akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
1,798 Commits 11 Branches 107 Tags
6e0cb3f89a99fe052d431d3797326ba4bdd92fcd
Commit Graph

4 Commits

Author SHA1 Message Date
GitHub Actions
2f44da2c34 feat(security): add plugin signature allowlisting and security hardening 
Implement Phase 3 of Custom DNS Provider Plugin Support with comprehensive
security controls for external plugin loading.

Add CHARON_PLUGIN_SIGNATURES env var for SHA-256 signature allowlisting
Support permissive (unset), strict ({}), and allowlist modes
Add directory permission verification (reject world-writable)
Configure container with non-root user and read-only plugin mount option
Add 22+ security tests for permissions, signatures, and allowlist logic
Create plugin-security.md operator documentation
Security controls:

Signature verification with sha256: prefix requirement
World-writable directory rejection
Non-root container execution (charon user UID 1000)
Read-only mount support for production deployments
Documented TOCTOU mitigation with atomic deployment workflow
 2026-01-14 19:59:41 +00:00
GitHub Actions
77a020b4db feat: registry-driven DNS provider type discovery 
Phase 1 of Custom DNS Provider Plugin Support: the /api/v1/dns-providers/types
endpoint now returns types dynamically from the dnsprovider.Global() registry
instead of a hardcoded list.

Backend handler queries registry for all provider types, metadata, and fields
Response includes is_built_in flag to distinguish plugins from built-ins
Frontend types updated with DNSProviderField interface and new response shape
Fixed flaky WAF exclusion test (isolated file-based SQLite DB)
Updated operator docs for registry-driven discovery and plugin installation
Refs: #461
 2026-01-14 18:05:46 +00:00
GitHub Actions
4adcd9eda1 feat: add nightly branch workflow 2026-01-13 22:11:35 +00:00
GitHub Actions
b86aa3921b feat(dns): add custom DNS provider plugin system 
- Add plugin interface with lifecycle hooks (Init/Cleanup)
- Implement thread-safe provider registry
- Add plugin loader with SHA-256 signature verification
- Migrate 10 built-in providers to registry pattern
- Add multi-credential support to plugin interface
- Create plugin management UI with enable/disable controls
- Add dynamic credential fields based on provider metadata
- Include PowerDNS example plugin
- Add comprehensive user & developer documentation
- Fix frontend test hang (33min → 1.5min, 22x faster)

Platform: Linux/macOS only (Go plugin limitation)
Security: Signature verification, directory permission checks

Backend coverage: 85.1%
Frontend coverage: 85.31%

Closes: DNS Challenge Future Features - Phase 5
 2026-01-07 02:54:01 +00:00