Add web UI for SSH CA, Transit, and User engines; full security audit and remediation

Web UI: Added browser-based management for all three remaining engines (SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files, 7 HTML templates, dashboard mount forms, and conditional navigation links. Fixed REST API routes to match design specs (SSH CA cert singular paths, Transit PATCH for update-key-config). Security audit: Conducted full-system audit covering crypto core, all engine implementations, API servers, policy engine, auth, deployment, and documentation. Identified 42 new findings (#39-#80) across all severity levels. Remediation of all 8 High findings: - #68: Replaced 14 JSON-injection-vulnerable error responses with safe json.Encoder via writeJSONError helper - #48: Added two-layer path traversal defense (barrier validatePath rejects ".." segments; engine ValidateName enforces safe name pattern) - #39: Extended RLock through entire crypto operations in barrier Get/Put/Delete/List to eliminate TOCTOU race with Seal - #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite transaction to prevent irrecoverable data loss on crash during MEK rotation - #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling on handleIssue and handleSignCSR - #61: Store raw ECDH private key bytes in userState for effective zeroization on Seal - #62: Fixed user engine policy resource path from mountPath to mountName() so policy rules match correctly - #69: Added newPolicyChecker helper and passed service-level policy evaluation to all 25 typed REST handler engine.Request structs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 22:02:06 -07:00
parent 128f5abc4d
commit a80323e320
29 changed files with 5061 additions and 647 deletions
--- a/internal/webserver/sshca.go
+++ b/internal/webserver/sshca.go
@@ -0,0 +1,400 @@
+package webserver
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/go-chi/chi/v5"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+func (ws *WebServer) handleSSHCA(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Redirect(w, r, "/dashboard", http.StatusFound)
+		return
+	}
+
+	data := ws.baseData(r, info)
+	data["MountName"] = mountName
+
+	if pubkey, err := ws.vault.GetSSHCAPublicKey(r.Context(), mountName); err == nil {
+		data["CAPublicKey"] = pubkey.PublicKey
+	}
+
+	if profiles, err := ws.vault.ListSSHCAProfiles(r.Context(), token, mountName); err == nil {
+		data["Profiles"] = profiles
+	}
+
+	if certs, err := ws.vault.ListSSHCACerts(r.Context(), token, mountName); err == nil {
+		for i := range certs {
+			certs[i].IssuedBy = ws.resolveUser(certs[i].IssuedBy)
+		}
+		data["Certs"] = certs
+	}
+
+	ws.renderTemplate(w, "sshca.html", data)
+}
+
+func (ws *WebServer) handleSSHCASignUser(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
+	_ = r.ParseForm()
+
+	publicKey := strings.TrimSpace(r.FormValue("public_key"))
+	if publicKey == "" {
+		ws.renderSSHCAWithError(w, r, mountName, info, "Public key is required")
+		return
+	}
+
+	var principals []string
+	for _, line := range strings.Split(r.FormValue("principals"), "\n") {
+		if v := strings.TrimSpace(line); v != "" {
+			principals = append(principals, v)
+		}
+	}
+
+	req := SSHCASignRequest{
+		PublicKey:  publicKey,
+		Principals: principals,
+		Profile:   r.FormValue("profile"),
+		TTL:       r.FormValue("ttl"),
+	}
+
+	result, err := ws.vault.SSHCASignUser(r.Context(), token, mountName, req)
+	if err != nil {
+		ws.renderSSHCAWithError(w, r, mountName, info, grpcMessage(err))
+		return
+	}
+
+	ws.renderSSHCAWithResult(w, r, mountName, info, "SignUserResult", result)
+}
+
+func (ws *WebServer) handleSSHCASignHost(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
+	_ = r.ParseForm()
+
+	publicKey := strings.TrimSpace(r.FormValue("public_key"))
+	if publicKey == "" {
+		ws.renderSSHCAWithError(w, r, mountName, info, "Public key is required")
+		return
+	}
+
+	hostname := strings.TrimSpace(r.FormValue("hostname"))
+	if hostname == "" {
+		ws.renderSSHCAWithError(w, r, mountName, info, "Hostname is required")
+		return
+	}
+
+	req := SSHCASignRequest{
+		PublicKey:  publicKey,
+		Principals: []string{hostname},
+		TTL:       r.FormValue("ttl"),
+	}
+
+	result, err := ws.vault.SSHCASignHost(r.Context(), token, mountName, req)
+	if err != nil {
+		ws.renderSSHCAWithError(w, r, mountName, info, grpcMessage(err))
+		return
+	}
+
+	ws.renderSSHCAWithResult(w, r, mountName, info, "SignHostResult", result)
+}
+
+func (ws *WebServer) handleSSHCACertDetail(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
+		return
+	}
+
+	serial := chi.URLParam(r, "serial")
+	cert, err := ws.vault.GetSSHCACert(r.Context(), token, mountName, serial)
+	if err != nil {
+		st, _ := status.FromError(err)
+		if st.Code() == codes.NotFound {
+			http.Error(w, "certificate not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, grpcMessage(err), http.StatusInternalServerError)
+		return
+	}
+
+	cert.IssuedBy = ws.resolveUser(cert.IssuedBy)
+	cert.RevokedBy = ws.resolveUser(cert.RevokedBy)
+	data := ws.baseData(r, info)
+	data["MountName"] = mountName
+	data["Cert"] = cert
+	ws.renderTemplate(w, "sshca_cert_detail.html", data)
+}
+
+func (ws *WebServer) handleSSHCACertRevoke(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	if !info.IsAdmin {
+		http.Error(w, "forbidden", http.StatusForbidden)
+		return
+	}
+
+	token := extractCookie(r)
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
+		return
+	}
+
+	serial := chi.URLParam(r, "serial")
+	if err := ws.vault.RevokeSSHCACert(r.Context(), token, mountName, serial); err != nil {
+		http.Error(w, grpcMessage(err), http.StatusInternalServerError)
+		return
+	}
+
+	http.Redirect(w, r, "/sshca/cert/"+serial, http.StatusSeeOther)
+}
+
+func (ws *WebServer) handleSSHCACertDelete(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	if !info.IsAdmin {
+		http.Error(w, "forbidden", http.StatusForbidden)
+		return
+	}
+
+	token := extractCookie(r)
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
+		return
+	}
+
+	serial := chi.URLParam(r, "serial")
+	if err := ws.vault.DeleteSSHCACert(r.Context(), token, mountName, serial); err != nil {
+		http.Error(w, grpcMessage(err), http.StatusInternalServerError)
+		return
+	}
+
+	http.Redirect(w, r, "/sshca", http.StatusSeeOther)
+}
+
+func (ws *WebServer) handleSSHCACreateProfile(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	if !info.IsAdmin {
+		http.Error(w, "forbidden", http.StatusForbidden)
+		return
+	}
+
+	token := extractCookie(r)
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
+	_ = r.ParseForm()
+
+	name := strings.TrimSpace(r.FormValue("name"))
+	if name == "" {
+		ws.renderSSHCAWithError(w, r, mountName, info, "Profile name is required")
+		return
+	}
+
+	var principals []string
+	for _, line := range strings.Split(r.FormValue("allowed_principals"), "\n") {
+		if v := strings.TrimSpace(line); v != "" {
+			principals = append(principals, v)
+		}
+	}
+
+	extensions := map[string]string{}
+	for _, ext := range r.Form["extensions"] {
+		extensions[ext] = ""
+	}
+
+	criticalOptions := map[string]string{}
+	if v := strings.TrimSpace(r.FormValue("force_command")); v != "" {
+		criticalOptions["force-command"] = v
+	}
+	if v := strings.TrimSpace(r.FormValue("source_address")); v != "" {
+		criticalOptions["source-address"] = v
+	}
+
+	req := SSHCAProfileRequest{
+		Name:              name,
+		CriticalOptions:   criticalOptions,
+		Extensions:        extensions,
+		MaxTTL:            r.FormValue("max_ttl"),
+		AllowedPrincipals: principals,
+	}
+
+	if err := ws.vault.CreateSSHCAProfile(r.Context(), token, mountName, req); err != nil {
+		ws.renderSSHCAWithError(w, r, mountName, info, grpcMessage(err))
+		return
+	}
+
+	http.Redirect(w, r, "/sshca/profile/"+name, http.StatusFound)
+}
+
+func (ws *WebServer) handleSSHCAProfileDetail(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	token := extractCookie(r)
+
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
+		return
+	}
+
+	name := chi.URLParam(r, "name")
+	profile, err := ws.vault.GetSSHCAProfile(r.Context(), token, mountName, name)
+	if err != nil {
+		st, _ := status.FromError(err)
+		if st.Code() == codes.NotFound {
+			http.Error(w, "profile not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, grpcMessage(err), http.StatusInternalServerError)
+		return
+	}
+
+	data := ws.baseData(r, info)
+	data["MountName"] = mountName
+	data["Profile"] = profile
+	ws.renderTemplate(w, "sshca_profile_detail.html", data)
+}
+
+func (ws *WebServer) handleSSHCAUpdateProfile(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	if !info.IsAdmin {
+		http.Error(w, "forbidden", http.StatusForbidden)
+		return
+	}
+
+	token := extractCookie(r)
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
+		return
+	}
+
+	name := chi.URLParam(r, "name")
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
+	_ = r.ParseForm()
+
+	var principals []string
+	for _, line := range strings.Split(r.FormValue("allowed_principals"), "\n") {
+		if v := strings.TrimSpace(line); v != "" {
+			principals = append(principals, v)
+		}
+	}
+
+	extensions := map[string]string{}
+	for _, ext := range r.Form["extensions"] {
+		extensions[ext] = ""
+	}
+
+	criticalOptions := map[string]string{}
+	if v := strings.TrimSpace(r.FormValue("force_command")); v != "" {
+		criticalOptions["force-command"] = v
+	}
+	if v := strings.TrimSpace(r.FormValue("source_address")); v != "" {
+		criticalOptions["source-address"] = v
+	}
+
+	req := SSHCAProfileRequest{
+		CriticalOptions:   criticalOptions,
+		Extensions:        extensions,
+		MaxTTL:            r.FormValue("max_ttl"),
+		AllowedPrincipals: principals,
+	}
+
+	if err := ws.vault.UpdateSSHCAProfile(r.Context(), token, mountName, name, req); err != nil {
+		http.Error(w, grpcMessage(err), http.StatusInternalServerError)
+		return
+	}
+
+	http.Redirect(w, r, "/sshca/profile/"+name, http.StatusSeeOther)
+}
+
+func (ws *WebServer) handleSSHCADeleteProfile(w http.ResponseWriter, r *http.Request) {
+	info := tokenInfoFromContext(r.Context())
+	if !info.IsAdmin {
+		http.Error(w, "forbidden", http.StatusForbidden)
+		return
+	}
+
+	token := extractCookie(r)
+	mountName, err := ws.findSSHCAMount(r, token)
+	if err != nil {
+		http.Error(w, "no SSH CA engine mounted", http.StatusNotFound)
+		return
+	}
+
+	name := chi.URLParam(r, "name")
+	if err := ws.vault.DeleteSSHCAProfile(r.Context(), token, mountName, name); err != nil {
+		http.Error(w, grpcMessage(err), http.StatusInternalServerError)
+		return
+	}
+
+	http.Redirect(w, r, "/sshca", http.StatusSeeOther)
+}
+
+func (ws *WebServer) renderSSHCAWithError(w http.ResponseWriter, r *http.Request, mountName string, info *TokenInfo, errMsg string) {
+	token := extractCookie(r)
+	data := ws.baseData(r, info)
+	data["MountName"] = mountName
+	data["Error"] = errMsg
+
+	if pubkey, err := ws.vault.GetSSHCAPublicKey(r.Context(), mountName); err == nil {
+		data["CAPublicKey"] = pubkey.PublicKey
+	}
+	if profiles, err := ws.vault.ListSSHCAProfiles(r.Context(), token, mountName); err == nil {
+		data["Profiles"] = profiles
+	}
+	if certs, err := ws.vault.ListSSHCACerts(r.Context(), token, mountName); err == nil {
+		data["Certs"] = certs
+	}
+
+	ws.renderTemplate(w, "sshca.html", data)
+}
+
+func (ws *WebServer) renderSSHCAWithResult(w http.ResponseWriter, r *http.Request, mountName string, info *TokenInfo, resultKey string, result *SSHCASignResult) {
+	token := extractCookie(r)
+	data := ws.baseData(r, info)
+	data["MountName"] = mountName
+	data[resultKey] = result
+
+	if pubkey, err := ws.vault.GetSSHCAPublicKey(r.Context(), mountName); err == nil {
+		data["CAPublicKey"] = pubkey.PublicKey
+	}
+	if profiles, err := ws.vault.ListSSHCAProfiles(r.Context(), token, mountName); err == nil {
+		data["Profiles"] = profiles
+	}
+	if certs, err := ws.vault.ListSSHCACerts(r.Context(), token, mountName); err == nil {
+		data["Certs"] = certs
+	}
+
+	ws.renderTemplate(w, "sshca.html", data)
+}