Unify API auth + RFC-compliant CRL/OCSP (M-002 + M-003 + M-006, auto-closes M-001)

Closes the remaining P1 gaps from coverage-gap-audit.md (M-001/M-002/M-003/M-006) on top of the C-001/C-002 ownership + agent-FK contract fixes landed in a53a4b8. The work lands as a single commit spanning server, docs, tests, and the React client. M-002 — Named API keys with per-key actor propagation * Migration 000014 adds the 'api_keys' table (id, name, hash, principal, role, created_at, last_used_at, disabled_at) so every credential carries an identifiable principal instead of the opaque 'anonymous'/'api-key' sentinel. * Auth middleware now rotates through configured keys, performs constant-time hash comparison, stamps 'last_used_at', and emits an actor struct via contextWithActor(). The audit middleware, bulk-revocation handler, approval handlers, and MCP tool layer now read the principal off the context and persist it on every audit_events row. * Regression coverage: - internal/api/middleware/audit_test.go — actor propagation, principal redaction for disabled keys, anonymous fallback for unauthenticated endpoints. - internal/api/handler/bulk_revocation_handler_test.go, job_handler_test.go — principal-on-audit assertions. M-003 — Authorization gates (Phase B) * Approval handler rejects self-approval / self-rejection with 403 when the actor principal equals the job's requested_by field. * Bulk revocation is gated behind the 'admin' role; operators and viewers receive 403. * Regression coverage: - internal/service/job_test.go — TestApproveJob_NotSelf, TestRejectJob_NotSelf. - internal/api/handler/bulk_revocation_handler_test.go — TestBulkRevoke_RequiresAdmin, TestBulkRevoke_AdminSucceeds. M-006 — RFC-compliant CRL/OCSP on the unauthenticated .well-known mux * Per RFC 8615, relying parties cannot reasonably be asked to authenticate against the issuing certctl instance to retrieve revocation material. CRL and OCSP move off the authenticated '/api/v1/crl*' and '/api/v1/ocsp/*' paths onto: GET /.well-known/pki/crl/{issuer_id} Content-Type: application/pkix-crl (RFC 5280 §5) GET /.well-known/pki/ocsp/{issuer_id}/{serial} Content-Type: application/ocsp-response (RFC 6960) * Non-standard JSON CRL shape is removed; only DER is served. * Short-lived certificate exemption (profile TTL < 1h → skip CRL/OCSP) is preserved; the response simply omits the serial. * Routes are registered on the unauthenticated 'finalHandler' mux in cmd/server/main.go alongside EST ('/.well-known/est/*') and SCEP ('/scep'). Legacy authenticated paths return 404. * Regression coverage: - internal/api/handler/certificate_handler_test.go — content type, DER parseability, 404 for unknown issuer. - internal/api/handler/adversarial_path_test.go — unauthenticated access asserted for CRL, OCSP, EST, SCEP. - internal/api/router/router_test.go — route-table assertion that '.well-known/pki/*', '.well-known/est/*', and '/scep' are mounted on the unauthenticated branch. M-001 — Auto-closed by M-002 EST and SCEP were already registered on the unauthenticated 'finalHandler' mux; the router comment at internal/api/router/router.go:247 now matches reality. The adversarial-path tests above lock the behavior in. Verification (all gates green): * go vet ./... — clean * go build ./... — ok * go test -short ./... (55+ packages) — all pass * web/ : npm test (225 Vitest tests) — all pass * web/ : npx tsc --noEmit — clean * grep sweep for '/api/v1/(crl|ocsp)' — 13 surviving hits, all intentional M-006 tombstone/relocation comments. Documentation: * coverage-gap-audit.md — status flips M-001/M-002/M-003/M-006 → Fixed, with per-finding resolution paragraphs citing regression test IDs. (Audit file lives outside this repo; see cowork root.) * CLAUDE.md Project Status line updated with the auth-unification closure note. * docs/features.md, docs/architecture.md, docs/quickstart.md, docs/concepts.md, docs/connectors.md, docs/test-env.md, docs/testing-guide.md, docs/compliance-*.md, docs/demo-advanced.md — refreshed for the new '.well-known/pki/*' namespace and named API keys. * api/openapi.yaml — documents the new unauthenticated endpoints and removes the legacy '/api/v1/crl*' + '/api/v1/ocsp/*' paths. .gitignore: adds '/.gocache/' and '/.gomodcache/' for the session- scoped Go caches so they never enter the tree.
2026-06-09 07:48:54 +00:00 · 2026-04-18 18:17:41 +00:00
parent a53a4b845b
commit 3287e174dc
45 changed files with 1468 additions and 526 deletions
@@ -7,6 +7,11 @@ interface AuthState {
  authRequired: boolean;
  authenticated: boolean;
  authType: string;
+  // M-003: named-key identity + admin flag surfaced from /auth/check so admin-
+  // only GUI affordances (e.g., bulk-revoke) can be hidden from non-admin
+  // callers. These are UX hints — authorization remains enforced server-side.
+  user: string;
+  admin: boolean;
  login: (key: string) => Promise<void>;
  logout: () => void;
  error: string | null;
@@ -17,6 +22,8 @@ const AuthContext = createContext<AuthState>({
  authRequired: false,
  authenticated: false,
  authType: 'none',
+  user: '',
+  admin: false,
  login: async () => {},
  logout: () => {},
  error: null,
@@ -31,6 +38,8 @@ export default function AuthProvider({ children }: { children: ReactNode }) {
  const [authRequired, setAuthRequired] = useState(false);
  const [authenticated, setAuthenticated] = useState(false);
  const [authType, setAuthType] = useState('none');
+  const [user, setUser] = useState('');
+  const [admin, setAdmin] = useState(false);
  const [error, setError] = useState<string | null>(null);

  // Check if server requires auth on mount
@@ -40,12 +49,19 @@ export default function AuthProvider({ children }: { children: ReactNode }) {
        setAuthType(info.auth_type);
        setAuthRequired(info.required);
        if (!info.required) {
+          // CERTCTL_AUTH_TYPE=none: the server treats every caller as
+          // anonymous with admin=false. Mirror that locally so gated
+          // affordances stay hidden.
          setAuthenticated(true);
+          setUser('');
+          setAdmin(false);
        }
      })
      .catch(() => {
        // If auth/info fails, assume no auth required (server may be old version)
        setAuthenticated(true);
+        setUser('');
+        setAdmin(false);
      })
      .finally(() => setLoading(false));
  }, []);
@@ -55,6 +71,8 @@ export default function AuthProvider({ children }: { children: ReactNode }) {
    const handler = () => {
      setAuthenticated(false);
      setApiKey(null);
+      setUser('');
+      setAdmin(false);
      setError('Session expired. Please re-enter your API key.');
    };
    window.addEventListener('certctl:auth-required', handler);
@@ -64,9 +82,13 @@ export default function AuthProvider({ children }: { children: ReactNode }) {
  const login = useCallback(async (key: string) => {
    setError(null);
    try {
-      await checkAuth(key);
+      // /auth/check returns {status, user, admin}. Capture user + admin so the
+      // GUI can hide admin-only affordances (bulk revoke, etc.).
+      const resp = await checkAuth(key);
      setApiKey(key);
      setAuthenticated(true);
+      setUser(resp.user ?? '');
+      setAdmin(Boolean(resp.admin));
    } catch {
      setError('Invalid API key');
      throw new Error('Invalid API key');
@@ -76,11 +98,13 @@ export default function AuthProvider({ children }: { children: ReactNode }) {
  const logout = useCallback(() => {
    setApiKey(null);
    setAuthenticated(false);
+    setUser('');
+    setAdmin(false);
    setError(null);
  }, []);

  return (
-    <AuthContext.Provider value={{ loading, authRequired, authenticated, authType, login, logout, error }}>
+    <AuthContext.Provider value={{ loading, authRequired, authenticated, authType, user, admin, login, logout, error }}>
      {children}
    </AuthContext.Provider>
  );