ryyst/kalzu-value-store
1
0
Fork 1
Code Issues 6 Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
4c3fcbc45ac804b3455f07d66401c142118158a7
kalzu-value-store/features/auth.go
ryyst c7dcebb894 feat: implement secure cluster authentication (issue #13) 
Implemented a comprehensive secure authentication mechanism for inter-node
cluster communication with the following features:

1. Global Cluster Secret (GCS)
   - Auto-generated cryptographically secure random secret (256-bit)
   - Configurable via YAML config file
   - Shared across all cluster nodes for authentication

2. Cluster Authentication Middleware
   - Validates X-Cluster-Secret and X-Node-ID headers
   - Applied to all cluster endpoints (/members/*, /merkle_tree/*, /kv_range)
   - Comprehensive logging of authentication attempts

3. Authenticated HTTP Client
   - Custom HTTP client with cluster auth headers
   - TLS support with configurable certificate verification
   - Protocol-aware (http/https based on TLS settings)

4. Secure Bootstrap Endpoint
   - New /auth/cluster-bootstrap endpoint
   - Protected by JWT authentication with admin scope
   - Allows new nodes to securely obtain cluster secret

5. Updated Cluster Communication
   - All gossip protocol requests include auth headers
   - All Merkle tree sync requests include auth headers
   - All data replication requests include auth headers

6. Configuration
   - cluster_secret: Shared secret (auto-generated if not provided)
   - cluster_tls_enabled: Enable TLS for inter-node communication
   - cluster_tls_cert_file: Path to TLS certificate
   - cluster_tls_key_file: Path to TLS private key
   - cluster_tls_skip_verify: Skip TLS verification (testing only)

This implementation addresses the security vulnerability of unprotected
cluster endpoints and provides a flexible, secure approach to protecting
internal cluster communication while allowing for automated node bootstrapping.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-02 22:19:40 +03:00

103 lines
2.5 KiB
Go
Raw Blame History

package features
import (
"fmt"
"net/http"
"strings"
"github.com/gorilla/mux"
"kvs/types"
)
// AuthContext holds authentication information for a request
type AuthContext struct {
UserUUID string `json:"user_uuid"`
Scopes []string `json:"scopes"`
Groups []string `json:"groups"`
}
// CheckPermission validates if a user has permission to perform an operation
func CheckPermission(permissions int, operation string, isOwner, isGroupMember bool) bool {
switch operation {
case "create":
if isOwner {
return (permissions & types.PermOwnerCreate) != 0
}
if isGroupMember {
return (permissions & types.PermGroupCreate) != 0
}
return (permissions & types.PermOthersCreate) != 0
case "delete":
if isOwner {
return (permissions & types.PermOwnerDelete) != 0
}
if isGroupMember {
return (permissions & types.PermGroupDelete) != 0
}
return (permissions & types.PermOthersDelete) != 0
case "write":
if isOwner {
return (permissions & types.PermOwnerWrite) != 0
}
if isGroupMember {
return (permissions & types.PermGroupWrite) != 0
}
return (permissions & types.PermOthersWrite) != 0
case "read":
if isOwner {
return (permissions & types.PermOwnerRead) != 0
}
if isGroupMember {
return (permissions & types.PermGroupRead) != 0
}
return (permissions & types.PermOthersRead) != 0
default:
return false
}
}
// CheckUserResourceRelationship determines user relationship to resource
func CheckUserResourceRelationship(userUUID string, metadata *types.ResourceMetadata, userGroups []string) (isOwner, isGroupMember bool) {
isOwner = (userUUID == metadata.OwnerUUID)
if metadata.GroupUUID != "" {
for _, groupUUID := range userGroups {
if groupUUID == metadata.GroupUUID {
isGroupMember = true
break
}
}
}
return isOwner, isGroupMember
}
// ExtractTokenFromHeader extracts the Bearer token from the Authorization header
func ExtractTokenFromHeader(r *http.Request) (string, error) {
authHeader := r.Header.Get("Authorization")
if authHeader == "" {
return "", fmt.Errorf("missing authorization header")
}
parts := strings.Split(authHeader, " ")
if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" {
return "", fmt.Errorf("invalid authorization header format")
}
return parts[1], nil
}
// ExtractKVResourceKey extracts KV resource key from request
func ExtractKVResourceKey(r *http.Request) string {
vars := mux.Vars(r)
if path, ok := vars["path"]; ok {
return path
}
return ""
}
Reference in New Issue View Git Blame Copy Permalink