Correct Okta-session-reuse claim; expand threat model#28

Merged
jgowdy-godaddy merged 1 commit into main from docs/threat-model-updates
Apr 17, 2026

Conversation

@jgowdy-godaddy
Contributor

Summary

The headline fix: `THREAT_MODEL.md` T11 and `DESIGN.md` §Okta Session Reuse Status both previously claimed that transparent Okta session reuse was disabled. It is actively implemented. After a successful `awsenc auth`, the Okta `/authn` session token is cached as ECIES ciphertext alongside the AWS credentials (cache flag `FLAG_HAS_OKTA_SESSION`), and `awsenc serve` calls `try_transparent_reauth` to refresh expiring AWS creds silently — without prompting for MFA — for the lifetime of Okta's session.

This PR rewrites both sections to describe the real behavior and its trust model, then expands the threat inventory with seven new entries discovered during the same audit pass:

  • T12 SAML / STS parser hardening (`scraper` HTML parser with tiered form selection, `roxmltree` for SAML and STS XML, chunked-TE size enforcement)
  • T13 256 KB response-size cap enforced on both `Content-Length` and streaming
  • T14 local `config.toml` tamper redirecting Okta authentication to a lookalike IdP
  • T15 concurrent `awsenc serve` race (duplicate STS traffic; atomic write ensures cache integrity)
  • T16 cache rollback to an earlier intact ciphertext — bounded by server-side STS `Expiration`
  • T17 PATH hijack surface — currently minimal (no `$BROWSER` / `gh` / `open` path yet), future work must use `enclaveapp-core::bin_discovery`
  • T18 Type 1 trusted-consumer boundary — the AWS CLI is in the TCB once credentials cross the `credential_process` stdout pipe

Test plan

  • Docs-only change; CI should pass cleanly.
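As an added example (not code from this PR or from the awsenc code base), the T13 check described above in Rust: the cap is applied once to the declared `Content-Length` and again to the bytes that actually arrive, because a chunked response carries no length header and a declared length cannot be trusted. The function name, error type and constant are assumptions modelled on the description.

```rust
use std::io::Read;

/// Maximum response body the client accepts (256 KB, as in T13). Assumed name.
pub const MAX_RESPONSE_BYTES: usize = 256 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// Declared Content-Length already exceeds the cap; rejected before any read.
    DeclaredTooLarge(u64),
    /// The stream delivered more than the cap (no, or lying, Content-Length).
    StreamTooLarge,
    Io(String),
}

/// Read a response body while enforcing `cap` on both the declared
/// Content-Length (when present) and the bytes actually streamed.
pub fn read_body_bounded<R: Read>(
    reader: R,
    content_length: Option<u64>,
    cap: usize,
) -> Result<Vec<u8>, BodyError> {
    // First check: an over-cap declaration is refused without reading a byte.
    if let Some(len) = content_length {
        if len > cap as u64 {
            return Err(BodyError::DeclaredTooLarge(len));
        }
    }
    // Second check: count what really arrives. Reading cap + 1 bytes at most
    // lets us detect overflow without ever buffering an unbounded body.
    let mut buf = Vec::new();
    reader
        .take(cap as u64 + 1)
        .read_to_end(&mut buf)
        .map_err(|e| BodyError::Io(e.to_string()))?;
    if buf.len() > cap {
        return Err(BodyError::StreamTooLarge);
    }
    Ok(buf)
}

fn main() {
    // Constructed sample: a chunked-style stream with no Content-Length that
    // keeps sending past the cap.
    let oversized = std::io::repeat(b'A').take(MAX_RESPONSE_BYTES as u64 + 1);
    println!("{:?}", read_body_bounded(oversized, None, MAX_RESPONSE_BYTES));
}
```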

THREAT_MODEL.md T11 previously claimed transparent Okta session reuse was
disabled. It is actively implemented: awsenc caches the Okta /authn session
token as ECIES ciphertext in the .enc file (FLAG_HAS_OKTA_SESSION), and
awsenc serve's try_transparent_reauth path decrypts it to silently refresh
expiring AWS creds for the remainder of Okta's session lifetime. Rewritten
to describe the real behavior and its trust model.

DESIGN.md "Okta Session Reuse Status" rewritten for the same reason.

New threats added:
- T12 SAML / STS parser hardening (scraper + roxmltree, chunked-TE cap)
- T13 HTTP response size limits (256 KB, both Content-Length and streaming)
- T14 local config.toml tamper redirecting Okta auth
- T15 concurrent serve race (duplicate STS, atomic-write resolves)
- T16 cache rollback — bounded by server-side STS Expiration
- T17 binary discovery / PATH hijack (currently no $BROWSER/gh surface)
- T18 Type 1 trusted-consumer boundary (explicit accepted risk)
jgowdy-godaddy merged commit 3ebe024 into main on Apr 17, 2026
3 checks passed