mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 13:51:36 +00:00
shankar0123
2a1a0b347c
Audit 2026-05-10 MED-16 closure.
WHAT.
Binds the OIDC pre-login row to the (clientIP, userAgent) tuple of
the /auth/oidc/login request, and enforces a constant-time compare
against the /auth/oidc/callback request at consume time. Defeats
replay of a stolen pre-login cookie by a different browser /
source — the secondary defense layer recommended by RFC 9700 §4.7.1
when the primary layer (HMAC integrity + Path=/ + SameSite=Lax on
the cookie) is bypassed via CSRF / XSS / TLS-termination leak.
WHY.
Pre-fix, the pre-login cookie's HMAC verified only that 'some'
caller of /auth/oidc/login was talking to /auth/oidc/callback; it
did not verify that the SAME browser / source was on both sides.
An attacker who exfiltrated the cookie value via any vector could
replay the bytes through their own user-agent and ride the victim's
authorization. RFC 9700 §4.7.1 calls out the gap explicitly and
recommends binding state to a user-agent fingerprint + source IP.
HOW.
Migration:
migrations/000044_prelogin_uaip.up.sql
ALTER TABLE oidc_pre_login_sessions
ADD COLUMN IF NOT EXISTS client_ip TEXT,
ADD COLUMN IF NOT EXISTS user_agent TEXT;
Both nullable for in-flight rolling-deploy compat — the consume-
side check only enforces when both row AND request carry non-empty
values for the leg in question.
Domain:
internal/repository/oidc.go (PreLoginSession) — adds ClientIP +
UserAgent fields.
Repository:
internal/repository/postgres/oidc_prelogin.go — Create persists
via sql.NullString (empty → NULL); LookupAndConsume reads back.
Re-uses package-local nullableString from discovery.go.
Service:
internal/auth/oidc/service.go
- PreLoginStore.CreatePreLogin signature takes (clientIP,
userAgent) as positions 5–6.
- PreLoginStore.LookupAndConsume returns (clientIP, userAgent)
as positions 5–6.
- HandleAuthRequest signature gains (clientIP, userAgent),
threaded to the store.
- HandleCallback adds Step 1.5 — UA / IP constant-time compare
between stored row and incoming request. Per-leg toggles via
preLoginRequireUA / preLoginRequireIP service fields. Empty
values on either side pass through (rolling-deploy + headless-
proxy compat).
- New sentinels ErrPreLoginUAMismatch, ErrPreLoginIPMismatch.
- SetPreLoginBindingRequirements(requireUA, requireIP) helper
for main.go config wiring.
Adapter:
internal/auth/oidc/prelogin.go — PreLoginAdapter passes the new
fields through to the repo row.
Handler:
internal/api/handler/auth_session_oidc.go
- OIDCAuthHandshaker.HandleAuthRequest signature updated.
- LoginInitiate captures clientIPFromRequest + r.UserAgent()
and passes to the service.
- classifyOIDCFailure adds errors.Is dispatch for the two new
sentinels → prelogin_ua_mismatch / prelogin_ip_mismatch
audit categories.
Config:
internal/config/config.go
+ AuthConfig.OIDCPreLoginRequireUA (default true)
env CERTCTL_OIDC_PRELOGIN_REQUIRE_UA
+ AuthConfig.OIDCPreLoginRequireIP (default true)
env CERTCTL_OIDC_PRELOGIN_REQUIRE_IP
cmd/server/main.go calls oidcService.SetPreLoginBindingRequirements
from cfg.Auth.OIDCPreLoginRequire{UA,IP}.
Tests (internal/auth/oidc/service_test.go):
- TestService_HandleCallback_MED16_UAMismatchRejected
- TestService_HandleCallback_MED16_IPMismatchRejected
- TestService_HandleCallback_MED16_BothMatch_Succeeds
- TestService_HandleCallback_MED16_LegacyRowEmptyValues (rolling-
deploy compat — empty stored values pass through)
- TestService_HandleCallback_MED16_RequireUAFalse_AllowsMismatch
(operator escape-hatch — UA mismatch silently allowed)
Mechanical fan-out:
- stubPreLogin / stubPreLoginRepo signatures updated.
- All existing call sites in service_test.go (~40), prelogin_test.go,
bench_test.go, logging_test.go, provider_enabled_test.go,
integration_keycloak_test.go, integration_okta_smoke_test.go,
auth_session_oidc_test.go updated to pass empty strings for the
new params — pre-existing tests do not exercise UA/IP binding
semantics.
VERIFY.
- go vet ./internal/auth/oidc/... ./internal/api/handler/...
./internal/config/... PASS
- go test -short -count=1 -run MED16 ./internal/auth/oidc/... PASS (5/5)
- go test -short -count=1 ./internal/auth/oidc/... PASS (4.6s)
- go test -short -count=1 ./internal/api/handler/... PASS (4.3s)
- go test -short -count=1 ./internal/config/... PASS
Refs: cowork/auth-bundles-audit-2026-05-10.md MED-16
cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 6
RFC 9700 §4.7.1 — OAuth 2.0 Security Best Current Practice
189 lines
7.2 KiB
Go
189 lines
7.2 KiB
Go
// Package oidc — Bundle 2 Phase 5 / pre-login cookie machinery.
|
|
//
|
|
// This file implements the production-side PreLoginStore that the
|
|
// Phase 3 OIDC service wires into HandleAuthRequest + HandleCallback.
|
|
// Phase 3 shipped the interface + an in-memory test stub; Phase 5
|
|
// ships the real implementation backed by:
|
|
//
|
|
// - oidc_pre_login_sessions table (Phase 5 migration 000037)
|
|
// - the active SessionSigningKey (Phase 4 service)
|
|
//
|
|
// The cookie wire format is `v1.<pl-id>.<sk-id>.<base64url-no-pad
|
|
// HMAC-SHA256>` — IDENTICAL to the post-login session cookie shape so
|
|
// both surfaces share the same parser, the same length-prefixed HMAC
|
|
// input (defeats concatenation collisions), and the same v1. version
|
|
// prefix. Different cookie name (`certctl_oidc_pending` vs
|
|
// `certctl_session`) and different id prefix (`pl-` vs `ses-`) keep
|
|
// the two surfaces distinguishable; defense-in-depth checks at each
|
|
// consumer reject the wrong-prefix shape even if the cookie value
|
|
// somehow gets routed to the wrong handler.
|
|
|
|
package oidc
|
|
|
|
import (
|
|
"context"
|
|
cryptorand "crypto/rand"
|
|
"crypto/subtle"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"github.com/certctl-io/certctl/internal/auth/session"
|
|
sessiondomain "github.com/certctl-io/certctl/internal/auth/session/domain"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// SigningKeyLookup is the slice of SessionSigningKey access the
|
|
// pre-login adapter needs. SessionService satisfies this implicitly
|
|
// via the Phase 4 SigningKeyRepo (we re-use the interface here rather
|
|
// than adding a method to SessionService).
|
|
type SigningKeyLookup interface {
|
|
GetActive(ctx context.Context, tenantID string) (*sessiondomain.SessionSigningKey, error)
|
|
Get(ctx context.Context, id string) (*sessiondomain.SessionSigningKey, error)
|
|
}
|
|
|
|
// PreLoginAdapter implements the Phase 3 OIDCService.PreLoginStore
|
|
// interface against a real PreLoginRepository + the active
|
|
// SessionSigningKey.
|
|
//
|
|
// The cookie value returned by CreatePreLogin is the wire-format
|
|
// `v1.pl-<id>.sk-<id>.<HMAC-SHA256>`; LookupAndConsume parses + HMAC-
|
|
// verifies the cookie value before reading + deleting the row.
|
|
type PreLoginAdapter struct {
|
|
repo repository.PreLoginRepository
|
|
keys SigningKeyLookup
|
|
tenantID string
|
|
encryptionKey string
|
|
|
|
// Injectable for tests so the adapter can be exercised against a
|
|
// deterministic-failure RNG.
|
|
readRand func([]byte) (int, error)
|
|
}
|
|
|
|
// NewPreLoginAdapter constructs a PreLoginAdapter wired against the
|
|
// supplied repository + signing-key lookup. encryptionKey is the
|
|
// CERTCTL_CONFIG_ENCRYPTION_KEY value used to decrypt the
|
|
// SessionSigningKey.KeyMaterialEncrypted blob.
|
|
func NewPreLoginAdapter(
|
|
repo repository.PreLoginRepository,
|
|
keys SigningKeyLookup,
|
|
tenantID, encryptionKey string,
|
|
) *PreLoginAdapter {
|
|
return &PreLoginAdapter{
|
|
repo: repo,
|
|
keys: keys,
|
|
tenantID: tenantID,
|
|
encryptionKey: encryptionKey,
|
|
readRand: cryptorand.Read,
|
|
}
|
|
}
|
|
|
|
// SetRandReaderForTest replaces the entropy source. ONLY for tests.
|
|
func (a *PreLoginAdapter) SetRandReaderForTest(r func([]byte) (int, error)) {
|
|
a.readRand = r
|
|
}
|
|
|
|
// CreatePreLogin generates a fresh `pl-<random>` id, signs the cookie
|
|
// value under the active SessionSigningKey, persists the row, and
|
|
// returns the cookie value + the row id.
|
|
//
|
|
// Audit 2026-05-10 MED-16 — clientIP + userAgent are persisted into
|
|
// the row for the callback-time UA/IP binding check.
|
|
//
|
|
// Implements the Phase 3 OIDCService.PreLoginStore.CreatePreLogin
|
|
// interface signature.
|
|
func (a *PreLoginAdapter) CreatePreLogin(ctx context.Context, providerID, state, nonce, verifier, clientIP, userAgent string) (cookieValue, sessionID string, err error) {
|
|
active, err := a.keys.GetActive(ctx, a.tenantID)
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("pre-login: get active signing key: %w", err)
|
|
}
|
|
hmacKey, err := session.DecryptKeyMaterial(active.KeyMaterialEncrypted, a.encryptionKey)
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("pre-login: decrypt active key: %w", err)
|
|
}
|
|
id, err := a.newID()
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("pre-login: generate id: %w", err)
|
|
}
|
|
row := &repository.PreLoginSession{
|
|
ID: id,
|
|
TenantID: a.tenantID,
|
|
SigningKeyID: active.ID,
|
|
OIDCProviderID: providerID,
|
|
State: state,
|
|
Nonce: nonce,
|
|
PKCEVerifier: verifier,
|
|
ClientIP: clientIP,
|
|
UserAgent: userAgent,
|
|
}
|
|
if err := a.repo.Create(ctx, row); err != nil {
|
|
return "", "", fmt.Errorf("pre-login: persist row: %w", err)
|
|
}
|
|
cookieValue = session.SignCookieValue(id, active.ID, hmacKey)
|
|
return cookieValue, id, nil
|
|
}
|
|
|
|
// LookupAndConsume parses + HMAC-verifies the cookie value, looks up
|
|
// the row, atomically deletes it, and returns the OIDC handshake
|
|
// material the callback handler needs.
|
|
//
|
|
// Failure semantics:
|
|
// - Malformed cookie / wrong v1. prefix / wrong id prefix /
|
|
// bad base64 HMAC -> ErrPreLoginNotFound (uniform 400 to the wire,
|
|
// no information leak about which check failed).
|
|
// - HMAC mismatch -> ErrPreLoginNotFound (forged cookie).
|
|
// - Signing key id not found -> ErrPreLoginNotFound.
|
|
// - Row not found OR already consumed -> ErrPreLoginNotFound.
|
|
// - Row found but past 10-minute TTL -> ErrPreLoginExpired (row is
|
|
// deleted at the repo layer regardless).
|
|
//
|
|
// Audit 2026-05-10 MED-16 — also returns the row's stored clientIP +
|
|
// userAgent so the service-layer caller can enforce the UA/IP binding.
|
|
//
|
|
// Implements the Phase 3 OIDCService.PreLoginStore.LookupAndConsume
|
|
// interface signature.
|
|
func (a *PreLoginAdapter) LookupAndConsume(ctx context.Context, cookieValue string) (providerID, state, nonce, verifier, clientIP, userAgent string, err error) {
|
|
plID, signingKeyID, providedHMAC, perr := session.ParseCookieValue(cookieValue, "pl-")
|
|
if perr != nil {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
|
|
signingKey, kerr := a.keys.Get(ctx, signingKeyID)
|
|
if kerr != nil {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
hmacKey, derr := session.DecryptKeyMaterial(signingKey.KeyMaterialEncrypted, a.encryptionKey)
|
|
if derr != nil {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
expectedHMAC := session.ComputeCookieHMAC(plID, signingKeyID, hmacKey)
|
|
if subtle.ConstantTimeCompare(expectedHMAC, providedHMAC) != 1 {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
|
|
row, lerr := a.repo.LookupAndConsume(ctx, plID)
|
|
if lerr != nil {
|
|
// Map both not-found AND expired to the same uniform sentinel
|
|
// the OIDC service consumes; the audit row distinguishes via
|
|
// the wrapped error from the repo (which the handler logs).
|
|
if errors.Is(lerr, repository.ErrPreLoginNotFound) {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
if errors.Is(lerr, repository.ErrPreLoginExpired) {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
return "", "", "", "", "", "", fmt.Errorf("pre-login: lookup_and_consume: %w", lerr)
|
|
}
|
|
|
|
return row.OIDCProviderID, row.State, row.Nonce, row.PKCEVerifier, row.ClientIP, row.UserAgent, nil
|
|
}
|
|
|
|
// newID returns `pl-<base64url-no-pad>` with 16 bytes of entropy.
|
|
func (a *PreLoginAdapter) newID() (string, error) {
|
|
b := make([]byte, 16)
|
|
if _, err := a.readRand(b); err != nil {
|
|
return "", err
|
|
}
|
|
return "pl-" + base64.RawURLEncoding.EncodeToString(b), nil
|
|
}
|