mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 18:51:32 +00:00
shankar0123
3ef45e2ad4
# Phase 6 — day-0 admin bootstrap * internal/auth/bootstrap/ (new package): Strategy interface + EnvTokenStrategy with constant-time compare, one-shot consumption via sync.Mutex, optional admin-existence probe. Bundle 2's OIDC- first-admin will plug in alongside as an alternate Strategy. * BootstrapService.ValidateAndMint: validates the operator's CERTCTL_BOOTSTRAP_TOKEN, mints a 32-byte (64-hex-char) random API key value, persists the SHA-256 hash to api_keys, grants r-admin via actor_roles, AddHashed's the runtime keystore so the just- minted key authenticates the next request without restart, and records bootstrap.consume to the audit trail with category=auth. * internal/auth/keystore.go (new): KeyStore interface + StaticKeyStore (immutable env-var-only path) + MutableKeyStore (env-var keys + DB-loaded api_keys + runtime AddHashed). The auth middleware now consumes a KeyStore so the bootstrap path can extend the lookup table at runtime. * migrations/000031_api_keys.up/down.sql: api_keys table with (id, name UNIQUE, key_hash UNIQUE, tenant_id, admin, created_by, created_at, expires_at, last_used_at). Idempotent. * /v1/auth/bootstrap GET (probe) + POST (mint) — auth-exempt. Both routes documented in api/openapi.yaml + AuthExemptRouterRoutes allowlist updated. The token never leaves internal/auth/bootstrap; the minted plaintext key flows only into the HTTP response body. * Startup warning emitted when CERTCTL_BOOTSTRAP_TOKEN is set AND admin actors already exist (config drift signal). * Tests: 4 strategy invariants (empty token born disabled, wrong token=ErrInvalidToken without consumption, one-shot consumption, admin-exists closes path), 5 service tests (happy path + actor- name validation + propagation of strategy errors + nil-deps guard + 32-byte entropy budget), 8 HTTP-handler tests (status 201/410/401/400 mapping + token-leak hygiene scan of slog + audit details + Location header). Token-leak test redirects slog.Default to a buffer for the test scope. # Phase 7 — API-key migration + scope-down CLI * GET /v1/auth/keys handler + service method ListKeys backed by ActorRoleRepository.ListDistinctActors. Returns one row per (actor_id, actor_type) pair with the slice of role IDs they hold. Permission: auth.role.list. * internal/cli/auth_scope_down.go: AuthListKeys, AuthScopeDown (interactive), AuthScopeDownNonInteractive (JSON config), AuthScopeDownSuggest (--suggest with optional --apply). The synthetic actor-demo-anon is filtered out of every interactive / bulk path; non-interactive flow logs and skips it explicitly. * SuggestRoleFromAuditEvents (pure function): walks 30 days of audit events per actor and returns the narrowest matching role (admin / mcp / viewer / agent / operator) plus a one-line reason. Classification: any admin-shaped action wins; otherwise all-MCP → mcp; all-read-only → viewer; all-agent-shaped → agent; otherwise operator. Test table pins all six classifications. * CLI subcommand tree extended: 'auth keys list' + 'auth keys scope-down [--non-interactive <cfg>] [--suggest [--apply]]'. * CHANGELOG.md leads v2.1.0 with the SECURITY: AUDIT YOUR API KEYS call-out + four flow examples. # Phase 8 — auditor role + event_category column * migrations/000032_audit_category.up/down.sql: ALTER TABLE audit_events ADD COLUMN event_category TEXT NOT NULL DEFAULT 'cert_lifecycle' + CHECK constraint (cert_lifecycle/auth/config) + (event_category) and (event_category, timestamp DESC) indexes for the auditor-filter query path. WORM trigger from migration 000018 continues to enforce append-only at the DB layer (DDL is not blocked). * domain.AuditEvent gains EventCategory string (omitempty); domain.EventCategoryCertLifecycle / Auth / Config constants. * AuditService.RecordEventWithCategory sibling of RecordEvent; legacy callers stay on RecordEvent (defaults to cert_lifecycle). Auth callers (RoleService, ActorRoleService, BootstrapService) switched to RecordEventWithCategory(..., 'auth', ...). * GET /v1/audit?category=<cat>: handler accepts the optional query param, validates against the enum (400 on invalid value), dispatches through ListAuditEventsByCategory. OpenAPI updated with the new query param + AuditEvent.event_category schema. * Postgres AuditRepository.Create now writes event_category; AuditRepository.List filters on it; AuditFilter.EventCategory gates the WHERE clause. * Tests: 5 audit-category-filter HTTP tests (dispatch routing, back-compat fallback, 400 for invalid values, all 3 enum values accepted, page+category combine, JSON output surfaces the field). 3 auditor-role invariants (auditor holds exactly audit.read+audit.export, no mutating perms, disjoint from viewer except audit.read). # Cross-phase wiring * HandlerRegistry.Bootstrap field added; cmd/server/main.go wires the bootstrap service ahead of RegisterHandlers (extracted assembleNamedAPIKeys helper into auth_backfill.go, moved the keystore + bootstrap construction up alongside the auth repos). * AuthCheckResolver / AuthActorRoleService extended with ListKeys to satisfy the Phase 7 surface; existing fakes updated. * fakeAudit + mockAuditService stubs in tests gain RecordEventWithCategory + ListAuditEventsByCategory; existing tests untouched. # Verifications * gofmt -l: clean across every modified file. * go vet ./...: clean. * staticcheck across internal/auth + handler + router + cli + service + repository + cmd + domain: clean. * go test -short -count=1: green across every Bundle-1-touched package — internal/auth (incl. bootstrap), internal/api/handler, internal/api/router, internal/cli, internal/service/auth, internal/service, internal/domain/auth, internal/repository/postgres, cmd/server, cmd/cli, plus internal/scheduler, internal/api/middleware, cmd/agent, internal/mcp.
158 lines
5.4 KiB
Go
158 lines
5.4 KiB
Go
package auth
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"sync"
|
|
)
|
|
|
|
// KeyStore is the lookup contract NewAuthWithKeyStore consults to
|
|
// resolve a Bearer token (already SHA-256 hashed by the middleware) to
|
|
// a NamedAPIKey identity. The interface exists so the same auth
|
|
// middleware can serve both the env-var-keys-only path (immutable
|
|
// in-memory hash table built at startup) and the bootstrap-extended
|
|
// path (env-var keys plus runtime-minted admin keys persisted in
|
|
// `api_keys`). Bundle 2 will plug in an OIDC-session lookup behind the
|
|
// same interface.
|
|
//
|
|
// LookupByHash MUST be safe for concurrent reads. Implementations that
|
|
// support runtime additions wrap their backing slice/map in a
|
|
// sync.RWMutex (see MutableKeyStore) so the request path remains lock-
|
|
// free in the steady state.
|
|
type KeyStore interface {
|
|
// LookupByHash returns the NamedAPIKey whose SHA-256 hash matches
|
|
// the supplied hex-encoded hash. The matched bool is false when no
|
|
// entry matches; callers MUST treat false as "wrong key" (HTTP
|
|
// 401) and never as "fall through to a default identity".
|
|
//
|
|
// The supplied hash is the output of HashAPIKey(token) — already a
|
|
// 64-char lowercase hex string. Implementations compare it against
|
|
// stored hashes via crypto/subtle.ConstantTimeCompare so a
|
|
// timing-attacking caller can't byte-by-byte recover a key.
|
|
LookupByHash(hash string) (NamedAPIKey, bool)
|
|
}
|
|
|
|
// StaticKeyStore is the immutable Bundle-0 behaviour: the entries are
|
|
// fixed at construction and the lookup is a constant-time scan. Used
|
|
// by deployments that haven't enabled the Bundle-1 bootstrap flow and
|
|
// by tests that don't need runtime additions.
|
|
type StaticKeyStore struct {
|
|
entries []entry
|
|
}
|
|
|
|
type entry struct {
|
|
hash string // SHA-256 hex
|
|
name string
|
|
admin bool
|
|
}
|
|
|
|
// NewStaticKeyStore builds an immutable KeyStore from a slice of
|
|
// NamedAPIKey values. Each key is hashed once at construction. The
|
|
// returned store is safe for concurrent reads with no locking; mutation
|
|
// is not supported.
|
|
func NewStaticKeyStore(keys []NamedAPIKey) *StaticKeyStore {
|
|
out := &StaticKeyStore{
|
|
entries: make([]entry, 0, len(keys)),
|
|
}
|
|
for _, nk := range keys {
|
|
out.entries = append(out.entries, entry{
|
|
hash: HashAPIKey(nk.Key),
|
|
name: nk.Name,
|
|
admin: nk.Admin,
|
|
})
|
|
}
|
|
return out
|
|
}
|
|
|
|
// LookupByHash implements KeyStore.
|
|
func (s *StaticKeyStore) LookupByHash(hash string) (NamedAPIKey, bool) {
|
|
for i := range s.entries {
|
|
if subtle.ConstantTimeCompare([]byte(hash), []byte(s.entries[i].hash)) == 1 {
|
|
e := s.entries[i]
|
|
return NamedAPIKey{Name: e.name, Admin: e.admin}, true
|
|
}
|
|
}
|
|
return NamedAPIKey{}, false
|
|
}
|
|
|
|
// Len reports how many entries the store holds. Test/debug helper; the
|
|
// request path uses LookupByHash which is the load-bearing contract.
|
|
func (s *StaticKeyStore) Len() int { return len(s.entries) }
|
|
|
|
// MutableKeyStore is the Bundle-1 Phase 6 KeyStore that supports
|
|
// runtime additions. The Bundle 1 bootstrap flow inserts a new row
|
|
// into `api_keys`, then calls Add(...) so the just-minted key
|
|
// authenticates the very next request without a server restart. The
|
|
// backing store loads the same `api_keys` rows on startup so DB-
|
|
// persisted keys survive process restart.
|
|
//
|
|
// Concurrency: a sync.RWMutex guards a slice of entries. Reads
|
|
// (LookupByHash) take the read lock; Add takes the write lock. The
|
|
// in-memory slice mirrors the env-var named-key entries plus every
|
|
// `api_keys` row loaded at boot plus every Add that fires after
|
|
// startup.
|
|
type MutableKeyStore struct {
|
|
mu sync.RWMutex
|
|
entries []entry
|
|
}
|
|
|
|
// NewMutableKeyStore seeds a MutableKeyStore with the provided keys.
|
|
// Pass the env-var named keys here at boot; Add additional keys
|
|
// (loaded from `api_keys` or minted by bootstrap) after construction.
|
|
func NewMutableKeyStore(seed []NamedAPIKey) *MutableKeyStore {
|
|
out := &MutableKeyStore{
|
|
entries: make([]entry, 0, len(seed)),
|
|
}
|
|
for _, nk := range seed {
|
|
out.entries = append(out.entries, entry{
|
|
hash: HashAPIKey(nk.Key),
|
|
name: nk.Name,
|
|
admin: nk.Admin,
|
|
})
|
|
}
|
|
return out
|
|
}
|
|
|
|
// LookupByHash implements KeyStore.
|
|
func (s *MutableKeyStore) LookupByHash(hash string) (NamedAPIKey, bool) {
|
|
s.mu.RLock()
|
|
defer s.mu.RUnlock()
|
|
for i := range s.entries {
|
|
if subtle.ConstantTimeCompare([]byte(hash), []byte(s.entries[i].hash)) == 1 {
|
|
e := s.entries[i]
|
|
return NamedAPIKey{Name: e.name, Admin: e.admin}, true
|
|
}
|
|
}
|
|
return NamedAPIKey{}, false
|
|
}
|
|
|
|
// Add registers a new key with the store. The plaintext key is hashed
|
|
// once and stored alongside the name + admin flag. Idempotent on
|
|
// duplicate hashes (an existing entry for the same hash is replaced
|
|
// in-place so re-running the bootstrap loader on startup is safe).
|
|
func (s *MutableKeyStore) Add(key NamedAPIKey) {
|
|
s.AddHashed(key.Name, HashAPIKey(key.Key), key.Admin)
|
|
}
|
|
|
|
// AddHashed registers a key whose SHA-256 hash is already computed.
|
|
// Used by the api_keys boot loader (the DB stores the hash, not the
|
|
// plaintext, so the loader has no plaintext to re-hash).
|
|
func (s *MutableKeyStore) AddHashed(name, hashHex string, admin bool) {
|
|
s.mu.Lock()
|
|
defer s.mu.Unlock()
|
|
for i := range s.entries {
|
|
if s.entries[i].hash == hashHex {
|
|
s.entries[i].name = name
|
|
s.entries[i].admin = admin
|
|
return
|
|
}
|
|
}
|
|
s.entries = append(s.entries, entry{hash: hashHex, name: name, admin: admin})
|
|
}
|
|
|
|
// Len reports the current entry count. Test helper.
|
|
func (s *MutableKeyStore) Len() int {
|
|
s.mu.RLock()
|
|
defer s.mu.RUnlock()
|
|
return len(s.entries)
|
|
}
|