mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:11:31 +00:00
shankar0123
2a1a0b347c
Audit 2026-05-10 MED-16 closure.
WHAT.
Binds the OIDC pre-login row to the (clientIP, userAgent) tuple of
the /auth/oidc/login request, and enforces a constant-time compare
against the /auth/oidc/callback request at consume time. Defeats
replay of a stolen pre-login cookie by a different browser /
source — the secondary defense layer recommended by RFC 9700 §4.7.1
when the primary layer (HMAC integrity + Path=/ + SameSite=Lax on
the cookie) is bypassed via CSRF / XSS / TLS-termination leak.
WHY.
Pre-fix, the pre-login cookie's HMAC verified only that 'some'
caller of /auth/oidc/login was talking to /auth/oidc/callback; it
did not verify that the SAME browser / source was on both sides.
An attacker who exfiltrated the cookie value via any vector could
replay the bytes through their own user-agent and ride the victim's
authorization. RFC 9700 §4.7.1 calls out the gap explicitly and
recommends binding state to a user-agent fingerprint + source IP.
HOW.
Migration:
migrations/000044_prelogin_uaip.up.sql
ALTER TABLE oidc_pre_login_sessions
ADD COLUMN IF NOT EXISTS client_ip TEXT,
ADD COLUMN IF NOT EXISTS user_agent TEXT;
Both nullable for in-flight rolling-deploy compat — the consume-
side check only enforces when both row AND request carry non-empty
values for the leg in question.
Domain:
internal/repository/oidc.go (PreLoginSession) — adds ClientIP +
UserAgent fields.
Repository:
internal/repository/postgres/oidc_prelogin.go — Create persists
via sql.NullString (empty → NULL); LookupAndConsume reads back.
Re-uses package-local nullableString from discovery.go.
Service:
internal/auth/oidc/service.go
- PreLoginStore.CreatePreLogin signature takes (clientIP,
userAgent) as positions 5–6.
- PreLoginStore.LookupAndConsume returns (clientIP, userAgent)
as positions 5–6.
- HandleAuthRequest signature gains (clientIP, userAgent),
threaded to the store.
- HandleCallback adds Step 1.5 — UA / IP constant-time compare
between stored row and incoming request. Per-leg toggles via
preLoginRequireUA / preLoginRequireIP service fields. Empty
values on either side pass through (rolling-deploy + headless-
proxy compat).
- New sentinels ErrPreLoginUAMismatch, ErrPreLoginIPMismatch.
- SetPreLoginBindingRequirements(requireUA, requireIP) helper
for main.go config wiring.
Adapter:
internal/auth/oidc/prelogin.go — PreLoginAdapter passes the new
fields through to the repo row.
Handler:
internal/api/handler/auth_session_oidc.go
- OIDCAuthHandshaker.HandleAuthRequest signature updated.
- LoginInitiate captures clientIPFromRequest + r.UserAgent()
and passes to the service.
- classifyOIDCFailure adds errors.Is dispatch for the two new
sentinels → prelogin_ua_mismatch / prelogin_ip_mismatch
audit categories.
Config:
internal/config/config.go
+ AuthConfig.OIDCPreLoginRequireUA (default true)
env CERTCTL_OIDC_PRELOGIN_REQUIRE_UA
+ AuthConfig.OIDCPreLoginRequireIP (default true)
env CERTCTL_OIDC_PRELOGIN_REQUIRE_IP
cmd/server/main.go calls oidcService.SetPreLoginBindingRequirements
from cfg.Auth.OIDCPreLoginRequire{UA,IP}.
Tests (internal/auth/oidc/service_test.go):
- TestService_HandleCallback_MED16_UAMismatchRejected
- TestService_HandleCallback_MED16_IPMismatchRejected
- TestService_HandleCallback_MED16_BothMatch_Succeeds
- TestService_HandleCallback_MED16_LegacyRowEmptyValues (rolling-
deploy compat — empty stored values pass through)
- TestService_HandleCallback_MED16_RequireUAFalse_AllowsMismatch
(operator escape-hatch — UA mismatch silently allowed)
Mechanical fan-out:
- stubPreLogin / stubPreLoginRepo signatures updated.
- All existing call sites in service_test.go (~40), prelogin_test.go,
bench_test.go, logging_test.go, provider_enabled_test.go,
integration_keycloak_test.go, integration_okta_smoke_test.go,
auth_session_oidc_test.go updated to pass empty strings for the
new params — pre-existing tests do not exercise UA/IP binding
semantics.
VERIFY.
- go vet ./internal/auth/oidc/... ./internal/api/handler/...
./internal/config/... PASS
- go test -short -count=1 -run MED16 ./internal/auth/oidc/... PASS (5/5)
- go test -short -count=1 ./internal/auth/oidc/... PASS (4.6s)
- go test -short -count=1 ./internal/api/handler/... PASS (4.3s)
- go test -short -count=1 ./internal/config/... PASS
Refs: cowork/auth-bundles-audit-2026-05-10.md MED-16
cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 6
RFC 9700 §4.7.1 — OAuth 2.0 Security Best Current Practice
239 lines
9.3 KiB
Go
239 lines
9.3 KiB
Go
package postgres
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
cryptopkg "github.com/certctl-io/certctl/internal/crypto"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// =============================================================================
|
|
// PreLoginRepository (Auth Bundle 2 Phase 5)
|
|
//
|
|
// Holds short-lived pre-login session rows that carry OIDC state +
|
|
// nonce + PKCE verifier across the IdP redirect. Distinct from the
|
|
// `sessions` table because sessions doesn't carry OIDC-specific
|
|
// columns and the row shape would be incoherent if merged.
|
|
//
|
|
// The 10-minute absolute TTL is enforced at the schema layer
|
|
// (oidc_pre_login_sessions.absolute_expires_at default of
|
|
// NOW() + INTERVAL '10 minutes') AND re-checked at the service
|
|
// layer at consume time.
|
|
//
|
|
// Audit 2026-05-10 HIGH-5 closure — state, nonce, and pkce_verifier
|
|
// are encrypted at rest using v3 AES-256-GCM (per-row salt + nonce)
|
|
// via internal/crypto.EncryptIfKeySet. The encryption key reuses
|
|
// CERTCTL_CONFIG_ENCRYPTION_KEY. The legacy plaintext columns are
|
|
// kept nullable for backward compat with in-flight handshakes during
|
|
// rolling deploys; the new write path NEVER populates them.
|
|
// =============================================================================
|
|
|
|
// PreLoginRepository is the postgres implementation of
|
|
// repository.PreLoginRepository.
|
|
type PreLoginRepository struct {
|
|
db *sql.DB
|
|
encryptionKey string
|
|
}
|
|
|
|
// NewPreLoginRepository constructs a PreLoginRepository.
|
|
//
|
|
// Audit 2026-05-10 HIGH-5: encryptionKey is the same
|
|
// CERTCTL_CONFIG_ENCRYPTION_KEY value already used for OIDC client
|
|
// secrets and SessionSigningKey material. An empty key is rejected at
|
|
// startup by config validation; if the repo is constructed with an
|
|
// empty key here it will fail-closed at write time (see Create), so
|
|
// pre-login rows can never be silently persisted plaintext.
|
|
func NewPreLoginRepository(db *sql.DB, encryptionKey string) *PreLoginRepository {
|
|
return &PreLoginRepository{db: db, encryptionKey: encryptionKey}
|
|
}
|
|
|
|
// Create persists a pre-login row. Caller MUST have already generated
|
|
// the random id (`pl-<base64url>`), state, nonce, and PKCE verifier.
|
|
// CreatedAt + AbsoluteExpiresAt default to NOW() / NOW()+10min when
|
|
// zero (the schema's DEFAULT clauses handle this).
|
|
//
|
|
// Audit 2026-05-10 HIGH-5: state / nonce / pkce_verifier are encrypted
|
|
// before INSERT via crypto.EncryptIfKeySet. The plaintext columns are
|
|
// left NULL — they remain on the schema only for in-flight backward
|
|
// compat with pre-deploy code paths that still write them, and will
|
|
// be dropped in a follow-up migration after the rolling deploy.
|
|
func (r *PreLoginRepository) Create(ctx context.Context, p *repository.PreLoginSession) error {
|
|
stateEnc, _, serr := cryptopkg.EncryptIfKeySet([]byte(p.State), r.encryptionKey)
|
|
if serr != nil {
|
|
return fmt.Errorf("oidc_pre_login encrypt state: %w", serr)
|
|
}
|
|
nonceEnc, _, nerr := cryptopkg.EncryptIfKeySet([]byte(p.Nonce), r.encryptionKey)
|
|
if nerr != nil {
|
|
return fmt.Errorf("oidc_pre_login encrypt nonce: %w", nerr)
|
|
}
|
|
verifierEnc, _, verr := cryptopkg.EncryptIfKeySet([]byte(p.PKCEVerifier), r.encryptionKey)
|
|
if verr != nil {
|
|
return fmt.Errorf("oidc_pre_login encrypt pkce_verifier: %w", verr)
|
|
}
|
|
|
|
// Audit 2026-05-10 MED-16 — persist UA/IP binding on Create.
|
|
// Empty values are inserted as NULL via sql.NullString so the
|
|
// schema's nullable column constraint is respected and existing
|
|
// integration tests that don't provide UA/IP keep working.
|
|
clientIP := nullableString(p.ClientIP)
|
|
userAgent := nullableString(p.UserAgent)
|
|
|
|
if p.CreatedAt.IsZero() && p.AbsoluteExpiresAt.IsZero() {
|
|
_, err := r.db.ExecContext(ctx, `
|
|
INSERT INTO oidc_pre_login_sessions (
|
|
id, tenant_id, signing_key_id, oidc_provider_id,
|
|
state_enc, nonce_enc, pkce_verifier_enc,
|
|
client_ip, user_agent
|
|
) VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9)`,
|
|
p.ID, p.TenantID, p.SigningKeyID, p.OIDCProviderID,
|
|
stateEnc, nonceEnc, verifierEnc,
|
|
clientIP, userAgent)
|
|
if err != nil {
|
|
return fmt.Errorf("oidc_pre_login create: %w", err)
|
|
}
|
|
// Read back created_at + absolute_expires_at so callers see the
|
|
// schema-default values.
|
|
row := r.db.QueryRowContext(ctx,
|
|
`SELECT created_at, absolute_expires_at FROM oidc_pre_login_sessions WHERE id = $1`, p.ID)
|
|
if err := row.Scan(&p.CreatedAt, &p.AbsoluteExpiresAt); err != nil {
|
|
return fmt.Errorf("oidc_pre_login create read-back: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
_, err := r.db.ExecContext(ctx, `
|
|
INSERT INTO oidc_pre_login_sessions (
|
|
id, tenant_id, signing_key_id, oidc_provider_id,
|
|
state_enc, nonce_enc, pkce_verifier_enc,
|
|
client_ip, user_agent,
|
|
created_at, absolute_expires_at
|
|
) VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11)`,
|
|
p.ID, p.TenantID, p.SigningKeyID, p.OIDCProviderID,
|
|
stateEnc, nonceEnc, verifierEnc,
|
|
clientIP, userAgent,
|
|
p.CreatedAt, p.AbsoluteExpiresAt)
|
|
if err != nil {
|
|
return fmt.Errorf("oidc_pre_login create: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// MED-16 reuses nullableString from discovery.go (same package). It
|
|
// returns sql.NullString{Valid:false} for empty strings so the database
|
|
// stores NULL rather than the literal empty string — avoiding ambiguity
|
|
// at consume time between "row had no binding" and "row had an explicit
|
|
// empty binding".
|
|
|
|
// LookupAndConsume reads the row by id and atomically deletes it
|
|
// (single-use). Returns ErrPreLoginNotFound on miss; ErrPreLoginExpired
|
|
// when the row was found but past its TTL (the row is still deleted in
|
|
// this case so the second attempt with the same cookie maps to
|
|
// not-found rather than re-running the expiry check).
|
|
//
|
|
// Implementation note: the DELETE ... RETURNING is wrapped in a
|
|
// transaction with REPEATABLE READ so the row read + delete is atomic
|
|
// against concurrent callers — the second caller racing with a
|
|
// successful first caller gets ErrPreLoginNotFound, never a duplicate
|
|
// session-mint.
|
|
//
|
|
// Audit 2026-05-10 HIGH-5: prefer the encrypted columns
|
|
// (state_enc / nonce_enc / pkce_verifier_enc); fall back to the
|
|
// legacy plaintext columns ONLY when the encrypted columns are NULL
|
|
// (in-flight rows from pre-deploy code paths during a rolling
|
|
// deploy). After 000042 drops the plaintext columns, the fallback is
|
|
// dead code.
|
|
func (r *PreLoginRepository) LookupAndConsume(ctx context.Context, id string) (*repository.PreLoginSession, error) {
|
|
row := r.db.QueryRowContext(ctx, `
|
|
DELETE FROM oidc_pre_login_sessions WHERE id = $1
|
|
RETURNING id, tenant_id, signing_key_id, oidc_provider_id,
|
|
state, nonce, pkce_verifier,
|
|
state_enc, nonce_enc, pkce_verifier_enc,
|
|
client_ip, user_agent,
|
|
created_at, absolute_expires_at`,
|
|
id)
|
|
|
|
var p repository.PreLoginSession
|
|
var statePlain, noncePlain, verifierPlain sql.NullString
|
|
var clientIP, userAgent sql.NullString
|
|
var stateEnc, nonceEnc, verifierEnc []byte
|
|
if err := row.Scan(
|
|
&p.ID, &p.TenantID, &p.SigningKeyID, &p.OIDCProviderID,
|
|
&statePlain, &noncePlain, &verifierPlain,
|
|
&stateEnc, &nonceEnc, &verifierEnc,
|
|
&clientIP, &userAgent,
|
|
&p.CreatedAt, &p.AbsoluteExpiresAt,
|
|
); err != nil {
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return nil, repository.ErrPreLoginNotFound
|
|
}
|
|
return nil, fmt.Errorf("oidc_pre_login lookup_and_consume: %w", err)
|
|
}
|
|
|
|
// Prefer encrypted columns; fall back to legacy plaintext only
|
|
// when encrypted is NULL (rolling-deploy compat).
|
|
if state, err := r.materialize(stateEnc, statePlain); err != nil {
|
|
return nil, fmt.Errorf("oidc_pre_login decrypt state: %w", err)
|
|
} else {
|
|
p.State = state
|
|
}
|
|
if nonce, err := r.materialize(nonceEnc, noncePlain); err != nil {
|
|
return nil, fmt.Errorf("oidc_pre_login decrypt nonce: %w", err)
|
|
} else {
|
|
p.Nonce = nonce
|
|
}
|
|
if verifier, err := r.materialize(verifierEnc, verifierPlain); err != nil {
|
|
return nil, fmt.Errorf("oidc_pre_login decrypt pkce_verifier: %w", err)
|
|
} else {
|
|
p.PKCEVerifier = verifier
|
|
}
|
|
|
|
// Audit 2026-05-10 MED-16 — surface the binding columns for the
|
|
// service-layer UA / IP compare. Empty when the row was created
|
|
// before this migration landed (rolling-deploy compat).
|
|
if clientIP.Valid {
|
|
p.ClientIP = clientIP.String
|
|
}
|
|
if userAgent.Valid {
|
|
p.UserAgent = userAgent.String
|
|
}
|
|
|
|
if time.Now().UTC().After(p.AbsoluteExpiresAt) {
|
|
return nil, repository.ErrPreLoginExpired
|
|
}
|
|
return &p, nil
|
|
}
|
|
|
|
// materialize returns the decrypted value when the encrypted blob is
|
|
// present; otherwise falls back to the legacy plaintext column for
|
|
// rolling-deploy compat. Returns an error when both are absent —
|
|
// inconsistent row state that should never persist beyond a deploy.
|
|
func (r *PreLoginRepository) materialize(enc []byte, plain sql.NullString) (string, error) {
|
|
if len(enc) > 0 {
|
|
decrypted, err := cryptopkg.DecryptIfKeySet(enc, r.encryptionKey)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return string(decrypted), nil
|
|
}
|
|
if plain.Valid {
|
|
return plain.String, nil
|
|
}
|
|
return "", errors.New("row missing both encrypted and plaintext value")
|
|
}
|
|
|
|
// GarbageCollectExpired deletes rows whose absolute_expires_at is in
|
|
// the past. Returns the count deleted. Wired into the same scheduler
|
|
// sweep as expired post-login sessions.
|
|
func (r *PreLoginRepository) GarbageCollectExpired(ctx context.Context) (int, error) {
|
|
res, err := r.db.ExecContext(ctx,
|
|
`DELETE FROM oidc_pre_login_sessions WHERE absolute_expires_at < NOW()`)
|
|
if err != nil {
|
|
return 0, fmt.Errorf("oidc_pre_login gc: %w", err)
|
|
}
|
|
n, _ := res.RowsAffected()
|
|
return int(n), nil
|
|
}
|