certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:11:29 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
shankar0123	def4be9b38	fix(migrations): two cold-DB regressions surfaced by Phase-9 docker compose smoke The v2.1.0 release-gate Phase-9 docker compose smoke run against a fresh Postgres surfaced two real defects in the migration files that testcontainers schema-per-test never exercised. Both reproduce by running 'docker compose down -v && docker compose up --build' against the current master tree. Bug A — migration 000045_users_deactivated_at.up.sql is malformed. The 000029 schema defines: permissions (id TEXT PRIMARY KEY, name TEXT NOT NULL UNIQUE, namespace TEXT NOT NULL) role_permissions (..., permission_id TEXT NOT NULL REFERENCES ..., ...) But 000045 was written as: INSERT INTO permissions (name) VALUES ... -- missing id + namespace INSERT INTO role_permissions (role_id, permission, ...) VALUES ... ^^ wrong column name On a cold-DB run this fails immediately with: pq: null value in column "id" of relation "permissions" violates not-null constraint Fix: provide id + namespace columns, use permission_id (the actual column name), ON CONFLICT (id) DO NOTHING. The new permission ids follow the existing 'p-auth-' prefix convention (p-auth-user-read + p-auth-user-deactivate) used by 000029. Bug B — migration 000029_rbac.up.sql is not idempotent post-000043. 000029 originally created actor_roles with: UNIQUE (actor_id, actor_type, role_id, tenant_id) Audit 2026-05-10 HIGH-10 closure / migration 000043 drops that constraint and re-creates it WITH scope columns: UNIQUE (actor_id, actor_type, role_id, scope_type, scope_id, tenant_id) The migration runner (internal/repository/postgres/db.go::RunMigrations) is naive — no tracker table — and re-runs every .up.sql file on every server boot. On the second-and-later boots, 000029's seed INSERT for actor-demo-anon-admin still references the pre-000043 constraint name in its ON CONFLICT clause: ON CONFLICT (actor_id, actor_type, role_id, tenant_id) DO NOTHING Postgres errors out with: pq: there is no unique or exclusion constraint matching the ON CONFLICT specification Fix: pin the conflict target to the row's primary key 'id' column (always present, never altered). The seed row's deterministic id 'ar-demo-anon-admin' makes ON CONFLICT (id) work under both pre- and post-000043 schemas. Why testcontainers schema-per-test missed these: Each test in internal/repository/postgres/*_test.go spins up a fresh schema and applies every .up.sql in order ONCE. The full '000029 -> 000043 -> retry 000029' cascade never happens because migrations don't re-run within a test. Phase-9 docker compose smoke is the only test path that exercises the server-restart- on-error retry, which is exactly the missing coverage. Verify (sandbox): go test ./internal/repository/postgres/ PASS. Workstation re-runs 'docker compose down -v && docker compose up' to confirm both bugs are closed.	2026-05-11 16:06:20 +00:00
shankar0123	45122d7edb	auth-bundle-1 fix: migration 000029 role_permissions NULL scope_id Real bug an external tester (operator) hit on first docker compose up: failed to execute migration 000029_rbac.up.sql: pq: null value in column "scope_id" of relation "role_permissions" violates not-null constraint # Root cause The role_permissions table declared scope_id TEXT (nullable) but also declared PRIMARY KEY (role_id, permission_id, scope_type, scope_id) In Postgres, PRIMARY KEY columns are implicitly NOT NULL — the PK constraint silently overrode the column-level nullability. So every global-scope INSERT (which legitimately has scope_id=NULL per the CHECK constraint that requires it) tripped the NOT NULL. The schema was never reachable in the unit-test suite because the in-memory fakes don't enforce Postgres semantics, and the postgres integration tests skip on -short. First contact with a real postgres:16-alpine boot caught it. # Fix Switch to a synthetic BIGSERIAL primary key + a UNIQUE NULLS NOT DISTINCT constraint on the natural key (role_id, permission_id, scope_type, scope_id): - BIGSERIAL primary key satisfies Postgres's PK-implies-NOT-NULL. - UNIQUE NULLS NOT DISTINCT (Postgres 15+; the project targets postgres:16-alpine) treats two NULL scope_ids as colliding, which is what the seed's ON CONFLICT (...) DO NOTHING relies on to make re-running the migration idempotent. - The CHECK (scope_type='global' AND scope_id IS NULL OR scope_type IN ('profile','issuer') AND scope_id IS NOT NULL) still enforces the per-row invariant. The ON CONFLICT (col1, col2, ...) clauses in the seed and in RoleRepository.AddPermission infer the unique index from the column list and still resolve correctly against the renamed constraint — no other changes needed. # Verification After this commit, docker compose up -d --build should boot clean: postgres becomes healthy, certctl-tls-init exits 0, certctl-server applies all 33 migrations including 000029, backfills the 7 default roles + 33-permission catalogue + the synthetic actor-demo-anon admin grant, and starts serving on :8443. docker compose -f deploy/docker-compose.yml \ -f deploy/docker-compose.demo.yml down -v docker compose -f deploy/docker-compose.yml \ -f deploy/docker-compose.demo.yml up -d --build sleep 15 curl -sk https://localhost:8443/api/v1/auth/me \| jq # Expect: actor_id=actor-demo-anon, admin=true, roles=[r-admin]	2026-05-10 00:25:28 +00:00
shankar0123	19497eef87	auth-bundle-1 Phase 1: RBAC schema + domain types + repository layer Bundle 1 / Phase 1: ships the RBAC primitive as schema + domain types + repo layer. Service-layer wiring lands in Phase 2; middleware integration in Phase 3. Schema (migrations/000029_rbac.up.sql, 272 lines, idempotent, transaction-wrapped): tenants, roles, permissions, role_permissions, actor_roles. TEXT primary keys with prefixes (t-, r-, p-, ar-) per CLAUDE.md Architecture Decisions. TIMESTAMPTZ time columns. FK cascade explicit (tenant CASCADE, role RESTRICT, actor CASCADE). Three-value scope_type CHECK ('global', 'profile', 'issuer') matched 1:1 with internal/domain/auth.ScopeType. UNIQUE(tenant_id, name) on roles, UNIQUE(name) on permissions, UNIQUE(actor_id, actor_type, role_id, tenant_id) on actor_roles. Seeds: t-default tenant, 7 default roles (admin, operator, viewer, agent, mcp, cli, auditor), 33-permission canonical catalogue (cert.* / profile.* / issuer.* / target.* / agent.* / audit.* / auth.role.* / auth.key.* / auth.bootstrap.use), full role->permission grant matrix at global scope. Demo-mode preservation: actor-demo-anon seeded with admin role unconditionally; Phase 3 wires the auth middleware to inject this actor into the context when CERTCTL_AUTH_TYPE=none. Reserved system actor; Phase 4 API rejects mutations / deletions targeting it with 409 Conflict. Domain types (internal/domain/auth/{types,validate,validate_test}.go): Tenant, Role, Permission, RolePermission, ActorRole structs with JSON tags. ScopeType enum (global/profile/issuer). ActorTypeValue mirrors internal/domain.ActorType to avoid an import cycle. CanonicalPermissions slice + DefaultRoles map are the single source of truth referenced by the migration; validate_test.go pins (a) no duplicate permissions, (b) every default-role permission is canonical, (c) admin holds the full catalogue, (d) seeded IDs carry the prefix convention, (e) ScopeType enum has exactly 3 values matching the CHECK constraint. Extended internal/domain/audit.go: added ActorTypeAPIKey + ActorTypeAnonymous to the existing User/System/Agent enum so the audit trail can distinguish API-key requests from federated humans (Bundle 2 OIDC) and demo-mode (CERTCTL_AUTH_TYPE=none). Existing code that records actor_type=User keeps working; new APIKey value used by Bundle 1 Phase 3 middleware. Repository layer (internal/repository/auth.go + internal/repository/postgres/auth.go): TenantRepository (Get, List, EnsureDefault). RoleRepository (Get, GetByName, List, Create, Update, Delete with ErrAuthRoleInUse on FK RESTRICT, ListPermissions, AddPermission idempotent, RemovePermission). PermissionRepository (List, GetByName, IsCanonical for fail-fast catalog check). ActorRoleRepository (ListByActor, ListByRole, Grant idempotent, Revoke, EffectivePermissions which is the JOIN that auth.RequirePermission will use in Phase 3 — returns deduplicated (permission, scope) triples honouring the not-yet-expired predicate so future time-bound grants work without code change). Sentinel errors ErrAuthNotFound, ErrAuthDuplicateName, ErrAuthRoleInUse, ErrAuthReservedActor, ErrAuthUnknownPermission for handler-layer 404/409/400 mapping. Verification: gofmt clean, go vet ./... clean, go test -short ./internal/domain/auth ./internal/repository/postgres pass. Integration tests against a live Postgres are gated by testing.Short() per repo convention; Phase 12 wires the testcontainers harness for full e2e coverage. Branch: dev/auth-bundle-1. Phase 0 was `99a012e` (extract internal/auth/). Phase 2 (service layer) is the next bundle.	2026-05-09 16:00:08 +00:00

shankar0123

def4be9b38

fix(migrations): two cold-DB regressions surfaced by Phase-9 docker compose smoke

The v2.1.0 release-gate Phase-9 docker compose smoke run against a
fresh Postgres surfaced two real defects in the migration files that
testcontainers schema-per-test never exercised. Both reproduce by
running 'docker compose down -v && docker compose up --build'
against the current master tree.

Bug A — migration 000045_users_deactivated_at.up.sql is malformed.

  The 000029 schema defines:
    permissions      (id TEXT PRIMARY KEY, name TEXT NOT NULL UNIQUE,
                      namespace TEXT NOT NULL)
    role_permissions (..., permission_id TEXT NOT NULL REFERENCES ..., ...)

  But 000045 was written as:
    INSERT INTO permissions (name) VALUES ...        -- missing id + namespace
    INSERT INTO role_permissions (role_id, permission, ...) VALUES ...
                                                       ^^ wrong column name

  On a cold-DB run this fails immediately with:
    pq: null value in column "id" of relation "permissions"
        violates not-null constraint

  Fix: provide id + namespace columns, use permission_id (the actual
  column name), ON CONFLICT (id) DO NOTHING. The new permission ids
  follow the existing 'p-auth-*' prefix convention (p-auth-user-read +
  p-auth-user-deactivate) used by 000029.

Bug B — migration 000029_rbac.up.sql is not idempotent post-000043.

  000029 originally created actor_roles with:
    UNIQUE (actor_id, actor_type, role_id, tenant_id)

  Audit 2026-05-10 HIGH-10 closure / migration 000043 drops that
  constraint and re-creates it WITH scope columns:
    UNIQUE (actor_id, actor_type, role_id, scope_type, scope_id, tenant_id)

  The migration runner (internal/repository/postgres/db.go::RunMigrations)
  is naive — no tracker table — and re-runs every *.up.sql file on
  every server boot. On the second-and-later boots, 000029's seed
  INSERT for actor-demo-anon-admin still references the
  pre-000043 constraint name in its ON CONFLICT clause:
    ON CONFLICT (actor_id, actor_type, role_id, tenant_id) DO NOTHING

  Postgres errors out with:
    pq: there is no unique or exclusion constraint matching the
        ON CONFLICT specification

  Fix: pin the conflict target to the row's primary key 'id' column
  (always present, never altered). The seed row's deterministic id
  'ar-demo-anon-admin' makes ON CONFLICT (id) work under both pre-
  and post-000043 schemas.

Why testcontainers schema-per-test missed these:

  Each test in internal/repository/postgres/*_test.go spins up a
  fresh schema and applies every .up.sql in order ONCE. The full
  '000029 -> 000043 -> retry 000029' cascade never happens because
  migrations don't re-run within a test. Phase-9 docker compose
  smoke is the only test path that exercises the server-restart-
  on-error retry, which is exactly the missing coverage.

Verify (sandbox): go test ./internal/repository/postgres/ PASS.
Workstation re-runs 'docker compose down -v && docker compose up'
to confirm both bugs are closed.

2026-05-11 16:06:20 +00:00

shankar0123

45122d7edb

auth-bundle-1 fix: migration 000029 role_permissions NULL scope_id

Real bug an external tester (operator) hit on first docker compose up:

  failed to execute migration 000029_rbac.up.sql: pq: null value in
  column "scope_id" of relation "role_permissions" violates
  not-null constraint

# Root cause

The role_permissions table declared scope_id TEXT (nullable) but
also declared

  PRIMARY KEY (role_id, permission_id, scope_type, scope_id)

In Postgres, PRIMARY KEY columns are implicitly NOT NULL — the
PK constraint silently overrode the column-level nullability. So
every global-scope INSERT (which legitimately has scope_id=NULL
per the CHECK constraint that requires it) tripped the NOT NULL.

The schema was never reachable in the unit-test suite because
the in-memory fakes don't enforce Postgres semantics, and the
postgres integration tests skip on -short. First contact with a
real postgres:16-alpine boot caught it.

# Fix

Switch to a synthetic BIGSERIAL primary key + a UNIQUE NULLS NOT
DISTINCT constraint on the natural key
(role_id, permission_id, scope_type, scope_id):

  - BIGSERIAL primary key satisfies Postgres's PK-implies-NOT-NULL.
  - UNIQUE NULLS NOT DISTINCT (Postgres 15+; the project targets
    postgres:16-alpine) treats two NULL scope_ids as colliding,
    which is what the seed's ON CONFLICT (...) DO NOTHING relies
    on to make re-running the migration idempotent.
  - The CHECK (scope_type='global' AND scope_id IS NULL OR
    scope_type IN ('profile','issuer') AND scope_id IS NOT NULL)
    still enforces the per-row invariant.

The ON CONFLICT (col1, col2, ...) clauses in the seed and in
RoleRepository.AddPermission infer the unique index from the
column list and still resolve correctly against the renamed
constraint — no other changes needed.

# Verification

After this commit, docker compose up -d --build should boot
clean: postgres becomes healthy, certctl-tls-init exits 0,
certctl-server applies all 33 migrations including 000029,
backfills the 7 default roles + 33-permission catalogue + the
synthetic actor-demo-anon admin grant, and starts serving on
:8443.

  docker compose -f deploy/docker-compose.yml \
    -f deploy/docker-compose.demo.yml down -v
  docker compose -f deploy/docker-compose.yml \
    -f deploy/docker-compose.demo.yml up -d --build
  sleep 15
  curl -sk https://localhost:8443/api/v1/auth/me | jq
  # Expect: actor_id=actor-demo-anon, admin=true, roles=[r-admin]

2026-05-10 00:25:28 +00:00

shankar0123

19497eef87

auth-bundle-1 Phase 1: RBAC schema + domain types + repository layer

Bundle 1 / Phase 1: ships the RBAC primitive as schema + domain types + repo layer. Service-layer wiring lands in Phase 2; middleware integration in Phase 3.

Schema (migrations/000029_rbac.up.sql, 272 lines, idempotent, transaction-wrapped):

tenants, roles, permissions, role_permissions, actor_roles. TEXT primary keys with prefixes (t-, r-, p-, ar-) per CLAUDE.md Architecture Decisions. TIMESTAMPTZ time columns. FK cascade explicit (tenant CASCADE, role RESTRICT, actor CASCADE). Three-value scope_type CHECK ('global', 'profile', 'issuer') matched 1:1 with internal/domain/auth.ScopeType. UNIQUE(tenant_id, name) on roles, UNIQUE(name) on permissions, UNIQUE(actor_id, actor_type, role_id, tenant_id) on actor_roles.

Seeds: t-default tenant, 7 default roles (admin, operator, viewer, agent, mcp, cli, auditor), 33-permission canonical catalogue (cert.* / profile.* / issuer.* / target.* / agent.* / audit.* / auth.role.* / auth.key.* / auth.bootstrap.use), full role->permission grant matrix at global scope. Demo-mode preservation: actor-demo-anon seeded with admin role unconditionally; Phase 3 wires the auth middleware to inject this actor into the context when CERTCTL_AUTH_TYPE=none. Reserved system actor; Phase 4 API rejects mutations / deletions targeting it with 409 Conflict.

Domain types (internal/domain/auth/{types,validate,validate_test}.go):

Tenant, Role, Permission, RolePermission, ActorRole structs with JSON tags. ScopeType enum (global/profile/issuer). ActorTypeValue mirrors internal/domain.ActorType to avoid an import cycle. CanonicalPermissions slice + DefaultRoles map are the single source of truth referenced by the migration; validate_test.go pins (a) no duplicate permissions, (b) every default-role permission is canonical, (c) admin holds the full catalogue, (d) seeded IDs carry the prefix convention, (e) ScopeType enum has exactly 3 values matching the CHECK constraint.

Extended internal/domain/audit.go: added ActorTypeAPIKey + ActorTypeAnonymous to the existing User/System/Agent enum so the audit trail can distinguish API-key requests from federated humans (Bundle 2 OIDC) and demo-mode (CERTCTL_AUTH_TYPE=none). Existing code that records actor_type=User keeps working; new APIKey value used by Bundle 1 Phase 3 middleware.

Repository layer (internal/repository/auth.go + internal/repository/postgres/auth.go):

TenantRepository (Get, List, EnsureDefault). RoleRepository (Get, GetByName, List, Create, Update, Delete with ErrAuthRoleInUse on FK RESTRICT, ListPermissions, AddPermission idempotent, RemovePermission). PermissionRepository (List, GetByName, IsCanonical for fail-fast catalog check). ActorRoleRepository (ListByActor, ListByRole, Grant idempotent, Revoke, EffectivePermissions which is the JOIN that auth.RequirePermission will use in Phase 3 — returns deduplicated (permission, scope) triples honouring the not-yet-expired predicate so future time-bound grants work without code change). Sentinel errors ErrAuthNotFound, ErrAuthDuplicateName, ErrAuthRoleInUse, ErrAuthReservedActor, ErrAuthUnknownPermission for handler-layer 404/409/400 mapping.

Verification: gofmt clean, go vet ./... clean, go test -short ./internal/domain/auth ./internal/repository/postgres pass. Integration tests against a live Postgres are gated by testing.Short() per repo convention; Phase 12 wires the testcontainers harness for full e2e coverage.

Branch: dev/auth-bundle-1. Phase 0 was 99a012e (extract internal/auth/). Phase 2 (service layer) is the next bundle.

2026-05-09 16:00:08 +00:00

3 Commits