gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:21:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2893f9b48e35141497c36286a6faca533b663376
certctl/docs/operator/auth-threat-model.md
T
shankar0123 5313cd8492 auth-bundle-1 Phase 13 follow-up: em-dash sweep + broken-link fix 
Self-audit on e7a94b6 flagged the prompt's 'zero em dashes'
discipline rule. The four new Phase 13 docs and the v2.1.0
CHANGELOG section had 97 em-dash hits between them; this commit
sweeps them all to ASCII hyphens.

Counts before -> after:
  docs/operator/rbac.md                  28 -> 0
  docs/operator/auth-threat-model.md     36 -> 0
  docs/migration/api-keys-to-rbac.md     16 -> 0
  docs/operator/security.md               8 -> 0
  docs/reference/profiles.md              3 -> 0
  CHANGELOG.md                            6 -> 0

Mechanical: ' - ' (spaced em dash) and bare em-dash both replaced
with spaced ASCII hyphen, then double-spaces collapsed. Markdown
list bullets ('^- ', '^  - ', '^    - ') verified intact across
all six files. Internal-link sweep also re-run.

Also fixes a pre-existing broken link the audit caught:
  docs/operator/security.md:70 referenced
  '../internal/crypto/encryption.go' which is a 1-level-up jump
  from docs/operator/, not the 2-level-up jump it actually needs
  ('../../internal/crypto/encryption.go'). Pre-Bundle-1 link rot;
  fixed in lockstep so the merge gate's docs validation passes
  cleanly.

Final state across the Phase-13 docs + CHANGELOG:
  - 0 em dashes
  - 0 broken internal links
  - Last-reviewed: 2026-05-09 header on every new doc

Bundle 1 documentation is now ready for the operator-side merge
gate review.
2026-05-10 00:15:30 +00:00

245 lines
11 KiB
Markdown
Raw Blame History

# Authentication & authorization threat model
> Last reviewed: 2026-05-09
This document describes the attack surface around authentication and
authorization in certctl after Bundle 1 (the RBAC primitive) lands.
It complements [`rbac.md`](rbac.md) - that doc explains how to use
the controls; this one explains what those controls defend against
and which threats they explicitly do NOT close.
For Bundle 2's OIDC + sessions extensions, this document will be
updated. The Bundle 1 boundary is "API-key auth + RBAC primitive +
day-0 bootstrap"; OIDC-federated humans, session cookies,
revocation lists, WebAuthn, and break-glass local accounts are
Bundle 2 scope.
## Threat actors
1. **External attacker with no credential** - probing the public
HTTP surface. The default trust boundary for everything except
the protocol-level endpoints (ACME / SCEP / EST / OCSP / CRL,
which authenticate via embedded credentials per their own RFCs).
2. **Authenticated caller with the wrong role** - has a valid API
key but the role doesn't grant the requested operation. The
primary RBAC threat model.
3. **Compromised API key** - attacker holds a valid Bearer token
that an honest operator originally provisioned. The key may
carry any role.
4. **Insider operator** - legitimate access; potentially trying
to escalate privilege or bypass the approval workflow.
5. **Compromised audit reviewer (auditor role)** - read-only
access to audit events but otherwise untrusted.
## Defenses Bundle 1 ships
### API-key authentication
- API keys live in `CERTCTL_API_KEYS_NAMED` (env-var) or
`api_keys` (DB row, written by Bundle 1 Phase 6 bootstrap and
the future role-management API). Keys hash via SHA-256; the
middleware compares hashes via `crypto/subtle.ConstantTimeCompare`
to defeat timing attacks.
- The auth middleware populates `ActorIDKey` / `ActorTypeKey` /
`TenantIDKey` on every authenticated request context. Audit rows
attribute every action to the named-key actor instead of the
pre-Bundle-1 hardcoded `api-key-user` placeholder.
- Demo mode (`CERTCTL_AUTH_TYPE=none`) injects the synthetic
`actor-demo-anon` actor with admin grants. Production deploys
MUST NOT use demo mode.
### Authorization (RBAC)
- Every gated handler routes through `auth.RequirePermission` (or
the router-level `rbacGate` wrap from Phase 3.5). The middleware
resolves the actor's effective permissions via the
`Authorizer.CheckPermission` service-layer call; on miss, the
handler returns HTTP 403 BEFORE the body runs. This is the
load-bearing gate.
- The five admin-only fine-grained perms (`cert.bulk_revoke` /
`crl.admin` / `scep.admin` / `est.admin` /
`ca.hierarchy.manage`) are seeded into `r-admin` only. To
delegate one, an operator creates a custom role with the
specific perm and grants it to the right actor.
- The auditor split: `r-auditor` holds only `audit.read` +
`audit.export`. Pinned by the
`internal/domain/auth/auditor_test.go` invariants. A regulator
with the auditor key cannot read certificates, profiles,
issuers, or any mutating surface.
- The privilege-escalation guard: granting or revoking a role
requires the caller to hold `auth.role.assign` (enforced in
`internal/service/auth/actor_role_service.go`). A non-admin
cannot self-grant admin.
- The reserved-actor guard: mutations against `actor-demo-anon`
return HTTP 409 from the service layer
(`ErrAuthReservedActor`). The synthetic actor is operator-
inaccessible.
### Day-0 bootstrap
- `CERTCTL_BOOTSTRAP_TOKEN` is constant-time-compared by
`EnvTokenStrategy.Validate`. The strategy is one-shot via
`sync.Mutex`-guarded `consumed` bool; the second call returns
`ErrDisabled` (HTTP 410), not `ErrInvalidToken` (HTTP 401), so
a probing attacker cannot distinguish "wrong token, retry"
from "already consumed".
- The strategy also re-probes admin existence on every Validate.
If an admin actor lands during the gap between Available and
Validate, the second caller still gets HTTP 410.
- The minted plaintext key is written to the response body once.
It is NEVER logged. The token-leak hygiene test in
`internal/api/handler/auth_bootstrap_test.go` redirects
`slog.Default` to a buffer and grep-asserts that neither the
bootstrap token nor the minted key appears in any log line,
audit row, or HTTP header.
- The minted key is hashed before persistence. Lost key →
rotate via the regular RBAC API; the plaintext is not
recoverable from the DB.
### Approval workflow + Phase 9 loophole closure
- `CertificateProfile.RequiresApproval=true` gates two surfaces:
(a) issuance + renewal of every cert pointing at the profile,
(b) edits to the profile itself (Bundle 1 Phase 9). The Phase 9
closure prevents the flip-flop bypass where an admin disables
approval, mutates, re-enables.
- Same-actor self-approve is rejected at the service layer with
`ErrApproveBySameActor` for both `cert_issuance` and
`profile_edit` kinds. Two-person integrity is the load-bearing
invariant; pinned by tests in
`internal/service/approval_test.go`.
### Audit trail
- Every mutating operation flows through `AuditService.RecordEvent`
or `RecordEventWithCategory`. Bundle 1 Phase 8 added the
`event_category` column with a `CHECK` constraint enforcing
the closed enum (`cert_lifecycle` / `auth` / `config`); the
category surfaces the auth-mutation slice to the auditor view.
- The WORM trigger from migration 000018
(`audit_events_worm_trigger`) blocks `UPDATE` and `DELETE` at
the database layer. Even an admin DB user cannot tamper with
audit history without dropping the trigger.
- Bundle-6's redactor (`internal/service/audit_redact.go`)
scrubs credentials + PII from the `details` JSONB before
persistence; an `_redacted_keys` field surfaces what the
redactor took out for compliance review.
### Protocol-endpoint allowlist
ACME / SCEP / EST / OCSP / CRL endpoints authenticate via
embedded credentials defined by their own RFCs (JWS-signed,
challenge passwords, mTLS, public-by-RFC). The auth middleware
explicitly bypasses these via `IsProtocolEndpoint`. The Phase 12
`internal/api/router/phase12_protocol_allowlist_test.go` pins
the invariant at three layers (middleware bypass, allowlist
constant, router-level no-rbacGate-wraps-protocol-paths).
## Threats Bundle 1 does NOT close
These are NOT defended; some are deferred to Bundle 2, others
are out-of-scope for the project entirely.
1. **OIDC / SAML / WebAuthn federation** - Bundle 2.
2. **Session management** - there is no session cookie, no
server-side revocation list. Each Bearer token is the bearer
credential. To revoke a key, delete the `actor_roles` rows or
remove the env-var entry; there is no "log out everywhere"
button. Bundle 2.
3. **Local password accounts (break-glass)** - Bundle 2.
4. **Time-bound role grants / JIT elevation** - the schema
reserves `actor_roles.expires_at` but no UI/API to set it.
Bundle 2 or v3.
5. **MFA / hardware tokens for the operator console** -
Bundle 2.
6. **Rate limiting on the bootstrap endpoint** - the endpoint
is one-shot by construction (consumed flag + admin-existence
probe), so a brute-force attack on the token has at most the
single attempt before the path closes. Per-IP rate limiting
on the broader API is still in place via Bundle C's
`middleware.NewRateLimiter`.
7. **`scope_id` FK enforcement** - operators can grant a
permission at scope `profile`/`p-bogus` without the bogus
profile existing. The gate still works (no rows match at
request time) but a strict 404 on grant would be cleaner. See
`RoleRepository.AddPermission` `TODO(bundle-2)` comment in
`internal/repository/postgres/auth.go`.
8. **OIDC-first-admin bootstrap** - Bundle 1 ships only the
env-var-token strategy. Bundle 2 adds the OIDC-group-claim
strategy alongside (the `Strategy` interface in
`internal/auth/bootstrap/` is already in place).
9. **GUI E2E suite via Playwright** - the prompt asked for
nine end-to-end flow tests. Bundle 1 ships 19 React Testing
Library + Vitest tests covering the same surface; full
Playwright land in Phase 12-extended work.
## Compliance mapping
The control set in this document supports the following
framework requirements. This is a mapping; it is not a claim of
formal certification.
- **SOC 2 CC6.1** (logical access controls) - RBAC primitive
with role-based gating on every mutating endpoint.
- **SOC 2 CC6.3** (privileged access management) - `r-admin`
role separation + role-grant audit trail with two-person
integrity on approval-tier profile edits.
- **HIPAA §164.312(b)** (audit controls) - `event_category`
column lets the auditor role review authentication / authorization
changes specifically. WORM trigger keeps the audit table
append-only at the database layer.
- **NIST SSDF PO.5.2** (separation of duties) - two-person
integrity for compliance-tier issuance via the
`RequiresApproval` flow + Bundle 1 Phase 9's closure of the
flip-flop bypass.
- **FedRAMP AU-9** (audit information protection) - WORM
enforcement + auditor-only read access (the auditor role
cannot mutate, the WORM trigger blocks UPDATE/DELETE).
- **PCI-DSS §10** (audit logging) - every mutating operation
emits an audit row with actor + action + resource + timestamp +
category. The audit table is append-only.
## Operator-facing checks
Run these periodically to verify the controls are working.
1. `certctl-cli auth keys list` - confirm no unexpected actor
holds `r-admin`. Audit any new admin grants against the audit
log.
2. `SELECT actor, action, COUNT(*) FROM audit_events WHERE
action LIKE 'approval_%' AND timestamp > NOW() - INTERVAL '7
days' GROUP BY actor, action;` - confirm approvals are
happening and not concentrated in a single approver.
3. `SELECT COUNT(*) FROM audit_events WHERE actor =
'system-bypass';` - MUST return 0 in production. A non-zero
count means `CERTCTL_APPROVAL_BYPASS=true` was set; production
deploys MUST leave it unset.
4. `SELECT actor, COUNT(*) FROM audit_events WHERE action =
'bootstrap.consume';` - MUST return at most one row per
tenant. Multiple rows means the bootstrap endpoint was called
more than once, which the strategy's one-shot guard should
have prevented; investigate.
5. `certctl-cli auth me` while authenticated as the auditor
key - `effective_permissions` must contain `audit.read` +
`audit.export` ONLY. Any other permission means a role grant
widened the auditor's surface; revoke immediately.
## Cross-references
- [`rbac.md`](rbac.md) - the operator how-to
- [`security.md`](security.md) - the wider security posture
- [`approval-workflow.md`](approval-workflow.md) - the two-person
integrity gate
- [`docs/migration/api-keys-to-rbac.md`](../migration/api-keys-to-rbac.md) -
upgrade flow
- `internal/auth/` - middleware + keystore + RequirePermission +
bootstrap
- `internal/service/auth/` - Authorizer + privilege-escalation
guard + reserved-actor guard
- `migrations/000029_rbac.up.sql` - schema + seed
- `migrations/000030_rbac_admin_perms.up.sql` - five admin-only
fine-grained perms
- `migrations/000032_audit_category.up.sql` - auditor surface
- `migrations/000033_approval_kinds.up.sql` - approval-bypass
closure
Reference in New Issue View Git Blame Copy Permalink