mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-12 05:48:52 +00:00
shankar0123
596e675ec7
Bundle 5 closure (2026-05-13 acquisition diligence audit). 13-finding
security audit pass across the auth / OIDC / MCP / API / browser-
security surface. Five real closures shipped in code, two false-as-
stated findings annotated with the existing implementation, three
operator-decision items documented for v3 follow-up, three doc-only
fixes (auth architecture narrative aligned with shipped OIDC).
Source findings closed (code):
S1 break-glass /auth/breakglass/login lacked the documented
5/min per-source-IP rate limit; handler now owns its own
SlidingWindowLimiter wired at startup. Doc claim turns true.
R6 OIDC test_discovery JWKS probe ran on http.DefaultClient;
now uses an http.Client whose transport wraps
validation.SafeHTTPDialContext. JWKS URI can no longer
pivot into reserved-address ranges via DNS rebinding.
R7 Slack + Teams notifiers built http.Client without the SSRF
dial-time guard. Both New() constructors now install
validation.SafeHTTPDialContext; webhook URLs (operator-
configured via dynamic-config GUI) cannot dial 169.254.x or
in-cluster reserved ranges. Test seam: newForTest bypasses
the guard for httptest's 127.0.0.1 binds, mirroring the
existing internal/connector/notifier/webhook pattern.
RT-L2 CERTCTL_ACME_INSECURE=true now emits a prominent
logger.Warn at server boot. Pre-Bundle-5 the knob silently
disabled ACME directory TLS verification.
Source findings closed (doc):
finding 1 + HIGH-5 Architecture doc claimed no in-process JWT/
OIDC/mTLS/SAML and pointed everyone at the
authenticating-gateway pattern. Auth Bundle 2
(commit dea5053) shipped native OIDC + sessions +
break-glass. New §"In-process authentication surface"
table (api-key / oidc / none) supersedes the old framing;
"Authenticating-gateway pattern (SAML, mTLS-as-auth,
LDAP)" section retained for protocols certctl still
doesn't ship natively.
Source findings verified false (existing implementation):
S4 OIDC email-domain allowlist — `email_domain_test.go`
already pins the strict-equality semantics (subdomain not
auto-accepted, multi-entry no-match path, empty allowlist
accepts all by-design per RFC 9700 §4.1.1).
SEC-L1 CSP / HSTS / referrer-policy headers — already shipped at
internal/api/middleware/securityheaders.go and wired at
cmd/server/main.go L2003+L2027+L2115.
Operator-decision / deferred (tracked in bundle-5 closure doc):
S3 CERTCTL_API_KEYS_NAMED parsing is wired, end-to-end
validation is partial. Operator decides: complete the
named-key middleware path or deprecate the syntax.
S5 Audit-middleware best-effort for read paths;
security-critical writes use WithinTx. Operator decides
per-path escalation.
S8 MCP threat model — the binary is a thin protocol bridge,
no privileges of its own; every tool call carries
CERTCTL_API_KEY and is auth'd + RBAC-gated server-side.
Optional CERTCTL_MCP_READ_ONLY gate tracked as v3.
SEC-H1 2026-05-10 audit CRIT-1/2/4 already closed on master;
CRIT-3/5 status against the spec folder is operator-
workstation-validation-only. Documented for follow-up.
SEC-L2 WebAuthn / FIDO2 / step-up — already documented in
docs/operator/auth-threat-model.md "Threats Bundle 2 does
NOT close". v3 work item per CLAUDE.md decision 12.
Full per-finding rationale + receipts at
docs/operator/security-bundle-5-audit-closure.md.
Verification:
gofmt -l # clean
go vet ./internal/connector/notifier/slack
./internal/connector/notifier/teams ./internal/auth/oidc
./internal/api/handler ./cmd/server # clean
go build ./cmd/server [...] # clean
go test -short -count=1 ./internal/connector/notifier/slack
./internal/connector/notifier/teams ./internal/api/handler
./internal/auth/oidc ./internal/config # PASS
# (slack 0.028s + teams
# 0.023s + handler 11.0s;
# newForTest seam keeps
# httptest tests green)
Audit-Closes: BUNDLE-5 S1 R6 R7 RT-L2 finding-1 HIGH-5
Audit-Verifies-False: S4 SEC-L1
Audit-Defers: S3 S5 S8 SEC-H1 SEC-L2
125 lines
3.3 KiB
Go
125 lines
3.3 KiB
Go
package teams
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/certctl-io/certctl/internal/validation"
|
|
)
|
|
|
|
// teamsClientTimeout bounds every outbound Teams webhook request and
|
|
// its resolution/dial phase. Shared by the SSRF-safe transport dialer
|
|
// (Bundle 5 R7 closure) and the http.Client.
|
|
const teamsClientTimeout = 10 * time.Second
|
|
|
|
// Config holds configuration for the Microsoft Teams notifier.
|
|
type Config struct {
|
|
// WebhookURL is the Teams incoming webhook URL.
|
|
WebhookURL string `json:"webhook_url"`
|
|
}
|
|
|
|
// Notifier sends notifications to Microsoft Teams via incoming webhooks.
|
|
type Notifier struct {
|
|
config Config
|
|
httpClient *http.Client
|
|
}
|
|
|
|
// New creates a new Teams notifier.
|
|
//
|
|
// Bundle 5 closure (audit R7): SSRF-safe transport — see the parallel
|
|
// rationale in internal/connector/notifier/slack.New. Webhook URLs are
|
|
// operator-configured via the dynamic-config GUI and must not pivot
|
|
// into cloud metadata services or in-cluster reserved ranges.
|
|
func New(config Config) *Notifier {
|
|
transport := &http.Transport{
|
|
DialContext: validation.SafeHTTPDialContext(teamsClientTimeout),
|
|
MaxIdleConns: 10,
|
|
IdleConnTimeout: 90 * time.Second,
|
|
TLSHandshakeTimeout: 10 * time.Second,
|
|
ExpectContinueTimeout: 1 * time.Second,
|
|
}
|
|
return &Notifier{
|
|
config: config,
|
|
httpClient: &http.Client{
|
|
Timeout: teamsClientTimeout,
|
|
Transport: transport,
|
|
},
|
|
}
|
|
}
|
|
|
|
// newForTest bypasses the SSRF dial-time guard for unit tests that hit
|
|
// httptest.NewServer (binds to 127.0.0.1). Production uses `New`.
|
|
func newForTest(config Config) *Notifier {
|
|
return &Notifier{
|
|
config: config,
|
|
httpClient: &http.Client{
|
|
Timeout: teamsClientTimeout,
|
|
},
|
|
}
|
|
}
|
|
|
|
// Channel returns the channel identifier.
|
|
func (n *Notifier) Channel() string {
|
|
return "Teams"
|
|
}
|
|
|
|
// Send delivers a notification to Teams via webhook using MessageCard format.
|
|
func (n *Notifier) Send(ctx context.Context, recipient string, subject string, body string) error {
|
|
card := teamsMessageCard{
|
|
Type: "MessageCard",
|
|
Context: "https://schema.org/extensions",
|
|
ThemeColor: "0076D7",
|
|
Summary: subject,
|
|
Sections: []teamsSection{
|
|
{
|
|
ActivityTitle: subject,
|
|
Text: body,
|
|
Markdown: true,
|
|
},
|
|
},
|
|
}
|
|
|
|
jsonBytes, err := json.Marshal(card)
|
|
if err != nil {
|
|
return fmt.Errorf("teams: failed to marshal payload: %w", err)
|
|
}
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodPost, n.config.WebhookURL, bytes.NewReader(jsonBytes))
|
|
if err != nil {
|
|
return fmt.Errorf("teams: failed to create request: %w", err)
|
|
}
|
|
req.Header.Set("Content-Type", "application/json")
|
|
|
|
resp, err := n.httpClient.Do(req)
|
|
if err != nil {
|
|
return fmt.Errorf("teams: request failed: %w", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
respBody, _ := io.ReadAll(resp.Body)
|
|
return fmt.Errorf("teams: webhook returned HTTP %d: %s", resp.StatusCode, string(respBody))
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
type teamsMessageCard struct {
|
|
Type string `json:"@type"`
|
|
Context string `json:"@context"`
|
|
ThemeColor string `json:"themeColor"`
|
|
Summary string `json:"summary"`
|
|
Sections []teamsSection `json:"sections"`
|
|
}
|
|
|
|
type teamsSection struct {
|
|
ActivityTitle string `json:"activityTitle"`
|
|
Text string `json:"text"`
|
|
Markdown bool `json:"markdown"`
|
|
}
|