mosaicstack/stack
1
0
Fork 0
Code Issues 18 Pull Requests 1 Actions Packages Projects Releases 13 Wiki Activity

Compare commits

base: mosaicstack:feat/federation-m3-client
Branches Tags
mosaicstack:main mosaicstack:feat/federation-m3-client mosaicstack:feat/federation-m3-auth-guard mosaicstack:feat/federation-m3-harness mosaicstack:feat/federation-m3-types mosaicstack:fix/gateway-federation-test-fixtures-real-pem mosaicstack:docs/federation-m3-planning mosaicstack:chore/federation-m2-close mosaicstack:docs/federation-m2-docs mosaicstack:fix/federation-m2-security mosaicstack:feat/federation-m2-e2e mosaicstack:feat/federation-m2-integration mosaicstack:feat/federation-m2-ca-service mosaicstack:fix/federation-test-stack-healthcheck mosaicstack:deploy/gateway-image-update mosaicstack:feat/federation-m2-stepca mosaicstack:feat/federation-m2-scope-schema mosaicstack:fix/gateway-dockerfile-pnpm-deploy mosaicstack:docs/federation-s21-tracking mosaicstack:feat/federation-m2-schema mosaicstack:feat/federation-m1-doctor mosaicstack:feat/federation-m1-migrate mosaicstack:feat/federation-m1-detector mosaicstack:feat/federation-m1-pgvector mosaicstack:feat/federation-m1-compose mosaicstack:feat/federation-m1-tier-config mosaicstack:docs/mvp-mission-manifest mosaicstack:docs/federation-planning mosaicstack:release/mosaic-v0.0.29 mosaicstack:fix/installer-idempotent-creds mosaicstack:feat/framework-superpowers-enforcement mosaicstack:feat/install-ux-intent mosaicstack:feat/install-ux-polish mosaicstack:docs/iuv-m01-complete mosaicstack:fix/build-vitest-allowdefault mosaicstack:fix/bootstrap-hotfix mosaicstack:docs/install-ux-v2-scaffold mosaicstack:release/mosaic-v0.0.25 mosaicstack:docs/iuh-mission-complete mosaicstack:feat/unified-first-run mosaicstack:docs/iuh-m02-complete mosaicstack:feat/wizard-remediation mosaicstack:feat/mosaic-macp-cli mosaicstack:fix/gateway-token-recovery-review mosaicstack:feat/mosaic-auth-cli mosaicstack:feat/mosaic-forge-cli-v2 mosaicstack:feat/mosaic-storage-cli mosaicstack:feat/mosaic-memory-cli mosaicstack:feat/gateway-token-recovery mosaicstack:feat/mosaic-forge-cli mosaicstack:feat/mosaic-config-command mosaicstack:feat/mosaic-queue-cli mosaicstack:feat/mosaic-brain-cli mosaicstack:feat/mosaic-help-alphabetize mosaicstack:docs/gateway-token-recovery-plan mosaicstack:chore/bump-mosaic-0.0.21 mosaicstack:fix/populate-known-packages-list mosaicstack:fix/publish-loud-errors mosaicstack:fix/gitea-org-rename mosaicstack:fix/gateway-install-ux mosaicstack:fix/rename-mosaic-scope-391 mosaicstack:fix/db-memory-queue-publish-drift mosaicstack:fix/updater-wrapper-gitea-387 mosaicstack:fix/config-package-version-drift mosaicstack:fix/updater-mosaic-package-382 mosaicstack:fix/merge-cli-into-mosaic mosaicstack:fix/metapackage-cli-dep mosaicstack:chore/bump-cli-mosaic-0.0.16 mosaicstack:fix/gateway-deprecation-warnings mosaicstack:fix/gateway-install-prefix-eacces mosaicstack:chore/gateway-default-port-14242 mosaicstack:fix/gateway-scoped-registry mosaicstack:fix/gateway-install-registry mosaicstack:chore/bump-0.0.11 mosaicstack:feat/gateway-local-tier mosaicstack:feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3 mosaicstack:fix/pnpm-build-scripts mosaicstack:fix/storage-sqlite-ci mosaicstack:feat/storage-abstraction mosaicstack:fix/idempotent-init
mosaicstack:fed-v0.2.0-m2 mosaicstack:fed-v0.1.0-m1 mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4
..
compare: mosaicstack:feat/federation-m3-auth-guard
Branches Tags
mosaicstack:main mosaicstack:feat/federation-m3-client mosaicstack:feat/federation-m3-auth-guard mosaicstack:feat/federation-m3-harness mosaicstack:feat/federation-m3-types mosaicstack:fix/gateway-federation-test-fixtures-real-pem mosaicstack:docs/federation-m3-planning mosaicstack:chore/federation-m2-close mosaicstack:docs/federation-m2-docs mosaicstack:fix/federation-m2-security mosaicstack:feat/federation-m2-e2e mosaicstack:feat/federation-m2-integration mosaicstack:feat/federation-m2-ca-service mosaicstack:fix/federation-test-stack-healthcheck mosaicstack:deploy/gateway-image-update mosaicstack:feat/federation-m2-stepca mosaicstack:feat/federation-m2-scope-schema mosaicstack:fix/gateway-dockerfile-pnpm-deploy mosaicstack:docs/federation-s21-tracking mosaicstack:feat/federation-m2-schema mosaicstack:feat/federation-m1-doctor mosaicstack:feat/federation-m1-migrate mosaicstack:feat/federation-m1-detector mosaicstack:feat/federation-m1-pgvector mosaicstack:feat/federation-m1-compose mosaicstack:feat/federation-m1-tier-config mosaicstack:docs/mvp-mission-manifest mosaicstack:docs/federation-planning mosaicstack:release/mosaic-v0.0.29 mosaicstack:fix/installer-idempotent-creds mosaicstack:feat/framework-superpowers-enforcement mosaicstack:feat/install-ux-intent mosaicstack:feat/install-ux-polish mosaicstack:docs/iuv-m01-complete mosaicstack:fix/build-vitest-allowdefault mosaicstack:fix/bootstrap-hotfix mosaicstack:docs/install-ux-v2-scaffold mosaicstack:release/mosaic-v0.0.25 mosaicstack:docs/iuh-mission-complete mosaicstack:feat/unified-first-run mosaicstack:docs/iuh-m02-complete mosaicstack:feat/wizard-remediation mosaicstack:feat/mosaic-macp-cli mosaicstack:fix/gateway-token-recovery-review mosaicstack:feat/mosaic-auth-cli mosaicstack:feat/mosaic-forge-cli-v2 mosaicstack:feat/mosaic-storage-cli mosaicstack:feat/mosaic-memory-cli mosaicstack:feat/gateway-token-recovery mosaicstack:feat/mosaic-forge-cli mosaicstack:feat/mosaic-config-command mosaicstack:feat/mosaic-queue-cli mosaicstack:feat/mosaic-brain-cli mosaicstack:feat/mosaic-help-alphabetize mosaicstack:docs/gateway-token-recovery-plan mosaicstack:chore/bump-mosaic-0.0.21 mosaicstack:fix/populate-known-packages-list mosaicstack:fix/publish-loud-errors mosaicstack:fix/gitea-org-rename mosaicstack:fix/gateway-install-ux mosaicstack:fix/rename-mosaic-scope-391 mosaicstack:fix/db-memory-queue-publish-drift mosaicstack:fix/updater-wrapper-gitea-387 mosaicstack:fix/config-package-version-drift mosaicstack:fix/updater-mosaic-package-382 mosaicstack:fix/merge-cli-into-mosaic mosaicstack:fix/metapackage-cli-dep mosaicstack:chore/bump-cli-mosaic-0.0.16 mosaicstack:fix/gateway-deprecation-warnings mosaicstack:fix/gateway-install-prefix-eacces mosaicstack:chore/gateway-default-port-14242 mosaicstack:fix/gateway-scoped-registry mosaicstack:fix/gateway-install-registry mosaicstack:chore/bump-0.0.11 mosaicstack:feat/gateway-local-tier mosaicstack:feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3 mosaicstack:fix/pnpm-build-scripts mosaicstack:fix/storage-sqlite-ci mosaicstack:feat/storage-abstraction mosaicstack:fix/idempotent-init
mosaicstack:fed-v0.2.0-m2 mosaicstack:fed-v0.1.0-m1 mosaicstack:mosaic-v0.0.29 mosaicstack:mosaic-v0.0.28 mosaicstack:mosaic-v0.0.27 mosaicstack:mosaic-v0.0.26 mosaicstack:mosaic-v0.0.25 mosaicstack:mosaic-v0.0.24 mosaicstack:v0.2.0 mosaicstack:v0.1.0 mosaicstack:v0.0.8 mosaicstack:v0.0.7 mosaicstack:v0.0.6 mosaicstack:v0.0.5 mosaicstack:v0.0.4

2 Commits
feat/feder ... feat/feder

Author SHA1 Message Date
Jarvis
71c7b85026 fix(federation/auth-guard): remediate CRIT-1/CRIT-2 + HIGH-1..4 review findings
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/push/ci Pipeline was successful
Details 
- CRIT-1: Validate cert subjectUserId against grant.subjectUserId from DB;
  use authoritative DB value in FederationContext
- CRIT-2: Add @Inject(GrantsService) decorator (tsx/esbuild requirement)
- HIGH-1: Validate UTF8String TLV tag, length, and bounds in OID parser
- HIGH-2: Collapse all 403 wire messages to a generic string to prevent
  grant enumeration; keep internal logger detail
- HIGH-3: Assert federation wire envelope shape in all guard tests
- HIGH-4: Regression test for subjectUserId cert/DB mismatch

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-23 22:45:35 -05:00
Jarvis
53ee36239b feat(federation): mTLS AuthGuard with OID-based grant resolution (FED-M3-03)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details 
Adds FederationAuthGuard that validates inbound mTLS client certs on
federation API routes. Extracts custom OIDs (grantId, subjectUserId),
loads the grant+peer from DB in one query, asserts active status, and
validates cert serial as defense-in-depth. Attaches FederationContext
to requests on success and uses federation wire-format error envelopes
(not raw NestJS exceptions) for 401/403 responses.

New files:
- apps/gateway/src/federation/oid.util.ts — shared OID extraction (no dupe ASN.1 logic)
- apps/gateway/src/federation/server/federation-auth.guard.ts — guard impl
- apps/gateway/src/federation/server/federation-context.ts — FederationContext type + module augment
- apps/gateway/src/federation/server/index.ts — barrel export
- apps/gateway/src/federation/server/__tests__/federation-auth.guard.spec.ts — 11 unit tests

Modified:
- apps/gateway/src/federation/grants.service.ts — adds getGrantWithPeer() with join
- apps/gateway/src/federation/federation.module.ts — registers FederationAuthGuard as provider

Closes #462

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-23 22:17:54 -05:00
12 changed files with 1021 additions and 1078 deletions
Expand all files Collapse all files

1
apps/gateway/package.json
View File

@@ -73,7 +73,6 @@
"rxjs": "^7.8.0", "rxjs": "^7.8.0",
"socket.io": "^4.8.0", "socket.io": "^4.8.0",
"uuid": "^11.0.0", "uuid": "^11.0.0",
"undici": "^7.24.6",
"zod": "^4.3.6" "zod": "^4.3.6"
}, },
"devDependencies": { "devDependencies": {

553
apps/gateway/src/federation/client/__tests__/federation-client.service.spec.ts
View File

@@ -1,553 +0,0 @@
/**
* Unit tests for FederationClientService (FED-M3-08).
*
* HTTP mocking strategy:
* undici MockAgent is used to intercept outbound HTTP requests. The service
* uses `undici.fetch` with a `dispatcher` option, so MockAgent is set as the
* global dispatcher and all requests flow through it.
*
* Because the service builds one `undici.Agent` per peer and passes it as
* the dispatcher on every fetch call, we cannot intercept at the Agent level
* in unit tests without significant refactoring. Instead, we set the global
* dispatcher to a MockAgent and override the service's `doRequest` indirection
* by spying on the internal fetch call.
*
* For the cert/key wiring, we use the real `sealClientKey` function from
* peer-key.util.ts with a test secret — no stubs.
*
* Sealed-key setup:
* Each test (or beforeAll) calls `sealClientKey(TEST_PRIVATE_KEY_PEM)` with
* BETTER_AUTH_SECRET set to a deterministic test value so that
* `unsealClientKey` in the service recovers the original PEM.
*/
import 'reflect-metadata';
import { describe, it, expect, vi, beforeEach, afterEach, beforeAll, afterAll } from 'vitest';
import { MockAgent, setGlobalDispatcher, getGlobalDispatcher } from 'undici';
import type { Dispatcher } from 'undici';
import { writeFileSync, unlinkSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { join } from 'node:path';
import type { Db } from '@mosaicstack/db';
import { FederationClientService, FederationClientError } from '../federation-client.service.js';
import { sealClientKey } from '../../peer-key.util.js';
// ---------------------------------------------------------------------------
// Test constants
// ---------------------------------------------------------------------------
const TEST_SECRET = 'test-secret-for-federation-client-spec-only';
const PEER_ID = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
const ENDPOINT = 'https://peer.example.com';
// Minimal valid RSA/EC private key PEM — does NOT need to be a real key for
// unit tests because we only verify it round-trips through seal/unseal, not
// that it actually negotiates TLS (MockAgent handles that).
const TEST_PRIVATE_KEY_PEM = `-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDummyKeyForTests
-----END PRIVATE KEY-----`;
// Minimal self-signed cert PEM (dummy — only used for mTLS Agent construction)
const TEST_CERT_PEM = `-----BEGIN CERTIFICATE-----
MIIBdummyCertForFederationClientTests==
-----END CERTIFICATE-----`;
const TEST_CERT_SERIAL = 'ABCDEF1234567890';
// ---------------------------------------------------------------------------
// Sealed key (computed once in beforeAll)
// ---------------------------------------------------------------------------
let SEALED_KEY: string;
// Path to a stub Step-CA root cert file written in beforeAll. The cert is never
// actually used to negotiate TLS in unit tests (MockAgent + spy on resolveEntry
// short-circuit the network), but loadStepCaRoot() requires the file to exist.
const STUB_CA_PEM_PATH = join(tmpdir(), 'federation-client-spec-ca.pem');
const STUB_CA_PEM = `-----BEGIN CERTIFICATE-----
MIIBdummyCAforFederationClientSpecOnly==
-----END CERTIFICATE-----
`;
// ---------------------------------------------------------------------------
// Peer row factory
// ---------------------------------------------------------------------------
function makePeerRow(overrides: Partial<Record<string, unknown>> = {}) {
return {
id: PEER_ID,
commonName: 'peer-example-com',
displayName: 'Test Peer',
certPem: TEST_CERT_PEM,
certSerial: TEST_CERT_SERIAL,
certNotAfter: new Date('2030-01-01T00:00:00Z'),
clientKeyPem: SEALED_KEY,
state: 'active' as const,
endpointUrl: ENDPOINT,
lastSeenAt: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
revokedAt: null,
...overrides,
};
}
// ---------------------------------------------------------------------------
// Mock DB builder
// ---------------------------------------------------------------------------
function makeDb(selectRows: unknown[] = [makePeerRow()]): Db {
const limitSelect = vi.fn().mockResolvedValue(selectRows);
const whereSelect = vi.fn().mockReturnValue({ limit: limitSelect });
const fromSelect = vi.fn().mockReturnValue({ where: whereSelect });
const selectMock = vi.fn().mockReturnValue({ from: fromSelect });
return {
select: selectMock,
insert: vi.fn(),
update: vi.fn(),
delete: vi.fn(),
transaction: vi.fn(),
} as unknown as Db;
}
// ---------------------------------------------------------------------------
// Helpers for MockAgent HTTP interception
// ---------------------------------------------------------------------------
/**
* Create a MockAgent + MockPool for the peer endpoint, set it as the global
* dispatcher, and return both for per-test configuration.
*/
function makeMockAgent() {
const mockAgent = new MockAgent({ connections: 1 });
mockAgent.disableNetConnect();
setGlobalDispatcher(mockAgent);
const pool = mockAgent.get(ENDPOINT);
return { mockAgent, pool };
}
/**
* Build a FederationClientService with a mock DB and a spy on the internal
* fetch so we can intercept at the HTTP layer via MockAgent.
*
* The service calls `fetch(url, { dispatcher: agent })` where `agent` is the
* mTLS undici.Agent built from the peer's cert+key. To make MockAgent work,
* we need the fetch dispatcher to be the MockAgent, not the per-peer Agent.
*
* Strategy: we replace the private `resolveEntry` result's `agent` field with
* the MockAgent's pool, so fetch uses our interceptor. We do this by spying
* on `resolveEntry` and returning a controlled entry.
*/
function makeService(db: Db, mockPool: Dispatcher): FederationClientService {
const svc = new FederationClientService(db);
// Override resolveEntry to inject MockAgent pool as the dispatcher
vi.spyOn(
svc as unknown as { resolveEntry: (peerId: string) => Promise<unknown> },
'resolveEntry',
).mockImplementation(async (_peerId: string) => {
// Still call DB (via the real logic) to exercise peer validation,
// but return mock pool as the agent.
// For simplicity in unit tests, directly return a controlled entry.
return {
agent: mockPool,
endpointUrl: ENDPOINT,
certPem: TEST_CERT_PEM,
certSerial: TEST_CERT_SERIAL,
};
});
return svc;
}
// ---------------------------------------------------------------------------
// Test setup
// ---------------------------------------------------------------------------
let originalDispatcher: Dispatcher;
beforeAll(() => {
// Seal the test key once — requires BETTER_AUTH_SECRET
const saved = process.env['BETTER_AUTH_SECRET'];
process.env['BETTER_AUTH_SECRET'] = TEST_SECRET;
try {
SEALED_KEY = sealClientKey(TEST_PRIVATE_KEY_PEM);
} finally {
if (saved === undefined) {
delete process.env['BETTER_AUTH_SECRET'];
} else {
process.env['BETTER_AUTH_SECRET'] = saved;
}
}
writeFileSync(STUB_CA_PEM_PATH, STUB_CA_PEM, 'utf8');
});
afterAll(() => {
try {
unlinkSync(STUB_CA_PEM_PATH);
} catch {
// best-effort cleanup
}
});
beforeEach(() => {
originalDispatcher = getGlobalDispatcher();
process.env['BETTER_AUTH_SECRET'] = TEST_SECRET;
process.env['STEP_CA_ROOT_CERT_PATH'] = STUB_CA_PEM_PATH;
});
afterEach(() => {
setGlobalDispatcher(originalDispatcher);
vi.restoreAllMocks();
delete process.env['BETTER_AUTH_SECRET'];
delete process.env['STEP_CA_ROOT_CERT_PATH'];
});
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
/** Successful list response body */
const LIST_BODY = {
items: [{ id: '1', title: 'Task One' }],
nextCursor: undefined,
_partial: false,
};
/** Successful get response body */
const GET_BODY = {
item: { id: '1', title: 'Task One' },
_partial: false,
};
/** Successful capabilities response body */
const CAP_BODY = {
resources: ['tasks'],
excluded_resources: [],
max_rows_per_query: 100,
supported_verbs: ['list', 'get', 'capabilities'] as const,
};
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
describe('FederationClientService', () => {
// ─── Successful verb calls ─────────────────────────────────────────────────
describe('list()', () => {
it('returns parsed typed response on success', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool
.intercept({
path: '/api/federation/v1/list/tasks',
method: 'POST',
})
.reply(200, LIST_BODY, { headers: { 'content-type': 'application/json' } });
const result = await svc.list(PEER_ID, 'tasks', {});
expect(result.items).toHaveLength(1);
expect(result.items[0]).toMatchObject({ id: '1', title: 'Task One' });
await mockAgent.close();
});
});
describe('get()', () => {
it('returns parsed typed response on success', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool
.intercept({
path: '/api/federation/v1/get/tasks/1',
method: 'POST',
})
.reply(200, GET_BODY, { headers: { 'content-type': 'application/json' } });
const result = await svc.get(PEER_ID, 'tasks', '1', {});
expect(result.item).toMatchObject({ id: '1', title: 'Task One' });
await mockAgent.close();
});
});
describe('capabilities()', () => {
it('returns parsed capabilities response on success', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool
.intercept({
path: '/api/federation/v1/capabilities',
method: 'GET',
})
.reply(200, CAP_BODY, { headers: { 'content-type': 'application/json' } });
const result = await svc.capabilities(PEER_ID);
expect(result.resources).toContain('tasks');
expect(result.max_rows_per_query).toBe(100);
await mockAgent.close();
});
});
// ─── HTTP error surfaces ──────────────────────────────────────────────────
describe('non-2xx responses', () => {
it('surfaces 403 as FederationClientError({ status: 403, code: "FORBIDDEN" })', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool.intercept({ path: '/api/federation/v1/list/tasks', method: 'POST' }).reply(
403,
{ error: { code: 'forbidden', message: 'Access denied' } },
{
headers: { 'content-type': 'application/json' },
},
);
await expect(svc.list(PEER_ID, 'tasks', {})).rejects.toMatchObject({
status: 403,
code: 'FORBIDDEN',
peerId: PEER_ID,
});
await mockAgent.close();
});
it('surfaces 404 as FederationClientError({ status: 404, code: "HTTP_404" })', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool.intercept({ path: '/api/federation/v1/get/tasks/999', method: 'POST' }).reply(
404,
{ error: { code: 'not_found', message: 'Not found' } },
{
headers: { 'content-type': 'application/json' },
},
);
await expect(svc.get(PEER_ID, 'tasks', '999', {})).rejects.toMatchObject({
status: 404,
code: 'HTTP_404',
peerId: PEER_ID,
});
await mockAgent.close();
});
});
// ─── Network error ─────────────────────────────────────────────────────────
describe('network errors', () => {
it('surfaces network error as FederationClientError({ code: "NETWORK" })', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool
.intercept({ path: '/api/federation/v1/capabilities', method: 'GET' })
.replyWithError(new Error('ECONNREFUSED'));
await expect(svc.capabilities(PEER_ID)).rejects.toMatchObject({
code: 'NETWORK',
peerId: PEER_ID,
});
await mockAgent.close();
});
});
// ─── Invalid response body ─────────────────────────────────────────────────
describe('invalid response body', () => {
it('surfaces as FederationClientError({ code: "INVALID_RESPONSE" }) when body shape is wrong', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
// capabilities returns wrong shape (missing required fields)
pool
.intercept({ path: '/api/federation/v1/capabilities', method: 'GET' })
.reply(200, { totally: 'wrong' }, { headers: { 'content-type': 'application/json' } });
await expect(svc.capabilities(PEER_ID)).rejects.toMatchObject({
code: 'INVALID_RESPONSE',
peerId: PEER_ID,
});
await mockAgent.close();
});
});
// ─── Peer DB validation ────────────────────────────────────────────────────
describe('peer validation (without resolveEntry spy)', () => {
/**
* These tests exercise the real `resolveEntry` path — no spy on resolveEntry.
*/
it('throws PEER_NOT_FOUND when peer is not in DB', async () => {
// DB returns empty array (peer not found)
const db = makeDb([]);
const svc = new FederationClientService(db);
await expect(svc.capabilities(PEER_ID)).rejects.toMatchObject({
code: 'PEER_NOT_FOUND',
peerId: PEER_ID,
});
});
it('throws PEER_INACTIVE when peer state is not "active"', async () => {
const db = makeDb([makePeerRow({ state: 'suspended' })]);
const svc = new FederationClientService(db);
await expect(svc.capabilities(PEER_ID)).rejects.toMatchObject({
code: 'PEER_INACTIVE',
peerId: PEER_ID,
});
});
});
// ─── Cache behaviour ───────────────────────────────────────────────────────
describe('cache behaviour', () => {
it('hits cache on second call — only one DB lookup happens', async () => {
// Verify cache by calling the private resolveEntry directly twice and
// asserting the DB was queried only once. This avoids the HTTP layer,
// which would require either a real network or per-peer Agent rewiring
// that the cache invariant doesn't depend on.
const db = makeDb();
const selectSpy = vi.spyOn(db, 'select');
const svc = new FederationClientService(db);
const resolveEntry = (
svc as unknown as { resolveEntry: (peerId: string) => Promise<unknown> }
).resolveEntry.bind(svc);
const first = await resolveEntry(PEER_ID);
const second = await resolveEntry(PEER_ID);
expect(first).toBe(second);
expect(selectSpy).toHaveBeenCalledTimes(1);
});
it('serializes concurrent resolveEntry calls — only one DB lookup', async () => {
const db = makeDb();
const selectSpy = vi.spyOn(db, 'select');
const svc = new FederationClientService(db);
const resolveEntry = (
svc as unknown as {
resolveEntry: (peerId: string) => Promise<unknown>;
}
).resolveEntry.bind(svc);
const [a, b] = await Promise.all([resolveEntry(PEER_ID), resolveEntry(PEER_ID)]);
expect(a).toBe(b);
expect(selectSpy).toHaveBeenCalledTimes(1);
});
it('flushPeer destroys the evicted Agent so old TLS connections close', async () => {
const db = makeDb();
const svc = new FederationClientService(db);
const resolveEntry = (
svc as unknown as {
resolveEntry: (peerId: string) => Promise<{ agent: { destroy: () => Promise<void> } }>;
}
).resolveEntry.bind(svc);
const entry = await resolveEntry(PEER_ID);
const destroySpy = vi.spyOn(entry.agent, 'destroy').mockResolvedValue();
svc.flushPeer(PEER_ID);
expect(destroySpy).toHaveBeenCalledTimes(1);
});
it('flushPeer() invalidates cache — next call re-reads DB', async () => {
const db = makeDb();
const { mockAgent, pool } = makeMockAgent();
const svc = makeService(db, pool);
pool
.intercept({ path: '/api/federation/v1/capabilities', method: 'GET' })
.reply(200, CAP_BODY, { headers: { 'content-type': 'application/json' } })
.times(2);
// First call — populates cache (via mock resolveEntry)
await svc.capabilities(PEER_ID);
// Flush the cache
svc.flushPeer(PEER_ID);
// The spy on resolveEntry is still active — check it's called again after flush
const resolveEntrySpy = vi.spyOn(
svc as unknown as { resolveEntry: (peerId: string) => Promise<unknown> },
'resolveEntry',
);
// Second call after flush — should call resolveEntry again
await svc.capabilities(PEER_ID);
// resolveEntry should have been called once after we started spying (post-flush)
expect(resolveEntrySpy).toHaveBeenCalledTimes(1);
await mockAgent.close();
});
});
// ─── loadStepCaRoot env-var guard ─────────────────────────────────────────
describe('loadStepCaRoot() env-var guard', () => {
it('throws PEER_MISCONFIGURED when STEP_CA_ROOT_CERT_PATH is not set', async () => {
delete process.env['STEP_CA_ROOT_CERT_PATH'];
const db = makeDb();
const svc = new FederationClientService(db);
const resolveEntry = (
svc as unknown as {
resolveEntry: (peerId: string) => Promise<unknown>;
}
).resolveEntry.bind(svc);
await expect(resolveEntry(PEER_ID)).rejects.toMatchObject({
code: 'PEER_MISCONFIGURED',
});
});
});
// ─── FederationClientError class ──────────────────────────────────────────
describe('FederationClientError', () => {
it('is instanceof Error and FederationClientError', () => {
const err = new FederationClientError({
code: 'PEER_NOT_FOUND',
message: 'test',
peerId: PEER_ID,
});
expect(err).toBeInstanceOf(Error);
expect(err).toBeInstanceOf(FederationClientError);
expect(err.name).toBe('FederationClientError');
});
it('carries status, code, and peerId', () => {
const err = new FederationClientError({
status: 403,
code: 'FORBIDDEN',
message: 'forbidden',
peerId: PEER_ID,
});
expect(err.status).toBe(403);
expect(err.code).toBe('FORBIDDEN');
expect(err.peerId).toBe(PEER_ID);
});
});
});

500
apps/gateway/src/federation/client/federation-client.service.ts
View File

@@ -1,500 +0,0 @@
/**
* FederationClientService — outbound mTLS client for federation requests (FED-M3-08).
*
* Dials peer gateways over mTLS using the cert+sealed-key stored in `federation_peers`,
* invokes federation verbs (list / get / capabilities), and surfaces all failure modes
* as typed `FederationClientError` instances.
*
* ## Error code taxonomy
*
* | Code | When |
* | ------------------ | ------------------------------------------------------------- |
* | PEER_NOT_FOUND | No row in federation_peers for the given peerId |
* | PEER_INACTIVE | Peer row exists but state !== 'active' |
* | PEER_MISCONFIGURED | Peer row is active but missing endpointUrl or clientKeyPem |
* | NETWORK | undici threw a connection / TLS / timeout error |
* | HTTP_{status} | Peer returned a non-2xx response (e.g. HTTP_403, HTTP_404) |
* | FORBIDDEN | Peer returned 403 (convenience alias alongside HTTP_403) |
* | INVALID_RESPONSE | Response body failed Zod schema validation |
*
* ## Cache strategy
*
* Per-peer `undici.Agent` instances are cached in a `Map<peerId, AgentCacheEntry>` for
* the lifetime of the service instance. The cache is keyed on peerId (UUID).
*
* Cache invalidation:
* - `flushPeer(peerId)` — removes the entry immediately. M5/M6 MUST call this on
* cert rotation or peer revocation events so the next request re-reads the DB and
* builds a fresh TLS Agent with the new cert material.
* - On cache miss: re-reads the DB, checks state === 'active', rebuilds Agent.
*
* Cache does NOT auto-expire. The service is expected to be a singleton scoped to the
* NestJS application lifecycle; flushing on revocation/rotation is the only invalidation
* path by design (avoids redundant DB round-trips on the hot path).
*/
import { Injectable, Inject, Logger } from '@nestjs/common';
import { readFileSync } from 'node:fs';
import { Agent, fetch as undiciFetch } from 'undici';
import type { Dispatcher } from 'undici';
import { z } from 'zod';
import { type Db, eq, federationPeers } from '@mosaicstack/db';
import {
FederationListResponseSchema,
FederationGetResponseSchema,
FederationCapabilitiesResponseSchema,
FederationErrorEnvelopeSchema,
type FederationListResponse,
type FederationGetResponse,
type FederationCapabilitiesResponse,
} from '@mosaicstack/types';
import { DB } from '../../database/database.module.js';
import { unsealClientKey } from '../peer-key.util.js';
// ---------------------------------------------------------------------------
// Error taxonomy
// ---------------------------------------------------------------------------
/**
* Client-side error code set. Distinct from the server-side `FederationErrorCode`
* (which lives in `@mosaicstack/types`) because the client has additional failure
* modes (PEER_NOT_FOUND, PEER_INACTIVE, PEER_MISCONFIGURED, NETWORK) that the
* server never emits.
*/
export type FederationClientErrorCode =
| 'PEER_NOT_FOUND'
| 'PEER_INACTIVE'
| 'PEER_MISCONFIGURED'
| 'NETWORK'
| 'FORBIDDEN'
| 'INVALID_RESPONSE'
| `HTTP_${number}`;
export interface FederationClientErrorOptions {
status?: number;
code: FederationClientErrorCode;
message: string;
peerId: string;
cause?: unknown;
}
/**
* Thrown by FederationClientService on every failure path.
* Callers can dispatch on `error.code` for programmatic handling.
*/
export class FederationClientError extends Error {
readonly status?: number;
readonly code: FederationClientErrorCode;
readonly peerId: string;
readonly cause?: unknown;
constructor(opts: FederationClientErrorOptions) {
super(opts.message);
this.name = 'FederationClientError';
this.status = opts.status;
this.code = opts.code;
this.peerId = opts.peerId;
this.cause = opts.cause;
}
}
// ---------------------------------------------------------------------------
// Internal cache types
// ---------------------------------------------------------------------------
interface AgentCacheEntry {
agent: Agent;
endpointUrl: string;
certPem: string;
certSerial: string;
}
// ---------------------------------------------------------------------------
// Service
// ---------------------------------------------------------------------------
@Injectable()
export class FederationClientService {
private readonly logger = new Logger(FederationClientService.name);
/**
* Per-peer undici Agent cache.
* Key = peerId (UUID string).
*
* Values are either a resolved `AgentCacheEntry` or an in-flight
* `Promise<AgentCacheEntry>` (promise-cache pattern). Storing the promise
* prevents duplicate DB lookups and duplicate key-unseal operations when two
* requests for the same peer arrive before the first build completes.
*
* Flush via `flushPeer(peerId)` on cert rotation / peer revocation (M5/M6).
*/
private readonly cache = new Map<string, AgentCacheEntry | Promise<AgentCacheEntry>>();
/**
* Step-CA root cert PEM, loaded once from `STEP_CA_ROOT_CERT_PATH`.
* Used as the trust anchor for peer server certificates so federation TLS is
* pinned to our PKI, not the public trust store. Lazily loaded on first use
* so unit tests that don't exercise the agent path can run without the env var.
*/
private cachedCaPem: string | null = null;
constructor(@Inject(DB) private readonly db: Db) {}
// -------------------------------------------------------------------------
// Public verb API
// -------------------------------------------------------------------------
/**
* Invoke the `list` verb on a remote peer.
*
* @param peerId UUID of the peer row in `federation_peers`.
* @param resource Resource path, e.g. "tasks".
* @param request Free-form body sent as JSON in the POST body.
* @returns Parsed `FederationListResponse<T>`.
*/
async list<T>(
peerId: string,
resource: string,
request: Record<string, unknown>,
): Promise<FederationListResponse<T>> {
const { endpointUrl, agent } = await this.resolveEntry(peerId);
const url = `${endpointUrl}/api/federation/v1/list/${encodeURIComponent(resource)}`;
const body = await this.doPost(peerId, url, agent, request);
return this.parseWith<FederationListResponse<T>>(
peerId,
body,
FederationListResponseSchema(z.unknown()),
);
}
/**
* Invoke the `get` verb on a remote peer.
*
* @param peerId UUID of the peer row in `federation_peers`.
* @param resource Resource path, e.g. "tasks".
* @param id Resource identifier.
* @param request Free-form body sent as JSON in the POST body.
* @returns Parsed `FederationGetResponse<T>`.
*/
async get<T>(
peerId: string,
resource: string,
id: string,
request: Record<string, unknown>,
): Promise<FederationGetResponse<T>> {
const { endpointUrl, agent } = await this.resolveEntry(peerId);
const url = `${endpointUrl}/api/federation/v1/get/${encodeURIComponent(resource)}/${encodeURIComponent(id)}`;
const body = await this.doPost(peerId, url, agent, request);
return this.parseWith<FederationGetResponse<T>>(
peerId,
body,
FederationGetResponseSchema(z.unknown()),
);
}
/**
* Invoke the `capabilities` verb on a remote peer.
*
* @param peerId UUID of the peer row in `federation_peers`.
* @returns Parsed `FederationCapabilitiesResponse`.
*/
async capabilities(peerId: string): Promise<FederationCapabilitiesResponse> {
const { endpointUrl, agent } = await this.resolveEntry(peerId);
const url = `${endpointUrl}/api/federation/v1/capabilities`;
const body = await this.doGet(peerId, url, agent);
return this.parseWith<FederationCapabilitiesResponse>(
peerId,
body,
FederationCapabilitiesResponseSchema,
);
}
// -------------------------------------------------------------------------
// Cache management
// -------------------------------------------------------------------------
/**
* Flush the cached Agent for a specific peer.
*
* M5/M6 MUST call this on:
* - cert rotation events (so new cert material is picked up)
* - peer revocation events (so future requests fail at PEER_INACTIVE)
*
* After flushing, the next call to `list`, `get`, or `capabilities` for
* this peer will re-read the DB and rebuild the Agent.
*/
flushPeer(peerId: string): void {
const entry = this.cache.get(peerId);
if (entry === undefined) {
return;
}
this.cache.delete(peerId);
if (!(entry instanceof Promise)) {
// best-effort destroy; promise-cached entries skip destroy because
// the in-flight build owns its own Agent which will be GC'd when the
// owning request handles the rejection from the cache miss
entry.agent.destroy().catch(() => {
// intentionally ignored — destroy errors are not actionable
});
}
this.logger.log(`Cache flushed for peer ${peerId}`);
}
// -------------------------------------------------------------------------
// Internal helpers
// -------------------------------------------------------------------------
/**
* Load and cache the Step-CA root cert PEM from `STEP_CA_ROOT_CERT_PATH`.
* Throws `FederationClientError` if the env var is unset or the file cannot
* be read — mTLS to a peer without a pinned trust anchor would silently
* fall back to the public trust store.
*/
private loadStepCaRoot(): string {
if (this.cachedCaPem !== null) {
return this.cachedCaPem;
}
const path = process.env['STEP_CA_ROOT_CERT_PATH'];
if (!path) {
throw new FederationClientError({
code: 'PEER_MISCONFIGURED',
message: 'STEP_CA_ROOT_CERT_PATH is not set; refusing to dial peer without pinned CA trust',
peerId: '',
});
}
try {
const pem = readFileSync(path, 'utf8');
this.cachedCaPem = pem;
return pem;
} catch (err) {
throw new FederationClientError({
code: 'PEER_MISCONFIGURED',
message: `Failed to read STEP_CA_ROOT_CERT_PATH (${path})`,
peerId: '',
cause: err,
});
}
}
/**
* Resolve the cache entry for a peer, reading DB on miss.
*
* Uses a promise-cache pattern: concurrent callers for the same uncached
* `peerId` all `await` the same in-flight `Promise<AgentCacheEntry>` so
* only one DB lookup and one key-unseal ever runs per peer per cache miss.
* The promise is replaced with the concrete entry on success, or deleted on
* rejection so a transient error does not poison the cache permanently.
*
* Throws `FederationClientError` with appropriate code if the peer is not
* found, is inactive, or is missing required fields.
*/
private async resolveEntry(peerId: string): Promise<AgentCacheEntry> {
const cached = this.cache.get(peerId);
if (cached) {
return cached; // Promise or concrete entry — both are awaitable
}
const inflight = this.buildEntry(peerId).then(
(entry) => {
this.cache.set(peerId, entry); // replace promise with concrete value
return entry;
},
(err: unknown) => {
this.cache.delete(peerId); // don't poison the cache with a rejected promise
throw err;
},
);
this.cache.set(peerId, inflight);
return inflight;
}
/**
* Build the `AgentCacheEntry` for a peer by reading the DB, validating the
* peer's state, unsealing the private key, and constructing the mTLS Agent.
*
* Throws `FederationClientError` with appropriate code if the peer is not
* found, is inactive, or is missing required fields.
*/
private async buildEntry(peerId: string): Promise<AgentCacheEntry> {
// DB lookup
const [peer] = await this.db
.select()
.from(federationPeers)
.where(eq(federationPeers.id, peerId))
.limit(1);
if (!peer) {
throw new FederationClientError({
code: 'PEER_NOT_FOUND',
message: `Federation peer ${peerId} not found`,
peerId,
});
}
if (peer.state !== 'active') {
throw new FederationClientError({
code: 'PEER_INACTIVE',
message: `Federation peer ${peerId} is not active (state: ${peer.state})`,
peerId,
});
}
if (!peer.endpointUrl || !peer.clientKeyPem) {
throw new FederationClientError({
code: 'PEER_MISCONFIGURED',
message: `Federation peer ${peerId} is missing endpointUrl or clientKeyPem`,
peerId,
});
}
// Unseal the private key
let privateKeyPem: string;
try {
privateKeyPem = unsealClientKey(peer.clientKeyPem);
} catch (err) {
throw new FederationClientError({
code: 'PEER_MISCONFIGURED',
message: `Failed to unseal client key for peer ${peerId}`,
peerId,
cause: err,
});
}
// Build mTLS agent — pin trust to Step-CA root so we never accept
// a peer cert signed by a public CA (defense against MITM with a
// publicly-trusted DV cert for the peer's hostname).
const agent = new Agent({
connect: {
cert: peer.certPem,
key: privateKeyPem,
ca: this.loadStepCaRoot(),
// rejectUnauthorized: true is the undici default for HTTPS
},
});
const entry: AgentCacheEntry = {
agent,
endpointUrl: peer.endpointUrl,
certPem: peer.certPem,
certSerial: peer.certSerial,
};
this.logger.log(`Agent cached for peer ${peerId} (serial: ${peer.certSerial})`);
return entry;
}
/**
* Execute a POST request with a JSON body.
* Returns the parsed response body as an unknown value.
* Throws `FederationClientError` on network errors and non-2xx responses.
*/
private async doPost(
peerId: string,
url: string,
agent: Dispatcher,
body: Record<string, unknown>,
): Promise<unknown> {
return this.doRequest(peerId, url, agent, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(body),
});
}
/**
* Execute a GET request.
* Returns the parsed response body as an unknown value.
* Throws `FederationClientError` on network errors and non-2xx responses.
*/
private async doGet(peerId: string, url: string, agent: Dispatcher): Promise<unknown> {
return this.doRequest(peerId, url, agent, { method: 'GET' });
}
private async doRequest(
peerId: string,
url: string,
agent: Dispatcher,
init: { method: string; headers?: Record<string, string>; body?: string },
): Promise<unknown> {
let response: Awaited<ReturnType<typeof undiciFetch>>;
try {
response = await undiciFetch(url, {
...init,
dispatcher: agent,
});
} catch (err) {
throw new FederationClientError({
code: 'NETWORK',
message: `Network error calling peer ${peerId} at ${url}: ${err instanceof Error ? err.message : String(err)}`,
peerId,
cause: err,
});
}
const rawBody = await response.text().catch(() => '');
if (!response.ok) {
const status = response.status;
// Attempt to parse as federation error envelope
let serverMessage = `HTTP ${status}`;
try {
const json: unknown = JSON.parse(rawBody);
const result = FederationErrorEnvelopeSchema.safeParse(json);
if (result.success) {
serverMessage = result.data.error.message;
}
} catch {
// Not valid JSON or not a federation envelope — use generic message
}
// Specific code for 403 (most actionable for callers); generic HTTP_{n} for others
const code: FederationClientErrorCode = status === 403 ? 'FORBIDDEN' : `HTTP_${status}`;
throw new FederationClientError({
status,
code,
message: `Peer ${peerId} returned ${status}: ${serverMessage}`,
peerId,
});
}
try {
return JSON.parse(rawBody) as unknown;
} catch (err) {
throw new FederationClientError({
code: 'INVALID_RESPONSE',
message: `Peer ${peerId} returned non-JSON body`,
peerId,
cause: err,
});
}
}
/**
* Parse and validate a response body against a Zod schema.
*
* For list/get, callers pass the result of `FederationListResponseSchema(z.unknown())`
* so that the envelope structure is validated without requiring a concrete item schema
* at the client level. The generic `T` provides compile-time typing.
*
* Throws `FederationClientError({ code: 'INVALID_RESPONSE' })` on parse failure.
*/
private parseWith<T>(peerId: string, body: unknown, schema: z.ZodTypeAny): T {
const result = schema.safeParse(body);
if (!result.success) {
const issues = result.error.issues
.map((e: z.ZodIssue) => `[${e.path.join('.') || 'root'}] ${e.message}`)
.join('; ');
throw new FederationClientError({
code: 'INVALID_RESPONSE',
message: `Peer ${peerId} returned invalid response shape: ${issues}`,
peerId,
});
}
return result.data as T;
}
}

13
apps/gateway/src/federation/client/index.ts
View File

@@ -1,13 +0,0 @@
/**
* Federation client barrel — re-exports for FederationModule consumers.
*
* M3-09 (QuerySourceService) and future milestones should import from here,
* not directly from the implementation file.
*/
export {
FederationClientService,
FederationClientError,
type FederationClientErrorCode,
type FederationClientErrorOptions,
} from './federation-client.service.js';

6
apps/gateway/src/federation/federation.module.ts
View File

@@ -5,11 +5,11 @@ import { EnrollmentController } from './enrollment.controller.js';
import { EnrollmentService } from './enrollment.service.js'; import { EnrollmentService } from './enrollment.service.js';
import { FederationController } from './federation.controller.js'; import { FederationController } from './federation.controller.js';
import { GrantsService } from './grants.service.js'; import { GrantsService } from './grants.service.js';
import { FederationClientService } from './client/index.js'; import { FederationAuthGuard } from './server/index.js';
@Module({ @Module({
controllers: [EnrollmentController, FederationController], controllers: [EnrollmentController, FederationController],
providers: [AdminGuard, CaService, EnrollmentService, GrantsService, FederationClientService], providers: [AdminGuard, CaService, EnrollmentService, GrantsService, FederationAuthGuard],
exports: [CaService, EnrollmentService, GrantsService, FederationClientService], exports: [CaService, EnrollmentService, GrantsService, FederationAuthGuard],
}) })
export class FederationModule {} export class FederationModule {}

31
apps/gateway/src/federation/grants.service.ts
View File

@@ -10,12 +10,14 @@
*/ */
import { ConflictException, Inject, Injectable, NotFoundException } from '@nestjs/common'; import { ConflictException, Inject, Injectable, NotFoundException } from '@nestjs/common';
import { type Db, and, eq, federationGrants } from '@mosaicstack/db'; import { type Db, and, eq, federationGrants, federationPeers } from '@mosaicstack/db';
import { DB } from '../database/database.module.js'; import { DB } from '../database/database.module.js';
import { parseFederationScope } from './scope-schema.js'; import { parseFederationScope } from './scope-schema.js';
import type { CreateGrantDto, ListGrantsDto } from './grants.dto.js'; import type { CreateGrantDto, ListGrantsDto } from './grants.dto.js';
export type Grant = typeof federationGrants.$inferSelect; export type Grant = typeof federationGrants.$inferSelect;
export type Peer = typeof federationPeers.$inferSelect;
export type GrantWithPeer = Grant & { peer: Peer };
@Injectable() @Injectable()
export class GrantsService { export class GrantsService {
@@ -60,6 +62,33 @@ export class GrantsService {
return grant; return grant;
} }
/**
* Fetch a single grant by ID, joined with its associated peer row.
* Used by FederationAuthGuard to perform grant status + cert serial checks
* in a single DB round-trip.
*
* Throws NotFoundException if the grant does not exist.
* Throws NotFoundException if the associated peer row is missing (data integrity issue).
*/
async getGrantWithPeer(id: string): Promise<GrantWithPeer> {
const rows = await this.db
.select()
.from(federationGrants)
.innerJoin(federationPeers, eq(federationGrants.peerId, federationPeers.id))
.where(eq(federationGrants.id, id))
.limit(1);
const row = rows[0];
if (!row) {
throw new NotFoundException(`Grant ${id} not found`);
}
return {
...row.federation_grants,
peer: row.federation_peers,
};
}
/** /**
* List grants with optional filters for peerId, subjectUserId, and status. * List grants with optional filters for peerId, subjectUserId, and status.
*/ */

146
apps/gateway/src/federation/oid.util.ts Normal file
View File

@@ -0,0 +1,146 @@
/**
* Shared OID extraction helpers for Mosaic federation certificates.
*
* Custom OID registry (PRD §6, docs/federation/SETUP.md):
* 1.3.6.1.4.1.99999.1 — mosaic_grant_id
* 1.3.6.1.4.1.99999.2 — mosaic_subject_user_id
*
* The encoding convention: each extension value is an OCTET STRING wrapping
* an ASN.1 UTF8String TLV:
* 0x0C (tag) + 1-byte length + UTF-8 bytes
*
* CaService encodes values this way via encodeUtf8String(), and this module
* decodes them with the corresponding `.slice(2)` to skip tag + length byte.
*
* This module is intentionally pure — no NestJS, no DB, no network I/O.
*/
import { X509Certificate } from '@peculiar/x509';
// ---------------------------------------------------------------------------
// OID constants
// ---------------------------------------------------------------------------
export const OID_MOSAIC_GRANT_ID = '1.3.6.1.4.1.99999.1';
export const OID_MOSAIC_SUBJECT_USER_ID = '1.3.6.1.4.1.99999.2';
// ---------------------------------------------------------------------------
// Extraction result types
// ---------------------------------------------------------------------------
export interface MosaicOids {
grantId: string;
subjectUserId: string;
}
export type OidExtractionResult =
| { ok: true; value: MosaicOids }
| {
ok: false;
error: 'MISSING_GRANT_ID' | 'MISSING_SUBJECT_USER_ID' | 'PARSE_ERROR';
detail?: string;
};
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
const decoder = new TextDecoder();
/**
* Decode an extension value encoded as ASN.1 UTF8String TLV
* (tag 0x0C + 1-byte length + UTF-8 bytes).
* Validates tag, length byte, and buffer bounds before decoding.
* Throws a descriptive Error on malformed input; caller wraps in try/catch.
*/
function decodeUtf8StringTlv(value: ArrayBuffer): string {
const bytes = new Uint8Array(value);
// Need at least tag + length bytes
if (bytes.length < 2) {
throw new Error(`UTF8String TLV too short: expected at least 2 bytes, got ${bytes.length}`);
}
// Tag byte must be 0x0C (ASN.1 UTF8String)
if (bytes[0] !== 0x0c) {
throw new Error(
`UTF8String TLV tag mismatch: expected 0x0C, got 0x${bytes[0]!.toString(16).toUpperCase()}`,
);
}
// Only single-byte length form is supported (values 0127); long form not needed
// for OID strings of this length.
const declaredLength = bytes[1]!;
if (declaredLength > 127) {
throw new Error(
`UTF8String TLV uses long-form length (0x${declaredLength.toString(16).toUpperCase()}), which is not supported`,
);
}
// Declared length must match actual remaining bytes
if (declaredLength !== bytes.length - 2) {
throw new Error(
`UTF8String TLV length mismatch: declared ${declaredLength}, actual ${bytes.length - 2}`,
);
}
// Skip: tag (1 byte) + length (1 byte)
return decoder.decode(bytes.slice(2));
}
// ---------------------------------------------------------------------------
// Public API
// ---------------------------------------------------------------------------
/**
* Extract Mosaic custom OIDs (grantId, subjectUserId) from an X.509 certificate
* already parsed via @peculiar/x509.
*
* Returns `{ ok: true, value: MosaicOids }` on success, or
* `{ ok: false, error: <code>, detail? }` on any failure — never throws.
*/
export function extractMosaicOids(cert: X509Certificate): OidExtractionResult {
try {
const grantIdExt = cert.getExtension(OID_MOSAIC_GRANT_ID);
if (!grantIdExt) {
return { ok: false, error: 'MISSING_GRANT_ID' };
}
const subjectUserIdExt = cert.getExtension(OID_MOSAIC_SUBJECT_USER_ID);
if (!subjectUserIdExt) {
return { ok: false, error: 'MISSING_SUBJECT_USER_ID' };
}
const grantId = decodeUtf8StringTlv(grantIdExt.value);
const subjectUserId = decodeUtf8StringTlv(subjectUserIdExt.value);
return {
ok: true,
value: { grantId, subjectUserId },
};
} catch (err) {
return {
ok: false,
error: 'PARSE_ERROR',
detail: err instanceof Error ? err.message : String(err),
};
}
}
/**
* Parse a PEM-encoded certificate and extract Mosaic OIDs.
* Returns an OidExtractionResult — never throws.
*/
export function extractMosaicOidsFromPem(certPem: string): OidExtractionResult {
let cert: X509Certificate;
try {
cert = new X509Certificate(certPem);
} catch (err) {
return {
ok: false,
error: 'PARSE_ERROR',
detail: err instanceof Error ? err.message : String(err),
};
}
return extractMosaicOids(cert);
}

521
apps/gateway/src/federation/server/__tests__/federation-auth.guard.spec.ts Normal file
View File

@@ -0,0 +1,521 @@
/**
* Unit tests for FederationAuthGuard (FED-M3-03).
*
* Coverage:
* - Missing cert (no TLS socket / no getPeerCertificate) → 401
* - Cert parse failure (corrupt DER raw bytes) → 401
* - Missing grantId OID → 401
* - Missing subjectUserId OID → 401
* - Grant not found (GrantsService throws NotFoundException) → 403
* - Grant in `pending` status → 403
* - Grant in `revoked` status → 403
* - Grant in `expired` status → 403
* - Cert serial mismatch → 403
* - Happy path: active grant + matching cert serial → context attached, returns true
*/
import 'reflect-metadata';
import { describe, it, expect, vi, beforeEach } from 'vitest';
import type { ExecutionContext } from '@nestjs/common';
import { NotFoundException } from '@nestjs/common';
import { FederationAuthGuard } from '../federation-auth.guard.js';
import { makeMosaicIssuedCert } from '../../__tests__/helpers/test-cert.js';
import type { GrantsService, GrantWithPeer } from '../../grants.service.js';
// ---------------------------------------------------------------------------
// Test constants
// ---------------------------------------------------------------------------
const GRANT_ID = 'a1111111-1111-1111-1111-111111111111';
const USER_ID = 'b2222222-2222-2222-2222-222222222222';
const PEER_ID = 'c3333333-3333-3333-3333-333333333333';
// Node.js TLS serialNumber is uppercase hex (no colons)
const CERT_SERIAL_HEX = '01';
const VALID_SCOPE = { resources: ['tasks'], max_rows_per_query: 100 };
// ---------------------------------------------------------------------------
// Mock builders
// ---------------------------------------------------------------------------
/**
* Build a minimal GrantWithPeer-shaped mock.
*/
function makeGrantWithPeer(overrides: Partial<GrantWithPeer> = {}): GrantWithPeer {
return {
id: GRANT_ID,
peerId: PEER_ID,
subjectUserId: USER_ID,
scope: VALID_SCOPE,
status: 'active',
expiresAt: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
revokedAt: null,
revokedReason: null,
peer: {
id: PEER_ID,
commonName: 'test-peer',
displayName: 'Test Peer',
certPem: '',
certSerial: CERT_SERIAL_HEX,
certNotAfter: new Date(Date.now() + 86_400_000),
clientKeyPem: null,
state: 'active',
endpointUrl: null,
lastSeenAt: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
revokedAt: null,
},
...overrides,
};
}
/**
* Build a mock ExecutionContext with a pre-built TLS peer certificate.
*
* `certPem` — PEM string to present as the raw DER cert (converted to Buffer).
* Pass null to simulate "no cert presented".
* `certSerialHex` — serialNumber string returned by the TLS socket.
* Node.js returns uppercase hex.
* `hasTlsSocket` — if false, raw.socket has no getPeerCertificate (plain HTTP).
*/
function makeContext(opts: {
certPem: string | null;
certSerialHex?: string;
hasTlsSocket?: boolean;
}): {
ctx: ExecutionContext;
statusMock: ReturnType<typeof vi.fn>;
sendMock: ReturnType<typeof vi.fn>;
} {
const { certPem, certSerialHex = CERT_SERIAL_HEX, hasTlsSocket = true } = opts;
// Build peerCert object that Node.js TLS socket.getPeerCertificate() returns
let peerCert: Record<string, unknown>;
if (certPem === null) {
// Simulate no cert: Node.js returns object with empty string fields
peerCert = { raw: null, serialNumber: '' };
} else {
// Convert PEM to DER Buffer (strip headers + base64 decode)
const b64 = certPem
.replace(/-----BEGIN CERTIFICATE-----/, '')
.replace(/-----END CERTIFICATE-----/, '')
.replace(/\s+/g, '');
const raw = Buffer.from(b64, 'base64');
peerCert = { raw, serialNumber: certSerialHex };
}
const getPeerCertificate = vi.fn().mockReturnValue(peerCert);
const socket = hasTlsSocket ? { getPeerCertificate } : {}; // No getPeerCertificate → non-TLS
// Fastify reply mocks
const sendMock = vi.fn().mockReturnValue(undefined);
const headerMock = vi.fn().mockReturnValue({ send: sendMock });
const statusMock = vi.fn().mockReturnValue({ header: headerMock });
const request = {
raw: {
socket,
},
};
const reply = {
status: statusMock,
};
const ctx = {
switchToHttp: () => ({
getRequest: () => request,
getResponse: () => reply,
}),
} as unknown as ExecutionContext;
return { ctx, statusMock, sendMock };
}
/**
* Build a mock GrantsService.
*/
function makeGrantsService(
overrides: Partial<Pick<GrantsService, 'getGrantWithPeer'>> = {},
): GrantsService {
return {
getGrantWithPeer: vi.fn().mockResolvedValue(makeGrantWithPeer()),
...overrides,
} as unknown as GrantsService;
}
// ---------------------------------------------------------------------------
// Test suite
// ---------------------------------------------------------------------------
describe('FederationAuthGuard', () => {
let certPem: string;
beforeEach(async () => {
// Generate a real Mosaic-issued cert with the standard OIDs
certPem = await makeMosaicIssuedCert({ grantId: GRANT_ID, subjectUserId: USER_ID });
});
// ── 401: No TLS socket ────────────────────────────────────────────────────
it('returns 401 when there is no TLS socket (plain HTTP connection)', async () => {
const { ctx, statusMock, sendMock } = makeContext({
certPem: certPem,
hasTlsSocket: false,
});
const guard = new FederationAuthGuard(makeGrantsService());
const result = await guard.canActivate(ctx);
expect(result).toBe(false);
expect(statusMock).toHaveBeenCalledWith(401);
expect(sendMock).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({ code: 'unauthorized', message: expect.any(String) }),
}),
);
});
// ── 401: Cert not presented ───────────────────────────────────────────────
it('returns 401 when the peer did not present a certificate', async () => {
const { ctx, statusMock, sendMock } = makeContext({ certPem: null });
const guard = new FederationAuthGuard(makeGrantsService());
const result = await guard.canActivate(ctx);
expect(result).toBe(false);
expect(statusMock).toHaveBeenCalledWith(401);
expect(sendMock).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({ code: 'unauthorized', message: expect.any(String) }),
}),
);
});
// ── 401: Cert parse failure ───────────────────────────────────────────────
it('returns 401 when the certificate DER bytes are corrupt', async () => {
// Build context with a cert that has garbage DER bytes
const corruptPem = '-----BEGIN CERTIFICATE-----\naW52YWxpZA==\n-----END CERTIFICATE-----';
const { ctx, statusMock, sendMock } = makeContext({ certPem: corruptPem });
const guard = new FederationAuthGuard(makeGrantsService());
const result = await guard.canActivate(ctx);
expect(result).toBe(false);
expect(statusMock).toHaveBeenCalledWith(401);
expect(sendMock).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({ code: 'unauthorized', message: expect.any(String) }),
}),
);
});
// ── 401: Missing grantId OID ─────────────────────────────────────────────
it('returns 401 when the cert is missing the grantId OID', async () => {
// makeSelfSignedCert produces a cert without any Mosaic OIDs
const { makeSelfSignedCert } = await import('../../__tests__/helpers/test-cert.js');
const plainCert = await makeSelfSignedCert();
const { ctx, statusMock, sendMock } = makeContext({ certPem: plainCert });
const guard = new FederationAuthGuard(makeGrantsService());
const result = await guard.canActivate(ctx);
expect(result).toBe(false);
expect(statusMock).toHaveBeenCalledWith(401);
expect(sendMock).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({ code: 'unauthorized', message: expect.any(String) }),
}),
);
});
// ── 401: Missing subjectUserId OID ───────────────────────────────────────
it('returns 401 when the cert has grantId OID but is missing subjectUserId OID', async () => {
// Build a cert with only the grantId OID by importing cert generator internals
const { webcrypto } = await import('node:crypto');
const {
X509CertificateGenerator,
Extension,
KeyUsagesExtension,
KeyUsageFlags,
BasicConstraintsExtension,
cryptoProvider,
} = await import('@peculiar/x509');
cryptoProvider.set(webcrypto as unknown as Parameters<typeof cryptoProvider.set>[0]);
const alg = { name: 'ECDSA', namedCurve: 'P-256', hash: 'SHA-256' } as const;
const keys = await webcrypto.subtle.generateKey(alg, false, ['sign', 'verify']);
const now = new Date();
const tomorrow = new Date(now.getTime() + 86_400_000);
// Encode grantId only — missing subjectUserId extension
const utf8 = new TextEncoder().encode(GRANT_ID);
const encoded = new Uint8Array(2 + utf8.length);
encoded[0] = 0x0c;
encoded[1] = utf8.length;
encoded.set(utf8, 2);
const cert = await X509CertificateGenerator.createSelfSigned({
serialNumber: '01',
name: 'CN=partial-oid-test',
notBefore: now,
notAfter: tomorrow,
signingAlgorithm: alg,
keys,
extensions: [
new BasicConstraintsExtension(false),
new KeyUsagesExtension(KeyUsageFlags.digitalSignature),
new Extension('1.3.6.1.4.1.99999.1', false, encoded), // grantId only
],
});
const { ctx, statusMock, sendMock } = makeContext({ certPem: cert.toString('pem') });
const guard = new FederationAuthGuard(makeGrantsService());
const result = await guard.canActivate(ctx);
expect(result).toBe(false);
expect(statusMock).toHaveBeenCalledWith(401);
expect(sendMock).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({ code: 'unauthorized', message: expect.any(String) }),
}),
);
});
// ── 403: Grant not found ─────────────────────────────────────────────────
it('returns 403 when the grantId from the cert does not exist in DB', async () => {
const grantsService = makeGrantsService({
getGrantWithPeer: vi
.fn()
.mockRejectedValue(new NotFoundException(`Grant ${GRANT_ID} not found`)),
});
const { ctx, statusMock, sendMock } = makeContext({ certPem });
const guard = new FederationAuthGuard(grantsService);
const result = await guard.canActivate(ctx);
expect(result).toBe(false);
expect(statusMock).toHaveBeenCalledWith(403);
expect(sendMock).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({ code: 'forbidden', message: 'Federation access denied' }),
}),
);
});
// ── 403: Grant in `pending` status ───────────────────────────────────────
it('returns 403 when the grant is in pending status', async () => {
const grantsService = makeGrantsService({
getGrantWithPeer: vi.fn().mockResolvedValue(makeGrantWithPeer({ status: 'pending' })),
});
const { ctx, statusMock, sendMock } = makeContext({ certPem });
const guard = new FederationAuthGuard(grantsService);
const result = await guard.canActivate(ctx);
expect(result).toBe(false);
expect(statusMock).toHaveBeenCalledWith(403);
expect(sendMock).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({ code: 'forbidden', message: 'Federation access denied' }),
}),
);
});
// ── 403: Grant in `revoked` status ───────────────────────────────────────
it('returns 403 when the grant is in revoked status', async () => {
const grantsService = makeGrantsService({
getGrantWithPeer: vi
.fn()
.mockResolvedValue(makeGrantWithPeer({ status: 'revoked', revokedAt: new Date() })),
});
const { ctx, statusMock, sendMock } = makeContext({ certPem });
const guard = new FederationAuthGuard(grantsService);
const result = await guard.canActivate(ctx);
expect(result).toBe(false);
expect(statusMock).toHaveBeenCalledWith(403);
expect(sendMock).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({ code: 'forbidden', message: 'Federation access denied' }),
}),
);
});
// ── 403: Grant in `expired` status ───────────────────────────────────────
it('returns 403 when the grant is in expired status', async () => {
const grantsService = makeGrantsService({
getGrantWithPeer: vi.fn().mockResolvedValue(makeGrantWithPeer({ status: 'expired' })),
});
const { ctx, statusMock, sendMock } = makeContext({ certPem });
const guard = new FederationAuthGuard(grantsService);
const result = await guard.canActivate(ctx);
expect(result).toBe(false);
expect(statusMock).toHaveBeenCalledWith(403);
expect(sendMock).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({ code: 'forbidden', message: 'Federation access denied' }),
}),
);
});
// ── 403: Cert serial mismatch ─────────────────────────────────────────────
it('returns 403 when the cert serial does not match the registered peer cert serial', async () => {
// Return a grant whose peer has a different stored serial
const grantsService = makeGrantsService({
getGrantWithPeer: vi.fn().mockResolvedValue(
makeGrantWithPeer({
peer: {
id: PEER_ID,
commonName: 'test-peer',
displayName: 'Test Peer',
certPem: '',
certSerial: 'DEADBEEF', // different from CERT_SERIAL_HEX='01'
certNotAfter: new Date(Date.now() + 86_400_000),
clientKeyPem: null,
state: 'active',
endpointUrl: null,
lastSeenAt: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
revokedAt: null,
},
}),
),
});
// Context presents cert with serial '01' but DB has 'DEADBEEF'
const { ctx, statusMock, sendMock } = makeContext({ certPem, certSerialHex: '01' });
const guard = new FederationAuthGuard(grantsService);
const result = await guard.canActivate(ctx);
expect(result).toBe(false);
expect(statusMock).toHaveBeenCalledWith(403);
expect(sendMock).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({ code: 'forbidden', message: 'Federation access denied' }),
}),
);
});
// ── 403: subjectUserId cert/DB mismatch (CRIT-1 regression test) ─────────
it('returns 403 when the cert subjectUserId does not match the DB grant subjectUserId', async () => {
// Build a cert that claims an attacker's subjectUserId
const attackerSubjectUserId = 'attacker-user-id';
const attackerCertPem = await makeMosaicIssuedCert({
grantId: GRANT_ID,
subjectUserId: attackerSubjectUserId,
});
// DB returns a grant with the legitimate USER_ID
const grantsService = makeGrantsService({
getGrantWithPeer: vi.fn().mockResolvedValue(makeGrantWithPeer({ subjectUserId: USER_ID })),
});
// Cert presents attacker-user-id but DB has USER_ID — should be rejected
const { ctx, statusMock, sendMock } = makeContext({
certPem: attackerCertPem,
certSerialHex: CERT_SERIAL_HEX,
});
const guard = new FederationAuthGuard(grantsService);
const result = await guard.canActivate(ctx);
expect(result).toBe(false);
expect(statusMock).toHaveBeenCalledWith(403);
expect(sendMock).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({ code: 'forbidden', message: 'Federation access denied' }),
}),
);
});
// ── Happy path ────────────────────────────────────────────────────────────
it('returns true and attaches federationContext on happy path', async () => {
const grant = makeGrantWithPeer({
status: 'active',
peer: {
id: PEER_ID,
commonName: 'test-peer',
displayName: 'Test Peer',
certPem: '',
certSerial: CERT_SERIAL_HEX,
certNotAfter: new Date(Date.now() + 86_400_000),
clientKeyPem: null,
state: 'active',
endpointUrl: null,
lastSeenAt: null,
createdAt: new Date('2026-01-01T00:00:00Z'),
revokedAt: null,
},
});
const grantsService = makeGrantsService({
getGrantWithPeer: vi.fn().mockResolvedValue(grant),
});
// Build context manually to capture what gets set on request.federationContext
const b64 = certPem
.replace(/-----BEGIN CERTIFICATE-----/, '')
.replace(/-----END CERTIFICATE-----/, '')
.replace(/\s+/g, '');
const raw = Buffer.from(b64, 'base64');
const peerCert = { raw, serialNumber: CERT_SERIAL_HEX };
const sendMock = vi.fn().mockReturnValue(undefined);
const headerMock = vi.fn().mockReturnValue({ send: sendMock });
const statusMock = vi.fn().mockReturnValue({ header: headerMock });
const request: Record<string, unknown> = {
raw: {
socket: { getPeerCertificate: vi.fn().mockReturnValue(peerCert) },
},
};
const reply = { status: statusMock };
const ctx = {
switchToHttp: () => ({
getRequest: () => request,
getResponse: () => reply,
}),
} as unknown as ExecutionContext;
const guard = new FederationAuthGuard(grantsService);
const result = await guard.canActivate(ctx);
expect(result).toBe(true);
expect(statusMock).not.toHaveBeenCalled();
// Verify the context was attached correctly
expect(request['federationContext']).toEqual({
grantId: GRANT_ID,
subjectUserId: USER_ID,
peerId: PEER_ID,
scope: VALID_SCOPE,
});
});
});

212
apps/gateway/src/federation/server/federation-auth.guard.ts Normal file
View File

@@ -0,0 +1,212 @@
/**
* FederationAuthGuard — NestJS CanActivate guard for inbound federation requests.
*
* Validates the mTLS client certificate presented by a peer gateway, extracts
* custom OIDs to identify the grant + subject user, loads the grant from DB,
* asserts it is active, and verifies the cert serial against the registered peer
* cert serial as a defense-in-depth measure.
*
* On success, attaches `request.federationContext` for downstream verb controllers.
* On failure, responds with the federation wire-format error envelope (not raw
* NestJS exception JSON) to match the federation protocol contract.
*
* ## Cert-serial check decision
* The guard validates that the inbound client cert's serial number matches the
* `certSerial` stored on the associated `federation_peers` row. This is a
* defense-in-depth measure: even if the mTLS handshake is compromised at the
* transport layer (e.g. misconfigured TLS terminator that forwards arbitrary
* client certs), an attacker cannot replay a cert with a different serial than
* what was registered during enrollment. This check is NOT loosened because:
* 1. It is O(1) — no additional DB round-trip (peerId is on the grant row,
* so we join to federationPeers in the same query).
* 2. Cert renewal MUST update the stored serial — enforced by M6 scheduler.
* 3. The OID-only path (without serial check) would allow any cert from the
* same CA bearing the same grantId OID to succeed after cert compromise.
*
* ## FastifyRequest typing path
* NestJS + Fastify wraps the raw Node.js IncomingMessage in a FastifyRequest.
* The underlying TLS socket is accessed via `request.raw.socket`, which is a
* `tls.TLSSocket` when the server is listening on HTTPS. In development/test
* the gateway may run over plain HTTP, in which case `getPeerCertificate` is
* not available. The guard safely handles both cases by checking for the
* method's existence before calling it.
*
* Note: The guard reads the peer certificate from the *already-completed*
* TLS handshake via `socket.getPeerCertificate(detailed=true)`. This relies
* on the server being configured with `requestCert: true` at the TLS level
* so Fastify/Node.js requests the client cert during the handshake.
* The guard does NOT verify the cert chain itself — that is handled by the
* TLS layer (Node.js `rejectUnauthorized: true` with the CA cert pinned).
*/
import {
type CanActivate,
type ExecutionContext,
Inject,
Injectable,
Logger,
} from '@nestjs/common';
import type { FastifyReply, FastifyRequest } from 'fastify';
import * as tls from 'node:tls';
import { X509Certificate } from '@peculiar/x509';
import { FederationForbiddenError, FederationUnauthorizedError } from '@mosaicstack/types';
import { extractMosaicOids } from '../oid.util.js';
import { GrantsService } from '../grants.service.js';
import type { FederationContext } from './federation-context.js';
import './federation-context.js'; // side-effect import: applies FastifyRequest module augmentation
// ---------------------------------------------------------------------------
// Internal helpers
// ---------------------------------------------------------------------------
/**
* Send a federation wire-format error response directly on the Fastify reply.
* Returns false — callers return this value from canActivate.
*/
function sendFederationError(
reply: FastifyReply,
error: FederationUnauthorizedError | FederationForbiddenError,
): boolean {
const statusCode = error.code === 'unauthorized' ? 401 : 403;
void reply.status(statusCode).header('content-type', 'application/json').send(error.toEnvelope());
return false;
}
// ---------------------------------------------------------------------------
// Guard
// ---------------------------------------------------------------------------
@Injectable()
export class FederationAuthGuard implements CanActivate {
private readonly logger = new Logger(FederationAuthGuard.name);
constructor(@Inject(GrantsService) private readonly grantsService: GrantsService) {}
async canActivate(context: ExecutionContext): Promise<boolean> {
const http = context.switchToHttp();
const request = http.getRequest<FastifyRequest>();
const reply = http.getResponse<FastifyReply>();
// ── Step 1: Extract peer certificate from TLS socket ────────────────────
const rawSocket = request.raw.socket;
// Check TLS socket: getPeerCertificate is only available on TLS connections.
if (
!rawSocket ||
typeof (rawSocket as Partial<tls.TLSSocket>).getPeerCertificate !== 'function'
) {
this.logger.warn('No TLS socket — client cert unavailable (non-mTLS connection)');
return sendFederationError(
reply,
new FederationUnauthorizedError('Client certificate required'),
);
}
const tlsSocket = rawSocket as tls.TLSSocket;
const peerCert = tlsSocket.getPeerCertificate(true);
// Node.js returns an object with empty string fields when no cert was presented.
if (!peerCert || !peerCert.raw) {
this.logger.warn('Peer certificate not presented (mTLS handshake did not supply cert)');
return sendFederationError(
reply,
new FederationUnauthorizedError('Client certificate required'),
);
}
// ── Step 2: Parse the DER-encoded certificate via @peculiar/x509 ────────
let cert: X509Certificate;
try {
// peerCert.raw is a Buffer containing the DER-encoded cert
cert = new X509Certificate(peerCert.raw);
} catch (err) {
this.logger.warn(
`Failed to parse peer certificate: ${err instanceof Error ? err.message : String(err)}`,
);
return sendFederationError(
reply,
new FederationUnauthorizedError('Client certificate could not be parsed'),
);
}
// ── Step 3: Extract Mosaic custom OIDs ──────────────────────────────────
const oidResult = extractMosaicOids(cert);
if (!oidResult.ok) {
const message =
oidResult.error === 'MISSING_GRANT_ID'
? 'Client certificate is missing required OID: mosaic_grant_id (1.3.6.1.4.1.99999.1)'
: oidResult.error === 'MISSING_SUBJECT_USER_ID'
? 'Client certificate is missing required OID: mosaic_subject_user_id (1.3.6.1.4.1.99999.2)'
: `Client certificate OID extraction failed: ${oidResult.detail ?? 'unknown error'}`;
this.logger.warn(`OID extraction failure [${oidResult.error}]: ${message}`);
return sendFederationError(reply, new FederationUnauthorizedError(message));
}
const { grantId, subjectUserId } = oidResult.value;
// ── Step 4: Load grant from DB ───────────────────────────────────────────
let grant: Awaited<ReturnType<GrantsService['getGrantWithPeer']>>;
try {
grant = await this.grantsService.getGrantWithPeer(grantId);
} catch {
// getGrantWithPeer throws NotFoundException when not found
this.logger.warn(`Grant not found: ${grantId}`);
return sendFederationError(reply, new FederationForbiddenError('Federation access denied'));
}
// ── Step 5: Assert grant is active ──────────────────────────────────────
if (grant.status !== 'active') {
this.logger.warn(`Grant ${grantId} is not active — status=${grant.status}`);
return sendFederationError(reply, new FederationForbiddenError('Federation access denied'));
}
// ── Step 5b: Validate cert-extracted subjectUserId against DB (CRIT-1) ──
// The cert claim is untrusted input; the DB row is authoritative.
if (subjectUserId !== grant.subjectUserId) {
this.logger.warn(`subjectUserId mismatch for grant ${grantId}`);
return sendFederationError(reply, new FederationForbiddenError('Federation access denied'));
}
// ── Step 6: Defense-in-depth — cert serial must match registered peer ───
// The serial number from Node.js TLS is upper-case hex without colons.
// The @peculiar/x509 serialNumber is decimal. We compare using the native
// Node.js crypto cert serial which is uppercase hex, matching DB storage.
// Both are derived from the peerCert.serialNumber Node.js provides.
const inboundSerial: string = peerCert.serialNumber ?? '';
if (!grant.peer.certSerial) {
// Peer row exists but has no stored serial — something is wrong with enrollment
this.logger.error(`Peer ${grant.peerId} has no stored certSerial — enrollment incomplete`);
return sendFederationError(reply, new FederationForbiddenError('Federation access denied'));
}
// Normalize both to uppercase for comparison (Node.js serialNumber is
// already uppercase hex; DB value was stored from extractSerial() which
// returns crypto.X509Certificate.serialNumber — also uppercase hex).
if (inboundSerial.toUpperCase() !== grant.peer.certSerial.toUpperCase()) {
this.logger.warn(
`Cert serial mismatch for grant ${grantId}: ` +
`inbound=${inboundSerial} registered=${grant.peer.certSerial}`,
);
return sendFederationError(reply, new FederationForbiddenError('Federation access denied'));
}
// ── Step 7: Attach FederationContext to request ──────────────────────────
// Use grant.subjectUserId from DB (authoritative) — not the cert-extracted value.
const federationContext: FederationContext = {
grantId,
subjectUserId: grant.subjectUserId,
peerId: grant.peerId,
scope: grant.scope as Record<string, unknown>,
};
request.federationContext = federationContext;
this.logger.debug(
`Federation auth OK — grantId=${grantId} peerId=${grant.peerId} subjectUserId=${grant.subjectUserId}`,
);
return true;
}
}

39
apps/gateway/src/federation/server/federation-context.ts Normal file
View File

@@ -0,0 +1,39 @@
/**
* FederationContext — attached to inbound federation requests after successful
* mTLS + grant validation by FederationAuthGuard.
*
* Downstream verb controllers access this via `request.federationContext`.
*/
/**
* Augment FastifyRequest so TypeScript knows about the federation context
* property that FederationAuthGuard attaches on success.
*/
declare module 'fastify' {
interface FastifyRequest {
federationContext?: FederationContext;
}
}
/**
* Typed context object attached to the request by FederationAuthGuard.
* Carries all data extracted from the mTLS cert + grant DB row needed
* by downstream federation verb handlers.
*/
export interface FederationContext {
/** The federation grant ID extracted from OID 1.3.6.1.4.1.99999.1 */
grantId: string;
/** The local subject user whose data is accessible under this grant */
subjectUserId: string;
/** The peer gateway ID (from the grant's peerId FK) */
peerId: string;
/**
* Grant scope — determines which resources the peer may query.
* Typed as Record<string, unknown> because the full scope schema lives in
* scope-schema.ts; downstream handlers should narrow via parseFederationScope.
*/
scope: Record<string, unknown>;
}

13
apps/gateway/src/federation/server/index.ts Normal file
View File

@@ -0,0 +1,13 @@
/**
* Federation server-side barrel — inbound request handling.
*
* Exports the mTLS auth guard and the FederationContext interface
* for use by verb controllers (M3-05/06/07).
*
* Usage:
* import { FederationAuthGuard } from './server/index.js';
* @UseGuards(FederationAuthGuard)
*/
export { FederationAuthGuard } from './federation-auth.guard.js';
export type { FederationContext } from './federation-context.js';

64
pnpm-lock.yaml generated
View File

@@ -179,9 +179,6 @@ importers:
socket.io: socket.io:
specifier: ^4.8.0 specifier: ^4.8.0
version: 4.8.3 version: 4.8.3
undici:
specifier: ^7.24.6
version: 7.24.6
uuid: uuid:
specifier: ^11.0.0 specifier: ^11.0.0
version: 11.1.0 version: 11.1.0
@@ -716,10 +713,10 @@ importers:
dependencies: dependencies:
'@mariozechner/pi-agent-core': '@mariozechner/pi-agent-core':
specifier: ^0.63.1 specifier: ^0.63.1
version: 0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@4.3.6) version: 0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@3.25.76)
'@mariozechner/pi-ai': '@mariozechner/pi-ai':
specifier: ^0.63.1 specifier: ^0.63.1
version: 0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@4.3.6) version: 0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@3.25.76)
'@sinclair/typebox': '@sinclair/typebox':
specifier: ^0.34.41 specifier: ^0.34.41
version: 0.34.48 version: 0.34.48
@@ -6996,6 +6993,10 @@ packages:
resolution: {integrity: sha512-gBLkYIlEnSp8pFbT64yFgGE6UIB9tAkhukC23PmMDCe5Nd+cRqKxSjw5y54MK2AZMgZfJWMaNE4nYUHgi1XEOw==} resolution: {integrity: sha512-gBLkYIlEnSp8pFbT64yFgGE6UIB9tAkhukC23PmMDCe5Nd+cRqKxSjw5y54MK2AZMgZfJWMaNE4nYUHgi1XEOw==}
engines: {node: '>=18.17'} engines: {node: '>=18.17'}
undici@7.24.3:
resolution: {integrity: sha512-eJdUmK/Wrx2d+mnWWmwwLRyA7OQCkLap60sk3dOK4ViZR7DKwwptwuIvFBg2HaiP9ESaEdhtpSymQPvytpmkCA==}
engines: {node: '>=20.18.1'}
undici@7.24.6: undici@7.24.6:
resolution: {integrity: sha512-Xi4agocCbRzt0yYMZGMA6ApD7gvtUFaxm4ZmeacWI4cZxaF6C+8I8QfofC20NAePiB/IcvZmzkJ7XPa471AEtA==} resolution: {integrity: sha512-Xi4agocCbRzt0yYMZGMA6ApD7gvtUFaxm4ZmeacWI4cZxaF6C+8I8QfofC20NAePiB/IcvZmzkJ7XPa471AEtA==}
engines: {node: '>=20.18.1'} engines: {node: '>=20.18.1'}
@@ -7328,6 +7329,12 @@ snapshots:
'@jridgewell/gen-mapping': 0.3.13 '@jridgewell/gen-mapping': 0.3.13
'@jridgewell/trace-mapping': 0.3.31 '@jridgewell/trace-mapping': 0.3.31
'@anthropic-ai/sdk@0.73.0(zod@3.25.76)':
dependencies:
json-schema-to-ts: 3.1.1
optionalDependencies:
zod: 3.25.76
'@anthropic-ai/sdk@0.73.0(zod@4.3.6)': '@anthropic-ai/sdk@0.73.0(zod@4.3.6)':
dependencies: dependencies:
json-schema-to-ts: 3.1.1 json-schema-to-ts: 3.1.1
@@ -8669,6 +8676,18 @@ snapshots:
- ws - ws
- zod - zod
'@mariozechner/pi-agent-core@0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@3.25.76)':
dependencies:
'@mariozechner/pi-ai': 0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@3.25.76)
transitivePeerDependencies:
- '@modelcontextprotocol/sdk'
- aws-crt
- bufferutil
- supports-color
- utf-8-validate
- ws
- zod
'@mariozechner/pi-agent-core@0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@4.3.6)': '@mariozechner/pi-agent-core@0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@4.3.6)':
dependencies: dependencies:
'@mariozechner/pi-ai': 0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@4.3.6) '@mariozechner/pi-ai': 0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@4.3.6)
@@ -8717,6 +8736,30 @@ snapshots:
- ws - ws
- zod - zod
'@mariozechner/pi-ai@0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@3.25.76)':
dependencies:
'@anthropic-ai/sdk': 0.73.0(zod@3.25.76)
'@aws-sdk/client-bedrock-runtime': 3.1008.0
'@google/genai': 1.45.0(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))
'@mistralai/mistralai': 1.14.1
'@sinclair/typebox': 0.34.48
ajv: 8.18.0
ajv-formats: 3.0.1(ajv@8.18.0)
chalk: 5.6.2
openai: 6.26.0(ws@8.20.0)(zod@3.25.76)
partial-json: 0.1.7
proxy-agent: 6.5.0
undici: 7.24.3
zod-to-json-schema: 3.25.1(zod@3.25.76)
transitivePeerDependencies:
- '@modelcontextprotocol/sdk'
- aws-crt
- bufferutil
- supports-color
- utf-8-validate
- ws
- zod
'@mariozechner/pi-ai@0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@4.3.6)': '@mariozechner/pi-ai@0.63.2(@modelcontextprotocol/sdk@1.28.0(zod@4.3.6))(ws@8.20.0)(zod@4.3.6)':
dependencies: dependencies:
'@anthropic-ai/sdk': 0.73.0(zod@4.3.6) '@anthropic-ai/sdk': 0.73.0(zod@4.3.6)
@@ -8730,7 +8773,7 @@ snapshots:
openai: 6.26.0(ws@8.20.0)(zod@4.3.6) openai: 6.26.0(ws@8.20.0)(zod@4.3.6)
partial-json: 0.1.7 partial-json: 0.1.7
proxy-agent: 6.5.0 proxy-agent: 6.5.0
undici: 7.24.6 undici: 7.24.3
zod-to-json-schema: 3.25.1(zod@4.3.6) zod-to-json-schema: 3.25.1(zod@4.3.6)
transitivePeerDependencies: transitivePeerDependencies:
- '@modelcontextprotocol/sdk' - '@modelcontextprotocol/sdk'
@@ -12589,7 +12632,7 @@ snapshots:
saxes: 6.0.0 saxes: 6.0.0
symbol-tree: 3.2.4 symbol-tree: 3.2.4
tough-cookie: 6.0.1 tough-cookie: 6.0.1
undici: 7.24.6 undici: 7.24.3
w3c-xmlserializer: 5.0.0 w3c-xmlserializer: 5.0.0
webidl-conversions: 8.0.1 webidl-conversions: 8.0.1
whatwg-mimetype: 5.0.0 whatwg-mimetype: 5.0.0
@@ -13309,6 +13352,11 @@ snapshots:
dependencies: dependencies:
mimic-function: 5.0.1 mimic-function: 5.0.1
openai@6.26.0(ws@8.20.0)(zod@3.25.76):
optionalDependencies:
ws: 8.20.0
zod: 3.25.76
openai@6.26.0(ws@8.20.0)(zod@4.3.6): openai@6.26.0(ws@8.20.0)(zod@4.3.6):
optionalDependencies: optionalDependencies:
ws: 8.20.0 ws: 8.20.0
@@ -14440,6 +14488,8 @@ snapshots:
undici@6.21.3: {} undici@6.21.3: {}
undici@7.24.3: {}
undici@7.24.6: {} undici@7.24.6: {}
unhomoglyph@1.0.6: {} unhomoglyph@1.0.6: {}