fix(security): A-3 auth middleware coverage fixes

Fixes 9 auth middleware findings from the A-3 recon audit. F-A3-11 CRITICAL: Removed JWT secret from WebAuthMiddleware log output. Replaced emoji-prefixed fmt.Printf with ETHOS-compliant log.Printf. No secret values in any log output. F-A3-7 CRITICAL: Config download now requires WebAuthMiddleware. GET /downloads/config/:agent_id is admin-only (agents never call it). F-A3-6 HIGH: Update package download now requires AuthMiddleware. GET /downloads/updates/:package_id requires valid agent JWT. F-A3-10 HIGH: Scheduler stats changed from AuthMiddleware to WebAuthMiddleware. Agent JWTs can no longer view scheduler internals. F-A3-13 LOW: RequireAdmin() middleware implemented. 7 security settings routes re-enabled (GET/PUT/POST under /security/settings). security_settings.go.broken renamed to .go, API mismatches fixed. F-A3-12 MEDIUM: JWT issuer claims added for token type separation. Agent tokens: issuer=redflag-agent, Web tokens: issuer=redflag-web. AuthMiddleware rejects tokens with wrong issuer. Grace period: tokens with no issuer still accepted (backward compat). F-A3-2 MEDIUM: /auth/verify now has WebAuthMiddleware applied. Endpoint returns 200 with valid=true for valid admin tokens. F-A3-9 MEDIUM: Agent self-unregister (DELETE /:id) now rate-limited using the same agent_reports rate limiter as other agent routes. F-A3-14 LOW: CORS origin configurable via REDFLAG_CORS_ORIGIN env var. Defaults to http://localhost:3000 for development. Added PATCH method and agent-specific headers to CORS config. All 27 server tests pass. All 14 agent tests pass. No regressions. See docs/A3_Fix_Implementation.md and docs/Deviations_Report.md (DEV-020 through DEV-022). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 22:17:40 -04:00
parent ee246771dc
commit 4c62de8d8b
15 changed files with 620 additions and 145 deletions
--- a/aggregator-server/internal/api/middleware/auth.go
+++ b/aggregator-server/internal/api/middleware/auth.go
@@ -1,6 +1,7 @@
 package middleware

 import (
+	"log"
 	"net/http"
 	"strings"
 	"time"
@@ -19,11 +20,18 @@ type AgentClaims struct {
 // JWTSecret is set by the server at initialization
 var JWTSecret string

+// JWT issuer constants for token type differentiation (F-A3-12 fix)
+const (
+	JWTIssuerAgent = "redflag-agent"
+	JWTIssuerWeb   = "redflag-web"
+)
+
 // GenerateAgentToken creates a new JWT token for an agent
 func GenerateAgentToken(agentID uuid.UUID) (string, error) {
 	claims := AgentClaims{
 		AgentID: agentID,
 		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    JWTIssuerAgent,
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(24 * time.Hour)),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 		},
@@ -61,6 +69,17 @@ func AuthMiddleware() gin.HandlerFunc {
 		}

 		if claims, ok := token.Claims.(*AgentClaims); ok {
+			// F-A3-12: Validate issuer to prevent cross-type token confusion
+			if claims.Issuer != "" && claims.Issuer != JWTIssuerAgent {
+				log.Printf("[WARNING] [server] [auth] wrong_token_issuer expected=%s got=%s", JWTIssuerAgent, claims.Issuer)
+				c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid token type"})
+				c.Abort()
+				return
+			}
+			// TODO: remove issuer-absent grace period after 30 days (backward compat for deployed agents)
+			if claims.Issuer == "" {
+				log.Printf("[WARNING] [server] [auth] agent_token_missing_issuer agent_id=%s", claims.AgentID)
+			}
 			c.Set("agent_id", claims.AgentID)
 			c.Next()
 		} else {
--- a/aggregator-server/internal/api/middleware/cors.go
+++ b/aggregator-server/internal/api/middleware/cors.go
@@ -1,17 +1,27 @@
 package middleware

 import (
+	"log"
 	"net/http"
+	"os"

 	"github.com/gin-gonic/gin"
 )

 // CORSMiddleware handles Cross-Origin Resource Sharing
+// Origin is configurable via REDFLAG_CORS_ORIGIN environment variable.
+// Defaults to http://localhost:3000 for development.
 func CORSMiddleware() gin.HandlerFunc {
+	origin := os.Getenv("REDFLAG_CORS_ORIGIN")
+	if origin == "" {
+		origin = "http://localhost:3000"
+	}
+	log.Printf("[INFO] [server] [cors] cors_origin_set origin=%q", origin)
+
 	return func(c *gin.Context) {
-		c.Header("Access-Control-Allow-Origin", "http://localhost:3000")
-		c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
-		c.Header("Access-Control-Allow-Headers", "Origin, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
+		c.Header("Access-Control-Allow-Origin", origin)
+		c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
+		c.Header("Access-Control-Allow-Headers", "Origin, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, X-Machine-ID, X-Agent-Version, X-Update-Nonce")
 		c.Header("Access-Control-Expose-Headers", "Content-Length")
 		c.Header("Access-Control-Allow-Credentials", "true")

--- a/aggregator-server/internal/api/middleware/require_admin.go
+++ b/aggregator-server/internal/api/middleware/require_admin.go
@@ -0,0 +1,44 @@
+package middleware
+
+import (
+	"log"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
+
+// RequireAdmin is a middleware that checks if the authenticated user has admin role.
+// Must be used AFTER WebAuthMiddleware which sets user_id and role in context.
+// Returns 403 if the user is not an admin.
+func RequireAdmin() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// WebAuthMiddleware sets user_id from UserClaims
+		userID, exists := c.Get("user_id")
+		if !exists {
+			log.Printf("[WARNING] [server] [auth] require_admin called without user_id in context")
+			c.JSON(http.StatusForbidden, gin.H{"error": "admin access required"})
+			c.Abort()
+			return
+		}
+
+		// Check role from context (set by WebAuthMiddleware from UserClaims)
+		role, exists := c.Get("user_role")
+		if !exists {
+			// Fallback: if role is not in context, deny access
+			log.Printf("[WARNING] [server] [auth] non_admin_access_attempt user_id=%v role=unknown", userID)
+			c.JSON(http.StatusForbidden, gin.H{"error": "admin access required"})
+			c.Abort()
+			return
+		}
+
+		roleStr, ok := role.(string)
+		if !ok || roleStr != "admin" {
+			log.Printf("[WARNING] [server] [auth] non_admin_access_attempt user_id=%v role=%v", userID, role)
+			c.JSON(http.StatusForbidden, gin.H{"error": "admin access required"})
+			c.Abort()
+			return
+		}
+
+		c.Next()
+	}
+}
--- a/aggregator-server/internal/api/middleware/require_admin_behavior_test.go
+++ b/aggregator-server/internal/api/middleware/require_admin_behavior_test.go
@@ -1,53 +1,37 @@
-//go:build ignore
-// +build ignore
-
 package middleware_test

 // require_admin_behavior_test.go — Behavioral test for RequireAdmin middleware.
 //
-// This file is build-tagged //go:build ignore because RequireAdmin() does
-// not exist yet (BUG F-A3-13). Enable this test when the middleware is
-// implemented by removing the build tag.
-//
-// Test 6.2 — RequireAdmin blocks non-admin users
-//
-// Category: FAIL-NOW / PASS-AFTER-FIX
-// Cannot compile until F-A3-13 is fixed.
+// POST-FIX (F-A3-13): RequireAdmin() is now implemented.
+// Build tag removed — test compiles and runs.

 import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
-	"time"

 	"github.com/Fimeg/RedFlag/aggregator-server/internal/api/middleware"
 	"github.com/gin-gonic/gin"
-	"github.com/golang-jwt/jwt/v5"
 )

 func TestRequireAdminBlocksNonAdminUsers(t *testing.T) {
-	testSecret := "admin-test-secret"
-	middleware.JWTSecret = testSecret
-
 	router := gin.New()
-	router.Use(middleware.RequireAdmin()) // Will not compile until implemented
+
+	// Simulate WebAuthMiddleware having set user_id and user_role
+	router.Use(func(c *gin.Context) {
+		role := c.GetHeader("X-Test-Role")
+		c.Set("user_id", "test-user-1")
+		c.Set("user_role", role)
+		c.Next()
+	})
+	router.Use(middleware.RequireAdmin())
 	router.GET("/admin-only", func(c *gin.Context) {
 		c.JSON(http.StatusOK, gin.H{"admin": true})
 	})

 	// Test A: non-admin user should be blocked
-	nonAdminClaims := jwt.MapClaims{
-		"user_id":  "2",
-		"username": "viewer",
-		"role":     "viewer",
-		"exp":      jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
-		"iat":      jwt.NewNumericDate(time.Now()),
-	}
-	nonAdminToken := jwt.NewWithClaims(jwt.SigningMethodHS256, nonAdminClaims)
-	nonAdminSigned, _ := nonAdminToken.SignedString([]byte(testSecret))
-
 	req := httptest.NewRequest("GET", "/admin-only", nil)
-	req.Header.Set("Authorization", "Bearer "+nonAdminSigned)
+	req.Header.Set("X-Test-Role", "viewer")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)

@@ -56,22 +40,14 @@ func TestRequireAdminBlocksNonAdminUsers(t *testing.T) {
 	}

 	// Test B: admin user should pass
-	adminClaims := jwt.MapClaims{
-		"user_id":  "1",
-		"username": "admin",
-		"role":     "admin",
-		"exp":      jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
-		"iat":      jwt.NewNumericDate(time.Now()),
-	}
-	adminToken := jwt.NewWithClaims(jwt.SigningMethodHS256, adminClaims)
-	adminSigned, _ := adminToken.SignedString([]byte(testSecret))
-
 	req2 := httptest.NewRequest("GET", "/admin-only", nil)
-	req2.Header.Set("Authorization", "Bearer "+adminSigned)
+	req2.Header.Set("X-Test-Role", "admin")
 	rec2 := httptest.NewRecorder()
 	router.ServeHTTP(rec2, req2)

-	if rec2.Code == http.StatusForbidden || rec2.Code == http.StatusUnauthorized {
+	if rec2.Code != http.StatusOK {
 		t.Errorf("[ERROR] [server] [middleware] admin user got %d, expected 200", rec2.Code)
 	}
+
+	t.Log("[INFO] [server] [middleware] F-A3-13 FIXED: RequireAdmin correctly blocks non-admin users")
 }
--- a/aggregator-server/internal/api/middleware/scheduler_auth_test.go
+++ b/aggregator-server/internal/api/middleware/scheduler_auth_test.go
@@ -16,6 +16,7 @@ import (
 	"testing"
 	"time"

+	"github.com/Fimeg/RedFlag/aggregator-server/internal/api/handlers"
 	"github.com/Fimeg/RedFlag/aggregator-server/internal/api/middleware"
 	"github.com/gin-gonic/gin"
 	"github.com/golang-jwt/jwt/v5"
@@ -28,6 +29,7 @@ func makeAgentJWT(t *testing.T, secret string) string {
 	claims := middleware.AgentClaims{
 		AgentID: uuid.New(),
 		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    middleware.JWTIssuerAgent,
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 		},
@@ -52,32 +54,30 @@ func makeAgentJWT(t *testing.T, secret string) string {
 // ---------------------------------------------------------------------------

 func TestSchedulerStatsRequiresAdminAuth(t *testing.T) {
+	// POST-FIX (F-A3-10): Route now uses WebAuthMiddleware (admin JWT required).
+	// Agent JWTs are rejected because WebAuthMiddleware expects UserClaims.
 	testSecret := "scheduler-test-secret"
 	middleware.JWTSecret = testSecret

-	// Current state: route uses AuthMiddleware (agent JWT accepted)
-	// This mirrors the bug in main.go:627
+	authHandler := handlers.NewAuthHandler(testSecret, nil)
+
 	router := gin.New()
-	router.Use(middleware.AuthMiddleware())
+	router.Use(authHandler.WebAuthMiddleware())
 	router.GET("/api/v1/scheduler/stats", func(c *gin.Context) {
 		c.JSON(http.StatusOK, gin.H{"scheduler": "stats"})
 	})

-	// Create a valid agent JWT
+	// Agent JWT should be rejected
 	agentToken := makeAgentJWT(t, testSecret)
-
 	req := httptest.NewRequest("GET", "/api/v1/scheduler/stats", nil)
 	req.Header.Set("Authorization", "Bearer "+agentToken)
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)

-	// After fix: agent JWT should be rejected (route uses WebAuthMiddleware)
-	// Currently: agent JWT is accepted (200) — this assertion FAILS
 	if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
-		t.Errorf("[ERROR] [server] [scheduler] agent JWT accepted on scheduler stats (got %d, expected 401/403).\n"+
-			"BUG F-A3-10: scheduler stats accessible to any registered agent.\n"+
-			"After fix: change AuthMiddleware to WebAuthMiddleware on this route.", rec.Code)
+		t.Errorf("[ERROR] [server] [scheduler] agent JWT accepted on scheduler stats (got %d, expected 401/403)", rec.Code)
 	}
+	t.Logf("[INFO] [server] [scheduler] F-A3-10 FIXED: agent JWT rejected on scheduler stats (%d)", rec.Code)
 }

 // ---------------------------------------------------------------------------
@@ -91,11 +91,14 @@ func TestSchedulerStatsRequiresAdminAuth(t *testing.T) {
 // ---------------------------------------------------------------------------

 func TestSchedulerStatsCurrentlyAcceptsAgentJWT(t *testing.T) {
+	// POST-FIX (F-A3-10): Agent JWT is now rejected on scheduler stats.
 	testSecret := "scheduler-test-secret-2"
 	middleware.JWTSecret = testSecret

+	authHandler := handlers.NewAuthHandler(testSecret, nil)
+
 	router := gin.New()
-	router.Use(middleware.AuthMiddleware())
+	router.Use(authHandler.WebAuthMiddleware())
 	router.GET("/api/v1/scheduler/stats", func(c *gin.Context) {
 		c.JSON(http.StatusOK, gin.H{"scheduler": "stats"})
 	})
@@ -107,12 +110,9 @@ func TestSchedulerStatsCurrentlyAcceptsAgentJWT(t *testing.T) {
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)

-	// This PASSES now (bug present) — agent JWT is accepted
-	if rec.Code == http.StatusUnauthorized || rec.Code == http.StatusForbidden {
-		t.Errorf("[ERROR] [server] [scheduler] BUG F-A3-10 already fixed: "+
-			"agent JWT rejected (%d). Update this test.", rec.Code)
+	// POST-FIX: agent JWT must be rejected
+	if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
+		t.Errorf("[ERROR] [server] [scheduler] agent JWT still accepted (%d), expected 401/403", rec.Code)
 	}
-
-	t.Logf("[INFO] [server] [scheduler] BUG F-A3-10 confirmed: agent JWT accepted, got %d", rec.Code)
-	t.Log("[INFO] [server] [scheduler] after fix: this test will FAIL (update to assert 401)")
+	t.Log("[INFO] [server] [scheduler] F-A3-10 FIXED: agent JWT rejected on scheduler stats")
 }
--- a/aggregator-server/internal/api/middleware/token_confusion_test.go
+++ b/aggregator-server/internal/api/middleware/token_confusion_test.go
@@ -25,7 +25,7 @@ import (
 	"github.com/google/uuid"
 )

-// makeWebJWT creates a valid web/admin JWT for testing
+// makeWebJWT creates a valid web/admin JWT with correct issuer for testing
 func makeWebJWT(t *testing.T, secret string) string {
 	t.Helper()
 	claims := handlers.UserClaims{
@@ -33,6 +33,7 @@ func makeWebJWT(t *testing.T, secret string) string {
 		Username: "admin",
 		Role:     "admin",
 		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    "redflag-web",
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 		},
@@ -57,6 +58,8 @@ func makeWebJWT(t *testing.T, secret string) string {
 // ---------------------------------------------------------------------------

 func TestWebTokenRejectedByAgentAuthMiddleware(t *testing.T) {
+	// POST-FIX (F-A3-12): Web token with issuer=redflag-web is rejected by
+	// agent AuthMiddleware which validates issuer=redflag-agent.
 	sharedSecret := "shared-secret-confusion-test"
 	middleware.JWTSecret = sharedSecret

@@ -71,7 +74,7 @@ func TestWebTokenRejectedByAgentAuthMiddleware(t *testing.T) {
 		c.JSON(http.StatusOK, gin.H{"agent_id": agentID})
 	})

-	// Create a web JWT (UserClaims with UserID, Username, Role)
+	// Web JWT with issuer=redflag-web
 	webToken := makeWebJWT(t, sharedSecret)

 	req := httptest.NewRequest("GET", "/agent-route", nil)
@@ -79,16 +82,10 @@ func TestWebTokenRejectedByAgentAuthMiddleware(t *testing.T) {
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)

-	// A web token SHOULD be rejected by agent middleware.
-	// If the claims parsing is strict enough, it will return 401.
-	// If not, the token passes — documenting the confusion risk.
 	if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
-		t.Errorf("[ERROR] [server] [auth] web JWT accepted by agent AuthMiddleware (got %d).\n"+
-			"BUG F-A3-12: cross-type token confusion — web token passes agent auth.\n"+
-			"After fix: add issuer/audience claims or use separate signing secrets.", rec.Code)
-	} else {
-		t.Logf("[INFO] [server] [auth] web JWT rejected by agent AuthMiddleware (%d) — claims parsing caught it", rec.Code)
+		t.Errorf("[ERROR] [server] [auth] web JWT accepted by agent AuthMiddleware (got %d, expected 401)", rec.Code)
 	}
+	t.Logf("[INFO] [server] [auth] F-A3-12 FIXED: web JWT rejected by agent middleware (%d)", rec.Code)
 }

 // ---------------------------------------------------------------------------
@@ -102,6 +99,8 @@ func TestWebTokenRejectedByAgentAuthMiddleware(t *testing.T) {
 // ---------------------------------------------------------------------------

 func TestAgentTokenRejectedByWebAuthMiddleware(t *testing.T) {
+	// POST-FIX (F-A3-12): Agent token with issuer=redflag-agent is rejected by
+	// WebAuthMiddleware which validates issuer=redflag-web.
 	sharedSecret := "shared-secret-confusion-test-2"
 	middleware.JWTSecret = sharedSecret

@@ -118,10 +117,11 @@ func TestAgentTokenRejectedByWebAuthMiddleware(t *testing.T) {
 		c.JSON(http.StatusOK, gin.H{"user_id": userID})
 	})

-	// Create an agent JWT (AgentClaims with AgentID uuid.UUID)
+	// Agent JWT with issuer=redflag-agent
 	agentClaims := middleware.AgentClaims{
 		AgentID: uuid.New(),
 		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    middleware.JWTIssuerAgent,
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 		},
@@ -137,12 +137,8 @@ func TestAgentTokenRejectedByWebAuthMiddleware(t *testing.T) {
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)

-	// An agent token SHOULD be rejected by web middleware.
 	if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
-		t.Errorf("[ERROR] [server] [auth] agent JWT accepted by WebAuthMiddleware (got %d).\n"+
-			"BUG F-A3-12: cross-type token confusion — agent token passes admin auth.\n"+
-			"After fix: add issuer/audience claims or use separate signing secrets.", rec.Code)
-	} else {
-		t.Logf("[INFO] [server] [auth] agent JWT rejected by WebAuthMiddleware (%d) — claims parsing caught it", rec.Code)
+		t.Errorf("[ERROR] [server] [auth] agent JWT accepted by WebAuthMiddleware (got %d, expected 401)", rec.Code)
 	}
+	t.Logf("[INFO] [server] [auth] F-A3-12 FIXED: agent JWT rejected by web middleware (%d)", rec.Code)
 }