feat(nats): per-license auth mechanism — agent user/password, scoped broker, generator (non-breaking)
All checks were successful
All checks were successful
Closes the open broker (anonymous publish to any tenant's corrosion.*).
Per-license isolation via NATS user/password + subject permissions:
each license -> user=license_id, password=HMAC-SHA256(license_id,
NATS_TOKEN_SECRET), scoped to corrosion.{license_id}.> + _INBOX. Backend
uses a privileged internal user.
- Agent (alpha.5): nats_user/nats_password config + env, user_and_password
auth; falls back to token/anonymous (transition-safe)
- Backend: connects with NATS_INTERNAL_USER/PASSWORD when set, else anon
- scripts/generate-nats-auth.mjs: regenerates nats-auth.conf from the
licenses table; NATS_AUTH_STAGE=open keeps a no_auth_user fallback
(verify creds first), =enforce rejects anonymous
- committed nats-auth.conf is the SAFE OPEN default (no secrets); the
host copy carries real users and is not committed
- compose: NATS_INTERNAL_USER/PASSWORD/NATS_TOKEN_SECRET, mount nats-auth.conf
Entirely non-breaking until secrets+config deployed; staged cutover next.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Vantz Stockwell
@@ -31,6 +31,9 @@ services:
|
||||
volumes:
|
||||
- nats_data:/data
|
||||
- ./nats.conf:/etc/nats/nats.conf:ro
|
||||
# Per-license authorization (generated on the host; carries secrets, not
|
||||
# committed with real users — see scripts/generate-nats-auth.mjs).
|
||||
- ./nats-auth.conf:/etc/nats/nats-auth.conf:ro
|
||||
ports:
|
||||
- "8089:4222" # Client connections
|
||||
|
||||
@@ -43,6 +46,12 @@ services:
|
||||
DATABASE_URL: postgres://corrosion:${DB_PASSWORD:-corrosion_dev}@postgres:5432/corrosion
|
||||
DATABASE_MAX_CONNECTIONS: "20"
|
||||
NATS_URL: nats://nats:4222
|
||||
# Privileged internal NATS user (full corrosion.> access). Empty = anonymous.
|
||||
NATS_INTERNAL_USER: ${NATS_INTERNAL_USER:-}
|
||||
NATS_INTERNAL_PASSWORD: ${NATS_INTERNAL_PASSWORD:-}
|
||||
# Secret for deriving per-license agent passwords (shared with the
|
||||
# nats-auth generator). HMAC-SHA256(license_id, secret).
|
||||
NATS_TOKEN_SECRET: ${NATS_TOKEN_SECRET:-}
|
||||
JWT_SECRET: ${JWT_SECRET}
|
||||
JWT_ACCESS_EXPIRY_SECONDS: "14400"
|
||||
JWT_REFRESH_EXPIRY_SECONDS: "604800"
|
||||
|
||||
12
docker/nats-auth.conf
Normal file
12
docker/nats-auth.conf
Normal file
@@ -0,0 +1,12 @@
|
||||
# SAFE OPEN DEFAULT — anonymous full access, no secrets. Same behavior as the
|
||||
# pre-auth broker so fresh deploys and the repo stay valid.
|
||||
#
|
||||
# Regenerated on deploy by scripts/generate-nats-auth.mjs with the privileged
|
||||
# internal user + per-license scoped users (those carry secrets and must NOT be
|
||||
# committed — mark the host copy with `git update-index --assume-unchanged`).
|
||||
authorization {
|
||||
users: [
|
||||
{ user: "anonymous", password: "", permissions: { publish: ">", subscribe: ">" } }
|
||||
]
|
||||
no_auth_user: "anonymous"
|
||||
}
|
||||
@@ -28,8 +28,11 @@ logtime: true
|
||||
max_payload: 8MB # Support map file transfer metadata
|
||||
max_connections: 10000
|
||||
|
||||
# Authorization — tokens validated per-connection
|
||||
# Plugin and companion agents authenticate with license-specific tokens
|
||||
authorization {
|
||||
timeout: 5
|
||||
}
|
||||
# Authorization — per-license isolation.
|
||||
# The committed nats-auth.conf is the SAFE OPEN default (anonymous full access,
|
||||
# no secrets — same as before). On deploy, scripts/generate-nats-auth.mjs
|
||||
# regenerates this file from the licenses table with the privileged internal
|
||||
# user + per-license scoped users; flip NATS_AUTH_STAGE=enforce to reject
|
||||
# anonymous. The host copy carries secrets and is NOT committed
|
||||
# (git update-index --assume-unchanged docker/nats-auth.conf).
|
||||
include "nats-auth.conf"
|
||||
|
||||
Reference in New Issue
Block a user