feat(security): implement self-lockout protection and admin whitelist

- Added SecurityConfig model to manage Cerberus settings including admin whitelist and break-glass token. - Introduced SecurityService for handling security configurations and token generation. - Updated Manager to check for admin whitelist before applying configurations to prevent accidental lockouts. - Enhanced frontend with hooks and API calls for managing security settings and generating break-glass tokens. - Updated documentation to include self-lockout protection measures and best practices for using Cerberus.
2025-12-01 18:10:58 +00:00
parent 26c4acffb0
commit 53765afd35
27 changed files with 1490 additions and 323 deletions
@@ -0,0 +1,60 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+import { getSecurityStatus, getSecurityConfig, updateSecurityConfig, generateBreakGlassToken, enableCerberus, disableCerberus } from '../api/security'
+import toast from 'react-hot-toast'
+
+export function useSecurityStatus() {
+  return useQuery({ queryKey: ['securityStatus'], queryFn: getSecurityStatus })
+}
+
+export function useSecurityConfig() {
+  return useQuery({ queryKey: ['securityConfig'], queryFn: getSecurityConfig })
+}
+
+export function useUpdateSecurityConfig() {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (payload: any) => updateSecurityConfig(payload),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['securityConfig'] })
+      qc.invalidateQueries({ queryKey: ['securityStatus'] })
+      toast.success('Security configuration updated')
+    },
+    onError: (err: Error) => {
+      toast.error(`Failed to update security settings: ${err.message}`)
+    },
+  })
+}
+
+export function useGenerateBreakGlassToken() {
+  return useMutation({ mutationFn: () => generateBreakGlassToken() })
+}
+
+export function useEnableCerberus() {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (payload?: any) => enableCerberus(payload),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['securityConfig'] })
+      qc.invalidateQueries({ queryKey: ['securityStatus'] })
+      toast.success('Cerberus enabled')
+    },
+    onError: (err: Error) => {
+      toast.error(`Failed to enable Cerberus: ${err.message}`)
+    },
+  })
+}
+
+export function useDisableCerberus() {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: (payload?: any) => disableCerberus(payload),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['securityConfig'] })
+      qc.invalidateQueries({ queryKey: ['securityStatus'] })
+      toast.success('Cerberus disabled')
+    },
+    onError: (err: Error) => {
+      toast.error(`Failed to disable Cerberus: ${err.message}`)
+    },
+  })
+}