependencies map[string]*Dependency `json:"dependencies"`

	Images map[string]*ImageVuln `json:"images"`

	CodeIssues map[string]*CodeIssue `json:"code_issues"`

	LastUpdated time.Time `json:"last_updated"`
	// contains filtered or unexported fields
}

type VulnFinding

// VulnFinding is a single vulnerability found by RunComprehensiveScan.
// Note that CVSS is a float64 here but a string in Vulnerability; convert
// deliberately when correlating the two.
type VulnFinding struct {
	ID string `json:"id"`

	Type string `json:"type"` // scanner category, e.g. dependency, image, code (presumed from VulnManagerConfig)

	Severity string `json:"severity"`

	CVSS float64 `json:"cvss"`

	Title string `json:"title"`

	Description string `json:"description"`

	Component string `json:"component"`

	Version string `json:"version"`

	File string `json:"file,omitempty"` // set for code findings

	Line int `json:"line,omitempty"`

	FoundAt time.Time `json:"found_at"`

	References []string `json:"references,omitempty"`
}

type VulnManagerConfig

// VulnManagerConfig configures VulnerabilityManager.
type VulnManagerConfig struct {
	EnableCVEScanning bool `json:"enable_cve_scanning"`

	EnableDependencyCheck bool `json:"enable_dependency_check"`

	EnableImageScanning bool `json:"enable_image_scanning"`

	EnableCodeScanning bool `json:"enable_code_scanning"`

	ScanInterval time.Duration `json:"scan_interval"`

	// CVEDatabaseURL is a supply-chain input: it should be https and the
	// downloaded data should be integrity-checked before it drives
	// AutoRemediation decisions. Whether UpdateCVEDatabase does so is not
	// visible here.
	CVEDatabaseURL string `json:"cve_database_url"`

	// NVDAPIKey is a credential serialized in plaintext under "nvd_api_key";
	// keep it out of logs and prefer a secret store.
	NVDAPIKey string `json:"nvd_api_key"`

	// AutoRemediation with MaxCVSSForAuto: presumably findings scoring at or
	// below MaxCVSSForAuto are remediated without human approval — confirm
	// the comparison direction, since the name is ambiguous.
	AutoRemediation bool `json:"auto_remediation"`

	MaxCVSSForAuto float64 `json:"max_cvss_for_auto"`

	AlertThresholds *AlertConfig `json:"alert_thresholds"`

	IntegrationSettings *Integrations `json:"integrations"`
}

type VulnMetrics

// VulnMetrics is the counter snapshot returned by VulnerabilityManager.GetMetrics.
type VulnMetrics struct {
	TotalVulnerabilities int64 `json:"total_vulnerabilities"`

	CriticalVulnerabilities int64 `json:"critical_vulnerabilities"`

	HighVulnerabilities int64 `json:"high_vulnerabilities"`

	MediumVulnerabilities int64 `json:"medium_vulnerabilities"`

	LowVulnerabilities int64 `json:"low_vulnerabilities"`

	RemediatedVulnerabilities int64 `json:"remediated_vulnerabilities"`

	VulnsByType map[string]int64 `json:"vulns_by_type"`

	MTTRemediation time.Duration `json:"mtt_remediation"` // mean time to remediation

	LastScanTime time.Time `json:"last_scan_time"`

	ScanDuration time.Duration `json:"scan_duration"`
	// contains filtered or unexported fields
}

type VulnScanResults

// VulnScanResults is the output of VulnerabilityManager.RunComprehensiveScan.
type VulnScanResults struct {
	ScanID string `json:"scan_id"`

	StartTime time.Time `json:"start_time"`

	EndTime time.Time `json:"end_time"`

	Duration time.Duration `json:"duration"` // EndTime - StartTime (presumed)

	Findings []*VulnFinding `json:"findings"`

	Remediation []*RemediationSuggestion `json:"remediation"`
	// contains filtered or unexported fields
}

type Vulnerability

// Vulnerability is a network/service-level vulnerability record (it carries
// Port and Service, which VulnFinding does not). CVSS is a string here,
// unlike VulnFinding.CVSS (float64).
type Vulnerability struct {
	ID string `json:"id"`

	Title string `json:"title"`

	Description string `json:"description"`

	Severity string `json:"severity"` // Critical, High, Medium, Low

	CVE string `json:"cve,omitempty"`

	CVSS string `json:"cvss,omitempty"`

	Solution string `json:"solution,omitempty"`

	References []string `json:"references,omitempty"`

	Port int `json:"port,omitempty"`

	Service string `json:"service,omitempty"`
}

type VulnerabilityManager

type VulnerabilityManager struct {
	// contains filtered or unexported fields
}

func NewVulnerabilityManager

func NewVulnerabilityManager(config *VulnManagerConfig) (*VulnerabilityManager, error)

func (*VulnerabilityManager) GetMetrics

func (vm *VulnerabilityManager) GetMetrics() *VulnMetrics

func (*VulnerabilityManager) GetVulnerabilityDatabase

func (vm *VulnerabilityManager) GetVulnerabilityDatabase() *VulnDatabase

func (*VulnerabilityManager) RunComprehensiveScan

func (vm *VulnerabilityManager) RunComprehensiveScan(ctx context.Context) (*VulnScanResults, error)

func (*VulnerabilityManager) UpdateCVEDatabase

func (vm *VulnerabilityManager) UpdateCVEDatabase(ctx context.Context) error

type VulnerabilityScanResult

// VulnerabilityScanResult is a severity-bucketed summary of one scan.
type VulnerabilityScanResult struct {
	ScanTime time.Time

	Critical int

	High int

	Medium int

	Low int

	Informational int

	TotalFindings int // presumably the sum of the buckets above — verify

	RiskScore float64
}

type WebhookConfig

// WebhookConfig describes an outbound webhook target.
type WebhookConfig struct {
	URL string `json:"url"` // should be https; validate against SSRF if operator-editable at runtime

	// Headers may carry credentials (e.g. Authorization) and are serialized
	// in plaintext.
	Headers map[string]string `json:"headers"`

	// Secret is serialized in plaintext under "secret"; presumably used to
	// sign payloads (e.g. HMAC) — confirm. Keep it out of logs and prefer a
	// secret store.
	Secret string `json:"secret"`
}

type WebhookRateLimiter

type WebhookRateLimiter struct {
	// contains filtered or unexported fields
}

func NewWebhookRateLimiter

func NewWebhookRateLimiter(limit int, window time.Duration) *WebhookRateLimiter

func (*WebhookRateLimiter) IsAllowed

func (rl *WebhookRateLimiter) IsAllowed(ip string) bool

type WebhookSecurityError

// WebhookSecurityError is returned by WebhookSecurityValidator.ValidateRequest
// when a request fails a security check. Code is a machine-readable reason;
// Message is returned by Error() and may be surfaced to the caller, so it
// should not echo request bodies or headers verbatim.
type WebhookSecurityError struct {
	Code string

	Message string
}

func (*WebhookSecurityError) Error

func (e *WebhookSecurityError) Error() string

type WebhookSecurityValidator

type WebhookSecurityValidator struct {
	// contains filtered or unexported fields
}

func NewWebhookSecurityValidator

func NewWebhookSecurityValidator() *WebhookSecurityValidator

func (*WebhookSecurityValidator) ValidateRequest

func (v *WebhookSecurityValidator) ValidateRequest(r *http.Request) error

func (*WebhookSecurityValidator) WithAllowedUserAgent

func (v *WebhookSecurityValidator) WithAllowedUserAgent(userAgent string) *WebhookSecurityValidator

func (*WebhookSecurityValidator) WithMaxPayloadSize

func (v *WebhookSecurityValidator) WithMaxPayloadSize(size int64) *WebhookSecurityValidator

func (*WebhookSecurityValidator) WithRequiredHeaders

func (v *WebhookSecurityValidator) WithRequiredHeaders(headers []string) *WebhookSecurityValidator

type WebhookTimingValidator

type WebhookTimingValidator struct {
	// contains filtered or unexported fields
}

func NewWebhookTimingValidator

func NewWebhookTimingValidator(minTime time.Duration) *WebhookTimingValidator

func (*WebhookTimingValidator) EnsureMinimumResponseTime

func (v *WebhookTimingValidator) EnsureMinimumResponseTime(start time.Time)

type Wordlists

// Wordlists holds payload lists used for authorized security testing.
// The injection lists are attack strings: they must only ever be sent as
// test input, never interpolated into queries, commands or templates, and
// should not be treated as trusted content anywhere in the pipeline.
type Wordlists struct {
	CommonPasswords  []string `json:"common_passwords"`
	CommonPaths      []string `json:"common_paths"`
	SQLInjection     []string `json:"sql_injection"`
	XSSPayloads      []string `json:"xss_payloads"`
	CommandInjection []string `json:"command_injection"`
}

Wordlists contains various word lists for security testing

type ZeroTrustAuthenticator

type ZeroTrustAuthenticator struct {
	// contains filtered or unexported fields
}

ZeroTrustAuthenticator implements zero-trust authentication

func NewZeroTrustAuthenticator

func NewZeroTrustAuthenticator(config *ZeroTrustConfig, logger *slog.Logger) (*ZeroTrustAuthenticator, error)

NewZeroTrustAuthenticator creates a new zero-trust authenticator

func (*ZeroTrustAuthenticator) AuthenticateHTTP

func (zta *ZeroTrustAuthenticator) AuthenticateHTTP(r *http.Request) (*AuthContext, error)

AuthenticateHTTP performs HTTP authentication with zero-trust principles

func (*ZeroTrustAuthenticator) Close

func (zta *ZeroTrustAuthenticator) Close() error

Close shuts down the zero-trust authenticator

func (*ZeroTrustAuthenticator) CreateGRPCCredentials

func (zta *ZeroTrustAuthenticator) CreateGRPCCredentials() credentials.TransportCredentials

CreateGRPCCredentials creates gRPC credentials with SPIFFE authentication

func (*ZeroTrustAuthenticator) CreateHTTPMiddleware

func (zta *ZeroTrustAuthenticator) CreateHTTPMiddleware() func(http.Handler) http.Handler

CreateHTTPMiddleware creates HTTP middleware for zero-trust authentication

func (*ZeroTrustAuthenticator) GetStats

func (zta *ZeroTrustAuthenticator) GetStats() *AuthStats

GetStats returns authentication statistics

func (*ZeroTrustAuthenticator) LoadAuthzPolicy

func (zta *ZeroTrustAuthenticator) LoadAuthzPolicy(policy *AuthzPolicy) error

LoadAuthzPolicy loads an authorization policy

type ZeroTrustConfig

// ZeroTrustConfig configures ZeroTrustAuthenticator. Note the Go zero values:
// an instance built without DefaultZeroTrustConfig has DefaultDenyPolicy,
// RequireMTLS and EnableAuthzPolicies all false, i.e. fail-open; confirm
// DefaultZeroTrustConfig sets them and that NewZeroTrustAuthenticator
// rejects unsafe combinations.
type ZeroTrustConfig struct {
	// SPIFFE configuration
	SpiffeSocketPath  string   // Workload API socket
	TrustDomain       string
	ServiceSpiffeID   string
	AllowedSpiffeIDs  []string // peer identities accepted; exact-match list
	RequiredAudiences []string

	// JWT configuration
	// JWTSigningKey is a symmetric key (presumably HMAC): every holder can
	// both verify and mint tokens. It lives in memory as plain bytes; source
	// it from a secret store and never log or serialize this struct.
	JWTIssuer         string
	JWTSigningKey     []byte
	JWTExpirationTime time.Duration
	JWTRefreshWindow  time.Duration

	// Policy configuration
	EnableAuthzPolicies bool
	PolicyRefreshTime   time.Duration
	DefaultDenyPolicy   bool // should be true; requests matching no rule are otherwise allowed

	// TLS configuration
	RequireMTLS         bool
	MinTLSVersion       uint16   // crypto/tls version constant; zero means crypto/tls default
	AllowedCipherSuites []uint16 // TLS 1.2 suites only; TLS 1.3 suites are not configurable in crypto/tls

	// Service configuration
	ServiceName    string
	ServiceVersion string
	Environment    string
}

ZeroTrustConfig contains zero-trust authentication configuration

func DefaultZeroTrustConfig

func DefaultZeroTrustConfig() *ZeroTrustConfig

DefaultZeroTrustConfig returns default configuration for zero-trust authentication

type ZeroTrustGateway

type ZeroTrustGateway struct {
	// contains filtered or unexported fields
}

func NewZeroTrustGateway

func NewZeroTrustGateway(config *ComplianceConfig, logger logr.Logger) *ZeroTrustGateway

func (*ZeroTrustGateway) EnforcePolicy

func (z *ZeroTrustGateway) EnforcePolicy(request interface{}) (bool, string, error)

func (*ZeroTrustGateway) Start

func (z *ZeroTrustGateway) Start() error

func (*ZeroTrustGateway) Stop

func (z *ZeroTrustGateway) Stop()

type ZeroTrustPolicyEngine

type ZeroTrustPolicyEngine struct {
	// contains filtered or unexported fields
}

ZeroTrustPolicyEngine implements authorization policies

type ZeroTrustPolicyRule

// ZeroTrustPolicyRule is one authorization rule: when Principal, Resource,
// Action and every Condition match, Effect applies. Match semantics
// (exact vs glob/wildcard) are not visible here; with DefaultDenyPolicy
// unset, an unmatched request is allowed.
type ZeroTrustPolicyRule struct {
	Principal string            `json:"principal"` // e.g. a SPIFFE ID (presumed)
	Resource  string            `json:"resource"`
	Action    string            `json:"action"`
	Condition map[string]string `json:"condition"`
	Effect    PolicyDecision    `json:"effect"`
}

ZeroTrustPolicyRule defines a single authorization rule used by the zero-trust authorization policies; the ZeroTrust prefix distinguishes it from other policy-rule types in this package.
