Skip to content

fix(eventstream): gate subscription on TrustChecker (PILOT-251)#24

Closed
matthew-pilot wants to merge 1 commit into
mainfrom
openclaw/pilot-251-20260712-235633
Closed

fix(eventstream): gate subscription on TrustChecker (PILOT-251)#24
matthew-pilot wants to merge 1 commit into
mainfrom
openclaw/pilot-251-20260712-235633

Conversation

@matthew-pilot

Copy link
Copy Markdown
Collaborator

What failed

Previously, any peer that completed L6 key exchange could subscribe to any eventstream topic by simply connecting and sending a subscribe event. There was no auth gate — handleConn at service.go:236-244 would add the subscriber to the requested topic without checking whether the peer was allowed to read that topic.

A malicious peer could subscribe to any topic to learn who publishes on it and, for non-encrypted topics, read the event content.

Why this fix

When the trustedagents plugin is registered (deps.Trust != nil), handleConn now checks sub.conn.RemoteAddr().Node against the trust allowlist before adding the subscriber. Untrusted peers are rejected with a WARN log.

When trustedagents is not loaded (deps.Trust == nil — e.g., operator did not configure trusted agents), the fallback is the previous behavior: allow all. This ensures backward compatibility for existing deployments that do not use the trust gate.

Verification

  • go build ./...
  • go vet ./...
  • go test ./... -count=1 ✅ (0.22s, all tests pass)
  • New tests: TestBroker_HandleConn_TrustGateRejectsUntrusted, TestBroker_HandleConn_TrustGateAcceptsTrusted

Scope

4 files, +156/-19 — medium tier.

Closes https://vulturelabs.atlassian.net/browse/PILOT-251

Add an auth gate in handleConn: when the trustedagents plugin is
registered (deps.Trust != nil), reject subscription attempts from
peers whose node ID is NOT on the trusted-agents allowlist.

When trustedagents is NOT loaded (deps.Trust == nil), fall back to
the previous behavior (allow all) for backward compatibility.

Changes:
- service.go: broker stores optional TrustChecker, handleConn checks
  sub.conn.RemoteAddr().Node against trust.IsTrusted before addSub
- zz_added_coverage_test.go: +2 tests (reject untrusted, accept trusted)
- zz_more_test.go, zz_resilience_test.go: update newBroker call sites

Closes PILOT-251
@codecov

codecov Bot commented Jul 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@matthew-pilot

Copy link
Copy Markdown
Collaborator Author

Closing — superseded by #29 which uses the cleaner TopicPolicy interface approach. #29 has all checks green and is ready for review/merge.

@matthew-pilot
matthew-pilot deleted the openclaw/pilot-251-20260712-235633 branch July 13, 2026 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant