fix(proxy): classify token-endpoint 403 invalid_grant as auth-failure; audit detected protocol

Author: nnemirovsky

internal/proxy/pool_failover.go

@@ -86,9 +86,14 @@ func classifyFailover(statusCode int, body []byte, isTokenEndpoint bool) (class
 		if bodyContainsAny(body, "insufficient_quota", "quota_exceeded", "quota exhausted", "rate_limit_exceeded") {
 			return failoverRateLimited, ""
 		}
-		return failoverNone, ""
+		// NOT a quota signal: do not early-return. A 403 is still a non-2xx
+		// status, so a real token-endpoint body of invalid_grant/invalid_token
+		// must classify as auth-failure (consistent with the 400/401 path).
+		// The shared non-2xx token-endpoint check below handles it; a 403 from
+		// a non-token-endpoint with an unrelated body still resolves to
+		// failoverNone there (the body is only trusted on a real token URL).
 	}
-	// Non-4xx-status path. Only a real token-endpoint body may be classified
+	// Non-2xx-status path. Only a real token-endpoint body may be classified
 	// (invalid_grant/invalid_token), and only when the status is not a 2xx
 	// success. A 2xx token response is a healthy refresh, never a failover.
 	if isTokenEndpoint && (statusCode < 200 || statusCode > 299) {
@@ -133,21 +138,26 @@ type FailoverEvent struct {
 // poolForResponse maps a response's CONNECT destination back to a pooled
 // binding and returns the pool name + the member that was active for this
 // request. Returns ok=false when the destination is not bound to a pool.
-func (a *SluiceAddon) poolForResponse(f *mitmproxy.Flow) (pool, activeMember string, pr *vault.PoolResolver, ok bool) {
+//
+// proto is the protocol detected for THIS request (the same value used for
+// the protocol-scoped binding lookup). The caller threads it into the
+// cred_failover audit event so the audit records the real protocol of the
+// pooled binding (grpc / http2 / etc.) instead of a hardcoded "https".
+func (a *SluiceAddon) poolForResponse(f *mitmproxy.Flow) (pool, activeMember, proto string, pr *vault.PoolResolver, ok bool) {
 	if a.poolResolver == nil || a.resolver == nil {
-		return "", "", nil, false
+		return "", "", "", nil, false
 	}
 	pr = a.poolResolver.Load()
 	if pr == nil {
-		return "", "", nil, false
+		return "", "", "", nil, false
 	}
 	res := a.resolver.Load()
 	if res == nil {
-		return "", "", nil, false
+		return "", "", "", nil, false
 	}
 	host, port := connectTargetForFlow(a, f)
 	if host == "" {
-		return "", "", nil, false
+		return "", "", "", nil, false
 	}
 	// Finding 3: the failover binding lookup MUST use the same protocol the
 	// request-side injection (injectHeaders / buildPhantomPairs) used, not a
@@ -157,7 +167,7 @@ func (a *SluiceAddon) poolForResponse(f *mitmproxy.Flow) (pool, activeMember str
 	// detectRequestProtocol mirrors the injection path exactly (URL scheme
 	// then header refinement); for the common unscoped-binding case the
 	// result is still https-equivalent so behavior is unchanged.
-	proto := a.detectRequestProtocol(f, port).String()
+	proto = a.detectRequestProtocol(f, port).String()
 	for _, boundName := range res.CredentialsForDestination(host, port, proto) {
 		if !pr.IsPool(boundName) {
 			continue
@@ -176,15 +186,15 @@ func (a *SluiceAddon) poolForResponse(f *mitmproxy.Flow) (pool, activeMember str
 				// member of this pool (a membership change could have
 				// raced); otherwise fall through to ResolveActive.
 				if pr.PoolForMember(injected) == boundName {
-					return boundName, injected, pr, true
+					return boundName, injected, proto, pr, true
 				}
 			}
 		}
 		member, mok := pr.ResolveActive(boundName)
 		if !mok || member == "" {
 			continue
 		}
-		return boundName, member, pr, true
+		return boundName, member, proto, pr, true
 	}
 
 	// Token-endpoint path. An OAuth refresh hits the credential's token-URL
@@ -246,7 +256,7 @@ func (a *SluiceAddon) poolForResponse(f *mitmproxy.Flow) (pool, activeMember str
 			realRefresh := extractRequestRefreshToken(f.Request.Body, reqCT)
 			if owner, ok := a.refreshAttr.Peek(realRefresh); ok && owner != "" {
 				if ownerPool := pr.PoolForMember(owner); ownerPool != "" {
-					return ownerPool, owner, pr, true
+					return ownerPool, owner, proto, pr, true
 				}
 				// owner is no longer in any pool (membership change
 				// raced the failure); fall through to the active-member
@@ -261,20 +271,20 @@ func (a *SluiceAddon) poolForResponse(f *mitmproxy.Flow) (pool, activeMember str
 				log.Printf("[POOL-FAILOVER] pool %q: could not attribute "+
 					"token-endpoint failure via injected refresh token; "+
 					"falling back to active member %q", pool, active)
-				return pool, active, pr, true
+				return pool, active, proto, pr, true
 			}
 			// Last resort: a pooled index match if any (preserves prior
 			// behavior when even ResolveActive cannot decide; better than
 			// no attribution at all).
 			for _, c := range matches {
 				if pr.PoolForMember(c) != "" {
-					return pool, c, pr, true
+					return pool, c, proto, pr, true
 				}
 			}
-			return pool, matched, pr, true
+			return pool, matched, proto, pr, true
 		}
 	}
-	return "", "", nil, false
+	return "", "", "", nil, false
 }
 
 // handlePoolFailover is the Phase 2 entry point invoked from Response for
@@ -302,7 +312,7 @@ func (a *SluiceAddon) handlePoolFailover(f *mitmproxy.Flow) {
 	if f == nil || f.Response == nil || f.Request == nil {
 		return
 	}
-	pool, from, pr, ok := a.poolForResponse(f)
+	pool, from, proto, pr, ok := a.poolForResponse(f)
 	if !ok {
 		return
 	}
@@ -352,11 +362,14 @@ func (a *SluiceAddon) handlePoolFailover(f *mitmproxy.Flow) {
 		evt := audit.Event{
 			Destination: host,
 			Port:        port,
-			Protocol:    "https",
-			Verdict:     "failover",
-			Action:      "cred_failover",
-			Reason:      fmt.Sprintf("%s:%s->%s:%s", pool, from, to, tag),
-			Credential:  from,
+			// Same protocol used for the protocol-scoped binding lookup in
+			// poolForResponse, NOT a hardcoded "https". For a grpc/http2
+			// scoped pooled binding the audit must record the real protocol.
+			Protocol:   proto,
+			Verdict:    "failover",
+			Action:     "cred_failover",
+			Reason:     fmt.Sprintf("%s:%s->%s:%s", pool, from, to, tag),
+			Credential: from,
 		}
 		if err := a.auditLog.Log(evt); err != nil {
 			log.Printf("[POOL-FAILOVER] audit log error: %v", err)

internal/proxy/pool_failover_test.go

@@ -57,6 +57,17 @@ func TestClassifyFailover(t *testing.T) {
 		{"403 insufficient_quota", 403, `{"error":"insufficient_quota"}`, false, failoverRateLimited, "403"},
 		{"403 quota_exceeded", 403, `{"error":{"code":"quota_exceeded"}}`, false, failoverRateLimited, "403"},
 		{"403 unrelated -> noop", 403, `{"error":"forbidden: bad scope"}`, false, failoverNone, ""},
+		// Finding 1: a token-endpoint 403 carrying invalid_grant/invalid_token
+		// is an auth failure (consistent with the 400/401 token-endpoint path).
+		// The old code early-returned failoverNone in the 403 branch before the
+		// token-endpoint body check ever ran.
+		{"403 token-endpoint invalid_grant -> auth", 403, `{"error":"invalid_grant"}`, true, failoverAuthFailure, "invalid_grant"},
+		{"403 token-endpoint invalid_token -> auth", 403, `{"error":"invalid_token"}`, true, failoverAuthFailure, "invalid_token"},
+		// 403 + quota signal stays rate-limited (unchanged).
+		{"403 insufficient_quota (tokenEP) stays rate-limited", 403, `{"error":"insufficient_quota"}`, true, failoverRateLimited, "403"},
+		// 403 + invalid_grant but NOT a real token endpoint -> still noop
+		// (the body is only trusted on a real token URL).
+		{"403 invalid_grant but NOT token endpoint -> noop", 403, `{"error":"invalid_grant"}`, false, failoverNone, ""},
 		{"401 auth failure", 401, "", false, failoverAuthFailure, "401"},
 		{"token-endpoint invalid_grant", 400, `{"error":"invalid_grant"}`, true, failoverAuthFailure, "invalid_grant"},
 		{"token-endpoint invalid_token", 400, `{"error":"invalid_token"}`, true, failoverAuthFailure, "invalid_token"},
@@ -307,7 +318,7 @@ func TestPoolForResponseResolvesActiveMember(t *testing.T) {
 	client := setupAddonConn(addon, "auth.example.com:443")
 	f := newPoolRespFlow(client, 429, nil)
 
-	pool, member, pr, ok := addon.poolForResponse(f)
+	pool, member, _, pr, ok := addon.poolForResponse(f)
 	if !ok {
 		t.Fatal("poolForResponse: expected a pooled destination match")
 	}
@@ -392,7 +403,7 @@ func TestTokenEndpointHostFailoverOnPooledMember(t *testing.T) {
 	// (this is exactly the gap CRITICAL-2 describes). poolForResponse must
 	// still succeed via the token-URL index path.
 	f := newPoolRespFlow(client, 400, []byte(`{"error":"invalid_grant"}`))
-	pool, member, _, ok := addon.poolForResponse(f)
+	pool, member, _, _, ok := addon.poolForResponse(f)
 	if !ok {
 		t.Fatal("poolForResponse: token-endpoint response on a pooled member must be attributed (CRITICAL-2 fix); got ok=false")
 	}
@@ -497,7 +508,7 @@ func TestTokenEndpointFailoverAttributesInjectedMemberNotFirstIndex(t *testing.T
 	// poolForResponse must now attribute the failure to memB (the injected
 	// member), NOT memA (the first index entry).
 	f := newPoolRespFlowBody(client, 400, "B-refresh-old", []byte(`{"error":"invalid_grant"}`))
-	pool, member, _, ok := addon.poolForResponse(f)
+	pool, member, _, _, ok := addon.poolForResponse(f)
 	if !ok {
 		t.Fatal("poolForResponse: token-endpoint failure on a pooled member must be attributed")
 	}
@@ -614,7 +625,7 @@ func TestTokenEndpointFailover3MemberAttributesMiddleMember(t *testing.T) {
 	addon.refreshAttr.Tag("memB-refresh", "memB")
 
 	f := newPoolRespFlowBody(client, 401, "memB-refresh", []byte(`{"error":"invalid_token"}`))
-	pool, member, _, ok := addon.poolForResponse(f)
+	pool, member, _, _, ok := addon.poolForResponse(f)
 	if !ok || pool != "codex_pool" || member != "memB" {
 		t.Fatalf("poolForResponse got ok=%v pool=%q member=%q, want codex_pool/memB", ok, pool, member)
 	}
@@ -650,7 +661,7 @@ func TestTokenEndpointFailoverFallsBackToActiveMember(t *testing.T) {
 	}
 
 	f := newPoolRespFlowBody(client, 400, "untagged-refresh", []byte(`{"error":"invalid_grant"}`))
-	pool, member, _, ok := addon.poolForResponse(f)
+	pool, member, _, _, ok := addon.poolForResponse(f)
 	if !ok {
 		t.Fatal("poolForResponse: expected attribution via active-member fallback")
 	}

internal/proxy/pool_splithost_test.go

@@ -1,11 +1,15 @@
 package proxy
 
 import (
+	"encoding/json"
+	"os"
+	"path/filepath"
 	"strings"
 	"sync/atomic"
 	"testing"
 	"time"
 
+	"github.com/nemirovsky/sluice/internal/audit"
 	"github.com/nemirovsky/sluice/internal/store"
 	"github.com/nemirovsky/sluice/internal/vault"
 )
@@ -241,7 +245,7 @@ func TestSplitHost_TokenEndpointFailoverWithPlainCredSortingFirst(t *testing.T)
 	// poolForResponse MUST attribute the failure to memB (the injected
 	// member), not return ok=false because the plain credential sorted first.
 	f := newPoolRespFlowBody(client, 400, "B-refresh-old", []byte(`{"error":"invalid_grant"}`))
-	pool, member, _, ok := addon.poolForResponse(f)
+	pool, member, _, _, ok := addon.poolForResponse(f)
 	if !ok {
 		t.Fatal("Finding 2: token-endpoint failure on a pooled member must be attributed even when a plain cred sorts first; got ok=false")
 	}
@@ -355,13 +359,27 @@ func TestFinding3_ProtocolScopedPooledBindingFailoverLookup(t *testing.T) {
 		t.Fatal("precondition: a 'https' lookup must NOT match the grpc-scoped binding (this is the Finding 3 bug)")
 	}
 
-	pool2, member, _, ok := addon.poolForResponse(f)
+	pool2, member, detProto, _, ok := addon.poolForResponse(f)
 	if !ok {
 		t.Fatal("Finding 3: protocol-scoped (grpc) pooled binding must be recognized on the failover path; got ok=false")
 	}
 	if pool2 != poolName || member != "gA" {
 		t.Fatalf("Finding 3: got pool=%q member=%q, want %s/gA", pool2, member, poolName)
 	}
+	if detProto != ProtoGRPC.String() {
+		t.Fatalf("Finding 2: poolForResponse detected protocol = %q, want %q", detProto, ProtoGRPC.String())
+	}
+
+	// Finding 2: the cred_failover audit event must record the SAME
+	// protocol that drove the binding lookup (grpc here), not a hardcoded
+	// "https". Wire a real audit logger and assert the persisted Protocol.
+	dir := t.TempDir()
+	logPath := filepath.Join(dir, "audit.log")
+	logger, lerr := audit.NewFileLogger(logPath)
+	if lerr != nil {
+		t.Fatalf("NewFileLogger: %v", lerr)
+	}
+	addon.auditLog = logger
 
 	var got FailoverEvent
 	gotCalled := make(chan struct{}, 1)
@@ -382,4 +400,32 @@ func TestFinding3_ProtocolScopedPooledBindingFailoverLookup(t *testing.T) {
 	if got.From != "gA" || got.Pool != poolName || got.Reason != "429" {
 		t.Fatalf("FailoverEvent = %+v, want from=gA pool=%s reason=429", got, poolName)
 	}
+
+	if cerr := logger.Close(); cerr != nil {
+		t.Fatalf("logger close: %v", cerr)
+	}
+	data, rerr := os.ReadFile(logPath)
+	if rerr != nil {
+		t.Fatalf("read audit log: %v", rerr)
+	}
+	var foundFailover bool
+	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
+		if line == "" {
+			continue
+		}
+		var evt audit.Event
+		if uerr := json.Unmarshal([]byte(line), &evt); uerr != nil {
+			t.Fatalf("unmarshal audit line %q: %v", line, uerr)
+		}
+		if evt.Action != "cred_failover" {
+			continue
+		}
+		foundFailover = true
+		if evt.Protocol != ProtoGRPC.String() {
+			t.Fatalf("Finding 2: cred_failover audit Protocol = %q, want %q (must match the detected request protocol, not hardcoded https)", evt.Protocol, ProtoGRPC.String())
+		}
+	}
+	if !foundFailover {
+		t.Fatalf("no cred_failover audit event found in:\n%s", data)
+	}
 }