mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add web UI for SSH CA, Transit, and User engines; full security audit and remediation

Browse Source 
Web UI: Added browser-based management for all three remaining engines
(SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files,
7 HTML templates, dashboard mount forms, and conditional navigation links.
Fixed REST API routes to match design specs (SSH CA cert singular paths,
Transit PATCH for update-key-config).

Security audit: Conducted full-system audit covering crypto core, all
engine implementations, API servers, policy engine, auth, deployment,
and documentation. Identified 42 new findings (#39-#80) across all
severity levels.

Remediation of all 8 High findings:
- #68: Replaced 14 JSON-injection-vulnerable error responses with safe
  json.Encoder via writeJSONError helper
- #48: Added two-layer path traversal defense (barrier validatePath
  rejects ".." segments; engine ValidateName enforces safe name pattern)
- #39: Extended RLock through entire crypto operations in barrier
  Get/Put/Delete/List to eliminate TOCTOU race with Seal
- #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite
  transaction to prevent irrecoverable data loss on crash during MEK
  rotation
- #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling
  on handleIssue and handleSignCSR
- #61: Store raw ECDH private key bytes in userState for effective
  zeroization on Seal
- #62: Fixed user engine policy resource path from mountPath to
  mountName() so policy rules match correctly
- #69: Added newPolicyChecker helper and passed service-level policy
  evaluation to all 25 typed REST handler engine.Request structs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-16 22:02:06 -07:00
parent 128f5abc4d
commit a80323e320
29 changed files with 5061 additions and 647 deletions
Download Patch File Download Diff File Expand all files Collapse all files

104
web/templates/sshca_profile_detail.html Normal file
View File

@@ -0,0 +1,104 @@
{{define "title"}} - Profile: {{.Profile.Name}}{{end}}
{{define "content"}}
<div class="page-header">
<h2>Profile: {{.Profile.Name}}</h2>
<div class="page-meta">
<a href="/sshca">&larr; SSH CA</a>
</div>
</div>
<div class="card">
<div class="card-title">Configuration</div>
<table class="kv-table">
<tbody>
<tr><th>Name</th><td>{{.Profile.Name}}</td></tr>
<tr><th>Max TTL</th><td>{{if .Profile.MaxTTL}}{{.Profile.MaxTTL}}{{else}}&mdash;{{end}}</td></tr>
<tr>
<th>Allowed Principals</th>
<td>
{{if .Profile.AllowedPrincipals}}
{{range .Profile.AllowedPrincipals}}<code>{{.}}</code> {{end}}
{{else}}
(any)
{{end}}
</td>
</tr>
<tr>
<th>Extensions</th>
<td>
{{if .Profile.Extensions}}
{{range $k, $v := .Profile.Extensions}}<code>{{$k}}</code> {{end}}
{{else}}
(none)
{{end}}
</td>
</tr>
<tr>
<th>Critical Options</th>
<td>
{{if .Profile.CriticalOptions}}
{{range $k, $v := .Profile.CriticalOptions}}<code>{{$k}}{{if $v}}={{$v}}{{end}}</code> {{end}}
{{else}}
(none)
{{end}}
</td>
</tr>
</tbody>
</table>
</div>
{{if .IsAdmin}}
<div class="card">
<div class="card-title">Edit Profile</div>
<details>
<summary>Update configuration</summary>
<form method="post" action="/sshca/profile/{{.Profile.Name}}/update">
{{csrfField}}
<div class="form-group">
<label for="edit_max_ttl">Max TTL</label>
<input type="text" id="edit_max_ttl" name="max_ttl" value="{{.Profile.MaxTTL}}" placeholder="8760h">
</div>
<div class="form-group">
<label for="edit_principals">Allowed Principals <small style="text-transform:none;letter-spacing:0;">(one per line)</small></label>
<textarea id="edit_principals" name="allowed_principals" rows="3">{{range .Profile.AllowedPrincipals}}{{.}}
{{end}}</textarea>
</div>
<div class="form-group">
<label>Extensions</label>
<div class="checkbox-group">
<label class="checkbox-label"><input type="checkbox" name="extensions" value="permit-pty"{{if index .Profile.Extensions "permit-pty"}} checked{{end}}> permit-pty</label>
<label class="checkbox-label"><input type="checkbox" name="extensions" value="permit-agent-forwarding"{{if index .Profile.Extensions "permit-agent-forwarding"}} checked{{end}}> permit-agent-forwarding</label>
<label class="checkbox-label"><input type="checkbox" name="extensions" value="permit-port-forwarding"{{if index .Profile.Extensions "permit-port-forwarding"}} checked{{end}}> permit-port-forwarding</label>
<label class="checkbox-label"><input type="checkbox" name="extensions" value="permit-X11-forwarding"{{if index .Profile.Extensions "permit-X11-forwarding"}} checked{{end}}> permit-X11-forwarding</label>
<label class="checkbox-label"><input type="checkbox" name="extensions" value="permit-user-rc"{{if index .Profile.Extensions "permit-user-rc"}} checked{{end}}> permit-user-rc</label>
</div>
</div>
<details>
<summary>Critical Options</summary>
<div class="form-row">
<div class="form-group">
<label for="edit_force_cmd">Force Command</label>
<input type="text" id="edit_force_cmd" name="force_command" value="{{index .Profile.CriticalOptions "force-command"}}">
</div>
<div class="form-group">
<label for="edit_source_addr">Source Address</label>
<input type="text" id="edit_source_addr" name="source_address" value="{{index .Profile.CriticalOptions "source-address"}}">
</div>
</div>
</details>
<div class="form-actions">
<button type="submit">Update Profile</button>
</div>
</form>
</details>
</div>
<div class="card">
<div class="card-title">Admin Actions</div>
<form method="post" action="/sshca/profile/{{.Profile.Name}}/delete">
{{csrfField}}
<button type="submit" class="btn-danger" onclick="return confirm('Delete profile {{.Profile.Name}}?')">Delete Profile</button>
</form>
</div>
{{end}}
{{end}}