Files
ewoooc/services/http_access_policy_service.py
ogt c839ac3eff
Some checks failed
CD Pipeline / deploy (push) Has been cancelled
feat(security): automate governance review and access controls
2026-07-10 18:49:32 +08:00

73 lines
1.9 KiB
Python

"""Central deny-by-default policy for sensitive HTTP surfaces."""
from __future__ import annotations
POLICY = "ewoooc_sensitive_http_access_policy_v1"
# Entire blueprints that expose business data or operator actions.
SESSION_REQUIRED_BLUEPRINTS = frozenset({
"auto_import",
"category",
"cicd",
"crawler",
"crawler_management",
"vendor",
})
# Mixed public/private blueprints use endpoint-level protection.
SESSION_REQUIRED_ENDPOINTS = frozenset({
"alert.alert_status",
"alert.test_alert",
"code_review.api_history",
"code_review.api_status",
"code_review.dashboard",
"misc.test_url",
"openclaw_bot.set_webhook",
"openclaw_bot.webhook_info",
"sales.abc_analysis_detail",
"system_public.get_logs_api",
"system_public.settings",
"system_public.show_logs",
"system_public.system_settings_page",
})
# Every anonymous GET must be intentional and small enough for public exposure.
INTENTIONALLY_PUBLIC_ENDPOINTS = frozenset({
"bot_api.bot_api_status",
"elephant_alpha.status",
"misc.brand_assets",
"system_public.favicon",
"system_public.health_check",
"system_public.prometheus_metrics",
"system_public.webcrumbs_asset_proxy",
"user_bp.get_password_reqs",
})
def is_session_required(endpoint: str | None, blueprint: str | None) -> bool:
return bool(
blueprint in SESSION_REQUIRED_BLUEPRINTS
or endpoint in SESSION_REQUIRED_ENDPOINTS
)
def enforce_http_access_policy():
"""Protect sensitive routes before their route function executes."""
from flask import request
if not is_session_required(request.endpoint, request.blueprint):
return None
from auth import require_authenticated_request
return require_authenticated_request()
__all__ = [
"POLICY",
"SESSION_REQUIRED_BLUEPRINTS",
"SESSION_REQUIRED_ENDPOINTS",
"INTENTIONALLY_PUBLIC_ENDPOINTS",
"enforce_http_access_policy",
"is_session_required",
]