gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 14:11:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

harden(auth): demo-mode residual-grants detector + cleanup endpoint + CI guard (A-8)

Browse Source 
Audit 2026-05-11 A-8 closure. Closes the deferred Phase 2 leg of the
2026-05-10 HIGH-12 closure (2e97cc1) — production-startup observability
for actor-demo-anon residual grants + CI guard banning new synthetic-
admin code paths.

What this changes:

* cmd/server/preflight_demo_residual.go (new) runs after the DB pool +
  audit service are constructed and before the HTTPS listener starts.
  Under any non-'none' auth type it queries actor_roles for the
  synthetic actor-demo-anon and emits a WARN log + a categorized audit
  row (auth.demo_residual_grants_detected) listing every grant
  present. Migration 000029 unconditionally seeds the ar-demo-anon-admin
  row at install time, so EVERY production deploy will see this WARN
  on first boot; the intended cutover workflow is cleanup-once at
  production handover.

* CERTCTL_DEMO_MODE_RESIDUAL_STRICT (new env var on AuthConfig,
  default false) pivots the WARN to fail-closed startup refusal for
  operators who want a paranoid posture against re-seeding.

* POST /api/v1/auth/demo-residual/cleanup (new handler at
  internal/api/handler/demo_residual.go) is an admin-class
  (auth.role.assign) endpoint that removes every actor-demo-anon row
  from actor_roles and returns {removed: int64}. Idempotent; refuses
  503 under Auth.Type=none (deleting the row would break the demo
  path); audit-logs every invocation including no-op zero-removed
  calls so the admin's action is always recorded.

* scripts/ci-guards/no-new-synthetic-admin.sh pins the 17-entry
  allowlist of source files that legitimately reference the
  actor-demo-anon literal. New runtime code paths that resolve to the
  synthetic actor (the same pattern that produced the original CRIT
  class) are rejected at PR time. CI workflow auto-picks the script
  via the existing scripts/ci-guards/*.sh loop in .github/workflows/
  ci.yml; no workflow edit needed.

Regression matrix:

* cmd/server/preflight_demo_residual_test.go — 7 tests covering the
  4 main behaviour branches (testcontainers-backed, testing.Short()-
  skipped: DemoModeActive_Skips, NoResidue_Passes, HasResidue_LogsAnd
  Audits, StrictMode_RefusesStartup, DeleteDemoAnonResidue_Idempotent)
  plus 3 pure-Go stdlib unit tests for the row-string formatter +
  nil-safety contracts on both helpers.

* internal/api/handler/demo_residual_test.go — 7 stdlib+httptest
  cases: HappyPath, Idempotent_ReturnsZero, RejectsInDemoMode (503),
  CleanupError_Surfaces500, NilCleanupFn (defensive 500),
  NilAuditWriter_DoesNotPanic, MissingActorContext (falls back to
  'unknown' actor in the audit row).

* internal/api/router/openapi_parity_test.go — new
  POST /api/v1/auth/demo-residual/cleanup entry plus 6 pre-existing
  pre-A-8 entries (oidc/test, jwks-status, users CRUD, runtime-config)
  that had drifted out of SpecParityExceptions; the parity test was
  red on dev/auth-bundle-2 before my work; this commit returns it to
  green with full per-entry justifications + parity-debt notes.

Docs:

* docs/operator/security.md — new 'Demo-to-production cutover (Audit
  2026-05-11 A-8)' section explaining the WARN message, the cleanup
  curl one-liner, the equivalent SQL, the strict-mode env var, and
  the CI guard.

* docs/operator/rbac.md — Last-reviewed bump + pointer to the new
  env var + the security.md section.

* cowork/auth-bundles-audit-2026-05-10.md — HIGH-12 row gains an
  'A-8 follow-on CLOSED 2026-05-11' annotation describing the
  deferred Phase 2 leg now landed.

* CHANGELOG.md — Unreleased ### Security entry summarizing the four
  legs (detector + cleanup + strict-mode flag + CI guard) and the
  acquisition-readiness narrative this closes.

Operator-facing impact: this closes a credibility gap, not an
exploitable vulnerability. The residue requires a regression
elsewhere in the middleware chain to be exploitable. After this
fix, the canonical narrative ('RBAC primitive with no synthetic-
admin fallback') is fully true.

Refs cowork/auth-bundles-fixes-2026-05-11/08-high-demo-mode-residual-
cleanup.md.
This commit is contained in:
shankar0123
2026-05-11 11:45:54 +00:00
parent b8fac59200
commit a923cf697c
12 changed files with 1123 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+35
View File
@@ -4,6 +4,41 @@
### Security
- **Demo-mode residual-grants detector + cleanup endpoint + CI guard (Audit 2026-05-11 A-8).**
HIGH-12 (closure `b81588e`) added a fail-closed bind-address guard
that refuses startup when `CERTCTL_AUTH_TYPE=none` binds non-loopback
without `CERTCTL_DEMO_MODE_ACK=true`. The Phase 2 leg of that spec —
production-startup banner when `actor-demo-anon` has residual role
grants in `actor_roles` plus a CI guard banning new synthetic-admin
code paths — was deferred. This closure lands all three deferred
legs. (1) `cmd/server/preflight_demo_residual.go` runs after the DB
is open + audit service is constructed, before the HTTPS listener
starts; under any non-`none` auth type it queries `actor_roles` for
`actor-demo-anon` and emits a WARN log + `auth.demo_residual_grants_detected`
audit row when the row is present. The migration 000029 baseline
unconditionally seeds the `ar-demo-anon-admin` row at install time,
so EVERY production deploy will see this WARN on first boot — the
intended cutover workflow is documented at `docs/operator/security.md`.
(2) `POST /api/v1/auth/demo-residual/cleanup` is an admin-class
(`auth.role.assign`) cleanup endpoint that removes every
`actor-demo-anon` row from `actor_roles` and returns
`{"removed": <int64>}`; idempotent (a second call returns
`removed:0`), refuses 503 under `Auth.Type=none` (deleting the row
would break the demo path), audit-logs every invocation. (3) New
env var `CERTCTL_DEMO_MODE_RESIDUAL_STRICT` (default `false`)
pivots the WARN to fail-closed startup refusal for operators who
want a paranoid hostile-environment posture. (4) CI guard
`scripts/ci-guards/no-new-synthetic-admin.sh` pins the 17-entry
allowlist of source files that may reference the `actor-demo-anon`
literal; new runtime code paths that resolve to the synthetic actor
are rejected at PR time so the credibility gap stays closed. The
closure was framed as "credibility gap, not exploitable
vulnerability" — the residue requires a regression elsewhere in the
middleware chain to be exploitable. After this fix, the canonical
acquisition-readiness narrative ("RBAC primitive with no
synthetic-admin fallback") is fully true. Operator runbook at
`docs/operator/security.md#demo-to-production-cutover-audit-2026-05-11-a-8`.
- **Scope-aware actor-role revoke (Audit 2026-05-11 A-4).**
HIGH-10 made it possible to grant the same role to the same actor at
multiple scopes (e.g. `r-operator` on `profile=p-acme` AND `profile=p-globex`)