814197cfd3
ADR-003 locked the auth substrate; ADR-006 ratifies the operator
playbook + adds two implementation pieces needed for Sprint 4
deployment: env-resolved tokens and dual-token rotation.
Six decisions locked in docs/DECISIONS.md:
- 6.1: Non-loopback bind requires auth.token (mechanical gate at
shared.Run, already implemented; this ratifies it).
- 6.2: Token from env, not TOML. /etc/lakehouse/auth.env (mode 0600)
loaded by systemd EnvironmentFile=. New TokenEnv field on
AuthConfig defaults to "AUTH_TOKEN".
- 6.3: AllowedIPs for inter-service same-trust-domain; Token for
cross-trust-boundary (gateway ↔ external).
- 6.4: /health stays unauthenticated; everything else under
shared.Run is gated. Already implemented; ratified here.
- 6.5: Token rotation is dual-token. New SecondaryTokens []string
on AuthConfig — both primary and any secondary pass auth
during the rotation window. Implemented in this commit.
- 6.6: TLS terminates at the network edge (nginx/Caddy), not
in-process. Daemons stay HTTP-only; internal traffic stays
on private subnets per Decision 6.3.
Implementation:
- internal/shared/config.go: AuthConfig gains TokenEnv +
SecondaryTokens fields. New resolveAuthFromEnv() called by
LoadConfig fills Token from os.Getenv(TokenEnv) when Token is
empty. TokenEnv defaults to "AUTH_TOKEN" so the happy path needs
no TOML config.
- internal/shared/auth.go: RequireAuth pre-encodes Bearer headers
for primary + every secondary token; per-request constant-time
compare walks the slice. Fast path is 1 compare (primary).
Tests:
- TestLoadConfig_AuthTokenFromEnv (3 sub-tests): default env name,
custom token_env, explicit Token wins over env.
- TestRequireAuth_SecondaryTokenAccepted: both primary + secondary
tokens pass during rotation window.
- TestRequireAuth_SecondaryTokensOnly: only-secondary path works
for the case where primary was just promoted-to-empty mid-rotation.
go test ./internal/shared all green; existing auth_test.go
unchanged (constant-time compare path preserved).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
247 lines
8.2 KiB
Go
247 lines
8.2 KiB
Go
package shared
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
)
|
|
|
|
// Closes the audit's R-001 + R-007 mechanically once auth is wired
|
|
// per ADR-003. Tests cover: pass-through on empty config, token
|
|
// gate (401 on missing/wrong, 200 on correct), IP gate (403 on
|
|
// disallowed, 200 on allowed), /health bypass, both-layers when
|
|
// both configured, and constant-time comparison usage.
|
|
|
|
func mountWithAuth(cfg AuthConfig) http.Handler {
|
|
r := chi.NewRouter()
|
|
r.Get("/health", func(w http.ResponseWriter, _ *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte("ok"))
|
|
})
|
|
r.Group(func(authed chi.Router) {
|
|
authed.Use(RequireAuth(cfg))
|
|
authed.Get("/data", func(w http.ResponseWriter, _ *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte("private"))
|
|
})
|
|
})
|
|
return r
|
|
}
|
|
|
|
func get(t *testing.T, srv *httptest.Server, path string, header string) (int, string) {
|
|
t.Helper()
|
|
req, err := http.NewRequest(http.MethodGet, srv.URL+path, nil)
|
|
if err != nil {
|
|
t.Fatalf("NewRequest: %v", err)
|
|
}
|
|
if header != "" {
|
|
req.Header.Set("Authorization", header)
|
|
}
|
|
resp, err := http.DefaultClient.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("Do: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
buf := make([]byte, 1024)
|
|
n, _ := resp.Body.Read(buf)
|
|
return resp.StatusCode, string(buf[:n])
|
|
}
|
|
|
|
func TestRequireAuth_EmptyConfig_PassesThrough(t *testing.T) {
|
|
srv := httptest.NewServer(mountWithAuth(AuthConfig{}))
|
|
defer srv.Close()
|
|
|
|
if status, _ := get(t, srv, "/data", ""); status != http.StatusOK {
|
|
t.Errorf("empty config should pass through, got status %d", status)
|
|
}
|
|
if status, _ := get(t, srv, "/health", ""); status != http.StatusOK {
|
|
t.Errorf("/health on empty config should pass, got %d", status)
|
|
}
|
|
}
|
|
|
|
func TestRequireAuth_TokenSet_RejectsMissing(t *testing.T) {
|
|
srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"}))
|
|
defer srv.Close()
|
|
|
|
if status, _ := get(t, srv, "/data", ""); status != http.StatusUnauthorized {
|
|
t.Errorf("missing Authorization should return 401, got %d", status)
|
|
}
|
|
}
|
|
|
|
func TestRequireAuth_TokenSet_RejectsWrong(t *testing.T) {
|
|
srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"}))
|
|
defer srv.Close()
|
|
|
|
if status, _ := get(t, srv, "/data", "Bearer wrong-token"); status != http.StatusUnauthorized {
|
|
t.Errorf("wrong token should return 401, got %d", status)
|
|
}
|
|
}
|
|
|
|
func TestRequireAuth_TokenSet_AcceptsCorrect(t *testing.T) {
|
|
srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"}))
|
|
defer srv.Close()
|
|
|
|
status, body := get(t, srv, "/data", "Bearer secret123")
|
|
if status != http.StatusOK {
|
|
t.Errorf("correct Bearer should return 200, got %d", status)
|
|
}
|
|
if body != "private" {
|
|
t.Errorf("expected 'private' body, got %q", body)
|
|
}
|
|
}
|
|
|
|
func TestRequireAuth_TokenSet_HealthRemainsPublic(t *testing.T) {
|
|
srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"}))
|
|
defer srv.Close()
|
|
|
|
if status, _ := get(t, srv, "/health", ""); status != http.StatusOK {
|
|
t.Errorf("/health must stay public when token is set, got %d", status)
|
|
}
|
|
}
|
|
|
|
func TestRequireAuth_RejectsTokenAsRawNotBearer(t *testing.T) {
|
|
srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"}))
|
|
defer srv.Close()
|
|
|
|
// "secret123" alone (without "Bearer " prefix) should NOT pass.
|
|
if status, _ := get(t, srv, "/data", "secret123"); status != http.StatusUnauthorized {
|
|
t.Errorf("raw-token without 'Bearer ' prefix must reject, got %d", status)
|
|
}
|
|
}
|
|
|
|
func TestRequireAuth_IPAllowlist_AllowsLoopback(t *testing.T) {
|
|
cfg := AuthConfig{AllowedIPs: []string{"127.0.0.0/8"}}
|
|
srv := httptest.NewServer(mountWithAuth(cfg))
|
|
defer srv.Close()
|
|
|
|
// httptest.Server binds 127.0.0.1, so the test client always
|
|
// connects from 127.0.0.1 → allowed.
|
|
if status, _ := get(t, srv, "/data", ""); status != http.StatusOK {
|
|
t.Errorf("loopback in allowed CIDR should pass, got %d", status)
|
|
}
|
|
}
|
|
|
|
func TestRequireAuth_IPAllowlist_RejectsNonAllowed(t *testing.T) {
|
|
// Allowlist excludes loopback — every test request from 127.x.x.x
|
|
// gets rejected.
|
|
cfg := AuthConfig{AllowedIPs: []string{"10.0.0.0/8"}}
|
|
srv := httptest.NewServer(mountWithAuth(cfg))
|
|
defer srv.Close()
|
|
|
|
if status, _ := get(t, srv, "/data", ""); status != http.StatusForbidden {
|
|
t.Errorf("non-allowed IP should return 403, got %d", status)
|
|
}
|
|
}
|
|
|
|
func TestRequireAuth_BareIPInAllowlist(t *testing.T) {
|
|
// Bare IP without /N suffix should be treated as /32.
|
|
cfg := AuthConfig{AllowedIPs: []string{"127.0.0.1"}}
|
|
srv := httptest.NewServer(mountWithAuth(cfg))
|
|
defer srv.Close()
|
|
|
|
if status, _ := get(t, srv, "/data", ""); status != http.StatusOK {
|
|
t.Errorf("bare IP /32 should pass, got %d", status)
|
|
}
|
|
}
|
|
|
|
func TestRequireAuth_BothLayers_RequiresBoth(t *testing.T) {
|
|
cfg := AuthConfig{
|
|
Token: "secret123",
|
|
AllowedIPs: []string{"127.0.0.0/8"},
|
|
}
|
|
srv := httptest.NewServer(mountWithAuth(cfg))
|
|
defer srv.Close()
|
|
|
|
// Missing token: 401 even from allowed IP.
|
|
if status, _ := get(t, srv, "/data", ""); status != http.StatusUnauthorized {
|
|
t.Errorf("allowed IP without token should still 401, got %d", status)
|
|
}
|
|
// Wrong token: 401.
|
|
if status, _ := get(t, srv, "/data", "Bearer wrong"); status != http.StatusUnauthorized {
|
|
t.Errorf("allowed IP + wrong token should 401, got %d", status)
|
|
}
|
|
// Right token: 200 (we're on loopback, IP allowed).
|
|
if status, _ := get(t, srv, "/data", "Bearer secret123"); status != http.StatusOK {
|
|
t.Errorf("allowed IP + correct token should 200, got %d", status)
|
|
}
|
|
// /health: 200 always.
|
|
if status, _ := get(t, srv, "/health", ""); status != http.StatusOK {
|
|
t.Errorf("/health bypass on both-layers cfg, got %d", status)
|
|
}
|
|
}
|
|
|
|
func TestRequireAuth_InvalidCIDR_LoggedAndDropped(t *testing.T) {
|
|
// Mix of valid and invalid CIDRs: invalid should be skipped
|
|
// (warning logged) and the valid one should still gate.
|
|
cfg := AuthConfig{AllowedIPs: []string{
|
|
"not-a-cidr",
|
|
"10.0.0.0/8",
|
|
}}
|
|
srv := httptest.NewServer(mountWithAuth(cfg))
|
|
defer srv.Close()
|
|
|
|
// Loopback test client → still rejected because the only valid
|
|
// rule is 10.0.0.0/8.
|
|
if status, _ := get(t, srv, "/data", ""); status != http.StatusForbidden {
|
|
t.Errorf("loopback should reject when allowlist excludes it, got %d", status)
|
|
}
|
|
}
|
|
|
|
// TestRequireAuth_SecondaryTokenAccepted locks ADR-006 Decision 6.5:
|
|
// during a token rotation, both primary and secondary token strings
|
|
// pass auth. After every caller updates, operators promote secondary
|
|
// → primary and clear secondary, completing the rotation.
|
|
func TestRequireAuth_SecondaryTokenAccepted(t *testing.T) {
|
|
cfg := AuthConfig{
|
|
Token: "primary-tok",
|
|
SecondaryTokens: []string{"secondary-tok"},
|
|
}
|
|
srv := httptest.NewServer(mountWithAuth(cfg))
|
|
defer srv.Close()
|
|
|
|
if status, _ := get(t, srv, "/data", "Bearer primary-tok"); status != http.StatusOK {
|
|
t.Errorf("primary token should pass, got %d", status)
|
|
}
|
|
if status, _ := get(t, srv, "/data", "Bearer secondary-tok"); status != http.StatusOK {
|
|
t.Errorf("secondary token should pass during rotation, got %d", status)
|
|
}
|
|
if status, _ := get(t, srv, "/data", "Bearer wrong-tok"); status != http.StatusUnauthorized {
|
|
t.Errorf("invalid token should still 401, got %d", status)
|
|
}
|
|
}
|
|
|
|
// TestRequireAuth_SecondaryTokensOnly locks the case where primary
|
|
// is empty but secondaries are set — useful mid-rotation when the
|
|
// previous primary was just promoted to nothing and the new primary
|
|
// hasn't been written yet. As long as ANY token is configured, auth
|
|
// is enforced.
|
|
func TestRequireAuth_SecondaryTokensOnly(t *testing.T) {
|
|
cfg := AuthConfig{
|
|
SecondaryTokens: []string{"only-tok"},
|
|
}
|
|
srv := httptest.NewServer(mountWithAuth(cfg))
|
|
defer srv.Close()
|
|
|
|
if status, _ := get(t, srv, "/data", "Bearer only-tok"); status != http.StatusOK {
|
|
t.Errorf("only-secondary should pass, got %d", status)
|
|
}
|
|
if status, _ := get(t, srv, "/data", ""); status != http.StatusUnauthorized {
|
|
t.Errorf("missing token should 401, got %d", status)
|
|
}
|
|
}
|
|
|
|
func TestRemoteIP_SplitHostPortShape(t *testing.T) {
|
|
// Sanity: real httptest requests come through with "ip:port"
|
|
// shape; ensure remoteIP returns the IP portion.
|
|
r, _ := http.NewRequest(http.MethodGet, "/", nil)
|
|
r.RemoteAddr = "10.1.2.3:54321"
|
|
ip := remoteIP(r)
|
|
if ip == nil {
|
|
t.Fatal("remoteIP returned nil for valid 'ip:port' addr")
|
|
}
|
|
if ip.String() != "10.1.2.3" {
|
|
t.Errorf("remoteIP = %q, want 10.1.2.3", ip.String())
|
|
}
|
|
} |