mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

feat(#360): Add federation credential isolation

Browse Source 
Implement explicit deny-lists in QueryService and CommandService to prevent
user credentials from leaking across federation boundaries.

## Changes

### Core Implementation
- QueryService: Block all credential-related queries with keyword detection
- CommandService: Block all credential operations (create/update/delete/read)
- Case-insensitive keyword matching for both queries and commands

### Security Features
- Deny-list includes: credential, api_key, secret, token, password, oauth
- Errors returned for blocked operations
- No impact on existing allowed operations (tasks, events, projects, agent commands)

### Testing
- Added 2 unit tests to query.service.spec.ts
- Added 3 unit tests to command.service.spec.ts
- Added 8 integration tests in credential-isolation.integration.spec.ts
- All 377 federation tests passing

### Documentation
- Created comprehensive security doc at docs/security/federation-credential-isolation.md
- Documents 4 security guarantees (G1-G4)
- Includes testing strategy and incident response procedures

## Security Guarantees

1. G1: Credential Confidentiality - Credentials never leave instance in plaintext
2. G2: Cross-Instance Isolation - Compromised key on one instance doesn't affect others
3. G3: Query/Command Isolation - Federated instances cannot query/modify credentials
4. G4: Accidental Exposure Prevention - Credentials cannot leak via messages

## Defense-in-Depth

This implementation adds application-layer protection on top of existing:
- Transit key separation (mosaic-credentials vs mosaic-federation)
- Per-instance OpenBao servers
- Workspace-scoped credential access

Fixes #360

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-07 16:55:49 -06:00
parent 33dc746714
commit 73074932f6
7 changed files with 959 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

141
apps/api/src/federation/command.service.spec.ts
View File

@@ -756,4 +756,145 @@ describe("CommandService", () => {
);
});
});
describe("handleIncomingCommand - Credential Isolation", () => {
it("should reject credential.create commands", async () => {
const commandMessage: CommandMessage = {
messageId: "cmd-123",
instanceId: "remote-instance-1",
commandType: "credential.create",
payload: {
name: "test-credential",
value: "secret-value",
},
timestamp: Date.now(),
signature: "signature-123",
};
const mockConnection = {
id: "connection-1",
workspaceId: mockWorkspaceId,
remoteInstanceId: "remote-instance-1",
status: FederationConnectionStatus.ACTIVE,
};
const mockIdentity = {
instanceId: "local-instance-1",
};
vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
vi.spyOn(prisma.federationConnection, "findFirst").mockResolvedValue(mockConnection as never);
vi.spyOn(signatureService, "verifyMessage").mockResolvedValue({
valid: true,
error: null,
} as never);
vi.spyOn(federationService, "getInstanceIdentity").mockResolvedValue(mockIdentity as never);
vi.spyOn(signatureService, "signMessage").mockResolvedValue("response-signature");
const result = await service.handleIncomingCommand(commandMessage);
expect(result.success).toBe(false);
expect(result.error).toContain("Credential operations are not allowed");
});
it("should reject all credential operations", async () => {
const credentialCommands = [
"credential.create",
"credential.update",
"credential.delete",
"credential.read",
"credential.list",
"credentials.sync",
];
const mockConnection = {
id: "connection-1",
workspaceId: mockWorkspaceId,
remoteInstanceId: "remote-instance-1",
status: FederationConnectionStatus.ACTIVE,
};
const mockIdentity = {
instanceId: "local-instance-1",
};
vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
vi.spyOn(prisma.federationConnection, "findFirst").mockResolvedValue(mockConnection as never);
vi.spyOn(signatureService, "verifyMessage").mockResolvedValue({
valid: true,
error: null,
} as never);
vi.spyOn(federationService, "getInstanceIdentity").mockResolvedValue(mockIdentity as never);
vi.spyOn(signatureService, "signMessage").mockResolvedValue("response-signature");
for (const commandType of credentialCommands) {
const commandMessage: CommandMessage = {
messageId: `cmd-${Math.random()}`,
instanceId: "remote-instance-1",
commandType,
payload: {},
timestamp: Date.now(),
signature: "signature-123",
};
const result = await service.handleIncomingCommand(commandMessage);
expect(result.success).toBe(false);
expect(result.error).toContain("Credential operations are not allowed");
}
});
it("should allow agent commands (existing functionality)", async () => {
const commandMessage: CommandMessage = {
messageId: "cmd-123",
instanceId: "remote-instance-1",
commandType: "agent.spawn",
payload: {
agentType: "task-executor",
},
timestamp: Date.now(),
signature: "signature-123",
};
const mockConnection = {
id: "connection-1",
workspaceId: mockWorkspaceId,
remoteInstanceId: "remote-instance-1",
status: FederationConnectionStatus.ACTIVE,
};
const mockIdentity = {
instanceId: "local-instance-1",
};
vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
vi.spyOn(prisma.federationConnection, "findFirst").mockResolvedValue(mockConnection as never);
vi.spyOn(signatureService, "verifyMessage").mockResolvedValue({
valid: true,
error: null,
} as never);
vi.spyOn(federationService, "getInstanceIdentity").mockResolvedValue(mockIdentity as never);
vi.spyOn(signatureService, "signMessage").mockResolvedValue("response-signature");
// Mock FederationAgentService
const mockAgentService = {
handleAgentCommand: vi.fn().mockResolvedValue({
success: true,
data: { agentId: "agent-123" },
}),
};
const moduleRef = {
get: vi.fn().mockReturnValue(mockAgentService),
};
// Inject moduleRef into service
(service as never)["moduleRef"] = moduleRef;
const result = await service.handleIncomingCommand(commandMessage);
expect(result.success).toBe(true);
expect(result.data).toEqual({ agentId: "agent-123" });
});
});
});

19
apps/api/src/federation/command.service.ts
View File

@@ -162,6 +162,12 @@ export class CommandService {
let errorMessage: string | undefined;
try {
// SECURITY: Block all credential-related commands
// Credentials must never be manipulated via federation
if (this.isCredentialCommand(commandMessage.commandType)) {
throw new CommandProcessingError("Credential operations are not allowed via federation");
}
// Route agent commands to FederationAgentService
if (commandMessage.commandType.startsWith("agent.")) {
// Import FederationAgentService dynamically to avoid circular dependency
@@ -396,4 +402,17 @@ export class CommandService {
return details;
}
/**
* Check if command is attempting to access credential data
* Returns true if command type is credential-related
*/
private isCredentialCommand(commandType: string): boolean {
const lowerCommandType = commandType.toLowerCase();
// Deny-list of credential-related command prefixes
const credentialPrefixes = ["credential.", "credentials."];
return credentialPrefixes.some((prefix) => lowerCommandType.startsWith(prefix));
}
}

255
apps/api/src/federation/credential-isolation.integration.spec.ts Normal file
View File

@@ -0,0 +1,255 @@
/**
* Credential Isolation Integration Tests
*
* Verifies that UserCredential data never leaks across federation boundaries.
*/
import { describe, it, expect, beforeEach } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { QueryService } from "./query.service";
import { CommandService } from "./command.service";
import { PrismaService } from "../prisma/prisma.service";
import { FederationService } from "./federation.service";
import { SignatureService } from "./signature.service";
import { HttpService } from "@nestjs/axios";
import { ConfigService } from "@nestjs/config";
import { TasksService } from "../tasks/tasks.service";
import { EventsService } from "../events/events.service";
import { ProjectsService } from "../projects/projects.service";
import { ModuleRef } from "@nestjs/core";
import { FederationConnectionStatus } from "@prisma/client";
describe("Credential Isolation (Integration)", () => {
let queryService: QueryService;
let commandService: CommandService;
const mockPrisma = {
federationConnection: {
findFirst: () =>
Promise.resolve({
id: "connection-1",
workspaceId: "workspace-1",
remoteInstanceId: "remote-instance-1",
status: FederationConnectionStatus.ACTIVE,
}),
},
};
const mockFederationService = {
getInstanceIdentity: () =>
Promise.resolve({
instanceId: "local-instance-1",
}),
};
const mockSignatureService = {
validateTimestamp: () => true,
verifyMessage: () => Promise.resolve({ valid: true }),
signMessage: () => Promise.resolve("signature"),
};
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
providers: [
QueryService,
CommandService,
{ provide: PrismaService, useValue: mockPrisma },
{ provide: FederationService, useValue: mockFederationService },
{ provide: SignatureService, useValue: mockSignatureService },
{ provide: HttpService, useValue: { post: () => Promise.resolve() } },
{ provide: ConfigService, useValue: { get: () => null } },
{ provide: TasksService, useValue: { findAll: () => Promise.resolve({ data: [] }) } },
{ provide: EventsService, useValue: { findAll: () => Promise.resolve({ data: [] }) } },
{ provide: ProjectsService, useValue: { findAll: () => Promise.resolve({ data: [] }) } },
{ provide: ModuleRef, useValue: { get: () => ({}) } },
],
}).compile();
queryService = module.get<QueryService>(QueryService);
commandService = module.get<CommandService>(CommandService);
});
describe("Query Isolation", () => {
it("should block direct credential entity queries", async () => {
const queryMessage = {
messageId: "msg-1",
instanceId: "remote-instance-1",
query: "SELECT * FROM user_credentials",
context: { workspaceId: "workspace-1" },
timestamp: Date.now(),
signature: "valid-signature",
};
const result = await queryService.handleIncomingQuery(queryMessage);
expect(result.success).toBe(false);
expect(result.error).toContain("Credential queries are not allowed");
});
it("should block queries with credential keywords in different case", async () => {
const queries = ["Get all CREDENTIALS", "Show API_KEYS", "List oauth TOKENS", "Find secrets"];
for (const query of queries) {
const queryMessage = {
messageId: `msg-${Math.random()}`,
instanceId: "remote-instance-1",
query,
context: { workspaceId: "workspace-1" },
timestamp: Date.now(),
signature: "valid-signature",
};
const result = await queryService.handleIncomingQuery(queryMessage);
expect(result.success).toBe(false);
expect(result.error).toContain("Credential queries are not allowed");
}
});
it("should allow non-credential queries", async () => {
const queries = ["tasks", "events", "projects"];
for (const query of queries) {
const queryMessage = {
messageId: `msg-${Math.random()}`,
instanceId: "remote-instance-1",
query,
context: { workspaceId: "workspace-1" },
timestamp: Date.now(),
signature: "valid-signature",
};
const result = await queryService.handleIncomingQuery(queryMessage);
expect(result.success).toBe(true);
}
});
});
describe("Command Isolation", () => {
it("should block credential.create commands", async () => {
const commandMessage = {
messageId: "cmd-1",
instanceId: "remote-instance-1",
commandType: "credential.create",
payload: { name: "test", value: "secret" },
timestamp: Date.now(),
signature: "valid-signature",
};
const result = await commandService.handleIncomingCommand(commandMessage);
expect(result.success).toBe(false);
expect(result.error).toContain("Credential operations are not allowed");
});
it("should block all credential operations", async () => {
const operations = [
"credential.create",
"credential.update",
"credential.delete",
"credential.read",
"credentials.sync",
"credentials.list",
];
for (const commandType of operations) {
const commandMessage = {
messageId: `cmd-${Math.random()}`,
instanceId: "remote-instance-1",
commandType,
payload: {},
timestamp: Date.now(),
signature: "valid-signature",
};
const result = await commandService.handleIncomingCommand(commandMessage);
expect(result.success).toBe(false);
expect(result.error).toContain("Credential operations are not allowed");
}
});
it("should block credential operations with different case", async () => {
const operations = ["CREDENTIAL.create", "Credentials.Update", "CrEdEnTiAl.delete"];
for (const commandType of operations) {
const commandMessage = {
messageId: `cmd-${Math.random()}`,
instanceId: "remote-instance-1",
commandType,
payload: {},
timestamp: Date.now(),
signature: "valid-signature",
};
const result = await commandService.handleIncomingCommand(commandMessage);
expect(result.success).toBe(false);
expect(result.error).toContain("Credential operations are not allowed");
}
});
it("should allow agent commands (existing functionality)", async () => {
const commandMessage = {
messageId: "cmd-1",
instanceId: "remote-instance-1",
commandType: "agent.spawn",
payload: { agentType: "task-executor" },
timestamp: Date.now(),
signature: "valid-signature",
};
// Mock FederationAgentService
const moduleRef = {
get: () => ({
handleAgentCommand: () =>
Promise.resolve({
success: true,
data: { agentId: "agent-123" },
}),
}),
};
// Inject moduleRef
(commandService as never)["moduleRef"] = moduleRef;
const result = await commandService.handleIncomingCommand(commandMessage);
expect(result.success).toBe(true);
});
});
describe("Defense-in-Depth", () => {
it("should document transit key separation", () => {
// This test documents the architectural isolation
// TransitKey.CREDENTIALS is used for user credentials
// TransitKey.FEDERATION is used for federation private keys
// Each federated instance has its own OpenBao instance
// Even if one Transit key is compromised, credentials remain isolated
const architecture = {
userCredentials: {
transitKey: "mosaic-credentials",
service: "VaultService",
scope: "per-workspace",
},
federationKeys: {
transitKey: "mosaic-federation",
service: "CryptoService (legacy) / VaultService (future)",
scope: "per-instance",
},
isolation: {
cryptographic: "Separate Transit keys prevent cross-contamination",
infrastructure: "Each instance has its own OpenBao",
application: "Deny-lists prevent accidental exposure",
},
};
expect(architecture.userCredentials.transitKey).not.toBe(
architecture.federationKeys.transitKey
);
expect(architecture.isolation).toBeDefined();
});
});
});

76
apps/api/src/federation/query.service.spec.ts
View File

@@ -704,5 +704,81 @@ describe("QueryService", () => {
expect(result.success).toBe(false);
expect(result.error).toContain("workspaceId");
});
it("should reject queries for UserCredential entity type", async () => {
const queryMessage = {
messageId: "msg-1",
instanceId: "remote-instance-1",
query: "credentials",
context: { workspaceId: "workspace-1" },
timestamp: Date.now(),
signature: "valid-signature",
};
const mockConnection = {
id: "connection-1",
workspaceId: "workspace-1",
remoteInstanceId: "remote-instance-1",
status: FederationConnectionStatus.ACTIVE,
};
const mockIdentity = {
instanceId: "local-instance-1",
};
mockPrisma.federationConnection.findFirst.mockResolvedValue(mockConnection);
mockSignatureService.validateTimestamp.mockReturnValue(true);
mockSignatureService.verifyMessage.mockResolvedValue({ valid: true });
mockFederationService.getInstanceIdentity.mockResolvedValue(mockIdentity);
mockSignatureService.signMessage.mockResolvedValue("response-signature");
const result = await service.handleIncomingQuery(queryMessage);
expect(result).toBeDefined();
expect(result.success).toBe(false);
expect(result.error).toContain("Credential queries are not allowed");
});
it("should reject queries containing credential-related keywords", async () => {
const credentialQueries = [
"SELECT * FROM user_credentials",
"get all credentials",
"show my api keys",
"list oauth tokens",
];
const mockConnection = {
id: "connection-1",
workspaceId: "workspace-1",
remoteInstanceId: "remote-instance-1",
status: FederationConnectionStatus.ACTIVE,
};
const mockIdentity = {
instanceId: "local-instance-1",
};
mockPrisma.federationConnection.findFirst.mockResolvedValue(mockConnection);
mockSignatureService.validateTimestamp.mockReturnValue(true);
mockSignatureService.verifyMessage.mockResolvedValue({ valid: true });
mockFederationService.getInstanceIdentity.mockResolvedValue(mockIdentity);
mockSignatureService.signMessage.mockResolvedValue("response-signature");
for (const query of credentialQueries) {
const queryMessage = {
messageId: `msg-${Math.random()}`,
instanceId: "remote-instance-1",
query,
context: { workspaceId: "workspace-1" },
timestamp: Date.now(),
signature: "valid-signature",
};
const result = await service.handleIncomingQuery(queryMessage);
expect(result.success).toBe(false);
expect(result.error).toContain("Credential queries are not allowed");
}
});
});
});

29
apps/api/src/federation/query.service.ts
View File

@@ -375,6 +375,12 @@ export class QueryService {
throw new Error("workspaceId is required in query context");
}
// SECURITY: Block all credential-related queries
// Credentials must never be exposed via federation
if (this.isCredentialQuery(query)) {
throw new Error("Credential queries are not allowed via federation");
}
// Parse query to determine type and parameters
const queryType = this.parseQueryType(query);
const queryParams = this.parseQueryParams(query, context);
@@ -392,6 +398,29 @@ export class QueryService {
}
}
/**
* Check if query is attempting to access credential data
* Returns true if query contains credential-related keywords
*/
private isCredentialQuery(query: string): boolean {
const lowerQuery = query.toLowerCase();
// Deny-list of credential-related keywords
const credentialKeywords = [
"credential",
"user_credential",
"api_key",
"api key",
"secret",
"token",
"password",
"oauth",
"access_token",
];
return credentialKeywords.some((keyword) => lowerQuery.includes(keyword));
}
/**
* Parse query string to determine query type
*/