mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 12:21:31 +00:00
shankar0123
21aeed4f4e
Phase 0 closure (Path B2, post-rewrite):
addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:
// Copyright 2026 certctl LLC. All rights reserved.
// SPDX-License-Identifier: BUSL-1.1
Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).
Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.
Generated via:
addlicense -c "certctl LLC" -y 2026 \
-f cowork/legal/copyright-header.tpl \
-ignore '**/testdata/**' -ignore '**/*_test.go' \
cmd/ internal/
Verification:
find cmd internal -name '*.go' -not -name '*_test.go' \
-not -path '*/testdata/*' \
-exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l
Returns: 0
gofmt clean. Header additions are comments only, no compile impact.
Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4
192 lines
7.3 KiB
Go
192 lines
7.3 KiB
Go
// Copyright 2026 certctl LLC. All rights reserved.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
// Package oidc — Bundle 2 Phase 5 / pre-login cookie machinery.
|
|
//
|
|
// This file implements the production-side PreLoginStore that the
|
|
// Phase 3 OIDC service wires into HandleAuthRequest + HandleCallback.
|
|
// Phase 3 shipped the interface + an in-memory test stub; Phase 5
|
|
// ships the real implementation backed by:
|
|
//
|
|
// - oidc_pre_login_sessions table (Phase 5 migration 000037)
|
|
// - the active SessionSigningKey (Phase 4 service)
|
|
//
|
|
// The cookie wire format is `v1.<pl-id>.<sk-id>.<base64url-no-pad
|
|
// HMAC-SHA256>` — IDENTICAL to the post-login session cookie shape so
|
|
// both surfaces share the same parser, the same length-prefixed HMAC
|
|
// input (defeats concatenation collisions), and the same v1. version
|
|
// prefix. Different cookie name (`certctl_oidc_pending` vs
|
|
// `certctl_session`) and different id prefix (`pl-` vs `ses-`) keep
|
|
// the two surfaces distinguishable; defense-in-depth checks at each
|
|
// consumer reject the wrong-prefix shape even if the cookie value
|
|
// somehow gets routed to the wrong handler.
|
|
|
|
package oidc
|
|
|
|
import (
|
|
"context"
|
|
cryptorand "crypto/rand"
|
|
"crypto/subtle"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"github.com/certctl-io/certctl/internal/auth/session"
|
|
sessiondomain "github.com/certctl-io/certctl/internal/auth/session/domain"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// SigningKeyLookup is the slice of SessionSigningKey access the
|
|
// pre-login adapter needs. SessionService satisfies this implicitly
|
|
// via the Phase 4 SigningKeyRepo (we re-use the interface here rather
|
|
// than adding a method to SessionService).
|
|
type SigningKeyLookup interface {
|
|
GetActive(ctx context.Context, tenantID string) (*sessiondomain.SessionSigningKey, error)
|
|
Get(ctx context.Context, id string) (*sessiondomain.SessionSigningKey, error)
|
|
}
|
|
|
|
// PreLoginAdapter implements the Phase 3 OIDCService.PreLoginStore
|
|
// interface against a real PreLoginRepository + the active
|
|
// SessionSigningKey.
|
|
//
|
|
// The cookie value returned by CreatePreLogin is the wire-format
|
|
// `v1.pl-<id>.sk-<id>.<HMAC-SHA256>`; LookupAndConsume parses + HMAC-
|
|
// verifies the cookie value before reading + deleting the row.
|
|
type PreLoginAdapter struct {
|
|
repo repository.PreLoginRepository
|
|
keys SigningKeyLookup
|
|
tenantID string
|
|
encryptionKey string
|
|
|
|
// Injectable for tests so the adapter can be exercised against a
|
|
// deterministic-failure RNG.
|
|
readRand func([]byte) (int, error)
|
|
}
|
|
|
|
// NewPreLoginAdapter constructs a PreLoginAdapter wired against the
|
|
// supplied repository + signing-key lookup. encryptionKey is the
|
|
// CERTCTL_CONFIG_ENCRYPTION_KEY value used to decrypt the
|
|
// SessionSigningKey.KeyMaterialEncrypted blob.
|
|
func NewPreLoginAdapter(
|
|
repo repository.PreLoginRepository,
|
|
keys SigningKeyLookup,
|
|
tenantID, encryptionKey string,
|
|
) *PreLoginAdapter {
|
|
return &PreLoginAdapter{
|
|
repo: repo,
|
|
keys: keys,
|
|
tenantID: tenantID,
|
|
encryptionKey: encryptionKey,
|
|
readRand: cryptorand.Read,
|
|
}
|
|
}
|
|
|
|
// SetRandReaderForTest replaces the entropy source. ONLY for tests.
|
|
func (a *PreLoginAdapter) SetRandReaderForTest(r func([]byte) (int, error)) {
|
|
a.readRand = r
|
|
}
|
|
|
|
// CreatePreLogin generates a fresh `pl-<random>` id, signs the cookie
|
|
// value under the active SessionSigningKey, persists the row, and
|
|
// returns the cookie value + the row id.
|
|
//
|
|
// Audit 2026-05-10 MED-16 — clientIP + userAgent are persisted into
|
|
// the row for the callback-time UA/IP binding check.
|
|
//
|
|
// Implements the Phase 3 OIDCService.PreLoginStore.CreatePreLogin
|
|
// interface signature.
|
|
func (a *PreLoginAdapter) CreatePreLogin(ctx context.Context, providerID, state, nonce, verifier, clientIP, userAgent string) (cookieValue, sessionID string, err error) {
|
|
active, err := a.keys.GetActive(ctx, a.tenantID)
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("pre-login: get active signing key: %w", err)
|
|
}
|
|
hmacKey, err := session.DecryptKeyMaterial(active.KeyMaterialEncrypted, a.encryptionKey)
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("pre-login: decrypt active key: %w", err)
|
|
}
|
|
id, err := a.newID()
|
|
if err != nil {
|
|
return "", "", fmt.Errorf("pre-login: generate id: %w", err)
|
|
}
|
|
row := &repository.PreLoginSession{
|
|
ID: id,
|
|
TenantID: a.tenantID,
|
|
SigningKeyID: active.ID,
|
|
OIDCProviderID: providerID,
|
|
State: state,
|
|
Nonce: nonce,
|
|
PKCEVerifier: verifier,
|
|
ClientIP: clientIP,
|
|
UserAgent: userAgent,
|
|
}
|
|
if err := a.repo.Create(ctx, row); err != nil {
|
|
return "", "", fmt.Errorf("pre-login: persist row: %w", err)
|
|
}
|
|
cookieValue = session.SignCookieValue(id, active.ID, hmacKey)
|
|
return cookieValue, id, nil
|
|
}
|
|
|
|
// LookupAndConsume parses + HMAC-verifies the cookie value, looks up
|
|
// the row, atomically deletes it, and returns the OIDC handshake
|
|
// material the callback handler needs.
|
|
//
|
|
// Failure semantics:
|
|
// - Malformed cookie / wrong v1. prefix / wrong id prefix /
|
|
// bad base64 HMAC -> ErrPreLoginNotFound (uniform 400 to the wire,
|
|
// no information leak about which check failed).
|
|
// - HMAC mismatch -> ErrPreLoginNotFound (forged cookie).
|
|
// - Signing key id not found -> ErrPreLoginNotFound.
|
|
// - Row not found OR already consumed -> ErrPreLoginNotFound.
|
|
// - Row found but past 10-minute TTL -> ErrPreLoginExpired (row is
|
|
// deleted at the repo layer regardless).
|
|
//
|
|
// Audit 2026-05-10 MED-16 — also returns the row's stored clientIP +
|
|
// userAgent so the service-layer caller can enforce the UA/IP binding.
|
|
//
|
|
// Implements the Phase 3 OIDCService.PreLoginStore.LookupAndConsume
|
|
// interface signature.
|
|
func (a *PreLoginAdapter) LookupAndConsume(ctx context.Context, cookieValue string) (providerID, state, nonce, verifier, clientIP, userAgent string, err error) {
|
|
plID, signingKeyID, providedHMAC, perr := session.ParseCookieValue(cookieValue, "pl-")
|
|
if perr != nil {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
|
|
signingKey, kerr := a.keys.Get(ctx, signingKeyID)
|
|
if kerr != nil {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
hmacKey, derr := session.DecryptKeyMaterial(signingKey.KeyMaterialEncrypted, a.encryptionKey)
|
|
if derr != nil {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
expectedHMAC := session.ComputeCookieHMAC(plID, signingKeyID, hmacKey)
|
|
if subtle.ConstantTimeCompare(expectedHMAC, providedHMAC) != 1 {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
|
|
row, lerr := a.repo.LookupAndConsume(ctx, plID)
|
|
if lerr != nil {
|
|
// Map both not-found AND expired to the same uniform sentinel
|
|
// the OIDC service consumes; the audit row distinguishes via
|
|
// the wrapped error from the repo (which the handler logs).
|
|
if errors.Is(lerr, repository.ErrPreLoginNotFound) {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
if errors.Is(lerr, repository.ErrPreLoginExpired) {
|
|
return "", "", "", "", "", "", ErrPreLoginNotFound
|
|
}
|
|
return "", "", "", "", "", "", fmt.Errorf("pre-login: lookup_and_consume: %w", lerr)
|
|
}
|
|
|
|
return row.OIDCProviderID, row.State, row.Nonce, row.PKCEVerifier, row.ClientIP, row.UserAgent, nil
|
|
}
|
|
|
|
// newID returns `pl-<base64url-no-pad>` with 16 bytes of entropy.
|
|
func (a *PreLoginAdapter) newID() (string, error) {
|
|
b := make([]byte, 16)
|
|
if _, err := a.readRand(b); err != nil {
|
|
return "", err
|
|
}
|
|
return "pl-" + base64.RawURLEncoding.EncodeToString(b), nil
|
|
}
|