gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-09 17:18:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
17b400a684fb326c68311775c9430cc582eaeefb
certctl/internal/repository/breakglass.go
T
shankar0123 a89c69b751 feat(gui+auth): break-glass admin GUI surface (CRIT-4 closure) 
Closes CRIT-4 of the 2026-05-10 audit. Bundle 2 Phase 7.5 shipped the
break-glass backend (Argon2id + lockout + 4 endpoints) but no GUI
surface. Operators recovering during an SSO outage had to hand-craft
curl commands — operationally hostile and the opposite of what
docs/operator/security.md advertised. This commit closes the gap.

Three GUI surfaces:

1. LoginPage.tsx — inline "Use break-glass account (SSO outage
   recovery)" toggle below the API-key form. Clicking reveals an
   amber-bordered inline form (actor-id + password, autocomplete=off).
   Calls breakglassLogin(actor_id, password); on success navigates
   to "/" where AuthProvider re-validates via the session-cookie path.
   Intentionally low-visibility (text-amber-600 small text) — this is
   the deliberate-bypass path, not the everyday-login path.

2. web/src/pages/auth/BreakglassPage.tsx — admin page at /auth/breakglass
   (permission-gated by auth.breakglass.admin). Three sections:
     - Sticky security banner ("every action audited; use only during
       incidents").
     - Set/rotate-password form (≥12-char + confirm-match).
     - Credentialed-actor table with rotate / unlock (disabled when
       not locked) / remove per row. Remove requires type-the-actor-id
       confirmation.

3. Layout.tsx nav — "Break-glass" entry under the auth section. Visible
   to all callers; the page itself permission-gates (server-side 403 is
   the load-bearing defense). Cosmetic hide-when-no-perm is deferred
   to fix 14's LOW bundle.

Backend support (new endpoint required to enumerate credentialed actors):

- internal/repository/breakglass.go — BreakglassCredentialRepository
  gains List(ctx, tenantID) method.
- internal/repository/postgres/breakglass.go — postgres impl; reuses
  the existing breakglassColumns / scanBreakglass helpers.
- internal/auth/breakglass/service.go — Service.List(ctx) method;
  returns ErrDisabled when CERTCTL_BREAKGLASS_ENABLED=false (handler
  maps to 404 for surface invisibility).
- internal/api/handler/auth_breakglass.go — ListCredentials handler;
  password_hash field NEVER serialized to the wire (response shape
  is intentionally limited to actor_id + timestamps + failure_count +
  locked_until).
- internal/api/router/router.go — registers GET
  /api/v1/auth/breakglass/credentials gated by auth.breakglass.admin.
- internal/api/router/openapi_parity_test.go — SpecParityExceptions
  entry for the new endpoint (full OpenAPI row rides along with the
  next OpenAPI sweep).

GUI api/client.ts gains breakglassListCredentials() + the
BreakglassCredentialRow type matching the wire shape.

Six Vitest cases in BreakglassPage.test.tsx pin the contract:
permission gate (forbidden state when caller lacks the perm; admin
surface when they have it), set-password mismatch rejection, set-
password below-threshold-length rejection, unlock-disabled-when-not-
locked, remove-modal type-confirm.

Verification gate green:
- gofmt -l clean on all touched files
- go vet clean
- go test -short -count=1 on internal/api/router (TestRouter_OpenAPIParity
  + TestRouterRBACGateCoverage + TestRouter_AuthExemptAllowlist),
  internal/api/handler (all BCL tests + ListCredentials),
  internal/auth/breakglass (Service.List + stubRepo.List),
  internal/repository/postgres, internal/domain/auth (auditor pin)
  — all pass.

CRIT-1 + CRIT-2 + CRIT-3 from the same audit are already closed on
this branch (commits 457962f, c07825b, 192351e). CRIT-5 (AllowedEmail-
Domains lying field) remains the last Critical blocker for v2.1.0.
Spec: cowork/auth-bundles-fixes-2026-05-10/04-crit-4-breakglass-gui.md.

Refs: cowork/auth-bundles-audit-2026-05-10.md CRIT-4
2026-05-10 20:24:52 +00:00

69 lines
3.2 KiB
Go
Raw Blame History

package repository
import (
"context"
"errors"
bgdomain "github.com/certctl-io/certctl/internal/auth/breakglass/domain"
)
// Sentinel errors for the BreakglassCredentialRepository. Postgres
// implementation translates SQLSTATE codes into these so handler /
// service code can branch via errors.Is.
var (
// ErrBreakglassNotFound: GetByActor / Get found no row. The
// service-layer Authenticate path treats this as "wrong password"
// at the wire (uniform 401, identical timing) so the existence of
// a break-glass credential for a given actor cannot be probed.
ErrBreakglassNotFound = errors.New("breakglass: credential not found")
// ErrBreakglassDuplicate: Create tripped the (actor_id) UNIQUE
// constraint. SetPassword should use Upsert semantics; if a caller
// invokes Create on an actor that already has a row, this surfaces
// as a 409.
ErrBreakglassDuplicate = errors.New("breakglass: credential already exists for actor")
)
// BreakglassCredentialRepository wraps the breakglass_credentials
// table. Auth Bundle 2 Phase 7.5 — see internal/auth/breakglass/service.go
// for the consumer.
type BreakglassCredentialRepository interface {
// Create persists a new credential row. Caller MUST have called
// c.Validate() and computed the Argon2id PHC-format password hash.
// Returns ErrBreakglassDuplicate when (actor_id) UNIQUE fires.
Create(ctx context.Context, c *bgdomain.BreakglassCredential) error
// GetByActor returns the credential for the named actor. Returns
// ErrBreakglassNotFound on miss.
GetByActor(ctx context.Context, actorID, tenantID string) (*bgdomain.BreakglassCredential, error)
// UpdatePasswordHash rotates the password hash + bumps
// last_password_change_at. Resets failure_count + clears
// locked_until (a fresh password starts unlocked).
UpdatePasswordHash(ctx context.Context, actorID, tenantID, newHash string) error
// IncrementFailure increments failure_count + sets last_failure_at;
// when the new count crosses the threshold, sets locked_until.
// Returns the updated row so the service can see the post-update
// failure_count + locked_until without a re-read. Atomic single-
// statement UPDATE so concurrent failed attempts can't race past
// the threshold.
IncrementFailure(ctx context.Context, actorID, tenantID string, threshold int, lockoutDurationSec int) (*bgdomain.BreakglassCredential, error)
// ResetFailureCount clears failure_count + locked_until. Used on
// successful Authenticate AND on admin-initiated Unlock.
ResetFailureCount(ctx context.Context, actorID, tenantID string) error
// Delete removes a credential row. Returns ErrBreakglassNotFound
// on miss. Active sessions for the actor are NOT auto-revoked
// (separate concern; the operator can call SessionService.RevokeAll
// in lockstep).
Delete(ctx context.Context, actorID, tenantID string) error
// List returns the metadata for every break-glass credential in the
// tenant. The password hash is NOT included in the returned rows —
// the admin GUI uses this to render the credentialed-actor table
// (audit 2026-05-10 CRIT-4 closure). Order: created_at ASC.
List(ctx context.Context, tenantID string) ([]*bgdomain.BreakglassCredential, error)
}
Reference in New Issue View Git Blame Copy Permalink