init

2025-09-24 10:32:22 +02:00
parent b851b57e28
commit dc3abf661f
17 changed files with 1008 additions and 0 deletions
--- a/internal/security/http.go
+++ b/internal/security/http.go
@@ -0,0 +1,20 @@
+package security
+
+import "net/http"
+
+func MaxBody(n int64, next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		r.Body = http.MaxBytesReader(w, r.Body, n)
+		next.ServeHTTP(w, r)
+	})
+}
+
+func SecurityHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("Referrer-Policy", "no-referrer")
+		w.Header().Set("Content-Security-Policy", "default-src 'self'")
+		next.ServeHTTP(w, r)
+	})
+}
--- a/internal/security/mesh_auth.go
+++ b/internal/security/mesh_auth.go
@@ -0,0 +1,189 @@
+package security
+
+import (
+	"crypto/ed25519"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/pem"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+type MeshVerifier struct {
+	mode   string // ed25519|hmac
+	priv   ed25519.PrivateKey
+	pubs   map[string]ed25519.PublicKey // nodeID->pub
+	secret []byte
+}
+
+func NewMeshAuth(mode, privPath, pubDir, secret string) (*MeshVerifier, *MeshVerifier) {
+	mv := &MeshVerifier{mode: mode}
+	if mode == "ed25519" {
+		if privPath != "" {
+			if b, err := os.ReadFile(privPath); err == nil {
+				if p, _ := pem.Decode(b); p != nil {
+					mv.priv = ed25519.PrivateKey(p.Bytes)
+				}
+			}
+		}
+		mv.pubs = map[string]ed25519.PublicKey{}
+		_ = filepath.WalkDir(pubDir, func(path string, d os.DirEntry, err error) error {
+			if err != nil || d.IsDir() {
+				return nil
+			}
+			if !strings.HasSuffix(path, ".pub") && !strings.HasSuffix(path, ".pem") {
+				return nil
+			}
+			name := strings.TrimSuffix(filepath.Base(path), filepath.Ext(path))
+			b, _ := os.ReadFile(path)
+			p, _ := pem.Decode(b)
+			if p != nil {
+				mv.pubs[name] = ed25519.PublicKey(p.Bytes)
+			}
+			return nil
+		})
+	} else {
+		mv.secret = []byte(secret)
+	}
+	return mv, mv
+}
+
+func (m *MeshVerifier) bodyHash(r *http.Request) string {
+	// Expect header X-Mesh-Hash (hex) from client for POST; for GET may be empty
+	return r.Header.Get("X-Mesh-Hash")
+}
+
+func (m *MeshVerifier) canonical(r *http.Request, ts, nonce, bodyHash string) []byte {
+	return []byte(strings.Join([]string{r.Method, r.URL.Path, ts, nonce, bodyHash}, "\n"))
+}
+
+// Verify incoming request (used in middleware)
+func (m *MeshVerifier) VerifyIncoming(r *http.Request, now time.Time, nonces *NonceStore) bool {
+	ts := r.Header.Get("X-Mesh-TS")
+	nonce := r.Header.Get("X-Mesh-Nonce")
+	from := r.Header.Get("X-Mesh-From")
+	bh := m.bodyHash(r)
+	if ts == "" || nonce == "" || from == "" {
+		return false
+	}
+	// timestamp window
+	//sec, _ := time.ParseDuration("0s")
+	if len(ts) >= 10 { // crude parse
+		i := int64(0)
+		for _, ch := range ts {
+			if ch < '0' || ch > '9' {
+				i = 0
+				break
+			}
+			i = i*10 + int64(ch-'0')
+		}
+		if i != 0 {
+			dt := time.Unix(i, 0).Sub(now)
+			if dt > 60*time.Second || dt < -60*time.Second {
+				return false
+			}
+		}
+	}
+	if !nonces.Use(nonce, now) {
+		return false
+	}
+	canon := m.canonical(r, ts, nonce, bh)
+	if m.mode == "ed25519" {
+		sig := r.Header.Get("X-Mesh-Sig")
+		pub := m.pubs[from]
+		if len(pub) == 0 {
+			return false
+		}
+		b, err := base64.StdEncoding.DecodeString(sig)
+		if err != nil {
+			return false
+		}
+		return ed25519.Verify(pub, canon, b)
+	}
+	macHex := r.Header.Get("X-Mesh-MAC")
+	if macHex == "" {
+		return false
+	}
+	mac := hmac.New(sha256.New, m.secret)
+	mac.Write(canon)
+	want := mac.Sum(nil)
+	got, _ := hex.DecodeString(macHex)
+	return hmac.Equal(want, got)
+}
+
+// Sign outgoing mesh request (client-side helper)
+func (m *MeshVerifier) SignOutgoing(r *http.Request, bodyHash string, from string) {
+	ts := time.Now().Unix()
+	nonce := make([]byte, 12)
+	_, _ = rand.Read(nonce)
+	nonceB64 := base64.RawURLEncoding.EncodeToString(nonce)
+	r.Header.Set("X-Mesh-TS", fmtItoa(ts))
+	r.Header.Set("X-Mesh-Nonce", nonceB64)
+	r.Header.Set("X-Mesh-From", from)
+	r.Header.Set("X-Mesh-Hash", bodyHash)
+	canon := m.canonical(r, fmtItoa(ts), nonceB64, bodyHash)
+	if m.mode == "ed25519" {
+		sig := ed25519.Sign(m.priv, canon)
+		r.Header.Set("X-Mesh-Sig", base64.StdEncoding.EncodeToString(sig))
+	} else {
+		mac := hmac.New(sha256.New, m.secret)
+		mac.Write(canon)
+		r.Header.Set("X-Mesh-MAC", hex.EncodeToString(mac.Sum(nil)))
+	}
+}
+
+// Middleware enforcing mesh auth
+func MeshAuthMiddleware(verifier *MeshVerifier, nonces *NonceStore, maxBody int64) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// limit headers/body
+			r.Body = http.MaxBytesReader(w, r.Body, maxBody)
+			if !verifier.VerifyIncoming(r, time.Now(), nonces) {
+				http.Error(w, "unauthorized", http.StatusUnauthorized)
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// helpers to avoid extra imports
+
+func fmtItoa(i int64) string { // fast itoa
+	if i == 0 {
+		return "0"
+	}
+	neg := i < 0
+	if neg {
+		i = -i
+	}
+	buf := make([]byte, 0, 20)
+	for i > 0 {
+		buf = append(buf, byte('0'+i%10))
+		i /= 10
+	}
+	for l, r := 0, len(buf)-1; l < r; l, r = l+1, r-1 {
+		buf[l], buf[r] = buf[r], buf[l]
+	}
+	if neg {
+		return "-" + string(buf)
+	}
+	return string(buf)
+}
+
+func LoadCertPool(caPath string) *x509.CertPool {
+	b, err := os.ReadFile(caPath)
+	if err != nil {
+		return nil
+	}
+	pool := x509.NewCertPool()
+	pool.AppendCertsFromPEM(b)
+	return pool
+}
--- a/internal/security/nonce.go
+++ b/internal/security/nonce.go
@@ -0,0 +1,31 @@
+package security
+
+import (
+	"sync"
+	"time"
+)
+
+type NonceStore struct {
+	mu  sync.Mutex
+	m   map[string]int64
+	ttl time.Duration
+}
+
+func NewNonceStore(ttl time.Duration) *NonceStore {
+	return &NonceStore{m: map[string]int64{}, ttl: ttl}
+}
+
+func (s *NonceStore) Use(nonce string, now time.Time) bool {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if exp, ok := s.m[nonce]; ok && exp >= now.Unix() {
+		return false
+	}
+	s.m[nonce] = now.Add(s.ttl).Unix()
+	for k, v := range s.m {
+		if v < now.Unix() {
+			delete(s.m, k)
+		}
+	}
+	return true
+}
--- a/internal/security/ratelimit.go
+++ b/internal/security/ratelimit.go
@@ -0,0 +1,62 @@
+package security
+
+import (
+	"net"
+	"net/http"
+	"sync"
+	"time"
+)
+
+type bucket struct {
+	tokens float64
+	last   time.Time
+}
+
+type Limiter struct {
+	mu    sync.Mutex
+	m     map[string]*bucket
+	rps   float64
+	burst float64
+}
+
+func NewLimiter(rps, burst float64) *Limiter {
+	return &Limiter{m: map[string]*bucket{}, rps: rps, burst: burst}
+}
+
+func (l *Limiter) allow(key string) bool {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	b := l.m[key]
+	now := time.Now()
+	if b == nil {
+		b = &bucket{tokens: l.burst, last: now}
+		l.m[key] = b
+	}
+	elapsed := now.Sub(b.last).Seconds()
+	b.tokens = min(l.burst, b.tokens+elapsed*l.rps)
+	b.last = now
+	if b.tokens >= 1 {
+		b.tokens -= 1
+		return true
+	}
+	return false
+}
+
+func (l *Limiter) Middleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		host, _, _ := net.SplitHostPort(r.RemoteAddr)
+		key := host + r.URL.Path
+		if !l.allow(key) {
+			http.Error(w, "rate limit", http.StatusTooManyRequests)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+func min(a, b float64) float64 {
+	if a < b {
+		return a
+	}
+	return b
+}