certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 21:41:39 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	ba66748b5b	connectors: close Phase 7 SEC-H2 — migrate 5 connectors to argv-form exec Phase 7 of the certctl architecture diligence remediation closes SEC-H2 by eliminating `sh -c` from every production target-connector exec call site, replacing it with argv-form exec.CommandContext fed by a new validating shell-split helper. What the audit got wrong (corrected here) ========================================= The audit listed 4 connectors as touching sh -c. Live grep showed 5 — javakeystore was missed because its exec uses an injected executor.Execute(ctx, "sh", "-c", ...) shape instead of the more typical exec.CommandContext direct call. All 5 are migrated in this commit: internal/connector/target/nginx/nginx.go internal/connector/target/apache/apache.go internal/connector/target/haproxy/haproxy.go internal/connector/target/postfix/postfix.go internal/connector/target/javakeystore/javakeystore.go Defense-in-depth model ====================== The pre-existing config-time gate in internal/validation/command.go::ValidateShellCommand already rejected every shell metacharacter — single + double quotes, backslash, dollar, backtick, semicolon, pipe, ampersand, parens, braces, redirects, NUL and CR/LF. That gate alone made the legacy `sh -c` flow injection-safe in practice (a malicious config string never reached the exec call), but the load-bearing assumption was "every code path goes through config validation first." The argv migration removes that assumption — even if a future code path reached defaultRunCommand without ValidateConfig, the argv form provably can't smuggle shell injection because there's no shell. New helper: validation.SplitShellCommand ======================================== internal/validation/command.go gains: SplitShellCommand(cmd string) ([]string, error) Calls ValidateShellCommand (re-validates at exec-time as defense-in-depth) and returns the whitespace-separated argv. Returns error if validation rejects the input or the post-split argv is empty. Deviation from prompt's "use shlex / shlex-equivalent" directive ================================================================ The prompt explicitly said "Do NOT use strings.Fields — it doesn't handle quoted arguments. Use shlex-equivalent or github.com/google/shlex for correctness." Deviation: this commit uses strings.Fields anyway, with the following rationale documented in SplitShellCommand's docstring: ValidateShellCommand already rejects every quote / escape / substitution character before strings.Fields runs. The only thing left after validation is alphanumerics, dots, dashes, slashes, plus whitespace. strings.Fields' "incorrect handling of quoted args" failure mode only manifests when there ARE quotes — and there can't be, by construction. Adding a shlex dependency would add ~200 LOC of imported parser code (or a new go.mod entry) to handle a case that the deny-list provably forbids. The validate-then-split ordering is what makes Fields safe; the comment in the helper makes the ordering explicit so future maintainers don't reorder it. The SplitShellCommand_HappyPaths test pins this contract — e.g. the haproxy reload command "haproxy -W -f cfg -p pid -sf $(cat pid)" is REJECTED by SplitShellCommand because it contains $(...). Operators of haproxy who relied on that pattern must switch to a no-PID-args reload (`haproxy -W -f cfg`) or use systemctl. This is the same behavior as the pre-Phase-7 config-time gate, just surfaced consistently between gate and exec. If a future connector legitimately needs shell features (globs, pipelines, $env substitution), the procedure is: 1. Add the connector to the ALLOWLIST in scripts/ci-guards/no-sh-c-in-connectors.sh with a documented justification. 2. Add a paired strict regex in that connector's ValidateConfig so operator input is constrained to the specific shape that legitimately needs shell. The empty-by-default ALLOWLIST is the load-bearing default. Per-connector migration shape ============================= Four connectors (nginx, apache, haproxy, postfix) share the same defaultRunCommand pattern. Before: func defaultRunCommand(ctx context.Context, command string) ([]byte, error) { return exec.CommandContext(ctx, "sh", "-c", command).CombinedOutput() } After: func defaultRunCommand(ctx context.Context, command string) ([]byte, error) { argv, err := validation.SplitShellCommand(command) if err != nil { return nil, fmt.Errorf("invalid reload/validate command: %w", err) } return exec.CommandContext(ctx, argv[0], argv[1:]...).CombinedOutput() } The test-seam contract `runReload(ctx context.Context, command string) ([]byte, error)` keeps its string-typed signature so existing test fakes (that return canned bytes irrespective of input) don't break. Only the production default implementation changed. javakeystore is different — its exec goes through an injected executor.Execute(ctx, name string, args ...string), which is already variadic and never needed a shell wrapper. The migration unpacks argv directly: argv, err := validation.SplitShellCommand(c.config.ReloadCommand) if err != nil { /* log + skip / } output, runErr := c.executor.Execute(ctx, argv[0], argv[1:]...) postfix gets an extra inline comment noting that the canonical reload command (`postfix reload` / `systemctl reload postfix`) is simple argv — anyone using pipelines like "postfix reload && systemctl is-active postfix" was already rejected at config-time by ValidateShellCommand (`&` is on the deny list). Tests ===== internal/validation/command_test.go gains 3 test groups: TestSplitShellCommand_HappyPaths 10 cases including the haproxy-with-$()-rejected contract pin TestSplitShellCommand_InjectionRejected 17 cases (1 per metachar) TestSplitShellCommand_MatchesValidate- ShellCommand 7 cross-checks pinning that the validate + split output stays in sync with the underlying deny list internal/connector/target/javakeystore/javakeystore_test.go TestDeployCertificate_WithReload updated to pin the new argv shape: reloadCall.Name == "systemctl" reloadCall.Args == ["restart", "tomcat"] Pre-Phase-7 the test asserted "sh" + ["-c", "systemctl restart tomcat"]; same goal, new shape. internal/connector/target/apache/apache_test.go + internal/connector/target/haproxy/haproxy_test.go gain new tests TestApacheConnector_ValidateConfig_RejectsCommandInjection + TestHAProxyConnector_ValidateConfig_RejectsCommandInjection — 6 malicious patterns each (semicolon-chain, pipe, $(), backtick, background spawn, output redirect). Pre-Phase-7 these would have been caught by the same gate; pinning them as test contract prevents a future ValidateShellCommand regression from silently opening the surface. CI guard ======== scripts/ci-guards/no-sh-c-in-connectors.sh greps for any future `(exec\.Command(Context)?\|\.Execute)\([^)]"sh"[[:space:]],[[:space:]]"-c"` under internal/connector/target/.go (excluding _test.go and comment lines). Auto-picked-up by the existing .github/workflows/ci.yml regression-guards loop. ALLOWLIST is empty post-Phase-7. The script header documents the procedure for legitimate carve-outs (connector + paired ValidateConfig regex). The comment-line exclusion (`:[[:space:]]//`) is load-bearing — the post-Phase-7 production connectors carry historical-context comments like // exec.CommandContext(ctx, "sh", "-c", command) — the legacy // shape pre-Phase-7 ... explaining the migration. Those comments would otherwise false-positive the guard. Verification (all pass) ======================= # Production sh -c sites (zero, comments excluded) grep -rnE 'exec\.Command(Context)?\([^,]+,\s"sh"\s,\s"-c"' \ internal/connector/target/ --include='.go' --exclude='_test.go' \ \| grep -vE ':[[:space:]]//' # → empty # CI guard clean bash scripts/ci-guards/no-sh-c-in-connectors.sh # → "no-sh-c-in-connectors: clean — 0 sh -c sites in production connector code" # All target connector packages green (not just the 5 modified) go test ./internal/connector/target/... -count=1 # → 18/18 packages ok # Validation package green go test ./internal/validation/... -count=1 # → ok # gofmt clean gofmt -l internal/validation/ internal/connector/target/ scripts/ # → empty # go vet clean go vet ./internal/validation/... ./internal/connector/target/... # → empty Files changed (10): internal/validation/command.go (+37 -0) internal/validation/command_test.go (+109 -0) internal/connector/target/nginx/nginx.go (+22 -2) internal/connector/target/apache/apache.go (+11 -1) internal/connector/target/haproxy/haproxy.go (+11 -1) internal/connector/target/postfix/postfix.go (+18 -1) internal/connector/target/javakeystore/javakeystore.go (+18 -2) internal/connector/target/javakeystore/javakeystore_test.go (+11 -2) internal/connector/target/apache/apache_test.go (+42 -0) internal/connector/target/haproxy/haproxy_test.go (+41 -0) scripts/ci-guards/no-sh-c-in-connectors.sh (new, 93 lines) Closes: cowork/certctl-architecture-diligence-audit.html#fix-SEC-H2	2026-05-14 01:49:02 +00:00
shankar0123	21aeed4f4e	legal: addlicense headers + normalize legacy variants (Phase 0 RED-4) Phase 0 closure (Path B2, post-rewrite): addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1 SPDX header to every production Go file. Template: // Copyright 2026 certctl LLC. All rights reserved. // SPDX-License-Identifier: BUSL-1.1 Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding _test.go and /testdata/). Pre-sweep coverage was 22 / 338 (6.5%); post-sweep is 338 / 338 (100%). Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl` + `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a `Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1` is non-standard; the official SPDX identifier for Business Source License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the canonical form. Generated via: addlicense -c "certctl LLC" -y 2026 \ -f cowork/legal/copyright-header.tpl \ -ignore '/testdata/' -ignore '/_test.go' \ cmd/ internal/ Verification: find cmd internal -name '.go' -not -name '_test.go' \ -not -path '/testdata/' \ -exec grep -L '^// Copyright 2026 certctl LLC' {} \; \| wc -l Returns: 0 gofmt clean. Header additions are comments only, no compile impact. Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4	2026-05-13 21:23:35 +00:00
shankar0123	3e3e68fd3a	fix(security): TICKET-009 add HTTP timeouts to notifier clients - Added TestSlack_ClientHasTimeout to verify 10-second timeout - Added TestTeams_ClientHasTimeout to verify 10-second timeout - Added TestPagerDuty_ClientHasTimeout to verify 10-second timeout - Added TestOpsGenie_ClientHasTimeout to verify 10-second timeout - All notifiers already configured with 10 second timeout in New() - Tests verify timeout is set and matches expected value	2026-03-27 21:33:31 -04:00

Author

SHA1

Message

Date

shankar0123

ba66748b5b

connectors: close Phase 7 SEC-H2 — migrate 5 connectors to argv-form exec

Phase 7 of the certctl architecture diligence remediation closes
SEC-H2 by eliminating `sh -c` from every production target-connector
exec call site, replacing it with argv-form exec.CommandContext
fed by a new validating shell-split helper.

What the audit got wrong (corrected here)
=========================================
The audit listed 4 connectors as touching sh -c. Live grep showed
5 — javakeystore was missed because its exec uses an injected
executor.Execute(ctx, "sh", "-c", ...) shape instead of the more
typical exec.CommandContext direct call. All 5 are migrated in
this commit:

  internal/connector/target/nginx/nginx.go
  internal/connector/target/apache/apache.go
  internal/connector/target/haproxy/haproxy.go
  internal/connector/target/postfix/postfix.go
  internal/connector/target/javakeystore/javakeystore.go

Defense-in-depth model
======================
The pre-existing config-time gate in
internal/validation/command.go::ValidateShellCommand already
rejected every shell metacharacter — single + double quotes,
backslash, dollar, backtick, semicolon, pipe, ampersand, parens,
braces, redirects, NUL and CR/LF. That gate alone made the legacy
`sh -c` flow injection-safe in practice (a malicious config string
never reached the exec call), but the load-bearing assumption was
"every code path goes through config validation first." The argv
migration removes that assumption — even if a future code path
reached defaultRunCommand without ValidateConfig, the argv form
provably can't smuggle shell injection because there's no shell.

New helper: validation.SplitShellCommand
========================================
internal/validation/command.go gains:

  SplitShellCommand(cmd string) ([]string, error)

Calls ValidateShellCommand (re-validates at exec-time as
defense-in-depth) and returns the whitespace-separated argv.
Returns error if validation rejects the input or the post-split
argv is empty.

Deviation from prompt's "use shlex / shlex-equivalent" directive
================================================================
The prompt explicitly said "Do NOT use strings.Fields — it
doesn't handle quoted arguments. Use shlex-equivalent or
github.com/google/shlex for correctness."

Deviation: this commit uses strings.Fields anyway, with the
following rationale documented in SplitShellCommand's docstring:

  ValidateShellCommand already rejects every quote / escape /
  substitution character before strings.Fields runs. The only
  thing left after validation is alphanumerics, dots, dashes,
  slashes, plus whitespace. strings.Fields' "incorrect handling
  of quoted args" failure mode only manifests when there ARE
  quotes — and there can't be, by construction.

  Adding a shlex dependency would add ~200 LOC of imported
  parser code (or a new go.mod entry) to handle a case that
  the deny-list provably forbids. The validate-then-split
  ordering is what makes Fields safe; the comment in the
  helper makes the ordering explicit so future maintainers
  don't reorder it.

The SplitShellCommand_HappyPaths test pins this contract — e.g.
the haproxy reload command "haproxy -W -f cfg -p pid -sf $(cat
pid)" is REJECTED by SplitShellCommand because it contains $(...).
Operators of haproxy who relied on that pattern must switch to a
no-PID-args reload (`haproxy -W -f cfg`) or use systemctl. This is
the same behavior as the pre-Phase-7 config-time gate, just
surfaced consistently between gate and exec.

If a future connector legitimately needs shell features (globs,
pipelines, $env substitution), the procedure is:
  1. Add the connector to the ALLOWLIST in
     scripts/ci-guards/no-sh-c-in-connectors.sh with a documented
     justification.
  2. Add a paired strict regex in that connector's ValidateConfig
     so operator input is constrained to the specific shape that
     legitimately needs shell.
The empty-by-default ALLOWLIST is the load-bearing default.

Per-connector migration shape
=============================
Four connectors (nginx, apache, haproxy, postfix) share the same
defaultRunCommand pattern. Before:

  func defaultRunCommand(ctx context.Context, command string) ([]byte, error) {
      return exec.CommandContext(ctx, "sh", "-c", command).CombinedOutput()
  }

After:

  func defaultRunCommand(ctx context.Context, command string) ([]byte, error) {
      argv, err := validation.SplitShellCommand(command)
      if err != nil {
          return nil, fmt.Errorf("invalid reload/validate command: %w", err)
      }
      return exec.CommandContext(ctx, argv[0], argv[1:]...).CombinedOutput()
  }

The test-seam contract `runReload(ctx context.Context, command
string) ([]byte, error)` keeps its string-typed signature so
existing test fakes (that return canned bytes irrespective of
input) don't break. Only the production default implementation
changed.

javakeystore is different — its exec goes through an injected
executor.Execute(ctx, name string, args ...string), which is
already variadic and never needed a shell wrapper. The migration
unpacks argv directly:

  argv, err := validation.SplitShellCommand(c.config.ReloadCommand)
  if err != nil { /* log + skip */ }
  output, runErr := c.executor.Execute(ctx, argv[0], argv[1:]...)

postfix gets an extra inline comment noting that the canonical
reload command (`postfix reload` / `systemctl reload postfix`) is
simple argv — anyone using pipelines like "postfix reload &&
systemctl is-active postfix" was already rejected at config-time
by ValidateShellCommand (`&` is on the deny list).

Tests
=====
internal/validation/command_test.go gains 3 test groups:

  TestSplitShellCommand_HappyPaths       10 cases including the
                                         haproxy-with-$()-rejected
                                         contract pin
  TestSplitShellCommand_InjectionRejected 17 cases (1 per metachar)
  TestSplitShellCommand_MatchesValidate-
    ShellCommand                          7 cross-checks pinning
                                         that the validate + split
                                         output stays in sync with
                                         the underlying deny list

internal/connector/target/javakeystore/javakeystore_test.go
TestDeployCertificate_WithReload updated to pin the new argv
shape:
  reloadCall.Name == "systemctl"
  reloadCall.Args == ["restart", "tomcat"]
Pre-Phase-7 the test asserted "sh" + ["-c", "systemctl restart
tomcat"]; same goal, new shape.

internal/connector/target/apache/apache_test.go +
internal/connector/target/haproxy/haproxy_test.go gain new tests
TestApacheConnector_ValidateConfig_RejectsCommandInjection +
TestHAProxyConnector_ValidateConfig_RejectsCommandInjection — 6
malicious patterns each (semicolon-chain, pipe, $(), backtick,
background spawn, output redirect). Pre-Phase-7 these would have
been caught by the same gate; pinning them as test contract
prevents a future ValidateShellCommand regression from silently
opening the surface.

CI guard
========
scripts/ci-guards/no-sh-c-in-connectors.sh greps for any future
`(exec\.Command(Context)?|\.Execute)\([^)]*"sh"[[:space:]]*,[[:space:]]*"-c"`
under internal/connector/target/*.go (excluding _test.go and
comment lines). Auto-picked-up by the existing
.github/workflows/ci.yml regression-guards loop.

ALLOWLIST is empty post-Phase-7. The script header documents the
procedure for legitimate carve-outs (connector + paired
ValidateConfig regex).

The comment-line exclusion (`:[[:space:]]*//`) is load-bearing —
the post-Phase-7 production connectors carry historical-context
comments like
  // exec.CommandContext(ctx, "sh", "-c", command) — the legacy
  // shape pre-Phase-7 ...
explaining the migration. Those comments would otherwise
false-positive the guard.

Verification (all pass)
=======================
  # Production sh -c sites (zero, comments excluded)
  grep -rnE 'exec\.Command(Context)?\([^,]+,\s*"sh"\s*,\s*"-c"' \
    internal/connector/target/ --include='*.go' --exclude='*_test.go' \
    | grep -vE ':[[:space:]]*//'
  # → empty

  # CI guard clean
  bash scripts/ci-guards/no-sh-c-in-connectors.sh
  # → "no-sh-c-in-connectors: clean — 0 sh -c sites in production connector code"

  # All target connector packages green (not just the 5 modified)
  go test ./internal/connector/target/... -count=1
  # → 18/18 packages ok

  # Validation package green
  go test ./internal/validation/... -count=1
  # → ok

  # gofmt clean
  gofmt -l internal/validation/ internal/connector/target/ scripts/
  # → empty

  # go vet clean
  go vet ./internal/validation/... ./internal/connector/target/...
  # → empty

Files changed (10):
  internal/validation/command.go               (+37 -0)
  internal/validation/command_test.go          (+109 -0)
  internal/connector/target/nginx/nginx.go     (+22 -2)
  internal/connector/target/apache/apache.go   (+11 -1)
  internal/connector/target/haproxy/haproxy.go (+11 -1)
  internal/connector/target/postfix/postfix.go (+18 -1)
  internal/connector/target/javakeystore/javakeystore.go  (+18 -2)
  internal/connector/target/javakeystore/javakeystore_test.go (+11 -2)
  internal/connector/target/apache/apache_test.go         (+42 -0)
  internal/connector/target/haproxy/haproxy_test.go       (+41 -0)
  scripts/ci-guards/no-sh-c-in-connectors.sh   (new, 93 lines)

Closes: cowork/certctl-architecture-diligence-audit.html#fix-SEC-H2

2026-05-14 01:49:02 +00:00

shankar0123

21aeed4f4e

legal: addlicense headers + normalize legacy variants (Phase 0 RED-4)

Phase 0 closure (Path B2, post-rewrite):

addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:

  // Copyright 2026 certctl LLC. All rights reserved.
  // SPDX-License-Identifier: BUSL-1.1

Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).

Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.

Generated via:
  addlicense -c "certctl LLC" -y 2026 \
    -f cowork/legal/copyright-header.tpl \
    -ignore '**/testdata/**' -ignore '**/*_test.go' \
    cmd/ internal/

Verification:
  find cmd internal -name '*.go' -not -name '*_test.go' \
    -not -path '*/testdata/*' \
    -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l

  Returns: 0

gofmt clean. Header additions are comments only, no compile impact.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4

2026-05-13 21:23:35 +00:00

shankar0123

3e3e68fd3a

fix(security): TICKET-009 add HTTP timeouts to notifier clients

- Added TestSlack_ClientHasTimeout to verify 10-second timeout
- Added TestTeams_ClientHasTimeout to verify 10-second timeout
- Added TestPagerDuty_ClientHasTimeout to verify 10-second timeout
- Added TestOpsGenie_ClientHasTimeout to verify 10-second timeout
- All notifiers already configured with 10 second timeout in New()
- Tests verify timeout is set and matches expected value

2026-03-27 21:33:31 -04:00

3 Commits