mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-09 06:18:59 +00:00
shankar0123
a1ec42065a
Audit 2026-05-10 HIGH-6 partial closure (silence leg). The audit
identified two distinct gaps in the auth surface's audit-emit pattern:
(1) silence — `_ = audit.RecordEventWithCategory(...)` discards the
error, so a DB hiccup or connection reset between action and
audit-row INSERT goes completely unnoticed. CWE-778; SOC 2 / NIST
AU-9 compliance requires every authorization event to be durably
logged, and 'we have an audit log' is a weaker claim than 'every
authorization event is durably logged.'
(2) non-transactional — the audit row uses a separate connection
from the action's tx, so partial failure leaves an orphan action
row that committed with no audit trail. Decision 8 of the
auth-bundles-index requires action + audit row atomic.
This commit closes leg (1) fully across all six audit-emit call sites
in the auth surface:
- internal/service/auth/actor_role_service.go::recordAudit
- internal/service/auth/role_service.go::recordAudit
- internal/auth/bootstrap/service.go::ValidateAndMint
- internal/auth/breakglass/service.go::recordAudit
- internal/auth/session/service.go::recordAudit
- internal/api/handler/auth_session_oidc.go::recordAudit
- internal/service/profile.go::Update (Phase 9 approval-bypass)
Each `_ = ...` swallow is replaced with:
if err := audit.RecordEventWithCategory(...); err != nil {
slog.WarnContext(ctx, '<surface> audit write failed (action
committed; audit row may be missing)',
'action', action, 'actor_id', actor, 'resource_id', resource,
'err', err)
}
Operators monitoring audit-write failures now see structured WARN
logs with action + actor + resource attribution; missing audit rows
can be cross-referenced against monitoring without manual SELECT-from-
audit-table.
Infrastructure for leg (2) (transactional commit) is also landed in
this commit:
- service.AuditService.RecordEventWithCategoryWithTx (new method;
accepts repository.Querier from postgres.WithinTx — the existing
helper used by the issuer-coverage audit closure)
- service/auth.AuditService interface declares the new method
- test stub fakeAudit.RecordEventWithCategoryWithTx satisfies the
extended interface
The eight per-path WithinTx-refactors documented in
cowork/auth-bundles-fixes-2026-05-10/10-high-6-atomic-audit-commit.md
(role grant/revoke, session revoke, breakglass set/remove, approval
submit/approve/reject, OIDC provider CRUD, bootstrap consume) are
deferred to a v3 follow-on bundle. Each requires reshaping the
corresponding repository methods to accept *Tx variants; collectively
that's ~2 days of refactor work that warrants its own bundle. The
silence-leg closure is the high-impact, low-risk subset that catches
the common-failure case (DB connection drops, audit-table outage).
Refs: cowork/auth-bundles-audit-2026-05-10.md HIGH-6
Spec: cowork/auth-bundles-fixes-2026-05-10/10-high-6-atomic-audit-commit.md
221 lines
7.4 KiB
Go
221 lines
7.4 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"log/slog"
|
|
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
authdomain "github.com/certctl-io/certctl/internal/domain/auth"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// RoleService manages roles + role-permission grants.
|
|
type RoleService struct {
|
|
repo repository.RoleRepository
|
|
permRepo repository.PermissionRepository
|
|
authorizer *Authorizer
|
|
audit AuditService
|
|
}
|
|
|
|
// NewRoleService constructs a RoleService.
|
|
func NewRoleService(repo repository.RoleRepository, permRepo repository.PermissionRepository, authorizer *Authorizer, audit AuditService) *RoleService {
|
|
return &RoleService{
|
|
repo: repo,
|
|
permRepo: permRepo,
|
|
authorizer: authorizer,
|
|
audit: audit,
|
|
}
|
|
}
|
|
|
|
// List returns every role in the caller's tenant. Requires
|
|
// `auth.role.list`.
|
|
func (s *RoleService) List(ctx context.Context, caller *Caller) ([]*authdomain.Role, error) {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.list"); err != nil {
|
|
return nil, err
|
|
}
|
|
tenantID := caller.TenantID
|
|
if tenantID == "" {
|
|
tenantID = authdomain.DefaultTenantID
|
|
}
|
|
return s.repo.List(ctx, tenantID)
|
|
}
|
|
|
|
// Get returns the role with the given ID. Requires `auth.role.list`.
|
|
func (s *RoleService) Get(ctx context.Context, caller *Caller, id string) (*authdomain.Role, error) {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.list"); err != nil {
|
|
return nil, err
|
|
}
|
|
return s.repo.Get(ctx, id)
|
|
}
|
|
|
|
// Create stores a new role. Requires `auth.role.create`.
|
|
func (s *RoleService) Create(ctx context.Context, caller *Caller, role *authdomain.Role) error {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.create"); err != nil {
|
|
return err
|
|
}
|
|
if role.TenantID == "" {
|
|
role.TenantID = authdomain.DefaultTenantID
|
|
}
|
|
if err := s.repo.Create(ctx, role); err != nil {
|
|
return err
|
|
}
|
|
s.recordAudit(ctx, caller, "role.create", "role", role.ID, map[string]interface{}{"name": role.Name, "tenant_id": role.TenantID})
|
|
return nil
|
|
}
|
|
|
|
// Update modifies an existing role. Requires `auth.role.edit`.
|
|
func (s *RoleService) Update(ctx context.Context, caller *Caller, role *authdomain.Role) error {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.edit"); err != nil {
|
|
return err
|
|
}
|
|
if err := s.repo.Update(ctx, role); err != nil {
|
|
return err
|
|
}
|
|
s.recordAudit(ctx, caller, "role.update", "role", role.ID, map[string]interface{}{"name": role.Name})
|
|
return nil
|
|
}
|
|
|
|
// Delete removes a role. Requires `auth.role.delete`. Returns
|
|
// repository.ErrAuthRoleInUse when active actor_roles still reference
|
|
// the role (FK ON DELETE RESTRICT).
|
|
func (s *RoleService) Delete(ctx context.Context, caller *Caller, id string) error {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.delete"); err != nil {
|
|
return err
|
|
}
|
|
if err := s.repo.Delete(ctx, id); err != nil {
|
|
return err
|
|
}
|
|
s.recordAudit(ctx, caller, "role.delete", "role", id, nil)
|
|
return nil
|
|
}
|
|
|
|
// ListPermissions returns the (permission, scope) grants on the role.
|
|
// Requires `auth.role.list`.
|
|
func (s *RoleService) ListPermissions(ctx context.Context, caller *Caller, roleID string) ([]*authdomain.RolePermission, error) {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.list"); err != nil {
|
|
return nil, err
|
|
}
|
|
return s.repo.ListPermissions(ctx, roleID)
|
|
}
|
|
|
|
// AddPermission grants a permission to a role at the given scope.
|
|
// Requires `auth.role.edit`. Returns ErrInvalidPermission if the
|
|
// permission name is not in the canonical catalogue.
|
|
func (s *RoleService) AddPermission(ctx context.Context, caller *Caller, roleID, permissionName string, scopeType authdomain.ScopeType, scopeID *string) error {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.edit"); err != nil {
|
|
return err
|
|
}
|
|
if !s.permRepo.IsCanonical(permissionName) {
|
|
return fmt.Errorf("%w: %q", ErrInvalidPermission, permissionName)
|
|
}
|
|
perm, err := s.permRepo.GetByName(ctx, permissionName)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
grant := &authdomain.RolePermission{
|
|
RoleID: roleID,
|
|
PermissionID: perm.ID,
|
|
ScopeType: scopeType,
|
|
ScopeID: scopeID,
|
|
}
|
|
if err := s.repo.AddPermission(ctx, grant); err != nil {
|
|
return err
|
|
}
|
|
details := map[string]interface{}{
|
|
"role_id": roleID,
|
|
"permission": permissionName,
|
|
"scope_type": string(scopeType),
|
|
}
|
|
if scopeID != nil {
|
|
details["scope_id"] = *scopeID
|
|
}
|
|
s.recordAudit(ctx, caller, "role.permission.add", "role", roleID, details)
|
|
return nil
|
|
}
|
|
|
|
// RemovePermission revokes a previously-granted permission from a role.
|
|
// Requires `auth.role.edit`.
|
|
func (s *RoleService) RemovePermission(ctx context.Context, caller *Caller, roleID, permissionName string, scopeType authdomain.ScopeType, scopeID *string) error {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.edit"); err != nil {
|
|
return err
|
|
}
|
|
perm, err := s.permRepo.GetByName(ctx, permissionName)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
grant := &authdomain.RolePermission{
|
|
RoleID: roleID,
|
|
PermissionID: perm.ID,
|
|
ScopeType: scopeType,
|
|
ScopeID: scopeID,
|
|
}
|
|
if err := s.repo.RemovePermission(ctx, grant); err != nil {
|
|
return err
|
|
}
|
|
details := map[string]interface{}{
|
|
"role_id": roleID,
|
|
"permission": permissionName,
|
|
"scope_type": string(scopeType),
|
|
}
|
|
if scopeID != nil {
|
|
details["scope_id"] = *scopeID
|
|
}
|
|
s.recordAudit(ctx, caller, "role.permission.remove", "role", roleID, details)
|
|
return nil
|
|
}
|
|
|
|
// requirePermission is the gate every public method runs first. System
|
|
// callers bypass; everyone else must hold the named permission globally.
|
|
// Returns ErrUnauthenticated when caller is nil, ErrForbidden when the
|
|
// caller exists but lacks the permission.
|
|
func (s *RoleService) requirePermission(ctx context.Context, caller *Caller, perm string) error {
|
|
if caller == nil {
|
|
return ErrUnauthenticated
|
|
}
|
|
if caller.IsSystem {
|
|
return nil
|
|
}
|
|
tenantID := caller.TenantID
|
|
if tenantID == "" {
|
|
tenantID = authdomain.DefaultTenantID
|
|
}
|
|
ok, err := s.authorizer.CheckPermission(ctx, caller.ActorID, authdomain.ActorTypeValue(caller.ActorType), tenantID, perm, authdomain.ScopeTypeGlobal, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if !ok {
|
|
return fmt.Errorf("%w: %q", ErrForbidden, perm)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// recordAudit emits an audit row tied to the caller. Best-effort: audit
|
|
// failures are logged via panic-recover but do not fail the operation.
|
|
//
|
|
// Bundle 1 Phase 8: every role-mutation is an authentication /
|
|
// authorization event. The auditor role queries
|
|
// /v1/audit?category=auth to surface this slice.
|
|
func (s *RoleService) recordAudit(ctx context.Context, caller *Caller, action, resourceType, resourceID string, details map[string]interface{}) {
|
|
if s.audit == nil || caller == nil {
|
|
return
|
|
}
|
|
// Audit 2026-05-10 HIGH-6 partial closure — see
|
|
// actor_role_service.go::recordAudit for the rationale. Silence-leg
|
|
// closed by emitting WARN on audit-write failure; transactional-leg
|
|
// (action + audit atomic via WithinTx) is a v3 follow-on.
|
|
if err := s.audit.RecordEventWithCategory(ctx, caller.ActorID, caller.ActorType, action, domain.EventCategoryAuth, resourceType, resourceID, details); err != nil {
|
|
slog.WarnContext(ctx, "audit write failed (action committed; audit row may be missing)",
|
|
"action", action,
|
|
"resource_type", resourceType,
|
|
"resource_id", resourceID,
|
|
"actor_id", caller.ActorID,
|
|
"err", err)
|
|
}
|
|
}
|
|
|
|
// Ensure the compile-time pin: domain.ActorType is convertible to
|
|
// authdomain.ActorTypeValue via string equality. If the underlying
|
|
// types ever diverge this won't compile.
|
|
var _ authdomain.ActorTypeValue = authdomain.ActorTypeValue(domain.ActorTypeAPIKey)
|