Pulse

vrr/Pulse

Fork 0

mirror of https://github.com/rcourtman/Pulse.git synced 2026-04-28 11:30:15 +00:00

Commit graph

Author	SHA1	Message	Date
rcourtman	9aafa6449f	feat(security): Add capability-based authorization Implements proper least-privilege model for RPC methods. Previously, any UID in allowed_peer_uids could call privileged methods, meaning another service's UID would inherit full host-level control. Capability System: - Three levels: read, write, admin - Per-UID capability assignment via allowed_peers config - Privileged methods require admin capability - Backwards compatible with legacy allowed_peer_uids format Configuration: allowed_peers: - uid: 0 capabilities: [read, write, admin] # Root gets all - uid: 1000 capabilities: [read] # Docker: read-only - uid: 1001 capabilities: [read, write] # Temps but not key distribution Security benefit: Services can be granted only the capabilities they need, preventing unintended privilege escalation. Related to security audit 2025-11-07. Co-authored-by: Codex <codex@openai.com>	2025-11-07 17:09:32 +00:00
rcourtman	29f4879cd4	test: add comprehensive security tests and documentation Implements all remaining Codex recommendations before launch: 1. Privileged Methods Tests: - TestPrivilegedMethodsCompleteness ensures all host-side RPCs are protected - Will fail if new privileged RPC is added without authorization - Verifies read-only methods are NOT in privilegedMethods 2. ID-Mapped Root Detection Tests: - TestIDMappedRootDetection covers all boundary conditions - Tests UID/GID range detection (both must be in range) - Tests multiple ID ranges, edge cases, disabled mode - 100% coverage of container identification logic 3. Authorization Tests: - TestPrivilegedMethodsBlocked verifies containers can't call privileged RPCs - TestIDMappedRootDisabled ensures feature can be disabled - Tests both container and host credentials 4. Comprehensive Security Documentation (23 KB): - Architecture overview with diagrams - Complete authentication & authorization flow - Rate limiting details (already implemented: 20/min per peer) - SSH security model and forced commands - Container isolation mechanisms - Monitoring & alerting recommendations - Development mode documentation (PULSE_DEV_ALLOW_CONTAINER_SSH) - Troubleshooting guide with common issues - Incident response procedures Rate Limiting Status: - Already implemented in throttle.go (20 req/min, burst 10, max 10 concurrent) - Per-peer rate limiting at line 328 in main.go - Per-node concurrency control at line 825 in main.go - Exceeds Codex's requirements All tests pass. Documentation covers all security aspects. Addresses final Codex recommendations for production readiness.	2025-10-19 16:47:13 +00:00

Author

SHA1

Message

Date

rcourtman

9aafa6449f

feat(security): Add capability-based authorization

Implements proper least-privilege model for RPC methods. Previously,
any UID in allowed_peer_uids could call privileged methods, meaning
another service's UID would inherit full host-level control.

Capability System:
- Three levels: read, write, admin
- Per-UID capability assignment via allowed_peers config
- Privileged methods require admin capability
- Backwards compatible with legacy allowed_peer_uids format

Configuration:
  allowed_peers:
    - uid: 0
      capabilities: [read, write, admin]  # Root gets all
    - uid: 1000
      capabilities: [read]  # Docker: read-only
    - uid: 1001
      capabilities: [read, write]  # Temps but not key distribution

Security benefit: Services can be granted only the capabilities they
need, preventing unintended privilege escalation.

Related to security audit 2025-11-07.

Co-authored-by: Codex <codex@openai.com>

2025-11-07 17:09:32 +00:00

rcourtman

29f4879cd4

test: add comprehensive security tests and documentation

Implements all remaining Codex recommendations before launch:

1. Privileged Methods Tests:
   - TestPrivilegedMethodsCompleteness ensures all host-side RPCs are protected
   - Will fail if new privileged RPC is added without authorization
   - Verifies read-only methods are NOT in privilegedMethods

2. ID-Mapped Root Detection Tests:
   - TestIDMappedRootDetection covers all boundary conditions
   - Tests UID/GID range detection (both must be in range)
   - Tests multiple ID ranges, edge cases, disabled mode
   - 100% coverage of container identification logic

3. Authorization Tests:
   - TestPrivilegedMethodsBlocked verifies containers can't call privileged RPCs
   - TestIDMappedRootDisabled ensures feature can be disabled
   - Tests both container and host credentials

4. Comprehensive Security Documentation (23 KB):
   - Architecture overview with diagrams
   - Complete authentication & authorization flow
   - Rate limiting details (already implemented: 20/min per peer)
   - SSH security model and forced commands
   - Container isolation mechanisms
   - Monitoring & alerting recommendations
   - Development mode documentation (PULSE_DEV_ALLOW_CONTAINER_SSH)
   - Troubleshooting guide with common issues
   - Incident response procedures

Rate Limiting Status:
- Already implemented in throttle.go (20 req/min, burst 10, max 10 concurrent)
- Per-peer rate limiting at line 328 in main.go
- Per-node concurrency control at line 825 in main.go
- Exceeds Codex's requirements

All tests pass. Documentation covers all security aspects.

Addresses final Codex recommendations for production readiness.

2025-10-19 16:47:13 +00:00

2 commits