feat(auth/sessions): list-all gate + revoke-all-except-current (MED-1/2/3)

Audit 2026-05-10 Fix 13 Phase A — close MED-1, MED-2, MED-3. MED-1 (verification only): Fix 01's CRIT-1 router-gate sweep already wraps every read endpoint with rbacGate(reg.Checker, '<resource>.read', ...). Verified post-sweep that GET /api/v1/certificates, /profiles, /issuers, /targets, /agents, /audit all carry the corresponding *.read permission gate. MED-2: ListSessions now gates ?actor_id=<other> on auth.session.list.all via the new permissionChecker projection installed by WithPermissionChecker. cmd/server/main.go threads the existing authCheckerAdapter into the handler. When caller's actor_id != caller.ActorID AND the handler has a checker, an inline CheckPermission(..., 'auth.session.list.all', 'global', nil) call fires; on false → 403 with explanatory message; on repository error → 500. Defense-in-depth: the router-level rbacGate enforces auth.session.list as the floor; the .list.all re-check is the privilege-elevation guard for cross-actor queries that the rbacGate can't express (it can't see the query parameter). MED-3: ship DELETE /api/v1/auth/sessions?except=current — the 'sign out all other sessions' flow. Gated by auth.session.revoke; the handler reads the caller's current session ID from session.SessionFromContext(ctx) (cookie-mode); empty for Bearer-mode callers (in which case ALL the actor's sessions revoke, matching 'log me out everywhere' semantic for API-key users). New repository method SessionRepository.RevokeAllExceptForActor: UPDATE sessions SET revoked_at = NOW() WHERE actor_id = AND actor_type = AND tenant_id = AND revoked_at IS NULL AND id != returning rowcount. Added to the interface in internal/repository/session.go, wired into postgres impl, and added to all SessionRepo test stubs (handler stubSessionRepo, service-test stubSessionRepo, benchmark slowSessionRepo). The session.SessionRepo internal interface also gains the method so the bench_test.go forwarder compiles. Audit row records the count for compliance evidence (one summary row per invocation per the existing audit policy). OpenAPI parity exception added for the new route — the unbounded-DELETE-with-query-flag shape doesn't fit standard REST CRUD operations cleanly; matches the documented-inline pattern set by the streaming audit-export endpoint. GUI button (SessionsPage 'Sign out all other sessions') deferred to Phase D. Refs: cowork/auth-bundles-audit-2026-05-10.md MED-1, MED-2, MED-3 Spec: cowork/auth-bundles-fixes-2026-05-10/13-med-bundle.md Phase A
2026-06-07 15:01:32 +00:00 · 2026-05-10 21:49:35 +00:00
parent 912ec3f547
commit ba0959ddc7
10 changed files with 168 additions and 15 deletions
@@ -120,6 +120,31 @@ type AuthSessionOIDCHandler struct {
 	cookieAttrs   SessionCookieAttrs
 	tenantID      string
 	postLoginURL  string // 302 target after successful callback (default: /)
+
+	// checker is the optional PermissionChecker projection used for
+	// query-parameter-conditional gates that the router-level rbacGate
+	// can't express. Audit 2026-05-10 MED-2: ListSessions allows the
+	// caller to query their own sessions with auth.session.list, but
+	// `?actor_id=<other>` requires the narrower auth.session.list.all.
+	// Nil-safe: handlers that don't need conditional gating leave it
+	// unset (existing tests).
+	checker permissionChecker
+}
+
+// permissionChecker is the projection of auth.PermissionChecker the
+// session handler uses for query-conditional gates (MED-2). Defined
+// locally to avoid importing internal/auth from the handler package
+// just for this single use.
+type permissionChecker interface {
+	CheckPermission(ctx context.Context, actorID, actorType, tenantID, permission, scopeType string, scopeID *string) (bool, error)
+}
+
+// WithPermissionChecker installs a PermissionChecker projection on the
+// handler. Audit 2026-05-10 MED-2 closure — used by ListSessions to
+// gate `?actor_id=<other>` on auth.session.list.all.
+func (h *AuthSessionOIDCHandler) WithPermissionChecker(c permissionChecker) *AuthSessionOIDCHandler {
+	h.checker = c
+	return h
 }

 // BCLReplayConsumer is the projection of repository.BCLReplayRepository
@@ -558,18 +583,29 @@ func (h *AuthSessionOIDCHandler) ListSessions(w http.ResponseWriter, r *http.Req
 	actorID := caller.ActorID
 	actorType := string(caller.ActorType)
 	if q := r.URL.Query().Get("actor_id"); q != "" && q != actorID {
-		// listing a different actor's sessions requires
-		// auth.session.list.all (router-level rbacGate ALREADY enforced
-		// auth.session.list, but `.list.all` is a separate, narrower
-		// gate — encoded inline here since the router gate doesn't
-		// vary by query parameter).
-		// For Phase 5 we keep the simple model: any caller with
-		// auth.session.list.all (admins) can pass actor_id=<other>;
-		// we don't re-check that permission here because the rbacGate
-		// pattern doesn't carry a checker into the handler. The router
-		// wraps this whole handler with auth.session.list.all when
-		// query inspection isn't possible; operators wanting the
-		// finer-grained gate use the auth.session.list.all role.
+		// Audit 2026-05-10 MED-2 closure — listing a different
+		// actor's sessions requires the narrower auth.session.list.all
+		// permission. The router gate already enforced
+		// auth.session.list (the floor for any session-list call),
+		// but the all-actors variant is an admin-class capability and
+		// must be checked separately because the rbacGate can't see
+		// the query param. When the handler is wired with
+		// WithPermissionChecker (production), we re-check inline; when
+		// it isn't (legacy tests), the router gate's auth.session.list
+		// floor is the only check.
+		if h.checker != nil {
+			ok, perr := h.checker.CheckPermission(r.Context(),
+				caller.ActorID, string(caller.ActorType), h.tenantID,
+				"auth.session.list.all", "global", nil)
+			if perr != nil {
+				Error(w, http.StatusInternalServerError, "permission check failed")
+				return
+			}
+			if !ok {
+				Error(w, http.StatusForbidden, "auth.session.list.all required to list another actor's sessions")
+				return
+			}
+		}
 		actorID = q
 		if at := r.URL.Query().Get("actor_type"); at != "" {
 			actorType = at
@@ -626,6 +662,55 @@ func (h *AuthSessionOIDCHandler) RevokeSession(w http.ResponseWriter, r *http.Re
 	w.WriteHeader(http.StatusNoContent)
 }

+// RevokeAllExceptCurrent handles DELETE /api/v1/auth/sessions?except=current.
+//
+// Audit 2026-05-10 MED-3 closure — backs the "Sign out all other
+// sessions" SessionsPage button. Revokes every active session for the
+// caller EXCEPT the session that issued the current request (so the
+// user doesn't get logged out by the action they just took).
+//
+// The current session ID is read from the request's session cookie via
+// the SessionMiddleware's actor context — for Bearer-mode callers this
+// is the empty string and ALL the actor's sessions are revoked (matches
+// the "log me out everywhere" semantic for API-key-mode users).
+//
+// Audit row records the count for compliance (one summary row per
+// invocation; per-session detail is implicit in the count + actor).
+func (h *AuthSessionOIDCHandler) RevokeAllExceptCurrent(w http.ResponseWriter, r *http.Request) {
+	caller, err := callerFromRequest(r)
+	if err != nil {
+		writeAuthError(w, err)
+		return
+	}
+	if r.URL.Query().Get("except") != "current" {
+		Error(w, http.StatusBadRequest, "only ?except=current is supported")
+		return
+	}
+	// Current session ID — empty for Bearer/API-key callers (acceptable;
+	// the repo's RevokeAllExceptForActor handles "" by revoking
+	// literally every active session). Read from the session middleware's
+	// SessionFromContext helper which populates the validated session
+	// on the request context for cookie-mode callers.
+	currentSessionID := ""
+	if sess := sessionsvc.SessionFromContext(r.Context()); sess != nil {
+		currentSessionID = sess.ID
+	}
+
+	count, rerr := h.sessionRepo.RevokeAllExceptForActor(r.Context(),
+		caller.ActorID, string(caller.ActorType), h.tenantID, currentSessionID)
+	if rerr != nil {
+		Error(w, http.StatusInternalServerError, "could not revoke sessions")
+		return
+	}
+	h.recordAudit(r.Context(), "auth.sessions_revoked_all_except_current",
+		caller.ActorID, caller.ActorType, currentSessionID,
+		map[string]interface{}{
+			"count":              count,
+			"current_session_id": currentSessionID,
+		})
+	writeJSON(w, http.StatusOK, map[string]interface{}{"revoked_count": count})
+}
+
 // =============================================================================
 // 3. OIDC provider + group-mapping CRUD.
 // =============================================================================
@@ -193,8 +193,11 @@ func (s *stubSessionRepo) Revoke(_ context.Context, id string) error {
 	return nil
 }
 func (s *stubSessionRepo) RevokeAllForActor(_ context.Context, _, _, _ string) error { return nil }
-func (s *stubSessionRepo) GarbageCollectExpired(_ context.Context) (int, error)      { return 0, nil }
-func (s *stubSessionRepo) Delete(_ context.Context, _ string) error                  { return nil }
+func (s *stubSessionRepo) RevokeAllExceptForActor(_ context.Context, _, _, _, _ string) (int, error) {
+	return 0, nil
+}
+func (s *stubSessionRepo) GarbageCollectExpired(_ context.Context) (int, error) { return 0, nil }
+func (s *stubSessionRepo) Delete(_ context.Context, _ string) error             { return nil }

 // stubUserRepo implements just enough of repository.UserRepository for
 // the BCL sub→actor_id resolution path (CRIT-2 closure). Lookups by
@@ -153,6 +153,14 @@ var SpecParityExceptions = map[string]string{
 	// in docs/operator/security.md::audit-export and the handler doc
 	// comment.
 	"GET /api/v1/audit/export": "Audit 2026-05-10 HIGH-11 — streaming NDJSON audit export; gated audit.export. Documented inline at internal/api/handler/audit.go::ExportAudit.",
+
+	// Audit 2026-05-10 MED-3 — `DELETE /api/v1/auth/sessions?except=current`
+	// is the "sign out all other sessions" flow. Distinct from the
+	// per-session DELETE /api/v1/auth/sessions/{id} (already in OpenAPI);
+	// this variant operates on the caller's whole session set minus the
+	// current. Documented inline at
+	// internal/api/handler/auth_session_oidc.go::RevokeAllExceptCurrent.
+	"DELETE /api/v1/auth/sessions": "Audit 2026-05-10 MED-3 — sign-out-all-other-sessions; gated auth.session.revoke. Documented inline at internal/api/handler/auth_session_oidc.go::RevokeAllExceptCurrent.",
 }

 func TestRouter_OpenAPIParity(t *testing.T) {
@@ -446,6 +446,12 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) {
 		// handler layer per Phase 5 spec.
 		r.Register("GET /api/v1/auth/sessions", rbacGate(reg.Checker, "auth.session.list", reg.AuthSessionOIDC.ListSessions))
 		r.Register("DELETE /api/v1/auth/sessions/{id}", rbacGate(reg.Checker, "auth.session.revoke", reg.AuthSessionOIDC.RevokeSession))
+		// Audit 2026-05-10 MED-3 closure — DELETE /api/v1/auth/sessions?except=current
+		// is the "Sign out all other sessions" flow. Gated by
+		// auth.session.revoke (any authenticated caller with the perm
+		// can revoke their OWN remaining sessions; the handler reads
+		// the current session ID from context and excludes it).
+		r.Register("DELETE /api/v1/auth/sessions", rbacGate(reg.Checker, "auth.session.revoke", reg.AuthSessionOIDC.RevokeAllExceptCurrent))

 		// OIDC provider CRUD.
 		r.Register("GET /api/v1/auth/oidc/providers", rbacGate(reg.Checker, "auth.oidc.list", reg.AuthSessionOIDC.ListProviders))