diff --git a/cmd/server/main.go b/cmd/server/main.go
index 94bbdfe..fc3f51b 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -457,7 +457,7 @@ func main() {
 Secure: true,
 },
 ).WithBCLReplayConsumer(bclReplayRepo, bclMaxAge). // HIGH-3 jti consumed-set.
- WithPermissionChecker(authCheckerAdapter) // MED-2 auth.session.list.all gate.
+ WithPermissionChecker(authCheckerAdapter) // MED-2 auth.session.list.all gate.
 // =========================================================================
 // Auth Bundle 2 Phase 7 — OIDC first-admin bootstrap hook.
@@ -1344,17 +1344,17 @@ func main() {
 // Lazy build — re-read cfg.Auth.* values on every call so
 // post-startup re-evaluation reflects any (future) mutation.
 return map[string]string{
- "CERTCTL_AUTH_TYPE": string(cfg.Auth.Type),
- "CERTCTL_SESSION_SAMESITE": cfg.Auth.Session.SameSite,
- "CERTCTL_OIDC_BCL_MAX_AGE_SECONDS": strconv.Itoa(cfg.Auth.OIDCBCLMaxAgeSeconds),
- "CERTCTL_OIDC_PRELOGIN_REQUIRE_UA": strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireUA),
- "CERTCTL_OIDC_PRELOGIN_REQUIRE_IP": strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireIP),
- "CERTCTL_BREAKGLASS_ENABLED": strconv.FormatBool(cfg.Auth.Breakglass.Enabled),
+ "CERTCTL_AUTH_TYPE": string(cfg.Auth.Type),
+ "CERTCTL_SESSION_SAMESITE": cfg.Auth.Session.SameSite,
+ "CERTCTL_OIDC_BCL_MAX_AGE_SECONDS": strconv.Itoa(cfg.Auth.OIDCBCLMaxAgeSeconds),
+ "CERTCTL_OIDC_PRELOGIN_REQUIRE_UA": strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireUA),
+ "CERTCTL_OIDC_PRELOGIN_REQUIRE_IP": strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireIP),
+ "CERTCTL_BREAKGLASS_ENABLED": strconv.FormatBool(cfg.Auth.Breakglass.Enabled),
 "CERTCTL_BREAKGLASS_LOCKOUT_THRESHOLD": strconv.Itoa(cfg.Auth.Breakglass.LockoutThreshold),
- "CERTCTL_DEMO_MODE_ACK": strconv.FormatBool(cfg.Auth.DemoModeAck),
- "CERTCTL_TRUSTED_PROXIES_COUNT": strconv.Itoa(len(cfg.Auth.TrustedProxies)),
- "CERTCTL_BOOTSTRAP_TOKEN_SET": strconv.FormatBool(cfg.Auth.BootstrapToken != ""),
- "CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID": cfg.Auth.BootstrapOIDCProviderID,
+ "CERTCTL_DEMO_MODE_ACK": strconv.FormatBool(cfg.Auth.DemoModeAck),
+ "CERTCTL_TRUSTED_PROXIES_COUNT": strconv.Itoa(len(cfg.Auth.TrustedProxies)),
+ "CERTCTL_BOOTSTRAP_TOKEN_SET": strconv.FormatBool(cfg.Auth.BootstrapToken != ""),
+ "CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID": cfg.Auth.BootstrapOIDCProviderID,
 "CERTCTL_BOOTSTRAP_ADMIN_GROUPS_COUNT": strconv.Itoa(len(cfg.Auth.BootstrapAdminGroups)),
 }
 },
diff --git a/internal/api/handler/audit.go b/internal/api/handler/audit.go
index 5ca03b3..84674b3 100644
--- a/internal/api/handler/audit.go
+++ b/internal/api/handler/audit.go
@@ -284,5 +284,3 @@ func (h AuditHandler) ExportAudit(w http.ResponseWriter, r *http.Request) {
 "actor_id", actorID, "rows", len(events), "err", err)
 }
 }
-
-
diff --git a/internal/auth/protocol_endpoints.go b/internal/auth/protocol_endpoints.go
index 0d7f460..4b4b2ae 100644
--- a/internal/auth/protocol_endpoints.go
+++ b/internal/auth/protocol_endpoints.go
@@ -40,7 +40,7 @@ import "strings"
 var ProtocolEndpointPrefixes = []string{
 "/acme",
 "/scep",
- "/scep-mtls", // SCEP + mTLS sibling route (Phase 6.5)
+ "/scep-mtls", // SCEP + mTLS sibling route (Phase 6.5)
 "/.well-known/est",
 "/.well-known/est-mtls", // EST + mTLS sibling route (EST hardening Phase 2)
 "/.well-known/pki/ocsp",
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 973ffca..34ee2a6 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -530,7 +530,7 @@ func TestIsLoopbackAddr(t *testing.T) {
 {"10.0.0.1", false},
 {"192.168.1.1", false},
 {"203.0.113.42", false},
- {"example.com", false}, // hostname → fail closed
+ {"example.com", false}, // hostname → fail closed
 {"my-cert-server.internal", false},
 // Defensive: host:port form should still classify the host part.
 {"127.0.0.1:8443", true},