certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:32:02 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	e7c4654b16	harden(auth/session+oidc): 503/401 split + go-oidc string pin (LOW-6 + Nit-2) Audit 2026-05-10 — close LOW-6 + Nit-2 from the HANDOFF.md backend batch (items 8 + 9). LOW-6: introduce ErrSessionTransient sentinel in session.Service. session.Validate now distinguishes: - errors.Is(err, repository.ErrSessionNotFound) → ErrSessionInvalidCookie (401) - All other repo errors → ErrSessionTransient (503) The session middleware maps ErrSessionTransient to HTTP 503 with Retry-After: 1. Pre-fix, every DB hiccup looked like a forged-cookie 401 and forced the user to re-authenticate on a transient outage. Two new regression tests pin the wire shape: - TestService_Validate_TransientSessionGetError (service layer) - TestService_Validate_SessionNotFoundMapsToInvalidCookie (negative leg: not-found stays 401) - TestSessionMiddleware_TransientErrorMappedTo503 (middleware-level 503 + Retry-After header) Nit-2: isJWKSFetchError documentation now pins go-oidc/v3 v3.18.0 as the source-of-truth string set. v3.18.0 exposes only *oidc.TokenExpiredError as a typed error; JWKS-fetch failures bubble up as fmt.Errorf-wrapped strings. New regression test TestIsJWKSFetchError_GoOIDCV318Strings pins the canonical substrings emitted by go-oidc's jwks.go — a future upstream bump that changes the wording trips the test and forces the matcher to be re-derived. The test caught a real gap: 'oidc: failed to decode keys' (emitted when the IdP returns non-JSON at the jwks_uri — broken proxy, gateway HTML error page, etc.) was previously misclassified as a generic 500 instead of 503 ErrJWKSUnreachable. Added 'decode keys' substring to the matcher. Status: LOW-6 + Nit-2 marked CLOSED in audit-doc table. Refs: cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md items 8, 9 cowork/auth-bundles-audit-2026-05-10.md LOW-6, Nit-2	2026-05-10 22:41:19 +00:00
shankar0123	9cce2ab043	harden(auth): LOW + Nit batch — bootstrap audit, crypto/rand, XFF trust, CSRF check, protocol-prefix unify (Batch 1) Audit 2026-05-10 — close 8 LOWs + 2 Nits in-bundle. Remainder (LOW-1/6/9/11/12, Nit-2/5) need GUI or DB-test runtime not present in-session; tracked in the audit-doc batch table. LOW-2: bootstrap.ValidateAndMint now emits 'bootstrap.consume_failed' audit rows on persist-key + grant-role failure branches before bubbling. Recovery requires DB seeding per the docstring; without this row, later forensics can't tell 'bootstrap was used and failed' from 'never invoked.' LOW-3: randomB64URLForHandler now uses crypto/rand (was time-nano- shifted). Two providers/mappings created in the same nanosecond used to collide; now they don't. Time-nano fallback retained for the unlikely crypto/rand-broken path. LOW-4: breakglass.verifyDummy uses s.readRand(salt) for the dummy Argon2id verify. Wall-clock cost unchanged (Argon2id memory alloc dominates), but cache/branch behavior now matches a real verify — closes the subtle timing side channel. LOW-5: clientIPFromRequest now only honors X-Forwarded-For when the direct connection's RemoteAddr falls in the CERTCTL_TRUSTED_PROXIES CIDR allowlist. Default-deny: empty list means XFF is ignored. SetTrustedProxies wired in cmd/server/main.go from cfg.Auth.TrustedProxies. LOW-7: internal/auth/protocol_endpoints.go::ProtocolEndpointPrefixes now carries /scep-mtls + /.well-known/est-mtls (previously only in router.AuthExemptDispatchPrefixes; the two lists had drifted). The canonical-prefix coverage test in Phase 12 still pins the set. LOW-8: docs/operator/rbac.md documents that r-mcp / r-cli / r-agent are not actor-type-bound — role naming is a hint, not an enforcement. Operators wanting hard binding must apply periodic audit queries. Native binding is on the v2 roadmap. LOW-10: Session.Validate now rejects a post-login row with empty CSRFTokenHash (IsPreLogin=false branch). validSession test fixture updated with a valid 64-hex CSRF hash. Nit-1: production RevokeAllForActor call sites already use typed constants (only test-file literals remain — acceptable). Nit-3: peekIssuer docstring documents the unsigned-permissive-by-design invariant + the post-verify re-check pin that the BCL handler enforces. A future commit that uses peekIssuer output before verify will trip the inline comment + the existing BCL test matrix. Status table updated in cowork/auth-bundles-audit-2026-05-10.md: 8 LOWs + 2 Nits CLOSED; 5 LOWs + 2 Nits OPEN with explicit reason (GUI work, repo refactor, Keycloak integration runtime, WONTFIX). Refs: cowork/auth-bundles-audit-2026-05-10.md LOW-2/3/4/5/7/8/10 cowork/auth-bundles-audit-2026-05-10.md Nit-1/3	2026-05-10 22:26:12 +00:00
shankar0123	3189f3cd71	auth-bundle-2 Phase 6: session middleware + CSRF token plumbing + chained-auth combinator + AuthInfo OIDC providers extension + 2 CI guards (Bundle-1-compat + Bundle-1-to-2-upgrade) Phase 6 wires the Phase 4 session service + Phase 5 OIDC handlers into the request path. Three middlewares + one combinator land in internal/auth/session/middleware.go: 1. SessionMiddleware reads `certctl_session` cookie, validates via SessionService.Validate, populates the legacy UserKey/AdminKey + Phase 3 RBAC context keys (ActorIDKey/ActorTypeKey/TenantIDKey) so downstream RequirePermission + audit-attribution see a consistent caller. Best-effort UpdateLastSeen keeps the idle- expiry sliding window fresh. CRITICALLY: never 401s on validate failure — defers to the next middleware so the chained-auth combinator can fall back to Bearer. 2. CSRFMiddleware gates state-changing methods (POST/PUT/DELETE/ PATCH) for session-authenticated requests. API-key actors are EXEMPT (no session row in context => CSRF doesn't apply; they're not browser-driven). Constant-time-compares SHA-256(X-CSRF-Token header) against the session row's stored hash via SessionService.ValidateCSRF. Mismatch returns 403. 3. ChainAuthSessionThenBearer is the load-bearing chained-auth combinator: tries the session cookie first; on miss/invalid, falls back to the API-key Bearer middleware; if neither authenticates, 401. The composition uses bearerSkipIfAuthenticated so a request with both a valid session AND a valid Bearer uses the session (cookie wins per the Bundle 2 contract). Middleware chain order in cmd/server/main.go (per Phase 6 spec): RequestID → Logging → Recovery → CORS → RateLimit → AUTH (chained: session → Bearer) → CSRF (state-changing only; API-key exempt) → Audit → Handler The chained authMiddleware replaces the bare Bundle-1 bearerMiddleware at the chain entry point; csrfMiddleware lands immediately after so session-authenticated requests pass through CSRF before audit. Both new middlewares are pass-throughs when sessionService is nil (pre-Phase-4 builds). AuthInfo extension (Category E): GET /api/v1/auth/info now returns the list of configured OIDC providers (id + display_name + login_url where login_url = `/auth/oidc/login?provider=<id>`) so the GUI Login page renders the correct "Sign in with X" buttons. Endpoint stays auth-exempt; the providers list is public configuration. Wired via HealthHandler.OIDCProvidersResolver + a new OIDCProvidersListResolver projection interface; the cmd/server adapter oidcProvidersListAdapter projects the postgres OIDCProviderRepository into the public-safe shape. Resolver lookups are best-effort: failures fall back to the minimal payload rather than 500-ing the GUI's auth probe. Nil resolver preserves the pre-Phase-6 minimal shape so test fixtures + no-db deploys keep compiling. Bypass list preserved (Category E): the existing public-route allowlist in router.AuthExemptRouterRoutes is preserved by virtue of those routes registering via direct r.mux.Handle (they bypass the entire chain). The protocol-endpoint allowlist (ACME/SCEP/EST/OCSP/ CRL) bypasses via cmd/server/main.go::buildFinalHandler URL-prefix dispatch — those routes never reach the auth middleware at all. Both preservations are pinned by the Bundle-1 compat CI guard below. Tests (internal/auth/session/middleware_test.go): All 7 Phase 6 spec-mandated middleware-chain tests pass: 1. Session cookie + correct CSRF → 200. 2. Session cookie + wrong CSRF → 403. 3. Bearer-only (no session) + no CSRF → 200 (API-key actors are CSRF-exempt by design). 4. No cookie + no Bearer → 401. 5. Expired cookie + valid Bearer → fall back to Bearer succeeds. 6. Tampered cookie → 401 (no Bearer to fall back to). 7. Bypass-list awareness — state-changing method, no auth, no session row → uniform 401 (NOT a CSRF 403; the CSRF check is gated on session-row presence and never fires for unauth requests). Plus coverage-lift tests covering nil-service pass-through, safe- methods bypass, SessionFromContext nil + populated, isStateChangingMethod matrix, clientIPFromRequest variants (RemoteAddr / XFF first-hop / XFF single / no-port), nil-bearer chain branches. Coverage on internal/auth/session/middleware.go: 100% per-function across the 9 entry points (SessionValidator interfaces + NewSessionMiddleware + NewCSRFMiddleware + ChainAuthSessionThenBearer + bearerSkipIfAuthenticated + SessionFromContext + isStateChangingMethod + clientIPFromRequest + lastIndexByte). Package coverage 94.9%. Two new CI guards: scripts/ci-guards/bundle-1-compat-regression.sh — Bundle-1-only compat invariants. Static-source checks that protect the Bundle-1 path since spinning up docker-compose + running the integration test suite is sandbox-infeasible: 1. SessionMiddleware MUST defer-to-next on missing/invalid cookie. 2. CSRFMiddleware MUST be pass-through on missing session row. 3. cmd/server/main.go MUST wire ChainAuthSessionThenBearer. 4. The 4 public OIDC routes MUST be in AuthExemptRouterRoutes. 5. AuthInfo MUST guard on OIDCProvidersResolver != nil. scripts/ci-guards/bundle-1-to-2-upgrade-regression.sh — Bundle-1 → Bundle-2 upgrade invariants: 1. Migrations 000034..000037 use CREATE TABLE IF NOT EXISTS. 2. Migrations are wrapped in BEGIN; ... COMMIT;. 3. NO DROP TABLE / ALTER ... DROP COLUMN against any of the 19 protected Bundle-1 tables (api_keys, audit_events, certificates, certificate_versions, profiles, issuers, targets, agents, jobs, owners, teams, agent_groups, notifications, roles, permissions, role_permissions, actor_roles, tenants, approvals, intermediate_cas, issuance_approval_requests). 4. 000037 INSERTs use ON CONFLICT DO NOTHING (idempotent re-apply). 5. ChainAuthSessionThenBearer is wired (Bundle-1 Bearer keys continue to authenticate post-upgrade). 6. Bootstrap handler is registered (fresh-deployment bootstrap still works). Both guards are sandbox-feasible static analysis. When the operator gets a Linux VM with docker-in-docker, promote both to real `docker compose up` integration tests against a v2.1.0 baseline DB dump. Verifications: gofmt clean, go vet ./internal/auth/... ./internal/api/... ./cmd/server/... clean, go test -short -count=1 -race green across internal/auth/session (94.9% coverage), internal/api/handler, internal/api/router, no regressions in Bundle 1 packages, both new ci-guards green.	2026-05-10 06:22:25 +00:00

Author

SHA1

Message

Date

shankar0123

e7c4654b16

harden(auth/session+oidc): 503/401 split + go-oidc string pin (LOW-6 + Nit-2)

Audit 2026-05-10 — close LOW-6 + Nit-2 from the HANDOFF.md backend
batch (items 8 + 9).

LOW-6: introduce ErrSessionTransient sentinel in session.Service.
session.Validate now distinguishes:
  - errors.Is(err, repository.ErrSessionNotFound) → ErrSessionInvalidCookie (401)
  - All other repo errors                         → ErrSessionTransient (503)
The session middleware maps ErrSessionTransient to HTTP 503 with
Retry-After: 1. Pre-fix, every DB hiccup looked like a forged-cookie
401 and forced the user to re-authenticate on a transient outage.
Two new regression tests pin the wire shape:
  - TestService_Validate_TransientSessionGetError (service layer)
  - TestService_Validate_SessionNotFoundMapsToInvalidCookie (negative
    leg: not-found stays 401)
  - TestSessionMiddleware_TransientErrorMappedTo503 (middleware-level
    503 + Retry-After header)

Nit-2: isJWKSFetchError documentation now pins go-oidc/v3 v3.18.0 as
the source-of-truth string set. v3.18.0 exposes only
*oidc.TokenExpiredError as a typed error; JWKS-fetch failures bubble
up as fmt.Errorf-wrapped strings. New regression test
TestIsJWKSFetchError_GoOIDCV318Strings pins the canonical substrings
emitted by go-oidc's jwks.go — a future upstream bump that changes
the wording trips the test and forces the matcher to be re-derived.
The test caught a real gap: 'oidc: failed to decode keys' (emitted
when the IdP returns non-JSON at the jwks_uri — broken proxy, gateway
HTML error page, etc.) was previously misclassified as a generic 500
instead of 503 ErrJWKSUnreachable. Added 'decode keys' substring to
the matcher.

Status: LOW-6 + Nit-2 marked CLOSED in audit-doc table.

Refs: cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md items 8, 9
      cowork/auth-bundles-audit-2026-05-10.md LOW-6, Nit-2

2026-05-10 22:41:19 +00:00

shankar0123

9cce2ab043

harden(auth): LOW + Nit batch — bootstrap audit, crypto/rand, XFF trust, CSRF check, protocol-prefix unify (Batch 1)

Audit 2026-05-10 — close 8 LOWs + 2 Nits in-bundle. Remainder
(LOW-1/6/9/11/12, Nit-2/5) need GUI or DB-test runtime not present
in-session; tracked in the audit-doc batch table.

LOW-2: bootstrap.ValidateAndMint now emits 'bootstrap.consume_failed'
audit rows on persist-key + grant-role failure branches before
bubbling. Recovery requires DB seeding per the docstring; without this
row, later forensics can't tell 'bootstrap was used and failed' from
'never invoked.'

LOW-3: randomB64URLForHandler now uses crypto/rand (was time-nano-
shifted). Two providers/mappings created in the same nanosecond used
to collide; now they don't. Time-nano fallback retained for the
unlikely crypto/rand-broken path.

LOW-4: breakglass.verifyDummy uses s.readRand(salt) for the dummy
Argon2id verify. Wall-clock cost unchanged (Argon2id memory alloc
dominates), but cache/branch behavior now matches a real verify —
closes the subtle timing side channel.

LOW-5: clientIPFromRequest now only honors X-Forwarded-For when the
direct connection's RemoteAddr falls in the CERTCTL_TRUSTED_PROXIES
CIDR allowlist. Default-deny: empty list means XFF is ignored.
SetTrustedProxies wired in cmd/server/main.go from cfg.Auth.TrustedProxies.

LOW-7: internal/auth/protocol_endpoints.go::ProtocolEndpointPrefixes
now carries /scep-mtls + /.well-known/est-mtls (previously only in
router.AuthExemptDispatchPrefixes; the two lists had drifted). The
canonical-prefix coverage test in Phase 12 still pins the set.

LOW-8: docs/operator/rbac.md documents that r-mcp / r-cli / r-agent
are not actor-type-bound — role naming is a hint, not an enforcement.
Operators wanting hard binding must apply periodic audit queries.
Native binding is on the v2 roadmap.

LOW-10: Session.Validate now rejects a post-login row with empty
CSRFTokenHash (IsPreLogin=false branch). validSession test fixture
updated with a valid 64-hex CSRF hash.

Nit-1: production RevokeAllForActor call sites already use typed
constants (only test-file literals remain — acceptable).

Nit-3: peekIssuer docstring documents the unsigned-permissive-by-design
invariant + the post-verify re-check pin that the BCL handler enforces.
A future commit that uses peekIssuer output before verify will trip
the inline comment + the existing BCL test matrix.

Status table updated in cowork/auth-bundles-audit-2026-05-10.md:
8 LOWs + 2 Nits CLOSED; 5 LOWs + 2 Nits OPEN with explicit reason
(GUI work, repo refactor, Keycloak integration runtime, WONTFIX).

Refs: cowork/auth-bundles-audit-2026-05-10.md LOW-2/3/4/5/7/8/10
      cowork/auth-bundles-audit-2026-05-10.md Nit-1/3

2026-05-10 22:26:12 +00:00

shankar0123

3189f3cd71

auth-bundle-2 Phase 6: session middleware + CSRF token plumbing +

chained-auth combinator + AuthInfo OIDC providers extension + 2 CI
guards (Bundle-1-compat + Bundle-1-to-2-upgrade)

Phase 6 wires the Phase 4 session service + Phase 5 OIDC handlers into
the request path. Three middlewares + one combinator land in
internal/auth/session/middleware.go:

  1. SessionMiddleware reads `certctl_session` cookie, validates via
     SessionService.Validate, populates the legacy UserKey/AdminKey
     + Phase 3 RBAC context keys (ActorIDKey/ActorTypeKey/TenantIDKey)
     so downstream RequirePermission + audit-attribution see a
     consistent caller. Best-effort UpdateLastSeen keeps the idle-
     expiry sliding window fresh. CRITICALLY: never 401s on validate
     failure — defers to the next middleware so the chained-auth
     combinator can fall back to Bearer.

  2. CSRFMiddleware gates state-changing methods (POST/PUT/DELETE/
     PATCH) for session-authenticated requests. API-key actors are
     EXEMPT (no session row in context => CSRF doesn't apply; they're
     not browser-driven). Constant-time-compares SHA-256(X-CSRF-Token
     header) against the session row's stored hash via
     SessionService.ValidateCSRF. Mismatch returns 403.

  3. ChainAuthSessionThenBearer is the load-bearing chained-auth
     combinator: tries the session cookie first; on miss/invalid,
     falls back to the API-key Bearer middleware; if neither
     authenticates, 401. The composition uses bearerSkipIfAuthenticated
     so a request with both a valid session AND a valid Bearer uses
     the session (cookie wins per the Bundle 2 contract).

Middleware chain order in cmd/server/main.go (per Phase 6 spec):

  RequestID → Logging → Recovery → CORS → RateLimit → AUTH (chained:
  session → Bearer) → CSRF (state-changing only; API-key exempt) →
  Audit → Handler

The chained authMiddleware replaces the bare Bundle-1 bearerMiddleware
at the chain entry point; csrfMiddleware lands immediately after so
session-authenticated requests pass through CSRF before audit. Both
new middlewares are pass-throughs when sessionService is nil
(pre-Phase-4 builds).

AuthInfo extension (Category E): GET /api/v1/auth/info now returns the
list of configured OIDC providers (id + display_name + login_url
where login_url = `/auth/oidc/login?provider=<id>`) so the GUI Login
page renders the correct "Sign in with X" buttons. Endpoint stays
auth-exempt; the providers list is public configuration. Wired via
HealthHandler.OIDCProvidersResolver + a new OIDCProvidersListResolver
projection interface; the cmd/server adapter
oidcProvidersListAdapter projects the postgres OIDCProviderRepository
into the public-safe shape. Resolver lookups are best-effort: failures
fall back to the minimal payload rather than 500-ing the GUI's auth
probe. Nil resolver preserves the pre-Phase-6 minimal shape so test
fixtures + no-db deploys keep compiling.

Bypass list preserved (Category E): the existing public-route
allowlist in router.AuthExemptRouterRoutes is preserved by virtue of
those routes registering via direct r.mux.Handle (they bypass the
entire chain). The protocol-endpoint allowlist (ACME/SCEP/EST/OCSP/
CRL) bypasses via cmd/server/main.go::buildFinalHandler URL-prefix
dispatch — those routes never reach the auth middleware at all. Both
preservations are pinned by the Bundle-1 compat CI guard below.

Tests (internal/auth/session/middleware_test.go):

All 7 Phase 6 spec-mandated middleware-chain tests pass:

  1. Session cookie + correct CSRF → 200.
  2. Session cookie + wrong CSRF → 403.
  3. Bearer-only (no session) + no CSRF → 200 (API-key actors are
     CSRF-exempt by design).
  4. No cookie + no Bearer → 401.
  5. Expired cookie + valid Bearer → fall back to Bearer succeeds.
  6. Tampered cookie → 401 (no Bearer to fall back to).
  7. Bypass-list awareness — state-changing method, no auth, no
     session row → uniform 401 (NOT a CSRF 403; the CSRF check is
     gated on session-row presence and never fires for unauth
     requests).

Plus coverage-lift tests covering nil-service pass-through, safe-
methods bypass, SessionFromContext nil + populated, isStateChangingMethod
matrix, clientIPFromRequest variants (RemoteAddr / XFF first-hop /
XFF single / no-port), nil-bearer chain branches.

Coverage on internal/auth/session/middleware.go: 100% per-function
across the 9 entry points (SessionValidator interfaces +
NewSessionMiddleware + NewCSRFMiddleware + ChainAuthSessionThenBearer +
bearerSkipIfAuthenticated + SessionFromContext + isStateChangingMethod
+ clientIPFromRequest + lastIndexByte). Package coverage 94.9%.

Two new CI guards:

  scripts/ci-guards/bundle-1-compat-regression.sh — Bundle-1-only
  compat invariants. Static-source checks that protect the Bundle-1
  path since spinning up docker-compose + running the integration
  test suite is sandbox-infeasible:
    1. SessionMiddleware MUST defer-to-next on missing/invalid cookie.
    2. CSRFMiddleware MUST be pass-through on missing session row.
    3. cmd/server/main.go MUST wire ChainAuthSessionThenBearer.
    4. The 4 public OIDC routes MUST be in AuthExemptRouterRoutes.
    5. AuthInfo MUST guard on OIDCProvidersResolver != nil.

  scripts/ci-guards/bundle-1-to-2-upgrade-regression.sh — Bundle-1 →
  Bundle-2 upgrade invariants:
    1. Migrations 000034..000037 use CREATE TABLE IF NOT EXISTS.
    2. Migrations are wrapped in BEGIN; ... COMMIT;.
    3. NO DROP TABLE / ALTER ... DROP COLUMN against any of the 19
       protected Bundle-1 tables (api_keys, audit_events, certificates,
       certificate_versions, profiles, issuers, targets, agents, jobs,
       owners, teams, agent_groups, notifications, roles, permissions,
       role_permissions, actor_roles, tenants, approvals,
       intermediate_cas, issuance_approval_requests).
    4. 000037 INSERTs use ON CONFLICT DO NOTHING (idempotent re-apply).
    5. ChainAuthSessionThenBearer is wired (Bundle-1 Bearer keys
       continue to authenticate post-upgrade).
    6. Bootstrap handler is registered (fresh-deployment bootstrap
       still works).

Both guards are sandbox-feasible static analysis. When the operator
gets a Linux VM with docker-in-docker, promote both to real `docker
compose up` integration tests against a v2.1.0 baseline DB dump.

Verifications: gofmt clean, go vet ./internal/auth/... ./internal/api/...
./cmd/server/... clean, go test -short -count=1 -race green across
internal/auth/session (94.9% coverage), internal/api/handler,
internal/api/router, no regressions in Bundle 1 packages, both new
ci-guards green.

2026-05-10 06:22:25 +00:00

3 Commits