egutierrez
60d6a86655
Pre-auth DoS hardening (audit H1, Critical). The control-plane middleware read the request body with io.ReadAll before authenticating and with no size cap, so an unauthenticated peer could force the server to buffer an arbitrary body in RAM (the auditor sent 400 MB and watched RSS climb to ~898 MB). - ServeHTTP now caps the buffered body before reading: a per-route ceiling (1 MiB JSON, 16 MiB /blobs) rejects an over-declared Content-Length outright and wraps the body in http.MaxBytesReader so a lying/chunked sender trips at the ceiling instead of unbounded. - handlePutBlob maps the MaxBytesReader cutoff to 413 in every auth mode. - Per-IP token-bucket rate limiter (golang.org/x/time/rate, already in the module graph) sheds floods before auth or body reads. Loopback dev stacks are unaffected (burst >> any single client's rate). Kept in-package as transport glue, not promoted to the registry, mirroring the nonceCache decision in 0003. - membershipd sets http.Server.MaxHeaderBytes and ReadHeaderTimeout. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
509 lines
16 KiB
Go
509 lines
16 KiB
Go
package membership
|
|
|
|
import (
|
|
"bytes"
|
|
"database/sql"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"log"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
cs "fn-registry/functions/cybersecurity"
|
|
|
|
"golang.org/x/time/rate"
|
|
|
|
"github.com/enmanuel/unibus/pkg/blobstore"
|
|
)
|
|
|
|
// Body-size ceilings for the control plane. They bound how much an unauthenticated
|
|
// peer can make the server buffer in RAM before the request is even authenticated
|
|
// (the signature is verified over the full body, so the body must be read — but
|
|
// not unboundedly). maxControlBodyBytes covers JSON metadata requests; /blobs gets
|
|
// a separate, larger ceiling because media ciphertext is legitimately bigger. A
|
|
// request whose declared Content-Length already exceeds its ceiling is rejected
|
|
// before a single byte is buffered.
|
|
const (
|
|
maxControlBodyBytes = 1 << 20 // 1 MiB for JSON control-plane requests
|
|
maxBlobBytes = 16 << 20 // 16 MiB for a single media blob upload
|
|
// MaxHeaderBytes caps request header size; wired into the http.Server by the
|
|
// command. Exported so the bound lives next to its body-size siblings.
|
|
MaxHeaderBytes = 1 << 20 // 1 MiB
|
|
)
|
|
|
|
// Per-IP rate-limit defaults for the control plane. Tuned for an interactive
|
|
// human/agent bus rather than a high-QPS API: a steady ~20 req/s with a burst of
|
|
// 40 absorbs a chat client's bursty polling while throttling a flood. Loopback
|
|
// dev stacks pass r<=0 to disable limiting entirely.
|
|
const (
|
|
defaultRatePerSec = rate.Limit(20)
|
|
defaultRateBurst = 40
|
|
rateBucketTTL = 10 * time.Minute
|
|
)
|
|
|
|
// Server is the HTTP control plane: the authoritative source of room metadata,
|
|
// membership, and per-epoch sealed keys. The data plane (messages) is NATS.
|
|
//
|
|
// Auth model (v1): mutating endpoints require an Ed25519 signature from the
|
|
// room owner over the canonical bytes of the request (the request body with the
|
|
// "sig" field cleared). v1 trusts the internal network: there is no TLS, no
|
|
// rate limiting, and read endpoints (GET) are unauthenticated. Hardening
|
|
// (mTLS, capabilities, rate limits) is a later phase.
|
|
type Server struct {
|
|
store *Store
|
|
blobs *blobstore.Store
|
|
mux *http.ServeMux
|
|
authMode AuthMode
|
|
nonces *nonceCache
|
|
limiter *ipRateLimiter
|
|
}
|
|
|
|
// NewServer wires the membership store and blob store into an http.Handler. The
|
|
// authMode selects the control-plane auth rollout state (AuthOff for callers and
|
|
// tests that have not migrated to signed requests yet). It installs a per-IP
|
|
// rate limiter with the package defaults; loopback dev behavior is unchanged
|
|
// because the burst comfortably exceeds any single client's request rate.
|
|
func NewServer(store *Store, blobs *blobstore.Store, authMode AuthMode) *Server {
|
|
s := &Server{
|
|
store: store,
|
|
blobs: blobs,
|
|
mux: http.NewServeMux(),
|
|
authMode: authMode,
|
|
nonces: newNonceCache(nonceTTL),
|
|
limiter: newIPRateLimiter(defaultRatePerSec, defaultRateBurst, rateBucketTTL),
|
|
}
|
|
s.routes()
|
|
return s
|
|
}
|
|
|
|
// ServeHTTP satisfies http.Handler. It runs the control-plane auth middleware
|
|
// (signature verification + anti-replay + allowlist) ahead of the router
|
|
// according to authMode, then dispatches to the matched handler.
|
|
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
now := time.Now()
|
|
|
|
// Per-IP rate limit runs first, ahead of auth and body reads, so a flood is
|
|
// shed at the cheapest possible point. The health probe is exempt so liveness
|
|
// checks are never throttled.
|
|
if !isAuthExempt(r) && !s.limiter.allow(clientIP(r), now) {
|
|
writeErr(w, http.StatusTooManyRequests, "rate limit exceeded")
|
|
return
|
|
}
|
|
|
|
// Cap how much body we will buffer, BEFORE reading a single byte. The ceiling
|
|
// is per-route: /blobs may legitimately carry a media ciphertext, everything
|
|
// else is small JSON. A declared Content-Length over the ceiling is rejected
|
|
// outright (no buffering); MaxBytesReader then guards against a lying or
|
|
// chunked sender by failing the read once the limit is crossed. This is the
|
|
// fix for the pre-auth DoS: without it an unauthenticated peer could make the
|
|
// server buffer an unbounded body in RAM before authenticate() ever ran.
|
|
limit := int64(maxControlBodyBytes)
|
|
if r.Method == http.MethodPost && r.URL.Path == "/blobs" {
|
|
limit = int64(maxBlobBytes)
|
|
}
|
|
if r.ContentLength > limit {
|
|
writeErr(w, http.StatusRequestEntityTooLarge, "request body too large")
|
|
return
|
|
}
|
|
r.Body = http.MaxBytesReader(w, r.Body, limit)
|
|
|
|
if s.authMode == AuthOff || isAuthExempt(r) {
|
|
s.mux.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
// Buffer the (now bounded) body so the signature can be verified over it and
|
|
// the handler still reads it.
|
|
body, err := io.ReadAll(r.Body)
|
|
if err != nil {
|
|
if isBodyTooLarge(err) {
|
|
writeErr(w, http.StatusRequestEntityTooLarge, "request body too large")
|
|
return
|
|
}
|
|
writeErr(w, http.StatusBadRequest, "read body")
|
|
return
|
|
}
|
|
_ = r.Body.Close()
|
|
r.Body = io.NopCloser(bytes.NewReader(body))
|
|
|
|
if _, err := s.authenticate(r, body, now); err != nil {
|
|
if s.authMode == AuthSoft {
|
|
log.Printf("[auth] soft: would reject %s %s: %v", r.Method, r.URL.Path, err)
|
|
s.mux.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
writeErr(w, http.StatusUnauthorized, "unauthorized: "+err.Error())
|
|
return
|
|
}
|
|
s.mux.ServeHTTP(w, r)
|
|
}
|
|
|
|
// isBodyTooLarge reports whether err is the sentinel returned by MaxBytesReader
|
|
// when the body exceeds its limit, so the middleware can map it to 413.
|
|
func isBodyTooLarge(err error) bool {
|
|
var maxErr *http.MaxBytesError
|
|
return errors.As(err, &maxErr)
|
|
}
|
|
|
|
// isAuthExempt lists requests that bypass control-plane auth even under enforce.
|
|
// Only the unauthenticated health probe qualifies: it carries no data and is
|
|
// needed by load balancers / smoke checks / systemd before any identity exists.
|
|
func isAuthExempt(r *http.Request) bool {
|
|
return r.Method == http.MethodGet && r.URL.Path == "/healthz"
|
|
}
|
|
|
|
func (s *Server) routes() {
|
|
s.mux.HandleFunc("GET /healthz", s.handleHealth)
|
|
s.mux.HandleFunc("POST /rooms", s.handleCreateRoom)
|
|
s.mux.HandleFunc("POST /rooms/{id}/invite", s.handleInvite)
|
|
s.mux.HandleFunc("GET /rooms/{id}/key", s.handleGetKey)
|
|
s.mux.HandleFunc("GET /rooms/{id}/members", s.handleListMembers)
|
|
s.mux.HandleFunc("GET /members/{endpoint}/rooms", s.handleListMemberRooms)
|
|
s.mux.HandleFunc("POST /rooms/{id}/rekey", s.handleRekey)
|
|
s.mux.HandleFunc("GET /rooms/{id}", s.handleGetRoom)
|
|
s.mux.HandleFunc("POST /blobs", s.handlePutBlob)
|
|
s.mux.HandleFunc("GET /blobs/{hash}", s.handleGetBlob)
|
|
}
|
|
|
|
// ---- wire types -----------------------------------------------------------
|
|
|
|
type policyJSON struct {
|
|
Encrypt bool `json:"encrypt"`
|
|
Persist bool `json:"persist"`
|
|
SignMsgs bool `json:"sign_msgs"`
|
|
}
|
|
|
|
type endpointJSON struct {
|
|
Endpoint string `json:"endpoint"`
|
|
SignPub []byte `json:"sign_pub"`
|
|
KexPub []byte `json:"kex_pub"`
|
|
}
|
|
|
|
type createRoomReq struct {
|
|
Subject string `json:"subject"`
|
|
Policy policyJSON `json:"policy"`
|
|
Owner endpointJSON `json:"owner"`
|
|
SealedKeySelf []byte `json:"sealed_key_self"`
|
|
}
|
|
|
|
type createRoomResp struct {
|
|
RoomID string `json:"room_id"`
|
|
}
|
|
|
|
type inviteReq struct {
|
|
By string `json:"by"` // owner endpoint id
|
|
Sig []byte `json:"sig"` // Ed25519 over canonical(request with sig cleared)
|
|
Member endpointJSON `json:"member"`
|
|
SealedKey []byte `json:"sealed_key"`
|
|
}
|
|
|
|
type keyResp struct {
|
|
Epoch int `json:"epoch"`
|
|
SealedKey []byte `json:"sealed_key"`
|
|
}
|
|
|
|
type memberJSON struct {
|
|
Endpoint string `json:"endpoint"`
|
|
Role string `json:"role"`
|
|
SignPub []byte `json:"sign_pub"`
|
|
KexPub []byte `json:"kex_pub"`
|
|
}
|
|
|
|
type roomResp struct {
|
|
Subject string `json:"subject"`
|
|
Epoch int `json:"epoch"`
|
|
Policy policyJSON `json:"policy"`
|
|
}
|
|
|
|
type memberRoomJSON struct {
|
|
RoomID string `json:"room_id"`
|
|
Subject string `json:"subject"`
|
|
Epoch int `json:"epoch"`
|
|
Policy policyJSON `json:"policy"`
|
|
Role string `json:"role"`
|
|
}
|
|
|
|
type rekeyKey struct {
|
|
Endpoint string `json:"endpoint"`
|
|
SealedKey []byte `json:"sealed_key"`
|
|
}
|
|
|
|
type rekeyReq struct {
|
|
By string `json:"by"`
|
|
Sig []byte `json:"sig"`
|
|
NewEpoch int `json:"new_epoch"`
|
|
Keys []rekeyKey `json:"keys"`
|
|
Remove []string `json:"remove"`
|
|
}
|
|
|
|
type blobResp struct {
|
|
Hash string `json:"hash"`
|
|
}
|
|
|
|
// ---- helpers --------------------------------------------------------------
|
|
|
|
func writeJSON(w http.ResponseWriter, code int, v any) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(code)
|
|
_ = json.NewEncoder(w).Encode(v)
|
|
}
|
|
|
|
func writeErr(w http.ResponseWriter, code int, msg string) {
|
|
writeJSON(w, code, map[string]string{"error": msg})
|
|
}
|
|
|
|
// canonicalSig returns the bytes to verify for a request: the request struct
|
|
// re-marshaled with its Sig field cleared. The caller passes a copy with Sig
|
|
// already zeroed. This is symmetric with how the client signs.
|
|
func canonicalSig(v any) []byte {
|
|
b, _ := json.Marshal(v)
|
|
return b
|
|
}
|
|
|
|
// verifyOwnerSig checks that sig is a valid Ed25519 signature by the room owner
|
|
// over canonical(reqWithSigCleared). It returns the owner Member on success.
|
|
func (s *Server) verifyOwnerSig(roomID, by string, sig, canonical []byte) (Member, error) {
|
|
info, err := s.store.GetRoom(roomID)
|
|
if err != nil {
|
|
return Member{}, fmt.Errorf("room not found")
|
|
}
|
|
if by != info.OwnerEndpoint {
|
|
return Member{}, fmt.Errorf("requester %q is not the room owner", by)
|
|
}
|
|
owner, err := s.store.GetMember(roomID, by)
|
|
if err != nil {
|
|
return Member{}, fmt.Errorf("owner member not found")
|
|
}
|
|
if !cs.VerifyEd25519(owner.SignPub, canonical, sig) {
|
|
return Member{}, fmt.Errorf("invalid owner signature")
|
|
}
|
|
return owner, nil
|
|
}
|
|
|
|
// ---- handlers -------------------------------------------------------------
|
|
|
|
func (s *Server) handleHealth(w http.ResponseWriter, _ *http.Request) {
|
|
writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
|
|
}
|
|
|
|
func (s *Server) handleCreateRoom(w http.ResponseWriter, r *http.Request) {
|
|
var req createRoomReq
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
writeErr(w, http.StatusBadRequest, "bad json: "+err.Error())
|
|
return
|
|
}
|
|
if req.Subject == "" || req.Owner.Endpoint == "" {
|
|
writeErr(w, http.StatusBadRequest, "subject and owner.endpoint required")
|
|
return
|
|
}
|
|
roomID := newULID()
|
|
info := RoomInfo{
|
|
RoomID: roomID,
|
|
Subject: req.Subject,
|
|
Encrypt: req.Policy.Encrypt,
|
|
Persist: req.Policy.Persist,
|
|
SignMsgs: req.Policy.SignMsgs,
|
|
OwnerEndpoint: req.Owner.Endpoint,
|
|
}
|
|
if err := s.store.CreateRoom(info, req.Owner.SignPub, req.Owner.KexPub, req.SealedKeySelf); err != nil {
|
|
writeErr(w, http.StatusInternalServerError, err.Error())
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusCreated, createRoomResp{RoomID: roomID})
|
|
}
|
|
|
|
func (s *Server) handleInvite(w http.ResponseWriter, r *http.Request) {
|
|
roomID := r.PathValue("id")
|
|
var req inviteReq
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
writeErr(w, http.StatusBadRequest, "bad json: "+err.Error())
|
|
return
|
|
}
|
|
// Canonical bytes = the request with Sig cleared.
|
|
sig := req.Sig
|
|
req.Sig = nil
|
|
if _, err := s.verifyOwnerSig(roomID, req.By, sig, canonicalSig(req)); err != nil {
|
|
writeErr(w, http.StatusForbidden, err.Error())
|
|
return
|
|
}
|
|
info, err := s.store.GetRoom(roomID)
|
|
if err != nil {
|
|
writeErr(w, http.StatusNotFound, err.Error())
|
|
return
|
|
}
|
|
m := Member{
|
|
Endpoint: req.Member.Endpoint,
|
|
Role: "member",
|
|
SignPub: req.Member.SignPub,
|
|
KexPub: req.Member.KexPub,
|
|
}
|
|
if err := s.store.AddMember(roomID, m, info.Epoch, req.SealedKey); err != nil {
|
|
writeErr(w, http.StatusInternalServerError, err.Error())
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, map[string]string{"status": "invited"})
|
|
}
|
|
|
|
func (s *Server) handleGetKey(w http.ResponseWriter, r *http.Request) {
|
|
roomID := r.PathValue("id")
|
|
endpoint := r.URL.Query().Get("endpoint")
|
|
if endpoint == "" {
|
|
writeErr(w, http.StatusBadRequest, "endpoint query param required")
|
|
return
|
|
}
|
|
epoch := 0
|
|
if e := r.URL.Query().Get("epoch"); e != "" {
|
|
if n, err := strconv.Atoi(e); err == nil {
|
|
epoch = n
|
|
}
|
|
}
|
|
ep, sealed, err := s.store.GetSealedKey(roomID, endpoint, epoch)
|
|
if err != nil {
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
writeErr(w, http.StatusForbidden,
|
|
"not invited to this encrypted room: no key has been sealed for your identity. Ask the room owner to invite you before joining.")
|
|
return
|
|
}
|
|
writeErr(w, http.StatusInternalServerError, err.Error())
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, keyResp{Epoch: ep, SealedKey: sealed})
|
|
}
|
|
|
|
func (s *Server) handleListMembers(w http.ResponseWriter, r *http.Request) {
|
|
roomID := r.PathValue("id")
|
|
members, err := s.store.ListMembers(roomID)
|
|
if err != nil {
|
|
writeErr(w, http.StatusInternalServerError, err.Error())
|
|
return
|
|
}
|
|
out := make([]memberJSON, 0, len(members))
|
|
for _, m := range members {
|
|
out = append(out, memberJSON{Endpoint: m.Endpoint, Role: m.Role, SignPub: m.SignPub, KexPub: m.KexPub})
|
|
}
|
|
writeJSON(w, http.StatusOK, out)
|
|
}
|
|
|
|
func (s *Server) handleListMemberRooms(w http.ResponseWriter, r *http.Request) {
|
|
endpoint := r.PathValue("endpoint")
|
|
if endpoint == "" {
|
|
writeErr(w, http.StatusBadRequest, "endpoint required")
|
|
return
|
|
}
|
|
rooms, err := s.store.ListRoomsForEndpoint(endpoint)
|
|
if err != nil {
|
|
writeErr(w, http.StatusInternalServerError, err.Error())
|
|
return
|
|
}
|
|
out := make([]memberRoomJSON, 0, len(rooms))
|
|
for _, rm := range rooms {
|
|
out = append(out, memberRoomJSON{
|
|
RoomID: rm.RoomID,
|
|
Subject: rm.Subject,
|
|
Epoch: rm.Epoch,
|
|
Policy: policyJSON{Encrypt: rm.Encrypt, Persist: rm.Persist, SignMsgs: rm.SignMsgs},
|
|
Role: rm.Role,
|
|
})
|
|
}
|
|
writeJSON(w, http.StatusOK, out)
|
|
}
|
|
|
|
func (s *Server) handleGetRoom(w http.ResponseWriter, r *http.Request) {
|
|
roomID := r.PathValue("id")
|
|
info, err := s.store.GetRoom(roomID)
|
|
if err != nil {
|
|
writeErr(w, http.StatusNotFound, err.Error())
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, roomResp{
|
|
Subject: info.Subject,
|
|
Epoch: info.Epoch,
|
|
Policy: policyJSON{Encrypt: info.Encrypt, Persist: info.Persist, SignMsgs: info.SignMsgs},
|
|
})
|
|
}
|
|
|
|
func (s *Server) handleRekey(w http.ResponseWriter, r *http.Request) {
|
|
roomID := r.PathValue("id")
|
|
var req rekeyReq
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
writeErr(w, http.StatusBadRequest, "bad json: "+err.Error())
|
|
return
|
|
}
|
|
sig := req.Sig
|
|
req.Sig = nil
|
|
if _, err := s.verifyOwnerSig(roomID, req.By, sig, canonicalSig(req)); err != nil {
|
|
writeErr(w, http.StatusForbidden, err.Error())
|
|
return
|
|
}
|
|
if req.NewEpoch <= 0 {
|
|
writeErr(w, http.StatusBadRequest, "new_epoch must be > 0")
|
|
return
|
|
}
|
|
// Bump epoch, then store the fresh sealed keys for the remaining members,
|
|
// then remove the kicked/left members.
|
|
if err := s.store.BumpEpoch(roomID, req.NewEpoch); err != nil {
|
|
writeErr(w, http.StatusInternalServerError, err.Error())
|
|
return
|
|
}
|
|
keys := make(map[string][]byte, len(req.Keys))
|
|
for _, k := range req.Keys {
|
|
keys[k.Endpoint] = k.SealedKey
|
|
}
|
|
if len(keys) > 0 {
|
|
if err := s.store.PutSealedKeys(roomID, req.NewEpoch, keys); err != nil {
|
|
writeErr(w, http.StatusInternalServerError, err.Error())
|
|
return
|
|
}
|
|
}
|
|
for _, ep := range req.Remove {
|
|
if err := s.store.RemoveMember(roomID, ep); err != nil {
|
|
writeErr(w, http.StatusInternalServerError, err.Error())
|
|
return
|
|
}
|
|
}
|
|
writeJSON(w, http.StatusOK, map[string]any{"status": "rekeyed", "epoch": req.NewEpoch})
|
|
}
|
|
|
|
func (s *Server) handlePutBlob(w http.ResponseWriter, r *http.Request) {
|
|
// The body arrives already bounded: ServeHTTP wraps it in a MaxBytesReader
|
|
// (maxBlobBytes) and rejects an over-declared Content-Length before this
|
|
// handler runs, in every auth mode. Reading here therefore cannot buffer
|
|
// more than the ceiling; a sender that lies about its length (e.g. chunked)
|
|
// trips MaxBytesReader and we map that to 413 rather than a generic 400.
|
|
data, err := io.ReadAll(r.Body)
|
|
if err != nil {
|
|
if isBodyTooLarge(err) {
|
|
writeErr(w, http.StatusRequestEntityTooLarge, "request body too large")
|
|
return
|
|
}
|
|
writeErr(w, http.StatusBadRequest, "read body")
|
|
return
|
|
}
|
|
hash, err := s.blobs.Put(data)
|
|
if err != nil {
|
|
writeErr(w, http.StatusInternalServerError, err.Error())
|
|
return
|
|
}
|
|
writeJSON(w, http.StatusOK, blobResp{Hash: hash})
|
|
}
|
|
|
|
func (s *Server) handleGetBlob(w http.ResponseWriter, r *http.Request) {
|
|
hash := r.PathValue("hash")
|
|
if strings.ContainsAny(hash, "/\\.") {
|
|
writeErr(w, http.StatusBadRequest, "invalid hash")
|
|
return
|
|
}
|
|
data, err := s.blobs.Get(hash)
|
|
if err != nil {
|
|
writeErr(w, http.StatusNotFound, err.Error())
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/octet-stream")
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write(data)
|
|
}
|