certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 07:39:03 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	5ea45a19b9	feat(security): Sprint 5 ACQ — RED-003 deny-empty flip + SEC-009/RED-005 RFC1918 opt-in Acquisition-audit Sprint 5 ACQ closure (2026-05-16). Two independent findings ship together because they share Load() / main.go wiring; the closure comments tie each line to its finding. PART A — RED-003 (agent-bootstrap deny-empty cutover) ===================================================== Phase 2 SEC-H1 closure (2026-05-13) introduced the CERTCTL_AGENT_BOOTSTRAP_TOKEN_DENY_EMPTY staged feature flag with default `false` so v2.1.x operators wouldn't get a surprise fail-closed on upgrade. This commit flips the default to `true` (per the staged plan in the existing CHANGELOG "Breaking changes (scheduled for v2.2.0)" block). Operators who haven't generated a real bootstrap token yet keep the v2.1.x warn-mode pass-through for one upgrade window by setting CERTCTL_AGENT_BOOTSTRAP_TOKEN_DENY_EMPTY=false explicitly. Demo-mode escape hatch: CERTCTL_DEMO_MODE_ACK=true skips the fail-closed gate so the screenshot/demo path stays one-command-up. The accompanying boot-banner WARN at cmd/server/main.go:124-126 keeps demo mode visible in every log scraper, so this override cannot silently re-enable warn-mode in production. internal/config/config.go - Load() default for AgentBootstrapTokenDenyEmpty flipped to true - Validate() gate now also checks !c.Auth.DemoModeAck so the demo override line up with the boot-banner WARN - Closure comment block updated to cross-reference Sprint 5 ACQ and the CHANGELOG v2.2.0 entry cmd/server/main.go - Updated boot-time WARN message to reflect the new default (deny-empty=true) — the warn now fires only in the two explicit override scenarios (warn-mode opt-back or demo mode), and explains the operator action either way - Info-line on configured-token path unchanged PART B — SEC-009 + RED-005 (opt-in RFC1918 outbound block) ========================================================== internal/validation/ssrf.go::IsReservedIP has always intentionally left RFC 1918 ranges (10/8, 172.16/12, 192.168/16) NOT-reserved because certctl is designed to manage certificates inside private networks. For operators on hosted IaaS where RFC1918 IS internal trust (kubeadm-default 10.96.0.0/12 service CIDR exposes the Kubernetes API on 10.96.0.1; cloud-provider internal monitoring; hosted-bastion subnets), this default is a real exposure path. Add a package-level atomic.Bool toggle in internal/validation/ssrf.go that, when on, extends IsReservedIP to ALSO return true for the three RFC1918 ranges. Every IsReservedIP-derived path (SafeHTTPDialContext, ValidateSafeURL, the network scanner, the webhook + OIDC + ACME callers) picks up the new policy transitively without per-call-site changes. internal/validation/ssrf.go - blockRFC1918Outbound atomic.Bool + SetBlockRFC1918Outbound / BlockRFC1918OutboundEnabled accessor pair - rfc1918Nets pre-parsed at package init (panic on parse failure surfaces a misconfigured ssrf package immediately, not via a silently disabled toggle) - IsReservedIP checks the toggle after the existing reserved-IP checks - Header comment rewritten to document the toggle + the transitive coverage internal/config/config.go - New NetworkConfig sub-config; Config gains a Network field - Load() reads CERTCTL_BLOCK_RFC1918_OUTBOUND env var (default false; preserves the existing self-hosted threat model) - NetworkConfig docstring lists the operator-trap (enabling this also blocks RFC1918 from the network scanner) so an operator cert-discovering their own RFC1918 space doesn't get a silently-empty scan result cmd/server/main.go - Wires validation.SetBlockRFC1918Outbound after config.Load and near the demo-mode banner / agent-bootstrap-token block; emits a one-shot INFO line when the toggle is enabled so the policy is visible in journals Tests ===== internal/config/config_test.go - TestLoad_AgentBootstrapTokenDenyEmpty_DefaultIsTrue — pins the default flip at the boot path (Load returns the flipped value) - TestValidate_DenyEmptyDefault_RefusesWithoutToken — pins the fail-closed behavior under the new default - TestValidate_DenyEmptyExplicitFalse_AllowsEmpty — pins the v2.1.x back-compat escape hatch - TestValidate_DenyEmpty_DemoModeAckOverride_AllowsEmpty — pins the demo-mode override internal/validation/ssrf_test.go - TestIsReservedIP_RFC1918_OptIn — pins toggle-off / toggle-on behavior across all three RFC1918 ranges, edge cases immediately outside the ranges, and the toggle-back-off path - TestSafeHTTPDialContext_RFC1918_OptIn — pins that the toggle reaches the dial-time SSRF check transitively (not just IsReservedIP in isolation) Test-helper updates (Sprint-5-induced churn): - internal/config/config_test.go::setMinimalValidEnv now sets CERTCTL_AGENT_BOOTSTRAP_TOKEN to a placeholder so Load()-based tests that don't specifically exercise the empty-token gate keep passing under the new fail-closed default. Tests that DO exercise the empty-token path explicitly override back to "". - internal/config/config_est_profiles_test.go + internal/config/config_scep_profiles_test.go: same placeholder fix for the four Load()-based EST/SCEP profile tests. - cmd/server/main_test.go::TestMain_ServerConfigFromEnvironment + TestMain_AuthTypeConfiguration: same fix at the main.go test layer with prior-value restore. Verified locally: gofmt -l clean; go vet clean; staticcheck clean across internal/config, internal/validation, cmd/server; short tests green on all three packages; targeted -v run of all six new test names confirms PASS.	2026-05-16 19:13:52 +00:00
shankar0123	fdd424bf5f	feat(scep): per-issuer SCEP profiles — multi-endpoint dispatch SCEP RFC 8894 + Intune master bundle — Phase 1.5 of 14. Restructures SCEPConfig from a single flat struct (one IssuerID + one RA pair + one challenge password) to a Profiles slice where each profile binds its own URL path (/scep/<pathID>), issuer, optional CertificateProfile, RA cert+key, and challenge password. This phase is the FOUNDATION for Phases 2-12: every downstream handler signature, service envelope, CertRep builder, GUI counter, and test fixture takes a profile_id parameter from here on. Adding multi-profile support post-bundle would cost 3x what greenfielding it now does. Backward compat: legacy CERTCTL_SCEP_* flat env vars synthesise a single-element Profiles[0] with PathID="" (legacy /scep root) when CERTCTL_SCEP_PROFILES is unset. Existing operators see no behavior change. New operators write multi-profile config directly via the indexed env-var form. Indexed env-var convention: CERTCTL_SCEP_PROFILES=corp,iot,server CERTCTL_SCEP_PROFILE_CORP_ISSUER_ID=iss-corp-laptop CERTCTL_SCEP_PROFILE_CORP_PROFILE_ID=prof-corp-tls CERTCTL_SCEP_PROFILE_CORP_CHALLENGE_PASSWORD=... CERTCTL_SCEP_PROFILE_CORP_RA_CERT_PATH=/etc/certctl/scep/corp-ra.crt CERTCTL_SCEP_PROFILE_CORP_RA_KEY_PATH=/etc/certctl/scep/corp-ra.key ... (etc per profile name) internal/config/config.go * SCEPConfig.Profiles []SCEPProfileConfig — primary multi-profile dispatch source. * Legacy flat fields (IssuerID, ProfileID, ChallengePassword, RACertPath, RAKeyPath) preserved with updated docblocks marking them as merge sources for the backward-compat shim. * SCEPProfileConfig new struct (PathID, IssuerID, ProfileID, ChallengePassword, RACertPath, RAKeyPath). * loadSCEPProfilesFromEnv: reads CERTCTL_SCEP_PROFILES (comma-list of names), expands each to per-profile env vars CERTCTL_SCEP_PROFILE_<NAME>_. Returns nil when unset so the legacy-shim path takes over. mergeSCEPLegacyIntoProfiles: when SCEP enabled + Profiles empty + any legacy flat field populated, synthesises Profiles[0] with PathID="". No-op when Profiles already populated (structured form wins) or SCEP disabled. * validSCEPPathID: empty allowed (legacy /scep root); non-empty must be [a-z0-9-] with no leading/trailing hyphen. * Per-profile Validate gates: PathID format, uniqueness across the slice, ChallengePassword presence (CWE-306 per profile), RA pair presence (RFC 8894 §3.2.2), IssuerID presence. * Legacy single-profile gates skip when Profiles is non-empty so the per-profile loop owns the gating in the structured case (avoids double-fire with overlapping error messages). internal/api/router/router.go * RegisterSCEPHandlers signature: map[string]handler.SCEPHandler (was a single SCEPHandler). * Empty PathID handler registered with literal r.Register('GET /scep' + 'POST /scep') so the openapi-parity AST scanner (Bundle D / Audit M-027) continues to see the documented /scep route. Without this preservation, the parity test fails because dynamic string-built routes don't appear in ast.BasicLit walks. Non-empty PathIDs registered dynamically as /scep/<pathID>. * AuthExempt prefix /scep already covers all /scep[/...] paths via prefix match — no change needed there. cmd/server/main.go * SCEP startup block iterates cfg.SCEP.Profiles, builds one service + one handler per profile, stuffs them into a {pathID -> handler} map, hands the map to apiRouter.RegisterSCEPHandlers. * Per-profile preflight: preflightSCEPChallengePassword, preflightSCEPRACertKey, preflightEnrollmentIssuer fire ONCE PER PROFILE with a profile-scoped slog.Logger so failures report PathID + IssuerID. Each per-profile failure os.Exits(1) with a targeted error message. * Final 'SCEP server enabled' info log reports profile_count. internal/config/config_scep_profiles_test.go (new, 9 tests / 22 sub-cases) * TestSCEPConfig_LegacyFlatFields_SynthesizeSingleProfile — the backward-compat smoke test. * TestSCEPConfig_MultipleProfiles_LoadFromEnv — structured-form happy path with two profiles. * TestSCEPConfig_StructuredFormBeatsLegacy — when both forms set, structured wins; legacy flat field MUST NOT leak into Profiles[0].ChallengePassword. * TestSCEPConfig_PathIDValidation — 13 sub-cases covering valid + every reject mode (uppercase, slash, leading/trailing hyphen, underscore, dot, space, non-ASCII). * TestSCEPConfig_DuplicatePathID_Refuses. * TestSCEPConfig_MissingPerProfileChallengePassword, _MissingPerProfileRAPair (3 sub-cases), _MissingPerProfileIssuerID — per-profile gate triplet. * TestSCEPConfig_DisabledIgnoresProfiles — gates only fire when SCEP is enabled. internal/api/router/router_scep_profiles_test.go (new, 4 tests) * TestRouter_RegisterSCEPHandlers_LegacyEmptyPathIDMapsToRoot — empty PathID gets /scep root; both GET + POST routes registered. * TestRouter_RegisterSCEPHandlers_NonEmptyPathIDMapsToSubpath — non-empty PathID gets /scep/<pathID>; /scep root NOT registered when no empty-PathID profile exists. * TestRouter_RegisterSCEPHandlers_MultipleProfilesNoCrossBleed — three profiles (default, corp, iot); each path reaches the right handler instance, verified via per-profile-tagged GetCACaps mock response. * TestRouter_RegisterSCEPHandlers_EmptyMapRegistersNoRoutes — no profiles → no /scep routes (deploy with SCEP disabled). Verification: * gofmt clean for the files I touched. * go vet clean across config / router / cmd/server / domain. * go test -short -count=1 green across config / router / cmd/server / api/handler / service / domain / pkcs7. * Coverage held: handler 79.0% / service 73.2% / pkcs7 100% / config 96.0% / domain 88.6% / router 100% / cmd/server 19.2%. * openapi-parity test green (literal /scep registrations preserved). Phase 1.5 of 14 in SCEP RFC 8894 + Intune master bundle. Living progress at cowork/scep-rfc8894-intune/progress.md.	2026-04-29 03:46:57 +00:00

Author

SHA1

Message

Date

shankar0123

5ea45a19b9

feat(security): Sprint 5 ACQ — RED-003 deny-empty flip + SEC-009/RED-005 RFC1918 opt-in

Acquisition-audit Sprint 5 ACQ closure (2026-05-16). Two
independent findings ship together because they share Load() /
main.go wiring; the closure comments tie each line to its finding.

PART A — RED-003 (agent-bootstrap deny-empty cutover)
=====================================================

Phase 2 SEC-H1 closure (2026-05-13) introduced the
CERTCTL_AGENT_BOOTSTRAP_TOKEN_DENY_EMPTY staged feature flag with
default `false` so v2.1.x operators wouldn't get a surprise
fail-closed on upgrade. This commit flips the default to `true`
(per the staged plan in the existing CHANGELOG "Breaking changes
(scheduled for v2.2.0)" block). Operators who haven't generated a
real bootstrap token yet keep the v2.1.x warn-mode pass-through
for one upgrade window by setting
CERTCTL_AGENT_BOOTSTRAP_TOKEN_DENY_EMPTY=false explicitly.

Demo-mode escape hatch: CERTCTL_DEMO_MODE_ACK=true skips the
fail-closed gate so the screenshot/demo path stays one-command-up.
The accompanying boot-banner WARN at cmd/server/main.go:124-126
keeps demo mode visible in every log scraper, so this override
cannot silently re-enable warn-mode in production.

internal/config/config.go
  - Load() default for AgentBootstrapTokenDenyEmpty flipped to true
  - Validate() gate now also checks !c.Auth.DemoModeAck so the demo
    override line up with the boot-banner WARN
  - Closure comment block updated to cross-reference Sprint 5 ACQ
    and the CHANGELOG v2.2.0 entry

cmd/server/main.go
  - Updated boot-time WARN message to reflect the new default
    (deny-empty=true) — the warn now fires only in the two
    explicit override scenarios (warn-mode opt-back or demo mode),
    and explains the operator action either way
  - Info-line on configured-token path unchanged

PART B — SEC-009 + RED-005 (opt-in RFC1918 outbound block)
==========================================================

internal/validation/ssrf.go::IsReservedIP has always intentionally
left RFC 1918 ranges (10/8, 172.16/12, 192.168/16) NOT-reserved
because certctl is designed to manage certificates inside private
networks. For operators on hosted IaaS where RFC1918 IS internal
trust (kubeadm-default 10.96.0.0/12 service CIDR exposes the
Kubernetes API on 10.96.0.1; cloud-provider internal monitoring;
hosted-bastion subnets), this default is a real exposure path.

Add a package-level atomic.Bool toggle in internal/validation/ssrf.go
that, when on, extends IsReservedIP to ALSO return true for the
three RFC1918 ranges. Every IsReservedIP-derived path
(SafeHTTPDialContext, ValidateSafeURL, the network scanner, the
webhook + OIDC + ACME callers) picks up the new policy
transitively without per-call-site changes.

internal/validation/ssrf.go
  - blockRFC1918Outbound atomic.Bool + SetBlockRFC1918Outbound /
    BlockRFC1918OutboundEnabled accessor pair
  - rfc1918Nets pre-parsed at package init (panic on parse failure
    surfaces a misconfigured ssrf package immediately, not via a
    silently disabled toggle)
  - IsReservedIP checks the toggle after the existing reserved-IP
    checks
  - Header comment rewritten to document the toggle + the
    transitive coverage

internal/config/config.go
  - New NetworkConfig sub-config; Config gains a Network field
  - Load() reads CERTCTL_BLOCK_RFC1918_OUTBOUND env var (default
    false; preserves the existing self-hosted threat model)
  - NetworkConfig docstring lists the operator-trap (enabling this
    also blocks RFC1918 from the network scanner) so an operator
    cert-discovering their own RFC1918 space doesn't get a
    silently-empty scan result

cmd/server/main.go
  - Wires validation.SetBlockRFC1918Outbound after config.Load and
    near the demo-mode banner / agent-bootstrap-token block; emits
    a one-shot INFO line when the toggle is enabled so the policy
    is visible in journals

Tests
=====

internal/config/config_test.go
  - TestLoad_AgentBootstrapTokenDenyEmpty_DefaultIsTrue — pins the
    default flip at the boot path (Load returns the flipped value)
  - TestValidate_DenyEmptyDefault_RefusesWithoutToken — pins the
    fail-closed behavior under the new default
  - TestValidate_DenyEmptyExplicitFalse_AllowsEmpty — pins the
    v2.1.x back-compat escape hatch
  - TestValidate_DenyEmpty_DemoModeAckOverride_AllowsEmpty — pins
    the demo-mode override

internal/validation/ssrf_test.go
  - TestIsReservedIP_RFC1918_OptIn — pins toggle-off / toggle-on
    behavior across all three RFC1918 ranges, edge cases
    immediately outside the ranges, and the toggle-back-off path
  - TestSafeHTTPDialContext_RFC1918_OptIn — pins that the toggle
    reaches the dial-time SSRF check transitively (not just
    IsReservedIP in isolation)

Test-helper updates (Sprint-5-induced churn):
  - internal/config/config_test.go::setMinimalValidEnv now sets
    CERTCTL_AGENT_BOOTSTRAP_TOKEN to a placeholder so Load()-based
    tests that don't specifically exercise the empty-token gate
    keep passing under the new fail-closed default. Tests that DO
    exercise the empty-token path explicitly override back to "".
  - internal/config/config_est_profiles_test.go +
    internal/config/config_scep_profiles_test.go: same placeholder
    fix for the four Load()-based EST/SCEP profile tests.
  - cmd/server/main_test.go::TestMain_ServerConfigFromEnvironment +
    TestMain_AuthTypeConfiguration: same fix at the main.go test
    layer with prior-value restore.

Verified locally: gofmt -l clean; go vet clean; staticcheck clean
across internal/config, internal/validation, cmd/server; short
tests green on all three packages; targeted -v run of all six new
test names confirms PASS.

2026-05-16 19:13:52 +00:00

shankar0123

fdd424bf5f

feat(scep): per-issuer SCEP profiles — multi-endpoint dispatch

SCEP RFC 8894 + Intune master bundle — Phase 1.5 of 14.

Restructures SCEPConfig from a single flat struct (one IssuerID + one
RA pair + one challenge password) to a Profiles slice where each
profile binds its own URL path (/scep/<pathID>), issuer, optional
CertificateProfile, RA cert+key, and challenge password.

This phase is the FOUNDATION for Phases 2-12: every downstream handler
signature, service envelope, CertRep builder, GUI counter, and test
fixture takes a profile_id parameter from here on. Adding multi-profile
support post-bundle would cost 3x what greenfielding it now does.

Backward compat: legacy CERTCTL_SCEP_* flat env vars synthesise a
single-element Profiles[0] with PathID="" (legacy /scep root) when
CERTCTL_SCEP_PROFILES is unset. Existing operators see no behavior
change. New operators write multi-profile config directly via the
indexed env-var form.

Indexed env-var convention:
  CERTCTL_SCEP_PROFILES=corp,iot,server
  CERTCTL_SCEP_PROFILE_CORP_ISSUER_ID=iss-corp-laptop
  CERTCTL_SCEP_PROFILE_CORP_PROFILE_ID=prof-corp-tls
  CERTCTL_SCEP_PROFILE_CORP_CHALLENGE_PASSWORD=...
  CERTCTL_SCEP_PROFILE_CORP_RA_CERT_PATH=/etc/certctl/scep/corp-ra.crt
  CERTCTL_SCEP_PROFILE_CORP_RA_KEY_PATH=/etc/certctl/scep/corp-ra.key
  ... (etc per profile name)

internal/config/config.go
  * SCEPConfig.Profiles []SCEPProfileConfig — primary multi-profile
    dispatch source.
  * Legacy flat fields (IssuerID, ProfileID, ChallengePassword,
    RACertPath, RAKeyPath) preserved with updated docblocks marking
    them as merge sources for the backward-compat shim.
  * SCEPProfileConfig new struct (PathID, IssuerID, ProfileID,
    ChallengePassword, RACertPath, RAKeyPath).
  * loadSCEPProfilesFromEnv: reads CERTCTL_SCEP_PROFILES (comma-list
    of names), expands each to per-profile env vars
    CERTCTL_SCEP_PROFILE_<NAME>_*. Returns nil when unset so the
    legacy-shim path takes over.
  * mergeSCEPLegacyIntoProfiles: when SCEP enabled + Profiles empty +
    any legacy flat field populated, synthesises Profiles[0] with
    PathID="". No-op when Profiles already populated (structured form
    wins) or SCEP disabled.
  * validSCEPPathID: empty allowed (legacy /scep root); non-empty
    must be [a-z0-9-] with no leading/trailing hyphen.
  * Per-profile Validate gates: PathID format, uniqueness across the
    slice, ChallengePassword presence (CWE-306 per profile), RA pair
    presence (RFC 8894 §3.2.2), IssuerID presence.
  * Legacy single-profile gates skip when Profiles is non-empty so
    the per-profile loop owns the gating in the structured case
    (avoids double-fire with overlapping error messages).

internal/api/router/router.go
  * RegisterSCEPHandlers signature: map[string]handler.SCEPHandler
    (was a single SCEPHandler).
  * Empty PathID handler registered with literal r.Register('GET /scep'
    + 'POST /scep') so the openapi-parity AST scanner (Bundle D /
    Audit M-027) continues to see the documented /scep route. Without
    this preservation, the parity test fails because dynamic
    string-built routes don't appear in *ast.BasicLit walks.
  * Non-empty PathIDs registered dynamically as /scep/<pathID>.
  * AuthExempt prefix /scep already covers all /scep[/...] paths via
    prefix match — no change needed there.

cmd/server/main.go
  * SCEP startup block iterates cfg.SCEP.Profiles, builds one service
    + one handler per profile, stuffs them into a {pathID -> handler}
    map, hands the map to apiRouter.RegisterSCEPHandlers.
  * Per-profile preflight: preflightSCEPChallengePassword,
    preflightSCEPRACertKey, preflightEnrollmentIssuer fire ONCE PER
    PROFILE with a profile-scoped slog.Logger so failures report
    PathID + IssuerID. Each per-profile failure os.Exits(1) with a
    targeted error message.
  * Final 'SCEP server enabled' info log reports profile_count.

internal/config/config_scep_profiles_test.go (new, 9 tests / 22 sub-cases)
  * TestSCEPConfig_LegacyFlatFields_SynthesizeSingleProfile — the
    backward-compat smoke test.
  * TestSCEPConfig_MultipleProfiles_LoadFromEnv — structured-form
    happy path with two profiles.
  * TestSCEPConfig_StructuredFormBeatsLegacy — when both forms set,
    structured wins; legacy flat field MUST NOT leak into
    Profiles[0].ChallengePassword.
  * TestSCEPConfig_PathIDValidation — 13 sub-cases covering valid +
    every reject mode (uppercase, slash, leading/trailing hyphen,
    underscore, dot, space, non-ASCII).
  * TestSCEPConfig_DuplicatePathID_Refuses.
  * TestSCEPConfig_MissingPerProfileChallengePassword,
    _MissingPerProfileRAPair (3 sub-cases),
    _MissingPerProfileIssuerID — per-profile gate triplet.
  * TestSCEPConfig_DisabledIgnoresProfiles — gates only fire when
    SCEP is enabled.

internal/api/router/router_scep_profiles_test.go (new, 4 tests)
  * TestRouter_RegisterSCEPHandlers_LegacyEmptyPathIDMapsToRoot —
    empty PathID gets /scep root; both GET + POST routes registered.
  * TestRouter_RegisterSCEPHandlers_NonEmptyPathIDMapsToSubpath —
    non-empty PathID gets /scep/<pathID>; /scep root NOT registered
    when no empty-PathID profile exists.
  * TestRouter_RegisterSCEPHandlers_MultipleProfilesNoCrossBleed —
    three profiles (default, corp, iot); each path reaches the right
    handler instance, verified via per-profile-tagged GetCACaps mock
    response.
  * TestRouter_RegisterSCEPHandlers_EmptyMapRegistersNoRoutes — no
    profiles → no /scep routes (deploy with SCEP disabled).

Verification:
  * gofmt clean for the files I touched.
  * go vet clean across config / router / cmd/server / domain.
  * go test -short -count=1 green across config / router / cmd/server /
    api/handler / service / domain / pkcs7.
  * Coverage held: handler 79.0% / service 73.2% / pkcs7 100% /
    config 96.0% / domain 88.6% / router 100% / cmd/server 19.2%.
  * openapi-parity test green (literal /scep registrations preserved).

Phase 1.5 of 14 in SCEP RFC 8894 + Intune master bundle.
Living progress at cowork/scep-rfc8894-intune/progress.md.

2026-04-29 03:46:57 +00:00

2 Commits