6aeb529f13
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 15s
CI / ui (pull_request) Successful in 53s
CI / gate (pull_request) Successful in 1s
CI / deploy (pull_request) Failing after 2m6s
Move all Telegram egress off the main host. The single connector held the bot token, long-polled Telegram and answered the gateway/backend over the trusted internal network, so the whole component (including login validation) shared fate with its VPN sidecar. Split it into two binaries that share the token: - cmd/validator (home, no VPN): Mini App initData + Login Widget HMAC only, never calls the Bot API. The gateway dials it for Telegram auth, so game login is now independent of Telegram reachability. - cmd/bot (remote): Bot API long-poll + sendMessage, the only component reaching Telegram. It holds no inbound port — it dials the gateway over a new reverse mTLS bot-link (pkg/proto/botlink/v1) and executes the send commands the gateway pushes. The gateway funnels sends to the bot-link: out-of-app push is fire-and-forget (at-most-once, dropped if no bot is connected); the backend admin broadcasts reach a gateway-served relay that forwards them and awaits the bot's ack (SendToUser/SendToGameChannel contract preserved). mTLS (pkg/mtls) is the one inter-service link that leaves the trusted segment; validator<->gateway and the relay stay plaintext internal. The bot is Telegram-rate-limited. One bot now; the gateway bot registry, an owns_updates flag and per-command ids leave seams for N later. Webhook rejected (one URL per token, adds inbound + a static address). The unified test contour runs the split (the bot keeps its VPN sidecar and dials the gateway by its internal name; bot-link certs from deploy/gen-certs.sh, generated in CI). The prod wiring — the bot on a separate host (no VPN), the gateway bot-link port published, PROD_ certs with scheduled rotation, an SSH deploy of both hosts together — is the deferred final stage (PRERELEASE.md TX, Stage 18). Docs: ARCHITECTURE, PRERELEASE (phase TX), platform/telegram + gateway + backend + deploy READMEs, FUNCTIONAL(+ru), CLAUDE.md, .env.example.
69 lines
2.3 KiB
Go
69 lines
2.3 KiB
Go
// Package mtls builds mutual-TLS configurations for the one inter-service link
|
|
// that crosses an untrusted network: the reverse bot-link between a remote
|
|
// Telegram bot and the gateway (pkg/proto/botlink/v1). Both peers present a
|
|
// certificate signed by a shared private CA and verify the other against it, so the
|
|
// gateway accepts only our bot and the bot trusts only our gateway. Every other
|
|
// inter-service hop stays on the trusted internal network and uses plaintext
|
|
// (docs/ARCHITECTURE.md §12).
|
|
package mtls
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"os"
|
|
)
|
|
|
|
// ServerConfig builds a TLS config for the gateway's bot-link listener. It loads
|
|
// the server certificate from certFile/keyFile, trusts client certificates signed
|
|
// by the CA in caFile, and requires every client to present a valid one.
|
|
func ServerConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
|
|
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("mtls: load server keypair: %w", err)
|
|
}
|
|
pool, err := loadCAPool(caFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &tls.Config{
|
|
Certificates: []tls.Certificate{cert},
|
|
ClientCAs: pool,
|
|
ClientAuth: tls.RequireAndVerifyClientCert,
|
|
MinVersion: tls.VersionTLS13,
|
|
}, nil
|
|
}
|
|
|
|
// ClientConfig builds a TLS config for the bot dialing the gateway. It presents the
|
|
// client certificate from certFile/keyFile, verifies the gateway's certificate
|
|
// against the CA in caFile, and pins the expected serverName.
|
|
func ClientConfig(certFile, keyFile, caFile, serverName string) (*tls.Config, error) {
|
|
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("mtls: load client keypair: %w", err)
|
|
}
|
|
pool, err := loadCAPool(caFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &tls.Config{
|
|
Certificates: []tls.Certificate{cert},
|
|
RootCAs: pool,
|
|
ServerName: serverName,
|
|
MinVersion: tls.VersionTLS13,
|
|
}, nil
|
|
}
|
|
|
|
// loadCAPool reads a PEM bundle and returns a certificate pool trusting it.
|
|
func loadCAPool(caFile string) (*x509.CertPool, error) {
|
|
pem, err := os.ReadFile(caFile)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("mtls: read CA %s: %w", caFile, err)
|
|
}
|
|
pool := x509.NewCertPool()
|
|
if !pool.AppendCertsFromPEM(pem) {
|
|
return nil, fmt.Errorf("mtls: CA %s contains no certificates", caFile)
|
|
}
|
|
return pool, nil
|
|
}
|