gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-08 13:28:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
757e2ec30cee2d9b30fe3c086ea5cc2bb179c298
certctl/.github/coverage-thresholds.yml
T
shankar0123 757e2ec30c auth-bundle-2 Phase 3: OIDC service (HandleAuthRequest, HandleCallback, 
RefreshKeys), hand-rolled group-claim resolver, 21+ negative-test
matrix, token-leak hygiene, IdP downgrade-attack defense

Phase 3 of the bundle ships the business logic that turns the Phase 2
storage primitives into a working OpenID Connect 1.0 + RFC 7636 PKCE
authorization-code flow against any enterprise IdP (Okta / Azure AD /
Google Workspace / Keycloak / Authentik / Auth0).

Service surface:

  - Service.HandleAuthRequest(providerID) -> authURL, cookie, preLoginID
    Builds the IdP redirect with PKCE-S256 (mandatory; RFC 9700 §2.1.1),
    server-generated 32-byte state + nonce, persisted to the pre-login
    row keyed by the cookie value.
  - Service.HandleCallback(cookie, code, state, ip, ua) -> *CallbackResult
    11-step validation: pre-login lookup-and-consume (single-use),
    constant-time state compare, code-for-token exchange with PKCE
    verifier, ID-token verify (alg pin via go-oidc/v3), service-layer
    re-checks of iss / aud / azp (multi-aud requires it; mismatch
    rejected) / at_hash (REQUIRED when access_token returned —
    Phase 3 lifts the OIDC core "MAY" to a service-level "MUST") /
    exp / iat-window / nonce, group-claim resolution with userinfo
    fallback, group->role mapping (fail-closed on no match),
    user upsert, session mint via SessionMinter port.
  - Service.RefreshKeys(providerID) — explicit cache eviction +
    re-load. Re-runs the IdP downgrade-attack defense so a provider
    that later rotates to advertising HS* / none is caught BEFORE the
    next user login attempt.

Security posture (every fail-closed branch is a sentinel error +
test):

  - Algorithm pinning: allow-list {RS256, RS512, ES256, ES384, EdDSA};
    deny-list {HS256, HS384, HS512, none}. Belt-and-braces re-check
    via isDisallowedAlg after go-oidc.Verify.
  - PKCE-S256 mandatory (oauth2.GenerateVerifier + S256ChallengeOption);
    `plain` rejection sentinel exists for defense-in-depth.
  - State + nonce: 32-byte crypto/rand, base64url-no-pad,
    constant-time compare, single-use.
  - IdP downgrade-attack defense: at provider creation / RefreshKeys,
    reject any IdP whose discovery doc advertises HS* / none in
    id_token_signing_alg_values_supported.
  - JWKS fail-closed: in-flight login fails 503; existing sessions
    untouched. isJWKSFetchError detects the gooidc verify-error
    shape; ErrJWKSUnreachable is the wire mapping.
  - Token-leak hygiene: ID tokens, access tokens, refresh tokens,
    authorization codes, PKCE verifiers, state, nonce, signing key
    bytes — NEVER logged at any level. logging_test.go pins the
    invariant via a slog buffer + grep-assert across HandleAuthRequest,
    HandleCallback, alg rejection, and provider-load paths.

Group-claim resolver (internal/auth/oidc/groupclaim/):

  - Hand-rolled per Decision 10 (no JSON-path lib; ~150 LOC).
  - URL-shape paths (https:// / http://) treated as a single
    literal key — Auth0 namespaced claims like
    https://your-namespace/groups work without splitting on the
    dots in the URL.
  - Dot-separated paths walked through nested map[string]interface{}.
  - []interface{} / []string / single-string normalized to []string;
    bool / number / object / nil → fail closed.
  - 18 unit tests + sentinels (ErrPathEmpty, ErrSegmentMissing,
    ErrSegmentNotObject, ErrInvalidValueType).

Test surface:

  - service_test.go: 57 test functions including all 21 prompt-mandated
    negative cases (wrong aud / wrong iss / expired / unknown alg /
    alg=none / HMAC alg / azp missing on multi-aud / azp mismatched /
    at_hash missing / at_hash mismatched / iat in future / iat too old /
    nonce mismatched / state mismatched / state replayed / PKCE plain
    sentinel / pre-login replay / forged cookie / IdP downgrade /
    group-claim missing / group-claim unmapped) plus the userinfo
    fallback matrix (happy path + endpoint-missing + endpoint-failing +
    userinfo-also-empty), HandleAuthRequest entry point + RNG-failure
    paths, upsertUser update + create + display-name fallback +
    Validate-error paths, decryptClientSecret real-encrypt round-trip
    + bad-passphrase, alg-parser malformed-header matrix.
  - logging_test.go: 4 hygiene tests pinning no token / code / verifier /
    state / cookie / client_secret / alg name appears in any captured
    log line.
  - groupclaim/resolver_test.go: 18 cases covering Okta string-array,
    Keycloak realm_access.roles, Auth0 namespaced URL claim,
    single-string normalization, deeply-nested 3-segment walks, and
    every fail-closed branch.

Coverage:
  internal/auth/oidc                  92.2%  (floor: 90)
  internal/auth/oidc/groupclaim      100.0%  (floor: 95)
  internal/auth/oidc/domain           96.2%  (floor: 90)

Coverage gates added at .github/coverage-thresholds.yml so a future
regression in any fail-closed branch fails CI before the commit lands.

Phase 3 of cowork/auth-bundle-2-prompt.md is closed. Next up: Phase 4
(Session service: cookies, revocation, sliding-vs-absolute expiry).
2026-05-10 04:56:03 +00:00

151 lines
6.0 KiB
YAML
Raw Blame History

# Coverage floors per gated package.
#
# Each entry: floor: <integer percentage>, why: <load-bearing context>.
# Adding a new gated package: one entry here; CI's `Check Coverage Thresholds`
# step auto-picks up. Lowering a floor REQUIRES corresponding code-side test
# work — never lower the gate to make CI green.
#
# Per ci-pipeline-cleanup bundle Phase 2 / frozen decision 0.3.
internal/service:
floor: 70
why: |
Bundle R-CI-extended raise (post-Bundle-N.C-extended): service
55 → 70. HEAD 73.4% (3pp margin). Prescribed Bundle R target
was 80; held lower to avoid false-positives on single low-
coverage files dragging the global per-file-average down.
internal/api/handler:
floor: 75
why: |
Bundle R-CI-extended raise: handler 60 → 75. HEAD 79.8% (4pp
margin). Prescribed Bundle R target was 80; held lower for
same reason as service layer.
internal/domain:
floor: 40
why: |
Domain layer is mostly type definitions + validators; 40% is
the load-bearing-paths floor.
internal/api/middleware:
floor: 30
why: |
Middleware coverage is per-handler-test-driven. 30% is the
floor that catches the wired-up middleware paths; the
unwired paths (alternative auth providers not currently
enabled) sit below.
internal/crypto:
floor: 88
why: |
Bundle R closure CI checkpoint #3: crypto floor lifted 85 → 88.
Post-Bundle-Q package-scoped coverage at HEAD: 88.2%. The
remaining ~12% gap is platform-failure branches (rand.Reader /
aes.NewCipher) that require interface seams the production
code doesn't use; closing them is tracked as R-CI-extended,
not Bundle R scope.
internal/connector/issuer/local:
floor: 86
why: |
Bundle R closure CI checkpoint #3: local-issuer floor lifted
85 → 86. Post-Bundle-Q package-scoped coverage at HEAD: 86.7%.
The prescribed Bundle R target was 92, but reaching it
requires interface seams for crypto/x509 signing-error
branches — tracked as R-CI-extended.
internal/connector/issuer/acme:
floor: 80
why: |
Bundle R-CI-extended threshold raise (post-Bundle-J-extended):
ACME 50 → 80. The Pebble-style mock + per-CA failure tests
lift package-scoped ACME to 85.4%; gate at 80 with 5pp margin
to absorb the global-run per-file-average dip.
internal/connector/issuer/stepca:
floor: 80
why: |
Bundle L.B / Coverage-Audit C-005 — StepCA failure-mode + JWE
round-trip tests lift package from 52.1% to 90.4% (per-package
run). Floor at 80 with margin.
internal/mcp:
floor: 85
why: |
Bundle K / Coverage-Audit C-002 — MCP per-tool dispatch via
in-memory transport lifts package from 28.0% to 93.1% (per-
package run). Floor at 85.
internal/auth:
floor: 85
why: |
Bundle 1 Phase 12 — RBAC primitive coverage gate.
internal/auth ships keystore + middleware + RequirePermission +
bootstrap + the Phase-3 context keys + the protocol-endpoint
allowlist. Negative-test coverage (no actor → 401, no role →
403, wrong scope → 403, bootstrap-token-wrong → 401, bootstrap-
used-twice → 410, admin-already-exists → 410, zero-length token
rejection) is now in place. Prescribed Bundle 1 target was 90;
held at 85 to absorb the per-file-average dip from the
middleware shim files (testfixtures.go) which CI runs but only
test fixtures exercise. Sub-package internal/auth/bootstrap
inherits this floor.
internal/service/auth:
floor: 85
why: |
Bundle 1 Phase 12 — RBAC service-layer coverage gate.
PermissionService + RoleService + ActorRoleService + Authorizer
each have positive + negative tests covering the
privilege-escalation guard (auth.role.assign required for
Grant/Revoke), the reserved-actor invariant (actor-demo-anon
cannot be mutated), the canonical-permission validation, the
role-in-use guard on Delete, and every sentinel-error path
(ErrUnauthenticated / ErrForbidden / ErrSelfRoleAssignment /
ErrAuthReservedActor / ErrAuthUnknownPermission /
ErrAuthRoleInUse).
internal/auth/oidc:
floor: 90
why: |
Bundle 2 Phase 3 — OIDC service coverage gate. Phase 3 spec
pins the floor at 90 explicitly because every fail-closed
branch is load-bearing for the security posture: alg pinning
(deny-list HS*/none + allow-list RS*/ES*/EdDSA), audience
re-check, azp enforcement on multi-aud tokens, at_hash
REQUIRED-when-access-token-present (Phase 3 lifts the OIDC
core "MAY" to a service-level "MUST"), iat-window window,
nonce constant-time-compare, single-use state replay defense,
PKCE-S256 mandatory, IdP downgrade-attack defense at
provider-load + RefreshKeys time, JWKS-fail-closed semantics,
group-claim resolution + userinfo-fallback fail-closed
semantics, token-leak hygiene. A regression in any one of
these branches is a security incident; the floor catches it
before the commit lands. The mock-IdP fixture in
service_test.go is the load-bearing harness.
internal/auth/oidc/groupclaim:
floor: 95
why: |
Bundle 2 Phase 3 — group-claim resolver. Hand-rolled (no
JSON-path dep per Decision 10); ~150 LOC, every branch
exercised by 19 unit tests covering the documented IdP shapes
(Okta string array, Keycloak realm_access.roles, Auth0
namespaced URL claim, single-string normalization,
deeply-nested 3-segment walks) plus every fail-closed branch
(empty path, missing key, missing nested key, non-object
intermediate, bool/number/object/nil values, array with
non-string element, URL-shape with dots-in-path treated as
literal). Resolver should be at 100%; floor at 95 leaves a
1-statement margin for future error-message refactors.
internal/auth/oidc/domain:
floor: 90
why: |
Bundle 2 Phase 1 — OIDCProvider + GroupRoleMapping domain.
Validation-heavy package; constructors + Validate methods
cover all canonical IdP shapes (Okta / Azure AD / Google
Workspace / Keycloak / Authentik / Auth0). Floor at 90 to
catch any future field that ships without a validator.
Reference in New Issue View Git Blame Copy Permalink