certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 18:01:37 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
shankar0123	739745e9fe	fix(oidc): enforce AllowedEmailDomains allowlist in HandleCallback Closes CRIT-5 of the 2026-05-10 audit — the LAST Critical blocker for v2.1.0. The OIDCProvider.AllowedEmailDomains field shipped persisted (internal/auth/oidc/domain/types.go:47), API-surfaced (internal/api/handler/auth_session_oidc.go), MCP-surfaced (internal/mcp/tools_auth_bundle2.go), and GUI-editable, but the verifier in internal/auth/oidc/service.go::HandleCallback NEVER read it. Operators filling allowed_email_domains: ["acme.com"] expected "users outside acme.com cannot log in" — the field had zero effect. Textbook lying-field shape per CLAUDE.md's "complete path" rule. This commit: - Adds Step 7.5 to HandleCallback (between profile-claim resolve and group-claim resolve): when the provider's AllowedEmailDomains slice is non-empty, the user's email-domain MUST match a list entry (case- insensitive exact match; subdomains NOT auto-accepted — operators who want dev.acme.com authorized must list it explicitly). - Two new sentinel errors at the package level: - ErrEmailDomainNotAllowed — email is set but domain not in list - ErrEmailMissingButRequired — allowlist set + ID token has no email - New extractEmailDomain helper: case-folds + trims whitespace + uses LastIndex for the @ split + rejects empty input / no-@ / empty local-part / empty domain-part. Returns the lowercase domain or an error. - 21 regression tests in internal/auth/oidc/email_domain_test.go: - 10 extractEmailDomain shape cases (plain, mixed-case input, leading/trailing whitespace, subdomain preserved, empty, no @, empty local-part, empty domain-part, multiple @ via LastIndex). - 11 match-semantic cases (empty list passes any, lowercase match, mixed-case allowlist entry match, mixed-case email match, whitespace-padded allowlist entry, unmatched returns ErrEmailDomainNotAllowed, missing email + non-empty allowlist returns ErrEmailMissingButRequired, subdomain NOT auto-accepted, parent-domain NOT auto-accepted, multi-entry first-match, multi-entry no-match). Subdomain matching (alice@dev.acme.com against allowlist=[acme.com]) is intentionally NOT auto-accepted. The audit's MED-line tracks the wildcard / suffix support story for v3; v2.1 ships strict. Verification gate green: - gofmt clean - go vet clean - go test -short -count=1 ./internal/auth/oidc/... ./internal/api/... ./internal/domain/auth/ — all pass (incl. existing OIDC service test suite, the 4 BCL tests, the auditor pin, and the AST RBAC-gate coverage guard). Branch dev/auth-bundle-2 status post-commit: CRIT-1 (`68ca42f`), CRIT-2 (`ca1e135`), CRIT-3 (`00eace8`), CRIT-4 (`f1d9771`), CRIT-5 (this) — all five Criticals from the 2026-05-10 audit closed. v2.1.0 is unblocked. HIGH-1..HIGH-12 + MEDs + LOWs are independently mergeable follow-ups (spec at cowork/auth-bundles-fixes-2026-05-10/). Refs: cowork/auth-bundles-audit-2026-05-10.md CRIT-5	2026-05-10 20:30:32 +00:00

shankar0123

739745e9fe

fix(oidc): enforce AllowedEmailDomains allowlist in HandleCallback

Closes CRIT-5 of the 2026-05-10 audit — the LAST Critical blocker for
v2.1.0. The OIDCProvider.AllowedEmailDomains field shipped persisted
(internal/auth/oidc/domain/types.go:47), API-surfaced
(internal/api/handler/auth_session_oidc.go), MCP-surfaced
(internal/mcp/tools_auth_bundle2.go), and GUI-editable, but the
verifier in internal/auth/oidc/service.go::HandleCallback NEVER read
it. Operators filling allowed_email_domains: ["acme.com"] expected
"users outside acme.com cannot log in" — the field had zero effect.
Textbook lying-field shape per CLAUDE.md's "complete path" rule.

This commit:

- Adds Step 7.5 to HandleCallback (between profile-claim resolve and
  group-claim resolve): when the provider's AllowedEmailDomains slice
  is non-empty, the user's email-domain MUST match a list entry (case-
  insensitive exact match; subdomains NOT auto-accepted — operators
  who want dev.acme.com authorized must list it explicitly).

- Two new sentinel errors at the package level:
    - ErrEmailDomainNotAllowed   — email is set but domain not in list
    - ErrEmailMissingButRequired — allowlist set + ID token has no email

- New extractEmailDomain helper: case-folds + trims whitespace + uses
  LastIndex for the @ split + rejects empty input / no-@ / empty
  local-part / empty domain-part. Returns the lowercase domain or
  an error.

- 21 regression tests in internal/auth/oidc/email_domain_test.go:
    - 10 extractEmailDomain shape cases (plain, mixed-case input,
      leading/trailing whitespace, subdomain preserved, empty, no @,
      empty local-part, empty domain-part, multiple @ via LastIndex).
    - 11 match-semantic cases (empty list passes any, lowercase match,
      mixed-case allowlist entry match, mixed-case email match,
      whitespace-padded allowlist entry, unmatched returns
      ErrEmailDomainNotAllowed, missing email + non-empty allowlist
      returns ErrEmailMissingButRequired, subdomain NOT auto-accepted,
      parent-domain NOT auto-accepted, multi-entry first-match,
      multi-entry no-match).

Subdomain matching (alice@dev.acme.com against allowlist=[acme.com])
is intentionally NOT auto-accepted. The audit's MED-line tracks the
wildcard / suffix support story for v3; v2.1 ships strict.

Verification gate green:
- gofmt clean
- go vet clean
- go test -short -count=1 ./internal/auth/oidc/... ./internal/api/...
  ./internal/domain/auth/ — all pass (incl. existing OIDC service
  test suite, the 4 BCL tests, the auditor pin, and the AST
  RBAC-gate coverage guard).

Branch dev/auth-bundle-2 status post-commit: CRIT-1 (68ca42f),
CRIT-2 (ca1e135), CRIT-3 (00eace8), CRIT-4 (f1d9771), CRIT-5 (this)
— all five Criticals from the 2026-05-10 audit closed. v2.1.0 is
unblocked. HIGH-1..HIGH-12 + MEDs + LOWs are independently mergeable
follow-ups (spec at cowork/auth-bundles-fixes-2026-05-10/).

Refs: cowork/auth-bundles-audit-2026-05-10.md CRIT-5

2026-05-10 20:30:32 +00:00

1 Commits