certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:31:29 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	5d7bc86451	fix(oidc): SEC-020 — wrap fetchUserinfoGroups via SafeOIDCContext Acquisition-audit Sprint 1 follow-up to SEC-001 (2026-05-16). The original SEC-001 sweep routed two OIDC discovery legs (test_discovery.go dry-run + service.go runtime provider load) through validation.SafeHTTPDialContext via the SafeOIDCContext(ctx) helper. This commit closes one of the two adjacent call sites the sweep missed: the userinfo-fallback path at service.go::fetchUserinfoGroups. Pre-fix: func (s Service) fetchUserinfoGroups(ctx, entry, token, path) { ... ts := entry.oauthConfig.TokenSource(ctx, token) uinfo, err := entry.provider.UserInfo(ctx, ts) ... } go-oidc/v3 Provider.UserInfo (oidc.go:351-374) derives its http.Client from ctx via getClient(ctx) (oidc.go:61-65). Without an override, the internal doRequest (oidc.go:87-92) falls through to http.DefaultClient — no SSRF guard, no DNS-rebinding re-resolve at dial time. An IdP whose discovery doc advertises a userinfo_endpoint pointing at a reserved address (loopback / link-local / 169.254.169.254 cloud-metadata) would trigger an unguarded HTTPS egress at userinfo-fetch time. Operator opt-in to fetch_userinfo=true turns the gap on; the leg fires whenever the ID token doesn't surface the configured groups claim. Post-fix: safeCtx := SafeOIDCContext(ctx) ts := entry.oauthConfig.TokenSource(safeCtx, token) uinfo, err := entry.provider.UserInfo(safeCtx, ts) Context-key shape: gooidc.ClientContext is implemented as context.WithValue(ctx, oauth2.HTTPClient, client) (go-oidc v3.18.0 oidc.go:57-59). Both go-oidc's getClient AND golang.org/x/oauth2's internal.ContextClient read the same oauth2.HTTPClient key, so the SINGLE SafeOIDCContext wrap covers go-oidc-driven HTTP calls (Provider.UserInfo / Verifier JWKS) AND oauth2-driven HTTP calls (Config.TokenSource refresh / Exchange). No additional context.WithValue(ctx, oauth2.HTTPClient, ...) is required. Files touched: internal/auth/oidc/service.go — wrap ctx in fetchUserinfoGroups internal/auth/oidc/safehttp.go — extend SEC-001 header comment block to enumerate the two newly-patched sites (SEC-020 here + SEC-021 in the next commit) and the oauth2.HTTPClient key-sharing rationale, so future audits don't re-flag the design as confused internal/auth/oidc/service_test.go — new test TestFetchUserinfoGroups_SSRF_BlocksReservedAddress that stands up a loopback discovery server whose discovery doc advertises userinfo_endpoint = http://169.254.169.254/userinfo, constructs gooidc.Provider via the test-bypassed oidcDiscoveryClient (setup_test.go's init() pattern), then RESTORES the production SafeHTTPDialContext-backed client just before the fetchUserinfoGroups call. Asserts the error wraps SafeHTTPDialContext's 'refusing to dial reserved address' rejection rather than a generic connect-refused. Companion to the TestDefaultBCLVerifier_SSRF_BlocksReservedAddress that SEC-021 (next commit) adds. Verified: gofmt -l internal/ docs/ (clean) go vet ./... (clean) go test -race -short ./internal/auth/oidc/... (all green) TestFetchUserinfoGroups_SSRF_BlocksReservedAddress (new; green) All 4 cited CI guards pass (openapi-handler-parity, openapi-codegen-drift, no-sh-c-in-connectors, skip-inventory-drift) Acceptance grep: internal/auth/oidc/service.go:963: uinfo, err := entry.provider.UserInfo(safeCtx, ts) internal/auth/oidc/service.go:1084: provider, err := gooidc.NewProvider(SafeOIDCContext(ctx), cfgRow.IssuerURL) No bare-ctx UserInfo / NewProvider remains in service.go. Closes acquisition-audit SEC-020. SEC-021 (BCL discovery re-fetch) lands in the next commit.	2026-05-16 16:41:05 +00:00
shankar0123	e6cfd756ac	fix(auth): SEC-001 — gate OIDC discovery through SafeHTTPDialContext + ValidateSafeURL Sprint 1 unified-master-audit closure. Two OIDC discovery call sites passed the bare request context to gooidc.NewProvider: - internal/auth/oidc/test_discovery.go:65 (dry-run validator) - internal/auth/oidc/service.go:1066 (runtime cache load) gooidc.NewProvider derives its HTTP client from the context via oidc.ClientContext; with no override it falls through to http.DefaultClient — no SSRF guard. An admin with auth.oidc.create could induce server-side HTTPS egress to loopback (127.0.0.1, ::1), RFC 1918, link-local (169.254.169.254 — cloud-instance metadata), and IPv6 link-local (fe80::/10). The companion JWKS reachability probe was already routed through SafeHTTPDialContext via the Bundle 5 R6 closure; the discovery + claims path bypassed that. Fix: - New internal/auth/oidc/safehttp.go: oidcDiscoveryClient (Transport DialContext = validation.SafeHTTPDialContext) + SafeOIDCContext helper. Both call sites now wrap ctx through SafeOIDCContext before NewProvider runs. - Defense-in-depth: OIDCProvider.Validate calls validation.ValidateSafeURL on the IssuerURL after the existing https/parse checks, refusing reserved-address issuers at provider-creation time. - TestDiscovery surfaces the SSRF policy error via the result's Errors slice up-front (early-fail UX rail) before invoking NewProvider. Test seams: - setup_test.go swaps oidcDiscoveryClient + validateIssuerSSRF for httptest loopback compatibility, mirroring the existing jwksProbeClient pattern. Regression coverage: - internal/auth/oidc/domain/types_test.go: 5-case table pinning loopback v4/v6, cloud metadata, link-local v4/v6 rejection. - internal/auth/oidc/coverage_fill_test.go: same 5 cases against Service.TestDiscovery via temporarily restoring the production gate. Closes SEC-001.	2026-05-16 03:31:42 +00:00

Author

SHA1

Message

Date

shankar0123

5d7bc86451

fix(oidc): SEC-020 — wrap fetchUserinfoGroups via SafeOIDCContext

Acquisition-audit Sprint 1 follow-up to SEC-001 (2026-05-16). The
original SEC-001 sweep routed two OIDC discovery legs (test_discovery.go
dry-run + service.go runtime provider load) through
validation.SafeHTTPDialContext via the SafeOIDCContext(ctx) helper.
This commit closes one of the two adjacent call sites the sweep missed:
the userinfo-fallback path at service.go::fetchUserinfoGroups.

Pre-fix:

    func (s *Service) fetchUserinfoGroups(ctx, entry, token, path) {
        ...
        ts := entry.oauthConfig.TokenSource(ctx, token)
        uinfo, err := entry.provider.UserInfo(ctx, ts)
        ...
    }

go-oidc/v3 Provider.UserInfo (oidc.go:351-374) derives its
http.Client from ctx via getClient(ctx) (oidc.go:61-65). Without an
override, the internal doRequest (oidc.go:87-92) falls through to
http.DefaultClient — no SSRF guard, no DNS-rebinding re-resolve at
dial time. An IdP whose discovery doc advertises a userinfo_endpoint
pointing at a reserved address (loopback / link-local /
169.254.169.254 cloud-metadata) would trigger an unguarded HTTPS
egress at userinfo-fetch time. Operator opt-in to fetch_userinfo=true
turns the gap on; the leg fires whenever the ID token doesn't surface
the configured groups claim.

Post-fix:

    safeCtx := SafeOIDCContext(ctx)
    ts := entry.oauthConfig.TokenSource(safeCtx, token)
    uinfo, err := entry.provider.UserInfo(safeCtx, ts)

Context-key shape: gooidc.ClientContext is implemented as
context.WithValue(ctx, oauth2.HTTPClient, client) (go-oidc v3.18.0
oidc.go:57-59). Both go-oidc's getClient AND golang.org/x/oauth2's
internal.ContextClient read the same oauth2.HTTPClient key, so the
SINGLE SafeOIDCContext wrap covers go-oidc-driven HTTP calls
(Provider.UserInfo / Verifier JWKS) AND oauth2-driven HTTP calls
(Config.TokenSource refresh / Exchange). No additional
context.WithValue(ctx, oauth2.HTTPClient, ...) is required.

Files touched:
  internal/auth/oidc/service.go — wrap ctx in fetchUserinfoGroups
  internal/auth/oidc/safehttp.go — extend SEC-001 header comment block
    to enumerate the two newly-patched sites (SEC-020 here +
    SEC-021 in the next commit) and the oauth2.HTTPClient key-sharing
    rationale, so future audits don't re-flag the design as confused
  internal/auth/oidc/service_test.go — new test
    TestFetchUserinfoGroups_SSRF_BlocksReservedAddress that
    stands up a loopback discovery server whose discovery doc
    advertises userinfo_endpoint = http://169.254.169.254/userinfo,
    constructs *gooidc.Provider via the test-bypassed
    oidcDiscoveryClient (setup_test.go's init() pattern), then
    RESTORES the production SafeHTTPDialContext-backed client just
    before the fetchUserinfoGroups call. Asserts the error wraps
    SafeHTTPDialContext's 'refusing to dial reserved address'
    rejection rather than a generic connect-refused. Companion to
    the TestDefaultBCLVerifier_SSRF_BlocksReservedAddress that
    SEC-021 (next commit) adds.

Verified:
  gofmt -l internal/ docs/                                (clean)
  go vet ./...                                            (clean)
  go test -race -short ./internal/auth/oidc/...           (all green)
  TestFetchUserinfoGroups_SSRF_BlocksReservedAddress      (new; green)
  All 4 cited CI guards pass (openapi-handler-parity,
    openapi-codegen-drift, no-sh-c-in-connectors, skip-inventory-drift)

Acceptance grep:
  internal/auth/oidc/service.go:963: uinfo, err := entry.provider.UserInfo(safeCtx, ts)
  internal/auth/oidc/service.go:1084: provider, err := gooidc.NewProvider(SafeOIDCContext(ctx), cfgRow.IssuerURL)

No bare-ctx UserInfo / NewProvider remains in service.go.

Closes acquisition-audit SEC-020. SEC-021 (BCL discovery re-fetch)
lands in the next commit.

2026-05-16 16:41:05 +00:00

shankar0123

e6cfd756ac

fix(auth): SEC-001 — gate OIDC discovery through SafeHTTPDialContext + ValidateSafeURL

Sprint 1 unified-master-audit closure. Two OIDC discovery call sites
passed the bare request context to gooidc.NewProvider:

  - internal/auth/oidc/test_discovery.go:65 (dry-run validator)
  - internal/auth/oidc/service.go:1066      (runtime cache load)

gooidc.NewProvider derives its HTTP client from the context via
oidc.ClientContext; with no override it falls through to
http.DefaultClient — no SSRF guard. An admin with auth.oidc.create
could induce server-side HTTPS egress to loopback (127.0.0.1, ::1),
RFC 1918, link-local (169.254.169.254 — cloud-instance metadata),
and IPv6 link-local (fe80::/10). The companion JWKS reachability
probe was already routed through SafeHTTPDialContext via the
Bundle 5 R6 closure; the discovery + claims path bypassed that.

Fix:
  - New internal/auth/oidc/safehttp.go: oidcDiscoveryClient (Transport
    DialContext = validation.SafeHTTPDialContext) + SafeOIDCContext
    helper. Both call sites now wrap ctx through SafeOIDCContext
    before NewProvider runs.
  - Defense-in-depth: OIDCProvider.Validate calls
    validation.ValidateSafeURL on the IssuerURL after the existing
    https/parse checks, refusing reserved-address issuers at
    provider-creation time.
  - TestDiscovery surfaces the SSRF policy error via the result's
    Errors slice up-front (early-fail UX rail) before invoking
    NewProvider.

Test seams:
  - setup_test.go swaps oidcDiscoveryClient + validateIssuerSSRF
    for httptest loopback compatibility, mirroring the existing
    jwksProbeClient pattern.

Regression coverage:
  - internal/auth/oidc/domain/types_test.go: 5-case table pinning
    loopback v4/v6, cloud metadata, link-local v4/v6 rejection.
  - internal/auth/oidc/coverage_fill_test.go: same 5 cases against
    Service.TestDiscovery via temporarily restoring the production
    gate.

Closes SEC-001.

2026-05-16 03:31:42 +00:00

2 Commits