phase 14-15: docker build validation and helm deployment

infra/superset/superset_config.py

@@ -1,10 +1,18 @@
-"""Apache Superset configuration for Stonks Oracle."""
+"""Apache Superset configuration for Stonks Oracle.
+
+Security hardening applied:
+- Session cookies: HttpOnly, Secure, SameSite=Lax
+- Talisman CSP headers enabled
+- Public role disabled (login required)
+- Unsafe DB connections blocked
+- Row limits enforced
+"""
 import os
 
-# Superset secret key
+# Superset secret key — must be set via SUPERSET_SECRET_KEY env var
 SECRET_KEY = os.getenv("SUPERSET_SECRET_KEY", "stonks-dev-secret-key-change-me")
 
-# Trino datasource
+# Default Trino datasource (Hive catalog for backward compatibility)
 SQLALCHEMY_DATABASE_URI = "trino://trino@trino:8080/lakehouse/stonks"
 
 # Feature flags
@@ -12,6 +20,10 @@ FEATURE_FLAGS = {
     "ENABLE_TEMPLATE_PROCESSING": True,
 }
 
+# Additional database connections available in Superset UI:
+#   Hive catalog:    trino://trino@trino:8080/lakehouse/stonks
+#   Iceberg catalog: trino://trino@trino:8080/iceberg/stonks
+
 # Cache config (Redis-backed)
 CACHE_CONFIG = {
     "CACHE_TYPE": "RedisCache",
@@ -21,3 +33,31 @@ CACHE_CONFIG = {
     "CACHE_REDIS_PORT": int(os.getenv("REDIS_PORT", "6379")),
     "CACHE_REDIS_DB": 1,
 }
+
+# --- Security hardening ---
+# Disable public user role (require login)
+PUBLIC_ROLE_LIKE = None
+
+# Session cookie security
+SESSION_COOKIE_HTTPONLY = True
+SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_SAMESITE = "Lax"
+
+# Talisman CSP headers
+TALISMAN_ENABLED = True
+TALISMAN_CONFIG = {
+    "content_security_policy": {
+        "default-src": ["'self'"],
+        "img-src": ["'self'", "data:"],
+        "style-src": ["'self'", "'unsafe-inline'"],
+        "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+    },
+    "force_https": False,  # TLS terminated at ingress
+}
+
+# Prevent Superset from allowing arbitrary SQL database connections
+PREVENT_UNSAFE_DB_CONNECTIONS = True
+
+# Row limit for queries
+ROW_LIMIT = 50000
+SQL_MAX_ROW = 100000