phase 3
+44
-20
@@ -353,9 +353,9 @@ Targeted tests:
|
||||
in both `chromium-desktop` and `webkit-desktop` projects;
|
||||
- intentional failure produces a Playwright trace artefact in CI.
|
||||
|
||||
## Phase 3. Go Core: Canonical Bytes and Keypair
|
||||
## ~~Phase 3. Go Core: Canonical Bytes and Keypair~~
|
||||
|
||||
Status: pending.
|
||||
Status: done.
|
||||
|
||||
Goal: implement the canonical-bytes serializer and Ed25519 keypair
|
||||
management in pure Go, with bit-for-bit parity to the gateway-side
|
||||
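Review bot: Completion is now recorded twice for this phase, by the strikethrough on the `## ~~Phase 3. Go Core: Canonical Bytes and Keypair~~` heading and by `Status: done.` directly below it. Unless the earlier completed phases in this file already use the strikethrough convention, keep the heading plain and let the status line be the single marker, so that searches and in-document links on the heading text keep working.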
@@ -363,41 +363,65 @@ implementation. No network, no UI.
|
||||
|
||||
Artifacts:
|
||||
|
||||
- `ui/core/go.mod` module declared in the project Go workspace
|
||||
- `ui/core/go.mod` module `galaxy/core` declared in the project Go
|
||||
workspace (`go.work` `use` and `replace` directives)
|
||||
- `.gitea/workflows/ui-test.yaml` and `.gitea/workflows/ui-release.yaml`
|
||||
extended to add `./ui/core/...` to the Tier 1 / Tier 2 `go test`
|
||||
command list introduced in Phase 2
|
||||
- `ui/core/canon/` canonical bytes for `galaxy-request-v1`,
|
||||
`galaxy-response-v1`, and `galaxy-event-v1`, matching
|
||||
`docs/ARCHITECTURE.md` §15 byte-for-byte
|
||||
`docs/ARCHITECTURE.md` §15 byte-for-byte. Server-only signers
|
||||
(`Ed25519ResponseSigner`, PKCS#8 PEM loaders) intentionally stay
|
||||
in `gateway/authn` — `ui/core` is verify-only on the server side
|
||||
- `ui/core/keypair/` Ed25519 generate, marshal, unmarshal helpers
|
||||
returning opaque blobs to upper layers
|
||||
- `ui/core/types/` envelope structs and result codes
|
||||
- `ui/core/canon/testdata/` test vectors copied from gateway-side
|
||||
canonicalisation fixtures
|
||||
over opaque `[]byte` blobs; `Generate` accepts an injected
|
||||
`io.Reader` so the WASM build can wire in `crypto.getRandomValues`
|
||||
- `ui/core/types/` full v1 transport-envelope structs with
|
||||
`SigningFields()` projection helpers; result-code and
|
||||
protocol-version constants (`ProtocolVersionV1`, `ResultCodeOK`).
|
||||
`TraceID` is part of the request envelope but deliberately
|
||||
excluded from the request signing input (matches §15)
|
||||
- `ui/core/canon/testdata/` golden JSON test vectors for the three
|
||||
Phase-3 message types plus one response and one event
|
||||
- `ui/core/README.md` documenting the public API and the
|
||||
network-free / storage-free invariant
|
||||
network-free / storage-free / no-x509 / no-PEM / no-`os` invariant
|
||||
- `gateway/authn/parity_with_ui_core_test.go` (cross-module test)
|
||||
proving canonical-bytes parity and bidirectional sign/verify
|
||||
acceptance between `gateway/authn` and `galaxy/core`. The test
|
||||
adds `require galaxy/core` to `gateway/go.mod` (test-only in
|
||||
practice — gateway production binary does not link `ui/core`)
|
||||
|
||||
Dependencies: Phase 1.
|
||||
|
||||
Acceptance criteria:
|
||||
|
||||
- canonical-bytes output matches gateway-side fixtures byte-for-byte
|
||||
for at least three message types (`user.account.read`,
|
||||
`user.lobby.list`, `user.games.command`);
|
||||
- canonical-bytes output matches gateway-side output byte-for-byte
|
||||
for the three Phase-3 message types (`user.account.get`,
|
||||
`lobby.my.games.list`, `user.games.command`);
|
||||
- a request signed by `ui/core` is accepted by the gateway's own
|
||||
verifier in a unit test;
|
||||
- a response signed by gateway test fixtures is accepted by `ui/core`'s
|
||||
verifier;
|
||||
- freshness window violations and tampered hashes are rejected with
|
||||
stable error codes.
|
||||
verifier in a unit test (`TestParityRequestSignedByUICoreAcceptedByGateway`);
|
||||
- a response signed by `gateway/authn`'s `Ed25519ResponseSigner` is
|
||||
accepted by `ui/core`'s verifier
|
||||
(`TestParityResponseSignedByGatewayAcceptedByUICore`); the same
|
||||
applies to gateway-signed events;
|
||||
- tampered `payload_hash`, mismatched `request_id`, mismatched
|
||||
`timestamp_ms`, and invalid signature length are rejected with
|
||||
stable error codes from `ui/core/canon`. Server-side freshness
|
||||
enforcement (the symmetric ±5 minutes around server time) stays
|
||||
in `gateway/internal/grpcapi/freshness_replay.go` and is not
|
||||
duplicated in `ui/core`.
|
||||
|
||||
Targeted tests:
|
||||
|
||||
- canonical-bytes equality tests on shared fixtures;
|
||||
- canonical-bytes equality tests on golden JSON fixtures
|
||||
(`testdata/`) for every envelope kind;
|
||||
- round-trip sign-then-verify across all three envelope kinds;
|
||||
- negative tests: tampered `payload_hash`, wrong `request_id`, expired
|
||||
timestamp, invalid signature length.
|
||||
- negative tests: tampered `payload_hash`, mismatched `request_id`,
|
||||
mismatched `timestamp_ms`, invalid signature lengths (too short,
|
||||
too long, empty), bit-flipped signature, wrong public key,
|
||||
malformed base64 public key;
|
||||
- `gateway/authn` cross-module parity tests as listed under
|
||||
Artifacts.
|
||||
|
||||
## Phase 4. ConnectRPC Support in Gateway
|
||||
|
||||
|
||||
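Review bot: In the acceptance criteria, the bullet "freshness window violations and tampered hashes are rejected with stable error codes" is replaced by one that leaves freshness entirely in `gateway/internal/grpcapi/freshness_replay.go`, and the negative test "expired timestamp" becomes "mismatched `timestamp_ms`", so this phase no longer says how `ui/core` treats an old but validly signed response or event. Comparing `request_id` and `timestamp_ms` against expected values is not the same as rejecting a stale message; the plan should state what bounds replay of gateway-signed events on the client side, or record that this is accepted and why. Separately, under Artifacts, "test-only in practice" for `require galaxy/core` in `gateway/go.mod` is a convention rather than something the toolchain enforces. A CI step that fails when the gateway production binary's dependency list contains `galaxy/core` would make it hold, and the same kind of check would back the no-x509 / no-PEM / no-`os` invariant claimed for `ui/core/README.md`. The note that `TraceID` is excluded from the request signing input would also benefit from one sentence saying that consumers must treat it as unauthenticated.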