Skip to content

feat(auth): enforce username uniqueness at startup and config reload#268

Merged
taigrr merged 1 commit intomasterfrom
cd/username-uniqueness-enforcement
Mar 31, 2026
Merged

feat(auth): enforce username uniqueness at startup and config reload#268
taigrr merged 1 commit intomasterfrom
cd/username-uniqueness-enforcement

Conversation

@taigrr
Copy link
Copy Markdown
Member

@taigrr taigrr commented Mar 30, 2026

Summary

Adds validation to reject farmer configs where two or more pubkeys share the same username. Duplicate usernames make audit logs ambiguous — this catches the misconfiguration early.

Changes

  • internal/rbac/config.go: Add ErrDuplicateUsername sentinel error and ValidateUsernameUniqueness() function that scans the users config section for duplicate username assignments across all roles.
  • internal/auth/auth.go: Wire ValidateUsernameUniqueness() into LoadPolicy(), which runs at farmer startup and on SIGHUP config reload.
  • Tests: 6 unit tests for the validator + 2 integration tests for LoadPolicy.

Behavior

  • At farmer startup: duplicate usernames cause a fatal error (farmer refuses to start).
  • On SIGHUP reload: duplicate usernames are logged as an error and the policy reload is rejected (existing policy remains in effect).
  • Empty/missing usernames are ignored — only explicitly configured usernames are checked.
  • Works with both simple and rich user config formats.

Config example that would be rejected

users:
  admin:
    - pubkey: APUBKEY1
      username: alice
  viewer:
    - pubkey: APUBKEY2
      username: alice  # ERROR: duplicate username

@taigrr
feat(auth): enforce username uniqueness at startup and config reload
bedbff1 
Add ValidateUsernameUniqueness() to reject farmer configs where two or
more pubkeys share the same username. Duplicate usernames would make
audit logs ambiguous and prevent reliable identification.

Validation runs in LoadPolicy() alongside the existing pubkey uniqueness
check, catching duplicates both at farmer startup and on SIGHUP config
reload. Empty/missing usernames are ignored (only explicitly set
usernames are checked).

- Add ErrDuplicateUsername sentinel error
- Add ValidateUsernameUniqueness() in internal/rbac/config.go
- Wire into auth.LoadPolicy() in internal/auth/auth.go
- Add 6 unit tests for the validator (cross-role, same-role, empty,
  mixed, no config)
- Add 2 integration tests for LoadPolicy (reject/accept)
@taigrr taigrr merged commit bd75bff into master Mar 31, 2026
6 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@taigrr