mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-10 10:58:52 +00:00
Merge Fix 04 (HIGH A-4): scope-aware ActorRole revoke
This commit is contained in:
shankar0123
@@ -406,14 +406,59 @@ func (r *ActorRoleRepository) Grant(ctx context.Context, ar *authdomain.ActorRol
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *ActorRoleRepository) Revoke(ctx context.Context, actorID string, actorType authdomain.ActorTypeValue, roleID, tenantID string) error {
|
||||
_, err := r.db.ExecContext(ctx, `
|
||||
// Audit 2026-05-11 A-4 — scope-aware revoke. The pre-fix SQL omitted
|
||||
// (scope_type, scope_id) from the WHERE clause; combined with HIGH-10's
|
||||
// UNIQUE (actor_id, actor_type, role_id, scope_type, scope_id, tenant_id)
|
||||
// uniqueness extension, an operator who granted the same role to the
|
||||
// same actor at two different scopes had no selective-revoke path —
|
||||
// every Revoke call nuked both rows. The new behaviour:
|
||||
//
|
||||
// - opts.ScopeType == "" (legacy call shape): drop the scope from the
|
||||
// WHERE clause; delete every variant. Zero-row delete is NOT an
|
||||
// error (preserves the GUI's pre-A-4 idempotence contract).
|
||||
//
|
||||
// - opts.ScopeType != "": narrow WHERE with
|
||||
// `scope_type = $5 AND scope_id IS NOT DISTINCT FROM $6` (the
|
||||
// IS-NOT-DISTINCT-FROM handles the `global → scope_id IS NULL`
|
||||
// case cleanly — Postgres `= NULL` would silently match nothing).
|
||||
// Zero-row delete IS an error (ErrActorRoleNotFound, mapped to
|
||||
// HTTP 404 upstream) so operators get feedback when they target a
|
||||
// scope variant that doesn't exist.
|
||||
func (r *ActorRoleRepository) Revoke(ctx context.Context, actorID string, actorType authdomain.ActorTypeValue, roleID, tenantID string, opts repository.ActorRoleRevokeOptions) error {
|
||||
if opts.ScopeType == "" {
|
||||
// Legacy "revoke all variants" path. Zero-row delete = no-op.
|
||||
_, err := r.db.ExecContext(ctx, `
|
||||
DELETE FROM actor_roles
|
||||
WHERE actor_id = $1 AND actor_type = $2 AND role_id = $3 AND tenant_id = $4
|
||||
`, actorID, string(actorType), roleID, tenantID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("actorRole.revoke: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
// Scoped path. `scope_id IS NOT DISTINCT FROM $6` makes
|
||||
// (global, NULL) match (global, NULL) cleanly — vanilla `=` would
|
||||
// drop on NULL ≠ NULL.
|
||||
var scopeID interface{}
|
||||
if opts.ScopeID != nil && *opts.ScopeID != "" {
|
||||
scopeID = *opts.ScopeID
|
||||
}
|
||||
res, err := r.db.ExecContext(ctx, `
|
||||
DELETE FROM actor_roles
|
||||
WHERE actor_id = $1 AND actor_type = $2 AND role_id = $3 AND tenant_id = $4
|
||||
`, actorID, string(actorType), roleID, tenantID)
|
||||
WHERE actor_id = $1
|
||||
AND actor_type = $2
|
||||
AND role_id = $3
|
||||
AND tenant_id = $4
|
||||
AND scope_type = $5
|
||||
AND scope_id IS NOT DISTINCT FROM $6
|
||||
`, actorID, string(actorType), roleID, tenantID, string(opts.ScopeType), scopeID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("actorRole.revoke: %w", err)
|
||||
}
|
||||
n, _ := res.RowsAffected()
|
||||
if n == 0 {
|
||||
return repository.ErrActorRoleNotFound
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,231 @@
|
||||
package postgres_test
|
||||
|
||||
// Audit 2026-05-11 A-4 closure — scope-aware ActorRoleRepository.Revoke
|
||||
// regression matrix. Pre-fix, Revoke deleted every (actor,role,tenant)
|
||||
// row regardless of (scope_type, scope_id), so an operator who held
|
||||
// the same role at two different profile scopes could only nuke them
|
||||
// both — selective revoke was unrepresentable. The new semantic:
|
||||
//
|
||||
// opts.ScopeType == "" → legacy "revoke all variants"
|
||||
// opts.ScopeType == global → drop only the (global, NULL) row
|
||||
// opts.ScopeType == profile|issuer + scope_id → drop only that variant
|
||||
// no match for a scoped revoke → ErrActorRoleNotFound (HTTP 404)
|
||||
//
|
||||
// Helpers (seedRoleWithPerm, grantActorRoleAtScope, ptrStr) live in
|
||||
// auth_scope_test.go in this same _test package.
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"testing"
|
||||
|
||||
authdomain "github.com/certctl-io/certctl/internal/domain/auth"
|
||||
"github.com/certctl-io/certctl/internal/repository"
|
||||
"github.com/certctl-io/certctl/internal/repository/postgres"
|
||||
)
|
||||
|
||||
// listActorRoleScopes returns every (scope_type, scope_id-or-empty)
|
||||
// tuple held by the actor for the role. Lets tests assert which
|
||||
// variants are still standing after a Revoke.
|
||||
func listActorRoleScopes(t *testing.T, ctx context.Context, repo *postgres.ActorRoleRepository, actorID, roleID string) []string {
|
||||
t.Helper()
|
||||
rows, err := repo.ListByActor(ctx, actorID, authdomain.ActorTypeValue("APIKey"), authdomain.DefaultTenantID)
|
||||
if err != nil {
|
||||
t.Fatalf("ListByActor: %v", err)
|
||||
}
|
||||
var out []string
|
||||
for _, r := range rows {
|
||||
if r.RoleID != roleID {
|
||||
continue
|
||||
}
|
||||
st := string(r.ScopeType)
|
||||
sid := ""
|
||||
if r.ScopeID != nil {
|
||||
sid = *r.ScopeID
|
||||
}
|
||||
out = append(out, st+"|"+sid)
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// TestRevokeActorRole_NoOpts_RemovesAllVariants — pre-A-4 legacy
|
||||
// semantic. Actor holds the same role at two profile scopes; Revoke
|
||||
// with zero-value opts must wipe both.
|
||||
func TestRevokeActorRole_NoOpts_RemovesAllVariants(t *testing.T) {
|
||||
if testing.Short() {
|
||||
t.Skip("integration test in short mode")
|
||||
}
|
||||
db := getTestDB(t).freshSchema(t)
|
||||
ctx := context.Background()
|
||||
roleRepo := postgres.NewRoleRepository(db)
|
||||
permRepo := postgres.NewPermissionRepository(db)
|
||||
actorRepo := postgres.NewActorRoleRepository(db)
|
||||
|
||||
roleID := seedRoleWithPerm(t, ctx, roleRepo, permRepo, "rev-noopts", "cert.read", authdomain.ScopeTypeGlobal, nil)
|
||||
grantActorRoleAtScope(t, ctx, actorRepo, "alice", roleID, authdomain.ScopeTypeProfile, ptrStr("p-acme"))
|
||||
grantActorRoleAtScope(t, ctx, actorRepo, "alice", roleID, authdomain.ScopeTypeProfile, ptrStr("p-globex"))
|
||||
|
||||
got := listActorRoleScopes(t, ctx, actorRepo, "alice", roleID)
|
||||
if len(got) != 2 {
|
||||
t.Fatalf("pre-revoke variants = %v; want 2", got)
|
||||
}
|
||||
|
||||
if err := actorRepo.Revoke(ctx, "alice", authdomain.ActorTypeValue("APIKey"), roleID, authdomain.DefaultTenantID, repository.ActorRoleRevokeOptions{}); err != nil {
|
||||
t.Fatalf("Revoke (no-opts): %v", err)
|
||||
}
|
||||
got = listActorRoleScopes(t, ctx, actorRepo, "alice", roleID)
|
||||
if len(got) != 0 {
|
||||
t.Errorf("legacy revoke left variants: %v; want []", got)
|
||||
}
|
||||
}
|
||||
|
||||
// TestRevokeActorRole_WithScope_RemovesOnlyMatching — the A-4
|
||||
// selective-revoke happy path. Two scoped grants; revoke one by
|
||||
// (profile=p-acme); the other (profile=p-globex) stays.
|
||||
func TestRevokeActorRole_WithScope_RemovesOnlyMatching(t *testing.T) {
|
||||
if testing.Short() {
|
||||
t.Skip("integration test in short mode")
|
||||
}
|
||||
db := getTestDB(t).freshSchema(t)
|
||||
ctx := context.Background()
|
||||
roleRepo := postgres.NewRoleRepository(db)
|
||||
permRepo := postgres.NewPermissionRepository(db)
|
||||
actorRepo := postgres.NewActorRoleRepository(db)
|
||||
|
||||
roleID := seedRoleWithPerm(t, ctx, roleRepo, permRepo, "rev-scoped", "cert.read", authdomain.ScopeTypeGlobal, nil)
|
||||
grantActorRoleAtScope(t, ctx, actorRepo, "alice", roleID, authdomain.ScopeTypeProfile, ptrStr("p-acme"))
|
||||
grantActorRoleAtScope(t, ctx, actorRepo, "alice", roleID, authdomain.ScopeTypeProfile, ptrStr("p-globex"))
|
||||
|
||||
err := actorRepo.Revoke(ctx, "alice", authdomain.ActorTypeValue("APIKey"), roleID, authdomain.DefaultTenantID, repository.ActorRoleRevokeOptions{
|
||||
ScopeType: authdomain.ScopeTypeProfile,
|
||||
ScopeID: ptrStr("p-acme"),
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("scoped Revoke: %v", err)
|
||||
}
|
||||
got := listActorRoleScopes(t, ctx, actorRepo, "alice", roleID)
|
||||
if len(got) != 1 || got[0] != "profile|p-globex" {
|
||||
t.Errorf("post-revoke variants = %v; want [profile|p-globex]", got)
|
||||
}
|
||||
}
|
||||
|
||||
// TestRevokeActorRole_WithGlobalScope_RemovesOnlyGlobal — pin the
|
||||
// `scope_id IS NOT DISTINCT FROM $6` branch. Actor holds global +
|
||||
// profile-scoped grants of the same role; revoke `scope_type=global`
|
||||
// drops only the global row.
|
||||
func TestRevokeActorRole_WithGlobalScope_RemovesOnlyGlobal(t *testing.T) {
|
||||
if testing.Short() {
|
||||
t.Skip("integration test in short mode")
|
||||
}
|
||||
db := getTestDB(t).freshSchema(t)
|
||||
ctx := context.Background()
|
||||
roleRepo := postgres.NewRoleRepository(db)
|
||||
permRepo := postgres.NewPermissionRepository(db)
|
||||
actorRepo := postgres.NewActorRoleRepository(db)
|
||||
|
||||
roleID := seedRoleWithPerm(t, ctx, roleRepo, permRepo, "rev-global", "cert.read", authdomain.ScopeTypeGlobal, nil)
|
||||
grantActorRoleAtScope(t, ctx, actorRepo, "alice", roleID, authdomain.ScopeTypeGlobal, nil)
|
||||
grantActorRoleAtScope(t, ctx, actorRepo, "alice", roleID, authdomain.ScopeTypeProfile, ptrStr("p-acme"))
|
||||
|
||||
err := actorRepo.Revoke(ctx, "alice", authdomain.ActorTypeValue("APIKey"), roleID, authdomain.DefaultTenantID, repository.ActorRoleRevokeOptions{
|
||||
ScopeType: authdomain.ScopeTypeGlobal,
|
||||
ScopeID: nil,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("global-scope Revoke: %v", err)
|
||||
}
|
||||
got := listActorRoleScopes(t, ctx, actorRepo, "alice", roleID)
|
||||
if len(got) != 1 || got[0] != "profile|p-acme" {
|
||||
t.Errorf("post-revoke variants = %v; want [profile|p-acme]", got)
|
||||
}
|
||||
}
|
||||
|
||||
// TestRevokeActorRole_NoMatch_ReturnsNotFound — operator passes a
|
||||
// (scope_type, scope_id) the actor doesn't actually hold for this
|
||||
// role. Selective revoke must return ErrActorRoleNotFound; existing
|
||||
// rows must be untouched.
|
||||
func TestRevokeActorRole_NoMatch_ReturnsNotFound(t *testing.T) {
|
||||
if testing.Short() {
|
||||
t.Skip("integration test in short mode")
|
||||
}
|
||||
db := getTestDB(t).freshSchema(t)
|
||||
ctx := context.Background()
|
||||
roleRepo := postgres.NewRoleRepository(db)
|
||||
permRepo := postgres.NewPermissionRepository(db)
|
||||
actorRepo := postgres.NewActorRoleRepository(db)
|
||||
|
||||
roleID := seedRoleWithPerm(t, ctx, roleRepo, permRepo, "rev-nomatch", "cert.read", authdomain.ScopeTypeGlobal, nil)
|
||||
grantActorRoleAtScope(t, ctx, actorRepo, "alice", roleID, authdomain.ScopeTypeProfile, ptrStr("p-acme"))
|
||||
|
||||
err := actorRepo.Revoke(ctx, "alice", authdomain.ActorTypeValue("APIKey"), roleID, authdomain.DefaultTenantID, repository.ActorRoleRevokeOptions{
|
||||
ScopeType: authdomain.ScopeTypeProfile,
|
||||
ScopeID: ptrStr("p-globex"),
|
||||
})
|
||||
if !errors.Is(err, repository.ErrActorRoleNotFound) {
|
||||
t.Errorf("err = %v; want ErrActorRoleNotFound", err)
|
||||
}
|
||||
got := listActorRoleScopes(t, ctx, actorRepo, "alice", roleID)
|
||||
if len(got) != 1 || got[0] != "profile|p-acme" {
|
||||
t.Errorf("untargeted revoke mutated existing rows: %v", got)
|
||||
}
|
||||
}
|
||||
|
||||
// TestRevokeActorRole_NoOpts_NoMatch_IsNoOp — pin the legacy
|
||||
// idempotence contract. Empty opts + zero matching rows must NOT
|
||||
// return an error (the GUI's pre-A-4 revoke button fires this when
|
||||
// the operator clicks "remove" on a stale row).
|
||||
func TestRevokeActorRole_NoOpts_NoMatch_IsNoOp(t *testing.T) {
|
||||
if testing.Short() {
|
||||
t.Skip("integration test in short mode")
|
||||
}
|
||||
db := getTestDB(t).freshSchema(t)
|
||||
ctx := context.Background()
|
||||
roleRepo := postgres.NewRoleRepository(db)
|
||||
permRepo := postgres.NewPermissionRepository(db)
|
||||
actorRepo := postgres.NewActorRoleRepository(db)
|
||||
|
||||
// Seed an unrelated role + grant so the table isn't completely
|
||||
// empty (more realistic baseline).
|
||||
otherRole := seedRoleWithPerm(t, ctx, roleRepo, permRepo, "rev-noop-other", "cert.read", authdomain.ScopeTypeGlobal, nil)
|
||||
grantActorRoleAtScope(t, ctx, actorRepo, "bob", otherRole, authdomain.ScopeTypeGlobal, nil)
|
||||
|
||||
if err := actorRepo.Revoke(ctx, "alice", authdomain.ActorTypeValue("APIKey"), "r-nonexistent", authdomain.DefaultTenantID, repository.ActorRoleRevokeOptions{}); err != nil {
|
||||
t.Errorf("no-match no-opts Revoke should be nil; got %v", err)
|
||||
}
|
||||
// Sanity: the unrelated grant is untouched.
|
||||
got := listActorRoleScopes(t, ctx, actorRepo, "bob", otherRole)
|
||||
if len(got) != 1 || got[0] != "global|" {
|
||||
t.Errorf("unrelated grant mutated: %v", got)
|
||||
}
|
||||
}
|
||||
|
||||
// TestRevokeActorRole_IssuerScope_RemovesOnlyMatching — pin the
|
||||
// issuer-scope variant (the other half of the {profile, issuer}
|
||||
// scope-type pair). Actor holds the same role across profile + issuer
|
||||
// scopes; revoke `issuer=iss-x` drops only the issuer row.
|
||||
func TestRevokeActorRole_IssuerScope_RemovesOnlyMatching(t *testing.T) {
|
||||
if testing.Short() {
|
||||
t.Skip("integration test in short mode")
|
||||
}
|
||||
db := getTestDB(t).freshSchema(t)
|
||||
ctx := context.Background()
|
||||
roleRepo := postgres.NewRoleRepository(db)
|
||||
permRepo := postgres.NewPermissionRepository(db)
|
||||
actorRepo := postgres.NewActorRoleRepository(db)
|
||||
|
||||
roleID := seedRoleWithPerm(t, ctx, roleRepo, permRepo, "rev-issuer", "cert.read", authdomain.ScopeTypeGlobal, nil)
|
||||
grantActorRoleAtScope(t, ctx, actorRepo, "alice", roleID, authdomain.ScopeTypeProfile, ptrStr("p-acme"))
|
||||
grantActorRoleAtScope(t, ctx, actorRepo, "alice", roleID, authdomain.ScopeTypeIssuer, ptrStr("iss-x"))
|
||||
|
||||
err := actorRepo.Revoke(ctx, "alice", authdomain.ActorTypeValue("APIKey"), roleID, authdomain.DefaultTenantID, repository.ActorRoleRevokeOptions{
|
||||
ScopeType: authdomain.ScopeTypeIssuer,
|
||||
ScopeID: ptrStr("iss-x"),
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("issuer-scope Revoke: %v", err)
|
||||
}
|
||||
got := listActorRoleScopes(t, ctx, actorRepo, "alice", roleID)
|
||||
if len(got) != 1 || got[0] != "profile|p-acme" {
|
||||
t.Errorf("post-revoke variants = %v; want [profile|p-acme]", got)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user