Add web UI for SSH CA, Transit, and User engines; full security audit and remediation

Web UI: Added browser-based management for all three remaining engines (SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files, 7 HTML templates, dashboard mount forms, and conditional navigation links. Fixed REST API routes to match design specs (SSH CA cert singular paths, Transit PATCH for update-key-config). Security audit: Conducted full-system audit covering crypto core, all engine implementations, API servers, policy engine, auth, deployment, and documentation. Identified 42 new findings (#39-#80) across all severity levels. Remediation of all 8 High findings: - #68: Replaced 14 JSON-injection-vulnerable error responses with safe json.Encoder via writeJSONError helper - #48: Added two-layer path traversal defense (barrier validatePath rejects ".." segments; engine ValidateName enforces safe name pattern) - #39: Extended RLock through entire crypto operations in barrier Get/Put/Delete/List to eliminate TOCTOU race with Seal - #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite transaction to prevent irrecoverable data loss on crash during MEK rotation - #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling on handleIssue and handleSignCSR - #61: Store raw ECDH private key bytes in userState for effective zeroization on Seal - #62: Fixed user engine policy resource path from mountPath to mountName() so policy rules match correctly - #69: Added newPolicyChecker helper and passed service-level policy evaluation to all 25 typed REST handler engine.Request structs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 22:02:06 -07:00
parent 128f5abc4d
commit a80323e320
29 changed files with 5061 additions and 647 deletions
--- a/web/templates/transit_key_detail.html
+++ b/web/templates/transit_key_detail.html
@@ -0,0 +1,103 @@
+{{define "title"}} - Key: {{.Key.Name}}{{end}}
+{{define "content"}}
+<div class="page-header">
+    <h2>Key: {{.Key.Name}}</h2>
+    <div class="page-meta">
+        <a href="/transit">&larr; Transit</a>
+    </div>
+</div>
+
+<div class="card">
+    <div class="card-title">Key Details</div>
+    <table class="kv-table">
+        <tbody>
+            <tr><th>Name</th><td>{{.Key.Name}}</td></tr>
+            <tr><th>Type</th><td><code>{{.Key.Type}}</code></td></tr>
+            <tr><th>Current Version</th><td>{{.Key.CurrentVersion}}</td></tr>
+            <tr><th>Min Decryption Version</th><td>{{.Key.MinDecryptionVersion}}</td></tr>
+            <tr><th>Allow Deletion</th><td>{{if .Key.AllowDeletion}}yes{{else}}no{{end}}</td></tr>
+        </tbody>
+    </table>
+</div>
+
+<div class="card">
+    <div class="card-title">Key Versions</div>
+    {{if .Key.Versions}}
+    <div class="table-wrapper">
+        <table>
+            <thead>
+                <tr>
+                    <th>Version</th>
+                </tr>
+            </thead>
+            <tbody>
+            {{range .Key.Versions}}
+            <tr>
+                <td>{{.}}</td>
+            </tr>
+            {{end}}
+            </tbody>
+        </table>
+    </div>
+    {{else}}
+    <p>No version information available.</p>
+    {{end}}
+</div>
+
+{{if .PublicKey}}
+<div class="card">
+    <div class="card-title">Public Key</div>
+    <textarea rows="4" class="pem-input" readonly>{{.PublicKey}}</textarea>
+</div>
+{{end}}
+
+{{if .IsAdmin}}
+<div class="card">
+    <div class="card-title">Admin Actions</div>
+    <form method="post" action="/transit/key/{{.Key.Name}}/rotate" style="display:inline;">
+        {{csrfField}}
+        <button type="submit" onclick="return confirm('Rotate key {{.Key.Name}}?')">Rotate Key</button>
+    </form>
+
+    <details style="margin-top: 1rem;">
+        <summary>Update Config</summary>
+        <form method="post" action="/transit/key/{{.Key.Name}}/config">
+            {{csrfField}}
+            <div class="form-row">
+                <div class="form-group">
+                    <label for="cfg_min_decrypt">Min Decryption Version</label>
+                    <input type="number" id="cfg_min_decrypt" name="min_decryption_version" value="{{.Key.MinDecryptionVersion}}" min="0">
+                </div>
+                <div class="form-group">
+                    <label>&nbsp;</label>
+                    <label class="checkbox-label"><input type="checkbox" name="allow_deletion"{{if .Key.AllowDeletion}} checked{{end}}> Allow Deletion</label>
+                </div>
+            </div>
+            <div class="form-actions">
+                <button type="submit">Update Config</button>
+            </div>
+        </form>
+    </details>
+
+    <details style="margin-top: 1rem;">
+        <summary>Trim Old Versions</summary>
+        <form method="post" action="/transit/key/{{.Key.Name}}/trim">
+            {{csrfField}}
+            <p>Trims key versions below the current min_decryption_version.</p>
+            <div class="form-actions">
+                <button type="submit" class="btn-danger" onclick="return confirm('Trim old versions of key {{.Key.Name}}? This cannot be undone.')">Trim Versions</button>
+            </div>
+        </form>
+    </details>
+
+    {{if .Key.AllowDeletion}}
+    <div style="margin-top: 1rem;">
+        <form method="post" action="/transit/key/{{.Key.Name}}/delete">
+            {{csrfField}}
+            <button type="submit" class="btn-danger" onclick="return confirm('Permanently delete key {{.Key.Name}}? This cannot be undone.')">Delete Key</button>
+        </form>
+    </div>
+    {{end}}
+</div>
+{{end}}
+{{end}}