profit/golangLAKEHOUSE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
golangLAKEHOUSE/internal/shared/auth.go
root fa56134b90 ADR-003 wiring: Bearer token + IP allowlist middleware 
Implements the auth posture from ADR-003 (commit 0d18ffa). Two
independent layers — Bearer token (constant-time compare via
crypto/subtle) and IP allowlist (CIDR set) — composed in shared.Run
so every binary inherits the same gate without per-binary wiring.

Together with the bind-gate from commit 6af0520, this mechanically
closes audit risks R-001 + R-007:
  - non-loopback bind without auth.token = startup refuse
  - non-loopback bind WITH auth.token + override env = allowed
  - loopback bind = all gates open (G0 dev unchanged)

internal/shared/auth.go (NEW)
  RequireAuth(cfg AuthConfig) returns chi-compatible middleware.
  Empty Token + empty AllowedIPs → pass-through (G0 dev mode).
  Token-only → 401 Bearer mismatch.
  AllowedIPs-only → 403 source IP not in CIDR set.
  Both → both gates apply.
  /health bypasses both layers (load-balancer / liveness probes
  shouldn't carry tokens).

  CIDR parsing pre-runs at boot; bare IP (no /N) treated as /32 (or
  /128 for IPv6). Invalid entries log warn and drop, fail-loud-but-
  not-fatal so a typo doesn't kill the binary.

  Token comparison: subtle.ConstantTimeCompare on the full
  "Bearer <token>" wire-format string. Length-mismatch returns 0
  (per stdlib spec), so wrong-length tokens reject without timing
  leak. Pre-encoded comparison slice stored in the middleware
  closure — one allocation per request.

  Source-IP extraction prefers net.SplitHostPort fallback to
  RemoteAddr-as-is for httptest compatibility. X-Forwarded-For
  support is a follow-up when a trusted proxy fronts the gateway
  (config knob TBD per ADR-003 §"Future").

internal/shared/server.go
  Run signature: gained AuthConfig parameter (4th arg).
  /health stays mounted on the outer router (public).
  Registered routes go inside chi.Group with RequireAuth applied —
  empty config = transparent group.
  Added requireAuthOnNonLoopback startup check: non-loopback bind
  with empty Token = refuse to start (cites R-001 + R-007 by name).

internal/shared/config.go
  AuthConfig type added with TOML tags. Fields: Token, AllowedIPs.
  Composed into Config under [auth].

cmd/<svc>/main.go × 7 (catalogd, embedd, gateway, ingestd, queryd,
storaged, vectord, mcpd is unaffected — stdio doesn't bind a port)
  Each call site adds cfg.Auth as the 4th arg to shared.Run. No
  other changes — middleware applies via shared.Run uniformly.

internal/shared/auth_test.go (12 test funcs)
  Empty config pass-through, missing-token 401, wrong-token 401,
  correct-token 200, raw-token-without-Bearer-prefix 401, /health
  always public, IP allowlist allow + reject, bare IP /32, both
  layers when both configured, invalid CIDR drop-with-warn, RemoteAddr
  shape extraction. The constant-time comparison is verified by
  inspection (comments in auth.go) plus the existence of the
  passthrough test (length-mismatch case).

Verified:
  go test -count=1 ./internal/shared/  — all green (was 21, now 33 funcs)
  just verify                            — vet + test + 9 smokes 33s
  just proof contract                    — 53/0/1 unchanged

Smokes + proof harness keep working without any token configuration:
default Auth is empty struct → middleware is no-op → existing tests
pass unchanged. To exercise the gate, operators set [auth].token in
lakehouse.toml (or, per the "future" note in the ADR, via env var).

Closes audit findings:
  R-001 HIGH — fully mechanically closed (was: partial via bind gate)
  R-007 MED  — fully mechanically closed (was: design-only ADR-003)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 07:11:34 -05:00

130 lines
4.0 KiB
Go
Raw Blame History

// auth.go — inter-service auth middleware per ADR-003.
//
// Two layers, each independently configurable:
// - Bearer token (constant-time compare via crypto/subtle)
// - IP allowlist (CIDR set; bare IPs treated as /32)
//
// /health is exempt from both layers (load balancers + monitors need
// it open; the route doesn't expose anything sensitive).
//
// When both Token and AllowedIPs are empty, RequireAuth returns a
// pass-through that does no work — preserves G0 dev-mode behavior
// where every binary binds 127.0.0.1 and the network is the auth
// layer.
//
// The non-loopback-bind + empty-token coupling is enforced at
// startup in shared.Run, not in the middleware — the middleware
// only sees per-request auth, not the bind config. Together they
// make the audit's worst case (R-001 + R-007: queryd /sql RCE-eq
// off-loopback with no auth) mechanically impossible.
package shared
import (
"crypto/subtle"
"log/slog"
"net"
"net/http"
"strings"
)
// RequireAuth returns a chi-compatible middleware that enforces
// the configured AuthConfig. Empty config returns a pass-through.
func RequireAuth(cfg AuthConfig) func(http.Handler) http.Handler {
tokenSet := cfg.Token != ""
if !tokenSet && len(cfg.AllowedIPs) == 0 {
// G0 dev mode — no auth wired.
return passthrough
}
// Pre-parse CIDRs once. Invalid entries log a warning and are
// dropped — fail-loud-but-not-fatal so a typo in one CIDR
// doesn't kill the binary; operator sees the warning at startup.
var allowedNets []*net.IPNet
for _, raw := range cfg.AllowedIPs {
cidr := raw
if !strings.Contains(cidr, "/") {
// Bare IP — single-host CIDR.
if strings.Contains(cidr, ":") {
cidr += "/128"
} else {
cidr += "/32"
}
}
_, n, err := net.ParseCIDR(cidr)
if err != nil {
slog.Warn("auth: invalid CIDR in allowed_ips, skipping",
"raw", raw, "err", err)
continue
}
allowedNets = append(allowedNets, n)
}
// Pre-encode the wire-format Bearer token so per-request
// comparison is one allocation against a precomputed slice.
expectedHeader := []byte("Bearer " + cfg.Token)
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// /health bypasses both layers. Operators rely on it
// being public for liveness probes.
if r.URL.Path == "/health" {
next.ServeHTTP(w, r)
return
}
if len(allowedNets) > 0 && !ipAllowed(r, allowedNets) {
http.Error(w, "forbidden", http.StatusForbidden)
return
}
if tokenSet {
got := []byte(r.Header.Get("Authorization"))
// ConstantTimeCompare returns 0 if lengths differ,
// 1 on match. Anything else (would be 0 or 1) is
// treated as no-match.
if subtle.ConstantTimeCompare(got, expectedHeader) != 1 {
http.Error(w, "unauthorized", http.StatusUnauthorized)
return
}
}
next.ServeHTTP(w, r)
})
}
}
// passthrough is the no-op middleware returned when no auth is
// configured. Used by RequireAuth in G0 dev mode.
func passthrough(next http.Handler) http.Handler { return next }
// ipAllowed checks whether the request's source IP is in any of
// the allowed networks. Falls back to false for unparseable
// RemoteAddr — a deploy with broken peer-IP logging would otherwise
// silently bypass the allowlist.
func ipAllowed(r *http.Request, nets []*net.IPNet) bool {
ip := remoteIP(r)
if ip == nil {
return false
}
for _, n := range nets {
if n.Contains(ip) {
return true
}
}
return false
}
// remoteIP extracts the request's source IP. Today: r.RemoteAddr.
// Future: when a trusted proxy fronts the gateway and adds
// X-Forwarded-For, we'd add a config knob to honor the first hop.
// G0 deploys are direct-to-binary so RemoteAddr suffices.
func remoteIP(r *http.Request) net.IP {
host, _, err := net.SplitHostPort(r.RemoteAddr)
if err != nil {
// SplitHostPort failure could mean the test's httptest.Server
// passed a bare IP; try parsing as-is.
host = r.RemoteAddr
}
return net.ParseIP(host)
}
Reference in New Issue View Git Blame Copy Permalink