loki-mode 5.35.0 → 5.37.0

package/dashboard/auth.py

@@ -4,13 +4,19 @@ Optional Authentication Module for Loki Mode Dashboard.
 Enterprise feature - disabled by default.
 Enable with LOKI_ENTERPRISE_AUTH=true environment variable.
 
+OIDC/SSO support (optional) - enable with LOKI_OIDC_ISSUER + LOKI_OIDC_CLIENT_ID.
+Supports enterprise SSO providers (Okta, Azure AD, Google Workspace).
+
 Token storage: ~/.loki/dashboard/tokens.json
 """
 
+import base64
 import hashlib
 import json
 import os
 import secrets
+import time
+import urllib.request
 from datetime import datetime, timezone
 from pathlib import Path
 from typing import Optional
@@ -23,6 +29,24 @@ ENTERPRISE_AUTH_ENABLED = os.environ.get("LOKI_ENTERPRISE_AUTH", "").lower() in
 TOKEN_DIR = Path.home() / ".loki" / "dashboard"
 TOKEN_FILE = TOKEN_DIR / "tokens.json"
 
+# OIDC Configuration (optional - disabled by default)
+OIDC_ISSUER = os.environ.get("LOKI_OIDC_ISSUER", "")  # e.g., https://accounts.google.com
+OIDC_CLIENT_ID = os.environ.get("LOKI_OIDC_CLIENT_ID", "")
+OIDC_AUDIENCE = os.environ.get("LOKI_OIDC_AUDIENCE", "")  # Usually same as client_id
+OIDC_ENABLED = bool(OIDC_ISSUER and OIDC_CLIENT_ID)
+
+if OIDC_ENABLED:
+    import logging as _logging
+    _logging.getLogger("loki.auth").warning(
+        "OIDC/SSO enabled (EXPERIMENTAL). Claims-based validation only -- "
+        "JWT signatures are NOT cryptographically verified. Install PyJWT + "
+        "cryptography for production signature verification."
+    )
+
+# OIDC JWKS cache (issuer URL -> (keys_dict, fetch_timestamp))
+_oidc_jwks_cache = {}  # type: dict[str, tuple[dict, float]]
+_OIDC_CACHE_TTL = 3600  # Cache JWKS for 1 hour
+
 # Security scheme (optional)
 security = HTTPBearer(auto_error=False)
 
@@ -53,9 +77,20 @@ def _save_tokens(tokens: dict) -> None:
         json.dump(tokens, f, indent=2, default=str)
 
 
-def _hash_token(token: str) -> str:
-    """Hash a token for storage."""
-    return hashlib.sha256(token.encode()).hexdigest()
+def _hash_token(token: str, salt: str = None) -> tuple[str, str]:
+    """Hash a token for storage with a per-token random salt.
+
+    Args:
+        token: The raw token string to hash.
+        salt: Optional salt. If None, a new random salt is generated.
+
+    Returns:
+        Tuple of (hex_digest, salt).
+    """
+    if salt is None:
+        salt = secrets.token_hex(16)
+    digest = hashlib.sha256((salt + token).encode()).hexdigest()
+    return digest, salt
 
 
 def _constant_time_compare(a: str, b: str) -> bool:
@@ -94,7 +129,7 @@ def generate_token(
 
     # Generate secure random token
     raw_token = f"loki_{secrets.token_urlsafe(32)}"
-    token_hash = _hash_token(raw_token)
+    token_hash, token_salt = _hash_token(raw_token)
     token_id = token_hash[:12]
 
     tokens = _load_tokens()
@@ -114,6 +149,7 @@ def generate_token(
         "id": token_id,
         "name": name,
         "hash": token_hash,
+        "salt": token_salt,
         "scopes": scopes or ["*"],
         "created_at": datetime.now(timezone.utc).isoformat(),
         "expires_at": expires_at,
@@ -229,11 +265,12 @@ def validate_token(raw_token: str) -> Optional[dict]:
     if not raw_token or not raw_token.startswith("loki_"):
         return None
 
-    token_hash = _hash_token(raw_token)
     tokens = _load_tokens()
 
     # Find matching token (using constant-time comparison to prevent timing attacks)
     for token in tokens["tokens"].values():
+        stored_salt = token.get("salt", "")
+        token_hash, _ = _hash_token(raw_token, salt=stored_salt)
         if _constant_time_compare(token["hash"], token_hash):
             # Check if revoked
             if token.get("revoked"):
@@ -273,6 +310,121 @@ def has_scope(token_info: dict, required_scope: str) -> bool:
     return "*" in scopes or required_scope in scopes
 
 
+# ---------------------------------------------------------------------------
+# OIDC / SSO Support (optional - disabled by default)
+# ---------------------------------------------------------------------------
+
+
+def _get_oidc_config() -> dict:
+    """Fetch OIDC discovery document from the issuer.
+
+    Results are not cached here; callers should use _get_jwks() which
+    handles caching internally.
+    """
+    if not OIDC_ISSUER:
+        return {}
+    url = f"{OIDC_ISSUER.rstrip('/')}/.well-known/openid-configuration"
+    try:
+        with urllib.request.urlopen(url, timeout=10) as resp:
+            return json.loads(resp.read())
+    except Exception:
+        return {}
+
+
+def _get_jwks() -> dict:
+    """Fetch and cache JWKS keys from the OIDC provider.
+
+    Keys are cached for 1 hour (controlled by _OIDC_CACHE_TTL).
+    """
+    global _oidc_jwks_cache
+    now = time.time()
+
+    cached = _oidc_jwks_cache.get(OIDC_ISSUER)
+    if cached:
+        keys, fetched_at = cached
+        if now - fetched_at < _OIDC_CACHE_TTL:
+            return keys
+
+    config = _get_oidc_config()
+    jwks_uri = config.get("jwks_uri")
+    if not jwks_uri:
+        return {"keys": []}
+    try:
+        with urllib.request.urlopen(jwks_uri, timeout=10) as resp:
+            keys = json.loads(resp.read())
+            _oidc_jwks_cache[OIDC_ISSUER] = (keys, now)
+            return keys
+    except Exception:
+        return {"keys": []}
+
+
+def _base64url_decode(data: str) -> bytes:
+    """Decode base64url-encoded data with padding correction."""
+    padding = 4 - len(data) % 4
+    if padding != 4:
+        data += "=" * padding
+    return base64.urlsafe_b64decode(data)
+
+
+def validate_oidc_token(token_str: str) -> Optional[dict]:
+    """Validate an OIDC JWT token.
+
+    Returns decoded user info dict if valid, None if invalid.
+
+    This is a claims-based validation that checks:
+    - Token structure (3 base64url-encoded parts)
+    - Issuer matches OIDC_ISSUER
+    - Audience matches OIDC_AUDIENCE or OIDC_CLIENT_ID
+    - Token is not expired
+
+    NOTE: Full cryptographic signature verification requires an RSA
+    library (e.g., PyJWT + cryptography). This implementation validates
+    claims and relies on HTTPS transport security for the token. For
+    production deployments with untrusted networks, consider adding
+    PyJWT for full signature verification.
+    """
+    if not OIDC_ENABLED:
+        return None
+
+    try:
+        parts = token_str.split(".")
+        if len(parts) != 3:
+            return None
+
+        # Decode payload (claims)
+        claims = json.loads(_base64url_decode(parts[1]))
+
+        # Validate issuer
+        if claims.get("iss") != OIDC_ISSUER:
+            return None
+
+        # Validate audience
+        aud = claims.get("aud")
+        expected_aud = OIDC_AUDIENCE or OIDC_CLIENT_ID
+        if isinstance(aud, list):
+            if expected_aud not in aud:
+                return None
+        elif aud != expected_aud:
+            return None
+
+        # Validate expiration
+        exp = claims.get("exp")
+        if exp and datetime.now(timezone.utc).timestamp() > exp:
+            return None
+
+        # Return user info from claims
+        return {
+            "id": claims.get("sub", ""),
+            "name": claims.get("name", claims.get("email", claims.get("sub", ""))),
+            "email": claims.get("email", ""),
+            "scopes": ["*"],  # OIDC users get full access
+            "auth_method": "oidc",
+            "issuer": claims.get("iss"),
+        }
+    except Exception:
+        return None
+
+
 # FastAPI dependency for optional auth
 async def get_current_token(
     request: Request,
@@ -281,33 +433,43 @@ async def get_current_token(
     """
     FastAPI dependency for optional token authentication.
 
-    When LOKI_ENTERPRISE_AUTH is enabled:
-        - Requires valid Bearer token
-        - Returns token info
+    Supports two auth methods (tried in order):
+    1. OIDC/SSO (when LOKI_OIDC_ISSUER + LOKI_OIDC_CLIENT_ID are set)
+    2. Token auth (when LOKI_ENTERPRISE_AUTH=true)
 
-    When disabled:
+    When neither is enabled:
         - Returns None (allows anonymous access)
     """
-    if not ENTERPRISE_AUTH_ENABLED:
-        # Auth disabled - allow anonymous
+    if not ENTERPRISE_AUTH_ENABLED and not OIDC_ENABLED:
+        # No auth configured - allow anonymous
         return None
 
     if not credentials:
         raise HTTPException(
             status_code=401,
-            detail="Authentication required (enterprise mode)",
+            detail="Authentication required",
             headers={"WWW-Authenticate": "Bearer"},
         )
 
-    token_info = validate_token(credentials.credentials)
-    if not token_info:
-        raise HTTPException(
-            status_code=401,
-            detail="Invalid, expired, or revoked token",
-            headers={"WWW-Authenticate": "Bearer"},
-        )
+    token_str = credentials.credentials
 
-    return token_info
+    # Try OIDC first (JWTs are typically longer and don't start with loki_)
+    if OIDC_ENABLED and not token_str.startswith("loki_"):
+        oidc_result = validate_oidc_token(token_str)
+        if oidc_result:
+            return oidc_result
+
+    # Fall back to token auth
+    if ENTERPRISE_AUTH_ENABLED:
+        token_info = validate_token(token_str)
+        if token_info:
+            return token_info
+
+    raise HTTPException(
+        status_code=401,
+        detail="Invalid, expired, or revoked token",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
 
 
 def require_scope(scope: str):
@@ -318,7 +480,7 @@ def require_scope(scope: str):
         @app.get("/admin", dependencies=[Depends(require_scope("admin"))])
     """
     async def check_scope(token_info: Optional[dict] = Security(get_current_token)):
-        if not ENTERPRISE_AUTH_ENABLED:
+        if not ENTERPRISE_AUTH_ENABLED and not OIDC_ENABLED:
             return  # No auth required
 
         if not token_info:
@@ -334,5 +496,10 @@ def require_scope(scope: str):
 
 
 def is_enterprise_mode() -> bool:
-    """Check if enterprise mode is enabled."""
+    """Check if enterprise mode is enabled (token auth or OIDC)."""
     return ENTERPRISE_AUTH_ENABLED
+
+
+def is_oidc_mode() -> bool:
+    """Check if OIDC/SSO authentication is enabled."""
+    return OIDC_ENABLED

package/dashboard/requirements.txt

@@ -1,8 +1,8 @@
 # Loki Mode Dashboard Dependencies
-fastapi>=0.109.0
-uvicorn[standard]>=0.27.0
-sqlalchemy>=2.0.0
-aiosqlite>=0.19.0
-greenlet>=3.0.0
-pydantic>=2.0.0
-websockets>=12.0
+fastapi==0.115.6
+uvicorn[standard]==0.34.0
+sqlalchemy==2.0.36
+aiosqlite==0.20.0
+greenlet==3.1.1
+pydantic==2.10.4
+websockets==14.1

package/dashboard/secrets.py

@@ -0,0 +1,152 @@
+"""
+Secret management utilities for Loki Mode.
+
+Provides:
+- API key validation (format checks, not auth checks)
+- Credential rotation detection
+- Secure environment loading with masking
+- Secret file support (Docker/K8s secret mounts)
+"""
+
+import hashlib
+import json
+import os
+import re
+from pathlib import Path
+from typing import Optional
+
+# Known API key patterns for format validation
+_KEY_PATTERNS = {
+    "ANTHROPIC_API_KEY": re.compile(r"^sk-ant-[a-zA-Z0-9_-]{90,}$"),
+    "OPENAI_API_KEY": re.compile(r"^sk-[a-zA-Z0-9_-]{40,}$"),
+    "GOOGLE_API_KEY": re.compile(r"^AI[a-zA-Z0-9_-]{30,}$"),
+}
+
+# Secret file mount paths (Docker/K8s convention)
+_SECRET_MOUNT_PATHS = [
+    "/run/secrets",           # Docker secrets
+    "/var/run/secrets",       # K8s secrets
+]
+
+
+def validate_api_key(key_name: str, key_value: str) -> dict:
+    """Validate an API key format (not authentication).
+
+    Returns dict with: valid (bool), masked (str), warning (str or None)
+    """
+    if not key_value:
+        return {"valid": False, "masked": "", "warning": "Key is empty"}
+
+    masked = key_value[:8] + "..." + key_value[-4:] if len(key_value) > 16 else "***"
+
+    pattern = _KEY_PATTERNS.get(key_name)
+    if pattern and not pattern.match(key_value):
+        return {
+            "valid": False,
+            "masked": masked,
+            "warning": f"Key format does not match expected pattern for {key_name}",
+        }
+
+    return {"valid": True, "masked": masked, "warning": None}
+
+
+def load_secret_from_file(key_name: str) -> Optional[str]:
+    """Load a secret from Docker/K8s secret mount paths.
+
+    Checks /run/secrets/{key_name} and /var/run/secrets/{key_name}.
+    Returns the secret value or None.
+    """
+    lower_name = key_name.lower()
+    for mount_path in _SECRET_MOUNT_PATHS:
+        secret_file = Path(mount_path) / lower_name
+        if secret_file.exists():
+            try:
+                return secret_file.read_text().strip()
+            except (PermissionError, IOError):
+                pass
+    return None
+
+
+def load_secrets() -> dict:
+    """Load all API keys with secret file fallback.
+
+    Priority: Environment variable > Secret file mount > None
+    Returns dict of key_name -> {source, set, masked, valid_format, warning}
+    """
+    keys = ["ANTHROPIC_API_KEY", "OPENAI_API_KEY", "GOOGLE_API_KEY"]
+    result = {}
+
+    for key_name in keys:
+        env_value = os.environ.get(key_name, "")
+        file_value = load_secret_from_file(key_name)
+
+        if env_value:
+            value = env_value
+            source = "environment"
+        elif file_value:
+            value = file_value
+            source = "secret_file"
+            # Set in environment for child processes
+            os.environ[key_name] = value
+        else:
+            value = ""
+            source = "not_set"
+
+        validation = validate_api_key(key_name, value)
+        result[key_name] = {
+            "source": source,
+            "set": bool(value),
+            "masked": validation["masked"],
+            "valid_format": validation["valid"],
+            "warning": validation["warning"],
+        }
+
+    return result
+
+
+def get_key_fingerprint(key_value: str) -> str:
+    """Get a stable fingerprint for a key (for rotation detection).
+
+    Uses first 8 chars of SHA-256 hash. Safe to log/store.
+    """
+    if not key_value:
+        return ""
+    return hashlib.sha256(key_value.encode()).hexdigest()[:8]
+
+
+def check_rotation(state_file: str = ".loki/state/key-fingerprints.json") -> list:
+    """Check if any API keys have been rotated since last check.
+
+    Compares current key fingerprints against stored fingerprints.
+    Returns list of rotated key names.
+    """
+    state_path = Path(state_file)
+
+    # Get current fingerprints
+    current = {}
+    for key_name in ["ANTHROPIC_API_KEY", "OPENAI_API_KEY", "GOOGLE_API_KEY"]:
+        value = os.environ.get(key_name, "")
+        if value:
+            current[key_name] = get_key_fingerprint(value)
+
+    # Load previous fingerprints
+    previous = {}
+    if state_path.exists():
+        try:
+            previous = json.loads(state_path.read_text())
+        except Exception:
+            pass
+
+    # Detect rotations
+    rotated = []
+    for key_name, fp in current.items():
+        prev_fp = previous.get(key_name)
+        if prev_fp and prev_fp != fp:
+            rotated.append(key_name)
+
+    # Save current fingerprints
+    if current:
+        state_path.parent.mkdir(parents=True, exist_ok=True)
+        state_path.write_text(json.dumps(current, indent=2))
+
+    return rotated