mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:41:36 +00:00
shankar0123
f5ba17114d
Audit 2026-05-10 HIGH-6 partial closure (silence leg). The audit
identified two distinct gaps in the auth surface's audit-emit pattern:
(1) silence — `_ = audit.RecordEventWithCategory(...)` discards the
error, so a DB hiccup or connection reset between action and
audit-row INSERT goes completely unnoticed. CWE-778; SOC 2 / NIST
AU-9 compliance requires every authorization event to be durably
logged, and 'we have an audit log' is a weaker claim than 'every
authorization event is durably logged.'
(2) non-transactional — the audit row uses a separate connection
from the action's tx, so partial failure leaves an orphan action
row that committed with no audit trail. Decision 8 of the
auth-bundles-index requires action + audit row atomic.
This commit closes leg (1) fully across all six audit-emit call sites
in the auth surface:
- internal/service/auth/actor_role_service.go::recordAudit
- internal/service/auth/role_service.go::recordAudit
- internal/auth/bootstrap/service.go::ValidateAndMint
- internal/auth/breakglass/service.go::recordAudit
- internal/auth/session/service.go::recordAudit
- internal/api/handler/auth_session_oidc.go::recordAudit
- internal/service/profile.go::Update (Phase 9 approval-bypass)
Each `_ = ...` swallow is replaced with:
if err := audit.RecordEventWithCategory(...); err != nil {
slog.WarnContext(ctx, '<surface> audit write failed (action
committed; audit row may be missing)',
'action', action, 'actor_id', actor, 'resource_id', resource,
'err', err)
}
Operators monitoring audit-write failures now see structured WARN
logs with action + actor + resource attribution; missing audit rows
can be cross-referenced against monitoring without manual SELECT-from-
audit-table.
Infrastructure for leg (2) (transactional commit) is also landed in
this commit:
- service.AuditService.RecordEventWithCategoryWithTx (new method;
accepts repository.Querier from postgres.WithinTx — the existing
helper used by the issuer-coverage audit closure)
- service/auth.AuditService interface declares the new method
- test stub fakeAudit.RecordEventWithCategoryWithTx satisfies the
extended interface
The eight per-path WithinTx-refactors documented in
cowork/auth-bundles-fixes-2026-05-10/10-high-6-atomic-audit-commit.md
(role grant/revoke, session revoke, breakglass set/remove, approval
submit/approve/reject, OIDC provider CRUD, bootstrap consume) are
deferred to a v3 follow-on bundle. Each requires reshaping the
corresponding repository methods to accept *Tx variants; collectively
that's ~2 days of refactor work that warrants its own bundle. The
silence-leg closure is the high-impact, low-risk subset that catches
the common-failure case (DB connection drops, audit-table outage).
Refs: cowork/auth-bundles-audit-2026-05-10.md HIGH-6
Spec: cowork/auth-bundles-fixes-2026-05-10/10-high-6-atomic-audit-commit.md
128 lines
5.0 KiB
Go
128 lines
5.0 KiB
Go
// Package auth holds the RBAC service layer: PermissionService,
|
|
// RoleService, ActorRoleService, and the Authorizer primitive that
|
|
// Phase 3 middleware (auth.RequirePermission) calls on every gated
|
|
// request.
|
|
//
|
|
// All mutating operations record an audit event via the existing
|
|
// AuditService.RecordEvent path. Bundle 1 Phase 8 introduces an
|
|
// `event_category` parameter and back-fills the existing callers; until
|
|
// then auth-related events go in with the default category.
|
|
//
|
|
// Privilege-escalation guard: every mutation that affects role
|
|
// assignment requires the caller to hold `auth.role.assign` (or the
|
|
// equivalent role-level permission) on the target role. The system
|
|
// pathway (bootstrap, migrations, scheduler) bypasses this check via
|
|
// AsSystemCaller(), which records `actor=system, actorType=System` in
|
|
// the audit row so the bypass is observable.
|
|
package auth
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
authdomain "github.com/certctl-io/certctl/internal/domain/auth"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// Sentinel errors for the service layer. Handler / middleware code
|
|
// branches via errors.Is and maps to HTTP status codes.
|
|
var (
|
|
// ErrForbidden is returned when the caller lacks the required
|
|
// permission for the operation. Maps to HTTP 403.
|
|
ErrForbidden = errors.New("auth: caller lacks required permission")
|
|
|
|
// ErrUnauthenticated is returned when the request has no actor in
|
|
// context (no Bearer, no session). Phase 3 RequirePermission emits
|
|
// this; handler code typically returns 401.
|
|
ErrUnauthenticated = errors.New("auth: no actor in context")
|
|
|
|
// ErrInvalidPermission is returned when a Create / AddPermission
|
|
// references a permission name not in the canonical catalogue.
|
|
// Maps to HTTP 400.
|
|
ErrInvalidPermission = errors.New("auth: permission not in canonical catalogue")
|
|
|
|
// ErrSelfRoleAssignment guards privilege escalation: a caller
|
|
// without `auth.role.assign` on a role cannot grant that role
|
|
// (including to themselves). Maps to HTTP 403.
|
|
ErrSelfRoleAssignment = errors.New("auth: caller lacks auth.role.assign on target role")
|
|
)
|
|
|
|
// AuditService is the audit-recording dependency the service layer
|
|
// expects. Mirrors the existing service.AuditService interface so
|
|
// Bundle 1 doesn't introduce a parallel concept. Bundle 1 Phase 8
|
|
// adds RecordEventWithCategory; the auth service uses the
|
|
// categorized variant exclusively (event_category=auth) so the
|
|
// auditor role can filter to authentication / authorization events.
|
|
type AuditService interface {
|
|
RecordEvent(
|
|
ctx context.Context,
|
|
actor string,
|
|
actorType domain.ActorType,
|
|
action, resourceType, resourceID string,
|
|
details map[string]interface{},
|
|
) error
|
|
RecordEventWithCategory(
|
|
ctx context.Context,
|
|
actor string,
|
|
actorType domain.ActorType,
|
|
action, eventCategory, resourceType, resourceID string,
|
|
details map[string]interface{},
|
|
) error
|
|
// RecordEventWithCategoryWithTx records the audit row using the
|
|
// supplied repository.Querier so it commits atomically with the
|
|
// caller's transaction. Audit 2026-05-10 HIGH-6 closure — closes
|
|
// the gap where auth-mutation paths used a non-transactional audit
|
|
// emit, leaving orphan action rows on partial failure.
|
|
RecordEventWithCategoryWithTx(
|
|
ctx context.Context,
|
|
q repository.Querier,
|
|
actor string,
|
|
actorType domain.ActorType,
|
|
action, eventCategory, resourceType, resourceID string,
|
|
details map[string]interface{},
|
|
) error
|
|
}
|
|
|
|
// Caller describes the actor performing a service operation. Bundle 1
|
|
// Phase 3 populates this from the auth-middleware context (ActorIDKey,
|
|
// ActorTypeKey). Bootstrap, migrations, and scheduler-initiated work
|
|
// pass AsSystemCaller() to bypass the permission check while still
|
|
// recording an audit row.
|
|
type Caller struct {
|
|
ActorID string
|
|
ActorType domain.ActorType
|
|
TenantID string
|
|
|
|
// IsSystem skips the privilege-escalation guard. Reserved for
|
|
// bootstrap / migration / scheduler paths.
|
|
IsSystem bool
|
|
}
|
|
|
|
// AsSystemCaller returns a Caller that bypasses RBAC checks. Used by
|
|
// the migration backfill, bootstrap path, scheduler-initiated grants,
|
|
// and tests that need to seed state without simulating an admin.
|
|
func AsSystemCaller() *Caller {
|
|
return &Caller{
|
|
ActorID: "system",
|
|
ActorType: domain.ActorTypeSystem,
|
|
TenantID: authdomain.DefaultTenantID,
|
|
IsSystem: true,
|
|
}
|
|
}
|
|
|
|
// CallerFromContext is a helper that builds a Caller from auth context
|
|
// values. Phase 3 middleware populates the keys; tests can use the
|
|
// internal/auth.WithActor / WithAdmin helpers to build contexts.
|
|
//
|
|
// Returns nil + ErrUnauthenticated when no actor is present.
|
|
func CallerFromContext(ctx context.Context) (*Caller, error) {
|
|
// Avoid coupling internal/service/auth to internal/auth at the
|
|
// type level: read the keys via package-public helpers exposed by
|
|
// internal/auth (ActorID, ActorType, TenantID). Phase 3 wires
|
|
// these up. For Phase 2, rely on the explicit Caller arg passed
|
|
// by handler / test code instead — direct context-key reads can
|
|
// land in Phase 3 alongside the middleware.
|
|
return nil, ErrUnauthenticated
|
|
}
|