
fix: limit allowed ciphers for TLS 1.2 BED-7722 #2540

Merged

superlinkx merged 1 commit into stage/v8.9.1 from BED-7722 on Mar 24, 2026

Conversation


@superlinkx superlinkx commented Mar 24, 2026

Description

When the application is configured for HTTPS, some insecure ciphers are available by default according to Go's current list. In order to better protect the application when not running behind a load balancer, this change introduces a list of ciphers we want to support.

Motivation and Context

Resolves BED-7722

How Has This Been Tested?

Locally tested and verified with nmap --script ssl-enum-ciphers -p 443 localhost

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

Summary by CodeRabbit

Release Notes

  • New Features

    • Added support for Azure Federated Identity Credential node type with visual styling.
    • Enhanced error handling and diagnostics for Cypher selector failures.
  • Bug Fixes

    • Enforced minimum TLS 1.2 with restricted cipher suites for API servers.
  • Chores

    • Updated Go toolchain to v1.26.1.
    • Updated SharpHound and AzureHound to v2.11.0.
    • Removed vulnerability scanning GitHub Actions workflow.
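As an added illustration (an editor's example, not code from this PR or from the BloodHound project), the shape of the change described above in Go: an http.Server-style TLSConfig with a TLS 1.2 floor and an explicit suite list, a startup/CI guard that rejects any suite Go's own crypto/tls classifies as insecure, and a loopback handshake showing the server refusing a suite outside the list. The allow list, the function names and the throwaway self-signed certificate are assumptions; the PR's actual suite IDs are not shown on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed allow list for "ECDHE_RSA AES-GCM and AES-CBC" (the PR's exact IDs are not on the
// page). CBC_SHA256 variants are deliberately absent: crypto/tls lists them as insecure.
var allowedCipherSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
}

// ServerTLSConfig is the http.Server.TLSConfig shape: a TLS 1.2 floor plus an explicit
// suite list. Go applies CipherSuites to TLS 1.2 only; TLS 1.3 suites are not configurable.
func ServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: allowedCipherSuites,
		Certificates: []tls.Certificate{cert},
	}
}

// ValidateTLSConfig is a startup/CI guard: it rejects a config without an explicit TLS 1.2
// floor (or with no suite list at all) and any suite crypto/tls itself classifies as insecure.
func ValidateTLSConfig(cfg *tls.Config) error {
	if cfg.MinVersion < tls.VersionTLS12 || len(cfg.CipherSuites) == 0 {
		return fmt.Errorf("MinVersion %#x / %d suites: not an explicit TLS 1.2 allow list", cfg.MinVersion, len(cfg.CipherSuites))
	}
	for _, id := range cfg.CipherSuites {
		for _, s := range tls.InsecureCipherSuites() {
			if s.ID == id {
				return fmt.Errorf("cipher suite %s is classified insecure by crypto/tls", s.Name)
			}
		}
	}
	return nil
}

// selfSignedRSACert makes a throwaway RSA cert; ECDHE_RSA suites need an RSA server key.
func selfSignedRSACert() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// NegotiateTLS12 runs one loopback handshake against the hardened config with a client pinned
// to TLS 1.2 that offers only clientSuites; it returns the negotiated suite or the refusal.
func NegotiateTLS12(clientSuites []uint16) (uint16, error) {
	cert, err := selfSignedRSACert()
	if err != nil {
		return 0, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", ServerTLSConfig(cert))
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() { // accept one connection and drive its handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		MaxVersion:         tls.VersionTLS12, // pin 1.2: under TLS 1.3 CipherSuites is ignored
		CipherSuites:       clientSuites,
		InsecureSkipVerify: true, // loopback self-signed cert only
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().CipherSuite, nil
}

func main() {
	suite, err := NegotiateTLS12([]uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256})
	fmt.Println("allowed suite:", tls.CipherSuiteName(suite), err)
	_, err = NegotiateTLS12([]uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256})
	fmt.Println("RSA key exchange (no forward secrecy) refused:", err)
}
```

The in-process handshake is the complement to the nmap --script ssl-enum-ciphers run mentioned in the description: the scanner shows what an external client sees, while NegotiateTLS12 can run in CI on every build. The client is pinned to MaxVersion TLS 1.2 because Go's CipherSuites setting governs TLS 1.2 only; TLS 1.3 suites are fixed by the library, so a scanner will still list them whatever this allow list contains.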

@superlinkx superlinkx self-assigned this Mar 24, 2026
@superlinkx superlinkx added the api A pull request containing changes affecting the API code. label Mar 24, 2026

github-actions bot commented Mar 24, 2026

Howdy! Thank you for opening this pull request 🙇

Your title is formatted correctly but we did not find a matching issue reference.
Please verify that the reference is correct and available in Jira or GitHub issues.

Details:

Issue request error: Invalid Jira issue

@superlinkx superlinkx changed the base branch from main to stage/v8.9.1 March 24, 2026 00:12

coderabbitai bot commented Mar 24, 2026

Caution

Review failed

Failed to post review comments

Walkthrough

The pull request upgrades the Go toolchain from 1.24 to 1.26.1, migrates the SourceKind type from the database package to the model package with corresponding SQL schema updates, adds support for AZFederatedIdentityCredential node styling, enforces TLS 1.2+ with restricted cipher suites on API servers, introduces CypherSelectorError for improved error tracking, enhances Azure tenant context in federated identity credential conversion, and bumps tool versions including SharpHound/AzureHound to v2.11.0.

Changes

Cohort / File(s) / Summary

Go Toolchain Upgrade
  Files: DEVREADME.md, go.mod, go.work.template, dockerfiles/bloodhound.Dockerfile, tools/docker-compose/api.Dockerfile
  Summary: Updated Go version from 1.24.13 to 1.26.1 across configuration, module files, and Docker build stages; also bumped SharpHound/AzureHound to v2.11.0 and Delve debugger to v1.26.1.

SourceKind Type Migration (database → model)
  Files: cmd/api/src/model/sourcekinds.go, cmd/api/src/database/sourcekinds.go, cmd/api/src/api/v2/kinds.go, cmd/api/src/daemons/datapipe/pipeline.go, cmd/api/src/database/sourcekinds_integration_test.go, cmd/api/src/api/v2/assetgrouptags_test.go, cmd/api/src/database/mocks/db.go, cmd/api/src/database/.../graphschema_integration_test.go, cmd/api/src/database/.../upsert_schema_extension_integration_test.go
  Summary: Created new model.SourceKind struct; updated interface signatures and all implementations to return model.SourceKind instead of database.SourceKind; switched RegisterSourceKind SQL to call upsert_source_kind() function; dynamically reference table names via TableName() methods; updated all test mocks and assertions accordingly.

Database Schema Migration
  Files: cmd/api/src/database/migration/migrations/v8.9.0.sql
  Summary: Added migration changing source_kinds.id to INTEGER with sequence reset; implemented upsert_kind(node_kind_name text) and upsert_source_kind(source_kind_name TEXT) functions with advisory transaction locking to prevent concurrent race conditions during upsert operations.

TLS Configuration Hardening
  Files: cmd/api/src/daemons/api/bhapi/api.go, cmd/api/src/daemons/api/toolapi/api.go
  Summary: Added TLSConfig to http.Server enforcing minimum TLS 1.2 and restricting cipher suites to specified ECDHE_RSA variants (AES-GCM and AES-CBC).

CypherSelectorError Handling
  Files: cmd/api/src/daemons/datapipe/agt.go, cmd/api/src/daemons/datapipe/agt_test.go, cmd/api/src/daemons/datapipe/analysis.go
  Summary: Introduced CypherSelectorError type with Error() and Unwrap() methods; added ContainsOnlyCypherSelectorErrors() helper; updated FetchNodesFromSeeds to wrap cypher query failures; extended TagAssetGroupsAndTierZero error logic to treat Cypher-only errors as partial failure rather than complete failure.

BloodHound Graph Node Styling
  Files: cmd/api/src/api/bloodhoundgraph/bloodhoundgraph.go
  Summary: Added styling support for AZFederatedIdentityCredential node type with font awesome key icon and light yellow background color.

Azure Federated Identity Credential Conversion
  Files: cmd/api/src/services/graphify/azure_convertors.go, packages/go/ein/azure.go, packages/go/ein/azure_test.go
  Summary: Updated ConvertAppFederatedIdentityCredential to accept and use tenant name/ID; changed node Name to include tenant context (e.g., <credential>@<tenantName>); added TenantID property to node; refactored test to table-driven format with expanded assertions.

Authentication Configuration
  Files: cmd/api/src/auth/saml.go
  Summary: Removed dependency on goxmldsig.RSASHA256SignatureMethod constant; defined local RSASHA256SignatureMethod constant with RSA-SHA256 XMLDSIG URI value.

Indentation & Formatting Fixes
  Files: cmd/api/src/database/assetgrouptags.go, cmd/api/src/database/auth.go, cmd/api/src/database/customnode.go
  Summary: Corrected whitespace/brace alignment for NewBloodhoundDB variable initialization within transactional blocks without changing control flow or logic.

Dependency Updates
  Files: go.mod
  Summary: Bumped github.com/bloodhoundad/azurehound/v2 to v2.11.0; updated github.com/russellhaering/goxmldsig to v1.6.0 (indirect); updated github.com/beevik/etree to v1.6.0 (indirect).

CI/CD Workflow Removal
  Files: .github/workflows/vuln-scan.yml
  Summary: Removed the Trivy vulnerability scanning GitHub Actions workflow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 17.39% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Title check (✅ Passed): The title clearly identifies the main change: limiting cipher suites for TLS 1.2 security. It references the ticket (BED-7722) and directly relates to the primary security fix in the changeset.
  • Description check (✅ Passed): The PR description covers the required template sections: describes the security cipher restriction change, provides motivation (protecting app when not behind load balancer), includes testing details (nmap verification), specifies the change type (bug fix), and confirms checklist completion including issue association (BED-7722).


@superlinkx superlinkx merged commit 068a1ea into stage/v8.9.1 Mar 24, 2026
10 of 16 checks passed
@superlinkx superlinkx deleted the BED-7722 branch March 24, 2026 15:59
@github-actions github-actions bot locked and limited conversation to collaborators Mar 24, 2026
@superlinkx (Contributor, Author) commented

@StephenHinck was able to properly validate the ciphers match expectations. We'll do a final pass on the full version of BHCE.
