新增数据库驱动的 SecurityEventConnectionManager,复用 RFC 7662 机器 Client,自动完成 Discovery、Push Bearer 生成、Stream 创建、Verification、首次启用、零停机轮换和安全退役。 增加文件与 Kubernetes SecretStore、最小权限 RBAC、动态 Receiver/撤销水位/内省降级,以及系统设置管理页面。已通过全量 Go 测试、go vet、关键包竞态测试、27 个 Web 测试、类型检查、生产构建、Compose 和 Kubernetes dry-run。
294 lines
12 KiB
Go
294 lines
12 KiB
Go
package securityevents
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"sync"
|
|
"sync/atomic"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/easyai/easyai-ai-gateway/apps/api/internal/auth"
|
|
"github.com/easyai/easyai-ai-gateway/apps/api/internal/store"
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
type memoryConnectionRepository struct {
|
|
mutex sync.Mutex
|
|
connection *store.SecurityEventConnection
|
|
mode string
|
|
verifiedAt *time.Time
|
|
evaluation store.SecurityEventEvaluation
|
|
}
|
|
|
|
func (*memoryConnectionRepository) ApplySessionRevoked(context.Context, store.ApplySessionRevokedInput) (store.ApplySecurityEventResult, error) {
|
|
return store.ApplySecurityEventResult{}, nil
|
|
}
|
|
func (*memoryConnectionRepository) ApplySecurityEventStreamUpdated(context.Context, string, string, string, string, string, string, time.Time) (bool, error) {
|
|
return true, nil
|
|
}
|
|
func (*memoryConnectionRepository) ConfirmSecurityEventVerification(context.Context, string, string, string, string, []byte, time.Time) (bool, error) {
|
|
return true, nil
|
|
}
|
|
func (*memoryConnectionRepository) RecordSecurityEventReceipt(context.Context, string, string, string, string, string) (bool, error) {
|
|
return true, nil
|
|
}
|
|
func (r *memoryConnectionRepository) EnsureSecurityEventStreamState(context.Context, string, string, string) error {
|
|
r.mode = "bootstrap"
|
|
return nil
|
|
}
|
|
func (*memoryConnectionRepository) BeginSecurityEventVerification(context.Context, string, string, []byte, time.Time) error {
|
|
return nil
|
|
}
|
|
func (*memoryConnectionRepository) RecordSecurityEventHeartbeatFailure(context.Context, string, string, string) error {
|
|
return nil
|
|
}
|
|
func (*memoryConnectionRepository) AdvanceSecurityEventStreamState(context.Context, string, string, time.Time, time.Duration) error {
|
|
return nil
|
|
}
|
|
func (r *memoryConnectionRepository) EvaluateOIDCSecurityEvent(context.Context, string, string, string, string, string, time.Time, time.Time, time.Duration) (store.SecurityEventEvaluation, error) {
|
|
if r.evaluation.Mode == "" {
|
|
return store.SecurityEventEvaluation{Mode: "bootstrap", RequireIntrospection: true}, nil
|
|
}
|
|
return r.evaluation, nil
|
|
}
|
|
func (r *memoryConnectionRepository) CreateSecurityEventConnection(_ context.Context, input store.CreateSecurityEventConnectionInput) (store.SecurityEventConnection, error) {
|
|
r.mutex.Lock()
|
|
defer r.mutex.Unlock()
|
|
if r.connection != nil {
|
|
return store.SecurityEventConnection{}, store.ErrSecurityEventConnectionConflict
|
|
}
|
|
now := time.Now().UTC()
|
|
value := store.SecurityEventConnection{ConnectionID: input.ConnectionID, TransmitterIssuer: input.TransmitterIssuer,
|
|
EndpointURL: input.EndpointURL, CredentialRef: input.CredentialRef, LifecycleStatus: "connecting", Version: 1,
|
|
IdempotencyKey: input.IdempotencyKey, CreatedAt: now, UpdatedAt: now, HealthMode: "disabled"}
|
|
r.connection = &value
|
|
return value, nil
|
|
}
|
|
func (r *memoryConnectionRepository) SecurityEventConnection(context.Context) (store.SecurityEventConnection, error) {
|
|
r.mutex.Lock()
|
|
defer r.mutex.Unlock()
|
|
if r.connection == nil {
|
|
return store.SecurityEventConnection{}, store.ErrSecurityEventConnectionNotFound
|
|
}
|
|
value := *r.connection
|
|
value.HealthMode, value.LastVerificationAt = r.mode, r.verifiedAt
|
|
return value, nil
|
|
}
|
|
func (r *memoryConnectionRepository) BindSecurityEventConnection(_ context.Context, id, audience, streamID, lifecycle string, expected int64) (store.SecurityEventConnection, error) {
|
|
r.mutex.Lock()
|
|
defer r.mutex.Unlock()
|
|
if r.connection == nil || r.connection.ConnectionID != id || r.connection.Version != expected {
|
|
return store.SecurityEventConnection{}, store.ErrSecurityEventConnectionConflict
|
|
}
|
|
r.connection.Audience, r.connection.StreamID = &audience, &streamID
|
|
r.connection.LifecycleStatus, r.connection.Version = lifecycle, r.connection.Version+1
|
|
return *r.connection, nil
|
|
}
|
|
func (r *memoryConnectionRepository) UpdateSecurityEventConnectionLifecycle(_ context.Context, id, lifecycle string, category *string) (store.SecurityEventConnection, error) {
|
|
r.mutex.Lock()
|
|
defer r.mutex.Unlock()
|
|
if r.connection == nil || r.connection.ConnectionID != id {
|
|
return store.SecurityEventConnection{}, store.ErrSecurityEventConnectionNotFound
|
|
}
|
|
r.connection.LifecycleStatus, r.connection.LastErrorCategory = lifecycle, category
|
|
r.connection.Version++
|
|
r.connection.UpdatedAt = time.Now().UTC()
|
|
return *r.connection, nil
|
|
}
|
|
func (r *memoryConnectionRepository) SetSecurityEventNextCredential(context.Context, string, string) (store.SecurityEventConnection, error) {
|
|
return store.SecurityEventConnection{}, errors.New("not used")
|
|
}
|
|
|
|
func TestConnectionManagerBootstrapOnlyBecomesEnabledWhenPushIsHealthy(t *testing.T) {
|
|
for _, test := range []struct {
|
|
mode, wantLifecycle string
|
|
}{
|
|
{mode: "push_healthy", wantLifecycle: "enabled"},
|
|
{mode: "introspection_fallback", wantLifecycle: "degraded"},
|
|
} {
|
|
t.Run(test.mode, func(t *testing.T) {
|
|
audience := "urn:easyai:ssf:receiver:" + uuid.NewString()
|
|
repository := &memoryConnectionRepository{mode: test.mode, connection: &store.SecurityEventConnection{
|
|
ConnectionID: uuid.NewString(), TransmitterIssuer: "https://auth.example/ssf", Audience: &audience,
|
|
LifecycleStatus: "bootstrap", Version: 1, UpdatedAt: time.Now().UTC(),
|
|
}}
|
|
manager := &ConnectionManager{ctx: context.Background(), repository: repository,
|
|
config: ConnectionManagerConfig{BootstrapDuration: time.Millisecond}}
|
|
manager.finishBootstrap(repository.connection.ConnectionID)
|
|
connection, err := repository.SecurityEventConnection(context.Background())
|
|
if err != nil || connection.LifecycleStatus != test.wantLifecycle {
|
|
t.Fatalf("connection=%#v err=%v", connection, err)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestRemoteNotFoundIsRecognizedForIdempotentDisconnect(t *testing.T) {
|
|
if !isRemoteHTTPStatus(remoteHTTPError{status: http.StatusNotFound}, http.StatusNotFound) {
|
|
t.Fatal("remote 404 was not recognized as an already-deleted Stream")
|
|
}
|
|
}
|
|
|
|
func TestTransmitterSSRFProtectionBlocksReservedNetworks(t *testing.T) {
|
|
for _, address := range []string{
|
|
"127.0.0.1", "10.0.0.1", "169.254.169.254", "100.64.0.1", "192.0.2.1", "198.51.100.1", "203.0.113.1", "2001:db8::1",
|
|
} {
|
|
if !blockedAddress(net.ParseIP(address)) {
|
|
t.Fatalf("reserved address %s was allowed", address)
|
|
}
|
|
}
|
|
if blockedAddress(net.ParseIP("8.8.8.8")) {
|
|
t.Fatal("public address was blocked")
|
|
}
|
|
}
|
|
|
|
func TestRetiringConnectionStillAppliesRevocationWatermark(t *testing.T) {
|
|
audience := "urn:easyai:ssf:receiver:" + uuid.NewString()
|
|
repository := &memoryConnectionRepository{
|
|
evaluation: store.SecurityEventEvaluation{Mode: "introspection_fallback", Revoked: true, RequireIntrospection: true},
|
|
connection: &store.SecurityEventConnection{
|
|
ConnectionID: uuid.NewString(), TransmitterIssuer: "https://auth.example/ssf", Audience: &audience,
|
|
LifecycleStatus: "retiring", Version: 1,
|
|
},
|
|
}
|
|
manager := &ConnectionManager{ctx: context.Background(), repository: repository, config: ConnectionManagerConfig{StaleAfter: 3 * time.Minute}}
|
|
evaluation, err := manager.Evaluate(context.Background(), auth.OIDCSecurityEventIdentity{IssuedAt: time.Now().Add(-time.Minute)})
|
|
if err != nil || !evaluation.Enabled || !evaluation.Revoked || !evaluation.RequireIntrospection {
|
|
t.Fatalf("retiring evaluation=%#v err=%v", evaluation, err)
|
|
}
|
|
}
|
|
func (r *memoryConnectionRepository) PromoteSecurityEventCredential(context.Context, string, string) (store.SecurityEventConnection, error) {
|
|
return store.SecurityEventConnection{}, errors.New("not used")
|
|
}
|
|
func (r *memoryConnectionRepository) DeleteSecurityEventConnection(context.Context, string) error {
|
|
r.connection = nil
|
|
return nil
|
|
}
|
|
func (r *memoryConnectionRepository) SecurityEventMetrics(context.Context, string, string) (string, *time.Time, error) {
|
|
return r.mode, r.verifiedAt, nil
|
|
}
|
|
|
|
type memorySecretStore struct {
|
|
values map[string][]byte
|
|
}
|
|
|
|
func (s *memorySecretStore) Put(_ context.Context, reference string, value []byte) error {
|
|
if s.values == nil {
|
|
s.values = map[string][]byte{}
|
|
}
|
|
s.values[reference] = append([]byte(nil), value...)
|
|
return nil
|
|
}
|
|
func (s *memorySecretStore) Get(_ context.Context, reference string) ([]byte, error) {
|
|
value, ok := s.values[reference]
|
|
if !ok {
|
|
return nil, ErrSecretNotFound
|
|
}
|
|
return append([]byte(nil), value...), nil
|
|
}
|
|
func (s *memorySecretStore) Delete(_ context.Context, reference string) error {
|
|
delete(s.values, reference)
|
|
return nil
|
|
}
|
|
|
|
func TestConnectionManagerCreatesPausedStreamWithBackendGeneratedBearer(t *testing.T) {
|
|
repository := &memoryConnectionRepository{}
|
|
secrets := &memorySecretStore{}
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
var transmitter *httptest.Server
|
|
verificationRequested := make(chan struct{}, 1)
|
|
var managementScopeRequested atomic.Bool
|
|
transmitter = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
switch r.URL.Path {
|
|
case "/.well-known/ssf-configuration/ssf":
|
|
_ = json.NewEncoder(w).Encode(map[string]any{
|
|
"spec_version": "1_0", "issuer": transmitter.URL + "/ssf", "jwks_uri": transmitter.URL + "/ssf/jwks.json",
|
|
"configuration_endpoint": transmitter.URL + "/ssf/v1/stream", "status_endpoint": transmitter.URL + "/ssf/v1/status",
|
|
"verification_endpoint": transmitter.URL + "/ssf/v1/verify", "delivery_methods_supported": []string{pushDeliveryMethod},
|
|
})
|
|
case "/oidc/token":
|
|
clientID, secret, ok := r.BasicAuth()
|
|
if !ok || clientID != "gateway-machine" || secret != "machine-secret" {
|
|
t.Fatal("RFC 7662 machine client was not reused")
|
|
}
|
|
_ = r.ParseForm()
|
|
if strings.Contains(r.Form.Get("scope"), "ssf.stream.manage") {
|
|
managementScopeRequested.Store(true)
|
|
}
|
|
_ = json.NewEncoder(w).Encode(map[string]any{"access_token": "machine-token", "token_type": "Bearer"})
|
|
case "/ssf/v1/stream":
|
|
if r.Method == http.MethodGet {
|
|
_, _ = w.Write([]byte(`[]`))
|
|
return
|
|
}
|
|
var request struct {
|
|
Delivery struct {
|
|
AuthorizationHeader string `json:"authorization_header"`
|
|
EndpointURL string `json:"endpoint_url"`
|
|
} `json:"delivery"`
|
|
Description string `json:"description"`
|
|
}
|
|
_ = json.NewDecoder(r.Body).Decode(&request)
|
|
if len(strings.TrimPrefix(request.Delivery.AuthorizationHeader, "Bearer ")) < 43 {
|
|
t.Fatal("generated Push Bearer has less than 256 bits")
|
|
}
|
|
_ = json.NewEncoder(w).Encode(map[string]any{
|
|
"stream_id": uuid.NewString(), "iss": transmitter.URL + "/ssf",
|
|
"aud": "urn:easyai:ssf:receiver:" + uuid.NewString(), "events_requested": []string{sessionRevokedEvent},
|
|
"delivery": map[string]any{"method": pushDeliveryMethod, "endpoint_url": request.Delivery.EndpointURL},
|
|
"description": request.Description,
|
|
})
|
|
case "/ssf/v1/verify":
|
|
w.WriteHeader(http.StatusNoContent)
|
|
select {
|
|
case verificationRequested <- struct{}{}:
|
|
default:
|
|
}
|
|
default:
|
|
http.NotFound(w, r)
|
|
}
|
|
}))
|
|
defer transmitter.Close()
|
|
manager, err := NewConnectionManager(ctx, repository, secrets, ConnectionManagerConfig{
|
|
AppEnv: "test", OIDCEnabled: true, OIDCIssuer: transmitter.URL + "/oidc", OIDCTenantID: uuid.NewString(),
|
|
ManagementClientID: "gateway-machine", ManagementClientSecret: "machine-secret",
|
|
PublicBaseURL: transmitter.URL, HeartbeatInterval: time.Hour, StaleAfter: 2 * time.Hour, HTTPClient: transmitter.Client(),
|
|
}, &Metrics{})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
evaluation, err := manager.Evaluate(ctx, auth.OIDCSecurityEventIdentity{})
|
|
if err != nil || evaluation.Enabled {
|
|
t.Fatalf("unconfigured manager evaluation=%#v err=%v", evaluation, err)
|
|
}
|
|
view, err := manager.Connect(ctx, transmitter.URL+"/ssf", "connect-once")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if view.LifecycleStatus != "verifying" || view.StreamID == nil || view.Audience == nil {
|
|
t.Fatalf("connection view=%#v", view)
|
|
}
|
|
encoded, _ := json.Marshal(view)
|
|
if strings.Contains(string(encoded), "credential") || strings.Contains(string(encoded), "machine-secret") || strings.Contains(string(encoded), "ssf-push-") {
|
|
t.Fatalf("secret metadata escaped in response: %s", encoded)
|
|
}
|
|
if len(secrets.values) != 1 {
|
|
t.Fatalf("secret count=%d", len(secrets.values))
|
|
}
|
|
if !managementScopeRequested.Load() {
|
|
t.Fatal("management scopes were not requested automatically")
|
|
}
|
|
select {
|
|
case <-verificationRequested:
|
|
case <-time.After(2 * time.Second):
|
|
t.Fatal("verification was not started without a restart")
|
|
}
|
|
}
|