certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:01:30 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	037dab7b6f	fix(agent,service): SEC-002 — validate certificate_id shape + contain key path Sprint 1 unified-master-audit closure. Pre-fix the agent built its on-disk key path via: keyPath := filepath.Join(a.config.KeyDir, job.CertificateID+".key") migrations/000001_initial_schema.up.sql declares managed_certificates.id as TEXT PRIMARY KEY with no shape constraint, so a compromised control plane (or a poisoned database row) could deliver a job whose certificate_id is '../../etc/passwd', '/absolute/path', a NUL-byte payload, or a Windows-separator-laden string — driving arbitrary file write or read on the agent host. Fix (two ends; both load-bearing): Server side: - New internal/validation/certificate_id.go: ValidateCertificateID pins the canonical TEXT-PK shape (^[A-Za-z0-9._-]{1,128}$, plus explicit '.'/'..' rejection). - CertificateService.Create now invokes ValidateCertificateID after the existing required-fields check; malformed IDs are refused before persistence or downstream job creation. Agent side: - cmd/agent/keymem.go: validateAgentCertID mirrors the server-side shape regex. safeAgentKeyPath additionally asserts the joined path is contained within KeyDir via filepath.Rel — even if a future refactor bypasses the shape check, a path that escapes KeyDir fails closed. - poll.go + deploy.go: both filepath.Join call sites routed through safeAgentKeyPath; rejection surfaces via reportJobStatus so the control plane sees the failure. Regression coverage: - internal/validation/certificate_id_test.go: production shapes accepted; explicit rejection table for empty, overlong, posix traversal, absolute, Windows traversal, Windows separator, NUL byte, newline/tab injection, drive prefix, space, unicode dots. - cmd/agent/keymem_test.go: validateAgentCertID acceptance + rejection tables; safeAgentKeyPath happy path + the 8 audit vectors plus empty-keyDir refusal. Closes SEC-002.	2026-05-16 03:31:59 +00:00
shankar0123	8fa61fd7ba	Bundle 0.7 (Coverage Audit Closure): cmd/agent key-handling regression coverage — C-008 closed Phase 0 of the 2026-04-27 coverage-audit closure plan surfaced cmd/agent/keymem.go with two security-critical functions at 0.0% / 11.1% line coverage: - marshalAgentKeyAndZeroize: zeros the DER backing buffer after PEM encode - ensureAgentKeyDirSecure: locks the agent key directory to 0o700 Both ship as defense-in-depth for agent private-key memory hygiene per Bundle 9 / Audit L-002 + L-003 (agent edition), but had ZERO regression tests. This commit adds cmd/agent/keymem_test.go (~510 LoC, 17 top-level test funcs): marshalAgentKeyAndZeroize coverage: - happy path (DER decodes, callback invoked once) - nil key (asserts onDER NEVER invoked) - onDER returns error (errors.Is propagation) - DER backing buffer zeroized after return INVARIANT (the critical assertion) - DER buffer zeroized even on onDER-error path - contract-violator defense (caller retains slice -> reads zeros) ensureAgentKeyDirSecure coverage (13-row table-driven): - empty/dot/root refused with documented error wrap - creates with 0700 (incl. nested ancestors) - existing 0700 noop short-circuit - tighten 0750/0755/0777 -> 0700 - accept existing 0500/0400 (mode&0o077==0 branch, no chmod) - filepath.Clean normalization (trailing slash + dot prefix) - PathIsAFile (documents current behavior; not a bug per call sites) - Idempotent - Concurrent (-race clean across 8 goroutines) - Stat error propagated (root-skips cleanly on non-root CI) - Mkdir error propagated (root-skips cleanly on non-root CI) - Chmod error propagated (linux-only via /sys read-only fs) - Format-includes-cleaned-path debuggability assertion Plus end-to-end smoke replaying cmd/agent/main.go's composition flow. Coverage delta: cmd/agent/keymem.go::marshalAgentKeyAndZeroize 0.0% -> 85.7% (>=85% gate met) cmd/agent/keymem.go::ensureAgentKeyDirSecure 11.1% -> 94.4% (>=85% gate met) cmd/agent overall 54.3% -> 57.7% (+3.4pp) The cmd/agent overall >=75% stretch target is unachievable from a keymem-only test file because the package's bulk (Run, main, executeCSRJob, executeDeploymentJob, verifyAndReportDeployment) is unrelated to key-handling and dominates the denominator. Tracked as a follow-on cmd/agent flow-test bundle. Verification: go test -short ./cmd/agent/... PASS go test -race -count=3 ./cmd/agent/... PASS, 0 races gofmt -l cmd/agent/keymem_test.go clean go vet ./cmd/agent/... clean staticcheck ./cmd/agent/... clean Audit deliverables: coverage-audit-2026-04-27/findings.yaml: C-008 status open -> closed coverage-audit-2026-04-27/gap-backlog.md: closure log entry + H-006 partial coverage-audit-2026-04-27/coverage-report.md: Bundle 0.7 closure block appended coverage-audit-2026-04-27/coverage-matrix.md: cmd/agent row 'NOT MEASURED' -> 57.7% coverage-audit-closure-plan.md: Bundle 0.7 checklist ticked CHANGELOG.md: [unreleased] Bundle 0.7 entry Bundle J (ACME failure-mode coverage) unblocked.	2026-04-27 14:26:00 +00:00

Author

SHA1

Message

Date

shankar0123

037dab7b6f

fix(agent,service): SEC-002 — validate certificate_id shape + contain key path

Sprint 1 unified-master-audit closure. Pre-fix the agent built its
on-disk key path via:

  keyPath := filepath.Join(a.config.KeyDir, job.CertificateID+".key")

migrations/000001_initial_schema.up.sql declares managed_certificates.id
as TEXT PRIMARY KEY with no shape constraint, so a compromised control
plane (or a poisoned database row) could deliver a job whose
certificate_id is '../../etc/passwd', '/absolute/path', a NUL-byte
payload, or a Windows-separator-laden string — driving arbitrary
file write or read on the agent host.

Fix (two ends; both load-bearing):

Server side:
  - New internal/validation/certificate_id.go: ValidateCertificateID
    pins the canonical TEXT-PK shape (^[A-Za-z0-9._-]{1,128}$, plus
    explicit '.'/'..' rejection).
  - CertificateService.Create now invokes ValidateCertificateID after
    the existing required-fields check; malformed IDs are refused
    before persistence or downstream job creation.

Agent side:
  - cmd/agent/keymem.go: validateAgentCertID mirrors the server-side
    shape regex. safeAgentKeyPath additionally asserts the joined
    path is contained within KeyDir via filepath.Rel — even if a
    future refactor bypasses the shape check, a path that escapes
    KeyDir fails closed.
  - poll.go + deploy.go: both filepath.Join call sites routed
    through safeAgentKeyPath; rejection surfaces via reportJobStatus
    so the control plane sees the failure.

Regression coverage:
  - internal/validation/certificate_id_test.go: production shapes
    accepted; explicit rejection table for empty, overlong, posix
    traversal, absolute, Windows traversal, Windows separator, NUL
    byte, newline/tab injection, drive prefix, space, unicode dots.
  - cmd/agent/keymem_test.go: validateAgentCertID acceptance +
    rejection tables; safeAgentKeyPath happy path + the 8 audit
    vectors plus empty-keyDir refusal.

Closes SEC-002.

2026-05-16 03:31:59 +00:00

shankar0123

8fa61fd7ba

Bundle 0.7 (Coverage Audit Closure): cmd/agent key-handling regression coverage — C-008 closed

Phase 0 of the 2026-04-27 coverage-audit closure plan surfaced cmd/agent/keymem.go

with two security-critical functions at 0.0% / 11.1% line coverage:

  - marshalAgentKeyAndZeroize: zeros the DER backing buffer after PEM encode

  - ensureAgentKeyDirSecure: locks the agent key directory to 0o700

Both ship as defense-in-depth for agent private-key memory hygiene per

Bundle 9 / Audit L-002 + L-003 (agent edition), but had ZERO regression tests.

This commit adds cmd/agent/keymem_test.go (~510 LoC, 17 top-level test funcs):

marshalAgentKeyAndZeroize coverage:

  - happy path (DER decodes, callback invoked once)

  - nil key (asserts onDER NEVER invoked)

  - onDER returns error (errors.Is propagation)

  - DER backing buffer zeroized after return INVARIANT (the critical assertion)

  - DER buffer zeroized even on onDER-error path

  - contract-violator defense (caller retains slice -> reads zeros)

ensureAgentKeyDirSecure coverage (13-row table-driven):

  - empty/dot/root refused with documented error wrap

  - creates with 0700 (incl. nested ancestors)

  - existing 0700 noop short-circuit

  - tighten 0750/0755/0777 -> 0700

  - accept existing 0500/0400 (mode&0o077==0 branch, no chmod)

  - filepath.Clean normalization (trailing slash + dot prefix)

  - PathIsAFile (documents current behavior; not a bug per call sites)

  - Idempotent

  - Concurrent (-race clean across 8 goroutines)

  - Stat error propagated (root-skips cleanly on non-root CI)

  - Mkdir error propagated (root-skips cleanly on non-root CI)

  - Chmod error propagated (linux-only via /sys read-only fs)

  - Format-includes-cleaned-path debuggability assertion

Plus end-to-end smoke replaying cmd/agent/main.go's composition flow.

Coverage delta:

  cmd/agent/keymem.go::marshalAgentKeyAndZeroize  0.0%  -> 85.7% (>=85% gate met)

  cmd/agent/keymem.go::ensureAgentKeyDirSecure   11.1% -> 94.4% (>=85% gate met)

  cmd/agent overall                              54.3% -> 57.7% (+3.4pp)

The cmd/agent overall >=75% stretch target is unachievable from a keymem-only

test file because the package's bulk (Run, main, executeCSRJob,

executeDeploymentJob, verifyAndReportDeployment) is unrelated to key-handling

and dominates the denominator. Tracked as a follow-on cmd/agent flow-test bundle.

Verification:

  go test -short ./cmd/agent/...                  PASS

  go test -race -count=3 ./cmd/agent/...          PASS, 0 races

  gofmt -l cmd/agent/keymem_test.go               clean

  go vet ./cmd/agent/...                          clean

  staticcheck ./cmd/agent/...                     clean

Audit deliverables:

  coverage-audit-2026-04-27/findings.yaml: C-008 status open -> closed

  coverage-audit-2026-04-27/gap-backlog.md: closure log entry + H-006 partial

  coverage-audit-2026-04-27/coverage-report.md: Bundle 0.7 closure block appended

  coverage-audit-2026-04-27/coverage-matrix.md: cmd/agent row 'NOT MEASURED' -> 57.7%

  coverage-audit-closure-plan.md: Bundle 0.7 checklist ticked

  CHANGELOG.md: [unreleased] Bundle 0.7 entry

Bundle J (ACME failure-mode coverage) unblocked.

2026-04-27 14:26:00 +00:00

2 Commits