Add web UI for SSH CA, Transit, and User engines; full security audit and remediation
Web UI: Added browser-based management for all three remaining engines (SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files, 7 HTML templates, dashboard mount forms, and conditional navigation links. Fixed REST API routes to match design specs (SSH CA cert singular paths, Transit PATCH for update-key-config). Security audit: Conducted full-system audit covering crypto core, all engine implementations, API servers, policy engine, auth, deployment, and documentation. Identified 42 new findings (#39-#80) across all severity levels. Remediation of all 8 High findings: - #68: Replaced 14 JSON-injection-vulnerable error responses with safe json.Encoder via writeJSONError helper - #48: Added two-layer path traversal defense (barrier validatePath rejects ".." segments; engine ValidateName enforces safe name pattern) - #39: Extended RLock through entire crypto operations in barrier Get/Put/Delete/List to eliminate TOCTOU race with Seal - #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite transaction to prevent irrecoverable data loss on crash during MEK rotation - #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling on handleIssue and handleSignCSR - #61: Store raw ECDH private key bytes in userState for effective zeroization on Seal - #62: Fixed user engine policy resource path from mountPath to mountName() so policy rules match correctly - #69: Added newPolicyChecker helper and passed service-level policy evaluation to all 25 typed REST handler engine.Request structs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -8,6 +8,7 @@ import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
"regexp"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
@@ -28,8 +29,21 @@ var (
|
||||
ErrMountExists = errors.New("engine: mount already exists")
|
||||
ErrMountNotFound = errors.New("engine: mount not found")
|
||||
ErrUnknownType = errors.New("engine: unknown engine type")
|
||||
ErrInvalidName = errors.New("engine: invalid name")
|
||||
)
|
||||
|
||||
var validName = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9._-]*$`)
|
||||
|
||||
// ValidateName checks that a user-provided name is safe for use in barrier
|
||||
// paths. Names must be 1-128 characters, start with an alphanumeric, and
|
||||
// contain only alphanumerics, dots, hyphens, and underscores.
|
||||
func ValidateName(name string) error {
|
||||
if name == "" || len(name) > 128 || !validName.MatchString(name) {
|
||||
return fmt.Errorf("%w: %q", ErrInvalidName, name)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// CallerInfo carries authentication context into engines.
|
||||
type CallerInfo struct {
|
||||
Username string
|
||||
@@ -131,6 +145,10 @@ const mountsPrefix = "engine/_mounts/"
|
||||
|
||||
// Mount creates and initializes a new engine mount.
|
||||
func (r *Registry) Mount(ctx context.Context, name string, engineType EngineType, config map[string]interface{}) error {
|
||||
if err := ValidateName(name); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
r.mu.Lock()
|
||||
defer r.mu.Unlock()
|
||||
|
||||
|
||||
Reference in New Issue
Block a user