feat: implement secure cluster authentication (issue #13)
Implemented a comprehensive secure authentication mechanism for inter-node cluster communication with the following features: 1. Global Cluster Secret (GCS) - Auto-generated cryptographically secure random secret (256-bit) - Configurable via YAML config file - Shared across all cluster nodes for authentication 2. Cluster Authentication Middleware - Validates X-Cluster-Secret and X-Node-ID headers - Applied to all cluster endpoints (/members/*, /merkle_tree/*, /kv_range) - Comprehensive logging of authentication attempts 3. Authenticated HTTP Client - Custom HTTP client with cluster auth headers - TLS support with configurable certificate verification - Protocol-aware (http/https based on TLS settings) 4. Secure Bootstrap Endpoint - New /auth/cluster-bootstrap endpoint - Protected by JWT authentication with admin scope - Allows new nodes to securely obtain cluster secret 5. Updated Cluster Communication - All gossip protocol requests include auth headers - All Merkle tree sync requests include auth headers - All data replication requests include auth headers 6. Configuration - cluster_secret: Shared secret (auto-generated if not provided) - cluster_tls_enabled: Enable TLS for inter-node communication - cluster_tls_cert_file: Path to TLS certificate - cluster_tls_key_file: Path to TLS private key - cluster_tls_skip_verify: Skip TLS verification (testing only) This implementation addresses the security vulnerability of unprotected cluster endpoints and provides a flexible, secure approach to protecting internal cluster communication while allowing for automated node bootstrapping. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
@@ -1,12 +1,14 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"kvs/types"
|
||||
"gopkg.in/yaml.v3"
|
||||
"kvs/types"
|
||||
)
|
||||
|
||||
// Default configuration
|
||||
@@ -27,41 +29,61 @@ func Default() *types.Config {
|
||||
BootstrapMaxAgeHours: 720, // 30 days
|
||||
ThrottleDelayMs: 100,
|
||||
FetchDelayMs: 50,
|
||||
|
||||
|
||||
// Default compression settings
|
||||
CompressionEnabled: true,
|
||||
CompressionLevel: 3, // Balance between performance and compression ratio
|
||||
|
||||
|
||||
// Default TTL and size limit settings
|
||||
DefaultTTL: "0", // No default TTL
|
||||
MaxJSONSize: 1048576, // 1MB default max JSON size
|
||||
|
||||
DefaultTTL: "0", // No default TTL
|
||||
MaxJSONSize: 1048576, // 1MB default max JSON size
|
||||
|
||||
// Default rate limiting settings
|
||||
RateLimitRequests: 100, // 100 requests per window
|
||||
RateLimitWindow: "1m", // 1 minute window
|
||||
|
||||
|
||||
// Default tamper-evident logging settings
|
||||
TamperLogActions: []string{"data_write", "user_create", "auth_failure"},
|
||||
|
||||
|
||||
// Default backup system settings
|
||||
BackupEnabled: true,
|
||||
BackupSchedule: "0 0 * * *", // Daily at midnight
|
||||
BackupPath: "./backups",
|
||||
BackupRetention: 7, // Keep backups for 7 days
|
||||
|
||||
|
||||
// Default feature toggle settings (all enabled by default)
|
||||
AuthEnabled: true,
|
||||
TamperLoggingEnabled: true,
|
||||
ClusteringEnabled: true,
|
||||
RateLimitingEnabled: true,
|
||||
RevisionHistoryEnabled: true,
|
||||
|
||||
|
||||
// Default anonymous access settings (both disabled by default for security)
|
||||
AllowAnonymousRead: false,
|
||||
AllowAnonymousWrite: false,
|
||||
AllowAnonymousRead: false,
|
||||
AllowAnonymousWrite: false,
|
||||
|
||||
// Default cluster authentication settings (Issue #13)
|
||||
ClusterSecret: generateClusterSecret(),
|
||||
ClusterTLSEnabled: false,
|
||||
ClusterTLSCertFile: "",
|
||||
ClusterTLSKeyFile: "",
|
||||
ClusterTLSSkipVerify: false,
|
||||
}
|
||||
}
|
||||
|
||||
// generateClusterSecret generates a cryptographically secure random cluster secret
|
||||
func generateClusterSecret() string {
|
||||
// Generate 32 bytes (256 bits) of random data
|
||||
randomBytes := make([]byte, 32)
|
||||
if _, err := rand.Read(randomBytes); err != nil {
|
||||
// Fallback to a warning - this should never happen in practice
|
||||
fmt.Fprintf(os.Stderr, "Warning: Failed to generate secure cluster secret: %v\n", err)
|
||||
return ""
|
||||
}
|
||||
// Encode as base64 for easy configuration file storage
|
||||
return base64.StdEncoding.EncodeToString(randomBytes)
|
||||
}
|
||||
|
||||
// Load configuration from file or create default
|
||||
func Load(configPath string) (*types.Config, error) {
|
||||
config := Default()
|
||||
@@ -94,5 +116,13 @@ func Load(configPath string) (*types.Config, error) {
|
||||
return nil, fmt.Errorf("failed to parse config file: %v", err)
|
||||
}
|
||||
|
||||
// Generate cluster secret if not provided and clustering is enabled (Issue #13)
|
||||
if config.ClusteringEnabled && config.ClusterSecret == "" {
|
||||
config.ClusterSecret = generateClusterSecret()
|
||||
fmt.Printf("Warning: No cluster_secret configured. Generated a random secret.\n")
|
||||
fmt.Printf(" To share this secret with other nodes, add it to your config:\n")
|
||||
fmt.Printf(" cluster_secret: %s\n", config.ClusterSecret)
|
||||
}
|
||||
|
||||
return config, nil
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user