fix(security): Implement Phase 1 critical security fixes

CORS:
- Restrict CORS to DASHBOARD_URL environment variable
- Default to production dashboard domain

Authentication:
- Add AuthUser requirement to all agent management endpoints
- Add AuthUser requirement to all command endpoints
- Add AuthUser requirement to all metrics endpoints
- Add audit logging for command execution (user_id tracked)

Agent Security:
- Replace Unicode characters with ASCII markers [OK]/[ERROR]/[WARNING]
- Add certificate pinning for update downloads (allowlist domains)
- Fix insecure temp file creation (use /var/run/gururmm with 0700 perms)
- Fix rollback script backgrounding (use setsid instead of literal &)

Dashboard Security:
- Move token storage from localStorage to sessionStorage
- Add proper TypeScript types (remove 'any' from error handlers)
- Centralize token management functions

Legacy Agent:
- Add -AllowInsecureTLS parameter (opt-in required)
- Add Windows Event Log audit trail when insecure mode used
- Update documentation with security warnings

Closes: Phase 1 items in issue #1

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
2026-01-20 21:16:24 -07:00
parent fece688c3a
commit 48a177c61a
15 changed files with 1708 additions and 99 deletions

View File

@@ -8,6 +8,7 @@ use axum::{
use serde::{Deserialize, Serialize};
use uuid::Uuid;
use crate::auth::AuthUser;
use crate::db::{self, AgentResponse, AgentStats};
use crate::ws::{generate_api_key, hash_api_key};
use crate::AppState;
@@ -29,10 +30,20 @@ pub struct RegisterAgentRequest {
}
/// Register a new agent (generates API key)
/// Requires authentication to prevent unauthorized agent registration.
pub async fn register_agent(
State(state): State<AppState>,
user: AuthUser,
Json(req): Json<RegisterAgentRequest>,
) -> Result<Json<RegisterAgentResponse>, (StatusCode, String)> {
// Log who is registering the agent
tracing::info!(
user_id = %user.user_id,
hostname = %req.hostname,
os_type = %req.os_type,
"Agent registration initiated by user"
);
// Generate a new API key
let api_key = generate_api_key(&state.config.auth.api_key_prefix);
let api_key_hash = hash_api_key(&api_key);
@@ -50,6 +61,12 @@ pub async fn register_agent(
.await
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
tracing::info!(
user_id = %user.user_id,
agent_id = %agent.id,
"Agent registered successfully"
);
Ok(Json(RegisterAgentResponse {
agent_id: agent.id,
api_key, // Return the plain API key (only shown once!)
@@ -59,8 +76,10 @@ pub async fn register_agent(
}
/// List all agents
/// Requires authentication.
pub async fn list_agents(
State(state): State<AppState>,
_user: AuthUser,
) -> Result<Json<Vec<AgentResponse>>, (StatusCode, String)> {
let agents = db::get_all_agents(&state.db)
.await
@@ -71,8 +90,10 @@ pub async fn list_agents(
}
/// Get a specific agent
/// Requires authentication.
pub async fn get_agent(
State(state): State<AppState>,
_user: AuthUser,
Path(id): Path<Uuid>,
) -> Result<Json<AgentResponse>, (StatusCode, String)> {
let agent = db::get_agent_by_id(&state.db, id)
@@ -84,8 +105,10 @@ pub async fn get_agent(
}
/// Delete an agent
/// Requires authentication.
pub async fn delete_agent(
State(state): State<AppState>,
_user: AuthUser,
Path(id): Path<Uuid>,
) -> Result<StatusCode, (StatusCode, String)> {
// Check if agent is connected and disconnect it
@@ -106,8 +129,10 @@ pub async fn delete_agent(
}
/// Get agent statistics
/// Requires authentication.
pub async fn get_stats(
State(state): State<AppState>,
_user: AuthUser,
) -> Result<Json<AgentStats>, (StatusCode, String)> {
let stats = db::get_agent_stats(&state.db)
.await
@@ -123,8 +148,10 @@ pub struct MoveAgentRequest {
}
/// Move an agent to a different site
/// Requires authentication.
pub async fn move_agent(
State(state): State<AppState>,
_user: AuthUser,
Path(id): Path<Uuid>,
Json(req): Json<MoveAgentRequest>,
) -> Result<Json<AgentResponse>, (StatusCode, String)> {
@@ -149,8 +176,10 @@ pub async fn move_agent(
}
/// List all agents with full details (site/client info)
/// Requires authentication.
pub async fn list_agents_with_details(
State(state): State<AppState>,
_user: AuthUser,
) -> Result<Json<Vec<db::AgentWithDetails>>, (StatusCode, String)> {
let agents = db::get_all_agents_with_details(&state.db)
.await
@@ -160,8 +189,10 @@ pub async fn list_agents_with_details(
}
/// List unassigned agents (not belonging to any site)
/// Requires authentication.
pub async fn list_unassigned_agents(
State(state): State<AppState>,
_user: AuthUser,
) -> Result<Json<Vec<AgentResponse>>, (StatusCode, String)> {
let agents = db::get_unassigned_agents(&state.db)
.await
@@ -172,8 +203,10 @@ pub async fn list_unassigned_agents(
}
/// Get extended state for an agent (network interfaces, uptime, etc.)
/// Requires authentication.
pub async fn get_agent_state(
State(state): State<AppState>,
_user: AuthUser,
Path(id): Path<Uuid>,
) -> Result<Json<db::AgentState>, (StatusCode, String)> {
let agent_state = db::get_agent_state(&state.db, id)