feat: edge gateway service

gateway/internal/grpcapi/signature.go

@@ -0,0 +1,80 @@
+package grpcapi
+
+import (
+	"context"
+	"errors"
+
+	"galaxy/gateway/internal/authn"
+	gatewayv1 "galaxy/gateway/proto/galaxy/gateway/v1"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// signatureVerifyingService applies client-signature verification after
+// payload integrity checks and before later auth or routing steps run.
+type signatureVerifyingService struct {
+	gatewayv1.UnimplementedEdgeGatewayServer
+
+	delegate gatewayv1.EdgeGatewayServer
+}
+
+// ExecuteCommand verifies req client signature before delegating to the
+// configured service implementation.
+func (s signatureVerifyingService) ExecuteCommand(ctx context.Context, req *gatewayv1.ExecuteCommandRequest) (*gatewayv1.ExecuteCommandResponse, error) {
+	if err := verifyRequestSignature(ctx); err != nil {
+		return nil, err
+	}
+
+	return s.delegate.ExecuteCommand(ctx, req)
+}
+
+// SubscribeEvents verifies req client signature before delegating to the
+// configured service implementation.
+func (s signatureVerifyingService) SubscribeEvents(req *gatewayv1.SubscribeEventsRequest, stream grpc.ServerStreamingServer[gatewayv1.GatewayEvent]) error {
+	if err := verifyRequestSignature(stream.Context()); err != nil {
+		return err
+	}
+
+	return s.delegate.SubscribeEvents(req, stream)
+}
+
+// newSignatureVerifyingService wraps delegate with the client-signature
+// verification gate.
+func newSignatureVerifyingService(delegate gatewayv1.EdgeGatewayServer) gatewayv1.EdgeGatewayServer {
+	return signatureVerifyingService{delegate: delegate}
+}
+
+func verifyRequestSignature(ctx context.Context) error {
+	envelope, ok := parsedEnvelopeFromContext(ctx)
+	if !ok {
+		return status.Error(codes.Internal, "authenticated request context is incomplete")
+	}
+
+	record, ok := resolvedSessionFromContext(ctx)
+	if !ok {
+		return status.Error(codes.Internal, "authenticated request context is incomplete")
+	}
+
+	err := authn.VerifyRequestSignature(record.ClientPublicKey, envelope.Signature, authn.RequestSigningFields{
+		ProtocolVersion: envelope.ProtocolVersion,
+		DeviceSessionID: envelope.DeviceSessionID,
+		MessageType:     envelope.MessageType,
+		TimestampMS:     envelope.TimestampMS,
+		RequestID:       envelope.RequestID,
+		PayloadHash:     envelope.PayloadHash,
+	})
+	switch {
+	case err == nil:
+		return nil
+	case errors.Is(err, authn.ErrInvalidClientPublicKey):
+		return status.Error(codes.Unavailable, "session cache is unavailable")
+	case errors.Is(err, authn.ErrInvalidRequestSignature):
+		return status.Error(codes.Unauthenticated, "invalid request signature")
+	default:
+		return status.Error(codes.Internal, "request signature verification failed")
+	}
+}
+
+var _ gatewayv1.EdgeGatewayServer = signatureVerifyingService{}