Files
multica/server/internal/cloudruntime/client.go
LinYushen c968c13c87 feat(auth): support mcn_ Cloud Node PATs verified via Fleet (#3349)
* feat(auth): support mcn_ Cloud Node PATs verified via Fleet

Adds a new token kind, mcn_ (multica cloud node), recognized in both
the regular Auth and DaemonAuth middlewares. mcn_ tokens are minted
and owned by Multica Cloud (not the local personal_access_tokens
table); the server validates them by POSTing to the Fleet's
/api/v1/pat/verify endpoint and uses the returned owner_id as
X-User-ID for downstream handlers.

Cloud is the authoritative owner of token status, so this is a
verifier-only path with no DB fallback:

  * Fleet says valid:false -> 401 (token genuinely bad)
  * Fleet unreachable / 5xx -> 503 (transient, retry)
  * No MULTICA_CLOUD_FLEET_URL configured -> 401 (fail closed)

Verification results are cached in Redis for 60s under
mul:auth:mcn:<sha256> to bound the per-request load on Fleet without
extending the revocation window beyond what the Cloud doc allows.
Negative results are NOT cached, so a freshly minted token doesn't
get locked out by a stale 'token_not_found'.

Reuses MULTICA_CLOUD_FLEET_URL (the same env the cloud-runtime proxy
already uses) so deployments don't need a second config knob.

Tests cover the happy path, every documented invalid reason, 4xx/5xx
mapping, network error, decode error, ctx cancellation, the
fail-closed valid:true-without-owner_id case, trailing-slash URL
normalization, and the Redis cache short-circuit + negative
no-cache contract. Middleware tests pin the four 401/503/200 outcomes
in both Auth and DaemonAuth.

* auth(mcn): require owner_id to map to a real local user; drop X-User-PAT plumbing

Two related changes:

1. Cloud-verified owner_id is now checked against our local users table.
   The Cloud owner_id and our users.id share the same UUID space by
   contract; a missing local user means either the row was deleted
   under an active node or something is forging owner_ids — either
   way, fail closed.

   CloudPATVerifier.Verify takes a new OwnerLookupFunc:
     - returns (true, nil)   -> success, cache + return
     - returns (false, nil)  -> ErrCloudPATInvalid (reason='owner_unknown'),
                                NOT cached (so a freshly-created user
                                doesn't get locked out for a TTL window)
     - returns (_, error)    -> ErrCloudPATUnavailable (transient,
                                middleware emits 503)

   Both Auth and DaemonAuth wire ownerLookupFor(queries), a new shared
   helper that wraps queries.GetUser, mapping pgx.ErrNoRows / unparseable
   UUIDs to (false, nil) and other errors to a real Go error.

2. Removed all X-User-PAT plumbing. Cloud now mints node-scoped mcn_
   PATs itself during /api/v1/nodes (see multica-cloud
   docs/api/node-pat.md) and ships them into the EC2 instance via SSM,
   so multica-api no longer needs to forward the caller's mul_ PAT.
   Propagating a long-lived user PAT into a remote machine widened
   the blast radius of any node compromise; that's gone now.

   Removed:
     - cloud_runtime.go: withUserPAT option, cloudRuntimeUserPAT,
       generateCloudRuntimePAT, revokeGeneratedPAT
     - cloudruntime/Request.UserPAT field + X-User-PAT header
     - X-User-PAT from CORS allowed headers
     - obsolete handler tests:
         TestCreateCloudRuntimeNodeForwardsValidatedPAT
         TestCreateCloudRuntimeNodeRejectsUnownedPAT
         TestCreateCloudRuntimeNodeRejectsExpiredPAT
         TestCreateCloudRuntimeNodeAutoGeneratesPAT
       replaced with TestCreateCloudRuntimeNodeForwardsBody
     - X-User-PAT references in packages/core/api/client.test.ts

Tests:
  * 3 new verifier-level tests (owner_unknown not cached, lookup error
    -> Unavailable, success path is cached for both fleet AND lookup)
  * 5 new owner_lookup_test.go tests (nil queries, existing user,
    missing user, malformed UUID, DB error)
  * 1 new end-to-end DaemonAuth test (cloud says valid, no local user
    -> 401)
  * Existing X-User-PAT TS assertions removed; full vitest run passes.
  * go test ./... and go vet ./... clean on the server module.
2026-05-27 14:52:03 +08:00

125 lines
2.6 KiB
Go

package cloudruntime
import (
"bytes"
"context"
"errors"
"fmt"
"io"
"net/http"
"net/url"
"strings"
"time"
)
const (
defaultTimeout = 35 * time.Second
maxResponseBodySize = 1 << 20
)
var (
ErrDisabled = errors.New("cloud runtime fleet URL is not configured")
ErrInvalidBaseURL = errors.New("cloud runtime fleet URL is invalid")
)
type Config struct {
BaseURL string
Timeout time.Duration
HTTPClient *http.Client
}
type Request struct {
Method string
Path string
Query url.Values
Body []byte
UserID string
RequestID string
}
type Response struct {
StatusCode int
Header http.Header
Body []byte
}
type Client struct {
baseURL string
httpClient *http.Client
}
func NewClient(cfg Config) *Client {
timeout := cfg.Timeout
if timeout <= 0 {
timeout = defaultTimeout
}
httpClient := cfg.HTTPClient
if httpClient == nil {
httpClient = &http.Client{Timeout: timeout}
}
return &Client{
baseURL: strings.TrimRight(strings.TrimSpace(cfg.BaseURL), "/"),
httpClient: httpClient,
}
}
func (c *Client) Enabled() bool {
return c != nil && c.baseURL != ""
}
func (c *Client) Do(ctx context.Context, req Request) (*Response, error) {
if c == nil || c.baseURL == "" {
return nil, ErrDisabled
}
base, err := url.Parse(c.baseURL)
if err != nil || base.Scheme == "" || base.Host == "" {
return nil, fmt.Errorf("%w: %s", ErrInvalidBaseURL, c.baseURL)
}
if !strings.HasPrefix(req.Path, "/") {
return nil, fmt.Errorf("cloud runtime path must start with /: %s", req.Path)
}
u := *base
u.Path = strings.TrimRight(base.Path, "/") + req.Path
u.RawQuery = req.Query.Encode()
var body io.Reader
if len(req.Body) > 0 {
body = bytes.NewReader(req.Body)
}
httpReq, err := http.NewRequestWithContext(ctx, req.Method, u.String(), body)
if err != nil {
return nil, err
}
httpReq.Header.Set("Accept", "application/json")
if len(req.Body) > 0 {
httpReq.Header.Set("Content-Type", "application/json")
}
if req.UserID != "" {
httpReq.Header.Set("X-User-ID", req.UserID)
}
if req.RequestID != "" {
httpReq.Header.Set("X-Request-ID", req.RequestID)
}
resp, err := c.httpClient.Do(httpReq)
if err != nil {
return nil, err
}
defer resp.Body.Close()
data, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBodySize+1))
if err != nil {
return nil, err
}
if len(data) > maxResponseBodySize {
return nil, fmt.Errorf("cloud runtime response exceeds %d bytes", maxResponseBodySize)
}
return &Response{
StatusCode: resp.StatusCode,
Header: resp.Header.Clone(),
Body: data,
}, nil
}