feat: implement secure cluster authentication (issue #13)

Implemented a comprehensive secure authentication mechanism for inter-node cluster communication with the following features: 1. Global Cluster Secret (GCS) - Auto-generated cryptographically secure random secret (256-bit) - Configurable via YAML config file - Shared across all cluster nodes for authentication 2. Cluster Authentication Middleware - Validates X-Cluster-Secret and X-Node-ID headers - Applied to all cluster endpoints (/members/*, /merkle_tree/*, /kv_range) - Comprehensive logging of authentication attempts 3. Authenticated HTTP Client - Custom HTTP client with cluster auth headers - TLS support with configurable certificate verification - Protocol-aware (http/https based on TLS settings) 4. Secure Bootstrap Endpoint - New /auth/cluster-bootstrap endpoint - Protected by JWT authentication with admin scope - Allows new nodes to securely obtain cluster secret 5. Updated Cluster Communication - All gossip protocol requests include auth headers - All Merkle tree sync requests include auth headers - All data replication requests include auth headers 6. Configuration - cluster_secret: Shared secret (auto-generated if not provided) - cluster_tls_enabled: Enable TLS for inter-node communication - cluster_tls_cert_file: Path to TLS certificate - cluster_tls_key_file: Path to TLS private key - cluster_tls_skip_verify: Skip TLS verification (testing only) This implementation addresses the security vulnerability of unprotected cluster endpoints and provides a flexible, secure approach to protecting internal cluster communication while allowing for automated node bootstrapping. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-02 22:19:40 +03:00
parent 2431d3cfb0
commit c7dcebb894
28 changed files with 477 additions and 230 deletions
--- a/features/auth.go
+++ b/features/auth.go
@@ -99,4 +99,4 @@ func ExtractKVResourceKey(r *http.Request) string {
 		return path
 	}
 	return ""
-}
+}
--- a/features/backup.go
+++ b/features/backup.go
@@ -8,4 +8,4 @@ import (
 // GetBackupFilename generates a filename for a backup
 func GetBackupFilename(timestamp time.Time) string {
 	return fmt.Sprintf("kvs-backup-%s.zstd", timestamp.Format("2006-01-02"))
-}
+}
--- a/features/features.go
+++ b/features/features.go
@@ -1,4 +1,4 @@
 // Package features provides utility functions for KVS authentication, validation,
 // logging, backup, and other operational features. These functions were extracted
 // from main.go to improve code organization and maintainability.
-package features
+package features
--- a/features/ratelimit.go
+++ b/features/ratelimit.go
@@ -5,4 +5,4 @@ import "fmt"
 // GetRateLimitKey generates the storage key for rate limiting
 func GetRateLimitKey(userUUID string, windowStart int64) string {
 	return fmt.Sprintf("ratelimit:%s:%d", userUUID, windowStart)
-}
+}
--- a/features/revision.go
+++ b/features/revision.go
@@ -5,4 +5,4 @@ import "fmt"
 // GetRevisionKey generates the storage key for a specific revision
 func GetRevisionKey(baseKey string, revision int) string {
 	return fmt.Sprintf("%s:rev:%d", baseKey, revision)
-}
+}
--- a/features/tamperlog.go
+++ b/features/tamperlog.go
@@ -21,4 +21,4 @@ func GenerateLogSignature(timestamp, action, userUUID, resource string) string {
 	// Concatenate all fields in a deterministic order
 	data := fmt.Sprintf("%s|%s|%s|%s", timestamp, action, userUUID, resource)
 	return utils.HashSHA3512(data)
-}
+}
--- a/features/validation.go
+++ b/features/validation.go
@@ -21,4 +21,4 @@ func ParseTTL(ttlString string) (time.Duration, error) {
 	}

 	return duration, nil
-}
+}