Security hardening pass + security test framework#85
Merged
Closes the critical findings from the security review and adds a security testing harness. All changes build; affected crate test suites and the workspace clippy gate pass.

Critical fixes:
- control-plane: require an admin bearer token on all routes except /health and the data-plane WebSocket; fail closed without BARBACANE_CONTROL_ADMIN_TOKEN; tighten CORS to an allowlist.
- artifact: Ed25519 sign-on-compile (BARBACANE_SIGNING_KEY) and verify-on-load against a pinned key (BARBACANE_TRUSTED_PUBKEY), plus per-plugin/spec/route checksum verification on load.
- mcp: reject non-initialize requests without a valid session (no more header-omission bypass).
- wasm http client: SSRF guard rejecting loopback/link-local/private/metadata targets; redirects disabled (BARBACANE_ALLOW_INTERNAL_EGRESS to override).
- jwt-auth: real signature verification via host verify_signature (inline JWK); skip flag ignored in production builds.
- wasm secrets: confine file:// references to BARBACANE_SECRETS_DIR.

Hardening / quick wins:
- wasm chain: fix fail-open middleware short-circuit downgrade.
- data plane: bound Prometheus path-label cardinality on unmatched routes; stop panicking on hostile x-request-id/traceparent.
- wasm capability map: add cache, rate_limit, http_stream.
- containers: non-root standalone image; correct AGPL license labels.
- deny.toml: add licenses/bans/sources gates.

Security test framework:
- adversarial integration suite (crates/barbacane-test/tests/security/)
- cargo-fuzz targets (fuzz/) for parser/loader/jsonrpc/validator
- docs/contributing/security-testing.md

Deferred (tracked in ROADMAP): full per-plugin capability-enforcement linker (needs plugin-manifest migration + wasm integration run).
Completes capability enforcement and fixes the CI failures on the hardening branch.

WA-1 — capability enforcement:
- Migrate all 33 official plugin.toml manifests to the canonical `[capabilities] host_functions = [...]` dialect, with the minimal capability set verified against each plugin's real wasm imports.
- Correct the capability->imports map (time aliases under clock_now, outbound-body fns under http_call, broker read-result under kafka/nats) and always-allow the core request-body ABI.
- Carry per-plugin host_functions into the .bca manifest and run validate_imports on load: a plugin importing a host function outside its declared capabilities is a hard load failure (default-deny).
- Gate enforcement on a new `capabilities_enforced` manifest flag, set true only when capabilities are authoritative (compiled from plugin.toml). Control-plane-compiled artifacts (registry does not yet persist capabilities) load without enforcement; tracked as follow-up.
- Add validate.rs unit tests proving undeclared imports are rejected and declared/core imports are allowed.

CI fixes:
- Reformat (cargo fmt) the hardening changes.
- Bump anyhow 1.0.102 -> 1.0.103 (RUSTSEC-2026-0190; new advisory, not introduced by this branch).
- Revert deny.toml to advisories-only (the license/bans/sources gates move to the public CI-hardening issue; they tripped the audit job).
- Fix 4 stream_raw tests that regressed under the SSRF guard, and make the SSRF allow-flag per-client config (HttpClientConfig.allow_internal_egress) instead of a global, removing the test race.

Docs:
- docs/reference/configuration.md: env vars + breaking-by-default notes.
- CHANGELOG Unreleased entry; ROADMAP updates.
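The default-deny import check this commit describes (core ABI always allowed, declared capabilities expanded through the capability map, everything else a hard load failure, gated on `capabilities_enforced`), as an added Rust sketch that is not Barbacane's own code: the host-function names in the map are illustrative placeholders that only follow the grouping the commit message gives, and `PluginManifest` is a cut-down stand-in for the .bca manifest fields involved.

```rust
use std::collections::BTreeSet;

/// Capability -> host functions it grants. Names are illustrative placeholders,
/// not Barbacane's real ABI; the grouping follows the commit message (time
/// aliases under clock_now, outbound-body fns under http_call, read-result
/// under kafka/nats).
pub const CAPABILITY_MAP: &[(&str, &[&str])] = &[
    ("clock_now", &["clock_now", "time_now", "time_monotonic"]),
    ("http_call", &["http_call", "http_write_body", "http_read_body"]),
    ("kafka", &["kafka_publish", "kafka_read_result"]),
    ("nats", &["nats_publish", "nats_read_result"]),
    ("cache", &["cache_get", "cache_set"]),
];

/// Core request-body ABI every plugin may import without declaring anything.
pub const CORE_ABI: &[&str] = &["request_body_read", "request_body_write"];

/// Subset of the .bca manifest relevant to enforcement (sketch, not the real struct).
#[derive(Debug, Clone)]
pub struct PluginManifest {
    pub name: String,
    pub host_functions: Vec<String>, // from `[capabilities] host_functions = [...]`
    pub capabilities_enforced: bool, // true only when compiled from plugin.toml
}

#[derive(Debug, PartialEq)]
pub enum LoadError {
    UndeclaredImports { plugin: String, imports: Vec<String> },
}

/// Run on load: every wasm import must be covered by the core ABI or by a
/// declared capability; anything else fails the load (default-deny).
pub fn validate_imports(m: &PluginManifest, imports: &[&str]) -> Result<(), LoadError> {
    if !m.capabilities_enforced {
        return Ok(()); // capabilities not authoritative yet (control-plane-compiled)
    }
    let mut allowed: BTreeSet<&str> = CORE_ABI.iter().copied().collect();
    for cap in &m.host_functions {
        // An unknown capability name grants nothing rather than everything.
        if let Some((_, fns)) = CAPABILITY_MAP.iter().find(|(c, _)| *c == cap.as_str()) {
            allowed.extend(fns.iter().copied());
        }
    }
    let undeclared: Vec<String> = imports
        .iter()
        .filter(|f| !allowed.contains(*f))
        .map(|f| f.to_string())
        .collect();
    if undeclared.is_empty() {
        Ok(())
    } else {
        Err(LoadError::UndeclaredImports { plugin: m.name.clone(), imports: undeclared })
    }
}
```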
Hardening pass from a security review, plus a security testing harness. Everything builds; affected crate test suites and the workspace clippy gate pass locally.
Hardening
- `/health` and the data-plane WebSocket; fails closed without `BARBACANE_CONTROL_ADMIN_TOKEN`; CORS restricted to an allowlist (`BARBACANE_CONTROL_ALLOWED_ORIGINS`).
- `BARBACANE_SIGNING_KEY`) and verify-on-load against a pinned key (`BARBACANE_TRUSTED_PUBKEY`), plus per-plugin/spec/route checksum verification before any plugin is instantiated.
- `initialize` requests.
- `BARBACANE_ALLOW_INTERNAL_EGRESS` to override).
- `verify_signature` capability (inline JWK); the test-only skip flag is ignored in production builds.
- `file://` references confined to `BARBACANE_SECRETS_DIR`.
- `x-request-id`/`traceparent`; correct capability map (cache/rate_limit/http_stream); non-root standalone image; correct AGPL image labels; add `deny.toml` license/bans/sources gates.
Security test framework
- `crates/barbacane-test/tests/security/`.
- `cargo-fuzz` targets under `fuzz/` (spec parser, artifact loader, JSON-RPC, validator).
- `docs/contributing/security-testing.md`; `make security-test` / `make fuzz-build`.
Config (operators)
- `BARBACANE_CONTROL_ADMIN_TOKEN`
- `BARBACANE_CONTROL_ALLOWED_ORIGINS`
- `BARBACANE_SIGNING_KEY`
- `BARBACANE_TRUSTED_PUBKEY`
- `BARBACANE_SECRETS_DIR` (`file://` secret references)
- `BARBACANE_ALLOW_INTERNAL_EGRESS`
Follow-ups (see ROADMAP "Security hardening")
- `plugin.toml` capability-dialect migration + the wasm/Docker integration run).
Detailed findings are tracked privately.
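The wasm HTTP client's SSRF guard (loopback/link-local/private/metadata targets rejected, redirects not followed, per-client `allow_internal_egress` override) as an added Rust illustration that is not the project's code: `HttpClientConfig` is a sketch carrying only the field the PR names, and the caller is assumed to resolve the hostname first and hand over every resulting address.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Per-client egress policy; the field name follows the PR, the struct is a sketch.
#[derive(Clone, Debug, Default)]
pub struct HttpClientConfig {
    pub allow_internal_egress: bool,
}

#[derive(Debug, PartialEq)]
pub enum EgressError { InternalTarget(IpAddr) }

fn is_internal_v4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_loopback()                           // 127.0.0.0/8
        || ip.is_private()                     // 10/8, 172.16/12, 192.168/16
        || ip.is_link_local()                  // 169.254/16, covers 169.254.169.254 metadata
        || ip.is_unspecified()                 // 0.0.0.0
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64/10 shared address space
}

fn is_internal_v6(ip: Ipv6Addr) -> bool {
    if let Some(v4) = ip.to_ipv4_mapped() {
        return is_internal_v4(v4); // ::ffff:127.0.0.1 must not bypass the v4 rules
    }
    let s = ip.segments();
    ip.is_loopback()                  // ::1
        || ip.is_unspecified()        // ::
        || (s[0] & 0xfe00) == 0xfc00  // fc00::/7 unique local
        || (s[0] & 0xffc0) == 0xfe80  // fe80::/10 link local
}

/// True for any address a wasm plugin must not reach by default.
pub fn is_internal_target(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_internal_v4(v4),
        IpAddr::V6(v6) => is_internal_v6(v6),
    }
}

/// Run after DNS resolution over *every* resolved address: a name that maps to one
/// public and one private address is still denied. Redirects are never followed,
/// so a 3xx to an internal host cannot sidestep this check.
pub fn check_egress(cfg: &HttpClientConfig, resolved: &[IpAddr]) -> Result<(), EgressError> {
    if cfg.allow_internal_egress { return Ok(()); }
    match resolved.iter().copied().find(|ip| is_internal_target(*ip)) {
        Some(ip) => Err(EgressError::InternalTarget(ip)),
        None => Ok(()),
    }
}
```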