-
Notifications
You must be signed in to change notification settings - Fork 2.5k
Expand file tree
/
Copy pathCLAUDE.md
More file actions
251 lines (183 loc) · 8.43 KB
/
CLAUDE.md
File metadata and controls
251 lines (183 loc) · 8.43 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Project Overview
OpenNHP is a Go-based Zero Trust security toolkit implementing two core protocols:
- **NHP (Network-infrastructure Hiding Protocol)**: Conceals server ports, IPs, and domains from unauthorized access
- **DHP (Data-content Hiding Protocol)**: Ensures data security via encryption and confidential computing
The system follows NIST Zero Trust Architecture with three core components that communicate via encrypted UDP packets using the Noise Protocol Framework.
## Git Commit Requirements
All commits must be signed with a verified GPG or SSH key. Unsigned commits will fail CI checks.
```bash
# Sign commits (if not configured globally)
git commit -S -m "your message"
# Amend to sign an existing commit
git commit --amend --no-edit -S
```
## Build Commands
```bash
# Full build (all components + SDKs + plugins + archive)
make
# Build individual components
make agentd # Build nhp-agent daemon
make serverd # Build nhp-server daemon
make acd # Build nhp-ac (access controller) daemon
make db # Build nhp-db daemon
make kgc # Build nhp-kgc (key generation center)
# Build with eBPF support (requires clang)
make ebpf
# Build plugins
make plugins
# Initialize/tidy modules
make init
```
## Running Tests
```bash
# Run tests in the nhp module
cd nhp && go test ./...
# Run tests in the endpoints module
cd endpoints && go test ./...
# Run specific test file
cd nhp && go test -v ./test/packet_test.go
# Run benchmark tests
cd nhp && go test -bench=. ./core/benchmark/
```
## Code Formatting
**IMPORTANT**: All Go code must be properly formatted before committing. CI will fail if formatting is incorrect.
### Before Committing
Always run these commands on modified Go files:
```bash
# Format code with gofmt
gofmt -w <file.go>
# Fix import grouping with goimports
goimports -w <file.go>
# Or format all files in a directory
gofmt -w ./path/to/package/
goimports -w ./path/to/package/
```
### Import Grouping Style
Imports must be organized into three groups separated by blank lines:
1. Standard library imports
2. External third-party imports
3. Internal project imports
```go
import (
"fmt"
"net/http"
"github.com/gin-gonic/gin"
"github.com/pelletier/go-toml/v2"
"github.com/OpenNHP/opennhp/nhp/common"
"github.com/OpenNHP/opennhp/nhp/log"
)
```
### Verify Formatting
Check if files need formatting (no output means properly formatted):
```bash
gofmt -l <file.go>
goimports -l <file.go>
```
### Install goimports
If `goimports` is not installed:
```bash
go install golang.org/x/tools/cmd/goimports@latest
```
## Docker Development
```bash
# Build and run the full stack
cd docker && docker-compose up --build
# Individual service testing
docker-compose up nhp-server
docker-compose up nhp-ac
docker-compose up nhp-agent
```
## Architecture
### Module Structure
The codebase uses two separate Go modules with a local replace directive:
- **`nhp/`**: Core protocol library
- `core/`: Packet handling, cryptography, device management, Noise Protocol implementation
- `common/`: Shared types and message definitions (AgentKnockMsg, ServerKnockAckMsg, etc.)
- `utils/`: Utility functions
- `plugins/`: Plugin handler interfaces (PluginHandler interface)
- `log/`: Logging infrastructure
- `etcd/`: Distributed configuration support
- **`endpoints/`**: Daemon implementations (depends on nhp module)
- `agent/`: NHP-Agent - client that sends knock requests
- `server/`: NHP-Server - authenticates and authorizes requests
- `ac/`: NHP-AC - access controller that manages firewall rules
- `db/`: NHP-DB - Data Broker for DHP
- `kgc/`: Key Generation Center for IBC (Identity-Based Cryptography)
- `relay/`: TCP relay functionality
### Core Concepts
**Device Types** (defined in `nhp/core/device.go`):
- `NHP_AGENT`: Client initiating access requests
- `NHP_SERVER`: Central authentication/authorization server
- `NHP_AC`: Access controller managing network rules
- `NHP_DB`: Data Broker for DHP
- `NHP_RELAY`: Packet relay
**Packet Types** (defined in `nhp/core/packet.go`):
- `NHP_KNK`: Agent knock request
- `NHP_ACK`: Server knock acknowledgment
- `NHP_AOP`: Server-to-AC operation request
- `NHP_ART`: AC operation result
- `NHP_REG`/`NHP_RAK`: Agent registration flow
- `DHP_*`: Data Hiding Protocol messages
**Cipher Schemes** (in `nhp/core/crypto.go`):
- `CIPHER_SCHEME_CURVE`: Curve25519 + AES-256-GCM + BLAKE2s
- `CIPHER_SCHEME_GMSM`: SM2 + SM4-GCM + SM3 (Chinese national standards)
### Configuration
All daemons use TOML configuration files in their respective `etc/` directories:
- `config.toml`: Base configuration (private key, listen address, log level)
- `server.toml`: Remote server/peer definitions
- `resource.toml`: Protected resources and auth service providers
- `http.toml`: HTTP server settings (for nhp-server)
### Plugin System
Server plugins implement the `PluginHandler` interface (`nhp/plugins/serverpluginhandler.go`) and are built as Go plugins (`.so` files). See `examples/server_plugin/` for reference implementation.
Key plugin methods:
- `AuthWithNHP()`: Handle NHP protocol authentication
- `AuthWithHttp()`: Handle HTTP-based authentication
- `RegisterAgent()`: Agent registration
- `ListService()`: Service discovery
### Key Generation
All daemons support the `keygen` command:
```bash
./nhp-serverd keygen --curve # Generate Curve25519 keys
./nhp-serverd keygen --sm2 # Generate SM2 keys (default)
```
## Demo Deployment (AWS)
The `terraform/demo/` stack provisions the public demo (nhp-server, nhp-ac,
nhp-relay + nginx + Let's Encrypt) in `us-east-2` on the OpenNHP demo AWS
account. The state bucket is configured at `terraform init` time via
`-backend-config="bucket=$TF_STATE_BUCKET"` (workflows read the
`TF_STATE_BUCKET` repo variable) so the account ID is not committed in source.
All secrets live in a single AWS Secrets Manager secret: **`opennhp/demo`**.
### `opennhp/demo` schema
The secret is JSON; fields are added idempotently by scripts and workflows.
Missing fields are auto-generated on the next `scripts/generate-nhp-keys.sh`
run (triggered by the `deploy-demo-v2` workflow).
| Field | Populated by | Used by |
| --- | --- | --- |
| `nhp_server_private_key` / `_public_key` | `scripts/generate-nhp-keys.sh` | server `config.toml`; peer tables on ac/relay |
| `nhp_ac_private_key` / `_public_key` | same | ac `config.toml`; peer table on server |
| `nhp_relay_private_key` / `_public_key` | same | relay `config.toml`; peer table on server |
| `nhp_agent_private_key` / `_public_key` | same | native nhp-agent clients; `agent.toml` on server |
| `nhp_jsagent_private_key` / `_public_key` | same | `OpenNHP/js-agent` demo page (rendered into `config.json` at deploy time) |
| `cloudflare_api_token` | manually provisioned once | Terraform + certbot DNS-01 (`Zone:DNS:Edit` + `Zone:Zone:Read`) |
| `cloudflare_zone_id` | same | Terraform DNS records for `opennhp.org` |
| `ssh_deploy_private_key` | manually bootstrapped (see `terraform/demo/RUNBOOK.md`); never enters Terraform state | CI SSH into EC2 hosts |
| `ssh_deploy_public_key` | derived in CI via `ssh-keygen -y` and passed as `TF_VAR_deploy_public_key` | `aws_key_pair.deploy` → `ec2-user` authorized keys |
| `ssh_host_keys` | `infra-demo` workflow on `apply` | CI `known_hosts` for strict host key checking |
### Key-generation flow
`scripts/generate-nhp-keys.sh`:
1. Reads existing values from `opennhp/demo`.
2. Uses each daemon's `keygen --curve --json` to fill any missing pair.
3. Writes the merged object back to `opennhp/demo` (preserving unrelated fields).
4. Renders `deploy/config-templates/` via `envsubst` into `deploy/configs/` for
scp to the hosts.
Pass `--regenerate` to the script (or `regenerate_keys=yes` on the workflow) to
force a full rotation. This breaks every registered agent/ac/relay until their
peer tables are redeployed in lockstep, so use sparingly.
## Protocol Flow
1. Agent sends encrypted knock (`NHP_KNK`) to Server
2. Server validates, sends operation request (`NHP_AOP`) to AC
3. AC opens firewall, responds (`NHP_ART`) to Server
4. Server sends acknowledgment (`NHP_ACK`) with access info to Agent
5. Agent can now access the protected resource through AC