harmony-nats-callout becomes a deployable service, not just a library:
- New [[bin]] target with env+secret-file driven config and
SIGINT/SIGTERM-aware shutdown.
- Dockerfile (single-stage archlinux:base, non-root, matches
harmony-fleet-operator convention).
- Refactored handler into a pure `decide()` function so the entire
authorization decision tree is unit-testable without async-nats.
- New `roles` module with role resolution + a `validate_device_id`
security gate that rejects NATS subject metacharacters in device_id
(.>* whitespace) — closes a real escalation path through the
`{device_id}` placeholder in the per-device permissions block.
- Configurable role claim path + admin/device role names; admin wins
when both are present (privilege-escalation invariant).
57 unit tests cover every reachable branch of the security decision
tree; 4 e2e tests in nats/integration-test-callout exercise real NATS
in podman with: device pubsub on own subjects, cross-device subject
isolation, admin-can-read-anything, and JWT-without-role rejection.
harmony/src/modules/nats_auth_callout/:
- New `NatsAuthCalloutScore` deploys the callout as a K8s Deployment +
Secret. fsGroup + 0o440 secret mode so the non-root container can
read its mounted seed/password without leaving them in env vars.
- `render_auth_callout_block` helper produces the YAML for NATS Helm
`config.merge.authorization.auth_callout` so both halves stay in
sync.
examples/fleet_auth_callout/:
- `bring_up_stack()` orchestrates k3d -> Zitadel + Postgres ->
CoreDNS rewrite -> project + roles + machine users with JWT keys
-> NATS Helm with auth_callout block -> callout image build +
sideload -> NatsAuthCalloutScore deploy. Idempotent across re-runs
(issuer NKey persisted in a K8s secret so user JWTs survive
restarts).
- `mint_access_token()` RFC 7523 JWT-bearer client. Uses Host header
with port so Zitadel emits a matching issuer.
- main.rs prints URLs/creds/keyIds and waits for Ctrl-C.
- Three #[tokio::test] functions sharing one cluster via OnceCell:
admin_can_read_any_device_subject, device_can_only_access_own_subjects,
unknown_role_is_rejected. All green on real k3d.
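To make the two security points in the commit message concrete (the `validate_device_id` gate in front of the `{device_id}` placeholder, and role resolution where admin wins over device), here is an added, self-contained illustration. It is not harmony's own code: the function names, the `RoleConfig` struct, the `fleet.device.{device_id}.>` subject layout and the toy subject matcher are all assumptions made for this example.

```rust
// Added illustration, not harmony's own code. Shows (1) why a device_id
// must be validated before it is substituted into a `{device_id}` permission
// template, and (2) a pure, NATS-client-free decision function in which the
// admin role wins over the device role. All names and the subject layout
// (`fleet.device.{device_id}.>`) are assumptions for this example.

/// Reject anything that changes meaning inside a NATS subject pattern:
/// the token separator `.`, the wildcards `*` and `>`, and whitespace.
fn validate_device_id(id: &str) -> Result<&str, String> {
    if id.is_empty() {
        return Err("device_id must not be empty".to_string());
    }
    match id.chars().find(|&c| matches!(c, '.' | '*' | '>') || c.is_whitespace()) {
        Some(c) => Err(format!("device_id contains subject metacharacter {c:?}")),
        None => Ok(id),
    }
}

/// The escalation path: the raw claim value pasted into the template.
fn render_permissions_unchecked(device_id: &str) -> Vec<String> {
    vec![format!("fleet.device.{device_id}.>")]
}

/// Hardened rendering: the gate runs before substitution.
fn render_permissions(device_id: &str) -> Result<Vec<String>, String> {
    let id = validate_device_id(device_id)?;
    Ok(vec![format!("fleet.device.{id}.>")])
}

/// Minimal NATS-style matcher (`*` = exactly one token, trailing `>` = one
/// or more tokens), used only to show what a bad pattern would grant.
fn subject_matches(pattern: &str, subject: &str) -> bool {
    let pat: Vec<&str> = pattern.split('.').collect();
    let sub: Vec<&str> = subject.split('.').collect();
    for (i, tok) in pat.iter().enumerate() {
        match *tok {
            ">" => return i + 1 == pat.len() && sub.len() > i,
            "*" => {
                if sub.get(i).is_none() {
                    return false;
                }
            }
            lit => {
                if sub.get(i) != Some(&lit) {
                    return false;
                }
            }
        }
    }
    pat.len() == sub.len()
}

/// Role names are configurable in the service; modelled here as a struct.
struct RoleConfig<'a> {
    admin: &'a str,
    device: &'a str,
}

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
enum Role {
    Admin,
    Device,
}

/// Admin wins when both role names are present in the claim.
fn resolve_role(cfg: &RoleConfig, claim_roles: &[&str]) -> Option<Role> {
    if claim_roles.contains(&cfg.admin) {
        Some(Role::Admin)
    } else if claim_roles.contains(&cfg.device) {
        Some(Role::Device)
    } else {
        None
    }
}

/// Pure decision: the subjects the caller may use, or a rejection reason.
fn decide(cfg: &RoleConfig, claim_roles: &[&str], device_id: Option<&str>) -> Result<Vec<String>, String> {
    match resolve_role(cfg, claim_roles) {
        Some(Role::Admin) => Ok(vec![">".to_string()]),
        Some(Role::Device) => {
            let id = device_id.ok_or("device role without device_id claim")?;
            render_permissions(id)
        }
        None => Err("no recognised role in token".to_string()),
    }
}

fn main() {
    let cfg = RoleConfig { admin: "admin", device: "device" };
    // Constructed hostile claim: a wildcard as the device id.
    let granted = render_permissions_unchecked("*");
    println!("unchecked grant {} reaches device b: {}", granted[0],
        subject_matches(&granted[0], "fleet.device.b.telemetry"));
    println!("checked: {:?}", render_permissions("*"));
    println!("admin+device -> {:?}", decide(&cfg, &["device", "admin"], Some("dev-1")));
}
```

The unchecked path turns a `device_id` of `*` into `fleet.device.*.>`, which matches every device's subjects; the gate rejects it before the template is rendered, and the same gate covers `.`, `>` and whitespace. Because `decide` is pure, every branch (admin wins, device with a clean id, device with a hostile id, device without an id, unknown role) can be asserted without a NATS connection.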
27 lines
1.3 KiB
Docker
# Minimal runtime container for the NATS auth callout service.
# Assumes `target/release/harmony-nats-callout` has already been built on
# the host (the deployment Score / example harness does this). Same
# convention as `fleet/harmony-fleet-operator/Dockerfile` to keep local
# k3d iteration fast — multi-stage cargo-in-Docker rebuilds the entire
# workspace and is reserved for the release pipeline.
#
# Base image is archlinux:base to guarantee the host's glibc (ABI-matched)
# — debian:bookworm-slim ships an older glibc and would error
# at startup with "version `GLIBC_2.x' not found".
FROM docker.io/library/archlinux:base

# ca-certificates ship with archlinux:base, which the OIDC client needs
# for HTTPS to the Zitadel issuer.

COPY target/release/harmony-nats-callout /usr/local/bin/harmony-nats-callout

# Non-root runtime, matching the harmony-fleet-operator convention.
# 65532 is the `nonroot` UID used by distroless + security-hardened
# base images. The Pod manifest sets `runAsNonRoot: true`; the image's
# USER directive is the portable mechanism that pairs with that flag
# without pinning a specific UID at the Pod level (OpenShift's
# restricted-v2 SCC assigns its own namespace-scoped UIDs).
USER 65532:65532

ENTRYPOINT ["/usr/local/bin/harmony-nats-callout"]