roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

Browse Source 
P0 — Broken functionality:
- Fix 12+ endpoints with wrong manager method signatures (email/calendar/file/routing)
- Fix email_manager.delete_email_user() missing domain arg
- Fix cell-link DNS forwarding wiped on every peer change (generate_corefile now
  accepts cell_links param; add/remove_cell_dns_forward no longer clobber the file)
- Fix Flask SECRET_KEY regenerating on every restart (persisted to DATA_DIR)
- Fix _next_peer_ip exhaustion returning 500 instead of 409
- Fix ConfigManager Caddyfile path (/app/config-caddy/)
- Fix UI double-add and wrong-key peer bugs in Peers.jsx / WireGuard.jsx
- Remove hardcoded credentials from Dashboard.jsx

P1 — Security:
- CSRF token validation on all POST/PUT/DELETE/PATCH to /api/* (double-submit pattern)
- enforce_auth: 503 only when users file readable but empty; never bypass on IOError
- WireGuard add_cell_peer: validate pubkey, name, endpoint against strict regexes
- DNS add_cell_dns_forward: validate IP and domain; reject injection chars
- DNS zone write: realpath containment + record content validation
- iptables comment /32 suffix prevents substring match deleting wrong peer rules
- is_local_request() trusts only loopback + 172.16.0.0/12 (Docker bridge)
- POST /api/containers: volume allow-list prevents arbitrary host mounts
- file_manager: bcrypt ($2b→$2y) for WebDAV; realpath containment in delete_user
- email/calendar: stop persisting plaintext passwords in user records
- routing_manager: validate IPs, networks, and interface names
- peer_registry: write peers.json at mode 0o600
- vault_manager: Fernet key file at mode 0o600
- CORS: lock down to explicit origin list
- domain/cell_name validation: reject newline, brace, semicolon injection chars

P2 — Architecture:
- Peer add: rollback registry entry if firewall rules fail post-add
- restart_service(): base class now calls _restart_container(); email and calendar
  managers call cell-mail / cell-radicale respectively
- email/calendar managers sync user list (no passwords) to cell_config.json
- Pending-restart flag cleared only after helper subprocess exits with code 0
- docker-compose.yml: add config-caddy volume to API container

P3 — Tests (854 → 1020):
- Fill test_email_endpoints.py, test_calendar_endpoints.py,
  test_network_endpoints.py, test_routing_endpoints.py
- New: test_peer_management_update.py, test_peer_management_edge_cases.py,
  test_input_validation.py, test_enforce_auth_configured.py,
  test_cell_link_dns.py, test_logs_endpoints.py, test_cells_endpoints.py,
  test_is_local_request_per_endpoint.py, test_caddy_routing.py
- E2E conftest: skip WireGuard suite when wg-quick absent
- Update existing tests to match fixed signatures and comment formats

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-04-27 11:30:21 -04:00
parent 0c12e3fc97
commit a43f9fbf0d
47 changed files with 4578 additions and 579 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api/calendar_manager.py
+38 -7
View File
@@ -255,9 +255,14 @@ class CalendarManager(BaseServiceManager):
return False
# Create new user
# SECURITY: Do NOT persist the plaintext password here. The calendar
# password is the same as the user's VPN auth password and storing
# it in plain JSON would leak every user credential if this file is
# read. Auth verification goes through auth_manager; the actual
# CalDAV/CardDAV auth is handled by the cell-radicale container
# (htpasswd file). This JSON is metadata only.
new_user = {
'username': username,
'password': password, # In production, this should be hashed
'calendars_count': 0,
'events_count': 0,
'created_at': datetime.utcnow().isoformat(),
@@ -267,11 +272,14 @@ class CalendarManager(BaseServiceManager):
users.append(new_user)
self._save_users(users)
# Sync user list to cell_config.json (best-effort, non-fatal)
self._sync_users_to_cell_config()
# Create user directory
user_dir = os.path.join(self.calendar_data_dir, 'users', username)
self.safe_makedirs(user_dir)
logger.info(f"Created calendar user: {username}")
return True
except Exception as e:
@@ -288,13 +296,16 @@ class CalendarManager(BaseServiceManager):
if user.get('username') == username:
del users[i]
self._save_users(users)
# Sync user list to cell_config.json (best-effort, non-fatal)
self._sync_users_to_cell_config()
# Remove user directory
user_dir = os.path.join(self.calendar_data_dir, 'users', username)
if os.path.exists(user_dir):
import shutil
shutil.rmtree(user_dir)
logger.info(f"Deleted calendar user: {username}")
return True
@@ -446,11 +457,31 @@ class CalendarManager(BaseServiceManager):
except Exception as e:
return self.handle_error(e, "get_metrics")
def _sync_users_to_cell_config(self):
"""Best-effort sync of the calendar user list into cell_config.json via ConfigManager.
Only safe metadata (no passwords) is written. Failures are logged as
warnings so they never block the per-service operation that triggered them.
"""
try:
from config_manager import ConfigManager
cm = ConfigManager()
_SENSITIVE = {'password', 'hashed_password', 'password_hash'}
safe_users = [
{k: v for k, v in u.items() if k not in _SENSITIVE}
for u in self._load_users()
]
existing = cm.get_service_config('calendar')
existing['users'] = safe_users
cm.update_service_config('calendar', existing)
except Exception as e:
self.logger.warning(f"Failed to sync calendar users to cell_config.json: {e}")
def restart_service(self) -> bool:
"""Restart calendar service"""
"""Restart calendar service (restarts the cell-radicale Docker container)."""
try:
logger.info('Calendar service restart requested')
return True
return self._restart_container('cell-radicale')
except Exception as e:
logger.error(f'Failed to restart calendar service: {e}')
return False