mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 23:31:39 +00:00
shankar0123
3ef45e2ad4
# Phase 6 — day-0 admin bootstrap * internal/auth/bootstrap/ (new package): Strategy interface + EnvTokenStrategy with constant-time compare, one-shot consumption via sync.Mutex, optional admin-existence probe. Bundle 2's OIDC- first-admin will plug in alongside as an alternate Strategy. * BootstrapService.ValidateAndMint: validates the operator's CERTCTL_BOOTSTRAP_TOKEN, mints a 32-byte (64-hex-char) random API key value, persists the SHA-256 hash to api_keys, grants r-admin via actor_roles, AddHashed's the runtime keystore so the just- minted key authenticates the next request without restart, and records bootstrap.consume to the audit trail with category=auth. * internal/auth/keystore.go (new): KeyStore interface + StaticKeyStore (immutable env-var-only path) + MutableKeyStore (env-var keys + DB-loaded api_keys + runtime AddHashed). The auth middleware now consumes a KeyStore so the bootstrap path can extend the lookup table at runtime. * migrations/000031_api_keys.up/down.sql: api_keys table with (id, name UNIQUE, key_hash UNIQUE, tenant_id, admin, created_by, created_at, expires_at, last_used_at). Idempotent. * /v1/auth/bootstrap GET (probe) + POST (mint) — auth-exempt. Both routes documented in api/openapi.yaml + AuthExemptRouterRoutes allowlist updated. The token never leaves internal/auth/bootstrap; the minted plaintext key flows only into the HTTP response body. * Startup warning emitted when CERTCTL_BOOTSTRAP_TOKEN is set AND admin actors already exist (config drift signal). * Tests: 4 strategy invariants (empty token born disabled, wrong token=ErrInvalidToken without consumption, one-shot consumption, admin-exists closes path), 5 service tests (happy path + actor- name validation + propagation of strategy errors + nil-deps guard + 32-byte entropy budget), 8 HTTP-handler tests (status 201/410/401/400 mapping + token-leak hygiene scan of slog + audit details + Location header). Token-leak test redirects slog.Default to a buffer for the test scope. # Phase 7 — API-key migration + scope-down CLI * GET /v1/auth/keys handler + service method ListKeys backed by ActorRoleRepository.ListDistinctActors. Returns one row per (actor_id, actor_type) pair with the slice of role IDs they hold. Permission: auth.role.list. * internal/cli/auth_scope_down.go: AuthListKeys, AuthScopeDown (interactive), AuthScopeDownNonInteractive (JSON config), AuthScopeDownSuggest (--suggest with optional --apply). The synthetic actor-demo-anon is filtered out of every interactive / bulk path; non-interactive flow logs and skips it explicitly. * SuggestRoleFromAuditEvents (pure function): walks 30 days of audit events per actor and returns the narrowest matching role (admin / mcp / viewer / agent / operator) plus a one-line reason. Classification: any admin-shaped action wins; otherwise all-MCP → mcp; all-read-only → viewer; all-agent-shaped → agent; otherwise operator. Test table pins all six classifications. * CLI subcommand tree extended: 'auth keys list' + 'auth keys scope-down [--non-interactive <cfg>] [--suggest [--apply]]'. * CHANGELOG.md leads v2.1.0 with the SECURITY: AUDIT YOUR API KEYS call-out + four flow examples. # Phase 8 — auditor role + event_category column * migrations/000032_audit_category.up/down.sql: ALTER TABLE audit_events ADD COLUMN event_category TEXT NOT NULL DEFAULT 'cert_lifecycle' + CHECK constraint (cert_lifecycle/auth/config) + (event_category) and (event_category, timestamp DESC) indexes for the auditor-filter query path. WORM trigger from migration 000018 continues to enforce append-only at the DB layer (DDL is not blocked). * domain.AuditEvent gains EventCategory string (omitempty); domain.EventCategoryCertLifecycle / Auth / Config constants. * AuditService.RecordEventWithCategory sibling of RecordEvent; legacy callers stay on RecordEvent (defaults to cert_lifecycle). Auth callers (RoleService, ActorRoleService, BootstrapService) switched to RecordEventWithCategory(..., 'auth', ...). * GET /v1/audit?category=<cat>: handler accepts the optional query param, validates against the enum (400 on invalid value), dispatches through ListAuditEventsByCategory. OpenAPI updated with the new query param + AuditEvent.event_category schema. * Postgres AuditRepository.Create now writes event_category; AuditRepository.List filters on it; AuditFilter.EventCategory gates the WHERE clause. * Tests: 5 audit-category-filter HTTP tests (dispatch routing, back-compat fallback, 400 for invalid values, all 3 enum values accepted, page+category combine, JSON output surfaces the field). 3 auditor-role invariants (auditor holds exactly audit.read+audit.export, no mutating perms, disjoint from viewer except audit.read). # Cross-phase wiring * HandlerRegistry.Bootstrap field added; cmd/server/main.go wires the bootstrap service ahead of RegisterHandlers (extracted assembleNamedAPIKeys helper into auth_backfill.go, moved the keystore + bootstrap construction up alongside the auth repos). * AuthCheckResolver / AuthActorRoleService extended with ListKeys to satisfy the Phase 7 surface; existing fakes updated. * fakeAudit + mockAuditService stubs in tests gain RecordEventWithCategory + ListAuditEventsByCategory; existing tests untouched. # Verifications * gofmt -l: clean across every modified file. * go vet ./...: clean. * staticcheck across internal/auth + handler + router + cli + service + repository + cmd + domain: clean. * go test -short -count=1: green across every Bundle-1-touched package — internal/auth (incl. bootstrap), internal/api/handler, internal/api/router, internal/cli, internal/service/auth, internal/service, internal/domain/auth, internal/repository/postgres, cmd/server, cmd/cli, plus internal/scheduler, internal/api/middleware, cmd/agent, internal/mcp.
402 lines
13 KiB
Go
402 lines
13 KiB
Go
package cli
|
|
|
|
import (
|
|
"bufio"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"strings"
|
|
)
|
|
|
|
// =============================================================================
|
|
// Bundle 1 Phase 7 — `certctl-cli auth keys list` + scope-down helper.
|
|
//
|
|
// The Phase 1 migration backfills every CERTCTL_API_KEYS_NAMED entry to
|
|
// the admin role on first boot (Decision 7's safe-for-back-compat
|
|
// default). Scope-down is the operator-driven downgrade of any keys that
|
|
// don't actually need admin power. This file ships:
|
|
//
|
|
// - AuthListKeys: GET /api/v1/auth/keys — render every actor + roles
|
|
// in tabular / json form.
|
|
// - AuthScopeDown: interactive flow that walks every key (skipping
|
|
// the synthetic actor-demo-anon) and prompts for a target role.
|
|
// - AuthScopeDownNonInteractive: take a JSON config {actor_id: role_id}
|
|
// and apply role changes without prompts; for automation.
|
|
// - AuthScopeDownSuggest: read 30 days of audit events per key and
|
|
// suggest a narrower role based on actual call patterns. The suggest
|
|
// mode still requires confirmation (or --apply for non-interactive).
|
|
//
|
|
// The scope-down flow uses revoke + grant as separate API calls
|
|
// (no batch endpoint yet — by design; auditing each role mutation
|
|
// individually is a Bundle 1 invariant).
|
|
// =============================================================================
|
|
|
|
// AuthKeyEntry mirrors handler.ListKeys's response shape without
|
|
// importing the handler package.
|
|
type AuthKeyEntry struct {
|
|
ActorID string `json:"actor_id"`
|
|
ActorType string `json:"actor_type"`
|
|
TenantID string `json:"tenant_id"`
|
|
RoleIDs []string `json:"role_ids"`
|
|
}
|
|
|
|
type authKeysListResponse struct {
|
|
Keys []AuthKeyEntry `json:"keys"`
|
|
}
|
|
|
|
// AuthListKeys prints every actor in the tenant with their current role
|
|
// assignments. The synthetic actor-demo-anon is shown but flagged as
|
|
// "system-managed" so operators don't accidentally try to mutate it.
|
|
func (c *Client) AuthListKeys() error {
|
|
keys, err := c.fetchAuthKeys()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if c.format == "json" {
|
|
blob, _ := json.MarshalIndent(authKeysListResponse{Keys: keys}, "", " ")
|
|
fmt.Println(string(blob))
|
|
return nil
|
|
}
|
|
fmt.Printf("%-28s %-12s %s\n", "ACTOR", "TYPE", "ROLES")
|
|
for _, k := range keys {
|
|
notes := ""
|
|
if k.ActorID == DemoAnonActorID {
|
|
notes = " (system-managed; scope-down skips this)"
|
|
}
|
|
fmt.Printf("%-28s %-12s %s%s\n", k.ActorID, k.ActorType, strings.Join(k.RoleIDs, ","), notes)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// DemoAnonActorID is replicated from internal/auth/context.go so the
|
|
// CLI doesn't import internal/auth (the CLI binary stays small).
|
|
const DemoAnonActorID = "actor-demo-anon"
|
|
|
|
// AuthScopeDown runs the interactive scope-down flow against stdin /
|
|
// stdout. Each non-system actor is shown with its current roles and
|
|
// the operator picks one of: keep, admin, operator, viewer, agent,
|
|
// mcp, cli, auditor. Empty input keeps the current assignment.
|
|
func (c *Client) AuthScopeDown() error {
|
|
keys, err := c.fetchAuthKeys()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
keys = filterScopeDownCandidates(keys)
|
|
if len(keys) == 0 {
|
|
fmt.Println("no actors eligible for scope-down (only the system-managed actor-demo-anon exists, or no actors hold roles).")
|
|
return nil
|
|
}
|
|
fmt.Println("certctl-cli auth keys scope-down")
|
|
fmt.Println("================================")
|
|
fmt.Printf("Bundle 1 ships role-based authorization. Existing API keys backfill to r-admin (full power).\n")
|
|
fmt.Printf("Walk each key below and select a role that matches its actual usage. Empty input keeps the\n")
|
|
fmt.Printf("current assignment; type a single role name to replace it.\n\n")
|
|
reader := bufio.NewReader(os.Stdin)
|
|
plan, err := buildScopeDownPlan(keys, reader, os.Stdout)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return c.applyScopeDownPlan(plan)
|
|
}
|
|
|
|
// AuthScopeDownNonInteractive applies a {actor_id: role_id} JSON
|
|
// config without prompts. Useful for automation / Helm post-upgrade
|
|
// hooks. Empty role_id revokes all current roles WITHOUT granting a
|
|
// replacement; the operator can then assign roles selectively via
|
|
// `certctl-cli auth keys assign`.
|
|
func (c *Client) AuthScopeDownNonInteractive(configPath string) error {
|
|
blob, err := os.ReadFile(configPath)
|
|
if err != nil {
|
|
return fmt.Errorf("read config %s: %w", configPath, err)
|
|
}
|
|
var cfg map[string]string
|
|
if err := json.Unmarshal(blob, &cfg); err != nil {
|
|
return fmt.Errorf("decode config %s: %w", configPath, err)
|
|
}
|
|
keys, err := c.fetchAuthKeys()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
currentRoles := map[string][]string{}
|
|
for _, k := range keys {
|
|
currentRoles[k.ActorID] = k.RoleIDs
|
|
}
|
|
plan := []scopeDownAction{}
|
|
for actor, target := range cfg {
|
|
if actor == DemoAnonActorID {
|
|
fmt.Fprintf(os.Stderr, "skipping %s: reserved system actor\n", actor)
|
|
continue
|
|
}
|
|
current, ok := currentRoles[actor]
|
|
if !ok {
|
|
fmt.Fprintf(os.Stderr, "skipping %s: not in actor_roles (no grants to revoke)\n", actor)
|
|
continue
|
|
}
|
|
plan = append(plan, scopeDownAction{
|
|
ActorID: actor,
|
|
CurrentRoles: current,
|
|
TargetRole: target,
|
|
})
|
|
}
|
|
return c.applyScopeDownPlan(plan)
|
|
}
|
|
|
|
// AuthScopeDownSuggest analyses 30 days of audit events per key and
|
|
// prints suggested role assignments. With apply=false (default) the
|
|
// suggestions are advisory and the operator follows up with a manual
|
|
// scope-down or scope-down-non-interactive call. With apply=true the
|
|
// suggestions are applied directly.
|
|
func (c *Client) AuthScopeDownSuggest(apply bool) error {
|
|
keys, err := c.fetchAuthKeys()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
keys = filterScopeDownCandidates(keys)
|
|
plan := []scopeDownAction{}
|
|
fmt.Println("certctl-cli auth keys scope-down --suggest")
|
|
fmt.Println("==========================================")
|
|
fmt.Printf("%-28s %-15s %-15s %s\n", "ACTOR", "CURRENT ROLES", "SUGGESTED", "REASON")
|
|
for _, k := range keys {
|
|
events, fetchErr := c.fetchAuditEventsForActor(k.ActorID, 1000)
|
|
if fetchErr != nil {
|
|
fmt.Fprintf(os.Stderr, "fetch audit for %s: %v\n", k.ActorID, fetchErr)
|
|
continue
|
|
}
|
|
suggested, reason := SuggestRoleFromAuditEvents(events)
|
|
fmt.Printf("%-28s %-15s %-15s %s\n",
|
|
k.ActorID,
|
|
strings.Join(k.RoleIDs, ","),
|
|
suggested,
|
|
reason)
|
|
plan = append(plan, scopeDownAction{
|
|
ActorID: k.ActorID,
|
|
CurrentRoles: k.RoleIDs,
|
|
TargetRole: suggested,
|
|
})
|
|
}
|
|
if !apply {
|
|
fmt.Println("\n(dry run; pass --apply to execute the suggested role changes)")
|
|
return nil
|
|
}
|
|
return c.applyScopeDownPlan(plan)
|
|
}
|
|
|
|
// =============================================================================
|
|
// Internals
|
|
// =============================================================================
|
|
|
|
type scopeDownAction struct {
|
|
ActorID string
|
|
CurrentRoles []string
|
|
TargetRole string
|
|
}
|
|
|
|
func (c *Client) fetchAuthKeys() ([]AuthKeyEntry, error) {
|
|
body, err := c.doGET("/api/v1/auth/keys")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var resp authKeysListResponse
|
|
if err := json.Unmarshal(body, &resp); err != nil {
|
|
return nil, fmt.Errorf("decode /v1/auth/keys: %w", err)
|
|
}
|
|
return resp.Keys, nil
|
|
}
|
|
|
|
func filterScopeDownCandidates(keys []AuthKeyEntry) []AuthKeyEntry {
|
|
out := make([]AuthKeyEntry, 0, len(keys))
|
|
for _, k := range keys {
|
|
if k.ActorID == DemoAnonActorID {
|
|
continue
|
|
}
|
|
out = append(out, k)
|
|
}
|
|
return out
|
|
}
|
|
|
|
// validRoles is the canonical list scope-down accepts as targets.
|
|
// Mirrors the Phase 1 default-role seeds; new operator-defined roles
|
|
// can be assigned via `certctl auth keys assign --role <id>` directly.
|
|
var validRoles = []string{"admin", "operator", "viewer", "agent", "mcp", "cli", "auditor"}
|
|
|
|
func isValidRole(s string) bool {
|
|
for _, v := range validRoles {
|
|
if v == s {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func buildScopeDownPlan(keys []AuthKeyEntry, in *bufio.Reader, out io.Writer) ([]scopeDownAction, error) {
|
|
plan := []scopeDownAction{}
|
|
for _, k := range keys {
|
|
fmt.Fprintf(out, "\n%s (current: %s)\n", k.ActorID, strings.Join(k.RoleIDs, ","))
|
|
fmt.Fprintf(out, " enter target role [%s] or 'keep' (default): ",
|
|
strings.Join(validRoles, "|"))
|
|
line, err := in.ReadString('\n')
|
|
if err != nil && !errors.Is(err, io.EOF) {
|
|
return nil, err
|
|
}
|
|
choice := strings.TrimSpace(line)
|
|
if choice == "" || strings.EqualFold(choice, "keep") {
|
|
fmt.Fprintln(out, " → keeping existing roles")
|
|
continue
|
|
}
|
|
choice = strings.ToLower(choice)
|
|
if !isValidRole(choice) {
|
|
fmt.Fprintf(out, " → unknown role %q, keeping existing\n", choice)
|
|
continue
|
|
}
|
|
// Normalize target to r-<name> for the API.
|
|
plan = append(plan, scopeDownAction{
|
|
ActorID: k.ActorID,
|
|
CurrentRoles: k.RoleIDs,
|
|
TargetRole: "r-" + choice,
|
|
})
|
|
}
|
|
return plan, nil
|
|
}
|
|
|
|
// applyScopeDownPlan runs revoke+grant pairs for every action.
|
|
// Idempotent on the role layer (revoke a missing role yields 404; the
|
|
// CLI swallows that).
|
|
func (c *Client) applyScopeDownPlan(plan []scopeDownAction) error {
|
|
if len(plan) == 0 {
|
|
fmt.Println("\nno role changes to apply.")
|
|
return nil
|
|
}
|
|
fmt.Println("\nApplying role changes:")
|
|
var changed, kept int
|
|
for _, action := range plan {
|
|
// Skip actions whose target role is already exclusively
|
|
// held (no diff). This avoids spurious revoke+grant churn.
|
|
if len(action.CurrentRoles) == 1 && action.CurrentRoles[0] == action.TargetRole {
|
|
fmt.Printf(" %s: already at %s, skipping\n", action.ActorID, action.TargetRole)
|
|
kept++
|
|
continue
|
|
}
|
|
// Revoke every current role.
|
|
for _, current := range action.CurrentRoles {
|
|
if err := c.AuthRevokeRoleFromKey(action.ActorID, current); err != nil {
|
|
return fmt.Errorf("revoke %s/%s: %w", action.ActorID, current, err)
|
|
}
|
|
}
|
|
// Grant the target. Empty target = revoke-only (operator
|
|
// will assign roles selectively via `auth keys assign`).
|
|
if action.TargetRole != "" {
|
|
if err := c.AuthAssignRoleToKey(action.ActorID, action.TargetRole); err != nil {
|
|
return fmt.Errorf("grant %s/%s: %w", action.ActorID, action.TargetRole, err)
|
|
}
|
|
}
|
|
changed++
|
|
}
|
|
fmt.Printf("\nDone. %d actor(s) changed, %d kept.\n", changed, kept)
|
|
return nil
|
|
}
|
|
|
|
// =============================================================================
|
|
// --suggest mode: audit-event analyser. Pure function for ease of
|
|
// testing; no I/O.
|
|
// =============================================================================
|
|
|
|
// AuditEventLite is the subset of fields the suggest analyser
|
|
// consumes. The audit list endpoint returns full domain.AuditEvent
|
|
// rows; we only care about the action / resource_type / resource_id
|
|
// path classification.
|
|
type AuditEventLite struct {
|
|
Action string `json:"action"`
|
|
ResourceType string `json:"resource_type"`
|
|
}
|
|
|
|
// SuggestRoleFromAuditEvents inspects an actor's recent audit-event
|
|
// history and returns the narrowest role that covers the observed
|
|
// usage pattern, plus a one-line reason.
|
|
//
|
|
// Classification (priority order):
|
|
//
|
|
// 1. Any admin-shaped action (role/key/hierarchy/bulk_revoke/admin) → admin.
|
|
// 2. Every event is an MCP-shaped action (mcp.*) → mcp.
|
|
// 3. Every event is read-only (*.read / *.list) → viewer.
|
|
// 4. Every event is agent-shaped (agent.* OR cert.read OR cert.issue) → agent.
|
|
// 5. Otherwise → operator.
|
|
//
|
|
// Empty event list → "viewer" (the safest default).
|
|
func SuggestRoleFromAuditEvents(events []AuditEventLite) (role string, reason string) {
|
|
if len(events) == 0 {
|
|
return "viewer", "no audit history; defaulting to read-only"
|
|
}
|
|
var (
|
|
hasAdmin bool
|
|
allMCP = true
|
|
allReadOnly = true
|
|
allAgent = true
|
|
)
|
|
for _, e := range events {
|
|
action := strings.ToLower(e.Action)
|
|
// Admin-only signals — earliest exit.
|
|
if strings.HasPrefix(action, "auth.role.") ||
|
|
strings.HasPrefix(action, "auth.key.") ||
|
|
strings.HasPrefix(action, "ca.hierarchy.") ||
|
|
strings.Contains(action, "bulk_revoke") ||
|
|
strings.HasPrefix(action, "scep.admin") ||
|
|
strings.HasPrefix(action, "est.admin") ||
|
|
strings.HasPrefix(action, "crl.admin") {
|
|
hasAdmin = true
|
|
}
|
|
if !strings.HasPrefix(action, "mcp.") {
|
|
allMCP = false
|
|
}
|
|
if !strings.HasSuffix(action, ".read") && !strings.HasSuffix(action, ".list") {
|
|
allReadOnly = false
|
|
}
|
|
isAgentShape := strings.HasPrefix(action, "agent.") ||
|
|
action == "cert.issue" || action == "cert.read"
|
|
if !isAgentShape {
|
|
allAgent = false
|
|
}
|
|
}
|
|
switch {
|
|
case hasAdmin:
|
|
return "admin", "called admin-only action (role mgmt / bulk revoke / hierarchy)"
|
|
case allMCP:
|
|
return "mcp", "only MCP-shaped actions observed"
|
|
case allReadOnly:
|
|
return "viewer", "all observed actions are read-only"
|
|
case allAgent:
|
|
return "agent", "only agent + cert read/issue actions observed"
|
|
default:
|
|
return "operator", "cert / profile / target lifecycle mutations observed; no admin signals"
|
|
}
|
|
}
|
|
|
|
// fetchAuditEventsForActor pulls audit events filtered by actor=actorID
|
|
// from /v1/audit. Bundle 1 Phase 7 doesn't yet ship a per-actor query
|
|
// param; we filter client-side from the paginated list endpoint.
|
|
func (c *Client) fetchAuditEventsForActor(actorID string, limit int) ([]AuditEventLite, error) {
|
|
body, err := c.doGET(fmt.Sprintf("/api/v1/audit?per_page=%d", limit))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var resp struct {
|
|
Data []struct {
|
|
Actor string `json:"actor"`
|
|
Action string `json:"action"`
|
|
ResourceType string `json:"resource_type"`
|
|
} `json:"data"`
|
|
}
|
|
if err := json.Unmarshal(body, &resp); err != nil {
|
|
return nil, fmt.Errorf("decode /v1/audit: %w", err)
|
|
}
|
|
out := make([]AuditEventLite, 0, len(resp.Data))
|
|
for _, e := range resp.Data {
|
|
if e.Actor != actorID {
|
|
continue
|
|
}
|
|
out = append(out, AuditEventLite{Action: e.Action, ResourceType: e.ResourceType})
|
|
}
|
|
return out, nil
|
|
}
|