akanealw
eec8c28fb3
Some checks failed
Go Benchmark / Performance Regression Check (push) Has been cancelled
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Quality Checks / Backend (Go) (push) Has been cancelled
Quality Checks / Frontend (React) (push) Has been cancelled
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
WAF integration / Coraza WAF Integration (push) Has been cancelled
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
Repo Health Check / Repo health (push) Has been cancelled
History Rewrite Dry-Run / Dry-run preview for history rewrite (push) Has been cancelled
Prune Renovate Branches / prune (push) Has been cancelled
Renovate / renovate (push) Has been cancelled
Nightly Build & Package / sync-development-to-nightly (push) Has been cancelled
Nightly Build & Package / Trigger Nightly Validation Workflows (push) Has been cancelled
Nightly Build & Package / build-and-push-nightly (push) Has been cancelled
Nightly Build & Package / test-nightly-image (push) Has been cancelled
Nightly Build & Package / verify-nightly-supply-chain (push) Has been cancelled
5.1 KiB
Executable File
5.1 KiB
Executable File
E2E Security Enforcement Failures Remediation Plan (2 Remaining)
Context
- Branch:
feature/beta-release - Source: docs/reports/qa_report.md
- Failures:
/api/v1/userssetup socket hang up (Security Dashboard navigation), Emergency token baseline blocking (Test 1)
Phase 1 – Analyze (Root Cause Mapping)
Failure A: /api/v1/users setup socket hang up (Security Dashboard navigation)
Symptoms
apiRequestContext.postsocket hang up during test setup user creation in:tests/security/security-dashboard.spec.ts(navigation suite)
Likely Backend Cause
- Test setup creates an admin user via
POST /api/v1/users, which is routed through Cerberus middleware before auth. - If ACL is enabled and the test runner IP is not in
security.admin_whitelist, Cerberus will block all requests when no active ACLs exist. - This block can present as a socket hang up when the proxy closes the connection before Playwright reads the response.
Backend Evidence
- Cerberus middleware executes on all
/api/v1/*routes: backend/internal/api/routes/routes.goapi.Use(cerb.Middleware())andprotected.POST("/users", userHandler.CreateUser)
- ACL default-deny behavior and whitelist bypass: backend/internal/cerberus/cerberus.go
Cerberus.MiddlewareandisAdminWhitelisted
- User creation handler expects admin role after auth: backend/internal/api/handlers/user_handler.go
UserHandler.CreateUser
Fix Options (Backend)
- Ensure ACL cannot block authenticated admin setup calls by moving Cerberus after auth for protected routes (so role can be evaluated).
- Add an explicit Cerberus bypass for
/api/v1/userssetup in test/dev mode when the request has a valid admin session. - Require at least one allow/deny list entry before enabling ACL, and return a clear 4xx error instead of terminating the connection.
Failure B: Emergency token baseline not blocked (Test 1)
Symptoms
- Expected 403 from
/api/v1/security/status, received 200 in:tests/security-enforcement/emergency-token.spec.ts(Test 1)
Likely Backend Cause
- ACL is enabled via
/api/v1/settings, but Cerberus treats the request IP as whitelisted (e.g.,127.0.0.1/32) and skips ACL enforcement. - The whitelist is stored in
SecurityConfigand can persist from prior tests, causing ACL bypass for authenticated requests even without the emergency token.
Backend Evidence
- Admin whitelist bypass check: backend/internal/cerberus/cerberus.go
isAdminWhitelisted
- Security config persistence: backend/internal/models/security_config.go
- ACL enablement via settings: backend/internal/api/handlers/settings_handler.go
SettingsHandler.UpdateSettingauto-enablesfeature.cerberus.enabled
Fix Options (Backend)
- Make ACL bypass conditional on authenticated admin context by applying Cerberus after auth on protected routes.
- Clear or override
security.admin_whitelistwhen enabling ACL in test runs where the baseline must be blocked. - Add a dedicated ACL enforcement endpoint or status check that is not exempted by admin whitelist.
Phase 2 – Focused Remediation Plan (No Code Changes Yet)
Plan A: Diagnose /api/v1/users socket hang up
- Confirm ACL and admin whitelist values immediately before test setup user creation.
- Check server logs for Cerberus ACL blocks or upstream connection resets during
POST /api/v1/users. - Validate that the request is authenticated and that Cerberus is not terminating the request before auth runs.
Acceptance Criteria
POST /api/v1/usersconsistently returns a 2xx or a structured 4xx, not a socket hang up.
Plan B: Emergency token baseline enforcement
- Verify
security.admin_whitelistcontents before Test 1; ensure the test IP is not whitelisted. - Confirm
security.acl.enabledandfeature.cerberus.enabledare bothtrueafter the setup PATCH. - Re-run the baseline
/api/v1/security/statusrequest and verify 403 before applying the emergency token.
Acceptance Criteria
- Baseline
/api/v1/security/statusreturns 403 when ACL + Cerberus are enabled. - Emergency token bypass returns 200 for the same endpoint.
Phase 3 – Validation Plan
- Re-run Chromium E2E suite.
- Verify the two failing tests pass.
- Capture updated results and include status evidence in QA report.
Risks & Notes
- If
security.admin_whitelistpersists across suites, ACL baseline assertions will be bypassed. - If Cerberus runs before auth, ACL cannot distinguish authenticated admin setup calls from unauthenticated setup calls.
Next Steps
- Execute the focused remediation steps above.
- Re-run E2E tests and update docs/reports/qa_report.md.
Status: SUSPENDED - Supersededby critical production bug (Settings Query ID Leakage) Archive Date: 2026-01-28