gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-12 18:28:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(auth): ARCH-002 — relax OIDC runtime guard, full Bundle-2 stack ships

Browse Source 
Sprint 4 unified-master-audit closure. The README has advertised OIDC
SSO as a v2.1 feature (L18, L74) but cmd/server/main.go retained a
Bundle-2-Phase-0 runtime guard that os.Exit(1)'d the moment any
operator set CERTCTL_AUTH_TYPE=oidc:

    CERTCTL_AUTH_TYPE=oidc: the OIDC auth chain is not yet wired in
    this build (Auth Bundle 2 Phase 6 ships the session middleware
    that consumes this auth-type literal).

That message was true when Phase 0 landed (the literal got reserved
in ValidAuthTypes ahead of the handler chain). It's been stale since
Phase 6 shipped. As of 2026-05-16 the full stack is live:

  - session.NewService at cmd/server/main.go:394
  - oidcsvc.NewService at cmd/server/main.go:436
  - ChainAuthSessionThenBearer at cmd/server/main.go:2012
  - csrfMiddleware at cmd/server/main.go:2017
  - /auth/oidc/{login,callback,back-channel-logout} routes at router.go
  - 6 OIDC handler files in internal/api/handler/
  - 2,852 LOC in internal/auth/oidc/ + 1,632 LOC in internal/auth/session/

Fix:
  - Introduce config.IsRuntimeSupportedAuthType(AuthType) as the
    single source of truth for which auth-type literals the cmd/server
    runtime guard accepts. The set is {api-key, none, oidc} —
    every entry in ValidAuthTypes(). The helper exists so the test
    suite can pin the invariant 'ValidAuthTypes ⊆ runtime-supported'
    without grepping cmd/server source.
  - cmd/server/main.go's switch collapses to a single
    IsRuntimeSupportedAuthType check; the dedicated AuthTypeOIDC
    fail-loud case is gone. The G-1 silent-auth-downgrade invariant
    stays intact — 'jwt' is still rejected at config.Validate()
    time (never made it into ValidAuthTypes()).
  - internal/config/auth.go AuthTypeOIDC comment updated to reflect
    the post-Phase-6 reality (it was prescriptive pre-fix:
    'Once Bundle 2's session middleware + OIDC service ship, the
    runtime guard relaxes' — that condition is met).

Regression coverage:
  - TestIsRuntimeSupportedAuthType_AcceptsAllValidEntries — every
    valid type is runtime-supported (catches future drift).
  - TestIsRuntimeSupportedAuthType_AcceptsOIDC — explicit pin on
    the ARCH-002 invariant.
  - TestIsRuntimeSupportedAuthType_RejectsUnknown — 'jwt', empty,
    'saml', 'mtls', 'API-KEY' all rejected.

(Also lands the ARCH-003 keygen-mode tests in the same file —
contiguous hunk in config_test.go.)

Closes ARCH-002.
This commit is contained in:
shankar0123
2026-05-16 04:53:36 +00:00
parent 3ce05ab0a8
commit 34d5200904
3 changed files with 181 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/config/auth.go
+25 -9
View File
@@ -138,15 +138,13 @@ const (
// docs/architecture.md "Authenticating-gateway pattern".
AuthTypeNone AuthType = "none"
// AuthTypeOIDC (Auth Bundle 2 Phase 0) reserves the literal that the
// OIDC handler chain (Bundle 2 Phase 5+6) consumes. Pre-Bundle-2
// behavior: the literal is allowed by the validator but the handler
// chain is not yet wired, so the runtime guard in cmd/server/main.go
// surfaces a clear "oidc auth-type configured but Bundle 2 handlers
// not registered" error rather than silently falling back to api-key
// (the failure mode that drove G-1's jwt-literal removal). Once
// Bundle 2's session middleware + OIDC service ship, the runtime
// guard relaxes and CERTCTL_AUTH_TYPE=oidc routes through them.
// AuthTypeOIDC drives the OIDC SSO handler chain (Bundle 2 Phase 5+6).
// ARCH-002 closure (Sprint 4, 2026-05-16): the Phase-0 runtime guard
// at cmd/server/main.go that refused to boot on this literal has
// been relaxed — every prerequisite (session.NewService,
// oidcsvc.NewService, ChainAuthSessionThenBearer, the OIDC handler
// routes) ships, so CERTCTL_AUTH_TYPE=oidc is now a fully-supported
// production auth mode alongside api-key + none.
//
// Note: this is the AUTH-TYPE literal value, NOT the JWT alg literal.
// ID tokens are JWTs internally but the auth-type config string is
@@ -171,6 +169,24 @@ func ValidAuthTypes() []AuthType {
return []AuthType{AuthTypeAPIKey, AuthTypeNone, AuthTypeOIDC}
}
// IsRuntimeSupportedAuthType reports whether the cmd/server/main.go
// runtime guard accepts this auth-type literal at boot. ARCH-002
// closure (Sprint 4, 2026-05-16): post-fix this returns true for
// every entry in ValidAuthTypes() — the Bundle-2-Phase-0 stale guard
// that exited on AuthTypeOIDC has been relaxed, since the full
// session middleware + OIDC handler chain ships. The helper exists
// as a single source of truth so the test suite can pin the
// invariant `ValidAuthTypes ⊆ runtime-supported` (which protects
// against future drift in either direction).
func IsRuntimeSupportedAuthType(t AuthType) bool {
switch t {
case AuthTypeAPIKey, AuthTypeNone, AuthTypeOIDC:
return true
default:
return false
}
}
// AuthConfig contains authentication configuration.
type AuthConfig struct {
// Type sets the authentication mechanism for the REST API.