Skip to content

fix: Validate twingate.host against trusted controller domains#353

Closed
minhtule wants to merge 4 commits into
masterfrom
feat/mt/validate-twingate-host
Closed

fix: Validate twingate.host against trusted controller domains#353
minhtule wants to merge 4 commits into
masterfrom
feat/mt/validate-twingate-host

Conversation

@minhtule

@minhtule minhtule commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Related Tickets & Documents

Changes

  • Validate twingate.network is a single DNS label, since it is interpolated into the JWKS URL authority.
  • Validate twingate.host against the trusted Twingate controller domains, matched case-insensitively, using the same allowlist as token issuer validation (single source of truth in config) so an accepted host always has a known JWT issuer.
  • Re-validate the controller-resolved host, keeping the configured host if the redirect target is not trusted.

@minhtule minhtule requested a review from Copilot June 29, 2026 22:57
@minhtule minhtule changed the title feat: Validate twingate.host against trusted controller domains fix: Validate twingate.host against trusted controller domains Jun 29, 2026
@codecov

codecov Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.37%. Comparing base (ae1a656) to head (73d69e2).
⚠️ Report is 1 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #353      +/-   ##
==========================================
+ Coverage   86.07%   86.37%   +0.29%     
==========================================
  Files          40       40              
  Lines        2830     2847      +17     
==========================================
+ Hits         2436     2459      +23     
+ Misses        269      264       -5     
+ Partials      125      124       -1     
Flag Coverage Δ
integration 54.84% <38.46%> (-0.02%) ⬇️
unit 78.60% <88.46%> (+0.05%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
internal/config/config.go 89.45% <100.00%> (+0.65%) ⬆️
internal/token/parser.go 93.54% <100.00%> (+0.21%) ⬆️

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens configuration security by validating twingate.host during config validation to ensure the controller JWKS trust anchor can only point at approved Twingate-owned domains.

Changes:

  • Add twingate.host hostname validation and restrict it to trusted suffixes (twingate.com, opstg.com, test).
  • Extend Config.Validate() to enforce the new host validation.
  • Add/adjust config validation tests to cover allowed and disallowed host values.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
internal/config/config.go Adds host validation logic (regex + trusted suffix allowlist) and enforces it during config validation.
internal/config/config_test.go Updates existing validation tests and adds new cases for allowed/disallowed twingate.host values.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread internal/config/config.go
Comment thread internal/config/config.go
Comment thread internal/config/config.go
@minhtule minhtule marked this pull request as draft June 29, 2026 23:17

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment thread internal/config/config.go Outdated
Comment thread internal/config/config_test.go

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

Comment thread internal/config/config.go
Comment on lines +708 to +712
for domain := range IssuerByDomain {
if lowered == domain || strings.HasSuffix(lowered, "."+domain) {
return nil
}
}

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.test is RFC 6761 non-routable/local-only. We don't need custom code for it.

Comment thread internal/token/parser.go
Comment on lines +23 to 27
for domain, issuer := range config.IssuerByDomain {
if lowered == domain || strings.HasSuffix(lowered, "."+domain) {
return issuer
}
}

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.test is RFC 6761 non-routable/local-only. We don't need custom code for it.

Comment thread internal/config/config.go
"test": "twingate-local",
"dev.opstg.com": "twingate-dev",
"stg.opstg.com": "twingate-stg",
"sec.opstg.com": "twingate-sec",
Comment on lines +361 to +365
{
name: "host with test suffix",
config: &Config{
Twingate: TwingateConfig{Network: "test", Host: "acme.test"},
Port: 8443,
@minhtule

Copy link
Copy Markdown
Contributor Author

Superseded by #358 (refactor) and #359 (validation), split for reviewability.

@minhtule minhtule closed this Jun 30, 2026
@minhtule minhtule deleted the feat/mt/validate-twingate-host branch June 30, 2026 15:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants