certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 19:41:30 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	2a1a0b347c	harden(oidc): pre-login UA/IP binding (MED-16) — RFC 9700 §4.7.1 Audit 2026-05-10 MED-16 closure. WHAT. Binds the OIDC pre-login row to the (clientIP, userAgent) tuple of the /auth/oidc/login request, and enforces a constant-time compare against the /auth/oidc/callback request at consume time. Defeats replay of a stolen pre-login cookie by a different browser / source — the secondary defense layer recommended by RFC 9700 §4.7.1 when the primary layer (HMAC integrity + Path=/ + SameSite=Lax on the cookie) is bypassed via CSRF / XSS / TLS-termination leak. WHY. Pre-fix, the pre-login cookie's HMAC verified only that 'some' caller of /auth/oidc/login was talking to /auth/oidc/callback; it did not verify that the SAME browser / source was on both sides. An attacker who exfiltrated the cookie value via any vector could replay the bytes through their own user-agent and ride the victim's authorization. RFC 9700 §4.7.1 calls out the gap explicitly and recommends binding state to a user-agent fingerprint + source IP. HOW. Migration: migrations/000044_prelogin_uaip.up.sql ALTER TABLE oidc_pre_login_sessions ADD COLUMN IF NOT EXISTS client_ip TEXT, ADD COLUMN IF NOT EXISTS user_agent TEXT; Both nullable for in-flight rolling-deploy compat — the consume- side check only enforces when both row AND request carry non-empty values for the leg in question. Domain: internal/repository/oidc.go (PreLoginSession) — adds ClientIP + UserAgent fields. Repository: internal/repository/postgres/oidc_prelogin.go — Create persists via sql.NullString (empty → NULL); LookupAndConsume reads back. Re-uses package-local nullableString from discovery.go. Service: internal/auth/oidc/service.go - PreLoginStore.CreatePreLogin signature takes (clientIP, userAgent) as positions 5–6. - PreLoginStore.LookupAndConsume returns (clientIP, userAgent) as positions 5–6. - HandleAuthRequest signature gains (clientIP, userAgent), threaded to the store. - HandleCallback adds Step 1.5 — UA / IP constant-time compare between stored row and incoming request. Per-leg toggles via preLoginRequireUA / preLoginRequireIP service fields. Empty values on either side pass through (rolling-deploy + headless- proxy compat). - New sentinels ErrPreLoginUAMismatch, ErrPreLoginIPMismatch. - SetPreLoginBindingRequirements(requireUA, requireIP) helper for main.go config wiring. Adapter: internal/auth/oidc/prelogin.go — PreLoginAdapter passes the new fields through to the repo row. Handler: internal/api/handler/auth_session_oidc.go - OIDCAuthHandshaker.HandleAuthRequest signature updated. - LoginInitiate captures clientIPFromRequest + r.UserAgent() and passes to the service. - classifyOIDCFailure adds errors.Is dispatch for the two new sentinels → prelogin_ua_mismatch / prelogin_ip_mismatch audit categories. Config: internal/config/config.go + AuthConfig.OIDCPreLoginRequireUA (default true) env CERTCTL_OIDC_PRELOGIN_REQUIRE_UA + AuthConfig.OIDCPreLoginRequireIP (default true) env CERTCTL_OIDC_PRELOGIN_REQUIRE_IP cmd/server/main.go calls oidcService.SetPreLoginBindingRequirements from cfg.Auth.OIDCPreLoginRequire{UA,IP}. Tests (internal/auth/oidc/service_test.go): - TestService_HandleCallback_MED16_UAMismatchRejected - TestService_HandleCallback_MED16_IPMismatchRejected - TestService_HandleCallback_MED16_BothMatch_Succeeds - TestService_HandleCallback_MED16_LegacyRowEmptyValues (rolling- deploy compat — empty stored values pass through) - TestService_HandleCallback_MED16_RequireUAFalse_AllowsMismatch (operator escape-hatch — UA mismatch silently allowed) Mechanical fan-out: - stubPreLogin / stubPreLoginRepo signatures updated. - All existing call sites in service_test.go (~40), prelogin_test.go, bench_test.go, logging_test.go, provider_enabled_test.go, integration_keycloak_test.go, integration_okta_smoke_test.go, auth_session_oidc_test.go updated to pass empty strings for the new params — pre-existing tests do not exercise UA/IP binding semantics. VERIFY. - go vet ./internal/auth/oidc/... ./internal/api/handler/... ./internal/config/... PASS - go test -short -count=1 -run MED16 ./internal/auth/oidc/... PASS (5/5) - go test -short -count=1 ./internal/auth/oidc/... PASS (4.6s) - go test -short -count=1 ./internal/api/handler/... PASS (4.3s) - go test -short -count=1 ./internal/config/... PASS Refs: cowork/auth-bundles-audit-2026-05-10.md MED-16 cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 6 RFC 9700 §4.7.1 — OAuth 2.0 Security Best Current Practice	2026-05-10 23:18:23 +00:00
shankar0123	2cd2a5c52f	harden(oidc): RFC 9207 iss URL parameter check on callback (MED-17) Audit 2026-05-10 MED-17 closure. WHAT. When the matched IdP's discovery doc advertises authorization_response_iss_parameter_supported=true (RFC 9207 §3), HandleCallback now REQUIRES a non-empty `iss` query parameter on /auth/oidc/callback and enforces a constant-time compare against the configured provider's IssuerURL. Mismatch maps to two new sentinel errors (ErrIssParamMissing / ErrIssParamMismatch) that the handler's classifyOIDCFailure dispatches via errors.Is BEFORE the substring fall-through, so the audit failure_category remains distinguishable between the RFC 9207 leg (iss_param_missing / iss_param_mismatch) and the in-token iss claim leg (id_token_iss_mismatch). WHY. The RFC 9207 iss URL parameter is the load-bearing mix-up-attack defense for multi-tenant IdPs (Keycloak realms, Authentik tenants, Auth0 tenants, public-trust CAs). Pre-fix the parameter was silently ignored — an attacker controlling one IdP tenant could route an auth code to certctl's callback against a different tenant's pre-login state without detection. Modern Keycloak / Authentik / public-trust CAs ship the discovery flag by default; legacy IdPs that don't advertise are unaffected (back-compat preserved). HOW. - internal/auth/oidc/service.go - providerEntry gains issParamSupported bool. - getOrLoad extends the discovery-claims read to include authorization_response_iss_parameter_supported, alongside the existing id_token_signing_alg_values_supported defense. - HandleCallback's signature gains callbackIss string at position 5. Step 2.5 runs after the state compare + provider load: when issParamSupported is true, an empty callbackIss returns ErrIssParamMissing; a present-but-mismatched value returns ErrIssParamMismatch (constant-time compare). - Two new sentinels: ErrIssParamMissing, ErrIssParamMismatch. ErrIssuerMismatch's doc-string clarified to note it covers the in-token leg only. - internal/api/handler/auth_session_oidc.go - OIDCAuthHandshaker.HandleCallback signature updated. - LoginCallback reads r.URL.Query().Get("iss") (no TrimSpace — byte-strict compare upstream) and threads it through. - classifyOIDCFailure: typed errors.Is dispatch for the three iss-family sentinels BEFORE the substring fall-through, so the three cases stay distinguishable in the audit row. - internal/api/handler/auth_session_oidc_test.go - stubOIDCSvc.HandleCallback bumped to 7-arg signature. - TestClassifyOIDCFailure extended with 5 new cases pinning the iss-family dispatch + a wrapped-error round-trip. - internal/auth/oidc/service_test.go - mockIdP gains advertiseIssParameterSupported bool; the /.well-known/openid-configuration handler emits the claim only when set (so existing tests stay back-compat). - 4 new regression tests: * MED17_NoSupport_AnyIssAccepted — provider doesn't advertise; arbitrary callbackIss is ignored (back-compat). * MED17_SupportButMissing — provider advertises; missing iss → ErrIssParamMissing. * MED17_SupportButMismatch — provider advertises; wrong iss → ErrIssParamMismatch (load-bearing mix-up defense). * MED17_SupportAndCorrect — provider advertises; matching iss → success path proves the gate isn't over-eager. - internal/auth/oidc/bench_test.go, internal/auth/oidc/logging_test.go, internal/auth/oidc/integration_keycloak_test.go - Mechanical: all existing HandleCallback call sites updated to pass "" for callbackIss (matches pre-fix behavior for IdPs that don't advertise support — the Keycloak integration suite tests will be re-evaluated once the Keycloak fixture is run against a realm with the discovery flag enabled). VERIFY. - go vet ./internal/auth/oidc/... ./internal/api/handler/... PASS - go test -short -count=1 ./internal/auth/oidc/... PASS (3.4s) - go test -short -count=1 ./internal/api/handler/... PASS (5.4s) - 4 new MED-17 regression tests + extended TestClassifyOIDCFailure pass. Refs: cowork/auth-bundles-audit-2026-05-10.md MED-17 cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 7 RFC 9207 — OAuth 2.0 Authorization Server Issuer Identification	2026-05-10 23:05:52 +00:00
shankar0123	9b6294e83d	auth-bundle-2 Phase 14: session + OIDC validation benchmarks (steady-state + cold paths) + auth-benchmarks.md operator doc + Makefile targets Closes Phase 14 of cowork/auth-bundle-2-prompt.md. Ships four benchmarks producing four numbers + the operator-doc table; three default-tag benchmarks runnable on every CI runner, the fourth (cold-cache OIDC) runnable on operator-side Docker hosts via the new make target. Files ===== internal/auth/session/bench_test.go (NEW): * BenchmarkSession_SteadyState (target p99 < 1ms; measured 5µs). Warm in-memory repo + warm session row. Pure CPU: parseCookie + HMAC verify + map lookup + sentinel checks. * BenchmarkSession_ColdProcess (target p99 < 10ms; measured 7.1ms). Same pipeline but with a configurable per-call delay simulating a 1ms Postgres RTT on each repo call. Two repo calls per Validate (signing-key fetch + session-row fetch) = 2ms minimum; Go time.Sleep granularity adds ~1-2ms jitter. Documented why testcontainers Postgres isn't viable inside b.N: 30+ second container boot incompatible with per-iteration timing. * slowSessionRepo + slowKeyRepo wrappers add the per-call delay via time.Sleep; they delegate to the existing in-memory stubs. * reportPercentiles helper sorts + reports p50/p95/p99/max via b.ReportMetric (Go testing.B doesn't surface percentiles natively). internal/auth/oidc/bench_test.go (NEW): * BenchmarkOIDC_SteadyState (target p99 < 5ms; measured 1.5ms). Drives full HandleCallback against an in-process mockIdP (httptest.Server localhost loopback). Pre-warmed JWKS cache via RefreshKeys at setup. Pipeline: pre-login consume + state compare + token exchange (localhost ~50-200µs) + go-oidc Verify (RSA-2048 sig verify + alg pin) + service-layer iss/ aud/azp/at_hash/exp/iat/nonce re-checks + group-claim resolution + group→role mapping + user upsert + session mint. * The localhost-loopback /token call adds ~100-500µs of TCP overhead vs pure crypto; the prompt's "no network calls" steady-state framing accommodates this since the localhost loopback is the closest practical proxy for a same-region IdP /token call (which adds 5-15ms in production). internal/auth/oidc/bench_keycloak_test.go (NEW, //go:build integration): * BenchmarkOIDC_ColdCache (target p99 < 200ms; operator-runs). Drives RefreshKeys against a live Keycloak container from the Phase 10 testfixtures harness. Each iteration evicts the in-process cache + re-fetches discovery + re-fetches JWKS over real HTTP + re-runs the IdP-downgrade-attack defense. * Network-bounded: the cold path is dominated by HTTPS RTT to the IdP discovery endpoint, NOT crypto. The 200ms cap accommodates a geographically-distant IdP (~150ms RTT) plus the in-process JWKS fetch + downgrade-defense logic (~5ms locally). * Reuses the sharedKeycloak fixture from integration_keycloak_test.go (Phase 10) so the benchmark doesn't pay the 60-90s container boot cost separately. Skips with a clear message if invoked without the integration test setup. * Reports p50/p95/p99/max in MILLISECONDS (vs the microsecond-granularity steady-state benchmarks) since the cold path is two orders of magnitude slower. internal/auth/oidc/service_test.go (MODIFIED): * Refactored newMockIdP(t testing.T) to delegate to a new newMockIdPWithTB(t testing.TB) sibling. Standard Go pattern for sharing test fixtures between testing.T and testing.B. No behavior change for existing service_test.go tests; the benchmark file in bench_test.go calls newMockIdPWithTB(b) to get the same fixture. docs/operator/auth-benchmarks.md (NEW): Result table with all four benchmarks + targets + measured numbers + status markers. Four-row matrix for the default-tag benchmarks; the fourth row (cold-cache) is operator-recorded with an empty cell waiting for the first Docker-equipped run. * Hardware floor section pinning the 4 vCPU / 8 GiB RAM / Postgres 16 / Go 1.25 baseline. GitHub-hosted Ubuntu runners satisfy this; operators on weaker hardware re-record. * "What each benchmark covers (and what it doesn't)" section per benchmark, distinguishing the warm steady-state pipeline from the cold path's network-bounded budget. * "Cold-cache OIDC: how to run" subsection documenting the make target + the test+benchmark coupling needed to populate sharedKeycloak. Operator-recorded baseline table seeded empty for first runs. * "Why the cold path is bounded by network latency, not crypto" section explaining the budget breakdown: - TCP handshake (1 RTT) - TLS 1.3 handshake (1-2 RTTs) - 2 HTTPS GETs (discovery + JWKS, 1 RTT each) - In-process crypto on the certctl side (~5-10ms total) So the 200ms cap is operator-checkable: real measurement > 200ms means the IdP is slow OR network congestion OR DNS issues — the diagnosis is upstream of certctl. Real measurement < 200ms means the IdP is on a fast same-region link. * Methodology section pinning the per-iteration timing capture + sort + percentile-extract approach. * Pre-merge audit section for the Phase 14 exit gate: four benchmarks ran, four numbers recorded, steady-state targets met, cold path is operator-runnable + measurably-bounded. Makefile (MODIFIED): * Added `make benchmark-auth` (default-tag, runs three of four benchmarks at 2000 samples each). * Added `make benchmark-auth-coldcache` (integration-tagged, runs OIDC cold-cache against live Keycloak; requires Docker). * Both targets carry explanatory comment blocks. docs/README.md (MODIFIED): * Added the auth-benchmarks.md doc to the Operator nav table alongside performance-baselines.md. Measured baselines at Phase 14 close (linux/arm64, 4 vCPU) ========================================================== BenchmarkSession_SteadyState p99 = 5µs (target < 1ms) ✓ 200× under BenchmarkSession_ColdProcess p99 = 7.1ms (target < 10ms) ✓ BenchmarkOIDC_SteadyState p99 = 1.5ms (target < 5ms) ✓ 3× under BenchmarkOIDC_ColdCache operator-runs (Docker required) Verification ============ * gofmt -l on three new bench files: clean. * go vet ./internal/auth/session/... ./internal/auth/oidc/...: clean (default tag). * go vet -tags integration ./internal/auth/oidc/...: clean (integration tag covers the bench_keycloak_test.go file). * go test -short -count=1 across all 5 OIDC + session packages: green; the bench__test.go files compile but don't run under -short (testing.Short() guards + benchmarks are not selected by -run pattern). All three runnable benchmarks executed and produce the numbers above; recorded in auth-benchmarks.md.	2026-05-10 16:51:28 +00:00

Author

SHA1

Message

Date

shankar0123

2a1a0b347c

harden(oidc): pre-login UA/IP binding (MED-16) — RFC 9700 §4.7.1

Audit 2026-05-10 MED-16 closure.

WHAT.

Binds the OIDC pre-login row to the (clientIP, userAgent) tuple of
the /auth/oidc/login request, and enforces a constant-time compare
against the /auth/oidc/callback request at consume time. Defeats
replay of a stolen pre-login cookie by a different browser /
source — the secondary defense layer recommended by RFC 9700 §4.7.1
when the primary layer (HMAC integrity + Path=/ + SameSite=Lax on
the cookie) is bypassed via CSRF / XSS / TLS-termination leak.

WHY.

Pre-fix, the pre-login cookie's HMAC verified only that 'some'
caller of /auth/oidc/login was talking to /auth/oidc/callback; it
did not verify that the SAME browser / source was on both sides.
An attacker who exfiltrated the cookie value via any vector could
replay the bytes through their own user-agent and ride the victim's
authorization. RFC 9700 §4.7.1 calls out the gap explicitly and
recommends binding state to a user-agent fingerprint + source IP.

HOW.

Migration:
  migrations/000044_prelogin_uaip.up.sql
    ALTER TABLE oidc_pre_login_sessions
      ADD COLUMN IF NOT EXISTS client_ip   TEXT,
      ADD COLUMN IF NOT EXISTS user_agent  TEXT;
  Both nullable for in-flight rolling-deploy compat — the consume-
  side check only enforces when both row AND request carry non-empty
  values for the leg in question.

Domain:
  internal/repository/oidc.go (PreLoginSession) — adds ClientIP +
    UserAgent fields.

Repository:
  internal/repository/postgres/oidc_prelogin.go — Create persists
    via sql.NullString (empty → NULL); LookupAndConsume reads back.
    Re-uses package-local nullableString from discovery.go.

Service:
  internal/auth/oidc/service.go
    - PreLoginStore.CreatePreLogin signature takes (clientIP,
      userAgent) as positions 5–6.
    - PreLoginStore.LookupAndConsume returns (clientIP, userAgent)
      as positions 5–6.
    - HandleAuthRequest signature gains (clientIP, userAgent),
      threaded to the store.
    - HandleCallback adds Step 1.5 — UA / IP constant-time compare
      between stored row and incoming request. Per-leg toggles via
      preLoginRequireUA / preLoginRequireIP service fields. Empty
      values on either side pass through (rolling-deploy + headless-
      proxy compat).
    - New sentinels ErrPreLoginUAMismatch, ErrPreLoginIPMismatch.
    - SetPreLoginBindingRequirements(requireUA, requireIP) helper
      for main.go config wiring.

Adapter:
  internal/auth/oidc/prelogin.go — PreLoginAdapter passes the new
    fields through to the repo row.

Handler:
  internal/api/handler/auth_session_oidc.go
    - OIDCAuthHandshaker.HandleAuthRequest signature updated.
    - LoginInitiate captures clientIPFromRequest + r.UserAgent()
      and passes to the service.
    - classifyOIDCFailure adds errors.Is dispatch for the two new
      sentinels → prelogin_ua_mismatch / prelogin_ip_mismatch
      audit categories.

Config:
  internal/config/config.go
    + AuthConfig.OIDCPreLoginRequireUA (default true)
      env CERTCTL_OIDC_PRELOGIN_REQUIRE_UA
    + AuthConfig.OIDCPreLoginRequireIP (default true)
      env CERTCTL_OIDC_PRELOGIN_REQUIRE_IP
  cmd/server/main.go calls oidcService.SetPreLoginBindingRequirements
    from cfg.Auth.OIDCPreLoginRequire{UA,IP}.

Tests (internal/auth/oidc/service_test.go):
  - TestService_HandleCallback_MED16_UAMismatchRejected
  - TestService_HandleCallback_MED16_IPMismatchRejected
  - TestService_HandleCallback_MED16_BothMatch_Succeeds
  - TestService_HandleCallback_MED16_LegacyRowEmptyValues  (rolling-
    deploy compat — empty stored values pass through)
  - TestService_HandleCallback_MED16_RequireUAFalse_AllowsMismatch
    (operator escape-hatch — UA mismatch silently allowed)

Mechanical fan-out:
  - stubPreLogin / stubPreLoginRepo signatures updated.
  - All existing call sites in service_test.go (~40), prelogin_test.go,
    bench_test.go, logging_test.go, provider_enabled_test.go,
    integration_keycloak_test.go, integration_okta_smoke_test.go,
    auth_session_oidc_test.go updated to pass empty strings for the
    new params — pre-existing tests do not exercise UA/IP binding
    semantics.

VERIFY.

- go vet ./internal/auth/oidc/... ./internal/api/handler/...
  ./internal/config/...                                       PASS
- go test -short -count=1 -run MED16 ./internal/auth/oidc/... PASS (5/5)
- go test -short -count=1 ./internal/auth/oidc/...            PASS (4.6s)
- go test -short -count=1 ./internal/api/handler/...          PASS (4.3s)
- go test -short -count=1 ./internal/config/...               PASS

Refs: cowork/auth-bundles-audit-2026-05-10.md MED-16
      cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 6
      RFC 9700 §4.7.1 — OAuth 2.0 Security Best Current Practice

2026-05-10 23:18:23 +00:00

shankar0123

2cd2a5c52f

harden(oidc): RFC 9207 iss URL parameter check on callback (MED-17)

Audit 2026-05-10 MED-17 closure.

WHAT.

When the matched IdP's discovery doc advertises
authorization_response_iss_parameter_supported=true (RFC 9207 §3),
HandleCallback now REQUIRES a non-empty `iss` query parameter on
/auth/oidc/callback and enforces a constant-time compare against the
configured provider's IssuerURL. Mismatch maps to two new sentinel
errors (ErrIssParamMissing / ErrIssParamMismatch) that the handler's
classifyOIDCFailure dispatches via errors.Is BEFORE the substring
fall-through, so the audit failure_category remains distinguishable
between the RFC 9207 leg (iss_param_missing / iss_param_mismatch) and
the in-token iss claim leg (id_token_iss_mismatch).

WHY.

The RFC 9207 iss URL parameter is the load-bearing mix-up-attack
defense for multi-tenant IdPs (Keycloak realms, Authentik tenants,
Auth0 tenants, public-trust CAs). Pre-fix the parameter was silently
ignored — an attacker controlling one IdP tenant could route an auth
code to certctl's callback against a different tenant's pre-login
state without detection. Modern Keycloak / Authentik / public-trust
CAs ship the discovery flag by default; legacy IdPs that don't
advertise are unaffected (back-compat preserved).

HOW.

- internal/auth/oidc/service.go
  - providerEntry gains issParamSupported bool.
  - getOrLoad extends the discovery-claims read to include
    authorization_response_iss_parameter_supported, alongside the
    existing id_token_signing_alg_values_supported defense.
  - HandleCallback's signature gains callbackIss string at position 5.
    Step 2.5 runs after the state compare + provider load: when
    issParamSupported is true, an empty callbackIss returns
    ErrIssParamMissing; a present-but-mismatched value returns
    ErrIssParamMismatch (constant-time compare).
  - Two new sentinels: ErrIssParamMissing, ErrIssParamMismatch.
    ErrIssuerMismatch's doc-string clarified to note it covers the
    in-token leg only.

- internal/api/handler/auth_session_oidc.go
  - OIDCAuthHandshaker.HandleCallback signature updated.
  - LoginCallback reads r.URL.Query().Get("iss") (no TrimSpace —
    byte-strict compare upstream) and threads it through.
  - classifyOIDCFailure: typed errors.Is dispatch for the three
    iss-family sentinels BEFORE the substring fall-through, so the
    three cases stay distinguishable in the audit row.

- internal/api/handler/auth_session_oidc_test.go
  - stubOIDCSvc.HandleCallback bumped to 7-arg signature.
  - TestClassifyOIDCFailure extended with 5 new cases pinning the
    iss-family dispatch + a wrapped-error round-trip.

- internal/auth/oidc/service_test.go
  - mockIdP gains advertiseIssParameterSupported bool; the
    /.well-known/openid-configuration handler emits the claim only
    when set (so existing tests stay back-compat).
  - 4 new regression tests:
    * MED17_NoSupport_AnyIssAccepted — provider doesn't advertise;
      arbitrary callbackIss is ignored (back-compat).
    * MED17_SupportButMissing — provider advertises; missing iss →
      ErrIssParamMissing.
    * MED17_SupportButMismatch — provider advertises; wrong iss →
      ErrIssParamMismatch (load-bearing mix-up defense).
    * MED17_SupportAndCorrect — provider advertises; matching iss →
      success path proves the gate isn't over-eager.

- internal/auth/oidc/bench_test.go,
  internal/auth/oidc/logging_test.go,
  internal/auth/oidc/integration_keycloak_test.go
  - Mechanical: all existing HandleCallback call sites updated to
    pass "" for callbackIss (matches pre-fix behavior for IdPs that
    don't advertise support — the Keycloak integration suite tests
    will be re-evaluated once the Keycloak fixture is run against a
    realm with the discovery flag enabled).

VERIFY.

- go vet ./internal/auth/oidc/... ./internal/api/handler/...   PASS
- go test -short -count=1 ./internal/auth/oidc/...              PASS (3.4s)
- go test -short -count=1 ./internal/api/handler/...            PASS (5.4s)
- 4 new MED-17 regression tests + extended TestClassifyOIDCFailure pass.

Refs: cowork/auth-bundles-audit-2026-05-10.md MED-17
      cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 7
      RFC 9207 — OAuth 2.0 Authorization Server Issuer Identification

2026-05-10 23:05:52 +00:00

shankar0123

9b6294e83d

auth-bundle-2 Phase 14: session + OIDC validation benchmarks (steady-state + cold paths) + auth-benchmarks.md operator doc + Makefile targets

Closes Phase 14 of cowork/auth-bundle-2-prompt.md. Ships four
benchmarks producing four numbers + the operator-doc table; three
default-tag benchmarks runnable on every CI runner, the fourth
(cold-cache OIDC) runnable on operator-side Docker hosts via the
new make target.

Files
=====

internal/auth/session/bench_test.go (NEW):
* BenchmarkSession_SteadyState (target p99 < 1ms; measured 5µs).
  Warm in-memory repo + warm session row. Pure CPU: parseCookie +
  HMAC verify + map lookup + sentinel checks.
* BenchmarkSession_ColdProcess (target p99 < 10ms; measured 7.1ms).
  Same pipeline but with a configurable per-call delay simulating
  a 1ms Postgres RTT on each repo call. Two repo calls per
  Validate (signing-key fetch + session-row fetch) = 2ms minimum;
  Go time.Sleep granularity adds ~1-2ms jitter. Documented why
  testcontainers Postgres isn't viable inside b.N: 30+ second
  container boot incompatible with per-iteration timing.
* slowSessionRepo + slowKeyRepo wrappers add the per-call delay
  via time.Sleep; they delegate to the existing in-memory stubs.
* reportPercentiles helper sorts + reports p50/p95/p99/max via
  b.ReportMetric (Go testing.B doesn't surface percentiles
  natively).

internal/auth/oidc/bench_test.go (NEW):
* BenchmarkOIDC_SteadyState (target p99 < 5ms; measured 1.5ms).
  Drives full HandleCallback against an in-process mockIdP
  (httptest.Server localhost loopback). Pre-warmed JWKS cache via
  RefreshKeys at setup. Pipeline: pre-login consume + state
  compare + token exchange (localhost ~50-200µs) + go-oidc
  Verify (RSA-2048 sig verify + alg pin) + service-layer iss/
  aud/azp/at_hash/exp/iat/nonce re-checks + group-claim
  resolution + group→role mapping + user upsert + session mint.
* The localhost-loopback /token call adds ~100-500µs of TCP
  overhead vs pure crypto; the prompt's "no network calls"
  steady-state framing accommodates this since the localhost
  loopback is the closest practical proxy for a same-region
  IdP /token call (which adds 5-15ms in production).

internal/auth/oidc/bench_keycloak_test.go (NEW, //go:build integration):
* BenchmarkOIDC_ColdCache (target p99 < 200ms; operator-runs).
  Drives RefreshKeys against a live Keycloak container from the
  Phase 10 testfixtures harness. Each iteration evicts the
  in-process cache + re-fetches discovery + re-fetches JWKS over
  real HTTP + re-runs the IdP-downgrade-attack defense.
* Network-bounded: the cold path is dominated by HTTPS RTT to
  the IdP discovery endpoint, NOT crypto. The 200ms cap
  accommodates a geographically-distant IdP (~150ms RTT) plus
  the in-process JWKS fetch + downgrade-defense logic (~5ms
  locally).
* Reuses the sharedKeycloak fixture from
  integration_keycloak_test.go (Phase 10) so the benchmark
  doesn't pay the 60-90s container boot cost separately. Skips
  with a clear message if invoked without the integration test
  setup.
* Reports p50/p95/p99/max in MILLISECONDS (vs the
  microsecond-granularity steady-state benchmarks) since the
  cold path is two orders of magnitude slower.

internal/auth/oidc/service_test.go (MODIFIED):
* Refactored newMockIdP(t *testing.T) to delegate to a new
  newMockIdPWithTB(t testing.TB) sibling. Standard Go pattern
  for sharing test fixtures between *testing.T and *testing.B.
  No behavior change for existing service_test.go tests; the
  benchmark file in bench_test.go calls newMockIdPWithTB(b)
  to get the same fixture.

docs/operator/auth-benchmarks.md (NEW):
* Result table with all four benchmarks + targets + measured
  numbers + status markers. Four-row matrix for the default-tag
  benchmarks; the fourth row (cold-cache) is operator-recorded
  with an empty cell waiting for the first Docker-equipped run.
* Hardware floor section pinning the 4 vCPU / 8 GiB RAM /
  Postgres 16 / Go 1.25 baseline. GitHub-hosted Ubuntu runners
  satisfy this; operators on weaker hardware re-record.
* "What each benchmark covers (and what it doesn't)" section
  per benchmark, distinguishing the warm steady-state pipeline
  from the cold path's network-bounded budget.
* "Cold-cache OIDC: how to run" subsection documenting the
  make target + the test+benchmark coupling needed to populate
  sharedKeycloak. Operator-recorded baseline table seeded
  empty for first runs.
* "Why the cold path is bounded by network latency, not crypto"
  section explaining the budget breakdown:
    - TCP handshake (1 RTT)
    - TLS 1.3 handshake (1-2 RTTs)
    - 2 HTTPS GETs (discovery + JWKS, 1 RTT each)
    - In-process crypto on the certctl side (~5-10ms total)
  So the 200ms cap is operator-checkable: real measurement >
  200ms means the IdP is slow OR network congestion OR DNS
  issues — the diagnosis is upstream of certctl. Real
  measurement < 200ms means the IdP is on a fast same-region
  link.
* Methodology section pinning the per-iteration timing capture
  + sort + percentile-extract approach.
* Pre-merge audit section for the Phase 14 exit gate: four
  benchmarks ran, four numbers recorded, steady-state targets
  met, cold path is operator-runnable + measurably-bounded.

Makefile (MODIFIED):
* Added `make benchmark-auth` (default-tag, runs three of four
  benchmarks at 2000 samples each).
* Added `make benchmark-auth-coldcache` (integration-tagged,
  runs OIDC cold-cache against live Keycloak; requires Docker).
* Both targets carry explanatory comment blocks.

docs/README.md (MODIFIED):
* Added the auth-benchmarks.md doc to the Operator nav table
  alongside performance-baselines.md.

Measured baselines at Phase 14 close (linux/arm64, 4 vCPU)
==========================================================

  BenchmarkSession_SteadyState     p99 = 5µs    (target < 1ms)   ✓ 200× under
  BenchmarkSession_ColdProcess     p99 = 7.1ms  (target < 10ms)  ✓
  BenchmarkOIDC_SteadyState        p99 = 1.5ms  (target < 5ms)   ✓ 3× under
  BenchmarkOIDC_ColdCache          operator-runs (Docker required)

Verification
============

* gofmt -l on three new bench files: clean.
* go vet ./internal/auth/session/... ./internal/auth/oidc/...: clean
  (default tag).
* go vet -tags integration ./internal/auth/oidc/...: clean (integration
  tag covers the bench_keycloak_test.go file).
* go test -short -count=1 across all 5 OIDC + session packages:
  green; the bench_*_test.go files compile but don't run under
  -short (testing.Short() guards + benchmarks are not selected
  by -run pattern).
* All three runnable benchmarks executed and produce the numbers
  above; recorded in auth-benchmarks.md.

2026-05-10 16:51:28 +00:00

3 Commits