Harden registry HTTP surface: SSRF defense, WAL, snapshot validation

- Extract SSRF validator into pkg/urlvalidate and apply to every registry
  URL surface (IDP config, webhook target, snapshot restore).
- Match cloud metadata hostnames case-insensitively; prior check bypassed
  when the attacker uppercased a segment.
- Validate URLs when restoring snapshots so a tainted snapshot can't
  smuggle a malicious IDP/webhook URL on startup.
- Cap crypto-map growth and short-circuit before scalar-mult when the
  unauth map is already at the bound.
- Add SPDX headers to all registry sources; tighten tests for the new
  validator paths.

Author: teovl

pkg/registry/audit_export.go

@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
 package registry
 
 import (

pkg/registry/audit_export_test.go

@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
 package registry
 
 import (

pkg/registry/authorize_task_test.go

@@ -0,0 +1,64 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package registry
+
+import (
+	"testing"
+)
+
+// TestDecidePoloGate verifies the pure gate math behind the
+// registry-side authorize_task_submit endpoint. Replaces the gate-math
+// portion of test_task_polo_gate.sh — docker tier still covers the
+// end-to-end "rejection cites polo" wire behavior, but a Go unit test
+// covers every decision branch in milliseconds.
+func TestDecidePoloGate(t *testing.T) {
+	intp := func(n int) *int { return &n }
+	cases := []struct {
+		name        string
+		subPolo     int
+		recPolo     int
+		minPolo     *int
+		wantAllowed bool
+	}{
+		{"equal_zero_allows", 0, 0, nil, true},
+		{"submitter_higher_allows", 5, 0, nil, true},
+		{"submitter_lower_denies", -1, 0, nil, false},
+		{"equal_nonzero_allows", 7, 7, nil, true},
+
+		{"min_met_allows", 10, 0, intp(5), true},
+		{"min_equal_allows", 5, 0, intp(5), true},
+		{"min_unmet_denies", 4, 0, intp(5), false},
+		{"min_zero_allows", 0, 0, intp(0), true},
+
+		// Guarantee floor takes precedence over the receiver's own polo.
+		{"min_beats_receiver_rule_allow", 20, 100, intp(10), true},
+		{"min_beats_receiver_rule_deny", 5, 0, intp(10), false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			allowed, reason := decidePoloGate(tc.subPolo, tc.recPolo, tc.minPolo)
+			if allowed != tc.wantAllowed {
+				t.Fatalf("allowed=%v want=%v (sub=%d rec=%d min=%v) reason=%q",
+					allowed, tc.wantAllowed, tc.subPolo, tc.recPolo, tc.minPolo, reason)
+			}
+			if !allowed {
+				if reason == "" {
+					t.Fatal("deny must return a non-empty reason")
+				}
+				// Privacy: reason must NOT leak numeric polo values.
+				if containsDigit(reason) && tc.minPolo == nil {
+					t.Fatalf("reason leaks polo numbers: %q", reason)
+				}
+			}
+		})
+	}
+}
+
+func containsDigit(s string) bool {
+	for _, r := range s {
+		if r >= '0' && r <= '9' {
+			return true
+		}
+	}
+	return false
+}

pkg/registry/binary_client.go

@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
 package registry
 
 import (
@@ -123,7 +125,9 @@ func (c *BinaryClient) heartbeatLocked(nodeID uint32, sig []byte) (int64, bool,
 		return 0, false, fmt.Errorf("send heartbeat: %w", err)
 	}
 
+	c.conn.SetReadDeadline(time.Now().Add(30 * time.Second))
 	msgType, payload, err := wireReadFrame(c.conn)
+	c.conn.SetReadDeadline(time.Time{})
 	if err != nil {
 		return 0, false, fmt.Errorf("recv heartbeat: %w", err)
 	}
@@ -158,7 +162,9 @@ func (c *BinaryClient) lookupLocked(nodeID uint32) (*WireLookupResult, error) {
 		return nil, fmt.Errorf("send lookup: %w", err)
 	}
 
+	c.conn.SetReadDeadline(time.Now().Add(30 * time.Second))
 	msgType, payload, err := wireReadFrame(c.conn)
+	c.conn.SetReadDeadline(time.Time{})
 	if err != nil {
 		return nil, fmt.Errorf("recv lookup: %w", err)
 	}
@@ -197,7 +203,9 @@ func (c *BinaryClient) resolveLocked(nodeID, requesterID uint32, sig []byte) (*W
 		return nil, fmt.Errorf("send resolve: %w", err)
 	}
 
+	c.conn.SetReadDeadline(time.Now().Add(30 * time.Second))
 	msgType, payload, err := wireReadFrame(c.conn)
+	c.conn.SetReadDeadline(time.Time{})
 	if err != nil {
 		return nil, fmt.Errorf("recv resolve: %w", err)
 	}
@@ -242,7 +250,9 @@ func (c *BinaryClient) sendJSONLocked(msg map[string]interface{}) (map[string]in
 		return nil, fmt.Errorf("send: %w", err)
 	}
 
+	c.conn.SetReadDeadline(time.Now().Add(30 * time.Second))
 	msgType, payload, readErr := wireReadFrame(c.conn)
+	c.conn.SetReadDeadline(time.Time{})
 	if readErr != nil {
 		return nil, fmt.Errorf("recv: %w", readErr)
 	}

pkg/registry/binary_client_test.go

@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
 package registry
 
 import (

pkg/registry/client.go

@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
 package registry
 
 import (
@@ -159,7 +161,9 @@ func (c *Client) sendLocked(msg map[string]interface{}) (map[string]interface{},
 	if err := writeMessage(c.conn, msg); err != nil {
 		return nil, fmt.Errorf("send: %w", err)
 	}
+	c.conn.SetReadDeadline(time.Now().Add(30 * time.Second))
 	resp, err := readMessage(c.conn)
+	c.conn.SetReadDeadline(time.Time{})
 	if err != nil {
 		return nil, fmt.Errorf("recv: %w", err)
 	}
@@ -575,12 +579,20 @@ func (c *Client) SetPoloScore(nodeID uint32, poloScore int) (map[string]interfac
 	})
 }
 
-// GetPoloScore retrieves the current polo score for a node.
+// GetPoloScore retrieves the polo score for a node. Polo is private —
+// callers may only read their OWN polo. The registry rejects cross-reads.
+// callerNodeID identifies the requester (must equal nodeID); the request
+// is signed via c.sign so the registry can verify ownership.
 func (c *Client) GetPoloScore(nodeID uint32) (int, error) {
-	resp, err := c.Send(map[string]interface{}{
-		"type":    "get_polo_score",
-		"node_id": nodeID,
-	})
+	msg := map[string]interface{}{
+		"type":           "get_polo_score",
+		"node_id":        nodeID,
+		"caller_node_id": nodeID,
+	}
+	if sig := c.sign(fmt.Sprintf("get_polo_score:%d", nodeID)); sig != "" {
+		msg["signature"] = sig
+	}
+	resp, err := c.Send(msg)
 	if err != nil {
 		return 0, err
 	}
@@ -590,6 +602,33 @@ func (c *Client) GetPoloScore(nodeID uint32) (int, error) {
 	return 0, fmt.Errorf("polo_score not found in response")
 }
 
+// AuthorizeTaskSubmit asks the registry to decide whether `submitter`
+// may submit a task to `receiver`. The registry compares polos
+// internally and returns only the verdict — daemons never see another
+// node's polo. Optionally pass a guarantee floor via minPolo (>0) so
+// the receiver can require submitters to meet a minimum score.
+func (c *Client) AuthorizeTaskSubmit(callerNodeID, submitter, receiver uint32, minPolo int) (bool, string, error) {
+	msg := map[string]interface{}{
+		"type":              "authorize_task_submit",
+		"caller_node_id":    callerNodeID,
+		"submitter_node_id": submitter,
+		"receiver_node_id":  receiver,
+	}
+	if minPolo > 0 {
+		msg["min_polo"] = float64(minPolo)
+	}
+	if sig := c.sign(fmt.Sprintf("authorize_task_submit:%d:%d:%d", callerNodeID, submitter, receiver)); sig != "" {
+		msg["signature"] = sig
+	}
+	resp, err := c.Send(msg)
+	if err != nil {
+		return false, "", err
+	}
+	authorized, _ := resp["authorized"].(bool)
+	reason, _ := resp["reason"].(string)
+	return authorized, reason, nil
+}
+
 // InviteToNetwork stores a pending invite for a target node to join an invite-only network.
 func (c *Client) InviteToNetwork(networkID uint16, inviterID, targetNodeID uint32, adminToken string) (map[string]interface{}, error) {
 	msg := map[string]interface{}{

pkg/registry/client_iter117_test.go

@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
 package registry
 
 import (

pkg/registry/client_iter118_test.go

@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
 package registry
 
 import (