mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:11:31 +00:00
shankar0123
90210c9334
Pre-login rows previously persisted the OIDC state, nonce, and PKCE
verifier as plaintext columns; an operator restoring an unredacted
backup of oidc_pre_login_sessions to a debug environment leaked every
in-flight handshake. If the IdP also leaked the auth code in the same
window (logged at a misconfigured TLS terminator, etc.), the attacker
could exchange code + verifier directly. RFC 7636 §7 requires verifier
confidentiality.
This commit:
- Migration 000041 adds {state,nonce,pkce_verifier}_enc BYTEA columns
and makes the legacy plaintext columns nullable. A follow-up
migration drops the plaintext columns once the rolling deploy
completes.
- internal/repository/postgres/oidc_prelogin.go::Create encrypts the
three secrets via crypto.EncryptIfKeySet (v3 magic 0x03 + per-row
salt + nonce + AES-256-GCM tag) and writes only the encrypted
columns; legacy plaintext stays NULL on the write path.
- LookupAndConsume prefers encrypted columns via materialize(),
falling back to the legacy plaintext only when _enc is NULL — the
rolling-deploy compat layer that 000042 will retire.
- NewPreLoginRepository takes encryptionKey; cmd/server/main.go threads
cfg.Encryption.ConfigEncryptionKey in.
- Encryption key reuses CERTCTL_CONFIG_ENCRYPTION_KEY (same passphrase
already protecting OIDC client secrets and SessionSigningKey material).
No new env var.
Why encryption-at-rest, not HMAC: the spec's HMAC approach required
moving plaintext into the cookie (the cookie currently carries only
row ID + HMAC). Re-shaping the cookie wire format would be a larger
refactor; the audit explicitly admits encryption-at-rest is an
acceptable closure (weaker because backups still contain decryptable
ciphertext, but the encryption key is held separately from the DB
backup, and the 10-minute TTL further bounds usable secret window).
Three new regression tests in oidc_prelogin_encryption_test.go pin:
(a) _enc columns contain v3-format ciphertext, NOT plaintext
substrings, post-Create
(b) legacy plaintext columns are NULL post-Create (defends against
future patches that re-introduce plaintext writes)
(c) LookupAndConsume round-trips state/nonce/verifier byte-for-byte
A fourth test pins the legacy-row fallback for rolling-deploy compat.
Refs: cowork/auth-bundles-audit-2026-05-10.md HIGH-5
Spec: cowork/auth-bundles-fixes-2026-05-10/09-high-5-prelogin-secret-protection.md
207 lines
8.1 KiB
Go
207 lines
8.1 KiB
Go
package postgres_test
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"testing"
|
|
|
|
cryptopkg "github.com/certctl-io/certctl/internal/crypto"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
"github.com/certctl-io/certctl/internal/repository/postgres"
|
|
)
|
|
|
|
// Audit 2026-05-10 HIGH-5 closure — pin the at-rest invariant for
|
|
// the OIDC pre-login table. Pre-fix, state / nonce / pkce_verifier
|
|
// rode plaintext columns; an operator restoring an unredacted backup
|
|
// to a debug environment leaked every in-flight handshake. Post-fix,
|
|
// the new write path encrypts via crypto.EncryptIfKeySet (v3 magic
|
|
// 0x03 || salt(16) || nonce(12) || ciphertext+tag). The legacy
|
|
// plaintext columns remain on the schema (nullable) for in-flight
|
|
// rolling-deploy compat; the new write path NEVER populates them.
|
|
//
|
|
// Mirror of the Phase 13 oidc_providers encryption-invariant pattern.
|
|
// Lives in the postgres_test package so it runs against the real
|
|
// migrated schema via testcontainers; protected by testing.Short().
|
|
|
|
const (
|
|
preLoginEncTestPassphrase = "high-5-prelogin-test-encryption-key-DO-NOT-USE-IN-PROD"
|
|
)
|
|
|
|
// TestPreLoginRepository_EncryptionInvariant_HIGH5 pins three legs:
|
|
//
|
|
// (a) the {state,nonce,pkce_verifier}_enc columns contain v3
|
|
// AES-GCM blobs (NOT the plaintext) immediately after Create;
|
|
// (b) the legacy plaintext columns are NULL after the new write
|
|
// path runs (defense against a regressing patch that re-adds
|
|
// plaintext writes);
|
|
// (c) LookupAndConsume round-trips the original plaintext via the
|
|
// encrypted columns, returning state / nonce / pkce_verifier
|
|
// byte-for-byte equal to the values written.
|
|
func TestPreLoginRepository_EncryptionInvariant_HIGH5(t *testing.T) {
|
|
if testing.Short() {
|
|
t.Skip("HIGH-5 encryption invariant: integration test in short mode")
|
|
}
|
|
db := getTestDB(t).freshSchema(t)
|
|
ctx := context.Background()
|
|
|
|
// Seed a session_signing_keys row + an oidc_providers row so the
|
|
// pre-login row's FK constraints are satisfied. The signing-key
|
|
// material can be any non-empty byte slice (the pre-login repo
|
|
// doesn't decrypt it).
|
|
if _, err := db.ExecContext(ctx, `
|
|
INSERT INTO session_signing_keys (id, tenant_id, key_material_encrypted)
|
|
VALUES ('sk-high5', 't-default', $1)`,
|
|
[]byte{0x03, 0x00, 0x01, 0x02}); err != nil {
|
|
t.Fatalf("seed session_signing_keys: %v", err)
|
|
}
|
|
provRepo := postgres.NewOIDCProviderRepository(db)
|
|
if err := provRepo.Create(ctx, newValidProvider("high5")); err != nil {
|
|
t.Fatalf("seed oidc_provider: %v", err)
|
|
}
|
|
|
|
repo := postgres.NewPreLoginRepository(db, preLoginEncTestPassphrase)
|
|
|
|
statePlain := "very-secret-oidc-state-do-not-leak"
|
|
noncePlain := "very-secret-oidc-nonce-do-not-leak"
|
|
verifierPlain := "very-secret-pkce-verifier-bytes-do-not-leak"
|
|
|
|
row := &repository.PreLoginSession{
|
|
ID: "pl-high5-1",
|
|
TenantID: "t-default",
|
|
SigningKeyID: "sk-high5",
|
|
OIDCProviderID: "op-high5",
|
|
State: statePlain,
|
|
Nonce: noncePlain,
|
|
PKCEVerifier: verifierPlain,
|
|
}
|
|
if err := repo.Create(ctx, row); err != nil {
|
|
t.Fatalf("Create: %v", err)
|
|
}
|
|
|
|
// ── Invariant (a): encrypted columns contain v3 blobs, NOT plaintext. ──
|
|
var stateEnc, nonceEnc, verifierEnc []byte
|
|
if err := db.QueryRowContext(ctx, `
|
|
SELECT state_enc, nonce_enc, pkce_verifier_enc
|
|
FROM oidc_pre_login_sessions WHERE id = $1`, row.ID).
|
|
Scan(&stateEnc, &nonceEnc, &verifierEnc); err != nil {
|
|
t.Fatalf("SELECT raw enc columns: %v", err)
|
|
}
|
|
for label, blob := range map[string][]byte{
|
|
"state": stateEnc,
|
|
"nonce": nonceEnc,
|
|
"pkce_verifier": verifierEnc,
|
|
} {
|
|
if len(blob) == 0 {
|
|
t.Errorf("INVARIANT (a) VIOLATED: %s_enc is empty post-Create", label)
|
|
continue
|
|
}
|
|
// v3 magic + salt(16) + nonce(12) + at least 16 bytes for the AEAD tag.
|
|
if len(blob) < 1+16+12+16 {
|
|
t.Errorf("INVARIANT (a) VIOLATED: %s_enc blob too short (%d bytes)", label, len(blob))
|
|
}
|
|
if blob[0] != 0x03 {
|
|
t.Errorf("INVARIANT (a) VIOLATED: %s_enc magic = 0x%02x; want 0x03 (v3)", label, blob[0])
|
|
}
|
|
}
|
|
if bytes.Contains(stateEnc, []byte(statePlain)) {
|
|
t.Errorf("INVARIANT (a) VIOLATED: state_enc contains plaintext substring %q", statePlain)
|
|
}
|
|
if bytes.Contains(nonceEnc, []byte(noncePlain)) {
|
|
t.Errorf("INVARIANT (a) VIOLATED: nonce_enc contains plaintext substring %q", noncePlain)
|
|
}
|
|
if bytes.Contains(verifierEnc, []byte(verifierPlain)) {
|
|
t.Errorf("INVARIANT (a) VIOLATED: pkce_verifier_enc contains plaintext substring %q", verifierPlain)
|
|
}
|
|
|
|
// ── Invariant (b): legacy plaintext columns are NULL post-Create. ──
|
|
var statePlainCol, noncePlainCol, verifierPlainCol *string
|
|
if err := db.QueryRowContext(ctx, `
|
|
SELECT state, nonce, pkce_verifier
|
|
FROM oidc_pre_login_sessions WHERE id = $1`, row.ID).
|
|
Scan(&statePlainCol, &noncePlainCol, &verifierPlainCol); err != nil {
|
|
t.Fatalf("SELECT plaintext columns: %v", err)
|
|
}
|
|
if statePlainCol != nil {
|
|
t.Errorf("INVARIANT (b) VIOLATED: legacy state column = %q; want NULL", *statePlainCol)
|
|
}
|
|
if noncePlainCol != nil {
|
|
t.Errorf("INVARIANT (b) VIOLATED: legacy nonce column = %q; want NULL", *noncePlainCol)
|
|
}
|
|
if verifierPlainCol != nil {
|
|
t.Errorf("INVARIANT (b) VIOLATED: legacy pkce_verifier column = %q; want NULL", *verifierPlainCol)
|
|
}
|
|
|
|
// ── Invariant (c): LookupAndConsume round-trips the plaintext. ──
|
|
got, err := repo.LookupAndConsume(ctx, row.ID)
|
|
if err != nil {
|
|
t.Fatalf("LookupAndConsume: %v", err)
|
|
}
|
|
if got.State != statePlain {
|
|
t.Errorf("INVARIANT (c) VIOLATED: round-trip state = %q; want %q", got.State, statePlain)
|
|
}
|
|
if got.Nonce != noncePlain {
|
|
t.Errorf("INVARIANT (c) VIOLATED: round-trip nonce = %q; want %q", got.Nonce, noncePlain)
|
|
}
|
|
if got.PKCEVerifier != verifierPlain {
|
|
t.Errorf("INVARIANT (c) VIOLATED: round-trip pkce_verifier = %q; want %q", got.PKCEVerifier, verifierPlain)
|
|
}
|
|
|
|
// Sanity: a wrong passphrase MUST fail the AEAD check.
|
|
if _, err := cryptopkg.DecryptIfKeySet(stateEnc, preLoginEncTestPassphrase+"-wrong"); err == nil {
|
|
t.Error("AEAD broken: DecryptIfKeySet succeeded with wrong passphrase")
|
|
}
|
|
}
|
|
|
|
// TestPreLoginRepository_EncryptionInvariant_LegacyPlaintextStillReadable
|
|
// pins the rolling-deploy fallback. Pre-deploy code paths that already
|
|
// wrote a row using the legacy schema (plaintext columns populated,
|
|
// _enc columns NULL) must continue to consume cleanly. After 000042
|
|
// drops the plaintext columns, this test should be deleted along with
|
|
// the materialize() fallback in the repo.
|
|
func TestPreLoginRepository_EncryptionInvariant_LegacyPlaintextStillReadable(t *testing.T) {
|
|
if testing.Short() {
|
|
t.Skip("HIGH-5 legacy fallback: integration test in short mode")
|
|
}
|
|
db := getTestDB(t).freshSchema(t)
|
|
ctx := context.Background()
|
|
|
|
if _, err := db.ExecContext(ctx, `
|
|
INSERT INTO session_signing_keys (id, tenant_id, key_material_encrypted)
|
|
VALUES ('sk-legacy', 't-default', $1)`,
|
|
[]byte{0x03, 0x00, 0x01, 0x02}); err != nil {
|
|
t.Fatalf("seed session_signing_keys: %v", err)
|
|
}
|
|
provRepo := postgres.NewOIDCProviderRepository(db)
|
|
if err := provRepo.Create(ctx, newValidProvider("legacy")); err != nil {
|
|
t.Fatalf("seed oidc_provider: %v", err)
|
|
}
|
|
|
|
// Simulate a legacy-write row (plaintext populated, _enc NULL) by
|
|
// inserting directly via SQL — this is the byte shape the pre-fix
|
|
// code path produced.
|
|
if _, err := db.ExecContext(ctx, `
|
|
INSERT INTO oidc_pre_login_sessions (
|
|
id, tenant_id, signing_key_id, oidc_provider_id,
|
|
state, nonce, pkce_verifier
|
|
) VALUES ($1, $2, $3, $4, $5, $6, $7)`,
|
|
"pl-legacy-1", "t-default", "sk-legacy", "op-legacy",
|
|
"legacy-state", "legacy-nonce", "legacy-verifier"); err != nil {
|
|
t.Fatalf("legacy direct INSERT: %v", err)
|
|
}
|
|
|
|
repo := postgres.NewPreLoginRepository(db, preLoginEncTestPassphrase)
|
|
got, err := repo.LookupAndConsume(ctx, "pl-legacy-1")
|
|
if err != nil {
|
|
t.Fatalf("LookupAndConsume legacy row: %v", err)
|
|
}
|
|
if got.State != "legacy-state" {
|
|
t.Errorf("legacy round-trip state = %q; want legacy-state", got.State)
|
|
}
|
|
if got.Nonce != "legacy-nonce" {
|
|
t.Errorf("legacy round-trip nonce = %q; want legacy-nonce", got.Nonce)
|
|
}
|
|
if got.PKCEVerifier != "legacy-verifier" {
|
|
t.Errorf("legacy round-trip pkce_verifier = %q; want legacy-verifier", got.PKCEVerifier)
|
|
}
|
|
}
|