mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 17:22:07 +00:00
shankar0123
9c679a5960
pre-login store, OpenID Connect Back-Channel Logout 1.0, cookieAuth
scheme, 7 new auth permissions, CI guard, handler tests
Phase 5 of the bundle puts the Phase 3 OIDC service + Phase 4 session
service on the wire. 13 HTTP endpoints split into three logical groups:
Public OIDC handshake (auth-exempt; protocol-mediated):
GET /auth/oidc/login?provider=<id> -> 302 to IdP authorization URL
+ sets certctl_oidc_pending cookie
(10-min TTL, Path=/auth/oidc/,
SameSite=Lax)
GET /auth/oidc/callback?code=...&state=... -> consume pre-login row,
run Phase 3's 11-step token
validation, mint post-login
session, 302 to dashboard
POST /auth/oidc/back-channel-logout -> OpenID Connect BCL 1.0 — IdP
POSTs logout_token JWT; certctl
validates signature against IdP
JWKS via Phase 3 alg allow-list,
required claims (iss/aud/iat/jti/
events; exactly one of sub/sid;
nonce ABSENT per spec §2.4),
revokes matching sessions,
returns 200 with
Cache-Control: no-store
POST /auth/logout -> revoke caller's session
Session management (RBAC-gated auth.session.*):
GET /api/v1/auth/sessions -> auth.session.list (own / all)
DELETE /api/v1/auth/sessions/{id} -> auth.session.revoke (own bypass)
OIDC provider + group-mapping CRUD (RBAC-gated auth.oidc.*):
GET /api/v1/auth/oidc/providers -> auth.oidc.list
POST /api/v1/auth/oidc/providers -> auth.oidc.create
(client_secret encrypted
at rest via
internal/crypto.EncryptIfKeySet)
PUT /api/v1/auth/oidc/providers/{id} -> auth.oidc.edit
DELETE /api/v1/auth/oidc/providers/{id} -> auth.oidc.delete
(refused via
ErrOIDCProviderInUse → 409
when users authenticated
via this provider)
POST /api/v1/auth/oidc/providers/{id}/refresh -> auth.oidc.edit
(re-runs IdP downgrade
defense via
OIDCService.RefreshKeys)
GET /api/v1/auth/oidc/group-mappings -> auth.oidc.list
POST /api/v1/auth/oidc/group-mappings -> auth.oidc.edit
DELETE /api/v1/auth/oidc/group-mappings/{id} -> auth.oidc.edit
Migration 000037 ships:
- oidc_pre_login_sessions table (10-min absolute TTL, FK CASCADE on
oidc_provider_id, FK RESTRICT on signing_key_id; index on
absolute_expires_at for the GC sweep);
- 7 new permissions seeded into r-admin only:
auth.session.list, auth.session.list.all, auth.session.revoke,
auth.oidc.list, auth.oidc.create, auth.oidc.edit, auth.oidc.delete
CanonicalPermissions extended in lockstep at internal/domain/auth/
validate.go.
Pre-login machinery:
- internal/repository/oidc.go gains PreLoginRepository interface +
PreLoginSession struct + ErrPreLoginNotFound / ErrPreLoginExpired
sentinels.
- internal/repository/postgres/oidc_prelogin.go ships the impl;
LookupAndConsume uses DELETE ... RETURNING for atomic single-use.
- internal/auth/oidc/prelogin.go is the PreLoginAdapter that bridges
the OIDC service's Phase 3 PreLoginStore interface to the new
repository, signing the cookie value under the active
SessionSigningKey via the same v1.<id>.<key>.<HMAC> wire format
Phase 4 uses for post-login cookies. Defense-in-depth: the
pre-login `pl-` prefix is enforced by ParseCookieValue(prefix);
a stolen pre-login cookie cannot be replayed against the
post-login Validate path (pinned by
TestService_Validate_RejectsPreLoginCookieAtPostLoginGate).
Session package extension:
- internal/auth/session/service.go gains exported SignCookieValue,
ParseCookieValue (with caller-supplied id-1 prefix), ComputeCookieHMAC,
DecryptKeyMaterial wrappers so the OIDC pre-login adapter shares
the same length-prefixed HMAC math without code duplication.
- parseCookie no longer hardcodes the `ses-` prefix check (moved to
Validate as defense-in-depth; pre-login cookie verification uses
the `pl-` prefix via ParseCookieValue).
Cookie attributes (all Phase 5 endpoints honor CERTCTL_SESSION_SAMESITE
+ Secure=true via SessionCookieAttrs from Phase 4 config):
- certctl_oidc_pending: Path=/auth/oidc/, MaxAge=600s, SameSite=Lax
(cannot be Strict because the IdP-initiated callback is a top-level
navigation from a different origin).
- certctl_session: Path=/, Expires=8h, SameSite=Lax|Strict, HttpOnly.
- certctl_csrf: Path=/, Expires=8h, HttpOnly=false (intentional —
GUI must read it to echo into X-CSRF-Token header).
Audit logging on every mutating operation (event_category="auth"):
auth.oidc_login_succeeded / failed / unmapped_groups
auth.oidc_back_channel_logout / failed
auth.session_revoked
auth.oidc_provider_{created,updated,deleted,refreshed}
auth.group_mapping_{added,removed}
OpenAPI updates:
- cookieAuth security scheme added to api/openapi.yaml under
components.securitySchemes (apiKey / cookie / certctl_session).
- The 13 Phase 5 routes are added to SpecParityExceptions with a
deferral note: full per-endpoint OpenAPI rows land in a follow-on
commit alongside the GUI work (Phase 8) so the ergonomic shape can
be validated against the live GUI client.
CI guard: scripts/ci-guards/N-bundle-2-security-empty-preserved.sh
asserts api/openapi.yaml has ≥ 14 'security: []' occurrences (the
pre-Bundle-2 baseline). Reducing the count below 14 would silently
force a Bearer-or-cookie requirement onto an endpoint that legitimately
runs without certctl-issued credentials; the guard fires before that
regression lands.
Handler tests (internal/api/handler/auth_session_oidc_test.go):
- All 6 prompt-mandated negative cases:
BCL with missing events claim -> 400
BCL with nonce present -> 400 (per spec §2.4)
BCL with sig signed by an unknown key -> 400
Callback with replayed state -> 400
Callback with PKCE verifier mismatch -> 400
Callback with expired pre-login row -> 400
- Plus happy paths for every endpoint, edge cases (missing-cookie,
duplicate-name, in-use-409, wrong-tenant), and the Helper-function
coverage (peekIssuer, classifyOIDCFailure, defaultIfBlank,
defaultIntIfZero, clientIPFromRequest, encryptClientSecret).
Coverage on internal/api/handler/auth_session_oidc.go: 80.9% per-function
(above the Phase 5 spec's ≥ 80% floor).
Server wiring (cmd/server/main.go):
Wired AFTER sessionService (Phase 4) so the OIDC PreLoginAdapter can
sign pre-login cookies under the active SessionSigningKey:
oidcProviderRepo + oidcMappingRepo + oidcUserRepo + oidcPreLoginRepo
-> preLoginAdapter -> oidcService -> authSessionOIDCHandler.
sessionMinterAdapter shim bridges *session.Service.Create to the
oidcsvc.SessionMinter port the OIDC service consumes.
Router wiring (internal/api/router/router.go):
4 public OIDC routes via direct r.mux.Handle (auth-exempt; pinned in
AuthExemptRouterRoutes); 9 RBAC-gated routes via r.Register +
rbacGate(checker, perm, h). Routes only register when
reg.AuthSessionOIDC != nil so pre-Phase-5 builds skip the block
entirely.
Verifications: gofmt clean, go vet clean across all touched packages,
go test -short -count=1 green across internal/api/handler (74 tests +
new Phase 5 batch), internal/api/router (parity + auth-exempt
allowlist), internal/auth/oidc + session (no regressions), full domain
+ scheduler + config sweeps green, ci-guard
N-bundle-2-security-empty-preserved.sh green (17 ≥ 14 baseline).
159 lines
7.0 KiB
Go
159 lines
7.0 KiB
Go
package repository
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"time"
|
|
|
|
oidcdomain "github.com/certctl-io/certctl/internal/auth/oidc/domain"
|
|
)
|
|
|
|
// Sentinel errors for the OIDC repositories. Postgres implementations
|
|
// translate SQLSTATE codes into these so handler / service code can
|
|
// branch via errors.Is.
|
|
var (
|
|
// ErrOIDCProviderNotFound: Get / GetByName returned no row. HTTP 404.
|
|
ErrOIDCProviderNotFound = errors.New("oidc: provider not found")
|
|
|
|
// ErrOIDCProviderDuplicateName: Create tripped the (tenant_id, name)
|
|
// UNIQUE constraint. HTTP 409.
|
|
ErrOIDCProviderDuplicateName = errors.New("oidc: provider with this name already exists in tenant")
|
|
|
|
// ErrOIDCProviderInUse: Delete failed because at least one users row
|
|
// references the provider via oidc_provider_id (FK ON DELETE
|
|
// RESTRICT). HTTP 409.
|
|
ErrOIDCProviderInUse = errors.New("oidc: provider has authenticated users; revoke all sessions before delete")
|
|
|
|
// ErrGroupRoleMappingNotFound: Get returned no row. HTTP 404.
|
|
ErrGroupRoleMappingNotFound = errors.New("oidc: group-role mapping not found")
|
|
|
|
// ErrGroupRoleMappingDuplicate: Add tripped the
|
|
// (provider_id, group_name, role_id) UNIQUE constraint. HTTP 409.
|
|
ErrGroupRoleMappingDuplicate = errors.New("oidc: group-role mapping already exists")
|
|
)
|
|
|
|
// OIDCProviderRepository wraps the oidc_providers table. Phase 3's
|
|
// OIDCService consumes List + Get to look up the IdP for token
|
|
// validation; the GUI / CLI wire Create / Update / Delete behind
|
|
// auth.oidc.* permission gates per Phase 5.
|
|
type OIDCProviderRepository interface {
|
|
// List returns every configured provider in the tenant. Order:
|
|
// created_at ASC for stable GUI rendering.
|
|
List(ctx context.Context, tenantID string) ([]*oidcdomain.OIDCProvider, error)
|
|
|
|
// Get returns one provider by id. ErrOIDCProviderNotFound on miss.
|
|
Get(ctx context.Context, id string) (*oidcdomain.OIDCProvider, error)
|
|
|
|
// GetByName returns one provider by (tenant_id, name).
|
|
// ErrOIDCProviderNotFound on miss.
|
|
GetByName(ctx context.Context, tenantID, name string) (*oidcdomain.OIDCProvider, error)
|
|
|
|
// Create persists a new provider. Caller MUST have already called
|
|
// p.Validate() and encrypted the client_secret_encrypted byte
|
|
// stream via internal/crypto/encryption.go. Returns
|
|
// ErrOIDCProviderDuplicateName when the (tenant_id, name) UNIQUE
|
|
// constraint fires.
|
|
Create(ctx context.Context, p *oidcdomain.OIDCProvider) error
|
|
|
|
// Update writes the full mutable field set back to the row.
|
|
// Immutable fields (id, tenant_id, created_at) are read-only;
|
|
// updated_at is set to NOW() by the implementation.
|
|
Update(ctx context.Context, p *oidcdomain.OIDCProvider) error
|
|
|
|
// Delete removes a provider by id. Returns ErrOIDCProviderInUse
|
|
// when at least one users row references this provider (FK ON
|
|
// DELETE RESTRICT). Phase 5's handler maps to HTTP 409.
|
|
Delete(ctx context.Context, id string) error
|
|
}
|
|
|
|
// GroupRoleMappingRepository wraps the group_role_mappings table.
|
|
// Phase 3's OIDCService.HandleCallback uses Map() to translate IdP
|
|
// group claims into role IDs; the GUI / CLI wire ListByProvider /
|
|
// Add / Remove for operator configuration.
|
|
type GroupRoleMappingRepository interface {
|
|
// ListByProvider returns every mapping for the named provider.
|
|
// Order: group_name ASC for stable GUI rendering.
|
|
ListByProvider(ctx context.Context, providerID string) ([]*oidcdomain.GroupRoleMapping, error)
|
|
|
|
// Get returns one mapping by id. ErrGroupRoleMappingNotFound on miss.
|
|
Get(ctx context.Context, id string) (*oidcdomain.GroupRoleMapping, error)
|
|
|
|
// Add persists a new mapping. Caller MUST have called m.Validate().
|
|
// Returns ErrGroupRoleMappingDuplicate when the
|
|
// (provider_id, group_name, role_id) UNIQUE constraint fires.
|
|
Add(ctx context.Context, m *oidcdomain.GroupRoleMapping) error
|
|
|
|
// Remove deletes a mapping by id.
|
|
Remove(ctx context.Context, id string) error
|
|
|
|
// Map resolves an IdP-supplied list of group names against the
|
|
// provider's mappings. Returns the deduplicated set of role IDs
|
|
// the user should hold. Empty result means the user matches no
|
|
// mapping (Phase 3 fail-closed: no session minted, audit row
|
|
// `auth.oidc_login_unmapped_groups`).
|
|
Map(ctx context.Context, providerID string, groupNames []string) ([]string, error)
|
|
}
|
|
|
|
// =============================================================================
|
|
// PreLoginRepository — Bundle 2 Phase 5.
|
|
//
|
|
// Holds short-lived rows that carry OIDC state + nonce + PKCE verifier
|
|
// across the IdP redirect. Distinct from the sessions table because
|
|
// sessions doesn't carry OIDC-specific columns. 10-minute absolute TTL
|
|
// at the schema layer (oidc_pre_login_sessions.absolute_expires_at);
|
|
// the GC sweep deletes expired rows.
|
|
//
|
|
// Cookie wire format `v1.<pl-id>.<sk-id>.<HMAC-SHA256>` matches the
|
|
// post-login session cookie format exactly; signing-key id is the
|
|
// active SessionSigningKey at handshake time.
|
|
// =============================================================================
|
|
|
|
// PreLoginSession is the row shape for oidc_pre_login_sessions. Held
|
|
// here (not in oidc/domain) because it's a Phase-5 storage primitive,
|
|
// not a domain concept the wider service layer reasons about.
|
|
type PreLoginSession struct {
|
|
ID string // prefix `pl-`
|
|
TenantID string
|
|
SigningKeyID string // FK to session_signing_keys.id
|
|
OIDCProviderID string // FK to oidc_providers.id
|
|
State string
|
|
Nonce string
|
|
PKCEVerifier string
|
|
CreatedAt time.Time
|
|
AbsoluteExpiresAt time.Time
|
|
}
|
|
|
|
// Sentinel errors for PreLoginRepository.
|
|
var (
|
|
// ErrPreLoginNotFound: LookupAndConsume found no row with the
|
|
// supplied id. The handler maps to HTTP 400 (replay or forgery).
|
|
ErrPreLoginNotFound = errors.New("oidc: pre-login session not found or already consumed")
|
|
|
|
// ErrPreLoginExpired: the row was found but absolute_expires_at is
|
|
// in the past. The handler maps to HTTP 400. The row is also
|
|
// deleted (the consume side of LookupAndConsume).
|
|
ErrPreLoginExpired = errors.New("oidc: pre-login session expired (10-minute TTL exceeded)")
|
|
)
|
|
|
|
// PreLoginRepository wraps the oidc_pre_login_sessions table.
|
|
type PreLoginRepository interface {
|
|
// Create persists a new pre-login row. Caller MUST have already
|
|
// generated the random id, state, nonce, and PKCE verifier;
|
|
// CreatedAt + AbsoluteExpiresAt default to NOW() and NOW()+10min
|
|
// at the schema layer when zero.
|
|
Create(ctx context.Context, p *PreLoginSession) error
|
|
|
|
// LookupAndConsume reads the row by id AND deletes it atomically
|
|
// (single-use). Returns ErrPreLoginNotFound if no row matches OR
|
|
// if the row was already consumed by a concurrent caller.
|
|
// Returns ErrPreLoginExpired if the row was found but expired
|
|
// (the row is still deleted in this case so retries don't
|
|
// re-trigger the expiry check).
|
|
LookupAndConsume(ctx context.Context, id string) (*PreLoginSession, error)
|
|
|
|
// GarbageCollectExpired deletes pre-login rows whose
|
|
// absolute_expires_at is in the past. Returns the count deleted.
|
|
// Wired into the same scheduler sweep as expired post-login sessions.
|
|
GarbageCollectExpired(ctx context.Context) (int, error)
|
|
}
|