Harden deployment and fix PEN-01

- Fix Bearer token extraction to validate prefix (PEN-01) - Add TestExtractBearerFromRequest covering PEN-01 edge cases - Fix flaky TestRenewToken timing (2s → 4s lifetime) - Move default config/install paths to /srv/mcias - Add RUNBOOK.md for operational procedures - Update AUDIT.md with penetration test round 4 Security: extractBearerFromRequest now uses case-insensitive prefix validation instead of fixed-offset slicing, rejecting non-Bearer Authorization schemes that were previously accepted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 22:33:24 -07:00
parent 2a85d4bf2b
commit 1121b7d4fd
14 changed files with 774 additions and 117 deletions
--- a/internal/server/server_test.go
+++ b/internal/server/server_test.go
@@ -620,8 +620,9 @@ func TestRenewToken(t *testing.T) {
 	acct := createTestHumanAccount(t, srv, "renew-user")
 	handler := srv.Handler()

-	// Issue a short-lived token (2s) so we can wait past the 50% threshold.
-	oldTokenStr, claims, err := token.IssueToken(priv, testIssuer, acct.UUID, nil, 2*time.Second)
+	// Issue a short-lived token (4s) so we can wait past the 50% threshold
+	// while leaving enough headroom before expiry to avoid flakiness.
+	oldTokenStr, claims, err := token.IssueToken(priv, testIssuer, acct.UUID, nil, 4*time.Second)
 	if err != nil {
 		t.Fatalf("IssueToken: %v", err)
 	}
@@ -630,8 +631,8 @@ func TestRenewToken(t *testing.T) {
 		t.Fatalf("TrackToken: %v", err)
 	}

-	// Wait for >50% of the 2s lifetime to elapse.
-	time.Sleep(1100 * time.Millisecond)
+	// Wait for >50% of the 4s lifetime to elapse.
+	time.Sleep(2100 * time.Millisecond)

 	rr := doRequest(t, handler, "POST", "/v1/auth/renew", nil, oldTokenStr)
 	if rr.Code != http.StatusOK {
@@ -793,6 +794,46 @@ func TestLoginLockedAccountReturns401(t *testing.T) {

 // TestRenewTokenTooEarly verifies that a token cannot be renewed before 50%
 // of its lifetime has elapsed (SEC-03).
+// TestExtractBearerFromRequest verifies that extractBearerFromRequest correctly
+// validates the "Bearer" prefix before extracting the token string.
+// Security (PEN-01): the previous implementation sliced at a fixed offset
+// without checking the prefix, accepting any 8+ character Authorization value.
+func TestExtractBearerFromRequest(t *testing.T) {
+	tests := []struct {
+		name    string
+		header  string
+		want    string
+		wantErr bool
+	}{
+		{"valid", "Bearer mytoken123", "mytoken123", false},
+		{"missing header", "", "", true},
+		{"no bearer prefix", "Token mytoken123", "", true},
+		{"basic auth scheme", "Basic dXNlcjpwYXNz", "", true},
+		{"empty token", "Bearer ", "", true},
+		{"bearer only no space", "Bearer", "", true},
+		{"case insensitive", "bearer mytoken123", "mytoken123", false},
+		{"mixed case", "BEARER mytoken123", "mytoken123", false},
+		{"garbage 8 chars", "XXXXXXXX", "", true},
+		{"token with spaces", "Bearer token with spaces", "token with spaces", false},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, "/", nil)
+			if tc.header != "" {
+				req.Header.Set("Authorization", tc.header)
+			}
+			got, err := extractBearerFromRequest(req)
+			if (err != nil) != tc.wantErr {
+				t.Errorf("wantErr=%v, got err=%v", tc.wantErr, err)
+			}
+			if !tc.wantErr && got != tc.want {
+				t.Errorf("token = %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
 func TestRenewTokenTooEarly(t *testing.T) {
 	srv, _, priv, _ := newTestServer(t)
 	acct := createTestHumanAccount(t, srv, "renew-early-user")