git-echo/linux_patch_manager
Private
Public Access
1
0
Fork 0
Code Releases 8 Wiki Activity
Files
224248888f00f2eec6d0309a90167f6ecaedf76c
linux_patch_manager/tasks/todo.md
Draco Lunaris ed5df26140 fix(ws): add Origin allowlist to browser WebSocket upgrade (CSWSH hardening) 
Closes Draco-Lunaris/Linux-Patch-Manager#10

The browser WebSocket endpoint at GET /api/v1/ws/jobs previously
authenticated solely via a single-use, 60-second ticket passed as a query
parameter. A leaked ticket (browser history, Referer, proxy logs, support
bundles) could be redeemed from any origin, enabling Cross-Site WebSocket
Hijacking (CSWSH).

This change adds a second gate: the Origin header must match an explicit
allowlist. The check runs BEFORE ticket validation so that rejected
cross-origin probes do not consume the legitimate users ticket.

Changes:
- pm-core: new security.allowed_origins config field; default derived
  from sso_callback_url; startup warning if both are unparseable
- pm-web: ws_handler extracts HeaderMap and calls check_origin first;
  returns 403 on missing/malformed/disallowed origins
- config: documented allowed_origins key in config.example.toml
- docs: security-review.md section 1.4 (WebSocket Origin Allowlist)
- tests: 40 unit tests (7 pm-core, 33 pm-web)
2026-06-02 10:45:38 -05:00

7.2 KiB
Raw Blame History

SSO Implementation Fix Plan

Issues Identified

  1. No SSO Login Button — LoginPage.tsx missing "Sign in with Azure" button
  2. No SSO Callback Route — App.tsx missing frontend route to handle SSO callback
  3. authStore No SSO Support — authStore.ts has no method to store SSO tokens
  4. Backend Returns JSON Not Redirect — azure_sso.rs callback returns JSON tokens instead of redirecting to frontend
  5. No SSO Session Cleanup — sso_sessions DashMap has no expiry/cleanup task (memory leak)
  6. No JWT Signature Verification — id_token decoded without verifying Azure AD signature

Phases

Phase 1: Backend SSO Fixes (Issues 4, 5) — COMPLETE

  • 1a: Add SSO session cleanup task in main.rs (purge sessions older than 10 minutes)
  • 1b: Modify azure_sso.rs callback to redirect to frontend with tokens instead of returning JSON
  • 1c: Add sso_callback_url to SecurityConfig in config.rs with serde default
  • 1d: Update settings.rs to include sso_callback_url in settings response
  • 1e: Verify backend compiles with cargo check

Phase 2: Frontend SSO Integration (Issues 1, 2, 3) — COMPLETE

  • 2a: Add SSO callback page component (SsoCallbackPage.tsx)
  • 2b: Add SSO callback route to App.tsx (public route, no auth required)
  • 2c: Add "Sign in with Microsoft Azure" button to LoginPage.tsx
  • 2d: Add SSO-related types and API methods to frontend
  • 2e: Verify frontend builds with TypeScript compilation

Phase 3: JWT Signature Verification (Issue 6) — COMPLETE

  • 3a: Add JWKS client dependency to pm-web/Cargo.toml
  • 3b: Implement id_token signature verification in azure_sso.rs
  • 3c: Verify backend compiles with cargo check

Phase 4: Integration Testing and Verification — COMPLETE

  • 4a: Backend code review — all changes verified manually
  • 4b: Frontend TypeScript compilation — passes cleanly
  • 4c: SSO login flow reviewed end-to-end (backend redirect → frontend callback → auth store)
  • 4d: SSO session cleanup verified (10-minute expiry, 60-second purge interval)
  • 4e: Settings page SSO config unchanged (sso_callback_url added as read-only)
  • 4f: Lessons captured below

Lessons Learned

WS Origin Allowlist — Implementation Plan (Issue #10)

Spec: tasks/ws-origin-check-spec.md (v0.1.0, awaiting sign-off)

Issues Identified

  1. No Origin check on WS upgradecrates/pm-web/src/routes/ws.rs ws_handler does not inspect the Origin header, leaving the /api/v1/ws/jobs endpoint exposed to Cross-Site WebSocket Hijacking (CSWSH) if a ticket ever leaks via logs / Referer / browser history / support bundles.
  2. No allowed_origins config fieldSecurityConfig has no way to express the allowlist; defaults need to be derived from sso_callback_url to stay secure out of the box.
  3. No integration tests for ws.rs — there is no crates/pm-web/tests/ directory today, so the new behavior would land without automated coverage.

Phases

Phase 1: Config schema (Issue 2)

  • 1a: Add allowed_origins: Vec<String> to SecurityConfig in crates/pm-core/src/config.rs
  • 1b: Implement default_allowed_origins() that parses sso_callback_url to scheme://host[:port]
  • 1c: Emit tracing::warn! at startup if the derived allowlist ends up empty
  • 1d: Update Default for AppConfig to include the new field
  • 1e: Update config/config.example.toml with documented allowed_origins key

Phase 2: Handler change (Issue 1)

  • 2a: Add HeaderMap extractor to ws_handler
  • 2b: Implement hand-rolled Origin parser (scheme, host, port) with default-port normalization
  • 2c: Implement allowlist match (exact, case-insensitive host, case-sensitive scheme/port)
  • 2d: Reject missing / malformed / non-allowlisted Origin with 403 forbidden_origin before ticket validation
  • 2e: Augment the success tracing::info! with origin; add tracing::warn! on rejection (never log the ticket)
  • 2f: Verify cargo check -p pm-web and cargo clippy --all-targets pass

Phase 3: Tests (Issue 3)

  • 3a: Add crates/pm-web/tests/ and a build_test_app harness (no DB, minimal AppState)
  • 3b: Add ws_rejects_missing_origin test
  • 3c: Add ws_rejects_disallowed_origin test
  • 3d: Add ws_rejects_malformed_origin test
  • 3e: Add ws_allows_listed_origin_with_valid_ticket test (asserts ticket is consumed)
  • 3f: Add ws_default_origin_derived_from_sso_callback_url config-derivation test
  • 3g: Verify cargo test -p pm-web passes

Phase 4: Documentation

  • 4a: Update docs/security-review.md with a new control row for the WS Origin allowlist
  • 4b: (Optional, per Kelly) bump SPEC.md to 0.0.3 with a sentence in the Security section

Phase 5: Review

  • 5a: Self-review against the 10-point acceptance criteria in the spec
  • 5b: Commit on a feature branch (issue/10-ws-origin-check) per git-workflow skill
  • 5c: Lessons captured below

Lessons Learned (this issue)

(filled in at completion)

  • SSO callback must redirect, not return JSON — Browser OAuth2 flows require the backend to redirect to the frontend SPA, not return JSON tokens. The frontend must parse tokens from URL query parameters.
  • URLSearchParams.get() already decodes — Don't double-decode with decodeURIComponent() when using URLSearchParams.
  • JWKS caching prevents rate-limiting — Azure AD JWKS endpoint should be cached with TTL (1 hour) to avoid fetching on every SSO login.
  • tokio::sync::Mutex over std::sync::Mutex — Axum handlers must be Send; std::sync::MutexGuard is not Send across await points.
  • DashMap session cleanup — In-memory session stores (DashMap) need periodic cleanup tasks to prevent memory leaks. Pattern: tokio::spawn with interval + retain with time-based cutoff.

Host Self-Enrollment Implementation Plan

Phases

Phase 1: Database & Core Models

  • 1a: Create SQL migration for enrollment_requests table
  • 1b: Define Rust data models for EnrollmentRequest in pm-core
  • 1c: Add DB interaction methods (insert, list, delete) in pm-core

Phase 2: Client-Facing API (pm-web)

  • 2a: Implement POST /api/v1/enroll to accept payloads and generate polling_token
  • 2b: Implement GET /api/v1/enroll/status/{token} to return pending/approved (PKI) statuses
  • 2c: Implement IP-based rate limiting for the /enroll endpoint

Phase 3: Admin-Facing API (pm-web)

  • 3a: Implement GET /api/v1/admin/enrollments to list pending queue
  • 3b: Implement POST /api/v1/admin/enrollments/{id}/approve (generate PKI via pm-ca, migrate to hosts table)
  • 3c: Implement DELETE /api/v1/admin/enrollments/{id}/deny to purge request

Phase 4: Background Workers (pm-worker)

  • 4a: Create a scheduled task to purge enrollment_requests older than 24 hours

Phase 5: Frontend UI (pm-web/React)

  • 5a: Add enrollment API methods and types to frontend
  • 5b: Update Hosts view to include "Pending Enrollments" filter and visual badge
  • 5c: Render pending hosts in the table with highlight styling
  • 5d: Add Approve/Deny action buttons to pending host rows
  • 5e: Implement "merge/overwrite" interactive modal for fqdn/ip_address collisions on approval