mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-14 13:49:18 +02:00
* feat(auth): support mcn_ Cloud Node PATs verified via Fleet
Adds a new token kind, mcn_ (multica cloud node), recognized in both
the regular Auth and DaemonAuth middlewares. mcn_ tokens are minted
and owned by Multica Cloud (not the local personal_access_tokens
table); the server validates them by POSTing to the Fleet's
/api/v1/pat/verify endpoint and uses the returned owner_id as
X-User-ID for downstream handlers.
Cloud is the authoritative owner of token status, so this is a
verifier-only path with no DB fallback:
* Fleet says valid:false -> 401 (token genuinely bad)
* Fleet unreachable / 5xx -> 503 (transient, retry)
* No MULTICA_CLOUD_FLEET_URL configured -> 401 (fail closed)
Verification results are cached in Redis for 60s under
mul:auth:mcn:<sha256> to bound the per-request load on Fleet without
extending the revocation window beyond what the Cloud doc allows.
Negative results are NOT cached, so a freshly minted token doesn't
get locked out by a stale 'token_not_found'.
Reuses MULTICA_CLOUD_FLEET_URL (the same env the cloud-runtime proxy
already uses) so deployments don't need a second config knob.
Tests cover the happy path, every documented invalid reason, 4xx/5xx
mapping, network error, decode error, ctx cancellation, the
fail-closed valid:true-without-owner_id case, trailing-slash URL
normalization, and the Redis cache short-circuit + negative
no-cache contract. Middleware tests pin the four 401/503/200 outcomes
in both Auth and DaemonAuth.
* auth(mcn): require owner_id to map to a real local user; drop X-User-PAT plumbing
Two related changes:
1. Cloud-verified owner_id is now checked against our local users table.
The Cloud owner_id and our users.id share the same UUID space by
contract; a missing local user means either the row was deleted
under an active node or something is forging owner_ids — either
way, fail closed.
CloudPATVerifier.Verify takes a new OwnerLookupFunc:
- returns (true, nil) -> success, cache + return
- returns (false, nil) -> ErrCloudPATInvalid (reason='owner_unknown'),
NOT cached (so a freshly-created user
doesn't get locked out for a TTL window)
- returns (_, error) -> ErrCloudPATUnavailable (transient,
middleware emits 503)
Both Auth and DaemonAuth wire ownerLookupFor(queries), a new shared
helper that wraps queries.GetUser, mapping pgx.ErrNoRows / unparseable
UUIDs to (false, nil) and other errors to a real Go error.
2. Removed all X-User-PAT plumbing. Cloud now mints node-scoped mcn_
PATs itself during /api/v1/nodes (see multica-cloud
docs/api/node-pat.md) and ships them into the EC2 instance via SSM,
so multica-api no longer needs to forward the caller's mul_ PAT.
Propagating a long-lived user PAT into a remote machine widened
the blast radius of any node compromise; that's gone now.
Removed:
- cloud_runtime.go: withUserPAT option, cloudRuntimeUserPAT,
generateCloudRuntimePAT, revokeGeneratedPAT
- cloudruntime/Request.UserPAT field + X-User-PAT header
- X-User-PAT from CORS allowed headers
- obsolete handler tests:
TestCreateCloudRuntimeNodeForwardsValidatedPAT
TestCreateCloudRuntimeNodeRejectsUnownedPAT
TestCreateCloudRuntimeNodeRejectsExpiredPAT
TestCreateCloudRuntimeNodeAutoGeneratesPAT
replaced with TestCreateCloudRuntimeNodeForwardsBody
- X-User-PAT references in packages/core/api/client.test.ts
Tests:
* 3 new verifier-level tests (owner_unknown not cached, lookup error
-> Unavailable, success path is cached for both fleet AND lookup)
* 5 new owner_lookup_test.go tests (nil queries, existing user,
missing user, malformed UUID, DB error)
* 1 new end-to-end DaemonAuth test (cloud says valid, no local user
-> 401)
* Existing X-User-PAT TS assertions removed; full vitest run passes.
* go test ./... and go vet ./... clean on the server module.
125 lines
2.6 KiB
Go
125 lines
2.6 KiB
Go
package cloudruntime
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
const (
|
|
defaultTimeout = 35 * time.Second
|
|
maxResponseBodySize = 1 << 20
|
|
)
|
|
|
|
var (
|
|
ErrDisabled = errors.New("cloud runtime fleet URL is not configured")
|
|
ErrInvalidBaseURL = errors.New("cloud runtime fleet URL is invalid")
|
|
)
|
|
|
|
type Config struct {
|
|
BaseURL string
|
|
Timeout time.Duration
|
|
HTTPClient *http.Client
|
|
}
|
|
|
|
type Request struct {
|
|
Method string
|
|
Path string
|
|
Query url.Values
|
|
Body []byte
|
|
UserID string
|
|
RequestID string
|
|
}
|
|
|
|
type Response struct {
|
|
StatusCode int
|
|
Header http.Header
|
|
Body []byte
|
|
}
|
|
|
|
type Client struct {
|
|
baseURL string
|
|
httpClient *http.Client
|
|
}
|
|
|
|
func NewClient(cfg Config) *Client {
|
|
timeout := cfg.Timeout
|
|
if timeout <= 0 {
|
|
timeout = defaultTimeout
|
|
}
|
|
httpClient := cfg.HTTPClient
|
|
if httpClient == nil {
|
|
httpClient = &http.Client{Timeout: timeout}
|
|
}
|
|
return &Client{
|
|
baseURL: strings.TrimRight(strings.TrimSpace(cfg.BaseURL), "/"),
|
|
httpClient: httpClient,
|
|
}
|
|
}
|
|
|
|
func (c *Client) Enabled() bool {
|
|
return c != nil && c.baseURL != ""
|
|
}
|
|
|
|
func (c *Client) Do(ctx context.Context, req Request) (*Response, error) {
|
|
if c == nil || c.baseURL == "" {
|
|
return nil, ErrDisabled
|
|
}
|
|
|
|
base, err := url.Parse(c.baseURL)
|
|
if err != nil || base.Scheme == "" || base.Host == "" {
|
|
return nil, fmt.Errorf("%w: %s", ErrInvalidBaseURL, c.baseURL)
|
|
}
|
|
if !strings.HasPrefix(req.Path, "/") {
|
|
return nil, fmt.Errorf("cloud runtime path must start with /: %s", req.Path)
|
|
}
|
|
|
|
u := *base
|
|
u.Path = strings.TrimRight(base.Path, "/") + req.Path
|
|
u.RawQuery = req.Query.Encode()
|
|
|
|
var body io.Reader
|
|
if len(req.Body) > 0 {
|
|
body = bytes.NewReader(req.Body)
|
|
}
|
|
httpReq, err := http.NewRequestWithContext(ctx, req.Method, u.String(), body)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
httpReq.Header.Set("Accept", "application/json")
|
|
if len(req.Body) > 0 {
|
|
httpReq.Header.Set("Content-Type", "application/json")
|
|
}
|
|
if req.UserID != "" {
|
|
httpReq.Header.Set("X-User-ID", req.UserID)
|
|
}
|
|
if req.RequestID != "" {
|
|
httpReq.Header.Set("X-Request-ID", req.RequestID)
|
|
}
|
|
|
|
resp, err := c.httpClient.Do(httpReq)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
data, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseBodySize+1))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(data) > maxResponseBodySize {
|
|
return nil, fmt.Errorf("cloud runtime response exceeds %d bytes", maxResponseBodySize)
|
|
}
|
|
return &Response{
|
|
StatusCode: resp.StatusCode,
|
|
Header: resp.Header.Clone(),
|
|
Body: data,
|
|
}, nil
|
|
}
|