stonks-oracle/infra/superset/superset_config.py

"""Apache Superset configuration for Stonks Oracle.

Security hardening applied:
- Session cookies: HttpOnly, Secure, SameSite=Lax
- Talisman CSP headers enabled
- Public role disabled (login required)
- Unsafe DB connections blocked
- Row limits enforced
"""
import os

# Superset secret key — must be set via SUPERSET_SECRET_KEY env var
SECRET_KEY = os.getenv("SUPERSET_SECRET_KEY", "stonks-dev-secret-key-change-me")

# Default Trino datasource (Hive catalog for backward compatibility)
SQLALCHEMY_DATABASE_URI = "trino://trino@trino:8080/lakehouse/stonks"

# Feature flags
FEATURE_FLAGS = {
    "ENABLE_TEMPLATE_PROCESSING": True,
}

# Additional database connections available in Superset UI:
#   Hive catalog:    trino://trino@trino:8080/lakehouse/stonks
#   Iceberg catalog: trino://trino@trino:8080/iceberg/stonks

# Cache config (Redis-backed)
CACHE_CONFIG = {
    "CACHE_TYPE": "RedisCache",
    "CACHE_DEFAULT_TIMEOUT": 300,
    "CACHE_KEY_PREFIX": "superset_",
    "CACHE_REDIS_HOST": os.getenv("REDIS_HOST", "redis"),
    "CACHE_REDIS_PORT": int(os.getenv("REDIS_PORT", "6379")),
    "CACHE_REDIS_DB": 1,
}

# --- Security hardening ---
# Disable public user role (require login)
PUBLIC_ROLE_LIKE = None

# Session cookie security
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = "Lax"

# Talisman CSP headers
TALISMAN_ENABLED = True
TALISMAN_CONFIG = {
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    },
    "force_https": False,  # TLS terminated at ingress
}

# Prevent Superset from allowing arbitrary SQL database connections
PREVENT_UNSAFE_DB_CONNECTIONS = True

# Row limit for queries
ROW_LIMIT = 50000
SQL_MAX_ROW = 100000