feat: implement secure cluster authentication (issue #13)

Implemented a comprehensive secure authentication mechanism for inter-node
cluster communication with the following features:

1. Global Cluster Secret (GCS)
   - Auto-generated cryptographically secure random secret (256-bit)
   - Configurable via YAML config file
   - Shared across all cluster nodes for authentication

2. Cluster Authentication Middleware
   - Validates X-Cluster-Secret and X-Node-ID headers
   - Applied to all cluster endpoints (/members/*, /merkle_tree/*, /kv_range)
   - Comprehensive logging of authentication attempts

3. Authenticated HTTP Client
   - Custom HTTP client with cluster auth headers
   - TLS support with configurable certificate verification
   - Protocol-aware (http/https based on TLS settings)

4. Secure Bootstrap Endpoint
   - New /auth/cluster-bootstrap endpoint
   - Protected by JWT authentication with admin scope
   - Allows new nodes to securely obtain cluster secret

5. Updated Cluster Communication
   - All gossip protocol requests include auth headers
   - All Merkle tree sync requests include auth headers
   - All data replication requests include auth headers

6. Configuration
   - cluster_secret: Shared secret (auto-generated if not provided)
   - cluster_tls_enabled: Enable TLS for inter-node communication
   - cluster_tls_cert_file: Path to TLS certificate
   - cluster_tls_key_file: Path to TLS private key
   - cluster_tls_skip_verify: Skip TLS verification (testing only)

This implementation addresses the security vulnerability of unprotected
cluster endpoints and provides a flexible, secure approach to protecting
internal cluster communication while allowing for automated node bootstrapping.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

server/handlers.go

@@ -22,8 +22,6 @@ import (
 	"kvs/utils"
 )
 
-
-
 // healthHandler returns server health status
 func (s *Server) healthHandler(w http.ResponseWriter, r *http.Request) {
 	mode := s.getMode()
@@ -1271,3 +1269,29 @@ func (s *Server) getRevisionHistory(key string) ([]map[string]interface{}, error
 func (s *Server) getSpecificRevision(key string, revision int) (*types.StoredValue, error) {
 	return s.revisionService.GetSpecificRevision(key, revision)
 }
+
+// clusterBootstrapHandler provides the cluster secret to authenticated administrators (Issue #13)
+func (s *Server) clusterBootstrapHandler(w http.ResponseWriter, r *http.Request) {
+	// Ensure clustering is enabled
+	if !s.config.ClusteringEnabled {
+		http.Error(w, "Clustering is disabled", http.StatusServiceUnavailable)
+		return
+	}
+
+	// Ensure cluster secret is configured
+	if s.config.ClusterSecret == "" {
+		s.logger.Error("Cluster secret is not configured")
+		http.Error(w, "Cluster secret is not configured", http.StatusInternalServerError)
+		return
+	}
+
+	// Return the cluster secret for secure bootstrap
+	response := map[string]string{
+		"cluster_secret": s.config.ClusterSecret,
+	}
+
+	s.logger.WithField("remote_addr", r.RemoteAddr).Info("Cluster secret retrieved for bootstrap")
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}

server/routes.go

@@ -1,6 +1,8 @@
 package server
 
 import (
+	"net/http"
+
 	"github.com/gorilla/mux"
 )
 
@@ -20,7 +22,7 @@ func (s *Server) setupRoutes() *mux.Router {
 	} else {
 		router.HandleFunc("/kv/{path:.+}", s.getKVHandler).Methods("GET")
 	}
-	
+
 	// PUT endpoint - require auth if anonymous write is disabled
 	if s.config.AuthEnabled && !s.config.AllowAnonymousWrite {
 		router.Handle("/kv/{path:.+}", s.authService.Middleware(
@@ -29,7 +31,7 @@ func (s *Server) setupRoutes() *mux.Router {
 	} else {
 		router.HandleFunc("/kv/{path:.+}", s.putKVHandler).Methods("PUT")
 	}
-	
+
 	// DELETE endpoint - always require authentication (no anonymous delete)
 	if s.config.AuthEnabled {
 		router.Handle("/kv/{path:.+}", s.authService.Middleware(
@@ -41,16 +43,31 @@ func (s *Server) setupRoutes() *mux.Router {
 
 	// Member endpoints (available when clustering is enabled)
 	if s.config.ClusteringEnabled {
-		router.HandleFunc("/members/", s.getMembersHandler).Methods("GET")
-		router.HandleFunc("/members/join", s.joinMemberHandler).Methods("POST")
-		router.HandleFunc("/members/leave", s.leaveMemberHandler).Methods("DELETE")
-		router.HandleFunc("/members/gossip", s.gossipHandler).Methods("POST")
-		router.HandleFunc("/members/pairs_by_time", s.pairsByTimeHandler).Methods("POST")
+		// Apply cluster authentication middleware if cluster secret is configured
+		if s.clusterAuthService != nil {
+			router.Handle("/members/", s.clusterAuthService.Middleware(http.HandlerFunc(s.getMembersHandler))).Methods("GET")
+			router.Handle("/members/join", s.clusterAuthService.Middleware(http.HandlerFunc(s.joinMemberHandler))).Methods("POST")
+			router.Handle("/members/leave", s.clusterAuthService.Middleware(http.HandlerFunc(s.leaveMemberHandler))).Methods("DELETE")
+			router.Handle("/members/gossip", s.clusterAuthService.Middleware(http.HandlerFunc(s.gossipHandler))).Methods("POST")
+			router.Handle("/members/pairs_by_time", s.clusterAuthService.Middleware(http.HandlerFunc(s.pairsByTimeHandler))).Methods("POST")
 
-		// Merkle Tree endpoints (clustering feature)
-		router.HandleFunc("/merkle_tree/root", s.getMerkleRootHandler).Methods("GET")
-		router.HandleFunc("/merkle_tree/diff", s.getMerkleDiffHandler).Methods("POST")
-		router.HandleFunc("/kv_range", s.getKVRangeHandler).Methods("POST")
+			// Merkle Tree endpoints (clustering feature)
+			router.Handle("/merkle_tree/root", s.clusterAuthService.Middleware(http.HandlerFunc(s.getMerkleRootHandler))).Methods("GET")
+			router.Handle("/merkle_tree/diff", s.clusterAuthService.Middleware(http.HandlerFunc(s.getMerkleDiffHandler))).Methods("POST")
+			router.Handle("/kv_range", s.clusterAuthService.Middleware(http.HandlerFunc(s.getKVRangeHandler))).Methods("POST")
+		} else {
+			// Fallback to unprotected endpoints (for backwards compatibility)
+			router.HandleFunc("/members/", s.getMembersHandler).Methods("GET")
+			router.HandleFunc("/members/join", s.joinMemberHandler).Methods("POST")
+			router.HandleFunc("/members/leave", s.leaveMemberHandler).Methods("DELETE")
+			router.HandleFunc("/members/gossip", s.gossipHandler).Methods("POST")
+			router.HandleFunc("/members/pairs_by_time", s.pairsByTimeHandler).Methods("POST")
+
+			// Merkle Tree endpoints (clustering feature)
+			router.HandleFunc("/merkle_tree/root", s.getMerkleRootHandler).Methods("GET")
+			router.HandleFunc("/merkle_tree/diff", s.getMerkleDiffHandler).Methods("POST")
+			router.HandleFunc("/kv_range", s.getKVRangeHandler).Methods("POST")
+		}
 	}
 
 	// Authentication and user management endpoints (available when auth is enabled)
@@ -59,15 +76,15 @@ func (s *Server) setupRoutes() *mux.Router {
 		router.Handle("/api/users", s.authService.Middleware(
 			[]string{"admin:users:create"}, nil, "",
 		)(s.createUserHandler)).Methods("POST")
-		
+
 		router.Handle("/api/users/{uuid}", s.authService.Middleware(
 			[]string{"admin:users:read"}, nil, "",
 		)(s.getUserHandler)).Methods("GET")
-		
+
 		router.Handle("/api/users/{uuid}", s.authService.Middleware(
 			[]string{"admin:users:update"}, nil, "",
 		)(s.updateUserHandler)).Methods("PUT")
-		
+
 		router.Handle("/api/users/{uuid}", s.authService.Middleware(
 			[]string{"admin:users:delete"}, nil, "",
 		)(s.deleteUserHandler)).Methods("DELETE")
@@ -76,15 +93,15 @@ func (s *Server) setupRoutes() *mux.Router {
 		router.Handle("/api/groups", s.authService.Middleware(
 			[]string{"admin:groups:create"}, nil, "",
 		)(s.createGroupHandler)).Methods("POST")
-		
+
 		router.Handle("/api/groups/{uuid}", s.authService.Middleware(
 			[]string{"admin:groups:read"}, nil, "",
 		)(s.getGroupHandler)).Methods("GET")
-		
+
 		router.Handle("/api/groups/{uuid}", s.authService.Middleware(
 			[]string{"admin:groups:update"}, nil, "",
 		)(s.updateGroupHandler)).Methods("PUT")
-		
+
 		router.Handle("/api/groups/{uuid}", s.authService.Middleware(
 			[]string{"admin:groups:delete"}, nil, "",
 		)(s.deleteGroupHandler)).Methods("DELETE")
@@ -93,6 +110,12 @@ func (s *Server) setupRoutes() *mux.Router {
 		router.Handle("/api/tokens", s.authService.Middleware(
 			[]string{"admin:tokens:create"}, nil, "",
 		)(s.createTokenHandler)).Methods("POST")
+
+		// Cluster Bootstrap endpoint (Issue #13) - Protected by JWT authentication
+		// Allows authenticated administrators to retrieve the cluster secret for new nodes
+		router.Handle("/auth/cluster-bootstrap", s.authService.Middleware(
+			[]string{"admin:tokens:create"}, nil, "",
+		)(s.clusterBootstrapHandler)).Methods("GET")
 	}
 
 	// Revision History endpoints (available when revision history is enabled)

server/server.go

@@ -50,7 +50,8 @@ type Server struct {
 	backupMu      sync.RWMutex       // Protects backup status
 
 	// Authentication service
-	authService *auth.AuthService
+	authService        *auth.AuthService
+	clusterAuthService *auth.ClusterAuthService
 }
 
 // NewServer initializes and returns a new Server instance
@@ -120,6 +121,11 @@ func NewServer(config *types.Config) (*Server, error) {
 	// Initialize authentication service
 	server.authService = auth.NewAuthService(db, logger, config)
 
+	// Initialize cluster authentication service (Issue #13)
+	if config.ClusteringEnabled {
+		server.clusterAuthService = auth.NewClusterAuthService(config.ClusterSecret, logger)
+	}
+
 	// Setup initial root account if needed (Issue #3)
 	if config.AuthEnabled {
 		if err := server.setupRootAccount(); err != nil {
@@ -219,7 +225,7 @@ func (s *Server) setupRootAccount() error {
 func (s *Server) createRootUserAndToken() error {
 	rootNickname := "root"
 	adminGroupName := "admin"
-	
+
 	// Generate UUIDs
 	rootUserUUID := "root-" + time.Now().Format("20060102-150405")
 	adminGroupUUID := "admin-" + time.Now().Format("20060102-150405")
@@ -234,7 +240,7 @@ func (s *Server) createRootUserAndToken() error {
 		UpdatedAt: now,
 	}
 
-	// Create root user  
+	// Create root user
 	rootUser := types.User{
 		UUID:         rootUserUUID,
 		NicknameHash: hashUserNickname(rootNickname),
@@ -251,7 +257,7 @@ func (s *Server) createRootUserAndToken() error {
 	// Create API token with full administrative scopes
 	adminScopes := []string{
 		"admin:users:create", "admin:users:read", "admin:users:update", "admin:users:delete",
-		"admin:groups:create", "admin:groups:read", "admin:groups:update", "admin:groups:delete", 
+		"admin:groups:create", "admin:groups:read", "admin:groups:update", "admin:groups:delete",
 		"admin:tokens:create", "admin:tokens:revoke",
 		"read", "write", "delete",
 	}
@@ -269,13 +275,13 @@ func (s *Server) createRootUserAndToken() error {
 
 	// Log the token securely (one-time display)
 	s.logger.WithFields(logrus.Fields{
-		"user_uuid":    rootUserUUID,
-		"group_uuid":   adminGroupUUID,
-		"expires_at":   time.Unix(expiresAt, 0).Format(time.RFC3339),
-		"expires_in":   "24 hours",
+		"user_uuid":  rootUserUUID,
+		"group_uuid": adminGroupUUID,
+		"expires_at": time.Unix(expiresAt, 0).Format(time.RFC3339),
+		"expires_in": "24 hours",
 	}).Warn("Root account created - SAVE THIS TOKEN:")
 
-	// Display token prominently  
+	// Display token prominently
 	fmt.Printf("\n" + strings.Repeat("=", 80) + "\n")
 	fmt.Printf("🔐 ROOT ACCOUNT CREATED - INITIAL SETUP TOKEN\n")
 	fmt.Printf("===========================================\n")
@@ -309,7 +315,7 @@ func (s *Server) storeUserAndGroup(user *types.User, group *types.Group) error {
 		if err != nil {
 			return fmt.Errorf("failed to marshal user data: %v", err)
 		}
-		
+
 		if err := txn.Set([]byte(auth.UserStorageKey(user.UUID)), userData); err != nil {
 			return fmt.Errorf("failed to store user: %v", err)
 		}
@@ -319,7 +325,7 @@ func (s *Server) storeUserAndGroup(user *types.User, group *types.Group) error {
 		if err != nil {
 			return fmt.Errorf("failed to marshal group data: %v", err)
 		}
-		
+
 		if err := txn.Set([]byte(auth.GroupStorageKey(group.UUID)), groupData); err != nil {
 			return fmt.Errorf("failed to store group: %v", err)
 		}
@@ -327,4 +333,3 @@ func (s *Server) storeUserAndGroup(user *types.User, group *types.Group) error {
 		return nil
 	})
 }
-