gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:41:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2a1a0b347c3cc8b19a65b81428420a6e61a34fb3
certctl/migrations/000044_prelogin_uaip.up.sql
T
shankar0123 2a1a0b347c harden(oidc): pre-login UA/IP binding (MED-16) — RFC 9700 §4.7.1 
Audit 2026-05-10 MED-16 closure.

WHAT.

Binds the OIDC pre-login row to the (clientIP, userAgent) tuple of
the /auth/oidc/login request, and enforces a constant-time compare
against the /auth/oidc/callback request at consume time. Defeats
replay of a stolen pre-login cookie by a different browser /
source — the secondary defense layer recommended by RFC 9700 §4.7.1
when the primary layer (HMAC integrity + Path=/ + SameSite=Lax on
the cookie) is bypassed via CSRF / XSS / TLS-termination leak.

WHY.

Pre-fix, the pre-login cookie's HMAC verified only that 'some'
caller of /auth/oidc/login was talking to /auth/oidc/callback; it
did not verify that the SAME browser / source was on both sides.
An attacker who exfiltrated the cookie value via any vector could
replay the bytes through their own user-agent and ride the victim's
authorization. RFC 9700 §4.7.1 calls out the gap explicitly and
recommends binding state to a user-agent fingerprint + source IP.

HOW.

Migration:
  migrations/000044_prelogin_uaip.up.sql
    ALTER TABLE oidc_pre_login_sessions
      ADD COLUMN IF NOT EXISTS client_ip   TEXT,
      ADD COLUMN IF NOT EXISTS user_agent  TEXT;
  Both nullable for in-flight rolling-deploy compat — the consume-
  side check only enforces when both row AND request carry non-empty
  values for the leg in question.

Domain:
  internal/repository/oidc.go (PreLoginSession) — adds ClientIP +
    UserAgent fields.

Repository:
  internal/repository/postgres/oidc_prelogin.go — Create persists
    via sql.NullString (empty → NULL); LookupAndConsume reads back.
    Re-uses package-local nullableString from discovery.go.

Service:
  internal/auth/oidc/service.go
    - PreLoginStore.CreatePreLogin signature takes (clientIP,
      userAgent) as positions 5–6.
    - PreLoginStore.LookupAndConsume returns (clientIP, userAgent)
      as positions 5–6.
    - HandleAuthRequest signature gains (clientIP, userAgent),
      threaded to the store.
    - HandleCallback adds Step 1.5 — UA / IP constant-time compare
      between stored row and incoming request. Per-leg toggles via
      preLoginRequireUA / preLoginRequireIP service fields. Empty
      values on either side pass through (rolling-deploy + headless-
      proxy compat).
    - New sentinels ErrPreLoginUAMismatch, ErrPreLoginIPMismatch.
    - SetPreLoginBindingRequirements(requireUA, requireIP) helper
      for main.go config wiring.

Adapter:
  internal/auth/oidc/prelogin.go — PreLoginAdapter passes the new
    fields through to the repo row.

Handler:
  internal/api/handler/auth_session_oidc.go
    - OIDCAuthHandshaker.HandleAuthRequest signature updated.
    - LoginInitiate captures clientIPFromRequest + r.UserAgent()
      and passes to the service.
    - classifyOIDCFailure adds errors.Is dispatch for the two new
      sentinels → prelogin_ua_mismatch / prelogin_ip_mismatch
      audit categories.

Config:
  internal/config/config.go
    + AuthConfig.OIDCPreLoginRequireUA (default true)
      env CERTCTL_OIDC_PRELOGIN_REQUIRE_UA
    + AuthConfig.OIDCPreLoginRequireIP (default true)
      env CERTCTL_OIDC_PRELOGIN_REQUIRE_IP
  cmd/server/main.go calls oidcService.SetPreLoginBindingRequirements
    from cfg.Auth.OIDCPreLoginRequire{UA,IP}.

Tests (internal/auth/oidc/service_test.go):
  - TestService_HandleCallback_MED16_UAMismatchRejected
  - TestService_HandleCallback_MED16_IPMismatchRejected
  - TestService_HandleCallback_MED16_BothMatch_Succeeds
  - TestService_HandleCallback_MED16_LegacyRowEmptyValues  (rolling-
    deploy compat — empty stored values pass through)
  - TestService_HandleCallback_MED16_RequireUAFalse_AllowsMismatch
    (operator escape-hatch — UA mismatch silently allowed)

Mechanical fan-out:
  - stubPreLogin / stubPreLoginRepo signatures updated.
  - All existing call sites in service_test.go (~40), prelogin_test.go,
    bench_test.go, logging_test.go, provider_enabled_test.go,
    integration_keycloak_test.go, integration_okta_smoke_test.go,
    auth_session_oidc_test.go updated to pass empty strings for the
    new params — pre-existing tests do not exercise UA/IP binding
    semantics.

VERIFY.

- go vet ./internal/auth/oidc/... ./internal/api/handler/...
  ./internal/config/...                                       PASS
- go test -short -count=1 -run MED16 ./internal/auth/oidc/... PASS (5/5)
- go test -short -count=1 ./internal/auth/oidc/...            PASS (4.6s)
- go test -short -count=1 ./internal/api/handler/...          PASS (4.3s)
- go test -short -count=1 ./internal/config/...               PASS

Refs: cowork/auth-bundles-audit-2026-05-10.md MED-16
      cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 6
      RFC 9700 §4.7.1 — OAuth 2.0 Security Best Current Practice
2026-05-10 23:18:23 +00:00

48 lines
2.7 KiB
SQL
Raw Blame History

-- =============================================================================
-- 2026-05-10 Audit / MED-16 closure
-- =============================================================================
--
-- Pre-login rows in oidc_pre_login_sessions used to carry only the OIDC state,
-- nonce, and PKCE verifier — the binding to the user agent that initiated the
-- handshake was implicit (the pre-login cookie's HMAC, scoped to the active
-- SessionSigningKey, only verifies that *some* caller of /auth/oidc/login is
-- talking to /auth/oidc/callback; it does not verify that the SAME browser /
-- HTTP client is on both sides).
--
-- RFC 9700 §4.7.1 (security best current practice for OAuth 2.0) recommends
-- binding state to a user-agent fingerprint + source IP so that a pre-login
-- cookie leaked in transit (CSRF / XSS / TLS termination on a shared proxy)
-- cannot be replayed by a different browser. Even with HMAC integrity, the
-- attacker who steals the bytes could otherwise complete the handshake.
--
-- This migration adds:
-- - client_ip TEXT — captured at /auth/oidc/login from the request's
-- clientIPFromRequest result (post LOW-5 XFF
-- trusted-proxy gating, so the value is honest).
-- - user_agent TEXT — captured at /auth/oidc/login from r.UserAgent().
-- Stored verbatim; the consume path compares with
-- constant-time equality.
--
-- Both columns are nullable so in-flight pre-login rows from pre-deploy code
-- paths still consume cleanly (the consume-side check only enforces when both
-- the row AND the request carry non-empty values; legacy rows pass through
-- because the row's binding columns are NULL).
--
-- The audit failure_category distinguishes:
-- - prelogin_ua_mismatch — UA changed across the redirect (most common
-- real-world false-positive: aggressive UA
-- rewriters on enterprise proxies).
-- - prelogin_ip_mismatch — source IP changed across the redirect (mobile
-- carrier-grade NAT, dual-stack v4/v6 hops, VPN
-- toggle).
-- - prelogin_uaip_mismatch — both differ.
--
-- Operators wanting to disable the gate (e.g. dual-stack v4/v6 environments
-- where source IP routinely flips) set the CERTCTL_OIDC_PRELOGIN_REQUIRE_UA
-- or CERTCTL_OIDC_PRELOGIN_REQUIRE_IP env var to "false". Default true.
-- =============================================================================
ALTER TABLE oidc_pre_login_sessions
ADD COLUMN IF NOT EXISTS client_ip TEXT,
ADD COLUMN IF NOT EXISTS user_agent TEXT;
Reference in New Issue View Git Blame Copy Permalink