gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-14 11:59:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): close BUNDLE 1 — server+agent connector config validation chain

Browse Source 
Bundle 1 closure (2026-05-12 acquisition diligence audit). Closes the
acquisition-blocker chain: target.edit (default r-operator grant per
migrations/000029_rbac.up.sql:196) → arbitrary reload_command stored
without validation → agent createTargetConnector json.Unmarshal-only
→ sh -c on agent host. README's 'shell injection prevention on all
connector scripts' claim is now true at the chain level.

Server-side: new internal/connector/target/configcheck package + a
configcheck.Validate call in target.go::Create + ::Update +
::CreateTarget + ::UpdateTarget (all 4 entry points). Rejects shell
metacharacters in reload_command / validate_command / restart_command
for nginx, apache, haproxy, postfix/dovecot, javakeystore, ssh. Sentinel
errors.Is(err, service.ErrInvalidConnectorConfig) available for handler
400 mapping. Non-shell connector types (F5, IIS, Caddy, Traefik, Envoy,
cloud targets, K8s) are no-ops by design.

Agent-side: defense-in-depth connector.ValidateConfig(ctx, configJSON)
call in cmd/agent/main.go inserted between createTargetConnector and
DeployCertificate. This catches (a) configs pre-dating the server gate,
(b) encrypted-blob tampering, (c) per-connector filesystem invariants
that the server can't check.

F5 (S2 finding): proven docs-vs-code drift, not a security bug. The
applyDefaults function never set Insecure=true; runtime default has
always been Go zero-value (false → TLS verified). Three lying 'default
true' comments in f5/f5.go (lines 30, 45-47, 126) rewritten to match
actual code behavior.

Docs (C4 + C9): README L12 + L68 narrowed — 'any CA / any server' →
'Twelve native CA connectors plus an OpenSSL adapter; fifteen native
deployment-target connectors plus a proxy-agent pattern.' 'Every deploy
goes through atomic-write + ...' narrowed to file-based connectors with
inline link to per-target guarantee matrix. New deployment-model.md §1.6
ships a 15-target × 8-property guarantee table covering atomic write /
owner-perms / SHA-256 idempotency / pre-deploy snapshot / on-failure
rollback / post-deploy TLS verify / Prometheus counters / shell-injection
validation — including the K8s preview honesty marker (CLAIM-H4).

Tests: internal/connector/target/configcheck/configcheck_test.go covers
14 shell-injection payloads (semicolon, pipe, backtick, dollar-paren,
redirect, and-chain, newline, double-quote, escape, dollar-var) × 7
shell-using connectors + benign-command acceptance + non-shell no-op
behavior + empty config + malformed JSON. All pass.

Verification (run from /sessions/gifted-blissful-pasteur/mnt/cowork/certctl):
  go fmt ./...              # clean (no diffs)
  go vet ./...              # clean (no findings)
  go test -short -count=1 ./internal/... ./cmd/...
                            # 60+ packages all ok, zero FAIL

Audit-Closes: BUNDLE-1 RT-C1 SEC-M4 CLAIM-M2 CLAIM-L3
Audit-Verifies-False: S2 (F5 'default insecure' was a comment lie, code was always secure)
This commit is contained in:
shankar0123
2026-05-12 23:48:08 +00:00
parent 5a9e994f62
commit b4ce357803
7 changed files with 403 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/connector/target/f5/f5.go
+13 -7
View File
@@ -27,7 +27,7 @@ type Config struct {
Password string `json:"password"` // Administrative password
Partition string `json:"partition"` // F5 partition name (default "Common")
SSLProfile string `json:"ssl_profile"` // SSL client profile name to update
Insecure bool `json:"insecure"` // Skip TLS verification for mgmt interface (default true)
Insecure bool `json:"insecure"` // Skip TLS verification for mgmt interface. Default false (TLS verified). Operators with self-signed F5 mgmt certs must explicitly set "insecure": true.
Timeout int `json:"timeout"` // HTTP timeout in seconds (default 30)
}
@@ -42,9 +42,14 @@ func (c *Config) applyDefaults() {
if c.Timeout == 0 {
c.Timeout = 30
}
// Insecure defaults to true because F5 management interfaces commonly use
// self-signed certificates. See TICKET-016 precedent for InsecureSkipVerify
// documentation. Operators running proper mgmt certs can set insecure=false.
// Insecure has no override in applyDefaults — runtime default is the Go
// zero-value (false), which means InsecureSkipVerify=false and TLS is
// VERIFIED. Operators with self-signed F5 management certs must opt in
// by passing "insecure": true explicitly in the connector config. The
// `S2 (F5 insecure-by-default)` finding from the 2026-05-12 audit was
// based on a misleading legacy comment, not actual code behavior — this
// closure (Bundle 1 / 2026-05-12) corrects the comments to match the
// code default. See TICKET-016 precedent for InsecureSkipVerify framing.
}
// SSLProfileInfo contains information about an F5 SSL client profile.
@@ -122,9 +127,10 @@ func New(config *Config, logger *slog.Logger) (*Connector, error) {
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
// F5 management interfaces commonly use self-signed certificates.
// InsecureSkipVerify is controlled by the config.Insecure field
// (default true). Operators with proper management certs can set
// insecure=false. See TICKET-016 for security rationale.
// InsecureSkipVerify is controlled by config.Insecure (default
// false → TLS verified). Operators with self-signed mgmt certs
// must opt in by passing "insecure": true in the connector
// config. See TICKET-016 for security rationale.
InsecureSkipVerify: config.Insecure, //nolint:gosec // configurable, documented
},
},