feat(security): implement FW-N5, FW-N6, FW-N7 (HMAC-SHA256 protocol docs, auto-generate token, replay attack defense)
@@ -83,14 +83,10 @@ The payload shape is unchanged; the transport and trust model tighten. See
- **Auth / ACL** — username/password + per-topic ACL. `jobs/+/events` publish is
granted to the worker credential, subscribe to the Hermes credential.
- **`auth_token` (the bonus field)** — each job record carries a per-job
`auth_token` (`secrets.token_urlsafe(32)`). The publisher copies it into
**`data.auth_token`**; the subscriber compares it against the registry's
expected token and **drops mismatches**. This is an integrity check on top of
the broker ACL, useful while still on a shared/public broker.
- **HMAC Signature Verification (`data.hmac_sig`)** — to authenticate the publisher and verify message integrity without exposing the raw secret token over the wire, each job record contains a per-job `auth_token` (`secrets.token_urlsafe(32)`). The publisher computes an HMAC-SHA256 signature over the serialized payload (excluding `data.hmac_sig` itself) using the `auth_token` as the key, and appends it to **`data.hmac_sig`**. The subscriber reconstructs this signature and **drops any message that does not match or lacks a valid signature**.
```json
{ "...": "...", "data": { "auth_token": "9f3c…", "build_id": "42" } }
{ "...": "...", "data": { "hmac_sig": "d2f3...", "build_id": "42" } }
```
- **TLS** — port 8883 + private CA. Toggled with `MQTT_TLS=1` (+ `MQTT_CA_CERTS`);
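Review bot: the new `data.hmac_sig` bullet documents nothing that stops replay, although the commit title claims FW-N7 "replay attack defense": as written, the signature covers only "the serialized payload (excluding `data.hmac_sig` itself)" keyed by the per-job `auth_token`, so a captured `{ "data": { "hmac_sig": "d2f3...", "build_id": "42" } }` re-published later still verifies and is accepted. If a timestamp, nonce or sequence number is part of the signed payload and the subscriber enforces a freshness window or a per-job seen set, state that here; if not, the title overstates what this hunk delivers. Two smaller points in the same bullet: "the serialized payload" needs a stated canonical form (sorted keys, fixed separators, UTF-8) or publisher and subscriber will compute different MACs over equal messages, and the subscriber's check should be described as a constant-time comparison (`hmac.compare_digest`) rather than a plain equality. The bullet also repeats the removed text's `secrets.token_urlsafe(32)` description; a phrase saying the token now stays on the host and only the MAC travels would read cleaner.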