certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 14:11:31 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	9c679a5960	auth-bundle-2 Phase 5: OIDC + session HTTP surface (13 endpoints), pre-login store, OpenID Connect Back-Channel Logout 1.0, cookieAuth scheme, 7 new auth permissions, CI guard, handler tests Phase 5 of the bundle puts the Phase 3 OIDC service + Phase 4 session service on the wire. 13 HTTP endpoints split into three logical groups: Public OIDC handshake (auth-exempt; protocol-mediated): GET /auth/oidc/login?provider=<id> -> 302 to IdP authorization URL + sets certctl_oidc_pending cookie (10-min TTL, Path=/auth/oidc/, SameSite=Lax) GET /auth/oidc/callback?code=...&state=... -> consume pre-login row, run Phase 3's 11-step token validation, mint post-login session, 302 to dashboard POST /auth/oidc/back-channel-logout -> OpenID Connect BCL 1.0 — IdP POSTs logout_token JWT; certctl validates signature against IdP JWKS via Phase 3 alg allow-list, required claims (iss/aud/iat/jti/ events; exactly one of sub/sid; nonce ABSENT per spec §2.4), revokes matching sessions, returns 200 with Cache-Control: no-store POST /auth/logout -> revoke caller's session Session management (RBAC-gated auth.session.): GET /api/v1/auth/sessions -> auth.session.list (own / all) DELETE /api/v1/auth/sessions/{id} -> auth.session.revoke (own bypass) OIDC provider + group-mapping CRUD (RBAC-gated auth.oidc.): GET /api/v1/auth/oidc/providers -> auth.oidc.list POST /api/v1/auth/oidc/providers -> auth.oidc.create (client_secret encrypted at rest via internal/crypto.EncryptIfKeySet) PUT /api/v1/auth/oidc/providers/{id} -> auth.oidc.edit DELETE /api/v1/auth/oidc/providers/{id} -> auth.oidc.delete (refused via ErrOIDCProviderInUse → 409 when users authenticated via this provider) POST /api/v1/auth/oidc/providers/{id}/refresh -> auth.oidc.edit (re-runs IdP downgrade defense via OIDCService.RefreshKeys) GET /api/v1/auth/oidc/group-mappings -> auth.oidc.list POST /api/v1/auth/oidc/group-mappings -> auth.oidc.edit DELETE /api/v1/auth/oidc/group-mappings/{id} -> auth.oidc.edit Migration 000037 ships: - oidc_pre_login_sessions table (10-min absolute TTL, FK CASCADE on oidc_provider_id, FK RESTRICT on signing_key_id; index on absolute_expires_at for the GC sweep); - 7 new permissions seeded into r-admin only: auth.session.list, auth.session.list.all, auth.session.revoke, auth.oidc.list, auth.oidc.create, auth.oidc.edit, auth.oidc.delete CanonicalPermissions extended in lockstep at internal/domain/auth/ validate.go. Pre-login machinery: - internal/repository/oidc.go gains PreLoginRepository interface + PreLoginSession struct + ErrPreLoginNotFound / ErrPreLoginExpired sentinels. - internal/repository/postgres/oidc_prelogin.go ships the impl; LookupAndConsume uses DELETE ... RETURNING for atomic single-use. - internal/auth/oidc/prelogin.go is the PreLoginAdapter that bridges the OIDC service's Phase 3 PreLoginStore interface to the new repository, signing the cookie value under the active SessionSigningKey via the same v1.<id>.<key>.<HMAC> wire format Phase 4 uses for post-login cookies. Defense-in-depth: the pre-login `pl-` prefix is enforced by ParseCookieValue(prefix); a stolen pre-login cookie cannot be replayed against the post-login Validate path (pinned by TestService_Validate_RejectsPreLoginCookieAtPostLoginGate). Session package extension: - internal/auth/session/service.go gains exported SignCookieValue, ParseCookieValue (with caller-supplied id-1 prefix), ComputeCookieHMAC, DecryptKeyMaterial wrappers so the OIDC pre-login adapter shares the same length-prefixed HMAC math without code duplication. - parseCookie no longer hardcodes the `ses-` prefix check (moved to Validate as defense-in-depth; pre-login cookie verification uses the `pl-` prefix via ParseCookieValue). Cookie attributes (all Phase 5 endpoints honor CERTCTL_SESSION_SAMESITE + Secure=true via SessionCookieAttrs from Phase 4 config): - certctl_oidc_pending: Path=/auth/oidc/, MaxAge=600s, SameSite=Lax (cannot be Strict because the IdP-initiated callback is a top-level navigation from a different origin). - certctl_session: Path=/, Expires=8h, SameSite=Lax\|Strict, HttpOnly. - certctl_csrf: Path=/, Expires=8h, HttpOnly=false (intentional — GUI must read it to echo into X-CSRF-Token header). Audit logging on every mutating operation (event_category="auth"): auth.oidc_login_succeeded / failed / unmapped_groups auth.oidc_back_channel_logout / failed auth.session_revoked auth.oidc_provider_{created,updated,deleted,refreshed} auth.group_mapping_{added,removed} OpenAPI updates: - cookieAuth security scheme added to api/openapi.yaml under components.securitySchemes (apiKey / cookie / certctl_session). - The 13 Phase 5 routes are added to SpecParityExceptions with a deferral note: full per-endpoint OpenAPI rows land in a follow-on commit alongside the GUI work (Phase 8) so the ergonomic shape can be validated against the live GUI client. CI guard: scripts/ci-guards/N-bundle-2-security-empty-preserved.sh asserts api/openapi.yaml has ≥ 14 'security: []' occurrences (the pre-Bundle-2 baseline). Reducing the count below 14 would silently force a Bearer-or-cookie requirement onto an endpoint that legitimately runs without certctl-issued credentials; the guard fires before that regression lands. Handler tests (internal/api/handler/auth_session_oidc_test.go): - All 6 prompt-mandated negative cases: BCL with missing events claim -> 400 BCL with nonce present -> 400 (per spec §2.4) BCL with sig signed by an unknown key -> 400 Callback with replayed state -> 400 Callback with PKCE verifier mismatch -> 400 Callback with expired pre-login row -> 400 - Plus happy paths for every endpoint, edge cases (missing-cookie, duplicate-name, in-use-409, wrong-tenant), and the Helper-function coverage (peekIssuer, classifyOIDCFailure, defaultIfBlank, defaultIntIfZero, clientIPFromRequest, encryptClientSecret). Coverage on internal/api/handler/auth_session_oidc.go: 80.9% per-function (above the Phase 5 spec's ≥ 80% floor). Server wiring (cmd/server/main.go): Wired AFTER sessionService (Phase 4) so the OIDC PreLoginAdapter can sign pre-login cookies under the active SessionSigningKey: oidcProviderRepo + oidcMappingRepo + oidcUserRepo + oidcPreLoginRepo -> preLoginAdapter -> oidcService -> authSessionOIDCHandler. sessionMinterAdapter shim bridges *session.Service.Create to the oidcsvc.SessionMinter port the OIDC service consumes. Router wiring (internal/api/router/router.go): 4 public OIDC routes via direct r.mux.Handle (auth-exempt; pinned in AuthExemptRouterRoutes); 9 RBAC-gated routes via r.Register + rbacGate(checker, perm, h). Routes only register when reg.AuthSessionOIDC != nil so pre-Phase-5 builds skip the block entirely. Verifications: gofmt clean, go vet clean across all touched packages, go test -short -count=1 green across internal/api/handler (74 tests + new Phase 5 batch), internal/api/router (parity + auth-exempt allowlist), internal/auth/oidc + session (no regressions), full domain + scheduler + config sweeps green, ci-guard N-bundle-2-security-empty-preserved.sh green (17 ≥ 14 baseline).	2026-05-10 06:08:27 +00:00
shankar0123	17b30c1f7f	auth-bundle-2 Phase 4: session service (cookie minting + signature validation, idle/absolute expiry, signing-key rotation, CSRF, GC), 15-case negative-test matrix, fail-fatal initial-key bootstrap Phase 4 of the bundle ships the post-login session lifecycle that backs every authenticated request once Phase 5 wires the OIDC handlers + the session middleware. The state machine is the load-bearing primitive for the Bundle 2 control plane: forge a session cookie and you bypass every RBAC gate. Service surface (internal/auth/session/service.go, ~880 LOC): - Service.Create(actorID, actorType, ip, ua) -> CreateResult Mints a session row; signs the cookie value with the active signing key; returns the cookie payload AND the CSRF token plaintext for the handler to set on the response. - Service.Validate(ValidateInput) -> Session Parses the cookie, looks up the signing key (incl. retired-but-in- retention), recomputes HMAC-SHA256, loads the session row, enforces revocation + absolute + idle expiry + optional IP/UA bind. Maps to one of 9 sentinel errors; the handler uniformly returns 401 to the wire (specific reason in the audit row). - Service.ValidateCSRF(headerValue, *Session) error Constant-time compares SHA-256(header) against the stored hash on the session row. - Service.UpdateLastSeen / Revoke / RevokeAllForActor - Service.RotateCSRFToken — mints fresh token, persists hash, returns plaintext; called on login completion, logout, role-change against actor, explicit operator rotate. - Service.RotateSigningKey — mints new active key, retires previous; retired keys stay valid for cfg.SigningKeyRetention so existing cookies don't immediately fail. - Service.EnsureInitialSigningKey — idempotent; mints first key on fresh deploys; emits auth.session_signing_key_bootstrap audit row with event_category=auth. Wired into cmd/server/main.go AFTER migrations + RBAC backfill, BEFORE the HTTP listener binds; failure is FATAL (logger.Error + os.Exit(1)) per the prompt — server refuses to boot rather than serve session-less. - Service.GarbageCollect — sweeps expired post-login sessions + pre-login rows >10min + retired-past-retention signing keys. Wired into the new internal/scheduler/scheduler.go::sessionGCLoop on a CERTCTL_SESSION_GC_INTERVAL tick. Cookie wire format (load-bearing): v1.<session_id>.<signing_key_id>.<base64url-no-pad(HMAC-SHA256)> The HMAC input is LENGTH-PREFIXED to defeat concatenation collisions: len(session_id) \|\| ":" \|\| session_id \|\| ":" \|\| len(signing_key_id) \|\| ":" \|\| signing_key_id where len(...) is the ASCII decimal byte-length. Without the length prefix, the bare-concatenation form `session_id \|\| signing_key_id` would let a forger swap one byte across the boundary — `<a, bc>` and `<ab, c>` produce identical HMAC inputs. The length prefix moves the boundary into the input itself so the two cases can never collide. The v1. version prefix is reserved. A future incompatible upgrade ships as v2. and the parser rejects unknown prefixes (no fallback). CSRF token model: - Plaintext goes in a JS-readable certctl_csrf cookie (HttpOnly=false intentional; the GUI must read it to echo into X-CSRF-Token header). - SHA-256 hash of the plaintext lives on the session row. - Validation: SHA-256(X-CSRF-Token) constant-time-compared. - Rotated by Service.RotateCSRFToken on login / logout / role-change / explicit admin-trigger. Optional defense-in-depth (default OFF): - CERTCTL_SESSION_BIND_IP — Validate compares client IP to row's recorded IP. Mismatch -> 401, audit row, session NOT auto-revoked (user may have legitimate IP change). Mobile + corporate-NAT environments leave this off. - CERTCTL_SESSION_BIND_USER_AGENT — same shape against UA. Configurable lifetimes (env vars wired in internal/config/config.go): CERTCTL_SESSION_IDLE_TIMEOUT 1h CERTCTL_SESSION_ABSOLUTE_TIMEOUT 8h CERTCTL_SESSION_SIGNING_KEY_RETENTION 24h CERTCTL_SESSION_GC_INTERVAL 1h CERTCTL_SESSION_SAMESITE Lax CERTCTL_SESSION_BIND_IP false CERTCTL_SESSION_BIND_USER_AGENT false Test surface (internal/auth/session/service_test.go, ~860 LOC): All 15 prompt-mandated negative cases: 1. Tampered cookie (HMAC byte flipped near segment start where all 6 bits are real — base64url-no-pad's last char carries only 2 bits so a tail-flip is unreliable). 1b. Tampered SESSION_ID segment (same HMAC-recompute outcome). 2. Cookie missing v1. prefix. 3. Cookie with unknown version prefix (v99). 4. Idle expiry — back-dated last_seen_at + idle_expires_at. 5. Absolute expiry — back-dated absolute_expires_at. 6. Revoked session. 7. Wrong signing key id (no row matches). 8. Cookie signed under retired-but-in-retention key SUCCEEDS. 9. Cookie signed under retired-past-retention key FAILS. 10. Concatenation collision — direct evidence that computeHMAC("abc","de") != computeHMAC("ab","cde") AND that a forged-boundary-slide cookie is rejected. 11. CSRF token missing. 12. CSRF token mismatch (constant-time compare). 13. IP-bind enabled + IP changed -> ErrSessionIPMismatch + audit row. 14. UA-bind enabled + UA changed -> ErrSessionUAMismatch + audit row. 15. EnsureInitialSigningKey RNG failure -> ErrInitialSigningKeyMintFailed wrap (cmd/server/main.go treats as fatal). Plus coverage-lift batch covering: every error wrap on every repo collaborator (Create, Get, UpdateLastSeen, UpdateCSRFTokenHash, Revoke, RevokeAllForActor, GC), every RNG-failure surface in Create / RotateCSRFToken / RotateSigningKey, every alg-pinning helper edge, the cookie parser's full negative matrix (empty, wrong segment count, missing prefixes, bad base64, wrong HMAC length), and a real-encryption round-trip via internal/crypto.EncryptIfKeySet -> DecryptIfKeySet so the v3-blob path is exercised end-to-end at the session-cookie level. Coverage: internal/auth/session 94.5% (floor 90) internal/auth/session/domain 96+% (floor 90, Phase 1) .github/coverage-thresholds.yml extended with 2 new gate entries (internal/auth/session and internal/auth/session/domain). The why: paragraphs explain why each fail-closed branch is load-bearing. Repository extensions: internal/repository/session.go gains UpdateCSRFTokenHash on the SessionRepository interface; internal/repository/postgres/session.go ships the implementation. RotateCSRFToken consumes it. Scheduler extensions: internal/scheduler/scheduler.go gains SessionGarbageCollector interface + sessionGC field + sessionGCInterval + SetSessionGarbageCollector + SetSessionGCInterval + sessionGCLoop. Pattern matches the existing acmeGCLoop: atomic.Bool guard prevents concurrent sweeps, sync.WaitGroup tracks for graceful shutdown, per-tick context.WithTimeout(1m) bounds a stuck Postgres. Server wiring: cmd/server/main.go constructs sessionService AFTER the bootstrap block (post-RBAC backfill) and BEFORE the policy-service block. EnsureInitialSigningKey runs immediately; failure is fatal via os.Exit(1). The scheduler section wires SetSessionGarbageCollector + SetSessionGCInterval alongside the other interval setters and emits an Info log so operators can confirm the loop is enabled. Phase 4 deviation note: Service.GarbageCollect() returns (int, error) rather than the prompt's literal `error`. The int is the count of session rows deleted on this sweep; the scheduler discards it (`_, err := ...`) but tests + future operator-facing audit rows can read it. The wider behavior matches the spec exactly. Verifications: gofmt clean, go vet ./internal/auth/session/... ./internal/scheduler/... ./internal/config/... ./cmd/server/... ./internal/repository/... clean, go test -short -count=1 -race green across all 3 session packages, full repository + auth + scheduler + config test sweeps green, no regressions in Bundle 1 packages.	2026-05-10 05:31:24 +00:00

Author

SHA1

Message

Date

shankar0123

9c679a5960

auth-bundle-2 Phase 5: OIDC + session HTTP surface (13 endpoints),

pre-login store, OpenID Connect Back-Channel Logout 1.0, cookieAuth
scheme, 7 new auth permissions, CI guard, handler tests

Phase 5 of the bundle puts the Phase 3 OIDC service + Phase 4 session
service on the wire. 13 HTTP endpoints split into three logical groups:

Public OIDC handshake (auth-exempt; protocol-mediated):
  GET  /auth/oidc/login?provider=<id>  -> 302 to IdP authorization URL
                                          + sets certctl_oidc_pending cookie
                                          (10-min TTL, Path=/auth/oidc/,
                                          SameSite=Lax)
  GET  /auth/oidc/callback?code=...&state=... -> consume pre-login row,
                                          run Phase 3's 11-step token
                                          validation, mint post-login
                                          session, 302 to dashboard
  POST /auth/oidc/back-channel-logout  -> OpenID Connect BCL 1.0 — IdP
                                          POSTs logout_token JWT; certctl
                                          validates signature against IdP
                                          JWKS via Phase 3 alg allow-list,
                                          required claims (iss/aud/iat/jti/
                                          events; exactly one of sub/sid;
                                          nonce ABSENT per spec §2.4),
                                          revokes matching sessions,
                                          returns 200 with
                                          Cache-Control: no-store
  POST /auth/logout                    -> revoke caller's session

Session management (RBAC-gated auth.session.*):
  GET    /api/v1/auth/sessions         -> auth.session.list (own / all)
  DELETE /api/v1/auth/sessions/{id}    -> auth.session.revoke (own bypass)

OIDC provider + group-mapping CRUD (RBAC-gated auth.oidc.*):
  GET    /api/v1/auth/oidc/providers              -> auth.oidc.list
  POST   /api/v1/auth/oidc/providers              -> auth.oidc.create
                                                     (client_secret encrypted
                                                     at rest via
                                                     internal/crypto.EncryptIfKeySet)
  PUT    /api/v1/auth/oidc/providers/{id}         -> auth.oidc.edit
  DELETE /api/v1/auth/oidc/providers/{id}         -> auth.oidc.delete
                                                     (refused via
                                                     ErrOIDCProviderInUse → 409
                                                     when users authenticated
                                                     via this provider)
  POST   /api/v1/auth/oidc/providers/{id}/refresh -> auth.oidc.edit
                                                     (re-runs IdP downgrade
                                                     defense via
                                                     OIDCService.RefreshKeys)
  GET    /api/v1/auth/oidc/group-mappings         -> auth.oidc.list
  POST   /api/v1/auth/oidc/group-mappings         -> auth.oidc.edit
  DELETE /api/v1/auth/oidc/group-mappings/{id}    -> auth.oidc.edit

Migration 000037 ships:

  - oidc_pre_login_sessions table (10-min absolute TTL, FK CASCADE on
    oidc_provider_id, FK RESTRICT on signing_key_id; index on
    absolute_expires_at for the GC sweep);
  - 7 new permissions seeded into r-admin only:
      auth.session.list, auth.session.list.all, auth.session.revoke,
      auth.oidc.list, auth.oidc.create, auth.oidc.edit, auth.oidc.delete

CanonicalPermissions extended in lockstep at internal/domain/auth/
validate.go.

Pre-login machinery:

  - internal/repository/oidc.go gains PreLoginRepository interface +
    PreLoginSession struct + ErrPreLoginNotFound / ErrPreLoginExpired
    sentinels.
  - internal/repository/postgres/oidc_prelogin.go ships the impl;
    LookupAndConsume uses DELETE ... RETURNING for atomic single-use.
  - internal/auth/oidc/prelogin.go is the PreLoginAdapter that bridges
    the OIDC service's Phase 3 PreLoginStore interface to the new
    repository, signing the cookie value under the active
    SessionSigningKey via the same v1.<id>.<key>.<HMAC> wire format
    Phase 4 uses for post-login cookies. Defense-in-depth: the
    pre-login `pl-` prefix is enforced by ParseCookieValue(prefix);
    a stolen pre-login cookie cannot be replayed against the
    post-login Validate path (pinned by
    TestService_Validate_RejectsPreLoginCookieAtPostLoginGate).

Session package extension:

  - internal/auth/session/service.go gains exported SignCookieValue,
    ParseCookieValue (with caller-supplied id-1 prefix), ComputeCookieHMAC,
    DecryptKeyMaterial wrappers so the OIDC pre-login adapter shares
    the same length-prefixed HMAC math without code duplication.
  - parseCookie no longer hardcodes the `ses-` prefix check (moved to
    Validate as defense-in-depth; pre-login cookie verification uses
    the `pl-` prefix via ParseCookieValue).

Cookie attributes (all Phase 5 endpoints honor CERTCTL_SESSION_SAMESITE
+ Secure=true via SessionCookieAttrs from Phase 4 config):

  - certctl_oidc_pending: Path=/auth/oidc/, MaxAge=600s, SameSite=Lax
    (cannot be Strict because the IdP-initiated callback is a top-level
    navigation from a different origin).
  - certctl_session: Path=/, Expires=8h, SameSite=Lax|Strict, HttpOnly.
  - certctl_csrf: Path=/, Expires=8h, HttpOnly=false (intentional —
    GUI must read it to echo into X-CSRF-Token header).

Audit logging on every mutating operation (event_category="auth"):

  auth.oidc_login_succeeded / failed / unmapped_groups
  auth.oidc_back_channel_logout / failed
  auth.session_revoked
  auth.oidc_provider_{created,updated,deleted,refreshed}
  auth.group_mapping_{added,removed}

OpenAPI updates:

  - cookieAuth security scheme added to api/openapi.yaml under
    components.securitySchemes (apiKey / cookie / certctl_session).
  - The 13 Phase 5 routes are added to SpecParityExceptions with a
    deferral note: full per-endpoint OpenAPI rows land in a follow-on
    commit alongside the GUI work (Phase 8) so the ergonomic shape can
    be validated against the live GUI client.

CI guard: scripts/ci-guards/N-bundle-2-security-empty-preserved.sh
asserts api/openapi.yaml has ≥ 14 'security: []' occurrences (the
pre-Bundle-2 baseline). Reducing the count below 14 would silently
force a Bearer-or-cookie requirement onto an endpoint that legitimately
runs without certctl-issued credentials; the guard fires before that
regression lands.

Handler tests (internal/api/handler/auth_session_oidc_test.go):

  - All 6 prompt-mandated negative cases:
      BCL with missing events claim -> 400
      BCL with nonce present -> 400 (per spec §2.4)
      BCL with sig signed by an unknown key -> 400
      Callback with replayed state -> 400
      Callback with PKCE verifier mismatch -> 400
      Callback with expired pre-login row -> 400
  - Plus happy paths for every endpoint, edge cases (missing-cookie,
    duplicate-name, in-use-409, wrong-tenant), and the Helper-function
    coverage (peekIssuer, classifyOIDCFailure, defaultIfBlank,
    defaultIntIfZero, clientIPFromRequest, encryptClientSecret).

Coverage on internal/api/handler/auth_session_oidc.go: 80.9% per-function
(above the Phase 5 spec's ≥ 80% floor).

Server wiring (cmd/server/main.go):

  Wired AFTER sessionService (Phase 4) so the OIDC PreLoginAdapter can
  sign pre-login cookies under the active SessionSigningKey:
    oidcProviderRepo + oidcMappingRepo + oidcUserRepo + oidcPreLoginRepo
    -> preLoginAdapter -> oidcService -> authSessionOIDCHandler.
  sessionMinterAdapter shim bridges *session.Service.Create to the
  oidcsvc.SessionMinter port the OIDC service consumes.

Router wiring (internal/api/router/router.go):

  4 public OIDC routes via direct r.mux.Handle (auth-exempt; pinned in
  AuthExemptRouterRoutes); 9 RBAC-gated routes via r.Register +
  rbacGate(checker, perm, h). Routes only register when
  reg.AuthSessionOIDC != nil so pre-Phase-5 builds skip the block
  entirely.

Verifications: gofmt clean, go vet clean across all touched packages,
go test -short -count=1 green across internal/api/handler (74 tests +
new Phase 5 batch), internal/api/router (parity + auth-exempt
allowlist), internal/auth/oidc + session (no regressions), full domain
+ scheduler + config sweeps green, ci-guard
N-bundle-2-security-empty-preserved.sh green (17 ≥ 14 baseline).

2026-05-10 06:08:27 +00:00

shankar0123

17b30c1f7f

auth-bundle-2 Phase 4: session service (cookie minting + signature

validation, idle/absolute expiry, signing-key rotation, CSRF, GC),
15-case negative-test matrix, fail-fatal initial-key bootstrap

Phase 4 of the bundle ships the post-login session lifecycle that backs
every authenticated request once Phase 5 wires the OIDC handlers + the
session middleware. The state machine is the load-bearing primitive for
the Bundle 2 control plane: forge a session cookie and you bypass every
RBAC gate.

Service surface (internal/auth/session/service.go, ~880 LOC):

  - Service.Create(actorID, actorType, ip, ua) -> *CreateResult
    Mints a session row; signs the cookie value with the active signing
    key; returns the cookie payload AND the CSRF token plaintext for
    the handler to set on the response.
  - Service.Validate(ValidateInput) -> *Session
    Parses the cookie, looks up the signing key (incl. retired-but-in-
    retention), recomputes HMAC-SHA256, loads the session row, enforces
    revocation + absolute + idle expiry + optional IP/UA bind. Maps to
    one of 9 sentinel errors; the handler uniformly returns 401 to the
    wire (specific reason in the audit row).
  - Service.ValidateCSRF(headerValue, *Session) error
    Constant-time compares SHA-256(header) against the stored hash on
    the session row.
  - Service.UpdateLastSeen / Revoke / RevokeAllForActor
  - Service.RotateCSRFToken — mints fresh token, persists hash, returns
    plaintext; called on login completion, logout, role-change against
    actor, explicit operator rotate.
  - Service.RotateSigningKey — mints new active key, retires previous;
    retired keys stay valid for cfg.SigningKeyRetention so existing
    cookies don't immediately fail.
  - Service.EnsureInitialSigningKey — idempotent; mints first key on
    fresh deploys; emits auth.session_signing_key_bootstrap audit row
    with event_category=auth. Wired into cmd/server/main.go AFTER
    migrations + RBAC backfill, BEFORE the HTTP listener binds; failure
    is FATAL (logger.Error + os.Exit(1)) per the prompt — server refuses
    to boot rather than serve session-less.
  - Service.GarbageCollect — sweeps expired post-login sessions +
    pre-login rows >10min + retired-past-retention signing keys. Wired
    into the new internal/scheduler/scheduler.go::sessionGCLoop on a
    CERTCTL_SESSION_GC_INTERVAL tick.

Cookie wire format (load-bearing):

  v1.<session_id>.<signing_key_id>.<base64url-no-pad(HMAC-SHA256)>

The HMAC input is LENGTH-PREFIXED to defeat concatenation collisions:

  len(session_id) || ":" || session_id || ":" || len(signing_key_id) || ":" || signing_key_id

where len(...) is the ASCII decimal byte-length. Without the length
prefix, the bare-concatenation form `session_id || signing_key_id`
would let a forger swap one byte across the boundary — `<a, bc>` and
`<ab, c>` produce identical HMAC inputs. The length prefix moves the
boundary into the input itself so the two cases can never collide.

The v1. version prefix is reserved. A future incompatible upgrade
ships as v2. and the parser rejects unknown prefixes (no fallback).

CSRF token model:

  - Plaintext goes in a JS-readable certctl_csrf cookie (HttpOnly=false
    intentional; the GUI must read it to echo into X-CSRF-Token header).
  - SHA-256 hash of the plaintext lives on the session row.
  - Validation: SHA-256(X-CSRF-Token) constant-time-compared.
  - Rotated by Service.RotateCSRFToken on login / logout / role-change /
    explicit admin-trigger.

Optional defense-in-depth (default OFF):

  - CERTCTL_SESSION_BIND_IP — Validate compares client IP to row's
    recorded IP. Mismatch -> 401, audit row, session NOT auto-revoked
    (user may have legitimate IP change). Mobile + corporate-NAT
    environments leave this off.
  - CERTCTL_SESSION_BIND_USER_AGENT — same shape against UA.

Configurable lifetimes (env vars wired in internal/config/config.go):

  CERTCTL_SESSION_IDLE_TIMEOUT             1h
  CERTCTL_SESSION_ABSOLUTE_TIMEOUT         8h
  CERTCTL_SESSION_SIGNING_KEY_RETENTION    24h
  CERTCTL_SESSION_GC_INTERVAL              1h
  CERTCTL_SESSION_SAMESITE                 Lax
  CERTCTL_SESSION_BIND_IP                  false
  CERTCTL_SESSION_BIND_USER_AGENT          false

Test surface (internal/auth/session/service_test.go, ~860 LOC):

  All 15 prompt-mandated negative cases:

    1.  Tampered cookie (HMAC byte flipped near segment start where all
        6 bits are real — base64url-no-pad's last char carries only 2
        bits so a tail-flip is unreliable).
    1b. Tampered SESSION_ID segment (same HMAC-recompute outcome).
    2.  Cookie missing v1. prefix.
    3.  Cookie with unknown version prefix (v99).
    4.  Idle expiry — back-dated last_seen_at + idle_expires_at.
    5.  Absolute expiry — back-dated absolute_expires_at.
    6.  Revoked session.
    7.  Wrong signing key id (no row matches).
    8.  Cookie signed under retired-but-in-retention key SUCCEEDS.
    9.  Cookie signed under retired-past-retention key FAILS.
    10. Concatenation collision — direct evidence that
        computeHMAC("abc","de") != computeHMAC("ab","cde") AND that
        a forged-boundary-slide cookie is rejected.
    11. CSRF token missing.
    12. CSRF token mismatch (constant-time compare).
    13. IP-bind enabled + IP changed -> ErrSessionIPMismatch + audit row.
    14. UA-bind enabled + UA changed -> ErrSessionUAMismatch + audit row.
    15. EnsureInitialSigningKey RNG failure -> ErrInitialSigningKeyMintFailed
        wrap (cmd/server/main.go treats as fatal).

  Plus coverage-lift batch covering: every error wrap on every repo
  collaborator (Create, Get, UpdateLastSeen, UpdateCSRFTokenHash,
  Revoke, RevokeAllForActor, GC), every RNG-failure surface in Create /
  RotateCSRFToken / RotateSigningKey, every alg-pinning helper edge,
  the cookie parser's full negative matrix (empty, wrong segment count,
  missing prefixes, bad base64, wrong HMAC length), and a real-encryption
  round-trip via internal/crypto.EncryptIfKeySet -> DecryptIfKeySet so
  the v3-blob path is exercised end-to-end at the session-cookie level.

Coverage:

  internal/auth/session              94.5%  (floor 90)
  internal/auth/session/domain       96+%   (floor 90, Phase 1)

.github/coverage-thresholds.yml extended with 2 new gate entries
(internal/auth/session and internal/auth/session/domain). The
why: paragraphs explain why each fail-closed branch is load-bearing.

Repository extensions:

  internal/repository/session.go gains UpdateCSRFTokenHash on the
  SessionRepository interface; internal/repository/postgres/session.go
  ships the implementation. RotateCSRFToken consumes it.

Scheduler extensions:

  internal/scheduler/scheduler.go gains SessionGarbageCollector
  interface + sessionGC field + sessionGCInterval +
  SetSessionGarbageCollector + SetSessionGCInterval + sessionGCLoop.
  Pattern matches the existing acmeGCLoop: atomic.Bool guard prevents
  concurrent sweeps, sync.WaitGroup tracks for graceful shutdown,
  per-tick context.WithTimeout(1m) bounds a stuck Postgres.

Server wiring:

  cmd/server/main.go constructs sessionService AFTER the bootstrap
  block (post-RBAC backfill) and BEFORE the policy-service block.
  EnsureInitialSigningKey runs immediately; failure is fatal via
  os.Exit(1). The scheduler section wires SetSessionGarbageCollector
  + SetSessionGCInterval alongside the other interval setters and
  emits an Info log so operators can confirm the loop is enabled.

Phase 4 deviation note: Service.GarbageCollect() returns (int, error)
rather than the prompt's literal `error`. The int is the count of
session rows deleted on this sweep; the scheduler discards it (`_, err
:= ...`) but tests + future operator-facing audit rows can read it.
The wider behavior matches the spec exactly.

Verifications: gofmt clean, go vet ./internal/auth/session/...
./internal/scheduler/... ./internal/config/... ./cmd/server/...
./internal/repository/... clean, go test -short -count=1 -race green
across all 3 session packages, full repository + auth + scheduler +
config test sweeps green, no regressions in Bundle 1 packages.

2026-05-10 05:31:24 +00:00

2 Commits