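package auth

import (
	"crypto/subtle"
	"net/http"

	"github.com/sirupsen/logrus"
)

// ClusterAuthService handles authentication for inter-cluster communication.
// A request is accepted only when it carries the shared cluster secret in the
// X-Cluster-Secret header and a node identifier in the X-Node-ID header.
type ClusterAuthService struct {
	clusterSecret string // shared secret every peer must present
	logger        *logrus.Logger
}

// NewClusterAuthService creates a new cluster authentication service.
//
// clusterSecret is the value peers must send in X-Cluster-Secret; logger
// receives one Debug entry per attempt and one Warn entry per rejection.
func NewClusterAuthService(clusterSecret string, logger *logrus.Logger) *ClusterAuthService {
	return &ClusterAuthService{
		clusterSecret: clusterSecret,
		logger:        logger,
	}
}

// secretMatches reports whether presented equals the configured cluster secret.
// The comparison is constant-time so that response latency does not reveal how
// many leading bytes of a presented value were correct; a plain != would leak
// that. (Length is still distinguishable, which is the standard trade-off.)
func (s *ClusterAuthService) secretMatches(presented string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(s.clusterSecret)) == 1
}

// Middleware validates cluster authentication headers and, on success, hands
// the request to next.
//
// The request is rejected with 401 when X-Cluster-Secret is absent or does not
// match the configured secret, or when X-Node-ID is absent. The presented
// secret is never written to the log; only node ID, remote address, path and
// method are recorded.
func (s *ClusterAuthService) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		clusterSecret := r.Header.Get("X-Cluster-Secret")
		nodeID := r.Header.Get("X-Node-ID")

		s.logger.WithFields(logrus.Fields{
			"node_id":     nodeID,
			"remote_addr": r.RemoteAddr,
			"path":        r.URL.Path,
			"method":      r.Method,
		}).Debug("Cluster authentication attempt")

		// Checks run in the same order as before (secret presence, secret
		// value, node ID) so callers see the same status text and log lines.
		if clusterSecret == "" {
			s.logger.WithFields(logrus.Fields{
				"node_id":     nodeID,
				"remote_addr": r.RemoteAddr,
				"path":        r.URL.Path,
			}).Warn("Missing X-Cluster-Secret header")
			http.Error(w, "Unauthorized: Missing cluster secret", http.StatusUnauthorized)
			return
		}

		if !s.secretMatches(clusterSecret) {
			s.logger.WithFields(logrus.Fields{
				"node_id":     nodeID,
				"remote_addr": r.RemoteAddr,
				"path":        r.URL.Path,
			}).Warn("Invalid cluster secret")
			http.Error(w, "Unauthorized: Invalid cluster secret", http.StatusUnauthorized)
			return
		}

		if nodeID == "" {
			s.logger.WithFields(logrus.Fields{
				"remote_addr": r.RemoteAddr,
				"path":        r.URL.Path,
			}).Warn("Missing X-Node-ID header")
			http.Error(w, "Unauthorized: Missing node ID", http.StatusUnauthorized)
			return
		}

		s.logger.WithFields(logrus.Fields{
			"node_id": nodeID,
			"path":    r.URL.Path,
		}).Debug("Cluster authentication successful")

		next.ServeHTTP(w, r)
	})
}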