fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests
P0 — Broken functionality: - Fix 12+ endpoints with wrong manager method signatures (email/calendar/file/routing) - Fix email_manager.delete_email_user() missing domain arg - Fix cell-link DNS forwarding wiped on every peer change (generate_corefile now accepts cell_links param; add/remove_cell_dns_forward no longer clobber the file) - Fix Flask SECRET_KEY regenerating on every restart (persisted to DATA_DIR) - Fix _next_peer_ip exhaustion returning 500 instead of 409 - Fix ConfigManager Caddyfile path (/app/config-caddy/) - Fix UI double-add and wrong-key peer bugs in Peers.jsx / WireGuard.jsx - Remove hardcoded credentials from Dashboard.jsx P1 — Security: - CSRF token validation on all POST/PUT/DELETE/PATCH to /api/* (double-submit pattern) - enforce_auth: 503 only when users file readable but empty; never bypass on IOError - WireGuard add_cell_peer: validate pubkey, name, endpoint against strict regexes - DNS add_cell_dns_forward: validate IP and domain; reject injection chars - DNS zone write: realpath containment + record content validation - iptables comment /32 suffix prevents substring match deleting wrong peer rules - is_local_request() trusts only loopback + 172.16.0.0/12 (Docker bridge) - POST /api/containers: volume allow-list prevents arbitrary host mounts - file_manager: bcrypt ($2b→$2y) for WebDAV; realpath containment in delete_user - email/calendar: stop persisting plaintext passwords in user records - routing_manager: validate IPs, networks, and interface names - peer_registry: write peers.json at mode 0o600 - vault_manager: Fernet key file at mode 0o600 - CORS: lock down to explicit origin list - domain/cell_name validation: reject newline, brace, semicolon injection chars P2 — Architecture: - Peer add: rollback registry entry if firewall rules fail post-add - restart_service(): base class now calls _restart_container(); email and calendar managers call cell-mail / cell-radicale respectively - email/calendar managers sync user list (no passwords) to cell_config.json - Pending-restart flag cleared only after helper subprocess exits with code 0 - docker-compose.yml: add config-caddy volume to API container P3 — Tests (854 → 1020): - Fill test_email_endpoints.py, test_calendar_endpoints.py, test_network_endpoints.py, test_routing_endpoints.py - New: test_peer_management_update.py, test_peer_management_edge_cases.py, test_input_validation.py, test_enforce_auth_configured.py, test_cell_link_dns.py, test_logs_endpoints.py, test_cells_endpoints.py, test_is_local_request_per_endpoint.py, test_caddy_routing.py - E2E conftest: skip WireGuard suite when wg-quick absent - Update existing tests to match fixed signatures and comment formats Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -24,9 +24,9 @@ function Dashboard({ isOnline }) {
|
||||
const { domain = 'cell', cell_name = 'mycell' } = useConfig();
|
||||
const SERVICES = [
|
||||
{ name: 'Cell Home', url: `http://${cell_name}.${domain}`, desc: 'Main UI — no login needed' },
|
||||
{ name: 'Calendar', url: `http://calendar.${domain}`, desc: 'Login: your WireGuard username' },
|
||||
{ name: 'Files', url: `http://files.${domain}`, desc: 'Login: admin / admin123' },
|
||||
{ name: 'Webmail', url: `http://mail.${domain}`, desc: 'Login: admin@rainloop.net / 12345' },
|
||||
{ name: 'Calendar', url: `http://calendar.${domain}`, desc: 'Use your configured account credentials' },
|
||||
{ name: 'Files', url: `http://files.${domain}`, desc: 'Use your configured account credentials' },
|
||||
{ name: 'Webmail', url: `http://mail.${domain}`, desc: 'Use your configured account credentials' },
|
||||
];
|
||||
const [cellStatus, setCellStatus] = useState(null);
|
||||
const [servicesStatus, setServicesStatus] = useState(null);
|
||||
|
||||
@@ -191,13 +191,6 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
|
||||
password: formData.password,
|
||||
};
|
||||
const addResult = await peerRegistryAPI.addPeer(peerData);
|
||||
const assignedIp = addResult.data?.ip;
|
||||
await wireguardAPI.addPeer({
|
||||
name: formData.name,
|
||||
public_key: publicKey,
|
||||
allowed_ips: assignedIp ? `${assignedIp}/32` : `${peerData.ip}/32`,
|
||||
persistent_keepalive: formData.persistent_keepalive,
|
||||
});
|
||||
|
||||
if (formData.create_calendar) {
|
||||
try {
|
||||
@@ -268,7 +261,7 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
|
||||
const handleRemovePeer = async (peerName) => {
|
||||
if (!window.confirm(`Remove peer "${peerName}"?`)) return;
|
||||
try {
|
||||
await Promise.all([peerRegistryAPI.removePeer(peerName), wireguardAPI.removePeer({ name: peerName })]);
|
||||
await peerRegistryAPI.removePeer(peerName);
|
||||
fetchPeers();
|
||||
showToast(`Peer "${peerName}" removed.`);
|
||||
} catch { showToast('Failed to remove peer', 'error'); }
|
||||
|
||||
@@ -66,26 +66,29 @@ function WireGuard() {
|
||||
const peersData = peersResponse.data || [];
|
||||
const wireguardPeers = wireguardResponse.data || [];
|
||||
|
||||
// Create a map of WireGuard peers by name for quick lookup
|
||||
// Create a map of WireGuard peers by public_key for quick lookup
|
||||
const wireguardMap = {};
|
||||
wireguardPeers.forEach(peer => {
|
||||
wireguardMap[peer.name] = peer;
|
||||
if (peer.public_key) wireguardMap[peer.public_key] = peer;
|
||||
});
|
||||
|
||||
|
||||
// Merge the data
|
||||
const mergedPeers = peersData.map(peer => ({
|
||||
...peer,
|
||||
...wireguardMap[peer.peer || peer.name],
|
||||
name: peer.peer || peer.name,
|
||||
status: 'Online', // For now, assume all peers are online
|
||||
type: 'WireGuard',
|
||||
// Preserve important fields that might be overwritten
|
||||
private_key: peer.private_key,
|
||||
server_public_key: peer.server_public_key,
|
||||
server_endpoint: peer.server_endpoint,
|
||||
allowed_ips: peer.allowed_ips || wireguardMap[peer.peer || peer.name]?.AllowedIPs || '0.0.0.0/0',
|
||||
persistent_keepalive: peer.persistent_keepalive || wireguardMap[peer.peer || peer.name]?.PersistentKeepalive || 25
|
||||
}));
|
||||
const mergedPeers = peersData.map(peer => {
|
||||
const wgEntry = wireguardMap[peer.public_key] || {};
|
||||
return {
|
||||
...peer,
|
||||
...wgEntry,
|
||||
// Registry fields always win over wg0.conf fields for name/keys/endpoint
|
||||
name: peer.peer || peer.name,
|
||||
type: 'WireGuard',
|
||||
private_key: peer.private_key,
|
||||
server_public_key: peer.server_public_key,
|
||||
server_endpoint: peer.server_endpoint,
|
||||
public_key: peer.public_key,
|
||||
allowed_ips: peer.allowed_ips || wgEntry.allowed_ips || '0.0.0.0/0',
|
||||
persistent_keepalive: peer.persistent_keepalive || wgEntry.persistent_keepalive || 25,
|
||||
};
|
||||
});
|
||||
|
||||
// Load all peer statuses in one call (keyed by public_key)
|
||||
let liveStatuses = {};
|
||||
|
||||
@@ -1,5 +1,16 @@
|
||||
import axios from 'axios';
|
||||
|
||||
// Module-level CSRF token — populated after login or token refresh
|
||||
let _csrfToken = null;
|
||||
|
||||
/**
|
||||
* Update the module-level CSRF token.
|
||||
* Call this after a successful login with the token returned in the response body.
|
||||
*/
|
||||
export function setCsrfToken(token) {
|
||||
_csrfToken = token;
|
||||
}
|
||||
|
||||
// Create axios instance with base configuration
|
||||
const api = axios.create({
|
||||
baseURL: import.meta.env.VITE_API_URL || '',
|
||||
@@ -10,10 +21,16 @@ const api = axios.create({
|
||||
},
|
||||
});
|
||||
|
||||
// Request interceptor for logging
|
||||
// Request interceptor — logging + CSRF header injection
|
||||
api.interceptors.request.use(
|
||||
(config) => {
|
||||
console.log(`API Request: ${config.method?.toUpperCase()} ${config.url}`);
|
||||
// Attach CSRF token for all state-changing methods
|
||||
const method = (config.method || 'get').toLowerCase();
|
||||
if (['post', 'put', 'delete', 'patch'].includes(method) && _csrfToken) {
|
||||
config.headers = config.headers || {};
|
||||
config.headers['X-CSRF-Token'] = _csrfToken;
|
||||
}
|
||||
return config;
|
||||
},
|
||||
(error) => {
|
||||
@@ -22,13 +39,36 @@ api.interceptors.request.use(
|
||||
}
|
||||
);
|
||||
|
||||
// Response interceptor for error handling
|
||||
// Response interceptor — error handling + CSRF token refresh on 403
|
||||
api.interceptors.response.use(
|
||||
(response) => {
|
||||
return response;
|
||||
},
|
||||
(error) => {
|
||||
async (error) => {
|
||||
console.error('API Response Error:', error.response?.data || error.message);
|
||||
|
||||
// Handle CSRF token expiry: refresh the token and retry the original request once
|
||||
if (
|
||||
error.response?.status === 403 &&
|
||||
error.response?.data?.error === 'CSRF token missing or invalid' &&
|
||||
!error.config._csrfRetry
|
||||
) {
|
||||
try {
|
||||
const refreshResp = await api.get('/api/auth/csrf-token');
|
||||
const newToken = refreshResp.data?.csrf_token;
|
||||
if (newToken) {
|
||||
setCsrfToken(newToken);
|
||||
// Retry the original request with the new token
|
||||
const retryConfig = { ...error.config, _csrfRetry: true };
|
||||
retryConfig.headers = retryConfig.headers || {};
|
||||
retryConfig.headers['X-CSRF-Token'] = newToken;
|
||||
return api(retryConfig);
|
||||
}
|
||||
} catch (refreshErr) {
|
||||
console.error('CSRF token refresh failed:', refreshErr);
|
||||
}
|
||||
}
|
||||
|
||||
if (
|
||||
error.response?.status === 401 &&
|
||||
!error.config.url.includes('/auth/login') &&
|
||||
@@ -107,12 +147,19 @@ export const peerRegistryAPI = {
|
||||
|
||||
// Auth API
|
||||
export const authAPI = {
|
||||
login: (username, password) => api.post('/api/auth/login', { username, password }),
|
||||
login: async (username, password) => {
|
||||
const response = await api.post('/api/auth/login', { username, password });
|
||||
if (response.data?.csrf_token) {
|
||||
setCsrfToken(response.data.csrf_token);
|
||||
}
|
||||
return response;
|
||||
},
|
||||
logout: () => api.post('/api/auth/logout'),
|
||||
me: () => api.get('/api/auth/me'),
|
||||
changePassword: (old_password, new_password) => api.post('/api/auth/change-password', { old_password, new_password }),
|
||||
adminResetPassword: (username, new_password) => api.post('/api/auth/admin/reset-password', { username, new_password }),
|
||||
listUsers: () => api.get('/api/auth/users'),
|
||||
getCsrfToken: () => api.get('/api/auth/csrf-token'),
|
||||
};
|
||||
|
||||
// Peer-facing dashboard API
|
||||
|
||||
Reference in New Issue
Block a user