mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 15:41:41 +00:00
shankar0123
3ef45e2ad4
# Phase 6 — day-0 admin bootstrap * internal/auth/bootstrap/ (new package): Strategy interface + EnvTokenStrategy with constant-time compare, one-shot consumption via sync.Mutex, optional admin-existence probe. Bundle 2's OIDC- first-admin will plug in alongside as an alternate Strategy. * BootstrapService.ValidateAndMint: validates the operator's CERTCTL_BOOTSTRAP_TOKEN, mints a 32-byte (64-hex-char) random API key value, persists the SHA-256 hash to api_keys, grants r-admin via actor_roles, AddHashed's the runtime keystore so the just- minted key authenticates the next request without restart, and records bootstrap.consume to the audit trail with category=auth. * internal/auth/keystore.go (new): KeyStore interface + StaticKeyStore (immutable env-var-only path) + MutableKeyStore (env-var keys + DB-loaded api_keys + runtime AddHashed). The auth middleware now consumes a KeyStore so the bootstrap path can extend the lookup table at runtime. * migrations/000031_api_keys.up/down.sql: api_keys table with (id, name UNIQUE, key_hash UNIQUE, tenant_id, admin, created_by, created_at, expires_at, last_used_at). Idempotent. * /v1/auth/bootstrap GET (probe) + POST (mint) — auth-exempt. Both routes documented in api/openapi.yaml + AuthExemptRouterRoutes allowlist updated. The token never leaves internal/auth/bootstrap; the minted plaintext key flows only into the HTTP response body. * Startup warning emitted when CERTCTL_BOOTSTRAP_TOKEN is set AND admin actors already exist (config drift signal). * Tests: 4 strategy invariants (empty token born disabled, wrong token=ErrInvalidToken without consumption, one-shot consumption, admin-exists closes path), 5 service tests (happy path + actor- name validation + propagation of strategy errors + nil-deps guard + 32-byte entropy budget), 8 HTTP-handler tests (status 201/410/401/400 mapping + token-leak hygiene scan of slog + audit details + Location header). Token-leak test redirects slog.Default to a buffer for the test scope. # Phase 7 — API-key migration + scope-down CLI * GET /v1/auth/keys handler + service method ListKeys backed by ActorRoleRepository.ListDistinctActors. Returns one row per (actor_id, actor_type) pair with the slice of role IDs they hold. Permission: auth.role.list. * internal/cli/auth_scope_down.go: AuthListKeys, AuthScopeDown (interactive), AuthScopeDownNonInteractive (JSON config), AuthScopeDownSuggest (--suggest with optional --apply). The synthetic actor-demo-anon is filtered out of every interactive / bulk path; non-interactive flow logs and skips it explicitly. * SuggestRoleFromAuditEvents (pure function): walks 30 days of audit events per actor and returns the narrowest matching role (admin / mcp / viewer / agent / operator) plus a one-line reason. Classification: any admin-shaped action wins; otherwise all-MCP → mcp; all-read-only → viewer; all-agent-shaped → agent; otherwise operator. Test table pins all six classifications. * CLI subcommand tree extended: 'auth keys list' + 'auth keys scope-down [--non-interactive <cfg>] [--suggest [--apply]]'. * CHANGELOG.md leads v2.1.0 with the SECURITY: AUDIT YOUR API KEYS call-out + four flow examples. # Phase 8 — auditor role + event_category column * migrations/000032_audit_category.up/down.sql: ALTER TABLE audit_events ADD COLUMN event_category TEXT NOT NULL DEFAULT 'cert_lifecycle' + CHECK constraint (cert_lifecycle/auth/config) + (event_category) and (event_category, timestamp DESC) indexes for the auditor-filter query path. WORM trigger from migration 000018 continues to enforce append-only at the DB layer (DDL is not blocked). * domain.AuditEvent gains EventCategory string (omitempty); domain.EventCategoryCertLifecycle / Auth / Config constants. * AuditService.RecordEventWithCategory sibling of RecordEvent; legacy callers stay on RecordEvent (defaults to cert_lifecycle). Auth callers (RoleService, ActorRoleService, BootstrapService) switched to RecordEventWithCategory(..., 'auth', ...). * GET /v1/audit?category=<cat>: handler accepts the optional query param, validates against the enum (400 on invalid value), dispatches through ListAuditEventsByCategory. OpenAPI updated with the new query param + AuditEvent.event_category schema. * Postgres AuditRepository.Create now writes event_category; AuditRepository.List filters on it; AuditFilter.EventCategory gates the WHERE clause. * Tests: 5 audit-category-filter HTTP tests (dispatch routing, back-compat fallback, 400 for invalid values, all 3 enum values accepted, page+category combine, JSON output surfaces the field). 3 auditor-role invariants (auditor holds exactly audit.read+audit.export, no mutating perms, disjoint from viewer except audit.read). # Cross-phase wiring * HandlerRegistry.Bootstrap field added; cmd/server/main.go wires the bootstrap service ahead of RegisterHandlers (extracted assembleNamedAPIKeys helper into auth_backfill.go, moved the keystore + bootstrap construction up alongside the auth repos). * AuthCheckResolver / AuthActorRoleService extended with ListKeys to satisfy the Phase 7 surface; existing fakes updated. * fakeAudit + mockAuditService stubs in tests gain RecordEventWithCategory + ListAuditEventsByCategory; existing tests untouched. # Verifications * gofmt -l: clean across every modified file. * go vet ./...: clean. * staticcheck across internal/auth + handler + router + cli + service + repository + cmd + domain: clean. * go test -short -count=1: green across every Bundle-1-touched package — internal/auth (incl. bootstrap), internal/api/handler, internal/api/router, internal/cli, internal/service/auth, internal/service, internal/domain/auth, internal/repository/postgres, cmd/server, cmd/cli, plus internal/scheduler, internal/api/middleware, cmd/agent, internal/mcp.
171 lines
8.1 KiB
Go
171 lines
8.1 KiB
Go
package repository
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
authdomain "github.com/certctl-io/certctl/internal/domain/auth"
|
|
)
|
|
|
|
// Sentinel errors for the RBAC repositories. Postgres implementations
|
|
// translate SQLSTATE codes (23505 unique-violation, 23503 FK-violation,
|
|
// no-rows) into these so handler / service code branches via errors.Is.
|
|
var (
|
|
// ErrAuthNotFound is returned by Get / GetByName when no row matches.
|
|
// Maps to HTTP 404.
|
|
ErrAuthNotFound = errors.New("auth: row not found")
|
|
|
|
// ErrAuthDuplicateName is returned by Create when a UNIQUE constraint
|
|
// fires (e.g. roles.name within a tenant). Maps to HTTP 409.
|
|
ErrAuthDuplicateName = errors.New("auth: duplicate name")
|
|
|
|
// ErrAuthRoleInUse is returned by RoleRepository.Delete when active
|
|
// actor_roles still reference the role (FK ON DELETE RESTRICT).
|
|
// Maps to HTTP 409.
|
|
ErrAuthRoleInUse = errors.New("auth: role still has active actor assignments")
|
|
|
|
// ErrAuthReservedActor is returned when a mutation targets a system-
|
|
// reserved actor (currently `actor-demo-anon`). Maps to HTTP 409.
|
|
ErrAuthReservedActor = errors.New("auth: reserved system actor cannot be modified")
|
|
|
|
// ErrAuthUnknownPermission is returned when a RolePermission grant
|
|
// references a permission name not in the canonical catalog.
|
|
// Maps to HTTP 400.
|
|
ErrAuthUnknownPermission = errors.New("auth: permission not in canonical catalog")
|
|
)
|
|
|
|
// TenantRepository wraps the tenants table. Bundle 1 ships single-tenant
|
|
// (one seeded `t-default`); the future managed-service offering activates
|
|
// multi-tenant by inserting additional tenants.
|
|
type TenantRepository interface {
|
|
Get(ctx context.Context, id string) (*authdomain.Tenant, error)
|
|
List(ctx context.Context) ([]*authdomain.Tenant, error)
|
|
EnsureDefault(ctx context.Context) error
|
|
}
|
|
|
|
// RoleRepository wraps the roles + role_permissions tables.
|
|
type RoleRepository interface {
|
|
Get(ctx context.Context, id string) (*authdomain.Role, error)
|
|
GetByName(ctx context.Context, tenantID, name string) (*authdomain.Role, error)
|
|
List(ctx context.Context, tenantID string) ([]*authdomain.Role, error)
|
|
Create(ctx context.Context, role *authdomain.Role) error
|
|
Update(ctx context.Context, role *authdomain.Role) error
|
|
// Delete fails with ErrAuthRoleInUse when active actor_roles still
|
|
// reference the role (FK ON DELETE RESTRICT).
|
|
Delete(ctx context.Context, id string) error
|
|
|
|
// ListPermissions returns the (Permission, ScopeType, ScopeID)
|
|
// triples granted to the role.
|
|
ListPermissions(ctx context.Context, roleID string) ([]*authdomain.RolePermission, error)
|
|
// AddPermission creates a row in role_permissions. ON CONFLICT DO
|
|
// NOTHING preserves idempotency for re-applied seeds.
|
|
AddPermission(ctx context.Context, grant *authdomain.RolePermission) error
|
|
// RemovePermission deletes a specific (role, permission, scope) row.
|
|
RemovePermission(ctx context.Context, grant *authdomain.RolePermission) error
|
|
}
|
|
|
|
// PermissionRepository wraps the permissions table.
|
|
type PermissionRepository interface {
|
|
List(ctx context.Context) ([]*authdomain.Permission, error)
|
|
GetByName(ctx context.Context, name string) (*authdomain.Permission, error)
|
|
// IsCanonical returns true when name is in
|
|
// authdomain.CanonicalPermissions. The migration seeds the catalog;
|
|
// this is an in-memory check so callers (RoleService.AddPermission)
|
|
// can fail-fast without a DB roundtrip.
|
|
IsCanonical(name string) bool
|
|
}
|
|
|
|
// ActorRoleRepository wraps the actor_roles table.
|
|
type ActorRoleRepository interface {
|
|
// ListByActor returns all standing role grants for an actor.
|
|
ListByActor(ctx context.Context, actorID string, actorType authdomain.ActorTypeValue, tenantID string) ([]*authdomain.ActorRole, error)
|
|
// ListByRole returns all actors holding a given role. Used by
|
|
// RoleService.Delete to enforce the in-use guard.
|
|
ListByRole(ctx context.Context, roleID string) ([]*authdomain.ActorRole, error)
|
|
|
|
// Grant creates an actor_roles row. Idempotent via ON CONFLICT.
|
|
// The reserved actor `actor-demo-anon` admin grant is seeded by
|
|
// the migration; this method will create additional grants for it
|
|
// only if the operator explicitly wires that, which the API
|
|
// layer rejects.
|
|
Grant(ctx context.Context, ar *authdomain.ActorRole) error
|
|
// Revoke deletes an actor_roles row by (actor_id, actor_type,
|
|
// role_id, tenant_id). The API layer must reject revocations
|
|
// targeting `actor-demo-anon` to preserve the demo path.
|
|
Revoke(ctx context.Context, actorID string, actorType authdomain.ActorTypeValue, roleID, tenantID string) error
|
|
|
|
// EffectivePermissions returns the deduplicated set of
|
|
// (permission_name, scope_type, scope_id) triples granted to the
|
|
// actor across all roles they hold. The middleware-level
|
|
// auth.RequirePermission gate (Phase 3) calls this on every
|
|
// gated request; implementations should cache or use SQL JOINs
|
|
// for performance.
|
|
EffectivePermissions(ctx context.Context, actorID string, actorType authdomain.ActorTypeValue, tenantID string) ([]EffectivePermission, error)
|
|
|
|
// AdminExists reports whether ANY actor in the tenant currently
|
|
// holds the r-admin role. Bundle 1 Phase 6's bootstrap probe
|
|
// uses this to gate the day-0 endpoint: once the answer flips
|
|
// from false to true the bootstrap path stays closed forever
|
|
// (the seeded actor-demo-anon admin only exists in demo mode;
|
|
// in api-key mode the operator either uses bootstrap or
|
|
// CERTCTL_API_KEYS_NAMED to mint the first admin). The query
|
|
// excludes the synthetic actor-demo-anon so demo-mode deploys
|
|
// can still bootstrap a real admin if/when the operator
|
|
// switches to api-key mode without re-migrating.
|
|
AdminExists(ctx context.Context, tenantID string) (bool, error)
|
|
|
|
// ListDistinctActors returns one row per (actor_id, actor_type)
|
|
// pair with at least one actor_roles grant in the tenant.
|
|
// Bundle 1 Phase 7's `auth keys list` + scope-down helper use
|
|
// this to enumerate the actor population without joining
|
|
// against the env-var-loaded namedKeys (whose canonical record
|
|
// is the actor_roles backfill from Phase 1 / C2). The synthetic
|
|
// actor-demo-anon is included so the GUI can render it as
|
|
// "system-managed, scope-down hidden"; Phase 7's interactive
|
|
// flow filters it out of the prompt loop.
|
|
ListDistinctActors(ctx context.Context, tenantID string) ([]ActorWithRoles, error)
|
|
}
|
|
|
|
// ActorWithRoles is the (actor, roles) projection returned by
|
|
// ActorRoleRepository.ListDistinctActors. Roles is the slice of role
|
|
// IDs the actor holds; the caller can resolve role names via the
|
|
// RoleRepository or the CLI's already-cached role list.
|
|
type ActorWithRoles struct {
|
|
ActorID string
|
|
ActorType authdomain.ActorTypeValue
|
|
TenantID string
|
|
RoleIDs []string
|
|
}
|
|
|
|
// EffectivePermission is the (permission, scope) pair returned by
|
|
// ActorRoleRepository.EffectivePermissions. Multiple actor_roles rows
|
|
// may grant the same permission at different scopes; callers receive
|
|
// every grant and the matcher handles "global beats specific" semantics.
|
|
type EffectivePermission struct {
|
|
PermissionName string
|
|
ScopeType authdomain.ScopeType
|
|
ScopeID *string // NULL = global
|
|
}
|
|
|
|
// APIKeyRepository wraps the api_keys table. Bundle 1 Phase 6 ships
|
|
// this so the bootstrap endpoint (POST /v1/auth/bootstrap) can mint
|
|
// the first admin API key without needing the operator to roundtrip
|
|
// through CERTCTL_API_KEYS_NAMED. Operator-tier keys live here;
|
|
// agent-tier keys remain on the agents table (`api_key_hash` column).
|
|
type APIKeyRepository interface {
|
|
// Create stores a new key row. ID + CreatedAt default if zero.
|
|
// The plaintext key is NOT stored — callers pass only the
|
|
// SHA-256 hex hash. Returns ErrAuthDuplicateName when the
|
|
// (name) UNIQUE constraint fires.
|
|
Create(ctx context.Context, key *authdomain.APIKey) error
|
|
// GetByName returns a single row by operator-visible name.
|
|
// Returns ErrAuthNotFound when no row matches.
|
|
GetByName(ctx context.Context, name string) (*authdomain.APIKey, error)
|
|
// List returns every key row across the tenant. Bundle 1 ships
|
|
// single-tenant so tenantID is typically t-default.
|
|
List(ctx context.Context, tenantID string) ([]*authdomain.APIKey, error)
|
|
// Delete removes a key row by name. Used by the RBAC API's key
|
|
// rotation/revocation paths.
|
|
Delete(ctx context.Context, name string) error
|
|
}
|