Bundle B: Auth & transport surface tightening — 5 findings closed

Closes M-001 + M-002 + M-013 + M-018 + M-025 from comprehensive-audit-2026-04-25. M-001 (CWE-916) — PBKDF2 100k -> 600k via v3 blob format internal/crypto/encryption.go: - New v3Magic (0x03), pbkdf2IterationsV3 (600,000 — OWASP 2024 Password Storage Cheat Sheet floor), v3SaltSize (16 bytes), deriveKeyWithSaltV3 helper. - EncryptIfKeySet now unconditionally writes v3: magic(0x03) || salt(16) || nonce(12) || ciphertext+tag - DecryptIfKeySet falls through v3 -> v2 -> v1 with AEAD verification at each step. Wrong-passphrase v3 reads cannot be silently misattributed to v2/v1. - IsLegacyFormat updated to recognize 0x03 as non-legacy. internal/crypto/encryption_v3_test.go (NEW, 7 tests): V3 round-trip / V2 read-fallback against deterministic v2 fixture / V3 wrong-passphrase fails / V3-vs-V2 dispatch order / V2 vs V3 keys differ for same (passphrase, salt) / iteration-count pin at OWASP 2024 floor / IsLegacyFormat-recognises-V3. Coverage internal/crypto: 86.7% -> 88.2%. M-002 (CWE-862) — Auth-exempt allowlist constants + AST regression test Recon found auth-exempt surface spans TWO layers (audit's claim was incomplete): Layer 1 (router.go direct r.mux.Handle): GET /health, GET /ready, GET /api/v1/auth/info, GET /api/v1/version Layer 2 (cmd/server/main.go::buildFinalHandler URL-prefix dispatch): /.well-known/pki/*, /.well-known/est/*, /scep[/...]* internal/api/router/router.go: - New AuthExemptRouterRoutes constant with per-entry justifications. - New AuthExemptDispatchPrefixes constant. internal/api/router/auth_exempt_test.go (NEW, 2 tests): AST-walks router.go for every direct mux.Handle call and asserts set equals AuthExemptRouterRoutes; reads source bytes of Register / RegisterFunc and asserts they still wrap with middleware.Chain. cmd/server/auth_exempt_test.go (NEW, 2 tests): 14-case table test on buildFinalHandler asserting documented prefixes route to noAuthHandler and authenticated routes route to apiHandler; inverse-overlap pin proves no documented bypass shadows an authenticated prefix. M-013 (CWE-942) — CORS deny-by-default verified-already-clean + pin Audit claim 'default allows all origins if env-var unset' was WRONG. internal/api/middleware/middleware.go::NewCORS already denies cross- origin requests when len(cfg.AllowedOrigins) == 0 (no Access-Control-Allow-Origin header is emitted, same-origin policy applies). internal/api/middleware/cors_test.go: +TestNewCORS_NilOriginsDeniesAll + TestNewCORS_M013_ContractDocumentedInOrder (5-case table test pinning the 3-arm dispatch contract). M-018 (CWE-319 / PCI-DSS Req 4) — Postgres TLS opt-in toggle deploy/helm/certctl/values.yaml: new postgresql.tls.{mode,caSecretRef} operator-facing knobs. Default 'disable' preserves in-cluster pod- network behavior; PCI-scoped operators set verify-full. deploy/helm/certctl/templates/_helpers.tpl: certctl.databaseURL helper pipes postgresql.tls.mode into ?sslmode=. deploy/helm/certctl/templates/server-secret.yaml: uses the helper instead of hardcoded sslmode=disable. deploy/docker-compose.yml: CERTCTL_DATABASE_URL is now ${CERTCTL_DATABASE_URL:-...} so operators override without editing. docs/database-tls.md (NEW): operator runbook covering 4 deployment shapes, RDS verify-full example with PGSSLROOTCERT mount, and pg_stat_ssl verification query. helm template + helm lint clean. M-025 (OWASP ASVS L2 §11.2.1) — Per-key rate limiting internal/api/middleware/middleware.go::NewRateLimiter rewritten from a single global tokenBucket to a keyedRateLimiter map keyed on 'user:'+GetUser(ctx) for authenticated callers 'ip:'+RemoteAddr-host for unauthenticated - Empty UserKey strings treated as unauthenticated. - X-Forwarded-For intentionally NOT consulted (header-spoofing risk). - Create-on-demand bucket allocation under sync.RWMutex with double- check pattern. RateLimitConfig.PerUserRPS / PerUserBurstSize fields with env vars CERTCTL_RATE_LIMIT_PER_USER_RPS / CERTCTL_RATE_LIMIT_PER_USER_BURST allow per-user budgets distinct from per-IP. internal/api/middleware/ratelimit_keyed_test.go (NEW, 5 tests): TwoIPsHaveIndependentBuckets / SameUserDifferentIPsShareBucket / TwoUsersHaveIndependentBuckets / PerUserBudgetOverride / EmptyUserKeyTreatedAsAnonymous. Coverage internal/api/middleware: 82.1% -> 83.7%. Audit deliverables: cowork/comprehensive-audit-2026-04-25/audit-report.md: score 25/55 -> 30/55 closed (High 7/9, Medium 7/27 -> 12/27, Low 8/19). cowork/comprehensive-audit-2026-04-25/findings.yaml: 5 status flips open -> closed with closure notes citing the Bundle B mechanism. certctl/CHANGELOG.md: Bundle B section under [unreleased]. Verification: go test -count=1 -short ./... all green staticcheck on changed packages no new SA*/ST* hits (the 4 pre-existing SA1019 sites in cmd/server/main_test.go are Bundle 9 / M-028 partial closure leftovers tracked in Bundle C) helm template + helm lint clean internal/repository/postgres setup-fail sandbox disk pressure, same on master HEAD before this branch — environmental, not Bundle B
2026-06-12 05:38:53 +00:00 · 2026-04-26 23:09:10 +00:00
parent f091fdbcf2
commit e8f5ecf3c9
17 changed files with 1287 additions and 114 deletions
@@ -6,6 +6,76 @@ import (
 	"testing"
 )

+// Bundle B / Audit M-013 (CWE-942) regression pins.
+//
+// The audit-finding text reads: "CORS configuration default allows all
+// origins if env-var unset". Phase 0 recon proves that claim is WRONG —
+// internal/api/middleware/middleware.go::NewCORS already denies when
+// len(cfg.AllowedOrigins) == 0 (no Access-Control-Allow-Origin header is
+// emitted, so same-origin policy applies). Bundle B's M-013 closure is
+// "verified-already-clean": these tests pin the deny-by-default contract
+// in BOTH shapes (nil slice and empty slice) so a future refactor that
+// inverts the default fails CI.
+
+// TestNewCORS_NilOriginsDeniesAll pins the deny-by-default contract for
+// the nil-slice shape (which is what propagates from a missing
+// CERTCTL_CORS_ORIGINS env var via internal/config/config.go::getEnvList).
+func TestNewCORS_NilOriginsDeniesAll(t *testing.T) {
+	mw := NewCORS(CORSConfig{AllowedOrigins: nil})
+	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
+	req.Header.Set("Origin", "https://attacker.example.com")
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+	if got := rr.Header().Get("Access-Control-Allow-Origin"); got != "" {
+		t.Errorf("nil AllowedOrigins must NOT emit Access-Control-Allow-Origin, got %q", got)
+	}
+	if got := rr.Header().Get("Vary"); got != "" {
+		t.Errorf("nil AllowedOrigins must NOT emit Vary, got %q", got)
+	}
+}
+
+// TestNewCORS_M013_ContractDocumentedInOrder pins the documented dispatch
+// order so a refactor cannot silently invert the cases:
+//
+//	1. len(AllowedOrigins) == 0  → deny (no CORS headers)
+//	2. AllowedOrigins == ["*"]   → allow all (Access-Control-Allow-Origin: *)
+//	3. else                      → exact-match allowlist with Vary: Origin
+//
+// If a refactor accidentally falls through to the allow-all branch when
+// AllowedOrigins is empty, this test fails on case 1.
+func TestNewCORS_M013_ContractDocumentedInOrder(t *testing.T) {
+	cases := []struct {
+		name           string
+		origins        []string
+		incomingOrigin string
+		wantHeader     string // "" means no header expected
+	}{
+		{"deny_empty_slice", []string{}, "https://app.example.com", ""},
+		{"deny_nil", nil, "https://app.example.com", ""},
+		{"allow_all_with_star", []string{"*"}, "https://app.example.com", "*"},
+		{"exact_allow_match", []string{"https://app.example.com"}, "https://app.example.com", "https://app.example.com"},
+		{"exact_deny_mismatch", []string{"https://app.example.com"}, "https://attacker.example.com", ""},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			mw := NewCORS(CORSConfig{AllowedOrigins: tc.origins})
+			handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			}))
+			req := httptest.NewRequest(http.MethodGet, "/", nil)
+			req.Header.Set("Origin", tc.incomingOrigin)
+			rr := httptest.NewRecorder()
+			handler.ServeHTTP(rr, req)
+			if got := rr.Header().Get("Access-Control-Allow-Origin"); got != tc.wantHeader {
+				t.Errorf("got Access-Control-Allow-Origin=%q, want %q (incoming origin=%q)", got, tc.wantHeader, tc.incomingOrigin)
+			}
+		})
+	}
+}
+
 // TestNewCORS_EmptyOriginList denies CORS by default (secure default).
 func TestNewCORS_EmptyOriginList(t *testing.T) {
 	mw := NewCORS(CORSConfig{AllowedOrigins: []string{}})