feat(auth/rbac): scope_type+scope_id+expires_at on role grants (HIGH-10)

Audit 2026-05-10 — close HIGH-10 from the HANDOFF.md backend batch (item 1). Per-actor scoped + time-bound role grants are now expressible via the API. Migration 000043: adds scope_type TEXT NOT NULL DEFAULT 'global' + scope_id TEXT to actor_roles. Constraints: - actor_roles_scope_type_enum: scope_type ∈ {global, profile, issuer} - actor_roles_scope_id_required_when_not_global: scope_id is NULL iff scope_type='global' - Uniqueness extended: (actor_id, actor_type, role_id, scope_type, scope_id, tenant_id) — so an operator can grant the same role to the same actor scoped to multiple profiles/issuers (e.g. r-operator on p-finance AND on p-engineering). Index idx_actor_roles_scope for non-global lookup hot paths. Domain: ActorRole.ScopeType (ScopeType enum) + ScopeID (*string). Authorizer.CheckPermission already understands the tuple via the parallel role_permissions columns; this addition gives operators a per-actor knob without forking roles. Postgres repo: Grant writes scope_type+scope_id with ON CONFLICT keyed on the new uniqueness tuple. Defaults to (global, NULL) when caller omits. Handler: assignRoleRequest extended with scope_type / scope_id / expires_at. Validation: - role_id required (unchanged) - scope_type defaults to 'global'; allowed values global/profile/ issuer; anything else → 400 - scope_id required when scope_type ∈ {profile, issuer}; rejected (must be empty) when scope_type='global' - expires_at must be in the future when present; nil = standing Regression matrix in internal/api/handler/auth_test.go (6 cases): - TestAssignRoleToKey_HIGH10_ProfileScopeBoundGrantPersists - TestAssignRoleToKey_HIGH10_TimeBoundGrantPersists - TestAssignRoleToKey_HIGH10_RejectsScopeIDWithGlobalScope - TestAssignRoleToKey_HIGH10_RejectsMissingScopeIDOnProfile - TestAssignRoleToKey_HIGH10_RejectsPastExpiry - TestAssignRoleToKey_HIGH10_RejectsInvalidScopeType HIGH-10 marked CLOSED in audit-doc — the v3 deferral from the prior session is reversed; everything lands in v2. Refs: cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 1 cowork/auth-bundles-audit-2026-05-10.md HIGH-10
2026-06-07 15:11:29 +00:00 · 2026-05-10 22:47:45 +00:00
parent e7c4654b16
commit 72b54ce850
6 changed files with 261 additions and 5 deletions
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"net/http"
 	"strings"
+	"time"

 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
@@ -174,8 +175,26 @@ type addPermissionRequest struct {
 	ScopeID    *string `json:"scope_id,omitempty"`
 }

+// assignRoleRequest is the POST /api/v1/auth/keys/{id}/roles body.
+//
+// Audit 2026-05-10 HIGH-10 closure — extended with scope_type /
+// scope_id / expires_at so per-actor scoped + time-bound grants are
+// expressible via the API. Pre-fix, the only path was creating a
+// scoped role and granting that; now operators can scope a standing
+// role to a specific resource on a per-actor basis.
+//
+// Validation rules:
+//   - role_id is required.
+//   - scope_type defaults to "global"; allowed values are global /
+//     profile / issuer.
+//   - scope_id is required when scope_type != "global"; rejected
+//     (must be empty) when scope_type == "global".
+//   - expires_at must be in the future when present; nil = standing.
 type assignRoleRequest struct {
-	RoleID string `json:"role_id"`
+	RoleID    string     `json:"role_id"`
+	ScopeType string     `json:"scope_type,omitempty"`
+	ScopeID   *string    `json:"scope_id,omitempty"`
+	ExpiresAt *time.Time `json:"expires_at,omitempty"`
 }

 type meResponse struct {
@@ -427,10 +446,39 @@ func (h AuthHandler) AssignRoleToKey(w http.ResponseWriter, r *http.Request) {
 		Error(w, http.StatusBadRequest, "role_id is required")
 		return
 	}
+
+	// Audit 2026-05-10 HIGH-10 validation.
+	scopeType := authdomain.ScopeType(req.ScopeType)
+	if scopeType == "" {
+		scopeType = authdomain.ScopeTypeGlobal
+	}
+	switch scopeType {
+	case authdomain.ScopeTypeGlobal:
+		if req.ScopeID != nil && *req.ScopeID != "" {
+			Error(w, http.StatusBadRequest, "scope_id must be empty when scope_type=global")
+			return
+		}
+	case authdomain.ScopeTypeProfile, authdomain.ScopeTypeIssuer:
+		if req.ScopeID == nil || strings.TrimSpace(*req.ScopeID) == "" {
+			Error(w, http.StatusBadRequest, "scope_id is required when scope_type is profile or issuer")
+			return
+		}
+	default:
+		Error(w, http.StatusBadRequest, "invalid scope_type — must be global, profile, or issuer")
+		return
+	}
+	if req.ExpiresAt != nil && !req.ExpiresAt.After(time.Now().UTC()) {
+		Error(w, http.StatusBadRequest, "expires_at must be in the future")
+		return
+	}
+
 	ar := &authdomain.ActorRole{
 		ActorID:   keyID,
 		ActorType: authdomain.ActorTypeValue(domain.ActorTypeAPIKey),
 		RoleID:    req.RoleID,
+		ScopeType: scopeType,
+		ScopeID:   req.ScopeID,
+		ExpiresAt: req.ExpiresAt,
 	}
 	if err := h.actors.Grant(r.Context(), caller, ar); err != nil {
 		writeAuthError(w, err)