vantzs/corrosion-admin-panel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 18 Wiki Activity

fix(nats): security review — secure-by-default + per-tenant inbox isolation
All checks were successful
CI / backend-types (push) Successful in 10s
Details
CI / frontend-build (push) Successful in 16s
Details
CI / agent-tests (push) Successful in 43s
Details
CI / integration (push) Successful in 23s
Details

Browse Source 
Two HIGH findings from automated review on the generator, both fixed:
1. Cross-tenant inbox access: per-license users were granted _INBOX.>,
   letting license A subscribe to license B's request-reply responses.
   Now scoped to corrosion.{license}.> ONLY; replies must ride the
   license namespace (corrosion.{license}.reply.<id>) — documented in
   PROTOCOL.md. Agent unchanged (responds to msg.reply); constraint is
   on the requester (internal user has full >).
2. Default-open auth bypass: generator defaulted to stage=open with a
   full-access anonymous user — a stale regen left the broker wide open.
   Now defaults to enforce (secure by default); the explicit 'open'
   migration stage maps anonymous to a harmless corrosion.unclaimed.>
   namespace, never real tenant subjects. Committed bootstrap default
   hardened the same way.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Vantz Stockwell
2026-06-11 12:39:31 -04:00
parent 00cff51ce5
commit 463908b18e
3 changed files with 50 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
docker/nats-auth.conf
View File

@@ -1,12 +1,16 @@
# SAFE OPEN DEFAULT — anonymous full access, no secrets. Same behavior as the
# pre-auth broker so fresh deploys and the repo stay valid.
# BOOTSTRAP DEFAULT — no secrets, safe to commit.
#
# Regenerated on deploy by scripts/generate-nats-auth.mjs with the privileged
# internal user + per-license scoped users (those carry secrets and must NOT be
# committed — mark the host copy with `git update-index --assume-unchanged`).
# Anonymous is mapped to a HARMLESS namespace (corrosion.unclaimed.>), never to
# real tenant subjects (corrosion.{uuid}.>) — so a fresh/stale deploy running
# this default cannot read or forge any tenant's traffic. The REST API still
# works; agent telemetry just won't flow until the real config is generated.
#
# On every real deploy, scripts/generate-nats-auth.mjs OVERWRITES this file
# (on the host, not in git) with the privileged internal user + per-license
# scoped users. NATS_AUTH_STAGE defaults to "enforce" (anonymous rejected).
authorization {
users: [
{ user: "anonymous", password: "", permissions: { publish: ">", subscribe: ">" } }
{ user: "anonymous", password: "", permissions: { publish: { allow: ["corrosion.unclaimed.>"] }, subscribe: { allow: ["corrosion.unclaimed.>"] } } }
]
no_auth_user: "anonymous"
}