profit/golangLAKEHOUSE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
golangLAKEHOUSE/internal/shared/bind_test.go
root 6af0520ed2 A: fail-loud on non-loopback bind — closes worst case of R-001 
shared.Run now refuses to bind a non-loopback address unless the
LH_<SERVICE>_ALLOW_NONLOOPBACK=1 env is set. Single change covers
all 7 binaries via the existing Run call site; no per-binary
wiring needed.

Closes the accidental-0.0.0.0 deploy attack surface for R-001:
queryd /sql is RCE-equivalent off loopback (DuckDB has filesystem
read + COPY TO + read_text), but the gate applies to every binary
uniformly so the same posture covers vectord (mutation routes),
catalogd (manifest writes), and the others.

What passes the gate:
  127.0.0.1:port, 127.x.y.z:port (full /8), [::1]:port,
  localhost:port, OR explicit env LH_<SVC>_ALLOW_NONLOOPBACK=1

What fail-louds:
  0.0.0.0:port, [::]:port, :port (all interfaces),
  any non-loopback IP, any non-localhost hostname,
  unparseable shapes ("", "no port", garbage)

Override env is strict equality "1" — typos like "true"/"yes" do NOT
trigger it, so a future operator can't accidentally expose by typing
the wrong value. Override fires log a structured warn so the choice
is auditable in production.

Error message cites the env name AND R-001 by name so operators see
the fix path without grepping:
  "refusing non-loopback bind \"0.0.0.0:3214\" for \"queryd\"
   (set LH_QUERYD_ALLOW_NONLOOPBACK=1 to override; see audit R-001)"

internal/shared/bind.go            — requireLoopbackOrOverride + isLoopbackAddr
internal/shared/bind_test.go       — 7 test funcs incl. table-driven
                                     IPv4/IPv6/hostname coverage and
                                     per-service env isolation
internal/shared/server.go          — 1-line gate in Run before listen

Verified:
  go test -short ./internal/shared/ — all green (was 14 funcs, now 21)
  just verify                       — vet + test + 9 smokes still 33s

Doesn't address R-001's full attack surface (any reachable port can
issue arbitrary SQL); ADR-003 + Bearer-token middleware is the
follow-up. This commit makes the implicit "localhost-only is the auth
layer" guarantee explicit and un-bypassable without explicit env.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 05:56:42 -05:00

130 lines
4.4 KiB
Go
Raw Blame History

package shared
import (
"os"
"strings"
"testing"
)
// Closes audit R-001's worst case (accidental non-loopback deploy)
// at the predicate layer. Run integration coverage lives in the
// existing smoke chain — this file proves the rules.
func TestIsLoopbackAddr(t *testing.T) {
cases := []struct {
name string
addr string
want bool
}{
// Pass cases — every shape we accept.
{"127.0.0.1 standard", "127.0.0.1:3214", true},
{"127.0.0.0/8 mid-range", "127.5.6.7:3214", true},
{"127.255.255.254 edge", "127.255.255.254:3214", true},
{"IPv6 loopback", "[::1]:3214", true},
{"localhost hostname", "localhost:3214", true},
// Reject cases — every shape that should fail-loud.
{"empty addr", "", false},
{"empty host (all interfaces)", ":3214", false},
{"explicit any IPv4", "0.0.0.0:3214", false},
{"explicit any IPv6", "[::]:3214", false},
{"public IPv4", "8.8.8.8:3214", false},
{"private LAN IPv4", "192.168.1.176:3214", false},
{"hostname (not localhost)", "myhost.example.com:3214", false},
{"missing port", "127.0.0.1", false},
{"garbage", "not an addr", false},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
got := isLoopbackAddr(tc.addr)
if got != tc.want {
t.Errorf("isLoopbackAddr(%q) = %v, want %v", tc.addr, got, tc.want)
}
})
}
}
func TestRequireLoopback_AcceptsLoopback(t *testing.T) {
if err := requireLoopbackOrOverride("queryd", "127.0.0.1:3214"); err != nil {
t.Errorf("loopback should pass without env, got %v", err)
}
if err := requireLoopbackOrOverride("vectord", "[::1]:3215"); err != nil {
t.Errorf("IPv6 loopback should pass, got %v", err)
}
}
func TestRequireLoopback_RejectsNonLoopback(t *testing.T) {
cases := []string{
"0.0.0.0:3214",
":3214",
"192.168.1.176:3214",
}
for _, addr := range cases {
t.Run(addr, func(t *testing.T) {
err := requireLoopbackOrOverride("queryd", addr)
if err == nil {
t.Fatalf("expected error on %q without override, got nil", addr)
}
// Error message should cite the override env so operators
// can quickly see how to opt in if intentional.
if !strings.Contains(err.Error(), "LH_QUERYD_ALLOW_NONLOOPBACK") {
t.Errorf("error should cite override env, got %q", err.Error())
}
// And reference R-001 so the audit trail is explicit.
if !strings.Contains(err.Error(), "R-001") {
t.Errorf("error should cite R-001, got %q", err.Error())
}
})
}
}
func TestRequireLoopback_OverrideEnvAllowsNonLoopback(t *testing.T) {
t.Setenv("LH_QUERYD_ALLOW_NONLOOPBACK", "1")
if err := requireLoopbackOrOverride("queryd", "0.0.0.0:3214"); err != nil {
t.Errorf("override should permit non-loopback, got %v", err)
}
}
func TestRequireLoopback_OverrideEnvOnlyApplies_ExactValue1(t *testing.T) {
// "true", "yes", anything else != "1" should NOT trigger the
// override. Strict matching prevents silent acceptance of typos.
cases := []string{"true", "yes", "TRUE", "01", " 1", ""}
for _, val := range cases {
t.Run("val="+val, func(t *testing.T) {
t.Setenv("LH_QUERYD_ALLOW_NONLOOPBACK", val)
err := requireLoopbackOrOverride("queryd", "0.0.0.0:3214")
if err == nil {
t.Fatalf("override value %q should NOT permit non-loopback", val)
}
})
}
}
func TestRequireLoopback_EnvIsPerService(t *testing.T) {
// Setting queryd's override should NOT affect vectord. Each binary
// must opt in explicitly so a single-service exposure decision
// doesn't silently apply to others.
t.Setenv("LH_QUERYD_ALLOW_NONLOOPBACK", "1")
// queryd allowed:
if err := requireLoopbackOrOverride("queryd", "0.0.0.0:3214"); err != nil {
t.Errorf("queryd should be allowed, got %v", err)
}
// vectord still rejected:
if err := requireLoopbackOrOverride("vectord", "0.0.0.0:3215"); err == nil {
t.Error("vectord should still be rejected — env is per-service")
}
}
// Sanity: the env override variable name composition. If anyone ever
// renames the prefix or casing, every cmd/<svc>/main.go behavior breaks.
func TestRequireLoopback_OverrideEnvName(t *testing.T) {
// Make sure the env we expect users to set actually triggers the
// path. Helps catch a refactor that changes the prefix without
// updating docs.
defer os.Unsetenv("LH_GATEWAY_ALLOW_NONLOOPBACK")
os.Setenv("LH_GATEWAY_ALLOW_NONLOOPBACK", "1")
if err := requireLoopbackOrOverride("gateway", "0.0.0.0:3110"); err != nil {
t.Errorf("gateway override env should work, got %v", err)
}
}
Reference in New Issue View Git Blame Copy Permalink