fix(auth): SEC-001 — gate OIDC discovery through SafeHTTPDialContext + ValidateSafeURL

Sprint 1 unified-master-audit closure. Two OIDC discovery call sites passed the bare request context to gooidc.NewProvider: - internal/auth/oidc/test_discovery.go:65 (dry-run validator) - internal/auth/oidc/service.go:1066 (runtime cache load) gooidc.NewProvider derives its HTTP client from the context via oidc.ClientContext; with no override it falls through to http.DefaultClient — no SSRF guard. An admin with auth.oidc.create could induce server-side HTTPS egress to loopback (127.0.0.1, ::1), RFC 1918, link-local (169.254.169.254 — cloud-instance metadata), and IPv6 link-local (fe80::/10). The companion JWKS reachability probe was already routed through SafeHTTPDialContext via the Bundle 5 R6 closure; the discovery + claims path bypassed that. Fix: - New internal/auth/oidc/safehttp.go: oidcDiscoveryClient (Transport DialContext = validation.SafeHTTPDialContext) + SafeOIDCContext helper. Both call sites now wrap ctx through SafeOIDCContext before NewProvider runs. - Defense-in-depth: OIDCProvider.Validate calls validation.ValidateSafeURL on the IssuerURL after the existing https/parse checks, refusing reserved-address issuers at provider-creation time. - TestDiscovery surfaces the SSRF policy error via the result's Errors slice up-front (early-fail UX rail) before invoking NewProvider. Test seams: - setup_test.go swaps oidcDiscoveryClient + validateIssuerSSRF for httptest loopback compatibility, mirroring the existing jwksProbeClient pattern. Regression coverage: - internal/auth/oidc/domain/types_test.go: 5-case table pinning loopback v4/v6, cloud metadata, link-local v4/v6 rejection. - internal/auth/oidc/coverage_fill_test.go: same 5 cases against Service.TestDiscovery via temporarily restoring the production gate. Closes SEC-001.
2026-06-12 18:59:00 +00:00 · 2026-05-16 03:31:42 +00:00
parent 67dbd18fda
commit e6cfd756ac
7 changed files with 232 additions and 2 deletions
@@ -7,6 +7,8 @@ import (
 	"net/http/httptest"
 	"strings"
 	"testing"
+
+	"github.com/certctl-io/certctl/internal/validation"
 )

 // Coverage fill — v2.1.0 release gate Phase 3.
@@ -59,6 +61,54 @@ func TestJWKSStatus_ReturnsSnapshot_AfterAuthRequestPopulatesEntry(t *testing.T)
 	}
 }

+// TestTestDiscovery_RejectsSSRFIssuer_AtEarlyFailRail pins the
+// SEC-001 closure (Sprint 1, 2026-05-16): TestDiscovery refuses
+// reserved-address issuers up-front via validateIssuerSSRF, surfacing
+// a clean "issuer_url failed SSRF policy" error in the result's
+// Errors slice without ever hitting the dial path. The package-wide
+// setup_test.go init() swaps validateIssuerSSRF to a no-op so the
+// other tests can use httptest loopback servers; this test temporarily
+// restores the production gate (validation.ValidateSafeURL) and
+// asserts the rejection fires.
+func TestTestDiscovery_RejectsSSRFIssuer_AtEarlyFailRail(t *testing.T) {
+	prev := validateIssuerSSRF
+	validateIssuerSSRF = validation.ValidateSafeURL
+	defer func() { validateIssuerSSRF = prev }()
+
+	svc := newServiceForUnitTest(t)
+	cases := []struct {
+		name   string
+		issuer string
+	}{
+		{"loopback_v4", "https://127.0.0.1/realms/certctl"},
+		{"loopback_v6", "https://[::1]/realms/certctl"},
+		{"cloud_metadata", "https://169.254.169.254/latest/meta-data/"},
+		{"link_local_v4", "https://169.254.10.5/realms/certctl"},
+		{"link_local_v6", "https://[fe80::1]/realms/certctl"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			res, err := svc.TestDiscovery(context.Background(), tc.issuer)
+			if err != nil {
+				t.Fatalf("TestDiscovery (non-fatal): %v", err)
+			}
+			if res == nil {
+				t.Fatalf("expected non-nil result")
+			}
+			if res.DiscoverySucceeded {
+				t.Errorf("expected DiscoverySucceeded=false for SSRF issuer; got true")
+			}
+			if len(res.Errors) == 0 {
+				t.Fatalf("expected non-empty Errors slice")
+			}
+			joined := strings.Join(res.Errors, "|")
+			if !strings.Contains(joined, "SSRF policy") {
+				t.Errorf("expected 'SSRF policy' in errors; got %v", res.Errors)
+			}
+		})
+	}
+}
+
 // TestTestDiscovery_DiscoveryFailure_ReturnsErrorsSlice points
 // TestDiscovery at a URL that doesn't serve a discovery doc; the
 // function MUST return res with DiscoverySucceeded=false and a