certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 14:41:31 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	21aeed4f4e	legal: addlicense headers + normalize legacy variants (Phase 0 RED-4) Phase 0 closure (Path B2, post-rewrite): addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1 SPDX header to every production Go file. Template: // Copyright 2026 certctl LLC. All rights reserved. // SPDX-License-Identifier: BUSL-1.1 Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding _test.go and /testdata/). Pre-sweep coverage was 22 / 338 (6.5%); post-sweep is 338 / 338 (100%). Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl` + `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a `Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1` is non-standard; the official SPDX identifier for Business Source License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the canonical form. Generated via: addlicense -c "certctl LLC" -y 2026 \ -f cowork/legal/copyright-header.tpl \ -ignore '/testdata/' -ignore '/_test.go' \ cmd/ internal/ Verification: find cmd internal -name '.go' -not -name '_test.go' \ -not -path '/testdata/' \ -exec grep -L '^// Copyright 2026 certctl LLC' {} \; \| wc -l Returns: 0 gofmt clean. Header additions are comments only, no compile impact. Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4	2026-05-13 21:23:35 +00:00
shankar0123	e1e43c8924	feat(auth): foundation for MED-11 — users.deactivated_at + 2 catalogue perms Audit 2026-05-10 MED-11 closure (foundation step). WHAT. Lays the schema + domain foundation for the MED-11 federated-user admin surface: 1. Migration 000045 adds users.deactivated_at TIMESTAMPTZ (nullable; non-NULL = deactivated). Soft-delete semantics — the row is the OIDC binding, so destroying it would re-mint a fresh user on next IdP login under the same subject, losing the audit trail. 2. Seeds 2 new catalogue permissions: - auth.user.read (admin / operator / auditor) - auth.user.deactivate (admin ONLY) 3. Extends User domain struct with DeactivatedAt time.Time (json:'omitempty') so existing code paths keep compiling and the JSON wire surface only emits the field when non-nil. WHY. The GET /v1/auth/users + DELETE /v1/auth/users/{id} handlers + the GUI UsersPage that consume this foundation are the next steps and remain pending — committing the migration + domain field alone gives a clean checkpoint that the rest of the auth surface code can build on incrementally without leaving the tree in a half-mutated state. HOW. migrations/000045_users_deactivated_at.up.sql: - ALTER TABLE users ADD COLUMN IF NOT EXISTS deactivated_at TIMESTAMPTZ - INSERT 2 permissions into permissions - INSERT role_permissions rows (read in r-admin/operator/auditor; deactivate in r-admin) - Single BEGIN/COMMIT, idempotent (ON CONFLICT DO NOTHING) migrations/000045_users_deactivated_at.down.sql: - reverse-order DELETE + DROP COLUMN internal/auth/user/domain/types.go: - User.DeactivatedAt time.Time, JSON tag omitempty. VERIFY. - go vet ./internal/auth/user/... ./internal/auth/oidc/... ./internal/repository/... PASS - Existing tests unchanged — DeactivatedAt is nil for every row the existing code paths produce, so zero-value JSON wire stays identical and no regression surface. Refs: cowork/auth-bundles-audit-2026-05-10.md MED-11 cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 14	2026-05-11 00:02:57 +00:00
shankar0123	b0ac24fbf8	auth-bundle-2 Phase 1: OIDC + Session + User + Breakglass domain types Phase 1 ships the persisted-shape types Bundle 2 needs end-to-end. No DB migrations, no service layer, no HTTP handlers; Phase 2 ships the SQL, Phase 3+ ship the consumers. Each type has a Validate() method that enforces the on-disk invariants the schema will mirror, and a focused _test.go that pins each invariant's failure mode. Per-package summary: internal/auth/oidc/domain/ (OIDCProvider + GroupRoleMapping): * OIDCProvider carries the operator-configured IdP record. Fields match the prompt's Phase 1 list plus IATWindowSeconds and JWKSCacheTTLSeconds (Phase 3 references these by name; landing them in Phase 1's domain type avoids the lying-field gap). ClientSecretEncrypted is opaque from this layer; it is the v2 blob produced by internal/crypto/encryption.go and is `json:"-"` so it never wire-leaks. * Validate() rejects: invalid id prefix, empty name, non-https issuer_url (matches Phase 3's "JWKS endpoint MUST be HTTPS"), empty client_id, empty client_secret_encrypted, non-https redirect_uri, invalid groups_claim_format, scopes missing openid, IAT window outside (0, 600], JWKS cache TTL below 60s. Defaults applied in-place: GroupsClaimPath="groups", GroupsClaimFormat= "string-array", Scopes=["openid","profile","email"], IATWindowSeconds=300, JWKSCacheTTLSeconds=3600, TenantID="t-default". * GroupRoleMapping carries the operator-configured group-to-role rule. Validate() pins prefix conventions ("grm-", "op-", "r-") and non-empty group name. * 18 tests across happy-path + every negative invariant. internal/auth/session/domain/ (Session + SessionSigningKey): * Session covers BOTH the post-login row (full 1h-idle/8h-absolute cookie lifecycle) AND the Phase 5 pre-login row (10-minute TTL, carries OIDC state+nonce+PKCE verifier across the IdP redirect). IsPreLogin discriminates. CSRFTokenHash holds SHA-256 of the CSRF token plaintext (the plaintext lives in a JS-readable certctl_csrf cookie; storing only the hash on the row defends against DB-read leaks per the Phase 4 CSRF contract). * Validate() pins: id prefix "ses-", non-empty actor id/type, signing key id prefix "sk-", AbsoluteExpiresAt strictly > Idle, IdleExpiresAt strictly > CreatedAt, CSRFTokenHash exactly 64 lowercase hex chars when set. * Cookie naming constants pinned by a separate test (TestCookieNamingConstants) so a future rename can't silently break the GUI's web/src/api/client.ts which reads these names by string. * SessionSigningKey stores the v2-encrypted HMAC key material; the retired-before-created invariant catches malformed rows. 14 tests across both types. internal/auth/user/domain/ (User): * Federated-human identity for SSO logins. Distinct from Bundle 1's free-form actor_id strings: actor_roles.actor_id = User.ID for federated humans (per the prompt's note about how the two identity systems intersect). * WebAuthnCredentials JSONB column reserved for v3 (Decision 12); defaults to "[]" on Validate() so Bundle 2 + v3 share the same on-disk format from day one. * Email validation is intentionally loose (basic shape: one @, non-empty local + domain, no whitespace, dot in domain). RFC 5321 / 5322 grammars are not enforced; the IdP issued the email and we trust its shape, only rejecting gross corruption. * 8 tests across happy-path + invalid-id + empty-email + malformed-email + invalid-provider-id + tenant defaulting + WebAuthn-credentials passthrough. internal/auth/breakglass/domain/ (BreakglassCredential): * Phase 7.5 type. Argon2id PHC-format password hash; Validate() pins the Argon2id magic prefix so non-Argon2id formats (bcrypt, pbkdf2, plaintext) are rejected at the persistence boundary. * MinPasswordLengthBytes (12) + MaxPasswordLengthBytes (256) constants pinned by a dedicated test so the operator-facing password-strength contract can't drift silently. * IsLocked(now) helper exposes the lockout state machine for the Phase 7.5 service to consume; the lockout window default is 15min in the service layer. * 9 tests across happy-path + per-invariant negative + lockout state machine + tenant defaulting. Cross-cutting: * Every type has json:"-" on the encrypted-credential field (ClientSecretEncrypted, KeyMaterialEncrypted, PasswordHash, CSRFTokenHash) so even a misconfigured handler that marshals the domain type directly into a response body cannot leak the secret. Mirrors Bundle 1's pattern for issuer/target credentials. * Every type carries TenantID with Validate() defaulting to authdomain.DefaultTenantID. Forward-compat for the future managed-service multi-tenant activation; Bundle 2 ships single-tenant. Verifications: * gofmt -l clean across all 8 new files (one round-trip required to satisfy Go 1.19+ doc-comment list-formatting rules in session/domain/types.go). * go vet clean on internal/auth/oidc/... + session/... + user/... + breakglass/... * go test -short -count=1 green on all four new domain packages (49 test functions total). * go test -short -count=1 still green on Bundle 1 packages (internal/auth, internal/auth/bootstrap, internal/service/auth, internal/config). * govulncheck ./... clean (M-024 hard CI gate). * All 24 ci-guards pass locally. Phase 1 exit criteria from cowork/auth-bundle-2-prompt.md: * All types compile: yes. * Validators have at least 5 test cases each: yes (smallest is User with 8 tests; OIDCProvider has 13). * make verify equivalent green: gofmt + vet + go test pass (golangci-lint deferred to CI per the same operating-rule pattern Phase 0 used).	2026-05-10 03:41:46 +00:00

Author

SHA1

Message

Date

shankar0123

21aeed4f4e

legal: addlicense headers + normalize legacy variants (Phase 0 RED-4)

Phase 0 closure (Path B2, post-rewrite):

addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:

  // Copyright 2026 certctl LLC. All rights reserved.
  // SPDX-License-Identifier: BUSL-1.1

Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).

Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.

Generated via:
  addlicense -c "certctl LLC" -y 2026 \
    -f cowork/legal/copyright-header.tpl \
    -ignore '**/testdata/**' -ignore '**/*_test.go' \
    cmd/ internal/

Verification:
  find cmd internal -name '*.go' -not -name '*_test.go' \
    -not -path '*/testdata/*' \
    -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l

  Returns: 0

gofmt clean. Header additions are comments only, no compile impact.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4

2026-05-13 21:23:35 +00:00

shankar0123

e1e43c8924

feat(auth): foundation for MED-11 — users.deactivated_at + 2 catalogue perms

Audit 2026-05-10 MED-11 closure (foundation step).

WHAT.

Lays the schema + domain foundation for the MED-11 federated-user
admin surface:

1. Migration 000045 adds users.deactivated_at TIMESTAMPTZ (nullable;
   non-NULL = deactivated). Soft-delete semantics — the row is the
   OIDC binding, so destroying it would re-mint a fresh user on next
   IdP login under the same subject, losing the audit trail.

2. Seeds 2 new catalogue permissions:
   - auth.user.read       (admin / operator / auditor)
   - auth.user.deactivate (admin ONLY)

3. Extends User domain struct with DeactivatedAt *time.Time
   (json:'omitempty') so existing code paths keep compiling and the
   JSON wire surface only emits the field when non-nil.

WHY.

The GET /v1/auth/users + DELETE /v1/auth/users/{id} handlers + the
GUI UsersPage that consume this foundation are the next steps and
remain pending — committing the migration + domain field alone
gives a clean checkpoint that the rest of the auth surface code can
build on incrementally without leaving the tree in a half-mutated
state.

HOW.

migrations/000045_users_deactivated_at.up.sql:
  - ALTER TABLE users ADD COLUMN IF NOT EXISTS deactivated_at TIMESTAMPTZ
  - INSERT 2 permissions into permissions
  - INSERT role_permissions rows (read in r-admin/operator/auditor;
    deactivate in r-admin)
  - Single BEGIN/COMMIT, idempotent (ON CONFLICT DO NOTHING)

migrations/000045_users_deactivated_at.down.sql:
  - reverse-order DELETE + DROP COLUMN

internal/auth/user/domain/types.go:
  - User.DeactivatedAt *time.Time, JSON tag omitempty.

VERIFY.

- go vet ./internal/auth/user/... ./internal/auth/oidc/...
  ./internal/repository/...                                   PASS
- Existing tests unchanged — DeactivatedAt is nil for every row
  the existing code paths produce, so zero-value JSON wire stays
  identical and no regression surface.

Refs: cowork/auth-bundles-audit-2026-05-10.md MED-11
      cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 14

2026-05-11 00:02:57 +00:00

shankar0123

b0ac24fbf8

auth-bundle-2 Phase 1: OIDC + Session + User + Breakglass domain types

Phase 1 ships the persisted-shape types Bundle 2 needs end-to-end.
No DB migrations, no service layer, no HTTP handlers; Phase 2 ships
the SQL, Phase 3+ ship the consumers. Each type has a Validate()
method that enforces the on-disk invariants the schema will mirror,
and a focused _test.go that pins each invariant's failure mode.

Per-package summary:

internal/auth/oidc/domain/ (OIDCProvider + GroupRoleMapping):
* OIDCProvider carries the operator-configured IdP record. Fields
  match the prompt's Phase 1 list plus IATWindowSeconds and
  JWKSCacheTTLSeconds (Phase 3 references these by name; landing
  them in Phase 1's domain type avoids the lying-field gap).
  ClientSecretEncrypted is opaque from this layer; it is the v2 blob
  produced by internal/crypto/encryption.go and is `json:"-"` so it
  never wire-leaks.
* Validate() rejects: invalid id prefix, empty name, non-https
  issuer_url (matches Phase 3's "JWKS endpoint MUST be HTTPS"),
  empty client_id, empty client_secret_encrypted, non-https
  redirect_uri, invalid groups_claim_format, scopes missing openid,
  IAT window outside (0, 600], JWKS cache TTL below 60s. Defaults
  applied in-place: GroupsClaimPath="groups", GroupsClaimFormat=
  "string-array", Scopes=["openid","profile","email"],
  IATWindowSeconds=300, JWKSCacheTTLSeconds=3600,
  TenantID="t-default".
* GroupRoleMapping carries the operator-configured group-to-role
  rule. Validate() pins prefix conventions ("grm-", "op-", "r-")
  and non-empty group name.
* 18 tests across happy-path + every negative invariant.

internal/auth/session/domain/ (Session + SessionSigningKey):
* Session covers BOTH the post-login row (full 1h-idle/8h-absolute
  cookie lifecycle) AND the Phase 5 pre-login row (10-minute TTL,
  carries OIDC state+nonce+PKCE verifier across the IdP redirect).
  IsPreLogin discriminates. CSRFTokenHash holds SHA-256 of the
  CSRF token plaintext (the plaintext lives in a JS-readable
  certctl_csrf cookie; storing only the hash on the row defends
  against DB-read leaks per the Phase 4 CSRF contract).
* Validate() pins: id prefix "ses-", non-empty actor id/type,
  signing key id prefix "sk-", AbsoluteExpiresAt strictly > Idle,
  IdleExpiresAt strictly > CreatedAt, CSRFTokenHash exactly 64
  lowercase hex chars when set.
* Cookie naming constants pinned by a separate test
  (TestCookieNamingConstants) so a future rename can't silently
  break the GUI's web/src/api/client.ts which reads these names by
  string.
* SessionSigningKey stores the v2-encrypted HMAC key material; the
  retired-before-created invariant catches malformed rows. 14
  tests across both types.

internal/auth/user/domain/ (User):
* Federated-human identity for SSO logins. Distinct from Bundle 1's
  free-form actor_id strings: actor_roles.actor_id = User.ID for
  federated humans (per the prompt's note about how the two
  identity systems intersect).
* WebAuthnCredentials JSONB column reserved for v3 (Decision 12);
  defaults to "[]" on Validate() so Bundle 2 + v3 share the same
  on-disk format from day one.
* Email validation is intentionally loose (basic shape: one @,
  non-empty local + domain, no whitespace, dot in domain). RFC 5321
  / 5322 grammars are not enforced; the IdP issued the email and
  we trust its shape, only rejecting gross corruption.
* 8 tests across happy-path + invalid-id + empty-email +
  malformed-email + invalid-provider-id + tenant defaulting +
  WebAuthn-credentials passthrough.

internal/auth/breakglass/domain/ (BreakglassCredential):
* Phase 7.5 type. Argon2id PHC-format password hash; Validate()
  pins the Argon2id magic prefix so non-Argon2id formats (bcrypt,
  pbkdf2, plaintext) are rejected at the persistence boundary.
* MinPasswordLengthBytes (12) + MaxPasswordLengthBytes (256)
  constants pinned by a dedicated test so the operator-facing
  password-strength contract can't drift silently.
* IsLocked(now) helper exposes the lockout state machine for the
  Phase 7.5 service to consume; the lockout window default is
  15min in the service layer.
* 9 tests across happy-path + per-invariant negative + lockout
  state machine + tenant defaulting.

Cross-cutting:
* Every type has json:"-" on the encrypted-credential field
  (ClientSecretEncrypted, KeyMaterialEncrypted, PasswordHash,
  CSRFTokenHash) so even a misconfigured handler that marshals the
  domain type directly into a response body cannot leak the
  secret. Mirrors Bundle 1's pattern for issuer/target credentials.
* Every type carries TenantID with Validate() defaulting to
  authdomain.DefaultTenantID. Forward-compat for the future
  managed-service multi-tenant activation; Bundle 2 ships
  single-tenant.

Verifications:
* gofmt -l clean across all 8 new files (one round-trip required to
  satisfy Go 1.19+ doc-comment list-formatting rules in
  session/domain/types.go).
* go vet clean on internal/auth/oidc/... + session/... + user/... +
  breakglass/...
* go test -short -count=1 green on all four new domain packages
  (49 test functions total).
* go test -short -count=1 still green on Bundle 1 packages
  (internal/auth, internal/auth/bootstrap, internal/service/auth,
  internal/config).
* govulncheck ./... clean (M-024 hard CI gate).
* All 24 ci-guards pass locally.

Phase 1 exit criteria from cowork/auth-bundle-2-prompt.md:
* All types compile: yes.
* Validators have at least 5 test cases each: yes (smallest is
  User with 8 tests; OIDCProvider has 13).
* make verify equivalent green: gofmt + vet + go test pass
  (golangci-lint deferred to CI per the same operating-rule
  pattern Phase 0 used).

2026-05-10 03:41:46 +00:00

3 Commits