certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 14:11:31 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	56e2ea1ad7	docs: v2.1.0 release polish — strip internal bundle/phase tags, update status for OIDC ship README: - Rewrite Status block: drop the stale 'federated identity not yet shipped' line; flag v2.1.0 OIDC + sessions + back-channel logout + break-glass as early-access; encourage GitHub issues for IdP rough edges. (A1 framing — keep early-access umbrella, no SAML/WebAuthn/JIT roadmap teaser.) - Add OIDC SSO bullet to 'What it does' covering per-IdP runbooks, group-claim → role mapping, AES-256-GCM client_secret encryption, JWKS auto-refresh, PKCE-S256, RFC 9700 §4.7.1 pre-login binding, RFC 9207 iss check, __Host- cookies, CSRF rotation, idle+absolute expiry, BCL, break-glass admin. - Update Security paragraph: three auth paths (API keys / OIDC / break-glass), HMAC-signed sessions, CSRF rotation, RFC OIDC BCL. - Correct CI coverage thresholds against .github/coverage-thresholds.yml (service 70%, handler 75%, crypto 88%, auth packages 85-95%); 'static analysis' replaces the inflated '11 linters' claim (actual count is 4 active). Docs B3 sweep — strip operator-facing 'Bundle N' / 'Phase N' tags: - docs/operator/auth-threat-model.md — rewrite intro; rename 5 H2 sections (API-key + RBAC defenses / OIDC + sessions + break-glass defenses / OIDC + sessions threat catalogue / Closed federated- identity threats / Future-work threats); clean ~12 H3/prose hits. - docs/operator/rbac.md — strip Bundle 1 framing from intro, scope_id deferral note, MCP tools section, day-0 bootstrap, and 'Where to look next'. - docs/operator/auth-benchmarks.md — drop 'Phase 14' framing from title intro, hardware floor caption, result table caption, methodology, and pre-merge audit section. - docs/operator/security.md — already cleaned earlier this session (RBAC / day-0 / approval-bypass / OIDC federation / sessions / OIDC first-admin / break-glass H3s). - docs/operator/oidc-runbooks/{index,keycloak,authentik,okta, azure-ad}.md — strip Auth Bundle 2 framing + Phase 10/3/4 references; replace with feature-name prose. - docs/operator/legacy-clients-tls-1.2.md — drop Bundle F / M-023 audit-reference framing; keep CWE-326. - docs/operator/database-tls.md — drop Bundle B / M-018 framing from intro + Helm section. - docs/operator/runbooks/disaster-recovery.md — drop 'Production hardening II Phase 10' status callout. - docs/migration/oidc-enable.md — retitle 'Enable OIDC SSO'; strip Bundle 1/2 framing from prereqs, troubleshooting, related docs; update __Host- cookie callout from 'audit MED-14' to v2.1.0-BREAKING. - docs/migration/api-keys-to-rbac.md — strip Bundle 1 framing from intro, migration table, IsAdmin section, and cross-references. - docs/migration/acme-from-cert-manager.md — strip residual 'Phase 5' tags from cert-manager integration test references. - docs/reference/configuration.md — retitle Auth section. - docs/reference/profiles.md — strip Bundle 1 Phase 9 framing from RequiresApproval section + Related list. - docs/reference/auth-standards-implemented.md — rewrite intro (API-key + RBAC + OIDC + sessions + back-channel logout + break-glass); rename 'Bundle 1 (RBAC) standards covered separately' H2; clean per-row Phase references. - docs/README.md — rewrite nav-table entries to drop Bundle 1/2 parentheticals; retitle 'Enable OIDC SSO' migration entry. No code or test changes; pure operator-facing prose polish for the v2.1.0 tag.	2026-05-11 16:54:07 +00:00
shankar0123	874419989d	harden(auth/cookies): __Host- prefix on all three auth cookies (MED-14, BREAKING) Audit 2026-05-10 — close MED-14 from the HANDOFF.md backend batch (item 5). The session, CSRF, and OIDC pre-login cookies all carry the __Host- prefix; browsers now reject any subdomain attempt to overwrite them. Cookie name changes (BREAKING — existing sessions invalidate): - certctl_session → __Host-certctl_session - certctl_csrf → __Host-certctl_csrf - certctl_oidc_pending → __Host-certctl_oidc_pending The __Host- prefix requires Path=/ + Secure + no Domain attribute. Post-login session + CSRF cookies already met all three. The pre-login cookie's Path widened from '/auth/oidc/' to '/' to satisfy the prefix; the cookie lives 10 minutes and is only consumed by the callback handler, so the wider path scope is harmless. Files touched: - internal/auth/session/domain/types.go — constant rename + comment - internal/auth/session/domain/types_test.go — assertion update - internal/api/handler/auth_session_oidc.go — pre-login set + clear paths widened from /auth/oidc/ to / - web/src/api/client.ts — readCSRFCookie now compares against '__Host-certctl_csrf' - CHANGELOG.md — Unreleased > Security (BREAKING) entry - docs/migration/oidc-enable.md — operator-facing detail of the one-time re-authentication window + GUI customization guidance Operator impact: ONE re-login prompt per active session at the deploy that lands this change. Subsequent logins issue the __Host-prefixed cookie automatically. Existing bookmarked deep links work without modification (cookies are path-scoped, not URL-scoped). Refs: cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 5 cowork/auth-bundles-audit-2026-05-10.md MED-14	2026-05-10 22:52:53 +00:00
shankar0123	c03d18bb1c	auth-bundle-2 Phase 16: docs updates (security.md OIDC + sessions + break-glass + auditor split sections; new migration/oidc-enable.md; CHANGELOG.md v2.1.0 Bundle 2 release notes) Closes Phase 16 of cowork/auth-bundle-2-prompt.md. Three operator- facing docs updated, one new migration guide ships, README nav row added. Files ===== docs/operator/security.md (MODIFIED, Last reviewed bumped to 2026-05-10): * Added 5 new Bundle 2 subsections under '## Authentication surface' after the Bundle 1 approval-bypass-closure entry: - 'OIDC federation (Bundle 2 Phases 1-7)' — alg allow-list, IdP-downgrade defense, iss/aud/azp/at_hash, single-use state+nonce, PKCE-S256 mandatory, JWKS rotation handling, encrypted client_secret at rest with the v3 blob format pinned by an integration test, pointer to oidc-runbooks/ for per-IdP setup. - 'Sessions + back-channel logout (Bundle 2 Phases 4-6)' — length-prefixed HMAC cookie wire format, HttpOnly + Secure + SameSite cookie hardening, idle/absolute timeouts, CSRF defense, signing-key rotation primitive, fail-fatal EnsureInitialSigningKey at server boot, OpenID Connect Back-Channel Logout 1.0 (NOT RFC 8414). - 'OIDC first-admin bootstrap (Bundle 2 Phase 7)' — coexists with Bundle 1's env-var-token bootstrap, group-scoped via CERTCTL_BOOTSTRAP_ADMIN_GROUPS + CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID, one-shot per tenant. - 'Break-glass admin (Bundle 2 Phase 7.5)' — default-OFF, surface invisibility via 404-not-403, Argon2id with OWASP 2024 params, lockout state machine, constant-time-via- verifyDummy, WARN log at boot, runbook pointer for operator drill. - 'Migrating an existing deployment to OIDC' — pointer to the new migration/oidc-enable.md walkthrough. docs/migration/oidc-enable.md (NEW, Last reviewed 2026-05-10): * Step-by-step migration guide for an operator on a Bundle-1-merged deployment to enable OIDC SSO. Pre-reqs (CERTCTL_CONFIG_ENCRYPTION_KEY, admin actor with auth.oidc.create + auth.oidc.edit, IdP tenant) + 7 numbered steps (pin encryption key, complete IdP-side per runbook, configure certctl-side OIDCProvider, add group→role mappings with fail-closed warning, optional first-admin bootstrap, verify with single test user, announce SSO endpoint). * Rollback section covering the 4-step disable flow + the 409 Conflict on provider-delete-while-sessions-exist + the existing-sessions-keep-working-until-expiry semantics. * Troubleshooting section pinning 8 most-common failure modes (discovery doc fetch fails / IdP downgrade defense rejects / no roles assigned / iss mismatch / pre-login expired / state mismatch / sessions revoked but user can hit API / JWKS rotation breaks login). * Database row count drift documented so operators know what to expect after OIDC is live (10 Bundle 2 tables enumerated). * Cross-references to oidc-runbooks/ + security.md + auth-threat-model.md + auth-benchmarks.md + auth-standards-implemented.md. CHANGELOG.md (MODIFIED): * v2.1.0 section title bumped from 'Auth Bundle 1: RBAC primitive' to 'Auth Bundles 1 + 2: RBAC primitive + OIDC SSO + sessions'. * Replaced the Bundle 1 closing-bullet ('Bundle 2 starts after Bundle 1 lands on master') with 18 new Bundle 2 entries: - OIDC + sessions + back-channel logout + break-glass overview. - OIDC token validation pinned at three layers (alg allow-list, IdP-downgrade defense, OIDC Core §3.1.3.7 re-verification). - Length-prefixed HMAC session cookies. - CSRF double-submit + hashed-token-on-row. - OIDC client_secret AES-256-GCM v3 blob at rest + integration-test invariant. - OIDC first-admin bootstrap. - Default-OFF break-glass admin (Argon2id + lockout + constant-time + surface invisibility). - GUI: 4 new pages + login-page IdP buttons + sidebar logout. - 11 new MCP tools for OIDC + session management. - 6 per-IdP runbooks (Keycloak / Authentik / Okta / Auth0 / Entra ID / Google Workspace). - Threat model extended with 5 new defense subsections + 8 new threat-catalogue subsections. - Performance baselines documented (4 benchmarks; 3 measured + 1 operator-runs). - Standards-and-RFC implementation table (13 RFCs + 14 CWEs; NOT a compliance-mapping doc). - Coverage gates held at floor 90 across all 4 Bundle 2 packages (anti-Bundle-1-mistake invariant). - Multi-tenant query CI guard (ratchet baseline 32). - Phase 10 Keycloak testcontainers integration test + optional Okta smoke test. - OpenAPI cookieAuth security scheme + 13 new endpoints + 4 break-glass endpoints. - Bundle-1-only compat regression CI guard + Bundle-1-to-2-upgrade regression CI guard. * Final paragraph updated to point at oidc-enable.md alongside api-keys-to-rbac.md as the two migration walkthroughs. docs/README.md (MODIFIED): * Added the new oidc-enable.md migration row under '## Migration' alongside the existing api-keys-to-rbac.md entry, with a one-line description flagging it as the Bundle 2 OIDC onboarding walkthrough. Verification ============ * Last-reviewed on security.md + oidc-enable.md: 2026-05-10. * Internal-link sweep on oidc-enable.md: 0 broken (every relative link resolves via shell-loop verification). * Internal-link sweep on docs/README.md: 0 broken (all .md references resolve). * No Go-side impact, make verify gate unchanged. Bundle 2 documentation deliverables now complete: security.md + auth-threat-model.md + oidc-runbooks/ + auth-benchmarks.md + auth-standards-implemented.md + api-keys-to-rbac.md + oidc-enable.md + CHANGELOG.md v2.1.0. The full Bundle 2 surface is operator- discoverable from docs/README.md root nav.	2026-05-10 17:07:27 +00:00

Author

SHA1

Message

Date

shankar0123

56e2ea1ad7

docs: v2.1.0 release polish — strip internal bundle/phase tags, update status for OIDC ship

README:
- Rewrite Status block: drop the stale 'federated identity not yet
  shipped' line; flag v2.1.0 OIDC + sessions + back-channel logout
  + break-glass as early-access; encourage GitHub issues for IdP
  rough edges. (A1 framing — keep early-access umbrella, no
  SAML/WebAuthn/JIT roadmap teaser.)
- Add OIDC SSO bullet to 'What it does' covering per-IdP runbooks,
  group-claim → role mapping, AES-256-GCM client_secret encryption,
  JWKS auto-refresh, PKCE-S256, RFC 9700 §4.7.1 pre-login binding,
  RFC 9207 iss check, __Host- cookies, CSRF rotation, idle+absolute
  expiry, BCL, break-glass admin.
- Update Security paragraph: three auth paths (API keys / OIDC /
  break-glass), HMAC-signed sessions, CSRF rotation, RFC OIDC BCL.
- Correct CI coverage thresholds against
  .github/coverage-thresholds.yml (service 70%, handler 75%,
  crypto 88%, auth packages 85-95%); 'static analysis' replaces
  the inflated '11 linters' claim (actual count is 4 active).

Docs B3 sweep — strip operator-facing 'Bundle N' / 'Phase N' tags:
- docs/operator/auth-threat-model.md — rewrite intro; rename 5 H2
  sections (API-key + RBAC defenses / OIDC + sessions + break-glass
  defenses / OIDC + sessions threat catalogue / Closed federated-
  identity threats / Future-work threats); clean ~12 H3/prose hits.
- docs/operator/rbac.md — strip Bundle 1 framing from intro,
  scope_id deferral note, MCP tools section, day-0 bootstrap, and
  'Where to look next'.
- docs/operator/auth-benchmarks.md — drop 'Phase 14' framing from
  title intro, hardware floor caption, result table caption,
  methodology, and pre-merge audit section.
- docs/operator/security.md — already cleaned earlier this session
  (RBAC / day-0 / approval-bypass / OIDC federation / sessions /
  OIDC first-admin / break-glass H3s).
- docs/operator/oidc-runbooks/{index,keycloak,authentik,okta,
  azure-ad}.md — strip Auth Bundle 2 framing + Phase 10/3/4
  references; replace with feature-name prose.
- docs/operator/legacy-clients-tls-1.2.md — drop Bundle F / M-023
  audit-reference framing; keep CWE-326.
- docs/operator/database-tls.md — drop Bundle B / M-018 framing
  from intro + Helm section.
- docs/operator/runbooks/disaster-recovery.md — drop 'Production
  hardening II Phase 10' status callout.
- docs/migration/oidc-enable.md — retitle 'Enable OIDC SSO';
  strip Bundle 1/2 framing from prereqs, troubleshooting, related
  docs; update __Host- cookie callout from 'audit MED-14' to
  v2.1.0-BREAKING.
- docs/migration/api-keys-to-rbac.md — strip Bundle 1 framing from
  intro, migration table, IsAdmin section, and cross-references.
- docs/migration/acme-from-cert-manager.md — strip residual
  'Phase 5' tags from cert-manager integration test references.
- docs/reference/configuration.md — retitle Auth section.
- docs/reference/profiles.md — strip Bundle 1 Phase 9 framing
  from RequiresApproval section + Related list.
- docs/reference/auth-standards-implemented.md — rewrite intro
  (API-key + RBAC + OIDC + sessions + back-channel logout +
  break-glass); rename 'Bundle 1 (RBAC) standards covered
  separately' H2; clean per-row Phase references.
- docs/README.md — rewrite nav-table entries to drop Bundle 1/2
  parentheticals; retitle 'Enable OIDC SSO' migration entry.

No code or test changes; pure operator-facing prose polish for
the v2.1.0 tag.

2026-05-11 16:54:07 +00:00

shankar0123

874419989d

harden(auth/cookies): __Host- prefix on all three auth cookies (MED-14, BREAKING)

Audit 2026-05-10 — close MED-14 from the HANDOFF.md backend batch
(item 5). The session, CSRF, and OIDC pre-login cookies all carry
the __Host- prefix; browsers now reject any subdomain attempt to
overwrite them.

Cookie name changes (BREAKING — existing sessions invalidate):
  - certctl_session       → __Host-certctl_session
  - certctl_csrf          → __Host-certctl_csrf
  - certctl_oidc_pending  → __Host-certctl_oidc_pending

The __Host- prefix requires Path=/ + Secure + no Domain attribute.
Post-login session + CSRF cookies already met all three. The pre-login
cookie's Path widened from '/auth/oidc/' to '/' to satisfy the prefix;
the cookie lives 10 minutes and is only consumed by the callback
handler, so the wider path scope is harmless.

Files touched:
  - internal/auth/session/domain/types.go — constant rename + comment
  - internal/auth/session/domain/types_test.go — assertion update
  - internal/api/handler/auth_session_oidc.go — pre-login set + clear
    paths widened from /auth/oidc/ to /
  - web/src/api/client.ts — readCSRFCookie now compares against
    '__Host-certctl_csrf'
  - CHANGELOG.md — Unreleased > Security (BREAKING) entry
  - docs/migration/oidc-enable.md — operator-facing detail of the
    one-time re-authentication window + GUI customization guidance

Operator impact: ONE re-login prompt per active session at the deploy
that lands this change. Subsequent logins issue the __Host-prefixed
cookie automatically. Existing bookmarked deep links work without
modification (cookies are path-scoped, not URL-scoped).

Refs: cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 5
      cowork/auth-bundles-audit-2026-05-10.md MED-14

2026-05-10 22:52:53 +00:00

shankar0123

c03d18bb1c

auth-bundle-2 Phase 16: docs updates (security.md OIDC + sessions + break-glass + auditor split sections; new migration/oidc-enable.md; CHANGELOG.md v2.1.0 Bundle 2 release notes)

Closes Phase 16 of cowork/auth-bundle-2-prompt.md. Three operator-
facing docs updated, one new migration guide ships, README nav row
added.

Files
=====

docs/operator/security.md (MODIFIED, Last reviewed bumped to 2026-05-10):
* Added 5 new Bundle 2 subsections under '## Authentication
  surface' after the Bundle 1 approval-bypass-closure entry:
  - 'OIDC federation (Bundle 2 Phases 1-7)' — alg allow-list,
    IdP-downgrade defense, iss/aud/azp/at_hash, single-use
    state+nonce, PKCE-S256 mandatory, JWKS rotation handling,
    encrypted client_secret at rest with the v3 blob format
    pinned by an integration test, pointer to oidc-runbooks/
    for per-IdP setup.
  - 'Sessions + back-channel logout (Bundle 2 Phases 4-6)' —
    length-prefixed HMAC cookie wire format, HttpOnly + Secure
    + SameSite cookie hardening, idle/absolute timeouts, CSRF
    defense, signing-key rotation primitive, fail-fatal
    EnsureInitialSigningKey at server boot, OpenID Connect
    Back-Channel Logout 1.0 (NOT RFC 8414).
  - 'OIDC first-admin bootstrap (Bundle 2 Phase 7)' — coexists
    with Bundle 1's env-var-token bootstrap, group-scoped via
    CERTCTL_BOOTSTRAP_ADMIN_GROUPS + CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID,
    one-shot per tenant.
  - 'Break-glass admin (Bundle 2 Phase 7.5)' — default-OFF,
    surface invisibility via 404-not-403, Argon2id with OWASP
    2024 params, lockout state machine, constant-time-via-
    verifyDummy, WARN log at boot, runbook pointer for
    operator drill.
  - 'Migrating an existing deployment to OIDC' — pointer to
    the new migration/oidc-enable.md walkthrough.

docs/migration/oidc-enable.md (NEW, Last reviewed 2026-05-10):
* Step-by-step migration guide for an operator on a Bundle-1-merged
  deployment to enable OIDC SSO. Pre-reqs (CERTCTL_CONFIG_ENCRYPTION_KEY,
  admin actor with auth.oidc.create + auth.oidc.edit, IdP tenant)
  + 7 numbered steps (pin encryption key, complete IdP-side per
  runbook, configure certctl-side OIDCProvider, add group→role
  mappings with fail-closed warning, optional first-admin bootstrap,
  verify with single test user, announce SSO endpoint).
* Rollback section covering the 4-step disable flow + the 409
  Conflict on provider-delete-while-sessions-exist + the
  existing-sessions-keep-working-until-expiry semantics.
* Troubleshooting section pinning 8 most-common failure modes
  (discovery doc fetch fails / IdP downgrade defense rejects /
  no roles assigned / iss mismatch / pre-login expired / state
  mismatch / sessions revoked but user can hit API / JWKS
  rotation breaks login).
* Database row count drift documented so operators know what to
  expect after OIDC is live (10 Bundle 2 tables enumerated).
* Cross-references to oidc-runbooks/ + security.md +
  auth-threat-model.md + auth-benchmarks.md + auth-standards-implemented.md.

CHANGELOG.md (MODIFIED):
* v2.1.0 section title bumped from 'Auth Bundle 1: RBAC primitive'
  to 'Auth Bundles 1 + 2: RBAC primitive + OIDC SSO + sessions'.
* Replaced the Bundle 1 closing-bullet ('Bundle 2 starts after
  Bundle 1 lands on master') with 18 new Bundle 2 entries:
  - OIDC + sessions + back-channel logout + break-glass overview.
  - OIDC token validation pinned at three layers (alg allow-list,
    IdP-downgrade defense, OIDC Core §3.1.3.7 re-verification).
  - Length-prefixed HMAC session cookies.
  - CSRF double-submit + hashed-token-on-row.
  - OIDC client_secret AES-256-GCM v3 blob at rest +
    integration-test invariant.
  - OIDC first-admin bootstrap.
  - Default-OFF break-glass admin (Argon2id + lockout +
    constant-time + surface invisibility).
  - GUI: 4 new pages + login-page IdP buttons + sidebar logout.
  - 11 new MCP tools for OIDC + session management.
  - 6 per-IdP runbooks (Keycloak / Authentik / Okta / Auth0 /
    Entra ID / Google Workspace).
  - Threat model extended with 5 new defense subsections + 8 new
    threat-catalogue subsections.
  - Performance baselines documented (4 benchmarks; 3 measured
    + 1 operator-runs).
  - Standards-and-RFC implementation table (13 RFCs + 14 CWEs;
    NOT a compliance-mapping doc).
  - Coverage gates held at floor 90 across all 4 Bundle 2
    packages (anti-Bundle-1-mistake invariant).
  - Multi-tenant query CI guard (ratchet baseline 32).
  - Phase 10 Keycloak testcontainers integration test + optional
    Okta smoke test.
  - OpenAPI cookieAuth security scheme + 13 new endpoints + 4
    break-glass endpoints.
  - Bundle-1-only compat regression CI guard +
    Bundle-1-to-2-upgrade regression CI guard.
* Final paragraph updated to point at oidc-enable.md alongside
  api-keys-to-rbac.md as the two migration walkthroughs.

docs/README.md (MODIFIED):
* Added the new oidc-enable.md migration row under '## Migration'
  alongside the existing api-keys-to-rbac.md entry, with a
  one-line description flagging it as the Bundle 2 OIDC
  onboarding walkthrough.

Verification
============

* Last-reviewed on security.md + oidc-enable.md: 2026-05-10.
* Internal-link sweep on oidc-enable.md: 0 broken (every relative
  link resolves via shell-loop verification).
* Internal-link sweep on docs/README.md: 0 broken (all .md
  references resolve).
* No Go-side impact, make verify gate unchanged.

Bundle 2 documentation deliverables now complete: security.md +
auth-threat-model.md + oidc-runbooks/ + auth-benchmarks.md +
auth-standards-implemented.md + api-keys-to-rbac.md + oidc-enable.md
+ CHANGELOG.md v2.1.0. The full Bundle 2 surface is operator-
discoverable from docs/README.md root nav.

2026-05-10 17:07:27 +00:00

3 Commits