anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(swarm): require admin JWT on all swarm operator endpoints

Browse Source 
Gate all 8 swarm-controller operator routes (enroll, list/get/decommission
hosts, deploy, teardown, check, list deckies) with the centralized
require_admin RBAC dependency alongside require_operator_cert; mTLS becomes
defense-in-depth instead of the only gate. /heartbeat stays cert-fingerprint
pinned (worker-facing) and /swarm/health stays open (liveness only).

CLI swarm commands now send Authorization: Bearer $DECNET_API_TOKEN with a
401/403 hint covering the must_change_password bootstrap flow.

Bump pyjwt to 2.13.0 and pip to 26.1.2 (pip-audit PYSEC-2026-175/177/178/179,
PYSEC-2026-196); authz suite re-verified on the new pyjwt.

Closes ASVS_L2_AUDIT.md V4.1.1a and V4.1.1b (CRITICAL).
This commit is contained in:
anti
2026-06-09 17:08:10 -04:00
parent ae16c4437b
commit 8d18c59201
14 changed files with 350 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
decnet/web/router/swarm/api_enroll_host.py
View File

@@ -6,10 +6,15 @@ generates a fresh worker keypair + CA-signed cert, and returns the full
bundle to the operator. Bundle delivery to the worker (scp/sshpass/etc.)
is outside this process's trust boundary.
Authorization: this mints a CA-signed identity (and its private key), so it
is gated by :func:`require_operator_cert` — an operator-CN client cert when
the controller runs mTLS, or a local request when it is loopback-bound.
A worker's own cert cannot enroll further hosts.
Authorization (defense-in-depth, both must pass):
* :func:`require_admin` — an admin-role JWT. This is the primary
application-layer gate: enrollment is operator-driven (admin UI / CLI),
so the caller always carries operator credentials. A worker agent has no
JWT and therefore cannot enroll further hosts.
* :func:`require_operator_cert` — the transport gate: an operator-CN client
cert when the controller runs mTLS, or a loopback request on the shipping
single-host default.
"""
from __future__ import annotations
@@ -21,7 +26,7 @@ from fastapi import APIRouter, Depends, HTTPException, status
from decnet.swarm import pki
from decnet.web.db.repository import BaseRepository
from decnet.web.dependencies import get_repo
from decnet.web.dependencies import get_repo, require_admin
from decnet.web.router.swarm._mtls import PeerCert, require_operator_cert
from decnet.web.db.models import SwarmEnrolledBundle, SwarmEnrollRequest, SwarmUpdaterBundle
@@ -35,6 +40,8 @@ router = APIRouter()
tags=["Swarm Hosts"],
responses={
400: {"description": "Bad Request (malformed JSON body)"},
401: {"description": "Missing or invalid admin JWT"},
403: {"description": "Authenticated user is not an admin, or operator cert missing"},
409: {"description": "A worker with this name is already enrolled"},
422: {"description": "Request body validation error"},
},
@@ -42,6 +49,7 @@ router = APIRouter()
async def api_enroll_host(
req: SwarmEnrollRequest,
repo: BaseRepository = Depends(get_repo),
_admin: dict = Depends(require_admin),
_operator: PeerCert = Depends(require_operator_cert),
) -> SwarmEnrolledBundle:
existing = await repo.get_swarm_host_by_name(req.name)