mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 17:51:29 +00:00
shankar0123
21aeed4f4e
Phase 0 closure (Path B2, post-rewrite):
addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:
// Copyright 2026 certctl LLC. All rights reserved.
// SPDX-License-Identifier: BUSL-1.1
Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).
Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.
Generated via:
addlicense -c "certctl LLC" -y 2026 \
-f cowork/legal/copyright-header.tpl \
-ignore '**/testdata/**' -ignore '**/*_test.go' \
cmd/ internal/
Verification:
find cmd internal -name '*.go' -not -name '*_test.go' \
-not -path '*/testdata/*' \
-exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l
Returns: 0
gofmt clean. Header additions are comments only, no compile impact.
Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4
131 lines
5.1 KiB
Go
131 lines
5.1 KiB
Go
// Copyright 2026 certctl LLC. All rights reserved.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
// Package auth holds the RBAC service layer: PermissionService,
|
|
// RoleService, ActorRoleService, and the Authorizer primitive that
|
|
// Phase 3 middleware (auth.RequirePermission) calls on every gated
|
|
// request.
|
|
//
|
|
// All mutating operations record an audit event via the existing
|
|
// AuditService.RecordEvent path. Bundle 1 Phase 8 introduces an
|
|
// `event_category` parameter and back-fills the existing callers; until
|
|
// then auth-related events go in with the default category.
|
|
//
|
|
// Privilege-escalation guard: every mutation that affects role
|
|
// assignment requires the caller to hold `auth.role.assign` (or the
|
|
// equivalent role-level permission) on the target role. The system
|
|
// pathway (bootstrap, migrations, scheduler) bypasses this check via
|
|
// AsSystemCaller(), which records `actor=system, actorType=System` in
|
|
// the audit row so the bypass is observable.
|
|
package auth
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
authdomain "github.com/certctl-io/certctl/internal/domain/auth"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// Sentinel errors for the service layer. Handler / middleware code
|
|
// branches via errors.Is and maps to HTTP status codes.
|
|
var (
|
|
// ErrForbidden is returned when the caller lacks the required
|
|
// permission for the operation. Maps to HTTP 403.
|
|
ErrForbidden = errors.New("auth: caller lacks required permission")
|
|
|
|
// ErrUnauthenticated is returned when the request has no actor in
|
|
// context (no Bearer, no session). Phase 3 RequirePermission emits
|
|
// this; handler code typically returns 401.
|
|
ErrUnauthenticated = errors.New("auth: no actor in context")
|
|
|
|
// ErrInvalidPermission is returned when a Create / AddPermission
|
|
// references a permission name not in the canonical catalogue.
|
|
// Maps to HTTP 400.
|
|
ErrInvalidPermission = errors.New("auth: permission not in canonical catalogue")
|
|
|
|
// ErrSelfRoleAssignment guards privilege escalation: a caller
|
|
// without `auth.role.assign` on a role cannot grant that role
|
|
// (including to themselves). Maps to HTTP 403.
|
|
ErrSelfRoleAssignment = errors.New("auth: caller lacks auth.role.assign on target role")
|
|
)
|
|
|
|
// AuditService is the audit-recording dependency the service layer
|
|
// expects. Mirrors the existing service.AuditService interface so
|
|
// Bundle 1 doesn't introduce a parallel concept. Bundle 1 Phase 8
|
|
// adds RecordEventWithCategory; the auth service uses the
|
|
// categorized variant exclusively (event_category=auth) so the
|
|
// auditor role can filter to authentication / authorization events.
|
|
type AuditService interface {
|
|
RecordEvent(
|
|
ctx context.Context,
|
|
actor string,
|
|
actorType domain.ActorType,
|
|
action, resourceType, resourceID string,
|
|
details map[string]interface{},
|
|
) error
|
|
RecordEventWithCategory(
|
|
ctx context.Context,
|
|
actor string,
|
|
actorType domain.ActorType,
|
|
action, eventCategory, resourceType, resourceID string,
|
|
details map[string]interface{},
|
|
) error
|
|
// RecordEventWithCategoryWithTx records the audit row using the
|
|
// supplied repository.Querier so it commits atomically with the
|
|
// caller's transaction. Audit 2026-05-10 HIGH-6 closure — closes
|
|
// the gap where auth-mutation paths used a non-transactional audit
|
|
// emit, leaving orphan action rows on partial failure.
|
|
RecordEventWithCategoryWithTx(
|
|
ctx context.Context,
|
|
q repository.Querier,
|
|
actor string,
|
|
actorType domain.ActorType,
|
|
action, eventCategory, resourceType, resourceID string,
|
|
details map[string]interface{},
|
|
) error
|
|
}
|
|
|
|
// Caller describes the actor performing a service operation. Bundle 1
|
|
// Phase 3 populates this from the auth-middleware context (ActorIDKey,
|
|
// ActorTypeKey). Bootstrap, migrations, and scheduler-initiated work
|
|
// pass AsSystemCaller() to bypass the permission check while still
|
|
// recording an audit row.
|
|
type Caller struct {
|
|
ActorID string
|
|
ActorType domain.ActorType
|
|
TenantID string
|
|
|
|
// IsSystem skips the privilege-escalation guard. Reserved for
|
|
// bootstrap / migration / scheduler paths.
|
|
IsSystem bool
|
|
}
|
|
|
|
// AsSystemCaller returns a Caller that bypasses RBAC checks. Used by
|
|
// the migration backfill, bootstrap path, scheduler-initiated grants,
|
|
// and tests that need to seed state without simulating an admin.
|
|
func AsSystemCaller() *Caller {
|
|
return &Caller{
|
|
ActorID: "system",
|
|
ActorType: domain.ActorTypeSystem,
|
|
TenantID: authdomain.DefaultTenantID,
|
|
IsSystem: true,
|
|
}
|
|
}
|
|
|
|
// CallerFromContext is a helper that builds a Caller from auth context
|
|
// values. Phase 3 middleware populates the keys; tests can use the
|
|
// internal/auth.WithActor / WithAdmin helpers to build contexts.
|
|
//
|
|
// Returns nil + ErrUnauthenticated when no actor is present.
|
|
func CallerFromContext(ctx context.Context) (*Caller, error) {
|
|
// Avoid coupling internal/service/auth to internal/auth at the
|
|
// type level: read the keys via package-public helpers exposed by
|
|
// internal/auth (ActorID, ActorType, TenantID). Phase 3 wires
|
|
// these up. For Phase 2, rely on the explicit Caller arg passed
|
|
// by handler / test code instead — direct context-key reads can
|
|
// land in Phase 3 alongside the middleware.
|
|
return nil, ErrUnauthenticated
|
|
}
|