feat(api): Phase 2 — REST-API MVP + CRUD für Domains/Backends/Routing

REST-API mit Response-Envelope (1:1 mail-gateway), HS256-JWT-Signer (Secret persistent unter /var/lib/edgeguard/.jwt_fingerprint), Setup-Wizard (Bcrypt-Admin-Passwort in setup.json), Auth-Middleware (Cookie + Bearer), Setup-Gate. Update-Banner-Endpoints /system/package-versions + /system/upgrade ab Tag 1 wired (Pattern aus enconf-management-agent: systemd-run detached, HTTP-Response geht VOR dem Self-Replace raus). CRUD-Repos für domains/backends/routing_rules mit pgxpool + handgeschriebenem SQL (mail-gateway-Pattern, kein GORM zur Laufzeit). Audit-Log-Schreiber auf jede Mutation, NodeID aus /etc/machine-id. DB-Pool öffnet best-effort — ohne erreichbare PG bleiben CRUD-Routen unregistriert, Auth/Setup/System antworten weiter (Dev ohne PG). End-to-end live-getestet gegen lokale postgres-16: Setup → Login → POST/PUT/DELETE Backends + Domains + Routing-Rules → audit_log schreibt 5 Zeilen mit korrektem actor/action/subject. Graceful degrade ohne DB ebenfalls verifiziert. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 09:56:10 +02:00
parent 106ef95f6d
commit 0a6f81beaa
18 changed files with 1925 additions and 10 deletions
--- a/internal/services/session/session.go
+++ b/internal/services/session/session.go
@@ -0,0 +1,167 @@
+// Package session implements signed admin-session tokens.
+//
+// Tokens are opaque strings of the form
+//
+//	base64url(payload) . base64url(HMAC-SHA256(payload))
+//
+// where payload is a small JSON ({actor, role, iat, exp}). A 32-byte
+// secret on disk (0600 edgeguard:edgeguard, generated on first use)
+// keys the HMAC. No DB round-trip for verification — handlers
+// validate the token and trust the payload.
+//
+// Pattern 1:1 nach mail-gateway/internal/services/session/. Audience-
+// Splitting (admin vs portal) und API-Key-Synthese sind bewusst nicht
+// im v1-Scope (kein Quarantine-Portal in EdgeGuard).
+package session
+
+import (
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/subtle"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+const (
+	DefaultSecretPath = "/var/lib/edgeguard/.jwt_fingerprint"
+
+	defaultTTL = 24 * time.Hour
+	secretSize = 32
+)
+
+type Token struct {
+	Actor string `json:"actor"`
+	Role  string `json:"role,omitempty"`
+	Iat   int64  `json:"iat"`
+	Exp   int64  `json:"exp"`
+}
+
+type Signer struct {
+	Secret []byte
+	Now    func() time.Time
+	TTL    time.Duration
+}
+
+// NewSignerFromPath loads or creates a 32-byte secret at path. Parent
+// dir gets 0o700, file is 0o600.
+func NewSignerFromPath(path string) (*Signer, error) {
+	if path == "" {
+		path = DefaultSecretPath
+	}
+	secret, err := loadOrCreateSecret(path)
+	if err != nil {
+		return nil, err
+	}
+	return &Signer{
+		Secret: secret,
+		Now:    func() time.Time { return time.Now().UTC() },
+		TTL:    defaultTTL,
+	}, nil
+}
+
+// NewSigner builds a signer with an in-memory secret — for tests.
+func NewSigner(secret []byte, now func() time.Time, ttl time.Duration) *Signer {
+	if now == nil {
+		now = func() time.Time { return time.Now().UTC() }
+	}
+	if ttl == 0 {
+		ttl = defaultTTL
+	}
+	return &Signer{Secret: secret, Now: now, TTL: ttl}
+}
+
+func loadOrCreateSecret(path string) ([]byte, error) {
+	if b, err := os.ReadFile(path); err == nil {
+		if len(b) < secretSize {
+			return nil, fmt.Errorf("%s is shorter than %d bytes", path, secretSize)
+		}
+		return b[:secretSize], nil
+	}
+	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
+		return nil, err
+	}
+	secret := make([]byte, secretSize)
+	if _, err := rand.Read(secret); err != nil {
+		return nil, err
+	}
+	if err := os.WriteFile(path, secret, 0o600); err != nil {
+		return nil, err
+	}
+	return secret, nil
+}
+
+// IssueWithRole returns a signed token for the given actor + role.
+func (s *Signer) IssueWithRole(actor, role string) (string, *Token, error) {
+	now := s.Now()
+	t := Token{
+		Actor: actor,
+		Role:  role,
+		Iat:   now.Unix(),
+		Exp:   now.Add(s.TTL).Unix(),
+	}
+	data, err := json.Marshal(t)
+	if err != nil {
+		return "", nil, err
+	}
+	mac := hmac.New(sha256.New, s.Secret)
+	mac.Write(data)
+	signature := mac.Sum(nil)
+	encoded := base64.RawURLEncoding.EncodeToString(data) + "." +
+		base64.RawURLEncoding.EncodeToString(signature)
+	return encoded, &t, nil
+}
+
+// Issue is IssueWithRole with empty role.
+func (s *Signer) Issue(actor string) (string, *Token, error) {
+	return s.IssueWithRole(actor, "")
+}
+
+// Verify checks a token. Returns ErrInvalidToken or ErrExpiredToken.
+func (s *Signer) Verify(raw string) (*Token, error) {
+	if raw == "" {
+		return nil, ErrInvalidToken
+	}
+	var payloadB64, sigB64 string
+	for i := 0; i < len(raw); i++ {
+		if raw[i] == '.' {
+			payloadB64 = raw[:i]
+			sigB64 = raw[i+1:]
+			break
+		}
+	}
+	if payloadB64 == "" || sigB64 == "" {
+		return nil, ErrInvalidToken
+	}
+	payload, err := base64.RawURLEncoding.DecodeString(payloadB64)
+	if err != nil {
+		return nil, ErrInvalidToken
+	}
+	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
+	if err != nil {
+		return nil, ErrInvalidToken
+	}
+	mac := hmac.New(sha256.New, s.Secret)
+	mac.Write(payload)
+	if subtle.ConstantTimeCompare(mac.Sum(nil), sig) != 1 {
+		return nil, ErrInvalidToken
+	}
+	var t Token
+	if err := json.Unmarshal(payload, &t); err != nil {
+		return nil, ErrInvalidToken
+	}
+	if s.Now().Unix() >= t.Exp {
+		return nil, ErrExpiredToken
+	}
+	return &t, nil
+}
+
+var (
+	ErrInvalidToken = errors.New("invalid session token")
+	ErrExpiredToken = errors.New("session token expired")
+)
--- a/internal/services/session/session_test.go
+++ b/internal/services/session/session_test.go
@@ -0,0 +1,54 @@
+package session
+
+import (
+	"errors"
+	"testing"
+	"time"
+)
+
+func TestIssueAndVerify(t *testing.T) {
+	s := NewSigner([]byte("0123456789abcdef0123456789abcdef"), nil, time.Hour)
+	raw, tok, err := s.IssueWithRole("admin@example.com", "admin")
+	if err != nil {
+		t.Fatalf("issue: %v", err)
+	}
+	if tok.Actor != "admin@example.com" || tok.Role != "admin" {
+		t.Fatalf("token claims: %+v", tok)
+	}
+	got, err := s.Verify(raw)
+	if err != nil {
+		t.Fatalf("verify: %v", err)
+	}
+	if got.Actor != tok.Actor || got.Role != tok.Role {
+		t.Fatalf("roundtrip mismatch: %+v vs %+v", got, tok)
+	}
+}
+
+func TestVerifyRejectsTampered(t *testing.T) {
+	s := NewSigner([]byte("0123456789abcdef0123456789abcdef"), nil, time.Hour)
+	raw, _, _ := s.Issue("a")
+	tampered := raw[:len(raw)-2] + "AA"
+	if _, err := s.Verify(tampered); !errors.Is(err, ErrInvalidToken) {
+		t.Fatalf("expected ErrInvalidToken, got %v", err)
+	}
+}
+
+func TestVerifyExpired(t *testing.T) {
+	now := time.Unix(1_000_000, 0).UTC()
+	s := NewSigner([]byte("0123456789abcdef0123456789abcdef"),
+		func() time.Time { return now }, time.Minute)
+	raw, _, _ := s.Issue("a")
+
+	// shift clock forward past Exp
+	s.Now = func() time.Time { return now.Add(2 * time.Minute) }
+	if _, err := s.Verify(raw); !errors.Is(err, ErrExpiredToken) {
+		t.Fatalf("expected ErrExpiredToken, got %v", err)
+	}
+}
+
+func TestVerifyEmptyRaw(t *testing.T) {
+	s := NewSigner([]byte("0123456789abcdef0123456789abcdef"), nil, time.Hour)
+	if _, err := s.Verify(""); !errors.Is(err, ErrInvalidToken) {
+		t.Fatalf("expected ErrInvalidToken, got %v", err)
+	}
+}