Merge pull request #179 from jamals86/feature/vector-search

Add trusted-proxy support; Docker & CI updates

Author: jamals86

.github/workflows/release.yml

@@ -1319,19 +1319,19 @@ jobs:
           tags: |
             ${{ steps.vars.outputs.docker_repo }}:${{ needs.read_version.outputs.version }}-amd64
 
-      - name: Test Docker image (linux/amd64)
-        continue-on-error: true
+      - name: Test Docker startup (linux/amd64)
         shell: bash
         run: |
           set -euo pipefail
           export KALAMDB_JWT_SECRET="$(openssl rand -base64 32)"
+          export DOCKER_PLATFORM="linux/amd64"
           
           # Pull the just-built image
           docker pull ${{ steps.vars.outputs.docker_repo }}:${{ needs.read_version.outputs.version }}-amd64
           
-          # Run smoke test
-          chmod +x docker/build/test-docker-image.sh
-          ./docker/build/test-docker-image.sh ${{ steps.vars.outputs.docker_repo }}:${{ needs.read_version.outputs.version }}-amd64
+          # Require at least a clean startup before publishing multi-arch tags
+          chmod +x docker/build/test-docker-startup.sh
+          ./docker/build/test-docker-startup.sh ${{ steps.vars.outputs.docker_repo }}:${{ needs.read_version.outputs.version }}-amd64
 
       - name: Build and push Docker image (linux/arm64)
         uses: docker/build-push-action@v6
@@ -1380,6 +1380,14 @@ jobs:
 
           echo "✅ Multi-arch manifest created for ${REPO}:${VERSION}, ${REPO}:${VERSION_COMMIT_TAG}, and ${REPO}:latest"
 
+      - name: Update Docker Hub repository README
+        uses: peter-evans/dockerhub-description@v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          repository: ${{ steps.vars.outputs.docker_repo }}
+          readme-filepath: ./docker/REPO-README.md
+
   # ═══════════════════════════════════════════════════════════════════════════
   # INTEGRATION TESTS - Smoke + TypeScript SDK + Dart SDK against Docker image
   # ═══════════════════════════════════════════════════════════════════════════

Cargo.lock

@@ -178,6 +178,7 @@ sha2 = "0.10"
 storekey = "0.11"
 moka = { version = "0.12.13", features = ["future", "sync"] }
 ntest = "0.9.5"
+ipnet = "2.11.0"
 wasm-bindgen = { version = "0.2.114" }
 wasm-bindgen-futures = { version = "0.4.64" }
 js-sys = { version = "0.3.91" }

Cargo.toml

@@ -51,6 +51,7 @@ tracing = { workspace = true }
 
 # Async runtime
 tokio = { workspace = true }
+ipnet = { workspace = true }
 
 # Time handling
 chrono = { workspace = true }

backend/crates/kalamdb-auth/Cargo.toml

@@ -3,9 +3,16 @@
 //! This module provides secure extraction of client IP addresses from HTTP requests,
 //! with protection against header spoofing attacks that attempt to bypass localhost checks.
 
+use actix_web::http::header::{HeaderMap, HeaderValue};
 use actix_web::HttpRequest;
+use ipnet::IpNet;
 use kalamdb_commons::models::ConnectionInfo;
 use log::warn;
+use once_cell::sync::Lazy;
+use std::net::IpAddr;
+use std::sync::RwLock;
+
+static TRUSTED_PROXY_RANGES: Lazy<RwLock<Vec<IpNet>>> = Lazy::new(|| RwLock::new(Vec::new()));
 
 /// Extract client IP address with security checks against header spoofing
 ///
@@ -34,36 +41,80 @@ use log::warn;
 ///     println!("Client IP: {:?}", client_ip);
 /// }
 /// ```
+pub fn init_trusted_proxy_ranges(entries: &[String]) -> anyhow::Result<()> {
+    let parsed = kalamdb_configs::parse_trusted_proxy_entries(entries)?;
+    *TRUSTED_PROXY_RANGES
+        .write()
+        .expect("trusted proxy ranges lock poisoned") = parsed;
+    Ok(())
+}
+
+pub fn extract_client_ip_addr_secure(peer_addr: Option<IpAddr>, headers: &HeaderMap) -> Option<IpAddr> {
+    let trusted_proxy_ranges = TRUSTED_PROXY_RANGES
+        .read()
+        .expect("trusted proxy ranges lock poisoned");
+    extract_client_ip_addr_with_trusted_ranges(peer_addr, headers, &trusted_proxy_ranges)
+}
+
 pub fn extract_client_ip_secure(req: &HttpRequest) -> ConnectionInfo {
-    let peer_addr = req.peer_addr().map(|addr| addr.ip());
-
-    // Trust X-Forwarded-For only when the direct peer is loopback (trusted local reverse proxy).
-    if peer_addr.is_some_and(|ip| ip.is_loopback()) {
-        if let Some(forwarded_for) = req.headers().get("X-Forwarded-For") {
-            if let Ok(header_value) = forwarded_for.to_str() {
-                // Take first IP in comma-separated list (original client)
-                let first_ip = header_value.split(',').next().unwrap_or("").trim();
-
-                // Security check: Reject localhost values in X-Forwarded-For
-                // This prevents bypass attempts like: X-Forwarded-For: 127.0.0.1
-                if is_localhost_address(first_ip) {
-                    warn!(
-                        "Security: Rejected localhost value in trusted X-Forwarded-For header: '{}'. Using peer_addr instead.",
-                        first_ip
-                    );
-                } else if !first_ip.is_empty() {
-                    return ConnectionInfo::new(Some(first_ip.to_string()));
-                }
-            }
+    extract_client_ip_addr_secure(req.peer_addr().map(|addr| addr.ip()), req.headers())
+        .map(|ip| ConnectionInfo::new(Some(ip.to_string())))
+        .unwrap_or_else(|| ConnectionInfo::new(None))
+}
+
+fn extract_client_ip_addr_with_trusted_ranges(
+    peer_addr: Option<IpAddr>,
+    headers: &HeaderMap,
+    trusted_proxy_ranges: &[IpNet],
+) -> Option<IpAddr> {
+    if peer_addr.is_some_and(|ip| is_trusted_proxy_peer(ip, trusted_proxy_ranges)) {
+        if let Some(ip) = extract_proxy_header_ip(headers.get("X-Forwarded-For"), true, "X-Forwarded-For") {
+            return Some(ip);
+        }
+
+        if let Some(ip) = extract_proxy_header_ip(headers.get("X-Real-IP"), false, "X-Real-IP") {
+            return Some(ip);
         }
-    } else if req.headers().contains_key("X-Forwarded-For") {
-        warn!("Security: Ignoring X-Forwarded-For from non-loopback peer {:?}", peer_addr);
+    } else if headers.contains_key("X-Forwarded-For") || headers.contains_key("X-Real-IP") {
+        warn!(
+            "Security: Ignoring proxy headers from untrusted peer {:?}",
+            peer_addr
+        );
     }
 
-    // Fallback to peer address (direct TCP connection)
     peer_addr
-        .map(|ip| ConnectionInfo::new(Some(ip.to_string())))
-        .unwrap_or_else(|| ConnectionInfo::new(None))
+}
+
+fn is_trusted_proxy_peer(peer_addr: IpAddr, trusted_proxy_ranges: &[IpNet]) -> bool {
+    peer_addr.is_loopback() || trusted_proxy_ranges.iter().any(|range| range.contains(&peer_addr))
+}
+
+fn extract_proxy_header_ip(
+    header: Option<&HeaderValue>,
+    first_csv_value: bool,
+    header_name: &str,
+) -> Option<IpAddr> {
+    let header_value = header?.to_str().ok()?;
+    let candidate = if first_csv_value {
+        header_value.split(',').next().unwrap_or("").trim()
+    } else {
+        header_value.trim()
+    };
+
+    if candidate.is_empty() {
+        return None;
+    }
+
+    if is_localhost_address(candidate) {
+        warn!(
+            "Security: Rejected localhost value in trusted {} header: '{}'. Using peer_addr instead.",
+            header_name,
+            candidate
+        );
+        return None;
+    }
+
+    candidate.parse::<IpAddr>().ok()
 }
 
 /// Check if an IP address string represents localhost
@@ -94,6 +145,7 @@ pub fn is_localhost_address(ip: &str) -> bool {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use actix_web::http::header::{HeaderMap, HeaderName, HeaderValue};
 
     #[test]
     fn test_is_localhost_address() {
@@ -138,4 +190,80 @@ mod tests {
             );
         }
     }
+
+    #[test]
+    fn test_loopback_proxy_headers_are_trusted() {
+        let mut headers = HeaderMap::new();
+        headers.insert(
+            HeaderName::from_static("x-forwarded-for"),
+            HeaderValue::from_static("203.0.113.8, 10.0.0.1"),
+        );
+
+        let ip = extract_client_ip_addr_with_trusted_ranges(
+            Some("127.0.0.1".parse().unwrap()),
+            &headers,
+            &[],
+        );
+
+        assert_eq!(ip, Some("203.0.113.8".parse().unwrap()));
+    }
+
+    #[test]
+    fn test_trusted_proxy_range_allows_forwarded_headers() {
+        let mut headers = HeaderMap::new();
+        headers.insert(
+            HeaderName::from_static("x-forwarded-for"),
+            HeaderValue::from_static("203.0.113.8"),
+        );
+        let trusted_ranges = kalamdb_configs::parse_trusted_proxy_entries(&[
+            "10.0.0.0/8".to_string(),
+        ])
+        .unwrap();
+
+        let ip = extract_client_ip_addr_with_trusted_ranges(
+            Some("10.0.1.9".parse().unwrap()),
+            &headers,
+            &trusted_ranges,
+        );
+
+        assert_eq!(ip, Some("203.0.113.8".parse().unwrap()));
+    }
+
+    #[test]
+    fn test_untrusted_proxy_headers_are_ignored() {
+        let mut headers = HeaderMap::new();
+        headers.insert(
+            HeaderName::from_static("x-forwarded-for"),
+            HeaderValue::from_static("203.0.113.8"),
+        );
+
+        let ip = extract_client_ip_addr_with_trusted_ranges(
+            Some("10.0.1.9".parse().unwrap()),
+            &headers,
+            &[],
+        );
+
+        assert_eq!(ip, Some("10.0.1.9".parse().unwrap()));
+    }
+
+    #[test]
+    fn test_localhost_spoofing_is_rejected_even_for_trusted_proxy() {
+        let mut headers = HeaderMap::new();
+        headers.insert(
+            HeaderName::from_static("x-forwarded-for"),
+            HeaderValue::from_static("127.0.0.1"),
+        );
+        let trusted_ranges = kalamdb_configs::parse_trusted_proxy_entries(&[
+            "10.0.0.0/8".to_string(),
+        ])
+        .unwrap();
+
+        let ip = extract_client_ip_addr_with_trusted_ranges(
+            Some("10.0.1.9".parse().unwrap()),
+            &headers,
+            &trusted_ranges,
+        );
+
+        assert_eq!(ip, Some("10.0.1.9".parse().unwrap()));
+    }
 }

backend/crates/kalamdb-auth/src/helpers/ip_extractor.rs

@@ -23,7 +23,10 @@ pub use helpers::extractor::{AuthExtractError, AuthSessionExtractor};
 // Re-export unified session type from kalamdb-session
 pub use kalamdb_session::AuthSession;
 // Re-export items needed by extractor
-pub use helpers::ip_extractor::{extract_client_ip_secure, is_localhost_address};
+pub use helpers::ip_extractor::{
+    extract_client_ip_addr_secure, extract_client_ip_secure, init_trusted_proxy_ranges,
+    is_localhost_address,
+};
 pub use models::impersonation::{ImpersonationContext, ImpersonationOrigin};
 pub use providers::jwt_auth::{
     create_and_sign_refresh_token, create_and_sign_token, generate_jwt_token, refresh_jwt_token,

backend/crates/kalamdb-auth/src/lib.rs

@@ -14,6 +14,7 @@ toml = { workspace = true }
 anyhow = { workspace = true }
 num_cpus = { workspace = true }
 openraft = { workspace = true }
+ipnet = { workspace = true }
 
 [lib]
 name = "kalamdb_configs"

backend/crates/kalamdb-configs/Cargo.toml

@@ -1,4 +1,5 @@
 use super::types::ServerConfig;
+use super::trusted_proxies::parse_trusted_proxy_entries;
 use crate::file_helpers::normalize_dir_path;
 use std::fs;
 use std::path::Path;
@@ -106,6 +107,13 @@ impl ServerConfig {
             return Err(anyhow::anyhow!("cleanup_job_schedule cannot be empty"));
         }
 
+        parse_trusted_proxy_entries(&self.security.trusted_proxy_ranges).map_err(|error| {
+            anyhow::anyhow!(
+                "Invalid security.trusted_proxy_ranges configuration: {}",
+                error
+            )
+        })?;
+
         Ok(())
     }
 }
@@ -133,4 +141,11 @@ mod tests {
         config.logging.level = "invalid".to_string();
         assert!(config.validate().is_err());
     }
+
+    #[test]
+    fn test_invalid_trusted_proxy_ranges() {
+        let mut config = ServerConfig::default();
+        config.security.trusted_proxy_ranges = vec!["nope".to_string()];
+        assert!(config.validate().is_err());
+    }
 }

backend/crates/kalamdb-configs/src/config/loader.rs

@@ -3,7 +3,9 @@ pub mod defaults;
 pub mod loader;
 #[path = "override.rs"]
 pub mod overrides;
+pub mod trusted_proxies;
 pub mod types;
 
+pub use trusted_proxies::*;
 pub use cluster::*;
 pub use types::*;

backend/crates/kalamdb-configs/src/config/mod.rs

@@ -38,6 +38,7 @@ impl ServerConfig {
     /// - KALAMDB_COOKIE_SECURE: Override auth.cookie_secure
     /// - KALAMDB_ALLOW_REMOTE_SETUP: Override auth.allow_remote_setup
     /// - KALAMDB_AUTH_AUTO_CREATE_USERS_FROM_PROVIDER: Override auth.auto_create_users_from_provider
+    /// - KALAMDB_SECURITY_TRUSTED_PROXY_RANGES: Override security.trusted_proxy_ranges
     /// - KALAMDB_RATE_LIMIT_AUTH_REQUESTS_PER_IP_PER_SEC: Override rate_limit.max_auth_requests_per_ip_per_sec
     /// - KALAMDB_WEBSOCKET_CLIENT_TIMEOUT_SECS: Override websocket.client_timeout_secs
     /// - KALAMDB_WEBSOCKET_AUTH_TIMEOUT_SECS: Override websocket.auth_timeout_secs
@@ -146,6 +147,17 @@ impl ServerConfig {
                 val.to_lowercase() == "true" || val == "1" || val.to_lowercase() == "yes";
         }
 
+        // Trusted proxy ranges used for X-Forwarded-For / X-Real-IP trust.
+        if let Ok(val) = env::var("KALAMDB_SECURITY_TRUSTED_PROXY_RANGES")
+            .or_else(|_| env::var("KALAMDB_TRUSTED_PROXY_RANGES"))
+        {
+            self.security.trusted_proxy_ranges = val
+                .split(',')
+                .map(|entry| entry.trim().to_string())
+                .filter(|entry| !entry.is_empty())
+                .collect();
+        }
+
         // Auth rate limit per IP
         if let Ok(val) = env::var("KALAMDB_RATE_LIMIT_AUTH_REQUESTS_PER_IP_PER_SEC") {
             self.rate_limit.max_auth_requests_per_ip_per_sec = val.parse().map_err(|_| {
@@ -355,4 +367,23 @@ mod tests {
 
         env::remove_var("KALAMDB_LOG_LEVEL");
     }
+
+    #[test]
+    fn test_env_override_trusted_proxy_ranges() {
+        let _guard = acquire_env_lock();
+        env::set_var(
+            "KALAMDB_SECURITY_TRUSTED_PROXY_RANGES",
+            "10.0.1.9,192.168.0.0/24",
+        );
+
+        let mut config = ServerConfig::default();
+        config.apply_env_overrides().unwrap();
+
+        assert_eq!(
+            config.security.trusted_proxy_ranges,
+            vec!["10.0.1.9".to_string(), "192.168.0.0/24".to_string()]
+        );
+
+        env::remove_var("KALAMDB_SECURITY_TRUSTED_PROXY_RANGES");
+    }
 }