nodedb-cluster 0.0.5

Distributed coordination layer for NodeDB — vShards, QUIC transport, and replication
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231

//! Authenticated SWIM datagram wire.
//!
//! SWIM has no TLS layer — UDP datagrams travel in the clear. The
//! authenticated envelope is the only thing standing between the cluster
//! and an off-network attacker who wants to forge or replay SWIM packets.
//!
//! # Envelope
//!
//! Each UDP datagram is an
//! [`auth_envelope`](crate::rpc_codec::auth_envelope) around the zerompk
//! encoding of [`SwimMessage`]:
//!
//! ```text
//! [env_ver | addr_hash | seq | inner_len | msgpack(SwimMessage) | mac]
//! ```
//!
//! - `addr_hash` is a stable 64-bit hash of the **sender's** UDP socket
//!   address. On receive the verifier must assert `addr_hash ==
//!   hash(observed_remote)` — this binds the envelope claim to the
//!   packet's actual origin, rejecting captured frames replayed from a
//!   different IP by an attacker who somehow has the MAC key.
//! - `mac` is HMAC-SHA256 over every byte of the envelope except the MAC.
//! - `seq` is a per-remote-address monotonic counter with a 64-entry
//!   sliding-window replay detector.
//!
//! # Relationship to Raft envelope
//!
//! Same [`auth_envelope`] primitive, same MAC algorithm, same cluster
//! MAC key. The only layering difference is the choice of `from_node_id`
//! field — Raft uses the u64 node id, SWIM uses the hash of the socket
//! address because SWIM's identity model is address-centric. The MAC
//! key is the cluster-wide shared secret so cross-transport replay
//! attacks (captured Raft frame replayed as SWIM, or vice versa) are
//! still detected — the envelope's `env_ver` field is shared and MAC
//! verification will succeed, but the inner bytes are in different
//! formats so deserialisation in the target handler will fail.

use std::net::SocketAddr;

use sha2::{Digest, Sha256};

use crate::rpc_codec::auth_envelope;
use crate::rpc_codec::{MacKey, PeerSeqSender, PeerSeqWindow};
use crate::swim::error::SwimError;

use super::{codec, message::SwimMessage};

/// Deterministic hash of a `SocketAddr` into a `u64`.
///
/// Uses SHA-256 truncated to the first 8 bytes. Deterministic across
/// processes and hosts so that sender and receiver agree on the value.
/// Not a MAC — the envelope MAC is the actual integrity primitive; this
/// hash exists only as a binding between the envelope's claimed origin
/// and the packet's observed source address.
pub fn addr_hash(addr: SocketAddr) -> u64 {
    let mut h = Sha256::new();
    h.update(addr.to_string().as_bytes());
    let digest = h.finalize();
    u64::from_le_bytes(digest[..8].try_into().expect("sha256 is 32 bytes"))
}

/// Per-transport auth state: MAC key, per-peer outbound counters, and a
/// per-peer inbound replay-detection window. Owned by the
/// [`UdpTransport`](crate::swim::detector::transport::udp::UdpTransport).
#[derive(Debug)]
pub struct SwimAuth {
    mac_key: MacKey,
    local_addr_hash: u64,
    seq_out: PeerSeqSender,
    seq_in: PeerSeqWindow,
}

impl SwimAuth {
    /// Construct from the cluster MAC key and the bound local address.
    /// Passing [`MacKey::zero`] is the insecure-mode opt-out — MAC and
    /// replay detection are cosmetic in that mode but the wire format
    /// stays identical so mixed-mode misconfiguration fails loudly
    /// instead of succeeding by accident.
    pub fn new(mac_key: MacKey, local_addr: SocketAddr) -> Self {
        Self {
            mac_key,
            local_addr_hash: addr_hash(local_addr),
            seq_out: PeerSeqSender::new(),
            seq_in: PeerSeqWindow::new(),
        }
    }

    /// Hash of the local bound address — used as the envelope's
    /// `from_node_id` on every outbound datagram.
    pub fn local_addr_hash(&self) -> u64 {
        self.local_addr_hash
    }
}

/// Encode `msg` and wrap it in an authenticated envelope destined for
/// `to`. Returns the bytes to hand to `UdpSocket::send_to`.
///
/// `to` is retained in the signature as documentation (callers pass the
/// destination they are about to `send_to`), but the outbound seq is a
/// single sender-global counter — see `PeerSeqSender`.
pub fn wrap(auth: &SwimAuth, _to: SocketAddr, msg: &SwimMessage) -> Result<Vec<u8>, SwimError> {
    let inner = codec::encode(msg)?;
    let seq = auth.seq_out.next();
    let mut out = Vec::with_capacity(auth_envelope::ENVELOPE_OVERHEAD + inner.len());
    auth_envelope::write_envelope(auth.local_addr_hash, seq, &inner, &auth.mac_key, &mut out)
        .map_err(|e| SwimError::Encode {
            detail: format!("swim envelope: {e}"),
        })?;
    Ok(out)
}

/// Parse an inbound datagram: verify MAC, bind envelope's advertised
/// origin to the observed remote address, reject replays, then decode
/// the inner [`SwimMessage`].
pub fn unwrap(auth: &SwimAuth, from: SocketAddr, bytes: &[u8]) -> Result<SwimMessage, SwimError> {
    let (fields, inner_frame) =
        auth_envelope::parse_envelope(bytes, &auth.mac_key).map_err(|e| SwimError::Decode {
            detail: format!("swim envelope: {e}"),
        })?;

    let expected = addr_hash(from);
    if fields.from_node_id != expected {
        return Err(SwimError::Decode {
            detail: format!(
                "swim envelope from {from} claimed addr_hash {}, observed hash {}",
                fields.from_node_id, expected
            ),
        });
    }

    auth.seq_in
        .accept(fields.from_node_id, fields.seq)
        .map_err(|e| SwimError::Decode {
            detail: format!("swim replay: {e}"),
        })?;

    codec::decode(inner_frame)
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::swim::incarnation::Incarnation;
    use crate::swim::wire::probe::{Ping, ProbeId};
    use nodedb_types::NodeId;
    use std::net::{IpAddr, Ipv4Addr};

    fn addr(port: u16) -> SocketAddr {
        SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), port)
    }

    fn sample_msg() -> SwimMessage {
        SwimMessage::Ping(Ping {
            probe_id: ProbeId::new(1),
            from: NodeId::new("a"),
            incarnation: Incarnation::ZERO,
            piggyback: vec![],
        })
    }

    #[test]
    fn addr_hash_is_deterministic() {
        // addr_hash is deterministic across processes — same input,
        // same output. This is required for cross-node agreement on
        // the envelope's from_node_id binding.
        assert_eq!(addr_hash(addr(7001)), addr_hash(addr(7001)));
        assert_ne!(addr_hash(addr(7001)), addr_hash(addr(7002)));
    }

    #[test]
    fn roundtrip_across_independent_endpoints() {
        // Two separate SwimAuth instances (as in a real two-node
        // cluster) must agree on the envelope binding because
        // addr_hash is deterministic.
        let key = MacKey::from_bytes([0x11u8; 32]);
        let sender = SwimAuth::new(key.clone(), addr(7001));
        let receiver = SwimAuth::new(key, addr(7002));
        let bytes = wrap(&sender, addr(7002), &sample_msg()).unwrap();
        // Receiver observed the datagram coming from addr(7001).
        let msg = unwrap(&receiver, addr(7001), &bytes).unwrap();
        assert_eq!(msg, sample_msg());
    }

    #[test]
    fn rejects_spoofed_source_address() {
        // Attacker captures a datagram sender A → receiver B, then
        // replays it with their own IP as source. The receiver's
        // addr_hash(observed_source) will differ from the envelope's
        // embedded addr_hash, so binding check fails.
        let key = MacKey::from_bytes([0x33u8; 32]);
        let real_sender = SwimAuth::new(key.clone(), addr(7001));
        let receiver = SwimAuth::new(key, addr(7002));
        let bytes = wrap(&real_sender, addr(7002), &sample_msg()).unwrap();
        let err = unwrap(&receiver, addr(9999), &bytes).unwrap_err();
        assert!(err.to_string().contains("addr_hash"));
    }

    #[test]
    fn rejects_tampered_mac() {
        let key = MacKey::from_bytes([3u8; 32]);
        let sender = SwimAuth::new(key.clone(), addr(7001));
        let receiver = SwimAuth::new(key, addr(7002));
        let mut bytes = wrap(&sender, addr(7002), &sample_msg()).unwrap();
        let mac_start = bytes.len() - 32;
        bytes[mac_start] ^= 0xFF;
        let err = unwrap(&receiver, addr(7001), &bytes).unwrap_err();
        assert!(err.to_string().contains("MAC verification failed"));
    }

    #[test]
    fn rejects_replay() {
        let key = MacKey::from_bytes([4u8; 32]);
        let sender = SwimAuth::new(key.clone(), addr(7001));
        let receiver = SwimAuth::new(key, addr(7002));
        let bytes = wrap(&sender, addr(7002), &sample_msg()).unwrap();
        unwrap(&receiver, addr(7001), &bytes).unwrap();
        let err = unwrap(&receiver, addr(7001), &bytes).unwrap_err();
        assert!(err.to_string().contains("replayed"));
    }

    #[test]
    fn rejects_wrong_cluster_key() {
        let k1 = MacKey::from_bytes([1u8; 32]);
        let k2 = MacKey::from_bytes([2u8; 32]);
        let sender = SwimAuth::new(k1, addr(7001));
        let receiver = SwimAuth::new(k2, addr(7002));
        let bytes = wrap(&sender, addr(7002), &sample_msg()).unwrap();
        let err = unwrap(&receiver, addr(7001), &bytes).unwrap_err();
        assert!(err.to_string().contains("MAC verification failed"));
    }
}