dataforge/unibus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
450ca01baff3afd5ededf1c57f46971e09cc32e4
unibus/pkg/client/identity.go
T
egutierrez 02c2004ebd feat(membershipd): user add/list/revoke --store kv against a live cluster 
Closes the most valuable 0011 deploy gap: adding users to the running
cluster's replicated allowlist with no stop-seed-restart. Under enforce the
per-subject ACL confines every bus user to its own rooms, so no ordinary
identity may write the control-plane KV buckets; the only identity the
authenticator grants full JetStream permissions is membershipd's internal
service identity.

- main.go: --internal-id-file persists that identity (load-or-create, 0600)
  instead of a fresh ephemeral key, so the same nkey is available out of
  process. Empty keeps the ephemeral default (single-node/dev unchanged).
- users_kv.go: connectKVStore loads the persisted identity, presents its
  nkey (recognized as internal -> full perms), opens the KV store and
  writes. Defaults assume an on-node loopback invocation; a remote target
  without --ca is refused (allowlist must not travel cleartext, audit N6).
  Prints KV_UNIBUS_users replication (followers_current) after a write.
- users_cli.go: --store kv on add/list/revoke. Re-adding a key is an explicit
  ErrUserExists (no silent overwrite / role flip); revoke is a status flip.
- pkg/client: LoadIdentity (load-only) extracted from LoadOrCreateIdentity,
  preserving its "corrupt file is an error, not silently regenerated" guard.
- kv_useradd_test.go: golden write under enforce, idempotency, unreachable
  endpoint, and remote-without-CA refusal against an embedded node.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 19:41:38 +02:00

120 lines
3.8 KiB
Go
Raw Blame History

package client
import (
"crypto/rand"
"encoding/base64"
"encoding/json"
"fmt"
"os"
"path/filepath"
cs "fn-registry/functions/cybersecurity"
"github.com/oklog/ulid/v2"
)
// newULID returns a fresh, lexicographically-sortable message id with
// crypto/rand entropy.
func newULID() string {
return ulid.MustNew(ulid.Now(), rand.Reader).String()
}
// identityFile is the on-disk JSON representation of an Identity. The four key
// fields are base64-encoded.
//
// SECURITY: this file contains the peer's long-term PRIVATE keys (SignPriv and
// KexPriv). It is written 0600. Losing it means losing the ability to decrypt
// any message addressed to this endpoint — there is no recovery. Treat it like
// an SSH private key. (Hardening with OS keyrings/HSM is a later phase.)
type identityFile struct {
SignPub string `json:"sign_pub"`
SignPriv string `json:"sign_priv"`
KexPub string `json:"kex_pub"`
KexPriv string `json:"kex_priv"`
}
// LoadIdentity loads an existing identity from path. Unlike LoadOrCreateIdentity
// it NEVER creates one: a missing or unreadable file is an error. It is for
// callers that must consume a specific, pre-provisioned identity rather than mint
// a fresh one — for example membershipd's persisted internal service identity,
// which `membershipd user add --store kv` reads to present the privileged nkey
// the cluster authenticator recognizes.
func LoadIdentity(path string) (cs.Identity, error) {
data, err := os.ReadFile(path)
if err != nil {
return cs.Identity{}, fmt.Errorf("client: read identity %q: %w", path, err)
}
var f identityFile
if err := json.Unmarshal(data, &f); err != nil {
return cs.Identity{}, fmt.Errorf("client: parse identity %q: %w", path, err)
}
id, err := f.toIdentity()
if err != nil {
return cs.Identity{}, fmt.Errorf("client: decode identity %q: %w", path, err)
}
return id, nil
}
// LoadOrCreateIdentity loads the identity at path, or generates and persists a
// new one if the file does not exist. The file is written with 0600
// permissions because it holds private keys. A file that exists but is
// unreadable or corrupt is an error (NOT silently regenerated), so a damaged
// identity surfaces instead of minting a new key that cannot decrypt old data.
func LoadOrCreateIdentity(path string) (cs.Identity, error) {
if _, statErr := os.Stat(path); statErr == nil {
return LoadIdentity(path)
}
id, err := cs.GenerateIdentity()
if err != nil {
return cs.Identity{}, fmt.Errorf("client: generate identity: %w", err)
}
if err := saveIdentity(path, id); err != nil {
return cs.Identity{}, err
}
return id, nil
}
func saveIdentity(path string, id cs.Identity) error {
if dir := filepath.Dir(path); dir != "" {
if err := os.MkdirAll(dir, 0o755); err != nil {
return fmt.Errorf("client: mkdir for identity: %w", err)
}
}
f := identityFile{
SignPub: base64.StdEncoding.EncodeToString(id.SignPub),
SignPriv: base64.StdEncoding.EncodeToString(id.SignPriv),
KexPub: base64.StdEncoding.EncodeToString(id.KexPub),
KexPriv: base64.StdEncoding.EncodeToString(id.KexPriv),
}
data, err := json.MarshalIndent(f, "", " ")
if err != nil {
return fmt.Errorf("client: marshal identity: %w", err)
}
if err := os.WriteFile(path, data, 0o600); err != nil {
return fmt.Errorf("client: write identity %q: %w", path, err)
}
return nil
}
func (f identityFile) toIdentity() (cs.Identity, error) {
dec := func(s string) ([]byte, error) { return base64.StdEncoding.DecodeString(s) }
signPub, err := dec(f.SignPub)
if err != nil {
return cs.Identity{}, err
}
signPriv, err := dec(f.SignPriv)
if err != nil {
return cs.Identity{}, err
}
kexPub, err := dec(f.KexPub)
if err != nil {
return cs.Identity{}, err
}
kexPriv, err := dec(f.KexPriv)
if err != nil {
return cs.Identity{}, err
}
return cs.Identity{SignPub: signPub, SignPriv: signPriv, KexPub: kexPub, KexPriv: kexPriv}, nil
}
Reference in New Issue View Git Blame Copy Permalink