kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ec7c966ad213cd3ae80567049e1cb863f5af0bfa
mcias/internal/config/config.go
Kyle Isom ec7c966ad2 trusted proxy, TOTP replay protection, new tests 
- Trusted proxy config option for proxy-aware IP extraction
  used by rate limiting and audit logs; validates proxy IP
  before trusting X-Forwarded-For / X-Real-IP headers
- TOTP replay protection via counter-based validation to
  reject reused codes within the same time step (±30s)
- RateLimit middleware updated to extract client IP from
  proxy headers without IP spoofing risk
- New tests for ClientIP proxy logic (spoofed headers,
  fallback) and extended rate-limit proxy coverage
- HTMX error banner script integrated into web UI base
- .gitignore updated for mciasdb build artifact

Security: resolves CRIT-01 (TOTP replay attack) and
DEF-03 (proxy-unaware rate limiting); gRPC TOTP
enrollment aligned with REST via StorePendingTOTP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 17:44:01 -07:00

236 lines
8.4 KiB
Go
Raw Blame History

// Package config handles loading and validating the MCIAS server configuration.
// Sensitive values (master key passphrase) are never stored in this struct
// after initial loading — they are read once and discarded.
package config
import (
"errors"
"fmt"
"net"
"os"
"time"
"github.com/pelletier/go-toml/v2"
)
// Config is the top-level configuration structure parsed from the TOML file.
type Config struct {
Server ServerConfig `toml:"server"`
MasterKey MasterKeyConfig `toml:"master_key"`
Database DatabaseConfig `toml:"database"`
Tokens TokensConfig `toml:"tokens"`
Argon2 Argon2Config `toml:"argon2"`
}
// ServerConfig holds HTTP listener and TLS settings.
type ServerConfig struct {
// ListenAddr is the HTTPS listen address (required).
ListenAddr string `toml:"listen_addr"`
// GRPCAddr is the gRPC listen address (optional; omit to disable gRPC).
// The gRPC listener uses the same TLS certificate and key as the REST listener.
GRPCAddr string `toml:"grpc_addr"`
TLSCert string `toml:"tls_cert"`
TLSKey string `toml:"tls_key"`
// TrustedProxy is the IP address (not a range) of a reverse proxy that
// sits in front of the server and sets X-Forwarded-For or X-Real-IP
// headers. When set, the rate limiter and audit log extract the real
// client IP from these headers instead of r.RemoteAddr.
//
// Security: only requests whose r.RemoteAddr matches TrustedProxy are
// trusted to carry a valid forwarded-IP header. All other requests use
// r.RemoteAddr directly, so this field cannot be exploited for IP
// spoofing by external clients. Omit or leave empty when running
// without a reverse proxy.
TrustedProxy string `toml:"trusted_proxy"`
}
// DatabaseConfig holds SQLite database settings.
type DatabaseConfig struct {
Path string `toml:"path"`
}
// TokensConfig holds JWT issuance settings.
type TokensConfig struct {
Issuer string `toml:"issuer"`
DefaultExpiry duration `toml:"default_expiry"`
AdminExpiry duration `toml:"admin_expiry"`
ServiceExpiry duration `toml:"service_expiry"`
}
// Argon2Config holds Argon2id password hashing parameters.
// Security: OWASP 2023 minimums are time=2, memory=65536 KiB.
// We enforce these minimums to prevent accidental weakening.
type Argon2Config struct {
Time uint32 `toml:"time"`
Memory uint32 `toml:"memory"` // KiB
Threads uint8 `toml:"threads"`
}
// MasterKeyConfig specifies how to obtain the AES-256-GCM master key used to
// encrypt stored secrets (TOTP, Postgres passwords, signing key).
// Exactly one of PassphraseEnv or KeyFile must be set.
type MasterKeyConfig struct {
PassphraseEnv string `toml:"passphrase_env"`
KeyFile string `toml:"keyfile"`
}
// duration is a wrapper around time.Duration that supports TOML string parsing
// (e.g. "720h", "8h").
type duration struct {
time.Duration
}
func (d *duration) UnmarshalText(text []byte) error {
var err error
d.Duration, err = time.ParseDuration(string(text))
if err != nil {
return fmt.Errorf("invalid duration %q: %w", string(text), err)
}
return nil
}
// NewTestConfig returns a minimal valid Config for use in tests.
// It does not read a file; callers can override fields as needed.
func NewTestConfig(issuer string) *Config {
return &Config{
Server: ServerConfig{
ListenAddr: "127.0.0.1:0",
TLSCert: "/dev/null",
TLSKey: "/dev/null",
},
Database: DatabaseConfig{Path: ":memory:"},
Tokens: TokensConfig{
Issuer: issuer,
DefaultExpiry: duration{24 * time.Hour},
AdminExpiry: duration{8 * time.Hour},
ServiceExpiry: duration{8760 * time.Hour},
},
Argon2: Argon2Config{
Time: 3,
Memory: 65536,
Threads: 4,
},
MasterKey: MasterKeyConfig{
PassphraseEnv: "MCIAS_MASTER_PASSPHRASE", //nolint:gosec // G101: env var name, not a credential value
},
}
}
// Load reads and validates a TOML config file from path.
func Load(path string) (*Config, error) {
data, err := os.ReadFile(path) //nolint:gosec // G304: path comes from the operator-supplied --config flag, not user input
if err != nil {
return nil, fmt.Errorf("config: read file: %w", err)
}
var cfg Config
if err := toml.Unmarshal(data, &cfg); err != nil {
return nil, fmt.Errorf("config: parse TOML: %w", err)
}
if err := cfg.validate(); err != nil {
return nil, fmt.Errorf("config: invalid: %w", err)
}
return &cfg, nil
}
// validate checks that all required fields are present and values are safe.
func (c *Config) validate() error {
var errs []error
// Server
if c.Server.ListenAddr == "" {
errs = append(errs, errors.New("server.listen_addr is required"))
}
if c.Server.TLSCert == "" {
errs = append(errs, errors.New("server.tls_cert is required"))
}
if c.Server.TLSKey == "" {
errs = append(errs, errors.New("server.tls_key is required"))
}
// Security (DEF-03): if trusted_proxy is set it must be a valid IP address
// (not a hostname or CIDR) so the middleware can compare it to the parsed
// host part of r.RemoteAddr using a reliable byte-level equality check.
if c.Server.TrustedProxy != "" {
if net.ParseIP(c.Server.TrustedProxy) == nil {
errs = append(errs, fmt.Errorf("server.trusted_proxy %q is not a valid IP address", c.Server.TrustedProxy))
}
}
// Database
if c.Database.Path == "" {
errs = append(errs, errors.New("database.path is required"))
}
// Tokens
if c.Tokens.Issuer == "" {
errs = append(errs, errors.New("tokens.issuer is required"))
}
// Security (DEF-05): enforce both lower and upper bounds on token expiry
// durations. An operator misconfiguration could otherwise produce tokens
// valid for centuries, which would be irrevocable (bar explicit JTI
// revocation) if a token were stolen. Upper bounds are intentionally
// generous to accommodate a range of legitimate deployments while
// catching obvious typos (e.g. "876000h" instead of "8760h").
const (
maxDefaultExpiry = 30 * 24 * time.Hour // 30 days
maxAdminExpiry = 24 * time.Hour // 24 hours
maxServiceExpiry = 5 * 365 * 24 * time.Hour // 5 years
)
if c.Tokens.DefaultExpiry.Duration <= 0 {
errs = append(errs, errors.New("tokens.default_expiry must be positive"))
} else if c.Tokens.DefaultExpiry.Duration > maxDefaultExpiry {
errs = append(errs, fmt.Errorf("tokens.default_expiry must be <= %s (got %s)", maxDefaultExpiry, c.Tokens.DefaultExpiry.Duration))
}
if c.Tokens.AdminExpiry.Duration <= 0 {
errs = append(errs, errors.New("tokens.admin_expiry must be positive"))
} else if c.Tokens.AdminExpiry.Duration > maxAdminExpiry {
errs = append(errs, fmt.Errorf("tokens.admin_expiry must be <= %s (got %s)", maxAdminExpiry, c.Tokens.AdminExpiry.Duration))
}
if c.Tokens.ServiceExpiry.Duration <= 0 {
errs = append(errs, errors.New("tokens.service_expiry must be positive"))
} else if c.Tokens.ServiceExpiry.Duration > maxServiceExpiry {
errs = append(errs, fmt.Errorf("tokens.service_expiry must be <= %s (got %s)", maxServiceExpiry, c.Tokens.ServiceExpiry.Duration))
}
// Argon2 — enforce OWASP 2023 minimums (time=2, memory=65536 KiB).
// Security: reducing these parameters weakens resistance to brute-force
// attacks. Rejection here prevents accidental misconfiguration.
const (
minArgon2Time = 2
minArgon2Memory = 65536 // 64 MiB in KiB
minArgon2Thread = 1
)
if c.Argon2.Time < minArgon2Time {
errs = append(errs, fmt.Errorf("argon2.time must be >= %d (OWASP minimum)", minArgon2Time))
}
if c.Argon2.Memory < minArgon2Memory {
errs = append(errs, fmt.Errorf("argon2.memory must be >= %d KiB (OWASP minimum)", minArgon2Memory))
}
if c.Argon2.Threads < minArgon2Thread {
errs = append(errs, errors.New("argon2.threads must be >= 1"))
}
// Master key — exactly one source must be configured.
hasPassEnv := c.MasterKey.PassphraseEnv != ""
hasKeyFile := c.MasterKey.KeyFile != ""
if !hasPassEnv && !hasKeyFile {
errs = append(errs, errors.New("master_key: one of passphrase_env or keyfile must be set"))
}
if hasPassEnv && hasKeyFile {
errs = append(errs, errors.New("master_key: only one of passphrase_env or keyfile may be set"))
}
return errors.Join(errs...)
}
// DefaultExpiry returns the configured default token expiry duration.
func (c *Config) DefaultExpiry() time.Duration { return c.Tokens.DefaultExpiry.Duration }
// AdminExpiry returns the configured admin token expiry duration.
func (c *Config) AdminExpiry() time.Duration { return c.Tokens.AdminExpiry.Duration }
// ServiceExpiry returns the configured service token expiry duration.
func (c *Config) ServiceExpiry() time.Duration { return c.Tokens.ServiceExpiry.Duration }
Reference in New Issue View Git Blame Copy Permalink