unibus

dataforge/unibus

Fork 0

Commit Graph

Author	SHA1	Message	Date
egutierrez	87ef52cc80	fix(0005e): wire per-subject ACL into membershipd (close H4 wildcard metadata leak) The per-subject data-plane ACL existed since 0003e (membership.SubjectACLFor + busauth.NewNkeyAuthenticatorACL, unit-tested in TestSubjectACLIsolation) but the binary never used it: cmd/membershipd installed the plain NewNkeyAuthenticator, so in production a registered NON-member could open a raw NATS connection, Subscribe(">"), and harvest every room's subject plus JetStream stream/advisory activity (payload stayed E2E ciphertext, metadata leaked) — the re-audit's H4 vector (report 0006). Fix: - New busauth.PermissionsFromSubjects adapts a subject-deriving function into the PermissionsFunc the ACL authenticator expects (subjects granted as both the publish and subscribe allow set; a derivation error fails closed). It lives in busauth so membership stays free of the nats-server dependency. - cmd/membershipd, under enforce, now installs NewNkeyAuthenticatorACL(store.IsAuthorized, PermissionsFromSubjects(membership.SubjectACLFor(store))) so every connection is confined to the subjects of the rooms it belongs to plus the client-infra subjects. - pkg/membership/acl_test.go's helper now delegates to the production wiring (PermissionsFromSubjects) instead of a test-only reimplementation, so the tests exercise the real path. Verification (pkg/membership/acl_test.go): - TestReaudit_H4_WildcardMetadataLeak: a non-member's Subscribe(">") and any foreign-subject subscribe raise permission violations; the member still pub/subs her own room and the non-member captures nothing. With the plain authenticator (the pre-0005e wiring) the test fails ("wildcard metadata leak still open"), confirming the wiring is what closes it. - TestSubjectACLIsolation / TestRefreshSessionGainsNewRoom still green. - CGO_ENABLED=0 go build ./... && go vet ./... && go test -count=1 ./... green. Residual (documented): the client-infra grant includes "$JS.API.>", shared by all peers so per-connection JetStream works; a peer that subscribes specifically to "$JS.API.>" can still observe stream-management requests whose subjects embed the room-derived stream name. Fully closing that needs NATS accounts/permissions per identity (deferred to the 0003 decentralization line). Operational note: NATS freezes permissions at connect time, so clients must client.RefreshSession after a membership change to gain a new room's subject; cmd/chat and cmd/worker do not yet call it, a functional gap to close before an enforce+ACL deployment. Refs: report 0006 H4, issue 0005e. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 16:15:52 +02:00
agent	96abb75a2e	feat(0003e/3): per-subject data-plane ACL from room membership (audit H4) Closes the residual the 0004 hardening deferred: the NATS authenticator can now confine a registered peer to the subjects of the rooms it belongs to, instead of letting any registered identity sub/pub on any subject. The dynamic-membership reconnection model the audit named is provided by client.RefreshSession. pkg/busauth: - verifyNkey factors out the shared nkey verification. - NewNkeyAuthenticatorACL + PermissionsFunc: an authenticator that, after authorizing, derives and RegisterUser()s per-subject permissions. A derivation error denies the connection (fail closed). pkg/membership: - SubjectACLFor(store) maps a signing pubkey to the subjects it may use: the subject of every room it belongs to, plus the client infrastructure subjects (_INBOX.>, $JS.API.> for request/reply and the persisted plane). pkg/client: - RefreshSession() rebuilds the data-plane connection so the authenticator re-derives permissions after a membership change (NATS freezes permissions at connect time). It retains the seeds/options to reconnect; active subscriptions are dropped and must be re-made (documented). Tests (DoD: isolation + refresh): - TestSubjectACLIsolation: alice (member of room.A) may sub/pub room.A but is DENIED sub and pub on room.B (permissions violation), and never reads bob's room.B traffic; bob never receives alice's cross-room publish. - TestRefreshSessionGainsNewRoom: alice has no permission for room B until she is added and calls RefreshSession; the reconnect grants the subject and she then receives room B traffic. Scope note: the per-subject ACL authenticator is opt-in (NewServer/ membershipd keep the open authenticator by default) and is wired in with the decentralized boot path; auto-RefreshSession on every membership change (fully transparent) remains for 0003f. Master behavior unchanged.	2026-06-07 15:27:45 +02:00

Author

SHA1

Message

Date

egutierrez

87ef52cc80

fix(0005e): wire per-subject ACL into membershipd (close H4 wildcard metadata leak)

The per-subject data-plane ACL existed since 0003e (membership.SubjectACLFor +
busauth.NewNkeyAuthenticatorACL, unit-tested in TestSubjectACLIsolation) but the
binary never used it: cmd/membershipd installed the plain NewNkeyAuthenticator, so
in production a registered NON-member could open a raw NATS connection,
Subscribe(">"), and harvest every room's subject plus JetStream stream/advisory
activity (payload stayed E2E ciphertext, metadata leaked) — the re-audit's H4
vector (report 0006).

Fix:
- New busauth.PermissionsFromSubjects adapts a subject-deriving function into the
  PermissionsFunc the ACL authenticator expects (subjects granted as both the
  publish and subscribe allow set; a derivation error fails closed). It lives in
  busauth so membership stays free of the nats-server dependency.
- cmd/membershipd, under enforce, now installs
  NewNkeyAuthenticatorACL(store.IsAuthorized,
    PermissionsFromSubjects(membership.SubjectACLFor(store)))
  so every connection is confined to the subjects of the rooms it belongs to plus
  the client-infra subjects.
- pkg/membership/acl_test.go's helper now delegates to the production wiring
  (PermissionsFromSubjects) instead of a test-only reimplementation, so the tests
  exercise the real path.

Verification (pkg/membership/acl_test.go):
- TestReaudit_H4_WildcardMetadataLeak: a non-member's Subscribe(">") and any
  foreign-subject subscribe raise permission violations; the member still pub/subs
  her own room and the non-member captures nothing. With the plain authenticator
  (the pre-0005e wiring) the test fails ("wildcard metadata leak still open"),
  confirming the wiring is what closes it.
- TestSubjectACLIsolation / TestRefreshSessionGainsNewRoom still green.
- CGO_ENABLED=0 go build ./... && go vet ./... && go test -count=1 ./...  green.

Residual (documented): the client-infra grant includes "$JS.API.>", shared by all
peers so per-connection JetStream works; a peer that subscribes specifically to
"$JS.API.>" can still observe stream-management requests whose subjects embed the
room-derived stream name. Fully closing that needs NATS accounts/permissions per
identity (deferred to the 0003 decentralization line). Operational note: NATS
freezes permissions at connect time, so clients must client.RefreshSession after a
membership change to gain a new room's subject; cmd/chat and cmd/worker do not yet
call it, a functional gap to close before an enforce+ACL deployment.

Refs: report 0006 H4, issue 0005e.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-07 16:15:52 +02:00

agent

96abb75a2e

feat(0003e/3): per-subject data-plane ACL from room membership (audit H4)

Closes the residual the 0004 hardening deferred: the NATS authenticator
can now confine a registered peer to the subjects of the rooms it
belongs to, instead of letting any registered identity sub/pub on any
subject. The dynamic-membership reconnection model the audit named is
provided by client.RefreshSession.

pkg/busauth:
- verifyNkey factors out the shared nkey verification.
- NewNkeyAuthenticatorACL + PermissionsFunc: an authenticator that, after
  authorizing, derives and RegisterUser()s per-subject permissions. A
  derivation error denies the connection (fail closed).

pkg/membership:
- SubjectACLFor(store) maps a signing pubkey to the subjects it may use:
  the subject of every room it belongs to, plus the client infrastructure
  subjects (_INBOX.>, $JS.API.> for request/reply and the persisted plane).

pkg/client:
- RefreshSession() rebuilds the data-plane connection so the authenticator
  re-derives permissions after a membership change (NATS freezes
  permissions at connect time). It retains the seeds/options to reconnect;
  active subscriptions are dropped and must be re-made (documented).

Tests (DoD: isolation + refresh):
- TestSubjectACLIsolation: alice (member of room.A) may sub/pub room.A but
  is DENIED sub and pub on room.B (permissions violation), and never reads
  bob's room.B traffic; bob never receives alice's cross-room publish.
- TestRefreshSessionGainsNewRoom: alice has no permission for room B until
  she is added and calls RefreshSession; the reconnect grants the subject
  and she then receives room B traffic.

Scope note: the per-subject ACL authenticator is opt-in (NewServer/
membershipd keep the open authenticator by default) and is wired in with
the decentralized boot path; auto-RefreshSession on every membership
change (fully transparent) remains for 0003f. Master behavior unchanged.

2026-06-07 15:27:45 +02:00

2 Commits