mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:41:36 +00:00
shankar0123
f1d97710e1
Closes CRIT-4 of the 2026-05-10 audit. Bundle 2 Phase 7.5 shipped the
break-glass backend (Argon2id + lockout + 4 endpoints) but no GUI
surface. Operators recovering during an SSO outage had to hand-craft
curl commands — operationally hostile and the opposite of what
docs/operator/security.md advertised. This commit closes the gap.
Three GUI surfaces:
1. LoginPage.tsx — inline "Use break-glass account (SSO outage
recovery)" toggle below the API-key form. Clicking reveals an
amber-bordered inline form (actor-id + password, autocomplete=off).
Calls breakglassLogin(actor_id, password); on success navigates
to "/" where AuthProvider re-validates via the session-cookie path.
Intentionally low-visibility (text-amber-600 small text) — this is
the deliberate-bypass path, not the everyday-login path.
2. web/src/pages/auth/BreakglassPage.tsx — admin page at /auth/breakglass
(permission-gated by auth.breakglass.admin). Three sections:
- Sticky security banner ("every action audited; use only during
incidents").
- Set/rotate-password form (≥12-char + confirm-match).
- Credentialed-actor table with rotate / unlock (disabled when
not locked) / remove per row. Remove requires type-the-actor-id
confirmation.
3. Layout.tsx nav — "Break-glass" entry under the auth section. Visible
to all callers; the page itself permission-gates (server-side 403 is
the load-bearing defense). Cosmetic hide-when-no-perm is deferred
to fix 14's LOW bundle.
Backend support (new endpoint required to enumerate credentialed actors):
- internal/repository/breakglass.go — BreakglassCredentialRepository
gains List(ctx, tenantID) method.
- internal/repository/postgres/breakglass.go — postgres impl; reuses
the existing breakglassColumns / scanBreakglass helpers.
- internal/auth/breakglass/service.go — Service.List(ctx) method;
returns ErrDisabled when CERTCTL_BREAKGLASS_ENABLED=false (handler
maps to 404 for surface invisibility).
- internal/api/handler/auth_breakglass.go — ListCredentials handler;
password_hash field NEVER serialized to the wire (response shape
is intentionally limited to actor_id + timestamps + failure_count +
locked_until).
- internal/api/router/router.go — registers GET
/api/v1/auth/breakglass/credentials gated by auth.breakglass.admin.
- internal/api/router/openapi_parity_test.go — SpecParityExceptions
entry for the new endpoint (full OpenAPI row rides along with the
next OpenAPI sweep).
GUI api/client.ts gains breakglassListCredentials() + the
BreakglassCredentialRow type matching the wire shape.
Six Vitest cases in BreakglassPage.test.tsx pin the contract:
permission gate (forbidden state when caller lacks the perm; admin
surface when they have it), set-password mismatch rejection, set-
password below-threshold-length rejection, unlock-disabled-when-not-
locked, remove-modal type-confirm.
Verification gate green:
- gofmt -l clean on all touched files
- go vet clean
- go test -short -count=1 on internal/api/router (TestRouter_OpenAPIParity
+ TestRouterRBACGateCoverage + TestRouter_AuthExemptAllowlist),
internal/api/handler (all BCL tests + ListCredentials),
internal/auth/breakglass (Service.List + stubRepo.List),
internal/repository/postgres, internal/domain/auth (auditor pin)
— all pass.
CRIT-1 + CRIT-2 + CRIT-3 from the same audit are already closed on
this branch (commits 68ca42f, ca1e135, 00eace8). CRIT-5 (AllowedEmail-
Domains lying field) remains the last Critical blocker for v2.1.0.
Spec: cowork/auth-bundles-fixes-2026-05-10/04-crit-4-breakglass-gui.md.
Refs: cowork/auth-bundles-audit-2026-05-10.md CRIT-4
197 lines
6.4 KiB
Go
197 lines
6.4 KiB
Go
package postgres
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"github.com/lib/pq"
|
|
|
|
bgdomain "github.com/certctl-io/certctl/internal/auth/breakglass/domain"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// BreakglassCredentialRepository is the postgres implementation of
|
|
// repository.BreakglassCredentialRepository. Auth Bundle 2 Phase 7.5.
|
|
type BreakglassCredentialRepository struct {
|
|
db *sql.DB
|
|
}
|
|
|
|
// NewBreakglassCredentialRepository constructs a
|
|
// BreakglassCredentialRepository.
|
|
func NewBreakglassCredentialRepository(db *sql.DB) *BreakglassCredentialRepository {
|
|
return &BreakglassCredentialRepository{db: db}
|
|
}
|
|
|
|
const breakglassColumns = `id, tenant_id, actor_id, password_hash,
|
|
created_at, last_password_change_at, failure_count, locked_until,
|
|
last_failure_at`
|
|
|
|
func scanBreakglass(row interface{ Scan(...interface{}) error }) (*bgdomain.BreakglassCredential, error) {
|
|
var c bgdomain.BreakglassCredential
|
|
var lockedUntil, lastFailureAt sql.NullTime
|
|
if err := row.Scan(
|
|
&c.ID, &c.TenantID, &c.ActorID, &c.PasswordHash,
|
|
&c.CreatedAt, &c.LastPasswordChangeAt, &c.FailureCount,
|
|
&lockedUntil, &lastFailureAt,
|
|
); err != nil {
|
|
return nil, err
|
|
}
|
|
if lockedUntil.Valid {
|
|
c.LockedUntil = &lockedUntil.Time
|
|
}
|
|
if lastFailureAt.Valid {
|
|
c.LastFailureAt = &lastFailureAt.Time
|
|
}
|
|
return &c, nil
|
|
}
|
|
|
|
// Create persists a new credential row.
|
|
func (r *BreakglassCredentialRepository) Create(ctx context.Context, c *bgdomain.BreakglassCredential) error {
|
|
_, err := r.db.ExecContext(ctx, `
|
|
INSERT INTO breakglass_credentials (
|
|
id, tenant_id, actor_id, password_hash
|
|
) VALUES ($1,$2,$3,$4)`,
|
|
c.ID, c.TenantID, c.ActorID, c.PasswordHash)
|
|
if err != nil {
|
|
var pqErr *pq.Error
|
|
if errors.As(err, &pqErr) && pqErr.Code == "23505" {
|
|
return repository.ErrBreakglassDuplicate
|
|
}
|
|
return fmt.Errorf("breakglass create: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// GetByActor returns the credential for the named actor.
|
|
func (r *BreakglassCredentialRepository) GetByActor(ctx context.Context, actorID, tenantID string) (*bgdomain.BreakglassCredential, error) {
|
|
row := r.db.QueryRowContext(ctx,
|
|
`SELECT `+breakglassColumns+` FROM breakglass_credentials WHERE actor_id = $1 AND tenant_id = $2`,
|
|
actorID, tenantID)
|
|
c, err := scanBreakglass(row)
|
|
if err != nil {
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return nil, repository.ErrBreakglassNotFound
|
|
}
|
|
return nil, fmt.Errorf("breakglass get_by_actor: %w", err)
|
|
}
|
|
return c, nil
|
|
}
|
|
|
|
// UpdatePasswordHash rotates the password hash. Idempotent reset of
|
|
// failure_count + locked_until (a fresh password starts unlocked).
|
|
func (r *BreakglassCredentialRepository) UpdatePasswordHash(ctx context.Context, actorID, tenantID, newHash string) error {
|
|
res, err := r.db.ExecContext(ctx, `
|
|
UPDATE breakglass_credentials
|
|
SET password_hash = $3,
|
|
last_password_change_at = NOW(),
|
|
failure_count = 0,
|
|
locked_until = NULL,
|
|
last_failure_at = NULL
|
|
WHERE actor_id = $1 AND tenant_id = $2`,
|
|
actorID, tenantID, newHash)
|
|
if err != nil {
|
|
return fmt.Errorf("breakglass update_password_hash: %w", err)
|
|
}
|
|
n, _ := res.RowsAffected()
|
|
if n == 0 {
|
|
return repository.ErrBreakglassNotFound
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// IncrementFailure atomically bumps failure_count + sets last_failure_at;
|
|
// when the new count >= threshold, sets locked_until = NOW() + duration.
|
|
// The whole transition is one UPDATE so concurrent racing wrong-password
|
|
// attempts can't observe an intermediate state.
|
|
//
|
|
// Returns the post-update row so the service can decide whether to
|
|
// surface ErrBreakglassLocked without a re-read.
|
|
func (r *BreakglassCredentialRepository) IncrementFailure(ctx context.Context, actorID, tenantID string, threshold int, lockoutDurationSec int) (*bgdomain.BreakglassCredential, error) {
|
|
row := r.db.QueryRowContext(ctx, `
|
|
UPDATE breakglass_credentials
|
|
SET failure_count = failure_count + 1,
|
|
last_failure_at = NOW(),
|
|
locked_until = CASE
|
|
WHEN failure_count + 1 >= $3 THEN NOW() + ($4 || ' seconds')::interval
|
|
ELSE locked_until
|
|
END
|
|
WHERE actor_id = $1 AND tenant_id = $2
|
|
RETURNING `+breakglassColumns,
|
|
actorID, tenantID, threshold, lockoutDurationSec)
|
|
c, err := scanBreakglass(row)
|
|
if err != nil {
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return nil, repository.ErrBreakglassNotFound
|
|
}
|
|
return nil, fmt.Errorf("breakglass increment_failure: %w", err)
|
|
}
|
|
return c, nil
|
|
}
|
|
|
|
// ResetFailureCount clears failure_count + locked_until. Used on
|
|
// successful Authenticate AND on admin-initiated Unlock. Idempotent.
|
|
func (r *BreakglassCredentialRepository) ResetFailureCount(ctx context.Context, actorID, tenantID string) error {
|
|
res, err := r.db.ExecContext(ctx, `
|
|
UPDATE breakglass_credentials
|
|
SET failure_count = 0,
|
|
locked_until = NULL,
|
|
last_failure_at = NULL
|
|
WHERE actor_id = $1 AND tenant_id = $2`,
|
|
actorID, tenantID)
|
|
if err != nil {
|
|
return fmt.Errorf("breakglass reset_failure_count: %w", err)
|
|
}
|
|
n, _ := res.RowsAffected()
|
|
if n == 0 {
|
|
return repository.ErrBreakglassNotFound
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Delete removes a credential row.
|
|
func (r *BreakglassCredentialRepository) Delete(ctx context.Context, actorID, tenantID string) error {
|
|
res, err := r.db.ExecContext(ctx,
|
|
`DELETE FROM breakglass_credentials WHERE actor_id = $1 AND tenant_id = $2`,
|
|
actorID, tenantID)
|
|
if err != nil {
|
|
return fmt.Errorf("breakglass delete: %w", err)
|
|
}
|
|
n, _ := res.RowsAffected()
|
|
if n == 0 {
|
|
return repository.ErrBreakglassNotFound
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// List returns every break-glass credential in the tenant. Audit
|
|
// 2026-05-10 CRIT-4 closure — backs the GUI admin page that lists
|
|
// credentialed actors. The password hash is read into the returned
|
|
// row (it's an internal type passed to the handler which strips it
|
|
// before serializing the JSON response).
|
|
func (r *BreakglassCredentialRepository) List(ctx context.Context, tenantID string) ([]*bgdomain.BreakglassCredential, error) {
|
|
rows, err := r.db.QueryContext(ctx,
|
|
`SELECT `+breakglassColumns+`
|
|
FROM breakglass_credentials
|
|
WHERE tenant_id = $1
|
|
ORDER BY created_at ASC`,
|
|
tenantID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("breakglass list: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
var out []*bgdomain.BreakglassCredential
|
|
for rows.Next() {
|
|
c, err := scanBreakglass(rows)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("breakglass list scan: %w", err)
|
|
}
|
|
out = append(out, c)
|
|
}
|
|
if err := rows.Err(); err != nil {
|
|
return nil, fmt.Errorf("breakglass list iter: %w", err)
|
|
}
|
|
return out, nil
|
|
}
|