feat(feedbacksystem): add brute force protection configuration (#84)

* feat(feedbacksystem): add brute force protection configuration * chore(feedbacksystem): bump version to 0.31.0
thm-mni-ii · Nov 15, 2023 · 5c9c106 · 5c9c106
1 parent 4c95e9e
commit 5c9c106
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 1 deletion.
diff --git a/charts/feedbacksystem/Chart.yaml b/charts/feedbacksystem/Chart.yaml
@@ -6,7 +6,7 @@ sources:
   - https://github.com/thm-mni-ii/feedbacksystem
 home: https://github.com/thm-mni-ii/feedbacksystem
 type: application
-version: 0.30.0
+version: 0.31.0
 # renovate: image=thmmniii/fbs-core
 appVersion: v1.12.0
 dependencies:

diff --git a/charts/feedbacksystem/templates/config.yaml b/charts/feedbacksystem/templates/config.yaml
@@ -49,3 +49,13 @@ metadata:
 data:
   bind_password: {{ .Values.core.config.ldap.bind.password | b64enc | quote }}
 {{ end }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-anti-brute-force
+data:
+  trusted_proxy_count: {{ .Values.core.config.antiBruteForce.trustedProxyCount | quote }}
+  interval: {{ .Values.core.config.antiBruteForce.interval | quote }}
+  max_attempts: {{ .Values.core.config.antiBruteForce.maxAttempts | quote }}
+  allow_list: {{ .Values.core.config.antiBruteForce.allowList | join "," | quote }}
diff --git a/charts/feedbacksystem/templates/core.yaml b/charts/feedbacksystem/templates/core.yaml
@@ -186,6 +186,26 @@ spec:
                 name: {{ .Release.Name }}-ldap
                 key: attribute_mail
           {{ end }}
+          - name: TRUSTED_PROXIES
+            valueFrom:
+              configMapKeyRef:
+                name: {{ .Release.Name }}-anti-brute-force
+                key: trusted_proxy_count
+          - name: BRUTEFORCE_INTERVAL
+            valueFrom:
+              configMapKeyRef:
+                name: {{ .Release.Name }}-anti-brute-force
+                key: interval
+          - name: BRUTEFORCE_ATTEMPTS
+            valueFrom:
+              configMapKeyRef:
+                name: {{ .Release.Name }}-anti-brute-force
+                key: max_attempts
+          - name: BRUTEFORCE_ALLOW_LIST
+            valueFrom:
+              configMapKeyRef:
+                name: {{ .Release.Name }}-anti-brute-force
+                key: allow_list
         resources:
           requests:
             cpu: {{ .Values.core.resources.cpu.request }}

diff --git a/charts/feedbacksystem/values.yaml b/charts/feedbacksystem/values.yaml
@@ -47,6 +47,11 @@ core:
     digitalClassroom:  # Overwritten if digitalClassroom.enabled
       url: "https://bbb.feedback.example.org"
       secret: "1234"
+    antiBruteForce:
+      trustedProxyCount: 0
+      interval: 600
+      maxAttempts: 10
+      allowList: []
   ingressRoute:
     enabled: false