certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 21:41:39 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	4f2d865b51	feat(middleware): SEC-008 — Permissions-Policy deny-all-features header Acquisition-audit SEC-008 closure (Sprint 2 ACQ, 2026-05-16). Add Permissions-Policy as a sixth security header alongside HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and CSP. Default value is a deny-all-features baseline: accelerometer=(), camera=(), geolocation=(), microphone=(), payment=(), usb=(), interest-cohort=() certctl is a control-plane API + dashboard; no part of the surface needs camera / microphone / geolocation / accelerometer / payment / USB access, and `interest-cohort=()` opts out of the deprecated FLoC browser feature. The deny-all default removes those attack/fingerprint surfaces if certctl is ever embedded in a malicious page or if a dashboard route is XSS-compromised post-CSP-bypass. Per-field empty-string suppression is preserved: operators who want to allow a feature (e.g. hardware-attestation flows wanting WebAuthn's USB transport) can either set Cfg.PermissionsPolicy to their own narrowed allowlist or set it to "" to suppress the header entirely. Tests: - TestSecurityHeaders_PermissionsPolicyDefault — pins the literal default value byte-for-byte so any widening (e.g. someone adding camera=*) breaks the test. - TestSecurityHeaders_PermissionsPolicyOverrideToEmptySuppresses — pins the operator escape hatch and that the per-field suppression contract still holds field-by-field. - TestSecurityHeaders_DefaultsAllPresent gains Permissions-Policy in its loop, so the existing on-error and on-2xx paths now cover the new header too. The middleware pre-trim slice capacity bumps from 5 → 6 entries.	2026-05-16 17:13:17 +00:00
shankar0123	3e78ecb799	feat(security): bodyLimit on noAuth + security headers + encryption-key validation (H-1 master) Closes three 2026-04-24 audit findings (all P2): - cat-s5-4936a1cf0118: noAuthHandler chain accepted arbitrary-size bodies (EST simpleenroll, SCEP, PKI CRL/OCSP, /health, /ready). Memory exhaustion vector without HTTP-layer auth gatekeeping. - cat-s11-missing_security_headers: zero security headers on any response. Clickjacking, MIME-sniffing, untrusted-origin resource loads against the dashboard and API. - cat-r-encryption_key_no_length_validation: CERTCTL_CONFIG_ENCRYPTION_KEY accepted with any non-empty value including a single character. PBKDF2-SHA256 (100k rounds) does not compensate for low-entropy passphrases at scale (CWE-916, CWE-329). Changes: - cmd/server/main.go::noAuthHandler chain — added bodyLimitMiddleware + securityHeadersMiddleware. Same default cap as authed surface (1MB via CERTCTL_MAX_BODY_SIZE), same 413 on overflow. - cmd/server/main.go::middlewareStack (authed) — added securityHeadersMiddleware before corsMiddleware. - internal/api/middleware/securityheaders.go (new) — SecurityHeaders middleware + SecurityHeadersDefaults() with conservative defaults: HSTS 1y+includeSubDomains, X-Frame-Options DENY, X-Content-Type- Options nosniff, Referrer-Policy no-referrer-when-downgrade, CSP default-src 'self' + img/data + style 'unsafe-inline' (Tailwind/Vite needs it; scripts still 'self' only) + connect 'self' + frame- ancestors 'none'. Operators behind a customising reverse proxy can disable any header by setting its config field to empty. - internal/config/config.go::Validate() — enforce minEncryptionKeyLength = 32 bytes when CERTCTL_CONFIG_ENCRYPTION_KEY is set. Empty stays accepted (downstream fail-closed sentinel handles it). Structured error names the env var, the actual length, the required minimum, and the canonical generation command (`openssl rand -base64 32`). Tests: - internal/api/middleware/securityheaders_test.go (new) — 4 cases (defaults present, empty value disables single header, override applied, headers on 4xx/5xx). - internal/config/config_test.go — 5 new cases for the encryption-key length check (empty accepted, 1-byte rejected, 31-byte rejected at boundary, 32-byte accepted, 44-byte realistic operator key accepted). Documentation: - CHANGELOG.md — H-1 section above D-2 under [unreleased] with Breaking-change callout (operators with low-entropy keys must rotate before upgrade). - coverage-gap-audit-2026-04-24-v5/unified-audit.md — Live Tracker 25/47 → 33/47, P1 14/14 (zero remaining), P2 11/27 → 16/27. Three H-1 findings flipped + closed-bundle row added. Verification: - go build ./... — clean - go vet ./... — clean - golangci-lint v2.11.4 run ./... — 0 issues - go test ./internal/api/middleware/... — pass (incl. 4 new SecurityHeaders cases) - go test ./internal/config/... — pass (incl. 5 new EncryptionKey cases) - tsc --noEmit (frontend) — clean - All sibling guardrails (S-1 / G-3 / D-1 / D-2 / B-1 / L-1) still pass Audit findings closed: - cat-s5-4936a1cf0118 (P2) - cat-s11-missing_security_headers (P2) - cat-r-encryption_key_no_length_validation (P2) Breaking change: - Operators with CERTCTL_CONFIG_ENCRYPTION_KEY shorter than 32 bytes must rotate before upgrade. Generate via `openssl rand -base64 32`. Deferred follow-ups: - Weak-key dictionary check (reject password123, common ASCII patterns) — adds operational friction with low marginal entropy gain at the 32-byte minimum. - CSP 'unsafe-inline' for styles — required for Tailwind/Vite per-component <style> blocks; removing requires HTML report or component refactor outside H-1 scope. - Permissions-Policy header — dashboard uses no advanced browser APIs (camera, mic, geolocation); deferred until a real consumer needs it.	2026-04-25 16:40:21 +00:00

Author

SHA1

Message

Date

shankar0123

4f2d865b51

feat(middleware): SEC-008 — Permissions-Policy deny-all-features header

Acquisition-audit SEC-008 closure (Sprint 2 ACQ, 2026-05-16).

Add Permissions-Policy as a sixth security header alongside HSTS,
X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and CSP.
Default value is a deny-all-features baseline:

  accelerometer=(), camera=(), geolocation=(), microphone=(),
  payment=(), usb=(), interest-cohort=()

certctl is a control-plane API + dashboard; no part of the surface
needs camera / microphone / geolocation / accelerometer / payment /
USB access, and `interest-cohort=()` opts out of the deprecated
FLoC browser feature. The deny-all default removes those
attack/fingerprint surfaces if certctl is ever embedded in a
malicious page or if a dashboard route is XSS-compromised
post-CSP-bypass.

Per-field empty-string suppression is preserved: operators who want
to allow a feature (e.g. hardware-attestation flows wanting
WebAuthn's USB transport) can either set Cfg.PermissionsPolicy to
their own narrowed allowlist or set it to "" to suppress the
header entirely.

Tests:
  - TestSecurityHeaders_PermissionsPolicyDefault — pins the literal
    default value byte-for-byte so any widening (e.g. someone adding
    camera=*) breaks the test.
  - TestSecurityHeaders_PermissionsPolicyOverrideToEmptySuppresses —
    pins the operator escape hatch and that the per-field
    suppression contract still holds field-by-field.
  - TestSecurityHeaders_DefaultsAllPresent gains Permissions-Policy
    in its loop, so the existing on-error and on-2xx paths now
    cover the new header too.

The middleware pre-trim slice capacity bumps from 5 → 6 entries.

2026-05-16 17:13:17 +00:00

shankar0123

3e78ecb799

feat(security): bodyLimit on noAuth + security headers + encryption-key validation (H-1 master)

Closes three 2026-04-24 audit findings (all P2):
  - cat-s5-4936a1cf0118: noAuthHandler chain accepted arbitrary-size
    bodies (EST simpleenroll, SCEP, PKI CRL/OCSP, /health, /ready).
    Memory exhaustion vector without HTTP-layer auth gatekeeping.
  - cat-s11-missing_security_headers: zero security headers on any
    response. Clickjacking, MIME-sniffing, untrusted-origin resource
    loads against the dashboard and API.
  - cat-r-encryption_key_no_length_validation: CERTCTL_CONFIG_ENCRYPTION_KEY
    accepted with any non-empty value including a single character.
    PBKDF2-SHA256 (100k rounds) does not compensate for low-entropy
    passphrases at scale (CWE-916, CWE-329).

Changes:
- cmd/server/main.go::noAuthHandler chain — added bodyLimitMiddleware
  + securityHeadersMiddleware. Same default cap as authed surface
  (1MB via CERTCTL_MAX_BODY_SIZE), same 413 on overflow.
- cmd/server/main.go::middlewareStack (authed) — added
  securityHeadersMiddleware before corsMiddleware.
- internal/api/middleware/securityheaders.go (new) — SecurityHeaders
  middleware + SecurityHeadersDefaults() with conservative defaults:
  HSTS 1y+includeSubDomains, X-Frame-Options DENY, X-Content-Type-
  Options nosniff, Referrer-Policy no-referrer-when-downgrade, CSP
  default-src 'self' + img/data + style 'unsafe-inline' (Tailwind/Vite
  needs it; scripts still 'self' only) + connect 'self' + frame-
  ancestors 'none'. Operators behind a customising reverse proxy can
  disable any header by setting its config field to empty.
- internal/config/config.go::Validate() — enforce minEncryptionKeyLength
  = 32 bytes when CERTCTL_CONFIG_ENCRYPTION_KEY is set. Empty stays
  accepted (downstream fail-closed sentinel handles it). Structured
  error names the env var, the actual length, the required minimum,
  and the canonical generation command (`openssl rand -base64 32`).

Tests:
- internal/api/middleware/securityheaders_test.go (new) — 4 cases
  (defaults present, empty value disables single header, override
  applied, headers on 4xx/5xx).
- internal/config/config_test.go — 5 new cases for the encryption-key
  length check (empty accepted, 1-byte rejected, 31-byte rejected at
  boundary, 32-byte accepted, 44-byte realistic operator key accepted).

Documentation:
- CHANGELOG.md — H-1 section above D-2 under [unreleased] with
  Breaking-change callout (operators with low-entropy keys must rotate
  before upgrade).
- coverage-gap-audit-2026-04-24-v5/unified-audit.md — Live Tracker
  25/47 → 33/47, P1 14/14 (zero remaining), P2 11/27 → 16/27. Three
  H-1 findings flipped + closed-bundle row added.

Verification:
- go build ./... — clean
- go vet ./... — clean
- golangci-lint v2.11.4 run ./... — 0 issues
- go test ./internal/api/middleware/... — pass (incl. 4 new
  SecurityHeaders cases)
- go test ./internal/config/... — pass (incl. 5 new EncryptionKey
  cases)
- tsc --noEmit (frontend) — clean
- All sibling guardrails (S-1 / G-3 / D-1 / D-2 / B-1 / L-1) still pass

Audit findings closed:
- cat-s5-4936a1cf0118 (P2)
- cat-s11-missing_security_headers (P2)
- cat-r-encryption_key_no_length_validation (P2)

Breaking change:
- Operators with CERTCTL_CONFIG_ENCRYPTION_KEY shorter than 32 bytes
  must rotate before upgrade. Generate via `openssl rand -base64 32`.

Deferred follow-ups:
- Weak-key dictionary check (reject password123, common ASCII patterns)
  — adds operational friction with low marginal entropy gain at the
  32-byte minimum.
- CSP 'unsafe-inline' for styles — required for Tailwind/Vite
  per-component <style> blocks; removing requires HTML report or
  component refactor outside H-1 scope.
- Permissions-Policy header — dashboard uses no advanced browser APIs
  (camera, mic, geolocation); deferred until a real consumer needs it.

2026-04-25 16:40:21 +00:00

2 Commits