profit/golangLAKEHOUSE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
golangLAKEHOUSE/cmd/gateway/main.go
root fa56134b90 ADR-003 wiring: Bearer token + IP allowlist middleware 
Implements the auth posture from ADR-003 (commit 0d18ffa). Two
independent layers — Bearer token (constant-time compare via
crypto/subtle) and IP allowlist (CIDR set) — composed in shared.Run
so every binary inherits the same gate without per-binary wiring.

Together with the bind-gate from commit 6af0520, this mechanically
closes audit risks R-001 + R-007:
  - non-loopback bind without auth.token = startup refuse
  - non-loopback bind WITH auth.token + override env = allowed
  - loopback bind = all gates open (G0 dev unchanged)

internal/shared/auth.go (NEW)
  RequireAuth(cfg AuthConfig) returns chi-compatible middleware.
  Empty Token + empty AllowedIPs → pass-through (G0 dev mode).
  Token-only → 401 Bearer mismatch.
  AllowedIPs-only → 403 source IP not in CIDR set.
  Both → both gates apply.
  /health bypasses both layers (load-balancer / liveness probes
  shouldn't carry tokens).

  CIDR parsing pre-runs at boot; bare IP (no /N) treated as /32 (or
  /128 for IPv6). Invalid entries log warn and drop, fail-loud-but-
  not-fatal so a typo doesn't kill the binary.

  Token comparison: subtle.ConstantTimeCompare on the full
  "Bearer <token>" wire-format string. Length-mismatch returns 0
  (per stdlib spec), so wrong-length tokens reject without timing
  leak. Pre-encoded comparison slice stored in the middleware
  closure — one allocation per request.

  Source-IP extraction prefers net.SplitHostPort fallback to
  RemoteAddr-as-is for httptest compatibility. X-Forwarded-For
  support is a follow-up when a trusted proxy fronts the gateway
  (config knob TBD per ADR-003 §"Future").

internal/shared/server.go
  Run signature: gained AuthConfig parameter (4th arg).
  /health stays mounted on the outer router (public).
  Registered routes go inside chi.Group with RequireAuth applied —
  empty config = transparent group.
  Added requireAuthOnNonLoopback startup check: non-loopback bind
  with empty Token = refuse to start (cites R-001 + R-007 by name).

internal/shared/config.go
  AuthConfig type added with TOML tags. Fields: Token, AllowedIPs.
  Composed into Config under [auth].

cmd/<svc>/main.go × 7 (catalogd, embedd, gateway, ingestd, queryd,
storaged, vectord, mcpd is unaffected — stdio doesn't bind a port)
  Each call site adds cfg.Auth as the 4th arg to shared.Run. No
  other changes — middleware applies via shared.Run uniformly.

internal/shared/auth_test.go (12 test funcs)
  Empty config pass-through, missing-token 401, wrong-token 401,
  correct-token 200, raw-token-without-Bearer-prefix 401, /health
  always public, IP allowlist allow + reject, bare IP /32, both
  layers when both configured, invalid CIDR drop-with-warn, RemoteAddr
  shape extraction. The constant-time comparison is verified by
  inspection (comments in auth.go) plus the existence of the
  passthrough test (length-mismatch case).

Verified:
  go test -count=1 ./internal/shared/  — all green (was 21, now 33 funcs)
  just verify                            — vet + test + 9 smokes 33s
  just proof contract                    — 53/0/1 unchanged

Smokes + proof harness keep working without any token configuration:
default Auth is empty struct → middleware is no-op → existing tests
pass unchanged. To exercise the gate, operators set [auth].token in
lakehouse.toml (or, per the "future" note in the ADR, via env var).

Closes audit findings:
  R-001 HIGH — fully mechanically closed (was: partial via bind gate)
  R-007 MED  — fully mechanically closed (was: design-only ADR-003)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 07:11:34 -05:00

113 lines
3.9 KiB
Go
Raw Blame History

// gateway is the Lakehouse-Go HTTP ingress. D6 promotes the D1
// stub endpoints into real reverse-proxies fronting all four backing
// services (storaged, catalogd, ingestd, queryd) on a single bind.
//
// Routes:
// /v1/storage/* → storaged
// /v1/catalog/* → catalogd
// /v1/ingest → ingestd
// /v1/sql → queryd
//
// The /v1 prefix lives at the edge — internal services route on
// /storage, /catalog, /ingest, /sql. Per Kimi K2 finding from the
// D1 plan review: httputil.NewSingleHostReverseProxy preserves the
// inbound path by default, so the proxy helper strips /v1 in its
// Director before forwarding.
package main
import (
"flag"
"log/slog"
"net/url"
"os"
"github.com/go-chi/chi/v5"
"git.agentview.dev/profit/golangLAKEHOUSE/internal/gateway"
"git.agentview.dev/profit/golangLAKEHOUSE/internal/shared"
)
func main() {
configPath := flag.String("config", "lakehouse.toml", "path to TOML config")
flag.Parse()
cfg, err := shared.LoadConfig(*configPath)
if err != nil {
slog.Error("config", "err", err)
os.Exit(1)
}
upstreams := map[string]string{
"storaged_url": cfg.Gateway.StoragedURL,
"catalogd_url": cfg.Gateway.CatalogdURL,
"ingestd_url": cfg.Gateway.IngestdURL,
"queryd_url": cfg.Gateway.QuerydURL,
"vectord_url": cfg.Gateway.VectordURL,
"embedd_url": cfg.Gateway.EmbeddURL,
}
for k, v := range upstreams {
if v == "" {
slog.Error("config", "err", "gateway."+k+" is required")
os.Exit(1)
}
}
// Per scrum O-WARN2 (Opus): url.Parse is permissive — a typo
// like "127.0.0.1:3211" (missing scheme) parses without error
// but produces empty Host, and every proxied request 502s. Fail
// fast at startup if scheme/host are missing so misconfigs
// surface in `systemctl status gateway` rather than at first traffic.
storagedURL := mustParseUpstream("storaged_url", cfg.Gateway.StoragedURL)
catalogdURL := mustParseUpstream("catalogd_url", cfg.Gateway.CatalogdURL)
ingestdURL := mustParseUpstream("ingestd_url", cfg.Gateway.IngestdURL)
querydURL := mustParseUpstream("queryd_url", cfg.Gateway.QuerydURL)
vectordURL := mustParseUpstream("vectord_url", cfg.Gateway.VectordURL)
embeddURL := mustParseUpstream("embedd_url", cfg.Gateway.EmbeddURL)
storagedProxy := gateway.NewProxyHandler(storagedURL)
catalogdProxy := gateway.NewProxyHandler(catalogdURL)
ingestdProxy := gateway.NewProxyHandler(ingestdURL)
querydProxy := gateway.NewProxyHandler(querydURL)
vectordProxy := gateway.NewProxyHandler(vectordURL)
embeddProxy := gateway.NewProxyHandler(embeddURL)
if err := shared.Run("gateway", cfg.Gateway.Bind, func(r chi.Router) {
// Storage / catalog have multi-segment paths under their
// prefix (e.g. /v1/storage/get/<key>). chi's `*` wildcard
// captures the rest of the path.
r.Handle("/v1/storage/*", storagedProxy)
r.Handle("/v1/catalog/*", catalogdProxy)
// Ingest + sql are single endpoints. We accept any method
// (GET/POST/etc) and let the backing service decide. ingestd
// only accepts POST; queryd only accepts POST. Other methods
// will get the backend's 405.
r.Handle("/v1/ingest", ingestdProxy)
r.Handle("/v1/sql", querydProxy)
// Vector search routes — /v1/vectors/index, /v1/vectors/index/{name}/...
r.Handle("/v1/vectors/*", vectordProxy)
// Embedding service — /v1/embed
r.Handle("/v1/embed", embeddProxy)
}, cfg.Auth); err != nil {
slog.Error("server", "err", err)
os.Exit(1)
}
}
// mustParseUpstream parses an upstream URL string and validates that
// scheme + host are non-empty. Exits the process on failure — gateway
// can't function without a valid upstream so failing fast is the
// right call. Per scrum O-WARN2.
func mustParseUpstream(name, raw string) *url.URL {
u, err := url.Parse(raw)
if err != nil {
slog.Error("config", "err", "parse "+name+": "+err.Error())
os.Exit(1)
}
if u.Scheme == "" || u.Host == "" {
slog.Error("config", "err", name+" must include scheme + host (got "+raw+")")
os.Exit(1)
}
return u
}
Reference in New Issue View Git Blame Copy Permalink