profit/golangLAKEHOUSE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
golangLAKEHOUSE/internal/shared/bind.go
root fa56134b90 ADR-003 wiring: Bearer token + IP allowlist middleware 
Implements the auth posture from ADR-003 (commit 0d18ffa). Two
independent layers — Bearer token (constant-time compare via
crypto/subtle) and IP allowlist (CIDR set) — composed in shared.Run
so every binary inherits the same gate without per-binary wiring.

Together with the bind-gate from commit 6af0520, this mechanically
closes audit risks R-001 + R-007:
  - non-loopback bind without auth.token = startup refuse
  - non-loopback bind WITH auth.token + override env = allowed
  - loopback bind = all gates open (G0 dev unchanged)

internal/shared/auth.go (NEW)
  RequireAuth(cfg AuthConfig) returns chi-compatible middleware.
  Empty Token + empty AllowedIPs → pass-through (G0 dev mode).
  Token-only → 401 Bearer mismatch.
  AllowedIPs-only → 403 source IP not in CIDR set.
  Both → both gates apply.
  /health bypasses both layers (load-balancer / liveness probes
  shouldn't carry tokens).

  CIDR parsing pre-runs at boot; bare IP (no /N) treated as /32 (or
  /128 for IPv6). Invalid entries log warn and drop, fail-loud-but-
  not-fatal so a typo doesn't kill the binary.

  Token comparison: subtle.ConstantTimeCompare on the full
  "Bearer <token>" wire-format string. Length-mismatch returns 0
  (per stdlib spec), so wrong-length tokens reject without timing
  leak. Pre-encoded comparison slice stored in the middleware
  closure — one allocation per request.

  Source-IP extraction prefers net.SplitHostPort fallback to
  RemoteAddr-as-is for httptest compatibility. X-Forwarded-For
  support is a follow-up when a trusted proxy fronts the gateway
  (config knob TBD per ADR-003 §"Future").

internal/shared/server.go
  Run signature: gained AuthConfig parameter (4th arg).
  /health stays mounted on the outer router (public).
  Registered routes go inside chi.Group with RequireAuth applied —
  empty config = transparent group.
  Added requireAuthOnNonLoopback startup check: non-loopback bind
  with empty Token = refuse to start (cites R-001 + R-007 by name).

internal/shared/config.go
  AuthConfig type added with TOML tags. Fields: Token, AllowedIPs.
  Composed into Config under [auth].

cmd/<svc>/main.go × 7 (catalogd, embedd, gateway, ingestd, queryd,
storaged, vectord, mcpd is unaffected — stdio doesn't bind a port)
  Each call site adds cfg.Auth as the 4th arg to shared.Run. No
  other changes — middleware applies via shared.Run uniformly.

internal/shared/auth_test.go (12 test funcs)
  Empty config pass-through, missing-token 401, wrong-token 401,
  correct-token 200, raw-token-without-Bearer-prefix 401, /health
  always public, IP allowlist allow + reject, bare IP /32, both
  layers when both configured, invalid CIDR drop-with-warn, RemoteAddr
  shape extraction. The constant-time comparison is verified by
  inspection (comments in auth.go) plus the existence of the
  passthrough test (length-mismatch case).

Verified:
  go test -count=1 ./internal/shared/  — all green (was 21, now 33 funcs)
  just verify                            — vet + test + 9 smokes 33s
  just proof contract                    — 53/0/1 unchanged

Smokes + proof harness keep working without any token configuration:
default Auth is empty struct → middleware is no-op → existing tests
pass unchanged. To exercise the gate, operators set [auth].token in
lakehouse.toml (or, per the "future" note in the ADR, via env var).

Closes audit findings:
  R-001 HIGH — fully mechanically closed (was: partial via bind gate)
  R-007 MED  — fully mechanically closed (was: design-only ADR-003)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 07:11:34 -05:00

96 lines
3.1 KiB
Go
Raw Blame History

package shared
import (
"fmt"
"log/slog"
"net"
"os"
"strings"
)
// requireLoopbackOrOverride enforces that the bind address is on the
// loopback interface unless an explicit env override is set. Closes
// the worst case of audit risk R-001 (queryd /sql + DuckDB + non-
// loopback bind = RCE-equivalent for anyone who can reach the port)
// without committing to an auth model.
//
// Override env: LH_<UPPER(serviceName)>_ALLOW_NONLOOPBACK=1.
// When the override fires, we log a structured warn so the choice is
// auditable in production logs.
//
// Cases that pass:
// - 127.0.0.1, 127.x.y.z (the /8), [::1], localhost
// - explicit-override env set to "1"
//
// Cases that fail-loud:
// - 0.0.0.0, [::], any non-loopback IP
// - empty host ":port" (listens on all interfaces)
// - unparseable addr
//
// The function is also useful as a unit-testable predicate; callers
// that want to gate something other than Run can call it directly.
func requireLoopbackOrOverride(serviceName, addr string) error {
if isLoopbackAddr(addr) {
return nil
}
envKey := "LH_" + strings.ToUpper(serviceName) + "_ALLOW_NONLOOPBACK"
if os.Getenv(envKey) == "1" {
slog.Warn("non-loopback bind allowed by env override",
"service", serviceName,
"addr", addr,
"env", envKey,
"hint", "audit risk R-001 — see reports/scrum/risk-register.md")
return nil
}
return fmt.Errorf("refusing non-loopback bind %q for %q "+
"(set %s=1 to override; see audit R-001)", addr, serviceName, envKey)
}
// requireAuthOnNonLoopback closes the audit's R-001 + R-007 worst
// case: any binary that's deployed off-loopback MUST have an auth
// token configured. An off-loopback bind without auth is the literal
// "queryd /sql is RCE-equivalent" failure mode.
//
// Pairs with requireLoopbackOrOverride: that gate refuses non-loopback
// bind unless an explicit env override fires; this gate refuses the
// same bind unless auth.token is also set. Together they make the
// worst case mechanically impossible.
func requireAuthOnNonLoopback(serviceName, addr string, auth AuthConfig) error {
if isLoopbackAddr(addr) {
return nil
}
if auth.Token != "" {
return nil
}
return fmt.Errorf("refuse non-loopback bind %q for %q without auth.token configured "+
"(R-001 + R-007 — see ADR-003)", addr, serviceName)
}
// isLoopbackAddr returns true iff addr's host portion is on the
// loopback interface. Covers IPv4 127.0.0.0/8, IPv6 ::1, and
// "localhost". Empty host (":port"), empty string, and any
// non-parseable addr return false.
func isLoopbackAddr(addr string) bool {
host, _, err := net.SplitHostPort(addr)
if err != nil {
// Unparseable shape — could be a bare hostname or wholly
// malformed. Rejecting protects against future changes that
// silently accept new shapes.
return false
}
if host == "" {
// ":port" listens on ALL interfaces — explicitly non-loopback.
return false
}
if host == "localhost" {
return true
}
ip := net.ParseIP(host)
if ip == nil {
// Hostname that isn't "localhost". We don't resolve DNS here
// (slow + misleading); reject so deploys must be explicit.
return false
}
return ip.IsLoopback()
}
Reference in New Issue View Git Blame Copy Permalink