feat(authz): operator signed-op verifier + durable nonce store (slice 2, v0.2.0)
internal/authz: production form of the Phase-4 SSHSIG signing primitive. - Verifier.New/Verify with the LOCKED pipeline (namespace → allow-list by key material → crypto over RAW bytes → target → time → nonce LAST); each post-crypto stage rejects even with a valid sig; an invalid sig never burns a nonce. - SSHSIG framing via x/crypto/ssh (no hand-rolled crypto); key-type-agnostic (ed25519 / sk-ssh-ed25519 / rsa / ecdsa via pub.Verify). Fixed namespace felhom-op-v1. Typed errors. OpBlob (fixed host_id/guest_id tags) + VerifiedOp. - NonceStore: MemoryNonceStore + durable crash-safe FileNonceStore (fsync'd append log, replay-on-open, compaction, expiry-only pruning; survives restart). - config.AuthzConfig (nonce path + pinned operational/recovery signer keys). - Tests (14): real ssh-keygen fixture, per-stage rejection, nonce-not-burned, replay, persistence-across-restart, synthetic sk, byte-exactness. Dep: golang.org/x/crypto v0.52.0 (declares go 1.25 — the Phase-4 doc's "Go 1.24.4 / x/crypto v0.52.0" pairing doesn't build; build server upgraded to go1.26.0, backward-compatible). Version 0.1.0 -> 0.2.0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -3,6 +3,62 @@
|
||||
All notable changes to **felhom-agent** are recorded here. Update on every code
|
||||
change that gets pushed.
|
||||
|
||||
## v0.2.0 — `authz` signed-op verifier (slice 2) (2026-06-08)
|
||||
|
||||
Production form of the Phase-4 signing primitive: a key-type-agnostic SSHSIG
|
||||
verifier for operator-signed destructive ops, with the full anti-replay/
|
||||
authorization pipeline and a durable, crash-safe nonce store. What slice 4
|
||||
(reconcile) will call to gate destructive desired-state deltas. No hub, no signing
|
||||
CLI, no reconcile loop.
|
||||
|
||||
### Added
|
||||
- **`internal/authz` — `Verifier`**: `New(signers, store, hostID)` + `Verify(blob,
|
||||
sigArmored) (*VerifiedOp, error)`. Runs the LOCKED pipeline (order is
|
||||
load-bearing): parse armor → namespace → parse pubkey → allow-list (by key
|
||||
**material**, `pub.Marshal()` equality, not key_id) → crypto verify (over the
|
||||
**raw received bytes**, never re-canonicalized) → parse blob → target → time
|
||||
window → **nonce recorded LAST**. Each post-crypto stage rejects even with a
|
||||
valid signature.
|
||||
- **SSHSIG framing** (`sshsig.go`) via `golang.org/x/crypto/ssh` — `pem.Decode` →
|
||||
strip 6-byte magic → `ssh.Unmarshal` → `ssh.ParsePublicKey` → recompute signed
|
||||
data with the named hash → `pub.Verify` (dispatches on key algorithm). No
|
||||
hand-rolled crypto. Key-type-agnostic: ed25519 / **sk-ssh-ed25519 (FIDO2)** /
|
||||
rsa / ecdsa via the one path.
|
||||
- **Fixed namespace** `felhom-op-v1` (package constant, never caller-supplied).
|
||||
- **`OpBlob`** (corrected `host_id`/`guest_id` json tags) + **`VerifiedOp`** (op,
|
||||
host/guest, params, key_id, matched signer). key_id is advisory/audit only —
|
||||
never an authz input.
|
||||
- **Typed errors**: `ErrMalformed, ErrNamespace, ErrUnknownSigner, ErrBadSignature,
|
||||
ErrTarget, ErrExpired, ErrNotYetValid, ErrReplay` (errors.Is-friendly).
|
||||
- **`NonceStore`** + two impls: `MemoryNonceStore` (tests) and **`FileNonceStore`**
|
||||
— durable, crash-safe (fsync'd append log, replayed into an index on open,
|
||||
periodic compaction, expiry-only pruning). A nonce is fsync'd to disk before
|
||||
`SeenOrRecord` returns false; replay protection survives restart; I/O failure
|
||||
fails safe (reports seen=true). Target generalization: host_id matched strictly,
|
||||
guest_id surfaced for the caller to route.
|
||||
- **Config**: `AuthzConfig` (nonce-store path + pinned operator `signers` tagged
|
||||
`operational`/`recovery` with a key_id, as authorized_keys lines).
|
||||
- **Version 0.2.0.**
|
||||
|
||||
### Tests
|
||||
- Real OpenSSH interop via a committed `ssh-keygen -Y sign` vector (hermetic CI);
|
||||
per-stage rejection (each with an otherwise-valid sig); the headline
|
||||
**invalid-sig-does-not-burn-the-nonce** invariant; replay; **persistence across
|
||||
restart**; synthetic **sk-ssh-ed25519** through the unchanged path; byte-exactness
|
||||
(a re-serialized blob fails crypto — not re-canonicalized).
|
||||
|
||||
### Notes / corrections to the Phase-4 reference
|
||||
- §7's `Target` lacked json tags (`host_id`/`guest_id`) — fixed.
|
||||
- The doc paired "Go 1.24.4 / x/crypto v0.52.0", but v0.52.0 declares `go 1.25.0`
|
||||
and does **not** build on Go 1.24. Resolved by upgrading the build server to
|
||||
go1.26.0 (backward-compatible; felhom-controller/hub unaffected); the module is
|
||||
`go 1.25.0` on x/crypto v0.52.0.
|
||||
- Free function → constructed `Verifier`; returns the full `VerifiedOp`; typed
|
||||
errors; clock-skew tolerance added; durable nonce store is the net-new work.
|
||||
- **Shared-contract dependency flagged** (not built): the hub and the `felhom-sign`
|
||||
CLI must emit byte-identical canonical JSON or signatures won't verify; a shared
|
||||
canonicalizer both import would be the right home.
|
||||
|
||||
## v0.1.0 — Scaffold + `proxmox` interaction layer (slice 1) (2026-06-08)
|
||||
|
||||
First slice: stand up the host-agent project and its foundation — the typed
|
||||
|
||||
Reference in New Issue
Block a user