gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:22:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9135c4490891c9051822584a532b872e64c290c7
certctl/api/openapi-handler-exceptions-baseline.txt
T
shankar0123 9135c44908 docs(arch-h1): Phase 13 Sprint 13.5 — OpenAPI breakglass + users + runtime-config ops (batch 2, 8 ops) 
Phase 13 Sprint 13.5 closure (architecture diligence audit ARCH-H1):
authors OpenAPI operations for the auth/breakglass admin cluster
(4) + auth/users cluster (3) + auth/runtime-config (1), drives the
`rest-deferred` exception bucket from 15 → 7.

OpenAPI-only sprint: zero Go changes. Every schema field-by-field
mirrors the projection types in
internal/api/handler/auth_breakglass.go +
internal/api/handler/auth_users.go.

8 new operations
================

  Break-glass admin cluster (4 ops, all gated `auth.breakglass.admin`):
    GET    /api/v1/auth/breakglass/credentials                       listBreakglassCredentials
    POST   /api/v1/auth/breakglass/credentials                       setBreakglassPassword
    DELETE /api/v1/auth/breakglass/credentials/{actor_id}            removeBreakglassCredential
    POST   /api/v1/auth/breakglass/credentials/{actor_id}/unlock     unlockBreakglassCredential

  Users cluster (3 ops):
    GET    /api/v1/auth/users                                        listAuthUsers              (auth.user.read)
    DELETE /api/v1/auth/users/{id}                                   deactivateAuthUser         (auth.user.deactivate)
    POST   /api/v1/auth/users/{id}/reactivate                        reactivateAuthUser         (auth.user.deactivate)

  Runtime-config read (1 op):
    GET    /api/v1/auth/runtime-config                               getAuthRuntimeConfig       (auth.role.assign)

5 new schemas (components/schemas)
==================================

  BreakglassCredentialResponse     — mirrors breakglassCredentialResponse
                                     (6 fields). Password hash NEVER
                                     serialized.
  BreakglassCredentialListResponse — mirrors listBreakglassCredentialsResponse
                                     ({"credentials": [...]}).
  BreakglassSetPasswordRequest     — mirrors breakglassSetPasswordRequest
                                     (actor_id + password; password marked
                                     `format: password`).
  BreakglassSetPasswordResponse    — mirrors the inline response shape
                                     returned by SetPassword (actor_id +
                                     created_at).
  AuthUser                         — mirrors userResponse (9 fields,
                                     including pointer-based
                                     deactivated_at marked nullable).

Every schema field's JSON tag, type, required-ness, and (where
applicable) nullability grounded against the live Go source. The
`tenant_id` field surfaces on AuthUser (the handler emits it) but
does NOT appear on the breakglass schemas (the breakglass surface
is tenant-implicit — derived from caller context, not request body).

Surface-invisibility property
=============================

Each break-glass admin endpoint returns 404 when
`CERTCTL_BREAKGLASS_ENABLED=false` so an attacker probing the admin
surface gets the same signal as probing the login endpoint
(consistent with Audit 2026-05-10 CRIT-4 closure). Documented in the
per-op description so client implementations don't surprise on the
404 path.

Self-deactivate guard
=====================

`DELETE /api/v1/auth/users/{id}` returns 409 (not 403) when the
caller is deactivating their own account — Audit 2026-05-11 A-2
foot-gun closure. Break-glass remains the documented recovery path.
The 409 is documented in the per-op responses block.

Exception YAML + baseline
=========================

8 entries removed from api/openapi-handler-exceptions.yaml. Post-cut
shape:

  total entries:           43   (was 51)
  wire-protocol:           36   (unchanged)
  rest-deferred:           7    (was 15)

Baseline file bumped 15 → 7. The Sprint 13.1 monotonic-decrease
guard now pins `rest-deferred ≤ 7`. Sprint 13.6 walks it to zero
(7 → 0).

YAML header narrative updated: "Sprint 13.5 SHIPPED — 15 - 8 = 7".

Receipts (all from the live tree)
=================================

  $ grep -cE '^\s+operationId:' api/openapi.yaml
    179   (was 171 + 8)

  $ bash scripts/ci-guards/openapi-handler-parity.sh
    Router routes:                  220
    OpenAPI operations:             179
    Documented exceptions:          43
      wire-protocol:                36
      rest-deferred:                7
    openapi-handler-parity: clean.

  $ bash scripts/ci-guards/openapi-rest-deferred-monotonic.sh
    openapi-rest-deferred-monotonic: clean — rest-deferred = 7,
    baseline = 7.

  $ cat api/openapi-handler-exceptions-baseline.txt
    7

  $ python3 -c "import yaml; ..."
    paths: 133, operations: 179, schemas: 72
    sprint-13.5 schemas missing: (none)
    OpenAPI lint: clean.

  $ gofmt -l .                                          → clean
  $ go vet ./internal/api/handler/... ./cmd/server/...  → clean

Sprint 13.6 next (audit/export + demo-residual + 3 OIDC browser
flows + auth/logout + auth/breakglass/login = 7 ops; rest-deferred
7 → 0 — the zero-floor commit that completes ARCH-H1's substantive
burn-down). Same OpenAPI-only pattern; the OIDC browser-flow
endpoints in 13.6 model redirect-only operations (302 + Location
header, empty body) per OAS 3.1 conventions.

Refs: ARCH-H1 batch 2 closure.
2026-05-14 12:28:29 +00:00

2 lines
2 B
Plaintext
Raw Blame History

7
Reference in New Issue View Git Blame Copy Permalink