gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-11 12:48:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

harden(auth): LOW + Nit batch — bootstrap audit, crypto/rand, XFF trust, CSRF check, protocol-prefix unify (Batch 1)

Browse Source 
Audit 2026-05-10 — close 8 LOWs + 2 Nits in-bundle. Remainder
(LOW-1/6/9/11/12, Nit-2/5) need GUI or DB-test runtime not present
in-session; tracked in the audit-doc batch table.

LOW-2: bootstrap.ValidateAndMint now emits 'bootstrap.consume_failed'
audit rows on persist-key + grant-role failure branches before
bubbling. Recovery requires DB seeding per the docstring; without this
row, later forensics can't tell 'bootstrap was used and failed' from
'never invoked.'

LOW-3: randomB64URLForHandler now uses crypto/rand (was time-nano-
shifted). Two providers/mappings created in the same nanosecond used
to collide; now they don't. Time-nano fallback retained for the
unlikely crypto/rand-broken path.

LOW-4: breakglass.verifyDummy uses s.readRand(salt) for the dummy
Argon2id verify. Wall-clock cost unchanged (Argon2id memory alloc
dominates), but cache/branch behavior now matches a real verify —
closes the subtle timing side channel.

LOW-5: clientIPFromRequest now only honors X-Forwarded-For when the
direct connection's RemoteAddr falls in the CERTCTL_TRUSTED_PROXIES
CIDR allowlist. Default-deny: empty list means XFF is ignored.
SetTrustedProxies wired in cmd/server/main.go from cfg.Auth.TrustedProxies.

LOW-7: internal/auth/protocol_endpoints.go::ProtocolEndpointPrefixes
now carries /scep-mtls + /.well-known/est-mtls (previously only in
router.AuthExemptDispatchPrefixes; the two lists had drifted). The
canonical-prefix coverage test in Phase 12 still pins the set.

LOW-8: docs/operator/rbac.md documents that r-mcp / r-cli / r-agent
are not actor-type-bound — role naming is a hint, not an enforcement.
Operators wanting hard binding must apply periodic audit queries.
Native binding is on the v2 roadmap.

LOW-10: Session.Validate now rejects a post-login row with empty
CSRFTokenHash (IsPreLogin=false branch). validSession test fixture
updated with a valid 64-hex CSRF hash.

Nit-1: production RevokeAllForActor call sites already use typed
constants (only test-file literals remain — acceptable).

Nit-3: peekIssuer docstring documents the unsigned-permissive-by-design
invariant + the post-verify re-check pin that the BCL handler enforces.
A future commit that uses peekIssuer output before verify will trip
the inline comment + the existing BCL test matrix.

Status table updated in cowork/auth-bundles-audit-2026-05-10.md:
8 LOWs + 2 Nits CLOSED; 5 LOWs + 2 Nits OPEN with explicit reason
(GUI work, repo refactor, Keycloak integration runtime, WONTFIX).

Refs: cowork/auth-bundles-audit-2026-05-10.md LOW-2/3/4/5/7/8/10
      cowork/auth-bundles-audit-2026-05-10.md Nit-1/3
This commit is contained in:
shankar0123
2026-05-10 22:26:12 +00:00
parent 630831aeac
commit 9cce2ab043
11 changed files with 204 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/auth/session/middleware_test.go
+19 -2
View File
@@ -301,19 +301,36 @@ func TestIsStateChangingMethod(t *testing.T) {
}
func TestClientIPFromRequest_Variants(t *testing.T) {
// Audit 2026-05-10 LOW-5 — XFF is now only trusted when the
// direct connection's RemoteAddr falls into the configured
// trusted-proxy CIDR allowlist. Reset to a known state before/after.
prev := trustedProxyCIDRs
t.Cleanup(func() { trustedProxyCIDRs = prev })
// (1) No XFF trust configured (empty allowlist) — XFF is IGNORED.
trustedProxyCIDRs = nil
r := httptest.NewRequest(http.MethodGet, "/", nil)
r.RemoteAddr = "1.2.3.4:5555"
if ip := clientIPFromRequest(r); ip != "1.2.3.4" {
t.Errorf("RemoteAddr: got %q; want 1.2.3.4", ip)
}
r.Header.Set("X-Forwarded-For", "10.0.0.1, 10.0.0.2")
if ip := clientIPFromRequest(r); ip != "1.2.3.4" {
t.Errorf("XFF without trusted proxy: got %q; want 1.2.3.4 (ignored)", ip)
}
// (2) Trusted-proxy CIDR matches RemoteAddr — XFF IS honored.
trustedProxyCIDRs = []string{"1.2.3.0/24"}
r.Header.Set("X-Forwarded-For", "10.0.0.1, 10.0.0.2")
if ip := clientIPFromRequest(r); ip != "10.0.0.1" {
t.Errorf("XFF first hop: got %q; want 10.0.0.1", ip)
t.Errorf("XFF first hop (trusted): got %q; want 10.0.0.1", ip)
}
r.Header.Set("X-Forwarded-For", "10.0.0.99")
if ip := clientIPFromRequest(r); ip != "10.0.0.99" {
t.Errorf("XFF single: got %q; want 10.0.0.99", ip)
t.Errorf("XFF single (trusted): got %q; want 10.0.0.99", ip)
}
// (3) No-port RemoteAddr unchanged.
r2 := httptest.NewRequest(http.MethodGet, "/", nil)
r2.RemoteAddr = "no-port"
if ip := clientIPFromRequest(r2); ip != "no-port" {