@ripla/godd-mcp 1.0.3 → 1.0.4-canary.10

package/notes-api/app/config.py

@@ -2,13 +2,22 @@
 
 from __future__ import annotations
 
+import json
 import logging
 import re
+from typing import Annotated
 from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
 
-from pydantic import AliasChoices, Field, model_validator
+from pydantic import AliasChoices, BeforeValidator, Field, model_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
+
+def _empty_str_to_none(v: object) -> object:
+    """Convert empty string to None for optional int fields from env vars."""
+    if v == "":
+        return None
+    return v
+
 _logger = logging.getLogger(__name__)
 
 
@@ -72,9 +81,9 @@ class Settings(BaseSettings):
     github_branch: str = "main"
     github_bot_name: str = "godd-notes-bot"
     github_bot_email: str = "notes-bot@ripla.co.jp"
-    github_app_id: int | None = None
+    github_app_id: Annotated[int | None, BeforeValidator(_empty_str_to_none)] = None
     github_app_private_key: str | None = None
-    github_app_installation_id: int | None = None
+    github_app_installation_id: Annotated[int | None, BeforeValidator(_empty_str_to_none)] = None
     docs_path: str = "docs"
 
     # Trusted proxies (comma-separated CIDRs/IPs that may set X-Forwarded-For)
@@ -84,6 +93,13 @@ class Settings(BaseSettings):
     notes_admin_username: str = "admin"
     notes_admin_password: str = "admin123"
 
+    # IAM principal login (REQ-741)
+    notes_iam_login_enabled: bool = False
+    # JSON string: { "<principalArn>": "<notesUsername>" }
+    notes_iam_principal_user_map: str | None = None
+    # Comma-separated additional allowlist of principal ARNs
+    notes_iam_admin_principal_arns: str | None = None
+
     # Testing (skip DB seed when True)
     testing: bool = False
 
@@ -134,6 +150,31 @@ class Settings(BaseSettings):
         first_origin = self.allowed_origins.split(",")[0].strip()
         return first_origin.startswith("https://")
 
+    @property
+    def iam_principal_user_map(self) -> dict[str, str]:
+        """Parse NOTES_IAM_PRINCIPAL_USER_MAP JSON into a dict."""
+        if not self.notes_iam_principal_user_map:
+            return {}
+        try:
+            data = json.loads(self.notes_iam_principal_user_map)
+            if isinstance(data, dict):
+                return {str(k): str(v) for k, v in data.items()}
+        except (json.JSONDecodeError, ValueError):
+            _logger.warning(
+                "NOTES_IAM_PRINCIPAL_USER_MAP is not valid JSON "
+                "— IAM login will reject all principals"
+            )
+        return {}
+
+    @property
+    def iam_admin_principal_arns(self) -> frozenset[str]:
+        """Parse NOTES_IAM_ADMIN_PRINCIPAL_ARNS into a frozenset of ARN strings."""
+        if not self.notes_iam_admin_principal_arns:
+            return frozenset()
+        return frozenset(
+            a.strip() for a in self.notes_iam_admin_principal_arns.split(",") if a.strip()
+        )
+
     @property
     def trusted_proxy_set(self) -> frozenset[str]:
         """Parse TRUSTED_PROXIES into a set of IP addresses."""
@@ -168,6 +209,10 @@ class Settings(BaseSettings):
             warnings.append("DB_PASSWORD is using the default dev value")
         if self.allowed_origins == "*":
             warnings.append("ALLOWED_ORIGINS is set to '*' (all origins)")
+        if self.notes_iam_login_enabled and not self.notes_iam_principal_user_map:
+            warnings.append(
+                "NOTES_IAM_LOGIN_ENABLED=true but NOTES_IAM_PRINCIPAL_USER_MAP is not set"
+            )
         for w in warnings:
             _logger.warning("SECURITY: %s — override via environment variable for production", w)
         return self

package/notes-api/app/routers/auth.py

@@ -1,4 +1,4 @@
-"""Auth router: login, refresh, logout, me, change-password."""
+"""Auth router: login, refresh, logout, me, change-password, IAM login."""
 
 import uuid
 from datetime import UTC, datetime, timedelta
@@ -11,7 +11,14 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from app.config import settings
 from app.database import get_db
 from app.models import NotesSetting, NotesUser
-from app.schemas.auth import ChangePasswordRequest, LoginRequest, TokenResponse, UserInfo
+from app.schemas.auth import (
+    ChangePasswordRequest,
+    IamChallengeResponse,
+    IamLoginRequest,
+    LoginRequest,
+    TokenResponse,
+    UserInfo,
+)
 from app.security import (
     auth_dependency,
     create_access_token,
@@ -22,6 +29,15 @@ from app.security import (
     verify_password,
 )
 from app.services.audit import audit_log
+from app.services.iam_auth import (
+    IAM_CHALLENGE_TTL_SECONDS,
+    consume_nonce,
+    generate_nonce,
+    is_nonce_signed,
+    normalize_principal,
+    store_nonce,
+    verify_sts_identity,
+)
 
 router = APIRouter(prefix="/api/auth", tags=["auth"])
 
@@ -257,3 +273,165 @@ async def issue_ws_ticket(
     """Issue a short-lived one-time ticket for WebSocket authentication."""
     ticket = create_ws_ticket(payload)
     return {"ticket": ticket}
+
+
+@router.post("/iam/challenge", response_model=IamChallengeResponse)
+async def iam_challenge():
+    """Issue a one-time nonce for an IAM login attempt.
+
+    The caller must include this nonce as the ``X-Godd-Nonce`` header
+    in the SigV4-signed STS ``GetCallerIdentity`` request sent to
+    ``/api/auth/iam-login``.
+
+    Returns 404 when ``NOTES_IAM_LOGIN_ENABLED`` is not ``true``.
+    """
+    if not settings.notes_iam_login_enabled:
+        raise HTTPException(status_code=404, detail="IAM login is not enabled")
+    nonce = generate_nonce()
+    store_nonce(nonce)
+    return IamChallengeResponse(nonce=nonce, expires_in=IAM_CHALLENGE_TTL_SECONDS)
+
+
+@router.post("/iam-login", response_model=TokenResponse)
+async def iam_login(
+    request: Request,
+    body: IamLoginRequest,
+    db: AsyncSession = Depends(get_db),
+):
+    """Verify a SigV4-signed STS GetCallerIdentity request and issue a Notes JWT.
+
+    Flow:
+    1. Validate and consume the nonce (TTL + 1-time).
+    2. Confirm the nonce header is covered by the SigV4 signature.
+    3. Forward the signed request to AWS STS; parse the caller ARN.
+    4. Normalize the ARN (assumed-role → IAM role).
+    5. Verify the principal is in NOTES_IAM_PRINCIPAL_USER_MAP
+       and optionally in NOTES_IAM_ADMIN_PRINCIPAL_ARNS.
+    6. Look up the corresponding Notes user; check lockout.
+    7. Issue JWT access token + refresh cookie (same as password login).
+
+    Returns 404 when ``NOTES_IAM_LOGIN_ENABLED`` is not ``true``.
+    """
+    if not settings.notes_iam_login_enabled:
+        raise HTTPException(status_code=404, detail="IAM login is not enabled")
+
+    ip = _resolve_client_ip(request)
+    headers_lower = {k.lower(): v for k, v in body.signed_headers.items()}
+
+    # --- Step 1: consume nonce (TTL + 1-time) ---
+    nonce = headers_lower.get("x-godd-nonce")
+    if not nonce:
+        await audit_log(
+            db, None, "login_failed", ip,
+            {"auth_method": "iam", "reason": "missing_nonce"},
+        )
+        raise HTTPException(status_code=401, detail="Invalid IAM login challenge")
+
+    if not consume_nonce(nonce):
+        await audit_log(
+            db, None, "login_failed", ip,
+            {"auth_method": "iam", "reason": "invalid_nonce"},
+        )
+        raise HTTPException(status_code=401, detail="Invalid IAM login challenge")
+
+    # --- Step 2: verify nonce is in the SigV4 SignedHeaders ---
+    auth_header = headers_lower.get("authorization", "")
+    if not is_nonce_signed(auth_header):
+        await audit_log(
+            db, None, "login_failed", ip,
+            {"auth_method": "iam", "reason": "nonce_not_signed"},
+        )
+        raise HTTPException(status_code=401, detail="Invalid IAM login challenge")
+
+    # --- Step 3: forward to AWS STS ---
+    try:
+        caller_arn = await verify_sts_identity(body.signed_headers, body.region, body.signed_body)
+    except ValueError as exc:
+        await audit_log(
+            db, None, "login_failed", ip,
+            {"auth_method": "iam", "reason": "sts_verification_failed"},
+        )
+        raise HTTPException(status_code=401, detail="Invalid IAM credentials") from exc
+
+    # --- Step 4: normalize principal ARN ---
+    principal_arn = normalize_principal(caller_arn)
+
+    # --- Step 5a: PRINCIPAL_USER_MAP check ---
+    username = settings.iam_principal_user_map.get(principal_arn)
+    if not username:
+        await audit_log(
+            db, None, "login_failed", ip,
+            {"auth_method": "iam", "reason": "principal_not_allowed",
+             "principal_arn": principal_arn},
+        )
+        raise HTTPException(status_code=403, detail="IAM principal is not allowed")
+
+    # --- Step 5b: optional ADMIN_PRINCIPAL_ARNS allowlist check ---
+    admin_arns = settings.iam_admin_principal_arns
+    if admin_arns and principal_arn not in admin_arns:
+        await audit_log(
+            db, None, "login_failed", ip,
+            {"auth_method": "iam", "reason": "principal_not_in_allowlist",
+             "principal_arn": principal_arn},
+        )
+        raise HTTPException(status_code=403, detail="IAM principal is not allowed")
+
+    # --- Step 6: look up Notes user and check lockout ---
+    result = await db.execute(select(NotesUser).where(NotesUser.username == username))
+    user = result.scalar_one_or_none()
+    if user is None:
+        await audit_log(
+            db, None, "login_failed", ip,
+            {"auth_method": "iam", "reason": "user_not_found", "principal_arn": principal_arn},
+        )
+        raise HTTPException(status_code=403, detail="IAM principal is not allowed")
+
+    if user.locked_until and user.locked_until > datetime.now(UTC):
+        remaining = int((user.locked_until - datetime.now(UTC)).total_seconds() / 60)
+        await audit_log(
+            db, user.id, "login_failed", ip,
+            {"auth_method": "iam", "reason": "account_locked"},
+        )
+        raise HTTPException(
+            status_code=423,
+            detail=f"Account locked. Try again in {remaining} minutes.",
+        )
+
+    # --- Step 7: issue JWT + refresh cookie ---
+    access_token = create_access_token(str(user.id), user.username, user.display_name, user.role)
+    refresh_token = str(uuid.uuid4())
+    user.refresh_token = hash_refresh_token(refresh_token)
+    user.failed_login_attempts = 0
+    user.locked_until = None
+    await db.flush()
+
+    await audit_log(
+        db, user.id, "login", ip,
+        {"auth_method": "iam", "principal_arn": principal_arn},
+    )
+
+    expires_at = datetime.fromtimestamp(
+        datetime.now(UTC).timestamp() + settings.jwt_access_expires_min * 60,
+        tz=UTC,
+    ).isoformat()
+    data = TokenResponse(
+        access_token=access_token,
+        user=UserInfo(
+            id=str(user.id),
+            username=user.username,
+            display_name=user.display_name,
+            role=user.role,
+        ),
+        expires_at=expires_at,
+    )
+    response = JSONResponse(content=data.model_dump(by_alias=True))
+    response.set_cookie(
+        key="refresh_token",
+        value=refresh_token,
+        httponly=True,
+        secure=settings.is_cookie_secure,
+        samesite="strict",
+        path="/api/auth",
+        max_age=settings.jwt_refresh_expires_days * 86400,
+    )
+    return response

package/notes-api/app/routers/issues.py

@@ -13,6 +13,7 @@ from app.security import auth_dependency, require_role
 from app.services.github import get_github_config
 from app.services.github_issues import (
     create_issue,
+    create_label,
     get_issue,
     list_issue_labels,
     list_issues,
@@ -25,6 +26,17 @@ router = APIRouter(prefix="/api/issues", tags=["issues"])
 
 MAX_TITLE_LENGTH = 256
 MAX_BODY_LENGTH = 65_536
+MAX_LABEL_NAME_LENGTH = 50
+MAX_LABEL_DESCRIPTION_LENGTH = 200
+_HEX_COLOR_RE = r"^[0-9a-fA-F]{6}$"
+
+
+class LabelCreateBody(BaseModel):
+    """Label creation request."""
+
+    name: str = Field(..., min_length=1, max_length=MAX_LABEL_NAME_LENGTH)
+    color: str = Field(..., pattern=_HEX_COLOR_RE)
+    description: str = Field(default="", max_length=MAX_LABEL_DESCRIPTION_LENGTH)
 
 
 class IssueCreateBody(BaseModel):
@@ -96,6 +108,39 @@ async def list_labels_endpoint(
         raise HTTPException(status_code=500, detail="Internal server error") from None
 
 
+@router.post("/labels", status_code=201)
+async def create_label_endpoint(
+    body: LabelCreateBody,
+    _payload: dict = Depends(auth_dependency),
+    __: dict = Depends(require_role("admin", "editor")),
+):
+    """Create a new label in the repository."""
+    if settings.is_mock_mode():
+        raise HTTPException(status_code=400, detail="Mock mode: label creation disabled")
+    try:
+        config = get_github_config()
+        return await create_label(
+            config,
+            name=body.name,
+            color=body.color,
+            description=body.description,
+        )
+    except httpx.HTTPStatusError as e:
+        if e.response.status_code in (401, 403):
+            raise HTTPException(
+                status_code=e.response.status_code,
+                detail="GitHub token is invalid or expired",
+            ) from None
+        if e.response.status_code == 422:
+            raise HTTPException(
+                status_code=422, detail="Label name already exists or invalid data",
+            ) from None
+        raise HTTPException(status_code=502, detail="GitHub API error") from e
+    except Exception:
+        logger.exception("Failed to create label")
+        raise HTTPException(status_code=500, detail="Internal server error") from None
+
+
 @router.get("/{number}")
 async def get_issue_endpoint(
     number: int,

package/notes-api/app/schemas/auth.py

@@ -1,7 +1,7 @@
 """Auth-related Pydantic schemas."""
 
 
-from pydantic import BaseModel, Field
+from pydantic import BaseModel, Field, field_validator
 
 
 class LoginRequest(BaseModel):
@@ -41,4 +41,36 @@ class ChangePasswordRequest(BaseModel):
     model_config = {"populate_by_name": True}
 
 
+class IamChallengeResponse(BaseModel):
+    """Response from IAM login challenge endpoint."""
+
+    nonce: str
+    expires_in: int = 300
+
+
+class IamLoginRequest(BaseModel):
+    """IAM login request: SigV4-signed STS GetCallerIdentity headers."""
+
+    region: str = Field(default="us-east-1", min_length=1, max_length=50)
+    # SigV4-signed headers for STS GetCallerIdentity.
+    # Must include: Authorization, X-Amz-Date, X-Godd-Nonce, Content-Type, Host.
+    # X-Amz-Security-Token is required for temporary credentials.
+    signed_headers: dict[str, str] = Field(..., alias="signedHeaders")
+    # Standard STS GetCallerIdentity request body.
+    signed_body: str = Field(
+        default="Action=GetCallerIdentity&Version=2011-06-15",
+        alias="signedBody",
+    )
+
+    model_config = {"populate_by_name": True}
+
+    @field_validator("region")
+    @classmethod
+    def validate_region(cls, v: str) -> str:
+        import re  # noqa: PLC0415
+        if not re.match(r"^[a-z]{2}-[a-z]+-\d+$", v):
+            raise ValueError("Invalid AWS region format")
+        return v
+
+
 TokenResponse.model_rebuild()

package/notes-api/app/services/github_issues.py

@@ -117,6 +117,30 @@ async def update_issue(
     return _format_issue_detail(resp.json())
 
 
+async def create_label(
+    config: dict,
+    *,
+    name: str,
+    color: str,
+    description: str = "",
+) -> dict:
+    """Create a new label in the repository."""
+    client = await get_github_client()
+    token = await resolve_token(config)
+    resp = await client.post(
+        f"{_repo_url(config)}/labels",
+        headers=_auth_headers(token),
+        json={"name": name, "color": color.lstrip("#"), "description": description},
+    )
+    resp.raise_for_status()
+    data = resp.json()
+    return {
+        "name": data["name"],
+        "color": data.get("color", ""),
+        "description": data.get("description", ""),
+    }
+
+
 async def list_issue_labels(config: dict) -> list[dict]:
     """List all labels for the repository (auto-paginates via Link header)."""
     token = await resolve_token(config)

package/notes-api/app/services/iam_auth.py

@@ -0,0 +1,120 @@
+"""IAM principal auth service: nonce management and STS identity verification.
+
+Security design (REQ-741):
+- Nonce is cryptographically random (256-bit entropy), short-lived (5 min), 1-time use.
+- Client includes nonce as `X-Godd-Nonce` in the SigV4-signed STS GetCallerIdentity request.
+- Notes API verifies the nonce header is covered by the SigV4 signature before forwarding.
+- Notes API forwards the signed request to AWS STS; only AWS validates the signature.
+- AWS Secret Access Key / session token is never stored or logged by Notes API.
+"""
+
+from __future__ import annotations
+
+import re
+import secrets
+import xml.etree.ElementTree as ET
+from datetime import UTC, datetime, timedelta
+
+import httpx
+
+IAM_CHALLENGE_TTL_SECONDS: int = 300  # 5 minutes
+NONCE_HEADER_NAME: str = "x-godd-nonce"
+_STS_TIMEOUT = httpx.Timeout(10.0, connect=5.0)
+
+# In-memory nonce store: nonce → expiry timestamp.
+# Single-process assumption: each container handles its own challenges.
+_nonce_store: dict[str, datetime] = {}
+
+
+def generate_nonce() -> str:
+    """Generate a cryptographically random URL-safe nonce (~256-bit entropy)."""
+    return secrets.token_urlsafe(32)
+
+
+def store_nonce(nonce: str) -> None:
+    """Persist nonce with TTL and purge already-expired entries."""
+    now = datetime.now(UTC)
+    expired_keys = [k for k, exp in _nonce_store.items() if exp <= now]
+    for k in expired_keys:
+        del _nonce_store[k]
+    _nonce_store[nonce] = now + timedelta(seconds=IAM_CHALLENGE_TTL_SECONDS)
+
+
+def consume_nonce(nonce: str) -> bool:
+    """Atomically verify and remove nonce (1-time use).
+
+    Returns True only when the nonce exists and has not yet expired.
+    """
+    expires_at = _nonce_store.pop(nonce, None)
+    if expires_at is None:
+        return False
+    return datetime.now(UTC) < expires_at
+
+
+def is_nonce_signed(authorization_header: str) -> bool:
+    """Return True when the SigV4 Authorization header lists x-godd-nonce in SignedHeaders."""
+    m = re.search(r"SignedHeaders=([^,\s]+)", authorization_header, re.IGNORECASE)
+    if not m:
+        return False
+    signed = m.group(1).lower().split(";")
+    return NONCE_HEADER_NAME in signed
+
+
+def normalize_principal(arn: str) -> str:
+    """Normalize an STS assumed-role ARN to the corresponding IAM role ARN.
+
+    arn:aws:sts::<account>:assumed-role/<role>/<session>
+      → arn:aws:iam::<account>:role/<role>
+
+    IAM user ARNs and other formats are returned unchanged.
+    """
+    m = re.match(r"^arn:aws:sts::(\d+):assumed-role/([^/]+)/", arn)
+    if m:
+        account, role = m.group(1), m.group(2)
+        return f"arn:aws:iam::{account}:role/{role}"
+    return arn
+
+
+async def verify_sts_identity(
+    signed_headers: dict[str, str],
+    region: str,
+    signed_body: str,
+) -> str:
+    """Forward a SigV4-signed STS GetCallerIdentity request and return the caller ARN.
+
+    Raises ValueError with a short reason string on any failure.
+    AWS credentials (key, secret, token) are never inspected or stored by this function.
+    """
+    sts_url = f"https://sts.{region}.amazonaws.com/"
+    try:
+        async with httpx.AsyncClient(timeout=_STS_TIMEOUT) as client:
+            resp = await client.post(
+                sts_url,
+                headers=signed_headers,
+                content=signed_body.encode(),
+            )
+    except httpx.HTTPError as exc:
+        raise ValueError("sts_network_error") from exc
+
+    if resp.status_code != 200:
+        raise ValueError("sts_verification_failed")
+
+    return _parse_sts_arn(resp.text)
+
+
+def _parse_sts_arn(xml_text: str) -> str:
+    """Extract the caller ARN from an STS GetCallerIdentity XML response."""
+    try:
+        root = ET.fromstring(xml_text)
+        # AWS STS response uses this namespace
+        ns = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}
+        arn_el = root.find(".//sts:Arn", ns)
+        if arn_el is not None and arn_el.text:
+            return arn_el.text
+        # Fallback: no namespace (unit-test stubs)
+        arn_el = root.find(".//Arn")
+        if arn_el is not None and arn_el.text:
+            return arn_el.text
+    except ET.ParseError as exc:
+        raise ValueError("sts_parse_failed") from exc
+    raise ValueError("sts_parse_failed")