profit/golangLAKEHOUSE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
golangLAKEHOUSE/internal/shared/auth_test.go
root fa56134b90 ADR-003 wiring: Bearer token + IP allowlist middleware 
Implements the auth posture from ADR-003 (commit 0d18ffa). Two
independent layers — Bearer token (constant-time compare via
crypto/subtle) and IP allowlist (CIDR set) — composed in shared.Run
so every binary inherits the same gate without per-binary wiring.

Together with the bind-gate from commit 6af0520, this mechanically
closes audit risks R-001 + R-007:
  - non-loopback bind without auth.token = startup refuse
  - non-loopback bind WITH auth.token + override env = allowed
  - loopback bind = all gates open (G0 dev unchanged)

internal/shared/auth.go (NEW)
  RequireAuth(cfg AuthConfig) returns chi-compatible middleware.
  Empty Token + empty AllowedIPs → pass-through (G0 dev mode).
  Token-only → 401 Bearer mismatch.
  AllowedIPs-only → 403 source IP not in CIDR set.
  Both → both gates apply.
  /health bypasses both layers (load-balancer / liveness probes
  shouldn't carry tokens).

  CIDR parsing pre-runs at boot; bare IP (no /N) treated as /32 (or
  /128 for IPv6). Invalid entries log warn and drop, fail-loud-but-
  not-fatal so a typo doesn't kill the binary.

  Token comparison: subtle.ConstantTimeCompare on the full
  "Bearer <token>" wire-format string. Length-mismatch returns 0
  (per stdlib spec), so wrong-length tokens reject without timing
  leak. Pre-encoded comparison slice stored in the middleware
  closure — one allocation per request.

  Source-IP extraction prefers net.SplitHostPort fallback to
  RemoteAddr-as-is for httptest compatibility. X-Forwarded-For
  support is a follow-up when a trusted proxy fronts the gateway
  (config knob TBD per ADR-003 §"Future").

internal/shared/server.go
  Run signature: gained AuthConfig parameter (4th arg).
  /health stays mounted on the outer router (public).
  Registered routes go inside chi.Group with RequireAuth applied —
  empty config = transparent group.
  Added requireAuthOnNonLoopback startup check: non-loopback bind
  with empty Token = refuse to start (cites R-001 + R-007 by name).

internal/shared/config.go
  AuthConfig type added with TOML tags. Fields: Token, AllowedIPs.
  Composed into Config under [auth].

cmd/<svc>/main.go × 7 (catalogd, embedd, gateway, ingestd, queryd,
storaged, vectord, mcpd is unaffected — stdio doesn't bind a port)
  Each call site adds cfg.Auth as the 4th arg to shared.Run. No
  other changes — middleware applies via shared.Run uniformly.

internal/shared/auth_test.go (12 test funcs)
  Empty config pass-through, missing-token 401, wrong-token 401,
  correct-token 200, raw-token-without-Bearer-prefix 401, /health
  always public, IP allowlist allow + reject, bare IP /32, both
  layers when both configured, invalid CIDR drop-with-warn, RemoteAddr
  shape extraction. The constant-time comparison is verified by
  inspection (comments in auth.go) plus the existence of the
  passthrough test (length-mismatch case).

Verified:
  go test -count=1 ./internal/shared/  — all green (was 21, now 33 funcs)
  just verify                            — vet + test + 9 smokes 33s
  just proof contract                    — 53/0/1 unchanged

Smokes + proof harness keep working without any token configuration:
default Auth is empty struct → middleware is no-op → existing tests
pass unchanged. To exercise the gate, operators set [auth].token in
lakehouse.toml (or, per the "future" note in the ADR, via env var).

Closes audit findings:
  R-001 HIGH — fully mechanically closed (was: partial via bind gate)
  R-007 MED  — fully mechanically closed (was: design-only ADR-003)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 07:11:34 -05:00

204 lines
6.5 KiB
Go
Raw Blame History

package shared
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/go-chi/chi/v5"
)
// Closes the audit's R-001 + R-007 mechanically once auth is wired
// per ADR-003. Tests cover: pass-through on empty config, token
// gate (401 on missing/wrong, 200 on correct), IP gate (403 on
// disallowed, 200 on allowed), /health bypass, both-layers when
// both configured, and constant-time comparison usage.
func mountWithAuth(cfg AuthConfig) http.Handler {
r := chi.NewRouter()
r.Get("/health", func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusOK)
_, _ = w.Write([]byte("ok"))
})
r.Group(func(authed chi.Router) {
authed.Use(RequireAuth(cfg))
authed.Get("/data", func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(http.StatusOK)
_, _ = w.Write([]byte("private"))
})
})
return r
}
func get(t *testing.T, srv *httptest.Server, path string, header string) (int, string) {
t.Helper()
req, err := http.NewRequest(http.MethodGet, srv.URL+path, nil)
if err != nil {
t.Fatalf("NewRequest: %v", err)
}
if header != "" {
req.Header.Set("Authorization", header)
}
resp, err := http.DefaultClient.Do(req)
if err != nil {
t.Fatalf("Do: %v", err)
}
defer resp.Body.Close()
buf := make([]byte, 1024)
n, _ := resp.Body.Read(buf)
return resp.StatusCode, string(buf[:n])
}
func TestRequireAuth_EmptyConfig_PassesThrough(t *testing.T) {
srv := httptest.NewServer(mountWithAuth(AuthConfig{}))
defer srv.Close()
if status, _ := get(t, srv, "/data", ""); status != http.StatusOK {
t.Errorf("empty config should pass through, got status %d", status)
}
if status, _ := get(t, srv, "/health", ""); status != http.StatusOK {
t.Errorf("/health on empty config should pass, got %d", status)
}
}
func TestRequireAuth_TokenSet_RejectsMissing(t *testing.T) {
srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"}))
defer srv.Close()
if status, _ := get(t, srv, "/data", ""); status != http.StatusUnauthorized {
t.Errorf("missing Authorization should return 401, got %d", status)
}
}
func TestRequireAuth_TokenSet_RejectsWrong(t *testing.T) {
srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"}))
defer srv.Close()
if status, _ := get(t, srv, "/data", "Bearer wrong-token"); status != http.StatusUnauthorized {
t.Errorf("wrong token should return 401, got %d", status)
}
}
func TestRequireAuth_TokenSet_AcceptsCorrect(t *testing.T) {
srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"}))
defer srv.Close()
status, body := get(t, srv, "/data", "Bearer secret123")
if status != http.StatusOK {
t.Errorf("correct Bearer should return 200, got %d", status)
}
if body != "private" {
t.Errorf("expected 'private' body, got %q", body)
}
}
func TestRequireAuth_TokenSet_HealthRemainsPublic(t *testing.T) {
srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"}))
defer srv.Close()
if status, _ := get(t, srv, "/health", ""); status != http.StatusOK {
t.Errorf("/health must stay public when token is set, got %d", status)
}
}
func TestRequireAuth_RejectsTokenAsRawNotBearer(t *testing.T) {
srv := httptest.NewServer(mountWithAuth(AuthConfig{Token: "secret123"}))
defer srv.Close()
// "secret123" alone (without "Bearer " prefix) should NOT pass.
if status, _ := get(t, srv, "/data", "secret123"); status != http.StatusUnauthorized {
t.Errorf("raw-token without 'Bearer ' prefix must reject, got %d", status)
}
}
func TestRequireAuth_IPAllowlist_AllowsLoopback(t *testing.T) {
cfg := AuthConfig{AllowedIPs: []string{"127.0.0.0/8"}}
srv := httptest.NewServer(mountWithAuth(cfg))
defer srv.Close()
// httptest.Server binds 127.0.0.1, so the test client always
// connects from 127.0.0.1 → allowed.
if status, _ := get(t, srv, "/data", ""); status != http.StatusOK {
t.Errorf("loopback in allowed CIDR should pass, got %d", status)
}
}
func TestRequireAuth_IPAllowlist_RejectsNonAllowed(t *testing.T) {
// Allowlist excludes loopback — every test request from 127.x.x.x
// gets rejected.
cfg := AuthConfig{AllowedIPs: []string{"10.0.0.0/8"}}
srv := httptest.NewServer(mountWithAuth(cfg))
defer srv.Close()
if status, _ := get(t, srv, "/data", ""); status != http.StatusForbidden {
t.Errorf("non-allowed IP should return 403, got %d", status)
}
}
func TestRequireAuth_BareIPInAllowlist(t *testing.T) {
// Bare IP without /N suffix should be treated as /32.
cfg := AuthConfig{AllowedIPs: []string{"127.0.0.1"}}
srv := httptest.NewServer(mountWithAuth(cfg))
defer srv.Close()
if status, _ := get(t, srv, "/data", ""); status != http.StatusOK {
t.Errorf("bare IP /32 should pass, got %d", status)
}
}
func TestRequireAuth_BothLayers_RequiresBoth(t *testing.T) {
cfg := AuthConfig{
Token: "secret123",
AllowedIPs: []string{"127.0.0.0/8"},
}
srv := httptest.NewServer(mountWithAuth(cfg))
defer srv.Close()
// Missing token: 401 even from allowed IP.
if status, _ := get(t, srv, "/data", ""); status != http.StatusUnauthorized {
t.Errorf("allowed IP without token should still 401, got %d", status)
}
// Wrong token: 401.
if status, _ := get(t, srv, "/data", "Bearer wrong"); status != http.StatusUnauthorized {
t.Errorf("allowed IP + wrong token should 401, got %d", status)
}
// Right token: 200 (we're on loopback, IP allowed).
if status, _ := get(t, srv, "/data", "Bearer secret123"); status != http.StatusOK {
t.Errorf("allowed IP + correct token should 200, got %d", status)
}
// /health: 200 always.
if status, _ := get(t, srv, "/health", ""); status != http.StatusOK {
t.Errorf("/health bypass on both-layers cfg, got %d", status)
}
}
func TestRequireAuth_InvalidCIDR_LoggedAndDropped(t *testing.T) {
// Mix of valid and invalid CIDRs: invalid should be skipped
// (warning logged) and the valid one should still gate.
cfg := AuthConfig{AllowedIPs: []string{
"not-a-cidr",
"10.0.0.0/8",
}}
srv := httptest.NewServer(mountWithAuth(cfg))
defer srv.Close()
// Loopback test client → still rejected because the only valid
// rule is 10.0.0.0/8.
if status, _ := get(t, srv, "/data", ""); status != http.StatusForbidden {
t.Errorf("loopback should reject when allowlist excludes it, got %d", status)
}
}
func TestRemoteIP_SplitHostPortShape(t *testing.T) {
// Sanity: real httptest requests come through with "ip:port"
// shape; ensure remoteIP returns the IP portion.
r, _ := http.NewRequest(http.MethodGet, "/", nil)
r.RemoteAddr = "10.1.2.3:54321"
ip := remoteIP(r)
if ip == nil {
t.Fatal("remoteIP returned nil for valid 'ip:port' addr")
}
if ip.String() != "10.1.2.3" {
t.Errorf("remoteIP = %q, want 10.1.2.3", ip.String())
}
}
Reference in New Issue View Git Blame Copy Permalink