profit/golangLAKEHOUSE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
golangLAKEHOUSE/cmd/catalogd/main.go
root fa56134b90 ADR-003 wiring: Bearer token + IP allowlist middleware 
Implements the auth posture from ADR-003 (commit 0d18ffa). Two
independent layers — Bearer token (constant-time compare via
crypto/subtle) and IP allowlist (CIDR set) — composed in shared.Run
so every binary inherits the same gate without per-binary wiring.

Together with the bind-gate from commit 6af0520, this mechanically
closes audit risks R-001 + R-007:
  - non-loopback bind without auth.token = startup refuse
  - non-loopback bind WITH auth.token + override env = allowed
  - loopback bind = all gates open (G0 dev unchanged)

internal/shared/auth.go (NEW)
  RequireAuth(cfg AuthConfig) returns chi-compatible middleware.
  Empty Token + empty AllowedIPs → pass-through (G0 dev mode).
  Token-only → 401 Bearer mismatch.
  AllowedIPs-only → 403 source IP not in CIDR set.
  Both → both gates apply.
  /health bypasses both layers (load-balancer / liveness probes
  shouldn't carry tokens).

  CIDR parsing pre-runs at boot; bare IP (no /N) treated as /32 (or
  /128 for IPv6). Invalid entries log warn and drop, fail-loud-but-
  not-fatal so a typo doesn't kill the binary.

  Token comparison: subtle.ConstantTimeCompare on the full
  "Bearer <token>" wire-format string. Length-mismatch returns 0
  (per stdlib spec), so wrong-length tokens reject without timing
  leak. Pre-encoded comparison slice stored in the middleware
  closure — one allocation per request.

  Source-IP extraction prefers net.SplitHostPort fallback to
  RemoteAddr-as-is for httptest compatibility. X-Forwarded-For
  support is a follow-up when a trusted proxy fronts the gateway
  (config knob TBD per ADR-003 §"Future").

internal/shared/server.go
  Run signature: gained AuthConfig parameter (4th arg).
  /health stays mounted on the outer router (public).
  Registered routes go inside chi.Group with RequireAuth applied —
  empty config = transparent group.
  Added requireAuthOnNonLoopback startup check: non-loopback bind
  with empty Token = refuse to start (cites R-001 + R-007 by name).

internal/shared/config.go
  AuthConfig type added with TOML tags. Fields: Token, AllowedIPs.
  Composed into Config under [auth].

cmd/<svc>/main.go × 7 (catalogd, embedd, gateway, ingestd, queryd,
storaged, vectord, mcpd is unaffected — stdio doesn't bind a port)
  Each call site adds cfg.Auth as the 4th arg to shared.Run. No
  other changes — middleware applies via shared.Run uniformly.

internal/shared/auth_test.go (12 test funcs)
  Empty config pass-through, missing-token 401, wrong-token 401,
  correct-token 200, raw-token-without-Bearer-prefix 401, /health
  always public, IP allowlist allow + reject, bare IP /32, both
  layers when both configured, invalid CIDR drop-with-warn, RemoteAddr
  shape extraction. The constant-time comparison is verified by
  inspection (comments in auth.go) plus the existence of the
  passthrough test (length-mismatch case).

Verified:
  go test -count=1 ./internal/shared/  — all green (was 21, now 33 funcs)
  just verify                            — vet + test + 9 smokes 33s
  just proof contract                    — 53/0/1 unchanged

Smokes + proof harness keep working without any token configuration:
default Auth is empty struct → middleware is no-op → existing tests
pass unchanged. To exercise the gate, operators set [auth].token in
lakehouse.toml (or, per the "future" note in the ADR, via env var).

Closes audit findings:
  R-001 HIGH — fully mechanically closed (was: partial via bind gate)
  R-007 MED  — fully mechanically closed (was: design-only ADR-003)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 07:11:34 -05:00

133 lines
4.0 KiB
Go
Raw Blame History

// catalogd is the metadata authority — registers Parquet datasets,
// persists manifests in storaged, rehydrates them on startup, and
// answers GET/list queries. ADR-020 idempotency contract enforced
// by internal/catalogd/registry.go.
package main
import (
"context"
"encoding/json"
"errors"
"flag"
"log/slog"
"net/http"
"os"
"time"
"github.com/go-chi/chi/v5"
"git.agentview.dev/profit/golangLAKEHOUSE/internal/catalogd"
"git.agentview.dev/profit/golangLAKEHOUSE/internal/shared"
"git.agentview.dev/profit/golangLAKEHOUSE/internal/storeclient"
)
func main() {
configPath := flag.String("config", "lakehouse.toml", "path to TOML config")
flag.Parse()
cfg, err := shared.LoadConfig(*configPath)
if err != nil {
slog.Error("config", "err", err)
os.Exit(1)
}
if cfg.Catalogd.StoragedURL == "" {
slog.Error("config", "err", "catalogd.storaged_url is required")
os.Exit(1)
}
store := storeclient.New(cfg.Catalogd.StoragedURL)
registry := catalogd.NewRegistry(store)
rehydrateCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
n, err := registry.Rehydrate(rehydrateCtx)
cancel()
if err != nil {
slog.Error("rehydrate", "err", err)
os.Exit(1)
}
slog.Info("rehydrated", "manifests", n)
h := newHandlers(registry)
if err := shared.Run("catalogd", cfg.Catalogd.Bind, h.register, cfg.Auth); err != nil {
slog.Error("server", "err", err)
os.Exit(1)
}
}
type handlers struct {
reg *catalogd.Registry
}
func newHandlers(r *catalogd.Registry) *handlers { return &handlers{reg: r} }
func (h *handlers) register(r chi.Router) {
r.Post("/catalog/register", h.handleRegister)
r.Get("/catalog/manifest/*", h.handleGetManifest)
r.Get("/catalog/list", h.handleList)
}
// registerRequest mirrors POST body shape.
type registerRequest struct {
Name string `json:"name"`
SchemaFingerprint string `json:"schema_fingerprint"`
Objects []catalogd.Object `json:"objects"`
RowCount *int64 `json:"row_count,omitempty"`
}
// registerResponse adds the existing flag so callers can distinguish
// fresh registration from idempotent re-register.
type registerResponse struct {
Manifest *catalogd.Manifest `json:"manifest"`
Existing bool `json:"existing"`
}
func (h *handlers) handleRegister(w http.ResponseWriter, r *http.Request) {
defer r.Body.Close()
r.Body = http.MaxBytesReader(w, r.Body, 4<<20) // 4 MiB cap on register payloads
var req registerRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
http.Error(w, "decode body: "+err.Error(), http.StatusBadRequest)
return
}
m, existing, err := h.reg.Register(r.Context(), req.Name, req.SchemaFingerprint, req.Objects, req.RowCount)
if errors.Is(err, catalogd.ErrFingerprintConflict) {
http.Error(w, err.Error(), http.StatusConflict)
return
}
if errors.Is(err, catalogd.ErrEmptyName) || errors.Is(err, catalogd.ErrEmptyFingerprint) {
// Per scrum S2 (Opus): sentinel-based detection, not substring match.
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
if err != nil {
slog.Error("register", "name", req.Name, "err", err)
http.Error(w, "internal", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(registerResponse{Manifest: m, Existing: existing})
}
func (h *handlers) handleGetManifest(w http.ResponseWriter, r *http.Request) {
name := chi.URLParam(r, "*")
m, err := h.reg.Get(name)
if errors.Is(err, catalogd.ErrManifestNotFound) {
http.Error(w, "not found", http.StatusNotFound)
return
}
if err != nil {
slog.Error("get manifest", "name", name, "err", err)
http.Error(w, "internal", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(m)
}
func (h *handlers) handleList(w http.ResponseWriter, _ *http.Request) {
items := h.reg.List()
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(map[string]any{"manifests": items, "count": len(items)})
}
Reference in New Issue View Git Blame Copy Permalink