mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 17:51:29 +00:00
shankar0123
aa139ee0d9
route + RFC 9266 channel binding + HTTP Basic enrollment-password +
per-source-IP failed-auth limit + per-(CN, sourceIP) sliding-window cap.
Two new shared packages so EST + Intune share infrastructure:
- internal/cms/ — RFC 9266 tls-exporter extractor (ExtractTLSExporter
with stdlib-panic recovery for synthetic ConnectionStates) +
CSR-side channel-binding parser via raw TBSCertificationRequestInfo
walk (the stdlib's csr.Attributes can't represent the OCTET STRING
binding value), VerifyChannelBinding composite, EmbedChannel-
BindingAttribute fixture helper, typed sentinel errors for missing
/ mismatch / not-TLS-1.3 mapped to HTTP 400 / 409 / 426 in handler.
- internal/trustanchor/ — extracted from scep/intune/trust_anchor*.go
so the EST mTLS sibling route + Intune dispatcher share the same
SIGHUP-reloadable PEM bundle primitive. intune.TrustAnchorHolder
is now `= trustanchor.Holder` (type alias) + NewTrustAnchorHolder =
trustanchor.New (function alias) — every existing call site compiles
unchanged. Intune's LoadTrustAnchor is a thin wrapper over
trustanchor.LoadBundle. White-box tests moved to the new package.
- internal/ratelimit/ — extracted from scep/intune/rate_limit.go (this
was Phase 4.1, in the same bundle). intune.PerDeviceRateLimiter
is now a thin wrapper preserving the (subject, issuer)→key
composition; EST handler reaches for SlidingWindowLimiter directly.
ESTHandler grew six optional fields wired by per-profile setters
(SetMTLSTrust / SetChannelBindingRequired / SetEnrollmentPassword /
SetSourceIPRateLimiter / SetPerPrincipalRateLimiter / SetLabelForLog)
plus four new mTLS-route methods (CACertsMTLS / SimpleEnrollMTLS /
SimpleReEnrollMTLS / CSRAttrsMTLS); shared internal pipeline
handleEnrollOrReEnroll(reEnroll, viaMTLS) keeps the auth/binding/
rate-limit gates DRY. New router method RegisterESTMTLSHandlers
registers /.well-known/est-mtls/<PathID>/{cacerts,simpleenroll,
simplereenroll,csrattrs}; AuthExemptDispatchPrefixes extends the
no-auth chain to /.well-known/est-mtls.
cmd/server/main.go's EST loop wires per-profile mTLS holder +
channel-binding policy + per-principal limiter + (when EnrollmentPassword
non-empty) Basic + source-IP limiter; new preflightESTMTLSClientCATrust-
Bundle returns *trustanchor.Holder so SIGHUP rotates the EST mTLS
bundle live without restart. SCEP + EST mTLS profiles now share a
single union mtlsUnionPoolForTLS passed to buildServerTLSConfigWithMTLS
(replaces the protocol-specific scepMTLSUnionPoolForTLS); per-handler
re-verify enforces "cert must chain to THIS profile's bundle" so
cross-protocol bleed is blocked at the application layer even though
the TLS layer trusts certs from either pool's union.
Phase 3.3 source-IP failed-Basic limiter defaults: 10 attempts / 1h
/ 50k tracked IPs (no env var; tunable in a follow-up). Phase 4.2
per-principal limiter cap from CERTCTL_EST_PROFILE_<NAME>_RATE_
LIMIT_PER_PRINCIPAL_24H (existing field, Phase 1 shipped).
New tests:
- internal/cms/channelbinding_test.go: extractor + CSR-side parser +
composite + TLS-1.3 round-trip end-to-end + EmbedChannelBinding-
Attribute round-trip
- internal/trustanchor/holder_test.go: parseBundlePEM white-box +
LoadBundle + Holder Get/Pool/SetLabelForLog/Reload-happy/
Reload-keeps-old-on-failure/Reload-keeps-old-on-expired/
WatchSIGHUP-reloads-pool/WatchSIGHUP-stop-clean
- internal/api/handler/est_hardening_test.go: 16 named cases covering
mTLS no-trust-pool 500 + no-cert 401 + cross-profile cert 401 +
happy-path 200 + CACertsMTLS auth gate + CSRAttrsMTLS auth gate +
channel-binding required-absent-rejected + not-required-absent-
allowed + writeChannelBindingError mapping + Basic no-header 401
+ Basic wrong-password 401 + Basic correct-200 + Basic-no-password
no-gate + per-IP failed-attempt lockout 429 + per-principal
blocks-after-cap + different-principals-independent + no-limiter-
unbounded.
Pre-commit verification (sandbox): gofmt clean, go vet clean
(excluding repository/postgres which the sandbox can't build —
disk-space testcontainers download), staticcheck clean for
cms/trustanchor/api/handler/api/router/scep/intune/ratelimit/
cmd/server, go test -short -count=1 green for cms/trustanchor/
api/handler/api/router/scep/intune/ratelimit/service. G-3
docs-drift guard reproduced locally clean (Phase 1 already
documented every new env var; Phases 2-4 added zero new env vars).
189 lines
6.5 KiB
Go
189 lines
6.5 KiB
Go
// Package ratelimit provides shared rate-limit primitives used by
|
|
// authenticated-but-shared-credential code paths (SCEP/Intune
|
|
// per-device challenge enrollment, EST per-principal CSR enrollment,
|
|
// EST HTTP-Basic source-IP failed-auth limiter) where the threat
|
|
// model is "single legitimate identity could mint enrollments
|
|
// faster than any human/fleet workflow would."
|
|
//
|
|
// Origin: this package was extracted from
|
|
// internal/scep/intune/rate_limit.go in the EST RFC 7030 hardening
|
|
// master bundle Phase 4.1 — EST is the third caller after the
|
|
// Intune dispatcher (per-device-GUID cap on enrollment) and the EST
|
|
// per-principal cap (Phase 4.2). The original Intune-package type +
|
|
// constructor + ErrRateLimited sentinel are preserved as type
|
|
// aliases at internal/scep/intune/rate_limit.go so existing call
|
|
// sites compile unchanged. New callers SHOULD use this package
|
|
// directly.
|
|
//
|
|
// Algorithm: sliding window log. Each key maps to a bucket holding
|
|
// timestamps within the configured window. On Allow, the bucket
|
|
// prunes timestamps older than (now - window) and either appends +
|
|
// returns nil, or rejects + returns ErrRateLimited when the
|
|
// post-prune count is already at the cap. Exact (no token-leak
|
|
// rounding); O(N_per_key) per-call but N is bounded by the cap, so
|
|
// effectively O(1).
|
|
//
|
|
// Concurrency: safe for concurrent Allow calls. Internal map guarded
|
|
// by sync.Mutex; per-key slices mutated only while the mutex is
|
|
// held.
|
|
//
|
|
// Memory: bounded by the per-instance map cap (default 100,000 keys;
|
|
// configurable). At-cap eviction drops the oldest entry by newest
|
|
// timestamp — small janitor pass; rarely fires in practice because
|
|
// the prune-on-Allow path keeps most buckets short-lived.
|
|
package ratelimit
|
|
|
|
import (
|
|
"errors"
|
|
"sync"
|
|
"time"
|
|
)
|
|
|
|
// ErrRateLimited is returned by SlidingWindowLimiter.Allow when the
|
|
// bucket for the given key is already at the cap. Callers can
|
|
// errors.Is against this sentinel; the underlying message is stable
|
|
// across the package's lifetime so test assertions can match on it.
|
|
var ErrRateLimited = errors.New("ratelimit: per-key cap exceeded for the configured window")
|
|
|
|
// SlidingWindowLimiter is the sliding-window-log rate limiter.
|
|
//
|
|
// Construct via NewSlidingWindowLimiter. The zero value is NOT
|
|
// usable — the buckets map needs initialisation.
|
|
type SlidingWindowLimiter struct {
|
|
mu sync.Mutex
|
|
buckets map[string][]time.Time // key → sliding window of timestamps
|
|
maxN int // max enrollments per window
|
|
window time.Duration // window length (default 24h)
|
|
cap int // max keys before LRU eviction kicks in
|
|
disabled bool // maxN <= 0 → all Allow calls return nil
|
|
}
|
|
|
|
// NewSlidingWindowLimiter returns a limiter with the given per-key
|
|
// cap + window. maxN <= 0 disables the limiter (all Allow calls
|
|
// return nil); this is operator opt-out for the rare case where the
|
|
// per-key cap is undesirable (test harnesses, sketchpad deploys).
|
|
//
|
|
// Window defaults to 24h when zero. Map cap defaults to 100,000 when
|
|
// zero (matches the SCEP/Intune replay cache cap).
|
|
func NewSlidingWindowLimiter(maxN int, window time.Duration, mapCap int) *SlidingWindowLimiter {
|
|
if window <= 0 {
|
|
window = 24 * time.Hour
|
|
}
|
|
if mapCap <= 0 {
|
|
mapCap = 100_000
|
|
}
|
|
return &SlidingWindowLimiter{
|
|
buckets: make(map[string][]time.Time),
|
|
maxN: maxN,
|
|
window: window,
|
|
cap: mapCap,
|
|
disabled: maxN <= 0,
|
|
}
|
|
}
|
|
|
|
// Allow reports whether an event keyed by `key` is permitted right
|
|
// now. Returns nil when allowed (and records the timestamp in the
|
|
// bucket) or ErrRateLimited when the bucket is at maxN.
|
|
//
|
|
// Empty key is treated as "skip the limiter" — the caller's
|
|
// validation should have rejected an empty-key event already; this
|
|
// is belt-and-suspenders so a single empty-key bucket doesn't
|
|
// become a chokepoint for every empty-key event. SCEP/Intune
|
|
// callers compose the key as `subject + "|" + issuer`; EST callers
|
|
// compose `cn + "|" + sourceIP` or `sourceIP`-alone for the
|
|
// failed-auth limiter.
|
|
func (l *SlidingWindowLimiter) Allow(key string, now time.Time) error {
|
|
if l.disabled {
|
|
return nil
|
|
}
|
|
if key == "" {
|
|
return nil
|
|
}
|
|
|
|
l.mu.Lock()
|
|
defer l.mu.Unlock()
|
|
|
|
// At-cap eviction: when the map is full, drop the oldest entry
|
|
// by finding the bucket whose newest timestamp is the smallest.
|
|
// O(N_keys) but rarely fires; the prune-on-Allow path keeps
|
|
// most buckets short-lived.
|
|
if len(l.buckets) >= l.cap {
|
|
l.evictOldestLocked()
|
|
}
|
|
|
|
bucket := l.buckets[key]
|
|
bucket = pruneOlderThan(bucket, now.Add(-l.window))
|
|
|
|
if len(bucket) >= l.maxN {
|
|
// Don't append; over the limit. Persist the pruned bucket so
|
|
// the next call sees the most-recently-pruned state.
|
|
l.buckets[key] = bucket
|
|
return ErrRateLimited
|
|
}
|
|
|
|
bucket = append(bucket, now)
|
|
l.buckets[key] = bucket
|
|
return nil
|
|
}
|
|
|
|
// pruneOlderThan returns the slice with all entries strictly before
|
|
// `cutoff` removed. Preserves order (timestamps are appended in
|
|
// increasing time, so a single linear scan from the front suffices).
|
|
func pruneOlderThan(b []time.Time, cutoff time.Time) []time.Time {
|
|
i := 0
|
|
for i < len(b) && b[i].Before(cutoff) {
|
|
i++
|
|
}
|
|
if i == 0 {
|
|
return b
|
|
}
|
|
// Copy-shrink to release the underlying-array memory eventually
|
|
// (otherwise the slice would hold a reference to the older
|
|
// entries indefinitely until a re-allocation).
|
|
out := make([]time.Time, len(b)-i)
|
|
copy(out, b[i:])
|
|
return out
|
|
}
|
|
|
|
// evictOldestLocked drops the map entry whose newest timestamp is
|
|
// the oldest. Called under l.mu. O(N_keys) per eviction; at-cap is
|
|
// rare in practice (caps are sized for steady-state).
|
|
func (l *SlidingWindowLimiter) evictOldestLocked() {
|
|
var (
|
|
oldestKey string
|
|
oldestTs time.Time
|
|
first = true
|
|
)
|
|
for k, b := range l.buckets {
|
|
if len(b) == 0 {
|
|
// Empty bucket — drop it immediately, no candidate scan needed.
|
|
delete(l.buckets, k)
|
|
return
|
|
}
|
|
newest := b[len(b)-1]
|
|
if first || newest.Before(oldestTs) {
|
|
oldestKey = k
|
|
oldestTs = newest
|
|
first = false
|
|
}
|
|
}
|
|
if oldestKey != "" {
|
|
delete(l.buckets, oldestKey)
|
|
}
|
|
}
|
|
|
|
// Len returns the approximate number of distinct keys currently
|
|
// tracked. For observability + tests; not load-stable under
|
|
// concurrent Allow calls.
|
|
func (l *SlidingWindowLimiter) Len() int {
|
|
l.mu.Lock()
|
|
defer l.mu.Unlock()
|
|
return len(l.buckets)
|
|
}
|
|
|
|
// Disabled reports whether the limiter is in opt-out mode (maxN <= 0).
|
|
// Useful for handler-side gating + admin-endpoint observability.
|
|
func (l *SlidingWindowLimiter) Disabled() bool {
|
|
return l.disabled
|
|
}
|