ryyst
c7dcebb894
Implemented a comprehensive secure authentication mechanism for inter-node cluster communication with the following features: 1. Global Cluster Secret (GCS) - Auto-generated cryptographically secure random secret (256-bit) - Configurable via YAML config file - Shared across all cluster nodes for authentication 2. Cluster Authentication Middleware - Validates X-Cluster-Secret and X-Node-ID headers - Applied to all cluster endpoints (/members/*, /merkle_tree/*, /kv_range) - Comprehensive logging of authentication attempts 3. Authenticated HTTP Client - Custom HTTP client with cluster auth headers - TLS support with configurable certificate verification - Protocol-aware (http/https based on TLS settings) 4. Secure Bootstrap Endpoint - New /auth/cluster-bootstrap endpoint - Protected by JWT authentication with admin scope - Allows new nodes to securely obtain cluster secret 5. Updated Cluster Communication - All gossip protocol requests include auth headers - All Merkle tree sync requests include auth headers - All data replication requests include auth headers 6. Configuration - cluster_secret: Shared secret (auto-generated if not provided) - cluster_tls_enabled: Enable TLS for inter-node communication - cluster_tls_cert_file: Path to TLS certificate - cluster_tls_key_file: Path to TLS private key - cluster_tls_skip_verify: Skip TLS verification (testing only) This implementation addresses the security vulnerability of unprotected cluster endpoints and provides a flexible, secure approach to protecting internal cluster communication while allowing for automated node bootstrapping. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
78 lines
2.1 KiB
Go
78 lines
2.1 KiB
Go
package auth
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// ClusterAuthService handles authentication for inter-cluster communication
|
|
type ClusterAuthService struct {
|
|
clusterSecret string
|
|
logger *logrus.Logger
|
|
}
|
|
|
|
// NewClusterAuthService creates a new cluster authentication service
|
|
func NewClusterAuthService(clusterSecret string, logger *logrus.Logger) *ClusterAuthService {
|
|
return &ClusterAuthService{
|
|
clusterSecret: clusterSecret,
|
|
logger: logger,
|
|
}
|
|
}
|
|
|
|
// Middleware validates cluster authentication headers
|
|
func (s *ClusterAuthService) Middleware(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// Extract authentication headers
|
|
clusterSecret := r.Header.Get("X-Cluster-Secret")
|
|
nodeID := r.Header.Get("X-Node-ID")
|
|
|
|
// Log authentication attempt
|
|
s.logger.WithFields(logrus.Fields{
|
|
"node_id": nodeID,
|
|
"remote_addr": r.RemoteAddr,
|
|
"path": r.URL.Path,
|
|
"method": r.Method,
|
|
}).Debug("Cluster authentication attempt")
|
|
|
|
// Validate cluster secret
|
|
if clusterSecret == "" {
|
|
s.logger.WithFields(logrus.Fields{
|
|
"node_id": nodeID,
|
|
"remote_addr": r.RemoteAddr,
|
|
"path": r.URL.Path,
|
|
}).Warn("Missing X-Cluster-Secret header")
|
|
http.Error(w, "Unauthorized: Missing cluster secret", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
if clusterSecret != s.clusterSecret {
|
|
s.logger.WithFields(logrus.Fields{
|
|
"node_id": nodeID,
|
|
"remote_addr": r.RemoteAddr,
|
|
"path": r.URL.Path,
|
|
}).Warn("Invalid cluster secret")
|
|
http.Error(w, "Unauthorized: Invalid cluster secret", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
// Validate node ID is present
|
|
if nodeID == "" {
|
|
s.logger.WithFields(logrus.Fields{
|
|
"remote_addr": r.RemoteAddr,
|
|
"path": r.URL.Path,
|
|
}).Warn("Missing X-Node-ID header")
|
|
http.Error(w, "Unauthorized: Missing node ID", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
// Authentication successful
|
|
s.logger.WithFields(logrus.Fields{
|
|
"node_id": nodeID,
|
|
"path": r.URL.Path,
|
|
}).Debug("Cluster authentication successful")
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|