fix(archreview): security authz+hub cluster (SEC-07/05/08/11) + validation hardening
SEC-07: add QueryActiveAlarmsRequest -> events:read scope arm; fix two tests that
constructed StreamAlarmsRequest instead of QueryActiveAlarmsRequest.
SEC-05: shorten hub-token lifetime 30m -> 5m; document that the ?access_token= query
carriage must never be request-logged.
SEC-08: gateway-side CachingApiKeyVerifier (short TTL, keyed on a hash of the presented
secret) skips the per-call store read+last_used write; CoalescingMarkApiKeyStore bounds
last_used writes to <=1/key/min; identity constraints are cached. Invalidation is wired
at the gateway admin sites (revoke/rotate/delete); short TTL backstops out-of-process CLI.
SEC-11: fixed-window rate limit on POST /auth/login + a per-peer (key-id) failure limiter
checked before VerifyAsync; new MxGateway:Security options bound + validated.
Also fixes regressions from the SEC-01/04/06 commit (c185f62) that a narrow test filter
missed (all now covered by a full-suite checkpoint):
- Rooting check is cross-platform: accepts Windows C:\/UNC forms on Unix so the shipped
appsettings path validates on the macOS dev box, still rejecting bare filenames.
- AddGatewayConfiguration TryAdds a non-production IHostEnvironment fallback so the validator
resolves in minimal test/tooling containers; the real host + apikey CLI register the actual
environment first (TryAdd no-op there).
- Test assembly defaults ASPNETCORE_ENVIRONMENT=Development (ModuleInitializer) so full-host
tests exercise wiring instead of tripping the SEC-04/06 production guards.
- GatewayOptionsTests asserts the SEC-01 CommonApplicationData-derived default (platform-correct).
archreview: SEC-07/05/08/11 (P1). Verified: NonWindows build clean; full gateway suite
747 passed / 42 failed, where all 42 are the pre-existing macOS named-pipe-harness failures
(Unix-socket path limit) and 0 are validation/regression failures.
This commit is contained in:
@@ -0,0 +1,152 @@
|
||||
using System.Collections.Concurrent;
|
||||
using ZB.MOM.WW.MxGateway.Server.Configuration;
|
||||
|
||||
namespace ZB.MOM.WW.MxGateway.Server.Security.Authorization;
|
||||
|
||||
/// <summary>
|
||||
/// Cheap, in-process per-peer sliding-window failure counter for the gRPC auth path (SEC-11). It is
|
||||
/// checked BEFORE the API-key verification store read and short-circuits a peer that has exceeded
|
||||
/// <see cref="SecurityOptions.ApiKeyFailureLimit"/> failed attempts within
|
||||
/// <see cref="SecurityOptions.ApiKeyFailureWindowSeconds"/>; a successful verification resets the
|
||||
/// peer's counter.
|
||||
/// </summary>
|
||||
/// <remarks>
|
||||
/// <para>
|
||||
/// The peer key is the API key id when the presented token parses, falling back to the transport
|
||||
/// peer address otherwise. Keying on key id (per the NAT caveat in <c>glauth.md</c>) means a single
|
||||
/// abusive credential behind a shared NAT is throttled without locking out unrelated clients on the
|
||||
/// same address.
|
||||
/// </para>
|
||||
/// <para>
|
||||
/// The tracked-peer set is a bounded LRU (<see cref="SecurityOptions.ApiKeyFailureTrackedPeers"/>) so
|
||||
/// a spray of unique peer keys cannot grow memory without limit. Successful peers are removed on
|
||||
/// reset, so in steady state the map holds only peers with recent failures — the common success path
|
||||
/// is a lock-free dictionary miss.
|
||||
/// </para>
|
||||
/// </remarks>
|
||||
public sealed class ApiKeyFailureLimiter
|
||||
{
|
||||
private readonly int _limit;
|
||||
private readonly long _windowTicks;
|
||||
private readonly int _maxPeers;
|
||||
private readonly TimeProvider _clock;
|
||||
|
||||
private readonly ConcurrentDictionary<string, PeerState> _peers = new(StringComparer.Ordinal);
|
||||
|
||||
/// <summary>Initializes a new instance of the <see cref="ApiKeyFailureLimiter"/> class.</summary>
|
||||
/// <param name="security">Security options carrying the failure-limit knobs.</param>
|
||||
/// <param name="clock">The time provider.</param>
|
||||
public ApiKeyFailureLimiter(SecurityOptions security, TimeProvider clock)
|
||||
: this(
|
||||
(security ?? throw new ArgumentNullException(nameof(security))).ApiKeyFailureLimit,
|
||||
TimeSpan.FromSeconds(security.ApiKeyFailureWindowSeconds),
|
||||
security.ApiKeyFailureTrackedPeers,
|
||||
clock)
|
||||
{
|
||||
}
|
||||
|
||||
// Test/explicit seam.
|
||||
internal ApiKeyFailureLimiter(int limit, TimeSpan window, int maxPeers, TimeProvider clock)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(clock);
|
||||
_limit = limit;
|
||||
_windowTicks = window.Ticks;
|
||||
_maxPeers = maxPeers;
|
||||
_clock = clock;
|
||||
}
|
||||
|
||||
/// <summary>Returns whether the peer has reached the failure limit within the current window.</summary>
|
||||
/// <param name="peer">The peer key (key id or peer address).</param>
|
||||
/// <returns><see langword="true"/> when the peer should be short-circuited.</returns>
|
||||
public bool IsBlocked(string peer)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(peer);
|
||||
if (_limit <= 0)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!_peers.TryGetValue(peer, out PeerState? state))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
long now = _clock.GetUtcNow().UtcTicks;
|
||||
lock (state)
|
||||
{
|
||||
Prune(state, now);
|
||||
return state.FailureTicks.Count >= _limit;
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>Records a failed verification attempt for the peer.</summary>
|
||||
/// <param name="peer">The peer key (key id or peer address).</param>
|
||||
public void RecordFailure(string peer)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(peer);
|
||||
if (_limit <= 0)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
long now = _clock.GetUtcNow().UtcTicks;
|
||||
PeerState state = _peers.GetOrAdd(peer, static _ => new PeerState());
|
||||
lock (state)
|
||||
{
|
||||
Prune(state, now);
|
||||
state.FailureTicks.Enqueue(now);
|
||||
state.LastActivityTicks = now;
|
||||
}
|
||||
|
||||
EvictIfOverCapacity();
|
||||
}
|
||||
|
||||
/// <summary>Clears the peer's failure count after a successful verification.</summary>
|
||||
/// <param name="peer">The peer key (key id or peer address).</param>
|
||||
public void Reset(string peer)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(peer);
|
||||
_peers.TryRemove(peer, out _);
|
||||
}
|
||||
|
||||
private void Prune(PeerState state, long now)
|
||||
{
|
||||
while (state.FailureTicks.Count > 0 && now - state.FailureTicks.Peek() >= _windowTicks)
|
||||
{
|
||||
state.FailureTicks.Dequeue();
|
||||
}
|
||||
}
|
||||
|
||||
private void EvictIfOverCapacity()
|
||||
{
|
||||
// Best-effort eviction: only runs when the map exceeds the cap (rare, since only peers with
|
||||
// recent failures are tracked). Removes the least-recently-active peer. Racy under
|
||||
// concurrency, which is acceptable for a bound rather than an exact policy.
|
||||
while (_peers.Count > _maxPeers)
|
||||
{
|
||||
string? oldest = null;
|
||||
long oldestTicks = long.MaxValue;
|
||||
foreach (KeyValuePair<string, PeerState> entry in _peers)
|
||||
{
|
||||
long activity = Volatile.Read(ref entry.Value.LastActivityTicks);
|
||||
if (activity < oldestTicks)
|
||||
{
|
||||
oldestTicks = activity;
|
||||
oldest = entry.Key;
|
||||
}
|
||||
}
|
||||
|
||||
if (oldest is null || !_peers.TryRemove(oldest, out _))
|
||||
{
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private sealed class PeerState
|
||||
{
|
||||
public Queue<long> FailureTicks { get; } = new();
|
||||
|
||||
public long LastActivityTicks;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user