mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
metacrypt/web/templates/dashboard.html
Kyle Isom a80323e320 Add web UI for SSH CA, Transit, and User engines; full security audit and remediation 
Web UI: Added browser-based management for all three remaining engines
(SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files,
7 HTML templates, dashboard mount forms, and conditional navigation links.
Fixed REST API routes to match design specs (SSH CA cert singular paths,
Transit PATCH for update-key-config).

Security audit: Conducted full-system audit covering crypto core, all
engine implementations, API servers, policy engine, auth, deployment,
and documentation. Identified 42 new findings (#39-#80) across all
severity levels.

Remediation of all 8 High findings:
- #68: Replaced 14 JSON-injection-vulnerable error responses with safe
  json.Encoder via writeJSONError helper
- #48: Added two-layer path traversal defense (barrier validatePath
  rejects ".." segments; engine ValidateName enforces safe name pattern)
- #39: Extended RLock through entire crypto operations in barrier
  Get/Put/Delete/List to eliminate TOCTOU race with Seal
- #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite
  transaction to prevent irrecoverable data loss on crash during MEK
  rotation
- #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling
  on handleIssue and handleSignCSR
- #61: Store raw ECDH private key bytes in userState for effective
  zeroization on Seal
- #62: Fixed user engine policy resource path from mountPath to
  mountName() so policy rules match correctly
- #69: Added newPolicyChecker helper and passed service-level policy
  evaluation to all 25 typed REST handler engine.Request structs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 22:02:06 -07:00

155 lines
5.9 KiB
HTML
Raw Permalink Blame History

{{define "title"}} - Dashboard{{end}}
{{define "content"}}
<div class="page-header">
<h2>Dashboard</h2>
<div class="page-meta">
<span class="state-chip state-{{.State}}">{{.State}}</span>
</div>
</div>
<div class="card">
<div class="card-title">Engine Mounts</div>
{{if .Mounts}}
<div class="table-wrapper">
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Path</th>
</tr>
</thead>
<tbody>
{{range .Mounts}}
<tr>
<td>
{{if eq (printf "%s" .Type) "ca"}}
<a href="/pki">{{.Name}}</a>
{{else if eq (printf "%s" .Type) "sshca"}}
<a href="/sshca">{{.Name}}</a>
{{else if eq (printf "%s" .Type) "transit"}}
<a href="/transit">{{.Name}}</a>
{{else if eq (printf "%s" .Type) "user"}}
<a href="/user">{{.Name}}</a>
{{else}}
{{.Name}}
{{end}}
</td>
<td><code>{{.Type}}</code></td>
<td><code>{{.MountPath}}</code></td>
</tr>
{{end}}
</tbody>
</table>
</div>
{{else}}
<p>No engines mounted.</p>
{{end}}
</div>
{{if .IsAdmin}}
<div class="card">
<div class="card-title">Mount Engine</div>
{{if .MountError}}<div class="error">{{.MountError}}</div>{{end}}
<details>
<summary>Mount a CA engine</summary>
<form method="post" action="/dashboard/mount-ca" enctype="multipart/form-data">
{{csrfField}}
<div class="form-row">
<div class="form-group">
<label for="mount_name">Mount Name</label>
<input type="text" id="mount_name" name="name" placeholder="pki" required>
</div>
<div class="form-group">
<label for="organization">Organization</label>
<input type="text" id="organization" name="organization" placeholder="Metacircular">
</div>
</div>
<details>
<summary>Import existing root CA (optional)</summary>
<div class="form-group">
<label for="cert_file">Certificate PEM</label>
<input type="file" id="cert_file" name="cert_file" accept=".pem,.crt">
</div>
<div class="form-group">
<label for="key_file">Private Key PEM</label>
<input type="file" id="key_file" name="key_file" accept=".pem,.key">
</div>
</details>
<div class="form-actions">
<button type="submit">Mount</button>
</div>
</form>
</details>
<details>
<summary>Mount an SSH CA engine</summary>
<form method="post" action="/dashboard/mount-engine">
{{csrfField}}
<input type="hidden" name="type" value="sshca">
<div class="form-row">
<div class="form-group">
<label for="sshca_name">Mount Name</label>
<input type="text" id="sshca_name" name="name" placeholder="sshca" required>
</div>
<div class="form-group">
<label for="sshca_algo">Key Algorithm</label>
<select id="sshca_algo" name="key_algorithm">
<option value="ed25519">ed25519 (default)</option>
<option value="ecdsa-p256">ecdsa-p256</option>
<option value="ecdsa-p384">ecdsa-p384</option>
</select>
</div>
</div>
<div class="form-actions">
<button type="submit">Mount</button>
</div>
</form>
</details>
<details>
<summary>Mount a Transit engine</summary>
<form method="post" action="/dashboard/mount-engine">
{{csrfField}}
<input type="hidden" name="type" value="transit">
<div class="form-group">
<label for="transit_name">Mount Name</label>
<input type="text" id="transit_name" name="name" placeholder="transit" required>
</div>
<div class="form-actions">
<button type="submit">Mount</button>
</div>
</form>
</details>
<details>
<summary>Mount a User Crypto engine</summary>
<form method="post" action="/dashboard/mount-engine">
{{csrfField}}
<input type="hidden" name="type" value="user">
<div class="form-row">
<div class="form-group">
<label for="user_name">Mount Name</label>
<input type="text" id="user_name" name="name" placeholder="user" required>
</div>
<div class="form-group">
<label for="user_algo">Key Algorithm</label>
<select id="user_algo" name="key_algorithm">
<option value="x25519">x25519 (default)</option>
<option value="ecdh-p256">ecdh-p256</option>
<option value="ecdh-p384">ecdh-p384</option>
</select>
</div>
</div>
<div class="form-actions">
<button type="submit">Mount</button>
</div>
</form>
</details>
</div>
<div class="card">
<div class="card-title">Administration</div>
<p>Sealing the service will require the seal password to restore access.</p>
<button class="btn-danger" hx-post="/v1/seal" hx-confirm="Are you sure you want to seal the service?">Seal Service</button>
</div>
{{end}}
{{end}}
Reference in New Issue View Git Blame Copy Permalink