gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:51:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
69a508dfcf64264ba6bcfa2f52faab644b7b893b
certctl/internal/service/auth/auth.go
T
shankar0123 3ef45e2ad4 auth-bundle-1 Phase 6-7-8: bootstrap path + scope-down CLI + auditor-role split 
# Phase 6 — day-0 admin bootstrap

* internal/auth/bootstrap/ (new package): Strategy interface +
  EnvTokenStrategy with constant-time compare, one-shot consumption
  via sync.Mutex, optional admin-existence probe. Bundle 2's OIDC-
  first-admin will plug in alongside as an alternate Strategy.
* BootstrapService.ValidateAndMint: validates the operator's
  CERTCTL_BOOTSTRAP_TOKEN, mints a 32-byte (64-hex-char) random API
  key value, persists the SHA-256 hash to api_keys, grants r-admin
  via actor_roles, AddHashed's the runtime keystore so the just-
  minted key authenticates the next request without restart, and
  records bootstrap.consume to the audit trail with category=auth.
* internal/auth/keystore.go (new): KeyStore interface +
  StaticKeyStore (immutable env-var-only path) + MutableKeyStore
  (env-var keys + DB-loaded api_keys + runtime AddHashed). The auth
  middleware now consumes a KeyStore so the bootstrap path can
  extend the lookup table at runtime.
* migrations/000031_api_keys.up/down.sql: api_keys table with
  (id, name UNIQUE, key_hash UNIQUE, tenant_id, admin, created_by,
  created_at, expires_at, last_used_at). Idempotent.
* /v1/auth/bootstrap GET (probe) + POST (mint) — auth-exempt. Both
  routes documented in api/openapi.yaml + AuthExemptRouterRoutes
  allowlist updated. The token never leaves internal/auth/bootstrap;
  the minted plaintext key flows only into the HTTP response body.
* Startup warning emitted when CERTCTL_BOOTSTRAP_TOKEN is set AND
  admin actors already exist (config drift signal).
* Tests: 4 strategy invariants (empty token born disabled, wrong
  token=ErrInvalidToken without consumption, one-shot consumption,
  admin-exists closes path), 5 service tests (happy path + actor-
  name validation + propagation of strategy errors + nil-deps
  guard + 32-byte entropy budget), 8 HTTP-handler tests (status
  201/410/401/400 mapping + token-leak hygiene scan of slog +
  audit details + Location header). Token-leak test redirects
  slog.Default to a buffer for the test scope.

# Phase 7 — API-key migration + scope-down CLI

* GET /v1/auth/keys handler + service method ListKeys backed by
  ActorRoleRepository.ListDistinctActors. Returns one row per
  (actor_id, actor_type) pair with the slice of role IDs they hold.
  Permission: auth.role.list.
* internal/cli/auth_scope_down.go: AuthListKeys, AuthScopeDown
  (interactive), AuthScopeDownNonInteractive (JSON config),
  AuthScopeDownSuggest (--suggest with optional --apply). The
  synthetic actor-demo-anon is filtered out of every interactive /
  bulk path; non-interactive flow logs and skips it explicitly.
* SuggestRoleFromAuditEvents (pure function): walks 30 days of
  audit events per actor and returns the narrowest matching role
  (admin / mcp / viewer / agent / operator) plus a one-line reason.
  Classification: any admin-shaped action wins; otherwise all-MCP
  → mcp; all-read-only → viewer; all-agent-shaped → agent;
  otherwise operator. Test table pins all six classifications.
* CLI subcommand tree extended: 'auth keys list' + 'auth keys
  scope-down [--non-interactive <cfg>] [--suggest [--apply]]'.
* CHANGELOG.md leads v2.1.0 with the SECURITY: AUDIT YOUR API KEYS
  call-out + four flow examples.

# Phase 8 — auditor role + event_category column

* migrations/000032_audit_category.up/down.sql: ALTER TABLE
  audit_events ADD COLUMN event_category TEXT NOT NULL DEFAULT
  'cert_lifecycle' + CHECK constraint (cert_lifecycle/auth/config)
  + (event_category) and (event_category, timestamp DESC) indexes
  for the auditor-filter query path. WORM trigger from migration
  000018 continues to enforce append-only at the DB layer (DDL is
  not blocked).
* domain.AuditEvent gains EventCategory string (omitempty);
  domain.EventCategoryCertLifecycle / Auth / Config constants.
* AuditService.RecordEventWithCategory sibling of RecordEvent;
  legacy callers stay on RecordEvent (defaults to cert_lifecycle).
  Auth callers (RoleService, ActorRoleService, BootstrapService)
  switched to RecordEventWithCategory(..., 'auth', ...).
* GET /v1/audit?category=<cat>: handler accepts the optional query
  param, validates against the enum (400 on invalid value),
  dispatches through ListAuditEventsByCategory. OpenAPI updated
  with the new query param + AuditEvent.event_category schema.
* Postgres AuditRepository.Create now writes event_category;
  AuditRepository.List filters on it; AuditFilter.EventCategory
  gates the WHERE clause.
* Tests: 5 audit-category-filter HTTP tests (dispatch routing,
  back-compat fallback, 400 for invalid values, all 3 enum values
  accepted, page+category combine, JSON output surfaces the
  field). 3 auditor-role invariants (auditor holds exactly
  audit.read+audit.export, no mutating perms, disjoint from
  viewer except audit.read).

# Cross-phase wiring

* HandlerRegistry.Bootstrap field added; cmd/server/main.go wires
  the bootstrap service ahead of RegisterHandlers (extracted
  assembleNamedAPIKeys helper into auth_backfill.go, moved the
  keystore + bootstrap construction up alongside the auth repos).
* AuthCheckResolver / AuthActorRoleService extended with ListKeys
  to satisfy the Phase 7 surface; existing fakes updated.
* fakeAudit + mockAuditService stubs in tests gain
  RecordEventWithCategory + ListAuditEventsByCategory; existing
  tests untouched.

# Verifications

* gofmt -l: clean across every modified file.
* go vet ./...: clean.
* staticcheck across internal/auth + handler + router + cli +
  service + repository + cmd + domain: clean.
* go test -short -count=1: green across every Bundle-1-touched
  package — internal/auth (incl. bootstrap), internal/api/handler,
  internal/api/router, internal/cli, internal/service/auth,
  internal/service, internal/domain/auth, internal/repository/postgres,
  cmd/server, cmd/cli, plus internal/scheduler, internal/api/middleware,
  cmd/agent, internal/mcp.
2026-05-09 20:15:43 +00:00

114 lines
4.4 KiB
Go
Raw Blame History

// Package auth holds the RBAC service layer: PermissionService,
// RoleService, ActorRoleService, and the Authorizer primitive that
// Phase 3 middleware (auth.RequirePermission) calls on every gated
// request.
//
// All mutating operations record an audit event via the existing
// AuditService.RecordEvent path. Bundle 1 Phase 8 introduces an
// `event_category` parameter and back-fills the existing callers; until
// then auth-related events go in with the default category.
//
// Privilege-escalation guard: every mutation that affects role
// assignment requires the caller to hold `auth.role.assign` (or the
// equivalent role-level permission) on the target role. The system
// pathway (bootstrap, migrations, scheduler) bypasses this check via
// AsSystemCaller(), which records `actor=system, actorType=System` in
// the audit row so the bypass is observable.
package auth
import (
"context"
"errors"
"github.com/certctl-io/certctl/internal/domain"
authdomain "github.com/certctl-io/certctl/internal/domain/auth"
)
// Sentinel errors for the service layer. Handler / middleware code
// branches via errors.Is and maps to HTTP status codes.
var (
// ErrForbidden is returned when the caller lacks the required
// permission for the operation. Maps to HTTP 403.
ErrForbidden = errors.New("auth: caller lacks required permission")
// ErrUnauthenticated is returned when the request has no actor in
// context (no Bearer, no session). Phase 3 RequirePermission emits
// this; handler code typically returns 401.
ErrUnauthenticated = errors.New("auth: no actor in context")
// ErrInvalidPermission is returned when a Create / AddPermission
// references a permission name not in the canonical catalogue.
// Maps to HTTP 400.
ErrInvalidPermission = errors.New("auth: permission not in canonical catalogue")
// ErrSelfRoleAssignment guards privilege escalation: a caller
// without `auth.role.assign` on a role cannot grant that role
// (including to themselves). Maps to HTTP 403.
ErrSelfRoleAssignment = errors.New("auth: caller lacks auth.role.assign on target role")
)
// AuditService is the audit-recording dependency the service layer
// expects. Mirrors the existing service.AuditService interface so
// Bundle 1 doesn't introduce a parallel concept. Bundle 1 Phase 8
// adds RecordEventWithCategory; the auth service uses the
// categorized variant exclusively (event_category=auth) so the
// auditor role can filter to authentication / authorization events.
type AuditService interface {
RecordEvent(
ctx context.Context,
actor string,
actorType domain.ActorType,
action, resourceType, resourceID string,
details map[string]interface{},
) error
RecordEventWithCategory(
ctx context.Context,
actor string,
actorType domain.ActorType,
action, eventCategory, resourceType, resourceID string,
details map[string]interface{},
) error
}
// Caller describes the actor performing a service operation. Bundle 1
// Phase 3 populates this from the auth-middleware context (ActorIDKey,
// ActorTypeKey). Bootstrap, migrations, and scheduler-initiated work
// pass AsSystemCaller() to bypass the permission check while still
// recording an audit row.
type Caller struct {
ActorID string
ActorType domain.ActorType
TenantID string
// IsSystem skips the privilege-escalation guard. Reserved for
// bootstrap / migration / scheduler paths.
IsSystem bool
}
// AsSystemCaller returns a Caller that bypasses RBAC checks. Used by
// the migration backfill, bootstrap path, scheduler-initiated grants,
// and tests that need to seed state without simulating an admin.
func AsSystemCaller() *Caller {
return &Caller{
ActorID: "system",
ActorType: domain.ActorTypeSystem,
TenantID: authdomain.DefaultTenantID,
IsSystem: true,
}
}
// CallerFromContext is a helper that builds a Caller from auth context
// values. Phase 3 middleware populates the keys; tests can use the
// internal/auth.WithActor / WithAdmin helpers to build contexts.
//
// Returns nil + ErrUnauthenticated when no actor is present.
func CallerFromContext(ctx context.Context) (*Caller, error) {
// Avoid coupling internal/service/auth to internal/auth at the
// type level: read the keys via package-public helpers exposed by
// internal/auth (ActorID, ActorType, TenantID). Phase 3 wires
// these up. For Phase 2, rely on the explicit Caller arg passed
// by handler / test code instead — direct context-key reads can
// land in Phase 3 alongside the middleware.
return nil, ErrUnauthenticated
}
Reference in New Issue View Git Blame Copy Permalink