fix(archreview): security authz+hub cluster (SEC-07/05/08/11) + validation hardening
SEC-07: add QueryActiveAlarmsRequest -> events:read scope arm; fix two tests that
constructed StreamAlarmsRequest instead of QueryActiveAlarmsRequest.
SEC-05: shorten hub-token lifetime 30m -> 5m; document that the ?access_token= query
carriage must never be request-logged.
SEC-08: gateway-side CachingApiKeyVerifier (short TTL, keyed on a hash of the presented
secret) skips the per-call store read+last_used write; CoalescingMarkApiKeyStore bounds
last_used writes to <=1/key/min; identity constraints are cached. Invalidation is wired
at the gateway admin sites (revoke/rotate/delete); short TTL backstops out-of-process CLI.
SEC-11: fixed-window rate limit on POST /auth/login + a per-peer (key-id) failure limiter
checked before VerifyAsync; new MxGateway:Security options bound + validated.
Also fixes regressions from the SEC-01/04/06 commit (c185f62) that a narrow test filter
missed (all now covered by a full-suite checkpoint):
- Rooting check is cross-platform: accepts Windows C:\/UNC forms on Unix so the shipped
appsettings path validates on the macOS dev box, still rejecting bare filenames.
- AddGatewayConfiguration TryAdds a non-production IHostEnvironment fallback so the validator
resolves in minimal test/tooling containers; the real host + apikey CLI register the actual
environment first (TryAdd no-op there).
- Test assembly defaults ASPNETCORE_ENVIRONMENT=Development (ModuleInitializer) so full-host
tests exercise wiring instead of tripping the SEC-04/06 production guards.
- GatewayOptionsTests asserts the SEC-01 CommonApplicationData-derived default (platform-correct).
archreview: SEC-07/05/08/11 (P1). Verified: NonWindows build clean; full gateway suite
747 passed / 42 failed, where all 42 are the pre-existing macOS named-pipe-harness failures
(Unix-socket path limit) and 0 are validation/regression failures.
This commit is contained in:
@@ -101,6 +101,38 @@ return ApiKeyVerificationResult.Success(new ApiKeyIdentity(
|
||||
`DisplayName`, `Scopes`, and `Constraints`) and is the type downstream
|
||||
authorization code consumes.
|
||||
|
||||
### Hot-path caching and last-used coalescing
|
||||
|
||||
Left unmediated, every authenticated gRPC call costs a SQLite read plus a
|
||||
`last_used_utc` **write** (the library verifier couples `MarkKeyUsed` into
|
||||
`VerifyAsync`), which makes the auth store the throughput ceiling on the
|
||||
bulk-read workload. The gateway layers two decorators over the shared library's
|
||||
registrations (in `AuthStoreServiceCollectionExtensions`) — it does not edit the
|
||||
library:
|
||||
|
||||
- **`CachingApiKeyVerifier`** wraps `IApiKeyVerifier` with an `IMemoryCache`
|
||||
entry per successful verification, keyed on a SHA-256 hash of the presented
|
||||
token (never the plaintext secret). A cache hit within
|
||||
`MxGateway:Security:ApiKeyVerificationCacheSeconds` (default 15 s) returns the
|
||||
cached result without touching the store, so both the read and the coupled
|
||||
write are skipped. Only successes are cached; failures always reach the inner
|
||||
verifier. On a gateway-initiated revoke/rotate/delete the dashboard admin
|
||||
service calls `IApiKeyCacheInvalidator.Invalidate(keyId)`, evicting the cached
|
||||
entry immediately. The short TTL is the backstop for out-of-band mutations
|
||||
(a direct DB edit, or a revoke run by the separate `apikey` CLI process, whose
|
||||
in-memory cache is not the running gateway's cache).
|
||||
- **`CoalescingMarkApiKeyStore`** wraps `IApiKeyStore` and forwards at most one
|
||||
`MarkUsed` write per key per `MxGateway:Security:ApiKeyLastUsedCoalesceSeconds`
|
||||
(default 60 s), so even under a cache miss the `last_used_utc` write is bounded
|
||||
to roughly one per key per minute rather than one per RPC. `last_used_utc` is a
|
||||
coarse staleness hint, not an audit record (audit rows are written separately),
|
||||
so bounded staleness of up to one window is acceptable.
|
||||
|
||||
`GatewayApiKeyIdentityMapper` additionally memoizes the constraints-JSON
|
||||
deserialization by blob, so the per-call parse on the mapped identity collapses to
|
||||
a dictionary lookup. Both windows are configurable and may be set to `0` to
|
||||
disable the respective mechanism; see [GatewayConfiguration](./GatewayConfiguration.md).
|
||||
|
||||
## Storage
|
||||
|
||||
The gateway keeps API key state in a dedicated SQLite database. SQLite is sufficient because credential volume is small, the gateway runs as a single process, and the file is straightforward to back up and rotate independently of the main application data.
|
||||
|
||||
Reference in New Issue
Block a user