Add vault seal/unseal lifecycle

- New internal/vault package: thread-safe Vault struct with seal/unseal state, key material zeroing, and key derivation - REST: POST /v1/vault/unseal, POST /v1/vault/seal, GET /v1/vault/status; health returns sealed status - UI: /unseal page with passphrase form, redirect when sealed - gRPC: sealedInterceptor rejects RPCs when sealed - Middleware: RequireUnsealed blocks all routes except exempt paths; RequireAuth reads pubkey from vault at request time - Startup: server starts sealed when passphrase unavailable - All servers share single *vault.Vault by pointer - CSRF manager derives key lazily from vault Security: Key material is zeroed on seal. Sealed middleware runs before auth. Handlers fail closed if vault becomes sealed mid-request. Unseal endpoint is rate-limited (3/s burst 5). No CSRF on unseal page (no session to protect; chicken-and-egg with master key). Passphrase never logged. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-14 23:55:37 -07:00
parent 5c242f8abb
commit d87b4b4042
28 changed files with 1292 additions and 119 deletions
--- a/internal/ui/handlers_vault.go
+++ b/internal/ui/handlers_vault.go
@@ -0,0 +1,81 @@
+// UI handlers for vault unseal page.
+package ui
+
+import (
+	"net/http"
+
+	"git.wntrmute.dev/kyle/mcias/internal/audit"
+	"git.wntrmute.dev/kyle/mcias/internal/middleware"
+	"git.wntrmute.dev/kyle/mcias/internal/model"
+	"git.wntrmute.dev/kyle/mcias/internal/vault"
+)
+
+// UnsealData is the view model for the unseal page.
+type UnsealData struct {
+	Error string
+}
+
+// handleUnsealPage renders the unseal form, or redirects to login if already unsealed.
+func (u *UIServer) handleUnsealPage(w http.ResponseWriter, r *http.Request) {
+	if !u.vault.IsSealed() {
+		http.Redirect(w, r, "/login", http.StatusFound)
+		return
+	}
+	u.render(w, "unseal", UnsealData{})
+}
+
+// handleUnsealPost processes the unseal form submission.
+//
+// Security: The passphrase is never logged. No CSRF protection is applied
+// because there is no session to protect (the vault is sealed), and CSRF
+// token generation depends on the master key (chicken-and-egg).
+func (u *UIServer) handleUnsealPost(w http.ResponseWriter, r *http.Request) {
+	if !u.vault.IsSealed() {
+		http.Redirect(w, r, "/login", http.StatusFound)
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
+	if err := r.ParseForm(); err != nil {
+		u.render(w, "unseal", UnsealData{Error: "invalid form data"})
+		return
+	}
+
+	passphrase := r.FormValue("passphrase")
+	if passphrase == "" {
+		u.render(w, "unseal", UnsealData{Error: "passphrase is required"})
+		return
+	}
+
+	// Derive master key from passphrase.
+	masterKey, err := vault.DeriveFromPassphrase(passphrase, u.db)
+	if err != nil {
+		u.logger.Error("vault unseal (UI): derive key", "error", err)
+		u.render(w, "unseal", UnsealData{Error: "unseal failed"})
+		return
+	}
+
+	// Decrypt the signing key.
+	privKey, pubKey, err := vault.DecryptSigningKey(u.db, masterKey)
+	if err != nil {
+		// Zero derived master key on failure.
+		for i := range masterKey {
+			masterKey[i] = 0
+		}
+		u.logger.Error("vault unseal (UI): decrypt signing key", "error", err)
+		u.render(w, "unseal", UnsealData{Error: "unseal failed"})
+		return
+	}
+
+	if err := u.vault.Unseal(masterKey, privKey, pubKey); err != nil {
+		u.logger.Error("vault unseal (UI): state transition", "error", err)
+		http.Redirect(w, r, "/login", http.StatusFound)
+		return
+	}
+
+	ip := middleware.ClientIP(r, nil)
+	u.writeAudit(r, model.EventVaultUnsealed, nil, nil, audit.JSON("source", "ui", "ip", ip))
+	u.logger.Info("vault unsealed via UI", "ip", ip)
+
+	http.Redirect(w, r, "/login", http.StatusFound)
+}