dataforge/unibus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3a33656cac4a07dae0fadfc5a6d0862d2582c8a1
unibus/cmd/chat/main.go
T
egutierrez 2f5b372a80 fix(0006e): call RefreshSession after membership changes in all clients (audit 0008 N4) 
A secured bus freezes per-subject permissions at connect time, so a peer that
creates or joins a room after connecting cannot pub/sub on it until it reconnects
(RefreshSession). No client called it, so under enforce+ACL the demos failed
closed — pushing the operator to disable the ACL (a security regression at the
operator's discretion).

Wire the membership-change contract into every client:
- cmd/worker: RefreshSession after CreateRoom, before publishing.
- cmd/chat (simple): RefreshSession after CreateRoom+Join, before Subscribe.
- cmd/chat (encrypted demo): A refreshes after CreateRoom; B refreshes after the
  invite+join, both before pub/sub.
- local_files/bridge (gateway): RefreshSession after CreateRoom+Join, before Subscribe.
- mobile: new Session.RefreshSession wrapper + the contract documented for callers.

Contract (documented on the wrappers): after ANY membership change, call
RefreshSession BEFORE pub/sub on the new room (it drops active subs, so it must
precede Subscribe). On an unsecured/dev bus it is a harmless reconnect.

Test:
- TestClientCreateRoomRefreshPublishFlow: end-to-end under enforce+ACL, a peer
  creates a room, refreshes, invites a second peer who joins+refreshes+subscribes,
  and the publish is received — no manual intervention, the ACL stays on.

CGO_ENABLED=0 go build/vet/test green; govulncheck 0 reachable.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 17:21:14 +02:00

201 lines
6.5 KiB
Go
Raw Blame History

// Command chat is a demo peer with two modes.
//
// Simple mode (default): joins a room subject and prints every received message
// live. It validates uniformity worker<->chat: a process publishes, a human UI
// subscribes, both speak the same protocol.
//
// Encrypted demo (--demo-encrypted): a self-contained script against a running
// membershipd that proves E2E encryption and forward secrecy. A creates an
// encrypted room, invites B, A publishes a message B can decrypt, then A kicks
// B and publishes again at the new epoch — B can no longer decrypt. Prints a
// PASS/FAIL summary of each assertion.
package main
import (
"flag"
"fmt"
"log"
"os"
"os/signal"
"syscall"
"time"
"github.com/enmanuel/unibus/pkg/client"
"github.com/enmanuel/unibus/pkg/frame"
"github.com/enmanuel/unibus/pkg/room"
)
func main() {
var (
natsURL = flag.String("nats-url", "nats://127.0.0.1:4250", "NATS url")
ctrlURL = flag.String("ctrl-url", "http://127.0.0.1:8470", "membershipd control-plane url")
roomSub = flag.String("room", "proc.test.ticks", "room subject to subscribe to")
idFile = flag.String("id-file", "./local_files/chat.id", "identity file path")
demoEnc = flag.Bool("demo-encrypted", false, "run the encrypted forward-secrecy demo")
caFile = flag.String("ca", "", "path to the bus CA cert (ca.crt); set to connect with TLS + nkey to a secured bus")
)
flag.Parse()
log.SetFlags(log.LstdFlags | log.Lmsgprefix)
log.SetPrefix("[chat] ")
if *demoEnc {
runEncryptedDemo(*natsURL, *ctrlURL, *caFile)
return
}
runSimple(*natsURL, *ctrlURL, *roomSub, *idFile, *caFile)
}
// runSimple subscribes to a cleartext subject and prints messages live.
func runSimple(natsURL, ctrlURL, roomSub, idFile, caFile string) {
id, err := client.LoadOrCreateIdentity(idFile)
if err != nil {
log.Fatalf("identity: %v", err)
}
c, err := client.Connect(natsURL, ctrlURL, id, caFile)
if err != nil {
log.Fatalf("connect: %v", err)
}
defer c.Close()
log.Printf("endpoint: %s", c.Endpoint().ID)
// A subscriber needs a room to resolve the subject + policy. For the
// cleartext demo each peer owns a room mapped to the shared subject; NATS
// fans out by subject so worker publishes reach this subscription.
roomID, err := c.CreateRoom(roomSub, room.ModeNATS)
if err != nil {
log.Fatalf("create room: %v", err)
}
if err := c.Join(roomID); err != nil {
log.Fatalf("join: %v", err)
}
// Membership-change contract (issue 0006e): refresh so the just-created room's
// subject is subscribable under enforce+ACL (permissions are frozen at connect
// time). Must run BEFORE Subscribe — RefreshSession drops active subscriptions.
if err := c.RefreshSession(); err != nil {
log.Fatalf("refresh session after create room: %v", err)
}
sub, err := c.Subscribe(roomID, func(f frame.Frame, plaintext []byte) {
fmt.Printf("[%s] %s: %s\n", f.Subject, shortID(f.Sender), string(plaintext))
})
if err != nil {
log.Fatalf("subscribe: %v", err)
}
defer sub.Unsubscribe()
log.Printf("subscribed to %q; waiting for messages (Ctrl-C to stop)", roomSub)
stop := make(chan os.Signal, 1)
signal.Notify(stop, syscall.SIGINT, syscall.SIGTERM)
<-stop
log.Printf("bye")
}
func shortID(id string) string {
if len(id) > 8 {
return id[:8]
}
return id
}
// runEncryptedDemo proves E2E encryption + forward secrecy end-to-end.
func runEncryptedDemo(natsURL, ctrlURL, caFile string) {
log.Printf("=== encrypted forward-secrecy demo ===")
pass := true
check := func(name string, ok bool) {
status := "PASS"
if !ok {
status = "FAIL"
pass = false
}
fmt.Printf(" [%s] %s\n", status, name)
}
// Two identities: A (owner) and B (invitee). In-memory only (demo).
idA, err := newEphemeralIdentity()
must(err, "generate A identity")
idB, err := newEphemeralIdentity()
must(err, "generate B identity")
a, err := client.Connect(natsURL, ctrlURL, idA, caFile)
must(err, "connect A")
defer a.Close()
b, err := client.Connect(natsURL, ctrlURL, idB, caFile)
must(err, "connect B")
defer b.Close()
// A creates an encrypted room.
roomID, err := a.CreateRoom("room.test", room.ModeMatrix)
must(err, "A create room")
fmt.Printf(" room.test -> %s (E2E, persisted, signed)\n", roomID)
// Membership-change contract (issue 0006e): A only became a member of this room
// after connecting, so refresh to gain its subject + per-room JetStream API
// under enforce+ACL before publishing.
must(a.RefreshSession(), "A refresh after create room")
// A invites B (seals K to B's X25519 key).
must(a.Invite(roomID, b.Endpoint()), "A invite B")
// B joins (fetches + decrypts K).
must(b.Join(roomID), "B join")
// B became a member via the invite above; refresh so B can subscribe to the
// room's subject under enforce+ACL (before subscribing — refresh drops subs).
must(b.RefreshSession(), "B refresh after join")
// B subscribes; capture received plaintexts.
recv := make(chan string, 4)
subB, err := b.Subscribe(roomID, func(f frame.Frame, plaintext []byte) {
recv <- string(plaintext)
})
must(err, "B subscribe")
defer subB.Unsubscribe()
time.Sleep(200 * time.Millisecond) // let the subscription settle
// A publishes a message B can decrypt.
const msg1 = "hola E2E"
must(a.Publish(roomID, []byte(msg1)), "A publish msg1")
got1, ok := waitMsg(recv, 2*time.Second)
check("B decrypts pre-kick message", ok && got1 == msg1)
// A kicks B (rotates K to a new epoch, re-sealed only for the remaining members).
must(a.Kick(roomID, b.Endpoint().ID), "A kick B")
time.Sleep(200 * time.Millisecond)
// A publishes at the new epoch. B must NOT be able to decrypt: it was removed
// from the member list, so /key returns no key for B at the new epoch.
const msg2 = "secreto post-kick"
must(a.Publish(roomID, []byte(msg2)), "A publish msg2 (post-kick)")
got2, ok2 := waitMsg(recv, 1500*time.Millisecond)
// Forward secrecy holds if B did NOT receive the post-kick plaintext.
check("B cannot decrypt post-kick message (forward secrecy)", !(ok2 && got2 == msg2))
if ok2 {
fmt.Printf(" (unexpected: B received %q after kick)\n", got2)
} else {
fmt.Printf(" (B received nothing decryptable after kick — correct)\n")
}
fmt.Println()
if pass {
fmt.Println("RESULT: PASS — E2E encryption and forward secrecy verified")
os.Exit(0)
}
fmt.Println("RESULT: FAIL — see assertions above")
os.Exit(1)
}
func waitMsg(ch <-chan string, timeout time.Duration) (string, bool) {
select {
case m := <-ch:
return m, true
case <-time.After(timeout):
return "", false
}
}
func must(err error, what string) {
if err != nil {
log.Fatalf("%s: %v", what, err)
}
}
Reference in New Issue View Git Blame Copy Permalink