feat(configgen): yaml.v3 typed-struct config marshal (closes #126) (#130)

Replaces internal/configgen/generator.go's text/template-based agent
config generator with typed-struct marshalling through gopkg.in/yaml.v3.
Defense-in-depth follow-up to GHSA-7hp6-g3pq-3pc3 — closes the entire
YAML-injection class at the output side regardless of upstream
validators.

The public GeneratorInput / FirewallRule / LighthouseInfo /
AdvancedUnsafeRoute types are unchanged; only the implementation
moves from string-interpolation to yaml.v3 Encoder.

- internal/configgen/marshal.go (new): typed nebulaConfig struct
  mirroring the previous template's shape. Inline PEM blocks use a
  literalString MarshalYAML for the `|` literal-block scalar form.
- internal/configgen/generator.go: configTemplate, indentLines, and
  the template-based Generate are removed. Only public input types
  remain.
- internal/configgen/generator_test.go: three multi-address tests
  converted from byte-equality assertions on flow-style + quoted IPs
  to parse-then-compare via yaml.Unmarshal, per your issue body.
  Added TestGenerate_LighthouseAndRelay (lighthouse+relay combo)
  and an assertion in TestGenerate_Lighthouse that
  `static_host_map: {}` is emitted explicitly (locks down the empty
  contract against future omitempty drift).
- internal/configgen/advanced_test.go:
  TestGenerate_TunDevice_StructuralBreakCharsAreQuoted (new) is the
  defense-in-depth acceptance criterion: a TunDevice value containing
  \r, \n, ENQ (0x05), ", :, #, or trailing whitespace round-trips
  through yaml.Unmarshal exactly, and no extra top-level keys appear
  in the output (which would indicate YAML injection).

Mobile bundle path (internal/mobilebundle/builder.go) uses the same
GeneratorInput — no API change needed there.

make ci green: vet, build, race tests, golangci-lint v2.12.0
("0 issues."). All existing configgen tests pass plus the new
LighthouseAndRelay test plus the 7-case defense-in-depth subtest.

Author: ak2k

internal/configgen/advanced_test.go

@@ -3,6 +3,8 @@ package configgen
 import (
 	"strings"
 	"testing"
+
+	"gopkg.in/yaml.v3"
 )
 
 func TestGenerate_DefaultsWhenNoAdvanced(t *testing.T) {
@@ -100,3 +102,66 @@ func TestGenerate_PunchyOverride(t *testing.T) {
 		t.Errorf("expected punch: false override; got:\n%s", out)
 	}
 }
+
+// TestGenerate_TunDevice_StructuralBreakCharsAreQuoted is the GHSA-7hp6
+// defense-in-depth assertion (issue #126): even if the upstream TunDevice
+// validator were bypassed, yaml.v3 marshaling MUST emit structural-break
+// characters as safely-quoted scalars so they cannot escape into YAML
+// structure. Each pathological TunDevice value below round-trips through
+// yaml.Unmarshal exactly — no new top-level keys, no value corruption.
+func TestGenerate_TunDevice_StructuralBreakCharsAreQuoted(t *testing.T) {
+	cases := []string{
+		"nebula0\rinjected: true", // CR — splits lines in plain scalars
+		"nebula0\ninjected: true", // LF — same
+		"nebula0\x05ctrl",         // ENQ — arbitrary control character
+		`nebula0"quote`,           // double-quote — terminates quoted scalars
+		"nebula0:colon",           // colon — key separator in plain scalars
+		"nebula0#hash",            // hash — comment indicator
+		"nebula0 trailing-space ", // leading/trailing whitespace stripping
+	}
+
+	for _, dev := range cases {
+		t.Run(dev, func(t *testing.T) {
+			out, err := Generate(GeneratorInput{
+				HostName:   "h",
+				NebulaIPs:  []string{"10.0.0.1"},
+				CACertPath: "/etc/nebula/ca.crt",
+				CertPath:   "/etc/nebula/host.crt",
+				KeyPath:    "/etc/nebula/host.key",
+				TunDevice:  dev,
+			})
+			if err != nil {
+				t.Fatalf("Generate(%q): %v", dev, err)
+			}
+
+			var parsed struct {
+				Tun struct {
+					Dev string `yaml:"dev"`
+				} `yaml:"tun"`
+			}
+			if err := yaml.Unmarshal(out, &parsed); err != nil {
+				t.Fatalf("invalid YAML for %q: %v\n%s", dev, err, string(out))
+			}
+			if parsed.Tun.Dev != dev {
+				t.Errorf("round-trip mismatch for %q:\n  got: %q\n output:\n%s", dev, parsed.Tun.Dev, string(out))
+			}
+
+			// Also assert no injection happened at the top level — only
+			// the expected keys exist after unmarshal.
+			var top map[string]any
+			if err := yaml.Unmarshal(out, &top); err != nil {
+				t.Fatalf("invalid YAML (top-level) for %q: %v", dev, err)
+			}
+			allowed := map[string]bool{
+				"pki": true, "static_host_map": true, "lighthouse": true,
+				"listen": true, "punchy": true, "tun": true, "relay": true,
+				"logging": true, "firewall": true,
+			}
+			for k := range top {
+				if !allowed[k] {
+					t.Errorf("unexpected top-level key %q for TunDevice=%q — possible YAML injection", k, dev)
+				}
+			}
+		})
+	}
+}

internal/configgen/generator.go

@@ -1,12 +1,5 @@
 package configgen
 
-import (
-	"bytes"
-	"fmt"
-	"strings"
-	"text/template"
-)
-
 // LighthouseInfo describes a lighthouse node for config generation.
 type LighthouseInfo struct {
 	NebulaIPs  []string
@@ -20,7 +13,7 @@ type FirewallRule struct {
 	Group string // "any", "admin", etc.
 }
 
-// AdvancedUnsafeRoute mirrors models.UnsafeRoute for the template.
+// AdvancedUnsafeRoute mirrors models.UnsafeRoute for the generator input.
 type AdvancedUnsafeRoute struct {
 	Route string
 	Via   string
@@ -48,158 +41,12 @@ type GeneratorInput struct {
 	TunDevice      string
 	UnsafeRoutes   []AdvancedUnsafeRoute
 
-	// Optional: if set, override the path-based pki section with inline PEM blocks.
-	// Used for Mobile Nebula clients which import a self-contained YAML config.
-	// When CACertPEM is non-empty, CertPEM and KeyPEM must also be non-empty;
-	// the template uses literal-block scalars for all three. When empty, the
-	// template falls back to CACertPath/CertPath/KeyPath (default behavior).
+	// Optional inline PEM blocks. When CACertPEM is non-empty, CertPEM and
+	// KeyPEM must also be non-empty; all three are emitted as literal-block
+	// scalars in the pki section. When empty, the path-based fields above
+	// are used instead. Mobile Nebula clients use the inline form since
+	// they import a self-contained YAML config.
 	CACertPEM string
 	CertPEM   string
 	KeyPEM    string
 }
-
-const configTemplate = `pki:
-{{- if .CACertPEM }}
-  ca: |
-{{ .CACertPEM | indent4 }}
-  cert: |
-{{ .CertPEM | indent4 }}
-  key: |
-{{ .KeyPEM | indent4 }}
-{{- else }}
-  ca: {{ .CACertPath }}
-  cert: {{ .CertPath }}
-  key: {{ .KeyPath }}
-{{- end }}
-
-{{- if .IsLighthouse }}
-
-static_host_map: {}
-
-lighthouse:
-  am_lighthouse: true
-  {{- if gt .ListenPort 0 }}
-  # Lighthouse listens on port {{ .ListenPort }}
-  {{- end }}
-
-listen:
-  host: {{ if .ListenHost }}{{ .ListenHost }}{{ else }}0.0.0.0{{ end }}
-  port: {{ if gt .ListenPort 0 }}{{ .ListenPort }}{{ else }}4242{{ end }}
-
-{{- else }}
-
-static_host_map:
-  {{- range $lh := .Lighthouses }}
-  {{- range $lh.NebulaIPs }}
-  "{{ . }}": ["{{ $lh.PublicAddr }}"]
-  {{- end }}
-  {{- end }}
-
-lighthouse:
-  am_lighthouse: false
-  hosts:
-    {{- range $lh := .Lighthouses }}
-    {{- range $lh.NebulaIPs }}
-    - "{{ . }}"
-    {{- end }}
-    {{- end }}
-
-listen:
-  host: {{ if .ListenHost }}{{ .ListenHost }}{{ else }}0.0.0.0{{ end }}
-  port: {{ if gt .ListenPort 0 }}{{ .ListenPort }}{{ else }}0{{ end }}
-
-{{- end }}
-
-punchy:
-  punch: {{ if .PunchyOverride }}{{ .PunchyOverride }}{{ else }}true{{ end }}
-{{- if or .MTU .TunDevice .UnsafeRoutes }}
-
-tun:
-  {{- if .TunDevice }}
-  dev: {{ .TunDevice }}
-  {{- end }}
-  {{- if .MTU }}
-  mtu: {{ .MTU }}
-  {{- end }}
-  {{- if .UnsafeRoutes }}
-  unsafe_routes:
-    {{- range .UnsafeRoutes }}
-    - route: {{ .Route }}
-      via: {{ .Via }}
-    {{- end }}
-  {{- end }}
-{{- end }}
-
-{{- if .IsRelay }}
-
-relay:
-  am_relay: true
-{{- else if .Relays }}
-
-relay:
-  relays:
-    {{- range .Relays }}
-    - "{{ . }}"
-    {{- end }}
-{{- end }}
-
-logging:
-  level: info
-  format: text
-
-firewall:
-  outbound:
-    {{- range .FirewallOutbound }}
-    - port: {{ .Port }}
-      proto: {{ .Proto }}
-      {{- if ne .Group "any" }}
-      group: {{ .Group }}
-      {{- else }}
-      host: any
-      {{- end }}
-    {{- end }}
-
-  inbound:
-    {{- range .FirewallInbound }}
-    - port: {{ .Port }}
-      proto: {{ .Proto }}
-      {{- if ne .Group "any" }}
-      group: {{ .Group }}
-      {{- else }}
-      host: any
-      {{- end }}
-    {{- end }}
-`
-
-// indentLines indents each line of the given string by n spaces.
-// Strips trailing newline to avoid empty indented lines at the end.
-func indentLines(s string, n int) string {
-	pad := strings.Repeat(" ", n)
-	s = strings.TrimRight(s, "\n")
-	lines := strings.Split(s, "\n")
-	for i, line := range lines {
-		if line != "" {
-			lines[i] = pad + line
-		}
-	}
-	return strings.Join(lines, "\n")
-}
-
-// Generate produces a Nebula config.yml from the given input.
-func Generate(input GeneratorInput) ([]byte, error) {
-	funcs := template.FuncMap{
-		"indent4": func(s string) string { return indentLines(s, 4) },
-	}
-
-	tmpl, err := template.New("nebula-config").Funcs(funcs).Parse(configTemplate)
-	if err != nil {
-		return nil, fmt.Errorf("parse template: %w", err)
-	}
-
-	var buf bytes.Buffer
-	if err := tmpl.Execute(&buf, input); err != nil {
-		return nil, fmt.Errorf("execute template: %w", err)
-	}
-
-	return buf.Bytes(), nil
-}