fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

P0 — Broken functionality: - Fix 12+ endpoints with wrong manager method signatures (email/calendar/file/routing) - Fix email_manager.delete_email_user() missing domain arg - Fix cell-link DNS forwarding wiped on every peer change (generate_corefile now accepts cell_links param; add/remove_cell_dns_forward no longer clobber the file) - Fix Flask SECRET_KEY regenerating on every restart (persisted to DATA_DIR) - Fix _next_peer_ip exhaustion returning 500 instead of 409 - Fix ConfigManager Caddyfile path (/app/config-caddy/) - Fix UI double-add and wrong-key peer bugs in Peers.jsx / WireGuard.jsx - Remove hardcoded credentials from Dashboard.jsx P1 — Security: - CSRF token validation on all POST/PUT/DELETE/PATCH to /api/* (double-submit pattern) - enforce_auth: 503 only when users file readable but empty; never bypass on IOError - WireGuard add_cell_peer: validate pubkey, name, endpoint against strict regexes - DNS add_cell_dns_forward: validate IP and domain; reject injection chars - DNS zone write: realpath containment + record content validation - iptables comment /32 suffix prevents substring match deleting wrong peer rules - is_local_request() trusts only loopback + 172.16.0.0/12 (Docker bridge) - POST /api/containers: volume allow-list prevents arbitrary host mounts - file_manager: bcrypt ($2b→$2y) for WebDAV; realpath containment in delete_user - email/calendar: stop persisting plaintext passwords in user records - routing_manager: validate IPs, networks, and interface names - peer_registry: write peers.json at mode 0o600 - vault_manager: Fernet key file at mode 0o600 - CORS: lock down to explicit origin list - domain/cell_name validation: reject newline, brace, semicolon injection chars P2 — Architecture: - Peer add: rollback registry entry if firewall rules fail post-add - restart_service(): base class now calls _restart_container(); email and calendar managers call cell-mail / cell-radicale respectively - email/calendar managers sync user list (no passwords) to cell_config.json - Pending-restart flag cleared only after helper subprocess exits with code 0 - docker-compose.yml: add config-caddy volume to API container P3 — Tests (854 → 1020): - Fill test_email_endpoints.py, test_calendar_endpoints.py, test_network_endpoints.py, test_routing_endpoints.py - New: test_peer_management_update.py, test_peer_management_edge_cases.py, test_input_validation.py, test_enforce_auth_configured.py, test_cell_link_dns.py, test_logs_endpoints.py, test_cells_endpoints.py, test_is_local_request_per_endpoint.py, test_caddy_routing.py - E2E conftest: skip WireGuard suite when wg-quick absent - Update existing tests to match fixed signatures and comment formats Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-27 11:30:21 -04:00
parent 0c12e3fc97
commit a43f9fbf0d
47 changed files with 4578 additions and 579 deletions
@@ -299,11 +299,16 @@ class EmailManager(BaseServiceManager):
                    return False
            
            # Create new user
+            # SECURITY: Do NOT persist the plaintext password here. The email
+            # password is the same as the user's VPN auth password and storing
+            # it in plain JSON would leak every user credential if this file
+            # is read. Auth verification goes through auth_manager; the actual
+            # mailbox auth is handled by the cell-mail container (Dovecot),
+            # which has its own credential store. This JSON is metadata only.
            new_user = {
                'username': username,
                'domain': domain,
                'email': f'{username}@{domain}',
-                'password': password,  # In production, this should be hashed
                'quota_limit': quota_limit,
                'quota_used': 0,
                'created_at': datetime.utcnow().isoformat(),
@@ -313,11 +318,14 @@ class EmailManager(BaseServiceManager):
            
            users.append(new_user)
            self._save_users(users)
-            
+
+            # Sync user list to cell_config.json (best-effort, non-fatal)
+            self._sync_users_to_cell_config()
+
            # Create user mailbox directory
            mailbox_dir = os.path.join(self.email_data_dir, 'mailboxes', f'{username}@{domain}')
            self.safe_makedirs(mailbox_dir)
-            
+
            logger.info(f"Created email user: {username}@{domain}")
            return True
        except Exception as e:
@@ -334,13 +342,16 @@ class EmailManager(BaseServiceManager):
                if user.get('username') == username and user.get('domain') == domain:
                    del users[i]
                    self._save_users(users)
-                    
+
+                    # Sync user list to cell_config.json (best-effort, non-fatal)
+                    self._sync_users_to_cell_config()
+
                    # Remove user mailbox directory
                    mailbox_dir = os.path.join(self.email_data_dir, 'mailboxes', f'{username}@{domain}')
                    if os.path.exists(mailbox_dir):
                        import shutil
                        shutil.rmtree(mailbox_dir)
-                    
+
                    logger.info(f"Deleted email user: {username}@{domain}")
                    return True
            
@@ -408,11 +419,35 @@ class EmailManager(BaseServiceManager):
        except Exception as e:
            return self.handle_error(e, "get_metrics")

+    def _sync_users_to_cell_config(self):
+        """Best-effort sync of the email user list into cell_config.json via ConfigManager.
+
+        Only safe metadata (no passwords) is written.  Failures are logged as
+        warnings so they never block the per-service operation that triggered them.
+        """
+        try:
+            # Import here to avoid circular imports and to tolerate environments
+            # where config_manager is not on sys.path.
+            from config_manager import ConfigManager
+            cm = ConfigManager()
+            # Build safe user list: strip any sensitive keys that should not
+            # land in the shared config file.
+            _SENSITIVE = {'password', 'hashed_password', 'password_hash'}
+            safe_users = [
+                {k: v for k, v in u.items() if k not in _SENSITIVE}
+                for u in self._load_users()
+            ]
+            existing = cm.get_service_config('email')
+            existing['users'] = safe_users
+            cm.update_service_config('email', existing)
+        except Exception as e:
+            self.logger.warning(f"Failed to sync email users to cell_config.json: {e}")
+
    def restart_service(self) -> bool:
-        """Restart email service"""
+        """Restart email service (restarts the cell-mail Docker container)."""
        try:
            logger.info('Email service restart requested')
-            return True
+            return self._restart_container('cell-mail')
        except Exception as e:
            logger.error(f'Failed to restart email service: {e}')
            return False