fix(0006f): cluster secret out of argv, migrate-to-kv TLS guard, R1/CA docs (audit 0008 lows)

Low-severity cluster hardening from audit 0008: - Route secret out of argv (N1-low): --cluster-pass and a nats://user:pass@host in --routes are visible in ps/journald. New --cluster-pass-file and the UNIBUS_CLUSTER_PASS env var (precedence file > env > flag); the resolved secret guards the route layer and is injected into bare --routes entries (injectRouteCreds), so peers can be listed as nats://host:6250 with no secret in argv. The legacy --cluster-pass stays for dev/compat. - migrate-to-kv confidentiality (N6): refuse a remote --nats-url without --ca (the allowlist would travel cleartext); loopback targets are exempt (isLoopbackURL). - Docs (N1 route CA, N3 DoS): deploy/README gains a Clustering section — use a SEPARATE cluster CA for routes (not the client CA), keep the secret out of argv, run migrate-to-kv loopback/TLS only, and R1 is a SPOF of auth (not HA); R3 quorum is real HA. The generated cert material lives in deploy/cluster/ (0006g). Tests: - TestResolveClusterPass (file > env > flag precedence; missing file errors), - TestInjectRouteCreds (injects only into userinfo-less routes; preserves overrides), - TestIsLoopbackURL (loopback vs remote vs malformed). CGO_ENABLED=0 go build/vet/test green; govulncheck 0 reachable. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 17:24:46 +02:00
parent 3a33656cac
commit b8201a82cd
5 changed files with 208 additions and 4 deletions
@@ -63,7 +63,12 @@ func main() {
 		clusterPort = flag.Int("cluster-port", 6250, "route listener port for server-to-server cluster traffic")
 		routesCSV   = flag.String("routes", "", "comma-separated nats-route URLs of the OTHER nodes, e.g. nats://user:pass@10.0.0.2:6250")
 		clusterUser = flag.String("cluster-user", "", "shared route secret username (gates the route listener)")
-		clusterPass = flag.String("cluster-pass", "", "shared route secret password")
+		clusterPass = flag.String("cluster-pass", "", "shared route secret password (argv-visible — prefer --cluster-pass-file or UNIBUS_CLUSTER_PASS)")
+		// Secret out of argv (issue 0006f, audit 0008 N1-low): a password in
+		// --cluster-pass / --routes is visible in ps/journald. Prefer a file or the
+		// UNIBUS_CLUSTER_PASS env var; routes may then omit userinfo and the secret
+		// is injected from here.
+		clusterPassFile = flag.String("cluster-pass-file", "", "path to a file holding the cluster route password (preferred over --cluster-pass; keeps the secret out of argv)")
 		routeTLSCert = flag.String("route-tls-cert", "", "this node's route certificate (CA-signed); enables mutual route TLS with --route-tls-key/--route-tls-ca")
 		routeTLSKey  = flag.String("route-tls-key", "", "this node's route private key")
 		routeTLSCA   = flag.String("route-tls-ca", "", "bus CA that signs every node's route certificate (deploy/tls/ca.crt)")
@@ -89,6 +94,14 @@ func main() {
 		log.Fatalf("--store must be \"sqlite\" or \"kv\", got %q", *storeBackend)
 	}

+	// Resolve the cluster route secret out of argv (file/env preferred). The
+	// resolved value (not *clusterPass) is what guards the route layer and is
+	// injected into peer route URLs below.
+	clusterPassResolved, passSource, err := resolveClusterPass(*clusterPass, *clusterPassFile, os.Getenv("UNIBUS_CLUSTER_PASS"))
+	if err != nil {
+		log.Fatalf("%v", err)
+	}
+
 	// Fail-open guard (audit H2): a non-loopback bind, or any TLS flag, demands
 	// --bus-auth enforce. This makes an insecure public startup impossible rather
 	// than silently exposing the bus with the appearance of security.
@@ -97,7 +110,7 @@ func main() {
 	}
 	// Cluster route guard (issue 0003a): a public cluster needs a route secret
 	// and mutual route TLS, and the route-TLS flags are all-or-nothing.
-	if err := validateClusterConfig(*clusterName, *bind, *clusterUser, *clusterPass, *routeTLSCert, *routeTLSKey, *routeTLSCA, authMode); err != nil {
+	if err := validateClusterConfig(*clusterName, *bind, *clusterUser, clusterPassResolved, *routeTLSCert, *routeTLSKey, *routeTLSCA, authMode); err != nil {
 		log.Fatalf("%v", err)
 	}

@@ -178,14 +191,21 @@ func main() {
 		}
 		// Cluster (issue 0003a): with a cluster name, join the route layer for HA.
 		if *clusterName != "" {
+			// Inject the resolved secret into peer route URLs that omit userinfo, so
+			// the password need not appear in --routes argv (issue 0006f).
+			routes, rerr := injectRouteCreds(splitRoutes(*routesCSV), *clusterUser, clusterPassResolved)
+			if rerr != nil {
+				log.Fatalf("%v", rerr)
+			}
 			cc := &embeddednats.ClusterConfig{
 				Name:     *clusterName,
 				Host:     *bind,
 				Port:     *clusterPort,
-				Routes:   splitRoutes(*routesCSV),
+				Routes:   routes,
 				Username: *clusterUser,
-				Password: *clusterPass,
+				Password: clusterPassResolved,
 			}
+			log.Printf("cluster route secret source: %s", passSource)
 			if *routeTLSCert != "" {
 				rtls, err := busauth.RouteTLSConfig(*routeTLSCert, *routeTLSKey, *routeTLSCA)
 				if err != nil {