Kyle Isom
a80323e320
Web UI: Added browser-based management for all three remaining engines (SSH CA, Transit, User E2E). Includes gRPC client wiring, handler files, 7 HTML templates, dashboard mount forms, and conditional navigation links. Fixed REST API routes to match design specs (SSH CA cert singular paths, Transit PATCH for update-key-config). Security audit: Conducted full-system audit covering crypto core, all engine implementations, API servers, policy engine, auth, deployment, and documentation. Identified 42 new findings (#39-#80) across all severity levels. Remediation of all 8 High findings: - #68: Replaced 14 JSON-injection-vulnerable error responses with safe json.Encoder via writeJSONError helper - #48: Added two-layer path traversal defense (barrier validatePath rejects ".." segments; engine ValidateName enforces safe name pattern) - #39: Extended RLock through entire crypto operations in barrier Get/Put/Delete/List to eliminate TOCTOU race with Seal - #40: Unified ReWrapKeys and seal_config UPDATE into single SQLite transaction to prevent irrecoverable data loss on crash during MEK rotation - #49: Added resolveTTL to CA engine enforcing issuer MaxTTL ceiling on handleIssue and handleSignCSR - #61: Store raw ECDH private key bytes in userState for effective zeroization on Seal - #62: Fixed user engine policy resource path from mountPath to mountName() so policy rules match correctly - #69: Added newPolicyChecker helper and passed service-level policy evaluation to all 25 typed REST handler engine.Request structs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
278 lines
7.6 KiB
Go
278 lines
7.6 KiB
Go
package webserver
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
func (ws *WebServer) handleUser(w http.ResponseWriter, r *http.Request) {
|
|
info := tokenInfoFromContext(r.Context())
|
|
token := extractCookie(r)
|
|
|
|
mountName, err := ws.findUserMount(r, token)
|
|
if err != nil {
|
|
http.Redirect(w, r, "/dashboard", http.StatusFound)
|
|
return
|
|
}
|
|
|
|
data := ws.baseData(r, info)
|
|
data["MountName"] = mountName
|
|
|
|
// Try to fetch the caller's own key.
|
|
if keyInfo, err := ws.vault.GetUserPublicKey(r.Context(), token, mountName, info.Username); err == nil {
|
|
data["OwnKey"] = keyInfo
|
|
}
|
|
|
|
if users, err := ws.vault.ListUsers(r.Context(), token, mountName); err == nil {
|
|
data["Users"] = users
|
|
}
|
|
|
|
ws.renderTemplate(w, "user.html", data)
|
|
}
|
|
|
|
func (ws *WebServer) handleUserRegister(w http.ResponseWriter, r *http.Request) {
|
|
info := tokenInfoFromContext(r.Context())
|
|
token := extractCookie(r)
|
|
|
|
mountName, err := ws.findUserMount(r, token)
|
|
if err != nil {
|
|
http.Error(w, "no user engine mounted", http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
if _, err := ws.vault.UserRegister(r.Context(), token, mountName); err != nil {
|
|
ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
|
|
return
|
|
}
|
|
|
|
http.Redirect(w, r, "/user", http.StatusFound)
|
|
}
|
|
|
|
func (ws *WebServer) handleUserProvision(w http.ResponseWriter, r *http.Request) {
|
|
info := tokenInfoFromContext(r.Context())
|
|
if !info.IsAdmin {
|
|
http.Error(w, "forbidden", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
token := extractCookie(r)
|
|
mountName, err := ws.findUserMount(r, token)
|
|
if err != nil {
|
|
http.Error(w, "no user engine mounted", http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
|
|
_ = r.ParseForm()
|
|
|
|
username := strings.TrimSpace(r.FormValue("username"))
|
|
if username == "" {
|
|
ws.renderUserWithError(w, r, mountName, info, "Username is required")
|
|
return
|
|
}
|
|
|
|
if _, err := ws.vault.UserProvision(r.Context(), token, mountName, username); err != nil {
|
|
ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
|
|
return
|
|
}
|
|
|
|
http.Redirect(w, r, "/user", http.StatusFound)
|
|
}
|
|
|
|
func (ws *WebServer) handleUserKeyDetail(w http.ResponseWriter, r *http.Request) {
|
|
info := tokenInfoFromContext(r.Context())
|
|
token := extractCookie(r)
|
|
|
|
mountName, err := ws.findUserMount(r, token)
|
|
if err != nil {
|
|
http.Error(w, "no user engine mounted", http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
username := chi.URLParam(r, "username")
|
|
keyInfo, err := ws.vault.GetUserPublicKey(r.Context(), token, mountName, username)
|
|
if err != nil {
|
|
st, _ := status.FromError(err)
|
|
if st.Code() == codes.NotFound {
|
|
http.Error(w, "user not found", http.StatusNotFound)
|
|
return
|
|
}
|
|
http.Error(w, grpcMessage(err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
data := ws.baseData(r, info)
|
|
data["MountName"] = mountName
|
|
data["KeyInfo"] = keyInfo
|
|
ws.renderTemplate(w, "user_key_detail.html", data)
|
|
}
|
|
|
|
func (ws *WebServer) handleUserEncrypt(w http.ResponseWriter, r *http.Request) {
|
|
info := tokenInfoFromContext(r.Context())
|
|
token := extractCookie(r)
|
|
|
|
mountName, err := ws.findUserMount(r, token)
|
|
if err != nil {
|
|
http.Error(w, "no user engine mounted", http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
|
|
_ = r.ParseForm()
|
|
|
|
var recipients []string
|
|
for _, line := range strings.Split(r.FormValue("recipients"), "\n") {
|
|
if v := strings.TrimSpace(line); v != "" {
|
|
recipients = append(recipients, v)
|
|
}
|
|
}
|
|
plaintext := r.FormValue("plaintext")
|
|
metadata := r.FormValue("metadata")
|
|
|
|
if len(recipients) == 0 || plaintext == "" {
|
|
ws.renderUserWithError(w, r, mountName, info, "Recipients and plaintext are required")
|
|
return
|
|
}
|
|
|
|
envelope, err := ws.vault.UserEncrypt(r.Context(), token, mountName, plaintext, metadata, recipients)
|
|
if err != nil {
|
|
ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
|
|
return
|
|
}
|
|
|
|
ws.renderUserWithResult(w, r, mountName, info, "EncryptResult", envelope)
|
|
}
|
|
|
|
func (ws *WebServer) handleUserDecrypt(w http.ResponseWriter, r *http.Request) {
|
|
info := tokenInfoFromContext(r.Context())
|
|
token := extractCookie(r)
|
|
|
|
mountName, err := ws.findUserMount(r, token)
|
|
if err != nil {
|
|
http.Error(w, "no user engine mounted", http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
|
|
_ = r.ParseForm()
|
|
|
|
envelope := r.FormValue("envelope")
|
|
if envelope == "" {
|
|
ws.renderUserWithError(w, r, mountName, info, "Envelope is required")
|
|
return
|
|
}
|
|
|
|
result, err := ws.vault.UserDecrypt(r.Context(), token, mountName, envelope)
|
|
if err != nil {
|
|
ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
|
|
return
|
|
}
|
|
|
|
ws.renderUserWithResult(w, r, mountName, info, "DecryptResult", result)
|
|
}
|
|
|
|
func (ws *WebServer) handleUserReEncrypt(w http.ResponseWriter, r *http.Request) {
|
|
info := tokenInfoFromContext(r.Context())
|
|
token := extractCookie(r)
|
|
|
|
mountName, err := ws.findUserMount(r, token)
|
|
if err != nil {
|
|
http.Error(w, "no user engine mounted", http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
|
|
_ = r.ParseForm()
|
|
|
|
envelope := r.FormValue("envelope")
|
|
if envelope == "" {
|
|
ws.renderUserWithError(w, r, mountName, info, "Envelope is required")
|
|
return
|
|
}
|
|
|
|
newEnvelope, err := ws.vault.UserReEncrypt(r.Context(), token, mountName, envelope)
|
|
if err != nil {
|
|
ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
|
|
return
|
|
}
|
|
|
|
ws.renderUserWithResult(w, r, mountName, info, "ReEncryptResult", newEnvelope)
|
|
}
|
|
|
|
func (ws *WebServer) handleUserRotateKey(w http.ResponseWriter, r *http.Request) {
|
|
info := tokenInfoFromContext(r.Context())
|
|
token := extractCookie(r)
|
|
|
|
mountName, err := ws.findUserMount(r, token)
|
|
if err != nil {
|
|
http.Error(w, "no user engine mounted", http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
if _, err := ws.vault.UserRotateKey(r.Context(), token, mountName); err != nil {
|
|
ws.renderUserWithError(w, r, mountName, info, grpcMessage(err))
|
|
return
|
|
}
|
|
|
|
http.Redirect(w, r, "/user", http.StatusSeeOther)
|
|
}
|
|
|
|
func (ws *WebServer) handleUserDeleteUser(w http.ResponseWriter, r *http.Request) {
|
|
info := tokenInfoFromContext(r.Context())
|
|
if !info.IsAdmin {
|
|
http.Error(w, "forbidden", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
token := extractCookie(r)
|
|
mountName, err := ws.findUserMount(r, token)
|
|
if err != nil {
|
|
http.Error(w, "no user engine mounted", http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
username := chi.URLParam(r, "username")
|
|
if err := ws.vault.UserDeleteUser(r.Context(), token, mountName, username); err != nil {
|
|
http.Error(w, grpcMessage(err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
http.Redirect(w, r, "/user", http.StatusSeeOther)
|
|
}
|
|
|
|
func (ws *WebServer) renderUserWithError(w http.ResponseWriter, r *http.Request, mountName string, info *TokenInfo, errMsg string) {
|
|
token := extractCookie(r)
|
|
data := ws.baseData(r, info)
|
|
data["MountName"] = mountName
|
|
data["Error"] = errMsg
|
|
|
|
if keyInfo, err := ws.vault.GetUserPublicKey(r.Context(), token, mountName, info.Username); err == nil {
|
|
data["OwnKey"] = keyInfo
|
|
}
|
|
if users, err := ws.vault.ListUsers(r.Context(), token, mountName); err == nil {
|
|
data["Users"] = users
|
|
}
|
|
|
|
ws.renderTemplate(w, "user.html", data)
|
|
}
|
|
|
|
func (ws *WebServer) renderUserWithResult(w http.ResponseWriter, r *http.Request, mountName string, info *TokenInfo, resultKey string, result interface{}) {
|
|
token := extractCookie(r)
|
|
data := ws.baseData(r, info)
|
|
data["MountName"] = mountName
|
|
data[resultKey] = result
|
|
|
|
if keyInfo, err := ws.vault.GetUserPublicKey(r.Context(), token, mountName, info.Username); err == nil {
|
|
data["OwnKey"] = keyInfo
|
|
}
|
|
if users, err := ws.vault.ListUsers(r.Context(), token, mountName); err == nil {
|
|
data["Users"] = users
|
|
}
|
|
|
|
ws.renderTemplate(w, "user.html", data)
|
|
}
|