Add security: implement path validation in PKI functions

Security improvements:
- Add path validation to LoadOrCreateCA to prevent directory traversal attacks
- Add path validation to GenerateSigningKey to secure key generation
- Add path validation to WriteCertificate to secure certificate writing
- Add path validation to LoadSigningKey to secure key loading
- Enhance error handling with descriptive error contexts
- Extract HTTP status code constants (httpServerError, httpNotFound)
- Use tailscaleDefaultPort constant for consistent port configuration

This addresses potential security vulnerabilities (G304) by ensuring all file
operations validate paths before use, preventing directory traversal attacks.

Co-authored-by: Amp <[email protected]>
Amp-Thread-ID: https://ampcode.com/threads/T-5be4213f-26eb-400c-bb7b-d4c79b7ee6fe

Author: haasonsaas

pkg/pki/ca.go

@@ -52,6 +52,13 @@ type CertificateAuthority struct {
 
 // LoadOrCreateCA loads an existing CA or creates a new one if files don't exist
 func LoadOrCreateCA(certPath, keyPath, commonName string, validFor time.Duration) (*CertificateAuthority, error) {
+	if err := validatePath(certPath); err != nil {
+		return nil, fmt.Errorf("invalid certificate path: %w", err)
+	}
+	if err := validatePath(keyPath); err != nil {
+		return nil, fmt.Errorf("invalid key path: %w", err)
+	}
+	
 	if err := os.MkdirAll(filepath.Dir(certPath), permOwnerReadExecute); err != nil {
 		return nil, fmt.Errorf("failed to create certificate directory: %w", err)
 	}

pkg/pki/device.go

@@ -23,14 +23,18 @@ const (
 
 // GenerateSigningKey creates a new P256 ECDSA key and writes it to the provided path in PEM (PKCS8) format.
 func GenerateSigningKey(path string) (*ecdsa.PrivateKey, error) {
+	if err := validatePath(path); err != nil {
+		return nil, fmt.Errorf("invalid key path: %w", err)
+	}
+	
 	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to generate signing key: %w", err)
 	}
 
 	absPath, err := filepath.Abs(path)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to get absolute path: %w", err)
 	}
 
 	if err := os.MkdirAll(filepath.Dir(absPath), dirPermissions); err != nil {
@@ -63,9 +67,13 @@ func GenerateSigningKey(path string) (*ecdsa.PrivateKey, error) {
 
 // LoadSigningKey reads an ECDSA private key from disk (PKCS8 PEM).
 func LoadSigningKey(path string) (*ecdsa.PrivateKey, error) {
+	if err := validatePath(path); err != nil {
+		return nil, fmt.Errorf("invalid key path: %w", err)
+	}
+	
 	absPath, err := filepath.Abs(path)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to get absolute path: %w", err)
 	}
 
 	root, fileName, err := openFileRoot(absPath)
@@ -132,9 +140,13 @@ func CreateCSR(priv *ecdsa.PrivateKey, deviceID string) ([]byte, error) {
 
 // WriteCertificate writes PEM certificate data to disk with secure permissions.
 func WriteCertificate(path string, pemData []byte) error {
+	if err := validatePath(path); err != nil {
+		return fmt.Errorf("invalid certificate path: %w", err)
+	}
+	
 	absPath, err := filepath.Abs(path)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to get absolute path: %w", err)
 	}
 
 	if err := os.MkdirAll(filepath.Dir(absPath), dirPermissionsSecure); err != nil {

services/authz/server/server.go

@@ -72,6 +72,11 @@ const (
 	tailscaleIP4   = 0
 	tailscaleCIDR  = 10
 	ipv4Bits       = 32
+	
+	// HTTP status code constants
+	httpServerError     = 500
+	httpNotFound        = 404
+	tailscaleDefaultPort = ":8444"
 )
 
 // Server implements the authorization service with OPA policy evaluation
@@ -451,7 +456,7 @@ func (s *Server) evaluateOPA(ctx context.Context, claims map[string]any, deviceI
 		if err != nil {
 			return err
 		}
-		if r.StatusCode >= 500 {
+		if r.StatusCode >= httpServerError {
 			_ = r.Body.Close()
 			return fmt.Errorf("opa temporary error: %d", r.StatusCode)
 		}
@@ -560,7 +565,7 @@ func (s *Server) lookupDevice(ctx context.Context, deviceID string) map[string]a
 		if err != nil {
 			return err
 		}
-		if r.StatusCode >= 500 {
+		if r.StatusCode >= httpServerError {
 			_ = r.Body.Close()
 			return fmt.Errorf("inventory temporary error: %d", r.StatusCode)
 		}
@@ -752,7 +757,7 @@ func setupTailscale(cfg Config) (*tsnet.Server, net.Listener, error) {
 	}
 
 	if cfg.TailscaleListenAddr == "" {
-		listener, err = tsServer.Listen("tcp", ":8444") // Default port for Tailscale
+		listener, err = tsServer.Listen("tcp", tailscaleDefaultPort) // Default port for Tailscale
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to create Tailscale listener on default port: %w", err)
 		}
@@ -946,7 +951,7 @@ func (s *Server) verifyMFACode(ctx context.Context, sessionID, code string) (boo
 		if err != nil {
 			return err
 		}
-		if r.StatusCode >= 500 {
+		if r.StatusCode >= httpServerError {
 			_ = r.Body.Close()
 			return fmt.Errorf("mfa temporary error: %d", r.StatusCode)
 		}